4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 6 May 2016 18:36:59 +0000 (14:36 -0400)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 6 May 2016 18:36:59 +0000 (14:36 -0400)
added patches:
arm-exynos-properly-skip-unitialized-parent-clock-in-power-domain-on.patch
arm-socfpga-fix-secondary-cpu-startup-in-thumb2-kernel.patch
batman-adv-check-skb-size-before-using-encapsulated-eth-vlan-header.patch
batman-adv-fix-broadcast-ogm-queue-limit-on-a-removed-interface.patch
batman-adv-fix-dat-candidate-selection-must-use-vid.patch
batman-adv-reduce-refcnt-of-removed-router-when-updating-route.patch
hid-fix-boot-delay-for-creative-sb-omni-surround-5.1-with-quirk.patch
hid-wacom-add-support-for-dtk-1651.patch
input-zforce_ts-fix-dual-touch-recognition.patch
mm-cma-prevent-nr_isolated_-counters-from-going-negative.patch
mm-update-min_free_kbytes-from-khugepaged-after-core-initialization.patch
mm-zswap-provide-unique-zpool-name.patch
proc-prevent-accessing-proc-pid-environ-until-it-s-ready.patch
xen-balloon-fix-crash-when-ballooning-on-x86-32-bit-pae.patch
xen-evtchn-fix-ring-resize-when-binding-new-events.patch
xen-fix-page-pfn-conversion-on-32-bit-systems.patch

17 files changed:
queue-4.4/arm-exynos-properly-skip-unitialized-parent-clock-in-power-domain-on.patch [new file with mode: 0644]
queue-4.4/arm-socfpga-fix-secondary-cpu-startup-in-thumb2-kernel.patch [new file with mode: 0644]
queue-4.4/batman-adv-check-skb-size-before-using-encapsulated-eth-vlan-header.patch [new file with mode: 0644]
queue-4.4/batman-adv-fix-broadcast-ogm-queue-limit-on-a-removed-interface.patch [new file with mode: 0644]
queue-4.4/batman-adv-fix-dat-candidate-selection-must-use-vid.patch [new file with mode: 0644]
queue-4.4/batman-adv-reduce-refcnt-of-removed-router-when-updating-route.patch [new file with mode: 0644]
queue-4.4/hid-fix-boot-delay-for-creative-sb-omni-surround-5.1-with-quirk.patch [new file with mode: 0644]
queue-4.4/hid-wacom-add-support-for-dtk-1651.patch [new file with mode: 0644]
queue-4.4/input-zforce_ts-fix-dual-touch-recognition.patch [new file with mode: 0644]
queue-4.4/mm-cma-prevent-nr_isolated_-counters-from-going-negative.patch [new file with mode: 0644]
queue-4.4/mm-update-min_free_kbytes-from-khugepaged-after-core-initialization.patch [new file with mode: 0644]
queue-4.4/mm-zswap-provide-unique-zpool-name.patch [new file with mode: 0644]
queue-4.4/proc-prevent-accessing-proc-pid-environ-until-it-s-ready.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/xen-balloon-fix-crash-when-ballooning-on-x86-32-bit-pae.patch [new file with mode: 0644]
queue-4.4/xen-evtchn-fix-ring-resize-when-binding-new-events.patch [new file with mode: 0644]
queue-4.4/xen-fix-page-pfn-conversion-on-32-bit-systems.patch [new file with mode: 0644]

diff --git a/queue-4.4/arm-exynos-properly-skip-unitialized-parent-clock-in-power-domain-on.patch b/queue-4.4/arm-exynos-properly-skip-unitialized-parent-clock-in-power-domain-on.patch
new file mode 100644 (file)
index 0000000..125acc1
--- /dev/null
@@ -0,0 +1,40 @@
+From a0a966b83873f33778710a4fc59240244b0734a5 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Date: Fri, 22 Apr 2016 09:26:52 +0200
+Subject: ARM: EXYNOS: Properly skip unitialized parent clock in power domain on
+
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+
+commit a0a966b83873f33778710a4fc59240244b0734a5 upstream.
+
+We want to skip reparenting a clock on turning on power domain, if we
+do not have the parent yet. The parent is obtained when turning the
+domain off. However due to a typo, the loop is continued on IS_ERR() of
+clock being reparented, not on the IS_ERR() of the parent.
+
+Theoretically this could lead to OOPS on first turn on of a power
+domain, if there was no turn off before. Practically that should never
+happen because all power domains are turned on by default (reset value,
+bootloader does not turn off them usually) so the first action will be
+always turn off.
+
+Fixes: 29e5eea06bc1 ("ARM: EXYNOS: Get current parent clock for power domain on/off")
+Reported-by: Vladimir Zapolskiy <vz@mleia.com>
+Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-exynos/pm_domains.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/mach-exynos/pm_domains.c
++++ b/arch/arm/mach-exynos/pm_domains.c
+@@ -92,7 +92,7 @@ static int exynos_pd_power(struct generi
+                       if (IS_ERR(pd->clk[i]))
+                               break;
+-                      if (IS_ERR(pd->clk[i]))
++                      if (IS_ERR(pd->pclk[i]))
+                               continue; /* Skip on first power up */
+                       if (clk_set_parent(pd->clk[i], pd->pclk[i]))
+                               pr_err("%s: error setting parent to clock%d\n",
diff --git a/queue-4.4/arm-socfpga-fix-secondary-cpu-startup-in-thumb2-kernel.patch b/queue-4.4/arm-socfpga-fix-secondary-cpu-startup-in-thumb2-kernel.patch
new file mode 100644 (file)
index 0000000..226a8e5
--- /dev/null
@@ -0,0 +1,34 @@
+From 5616f36713ea77f57ae908bf2fef641364403c9f Mon Sep 17 00:00:00 2001
+From: Sascha Hauer <s.hauer@pengutronix.de>
+Date: Wed, 20 Apr 2016 13:34:31 +0000
+Subject: ARM: SoCFPGA: Fix secondary CPU startup in thumb2 kernel
+
+From: Sascha Hauer <s.hauer@pengutronix.de>
+
+commit 5616f36713ea77f57ae908bf2fef641364403c9f upstream.
+
+The secondary CPU starts up in ARM mode. When the kernel is compiled in
+thumb2 mode we have to explicitly compile the secondary startup
+trampoline in ARM mode, otherwise the CPU will go to Nirvana.
+
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Reported-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
+Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Dinh Nguyen <dinguyen@opensource.altera.com>
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-socfpga/headsmp.S |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/mach-socfpga/headsmp.S
++++ b/arch/arm/mach-socfpga/headsmp.S
+@@ -13,6 +13,7 @@
+ #include <asm/assembler.h>
+       .arch   armv7-a
++      .arm
+ ENTRY(secondary_trampoline)
+       /* CPU1 will always fetch from 0x0 when it is brought out of reset.
diff --git a/queue-4.4/batman-adv-check-skb-size-before-using-encapsulated-eth-vlan-header.patch b/queue-4.4/batman-adv-check-skb-size-before-using-encapsulated-eth-vlan-header.patch
new file mode 100644 (file)
index 0000000..8db9852
--- /dev/null
@@ -0,0 +1,52 @@
+From c78296665c3d81f040117432ab9e1cb125521b0c Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 26 Feb 2016 17:56:13 +0100
+Subject: batman-adv: Check skb size before using encapsulated ETH+VLAN header
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit c78296665c3d81f040117432ab9e1cb125521b0c upstream.
+
+The encapsulated ethernet and VLAN header may be outside the received
+ethernet frame. Thus the skb buffer size has to be checked before it can be
+parsed to find out if it encapsulates another batman-adv packet.
+
+Fixes: 420193573f11 ("batman-adv: softif bridge loop avoidance")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Antonio Quartulli <a@unstable.cc>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/batman-adv/soft-interface.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -407,11 +407,17 @@ void batadv_interface_rx(struct net_devi
+        */
+       nf_reset(skb);
++      if (unlikely(!pskb_may_pull(skb, ETH_HLEN)))
++              goto dropped;
++
+       vid = batadv_get_vid(skb, 0);
+       ethhdr = eth_hdr(skb);
+       switch (ntohs(ethhdr->h_proto)) {
+       case ETH_P_8021Q:
++              if (!pskb_may_pull(skb, VLAN_ETH_HLEN))
++                      goto dropped;
++
+               vhdr = (struct vlan_ethhdr *)skb->data;
+               if (vhdr->h_vlan_encapsulated_proto != ethertype)
+@@ -423,8 +429,6 @@ void batadv_interface_rx(struct net_devi
+       }
+       /* skb->dev & skb->pkt_type are set here */
+-      if (unlikely(!pskb_may_pull(skb, ETH_HLEN)))
+-              goto dropped;
+       skb->protocol = eth_type_trans(skb, soft_iface);
+       /* should not be necessary anymore as we use skb_pull_rcsum()
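Review bot: `ethhdr = eth_hdr(skb)` is taken before the new `pskb_may_pull(skb, VLAN_ETH_HLEN)` in the `ETH_P_8021Q` case, and a successful pull may reallocate the skb head, leaving `ethhdr` pointing at freed memory. The hunk re-derives `vhdr` from `skb->data` after the pull, but whether `ethhdr` is read again lies outside the hunk, in the rest of batadv_interface_rx. If it is, add `ethhdr = eth_hdr(skb);` directly after the VLAN pull. The VLAN check also omits the `unlikely()` that the ETH_HLEN check carries, which is worth making consistent.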
diff --git a/queue-4.4/batman-adv-fix-broadcast-ogm-queue-limit-on-a-removed-interface.patch b/queue-4.4/batman-adv-fix-broadcast-ogm-queue-limit-on-a-removed-interface.patch
new file mode 100644 (file)
index 0000000..de88291
--- /dev/null
@@ -0,0 +1,45 @@
+From c4fdb6cff2aa0ae740c5f19b6f745cbbe786d42f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Linus=20L=C3=BCssing?= <linus.luessing@c0d3.blue>
+Date: Fri, 11 Mar 2016 14:04:49 +0100
+Subject: batman-adv: Fix broadcast/ogm queue limit on a removed interface
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+
+commit c4fdb6cff2aa0ae740c5f19b6f745cbbe786d42f upstream.
+
+When removing a single interface while a broadcast or ogm packet is
+still pending then we will free the forward packet without releasing the
+queue slots again.
+
+This patch is supposed to fix this issue.
+
+Fixes: 6d5808d4ae1b ("batman-adv: Add missing hardif_free_ref in forw_packet_free")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+[sven@narfation.org: fix conflicts with current version]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Antonio Quartulli <a@unstable.cc>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/batman-adv/send.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/batman-adv/send.c
++++ b/net/batman-adv/send.c
+@@ -657,6 +657,12 @@ batadv_purge_outstanding_packets(struct
+               if (pending) {
+                       hlist_del(&forw_packet->list);
++                      if (!forw_packet->own)
++                              atomic_inc(&bat_priv->bcast_queue_left);
++
++                      if (!forw_packet->own)
++                              atomic_inc(&bat_priv->batman_queue_left);
++
+                       batadv_forw_packet_free(forw_packet);
+               }
+       }
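Review bot: Both `atomic_inc()` calls sit under the same `if (!forw_packet->own)` test inside a single `if (pending)` block, so every purged non-own packet releases a slot in `bcast_queue_left` and in `batman_queue_left`, although a forward packet presumably took its slot from only one of them. If this loop walks only one of the two forward lists (the loop header is outside the hunk), the other counter drifts above its configured limit each time an interface is removed, which loosens the bound on pending packets. Each increment should sit in the loop that purges its own list. The duplicated condition suggests the backport conflict resolution merged two separate hunks into one place.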
diff --git a/queue-4.4/batman-adv-fix-dat-candidate-selection-must-use-vid.patch b/queue-4.4/batman-adv-fix-dat-candidate-selection-must-use-vid.patch
new file mode 100644 (file)
index 0000000..5175953
--- /dev/null
@@ -0,0 +1,99 @@
+From 2871734e85e920503d49b3a8bc0afbe0773b6036 Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <a@unstable.cc>
+Date: Sat, 12 Mar 2016 11:12:59 +0100
+Subject: batman-adv: fix DAT candidate selection (must use vid)
+
+From: Antonio Quartulli <a@unstable.cc>
+
+commit 2871734e85e920503d49b3a8bc0afbe0773b6036 upstream.
+
+Now that DAT is VLAN aware, it must use the VID when
+computing the DHT address of the candidate nodes where
+an entry is going to be stored/retrieved.
+
+Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware")
+Signed-off-by: Antonio Quartulli <a@unstable.cc>
+[sven@narfation.org: fix conflicts with current version]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/batman-adv/distributed-arp-table.c |   17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/net/batman-adv/distributed-arp-table.c
++++ b/net/batman-adv/distributed-arp-table.c
+@@ -553,6 +553,7 @@ static void batadv_choose_next_candidate
+  * be sent to
+  * @bat_priv: the bat priv with all the soft interface information
+  * @ip_dst: ipv4 to look up in the DHT
++ * @vid: VLAN identifier
+  *
+  * An originator O is selected if and only if its DHT_ID value is one of three
+  * closest values (from the LEFT, with wrap around if needed) then the hash
+@@ -561,7 +562,8 @@ static void batadv_choose_next_candidate
+  * Returns the candidate array of size BATADV_DAT_CANDIDATE_NUM.
+  */
+ static struct batadv_dat_candidate *
+-batadv_dat_select_candidates(struct batadv_priv *bat_priv, __be32 ip_dst)
++batadv_dat_select_candidates(struct batadv_priv *bat_priv, __be32 ip_dst,
++                           unsigned short vid)
+ {
+       int select;
+       batadv_dat_addr_t last_max = BATADV_DAT_ADDR_MAX, ip_key;
+@@ -577,7 +579,7 @@ batadv_dat_select_candidates(struct bata
+               return NULL;
+       dat.ip = ip_dst;
+-      dat.vid = 0;
++      dat.vid = vid;
+       ip_key = (batadv_dat_addr_t)batadv_hash_dat(&dat,
+                                                   BATADV_DAT_ADDR_MAX);
+@@ -597,6 +599,7 @@ batadv_dat_select_candidates(struct bata
+  * @bat_priv: the bat priv with all the soft interface information
+  * @skb: payload to send
+  * @ip: the DHT key
++ * @vid: VLAN identifier
+  * @packet_subtype: unicast4addr packet subtype to use
+  *
+  * This function copies the skb with pskb_copy() and is sent as unicast packet
+@@ -607,7 +610,7 @@ batadv_dat_select_candidates(struct bata
+  */
+ static bool batadv_dat_send_data(struct batadv_priv *bat_priv,
+                                struct sk_buff *skb, __be32 ip,
+-                               int packet_subtype)
++                               unsigned short vid, int packet_subtype)
+ {
+       int i;
+       bool ret = false;
+@@ -616,7 +619,7 @@ static bool batadv_dat_send_data(struct
+       struct sk_buff *tmp_skb;
+       struct batadv_dat_candidate *cand;
+-      cand = batadv_dat_select_candidates(bat_priv, ip);
++      cand = batadv_dat_select_candidates(bat_priv, ip, vid);
+       if (!cand)
+               goto out;
+@@ -1004,7 +1007,7 @@ bool batadv_dat_snoop_outgoing_arp_reque
+               ret = true;
+       } else {
+               /* Send the request to the DHT */
+-              ret = batadv_dat_send_data(bat_priv, skb, ip_dst,
++              ret = batadv_dat_send_data(bat_priv, skb, ip_dst, vid,
+                                          BATADV_P_DAT_DHT_GET);
+       }
+ out:
+@@ -1132,8 +1135,8 @@ void batadv_dat_snoop_outgoing_arp_reply
+       /* Send the ARP reply to the candidates for both the IP addresses that
+        * the node obtained from the ARP reply
+        */
+-      batadv_dat_send_data(bat_priv, skb, ip_src, BATADV_P_DAT_DHT_PUT);
+-      batadv_dat_send_data(bat_priv, skb, ip_dst, BATADV_P_DAT_DHT_PUT);
++      batadv_dat_send_data(bat_priv, skb, ip_src, vid, BATADV_P_DAT_DHT_PUT);
++      batadv_dat_send_data(bat_priv, skb, ip_dst, vid, BATADV_P_DAT_DHT_PUT);
+ }
+ /**
diff --git a/queue-4.4/batman-adv-reduce-refcnt-of-removed-router-when-updating-route.patch b/queue-4.4/batman-adv-reduce-refcnt-of-removed-router-when-updating-route.patch
new file mode 100644 (file)
index 0000000..cf270e4
--- /dev/null
@@ -0,0 +1,48 @@
+From d1a65f1741bfd9c69f9e4e2ad447a89b6810427d Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 20 Mar 2016 12:27:53 +0100
+Subject: batman-adv: Reduce refcnt of removed router when updating route
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit d1a65f1741bfd9c69f9e4e2ad447a89b6810427d upstream.
+
+_batadv_update_route rcu_derefences orig_ifinfo->router outside of a
+spinlock protected region to print some information messages to the debug
+log. But this pointer is not checked again when the new pointer is assigned
+in the spinlock protected region. Thus is can happen that the value of
+orig_ifinfo->router changed in the meantime and thus the reference counter
+of the wrong router gets reduced after the spinlock protected region.
+
+Just rcu_dereferencing the value of orig_ifinfo->router inside the spinlock
+protected region (which also set the new pointer) is enough to get the
+correct old router object.
+
+Fixes: e1a5382f978b ("batman-adv: Make orig_node->router an rcu protected pointer")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Antonio Quartulli <a@unstable.cc>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/batman-adv/routing.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/batman-adv/routing.c
++++ b/net/batman-adv/routing.c
+@@ -104,6 +104,15 @@ static void _batadv_update_route(struct
+               neigh_node = NULL;
+       spin_lock_bh(&orig_node->neigh_list_lock);
++      /* curr_router used earlier may not be the current orig_ifinfo->router
++       * anymore because it was dereferenced outside of the neigh_list_lock
++       * protected region. After the new best neighbor has replace the current
++       * best neighbor the reference counter needs to decrease. Consequently,
++       * the code needs to ensure the curr_router variable contains a pointer
++       * to the replaced best neighbor.
++       */
++      curr_router = rcu_dereference_protected(orig_ifinfo->router, true);
++
+       rcu_assign_pointer(orig_ifinfo->router, neigh_node);
+       spin_unlock_bh(&orig_node->neigh_list_lock);
+       batadv_orig_ifinfo_free_ref(orig_ifinfo);
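Review bot: `rcu_dereference_protected(orig_ifinfo->router, true)` passes a constant `true` as the protection condition, which switches off the lockdep check that would catch a caller reaching this line without `neigh_list_lock` held. Since the correctness of the later reference drop depends on reading the pointer under that lock, state it: `curr_router = rcu_dereference_protected(orig_ifinfo->router, lockdep_is_held(&orig_node->neigh_list_lock));`. The added comment also reads "has replace" where "has replaced" is meant. The reference drop on `curr_router` itself is outside the hunk.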
diff --git a/queue-4.4/hid-fix-boot-delay-for-creative-sb-omni-surround-5.1-with-quirk.patch b/queue-4.4/hid-fix-boot-delay-for-creative-sb-omni-surround-5.1-with-quirk.patch
new file mode 100644 (file)
index 0000000..201614a
--- /dev/null
@@ -0,0 +1,42 @@
+From 567a44ecb44eb2584ddb93e962cfb133ce77e0bb Mon Sep 17 00:00:00 2001
+From: Nazar Mokrynskyi <nazar@mokrynskyi.com>
+Date: Mon, 25 Apr 2016 17:01:56 +0300
+Subject: HID: Fix boot delay for Creative SB Omni Surround 5.1 with quirk
+
+From: Nazar Mokrynskyi <nazar@mokrynskyi.com>
+
+commit 567a44ecb44eb2584ddb93e962cfb133ce77e0bb upstream.
+
+Needed for v2 of the device firmware, otherwise kernel will stuck for few
+seconds and throw "usb_submit_urb(ctrl) failed: -1" early on system boot.
+
+Signed-off-by: Nazar Mokrynskyi <nazar@mokrynskyi.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-ids.h           |    1 +
+ drivers/hid/usbhid/hid-quirks.c |    1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -255,6 +255,7 @@
+ #define USB_DEVICE_ID_CORSAIR_K90     0x1b02
+ #define USB_VENDOR_ID_CREATIVELABS    0x041e
++#define USB_DEVICE_ID_CREATIVE_SB_OMNI_SURROUND_51    0x322c
+ #define USB_DEVICE_ID_PRODIKEYS_PCMIDI        0x2801
+ #define USB_VENDOR_ID_CVTOUCH         0x1ff7
+--- a/drivers/hid/usbhid/hid-quirks.c
++++ b/drivers/hid/usbhid/hid-quirks.c
+@@ -70,6 +70,7 @@ static const struct hid_blacklist {
+       { USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_3AXIS_5BUTTON_STICK, HID_QUIRK_NOGET },
+       { USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_AXIS_295, HID_QUIRK_NOGET },
+       { USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_PIXART_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL },
++      { USB_VENDOR_ID_CREATIVELABS, USB_DEVICE_ID_CREATIVE_SB_OMNI_SURROUND_51, HID_QUIRK_NOGET },
+       { USB_VENDOR_ID_DMI, USB_DEVICE_ID_DMI_ENC, HID_QUIRK_NOGET },
+       { USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_WIIU, HID_QUIRK_MULTI_INPUT },
+       { USB_VENDOR_ID_ELAN, HID_ANY_ID, HID_QUIRK_ALWAYS_POLL },
diff --git a/queue-4.4/hid-wacom-add-support-for-dtk-1651.patch b/queue-4.4/hid-wacom-add-support-for-dtk-1651.patch
new file mode 100644 (file)
index 0000000..8a7ef7a
--- /dev/null
@@ -0,0 +1,40 @@
+From e1123fe975852cc0970b4e53ea65ca917e54c923 Mon Sep 17 00:00:00 2001
+From: Ping Cheng <pinglinux@gmail.com>
+Date: Tue, 12 Apr 2016 13:37:45 -0700
+Subject: HID: wacom: Add support for DTK-1651
+
+From: Ping Cheng <pinglinux@gmail.com>
+
+commit e1123fe975852cc0970b4e53ea65ca917e54c923 upstream.
+
+DTK-1651 is a display pen-only tablet
+
+Signed-off-by: Ping Cheng <pingc@wacom.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/wacom_wac.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -3449,6 +3449,10 @@ static const struct wacom_features wacom
+       { "Wacom Intuos PT M 2", 21600, 13500, 2047, 63,
+         INTUOSHT2, WACOM_INTUOS_RES, WACOM_INTUOS_RES, .touch_max = 16,
+         .check_for_hid_type = true, .hid_type = HID_TYPE_USBNONE };
++static const struct wacom_features wacom_features_0x343 =
++      { "Wacom DTK1651", 34616, 19559, 1023, 0,
++        DTUS, WACOM_INTUOS_RES, WACOM_INTUOS_RES, 4,
++        WACOM_DTU_OFFSET, WACOM_DTU_OFFSET };
+ static const struct wacom_features wacom_features_HID_ANY_ID =
+       { "Wacom HID", .type = HID_GENERIC };
+@@ -3614,6 +3618,7 @@ const struct hid_device_id wacom_ids[] =
+       { USB_DEVICE_WACOM(0x33C) },
+       { USB_DEVICE_WACOM(0x33D) },
+       { USB_DEVICE_WACOM(0x33E) },
++      { USB_DEVICE_WACOM(0x343) },
+       { USB_DEVICE_WACOM(0x4001) },
+       { USB_DEVICE_WACOM(0x4004) },
+       { USB_DEVICE_WACOM(0x5000) },
diff --git a/queue-4.4/input-zforce_ts-fix-dual-touch-recognition.patch b/queue-4.4/input-zforce_ts-fix-dual-touch-recognition.patch
new file mode 100644 (file)
index 0000000..2a22901
--- /dev/null
@@ -0,0 +1,39 @@
+From 6984ab1ab35f422292b7781c65284038bcc0f6a6 Mon Sep 17 00:00:00 2001
+From: Knut Wohlrab <Knut.Wohlrab@de.bosch.com>
+Date: Mon, 25 Apr 2016 14:08:25 -0700
+Subject: Input: zforce_ts - fix dual touch recognition
+
+From: Knut Wohlrab <Knut.Wohlrab@de.bosch.com>
+
+commit 6984ab1ab35f422292b7781c65284038bcc0f6a6 upstream.
+
+A wrong decoding of the touch coordinate message causes a wrong touch
+ID. Touch ID for dual touch must be 0 or 1.
+
+According to the actual Neonode nine byte touch coordinate coding,
+the state is transported in the lower nibble and the touch ID in
+the higher nibble of payload byte five.
+
+Signed-off-by: Knut Wohlrab <Knut.Wohlrab@de.bosch.com>
+Signed-off-by: Oleksij Rempel <linux@rempel-privat.de>
+Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/zforce_ts.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/touchscreen/zforce_ts.c
++++ b/drivers/input/touchscreen/zforce_ts.c
+@@ -370,8 +370,8 @@ static int zforce_touch_event(struct zfo
+                       point.coord_x = point.coord_y = 0;
+               }
+-              point.state = payload[9 * i + 5] & 0x03;
+-              point.id = (payload[9 * i + 5] & 0xfc) >> 2;
++              point.state = payload[9 * i + 5] & 0x0f;
++              point.id = (payload[9 * i + 5] & 0xf0) >> 4;
+               /* determine touch major, minor and orientation */
+               point.area_major = max(payload[9 * i + 6],
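Review bot: `point.id` is now the full upper nibble of a device-supplied byte, so it can be any value from 0 to 15, while the commit message says the touch ID for dual touch must be 0 or 1. The hunk shows no range check between the extraction and the later uses of `point.id`, which are outside the hunk in zforce_touch_event. If the id selects a slot or an index there, reject out-of-range reports first, for example `if (point.id >= ZFORCE_MAX_IDS_PLACEHOLDER) continue;`, where the name is a placeholder for the driver's real slot count.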
diff --git a/queue-4.4/mm-cma-prevent-nr_isolated_-counters-from-going-negative.patch b/queue-4.4/mm-cma-prevent-nr_isolated_-counters-from-going-negative.patch
new file mode 100644 (file)
index 0000000..7dccfd5
--- /dev/null
@@ -0,0 +1,57 @@
+From 14af4a5e9b26ad251f81c174e8a43f3e179434a5 Mon Sep 17 00:00:00 2001
+From: Hugh Dickins <hughd@google.com>
+Date: Thu, 5 May 2016 16:22:15 -0700
+Subject: mm, cma: prevent nr_isolated_* counters from going negative
+
+From: Hugh Dickins <hughd@google.com>
+
+commit 14af4a5e9b26ad251f81c174e8a43f3e179434a5 upstream.
+
+/proc/sys/vm/stat_refresh warns nr_isolated_anon and nr_isolated_file go
+increasingly negative under compaction: which would add delay when
+should be none, or no delay when should delay.  The bug in compaction
+was due to a recent mmotm patch, but much older instance of the bug was
+also noticed in isolate_migratepages_range() which is used for CMA and
+gigantic hugepage allocations.
+
+The bug is caused by putback_movable_pages() in an error path
+decrementing the isolated counters without them being previously
+incremented by acct_isolated().  Fix isolate_migratepages_range() by
+removing the error-path putback, thus reaching acct_isolated() with
+migratepages still isolated, and leaving putback to caller like most
+other places do.
+
+Fixes: edc2ca612496 ("mm, compaction: move pageblock checks up from isolate_migratepages_range()")
+[vbabka@suse.cz: expanded the changelog]
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Acked-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Michal Hocko <mhocko@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/compaction.c |   10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+--- a/mm/compaction.c
++++ b/mm/compaction.c
+@@ -880,16 +880,8 @@ isolate_migratepages_range(struct compac
+               pfn = isolate_migratepages_block(cc, pfn, block_end_pfn,
+                                                       ISOLATE_UNEVICTABLE);
+-              /*
+-               * In case of fatal failure, release everything that might
+-               * have been isolated in the previous iteration, and signal
+-               * the failure back to caller.
+-               */
+-              if (!pfn) {
+-                      putback_movable_pages(&cc->migratepages);
+-                      cc->nr_migratepages = 0;
++              if (!pfn)
+                       break;
+-              }
+               if (cc->nr_migratepages == COMPACT_CLUSTER_MAX)
+                       break;
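Review bot: With the error-path `putback_movable_pages()` gone, a failing isolate_migratepages_range() now returns with pages still on `cc->migratepages`, and nothing in the new code says so. The removed comment was the only inline description of the failure path. Replace it with one that states the new contract, e.g. `/* on failure, pages isolated so far stay on cc->migratepages; the caller must put them back */` above `if (!pfn)`. The callers are outside the hunk and are worth checking against this contract, since one that does not put back on a zero return would leave pages isolated.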
diff --git a/queue-4.4/mm-update-min_free_kbytes-from-khugepaged-after-core-initialization.patch b/queue-4.4/mm-update-min_free_kbytes-from-khugepaged-after-core-initialization.patch
new file mode 100644 (file)
index 0000000..3a27490
--- /dev/null
@@ -0,0 +1,55 @@
+From bc22af74f271ef76b2e6f72f3941f91f0da3f5f8 Mon Sep 17 00:00:00 2001
+From: Jason Baron <jbaron@akamai.com>
+Date: Thu, 5 May 2016 16:22:12 -0700
+Subject: mm: update min_free_kbytes from khugepaged after core initialization
+
+From: Jason Baron <jbaron@akamai.com>
+
+commit bc22af74f271ef76b2e6f72f3941f91f0da3f5f8 upstream.
+
+Khugepaged attempts to raise min_free_kbytes if its set too low.
+However, on boot khugepaged sets min_free_kbytes first from
+subsys_initcall(), and then the mm 'core' over-rides min_free_kbytes
+after from init_per_zone_wmark_min(), via a module_init() call.
+
+Khugepaged used to use a late_initcall() to set min_free_kbytes (such
+that it occurred after the core initialization), however this was
+removed when the initialization of min_free_kbytes was integrated into
+the starting of the khugepaged thread.
+
+The fix here is simply to invoke the core initialization using a
+core_initcall() instead of module_init(), such that the previous
+initialization ordering is restored.  I didn't restore the
+late_initcall() since start_stop_khugepaged() already sets
+min_free_kbytes via set_recommended_min_free_kbytes().
+
+This was noticed when we had a number of page allocation failures when
+moving a workload to a kernel with this new initialization ordering.  On
+an 8GB system this restores min_free_kbytes back to 67584 from 11365
+when CONFIG_TRANSPARENT_HUGEPAGE=y is set and either
+CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y or
+CONFIG_TRANSPARENT_HUGEPAGE_MADVISE=y.
+
+Fixes: 79553da293d3 ("thp: cleanup khugepaged startup")
+Signed-off-by: Jason Baron <jbaron@akamai.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Acked-by: David Rientjes <rientjes@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/page_alloc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -6193,7 +6193,7 @@ int __meminit init_per_zone_wmark_min(vo
+       setup_per_zone_inactive_ratio();
+       return 0;
+ }
+-module_init(init_per_zone_wmark_min)
++core_initcall(init_per_zone_wmark_min)
+ /*
+  * min_free_kbytes_sysctl_handler - just a wrapper around proc_dointvec() so
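Review bot: The switch to `core_initcall(init_per_zone_wmark_min)` encodes an ordering requirement that the code does not state: per the commit message it must run before khugepaged's `subsys_initcall()` so that khugepaged's min_free_kbytes adjustment is not overwritten. A one-line comment above the initcall, such as `/* must run before khugepaged's subsys_initcall, which raises min_free_kbytes */`, would keep a later initcall-level cleanup from reintroducing the regression.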
diff --git a/queue-4.4/mm-zswap-provide-unique-zpool-name.patch b/queue-4.4/mm-zswap-provide-unique-zpool-name.patch
new file mode 100644 (file)
index 0000000..8cfafb6
--- /dev/null
@@ -0,0 +1,69 @@
+From 32a4e169039927bfb6ee9f0ccbbe3a8aaf13a4bc Mon Sep 17 00:00:00 2001
+From: Dan Streetman <ddstreet@ieee.org>
+Date: Thu, 5 May 2016 16:22:23 -0700
+Subject: mm/zswap: provide unique zpool name
+
+From: Dan Streetman <ddstreet@ieee.org>
+
+commit 32a4e169039927bfb6ee9f0ccbbe3a8aaf13a4bc upstream.
+
+Instead of using "zswap" as the name for all zpools created, add an
+atomic counter and use "zswap%x" with the counter number for each zpool
+created, to provide a unique name for each new zpool.
+
+As zsmalloc, one of the zpool implementations, requires/expects a unique
+name for each pool created, zswap should provide a unique name.  The
+zsmalloc pool creation does not fail if a new pool with a conflicting
+name is created, unless CONFIG_ZSMALLOC_STAT is enabled; in that case,
+zsmalloc pool creation fails with -ENOMEM.  Then zswap will be unable to
+change its compressor parameter if its zpool is zsmalloc; it also will
+be unable to change its zpool parameter back to zsmalloc, if it has any
+existing old zpool using zsmalloc with page(s) in it.  Attempts to
+change the parameters will result in failure to create the zpool.  This
+changes zswap to provide a unique name for each zpool creation.
+
+Fixes: f1c54846ee45 ("zswap: dynamic pool creation")
+Signed-off-by: Dan Streetman <ddstreet@ieee.org>
+Reported-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Cc: Dan Streetman <dan.streetman@canonical.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/zswap.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/mm/zswap.c
++++ b/mm/zswap.c
+@@ -170,6 +170,8 @@ static struct zswap_tree *zswap_trees[MA
+ static LIST_HEAD(zswap_pools);
+ /* protects zswap_pools list modification */
+ static DEFINE_SPINLOCK(zswap_pools_lock);
++/* pool counter to provide unique names to zpool */
++static atomic_t zswap_pools_count = ATOMIC_INIT(0);
+ /* used by param callback function */
+ static bool zswap_init_started;
+@@ -565,6 +567,7 @@ static struct zswap_pool *zswap_pool_fin
+ static struct zswap_pool *zswap_pool_create(char *type, char *compressor)
+ {
+       struct zswap_pool *pool;
++      char name[38]; /* 'zswap' + 32 char (max) num + \0 */
+       gfp_t gfp = __GFP_NORETRY | __GFP_NOWARN | __GFP_KSWAPD_RECLAIM;
+       pool = kzalloc(sizeof(*pool), GFP_KERNEL);
+@@ -573,7 +576,10 @@ static struct zswap_pool *zswap_pool_cre
+               return NULL;
+       }
+-      pool->zpool = zpool_create_pool(type, "zswap", gfp, &zswap_zpool_ops);
++      /* unique name for each pool specifically required by zsmalloc */
++      snprintf(name, 38, "zswap%x", atomic_inc_return(&zswap_pools_count));
++
++      pool->zpool = zpool_create_pool(type, name, gfp, &zswap_zpool_ops);
+       if (!pool->zpool) {
+               pr_err("%s zpool not available\n", type);
+               goto error;
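Review bot: The buffer size is written twice as the literal 38, once in `char name[38]` and once in `snprintf(name, 38, ...)`, so a later change to the array alone would leave the bound wrong. Use `snprintf(name, sizeof(name), "zswap%x", atomic_inc_return(&zswap_pools_count));`. The size comment is also off: `%x` of the `int` returned by `atomic_inc_return()` prints at most 8 hex digits, not 32 characters, so the buffer is oversized rather than too small. zswap_pool_create continues outside the hunk.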
diff --git a/queue-4.4/proc-prevent-accessing-proc-pid-environ-until-it-s-ready.patch b/queue-4.4/proc-prevent-accessing-proc-pid-environ-until-it-s-ready.patch
new file mode 100644 (file)
index 0000000..7738e30
--- /dev/null
@@ -0,0 +1,57 @@
+From 8148a73c9901a8794a50f950083c00ccf97d43b3 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Thu, 5 May 2016 16:22:26 -0700
+Subject: proc: prevent accessing /proc/<PID>/environ until it's ready
+
+From: Mathias Krause <minipli@googlemail.com>
+
+commit 8148a73c9901a8794a50f950083c00ccf97d43b3 upstream.
+
+If /proc/<PID>/environ gets read before the envp[] array is fully set up
+in create_{aout,elf,elf_fdpic,flat}_tables(), we might end up trying to
+read more bytes than are actually written, as env_start will already be
+set but env_end will still be zero, making the range calculation
+underflow, allowing to read beyond the end of what has been written.
+
+Fix this as it is done for /proc/<PID>/cmdline by testing env_end for
+zero.  It is, apparently, intentionally set last in create_*_tables().
+
+This bug was found by the PaX size_overflow plugin that detected the
+arithmetic underflow of 'this_len = env_end - (env_start + src)' when
+env_end is still zero.
+
+The expected consequence is that userland trying to access
+/proc/<PID>/environ of a not yet fully set up process may get
+inconsistent data as we're in the middle of copying in the environment
+variables.
+
+Fixes: https://forums.grsecurity.net/viewtopic.php?f=3&t=4363
+Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=116461
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Emese Revfy <re.emese@gmail.com>
+Cc: Pax Team <pageexec@freemail.hu>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Mateusz Guzik <mguzik@redhat.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Cyrill Gorcunov <gorcunov@openvz.org>
+Cc: Jarod Wilson <jarod@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/base.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -954,7 +954,8 @@ static ssize_t environ_read(struct file
+       int ret = 0;
+       struct mm_struct *mm = file->private_data;
+-      if (!mm)
++      /* Ensure the process spawned far enough to have an environment. */
++      if (!mm || !mm->env_end)
+               return 0;
+       page = (char *)__get_free_page(GFP_TEMPORARY);
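Review bot: The added `!mm->env_end` test reads the field once, with no lock visible in the hunk, while the range computation quoted in the commit message (`this_len = env_end - (env_start + src)`) reads `mm->env_start` and `mm->env_end` again later in environ_read(), whose body continues outside the hunk. If those fields can still change between the two reads (presumably while the process is being set up), the guard and the subtraction can disagree and the underflow this patch targets is only narrowed, not excluded. Consider snapshotting both once, e.g. `unsigned long env_start = mm->env_start, env_end = mm->env_end;`, taken under whatever lock protects them, and using the locals for both the zero test and the length calculation.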
index 1a6df08d3b7eafc16839f8596d587061be6101a8..6e532088f225217d6e651b773938b3e73aae183c 100644 (file)
@@ -21,3 +21,19 @@ mac80211-fix-statistics-leak-if-dev_alloc_name-fails.patch
 tracing-don-t-display-trigger-file-for-events-that-can-t-be-enabled.patch
 md-make-bio-mergeable.patch
 minimal-fix-up-of-bad-hashing-behavior-of-hash_64.patch
+mm-cma-prevent-nr_isolated_-counters-from-going-negative.patch
+mm-zswap-provide-unique-zpool-name.patch
+arm-exynos-properly-skip-unitialized-parent-clock-in-power-domain-on.patch
+arm-socfpga-fix-secondary-cpu-startup-in-thumb2-kernel.patch
+xen-fix-page-pfn-conversion-on-32-bit-systems.patch
+xen-balloon-fix-crash-when-ballooning-on-x86-32-bit-pae.patch
+xen-evtchn-fix-ring-resize-when-binding-new-events.patch
+hid-wacom-add-support-for-dtk-1651.patch
+hid-fix-boot-delay-for-creative-sb-omni-surround-5.1-with-quirk.patch
+input-zforce_ts-fix-dual-touch-recognition.patch
+proc-prevent-accessing-proc-pid-environ-until-it-s-ready.patch
+mm-update-min_free_kbytes-from-khugepaged-after-core-initialization.patch
+batman-adv-fix-dat-candidate-selection-must-use-vid.patch
+batman-adv-check-skb-size-before-using-encapsulated-eth-vlan-header.patch
+batman-adv-fix-broadcast-ogm-queue-limit-on-a-removed-interface.patch
+batman-adv-reduce-refcnt-of-removed-router-when-updating-route.patch
diff --git a/queue-4.4/xen-balloon-fix-crash-when-ballooning-on-x86-32-bit-pae.patch b/queue-4.4/xen-balloon-fix-crash-when-ballooning-on-x86-32-bit-pae.patch
new file mode 100644 (file)
index 0000000..058bcb8
--- /dev/null
@@ -0,0 +1,60 @@
+From dfd74a1edfaba5864276a2859190a8d242d18952 Mon Sep 17 00:00:00 2001
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+Date: Thu, 17 Mar 2016 16:52:00 +0000
+Subject: xen/balloon: Fix crash when ballooning on x86 32 bit PAE
+
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+
+commit dfd74a1edfaba5864276a2859190a8d242d18952 upstream.
+
+Commit 55b3da98a40dbb3776f7454daf0d95dde25c33d2 (xen/balloon: find
+non-conflicting regions to place hotplugged memory) caused a
+regression in 4.4.
+
+When ballooning on an x86 32 bit PAE system with close to 64 GiB of
+memory, the address returned by allocate_resource may be above 64 GiB.
+When using CONFIG_SPARSEMEM, this setup is limited to using physical
+addresses < 64 GiB.  When adding memory at this address, it runs off
+the end of the mem_section array and causes a crash.  Instead, fail
+the ballooning request.
+
+Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/balloon.c |   16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -152,6 +152,8 @@ static DECLARE_WAIT_QUEUE_HEAD(balloon_w
+ static void balloon_process(struct work_struct *work);
+ static DECLARE_DELAYED_WORK(balloon_worker, balloon_process);
++static void release_memory_resource(struct resource *resource);
++
+ /* When ballooning out (allocating memory to return to Xen) we don't really
+    want the kernel to try too hard since that can trigger the oom killer. */
+ #define GFP_BALLOON \
+@@ -268,6 +270,20 @@ static struct resource *additional_memor
+               return NULL;
+       }
++#ifdef CONFIG_SPARSEMEM
++      {
++              unsigned long limit = 1UL << (MAX_PHYSMEM_BITS - PAGE_SHIFT);
++              unsigned long pfn = res->start >> PAGE_SHIFT;
++
++              if (pfn > limit) {
++                      pr_err("New System RAM resource outside addressable RAM (%lu > %lu)\n",
++                             pfn, limit);
++                      release_memory_resource(res);
++                      return NULL;
++              }
++      }
++#endif
++
+       return res;
+ }
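Review bot: The bound check in the new CONFIG_SPARSEMEM block tests only the first page of the resource and uses `>`, so a region that starts exactly at `limit`, or starts below it and extends past it, is still returned to the caller. `limit` is computed as the number of addressable PFNs, which makes `limit - 1` the last valid one; checking the inclusive end of the range closes both gaps: `unsigned long pfn = res->end >> PAGE_SHIFT;` with `if (pfn >= limit) {`. The sizing of the mem_section array named in the commit message is not visible here, so the exact bound should be confirmed against its definition. additional_memory_resource() begins outside the hunk.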
diff --git a/queue-4.4/xen-evtchn-fix-ring-resize-when-binding-new-events.patch b/queue-4.4/xen-evtchn-fix-ring-resize-when-binding-new-events.patch
new file mode 100644 (file)
index 0000000..c2de96b
--- /dev/null
@@ -0,0 +1,72 @@
+From 27e0e6385377c4dc68a4ddaf1a35a2dfa951f3c5 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <JBeulich@suse.com>
+Date: Wed, 4 May 2016 07:02:36 -0600
+Subject: xen/evtchn: fix ring resize when binding new events
+
+From: Jan Beulich <JBeulich@suse.com>
+
+commit 27e0e6385377c4dc68a4ddaf1a35a2dfa951f3c5 upstream.
+
+The copying of ring data was wrong for two cases: For a full ring
+nothing got copied at all (as in that case the canonicalized producer
+and consumer indexes are identical). And in case one or both of the
+canonicalized (after the resize) indexes would point into the second
+half of the buffer, the copied data ended up in the wrong (free) part
+of the new buffer. In both cases uninitialized data would get passed
+back to the caller.
+
+Fix this by simply copying the old ring contents twice: Once to the
+low half of the new buffer, and a second time to the high half.
+
+This addresses the inability to boot a HVM guest with 64 or more
+vCPUs.  This regression was caused by 8620015499101090 (xen/evtchn:
+dynamically grow pending event channel ring).
+
+Reported-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/evtchn.c |   20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+--- a/drivers/xen/evtchn.c
++++ b/drivers/xen/evtchn.c
+@@ -316,7 +316,6 @@ static int evtchn_resize_ring(struct per
+ {
+       unsigned int new_size;
+       evtchn_port_t *new_ring, *old_ring;
+-      unsigned int p, c;
+       /*
+        * Ensure the ring is large enough to capture all possible
+@@ -346,20 +345,17 @@ static int evtchn_resize_ring(struct per
+       /*
+        * Copy the old ring contents to the new ring.
+        *
+-       * If the ring contents crosses the end of the current ring,
+-       * it needs to be copied in two chunks.
++       * To take care of wrapping, a full ring, and the new index
++       * pointing into the second half, simply copy the old contents
++       * twice.
+        *
+        * +---------+    +------------------+
+-       * |34567  12| -> |       1234567    |
+-       * +-----p-c-+    +------------------+
++       * |34567  12| -> |34567  1234567  12|
++       * +-----p-c-+    +-------c------p---+
+        */
+-      p = evtchn_ring_offset(u, u->ring_prod);
+-      c = evtchn_ring_offset(u, u->ring_cons);
+-      if (p < c) {
+-              memcpy(new_ring + c, u->ring + c, (u->ring_size - c) * sizeof(*u->ring));
+-              memcpy(new_ring + u->ring_size, u->ring, p * sizeof(*u->ring));
+-      } else
+-              memcpy(new_ring + c, u->ring + c, (p - c) * sizeof(*u->ring));
++      memcpy(new_ring, old_ring, u->ring_size * sizeof(*u->ring));
++      memcpy(new_ring + u->ring_size, old_ring,
++             u->ring_size * sizeof(*u->ring));
+       u->ring = new_ring;
+       u->ring_size = new_size;
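Review bot: The second `memcpy` writes `u->ring_size` entries starting at `new_ring + u->ring_size`, which stays in bounds only if the new buffer holds at least `2 * u->ring_size` entries; the computation of `new_size` and the allocation are outside the hunk. The rewritten block comment should state that invariant, so that a later change to the growth policy does not silently turn this copy into an out-of-bounds write, e.g. by adding the line ` * This relies on new_size being twice u->ring_size.` above the diagram. evtchn_resize_ring() begins before and ends after the lines shown.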
diff --git a/queue-4.4/xen-fix-page-pfn-conversion-on-32-bit-systems.patch b/queue-4.4/xen-fix-page-pfn-conversion-on-32-bit-systems.patch
new file mode 100644 (file)
index 0000000..21294f8
--- /dev/null
@@ -0,0 +1,43 @@
+From 60901df3aed230d4565dca003f11b6a95fbf30d9 Mon Sep 17 00:00:00 2001
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+Date: Thu, 17 Mar 2016 16:51:59 +0000
+Subject: xen: Fix page <-> pfn conversion on 32 bit systems
+
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+
+commit 60901df3aed230d4565dca003f11b6a95fbf30d9 upstream.
+
+Commit 1084b1988d22dc165c9dbbc2b0e057f9248ac4db (xen: Add Xen specific
+page definition) caused a regression in 4.4.
+
+The xen functions to convert between pages and pfns fail due to an
+overflow on systems where a physical address may not fit in an
+unsigned long (e.g. x86 32 bit PAE systems). Rework the conversion to
+avoid overflow. This should also result in simpler object code.
+
+This bug manifested itself as disk corruption with Linux 4.4 when
+using blkfront in a Xen HVM x86 32 bit guest with more than 4 GiB of
+memory.
+
+Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/xen/page.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/xen/page.h
++++ b/include/xen/page.h
+@@ -15,9 +15,9 @@
+  */
+ #define xen_pfn_to_page(xen_pfn)      \
+-      ((pfn_to_page(((unsigned long)(xen_pfn) << XEN_PAGE_SHIFT) >> PAGE_SHIFT)))
++      (pfn_to_page((unsigned long)(xen_pfn) >> (PAGE_SHIFT - XEN_PAGE_SHIFT)))
+ #define page_to_xen_pfn(page)         \
+-      (((page_to_pfn(page)) << PAGE_SHIFT) >> XEN_PAGE_SHIFT)
++      ((page_to_pfn(page)) << (PAGE_SHIFT - XEN_PAGE_SHIFT))
+ #define XEN_PFN_PER_PAGE      (PAGE_SIZE / XEN_PAGE_SIZE)
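Review bot: Both rewritten macros shift by `(PAGE_SHIFT - XEN_PAGE_SHIFT)`, which is only defined when PAGE_SHIFT is not smaller than XEN_PAGE_SHIFT; a negative shift count is undefined behaviour and nothing in the hunk enforces the relation. The comment that ends just above the macros is cut off, so it may already mention the assumption, but a compile-time check would make it binding: `BUILD_BUG_ON(PAGE_SHIFT < XEN_PAGE_SHIFT);` in an init function of the Xen code, plus `/* requires PAGE_SHIFT >= XEN_PAGE_SHIFT */` next to the macros. Note also that `xen_pfn_to_page()` still casts `xen_pfn` to `unsigned long` before shifting, so it depends on the Xen PFN itself fitting in that type on 32-bit builds.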