--- /dev/null
+From c18df0adabf8400c1825b90382d06df5edc303fa Mon Sep 17 00:00:00 2001
+From: David Daney <david.daney@cavium.com>
+Date: Tue, 20 Sep 2016 11:46:35 -0700
+Subject: arm64: Call numa_store_cpu_info() earlier.
+
+From: David Daney <david.daney@cavium.com>
+
+commit c18df0adabf8400c1825b90382d06df5edc303fa upstream.
+
+The wq_numa_init() function makes a private CPU to node map by calling
+cpu_to_node() early in the boot process, before the non-boot CPUs are
+brought online. Since the default implementation of cpu_to_node()
+returns zero for CPUs that have never been brought online, the
+workqueue system's view is that *all* CPUs are on node zero.
+
+When the unbound workqueue for a non-zero node is created, the
+tsk_cpus_allowed() for the worker threads is the empty set because
+there are, in the view of the workqueue system, no CPUs on non-zero
+nodes. The code in try_to_wake_up() using this empty cpumask ends up
+using the cpumask empty set value of NR_CPUS as an index into the
+per-CPU area pointer array, and gets garbage as it is one past the end
+of the array. This results in:
+
+[ 0.881970] Unable to handle kernel paging request at virtual address fffffb1008b926a4
+[ 1.970095] pgd = fffffc00094b0000
+[ 1.973530] [fffffb1008b926a4] *pgd=0000000000000000, *pud=0000000000000000, *pmd=0000000000000000
+[ 1.982610] Internal error: Oops: 96000004 [#1] SMP
+[ 1.987541] Modules linked in:
+[ 1.990631] CPU: 48 PID: 295 Comm: cpuhp/48 Tainted: G W 4.8.0-rc6-preempt-vol+ #9
+[ 1.999435] Hardware name: Cavium ThunderX CN88XX board (DT)
+[ 2.005159] task: fffffe0fe89cc300 task.stack: fffffe0fe8b8c000
+[ 2.011158] PC is at try_to_wake_up+0x194/0x34c
+[ 2.015737] LR is at try_to_wake_up+0x150/0x34c
+[ 2.020318] pc : [<fffffc00080e7468>] lr : [<fffffc00080e7424>] pstate: 600000c5
+[ 2.027803] sp : fffffe0fe8b8fb10
+[ 2.031149] x29: fffffe0fe8b8fb10 x28: 0000000000000000
+[ 2.036522] x27: fffffc0008c63bc8 x26: 0000000000001000
+[ 2.041896] x25: fffffc0008c63c80 x24: fffffc0008bfb200
+[ 2.047270] x23: 00000000000000c0 x22: 0000000000000004
+[ 2.052642] x21: fffffe0fe89d25bc x20: 0000000000001000
+[ 2.058014] x19: fffffe0fe89d1d00 x18: 0000000000000000
+[ 2.063386] x17: 0000000000000000 x16: 0000000000000000
+[ 2.068760] x15: 0000000000000018 x14: 0000000000000000
+[ 2.074133] x13: 0000000000000000 x12: 0000000000000000
+[ 2.079505] x11: 0000000000000000 x10: 0000000000000000
+[ 2.084879] x9 : 0000000000000000 x8 : 0000000000000000
+[ 2.090251] x7 : 0000000000000040 x6 : 0000000000000000
+[ 2.095621] x5 : ffffffffffffffff x4 : 0000000000000000
+[ 2.100991] x3 : 0000000000000000 x2 : 0000000000000000
+[ 2.106364] x1 : fffffc0008be4c24 x0 : ffffff0ffffada80
+[ 2.111737]
+[ 2.113236] Process cpuhp/48 (pid: 295, stack limit = 0xfffffe0fe8b8c020)
+[ 2.120102] Stack: (0xfffffe0fe8b8fb10 to 0xfffffe0fe8b90000)
+[ 2.125914] fb00: fffffe0fe8b8fb80 fffffc00080e7648
+.
+.
+.
+[ 2.442859] Call trace:
+[ 2.445327] Exception stack(0xfffffe0fe8b8f940 to 0xfffffe0fe8b8fa70)
+[ 2.451843] f940: fffffe0fe89d1d00 0000040000000000 fffffe0fe8b8fb10 fffffc00080e7468
+[ 2.459767] f960: fffffe0fe8b8f980 fffffc00080e4958 ffffff0ff91ab200 fffffc00080e4b64
+[ 2.467690] f980: fffffe0fe8b8f9d0 fffffc00080e515c fffffe0fe8b8fa80 0000000000000000
+[ 2.475614] f9a0: fffffe0fe8b8f9d0 fffffc00080e58e4 fffffe0fe8b8fa80 0000000000000000
+[ 2.483540] f9c0: fffffe0fe8d10000 0000000000000040 fffffe0fe8b8fa50 fffffc00080e5ac4
+[ 2.491465] f9e0: ffffff0ffffada80 fffffc0008be4c24 0000000000000000 0000000000000000
+[ 2.499387] fa00: 0000000000000000 ffffffffffffffff 0000000000000000 0000000000000040
+[ 2.507309] fa20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+[ 2.515233] fa40: 0000000000000000 0000000000000000 0000000000000000 0000000000000018
+[ 2.523156] fa60: 0000000000000000 0000000000000000
+[ 2.528089] [<fffffc00080e7468>] try_to_wake_up+0x194/0x34c
+[ 2.533723] [<fffffc00080e7648>] wake_up_process+0x28/0x34
+[ 2.539275] [<fffffc00080d3764>] create_worker+0x110/0x19c
+[ 2.544824] [<fffffc00080d69dc>] alloc_unbound_pwq+0x3cc/0x4b0
+[ 2.550724] [<fffffc00080d6bcc>] wq_update_unbound_numa+0x10c/0x1e4
+[ 2.557066] [<fffffc00080d7d78>] workqueue_online_cpu+0x220/0x28c
+[ 2.563234] [<fffffc00080bd288>] cpuhp_invoke_callback+0x6c/0x168
+[ 2.569398] [<fffffc00080bdf74>] cpuhp_up_callbacks+0x44/0xe4
+[ 2.575210] [<fffffc00080be194>] cpuhp_thread_fun+0x13c/0x148
+[ 2.581027] [<fffffc00080dfbac>] smpboot_thread_fn+0x19c/0x1a8
+[ 2.586929] [<fffffc00080dbd64>] kthread+0xdc/0xf0
+[ 2.591776] [<fffffc0008083380>] ret_from_fork+0x10/0x50
+[ 2.597147] Code: b00057e1 91304021 91005021 b8626822 (b8606821)
+[ 2.603464] ---[ end trace 58c0cd36b88802bc ]---
+[ 2.608138] Kernel panic - not syncing: Fatal exception
+
+Fix by moving call to numa_store_cpu_info() for all CPUs into
+smp_prepare_cpus(), which happens before wq_numa_init(). Since
+smp_store_cpu_info() now contains only a single function call,
+simplify by removing the function and out-lining its contents.
+
+Suggested-by: Robert Richter <rric@kernel.org>
+Fixes: 1a2db300348b ("arm64, numa: Add NUMA support for arm64 platforms.")
+Signed-off-by: David Daney <david.daney@cavium.com>
+Reviewed-by: Robert Richter <rrichter@cavium.com>
+Tested-by: Yisheng Xie <xieyisheng1@huawei.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/smp.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+--- a/arch/arm64/kernel/smp.c
++++ b/arch/arm64/kernel/smp.c
+@@ -201,12 +201,6 @@ int __cpu_up(unsigned int cpu, struct ta
+ return ret;
+ }
+
+-static void smp_store_cpu_info(unsigned int cpuid)
+-{
+- store_cpu_topology(cpuid);
+- numa_store_cpu_info(cpuid);
+-}
+-
+ /*
+ * This is the secondary CPU boot entry. We're using this CPUs
+ * idle thread stack, but a set of temporary page tables.
+@@ -254,7 +248,7 @@ asmlinkage void secondary_start_kernel(v
+ */
+ notify_cpu_starting(cpu);
+
+- smp_store_cpu_info(cpu);
++ store_cpu_topology(cpu);
+
+ /*
+ * OK, now it's safe to let the boot CPU continue. Wait for
+@@ -687,10 +681,13 @@ void __init smp_prepare_cpus(unsigned in
+ {
+ int err;
+ unsigned int cpu;
++ unsigned int this_cpu;
+
+ init_cpu_topology();
+
+- smp_store_cpu_info(smp_processor_id());
++ this_cpu = smp_processor_id();
++ store_cpu_topology(this_cpu);
++ numa_store_cpu_info(this_cpu);
+
+ /*
+ * If UP is mandated by "nosmp" (which implies "maxcpus=0"), don't set
+@@ -717,6 +714,7 @@ void __init smp_prepare_cpus(unsigned in
+ continue;
+
+ set_cpu_present(cpu, true);
++ numa_store_cpu_info(cpu);
+ }
+ }
+
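Review bot: The added `numa_store_cpu_info(cpu);` at the end of the loop in smp_prepare_cpus() has an ordering requirement that nothing in the code records. Per the commit message it must run before wq_numa_init() reads cpu_to_node(). A comment above the call, such as `/* Record the node now: wq_numa_init() reads cpu_to_node() before the secondaries boot */`, would keep a later cleanup from moving it back into secondary_start_kernel(). CPUs that take the `continue` just above never get their node stored; they are not marked present either, so this looks intentional, but it is worth confirming. The loop header is outside the hunk.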
--- /dev/null
+From 325c50e3cebb9208009083e841550f98a863bfa0 Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Wed, 21 Sep 2016 08:31:29 -0400
+Subject: btrfs: ensure that file descriptor used with subvol ioctls is a dir
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+commit 325c50e3cebb9208009083e841550f98a863bfa0 upstream.
+
+If the subvol/snapshot create/destroy ioctls are passed a regular file
+with execute permissions set, we'll eventually Oops while trying to do
+inode->i_op->lookup via lookup_one_len.
+
+This patch ensures that the file descriptor refers to a directory.
+
+Fixes: cb8e70901d (Btrfs: Fix subvolume creation locking rules)
+Fixes: 76dda93c6a (Btrfs: add snapshot/subvolume destroy ioctl)
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/ioctl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -1634,6 +1634,9 @@ static noinline int btrfs_ioctl_snap_cre
+ int namelen;
+ int ret = 0;
+
++ if (!S_ISDIR(file_inode(file)->i_mode))
++ return -ENOTDIR;
++
+ ret = mnt_want_write_file(file);
+ if (ret)
+ goto out;
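Review bot: The new `S_ISDIR` guard has no comment saying why a non-directory descriptor must be rejected, and the same lines are repeated in the hunks at -1691, -1714 and -2358. Per the commit message the reason is the later `inode->i_op->lookup` call made through lookup_one_len(), so a comment such as `/* lookup_one_len() below needs a directory inode */` on each guard would stop it being removed as redundant. Returning directly rather than via `goto out` is correct here, because the check runs before `mnt_want_write_file()` and nothing has been acquired yet. A small shared helper for the four entry points would also make it harder to add a fifth ioctl without the check. The function bodies continue outside the hunks.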
+@@ -1691,6 +1694,9 @@ static noinline int btrfs_ioctl_snap_cre
+ struct btrfs_ioctl_vol_args *vol_args;
+ int ret;
+
++ if (!S_ISDIR(file_inode(file)->i_mode))
++ return -ENOTDIR;
++
+ vol_args = memdup_user(arg, sizeof(*vol_args));
+ if (IS_ERR(vol_args))
+ return PTR_ERR(vol_args);
+@@ -1714,6 +1720,9 @@ static noinline int btrfs_ioctl_snap_cre
+ bool readonly = false;
+ struct btrfs_qgroup_inherit *inherit = NULL;
+
++ if (!S_ISDIR(file_inode(file)->i_mode))
++ return -ENOTDIR;
++
+ vol_args = memdup_user(arg, sizeof(*vol_args));
+ if (IS_ERR(vol_args))
+ return PTR_ERR(vol_args);
+@@ -2358,6 +2367,9 @@ static noinline int btrfs_ioctl_snap_des
+ int ret;
+ int err = 0;
+
++ if (!S_ISDIR(dir->i_mode))
++ return -ENOTDIR;
++
+ vol_args = memdup_user(arg, sizeof(*vol_args));
+ if (IS_ERR(vol_args))
+ return PTR_ERR(vol_args);
--- /dev/null
+From 4de349e786a3a2d51bd02d56f3de151bbc3c3df9 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <fabio.estevam@nxp.com>
+Date: Wed, 17 Aug 2016 12:41:08 -0300
+Subject: can: flexcan: fix resume function
+
+From: Fabio Estevam <fabio.estevam@nxp.com>
+
+commit 4de349e786a3a2d51bd02d56f3de151bbc3c3df9 upstream.
+
+On a imx6ul-pico board the following error is seen during system suspend:
+
+dpm_run_callback(): platform_pm_resume+0x0/0x54 returns -110
+PM: Device 2090000.flexcan failed to resume: error -110
+
+The reason for this suspend error is because when the CAN interface is not
+active the clocks are disabled and then flexcan_chip_enable() will
+always fail due to a timeout error.
+
+In order to fix this issue, only call flexcan_chip_enable/disable()
+when the CAN interface is active.
+
+Based on a patch from Dong Aisheng in the NXP kernel.
+
+Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/flexcan.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -1268,11 +1268,10 @@ static int __maybe_unused flexcan_suspen
+ struct flexcan_priv *priv = netdev_priv(dev);
+ int err;
+
+- err = flexcan_chip_disable(priv);
+- if (err)
+- return err;
+-
+ if (netif_running(dev)) {
++ err = flexcan_chip_disable(priv);
++ if (err)
++ return err;
+ netif_stop_queue(dev);
+ netif_device_detach(dev);
+ }
+@@ -1285,13 +1284,17 @@ static int __maybe_unused flexcan_resume
+ {
+ struct net_device *dev = dev_get_drvdata(device);
+ struct flexcan_priv *priv = netdev_priv(dev);
++ int err;
+
+ priv->can.state = CAN_STATE_ERROR_ACTIVE;
+ if (netif_running(dev)) {
+ netif_device_attach(dev);
+ netif_start_queue(dev);
++ err = flexcan_chip_enable(priv);
++ if (err)
++ return err;
+ }
+- return flexcan_chip_enable(priv);
++ return 0;
+ }
+
+ static SIMPLE_DEV_PM_OPS(flexcan_pm_ops, flexcan_suspend, flexcan_resume);
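Review bot: In the new flexcan_resume() the interface is re-attached and its queue started before `flexcan_chip_enable()` is attempted. If the enable times out, the function returns the error with the queue running and `priv->can.state` already set to `CAN_STATE_ERROR_ACTIVE` while the controller is still disabled. Moving `err = flexcan_chip_enable(priv);` and `if (err) return err;` to the top of the `if (netif_running(dev))` block, ahead of `netif_device_attach(dev);`, mirrors the order used in flexcan_suspend() and leaves the device detached on failure. Setting `priv->can.state` only after a successful enable would keep the reported state consistent as well.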
--- /dev/null
+From d979a39d7242e0601bf9b60e89628fb8ac577179 Mon Sep 17 00:00:00 2001
+From: Johannes Weiner <jweiner@fb.com>
+Date: Mon, 19 Sep 2016 14:44:38 -0700
+Subject: cgroup: duplicate cgroup reference when cloning sockets
+
+From: Johannes Weiner <jweiner@fb.com>
+
+commit d979a39d7242e0601bf9b60e89628fb8ac577179 upstream.
+
+When a socket is cloned, the associated sock_cgroup_data is duplicated
+but not its reference on the cgroup. As a result, the cgroup reference
+count will underflow when both sockets are destroyed later on.
+
+Fixes: bd1060a1d671 ("sock, cgroup: add sock->sk_cgroup")
+Link: http://lkml.kernel.org/r/20160914194846.11153-2-hannes@cmpxchg.org
+Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
+Acked-by: Tejun Heo <tj@kernel.org>
+Cc: Michal Hocko <mhocko@suse.cz>
+Cc: Vladimir Davydov <vdavydov@virtuozzo.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cgroup.c | 6 ++++++
+ net/core/sock.c | 5 ++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -6240,6 +6240,12 @@ void cgroup_sk_alloc(struct sock_cgroup_
+ if (cgroup_sk_alloc_disabled)
+ return;
+
++ /* Socket clone path */
++ if (skcd->val) {
++ cgroup_get(sock_cgroup_ptr(skcd));
++ return;
++ }
++
+ rcu_read_lock();
+
+ while (true) {
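Review bot: The clone-path test `if (skcd->val)` only works if every freshly allocated socket reaches cgroup_sk_alloc() with `val` equal to zero, and the comment `/* Socket clone path */` does not state that invariant. If a new socket arrived with stale non-zero contents, `cgroup_get(sock_cgroup_ptr(skcd))` would take a reference through an unrelated value. Whether the allocation in sk_alloc() guarantees the zeroing is not visible in these hunks. I would expand the comment to `/* Clone path: val was copied from the parent socket, so take our own reference. A new socket must arrive here with val == 0. */`. The rest of cgroup_sk_alloc() is outside the hunk.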
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1362,7 +1362,6 @@ static struct sock *sk_prot_alloc(struct
+ if (!try_module_get(prot->owner))
+ goto out_free_sec;
+ sk_tx_queue_clear(sk);
+- cgroup_sk_alloc(&sk->sk_cgrp_data);
+ }
+
+ return sk;
+@@ -1422,6 +1421,7 @@ struct sock *sk_alloc(struct net *net, i
+ sock_net_set(sk, net);
+ atomic_set(&sk->sk_wmem_alloc, 1);
+
++ cgroup_sk_alloc(&sk->sk_cgrp_data);
+ sock_update_classid(&sk->sk_cgrp_data);
+ sock_update_netprioidx(&sk->sk_cgrp_data);
+ }
+@@ -1566,6 +1566,9 @@ struct sock *sk_clone_lock(const struct
+ newsk->sk_priority = 0;
+ newsk->sk_incoming_cpu = raw_smp_processor_id();
+ atomic64_set(&newsk->sk_cookie, 0);
++
++ cgroup_sk_alloc(&newsk->sk_cgrp_data);
++
+ /*
+ * Before updating sk_refcnt, we must commit prior changes to memory
+ * (Documentation/RCU/rculist_nulls.txt for details)
--- /dev/null
+From 42857cf512cb34c2c8cb50f1e766689d979d64e0 Mon Sep 17 00:00:00 2001
+From: Phil Turnbull <phil.turnbull@oracle.com>
+Date: Thu, 15 Sep 2016 12:20:12 -0400
+Subject: configfs: Return -EFBIG from configfs_write_bin_file.
+
+From: Phil Turnbull <phil.turnbull@oracle.com>
+
+commit 42857cf512cb34c2c8cb50f1e766689d979d64e0 upstream.
+
+The check for writing more than cb_max_size bytes does not 'goto out' so
+it is a no-op which allows users to vmalloc an arbitrary amount.
+
+Fixes: 03607ace807b ("configfs: implement binary attributes")
+Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/configfs/file.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/configfs/file.c
++++ b/fs/configfs/file.c
+@@ -333,6 +333,7 @@ configfs_write_bin_file(struct file *fil
+ if (bin_attr->cb_max_size &&
+ *ppos + count > bin_attr->cb_max_size) {
+ len = -EFBIG;
++ goto out;
+ }
+
+ tbuf = vmalloc(*ppos + count);
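Review bot: The size passed to `vmalloc(*ppos + count)` is still unbounded when `bin_attr->cb_max_size` is zero, because the limit test is skipped entirely in that case. The sum `*ppos + count` is also not checked for wrap-around before it is compared and then allocated. The operand types are not visible in this hunk, so the overflow concern is an assumption to confirm. If it holds, rewriting the condition as `*ppos > bin_attr->cb_max_size || count > bin_attr->cb_max_size - *ppos` avoids the addition. If a zero `cb_max_size` is meant to mean "no limit", a comment saying so, and naming who is trusted to write such attributes, would help reviewers of callers. The function body starts and ends outside the hunk.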
--- /dev/null
+From 96d41019e3ac55f6f0115b0ce97e4f24a3d636d2 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 19 Sep 2016 14:44:30 -0700
+Subject: fanotify: fix list corruption in fanotify_get_response()
+
+From: Jan Kara <jack@suse.cz>
+
+commit 96d41019e3ac55f6f0115b0ce97e4f24a3d636d2 upstream.
+
+fanotify_get_response() calls fsnotify_remove_event() when it finds that
+group is being released from fanotify_release() (bypass_perm is set).
+
+However the event it removes need not be only in the group's notification
+queue but it can have already moved to access_list (userspace read the
+event before closing the fanotify instance fd) which is protected by a
+different lock. Thus when fsnotify_remove_event() races with
+fanotify_release() operating on access_list, the list can get corrupted.
+
+Fix the problem by moving all the logic removing permission events from
+the lists to one place - fanotify_release().
+
+Fixes: 5838d4442bd5 ("fanotify: fix double free of pending permission events")
+Link: http://lkml.kernel.org/r/1473797711-14111-3-git-send-email-jack@suse.cz
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reported-by: Miklos Szeredi <mszeredi@redhat.com>
+Tested-by: Miklos Szeredi <mszeredi@redhat.com>
+Reviewed-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/notify/fanotify/fanotify.c | 13 +------------
+ fs/notify/fanotify/fanotify_user.c | 36 ++++++++++++++++++++++++------------
+ fs/notify/notification.c | 15 ---------------
+ include/linux/fsnotify_backend.h | 3 ---
+ 4 files changed, 25 insertions(+), 42 deletions(-)
+
+--- a/fs/notify/fanotify/fanotify.c
++++ b/fs/notify/fanotify/fanotify.c
+@@ -67,18 +67,7 @@ static int fanotify_get_response(struct
+
+ pr_debug("%s: group=%p event=%p\n", __func__, group, event);
+
+- wait_event(group->fanotify_data.access_waitq, event->response ||
+- atomic_read(&group->fanotify_data.bypass_perm));
+-
+- if (!event->response) { /* bypass_perm set */
+- /*
+- * Event was canceled because group is being destroyed. Remove
+- * it from group's event list because we are responsible for
+- * freeing the permission event.
+- */
+- fsnotify_remove_event(group, &event->fae.fse);
+- return 0;
+- }
++ wait_event(group->fanotify_data.access_waitq, event->response);
+
+ /* userspace responded, convert to something usable */
+ switch (event->response) {
+--- a/fs/notify/fanotify/fanotify_user.c
++++ b/fs/notify/fanotify/fanotify_user.c
+@@ -358,16 +358,20 @@ static int fanotify_release(struct inode
+
+ #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
+ struct fanotify_perm_event_info *event, *next;
++ struct fsnotify_event *fsn_event;
+
+ /*
+- * There may be still new events arriving in the notification queue
+- * but since userspace cannot use fanotify fd anymore, no event can
+- * enter or leave access_list by now.
++ * Stop new events from arriving in the notification queue. since
++ * userspace cannot use fanotify fd anymore, no event can enter or
++ * leave access_list by now either.
+ */
+- spin_lock(&group->fanotify_data.access_lock);
+-
+- atomic_inc(&group->fanotify_data.bypass_perm);
++ fsnotify_group_stop_queueing(group);
+
++ /*
++ * Process all permission events on access_list and notification queue
++ * and simulate reply from userspace.
++ */
++ spin_lock(&group->fanotify_data.access_lock);
+ list_for_each_entry_safe(event, next, &group->fanotify_data.access_list,
+ fae.fse.list) {
+ pr_debug("%s: found group=%p event=%p\n", __func__, group,
+@@ -379,12 +383,21 @@ static int fanotify_release(struct inode
+ spin_unlock(&group->fanotify_data.access_lock);
+
+ /*
+- * Since bypass_perm is set, newly queued events will not wait for
+- * access response. Wake up the already sleeping ones now.
+- * synchronize_srcu() in fsnotify_destroy_group() will wait for all
+- * processes sleeping in fanotify_handle_event() waiting for access
+- * response and thus also for all permission events to be freed.
++ * Destroy all non-permission events. For permission events just
++ * dequeue them and set the response. They will be freed once the
++ * response is consumed and fanotify_get_response() returns.
+ */
++ mutex_lock(&group->notification_mutex);
++ while (!fsnotify_notify_queue_is_empty(group)) {
++ fsn_event = fsnotify_remove_first_event(group);
++ if (!(fsn_event->mask & FAN_ALL_PERM_EVENTS))
++ fsnotify_destroy_event(group, fsn_event);
++ else
++ FANOTIFY_PE(fsn_event)->response = FAN_ALLOW;
++ }
++ mutex_unlock(&group->notification_mutex);
++
++ /* Response for all permission events it set, wakeup waiters */
+ wake_up(&group->fanotify_data.access_waitq);
+ #endif
+
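Review bot: The new drain loop in fanotify_release() answers every still-queued permission event with `FAN_ALLOW`, so access decisions that were pending when the listener closed its descriptor fail open. The added comments never say that this is intended. A line above the `else` branch, such as `/* Listener is gone: pending permission events are allowed so blocked tasks can proceed */`, would make the policy explicit for anyone relying on fanotify for access control. Two typos in the added comments are also worth fixing: `queue. since` should start the sentence with a capital, and `events it set` should read `events is set`. fanotify_release() starts and ends outside this hunk.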
+@@ -755,7 +768,6 @@ SYSCALL_DEFINE2(fanotify_init, unsigned
+ spin_lock_init(&group->fanotify_data.access_lock);
+ init_waitqueue_head(&group->fanotify_data.access_waitq);
+ INIT_LIST_HEAD(&group->fanotify_data.access_list);
+- atomic_set(&group->fanotify_data.bypass_perm, 0);
+ #endif
+ switch (flags & FAN_ALL_CLASS_BITS) {
+ case FAN_CLASS_NOTIF:
+--- a/fs/notify/notification.c
++++ b/fs/notify/notification.c
+@@ -132,21 +132,6 @@ queue:
+ }
+
+ /*
+- * Remove @event from group's notification queue. It is the responsibility of
+- * the caller to destroy the event.
+- */
+-void fsnotify_remove_event(struct fsnotify_group *group,
+- struct fsnotify_event *event)
+-{
+- mutex_lock(&group->notification_mutex);
+- if (!list_empty(&event->list)) {
+- list_del_init(&event->list);
+- group->q_len--;
+- }
+- mutex_unlock(&group->notification_mutex);
+-}
+-
+-/*
+ * Remove and return the first event from the notification list. It is the
+ * responsibility of the caller to destroy the obtained event
+ */
+--- a/include/linux/fsnotify_backend.h
++++ b/include/linux/fsnotify_backend.h
+@@ -180,7 +180,6 @@ struct fsnotify_group {
+ spinlock_t access_lock;
+ struct list_head access_list;
+ wait_queue_head_t access_waitq;
+- atomic_t bypass_perm;
+ #endif /* CONFIG_FANOTIFY_ACCESS_PERMISSIONS */
+ int f_flags;
+ unsigned int max_marks;
+@@ -318,8 +317,6 @@ extern int fsnotify_add_event(struct fsn
+ struct fsnotify_event *event,
+ int (*merge)(struct list_head *,
+ struct fsnotify_event *));
+-/* Remove passed event from groups notification queue */
+-extern void fsnotify_remove_event(struct fsnotify_group *group, struct fsnotify_event *event);
+ /* true if the group notification queue is empty */
+ extern bool fsnotify_notify_queue_is_empty(struct fsnotify_group *group);
+ /* return, but do not dequeue the first event on the notification queue */
--- /dev/null
+From e23d4159b109167126e5bcd7f3775c95de7fee47 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Tue, 20 Sep 2016 20:07:42 +0100
+Subject: fix fault_in_multipages_...() on architectures with no-op access_ok()
+
+From: Al Viro <viro@ZenIV.linux.org.uk>
+
+commit e23d4159b109167126e5bcd7f3775c95de7fee47 upstream.
+
+Switching iov_iter fault-in to multipages variants has exposed an old
+bug in underlying fault_in_multipages_...(); they break if the range
+passed to them wraps around. Normally access_ok() done by callers will
+prevent such (and it's a guaranteed EFAULT - ERR_PTR() values fall into
+such a range and they should not point to any valid objects).
+
+However, on architectures where userland and kernel live in different
+MMU contexts (e.g. s390) access_ok() is a no-op and on those a range
+with a wraparound can reach fault_in_multipages_...().
+
+Since any wraparound means EFAULT there, the fix is trivial - turn
+those
+
+ while (uaddr <= end)
+ ...
+into
+
+ if (unlikely(uaddr > end))
+ return -EFAULT;
+ do
+ ...
+ while (uaddr <= end);
+
+Reported-by: Jan Stancek <jstancek@redhat.com>
+Tested-by: Jan Stancek <jstancek@redhat.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/pagemap.h | 38 +++++++++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+
+--- a/include/linux/pagemap.h
++++ b/include/linux/pagemap.h
+@@ -571,56 +571,56 @@ static inline int fault_in_pages_readabl
+ */
+ static inline int fault_in_multipages_writeable(char __user *uaddr, int size)
+ {
+- int ret = 0;
+ char __user *end = uaddr + size - 1;
+
+ if (unlikely(size == 0))
+- return ret;
++ return 0;
+
++ if (unlikely(uaddr > end))
++ return -EFAULT;
+ /*
+ * Writing zeroes into userspace here is OK, because we know that if
+ * the zero gets there, we'll be overwriting it.
+ */
+- while (uaddr <= end) {
+- ret = __put_user(0, uaddr);
+- if (ret != 0)
+- return ret;
++ do {
++ if (unlikely(__put_user(0, uaddr) != 0))
++ return -EFAULT;
+ uaddr += PAGE_SIZE;
+- }
++ } while (uaddr <= end);
+
+ /* Check whether the range spilled into the next page. */
+ if (((unsigned long)uaddr & PAGE_MASK) ==
+ ((unsigned long)end & PAGE_MASK))
+- ret = __put_user(0, end);
++ return __put_user(0, end);
+
+- return ret;
++ return 0;
+ }
+
+ static inline int fault_in_multipages_readable(const char __user *uaddr,
+ int size)
+ {
+ volatile char c;
+- int ret = 0;
+ const char __user *end = uaddr + size - 1;
+
+ if (unlikely(size == 0))
+- return ret;
++ return 0;
++
++ if (unlikely(uaddr > end))
++ return -EFAULT;
+
+- while (uaddr <= end) {
+- ret = __get_user(c, uaddr);
+- if (ret != 0)
+- return ret;
++ do {
++ if (unlikely(__get_user(c, uaddr) != 0))
++ return -EFAULT;
+ uaddr += PAGE_SIZE;
+- }
++ } while (uaddr <= end);
+
+ /* Check whether the range spilled into the next page. */
+ if (((unsigned long)uaddr & PAGE_MASK) ==
+ ((unsigned long)end & PAGE_MASK)) {
+- ret = __get_user(c, end);
+- (void)c;
++ return __get_user(c, end);
+ }
+
+- return ret;
++ return 0;
+ }
+
+ int add_to_page_cache_locked(struct page *page, struct address_space *mapping,
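Review bot: The added `uaddr > end` test catches a range that wraps when `end` is computed, but the increment `uaddr += PAGE_SIZE` inside both `do { } while (uaddr <= end)` loops can still wrap. That happens when `end` lies in the last page of the address space, after which `uaddr <= end` holds again and the loop keeps touching low addresses. Whether a caller can pass such a range is not visible here; presumably it is possible only where access_ok() is a no-op, as the commit message describes. At minimum record the assumption, e.g. `/* assumes end is below the last page, otherwise uaddr += PAGE_SIZE wraps */`. In fault_in_multipages_writeable() the consequence would be `__put_user(0, ...)` on addresses outside the requested range, so a guard that stops the loop once `uaddr` wraps is preferable if the case is reachable.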
--- /dev/null
+From 1ae2293dd6d2f5c823cf97e60b70d03631cd622f Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 17 Sep 2016 18:31:46 -0400
+Subject: fix memory leaks in tracing_buffers_splice_read()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 1ae2293dd6d2f5c823cf97e60b70d03631cd622f upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -5929,9 +5929,6 @@ tracing_buffers_splice_read(struct file
+ return -EBUSY;
+ #endif
+
+- if (splice_grow_spd(pipe, &spd))
+- return -ENOMEM;
+-
+ if (*ppos & (PAGE_SIZE - 1))
+ return -EINVAL;
+
+@@ -5941,6 +5938,9 @@ tracing_buffers_splice_read(struct file
+ len &= PAGE_MASK;
+ }
+
++ if (splice_grow_spd(pipe, &spd))
++ return -ENOMEM;
++
+ again:
+ trace_access_lock(iter->cpu_file);
+ entries = ring_buffer_entries_cpu(iter->trace_buffer->buffer, iter->cpu_file);
+@@ -5998,19 +5998,21 @@ tracing_buffers_splice_read(struct file
+ /* did we read anything? */
+ if (!spd.nr_pages) {
+ if (ret)
+- return ret;
++ goto out;
+
++ ret = -EAGAIN;
+ if ((file->f_flags & O_NONBLOCK) || (flags & SPLICE_F_NONBLOCK))
+- return -EAGAIN;
++ goto out;
+
+ ret = wait_on_pipe(iter, true);
+ if (ret)
+- return ret;
++ goto out;
+
+ goto again;
+ }
+
+ ret = splice_to_pipe(pipe, &spd);
++out:
+ splice_shrink_spd(&spd);
+
+ return ret;
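Review bot: Nothing at the new `out:` label says that every exit taken after `splice_grow_spd()` has to pass through `splice_shrink_spd(&spd)`, which is the invariant this change establishes. The commit message is empty, so the code is the only place to record it. I would add `/* all exits after splice_grow_spd() must come through here */` above the label. Assigning `ret = -EAGAIN;` before the non-blocking test also reads oddly, because the value is overwritten by `wait_on_pipe()` on the blocking path. Setting it inside the `if` with braces would be clearer. The function begins outside these hunks, so earlier return paths could not be checked.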
--- /dev/null
+From 12703dbfeb15402260e7554d32a34ac40c233990 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 19 Sep 2016 14:44:27 -0700
+Subject: fsnotify: add a way to stop queueing events on group shutdown
+
+From: Jan Kara <jack@suse.cz>
+
+commit 12703dbfeb15402260e7554d32a34ac40c233990 upstream.
+
+Implement a function that can be called when a group is being shutdown
+to stop queueing new events to the group. Fanotify will use this.
+
+Fixes: 5838d4442bd5 ("fanotify: fix double free of pending permission events")
+Link: http://lkml.kernel.org/r/1473797711-14111-2-git-send-email-jack@suse.cz
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/notify/group.c | 19 +++++++++++++++++++
+ fs/notify/notification.c | 8 +++++++-
+ include/linux/fsnotify_backend.h | 3 +++
+ 3 files changed, 29 insertions(+), 1 deletion(-)
+
+--- a/fs/notify/group.c
++++ b/fs/notify/group.c
+@@ -40,6 +40,17 @@ static void fsnotify_final_destroy_group
+ }
+
+ /*
++ * Stop queueing new events for this group. Once this function returns
++ * fsnotify_add_event() will not add any new events to the group's queue.
++ */
++void fsnotify_group_stop_queueing(struct fsnotify_group *group)
++{
++ mutex_lock(&group->notification_mutex);
++ group->shutdown = true;
++ mutex_unlock(&group->notification_mutex);
++}
++
++/*
+ * Trying to get rid of a group. Remove all marks, flush all events and release
+ * the group reference.
+ * Note that another thread calling fsnotify_clear_marks_by_group() may still
+@@ -47,6 +58,14 @@ static void fsnotify_final_destroy_group
+ */
+ void fsnotify_destroy_group(struct fsnotify_group *group)
+ {
++ /*
++ * Stop queueing new events. The code below is careful enough to not
++ * require this but fanotify needs to stop queuing events even before
++ * fsnotify_destroy_group() is called and this makes the other callers
++ * of fsnotify_destroy_group() to see the same behavior.
++ */
++ fsnotify_group_stop_queueing(group);
++
+ /* clear all inode marks for this group, attach them to destroy_list */
+ fsnotify_detach_group_marks(group);
+
+--- a/fs/notify/notification.c
++++ b/fs/notify/notification.c
+@@ -82,7 +82,8 @@ void fsnotify_destroy_event(struct fsnot
+ * Add an event to the group notification queue. The group can later pull this
+ * event off the queue to deal with. The function returns 0 if the event was
+ * added to the queue, 1 if the event was merged with some other queued event,
+- * 2 if the queue of events has overflown.
++ * 2 if the event was not queued - either the queue of events has overflown
++ * or the group is shutting down.
+ */
+ int fsnotify_add_event(struct fsnotify_group *group,
+ struct fsnotify_event *event,
+@@ -96,6 +97,11 @@ int fsnotify_add_event(struct fsnotify_g
+
+ mutex_lock(&group->notification_mutex);
+
++ if (group->shutdown) {
++ mutex_unlock(&group->notification_mutex);
++ return 2;
++ }
++
+ if (group->q_len >= group->max_events) {
+ ret = 2;
+ /* Queue overflow event only if it isn't already queued */
+--- a/include/linux/fsnotify_backend.h
++++ b/include/linux/fsnotify_backend.h
+@@ -148,6 +148,7 @@ struct fsnotify_group {
+ #define FS_PRIO_1 1 /* fanotify content based access control */
+ #define FS_PRIO_2 2 /* fanotify pre-content access */
+ unsigned int priority;
++ bool shutdown; /* group is being shut down, don't queue more events */
+
+ /* stores all fastpath marks assoc with this group so they can be cleaned on unregister */
+ struct mutex mark_mutex; /* protect marks_list */
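Review bot: The new `shutdown` field is written in fsnotify_group_stop_queueing() and read in fsnotify_add_event() only while `notification_mutex` is held, but the field comment does not name the lock. I would extend it to `bool shutdown; /* group is being shut down, don't queue more events; protected by notification_mutex */`, so that a later lock-free read is not added by mistake. fsnotify_add_event() now returns 2 both for queue overflow and for a group that is shutting down. Its updated comment covers this, but callers that treat 2 specifically as overflow are outside the hunks and should be checked.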
+@@ -303,6 +304,8 @@ extern struct fsnotify_group *fsnotify_a
+ extern void fsnotify_get_group(struct fsnotify_group *group);
+ /* drop reference on a group from fsnotify_alloc_group */
+ extern void fsnotify_put_group(struct fsnotify_group *group);
++/* group destruction begins, stop queuing new events */
++extern void fsnotify_group_stop_queueing(struct fsnotify_group *group);
+ /* destroy group */
+ extern void fsnotify_destroy_group(struct fsnotify_group *group);
+ /* fasync handler function */
--- /dev/null
+From 371a015344b6e270e7e3632107d9554ec6d27a6b Mon Sep 17 00:00:00 2001
+From: "Yadi.hu" <yadi.hu@windriver.com>
+Date: Sun, 18 Sep 2016 18:52:31 +0800
+Subject: i2c-eg20t: fix race between i2c init and interrupt enable
+
+From: Yadi.hu <yadi.hu@windriver.com>
+
+commit 371a015344b6e270e7e3632107d9554ec6d27a6b upstream.
+
+the eg20t driver call request_irq() function before the pch_base_address,
+base address of i2c controller's register, is assigned an effective value.
+
+there is one possible scenario that an interrupt which isn't inside eg20t
+arrives immediately after request_irq() is executed when i2c controller
+shares an interrupt number with others. since the interrupt handler
+pch_i2c_handler() has already active as shared action, it will be called
+and read its own register to determine if this interrupt is from itself.
+
+At that moment, since base address of i2c registers is not remapped
+in kernel space yet,so the INT handler will access an illegal address
+and then a error occurs.
+
+Signed-off-by: Yadi.hu <yadi.hu@windriver.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-eg20t.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-eg20t.c
++++ b/drivers/i2c/busses/i2c-eg20t.c
+@@ -773,13 +773,6 @@ static int pch_i2c_probe(struct pci_dev
+ /* Set the number of I2C channel instance */
+ adap_info->ch_num = id->driver_data;
+
+- ret = request_irq(pdev->irq, pch_i2c_handler, IRQF_SHARED,
+- KBUILD_MODNAME, adap_info);
+- if (ret) {
+- pch_pci_err(pdev, "request_irq FAILED\n");
+- goto err_request_irq;
+- }
+-
+ for (i = 0; i < adap_info->ch_num; i++) {
+ pch_adap = &adap_info->pch_data[i].pch_adapter;
+ adap_info->pch_i2c_suspended = false;
+@@ -797,6 +790,17 @@ static int pch_i2c_probe(struct pci_dev
+
+ pch_adap->dev.of_node = pdev->dev.of_node;
+ pch_adap->dev.parent = &pdev->dev;
++ }
++
++ ret = request_irq(pdev->irq, pch_i2c_handler, IRQF_SHARED,
++ KBUILD_MODNAME, adap_info);
++ if (ret) {
++ pch_pci_err(pdev, "request_irq FAILED\n");
++ goto err_request_irq;
++ }
++
++ for (i = 0; i < adap_info->ch_num; i++) {
++ pch_adap = &adap_info->pch_data[i].pch_adapter;
+
+ pch_i2c_init(&adap_info->pch_data[i]);
+
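Review bot: The reason request_irq() now sits between the two channel loops is not recorded in the code, so a later cleanup could merge the loops again and reintroduce the race. A short comment above the call would pin the ordering, e.g. `/* IRQ is shared: pch_i2c_handler() may run as soon as it is registered, so pch_base_address must already be set for every channel */`. The handler can still be entered before pch_i2c_init() has run for a channel in the second loop; whether it copes with a controller that is mapped but not yet initialised cannot be seen from this hunk. pch_i2c_probe() starts and ends outside the hunk, including the err_request_irq unwind label.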
--- /dev/null
+From 463e8f845cbf1c01e4cc8aeef1703212991d8e1e Mon Sep 17 00:00:00 2001
+From: Peter Rosin <peda@axentia.se>
+Date: Wed, 14 Sep 2016 15:24:12 +0200
+Subject: i2c: mux: pca954x: retry updating the mux selection on failure
+
+From: Peter Rosin <peda@axentia.se>
+
+commit 463e8f845cbf1c01e4cc8aeef1703212991d8e1e upstream.
+
+The cached value of the last selected channel prevents retries on the
+next call, even on failure to update the selected channel. Fix that.
+
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/muxes/i2c-mux-pca954x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/muxes/i2c-mux-pca954x.c
++++ b/drivers/i2c/muxes/i2c-mux-pca954x.c
+@@ -164,7 +164,7 @@ static int pca954x_select_chan(struct i2
+ /* Only select the channel if its different from the last channel */
+ if (data->last_chan != regval) {
+ ret = pca954x_reg_write(muxc->parent, client, regval);
+- data->last_chan = regval;
++ data->last_chan = ret ? 0 : regval;
+ }
+
+ return ret;
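Review bot: The `0` stored in last_chan on failure is an undocumented "unknown state" sentinel, and it only forces a retry if no valid selection ever has regval equal to 0. How regval is built is outside the hunk, so that assumption should be stated next to the assignment, e.g. `/* on error forget the cached value so the next call rewrites the register; 0 is never a valid selection */`. If 0 can be a legitimate regval for some chip type, a separate validity flag would be needed instead. pca954x_select_chan() begins outside the hunk.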
--- /dev/null
+From 331dcf421c34d227784d07943eb01e4023a42b0a Mon Sep 17 00:00:00 2001
+From: Sudeep Holla <Sudeep.Holla@arm.com>
+Date: Thu, 25 Aug 2016 12:23:39 +0100
+Subject: i2c: qup: skip qup_i2c_suspend if the device is already runtime suspended
+
+From: Sudeep Holla <Sudeep.Holla@arm.com>
+
+commit 331dcf421c34d227784d07943eb01e4023a42b0a upstream.
+
+If the i2c device is already runtime suspended, if qup_i2c_suspend is
+executed during suspend-to-idle or suspend-to-ram it will result in the
+following splat:
+
+WARNING: CPU: 3 PID: 1593 at drivers/clk/clk.c:476 clk_core_unprepare+0x80/0x90
+Modules linked in:
+
+CPU: 3 PID: 1593 Comm: bash Tainted: G W 4.8.0-rc3 #14
+Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT)
+PC is at clk_core_unprepare+0x80/0x90
+LR is at clk_unprepare+0x28/0x40
+pc : [<ffff0000086eecf0>] lr : [<ffff0000086f0c58>] pstate: 60000145
+Call trace:
+ clk_core_unprepare+0x80/0x90
+ qup_i2c_disable_clocks+0x2c/0x68
+ qup_i2c_suspend+0x10/0x20
+ platform_pm_suspend+0x24/0x68
+ ...
+
+This patch fixes the issue by executing qup_i2c_pm_suspend_runtime
+conditionally in qup_i2c_suspend.
+
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Reviewed-by: Andy Gross <andy.gross@linaro.org>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-qup.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-qup.c
++++ b/drivers/i2c/busses/i2c-qup.c
+@@ -1610,7 +1610,8 @@ static int qup_i2c_pm_resume_runtime(str
+ #ifdef CONFIG_PM_SLEEP
+ static int qup_i2c_suspend(struct device *device)
+ {
+- qup_i2c_pm_suspend_runtime(device);
++ if (!pm_runtime_suspended(device))
++ return qup_i2c_pm_suspend_runtime(device);
+ return 0;
+ }
+
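Review bot: The system-resume path is not adjusted to match the now-conditional suspend in qup_i2c_suspend(). qup_i2c_resume() is outside the hunk; if it calls qup_i2c_pm_resume_runtime() unconditionally, a device that was already runtime suspended at system suspend would get its clocks enabled on resume while runtime PM still records it as suspended, and the next runtime resume would enable them again. That path should be checked and either guarded the same way or made to update the runtime PM status. Note also that the new code returns the result of qup_i2c_pm_suspend_runtime(), which the old code discarded, so a failure there now aborts system suspend.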
--- /dev/null
+From 31b4beb473e3bdee1bf79db849502dcb24b5c202 Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Date: Mon, 19 Sep 2016 14:44:18 -0700
+Subject: ipc/shm: fix crash if CONFIG_SHMEM is not set
+
+From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+
+commit 31b4beb473e3bdee1bf79db849502dcb24b5c202 upstream.
+
+Commit c01d5b300774 ("shmem: get_unmapped_area align huge page") makes
+use of shm_get_unmapped_area() in shm_file_operations() unconditional to
+CONFIG_MMU.
+
+As Tony Battersby pointed out, this can lead to a NULL-pointer dereference
+on a machine with CONFIG_MMU=y and CONFIG_SHMEM=n. In this case ipc/shm is
+backed by ramfs which doesn't provide f_op->get_unmapped_area for
+configurations with MMU.
+
+The solution is to provide dummy f_op->get_unmapped_area for ramfs when
+CONFIG_MMU=y, which just call current->mm->get_unmapped_area().
+
+Fixes: c01d5b300774 ("shmem: get_unmapped_area align huge page")
+Link: http://lkml.kernel.org/r/20160912102704.140442-1-kirill.shutemov@linux.intel.com
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Reported-by: Tony Battersby <tonyb@cybernetics.com>
+Tested-by: Tony Battersby <tonyb@cybernetics.com>
+Cc: Hugh Dickins <hughd@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ramfs/file-mmu.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/ramfs/file-mmu.c
++++ b/fs/ramfs/file-mmu.c
+@@ -27,9 +27,17 @@
+ #include <linux/fs.h>
+ #include <linux/mm.h>
+ #include <linux/ramfs.h>
++#include <linux/sched.h>
+
+ #include "internal.h"
+
++static unsigned long ramfs_mmu_get_unmapped_area(struct file *file,
++ unsigned long addr, unsigned long len, unsigned long pgoff,
++ unsigned long flags)
++{
++ return current->mm->get_unmapped_area(file, addr, len, pgoff, flags);
++}
++
+ const struct file_operations ramfs_file_operations = {
+ .read_iter = generic_file_read_iter,
+ .write_iter = generic_file_write_iter,
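Review bot: ramfs_mmu_get_unmapped_area() reads as a redundant wrapper unless the reader knows the history, so it needs a comment saying why it exists. Something like `/* ipc/shm calls f_op->get_unmapped_area unconditionally when CONFIG_MMU=y; provide one that defers to the mm default */` above the function would keep it from being removed as dead code. The wrapper dereferences current->mm without a check; that holds as long as the hook is only reached from the mmap path of a user task, which this hunk does not show.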
+@@ -38,6 +46,7 @@ const struct file_operations ramfs_file_
+ .splice_read = generic_file_splice_read,
+ .splice_write = iter_file_splice_write,
+ .llseek = generic_file_llseek,
++ .get_unmapped_area = ramfs_mmu_get_unmapped_area,
+ };
+
+ const struct inode_operations ramfs_file_inode_operations = {
--- /dev/null
+From e875bd66dfb68f4e898e9a43ef42858c504a7f23 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@imgtec.com>
+Date: Tue, 13 Sep 2016 17:53:35 +0100
+Subject: irqchip/mips-gic: Fix local interrupts
+
+From: Paul Burton <paul.burton@imgtec.com>
+
+commit e875bd66dfb68f4e898e9a43ef42858c504a7f23 upstream.
+
+Since the device hierarchy domain was added by commit c98c1822ee13
+("irqchip/mips-gic: Add device hierarchy domain"), GIC local interrupts
+have been broken.
+
+Users attempting to setup a per-cpu local IRQ, for example the GIC timer
+clock events code in drivers/clocksource/mips-gic-timer.c, the
+setup_percpu_irq function would refuse with -EINVAL because the GIC
+irqchip driver never called irq_set_percpu_devid so the
+IRQ_PER_CPU_DEVID flag was never set for the IRQ. This happens because
+irq_set_percpu_devid was being called from the gic_irq_domain_map
+function which is no longer called.
+
+Doing only that runs into further problems because gic_dev_domain_alloc
+set the struct irq_chip for all interrupts, local or shared, to
+gic_level_irq_controller despite that only being suitable for shared
+interrupts. The typical outcome of this is that gic_level_irq_controller
+callback functions are called for local interrupts, and then hwirq
+number calculations overflow & the driver ends up attempting to access
+some invalid register with an address calculated from an invalid hwirq
+number. Best case scenario is that this then leads to a bus error. This
+is fixed by abstracting the setup of the hwirq & chip to a new function
+gic_setup_dev_chip which is used by both the root GIC IRQ domain & the
+device domain.
+
+Finally, decoding local interrupts failed because gic_dev_domain_alloc
+only called irq_domain_alloc_irqs_parent for shared interrupts. Local
+ones were therefore never associated with hwirqs in the root GIC IRQ
+domain and the virq in gic_handle_local_int would always be 0. This is
+fixed by calling irq_domain_alloc_irqs_parent unconditionally & having
+gic_irq_domain_alloc handle both local & shared interrupts, which is
+easy due to the aforementioned abstraction of chip setup into
+gic_setup_dev_chip.
+
+This fixes use of the MIPS GIC timer for clock events, which has been
+broken since c98c1822ee13 ("irqchip/mips-gic: Add device hierarchy
+domain") but hadn't been noticed due to a silent fallback to the MIPS
+coprocessor 0 count/compare clock events device.
+
+Fixes: c98c1822ee13 ("irqchip/mips-gic: Add device hierarchy domain")
+Signed-off-by: Paul Burton <paul.burton@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Cc: Jason Cooper <jason@lakedaemon.net>
+Cc: Qais Yousef <qsyousef@gmail.com>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Link: http://lkml.kernel.org/r/20160913165335.31389-1-paul.burton@imgtec.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-mips-gic.c | 105 +++++++++++++++++++----------------------
+ 1 file changed, 50 insertions(+), 55 deletions(-)
+
+--- a/drivers/irqchip/irq-mips-gic.c
++++ b/drivers/irqchip/irq-mips-gic.c
+@@ -638,27 +638,6 @@ static int gic_local_irq_domain_map(stru
+ if (!gic_local_irq_is_routable(intr))
+ return -EPERM;
+
+- /*
+- * HACK: These are all really percpu interrupts, but the rest
+- * of the MIPS kernel code does not use the percpu IRQ API for
+- * the CP0 timer and performance counter interrupts.
+- */
+- switch (intr) {
+- case GIC_LOCAL_INT_TIMER:
+- case GIC_LOCAL_INT_PERFCTR:
+- case GIC_LOCAL_INT_FDC:
+- irq_set_chip_and_handler(virq,
+- &gic_all_vpes_local_irq_controller,
+- handle_percpu_irq);
+- break;
+- default:
+- irq_set_chip_and_handler(virq,
+- &gic_local_irq_controller,
+- handle_percpu_devid_irq);
+- irq_set_percpu_devid(virq);
+- break;
+- }
+-
+ spin_lock_irqsave(&gic_lock, flags);
+ for (i = 0; i < gic_vpes; i++) {
+ u32 val = GIC_MAP_TO_PIN_MSK | gic_cpu_pin;
+@@ -724,16 +703,42 @@ static int gic_shared_irq_domain_map(str
+ return 0;
+ }
+
+-static int gic_irq_domain_map(struct irq_domain *d, unsigned int virq,
+- irq_hw_number_t hw)
++static int gic_setup_dev_chip(struct irq_domain *d, unsigned int virq,
++ unsigned int hwirq)
+ {
+- if (GIC_HWIRQ_TO_LOCAL(hw) < GIC_NUM_LOCAL_INTRS)
+- return gic_local_irq_domain_map(d, virq, hw);
++ struct irq_chip *chip;
++ int err;
+
+- irq_set_chip_and_handler(virq, &gic_level_irq_controller,
+- handle_level_irq);
++ if (hwirq >= GIC_SHARED_HWIRQ_BASE) {
++ err = irq_domain_set_hwirq_and_chip(d, virq, hwirq,
++ &gic_level_irq_controller,
++ NULL);
++ } else {
++ switch (GIC_HWIRQ_TO_LOCAL(hwirq)) {
++ case GIC_LOCAL_INT_TIMER:
++ case GIC_LOCAL_INT_PERFCTR:
++ case GIC_LOCAL_INT_FDC:
++ /*
++ * HACK: These are all really percpu interrupts, but
++ * the rest of the MIPS kernel code does not use the
++ * percpu IRQ API for them.
++ */
++ chip = &gic_all_vpes_local_irq_controller;
++ irq_set_handler(virq, handle_percpu_irq);
++ break;
++
++ default:
++ chip = &gic_local_irq_controller;
++ irq_set_handler(virq, handle_percpu_devid_irq);
++ irq_set_percpu_devid(virq);
++ break;
++ }
+
+- return gic_shared_irq_domain_map(d, virq, hw, 0);
++ err = irq_domain_set_hwirq_and_chip(d, virq, hwirq,
++ chip, NULL);
++ }
++
++ return err;
+ }
+
+ static int gic_irq_domain_alloc(struct irq_domain *d, unsigned int virq,
+@@ -744,15 +749,12 @@ static int gic_irq_domain_alloc(struct i
+ int cpu, ret, i;
+
+ if (spec->type == GIC_DEVICE) {
+- /* verify that it doesn't conflict with an IPI irq */
+- if (test_bit(spec->hwirq, ipi_resrv))
++ /* verify that shared irqs don't conflict with an IPI irq */
++ if ((spec->hwirq >= GIC_SHARED_HWIRQ_BASE) &&
++ test_bit(GIC_HWIRQ_TO_SHARED(spec->hwirq), ipi_resrv))
+ return -EBUSY;
+
+- hwirq = GIC_SHARED_TO_HWIRQ(spec->hwirq);
+-
+- return irq_domain_set_hwirq_and_chip(d, virq, hwirq,
+- &gic_level_irq_controller,
+- NULL);
++ return gic_setup_dev_chip(d, virq, spec->hwirq);
+ } else {
+ base_hwirq = find_first_bit(ipi_resrv, gic_shared_intrs);
+ if (base_hwirq == gic_shared_intrs) {
+@@ -821,7 +823,6 @@ int gic_irq_domain_match(struct irq_doma
+ }
+
+ static const struct irq_domain_ops gic_irq_domain_ops = {
+- .map = gic_irq_domain_map,
+ .alloc = gic_irq_domain_alloc,
+ .free = gic_irq_domain_free,
+ .match = gic_irq_domain_match,
+@@ -852,29 +853,20 @@ static int gic_dev_domain_alloc(struct i
+ struct irq_fwspec *fwspec = arg;
+ struct gic_irq_spec spec = {
+ .type = GIC_DEVICE,
+- .hwirq = fwspec->param[1],
+ };
+ int i, ret;
+- bool is_shared = fwspec->param[0] == GIC_SHARED;
+-
+- if (is_shared) {
+- ret = irq_domain_alloc_irqs_parent(d, virq, nr_irqs, &spec);
+- if (ret)
+- return ret;
+- }
+
+- for (i = 0; i < nr_irqs; i++) {
+- irq_hw_number_t hwirq;
++ if (fwspec->param[0] == GIC_SHARED)
++ spec.hwirq = GIC_SHARED_TO_HWIRQ(fwspec->param[1]);
++ else
++ spec.hwirq = GIC_LOCAL_TO_HWIRQ(fwspec->param[1]);
+
+- if (is_shared)
+- hwirq = GIC_SHARED_TO_HWIRQ(spec.hwirq + i);
+- else
+- hwirq = GIC_LOCAL_TO_HWIRQ(spec.hwirq + i);
++ ret = irq_domain_alloc_irqs_parent(d, virq, nr_irqs, &spec);
++ if (ret)
++ return ret;
+
+- ret = irq_domain_set_hwirq_and_chip(d, virq + i,
+- hwirq,
+- &gic_level_irq_controller,
+- NULL);
++ for (i = 0; i < nr_irqs; i++) {
++ ret = gic_setup_dev_chip(d, virq + i, spec.hwirq + i);
+ if (ret)
+ goto error;
+ }
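Review bot: fwspec->param[1] is turned into a hwirq in gic_dev_domain_alloc() without a range check, and the loop then hands spec.hwirq + i to gic_setup_dev_chip() for nr_irqs entries. The macro definitions are outside the diff, but if the local and shared hwirq ranges are adjacent, a local specifier at or beyond GIC_NUM_LOCAL_INTRS, or a multi-IRQ allocation that starts near the end of the local range, would be classified as shared by the `hwirq >= GIC_SHARED_HWIRQ_BASE` test and get gic_level_irq_controller. The same value reaches `test_bit(GIC_HWIRQ_TO_SHARED(spec->hwirq), ipi_resrv)` in the gic_irq_domain_alloc() hunk with no upper bound against gic_shared_intrs. The specifier presumably comes from firmware-described data, so rejecting it up front is cheap: `if (fwspec->param[0] != GIC_SHARED && fwspec->param[1] + nr_irqs > GIC_NUM_LOCAL_INTRS) return -EINVAL;`, with a matching bound for the shared case. gic_dev_domain_alloc() begins and ends outside the hunk.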
+@@ -896,7 +888,10 @@ void gic_dev_domain_free(struct irq_doma
+ static void gic_dev_domain_activate(struct irq_domain *domain,
+ struct irq_data *d)
+ {
+- gic_shared_irq_domain_map(domain, d->irq, d->hwirq, 0);
++ if (GIC_HWIRQ_TO_LOCAL(d->hwirq) < GIC_NUM_LOCAL_INTRS)
++ gic_local_irq_domain_map(domain, d->irq, d->hwirq);
++ else
++ gic_shared_irq_domain_map(domain, d->irq, d->hwirq, 0);
+ }
+
+ static struct irq_domain_ops gic_dev_domain_ops = {
--- /dev/null
+From 54c5ef2e93ea002dc5dd63349298b2778fe59edb Mon Sep 17 00:00:00 2001
+From: Beni Lev <beni.lev@intel.com>
+Date: Wed, 10 Aug 2016 17:03:43 +0300
+Subject: iwlwifi: mvm: update TX queue before making a copy of the skb
+
+From: Beni Lev <beni.lev@intel.com>
+
+commit 54c5ef2e93ea002dc5dd63349298b2778fe59edb upstream.
+
+Off-channel action frames (such as ANQP frames) must be sent either on
+the AUX queue or on the offchannel queue, otherwise the firmware will
+cause a SYSASSERT.
+
+In the current implementation, the queue to be used is correctly set in
+the original skb, but this is done after it is copied. Thus the copy
+remains with the original, incorrect queue.
+
+Fix this by setting the queue in the original skb before copying it.
+
+Fixes: commit 5c08b0f5026f ("iwlwifi: mvm: don't override the rate with the AMSDU len")
+Signed-off-by: Beni Lev <beni.lev@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+@@ -501,6 +501,15 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mv
+ int hdrlen = ieee80211_hdrlen(hdr->frame_control);
+ int queue;
+
++ /* IWL_MVM_OFFCHANNEL_QUEUE is used for ROC packets that can be used
++ * in 2 different types of vifs, P2P & STATION. P2P uses the offchannel
++ * queue. STATION (HS2.0) uses the auxiliary context of the FW,
++ * and hence needs to be sent on the aux queue
++ */
++ if (IEEE80211_SKB_CB(skb)->hw_queue == IWL_MVM_OFFCHANNEL_QUEUE &&
++ skb_info->control.vif->type == NL80211_IFTYPE_STATION)
++ IEEE80211_SKB_CB(skb)->hw_queue = mvm->aux_queue;
++
+ memcpy(&info, skb->cb, sizeof(info));
+
+ if (WARN_ON_ONCE(info.flags & IEEE80211_TX_CTL_AMPDU))
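Review bot: The moved condition mixes two spellings of what looks like the same control block: `IEEE80211_SKB_CB(skb)->hw_queue` for the queue and `skb_info->control.vif->type` for the vif. skb_info is declared outside the hunk; if it is `IEEE80211_SKB_CB(skb)`, using it throughout makes it obvious that the original skb is what gets modified before the memcpy, e.g. `if (skb_info->hw_queue == IWL_MVM_OFFCHANNEL_QUEUE && skb_info->control.vif->type == NL80211_IFTYPE_STATION)` followed by `skb_info->hw_queue = mvm->aux_queue;`. The block comment also changed from the `/*` on its own line form used by the other comments in this function to the text-on-first-line form. iwl_mvm_tx_skb_non_sta() starts and ends outside the hunk.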
+@@ -514,16 +523,6 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mv
+ /* This holds the amsdu headers length */
+ skb_info->driver_data[0] = (void *)(uintptr_t)0;
+
+- /*
+- * IWL_MVM_OFFCHANNEL_QUEUE is used for ROC packets that can be used
+- * in 2 different types of vifs, P2P & STATION. P2P uses the offchannel
+- * queue. STATION (HS2.0) uses the auxiliary context of the FW,
+- * and hence needs to be sent on the aux queue
+- */
+- if (IEEE80211_SKB_CB(skb)->hw_queue == IWL_MVM_OFFCHANNEL_QUEUE &&
+- info.control.vif->type == NL80211_IFTYPE_STATION)
+- IEEE80211_SKB_CB(skb)->hw_queue = mvm->aux_queue;
+-
+ queue = info.hw_queue;
+
+ /*
--- /dev/null
+From 456bee986e0a372ad4beed5d3cedb3622633d9df Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Tue, 20 Sep 2016 20:35:55 +0800
+Subject: KEYS: Fix skcipher IV clobbering
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 456bee986e0a372ad4beed5d3cedb3622633d9df upstream.
+
+The IV must not be modified by the skcipher operation so we need
+to duplicate it.
+
+Fixes: c3917fd9dfbc ("KEYS: Use skcipher")
+Reported-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/keys/encrypted-keys/encrypted.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/security/keys/encrypted-keys/encrypted.c
++++ b/security/keys/encrypted-keys/encrypted.c
+@@ -29,6 +29,7 @@
+ #include <linux/rcupdate.h>
+ #include <linux/scatterlist.h>
+ #include <linux/ctype.h>
++#include <crypto/aes.h>
+ #include <crypto/hash.h>
+ #include <crypto/sha.h>
+ #include <crypto/skcipher.h>
+@@ -478,6 +479,7 @@ static int derived_key_encrypt(struct en
+ struct crypto_skcipher *tfm;
+ struct skcipher_request *req;
+ unsigned int encrypted_datalen;
++ u8 iv[AES_BLOCK_SIZE];
+ unsigned int padlen;
+ char pad[16];
+ int ret;
+@@ -500,8 +502,8 @@ static int derived_key_encrypt(struct en
+ sg_init_table(sg_out, 1);
+ sg_set_buf(sg_out, epayload->encrypted_data, encrypted_datalen);
+
+- skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen,
+- epayload->iv);
++ memcpy(iv, epayload->iv, sizeof(iv));
++ skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen, iv);
+ ret = crypto_skcipher_encrypt(req);
+ tfm = crypto_skcipher_reqtfm(req);
+ skcipher_request_free(req);
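Review bot: The copy length is `sizeof(iv)`, i.e. AES_BLOCK_SIZE, rather than the IV size of the transform, so the two have to be kept equal by hand; the derived_key_decrypt() hunk has the same pattern. The cipher selection and the allocation of epayload->iv are outside this diff, so nothing visible here guarantees that the source holds AES_BLOCK_SIZE bytes or that the skcipher will not read or write more than that through the stack buffer. A cheap guard before the copy would make the assumption explicit, e.g. `if (WARN_ON(crypto_skcipher_ivsize(crypto_skcipher_reqtfm(req)) != sizeof(iv)))` with an error return. The copy itself also deserves a comment: `/* the skcipher operation may overwrite the IV buffer; work on a copy so epayload->iv is preserved */`.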
+@@ -581,6 +583,7 @@ static int derived_key_decrypt(struct en
+ struct crypto_skcipher *tfm;
+ struct skcipher_request *req;
+ unsigned int encrypted_datalen;
++ u8 iv[AES_BLOCK_SIZE];
+ char pad[16];
+ int ret;
+
+@@ -599,8 +602,8 @@ static int derived_key_decrypt(struct en
+ epayload->decrypted_datalen);
+ sg_set_buf(&sg_out[1], pad, sizeof pad);
+
+- skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen,
+- epayload->iv);
++ memcpy(iv, epayload->iv, sizeof(iv));
++ skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen, iv);
+ ret = crypto_skcipher_decrypt(req);
+ tfm = crypto_skcipher_reqtfm(req);
+ skcipher_request_free(req);
--- /dev/null
+From 85d5313ed717ad60769491c7c072d23bc0a68e7a Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 14 Sep 2016 11:38:31 +0200
+Subject: mac80211: reject TSPEC TIDs (TSIDs) for aggregation
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 85d5313ed717ad60769491c7c072d23bc0a68e7a upstream.
+
+Since mac80211 doesn't currently support TSIDs 8-15 which can
+only be used after QoS TSPEC negotiation (and not even after
+WMM negotiation), reject attempts to set up aggregation
+sessions for them, which might confuse drivers. In mac80211
+we do correctly handle that, but the TSIDs should never get
+used anyway, and drivers might not be able to handle it.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/agg-rx.c | 8 +++++++-
+ net/mac80211/agg-tx.c | 3 +++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/agg-rx.c
++++ b/net/mac80211/agg-rx.c
+@@ -261,10 +261,16 @@ void __ieee80211_start_rx_ba_session(str
+ .timeout = timeout,
+ .ssn = start_seq_num,
+ };
+-
+ int i, ret = -EOPNOTSUPP;
+ u16 status = WLAN_STATUS_REQUEST_DECLINED;
+
++ if (tid >= IEEE80211_FIRST_TSPEC_TSID) {
++ ht_dbg(sta->sdata,
++ "STA %pM requests BA session on unsupported tid %d\n",
++ sta->sta.addr, tid);
++ goto end_no_lock;
++ }
++
+ if (!sta->sta.ht_cap.ht_supported) {
+ ht_dbg(sta->sdata,
+ "STA %pM erroneously requests BA session on tid %d w/o QoS\n",
+--- a/net/mac80211/agg-tx.c
++++ b/net/mac80211/agg-tx.c
+@@ -580,6 +580,9 @@ int ieee80211_start_tx_ba_session(struct
+ ieee80211_hw_check(&local->hw, TX_AMPDU_SETUP_IN_HW))
+ return -EINVAL;
+
++ if (WARN_ON(tid >= IEEE80211_FIRST_TSPEC_TSID))
++ return -EINVAL;
++
+ ht_dbg(sdata, "Open BA session requested for %pM tid %u\n",
+ pubsta->addr, tid);
+
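Review bot: `WARN_ON(tid >= IEEE80211_FIRST_TSPEC_TSID)` prints a full backtrace on every call with an out-of-range TID, so a driver or rate-control path that keeps retrying would flood the log. `if (WARN_ON_ONCE(tid >= IEEE80211_FIRST_TSPEC_TSID))` reports the caller bug once and still returns -EINVAL. The agg-rx.c hunk handles the same condition with ht_dbg() rather than a WARN, which is the right choice there because the value comes from the peer's request. ieee80211_start_tx_ba_session() starts and ends outside the hunk.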
--- /dev/null
+From 3cbc6fc9c99f1709203711f125bc3b79487aba06 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Mon, 5 Sep 2016 08:48:03 +0800
+Subject: MIPS: Add a missing ".set pop" in an early commit
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit 3cbc6fc9c99f1709203711f125bc3b79487aba06 upstream.
+
+Commit 842dfc11ea9a21 ("MIPS: Fix build with binutils 2.24.51+") is missing
+a ".set pop" in macro fpu_restore_16even, so add it.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Acked-by: Manuel Lauss <manuel.lauss@gmail.com>
+Cc: Steven J . Hill <Steven.Hill@caviumnetworks.com>
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/14210/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/asmmacro.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/mips/include/asm/asmmacro.h
++++ b/arch/mips/include/asm/asmmacro.h
+@@ -157,6 +157,7 @@
+ ldc1 $f28, THREAD_FPR28(\thread)
+ ldc1 $f30, THREAD_FPR30(\thread)
+ ctc1 \tmp, fcr31
++ .set pop
+ .endm
+
+ .macro fpu_restore_16odd thread
--- /dev/null
+From b244614a60ab7ce54c12a9cbe15cfbf8d79d0967 Mon Sep 17 00:00:00 2001
+From: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+Date: Wed, 31 Aug 2016 12:33:23 +0200
+Subject: MIPS: Avoid a BUG warning during prctl(PR_SET_FP_MODE, ...)
+
+From: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+
+commit b244614a60ab7ce54c12a9cbe15cfbf8d79d0967 upstream.
+
+cpu_has_fpu macro uses smp_processor_id() and is currently executed
+with preemption enabled, that triggers the warning at runtime.
+
+It is assumed throughout the kernel that if any CPU has an FPU, then all
+CPUs would have an FPU as well, so it is safe to perform the check with
+preemption enabled - change the code to use raw_ variant of the check to
+avoid the warning.
+
+Signed-off-by: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/14125/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/process.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/mips/kernel/process.c
++++ b/arch/mips/kernel/process.c
+@@ -591,14 +591,14 @@ int mips_set_process_fp_mode(struct task
+ return -EOPNOTSUPP;
+
+ /* Avoid inadvertently triggering emulation */
+- if ((value & PR_FP_MODE_FR) && cpu_has_fpu &&
+- !(current_cpu_data.fpu_id & MIPS_FPIR_F64))
++ if ((value & PR_FP_MODE_FR) && raw_cpu_has_fpu &&
++ !(raw_current_cpu_data.fpu_id & MIPS_FPIR_F64))
+ return -EOPNOTSUPP;
+- if ((value & PR_FP_MODE_FRE) && cpu_has_fpu && !cpu_has_fre)
++ if ((value & PR_FP_MODE_FRE) && raw_cpu_has_fpu && !cpu_has_fre)
+ return -EOPNOTSUPP;
+
+ /* FR = 0 not supported in MIPS R6 */
+- if (!(value & PR_FP_MODE_FR) && cpu_has_fpu && cpu_has_mips_r6)
++ if (!(value & PR_FP_MODE_FR) && raw_cpu_has_fpu && cpu_has_mips_r6)
+ return -EOPNOTSUPP;
+
+ /* Proceed with the mode switch */
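Review bot: The switch to raw_cpu_has_fpu and raw_current_cpu_data is safe only because of an assumption that lives in the commit message and not in the code. A comment above the first check would keep someone from changing it back, e.g. `/* raw_ variants: preemption is enabled here; FPU presence and FPIR are assumed identical on all CPUs */`. cpu_has_fre and cpu_has_mips_r6 stay in their non-raw form on the following lines; their definitions are outside the diff, so it should be confirmed that they do not go through smp_processor_id() as well. mips_set_process_fp_mode() starts and ends outside the hunk.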
--- /dev/null
+From 7e956304eb8a285304a78582e4537e72c6365f20 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@imgtec.com>
+Date: Fri, 23 Sep 2016 15:13:53 +0100
+Subject: MIPS: Fix pre-r6 emulation FPU initialisation
+
+From: Paul Burton <paul.burton@imgtec.com>
+
+commit 7e956304eb8a285304a78582e4537e72c6365f20 upstream.
+
+In the mipsr2_decoder() function, used to emulate pre-MIPSr6
+instructions that were removed in MIPSr6, the init_fpu() function is
+called if a removed pre-MIPSr6 floating point instruction is the first
+floating point instruction used by the task. However, init_fpu()
+performs various actions that rely upon not being migrated. For example
+in the most basic case it sets the coprocessor 0 Status.CU1 bit to
+enable the FPU & then loads FP register context into the FPU registers.
+If the task were to migrate during this time, it may end up attempting
+to load FP register context on a different CPU where it hasn't set the
+CU1 bit, leading to errors such as:
+
+ do_cpu invoked from kernel context![#2]:
+ CPU: 2 PID: 7338 Comm: fp-prctl Tainted: G D 4.7.0-00424-g49b0c82 #2
+ task: 838e4000 ti: 88d38000 task.ti: 88d38000
+ $ 0 : 00000000 00000001 ffffffff 88d3fef8
+ $ 4 : 838e4000 88d38004 00000000 00000001
+ $ 8 : 3400fc01 801f8020 808e9100 24000000
+ $12 : dbffffff 807b69d8 807b0000 00000000
+ $16 : 00000000 80786150 00400fc4 809c0398
+ $20 : 809c0338 0040273c 88d3ff28 808e9d30
+ $24 : 808e9d30 00400fb4
+ $28 : 88d38000 88d3fe88 00000000 8011a2ac
+ Hi : 0040273c
+ Lo : 88d3ff28
+ epc : 80114178 _restore_fp+0x10/0xa0
+ ra : 8011a2ac mipsr2_decoder+0xd5c/0x1660
+ Status: 1400fc03 KERNEL EXL IE
+ Cause : 1080002c (ExcCode 0b)
+ PrId : 0001a920 (MIPS I6400)
+ Modules linked in:
+ Process fp-prctl (pid: 7338, threadinfo=88d38000, task=838e4000, tls=766527d0)
+ Stack : 00000000 00000000 00000000 88d3fe98 00000000 00000000 809c0398 809c0338
+ 808e9100 00000000 88d3ff28 00400fc4 00400fc4 0040273c 7fb69e18 004a0000
+ 004a0000 004a0000 7664add0 8010de18 00000000 00000000 88d3fef8 88d3ff28
+ 808e9100 00000000 766527d0 8010e534 000c0000 85755000 8181d580 00000000
+ 00000000 00000000 004a0000 00000000 766527d0 7fb69e18 004a0000 80105c20
+ ...
+ Call Trace:
+ [<80114178>] _restore_fp+0x10/0xa0
+ [<8011a2ac>] mipsr2_decoder+0xd5c/0x1660
+ [<8010de18>] do_ri+0x90/0x6b8
+ [<80105c20>] ret_from_exception+0x0/0x10
+
+Fix this by disabling preemption around the call to init_fpu(), ensuring
+that it starts & completes on one CPU.
+
+Signed-off-by: Paul Burton <paul.burton@imgtec.com>
+Fixes: b0a668fb2038 ("MIPS: kernel: mips-r2-to-r6-emul: Add R2 emulator for MIPS R6")
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/14305/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/mips-r2-to-r6-emul.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/mips/kernel/mips-r2-to-r6-emul.c
++++ b/arch/mips/kernel/mips-r2-to-r6-emul.c
+@@ -1164,7 +1164,9 @@ fpu_emul:
+ regs->regs[31] = r31;
+ regs->cp0_epc = epc;
+ if (!used_math()) { /* First time FPU user. */
++ preempt_disable();
+ err = init_fpu();
++ preempt_enable();
+ set_used_math();
+ }
+ lose_fpu(1); /* Save FPU state for the emulator. */
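Review bot: set_used_math() still runs when init_fpu() returns an error, because nothing between `err = init_fpu();` and `set_used_math();` looks at err. The task would then be marked as having FP context although the initialisation did not complete. Whether err is examined or overwritten further down is outside the hunk, but the marking itself can be made conditional with `if (!err) set_used_math();` placed after preempt_enable(). The fpu_emul block of mipsr2_decoder() starts and ends outside the hunk.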
--- /dev/null
+From 951c39cd3bc0aedf67fbd8fb4b9380287e6205d1 Mon Sep 17 00:00:00 2001
+From: Matt Redfearn <matt.redfearn@imgtec.com>
+Date: Mon, 5 Sep 2016 15:43:40 +0100
+Subject: MIPS: paravirt: Fix undefined reference to smp_bootstrap
+
+From: Matt Redfearn <matt.redfearn@imgtec.com>
+
+commit 951c39cd3bc0aedf67fbd8fb4b9380287e6205d1 upstream.
+
+If the paravirt machine is compiled without CONFIG_SMP, the following
+linker error occurs:
+
+arch/mips/kernel/head.o: In function `kernel_entry':
+(.ref.text+0x10): undefined reference to `smp_bootstrap'
+
+due to the kernel entry macro always including SMP startup code.
+Wrap this code in CONFIG_SMP to fix the error.
+
+Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/14212/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/mach-paravirt/kernel-entry-init.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h
++++ b/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h
+@@ -11,11 +11,13 @@
+ #define CP0_EBASE $15, 1
+
+ .macro kernel_entry_setup
++#ifdef CONFIG_SMP
+ mfc0 t0, CP0_EBASE
+ andi t0, t0, 0x3ff # CPUNum
+ beqz t0, 1f
+ # CPUs other than zero goto smp_bootstrap
+ j smp_bootstrap
++#endif /* CONFIG_SMP */
+
+ 1:
+ .endm
--- /dev/null
+From b03c1e3b8eed9026733c473071d1f528358a0e50 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@imgtec.com>
+Date: Mon, 12 Sep 2016 10:58:06 +0100
+Subject: MIPS: Remove compact branch policy Kconfig entries
+
+From: Paul Burton <paul.burton@imgtec.com>
+
+commit b03c1e3b8eed9026733c473071d1f528358a0e50 upstream.
+
+Commit c1a0e9bc885d ("MIPS: Allow compact branch policy to be changed")
+added Kconfig entries allowing for the compact branch policy used by the
+compiler for MIPSr6 kernels to be specified. This can be useful for
+debugging, particularly in systems where compact branches have recently
+been introduced.
+
+Unfortunately mainline gcc 5.x supports MIPSr6 but not the
+-mcompact-branches compiler flag, leading to MIPSr6 kernels failing to
+build with gcc 5.x with errors such as:
+
+ mipsel-linux-gnu-gcc: error: unrecognized command line option '-mcompact-branches=optimal'
+ make[2]: *** [kernel/bounds.s] Error 1
+
+Fixing this by hiding the Kconfig entry behind another seems to be more
+hassle than it's worth, as MIPSr6 & compact branches have been around
+for a while now and if policy does need to be set for debug it can be
+done easily enough with KCFLAGS. Therefore remove the compact branch
+policy Kconfig entries & their handling in the Makefile.
+
+This reverts commit c1a0e9bc885d ("MIPS: Allow compact branch policy to
+be changed").
+
+Signed-off-by: Paul Burton <paul.burton@imgtec.com>
+Reported-by: kbuild test robot <fengguang.wu@intel.com>
+Fixes: c1a0e9bc885d ("MIPS: Allow compact branch policy to be changed")
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/14241/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/Kconfig.debug | 36 ------------------------------------
+ arch/mips/Makefile | 4 ----
+ 2 files changed, 40 deletions(-)
+
+--- a/arch/mips/Kconfig.debug
++++ b/arch/mips/Kconfig.debug
+@@ -113,42 +113,6 @@ config SPINLOCK_TEST
+ help
+ Add several files to the debugfs to test spinlock speed.
+
+-if CPU_MIPSR6
+-
+-choice
+- prompt "Compact branch policy"
+- default MIPS_COMPACT_BRANCHES_OPTIMAL
+-
+-config MIPS_COMPACT_BRANCHES_NEVER
+- bool "Never (force delay slot branches)"
+- help
+- Pass the -mcompact-branches=never flag to the compiler in order to
+- force it to always emit branches with delay slots, and make no use
+- of the compact branch instructions introduced by MIPSr6. This is
+- useful if you suspect there may be an issue with compact branches in
+- either the compiler or the CPU.
+-
+-config MIPS_COMPACT_BRANCHES_OPTIMAL
+- bool "Optimal (use where beneficial)"
+- help
+- Pass the -mcompact-branches=optimal flag to the compiler in order for
+- it to make use of compact branch instructions where it deems them
+- beneficial, and use branches with delay slots elsewhere. This is the
+- default compiler behaviour, and should be used unless you have a
+- reason to choose otherwise.
+-
+-config MIPS_COMPACT_BRANCHES_ALWAYS
+- bool "Always (force compact branches)"
+- help
+- Pass the -mcompact-branches=always flag to the compiler in order to
+- force it to always emit compact branches, making no use of branch
+- instructions with delay slots. This can result in more compact code
+- which may be beneficial in some scenarios.
+-
+-endchoice
+-
+-endif # CPU_MIPSR6
+-
+ config SCACHE_DEBUGFS
+ bool "L2 cache debugfs entries"
+ depends on DEBUG_FS
+--- a/arch/mips/Makefile
++++ b/arch/mips/Makefile
+@@ -203,10 +203,6 @@ endif
+ toolchain-virt := $(call cc-option-yn,$(mips-cflags) -mvirt)
+ cflags-$(toolchain-virt) += -DTOOLCHAIN_SUPPORTS_VIRT
+
+-cflags-$(CONFIG_MIPS_COMPACT_BRANCHES_NEVER) += -mcompact-branches=never
+-cflags-$(CONFIG_MIPS_COMPACT_BRANCHES_OPTIMAL) += -mcompact-branches=optimal
+-cflags-$(CONFIG_MIPS_COMPACT_BRANCHES_ALWAYS) += -mcompact-branches=always
+-
+ #
+ # Firmware support
+ #
--- /dev/null
+From 8f46cca1e6c06a058374816887059bcc017b382f Mon Sep 17 00:00:00 2001
+From: Matt Redfearn <matt.redfearn@imgtec.com>
+Date: Thu, 22 Sep 2016 17:15:47 +0100
+Subject: MIPS: SMP: Fix possibility of deadlock when bringing CPUs online
+
+From: Matt Redfearn <matt.redfearn@imgtec.com>
+
+commit 8f46cca1e6c06a058374816887059bcc017b382f upstream.
+
+This patch fixes the possibility of a deadlock when bringing up
+secondary CPUs.
+The deadlock occurs because the set_cpu_online() is called before
+synchronise_count_slave(). This can cause a deadlock if the boot CPU,
+having scheduled another thread, attempts to send an IPI to the
+secondary CPU, which it sees has been marked online. The secondary is
+blocked in synchronise_count_slave() waiting for the boot CPU to enter
+synchronise_count_master(), but the boot cpu is blocked in
+smp_call_function_many() waiting for the secondary to respond to it's
+IPI request.
+
+Fix this by marking the CPU online in cpu_callin_map and synchronising
+counters before declaring the CPU online and calculating the maps for
+IPIs.
+
+Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
+Reported-by: Justin Chen <justinpopo6@gmail.com>
+Tested-by: Justin Chen <justinpopo6@gmail.com>
+Cc: Florian Fainelli <f.fainelli@gmail.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/14302/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/smp.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/arch/mips/kernel/smp.c
++++ b/arch/mips/kernel/smp.c
+@@ -320,6 +320,9 @@ asmlinkage void start_secondary(void)
+ cpumask_set_cpu(cpu, &cpu_coherent_mask);
+ notify_cpu_starting(cpu);
+
++ cpumask_set_cpu(cpu, &cpu_callin_map);
++ synchronise_count_slave(cpu);
++
+ set_cpu_online(cpu, true);
+
+ set_cpu_sibling_map(cpu);
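Review bot: The ordering established by the two added lines in start_secondary() is load-bearing, but nothing in the code says so. Per the commit message, `synchronise_count_slave(cpu)` has to finish before `set_cpu_online(cpu, true)`, because once the CPU is marked online the boot CPU may send it an IPI and wait for the reply. I would put a comment above the added lines, for example `/* Sync counters before going online: once online, the boot CPU may IPI us and block until we answer. */`, so a later reshuffle does not reintroduce the deadlock. start_secondary() begins and ends outside this hunk.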
+@@ -327,10 +330,6 @@ asmlinkage void start_secondary(void)
+
+ calculate_cpu_foreign_map();
+
+- cpumask_set_cpu(cpu, &cpu_callin_map);
+-
+- synchronise_count_slave(cpu);
+-
+ /*
+ * irq will be enabled in ->smp_finish(), enabling it too early
+ * is dangerous.
--- /dev/null
+From 554af0c396380baf416f54c439b99b495180b2f4 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Wed, 7 Sep 2016 13:37:01 +0100
+Subject: MIPS: vDSO: Fix Malta EVA mapping to vDSO page structs
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 554af0c396380baf416f54c439b99b495180b2f4 upstream.
+
+The page structures associated with the vDSO pages in the kernel image
+are calculated using virt_to_page(), which uses __pa() under the hood to
+find the pfn associated with the virtual address. The vDSO data pointers
+however point to kernel symbols, so __pa_symbol() should really be used
+instead.
+
+Since there is no equivalent to virt_to_page() which uses __pa_symbol(),
+fix init_vdso_image() to work directly with pfns, calculated with
+__phys_to_pfn(__pa_symbol(...)).
+
+This issue broke the Malta Enhanced Virtual Addressing (EVA)
+configuration which has a non-default implementation of __pa_symbol().
+This is because it uses a physical alias so that the kernel executes
+from KSeg0 (VA 0x80000000 -> PA 0x00000000), while RAM is provided to
+the kernel in the KUSeg range (VA 0x00000000 -> PA 0x80000000) which
+uses the same underlying RAM.
+
+Since there are no page structures associated with the low physical
+address region, some arbitrary kernel memory would be interpreted as a
+page structure for the vDSO pages and badness ensues.
+
+Fixes: ebb5e78cc634 ("MIPS: Initial implementation of a VDSO")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/14229/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/vdso.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/mips/kernel/vdso.c
++++ b/arch/mips/kernel/vdso.c
+@@ -39,16 +39,16 @@ static struct vm_special_mapping vdso_vv
+ static void __init init_vdso_image(struct mips_vdso_image *image)
+ {
+ unsigned long num_pages, i;
++ unsigned long data_pfn;
+
+ BUG_ON(!PAGE_ALIGNED(image->data));
+ BUG_ON(!PAGE_ALIGNED(image->size));
+
+ num_pages = image->size / PAGE_SIZE;
+
+- for (i = 0; i < num_pages; i++) {
+- image->mapping.pages[i] =
+- virt_to_page(image->data + (i * PAGE_SIZE));
+- }
++ data_pfn = __phys_to_pfn(__pa_symbol(image->data));
++ for (i = 0; i < num_pages; i++)
++ image->mapping.pages[i] = pfn_to_page(data_pfn + i);
+ }
+
+ static int __init init_vdso(void)
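Review bot: The reason for `__pa_symbol()` in init_vdso_image() is explained only in the commit message, and the new `data_pfn` line looks like something a cleanup could fold back into `virt_to_page()`. A short comment above it would prevent that, for example `/* image->data is a kernel image symbol: use __pa_symbol(), virt_to_page() picks the wrong struct page under EVA */`. Separately, the loop stores `num_pages` entries into `image->mapping.pages[]`. How that array is sized is not visible in the hunk, so it is worth confirming that it always covers `image->size / PAGE_SIZE` entries.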
--- /dev/null
+From b385d21f27d86426472f6ae92a231095f7de2a8d Mon Sep 17 00:00:00 2001
+From: Hugh Dickins <hughd@google.com>
+Date: Fri, 23 Sep 2016 20:27:04 -0700
+Subject: mm: delete unnecessary and unsafe init_tlb_ubc()
+
+From: Hugh Dickins <hughd@google.com>
+
+commit b385d21f27d86426472f6ae92a231095f7de2a8d upstream.
+
+init_tlb_ubc() looked unnecessary to me: tlb_ubc is statically
+initialized with zeroes in the init_task, and copied from parent to
+child while it is quiescent in arch_dup_task_struct(); so I went to
+delete it.
+
+But inserted temporary debug WARN_ONs in place of init_tlb_ubc() to
+check that it was always empty at that point, and found them firing:
+because memcg reclaim can recurse into global reclaim (when allocating
+biosets for swapout in my case), and arrive back at the init_tlb_ubc()
+in shrink_node_memcg().
+
+Resetting tlb_ubc.flush_required at that point is wrong: if the upper
+level needs a deferred TLB flush, but the lower level turns out not to,
+we miss a TLB flush. But fortunately, that's the only part of the
+protocol that does not nest: with the initialization removed, cpumask
+collects bits from upper and lower levels, and flushes TLB when needed.
+
+Fixes: 72b252aed506 ("mm: send one IPI per CPU to TLB flush all entries after unmapping pages")
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Acked-by: Mel Gorman <mgorman@techsingularity.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/vmscan.c | 19 -------------------
+ 1 file changed, 19 deletions(-)
+
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -2150,23 +2150,6 @@ out:
+ }
+ }
+
+-#ifdef CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH
+-static void init_tlb_ubc(void)
+-{
+- /*
+- * This deliberately does not clear the cpumask as it's expensive
+- * and unnecessary. If there happens to be data in there then the
+- * first SWAP_CLUSTER_MAX pages will send an unnecessary IPI and
+- * then will be cleared.
+- */
+- current->tlb_ubc.flush_required = false;
+-}
+-#else
+-static inline void init_tlb_ubc(void)
+-{
+-}
+-#endif /* CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH */
+-
+ /*
+ * This is a basic per-zone page freer. Used by both kswapd and direct reclaim.
+ */
+@@ -2202,8 +2185,6 @@ static void shrink_zone_memcg(struct zon
+ scan_adjusted = (global_reclaim(sc) && !current_is_kswapd() &&
+ sc->priority == DEF_PRIORITY);
+
+- init_tlb_ubc();
+-
+ blk_start_plug(&plug);
+ while (nr[LRU_INACTIVE_ANON] || nr[LRU_ACTIVE_FILE] ||
+ nr[LRU_INACTIVE_FILE]) {
--- /dev/null
+From c8de641b1e9c5489aa6ca57b7836acd68e7563f1 Mon Sep 17 00:00:00 2001
+From: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Date: Mon, 19 Sep 2016 14:44:15 -0700
+Subject: mm: fix the page_swap_info() BUG_ON check
+
+From: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+
+commit c8de641b1e9c5489aa6ca57b7836acd68e7563f1 upstream.
+
+Commit 62c230bc1790 ("mm: add support for a filesystem to activate
+swap files and use direct_IO for writing swap pages") replaced the
+swap_aops dirty hook from __set_page_dirty_no_writeback() with
+swap_set_page_dirty().
+
+For normal cases without these special SWP flags code path falls back to
+__set_page_dirty_no_writeback() so the behaviour is expected to be the
+same as before.
+
+But swap_set_page_dirty() makes use of the page_swap_info() helper to
+get the swap_info_struct to check for the flags like SWP_FILE,
+SWP_BLKDEV etc as desired for those features. This helper has
+BUG_ON(!PageSwapCache(page)) which is racy and safe only for the
+set_page_dirty_lock() path.
+
+For the set_page_dirty() path which is often needed for cases to be
+called from irq context, kswapd() can toggle the flag behind the back
+while the call is getting executed when system is low on memory and
+heavy swapping is ongoing.
+
+This ends up with undesired kernel panic.
+
+This patch just moves the check outside the helper to its users
+appropriately to fix kernel panic for the described path. Couple of
+users of helpers already take care of SwapCache condition so I skipped
+them.
+
+Link: http://lkml.kernel.org/r/1473460718-31013-1-git-send-email-santosh.shilimkar@oracle.com
+Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Cc: Mel Gorman <mgorman@suse.de>
+Cc: Joe Perches <joe@perches.com>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Jens Axboe <axboe@fb.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/page_io.c | 3 +++
+ mm/swapfile.c | 1 -
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/mm/page_io.c
++++ b/mm/page_io.c
+@@ -262,6 +262,7 @@ int __swap_writepage(struct page *page,
+ int ret, rw = WRITE;
+ struct swap_info_struct *sis = page_swap_info(page);
+
++ BUG_ON(!PageSwapCache(page));
+ if (sis->flags & SWP_FILE) {
+ struct kiocb kiocb;
+ struct file *swap_file = sis->swap_file;
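Review bot: In `__swap_writepage()` the new `BUG_ON(!PageSwapCache(page))` runs after `page_swap_info(page)` has already turned `page_private(page)` into an index into `swap_info[]`, so the assertion no longer guards the lookup; the `swap_readpage()` hunk has the same order. For those two functions I would split the declaration so the check comes first: `struct swap_info_struct *sis;`, then `BUG_ON(!PageSwapCache(page));`, then `sis = page_swap_info(page);`. In the `swap_set_page_dirty()` hunk `sis->flags` is read before the check and only the SWP_FILE branch asserts, so on the racy path the commit message describes the lookup presumably still works from a `page_private` value that may be stale (the assignment of `sis` is outside that hunk). A comment on `page_swap_info()` stating that callers must guarantee the page is in the swap cache would make the new contract explicit.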
+@@ -333,6 +334,7 @@ int swap_readpage(struct page *page)
+ int ret = 0;
+ struct swap_info_struct *sis = page_swap_info(page);
+
++ BUG_ON(!PageSwapCache(page));
+ VM_BUG_ON_PAGE(!PageLocked(page), page);
+ VM_BUG_ON_PAGE(PageUptodate(page), page);
+ if (frontswap_load(page) == 0) {
+@@ -381,6 +383,7 @@ int swap_set_page_dirty(struct page *pag
+
+ if (sis->flags & SWP_FILE) {
+ struct address_space *mapping = sis->swap_file->f_mapping;
++ BUG_ON(!PageSwapCache(page));
+ return mapping->a_ops->set_page_dirty(page);
+ } else {
+ return __set_page_dirty_no_writeback(page);
+--- a/mm/swapfile.c
++++ b/mm/swapfile.c
+@@ -2724,7 +2724,6 @@ int swapcache_prepare(swp_entry_t entry)
+ struct swap_info_struct *page_swap_info(struct page *page)
+ {
+ swp_entry_t swap = { .val = page_private(page) };
+- BUG_ON(!PageSwapCache(page));
+ return swap_info[swp_type(swap)];
+ }
+
--- /dev/null
+From db2ba40c277dc545bab531671c3f45ac0afea6f8 Mon Sep 17 00:00:00 2001
+From: Johannes Weiner <jweiner@fb.com>
+Date: Mon, 19 Sep 2016 14:44:36 -0700
+Subject: mm: memcontrol: make per-cpu charge cache IRQ-safe for socket accounting
+
+From: Johannes Weiner <jweiner@fb.com>
+
+commit db2ba40c277dc545bab531671c3f45ac0afea6f8 upstream.
+
+During cgroup2 rollout into production, we started encountering css
+refcount underflows and css access crashes in the memory controller.
+Splitting the heavily shared css reference counter into logical users
+narrowed the imbalance down to the cgroup2 socket memory accounting.
+
+The problem turns out to be the per-cpu charge cache. Cgroup1 had a
+separate socket counter, but the new cgroup2 socket accounting goes
+through the common charge path that uses a shared per-cpu cache for all
+memory that is being tracked. Those caches are safe against scheduling
+preemption, but not against interrupts - such as the newly added packet
+receive path. When cache draining is interrupted by network RX taking
+pages out of the cache, the resuming drain operation will put references
+of in-use pages, thus causing the imbalance.
+
+Disable IRQs during all per-cpu charge cache operations.
+
+Fixes: f7e1cb6ec51b ("mm: memcontrol: account socket memory in unified hierarchy memory controller")
+Link: http://lkml.kernel.org/r/20160914194846.11153-1-hannes@cmpxchg.org
+Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
+Acked-by: Tejun Heo <tj@kernel.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Michal Hocko <mhocko@suse.cz>
+Cc: Vladimir Davydov <vdavydov@virtuozzo.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memcontrol.c | 31 ++++++++++++++++++++++---------
+ 1 file changed, 22 insertions(+), 9 deletions(-)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -1797,17 +1797,22 @@ static DEFINE_MUTEX(percpu_charge_mutex)
+ static bool consume_stock(struct mem_cgroup *memcg, unsigned int nr_pages)
+ {
+ struct memcg_stock_pcp *stock;
++ unsigned long flags;
+ bool ret = false;
+
+ if (nr_pages > CHARGE_BATCH)
+ return ret;
+
+- stock = &get_cpu_var(memcg_stock);
++ local_irq_save(flags);
++
++ stock = this_cpu_ptr(&memcg_stock);
+ if (memcg == stock->cached && stock->nr_pages >= nr_pages) {
+ stock->nr_pages -= nr_pages;
+ ret = true;
+ }
+- put_cpu_var(memcg_stock);
++
++ local_irq_restore(flags);
++
+ return ret;
+ }
+
+@@ -1828,15 +1833,18 @@ static void drain_stock(struct memcg_sto
+ stock->cached = NULL;
+ }
+
+-/*
+- * This must be called under preempt disabled or must be called by
+- * a thread which is pinned to local cpu.
+- */
+ static void drain_local_stock(struct work_struct *dummy)
+ {
+- struct memcg_stock_pcp *stock = this_cpu_ptr(&memcg_stock);
++ struct memcg_stock_pcp *stock;
++ unsigned long flags;
++
++ local_irq_save(flags);
++
++ stock = this_cpu_ptr(&memcg_stock);
+ drain_stock(stock);
+ clear_bit(FLUSHING_CACHED_CHARGE, &stock->flags);
++
++ local_irq_restore(flags);
+ }
+
+ /*
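Review bot: The calling-context comment above drain_local_stock() is deleted and nothing replaces it, so the new locking rule for the per-cpu stock is recorded only in the commit message. I would add a comment where `local_irq_save(flags)` is taken, for example `/* IRQs off, not just preemption: socket accounting on the packet receive path can charge from interrupt context and touch this stock. */`. The same comment applies to the consume_stock() and refill_stock() hunks. The hunk also makes drain_stock() run with interrupts disabled. Its body is outside the hunk, so it is worth confirming that nothing it calls can sleep.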
+@@ -1845,14 +1853,19 @@ static void drain_local_stock(struct wor
+ */
+ static void refill_stock(struct mem_cgroup *memcg, unsigned int nr_pages)
+ {
+- struct memcg_stock_pcp *stock = &get_cpu_var(memcg_stock);
++ struct memcg_stock_pcp *stock;
++ unsigned long flags;
++
++ local_irq_save(flags);
+
++ stock = this_cpu_ptr(&memcg_stock);
+ if (stock->cached != memcg) { /* reset if necessary */
+ drain_stock(stock);
+ stock->cached = memcg;
+ }
+ stock->nr_pages += nr_pages;
+- put_cpu_var(memcg_stock);
++
++ local_irq_restore(flags);
+ }
+
+ /*
--- /dev/null
+From dc01a28d80a42cef08c94dfc595565aaebe46d15 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 15 Jul 2016 14:06:30 +0300
+Subject: mtd: maps: sa1100-flash: potential NULL dereference
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit dc01a28d80a42cef08c94dfc595565aaebe46d15 upstream.
+
+We check for NULL but then dereference "info->mtd" on the next line.
+
+Fixes: 72169755cf36 ('mtd: maps: sa1100-flash: show parent device in sysfs')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/maps/sa1100-flash.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/maps/sa1100-flash.c
++++ b/drivers/mtd/maps/sa1100-flash.c
+@@ -230,8 +230,10 @@ static struct sa_info *sa1100_setup_mtd(
+
+ info->mtd = mtd_concat_create(cdev, info->num_subdev,
+ plat->name);
+- if (info->mtd == NULL)
++ if (info->mtd == NULL) {
+ ret = -ENXIO;
++ goto err;
++ }
+ }
+ info->mtd->dev.parent = &pdev->dev;
+
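Review bot: The added `goto err` sends control to the shared error path with `info->mtd == NULL`, and the `err` label and its cleanup are outside this hunk. It is worth confirming that the cleanup tests `info->mtd` before using it; otherwise the NULL dereference just moves from `info->mtd->dev.parent` to the cleanup code. If it does, a comment at the label such as `/* info->mtd may be NULL here */` would record the assumption.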
--- /dev/null
+From 38178e7b88dcbe1ab384f27a7370074e774dda81 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lothar=20Wa=C3=9Fmann?= <LW@KARO-electronics.de>
+Date: Mon, 19 Sep 2016 11:09:40 +0200
+Subject: mtd: nand: mxc: fix obiwan error in mxc_nand_v[12]_ooblayout_free() functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lothar Waßmann <LW@KARO-electronics.de>
+
+commit 38178e7b88dcbe1ab384f27a7370074e774dda81 upstream.
+
+commit a894cf6c5a82 ("mtd: nand: mxc: switch to mtd_ooblayout_ops")
+introduced a regression accessing the OOB area from the mxc_nand
+driver due to an Obiwan error in the mxc_nand_v[12]_ooblayout_free()
+functions. They report a bogus oobregion { 64, 7 } which leads to
+errors accessing bogus data when reading the oob area.
+
+Prior to the commit the mtd-oobtest module could be run without any
+errors. With the offending commit, this test fails with results like:
+|Running mtd-oobtest
+|
+|=================================================
+|mtd_oobtest: MTD device: 5
+|mtd_oobtest: MTD device size 524288, eraseblock size 131072, page size 2048, count of eraseblocks 4, pages per eraseblock 64, OOB size 64
+|mtd_test: scanning for bad eraseblocks
+|mtd_test: scanned 4 eraseblocks, 0 are bad
+|mtd_oobtest: test 1 of 5
+|mtd_oobtest: writing OOBs of whole device
+|mtd_oobtest: written up to eraseblock 0
+|mtd_oobtest: written 4 eraseblocks
+|mtd_oobtest: verifying all eraseblocks
+|mtd_oobtest: error @addr[0x0:0x19] 0x9a -> 0x78 diff 0xe2
+|mtd_oobtest: error @addr[0x0:0x1a] 0xcc -> 0x0 diff 0xcc
+|mtd_oobtest: error @addr[0x0:0x1b] 0xe0 -> 0x85 diff 0x65
+|mtd_oobtest: error @addr[0x0:0x1c] 0x60 -> 0x62 diff 0x2
+|mtd_oobtest: error @addr[0x0:0x1d] 0x69 -> 0x45 diff 0x2c
+|mtd_oobtest: error @addr[0x0:0x1e] 0xcd -> 0xa0 diff 0x6d
+|mtd_oobtest: error @addr[0x0:0x1f] 0xf2 -> 0x60 diff 0x92
+|mtd_oobtest: error: verify failed at 0x0
+[...]
+
+Signed-off-by: Lothar Waßmann <LW@KARO-electronics.de>
+Fixes: a894cf6c5a82 ("mtd: nand: mxc: switch to mtd_ooblayout_ops")
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/mxc_nand.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/mxc_nand.c
++++ b/drivers/mtd/nand/mxc_nand.c
+@@ -943,7 +943,7 @@ static int mxc_v2_ooblayout_free(struct
+ struct nand_chip *nand_chip = mtd_to_nand(mtd);
+ int stepsize = nand_chip->ecc.bytes == 9 ? 16 : 26;
+
+- if (section > nand_chip->ecc.steps)
++ if (section >= nand_chip->ecc.steps)
+ return -ERANGE;
+
+ if (!section) {
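Review bot: The subject names the `mxc_nand_v[12]_ooblayout_free()` functions, but the diffstat shows one changed line and this hunk touches only `mxc_v2_ooblayout_free()`. The v1 function and the matching ecc layout callbacks are outside the hunk, so it is worth confirming that none of them still uses `section > nand_chip->ecc.steps`. The type of `section` is cut off in the hunk header; if it is signed, a negative value also passes this test, which would make `if (section < 0 || section >= nand_chip->ecc.steps)` the safer form. A comment such as `/* valid sections are 0 .. ecc.steps - 1 */` above the check would make the intended range explicit.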
--- /dev/null
+From 79ad07d45743721010e766e65dc004ad249bd429 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 14 Jul 2016 13:44:56 +0300
+Subject: mtd: pmcmsp-flash: Allocating too much in init_msp_flash()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 79ad07d45743721010e766e65dc004ad249bd429 upstream.
+
+There is a cut and paste issue here. The bug is that we are allocating
+more memory than necessary for msp_maps. We should be allocating enough
+space for a map_info struct (144 bytes) but we instead allocate enough
+for an mtd_info struct (1840 bytes). It's a small waste.
+
+The other part of this is not harmful but when we allocated msp_flash
+then we allocated enough space fro a map_info pointer instead of an
+mtd_info pointer. But since pointers are the same size it works out
+fine.
+
+Anyway, I decided to clean up all three allocations a bit to make them
+a bit more consistent and clear.
+
+Fixes: 68aa0fa87f6d ('[MTD] PMC MSP71xx flash/rootfs mappings')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/maps/pmcmsp-flash.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/maps/pmcmsp-flash.c
++++ b/drivers/mtd/maps/pmcmsp-flash.c
+@@ -75,15 +75,15 @@ static int __init init_msp_flash(void)
+
+ printk(KERN_NOTICE "Found %d PMC flash devices\n", fcnt);
+
+- msp_flash = kmalloc(fcnt * sizeof(struct map_info *), GFP_KERNEL);
++ msp_flash = kcalloc(fcnt, sizeof(*msp_flash), GFP_KERNEL);
+ if (!msp_flash)
+ return -ENOMEM;
+
+- msp_parts = kmalloc(fcnt * sizeof(struct mtd_partition *), GFP_KERNEL);
++ msp_parts = kcalloc(fcnt, sizeof(*msp_parts), GFP_KERNEL);
+ if (!msp_parts)
+ goto free_msp_flash;
+
+- msp_maps = kcalloc(fcnt, sizeof(struct mtd_info), GFP_KERNEL);
++ msp_maps = kcalloc(fcnt, sizeof(*msp_maps), GFP_KERNEL);
+ if (!msp_maps)
+ goto free_msp_parts;
+
--- /dev/null
+From 06586204714b7befec99e554c71687b0b40f351c Mon Sep 17 00:00:00 2001
+From: Brian Norris <computersforpeace@gmail.com>
+Date: Fri, 24 Jun 2016 10:38:14 -0700
+Subject: mtd: spi-nor: fix wrong "fully unlocked" test
+
+From: Brian Norris <computersforpeace@gmail.com>
+
+commit 06586204714b7befec99e554c71687b0b40f351c upstream.
+
+In stm_unlock(), the test to determine whether we've fully unlocked the
+flash checks for the lock length to be equal to the flash size. That is
+a typo/think-o -- the condition actually means the flash is completely
+*locked.* We should be using the inverse condition -- that the lock
+length is 0 (i.e., no protection).
+
+The result of this bug is that we never actually turn off the Status
+Register Write Disable bit, even if the flash is completely unlocked.
+Now we can.
+
+Fixes: 47b8edbf0d43 ("mtd: spi-nor: disallow further writes to SR if WP# is low")
+Reported-by: Giorgio <giorgio.nicole@arcor.de>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Cc: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/spi-nor/spi-nor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/spi-nor/spi-nor.c
++++ b/drivers/mtd/spi-nor/spi-nor.c
+@@ -661,7 +661,7 @@ static int stm_unlock(struct spi_nor *no
+ status_new = (status_old & ~mask & ~SR_TB) | val;
+
+ /* Don't protect status register if we're fully unlocked */
+- if (lock_len == mtd->size)
++ if (lock_len == 0)
+ status_new &= ~SR_SRWD;
+
+ if (!use_top)
--- /dev/null
+From 8d58790b832e13d6006d842037732304af357c3c Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@denx.de>
+Date: Mon, 19 Sep 2016 21:34:01 +0200
+Subject: net: can: ifi: Configure transmitter delay
+
+From: Marek Vasut <marex@denx.de>
+
+commit 8d58790b832e13d6006d842037732304af357c3c upstream.
+
+Configure the transmitter delay register at +0x1c to correctly handle
+the CAN FD bitrate switch (BRS). This moves the SSP (secondary sample
+point) to a proper offset, so that the TDC mechanism works and won't
+generate error frames on the CAN link.
+
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: Marc Kleine-Budde <mkl@pengutronix.de>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Oliver Hartkopp <socketcan@hartkopp.net>
+Cc: Wolfgang Grandegger <wg@grandegger.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/ifi_canfd/ifi_canfd.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/ifi_canfd/ifi_canfd.c
++++ b/drivers/net/can/ifi_canfd/ifi_canfd.c
+@@ -81,6 +81,10 @@
+ #define IFI_CANFD_TIME_SET_TIMEA_4_12_6_6 BIT(15)
+
+ #define IFI_CANFD_TDELAY 0x1c
++#define IFI_CANFD_TDELAY_DEFAULT 0xb
++#define IFI_CANFD_TDELAY_MASK 0x3fff
++#define IFI_CANFD_TDELAY_ABS BIT(14)
++#define IFI_CANFD_TDELAY_EN BIT(15)
+
+ #define IFI_CANFD_ERROR 0x20
+ #define IFI_CANFD_ERROR_TX_OFFSET 0
+@@ -641,7 +645,7 @@ static void ifi_canfd_set_bittiming(stru
+ struct ifi_canfd_priv *priv = netdev_priv(ndev);
+ const struct can_bittiming *bt = &priv->can.bittiming;
+ const struct can_bittiming *dbt = &priv->can.data_bittiming;
+- u16 brp, sjw, tseg1, tseg2;
++ u16 brp, sjw, tseg1, tseg2, tdc;
+
+ /* Configure bit timing */
+ brp = bt->brp - 2;
+@@ -664,6 +668,11 @@ static void ifi_canfd_set_bittiming(stru
+ (brp << IFI_CANFD_TIME_PRESCALE_OFF) |
+ (sjw << IFI_CANFD_TIME_SJW_OFF_7_9_8_8),
+ priv->base + IFI_CANFD_FTIME);
++
++ /* Configure transmitter delay */
++ tdc = (dbt->brp * (dbt->phase_seg1 + 1)) & IFI_CANFD_TDELAY_MASK;
++ writel(IFI_CANFD_TDELAY_EN | IFI_CANFD_TDELAY_ABS | tdc,
++ priv->base + IFI_CANFD_TDELAY);
+ }
+
+ static void ifi_canfd_set_filter(struct net_device *ndev, const u32 id,
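Review bot: The `tdc` computation in ifi_canfd_set_bittiming() applies `& IFI_CANFD_TDELAY_MASK` to the product, so a value above 0x3fff silently wraps to a small delay instead of being rejected or saturated. Whether the bit-timing limits already keep `dbt->brp * (dbt->phase_seg1 + 1)` below the mask is not visible in the hunk. If they do not, `tdc = min_t(u32, dbt->brp * (dbt->phase_seg1 + 1), IFI_CANFD_TDELAY_MASK);` would at least fail towards the largest delay. `IFI_CANFD_TDELAY_DEFAULT` is defined in the first hunk but not used in any hunk shown here; either use it or drop it. The register is also written unconditionally, so a comment stating whether enabling TDC is harmless in non-FD mode would help.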
--- /dev/null
+From ad5987b47e96a0fb6d13fea250e936aed000093c Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 13 Sep 2016 15:53:55 +0200
+Subject: nl80211: validate number of probe response CSA counters
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit ad5987b47e96a0fb6d13fea250e936aed000093c upstream.
+
+Due to an apparent copy/paste bug, the number of counters for the
+beacon configuration were checked twice, instead of checking the
+number of probe response counters. Fix this to check the number of
+probe response counters before parsing those.
+
+Fixes: 9a774c78e211 ("cfg80211: Support multiple CSA counters")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -6811,7 +6811,7 @@ static int nl80211_channel_switch(struct
+
+ params.n_counter_offsets_presp = len / sizeof(u16);
+ if (rdev->wiphy.max_num_csa_counters &&
+- (params.n_counter_offsets_beacon >
++ (params.n_counter_offsets_presp >
+ rdev->wiphy.max_num_csa_counters))
+ return -EINVAL;
+
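Review bot: The bound on `params.n_counter_offsets_presp` is enforced only when `rdev->wiphy.max_num_csa_counters` is non-zero, so for a wiphy that leaves that field at 0 the count derived from the netlink attribute length passes this check unbounded. Whether registration guarantees a non-zero value, and how the offsets are validated afterwards, is outside the hunk. If 0 really means "no limit", a comment such as `/* max_num_csa_counters == 0: driver advertised no limit */` would make that explicit; if it cannot be 0, the first half of the condition can go. Since the beacon and probe-response checks are near-identical copies, which is how the original typo got in, a small helper taking the count would remove the duplication.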
--- /dev/null
+From bae170efd6c42bf116f513a1dd07639d68fa71b9 Mon Sep 17 00:00:00 2001
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Date: Fri, 12 Aug 2016 20:49:18 +0530
+Subject: power: reset: hisi-reboot: Unmap region obtained by of_iomap
+
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+
+commit bae170efd6c42bf116f513a1dd07639d68fa71b9 upstream.
+
+Free memory mapping, if probe is not successful.
+
+Fixes: 4a9b37371822 ("power: reset: move hisilicon reboot code")
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/reset/hisi-reboot.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/power/reset/hisi-reboot.c
++++ b/drivers/power/reset/hisi-reboot.c
+@@ -53,13 +53,16 @@ static int hisi_reboot_probe(struct plat
+
+ if (of_property_read_u32(np, "reboot-offset", &reboot_offset) < 0) {
+ pr_err("failed to find reboot-offset property\n");
++ iounmap(base);
+ return -EINVAL;
+ }
+
+ err = register_restart_handler(&hisi_restart_nb);
+- if (err)
++ if (err) {
+ dev_err(&pdev->dev, "cannot register restart handler (err=%d)\n",
+ err);
++ iounmap(base);
++ }
+
+ return err;
+ }
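Review bot: Both new failure paths in hisi_reboot_probe() call `iounmap(base)` but leave `base` holding the stale address. If `base` is the file-scope pointer that the restart handler dereferences (its declaration is outside the hunk), I would clear it as well, `iounmap(base); base = NULL;`, so any later use fails predictably rather than touching an unmapped region. The two unmap calls could also be folded into one `err_unmap:` label, which keeps the cleanup in one place if another failure path is added.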
--- /dev/null
+From 168d7c4e8bb25c076ed8be67fcca84f5dcd0b2c6 Mon Sep 17 00:00:00 2001
+From: John Youn <johnyoun@synopsys.com>
+Date: Tue, 31 May 2016 16:55:01 -0700
+Subject: reset: Return -ENOTSUPP when not configured
+
+From: John Youn <johnyoun@synopsys.com>
+
+commit 168d7c4e8bb25c076ed8be67fcca84f5dcd0b2c6 upstream.
+
+Prior to commit 6c96f05c8bb8 ("reset: Make [of_]reset_control_get[_foo]
+functions wrappers"), the "optional" functions returned -ENOTSUPP when
+CONFIG_RESET_CONTROLLER was not set.
+
+Revert back to the old behavior by changing the new
+__devm_reset_control_get() and __of_reset_control_get() functions to
+return ERR_PTR(-ENOTSUPP) when compiled without CONFIG_RESET_CONTROLLER.
+
+Otherwise they will return -EINVAL causing users to think that an error
+occurred when CONFIG_RESET_CONTROLLER is not set.
+
+Fixes: 6c96f05c8bb8 ("reset: Make [of_]reset_control_get[_foo] functions wrappers")
+Signed-off-by: John Youn <johnyoun@synopsys.com>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/reset.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/reset.h
++++ b/include/linux/reset.h
+@@ -71,14 +71,14 @@ static inline struct reset_control *__of
+ struct device_node *node,
+ const char *id, int index, int shared)
+ {
+- return ERR_PTR(-EINVAL);
++ return ERR_PTR(-ENOTSUPP);
+ }
+
+ static inline struct reset_control *__devm_reset_control_get(
+ struct device *dev,
+ const char *id, int index, int shared)
+ {
+- return ERR_PTR(-EINVAL);
++ return ERR_PTR(-ENOTSUPP);
+ }
+
+ #endif /* CONFIG_RESET_CONTROLLER */
--- /dev/null
+From e29385fab0bf94017fac130ee32f5bb2daf74417 Mon Sep 17 00:00:00 2001
+From: Keerthy <j-keerthy@ti.com>
+Date: Wed, 1 Jun 2016 16:19:07 +0530
+Subject: rtc: ds1307: Fix relying on reset value for weekday
+
+From: Keerthy <j-keerthy@ti.com>
+
+commit e29385fab0bf94017fac130ee32f5bb2daf74417 upstream.
+
+The reset value of weekday is 0x1. This is wrong since
+the reset values of the day/month/year make up to Jan 1 2001.
+When computed weekday comes out to be Monday. On a scale
+of 1-7(Sunday - Saturday) it should be 0x2. So we should not
+be relying on the reset value.
+
+Hence compute the wday using the current date/month/year values.
+Check if reset wday is any different from the computed wday,
+If different then set the wday which we computed using
+date/month/year values.
+
+Document Referred:
+http://ww1.microchip.com/downloads/en/DeviceDoc/20002266F.pdf
+
+Fixes: 1d1945d261a2af "drivers/rtc/rtc-ds1307.c: add alarm support for mcp7941x chips"
+Signed-off-by: Keerthy <j-keerthy@ti.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/rtc/rtc-ds1307.c | 28 +++++++++++++++++++++++++++-
+ 1 file changed, 27 insertions(+), 1 deletion(-)
+
+--- a/drivers/rtc/rtc-ds1307.c
++++ b/drivers/rtc/rtc-ds1307.c
+@@ -602,6 +602,8 @@ static const struct rtc_class_ops ds13xx
+ * Alarm support for mcp794xx devices.
+ */
+
++#define MCP794XX_REG_WEEKDAY 0x3
++#define MCP794XX_REG_WEEKDAY_WDAY_MASK 0x7
+ #define MCP794XX_REG_CONTROL 0x07
+ # define MCP794XX_BIT_ALM0_EN 0x10
+ # define MCP794XX_BIT_ALM1_EN 0x20
+@@ -1231,13 +1233,16 @@ static int ds1307_probe(struct i2c_clien
+ {
+ struct ds1307 *ds1307;
+ int err = -ENODEV;
+- int tmp;
++ int tmp, wday;
+ struct chip_desc *chip = &chips[id->driver_data];
+ struct i2c_adapter *adapter = to_i2c_adapter(client->dev.parent);
+ bool want_irq = false;
+ bool ds1307_can_wakeup_device = false;
+ unsigned char *buf;
+ struct ds1307_platform_data *pdata = dev_get_platdata(&client->dev);
++ struct rtc_time tm;
++ unsigned long timestamp;
++
+ irq_handler_t irq_handler = ds1307_irq;
+
+ static const int bbsqi_bitpos[] = {
+@@ -1526,6 +1531,27 @@ read_rtc:
+ bin2bcd(tmp));
+ }
+
++ /*
++ * Some IPs have weekday reset value = 0x1 which might not correct
++ * hence compute the wday using the current date/month/year values
++ */
++ ds1307_get_time(&client->dev, &tm);
++ wday = tm.tm_wday;
++ timestamp = rtc_tm_to_time64(&tm);
++ rtc_time64_to_tm(timestamp, &tm);
++
++ /*
++ * Check if reset wday is different from the computed wday
++ * If different then set the wday which we computed using
++ * timestamp
++ */
++ if (wday != tm.tm_wday) {
++ wday = i2c_smbus_read_byte_data(client, MCP794XX_REG_WEEKDAY);
++ wday = wday & ~MCP794XX_REG_WEEKDAY_WDAY_MASK;
++ wday = wday | (tm.tm_wday + 1);
++ i2c_smbus_write_byte_data(client, MCP794XX_REG_WEEKDAY, wday);
++ }
++
+ if (want_irq) {
+ device_set_wakeup_capable(&client->dev, true);
+ set_bit(HAS_ALARM, &ds1307->flags);
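Review bot: The weekday block added to ds1307_probe() uses three results without checking them. The return value of `ds1307_get_time()` is dropped, so `tm` may be read uninitialised when the bus read fails. A negative errno from `i2c_smbus_read_byte_data()` is masked and written straight back to the register, and `timestamp` is `unsigned long` although it holds the result of `rtc_tm_to_time64()`. The block also addresses `MCP794XX_REG_WEEKDAY` with no chip-type test inside the hunk; whether an enclosing condition restricts it to mcp794xx parts is outside the hunk and should be confirmed. A version with the checks follows; it assumes `ds1307_get_time()` returns 0 on success, and `timestamp` would be declared `time64_t`.

```c
	/* … unchanged: comment explaining why wday is recomputed … */
	if (ds1307_get_time(&client->dev, &tm) == 0) {
		wday = tm.tm_wday;
		timestamp = rtc_tm_to_time64(&tm);
		rtc_time64_to_tm(timestamp, &tm);

		if (wday != tm.tm_wday) {
			wday = i2c_smbus_read_byte_data(client,
							MCP794XX_REG_WEEKDAY);
			/* a negative value is an errno, not register contents */
			if (wday >= 0) {
				wday &= ~MCP794XX_REG_WEEKDAY_WDAY_MASK;
				wday |= tm.tm_wday + 1;
				i2c_smbus_write_byte_data(client,
							  MCP794XX_REG_WEEKDAY,
							  wday);
			}
		}
	}
```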
disable-frame-address-warning.patch
makefile-mute-warning-for-__builtin_return_address-0-for-tracing-only.patch
xfs-prevent-dropping-ioend-completions-during-buftarg-wait.patch
+mm-fix-the-page_swap_info-bug_on-check.patch
+ipc-shm-fix-crash-if-config_shmem-is-not-set.patch
+fsnotify-add-a-way-to-stop-queueing-events-on-group-shutdown.patch
+fanotify-fix-list-corruption-in-fanotify_get_response.patch
+mm-memcontrol-make-per-cpu-charge-cache-irq-safe-for-socket-accounting.patch
+cgroup-duplicate-cgroup-reference-when-cloning-sockets.patch
+fix-fault_in_multipages_...-on-architectures-with-no-op-access_ok.patch
+keys-fix-skcipher-iv-clobbering.patch
+arm64-call-numa_store_cpu_info-earlier.patch
+configfs-return-efbig-from-configfs_write_bin_file.patch
+mtd-nand-mxc-fix-obiwan-error-in-mxc_nand_v_ooblayout_free-functions.patch
+mtd-maps-sa1100-flash-potential-null-dereference.patch
+mtd-pmcmsp-flash-allocating-too-much-in-init_msp_flash.patch
+mtd-spi-nor-fix-wrong-fully-unlocked-test.patch
+reset-return-enotsupp-when-not-configured.patch
+rtc-ds1307-fix-relying-on-reset-value-for-weekday.patch
+power-reset-hisi-reboot-unmap-region-obtained-by-of_iomap.patch
+mac80211-reject-tspec-tids-tsids-for-aggregation.patch
+fix-memory-leaks-in-tracing_buffers_splice_read.patch
+tracing-move-mutex-to-protect-against-resetting-of-seq-data.patch
+mm-delete-unnecessary-and-unsafe-init_tlb_ubc.patch
+can-flexcan-fix-resume-function.patch
+net-can-ifi-configure-transmitter-delay.patch
+iwlwifi-mvm-update-tx-queue-before-making-a-copy-of-the-skb.patch
+nl80211-validate-number-of-probe-response-csa-counters.patch
+btrfs-ensure-that-file-descriptor-used-with-subvol-ioctls-is-a-dir.patch
+x86-efi-only-map-ram-into-efi-page-tables-if-in-mixed-mode.patch
+irqchip-mips-gic-fix-local-interrupts.patch
+i2c-eg20t-fix-race-between-i2c-init-and-interrupt-enable.patch
+i2c-mux-pca954x-retry-updating-the-mux-selection-on-failure.patch
+i2c-qup-skip-qup_i2c_suspend-if-the-device-is-already-runtime-suspended.patch
+mips-fix-pre-r6-emulation-fpu-initialisation.patch
+mips-smp-fix-possibility-of-deadlock-when-bringing-cpus-online.patch
+mips-vdso-fix-malta-eva-mapping-to-vdso-page-structs.patch
+mips-remove-compact-branch-policy-kconfig-entries.patch
+mips-avoid-a-bug-warning-during-prctl-pr_set_fp_mode.patch
+mips-add-a-missing-.set-pop-in-an-early-commit.patch
+mips-paravirt-fix-undefined-reference-to-smp_bootstrap.patch
--- /dev/null
+From 1245800c0f96eb6ebb368593e251d66c01e61022 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+Date: Fri, 23 Sep 2016 22:57:13 -0400
+Subject: tracing: Move mutex to protect against resetting of seq data
+
+From: Steven Rostedt (Red Hat) <rostedt@goodmis.org>
+
+commit 1245800c0f96eb6ebb368593e251d66c01e61022 upstream.
+
+The iter->seq can be reset outside the protection of the mutex. So can
+reading of user data. Move the mutex up to the beginning of the function.
+
+Fixes: d7350c3f45694 ("tracing/core: make the read callbacks reentrants")
+Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -4890,19 +4890,20 @@ tracing_read_pipe(struct file *filp, cha
+ struct trace_iterator *iter = filp->private_data;
+ ssize_t sret;
+
+- /* return any leftover data */
+- sret = trace_seq_to_user(&iter->seq, ubuf, cnt);
+- if (sret != -EBUSY)
+- return sret;
+-
+- trace_seq_init(&iter->seq);
+-
+ /*
+ * Avoid more than one consumer on a single file descriptor
+ * This is just a matter of traces coherency, the ring buffer itself
+ * is protected.
+ */
+ mutex_lock(&iter->mutex);
++
++ /* return any leftover data */
++ sret = trace_seq_to_user(&iter->seq, ubuf, cnt);
++ if (sret != -EBUSY)
++ goto out;
++
++ trace_seq_init(&iter->seq);
++
+ if (iter->trace->read) {
+ sret = iter->trace->read(iter, filp, ubuf, cnt, ppos);
+ if (sret)
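Review bot: The comment kept above `mutex_lock(&iter->mutex)` still describes the lock as only a matter of trace coherency, but after this move it also covers the leftover-data copy to user space and `trace_seq_init(&iter->seq)`. Extending that comment with a line such as `* The mutex also serialises the iter->seq flush and reset below against concurrent readers.` would help keep a later cleanup from hoisting those statements out of the lock again. The early `return sret` became `goto out`, and the `out` label lies outside this hunk, so it is worth confirming that it releases `iter->mutex` on that path. tracing_read_pipe's body starts and ends outside the hunk.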
--- /dev/null
+From 1297667083d5442aafe3e337b9413bf02b114edb Mon Sep 17 00:00:00 2001
+From: Matt Fleming <matt@codeblueprint.co.uk>
+Date: Mon, 19 Sep 2016 13:09:09 +0100
+Subject: x86/efi: Only map RAM into EFI page tables if in mixed-mode
+
+From: Matt Fleming <matt@codeblueprint.co.uk>
+
+commit 1297667083d5442aafe3e337b9413bf02b114edb upstream.
+
+Waiman reported that booting with CONFIG_EFI_MIXED enabled on his
+multi-terabyte HP machine results in boot crashes, because the EFI
+region mapping functions loop forever while trying to map those
+regions describing RAM.
+
+While this patch doesn't fix the underlying hang, there's really no
+reason to map EFI_CONVENTIONAL_MEMORY regions into the EFI page tables
+when mixed-mode is not in use at runtime.
+
+Reported-by: Waiman Long <waiman.long@hpe.com>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+CC: Theodore Ts'o <tytso@mit.edu>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Scott J Norton <scott.norton@hpe.com>
+Cc: Douglas Hatch <doug.hatch@hpe.com>
+Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/platform/efi/efi_64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/platform/efi/efi_64.c
++++ b/arch/x86/platform/efi/efi_64.c
+@@ -244,7 +244,7 @@ int __init efi_setup_page_tables(unsigne
+ * text and allocate a new stack because we can't rely on the
+ * stack pointer being < 4GB.
+ */
+- if (!IS_ENABLED(CONFIG_EFI_MIXED))
++ if (!IS_ENABLED(CONFIG_EFI_MIXED) || efi_is_native())
+ return 0;
+
+ /*
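Review bot: The added `efi_is_native()` test carries no comment, and the block comment above it explains only the mixed-mode text and stack requirement, so the reason for returning early in native mode lives only in the commit message. A line above the `if` such as `/* The mappings below are only needed when mixed mode is in use at runtime. */` would record it next to the code. The description also says the underlying hang in the region mapping functions is not fixed, so a note that this is an avoidance for the native case rather than a fix would be useful to whoever revisits the mixed-mode path. efi_setup_page_tables's body continues outside the hunk.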