--- /dev/null
+From 3925a16ae980c79d1a8fd182d7f9487da1edd4dc Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Thu, 28 Jul 2016 11:35:50 -0700
+Subject: ARC: mm: don't loose PTE_SPECIAL in pte_modify()
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+commit 3925a16ae980c79d1a8fd182d7f9487da1edd4dc upstream.
+
+LTP madvise05 was generating mm splat
+
+| [ARCLinux]# /sd/ltp/testcases/bin/madvise05
+| BUG: Bad page map in process madvise05 pte:80e08211 pmd:9f7d4000
+| page:9fdcfc90 count:1 mapcount:-1 mapping: (null) index:0x0 flags: 0x404(referenced|reserved)
+| page dumped because: bad pte
+| addr:200b8000 vm_flags:00000070 anon_vma: (null) mapping: (null) index:1005c
+| file: (null) fault: (null) mmap: (null) readpage: (null)
+| CPU: 2 PID: 6707 Comm: madvise05
+
+And for newer kernels, the system was rendered unusable afterwards.
+
+The problem was mprotect->pte_modify() clearing PTE_SPECIAL (which is
+set to identify the special zero page wired to the pte).
+When pte was finally unmapped, special casing for zero page was not
+done, and instead it was treated as a "normal" page, tripping on the
+map counts etc.
+
+This fixes ARC STAR 9001053308
+
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/include/asm/pgtable.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arc/include/asm/pgtable.h
++++ b/arch/arc/include/asm/pgtable.h
+@@ -110,7 +110,7 @@
+ #define ___DEF (_PAGE_PRESENT | _PAGE_CACHEABLE)
+
+ /* Set of bits not changed in pte_modify */
+-#define _PAGE_CHG_MASK (PAGE_MASK | _PAGE_ACCESSED | _PAGE_DIRTY)
++#define _PAGE_CHG_MASK (PAGE_MASK | _PAGE_ACCESSED | _PAGE_DIRTY | _PAGE_SPECIAL)
+
+ /* More Abbrevaited helpers */
+ #define PAGE_U_NONE __pgprot(___DEF)
--- /dev/null
+From 23bc6ab0a0912146fd674a0becc758c3162baabc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?=
+ <amadeusz.slawinski@tieto.com>
+Date: Thu, 14 Jul 2016 10:50:23 +0200
+Subject: Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Amadeusz Sławiński <amadeusz.slawinski@tieto.com>
+
+commit 23bc6ab0a0912146fd674a0becc758c3162baabc upstream.
+
+When we retrieve imtu value from userspace we should use 16 bit pointer
+cast instead of 32 as it's defined that way in headers. Fixes setsockopt
+calls on big-endian platforms.
+
+Signed-off-by: Amadeusz Sławiński <amadeusz.slawinski@tieto.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/l2cap_sock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -927,7 +927,7 @@ static int l2cap_sock_setsockopt(struct
+ break;
+ }
+
+- if (get_user(opt, (u32 __user *) optval)) {
++ if (get_user(opt, (u16 __user *) optval)) {
+ err = -EFAULT;
+ break;
+ }
--- /dev/null
+From eaf9a7361f47727b166688a9f2096854eef60fbe Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Tue, 2 Aug 2016 13:07:20 -0400
+Subject: dm: set DMF_SUSPENDED* _before_ clearing DMF_NOFLUSH_SUSPENDING
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit eaf9a7361f47727b166688a9f2096854eef60fbe upstream.
+
+Otherwise, there is potential for both DMF_SUSPENDED* and
+DMF_NOFLUSH_SUSPENDING to not be set during dm_suspend() -- which is
+definitely _not_ a valid state.
+
+This fix, in conjuction with "dm rq: fix the starting and stopping of
+blk-mq queues", addresses the potential for request-based DM multipath's
+__multipath_map() to see !dm_noflush_suspending() during suspend.
+
+Reported-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -3078,7 +3078,8 @@ static void unlock_fs(struct mapped_devi
+ * Caller must hold md->suspend_lock
+ */
+ static int __dm_suspend(struct mapped_device *md, struct dm_table *map,
+- unsigned suspend_flags, int interruptible)
++ unsigned suspend_flags, int interruptible,
++ int dmf_suspended_flag)
+ {
+ bool do_lockfs = suspend_flags & DM_SUSPEND_LOCKFS_FLAG;
+ bool noflush = suspend_flags & DM_SUSPEND_NOFLUSH_FLAG;
+@@ -3145,6 +3146,8 @@ static int __dm_suspend(struct mapped_de
+ * to finish.
+ */
+ r = dm_wait_for_completion(md, interruptible);
++ if (!r)
++ set_bit(dmf_suspended_flag, &md->flags);
+
+ if (noflush)
+ clear_bit(DMF_NOFLUSH_SUSPENDING, &md->flags);
+@@ -3206,12 +3209,10 @@ retry:
+
+ map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock));
+
+- r = __dm_suspend(md, map, suspend_flags, TASK_INTERRUPTIBLE);
++ r = __dm_suspend(md, map, suspend_flags, TASK_INTERRUPTIBLE, DMF_SUSPENDED);
+ if (r)
+ goto out_unlock;
+
+- set_bit(DMF_SUSPENDED, &md->flags);
+-
+ dm_table_postsuspend_targets(map);
+
+ out_unlock:
+@@ -3305,9 +3306,8 @@ static void __dm_internal_suspend(struct
+ * would require changing .presuspend to return an error -- avoid this
+ * until there is a need for more elaborate variants of internal suspend.
+ */
+- (void) __dm_suspend(md, map, suspend_flags, TASK_UNINTERRUPTIBLE);
+-
+- set_bit(DMF_SUSPENDED_INTERNALLY, &md->flags);
++ (void) __dm_suspend(md, map, suspend_flags, TASK_UNINTERRUPTIBLE,
++ DMF_SUSPENDED_INTERNALLY);
+
+ dm_table_postsuspend_targets(map);
+ }
--- /dev/null
+From bba142957e04c400440d2df83c1b3b2dfc42e220 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Fri, 10 Jun 2016 10:28:38 +0200
+Subject: EDAC: Correct channel count limit
+
+From: Borislav Petkov <bp@suse.de>
+
+commit bba142957e04c400440d2df83c1b3b2dfc42e220 upstream.
+
+c44696fff04f ("EDAC: Remove arbitrary limit on number of channels")
+lifted the arbitrary limit on memory controller channels in EDAC.
+However, the dynamic channel attributes dynamic_csrow_dimm_attr and
+dynamic_csrow_ce_count_attr remained 6.
+
+This wasn't a problem except channels 6 and 7 weren't visible in sysfs
+on machines with more than 6 channels after the conversion to static
+attr groups with
+
+ 2c1946b6d629 ("EDAC: Use static attribute groups for managing sysfs entries")
+
+ [ without that, we're exploding in edac_create_sysfs_mci_device()
+ because we're dereferencing out of the bounds of the
+ dynamic_csrow_dimm_attr array. ]
+
+Add attributes for channels 6 and 7 along with a guard for the
+future, should more channels be required and/or to sanity check for
+misconfigured machines.
+
+We still need to check against the number of channels present on the MC
+first, as Thor reported.
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reported-by: Hironobu Ishii <ishii.hironobu@jp.fujitsu.com>
+Tested-by: Thor Thayer <tthayer@opensource.altera.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/edac_mc_sysfs.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/drivers/edac/edac_mc_sysfs.c
++++ b/drivers/edac/edac_mc_sysfs.c
+@@ -313,7 +313,6 @@ static struct device_type csrow_attr_typ
+ * possible dynamic channel DIMM Label attribute files
+ *
+ */
+-
+ DEVICE_CHANNEL(ch0_dimm_label, S_IRUGO | S_IWUSR,
+ channel_dimm_label_show, channel_dimm_label_store, 0);
+ DEVICE_CHANNEL(ch1_dimm_label, S_IRUGO | S_IWUSR,
+@@ -326,6 +325,10 @@ DEVICE_CHANNEL(ch4_dimm_label, S_IRUGO |
+ channel_dimm_label_show, channel_dimm_label_store, 4);
+ DEVICE_CHANNEL(ch5_dimm_label, S_IRUGO | S_IWUSR,
+ channel_dimm_label_show, channel_dimm_label_store, 5);
++DEVICE_CHANNEL(ch6_dimm_label, S_IRUGO | S_IWUSR,
++ channel_dimm_label_show, channel_dimm_label_store, 6);
++DEVICE_CHANNEL(ch7_dimm_label, S_IRUGO | S_IWUSR,
++ channel_dimm_label_show, channel_dimm_label_store, 7);
+
+ /* Total possible dynamic DIMM Label attribute file table */
+ static struct attribute *dynamic_csrow_dimm_attr[] = {
+@@ -335,6 +338,8 @@ static struct attribute *dynamic_csrow_d
+ &dev_attr_legacy_ch3_dimm_label.attr.attr,
+ &dev_attr_legacy_ch4_dimm_label.attr.attr,
+ &dev_attr_legacy_ch5_dimm_label.attr.attr,
++ &dev_attr_legacy_ch6_dimm_label.attr.attr,
++ &dev_attr_legacy_ch7_dimm_label.attr.attr,
+ NULL
+ };
+
+@@ -351,6 +356,10 @@ DEVICE_CHANNEL(ch4_ce_count, S_IRUGO,
+ channel_ce_count_show, NULL, 4);
+ DEVICE_CHANNEL(ch5_ce_count, S_IRUGO,
+ channel_ce_count_show, NULL, 5);
++DEVICE_CHANNEL(ch6_ce_count, S_IRUGO,
++ channel_ce_count_show, NULL, 6);
++DEVICE_CHANNEL(ch7_ce_count, S_IRUGO,
++ channel_ce_count_show, NULL, 7);
+
+ /* Total possible dynamic ce_count attribute file table */
+ static struct attribute *dynamic_csrow_ce_count_attr[] = {
+@@ -360,6 +369,8 @@ static struct attribute *dynamic_csrow_c
+ &dev_attr_legacy_ch3_ce_count.attr.attr,
+ &dev_attr_legacy_ch4_ce_count.attr.attr,
+ &dev_attr_legacy_ch5_ce_count.attr.attr,
++ &dev_attr_legacy_ch6_ce_count.attr.attr,
++ &dev_attr_legacy_ch7_ce_count.attr.attr,
+ NULL
+ };
+
+@@ -371,9 +382,16 @@ static umode_t csrow_dev_is_visible(stru
+
+ if (idx >= csrow->nr_channels)
+ return 0;
++
++ if (idx >= ARRAY_SIZE(dynamic_csrow_ce_count_attr) - 1) {
++ WARN_ONCE(1, "idx: %d\n", idx);
++ return 0;
++ }
++
+ /* Only expose populated DIMMs */
+ if (!csrow->channels[idx]->dimm->nr_pages)
+ return 0;
++
+ return attr->mode;
+ }
+
--- /dev/null
+From bbdb34c90aeb8b2253eae88029788ebe1d7f2fd4 Mon Sep 17 00:00:00 2001
+From: Jonathan McDowell <noodles@earth.li>
+Date: Sat, 14 May 2016 14:01:26 -0300
+Subject: [media] Fix RC5 decoding with Fintek CIR chipset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan McDowell <noodles@earth.li>
+
+commit bbdb34c90aeb8b2253eae88029788ebe1d7f2fd4 upstream.
+
+Fix RC5 decoding with Fintek CIR chipset
+
+Commit e87b540be2dd02552fb9244d50ae8b4e4619a34b tightened up the RC5
+decoding by adding a check for trailing silence to ensure a valid RC5
+command had been received. Unfortunately the trailer length checked was
+10 units and the Fintek CIR device does not want to provide details of a
+space longer than 6350us. This meant that RC5 remotes working on a
+Fintek setup on 3.16 failed on 3.17 and later. Fix this by shortening
+the trailer check to 6 units (allowing for a previous space in the
+received remote command).
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=117221
+
+Signed-off-by: Jonathan McDowell <noodles@earth.li>
+Signed-off-by: David Härdeman <david@hardeman.nu>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/rc/ir-rc5-decoder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/rc/ir-rc5-decoder.c
++++ b/drivers/media/rc/ir-rc5-decoder.c
+@@ -29,7 +29,7 @@
+ #define RC5_BIT_START (1 * RC5_UNIT)
+ #define RC5_BIT_END (1 * RC5_UNIT)
+ #define RC5X_SPACE (4 * RC5_UNIT)
+-#define RC5_TRAILER (10 * RC5_UNIT) /* In reality, approx 100 */
++#define RC5_TRAILER (6 * RC5_UNIT) /* In reality, approx 100 */
+
+ enum rc5_state {
+ STATE_INACTIVE,
--- /dev/null
+From 67f8ecc550b5bda03335f845dc869b8501d25fd0 Mon Sep 17 00:00:00 2001
+From: Roderick Colenbrander <roderick.colenbrander@sony.com>
+Date: Wed, 18 May 2016 13:11:09 -0700
+Subject: HID: uhid: fix timeout when probe races with IO
+
+From: Roderick Colenbrander <roderick.colenbrander@sony.com>
+
+commit 67f8ecc550b5bda03335f845dc869b8501d25fd0 upstream.
+
+Many devices use userspace bluetooth stacks like BlueZ or Bluedroid in combination
+with uhid. If any of these stacks is used with a HID device for which the driver
+performs a HID request as part .probe (or technically another HID operation),
+this results in a deadlock situation. The deadlock results in a 5 second timeout
+for I/O operations in HID drivers, so isn't fatal, but none of the I/O operations
+have a chance of succeeding.
+
+The root cause for the problem is that uhid only allows for one request to be
+processed at a time per uhid instance and locks out other operations. This means
+that if a user space is creating a new HID device through 'UHID_CREATE', which
+ultimately triggers '.probe' through the HID layer. Then any HID request e.g. a
+read for calibration data would trigger a HID operation on uhid again, but it
+won't go out to userspace, because it is still stuck in UHID_CREATE.
+In addition bluetooth stacks are typically single threaded, so they wouldn't be
+able to handle any requests while waiting on uhid.
+
+Lucikly the UHID spec is somewhat flexible and allows for fixing the issue,
+without breaking user space. The idea which the patch implements as discussed
+with David Herrmann is to decouple adding of a hid device (which triggers .probe)
+from UHID_CREATE. The work will kick off roughly once UHID_CREATE completed (or
+else will wait a tiny bit of time in .probe for a lock). A HID driver has to call
+HID to call 'hid_hw_start()' as part of .probe once it is ready for I/O, which
+triggers UHID_START to user space. Any HID operations should function now within
+.probe and won't deadlock because userspace is stuck on UHID_CREATE.
+
+We verified this patch on Bluedroid with Android 6.0 and on desktop Linux with
+BlueZ stacks. Prior to the patch they had the deadlock issue.
+
+[jkosina@suse.cz: reword subject]
+Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/uhid.c | 33 ++++++++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+--- a/drivers/hid/uhid.c
++++ b/drivers/hid/uhid.c
+@@ -51,10 +51,26 @@ struct uhid_device {
+ u32 report_id;
+ u32 report_type;
+ struct uhid_event report_buf;
++ struct work_struct worker;
+ };
+
+ static struct miscdevice uhid_misc;
+
++static void uhid_device_add_worker(struct work_struct *work)
++{
++ struct uhid_device *uhid = container_of(work, struct uhid_device, worker);
++ int ret;
++
++ ret = hid_add_device(uhid->hid);
++ if (ret) {
++ hid_err(uhid->hid, "Cannot register HID device: error %d\n", ret);
++
++ hid_destroy_device(uhid->hid);
++ uhid->hid = NULL;
++ uhid->running = false;
++ }
++}
++
+ static void uhid_queue(struct uhid_device *uhid, struct uhid_event *ev)
+ {
+ __u8 newhead;
+@@ -498,18 +514,14 @@ static int uhid_dev_create2(struct uhid_
+ uhid->hid = hid;
+ uhid->running = true;
+
+- ret = hid_add_device(hid);
+- if (ret) {
+- hid_err(hid, "Cannot register HID device\n");
+- goto err_hid;
+- }
++ /* Adding of a HID device is done through a worker, to allow HID drivers
++ * which use feature requests during .probe to work, without they would
++ * be blocked on devlock, which is held by uhid_char_write.
++ */
++ schedule_work(&uhid->worker);
+
+ return 0;
+
+-err_hid:
+- hid_destroy_device(hid);
+- uhid->hid = NULL;
+- uhid->running = false;
+ err_free:
+ kfree(uhid->rd_data);
+ uhid->rd_data = NULL;
+@@ -550,6 +562,8 @@ static int uhid_dev_destroy(struct uhid_
+ uhid->running = false;
+ wake_up_interruptible(&uhid->report_wait);
+
++ cancel_work_sync(&uhid->worker);
++
+ hid_destroy_device(uhid->hid);
+ kfree(uhid->rd_data);
+
+@@ -612,6 +626,7 @@ static int uhid_char_open(struct inode *
+ init_waitqueue_head(&uhid->waitq);
+ init_waitqueue_head(&uhid->report_wait);
+ uhid->running = false;
++ INIT_WORK(&uhid->worker, uhid_device_add_worker);
+
+ file->private_data = uhid;
+ nonseekable_open(inode, file);
--- /dev/null
+From fc8a601e1175ae351f662506030f9939cb7fdbfe Mon Sep 17 00:00:00 2001
+From: Alex Hung <alex.hung@canonical.com>
+Date: Mon, 13 Jun 2016 19:44:00 +0800
+Subject: hp-wmi: Fix wifi cannot be hard-unblocked
+
+From: Alex Hung <alex.hung@canonical.com>
+
+commit fc8a601e1175ae351f662506030f9939cb7fdbfe upstream.
+
+Several users reported wifi cannot be unblocked as discussed in [1].
+This patch removes the use of the 2009 flag by BIOS but uses the actual
+WMI function calls - it will be skipped if WMI reports unsupported.
+
+[1] https://bugzilla.kernel.org/show_bug.cgi?id=69131
+
+Signed-off-by: Alex Hung <alex.hung@canonical.com>
+Tested-by: Evgenii Shatokhin <eugene.shatokhin@yandex.ru>
+Signed-off-by: Darren Hart <dvhart@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/platform/x86/hp-wmi.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/hp-wmi.c
++++ b/drivers/platform/x86/hp-wmi.c
+@@ -723,6 +723,11 @@ static int __init hp_wmi_rfkill_setup(st
+ if (err)
+ return err;
+
++ err = hp_wmi_perform_query(HPWMI_WIRELESS_QUERY, 1, &wireless,
++ sizeof(wireless), 0);
++ if (err)
++ return err;
++
+ if (wireless & 0x1) {
+ wifi_rfkill = rfkill_alloc("hp-wifi", &device->dev,
+ RFKILL_TYPE_WLAN,
+@@ -910,7 +915,7 @@ static int __init hp_wmi_bios_setup(stru
+ gps_rfkill = NULL;
+ rfkill2_count = 0;
+
+- if (hp_wmi_bios_2009_later() || hp_wmi_rfkill_setup(device))
++ if (hp_wmi_rfkill_setup(device))
+ hp_wmi_rfkill2_setup(device);
+
+ err = device_create_file(&device->dev, &dev_attr_display);
--- /dev/null
+From 7dd91d52a813f99a95d20f539b777e9e6198b931 Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Sat, 16 Jul 2016 02:36:38 +0300
+Subject: i2c: efm32: fix a failure path in efm32_i2c_probe()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+commit 7dd91d52a813f99a95d20f539b777e9e6198b931 upstream.
+
+There is the only failure path in efm32_i2c_probe(),
+where clk_disable_unprepare() is missed.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Fixes: 1b5b23718b84 ("i2c: efm32: new bus driver")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-efm32.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-efm32.c
++++ b/drivers/i2c/busses/i2c-efm32.c
+@@ -433,7 +433,7 @@ static int efm32_i2c_probe(struct platfo
+ ret = request_irq(ddata->irq, efm32_i2c_irq, 0, DRIVER_NAME, ddata);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "failed to request irq (%d)\n", ret);
+- return ret;
++ goto err_disable_clk;
+ }
+
+ ret = i2c_add_adapter(&ddata->adapter);
--- /dev/null
+From abcfb5d979892fc8b12574551fc907c05fe1b11b Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 30 Jun 2016 11:49:01 -0400
+Subject: jbd2: make journal y2038 safe
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit abcfb5d979892fc8b12574551fc907c05fe1b11b upstream.
+
+The jbd2 journal stores the commit time in 64-bit seconds and 32-bit
+nanoseconds, which avoids an overflow in 2038, but it gets the numbers
+from current_kernel_time(), which uses 'long' seconds on 32-bit
+architectures.
+
+This simply changes the code to call current_kernel_time64() so
+we use 64-bit seconds consistently.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/commit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/jbd2/commit.c
++++ b/fs/jbd2/commit.c
+@@ -124,7 +124,7 @@ static int journal_submit_commit_record(
+ struct commit_header *tmp;
+ struct buffer_head *bh;
+ int ret;
+- struct timespec now = current_kernel_time();
++ struct timespec64 now = current_kernel_time64();
+
+ *cbh = NULL;
+
--- /dev/null
+From ca6e6126db5494f18c6c6615060d4d803b528bff Mon Sep 17 00:00:00 2001
+From: Soeren Moch <smoch@web.de>
+Date: Wed, 11 May 2016 13:49:11 -0300
+Subject: [media] media: dvb_ringbuffer: Add memory barriers
+
+From: Soeren Moch <smoch@web.de>
+
+commit ca6e6126db5494f18c6c6615060d4d803b528bff upstream.
+
+Implement memory barriers according to Documentation/circular-buffers.txt:
+- use smp_store_release() to update ringbuffer read/write pointers
+- use smp_load_acquire() to load write pointer on reader side
+- use ACCESS_ONCE() to load read pointer on writer side
+
+This fixes data stream corruptions observed e.g. on an ARM Cortex-A9
+quad core system with different types (PCI, USB) of DVB tuners.
+
+Signed-off-by: Soeren Moch <smoch@web.de>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/dvb-core/dvb_ringbuffer.c | 74 ++++++++++++++++++++++++++------
+ 1 file changed, 61 insertions(+), 13 deletions(-)
+
+--- a/drivers/media/dvb-core/dvb_ringbuffer.c
++++ b/drivers/media/dvb-core/dvb_ringbuffer.c
+@@ -55,7 +55,13 @@ void dvb_ringbuffer_init(struct dvb_ring
+
+ int dvb_ringbuffer_empty(struct dvb_ringbuffer *rbuf)
+ {
+- return (rbuf->pread==rbuf->pwrite);
++ /* smp_load_acquire() to load write pointer on reader side
++ * this pairs with smp_store_release() in dvb_ringbuffer_write(),
++ * dvb_ringbuffer_write_user(), or dvb_ringbuffer_reset()
++ *
++ * for memory barriers also see Documentation/circular-buffers.txt
++ */
++ return (rbuf->pread == smp_load_acquire(&rbuf->pwrite));
+ }
+
+
+@@ -64,7 +70,12 @@ ssize_t dvb_ringbuffer_free(struct dvb_r
+ {
+ ssize_t free;
+
+- free = rbuf->pread - rbuf->pwrite;
++ /* ACCESS_ONCE() to load read pointer on writer side
++ * this pairs with smp_store_release() in dvb_ringbuffer_read(),
++ * dvb_ringbuffer_read_user(), dvb_ringbuffer_flush(),
++ * or dvb_ringbuffer_reset()
++ */
++ free = ACCESS_ONCE(rbuf->pread) - rbuf->pwrite;
+ if (free <= 0)
+ free += rbuf->size;
+ return free-1;
+@@ -76,7 +87,11 @@ ssize_t dvb_ringbuffer_avail(struct dvb_
+ {
+ ssize_t avail;
+
+- avail = rbuf->pwrite - rbuf->pread;
++ /* smp_load_acquire() to load write pointer on reader side
++ * this pairs with smp_store_release() in dvb_ringbuffer_write(),
++ * dvb_ringbuffer_write_user(), or dvb_ringbuffer_reset()
++ */
++ avail = smp_load_acquire(&rbuf->pwrite) - rbuf->pread;
+ if (avail < 0)
+ avail += rbuf->size;
+ return avail;
+@@ -86,14 +101,25 @@ ssize_t dvb_ringbuffer_avail(struct dvb_
+
+ void dvb_ringbuffer_flush(struct dvb_ringbuffer *rbuf)
+ {
+- rbuf->pread = rbuf->pwrite;
++ /* dvb_ringbuffer_flush() counts as read operation
++ * smp_load_acquire() to load write pointer
++ * smp_store_release() to update read pointer, this ensures that the
++ * correct pointer is visible for subsequent dvb_ringbuffer_free()
++ * calls on other cpu cores
++ */
++ smp_store_release(&rbuf->pread, smp_load_acquire(&rbuf->pwrite));
+ rbuf->error = 0;
+ }
+ EXPORT_SYMBOL(dvb_ringbuffer_flush);
+
+ void dvb_ringbuffer_reset(struct dvb_ringbuffer *rbuf)
+ {
+- rbuf->pread = rbuf->pwrite = 0;
++ /* dvb_ringbuffer_reset() counts as read and write operation
++ * smp_store_release() to update read pointer
++ */
++ smp_store_release(&rbuf->pread, 0);
++ /* smp_store_release() to update write pointer */
++ smp_store_release(&rbuf->pwrite, 0);
+ rbuf->error = 0;
+ }
+
+@@ -119,12 +145,17 @@ ssize_t dvb_ringbuffer_read_user(struct
+ return -EFAULT;
+ buf += split;
+ todo -= split;
+- rbuf->pread = 0;
++ /* smp_store_release() for read pointer update to ensure
++ * that buf is not overwritten until read is complete,
++ * this pairs with ACCESS_ONCE() in dvb_ringbuffer_free()
++ */
++ smp_store_release(&rbuf->pread, 0);
+ }
+ if (copy_to_user(buf, rbuf->data+rbuf->pread, todo))
+ return -EFAULT;
+
+- rbuf->pread = (rbuf->pread + todo) % rbuf->size;
++ /* smp_store_release() to update read pointer, see above */
++ smp_store_release(&rbuf->pread, (rbuf->pread + todo) % rbuf->size);
+
+ return len;
+ }
+@@ -139,11 +170,16 @@ void dvb_ringbuffer_read(struct dvb_ring
+ memcpy(buf, rbuf->data+rbuf->pread, split);
+ buf += split;
+ todo -= split;
+- rbuf->pread = 0;
++ /* smp_store_release() for read pointer update to ensure
++ * that buf is not overwritten until read is complete,
++ * this pairs with ACCESS_ONCE() in dvb_ringbuffer_free()
++ */
++ smp_store_release(&rbuf->pread, 0);
+ }
+ memcpy(buf, rbuf->data+rbuf->pread, todo);
+
+- rbuf->pread = (rbuf->pread + todo) % rbuf->size;
++ /* smp_store_release() to update read pointer, see above */
++ smp_store_release(&rbuf->pread, (rbuf->pread + todo) % rbuf->size);
+ }
+
+
+@@ -158,10 +194,16 @@ ssize_t dvb_ringbuffer_write(struct dvb_
+ memcpy(rbuf->data+rbuf->pwrite, buf, split);
+ buf += split;
+ todo -= split;
+- rbuf->pwrite = 0;
++ /* smp_store_release() for write pointer update to ensure that
++ * written data is visible on other cpu cores before the pointer
++ * update, this pairs with smp_load_acquire() in
++ * dvb_ringbuffer_empty() or dvb_ringbuffer_avail()
++ */
++ smp_store_release(&rbuf->pwrite, 0);
+ }
+ memcpy(rbuf->data+rbuf->pwrite, buf, todo);
+- rbuf->pwrite = (rbuf->pwrite + todo) % rbuf->size;
++ /* smp_store_release() for write pointer update, see above */
++ smp_store_release(&rbuf->pwrite, (rbuf->pwrite + todo) % rbuf->size);
+
+ return len;
+ }
+@@ -181,12 +223,18 @@ ssize_t dvb_ringbuffer_write_user(struct
+ return len - todo;
+ buf += split;
+ todo -= split;
+- rbuf->pwrite = 0;
++ /* smp_store_release() for write pointer update to ensure that
++ * written data is visible on other cpu cores before the pointer
++ * update, this pairs with smp_load_acquire() in
++ * dvb_ringbuffer_empty() or dvb_ringbuffer_avail()
++ */
++ smp_store_release(&rbuf->pwrite, 0);
+ }
+ status = copy_from_user(rbuf->data+rbuf->pwrite, buf, todo);
+ if (status)
+ return len - todo;
+- rbuf->pwrite = (rbuf->pwrite + todo) % rbuf->size;
++ /* smp_store_release() for write pointer update, see above */
++ smp_store_release(&rbuf->pwrite, (rbuf->pwrite + todo) % rbuf->size);
+
+ return len;
+ }
--- /dev/null
+From 2a00932f082aff93c3a55426e0c7af6d0ec03997 Mon Sep 17 00:00:00 2001
+From: Matthew Leach <matthew@mattleach.net>
+Date: Fri, 8 Jul 2016 09:04:27 -0300
+Subject: [media] media: usbtv: prevent access to free'd resources
+
+From: Matthew Leach <matthew@mattleach.net>
+
+commit 2a00932f082aff93c3a55426e0c7af6d0ec03997 upstream.
+
+When disconnecting the usbtv device, the sound card is unregistered
+from ALSA and the snd member of the usbtv struct is set to NULL. If
+the usbtv snd_trigger work is running, this can cause a race condition
+where the kernel will attempt to access free'd resources, shown in
+[1].
+
+This patch fixes the disconnection code by cancelling any snd_trigger
+work before unregistering the sound card from ALSA and checking that
+the snd member still exists in the work function.
+
+[1]:
+ usb 3-1.2: USB disconnect, device number 6
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+ IP: [<ffffffff81093850>] process_one_work+0x30/0x480
+ PGD 405bbf067 PUD 405bbe067 PMD 0
+ Call Trace:
+ [<ffffffff81093ce8>] worker_thread+0x48/0x4e0
+ [<ffffffff81093ca0>] ? process_one_work+0x480/0x480
+ [<ffffffff81093ca0>] ? process_one_work+0x480/0x480
+ [<ffffffff81099998>] kthread+0xd8/0xf0
+ [<ffffffff815c73c2>] ret_from_fork+0x22/0x40
+ [<ffffffff810998c0>] ? kthread_worker_fn+0x170/0x170
+ ---[ end trace 0f3dac5c1a38e610 ]---
+
+Signed-off-by: Matthew Leach <matthew@mattleach.net>
+Tested-by: Peter Sutton <foxxy@foxdogstudios.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/usbtv/usbtv-audio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/media/usb/usbtv/usbtv-audio.c
++++ b/drivers/media/usb/usbtv/usbtv-audio.c
+@@ -278,6 +278,9 @@ static void snd_usbtv_trigger(struct wor
+ {
+ struct usbtv *chip = container_of(work, struct usbtv, snd_trigger);
+
++ if (!chip->snd)
++ return;
++
+ if (atomic_read(&chip->snd_stream))
+ usbtv_audio_start(chip);
+ else
+@@ -378,6 +381,8 @@ err:
+
+ void usbtv_audio_free(struct usbtv *usbtv)
+ {
++ cancel_work_sync(&usbtv->snd_trigger);
++
+ if (usbtv->snd && usbtv->udev) {
+ snd_card_free(usbtv->snd);
+ usbtv->snd = NULL;
--- /dev/null
+From 76bc8e2843b66f8205026365966b49ec6da39ae7 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Fri, 29 Jul 2016 12:05:24 +0200
+Subject: ovl: disallow overlayfs as upperdir
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 76bc8e2843b66f8205026365966b49ec6da39ae7 upstream.
+
+This does not work and does not make sense. So instead of fixing it
+(probably not hard) just disallow.
+
+Reported-by: Andrei Vagin <avagin@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/super.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -376,7 +376,8 @@ static struct ovl_entry *ovl_alloc_entry
+ static bool ovl_dentry_remote(struct dentry *dentry)
+ {
+ return dentry->d_flags &
+- (DCACHE_OP_REVALIDATE | DCACHE_OP_WEAK_REVALIDATE);
++ (DCACHE_OP_REVALIDATE | DCACHE_OP_WEAK_REVALIDATE |
++ DCACHE_OP_REAL);
+ }
+
+ static bool ovl_dentry_weird(struct dentry *dentry)
--- /dev/null
+From d2e12e66a939c54ed84e5f1b6947f0c45f6c56eb Mon Sep 17 00:00:00 2001
+From: Dave Gerlach <d-gerlach@ti.com>
+Date: Wed, 25 May 2016 15:41:28 -0500
+Subject: remoteproc: Fix potential race condition in rproc_add
+
+From: Dave Gerlach <d-gerlach@ti.com>
+
+commit d2e12e66a939c54ed84e5f1b6947f0c45f6c56eb upstream.
+
+rproc_add adds the newly created remoteproc to a list for use by
+rproc_get_by_phandle and then does some additional processing to finish
+adding the remoteproc. This leaves a small window of time in which the
+rproc is available in the list but not yet fully initialized, so if
+another driver comes along and gets a handle to the rproc, it will be
+invalid. Rearrange the code in rproc_add to make sure the rproc is added
+to the list only after it has been successfuly initialized.
+
+Fixes: fec47d863587 ("remoteproc: introduce rproc_get_by_phandle API")
+Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/remoteproc/remoteproc_core.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/remoteproc/remoteproc_core.c
++++ b/drivers/remoteproc/remoteproc_core.c
+@@ -1239,11 +1239,6 @@ int rproc_add(struct rproc *rproc)
+ if (ret < 0)
+ return ret;
+
+- /* expose to rproc_get_by_phandle users */
+- mutex_lock(&rproc_list_mutex);
+- list_add(&rproc->node, &rproc_list);
+- mutex_unlock(&rproc_list_mutex);
+-
+ dev_info(dev, "%s is available\n", rproc->name);
+
+ dev_info(dev, "Note: remoteproc is still under development and considered experimental.\n");
+@@ -1251,8 +1246,16 @@ int rproc_add(struct rproc *rproc)
+
+ /* create debugfs entries */
+ rproc_create_debug_dir(rproc);
++ ret = rproc_add_virtio_devices(rproc);
++ if (ret < 0)
++ return ret;
++
++ /* expose to rproc_get_by_phandle users */
++ mutex_lock(&rproc_list_mutex);
++ list_add(&rproc->node, &rproc_list);
++ mutex_unlock(&rproc_list_mutex);
+
+- return rproc_add_virtio_devices(rproc);
++ return 0;
+ }
+ EXPORT_SYMBOL(rproc_add);
+
--- /dev/null
+From 6311f1261f59ce5e51fbe5cc3b5e7737197316ac Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javier@osg.samsung.com>
+Date: Tue, 3 May 2016 16:27:17 -0400
+Subject: s5p-mfc: Add release callback for memory region devs
+
+From: Javier Martinez Canillas <javier@osg.samsung.com>
+
+commit 6311f1261f59ce5e51fbe5cc3b5e7737197316ac upstream.
+
+When s5p_mfc_remove() calls put_device() for the reserved memory region
+devs, the driver core warns that the dev doesn't have a release callback:
+
+WARNING: CPU: 0 PID: 591 at drivers/base/core.c:251 device_release+0x8c/0x90
+Device 's5p-mfc-l' does not have a release() function, it is broken and must be fixed.
+
+Also, the declared DMA memory using dma_declare_coherent_memory() isn't
+relased so add a dev .release that calls dma_release_declared_memory().
+
+Fixes: 6e83e6e25eb4 ("[media] s5p-mfc: Fix kernel warning on memory init")
+Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
+Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+@@ -1029,6 +1029,11 @@ static int match_child(struct device *de
+ return !strcmp(dev_name(dev), (char *)data);
+ }
+
++static void s5p_mfc_memdev_release(struct device *dev)
++{
++ dma_release_declared_memory(dev);
++}
++
+ static void *mfc_get_drv_data(struct platform_device *pdev);
+
+ static int s5p_mfc_alloc_memdevs(struct s5p_mfc_dev *dev)
+@@ -1043,6 +1048,7 @@ static int s5p_mfc_alloc_memdevs(struct
+ }
+
+ dev_set_name(dev->mem_dev_l, "%s", "s5p-mfc-l");
++ dev->mem_dev_l->release = s5p_mfc_memdev_release;
+ device_initialize(dev->mem_dev_l);
+ of_property_read_u32_array(dev->plat_dev->dev.of_node,
+ "samsung,mfc-l", mem_info, 2);
+@@ -1062,6 +1068,7 @@ static int s5p_mfc_alloc_memdevs(struct
+ }
+
+ dev_set_name(dev->mem_dev_r, "%s", "s5p-mfc-r");
++ dev->mem_dev_r->release = s5p_mfc_memdev_release;
+ device_initialize(dev->mem_dev_r);
+ of_property_read_u32_array(dev->plat_dev->dev.of_node,
+ "samsung,mfc-r", mem_info, 2);
--- /dev/null
+From 29debab0a94035a390801d1f177d171d014b7765 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javier@osg.samsung.com>
+Date: Tue, 3 May 2016 16:27:16 -0400
+Subject: s5p-mfc: Set device name for reserved memory region devs
+
+From: Javier Martinez Canillas <javier@osg.samsung.com>
+
+commit 29debab0a94035a390801d1f177d171d014b7765 upstream.
+
+The devices don't have a name set, so makes dev_name() returns NULL which
+makes harder to identify the devices that are causing issues, for example:
+
+WARNING: CPU: 2 PID: 616 at drivers/base/core.c:251 device_release+0x8c/0x90
+Device '(null)' does not have a release() function, it is broken and must be fixed.
+
+And after setting the device name:
+
+WARNING: CPU: 0 PID: 591 at drivers/base/core.c:251 device_release+0x8c/0x90
+Device 's5p-mfc-l' does not have a release() function, it is broken and must be fixed.
+
+Fixes: 6e83e6e25eb4 ("[media] s5p-mfc: Fix kernel warning on memory init")
+Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
+Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+@@ -1041,6 +1041,8 @@ static int s5p_mfc_alloc_memdevs(struct
+ mfc_err("Not enough memory\n");
+ return -ENOMEM;
+ }
++
++ dev_set_name(dev->mem_dev_l, "%s", "s5p-mfc-l");
+ device_initialize(dev->mem_dev_l);
+ of_property_read_u32_array(dev->plat_dev->dev.of_node,
+ "samsung,mfc-l", mem_info, 2);
+@@ -1058,6 +1060,8 @@ static int s5p_mfc_alloc_memdevs(struct
+ mfc_err("Not enough memory\n");
+ return -ENOMEM;
+ }
++
++ dev_set_name(dev->mem_dev_r, "%s", "s5p-mfc-r");
+ device_initialize(dev->mem_dev_r);
+ of_property_read_u32_array(dev->plat_dev->dev.of_node,
+ "samsung,mfc-r", mem_info, 2);
intel_pstate-fix-msr_config_tdp_x-addressing-in-core_get_max_pstate.patch
mfd-qcom_rpm-fix-offset-error-for-msm8660.patch
mfd-qcom_rpm-parametrize-also-ack-selector-size.patch
+media-usbtv-prevent-access-to-free-d-resources.patch
+media-dvb_ringbuffer-add-memory-barriers.patch
+videobuf2-v4l2-verify-planes-array-in-buffer-dequeueing.patch
+vb2-core-skip-planes-array-verification-if-pb-is-null.patch
+fix-rc5-decoding-with-fintek-cir-chipset.patch
+sur40-lower-poll-interval-to-fix-occasional-fps-drops-to-56-fps.patch
+sur40-fix-occasional-oopses-on-device-close.patch
+dm-set-dmf_suspended-_before_-clearing-dmf_noflush_suspending.patch
+hp-wmi-fix-wifi-cannot-be-hard-unblocked.patch
+s5p-mfc-set-device-name-for-reserved-memory-region-devs.patch
+s5p-mfc-add-release-callback-for-memory-region-devs.patch
+i2c-efm32-fix-a-failure-path-in-efm32_i2c_probe.patch
+spi-pxa2xx-clear-all-rft-bits-in-reset_sccr1-on-intel-quark.patch
+bluetooth-fix-l2cap_sock_setsockopt-with-optname-bt_rcvmtu.patch
+edac-correct-channel-count-limit.patch
+hid-uhid-fix-timeout-when-probe-races-with-io.patch
+ovl-disallow-overlayfs-as-upperdir.patch
+remoteproc-fix-potential-race-condition-in-rproc_add.patch
+arc-mm-don-t-loose-pte_special-in-pte_modify.patch
+jbd2-make-journal-y2038-safe.patch
--- /dev/null
+From 152bc19e2fc2b7fce7ffbc2a9cea94b147223702 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Wed, 6 Jul 2016 12:08:11 +0300
+Subject: spi: pxa2xx: Clear all RFT bits in reset_sccr1() on Intel Quark
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 152bc19e2fc2b7fce7ffbc2a9cea94b147223702 upstream.
+
+It seems the commit e5262d0568dc ("spi: spi-pxa2xx: SPI support for Intel Quark
+X1000") misses one place to be adapted for Intel Quark, i.e. in reset_sccr1().
+
+Clear all RFT bits when call reset_sccr1() on Intel Quark.
+
+Fixes: e5262d0568dc ("spi: spi-pxa2xx: SPI support for Intel Quark X1000")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-pxa2xx.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-pxa2xx.c
++++ b/drivers/spi/spi-pxa2xx.c
+@@ -548,7 +548,14 @@ static void reset_sccr1(struct driver_da
+ u32 sccr1_reg;
+
+ sccr1_reg = pxa2xx_spi_read(drv_data, SSCR1) & ~drv_data->int_cr1;
+- sccr1_reg &= ~SSCR1_RFT;
++ switch (drv_data->ssp_type) {
++ case QUARK_X1000_SSP:
++ sccr1_reg &= ~QUARK_X1000_SSCR1_RFT;
++ break;
++ default:
++ sccr1_reg &= ~SSCR1_RFT;
++ break;
++ }
+ sccr1_reg |= chip->threshold;
+ pxa2xx_spi_write(drv_data, SSCR1, sccr1_reg);
+ }
--- /dev/null
+From 6a8588156657e607fcfdffd46c1daae8ba88a1e5 Mon Sep 17 00:00:00 2001
+From: Florian Echtler <floe@butterbrot.org>
+Date: Tue, 31 May 2016 17:15:33 -0300
+Subject: [media] sur40: fix occasional oopses on device close
+
+From: Florian Echtler <floe@butterbrot.org>
+
+commit 6a8588156657e607fcfdffd46c1daae8ba88a1e5 upstream.
+
+Closing the V4L2 device sometimes triggers a kernel oops.
+Present patch fixes this.
+
+Signed-off-by: Martin Kaltenbrunner <modin@yuri.at>
+Signed-off-by: Florian Echtler <floe@butterbrot.org>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/sur40.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/sur40.c
++++ b/drivers/input/touchscreen/sur40.c
+@@ -441,7 +441,7 @@ static void sur40_process_video(struct s
+
+ /* return error if streaming was stopped in the meantime */
+ if (sur40->sequence == -1)
+- goto err_poll;
++ return;
+
+ /* mark as finished */
+ v4l2_get_timestamp(&new_buf->vb.timestamp);
+@@ -730,6 +730,7 @@ static int sur40_start_streaming(struct
+ static void sur40_stop_streaming(struct vb2_queue *vq)
+ {
+ struct sur40_state *sur40 = vb2_get_drv_priv(vq);
++ vb2_wait_for_all_buffers(vq);
+ sur40->sequence = -1;
+
+ /* Release all active buffers */
--- /dev/null
+From af766ee005c496b8567976dc3eed7676443ed6de Mon Sep 17 00:00:00 2001
+From: Florian Echtler <floe@butterbrot.org>
+Date: Tue, 31 May 2016 17:15:32 -0300
+Subject: [media] sur40: lower poll interval to fix occasional FPS drops to ~56 FPS
+
+From: Florian Echtler <floe@butterbrot.org>
+
+commit af766ee005c496b8567976dc3eed7676443ed6de upstream.
+
+The framerate sometimes drops below 60 Hz if the poll interval is too high.
+Lowering it to the minimum of 1 ms fixes this.
+
+Signed-off-by: Martin Kaltenbrunner <modin@yuri.at>
+Signed-off-by: Florian Echtler <floe@butterbrot.org>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/sur40.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/sur40.c
++++ b/drivers/input/touchscreen/sur40.c
+@@ -126,7 +126,7 @@ struct sur40_image_header {
+ #define VIDEO_PACKET_SIZE 16384
+
+ /* polling interval (ms) */
+-#define POLL_INTERVAL 4
++#define POLL_INTERVAL 1
+
+ /* maximum number of contacts FIXME: this is a guess? */
+ #define MAX_CONTACTS 64
--- /dev/null
+From 126f40298446a82116e1f92a1aaf72b8c8228fae Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Wed, 11 May 2016 18:44:32 -0300
+Subject: [media] vb2: core: Skip planes array verification if pb is NULL
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 126f40298446a82116e1f92a1aaf72b8c8228fae upstream.
+
+An earlier patch fixing an input validation issue introduced another
+issue: vb2_core_dqbuf() is called with pb argument value NULL in some
+cases, causing a NULL pointer dereference. Fix this by skipping the
+verification as there's nothing to verify.
+
+Fixes: e7e0c3e26587 ("[media] videobuf2-core: Check user space planes array in dqbuf")
+
+Signed-off-by: David R <david@unsolicited.net>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/videobuf2-core.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/v4l2-core/videobuf2-core.c
++++ b/drivers/media/v4l2-core/videobuf2-core.c
+@@ -1505,7 +1505,7 @@ static int __vb2_get_done_vb(struct vb2_
+ void *pb, int nonblocking)
+ {
+ unsigned long flags;
+- int ret;
++ int ret = 0;
+
+ /*
+ * Wait for at least one buffer to become available on the done_list.
+@@ -1521,10 +1521,12 @@ static int __vb2_get_done_vb(struct vb2_
+ spin_lock_irqsave(&q->done_lock, flags);
+ *vb = list_first_entry(&q->done_list, struct vb2_buffer, done_entry);
+ /*
+- * Only remove the buffer from done_list if v4l2_buffer can handle all
+- * the planes.
++ * Only remove the buffer from done_list if all planes can be
++ * handled. Some cases such as V4L2 file I/O and DVB have pb
++ * == NULL; skip the check then as there's nothing to verify.
+ */
+- ret = call_bufop(q, verify_planes_array, *vb, pb);
++ if (pb)
++ ret = call_bufop(q, verify_planes_array, *vb, pb);
+ if (!ret)
+ list_del(&(*vb)->done_entry);
+ spin_unlock_irqrestore(&q->done_lock, flags);
--- /dev/null
+From 83934b75c368f529d084815c463a7ef781dc9751 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Sun, 3 Apr 2016 16:31:03 -0300
+Subject: [media] videobuf2-v4l2: Verify planes array in buffer dequeueing
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 83934b75c368f529d084815c463a7ef781dc9751 upstream.
+
+When a buffer is being dequeued using VIDIOC_DQBUF IOCTL, the exact buffer
+which will be dequeued is not known until the buffer has been removed from
+the queue. The number of planes is specific to a buffer, not to the queue.
+
+This does lead to the situation where multi-plane buffers may be requested
+and queued with n planes, but VIDIOC_DQBUF IOCTL may be passed an argument
+struct with fewer planes.
+
+__fill_v4l2_buffer() however uses the number of planes from the dequeued
+videobuf2 buffer, overwriting kernel memory (the m.planes array allocated
+in video_usercopy() in v4l2-ioctl.c) if the user provided fewer
+planes than the dequeued buffer had. Oops!
+
+Fixes: b0e0e1f83de3 ("[media] media: videobuf2: Prepare to divide videobuf2")
+
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/videobuf2-v4l2.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/media/v4l2-core/videobuf2-v4l2.c
++++ b/drivers/media/v4l2-core/videobuf2-v4l2.c
+@@ -67,6 +67,11 @@ static int __verify_planes_array(struct
+ return 0;
+ }
+
++static int __verify_planes_array_core(struct vb2_buffer *vb, const void *pb)
++{
++ return __verify_planes_array(vb, pb);
++}
++
+ /**
+ * __verify_length() - Verify that the bytesused value for each plane fits in
+ * the plane length and that the data offset doesn't exceed the bytesused value.
+@@ -432,6 +437,7 @@ static int __fill_vb2_buffer(struct vb2_
+ }
+
+ static const struct vb2_buf_ops v4l2_buf_ops = {
++ .verify_planes_array = __verify_planes_array_core,
+ .fill_user_buffer = __fill_v4l2_buffer,
+ .fill_vb2_buffer = __fill_vb2_buffer,
+ .set_timestamp = __set_timestamp,
projects / thirdparty / kernel / stable-queue.git / commitdiff
