4.8-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 15 Nov 2016 19:09:46 +0000 (20:09 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 15 Nov 2016 19:09:46 +0000 (20:09 +0100)
added patches:
arc-implement-arch-specific-dma_map_ops.mmap.patch
arc-timer-rtc-implement-read-loop-in-c-vs.-inline-asm.patch
cdc-acm-fix-uninitialized-variable.patch
clk-qoriq-don-t-allow-cpu-clocks-higher-than-starting-value.patch
coredump-fix-unfreezable-coredumping-task.patch
cpupower-correct-return-type-of-cpu_power_is_cpu_online-in-cpufreq-set.patch
drbd-fix-kernel_sendmsg-usage-potential-null-deref.patch
drivers-staging-nvec-remove-bogus-reset-command-for-ps-2-interface.patch
drm-amdgpu-disable-runtime-pm-in-certain-cases.patch
drm-amdgpu-fix-crash-in-acp_hw_fini.patch
drm-i915-dp-bdw-cdclk-fix-for-dp-audio.patch
drm-i915-dp-extend-bdw-dp-audio-workaround-to-gen9-platforms.patch
drm-i915-respect-alternate_ddc_pin-for-all-ddi-ports.patch
drm-radeon-disable-runtime-pm-in-certain-cases.patch
iio-hid-sensors-increase-the-precision-of-scale-to-fix-wrong-reading-interpretation.patch
iio-orientation-hid-sensor-rotation-add-pm-function-fix-non-working-driver.patch
iio-st_sensors-fix-scale-configuration-for-h3lis331dl.patch
kvm-arm-arm64-vgic-prevent-access-to-invalid-spis.patch
mm-frontswap-make-sure-allocated-frontswap-map-is-assigned.patch
mm-hugetlb-fix-huge-page-reservation-leak-in-private-mapping-error-paths.patch
mm-hwpoison-fix-thp-split-handling-in-memory_failure.patch
mmc-mmc-use-500ms-as-the-default-generic-cmd6-timeout.patch
mmc-sdhci-fix-cmd-line-reset-interfering-with-ongoing-data-transfer.patch
mmc-sdhci-fix-unexpected-data-interrupt-handling.patch
pci-don-t-attempt-to-claim-shadow-copies-of-rom.patch
pinctrl-cherryview-prevent-possible-interrupt-storm-on-resume.patch
pinctrl-cherryview-serialize-register-access-in-suspend-resume.patch
revert-staging-nvec-ps2-change-serio-type-to-passthrough.patch
s390-hypfs-use-get_free_page-instead-of-kmalloc-to-ensure-page-alignment.patch
scsi-mpt3sas-fix-for-block-device-of-raid-exists-even-after-deleting-raid-disk.patch
scsi-qla2xxx-fix-scsi-scan-hang-triggered-if-adapter-fails-during-init.patch
scsi-scsi_dh_alua-fix-a-reference-counting-bug.patch
scsi-scsi_dh_alua-fix-missing-kref_put-in-alua_rtpg_work.patch
shmem-fix-pageflags-after-swapping-dma32-object.patch
staging-comedi-ni_tio-fix-buggy-ni_tio_clock_period_ps-return-value.patch
staging-iio-ad5933-avoid-uninitialized-variable-in-error-case.patch
staging-nvec-remove-managed-resource-from-ps2-driver.patch
staging-sm750fb-fix-bugs-introduced-by-early-commits.patch
swapfile-fix-memory-corruption-via-malformed-swapfile.patch
toshiba-wmi-fix-loading-the-driver-on-non-toshiba-laptops.patch
usb-cdc-acm-fix-tiocmiwait.patch
usb-dwc3-fix-error-handling-for-core-init.patch
usb-gadget-u_ether-remove-interrupt-throttling.patch

44 files changed:
queue-4.8/arc-implement-arch-specific-dma_map_ops.mmap.patch [new file with mode: 0644]
queue-4.8/arc-timer-rtc-implement-read-loop-in-c-vs.-inline-asm.patch [new file with mode: 0644]
queue-4.8/cdc-acm-fix-uninitialized-variable.patch [new file with mode: 0644]
queue-4.8/clk-qoriq-don-t-allow-cpu-clocks-higher-than-starting-value.patch [new file with mode: 0644]
queue-4.8/coredump-fix-unfreezable-coredumping-task.patch [new file with mode: 0644]
queue-4.8/cpupower-correct-return-type-of-cpu_power_is_cpu_online-in-cpufreq-set.patch [new file with mode: 0644]
queue-4.8/drbd-fix-kernel_sendmsg-usage-potential-null-deref.patch [new file with mode: 0644]
queue-4.8/drivers-staging-nvec-remove-bogus-reset-command-for-ps-2-interface.patch [new file with mode: 0644]
queue-4.8/drm-amdgpu-disable-runtime-pm-in-certain-cases.patch [new file with mode: 0644]
queue-4.8/drm-amdgpu-fix-crash-in-acp_hw_fini.patch [new file with mode: 0644]
queue-4.8/drm-i915-dp-bdw-cdclk-fix-for-dp-audio.patch [new file with mode: 0644]
queue-4.8/drm-i915-dp-extend-bdw-dp-audio-workaround-to-gen9-platforms.patch [new file with mode: 0644]
queue-4.8/drm-i915-respect-alternate_ddc_pin-for-all-ddi-ports.patch [new file with mode: 0644]
queue-4.8/drm-radeon-disable-runtime-pm-in-certain-cases.patch [new file with mode: 0644]
queue-4.8/iio-hid-sensors-increase-the-precision-of-scale-to-fix-wrong-reading-interpretation.patch [new file with mode: 0644]
queue-4.8/iio-orientation-hid-sensor-rotation-add-pm-function-fix-non-working-driver.patch [new file with mode: 0644]
queue-4.8/iio-st_sensors-fix-scale-configuration-for-h3lis331dl.patch [new file with mode: 0644]
queue-4.8/kvm-arm-arm64-vgic-prevent-access-to-invalid-spis.patch [new file with mode: 0644]
queue-4.8/mm-frontswap-make-sure-allocated-frontswap-map-is-assigned.patch [new file with mode: 0644]
queue-4.8/mm-hugetlb-fix-huge-page-reservation-leak-in-private-mapping-error-paths.patch [new file with mode: 0644]
queue-4.8/mm-hwpoison-fix-thp-split-handling-in-memory_failure.patch [new file with mode: 0644]
queue-4.8/mmc-mmc-use-500ms-as-the-default-generic-cmd6-timeout.patch [new file with mode: 0644]
queue-4.8/mmc-sdhci-fix-cmd-line-reset-interfering-with-ongoing-data-transfer.patch [new file with mode: 0644]
queue-4.8/mmc-sdhci-fix-unexpected-data-interrupt-handling.patch [new file with mode: 0644]
queue-4.8/pci-don-t-attempt-to-claim-shadow-copies-of-rom.patch [new file with mode: 0644]
queue-4.8/pinctrl-cherryview-prevent-possible-interrupt-storm-on-resume.patch [new file with mode: 0644]
queue-4.8/pinctrl-cherryview-serialize-register-access-in-suspend-resume.patch [new file with mode: 0644]
queue-4.8/revert-staging-nvec-ps2-change-serio-type-to-passthrough.patch [new file with mode: 0644]
queue-4.8/s390-hypfs-use-get_free_page-instead-of-kmalloc-to-ensure-page-alignment.patch [new file with mode: 0644]
queue-4.8/scsi-mpt3sas-fix-for-block-device-of-raid-exists-even-after-deleting-raid-disk.patch [new file with mode: 0644]
queue-4.8/scsi-qla2xxx-fix-scsi-scan-hang-triggered-if-adapter-fails-during-init.patch [new file with mode: 0644]
queue-4.8/scsi-scsi_dh_alua-fix-a-reference-counting-bug.patch [new file with mode: 0644]
queue-4.8/scsi-scsi_dh_alua-fix-missing-kref_put-in-alua_rtpg_work.patch [new file with mode: 0644]
queue-4.8/series
queue-4.8/shmem-fix-pageflags-after-swapping-dma32-object.patch [new file with mode: 0644]
queue-4.8/staging-comedi-ni_tio-fix-buggy-ni_tio_clock_period_ps-return-value.patch [new file with mode: 0644]
queue-4.8/staging-iio-ad5933-avoid-uninitialized-variable-in-error-case.patch [new file with mode: 0644]
queue-4.8/staging-nvec-remove-managed-resource-from-ps2-driver.patch [new file with mode: 0644]
queue-4.8/staging-sm750fb-fix-bugs-introduced-by-early-commits.patch [new file with mode: 0644]
queue-4.8/swapfile-fix-memory-corruption-via-malformed-swapfile.patch [new file with mode: 0644]
queue-4.8/toshiba-wmi-fix-loading-the-driver-on-non-toshiba-laptops.patch [new file with mode: 0644]
queue-4.8/usb-cdc-acm-fix-tiocmiwait.patch [new file with mode: 0644]
queue-4.8/usb-dwc3-fix-error-handling-for-core-init.patch [new file with mode: 0644]
queue-4.8/usb-gadget-u_ether-remove-interrupt-throttling.patch [new file with mode: 0644]

diff --git a/queue-4.8/arc-implement-arch-specific-dma_map_ops.mmap.patch b/queue-4.8/arc-implement-arch-specific-dma_map_ops.mmap.patch
new file mode 100644 (file)
index 0000000..7170b0a
--- /dev/null
@@ -0,0 +1,78 @@
+From a79a812131b07254c09cf325ec68c0d05aaed0b5 Mon Sep 17 00:00:00 2001
+From: Alexey Brodkin <abrodkin@synopsys.com>
+Date: Thu, 3 Nov 2016 18:06:13 +0300
+Subject: arc: Implement arch-specific dma_map_ops.mmap
+
+From: Alexey Brodkin <abrodkin@synopsys.com>
+
+commit a79a812131b07254c09cf325ec68c0d05aaed0b5 upstream.
+
+We used to use generic implementation of dma_map_ops.mmap which is
+dma_common_mmap() but that only worked for simpler cached mappings when
+vaddr = paddr.
+
+If a driver requests uncached DMA buffer kernel maps it to virtual
+address so that MMU gets involved and page uncached status takes into
+account. In that case usage of dma_common_mmap() lead to mapping of
+vaddr to vaddr for user-space which is obviously wrong. For more detals
+please refer to verbose explanation here [1].
+
+So here we implement our own version of mmap() which always deals
+with dma_addr and maps underlying memory to user-space properly
+(note that DMA buffer mapped to user-space is always uncached
+because there's no way to properly manage cache from user-space).
+
+[1] https://lkml.org/lkml/2016/10/26/973
+
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/mm/dma.c |   26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+--- a/arch/arc/mm/dma.c
++++ b/arch/arc/mm/dma.c
+@@ -105,6 +105,31 @@ static void arc_dma_free(struct device *
+       __free_pages(page, get_order(size));
+ }
++static int arc_dma_mmap(struct device *dev, struct vm_area_struct *vma,
++                      void *cpu_addr, dma_addr_t dma_addr, size_t size,
++                      unsigned long attrs)
++{
++      unsigned long user_count = vma_pages(vma);
++      unsigned long count = PAGE_ALIGN(size) >> PAGE_SHIFT;
++      unsigned long pfn = __phys_to_pfn(plat_dma_to_phys(dev, dma_addr));
++      unsigned long off = vma->vm_pgoff;
++      int ret = -ENXIO;
++
++      vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
++
++      if (dma_mmap_from_coherent(dev, vma, cpu_addr, size, &ret))
++              return ret;
++
++      if (off < count && user_count <= (count - off)) {
++              ret = remap_pfn_range(vma, vma->vm_start,
++                                    pfn + off,
++                                    user_count << PAGE_SHIFT,
++                                    vma->vm_page_prot);
++      }
++
++      return ret;
++}
++
+ /*
+  * streaming DMA Mapping API...
+  * CPU accesses page via normal paddr, thus needs to explicitly made
+@@ -193,6 +218,7 @@ static int arc_dma_supported(struct devi
+ struct dma_map_ops arc_dma_ops = {
+       .alloc                  = arc_dma_alloc,
+       .free                   = arc_dma_free,
++      .mmap                   = arc_dma_mmap,
+       .map_page               = arc_dma_map_page,
+       .map_sg                 = arc_dma_map_sg,
+       .sync_single_for_device = arc_dma_sync_single_for_device,
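Review bot: The bounds test `off < count && user_count <= (count - off)` in arc_dma_mmap() is the only thing keeping the caller-controlled vm_pgoff and vma length inside the DMA buffer, and it carries no comment. I would add `/* reject a vma that starts or extends past the buffer, so remap_pfn_range() cannot map neighbouring pages */` directly above it. When the test fails the function returns the initial -ENXIO silently, which is fine, but the comment should say that this is the intended rejection path. vm_page_prot is also switched to noncached before either check runs; that looks harmless because the mapping fails, but it is worth confirming.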
diff --git a/queue-4.8/arc-timer-rtc-implement-read-loop-in-c-vs.-inline-asm.patch b/queue-4.8/arc-timer-rtc-implement-read-loop-in-c-vs.-inline-asm.patch
new file mode 100644 (file)
index 0000000..95b8802
--- /dev/null
@@ -0,0 +1,52 @@
+From 922cc171998ac3dbe74d57011ef7ed57e9b0d7df Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Mon, 31 Oct 2016 14:09:52 -0700
+Subject: ARC: timer: rtc: implement read loop in "C" vs. inline asm
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+commit 922cc171998ac3dbe74d57011ef7ed57e9b0d7df upstream.
+
+The current code doesn't even compile as somehow the inline assembly
+can't see the register names defined as ARC_RTC_*
+I'm pretty sure It worked when I first got it merged, but the tools were
+definitely different then.
+
+So better to write this in "C" anyways.
+
+Acked-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/kernel/time.c |   19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+--- a/arch/arc/kernel/time.c
++++ b/arch/arc/kernel/time.c
+@@ -152,14 +152,17 @@ static cycle_t arc_read_rtc(struct clock
+               cycle_t  full;
+       } stamp;
+-
+-      __asm__ __volatile(
+-      "1:                                             \n"
+-      "       lr              %0, [AUX_RTC_LOW]       \n"
+-      "       lr              %1, [AUX_RTC_HIGH]      \n"
+-      "       lr              %2, [AUX_RTC_CTRL]      \n"
+-      "       bbit0.nt        %2, 31, 1b              \n"
+-      : "=r" (stamp.low), "=r" (stamp.high), "=r" (status));
++      /*
++       * hardware has an internal state machine which tracks readout of
++       * low/high and updates the CTRL.status if
++       *  - interrupt/exception taken between the two reads
++       *  - high increments after low has been read
++       */
++      do {
++              stamp.low = read_aux_reg(AUX_RTC_LOW);
++              stamp.high = read_aux_reg(AUX_RTC_HIGH);
++              status = read_aux_reg(AUX_RTC_CTRL);
++      } while (!(status & _BITUL(31)));
+       return stamp.full;
+ }
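Review bot: The retry condition `!(status & _BITUL(31))` uses a bare bit number, and the new comment does not say which value of CTRL.status marks a consistent low/high pair. From the loop, bit 31 being set appears to mean the readout was valid. The comment should state that, and the bit should get a named constant next to the AUX_RTC_* definitions. The loop also has no iteration bound, so it relies on the hardware eventually reporting a good status; a one-line remark on why that is safe would help. arc_read_rtc() begins outside this hunk.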
diff --git a/queue-4.8/cdc-acm-fix-uninitialized-variable.patch b/queue-4.8/cdc-acm-fix-uninitialized-variable.patch
new file mode 100644 (file)
index 0000000..4683ded
--- /dev/null
@@ -0,0 +1,49 @@
+From 7309aa847ead3fa561663b16779a0dde8c64cc7c Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Wed, 2 Nov 2016 14:42:52 +0100
+Subject: cdc-acm: fix uninitialized variable
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 7309aa847ead3fa561663b16779a0dde8c64cc7c upstream.
+
+variable struct usb_cdc_parsed_header h may be used
+uninitialized in acm_probe.
+
+In kernel 4.8.
+
+    /* handle quirks deadly to normal probing*/
+    if (quirks == NO_UNION_NORMAL)
+
+        ...
+
+        goto skip_normal_probe;
+    }
+
+we bypass call to
+
+    cdc_parse_cdc_header(&h, intf, buffer, buflen);
+
+but later use h in
+
+    if (h.usb_cdc_country_functional_desc) { /* export the country data */
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reported-by: Victor Sologoubov <victor0@rambler.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1173,6 +1173,8 @@ static int acm_probe(struct usb_interfac
+       if (quirks == IGNORE_DEVICE)
+               return -ENODEV;
++      memset(&h, 0x00, sizeof(struct usb_cdc_parsed_header));
++
+       num_rx_buf = (quirks == SINGLE_RX_URB) ? 1 : ACM_NR;
+       /* handle quirks deadly to normal probing*/
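Review bot: The added `memset(&h, 0x00, sizeof(struct usb_cdc_parsed_header));` spells out the type instead of taking the size from the object, so it would silently clear the wrong number of bytes if the declaration of `h` ever changed. I would write `memset(&h, 0, sizeof(h));`. A short comment such as `/* h is read after skip_normal_probe even when the header is never parsed */` would record why the clear is needed. The declaration of `h` and the rest of acm_probe() are outside this hunk.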
diff --git a/queue-4.8/clk-qoriq-don-t-allow-cpu-clocks-higher-than-starting-value.patch b/queue-4.8/clk-qoriq-don-t-allow-cpu-clocks-higher-than-starting-value.patch
new file mode 100644 (file)
index 0000000..0259095
--- /dev/null
@@ -0,0 +1,86 @@
+From 7c1c5413a7bdf1c9adc8d979521f1b8286366aef Mon Sep 17 00:00:00 2001
+From: Scott Wood <oss@buserror.net>
+Date: Mon, 17 Oct 2016 13:42:23 -0500
+Subject: clk: qoriq: Don't allow CPU clocks higher than starting value
+
+From: Scott Wood <oss@buserror.net>
+
+commit 7c1c5413a7bdf1c9adc8d979521f1b8286366aef upstream.
+
+The boot-time frequency of a CPU is considered its rated maximum, as we
+have no other source of such information.  However, this was previously
+only used for chips with 80% restrictions on secondary PLLs.  This
+usually wasn't a problem because most chips/configs boot with a divider
+of /1, with other dividers being used only for dynamic frequency
+reduction.  However, at least one config (LS1021A at less than 1 GHz)
+uses a different divider for top speed.  This was causing cpufreq to set
+a frequency beyond the chip's rated speed.
+
+This is fixed by applying a 100%-of-initial-speed limit to all CPU PLLs,
+similar to the existing 80% limit that only applied to some.
+
+Signed-off-by: Scott Wood <oss@buserror.net>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/clk-qoriq.c |   13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/clk/clk-qoriq.c
++++ b/drivers/clk/clk-qoriq.c
+@@ -700,6 +700,7 @@ static struct clk * __init create_mux_co
+                                            struct mux_hwclock *hwc,
+                                            const struct clk_ops *ops,
+                                            unsigned long min_rate,
++                                           unsigned long max_rate,
+                                            unsigned long pct80_rate,
+                                            const char *fmt, int idx)
+ {
+@@ -728,6 +729,8 @@ static struct clk * __init create_mux_co
+                       continue;
+               if (rate < min_rate)
+                       continue;
++              if (rate > max_rate)
++                      continue;
+               parent_names[j] = div->name;
+               hwc->parent_to_clksel[j] = i;
+@@ -759,7 +762,7 @@ static struct clk * __init create_one_cm
+       struct mux_hwclock *hwc;
+       const struct clockgen_pll_div *div;
+       unsigned long plat_rate, min_rate;
+-      u64 pct80_rate;
++      u64 max_rate, pct80_rate;
+       u32 clksel;
+       hwc = kzalloc(sizeof(*hwc), GFP_KERNEL);
+@@ -787,8 +790,8 @@ static struct clk * __init create_one_cm
+               return NULL;
+       }
+-      pct80_rate = clk_get_rate(div->clk);
+-      pct80_rate *= 8;
++      max_rate = clk_get_rate(div->clk);
++      pct80_rate = max_rate * 8;
+       do_div(pct80_rate, 10);
+       plat_rate = clk_get_rate(cg->pll[PLATFORM_PLL].div[PLL_DIV1].clk);
+@@ -798,7 +801,7 @@ static struct clk * __init create_one_cm
+       else
+               min_rate = plat_rate / 2;
+-      return create_mux_common(cg, hwc, &cmux_ops, min_rate,
++      return create_mux_common(cg, hwc, &cmux_ops, min_rate, max_rate,
+                                pct80_rate, "cg-cmux%d", idx);
+ }
+@@ -813,7 +816,7 @@ static struct clk * __init create_one_hw
+       hwc->reg = cg->regs + 0x20 * idx + 0x10;
+       hwc->info = cg->info.hwaccel[idx];
+-      return create_mux_common(cg, hwc, &hwaccel_ops, 0, 0,
++      return create_mux_common(cg, hwc, &hwaccel_ops, 0, ULONG_MAX, 0,
+                                "cg-hwaccel%d", idx);
+ }
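Review bot: In create_one_cmux(), `max_rate` is declared `u64` but handed to create_mux_common() as an `unsigned long` parameter, and nothing explains the mismatch. The wider type seems to exist only so that `pct80_rate = max_rate * 8;` is computed in 64 bits. The value itself comes from clk_get_rate(), so the narrowing at the call should be lossless. I would add `/* u64 so the *8 below cannot overflow on 32-bit; the value itself fits unsigned long */` at the declaration. The new `if (rate > max_rate) continue;` can also filter out every parent; whether create_mux_common() copes with an empty parent list is not visible in these hunks and should be checked.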
diff --git a/queue-4.8/coredump-fix-unfreezable-coredumping-task.patch b/queue-4.8/coredump-fix-unfreezable-coredumping-task.patch
new file mode 100644 (file)
index 0000000..dfba140
--- /dev/null
@@ -0,0 +1,57 @@
+From 70d78fe7c8b640b5acfad56ad341985b3810998a Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Date: Thu, 10 Nov 2016 10:46:38 -0800
+Subject: coredump: fix unfreezable coredumping task
+
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+
+commit 70d78fe7c8b640b5acfad56ad341985b3810998a upstream.
+
+It could be not possible to freeze coredumping task when it waits for
+'core_state->startup' completion, because threads are frozen in
+get_signal() before they got a chance to complete 'core_state->startup'.
+
+Inability to freeze a task during suspend will cause suspend to fail.
+Also CRIU uses cgroup freezer during dump operation.  So with an
+unfreezable task the CRIU dump will fail because it waits for a
+transition from 'FREEZING' to 'FROZEN' state which will never happen.
+
+Use freezer_do_not_count() to tell freezer to ignore coredumping task
+while it waits for core_state->startup completion.
+
+Link: http://lkml.kernel.org/r/1475225434-3753-1-git-send-email-aryabinin@virtuozzo.com
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Michal Hocko <mhocko@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/coredump.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/coredump.c
++++ b/fs/coredump.c
+@@ -1,6 +1,7 @@
+ #include <linux/slab.h>
+ #include <linux/file.h>
+ #include <linux/fdtable.h>
++#include <linux/freezer.h>
+ #include <linux/mm.h>
+ #include <linux/stat.h>
+ #include <linux/fcntl.h>
+@@ -423,7 +424,9 @@ static int coredump_wait(int exit_code,
+       if (core_waiters > 0) {
+               struct core_thread *ptr;
++              freezer_do_not_count();
+               wait_for_completion(&core_state->startup);
++              freezer_count();
+               /*
+                * Wait for all the threads to become inactive, so that
+                * all the thread context (extended register state, like
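Review bot: The new `freezer_do_not_count();` / `freezer_count();` pair around `wait_for_completion(&core_state->startup);` has no comment, and the reason for it is only in the commit message. I would add `/* the other threads may already be frozen in get_signal() and unable to complete ->startup, so the freezer must not wait for us here */` above the pair. Without it the two calls look removable to a later reader. coredump_wait() starts and ends outside this hunk.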
diff --git a/queue-4.8/cpupower-correct-return-type-of-cpu_power_is_cpu_online-in-cpufreq-set.patch b/queue-4.8/cpupower-correct-return-type-of-cpu_power_is_cpu_online-in-cpufreq-set.patch
new file mode 100644 (file)
index 0000000..835adf5
--- /dev/null
@@ -0,0 +1,50 @@
+From c25badc9ceb612c6cc227a6fc4b0aaf678e3bcf9 Mon Sep 17 00:00:00 2001
+From: Laura Abbott <labbott@redhat.com>
+Date: Wed, 19 Oct 2016 15:53:52 -0700
+Subject: cpupower: Correct return type of cpu_power_is_cpu_online() in cpufreq-set
+
+From: Laura Abbott <labbott@redhat.com>
+
+commit c25badc9ceb612c6cc227a6fc4b0aaf678e3bcf9 upstream.
+
+When converting to a shared library in ac5a181d065d ("cpupower: Add
+cpuidle parts into library"), cpu_freq_cpu_exists() was converted to
+cpupower_is_cpu_online(). cpu_req_cpu_exists() returned 0 on success and
+-ENOSYS on failure whereas cpupower_is_cpu_online returns 1 on success.
+Check for the correct return value in cpufreq-set.
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=1374212
+Fixes: ac5a181d065d (cpupower: Add cpuidle parts into library)
+Reported-by: Julian Seward <jseward@acm.org>
+Signed-off-by: Laura Abbott <labbott@redhat.com>
+Acked-by: Thomas Renninger <trenn@suse.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/power/cpupower/utils/cpufreq-set.c |    7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/tools/power/cpupower/utils/cpufreq-set.c
++++ b/tools/power/cpupower/utils/cpufreq-set.c
+@@ -296,7 +296,7 @@ int cmd_freq_set(int argc, char **argv)
+                       struct cpufreq_affected_cpus *cpus;
+                       if (!bitmask_isbitset(cpus_chosen, cpu) ||
+-                          cpupower_is_cpu_online(cpu))
++                          cpupower_is_cpu_online(cpu) != 1)
+                               continue;
+                       cpus = cpufreq_get_related_cpus(cpu);
+@@ -316,10 +316,7 @@ int cmd_freq_set(int argc, char **argv)
+            cpu <= bitmask_last(cpus_chosen); cpu++) {
+               if (!bitmask_isbitset(cpus_chosen, cpu) ||
+-                  cpupower_is_cpu_online(cpu))
+-                      continue;
+-
+-              if (cpupower_is_cpu_online(cpu) != 1)
++                  cpupower_is_cpu_online(cpu) != 1)
+                       continue;
+               printf(_("Setting cpu: %d\n"), cpu);
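Review bot: Both corrected conditions compare `cpupower_is_cpu_online(cpu) != 1` without stating the return convention, and a misreading of that convention is what caused the original bug. A comment at the first occurrence, `/* cpupower_is_cpu_online() returns 1 only for an online CPU */`, would keep the two loops from drifting again. A chosen CPU that is offline is still skipped by `continue` without any message, as far as these hunks show; it is worth confirming that is intended. cmd_freq_set() extends beyond both hunks.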
diff --git a/queue-4.8/drbd-fix-kernel_sendmsg-usage-potential-null-deref.patch b/queue-4.8/drbd-fix-kernel_sendmsg-usage-potential-null-deref.patch
new file mode 100644 (file)
index 0000000..908f039
--- /dev/null
@@ -0,0 +1,77 @@
+From d8e9e5e80e882b4f90cba7edf1e6cb7376e52e54 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Wed, 9 Nov 2016 22:52:58 +0100
+Subject: drbd: Fix kernel_sendmsg() usage - potential NULL deref
+
+From: Richard Weinberger <richard@nod.at>
+
+commit d8e9e5e80e882b4f90cba7edf1e6cb7376e52e54 upstream.
+
+Don't pass a size larger than iov_len to kernel_sendmsg().
+Otherwise it will cause a NULL pointer deref when kernel_sendmsg()
+returns with rv < size.
+
+DRBD as external module has been around in the kernel 2.4 days already.
+We used to be compatible to 2.4 and very early 2.6 kernels,
+we used to use
+ rv = sock_sendmsg(sock, &msg, iov.iov_len);
+then later changed to
+ rv = kernel_sendmsg(sock, &msg, &iov, 1, size);
+when we should have used
+ rv = kernel_sendmsg(sock, &msg, &iov, 1, iov.iov_len);
+
+tcp_sendmsg() used to totally ignore the size parameter.
+ 57be5bd ip: convert tcp_sendmsg() to iov_iter primitives
+changes that, and exposes our long standing error.
+
+Even with this error exposed, to trigger the bug, we would need to have
+an environment (config or otherwise) causing us to not use sendpage()
+for larger transfers, a failing connection, and have it fail "just at the
+right time".  Apparently that was unlikely enough for most, so this went
+unnoticed for years.
+
+Still, it is known to trigger at least some of these,
+and suspected for the others:
+[0] http://lists.linbit.com/pipermail/drbd-user/2016-July/023112.html
+[1] http://lists.linbit.com/pipermail/drbd-dev/2016-March/003362.html
+[2] https://forums.grsecurity.net/viewtopic.php?f=3&t=4546
+[3] https://ubuntuforums.org/showthread.php?t=2336150
+[4] http://e2.howsolveproblem.com/i/1175162/
+
+This should go into 4.9,
+and into all stable branches since and including v4.0,
+which is the first to contain the exposing change.
+
+It is correct for all stable branches older than that as well
+(which contain the DRBD driver; which is 2.6.33 and up).
+
+It requires a small "conflict" resolution for v4.4 and earlier, with v4.5
+we dropped the comment block immediately preceding the kernel_sendmsg().
+
+Fixes: b411b3637fa7 ("The DRBD driver")
+Cc: viro@zeniv.linux.org.uk
+Cc: christoph.lechleitner@iteg.at
+Cc: wolfgang.glas@iteg.at
+Reported-by: Christoph Lechleitner <christoph.lechleitner@iteg.at>
+Tested-by: Christoph Lechleitner <christoph.lechleitner@iteg.at>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+[changed oneliner to be "obvious" without context; more verbose message]
+Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/drbd/drbd_main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/block/drbd/drbd_main.c
++++ b/drivers/block/drbd/drbd_main.c
+@@ -1871,7 +1871,7 @@ int drbd_send(struct drbd_connection *co
+               drbd_update_congested(connection);
+       }
+       do {
+-              rv = kernel_sendmsg(sock, &msg, &iov, 1, size);
++              rv = kernel_sendmsg(sock, &msg, &iov, 1, iov.iov_len);
+               if (rv == -EAGAIN) {
+                       if (we_should_drop_the_connection(connection, sock))
+                               break;
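Review bot: The corrected call `kernel_sendmsg(sock, &msg, &iov, 1, iov.iov_len)` fixes the length, but nothing at the call site records the invariant that was violated. I would add `/* the size passed here must never exceed iov.iov_len */` above it so that a later refactor does not reintroduce `size`. How the loop advances `iov` after a short send is outside this hunk and should be read together with the change.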
diff --git a/queue-4.8/drivers-staging-nvec-remove-bogus-reset-command-for-ps-2-interface.patch b/queue-4.8/drivers-staging-nvec-remove-bogus-reset-command-for-ps-2-interface.patch
new file mode 100644 (file)
index 0000000..312768c
--- /dev/null
@@ -0,0 +1,44 @@
+From d8f8a74d5fece355d2234e1731231d1aebc66b38 Mon Sep 17 00:00:00 2001
+From: Paul Fertser <fercerpav@gmail.com>
+Date: Thu, 27 Oct 2016 17:22:08 +0300
+Subject: drivers: staging: nvec: remove bogus reset command for PS/2 interface
+
+From: Paul Fertser <fercerpav@gmail.com>
+
+commit d8f8a74d5fece355d2234e1731231d1aebc66b38 upstream.
+
+This command was sent behind serio's back and the answer to it was
+confusing atkbd probe function which lead to the elantech touchpad
+getting detected as a keyboard.
+
+To prevent this from happening just let every party do its part of the
+job.
+
+Signed-off-by: Paul Fertser <fercerpav@gmail.com>
+Acked-by: Marc Dietrich <marvin24@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/nvec/nvec_ps2.c |    4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/staging/nvec/nvec_ps2.c
++++ b/drivers/staging/nvec/nvec_ps2.c
+@@ -106,7 +106,6 @@ static int nvec_mouse_probe(struct platf
+ {
+       struct nvec_chip *nvec = dev_get_drvdata(pdev->dev.parent);
+       struct serio *ser_dev;
+-      char mouse_reset[] = { NVEC_PS2, SEND_COMMAND, PSMOUSE_RST, 3 };
+       ser_dev = devm_kzalloc(&pdev->dev, sizeof(struct serio), GFP_KERNEL);
+       if (!ser_dev)
+@@ -127,9 +126,6 @@ static int nvec_mouse_probe(struct platf
+       serio_register_port(ser_dev);
+-      /* mouse reset */
+-      nvec_write_async(nvec, mouse_reset, sizeof(mouse_reset));
+-
+       return 0;
+ }
diff --git a/queue-4.8/drm-amdgpu-disable-runtime-pm-in-certain-cases.patch b/queue-4.8/drm-amdgpu-disable-runtime-pm-in-certain-cases.patch
new file mode 100644 (file)
index 0000000..6179bda
--- /dev/null
@@ -0,0 +1,34 @@
+From 84b1528e8cef55274f0df20e93513b3060ce495a Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 31 Oct 2016 11:02:31 -0400
+Subject: drm/amdgpu: disable runtime pm in certain cases
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 84b1528e8cef55274f0df20e93513b3060ce495a upstream.
+
+If the platform does not support hybrid graphics or ATPX dGPU
+power control.
+
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+@@ -99,6 +99,8 @@ int amdgpu_driver_load_kms(struct drm_de
+       if ((amdgpu_runtime_pm != 0) &&
+           amdgpu_has_atpx() &&
++          (amdgpu_is_atpx_hybrid() ||
++           amdgpu_has_atpx_dgpu_power_cntl()) &&
+           ((flags & AMD_IS_APU) == 0))
+               flags |= AMD_IS_PX;
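Review bot: The condition that sets `AMD_IS_PX` now has four conjuncts with a nested `||` and no comment. I would add `/* runtime pm needs hybrid graphics or ATPX dGPU power control */` above the `if`, which is what the commit message says the two new calls test for. amdgpu_driver_load_kms() continues outside this hunk.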
diff --git a/queue-4.8/drm-amdgpu-fix-crash-in-acp_hw_fini.patch b/queue-4.8/drm-amdgpu-fix-crash-in-acp_hw_fini.patch
new file mode 100644 (file)
index 0000000..c48c5fb
--- /dev/null
@@ -0,0 +1,37 @@
+From 757124d95c42bb579d67df51e51789849929ee31 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Thu, 3 Nov 2016 17:47:51 -0400
+Subject: drm/amdgpu: fix crash in acp_hw_fini
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 757124d95c42bb579d67df51e51789849929ee31 upstream.
+
+On CZ/ST systems with AZ rather than ACP audio, we need to bail
+early in hw_fini since there is nothing to do.
+
+bug: https://bugs.freedesktop.org/show_bug.cgi?id=98276
+
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c
+@@ -395,9 +395,12 @@ static int acp_hw_fini(void *handle)
+ {
+       int i, ret;
+       struct device *dev;
+-
+       struct amdgpu_device *adev = (struct amdgpu_device *)handle;
++      /* return early if no ACP */
++      if (!adev->acp.acp_genpd)
++              return 0;
++
+       for (i = 0; i < ACP_DEVS ; i++) {
+               dev = get_mfd_cell_dev(adev->acp.acp_cell[i].name, i);
+               ret = pm_genpd_remove_device(&adev->acp.acp_genpd->gpd, dev);
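Review bot: The new guard `if (!adev->acp.acp_genpd) return 0;` relies on acp_genpd being NULL whenever ACP was never initialised, and the comment `/* return early if no ACP */` does not state that invariant. If acp_genpd is freed later in acp_hw_fini(), which this hunk does not show, the pointer should also be set to NULL there so that a repeated call takes this early return instead of dereferencing a stale pointer. In the loop below, `dev` from get_mfd_cell_dev() goes to pm_genpd_remove_device() with no NULL check visible in the hunk. That is context code rather than part of this change, but it sits on the same teardown path.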
diff --git a/queue-4.8/drm-i915-dp-bdw-cdclk-fix-for-dp-audio.patch b/queue-4.8/drm-i915-dp-bdw-cdclk-fix-for-dp-audio.patch
new file mode 100644 (file)
index 0000000..d0437ba
--- /dev/null
@@ -0,0 +1,88 @@
+From fbb21c5202ae7f1e71e832b1af59fb047da6383e Mon Sep 17 00:00:00 2001
+From: Dhinakaran Pandiyan <dhinakaran.pandiyan@intel.com>
+Date: Tue, 1 Nov 2016 11:47:59 -0700
+Subject: drm/i915/dp: BDW cdclk fix for DP audio
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dhinakaran Pandiyan <dhinakaran.pandiyan@intel.com>
+
+commit fbb21c5202ae7f1e71e832b1af59fb047da6383e upstream.
+
+According to BSpec, cdclk for BDW has to be not less than 432 MHz with DP
+audio enabled, port width x4, and link rate HBR2 (5.4 GHz). With cdclk less
+than 432 MHz, enabling audio leads to pipe FIFO underruns and displays
+cycling on/off.
+
+From BSpec:
+"Display» BDW-SKL» dpr» [Register] DP_TP_CTL [BDW+,EXCLUDE(CHV)]
+Workaround : Do not use DisplayPort with CDCLK less than 432 MHz, audio
+enabled, port width x4, and link rate HBR2 (5.4 GHz), or else there may
+be audio corruption or screen corruption."
+
+Since, some DP configurations (e.g., MST) use port width x4 and HBR2
+link rate, let's increase the cdclk to >= 432 MHz to enable audio for those
+cases.
+
+v4: Changed commit message
+v3: Combine BDW pixel rate adjustments into a function (Jani)
+v2: Restrict fix to BDW
+    Retain the set cdclk across modesets (Ville)
+Signed-off-by: Dhinakaran Pandiyan <dhinakaran.pandiyan@intel.com>
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/1478026080-2925-1-git-send-email-dhinakaran.pandiyan@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+(cherry picked from commit b30ce9e0552aa017ac6f2243f3c2d8e36fe52e69)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+
+---
+ drivers/gpu/drm/i915/intel_display.c |   27 ++++++++++++++++++++++++---
+ 1 file changed, 24 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -9737,6 +9737,27 @@ static void bxt_modeset_commit_cdclk(str
+       bxt_set_cdclk(to_i915(dev), req_cdclk);
+ }
++static int bdw_adjust_min_pipe_pixel_rate(struct intel_crtc_state *crtc_state,
++                                        int pixel_rate)
++{
++      /* pixel rate mustn't exceed 95% of cdclk with IPS on BDW */
++      if (crtc_state->ips_enabled)
++              pixel_rate = DIV_ROUND_UP(pixel_rate * 100, 95);
++
++      /* BSpec says "Do not use DisplayPort with CDCLK less than
++       * 432 MHz, audio enabled, port width x4, and link rate
++       * HBR2 (5.4 GHz), or else there may be audio corruption or
++       * screen corruption."
++       */
++      if (intel_crtc_has_dp_encoder(crtc_state) &&
++          crtc_state->has_audio &&
++          crtc_state->port_clock >= 540000 &&
++          crtc_state->lane_count == 4)
++              pixel_rate = max(432000, pixel_rate);
++
++      return pixel_rate;
++}
++
+ /* compute the max rate for new configuration */
+ static int ilk_max_pixel_rate(struct drm_atomic_state *state)
+ {
+@@ -9762,9 +9783,9 @@ static int ilk_max_pixel_rate(struct drm
+               pixel_rate = ilk_pipe_pixel_rate(crtc_state);
+-              /* pixel rate mustn't exceed 95% of cdclk with IPS on BDW */
+-              if (IS_BROADWELL(dev_priv) && crtc_state->ips_enabled)
+-                      pixel_rate = DIV_ROUND_UP(pixel_rate * 100, 95);
++              if (IS_BROADWELL(dev_priv))
++                      pixel_rate = bdw_adjust_min_pipe_pixel_rate(crtc_state,
++                                                                  pixel_rate);
+               intel_state->min_pixclk[i] = pixel_rate;
+       }
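Review bot: The bare literals `540000` and `432000` in bdw_adjust_min_pipe_pixel_rate carry no unit, and how `540000` relates to the "5.4 GHz" in the quoted BSpec text is not obvious from the code. A short comment on each, such as `/* HBR2 link clock, in port_clock units */` and `/* minimum cdclk with DP audio */`, or two named constants, would make the comparison and the `max()` self-explanatory. Note also that `port_clock >= 540000` applies the floor to any link rate at or above HBR2, which is slightly broader than the BSpec wording; if that is intentional it deserves a word in the comment.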
diff --git a/queue-4.8/drm-i915-dp-extend-bdw-dp-audio-workaround-to-gen9-platforms.patch b/queue-4.8/drm-i915-dp-extend-bdw-dp-audio-workaround-to-gen9-platforms.patch
new file mode 100644 (file)
index 0000000..3cb57cc
--- /dev/null
@@ -0,0 +1,56 @@
+From 61e0c5438866d0e737937fc35d752538960e1e9f Mon Sep 17 00:00:00 2001
+From: Dhinakaran Pandiyan <dhinakaran.pandiyan@intel.com>
+Date: Wed, 2 Nov 2016 13:13:21 -0700
+Subject: drm/i915/dp: Extend BDW DP audio workaround to GEN9 platforms
+
+From: Dhinakaran Pandiyan <dhinakaran.pandiyan@intel.com>
+
+commit 61e0c5438866d0e737937fc35d752538960e1e9f upstream.
+
+According to BSpec, cdclk for BDW has to be not less than 432 MHz with DP
+audio enabled, port width x4, and link rate HBR2 (5.4 GHz). With cdclk less
+than 432 MHz, enabling audio leads to pipe FIFO underruns and displays
+cycling on/off.
+
+Let's apply this work around to GEN9 platforms too, as it fixes the same
+issue.
+
+v2: Move drm_device to drm_i915_private conversion
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97907
+Cc: Libin Yang <libin.yang@linux.intel.com>
+Signed-off-by: Dhinakaran Pandiyan <dhinakaran.pandiyan@intel.com>
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/1478117601-19122-1-git-send-email-dhinakaran.pandiyan@intel.com
+(cherry picked from commit 9c7540241885838cfc7fa58c4a8bd75be0303ed1)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_display.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -9740,8 +9740,10 @@ static void bxt_modeset_commit_cdclk(str
+ static int bdw_adjust_min_pipe_pixel_rate(struct intel_crtc_state *crtc_state,
+                                         int pixel_rate)
+ {
++      struct drm_i915_private *dev_priv = to_i915(crtc_state->base.crtc->dev);
++
+       /* pixel rate mustn't exceed 95% of cdclk with IPS on BDW */
+-      if (crtc_state->ips_enabled)
++      if (IS_BROADWELL(dev_priv) && crtc_state->ips_enabled)
+               pixel_rate = DIV_ROUND_UP(pixel_rate * 100, 95);
+       /* BSpec says "Do not use DisplayPort with CDCLK less than
+@@ -9783,7 +9785,7 @@ static int ilk_max_pixel_rate(struct drm
+               pixel_rate = ilk_pipe_pixel_rate(crtc_state);
+-              if (IS_BROADWELL(dev_priv))
++              if (IS_BROADWELL(dev_priv) || IS_GEN9(dev_priv))
+                       pixel_rate = bdw_adjust_min_pipe_pixel_rate(crtc_state,
+                                                                   pixel_rate);
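Review bot: After this change bdw_adjust_min_pipe_pixel_rate is also called for GEN9, so its `bdw_` name no longer describes its callers, and only the IPS branch is still Broadwell-specific. A one-line comment above the DP-audio block, e.g. `/* applies to BDW and GEN9 */`, or a neutral function name, would stop the next reader from assuming the 432 MHz floor is Broadwell-only. The new `to_i915(crtc_state->base.crtc->dev)` also assumes `base.crtc` is set for every state passed in; that holds if the only caller is the loop in ilk_max_pixel_rate, which cannot be confirmed from the hunk.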
diff --git a/queue-4.8/drm-i915-respect-alternate_ddc_pin-for-all-ddi-ports.patch b/queue-4.8/drm-i915-respect-alternate_ddc_pin-for-all-ddi-ports.patch
new file mode 100644 (file)
index 0000000..33654a5
--- /dev/null
@@ -0,0 +1,163 @@
+From 8d83bc22b259e5526625b6d298f637786c71129f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Tue, 11 Oct 2016 20:52:46 +0300
+Subject: drm/i915: Respect alternate_ddc_pin for all DDI ports
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 8d83bc22b259e5526625b6d298f637786c71129f upstream.
+
+The VBT provides the platform a way to mix and match the DDI ports vs.
+GMBUS pins. Currently we only trust the VBT for DDI E, which I suppose
+has no standard GMBUS pin assignment. However, there are machines out
+there that use a non-standard mapping for the other ports as well.
+Let's start trusting the VBT on this one for all ports on DDI platforms.
+
+I've structured the code such that other platforms could easily start
+using this as well, by simply filling in the ddi_port_info. IIRC there
+may be CHV system that might actually need this.
+
+v2: Include a commit message, include a debug message during init
+
+Cc: Maarten Maathuis <madman2003@gmail.com>
+Tested-by: Maarten Maathuis <madman2003@gmail.com>
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97877
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/1476208368-5710-3-git-send-email-ville.syrjala@linux.intel.com
+Reviewed-by: Jim Bride <jim.bride@linux.intel.com>
+(cherry picked from commit e4ab73a13291fc844c9e24d5c347bd95818544d2)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_hdmi.c |   84 +++++++++++++++++++++-----------------
+ 1 file changed, 48 insertions(+), 36 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_hdmi.c
++++ b/drivers/gpu/drm/i915/intel_hdmi.c
+@@ -1759,6 +1759,50 @@ intel_hdmi_add_properties(struct intel_h
+       intel_hdmi->aspect_ratio = HDMI_PICTURE_ASPECT_NONE;
+ }
++static u8 intel_hdmi_ddc_pin(struct drm_i915_private *dev_priv,
++                           enum port port)
++{
++      const struct ddi_vbt_port_info *info =
++              &dev_priv->vbt.ddi_port_info[port];
++      u8 ddc_pin;
++
++      if (info->alternate_ddc_pin) {
++              DRM_DEBUG_KMS("Using DDC pin 0x%x for port %c (VBT)\n",
++                            info->alternate_ddc_pin, port_name(port));
++              return info->alternate_ddc_pin;
++      }
++
++      switch (port) {
++      case PORT_B:
++              if (IS_BROXTON(dev_priv))
++                      ddc_pin = GMBUS_PIN_1_BXT;
++              else
++                      ddc_pin = GMBUS_PIN_DPB;
++              break;
++      case PORT_C:
++              if (IS_BROXTON(dev_priv))
++                      ddc_pin = GMBUS_PIN_2_BXT;
++              else
++                      ddc_pin = GMBUS_PIN_DPC;
++              break;
++      case PORT_D:
++              if (IS_CHERRYVIEW(dev_priv))
++                      ddc_pin = GMBUS_PIN_DPD_CHV;
++              else
++                      ddc_pin = GMBUS_PIN_DPD;
++              break;
++      default:
++              MISSING_CASE(port);
++              ddc_pin = GMBUS_PIN_DPB;
++              break;
++      }
++
++      DRM_DEBUG_KMS("Using DDC pin 0x%x for port %c (platform default)\n",
++                    ddc_pin, port_name(port));
++
++      return ddc_pin;
++}
++
+ void intel_hdmi_init_connector(struct intel_digital_port *intel_dig_port,
+                              struct intel_connector *intel_connector)
+ {
+@@ -1768,7 +1812,6 @@ void intel_hdmi_init_connector(struct in
+       struct drm_device *dev = intel_encoder->base.dev;
+       struct drm_i915_private *dev_priv = to_i915(dev);
+       enum port port = intel_dig_port->port;
+-      uint8_t alternate_ddc_pin;
+       DRM_DEBUG_KMS("Adding HDMI connector on port %c\n",
+                     port_name(port));
+@@ -1786,12 +1829,10 @@ void intel_hdmi_init_connector(struct in
+       connector->doublescan_allowed = 0;
+       connector->stereo_allowed = 1;
++      intel_hdmi->ddc_bus = intel_hdmi_ddc_pin(dev_priv, port);
++
+       switch (port) {
+       case PORT_B:
+-              if (IS_BROXTON(dev_priv))
+-                      intel_hdmi->ddc_bus = GMBUS_PIN_1_BXT;
+-              else
+-                      intel_hdmi->ddc_bus = GMBUS_PIN_DPB;
+               /*
+                * On BXT A0/A1, sw needs to activate DDIA HPD logic and
+                * interrupts to check the external panel connection.
+@@ -1802,46 +1843,17 @@ void intel_hdmi_init_connector(struct in
+                       intel_encoder->hpd_pin = HPD_PORT_B;
+               break;
+       case PORT_C:
+-              if (IS_BROXTON(dev_priv))
+-                      intel_hdmi->ddc_bus = GMBUS_PIN_2_BXT;
+-              else
+-                      intel_hdmi->ddc_bus = GMBUS_PIN_DPC;
+               intel_encoder->hpd_pin = HPD_PORT_C;
+               break;
+       case PORT_D:
+-              if (WARN_ON(IS_BROXTON(dev_priv)))
+-                      intel_hdmi->ddc_bus = GMBUS_PIN_DISABLED;
+-              else if (IS_CHERRYVIEW(dev_priv))
+-                      intel_hdmi->ddc_bus = GMBUS_PIN_DPD_CHV;
+-              else
+-                      intel_hdmi->ddc_bus = GMBUS_PIN_DPD;
+               intel_encoder->hpd_pin = HPD_PORT_D;
+               break;
+       case PORT_E:
+-              /* On SKL PORT E doesn't have seperate GMBUS pin
+-               *  We rely on VBT to set a proper alternate GMBUS pin. */
+-              alternate_ddc_pin =
+-                      dev_priv->vbt.ddi_port_info[PORT_E].alternate_ddc_pin;
+-              switch (alternate_ddc_pin) {
+-              case DDC_PIN_B:
+-                      intel_hdmi->ddc_bus = GMBUS_PIN_DPB;
+-                      break;
+-              case DDC_PIN_C:
+-                      intel_hdmi->ddc_bus = GMBUS_PIN_DPC;
+-                      break;
+-              case DDC_PIN_D:
+-                      intel_hdmi->ddc_bus = GMBUS_PIN_DPD;
+-                      break;
+-              default:
+-                      MISSING_CASE(alternate_ddc_pin);
+-              }
+               intel_encoder->hpd_pin = HPD_PORT_E;
+               break;
+-      case PORT_A:
+-              intel_encoder->hpd_pin = HPD_PORT_A;
+-              /* Internal port only for eDP. */
+       default:
+-              BUG();
++              MISSING_CASE(port);
++              return;
+       }
+       if (IS_VALLEYVIEW(dev) || IS_CHERRYVIEW(dev)) {
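Review bot: intel_hdmi_ddc_pin returns `info->alternate_ddc_pin` straight from the VBT, whereas the removed PORT_E code accepted only DDC_PIN_B/C/D and translated each to a GMBUS pin. VBT contents are firmware-supplied, so unless the parser that fills `ddi_port_info` already validates the value (not visible here), an out-of-range pin now reaches `intel_hdmi->ddc_bus` unchecked. I would gate the VBT branch on validity, `if (info->alternate_ddc_pin && intel_gmbus_is_valid_pin(dev_priv, info->alternate_ddc_pin)) {`, and fall through to the platform default otherwise. Separately, PORT_D on Broxton used to hit `WARN_ON` and `GMBUS_PIN_DISABLED`; the helper now quietly returns `GMBUS_PIN_DPD` for it.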
diff --git a/queue-4.8/drm-radeon-disable-runtime-pm-in-certain-cases.patch b/queue-4.8/drm-radeon-disable-runtime-pm-in-certain-cases.patch
new file mode 100644 (file)
index 0000000..c903a5d
--- /dev/null
@@ -0,0 +1,54 @@
+From 066f1f0b4719eb4573ef09bfc63c2bbb6f7676ca Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 31 Oct 2016 10:41:49 -0400
+Subject: drm/radeon: disable runtime pm in certain cases
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 066f1f0b4719eb4573ef09bfc63c2bbb6f7676ca upstream.
+
+If the platform does not support hybrid graphics or ATPX dGPU
+power control.
+
+bug: https://bugzilla.kernel.org/show_bug.cgi?id=51381
+
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/radeon_device.c |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/radeon_device.c
++++ b/drivers/gpu/drm/radeon/radeon_device.c
+@@ -104,6 +104,14 @@ static const char radeon_family_name[][1
+       "LAST",
+ };
++#if defined(CONFIG_VGA_SWITCHEROO)
++bool radeon_has_atpx_dgpu_power_cntl(void);
++bool radeon_is_atpx_hybrid(void);
++#else
++static inline bool radeon_has_atpx_dgpu_power_cntl(void) { return false; }
++static inline bool radeon_is_atpx_hybrid(void) { return false; }
++#endif
++
+ #define RADEON_PX_QUIRK_DISABLE_PX  (1 << 0)
+ #define RADEON_PX_QUIRK_LONG_WAKEUP (1 << 1)
+@@ -160,6 +168,11 @@ static void radeon_device_handle_px_quir
+       if (rdev->px_quirk_flags & RADEON_PX_QUIRK_DISABLE_PX)
+               rdev->flags &= ~RADEON_IS_PX;
++
++      /* disable PX is the system doesn't support dGPU power control or hybrid gfx */
++      if (!radeon_is_atpx_hybrid() &&
++          !radeon_has_atpx_dgpu_power_cntl())
++              rdev->flags &= ~RADEON_IS_PX;
+ }
+ /**
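Review bot: The prototypes for `radeon_has_atpx_dgpu_power_cntl()` and `radeon_is_atpx_hybrid()` are declared inside radeon_device.c rather than in a shared header, so the compiler cannot check them against their definitions, which presumably live in another file. Moving the `#if defined(CONFIG_VGA_SWITCHEROO)` block to the driver's header would keep declaration and definition in step. The new comment also has a typo: it should read `/* disable PX if the system doesn't support dGPU power control or hybrid gfx */`. The function that receives the new check starts above the hunk.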
diff --git a/queue-4.8/iio-hid-sensors-increase-the-precision-of-scale-to-fix-wrong-reading-interpretation.patch b/queue-4.8/iio-hid-sensors-increase-the-precision-of-scale-to-fix-wrong-reading-interpretation.patch
new file mode 100644 (file)
index 0000000..c98d2fa
--- /dev/null
@@ -0,0 +1,166 @@
+From 6f77199e9e4b84340c751c585691d7642a47d226 Mon Sep 17 00:00:00 2001
+From: Song Hongyan <hongyan.song@intel.com>
+Date: Tue, 25 Oct 2016 01:30:07 +0000
+Subject: iio: hid-sensors: Increase the precision of scale to fix wrong reading interpretation.
+
+From: Song Hongyan <hongyan.song@intel.com>
+
+commit 6f77199e9e4b84340c751c585691d7642a47d226 upstream.
+
+While testing, it was observed that on some platforms the scale value
+from iio sysfs for gyroscope is always 0 (E.g. Yoga 260). This results
+in the final angular velocity component values to be zeros.
+
+This is caused by insufficient precision of scale value displayed in sysfs.
+If the precision is changed to nano from current micro, then this is
+sufficient to display the scale value on this platform.
+Since this can be a problem for all other HID sensors, increase scale
+precision of all HID sensors to nano from current micro.
+
+Results on Yoga 260:
+
+name           scale before    scale now
+--------------------------------------------
+gyro_3d                0.000000        0.000000174
+als                    0.001000        0.001000000
+magn_3d                0.000001        0.000001000
+accel_3d               0.000009        0.000009806
+
+Signed-off-by: Song Hongyan <hongyan.song@intel.com>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/common/hid-sensors/hid-sensor-attributes.c |   56 ++++++++---------
+ 1 file changed, 28 insertions(+), 28 deletions(-)
+
+--- a/drivers/iio/common/hid-sensors/hid-sensor-attributes.c
++++ b/drivers/iio/common/hid-sensors/hid-sensor-attributes.c
+@@ -30,26 +30,26 @@ static struct {
+       u32 usage_id;
+       int unit; /* 0 for default others from HID sensor spec */
+       int scale_val0; /* scale, whole number */
+-      int scale_val1; /* scale, fraction in micros */
++      int scale_val1; /* scale, fraction in nanos */
+ } unit_conversion[] = {
+-      {HID_USAGE_SENSOR_ACCEL_3D, 0, 9, 806650},
++      {HID_USAGE_SENSOR_ACCEL_3D, 0, 9, 806650000},
+       {HID_USAGE_SENSOR_ACCEL_3D,
+               HID_USAGE_SENSOR_UNITS_METERS_PER_SEC_SQRD, 1, 0},
+       {HID_USAGE_SENSOR_ACCEL_3D,
+-              HID_USAGE_SENSOR_UNITS_G, 9, 806650},
++              HID_USAGE_SENSOR_UNITS_G, 9, 806650000},
+-      {HID_USAGE_SENSOR_GYRO_3D, 0, 0, 17453},
++      {HID_USAGE_SENSOR_GYRO_3D, 0, 0, 17453293},
+       {HID_USAGE_SENSOR_GYRO_3D,
+               HID_USAGE_SENSOR_UNITS_RADIANS_PER_SECOND, 1, 0},
+       {HID_USAGE_SENSOR_GYRO_3D,
+-              HID_USAGE_SENSOR_UNITS_DEGREES_PER_SECOND, 0, 17453},
++              HID_USAGE_SENSOR_UNITS_DEGREES_PER_SECOND, 0, 17453293},
+-      {HID_USAGE_SENSOR_COMPASS_3D, 0, 0, 1000},
++      {HID_USAGE_SENSOR_COMPASS_3D, 0, 0, 1000000},
+       {HID_USAGE_SENSOR_COMPASS_3D, HID_USAGE_SENSOR_UNITS_GAUSS, 1, 0},
+-      {HID_USAGE_SENSOR_INCLINOMETER_3D, 0, 0, 17453},
++      {HID_USAGE_SENSOR_INCLINOMETER_3D, 0, 0, 17453293},
+       {HID_USAGE_SENSOR_INCLINOMETER_3D,
+-              HID_USAGE_SENSOR_UNITS_DEGREES, 0, 17453},
++              HID_USAGE_SENSOR_UNITS_DEGREES, 0, 17453293},
+       {HID_USAGE_SENSOR_INCLINOMETER_3D,
+               HID_USAGE_SENSOR_UNITS_RADIANS, 1, 0},
+@@ -57,7 +57,7 @@ static struct {
+       {HID_USAGE_SENSOR_ALS, HID_USAGE_SENSOR_UNITS_LUX, 1, 0},
+       {HID_USAGE_SENSOR_PRESSURE, 0, 100, 0},
+-      {HID_USAGE_SENSOR_PRESSURE, HID_USAGE_SENSOR_UNITS_PASCAL, 0, 1000},
++      {HID_USAGE_SENSOR_PRESSURE, HID_USAGE_SENSOR_UNITS_PASCAL, 0, 1000000},
+ };
+ static int pow_10(unsigned power)
+@@ -266,15 +266,15 @@ EXPORT_SYMBOL(hid_sensor_write_raw_hyst_
+ /*
+  * This fuction applies the unit exponent to the scale.
+  * For example:
+- * 9.806650 ->exp:2-> val0[980]val1[665000]
+- * 9.000806 ->exp:2-> val0[900]val1[80600]
+- * 0.174535 ->exp:2-> val0[17]val1[453500]
+- * 1.001745 ->exp:0-> val0[1]val1[1745]
+- * 1.001745 ->exp:2-> val0[100]val1[174500]
+- * 1.001745 ->exp:4-> val0[10017]val1[450000]
+- * 9.806650 ->exp:-2-> val0[0]val1[98066]
++ * 9.806650000 ->exp:2-> val0[980]val1[665000000]
++ * 9.000806000 ->exp:2-> val0[900]val1[80600000]
++ * 0.174535293 ->exp:2-> val0[17]val1[453529300]
++ * 1.001745329 ->exp:0-> val0[1]val1[1745329]
++ * 1.001745329 ->exp:2-> val0[100]val1[174532900]
++ * 1.001745329 ->exp:4-> val0[10017]val1[453290000]
++ * 9.806650000 ->exp:-2-> val0[0]val1[98066500]
+  */
+-static void adjust_exponent_micro(int *val0, int *val1, int scale0,
++static void adjust_exponent_nano(int *val0, int *val1, int scale0,
+                                 int scale1, int exp)
+ {
+       int i;
+@@ -285,32 +285,32 @@ static void adjust_exponent_micro(int *v
+       if (exp > 0) {
+               *val0 = scale0 * pow_10(exp);
+               res = 0;
+-              if (exp > 6) {
++              if (exp > 9) {
+                       *val1 = 0;
+                       return;
+               }
+               for (i = 0; i < exp; ++i) {
+-                      x = scale1 / pow_10(5 - i);
++                      x = scale1 / pow_10(8 - i);
+                       res += (pow_10(exp - 1 - i) * x);
+-                      scale1 = scale1 % pow_10(5 - i);
++                      scale1 = scale1 % pow_10(8 - i);
+               }
+               *val0 += res;
+                       *val1 = scale1 * pow_10(exp);
+       } else if (exp < 0) {
+               exp = abs(exp);
+-              if (exp > 6) {
++              if (exp > 9) {
+                       *val0 = *val1 = 0;
+                       return;
+               }
+               *val0 = scale0 / pow_10(exp);
+               rem = scale0 % pow_10(exp);
+               res = 0;
+-              for (i = 0; i < (6 - exp); ++i) {
+-                      x = scale1 / pow_10(5 - i);
+-                      res += (pow_10(5 - exp - i) * x);
+-                      scale1 = scale1 % pow_10(5 - i);
++              for (i = 0; i < (9 - exp); ++i) {
++                      x = scale1 / pow_10(8 - i);
++                      res += (pow_10(8 - exp - i) * x);
++                      scale1 = scale1 % pow_10(8 - i);
+               }
+-              *val1 = rem * pow_10(6 - exp) + res;
++              *val1 = rem * pow_10(9 - exp) + res;
+       } else {
+               *val0 = scale0;
+               *val1 = scale1;
+@@ -332,14 +332,14 @@ int hid_sensor_format_scale(u32 usage_id
+                       unit_conversion[i].unit == attr_info->units) {
+                       exp  = hid_sensor_convert_exponent(
+                                               attr_info->unit_expo);
+-                      adjust_exponent_micro(val0, val1,
++                      adjust_exponent_nano(val0, val1,
+                                       unit_conversion[i].scale_val0,
+                                       unit_conversion[i].scale_val1, exp);
+                       break;
+               }
+       }
+-      return IIO_VAL_INT_PLUS_MICRO;
++      return IIO_VAL_INT_PLUS_NANO;
+ }
+ EXPORT_SYMBOL(hid_sensor_format_scale);
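Review bot: In adjust_exponent_nano the guard is widened to `exp > 9`, but `*val0 = scale0 * pow_10(exp)` is still evaluated in `int` before that guard, and `pow_10()` itself returns `int`. With the table's whole parts (100 with an exponent of 8, or 9 with an exponent of 9) the product already exceeds INT_MAX, and the exponent appears to come from the device-reported `unit_expo`. If `hid_sensor_convert_exponent()` bounds the value tightly enough this is unreachable, but that is not visible here, so I would document the assumption in the function comment, e.g. ` * scale0 * pow_10(exp) must fit in int; exp is bounded by hid_sensor_convert_exponent()`, or reject out-of-range exponents before multiplying. The function body starts above the hunk.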
diff --git a/queue-4.8/iio-orientation-hid-sensor-rotation-add-pm-function-fix-non-working-driver.patch b/queue-4.8/iio-orientation-hid-sensor-rotation-add-pm-function-fix-non-working-driver.patch
new file mode 100644 (file)
index 0000000..467132b
--- /dev/null
@@ -0,0 +1,42 @@
+From 8af644a7d6846f48d6b72be5d4a3c6eb16bd33c8 Mon Sep 17 00:00:00 2001
+From: Song Hongyan <hongyan.song@intel.com>
+Date: Tue, 25 Oct 2016 01:06:03 +0000
+Subject: iio: orientation: hid-sensor-rotation: Add PM function (fix non working driver)
+
+From: Song Hongyan <hongyan.song@intel.com>
+
+commit 8af644a7d6846f48d6b72be5d4a3c6eb16bd33c8 upstream.
+
+This fix makes newer ISH hubs work. Previous ones worked by lucky
+coincidence.
+
+Rotation sensor function does not work due to miss PM function.
+Add common hid sensor iio pm function for rotation sensor.
+
+Further clarification from Srinivas:
+
+If CONFIG_PM is not defined, then this prevents this sensor to
+function. So above commit caused this.
+
+This sensor was supposed to be always on to trigger wake up in prior
+external hubs. But with the new ISH hub this is not the case.
+
+Signed-off-by: Song Hongyan <hongyan.song@intel.com>
+Fixes: 2b89635e9a9e ("iio: hid_sensor_hub: Common PM functions")
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/orientation/hid-sensor-rotation.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/orientation/hid-sensor-rotation.c
++++ b/drivers/iio/orientation/hid-sensor-rotation.c
+@@ -335,6 +335,7 @@ static struct platform_driver hid_dev_ro
+       .id_table = hid_dev_rot_ids,
+       .driver = {
+               .name   = KBUILD_MODNAME,
++              .pm     = &hid_sensor_pm_ops,
+       },
+       .probe          = hid_dev_rot_probe,
+       .remove         = hid_dev_rot_remove,
diff --git a/queue-4.8/iio-st_sensors-fix-scale-configuration-for-h3lis331dl.patch b/queue-4.8/iio-st_sensors-fix-scale-configuration-for-h3lis331dl.patch
new file mode 100644 (file)
index 0000000..1b964b4
--- /dev/null
@@ -0,0 +1,75 @@
+From d304286abbbe7ed6228a553a56ba054e900907eb Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>
+Date: Tue, 25 Oct 2016 23:07:38 +0200
+Subject: iio: st_sensors: fix scale configuration for h3lis331dl
+
+From: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>
+
+commit d304286abbbe7ed6228a553a56ba054e900907eb upstream.
+
+fix scale configuration/parsing for h3lis331dl accel driver
+when sensitivity is higher than 1(m/s^2)/digit
+
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@st.com>
+Fixes: 1e52fefc9b0c ("iio: accel: Add support for the h3lis331dl accelerometer")
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/accel/st_accel_core.c               |   12 ++++++++----
+ drivers/iio/common/st_sensors/st_sensors_core.c |    8 +++++---
+ 2 files changed, 13 insertions(+), 7 deletions(-)
+
+--- a/drivers/iio/accel/st_accel_core.c
++++ b/drivers/iio/accel/st_accel_core.c
+@@ -743,8 +743,8 @@ static int st_accel_read_raw(struct iio_
+               return IIO_VAL_INT;
+       case IIO_CHAN_INFO_SCALE:
+-              *val = 0;
+-              *val2 = adata->current_fullscale->gain;
++              *val = adata->current_fullscale->gain / 1000000;
++              *val2 = adata->current_fullscale->gain % 1000000;
+               return IIO_VAL_INT_PLUS_MICRO;
+       case IIO_CHAN_INFO_SAMP_FREQ:
+               *val = adata->odr;
+@@ -763,9 +763,13 @@ static int st_accel_write_raw(struct iio
+       int err;
+       switch (mask) {
+-      case IIO_CHAN_INFO_SCALE:
+-              err = st_sensors_set_fullscale_by_gain(indio_dev, val2);
++      case IIO_CHAN_INFO_SCALE: {
++              int gain;
++
++              gain = val * 1000000 + val2;
++              err = st_sensors_set_fullscale_by_gain(indio_dev, gain);
+               break;
++      }
+       case IIO_CHAN_INFO_SAMP_FREQ:
+               if (val2)
+                       return -EINVAL;
+--- a/drivers/iio/common/st_sensors/st_sensors_core.c
++++ b/drivers/iio/common/st_sensors/st_sensors_core.c
+@@ -619,7 +619,7 @@ EXPORT_SYMBOL(st_sensors_sysfs_sampling_
+ ssize_t st_sensors_sysfs_scale_avail(struct device *dev,
+                               struct device_attribute *attr, char *buf)
+ {
+-      int i, len = 0;
++      int i, len = 0, q, r;
+       struct iio_dev *indio_dev = dev_get_drvdata(dev);
+       struct st_sensor_data *sdata = iio_priv(indio_dev);
+@@ -628,8 +628,10 @@ ssize_t st_sensors_sysfs_scale_avail(str
+               if (sdata->sensor_settings->fs.fs_avl[i].num == 0)
+                       break;
+-              len += scnprintf(buf + len, PAGE_SIZE - len, "0.%06u ",
+-                              sdata->sensor_settings->fs.fs_avl[i].gain);
++              q = sdata->sensor_settings->fs.fs_avl[i].gain / 1000000;
++              r = sdata->sensor_settings->fs.fs_avl[i].gain % 1000000;
++
++              len += scnprintf(buf + len, PAGE_SIZE - len, "%u.%06u ", q, r);
+       }
+       mutex_unlock(&indio_dev->mlock);
+       buf[len - 1] = '\n';
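Review bot: `gain = val * 1000000 + val2;` in st_accel_write_raw is computed in `int` from values that, for an IIO write_raw handler, originate from a sysfs write, so a large `val` wraps before the gain lookup. The result is presumably only matched against the full-scale table, but a wrapped value could alias a valid gain, so I would reject the range first: `if (val < 0 || val2 < 0 || val >= INT_MAX / 1000000) return -EINVAL;`. In st_sensors_sysfs_scale_avail the new `q` and `r` are `int` but printed with `%u`; declaring them `unsigned int` keeps the format and the type aligned. Both functions extend beyond their hunks.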
diff --git a/queue-4.8/kvm-arm-arm64-vgic-prevent-access-to-invalid-spis.patch b/queue-4.8/kvm-arm-arm64-vgic-prevent-access-to-invalid-spis.patch
new file mode 100644 (file)
index 0000000..bf5873b
--- /dev/null
@@ -0,0 +1,121 @@
+From 112b0b8f8f6e18d4695d21457961c0e1b322a1d7 Mon Sep 17 00:00:00 2001
+From: Andre Przywara <andre.przywara@arm.com>
+Date: Tue, 1 Nov 2016 18:00:08 +0000
+Subject: KVM: arm/arm64: vgic: Prevent access to invalid SPIs
+
+From: Andre Przywara <andre.przywara@arm.com>
+
+commit 112b0b8f8f6e18d4695d21457961c0e1b322a1d7 upstream.
+
+In our VGIC implementation we limit the number of SPIs to a number
+that the userland application told us. Accordingly we limit the
+allocation of memory for virtual IRQs to that number.
+However in our MMIO dispatcher we didn't check if we ever access an
+IRQ beyond that limit, leading to out-of-bound accesses.
+Add a test against the number of allocated SPIs in check_region().
+Adjust the VGIC_ADDR_TO_INT macro to avoid an actual division, which
+is not implemented on ARM(32).
+
+[maz: cleaned-up original patch]
+
+Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/arm/vgic/vgic-mmio.c |   41 +++++++++++++++++++++++++++--------------
+ virt/kvm/arm/vgic/vgic-mmio.h |   14 +++++++-------
+ 2 files changed, 34 insertions(+), 21 deletions(-)
+
+--- a/virt/kvm/arm/vgic/vgic-mmio.c
++++ b/virt/kvm/arm/vgic/vgic-mmio.c
+@@ -453,17 +453,33 @@ struct vgic_io_device *kvm_to_vgic_iodev
+       return container_of(dev, struct vgic_io_device, dev);
+ }
+-static bool check_region(const struct vgic_register_region *region,
++static bool check_region(const struct kvm *kvm,
++                       const struct vgic_register_region *region,
+                        gpa_t addr, int len)
+ {
+-      if ((region->access_flags & VGIC_ACCESS_8bit) && len == 1)
+-              return true;
+-      if ((region->access_flags & VGIC_ACCESS_32bit) &&
+-          len == sizeof(u32) && !(addr & 3))
+-              return true;
+-      if ((region->access_flags & VGIC_ACCESS_64bit) &&
+-          len == sizeof(u64) && !(addr & 7))
+-              return true;
++      int flags, nr_irqs = kvm->arch.vgic.nr_spis + VGIC_NR_PRIVATE_IRQS;
++
++      switch (len) {
++      case sizeof(u8):
++              flags = VGIC_ACCESS_8bit;
++              break;
++      case sizeof(u32):
++              flags = VGIC_ACCESS_32bit;
++              break;
++      case sizeof(u64):
++              flags = VGIC_ACCESS_64bit;
++              break;
++      default:
++              return false;
++      }
++
++      if ((region->access_flags & flags) && IS_ALIGNED(addr, len)) {
++              if (!region->bits_per_irq)
++                      return true;
++
++              /* Do we access a non-allocated IRQ? */
++              return VGIC_ADDR_TO_INTID(addr, region->bits_per_irq) < nr_irqs;
++      }
+       return false;
+ }
+@@ -477,7 +493,7 @@ static int dispatch_mmio_read(struct kvm
+       region = vgic_find_mmio_region(iodev->regions, iodev->nr_regions,
+                                      addr - iodev->base_addr);
+-      if (!region || !check_region(region, addr, len)) {
++      if (!region || !check_region(vcpu->kvm, region, addr, len)) {
+               memset(val, 0, len);
+               return 0;
+       }
+@@ -510,10 +526,7 @@ static int dispatch_mmio_write(struct kv
+       region = vgic_find_mmio_region(iodev->regions, iodev->nr_regions,
+                                      addr - iodev->base_addr);
+-      if (!region)
+-              return 0;
+-
+-      if (!check_region(region, addr, len))
++      if (!region || !check_region(vcpu->kvm, region, addr, len))
+               return 0;
+       switch (iodev->iodev_type) {
+--- a/virt/kvm/arm/vgic/vgic-mmio.h
++++ b/virt/kvm/arm/vgic/vgic-mmio.h
+@@ -50,15 +50,15 @@ extern struct kvm_io_device_ops kvm_io_g
+ #define VGIC_ADDR_IRQ_MASK(bits) (((bits) * 1024 / 8) - 1)
+ /*
+- * (addr & mask) gives us the byte offset for the INT ID, so we want to
+- * divide this with 'bytes per irq' to get the INT ID, which is given
+- * by '(bits) / 8'.  But we do this with fixed-point-arithmetic and
+- * take advantage of the fact that division by a fraction equals
+- * multiplication with the inverted fraction, and scale up both the
+- * numerator and denominator with 8 to support at most 64 bits per IRQ:
++ * (addr & mask) gives us the _byte_ offset for the INT ID.
++ * We multiply this by 8 the get the _bit_ offset, then divide this by
++ * the number of bits to learn the actual INT ID.
++ * But instead of a division (which requires a "long long div" implementation),
++ * we shift by the binary logarithm of <bits>.
++ * This assumes that <bits> is a power of two.
+  */
+ #define VGIC_ADDR_TO_INTID(addr, bits)  (((addr) & VGIC_ADDR_IRQ_MASK(bits)) * \
+-                                      64 / (bits) / 8)
++                                      8 >> ilog2(bits))
+ /*
+  * Some VGIC registers store per-IRQ information, with a different number
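Review bot: check_region() bounds only the first interrupt an access touches: `VGIC_ADDR_TO_INTID(addr, region->bits_per_irq) < nr_irqs` ignores that a `len`-byte access covers `len * 8 / bits_per_irq` consecutive INTIDs. That is safe only if `nr_irqs` is always a multiple of the largest per-access IRQ count, which is presumably enforced where `nr_spis` is set but cannot be seen from this hunk. I would either state that invariant next to the check once confirmed, e.g. `/* nr_irqs is a multiple of the IRQs covered by one aligned access, so it never straddles the limit */`, or compare the last INTID covered instead of the first. The rewritten macro also depends on `bits` being a power of two, as its comment says; nothing in the hunk asserts that for every region.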
diff --git a/queue-4.8/mm-frontswap-make-sure-allocated-frontswap-map-is-assigned.patch b/queue-4.8/mm-frontswap-make-sure-allocated-frontswap-map-is-assigned.patch
new file mode 100644 (file)
index 0000000..3c93868
--- /dev/null
@@ -0,0 +1,87 @@
+From 5e322beefc8699b5747cfb35539a9496034e4296 Mon Sep 17 00:00:00 2001
+From: Vlastimil Babka <vbabka@suse.cz>
+Date: Thu, 10 Nov 2016 10:46:07 -0800
+Subject: mm, frontswap: make sure allocated frontswap map is assigned
+
+From: Vlastimil Babka <vbabka@suse.cz>
+
+commit 5e322beefc8699b5747cfb35539a9496034e4296 upstream.
+
+Christian Borntraeger reports:
+
+With commit 8ea1d2a1985a ("mm, frontswap: convert frontswap_enabled to
+static key") kmemleak complains about a memory leak in swapon
+
+    unreferenced object 0x3e09ba56000 (size 32112640):
+      comm "swapon", pid 7852, jiffies 4294968787 (age 1490.770s)
+      hex dump (first 32 bytes):
+        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+      backtrace:
+         __vmalloc_node_range+0x194/0x2d8
+         vzalloc+0x58/0x68
+         SyS_swapon+0xd60/0x12f8
+         system_call+0xd6/0x270
+
+Turns out kmemleak is right.  We now allocate the frontswap map
+depending on the kernel config (and no longer on the enablement)
+
+  swapfile.c:
+  [...]
+      if (IS_ENABLED(CONFIG_FRONTSWAP))
+                frontswap_map = vzalloc(BITS_TO_LONGS(maxpages) * sizeof(long));
+
+but later on this is passed along
+  --> enable_swap_info(p, prio, swap_map, cluster_info, frontswap_map);
+
+and ignored if frontswap is disabled
+  --> frontswap_init(p->type, frontswap_map);
+
+  static inline void frontswap_init(unsigned type, unsigned long *map)
+  {
+        if (frontswap_enabled())
+                __frontswap_init(type, map);
+  }
+
+Thing is, that frontswap map is never freed.
+
+The leakage is relatively not that bad, because swapon is an infrequent
+and privileged operation.  However, if the first frontswap backend is
+registered after a swap type has been already enabled, it will WARN_ON
+in frontswap_register_ops() and frontswap will not be available for the
+swap type.
+
+Fix this by making sure the map is assigned by frontswap_init() as long
+as CONFIG_FRONTSWAP is enabled.
+
+Fixes: 8ea1d2a1985a ("mm, frontswap: convert frontswap_enabled to static key")
+Link: http://lkml.kernel.org/r/20161026134220.2566-1-vbabka@suse.cz
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Reported-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: David Vrabel <david.vrabel@citrix.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/frontswap.h |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/include/linux/frontswap.h
++++ b/include/linux/frontswap.h
+@@ -106,8 +106,9 @@ static inline void frontswap_invalidate_
+ static inline void frontswap_init(unsigned type, unsigned long *map)
+ {
+-      if (frontswap_enabled())
+-              __frontswap_init(type, map);
++#ifdef CONFIG_FRONTSWAP
++      __frontswap_init(type, map);
++#endif
+ }
+ #endif /* _LINUX_FRONTSWAP_H */
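Review bot: The now-unconditional call in `frontswap_init()` has no comment saying why the `frontswap_enabled()` test must not come back; that reasoning lives only in the commit message. I would add above the `#ifdef`: `/* Hand the map over even with no backend registered: swapon allocates it whenever CONFIG_FRONTSWAP is set, and a backend registered later expects it. */`. As a style point, `if (IS_ENABLED(CONFIG_FRONTSWAP))` would match the allocation site quoted in the description. That assumes `__frontswap_init()` is declared in both configurations, which this hunk does not show.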
diff --git a/queue-4.8/mm-hugetlb-fix-huge-page-reservation-leak-in-private-mapping-error-paths.patch b/queue-4.8/mm-hugetlb-fix-huge-page-reservation-leak-in-private-mapping-error-paths.patch
new file mode 100644 (file)
index 0000000..7d9bd8d
--- /dev/null
@@ -0,0 +1,161 @@
+From 96b96a96ddee4ba08ce4aeb8a558a3271fd4a7a7 Mon Sep 17 00:00:00 2001
+From: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Thu, 10 Nov 2016 10:46:32 -0800
+Subject: mm/hugetlb: fix huge page reservation leak in private mapping error paths
+
+From: Mike Kravetz <mike.kravetz@oracle.com>
+
+commit 96b96a96ddee4ba08ce4aeb8a558a3271fd4a7a7 upstream.
+
+Error paths in hugetlb_cow() and hugetlb_no_page() may free a newly
+allocated huge page.
+
+If a reservation was associated with the huge page, alloc_huge_page()
+consumed the reservation while allocating.  When the newly allocated
+page is freed in free_huge_page(), it will increment the global
+reservation count.  However, the reservation entry in the reserve map
+will remain.
+
+This is not an issue for shared mappings as the entry in the reserve map
+indicates a reservation exists.  But, an entry in a private mapping
+reserve map indicates the reservation was consumed and no longer exists.
+This results in an inconsistency between the reserve map and the global
+reservation count.  This 'leaks' a reserved huge page.
+
+Create a new routine restore_reserve_on_error() to restore the reserve
+entry in these specific error paths.  This routine makes use of a new
+function vma_add_reservation() which will add a reserve entry for a
+specific address/page.
+
+In general, these error paths were rarely (if ever) taken on most
+architectures.  However, powerpc contained arch specific code that that
+resulted in an extra fault and execution of these error paths on all
+private mappings.
+
+Fixes: 67961f9db8c4 ("mm/hugetlb: fix huge page reserve accounting for private mappings)
+Link: http://lkml.kernel.org/r/1476933077-23091-2-git-send-email-mike.kravetz@oracle.com
+Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+Reported-by: Jan Stancek <jstancek@redhat.com>
+Tested-by: Jan Stancek <jstancek@redhat.com>
+Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Acked-by: Hillf Danton <hillf.zj@alibaba-inc.com>
+Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Kirill A . Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/hugetlb.c |   66 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 66 insertions(+)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -1826,11 +1826,17 @@ static void return_unused_surplus_pages(
+  * is not the case is if a reserve map was changed between calls.  It
+  * is the responsibility of the caller to notice the difference and
+  * take appropriate action.
++ *
++ * vma_add_reservation is used in error paths where a reservation must
++ * be restored when a newly allocated huge page must be freed.  It is
++ * to be called after calling vma_needs_reservation to determine if a
++ * reservation exists.
+  */
+ enum vma_resv_mode {
+       VMA_NEEDS_RESV,
+       VMA_COMMIT_RESV,
+       VMA_END_RESV,
++      VMA_ADD_RESV,
+ };
+ static long __vma_reservation_common(struct hstate *h,
+                               struct vm_area_struct *vma, unsigned long addr,
+@@ -1856,6 +1862,14 @@ static long __vma_reservation_common(str
+               region_abort(resv, idx, idx + 1);
+               ret = 0;
+               break;
++      case VMA_ADD_RESV:
++              if (vma->vm_flags & VM_MAYSHARE)
++                      ret = region_add(resv, idx, idx + 1);
++              else {
++                      region_abort(resv, idx, idx + 1);
++                      ret = region_del(resv, idx, idx + 1);
++              }
++              break;
+       default:
+               BUG();
+       }
+@@ -1903,6 +1917,56 @@ static void vma_end_reservation(struct h
+       (void)__vma_reservation_common(h, vma, addr, VMA_END_RESV);
+ }
++static long vma_add_reservation(struct hstate *h,
++                      struct vm_area_struct *vma, unsigned long addr)
++{
++      return __vma_reservation_common(h, vma, addr, VMA_ADD_RESV);
++}
++
++/*
++ * This routine is called to restore a reservation on error paths.  In the
++ * specific error paths, a huge page was allocated (via alloc_huge_page)
++ * and is about to be freed.  If a reservation for the page existed,
++ * alloc_huge_page would have consumed the reservation and set PagePrivate
++ * in the newly allocated page.  When the page is freed via free_huge_page,
++ * the global reservation count will be incremented if PagePrivate is set.
++ * However, free_huge_page can not adjust the reserve map.  Adjust the
++ * reserve map here to be consistent with global reserve count adjustments
++ * to be made by free_huge_page.
++ */
++static void restore_reserve_on_error(struct hstate *h,
++                      struct vm_area_struct *vma, unsigned long address,
++                      struct page *page)
++{
++      if (unlikely(PagePrivate(page))) {
++              long rc = vma_needs_reservation(h, vma, address);
++
++              if (unlikely(rc < 0)) {
++                      /*
++                       * Rare out of memory condition in reserve map
++                       * manipulation.  Clear PagePrivate so that
++                       * global reserve count will not be incremented
++                       * by free_huge_page.  This will make it appear
++                       * as though the reservation for this page was
++                       * consumed.  This may prevent the task from
++                       * faulting in the page at a later time.  This
++                       * is better than inconsistent global huge page
++                       * accounting of reserve counts.
++                       */
++                      ClearPagePrivate(page);
++              } else if (rc) {
++                      rc = vma_add_reservation(h, vma, address);
++                      if (unlikely(rc < 0))
++                              /*
++                               * See above comment about rare out of
++                               * memory condition.
++                               */
++                              ClearPagePrivate(page);
++              } else
++                      vma_end_reservation(h, vma, address);
++      }
++}
++
+ struct page *alloc_huge_page(struct vm_area_struct *vma,
+                                   unsigned long addr, int avoid_reserve)
+ {
+@@ -3498,6 +3562,7 @@ retry_avoidcopy:
+       spin_unlock(ptl);
+       mmu_notifier_invalidate_range_end(mm, mmun_start, mmun_end);
+ out_release_all:
++      restore_reserve_on_error(h, vma, address, new_page);
+       put_page(new_page);
+ out_release_old:
+       put_page(old_page);
+@@ -3680,6 +3745,7 @@ backout:
+       spin_unlock(ptl);
+ backout_unlocked:
+       unlock_page(page);
++      restore_reserve_on_error(h, vma, address, page);
+       put_page(page);
+       goto out;
+ }
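Review bot: The private-mapping branch of the new `VMA_ADD_RESV` case calls `region_abort()` and then `region_del()` with no comment, and deleting an entry inside an operation named "add" reads like a bug. A short comment there would help, e.g. `/* Private mapping: an entry means "consumed", so restoring the reservation removes it. */`, plus a line noting that `region_abort()` presumably undoes the pending change left by the preceding `vma_needs_reservation()` call. The same case pairs an unbraced `if` with a braced `else`, and `restore_reserve_on_error()` ends with an unbraced `else` after braced branches; kernel style braces every branch once one needs them. `__vma_reservation_common()` starts and ends outside the hunk, so how `ret` is post-processed for private mappings is not visible here.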
diff --git a/queue-4.8/mm-hwpoison-fix-thp-split-handling-in-memory_failure.patch b/queue-4.8/mm-hwpoison-fix-thp-split-handling-in-memory_failure.patch
new file mode 100644 (file)
index 0000000..ace759f
--- /dev/null
@@ -0,0 +1,61 @@
+From c3901e722b2975666f42748340df798114742d6d Mon Sep 17 00:00:00 2001
+From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Date: Thu, 10 Nov 2016 10:46:23 -0800
+Subject: mm: hwpoison: fix thp split handling in memory_failure()
+
+From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+
+commit c3901e722b2975666f42748340df798114742d6d upstream.
+
+When memory_failure() runs on a thp tail page after pmd is split, we
+trigger the following VM_BUG_ON_PAGE():
+
+   page:ffffd7cd819b0040 count:0 mapcount:0 mapping:         (null) index:0x1
+   flags: 0x1fffc000400000(hwpoison)
+   page dumped because: VM_BUG_ON_PAGE(!page_count(p))
+   ------------[ cut here ]------------
+   kernel BUG at /src/linux-dev/mm/memory-failure.c:1132!
+
+memory_failure() passed refcount and page lock from tail page to head
+page, which is not needed because we can pass any subpage to
+split_huge_page().
+
+Fixes: 61f5d698cc97 ("mm: re-enable THP")
+Link: http://lkml.kernel.org/r/1477961577-7183-1-git-send-email-n-horiguchi@ah.jp.nec.com
+Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memory-failure.c |   12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -1112,10 +1112,10 @@ int memory_failure(unsigned long pfn, in
+       }
+       if (!PageHuge(p) && PageTransHuge(hpage)) {
+-              lock_page(hpage);
+-              if (!PageAnon(hpage) || unlikely(split_huge_page(hpage))) {
+-                      unlock_page(hpage);
+-                      if (!PageAnon(hpage))
++              lock_page(p);
++              if (!PageAnon(p) || unlikely(split_huge_page(p))) {
++                      unlock_page(p);
++                      if (!PageAnon(p))
+                               pr_err("Memory failure: %#lx: non anonymous thp\n",
+                                       pfn);
+                       else
+@@ -1126,9 +1126,7 @@ int memory_failure(unsigned long pfn, in
+                       put_hwpoison_page(p);
+                       return -EBUSY;
+               }
+-              unlock_page(hpage);
+-              get_hwpoison_page(p);
+-              put_hwpoison_page(hpage);
++              unlock_page(p);
+               VM_BUG_ON_PAGE(!page_count(p), p);
+               hpage = compound_head(p);
+       }
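Review bot: Nothing at the `lock_page(p)` site records that the lock and the reference now deliberately stay on the poisoned subpage rather than the head page, so a later cleanup could move them back to `hpage`. I would add `/* split_huge_page() accepts any subpage; keep the lock and refcount on p across the split. */` above `lock_page(p)`. The "across the split" part is my reading of the description and the quoted VM_BUG_ON_PAGE report, so the wording should be confirmed. `memory_failure()` continues on both sides of these hunks.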
diff --git a/queue-4.8/mmc-mmc-use-500ms-as-the-default-generic-cmd6-timeout.patch b/queue-4.8/mmc-mmc-use-500ms-as-the-default-generic-cmd6-timeout.patch
new file mode 100644 (file)
index 0000000..7238081
--- /dev/null
@@ -0,0 +1,63 @@
+From fe1b5700c70faac6e027982d59667bc6020de5a8 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Fri, 4 Nov 2016 18:32:33 +0100
+Subject: mmc: mmc: Use 500ms as the default generic CMD6 timeout
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit fe1b5700c70faac6e027982d59667bc6020de5a8 upstream.
+
+In the eMMC 4.51 version of the spec, an EXT_CSD field called
+GENERIC_CMD6_TIME[248] was added. This allows cards to specify the maximum
+time it may need to move out from its busy state, when a CMD6 command has
+been sent.
+
+In cases when the card is compliant to versions < 4.51 of the eMMC spec,
+obviously the core needs to use a fall-back value for this timeout, which
+currently is set to 10 minutes. This value is completely in the wrong range
+and importantly in some cases it causes a card initialization to take more
+than 10 minute to complete.
+
+Earlier this scenario was avoided as the mmc core used CMD13 to poll the
+card, to find out when it stopped signaling busy. Commit 08573eaf1a70
+("mmc: mmc: do not use CMD13 to get status after speed mode switch")
+changed this behavior.
+
+Instead of reverting that commit, which would cause other issues, let's
+instead start by picking a simple solution for the problem, by using a
+500ms default generic CMD6 timeout.
+
+The reason for using exactly 500ms, comes from observations that shows it's
+quite common for cards to specify 250ms. 500ms is two times that value so
+likely it should be enough for most cards.
+
+Fixes: 08573eaf1a70 ("mmc: mmc: do not use CMD13 to get status after speed
+mode switch")
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Tested-by: Stephen Boyd <sboyd@codeaurora.org>
+Tested-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/core/mmc.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mmc/core/mmc.c
++++ b/drivers/mmc/core/mmc.c
+@@ -26,6 +26,8 @@
+ #include "mmc_ops.h"
+ #include "sd_ops.h"
++#define DEFAULT_CMD6_TIMEOUT_MS       500
++
+ static const unsigned int tran_exp[] = {
+       10000,          100000,         1000000,        10000000,
+       0,              0,              0,              0
+@@ -571,6 +573,7 @@ static int mmc_decode_ext_csd(struct mmc
+               card->erased_byte = 0x0;
+       /* eMMC v4.5 or later */
++      card->ext_csd.generic_cmd6_time = DEFAULT_CMD6_TIMEOUT_MS;
+       if (card->ext_csd.rev >= 6) {
+               card->ext_csd.feature_support |= MMC_DISCARD_FEATURE;
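Review bot: In `mmc_decode_ext_csd()` the new default is assigned directly under the `/* eMMC v4.5 or later */` comment, so the comment reads as if the 500 ms value applied only to those cards, when it is the fallback for older ones. Move the assignment above that comment and give it its own, e.g. `/* Fallback for cards older than eMMC 4.51, which lack GENERIC_CMD6_TIME */`. The `DEFAULT_CMD6_TIMEOUT_MS` define would also benefit from a one-line comment naming what the timeout bounds. The code that presumably overwrites the default from EXT_CSD is outside the hunk.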
diff --git a/queue-4.8/mmc-sdhci-fix-cmd-line-reset-interfering-with-ongoing-data-transfer.patch b/queue-4.8/mmc-sdhci-fix-cmd-line-reset-interfering-with-ongoing-data-transfer.patch
new file mode 100644 (file)
index 0000000..f63ce7e
--- /dev/null
@@ -0,0 +1,74 @@
+From 6ebebeab5185f50d55c6a24d0abe47e5dac1b191 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Wed, 2 Nov 2016 15:49:08 +0200
+Subject: mmc: sdhci: Fix CMD line reset interfering with ongoing data transfer
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 6ebebeab5185f50d55c6a24d0abe47e5dac1b191 upstream.
+
+CMD line reset during an ongoing data transfer can cause the data transfer
+to hang.  Fix by delaying the reset until the data transfer is finished.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci.c |   23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -2269,10 +2269,8 @@ static bool sdhci_request_done(struct sd
+       for (i = 0; i < SDHCI_MAX_MRQS; i++) {
+               mrq = host->mrqs_done[i];
+-              if (mrq) {
+-                      host->mrqs_done[i] = NULL;
++              if (mrq)
+                       break;
+-              }
+       }
+       if (!mrq) {
+@@ -2303,6 +2301,17 @@ static bool sdhci_request_done(struct sd
+        * upon error conditions.
+        */
+       if (sdhci_needs_reset(host, mrq)) {
++              /*
++               * Do not finish until command and data lines are available for
++               * reset. Note there can only be one other mrq, so it cannot
++               * also be in mrqs_done, otherwise host->cmd and host->data_cmd
++               * would both be null.
++               */
++              if (host->cmd || host->data_cmd) {
++                      spin_unlock_irqrestore(&host->lock, flags);
++                      return true;
++              }
++
+               /* Some controllers need this kick or reset won't work here */
+               if (host->quirks & SDHCI_QUIRK_CLOCK_BEFORE_RESET)
+                       /* This is to force an update */
+@@ -2310,10 +2319,8 @@ static bool sdhci_request_done(struct sd
+               /* Spec says we should do both at the same time, but Ricoh
+                  controllers do not like that. */
+-              if (!host->cmd)
+-                      sdhci_do_reset(host, SDHCI_RESET_CMD);
+-              if (!host->data_cmd)
+-                      sdhci_do_reset(host, SDHCI_RESET_DATA);
++              sdhci_do_reset(host, SDHCI_RESET_CMD);
++              sdhci_do_reset(host, SDHCI_RESET_DATA);
+               host->pending_reset = false;
+       }
+@@ -2321,6 +2328,8 @@ static bool sdhci_request_done(struct sd
+       if (!sdhci_has_requests(host))
+               sdhci_led_deactivate(host);
++      host->mrqs_done[i] = NULL;
++
+       mmiowb();
+       spin_unlock_irqrestore(&host->lock, flags);
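Review bot: `host->mrqs_done[i] = NULL;` now sits far below the search loop and silently depends on `i` still holding the index where the loop broke. It is in bounds only because the `if (!mrq)` branch, whose body is outside the hunk, presumably returns. A comment at the assignment would make that explicit, e.g. `/* i is the slot found above; release it only once the request is really finished */`. The new early return under `sdhci_needs_reset()` leaves the request parked in `mrqs_done` and returns `true`, so it is finished only if something runs this function again after `host->cmd` and `host->data_cmd` clear. The comment there should name what does that, which the hunk does not show, since a transfer that never completes could otherwise strand the errored request.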
diff --git a/queue-4.8/mmc-sdhci-fix-unexpected-data-interrupt-handling.patch b/queue-4.8/mmc-sdhci-fix-unexpected-data-interrupt-handling.patch
new file mode 100644 (file)
index 0000000..04ad0ee
--- /dev/null
@@ -0,0 +1,48 @@
+From 69b962a65a547690a356f9f76bc4f53db538ac49 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Wed, 2 Nov 2016 15:49:09 +0200
+Subject: mmc: sdhci: Fix unexpected data interrupt handling
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 69b962a65a547690a356f9f76bc4f53db538ac49 upstream.
+
+In the busy response case (i.e. !host->data), an unexpected data interrupt
+would result in clearing the data command as though it had completed but
+without informing the upper layers and thus resulting in a hang.  Fix by
+only clearing the data command for data interrupts that are expected.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -2509,9 +2509,6 @@ static void sdhci_data_irq(struct sdhci_
+       if (!host->data) {
+               struct mmc_command *data_cmd = host->data_cmd;
+-              if (data_cmd)
+-                      host->data_cmd = NULL;
+-
+               /*
+                * The "data complete" interrupt is also used to
+                * indicate that a busy state has ended. See comment
+@@ -2519,11 +2516,13 @@ static void sdhci_data_irq(struct sdhci_
+                */
+               if (data_cmd && (data_cmd->flags & MMC_RSP_BUSY)) {
+                       if (intmask & SDHCI_INT_DATA_TIMEOUT) {
++                              host->data_cmd = NULL;
+                               data_cmd->error = -ETIMEDOUT;
+                               sdhci_finish_mrq(host, data_cmd->mrq);
+                               return;
+                       }
+                       if (intmask & SDHCI_INT_DATA_END) {
++                              host->data_cmd = NULL;
+                               /*
+                                * Some cards handle busy-end interrupt
+                                * before the command completed, so make
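Review bot: `host->data_cmd = NULL;` is now repeated in the `SDHCI_INT_DATA_TIMEOUT` and `SDHCI_INT_DATA_END` branches of `sdhci_data_irq()` with no comment explaining why it must not be hoisted back above them. I would add at the first one `/* Clear data_cmd only for interrupts we act on; an unexpected one must leave it pending */`. The function continues past the end of the hunk, so what happens to an interrupt that matches neither branch is not visible here.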
diff --git a/queue-4.8/pci-don-t-attempt-to-claim-shadow-copies-of-rom.patch b/queue-4.8/pci-don-t-attempt-to-claim-shadow-copies-of-rom.patch
new file mode 100644 (file)
index 0000000..263a9ea
--- /dev/null
@@ -0,0 +1,64 @@
+From 16d917b130d782b94fa02afc7bdf0d4aae689da4 Mon Sep 17 00:00:00 2001
+From: Bjorn Helgaas <bhelgaas@google.com>
+Date: Tue, 8 Nov 2016 14:25:24 -0600
+Subject: PCI: Don't attempt to claim shadow copies of ROM
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+commit 16d917b130d782b94fa02afc7bdf0d4aae689da4 upstream.
+
+If we're using a shadow copy of a PCI device ROM, the shadow copy is in RAM
+and the device never sees accesses to it and doesn't respond to it.  We
+don't have to route the shadow range to the PCI device, and the device
+doesn't have to claim the range.
+
+Previously we treated the shadow copy as though it were the ROM BAR, and we
+failed to claim it because the region wasn't routed to the device:
+
+  pci 0000:01:00.0: Video device with shadowed ROM at [mem 0x000c0000-0x000dffff]
+  pci_bus 0000:01: Allocating resources
+  pci 0000:01:00.0: can't claim BAR 6 [mem 0x000c0000-0x000dffff]: no compatible bridge window
+
+The failure path of pcibios_allocate_dev_rom_resource() cleared out the
+resource start address, which also caused the following ioremap() warning:
+
+  WARNING: CPU: 0 PID: 116 at /build/linux-akdJXO/linux-4.8.0/arch/x86/mm/ioremap.c:121 __ioremap_caller+0x1ec/0x370
+  ioremap on RAM at 0x0000000000000000 - 0x000000000001ffff
+
+Handle an option ROM shadow copy as RAM, without trying to insert it into
+the iomem resource tree.
+
+This fixes a regression caused by 0c0e0736acad ("PCI: Set ROM shadow
+location in arch code, not in PCI core"), which appeared in v4.6.  The
+regression causes video device initialization to fail.  This was reported
+on AMD Turks, but it likely affects others as well.
+
+Fixes: 0c0e0736acad ("PCI: Set ROM shadow location in arch code, not in PCI core")
+Reported-and-tested-by: Vecu Bosseur <vecu.bosseur@gmail.com>
+Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1627496
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=175391
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=1352272
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/setup-res.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/pci/setup-res.c
++++ b/drivers/pci/setup-res.c
+@@ -121,6 +121,14 @@ int pci_claim_resource(struct pci_dev *d
+               return -EINVAL;
+       }
++      /*
++       * If we have a shadow copy in RAM, the PCI device doesn't respond
++       * to the shadow range, so we don't need to claim it, and upstream
++       * bridges don't need to route the range to the device.
++       */
++      if (res->flags & IORESOURCE_ROM_SHADOW)
++              return 0;
++
+       root = pci_find_parent_resource(dev, res);
+       if (!root) {
+               dev_info(&dev->dev, "can't claim BAR %d %pR: no compatible bridge window\n",
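Review bot: The new early `return 0` in `pci_claim_resource()` reports success without inserting the resource. A caller that takes 0 to mean the resource now has a parent in the iomem tree would be wrong for shadowed ROMs. The added comment should say so, for instance by ending with `Returning 0 here leaves res->parent unset.` Whether any caller relies on that is not visible from this hunk, so the enable path for BAR 6 is worth checking. The function starts and ends outside the hunk.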
diff --git a/queue-4.8/pinctrl-cherryview-prevent-possible-interrupt-storm-on-resume.patch b/queue-4.8/pinctrl-cherryview-prevent-possible-interrupt-storm-on-resume.patch
new file mode 100644 (file)
index 0000000..8eeb706
--- /dev/null
@@ -0,0 +1,74 @@
+From d2cdf5dc58f6970e9d9d26e47974c21fe87983f3 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Mon, 31 Oct 2016 16:57:33 +0200
+Subject: pinctrl: cherryview: Prevent possible interrupt storm on resume
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit d2cdf5dc58f6970e9d9d26e47974c21fe87983f3 upstream.
+
+When the system is suspended to S3 the BIOS might re-initialize certain
+GPIO pins back to their original state or it may re-program interrupt mask
+of others. For example Acer TravelMate B116-M had BIOS bug where certain
+GPIO pin (MF_ISH_GPIO_5) was programmed to trigger on high level, and the
+pin state was high once the BIOS gave control to the OS on resume.
+
+This triggers lots of messages like:
+
+ irq 117, desc: ffff88017a61e600, depth: 1, count: 0, unhandled: 0
+ ->handle_irq():  ffffffff8109b613, handle_bad_irq+0x0/0x1e0
+ ->irq_data.chip(): ffffffffa0020180, chv_pinctrl_exit+0x2d84/0x12 [pinctrl_cherryview]
+ ->action():           (null)
+    IRQ_NOPROBE set
+
+We reset the mask back to known state in chv_pinctrl_resume() but that is
+called only after device interrupts have already been enabled.
+
+Now, this particular issue was fixed by upgrading the BIOS to the latest
+(v1.23) but not everybody upgrades their BIOSes so we fix it up in the
+driver as well.
+
+Prevent the possible interrupt storm by moving suspend and resume hooks to
+be called at _noirq time instead. Since device interrupts are still
+disabled we can restore the mask back to known state before interrupt storm
+happens.
+
+Reported-by: Christian Steiner <christian.steiner@outlook.de>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/intel/pinctrl-cherryview.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/pinctrl/intel/pinctrl-cherryview.c
++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c
+@@ -1634,7 +1634,7 @@ static int chv_pinctrl_remove(struct pla
+ }
+ #ifdef CONFIG_PM_SLEEP
+-static int chv_pinctrl_suspend(struct device *dev)
++static int chv_pinctrl_suspend_noirq(struct device *dev)
+ {
+       struct platform_device *pdev = to_platform_device(dev);
+       struct chv_pinctrl *pctrl = platform_get_drvdata(pdev);
+@@ -1668,7 +1668,7 @@ static int chv_pinctrl_suspend(struct de
+       return 0;
+ }
+-static int chv_pinctrl_resume(struct device *dev)
++static int chv_pinctrl_resume_noirq(struct device *dev)
+ {
+       struct platform_device *pdev = to_platform_device(dev);
+       struct chv_pinctrl *pctrl = platform_get_drvdata(pdev);
+@@ -1728,7 +1728,8 @@ static int chv_pinctrl_resume(struct dev
+ #endif
+ static const struct dev_pm_ops chv_pinctrl_pm_ops = {
+-      SET_LATE_SYSTEM_SLEEP_PM_OPS(chv_pinctrl_suspend, chv_pinctrl_resume)
++      SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(chv_pinctrl_suspend_noirq,
++                                    chv_pinctrl_resume_noirq)
+ };
+ static const struct acpi_device_id chv_pinctrl_acpi_match[] = {
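Review bot: The switch to `SET_NOIRQ_SYSTEM_SLEEP_PM_OPS` in `chv_pinctrl_pm_ops` carries no comment, so the reason the hooks must run in the noirq phase exists only in the commit message. I would add above the macro: `/* Must run at noirq time: the BIOS may leave a pin asserting, and the mask has to be restored before device interrupts are enabled. */`. Both renamed functions extend beyond the hunks.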
diff --git a/queue-4.8/pinctrl-cherryview-serialize-register-access-in-suspend-resume.patch b/queue-4.8/pinctrl-cherryview-serialize-register-access-in-suspend-resume.patch
new file mode 100644 (file)
index 0000000..5c77eb0
--- /dev/null
@@ -0,0 +1,66 @@
+From 56211121c0825cd188caad05574fdc518d5cac6f Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Mon, 31 Oct 2016 16:57:32 +0200
+Subject: pinctrl: cherryview: Serialize register access in suspend/resume
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit 56211121c0825cd188caad05574fdc518d5cac6f upstream.
+
+If async suspend is enabled, the driver may access registers concurrently
+with another instance which may fail because of the bug in Cherryview GPIO
+hardware. Prevent this by taking the shared lock while accessing the
+hardware in suspend and resume hooks.
+
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/intel/pinctrl-cherryview.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/pinctrl/intel/pinctrl-cherryview.c
++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c
+@@ -1638,8 +1638,11 @@ static int chv_pinctrl_suspend(struct de
+ {
+       struct platform_device *pdev = to_platform_device(dev);
+       struct chv_pinctrl *pctrl = platform_get_drvdata(pdev);
++      unsigned long flags;
+       int i;
++      raw_spin_lock_irqsave(&chv_lock, flags);
++
+       pctrl->saved_intmask = readl(pctrl->regs + CHV_INTMASK);
+       for (i = 0; i < pctrl->community->npins; i++) {
+@@ -1660,6 +1663,8 @@ static int chv_pinctrl_suspend(struct de
+               ctx->padctrl1 = readl(reg);
+       }
++      raw_spin_unlock_irqrestore(&chv_lock, flags);
++
+       return 0;
+ }
+@@ -1667,8 +1672,11 @@ static int chv_pinctrl_resume(struct dev
+ {
+       struct platform_device *pdev = to_platform_device(dev);
+       struct chv_pinctrl *pctrl = platform_get_drvdata(pdev);
++      unsigned long flags;
+       int i;
++      raw_spin_lock_irqsave(&chv_lock, flags);
++
+       /*
+        * Mask all interrupts before restoring per-pin configuration
+        * registers because we don't know in which state BIOS left them
+@@ -1713,6 +1721,8 @@ static int chv_pinctrl_resume(struct dev
+       chv_writel(0xffff, pctrl->regs + CHV_INTSTAT);
+       chv_writel(pctrl->saved_intmask, pctrl->regs + CHV_INTMASK);
++      raw_spin_unlock_irqrestore(&chv_lock, flags);
++
+       return 0;
+ }
+ #endif
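Review bot: `chv_lock` is taken at the top of `chv_pinctrl_suspend()` and `chv_pinctrl_resume()` and released only just before `return 0`, and most of the loop bodies in between are outside the hunks. The patch therefore cannot be checked here for an exit path that skips the unlock. The raw spinlock is also held with interrupts off across the whole per-pin loop. That is probably acceptable in a suspend path but deserves a comment at the lock, e.g. `/* Cherryview GPIO registers must not be accessed concurrently; see chv_lock */`. If the elided resume loop logs anything per pin, that would now happen under a raw spinlock and is worth a look.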
diff --git a/queue-4.8/revert-staging-nvec-ps2-change-serio-type-to-passthrough.patch b/queue-4.8/revert-staging-nvec-ps2-change-serio-type-to-passthrough.patch
new file mode 100644 (file)
index 0000000..e260195
--- /dev/null
@@ -0,0 +1,48 @@
+From 17c1c9ba15b238ef79b51cf40d855c05b58d5934 Mon Sep 17 00:00:00 2001
+From: Paul Fertser <fercerpav@gmail.com>
+Date: Thu, 27 Oct 2016 17:22:09 +0300
+Subject: Revert "staging: nvec: ps2: change serio type to passthrough"
+
+From: Paul Fertser <fercerpav@gmail.com>
+
+commit 17c1c9ba15b238ef79b51cf40d855c05b58d5934 upstream.
+
+This reverts commit 36b30d6138f4677514aca35ab76c20c1604baaad.
+
+This is necessary to detect paz00 (ac100) touchpad properly as one
+speaking ETPS/2 protocol. Without it X.org's synaptics driver doesn't
+work as the touchpad is detected as an ImPS/2 mouse instead.
+
+Commit ec6184b1c717b8768122e25fe6d312f609cc1bb4 changed the way
+auto-detection is performed on ports marked as pass through and made the
+issue apparent.
+
+A pass through port is an additional PS/2 port used to connect a slave
+device to a master device that is using PS/2 to communicate with the
+host (so slave's PS/2 communication is tunneled over master's PS/2
+link). "Synaptics PS/2 TouchPad Interfacing Guide" describes such a
+setup (PS/2 PASS-THROUGH OPTION section).
+
+Since paz00's embedded controller is not connected to a PS/2 port
+itself, the PS/2 interface it exposes is not a pass-through one.
+
+Signed-off-by: Paul Fertser <fercerpav@gmail.com>
+Acked-by: Marc Dietrich <marvin24@gmx.de>
+Fixes: 36b30d6138f4 ("staging: nvec: ps2: change serio type to passthrough")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/nvec/nvec_ps2.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/nvec/nvec_ps2.c
++++ b/drivers/staging/nvec/nvec_ps2.c
+@@ -111,7 +111,7 @@ static int nvec_mouse_probe(struct platf
+       if (!ser_dev)
+               return -ENOMEM;
+-      ser_dev->id.type = SERIO_PS_PSTHRU;
++      ser_dev->id.type = SERIO_8042;
+       ser_dev->write = ps2_sendcommand;
+       ser_dev->start = ps2_startstreaming;
+       ser_dev->stop = ps2_stopstreaming;
diff --git a/queue-4.8/s390-hypfs-use-get_free_page-instead-of-kmalloc-to-ensure-page-alignment.patch b/queue-4.8/s390-hypfs-use-get_free_page-instead-of-kmalloc-to-ensure-page-alignment.patch
new file mode 100644 (file)
index 0000000..1ab0cde
--- /dev/null
@@ -0,0 +1,59 @@
+From 237d6e6884136923b6bd26d5141ebe1d065960c9 Mon Sep 17 00:00:00 2001
+From: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+Date: Tue, 25 Oct 2016 16:24:28 +0200
+Subject: s390/hypfs: Use get_free_page() instead of kmalloc to ensure page alignment
+
+From: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+
+commit 237d6e6884136923b6bd26d5141ebe1d065960c9 upstream.
+
+Since commit d86bd1bece6f ("mm/slub: support left redzone") it is no longer
+guaranteed that kmalloc(PAGE_SIZE) returns page aligned memory.
+
+After the above commit we get an error for diag224 because aligned
+memory is required. This leads to the following user visible error:
+
+ # mount none -t s390_hypfs /sys/hypervisor/
+ mount: unknown filesystem type 's390_hypfs'
+
+ # dmesg | grep hypfs
+ hypfs.cccfb8: The hardware system does not provide all functions
+               required by hypfs
+ hypfs.7a79f0: Initialization of hypfs failed with rc=-61
+
+Fix this problem and use get_free_page() instead of kmalloc() to get
+correctly aligned memory.
+
+Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/hypfs/hypfs_diag.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/s390/hypfs/hypfs_diag.c
++++ b/arch/s390/hypfs/hypfs_diag.c
+@@ -363,11 +363,11 @@ out:
+ static int diag224_get_name_table(void)
+ {
+       /* memory must be below 2GB */
+-      diag224_cpu_names = kmalloc(PAGE_SIZE, GFP_KERNEL | GFP_DMA);
++      diag224_cpu_names = (char *) __get_free_page(GFP_KERNEL | GFP_DMA);
+       if (!diag224_cpu_names)
+               return -ENOMEM;
+       if (diag224(diag224_cpu_names)) {
+-              kfree(diag224_cpu_names);
++              free_page((unsigned long) diag224_cpu_names);
+               return -EOPNOTSUPP;
+       }
+       EBCASC(diag224_cpu_names + 16, (*diag224_cpu_names + 1) * 16);
+@@ -376,7 +376,7 @@ static int diag224_get_name_table(void)
+ static void diag224_delete_name_table(void)
+ {
+-      kfree(diag224_cpu_names);
++      free_page((unsigned long) diag224_cpu_names);
+ }
+ static int diag224_idx2name(int index, char *name)
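Review bot: The comment above the allocation in diag224_get_name_table() still states only the 2GB constraint, although page alignment is the reason for this change. I would extend it to `/* memory must be below 2GB and page aligned for diag224 */` so the allocation is not switched back to kmalloc() later. Separately, the EBCASC() length on the context line is computed from the first byte of the page that diag224 filled in. Since the buffer is exactly one page, it is worth confirming that `16 + (*diag224_cpu_names + 1) * 16` cannot exceed PAGE_SIZE. diag224_delete_name_table() leaves the pointer set after free_page(); whether anything can reach it afterwards is not visible in this hunk.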
diff --git a/queue-4.8/scsi-mpt3sas-fix-for-block-device-of-raid-exists-even-after-deleting-raid-disk.patch b/queue-4.8/scsi-mpt3sas-fix-for-block-device-of-raid-exists-even-after-deleting-raid-disk.patch
new file mode 100644 (file)
index 0000000..1494b49
--- /dev/null
@@ -0,0 +1,57 @@
+From 6d3a56ed098566bc83d6c2afa74b4199c12ea074 Mon Sep 17 00:00:00 2001
+From: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+Date: Fri, 28 Oct 2016 10:09:12 +0530
+Subject: scsi: mpt3sas: Fix for block device of raid exists even after deleting raid disk
+
+From: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+
+commit 6d3a56ed098566bc83d6c2afa74b4199c12ea074 upstream.
+
+While merging mpt3sas & mpt2sas code, we added the is_warpdrive check
+condition on the wrong line
+
+---------------------------------------------------------------------------
+ scsih_target_alloc(struct scsi_target *starget)
+                        sas_target_priv_data->handle = raid_device->handle;
+                        sas_target_priv_data->sas_address = raid_device->wwid;
+                        sas_target_priv_data->flags |= MPT_TARGET_FLAGS_VOLUME;
+-                       raid_device->starget = starget;
++                       sas_target_priv_data->raid_device = raid_device;
++                       if (ioc->is_warpdrive)
++                               raid_device->starget = starget;
+                }
+                spin_unlock_irqrestore(&ioc->raid_device_lock, flags);
+                return 0;
+------------------------------------------------------------------------------
+
+That check should be for the line sas_target_priv_data->raid_device =
+raid_device;
+
+Due to above hunk, we are not initializing raid_device's starget for
+raid volumes, and so during raid disk deletion driver is not calling
+scsi_remove_target() API as driver observes starget field of
+raid_device's structure as NULL.
+
+Signed-off-by: Sreekanth Reddy <Sreekanth.Reddy@broadcom.com>
+Fixes: 7786ab6aff9 ("mpt3sas: Ported WarpDrive product SSS6200 support")
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/mpt3sas/mpt3sas_scsih.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -1273,9 +1273,9 @@ scsih_target_alloc(struct scsi_target *s
+                       sas_target_priv_data->handle = raid_device->handle;
+                       sas_target_priv_data->sas_address = raid_device->wwid;
+                       sas_target_priv_data->flags |= MPT_TARGET_FLAGS_VOLUME;
+-                      sas_target_priv_data->raid_device = raid_device;
+                       if (ioc->is_warpdrive)
+-                              raid_device->starget = starget;
++                              sas_target_priv_data->raid_device = raid_device;
++                      raid_device->starget = starget;
+               }
+               spin_unlock_irqrestore(&ioc->raid_device_lock, flags);
+               return 0;
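Review bot: The unbraced `if (ioc->is_warpdrive)` in scsih_target_alloc() is followed directly by the unconditional `raid_device->starget = starget;`, the same layout that let the condition land on the wrong statement during the merge. I would brace the conditional and comment the unconditional line, e.g. `/* always set: raid volume removal needs starget to call scsi_remove_target() */`. The enclosing function starts and ends outside the hunk, so it cannot be confirmed from here whether other readers of `sas_target_priv_data->raid_device` expect it to stay unset on non-WarpDrive controllers.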
diff --git a/queue-4.8/scsi-qla2xxx-fix-scsi-scan-hang-triggered-if-adapter-fails-during-init.patch b/queue-4.8/scsi-qla2xxx-fix-scsi-scan-hang-triggered-if-adapter-fails-during-init.patch
new file mode 100644 (file)
index 0000000..534a4de
--- /dev/null
@@ -0,0 +1,80 @@
+From a5dd506e1584e91f3e7500ab9a165aa1b49eabd4 Mon Sep 17 00:00:00 2001
+From: Bill Kuzeja <William.Kuzeja@stratus.com>
+Date: Fri, 21 Oct 2016 16:45:27 -0400
+Subject: scsi: qla2xxx: Fix scsi scan hang triggered if adapter fails during init
+
+From: Bill Kuzeja <William.Kuzeja@stratus.com>
+
+commit a5dd506e1584e91f3e7500ab9a165aa1b49eabd4 upstream.
+
+A system can get hung task timeouts if a qlogic board fails during
+initialization (if the board breaks again or fails the init). The hang
+involves the scsi scan.
+
+In a nutshell, since commit beb9e315e6e0 ("qla2xxx: Prevent removal and
+board_disable race"):
+
+...it is possible to have freed ha (base_vha->hw) early by a call to
+qla2x00_remove_one when pdev->enable_cnt equals zero:
+
+       if (!atomic_read(&pdev->enable_cnt)) {
+               scsi_host_put(base_vha->host);
+               kfree(ha);
+               pci_set_drvdata(pdev, NULL);
+               return;
+
+Almost always, the scsi_host_put above frees the vha structure
+(attached to the end of the Scsi_Host we're putting) since it's the last
+put, and life is good.  However, if we are entering this routine because
+the adapter has broken sometime during initialization AND a scsi scan is
+already in progress (and has done its own scsi_host_get), vha will not
+be freed. What's worse, the scsi scan will access the freed ha structure
+through qla2xxx_scan_finished:
+
+        if (time > vha->hw->loop_reset_delay * HZ)
+                return 1;
+
+The scsi scan keeps checking to see if a scan is complete by calling
+qla2xxx_scan_finished. There is a timeout value that limits the length
+of time a scan can take (hw->loop_reset_delay, usually set to 5
+seconds), but this definition is in the data structure (hw) that can get
+freed early.
+
+This can yield unpredictable results, the worst of which is that the
+scsi scan can hang indefinitely. This happens when the freed structure
+gets reused and loop_reset_delay gets overwritten with garbage, which
+the scan obliviously uses as its timeout value.
+
+The fix for this is simple: at the top of qla2xxx_scan_finished, check
+for the UNLOADING bit in the vha structure (_vha is not freed at this
+point).  If UNLOADING is set, we exit the scan for this adapter
+immediately. After this last reference to the ha structure, we'll exit
+the scan for this adapter, and continue on.
+
+This problem is hard to hit, but I have run into it doing negative
+testing many times now (with a test specifically designed to bring it
+out), so I can verify that this fix works. My testing has been against a
+RHEL7 driver variant, but the bug and patch are equally relevant to to
+the upstream driver.
+
+Fixes: beb9e315e6e0 ("qla2xxx: Prevent removal and board_disable race")
+Signed-off-by: Bill Kuzeja <william.kuzeja@stratus.com>
+Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_os.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -2341,6 +2341,8 @@ qla2xxx_scan_finished(struct Scsi_Host *
+ {
+       scsi_qla_host_t *vha = shost_priv(shost);
++      if (test_bit(UNLOADING, &vha->dpc_flags))
++              return 1;
+       if (!vha->host)
+               return 1;
+       if (time > vha->hw->loop_reset_delay * HZ)
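Review bot: The new UNLOADING test at the top of qla2xxx_scan_finished() narrows the use-after-free window but, as far as the hunk shows, does not close it. Nothing visible orders the test against the `kfree(ha)` quoted in the description, so the later `vha->hw->loop_reset_delay` read could still race with removal. If no lock or reference covers `ha` here, a sturdier option would be to keep the timeout in storage that lives as long as `vha`; this is hedged, since the remove path is outside the hunk. At minimum I would add a comment above the check, such as `/* ha may already be freed once UNLOADING is set; do not dereference vha->hw */`. The function body continues past the hunk.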
diff --git a/queue-4.8/scsi-scsi_dh_alua-fix-a-reference-counting-bug.patch b/queue-4.8/scsi-scsi_dh_alua-fix-a-reference-counting-bug.patch
new file mode 100644 (file)
index 0000000..6b3d734
--- /dev/null
@@ -0,0 +1,53 @@
+From df3d422cbac685da882e4c239dfda07de33d431b Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+Date: Tue, 1 Nov 2016 08:19:57 -0600
+Subject: scsi: scsi_dh_alua: Fix a reference counting bug
+
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+
+commit df3d422cbac685da882e4c239dfda07de33d431b upstream.
+
+The code at the end of alua_rtpg_work() is as follows:
+
+       scsi_device_put(sdev);
+       kref_put(&pg->kref, release_port_group);
+
+In other words, alua_rtpg_queue() must hold an sdev reference and a pg
+reference before queueing rtpg work. If no rtpg work is queued no
+additional references should be held when alua_rtpg_queue() returns. If
+no rtpg work is queued, ensure that alua_rtpg_queue() only gives up the
+sdev reference if that reference was obtained by the same
+alua_rtpg_queue() call.
+
+Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Reported-by: Tang Junhui <tang.junhui@zte.com.cn>
+Cc: Hannes Reinecke <hare@suse.com>
+Cc: Tang Junhui <tang.junhui@zte.com.cn>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/device_handler/scsi_dh_alua.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/device_handler/scsi_dh_alua.c
++++ b/drivers/scsi/device_handler/scsi_dh_alua.c
+@@ -890,6 +890,7 @@ static void alua_rtpg_queue(struct alua_
+               /* Do not queue if the worker is already running */
+               if (!(pg->flags & ALUA_PG_RUNNING)) {
+                       kref_get(&pg->kref);
++                      sdev = NULL;
+                       start_queue = 1;
+               }
+       }
+@@ -901,7 +902,8 @@ static void alua_rtpg_queue(struct alua_
+       if (start_queue &&
+           !queue_delayed_work(alua_wq, &pg->rtpg_work,
+                               msecs_to_jiffies(ALUA_RTPG_DELAY_MSECS))) {
+-              scsi_device_put(sdev);
++              if (sdev)
++                      scsi_device_put(sdev);
+               kref_put(&pg->kref, release_port_group);
+       }
+ }
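Review bot: Clearing the `sdev` parameter in alua_rtpg_queue() to mean "this call took no sdev reference" is easy to misread, because the same variable is later both tested and passed to scsi_device_put(). I would add a comment at the assignment, e.g. `/* no sdev reference taken on this path, so none to drop below */`, or track this in a separate local flag instead of overwriting the argument. The function starts outside the first inner hunk, so the branch that does take the sdev reference is not visible here.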
diff --git a/queue-4.8/scsi-scsi_dh_alua-fix-missing-kref_put-in-alua_rtpg_work.patch b/queue-4.8/scsi-scsi_dh_alua-fix-missing-kref_put-in-alua_rtpg_work.patch
new file mode 100644 (file)
index 0000000..2acab28
--- /dev/null
@@ -0,0 +1,33 @@
+From 1fdd14279eab2e9f79745631379f0c53cb8f9a5a Mon Sep 17 00:00:00 2001
+From: "tang.junhui" <tang.junhui@zte.com.cn>
+Date: Fri, 28 Oct 2016 15:54:07 +0800
+Subject: scsi: scsi_dh_alua: fix missing kref_put() in alua_rtpg_work()
+
+From: tang.junhui <tang.junhui@zte.com.cn>
+
+commit 1fdd14279eab2e9f79745631379f0c53cb8f9a5a upstream.
+
+Reference count of pg leaks in alua_rtpg_work() since kref_put() is not
+called to decrease the reference count of pg when the condition
+pg->rtpg_sdev==NULL satisfied (actually it is easy to satisfy), it would
+cause memory of pg leakage.
+
+Signed-off-by: tang.junhui <tang.junhui@zte.com.cn>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/device_handler/scsi_dh_alua.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/device_handler/scsi_dh_alua.c
++++ b/drivers/scsi/device_handler/scsi_dh_alua.c
+@@ -792,6 +792,7 @@ static void alua_rtpg_work(struct work_s
+               WARN_ON(pg->flags & ALUA_PG_RUN_RTPG);
+               WARN_ON(pg->flags & ALUA_PG_RUN_STPG);
+               spin_unlock_irqrestore(&pg->lock, flags);
++              kref_put(&pg->kref, release_port_group);
+               return;
+       }
+       if (pg->flags & ALUA_SYNC_STPG)
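Review bot: The added kref_put() on the early-return path of alua_rtpg_work() carries no comment saying which reference it drops. The description of the other scsi_dh_alua patch in this queue says alua_rtpg_queue() holds a pg reference before queueing the work, so a line such as `/* drop the pg reference taken when this work was queued */` would make the pairing explicit. `pg` must not be touched after the put; here the `return` follows immediately, which is correct. The function starts and ends outside the hunk.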
index 935f72eef8aba931cbedb4fe7a4ef845a94c34fd..938ebabf532b3f8313af7ddb1b5f0611bec5f299 100644 (file)
@@ -2,3 +2,46 @@ alsa-info-return-error-for-invalid-read-write.patch
 alsa-info-limit-the-proc-text-input-size.patch
 asoc-cs4270-fix-dapm-stream-name-mismatch.patch
 dib0700-fix-nec-repeat-handling.patch
+mm-frontswap-make-sure-allocated-frontswap-map-is-assigned.patch
+shmem-fix-pageflags-after-swapping-dma32-object.patch
+swapfile-fix-memory-corruption-via-malformed-swapfile.patch
+mm-hwpoison-fix-thp-split-handling-in-memory_failure.patch
+mm-hugetlb-fix-huge-page-reservation-leak-in-private-mapping-error-paths.patch
+coredump-fix-unfreezable-coredumping-task.patch
+s390-hypfs-use-get_free_page-instead-of-kmalloc-to-ensure-page-alignment.patch
+arc-timer-rtc-implement-read-loop-in-c-vs.-inline-asm.patch
+pci-don-t-attempt-to-claim-shadow-copies-of-rom.patch
+arc-implement-arch-specific-dma_map_ops.mmap.patch
+pinctrl-cherryview-serialize-register-access-in-suspend-resume.patch
+pinctrl-cherryview-prevent-possible-interrupt-storm-on-resume.patch
+cpupower-correct-return-type-of-cpu_power_is_cpu_online-in-cpufreq-set.patch
+mmc-sdhci-fix-cmd-line-reset-interfering-with-ongoing-data-transfer.patch
+mmc-sdhci-fix-unexpected-data-interrupt-handling.patch
+mmc-mmc-use-500ms-as-the-default-generic-cmd6-timeout.patch
+staging-iio-ad5933-avoid-uninitialized-variable-in-error-case.patch
+staging-sm750fb-fix-bugs-introduced-by-early-commits.patch
+staging-comedi-ni_tio-fix-buggy-ni_tio_clock_period_ps-return-value.patch
+drivers-staging-nvec-remove-bogus-reset-command-for-ps-2-interface.patch
+revert-staging-nvec-ps2-change-serio-type-to-passthrough.patch
+staging-nvec-remove-managed-resource-from-ps2-driver.patch
+usb-dwc3-fix-error-handling-for-core-init.patch
+usb-cdc-acm-fix-tiocmiwait.patch
+usb-gadget-u_ether-remove-interrupt-throttling.patch
+drbd-fix-kernel_sendmsg-usage-potential-null-deref.patch
+toshiba-wmi-fix-loading-the-driver-on-non-toshiba-laptops.patch
+clk-qoriq-don-t-allow-cpu-clocks-higher-than-starting-value.patch
+cdc-acm-fix-uninitialized-variable.patch
+iio-hid-sensors-increase-the-precision-of-scale-to-fix-wrong-reading-interpretation.patch
+iio-orientation-hid-sensor-rotation-add-pm-function-fix-non-working-driver.patch
+iio-st_sensors-fix-scale-configuration-for-h3lis331dl.patch
+scsi-qla2xxx-fix-scsi-scan-hang-triggered-if-adapter-fails-during-init.patch
+scsi-mpt3sas-fix-for-block-device-of-raid-exists-even-after-deleting-raid-disk.patch
+scsi-scsi_dh_alua-fix-missing-kref_put-in-alua_rtpg_work.patch
+scsi-scsi_dh_alua-fix-a-reference-counting-bug.patch
+kvm-arm-arm64-vgic-prevent-access-to-invalid-spis.patch
+drm-radeon-disable-runtime-pm-in-certain-cases.patch
+drm-i915-respect-alternate_ddc_pin-for-all-ddi-ports.patch
+drm-i915-dp-bdw-cdclk-fix-for-dp-audio.patch
+drm-i915-dp-extend-bdw-dp-audio-workaround-to-gen9-platforms.patch
+drm-amdgpu-disable-runtime-pm-in-certain-cases.patch
+drm-amdgpu-fix-crash-in-acp_hw_fini.patch
diff --git a/queue-4.8/shmem-fix-pageflags-after-swapping-dma32-object.patch b/queue-4.8/shmem-fix-pageflags-after-swapping-dma32-object.patch
new file mode 100644 (file)
index 0000000..ecb5278
--- /dev/null
@@ -0,0 +1,44 @@
+From 9956edf37e65e93fbb76dcff1236dff2323d306a Mon Sep 17 00:00:00 2001
+From: Hugh Dickins <hughd@google.com>
+Date: Thu, 10 Nov 2016 10:46:11 -0800
+Subject: shmem: fix pageflags after swapping DMA32 object
+
+From: Hugh Dickins <hughd@google.com>
+
+commit 9956edf37e65e93fbb76dcff1236dff2323d306a upstream.
+
+If shmem_alloc_page() does not set PageLocked and PageSwapBacked, then
+shmem_replace_page() needs to do so for itself.  Without this, it puts
+newpage on the wrong lru, re-unlocks the unlocked newpage, and system
+descends into "Bad page" reports and freeze; or if CONFIG_DEBUG_VM=y, it
+hits an earlier VM_BUG_ON_PAGE(!PageLocked), depending on config.
+
+But shmem_replace_page() is not a common path: it's only called when
+swapin (or swapoff) finds the page was already read into an unsuitable
+zone: usually all zones are suitable, but gem objects for a few drm
+devices (gma500, omapdrm, crestline, broadwater) require zone DMA32 if
+there's more than 4GB of ram.
+
+Fixes: 800d8c63b2e9 ("shmem: add huge pages support")
+Link: http://lkml.kernel.org/r/alpine.LSU.2.11.1611062003510.11253@eggly.anvils
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/shmem.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -1483,6 +1483,8 @@ static int shmem_replace_page(struct pag
+       copy_highpage(newpage, oldpage);
+       flush_dcache_page(newpage);
++      __SetPageLocked(newpage);
++      __SetPageSwapBacked(newpage);
+       SetPageUptodate(newpage);
+       set_page_private(newpage, swap_index);
+       SetPageSwapCache(newpage);
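Review bot: The two added calls in shmem_replace_page() use the non-atomic `__SetPageLocked()` and `__SetPageSwapBacked()` variants without saying why that is safe. They are presumably fine because `newpage` is not yet visible to anyone else at this point; this is inferred, since the allocation is above the hunk. A comment such as `/* newpage is not yet published: non-atomic flag setup is safe */` would stop someone moving them below the point where the page becomes visible. The error paths that must unlock or release `newpage` are outside the hunk and are worth checking against the new locked state.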
diff --git a/queue-4.8/staging-comedi-ni_tio-fix-buggy-ni_tio_clock_period_ps-return-value.patch b/queue-4.8/staging-comedi-ni_tio-fix-buggy-ni_tio_clock_period_ps-return-value.patch
new file mode 100644 (file)
index 0000000..dcbe1fd
--- /dev/null
@@ -0,0 +1,38 @@
+From 55abe8165f31ffb83ce8b24da959b61362dca4c4 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Thu, 27 Oct 2016 20:28:36 +0100
+Subject: staging: comedi: ni_tio: fix buggy ni_tio_clock_period_ps() return value
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 55abe8165f31ffb83ce8b24da959b61362dca4c4 upstream.
+
+`ni_tio_clock_period_ps()` used to return the clock period in
+picoseconds, and had a `BUG()` call for invalid cases.  It was changed
+to pass the clock period back via a pointer parameter and return an
+error for the invalid cases.  Unfortunately the code to handle
+user-specified clock sources with user-specified clock period is still
+returning the clock period the old way, which can lead to the caller not
+getting the clock period, or seeing an unexpected error.  Fix it by
+passing the clock period via the pointer parameter and returning `0`.
+
+Fixes: b42ca86ad605 ("staging: comedi: ni_tio: remove BUG() checks for ni_tio_get_clock_src()")
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/drivers/ni_tio.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/ni_tio.c
++++ b/drivers/staging/comedi/drivers/ni_tio.c
+@@ -207,7 +207,8 @@ static int ni_tio_clock_period_ps(const
+                * clock period is specified by user with prescaling
+                * already taken into account.
+                */
+-              return counter->clock_period_ps;
++              *period_ps = counter->clock_period_ps;
++              return 0;
+       }
+       switch (generic_clock_source & NI_GPCT_PRESCALE_MODE_CLOCK_SRC_MASK) {
diff --git a/queue-4.8/staging-iio-ad5933-avoid-uninitialized-variable-in-error-case.patch b/queue-4.8/staging-iio-ad5933-avoid-uninitialized-variable-in-error-case.patch
new file mode 100644 (file)
index 0000000..b9ec8ac
--- /dev/null
@@ -0,0 +1,86 @@
+From 34eee70a7b82b09dbda4cb453e0e21d460dae226 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 24 Oct 2016 17:22:01 +0200
+Subject: staging: iio: ad5933: avoid uninitialized variable in error case
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 34eee70a7b82b09dbda4cb453e0e21d460dae226 upstream.
+
+The ad5933_i2c_read function returns an error code to indicate
+whether it could read data or not. However ad5933_work() ignores
+this return code and just accesses the data unconditionally,
+which gets detected by gcc as a possible bug:
+
+drivers/staging/iio/impedance-analyzer/ad5933.c: In function 'ad5933_work':
+drivers/staging/iio/impedance-analyzer/ad5933.c:649:16: warning: 'status' may be used uninitialized in this function [-Wmaybe-uninitialized]
+
+This adds minimal error handling so we only evaluate the
+data if it was correctly read.
+
+Link: https://patchwork.kernel.org/patch/8110281/
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/iio/impedance-analyzer/ad5933.c |   17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/drivers/staging/iio/impedance-analyzer/ad5933.c
++++ b/drivers/staging/iio/impedance-analyzer/ad5933.c
+@@ -655,6 +655,7 @@ static void ad5933_work(struct work_stru
+       __be16 buf[2];
+       int val[2];
+       unsigned char status;
++      int ret;
+       mutex_lock(&indio_dev->mlock);
+       if (st->state == AD5933_CTRL_INIT_START_FREQ) {
+@@ -662,19 +663,22 @@ static void ad5933_work(struct work_stru
+               ad5933_cmd(st, AD5933_CTRL_START_SWEEP);
+               st->state = AD5933_CTRL_START_SWEEP;
+               schedule_delayed_work(&st->work, st->poll_time_jiffies);
+-              mutex_unlock(&indio_dev->mlock);
+-              return;
++              goto out;
+       }
+-      ad5933_i2c_read(st->client, AD5933_REG_STATUS, 1, &status);
++      ret = ad5933_i2c_read(st->client, AD5933_REG_STATUS, 1, &status);
++      if (ret)
++              goto out;
+       if (status & AD5933_STAT_DATA_VALID) {
+               int scan_count = bitmap_weight(indio_dev->active_scan_mask,
+                                              indio_dev->masklength);
+-              ad5933_i2c_read(st->client,
++              ret = ad5933_i2c_read(st->client,
+                               test_bit(1, indio_dev->active_scan_mask) ?
+                               AD5933_REG_REAL_DATA : AD5933_REG_IMAG_DATA,
+                               scan_count * 2, (u8 *)buf);
++              if (ret)
++                      goto out;
+               if (scan_count == 2) {
+                       val[0] = be16_to_cpu(buf[0]);
+@@ -686,8 +690,7 @@ static void ad5933_work(struct work_stru
+       } else {
+               /* no data available - try again later */
+               schedule_delayed_work(&st->work, st->poll_time_jiffies);
+-              mutex_unlock(&indio_dev->mlock);
+-              return;
++              goto out;
+       }
+       if (status & AD5933_STAT_SWEEP_DONE) {
+@@ -700,7 +703,7 @@ static void ad5933_work(struct work_stru
+               ad5933_cmd(st, AD5933_CTRL_INC_FREQ);
+               schedule_delayed_work(&st->work, st->poll_time_jiffies);
+       }
+-
++out:
+       mutex_unlock(&indio_dev->mlock);
+ }
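Review bot: Both new `if (ret) goto out;` paths in ad5933_work() leave silently: the work is not rescheduled, `st->state` is left as it was, and nothing is logged, so a transient I2C error stops the sweep without a trace. I would at least report it before the `goto out`, e.g. `dev_err(&st->client->dev, "status read failed: %d\n", ret);`, assuming `st->client` is the I2C client as the call sites suggest. The code should then decide explicitly whether to retry via schedule_delayed_work() or abort the sweep. Separately, the second read stores `scan_count * 2` bytes into the four-byte `buf`; that is safe only while at most two scan bits can be set, which is not visible in these hunks.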
diff --git a/queue-4.8/staging-nvec-remove-managed-resource-from-ps2-driver.patch b/queue-4.8/staging-nvec-remove-managed-resource-from-ps2-driver.patch
new file mode 100644 (file)
index 0000000..ced9cb0
--- /dev/null
@@ -0,0 +1,33 @@
+From 68fae2f3df455f53d0dfe33483a49020b3b758f3 Mon Sep 17 00:00:00 2001
+From: Marc Dietrich <marvin24@gmx.de>
+Date: Tue, 1 Nov 2016 13:59:40 +0100
+Subject: staging: nvec: remove managed resource from PS2 driver
+
+From: Marc Dietrich <marvin24@gmx.de>
+
+commit 68fae2f3df455f53d0dfe33483a49020b3b758f3 upstream.
+
+This basicly reverts commit e534f3e9 (staging:nvec: Introduce the use of
+the managed version of kzalloc). Serio struct should never by managed
+because it is refcounted. Doing so will lead to a double free oops on module
+remove.
+
+Signed-off-by: Marc Dietrich <marvin24@gmx.de>
+Fixes: e534f3e9429f ("staging:nvec: Introduce the use of the managed version of kzalloc")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/nvec/nvec_ps2.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/nvec/nvec_ps2.c
++++ b/drivers/staging/nvec/nvec_ps2.c
+@@ -107,7 +107,7 @@ static int nvec_mouse_probe(struct platf
+       struct nvec_chip *nvec = dev_get_drvdata(pdev->dev.parent);
+       struct serio *ser_dev;
+-      ser_dev = devm_kzalloc(&pdev->dev, sizeof(struct serio), GFP_KERNEL);
++      ser_dev = kzalloc(sizeof(struct serio), GFP_KERNEL);
+       if (!ser_dev)
+               return -ENOMEM;
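Review bot: With the allocation in nvec_mouse_probe() no longer device-managed, every failure path between this kzalloc() and the registration of the serio port has to free `ser_dev` by hand. Those paths are outside the hunk and should be checked so the double free is not traded for a leak. A comment would also keep the devm conversion from being reapplied, e.g. `/* not devm: struct serio is refcounted and must not be freed by devres */`. As a style point, `kzalloc(sizeof(*ser_dev), GFP_KERNEL)` ties the size to the variable rather than to the type name.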
diff --git a/queue-4.8/staging-sm750fb-fix-bugs-introduced-by-early-commits.patch b/queue-4.8/staging-sm750fb-fix-bugs-introduced-by-early-commits.patch
new file mode 100644 (file)
index 0000000..779c937
--- /dev/null
@@ -0,0 +1,43 @@
+From 33c027ae3cfd8fefb6cccccc5c6b2c07d80891ce Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Thu, 3 Nov 2016 12:48:43 +0800
+Subject: staging: sm750fb: Fix bugs introduced by early commits
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit 33c027ae3cfd8fefb6cccccc5c6b2c07d80891ce upstream.
+
+Early commit 30ca5cb63c56965 ("staging: sm750fb: change definition of
+PANEL_PLANE_TL fields") and 27b047bbe1ee9c0 ("staging: sm750fb: change
+definition of PANEL_PLANE_BR fields") modify the register bit fields
+definitions. But the modifications are wrong, because the bit mask of
+"bit field 10:0" is not 0xeff, but 0x7ff. The wrong definition bugs
+makes display very strange.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/sm750fb/ddk750_reg.h |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/staging/sm750fb/ddk750_reg.h
++++ b/drivers/staging/sm750fb/ddk750_reg.h
+@@ -601,13 +601,13 @@
+ #define PANEL_PLANE_TL                                0x08001C
+ #define PANEL_PLANE_TL_TOP_SHIFT                      16
+-#define PANEL_PLANE_TL_TOP_MASK                       (0xeff << 16)
+-#define PANEL_PLANE_TL_LEFT_MASK                      0xeff
++#define PANEL_PLANE_TL_TOP_MASK                       (0x7ff << 16)
++#define PANEL_PLANE_TL_LEFT_MASK                      0x7ff
+ #define PANEL_PLANE_BR                                0x080020
+ #define PANEL_PLANE_BR_BOTTOM_SHIFT                   16
+-#define PANEL_PLANE_BR_BOTTOM_MASK                    (0xeff << 16)
+-#define PANEL_PLANE_BR_RIGHT_MASK                     0xeff
++#define PANEL_PLANE_BR_BOTTOM_MASK                    (0x7ff << 16)
++#define PANEL_PLANE_BR_RIGHT_MASK                     0x7ff
+ #define PANEL_HORIZONTAL_TOTAL                        0x080024
+ #define PANEL_HORIZONTAL_TOTAL_TOTAL_SHIFT            16
diff --git a/queue-4.8/swapfile-fix-memory-corruption-via-malformed-swapfile.patch b/queue-4.8/swapfile-fix-memory-corruption-via-malformed-swapfile.patch
new file mode 100644 (file)
index 0000000..c699c9a
--- /dev/null
@@ -0,0 +1,45 @@
+From dd111be69114cc867f8e826284559bfbc1c40e37 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jann@thejh.net>
+Date: Thu, 10 Nov 2016 10:46:19 -0800
+Subject: swapfile: fix memory corruption via malformed swapfile
+
+From: Jann Horn <jann@thejh.net>
+
+commit dd111be69114cc867f8e826284559bfbc1c40e37 upstream.
+
+When root activates a swap partition whose header has the wrong
+endianness, nr_badpages elements of badpages are swabbed before
+nr_badpages has been checked, leading to a buffer overrun of up to 8GB.
+
+This normally is not a security issue because it can only be exploited
+by root (more specifically, a process with CAP_SYS_ADMIN or the ability
+to modify a swap file/partition), and such a process can already e.g.
+modify swapped-out memory of any other userspace process on the system.
+
+Link: http://lkml.kernel.org/r/1477949533-2509-1-git-send-email-jann@thejh.net
+Signed-off-by: Jann Horn <jann@thejh.net>
+Acked-by: Kees Cook <keescook@chromium.org>
+Acked-by: Jerome Marchand <jmarchan@redhat.com>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Hugh Dickins <hughd@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/swapfile.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/swapfile.c
++++ b/mm/swapfile.c
+@@ -2218,6 +2218,8 @@ static unsigned long read_swap_header(st
+               swab32s(&swap_header->info.version);
+               swab32s(&swap_header->info.last_page);
+               swab32s(&swap_header->info.nr_badpages);
++              if (swap_header->info.nr_badpages > MAX_SWAP_BADPAGES)
++                      return 0;
+               for (i = 0; i < swap_header->info.nr_badpages; i++)
+                       swab32s(&swap_header->info.badpages[i]);
+       }
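Review bot: The new bound on `nr_badpages` in read_swap_header() sits inside the byte-swap branch only, so a native-endian header depends on a separate check further down the function, outside this hunk. It is worth confirming that this check runs before `badpages[]` is indexed. The early `return 0` also rejects the header without a message, so an administrator sees only a failed swapon; a `pr_warn()` naming the oversized bad-page count would help diagnosis. A comment such as `/* nr_badpages comes from the on-disk header: bound it before using it as a loop limit */` would document why the check must stay ahead of the loop.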
diff --git a/queue-4.8/toshiba-wmi-fix-loading-the-driver-on-non-toshiba-laptops.patch b/queue-4.8/toshiba-wmi-fix-loading-the-driver-on-non-toshiba-laptops.patch
new file mode 100644 (file)
index 0000000..5d52653
--- /dev/null
@@ -0,0 +1,110 @@
+From 1c80e9603fe8341ed5bea696747d07083d5e0476 Mon Sep 17 00:00:00 2001
+From: Azael Avalos <coproscefalo@gmail.com>
+Date: Thu, 25 Aug 2016 12:50:55 -0600
+Subject: toshiba-wmi: Fix loading the driver on non Toshiba laptops
+
+From: Azael Avalos <coproscefalo@gmail.com>
+
+commit 1c80e9603fe8341ed5bea696747d07083d5e0476 upstream.
+
+Bug 150611 uncovered that the WMI ID used by the toshiba-wmi driver
+is not Toshiba specific, and as such, the driver was being loaded
+on non Toshiba laptops too.
+
+This patch adds a DMI matching list checking for TOSHIBA as the
+vendor, refusing to load if it is not.
+
+Also the WMI GUID was renamed, dropping the TOSHIBA_ prefix, to
+better reflect that such GUID is not a Toshiba specific one.
+
+Signed-off-by: Azael Avalos <coproscefalo@gmail.com>
+Signed-off-by: Darren Hart <dvhart@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/platform/x86/toshiba-wmi.c |   26 +++++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 7 deletions(-)
+
+--- a/drivers/platform/x86/toshiba-wmi.c
++++ b/drivers/platform/x86/toshiba-wmi.c
+@@ -24,14 +24,15 @@
+ #include <linux/acpi.h>
+ #include <linux/input.h>
+ #include <linux/input/sparse-keymap.h>
++#include <linux/dmi.h>
+ MODULE_AUTHOR("Azael Avalos");
+ MODULE_DESCRIPTION("Toshiba WMI Hotkey Driver");
+ MODULE_LICENSE("GPL");
+-#define TOSHIBA_WMI_EVENT_GUID        "59142400-C6A3-40FA-BADB-8A2652834100"
++#define WMI_EVENT_GUID        "59142400-C6A3-40FA-BADB-8A2652834100"
+-MODULE_ALIAS("wmi:"TOSHIBA_WMI_EVENT_GUID);
++MODULE_ALIAS("wmi:"WMI_EVENT_GUID);
+ static struct input_dev *toshiba_wmi_input_dev;
+@@ -63,6 +64,16 @@ static void toshiba_wmi_notify(u32 value
+       kfree(response.pointer);
+ }
++static struct dmi_system_id toshiba_wmi_dmi_table[] __initdata = {
++      {
++              .ident = "Toshiba laptop",
++              .matches = {
++                      DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
++              },
++      },
++      {}
++};
++
+ static int __init toshiba_wmi_input_setup(void)
+ {
+       acpi_status status;
+@@ -81,7 +92,7 @@ static int __init toshiba_wmi_input_setu
+       if (err)
+               goto err_free_dev;
+-      status = wmi_install_notify_handler(TOSHIBA_WMI_EVENT_GUID,
++      status = wmi_install_notify_handler(WMI_EVENT_GUID,
+                                           toshiba_wmi_notify, NULL);
+       if (ACPI_FAILURE(status)) {
+               err = -EIO;
+@@ -95,7 +106,7 @@ static int __init toshiba_wmi_input_setu
+       return 0;
+  err_remove_notifier:
+-      wmi_remove_notify_handler(TOSHIBA_WMI_EVENT_GUID);
++      wmi_remove_notify_handler(WMI_EVENT_GUID);
+  err_free_keymap:
+       sparse_keymap_free(toshiba_wmi_input_dev);
+  err_free_dev:
+@@ -105,7 +116,7 @@ static int __init toshiba_wmi_input_setu
+ static void toshiba_wmi_input_destroy(void)
+ {
+-      wmi_remove_notify_handler(TOSHIBA_WMI_EVENT_GUID);
++      wmi_remove_notify_handler(WMI_EVENT_GUID);
+       sparse_keymap_free(toshiba_wmi_input_dev);
+       input_unregister_device(toshiba_wmi_input_dev);
+ }
+@@ -114,7 +125,8 @@ static int __init toshiba_wmi_init(void)
+ {
+       int ret;
+-      if (!wmi_has_guid(TOSHIBA_WMI_EVENT_GUID))
++      if (!wmi_has_guid(WMI_EVENT_GUID) ||
++          !dmi_check_system(toshiba_wmi_dmi_table))
+               return -ENODEV;
+       ret = toshiba_wmi_input_setup();
+@@ -130,7 +142,7 @@ static int __init toshiba_wmi_init(void)
+ static void __exit toshiba_wmi_exit(void)
+ {
+-      if (wmi_has_guid(TOSHIBA_WMI_EVENT_GUID))
++      if (wmi_has_guid(WMI_EVENT_GUID))
+               toshiba_wmi_input_destroy();
+ }
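Review bot: The new `toshiba_wmi_dmi_table[]` is never written, so it should be declared `static const struct dmi_system_id toshiba_wmi_dmi_table[] __initconst` rather than as a writable `__initdata` array. The table is only consulted from toshiba_wmi_init(), which is itself `__init`, so the init-section placement is otherwise fine. toshiba_wmi_exit() still tests only `wmi_has_guid()`. That is harmless because the exit handler runs only after a successful init, but a one-line comment there would save the next reader from re-deriving it.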
diff --git a/queue-4.8/usb-cdc-acm-fix-tiocmiwait.patch b/queue-4.8/usb-cdc-acm-fix-tiocmiwait.patch
new file mode 100644 (file)
index 0000000..910c96a
--- /dev/null
@@ -0,0 +1,36 @@
+From 18266403f3fe507f0246faa1d5432333a2f139ca Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 8 Nov 2016 13:10:57 +0100
+Subject: USB: cdc-acm: fix TIOCMIWAIT
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 18266403f3fe507f0246faa1d5432333a2f139ca upstream.
+
+The TIOCMIWAIT implementation would return -EINVAL if any of the three
+supported signals were included in the mask.
+
+Instead of returning an error in case TIOCM_CTS is included, simply
+drop the mask check completely, which is in accordance with how other
+drivers implement this ioctl.
+
+Fixes: 5a6a62bdb925 ("cdc-acm: add TIOCMIWAIT")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -946,8 +946,6 @@ static int wait_serial_change(struct acm
+       DECLARE_WAITQUEUE(wait, current);
+       struct async_icount old, new;
+-      if (arg & (TIOCM_DSR | TIOCM_RI | TIOCM_CD))
+-              return -EINVAL;
+       do {
+               spin_lock_irq(&acm->read_lock);
+               old = acm->oldcount;
diff --git a/queue-4.8/usb-dwc3-fix-error-handling-for-core-init.patch b/queue-4.8/usb-dwc3-fix-error-handling-for-core-init.patch
new file mode 100644 (file)
index 0000000..748abc7
--- /dev/null
@@ -0,0 +1,45 @@
+From 9b9d7cdd0a20a8c26a022604580f93516ad69c36 Mon Sep 17 00:00:00 2001
+From: Vivek Gautam <vivek.gautam@codeaurora.org>
+Date: Fri, 21 Oct 2016 16:21:07 +0530
+Subject: usb: dwc3: Fix error handling for core init
+
+From: Vivek Gautam <vivek.gautam@codeaurora.org>
+
+commit 9b9d7cdd0a20a8c26a022604580f93516ad69c36 upstream.
+
+Fixing the sequence of events in dwc3_core_init() error exit path.
+dwc3_core_exit() call is also removed from the error path since,
+whatever it's doing is already done.
+
+Fixes: c499ff7 usb: dwc3: core: re-factor init and exit paths
+
+Cc: Felipe Balbi <felipe.balbi@linux.intel.com>
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Signed-off-by: Vivek Gautam <vivek.gautam@codeaurora.org>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/core.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -669,15 +669,14 @@ static int dwc3_core_init(struct dwc3 *d
+       return 0;
+ err4:
+-      phy_power_off(dwc->usb2_generic_phy);
++      phy_power_off(dwc->usb3_generic_phy);
+ err3:
+-      phy_power_off(dwc->usb3_generic_phy);
++      phy_power_off(dwc->usb2_generic_phy);
+ err2:
+       usb_phy_set_suspend(dwc->usb2_phy, 1);
+       usb_phy_set_suspend(dwc->usb3_phy, 1);
+-      dwc3_core_exit(dwc);
+ err1:
+       usb_phy_shutdown(dwc->usb2_phy);
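Review bot: The numbered labels `err4:` to `err1:` in the dwc3_core_init() exit path do not say what each one undoes, which makes an ordering mistake like the one corrected here easy to miss in review. A short comment at each label would document the pairing, for example `/* undo phy_power_on(dwc->usb3_generic_phy) */` above `err4:` and `/* undo phy_power_on(dwc->usb2_generic_phy) */` above `err3:`. The matching power-on calls and `goto` sites lie outside the hunk, so the pairing should be confirmed against them before the comments are added. The description's "whatever it's doing is already done" for the dropped `dwc3_core_exit(dwc)` call would also be better stated concretely; presumably the remaining labels already perform the same PHY teardown, so the call repeated it, but the rest of the function is not visible here.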
diff --git a/queue-4.8/usb-gadget-u_ether-remove-interrupt-throttling.patch b/queue-4.8/usb-gadget-u_ether-remove-interrupt-throttling.patch
new file mode 100644 (file)
index 0000000..57453cb
--- /dev/null
@@ -0,0 +1,50 @@
+From fd9afd3cbe404998d732be6cc798f749597c5114 Mon Sep 17 00:00:00 2001
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+Date: Tue, 1 Nov 2016 13:20:22 +0200
+Subject: usb: gadget: u_ether: remove interrupt throttling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+
+commit fd9afd3cbe404998d732be6cc798f749597c5114 upstream.
+
+According to Dave Miller "the networking stack has a
+hard requirement that all SKBs which are transmitted
+must have their completion signalled in a fininte
+amount of time. This is because, until the SKB is
+freed by the driver, it holds onto socket,
+netfilter, and other subsystem resources."
+
+In summary, this means that using TX IRQ throttling
+for the networking gadgets is, at least, complex and
+we should avoid it for the time being.
+
+Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Tested-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Suggested-by: David Miller <davem@davemloft.net>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/u_ether.c |    8 --------
+ 1 file changed, 8 deletions(-)
+
+--- a/drivers/usb/gadget/function/u_ether.c
++++ b/drivers/usb/gadget/function/u_ether.c
+@@ -585,14 +585,6 @@ static netdev_tx_t eth_start_xmit(struct
+       req->length = length;
+-      /* throttle high/super speed IRQ rate back slightly */
+-      if (gadget_is_dualspeed(dev->gadget))
+-              req->no_interrupt = (((dev->gadget->speed == USB_SPEED_HIGH ||
+-                                     dev->gadget->speed == USB_SPEED_SUPER)) &&
+-                                      !list_empty(&dev->tx_reqs))
+-                      ? ((atomic_read(&dev->tx_qlen) % dev->qmult) != 0)
+-                      : 0;
+-
+       retval = usb_ep_queue(in, req, GFP_ATOMIC);
+       switch (retval) {
+       default: