--- /dev/null
+From f35a7f91f66af528b3ee1921de16bea31d347ab0 Mon Sep 17 00:00:00 2001
+From: Rakesh Pillai <pillair@qti.qualcomm.com>
+Date: Wed, 2 Aug 2017 16:03:37 +0530
+Subject: ath10k: fix memory leak in rx ring buffer allocation
+
+From: Rakesh Pillai <pillair@qti.qualcomm.com>
+
+commit f35a7f91f66af528b3ee1921de16bea31d347ab0 upstream.
+
+The rx ring buffers are added to a hash table if
+firmware support full rx reorder. If the full rx
+reorder support flag is not set before allocating
+the rx ring buffers, none of the buffers are added
+to the hash table.
+
+There is a race condition between rx ring refill and
+rx buffer replenish from napi poll. The interrupts are
+enabled in hif start, before the rx ring is refilled during init.
+We replenish buffers from napi poll due to the interrupts which
+get enabled after hif start. Hence before the entire rx ring is
+refilled during the init, the napi poll replenishes a few buffers
+in steps of 100 buffers per attempt. During this rx ring replenish
+from napi poll, the rx reorder flag has not been set due to which
+the replenished buffers are not added to the hash table
+
+Set the rx full reorder support flag before we allocate
+the rx ring buffer to avoid the memory leak.
+
+Signed-off-by: Rakesh Pillai <pillair@qti.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Cc: Christian Lamparter <chunkeey@googlemail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath10k/core.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/core.c
++++ b/drivers/net/wireless/ath/ath10k/core.c
+@@ -1852,6 +1852,12 @@ int ath10k_core_start(struct ath10k *ar,
+ goto err_wmi_detach;
+ }
+
++ /* If firmware indicates Full Rx Reorder support it must be used in a
++ * slightly different manner. Let HTT code know.
++ */
++ ar->htt.rx_ring.in_ord_rx = !!(test_bit(WMI_SERVICE_RX_FULL_REORDER,
++ ar->wmi.svc_map));
++
+ status = ath10k_htt_rx_alloc(&ar->htt);
+ if (status) {
+ ath10k_err(ar, "failed to alloc htt rx: %d\n", status);
+@@ -1964,12 +1970,6 @@ int ath10k_core_start(struct ath10k *ar,
+ }
+ }
+
+- /* If firmware indicates Full Rx Reorder support it must be used in a
+- * slightly different manner. Let HTT code know.
+- */
+- ar->htt.rx_ring.in_ord_rx = !!(test_bit(WMI_SERVICE_RX_FULL_REORDER,
+- ar->wmi.svc_map));
+-
+ status = ath10k_htt_rx_ring_refill(ar);
+ if (status) {
+ ath10k_err(ar, "failed to refill htt rx ring: %d\n", status);
--- /dev/null
+From a81d72d2002d6a932bd83022cbf8c442b1b97512 Mon Sep 17 00:00:00 2001
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+Date: Tue, 8 Aug 2017 14:09:02 +0300
+Subject: Bluetooth: Add support of 13d3:3494 RTL8723BE device
+
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+
+commit a81d72d2002d6a932bd83022cbf8c442b1b97512 upstream.
+
+T: Bus=02 Lev=01 Prnt=01 Port=03 Cnt=03 Dev#= 4 Spd=12 MxCh= 0
+D: Ver= 2.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=13d3 ProdID=3494 Rev= 2.00
+S: Manufacturer=Realtek
+S: Product=Bluetooth Radio
+S: SerialNumber=00e04c000001
+C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+
+Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/btusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -342,6 +342,7 @@ static const struct usb_device_id blackl
+ { USB_DEVICE(0x13d3, 0x3410), .driver_info = BTUSB_REALTEK },
+ { USB_DEVICE(0x13d3, 0x3416), .driver_info = BTUSB_REALTEK },
+ { USB_DEVICE(0x13d3, 0x3459), .driver_info = BTUSB_REALTEK },
++ { USB_DEVICE(0x13d3, 0x3494), .driver_info = BTUSB_REALTEK },
+
+ /* Additional Realtek 8821AE Bluetooth devices */
+ { USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK },
--- /dev/null
+From 55acdd926f6b21a5cdba23da98a48aedf19ac9c3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= <edvin.torok@citrix.com>
+Date: Thu, 3 Aug 2017 10:30:06 +0100
+Subject: dlm: avoid double-free on error path in dlm_device_{register,unregister}
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Edwin Török <edvin.torok@citrix.com>
+
+commit 55acdd926f6b21a5cdba23da98a48aedf19ac9c3 upstream.
+
+Can be reproduced when running dlm_controld (tested on 4.4.x, 4.12.4):
+ # seq 1 100 | xargs -P0 -n1 dlm_tool join
+ # seq 1 100 | xargs -P0 -n1 dlm_tool leave
+
+misc_register fails due to duplicate sysfs entry, which causes
+dlm_device_register to free ls->ls_device.name.
+In dlm_device_deregister the name was freed again, causing memory
+corruption.
+
+According to the comment in dlm_device_deregister the name should've been
+set to NULL when registration fails,
+so this patch does that.
+
+sysfs: cannot create duplicate filename '/dev/char/10:1'
+------------[ cut here ]------------
+warning: cpu: 1 pid: 4450 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x56/0x70
+modules linked in: msr rfcomm dlm ccm bnep dm_crypt uvcvideo
+videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core videodev
+btusb media btrtl btbcm btintel bluetooth ecdh_generic intel_rapl
+x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm
+snd_hda_codec_hdmi irqbypass crct10dif_pclmul crc32_pclmul
+ghash_clmulni_intel thinkpad_acpi pcbc nvram snd_seq_midi
+snd_seq_midi_event aesni_intel snd_hda_codec_realtek snd_hda_codec_generic
+snd_rawmidi aes_x86_64 crypto_simd glue_helper snd_hda_intel snd_hda_codec
+cryptd intel_cstate arc4 snd_hda_core snd_seq snd_seq_device snd_hwdep
+iwldvm intel_rapl_perf mac80211 joydev input_leds iwlwifi serio_raw
+cfg80211 snd_pcm shpchp snd_timer snd mac_hid mei_me lpc_ich mei soundcore
+sunrpc parport_pc ppdev lp parport autofs4 i915 psmouse
+ e1000e ahci libahci i2c_algo_bit sdhci_pci ptp drm_kms_helper sdhci
+pps_core syscopyarea sysfillrect sysimgblt fb_sys_fops drm wmi video
+cpu: 1 pid: 4450 comm: dlm_test.exe not tainted 4.12.4-041204-generic
+hardware name: lenovo 232425u/232425u, bios g2et82ww (2.02 ) 09/11/2012
+task: ffff96b0cbabe140 task.stack: ffffb199027d0000
+rip: 0010:sysfs_warn_dup+0x56/0x70
+rsp: 0018:ffffb199027d3c58 eflags: 00010282
+rax: 0000000000000038 rbx: ffff96b0e2c49158 rcx: 0000000000000006
+rdx: 0000000000000000 rsi: 0000000000000086 rdi: ffff96b15e24dcc0
+rbp: ffffb199027d3c70 r08: 0000000000000001 r09: 0000000000000721
+r10: ffffb199027d3c00 r11: 0000000000000721 r12: ffffb199027d3cd1
+r13: ffff96b1592088f0 r14: 0000000000000001 r15: ffffffffffffffef
+fs: 00007f78069c0700(0000) gs:ffff96b15e240000(0000)
+knlgs:0000000000000000
+cs: 0010 ds: 0000 es: 0000 cr0: 0000000080050033
+cr2: 000000178625ed28 cr3: 0000000091d3e000 cr4: 00000000001406e0
+call trace:
+ sysfs_do_create_link_sd.isra.2+0x9e/0xb0
+ sysfs_create_link+0x25/0x40
+ device_add+0x5a9/0x640
+ device_create_groups_vargs+0xe0/0xf0
+ device_create_with_groups+0x3f/0x60
+ ? snprintf+0x45/0x70
+ misc_register+0x140/0x180
+ device_write+0x6a8/0x790 [dlm]
+ __vfs_write+0x37/0x160
+ ? apparmor_file_permission+0x1a/0x20
+ ? security_file_permission+0x3b/0xc0
+ vfs_write+0xb5/0x1a0
+ sys_write+0x55/0xc0
+ ? sys_fcntl+0x5d/0xb0
+ entry_syscall_64_fastpath+0x1e/0xa9
+rip: 0033:0x7f78083454bd
+rsp: 002b:00007f78069bbd30 eflags: 00000293 orig_rax: 0000000000000001
+rax: ffffffffffffffda rbx: 0000000000000006 rcx: 00007f78083454bd
+rdx: 000000000000009c rsi: 00007f78069bee00 rdi: 0000000000000005
+rbp: 00007f77f8000a20 r08: 000000000000fcf0 r09: 0000000000000032
+r10: 0000000000000024 r11: 0000000000000293 r12: 00007f78069bde00
+r13: 00007f78069bee00 r14: 000000000000000a r15: 00007f78069bbd70
+code: 85 c0 48 89 c3 74 12 b9 00 10 00 00 48 89 c2 31 f6 4c 89 ef e8 2c c8
+ff ff 4c 89 e2 48 89 de 48 c7 c7 b0 8e 0c a8 e8 41 e8 ed ff <0f> ff 48 89
+df e8 00 d5 f4 ff 5b 41 5c 41 5d 5d c3 66 0f 1f 84
+---[ end trace 40412246357cc9e0 ]---
+
+dlm: 59f24629-ae39-44e2-9030-397ebc2eda26: leaving the lockspace group...
+bug: unable to handle kernel null pointer dereference at 0000000000000001
+ip: [<ffffffff811a3b4a>] kmem_cache_alloc+0x7a/0x140
+pgd 0
+oops: 0000 [#1] smp
+modules linked in: dlm 8021q garp mrp stp llc openvswitch nf_defrag_ipv6
+nf_conntrack libcrc32c iptable_filter dm_multipath crc32_pclmul dm_mod
+aesni_intel psmouse aes_x86_64 sg ablk_helper cryptd lrw gf128mul
+glue_helper i2c_piix4 nls_utf8 tpm_tis tpm isofs nfsd auth_rpcgss
+oid_registry nfs_acl lockd grace sunrpc xen_wdt ip_tables x_tables autofs4
+hid_generic usbhid hid sr_mod cdrom sd_mod ata_generic pata_acpi 8139too
+serio_raw ata_piix 8139cp mii uhci_hcd ehci_pci ehci_hcd libata
+scsi_dh_rdac scsi_dh_hp_sw scsi_dh_emc scsi_dh_alua scsi_mod ipv6
+cpu: 0 pid: 394 comm: systemd-udevd tainted: g w 4.4.0+0 #1
+hardware name: xen hvm domu, bios 4.7.2-2.2 05/11/2017
+task: ffff880002410000 ti: ffff88000243c000 task.ti: ffff88000243c000
+rip: e030:[<ffffffff811a3b4a>] [<ffffffff811a3b4a>]
+kmem_cache_alloc+0x7a/0x140
+rsp: e02b:ffff88000243fd90 eflags: 00010202
+rax: 0000000000000000 rbx: ffff8800029864d0 rcx: 000000000007b36c
+rdx: 000000000007b36b rsi: 00000000024000c0 rdi: ffff880036801c00
+rbp: ffff88000243fdc0 r08: 0000000000018880 r09: 0000000000000054
+r10: 000000000000004a r11: ffff880034ace6c0 r12: 00000000024000c0
+r13: ffff880036801c00 r14: 0000000000000001 r15: ffffffff8118dcc2
+fs: 00007f0ab77548c0(0000) gs:ffff880036e00000(0000) knlgs:0000000000000000
+cs: e033 ds: 0000 es: 0000 cr0: 0000000080050033
+cr2: 0000000000000001 cr3: 000000000332d000 cr4: 0000000000040660
+stack:
+ffffffff8118dc90 ffff8800029864d0 0000000000000000 ffff88003430b0b0
+ffff880034b78320 ffff88003430b0b0 ffff88000243fdf8 ffffffff8118dcc2
+ffff8800349c6700 ffff8800029864d0 000000000000000b 00007f0ab7754b90
+call trace:
+[<ffffffff8118dc90>] ? anon_vma_fork+0x60/0x140
+[<ffffffff8118dcc2>] anon_vma_fork+0x92/0x140
+[<ffffffff8107033e>] copy_process+0xcae/0x1a80
+[<ffffffff8107128b>] _do_fork+0x8b/0x2d0
+[<ffffffff81071579>] sys_clone+0x19/0x20
+[<ffffffff815a30ae>] entry_syscall_64_fastpath+0x12/0x71
+] code: f6 75 1c 4c 89 fa 44 89 e6 4c 89 ef e8 a7 e4 00 00 41 f7 c4 00 80
+00 00 49 89 c6 74 47 eb 32 49 63 45 20 48 8d 4a 01 4d 8b 45 00 <49> 8b 1c
+06 4c 89 f0 65 49 0f c7 08 0f 94 c0 84 c0 74 ac 49 63
+rip [<ffffffff811a3b4a>] kmem_cache_alloc+0x7a/0x140
+rsp <ffff88000243fd90>
+cr2: 0000000000000001
+--[ end trace 70cb9fd1b164a0e8 ]--
+
+Signed-off-by: Edwin Török <edvin.torok@citrix.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dlm/user.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/dlm/user.c
++++ b/fs/dlm/user.c
+@@ -355,6 +355,10 @@ static int dlm_device_register(struct dl
+ error = misc_register(&ls->ls_device);
+ if (error) {
+ kfree(ls->ls_device.name);
++ /* this has to be set to NULL
++ * to avoid a double-free in dlm_device_deregister
++ */
++ ls->ls_device.name = NULL;
+ }
+ fail:
+ return error;
--- /dev/null
+From 0f9b011d3321ca1079c7a46c18cb1956fbdb7bcb Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Tue, 29 Aug 2017 21:23:49 +0200
+Subject: driver core: bus: Fix a potential double free
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 0f9b011d3321ca1079c7a46c18cb1956fbdb7bcb upstream.
+
+The .release function of driver_ktype is 'driver_release()'.
+This function frees the container_of this kobject.
+
+So, this memory must not be freed explicitly in the error handling path of
+'bus_add_driver()'. Otherwise a double free will occur.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/bus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/bus.c
++++ b/drivers/base/bus.c
+@@ -736,7 +736,7 @@ int bus_add_driver(struct device_driver
+
+ out_unregister:
+ kobject_put(&priv->kobj);
+- kfree(drv->p);
++ /* drv->p is freed in driver_release() */
+ drv->p = NULL;
+ out_put_bus:
+ bus_put(bus);
--- /dev/null
+From bc60c90f472b6e762ea96ef384072145adc8d4af Mon Sep 17 00:00:00 2001
+From: Ilia Mirkin <imirkin@alum.mit.edu>
+Date: Thu, 10 Aug 2017 12:13:40 -0400
+Subject: drm/nouveau/pci/msi: disable MSI on big-endian platforms by default
+
+From: Ilia Mirkin <imirkin@alum.mit.edu>
+
+commit bc60c90f472b6e762ea96ef384072145adc8d4af upstream.
+
+It appears that MSI does not work on either G5 PPC nor on a E5500-based
+platform, where other hardware is reported to work fine with MSI.
+
+Both tests were conducted with NV4x hardware, so perhaps other (or even
+this) hardware can be made to work. It's still possible to force-enable
+with config=NvMSI=1 on load.
+
+Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c
+@@ -192,6 +192,10 @@ nvkm_pci_new_(const struct nvkm_pci_func
+ }
+ }
+
++#ifdef __BIG_ENDIAN
++ pci->msi = false;
++#endif
++
+ pci->msi = nvkm_boolopt(device->cfgopt, "NvMSI", pci->msi);
+ if (pci->msi && func->msi_rearm) {
+ pci->msi = pci_enable_msi(pci->pdev) == 0;
--- /dev/null
+From 4744d4e2afebf9644a439da9ca73d822fdd67bd9 Mon Sep 17 00:00:00 2001
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Fri, 21 Jul 2017 00:24:22 +0900
+Subject: iio: adc: ti-ads1015: add adequate wait time to get correct conversion
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+commit 4744d4e2afebf9644a439da9ca73d822fdd67bd9 upstream.
+
+This driver assumes that the device is operating in the continuous
+conversion mode which performs the conversion continuously. So this driver
+inserts a wait time before reading the conversion register if the
+configuration is changed from a previous request.
+
+Currently, the wait time is only the period required for a single
+conversion that is calculated as the reciprocal of the sampling frequency.
+However we also need to wait for the the previous conversion to complete.
+Otherwise we probably get the conversion result for the previous
+configuration when the sampling frequency is lower.
+
+Cc: Daniel Baluta <daniel.baluta@gmail.com>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/ti-ads1015.c | 31 +++++++++++++++++++------------
+ 1 file changed, 19 insertions(+), 12 deletions(-)
+
+--- a/drivers/iio/adc/ti-ads1015.c
++++ b/drivers/iio/adc/ti-ads1015.c
+@@ -241,27 +241,34 @@ static
+ int ads1015_get_adc_result(struct ads1015_data *data, int chan, int *val)
+ {
+ int ret, pga, dr, conv_time;
+- bool change;
++ unsigned int old, mask, cfg;
+
+ if (chan < 0 || chan >= ADS1015_CHANNELS)
+ return -EINVAL;
+
++ ret = regmap_read(data->regmap, ADS1015_CFG_REG, &old);
++ if (ret)
++ return ret;
++
+ pga = data->channel_data[chan].pga;
+ dr = data->channel_data[chan].data_rate;
++ mask = ADS1015_CFG_MUX_MASK | ADS1015_CFG_PGA_MASK |
++ ADS1015_CFG_DR_MASK;
++ cfg = chan << ADS1015_CFG_MUX_SHIFT | pga << ADS1015_CFG_PGA_SHIFT |
++ dr << ADS1015_CFG_DR_SHIFT;
+
+- ret = regmap_update_bits_check(data->regmap, ADS1015_CFG_REG,
+- ADS1015_CFG_MUX_MASK |
+- ADS1015_CFG_PGA_MASK |
+- ADS1015_CFG_DR_MASK,
+- chan << ADS1015_CFG_MUX_SHIFT |
+- pga << ADS1015_CFG_PGA_SHIFT |
+- dr << ADS1015_CFG_DR_SHIFT,
+- &change);
+- if (ret < 0)
++ cfg = (old & ~mask) | (cfg & mask);
++
++ ret = regmap_write(data->regmap, ADS1015_CFG_REG, cfg);
++ if (ret)
+ return ret;
+
+- if (change || data->conv_invalid) {
+- conv_time = DIV_ROUND_UP(USEC_PER_SEC, data->data_rate[dr]);
++ if (old != cfg || data->conv_invalid) {
++ int dr_old = (old & ADS1015_CFG_DR_MASK) >>
++ ADS1015_CFG_DR_SHIFT;
++
++ conv_time = DIV_ROUND_UP(USEC_PER_SEC, data->data_rate[dr_old]);
++ conv_time += DIV_ROUND_UP(USEC_PER_SEC, data->data_rate[dr]);
+ usleep_range(conv_time, conv_time + 1);
+ data->conv_invalid = false;
+ }
--- /dev/null
+From 73e3e3fc50de50cfd68e945d85679c983ed31bd9 Mon Sep 17 00:00:00 2001
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Fri, 21 Jul 2017 00:24:20 +0900
+Subject: iio: adc: ti-ads1015: avoid getting stale result after runtime resume
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+commit 73e3e3fc50de50cfd68e945d85679c983ed31bd9 upstream.
+
+This driver assumes that the device is operating in the continuous
+conversion mode which performs the conversion continuously. So this driver
+doesn't insert a wait time before reading the conversion register if the
+configuration is not changed from a previous request.
+
+This assumption is broken if the device is runtime suspended and entered
+a power-down state. The forthcoming request causes reading a stale result
+from the conversion register as the device is runtime resumed just before.
+
+Fix it by adding a flag to detect that condition and insert a necessary
+wait time.
+
+Cc: Daniel Baluta <daniel.baluta@gmail.com>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/ti-ads1015.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/adc/ti-ads1015.c
++++ b/drivers/iio/adc/ti-ads1015.c
+@@ -176,6 +176,12 @@ struct ads1015_data {
+ struct ads1015_channel_data channel_data[ADS1015_CHANNELS];
+
+ unsigned int *data_rate;
++ /*
++ * Set to true when the ADC is switched to the continuous-conversion
++ * mode and exits from a power-down state. This flag is used to avoid
++ * getting the stale result from the conversion register.
++ */
++ bool conv_invalid;
+ };
+
+ static bool ads1015_is_writeable_reg(struct device *dev, unsigned int reg)
+@@ -254,9 +260,10 @@ int ads1015_get_adc_result(struct ads101
+ if (ret < 0)
+ return ret;
+
+- if (change) {
++ if (change || data->conv_invalid) {
+ conv_time = DIV_ROUND_UP(USEC_PER_SEC, data->data_rate[dr]);
+ usleep_range(conv_time, conv_time + 1);
++ data->conv_invalid = false;
+ }
+
+ return regmap_read(data->regmap, ADS1015_CONV_REG, val);
+@@ -624,6 +631,8 @@ static int ads1015_probe(struct i2c_clie
+ if (ret)
+ return ret;
+
++ data->conv_invalid = true;
++
+ ret = pm_runtime_set_active(&client->dev);
+ if (ret)
+ goto err_buffer_cleanup;
+@@ -679,10 +688,15 @@ static int ads1015_runtime_resume(struct
+ {
+ struct iio_dev *indio_dev = i2c_get_clientdata(to_i2c_client(dev));
+ struct ads1015_data *data = iio_priv(indio_dev);
++ int ret;
+
+- return regmap_update_bits(data->regmap, ADS1015_CFG_REG,
++ ret = regmap_update_bits(data->regmap, ADS1015_CFG_REG,
+ ADS1015_CFG_MOD_MASK,
+ ADS1015_CONTINUOUS << ADS1015_CFG_MOD_SHIFT);
++ if (!ret)
++ data->conv_invalid = true;
++
++ return ret;
+ }
+ #endif
+
--- /dev/null
+From a6fe5e52d5ecfc98530034d6c9db73777cf41ede Mon Sep 17 00:00:00 2001
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Fri, 21 Jul 2017 00:24:21 +0900
+Subject: iio: adc: ti-ads1015: don't return invalid value from buffer setup callbacks
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+commit a6fe5e52d5ecfc98530034d6c9db73777cf41ede upstream.
+
+pm_runtime_get_sync() and pm_runtime_put_autosuspend() return 0 on
+success, 1 if the device's runtime PM status was already requested status
+or error code on failure. So a positive return value doesn't indicate an
+error condition.
+
+However, any non-zero return values from buffer preenable and postdisable
+callbacks are recognized as an error and this driver reuses the return
+value from pm_runtime_get_sync() and pm_runtime_put_autosuspend() in
+these callbacks. This change fixes the false error detections.
+
+Cc: Daniel Baluta <daniel.baluta@gmail.com>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/ti-ads1015.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/ti-ads1015.c
++++ b/drivers/iio/adc/ti-ads1015.c
+@@ -234,7 +234,7 @@ static int ads1015_set_power_state(struc
+ ret = pm_runtime_put_autosuspend(dev);
+ }
+
+- return ret;
++ return ret < 0 ? ret : 0;
+ }
+
+ static
--- /dev/null
+From e8245c68350104b6022b6783719e843d69ea7c43 Mon Sep 17 00:00:00 2001
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Fri, 21 Jul 2017 00:24:19 +0900
+Subject: iio: adc: ti-ads1015: enable conversion when CONFIG_PM is not set
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+commit e8245c68350104b6022b6783719e843d69ea7c43 upstream.
+
+The ADS1015 device have two operating modes, continuous conversion mode
+and single-shot mode. This driver assumes that the continuous conversion
+mode is selected by runtime resume callback when the ADC result is
+requested.
+
+If CONFIG_PM is disabled, the device is always in the default single-shot
+mode and no one begins a single conversion. So the conversion register
+doesn't contain valid ADC result. Fix it by changing the continuous mode
+in probe function.
+
+Cc: Daniel Baluta <daniel.baluta@gmail.com>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/ti-ads1015.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/iio/adc/ti-ads1015.c
++++ b/drivers/iio/adc/ti-ads1015.c
+@@ -617,6 +617,13 @@ static int ads1015_probe(struct i2c_clie
+ dev_err(&client->dev, "iio triggered buffer setup failed\n");
+ return ret;
+ }
++
++ ret = regmap_update_bits(data->regmap, ADS1015_CFG_REG,
++ ADS1015_CFG_MOD_MASK,
++ ADS1015_CONTINUOUS << ADS1015_CFG_MOD_SHIFT);
++ if (ret)
++ return ret;
++
+ ret = pm_runtime_set_active(&client->dev);
+ if (ret)
+ goto err_buffer_cleanup;
--- /dev/null
+From 0d106b74c558e3000aa0e058b4725cacb70ce77a Mon Sep 17 00:00:00 2001
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Fri, 21 Jul 2017 00:24:17 +0900
+Subject: iio: adc: ti-ads1015: fix incorrect data rate setting update
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+commit 0d106b74c558e3000aa0e058b4725cacb70ce77a upstream.
+
+The ti-ads1015 driver has eight iio voltage channels and each iio channel
+can hold own sampling frequency information.
+
+The ADS1015 device only have a single config register which contains an
+input multiplexer selection, PGA and data rate settings. So the driver
+should load the correct settings when the input multiplexer selection is
+changed.
+
+However, regardless of which channlel is currently selected, changing any
+iio channel's sampling frequency information immediately overwrites the
+current data rate setting in the config register.
+
+It breaks the current data rate setting if the different channel's sampling
+frequency information is changed because the data rate setting is not
+reloaded when the input multiplexer is switched.
+
+This removes the unexpected config register update and correctly load the
+data rate setting before getting adc result.
+
+Cc: Daniel Baluta <daniel.baluta@gmail.com>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/ti-ads1015.c | 27 ++++++++++-----------------
+ 1 file changed, 10 insertions(+), 17 deletions(-)
+
+--- a/drivers/iio/adc/ti-ads1015.c
++++ b/drivers/iio/adc/ti-ads1015.c
+@@ -251,9 +251,11 @@ int ads1015_get_adc_result(struct ads101
+
+ ret = regmap_update_bits_check(data->regmap, ADS1015_CFG_REG,
+ ADS1015_CFG_MUX_MASK |
+- ADS1015_CFG_PGA_MASK,
++ ADS1015_CFG_PGA_MASK |
++ ADS1015_CFG_DR_MASK,
+ chan << ADS1015_CFG_MUX_SHIFT |
+- pga << ADS1015_CFG_PGA_SHIFT,
++ pga << ADS1015_CFG_PGA_SHIFT |
++ dr << ADS1015_CFG_DR_SHIFT,
+ &change);
+ if (ret < 0)
+ return ret;
+@@ -324,25 +326,16 @@ static int ads1015_set_scale(struct ads1
+
+ static int ads1015_set_data_rate(struct ads1015_data *data, int chan, int rate)
+ {
+- int i, ret, rindex = -1;
++ int i;
+
+- for (i = 0; i < ARRAY_SIZE(ads1015_data_rate); i++)
++ for (i = 0; i < ARRAY_SIZE(ads1015_data_rate); i++) {
+ if (data->data_rate[i] == rate) {
+- rindex = i;
+- break;
++ data->channel_data[chan].data_rate = i;
++ return 0;
+ }
+- if (rindex < 0)
+- return -EINVAL;
+-
+- ret = regmap_update_bits(data->regmap, ADS1015_CFG_REG,
+- ADS1015_CFG_DR_MASK,
+- rindex << ADS1015_CFG_DR_SHIFT);
+- if (ret < 0)
+- return ret;
+-
+- data->channel_data[chan].data_rate = rindex;
++ }
+
+- return 0;
++ return -EINVAL;
+ }
+
+ static int ads1015_read_raw(struct iio_dev *indio_dev,
--- /dev/null
+From 8d0e8e795623bd6229cf48bb7777a1c456c370ed Mon Sep 17 00:00:00 2001
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Fri, 21 Jul 2017 00:24:18 +0900
+Subject: iio: adc: ti-ads1015: fix scale information for ADS1115
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+commit 8d0e8e795623bd6229cf48bb7777a1c456c370ed upstream.
+
+The ti-ads1015 driver supports ADS1015 and ADS1115 devices. The same
+scale information is used for both devices in this driver, however they
+have actually different values and the ADS1115's one is not correct.
+
+These devices have the same full-scale input voltage range for each PGA
+selection. So instead of adding another hardcoded scale information,
+compute a correct scale on demand from each device's resolution.
+
+Cc: Daniel Baluta <daniel.baluta@gmail.com>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/ti-ads1015.c | 48 +++++++++++++++++++++----------------------
+ 1 file changed, 24 insertions(+), 24 deletions(-)
+
+--- a/drivers/iio/adc/ti-ads1015.c
++++ b/drivers/iio/adc/ti-ads1015.c
+@@ -80,18 +80,12 @@ static const unsigned int ads1115_data_r
+ 8, 16, 32, 64, 128, 250, 475, 860
+ };
+
+-static const struct {
+- int scale;
+- int uscale;
+-} ads1015_scale[] = {
+- {3, 0},
+- {2, 0},
+- {1, 0},
+- {0, 500000},
+- {0, 250000},
+- {0, 125000},
+- {0, 125000},
+- {0, 125000},
++/*
++ * Translation from PGA bits to full-scale positive and negative input voltage
++ * range in mV
++ */
++static int ads1015_fullscale_range[] = {
++ 6144, 4096, 2048, 1024, 512, 256, 256, 256
+ };
+
+ #define ADS1015_V_CHAN(_chan, _addr) { \
+@@ -299,17 +293,20 @@ err:
+ return IRQ_HANDLED;
+ }
+
+-static int ads1015_set_scale(struct ads1015_data *data, int chan,
++static int ads1015_set_scale(struct ads1015_data *data,
++ struct iio_chan_spec const *chan,
+ int scale, int uscale)
+ {
+ int i, ret, rindex = -1;
++ int fullscale = div_s64((scale * 1000000LL + uscale) <<
++ (chan->scan_type.realbits - 1), 1000000);
+
+- for (i = 0; i < ARRAY_SIZE(ads1015_scale); i++)
+- if (ads1015_scale[i].scale == scale &&
+- ads1015_scale[i].uscale == uscale) {
++ for (i = 0; i < ARRAY_SIZE(ads1015_fullscale_range); i++) {
++ if (ads1015_fullscale_range[i] == fullscale) {
+ rindex = i;
+ break;
+ }
++ }
+ if (rindex < 0)
+ return -EINVAL;
+
+@@ -319,7 +316,7 @@ static int ads1015_set_scale(struct ads1
+ if (ret < 0)
+ return ret;
+
+- data->channel_data[chan].pga = rindex;
++ data->channel_data[chan->address].pga = rindex;
+
+ return 0;
+ }
+@@ -377,9 +374,9 @@ static int ads1015_read_raw(struct iio_d
+ }
+ case IIO_CHAN_INFO_SCALE:
+ idx = data->channel_data[chan->address].pga;
+- *val = ads1015_scale[idx].scale;
+- *val2 = ads1015_scale[idx].uscale;
+- ret = IIO_VAL_INT_PLUS_MICRO;
++ *val = ads1015_fullscale_range[idx];
++ *val2 = chan->scan_type.realbits - 1;
++ ret = IIO_VAL_FRACTIONAL_LOG2;
+ break;
+ case IIO_CHAN_INFO_SAMP_FREQ:
+ idx = data->channel_data[chan->address].data_rate;
+@@ -406,7 +403,7 @@ static int ads1015_write_raw(struct iio_
+ mutex_lock(&data->lock);
+ switch (mask) {
+ case IIO_CHAN_INFO_SCALE:
+- ret = ads1015_set_scale(data, chan->address, val, val2);
++ ret = ads1015_set_scale(data, chan, val, val2);
+ break;
+ case IIO_CHAN_INFO_SAMP_FREQ:
+ ret = ads1015_set_data_rate(data, chan->address, val);
+@@ -438,7 +435,10 @@ static const struct iio_buffer_setup_ops
+ .validate_scan_mask = &iio_validate_scan_mask_onehot,
+ };
+
+-static IIO_CONST_ATTR(scale_available, "3 2 1 0.5 0.25 0.125");
++static IIO_CONST_ATTR_NAMED(ads1015_scale_available, scale_available,
++ "3 2 1 0.5 0.25 0.125");
++static IIO_CONST_ATTR_NAMED(ads1115_scale_available, scale_available,
++ "0.1875 0.125 0.0625 0.03125 0.015625 0.007813");
+
+ static IIO_CONST_ATTR_NAMED(ads1015_sampling_frequency_available,
+ sampling_frequency_available, "128 250 490 920 1600 2400 3300");
+@@ -446,7 +446,7 @@ static IIO_CONST_ATTR_NAMED(ads1115_samp
+ sampling_frequency_available, "8 16 32 64 128 250 475 860");
+
+ static struct attribute *ads1015_attributes[] = {
+- &iio_const_attr_scale_available.dev_attr.attr,
++ &iio_const_attr_ads1015_scale_available.dev_attr.attr,
+ &iio_const_attr_ads1015_sampling_frequency_available.dev_attr.attr,
+ NULL,
+ };
+@@ -456,7 +456,7 @@ static const struct attribute_group ads1
+ };
+
+ static struct attribute *ads1115_attributes[] = {
+- &iio_const_attr_scale_available.dev_attr.attr,
++ &iio_const_attr_ads1115_scale_available.dev_attr.attr,
+ &iio_const_attr_ads1115_sampling_frequency_available.dev_attr.attr,
+ NULL,
+ };
--- /dev/null
+From 293b915fd9bebf33cdc906516fb28d54649a25ac Mon Sep 17 00:00:00 2001
+From: Oscar Campos <oscar.campos@member.fsf.org>
+Date: Tue, 18 Jul 2017 17:20:36 -0700
+Subject: Input: trackpoint - assume 3 buttons when buttons detection fails
+
+From: Oscar Campos <oscar.campos@member.fsf.org>
+
+commit 293b915fd9bebf33cdc906516fb28d54649a25ac upstream.
+
+Trackpoint buttons detection fails on ThinkPad 570 and 470 series,
+this makes the middle button of the trackpoint to not being recogized.
+As I don't believe there is any trackpoint with less than 3 buttons this
+patch just assumes three buttons when the extended button information
+read fails.
+
+Signed-off-by: Oscar Campos <oscar.campos@member.fsf.org>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/mouse/trackpoint.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/mouse/trackpoint.c
++++ b/drivers/input/mouse/trackpoint.c
+@@ -381,8 +381,8 @@ int trackpoint_detect(struct psmouse *ps
+ return 0;
+
+ if (trackpoint_read(&psmouse->ps2dev, TP_EXT_BTN, &button_info)) {
+- psmouse_warn(psmouse, "failed to get extended button data\n");
+- button_info = 0;
++ psmouse_warn(psmouse, "failed to get extended button data, assuming 3 buttons\n");
++ button_info = 0x33;
+ }
+
+ psmouse->private = kzalloc(sizeof(struct trackpoint_data), GFP_KERNEL);
--- /dev/null
+From 84331e1390b6378a5129a3678c87a42c6f697d29 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Thu, 30 Jun 2016 16:11:13 +0300
+Subject: intel_th: pci: Add Cannon Lake PCH-H support
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 84331e1390b6378a5129a3678c87a42c6f697d29 upstream.
+
+This adds Intel(R) Trace Hub PCI ID for Cannon Lake PCH-H.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/pci.c
++++ b/drivers/hwtracing/intel_th/pci.c
+@@ -85,6 +85,11 @@ static const struct pci_device_id intel_
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa2a6),
+ .driver_data = (kernel_ulong_t)0,
+ },
++ {
++ /* Cannon Lake H */
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa326),
++ .driver_data = (kernel_ulong_t)0,
++ },
+ { 0 },
+ };
+
--- /dev/null
+From efb3669e14fe17d0ec4ecf57d0365039fe726f59 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Thu, 30 Jun 2016 16:11:31 +0300
+Subject: intel_th: pci: Add Cannon Lake PCH-LP support
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit efb3669e14fe17d0ec4ecf57d0365039fe726f59 upstream.
+
+This adds Intel(R) Trace Hub PCI ID for Cannon Lake PCH-LP.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/pci.c
++++ b/drivers/hwtracing/intel_th/pci.c
+@@ -90,6 +90,11 @@ static const struct pci_device_id intel_
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa326),
+ .driver_data = (kernel_ulong_t)0,
+ },
++ {
++ /* Cannon Lake LP */
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x9da6),
++ .driver_data = (kernel_ulong_t)0,
++ },
+ { 0 },
+ };
+
--- /dev/null
+From 3f7a5e13e85026b6e460bbd6e87f87379421d272 Mon Sep 17 00:00:00 2001
+From: Luca Coelho <luciano.coelho@intel.com>
+Date: Wed, 16 Aug 2017 08:47:38 +0300
+Subject: iwlwifi: pci: add new PCI ID for 7265D
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+commit 3f7a5e13e85026b6e460bbd6e87f87379421d272 upstream.
+
+We have a new PCI subsystem ID for 7265D. Add it to the list.
+
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -429,6 +429,7 @@ static const struct pci_device_id iwl_hw
+ {IWL_PCI_DEVICE(0x095B, 0x520A, iwl7265_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x095A, 0x9000, iwl7265_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x095A, 0x9400, iwl7265_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x095A, 0x9E10, iwl7265_2ac_cfg)},
+
+ /* 8000 Series */
+ {IWL_PCI_DEVICE(0x24F3, 0x0010, iwl8260_2ac_cfg)},
--- /dev/null
+From acf5e051ac44d5dc60b21bc4734ef1b844d55551 Mon Sep 17 00:00:00 2001
+From: Michael Moese <michael.moese@men.de>
+Date: Tue, 29 Aug 2017 14:47:24 +0200
+Subject: MCB: add support for SC31 to mcb-lpc
+
+From: Michael Moese <michael.moese@men.de>
+
+commit acf5e051ac44d5dc60b21bc4734ef1b844d55551 upstream.
+
+This patch adds the resources and DMI ID's for the MEN SC31,
+which uses a different address region to map the LPC bus than
+the one used for the existing SC24.
+
+Signed-off-by: Michael Moese <michael.moese@men.de>
+[jth add stable tag]
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mcb/mcb-lpc.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/mcb/mcb-lpc.c
++++ b/drivers/mcb/mcb-lpc.c
+@@ -114,6 +114,12 @@ static struct resource sc24_fpga_resourc
+ .flags = IORESOURCE_MEM,
+ };
+
++static struct resource sc31_fpga_resource = {
++ .start = 0xf000e000,
++ .end = 0xf000e000 + CHAM_HEADER_SIZE,
++ .flags = IORESOURCE_MEM,
++};
++
+ static struct platform_driver mcb_lpc_driver = {
+ .driver = {
+ .name = "mcb-lpc",
+@@ -132,6 +138,15 @@ static const struct dmi_system_id mcb_lp
+ .driver_data = (void *)&sc24_fpga_resource,
+ .callback = mcb_lpc_create_platform_device,
+ },
++ {
++ .ident = "SC31",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "MEN"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "14SC31"),
++ },
++ .driver_data = (void *)&sc31_fpga_resource,
++ .callback = mcb_lpc_create_platform_device,
++ },
+ {}
+ };
+ MODULE_DEVICE_TABLE(dmi, mcb_lpc_dmi_table);
--- /dev/null
+From 4b5dde2d6234ff5bc68e97e6901d1f2a0a7f3749 Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Thu, 29 Jun 2017 18:23:54 -0700
+Subject: mwifiex: correct channel stat buffer overflows
+
+From: Brian Norris <briannorris@chromium.org>
+
+commit 4b5dde2d6234ff5bc68e97e6901d1f2a0a7f3749 upstream.
+
+mwifiex records information about various channels as it receives scan
+information. It does this by appending to a buffer that was sized
+to the max number of supported channels on any band, but there are
+numerous problems:
+
+(a) scans can return info from more than one band (e.g., both 2.4 and 5
+ GHz), so the determined "max" is not large enough
+(b) some firmware appears to return multiple results for a given
+ channel, so the max *really* isn't large enough
+(c) there is no bounds checking when stashing these stats, so problems
+ (a) and (b) can easily lead to buffer overflows
+
+Let's patch this by setting a slightly-more-correct max (that accounts
+for a combination of both 2.4G and 5G bands) and adding a bounds check
+when writing to our statistics buffer.
+
+Due to problem (b), we still might not properly report all known survey
+information (e.g., with "iw <dev> survey dump"), since duplicate results
+(or otherwise "larger than expected" results) will cause some
+truncation. But that's a problem for a future bugfix.
+
+(And because of this known deficiency, only log the excess at the WARN
+level, since that isn't visible by default in this driver and would
+otherwise be a bit too noisy.)
+
+Fixes: bf35443314ac ("mwifiex: channel statistics support for mwifiex")
+Cc: Avinash Patil <patila@marvell.com>
+Cc: Xinming Hu <huxm@marvell.com>
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Reviewed-by: Ganapathi Bhat <gbhat@marvell.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/marvell/mwifiex/cfg80211.c | 2 +-
+ drivers/net/wireless/marvell/mwifiex/scan.c | 6 ++++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+@@ -4188,7 +4188,7 @@ int mwifiex_init_channel_scan_gap(struct
+ if (adapter->config_bands & BAND_A)
+ n_channels_a = mwifiex_band_5ghz.n_channels;
+
+- adapter->num_in_chan_stats = max_t(u32, n_channels_bg, n_channels_a);
++ adapter->num_in_chan_stats = n_channels_bg + n_channels_a;
+ adapter->chan_stats = vmalloc(sizeof(*adapter->chan_stats) *
+ adapter->num_in_chan_stats);
+
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -2479,6 +2479,12 @@ mwifiex_update_chan_statistics(struct mw
+ sizeof(struct mwifiex_chan_stats);
+
+ for (i = 0 ; i < num_chan; i++) {
++ if (adapter->survey_idx >= adapter->num_in_chan_stats) {
++ mwifiex_dbg(adapter, WARN,
++ "FW reported too many channel results (max %d)\n",
++ adapter->num_in_chan_stats);
++ return;
++ }
+ chan_stats.chan_num = fw_chan_stats->chan_num;
+ chan_stats.bandcfg = fw_chan_stats->bandcfg;
+ chan_stats.flags = fw_chan_stats->flags;
--- /dev/null
+From fc81bab5eeb103711925d7510157cf5cd2b153f4 Mon Sep 17 00:00:00 2001
+From: Malcolm Priestley <tvboxspy@gmail.com>
+Date: Sun, 30 Jul 2017 09:02:19 +0100
+Subject: rtlwifi: rtl_pci_probe: Fix fail path of _rtl_pci_find_adapter
+
+From: Malcolm Priestley <tvboxspy@gmail.com>
+
+commit fc81bab5eeb103711925d7510157cf5cd2b153f4 upstream.
+
+_rtl_pci_find_adapter fail path will jump to label fail3 for
+unsupported adapter types.
+
+However, on course for fail3 there will be call rtl_deinit_core
+before rtl_init_core.
+
+For the inclusion of checking pci_iounmap this fail can be moved to
+fail2.
+
+Fixes
+[ 4.492963] BUG: unable to handle kernel NULL pointer dereference at (null)
+[ 4.493067] IP: rtl_deinit_core+0x31/0x90 [rtlwifi]
+
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/pci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -2269,7 +2269,7 @@ int rtl_pci_probe(struct pci_dev *pdev,
+ /* find adapter */
+ if (!_rtl_pci_find_adapter(pdev, hw)) {
+ err = -ENODEV;
+- goto fail3;
++ goto fail2;
+ }
+
+ /* Init IO handler */
+@@ -2339,10 +2339,10 @@ fail3:
+ pci_set_drvdata(pdev, NULL);
+ rtl_deinit_core(hw);
+
++fail2:
+ if (rtlpriv->io.pci_mem_start != 0)
+ pci_iounmap(pdev, (void __iomem *)rtlpriv->io.pci_mem_start);
+
+-fail2:
+ pci_release_regions(pdev);
+ complete(&rtlpriv->firmware_loading_complete);
+
--- /dev/null
+From fa41ba0d08de7c975c3e94d0067553f9b934221f Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Thu, 24 Aug 2017 12:55:08 +0200
+Subject: s390/mm: avoid empty zero pages for KVM guests to avoid postcopy hangs
+
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+
+commit fa41ba0d08de7c975c3e94d0067553f9b934221f upstream.
+
+Right now there is a potential hang situation for postcopy migrations,
+if the guest is enabling storage keys on the target system during the
+postcopy process.
+
+For storage key virtualization, we have to forbid the empty zero page as
+the storage key is a property of the physical page frame. As we enable
+storage key handling lazily we then drop all mappings for empty zero
+pages for lazy refaulting later on.
+
+This does not work with the postcopy migration, which relies on the
+empty zero page never triggering a fault again in the future. The reason
+is that postcopy migration will simply read a page on the target system
+if that page is a known zero page to fault in an empty zero page. At
+the same time postcopy remembers that this page was already transferred
+- so any future userfault on that page will NOT be retransmitted again
+to avoid races.
+
+If now the guest enters the storage key mode while in postcopy, we will
+break this assumption of postcopy.
+
+The solution is to disable the empty zero page for KVM guests early on
+and not during storage key enablement. With this change, the postcopy
+migration process is guaranteed to start after no zero pages are left.
+
+As guest pages are very likely not empty zero pages anyway the memory
+overhead is also pretty small.
+
+While at it this also adds proper page table locking to the zero page
+removal.
+
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Acked-by: Janosch Frank <frankja@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/include/asm/pgtable.h | 2 +-
+ arch/s390/mm/gmap.c | 39 ++++++++++++++++++++++++++++++++-------
+ 2 files changed, 33 insertions(+), 8 deletions(-)
+
+--- a/arch/s390/include/asm/pgtable.h
++++ b/arch/s390/include/asm/pgtable.h
+@@ -480,7 +480,7 @@ static inline int mm_alloc_pgste(struct
+ * In the case that a guest uses storage keys
+ * faults should no longer be backed by zero pages
+ */
+-#define mm_forbids_zeropage mm_use_skey
++#define mm_forbids_zeropage mm_has_pgste
+ static inline int mm_use_skey(struct mm_struct *mm)
+ {
+ #ifdef CONFIG_PGSTE
+--- a/arch/s390/mm/gmap.c
++++ b/arch/s390/mm/gmap.c
+@@ -2125,6 +2125,37 @@ static inline void thp_split_mm(struct m
+ }
+
+ /*
++ * Remove all empty zero pages from the mapping for lazy refaulting
++ * - This must be called after mm->context.has_pgste is set, to avoid
++ * future creation of zero pages
++ * - This must be called after THP was enabled
++ */
++static int __zap_zero_pages(pmd_t *pmd, unsigned long start,
++ unsigned long end, struct mm_walk *walk)
++{
++ unsigned long addr;
++
++ for (addr = start; addr != end; addr += PAGE_SIZE) {
++ pte_t *ptep;
++ spinlock_t *ptl;
++
++ ptep = pte_offset_map_lock(walk->mm, pmd, addr, &ptl);
++ if (is_zero_pfn(pte_pfn(*ptep)))
++ ptep_xchg_direct(walk->mm, addr, ptep, __pte(_PAGE_INVALID));
++ pte_unmap_unlock(ptep, ptl);
++ }
++ return 0;
++}
++
++static inline void zap_zero_pages(struct mm_struct *mm)
++{
++ struct mm_walk walk = { .pmd_entry = __zap_zero_pages };
++
++ walk.mm = mm;
++ walk_page_range(0, TASK_SIZE, &walk);
++}
++
++/*
+ * switch on pgstes for its userspace process (for kvm)
+ */
+ int s390_enable_sie(void)
+@@ -2141,6 +2172,7 @@ int s390_enable_sie(void)
+ mm->context.has_pgste = 1;
+ /* split thp mappings and disable thp for future mappings */
+ thp_split_mm(mm);
++ zap_zero_pages(mm);
+ up_write(&mm->mmap_sem);
+ return 0;
+ }
+@@ -2153,13 +2185,6 @@ EXPORT_SYMBOL_GPL(s390_enable_sie);
+ static int __s390_enable_skey(pte_t *pte, unsigned long addr,
+ unsigned long next, struct mm_walk *walk)
+ {
+- /*
+- * Remove all zero page mappings,
+- * after establishing a policy to forbid zero page mappings
+- * following faults for that page will get fresh anonymous pages
+- */
+- if (is_zero_pfn(pte_pfn(*pte)))
+- ptep_xchg_direct(walk->mm, addr, pte, __pte(_PAGE_INVALID));
+ /* Clear storage key */
+ ptep_zap_key(walk->mm, addr, pte);
+ return 0;
usb-add-device-quirk-for-logitech-hd-pro-webcam-c920-c.patch
usb-xhci-fix-regression-when-ati-chipsets-detected.patch
usb-musb-fix-external-abort-on-suspend.patch
+usb-core-avoid-race-of-async_completed-w-usbdev_release.patch
+staging-rts5208-fix-incorrect-shift-to-extract-upper-nybble.patch
+iio-adc-ti-ads1015-fix-incorrect-data-rate-setting-update.patch
+iio-adc-ti-ads1015-fix-scale-information-for-ads1115.patch
+iio-adc-ti-ads1015-enable-conversion-when-config_pm-is-not-set.patch
+iio-adc-ti-ads1015-avoid-getting-stale-result-after-runtime-resume.patch
+iio-adc-ti-ads1015-don-t-return-invalid-value-from-buffer-setup-callbacks.patch
+iio-adc-ti-ads1015-add-adequate-wait-time-to-get-correct-conversion.patch
+driver-core-bus-fix-a-potential-double-free.patch
+intel_th-pci-add-cannon-lake-pch-h-support.patch
+intel_th-pci-add-cannon-lake-pch-lp-support.patch
+ath10k-fix-memory-leak-in-rx-ring-buffer-allocation.patch
+input-trackpoint-assume-3-buttons-when-buttons-detection-fails.patch
+rtlwifi-rtl_pci_probe-fix-fail-path-of-_rtl_pci_find_adapter.patch
+bluetooth-add-support-of-13d3-3494-rtl8723be-device.patch
+iwlwifi-pci-add-new-pci-id-for-7265d.patch
+dlm-avoid-double-free-on-error-path-in-dlm_device_-register-unregister.patch
+mwifiex-correct-channel-stat-buffer-overflows.patch
+mcb-add-support-for-sc31-to-mcb-lpc.patch
+s390-mm-avoid-empty-zero-pages-for-kvm-guests-to-avoid-postcopy-hangs.patch
+drm-nouveau-pci-msi-disable-msi-on-big-endian-platforms-by-default.patch
+workqueue-fix-flag-collision.patch
--- /dev/null
+From 34ff1bf4920471cff66775dc39537b15c5f0feff Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 18 Aug 2017 14:34:16 +0100
+Subject: staging/rts5208: fix incorrect shift to extract upper nybble
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 34ff1bf4920471cff66775dc39537b15c5f0feff upstream.
+
+The mask of sns_key_info1 suggests the upper nybble is being extracted
+however the following shift of 8 bits is too large and always results in
+0. Fix this by shifting only by 4 bits to correctly get the upper nybble.
+
+Detected by CoverityScan, CID#142891 ("Operands don't affect result")
+
+Fixes: fa590c222fba ("staging: rts5208: add support for rts5208 and rts5288")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rts5208/rtsx_scsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rts5208/rtsx_scsi.c
++++ b/drivers/staging/rts5208/rtsx_scsi.c
+@@ -414,7 +414,7 @@ void set_sense_data(struct rtsx_chip *ch
+ sense->ascq = ascq;
+ if (sns_key_info0 != 0) {
+ sense->sns_key_info[0] = SKSV | sns_key_info0;
+- sense->sns_key_info[1] = (sns_key_info1 & 0xf0) >> 8;
++ sense->sns_key_info[1] = (sns_key_info1 & 0xf0) >> 4;
+ sense->sns_key_info[2] = sns_key_info1 & 0x0f;
+ }
+ }
--- /dev/null
+From ed62ca2f4f51c17841ea39d98c0c409cb53a3e10 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Thu, 10 Aug 2017 15:42:22 -0700
+Subject: USB: core: Avoid race of async_completed() w/ usbdev_release()
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit ed62ca2f4f51c17841ea39d98c0c409cb53a3e10 upstream.
+
+While running reboot tests w/ a specific set of USB devices (and
+slub_debug enabled), I found that once every few hours my device would
+be crashed with a stack that looked like this:
+
+[ 14.012445] BUG: spinlock bad magic on CPU#0, modprobe/2091
+[ 14.012460] lock: 0xffffffc0cb055978, .magic: ffffffc0, .owner: cryption contexts: %lu/%lu
+[ 14.012460] /1025536097, .owner_cpu: 0
+[ 14.012466] CPU: 0 PID: 2091 Comm: modprobe Not tainted 4.4.79 #352
+[ 14.012468] Hardware name: Google Kevin (DT)
+[ 14.012471] Call trace:
+[ 14.012483] [<....>] dump_backtrace+0x0/0x160
+[ 14.012487] [<....>] show_stack+0x20/0x28
+[ 14.012494] [<....>] dump_stack+0xb4/0xf0
+[ 14.012500] [<....>] spin_dump+0x8c/0x98
+[ 14.012504] [<....>] spin_bug+0x30/0x3c
+[ 14.012508] [<....>] do_raw_spin_lock+0x40/0x164
+[ 14.012515] [<....>] _raw_spin_lock_irqsave+0x64/0x74
+[ 14.012521] [<....>] __wake_up+0x2c/0x60
+[ 14.012528] [<....>] async_completed+0x2d0/0x300
+[ 14.012534] [<....>] __usb_hcd_giveback_urb+0xc4/0x138
+[ 14.012538] [<....>] usb_hcd_giveback_urb+0x54/0xf0
+[ 14.012544] [<....>] xhci_irq+0x1314/0x1348
+[ 14.012548] [<....>] usb_hcd_irq+0x40/0x50
+[ 14.012553] [<....>] handle_irq_event_percpu+0x1b4/0x3f0
+[ 14.012556] [<....>] handle_irq_event+0x4c/0x7c
+[ 14.012561] [<....>] handle_fasteoi_irq+0x158/0x1c8
+[ 14.012564] [<....>] generic_handle_irq+0x30/0x44
+[ 14.012568] [<....>] __handle_domain_irq+0x90/0xbc
+[ 14.012572] [<....>] gic_handle_irq+0xcc/0x18c
+
+Investigation using kgdb() found that the wait queue that was passed
+into wake_up() had been freed (it was filled with slub_debug poison).
+
+I analyzed and instrumented the code and reproduced. My current
+belief is that this is happening:
+
+1. async_completed() is called (from IRQ). Moves "as" onto the
+ completed list.
+2. On another CPU, proc_reapurbnonblock_compat() calls
+ async_getcompleted(). Blocks on spinlock.
+3. async_completed() releases the lock; keeps running; gets blocked
+ midway through wake_up().
+4. proc_reapurbnonblock_compat() => async_getcompleted() gets the
+ lock; removes "as" from completed list and frees it.
+5. usbdev_release() is called. Frees "ps".
+6. async_completed() finally continues running wake_up(). ...but
+ wake_up() has a pointer to the freed "ps".
+
+The instrumentation that led me to believe this was based on adding
+some trace_printk() calls in a select few functions and then using
+kdb's "ftdump" at crash time. The trace follows (NOTE: in the trace
+below I cheated a little bit and added a udelay(1000) in
+async_completed() after releasing the spinlock because I wanted it to
+trigger quicker):
+
+<...>-2104 0d.h2 13759034us!: async_completed at start: as=ffffffc0cc638200
+mtpd-2055 3.... 13759356us : async_getcompleted before spin_lock_irqsave
+mtpd-2055 3d..1 13759362us : async_getcompleted after list_del_init: as=ffffffc0cc638200
+mtpd-2055 3.... 13759371us+: proc_reapurbnonblock_compat: free_async(ffffffc0cc638200)
+mtpd-2055 3.... 13759422us+: async_getcompleted before spin_lock_irqsave
+mtpd-2055 3.... 13759479us : usbdev_release at start: ps=ffffffc0cc042080
+mtpd-2055 3.... 13759487us : async_getcompleted before spin_lock_irqsave
+mtpd-2055 3.... 13759497us!: usbdev_release after kfree(ps): ps=ffffffc0cc042080
+<...>-2104 0d.h2 13760294us : async_completed before wake_up(): as=ffffffc0cc638200
+
+To fix this problem we can just move the wake_up() under the ps->lock.
+There should be no issues there that I'm aware of.
+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/devio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -629,6 +629,8 @@ static void async_completed(struct urb *
+ if (as->status < 0 && as->bulk_addr && as->status != -ECONNRESET &&
+ as->status != -ENOENT)
+ cancel_bulk_urbs(ps, as->bulk_addr);
++
++ wake_up(&ps->wait);
+ spin_unlock(&ps->lock);
+
+ if (signr) {
+@@ -636,8 +638,6 @@ static void async_completed(struct urb *
+ put_pid(pid);
+ put_cred(cred);
+ }
+-
+- wake_up(&ps->wait);
+ }
+
+ static void destroy_async(struct usb_dev_state *ps, struct list_head *list)
--- /dev/null
+From fbf1c41fc0f4d3574ac2377245efd666c1fa3075 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun, 3 Sep 2017 01:18:41 +0100
+Subject: workqueue: Fix flag collision
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit fbf1c41fc0f4d3574ac2377245efd666c1fa3075 upstream.
+
+Commit 0a94efb5acbb ("workqueue: implicit ordered attribute should be
+overridable") introduced a __WQ_ORDERED_EXPLICIT flag but gave it the
+same value as __WQ_LEGACY. I don't believe these were intended to
+mean the same thing, so renumber __WQ_ORDERED_EXPLICIT.
+
+Fixes: 0a94efb5acbb ("workqueue: implicit ordered attribute should be ...")
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/workqueue.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/workqueue.h
++++ b/include/linux/workqueue.h
+@@ -311,8 +311,8 @@ enum {
+
+ __WQ_DRAINING = 1 << 16, /* internal: workqueue is draining */
+ __WQ_ORDERED = 1 << 17, /* internal: workqueue is ordered */
+- __WQ_ORDERED_EXPLICIT = 1 << 18, /* internal: alloc_ordered_workqueue() */
+ __WQ_LEGACY = 1 << 18, /* internal: create*_workqueue() */
++ __WQ_ORDERED_EXPLICIT = 1 << 19, /* internal: alloc_ordered_workqueue() */
+
+ WQ_MAX_ACTIVE = 512, /* I like 512, better ideas? */
+ WQ_MAX_UNBOUND_PER_CPU = 4, /* 4 * #cpus for unbound wq */
projects / thirdparty / kernel / stable-queue.git / commitdiff
