4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 18 Jun 2016 17:02:29 +0000 (10:02 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 18 Jun 2016 17:02:29 +0000 (10:02 -0700)
added patches:
alsa-hda-add-pci-id-for-kabylake.patch
alsa-hda-fix-headset-mic-detection-problem-for-dell-machine.patch
alsa-hda-realtek-add-support-for-new-codecs-alc700-alc701-alc703.patch
alsa-hda-realtek-add-t560-docking-unit-fixup.patch
alsa-hda-realtek-alc256-speaker-noise-issue.patch
arm-fix-ptrace_setvfpregs-on-smp-systems.patch
arm64-mm-always-take-dirty-state-from-new-pte-in-ptep_set_access_flags.patch
arm64-provide-model-name-in-proc-cpuinfo-for-per_linux32-tasks.patch
crypto-ccp-fix-aes-xts-error-for-request-sizes-above-4096.patch
crypto-public_key-select-crypto_akcipher.patch
ecryptfs-forbid-opening-files-without-mmap-handler.patch
fix-d_walk-non-delayed-__d_free-race.patch
gpio-bcm-kona-fix-bcm_kona_gpio_reset-warnings.patch
irqchip-gic-v3-fix-icc_sgi1r_el1.intid-decoding-mask.patch
kvm-irqfd-fix-null-pointer-dereference-in-kvm_irq_map_gsi.patch
kvm-x86-fix-oops-after-invalid-kvm_set_debugregs.patch
memcg-add-rcu-locking-around-css_for_each_descendant_pre-in-memcg_offline_kmem.patch
parisc-fix-pagefault-crash-in-unaligned-__get_user-call.patch
pinctrl-mediatek-fix-dual-edge-code-defect.patch
powerpc-fix-definition-of-siar-and-sdar-registers.patch
powerpc-pseries-add-power8nvl-support-to-ibm-client-architecture-support-call.patch
powerpc-pseries-eeh-handle-rtas-delay-requests-in-configure_bridge.patch
powerpc-use-privileged-spr-number-for-mmcr2.patch
proc-prevent-stacking-filesystems-on-top.patch
s390-bpf-fix-recache-skb-data-hlen-for-skb_vlan_push-pop.patch
s390-bpf-reduce-maximum-program-size-to-64-kb.patch
sched-panic-on-corrupted-stack-end.patch
wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch
x86-entry-traps-don-t-force-in_interrupt-to-return-true-in-ist-handlers.patch

30 files changed:
queue-4.4/alsa-hda-add-pci-id-for-kabylake.patch [new file with mode: 0644]
queue-4.4/alsa-hda-fix-headset-mic-detection-problem-for-dell-machine.patch [new file with mode: 0644]
queue-4.4/alsa-hda-realtek-add-support-for-new-codecs-alc700-alc701-alc703.patch [new file with mode: 0644]
queue-4.4/alsa-hda-realtek-add-t560-docking-unit-fixup.patch [new file with mode: 0644]
queue-4.4/alsa-hda-realtek-alc256-speaker-noise-issue.patch [new file with mode: 0644]
queue-4.4/arm-fix-ptrace_setvfpregs-on-smp-systems.patch [new file with mode: 0644]
queue-4.4/arm64-mm-always-take-dirty-state-from-new-pte-in-ptep_set_access_flags.patch [new file with mode: 0644]
queue-4.4/arm64-provide-model-name-in-proc-cpuinfo-for-per_linux32-tasks.patch [new file with mode: 0644]
queue-4.4/crypto-ccp-fix-aes-xts-error-for-request-sizes-above-4096.patch [new file with mode: 0644]
queue-4.4/crypto-public_key-select-crypto_akcipher.patch [new file with mode: 0644]
queue-4.4/ecryptfs-forbid-opening-files-without-mmap-handler.patch [new file with mode: 0644]
queue-4.4/fix-d_walk-non-delayed-__d_free-race.patch [new file with mode: 0644]
queue-4.4/gpio-bcm-kona-fix-bcm_kona_gpio_reset-warnings.patch [new file with mode: 0644]
queue-4.4/irqchip-gic-v3-fix-icc_sgi1r_el1.intid-decoding-mask.patch [new file with mode: 0644]
queue-4.4/kvm-irqfd-fix-null-pointer-dereference-in-kvm_irq_map_gsi.patch [new file with mode: 0644]
queue-4.4/kvm-x86-fix-oops-after-invalid-kvm_set_debugregs.patch [new file with mode: 0644]
queue-4.4/memcg-add-rcu-locking-around-css_for_each_descendant_pre-in-memcg_offline_kmem.patch [new file with mode: 0644]
queue-4.4/parisc-fix-pagefault-crash-in-unaligned-__get_user-call.patch [new file with mode: 0644]
queue-4.4/pinctrl-mediatek-fix-dual-edge-code-defect.patch [new file with mode: 0644]
queue-4.4/powerpc-fix-definition-of-siar-and-sdar-registers.patch [new file with mode: 0644]
queue-4.4/powerpc-pseries-add-power8nvl-support-to-ibm-client-architecture-support-call.patch [new file with mode: 0644]
queue-4.4/powerpc-pseries-eeh-handle-rtas-delay-requests-in-configure_bridge.patch [new file with mode: 0644]
queue-4.4/powerpc-use-privileged-spr-number-for-mmcr2.patch [new file with mode: 0644]
queue-4.4/proc-prevent-stacking-filesystems-on-top.patch [new file with mode: 0644]
queue-4.4/s390-bpf-fix-recache-skb-data-hlen-for-skb_vlan_push-pop.patch [new file with mode: 0644]
queue-4.4/s390-bpf-reduce-maximum-program-size-to-64-kb.patch [new file with mode: 0644]
queue-4.4/sched-panic-on-corrupted-stack-end.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch [new file with mode: 0644]
queue-4.4/x86-entry-traps-don-t-force-in_interrupt-to-return-true-in-ist-handlers.patch [new file with mode: 0644]

diff --git a/queue-4.4/alsa-hda-add-pci-id-for-kabylake.patch b/queue-4.4/alsa-hda-add-pci-id-for-kabylake.patch
new file mode 100644 (file)
index 0000000..dd2bea8
--- /dev/null
@@ -0,0 +1,48 @@
+From 35639a0e98391036a4c7f23253c321d6621a8897 Mon Sep 17 00:00:00 2001
+From: Vinod Koul <vinod.koul@intel.com>
+Date: Thu, 9 Jun 2016 11:32:14 +0530
+Subject: ALSA: hda - Add PCI ID for Kabylake
+
+From: Vinod Koul <vinod.koul@intel.com>
+
+commit 35639a0e98391036a4c7f23253c321d6621a8897 upstream.
+
+Kabylake shows up as PCI ID 0xa171. And Kabylake-LP as 0x9d71.
+Since these are similar to Skylake add these to SKL_PLUS macro
+
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_intel.c |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -359,8 +359,11 @@ enum {
+ #define IS_SKL(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0xa170)
+ #define IS_SKL_LP(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x9d70)
++#define IS_KBL(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0xa171)
++#define IS_KBL_LP(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x9d71)
+ #define IS_BXT(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x5a98)
+-#define IS_SKL_PLUS(pci) (IS_SKL(pci) || IS_SKL_LP(pci) || IS_BXT(pci))
++#define IS_SKL_PLUS(pci) (IS_SKL(pci) || IS_SKL_LP(pci) || IS_BXT(pci)) || \
++                      IS_KBL(pci) || IS_KBL_LP(pci)
+ static char *driver_short_names[] = {
+       [AZX_DRIVER_ICH] = "HDA Intel",
+@@ -2204,6 +2207,12 @@ static const struct pci_device_id azx_id
+       /* Sunrise Point-LP */
+       { PCI_DEVICE(0x8086, 0x9d70),
+         .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_SKYLAKE },
++      /* Kabylake */
++      { PCI_DEVICE(0x8086, 0xa171),
++        .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_SKYLAKE },
++      /* Kabylake-LP */
++      { PCI_DEVICE(0x8086, 0x9d71),
++        .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_SKYLAKE },
+       /* Broxton-P(Apollolake) */
+       { PCI_DEVICE(0x8086, 0x5a98),
+         .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_BROXTON },
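Review bot: The rewritten `IS_SKL_PLUS` macro closes its parenthesis right after `IS_BXT(pci)`, so the two Kabylake tests sit outside the parenthesized expression and the expansion is no longer a single operand. A caller that writes `!IS_SKL_PLUS(pci)` or `IS_SKL_PLUS(pci) && x` would apply the operator to only part of the macro and take the wrong branch. The whole disjunction should be wrapped, `#define IS_SKL_PLUS(pci) (IS_SKL(pci) || IS_SKL_LP(pci) || IS_BXT(pci) || \` followed by `IS_KBL(pci) || IS_KBL_LP(pci))`. The macro's call sites are outside this hunk, so which of them are affected cannot be confirmed from here.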
diff --git a/queue-4.4/alsa-hda-fix-headset-mic-detection-problem-for-dell-machine.patch b/queue-4.4/alsa-hda-fix-headset-mic-detection-problem-for-dell-machine.patch
new file mode 100644 (file)
index 0000000..9688abb
--- /dev/null
@@ -0,0 +1,33 @@
+From f90d83b301701026b2e4c437a3613f377f63290e Mon Sep 17 00:00:00 2001
+From: AceLan Kao <acelan.kao@canonical.com>
+Date: Fri, 3 Jun 2016 14:45:25 +0800
+Subject: ALSA: hda - Fix headset mic detection problem for Dell machine
+
+From: AceLan Kao <acelan.kao@canonical.com>
+
+commit f90d83b301701026b2e4c437a3613f377f63290e upstream.
+
+Add the pin configuration value of this machine into the pin_quirk
+table to make DELL1_MIC_NO_PRESENCE apply to this machine.
+
+Signed-off-by: AceLan Kao <acelan.kao@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5775,6 +5775,10 @@ static const struct snd_hda_pin_quirk al
+               {0x12, 0x90a60180},
+               {0x14, 0x90170130},
+               {0x21, 0x02211040}),
++      SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell Inspiron 5565", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
++              {0x12, 0x90a60180},
++              {0x14, 0x90170120},
++              {0x21, 0x02211030}),
+       SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
+               {0x12, 0x90a60160},
+               {0x14, 0x90170120},
diff --git a/queue-4.4/alsa-hda-realtek-add-support-for-new-codecs-alc700-alc701-alc703.patch b/queue-4.4/alsa-hda-realtek-add-support-for-new-codecs-alc700-alc701-alc703.patch
new file mode 100644 (file)
index 0000000..e91dd70
--- /dev/null
@@ -0,0 +1,72 @@
+From 6fbae35a3170c3e2b1b9d7b9cc943cbe48771362 Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Mon, 30 May 2016 16:44:20 +0800
+Subject: ALSA: hda/realtek - Add support for new codecs ALC700/ALC701/ALC703
+
+From: Kailang Yang <kailang@realtek.com>
+
+commit 6fbae35a3170c3e2b1b9d7b9cc943cbe48771362 upstream.
+
+Support new codecs for ALC700/ALC701/ALC703.
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |   16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -346,6 +346,9 @@ static void alc_fill_eapd_coef(struct hd
+       case 0x10ec0234:
+       case 0x10ec0274:
+       case 0x10ec0294:
++      case 0x10ec0700:
++      case 0x10ec0701:
++      case 0x10ec0703:
+               alc_update_coef_idx(codec, 0x10, 1<<15, 0);
+               break;
+       case 0x10ec0662:
+@@ -2655,6 +2658,7 @@ enum {
+       ALC269_TYPE_ALC256,
+       ALC269_TYPE_ALC225,
+       ALC269_TYPE_ALC294,
++      ALC269_TYPE_ALC700,
+ };
+ /*
+@@ -2686,6 +2690,7 @@ static int alc269_parse_auto_config(stru
+       case ALC269_TYPE_ALC256:
+       case ALC269_TYPE_ALC225:
+       case ALC269_TYPE_ALC294:
++      case ALC269_TYPE_ALC700:
+               ssids = alc269_ssids;
+               break;
+       default:
+@@ -6099,6 +6104,14 @@ static int patch_alc269(struct hda_codec
+       case 0x10ec0294:
+               spec->codec_variant = ALC269_TYPE_ALC294;
+               break;
++      case 0x10ec0700:
++      case 0x10ec0701:
++      case 0x10ec0703:
++              spec->codec_variant = ALC269_TYPE_ALC700;
++              spec->gen.mixer_nid = 0; /* ALC700 does not have any loopback mixer path */
++              alc_update_coef_idx(codec, 0x4a, 0, 1 << 15); /* Combo jack auto trigger control */
++              break;
++
+       }
+       if (snd_hda_codec_read(codec, 0x51, 0, AC_VERB_PARAMETERS, 0) == 0x10ec5505) {
+@@ -7054,6 +7067,9 @@ static const struct hda_device_id snd_hd
+       HDA_CODEC_ENTRY(0x10ec0670, "ALC670", patch_alc662),
+       HDA_CODEC_ENTRY(0x10ec0671, "ALC671", patch_alc662),
+       HDA_CODEC_ENTRY(0x10ec0680, "ALC680", patch_alc680),
++      HDA_CODEC_ENTRY(0x10ec0700, "ALC700", patch_alc269),
++      HDA_CODEC_ENTRY(0x10ec0701, "ALC701", patch_alc269),
++      HDA_CODEC_ENTRY(0x10ec0703, "ALC703", patch_alc269),
+       HDA_CODEC_ENTRY(0x10ec0867, "ALC891", patch_alc882),
+       HDA_CODEC_ENTRY(0x10ec0880, "ALC880", patch_alc880),
+       HDA_CODEC_ENTRY(0x10ec0882, "ALC882", patch_alc882),
diff --git a/queue-4.4/alsa-hda-realtek-add-t560-docking-unit-fixup.patch b/queue-4.4/alsa-hda-realtek-add-t560-docking-unit-fixup.patch
new file mode 100644 (file)
index 0000000..41d3fcd
--- /dev/null
@@ -0,0 +1,31 @@
+From dab38e43b298501a4e8807b56117c029e2e98383 Mon Sep 17 00:00:00 2001
+From: Torsten Hilbrich <torsten.hilbrich@secunet.com>
+Date: Tue, 7 Jun 2016 13:14:21 +0200
+Subject: ALSA: hda/realtek: Add T560 docking unit fixup
+
+From: Torsten Hilbrich <torsten.hilbrich@secunet.com>
+
+commit dab38e43b298501a4e8807b56117c029e2e98383 upstream.
+
+Tested with Lenovo Ultradock. Fixes the non-working headphone jack on
+the docking unit.
+
+Signed-off-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
+Tested-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5634,6 +5634,7 @@ static const struct snd_pci_quirk alc269
+       SND_PCI_QUIRK(0x17aa, 0x2218, "Thinkpad X1 Carbon 2nd", ALC292_FIXUP_TPT440_DOCK),
+       SND_PCI_QUIRK(0x17aa, 0x2223, "ThinkPad T550", ALC292_FIXUP_TPT440_DOCK),
+       SND_PCI_QUIRK(0x17aa, 0x2226, "ThinkPad X250", ALC292_FIXUP_TPT440_DOCK),
++      SND_PCI_QUIRK(0x17aa, 0x2231, "Thinkpad T560", ALC292_FIXUP_TPT460),
+       SND_PCI_QUIRK(0x17aa, 0x2233, "Thinkpad", ALC292_FIXUP_TPT460),
+       SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+       SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
diff --git a/queue-4.4/alsa-hda-realtek-alc256-speaker-noise-issue.patch b/queue-4.4/alsa-hda-realtek-alc256-speaker-noise-issue.patch
new file mode 100644 (file)
index 0000000..4c3eb1d
--- /dev/null
@@ -0,0 +1,143 @@
+From e69e7e03ed225abf3e1c43545aa3bcb68dc81d5f Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Mon, 30 May 2016 15:58:28 +0800
+Subject: ALSA: hda/realtek - ALC256 speaker noise issue
+
+From: Kailang Yang <kailang@realtek.com>
+
+commit e69e7e03ed225abf3e1c43545aa3bcb68dc81d5f upstream.
+
+That is some different register for ALC255 and ALC256.
+ALC256 can't fit with some ALC255 register.
+This issue is cause from LDO output voltage control.
+This patch is updated the right LDO register value.
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |   52 +++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 47 insertions(+), 5 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -3618,13 +3618,20 @@ static void alc269_fixup_hp_line1_mic1_l
+ static void alc_headset_mode_unplugged(struct hda_codec *codec)
+ {
+       static struct coef_fw coef0255[] = {
+-              WRITE_COEF(0x1b, 0x0c0b), /* LDO and MISC control */
+               WRITE_COEF(0x45, 0xd089), /* UAJ function set to menual mode */
+               UPDATE_COEFEX(0x57, 0x05, 1<<14, 0), /* Direct Drive HP Amp control(Set to verb control)*/
+               WRITE_COEF(0x06, 0x6104), /* Set MIC2 Vref gate with HP */
+               WRITE_COEFEX(0x57, 0x03, 0x8aa6), /* Direct Drive HP Amp control */
+               {}
+       };
++      static struct coef_fw coef0255_1[] = {
++              WRITE_COEF(0x1b, 0x0c0b), /* LDO and MISC control */
++              {}
++      };
++      static struct coef_fw coef0256[] = {
++              WRITE_COEF(0x1b, 0x0c4b), /* LDO and MISC control */
++              {}
++      };
+       static struct coef_fw coef0233[] = {
+               WRITE_COEF(0x1b, 0x0c0b),
+               WRITE_COEF(0x45, 0xc429),
+@@ -3677,7 +3684,11 @@ static void alc_headset_mode_unplugged(s
+       switch (codec->core.vendor_id) {
+       case 0x10ec0255:
++              alc_process_coef_fw(codec, coef0255_1);
++              alc_process_coef_fw(codec, coef0255);
++              break;
+       case 0x10ec0256:
++              alc_process_coef_fw(codec, coef0256);
+               alc_process_coef_fw(codec, coef0255);
+               break;
+       case 0x10ec0233:
+@@ -3896,6 +3907,12 @@ static void alc_headset_mode_ctia(struct
+               WRITE_COEFEX(0x57, 0x03, 0x8ea6),
+               {}
+       };
++      static struct coef_fw coef0256[] = {
++              WRITE_COEF(0x45, 0xd489), /* Set to CTIA type */
++              WRITE_COEF(0x1b, 0x0c6b),
++              WRITE_COEFEX(0x57, 0x03, 0x8ea6),
++              {}
++      };
+       static struct coef_fw coef0233[] = {
+               WRITE_COEF(0x45, 0xd429),
+               WRITE_COEF(0x1b, 0x0c2b),
+@@ -3936,9 +3953,11 @@ static void alc_headset_mode_ctia(struct
+       switch (codec->core.vendor_id) {
+       case 0x10ec0255:
+-      case 0x10ec0256:
+               alc_process_coef_fw(codec, coef0255);
+               break;
++      case 0x10ec0256:
++              alc_process_coef_fw(codec, coef0256);
++              break;
+       case 0x10ec0233:
+       case 0x10ec0283:
+               alc_process_coef_fw(codec, coef0233);
+@@ -3978,6 +3997,12 @@ static void alc_headset_mode_omtp(struct
+               WRITE_COEFEX(0x57, 0x03, 0x8ea6),
+               {}
+       };
++      static struct coef_fw coef0256[] = {
++              WRITE_COEF(0x45, 0xe489), /* Set to OMTP Type */
++              WRITE_COEF(0x1b, 0x0c6b),
++              WRITE_COEFEX(0x57, 0x03, 0x8ea6),
++              {}
++      };
+       static struct coef_fw coef0233[] = {
+               WRITE_COEF(0x45, 0xe429),
+               WRITE_COEF(0x1b, 0x0c2b),
+@@ -4018,9 +4043,11 @@ static void alc_headset_mode_omtp(struct
+       switch (codec->core.vendor_id) {
+       case 0x10ec0255:
+-      case 0x10ec0256:
+               alc_process_coef_fw(codec, coef0255);
+               break;
++      case 0x10ec0256:
++              alc_process_coef_fw(codec, coef0256);
++              break;
+       case 0x10ec0233:
+       case 0x10ec0283:
+               alc_process_coef_fw(codec, coef0233);
+@@ -4266,7 +4293,7 @@ static void alc_fixup_headset_mode_no_hp
+ static void alc255_set_default_jack_type(struct hda_codec *codec)
+ {
+       /* Set to iphone type */
+-      static struct coef_fw fw[] = {
++      static struct coef_fw alc255fw[] = {
+               WRITE_COEF(0x1b, 0x880b),
+               WRITE_COEF(0x45, 0xd089),
+               WRITE_COEF(0x1b, 0x080b),
+@@ -4274,7 +4301,22 @@ static void alc255_set_default_jack_type
+               WRITE_COEF(0x1b, 0x0c0b),
+               {}
+       };
+-      alc_process_coef_fw(codec, fw);
++      static struct coef_fw alc256fw[] = {
++              WRITE_COEF(0x1b, 0x884b),
++              WRITE_COEF(0x45, 0xd089),
++              WRITE_COEF(0x1b, 0x084b),
++              WRITE_COEF(0x46, 0x0004),
++              WRITE_COEF(0x1b, 0x0c4b),
++              {}
++      };
++      switch (codec->core.vendor_id) {
++      case 0x10ec0255:
++              alc_process_coef_fw(codec, alc255fw);
++              break;
++      case 0x10ec0256:
++              alc_process_coef_fw(codec, alc256fw);
++              break;
++      }
+       msleep(30);
+ }
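Review bot: In `alc255_set_default_jack_type` the new `switch (codec->core.vendor_id)` has no `default`, so a codec that is neither 0x10ec0255 nor 0x10ec0256 now gets no coefficient writes and only the `msleep(30)`, where the old code applied the table unconditionally. The callers are not visible here, so this may be unreachable, but if any other codec reaches this function its behaviour changes silently. Adding `default:` that falls back to `alc_process_coef_fw(codec, alc255fw);` would preserve the previous behaviour. Separately, the new `coef0256` tables in `alc_headset_mode_ctia` and `alc_headset_mode_omtp` write `0x1b, 0x0c6b` without the `/* LDO and MISC control */` comment used in `alc_headset_mode_unplugged`, which makes the ALC256-specific value harder to audit.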
diff --git a/queue-4.4/arm-fix-ptrace_setvfpregs-on-smp-systems.patch b/queue-4.4/arm-fix-ptrace_setvfpregs-on-smp-systems.patch
new file mode 100644 (file)
index 0000000..17523d1
--- /dev/null
@@ -0,0 +1,41 @@
+From e2dfb4b880146bfd4b6aa8e138c0205407cebbaf Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Mon, 30 May 2016 23:14:56 +0100
+Subject: ARM: fix PTRACE_SETVFPREGS on SMP systems
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+commit e2dfb4b880146bfd4b6aa8e138c0205407cebbaf upstream.
+
+PTRACE_SETVFPREGS fails to properly mark the VFP register set to be
+reloaded, because it undoes one of the effects of vfp_flush_hwstate().
+
+Specifically vfp_flush_hwstate() sets thread->vfpstate.hard.cpu to
+an invalid CPU number, but vfp_set() overwrites this with the original
+CPU number, thereby rendering the hardware state as apparently "valid",
+even though the software state is more recent.
+
+Fix this by reverting the previous change.
+
+Fixes: 8130b9d7b9d8 ("ARM: 7308/1: vfp: flush thread hwstate before copying ptrace registers")
+Acked-by: Will Deacon <will.deacon@arm.com>
+Tested-by: Simon Marchi <simon.marchi@ericsson.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kernel/ptrace.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/ptrace.c
++++ b/arch/arm/kernel/ptrace.c
+@@ -733,8 +733,8 @@ static int vfp_set(struct task_struct *t
+       if (ret)
+               return ret;
+-      vfp_flush_hwstate(thread);
+       thread->vfpstate.hard = new_vfp;
++      vfp_flush_hwstate(thread);
+       return 0;
+ }
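Review bot: The corrected order in `vfp_set` depends on a fact the code does not record: the struct assignment to `thread->vfpstate.hard` also overwrites the `cpu` field that `vfp_flush_hwstate()` sets to an invalid CPU number, which is why the flush has to come last. Without a comment the two statements look freely reorderable, and the commit message describes this fix as reverting an earlier change to the same lines. I would add above the assignment `/* copy first: the assignment overwrites hard.cpu, so flush afterwards to mark the hardware state stale */`. Only the tail of vfp_set is inside the hunk.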
diff --git a/queue-4.4/arm64-mm-always-take-dirty-state-from-new-pte-in-ptep_set_access_flags.patch b/queue-4.4/arm64-mm-always-take-dirty-state-from-new-pte-in-ptep_set_access_flags.patch
new file mode 100644 (file)
index 0000000..2ae50bf
--- /dev/null
@@ -0,0 +1,56 @@
+From 0106d456c4cb1770253fefc0ab23c9ca760b43f7 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Tue, 7 Jun 2016 17:55:15 +0100
+Subject: arm64: mm: always take dirty state from new pte in ptep_set_access_flags
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit 0106d456c4cb1770253fefc0ab23c9ca760b43f7 upstream.
+
+Commit 66dbd6e61a52 ("arm64: Implement ptep_set_access_flags() for
+hardware AF/DBM") ensured that pte flags are updated atomically in the
+face of potential concurrent, hardware-assisted updates. However, Alex
+reports that:
+
+ | This patch breaks swapping for me.
+ | In the broken case, you'll see either systemd cpu time spike (because
+ | it's stuck in a page fault loop) or the system hang (because the
+ | application owning the screen is stuck in a page fault loop).
+
+It turns out that this is because the 'dirty' argument to
+ptep_set_access_flags is always 0 for read faults, and so we can't use
+it to set PTE_RDONLY. The failing sequence is:
+
+  1. We put down a PTE_WRITE | PTE_DIRTY | PTE_AF pte
+  2. Memory pressure -> pte_mkold(pte) -> clear PTE_AF
+  3. A read faults due to the missing access flag
+  4. ptep_set_access_flags is called with dirty = 0, due to the read fault
+  5. pte is then made PTE_WRITE | PTE_DIRTY | PTE_AF | PTE_RDONLY (!)
+  6. A write faults, but pte_write is true so we get stuck
+
+The solution is to check the new page table entry (as would be done by
+the generic, non-atomic definition of ptep_set_access_flags that just
+calls set_pte_at) to establish the dirty state.
+
+Fixes: 66dbd6e61a52 ("arm64: Implement ptep_set_access_flags() for hardware AF/DBM")
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Reported-by: Alexander Graf <agraf@suse.de>
+Tested-by: Alexander Graf <agraf@suse.de>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/mm/fault.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/mm/fault.c
++++ b/arch/arm64/mm/fault.c
+@@ -109,7 +109,7 @@ int ptep_set_access_flags(struct vm_area
+        * PTE_RDONLY is cleared by default in the asm below, so set it in
+        * back if necessary (read-only or clean PTE).
+        */
+-      if (!pte_write(entry) || !dirty)
++      if (!pte_write(entry) || !pte_sw_dirty(entry))
+               pte_val(entry) |= PTE_RDONLY;
+       /*
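Review bot: After this change the `dirty` argument of `ptep_set_access_flags` no longer takes part in the PTE_RDONLY decision, but the comment above the test still says only "read-only or clean PTE" and does not state that cleanliness is read from the new entry. One more comment line, such as `* The dirty state is taken from 'entry'; the 'dirty' argument is 0 for read faults.`, would keep a later cleanup from restoring `!dirty`. Whether `dirty` is still used elsewhere in the function cannot be seen from this hunk, which shows only the middle of the body.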
diff --git a/queue-4.4/arm64-provide-model-name-in-proc-cpuinfo-for-per_linux32-tasks.patch b/queue-4.4/arm64-provide-model-name-in-proc-cpuinfo-for-per_linux32-tasks.patch
new file mode 100644 (file)
index 0000000..4e5d96a
--- /dev/null
@@ -0,0 +1,81 @@
+From e47b020a323d1b2a7b1e9aac86e99eae19463630 Mon Sep 17 00:00:00 2001
+From: Catalin Marinas <catalin.marinas@arm.com>
+Date: Tue, 31 May 2016 15:55:03 +0100
+Subject: arm64: Provide "model name" in /proc/cpuinfo for PER_LINUX32 tasks
+
+From: Catalin Marinas <catalin.marinas@arm.com>
+
+commit e47b020a323d1b2a7b1e9aac86e99eae19463630 upstream.
+
+This patch brings the PER_LINUX32 /proc/cpuinfo format more in line with
+the 32-bit ARM one by providing an additional line:
+
+model name      : ARMv8 Processor rev X (v8l)
+
+Acked-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/elf.h |    4 ++--
+ arch/arm64/kernel/cpuinfo.c  |    8 +++++++-
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -156,14 +156,14 @@ extern int arch_setup_additional_pages(s
+ #define STACK_RND_MASK                        (0x3ffff >> (PAGE_SHIFT - 12))
+ #endif
+-#ifdef CONFIG_COMPAT
+-
+ #ifdef __AARCH64EB__
+ #define COMPAT_ELF_PLATFORM           ("v8b")
+ #else
+ #define COMPAT_ELF_PLATFORM           ("v8l")
+ #endif
++#ifdef CONFIG_COMPAT
++
+ #define COMPAT_ELF_ET_DYN_BASE                (2 * TASK_SIZE_32 / 3)
+ /* AArch32 registers. */
+--- a/arch/arm64/kernel/cpuinfo.c
++++ b/arch/arm64/kernel/cpuinfo.c
+@@ -22,6 +22,8 @@
+ #include <linux/bitops.h>
+ #include <linux/bug.h>
++#include <linux/compat.h>
++#include <linux/elf.h>
+ #include <linux/init.h>
+ #include <linux/kernel.h>
+ #include <linux/personality.h>
+@@ -102,6 +104,7 @@ static const char *const compat_hwcap2_s
+ static int c_show(struct seq_file *m, void *v)
+ {
+       int i, j;
++      bool compat = personality(current->personality) == PER_LINUX32;
+       for_each_online_cpu(i) {
+               struct cpuinfo_arm64 *cpuinfo = &per_cpu(cpu_data, i);
+@@ -113,6 +116,9 @@ static int c_show(struct seq_file *m, vo
+                * "processor".  Give glibc what it expects.
+                */
+               seq_printf(m, "processor\t: %d\n", i);
++              if (compat)
++                      seq_printf(m, "model name\t: ARMv8 Processor rev %d (%s)\n",
++                                 MIDR_REVISION(midr), COMPAT_ELF_PLATFORM);
+               seq_printf(m, "BogoMIPS\t: %lu.%02lu\n",
+                          loops_per_jiffy / (500000UL/HZ),
+@@ -125,7 +131,7 @@ static int c_show(struct seq_file *m, vo
+                * software which does already (at least for 32-bit).
+                */
+               seq_puts(m, "Features\t:");
+-              if (personality(current->personality) == PER_LINUX32) {
++              if (compat) {
+ #ifdef CONFIG_COMPAT
+                       for (j = 0; compat_hwcap_str[j]; j++)
+                               if (compat_elf_hwcap & (1 << j))
diff --git a/queue-4.4/crypto-ccp-fix-aes-xts-error-for-request-sizes-above-4096.patch b/queue-4.4/crypto-ccp-fix-aes-xts-error-for-request-sizes-above-4096.patch
new file mode 100644 (file)
index 0000000..e9f6cb2
--- /dev/null
@@ -0,0 +1,67 @@
+From ab6a11a7c8ef47f996974dd3c648c2c0b1a36ab1 Mon Sep 17 00:00:00 2001
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Fri, 20 May 2016 17:33:03 -0500
+Subject: crypto: ccp - Fix AES XTS error for request sizes above 4096
+
+From: Tom Lendacky <thomas.lendacky@amd.com>
+
+commit ab6a11a7c8ef47f996974dd3c648c2c0b1a36ab1 upstream.
+
+The ccp-crypto module for AES XTS support has a bug that can allow requests
+greater than 4096 bytes in size to be passed to the CCP hardware. The CCP
+hardware does not support request sizes larger than 4096, resulting in
+incorrect output. The request should actually be handled by the fallback
+mechanism instantiated by the ccp-crypto module.
+
+Add a check to insure the request size is less than or equal to the maximum
+supported size and use the fallback mechanism if it is not.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/ccp/ccp-crypto-aes-xts.c |   17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/drivers/crypto/ccp/ccp-crypto-aes-xts.c
++++ b/drivers/crypto/ccp/ccp-crypto-aes-xts.c
+@@ -122,6 +122,7 @@ static int ccp_aes_xts_crypt(struct ablk
+       struct ccp_ctx *ctx = crypto_tfm_ctx(req->base.tfm);
+       struct ccp_aes_req_ctx *rctx = ablkcipher_request_ctx(req);
+       unsigned int unit;
++      u32 unit_size;
+       int ret;
+       if (!ctx->u.aes.key_len)
+@@ -133,11 +134,17 @@ static int ccp_aes_xts_crypt(struct ablk
+       if (!req->info)
+               return -EINVAL;
+-      for (unit = 0; unit < ARRAY_SIZE(unit_size_map); unit++)
+-              if (!(req->nbytes & (unit_size_map[unit].size - 1)))
+-                      break;
++      unit_size = CCP_XTS_AES_UNIT_SIZE__LAST;
++      if (req->nbytes <= unit_size_map[0].size) {
++              for (unit = 0; unit < ARRAY_SIZE(unit_size_map); unit++) {
++                      if (!(req->nbytes & (unit_size_map[unit].size - 1))) {
++                              unit_size = unit_size_map[unit].value;
++                              break;
++                      }
++              }
++      }
+-      if ((unit_size_map[unit].value == CCP_XTS_AES_UNIT_SIZE__LAST) ||
++      if ((unit_size == CCP_XTS_AES_UNIT_SIZE__LAST) ||
+           (ctx->u.aes.key_len != AES_KEYSIZE_128)) {
+               /* Use the fallback to process the request for any
+                * unsupported unit sizes or key sizes
+@@ -158,7 +165,7 @@ static int ccp_aes_xts_crypt(struct ablk
+       rctx->cmd.engine = CCP_ENGINE_XTS_AES_128;
+       rctx->cmd.u.xts.action = (encrypt) ? CCP_AES_ACTION_ENCRYPT
+                                          : CCP_AES_ACTION_DECRYPT;
+-      rctx->cmd.u.xts.unit_size = unit_size_map[unit].value;
++      rctx->cmd.u.xts.unit_size = unit_size;
+       rctx->cmd.u.xts.key = &ctx->u.aes.key_sg;
+       rctx->cmd.u.xts.key_len = ctx->u.aes.key_len;
+       rctx->cmd.u.xts.iv = &rctx->iv_sg;
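Review bot: The new bound `req->nbytes <= unit_size_map[0].size` in `ccp_aes_xts_crypt` assumes that entry 0 of `unit_size_map` holds the largest supported unit size; the table is defined outside this hunk, so that ordering is an unstated invariant. If an entry were added or the table reordered, requests above the hardware limit could reach the CCP again, which the commit message says produces incorrect output. A comment at the check, for example `/* unit_size_map is ordered largest first; [0].size is the hardware maximum */`, or a named maximum constant next to the table, would make the dependency explicit. The function starts before and continues after the lines shown.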
diff --git a/queue-4.4/crypto-public_key-select-crypto_akcipher.patch b/queue-4.4/crypto-public_key-select-crypto_akcipher.patch
new file mode 100644 (file)
index 0000000..7ce22f9
--- /dev/null
@@ -0,0 +1,37 @@
+From bad6a185b4d6f81d0ed2b6e4c16307969f160b95 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 18 May 2016 16:55:56 +0200
+Subject: crypto: public_key: select CRYPTO_AKCIPHER
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit bad6a185b4d6f81d0ed2b6e4c16307969f160b95 upstream.
+
+In some rare randconfig builds, we can end up with
+ASYMMETRIC_PUBLIC_KEY_SUBTYPE enabled but CRYPTO_AKCIPHER disabled,
+which fails to link because of the reference to crypto_alloc_akcipher:
+
+crypto/built-in.o: In function `public_key_verify_signature':
+:(.text+0x110e4): undefined reference to `crypto_alloc_akcipher'
+
+This adds a Kconfig 'select' statement to ensure the dependency
+is always there.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/asymmetric_keys/Kconfig |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/crypto/asymmetric_keys/Kconfig
++++ b/crypto/asymmetric_keys/Kconfig
+@@ -14,6 +14,7 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+       select MPILIB
+       select PUBLIC_KEY_ALGO_RSA
+       select CRYPTO_HASH_INFO
++      select CRYPTO_AKCIPHER
+       help
+         This option provides support for asymmetric public key type handling.
+         If signature generation and/or verification are to be used,
diff --git a/queue-4.4/ecryptfs-forbid-opening-files-without-mmap-handler.patch b/queue-4.4/ecryptfs-forbid-opening-files-without-mmap-handler.patch
new file mode 100644 (file)
index 0000000..3b3c20f
--- /dev/null
@@ -0,0 +1,59 @@
+From 2f36db71009304b3f0b95afacd8eba1f9f046b87 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 1 Jun 2016 11:55:06 +0200
+Subject: ecryptfs: forbid opening files without mmap handler
+
+From: Jann Horn <jannh@google.com>
+
+commit 2f36db71009304b3f0b95afacd8eba1f9f046b87 upstream.
+
+This prevents users from triggering a stack overflow through a recursive
+invocation of pagefault handling that involves mapping procfs files into
+virtual memory.
+
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ecryptfs/kthread.c |   13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/fs/ecryptfs/kthread.c
++++ b/fs/ecryptfs/kthread.c
+@@ -25,6 +25,7 @@
+ #include <linux/slab.h>
+ #include <linux/wait.h>
+ #include <linux/mount.h>
++#include <linux/file.h>
+ #include "ecryptfs_kernel.h"
+ struct ecryptfs_open_req {
+@@ -147,7 +148,7 @@ int ecryptfs_privileged_open(struct file
+       flags |= IS_RDONLY(d_inode(lower_dentry)) ? O_RDONLY : O_RDWR;
+       (*lower_file) = dentry_open(&req.path, flags, cred);
+       if (!IS_ERR(*lower_file))
+-              goto out;
++              goto have_file;
+       if ((flags & O_ACCMODE) == O_RDONLY) {
+               rc = PTR_ERR((*lower_file));
+               goto out;
+@@ -165,8 +166,16 @@ int ecryptfs_privileged_open(struct file
+       mutex_unlock(&ecryptfs_kthread_ctl.mux);
+       wake_up(&ecryptfs_kthread_ctl.wait);
+       wait_for_completion(&req.done);
+-      if (IS_ERR(*lower_file))
++      if (IS_ERR(*lower_file)) {
+               rc = PTR_ERR(*lower_file);
++              goto out;
++      }
++have_file:
++      if ((*lower_file)->f_op->mmap == NULL) {
++              fput(*lower_file);
++              *lower_file = NULL;
++              rc = -EMEDIUMTYPE;
++      }
+ out:
+       return rc;
+ }
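Review bot: The new `have_file:` check in ecryptfs_privileged_open() refuses the open outright when the lower file has no `->mmap` handler, but nothing in the code says why that is the criterion or why `-EMEDIUMTYPE` is the errno. I would add a comment above it, for example `/* no ->mmap on the lower file (the commit message names procfs): refuse to stack, recursive page-fault handling can overflow the kernel stack */`. Because the rejection happens at open time rather than at mmap time, a lower filesystem whose regular files legitimately lack an mmap handler would presumably become unusable under ecryptfs, so it is worth confirming that no supported lower filesystem is affected. The function starts outside the hunk, so the value of `rc` on the direct `goto have_file` path cannot be checked from here.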
diff --git a/queue-4.4/fix-d_walk-non-delayed-__d_free-race.patch b/queue-4.4/fix-d_walk-non-delayed-__d_free-race.patch
new file mode 100644 (file)
index 0000000..e30e068
--- /dev/null
@@ -0,0 +1,56 @@
+From 3d56c25e3bb0726a5c5e16fc2d9e38f8ed763085 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Tue, 7 Jun 2016 21:26:55 -0400
+Subject: fix d_walk()/non-delayed __d_free() race
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 3d56c25e3bb0726a5c5e16fc2d9e38f8ed763085 upstream.
+
+Ascend-to-parent logics in d_walk() depends on all encountered child
+dentries not getting freed without an RCU delay.  Unfortunately, in
+quite a few cases it is not true, with hard-to-hit oopsable race as
+the result.
+
+Fortunately, the fix is simiple; right now the rule is "if it ever
+been hashed, freeing must be delayed" and changing it to "if it
+ever had a parent, freeing must be delayed" closes that hole and
+covers all cases the old rule used to cover.  Moreover, pipes and
+sockets remain _not_ covered, so we do not introduce RCU delay in
+the cases which are the reason for having that delay conditional
+in the first place.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dcache.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -1618,7 +1618,7 @@ struct dentry *d_alloc(struct dentry * p
+       struct dentry *dentry = __d_alloc(parent->d_sb, name);
+       if (!dentry)
+               return NULL;
+-
++      dentry->d_flags |= DCACHE_RCUACCESS;
+       spin_lock(&parent->d_lock);
+       /*
+        * don't need child lock because it is not subject
+@@ -2413,7 +2413,6 @@ static void __d_rehash(struct dentry * e
+ {
+       BUG_ON(!d_unhashed(entry));
+       hlist_bl_lock(b);
+-      entry->d_flags |= DCACHE_RCUACCESS;
+       hlist_bl_add_head_rcu(&entry->d_hash, b);
+       hlist_bl_unlock(b);
+ }
+@@ -2632,6 +2631,7 @@ static void __d_move(struct dentry *dent
+       /* ... and switch them in the tree */
+       if (IS_ROOT(dentry)) {
+               /* splicing a tree */
++              dentry->d_flags |= DCACHE_RCUACCESS;
+               dentry->d_parent = target->d_parent;
+               target->d_parent = target;
+               list_del_init(&target->d_child);
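Review bot: The two added `dentry->d_flags |= DCACHE_RCUACCESS;` lines, in d_alloc() and in the IS_ROOT branch of __d_move(), carry no comment, so the rule they implement ("if it ever had a parent, freeing must be delayed") lives only in the commit message. A one-line comment at each site, such as `/* has a parent from here on: d_walk() may reach it, so the free must be RCU-delayed */`, would keep a later cleanup from moving the flag back to hash time in __d_rehash(). In d_alloc() the flag is set before `parent->d_lock` is taken. That looks safe because the dentry is not yet linked anywhere, but both functions continue outside the hunks, so this is an inference.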
diff --git a/queue-4.4/gpio-bcm-kona-fix-bcm_kona_gpio_reset-warnings.patch b/queue-4.4/gpio-bcm-kona-fix-bcm_kona_gpio_reset-warnings.patch
new file mode 100644 (file)
index 0000000..b7ce600
--- /dev/null
@@ -0,0 +1,51 @@
+From b66b2a0adf0e48973b582e055758b9907a7eee7c Mon Sep 17 00:00:00 2001
+From: Ben Dooks <ben.dooks@codethink.co.uk>
+Date: Tue, 7 Jun 2016 17:22:17 +0100
+Subject: gpio: bcm-kona: fix bcm_kona_gpio_reset() warnings
+
+From: Ben Dooks <ben.dooks@codethink.co.uk>
+
+commit b66b2a0adf0e48973b582e055758b9907a7eee7c upstream.
+
+The bcm_kona_gpio_reset() calls bcm_kona_gpio_write_lock_regs()
+with what looks like the wrong parameter. The write_lock_regs
+function takes a pointer to the registers, not the bcm_kona_gpio
+structure.
+
+Fix the warning, and probably bug by changing the function to
+pass reg_base instead of kona_gpio, fixing the following warning:
+
+drivers/gpio/gpio-bcm-kona.c:550:47: warning: incorrect type in argument 1
+  (different address spaces)
+  expected void [noderef] <asn:2>*reg_base
+  got struct bcm_kona_gpio *kona_gpio
+  warning: incorrect type in argument 1 (different address spaces)
+  expected void [noderef] <asn:2>*reg_base
+  got struct bcm_kona_gpio *kona_gpio
+
+Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
+Acked-by: Ray Jui <ray.jui@broadcom.com>
+Reviewed-by: Markus Mayer <mmayer@broadcom.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpio-bcm-kona.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpio/gpio-bcm-kona.c
++++ b/drivers/gpio/gpio-bcm-kona.c
+@@ -551,11 +551,11 @@ static void bcm_kona_gpio_reset(struct b
+       /* disable interrupts and clear status */
+       for (i = 0; i < kona_gpio->num_bank; i++) {
+               /* Unlock the entire bank first */
+-              bcm_kona_gpio_write_lock_regs(kona_gpio, i, UNLOCK_CODE);
++              bcm_kona_gpio_write_lock_regs(reg_base, i, UNLOCK_CODE);
+               writel(0xffffffff, reg_base + GPIO_INT_MASK(i));
+               writel(0xffffffff, reg_base + GPIO_INT_STATUS(i));
+               /* Now re-lock the bank */
+-              bcm_kona_gpio_write_lock_regs(kona_gpio, i, LOCK_CODE);
++              bcm_kona_gpio_write_lock_regs(reg_base, i, LOCK_CODE);
+       }
+ }
diff --git a/queue-4.4/irqchip-gic-v3-fix-icc_sgi1r_el1.intid-decoding-mask.patch b/queue-4.4/irqchip-gic-v3-fix-icc_sgi1r_el1.intid-decoding-mask.patch
new file mode 100644 (file)
index 0000000..c9ba02d
--- /dev/null
@@ -0,0 +1,30 @@
+From dd5f1b049dc139876801db3cdd0f20d21fd428cc Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Thu, 2 Jun 2016 09:00:28 +0100
+Subject: irqchip/gic-v3: Fix ICC_SGI1R_EL1.INTID decoding mask
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit dd5f1b049dc139876801db3cdd0f20d21fd428cc upstream.
+
+The INTID mask is wrong, and is made a signed value, which has
+nteresting effects in the KVM emulation. Let's sanitize it.
+
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/irqchip/arm-gic-v3.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/irqchip/arm-gic-v3.h
++++ b/include/linux/irqchip/arm-gic-v3.h
+@@ -301,7 +301,7 @@
+ #define ICC_SGI1R_AFFINITY_1_SHIFT    16
+ #define ICC_SGI1R_AFFINITY_1_MASK     (0xff << ICC_SGI1R_AFFINITY_1_SHIFT)
+ #define ICC_SGI1R_SGI_ID_SHIFT                24
+-#define ICC_SGI1R_SGI_ID_MASK         (0xff << ICC_SGI1R_SGI_ID_SHIFT)
++#define ICC_SGI1R_SGI_ID_MASK         (0xfULL << ICC_SGI1R_SGI_ID_SHIFT)
+ #define ICC_SGI1R_AFFINITY_2_SHIFT    32
+ #define ICC_SGI1R_AFFINITY_2_MASK     (0xffULL << ICC_SGI1R_AFFINITY_1_SHIFT)
+ #define ICC_SGI1R_IRQ_ROUTING_MODE_BIT        40
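Review bot: The context line just below the fix still builds `ICC_SGI1R_AFFINITY_2_MASK` from `ICC_SGI1R_AFFINITY_1_SHIFT` (16) rather than the `ICC_SGI1R_AFFINITY_2_SHIFT` (32) defined on the line above it, so the mask covers the AFFINITY_1 field instead of AFFINITY_2. This patch leaves it untouched; it looks like a copy-paste error of the same family and would want `#define ICC_SGI1R_AFFINITY_2_MASK (0xffULL << ICC_SGI1R_AFFINITY_2_SHIFT)`. Whether any user of the macro in 4.4 is affected is not visible from this hunk.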
diff --git a/queue-4.4/kvm-irqfd-fix-null-pointer-dereference-in-kvm_irq_map_gsi.patch b/queue-4.4/kvm-irqfd-fix-null-pointer-dereference-in-kvm_irq_map_gsi.patch
new file mode 100644 (file)
index 0000000..a623984
--- /dev/null
@@ -0,0 +1,79 @@
+From c622a3c21ede892e370b56e1ceb9eb28f8bbda6b Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 1 Jun 2016 14:09:21 +0200
+Subject: KVM: irqfd: fix NULL pointer dereference in kvm_irq_map_gsi
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit c622a3c21ede892e370b56e1ceb9eb28f8bbda6b upstream.
+
+Found by syzkaller:
+
+    BUG: unable to handle kernel NULL pointer dereference at 0000000000000120
+    IP: [<ffffffffa0797202>] kvm_irq_map_gsi+0x12/0x90 [kvm]
+    PGD 6f80b067 PUD b6535067 PMD 0
+    Oops: 0000 [#1] SMP
+    CPU: 3 PID: 4988 Comm: a.out Not tainted 4.4.9-300.fc23.x86_64 #1
+    [...]
+    Call Trace:
+     [<ffffffffa0795f62>] irqfd_update+0x32/0xc0 [kvm]
+     [<ffffffffa0796c7c>] kvm_irqfd+0x3dc/0x5b0 [kvm]
+     [<ffffffffa07943f4>] kvm_vm_ioctl+0x164/0x6f0 [kvm]
+     [<ffffffff81241648>] do_vfs_ioctl+0x298/0x480
+     [<ffffffff812418a9>] SyS_ioctl+0x79/0x90
+     [<ffffffff817a1062>] tracesys_phase2+0x84/0x89
+    Code: b5 71 a7 e0 5b 41 5c 41 5d 5d f3 c3 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 8b 8f 10 2e 00 00 31 c0 48 89 e5 <39> 91 20 01 00 00 76 6a 48 63 d2 48 8b 94 d1 28 01 00 00 48 85
+    RIP  [<ffffffffa0797202>] kvm_irq_map_gsi+0x12/0x90 [kvm]
+     RSP <ffff8800926cbca8>
+    CR2: 0000000000000120
+
+Testcase:
+
+    #include <unistd.h>
+    #include <sys/syscall.h>
+    #include <string.h>
+    #include <stdint.h>
+    #include <linux/kvm.h>
+    #include <fcntl.h>
+    #include <sys/ioctl.h>
+
+    long r[26];
+
+    int main()
+    {
+        memset(r, -1, sizeof(r));
+        r[2] = open("/dev/kvm", 0);
+        r[3] = ioctl(r[2], KVM_CREATE_VM, 0);
+
+        struct kvm_irqfd ifd;
+        ifd.fd = syscall(SYS_eventfd2, 5, 0);
+        ifd.gsi = 3;
+        ifd.flags = 2;
+        ifd.resamplefd = ifd.fd;
+        r[25] = ioctl(r[3], KVM_IRQFD, &ifd);
+        return 0;
+    }
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/irqchip.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/virt/kvm/irqchip.c
++++ b/virt/kvm/irqchip.c
+@@ -40,7 +40,7 @@ int kvm_irq_map_gsi(struct kvm *kvm,
+       irq_rt = srcu_dereference_check(kvm->irq_routing, &kvm->irq_srcu,
+                                       lockdep_is_held(&kvm->irq_lock));
+-      if (gsi < irq_rt->nr_rt_entries) {
++      if (irq_rt && gsi < irq_rt->nr_rt_entries) {
+               hlist_for_each_entry(e, &irq_rt->map[gsi], link) {
+                       entries[n] = *e;
+                       ++n;
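Review bot: The added `irq_rt &&` test in kvm_irq_map_gsi() makes a missing routing table behave like an out-of-range GSI, but no comment says when `kvm->irq_routing` can be NULL. The testcase in the description issues KVM_IRQFD straight after KVM_CREATE_VM, which suggests the table does not exist until routing has been set up. A comment such as `/* irq_routing is NULL until a routing table has been installed */` would record that. Other readers of `kvm->irq_routing` lie outside this hunk and should be checked for the same assumption.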
diff --git a/queue-4.4/kvm-x86-fix-oops-after-invalid-kvm_set_debugregs.patch b/queue-4.4/kvm-x86-fix-oops-after-invalid-kvm_set_debugregs.patch
new file mode 100644 (file)
index 0000000..7e7065e
--- /dev/null
@@ -0,0 +1,83 @@
+From d14bdb553f9196169f003058ae1cdabe514470e6 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 1 Jun 2016 14:09:23 +0200
+Subject: KVM: x86: fix OOPS after invalid KVM_SET_DEBUGREGS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit d14bdb553f9196169f003058ae1cdabe514470e6 upstream.
+
+MOV to DR6 or DR7 causes a #GP if an attempt is made to write a 1 to
+any of bits 63:32.  However, this is not detected at KVM_SET_DEBUGREGS
+time, and the next KVM_RUN oopses:
+
+   general protection fault: 0000 [#1] SMP
+   CPU: 2 PID: 14987 Comm: a.out Not tainted 4.4.9-300.fc23.x86_64 #1
+   Hardware name: LENOVO 2325F51/2325F51, BIOS G2ET32WW (1.12 ) 05/30/2012
+   [...]
+   Call Trace:
+    [<ffffffffa072c93d>] kvm_arch_vcpu_ioctl_run+0x141d/0x14e0 [kvm]
+    [<ffffffffa071405d>] kvm_vcpu_ioctl+0x33d/0x620 [kvm]
+    [<ffffffff81241648>] do_vfs_ioctl+0x298/0x480
+    [<ffffffff812418a9>] SyS_ioctl+0x79/0x90
+    [<ffffffff817a0f2e>] entry_SYSCALL_64_fastpath+0x12/0x71
+   Code: 55 83 ff 07 48 89 e5 77 27 89 ff ff 24 fd 90 87 80 81 0f 23 fe 5d c3 0f 23 c6 5d c3 0f 23 ce 5d c3 0f 23 d6 5d c3 0f 23 de 5d c3 <0f> 23 f6 5d c3 0f 0b 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00
+   RIP  [<ffffffff810639eb>] native_set_debugreg+0x2b/0x40
+    RSP <ffff88005836bd50>
+
+Testcase (beautified/reduced from syzkaller output):
+
+    #include <unistd.h>
+    #include <sys/syscall.h>
+    #include <string.h>
+    #include <stdint.h>
+    #include <linux/kvm.h>
+    #include <fcntl.h>
+    #include <sys/ioctl.h>
+
+    long r[8];
+
+    int main()
+    {
+        struct kvm_debugregs dr = { 0 };
+
+        r[2] = open("/dev/kvm", O_RDONLY);
+        r[3] = ioctl(r[2], KVM_CREATE_VM, 0);
+        r[4] = ioctl(r[3], KVM_CREATE_VCPU, 7);
+
+        memcpy(&dr,
+               "\x5d\x6a\x6b\xe8\x57\x3b\x4b\x7e\xcf\x0d\xa1\x72"
+               "\xa3\x4a\x29\x0c\xfc\x6d\x44\x00\xa7\x52\xc7\xd8"
+               "\x00\xdb\x89\x9d\x78\xb5\x54\x6b\x6b\x13\x1c\xe9"
+               "\x5e\xd3\x0e\x40\x6f\xb4\x66\xf7\x5b\xe3\x36\xcb",
+               48);
+        r[7] = ioctl(r[4], KVM_SET_DEBUGREGS, &dr);
+        r[6] = ioctl(r[4], KVM_RUN, 0);
+    }
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -3014,6 +3014,11 @@ static int kvm_vcpu_ioctl_x86_set_debugr
+       if (dbgregs->flags)
+               return -EINVAL;
++      if (dbgregs->dr6 & ~0xffffffffull)
++              return -EINVAL;
++      if (dbgregs->dr7 & ~0xffffffffull)
++              return -EINVAL;
++
+       memcpy(vcpu->arch.db, dbgregs->db, sizeof(vcpu->arch.db));
+       kvm_update_dr0123(vcpu);
+       vcpu->arch.dr6 = dbgregs->dr6;
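Review bot: The two new checks in kvm_vcpu_ioctl_x86_set_debugregs() repeat the literal `~0xffffffffull` without saying what it encodes. A short comment, `/* MOV to DR6/DR7 raises #GP if any of bits 63:32 is set */`, would tie the test to the architectural rule quoted in the commit message. The pair could also be folded into one test, `if ((dbgregs->dr6 | dbgregs->dr7) >> 32) return -EINVAL;`. The values come from userspace through the ioctl, so rejecting them before the `memcpy` into `vcpu->arch.db` is the right order.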
diff --git a/queue-4.4/memcg-add-rcu-locking-around-css_for_each_descendant_pre-in-memcg_offline_kmem.patch b/queue-4.4/memcg-add-rcu-locking-around-css_for_each_descendant_pre-in-memcg_offline_kmem.patch
new file mode 100644 (file)
index 0000000..09f34db
--- /dev/null
@@ -0,0 +1,75 @@
+From 3a06bb78ceeceacc86a1e31133a7944013f9775b Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Fri, 3 Jun 2016 14:55:44 -0700
+Subject: memcg: add RCU locking around css_for_each_descendant_pre() in memcg_offline_kmem()
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 3a06bb78ceeceacc86a1e31133a7944013f9775b upstream.
+
+memcg_offline_kmem() may be called from memcg_free_kmem() after a css
+init failure.  memcg_free_kmem() is a ->css_free callback which is
+called without cgroup_mutex and memcg_offline_kmem() ends up using
+css_for_each_descendant_pre() without any locking.  Fix it by adding rcu
+read locking around it.
+
+    mkdir: cannot create directory `65530': No space left on device
+    ===============================
+    [ INFO: suspicious RCU usage. ]
+    4.6.0-work+ #321 Not tainted
+    -------------------------------
+    kernel/cgroup.c:4008 cgroup_mutex or RCU read lock required!
+     [  527.243970] other info that might help us debug this:
+     [  527.244715]
+    rcu_scheduler_active = 1, debug_locks = 0
+    2 locks held by kworker/0:5/1664:
+     #0:  ("cgroup_destroy"){.+.+..}, at: [<ffffffff81060ab5>] process_one_work+0x165/0x4a0
+     #1:  ((&css->destroy_work)#3){+.+...}, at: [<ffffffff81060ab5>] process_one_work+0x165/0x4a0
+     [  527.248098] stack backtrace:
+    CPU: 0 PID: 1664 Comm: kworker/0:5 Not tainted 4.6.0-work+ #321
+    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.1-1.fc24 04/01/2014
+    Workqueue: cgroup_destroy css_free_work_fn
+    Call Trace:
+      dump_stack+0x68/0xa1
+      lockdep_rcu_suspicious+0xd7/0x110
+      css_next_descendant_pre+0x7d/0xb0
+      memcg_offline_kmem.part.44+0x4a/0xc0
+      mem_cgroup_css_free+0x1ec/0x200
+      css_free_work_fn+0x49/0x5e0
+      process_one_work+0x1c5/0x4a0
+      worker_thread+0x49/0x490
+      kthread+0xea/0x100
+      ret_from_fork+0x1f/0x40
+
+Link: http://lkml.kernel.org/r/20160526203018.GG23194@mtj.duckdns.org
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Acked-by: Vladimir Davydov <vdavydov@virtuozzo.com>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Michal Hocko <mhocko@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memcontrol.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -3661,6 +3661,7 @@ static void memcg_deactivate_kmem(struct
+        * ordering is imposed by list_lru_node->lock taken by
+        * memcg_drain_all_list_lrus().
+        */
++      rcu_read_lock(); /* can be called from css_free w/o cgroup_mutex */
+       css_for_each_descendant_pre(css, &memcg->css) {
+               child = mem_cgroup_from_css(css);
+               BUG_ON(child->kmemcg_id != kmemcg_id);
+@@ -3668,6 +3669,8 @@ static void memcg_deactivate_kmem(struct
+               if (!memcg->use_hierarchy)
+                       break;
+       }
++      rcu_read_unlock();
++
+       memcg_drain_all_list_lrus(kmemcg_id, parent->kmemcg_id);
+       memcg_free_cache_id(kmemcg_id);
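Review bot: The description speaks of memcg_offline_kmem() and memcg_free_kmem(), but both hunk headers show the change landing in memcg_deactivate_kmem(), so the 4.4 backport targets a differently named function and nothing records that. A backport note in the patch description should state that memcg_deactivate_kmem() is the 4.4 counterpart and is reachable from the css_free path without cgroup_mutex. The loop statement that falls between the two hunks is not shown. It now runs under `rcu_read_lock()` and must not sleep.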
diff --git a/queue-4.4/parisc-fix-pagefault-crash-in-unaligned-__get_user-call.patch b/queue-4.4/parisc-fix-pagefault-crash-in-unaligned-__get_user-call.patch
new file mode 100644 (file)
index 0000000..a48e107
--- /dev/null
@@ -0,0 +1,109 @@
+From 8b78f260887df532da529f225c49195d18fef36b Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sat, 4 Jun 2016 17:21:33 +0200
+Subject: parisc: Fix pagefault crash in unaligned __get_user() call
+
+From: Helge Deller <deller@gmx.de>
+
+commit 8b78f260887df532da529f225c49195d18fef36b upstream.
+
+One of the debian buildd servers had this crash in the syslog without
+any other information:
+
+ Unaligned handler failed, ret = -2
+ clock_adjtime (pid 22578): Unaligned data reference (code 28)
+ CPU: 1 PID: 22578 Comm: clock_adjtime Tainted: G  E  4.5.0-2-parisc64-smp #1 Debian 4.5.4-1
+ task: 000000007d9960f8 ti: 00000001bde7c000 task.ti: 00000001bde7c000
+
+      YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
+ PSW: 00001000000001001111100000001111 Tainted: G            E
+ r00-03  000000ff0804f80f 00000001bde7c2b0 00000000402d2be8 00000001bde7c2b0
+ r04-07  00000000409e1fd0 00000000fa6f7fff 00000001bde7c148 00000000fa6f7fff
+ r08-11  0000000000000000 00000000ffffffff 00000000fac9bb7b 000000000002b4d4
+ r12-15  000000000015241c 000000000015242c 000000000000002d 00000000fac9bb7b
+ r16-19  0000000000028800 0000000000000001 0000000000000070 00000001bde7c218
+ r20-23  0000000000000000 00000001bde7c210 0000000000000002 0000000000000000
+ r24-27  0000000000000000 0000000000000000 00000001bde7c148 00000000409e1fd0
+ r28-31  0000000000000001 00000001bde7c320 00000001bde7c350 00000001bde7c218
+ sr00-03  0000000001200000 0000000001200000 0000000000000000 0000000001200000
+ sr04-07  0000000000000000 0000000000000000 0000000000000000 0000000000000000
+
+ IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000402d2e84 00000000402d2e88
+  IIR: 0ca0d089    ISR: 0000000001200000  IOR: 00000000fa6f7fff
+  CPU:        1   CR30: 00000001bde7c000 CR31: ffffffffffffffff
+  ORIG_R28: 00000002369fe628
+  IAOQ[0]: compat_get_timex+0x2dc/0x3c0
+  IAOQ[1]: compat_get_timex+0x2e0/0x3c0
+  RP(r2): compat_get_timex+0x40/0x3c0
+ Backtrace:
+  [<00000000402d4608>] compat_SyS_clock_adjtime+0x40/0xc0
+  [<0000000040205024>] syscall_exit+0x0/0x14
+
+This means the userspace program clock_adjtime called the clock_adjtime()
+syscall and then crashed inside the compat_get_timex() function.
+Syscalls should never crash programs, but instead return EFAULT.
+
+The IIR register contains the executed instruction, which disassebles
+into "ldw 0(sr3,r5),r9".
+This load-word instruction is part of __get_user() which tried to read the word
+at %r5/IOR (0xfa6f7fff). This means the unaligned handler jumped in.  The
+unaligned handler is able to emulate all ldw instructions, but it fails if it
+fails to read the source e.g. because of page fault.
+
+The following program reproduces the problem:
+
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <sys/mman.h>
+
+int main(void) {
+        /* allocate 8k */
+        char *ptr = mmap(NULL, 2*4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+        /* free second half (upper 4k) and make it invalid. */
+        munmap(ptr+4096, 4096);
+        /* syscall where first int is unaligned and clobbers into invalid memory region */
+        /* syscall should return EFAULT */
+        return syscall(__NR_clock_adjtime, 0, ptr+4095);
+}
+
+To fix this issue we simply need to check if the faulting instruction address
+is in the exception fixup table when the unaligned handler failed. If it
+is, call the fixup routine instead of crashing.
+
+While looking at the unaligned handler I found another issue as well: The
+target register should not be modified if the handler was unsuccessful.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/unaligned.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/kernel/unaligned.c
++++ b/arch/parisc/kernel/unaligned.c
+@@ -666,7 +666,7 @@ void handle_unaligned(struct pt_regs *re
+               break;
+       }
+-      if (modify && R1(regs->iir))
++      if (ret == 0 && modify && R1(regs->iir))
+               regs->gr[R1(regs->iir)] = newbase;
+@@ -677,6 +677,14 @@ void handle_unaligned(struct pt_regs *re
+       if (ret)
+       {
++              /*
++               * The unaligned handler failed.
++               * If we were called by __get_user() or __put_user() jump
++               * to it's exception fixup handler instead of crashing.
++               */
++              if (!user_mode(regs) && fixup_exception(regs))
++                      return;
++
+               printk(KERN_CRIT "Unaligned handler failed, ret = %d\n", ret);
+               die_if_kernel("Unaligned data reference", regs, 28);
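Review bot: The comment added in handle_unaligned() reads "jump to it's exception fixup handler"; that should be `its`, and the condition is broader than the comment states. `!user_mode(regs) && fixup_exception(regs)` recovers any kernel-mode access that has an exception-table entry, not only __get_user() and __put_user(). I would word it as `/* Kernel access with an exception-table entry (e.g. __get_user()): run the fixup instead of dying. */`. The function starts and ends outside both hunks.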
diff --git a/queue-4.4/pinctrl-mediatek-fix-dual-edge-code-defect.patch b/queue-4.4/pinctrl-mediatek-fix-dual-edge-code-defect.patch
new file mode 100644 (file)
index 0000000..7d34f73
--- /dev/null
@@ -0,0 +1,38 @@
+From 5edf673d07fdcb6498be24914f3f38f8d8843199 Mon Sep 17 00:00:00 2001
+From: "hongkun.cao" <hongkun.cao@mediatek.com>
+Date: Sat, 21 May 2016 15:23:39 +0800
+Subject: pinctrl: mediatek: fix dual-edge code defect
+
+From: hongkun.cao <hongkun.cao@mediatek.com>
+
+commit 5edf673d07fdcb6498be24914f3f38f8d8843199 upstream.
+
+When a dual-edge irq is triggered, an incorrect irq will be reported on
+condition that the external signal is not stable and this incorrect irq
+has been registered.
+Correct the register offset.
+
+Signed-off-by: Hongkun Cao <hongkun.cao@mediatek.com>
+Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/mediatek/pinctrl-mtk-common.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/mediatek/pinctrl-mtk-common.c
++++ b/drivers/pinctrl/mediatek/pinctrl-mtk-common.c
+@@ -1191,9 +1191,10 @@ static void mtk_eint_irq_handler(struct
+       const struct mtk_desc_pin *pin;
+       chained_irq_enter(chip, desc);
+-      for (eint_num = 0; eint_num < pctl->devdata->ap_num; eint_num += 32) {
++      for (eint_num = 0;
++           eint_num < pctl->devdata->ap_num;
++           eint_num += 32, reg += 4) {
+               status = readl(reg);
+-              reg += 4;
+               while (status) {
+                       offset = __ffs(status);
+                       index = eint_num + offset;
diff --git a/queue-4.4/powerpc-fix-definition-of-siar-and-sdar-registers.patch b/queue-4.4/powerpc-fix-definition-of-siar-and-sdar-registers.patch
new file mode 100644 (file)
index 0000000..bd144d3
--- /dev/null
@@ -0,0 +1,46 @@
+From d23fac2b27d94aeb7b65536a50d32bfdc21fe01e Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Thu, 12 May 2016 13:26:44 +0200
+Subject: powerpc: Fix definition of SIAR and SDAR registers
+
+From: Thomas Huth <thuth@redhat.com>
+
+commit d23fac2b27d94aeb7b65536a50d32bfdc21fe01e upstream.
+
+The SIAR and SDAR registers are available twice, one time as SPRs
+780 / 781 (unprivileged, but read-only), and one time as the SPRs
+796 / 797 (privileged, but read and write). The Linux kernel code
+currently uses the unprivileged  SPRs - while this is OK for reading,
+writing to that register of course does not work.
+Since the KVM code tries to write to this register, too (see the mtspr
+in book3s_hv_rmhandlers.S), the contents of this register sometimes get
+lost for the guests, e.g. during migration of a VM.
+To fix this issue, simply switch to the privileged SPR numbers instead.
+
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Acked-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/reg.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/include/asm/reg.h
++++ b/arch/powerpc/include/asm/reg.h
+@@ -744,13 +744,13 @@
+ #define SPRN_PMC6     792
+ #define SPRN_PMC7     793
+ #define SPRN_PMC8     794
+-#define SPRN_SIAR     780
+-#define SPRN_SDAR     781
+ #define SPRN_SIER     784
+ #define   SIER_SIPR           0x2000000       /* Sampled MSR_PR */
+ #define   SIER_SIHV           0x1000000       /* Sampled MSR_HV */
+ #define   SIER_SIAR_VALID     0x0400000       /* SIAR contents valid */
+ #define   SIER_SDAR_VALID     0x0200000       /* SDAR contents valid */
++#define SPRN_SIAR     796
++#define SPRN_SDAR     797
+ #define SPRN_TACR     888
+ #define SPRN_TCSCR    889
+ #define SPRN_CSIGR    890
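Review bot: The new `#define SPRN_SIAR 796` and `#define SPRN_SDAR 797` give no hint that a second, read-only pair of numbers exists, which is exactly the confusion this patch fixes. A trailing comment such as `/* privileged, read/write; 780/781 are the unprivileged read-only aliases */` would stop the values being "corrected" back later. The same applies to `#define SPRN_MMCR2 785` in powerpc-use-privileged-spr-number-for-mmcr2.patch further down this commit.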
diff --git a/queue-4.4/powerpc-pseries-add-power8nvl-support-to-ibm-client-architecture-support-call.patch b/queue-4.4/powerpc-pseries-add-power8nvl-support-to-ibm-client-architecture-support-call.patch
new file mode 100644 (file)
index 0000000..c7057f4
--- /dev/null
@@ -0,0 +1,35 @@
+From 7cc851039d643a2ee7df4d18177150f2c3a484f5 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Tue, 31 May 2016 07:51:17 +0200
+Subject: powerpc/pseries: Add POWER8NVL support to ibm,client-architecture-support call
+
+From: Thomas Huth <thuth@redhat.com>
+
+commit 7cc851039d643a2ee7df4d18177150f2c3a484f5 upstream.
+
+If we do not provide the PVR for POWER8NVL, a guest on this system
+currently ends up in PowerISA 2.06 compatibility mode on KVM, since QEMU
+does not provide a generic PowerISA 2.07 mode yet. So some new
+instructions from POWER8 (like "mtvsrd") get disabled for the guest,
+resulting in crashes when using code compiled explicitly for
+POWER8 (e.g. with the "-mcpu=power8" option of GCC).
+
+Fixes: ddee09c099c3 ("powerpc: Add PVR for POWER8NVL processor")
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/prom_init.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/kernel/prom_init.c
++++ b/arch/powerpc/kernel/prom_init.c
+@@ -655,6 +655,7 @@ unsigned char ibm_architecture_vec[] = {
+       W(0xffff0000), W(0x003e0000),   /* POWER6 */
+       W(0xffff0000), W(0x003f0000),   /* POWER7 */
+       W(0xffff0000), W(0x004b0000),   /* POWER8E */
++      W(0xffff0000), W(0x004c0000),   /* POWER8NVL */
+       W(0xffff0000), W(0x004d0000),   /* POWER8 */
+       W(0xffffffff), W(0x0f000004),   /* all 2.07-compliant */
+       W(0xffffffff), W(0x0f000003),   /* all 2.06-compliant */
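Review bot: Inserting a PVR mask/value pair near the top of `ibm_architecture_vec[]` shifts every later byte of the array by the size of two `W()` entries, and the patch changes nothing else. If prom_init.c in 4.4 addresses a later field of the vector through a hard-coded byte offset (as far as I recall it does, via `IBM_ARCH_VEC_NRCORES_OFFSET`), that offset has to be adjusted in the same change. Otherwise the boot-time patching of that field will land on the wrong bytes. The rest of the array and its users are outside this hunk and should be checked before this is queued.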
diff --git a/queue-4.4/powerpc-pseries-eeh-handle-rtas-delay-requests-in-configure_bridge.patch b/queue-4.4/powerpc-pseries-eeh-handle-rtas-delay-requests-in-configure_bridge.patch
new file mode 100644 (file)
index 0000000..c841798
--- /dev/null
@@ -0,0 +1,95 @@
+From 871e178e0f2c4fa788f694721a10b4758d494ce1 Mon Sep 17 00:00:00 2001
+From: Russell Currey <ruscur@russell.cc>
+Date: Thu, 7 Apr 2016 16:28:26 +1000
+Subject: powerpc/pseries/eeh: Handle RTAS delay requests in configure_bridge
+
+From: Russell Currey <ruscur@russell.cc>
+
+commit 871e178e0f2c4fa788f694721a10b4758d494ce1 upstream.
+
+In the "ibm,configure-pe" and "ibm,configure-bridge" RTAS calls, the
+spec states that values of 9900-9905 can be returned, indicating that
+software should delay for 10^x (where x is the last digit, i.e. 990x)
+milliseconds and attempt the call again. Currently, the kernel doesn't
+know about this, and respecting it fixes some PCI failures when the
+hypervisor is busy.
+
+The delay is capped at 0.2 seconds.
+
+Signed-off-by: Russell Currey <ruscur@russell.cc>
+Acked-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/pseries/eeh_pseries.c |   51 +++++++++++++++++++--------
+ 1 file changed, 36 insertions(+), 15 deletions(-)
+
+--- a/arch/powerpc/platforms/pseries/eeh_pseries.c
++++ b/arch/powerpc/platforms/pseries/eeh_pseries.c
+@@ -615,29 +615,50 @@ static int pseries_eeh_configure_bridge(
+ {
+       int config_addr;
+       int ret;
++      /* Waiting 0.2s maximum before skipping configuration */
++      int max_wait = 200;
+       /* Figure out the PE address */
+       config_addr = pe->config_addr;
+       if (pe->addr)
+               config_addr = pe->addr;
+-      /* Use new configure-pe function, if supported */
+-      if (ibm_configure_pe != RTAS_UNKNOWN_SERVICE) {
+-              ret = rtas_call(ibm_configure_pe, 3, 1, NULL,
+-                              config_addr, BUID_HI(pe->phb->buid),
+-                              BUID_LO(pe->phb->buid));
+-      } else if (ibm_configure_bridge != RTAS_UNKNOWN_SERVICE) {
+-              ret = rtas_call(ibm_configure_bridge, 3, 1, NULL,
+-                              config_addr, BUID_HI(pe->phb->buid),
+-                              BUID_LO(pe->phb->buid));
+-      } else {
+-              return -EFAULT;
+-      }
++      while (max_wait > 0) {
++              /* Use new configure-pe function, if supported */
++              if (ibm_configure_pe != RTAS_UNKNOWN_SERVICE) {
++                      ret = rtas_call(ibm_configure_pe, 3, 1, NULL,
++                                      config_addr, BUID_HI(pe->phb->buid),
++                                      BUID_LO(pe->phb->buid));
++              } else if (ibm_configure_bridge != RTAS_UNKNOWN_SERVICE) {
++                      ret = rtas_call(ibm_configure_bridge, 3, 1, NULL,
++                                      config_addr, BUID_HI(pe->phb->buid),
++                                      BUID_LO(pe->phb->buid));
++              } else {
++                      return -EFAULT;
++              }
++
++              if (!ret)
++                      return ret;
++
++              /*
++               * If RTAS returns a delay value that's above 100ms, cut it
++               * down to 100ms in case firmware made a mistake.  For more
++               * on how these delay values work see rtas_busy_delay_time
++               */
++              if (ret > RTAS_EXTENDED_DELAY_MIN+2 &&
++                  ret <= RTAS_EXTENDED_DELAY_MAX)
++                      ret = RTAS_EXTENDED_DELAY_MIN+2;
+-      if (ret)
+-              pr_warn("%s: Unable to configure bridge PHB#%d-PE#%x (%d)\n",
+-                      __func__, pe->phb->global_number, pe->addr, ret);
++              max_wait -= rtas_busy_delay_time(ret);
++
++              if (max_wait < 0)
++                      break;
++
++              rtas_busy_delay(ret);
++      }
++      pr_warn("%s: Unable to configure bridge PHB#%d-PE#%x (%d)\n",
++              __func__, pe->phb->global_number, pe->addr, ret);
+       return ret;
+ }
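Review bot: The new retry loop in pseries_eeh_configure_bridge() has no exit for a non-zero status that is not a delay request. Assuming rtas_busy_delay_time() returns 0 for such a status and rtas_busy_delay() then does not sleep (neither is visible here), a hard error such as a negative RTAS status leaves `max_wait` at 200 and the loop repeats the RTAS call indefinitely. Adding `if (ret < 0) break;` right after the `if (!ret) return ret;` test lets real errors fall through to the `pr_warn`. A positive status outside the busy/extended-delay range would need the same treatment.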
diff --git a/queue-4.4/powerpc-use-privileged-spr-number-for-mmcr2.patch b/queue-4.4/powerpc-use-privileged-spr-number-for-mmcr2.patch
new file mode 100644 (file)
index 0000000..bce7341
--- /dev/null
@@ -0,0 +1,35 @@
+From 8dd75ccb571f3c92c48014b3dabd3d51a115ab41 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Thu, 12 May 2016 13:29:11 +0200
+Subject: powerpc: Use privileged SPR number for MMCR2
+
+From: Thomas Huth <thuth@redhat.com>
+
+commit 8dd75ccb571f3c92c48014b3dabd3d51a115ab41 upstream.
+
+We are already using the privileged versions of MMCR0, MMCR1
+and MMCRA in the kernel, so for MMCR2, we should better use
+the privileged versions, too, to be consistent.
+
+Fixes: 240686c13687 ("powerpc: Initialise PMU related regs on Power8")
+Suggested-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Acked-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/reg.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/include/asm/reg.h
++++ b/arch/powerpc/include/asm/reg.h
+@@ -707,7 +707,7 @@
+ #define   MMCR0_FCWAIT        0x00000002UL /* freeze counter in WAIT state */
+ #define   MMCR0_FCHV  0x00000001UL /* freeze conditions in hypervisor mode */
+ #define SPRN_MMCR1    798
+-#define SPRN_MMCR2    769
++#define SPRN_MMCR2    785
+ #define SPRN_MMCRA    0x312
+ #define   MMCRA_SDSYNC        0x80000000UL /* SDAR synced with SIAR */
+ #define   MMCRA_SDAR_DCACHE_MISS 0x40000000UL
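Review bot: The new `SPRN_MMCR2` value in reg.h carries no comment, so nothing in the header records that 785 is the privileged SPR number the commit message asks for. The neighbouring defines also mix decimal (`798`, `785`) and hex (`0x312`), which makes a wrong number harder to spot. A trailing comment such as `#define SPRN_MMCR2 785 /* privileged SPR number, as for MMCR0/MMCR1/MMCRA */` would keep a later edit from reverting to the old number.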
diff --git a/queue-4.4/proc-prevent-stacking-filesystems-on-top.patch b/queue-4.4/proc-prevent-stacking-filesystems-on-top.patch
new file mode 100644 (file)
index 0000000..83e1e0e
--- /dev/null
@@ -0,0 +1,41 @@
+From e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 1 Jun 2016 11:55:05 +0200
+Subject: proc: prevent stacking filesystems on top
+
+From: Jann Horn <jannh@google.com>
+
+commit e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9 upstream.
+
+This prevents stacking filesystems (ecryptfs and overlayfs) from using
+procfs as lower filesystem.  There is too much magic going on inside
+procfs, and there is no good reason to stack stuff on top of procfs.
+
+(For example, procfs does access checks in VFS open handlers, and
+ecryptfs by design calls open handlers from a kernel thread that doesn't
+drop privileges or so.)
+
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/root.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/proc/root.c
++++ b/fs/proc/root.c
+@@ -121,6 +121,13 @@ static struct dentry *proc_mount(struct
+       if (IS_ERR(sb))
+               return ERR_CAST(sb);
++      /*
++       * procfs isn't actually a stacking filesystem; however, there is
++       * too much magic going on inside it to permit stacking things on
++       * top of it
++       */
++      sb->s_stack_depth = FILESYSTEM_MAX_STACK_DEPTH;
++
+       if (!proc_parse_options(options, ns)) {
+               deactivate_locked_super(sb);
+               return ERR_PTR(-EINVAL);
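Review bot: The comment added in proc_mount() says only that there is "too much magic", so the concrete reason stays in the commit message: procfs does its access checks in open handlers, and ecryptfs calls those from a kernel thread that keeps its privileges. I would name that in the code, e.g. `/* procfs checks access in its open handlers; a stacking fs may call them from a privileged kernel thread, so refuse to be a lower fs */`. The assignment only helps if every stacking filesystem compares the lower `s_stack_depth` against `FILESYSTEM_MAX_STACK_DEPTH` before mounting, which this hunk does not show and is worth confirming for ecryptfs and overlayfs in this tree. proc_mount() starts and ends outside the hunk.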
diff --git a/queue-4.4/s390-bpf-fix-recache-skb-data-hlen-for-skb_vlan_push-pop.patch b/queue-4.4/s390-bpf-fix-recache-skb-data-hlen-for-skb_vlan_push-pop.patch
new file mode 100644 (file)
index 0000000..f03e221
--- /dev/null
@@ -0,0 +1,61 @@
+From 6edf0aa4f8bbdfbb4d6d786892fa02728d05dc36 Mon Sep 17 00:00:00 2001
+From: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+Date: Wed, 11 May 2016 21:13:13 +0200
+Subject: s390/bpf: fix recache skb->data/hlen for skb_vlan_push/pop
+
+From: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+
+commit 6edf0aa4f8bbdfbb4d6d786892fa02728d05dc36 upstream.
+
+In case of usage of skb_vlan_push/pop, in the prologue we store
+the SKB pointer on the stack and restore it after BPF_JMP_CALL
+to skb_vlan_push/pop.
+
+Unfortunately currently there are two bugs in the code:
+
+ 1) The wrong stack slot (offset 170 instead of 176) is used
+ 2) The wrong register (W1 instead of B1) is saved
+
+So fix this and use correct stack slot and register.
+
+Fixes: 9db7f2b81880 ("s390/bpf: recache skb->data/hlen for skb_vlan_push/pop")
+Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/net/bpf_jit.h      |    4 ++--
+ arch/s390/net/bpf_jit_comp.c |    2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/s390/net/bpf_jit.h
++++ b/arch/s390/net/bpf_jit.h
+@@ -37,7 +37,7 @@ extern u8 sk_load_word[], sk_load_half[]
+  *          |               |     |
+  *          +---------------+     |
+  *          | 8 byte skbp   |     |
+- * R15+170 -> +---------------+     |
++ * R15+176 -> +---------------+     |
+  *          | 8 byte hlen   |     |
+  * R15+168 -> +---------------+     |
+  *          | 4 byte align  |     |
+@@ -58,7 +58,7 @@ extern u8 sk_load_word[], sk_load_half[]
+ #define STK_OFF               (STK_SPACE - STK_160_UNUSED)
+ #define STK_OFF_TMP   160     /* Offset of tmp buffer on stack */
+ #define STK_OFF_HLEN  168     /* Offset of SKB header length on stack */
+-#define STK_OFF_SKBP  170     /* Offset of SKB pointer on stack */
++#define STK_OFF_SKBP  176     /* Offset of SKB pointer on stack */
+ #define STK_OFF_R6    (160 - 11 * 8)  /* Offset of r6 on stack */
+ #define STK_OFF_TCCNT (160 - 12 * 8)  /* Offset of tail_call_cnt on stack */
+--- a/arch/s390/net/bpf_jit_comp.c
++++ b/arch/s390/net/bpf_jit_comp.c
+@@ -446,7 +446,7 @@ static void bpf_jit_prologue(struct bpf_
+               emit_load_skb_data_hlen(jit);
+       if (jit->seen & SEEN_SKB_CHANGE)
+               /* stg %b1,ST_OFF_SKBP(%r0,%r15) */
+-              EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0, REG_15,
++              EMIT6_DISP_LH(0xe3000000, 0x0024, BPF_REG_1, REG_0, REG_15,
+                             STK_OFF_SKBP);
+       /* Clear A (%b0) and X (%b7) registers for converted BPF programs */
+       if (is_classic) {
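Review bot: `STK_OFF_SKBP` in bpf_jit.h is still a bare literal that has to agree with the layout diagram by hand, and the old value 170 put the 8-byte store inside the 8-byte hlen slot at 168. Deriving it from its neighbour, `#define STK_OFF_SKBP (STK_OFF_HLEN + 8) /* Offset of SKB pointer on stack */`, follows the arithmetic style already used for `STK_OFF_R6` and makes the non-overlap explicit. In bpf_jit_comp.c the context comment reads `ST_OFF_SKBP` while the macro is `STK_OFF_SKBP`; it should be `/* stg %b1,STK_OFF_SKBP(%r0,%r15) */`. bpf_jit_prologue() continues outside the hunk.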
diff --git a/queue-4.4/s390-bpf-reduce-maximum-program-size-to-64-kb.patch b/queue-4.4/s390-bpf-reduce-maximum-program-size-to-64-kb.patch
new file mode 100644 (file)
index 0000000..e53d9c1
--- /dev/null
@@ -0,0 +1,38 @@
+From 0fa963553a5c28d8f8aabd8878326d3f782045fc Mon Sep 17 00:00:00 2001
+From: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+Date: Thu, 12 May 2016 18:10:48 +0200
+Subject: s390/bpf: reduce maximum program size to 64 KB
+
+From: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+
+commit 0fa963553a5c28d8f8aabd8878326d3f782045fc upstream.
+
+The s390 BFP compiler currently uses relative branch instructions
+that only support jumps up to 64 KB. Examples are "j", "jnz", "cgrj",
+etc.  Currently the maximum size of s390 BPF programs is set
+to 0x7ffff.  If branches over 64 KB are generated the, kernel can
+crash due to incorrect code.
+
+So fix this an reduce the maximum size to 64 KB. Programs larger than
+that will be interpreted.
+
+Fixes: ce2b6ad9c185 ("s390/bpf: increase BPF_SIZE_MAX")
+Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/net/bpf_jit_comp.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/net/bpf_jit_comp.c
++++ b/arch/s390/net/bpf_jit_comp.c
+@@ -45,7 +45,7 @@ struct bpf_jit {
+       int labels[1];          /* Labels for local jumps */
+ };
+-#define BPF_SIZE_MAX  0x7ffff /* Max size for program (20 bit signed displ) */
++#define BPF_SIZE_MAX  0xffff  /* Max size for program (16 bit branches) */
+ #define SEEN_SKB      1       /* skb access */
+ #define SEEN_MEM      2       /* use mem[] for temporary storage */
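Review bot: The new comment on `BPF_SIZE_MAX`, `(16 bit branches)`, does not say which instructions impose the limit or what happens above it, although the commit message states both. Something like `/* Max size for program: relative branches (j, jnz, cgrj, ...) reach at most 64 KB; larger programs are interpreted */` would make it less likely that the constant is raised again, as it was in ce2b6ad9c185. Where the limit is compared against the generated size is not visible in this hunk, so the boundary case (a program of exactly 0xffff bytes) is worth checking there.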
diff --git a/queue-4.4/sched-panic-on-corrupted-stack-end.patch b/queue-4.4/sched-panic-on-corrupted-stack-end.patch
new file mode 100644 (file)
index 0000000..8e07ca1
--- /dev/null
@@ -0,0 +1,37 @@
+From 29d6455178a09e1dc340380c582b13356227e8df Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 1 Jun 2016 11:55:07 +0200
+Subject: sched: panic on corrupted stack end
+
+From: Jann Horn <jannh@google.com>
+
+commit 29d6455178a09e1dc340380c582b13356227e8df upstream.
+
+Until now, hitting this BUG_ON caused a recursive oops (because oops
+handling involves do_exit(), which calls into the scheduler, which in
+turn raises an oops), which caused stuff below the stack to be
+overwritten until a panic happened (e.g.  via an oops in interrupt
+context, caused by the overwritten CPU index in the thread_info).
+
+Just panic directly.
+
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/core.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -3008,7 +3008,8 @@ static noinline void __schedule_bug(stru
+ static inline void schedule_debug(struct task_struct *prev)
+ {
+ #ifdef CONFIG_SCHED_STACK_END_CHECK
+-      BUG_ON(task_stack_end_corrupted(prev));
++      if (task_stack_end_corrupted(prev))
++              panic("corrupted stack end detected inside scheduler\n");
+ #endif
+       if (unlikely(in_atomic_preempt_off())) {
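Review bot: The `panic()` in schedule_debug() replaces a `BUG_ON()` for a reason that exists only in the commit message, so a later cleanup could plausibly turn it back into `BUG_ON()` and bring back the recursive oops that overwrites memory below the stack. A short comment above the check would prevent that, e.g. `/* panic rather than BUG: oops handling calls do_exit(), which re-enters the scheduler and oopses again */`. The message string also ends in `\n`; whether panic() in this tree appends its own line ending is not visible here, so check for a doubled line break in the log. schedule_debug() continues past the end of the hunk.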
index c206ed31ee2ac4099d2193c46af9a21d62778a75..8858b271643bdc3f3471ff1f7085d7594db3ca72 100644 (file)
@@ -19,3 +19,32 @@ ipv6-skip-xfrm-lookup-if-dst_entry-in-socket-cache-is-valid.patch
 vxlan-relax-mtu-constraints.patch
 geneve-relax-mtu-constraints.patch
 vxlan-gre-geneve-set-a-large-mtu-on-ovs-created-tunnel-devices.patch
+kvm-x86-fix-oops-after-invalid-kvm_set_debugregs.patch
+kvm-irqfd-fix-null-pointer-dereference-in-kvm_irq_map_gsi.patch
+alsa-hda-add-pci-id-for-kabylake.patch
+alsa-hda-fix-headset-mic-detection-problem-for-dell-machine.patch
+alsa-hda-realtek-alc256-speaker-noise-issue.patch
+alsa-hda-realtek-add-support-for-new-codecs-alc700-alc701-alc703.patch
+alsa-hda-realtek-add-t560-docking-unit-fixup.patch
+arm-fix-ptrace_setvfpregs-on-smp-systems.patch
+gpio-bcm-kona-fix-bcm_kona_gpio_reset-warnings.patch
+s390-bpf-fix-recache-skb-data-hlen-for-skb_vlan_push-pop.patch
+s390-bpf-reduce-maximum-program-size-to-64-kb.patch
+irqchip-gic-v3-fix-icc_sgi1r_el1.intid-decoding-mask.patch
+crypto-public_key-select-crypto_akcipher.patch
+crypto-ccp-fix-aes-xts-error-for-request-sizes-above-4096.patch
+arm64-provide-model-name-in-proc-cpuinfo-for-per_linux32-tasks.patch
+arm64-mm-always-take-dirty-state-from-new-pte-in-ptep_set_access_flags.patch
+powerpc-pseries-eeh-handle-rtas-delay-requests-in-configure_bridge.patch
+powerpc-fix-definition-of-siar-and-sdar-registers.patch
+powerpc-use-privileged-spr-number-for-mmcr2.patch
+powerpc-pseries-add-power8nvl-support-to-ibm-client-architecture-support-call.patch
+pinctrl-mediatek-fix-dual-edge-code-defect.patch
+parisc-fix-pagefault-crash-in-unaligned-__get_user-call.patch
+memcg-add-rcu-locking-around-css_for_each_descendant_pre-in-memcg_offline_kmem.patch
+ecryptfs-forbid-opening-files-without-mmap-handler.patch
+wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch
+x86-entry-traps-don-t-force-in_interrupt-to-return-true-in-ist-handlers.patch
+proc-prevent-stacking-filesystems-on-top.patch
+sched-panic-on-corrupted-stack-end.patch
+fix-d_walk-non-delayed-__d_free-race.patch
diff --git a/queue-4.4/wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch b/queue-4.4/wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch
new file mode 100644 (file)
index 0000000..36ed2c5
--- /dev/null
@@ -0,0 +1,68 @@
+From 3d5fdff46c4b2b9534fa2f9fc78e90a48e0ff724 Mon Sep 17 00:00:00 2001
+From: Prasun Maiti <prasunmaiti87@gmail.com>
+Date: Mon, 6 Jun 2016 20:04:19 +0530
+Subject: wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel
+
+From: Prasun Maiti <prasunmaiti87@gmail.com>
+
+commit 3d5fdff46c4b2b9534fa2f9fc78e90a48e0ff724 upstream.
+
+iwpriv app uses iw_point structure to send data to Kernel. The iw_point
+structure holds a pointer. For compatibility Kernel converts the pointer
+as required for WEXT IOCTLs (SIOCIWFIRST to SIOCIWLAST). Some drivers
+may use iw_handler_def.private_args to populate iwpriv commands instead
+of iw_handler_def.private. For those case, the IOCTLs from
+SIOCIWFIRSTPRIV to SIOCIWLASTPRIV will follow the path ndo_do_ioctl().
+Accordingly when the filled up iw_point structure comes from 32 bit
+iwpriv to 64 bit Kernel, Kernel will not convert the pointer and sends
+it to driver. So, the driver may get the invalid data.
+
+The pointer conversion for the IOCTLs (SIOCIWFIRSTPRIV to
+SIOCIWLASTPRIV), which follow the path ndo_do_ioctl(), is mandatory.
+This patch adds pointer conversion from 32 bit to 64 bit and vice versa,
+if the ioctl comes from 32 bit iwpriv to 64 bit Kernel.
+
+Signed-off-by: Prasun Maiti <prasunmaiti87@gmail.com>
+Signed-off-by: Ujjal Roy <royujjal@gmail.com>
+Tested-by: Dibyajyoti Ghosh <dibyajyotig@gmail.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/wext-core.c |   25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+--- a/net/wireless/wext-core.c
++++ b/net/wireless/wext-core.c
+@@ -955,8 +955,29 @@ static int wireless_process_ioctl(struct
+                       return private(dev, iwr, cmd, info, handler);
+       }
+       /* Old driver API : call driver ioctl handler */
+-      if (dev->netdev_ops->ndo_do_ioctl)
+-              return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
++      if (dev->netdev_ops->ndo_do_ioctl) {
++#ifdef CONFIG_COMPAT
++              if (info->flags & IW_REQUEST_FLAG_COMPAT) {
++                      int ret = 0;
++                      struct iwreq iwr_lcl;
++                      struct compat_iw_point *iwp_compat = (void *) &iwr->u.data;
++
++                      memcpy(&iwr_lcl, iwr, sizeof(struct iwreq));
++                      iwr_lcl.u.data.pointer = compat_ptr(iwp_compat->pointer);
++                      iwr_lcl.u.data.length = iwp_compat->length;
++                      iwr_lcl.u.data.flags = iwp_compat->flags;
++
++                      ret = dev->netdev_ops->ndo_do_ioctl(dev, (void *) &iwr_lcl, cmd);
++
++                      iwp_compat->pointer = ptr_to_compat(iwr_lcl.u.data.pointer);
++                      iwp_compat->length = iwr_lcl.u.data.length;
++                      iwp_compat->flags = iwr_lcl.u.data.flags;
++
++                      return ret;
++              } else
++#endif
++                      return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
++      }
+       return -EOPNOTSUPP;
+ }
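Review bot: The compat branch in wireless_process_ioctl() reinterprets `iwr->u.data` as a `compat_iw_point` for every command that reaches `ndo_do_ioctl`, although the commit message limits the problem to SIOCIWFIRSTPRIV..SIOCIWLASTPRIV. For a request whose payload is stored inline in the union rather than behind a pointer, the copy-in and the write-back through `iwp_compat` would alter data the driver then trusts. Whether such commands can reach this point depends on code above the hunk, and a driver's private commands may presumably take inline arguments too. Narrowing the condition would at least match the stated intent: `if ((info->flags & IW_REQUEST_FLAG_COMPAT) && cmd >= SIOCIWFIRSTPRIV && cmd <= SIOCIWLASTPRIV) {`. The `else` left dangling before `#endif` is also easy to misread; braces on both arms would help.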
diff --git a/queue-4.4/x86-entry-traps-don-t-force-in_interrupt-to-return-true-in-ist-handlers.patch b/queue-4.4/x86-entry-traps-don-t-force-in_interrupt-to-return-true-in-ist-handlers.patch
new file mode 100644 (file)
index 0000000..47c4c0c
--- /dev/null
@@ -0,0 +1,96 @@
+From aaee8c3c5cce2d9107310dd9f3026b4f901d441c Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Tue, 24 May 2016 15:54:04 -0700
+Subject: x86/entry/traps: Don't force in_interrupt() to return true in IST handlers
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit aaee8c3c5cce2d9107310dd9f3026b4f901d441c upstream.
+
+Forcing in_interrupt() to return true if we're not in a bona fide
+interrupt confuses the softirq code.  This fixes warnings like:
+
+  NOHZ: local_softirq_pending 282
+
+... which can happen when running things like selftests/x86.
+
+This will change perf's static percpu buffer usage in IST context.
+I think this is okay, and it's changing the behavior to match
+historical (pre-4.0) behavior.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 959274753857 ("x86, traps: Track entry into and exit from IST context")
+Link: http://lkml.kernel.org/r/cdc215f94d118d691d73df35275022331156fb45.1464130360.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/traps.c |   20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/arch/x86/kernel/traps.c
++++ b/arch/x86/kernel/traps.c
+@@ -109,6 +109,12 @@ static inline void preempt_conditional_c
+       preempt_count_dec();
+ }
++/*
++ * In IST context, we explicitly disable preemption.  This serves two
++ * purposes: it makes it much less likely that we would accidentally
++ * schedule in IST context and it will force a warning if we somehow
++ * manage to schedule by accident.
++ */
+ void ist_enter(struct pt_regs *regs)
+ {
+       if (user_mode(regs)) {
+@@ -123,13 +129,7 @@ void ist_enter(struct pt_regs *regs)
+               rcu_nmi_enter();
+       }
+-      /*
+-       * We are atomic because we're on the IST stack; or we're on
+-       * x86_32, in which case we still shouldn't schedule; or we're
+-       * on x86_64 and entered from user mode, in which case we're
+-       * still atomic unless ist_begin_non_atomic is called.
+-       */
+-      preempt_count_add(HARDIRQ_OFFSET);
++      preempt_disable();
+       /* This code is a bit fragile.  Test it. */
+       RCU_LOCKDEP_WARN(!rcu_is_watching(), "ist_enter didn't work");
+@@ -137,7 +137,7 @@ void ist_enter(struct pt_regs *regs)
+ void ist_exit(struct pt_regs *regs)
+ {
+-      preempt_count_sub(HARDIRQ_OFFSET);
++      preempt_enable_no_resched();
+       if (!user_mode(regs))
+               rcu_nmi_exit();
+@@ -168,7 +168,7 @@ void ist_begin_non_atomic(struct pt_regs
+       BUG_ON((unsigned long)(current_top_of_stack() -
+                              current_stack_pointer()) >= THREAD_SIZE);
+-      preempt_count_sub(HARDIRQ_OFFSET);
++      preempt_enable_no_resched();
+ }
+ /**
+@@ -178,7 +178,7 @@ void ist_begin_non_atomic(struct pt_regs
+  */
+ void ist_end_non_atomic(void)
+ {
+-      preempt_count_add(HARDIRQ_OFFSET);
++      preempt_disable();
+ }
+ static nokprobe_inline int