--- /dev/null
+From 1427228d5869f5804b03d47acfa4a88122572a78 Mon Sep 17 00:00:00 2001
+From: Kalle Valo <kvalo@qca.qualcomm.com>
+Date: Mon, 13 Feb 2017 12:38:39 +0200
+Subject: ath10k: fix napi crash during rmmod when probe firmware fails
+
+From: Kalle Valo <kvalo@qca.qualcomm.com>
+
+commit 1427228d5869f5804b03d47acfa4a88122572a78 upstream.
+
+This fixes the below crash when ath10k probe firmware fails, NAPI polling tries
+to access a rx ring resource which was never allocated. An easy way to
+reproduce this is easy to remove all the firmware files, load ath10k modules
+and ath10k will crash when calling 'rmmod ath10k_pci'. The fix is to call
+napi_enable() from ath10k_pci_hif_start() so that it matches with
+napi_disable() being called from ath10k_pci_hif_stop().
+
+Big thanks to Mohammed Shafi Shajakhan who debugged this and provided first
+version of the fix. In this patch I just fix the actual problem in pci.c
+instead of having a workaround in core.c.
+
+BUG: unable to handle kernel NULL pointer dereference at (null)
+IP: __ath10k_htt_rx_ring_fill_n+0x19/0x230 [ath10k_core]
+__ath10k_htt_rx_ring_fill_n+0x19/0x230 [ath10k_core]
+
+Call Trace:
+
+[<ffffffffa113ec62>] ath10k_htt_rx_msdu_buff_replenish+0x42/0x90
+[ath10k_core]
+[<ffffffffa113f393>] ath10k_htt_txrx_compl_task+0x433/0x17d0
+[ath10k_core]
+[<ffffffff8114406d>] ? __wake_up_common+0x4d/0x80
+[<ffffffff811349ec>] ? cpu_load_update+0xdc/0x150
+[<ffffffffa119301d>] ? ath10k_pci_read32+0xd/0x10 [ath10k_pci]
+[<ffffffffa1195b17>] ath10k_pci_napi_poll+0x47/0x110 [ath10k_pci]
+[<ffffffff817863af>] net_rx_action+0x20f/0x370
+
+Reported-by: Ben Greear <greearb@candelatech.com>
+Fixes: 3c97f5de1f28 ("ath10k: implement NAPI support")
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath10k/pci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/pci.c
++++ b/drivers/net/wireless/ath/ath10k/pci.c
+@@ -1647,6 +1647,8 @@ static int ath10k_pci_hif_start(struct a
+
+ ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot hif start\n");
+
++ napi_enable(&ar->napi);
++
+ ath10k_pci_irq_enable(ar);
+ ath10k_pci_rx_post(ar);
+
+@@ -2531,7 +2533,6 @@ static int ath10k_pci_hif_power_up(struc
+ ath10k_err(ar, "could not wake up target CPU: %d\n", ret);
+ goto err_ce;
+ }
+- napi_enable(&ar->napi);
+
+ return 0;
+
--- /dev/null
+From 5cda3ee5138e91ac369ed9d0b55eab0dab077686 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Sun, 4 Jun 2017 14:03:42 +0200
+Subject: can: gs_usb: fix memory leak in gs_cmd_reset()
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 5cda3ee5138e91ac369ed9d0b55eab0dab077686 upstream.
+
+This patch adds the missing kfree() in gs_cmd_reset() to free the
+memory that is not used anymore after usb_control_msg().
+
+Cc: Maximilian Schneider <max@schneidersoft.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/gs_usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -265,6 +265,8 @@ static int gs_cmd_reset(struct gs_usb *g
+ sizeof(*dm),
+ 1000);
+
++ kfree(dm);
++
+ return rc;
+ }
+
--- /dev/null
+From ba80aa909c99802c428682c352b0ee0baac0acd3 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Thu, 8 Jun 2017 04:51:54 +0000
+Subject: configfs: Fix race between create_link and configfs_rmdir
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit ba80aa909c99802c428682c352b0ee0baac0acd3 upstream.
+
+This patch closes a long standing race in configfs between
+the creation of a new symlink in create_link(), while the
+symlink target's config_item is being concurrently removed
+via configfs_rmdir().
+
+This can happen because the symlink target's reference
+is obtained by config_item_get() in create_link() before
+the CONFIGFS_USET_DROPPING bit set by configfs_detach_prep()
+during configfs_rmdir() shutdown is actually checked..
+
+This originally manifested itself on ppc64 on v4.8.y under
+heavy load using ibmvscsi target ports with Novalink API:
+
+[ 7877.289863] rpadlpar_io: slot U8247.22L.212A91A-V1-C8 added
+[ 7879.893760] ------------[ cut here ]------------
+[ 7879.893768] WARNING: CPU: 15 PID: 17585 at ./include/linux/kref.h:46 config_item_get+0x7c/0x90 [configfs]
+[ 7879.893811] CPU: 15 PID: 17585 Comm: targetcli Tainted: G O 4.8.17-customv2.22 #12
+[ 7879.893812] task: c00000018a0d3400 task.stack: c0000001f3b40000
+[ 7879.893813] NIP: d000000002c664ec LR: d000000002c60980 CTR: c000000000b70870
+[ 7879.893814] REGS: c0000001f3b43810 TRAP: 0700 Tainted: G O (4.8.17-customv2.22)
+[ 7879.893815] MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE> CR: 28222242 XER: 00000000
+[ 7879.893820] CFAR: d000000002c664bc SOFTE: 1
+ GPR00: d000000002c60980 c0000001f3b43a90 d000000002c70908 c0000000fbc06820
+ GPR04: c0000001ef1bd900 0000000000000004 0000000000000001 0000000000000000
+ GPR08: 0000000000000000 0000000000000001 d000000002c69560 d000000002c66d80
+ GPR12: c000000000b70870 c00000000e798700 c0000001f3b43ca0 c0000001d4949d40
+ GPR16: c00000014637e1c0 0000000000000000 0000000000000000 c0000000f2392940
+ GPR20: c0000001f3b43b98 0000000000000041 0000000000600000 0000000000000000
+ GPR24: fffffffffffff000 0000000000000000 d000000002c60be0 c0000001f1dac490
+ GPR28: 0000000000000004 0000000000000000 c0000001ef1bd900 c0000000f2392940
+[ 7879.893839] NIP [d000000002c664ec] config_item_get+0x7c/0x90 [configfs]
+[ 7879.893841] LR [d000000002c60980] check_perm+0x80/0x2e0 [configfs]
+[ 7879.893842] Call Trace:
+[ 7879.893844] [c0000001f3b43ac0] [d000000002c60980] check_perm+0x80/0x2e0 [configfs]
+[ 7879.893847] [c0000001f3b43b10] [c000000000329770] do_dentry_open+0x2c0/0x460
+[ 7879.893849] [c0000001f3b43b70] [c000000000344480] path_openat+0x210/0x1490
+[ 7879.893851] [c0000001f3b43c80] [c00000000034708c] do_filp_open+0xfc/0x170
+[ 7879.893853] [c0000001f3b43db0] [c00000000032b5bc] do_sys_open+0x1cc/0x390
+[ 7879.893856] [c0000001f3b43e30] [c000000000009584] system_call+0x38/0xec
+[ 7879.893856] Instruction dump:
+[ 7879.893858] 409d0014 38210030 e8010010 7c0803a6 4e800020 3d220000 e94981e0 892a0000
+[ 7879.893861] 2f890000 409effe0 39200001 992a0000 <0fe00000> 4bffffd0 60000000 60000000
+[ 7879.893866] ---[ end trace 14078f0b3b5ad0aa ]---
+
+To close this race, go ahead and obtain the symlink's target
+config_item reference only after the existing CONFIGFS_USET_DROPPING
+check succeeds.
+
+This way, if configfs_rmdir() wins create_link() will return -ENONET,
+and if create_link() wins configfs_rmdir() will return -EBUSY.
+
+Reported-by: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
+Tested-by: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/configfs/symlink.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/configfs/symlink.c
++++ b/fs/configfs/symlink.c
+@@ -83,14 +83,13 @@ static int create_link(struct config_ite
+ ret = -ENOMEM;
+ sl = kmalloc(sizeof(struct configfs_symlink), GFP_KERNEL);
+ if (sl) {
+- sl->sl_target = config_item_get(item);
+ spin_lock(&configfs_dirent_lock);
+ if (target_sd->s_type & CONFIGFS_USET_DROPPING) {
+ spin_unlock(&configfs_dirent_lock);
+- config_item_put(item);
+ kfree(sl);
+ return -ENOENT;
+ }
++ sl->sl_target = config_item_get(item);
+ list_add(&sl->sl_list, &target_sd->s_links);
+ spin_unlock(&configfs_dirent_lock);
+ ret = configfs_create_link(sl, parent_item->ci_dentry,
--- /dev/null
+From b8e11f7d2791bd9320be1c6e772a60b2aa093e45 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tomasz=20Wilczy=C5=84ski?= <twilczynski@naver.com>
+Date: Sun, 11 Jun 2017 17:28:39 +0900
+Subject: cpufreq: conservative: Allow down_threshold to take values from 1 to 10
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tomasz Wilczyński <twilczynski@naver.com>
+
+commit b8e11f7d2791bd9320be1c6e772a60b2aa093e45 upstream.
+
+Commit 27ed3cd2ebf4 (cpufreq: conservative: Fix the logic in frequency
+decrease checking) removed the 10 point substraction when comparing the
+load against down_threshold but did not remove the related limit for the
+down_threshold value. As a result, down_threshold lower than 11 is not
+allowed even though values from 1 to 10 do work correctly too. The
+comment ("cannot be lower than 11 otherwise freq will not fall") also
+does not apply after removing the substraction.
+
+For this reason, allow down_threshold to take any value from 1 to 99
+and fix the related comment.
+
+Fixes: 27ed3cd2ebf4 (cpufreq: conservative: Fix the logic in frequency decrease checking)
+Signed-off-by: Tomasz Wilczyński <twilczynski@naver.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/cpufreq_conservative.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/cpufreq/cpufreq_conservative.c
++++ b/drivers/cpufreq/cpufreq_conservative.c
+@@ -169,8 +169,8 @@ static ssize_t store_down_threshold(stru
+ int ret;
+ ret = sscanf(buf, "%u", &input);
+
+- /* cannot be lower than 11 otherwise freq will not fall */
+- if (ret != 1 || input < 11 || input > 100 ||
++ /* cannot be lower than 1 otherwise freq will not fall */
++ if (ret != 1 || input < 1 || input > 100 ||
+ input >= dbs_data->up_threshold)
+ return -EINVAL;
+
--- /dev/null
+From 8128a31eaadbcdfa37774bbd28f3f00bac69996a Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 8 May 2017 15:55:17 -0700
+Subject: drivers/misc/c2port/c2port-duramar2150.c: checking for NULL instead of IS_ERR()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 8128a31eaadbcdfa37774bbd28f3f00bac69996a upstream.
+
+c2port_device_register() never returns NULL, it uses error pointers.
+
+Link: http://lkml.kernel.org/r/20170412083321.GC3250@mwanda
+Fixes: 65131cd52b9e ("c2port: add c2port support for Eurotech Duramar 2150")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Rodolfo Giometti <giometti@linux.it>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/c2port/c2port-duramar2150.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/misc/c2port/c2port-duramar2150.c
++++ b/drivers/misc/c2port/c2port-duramar2150.c
+@@ -129,8 +129,8 @@ static int __init duramar2150_c2port_ini
+
+ duramar2150_c2port_dev = c2port_device_register("uc",
+ &duramar2150_c2port_ops, NULL);
+- if (!duramar2150_c2port_dev) {
+- ret = -ENODEV;
++ if (IS_ERR(duramar2150_c2port_dev)) {
++ ret = PTR_ERR(duramar2150_c2port_dev);
+ goto free_region;
+ }
+
--- /dev/null
+From bea10413934dcf98cb9b2dfcdc56e1d28f192897 Mon Sep 17 00:00:00 2001
+From: Mario Kleiner <mario.kleiner.de@gmail.com>
+Date: Tue, 13 Jun 2017 07:17:10 +0200
+Subject: drm/amdgpu: Fix overflow of watermark calcs at > 4k resolutions.
+
+From: Mario Kleiner <mario.kleiner.de@gmail.com>
+
+commit bea10413934dcf98cb9b2dfcdc56e1d28f192897 upstream.
+
+Commit d63c277dc672e0
+("drm/amdgpu: Make display watermark calculations more accurate")
+made watermark calculations more accurate, but not for > 4k
+resolutions on 32-Bit architectures, as it introduced an integer
+overflow for those setups and resolutions.
+
+Fix this by proper u64 casting and division.
+
+Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
+Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Fixes: d63c277dc672 ("drm/amdgpu: Make display watermark calculations more accurate")
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 7 +++++--
+ drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 7 +++++--
+ drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 7 +++++--
+ drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 7 +++++--
+ 4 files changed, 20 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/dce_v10_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/dce_v10_0.c
+@@ -1290,8 +1290,11 @@ static void dce_v10_0_program_watermarks
+ u32 tmp, wm_mask, lb_vblank_lead_lines = 0;
+
+ if (amdgpu_crtc->base.enabled && num_heads && mode) {
+- active_time = 1000000UL * (u32)mode->crtc_hdisplay / (u32)mode->clock;
+- line_time = min((u32) (1000000UL * (u32)mode->crtc_htotal / (u32)mode->clock), (u32)65535);
++ active_time = (u32) div_u64((u64)mode->crtc_hdisplay * 1000000,
++ (u32)mode->clock);
++ line_time = (u32) div_u64((u64)mode->crtc_htotal * 1000000,
++ (u32)mode->clock);
++ line_time = min(line_time, (u32)65535);
+
+ /* watermark for high clocks */
+ if (adev->pm.dpm_enabled) {
+--- a/drivers/gpu/drm/amd/amdgpu/dce_v11_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/dce_v11_0.c
+@@ -1257,8 +1257,11 @@ static void dce_v11_0_program_watermarks
+ u32 tmp, wm_mask, lb_vblank_lead_lines = 0;
+
+ if (amdgpu_crtc->base.enabled && num_heads && mode) {
+- active_time = 1000000UL * (u32)mode->crtc_hdisplay / (u32)mode->clock;
+- line_time = min((u32) (1000000UL * (u32)mode->crtc_htotal / (u32)mode->clock), (u32)65535);
++ active_time = (u32) div_u64((u64)mode->crtc_hdisplay * 1000000,
++ (u32)mode->clock);
++ line_time = (u32) div_u64((u64)mode->crtc_htotal * 1000000,
++ (u32)mode->clock);
++ line_time = min(line_time, (u32)65535);
+
+ /* watermark for high clocks */
+ if (adev->pm.dpm_enabled) {
+--- a/drivers/gpu/drm/amd/amdgpu/dce_v6_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/dce_v6_0.c
+@@ -1054,8 +1054,11 @@ static void dce_v6_0_program_watermarks(
+ fixed20_12 a, b, c;
+
+ if (amdgpu_crtc->base.enabled && num_heads && mode) {
+- active_time = 1000000UL * (u32)mode->crtc_hdisplay / (u32)mode->clock;
+- line_time = min((u32) (1000000UL * (u32)mode->crtc_htotal / (u32)mode->clock), (u32)65535);
++ active_time = (u32) div_u64((u64)mode->crtc_hdisplay * 1000000,
++ (u32)mode->clock);
++ line_time = (u32) div_u64((u64)mode->crtc_htotal * 1000000,
++ (u32)mode->clock);
++ line_time = min(line_time, (u32)65535);
+ priority_a_cnt = 0;
+ priority_b_cnt = 0;
+
+--- a/drivers/gpu/drm/amd/amdgpu/dce_v8_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/dce_v8_0.c
+@@ -1211,8 +1211,11 @@ static void dce_v8_0_program_watermarks(
+ u32 tmp, wm_mask, lb_vblank_lead_lines = 0;
+
+ if (amdgpu_crtc->base.enabled && num_heads && mode) {
+- active_time = 1000000UL * (u32)mode->crtc_hdisplay / (u32)mode->clock;
+- line_time = min((u32) (1000000UL * (u32)mode->crtc_htotal / (u32)mode->clock), (u32)65535);
++ active_time = (u32) div_u64((u64)mode->crtc_hdisplay * 1000000,
++ (u32)mode->clock);
++ line_time = (u32) div_u64((u64)mode->crtc_htotal * 1000000,
++ (u32)mode->clock);
++ line_time = min(line_time, (u32)65535);
+
+ /* watermark for high clocks */
+ if (adev->pm.dpm_enabled) {
--- /dev/null
+From c380f681245d7ae57f17d9ebbbe8f8f1557ee1fb Mon Sep 17 00:00:00 2001
+From: Zhenyu Wang <zhenyuw@linux.intel.com>
+Date: Fri, 9 Jun 2017 15:48:05 +0800
+Subject: drm/i915: Fix GVT-g PVINFO version compatibility check
+
+From: Zhenyu Wang <zhenyuw@linux.intel.com>
+
+commit c380f681245d7ae57f17d9ebbbe8f8f1557ee1fb upstream.
+
+Current it's strictly checked if PVINFO version matches 1.0
+for GVT-g i915 guest which doesn't help for compatibility at
+all and forces GVT-g host can't extend PVINFO easily with version
+bump for real compatibility check.
+
+This fixes that to check minimal required PVINFO version instead.
+
+v2:
+- drop unneeded version macro
+- use only major version for sanity check
+
+v3:
+- fix up PVInfo value with kernel type
+- one indent fix
+
+Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Cc: Chuanxiao Dong <chuanxiao.dong@intel.com>
+Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20170609074805.5101-1-zhenyuw@linux.intel.com
+(cherry picked from commit 0c8792d00d38de85b6ceb1dd67d3ee009d7c8e42)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_pvinfo.h | 8 ++------
+ drivers/gpu/drm/i915/i915_vgpu.c | 10 ++++------
+ 2 files changed, 6 insertions(+), 12 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_pvinfo.h
++++ b/drivers/gpu/drm/i915/i915_pvinfo.h
+@@ -36,10 +36,6 @@
+ #define VGT_VERSION_MAJOR 1
+ #define VGT_VERSION_MINOR 0
+
+-#define INTEL_VGT_IF_VERSION_ENCODE(major, minor) ((major) << 16 | (minor))
+-#define INTEL_VGT_IF_VERSION \
+- INTEL_VGT_IF_VERSION_ENCODE(VGT_VERSION_MAJOR, VGT_VERSION_MINOR)
+-
+ /*
+ * notifications from guest to vgpu device model
+ */
+@@ -55,8 +51,8 @@ enum vgt_g2v_type {
+
+ struct vgt_if {
+ u64 magic; /* VGT_MAGIC */
+- uint16_t version_major;
+- uint16_t version_minor;
++ u16 version_major;
++ u16 version_minor;
+ u32 vgt_id; /* ID of vGT instance */
+ u32 rsv1[12]; /* pad to offset 0x40 */
+ /*
+--- a/drivers/gpu/drm/i915/i915_vgpu.c
++++ b/drivers/gpu/drm/i915/i915_vgpu.c
+@@ -60,8 +60,8 @@
+ */
+ void i915_check_vgpu(struct drm_i915_private *dev_priv)
+ {
+- uint64_t magic;
+- uint32_t version;
++ u64 magic;
++ u16 version_major;
+
+ BUILD_BUG_ON(sizeof(struct vgt_if) != VGT_PVINFO_SIZE);
+
+@@ -69,10 +69,8 @@ void i915_check_vgpu(struct drm_i915_pri
+ if (magic != VGT_MAGIC)
+ return;
+
+- version = INTEL_VGT_IF_VERSION_ENCODE(
+- __raw_i915_read16(dev_priv, vgtif_reg(version_major)),
+- __raw_i915_read16(dev_priv, vgtif_reg(version_minor)));
+- if (version != INTEL_VGT_IF_VERSION) {
++ version_major = __raw_i915_read16(dev_priv, vgtif_reg(version_major));
++ if (version_major < VGT_VERSION_MAJOR) {
+ DRM_INFO("VGT interface version mismatch!\n");
+ return;
+ }
--- /dev/null
+From 014580ffab654bb83256783a2b185cf6c06dffaa Mon Sep 17 00:00:00 2001
+From: YYS <nickey.yang@rock-chips.com>
+Date: Tue, 21 Mar 2017 16:27:03 +0800
+Subject: drm/mediatek: fix mtk_hdmi_setup_vendor_specific_infoframe mistake
+
+From: YYS <nickey.yang@rock-chips.com>
+
+commit 014580ffab654bb83256783a2b185cf6c06dffaa upstream.
+
+mtk_hdmi_setup_vendor_specific_infoframe will return before handle
+mtk_hdmi_hw_send_info_frame.Because hdmi_vendor_infoframe_pack
+returns the number of bytes packed into the binary buffer or
+a negative error code on failure.
+So correct it.
+
+Fixes: 8f83f26891e1 ("drm/mediatek: Add HDMI support")
+Signed-off-by: Nickey Yang <nickey.yang@rock-chips.com>
+Signed-off-by: CK Hu <ck.hu@mediatek.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/mediatek/mtk_hdmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/mediatek/mtk_hdmi.c
++++ b/drivers/gpu/drm/mediatek/mtk_hdmi.c
+@@ -1061,7 +1061,7 @@ static int mtk_hdmi_setup_vendor_specifi
+ }
+
+ err = hdmi_vendor_infoframe_pack(&frame, buffer, sizeof(buffer));
+- if (err) {
++ if (err < 0) {
+ dev_err(hdmi->dev, "Failed to pack vendor infoframe: %zd\n",
+ err);
+ return err;
--- /dev/null
+From ca39b449f6d03e8235969f12f5dd25b8eb4304d6 Mon Sep 17 00:00:00 2001
+From: Eric Anholt <eric@anholt.net>
+Date: Wed, 1 Mar 2017 10:56:02 -0800
+Subject: drm/vc4: Fix OOPSes from trying to cache a partially constructed BO.
+
+From: Eric Anholt <eric@anholt.net>
+
+commit ca39b449f6d03e8235969f12f5dd25b8eb4304d6 upstream.
+
+If a CMA allocation failed, the partially constructed BO would be
+unreferenced through the normal path, and we might choose to put it in
+the BO cache. If we then reused it before it expired from the cache,
+the kernel would OOPS.
+
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Fixes: c826a6e10644 ("drm/vc4: Add a BO cache.")
+Reviewed-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20170301185602.6873-2-eric@anholt.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/vc4/vc4_bo.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/gpu/drm/vc4/vc4_bo.c
++++ b/drivers/gpu/drm/vc4/vc4_bo.c
+@@ -313,6 +313,14 @@ void vc4_free_object(struct drm_gem_obje
+ goto out;
+ }
+
++ /* If this object was partially constructed but CMA allocation
++ * had failed, just free it.
++ */
++ if (!bo->base.vaddr) {
++ vc4_bo_destroy(bo);
++ goto out;
++ }
++
+ cache_list = vc4_get_cache_list_for_size(dev, gem_bo->size);
+ if (!cache_list) {
+ vc4_bo_destroy(bo);
--- /dev/null
+From 20223f0f39ea9d31ece08f04ac79f8c4e8d98246 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Fri, 16 Jun 2017 11:08:24 +0200
+Subject: fs: pass on flags in compat_writev
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 20223f0f39ea9d31ece08f04ac79f8c4e8d98246 upstream.
+
+Fixes: 793b80ef14af ("vfs: pass a flags argument to vfs_readv/vfs_writev")
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/read_write.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/read_write.c
++++ b/fs/read_write.c
+@@ -1232,7 +1232,7 @@ static size_t compat_writev(struct file
+ if (!(file->f_mode & FMODE_CAN_WRITE))
+ goto out;
+
+- ret = compat_do_readv_writev(WRITE, file, vec, vlen, pos, 0);
++ ret = compat_do_readv_writev(WRITE, file, vec, vlen, pos, flags);
+
+ out:
+ if (ret > 0)
--- /dev/null
+From de8d6e02efbdb259c67832ccf027d7ace9b91d5d Mon Sep 17 00:00:00 2001
+From: Eli Cohen <eli@mellanox.com>
+Date: Tue, 3 Jan 2017 23:55:19 +0200
+Subject: IB/mlx5: Fix kernel to user leak prevention logic
+
+From: Eli Cohen <eli@mellanox.com>
+
+commit de8d6e02efbdb259c67832ccf027d7ace9b91d5d upstream.
+
+The logic was broken as it failed to update the response length for
+architectures with PAGE_SIZE larger than 4kB. As a result further
+extension of the ucontext response struct would fail.
+
+Fixes: d69e3bcf7976 ('IB/mlx5: Mmap the HCA's core clock register to user-space')
+Signed-off-by: Eli Cohen <eli@mellanox.com>
+Reviewed-by: Matan Barak <matanb@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/main.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -1105,13 +1105,13 @@ static struct ib_ucontext *mlx5_ib_alloc
+ * pretend we don't support reading the HCA's core clock. This is also
+ * forced by mmap function.
+ */
+- if (PAGE_SIZE <= 4096 &&
+- field_avail(typeof(resp), hca_core_clock_offset, udata->outlen)) {
+- resp.comp_mask |=
+- MLX5_IB_ALLOC_UCONTEXT_RESP_MASK_CORE_CLOCK_OFFSET;
+- resp.hca_core_clock_offset =
+- offsetof(struct mlx5_init_seg, internal_timer_h) %
+- PAGE_SIZE;
++ if (field_avail(typeof(resp), hca_core_clock_offset, udata->outlen)) {
++ if (PAGE_SIZE <= 4096) {
++ resp.comp_mask |=
++ MLX5_IB_ALLOC_UCONTEXT_RESP_MASK_CORE_CLOCK_OFFSET;
++ resp.hca_core_clock_offset =
++ offsetof(struct mlx5_init_seg, internal_timer_h) % PAGE_SIZE;
++ }
+ resp.response_length += sizeof(resp.hca_core_clock_offset) +
+ sizeof(resp.reserved2);
+ }
--- /dev/null
+From 5ba5b437efaa7a502eec393c045d3bf90c92c4e9 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 10 May 2017 08:51:09 +0300
+Subject: iio: adc: ti_am335x_adc: allocating too much in probe
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 5ba5b437efaa7a502eec393c045d3bf90c92c4e9 upstream.
+
+We should be allocating enough information for a tiadc_device struct
+which is about 400 bytes but instead we allocate enough for a second
+iio_dev struct which is over 2000 bytes.
+
+Fixes: fea89e2dfcea ("iio: adc: ti_am335x_adc: use variable names for sizeof() operator")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/ti_am335x_adc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/ti_am335x_adc.c
++++ b/drivers/iio/adc/ti_am335x_adc.c
+@@ -484,7 +484,7 @@ static int tiadc_probe(struct platform_d
+ return -EINVAL;
+ }
+
+- indio_dev = devm_iio_device_alloc(&pdev->dev, sizeof(*indio_dev));
++ indio_dev = devm_iio_device_alloc(&pdev->dev, sizeof(*adc_dev));
+ if (indio_dev == NULL) {
+ dev_err(&pdev->dev, "failed to allocate iio device\n");
+ return -ENOMEM;
--- /dev/null
+From 6272c0de13abf1480f701d38288f28a11b4301c4 Mon Sep 17 00:00:00 2001
+From: Matt Ranostay <matt.ranostay@konsulko.com>
+Date: Fri, 14 Apr 2017 16:38:19 -0700
+Subject: iio: proximity: as3935: recalibrate RCO after resume
+
+From: Matt Ranostay <matt.ranostay@konsulko.com>
+
+commit 6272c0de13abf1480f701d38288f28a11b4301c4 upstream.
+
+According to the datasheet the RCO must be recalibrated
+on every power-on-reset. Also remove mutex locking in the
+calibration function since callers other than the probe
+function (which doesn't need it) will have a lock.
+
+Fixes: 24ddb0e4bba4 ("iio: Add AS3935 lightning sensor support")
+Cc: George McCollister <george.mccollister@gmail.com>
+Signed-off-by: Matt Ranostay <matt.ranostay@konsulko.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/proximity/as3935.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/proximity/as3935.c
++++ b/drivers/iio/proximity/as3935.c
+@@ -269,8 +269,6 @@ static irqreturn_t as3935_interrupt_hand
+
+ static void calibrate_as3935(struct as3935_state *st)
+ {
+- mutex_lock(&st->lock);
+-
+ /* mask disturber interrupt bit */
+ as3935_write(st, AS3935_INT, BIT(5));
+
+@@ -280,8 +278,6 @@ static void calibrate_as3935(struct as39
+
+ mdelay(2);
+ as3935_write(st, AS3935_TUNE_CAP, (st->tune_cap / TUNE_CAP_DIV));
+-
+- mutex_unlock(&st->lock);
+ }
+
+ #ifdef CONFIG_PM_SLEEP
+@@ -318,6 +314,8 @@ static int as3935_resume(struct device *
+ val &= ~AS3935_AFE_PWR_BIT;
+ ret = as3935_write(st, AS3935_AFE_GAIN, val);
+
++ calibrate_as3935(st);
++
+ err_resume:
+ mutex_unlock(&st->lock);
+
--- /dev/null
+From 1b211d48abaa0e12e6e6177c0316ff55d11fdfce Mon Sep 17 00:00:00 2001
+From: Marcin Niestroj <m.niestroj@grinn-global.com>
+Date: Mon, 12 Dec 2016 17:58:42 +0100
+Subject: iio: st_pressure: Fix data sign
+
+From: Marcin Niestroj <m.niestroj@grinn-global.com>
+
+commit 1b211d48abaa0e12e6e6177c0316ff55d11fdfce upstream.
+
+Datasheet of each device (lps331ap, lps25h, lps001wp, lps22hb) says that
+the pressure and temperature data is a 2's complement.
+
+I'm sending this the slow way, as negative pressures on these are pretty
+unusual and the nature of the fixing of multiple device introduction patches
+will make it hard to apply to older kernels - Jonathan.
+
+Fixes: 217494e5b780 ("iio:pressure: Add STMicroelectronics pressures driver")
+Fixes: 2f5effcbd097 ("iio: pressure-core: st: Expand and rename LPS331AP's channel descriptor")
+Fixes: 7885a8ce6800 ("iio: pressure: st: Add support for new LPS001WP pressure sensor")
+Fixes: e039e2f5b4da ("iio:st_pressure:initial lps22hb sensor support")
+Signed-off-by: Marcin Niestroj <m.niestroj@grinn-global.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/pressure/st_pressure_core.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/iio/pressure/st_pressure_core.c
++++ b/drivers/iio/pressure/st_pressure_core.c
+@@ -227,7 +227,7 @@ static const struct iio_chan_spec st_pre
+ .address = ST_PRESS_1_OUT_XL_ADDR,
+ .scan_index = 0,
+ .scan_type = {
+- .sign = 'u',
++ .sign = 's',
+ .realbits = 24,
+ .storagebits = 32,
+ .endianness = IIO_LE,
+@@ -240,7 +240,7 @@ static const struct iio_chan_spec st_pre
+ .address = ST_TEMP_1_OUT_L_ADDR,
+ .scan_index = 1,
+ .scan_type = {
+- .sign = 'u',
++ .sign = 's',
+ .realbits = 16,
+ .storagebits = 16,
+ .endianness = IIO_LE,
+@@ -259,7 +259,7 @@ static const struct iio_chan_spec st_pre
+ .address = ST_PRESS_LPS001WP_OUT_L_ADDR,
+ .scan_index = 0,
+ .scan_type = {
+- .sign = 'u',
++ .sign = 's',
+ .realbits = 16,
+ .storagebits = 16,
+ .endianness = IIO_LE,
+@@ -273,7 +273,7 @@ static const struct iio_chan_spec st_pre
+ .address = ST_TEMP_LPS001WP_OUT_L_ADDR,
+ .scan_index = 1,
+ .scan_type = {
+- .sign = 'u',
++ .sign = 's',
+ .realbits = 16,
+ .storagebits = 16,
+ .endianness = IIO_LE,
+@@ -291,7 +291,7 @@ static const struct iio_chan_spec st_pre
+ .address = ST_PRESS_1_OUT_XL_ADDR,
+ .scan_index = 0,
+ .scan_type = {
+- .sign = 'u',
++ .sign = 's',
+ .realbits = 24,
+ .storagebits = 32,
+ .endianness = IIO_LE,
--- /dev/null
+From 0db47e3d323411beeb6ea97f2c4d19395c91fd8b Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 8 Jun 2017 09:54:24 +0200
+Subject: ila_xlat: add missing hash secret initialization
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 0db47e3d323411beeb6ea97f2c4d19395c91fd8b upstream.
+
+While discussing the possible merits of clang warning about unused initialized
+functions, I found one function that was clearly meant to be called but
+never actually is.
+
+__ila_hash_secret_init() initializes the hash value for the ila locator,
+apparently this is intended to prevent hash collision attacks, but this ends
+up being a read-only zero constant since there is no caller. I could find
+no indication of why it was never called, the earliest patch submission
+for the module already was like this. If my interpretation is right, we
+certainly want to backport the patch to stable kernels as well.
+
+I considered adding it to the ila_xlat_init callback, but for best effect
+the random data is read as late as possible, just before it is first used.
+The underlying net_get_random_once() is already highly optimized to avoid
+overhead when called frequently.
+
+Fixes: 7f00feaf1076 ("ila: Add generic ILA translation facility")
+Link: https://www.spinics.net/lists/kernel/msg2527243.html
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/ila/ila_xlat.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/ila/ila_xlat.c
++++ b/net/ipv6/ila/ila_xlat.c
+@@ -68,6 +68,7 @@ static inline u32 ila_locator_hash(struc
+ {
+ u32 *v = (u32 *)loc.v32;
+
++ __ila_hash_secret_init();
+ return jhash_2words(v[0], v[1], hashrnd);
+ }
+
--- /dev/null
+From 769dc04db3ed8484798aceb015b94deacc2ba557 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Thu, 8 Jun 2017 14:00:49 +0300
+Subject: mac80211: don't look at the PM bit of BAR frames
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 769dc04db3ed8484798aceb015b94deacc2ba557 upstream.
+
+When a peer sends a BAR frame with PM bit clear, we should
+not modify its PM state as madated by the spec in
+802.11-20012 10.2.1.2.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rx.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1585,12 +1585,16 @@ ieee80211_rx_h_sta_process(struct ieee80
+ */
+ if (!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS) &&
+ !ieee80211_has_morefrags(hdr->frame_control) &&
++ !ieee80211_is_back_req(hdr->frame_control) &&
+ !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
+ (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
+ rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
+- /* PM bit is only checked in frames where it isn't reserved,
++ /*
++ * PM bit is only checked in frames where it isn't reserved,
+ * in AP mode it's reserved in non-bufferable management frames
+ * (cf. IEEE 802.11-2012 8.2.4.1.7 Power Management field)
++ * BAR frames should be ignored as specified in
++ * IEEE 802.11-2012 10.2.1.2.
+ */
+ (!ieee80211_is_mgmt(hdr->frame_control) ||
+ ieee80211_is_bufferable_mmpdu(hdr->frame_control))) {
--- /dev/null
+From b3dd8279659f14f3624bb32559782d699fa6f7d1 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Sat, 10 Jun 2017 13:52:45 +0300
+Subject: mac80211: don't send SMPS action frame in AP mode when not needed
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit b3dd8279659f14f3624bb32559782d699fa6f7d1 upstream.
+
+mac80211 allows to modify the SMPS state of an AP both,
+when it is started, and after it has been started. Such a
+change will trigger an action frame to all the peers that
+are currently connected, and will be remembered so that
+new peers will get notified as soon as they connect (since
+the SMPS setting in the beacon may not be the right one).
+
+This means that we need to remember the SMPS state
+currently requested as well as the SMPS state that was
+configured initially (and advertised in the beacon).
+The former is bss->req_smps and the latter is
+sdata->smps_mode.
+
+Initially, the AP interface could only be started with
+SMPS_OFF, which means that sdata->smps_mode was SMPS_OFF
+always. Later, a nl80211 API was added to be able to start
+an AP with a different AP mode. That code forgot to update
+bss->req_smps and because of that, if the AP interface was
+started with SMPS_DYNAMIC, we had:
+ sdata->smps_mode = SMPS_DYNAMIC
+ bss->req_smps = SMPS_OFF
+
+That configuration made mac80211 think it needs to fire off
+an action frame to any new station connecting to the AP in
+order to let it know that the actual SMPS configuration is
+SMPS_OFF.
+
+Fix that by properly setting bss->req_smps in
+ieee80211_start_ap.
+
+Fixes: f69931748730 ("mac80211: set smps_mode according to ap params")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/cfg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -865,6 +865,8 @@ static int ieee80211_start_ap(struct wip
+ default:
+ return -EINVAL;
+ }
++ sdata->u.ap.req_smps = sdata->smps_mode;
++
+ sdata->needed_rx_chains = sdata->local->rx_chains;
+
+ mutex_lock(&local->mtx);
--- /dev/null
+From f181d6a3bcc35633facf5f3925699021c13492c5 Mon Sep 17 00:00:00 2001
+From: Koen Vandeputte <koen.vandeputte@ncentric.com>
+Date: Wed, 8 Feb 2017 15:32:05 +0100
+Subject: mac80211: fix CSA in IBSS mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Koen Vandeputte <koen.vandeputte@ncentric.com>
+
+commit f181d6a3bcc35633facf5f3925699021c13492c5 upstream.
+
+Add the missing IBSS capability flag during capability init as it needs
+to be inserted into the generated beacon in order for CSA to work.
+
+Fixes: cd7760e62c2ac ("mac80211: add support for CSA in IBSS mode")
+Signed-off-by: Piotr Gawlowicz <gawlowicz@tkn.tu-berlin.de>
+Signed-off-by: Mikołaj Chwalisz <chwalisz@tkn.tu-berlin.de>
+Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/ibss.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -487,14 +487,14 @@ int ieee80211_ibss_csa_beacon(struct iee
+ struct beacon_data *presp, *old_presp;
+ struct cfg80211_bss *cbss;
+ const struct cfg80211_bss_ies *ies;
+- u16 capability = 0;
++ u16 capability = WLAN_CAPABILITY_IBSS;
+ u64 tsf;
+ int ret = 0;
+
+ sdata_assert_lock(sdata);
+
+ if (ifibss->privacy)
+- capability = WLAN_CAPABILITY_PRIVACY;
++ capability |= WLAN_CAPABILITY_PRIVACY;
+
+ cbss = cfg80211_get_bss(sdata->local->hw.wiphy, ifibss->chandef.chan,
+ ifibss->bssid, ifibss->ssid,
--- /dev/null
+From e165bc02a02c70e40d5c811c705ba269aeca0497 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 1 Jun 2017 21:26:03 +0200
+Subject: mac80211: fix dropped counter in multiqueue RX
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit e165bc02a02c70e40d5c811c705ba269aeca0497 upstream.
+
+In the commit enabling per-CPU station statistics, I inadvertedly
+copy-pasted some code to update rx_packets and forgot to change it
+to update rx_dropped_misc. Fix that.
+
+This addresses https://bugzilla.kernel.org/show_bug.cgi?id=195953.
+
+Fixes: c9c5962b56c1 ("mac80211: enable collecting station statistics per-CPU")
+Reported-by: Petru-Florin Mihancea <petrum@gmail.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/sta_info.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -2148,7 +2148,7 @@ void sta_set_sinfo(struct sta_info *sta,
+ struct ieee80211_sta_rx_stats *cpurxs;
+
+ cpurxs = per_cpu_ptr(sta->pcpu_rx_stats, cpu);
+- sinfo->rx_packets += cpurxs->dropped;
++ sinfo->rx_dropped_misc += cpurxs->dropped;
+ }
+ }
+
--- /dev/null
+From f1f3e9e2a50a70de908f9dfe0d870e9cdc67e042 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 27 Apr 2017 13:19:04 +0200
+Subject: mac80211: fix IBSS presp allocation size
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit f1f3e9e2a50a70de908f9dfe0d870e9cdc67e042 upstream.
+
+When VHT IBSS support was added, the size of the extra elements
+wasn't considered in ieee80211_ibss_build_presp(), which makes
+it possible that it would overrun the allocated buffer. Fix it
+by allocating the necessary space.
+
+Fixes: abcff6ef01f9 ("mac80211: add VHT support for IBSS")
+Reported-by: Shaul Triebitz <shaul.triebitz@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/ibss.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -66,6 +66,8 @@ ieee80211_ibss_build_presp(struct ieee80
+ 2 + (IEEE80211_MAX_SUPP_RATES - 8) +
+ 2 + sizeof(struct ieee80211_ht_cap) +
+ 2 + sizeof(struct ieee80211_ht_operation) +
++ 2 + sizeof(struct ieee80211_vht_cap) +
++ 2 + sizeof(struct ieee80211_vht_operation) +
+ ifibss->ie_len;
+ presp = kzalloc(sizeof(*presp) + frame_len, GFP_KERNEL);
+ if (!presp)
--- /dev/null
+From 0328edc77d4f35014b35f32b46be0a7e16aae74f Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 20 Feb 2017 08:59:16 +0100
+Subject: mac80211: fix packet statistics for fast-RX
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 0328edc77d4f35014b35f32b46be0a7e16aae74f upstream.
+
+When adding per-CPU statistics, which added statistics back
+to mac80211 for the fast-RX path, I evidently forgot to add
+the "stats->packets++" line. The reason for that is likely
+that I didn't see it since it's done in defragmentation for
+the regular RX path.
+
+Add the missing line to properly count received packets in
+the fast-RX case.
+
+Fixes: c9c5962b56c1 ("mac80211: enable collecting station statistics per-CPU")
+Reported-by: Oren Givon <oren.givon@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -3953,6 +3953,7 @@ static bool ieee80211_invoke_fast_rx(str
+ stats->last_rate = sta_stats_encode_rate(status);
+
+ stats->fragments++;
++ stats->packets++;
+
+ if (!(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
+ stats->last_signal = status->signal;
--- /dev/null
+From 5667c86acf021e6dcf02584408b4484a273ac68f Mon Sep 17 00:00:00 2001
+From: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
+Date: Sun, 14 May 2017 21:41:55 -0700
+Subject: mac80211: strictly check mesh address extension mode
+
+From: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
+
+commit 5667c86acf021e6dcf02584408b4484a273ac68f upstream.
+
+Mesh forwarding path checks for address extension mode to fetch
+appropriate proxied address and MPP address. Existing condition
+that looks for 6 address format is not strict enough so that
+frames with improper values are processed and invalid entries
+are added into MPP table. Fix that by adding a stricter check before
+processing the packet.
+
+Per IEEE Std 802.11s-2011 spec. Table 7-6g1 lists address extension
+mode 0x3 as reserved one. And also Table Table 9-13 does not specify
+0x3 as valid address field.
+
+Fixes: 9b395bc3be1c ("mac80211: verify that skb data is present")
+Signed-off-by: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rx.c | 3 ++-
+ net/wireless/util.c | 10 ++++++----
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2471,7 +2471,8 @@ ieee80211_rx_h_mesh_fwding(struct ieee80
+ if (is_multicast_ether_addr(hdr->addr1)) {
+ mpp_addr = hdr->addr3;
+ proxied_addr = mesh_hdr->eaddr1;
+- } else if (mesh_hdr->flags & MESH_FLAGS_AE_A5_A6) {
++ } else if ((mesh_hdr->flags & MESH_FLAGS_AE) ==
++ MESH_FLAGS_AE_A5_A6) {
+ /* has_a4 already checked in ieee80211_rx_mesh_check */
+ mpp_addr = hdr->addr4;
+ proxied_addr = mesh_hdr->eaddr2;
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -454,6 +454,8 @@ int ieee80211_data_to_8023_exthdr(struct
+ if (iftype == NL80211_IFTYPE_MESH_POINT)
+ skb_copy_bits(skb, hdrlen, &mesh_flags, 1);
+
++ mesh_flags &= MESH_FLAGS_AE;
++
+ switch (hdr->frame_control &
+ cpu_to_le16(IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) {
+ case cpu_to_le16(IEEE80211_FCTL_TODS):
+@@ -469,9 +471,9 @@ int ieee80211_data_to_8023_exthdr(struct
+ iftype != NL80211_IFTYPE_STATION))
+ return -1;
+ if (iftype == NL80211_IFTYPE_MESH_POINT) {
+- if (mesh_flags & MESH_FLAGS_AE_A4)
++ if (mesh_flags == MESH_FLAGS_AE_A4)
+ return -1;
+- if (mesh_flags & MESH_FLAGS_AE_A5_A6) {
++ if (mesh_flags == MESH_FLAGS_AE_A5_A6) {
+ skb_copy_bits(skb, hdrlen +
+ offsetof(struct ieee80211s_hdr, eaddr1),
+ tmp.h_dest, 2 * ETH_ALEN);
+@@ -487,9 +489,9 @@ int ieee80211_data_to_8023_exthdr(struct
+ ether_addr_equal(tmp.h_source, addr)))
+ return -1;
+ if (iftype == NL80211_IFTYPE_MESH_POINT) {
+- if (mesh_flags & MESH_FLAGS_AE_A5_A6)
++ if (mesh_flags == MESH_FLAGS_AE_A5_A6)
+ return -1;
+- if (mesh_flags & MESH_FLAGS_AE_A4)
++ if (mesh_flags == MESH_FLAGS_AE_A4)
+ skb_copy_bits(skb, hdrlen +
+ offsetof(struct ieee80211s_hdr, eaddr1),
+ tmp.h_source, ETH_ALEN);
--- /dev/null
+From 98c67d187db7808b1f3c95f2110dd4392d034182 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sat, 10 Jun 2017 04:59:12 +0200
+Subject: mac80211/wpa: use constant time memory comparison for MACs
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+commit 98c67d187db7808b1f3c95f2110dd4392d034182 upstream.
+
+Otherwise, we enable all sorts of forgeries via timing attack.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Cc: Johannes Berg <johannes@sipsolutions.net>
+Cc: linux-wireless@vger.kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/wpa.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/wpa.c
++++ b/net/mac80211/wpa.c
+@@ -17,6 +17,7 @@
+ #include <asm/unaligned.h>
+ #include <net/mac80211.h>
+ #include <crypto/aes.h>
++#include <crypto/algapi.h>
+
+ #include "ieee80211_i.h"
+ #include "michael.h"
+@@ -153,7 +154,7 @@ ieee80211_rx_h_michael_mic_verify(struct
+ data_len = skb->len - hdrlen - MICHAEL_MIC_LEN;
+ key = &rx->key->conf.key[NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY];
+ michael_mic(key, hdr, data, data_len, mic);
+- if (memcmp(mic, data + data_len, MICHAEL_MIC_LEN) != 0)
++ if (crypto_memneq(mic, data + data_len, MICHAEL_MIC_LEN))
+ goto mic_fail;
+
+ /* remove Michael MIC from payload */
+@@ -1047,7 +1048,7 @@ ieee80211_crypto_aes_cmac_decrypt(struct
+ bip_aad(skb, aad);
+ ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad,
+ skb->data + 24, skb->len - 24, mic);
+- if (memcmp(mic, mmie->mic, sizeof(mmie->mic)) != 0) {
++ if (crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))) {
+ key->u.aes_cmac.icverrors++;
+ return RX_DROP_UNUSABLE;
+ }
+@@ -1097,7 +1098,7 @@ ieee80211_crypto_aes_cmac_256_decrypt(st
+ bip_aad(skb, aad);
+ ieee80211_aes_cmac_256(key->u.aes_cmac.tfm, aad,
+ skb->data + 24, skb->len - 24, mic);
+- if (memcmp(mic, mmie->mic, sizeof(mmie->mic)) != 0) {
++ if (crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))) {
+ key->u.aes_cmac.icverrors++;
+ return RX_DROP_UNUSABLE;
+ }
+@@ -1201,7 +1202,7 @@ ieee80211_crypto_aes_gmac_decrypt(struct
+ if (ieee80211_aes_gmac(key->u.aes_gmac.tfm, aad, nonce,
+ skb->data + 24, skb->len - 24,
+ mic) < 0 ||
+- memcmp(mic, mmie->mic, sizeof(mmie->mic)) != 0) {
++ crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))) {
+ key->u.aes_gmac.icverrors++;
+ return RX_DROP_UNUSABLE;
+ }
--- /dev/null
+From 8b8a84c54aff4256d592dc18346c65ecf6811b45 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Sat, 15 Apr 2017 10:05:08 -0700
+Subject: mfd: omap-usb-tll: Fix inverted bit use for USB TLL mode
+
+From: Tony Lindgren <tony@atomide.com>
+
+commit 8b8a84c54aff4256d592dc18346c65ecf6811b45 upstream.
+
+Commit 16fa3dc75c22 ("mfd: omap-usb-tll: HOST TLL platform driver")
+added support for USB TLL, but uses OMAP_TLL_CHANNEL_CONF_ULPINOBITSTUFF
+bit the wrong way. The comments in the code are correct, but the inverted
+use of OMAP_TLL_CHANNEL_CONF_ULPINOBITSTUFF causes the register to be
+enabled instead of disabled unlike what the comments say.
+
+Without this change the Wrigley 3G LTE modem on droid 4 EHCI bus can
+be only pinged few times before it stops responding.
+
+Fixes: 16fa3dc75c22 ("mfd: omap-usb-tll: HOST TLL platform driver")
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Acked-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/omap-usb-tll.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mfd/omap-usb-tll.c
++++ b/drivers/mfd/omap-usb-tll.c
+@@ -377,8 +377,8 @@ int omap_tll_init(struct usbhs_omap_plat
+ * and use SDR Mode
+ */
+ reg &= ~(OMAP_TLL_CHANNEL_CONF_UTMIAUTOIDLE
+- | OMAP_TLL_CHANNEL_CONF_ULPINOBITSTUFF
+ | OMAP_TLL_CHANNEL_CONF_ULPIDDRMODE);
++ reg |= OMAP_TLL_CHANNEL_CONF_ULPINOBITSTUFF;
+ } else if (pdata->port_mode[i] ==
+ OMAP_EHCI_PORT_MODE_HSIC) {
+ /*
--- /dev/null
+From 816c9311f1144a03da1fdc4feb2f6b0d3299fca0 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 9 Jan 2017 11:20:16 +0300
+Subject: misc: mic: double free on ioctl error path
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 816c9311f1144a03da1fdc4feb2f6b0d3299fca0 upstream.
+
+This function only has one caller. Freeing "vdev" here leads to a use
+after free bug. There are several other error paths in this function
+but this is the only one which frees "vdev". It looks like the kfree()
+can be safely removed.
+
+Fixes: 61e9c905df78 ("misc: mic: Enable VOP host side functionality")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/mic/vop/vop_vringh.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/misc/mic/vop/vop_vringh.c
++++ b/drivers/misc/mic/vop/vop_vringh.c
+@@ -292,7 +292,6 @@ static int vop_virtio_add_device(struct
+ if (ret) {
+ dev_err(vop_dev(vdev), "%s %d err %d\n",
+ __func__, __LINE__, ret);
+- kfree(vdev);
+ return ret;
+ }
+
--- /dev/null
+From 6830733d53a4517588e56227b9c8538633f0c496 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 2 Feb 2017 12:53:04 -0200
+Subject: [media] pvrusb2: reduce stack usage pvr2_eeprom_analyze()
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 6830733d53a4517588e56227b9c8538633f0c496 upstream.
+
+The driver uses a relatively large data structure on the stack, which
+showed up on my radar as we get a warning with the "latent entropy"
+GCC plugin:
+
+drivers/media/usb/pvrusb2/pvrusb2-eeprom.c:153:1: error: the frame size of 1376 bytes is larger than 1152 bytes [-Werror=frame-larger-than=]
+
+The warning is usually hidden as we raise the warning limit to 2048
+when the plugin is enabled, but I'd like to lower that again in the
+future, and making this function smaller helps to do that without
+build regressions.
+
+Further analysis shows that putting an 'i2c_client' structure on
+the stack is not really supported, as the embedded 'struct device'
+is not initialized here, and we are only saved by the fact that
+the function that is called here does not use the pointer at all.
+
+Fixes: d855497edbfb ("V4L/DVB (4228a): pvrusb2 to kernel 2.6.18")
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/pvrusb2/pvrusb2-eeprom.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+--- a/drivers/media/usb/pvrusb2/pvrusb2-eeprom.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-eeprom.c
+@@ -123,15 +123,10 @@ int pvr2_eeprom_analyze(struct pvr2_hdw
+ memset(&tvdata,0,sizeof(tvdata));
+
+ eeprom = pvr2_eeprom_fetch(hdw);
+- if (!eeprom) return -EINVAL;
++ if (!eeprom)
++ return -EINVAL;
+
+- {
+- struct i2c_client fake_client;
+- /* Newer version expects a useless client interface */
+- fake_client.addr = hdw->eeprom_addr;
+- fake_client.adapter = &hdw->i2c_adap;
+- tveeprom_hauppauge_analog(&fake_client,&tvdata,eeprom);
+- }
++ tveeprom_hauppauge_analog(NULL, &tvdata, eeprom);
+
+ trace_eeprom("eeprom assumed v4l tveeprom module");
+ trace_eeprom("eeprom direct call results:");
--- /dev/null
+From be40597a1bc173bf9dadccdf5388b956f620ae8f Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Fri, 12 May 2017 16:35:45 +0200
+Subject: serial: efm32: Fix parity management in 'efm32_uart_console_get_options()'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit be40597a1bc173bf9dadccdf5388b956f620ae8f upstream.
+
+UARTn_FRAME_PARITY_ODD is 0x0300
+UARTn_FRAME_PARITY_EVEN is 0x0200
+So if the UART is configured for EVEN parity, it would be reported as ODD.
+Fix it by correctly testing if the 2 bits are set.
+
+Fixes: 3afbd89c9639 ("serial/efm32: add new driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/efm32-uart.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/serial/efm32-uart.c
++++ b/drivers/tty/serial/efm32-uart.c
+@@ -27,6 +27,7 @@
+ #define UARTn_FRAME 0x04
+ #define UARTn_FRAME_DATABITS__MASK 0x000f
+ #define UARTn_FRAME_DATABITS(n) ((n) - 3)
++#define UARTn_FRAME_PARITY__MASK 0x0300
+ #define UARTn_FRAME_PARITY_NONE 0x0000
+ #define UARTn_FRAME_PARITY_EVEN 0x0200
+ #define UARTn_FRAME_PARITY_ODD 0x0300
+@@ -572,12 +573,16 @@ static void efm32_uart_console_get_optio
+ 16 * (4 + (clkdiv >> 6)));
+
+ frame = efm32_uart_read32(efm_port, UARTn_FRAME);
+- if (frame & UARTn_FRAME_PARITY_ODD)
++ switch (frame & UARTn_FRAME_PARITY__MASK) {
++ case UARTn_FRAME_PARITY_ODD:
+ *parity = 'o';
+- else if (frame & UARTn_FRAME_PARITY_EVEN)
++ break;
++ case UARTn_FRAME_PARITY_EVEN:
+ *parity = 'e';
+- else
++ break;
++ default:
+ *parity = 'n';
++ }
+
+ *bits = (frame & UARTn_FRAME_DATABITS__MASK) -
+ UARTn_FRAME_DATABITS(4) + 4;
--- /dev/null
+From 5f76895e4c712b1b5af450cf344389b8c53ac2c2 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Tue, 28 Mar 2017 11:13:45 +0200
+Subject: serial: sh-sci: Fix late enablement of AUTORTS
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit 5f76895e4c712b1b5af450cf344389b8c53ac2c2 upstream.
+
+When changing hardware control flow for a UART with dedicated RTS/CTS
+pins, the new AUTORTS state is not immediately reflected in the
+hardware, but only when RTS is raised. However, the serial core does
+not call .set_mctrl() after .set_termios(), hence AUTORTS may only
+become effective when the port is closed, and reopened later.
+Note that this problem does not happen when manually using stty to
+change CRTSCTS, as AUTORTS will work fine on next open.
+
+To fix this, call .set_mctrl() from .set_termios() when dedicated
+RTS/CTS pins are present, to refresh the AUTORTS or RTS state.
+This is similar to what other drivers supporting AUTORTS do (e.g.
+omap-serial).
+
+Reported-by: Baumann, Christoph (C.) <cbaumann@visteon.com>
+Fixes: 33f50ffc253854cf ("serial: sh-sci: Fix support for hardware-assisted RTS/CTS")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/sh-sci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -2366,6 +2366,10 @@ done:
+ */
+ udelay(DIV_ROUND_UP(10 * 1000000, baud));
+ }
++ if (port->flags & UPF_HARD_FLOW) {
++ /* Refresh (Auto) RTS */
++ sci_set_mctrl(port, port->mctrl);
++ }
+
+ #ifdef CONFIG_SERIAL_SH_SCI_DMA
+ /*
--- /dev/null
+From cf6c77323a96fc40309cc8a4921ef206cccdd961 Mon Sep 17 00:00:00 2001
+From: Eva Rachel Retuya <eraretuya@gmail.com>
+Date: Mon, 20 Mar 2017 19:27:05 +0800
+Subject: staging: iio: tsl2x7x_core: Fix standard deviation calculation
+
+From: Eva Rachel Retuya <eraretuya@gmail.com>
+
+commit cf6c77323a96fc40309cc8a4921ef206cccdd961 upstream.
+
+Standard deviation is calculated as the square root of the variance
+where variance is the mean of sample_sum and length. Correct the
+computation of statP->stddev in accordance to the proper calculation.
+
+Fixes: 3c97c08b5735 ("staging: iio: add TAOS tsl2x7x driver")
+Reported-by: Abhiram Balasubramanian <abhiram@cs.utah.edu>
+Signed-off-by: Eva Rachel Retuya <eraretuya@gmail.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/iio/light/tsl2x7x_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/iio/light/tsl2x7x_core.c
++++ b/drivers/staging/iio/light/tsl2x7x_core.c
+@@ -854,7 +854,7 @@ void tsl2x7x_prox_calculate(int *data, i
+ tmp = data[i] - statP->mean;
+ sample_sum += tmp * tmp;
+ }
+- statP->stddev = int_sqrt((long)sample_sum) / length;
++ statP->stddev = int_sqrt((long)sample_sum / length);
+ }
+
+ /**
--- /dev/null
+From 784047eb2d3405a35087af70cba46170c5576b25 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sat, 22 Apr 2017 13:47:23 +0300
+Subject: staging: rtl8188eu: prevent an underflow in rtw_check_beacon_data()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 784047eb2d3405a35087af70cba46170c5576b25 upstream.
+
+The "len" could be as low as -14 so we should check for negatives.
+
+Fixes: 9a7fe54ddc3a ("staging: r8188eu: Add source files for new driver - part 1")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8188eu/core/rtw_ap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8188eu/core/rtw_ap.c
++++ b/drivers/staging/rtl8188eu/core/rtw_ap.c
+@@ -890,7 +890,7 @@ int rtw_check_beacon_data(struct adapter
+ return _FAIL;
+
+
+- if (len > MAX_IE_SZ)
++ if (len < 0 || len > MAX_IE_SZ)
+ return _FAIL;
+
+ pbss_network->IELength = len;
--- /dev/null
+From 1a744d2eb76aaafb997fda004ae3ae62a1538f85 Mon Sep 17 00:00:00 2001
+From: Anton Bondarenko <anton.bondarenko.sama@gmail.com>
+Date: Sun, 7 May 2017 01:53:46 +0200
+Subject: usb: core: fix potential memory leak in error path during hcd creation
+
+From: Anton Bondarenko <anton.bondarenko.sama@gmail.com>
+
+commit 1a744d2eb76aaafb997fda004ae3ae62a1538f85 upstream.
+
+Free memory allocated for address0_mutex if allocation of bandwidth_mutex
+failed.
+
+Fixes: feb26ac31a2a ("usb: core: hub: hub_port_init lock controller instead of bus")
+
+Signed-off-by: Anton Bondarenko <anton.bondarenko.sama@gmail.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hcd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/core/hcd.c
++++ b/drivers/usb/core/hcd.c
+@@ -2535,6 +2535,7 @@ struct usb_hcd *usb_create_shared_hcd(co
+ hcd->bandwidth_mutex = kmalloc(sizeof(*hcd->bandwidth_mutex),
+ GFP_KERNEL);
+ if (!hcd->bandwidth_mutex) {
++ kfree(hcd->address0_mutex);
+ kfree(hcd);
+ dev_dbg(dev, "hcd bandwidth mutex alloc failed\n");
+ return NULL;
--- /dev/null
+From d81182ce30dbd497a1e7047d7fda2af040347790 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 10 May 2017 18:18:25 +0200
+Subject: USB: gadget: dummy_hcd: fix hub-descriptor removable fields
+
+From: Johan Hovold <johan@kernel.org>
+
+commit d81182ce30dbd497a1e7047d7fda2af040347790 upstream.
+
+Flag the first and only port as removable while also leaving the
+remaining bits (including the reserved bit zero) unset in accordance
+with the specifications:
+
+ "Within a byte, if no port exists for a given location, the bit
+ field representing the port characteristics shall be 0."
+
+Also add a comment marking the legacy PortPwrCtrlMask field.
+
+Fixes: 1cd8fd2887e1 ("usb: gadget: dummy_hcd: add SuperSpeed support")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: Tatyana Brokhman <tlinder@codeaurora.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/dummy_hcd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/udc/dummy_hcd.c
++++ b/drivers/usb/gadget/udc/dummy_hcd.c
+@@ -2009,7 +2009,7 @@ ss_hub_descriptor(struct usb_hub_descrip
+ HUB_CHAR_COMMON_OCPM);
+ desc->bNbrPorts = 1;
+ desc->u.ss.bHubHdrDecLat = 0x04; /* Worst case: 0.4 micro sec*/
+- desc->u.ss.DeviceRemovable = 0xffff;
++ desc->u.ss.DeviceRemovable = 0;
+ }
+
+ static inline void hub_descriptor(struct usb_hub_descriptor *desc)
+@@ -2021,8 +2021,8 @@ static inline void hub_descriptor(struct
+ HUB_CHAR_INDV_PORT_LPSM |
+ HUB_CHAR_COMMON_OCPM);
+ desc->bNbrPorts = 1;
+- desc->u.hs.DeviceRemovable[0] = 0xff;
+- desc->u.hs.DeviceRemovable[1] = 0xff;
++ desc->u.hs.DeviceRemovable[0] = 0;
++ desc->u.hs.DeviceRemovable[1] = 0xff; /* PortPwrCtrlMask */
+ }
+
+ static int dummy_hub_control(
--- /dev/null
+From 067d6fdc558d2c43f0bfdc7af99630dd5eb08dc5 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Wed, 26 Apr 2017 20:50:08 +0900
+Subject: usb: gadget: udc: renesas_usb3: fix deadlock by spinlock
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 067d6fdc558d2c43f0bfdc7af99630dd5eb08dc5 upstream.
+
+This patch fixes an issue that this driver is possible to cause
+deadlock by double-spinclocked in renesas_usb3_stop_controller().
+So, this patch removes spinlock API calling in renesas_usb3_stop().
+(In other words, the previous code had a redundant lock.)
+
+Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/renesas_usb3.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/usb/gadget/udc/renesas_usb3.c
++++ b/drivers/usb/gadget/udc/renesas_usb3.c
+@@ -1718,14 +1718,11 @@ static int renesas_usb3_start(struct usb
+ static int renesas_usb3_stop(struct usb_gadget *gadget)
+ {
+ struct renesas_usb3 *usb3 = gadget_to_renesas_usb3(gadget);
+- unsigned long flags;
+
+- spin_lock_irqsave(&usb3->lock, flags);
+ usb3->softconnect = false;
+ usb3->gadget.speed = USB_SPEED_UNKNOWN;
+ usb3->driver = NULL;
+ renesas_usb3_stop_controller(usb3);
+- spin_unlock_irqrestore(&usb3->lock, flags);
+
+ pm_runtime_put(usb3_to_dev(usb3));
+ pm_runtime_disable(usb3_to_dev(usb3));
--- /dev/null
+From cdc876877ebc3f0677b267756d4564e2a429e730 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Wed, 26 Apr 2017 20:50:07 +0900
+Subject: usb: gadget: udc: renesas_usb3: fix pm_runtime functions calling
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit cdc876877ebc3f0677b267756d4564e2a429e730 upstream.
+
+This patch fixes an issue that this driver is possible to access
+the registers before pm_runtime_get_sync() if a gadget driver is
+installed first. After that, oops happens on R-Car Gen3 environment.
+To avoid it, this patch changes the pm_runtime call timing from
+probe/remove to udc_start/udc_stop.
+
+Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/renesas_usb3.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/gadget/udc/renesas_usb3.c
++++ b/drivers/usb/gadget/udc/renesas_usb3.c
+@@ -1707,6 +1707,9 @@ static int renesas_usb3_start(struct usb
+ /* hook up the driver */
+ usb3->driver = driver;
+
++ pm_runtime_enable(usb3_to_dev(usb3));
++ pm_runtime_get_sync(usb3_to_dev(usb3));
++
+ renesas_usb3_init_controller(usb3);
+
+ return 0;
+@@ -1724,6 +1727,9 @@ static int renesas_usb3_stop(struct usb_
+ renesas_usb3_stop_controller(usb3);
+ spin_unlock_irqrestore(&usb3->lock, flags);
+
++ pm_runtime_put(usb3_to_dev(usb3));
++ pm_runtime_disable(usb3_to_dev(usb3));
++
+ return 0;
+ }
+
+@@ -1761,9 +1767,6 @@ static int renesas_usb3_remove(struct pl
+ {
+ struct renesas_usb3 *usb3 = platform_get_drvdata(pdev);
+
+- pm_runtime_put(&pdev->dev);
+- pm_runtime_disable(&pdev->dev);
+-
+ usb_del_gadget_udc(&usb3->gadget);
+
+ __renesas_usb3_ep_free_request(usb3->ep0_req);
+@@ -1948,9 +1951,6 @@ static int renesas_usb3_probe(struct pla
+
+ usb3->workaround_for_vbus = priv->workaround_for_vbus;
+
+- pm_runtime_enable(&pdev->dev);
+- pm_runtime_get_sync(&pdev->dev);
+-
+ dev_info(&pdev->dev, "probed\n");
+
+ return 0;
--- /dev/null
+From 940f538a100c84c6e72813e4ac88bd1753a86945 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Wed, 26 Apr 2017 20:50:09 +0900
+Subject: usb: gadget: udc: renesas_usb3: lock for PN_ registers access
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 940f538a100c84c6e72813e4ac88bd1753a86945 upstream.
+
+This controller disallows to change the PIPE until reading/writing
+a packet finishes. However. the previous code is not enough to hold
+the lock in some functions. So, this patch fixes it.
+
+Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/renesas_usb3.c | 28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/udc/renesas_usb3.c
++++ b/drivers/usb/gadget/udc/renesas_usb3.c
+@@ -1401,7 +1401,13 @@ static void usb3_request_done_pipen(stru
+ struct renesas_usb3_request *usb3_req,
+ int status)
+ {
+- usb3_pn_stop(usb3);
++ unsigned long flags;
++
++ spin_lock_irqsave(&usb3->lock, flags);
++ if (usb3_pn_change(usb3, usb3_ep->num))
++ usb3_pn_stop(usb3);
++ spin_unlock_irqrestore(&usb3->lock, flags);
++
+ usb3_disable_pipe_irq(usb3, usb3_ep->num);
+ usb3_request_done(usb3_ep, usb3_req, status);
+
+@@ -1430,30 +1436,46 @@ static void usb3_irq_epc_pipen_bfrdy(str
+ {
+ struct renesas_usb3_ep *usb3_ep = usb3_get_ep(usb3, num);
+ struct renesas_usb3_request *usb3_req = usb3_get_request(usb3_ep);
++ bool done = false;
+
+ if (!usb3_req)
+ return;
+
++ spin_lock(&usb3->lock);
++ if (usb3_pn_change(usb3, num))
++ goto out;
++
+ if (usb3_ep->dir_in) {
+ /* Do not stop the IN pipe here to detect LSTTR interrupt */
+ if (!usb3_write_pipe(usb3_ep, usb3_req, USB3_PN_WRITE))
+ usb3_clear_bit(usb3, PN_INT_BFRDY, USB3_PN_INT_ENA);
+ } else {
+ if (!usb3_read_pipe(usb3_ep, usb3_req, USB3_PN_READ))
+- usb3_request_done_pipen(usb3, usb3_ep, usb3_req, 0);
++ done = true;
+ }
++
++out:
++ /* need to unlock because usb3_request_done_pipen() locks it */
++ spin_unlock(&usb3->lock);
++
++ if (done)
++ usb3_request_done_pipen(usb3, usb3_ep, usb3_req, 0);
+ }
+
+ static void usb3_irq_epc_pipen(struct renesas_usb3 *usb3, int num)
+ {
+ u32 pn_int_sta;
+
+- if (usb3_pn_change(usb3, num) < 0)
++ spin_lock(&usb3->lock);
++ if (usb3_pn_change(usb3, num) < 0) {
++ spin_unlock(&usb3->lock);
+ return;
++ }
+
+ pn_int_sta = usb3_read(usb3, USB3_PN_INT_STA);
+ pn_int_sta &= usb3_read(usb3, USB3_PN_INT_ENA);
+ usb3_write(usb3, pn_int_sta, USB3_PN_INT_STA);
++ spin_unlock(&usb3->lock);
+ if (pn_int_sta & PN_INT_LSTTR)
+ usb3_irq_epc_pipen_lsttr(usb3, num);
+ if (pn_int_sta & PN_INT_BFRDY)
--- /dev/null
+From 93491ced3c87c94b12220dbac0527e1356702179 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 10 May 2017 18:18:29 +0200
+Subject: USB: hub: fix SS max number of ports
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 93491ced3c87c94b12220dbac0527e1356702179 upstream.
+
+Add define for the maximum number of ports on a SuperSpeed hub as per
+USB 3.1 spec Table 10-5, and use it when verifying the retrieved hub
+descriptor.
+
+This specifically avoids benign attempts to update the DeviceRemovable
+mask for non-existing ports (should we get that far).
+
+Fixes: dbe79bbe9dcb ("USB 3.0 Hub Changes")
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hub.c | 8 +++++++-
+ include/uapi/linux/usb/ch11.h | 3 +++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -1334,7 +1334,13 @@ static int hub_configure(struct usb_hub
+ if (ret < 0) {
+ message = "can't read hub descriptor";
+ goto fail;
+- } else if (hub->descriptor->bNbrPorts > USB_MAXCHILDREN) {
++ }
++
++ maxchild = USB_MAXCHILDREN;
++ if (hub_is_superspeed(hdev))
++ maxchild = min_t(unsigned, maxchild, USB_SS_MAXPORTS);
++
++ if (hub->descriptor->bNbrPorts > maxchild) {
+ message = "hub has too many ports!";
+ ret = -ENODEV;
+ goto fail;
+--- a/include/uapi/linux/usb/ch11.h
++++ b/include/uapi/linux/usb/ch11.h
+@@ -22,6 +22,9 @@
+ */
+ #define USB_MAXCHILDREN 31
+
++/* See USB 3.1 spec Table 10-5 */
++#define USB_SS_MAXPORTS 15
++
+ /*
+ * Hub request types
+ */
--- /dev/null
+From b3addcf0d1f04f53fcc302577d5a5e964c18531a Mon Sep 17 00:00:00 2001
+From: Bin Liu <b-liu@ti.com>
+Date: Thu, 25 May 2017 13:42:39 -0500
+Subject: usb: musb: dsps: keep VBUS on for host-only mode
+
+From: Bin Liu <b-liu@ti.com>
+
+commit b3addcf0d1f04f53fcc302577d5a5e964c18531a upstream.
+
+Currently VBUS is turned off while a usb device is detached, and turned
+on again by the polling routine. This short period VBUS loss prevents
+usb modem to switch mode.
+
+VBUS should be constantly on for host-only mode, so this changes the
+driver to not turn off VBUS for host-only mode.
+
+Fixes: 2f3fd2c5bde1 ("usb: musb: Prepare dsps glue layer for PM runtime support")
+Reported-by: Moreno Bartalucci <moreno.bartalucci@tecnorama.it>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/musb/musb_dsps.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/musb/musb_dsps.c
++++ b/drivers/usb/musb/musb_dsps.c
+@@ -213,6 +213,12 @@ static int dsps_check_status(struct musb
+ msecs_to_jiffies(wrp->poll_timeout));
+ break;
+ case OTG_STATE_A_WAIT_BCON:
++ /* keep VBUS on for host-only mode */
++ if (musb->port_mode == MUSB_PORT_MODE_HOST) {
++ mod_timer(&glue->timer, jiffies +
++ msecs_to_jiffies(wrp->poll_timeout));
++ break;
++ }
+ musb_writeb(musb->mregs, MUSB_DEVCTL, 0);
+ skip_session = 1;
+ /* fall */
--- /dev/null
+From dd14a3e9b92ac6f0918054f9e3477438760a4fa6 Mon Sep 17 00:00:00 2001
+From: Chris Brandt <chris.brandt@renesas.com>
+Date: Thu, 27 Apr 2017 12:12:49 -0700
+Subject: usb: r8a66597-hcd: decrease timeout
+
+From: Chris Brandt <chris.brandt@renesas.com>
+
+commit dd14a3e9b92ac6f0918054f9e3477438760a4fa6 upstream.
+
+The timeout for BULK packets was 300ms which is a long time if other
+endpoints or devices are waiting for their turn. Changing it to 50ms
+greatly increased the overall performance for multi-endpoint devices.
+
+Fixes: 5d3043586db4 ("usb: r8a66597-hcd: host controller driver for R8A6659")
+Signed-off-by: Chris Brandt <chris.brandt@renesas.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/r8a66597-hcd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/r8a66597-hcd.c
++++ b/drivers/usb/host/r8a66597-hcd.c
+@@ -1269,7 +1269,7 @@ static void set_td_timer(struct r8a66597
+ time = 30;
+ break;
+ default:
+- time = 300;
++ time = 50;
+ break;
+ }
+
--- /dev/null
+From 1f873d857b6c2fefb4dada952674aa01bcfb92bd Mon Sep 17 00:00:00 2001
+From: Chris Brandt <chris.brandt@renesas.com>
+Date: Thu, 27 Apr 2017 12:12:02 -0700
+Subject: usb: r8a66597-hcd: select a different endpoint on timeout
+
+From: Chris Brandt <chris.brandt@renesas.com>
+
+commit 1f873d857b6c2fefb4dada952674aa01bcfb92bd upstream.
+
+If multiple endpoints on a single device have pending IN URBs and one
+endpoint times out due to NAKs (perfectly legal), select a different
+endpoint URB to try.
+The existing code only checked to see another device address has pending
+URBs and ignores other IN endpoints on the current device address. This
+leads to endpoints never getting serviced if one endpoint is using NAK as
+a flow control method.
+
+Fixes: 5d3043586db4 ("usb: r8a66597-hcd: host controller driver for R8A6659")
+Signed-off-by: Chris Brandt <chris.brandt@renesas.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/r8a66597-hcd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/r8a66597-hcd.c
++++ b/drivers/usb/host/r8a66597-hcd.c
+@@ -1785,6 +1785,7 @@ static void r8a66597_td_timer(unsigned l
+ pipe = td->pipe;
+ pipe_stop(r8a66597, pipe);
+
++ /* Select a different address or endpoint */
+ new_td = td;
+ do {
+ list_move_tail(&new_td->queue,
+@@ -1794,7 +1795,8 @@ static void r8a66597_td_timer(unsigned l
+ new_td = td;
+ break;
+ }
+- } while (td != new_td && td->address == new_td->address);
++ } while (td != new_td && td->address == new_td->address &&
++ td->pipe->info.epnum == new_td->pipe->info.epnum);
+
+ start_transfer(r8a66597, new_td);
+
--- /dev/null
+From ec963b412a54aac8e527708ecad06a6988a86fb4 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 10 May 2017 18:18:26 +0200
+Subject: USB: usbip: fix nonconforming hub descriptor
+
+From: Johan Hovold <johan@kernel.org>
+
+commit ec963b412a54aac8e527708ecad06a6988a86fb4 upstream.
+
+Fix up the root-hub descriptor to accommodate the variable-length
+DeviceRemovable and PortPwrCtrlMask fields, while marking all ports as
+removable (and leaving the reserved bit zero unset).
+
+Also add a build-time constraint on VHCI_HC_PORTS which must never be
+greater than USB_MAXCHILDREN (but this was only enforced through a
+KConfig constant).
+
+This specifically fixes the descriptor layout whenever VHCI_HC_PORTS is
+greater than seven (default is 8).
+
+Fixes: 04679b3489e0 ("Staging: USB/IP: add client driver")
+Cc: Takahiro Hirofuchi <hirofuchi@users.sourceforge.net>
+Cc: Valentina Manea <valentina.manea.m@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/usbip/vhci_hcd.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/usbip/vhci_hcd.c
++++ b/drivers/usb/usbip/vhci_hcd.c
+@@ -235,14 +235,19 @@ done:
+
+ static inline void hub_descriptor(struct usb_hub_descriptor *desc)
+ {
++ int width;
++
+ memset(desc, 0, sizeof(*desc));
+ desc->bDescriptorType = USB_DT_HUB;
+- desc->bDescLength = 9;
+ desc->wHubCharacteristics = cpu_to_le16(
+ HUB_CHAR_INDV_PORT_LPSM | HUB_CHAR_COMMON_OCPM);
++
+ desc->bNbrPorts = VHCI_HC_PORTS;
+- desc->u.hs.DeviceRemovable[0] = 0xff;
+- desc->u.hs.DeviceRemovable[1] = 0xff;
++ BUILD_BUG_ON(VHCI_HC_PORTS > USB_MAXCHILDREN);
++ width = desc->bNbrPorts / 8 + 1;
++ desc->bDescLength = USB_DT_HUB_NONVAR_SIZE + 2 * width;
++ memset(&desc->u.hs.DeviceRemovable[0], 0, width);
++ memset(&desc->u.hs.DeviceRemovable[width], 0xff, width);
+ }
+
+ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
--- /dev/null
+From 5ebb6dd36c9f5fb37b1077b393c254d70a14cb46 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Fri, 28 Apr 2017 01:51:40 -0300
+Subject: [media] vb2: Fix an off by one error in 'vb2_plane_vaddr'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 5ebb6dd36c9f5fb37b1077b393c254d70a14cb46 upstream.
+
+We should ensure that 'plane_no' is '< vb->num_planes' as done in
+'vb2_plane_cookie' just a few lines below.
+
+Fixes: e23ccc0ad925 ("[media] v4l: add videobuf2 Video for Linux 2 driver framework")
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/videobuf2-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/v4l2-core/videobuf2-core.c
++++ b/drivers/media/v4l2-core/videobuf2-core.c
+@@ -868,7 +868,7 @@ EXPORT_SYMBOL_GPL(vb2_core_create_bufs);
+
+ void *vb2_plane_vaddr(struct vb2_buffer *vb, unsigned int plane_no)
+ {
+- if (plane_no > vb->num_planes || !vb->planes[plane_no].mem_priv)
++ if (plane_no >= vb->num_planes || !vb->planes[plane_no].mem_priv)
+ return NULL;
+
+ return call_ptr_memop(vb, vaddr, vb->planes[plane_no].mem_priv);
--- /dev/null
+From 861ce4a3244c21b0af64f880d5bfe5e6e2fb9e4a Mon Sep 17 00:00:00 2001
+From: Laura Abbott <labbott@redhat.com>
+Date: Mon, 8 May 2017 14:23:16 -0700
+Subject: x86/mm/32: Set the '__vmalloc_start_set' flag in initmem_init()
+
+From: Laura Abbott <labbott@redhat.com>
+
+commit 861ce4a3244c21b0af64f880d5bfe5e6e2fb9e4a upstream.
+
+'__vmalloc_start_set' currently only gets set in initmem_init() when
+!CONFIG_NEED_MULTIPLE_NODES. This breaks detection of vmalloc address
+with virt_addr_valid() with CONFIG_NEED_MULTIPLE_NODES=y, causing
+a kernel crash:
+
+ [mm/usercopy] 517e1fbeb6: kernel BUG at arch/x86/mm/physaddr.c:78!
+
+Set '__vmalloc_start_set' appropriately for that case as well.
+
+Reported-by: kbuild test robot <fengguang.wu@intel.com>
+Signed-off-by: Laura Abbott <labbott@redhat.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: dc16ecf7fd1f ("x86-32: use specific __vmalloc_start_set flag in __virt_addr_valid")
+Link: http://lkml.kernel.org/r/1494278596-30373-1-git-send-email-labbott@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/mm/numa_32.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/mm/numa_32.c
++++ b/arch/x86/mm/numa_32.c
+@@ -100,5 +100,6 @@ void __init initmem_init(void)
+ printk(KERN_DEBUG "High memory starts at vaddr %08lx\n",
+ (ulong) pfn_to_kaddr(highstart_pfn));
+
++ __vmalloc_start_set = true;
+ setup_bootmem_allocator();
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
