)]}'
{"id":"LineageOS%2Fandroid_kernel_lge_msm8996~204446","triplet_id":"LineageOS%2Fandroid_kernel_lge_msm8996~cm-14.1~I3426ae9faee30bfffd9efa9d679132a8fb459241","project":"LineageOS/android_kernel_lge_msm8996","branch":"cm-14.1","hashtags":[],"change_id":"I3426ae9faee30bfffd9efa9d679132a8fb459241","subject":"Upstreamed from v3.18.31 to v3.18.40","status":"ABANDONED","created":"2018-01-28 09:52:10.000000000","updated":"2018-03-18 00:34:54.000000000","total_comment_count":0,"unresolved_comment_count":0,"has_review_started":true,"meta_rev_id":"abbf2f41cac515e9245743a75faff421ac415623","_number":204446,"virtual_id_number":204446,"owner":{"_account_id":18740,"name":"Kyle Elbert","email":"kcelbert@gmail.com","username":"Phoenix591","avatars":[{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"actions":{},"labels":{"Verified":{"all":[{"value":0,"permitted_voting_range":{"min":-1,"max":1},"_account_id":14737,"name":"Eric Meddaugh","email":"eric@meddaughs.com","username":"x86cpu","avatars":[{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},{"value":0,"permitted_voting_range":{"min":-1,"max":1},"_account_id":3962,"name":"Rashed Abdel-Tawab","email":"rashedabdeltawab@gmail.com","username":"Rashed","avatars":[{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}],"tags":["SERVICE_USER"]}],"values":{"-1":"Fails"," 0":"No score","+1":"Verified"},"description":"","default_value":0},"Code-Review":{"rejected":{"_account_id":3962,"name":"Rashed Abdel-Tawab","email":"rashedabdeltawab@gmail.com","username":"Rashed","avatars":[{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}],"tags":["SERVICE_USER"]},"all":[{"value":0,"date":"2018-01-28 11:52:19.000000000","permitted_voting_range":{"min":-2,"max":2},"_account_id":14737,"name":"Eric Meddaugh","email":"eric@meddaughs.com","username":"x86cpu","avatars":[{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},{"value":-2,"date":"2018-01-28 20:03:32.000000000","permitted_voting_range":{"min":-2,"max":2},"_account_id":3962,"name":"Rashed Abdel-Tawab","email":"rashedabdeltawab@gmail.com","username":"Rashed","avatars":[{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}],"tags":["SERVICE_USER"]}],"values":{"-2":"Do not submit","-1":"I would prefer that you didn\u0027t submit this"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me, approved"},"description":"","default_value":0,"blocking":true},"CI":{"all":[{"_account_id":14737,"name":"Eric Meddaugh","email":"eric@meddaughs.com","username":"x86cpu","avatars":[{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},{"_account_id":3962,"name":"Rashed Abdel-Tawab","email":"rashedabdeltawab@gmail.com","username":"Rashed","avatars":[{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}],"tags":["SERVICE_USER"]}],"values":{"-1":"Fail"," 0":"No score","+1":"Pass"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":3962,"name":"Rashed Abdel-Tawab","email":"rashedabdeltawab@gmail.com","username":"Rashed","avatars":[{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}],"tags":["SERVICE_USER"]},{"_account_id":14737,"name":"Eric Meddaugh","email":"eric@meddaughs.com","username":"x86cpu","avatars":[{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2018-01-28 11:52:19.000000000","updated_by":{"_account_id":14737,"name":"Eric Meddaugh","email":"eric@meddaughs.com","username":"x86cpu","avatars":[{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"reviewer":{"_account_id":14737,"name":"Eric Meddaugh","email":"eric@meddaughs.com","username":"x86cpu","avatars":[{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"state":"REVIEWER"},{"updated":"2018-01-28 20:03:32.000000000","updated_by":{"_account_id":3962,"name":"Rashed Abdel-Tawab","email":"rashedabdeltawab@gmail.com","username":"Rashed","avatars":[{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}],"tags":["SERVICE_USER"]},"reviewer":{"_account_id":3962,"name":"Rashed Abdel-Tawab","email":"rashedabdeltawab@gmail.com","username":"Rashed","avatars":[{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}],"tags":["SERVICE_USER"]},"state":"REVIEWER"}],"messages":[{"id":"d3565acc5ed3213a7fb2153ddb4b46843631989c","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":18740,"name":"Kyle Elbert","email":"kcelbert@gmail.com","username":"Phoenix591","avatars":[{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2018-01-28 09:52:10.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"80d2ccc276317253b7d568bc86a88d9e917a3c9a","author":{"_account_id":18740,"name":"Kyle Elbert","email":"kcelbert@gmail.com","username":"Phoenix591","avatars":[{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2018-01-28 10:05:38.000000000","message":"Patch Set 1:\n\nBoth 3.18.40 and 3.18.92 work on my us996, and I ran each for a decent bit of time (3.18.92 most of the time since the 17th, and it looks like I got on 3.18.40 Christmas Eve), while I did stop and check basic things once in a while in between. Cherry-picked the commits from linux-stable.","accounts_in_message":[],"_revision_number":1},{"id":"fea82f6873bb717b4da80e08f42be59b4ca6db45","tag":"autogenerated:gerrit:deleteReviewer","author":{"_account_id":18740,"name":"Kyle Elbert","email":"kcelbert@gmail.com","username":"Phoenix591","avatars":[{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2018-01-28 10:05:59.000000000","message":"Removed reviewer Kyle Elbert.","accounts_in_message":[],"_revision_number":1},{"id":"70c1b3814bb2db2d4f3adaa9ce0a0e0a2daa6851","author":{"_account_id":14737,"name":"Eric Meddaugh","email":"eric@meddaughs.com","username":"x86cpu","avatars":[{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2018-01-28 11:52:19.000000000","message":"Patch Set 1:\n\nThese will take some time to fully ensure they are working.  Also need to get G5/G6 validation too (I have a V20).","accounts_in_message":[],"_revision_number":1},{"id":"f8dcde08f39f3be2f924d8d7f6c0033d06e4a3ab","author":{"_account_id":3962,"name":"Rashed Abdel-Tawab","email":"rashedabdeltawab@gmail.com","username":"Rashed","avatars":[{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}],"tags":["SERVICE_USER"]},"date":"2018-01-28 20:03:32.000000000","message":"Patch Set 1: Code-Review-2\n\nNo... just no. We\u0027re not merging upstream on 14.1. This ends up causing breaks in stuff you can\u0027t see and makes merging CAF upstream almost impossible. Doing it on 15.1 is fine since CAF does it as well on their oreo branches, but doing it on 14.1 is not a good idea.","accounts_in_message":[],"_revision_number":1},{"id":"a0156e728108624430a5117039078a37da7e3990","tag":"autogenerated:gerrit:abandon","author":{"_account_id":14737,"name":"Eric Meddaugh","email":"eric@meddaughs.com","username":"x86cpu","avatars":[{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/37d2455b0bb2116851143953112df52a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2018-01-30 23:12:47.000000000","message":"Abandoned","accounts_in_message":[],"_revision_number":1},{"id":"b0eb41831281bb04f1eb6f36d013d82a227fc729","tag":"autogenerated:gerrit:restore","author":{"_account_id":3962,"name":"Rashed Abdel-Tawab","email":"rashedabdeltawab@gmail.com","username":"Rashed","avatars":[{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/6e28c56bf2b55e191b60a61ca5852f1f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}],"tags":["SERVICE_USER"]},"date":"2018-01-30 23:17:27.000000000","message":"Restored","accounts_in_message":[],"_revision_number":1},{"id":"abbf2f41cac515e9245743a75faff421ac415623","tag":"autogenerated:gerrit:abandon","author":{"_account_id":18740,"name":"Kyle Elbert","email":"kcelbert@gmail.com","username":"Phoenix591","avatars":[{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2018-03-18 00:34:54.000000000","message":"Abandoned","accounts_in_message":[],"_revision_number":1}],"current_revision_number":1,"current_revision":"91cf15b87c48ba78ff12e842cc0cd8c0dc338a60","revisions":{"91cf15b87c48ba78ff12e842cc0cd8c0dc338a60":{"kind":"REWORK","_number":1,"created":"2018-01-28 09:52:10.000000000","uploader":{"_account_id":18740,"name":"Kyle Elbert","email":"kcelbert@gmail.com","username":"Phoenix591","avatars":[{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/2a13f358d51e74c3a02f1567e870918f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"ref":"refs/changes/46/204446/1","fetch":{"anonymous http":{"url":"https://github.com/LineageOS/android_kernel_lge_msm8996","ref":"refs/changes/46/204446/1","commands":{"Branch":"git fetch https://github.com/LineageOS/android_kernel_lge_msm8996 refs/changes/46/204446/1 \u0026\u0026 git checkout -b change-204446 FETCH_HEAD","Checkout":"git fetch https://github.com/LineageOS/android_kernel_lge_msm8996 refs/changes/46/204446/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://github.com/LineageOS/android_kernel_lge_msm8996 refs/changes/46/204446/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://github.com/LineageOS/android_kernel_lge_msm8996 refs/changes/46/204446/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://github.com/LineageOS/android_kernel_lge_msm8996 refs/changes/46/204446/1","Reset To":"git fetch https://github.com/LineageOS/android_kernel_lge_msm8996 refs/changes/46/204446/1 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"fc7b3cb5ac0b8840131f05fc2cb1afb30f681836","subject":"msm8996: Fix #if for #ifdef on CONFIG_LGE_DISABLE_SECOND_SCREEN","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_kernel_lge_msm8996/commit/fc7b3cb5ac0b8840131f05fc2cb1afb30f681836"}]}],"author":{"name":"Phoenix591","email":"kcelbert@gmail.com","date":"2018-01-28 10:11:04.000000000","tz":0},"committer":{"name":"Phoenix591","email":"kcelbert@gmail.com","date":"2018-01-28 10:11:04.000000000","tz":0},"subject":"Upstreamed from v3.18.31 to v3.18.40","message":"Upstreamed from v3.18.31 to v3.18.40\n\nHID: usbhid: fix inconsistent reset/resume/reset-resume behavior\n\n[ Upstream commit 972e6a993f278b416a8ee3ec65475724fc36feb2 ]\n\nThe usbhid driver has inconsistently duplicated code in its post-reset,\nresume, and reset-resume pathways.\n\n\treset-resume doesn\u0027t check HID_STARTED before trying to\n\trestart the I/O queues.\n\n\tresume fails to clear the HID_SUSPENDED flag if HID_STARTED\n\tisn\u0027t set.\n\n\tresume calls usbhid_restart_queues() with usbhid-\u003elock held\n\tand the others call it without holding the lock.\n\nThe first item in particular causes a problem following a reset-resume\nif the driver hasn\u0027t started up its I/O.  URB submission fails because\nusbhid-\u003eurbin is NULL, and this triggers an unending reset-retry loop.\n\nThis patch fixes the problem by creating a new subroutine,\nhid_restart_io(), to carry out all the common activities.  It also\nadds some checks that were missing in the original code:\n\n\tAfter a reset, there\u0027s no need to clear any halted endpoints.\n\n\tAfter a resume, if a reset is pending there\u0027s no need to\n\trestart any I/O until the reset is finished.\n\n\tAfter a resume, if the interrupt-IN endpoint is halted there\u0027s\n\tno need to submit the input URB until the halt has been\n\tcleared.\n\nSigned-off-by: Alan Stern \u003cstern@rowland.harvard.edu\u003e\nReported-by: Daniel Fraga \u003cfragabr@gmail.com\u003e\nTested-by: Daniel Fraga \u003cfragabr@gmail.com\u003e\nCC: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.cz\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nARM: OMAP2+: hwmod: Fix updating of sysconfig register\n\n[ Upstream commit 3ca4a238106dedc285193ee47f494a6584b6fd2f ]\n\nCommit 127500ccb766f (\"ARM: OMAP2+: Only write the sysconfig on idle\nwhen necessary\") talks about verification of sysconfig cache value before\nupdating it, only during idle path. But the patch is adding the\nverification in the enable path. So, adding the check in a proper place\nas per the commit description.\n\nNot keeping this check during enable path as there is a chance of losing\ncontext and it is safe to do on idle as the context of the register will\nnever be lost while the device is active.\n\nSigned-off-by: Lokesh Vutla \u003clokeshvutla@ti.com\u003e\nAcked-by: Tero Kristo \u003ct-kristo@ti.com\u003e\nCc: Jon Hunter \u003cjonathanh@nvidia.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e # 3.12+\nFixes: commit 127500ccb766 \"ARM: OMAP2+: Only write the sysconfig on idle when necessary\"\n[paul@pwsan.com: appears to have been caused by my own mismerge of the\n originally posted patch]\nSigned-off-by: Paul Walmsley \u003cpaul@pwsan.com\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nusb: renesas_usbhs: avoid NULL pointer derefernce in usbhsf_pkt_handler()\n\n[ Upstream commit 894f2fc44f2f3f48c36c973b1123f6ab298be160 ]\n\nWhen unexpected situation happened (e.g. tx/rx irq happened while\nDMAC is used), the usbhsf_pkt_handler() was possible to cause NULL\npointer dereference like the followings:\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000000\npgd \u003d c0004000\n[00000000] *pgd\u003d00000000\nInternal error: Oops: 80000007 [#1] SMP ARM\nModules linked in: usb_f_acm u_serial g_serial libcomposite\nCPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.5.0-rc6-00842-gac57066-dirty #63\nHardware name: Generic R8A7790 (Flattened Device Tree)\ntask: c0729c00 ti: c0724000 task.ti: c0724000\nPC is at 0x0\nLR is at usbhsf_pkt_handler+0xac/0x118\npc : [\u003c00000000\u003e]    lr : [\u003cc03257e0\u003e]    psr: 60000193\nsp : c0725db8  ip : 00000000  fp : c0725df4\nr10: 00000001  r9 : 00000193  r8 : ef3ccab4\nr7 : ef3cca10  r6 : eea4586c  r5 : 00000000  r4 : ef19ceb4\nr3 : 00000000  r2 : 0000009c  r1 : c0725dc4  r0 : ef19ceb4\n\nThis patch adds a condition to avoid the dereference.\n\nFixes: e73a989 (\"usb: renesas_usbhs: add DMAEngine support\")\nCc: \u003cstable@vger.kernel.org\u003e # v3.1+\nSigned-off-by: Yoshihiro Shimoda \u003cyoshihiro.shimoda.uh@renesas.com\u003e\nSigned-off-by: Felipe Balbi \u003cfelipe.balbi@linux.intel.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nusb: renesas_usbhs: disable TX IRQ before starting TX DMAC transfer\n\n[ Upstream commit 6490865c67825277b29638e839850882600b48ec ]\n\nThis patch adds a code to surely disable TX IRQ of the pipe before\nstarting TX DMAC transfer. Otherwise, a lot of unnecessary TX IRQs\nmay happen in rare cases when DMAC is used.\n\nFixes: e73a989 (\"usb: renesas_usbhs: add DMAEngine support\")\nCc: \u003cstable@vger.kernel.org\u003e # v3.1+\nSigned-off-by: Yoshihiro Shimoda \u003cyoshihiro.shimoda.uh@renesas.com\u003e\nSigned-off-by: Felipe Balbi \u003cfelipe.balbi@linux.intel.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/qxl: fix cursor position with non-zero hotspot\n\n[ Upstream commit d59a1f71ff1aeda4b4630df92d3ad4e3b1dfc885 ]\n\nThe SPICE protocol considers the position of a cursor to be the location\nof its active pixel on the display, so the cursor is drawn with its\ntop-left corner at \"(x - hot_spot_x, y - hot_spot_y)\" but the DRM cursor\nposition gives the location where the top-left corner should be drawn,\nwith the hotspot being a hint for drivers that need it.\n\nThis fixes the location of the window resize cursors when using Fluxbox\nwith the QXL DRM driver and both the QXL and modesetting X drivers.\n\nSigned-off-by: John Keeping \u003cjohn@metanate.com\u003e\nReviewed-by: Daniel Vetter \u003cdaniel.vetter@ffwll.ch\u003e\nCc: stable@vger.kernel.org\nLink: http://patchwork.freedesktop.org/patch/msgid/1447845445-2116-1-git-send-email-john@metanate.com\nSigned-off-by: Jani Nikula \u003cjani.nikula@intel.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUSB: mct_u232: add sanity checking in probe\n\n[ Upstream commit 4e9a0b05257f29cf4b75f3209243ed71614d062e ]\n\nAn attack using the lack of sanity checking in probe is known. This\npatch checks for the existence of a second port.\n\nCVE-2016-3136\n\nSigned-off-by: Oliver Neukum \u003cONeukum@suse.com\u003e\nCC: stable@vger.kernel.org\n[johan: add error message ]\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUSB: digi_acceleport: do sanity checking for the number of ports\n\n[ Upstream commit 5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f ]\n\nThe driver can be crashed with devices that expose crafted descriptors\nwith too few endpoints.\n\nSee: http://seclists.org/bugtraq/2016/Mar/61\n\nSigned-off-by: Oliver Neukum \u003cONeukum@suse.com\u003e\n[johan: fix OOB endpoint check and add error messages ]\nCc: stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nsd: Fix excessive capacity printing on devices with blocks bigger than 512 bytes\n\n[ Upstream commit f08bb1e0dbdd0297258d0b8cd4dbfcc057e57b2a ]\n\nDuring revalidate we check whether device capacity has changed before we\ndecide whether to output disk information or not.\n\nThe check for old capacity failed to take into account that we scaled\nsdkp-\u003ecapacity based on the reported logical block size. And therefore\nthe capacity test would always fail for devices with sectors bigger than\n512 bytes and we would print several copies of the same discovery\ninformation.\n\nAvoid scaling sdkp-\u003ecapacity and instead adjust the value on the fly\nwhen setting the block device capacity and generating fake C/H/S\ngeometry.\n\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nReported-by: Hannes Reinecke \u003chare@suse.de\u003e\nReviewed-by: Hannes Reinicke \u003chare@suse.de\u003e\nReviewed-by: Ewan Milne \u003cemilne@redhat.com\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\next4: add lockdep annotations for i_data_sem\n\n[ Upstream commit daf647d2dd58cec59570d7698a45b98e580f2076 ]\n\nWith the internal Quota feature, mke2fs creates empty quota inodes and\nquota usage tracking is enabled as soon as the file system is mounted.\nSince quotacheck is no longer preallocating all of the blocks in the\nquota inode that are likely needed to be written to, we are now seeing\na lockdep false positive caused by needing to allocate a quota block\nfrom inside ext4_map_blocks(), while holding i_data_sem for a data\ninode.  This results in this complaint:\n\n  Possible unsafe locking scenario:\n\n        CPU0                    CPU1\n        ----                    ----\n   lock(\u0026ei-\u003ei_data_sem);\n                                lock(\u0026s-\u003es_dquot.dqio_mutex);\n                                lock(\u0026ei-\u003ei_data_sem);\n   lock(\u0026s-\u003es_dquot.dqio_mutex);\n\nGoogle-Bug-Id: 27907753\n\nSigned-off-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nKVM: x86: Inject pending interrupt even if pending nmi exist\n\n[ Upstream commit 321c5658c5e9192dea0d58ab67cf1791e45b2b26 ]\n\nNon maskable interrupts (NMI) are preferred to interrupts in current\nimplementation. If a NMI is pending and NMI is blocked by the result\nof nmi_allowed(), pending interrupt is not injected and\nenable_irq_window() is not executed, even if interrupts injection is\nallowed.\n\nIn old kernel (e.g. 2.6.32), schedule() is often called in NMI context.\nIn this case, interrupts are needed to execute iret that intends end\nof NMI. The flag of blocking new NMI is not cleared until the guest\nexecute the iret, and interrupts are blocked by pending NMI. Due to\nthis, iret can\u0027t be invoked in the guest, and the guest is starved\nuntil block is cleared by some events (e.g. canceling injection).\n\nThis patch injects pending interrupts, when it\u0027s allowed, even if NMI\nis blocked. And, If an interrupts is pending after executing\ninject_pending_event(), enable_irq_window() is executed regardless of\nNMI pending counter.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Yuki Shibuya \u003cshibuya.yk@ncos.nec.co.jp\u003e\nSuggested-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\next4: ignore quota mount options if the quota feature is enabled\n\n[ Upstream commit c325a67c72903e1cc30e990a15ce745bda0dbfde ]\n\nPreviously, ext4 would fail the mount if the file system had the quota\nfeature enabled and quota mount options (used for the older quota\nsetups) were present.  This broke xfstests, since xfs silently ignores\nthe usrquote and grpquota mount options if they are specified.  This\ncommit changes things so that we are consistent with xfs; having the\nmount options specified is harmless, so no sense break users by\nforbidding them.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nALSA: usb-audio: don\u0027t try to get Outlaw RR2150 sample rate\n\n[ Upstream commit 2f80b2958abe5658000d5ad9b45a36ecf879666e ]\n\nThis quirk allows us to avoid the noisy:\n\n\tcurrent rate 0 is different from the runtime rate\n\nmessage every time playback starts.  While USB DAC in the RR2150\nsupports reading the sample rate, it never returns a sample rate\nother than zero in my observation with common sample rates.\n\nSigned-off-by: Eric Wong \u003cnormalperson@yhbt.net\u003e\nCc: Joe Turner \u003cjoe@oampo.co.uk\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nALSA: usb-audio: Add sample rate inquiry quirk for AudioQuest DragonFly\n\n[ Upstream commit 12a6116e66695a728bcb9616416c508ce9c051a1 ]\n\nAvoid getting sample rate on AudioQuest DragonFly as it is unsupported\nand causes noisy \"cannot get freq at ep 0x1\" messages when playback\nstarts.\n\nSigned-off-by: Anssi Hannula \u003canssi.hannula@iki.fi\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nALSA: usb-audio: Add a sample rate quirk for Phoenix Audio TMX320\n\n[ Upstream commit f03b24a851d32ca85dacab01785b24a7ee717d37 ]\n\nPhoenix Audio TMX320 gives the similar error when the sample rate is\nasked:\n  usb 2-1.3: 2:1: cannot get freq at ep 0x85\n  usb 2-1.3: 1:1: cannot get freq at ep 0x2\n  ....\n\nAdd the corresponding USB-device ID (1de7:0014) to\nsnd_usb_get_sample_rate_quirk() list.\n\nBugzilla: https://bugzilla.kernel.org/show_bug.cgi?id\u003d110221\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nxen/events: Mask a moving irq\n\n[ Upstream commit ff1e22e7a638a0782f54f81a6c9cb139aca2da35 ]\n\nMoving an unmasked irq may result in irq handler being invoked on both\nsource and target CPUs.\n\nWith 2-level this can happen as follows:\n\nOn source CPU:\n        evtchn_2l_handle_events() -\u003e\n            generic_handle_irq() -\u003e\n                handle_edge_irq() -\u003e\n                   eoi_pirq():\n                       irq_move_irq(data);\n\n                       /***** WE ARE HERE *****/\n\n                       if (VALID_EVTCHN(evtchn))\n                           clear_evtchn(evtchn);\n\nIf at this moment target processor is handling an unrelated event in\nevtchn_2l_handle_events()\u0027s loop it may pick up our event since target\u0027s\ncpu_evtchn_mask claims that this event belongs to it *and* the event is\nunmasked and still pending. At the same time, source CPU will continue\nexecuting its own handle_edge_irq().\n\nWith FIFO interrupt the scenario is similar: irq_move_irq() may result\nin a EVTCHNOP_unmask hypercall which, in turn, may make the event\npending on the target CPU.\n\nWe can avoid this situation by moving and clearing the event while\nkeeping event masked.\n\nSigned-off-by: Boris Ostrovsky \u003cboris.ostrovsky@oracle.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: David Vrabel \u003cdavid.vrabel@citrix.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nusb: renesas_usbhs: fix spinlock suspected in a gadget complete function\n\n[ Upstream commit 00f30d29b497577954b20237b405e9d22b5286c2 ]\n\nAccording to the gadget.h, a \"complete\" function will always be called\nwith interrupts disabled. However, sometimes usbhsg_queue_pop() function\nis called with interrupts enabled. So, this function should be held by\nusbhs_lock() to disable interruption. Also, this driver has to call\nspin_unlock() to avoid spinlock recursion by this driver before calling\nusb_gadget_giveback_request().\nOtherwise, there is possible to cause a spinlock suspected in a gadget\ncomplete function.\n\nSigned-off-by: Yoshihiro Shimoda \u003cyoshihiro.shimoda.uh@renesas.com\u003e\nSigned-off-by: Felipe Balbi \u003cbalbi@ti.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nusb: renesas_usbhs: fix to avoid using a disabled ep in usbhsg_queue_done()\n\n[ Upstream commit 4fccb0767fdbdb781a9c5b5c15ee7b219443c89d ]\n\nThis patch fixes an issue that usbhsg_queue_done() may cause kernel\npanic when dma callback is running and usb_ep_disable() is called\nby interrupt handler. (Especially, we can reproduce this issue using\ng_audio with usb-dmac driver.)\n\nFor example of a flow:\n usbhsf_dma_complete (on tasklet)\n  --\u003e usbhsf_pkt_handler (on tasklet)\n   --\u003e usbhsg_queue_done (on tasklet)\n    *** interrupt happened and usb_ep_disable() is called ***\n    --\u003e usbhsg_queue_pop (on tasklet)\n     Then, oops happened.\n\nFixes: e73a989 (\"usb: renesas_usbhs: add DMAEngine support\")\nCc: \u003cstable@vger.kernel.org\u003e # v3.1+\nSigned-off-by: Yoshihiro Shimoda \u003cyoshihiro.shimoda.uh@renesas.com\u003e\nSigned-off-by: Felipe Balbi \u003cfelipe.balbi@linux.intel.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ncompiler-gcc: disable -ftracer for __noclone functions\n\n[ Upstream commit 95272c29378ee7dc15f43fa2758cb28a5913a06d ]\n\n-ftracer can duplicate asm blocks causing compilation to fail in\nnoclone functions.  For example, KVM declares a global variable\nin an asm like\n\n    asm(\"2: ... \\n\n         .pushsection data \\n\n         .global vmx_return \\n\n         vmx_return: .long 2b\");\n\nand -ftracer causes a double declaration.\n\nCc: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nCc: Michal Marek \u003cmmarek@suse.cz\u003e\nCc: stable@vger.kernel.org\nCc: kvm@vger.kernel.org\nReported-by: Linda Walsh \u003clkml@tlinx.org\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nrbd: use GFP_NOIO consistently for request allocations\n\n[ Upstream commit 2224d879c7c0f85c14183ef82eb48bd875ceb599 ]\n\nAs of 5a60e87603c4c533492c515b7f62578189b03c9c, RBD object request\nallocations are made via rbd_obj_request_create() with GFP_NOIO.\nHowever, subsequent OSD request allocations in rbd_osd_req_create*()\nuse GFP_ATOMIC.\n\nWith heavy page cache usage (e.g. OSDs running on same host as krbd\nclient), rbd_osd_req_create() order-1 GFP_ATOMIC allocations have been\nobserved to fail, where direct reclaim would have allowed GFP_NOIO\nallocations to succeed.\n\nCc: stable@vger.kernel.org # 3.18+\nSuggested-by: Vlastimil Babka \u003cvbabka@suse.cz\u003e\nSuggested-by: Neil Brown \u003cneilb@suse.com\u003e\nSigned-off-by: David Disseldorp \u003cddiss@suse.de\u003e\nSigned-off-by: Ilya Dryomov \u003cidryomov@gmail.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nALSA: usb-audio: Add a quirk for Plantronics BT300\n\n[ Upstream commit b4203ff5464da00b7812e7b480192745b0d66bbf ]\n\nPlantronics BT300 does not support reading the sample rate which leads\nto many lines of \"cannot get freq at ep 0x1\". This patch adds the USB\nID of the BT300 to quirks.c and avoids those error messages.\n\nSigned-off-by: Dennis Kadioglu \u003cdenk@post.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nBtrfs: fix fsync data loss after append write\n\n[ Upstream commit e4545de5b035c7debb73d260c78377dbb69cbfb5 ]\n\nIf we do an append write to a file (which increases its inode\u0027s i_size)\nthat does not have the flag BTRFS_INODE_NEEDS_FULL_SYNC set in its inode,\nand the previous transaction added a new hard link to the file, which sets\nthe flag BTRFS_INODE_COPY_EVERYTHING in the file\u0027s inode, and then fsync\nthe file, the inode\u0027s new i_size isn\u0027t logged. This has the consequence\nthat after the fsync log is replayed, the file size remains what it was\nbefore the append write operation, which means users/applications will\nnot be able to read the data that was successsfully fsync\u0027ed before.\n\nThis happens because neither the inode item nor the delayed inode get\ntheir i_size updated when the append write is made - doing so would\nrequire starting a transaction in the buffered write path, something that\nwe do not do intentionally for performance reasons.\n\nFix this by making sure that when the flag BTRFS_INODE_COPY_EVERYTHING is\nset the inode is logged with its current i_size (log the in-memory inode\ninto the log tree).\n\nThis issue is not a recent regression and is easy to reproduce with the\nfollowing test case for fstests:\n\n  seq\u003d`basename $0`\n  seqres\u003d$RESULT_DIR/$seq\n  echo \"QA output created by $seq\"\n\n  here\u003d`pwd`\n  tmp\u003d/tmp/$$\n  status\u003d1\t# failure is the default!\n\n  _cleanup()\n  {\n          _cleanup_flakey\n          rm -f $tmp.*\n  }\n  trap \"_cleanup; exit \\$status\" 0 1 2 3 15\n\n  # get standard environment, filters and checks\n  . ./common/rc\n  . ./common/filter\n  . ./common/dmflakey\n\n  # real QA test starts here\n  _supported_fs generic\n  _supported_os Linux\n  _need_to_be_root\n  _require_scratch\n  _require_dm_flakey\n  _require_metadata_journaling $SCRATCH_DEV\n\n  _crash_and_mount()\n  {\n          # Simulate a crash/power loss.\n          _load_flakey_table $FLAKEY_DROP_WRITES\n          _unmount_flakey\n          # Allow writes again and mount. This makes the fs replay its fsync log.\n          _load_flakey_table $FLAKEY_ALLOW_WRITES\n          _mount_flakey\n  }\n\n  rm -f $seqres.full\n\n  _scratch_mkfs \u003e\u003e $seqres.full 2\u003e\u00261\n  _init_flakey\n  _mount_flakey\n\n  # Create the test file with some initial data and then fsync it.\n  # The fsync here is only needed to trigger the issue in btrfs, as it causes the\n  # the flag BTRFS_INODE_NEEDS_FULL_SYNC to be removed from the btrfs inode.\n  $XFS_IO_PROG -f -c \"pwrite -S 0xaa 0 32k\" \\\n                  -c \"fsync\" \\\n                  $SCRATCH_MNT/foo | _filter_xfs_io\n  sync\n\n  # Add a hard link to our file.\n  # On btrfs this sets the flag BTRFS_INODE_COPY_EVERYTHING on the btrfs inode,\n  # which is a necessary condition to trigger the issue.\n  ln $SCRATCH_MNT/foo $SCRATCH_MNT/bar\n\n  # Sync the filesystem to force a commit of the current btrfs transaction, this\n  # is a necessary condition to trigger the bug on btrfs.\n  sync\n\n  # Now append more data to our file, increasing its size, and fsync the file.\n  # In btrfs because the inode flag BTRFS_INODE_COPY_EVERYTHING was set and the\n  # write path did not update the inode item in the btree nor the delayed inode\n  # item (in memory struture) in the current transaction (created by the fsync\n  # handler), the fsync did not record the inode\u0027s new i_size in the fsync\n  # log/journal. This made the data unavailable after the fsync log/journal is\n  # replayed.\n  $XFS_IO_PROG -c \"pwrite -S 0xbb 32K 32K\" \\\n               -c \"fsync\" \\\n               $SCRATCH_MNT/foo | _filter_xfs_io\n\n  echo \"File content after fsync and before crash:\"\n  od -t x1 $SCRATCH_MNT/foo\n\n  _crash_and_mount\n\n  echo \"File content after crash and log replay:\"\n  od -t x1 $SCRATCH_MNT/foo\n\n  status\u003d0\n  exit\n\nThe expected file output before and after the crash/power failure expects the\nappended data to be available, which is:\n\n  0000000 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa\n  *\n  0100000 bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb\n  *\n  0200000\n\nCc: stable@vger.kernel.org\nSigned-off-by: Filipe Manana \u003cfdmanana@suse.com\u003e\nReviewed-by: Liu Bo \u003cbo.li.liu@oracle.com\u003e\nSigned-off-by: Chris Mason \u003cclm@fb.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nBtrfs: fix fsync xattr loss in the fast fsync path\n\n[ Upstream commit 36283bf777d963fac099213297e155d071096994 ]\n\nAfter commit 4f764e515361 (\"Btrfs: remove deleted xattrs on fsync log\nreplay\"), we can end up in a situation where during log replay we end up\ndeleting xattrs that were never deleted when their file was last fsynced.\n\nThis happens in the fast fsync path (flag BTRFS_INODE_NEEDS_FULL_SYNC is\nnot set in the inode) if the inode has the flag BTRFS_INODE_COPY_EVERYTHING\nset, the xattr was added in a past transaction and the leaf where the\nxattr is located was not updated (COWed or created) in the current\ntransaction. In this scenario the xattr item never ends up in the log\ntree and therefore at log replay time, which makes the replay code delete\nthe xattr from the fs/subvol tree as it thinks that xattr was deleted\nprior to the last fsync.\n\nFix this by always logging all xattrs, which is the simplest and most\nreliable way to detect deleted xattrs and replay the deletes at log replay\ntime.\n\nThis issue is reproducible with the following test case for fstests:\n\n  seq\u003d`basename $0`\n  seqres\u003d$RESULT_DIR/$seq\n  echo \"QA output created by $seq\"\n\n  here\u003d`pwd`\n  tmp\u003d/tmp/$$\n  status\u003d1\t# failure is the default!\n\n  _cleanup()\n  {\n      _cleanup_flakey\n      rm -f $tmp.*\n  }\n  trap \"_cleanup; exit \\$status\" 0 1 2 3 15\n\n  # get standard environment, filters and checks\n  . ./common/rc\n  . ./common/filter\n  . ./common/dmflakey\n  . ./common/attr\n\n  # real QA test starts here\n\n  # We create a lot of xattrs for a single file. Only btrfs and xfs are currently\n  # able to store such a large mount of xattrs per file, other filesystems such\n  # as ext3/4 and f2fs for example, fail with ENOSPC even if we attempt to add\n  # less than 1000 xattrs with very small values.\n  _supported_fs btrfs xfs\n  _supported_os Linux\n  _need_to_be_root\n  _require_scratch\n  _require_dm_flakey\n  _require_attrs\n  _require_metadata_journaling $SCRATCH_DEV\n\n  rm -f $seqres.full\n\n  _scratch_mkfs \u003e\u003e $seqres.full 2\u003e\u00261\n  _init_flakey\n  _mount_flakey\n\n  # Create the test file with some initial data and make sure everything is\n  # durably persisted.\n  $XFS_IO_PROG -f -c \"pwrite -S 0xaa 0 32k\" $SCRATCH_MNT/foo | _filter_xfs_io\n  sync\n\n  # Add many small xattrs to our file.\n  # We create such a large amount because it\u0027s needed to trigger the issue found\n  # in btrfs - we need to have an amount that causes the fs to have at least 3\n  # btree leafs with xattrs stored in them, and it must work on any leaf size\n  # (maximum leaf/node size is 64Kb).\n  num_xattrs\u003d2000\n  for ((i \u003d 1; i \u003c\u003d $num_xattrs; i++)); do\n      name\u003d\"user.attr_$(printf \"%04d\" $i)\"\n      $SETFATTR_PROG -n $name -v \"val_$(printf \"%04d\" $i)\" $SCRATCH_MNT/foo\n  done\n\n  # Sync the filesystem to force a commit of the current btrfs transaction, this\n  # is a necessary condition to trigger the bug on btrfs.\n  sync\n\n  # Now update our file\u0027s data and fsync the file.\n  # After a successful fsync, if the fsync log/journal is replayed we expect to\n  # see all the xattrs we added before with the same values (and the updated file\n  # data of course). Btrfs used to delete some of these xattrs when it replayed\n  # its fsync log/journal.\n  $XFS_IO_PROG -c \"pwrite -S 0xbb 8K 16K\" \\\n               -c \"fsync\" \\\n               $SCRATCH_MNT/foo | _filter_xfs_io\n\n  # Simulate a crash/power loss.\n  _load_flakey_table $FLAKEY_DROP_WRITES\n  _unmount_flakey\n\n  # Allow writes again and mount. This makes the fs replay its fsync log.\n  _load_flakey_table $FLAKEY_ALLOW_WRITES\n  _mount_flakey\n\n  echo \"File content after crash and log replay:\"\n  od -t x1 $SCRATCH_MNT/foo\n\n  echo \"File xattrs after crash and log replay:\"\n  for ((i \u003d 1; i \u003c\u003d $num_xattrs; i++)); do\n      name\u003d\"user.attr_$(printf \"%04d\" $i)\"\n      echo -n \"$name\u003d\"\n      $GETFATTR_PROG --absolute-names -n $name --only-values $SCRATCH_MNT/foo\n      echo\n  done\n\n  status\u003d0\n  exit\n\nThe golden output expects all xattrs to be available, and with the correct\nvalues, after the fsync log is replayed.\n\nSigned-off-by: Filipe Manana \u003cfdmanana@suse.com\u003e\nSigned-off-by: Chris Mason \u003cclm@fb.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nBtrfs: fix fsync after truncate when no_holes feature is enabled\n\n[ Upstream commit a89ca6f24ffe435edad57de02eaabd37a2c6bff6 ]\n\nWhen we have the no_holes feature enabled, if a we truncate a file to a\nsmaller size, truncate it again but to a size greater than or equals to\nits original size and fsync it, the log tree will not have any information\nabout the hole covering the range [truncate_1_offset, new_file_size[.\nWhich means if the fsync log is replayed, the file will remain with the\nstate it had before both truncate operations.\n\nWithout the no_holes feature this does not happen, since when the inode\nis logged (full sync flag is set) it will find in the fs/subvol tree a\nleaf with a generation matching the current transaction id that has an\nexplicit extent item representing the hole.\n\nFix this by adding an explicit extent item representing a hole between\nthe last extent and the inode\u0027s i_size if we are doing a full sync.\n\nThe issue is easy to reproduce with the following test case for fstests:\n\n  . ./common/rc\n  . ./common/filter\n  . ./common/dmflakey\n\n  _need_to_be_root\n  _supported_fs generic\n  _supported_os Linux\n  _require_scratch\n  _require_dm_flakey\n\n  # This test was motivated by an issue found in btrfs when the btrfs\n  # no-holes feature is enabled (introduced in kernel 3.14). So enable\n  # the feature if the fs being tested is btrfs.\n  if [ $FSTYP \u003d\u003d \"btrfs\" ]; then\n      _require_btrfs_fs_feature \"no_holes\"\n      _require_btrfs_mkfs_feature \"no-holes\"\n      MKFS_OPTIONS\u003d\"$MKFS_OPTIONS -O no-holes\"\n  fi\n\n  rm -f $seqres.full\n\n  _scratch_mkfs \u003e\u003e$seqres.full 2\u003e\u00261\n  _init_flakey\n  _mount_flakey\n\n  # Create our test files and make sure everything is durably persisted.\n  $XFS_IO_PROG -f -c \"pwrite -S 0xaa 0 64K\"         \\\n                  -c \"pwrite -S 0xbb 64K 61K\"       \\\n                  $SCRATCH_MNT/foo | _filter_xfs_io\n  $XFS_IO_PROG -f -c \"pwrite -S 0xee 0 64K\"         \\\n                  -c \"pwrite -S 0xff 64K 61K\"       \\\n                  $SCRATCH_MNT/bar | _filter_xfs_io\n  sync\n\n  # Now truncate our file foo to a smaller size (64Kb) and then truncate\n  # it to the size it had before the shrinking truncate (125Kb). Then\n  # fsync our file. If a power failure happens after the fsync, we expect\n  # our file to have a size of 125Kb, with the first 64Kb of data having\n  # the value 0xaa and the second 61Kb of data having the value 0x00.\n  $XFS_IO_PROG -c \"truncate 64K\" \\\n               -c \"truncate 125K\" \\\n               -c \"fsync\" \\\n               $SCRATCH_MNT/foo\n\n  # Do something similar to our file bar, but the first truncation sets\n  # the file size to 0 and the second truncation expands the size to the\n  # double of what it was initially.\n  $XFS_IO_PROG -c \"truncate 0\" \\\n               -c \"truncate 253K\" \\\n               -c \"fsync\" \\\n               $SCRATCH_MNT/bar\n\n  _load_flakey_table $FLAKEY_DROP_WRITES\n  _unmount_flakey\n\n  # Allow writes again, mount to trigger log replay and validate file\n  # contents.\n  _load_flakey_table $FLAKEY_ALLOW_WRITES\n  _mount_flakey\n\n  # We expect foo to have a size of 125Kb, the first 64Kb of data all\n  # having the value 0xaa and the remaining 61Kb to be a hole (all bytes\n  # with value 0x00).\n  echo \"File foo content after log replay:\"\n  od -t x1 $SCRATCH_MNT/foo\n\n  # We expect bar to have a size of 253Kb and no extents (any byte read\n  # from bar has the value 0x00).\n  echo \"File bar content after log replay:\"\n  od -t x1 $SCRATCH_MNT/bar\n\n  status\u003d0\n  exit\n\nThe expected file contents in the golden output are:\n\n  File foo content after log replay:\n  0000000 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa\n  *\n  0200000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  *\n  0372000\n  File bar content after log replay:\n  0000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  *\n  0772000\n\nWithout this fix, their contents are:\n\n  File foo content after log replay:\n  0000000 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa\n  *\n  0200000 bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb\n  *\n  0372000\n  File bar content after log replay:\n  0000000 ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee\n  *\n  0200000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n  *\n  0372000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  *\n  0772000\n\nA test case submission for fstests follows soon.\n\nSigned-off-by: Filipe Manana \u003cfdmanana@suse.com\u003e\nReviewed-by: Liu Bo \u003cbo.li.liu@oracle.com\u003e\nSigned-off-by: Chris Mason \u003cclm@fb.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nBtrfs: fix file/data loss caused by fsync after rename and new inode\n\n[ Upstream commit 56f23fdbb600e6087db7b009775b95ce07cc3195 ]\n\nIf we rename an inode A (be it a file or a directory), create a new\ninode B with the old name of inode A and under the same parent directory,\nfsync inode B and then power fail, at log tree replay time we end up\nremoving inode A completely. If inode A is a directory then all its files\nare gone too.\n\nExample scenarios where this happens:\nThis is reproducible with the following steps, taken from a couple of\ntest cases written for fstests which are going to be submitted upstream\nsoon:\n\n   # Scenario 1\n\n   mkfs.btrfs -f /dev/sdc\n   mount /dev/sdc /mnt\n   mkdir -p /mnt/a/x\n   echo \"hello\" \u003e /mnt/a/x/foo\n   echo \"world\" \u003e /mnt/a/x/bar\n   sync\n   mv /mnt/a/x /mnt/a/y\n   mkdir /mnt/a/x\n   xfs_io -c fsync /mnt/a/x\n   \u003cpower failure happens\u003e\n\n   The next time the fs is mounted, log tree replay happens and\n   the directory \"y\" does not exist nor do the files \"foo\" and\n   \"bar\" exist anywhere (neither in \"y\" nor in \"x\", nor the root\n   nor anywhere).\n\n   # Scenario 2\n\n   mkfs.btrfs -f /dev/sdc\n   mount /dev/sdc /mnt\n   mkdir /mnt/a\n   echo \"hello\" \u003e /mnt/a/foo\n   sync\n   mv /mnt/a/foo /mnt/a/bar\n   echo \"world\" \u003e /mnt/a/foo\n   xfs_io -c fsync /mnt/a/foo\n   \u003cpower failure happens\u003e\n\n   The next time the fs is mounted, log tree replay happens and the\n   file \"bar\" does not exists anymore. A file with the name \"foo\"\n   exists and it matches the second file we created.\n\nAnother related problem that does not involve file/data loss is when a\nnew inode is created with the name of a deleted snapshot and we fsync it:\n\n   mkfs.btrfs -f /dev/sdc\n   mount /dev/sdc /mnt\n   mkdir /mnt/testdir\n   btrfs subvolume snapshot /mnt /mnt/testdir/snap\n   btrfs subvolume delete /mnt/testdir/snap\n   rmdir /mnt/testdir\n   mkdir /mnt/testdir\n   xfs_io -c fsync /mnt/testdir # or fsync some file inside /mnt/testdir\n   \u003cpower failure\u003e\n\n   The next time the fs is mounted the log replay procedure fails because\n   it attempts to delete the snapshot entry (which has dir item key type\n   of BTRFS_ROOT_ITEM_KEY) as if it were a regular (non-root) entry,\n   resulting in the following error that causes mount to fail:\n\n   [52174.510532] BTRFS info (device dm-0): failed to delete reference to snap, inode 257 parent 257\n   [52174.512570] ------------[ cut here ]------------\n   [52174.513278] WARNING: CPU: 12 PID: 28024 at fs/btrfs/inode.c:3986 __btrfs_unlink_inode+0x178/0x351 [btrfs]()\n   [52174.514681] BTRFS: Transaction aborted (error -2)\n   [52174.515630] Modules linked in: btrfs dm_flakey dm_mod overlay crc32c_generic ppdev xor raid6_pq acpi_cpufreq parport_pc tpm_tis sg parport tpm evdev i2c_piix4 proc\n   [52174.521568] CPU: 12 PID: 28024 Comm: mount Tainted: G        W       4.5.0-rc6-btrfs-next-27+ #1\n   [52174.522805] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS by qemu-project.org 04/01/2014\n   [52174.524053]  0000000000000000 ffff8801df2a7710 ffffffff81264e93 ffff8801df2a7758\n   [52174.524053]  0000000000000009 ffff8801df2a7748 ffffffff81051618 ffffffffa03591cd\n   [52174.524053]  00000000fffffffe ffff88015e6e5000 ffff88016dbc3c88 ffff88016dbc3c88\n   [52174.524053] Call Trace:\n   [52174.524053]  [\u003cffffffff81264e93\u003e] dump_stack+0x67/0x90\n   [52174.524053]  [\u003cffffffff81051618\u003e] warn_slowpath_common+0x99/0xb2\n   [52174.524053]  [\u003cffffffffa03591cd\u003e] ? __btrfs_unlink_inode+0x178/0x351 [btrfs]\n   [52174.524053]  [\u003cffffffff81051679\u003e] warn_slowpath_fmt+0x48/0x50\n   [52174.524053]  [\u003cffffffffa03591cd\u003e] __btrfs_unlink_inode+0x178/0x351 [btrfs]\n   [52174.524053]  [\u003cffffffff8118f5e9\u003e] ? iput+0xb0/0x284\n   [52174.524053]  [\u003cffffffffa0359fe8\u003e] btrfs_unlink_inode+0x1c/0x3d [btrfs]\n   [52174.524053]  [\u003cffffffffa038631e\u003e] check_item_in_log+0x1fe/0x29b [btrfs]\n   [52174.524053]  [\u003cffffffffa0386522\u003e] replay_dir_deletes+0x167/0x1cf [btrfs]\n   [52174.524053]  [\u003cffffffffa038739e\u003e] fixup_inode_link_count+0x289/0x2aa [btrfs]\n   [52174.524053]  [\u003cffffffffa038748a\u003e] fixup_inode_link_counts+0xcb/0x105 [btrfs]\n   [52174.524053]  [\u003cffffffffa038a5ec\u003e] btrfs_recover_log_trees+0x258/0x32c [btrfs]\n   [52174.524053]  [\u003cffffffffa03885b2\u003e] ? replay_one_extent+0x511/0x511 [btrfs]\n   [52174.524053]  [\u003cffffffffa034f288\u003e] open_ctree+0x1dd4/0x21b9 [btrfs]\n   [52174.524053]  [\u003cffffffffa032b753\u003e] btrfs_mount+0x97e/0xaed [btrfs]\n   [52174.524053]  [\u003cffffffff8108e1b7\u003e] ? trace_hardirqs_on+0xd/0xf\n   [52174.524053]  [\u003cffffffff8117bafa\u003e] mount_fs+0x67/0x131\n   [52174.524053]  [\u003cffffffff81193003\u003e] vfs_kern_mount+0x6c/0xde\n   [52174.524053]  [\u003cffffffffa032af81\u003e] btrfs_mount+0x1ac/0xaed [btrfs]\n   [52174.524053]  [\u003cffffffff8108e1b7\u003e] ? trace_hardirqs_on+0xd/0xf\n   [52174.524053]  [\u003cffffffff8108c262\u003e] ? lockdep_init_map+0xb9/0x1b3\n   [52174.524053]  [\u003cffffffff8117bafa\u003e] mount_fs+0x67/0x131\n   [52174.524053]  [\u003cffffffff81193003\u003e] vfs_kern_mount+0x6c/0xde\n   [52174.524053]  [\u003cffffffff8119590f\u003e] do_mount+0x8a6/0x9e8\n   [52174.524053]  [\u003cffffffff811358dd\u003e] ? strndup_user+0x3f/0x59\n   [52174.524053]  [\u003cffffffff81195c65\u003e] SyS_mount+0x77/0x9f\n   [52174.524053]  [\u003cffffffff814935d7\u003e] entry_SYSCALL_64_fastpath+0x12/0x6b\n   [52174.561288] ---[ end trace 6b53049efb1a3ea6 ]---\n\nFix this by forcing a transaction commit when such cases happen.\nThis means we check in the commit root of the subvolume tree if there\nwas any other inode with the same reference when the inode we are\nfsync\u0027ing is a new inode (created in the current transaction).\n\nTest cases for fstests, covering all the scenarios given above, were\nsubmitted upstream for fstests:\n\n  * fstests: generic test for fsync after renaming directory\n    https://patchwork.kernel.org/patch/8694281/\n\n  * fstests: generic test for fsync after renaming file\n    https://patchwork.kernel.org/patch/8694301/\n\n  * fstests: add btrfs test for fsync after snapshot deletion\n    https://patchwork.kernel.org/patch/8670671/\n\nCc: stable@vger.kernel.org\nSigned-off-by: Filipe Manana \u003cfdmanana@suse.com\u003e\nSigned-off-by: Chris Mason \u003cclm@fb.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUSB: serial: ftdi_sio: Add support for ICP DAS I-756xU devices\n\n[ Upstream commit ea6db90e750328068837bed34cb1302b7a177339 ]\n\nA Fedora user reports that the ftdi_sio driver works properly for the\nICP DAS I-7561U device.  Further, the user manual for these devices\ninstructs users to load the driver and add the ids using the sysfs\ninterface.\n\nAdd support for these in the driver directly so that the devices work\nout of the box instead of needing manual configuration.\n\nReported-by: \u003cthesource@mail.ru\u003e\nCC: stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Josh Boyer \u003cjwboyer@fedoraproject.org\u003e\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUSB: serial: cp210x: Adding GE Healthcare Device ID\n\n[ Upstream commit cddc9434e3dcc37a85c4412fb8e277d3a582e456 ]\n\nThe CP2105 is used in the GE Healthcare Remote Alarm Box, with the\nManufacturer ID of 0x1901 and Product ID of 0x0194.\n\nSigned-off-by: Martyn Welch \u003cmartyn.welch@collabora.co.uk\u003e\nCc: stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUSB: option: add \"D-Link DWM-221 B1\" device id\n\n[ Upstream commit d48d5691ebf88a15d95ba96486917ffc79256536 ]\n\nThomas reports:\n\"Windows:\n\n00 diagnostics\n01 modem\n02 at-port\n03 nmea\n04 nic\n\nLinux:\n\nT:  Bus\u003d02 Lev\u003d01 Prnt\u003d01 Port\u003d03 Cnt\u003d01 Dev#\u003d  4 Spd\u003d480 MxCh\u003d 0\nD:  Ver\u003d 2.00 Cls\u003d00(\u003eifc ) Sub\u003d00 Prot\u003d00 MxPS\u003d64 #Cfgs\u003d  1\nP:  Vendor\u003d2001 ProdID\u003d7e19 Rev\u003d02.32\nS:  Manufacturer\u003dMobile Connect\nS:  Product\u003dMobile Connect\nS:  SerialNumber\u003d0123456789ABCDEF\nC:  #Ifs\u003d 6 Cfg#\u003d 1 Atr\u003da0 MxPwr\u003d500mA\nI:  If#\u003d 0 Alt\u003d 0 #EPs\u003d 2 Cls\u003dff(vend.) Sub\u003dff Prot\u003dff Driver\u003doption\nI:  If#\u003d 1 Alt\u003d 0 #EPs\u003d 3 Cls\u003dff(vend.) Sub\u003d00 Prot\u003d00 Driver\u003doption\nI:  If#\u003d 2 Alt\u003d 0 #EPs\u003d 3 Cls\u003dff(vend.) Sub\u003d00 Prot\u003d00 Driver\u003doption\nI:  If#\u003d 3 Alt\u003d 0 #EPs\u003d 3 Cls\u003dff(vend.) Sub\u003d00 Prot\u003d00 Driver\u003doption\nI:  If#\u003d 4 Alt\u003d 0 #EPs\u003d 3 Cls\u003dff(vend.) Sub\u003dff Prot\u003dff Driver\u003dqmi_wwan\nI:  If#\u003d 5 Alt\u003d 0 #EPs\u003d 2 Cls\u003d08(stor.) Sub\u003d06 Prot\u003d50 Driver\u003dusb-storage\"\n\nReported-by: Thomas Schäfer \u003ctschaefer@t-online.de\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Bjørn Mork \u003cbjorn@mork.no\u003e\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ngpio: pca953x: Use correct u16 value for register word write\n\n[ Upstream commit 9b8e3ec34318663affced3c14d960e78d760dd9a ]\n\nThe current implementation only uses the first byte in val,\nthe second byte is always 0. Change it to use cpu_to_le16\nto write the two bytes into the register\n\nCc: stable@vger.kernel.org\nSigned-off-by: Yong Li \u003csdliyong@gmail.com\u003e\nReviewed-by: Phil Reid \u003cpreid@electromag.com.au\u003e\nSigned-off-by: Linus Walleij \u003clinus.walleij@linaro.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nparisc: Avoid function pointers for kernel exception routines\n\n[ Upstream commit e3893027a300927049efc1572f852201eb785142 ]\n\nWe want to avoid the kernel module loader to create function pointers\nfor the kernel fixup routines of get_user() and put_user(). Changing\nthe external reference from function type to int type fixes this.\n\nThis unbreaks exception handling for get_user() and put_user() when\ncalled from a kernel module.\n\nSigned-off-by: Helge Deller \u003cdeller@gmx.de\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nparisc: Fix kernel crash with reversed copy_from_user()\n\n[ Upstream commit ef72f3110d8b19f4c098a0bff7ed7d11945e70c6 ]\n\nThe kernel module testcase (lib/test_user_copy.c) exhibited a kernel\ncrash on parisc if the parameters for copy_from_user were reversed\n(\"illegal reversed copy_to_user\" testcase).\n\nFix this potential crash by checking the fault handler if the faulting\naddress is in the exception table.\n\nSigned-off-by: Helge Deller \u003cdeller@gmx.de\u003e\nCc: stable@vger.kernel.org\nCc: Kees Cook \u003ckeescook@chromium.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nparisc: percpu: update comments referring to __get_cpu_var\n\n[ Upstream commit 6ddb798f0248e3460c2dce76af5cb30a980efccd ]\n\n__get_cpu_var was removed. Update comments to refer to\nthis_cpu_ptr() instead.\n\nSigned-off-by: Christoph Lameter \u003ccl@linux.com\u003e\nCc: \"James E.J. Bottomley\" \u003cJames.Bottomley@HansenPartnership.com\u003e\nCc: Tejun Heo \u003ctj@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nparisc: Unbreak handling exceptions from kernel modules\n\n[ Upstream commit 2ef4dfd9d9f288943e249b78365a69e3ea3ec072 ]\n\nHandling exceptions from modules never worked on parisc.\nIt was just masked by the fact that exceptions from modules\ndon\u0027t happen during normal use.\n\nWhen a module triggers an exception in get_user() we need to load the\nmain kernel dp value before accessing the exception_data structure, and\nafterwards restore the original dp value of the module on exit.\n\nNoticed-by: Mikulas Patocka \u003cmpatocka@redhat.com\u003e\nSigned-off-by: Helge Deller \u003cdeller@gmx.de\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nkvm: x86: do not leak guest xcr0 into host interrupt handlers\n\n[ Upstream commit fc5b7f3bf1e1414bd4e91db6918c85ace0c873a5 ]\n\nAn interrupt handler that uses the fpu can kill a KVM VM, if it runs\nunder the following conditions:\n - the guest\u0027s xcr0 register is loaded on the cpu\n - the guest\u0027s fpu context is not loaded\n - the host is using eagerfpu\n\nNote that the guest\u0027s xcr0 register and fpu context are not loaded as\npart of the atomic world switch into \"guest mode\". They are loaded by\nKVM while the cpu is still in \"host mode\".\n\nUsage of the fpu in interrupt context is gated by irq_fpu_usable(). The\ninterrupt handler will look something like this:\n\nif (irq_fpu_usable()) {\n        kernel_fpu_begin();\n\n        [... code that uses the fpu ...]\n\n        kernel_fpu_end();\n}\n\nAs long as the guest\u0027s fpu is not loaded and the host is using eager\nfpu, irq_fpu_usable() returns true (interrupted_kernel_fpu_idle()\nreturns true). The interrupt handler proceeds to use the fpu with\nthe guest\u0027s xcr0 live.\n\nkernel_fpu_begin() saves the current fpu context. If this uses\nXSAVE[OPT], it may leave the xsave area in an undesirable state.\nAccording to the SDM, during XSAVE bit i of XSTATE_BV is not modified\nif bit i is 0 in xcr0. So it\u0027s possible that XSTATE_BV[i] \u003d\u003d 1 and\nxcr0[i] \u003d\u003d 0 following an XSAVE.\n\nkernel_fpu_end() restores the fpu context. Now if any bit i in\nXSTATE_BV \u003d\u003d 1 while xcr0[i] \u003d\u003d 0, XRSTOR generates a #GP. The\nfault is trapped and SIGSEGV is delivered to the current process.\n\nOnly pre-4.2 kernels appear to be vulnerable to this sequence of\nevents. Commit 653f52c (\"kvm,x86: load guest FPU context more eagerly\")\nfrom 4.2 forces the guest\u0027s fpu to always be loaded on eagerfpu hosts.\n\nThis patch fixes the bug by keeping the host\u0027s xcr0 loaded outside\nof the interrupts-disabled region where KVM switches into guest mode.\n\nCc: stable@vger.kernel.org\nSuggested-by: Andy Lutomirski \u003cluto@amacapital.net\u003e\nSigned-off-by: David Matlack \u003cdmatlack@google.com\u003e\n[Move load after goto cancel_injection. - Paolo]\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nALSA: hda - fix front mic problem for a HP desktop\n\n[ Upstream commit e549d190f7b5f94e9ab36bd965028112914d010d ]\n\nThe front mic jack (pink color) can\u0027t detect any plug or unplug. After\napplying this fix, both detecting function and recording function\nwork well.\n\nBugLink: https://bugs.launchpad.net/bugs/1564712\nCc: stable@vger.kernel.org\nSigned-off-by: Hui Wang \u003chui.wang@canonical.com\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nALSA: usb-audio: Skip volume controls triggers hangup on Dell USB Dock\n\n[ Upstream commit adcdd0d5a1cb779f6d455ae70882c19c527627a8 ]\n\nThis is Dell usb dock audio workaround.\nIt was fixed the master volume keep lower.\n\n[Some background: the patch essentially skips the controls of a couple\n of FU volumes.  Although the firmware exposes the dB and the value\n information via the usb descriptor, changing the values (we set the\n min volume as default) screws up the device.  Although this has been\n fixed in the newer firmware, the devices are shipped with the old\n firmware, thus we need the workaround in the driver side.  -- tiwai]\n\nSigned-off-by: Kailang Yang \u003ckailang@realtek.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndmaengine: dw: fix master selection\n\n[ Upstream commit 3fe6409c23e2bee4b2b1b6d671d2da8daa15271c ]\n\nThe commit 895005202987 (\"dmaengine: dw: apply both HS interfaces and remove\nslave_id usage\") cleaned up the code to avoid usage of depricated slave_id\nmember of generic slave configuration.\n\nMeanwhile it broke the master selection by removing important call to\ndwc_set_masters() in -\u003edevice_alloc_chan_resources() which copied masters from\ncustom slave configuration to the internal channel structure.\n\nEverything works until now since there is no customized connection of\nDesignWare DMA IP to the bus, i.e. one bus and one or more masters are in use.\nThe configurations where 2 masters are connected to the different masters are\nnot working anymore. We are expecting one user of such configuration and need\nto select masters properly. Besides that it is obviously a performance\nregression since only one master is in use in multi-master configuration.\n\nSelect masters in accordance with what user asked for. Keep this patch in a form\nmore suitable for back porting.\n\nWe are safe to take necessary data in -\u003edevice_alloc_chan_resources() because\nwe don\u0027t support generic slave configuration embedded into custom one, and thus\nthe only way to provide such is to use the parameter to a filter function which\nis called exactly before channel resource allocation.\n\nWhile here, replase BUG_ON to less noisy dev_warn() and prevent channel\nallocation in case of error.\n\nFixes: 895005202987 (\"dmaengine: dw: apply both HS interfaces and remove slave_id usage\")\nCc: stable@vger.kernel.org\nSigned-off-by: Andy Shevchenko \u003candriy.shevchenko@linux.intel.com\u003e\nSigned-off-by: Vinod Koul \u003cvinod.koul@intel.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nlib: lz4: fixed zram with lz4 on big endian machines\n\n[ Upstream commit 3e26a691fe3fe1e02a76e5bab0c143ace4b137b4 ]\n\nBased on Sergey\u0027s test patch [1], this fixes zram with lz4 compression\non big endian cpus.\n\nNote that the 64-bit preprocessor test is not a cleanup, it\u0027s part of\nthe fix, since those identifiers are bogus (for example, __ppc64__\nisn\u0027t defined anywhere else in the kernel, which means we\u0027d fall into\nthe 32-bit definitions on ppc64).\n\nTested on ppc64 with no regression on x86_64.\n\n[1] http://marc.info/?l\u003dlinux-kernel\u0026m\u003d145994470805853\u0026w\u003d4\n\nCc: stable@vger.kernel.org\nSuggested-by: Sergey Senozhatsky \u003csergey.senozhatsky@gmail.com\u003e\nSigned-off-by: Rui Salvaterra \u003crsalvaterra@gmail.com\u003e\nReviewed-by: Sergey Senozhatsky \u003csergey.senozhatsky@gmail.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nusb: xhci: applying XHCI_PME_STUCK_QUIRK to Intel BXT B0 host\n\n[ Upstream commit 0d46faca6f887a849efb07c1655b5a9f7c288b45 ]\n\nBroxton B0 also requires XHCI_PME_STUCK_QUIRK.\nAdding PCI device ID for Broxton B and adding to quirk.\n\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Rafal Redzimski \u003crafal.f.redzimski@intel.com\u003e\nSigned-off-by: Robert Dobrowolski \u003crobert.dobrowolski@linux.intel.com\u003e\nSigned-off-by: Mathias Nyman \u003cmathias.nyman@linux.intel.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nxhci: resume USB 3 roothub first\n\n[ Upstream commit 671ffdff5b13314b1fc65d62cf7604b873fb5dc4 ]\n\nGive USB3 devices a better chance to enumerate at USB 3 speeds if\nthey are connected to a suspended host.\nSolves an issue with NEC uPD720200 host hanging when partially\nenumerating a USB3 device as USB2 after host controller runtime resume.\n\nCc: \u003cstable@vger.kernel.org\u003e\nTested-by: Mike Murdoch \u003cmain.haarp@gmail.com\u003e\nSigned-off-by: Mathias Nyman \u003cmathias.nyman@linux.intel.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nusb: host: xhci: add a new quirk XHCI_NO_64BIT_SUPPORT\n\n[ Upstream commit 0a380be8233dbf8dd20795b801c5d5d5ef3992f7 ]\n\nOn some xHCI controllers (e.g. R-Car SoCs), the AC64 bit (bit 0) of\nHCCPARAMS1 is set to 1. However, the xHCs don\u0027t support 64-bit\naddress memory pointers actually. So, in this case, this driver should\ncall dma_set_coherent_mask(dev, DMA_BIT_MASK(32)) in xhci_gen_setup().\nOtherwise, the xHCI controller will be died after a usb device is\nconnected if it runs on above 4GB physical memory environment.\n\nSo, this patch adds a new quirk XHCI_NO_64BIT_SUPPORT to resolve\nsuch an issue.\n\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Yoshihiro Shimoda \u003cyoshihiro.shimoda.uh@renesas.com\u003e\nReviewed-by: Felipe Balbi \u003cfelipe.balbi@linux.intel.com\u003e\nSigned-off-by: Mathias Nyman \u003cmathias.nyman@linux.intel.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nusb: xhci: fix wild pointers in xhci_mem_cleanup\n\n[ Upstream commit 71504062a7c34838c3fccd92c447f399d3cb5797 ]\n\nThis patch fixes some wild pointers produced by xhci_mem_cleanup.\nThese wild pointers will cause system crash if xhci_mem_cleanup()\nis called twice.\n\nReported-and-tested-by: Pengcheng Li \u003clpc.li@hisilicon.com\u003e\nSigned-off-by: Lu Baolu \u003cbaolu.lu@linux.intel.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Mathias Nyman \u003cmathias.nyman@linux.intel.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nxhci: fix 10 second timeout on removal of PCI hotpluggable xhci controllers\n\n[ Upstream commit 98d74f9ceaefc2b6c4a6440050163a83be0abede ]\n\nPCI hotpluggable xhci controllers such as some Alpine Ridge solutions will\nremove the xhci controller from the PCI bus when the last USB device is\ndisconnected.\n\nAdd a flag to indicate that the host is being removed to avoid queueing\nconfigure_endpoint commands for the dropped endpoints.\nFor PCI hotplugged controllers this will prevent 5 second command timeouts\nFor static xhci controllers the configure_endpoint command is not needed\nin the removal case as everything will be returned, freed, and the\ncontroller is reset.\n\nFor now the flag is only set for PCI connected host controllers.\n\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Mathias Nyman \u003cmathias.nyman@linux.intel.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUSB: uas: Add a new NO_REPORT_LUNS quirk\n\n[ Upstream commit 1363074667a6b7d0507527742ccd7bbed5e3ceaa ]\n\nAdd a new NO_REPORT_LUNS quirk and set it for Seagate drives with\nan usb-id of: 0bc2:331a, as these will fail to respond to a\nREPORT_LUNS command.\n\nCc: stable@vger.kernel.org\nReported-and-tested-by: David Webb \u003cdjw@noc.ac.uk\u003e\nSigned-off-by: Hans de Goede \u003chdegoede@redhat.com\u003e\nAcked-by: Alan Stern \u003cstern@rowland.harvard.edu\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nusb: hcd: out of bounds access in for_each_companion\n\n[ Upstream commit e86103a75705c7c530768f4ffaba74cf382910f2 ]\n\nOn BXT platform Host Controller and Device Controller figure as\nsame PCI device but with different device function. HCD should\nnot pass data to Device Controller but only to Host Controllers.\nChecking if companion device is Host Controller, otherwise skip.\n\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Robert Dobrowolski \u003crobert.dobrowolski@linux.intel.com\u003e\nAcked-by: Alan Stern \u003cstern@rowland.harvard.edu\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ntcp_cubic: better follow cubic curve after idle period\n\n[ Upstream commit 30927520dbae297182990bb21d08762bcc35ce1d ]\n\nJana Iyengar found an interesting issue on CUBIC :\n\nThe epoch is only updated/reset initially and when experiencing losses.\nThe delta \"t\" of now - epoch_start can be arbitrary large after app idle\nas well as the bic_target. Consequentially the slope (inverse of\nca-\u003ecnt) would be really large, and eventually ca-\u003ecnt would be\nlower-bounded in the end to 2 to have delayed-ACK slow-start behavior.\n\nThis particularly shows up when slow_start_after_idle is disabled\nas a dangerous cwnd inflation (1.5 x RTT) after few seconds of idle\ntime.\n\nJana initial fix was to reset epoch_start if app limited,\nbut Neal pointed out it would ask the CUBIC algorithm to recalculate the\ncurve so that we again start growing steeply upward from where cwnd is\nnow (as CUBIC does just after a loss). Ideally we\u0027d want the cwnd growth\ncurve to be the same shape, just shifted later in time by the amount of\nthe idle period.\n\nReported-by: Jana Iyengar \u003cjri@google.com\u003e\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nSigned-off-by: Yuchung Cheng \u003cycheng@google.com\u003e\nSigned-off-by: Neal Cardwell \u003cncardwell@google.com\u003e\nCc: Stephen Hemminger \u003cstephen@networkplumber.org\u003e\nCc: Sangtae Ha \u003csangtae.ha@gmail.com\u003e\nCc: Lawrence Brakmo \u003clawrence@brakmo.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nusb: musb: cppi41: correct the macro name EP_MODE_AUTOREG_*\n\n[ Upstream commit 0149b07a9e28b0d8bd2fc1c238ffe7d530c2673f ]\n\nThe macro EP_MODE_AUTOREG_* should be called EP_MODE_AUTOREQ_*, as they\nare used for register AUTOREQ.\n\nSigned-off-by: Bin Liu \u003cb-liu@ti.com\u003e\nSigned-off-by: Felipe Balbi \u003cbalbi@ti.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nBtrfs: fix list transaction-\u003epending_ordered corruption\n\n[ Upstream commit d3efe08400317888f559bbedf0e42cd31575d0ef ]\n\nWhen we call btrfs_commit_transaction(), we splice the list \"ordered\"\nof our transaction handle into the transaction\u0027s \"pending_ordered\"\nlist, but we don\u0027t re-initialize the \"ordered\" list of our transaction\nhandle, this means it still points to the same elements it used to\nbefore the splice. Then we check if the current transaction\u0027s state is\n\u003e\u003d TRANS_STATE_COMMIT_START and if it is we end up calling\nbtrfs_end_transaction() which simply splices again the \"ordered\" list\nof our handle into the transaction\u0027s \"pending_ordered\" list, leaving\nmultiple pointers to the same ordered extents which results in list\ncorruption when we are iterating, removing and freeing ordered extents\nat btrfs_wait_pending_ordered(), resulting in access to dangling\npointers / use-after-free issues.\nSimilarly, btrfs_end_transaction() can end up in some cases calling\nbtrfs_commit_transaction(), and both did a list splice of the transaction\nhandle\u0027s \"ordered\" list into the transaction\u0027s \"pending_ordered\" without\nre-initializing the handle\u0027s \"ordered\" list, resulting in exactly the\nsame problem.\n\nThis produces the following warning on a kernel with linked list\ndebugging enabled:\n\n[109749.265416] ------------[ cut here ]------------\n[109749.266410] WARNING: CPU: 7 PID: 324 at lib/list_debug.c:59 __list_del_entry+0x5a/0x98()\n[109749.267969] list_del corruption. prev-\u003enext should be ffff8800ba087e20, but was fffffff8c1f7c35d\n(...)\n[109749.287505] Call Trace:\n[109749.288135]  [\u003cffffffff8145f077\u003e] dump_stack+0x4f/0x7b\n[109749.298080]  [\u003cffffffff81095de5\u003e] ? console_unlock+0x356/0x3a2\n[109749.331605]  [\u003cffffffff8104b3b0\u003e] warn_slowpath_common+0xa1/0xbb\n[109749.334849]  [\u003cffffffff81260642\u003e] ? __list_del_entry+0x5a/0x98\n[109749.337093]  [\u003cffffffff8104b410\u003e] warn_slowpath_fmt+0x46/0x48\n[109749.337847]  [\u003cffffffff81260642\u003e] __list_del_entry+0x5a/0x98\n[109749.338678]  [\u003cffffffffa053e8bf\u003e] btrfs_wait_pending_ordered+0x46/0xdb [btrfs]\n[109749.340145]  [\u003cffffffffa058a65f\u003e] ? __btrfs_run_delayed_items+0x149/0x163 [btrfs]\n[109749.348313]  [\u003cffffffffa054077d\u003e] btrfs_commit_transaction+0x36b/0xa10 [btrfs]\n[109749.349745]  [\u003cffffffff81087310\u003e] ? trace_hardirqs_on+0xd/0xf\n[109749.350819]  [\u003cffffffffa055370d\u003e] btrfs_sync_file+0x36f/0x3fc [btrfs]\n[109749.351976]  [\u003cffffffff8118ec98\u003e] vfs_fsync_range+0x8f/0x9e\n[109749.360341]  [\u003cffffffff8118ecc3\u003e] vfs_fsync+0x1c/0x1e\n[109749.368828]  [\u003cffffffff8118ee1d\u003e] do_fsync+0x34/0x4e\n[109749.369790]  [\u003cffffffff8118f045\u003e] SyS_fsync+0x10/0x14\n[109749.370925]  [\u003cffffffff81465197\u003e] system_call_fastpath+0x12/0x6f\n[109749.382274] ---[ end trace 48e0d07f7c03d95a ]---\n\nOn a non-debug kernel this leads to invalid memory accesses, causing a\ncrash. Fix this by using list_splice_init() instead of list_splice() in\nbtrfs_commit_transaction() and btrfs_end_transaction().\n\nCc: stable@vger.kernel.org\nFixes: 50d9aa99bd35 (\"Btrfs: make sure logged extents complete in the current transaction V3\"\nSigned-off-by: Filipe Manana \u003cfdmanana@suse.com\u003e\nReviewed-by: David Sterba \u003cdsterba@suse.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ntcp_cubic: do not set epoch_start in the future\n\n[ Upstream commit c2e7204d180f8efc80f27959ca9cf16fa17f67db ]\n\nTracking idle time in bictcp_cwnd_event() is imprecise, as epoch_start\nis normally set at ACK processing time, not at send time.\n\nDoing a proper fix would need to add an additional state variable,\nand does not seem worth the trouble, given CUBIC bug has been there\nforever before Jana noticed it.\n\nLet\u0027s simply not set epoch_start in the future, otherwise\nbictcp_update() could overflow and CUBIC would again\ngrow cwnd too fast.\n\nThis was detected thanks to a packetdrill test Neal wrote that was flaky\nbefore applying this fix.\n\nFixes: 30927520dbae (\"tcp_cubic: better follow cubic curve after idle period\")\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nSigned-off-by: Neal Cardwell \u003cncardwell@google.com\u003e\nSigned-off-by: Yuchung Cheng \u003cycheng@google.com\u003e\nCc: Jana Iyengar \u003cjri@google.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nLinux 3.18.32\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nInput: gtco - fix crash on detecting device without endpoints\n\n[ Upstream commit 162f98dea487206d9ab79fc12ed64700667a894d ]\n\nThe gtco driver expects at least one valid endpoint. If given malicious\ndescriptors that specify 0 for the number of endpoints, it will crash in\nthe probe function. Ensure there is at least one endpoint on the interface\nbefore using it.\n\nAlso let\u0027s fix a minor coding style issue.\n\nThe full correct report of this issue can be found in the public\nRed Hat Bugzilla:\n\nhttps://bugzilla.redhat.com/show_bug.cgi?id\u003d1283385\n\nReported-by: Ralf Spenneberg \u003cralf@spenneberg.net\u003e\nSigned-off-by: Vladis Dronov \u003cvdronov@redhat.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Dmitry Torokhov \u003cdmitry.torokhov@gmail.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnl80211: check netlink protocol in socket release notification\n\n[ Upstream commit 8f815cdde3e550e10c2736990d791f60c2ce43eb ]\n\nA non-privileged user can create a netlink socket with the same port_id as\nused by an existing open nl80211 netlink socket (e.g. as used by a hostapd\nprocess) with a different protocol number.\n\nClosing this socket will then lead to the notification going to nl80211\u0027s\nsocket release notification handler, and possibly cause an action such as\nremoving a virtual interface.\n\nFix this issue by checking that the netlink protocol is NETLINK_GENERIC.\nSince generic netlink has no notifier chain of its own, we can\u0027t fix the\nproblem more generically.\n\nFixes: 026331c4d9b5 (\"cfg80211/mac80211: allow registering for and sending action frames\")\nCc: stable@vger.kernel.org\nSigned-off-by: Dmitry Ivanov \u003cdima@ubnt.com\u003e\n[rewrite commit message]\nSigned-off-by: Johannes Berg \u003cjohannes.berg@intel.com\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ncrypto: sha1-mb - use corrcet pointer while completing jobs\n\n[ Upstream commit 0851561d9c965df086ef8a53f981f5f95a57c2c8 ]\n\nIn sha_complete_job, incorrect mcryptd_hash_request_ctx pointer is used\nwhen check and complete other jobs. If the memory of first completed req\nis freed, while still completing other jobs in the func, kernel will\ncrash since NULL pointer is assigned to RIP.\n\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Xiaodong Liu \u003cxiaodong.liu@intel.com\u003e\nAcked-by: Tim Chen \u003ctim.c.chen@linux.intel.com\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ncrypto: ccp - Prevent information leakage on export\n\n[ Upstream commit f709b45ec461b548c41a00044dba1f1b572783bf ]\n\nPrevent information from leaking to userspace by doing a memset to 0 of\nthe export state structure before setting the structure values and copying\nit. This prevents un-initialized padding areas from being copied into the\nexport area.\n\nCc: \u003cstable@vger.kernel.org\u003e # 3.14.x-\nReported-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\nSigned-off-by: Tom Lendacky \u003cthomas.lendacky@amd.com\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\npowerpc: Disable CPU_FTR_TM if TM is disabled by firmware\n\n[ Upstream commit 9e819963b45f79e87f5a8c44960a66c0727c80e6 ]\n\nFirmware is allowed to communicate to us via the \"ibm,pa-features\" property\nthat TM (Transactional Memory) support is disabled.\n\nCurrently this doesn\u0027t happen on any platform we\u0027re aware of, but we should\nhonor it anyway.\n\nSigned-off-by: Aneesh Kumar K.V \u003caneesh.kumar@linux.vnet.ibm.com\u003e\nSigned-off-by: Michael Ellerman \u003cmpe@ellerman.id.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\npowerpc: scan_features() updates incorrect bits for REAL_LE\n\n[ Upstream commit 6997e57d693b07289694239e52a10d2f02c3a46f ]\n\nThe REAL_LE feature entry in the ibm_pa_feature struct is missing an MMU\nfeature value, meaning all the remaining elements initialise the wrong\nvalues.\n\nThis means instead of checking for byte 5, bit 0, we check for byte 0,\nbit 0, and then we incorrectly set the CPU feature bit as well as MMU\nfeature bit 1 and CPU user feature bits 0 and 2 (5).\n\nChecking byte 0 bit 0 (IBM numbering), means we\u0027re looking at the\n\"Memory Management Unit (MMU)\" feature - ie. does the CPU have an MMU.\nIn practice that bit is set on all platforms which have the property.\n\nThis means we set CPU_FTR_REAL_LE always. In practice that seems not to\nmatter because all the modern cpus which have this property also\nimplement REAL_LE, and we\u0027ve never needed to disable it.\n\nWe\u0027re also incorrectly setting MMU feature bit 1, which is:\n\n  #define MMU_FTR_TYPE_8xx\t\t0x00000002\n\nLuckily the only place that looks for MMU_FTR_TYPE_8xx is in Book3E\ncode, which can\u0027t run on the same cpus as scan_features(). So this also\ndoesn\u0027t matter in practice.\n\nFinally in the CPU user feature mask, we\u0027re setting bits 0 and 2. Bit 2\nis not currently used, and bit 0 is:\n\n  #define PPC_FEATURE_PPC_LE\t\t0x00000001\n\nWhich says the CPU supports the old style \"PPC Little Endian\" mode.\nAgain this should be harmless in practice as no 64-bit CPUs implement\nthat mode.\n\nFix the code by adding the missing initialisation of the MMU feature.\n\nAlso add a comment marking CPU user feature bit 2 (0x4) as reserved. It\nwould be unsafe to start using it as old kernels incorrectly set it.\n\nFixes: 44ae3ab3358e (\"powerpc: Free up some CPU feature bits by moving out MMU-related features\")\nSigned-off-by: Anton Blanchard \u003canton@samba.org\u003e\nCc: stable@vger.kernel.org\n[mpe: Flesh out changelog, add comment reserving 0x4]\nSigned-off-by: Michael Ellerman \u003cmpe@ellerman.id.au\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\npowerpc: Update cpu_user_features2 in scan_features()\n\n[ Upstream commit beff82374b259d726e2625ec6c518a5f2613f0ae ]\n\nscan_features() updates cpu_user_features but not cpu_user_features2.\n\nAmongst other things, cpu_user_features2 contains the user TM feature\nbits which we must keep in sync with the kernel TM feature bit.\n\nSigned-off-by: Anton Blanchard \u003canton@samba.org\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Michael Ellerman \u003cmpe@ellerman.id.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/radeon: add quirk for MSI R7 370\n\n[ Upstream commit e78654799135a788a941bacad3452fbd7083e518 ]\n\nJust adds the quirk for MSI R7 370 Armor 2X\nBug:\nhttps://bugs.freedesktop.org/show_bug.cgi?id\u003d91294\n\nSigned-off-by: Maxim Sheviakov \u003cmrader3940@yandex.ru\u003e\nSigned-off-by: Alex Deucher \u003calexander.deucher@amd.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/radeon: add quirk for ASUS R7 370\n\n[ Upstream commit 2b02ec79004388a8c65e227bc289ed891b5ac8c6 ]\n\nBug:\nhttps://bugs.freedesktop.org/show_bug.cgi?id\u003d92260\n\nSigned-off-by: Alex Deucher \u003calexander.deucher@amd.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/radeon: add another R7 370 quirk\n\n[ Upstream commit a64663d9870364bd2a2df62bf0d3a9fbe5ea62a8 ]\n\nbug:\nhttps://bugzilla.kernel.org/show_bug.cgi?id\u003d115291\n\nSigned-off-by: Alex Deucher \u003calexander.deucher@amd.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/radeon: add a quirk for a XFX R9 270X\n\n[ Upstream commit bcb31eba4a4ea356fd61cbd5dec5511c3883f57e ]\n\nbug:\nhttps://bugs.freedesktop.org/show_bug.cgi?id\u003d76490\n\nSigned-off-by: Alex Deucher \u003calexander.deucher@amd.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nRevert \"drm/radeon: disable runtime pm on PX laptops without dGPU power control\"\n\n[ Upstream commit bfaddd9fc8ac048b99475f000dbef6f08297417f ]\n\nThis reverts commit e64c952efb8e0c15ae82cec8e455ab4910690ef1.\n\nATPX is the ACPI method for controlling AMD PowerXpress laptops.\nThere are flags to indicate which methods are supported.  If\nthe dGPU power down flag is not supported, the driver needs to\nimplement the dGPU power down manually.  We had previously\nalways forced the driver to assume the ATPX dGPU power down\nwas present, but this causes problems on boards where it is\nnot, leading to GPU hangs when attempting to power down the\ndGPU.  Manual dGPU power down is not currently supported in\nthe Linux driver.  Some laptops indicate that the ATPX\ndGPU power down method is not present, but it actually\napparently is.  I\u0027m not sure if this is a bios bug and it should\nbe set or if there is a reason it was unset and the method should\nnot be used.  This is not an issue on other OSes since both the\nATPX and the manual driver power down methods are supported.\n\nThis is apparently fairly widespread, so just revert for now.\n\nbugs:\nhttps://bugzilla.kernel.org/show_bug.cgi?id\u003d115321\nhttps://bugzilla.kernel.org/show_bug.cgi?id\u003d116581\nhttps://bugzilla.kernel.org/show_bug.cgi?id\u003d116251\n\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nfutex: Handle unlock_pi race gracefully\n\n[ Upstream commit 89e9e66ba1b3bde9d8ea90566c2aee20697ad681 ]\n\nIf userspace calls UNLOCK_PI unconditionally without trying the TID -\u003e 0\ntransition in user space first then the user space value might not have the\nwaiters bit set. This opens the following race:\n\nCPU0\t    \t      \t    CPU1\nuval \u003d get_user(futex)\n\t\t\t    lock(hb)\nlock(hb)\n\t\t\t    futex |\u003d FUTEX_WAITERS\n\t\t\t    ....\n\t\t\t    unlock(hb)\n\ncmpxchg(futex, uval, newval)\n\nSo the cmpxchg fails and returns -EINVAL to user space, which is wrong because\nthe futex value is valid.\n\nTo handle this (yes, yet another) corner case gracefully, check for a flag\nchange and retry.\n\n[ tglx: Massaged changelog and slightly reworked implementation ]\n\nFixes: ccf9e6a80d9e (\"futex: Make unlock_pi more robust\")\nSigned-off-by: Sebastian Andrzej Siewior \u003cbigeasy@linutronix.de\u003e\nCc: stable@vger.kernel.org\nCc: Davidlohr Bueso \u003cdave@stgolabs.net\u003e\nCc: Darren Hart \u003cdvhart@linux.intel.com\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nLink: http://lkml.kernel.org/r/1460723739-5195-1-git-send-email-bigeasy@linutronix.de\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nALSA: pcxhr: Fix missing mutex unlock\n\n[ Upstream commit 67f3754b51f22b18c4820fb84062f658c30e8644 ]\n\nThe commit [9bef72bdb26e: ALSA: pcxhr: Use nonatomic PCM ops]\nconverted to non-atomic PCM ops, but shamelessly with an unbalanced\nmutex locking, which leads to the hangup easily.  Fix it.\n\nFixes: 9bef72bdb26e (\u0027ALSA: pcxhr: Use nonatomic PCM ops\u0027)\nBugzilla: https://bugzilla.kernel.org/show_bug.cgi?id\u003d116441\nCc: \u003cstable@vger.kernel.org\u003e # 3.18+\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/radeon: forbid mapping of userptr bo through radeon device file\n\n[ Upstream commit b5dcec693f87cb8475f2291c0075b2422addd3d6 ]\n\nAllowing userptr bo which are basicly a list of page from some vma\n(so either anonymous page or file backed page) would lead to serious\ncorruption of kernel structures and counters (because we overwrite\nthe page-\u003emapping field when mapping buffer).\n\nThis will already block if the buffer was populated before anyone does\ntry to mmap it because then TTM_PAGE_FLAG_SG would be set in in the\nttm_tt flags. But that flag is check before ttm_tt_populate in the ttm\nvm fault handler.\n\nSo to be safe just add a check to verify_access() callback.\n\nReviewed-by: Christian König \u003cchristian.koenig@amd.com\u003e\nSigned-off-by: Jérôme Glisse \u003cjglisse@redhat.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Alex Deucher \u003calexander.deucher@amd.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm: Loongson-3 doesn\u0027t fully support wc memory\n\n[ Upstream commit 221004c66a58949a0f25c937a6789c0839feb530 ]\n\nSigned-off-by: Huacai Chen \u003cchenhc@lemote.com\u003e\nCc: stable@vger.kernel.org\nReviewed-by: Alex Deucher \u003calexander.deucher@amd.com\u003e\nSigned-off-by: Dave Airlie \u003cairlied@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmm: hugetlb: allow hugepages_supported to be architecture specific\n\n[ Upstream commit 2531c8cf56a640cd7d17057df8484e570716a450 ]\n\ns390 has a constant hugepage size, by setting HPAGE_SHIFT we also change\ne.g. the pageblock_order, which should be independent in respect to\nhugepage support.\n\nWith this patch every architecture is free to define how to check\nfor hugepage support.\n\nSigned-off-by: Dominik Dingel \u003cdingel@linux.vnet.ibm.com\u003e\nAcked-by: Martin Schwidefsky \u003cschwidefsky@de.ibm.com\u003e\nCc: Heiko Carstens \u003cheiko.carstens@de.ibm.com\u003e\nCc: Christian Borntraeger \u003cborntraeger@de.ibm.com\u003e\nCc: Michael Holzheu \u003cholzheu@linux.vnet.ibm.com\u003e\nCc: Gerald Schaefer \u003cgerald.schaefer@de.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ns390/hugetlb: add hugepages_supported define\n\n[ Upstream commit 7f9be77555bb2e52de84e9dddf7b4eb20cc6e171 ]\n\nOn s390 we only can enable hugepages if the underlying hardware/hypervisor\nalso does support this.  Common code now would assume this to be\nsignaled by setting HPAGE_SHIFT to 0.  But on s390, where we only\nsupport one hugepage size, there is a link between HPAGE_SHIFT and\npageblock_order.\n\nSo instead of setting HPAGE_SHIFT to 0, we will implement the check for\nthe hardware capability.\n\nSigned-off-by: Dominik Dingel \u003cdingel@linux.vnet.ibm.com\u003e\nAcked-by: Martin Schwidefsky \u003cschwidefsky@de.ibm.com\u003e\nCc: Heiko Carstens \u003cheiko.carstens@de.ibm.com\u003e\nCc: Christian Borntraeger \u003cborntraeger@de.ibm.com\u003e\nCc: Michael Holzheu \u003cholzheu@linux.vnet.ibm.com\u003e\nCc: Gerald Schaefer \u003cgerald.schaefer@de.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nx86/mm/xen: Suppress hugetlbfs in PV guests\n\n[ Upstream commit 103f6112f253017d7062cd74d17f4a514ed4485c ]\n\nHuge pages are not normally available to PV guests. Not suppressing\nhugetlbfs use results in an endless loop of page faults when user mode\ncode tries to access a hugetlbfs mapped area (since the hypervisor\ndenies such PTEs to be created, but error indications can\u0027t be\npropagated out of xen_set_pte_at(), just like for various of its\nsiblings), and - once killed in an oops like this:\n\n  kernel BUG at .../fs/hugetlbfs/inode.c:428!\n  invalid opcode: 0000 [#1] SMP\n  ...\n  RIP: e030:[\u003cffffffff811c333b\u003e]  [\u003cffffffff811c333b\u003e] remove_inode_hugepages+0x25b/0x320\n  ...\n  Call Trace:\n   [\u003cffffffff811c3415\u003e] hugetlbfs_evict_inode+0x15/0x40\n   [\u003cffffffff81167b3d\u003e] evict+0xbd/0x1b0\n   [\u003cffffffff8116514a\u003e] __dentry_kill+0x19a/0x1f0\n   [\u003cffffffff81165b0e\u003e] dput+0x1fe/0x220\n   [\u003cffffffff81150535\u003e] __fput+0x155/0x200\n   [\u003cffffffff81079fc0\u003e] task_work_run+0x60/0xa0\n   [\u003cffffffff81063510\u003e] do_exit+0x160/0x400\n   [\u003cffffffff810637eb\u003e] do_group_exit+0x3b/0xa0\n   [\u003cffffffff8106e8bd\u003e] get_signal+0x1ed/0x470\n   [\u003cffffffff8100f854\u003e] do_signal+0x14/0x110\n   [\u003cffffffff810030e9\u003e] prepare_exit_to_usermode+0xe9/0xf0\n   [\u003cffffffff814178a5\u003e] retint_user+0x8/0x13\n\nThis is CVE-2016-3961 / XSA-174.\n\nReported-by: Vitaly Kuznetsov \u003cvkuznets@redhat.com\u003e\nSigned-off-by: Jan Beulich \u003cjbeulich@suse.com\u003e\nCc: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nCc: Andy Lutomirski \u003cluto@amacapital.net\u003e\nCc: Boris Ostrovsky \u003cboris.ostrovsky@oracle.com\u003e\nCc: Borislav Petkov \u003cbp@alien8.de\u003e\nCc: Brian Gerst \u003cbrgerst@gmail.com\u003e\nCc: David Vrabel \u003cdavid.vrabel@citrix.com\u003e\nCc: Denys Vlasenko \u003cdvlasenk@redhat.com\u003e\nCc: H. Peter Anvin \u003chpa@zytor.com\u003e\nCc: Juergen Gross \u003cJGross@suse.com\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Luis R. Rodriguez \u003cmcgrof@suse.com\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Toshi Kani \u003ctoshi.kani@hp.com\u003e\nCc: stable@vger.kernel.org\nCc: xen-devel \u003cxen-devel@lists.xenproject.org\u003e\nLink: http://lkml.kernel.org/r/57188ED802000078000E431C@prv-mh.provo.novell.com\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nx86 EDAC, sb_edac.c: Repair damage introduced when \"fixing\" channel address\n\n[ Upstream commit ff15e95c82768d589957dbb17d7eb7dba7904659 ]\n\nIn commit:\n\n  eb1af3b71f9d (\"Fix computation of channel address\")\n\nI switched the \"sck_way\" variable from holding the log2 value read\nfrom the h/w to instead be the actual number. Unfortunately it\nis needed in log2 form when used to shift the address.\n\nTested-by: Patrick Geary \u003cpatrickg@supermicro.com\u003e\nSigned-off-by: Tony Luck \u003ctony.luck@intel.com\u003e\nAcked-by: Mauro Carvalho Chehab \u003cmchehab@osg.samsung.com\u003e\nCc: Aristeu Rozanski \u003carozansk@redhat.com\u003e\nCc: Borislav Petkov \u003cbp@alien8.de\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: linux-edac@vger.kernel.org\nCc: stable@vger.kernel.org\nFixes: eb1af3b71f9d (\"Fix computation of channel address\")\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nLinux 3.18.33\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nPhoenix591: minor reshuffle to fix merge conflict\nRevert \"usb: hub: do not clear BOS field during reset device\"\n\nThis reverts commit f9b3d78ac42bda9cd30e4c6d0149dba7067c402c.\n\nTony writes:\n\nThis upstream commit is causing an oops:\nd8f00cd685f5 (\"usb: hub: do not clear BOS field during reset device\")\n\nThis patch has already been included in several -stable kernels.  Here\nare the affected kernels:\n4.5.0-rc4 (current git)\n4.4.2\n4.3.6 (currently in review)\n4.1.18\n3.18.27\n3.14.61\n\nHow to reproduce the problem:\nBoot kernel with slub debugging enabled (otherwise memory corruption\nwill cause random oopses later instead of immediately)\nPlug in USB 3.0 disk to xhci USB 3.0 port\ndd if\u003d/dev/sdc of\u003d/dev/null bs\u003d65536\n(where /dev/sdc is the USB 3.0 disk)\nUnplug USB cable while dd is still going\nOops is immediate:\n\nReported-by: Tony Battersby \u003ctonyb@cybernetics.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ntimers: Use proper base migration in add_timer_on()\n\n[ Upstream commit 22b886dd1018093920c4250dee2a9a3cb7cff7b8 ]\n\nRegardless of the previous CPU a timer was on, add_timer_on()\ncurrently simply sets timer-\u003eflags to the new CPU.  As the caller must\nbe seeing the timer as idle, this is locally fine, but the timer\nleaving the old base while unlocked can lead to race conditions as\nfollows.\n\nLet\u0027s say timer was on cpu 0.\n\n  cpu 0\t\t\t\t\tcpu 1\n  -----------------------------------------------------------------------------\n  del_timer(timer) succeeds\n\t\t\t\t\tdel_timer(timer)\n\t\t\t\t\t  lock_timer_base(timer) locks cpu_0_base\n  add_timer_on(timer, 1)\n    spin_lock(\u0026cpu_1_base-\u003elock)\n    timer-\u003eflags set to cpu_1_base\n    operates on @timer\t\t\t  operates on @timer\n\nThis triggered with mod_delayed_work_on() which contains\n\"if (del_timer()) add_timer_on()\" sequence eventually leading to the\nfollowing oops.\n\n  BUG: unable to handle kernel NULL pointer dereference at           (null)\n  IP: [\u003cffffffff810ca6e9\u003e] detach_if_pending+0x69/0x1a0\n  ...\n  Workqueue: wqthrash wqthrash_workfunc [wqthrash]\n  task: ffff8800172ca680 ti: ffff8800172d0000 task.ti: ffff8800172d0000\n  RIP: 0010:[\u003cffffffff810ca6e9\u003e]  [\u003cffffffff810ca6e9\u003e] detach_if_pending+0x69/0x1a0\n  ...\n  Call Trace:\n   [\u003cffffffff810cb0b4\u003e] del_timer+0x44/0x60\n   [\u003cffffffff8106e836\u003e] try_to_grab_pending+0xb6/0x160\n   [\u003cffffffff8106e913\u003e] mod_delayed_work_on+0x33/0x80\n   [\u003cffffffffa0000081\u003e] wqthrash_workfunc+0x61/0x90 [wqthrash]\n   [\u003cffffffff8106dba8\u003e] process_one_work+0x1e8/0x650\n   [\u003cffffffff8106e05e\u003e] worker_thread+0x4e/0x450\n   [\u003cffffffff810746af\u003e] kthread+0xef/0x110\n   [\u003cffffffff8185980f\u003e] ret_from_fork+0x3f/0x70\n\nFix it by updating add_timer_on() to perform proper migration as\n__mod_timer() does.\n\nReported-and-tested-by: Jeff Layton \u003cjlayton@poochiereds.net\u003e\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nCc: Chris Worley \u003cchris.worley@primarydata.com\u003e\nCc: bfields@fieldses.org\nCc: Michael Skralivetsky \u003cmichael.skralivetsky@primarydata.com\u003e\nCc: Trond Myklebust \u003ctrond.myklebust@primarydata.com\u003e\nCc: Shaohua Li \u003cshli@fb.com\u003e\nCc: Jeff Layton \u003cjlayton@poochiereds.net\u003e\nCc: kernel-team@fb.com\nCc: stable@vger.kernel.org\nLink: http://lkml.kernel.org/r/20151029103113.2f893924@tlielax.poochiereds.net\nLink: http://lkml.kernel.org/r/20151104171533.GI5749@mtj.duckdns.org\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Konstantin Khlebnikov \u003ckhlebnikov@yandex-team.ru\u003e ( backport for 3.18 )\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nASoC: rt5640: Correct the digital interface data select\n\n[ Upstream commit 653aa4645244042826f105aab1be3d01b3d493ca ]\n\nthis patch corrects the interface adc/dac control register definition\naccording to datasheet.\n\nSigned-off-by: Sugar Zhang \u003csugar.zhang@rock-chips.com\u003e\nSigned-off-by: Mark Brown \u003cbroonie@kernel.org\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nregulator: s2mps11: Fix invalid selector mask and voltages for buck9\n\n[ Upstream commit 3b672623079bb3e5685b8549e514f2dfaa564406 ]\n\nThe buck9 regulator of S2MPS11 PMIC had incorrect vsel_mask (0xff\ninstead of 0x1f) thus reading entire register as buck9\u0027s voltage. This\neffectively caused regulator core to interpret values as higher voltages\nthan they were and then to set real voltage much lower than intended.\n\nThe buck9 provides power to other regulators, including LDO13\nand LDO19 which supply the MMC2 (SD card). On Odroid XU3/XU4 the lower\nvoltage caused SD card detection errors on Odroid XU3/XU4:\n\tmmc1: card never left busy state\n\tmmc1: error -110 whilst initialising SD card\n\nDuring driver probe the regulator core was checking whether initial\nvoltage matches the constraints. With incorrect vsel_mask of 0xff and\ndefault value of 0x50, the core interpreted this as 5 V which is outside\nof constraints (3-3.775 V). Then the regulator core was adjusting the\nvoltage to match the constraints. With incorrect vsel_mask this new\nvoltage mapped to a vere low voltage in the driver.\n\nSigned-off-by: Krzysztof Kozlowski \u003ck.kozlowski@samsung.com\u003e\nReviewed-by: Javier Martinez Canillas \u003cjavier@osg.samsung.com\u003e\nTested-by: Javier Martinez Canillas \u003cjavier@osg.samsung.com\u003e\nSigned-off-by: Mark Brown \u003cbroonie@kernel.org\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nlibahci: save port map for forced port map\n\n[ Upstream commit 2fd0f46cb1b82587c7ae4a616d69057fb9bd0af7 ]\n\nIn usecases where force_port_map is used saved_port_map is never set,\nresulting in not programming the PORTS_IMPL register as part of initial\nconfig. This patch fixes this by setting it to port_map even in case\nwhere force_port_map is used, making it more inline with other parts of\nthe code.\n\nFixes: 566d1827df2e (\"libata: disable forced PORTS_IMPL for \u003e\u003d AHCI 1.3\")\nCc: stable@vger.kernel.org # v4.5+\nSigned-off-by: Srinivas Kandagatla \u003csrinivas.kandagatla@linaro.org\u003e\nAcked-by: Tejun Heo \u003ctj@kernel.org\u003e\nReviewed-by: Andy Gross \u003candy.gross@linaro.org\u003e\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nata: ahci-platform: Add ports-implemented DT bindings.\n\n[ Upstream commit 17dcc37e3e847bc0e67a5b1ec52471fcc6c18682 ]\n\nOn some SOCs PORTS_IMPL register value is never programmed by the\nfirmware and left at zero value. Which means that no sata ports are\navailable for software. AHCI driver used to cope up with this by\nfabricating the port_map if the PORTS_IMPL register is read zero,\nbut recent patch broke this workaround as zero value was valid for\nNVMe disks.\n\nThis patch adds ports-implemented DT bindings as workaround for this issue\nin a way that DT can can override the PORTS_IMPL register in cases where\nthe firmware did not program it already.\n\nFixes: 566d1827df2e (\"libata: disable forced PORTS_IMPL for \u003e\u003d AHCI 1.3\")\nCc: stable@vger.kernel.org # v4.5+\nSigned-off-by: Srinivas Kandagatla \u003csrinivas.kandagatla@linaro.org\u003e\nAcked-by: Tejun Heo \u003ctj@kernel.org\u003e\nReviewed-by: Andy Gross \u003candy.gross@linaro.org\u003e\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nregmap: spmi: Fix regmap_spmi_ext_read in multi-byte case\n\n[ Upstream commit dec8e8f6e6504aa3496c0f7cc10c756bb0e10f44 ]\n\nSpecifically for the case of reads that use the Extended Register\nRead Long command, a multi-byte read operation is broken up into\n8-byte chunks.  However the call to spmi_ext_register_readl() is\nincorrectly passing \u0027val_size\u0027, which if greater than 8 will\nalways fail.  The argument should instead be \u0027len\u0027.\n\nFixes: c9afbb05a9ff (\"regmap: spmi: support base and extended register spaces\")\nSigned-off-by: Jack Pham \u003cjackp@codeaurora.org\u003e\nSigned-off-by: Mark Brown \u003cbroonie@kernel.org\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\niio: ak8975: Fix NULL pointer exception on early interrupt\n\n[ Upstream commit 07d2390e36ee5b3265e9cc8305f2a106c8721e16 ]\n\nIn certain probe conditions the interrupt came right after registering\nthe handler causing a NULL pointer exception because of uninitialized\nwaitqueue:\n\n$ udevadm trigger\ni2c-gpio i2c-gpio-1: using pins 143 (SDA) and 144 (SCL)\ni2c-gpio i2c-gpio-3: using pins 53 (SDA) and 52 (SCL)\nUnable to handle kernel NULL pointer dereference at virtual address 00000000\npgd \u003d e8b38000\n[00000000] *pgd\u003d00000000\nInternal error: Oops: 5 [#1] SMP ARM\nModules linked in: snd_soc_i2s(+) i2c_gpio(+) snd_soc_idma snd_soc_s3c_dma snd_soc_core snd_pcm_dmaengine snd_pcm snd_timer snd soundcore ac97_bus spi_s3c64xx pwm_samsung dwc2 exynos_adc phy_exynos_usb2 exynosdrm exynos_rng rng_core rtc_s3c\nCPU: 0 PID: 717 Comm: data-provider-m Not tainted 4.6.0-rc1-next-20160401-00011-g1b8d87473b9e-dirty #101\nHardware name: SAMSUNG EXYNOS (Flattened Device Tree)\n(...)\n(__wake_up_common) from [\u003cc0379624\u003e] (__wake_up+0x38/0x4c)\n(__wake_up) from [\u003cc0a41d30\u003e] (ak8975_irq_handler+0x28/0x30)\n(ak8975_irq_handler) from [\u003cc0386720\u003e] (handle_irq_event_percpu+0x88/0x140)\n(handle_irq_event_percpu) from [\u003cc038681c\u003e] (handle_irq_event+0x44/0x68)\n(handle_irq_event) from [\u003cc0389c40\u003e] (handle_edge_irq+0xf0/0x19c)\n(handle_edge_irq) from [\u003cc0385e04\u003e] (generic_handle_irq+0x24/0x34)\n(generic_handle_irq) from [\u003cc05ee360\u003e] (exynos_eint_gpio_irq+0x50/0x68)\n(exynos_eint_gpio_irq) from [\u003cc0386720\u003e] (handle_irq_event_percpu+0x88/0x140)\n(handle_irq_event_percpu) from [\u003cc038681c\u003e] (handle_irq_event+0x44/0x68)\n(handle_irq_event) from [\u003cc0389a70\u003e] (handle_fasteoi_irq+0xb4/0x194)\n(handle_fasteoi_irq) from [\u003cc0385e04\u003e] (generic_handle_irq+0x24/0x34)\n(generic_handle_irq) from [\u003cc03860b4\u003e] (__handle_domain_irq+0x5c/0xb4)\n(__handle_domain_irq) from [\u003cc0301774\u003e] (gic_handle_irq+0x54/0x94)\n(gic_handle_irq) from [\u003cc030c910\u003e] (__irq_usr+0x50/0x80)\n\nThe bug was reproduced on exynos4412-trats2 (with a max77693 device also\nusing i2c-gpio) after building max77693 as a module.\n\nCc: \u003cstable@vger.kernel.org\u003e\nFixes: 94a6d5cf7caa (\"iio:ak8975 Implement data ready interrupt handling\")\nSigned-off-by: Krzysztof Kozlowski \u003ck.kozlowski@samsung.com\u003e\nTested-by: Gregor Boirie \u003cgregor.boirie@parrot.com\u003e\nSigned-off-by: Jonathan Cameron \u003cjic23@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nefi: Fix out-of-bounds read in variable_matches()\n\n[ Upstream commit 630ba0cc7a6dbafbdee43795617c872b35cde1b4 ]\n\nThe variable_matches() function can currently read \"var_name[len]\", for\nexample when:\n\n - var_name[0] \u003d\u003d \u0027a\u0027,\n - len \u003d\u003d 1\n - match_name points to the NUL-terminated string \"ab\".\n\nThis function is supposed to accept \"var_name\" inputs that are not\nNUL-terminated (hence the \"len\" parameter\"). Document the function, and\naccess \"var_name[*match]\" only if \"*match\" is smaller than \"len\".\n\nReported-by: Chris Wilson \u003cchris@chris-wilson.co.uk\u003e\nSigned-off-by: Laszlo Ersek \u003clersek@redhat.com\u003e\nCc: Peter Jones \u003cpjones@redhat.com\u003e\nCc: Matthew Garrett \u003cmjg59@coreos.com\u003e\nCc: Jason Andryuk \u003cjandryuk@gmail.com\u003e\nCc: Jani Nikula \u003cjani.nikula@linux.intel.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e # v3.10+\nLink: http://thread.gmane.org/gmane.comp.freedesktop.xorg.drivers.intel/86906\nSigned-off-by: Matt Fleming \u003cmatt@codeblueprint.co.uk\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUSB: serial: cp210x: add ID for Link ECU\n\n[ Upstream commit 1d377f4d690637a0121eac8701f84a0aa1e69a69 ]\n\nThe Link ECU is an aftermarket ECU computer for vehicles that provides\nfull tuning abilities as well as datalogging and displaying capabilities\nvia the USB to Serial adapter built into the device.\n\nSigned-off-by: Mike Manning \u003cmichael@bsch.com.au\u003e\nCc: stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUSB: serial: cp210x: add Straizona Focusers device ids\n\n[ Upstream commit 613ac23a46e10d4d4339febdd534fafadd68e059 ]\n\nAdding VID:PID for Straizona Focusers to cp210x driver.\n\nSigned-off-by: Jasem Mutlaq \u003cmutlaqja@ikarustech.com\u003e\nCc: stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\n[media] v4l2-dv-timings.h: fix polarity for 4k formats\n\n[ Upstream commit 3020ca711871fdaf0c15c8bab677a6bc302e28fe ]\n\nThe VSync polarity was negative instead of positive for the 4k CEA formats.\nI probably copy-and-pasted these from the DMT 4k format, which does have a\nnegative VSync polarity.\n\nSigned-off-by: Hans Verkuil \u003chans.verkuil@cisco.com\u003e\nReported-by: Martin Bugge \u003cmarbugge@cisco.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e      # for v4.1 and up\nSigned-off-by: Mauro Carvalho Chehab \u003cmchehab@osg.samsung.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nMD: make bio mergeable\n\n[ Upstream commit 9c573de3283af007ea11c17bde1e4568d9417328 ]\n\nblk_queue_split marks bio unmergeable, which makes sense for normal bio.\nBut if dispatching the bio to underlayer disk, the blk_queue_split\nchecks are invalid, hence it\u0027s possible the bio becomes mergeable.\n\nIn the reported bug, this bug causes trim against raid0 performance slash\nhttps://bugzilla.kernel.org/show_bug.cgi?id\u003d117051\n\nReported-and-tested-by: Park Ju Hyung \u003cqkrwngud825@gmail.com\u003e\nFixes: 6ac45aeb6bca(block: avoid to merge splitted bio)\nCc: stable@vger.kernel.org (v4.3+)\nCc: Ming Lei \u003cming.lei@canonical.com\u003e\nCc: Neil Brown \u003cneilb@suse.de\u003e\nReviewed-by: Jens Axboe \u003caxboe@fb.com\u003e\nSigned-off-by: Shaohua Li \u003cshli@fb.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nALSA: hda - Add dock support for ThinkPad X260\n\n[ Upstream commit 037e119738120c1cdc460c6ae33871c3000531f3 ]\n\nFixes audio output on a ThinkPad X260, when using Lenovo CES 2013\ndocking station series (basic, pro, ultra).\n\nSigned-off-by: Conrad Kostecki \u003cck+linuxkernel@bl4ckb0x.de\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nworkqueue: fix ghost PENDING flag while doing MQ IO\n\n[ Upstream commit 346c09f80459a3ad97df1816d6d606169a51001a ]\n\nThe bug in a workqueue leads to a stalled IO request in MQ ctx-\u003erq_list\nwith the following backtrace:\n\n[  601.347452] INFO: task kworker/u129:5:1636 blocked for more than 120 seconds.\n[  601.347574]       Tainted: G           O    4.4.5-1-storage+ #6\n[  601.347651] \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[  601.348142] kworker/u129:5  D ffff880803077988     0  1636      2 0x00000000\n[  601.348519] Workqueue: ibnbd_server_fileio_wq ibnbd_dev_file_submit_io_worker [ibnbd_server]\n[  601.348999]  ffff880803077988 ffff88080466b900 ffff8808033f9c80 ffff880803078000\n[  601.349662]  ffff880807c95000 7fffffffffffffff ffffffff815b0920 ffff880803077ad0\n[  601.350333]  ffff8808030779a0 ffffffff815b01d5 0000000000000000 ffff880803077a38\n[  601.350965] Call Trace:\n[  601.351203]  [\u003cffffffff815b0920\u003e] ? bit_wait+0x60/0x60\n[  601.351444]  [\u003cffffffff815b01d5\u003e] schedule+0x35/0x80\n[  601.351709]  [\u003cffffffff815b2dd2\u003e] schedule_timeout+0x192/0x230\n[  601.351958]  [\u003cffffffff812d43f7\u003e] ? blk_flush_plug_list+0xc7/0x220\n[  601.352208]  [\u003cffffffff810bd737\u003e] ? ktime_get+0x37/0xa0\n[  601.352446]  [\u003cffffffff815b0920\u003e] ? bit_wait+0x60/0x60\n[  601.352688]  [\u003cffffffff815af784\u003e] io_schedule_timeout+0xa4/0x110\n[  601.352951]  [\u003cffffffff815b3a4e\u003e] ? _raw_spin_unlock_irqrestore+0xe/0x10\n[  601.353196]  [\u003cffffffff815b093b\u003e] bit_wait_io+0x1b/0x70\n[  601.353440]  [\u003cffffffff815b056d\u003e] __wait_on_bit+0x5d/0x90\n[  601.353689]  [\u003cffffffff81127bd0\u003e] wait_on_page_bit+0xc0/0xd0\n[  601.353958]  [\u003cffffffff81096db0\u003e] ? autoremove_wake_function+0x40/0x40\n[  601.354200]  [\u003cffffffff81127cc4\u003e] __filemap_fdatawait_range+0xe4/0x140\n[  601.354441]  [\u003cffffffff81127d34\u003e] filemap_fdatawait_range+0x14/0x30\n[  601.354688]  [\u003cffffffff81129a9f\u003e] filemap_write_and_wait_range+0x3f/0x70\n[  601.354932]  [\u003cffffffff811ced3b\u003e] blkdev_fsync+0x1b/0x50\n[  601.355193]  [\u003cffffffff811c82d9\u003e] vfs_fsync_range+0x49/0xa0\n[  601.355432]  [\u003cffffffff811cf45a\u003e] blkdev_write_iter+0xca/0x100\n[  601.355679]  [\u003cffffffff81197b1a\u003e] __vfs_write+0xaa/0xe0\n[  601.355925]  [\u003cffffffff81198379\u003e] vfs_write+0xa9/0x1a0\n[  601.356164]  [\u003cffffffff811c59d8\u003e] kernel_write+0x38/0x50\n\nThe underlying device is a null_blk, with default parameters:\n\n  queue_mode    \u003d MQ\n  submit_queues \u003d 1\n\nVerification that nullb0 has something inflight:\n\nroot@pserver8:~# cat /sys/block/nullb0/inflight\n       0        1\nroot@pserver8:~# find /sys/block/nullb0/mq/0/cpu* -name rq_list -print -exec cat {} \\;\n...\n/sys/block/nullb0/mq/0/cpu2/rq_list\nCTX pending:\n        ffff8838038e2400\n...\n\nDuring debug it became clear that stalled request is always inserted in\nthe rq_list from the following path:\n\n   save_stack_trace_tsk + 34\n   blk_mq_insert_requests + 231\n   blk_mq_flush_plug_list + 281\n   blk_flush_plug_list + 199\n   wait_on_page_bit + 192\n   __filemap_fdatawait_range + 228\n   filemap_fdatawait_range + 20\n   filemap_write_and_wait_range + 63\n   blkdev_fsync + 27\n   vfs_fsync_range + 73\n   blkdev_write_iter + 202\n   __vfs_write + 170\n   vfs_write + 169\n   kernel_write + 56\n\nSo blk_flush_plug_list() was called with from_schedule \u003d\u003d true.\n\nIf from_schedule is true, that means that finally blk_mq_insert_requests()\noffloads execution of __blk_mq_run_hw_queue() and uses kblockd workqueue,\ni.e. it calls kblockd_schedule_delayed_work_on().\n\nThat means, that we race with another CPU, which is about to execute\n__blk_mq_run_hw_queue() work.\n\nFurther debugging shows the following traces from different CPUs:\n\n  CPU#0                                  CPU#1\n  ----------------------------------     -------------------------------\n  reqeust A inserted\n  STORE hctx-\u003ectx_map[0] bit marked\n  kblockd_schedule...() returns 1\n  \u003cschedule to kblockd workqueue\u003e\n                                         request B inserted\n                                         STORE hctx-\u003ectx_map[1] bit marked\n                                         kblockd_schedule...() returns 0\n  *** WORK PENDING bit is cleared ***\n  flush_busy_ctxs() is executed, but\n  bit 1, set by CPU#1, is not observed\n\nAs a result request B pended forever.\n\nThis behaviour can be explained by speculative LOAD of hctx-\u003ectx_map on\nCPU#0, which is reordered with clear of PENDING bit and executed _before_\nactual STORE of bit 1 on CPU#1.\n\nThe proper fix is an explicit full barrier \u003cmfence\u003e, which guarantees\nthat clear of PENDING bit is to be executed before all possible\nspeculative LOADS or STORES inside actual work function.\n\nSigned-off-by: Roman Pen \u003croman.penyaev@profitbricks.com\u003e\nCc: Gioh Kim \u003cgi-oh.kim@profitbricks.com\u003e\nCc: Michael Wang \u003cyun.wang@profitbricks.com\u003e\nCc: Tejun Heo \u003ctj@kernel.org\u003e\nCc: Jens Axboe \u003caxboe@kernel.dk\u003e\nCc: linux-block@vger.kernel.org\nCc: linux-kernel@vger.kernel.org\nCc: stable@vger.kernel.org\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/dp/mst: Get validated port ref in drm_dp_update_payload_part1()\n\n[ Upstream commit 263efde31f97c498e1ebad30e4d2906609d7ad6b ]\n\nWe can thank KASAN for finding this, otherwise I probably would have spent\nhours on it. This fixes a somewhat harder to trigger kernel panic, occuring\nwhile enabling MST where the port we were currently updating the payload on\nwould have all of it\u0027s refs dropped before we finished what we were doing:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nBUG: KASAN: use-after-free in drm_dp_update_payload_part1+0xb3f/0xdb0 [drm_kms_helper] at addr ffff8800d29de018\nRead of size 4 by task Xorg/973\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nBUG kmalloc-2048 (Tainted: G    B   W      ): kasan: bad access detected\n-----------------------------------------------------------------------------\n\nINFO: Allocated in drm_dp_add_port+0x1aa/0x1ed0 [drm_kms_helper] age\u003d16477 cpu\u003d0 pid\u003d2175\n\t___slab_alloc+0x472/0x490\n\t__slab_alloc+0x20/0x40\n\tkmem_cache_alloc_trace+0x151/0x190\n\tdrm_dp_add_port+0x1aa/0x1ed0 [drm_kms_helper]\n\tdrm_dp_send_link_address+0x526/0x960 [drm_kms_helper]\n\tdrm_dp_check_and_send_link_address+0x1ac/0x210 [drm_kms_helper]\n\tdrm_dp_mst_link_probe_work+0x77/0xd0 [drm_kms_helper]\n\tprocess_one_work+0x562/0x1350\n\tworker_thread+0xd9/0x1390\n\tkthread+0x1c5/0x260\n\tret_from_fork+0x22/0x40\nINFO: Freed in drm_dp_free_mst_port+0x50/0x60 [drm_kms_helper] age\u003d7521 cpu\u003d0 pid\u003d2175\n\t__slab_free+0x17f/0x2d0\n\tkfree+0x169/0x180\n\tdrm_dp_free_mst_port+0x50/0x60 [drm_kms_helper]\n\tdrm_dp_destroy_connector_work+0x2b8/0x490 [drm_kms_helper]\n\tprocess_one_work+0x562/0x1350\n\tworker_thread+0xd9/0x1390\n\tkthread+0x1c5/0x260\n\tret_from_fork+0x22/0x40\n\nwhich on this T460s, would eventually lead to kernel panics in somewhat\nrandom places later in intel_mst_enable_dp() if we got lucky enough.\n\nSigned-off-by: Lyude \u003ccpaul@redhat.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Dave Airlie \u003cairlied@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/dp/mst: Restore primary hub guid on resume\n\n[ Upstream commit 9dc0487d96a0396367a1451b31873482080b527f ]\n\nSome hubs are forgetful, and end up forgetting whatever GUID we set\npreviously after we do a suspend/resume cycle. This can lead to\nhotplugging breaking (along with probably other things) since the hub\nwill start sending connection notifications with the wrong GUID. As\nsuch, we need to check on resume whether or not the GUID the hub is\ngiving us is valid.\n\nSigned-off-by: Lyude \u003ccpaul@redhat.com\u003e\nReviewed-by: Harry Wentland \u003charry.wentland@amd.com\u003e\nSigned-off-by: Daniel Vetter \u003cdaniel.vetter@ffwll.ch\u003e\nLink: http://patchwork.freedesktop.org/patch/msgid/1460580618-7421-1-git-send-email-cpaul@redhat.com\nCc: stable@vger.kernel.org\nSigned-off-by: Dave Airlie \u003cairlied@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ncxl: Keep IRQ mappings on context teardown\n\n[ Upstream commit d6776bba44d9752f6cdf640046070e71ee4bba7b ]\n\nKeep IRQ mappings on context teardown.  This won\u0027t leak IRQs as if we\nallocate the mapping again, the generic code will give the same\nmapping used last time.\n\nDoing this works around a race in the generic code. Masking the\ninterrupt introduces a race which can crash the kernel or result in\nIRQ that is never EOIed. The lost of EOI results in all subsequent\nmappings to the same HW IRQ never receiving an interrupt.\n\nWe\u0027ve seen this race with cxl test cases which are doing heavy context\nstartup and teardown at the same time as heavy interrupt load.\n\nA fix to the generic code is being investigated also.\n\nSigned-off-by: Michael Neuling \u003cmikey@neuling.org\u003e\nCc: stable@vger.kernel.org # 3.8\nTested-by: Andrew Donnellan \u003candrew.donnellan@au1.ibm.com\u003e\nAcked-by: Ian Munsie \u003cimunsie@au1.ibm.com\u003e\nTested-by: Vaibhav Jain \u003cvaibhav@linux.vnet.ibm.com\u003e\nSigned-off-by: Michael Ellerman \u003cmpe@ellerman.id.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/i915: Read out the power sequencer port assignment on resume on vlv/chv\n\n[ Upstream commit 49e6bc51bc9e22c8a433ba32a4e45a5818de3850 ]\n\nWhen we suspend we turn everything off so the pps should be idle, and we\nalso (or at least should) disable all power wells which will reset the\npower sequencer port assignment. So when we resume all power sequencers\nshould be in their reset state. However it\u0027s at least theoretically\npossible that the BIOS would touch the power seuqencer(s), so to be safe\nwe ought to read out the current port assignment like we do at driver\ninit time.\n\nTo do that we can simply call vlv_initial_power_sequencer_setup() from\nthe encoder -\u003ereset() hook before calling intel_edp_panel_vdd_sanitize().\nThere\u0027s no danger or clobbering the pps delays since we now have those\nstored within intel_dp and we don\u0027t change them once initialized.\n\nThis will make sure that the vdd state gets correctly tracked post-resume\nin case the BIOS enabled it.\n\nWe need to shuffle things around a bit to get the locking right, and\nwhile at it, make intel_edp_panel_vdd_sanitize() static and move it\naround a bit to avoid a forward declaration.\n\nCc: Imre Deak \u003cimre.deak@intel.com\u003e\nSigned-off-by: Ville Syrjälä \u003cville.syrjala@linux.intel.com\u003e\nReviewed-by: Imre Deak \u003cimre.deak@intel.com\u003e\nSigned-off-by: Daniel Vetter \u003cdaniel.vetter@ffwll.ch\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/i915/ddi: Fix eDP VDD handling during booting and suspend/resume\n\n[ Upstream commit 5eaa60c7109b40f17ac81090bc8b90482da76cd1 ]\n\nThe driver\u0027s VDD on/off logic assumes that whenever the VDD is on we\nalso hold an AUX power domain reference. Since BIOS can leave the VDD on\nduring booting and resuming and on DDI platforms we won\u0027t take a\ncorresponding power reference, the above assumption won\u0027t hold on those\nplatforms and an eventual delayed VDD off work will do an extraneous AUX\npower domain put resulting in a refcount underflow. Fix this the same\nway we did this for non-DDI DP encoders:\n\ncommit 6d93c0c41760c0 (\"drm/i915: fix VDD state tracking after system\nresume\")\n\nAt the same time call the DP encoder suspend handler the same way as the\nnon-DDI DP encoders do to flush any pending VDD off work. Leaving the\nwork running may cause a HW access where we don\u0027t expect this (at a point\nwhere power domains are suspended already).\n\nWhile at it remove an unnecessary function call indirection.\n\nThis fixed for me AUX refcount underflow problems on BXT during\nsuspend/resume.\n\nCC: Ville Syrjälä \u003cville.syrjala@linux.intel.com\u003e\nCC: stable@vger.kernel.org\nSigned-off-by: Imre Deak \u003cimre.deak@intel.com\u003e\nReviewed-by: Ville Syrjälä \u003cville.syrjala@linux.intel.com\u003e\nLink: http://patchwork.freedesktop.org/patch/msgid/1460963062-13211-4-git-send-email-imre.deak@intel.com\n(cherry picked from commit bf93ba67e9c05882f05b7ca2d773cfc8bf462c2a)\nSigned-off-by: Jani Nikula \u003cjani.nikula@intel.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nARM: SoCFPGA: Fix secondary CPU startup in thumb2 kernel\n\n[ Upstream commit 5616f36713ea77f57ae908bf2fef641364403c9f ]\n\nThe secondary CPU starts up in ARM mode. When the kernel is compiled in\nthumb2 mode we have to explicitly compile the secondary startup\ntrampoline in ARM mode, otherwise the CPU will go to Nirvana.\n\nSigned-off-by: Sascha Hauer \u003cs.hauer@pengutronix.de\u003e\nReported-by: Steffen Trumtrar \u003cs.trumtrar@pengutronix.de\u003e\nSuggested-by: Ard Biesheuvel \u003card.biesheuvel@linaro.org\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Dinh Nguyen \u003cdinguyen@opensource.altera.com\u003e\nSigned-off-by: Kevin Hilman \u003ckhilman@baylibre.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nIB/security: Restrict use of the write() interface\n\n[ Upstream commit e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3 ]\n\nThe drivers/infiniband stack uses write() as a replacement for\nbi-directional ioctl().  This is not safe. There are ways to\ntrigger write calls that result in the return structure that\nis normally written to user space being shunted off to user\nspecified kernel memory instead.\n\nFor the immediate repair, detect and deny suspicious accesses to\nthe write API.\n\nFor long term, update the user space libraries and the kernel API\nto something that doesn\u0027t present the same security vulnerabilities\n(likely a structured ioctl() interface).\n\nThe impacted uAPI interfaces are generally only available if\nhardware from drivers/infiniband is installed in the system.\n\nReported-by: Jann Horn \u003cjann@thejh.net\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Jason Gunthorpe \u003cjgunthorpe@obsidianresearch.com\u003e\n[ Expanded check to all known write() entry points ]\nCc: stable@vger.kernel.org\nSigned-off-by: Doug Ledford \u003cdledford@redhat.com\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmm/huge_memory: replace VM_NO_THP VM_BUG_ON with actual VMA check\n\n[ Upstream commit 3486b85a29c1741db99d0c522211c82d2b7a56d0 ]\n\nKhugepaged detects own VMAs by checking vm_file and vm_ops but this way\nit cannot distinguish private /dev/zero mappings from other special\nmappings like /dev/hpet which has no vm_ops and popultes PTEs in mmap.\n\nThis fixes false-positive VM_BUG_ON and prevents installing THP where\nthey are not expected.\n\nLink: http://lkml.kernel.org/r/CACT4Y+ZmuZMV5CjSFOeXviwQdABAgT7T+StKfTqan9YDtgEi5g@mail.gmail.com\nFixes: 78f11a255749 (\"mm: thp: fix /dev/zero MAP_PRIVATE and vm_flags cleanups\")\nSigned-off-by: Konstantin Khlebnikov \u003ckoct9i@gmail.com\u003e\nReported-by: Dmitry Vyukov \u003cdvyukov@google.com\u003e\nAcked-by: Vlastimil Babka \u003cvbabka@suse.cz\u003e\nAcked-by: Kirill A. Shutemov \u003ckirill.shutemov@linux.intel.com\u003e\nCc: Dmitry Vyukov \u003cdvyukov@google.com\u003e\nCc: Andrea Arcangeli \u003caarcange@redhat.com\u003e\nCc: stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nALSA: usb-audio: Quirk for yet another Phoenix Audio devices (v2)\n\n[ Upstream commit 2d2c038a9999f423e820d89db2b5d7774b67ba49 ]\n\nPhoenix Audio MT202pcs (1de7:0114) and MT202exe (1de7:0013) need the\nsame workaround as TMX320 for avoiding the firmware bug.  It fixes the\nfrequent error about the sample rate inquiries and the slow device\nprobe as consequence.\n\nBugzilla: https://bugzilla.kernel.org/show_bug.cgi?id\u003d117321\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nEDAC: i7core, sb_edac: Don\u0027t return NOTIFY_BAD from mce_decoder callback\n\n[ Upstream commit c4fc1956fa31003bfbe4f597e359d751568e2954 ]\n\nBoth of these drivers can return NOTIFY_BAD, but this terminates\nprocessing other callbacks that were registered later on the chain.\nSince the driver did nothing to log the error it seems wrong to prevent\nother interested parties from seeing it. E.g. neither of them had even\nbothered to check the type of the error to see if it was a memory error\nbefore the return NOTIFY_BAD.\n\nSigned-off-by: Tony Luck \u003ctony.luck@intel.com\u003e\nAcked-by: Aristeu Rozanski \u003caris@redhat.com\u003e\nAcked-by: Mauro Carvalho Chehab \u003cmchehab@osg.samsung.com\u003e\nCc: linux-edac \u003clinux-edac@vger.kernel.org\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nLink: http://lkml.kernel.org/r/72937355dd92318d2630979666063f8a2853495b.1461864507.git.tony.luck@intel.com\nSigned-off-by: Borislav Petkov \u003cbp@suse.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\natomic_open(): fix the handling of create_error\n\n[ Upstream commit 10c64cea04d3c75c306b3f990586ffb343b63287 ]\n\n* if we have a hashed negative dentry and either CREAT|EXCL on\nr/o filesystem, or CREAT|TRUNC on r/o filesystem, or CREAT|EXCL\nwith failing may_o_create(), we should fail with EROFS or the\nerror may_o_create() has returned, but not ENOENT.  Which is what\nthe current code ends up returning.\n\n* if we have CREAT|TRUNC hitting a regular file on a read-only\nfilesystem, we can\u0027t fail with EROFS here.  At the very least,\nnot until we\u0027d done follow_managed() - we might have a writable\nfile (or a device, for that matter) bound on top of that one.\nMoreover, the code downstream will see that O_TRUNC and attempt\nto grab the write access (*after* following possible mount), so\nif we really should fail with EROFS, it will happen.  No need\nto do that inside atomic_open().\n\nThe real logics is much simpler than what the current code is\ntrying to do - if we decided to go for simple lookup, ended\nup with a negative dentry *and* had create_error set, fail with\ncreate_error.  No matter whether we\u0027d got that negative dentry\nfrom lookup_real() or had found it in dcache.\n\nCc: stable@vger.kernel.org # v3.6+\nAcked-by: Miklos Szeredi \u003cmszeredi@redhat.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nDrivers: hv: ring_buffer.c: fix comment style\n\n[ Upstream commit 822f18d4d3e9d4efb4996bbe562d0f99ab82d7dd ]\n\nConvert 6+-string comments repeating function names to normal kernel-style\ncomments and fix a couple of other comment style issues. No textual or\nfunctional changes intended.\n\nSigned-off-by: Vitaly Kuznetsov \u003cvkuznets@redhat.com\u003e\nSigned-off-by: K. Y. Srinivasan \u003ckys@microsoft.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nDrivers: hv_vmbus: Fix signal to host condition\n\n[ Upstream commit a5cca686ce0ef4909deaee4ed46dd991e3a9ece4 ]\n\nFixes a bug where previously hv_ringbuffer_read would pass in the old\nnumber of bytes available to read instead of the expected old read index\nwhen calculating when to signal to the host that the ringbuffer is empty.\nSince the previous write size is already saved, also changes the\nhv_need_to_signal_on_read to use the previously read value rather than\nrecalculating it.\n\nSigned-off-by: Christopher Oo \u003ct-chriso@microsoft.com\u003e\nSigned-off-by: K. Y. Srinivasan \u003ckys@microsoft.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nDrivers: hv: vmbus: Fix signaling logic in hv_need_to_signal_on_read()\n\n[ Upstream commit 1db488d12894f1936360779d6ab2aede3dd7f06a ]\n\nOn the consumer side, we have interrupt driven flow management of the\nproducer. It is sufficient to base the signaling decision on the\namount of space that is available to write after the read is complete.\nThe current code samples the previous available space and uses this\nin making the signaling decision. This state can be stale and is\nunnecessary. Since the state can be stale, we end up not signaling\nthe host (when we should) and this can result in a hang. Fix this\nproblem by removing the unnecessary check. I would like to thank\nArseney Romanenko \u003carseneyr@microsoft.com\u003e for pointing out this issue.\n\nAlso, issue a full memory barrier before making the signaling descision\nto correctly deal with potential reordering of the write (read index)\nfollowed by the read of pending_sz.\n\nSigned-off-by: K. Y. Srinivasan \u003ckys@microsoft.com\u003e\nTested-by: Dexuan Cui \u003cdecui@microsoft.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\npowerpc: Fix bad inline asm constraint in create_zero_mask()\n\n[ Upstream commit b4c112114aab9aff5ed4568ca5e662bb02cdfe74 ]\n\nIn create_zero_mask() we have:\n\n\taddi\t%1,%2,-1\n\tandc\t%1,%1,%2\n\tpopcntd\t%0,%1\n\nusing the \"r\" constraint for %2. r0 is a valid register in the \"r\" set,\nbut addi X,r0,X turns it into an li:\n\n\tli\tr7,-1\n\tandc\tr7,r7,r0\n\tpopcntd\tr4,r7\n\nFix this by using the \"b\" constraint, for which r0 is not a valid\nregister.\n\nThis was found with a kernel build using gcc trunk, narrowed down to\nwhen -frename-registers was enabled at -O2. It is just luck however\nthat we aren\u0027t seeing this on older toolchains.\n\nThanks to Segher for working with me to find this issue.\n\nCc: stable@vger.kernel.org\nFixes: d0cebfa650a0 (\"powerpc: word-at-a-time optimization for 64-bit Little Endian\")\nSigned-off-by: Anton Blanchard \u003canton@samba.org\u003e\nSigned-off-by: Michael Ellerman \u003cmpe@ellerman.id.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nMinimal fix-up of bad hashing behavior of hash_64()\n\n[ Upstream commit 689de1d6ca95b3b5bd8ee446863bf81a4883ea25 ]\n\nThis is a fairly minimal fixup to the horribly bad behavior of hash_64()\nwith certain input patterns.\n\nIn particular, because the multiplicative value used for the 64-bit hash\nwas intentionally bit-sparse (so that the multiply could be done with\nshifts and adds on architectures without hardware multipliers), some\nbits did not get spread out very much.  In particular, certain fairly\ncommon bit ranges in the input (roughly bits 12-20: commonly with the\nmost information in them when you hash things like byte offsets in files\nor memory that have block factors that mean that the low bits are often\nzero) would not necessarily show up much in the result.\n\nThere\u0027s a bigger patch-series brewing to fix up things more completely,\nbut this is the fairly minimal fix for the 64-bit hashing problem.  It\nsimply picks a much better constant multiplier, spreading the bits out a\nlot better.\n\nNOTE! For 32-bit architectures, the bad old hash_64() remains the same\nfor now, since 64-bit multiplies are expensive.  The bigger hashing\ncleanup will replace the 32-bit case with something better.\n\nThe new constants were picked by George Spelvin who wrote that bigger\ncleanup series.  I just picked out the constants and part of the comment\nfrom that series.\n\nCc: stable@vger.kernel.org\nCc: George Spelvin \u003clinux@horizon.com\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ntracing: Don\u0027t display trigger file for events that can\u0027t be enabled\n\n[ Upstream commit 854145e0a8e9a05f7366d240e2f99d9c1ca6d6dd ]\n\nCurrently register functions for events will be called\nthrough the \u0027reg\u0027 field of event class directly without\nany check when seting up triggers.\n\nTriggers for events that don\u0027t support register through\ndebug fs (events under events/ftrace are for trace-cmd to\nread event format, and most of them don\u0027t have a register\nfunction except events/ftrace/functionx) can\u0027t be enabled\nat all, and an oops will be hit when setting up trigger\nfor those events, so just not creating them is an easy way\nto avoid the oops.\n\nLink: http://lkml.kernel.org/r/1462275274-3911-1-git-send-email-chuhu@redhat.com\n\nCc: stable@vger.kernel.org # 3.14+\nFixes: 85f2b08268c01 (\"tracing: Add basic event trigger framework\")\nSigned-off-by: Chunyu Hu \u003cchuhu@redhat.com\u003e\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/radeon: make sure vertical front porch is at least 1\n\n[ Upstream commit 3104b8128d4d646a574ed9d5b17c7d10752cd70b ]\n\nhw doesn\u0027t like a 0 value.\n\nSigned-off-by: Alex Deucher \u003calexander.deucher@amd.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nMAINTAINERS: Remove asterisk from EFI directory names\n\n[ Upstream commit e8dfe6d8f6762d515fcd4f30577f7bfcf7659887 ]\n\nMark reported that having asterisks on the end of directory names\nconfuses get_maintainer.pl when it encounters subdirectories, and that\nmy name does not appear when run on drivers/firmware/efi/libstub.\n\nReported-by: Mark Rutland \u003cmark.rutland@arm.com\u003e\nSigned-off-by: Matt Fleming \u003cmatt@codeblueprint.co.uk\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nCc: Ard Biesheuvel \u003card.biesheuvel@linaro.org\u003e\nCc: Catalin Marinas \u003ccatalin.marinas@arm.com\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: linux-efi@vger.kernel.org\nLink: http://lkml.kernel.org/r/1462303781-8686-2-git-send-email-matt@codeblueprint.co.uk\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nACPICA: Dispatcher: Update thread ID for recursive method calls\n\n[ Upstream commit 93d68841a23a5779cef6fb9aa0ef32e7c5bd00da ]\n\nACPICA commit 7a3bd2d962f221809f25ddb826c9e551b916eb25\n\nSet the mutex owner thread ID.\nOriginal patch from: Prarit Bhargava \u003cprarit@redhat.com\u003e\n\nLink: https://bugzilla.kernel.org/show_bug.cgi?id\u003d115121\nLink: https://github.com/acpica/acpica/commit/7a3bd2d9\nSigned-off-by: Prarit Bhargava \u003cprarit@redhat.com\u003e\nTested-by: Andy Lutomirski \u003cluto@kernel.org\u003e # On a Dell XPS 13 9350\nSigned-off-by: Bob Moore \u003crobert.moore@intel.com\u003e\nSigned-off-by: Lv Zheng \u003clv.zheng@intel.com\u003e\nCc: All applicable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Rafael J. Wysocki \u003crafael.j.wysocki@intel.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ncrypto: hash - Fix page length clamping in hash walk\n\n[ Upstream commit 13f4bb78cf6a312bbdec367ba3da044b09bf0e29 ]\n\nThe crypto hash walk code is broken when supplied with an offset\ngreater than or equal to PAGE_SIZE.  This patch fixes it by adjusting\nwalk-\u003epg and walk-\u003eoffset when this happens.\n\nCc: \u003cstable@vger.kernel.org\u003e\nReported-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nx86/sysfb_efi: Fix valid BAR address range check\n\n[ Upstream commit c10fcb14c7afd6688c7b197a814358fecf244222 ]\n\nThe code for checking whether a BAR address range is valid will break\nout of the loop when a start address of 0x0 is encountered.\n\nThis behaviour is wrong since by breaking out of the loop we may miss\nthe BAR that describes the EFI frame buffer in a later iteration.\n\nBecause of this bug I can\u0027t use video\u003defifb: boot parameter to get\nefifb on my new ThinkPad E550 for my old linux system hard disk with\n3.10 kernel. In 3.10, efifb is the only choice due to DRM/I915 not\nsupporting the GPU.\n\nThis patch also add a trivial optimization to break out after we find\nthe frame buffer address range without testing later BARs.\n\nSigned-off-by: Wang YanQing \u003cudknight@gmail.com\u003e\n[ Rewrote changelog. ]\nSigned-off-by: Matt Fleming \u003cmatt@codeblueprint.co.uk\u003e\nReviewed-by: Peter Jones \u003cpjones@redhat.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nCc: Ard Biesheuvel \u003card.biesheuvel@linaro.org\u003e\nCc: David Herrmann \u003cdh.herrmann@gmail.com\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Tomi Valkeinen \u003ctomi.valkeinen@ti.com\u003e\nCc: linux-efi@vger.kernel.org\nLink: http://lkml.kernel.org/r/1462454061-21561-2-git-send-email-matt@codeblueprint.co.uk\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nfs/pnode.c: treat zero mnt_group_id-s as unequal\n\n[ Upstream commit 7ae8fd0351f912b075149a1e03a017be8b903b9a ]\n\npropagate_one(m) calculates \"type\" argument for copy_tree() like this:\n\n\u003e    if (m-\u003emnt_group_id \u003d\u003d last_dest-\u003emnt_group_id) {\n\u003e        type \u003d CL_MAKE_SHARED;\n\u003e    } else {\n\u003e        type \u003d CL_SLAVE;\n\u003e        if (IS_MNT_SHARED(m))\n\u003e           type |\u003d CL_MAKE_SHARED;\n\u003e   }\n\nThe \"type\" argument then governs clone_mnt() behavior with respect to flags\nand mnt_master of new mount. When we iterate through a slave group, it is\npossible that both current \"m\" and \"last_dest\" are not shared (although,\nboth are slaves, i.e. have non-NULL mnt_master-s). Then the comparison\nabove erroneously makes new mount shared and sets its mnt_master to\nlast_source-\u003emnt_master. The patch fixes the problem by handling zero\nmnt_group_id-s as though they are unequal.\n\nThe similar problem exists in the implementation of \"else\" clause above\nwhen we have to ascend upward in the master/slave tree by calling:\n\n\u003e    last_source \u003d last_source-\u003emnt_master;\n\u003e    last_dest \u003d last_source-\u003emnt_parent;\n\nproper number of times. The last step is governed by\n\"n-\u003emnt_group_id !\u003d last_dest-\u003emnt_group_id\" condition that may lie if\nboth are zero. The patch fixes this case in the same way as the former one.\n\n[AV: don\u0027t open-code an obvious helper...]\n\nSigned-off-by: Maxim Patlasov \u003cmpatlasov@virtuozzo.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\npropogate_mnt: Handle the first propogated copy being a slave\n\n[ Upstream commit 5ec0811d30378ae104f250bfc9b3640242d81e3f ]\n\nWhen the first propgated copy was a slave the following oops would result:\n\u003e BUG: unable to handle kernel NULL pointer dereference at 0000000000000010\n\u003e IP: [\u003cffffffff811fba4e\u003e] propagate_one+0xbe/0x1c0\n\u003e PGD bacd4067 PUD bac66067 PMD 0\n\u003e Oops: 0000 [#1] SMP\n\u003e Modules linked in:\n\u003e CPU: 1 PID: 824 Comm: mount Not tainted 4.6.0-rc5userns+ #1523\n\u003e Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007\n\u003e task: ffff8800bb0a8000 ti: ffff8800bac3c000 task.ti: ffff8800bac3c000\n\u003e RIP: 0010:[\u003cffffffff811fba4e\u003e]  [\u003cffffffff811fba4e\u003e] propagate_one+0xbe/0x1c0\n\u003e RSP: 0018:ffff8800bac3fd38  EFLAGS: 00010283\n\u003e RAX: 0000000000000000 RBX: ffff8800bb77ec00 RCX: 0000000000000010\n\u003e RDX: 0000000000000000 RSI: ffff8800bb58c000 RDI: ffff8800bb58c480\n\u003e RBP: ffff8800bac3fd48 R08: 0000000000000001 R09: 0000000000000000\n\u003e R10: 0000000000001ca1 R11: 0000000000001c9d R12: 0000000000000000\n\u003e R13: ffff8800ba713800 R14: ffff8800bac3fda0 R15: ffff8800bb77ec00\n\u003e FS:  00007f3c0cd9b7e0(0000) GS:ffff8800bfb00000(0000) knlGS:0000000000000000\n\u003e CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\u003e CR2: 0000000000000010 CR3: 00000000bb79d000 CR4: 00000000000006e0\n\u003e Stack:\n\u003e  ffff8800bb77ec00 0000000000000000 ffff8800bac3fd88 ffffffff811fbf85\n\u003e  ffff8800bac3fd98 ffff8800bb77f080 ffff8800ba713800 ffff8800bb262b40\n\u003e  0000000000000000 0000000000000000 ffff8800bac3fdd8 ffffffff811f1da0\n\u003e Call Trace:\n\u003e  [\u003cffffffff811fbf85\u003e] propagate_mnt+0x105/0x140\n\u003e  [\u003cffffffff811f1da0\u003e] attach_recursive_mnt+0x120/0x1e0\n\u003e  [\u003cffffffff811f1ec3\u003e] graft_tree+0x63/0x70\n\u003e  [\u003cffffffff811f1f6b\u003e] do_add_mount+0x9b/0x100\n\u003e  [\u003cffffffff811f2c1a\u003e] do_mount+0x2aa/0xdf0\n\u003e  [\u003cffffffff8117efbe\u003e] ? strndup_user+0x4e/0x70\n\u003e  [\u003cffffffff811f3a45\u003e] SyS_mount+0x75/0xc0\n\u003e  [\u003cffffffff8100242b\u003e] do_syscall_64+0x4b/0xa0\n\u003e  [\u003cffffffff81988f3c\u003e] entry_SYSCALL64_slow_path+0x25/0x25\n\u003e Code: 00 00 75 ec 48 89 0d 02 22 22 01 8b 89 10 01 00 00 48 89 05 fd 21 22 01 39 8e 10 01 00 00 0f 84 e0 00 00 00 48 8b 80 d8 00 00 00 \u003c48\u003e 8b 50 10 48 89 05 df 21 22 01 48 89 15 d0 21 22 01 8b 53 30\n\u003e RIP  [\u003cffffffff811fba4e\u003e] propagate_one+0xbe/0x1c0\n\u003e  RSP \u003cffff8800bac3fd38\u003e\n\u003e CR2: 0000000000000010\n\u003e ---[ end trace 2725ecd95164f217 ]---\n\nThis oops happens with the namespace_sem held and can be triggered by\nnon-root users.  An all around not pleasant experience.\n\nTo avoid this scenario when finding the appropriate source mount to\ncopy stop the walk up the mnt_master chain when the first source mount\nis encountered.\n\nFurther rewrite the walk up the last_source mnt_master chain so that\nit is clear what is going on.\n\nThe reason why the first source mount is special is that it it\u0027s\nmnt_parent is not a mount in the dest_mnt propagation tree, and as\nsuch termination conditions based up on the dest_mnt mount propgation\ntree do not make sense.\n\nTo avoid other kinds of confusion last_dest is not changed when\ncomputing last_source.  last_dest is only used once in propagate_one\nand that is above the point of the code being modified, so changing\nthe global variable is meaningless and confusing.\n\nCc: stable@vger.kernel.org\nfixes: f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 (\"smarter propagate_mnt()\")\nReported-by: Tycho Andersen \u003ctycho.andersen@canonical.com\u003e\nReviewed-by: Seth Forshee \u003cseth.forshee@canonical.com\u003e\nTested-by: Seth Forshee \u003cseth.forshee@canonical.com\u003e\nSigned-off-by: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmm, cma: prevent nr_isolated_* counters from going negative\n\n[ Upstream commit 14af4a5e9b26ad251f81c174e8a43f3e179434a5 ]\n\n/proc/sys/vm/stat_refresh warns nr_isolated_anon and nr_isolated_file go\nincreasingly negative under compaction: which would add delay when\nshould be none, or no delay when should delay.  The bug in compaction\nwas due to a recent mmotm patch, but much older instance of the bug was\nalso noticed in isolate_migratepages_range() which is used for CMA and\ngigantic hugepage allocations.\n\nThe bug is caused by putback_movable_pages() in an error path\ndecrementing the isolated counters without them being previously\nincremented by acct_isolated().  Fix isolate_migratepages_range() by\nremoving the error-path putback, thus reaching acct_isolated() with\nmigratepages still isolated, and leaving putback to caller like most\nother places do.\n\nFixes: edc2ca612496 (\"mm, compaction: move pageblock checks up from isolate_migratepages_range()\")\n[vbabka@suse.cz: expanded the changelog]\nSigned-off-by: Hugh Dickins \u003chughd@google.com\u003e\nSigned-off-by: Vlastimil Babka \u003cvbabka@suse.cz\u003e\nAcked-by: Joonsoo Kim \u003ciamjoonsoo.kim@lge.com\u003e\nCc: Michal Hocko \u003cmhocko@kernel.org\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nx86/tsc: Read all ratio bits from MSR_PLATFORM_INFO\n\n[ Upstream commit 886123fb3a8656699dff40afa0573df359abeb18 ]\n\nCurrently we read the tsc radio: ratio \u003d (MSR_PLATFORM_INFO \u003e\u003e 8) \u0026 0x1f;\n\nThus we get bit 8-12 of MSR_PLATFORM_INFO, however according to the SDM\n(35.5), the ratio bits are bit 8-15.\n\nIgnoring the upper bits can result in an incorrect tsc ratio, which causes the\nTSC calibration and the Local APIC timer frequency to be incorrect.\n\nFix this problem by masking 0xff instead.\n\n[ tglx: Massaged changelog ]\n\nFixes: 7da7c1561366 \"x86, tsc: Add static (MSR) TSC calibration on Intel Atom SoCs\"\nSigned-off-by: Chen Yu \u003cyu.c.chen@intel.com\u003e\nCc: \"Rafael J. Wysocki\" \u003crafael@kernel.org\u003e\nCc: stable@vger.kernel.org\nCc: Bin Gao \u003cbin.gao@intel.com\u003e\nCc: Len Brown \u003clenb@kernel.org\u003e\nLink: http://lkml.kernel.org/r/1462505619-5516-1-git-send-email-yu.c.chen@intel.com\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nparisc: Fix ptrace syscall number and return value modification\n\n[ Upstream commit 98e8b6c9ac9d1b1e9d1122dfa6783d5d566bb8f7 ]\n\nMike Frysinger reported that his ptrace testcase showed strange\nbehaviour on parisc: It was not possible to avoid a syscall and the\nreturn value of a syscall couldn\u0027t be changed.\n\nTo modify a syscall number, we were missing to save the new syscall\nnumber to gr20 which is then picked up later in assembly again.\n\nThe effect that the return value couldn\u0027t be changed is a side-effect of\nanother bug in the assembly code. When a process is ptraced, userspace\nexpects each syscall to report entrance and exit of a syscall.  If a\nsyscall number was given which doesn\u0027t exist, we jumped to the normal\nsyscall exit code instead of informing userspace that the (non-existant)\nsyscall exits. This unexpected behaviour confuses userspace and thus the\nbug was misinterpreted as if we can\u0027t change the return value.\n\nThis patch fixes both problems and was tested on 64bit kernel with\n32bit userspace.\n\nSigned-off-by: Helge Deller \u003cdeller@gmx.de\u003e\nCc: Mike Frysinger \u003cvapier@gentoo.org\u003e\nCc: stable@vger.kernel.org  # v4.0+\nTested-by: Mike Frysinger \u003cvapier@gentoo.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nparisc: fix a bug when syscall number of tracee is __NR_Linux_syscalls\n\n[ Upstream commit f0b22d1bb2a37a665a969e95785c75a4f49d1499 ]\n\nDo not load one entry beyond the end of the syscall table when the\nsyscall number of a traced process equals to __NR_Linux_syscalls.\nSimilar bug with regular processes was fixed by commit 3bb457af4fa8\n(\"[PARISC] Fix bug when syscall nr is __NR_Linux_syscalls\").\n\nThis bug was found by strace test suite.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Dmitry V. Levin \u003cldv@altlinux.org\u003e\nAcked-by: Helge Deller \u003cdeller@gmx.de\u003e\nSigned-off-by: Helge Deller \u003cdeller@gmx.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nget_rock_ridge_filename(): handle malformed NM entries\n\n[ Upstream commit 99d825822eade8d827a1817357cbf3f889a552d6 ]\n\nPayloads of NM entries are not supposed to contain NUL.  When we run\ninto such, only the part prior to the first NUL goes into the\nconcatenation (i.e. the directory entry name being encoded by a bunch\nof NM entries).  We do stop when the amount collected so far + the\nclaimed amount in the current NM entry exceed 254.  So far, so good,\nbut what we return as the total length is the sum of *claimed*\nsizes, not the actual amount collected.  And that can grow pretty\nlarge - not unlimited, since you\u0027d need to put CE entries in\nbetween to be able to get more than the maximum that could be\ncontained in one isofs directory entry / continuation chunk and\nwe are stop once we\u0027d encountered 32 CEs, but you can get about 8Kb\neasily.  And that\u0027s what will be passed to readdir callback as the\nname length.  8Kb __copy_to_user() from a buffer allocated by\n__get_free_page()\n\nCc: stable@vger.kernel.org # 0.98pl6+ (yes, really)\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nALSA: hda - Fix bass pin fixup for ASUS N550JX\n\n[ Upstream commit db8948e653e12b218058bb6696f4a33fa7845f64 ]\n\nASUS N550JX (PCI SSID 1043:13df) requires the same fixup for a bass\nspeaker output pin as other N550 models.\n\nBugzilla: https://bugzilla.kernel.org/show_bug.cgi?id\u003d110001\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nALSA: hda - Apply fix for white noise on Asus N550JV, too\n\n[ Upstream commit 83a9efb5b8170b7cffef4f62656656e1d8ad2ccd ]\n\nApply the new fixup that is used for ASUS N750JV to another similar\nmodel, N500JV, too, for reducing the headphone noise.\n\nBugzilla: https://bugzilla.kernel.org/show_bug.cgi?id\u003d115181\nSigned-off-by: Bobi Mihalca \u003cbobbymihalca@touchtech.ro\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nALSA: hda - Fix white noise on Asus UX501VW headset\n\n[ Upstream commit 2da2dc9ead232f25601404335cca13c0f722d41b ]\n\nFor reducing the noise from the headset output on ASUS UX501VW,\ncall the existing fixup, alc_fixup_headset_mode_alc668(), additionally.\n\nThread: https://bbs.archlinux.org/viewtopic.php?id\u003d209554\n\nSigned-off-by: Kaho Ng \u003cngkaho1234@gmail.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nInput: max8997-haptic - fix NULL pointer dereference\n\n[ Upstream commit 6ae645d5fa385f3787bf1723639cd907fe5865e7 ]\n\nNULL pointer derefence happens when booting with DTB because the\nplatform data for haptic device is not set in supplied data from parent\nMFD device.\n\nThe MFD device creates only platform data (from Device Tree) for itself,\nnot for haptic child.\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000009c\npgd \u003d c0004000\n\t[0000009c] *pgd\u003d00000000\n\tInternal error: Oops: 5 [#1] PREEMPT SMP ARM\n\t(max8997_haptic_probe) from [\u003cc03f9cec\u003e] (platform_drv_probe+0x4c/0xb0)\n\t(platform_drv_probe) from [\u003cc03f8440\u003e] (driver_probe_device+0x214/0x2c0)\n\t(driver_probe_device) from [\u003cc03f8598\u003e] (__driver_attach+0xac/0xb0)\n\t(__driver_attach) from [\u003cc03f67ac\u003e] (bus_for_each_dev+0x68/0x9c)\n\t(bus_for_each_dev) from [\u003cc03f7a38\u003e] (bus_add_driver+0x1a0/0x218)\n\t(bus_add_driver) from [\u003cc03f8db0\u003e] (driver_register+0x78/0xf8)\n\t(driver_register) from [\u003cc0101774\u003e] (do_one_initcall+0x90/0x1d8)\n\t(do_one_initcall) from [\u003cc0a00dbc\u003e] (kernel_init_freeable+0x15c/0x1fc)\n\t(kernel_init_freeable) from [\u003cc06bb5b4\u003e] (kernel_init+0x8/0x114)\n\t(kernel_init) from [\u003cc0107938\u003e] (ret_from_fork+0x14/0x3c)\n\nSigned-off-by: Marek Szyprowski \u003cm.szyprowski@samsung.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nFixes: 104594b01ce7 (\"Input: add driver support for MAX8997-haptic\")\n[k.kozlowski: Write commit message, add CC-stable]\nSigned-off-by: Krzysztof Kozlowski \u003ck.kozlowski@samsung.com\u003e\nSigned-off-by: Dmitry Torokhov \u003cdmitry.torokhov@gmail.com\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/i915: Bail out of pipe config compute loop on LPT\n\n[ Upstream commit 2700818ac9f935d8590715eecd7e8cadbca552b6 ]\n\nLPT is pch, so might run into the fdi bandwidth constraint (especially\nsince it has only 2 lanes). But right now we just force pipe_bpp back\nto 24, resulting in a nice loop (which we bail out with a loud\nWARN_ON). Fix this.\n\nCc: Chris Wilson \u003cchris@chris-wilson.co.uk\u003e\nCc: Maarten Lankhorst \u003cmaarten.lankhorst@linux.intel.com\u003e\nReferences: https://bugs.freedesktop.org/show_bug.cgi?id\u003d93477\nSigned-off-by: Daniel Vetter \u003cdaniel.vetter@intel.com\u003e\nTested-by: Chris Wilson \u003cchris@chris-wilson.co.uk\u003e\nSigned-off-by: Maarten Lankhorst \u003cmaarten.lankhorst@linux.intel.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Daniel Vetter \u003cdaniel.vetter@ffwll.ch\u003e\nLink: http://patchwork.freedesktop.org/patch/msgid/1462264381-7573-1-git-send-email-daniel.vetter@ffwll.ch\n(cherry picked from commit f58a1acc7e4a1f37d26124ce4c875c647fbcc61f)\nSigned-off-by: Jani Nikula \u003cjani.nikula@intel.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nALSA: hda - Asus N750JV external subwoofer fixup\n\n[ Upstream commit 70cf2cbd685e218c3ffd105d9fb6cf0f8d767481 ]\n\nASUS N750JV needs the same fixup as N550 for enabling its subwoofer.\n\nBugzilla: https://bugzilla.kernel.org/show_bug.cgi?id\u003d115181\nSigned-off-by: Bobi Mihalca \u003cbobbymihalca@touchtech.ro\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nALSA: hda - Fix white noise on Asus N750JV headphone\n\n[ Upstream commit 9d4dc5840f93bcb002fa311693349deae7702bc5 ]\n\nFor reducing the noise from the headphone output on ASUS N750JV,\ncall the existing fixup, alc_fixup_auto_mute_via_amp(), additionally.\n\nBugzilla: https://bugzilla.kernel.org/show_bug.cgi?id\u003d115181\nSigned-off-by: Bobi Mihalca \u003cbobbymihalca@touchtech.ro\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nALSA: hda - Fix subwoofer pin on ASUS N751 and N551\n\n[ Upstream commit 3231e2053eaeee70bdfb216a78a30f11e88e2243 ]\n\nSubwoofer does not work out of the box on ASUS N751/N551 laptops. This\npatch fixes it. Patch tested on N751 laptop. N551 part is not tested,\nbut according to [1] and [2] this laptop requires similar changes, so I\nincluded them in the patch.\n\n1. https://github.com/honsiorovskyi/asus-n551-hda-fix\n2. https://bugs.launchpad.net/ubuntu/+source/alsa-tools/+bug/1405691\n\nBugzilla: https://bugzilla.kernel.org/show_bug.cgi?id\u003d117781\nSigned-off-by: Yura Pakhuchiy \u003cpakhuchiy@gmail.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nALSA: usb-audio: Yet another Phoneix Audio device quirk\n\n[ Upstream commit 84add303ef950b8d85f54bc2248c2bc73467c329 ]\n\nPhoenix Audio has yet another device with another id (even a different\nvendor id, 0556:0014) that requires the same quirk for the sample\nrate.\n\nBugzilla: https://bugzilla.kernel.org/show_bug.cgi?id\u003d110221\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ntools lib traceevent: Free filter tokens in process_filter()\n\n[ Upstream commit e1644aae4589274223c1ab9072ddbda98dd97f6a ]\n\nvalgrind showed that the filter token wasn\u0027t being freed properly in\nprocess_filter().\n\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nCc: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nCc: Jiri Olsa \u003cjolsa@redhat.com\u003e\nCc: Namhyung Kim \u003cnamhyung@kernel.org\u003e\nLink: http://lkml.kernel.org/r/20150324135923.817723903@goodmis.org\nSigned-off-by: Arnaldo Carvalho de Melo \u003cacme@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ntools lib traceevent: Do not reassign parg after collapse_tree()\n\n[ Upstream commit 106b816cb46ebd87408b4ed99a2e16203114daa6 ]\n\nAt the end of process_filter(), collapse_tree() was changed to update\nthe parg parameter, but the reassignment after the call wasn\u0027t removed.\n\nWhat happens is that the \"current_op\" gets modified and freed and parg\nis assigned to the new allocated argument. But after the call to\ncollapse_tree(), parg is assigned again to the just freed \"current_op\",\nand this causes the tool to crash.\n\nThe current_op variable must also be assigned to NULL in case of error,\notherwise it will cause it to be free()ed twice.\n\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nAcked-by: Namhyung Kim \u003cnamhyung@kernel.org\u003e\nCc: stable@vger.kernel.org # 3.14+\nFixes: 42d6194d133c (\"tools lib traceevent: Refactor process_filter()\")\nLink: http://lkml.kernel.org/r/20160511150936.678c18a1@gandalf.local.home\nSigned-off-by: Arnaldo Carvalho de Melo \u003cacme@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nworkqueue: fix rebind bound workers warning\n\n[ Upstream commit f7c17d26f43d5cc1b7a6b896cd2fa24a079739b9 ]\n\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 16 at kernel/workqueue.c:4559 rebind_workers+0x1c0/0x1d0\nModules linked in:\nCPU: 0 PID: 16 Comm: cpuhp/0 Not tainted 4.6.0-rc4+ #31\nHardware name: IBM IBM System x3550 M4 Server -[7914IUW]-/00Y8603, BIOS -[D7E128FUS-1.40]- 07/23/2013\n 0000000000000000 ffff881037babb58 ffffffff8139d885 0000000000000010\n 0000000000000000 0000000000000000 0000000000000000 ffff881037babba8\n ffffffff8108505d ffff881037ba0000 000011cf3e7d6e60 0000000000000046\nCall Trace:\n dump_stack+0x89/0xd4\n __warn+0xfd/0x120\n warn_slowpath_null+0x1d/0x20\n rebind_workers+0x1c0/0x1d0\n workqueue_cpu_up_callback+0xf5/0x1d0\n notifier_call_chain+0x64/0x90\n ? trace_hardirqs_on_caller+0xf2/0x220\n ? notify_prepare+0x80/0x80\n __raw_notifier_call_chain+0xe/0x10\n __cpu_notify+0x35/0x50\n notify_down_prepare+0x5e/0x80\n ? notify_prepare+0x80/0x80\n cpuhp_invoke_callback+0x73/0x330\n ? __schedule+0x33e/0x8a0\n cpuhp_down_callbacks+0x51/0xc0\n cpuhp_thread_fun+0xc1/0xf0\n smpboot_thread_fn+0x159/0x2a0\n ? smpboot_create_threads+0x80/0x80\n kthread+0xef/0x110\n ? wait_for_completion+0xf0/0x120\n ? schedule_tail+0x35/0xf0\n ret_from_fork+0x22/0x50\n ? __init_kthread_worker+0x70/0x70\n---[ end trace eb12ae47d2382d8f ]---\nnotify_down_prepare: attempt to take down CPU 0 failed\n\nThis bug can be reproduced by below config w/ nohz_full\u003d all cpus:\n\nCONFIG_BOOTPARAM_HOTPLUG_CPU0\u003dy\nCONFIG_DEBUG_HOTPLUG_CPU0\u003dy\nCONFIG_NO_HZ_FULL\u003dy\n\nAs Thomas pointed out:\n\n| If a down prepare callback fails, then DOWN_FAILED is invoked for all\n| callbacks which have successfully executed DOWN_PREPARE.\n|\n| But, workqueue has actually two notifiers. One which handles\n| UP/DOWN_FAILED/ONLINE and one which handles DOWN_PREPARE.\n|\n| Now look at the priorities of those callbacks:\n|\n| CPU_PRI_WORKQUEUE_UP        \u003d 5\n| CPU_PRI_WORKQUEUE_DOWN      \u003d -5\n|\n| So the call order on DOWN_PREPARE is:\n|\n| CB 1\n| CB ...\n| CB workqueue_up() -\u003e Ignores DOWN_PREPARE\n| CB ...\n| CB X ---\u003e Fails\n|\n| So we call up to CB X with DOWN_FAILED\n|\n| CB 1\n| CB ...\n| CB workqueue_up() -\u003e Handles DOWN_FAILED\n| CB ...\n| CB X-1\n|\n| So the problem is that the workqueue stuff handles DOWN_FAILED in the up\n| callback, while it should do it in the down callback. Which is not a good idea\n| either because it wants to be called early on rollback...\n|\n| Brilliant stuff, isn\u0027t it? The hotplug rework will solve this problem because\n| the callbacks become symetric, but for the existing mess, we need some\n| workaround in the workqueue code.\n\nThe boot CPU handles housekeeping duty(unbound timers, workqueues,\ntimekeeping, ...) on behalf of full dynticks CPUs. It must remain\nonline when nohz full is enabled. There is a priority set to every\nnotifier_blocks:\n\nworkqueue_cpu_up \u003e tick_nohz_cpu_down \u003e workqueue_cpu_down\n\nSo tick_nohz_cpu_down callback failed when down prepare cpu 0, and\nnotifier_blocks behind tick_nohz_cpu_down will not be called any\nmore, which leads to workers are actually not unbound. Then hotplug\nstate machine will fallback to undo and online cpu 0 again. Workers\nwill be rebound unconditionally even if they are not unbound and\ntrigger the warning in this progress.\n\nThis patch fix it by catching !DISASSOCIATED to avoid rebind bound\nworkers.\n\nCc: Tejun Heo \u003ctj@kernel.org\u003e\nCc: Lai Jiangshan \u003cjiangshanlai@gmail.com\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Frédéric Weisbecker \u003cfweisbec@gmail.com\u003e\nCc: stable@vger.kernel.org\nSuggested-by: Lai Jiangshan \u003cjiangshanlai@gmail.com\u003e\nSigned-off-by: Wanpeng Li \u003cwanpeng.li@hotmail.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nocfs2: fix SGID not inherited issue\n\n[ Upstream commit 854ee2e944b4daf795e32562a7d2f9e90ab5a6a8 ]\n\nCommit 8f1eb48758aa (\"ocfs2: fix umask ignored issue\") introduced an\nissue, SGID of sub dir was not inherited from its parents dir.  It is\nbecause SGID is set into \"inode-\u003ei_mode\" in ocfs2_get_init_inode(), but\nis overwritten by \"mode\" which don\u0027t have SGID set later.\n\nFixes: 8f1eb48758aa (\"ocfs2: fix umask ignored issue\")\nSigned-off-by: Junxiao Bi \u003cjunxiao.bi@oracle.com\u003e\nCc: Mark Fasheh \u003cmfasheh@suse.de\u003e\nCc: Joel Becker \u003cjlbec@evilplan.org\u003e\nAcked-by: Srinivas Eeda \u003csrinivas.eeda@oracle.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nocfs2: dereferencing freed pointers in ocfs2_reflink()\n\n[ Upstream commit e073fc58dfe6a4c9b614320c1d56bb71cb213ec4 ]\n\nThe code at the \"out\" label assumes that \"default_acl\" and \"acl\" are NULL,\nbut actually the pointers can be NULL, unitialized, or freed.\n\nSigned-off-by: Dan Carpenter \u003cdan.carpenter@oracle.com\u003e\nReviewed-by: Mark Fasheh \u003cmfasheh@suse.de\u003e\nCc: Joel Becker \u003cjlbec@evilplan.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nocfs2: revert using ocfs2_acl_chmod to avoid inode cluster lock hang\n\n[ Upstream commit 5ee0fbd50fdf1c1329de8bee35ea9d7c6a81a2e0 ]\n\nCommit 743b5f1434f5 (\"ocfs2: take inode lock in ocfs2_iop_set/get_acl()\")\nintroduced this issue.  ocfs2_setattr called by chmod command holds\ncluster wide inode lock when calling posix_acl_chmod.  This latter\nfunction in turn calls ocfs2_iop_get_acl and ocfs2_iop_set_acl.  These\ntwo are also called directly from vfs layer for getfacl/setfacl commands\nand therefore acquire the cluster wide inode lock.  If a remote\nconversion request comes after the first inode lock in ocfs2_setattr,\nOCFS2_LOCK_BLOCKED will be set.  And this will cause the second call to\ninode lock from the ocfs2_iop_get_acl() to block indefinetly.\n\nThe deleted version of ocfs2_acl_chmod() calls __posix_acl_chmod() which\ndoes not call back into the filesystem.  Therefore, we restore\nocfs2_acl_chmod(), modify it slightly for locking as needed, and use that\ninstead.\n\nFixes: 743b5f1434f5 (\"ocfs2: take inode lock in ocfs2_iop_set/get_acl()\")\nSigned-off-by: Tariq Saeed \u003ctariq.x.saeed@oracle.com\u003e\nSigned-off-by: Junxiao Bi \u003cjunxiao.bi@oracle.com\u003e\nCc: Mark Fasheh \u003cmfasheh@suse.de\u003e\nCc: Joel Becker \u003cjlbec@evilplan.org\u003e\nCc: Joseph Qi \u003cjoseph.qi@huawei.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nocfs2: fix posix_acl_create deadlock\n\n[ Upstream commit c25a1e0671fbca7b2c0d0757d533bd2650d6dc0c ]\n\nCommit 702e5bc68ad2 (\"ocfs2: use generic posix ACL infrastructure\")\nrefactored code to use posix_acl_create.  The problem with this function\nis that it is not mindful of the cluster wide inode lock making it\nunsuitable for use with ocfs2 inode creation with ACLs.  For example,\nwhen used in ocfs2_mknod, this function can cause deadlock as follows.\nThe parent dir inode lock is taken when calling posix_acl_create -\u003e\nget_acl -\u003e ocfs2_iop_get_acl which takes the inode lock again.  This can\ncause deadlock if there is a blocked remote lock request waiting for the\nlock to be downconverted.  And same deadlock happened in ocfs2_reflink.\nThis fix is to revert back using ocfs2_init_acl.\n\nFixes: 702e5bc68ad2 (\"ocfs2: use generic posix ACL infrastructure\")\nSigned-off-by: Tariq Saeed \u003ctariq.x.saeed@oracle.com\u003e\nSigned-off-by: Junxiao Bi \u003cjunxiao.bi@oracle.com\u003e\nCc: Mark Fasheh \u003cmfasheh@suse.de\u003e\nCc: Joel Becker \u003cjlbec@evilplan.org\u003e\nCc: Joseph Qi \u003cjoseph.qi@huawei.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnf_conntrack: avoid kernel pointer value leak in slab name\n\nchanged from Google\u0027s leak fix to upstream\u0027s to fix conflict\n\n[ Upstream commit 31b0b385f69d8d5491a4bca288e25e63f1d945d0 ]\n\nThe slab name ends up being visible in the directory structure under\n/sys, and even if you don\u0027t have access rights to the file you can see\nthe filenames.\n\nJust use a 64-bit counter instead of the pointer to the \u0027net\u0027 structure\nto generate a unique name.\n\nThis code will go away in 4.7 when the conntrack code moves to a single\nkmemcache, but this is the backportable simple solution to avoiding\nleaking kernel pointers to user space.\n\nFixes: 5b3501faa874 (\"netfilter: nf_conntrack: per netns nf_conntrack_cachep\")\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nAcked-by: Eric Dumazet \u003ceric.dumazet@gmail.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nLinux 3.18.34\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndmaengine: imx-sdma: switch to dynamic context mode after script loaded\n\n[ Upstream commit 855832e47c1e51db701786ed76f8a9fec323aad6 ]\n\nBelow comments got from Page4724 of Reference Manual of i.mx6q:\nhttp://cache.freescale.com/files/32bit/doc/ref_manual/IMX6DQRM.pdf\n\n--\"Static context mode should be used for the first channel called\nafter reset to ensure that the all context RAM for that channel is\ninitialized during the context SAVE phase when the channel is\ndone or yields. Subsequent calls to the same channel or\ndifferent channels may use any of the dynamic context modes.\nThis will ensure that all context locations for the bootload\nchannel are initialized, and prevent undefined values in context\nRAM from being loaded during the context restore if the\nchannel is re-started later\"\n\nUnfortunately, the rule was broken by commit(5b28aa319bba96987316425a1131813d87cbab35)\n.This patch just take them back.\n\nSigned-off-by: Robin Gong \u003cb38343@freescale.com\u003e\nSigned-off-by: Vinod Koul \u003cvinod.koul@intel.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nregulator: core: Use class device list for regulator_list in late init\n\n[ Upstream commit 609ca5f3cb32c2d11fd8cabe293ff3689e7d2613 ]\n\nThe regulator_list has exactly the same contents as the list that the\ndriver core maintains of regulator_class members so is redundant. As a\nfirst step in converting over to use the class device list convert our\niteration in late_initcall() to use the class device iterator.\n\nSigned-off-by: Mark Brown \u003cbroonie@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nath5k: Change led pin configuration for compaq c700 laptop\n\n[ Upstream commit 7b9bc799a445aea95f64f15e0083cb19b5789abe ]\n\nBugLink: http://bugs.launchpad.net/bugs/972604\n\nCommit 09c9bae26b0d3c9472cb6ae45010460a2cee8b8d (\"ath5k: add led pin\nconfiguration for compaq c700 laptop\") added a pin configuration for the Compaq\nc700 laptop.  However, the polarity of the led pin is reversed.  It should be\nred for wifi off and blue for wifi on, but it is the opposite.  This bug was\nreported in the following bug report:\nhttp://pad.lv/972604\n\nFixes: 09c9bae26b0d3c9472cb6ae45010460a2cee8b8d (\"ath5k: add led pin configuration for compaq c700 laptop\")\nSigned-off-by: Joseph Salisbury \u003cjoseph.salisbury@canonical.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Kalle Valo \u003ckvalo@qca.qualcomm.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nxfs: disallow ro-\u003erw remount on norecovery mount\n\n[ Upstream commit bbe051c841d522bf2aaa1d362b57fe47457187bf ]\n\nThere\u0027s a bit of a loophole in norecovery mount handling right\nnow: an initial mount must be readonly, but nothing prevents\na mount -o remount,rw from producing a writable, unrecovered\nxfs filesystem.\n\nIt might be possible to try to perform a log recovery when this\nis requested, but I\u0027m not sure it\u0027s worth the effort.  For now,\nsimply disallow this sort of transition.\n\nSigned-off-by: Eric Sandeen \u003csandeen@redhat.com\u003e\nReviewed-by: Dave Chinner \u003cdchinner@redhat.com\u003e\nSigned-off-by: Dave Chinner \u003cdavid@fromorbit.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nxfs: disallow rw remount on fs with unknown ro-compat features\n\n[ Upstream commit d0a58e833931234c44e515b5b8bede32bd4e6eed ]\n\nToday, a kernel which refuses to mount a filesystem read-write\ndue to unknown ro-compat features can still transition to read-write\nvia the remount path.  The old kernel is most likely none the wiser,\nbecause it\u0027s unaware of the new feature, and isn\u0027t using it.  However,\nwriting to the filesystem may well corrupt metadata related to that\nnew feature, and moving to a newer kernel which understand the feature\nwill have problems.\n\nRight now the only ro-compat feature we have is the free inode btree,\nwhich showed up in v3.16.  It would be good to push this back to\nall the active stable kernels, I think, so that if anyone is using\nnewer mkfs (which enables the finobt feature) with older kernel\nreleases, they\u0027ll be protected.\n\nCc: \u003cstable@vger.kernel.org\u003e # 3.10.x-\nSigned-off-by: Eric Sandeen \u003csandeen@redhat.com\u003e\nReviewed-by: Bill O\u0027Donnell \u003cbillodo@redhat.com\u003e\nReviewed-by: Dave Chinner \u003cdchinner@redhat.com\u003e\nSigned-off-by: Dave Chinner \u003cdavid@fromorbit.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nrtlwifi: rtl8723be: Fix module parameter initialization\n\n[ Upstream commit 7079604ddb83f428359feace3aeaf8a9f435be4a ]\n\nThis driver has a number of errors in the module initialization. These\ninclude the following:\n\nParameter msi_support is stored in two places - one is removed.\nParamters sw_crypto and disable_watchdog were never stored in the final\nlocations, nor were they initialized properly.\n\nSigned-off-by: Larry Finger \u003cLarry.Finger@lwfinger.net\u003e\nCc: Stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Kalle Valo \u003ckvalo@codeaurora.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/gma500: Fix possible out of bounds read\n\n[ Upstream commit 7ccca1d5bf69fdd1d3c5fcf84faf1659a6e0ad11 ]\n\nFix possible out of bounds read, by adding missing comma.\nThe code may read pass the end of the dsi_errors array\nwhen the most significant bit (bit #31) in the intr_stat register\nis set.\nThis bug has been detected using CppCheck (static analysis tool).\n\nCc: stable@vger.kernel.org\nSigned-off-by: Itai Handler \u003citai_handler@hotmail.com\u003e\nSigned-off-by: Patrik Jakobsson \u003cpatrik.r.jakobsson@gmail.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nBluetooth: vhci: fix open_timeout vs. hdev race\n\n[ Upstream commit 373a32c848ae3a1c03618517cce85f9211a6facf ]\n\nBoth vhci_get_user and vhci_release race with open_timeout work. They\nboth contain cancel_delayed_work_sync, but do not test whether the\nwork actually created hdev or not. Since the work can be in progress\nand _sync will wait for finishing it, we can have data-\u003ehdev allocated\nwhen cancel_delayed_work_sync returns. But the call sites do \u0027if\n(data-\u003ehdev)\u0027 *before* cancel_delayed_work_sync.\n\nAs a result:\n* vhci_get_user allocates a second hdev and puts it into\n  data-\u003ehdev. The former is leaked.\n* vhci_release does not release data-\u003ehdev properly as it thinks there\n  is none.\n\nFix both cases by moving the actual test *after* the call to\ncancel_delayed_work_sync.\n\nThis can be hit by this program:\n\t#include \u003cerr.h\u003e\n\t#include \u003cfcntl.h\u003e\n\t#include \u003cstdio.h\u003e\n\t#include \u003cstdlib.h\u003e\n\t#include \u003ctime.h\u003e\n\t#include \u003cunistd.h\u003e\n\n\t#include \u003csys/stat.h\u003e\n\t#include \u003csys/types.h\u003e\n\n\tint main(int argc, char **argv)\n\t{\n\t\tint fd;\n\n\t\tsrand(time(NULL));\n\n\t\twhile (1) {\n\t\t\tconst int delta \u003d (rand() % 200 - 100) * 100;\n\n\t\t\tfd \u003d open(\"/dev/vhci\", O_RDWR);\n\t\t\tif (fd \u003c 0)\n\t\t\t\terr(1, \"open\");\n\n\t\t\tusleep(1000000 + delta);\n\n\t\t\tclose(fd);\n\t\t}\n\n\t\treturn 0;\n\t}\n\nAnd the result is:\nBUG: KASAN: use-after-free in skb_queue_tail+0x13e/0x150 at addr ffff88006b0c1228\nRead of size 8 by task kworker/u13:1/32068\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nBUG kmalloc-192 (Tainted: G            E     ): kasan: bad access detected\n-----------------------------------------------------------------------------\n\nDisabling lock debugging due to kernel taint\nINFO: Allocated in vhci_open+0x50/0x330 [hci_vhci] age\u003d260 cpu\u003d3 pid\u003d32040\n...\n\tkmem_cache_alloc_trace+0x150/0x190\n\tvhci_open+0x50/0x330 [hci_vhci]\n\tmisc_open+0x35b/0x4e0\n\tchrdev_open+0x23b/0x510\n...\nINFO: Freed in vhci_release+0xa4/0xd0 [hci_vhci] age\u003d9 cpu\u003d2 pid\u003d32040\n...\n\t__slab_free+0x204/0x310\n\tvhci_release+0xa4/0xd0 [hci_vhci]\n...\nINFO: Slab 0xffffea0001ac3000 objects\u003d16 used\u003d13 fp\u003d0xffff88006b0c1e00 flags\u003d0x5fffff80004080\nINFO: Object 0xffff88006b0c1200 @offset\u003d4608 fp\u003d0xffff88006b0c0600\nBytes b4 ffff88006b0c11f0: 09 df 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................\nObject ffff88006b0c1200: 00 06 0c 6b 00 88 ff ff 00 00 00 00 00 00 00 00  ...k............\nObject ffff88006b0c1210: 10 12 0c 6b 00 88 ff ff 10 12 0c 6b 00 88 ff ff  ...k.......k....\nObject ffff88006b0c1220: c0 46 c2 6b 00 88 ff ff c0 46 c2 6b 00 88 ff ff  .F.k.....F.k....\nObject ffff88006b0c1230: 01 00 00 00 01 00 00 00 e0 ff ff ff 0f 00 00 00  ................\nObject ffff88006b0c1240: 40 12 0c 6b 00 88 ff ff 40 12 0c 6b 00 88 ff ff  @..k....@..k....\nObject ffff88006b0c1250: 50 0d 6e a0 ff ff ff ff 00 02 00 00 00 00 ad de  P.n.............\nObject ffff88006b0c1260: 00 00 00 00 00 00 00 00 ab 62 02 00 01 00 00 00  .........b......\nObject ffff88006b0c1270: 90 b9 19 81 ff ff ff ff 38 12 0c 6b 00 88 ff ff  ........8..k....\nObject ffff88006b0c1280: 03 00 20 00 ff ff ff ff ff ff ff ff 00 00 00 00  .. .............\nObject ffff88006b0c1290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\nObject ffff88006b0c12a0: 00 00 00 00 00 00 00 00 00 80 cd 3d 00 88 ff ff  ...........\u003d....\nObject ffff88006b0c12b0: 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00  . ..............\nRedzone ffff88006b0c12c0: bb bb bb bb bb bb bb bb                          ........\nPadding ffff88006b0c13f8: 00 00 00 00 00 00 00 00                          ........\nCPU: 3 PID: 32068 Comm: kworker/u13:1 Tainted: G    B       E      4.4.6-0-default #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.1-0-g4adadbd-20151112_172657-sheep25 04/01/2014\nWorkqueue: hci0 hci_cmd_work [bluetooth]\n 00000000ffffffff ffffffff81926cfa ffff88006be37c68 ffff88006bc27180\n ffff88006b0c1200 ffff88006b0c1234 ffffffff81577993 ffffffff82489320\n ffff88006bc24240 0000000000000046 ffff88006a100000 000000026e51eb80\nCall Trace:\n...\n [\u003cffffffff81ec8ebe\u003e] ? skb_queue_tail+0x13e/0x150\n [\u003cffffffffa06e027c\u003e] ? vhci_send_frame+0xac/0x100 [hci_vhci]\n [\u003cffffffffa0c61268\u003e] ? hci_send_frame+0x188/0x320 [bluetooth]\n [\u003cffffffffa0c61515\u003e] ? hci_cmd_work+0x115/0x310 [bluetooth]\n [\u003cffffffff811a1375\u003e] ? process_one_work+0x815/0x1340\n [\u003cffffffff811a1f85\u003e] ? worker_thread+0xe5/0x11f0\n [\u003cffffffff811a1ea0\u003e] ? process_one_work+0x1340/0x1340\n [\u003cffffffff811b3c68\u003e] ? kthread+0x1c8/0x230\n...\nMemory state around the buggy address:\n ffff88006b0c1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff88006b0c1180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n\u003effff88006b0c1200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                                  ^\n ffff88006b0c1280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n ffff88006b0c1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n\nFixes: 23424c0d31 (Bluetooth: Add support creating virtual AMP controllers)\nSigned-off-by: Jiri Slaby \u003cjslaby@suse.cz\u003e\nSigned-off-by: Marcel Holtmann \u003cmarcel@holtmann.org\u003e\nCc: Dmitry Vyukov \u003cdvyukov@google.com\u003e\nCc: stable 3.13+ \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nBluetooth: vhci: purge unhandled skbs\n\n[ Upstream commit 13407376b255325fa817798800117a839f3aa055 ]\n\nThe write handler allocates skbs and queues them into data-\u003ereadq.\nRead side should read them, if there is any. If there is none, skbs\nshould be dropped by hdev-\u003eflush. But this happens only if the device\nis HCI_UP, i.e. hdev-\u003epower_on work was triggered already. When it was\nnot, skbs stay allocated in the queue when /dev/vhci is closed. So\npurge the queue in -\u003erelease.\n\nProgram to reproduce:\n\t#include \u003cerr.h\u003e\n\t#include \u003cfcntl.h\u003e\n\t#include \u003cstdio.h\u003e\n\t#include \u003cunistd.h\u003e\n\n\t#include \u003csys/stat.h\u003e\n\t#include \u003csys/types.h\u003e\n\t#include \u003csys/uio.h\u003e\n\n\tint main()\n\t{\n\t\tchar buf[] \u003d { 0xff, 0 };\n\t\tstruct iovec iov \u003d {\n\t\t\t.iov_base \u003d buf,\n\t\t\t.iov_len \u003d sizeof(buf),\n\t\t};\n\t\tint fd;\n\n\t\twhile (1) {\n\t\t\tfd \u003d open(\"/dev/vhci\", O_RDWR);\n\t\t\tif (fd \u003c 0)\n\t\t\t\terr(1, \"open\");\n\n\t\t\tusleep(50);\n\n\t\t\tif (writev(fd, \u0026iov, 1) \u003c 0)\n\t\t\t\terr(1, \"writev\");\n\n\t\t\tusleep(50);\n\n\t\t\tclose(fd);\n\t\t}\n\n\t\treturn 0;\n\t}\n\nResult:\nkmemleak: 4609 new suspected memory leaks\nunreferenced object 0xffff88059f4d5440 (size 232):\n  comm \"vhci\", pid 1084, jiffies 4294912542 (age 37569.296s)\n  hex dump (first 32 bytes):\n    20 f0 23 87 05 88 ff ff 20 f0 23 87 05 88 ff ff   .#..... .#.....\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n...\n    [\u003cffffffff81ece010\u003e] __alloc_skb+0x0/0x5a0\n    [\u003cffffffffa021886c\u003e] vhci_create_device+0x5c/0x580 [hci_vhci]\n    [\u003cffffffffa0219436\u003e] vhci_write+0x306/0x4c8 [hci_vhci]\n\nFixes: 23424c0d31 (Bluetooth: Add support creating virtual AMP controllers)\nSigned-off-by: Jiri Slaby \u003cjslaby@suse.cz\u003e\nSigned-off-by: Marcel Holtmann \u003cmarcel@holtmann.org\u003e\nCc: stable 3.13+ \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ncpuidle: Indicate when a device has been unregistered\n\n[ Upstream commit c998c07836f985b24361629dc98506ec7893e7a0 ]\n\nCurrently the \u0027registered\u0027 member of the cpuidle_device struct is set\nto 1 during cpuidle_register_device. In this same function there are\nchecks to see if the device is already registered to prevent duplicate\ncalls to register the device, but this value is never set to 0 even on\nunregister of the device. Because of this, any attempt to call\ncpuidle_register_device after a call to cpuidle_unregister_device will\nfail which shouldn\u0027t be the case.\n\nTo prevent this, set registered to 0 when the device is unregistered.\n\nFixes: c878a52d3c7c (cpuidle: Check if device is already registered)\nSigned-off-by: Dave Gerlach \u003cd-gerlach@ti.com\u003e\nAcked-by: Daniel Lezcano \u003cdaniel.lezcano@linaro.org\u003e\nCc: All applicable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Rafael J. Wysocki \u003crafael.j.wysocki@intel.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nBluetooth: vhci: Fix race at creating hci device\n\n[ Upstream commit c7c999cb18da88a881e10e07f0724ad0bfaff770 ]\n\nhci_vhci driver creates a hci device object dynamically upon each\nHCI_VENDOR_PKT write.  Although it checks the already created object\nand returns an error, it\u0027s still racy and may build multiple hci_dev\nobjects concurrently when parallel writes are performed, as the device\ntracks only a single hci_dev object.\n\nThis patch introduces a mutex to protect against the concurrent device\ncreations.\n\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Marcel Holtmann \u003cmarcel@holtmann.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\npowerpc/book3s64: Fix branching to OOL handlers in relocatable kernel\n\n[ Upstream commit 8ed8ab40047a570fdd8043a40c104a57248dd3fd ]\n\nSome of the interrupt vectors on 64-bit POWER server processors are only\n32 bytes long (8 instructions), which is not enough for the full\nfirst-level interrupt handler. For these we need to branch to an\nout-of-line (OOL) handler. But when we are running a relocatable kernel,\ninterrupt vectors till __end_interrupts marker are copied down to real\naddress 0x100. So, branching to labels (ie. OOL handlers) outside this\nsection must be handled differently (see LOAD_HANDLER()), considering\nrelocatable kernel, which would need at least 4 instructions.\n\nHowever, branching from interrupt vector means that we corrupt the\nCFAR (come-from address register) on POWER7 and later processors as\nmentioned in commit 1707dd16. So, EXCEPTION_PROLOG_0 (6 instructions)\nthat contains the part up to the point where the CFAR is saved in the\nPACA should be part of the short interrupt vectors before we branch out\nto OOL handlers.\n\nBut as mentioned already, there are interrupt vectors on 64-bit POWER\nserver processors that are only 32 bytes long (like vectors 0x4f00,\n0x4f20, etc.), which cannot accomodate the above two cases at the same\ntime owing to space constraint. Currently, in these interrupt vectors,\nwe simply branch out to OOL handlers, without using LOAD_HANDLER(),\nwhich leaves us vulnerable when running a relocatable kernel (eg. kdump\ncase). While this has been the case for sometime now and kdump is used\nwidely, we were fortunate not to see any problems so far, for three\nreasons:\n\n  1. In almost all cases, production kernel (relocatable) is used for\n     kdump as well, which would mean that crashed kernel\u0027s OOL handler\n     would be at the same place where we end up branching to, from short\n     interrupt vector of kdump kernel.\n  2. Also, OOL handler was unlikely the reason for crash in almost all\n     the kdump scenarios, which meant we had a sane OOL handler from\n     crashed kernel that we branched to.\n  3. On most 64-bit POWER server processors, page size is large enough\n     that marking interrupt vector code as executable (see commit\n     429d2e83) leads to marking OOL handler code from crashed kernel,\n     that sits right below interrupt vector code from kdump kernel, as\n     executable as well.\n\nLet us fix this by moving the __end_interrupts marker down past OOL\nhandlers to make sure that we also copy OOL handlers to real address\n0x100 when running a relocatable kernel.\n\nThis fix has been tested successfully in kdump scenario, on an LPAR with\n4K page size by using different default/production kernel and kdump\nkernel.\n\nAlso tested by manually corrupting the OOL handlers in the first kernel\nand then kdump\u0027ing, and then causing the OOL handlers to fire - mpe.\n\nFixes: c1fb6816fb1b (\"powerpc: Add relocation on exception vector handlers\")\nCc: stable@vger.kernel.org\nSigned-off-by: Hari Bathini \u003chbathini@linux.vnet.ibm.com\u003e\nSigned-off-by: Mahesh Salgaonkar \u003cmahesh@linux.vnet.ibm.com\u003e\nSigned-off-by: Michael Ellerman \u003cmpe@ellerman.id.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nPM / Runtime: Fix error path in pm_runtime_force_resume()\n\n[ Upstream commit 0ae3aeefabbeef26294e7a349b51f1c761d46c9f ]\n\nAs pm_runtime_set_active() may fail because the device\u0027s parent isn\u0027t\nactive, we can end up executing the -\u003eruntime_resume() callback for the\ndevice when it isn\u0027t allowed.\n\nFix this by invoking pm_runtime_set_active() before running the callback\nand let\u0027s also deal with the error code.\n\nFixes: 37f204164dfb (PM: Add pm_runtime_suspend|resume_force functions)\nSigned-off-by: Ulf Hansson \u003culf.hansson@linaro.org\u003e\nReviewed-by: Linus Walleij \u003clinus.walleij@linaro.org\u003e\nCc: 3.15+ \u003cstable@vger.kernel.org\u003e # 3.15+\nSigned-off-by: Rafael J. Wysocki \u003crafael.j.wysocki@intel.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ncrypto: s5p-sss - Remove useless hash interrupt handler\n\n[ Upstream commit 5512442553bbe8d4fcdba3e17b30f187706384a7 ]\n\nBeside regular feed control interrupt, the driver requires also hash\ninterrupt for older SoCs (samsung,s5pv210-secss). However after\nrequesting it, the interrupt handler isn\u0027t doing anything with it, not\neven clearing the hash interrupt bit.\n\nDriver does not provide hash functions so it is safe to remove the hash\ninterrupt related code and to not require the interrupt in Device Tree.\n\nSigned-off-by: Krzysztof Kozlowski \u003ck.kozlowski@samsung.com\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ncrypto: s5p-sss - Fix missed interrupts when working with 8 kB blocks\n\n[ Upstream commit 79152e8d085fd64484afd473ef6830b45518acba ]\n\nThe tcrypt testing module on Exynos5422-based Odroid XU3/4 board failed on\ntesting 8 kB size blocks:\n\n\t$ sudo modprobe tcrypt sec\u003d1 mode\u003d500\n\ttesting speed of async ecb(aes) (ecb-aes-s5p) encryption\n\ttest 0 (128 bit key, 16 byte blocks): 21971 operations in 1 seconds (351536 bytes)\n\ttest 1 (128 bit key, 64 byte blocks): 21731 operations in 1 seconds (1390784 bytes)\n\ttest 2 (128 bit key, 256 byte blocks): 21932 operations in 1 seconds (5614592 bytes)\n\ttest 3 (128 bit key, 1024 byte blocks): 21685 operations in 1 seconds (22205440 bytes)\n\ttest 4 (128 bit key, 8192 byte blocks):\n\nThis was caused by a race issue of missed BRDMA_DONE (\"Block cipher\nReceiving DMA\") interrupt. Device starts processing the data in DMA mode\nimmediately after setting length of DMA block: receiving (FCBRDMAL) or\ntransmitting (FCBTDMAL). The driver sets these lengths from interrupt\nhandler through s5p_set_dma_indata() function (or xxx_setdata()).\n\nHowever the interrupt handler was first dealing with receive buffer\n(dma-unmap old, dma-map new, set receive block length which starts the\noperation), then with transmit buffer and finally was clearing pending\ninterrupts (FCINTPEND). Because of the time window between setting\nreceive buffer length and clearing pending interrupts, the operation on\nreceive buffer could end already and driver would miss new interrupt.\n\nUser manual for Exynos5422 confirms in example code that setting DMA\nblock lengths should be the last operation.\n\nThe tcrypt hang could be also observed in following blocked-task dmesg:\n\nINFO: task modprobe:258 blocked for more than 120 seconds.\n      Not tainted 4.6.0-rc4-next-20160419-00005-g9eac8b7b7753-dirty #42\n\"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\nmodprobe        D c06b09d8     0   258    256 0x00000000\n[\u003cc06b09d8\u003e] (__schedule) from [\u003cc06b0f24\u003e] (schedule+0x40/0xac)\n[\u003cc06b0f24\u003e] (schedule) from [\u003cc06b49f8\u003e] (schedule_timeout+0x124/0x178)\n[\u003cc06b49f8\u003e] (schedule_timeout) from [\u003cc06b17fc\u003e] (wait_for_common+0xb8/0x144)\n[\u003cc06b17fc\u003e] (wait_for_common) from [\u003cbf0013b8\u003e] (test_acipher_speed+0x49c/0x740 [tcrypt])\n[\u003cbf0013b8\u003e] (test_acipher_speed [tcrypt]) from [\u003cbf003e8c\u003e] (do_test+0x2240/0x30ec [tcrypt])\n[\u003cbf003e8c\u003e] (do_test [tcrypt]) from [\u003cbf008048\u003e] (tcrypt_mod_init+0x48/0xa4 [tcrypt])\n[\u003cbf008048\u003e] (tcrypt_mod_init [tcrypt]) from [\u003cc010177c\u003e] (do_one_initcall+0x3c/0x16c)\n[\u003cc010177c\u003e] (do_one_initcall) from [\u003cc0191ff0\u003e] (do_init_module+0x5c/0x1ac)\n[\u003cc0191ff0\u003e] (do_init_module) from [\u003cc0185610\u003e] (load_module+0x1a30/0x1d08)\n[\u003cc0185610\u003e] (load_module) from [\u003cc0185ab0\u003e] (SyS_finit_module+0x8c/0x98)\n[\u003cc0185ab0\u003e] (SyS_finit_module) from [\u003cc01078c0\u003e] (ret_fast_syscall+0x0/0x3c)\n\nFixes: a49e490c7a8a (\"crypto: s5p-sss - add S5PV210 advanced crypto engine support\")\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Krzysztof Kozlowski \u003ck.kozlowski@samsung.com\u003e\nTested-by: Marek Szyprowski \u003cm.szyprowski@samsung.com\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nath9k: Fix LED polarity for some Mini PCI AR9220 MB92 cards.\n\n[ Upstream commit 0f9edcdd88a993914fa1d1dc369b35dc503979db ]\n\nThe Wistron DNMA-92 and Compex WLM200NX have inverted LED polarity\n(active high instead of active low).\n\nThe same PCI Subsystem ID is used by both cards, which are based on\nthe same Atheros MB92 design.\n\nCc: \u003clinux-wireless@vger.kernel.org\u003e\nCc: \u003cath9k-devel@qca.qualcomm.com\u003e\nCc: \u003cath9k-devel@lists.ath9k.org\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Vittorio Gambaletta \u003clinuxbugs@vittgam.net\u003e\nSigned-off-by: Kalle Valo \u003ckvalo@qca.qualcomm.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\npinctrl: exynos5440: Use off-stack memory for pinctrl_gpio_range\n\n[ Upstream commit 71324fdc72ef0163e57631aa814a9a81e9e4770b ]\n\nThe range is registered into a linked list which can be referenced\nthroughout the lifetime of the driver. Ensure the range\u0027s memory is useful\nfor the same lifetime by adding it to the driver\u0027s private data structure.\n\nThe bug was introduced in the driver\u0027s initial commit, which was present in\nv3.10.\n\nFixes: f0b9a7e521fa (\"pinctrl: exynos5440: add pinctrl driver for Samsung EXYNOS5440 SoC\")\nCc: stable@vger.kernel.org\nSigned-off-by: Andrew Jeffery \u003candrew@aj.id.au\u003e\nAcked-by: Tomasz Figa \u003ctomasz.figa@gmail.com\u003e\nReviewed-by: Krzysztof Kozlowski \u003ck.kozlowski@samsung.com\u003e\nSigned-off-by: Linus Walleij \u003clinus.walleij@linaro.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nbtrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in btrfs_ioctl\n\n[ Upstream commit 4c63c2454eff996c5e27991221106eb511f7db38 ]\n\n32-bit ioctl uses these rather than the regular FS_IOC_* versions. They can\nbe handled in btrfs using the same code. Without this, 32-bit {ch,ls}attr\nfail.\n\nSigned-off-by: Luke Dashjr \u003cluke-jr+git@utopios.org\u003e\nCc: stable@vger.kernel.org\nReviewed-by: Josef Bacik \u003cjbacik@fb.com\u003e\nReviewed-by: David Sterba \u003cdsterba@suse.com\u003e\nSigned-off-by: David Sterba \u003cdsterba@suse.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nphoenix591 fixed conflict on hcd.c to preserve lg change\nusb: core: hub: hub_port_init lock controller instead of bus\n\n[ Upstream commit feb26ac31a2a5cb88d86680d9a94916a6343e9e6 ]\n\nThe XHCI controller presents two USB buses to the system - one for USB2\nand one for USB3. The hub init code (hub_port_init) is reentrant but\nonly locks one bus per thread, leading to a race condition failure when\ntwo threads attempt to simultaneously initialise a USB2 and USB3 device:\n\n[    8.034843] xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command\n[   13.183701] usb 3-3: device descriptor read/all, error -110\n\nOn a test system this failure occurred on 6% of all boots.\n\nThe call traces at the point of failure are:\n\nCall Trace:\n [\u003cffffffff81b9bab7\u003e] schedule+0x37/0x90\n [\u003cffffffff817da7cd\u003e] usb_kill_urb+0x8d/0xd0\n [\u003cffffffff8111e5e0\u003e] ? wake_up_atomic_t+0x30/0x30\n [\u003cffffffff817dafbe\u003e] usb_start_wait_urb+0xbe/0x150\n [\u003cffffffff817db10c\u003e] usb_control_msg+0xbc/0xf0\n [\u003cffffffff817d07de\u003e] hub_port_init+0x51e/0xb70\n [\u003cffffffff817d4697\u003e] hub_event+0x817/0x1570\n [\u003cffffffff810f3e6f\u003e] process_one_work+0x1ff/0x620\n [\u003cffffffff810f3dcf\u003e] ? process_one_work+0x15f/0x620\n [\u003cffffffff810f4684\u003e] worker_thread+0x64/0x4b0\n [\u003cffffffff810f4620\u003e] ? rescuer_thread+0x390/0x390\n [\u003cffffffff810fa7f5\u003e] kthread+0x105/0x120\n [\u003cffffffff810fa6f0\u003e] ? kthread_create_on_node+0x200/0x200\n [\u003cffffffff81ba183f\u003e] ret_from_fork+0x3f/0x70\n [\u003cffffffff810fa6f0\u003e] ? kthread_create_on_node+0x200/0x200\n\nCall Trace:\n [\u003cffffffff817fd36d\u003e] xhci_setup_device+0x53d/0xa40\n [\u003cffffffff817fd87e\u003e] xhci_address_device+0xe/0x10\n [\u003cffffffff817d047f\u003e] hub_port_init+0x1bf/0xb70\n [\u003cffffffff811247ed\u003e] ? trace_hardirqs_on+0xd/0x10\n [\u003cffffffff817d4697\u003e] hub_event+0x817/0x1570\n [\u003cffffffff810f3e6f\u003e] process_one_work+0x1ff/0x620\n [\u003cffffffff810f3dcf\u003e] ? process_one_work+0x15f/0x620\n [\u003cffffffff810f4684\u003e] worker_thread+0x64/0x4b0\n [\u003cffffffff810f4620\u003e] ? rescuer_thread+0x390/0x390\n [\u003cffffffff810fa7f5\u003e] kthread+0x105/0x120\n [\u003cffffffff810fa6f0\u003e] ? kthread_create_on_node+0x200/0x200\n [\u003cffffffff81ba183f\u003e] ret_from_fork+0x3f/0x70\n [\u003cffffffff810fa6f0\u003e] ? kthread_create_on_node+0x200/0x200\n\nWhich results from the two call chains:\n\nhub_port_init\n usb_get_device_descriptor\n  usb_get_descriptor\n   usb_control_msg\n    usb_internal_control_msg\n     usb_start_wait_urb\n      usb_submit_urb / wait_for_completion_timeout / usb_kill_urb\n\nhub_port_init\n hub_set_address\n  xhci_address_device\n   xhci_setup_device\n\nMathias Nyman explains the current behaviour violates the XHCI spec:\n\n hub_port_reset() will end up moving the corresponding xhci device slot\n to default state.\n\n As hub_port_reset() is called several times in hub_port_init() it\n sounds reasonable that we could end up with two threads having their\n xhci device slots in default state at the same time, which according to\n xhci 4.5.3 specs still is a big no no:\n\n \"Note: Software shall not transition more than one Device Slot to the\n  Default State at a time\"\n\n So both threads fail at their next task after this.\n One fails to read the descriptor, and the other fails addressing the\n device.\n\nFix this in hub_port_init by locking the USB controller (instead of an\nindividual bus) to prevent simultaneous initialisation of both buses.\n\nFixes: 638139eb95d2 (\"usb: hub: allow to process more usb hub events in parallel\")\nLink: https://lkml.org/lkml/2016/2/8/312\nLink: https://lkml.org/lkml/2016/2/4/748\nSigned-off-by: Chris Bainbridge \u003cchris.bainbridge@gmail.com\u003e\nCc: stable \u003cstable@vger.kernel.org\u003e\nAcked-by: Mathias Nyman \u003cmathias.nyman@linux.intel.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nTTY: n_gsm, fix false positive WARN_ON\n\n[ Upstream commit d175feca89a1c162f60f4e3560ca7bc9437c65eb ]\n\nDmitry reported, that the current cleanup code in n_gsm can trigger a\nwarning:\nWARNING: CPU: 2 PID: 24238 at drivers/tty/n_gsm.c:2048 gsm_cleanup_mux+0x166/0x6b0()\n...\nCall Trace:\n...\n [\u003cffffffff81247ab9\u003e] warn_slowpath_null+0x29/0x30 kernel/panic.c:490\n [\u003cffffffff828d0456\u003e] gsm_cleanup_mux+0x166/0x6b0 drivers/tty/n_gsm.c:2048\n [\u003cffffffff828d4d87\u003e] gsmld_open+0x5b7/0x7a0 drivers/tty/n_gsm.c:2386\n [\u003cffffffff828b9078\u003e] tty_ldisc_open.isra.2+0x78/0xd0 drivers/tty/tty_ldisc.c:447\n [\u003cffffffff828b973a\u003e] tty_set_ldisc+0x1ca/0xa70 drivers/tty/tty_ldisc.c:567\n [\u003c     inline     \u003e] tiocsetd drivers/tty/tty_io.c:2650\n [\u003cffffffff828a14ea\u003e] tty_ioctl+0xb2a/0x2140 drivers/tty/tty_io.c:2883\n...\n\nBut this is a legal path when open fails to find a space in the\ngsm_mux array and tries to clean up. So make it a standard test\ninstead of a warning.\n\nReported-by: \"Dmitry Vyukov\" \u003cdvyukov@google.com\u003e\nCc: Alan Cox \u003calan@linux.intel.com\u003e\nLink: http://lkml.kernel.org/r/CACT4Y+bHQbAB68VFi7Romcs-Z9ZW3kQRvcq+BvHH1oa5NcAdLA@mail.gmail.com\nFixes: 5a640967 (\"tty/n_gsm.c: fix a memory leak in gsmld_open()\")\nCc: stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Jiri Slaby \u003cjslaby@suse.cz\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\narm/arm64: KVM: Enforce Break-Before-Make on Stage-2 page tables\n\n[ Upstream commit d4b9e0790aa764c0b01e18d4e8d33e93ba36d51f ]\n\nThe ARM architecture mandates that when changing a page table entry\nfrom a valid entry to another valid entry, an invalid entry is first\nwritten, TLB invalidated, and only then the new entry being written.\n\nThe current code doesn\u0027t respect this, directly writing the new\nentry and only then invalidating TLBs. Let\u0027s fix it up.\n\nCc: \u003cstable@vger.kernel.org\u003e\nReported-by: Christoffer Dall \u003cchristoffer.dall@linaro.org\u003e\nSigned-off-by: Marc Zyngier \u003cmarc.zyngier@arm.com\u003e\nSigned-off-by: Christoffer Dall \u003cchristoffer.dall@linaro.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\naacraid: Relinquish CPU during timeout wait\n\n[ Upstream commit 07beca2be24cc710461c0b131832524c9ee08910 ]\n\naac_fib_send has a special function case for initial commands during\ndriver initialization using wait \u003c 0(pseudo sync mode). In this case,\nthe command does not sleep but rather spins checking for timeout.This\nloop is calls cpu_relax() in an attempt to allow other processes/threads\nto use the CPU, but this function does not relinquish the CPU and so the\ncommand will hog the processor. This was observed in a KDUMP\n\"crashkernel\" and that prevented the \"command thread\" (which is\nresponsible for completing the command from being timed out) from\nstarting because it could not get the CPU.\n\nFixed by replacing \"cpu_relax()\" call with \"schedule()\"\nCc: stable@vger.kernel.org\nSigned-off-by: Raghava Aditya Renukunta \u003cRaghavaAditya.Renukunta@microsemi.com\u003e\nReviewed-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\naacraid: Fix for aac_command_thread hang\n\n[ Upstream commit fc4bf75ea300a5e62a2419f89dd0e22189dd7ab7 ]\n\nTypically under error conditions, it is possible for aac_command_thread()\nto miss the wakeup from kthread_stop() and go back to sleep, causing it\nto hang aac_shutdown.\n\nIn the observed scenario, the adapter is not functioning correctly and so\naac_fib_send() never completes (or time-outs depending on how it was\ncalled). Shortly after aac_command_thread() starts it performs\naac_fib_send(SendHostTime) which hangs. When aac_probe_one\n/aac_get_adapter_info send time outs, kthread_stop is called which breaks\nthe command thread out of it\u0027s hang.\n\nThe code will still go back to sleep in schedule_timeout() without\nchecking kthread_should_stop() so it causes aac_probe_one to hang until\nthe schedule_timeout() which is 30 minutes.\n\nFixed by: Adding another kthread_should_stop() before schedule_timeout()\nCc: stable@vger.kernel.org\nSigned-off-by: Raghava Aditya Renukunta \u003cRaghavaAditya.Renukunta@microsemi.com\u003e\nReviewed-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\next4: fix hang when processing corrupted orphaned inode list\n\n[ Upstream commit c9eb13a9105e2e418f72e46a2b6da3f49e696902 ]\n\nIf the orphaned inode list contains inode #5, ext4_iget() returns a\nbad inode (since the bootloader inode should never be referenced\ndirectly).  Because of the bad inode, we end up processing the inode\nrepeatedly and this hangs the machine.\n\nThis can be reproduced via:\n\n   mke2fs -t ext4 /tmp/foo.img 100\n   debugfs -w -R \"ssv last_orphan 5\" /tmp/foo.img\n   mount -o loop /tmp/foo.img /mnt\n\n(But don\u0027t do this if you are using an unpatched kernel if you care\nabout the system staying functional.  :-)\n\nThis bug was found by the port of American Fuzzy Lop into the kernel\nto find file system problems[1].  (Since it *only* happens if inode #5\nshows up on the orphan list --- 3, 7, 8, etc. won\u0027t do it, it\u0027s not\nsurprising that AFL needed two hours before it found it.)\n\n[1] http://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf\n\nCc: stable@vger.kernel.org\nReported by: Vegard Nossum \u003cvegard.nossum@oracle.com\u003e\nSigned-off-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\next4: clean up error handling when orphan list is corrupted\n\n[ Upstream commit 7827a7f6ebfcb7f388dc47fddd48567a314701ba ]\n\nInstead of just printing warning messages, if the orphan list is\ncorrupted, declare the file system is corrupted.  If there are any\nreserved inodes in the orphaned inode list, declare the file system\ncorrupted and stop right away to avoid doing more potential damage to\nthe file system.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nMIPS: ath79: make bootconsole wait for both THRE and TEMT\n\n[ Upstream commit f5b556c94c8490d42fea79d7b4ae0ecbc291e69d ]\n\nThis makes the ath79 bootconsole behave the same way as the generic 8250\nbootconsole.\n\nAlso waiting for TEMT (transmit buffer is empty) instead of just THRE\n(transmit buffer is not full) ensures that all characters have been\ntransmitted before the real serial driver starts reconfiguring the serial\ncontroller (which would sometimes result in garbage being transmitted.)\nThis change does not cause a visible performance loss.\n\nIn addition, this seems to fix a hang observed in certain configurations on\nmany AR7xxx/AR9xxx SoCs during autoconfig of the real serial driver.\n\nA more complete follow-up patch will disable 8250 autoconfig for ath79\naltogether (the serial controller is detected as a 16550A, which is not\nfully compatible with the ath79 serial, and the autoconfig may lead to\nundefined behavior on ath79.)\n\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Matthias Schiffer \u003cmschiffer@universe-factory.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nQE-UART: add \"fsl,t1040-ucc-uart\" to of_device_id\n\n[ Upstream commit 11ca2b7ab432eb90906168c327733575e68d388f ]\n\nNew bindings use \"fsl,t1040-ucc-uart\" as the compatible for qe-uart.\nSo add it.\n\nSigned-off-by: Zhao Qiang \u003cqiang.zhao@nxp.com\u003e\nCc: stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nthunderbolt: Fix double free of drom buffer\n\n[ Upstream commit 2ffa9a5d76a75abbc1f95c17959fced666095bdd ]\n\nIf tb_drom_read() fails, sw-\u003edrom is freed but not set to NULL.  sw-\u003edrom\nis then freed again in the error path of tb_switch_alloc().\n\nThe bug can be triggered by unplugging a thunderbolt device shortly after\nit is detected by the thunderbolt driver.\n\nClear sw-\u003edrom if tb_drom_read() fails.\n\n[bhelgaas: add Fixes:, stable versions of interest]\nFixes: 343fcb8c70d7 (\"thunderbolt: Fix nontrivial endpoint devices.\")\nSigned-off-by: Andreas Noever \u003candreas.noever@gmail.com\u003e\nSigned-off-by: Bjorn Helgaas \u003cbhelgaas@google.com\u003e\nCC: stable@vger.kernel.org\t# v3.17+\nCC: Lukas Wunner \u003clukas@wunner.de\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUSB: serial: option: add support for Cinterion PH8 and AHxx\n\n[ Upstream commit 444f94e9e625f6ec6bbe2cb232a6451c637f35a3 ]\n\nAdded support for Gemalto\u0027s Cinterion PH8 and AHxx products\nwith 2 RmNet Interfaces and products with 1 RmNet + 1 USB Audio interface.\n\nIn addition some minor renaming and formatting.\n\nSigned-off-by: Hans-Christoph Schemmel \u003chans-christoph.schemmel@gemalto.com\u003e\n[johan: sort current entries and trim trailing whitespace ]\nCc: stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUSB: leave LPM alone if possible when binding/unbinding interface drivers\n\n[ Upstream commit 6fb650d43da3e7054984dc548eaa88765a94d49f ]\n\nWhen a USB driver is bound to an interface (either through probing or\nby claiming it) or is unbound from an interface, the USB core always\ndisables Link Power Management during the transition and then\nre-enables it afterward.  The reason is because the driver might want\nto prevent hub-initiated link power transitions, in which case the HCD\nwould have to recalculate the various LPM parameters.  This\nrecalculation takes place when LPM is re-enabled and the new\nparameters are sent to the device and its parent hub.\n\nHowever, if the driver does not want to prevent hub-initiated link\npower transitions then none of this work is necessary.  The parameters\ndon\u0027t need to be recalculated, and LPM doesn\u0027t need to be disabled and\nre-enabled.\n\nIt turns out that disabling and enabling LPM can be time-consuming,\nenough so that it interferes with user programs that want to claim and\nrelease interfaces rapidly via usbfs.  Since the usbfs kernel driver\ndoesn\u0027t set the disable_hub_initiated_lpm flag, we can speed things up\nand get the user programs to work by leaving LPM alone whenever the\nflag isn\u0027t set.\n\nAnd while we\u0027re improving the way disable_hub_initiated_lpm gets used,\nlet\u0027s also fix its kerneldoc.\n\nSigned-off-by: Alan Stern \u003cstern@rowland.harvard.edu\u003e\nTested-by: Matthew Giassa \u003cmatthew@giassa.net\u003e\nCC: Mathias Nyman \u003cmathias.nyman@intel.com\u003e\nCC: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nusb: misc: usbtest: format the data pattern according to max packet size\n\n[ Upstream commit b9a6e8e1001e28fecbd74c073f5503dac2790563 ]\n\nWith this change, the host and gadget doesn\u0027t need to agree with transfer\nlength for comparing the data, since they doesn\u0027t know each other\u0027s\ntransfer size, but know max packet size.\n\nSigned-off-by: Peter Chen \u003cpeter.chen@freescale.com\u003e\nAcked-by: Michal Nazarewicz \u003cmina86@mina86.com\u003e\n(Fixed the \u0027line over 80 characters warning\u0027 by Peter Chen)\nTested-by: Peter Chen \u003cpeter.chen@freescale.com\u003e\nSigned-off-by: Alan Stern \u003cstern@rowland.harvard.edu\u003e\nSigned-off-by: Felipe Balbi \u003cbalbi@ti.com\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nusb: misc: usbtest: fix pattern tests for scatterlists.\n\n[ Upstream commit cdc77c82a8286b1181b81b6e5ef60c8e83ded7bc ]\n\nThe current implemenentation restart the sent pattern for each entry in\nthe sg list. The receiving end expects a continuous pattern, and test\nwill fail unless scatterilst entries happen to be aligned with the\npattern\n\nFix this by calculating the pattern byte based on total sent size\ninstead of just the current sg entry.\n\nSigned-off-by: Mathias Nyman \u003cmathias.nyman@linux.intel.com\u003e\nFixes: 8b5249019352 (\"[PATCH] USB: usbtest: scatterlist OUT data pattern testing\")\nCc: \u003cstable@vger.kernel.org\u003e # v2.6.18+\nAcked-by: Felipe Balbi \u003cfelipe.balbi@linux.intel.com\u003e\nAcked-by: Alan Stern \u003cstern@rowland.harvard.edu\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmcb: Fixed bar number assignment for the gdd\n\n[ Upstream commit f75564d343010b025301d9548f2304f48eb25f01 ]\n\nThe bar number is found in reg2 within the gdd. Therefore\nwe need to change the assigment from reg1 to reg2 which\nis the correct location.\n\nSigned-off-by: Andreas Werner \u003candreas.werner@men.de\u003e\nFixes: \u00273764e82e5\u0027 drivers: Introduce MEN Chameleon Bus\nCc: stable@vger.kernel.org # v3.15+\nSigned-off-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUSB: serial: option: add more ZTE device ids\n\n[ Upstream commit f0d09463c59c2d764a6c6d492cbe6d2c77f27153 ]\n\nMore ZTE device ids.\n\nSigned-off-by: lei liu \u003cliu.lei78@zte.com.cn\u003e\nCc: stable \u003cstable@vger.kernel.org\u003e\n[properly sort them - gregkh]\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUSB: serial: option: add even more ZTE device ids\n\n[ Upstream commit 74d2a91aec97ab832790c9398d320413ad185321 ]\n\nAdd even more ZTE device ids.\n\nSigned-off-by: lei liu \u003cliu.lei78@zte.com.cn\u003e\nCc: stable \u003cstable@vger.kernel.org\u003e\n[johan: rebase and replace commit message ]\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nACPI / osi: Fix an issue that acpi_osi\u003d!* cannot disable ACPICA internal strings\n\n[ Upstream commit 30c9bb0d7603e7b3f4d6a0ea231e1cddae020c32 ]\n\nThe order of the _OSI related functionalities is as follows:\n\n  acpi_blacklisted()\n    acpi_dmi_osi_linux()\n      acpi_osi_setup()\n    acpi_osi_setup()\n      acpi_update_interfaces() if \"!*\"\n      \u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\n  parse_args()\n    __setup(\"acpi_osi\u003d\")\n      acpi_osi_setup_linux()\n        acpi_update_interfaces() if \"!*\"\n        \u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\n  acpi_early_init()\n    acpi_initialize_subsystem()\n      acpi_ut_initialize_interfaces()\n      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  acpi_bus_init()\n    acpi_os_initialize1()\n      acpi_install_interface_handler(acpi_osi_handler)\n      acpi_osi_setup_late()\n        acpi_update_interfaces() for \"!\"\n        \u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\n  acpi_osi_handler()\n\nSince acpi_osi_setup_linux() can override acpi_dmi_osi_linux(), the command\nline setting can override the DMI detection. That\u0027s why acpi_blacklisted()\nis put before __setup(\"acpi_osi\u003d\").\n\nThen we can notice the following wrong invocation order. There are\nacpi_update_interfaces() (marked by \u003c\u003c\u003c\u003c) calls invoked before\nacpi_ut_initialize_interfaces() (marked by ^^^^). This makes it impossible\nto use acpi_osi\u003d!* correctly from OSI DMI table or from the command line.\nThe use of acpi_osi\u003d!* is meant to disable both ACPICA\n(acpi_gbl_supported_interfaces) and Linux specific strings\n(osi_setup_entries) while the ACPICA part should have stopped working\nbecause of the order issue.\n\nThis patch fixes this issue by moving acpi_update_interfaces() to where\nit is invoked for acpi_osi\u003d! (marked by \u003e\u003e\u003e\u003e) as this is ensured to be\ninvoked after acpi_ut_initialize_interfaces() (marked by ^^^^). Linux\nspecific strings are still handled in the original place in order to make\nthe following command line working: acpi_osi\u003d!* acpi_osi\u003d\"Module Device\".\n\nNote that since acpi_osi\u003d!* is meant to further disable linux specific\nstring comparing to the acpi_osi\u003d!, there is no such use case in our bug\nfixing work and hence there is no one using acpi_osi\u003d!* either from the\ncommand line or from the DMI quirks, this issue is just a theoretical\nissue.\n\nFixes: 741d81280ad2 (ACPI: Add facility to remove all _OSI strings)\nCc: 3.12+ \u003cstable@vger.kernel.org\u003e # 3.12+\nTested-by: Lukas Wunner \u003clukas@wunner.de\u003e\nTested-by: Chen Yu \u003cyu.c.chen@intel.com\u003e\nSigned-off-by: Lv Zheng \u003clv.zheng@intel.com\u003e\nSigned-off-by: Rafael J. Wysocki \u003crafael.j.wysocki@intel.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUSB: cp210x: relocate private data from USB interface to port\n\n[ Upstream commit e2ae67a3b55188b0342522d8139acf013feb2a69 ]\n\nThis change is preparation for implementing a cp2108 bug workaround.\nThe workaround requires storing some private data. Right now the data is\nattached to the USB interface and allocated in the attach() callback.\nThe bug detection requires USB I/O which is done easier from port_probe()\ncallback rather than attach(). Since the USB access functions take port\nas a parameter, and since the private data is used exclusively by these\nfunctions, it can be allocated in port_probe(). Also, all cp210x devices\nhave exactly 1 port per USB iterface, so moving private data from the USB\ninterface to port is trivial.\n\nSigned-off-by: Konstantin Shkolnyy \u003ckonstantin.shkolnyy@gmail.com\u003e\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUSB: serial: cp210x: fix hardware flow-control disable\n\n[ Upstream commit a377f9e906af4df9071ba8ddba60188cb4013d93 ]\n\nA bug in the CRTSCTS handling caused RTS to alternate between\n\nCRTSCTS\u003d0 \u003d\u003e \"RTS is transmit active signal\" and\nCRTSCTS\u003d1 \u003d\u003e \"RTS is used for receive flow control\"\n\ninstead of\n\nCRTSCTS\u003d0 \u003d\u003e \"RTS is statically active\" and\nCRTSCTS\u003d1 \u003d\u003e \"RTS is used for receive flow control\"\n\nThis only happened after first having enabled CRTSCTS.\n\nSigned-off-by: Konstantin Shkolnyy \u003ckonstantin.shkolnyy@gmail.com\u003e\nFixes: 39a66b8d22a3 (\"[PATCH] USB: CP2101 Add support for flow control\")\nCc: stable \u003cstable@vger.kernel.org\u003e\n[johan: reword commit message ]\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\next4: fix oops on corrupted filesystem\n\n[ Upstream commit 74177f55b70e2f2be770dd28684dd6d17106a4ba ]\n\nWhen filesystem is corrupted in the right way, it can happen\next4_mark_iloc_dirty() in ext4_orphan_add() returns error and we\nsubsequently remove inode from the in-memory orphan list. However this\ndeletion is done with list_del(\u0026EXT4_I(inode)-\u003ei_orphan) and thus we\nleave i_orphan list_head with a stale content. Later we can look at this\ncontent causing list corruption, oops, or other issues. The reported\ntrace looked like:\n\nWARNING: CPU: 0 PID: 46 at lib/list_debug.c:53 __list_del_entry+0x6b/0x100()\nlist_del corruption, 0000000061c1d6e0-\u003enext is LIST_POISON1\n0000000000100100)\nCPU: 0 PID: 46 Comm: ext4.exe Not tainted 4.1.0-rc4+ #250\nStack:\n 60462947 62219960 602ede24 62219960\n 602ede24 603ca293 622198f0 602f02eb\n 62219950 6002c12c 62219900 601b4d6b\nCall Trace:\n [\u003c6005769c\u003e] ? vprintk_emit+0x2dc/0x5c0\n [\u003c602ede24\u003e] ? printk+0x0/0x94\n [\u003c600190bc\u003e] show_stack+0xdc/0x1a0\n [\u003c602ede24\u003e] ? printk+0x0/0x94\n [\u003c602ede24\u003e] ? printk+0x0/0x94\n [\u003c602f02eb\u003e] dump_stack+0x2a/0x2c\n [\u003c6002c12c\u003e] warn_slowpath_common+0x9c/0xf0\n [\u003c601b4d6b\u003e] ? __list_del_entry+0x6b/0x100\n [\u003c6002c254\u003e] warn_slowpath_fmt+0x94/0xa0\n [\u003c602f4d09\u003e] ? __mutex_lock_slowpath+0x239/0x3a0\n [\u003c6002c1c0\u003e] ? warn_slowpath_fmt+0x0/0xa0\n [\u003c60023ebf\u003e] ? set_signals+0x3f/0x50\n [\u003c600a205a\u003e] ? kmem_cache_free+0x10a/0x180\n [\u003c602f4e88\u003e] ? mutex_lock+0x18/0x30\n [\u003c601b4d6b\u003e] __list_del_entry+0x6b/0x100\n [\u003c601177ec\u003e] ext4_orphan_del+0x22c/0x2f0\n [\u003c6012f27c\u003e] ? __ext4_journal_start_sb+0x2c/0xa0\n [\u003c6010b973\u003e] ? ext4_truncate+0x383/0x390\n [\u003c6010bc8b\u003e] ext4_write_begin+0x30b/0x4b0\n [\u003c6001bb50\u003e] ? copy_from_user+0x0/0xb0\n [\u003c601aa840\u003e] ? iov_iter_fault_in_readable+0xa0/0xc0\n [\u003c60072c4f\u003e] generic_perform_write+0xaf/0x1e0\n [\u003c600c4166\u003e] ? file_update_time+0x46/0x110\n [\u003c60072f0f\u003e] __generic_file_write_iter+0x18f/0x1b0\n [\u003c6010030f\u003e] ext4_file_write_iter+0x15f/0x470\n [\u003c60094e10\u003e] ? unlink_file_vma+0x0/0x70\n [\u003c6009b180\u003e] ? unlink_anon_vmas+0x0/0x260\n [\u003c6008f169\u003e] ? free_pgtables+0xb9/0x100\n [\u003c600a6030\u003e] __vfs_write+0xb0/0x130\n [\u003c600a61d5\u003e] vfs_write+0xa5/0x170\n [\u003c600a63d6\u003e] SyS_write+0x56/0xe0\n [\u003c6029fcb0\u003e] ? __libc_waitpid+0x0/0xa0\n [\u003c6001b698\u003e] handle_syscall+0x68/0x90\n [\u003c6002633d\u003e] userspace+0x4fd/0x600\n [\u003c6002274f\u003e] ? save_registers+0x1f/0x40\n [\u003c60028bd7\u003e] ? arch_prctl+0x177/0x1b0\n [\u003c60017bd5\u003e] fork_handler+0x85/0x90\n\nFix the problem by using list_del_init() as we always should with\ni_orphan list.\n\nCC: stable@vger.kernel.org\nReported-by: Vegard Nossum \u003cvegard.nossum@oracle.com\u003e\nSigned-off-by: Jan Kara \u003cjack@suse.cz\u003e\nSigned-off-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\next4: address UBSAN warning in mb_find_order_for_block()\n\n[ Upstream commit b5cb316cdf3a3f5f6125412b0f6065185240cfdc ]\n\nCurrently, in mb_find_order_for_block(), there\u0027s a loop like the following:\n\n  while (order \u003c\u003d e4b-\u003ebd_blkbits + 1) {\n    ...\n    bb +\u003d 1 \u003c\u003c (e4b-\u003ebd_blkbits - order);\n  }\n\nNote that the updated bb is used in the loop\u0027s next iteration only.\n\nHowever, at the last iteration, that is at order \u003d\u003d e4b-\u003ebd_blkbits + 1,\nthe shift count becomes negative (c.f. C99 6.5.7(3)) and UBSAN reports\n\n  UBSAN: Undefined behaviour in fs/ext4/mballoc.c:1281:11\n  shift exponent -1 is negative\n  [...]\n  Call Trace:\n   [\u003cffffffff818c4d35\u003e] dump_stack+0xbc/0x117\n   [\u003cffffffff818c4c79\u003e] ? _atomic_dec_and_lock+0x169/0x169\n   [\u003cffffffff819411bb\u003e] ubsan_epilogue+0xd/0x4e\n   [\u003cffffffff81941cbc\u003e] __ubsan_handle_shift_out_of_bounds+0x1fb/0x254\n   [\u003cffffffff81941ac1\u003e] ? __ubsan_handle_load_invalid_value+0x158/0x158\n   [\u003cffffffff816e93a0\u003e] ? ext4_mb_generate_from_pa+0x590/0x590\n   [\u003cffffffff816502c8\u003e] ? ext4_read_block_bitmap_nowait+0x598/0xe80\n   [\u003cffffffff816e7b7e\u003e] mb_find_order_for_block+0x1ce/0x240\n   [...]\n\nUnless compilers start to do some fancy transformations (which at least\nGCC 6.0.0 doesn\u0027t currently do), the issue is of cosmetic nature only: the\nsuch calculated value of bb is never used again.\n\nSilence UBSAN by introducing another variable, bb_incr, holding the next\nincrement to apply to bb and adjust that one by right shifting it by one\nposition per loop iteration.\n\nBugzilla: https://bugzilla.kernel.org/show_bug.cgi?id\u003d114701\nBugzilla: https://bugzilla.kernel.org/show_bug.cgi?id\u003d112161\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nicolai Stange \u003cnicstange@gmail.com\u003e\nSigned-off-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\next4: silence UBSAN in ext4_mb_init()\n\n[ Upstream commit 935244cd54b86ca46e69bc6604d2adfb1aec2d42 ]\n\nCurrently, in ext4_mb_init(), there\u0027s a loop like the following:\n\n  do {\n    ...\n    offset +\u003d 1 \u003c\u003c (sb-\u003es_blocksize_bits - i);\n    i++;\n  } while (i \u003c\u003d sb-\u003es_blocksize_bits + 1);\n\nNote that the updated offset is used in the loop\u0027s next iteration only.\n\nHowever, at the last iteration, that is at i \u003d\u003d sb-\u003es_blocksize_bits + 1,\nthe shift count becomes equal to (unsigned)-1 \u003e 31 (c.f. C99 6.5.7(3))\nand UBSAN reports\n\n  UBSAN: Undefined behaviour in fs/ext4/mballoc.c:2621:15\n  shift exponent 4294967295 is too large for 32-bit type \u0027int\u0027\n  [...]\n  Call Trace:\n   [\u003cffffffff818c4d25\u003e] dump_stack+0xbc/0x117\n   [\u003cffffffff818c4c69\u003e] ? _atomic_dec_and_lock+0x169/0x169\n   [\u003cffffffff819411ab\u003e] ubsan_epilogue+0xd/0x4e\n   [\u003cffffffff81941cac\u003e] __ubsan_handle_shift_out_of_bounds+0x1fb/0x254\n   [\u003cffffffff81941ab1\u003e] ? __ubsan_handle_load_invalid_value+0x158/0x158\n   [\u003cffffffff814b6dc1\u003e] ? kmem_cache_alloc+0x101/0x390\n   [\u003cffffffff816fc13b\u003e] ? ext4_mb_init+0x13b/0xfd0\n   [\u003cffffffff814293c7\u003e] ? create_cache+0x57/0x1f0\n   [\u003cffffffff8142948a\u003e] ? create_cache+0x11a/0x1f0\n   [\u003cffffffff821c2168\u003e] ? mutex_lock+0x38/0x60\n   [\u003cffffffff821c23ab\u003e] ? mutex_unlock+0x1b/0x50\n   [\u003cffffffff814c26ab\u003e] ? put_online_mems+0x5b/0xc0\n   [\u003cffffffff81429677\u003e] ? kmem_cache_create+0x117/0x2c0\n   [\u003cffffffff816fcc49\u003e] ext4_mb_init+0xc49/0xfd0\n   [...]\n\nObserve that the mentioned shift exponent, 4294967295, equals (unsigned)-1.\n\nUnless compilers start to do some fancy transformations (which at least\nGCC 6.0.0 doesn\u0027t currently do), the issue is of cosmetic nature only: the\nsuch calculated value of offset is never used again.\n\nSilence UBSAN by introducing another variable, offset_incr, holding the\nnext increment to apply to offset and adjust that one by right shifting it\nby one position per loop iteration.\n\nBugzilla: https://bugzilla.kernel.org/show_bug.cgi?id\u003d114701\nBugzilla: https://bugzilla.kernel.org/show_bug.cgi?id\u003d112161\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nicolai Stange \u003cnicstange@gmail.com\u003e\nSigned-off-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmm: fix huge zero page accounting in smaps report\n\n[ Upstream commit c164e038eee805147e95789dddb88ae3b3aca11c ]\n\nAs a small zero page, huge zero page should not be accounted in smaps\nreport as normal page.\n\nFor small pages we rely on vm_normal_page() to filter out zero page, but\nvm_normal_page() is not designed to handle pmds.  We only get here due\nhackish cast pmd to pte in smaps_pte_range() -- pte and pmd format is not\nnecessary compatible on each and every architecture.\n\nLet\u0027s add separate codepath to handle pmds.  follow_trans_huge_pmd() will\ndetect huge zero page for us.\n\nWe would need pmd_dirty() helper to do this properly.  The patch adds it\nto THP-enabled architectures which don\u0027t yet have one.\n\n[akpm@linux-foundation.org: use do_div to fix 32-bit build]\nSigned-off-by: \"Kirill A. Shutemov\" \u003ckirill@shutemov.name\u003e\nReported-by: Fengguang Wu \u003cfengguang.wu@intel.com\u003e\nTested-by: Fengwei Yin \u003cyfw.kernel@gmail.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\narm64: Ensure pmd_present() returns false after pmd_mknotpresent()\n\n[ Upstream commit 5bb1cc0ff9a6b68871970737e6c4c16919928d8b ]\n\nCurrently, pmd_present() only checks for a non-zero value, returning\ntrue even after pmd_mknotpresent() (which only clears the type bits).\nThis patch converts pmd_present() to using pte_present(), similar to the\nother pmd_*() checks. As a side effect, it will return true for\nPROT_NONE mappings, though they are not yet used by the kernel with\ntransparent huge pages.\n\nFor consistency, also change pmd_mknotpresent() to only clear the\nPMD_SECT_VALID bit, even though the PMD_TABLE_BIT is already 0 for block\nmappings (no functional change). The unused PMD_SECT_PROT_NONE\ndefinition is removed as transparent huge pages use the pte page prot\nvalues.\n\nFixes: 9c7e535fcc17 (\"arm64: mm: Route pmd thp functions through pte equivalents\")\nCc: \u003cstable@vger.kernel.org\u003e # 3.15+\nReviewed-by: Will Deacon \u003cwill.deacon@arm.com\u003e\nSigned-off-by: Catalin Marinas \u003ccatalin.marinas@arm.com\u003e\nSigned-off-by: Will Deacon \u003cwill.deacon@arm.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ncan: fix handling of unmodifiable configuration options\n\n[ Upstream commit bb208f144cf3f59d8f89a09a80efd04389718907 ]\n\nAs described in \u0027can: m_can: tag current CAN FD controllers as non-ISO\u0027\n(6cfda7fbebe) it is possible to define fixed configuration options by\nsetting the according bit in \u0027ctrlmode\u0027 and clear it in \u0027ctrlmode_supported\u0027.\nThis leads to the incovenience that the fixed configuration bits can not be\npassed by netlink even when they have the correct values (e.g. non-ISO, FD).\n\nThis patch fixes that issue and not only allows fixed set bit values to be set\nagain but now requires(!) to provide these fixed values at configuration time.\nA valid CAN FD configuration consists of a nominal/arbitration bittiming, a\ndata bittiming and a control mode with CAN_CTRLMODE_FD set - which is now\nenforced by a new can_validate() function. This fix additionally removed the\ninconsistency that was prohibiting the support of \u0027CANFD-only\u0027 controller\ndrivers, like the RCar CAN FD.\n\nFor this reason a new helper can_set_static_ctrlmode() has been introduced to\nprovide a proper interface to handle static enabled CAN controller options.\n\nReported-by: Ramesh Shanmugasundaram \u003cramesh.shanmugasundaram@bp.renesas.com\u003e\nSigned-off-by: Oliver Hartkopp \u003csocketcan@hartkopp.net\u003e\nReviewed-by: Ramesh Shanmugasundaram  \u003cramesh.shanmugasundaram@bp.renesas.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e # \u003e\u003d 3.18\nSigned-off-by: Marc Kleine-Budde \u003cmkl@pengutronix.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nMIPS: Fix siginfo.h to use strict posix types\n\n[ Upstream commit 5daebc477da4dfeb31ae193d83084def58fd2697 ]\n\nCommit 85efde6f4e0d (\"make exported headers use strict posix types\")\nchanged the asm-generic siginfo.h to use the __kernel_* types, and\ncommit 3a471cbc081b (\"remove __KERNEL_STRICT_NAMES\") make the internal\ntypes accessible only to the kernel, but the MIPS implementation hasn\u0027t\nbeen updated to match.\n\nSwitch to proper types now so that the exported asm/siginfo.h won\u0027t\nproduce quite so many compiler errors when included alone by a user\nprogram.\n\nSigned-off-by: James Hogan \u003cjames.hogan@imgtec.com\u003e\nCc: Christopher Ferris \u003ccferris@google.com\u003e\nCc: linux-mips@linux-mips.org\nCc: \u003cstable@vger.kernel.org\u003e # 2.6.30-\nCc: linux-kernel@vger.kernel.org\nPatchwork: https://patchwork.linux-mips.org/patch/12477/\nSigned-off-by: Ralf Baechle \u003cralf@linux-mips.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nMIPS: Don\u0027t unwind to user mode with EVA\n\n[ Upstream commit a816b306c62195b7c43c92cb13330821a96bdc27 ]\n\nWhen unwinding through IRQs and exceptions, the unwinding only continues\nif the PC is a kernel text address, however since EVA it is possible for\nuser and kernel address ranges to overlap, potentially allowing\nunwinding to continue to user mode if the user PC happens to be in the\nkernel text address range.\n\nAdjust the check to also ensure that the register state from before the\nexception is actually running in kernel mode, i.e. !user_mode(regs).\n\nI don\u0027t believe any harm can come of this problem, since the PC is only\noutput, the stack pointer is checked to ensure it resides within the\ntask\u0027s stack page before it is dereferenced in search of the return\naddress, and the return address register is similarly only output (if\nthe PC is in a leaf function or the beginning of a non-leaf function).\n\nHowever unwind_stack() is only meant for unwinding kernel code, so to be\ncorrect the unwind should stop there.\n\nSigned-off-by: James Hogan \u003cjames.hogan@imgtec.com\u003e\nReviewed-by: Leonid Yegoshin \u003cLeonid.Yegoshin@imgtec.com\u003e\nCc: linux-mips@linux-mips.org\nCc: \u003cstable@vger.kernel.org\u003e # 3.15+\nPatchwork: https://patchwork.linux-mips.org/patch/11700/\nSigned-off-by: Ralf Baechle \u003cralf@linux-mips.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nMIPS: Avoid using unwind_stack() with usermode\n\n[ Upstream commit 81a76d7119f63c359750e4adeff922a31ad1135f ]\n\nWhen showing backtraces in response to traps, for example crashes and\naddress errors (usually unaligned accesses) when they are set in debugfs\nto be reported, unwind_stack will be used if the PC was in the kernel\ntext address range. However since EVA it is possible for user and kernel\naddress ranges to overlap, and even without EVA userland can still\ntrigger an address error by jumping to a KSeg0 address.\n\nAdjust the check to also ensure that it was running in kernel mode. I\ndon\u0027t believe any harm can come of this problem, since unwind_stack() is\nsufficiently defensive, however it is only meant for unwinding kernel\ncode, so to be correct it should use the raw backtracing instead.\n\nSigned-off-by: James Hogan \u003cjames.hogan@imgtec.com\u003e\nReviewed-by: Leonid Yegoshin \u003cLeonid.Yegoshin@imgtec.com\u003e\nCc: linux-mips@linux-mips.org\nCc: \u003cstable@vger.kernel.org\u003e # 3.15+\nPatchwork: https://patchwork.linux-mips.org/patch/11701/\nSigned-off-by: Ralf Baechle \u003cralf@linux-mips.org\u003e\n(cherry picked from commit d2941a975ac745c607dfb590e92bb30bc352dad9)\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmfd: omap-usb-tll: Fix scheduling while atomic BUG\n\n[ Upstream commit b49b927f16acee626c56a1af4ab4cb062f75b5df ]\n\nWe shouldn\u0027t be calling clk_prepare_enable()/clk_prepare_disable()\nin an atomic context.\n\nFixes the following issue:\n\n[    5.830970] ehci-omap: OMAP-EHCI Host Controller driver\n[    5.830974] driver_register \u0027ehci-omap\u0027\n[    5.895849] driver_register \u0027wl1271_sdio\u0027\n[    5.896870] BUG: scheduling while atomic: udevd/994/0x00000002\n[    5.896876] 4 locks held by udevd/994:\n[    5.896904]  #0:  (\u0026dev-\u003emutex){......}, at: [\u003cc049597c\u003e] __driver_attach+0x60/0xac\n[    5.896923]  #1:  (\u0026dev-\u003emutex){......}, at: [\u003cc049598c\u003e] __driver_attach+0x70/0xac\n[    5.896946]  #2:  (tll_lock){+.+...}, at: [\u003cc04c2630\u003e] omap_tll_enable+0x2c/0xd0\n[    5.896966]  #3:  (prepare_lock){+.+...}, at: [\u003cc05ce9c8\u003e] clk_prepare_lock+0x48/0xe0\n[    5.897042] Modules linked in: wlcore_sdio(+) ehci_omap(+) dwc3_omap snd_soc_ts3a225e leds_is31fl319x bq27xxx_battery_i2c tsc2007 bq27xxx_battery bq2429x_charger ina2xx tca8418_keypad as5013 leds_tca6507 twl6040_vibra gpio_twl6040 bmp085_i2c(+) palmas_gpadc usb3503 palmas_pwrbutton bmg160_i2c(+) bmp085 bma150(+) bmg160_core bmp280 input_polldev snd_soc_omap_mcbsp snd_soc_omap_mcpdm snd_soc_omap snd_pcm_dmaengine\n[    5.897048] Preemption disabled at:[\u003c  (null)\u003e]   (null)\n[    5.897051]\n[    5.897059] CPU: 0 PID: 994 Comm: udevd Not tainted 4.6.0-rc5-letux+ #233\n[    5.897062] Hardware name: Generic OMAP5 (Flattened Device Tree)\n[    5.897076] [\u003cc010e714\u003e] (unwind_backtrace) from [\u003cc010af34\u003e] (show_stack+0x10/0x14)\n[    5.897087] [\u003cc010af34\u003e] (show_stack) from [\u003cc040aa7c\u003e] (dump_stack+0x88/0xc0)\n[    5.897099] [\u003cc040aa7c\u003e] (dump_stack) from [\u003cc020c558\u003e] (__schedule_bug+0xac/0xd0)\n[    5.897111] [\u003cc020c558\u003e] (__schedule_bug) from [\u003cc06f3d44\u003e] (__schedule+0x88/0x7e4)\n[    5.897120] [\u003cc06f3d44\u003e] (__schedule) from [\u003cc06f46d8\u003e] (schedule+0x9c/0xc0)\n[    5.897129] [\u003cc06f46d8\u003e] (schedule) from [\u003cc06f4904\u003e] (schedule_preempt_disabled+0x14/0x20)\n[    5.897140] [\u003cc06f4904\u003e] (schedule_preempt_disabled) from [\u003cc06f64e4\u003e] (mutex_lock_nested+0x258/0x43c)\n[    5.897150] [\u003cc06f64e4\u003e] (mutex_lock_nested) from [\u003cc05ce9c8\u003e] (clk_prepare_lock+0x48/0xe0)\n[    5.897160] [\u003cc05ce9c8\u003e] (clk_prepare_lock) from [\u003cc05d0e7c\u003e] (clk_prepare+0x10/0x28)\n[    5.897169] [\u003cc05d0e7c\u003e] (clk_prepare) from [\u003cc04c2668\u003e] (omap_tll_enable+0x64/0xd0)\n[    5.897180] [\u003cc04c2668\u003e] (omap_tll_enable) from [\u003cc04c1728\u003e] (usbhs_runtime_resume+0x18/0x17c)\n[    5.897192] [\u003cc04c1728\u003e] (usbhs_runtime_resume) from [\u003cc049d404\u003e] (pm_generic_runtime_resume+0x2c/0x40)\n[    5.897202] [\u003cc049d404\u003e] (pm_generic_runtime_resume) from [\u003cc049f180\u003e] (__rpm_callback+0x38/0x68)\n[    5.897210] [\u003cc049f180\u003e] (__rpm_callback) from [\u003cc049f220\u003e] (rpm_callback+0x70/0x88)\n[    5.897218] [\u003cc049f220\u003e] (rpm_callback) from [\u003cc04a0a00\u003e] (rpm_resume+0x4ec/0x7ec)\n[    5.897227] [\u003cc04a0a00\u003e] (rpm_resume) from [\u003cc04a0f48\u003e] (__pm_runtime_resume+0x4c/0x64)\n[    5.897236] [\u003cc04a0f48\u003e] (__pm_runtime_resume) from [\u003cc04958dc\u003e] (driver_probe_device+0x30/0x70)\n[    5.897246] [\u003cc04958dc\u003e] (driver_probe_device) from [\u003cc04959a4\u003e] (__driver_attach+0x88/0xac)\n[    5.897256] [\u003cc04959a4\u003e] (__driver_attach) from [\u003cc04940f8\u003e] (bus_for_each_dev+0x50/0x84)\n[    5.897267] [\u003cc04940f8\u003e] (bus_for_each_dev) from [\u003cc0494e40\u003e] (bus_add_driver+0xcc/0x1e4)\n[    5.897276] [\u003cc0494e40\u003e] (bus_add_driver) from [\u003cc0496914\u003e] (driver_register+0xac/0xf4)\n[    5.897286] [\u003cc0496914\u003e] (driver_register) from [\u003cc01018e0\u003e] (do_one_initcall+0x100/0x1b8)\n[    5.897296] [\u003cc01018e0\u003e] (do_one_initcall) from [\u003cc01c7a54\u003e] (do_init_module+0x58/0x1c0)\n[    5.897304] [\u003cc01c7a54\u003e] (do_init_module) from [\u003cc01c8a3c\u003e] (SyS_finit_module+0x88/0x90)\n[    5.897313] [\u003cc01c8a3c\u003e] (SyS_finit_module) from [\u003cc0107120\u003e] (ret_fast_syscall+0x0/0x1c)\n[    5.912697] ------------[ cut here ]------------\n[    5.912711] WARNING: CPU: 0 PID: 994 at kernel/sched/core.c:2996 _raw_spin_unlock+0x28/0x58\n[    5.912717] DEBUG_LOCKS_WARN_ON(val \u003e preempt_count())\n\nCc: \u003cstable@vger.kernel.org\u003e\nReported-by: H. Nikolaus Schaller \u003chns@goldelico.com\u003e\nTested-by: H. Nikolaus Schaller \u003chns@goldelico.com\u003e\nSigned-off-by: Roger Quadros \u003crogerq@ti.com\u003e\nSigned-off-by: Lee Jones \u003clee.jones@linaro.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUSB: serial: io_edgeport: fix memory leaks in attach error path\n\n[ Upstream commit c5c0c55598cefc826d6cfb0a417eeaee3631715c ]\n\nPrivate data, URBs and buffers allocated for Epic devices during\nattach were never released on errors (e.g. missing endpoints).\n\nFixes: 6e8cf7751f9f (\"USB: add EPIC support to the io_edgeport driver\")\nCc: stable \u003cstable@vger.kernel.org\u003e\t# v2.6.21\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nAcked-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUSB: serial: io_edgeport: fix memory leaks in probe error path\n\n[ Upstream commit c8d62957d450cc1a22ce3242908709fe367ddc8e ]\n\nURBs and buffers allocated in attach for Epic devices would never be\ndeallocated in case of a later probe error (e.g. failure to allocate\nminor numbers) as disconnect is then never called.\n\nFix by moving deallocation to release and making sure that the\nURBs are first unlinked.\n\nFixes: f9c99bb8b3a1 (\"USB: usb-serial: replace shutdown with disconnect,\nrelease\")\nCc: stable \u003cstable@vger.kernel.org\u003e\t# v2.6.31\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nAcked-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUSB: serial: keyspan: fix use-after-free in probe error path\n\n[ Upstream commit 35be1a71d70775e7bd7e45fa6d2897342ff4c9d2 ]\n\nThe interface instat and indat URBs were submitted in attach, but never\nunlinked in release before deallocating the corresponding transfer\nbuffers.\n\nIn the case of a late probe error (e.g. due to failed minor allocation),\ndisconnect would not have been called before release, causing the\nbuffers to be freed while the URBs are still in use. We\u0027d also end up\nwith active URBs for an unbound interface.\n\nFixes: f9c99bb8b3a1 (\"USB: usb-serial: replace shutdown with disconnect,\nrelease\")\nCc: stable \u003cstable@vger.kernel.org\u003e\t# v2.6.31\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nAcked-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUSB: serial: mxuport: fix use-after-free in probe error path\n\n[ Upstream commit 9e45284984096314994777f27e1446dfbfd2f0d7 ]\n\nThe interface read and event URBs are submitted in attach, but were\nnever explicitly unlinked by the driver. Instead the URBs would have\nbeen killed by usb-serial core on disconnect.\n\nIn case of a late probe error (e.g. due to failed minor allocation),\ndisconnect is never called and we could end up with active URBs for an\nunbound interface. This in turn could lead to deallocated memory being\ndereferenced in the completion callbacks.\n\nFixes: ee467a1f2066 (\"USB: serial: add Moxa UPORT 12XX/14XX/16XX\ndriver\")\nCc: stable \u003cstable@vger.kernel.org\u003e\t# v3.14\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nAcked-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUSB: serial: quatech2: fix use-after-free in probe error path\n\n[ Upstream commit 028c49f5e02a257c94129cd815f7c8485f51d4ef ]\n\nThe interface read URB is submitted in attach, but was only unlinked by\nthe driver at disconnect.\n\nIn case of a late probe error (e.g. due to failed minor allocation),\ndisconnect is never called and we would end up with active URBs for an\nunbound interface. This in turn could lead to deallocated memory being\ndereferenced in the completion callback.\n\nFixes: f7a33e608d9a (\"USB: serial: add quatech2 usb to serial driver\")\nCc: stable \u003cstable@vger.kernel.org\u003e\t# v3.5: 40d04738491d\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nAcked-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ncrypto: caam - fix caam_jr_alloc() ret code\n\n[ Upstream commit e930c765ca5c6b039cd22ebfb4504ea7b5dab43d ]\n\ncaam_jr_alloc() used to return NULL if a JR device could not be\nallocated for a session. In turn, every user of this function used\nIS_ERR() function to verify if anything went wrong, which does NOT look\nfor NULL values. This made the kernel crash if the sanity check failed,\nbecause the driver continued to think it had allocated a valid JR dev\ninstance to the session and at some point it tries to do a caam_jr_free()\non a NULL JR dev pointer.\nThis patch is a fix for this issue.\n\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Catalin Vasile \u003ccata.vasile@nxp.com\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nMIPS: KVM: Fix timer IRQ race when freezing timer\n\n[ Upstream commit 4355c44f063d3de4f072d796604c7f4ba4085cc3 ]\n\nThere\u0027s a particularly narrow and subtle race condition when the\nsoftware emulated guest timer is frozen which can allow a guest timer\ninterrupt to be missed.\n\nThis happens due to the hrtimer expiry being inexact, so very\noccasionally the freeze time will be after the moment when the emulated\nCP0_Count transitions to the same value as CP0_Compare (so an IRQ should\nbe generated), but before the moment when the hrtimer is due to expire\n(so no IRQ is generated). The IRQ won\u0027t be generated when the timer is\nresumed either, since the resume CP0_Count will already match CP0_Compare.\n\nWith VZ guests in particular this is far more likely to happen, since\nthe soft timer may be frozen frequently in order to restore the timer\nstate to the hardware guest timer. This happens after 5-10 hours of\nguest soak testing, resulting in an overflow in guest kernel timekeeping\ncalculations, hanging the guest. A more focussed test case to\nintentionally hit the race (with the help of a new hypcall to cause the\ntimer state to migrated between hardware \u0026 software) hits the condition\nfairly reliably within around 30 seconds.\n\nInstead of relying purely on the inexact hrtimer expiry to determine\nwhether an IRQ should be generated, read the guest CP0_Compare and\ndirectly check whether the freeze time is before or after it. Only if\nCP0_Count is on or after CP0_Compare do we check the hrtimer expiry to\ndetermine whether the last IRQ has already been generated (which will\nhave pushed back the expiry by one timer period).\n\nFixes: e30492bbe95a (\"MIPS: KVM: Rewrite count/compare timer emulation\")\nSigned-off-by: James Hogan \u003cjames.hogan@imgtec.com\u003e\nCc: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\nCc: \"Radim Krčmář\" \u003crkrcmar@redhat.com\u003e\nCc: Ralf Baechle \u003cralf@linux-mips.org\u003e\nCc: linux-mips@linux-mips.org\nCc: kvm@vger.kernel.org\nCc: \u003cstable@vger.kernel.org\u003e # 3.16.x-\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nMIPS: KVM: Fix timer IRQ race when writing CP0_Compare\n\n[ Upstream commit b45bacd2d048f405c7760e5cc9b60dd67708734f ]\n\nWriting CP0_Compare clears the timer interrupt pending bit\n(CP0_Cause.TI), but this wasn\u0027t being done atomically. If a timer\ninterrupt raced with the write of the guest CP0_Compare, the timer\ninterrupt could end up being pending even though the new CP0_Compare is\nnowhere near CP0_Count.\n\nWe were already updating the hrtimer expiry with\nkvm_mips_update_hrtimer(), which used both kvm_mips_freeze_hrtimer() and\nkvm_mips_resume_hrtimer(). Close the race window by expanding out\nkvm_mips_update_hrtimer(), and clearing CP0_Cause.TI and setting\nCP0_Compare between the freeze and resume. Since the pending timer\ninterrupt should not be cleared when CP0_Compare is written via the KVM\nuser API, an ack argument is added to distinguish the source of the\nwrite.\n\nFixes: e30492bbe95a (\"MIPS: KVM: Rewrite count/compare timer emulation\")\nSigned-off-by: James Hogan \u003cjames.hogan@imgtec.com\u003e\nCc: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\nCc: \"Radim Krčmář\" \u003crkrcmar@redhat.com\u003e\nCc: Ralf Baechle \u003cralf@linux-mips.org\u003e\nCc: linux-mips@linux-mips.org\nCc: kvm@vger.kernel.org\nCc: \u003cstable@vger.kernel.org\u003e # 3.16.x-\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ngcov: disable tree-loop-im to reduce stack usage\n\n[ Upstream commit c87bf431448b404a6ef5fbabd74c0e3e42157a7f ]\n\nEnabling CONFIG_GCOV_PROFILE_ALL produces us a lot of warnings like\n\nlib/lz4/lz4hc_compress.c: In function \u0027lz4_compresshcctx\u0027:\nlib/lz4/lz4hc_compress.c:514:1: warning: the frame size of 1504 bytes is larger than 1024 bytes [-Wframe-larger-than\u003d]\n\nAfter some investigation, I found that this behavior started with gcc-4.9,\nand opened https://gcc.gnu.org/bugzilla/show_bug.cgi?id\u003d69702.\nA suggested workaround for it is to use the -fno-tree-loop-im\nflag that turns off one of the optimization stages in gcc, so the\ncode runs a little slower but does not use excessive amounts\nof stack.\n\nWe could make this conditional on the gcc version, but I could not\nfind an easy way to do this in Kbuild and the benefit would be\nfairly small, given that most of the gcc version in production are\naffected now.\n\nI\u0027m marking this for \u0027stable\u0027 backports because it addresses a bug\nwith code generation in gcc that exists in all kernel versions\nwith the affected gcc releases.\n\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\nAcked-by: Peter Oberparleiter \u003coberpar@linux.vnet.ibm.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Michal Marek \u003cmmarek@suse.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nirqchip/gic: Ensure ordering between read of INTACK and shared data\n\n[ Upstream commit f86c4fbd930ff6fecf3d8a1c313182bd0f49f496 ]\n\nWhen an IPI is generated by a CPU, the pattern looks roughly like:\n\n  \u003cwrite shared data\u003e\n  smp_wmb();\n  \u003cwrite to GIC to signal SGI\u003e\n\nOn the receiving CPU we rely on the fact that, once we\u0027ve taken the\ninterrupt, then the freshly written shared data must be visible to us.\nPut another way, the CPU isn\u0027t going to speculate taking an interrupt.\n\nUnfortunately, this assumption turns out to be broken.\n\nConsider that CPUx wants to send an IPI to CPUy, which will cause CPUy\nto read some shared_data. Before CPUx has done anything, a random\nperipheral raises an IRQ to the GIC and the IRQ line on CPUy is raised.\nCPUy then takes the IRQ and starts executing the entry code, heading\ntowards gic_handle_irq. Furthermore, let\u0027s assume that a bunch of the\nprevious interrupts handled by CPUy were SGIs, so the branch predictor\nkicks in and speculates that irqnr will be \u003c16 and we\u0027re likely to\nhead into handle_IPI. The prefetcher then grabs a speculative copy of\nshared_data which contains a stale value.\n\nMeanwhile, CPUx gets round to updating shared_data and asking the GIC\nto send an SGI to CPUy. Internally, the GIC decides that the SGI is\nmore important than the peripheral interrupt (which hasn\u0027t yet been\nACKed) but doesn\u0027t need to do anything to CPUy, because the IRQ line\nis already raised.\n\nCPUy then reads the ACK register on the GIC, sees the SGI value which\nconfirms the branch prediction and we end up with a stale shared_data\nvalue.\n\nThis patch fixes the problem by adding an smp_rmb() to the IPI entry\ncode in gic_handle_irq. As it turns out, the combination of a control\ndependency and an ISB instruction from the EOI in the GICv3 driver is\nenough to provide the ordering we need, so we add a comment there\njustifying the absence of an explicit smp_rmb().\n\nCc: stable@vger.kernel.org\nSigned-off-by: Will Deacon \u003cwill.deacon@arm.com\u003e\nSigned-off-by: Marc Zyngier \u003cmarc.zyngier@arm.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nkbuild: move -Wunused-const-variable to W\u003d1 warning level\n\n[ Upstream commit c9c6837d39311b0cc14cdbe7c18e815ab44aefb1 ]\n\ngcc-6 started warning by default about variables that are not\nused anywhere and that are marked \u0027const\u0027, generating many\nfalse positives in an allmodconfig build, e.g.:\n\narch/arm/mach-davinci/board-da830-evm.c:282:20: warning: \u0027da830_evm_emif25_pins\u0027 defined but not used [-Wunused-const-variable\u003d]\narch/arm/plat-omap/dmtimer.c:958:34: warning: \u0027omap_timer_match\u0027 defined but not used [-Wunused-const-variable\u003d]\ndrivers/bluetooth/hci_bcm.c:625:39: warning: \u0027acpi_bcm_default_gpios\u0027 defined but not used [-Wunused-const-variable\u003d]\ndrivers/char/hw_random/omap-rng.c:92:18: warning: \u0027reg_map_omap4\u0027 defined but not used [-Wunused-const-variable\u003d]\ndrivers/devfreq/exynos/exynos5_bus.c:381:32: warning: \u0027exynos5_busfreq_int_pm\u0027 defined but not used [-Wunused-const-variable\u003d]\ndrivers/dma/mv_xor.c:1139:34: warning: \u0027mv_xor_dt_ids\u0027 defined but not used [-Wunused-const-variable\u003d]\n\nThis is similar to the existing -Wunused-but-set-variable warning\nthat was added in an earlier release and that we disable by default\nnow and only enable when W\u003d1 is set, so it makes sense to do\nthe same here. Once we have eliminated the majority of the\nwarnings for both, we can put them back into the default list.\n\nWe probably want this in backport kernels as well, to allow building\nthem with gcc-6 without introducing extra warnings.\n\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\nAcked-by: Olof Johansson \u003colof@lixom.net\u003e\nAcked-by: Lee Jones \u003clee.jones@linaro.org\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Michal Marek \u003cmmarek@suse.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nrtlwifi: Fix logic error in enter/exit power-save mode\n\n[ Upstream commit 873ffe154ae074c46ed2d72dbd9a2a99f06f55b4 ]\n\nIn commit a269913c52ad (\"rtlwifi: Rework rtl_lps_leave() and\nrtl_lps_enter() to use work queue\"), the tests for enter/exit\npower-save mode were inverted. With this change applied, the\nwifi connection becomes much more stable.\n\nFixes: a269913c52ad (\"rtlwifi: Rework rtl_lps_leave() and rtl_lps_enter() to use work queue\")\nSigned-off-by: Wang YanQing \u003cudknight@gmail.com\u003e\nCC: Stable \u003cstable@vger.kernel.org\u003e [3.10+]\nAcked-by: Larry Finger \u003cLarry.Finger@lwfinger.net\u003e\nSigned-off-by: Kalle Valo \u003ckvalo@codeaurora.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nrtlwifi: pci: use dev_kfree_skb_irq instead of kfree_skb in rtl_pci_reset_trx_ring\n\n[ Upstream commit cf968937d27751296920e6b82ffa89735e3a0023 ]\n\nWe can\u0027t use kfree_skb in irq disable context, because spin_lock_irqsave\nmake sure we are always in irq disable context, use dev_kfree_skb_irq\ninstead of kfree_skb is better than dev_kfree_skb_any.\n\nThis patch fix below kernel warning:\n[ 7612.095528] ------------[ cut here ]------------\n[ 7612.095546] WARNING: CPU: 3 PID: 4460 at kernel/softirq.c:150 __local_bh_enable_ip+0x58/0x80()\n[ 7612.095550] Modules linked in: rtl8723be x86_pkg_temp_thermal btcoexist rtl_pci rtlwifi rtl8723_common\n[ 7612.095567] CPU: 3 PID: 4460 Comm: ifconfig Tainted: G        W       4.4.0+ #4\n[ 7612.095570] Hardware name: LENOVO 20DFA04FCD/20DFA04FCD, BIOS J5ET48WW (1.19 ) 08/27/2015\n[ 7612.095574]  00000000 00000000 da37fc70 c12ce7c5 00000000 da37fca0 c104cc59 c19d4454\n[ 7612.095584]  00000003 0000116c c19d4784 00000096 c10508a8 c10508a8 00000200 c1b42400\n[ 7612.095594]  f29be780 da37fcb0 c104ccad 00000009 00000000 da37fcbc c10508a8 f21f08b8\n[ 7612.095604] Call Trace:\n[ 7612.095614]  [\u003cc12ce7c5\u003e] dump_stack+0x41/0x5c\n[ 7612.095620]  [\u003cc104cc59\u003e] warn_slowpath_common+0x89/0xc0\n[ 7612.095628]  [\u003cc10508a8\u003e] ? __local_bh_enable_ip+0x58/0x80\n[ 7612.095634]  [\u003cc10508a8\u003e] ? __local_bh_enable_ip+0x58/0x80\n[ 7612.095640]  [\u003cc104ccad\u003e] warn_slowpath_null+0x1d/0x20\n[ 7612.095646]  [\u003cc10508a8\u003e] __local_bh_enable_ip+0x58/0x80\n[ 7612.095653]  [\u003cc16b7d34\u003e] destroy_conntrack+0x64/0xa0\n[ 7612.095660]  [\u003cc16b300f\u003e] nf_conntrack_destroy+0xf/0x20\n[ 7612.095665]  [\u003cc1677565\u003e] skb_release_head_state+0x55/0xa0\n[ 7612.095670]  [\u003cc16775bb\u003e] skb_release_all+0xb/0x20\n[ 7612.095674]  [\u003cc167760b\u003e] __kfree_skb+0xb/0x60\n[ 7612.095679]  [\u003cc16776f0\u003e] kfree_skb+0x30/0x70\n[ 7612.095686]  [\u003cf81b869d\u003e] ? rtl_pci_reset_trx_ring+0x22d/0x370 [rtl_pci]\n[ 7612.095692]  [\u003cf81b869d\u003e] rtl_pci_reset_trx_ring+0x22d/0x370 [rtl_pci]\n[ 7612.095698]  [\u003cf81b87f9\u003e] rtl_pci_start+0x19/0x190 [rtl_pci]\n[ 7612.095705]  [\u003cf81970e6\u003e] rtl_op_start+0x56/0x90 [rtlwifi]\n[ 7612.095712]  [\u003cc17e3f16\u003e] drv_start+0x36/0xc0\n[ 7612.095717]  [\u003cc17f5ab3\u003e] ieee80211_do_open+0x2d3/0x890\n[ 7612.095725]  [\u003cc16820fe\u003e] ? call_netdevice_notifiers_info+0x2e/0x60\n[ 7612.095730]  [\u003cc17f60bd\u003e] ieee80211_open+0x4d/0x50\n[ 7612.095736]  [\u003cc16891b3\u003e] __dev_open+0xa3/0x130\n[ 7612.095742]  [\u003cc183fa53\u003e] ? _raw_spin_unlock_bh+0x13/0x20\n[ 7612.095748]  [\u003cc1689499\u003e] __dev_change_flags+0x89/0x140\n[ 7612.095753]  [\u003cc127c70d\u003e] ? selinux_capable+0xd/0x10\n[ 7612.095759]  [\u003cc1689589\u003e] dev_change_flags+0x29/0x60\n[ 7612.095765]  [\u003cc1700b93\u003e] devinet_ioctl+0x553/0x670\n[ 7612.095772]  [\u003cc12db758\u003e] ? _copy_to_user+0x28/0x40\n[ 7612.095777]  [\u003cc17018b5\u003e] inet_ioctl+0x85/0xb0\n[ 7612.095783]  [\u003cc166e647\u003e] sock_ioctl+0x67/0x260\n[ 7612.095788]  [\u003cc166e5e0\u003e] ? sock_fasync+0x80/0x80\n[ 7612.095795]  [\u003cc115c99b\u003e] do_vfs_ioctl+0x6b/0x550\n[ 7612.095800]  [\u003cc127c812\u003e] ? selinux_file_ioctl+0x102/0x1e0\n[ 7612.095807]  [\u003cc10a8914\u003e] ? timekeeping_suspend+0x294/0x320\n[ 7612.095813]  [\u003cc10a256a\u003e] ? __hrtimer_run_queues+0x14a/0x210\n[ 7612.095820]  [\u003cc1276e24\u003e] ? security_file_ioctl+0x34/0x50\n[ 7612.095827]  [\u003cc115cef0\u003e] SyS_ioctl+0x70/0x80\n[ 7612.095832]  [\u003cc1001804\u003e] do_fast_syscall_32+0x84/0x120\n[ 7612.095839]  [\u003cc183ff91\u003e] sysenter_past_esp+0x36/0x55\n[ 7612.095844] ---[ end trace 97e9c637a20e8348 ]---\n\nSigned-off-by: Wang YanQing \u003cudknight@gmail.com\u003e\nCc: Stable \u003cstable@vger.kernel.org\u003e\nAcked-by: Larry Finger \u003cLarry.Finger@lwfinger.net\u003e\nSigned-off-by: Kalle Valo \u003ckvalo@codeaurora.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nsched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded systems\n\n[ Upstream commit 20878232c52329f92423d27a60e48b6a6389e0dd ]\n\nSystems show a minimal load average of 0.00, 0.01, 0.05 even when they\nhave no load at all.\n\nUptime and /proc/loadavg on all systems with kernels released during the\nlast five years up until kernel version 4.6-rc5, show a 5- and 15-minute\nminimum loadavg of 0.01 and 0.05 respectively. This should be 0.00 on\nidle systems, but the way the kernel calculates this value prevents it\nfrom getting lower than the mentioned values.\n\nLikewise but not as obviously noticeable, a fully loaded system with no\nprocesses waiting, shows a maximum 1/5/15 loadavg of 1.00, 0.99, 0.95\n(multiplied by number of cores).\n\nOnce the (old) load becomes 93 or higher, it mathematically can never\nget lower than 93, even when the active (load) remains 0 forever.\nThis results in the strange 0.00, 0.01, 0.05 uptime values on idle\nsystems.  Note: 93/2048 \u003d 0.0454..., which rounds up to 0.05.\n\nIt is not correct to add a 0.5 rounding (\u003d1024/2048) here, since the\nresult from this function is fed back into the next iteration again,\nso the result of that +0.5 rounding value then gets multiplied by\n(2048-2037), and then rounded again, so there is a virtual \"ghost\"\nload created, next to the old and active load terms.\n\nBy changing the way the internally kept value is rounded, that internal\nvalue equivalent now can reach 0.00 on idle, and 1.00 on full load. Upon\nincreasing load, the internally kept load value is rounded up, when the\nload is decreasing, the load value is rounded down.\n\nThe modified code was tested on nohz\u003doff and nohz kernels. It was tested\non vanilla kernel 4.6-rc5 and on centos 7.1 kernel 3.10.0-327. It was\ntested on single, dual, and octal cores system. It was tested on virtual\nhosts and bare hardware. No unwanted effects have been observed, and the\nproblems that the patch intended to fix were indeed gone.\n\nTested-by: Damien Wyart \u003cdamien.wyart@free.fr\u003e\nSigned-off-by: Vik Heyndrickx \u003cvik.heyndrickx@veribox.net\u003e\nSigned-off-by: Peter Zijlstra (Intel) \u003cpeterz@infradead.org\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nCc: Doug Smythies \u003cdsmythies@telus.net\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Mike Galbraith \u003cefault@gmx.de\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nFixes: 0f004f5a696a (\"sched: Cure more NO_HZ load average woes\")\nLink: http://lkml.kernel.org/r/e8d32bff-d544-7748-72b5-3c86cc71f09f@veribox.net\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\npowerpc/eeh: Don\u0027t report error in eeh_pe_reset_and_recover()\n\n[ Upstream commit affeb0f2d3a9af419ad7ef4ac782e1540b2f7b28 ]\n\nThe function eeh_pe_reset_and_recover() is used to recover EEH\nerror when the passthrough device are transferred to guest and\nbackwards, meaning the device\u0027s driver is vfio-pci or none.\nWhen the driver is vfio-pci that provides error_detected() error\nhandler only, the handler simply stops the guest and it\u0027s not\nexpected behaviour. On the other hand, no error handlers will\nbe called if we don\u0027t have a bound driver.\n\nThis ignores the error handler in eeh_pe_reset_and_recover()\nthat reports the error to device driver to avoid the exceptional\nbehaviour.\n\nFixes: 5cfb20b9 (\"powerpc/eeh: Emulate EEH recovery for VFIO devices\")\nCc: stable@vger.kernel.org #v3.18+\nSigned-off-by: Gavin Shan \u003cgwshan@linux.vnet.ibm.com\u003e\nReviewed-by: Russell Currey \u003cruscur@russell.cc\u003e\nSigned-off-by: Michael Ellerman \u003cmpe@ellerman.id.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\npowerpc/eeh: Restore initial state in eeh_pe_reset_and_recover()\n\n[ Upstream commit 5a0cdbfd17b90a89c64a71d8aec9773ecdb20d0d ]\n\nThe function eeh_pe_reset_and_recover() is used to recover EEH\nerror when the passthrou device are transferred to guest and\nbackwards. The content in the device\u0027s config space will be lost\non PE reset issued in the middle of the recovery. The function\nsaves/restores it before/after the reset. However, config access\nto some adapters like Broadcom BCM5719 at this point will causes\nfenced PHB. The config space is always blocked and we save 0xFF\u0027s\nthat are restored at late point. The memory BARs are totally\ncorrupted, causing another EEH error upon access to one of the\nmemory BARs.\n\nThis restores the config space on those adapters like BCM5719\nfrom the content saved to the EEH device when it\u0027s populated,\nto resolve above issue.\n\nFixes: 5cfb20b9 (\"powerpc/eeh: Emulate EEH recovery for VFIO devices\")\nCc: stable@vger.kernel.org #v3.18+\nSigned-off-by: Gavin Shan \u003cgwshan@linux.vnet.ibm.com\u003e\nReviewed-by: Russell Currey \u003cruscur@russell.cc\u003e\nSigned-off-by: Michael Ellerman \u003cmpe@ellerman.id.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nMIPS: math-emu: Fix jalr emulation when rd \u003d\u003d $0\n\n[ Upstream commit ab4a92e66741b35ca12f8497896bafbe579c28a1 ]\n\nWhen emulating a jalr instruction with rd \u003d\u003d $0, the code in\nisBranchInstr was incorrectly writing to GPR $0 which should actually\nalways remain zeroed. This would lead to any further instructions\nemulated which use $0 operating on a bogus value until the task is next\ncontext switched, at which point the value of $0 in the task context\nwould be restored to the correct zero by a store in SAVE_SOME. Fix this\nby not writing to rd if it is $0.\n\nFixes: 102cedc32a6e (\"MIPS: microMIPS: Floating point support.\")\nSigned-off-by: Paul Burton \u003cpaul.burton@imgtec.com\u003e\nCc: Maciej W. Rozycki \u003cmacro@imgtec.com\u003e\nCc: James Hogan \u003cjames.hogan@imgtec.com\u003e\nCc: linux-mips@linux-mips.org\nCc: linux-kernel@vger.kernel.org\nCc: stable \u003cstable@vger.kernel.org\u003e # v3.10\nPatchwork: https://patchwork.linux-mips.org/patch/13160/\nSigned-off-by: Ralf Baechle \u003cralf@linux-mips.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nring-buffer: Add unlikelys to make fast path the default\n\n[ Upstream commit 3205f8063b6cc54b20d5080fb79dfcbd9c39e93d ]\n\nI was running the trace_event benchmark and noticed that the times\nto record a trace_event was all over the place. I looked at the assembly\nof the ring_buffer_lock_reserver() and saw this:\n\n \u003cring_buffer_lock_reserve\u003e:\n       31 c0                   xor    %eax,%eax\n       48 83 3d 76 47 bd 00    cmpq   $0x1,0xbd4776(%rip)        # ffffffff81d10d60 \u003cring_buffer_flags\u003e\n       01\n       55                      push   %rbp\n       48 89 e5                mov    %rsp,%rbp\n       75 1d                   jne    ffffffff8113c60d \u003cring_buffer_lock_reserve+0x2d\u003e\n       65 ff 05 69 e3 ec 7e    incl   %gs:0x7eece369(%rip)        # a960 \u003c__preempt_count\u003e\n       8b 47 08                mov    0x8(%rdi),%eax\n       85 c0                   test   %eax,%eax\n +---- 74 12                   je     ffffffff8113c610 \u003cring_buffer_lock_reserve+0x30\u003e\n |     65 ff 0d 5b e3 ec 7e    decl   %gs:0x7eece35b(%rip)        # a960 \u003c__preempt_count\u003e\n |     0f 84 85 00 00 00       je     ffffffff8113c690 \u003cring_buffer_lock_reserve+0xb0\u003e\n |     31 c0                   xor    %eax,%eax\n |     5d                      pop    %rbp\n |     c3                      retq\n |     90                      nop\n +---\u003e 65 44 8b 05 48 e3 ec    mov    %gs:0x7eece348(%rip),%r8d        # a960 \u003c__preempt_count\u003e\n       7e\n       41 81 e0 ff ff ff 7f    and    $0x7fffffff,%r8d\n       b0 08                   mov    $0x8,%al\n       65 8b 0d 58 36 ed 7e    mov    %gs:0x7eed3658(%rip),%ecx        # fc80 \u003ccurrent_context\u003e\n       41 f7 c0 00 ff 1f 00    test   $0x1fff00,%r8d\n       74 1e                   je     ffffffff8113c64f \u003cring_buffer_lock_reserve+0x6f\u003e\n       41 f7 c0 00 00 10 00    test   $0x100000,%r8d\n       b0 01                   mov    $0x1,%al\n       75 13                   jne    ffffffff8113c64f \u003cring_buffer_lock_reserve+0x6f\u003e\n       41 81 e0 00 00 0f 00    and    $0xf0000,%r8d\n       49 83 f8 01             cmp    $0x1,%r8\n       19 c0                   sbb    %eax,%eax\n       83 e0 02                and    $0x2,%eax\n       83 c0 02                add    $0x2,%eax\n       85 c8                   test   %ecx,%eax\n       75 ab                   jne    ffffffff8113c5fe \u003cring_buffer_lock_reserve+0x1e\u003e\n       09 c8                   or     %ecx,%eax\n       65 89 05 24 36 ed 7e    mov    %eax,%gs:0x7eed3624(%rip)        # fc80 \u003ccurrent_context\u003e\n\nThe arrow is the fast path.\n\nAfter adding the unlikely\u0027s, the fast path looks a bit better:\n\n \u003cring_buffer_lock_reserve\u003e:\n       31 c0                   xor    %eax,%eax\n       48 83 3d 76 47 bd 00    cmpq   $0x1,0xbd4776(%rip)        # ffffffff81d10d60 \u003cring_buffer_flags\u003e\n       01\n       55                      push   %rbp\n       48 89 e5                mov    %rsp,%rbp\n       75 7b                   jne    ffffffff8113c66b \u003cring_buffer_lock_reserve+0x8b\u003e\n       65 ff 05 69 e3 ec 7e    incl   %gs:0x7eece369(%rip)        # a960 \u003c__preempt_count\u003e\n       8b 47 08                mov    0x8(%rdi),%eax\n       85 c0                   test   %eax,%eax\n       0f 85 9f 00 00 00       jne    ffffffff8113c6a1 \u003cring_buffer_lock_reserve+0xc1\u003e\n       65 8b 0d 57 e3 ec 7e    mov    %gs:0x7eece357(%rip),%ecx        # a960 \u003c__preempt_count\u003e\n       81 e1 ff ff ff 7f       and    $0x7fffffff,%ecx\n       b0 08                   mov    $0x8,%al\n       65 8b 15 68 36 ed 7e    mov    %gs:0x7eed3668(%rip),%edx        # fc80 \u003ccurrent_context\u003e\n       f7 c1 00 ff 1f 00       test   $0x1fff00,%ecx\n       75 50                   jne    ffffffff8113c670 \u003cring_buffer_lock_reserve+0x90\u003e\n       85 d0                   test   %edx,%eax\n       75 7d                   jne    ffffffff8113c6a1 \u003cring_buffer_lock_reserve+0xc1\u003e\n       09 d0                   or     %edx,%eax\n       65 89 05 53 36 ed 7e    mov    %eax,%gs:0x7eed3653(%rip)        # fc80 \u003ccurrent_context\u003e\n       65 8b 05 fc da ec 7e    mov    %gs:0x7eecdafc(%rip),%eax        # a130 \u003ccpu_number\u003e\n       89 c2                   mov    %eax,%edx\n\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nring-buffer: Remove duplicate use of \u0027\u0026\u0027 in recursive code\n\n[ Upstream commit d631c8cceb1d1d06f372878935949d421585186b ]\n\nA clean up of the recursive protection code changed\n\n  val \u003d this_cpu_read(current_context);\n  val--;\n  val \u0026\u003d this_cpu_read(current_context);\n\nto\n\n  val \u003d this_cpu_read(current_context);\n  val \u0026\u003d val \u0026 (val - 1);\n\nWhich has a duplicate use of \u0027\u0026\u0027 as the above is the same as\n\n  val \u003d val \u0026 (val - 1);\n\nActually, it would be best to remove that line altogether and\njust add it to where it is used.\n\nAnd Christoph even mentioned that it can be further compacted to\njust a single line:\n\n  __this_cpu_and(current_context, __this_cpu_read(current_context) - 1);\n\nLink: http://lkml.kernel.org/alpine.DEB.2.11.1503271423580.23114@gentwo.org\n\nSuggested-by: Christoph Lameter \u003ccl@linux.com\u003e\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nring-buffer: Move recursive check to per_cpu descriptor\n\n[ Upstream commit 58a09ec6e3ec88c9c7e061479f1ef7fe93324a87 ]\n\nInstead of using a global per_cpu variable to perform the recursive\nchecks into the ring buffer, use the already existing per_cpu descriptor\nthat is part of the ring buffer itself.\n\nNot only does this simplify the code, it also allows for one ring buffer\nto be used within the guts of the use of another ring buffer. For example\ntrace_printk() can now be used within the ring buffer to record changes\ndone by an instance into the main ring buffer. The recursion checks\nwill prevent the trace_printk() itself from causing recursive issues\nwith the main ring buffer (it is just ignored), but the recursive\nchecks wont prevent the trace_printk() from recording other ring buffers.\n\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nring-buffer: Use long for nr_pages to avoid overflow failures\n\n[ Upstream commit 9b94a8fba501f38368aef6ac1b30e7335252a220 ]\n\nThe size variable to change the ring buffer in ftrace is a long. The\nnr_pages used to update the ring buffer based on the size is int. On 64 bit\nmachines this can cause an overflow problem.\n\nFor example, the following will cause the ring buffer to crash:\n\n # cd /sys/kernel/debug/tracing\n # echo 10 \u003e buffer_size_kb\n # echo 8556384240 \u003e buffer_size_kb\n\nThen you get the warning of:\n\n WARNING: CPU: 1 PID: 318 at kernel/trace/ring_buffer.c:1527 rb_update_pages+0x22f/0x260\n\nWhich is:\n\n  RB_WARN_ON(cpu_buffer, nr_removed);\n\nNote each ring buffer page holds 4080 bytes.\n\nThis is because:\n\n 1) 10 causes the ring buffer to have 3 pages.\n    (10kb requires 3 * 4080 pages to hold)\n\n 2) (2^31 / 2^10  + 1) * 4080 \u003d 8556384240\n    The value written into buffer_size_kb is shifted by 10 and then passed\n    to ring_buffer_resize(). 8556384240 * 2^10 \u003d 8761737461760\n\n 3) The size passed to ring_buffer_resize() is then divided by BUF_PAGE_SIZE\n    which is 4080. 8761737461760 / 4080 \u003d 2147484672\n\n 4) nr_pages is subtracted from the current nr_pages (3) and we get:\n    2147484669. This value is saved in a signed integer nr_pages_to_update\n\n 5) 2147484669 is greater than 2^31 but smaller than 2^32, a signed int\n    turns into the value of -2147482627\n\n 6) As the value is a negative number, in update_pages_handler() it is\n    negated and passed to rb_remove_pages() and 2147482627 pages will\n    be removed, which is much larger than 3 and it causes the warning\n    because not all the pages asked to be removed were removed.\n\nLink: https://bugzilla.kernel.org/show_bug.cgi?id\u003d118001\n\nCc: stable@vger.kernel.org # 2.6.28+\nFixes: 7a8e76a3829f1 (\"tracing: unified trace buffer\")\nReported-by: Hao Qin \u003cQEver.cn@gmail.com\u003e\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmmc: mmc: Fix partition switch timeout for some eMMCs\n\n[ Upstream commit 1c447116d017a98c90f8f71c8c5a611e0aa42178 ]\n\nSome eMMCs set the partition switch timeout too low.\n\nNow typically eMMCs are considered a critical component (e.g. because\nthey store the root file system) and consequently are expected to be\nreliable.  Thus we can neglect the use case where eMMCs can\u0027t switch\nreliably and we might want a lower timeout to facilitate speedy\nrecovery.\n\nAlthough we could employ a quirk for the cards that are affected (if\nwe could identify them all), as described above, there is little\nbenefit to having a low timeout, so instead simply set a minimum\ntimeout.\n\nThe minimum is set to 300ms somewhat arbitrarily - the examples that\nhave been seen had a timeout of 10ms but were sometimes taking 60-70ms.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Adrian Hunter \u003cadrian.hunter@intel.com\u003e\nSigned-off-by: Ulf Hansson \u003culf.hansson@linaro.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nPCI: Disable all BAR sizing for devices with non-compliant BARs\n\n[ Upstream commit ad67b437f187ea818b2860524d10f878fadfdd99 ]\n\nb84106b4e229 (\"PCI: Disable IO/MEM decoding for devices with non-compliant\nBARs\") disabled BAR sizing for BARs 0-5 of devices that don\u0027t comply with\nthe PCI spec.  But it didn\u0027t do anything for expansion ROM BARs, so we\nstill try to size them, resulting in warnings like this on Broadwell-EP:\n\n  pci 0000:ff:12.0: BAR 6: failed to assign [mem size 0x00000001 pref]\n\nMove the non-compliant BAR check from __pci_read_base() up to\npci_read_bases() so it applies to the expansion ROM BAR as well as\nto BARs 0-5.\n\nNote that direct callers of __pci_read_base(), like sriov_init(), will now\nbypass this check.  We haven\u0027t had reports of devices with broken SR-IOV\nBARs yet.\n\n[bhelgaas: changelog]\nFixes: b84106b4e229 (\"PCI: Disable IO/MEM decoding for devices with non-compliant BARs\")\nSigned-off-by: Prarit Bhargava \u003cprarit@redhat.com\u003e\nSigned-off-by: Bjorn Helgaas \u003cbhelgaas@google.com\u003e\nCC: stable@vger.kernel.org\nCC: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCC: Ingo Molnar \u003cmingo@redhat.com\u003e\nCC: \"H. Peter Anvin\" \u003chpa@zytor.com\u003e\nCC: Andi Kleen \u003cak@linux.intel.com\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nMIPS: MSA: Fix a link error on `_init_msa_upper\u0027 with older GCC\n\n[ Upstream commit e49d38488515057dba8f0c2ba4cfde5be4a7281f ]\n\nFix a build regression from commit c9017757c532 (\"MIPS: init upper 64b\nof vector registers when MSA is first used\"):\n\narch/mips/built-in.o: In function `enable_restore_fp_context\u0027:\ntraps.c:(.text+0xbb90): undefined reference to `_init_msa_upper\u0027\ntraps.c:(.text+0xbb90): relocation truncated to fit: R_MIPS_26 against `_init_msa_upper\u0027\ntraps.c:(.text+0xbef0): undefined reference to `_init_msa_upper\u0027\ntraps.c:(.text+0xbef0): relocation truncated to fit: R_MIPS_26 against `_init_msa_upper\u0027\n\nto !CONFIG_CPU_HAS_MSA configurations with older GCC versions, which are\nunable to figure out that calls to `_init_msa_upper\u0027 are indeed dead.\nOf the many ways to tackle this failure choose the approach we have\nalready taken in `thread_msa_context_live\u0027.\n\n[ralf@linux-mips.org: Drop patch segment to junk file.]\n\nSigned-off-by: Maciej W. Rozycki \u003cmacro@imgtec.com\u003e\nCc: stable@vger.kernel.org # v3.16+\nCc: linux-mips@linux-mips.org\nPatchwork: https://patchwork.linux-mips.org/patch/13271/\nSigned-off-by: Ralf Baechle \u003cralf@linux-mips.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/fb_helper: Fix references to dev-\u003emode_config.num_connector\n\n[ Upstream commit 255f0e7c418ad95a4baeda017ae6182ba9b3c423 ]\n\nDuring boot, MST hotplugs are generally expected (even if no physical\nhotplugging occurs) and result in DRM\u0027s connector topology changing.\nThis means that using num_connector from the current mode configuration\ncan lead to the number of connectors changing under us. This can lead to\nsome nasty scenarios in fbcon:\n\n- We allocate an array to the size of dev-\u003emode_config.num_connectors.\n- MST hotplug occurs, dev-\u003emode_config.num_connectors gets incremented.\n- We try to loop through each element in the array using the new value\n  of dev-\u003emode_config.num_connectors, and end up going out of bounds\n  since dev-\u003emode_config.num_connectors is now larger then the array we\n  allocated.\n\nfb_helper-\u003econnector_count however, will always remain consistent while\nwe do a modeset in fb_helper.\n\nNote: This is just polish for 4.7, Dave Airlie\u0027s drm_connector\nrefcounting fixed these bugs for real. But it\u0027s good enough duct-tape\nfor stable kernel backporting, since backporting the refcounting\nchanges is way too invasive.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Lyude \u003ccpaul@redhat.com\u003e\n[danvet: Clarify why we need this. Also remove the now unused \"dev\"\nlocal variable to appease gcc.]\nSigned-off-by: Daniel Vetter \u003cdaniel.vetter@ffwll.ch\u003e\nLink: http://patchwork.freedesktop.org/patch/msgid/1463065021-18280-3-git-send-email-cpaul@redhat.com\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nfs/cifs: correctly to anonymous authentication via NTLMSSP\n\n[ Upstream commit cfda35d98298131bf38fbad3ce4cd5ecb3cf18db ]\n\nSee [MS-NLMP] 3.2.5.1.2 Server Receives an AUTHENTICATE_MESSAGE from the Client:\n\n   ...\n   Set NullSession to FALSE\n   If (AUTHENTICATE_MESSAGE.UserNameLen \u003d\u003d 0 AND\n      AUTHENTICATE_MESSAGE.NtChallengeResponse.Length \u003d\u003d 0 AND\n      (AUTHENTICATE_MESSAGE.LmChallengeResponse \u003d\u003d Z(1)\n       OR\n       AUTHENTICATE_MESSAGE.LmChallengeResponse.Length \u003d\u003d 0))\n       -- Special case: client requested anonymous authentication\n       Set NullSession to TRUE\n   ...\n\nOnly server which map unknown users to guest will allow\naccess using a non-null NTChallengeResponse.\n\nFor Samba it\u0027s the \"map to guest \u003d bad user\" option.\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id\u003d11913\n\nCC: Stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Stefan Metzmacher \u003cmetze@samba.org\u003e\nSigned-off-by: Steve French \u003csmfrench@gmail.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nfs/cifs: correctly to anonymous authentication for the LANMAN authentication\n\n[ Upstream commit fa8f3a354bb775ec586e4475bcb07f7dece97e0c ]\n\nOnly server which map unknown users to guest will allow\naccess using a non-null LMChallengeResponse.\n\nFor Samba it\u0027s the \"map to guest \u003d bad user\" option.\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id\u003d11913\n\nSigned-off-by: Stefan Metzmacher \u003cmetze@samba.org\u003e\nCC: Stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Steve French \u003csmfrench@gmail.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nfs/cifs: correctly to anonymous authentication for the NTLM(v1) authentication\n\n[ Upstream commit 777f69b8d26bf35ade4a76b08f203c11e048365d ]\n\nOnly server which map unknown users to guest will allow\naccess using a non-null NTChallengeResponse.\n\nFor Samba it\u0027s the \"map to guest \u003d bad user\" option.\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id\u003d11913\n\nSigned-off-by: Stefan Metzmacher \u003cmetze@samba.org\u003e\nCC: Stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Steve French \u003csmfrench@gmail.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nfs/cifs: correctly to anonymous authentication for the NTLM(v2) authentication\n\n[ Upstream commit 1a967d6c9b39c226be1b45f13acd4d8a5ab3dc44 ]\n\nOnly server which map unknown users to guest will allow\naccess using a non-null NTLMv2_Response.\n\nFor Samba it\u0027s the \"map to guest \u003d bad user\" option.\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id\u003d11913\n\nSigned-off-by: Stefan Metzmacher \u003cmetze@samba.org\u003e\nCC: Stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Steve French \u003csmfrench@gmail.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nremove directory incorrectly tries to set delete on close on non-empty directories\n\n[ Upstream commit 897fba1172d637d344f009d700f7eb8a1fa262f1 ]\n\nWrong return code was being returned on SMB3 rmdir of\nnon-empty directory.\n\nFor SMB3 (unlike for cifs), we attempt to delete a directory by\nset of delete on close flag on the open. Windows clients set\nthis flag via a set info (SET_FILE_DISPOSITION to set this flag)\nwhich properly checks if the directory is empty.\n\nWith this patch on smb3 mounts we correctly return\n \"DIRECTORY NOT EMPTY\"\non attempts to remove a non-empty directory.\n\nSigned-off-by: Steve French \u003csteve.french@primarydata.com\u003e\nCC: Stable \u003cstable@vger.kernel.org\u003e\nAcked-by: Sachin Prabhu \u003csprabhu@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nxfs: xfs_iflush_cluster fails to abort on error\n\n[ Upstream commit b1438f477934f5a4d5a44df26f3079a7575d5946 ]\n\nWhen a failure due to an inode buffer occurs, the error handling\nfails to abort the inode writeback correctly. This can result in the\ninode being reclaimed whilst still in the AIL, leading to\nuse-after-free situations as well as filesystems that cannot be\nunmounted as the inode log items left in the AIL never get removed.\n\nFix this by ensuring fatal errors from xfs_imap_to_bp() result in\nthe inode flush being aborted correctly.\n\ncc: \u003cstable@vger.kernel.org\u003e # 3.10.x-\nReported-by: Shyam Kaushik \u003cshyam@zadarastorage.com\u003e\nDiagnosed-by: Shyam Kaushik \u003cshyam@zadarastorage.com\u003e\nTested-by: Shyam Kaushik \u003cshyam@zadarastorage.com\u003e\nSigned-off-by: Dave Chinner \u003cdchinner@redhat.com\u003e\nReviewed-by: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Dave Chinner \u003cdavid@fromorbit.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nxfs: fix inode validity check in xfs_iflush_cluster\n\n[ Upstream commit 51b07f30a71c27405259a0248206ed4e22adbee2 ]\n\nSome careless idiot(*) wrote crap code in commit 1a3e8f3 (\"xfs:\nconvert inode cache lookups to use RCU locking\") back in late 2010,\nand so xfs_iflush_cluster checks the wrong inode for whether it is\nstill valid under RCU protection. Fix it to lock and check the\ncorrect inode.\n\n(*) Careless-idiot: Dave Chinner \u003cdchinner@redhat.com\u003e\n\ncc: \u003cstable@vger.kernel.org\u003e # 3.10.x-\nDiscovered-by: Brain Foster \u003cbfoster@redhat.com\u003e\nSigned-off-by: Dave Chinner \u003cdchinner@redhat.com\u003e\nReviewed-by: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Dave Chinner \u003cdavid@fromorbit.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nxfs: skip stale inodes in xfs_iflush_cluster\n\n[ Upstream commit 7d3aa7fe970791f1a674b14572a411accf2f4d4e ]\n\nWe don\u0027t write back stale inodes so we should skip them in\nxfs_iflush_cluster, too.\n\ncc: \u003cstable@vger.kernel.org\u003e # 3.10.x-\nSigned-off-by: Dave Chinner \u003cdchinner@redhat.com\u003e\nReviewed-by: Brian Foster \u003cbfoster@redhat.com\u003e\nReviewed-by: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Dave Chinner \u003cdavid@fromorbit.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nASoC: ak4642: Fix up max_register setting\n\n[ Upstream commit f8ea6cebcfa6499949392da71fc427567c9e5a0e ]\n\nThe max_register setting for ak4642, ak4643 and ak4648 are wrong, fix it.\n\nAccording to the datasheet:\n        the maximum valid register for ak4642 is 0x1f\n        the maximum valid register for ak4643 is 0x24\n        the maximum valid register for ak4648 is 0x27\n\nThe default settings for ak4642 and ak4643 are the same for 0x0 ~ 0x1f\nregisters, so it\u0027s fine to use the same reg_default table with differnt\nnum_reg_defaults setting.\n\nSigned-off-by: Axel Lin \u003caxel.lin@ingics.com\u003e\nTested-by: Kuninori Morimoto \u003ckuninori.morimoto.gx@renesas.com\u003e\nSigned-off-by: Mark Brown \u003cbroonie@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nASoC: ak4642: Enable cache usage to fix crashes on resume\n\n[ Upstream commit d3030d11961a8c103cf07aed59905276ddfc06c2 ]\n\nThe ak4642 driver is using a regmap cache sync to restore the\nconfiguration of the chip on resume but (as Peter observed) does not\nactually define a register cache which means that the resume is never\ngoing to work and we trigger asserts in regmap.  Fix this by enabling\ncaching.\n\nReported-by: Geert Uytterhoeven \u003cgeert@linux-m68k.org\u003e\nReported-by: Peter Ujfalusi \u003cpeter.ujfalusi@ti.com\u003e\nTested-by: Geert Uytterhoeven \u003cgeert+renesas@glider.be\u003e\nSigned-off-by: Mark Brown \u003cbroonie@kernel.org\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ncifs: Create dedicated keyring for spnego operations\n\n[ Upstream commit b74cb9a80268be5c80cf4c87c74debf0ff2129ac ]\n\nThe session key is the default keyring set for request_key operations.\nThis session key is revoked when the user owning the session logs out.\nAny long running daemon processes started by this session ends up with\nrevoked session keyring which prevents these processes from using the\nrequest_key mechanism from obtaining the krb5 keys.\n\nThe problem has been reported by a large number of autofs users. The\nproblem is also seen with multiuser mounts where the share may be used\nby processes run by a user who has since logged out. A reproducer using\nautomount is available on the Red Hat bz.\n\nThe patch creates a new keyring which is used to cache cifs spnego\nupcalls.\n\nRed Hat bz: 1267754\n\nSigned-off-by: Sachin Prabhu \u003csprabhu@redhat.com\u003e\nReported-by: Scott Mayhew \u003csmayhew@redhat.com\u003e\nReviewed-by: Shirish Pargaonkar \u003cshirishpargaonkar@gmail.com\u003e\nCC: Stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Steve French \u003csmfrench@gmail.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nInput: uinput - handle compat ioctl for UI_SET_PHYS\n\n[ Upstream commit affa80bd97f7ca282d1faa91667b3ee9e4c590e6 ]\n\nWhen running a 32-bit userspace on a 64-bit kernel, the UI_SET_PHYS\nioctl needs to be treated with special care, as it has the pointer\nsize encoded in the command.\n\nSigned-off-by: Ricky Liang \u003cjcliang@chromium.org\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Dmitry Torokhov \u003cdmitry.torokhov@gmail.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nPM / sleep: Handle failures in device_suspend_late() consistently\n\n[ Upstream commit 3a17fb329da68cb00558721aff876a80bba2fdb9 ]\n\nGrygorii Strashko reports:\n\n The PM runtime will be left disabled for the device if its\n .suspend_late() callback fails and async suspend is not allowed\n for this device. In this case device will not be added in\n dpm_late_early_list and dpm_resume_early() will ignore this\n device, as result PM runtime will be disabled for it forever\n (side effect: after 8 subsequent failures for the same device\n the PM runtime will be reenabled due to disable_depth overflow).\n\nTo fix this problem, add devices to dpm_late_early_list regardless\nof whether or not device_suspend_late() returns errors for them.\n\nThat will ensure failures in there to be handled consistently for\nall devices regardless of their async suspend/resume status.\n\nReported-by: Grygorii Strashko \u003cgrygorii.strashko@ti.com\u003e\nTested-by: Grygorii Strashko \u003cgrygorii.strashko@ti.com\u003e\nSigned-off-by: Rafael J. Wysocki \u003crafael.j.wysocki@intel.com\u003e\nCc: All applicable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/i915: Don\u0027t leave old junk in ilk active watermarks on readout\n\n[ Upstream commit 7045c3689f148a0c95f42bae8ef3eb2829ac7de9 ]\n\nWhen we read out the watermark state from the hardware we\u0027re supposed to\ntransfer that into the active watermarks, but currently we fail to any\npart of the active watermarks that isn\u0027t explicitly written. Let\u0027s clear\nit all upfront.\n\nLooks like this has been like this since the beginning, when I added the\nreadout. No idea why I didn\u0027t clear it up.\n\nCc: Matt Roper \u003cmatthew.d.roper@intel.com\u003e\nFixes: 243e6a44b9ca (\"drm/i915: Init HSW watermark tracking in intel_modeset_setup_hw_state()\")\nCc: stable@vger.kernel.org\nSigned-off-by: Ville Syrjälä \u003cville.syrjala@linux.intel.com\u003e\nReviewed-by: Matt Roper \u003cmatthew.d.roper@intel.com\u003e\nSigned-off-by: Matt Roper \u003cmatthew.d.roper@intel.com\u003e\nLink: http://patchwork.freedesktop.org/patch/msgid/1463151318-14719-2-git-send-email-ville.syrjala@linux.intel.com\n(cherry picked from commit 15606534bf0a65d8a74a90fd57b8712d147dbca6)\nSigned-off-by: Jani Nikula \u003cjani.nikula@intel.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmmc: longer timeout for long read time quirk\n\n[ Upstream commit 32ecd320db39bcb007679ed42f283740641b81ea ]\n\n008GE0 Toshiba mmc in some Intel Baytrail tablets responds to\nMMC_SEND_EXT_CSD in 450-600ms.\n\nThis patch will...\n\n() Increase the long read time quirk timeout from 300ms to 600ms. Original\n   author of that quirk says 300ms was only a guess and that the number\n   may need to be raised in the future.\n\n() Add this specific MMC to the quirk\n\nSigned-off-by: Matt Gumbel \u003cmatthew.k.gumbel@intel.com\u003e\nSigned-off-by: Adrian Hunter \u003cadrian.hunter@intel.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Ulf Hansson \u003culf.hansson@linaro.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmmc: sdhci-acpi: Add two host capabilities for Intel\n\n[ Upstream commit 9d65cb88e5979d43f47c899601353ca61973ba90 ]\n\nIntel host controllers are capable of doing the bus\nwidth test and of waiting while busy, so add the\ncapability flags.\n\nSigned-off-by: Adrian Hunter \u003cadrian.hunter@intel.com\u003e\nSigned-off-by: Ulf Hansson \u003culf.hansson@linaro.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmmc: sdhci-acpi: Remove MMC_CAP_BUS_WIDTH_TEST for Intel controllers\n\n[ Upstream commit 265984b36ce82fec67957d452dd2b22e010611e4 ]\n\nThe CMD19/CMD14 bus width test has been found to be unreliable in\nsome cases.  It is not essential, so simply remove it.\n\nSigned-off-by: Adrian Hunter \u003cadrian.hunter@intel.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Ulf Hansson \u003culf.hansson@linaro.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nsunrpc: fix stripping of padded MIC tokens\n\n[ Upstream commit c0cb8bf3a8e4bd82e640862cdd8891400405cb89 ]\n\nThe length of the GSS MIC token need not be a multiple of four bytes.\nIt is then padded by XDR to a multiple of 4 B, but unwrap_integ_data()\nwould previously only trim mic.len + 4 B. The remaining up to three\nbytes would then trigger a check in nfs4svc_decode_compoundargs(),\nleading to a \"garbage args\" error and mount failure:\n\nnfs4svc_decode_compoundargs: compound not properly padded!\nnfsd: failed to decode arguments!\n\nThis would prevent older clients using the pre-RFC 4121 MIC format\n(37-byte MIC including a 9-byte OID) from mounting exports from v3.9+\nservers using krb5i.\n\nThe trimming was introduced by commit 4c190e2f913f (\"sunrpc: trim off\ntrailing checksum before returning decrypted or integrity authenticated\nbuffer\").\n\nFixes: 4c190e2f913f \"unrpc: trim off trailing checksum...\"\nSigned-off-by: Tomáš Trnka \u003cttrnka@mail.muni.cz\u003e\nCc: stable@vger.kernel.org\nAcked-by: Jeff Layton \u003cjlayton@poochiereds.net\u003e\nSigned-off-by: J. Bruce Fields \u003cbfields@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nwait/ptrace: assume __WALL if the child is traced\n\n[ Upstream commit bf959931ddb88c4e4366e96dd22e68fa0db9527c ]\n\nThe following program (simplified version of generated by syzkaller)\n\n\t#include \u003cpthread.h\u003e\n\t#include \u003cunistd.h\u003e\n\t#include \u003csys/ptrace.h\u003e\n\t#include \u003cstdio.h\u003e\n\t#include \u003csignal.h\u003e\n\n\tvoid *thread_func(void *arg)\n\t{\n\t\tptrace(PTRACE_TRACEME, 0,0,0);\n\t\treturn 0;\n\t}\n\n\tint main(void)\n\t{\n\t\tpthread_t thread;\n\n\t\tif (fork())\n\t\t\treturn 0;\n\n\t\twhile (getppid() !\u003d 1)\n\t\t\t;\n\n\t\tpthread_create(\u0026thread, NULL, thread_func, NULL);\n\t\tpthread_join(thread, NULL);\n\t\treturn 0;\n\t}\n\ncreates an unreapable zombie if /sbin/init doesn\u0027t use __WALL.\n\nThis is not a kernel bug, at least in a sense that everything works as\nexpected: debugger should reap a traced sub-thread before it can reap the\nleader, but without __WALL/__WCLONE do_wait() ignores sub-threads.\n\nUnfortunately, it seems that /sbin/init in most (all?) distributions\ndoesn\u0027t use it and we have to change the kernel to avoid the problem.\nNote also that most init\u0027s use sys_waitid() which doesn\u0027t allow __WALL, so\nthe necessary user-space fix is not that trivial.\n\nThis patch just adds the \"ptrace\" check into eligible_child().  To some\ndegree this matches the \"tsk-\u003eptrace\" in exit_notify(), -\u003eexit_signal is\nmostly ignored when the tracee reports to debugger.  Or WSTOPPED, the\ntracer doesn\u0027t need to set this flag to wait for the stopped tracee.\n\nThis obviously means the user-visible change: __WCLONE and __WALL no\nlonger have any meaning for debugger.  And I can only hope that this won\u0027t\nbreak something, but at least strace/gdb won\u0027t suffer.\n\nWe could make a more conservative change.  Say, we can take __WCLONE into\naccount, or !thread_group_leader().  But it would be nice to not\ncomplicate these historical/confusing checks.\n\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nReported-by: Dmitry Vyukov \u003cdvyukov@google.com\u003e\nCc: Denys Vlasenko \u003cdvlasenk@redhat.com\u003e\nCc: Jan Kratochvil \u003cjan.kratochvil@redhat.com\u003e\nCc: \"Michael Kerrisk (man-pages)\" \u003cmtk.manpages@gmail.com\u003e\nCc: Pedro Alves \u003cpalves@redhat.com\u003e\nCc: Roland McGrath \u003croland@hack.frob.com\u003e\nCc: \u003csyzkaller@googlegroups.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nx86/xen: Override ACPI IRQ management callback __acpi_unregister_gsi\n\n[ Upstream commit 8abb850a03a3a8b11a0e92949e5b99d9cc178e35 ]\n\nXen overrides __acpi_register_gsi and leaves __acpi_unregister_gsi as is.\nThat means, an IRQ allocated by acpi_register_gsi_xen_hvm() or\nacpi_register_gsi_xen() will be freed by acpi_unregister_gsi_ioapic(),\nwhich may cause undesired effects. So override __acpi_unregister_gsi to\nNULL for safety.\n\nSigned-off-by: Jiang Liu \u003cjiang.liu@linux.intel.com\u003e\nTested-by: Sander Eikelenboom \u003clinux@eikelenboom.it\u003e\nCc: Tony Luck \u003ctony.luck@intel.com\u003e\nCc: xen-devel@lists.xenproject.org\nCc: Konrad Rzeszutek Wilk \u003ckonrad.wilk@oracle.com\u003e\nCc: David Vrabel \u003cdavid.vrabel@citrix.com\u003e\nCc: Bjorn Helgaas \u003cbhelgaas@google.com\u003e\nCc: Graeme Gregory \u003cgraeme.gregory@linaro.org\u003e\nCc: Lv Zheng \u003clv.zheng@intel.com\u003e\nLink: http://lkml.kernel.org/r/1421720467-7709-4-git-send-email-jiang.liu@linux.intel.com\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nxen/x86: actually allocate legacy interrupts on PV guests\n\n[ Upstream commit 702f926067d2a4b28c10a3c41a1172dd62d9e735 ]\n\nb4ff8389ed14 is incomplete: relies on nr_legacy_irqs() to get the number\nof legacy interrupts when actually nr_legacy_irqs() returns 0 after\nprobe_8259A(). Use NR_IRQS_LEGACY instead.\n\nSigned-off-by: Stefano Stabellini \u003csstabellini@kernel.org\u003e\nCC: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nxen/events: Don\u0027t move disabled irqs\n\n[ Upstream commit f0f393877c71ad227d36705d61d1e4062bc29cf5 ]\n\nCommit ff1e22e7a638 (\"xen/events: Mask a moving irq\") open-coded\nirq_move_irq() but left out checking if the IRQ is disabled. This broke\nresuming from suspend since it tries to move a (disabled) irq without\nholding the IRQ\u0027s desc-\u003elock. Fix it by adding in a check for disabled\nIRQs.\n\nThe resulting stacktrace was:\nkernel BUG at /build/linux-UbQGH5/linux-4.4.0/kernel/irq/migration.c:31!\ninvalid opcode: 0000 [#1] SMP\nModules linked in: xenfs xen_privcmd ...\nCPU: 0 PID: 9 Comm: migration/0 Not tainted 4.4.0-22-generic #39-Ubuntu\nHardware name: Xen HVM domU, BIOS 4.6.1-xs125180 05/04/2016\ntask: ffff88003d75ee00 ti: ffff88003d7bc000 task.ti: ffff88003d7bc000\nRIP: 0010:[\u003cffffffff810e26e2\u003e]  [\u003cffffffff810e26e2\u003e] irq_move_masked_irq+0xd2/0xe0\nRSP: 0018:ffff88003d7bfc50  EFLAGS: 00010046\nRAX: 0000000000000000 RBX: ffff88003d40ba00 RCX: 0000000000000001\nRDX: 0000000000000001 RSI: 0000000000000100 RDI: ffff88003d40bad8\nRBP: ffff88003d7bfc68 R08: 0000000000000000 R09: ffff88003d000000\nR10: 0000000000000000 R11: 000000000000023c R12: ffff88003d40bad0\nR13: ffffffff81f3a4a0 R14: 0000000000000010 R15: 00000000ffffffff\nFS:  0000000000000000(0000) GS:ffff88003da00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fd4264de624 CR3: 0000000037922000 CR4: 00000000003406f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nStack:\n ffff88003d40ba38 0000000000000024 0000000000000000 ffff88003d7bfca0\n ffffffff814c8d92 00000010813ef89d 00000000805ea732 0000000000000009\n 0000000000000024 ffff88003cc39b80 ffff88003d7bfce0 ffffffff814c8f66\nCall Trace:\n [\u003cffffffff814c8d92\u003e] eoi_pirq+0xb2/0xf0\n [\u003cffffffff814c8f66\u003e] __startup_pirq+0xe6/0x150\n [\u003cffffffff814ca659\u003e] xen_irq_resume+0x319/0x360\n [\u003cffffffff814c7e75\u003e] xen_suspend+0xb5/0x180\n [\u003cffffffff81120155\u003e] multi_cpu_stop+0xb5/0xe0\n [\u003cffffffff811200a0\u003e] ? cpu_stop_queue_work+0x80/0x80\n [\u003cffffffff811203d0\u003e] cpu_stopper_thread+0xb0/0x140\n [\u003cffffffff810a94e6\u003e] ? finish_task_switch+0x76/0x220\n [\u003cffffffff810ca731\u003e] ? __raw_callee_save___pv_queued_spin_unlock+0x11/0x20\n [\u003cffffffff810a3935\u003e] smpboot_thread_fn+0x105/0x160\n [\u003cffffffff810a3830\u003e] ? sort_range+0x30/0x30\n [\u003cffffffff810a0588\u003e] kthread+0xd8/0xf0\n [\u003cffffffff810a04b0\u003e] ? kthread_create_on_node+0x1e0/0x1e0\n [\u003cffffffff8182568f\u003e] ret_from_fork+0x3f/0x70\n [\u003cffffffff810a04b0\u003e] ? kthread_create_on_node+0x1e0/0x1e0\n\nSigned-off-by: Ross Lagerwall \u003cross.lagerwall@citrix.com\u003e\nReviewed-by: Boris Ostrovsky \u003cboris.ostrovsky@oracle.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: David Vrabel \u003cdavid.vrabel@citrix.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUBI: Fix static volume checks when Fastmap is used\n\n[ Upstream commit 1900149c835ab5b48bea31a823ea5e5a401fb560 ]\n\nEzequiel reported that he\u0027s facing UBI going into read-only\nmode after power cut. It turned out that this behavior happens\nonly when updating a static volume is interrupted and Fastmap is\nused.\n\nA possible trace can look like:\nubi0 warning: ubi_io_read_vid_hdr [ubi]: no VID header found at PEB 2323, only 0xFF bytes\nubi0 warning: ubi_eba_read_leb [ubi]: switch to read-only mode\nCPU: 0 PID: 833 Comm: ubiupdatevol Not tainted 4.6.0-rc2-ARCH #4\nHardware name: SAMSUNG ELECTRONICS CO., LTD. 300E4C/300E5C/300E7C/NP300E5C-AD8AR, BIOS P04RAP 10/15/2012\n0000000000000286 00000000eba949bd ffff8800c45a7b38 ffffffff8140d841\nffff8801964be000 ffff88018eaa4800 ffff8800c45a7bb8 ffffffffa003abf6\nffffffff850e2ac0 8000000000000163 ffff8801850e2ac0 ffff8801850e2ac0\nCall Trace:\n[\u003cffffffff8140d841\u003e] dump_stack+0x63/0x82\n[\u003cffffffffa003abf6\u003e] ubi_eba_read_leb+0x486/0x4a0 [ubi]\n[\u003cffffffffa00453b3\u003e] ubi_check_volume+0x83/0xf0 [ubi]\n[\u003cffffffffa0039d97\u003e] ubi_open_volume+0x177/0x350 [ubi]\n[\u003cffffffffa00375d8\u003e] vol_cdev_open+0x58/0xb0 [ubi]\n[\u003cffffffff8124b08e\u003e] chrdev_open+0xae/0x1d0\n[\u003cffffffff81243bcf\u003e] do_dentry_open+0x1ff/0x300\n[\u003cffffffff8124afe0\u003e] ? cdev_put+0x30/0x30\n[\u003cffffffff81244d36\u003e] vfs_open+0x56/0x60\n[\u003cffffffff812545f4\u003e] path_openat+0x4f4/0x1190\n[\u003cffffffff81256621\u003e] do_filp_open+0x91/0x100\n[\u003cffffffff81263547\u003e] ? __alloc_fd+0xc7/0x190\n[\u003cffffffff812450df\u003e] do_sys_open+0x13f/0x210\n[\u003cffffffff812451ce\u003e] SyS_open+0x1e/0x20\n[\u003cffffffff81a99e32\u003e] entry_SYSCALL_64_fastpath+0x1a/0xa4\n\nUBI checks static volumes for data consistency and reads the\nwhole volume upon first open. If the volume is found erroneous\nusers of UBI cannot read from it, but another volume update is\npossible to fix it. The check is performed by running\nubi_eba_read_leb() on every allocated LEB of the volume.\nFor static volumes ubi_eba_read_leb() computes the checksum of all\ndata stored in a LEB. To verify the computed checksum it has to read\nthe LEB\u0027s volume header which stores the original checksum.\nIf the volume header is not found UBI treats this as fatal internal\nerror and switches to RO mode. If the UBI device was attached via a\nfull scan the assumption is correct, the volume header has to be\npresent as it had to be there while scanning to get known as mapped.\nIf the attach operation happened via Fastmap the assumption is no\nlonger correct. When attaching via Fastmap UBI learns the mapping\ntable from Fastmap\u0027s snapshot of the system state and not via a full\nscan. It can happen that a LEB got unmapped after a Fastmap was\nwritten to the flash. Then UBI can learn the LEB still as mapped and\naccessing it returns only 0xFF bytes. As UBI is not a FTL it is\nallowed to have mappings to empty PEBs, it assumes that the layer\nabove takes care of LEB accounting and referencing.\nUBIFS does so using the LEB property tree (LPT).\nFor static volumes UBI blindly assumes that all LEBs are present and\ntherefore special actions have to be taken.\n\nThe described situation can happen when updating a static volume is\ninterrupted, either by a user or a power cut.\nThe volume update code first unmaps all LEBs of a volume and then\nwrites LEB by LEB. If the sequence of operations is interrupted UBI\ndetects this either by the absence of LEBs, no volume header present\nat scan time, or corrupted payload, detected via checksum.\nIn the Fastmap case the former method won\u0027t trigger as no scan\nhappened and UBI automatically thinks all LEBs are present.\nOnly by reading data from a LEB it detects that the volume header is\nmissing and incorrectly treats this as fatal error.\nTo deal with the situation ubi_eba_read_leb() from now on checks\nwhether we attached via Fastmap and handles the absence of a\nvolume header like a data corruption error.\nThis way interrupted static volume updates will correctly get detected\nalso when Fastmap is used.\n\nCc: \u003cstable@vger.kernel.org\u003e\nReported-by: Ezequiel Garcia \u003cezequiel@vanguardiasur.com.ar\u003e\nTested-by: Ezequiel Garcia \u003cezequiel@vanguardiasur.com.ar\u003e\nSigned-off-by: Richard Weinberger \u003crichard@nod.at\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndma-debug: avoid spinlock recursion when disabling dma-debug\n\n[ Upstream commit 3017cd63f26fc655d56875aaf497153ba60e9edf ]\n\nWith netconsole (at least) the pr_err(\"...  disablingn\") call can\nrecurse back into the dma-debug code, where it\u0027ll try to grab\nfree_entries_lock again.  Avoid the problem by doing the printk after\ndropping the lock.\n\nLink: http://lkml.kernel.org/r/1463678421-18683-1-git-send-email-ville.syrjala@linux.intel.com\nSigned-off-by: Ville Syrjälä \u003cville.syrjala@linux.intel.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nLinux 3.18.35\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ncrypto: public_key: select CRYPTO_AKCIPHER\n\n[ Upstream commit bad6a185b4d6f81d0ed2b6e4c16307969f160b95 ]\n\nIn some rare randconfig builds, we can end up with\nASYMMETRIC_PUBLIC_KEY_SUBTYPE enabled but CRYPTO_AKCIPHER disabled,\nwhich fails to link because of the reference to crypto_alloc_akcipher:\n\ncrypto/built-in.o: In function `public_key_verify_signature\u0027:\n:(.text+0x110e4): undefined reference to `crypto_alloc_akcipher\u0027\n\nThis adds a Kconfig \u0027select\u0027 statement to ensure the dependency\nis always there.\n\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nscsi_lib: correctly retry failed zero length REQ_TYPE_FS commands\n\n[ Upstream commit a621bac3044ed6f7ec5fa0326491b2d4838bfa93 ]\n\nWhen SCSI was written, all commands coming from the filesystem\n(REQ_TYPE_FS commands) had data.  This meant that our signal for needing\nto complete the command was the number of bytes completed being equal to\nthe number of bytes in the request.  Unfortunately, with the advent of\nflush barriers, we can now get zero length REQ_TYPE_FS commands, which\nconfuse this logic because they satisfy the condition every time.  This\nmeans they never get retried even for retryable conditions, like UNIT\nATTENTION because we complete them early assuming they\u0027re done.  Fix\nthis by special casing the early completion condition to recognise zero\nlength commands with errors and let them drop through to the retry code.\n\nCc: stable@vger.kernel.org\nReported-by: Sebastian Parschauer \u003cs.parschauer@gmx.de\u003e\nSigned-off-by: James E.J. Bottomley \u003cjejb@linux.vnet.ibm.com\u003e\nTested-by: Jack Wang \u003cjinpu.wang@profitbricks.com\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ncrypto: ccp - Fix AES XTS error for request sizes above 4096\n\n[ Upstream commit ab6a11a7c8ef47f996974dd3c648c2c0b1a36ab1 ]\n\nThe ccp-crypto module for AES XTS support has a bug that can allow requests\ngreater than 4096 bytes in size to be passed to the CCP hardware. The CCP\nhardware does not support request sizes larger than 4096, resulting in\nincorrect output. The request should actually be handled by the fallback\nmechanism instantiated by the ccp-crypto module.\n\nAdd a check to insure the request size is less than or equal to the maximum\nsupported size and use the fallback mechanism if it is not.\n\nCc: \u003cstable@vger.kernel.org\u003e # 3.14.x-\nSigned-off-by: Tom Lendacky \u003cthomas.lendacky@amd.com\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\npowerpc/pseries/eeh: Handle RTAS delay requests in configure_bridge\n\n[ Upstream commit 871e178e0f2c4fa788f694721a10b4758d494ce1 ]\n\nIn the \"ibm,configure-pe\" and \"ibm,configure-bridge\" RTAS calls, the\nspec states that values of 9900-9905 can be returned, indicating that\nsoftware should delay for 10^x (where x is the last digit, i.e. 990x)\nmilliseconds and attempt the call again. Currently, the kernel doesn\u0027t\nknow about this, and respecting it fixes some PCI failures when the\nhypervisor is busy.\n\nThe delay is capped at 0.2 seconds.\n\nCc: \u003cstable@vger.kernel.org\u003e # 3.10+\nSigned-off-by: Russell Currey \u003cruscur@russell.cc\u003e\nAcked-by: Gavin Shan \u003cgwshan@linux.vnet.ibm.com\u003e\nSigned-off-by: Michael Ellerman \u003cmpe@ellerman.id.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\npowerpc: Fix definition of SIAR and SDAR registers\n\n[ Upstream commit d23fac2b27d94aeb7b65536a50d32bfdc21fe01e ]\n\nThe SIAR and SDAR registers are available twice, one time as SPRs\n780 / 781 (unprivileged, but read-only), and one time as the SPRs\n796 / 797 (privileged, but read and write). The Linux kernel code\ncurrently uses the unprivileged  SPRs - while this is OK for reading,\nwriting to that register of course does not work.\nSince the KVM code tries to write to this register, too (see the mtspr\nin book3s_hv_rmhandlers.S), the contents of this register sometimes get\nlost for the guests, e.g. during migration of a VM.\nTo fix this issue, simply switch to the privileged SPR numbers instead.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Thomas Huth \u003cthuth@redhat.com\u003e\nAcked-by: Paul Mackerras \u003cpaulus@ozlabs.org\u003e\nSigned-off-by: Michael Ellerman \u003cmpe@ellerman.id.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\npowerpc: Use privileged SPR number for MMCR2\n\n[ Upstream commit 8dd75ccb571f3c92c48014b3dabd3d51a115ab41 ]\n\nWe are already using the privileged versions of MMCR0, MMCR1\nand MMCRA in the kernel, so for MMCR2, we should better use\nthe privileged versions, too, to be consistent.\n\nFixes: 240686c13687 (\"powerpc: Initialise PMU related regs on Power8\")\nCc: stable@vger.kernel.org # v3.10+\nSuggested-by: Paul Mackerras \u003cpaulus@ozlabs.org\u003e\nSigned-off-by: Thomas Huth \u003cthuth@redhat.com\u003e\nAcked-by: Paul Mackerras \u003cpaulus@ozlabs.org\u003e\nSigned-off-by: Michael Ellerman \u003cmpe@ellerman.id.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmac80211_hwsim: Add missing check for HWSIM_ATTR_SIGNAL\n\n[ Upstream commit 62397da50bb20a6b812c949ef465d7e69fe54bb6 ]\n\nA wmediumd that does not send this attribute causes a NULL pointer\ndereference, as the attribute is accessed even if it does not exist.\n\nThe attribute was required but never checked ever since userspace frame\nforwarding has been introduced. The issue gets more problematic once we\nallow wmediumd registration from user namespaces.\n\nCc: stable@vger.kernel.org\nFixes: 7882513bacb1 (\"mac80211_hwsim driver support userspace frame tx/rx\")\nSigned-off-by: Martin Willi \u003cmartin@strongswan.org\u003e\nSigned-off-by: Johannes Berg \u003cjohannes.berg@intel.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmac80211: mesh: flush mesh paths unconditionally\n\n[ Upstream commit fe7a7c57629e8dcbc0e297363a9b2366d67a6dc5 ]\n\nCurrently, the mesh paths associated with a nexthop station are cleaned\nup in the following code path:\n\n    __sta_info_destroy_part1\n    synchronize_net()\n    __sta_info_destroy_part2\n     -\u003e cleanup_single_sta\n       -\u003e mesh_sta_cleanup\n         -\u003e mesh_plink_deactivate\n           -\u003e mesh_path_flush_by_nexthop\n\nHowever, there are a couple of problems here:\n\n1) the paths aren\u0027t flushed at all if the MPM is running in userspace\n   (e.g. when using wpa_supplicant or authsae)\n\n2) there is no synchronize_rcu between removing the path and readers\n   accessing the nexthop, which means the following race is possible:\n\nCPU0                            CPU1\n~~~~                            ~~~~\n                                sta_info_destroy_part1()\n                                synchronize_net()\nrcu_read_lock()\nmesh_nexthop_resolve()\n  mpath \u003d mesh_path_lookup()\n                                [...] -\u003e mesh_path_flush_by_nexthop()\n  sta \u003d rcu_dereference(\n    mpath-\u003enext_hop)\n                                kfree(sta)\n  access sta \u003c-- CRASH\n\nFix both of these by unconditionally flushing paths before destroying\nthe sta, and by adding a synchronize_net() after path flush to ensure\nno active readers can still dereference the sta.\n\nFixes this crash:\n\n[  348.529295] BUG: unable to handle kernel paging request at 00020040\n[  348.530014] IP: [\u003cf929245d\u003e] ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211]\n[  348.530014] *pde \u003d 00000000\n[  348.530014] Oops: 0000 [#1] PREEMPT\n[  348.530014] Modules linked in: drbg ansi_cprng ctr ccm ppp_generic slhc ipt_MASQUERADE nf_nat_masquerade_ipv4 8021q ]\n[  348.530014] CPU: 0 PID: 20597 Comm: wget Tainted: G           O 4.6.0-rc5-wt\u003dV1 #1\n[  348.530014] Hardware name: To Be Filled By O.E.M./To be filled by O.E.M., BIOS 080016  11/07/2014\n[  348.530014] task: f64fa280 ti: f4f9c000 task.ti: f4f9c000\n[  348.530014] EIP: 0060:[\u003cf929245d\u003e] EFLAGS: 00010246 CPU: 0\n[  348.530014] EIP is at ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211]\n[  348.530014] EAX: f4ce63e0 EBX: 00000088 ECX: f3788416 EDX: 00020008\n[  348.530014] ESI: 00000000 EDI: 00000088 EBP: f6409a4c ESP: f6409a40\n[  348.530014]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068\n[  348.530014] CR0: 80050033 CR2: 00020040 CR3: 33190000 CR4: 00000690\n[  348.530014] Stack:\n[  348.530014]  00000000 f4ce63e0 f5f9bd80 f6409a64 f9291d80 0000ce67 f5d51e00 f4ce63e0\n[  348.530014]  f3788416 f6409a80 f9291dc1 f4ce8320 f4ce63e0 f5d51e00 f4ce63e0 f4ce8320\n[  348.530014]  f6409a98 f9277f6f 00000000 00000000 0000007c 00000000 f6409b2c f9278dd1\n[  348.530014] Call Trace:\n[  348.530014]  [\u003cf9291d80\u003e] mesh_nexthop_lookup+0xbb/0xc8 [mac80211]\n[  348.530014]  [\u003cf9291dc1\u003e] mesh_nexthop_resolve+0x34/0xd8 [mac80211]\n[  348.530014]  [\u003cf9277f6f\u003e] ieee80211_xmit+0x92/0xc1 [mac80211]\n[  348.530014]  [\u003cf9278dd1\u003e] __ieee80211_subif_start_xmit+0x807/0x83c [mac80211]\n[  348.530014]  [\u003cc04df012\u003e] ? sch_direct_xmit+0xd7/0x1b3\n[  348.530014]  [\u003cc022a8c6\u003e] ? __local_bh_enable_ip+0x5d/0x7b\n[  348.530014]  [\u003cf956870c\u003e] ? nf_nat_ipv4_out+0x4c/0xd0 [nf_nat_ipv4]\n[  348.530014]  [\u003cf957e036\u003e] ? iptable_nat_ipv4_fn+0xf/0xf [iptable_nat]\n[  348.530014]  [\u003cc04c6f45\u003e] ? netif_skb_features+0x14d/0x30a\n[  348.530014]  [\u003cf9278e10\u003e] ieee80211_subif_start_xmit+0xa/0xe [mac80211]\n[  348.530014]  [\u003cc04c769c\u003e] dev_hard_start_xmit+0x1f8/0x267\n[  348.530014]  [\u003cc04c7261\u003e] ?  validate_xmit_skb.isra.120.part.121+0x10/0x253\n[  348.530014]  [\u003cc04defc6\u003e] sch_direct_xmit+0x8b/0x1b3\n[  348.530014]  [\u003cc04c7a9c\u003e] __dev_queue_xmit+0x2c8/0x513\n[  348.530014]  [\u003cc04c7cfb\u003e] dev_queue_xmit+0xa/0xc\n[  348.530014]  [\u003cf91bfc7a\u003e] batadv_send_skb_packet+0xd6/0xec [batman_adv]\n[  348.530014]  [\u003cf91bfdc4\u003e] batadv_send_unicast_skb+0x15/0x4a [batman_adv]\n[  348.530014]  [\u003cf91b5938\u003e] batadv_dat_send_data+0x27e/0x310 [batman_adv]\n[  348.530014]  [\u003cf91c30b5\u003e] ? batadv_tt_global_hash_find.isra.11+0x8/0xa [batman_adv]\n[  348.530014]  [\u003cf91b63f3\u003e] batadv_dat_snoop_outgoing_arp_request+0x208/0x23d [batman_adv]\n[  348.530014]  [\u003cf91c0cd9\u003e] batadv_interface_tx+0x206/0x385 [batman_adv]\n[  348.530014]  [\u003cc04c769c\u003e] dev_hard_start_xmit+0x1f8/0x267\n[  348.530014]  [\u003cc04c7261\u003e] ?  validate_xmit_skb.isra.120.part.121+0x10/0x253\n[  348.530014]  [\u003cc04defc6\u003e] sch_direct_xmit+0x8b/0x1b3\n[  348.530014]  [\u003cc04c7a9c\u003e] __dev_queue_xmit+0x2c8/0x513\n[  348.530014]  [\u003cf80cbd2a\u003e] ? igb_xmit_frame+0x57/0x72 [igb]\n[  348.530014]  [\u003cc04c7cfb\u003e] dev_queue_xmit+0xa/0xc\n[  348.530014]  [\u003cf843a326\u003e] br_dev_queue_push_xmit+0xeb/0xfb [bridge]\n[  348.530014]  [\u003cf843a35f\u003e] br_forward_finish+0x29/0x74 [bridge]\n[  348.530014]  [\u003cf843a23b\u003e] ? deliver_clone+0x3b/0x3b [bridge]\n[  348.530014]  [\u003cf843a714\u003e] __br_forward+0x89/0xe7 [bridge]\n[  348.530014]  [\u003cf843a336\u003e] ? br_dev_queue_push_xmit+0xfb/0xfb [bridge]\n[  348.530014]  [\u003cf843a234\u003e] deliver_clone+0x34/0x3b [bridge]\n[  348.530014]  [\u003cf843a68b\u003e] ? br_flood+0x95/0x95 [bridge]\n[  348.530014]  [\u003cf843a66d\u003e] br_flood+0x77/0x95 [bridge]\n[  348.530014]  [\u003cf843a809\u003e] br_flood_forward+0x13/0x1a [bridge]\n[  348.530014]  [\u003cf843a68b\u003e] ? br_flood+0x95/0x95 [bridge]\n[  348.530014]  [\u003cf843b877\u003e] br_handle_frame_finish+0x392/0x3db [bridge]\n[  348.530014]  [\u003cc04e9b2b\u003e] ? nf_iterate+0x2b/0x6b\n[  348.530014]  [\u003cf843baa6\u003e] br_handle_frame+0x1e6/0x240 [bridge]\n[  348.530014]  [\u003cf843b4e5\u003e] ? br_handle_local_finish+0x6a/0x6a [bridge]\n[  348.530014]  [\u003cc04c4ba0\u003e] __netif_receive_skb_core+0x43a/0x66b\n[  348.530014]  [\u003cf843b8c0\u003e] ? br_handle_frame_finish+0x3db/0x3db [bridge]\n[  348.530014]  [\u003cc023cea4\u003e] ? resched_curr+0x19/0x37\n[  348.530014]  [\u003cc0240707\u003e] ? check_preempt_wakeup+0xbf/0xfe\n[  348.530014]  [\u003cc0255dec\u003e] ? ktime_get_with_offset+0x5c/0xfc\n[  348.530014]  [\u003cc04c4fc1\u003e] __netif_receive_skb+0x47/0x55\n[  348.530014]  [\u003cc04c57ba\u003e] netif_receive_skb_internal+0x40/0x5a\n[  348.530014]  [\u003cc04c61ef\u003e] napi_gro_receive+0x3a/0x94\n[  348.530014]  [\u003cf80ce8d5\u003e] igb_poll+0x6fd/0x9ad [igb]\n[  348.530014]  [\u003cc0242bd8\u003e] ? swake_up_locked+0x14/0x26\n[  348.530014]  [\u003cc04c5d29\u003e] net_rx_action+0xde/0x250\n[  348.530014]  [\u003cc022a743\u003e] __do_softirq+0x8a/0x163\n[  348.530014]  [\u003cc022a6b9\u003e] ? __hrtimer_tasklet_trampoline+0x19/0x19\n[  348.530014]  [\u003cc021100f\u003e] do_softirq_own_stack+0x26/0x2c\n[  348.530014]  \u003cIRQ\u003e\n[  348.530014]  [\u003cc022a957\u003e] irq_exit+0x31/0x6f\n[  348.530014]  [\u003cc0210eb2\u003e] do_IRQ+0x8d/0xa0\n[  348.530014]  [\u003cc058152c\u003e] common_interrupt+0x2c/0x40\n[  348.530014] Code: e7 8c 00 66 81 ff 88 00 75 12 85 d2 75 0e b2 c3 b8 83 e9 29 f9 e8 a7 5f f9 c6 eb 74 66 81 e3 8c 005\n[  348.530014] EIP: [\u003cf929245d\u003e] ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211] SS:ESP 0068:f6409a40\n[  348.530014] CR2: 0000000000020040\n[  348.530014] ---[ end trace 48556ac26779732e ]---\n[  348.530014] Kernel panic - not syncing: Fatal exception in interrupt\n[  348.530014] Kernel Offset: disabled\n\nCc: stable@vger.kernel.org\nReported-by: Fred Veldini \u003cfred.veldini@gmail.com\u003e\nTested-by: Fred Veldini \u003cfred.veldini@gmail.com\u003e\nSigned-off-by: Bob Copeland \u003cme@bobcopeland.com\u003e\nSigned-off-by: Johannes Berg \u003cjohannes.berg@intel.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nscsi: Add QEMU CD-ROM to VPD Inquiry Blacklist\n\n[ Upstream commit fbd83006e3e536fcb103228d2422ea63129ccb03 ]\n\nLinux fails to boot as a guest with a QEMU CD-ROM:\n\n[    4.439488] ata2.00: ATAPI: QEMU CD-ROM, 0.8.2, max UDMA/100\n[    4.443649] ata2.00: configured for MWDMA2\n[    4.450267] scsi 1:0:0:0: CD-ROM            QEMU     QEMU CD-ROM      0.8. PQ: 0 ANSI: 5\n[    4.464317] ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen\n[    4.464319] ata2.00: BMDMA stat 0x5\n[    4.464339] ata2.00: cmd a0/01:00:00:00:01/00:00:00:00:00/a0 tag 0 dma 16640 in\n[    4.464339]          Inquiry 12 01 00 00 ff 00res 48/20:02:00:24:00/00:00:00:00:00/a0 Emask 0x2 (HSM violation)\n[    4.464341] ata2.00: status: { DRDY DRQ }\n[    4.465864] ata2: soft resetting link\n[    4.625971] ata2.00: configured for MWDMA2\n[    4.628290] ata2: EH complete\n[    4.646670] ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen\n[    4.646671] ata2.00: BMDMA stat 0x5\n[    4.646683] ata2.00: cmd a0/01:00:00:00:01/00:00:00:00:00/a0 tag 0 dma 16640 in\n[    4.646683]          Inquiry 12 01 00 00 ff 00res 48/20:02:00:24:00/00:00:00:00:00/a0 Emask 0x2 (HSM violation)\n[    4.646685] ata2.00: status: { DRDY DRQ }\n[    4.648193] ata2: soft resetting link\n\n...\n\nFix this by suppressing VPD inquiry for this device.\n\nSigned-off-by: Ewan D. Milne \u003cemilne@redhat.com\u003e\nReported-by: Jan Stancek \u003cjstancek@redhat.com\u003e\nTested-by: Jan Stancek \u003cjstancek@redhat.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nReviewed-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/fb-helper: Propagate errors from initial config failure\n\n[ Upstream commit 01934c2a691882185b3021d437df13bcba07711d ]\n\nMake drm_fb_helper_initial_config() return an int rather than a bool so\nthat the error can be properly propagated. While at it, update drivers\nto propagate errors further rather than just ignore them.\n\nv2:\n- cirrus: No cleanup is required, the top-level cirrus_driver_load()\n  will do it as part of cirrus_driver_unload() in its cleanup path.\n  Reported-by: Fengguang Wu \u003cfengguang.wu@intel.com\u003e\n\nCc: David Airlie \u003cairlied@linux.ie\u003e\nCc: Daniel Vetter \u003cdaniel.vetter@ffwll.ch\u003e\nCc: Patrik Jakobsson \u003cpatrik.r.jakobsson@gmail.com\u003e\nCc: Rob Clark \u003crobdclark@gmail.com\u003e\nCc: Tomi Valkeinen \u003ctomi.valkeinen@ti.com\u003e\nCc: Alex Deucher \u003calexander.deucher@amd.com\u003e\nCc: Christian König \u003cchristian.koenig@amd.com\u003e\nCc: Ben Skeggs \u003cbskeggs@redhat.com\u003e\nSigned-off-by: Thierry Reding \u003ctreding@nvidia.com\u003e\nReviewed-by: Alex Deucher \u003calexander.deucher@amd.com\u003e\nReviewed-by: Patrik Jakobsson \u003cpatrik.r.jakobsson@gmail.com\u003e\nReviewed-by: Christian König \u003cchristian.koenig@amd.com\u003e\n[danvet: Squash in simplification patch from kbuild.]\nSigned-off-by: Daniel Vetter \u003cdaniel.vetter@ffwll.ch\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/nouveau/fbcon: fix out-of-bounds memory accesses\n\n[ Upstream commit f045f459d925138fe7d6193a8c86406bda7e49da ]\n\nReported by KASAN.\n\nSigned-off-by: Ben Skeggs \u003cbskeggs@redhat.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nARM: fix PTRACE_SETVFPREGS on SMP systems\n\n[ Upstream commit e2dfb4b880146bfd4b6aa8e138c0205407cebbaf ]\n\nPTRACE_SETVFPREGS fails to properly mark the VFP register set to be\nreloaded, because it undoes one of the effects of vfp_flush_hwstate().\n\nSpecifically vfp_flush_hwstate() sets thread-\u003evfpstate.hard.cpu to\nan invalid CPU number, but vfp_set() overwrites this with the original\nCPU number, thereby rendering the hardware state as apparently \"valid\",\neven though the software state is more recent.\n\nFix this by reverting the previous change.\n\nCc: \u003cstable@vger.kernel.org\u003e\nFixes: 8130b9d7b9d8 (\"ARM: 7308/1: vfp: flush thread hwstate before copying ptrace registers\")\nAcked-by: Will Deacon \u003cwill.deacon@arm.com\u003e\nTested-by: Simon Marchi \u003csimon.marchi@ericsson.com\u003e\nSigned-off-by: Russell King \u003crmk+kernel@armlinux.org.uk\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nKVM: irqfd: fix NULL pointer dereference in kvm_irq_map_gsi\n\n[ Upstream commit c622a3c21ede892e370b56e1ceb9eb28f8bbda6b ]\n\nFound by syzkaller:\n\n    BUG: unable to handle kernel NULL pointer dereference at 0000000000000120\n    IP: [\u003cffffffffa0797202\u003e] kvm_irq_map_gsi+0x12/0x90 [kvm]\n    PGD 6f80b067 PUD b6535067 PMD 0\n    Oops: 0000 [#1] SMP\n    CPU: 3 PID: 4988 Comm: a.out Not tainted 4.4.9-300.fc23.x86_64 #1\n    [...]\n    Call Trace:\n     [\u003cffffffffa0795f62\u003e] irqfd_update+0x32/0xc0 [kvm]\n     [\u003cffffffffa0796c7c\u003e] kvm_irqfd+0x3dc/0x5b0 [kvm]\n     [\u003cffffffffa07943f4\u003e] kvm_vm_ioctl+0x164/0x6f0 [kvm]\n     [\u003cffffffff81241648\u003e] do_vfs_ioctl+0x298/0x480\n     [\u003cffffffff812418a9\u003e] SyS_ioctl+0x79/0x90\n     [\u003cffffffff817a1062\u003e] tracesys_phase2+0x84/0x89\n    Code: b5 71 a7 e0 5b 41 5c 41 5d 5d f3 c3 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 8b 8f 10 2e 00 00 31 c0 48 89 e5 \u003c39\u003e 91 20 01 00 00 76 6a 48 63 d2 48 8b 94 d1 28 01 00 00 48 85\n    RIP  [\u003cffffffffa0797202\u003e] kvm_irq_map_gsi+0x12/0x90 [kvm]\n     RSP \u003cffff8800926cbca8\u003e\n    CR2: 0000000000000120\n\nTestcase:\n\n    #include \u003cunistd.h\u003e\n    #include \u003csys/syscall.h\u003e\n    #include \u003cstring.h\u003e\n    #include \u003cstdint.h\u003e\n    #include \u003clinux/kvm.h\u003e\n    #include \u003cfcntl.h\u003e\n    #include \u003csys/ioctl.h\u003e\n\n    long r[26];\n\n    int main()\n    {\n        memset(r, -1, sizeof(r));\n        r[2] \u003d open(\"/dev/kvm\", 0);\n        r[3] \u003d ioctl(r[2], KVM_CREATE_VM, 0);\n\n        struct kvm_irqfd ifd;\n        ifd.fd \u003d syscall(SYS_eventfd2, 5, 0);\n        ifd.gsi \u003d 3;\n        ifd.flags \u003d 2;\n        ifd.resamplefd \u003d ifd.fd;\n        r[25] \u003d ioctl(r[3], KVM_IRQFD, \u0026ifd);\n        return 0;\n    }\n\nReported-by: Dmitry Vyukov \u003cdvyukov@google.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\nSigned-off-by: Radim Krčmář \u003crkrcmar@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nKVM: x86: fix OOPS after invalid KVM_SET_DEBUGREGS\n\n[ Upstream commit d14bdb553f9196169f003058ae1cdabe514470e6 ]\n\nMOV to DR6 or DR7 causes a #GP if an attempt is made to write a 1 to\nany of bits 63:32.  However, this is not detected at KVM_SET_DEBUGREGS\ntime, and the next KVM_RUN oopses:\n\n   general protection fault: 0000 [#1] SMP\n   CPU: 2 PID: 14987 Comm: a.out Not tainted 4.4.9-300.fc23.x86_64 #1\n   Hardware name: LENOVO 2325F51/2325F51, BIOS G2ET32WW (1.12 ) 05/30/2012\n   [...]\n   Call Trace:\n    [\u003cffffffffa072c93d\u003e] kvm_arch_vcpu_ioctl_run+0x141d/0x14e0 [kvm]\n    [\u003cffffffffa071405d\u003e] kvm_vcpu_ioctl+0x33d/0x620 [kvm]\n    [\u003cffffffff81241648\u003e] do_vfs_ioctl+0x298/0x480\n    [\u003cffffffff812418a9\u003e] SyS_ioctl+0x79/0x90\n    [\u003cffffffff817a0f2e\u003e] entry_SYSCALL_64_fastpath+0x12/0x71\n   Code: 55 83 ff 07 48 89 e5 77 27 89 ff ff 24 fd 90 87 80 81 0f 23 fe 5d c3 0f 23 c6 5d c3 0f 23 ce 5d c3 0f 23 d6 5d c3 0f 23 de 5d c3 \u003c0f\u003e 23 f6 5d c3 0f 0b 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00\n   RIP  [\u003cffffffff810639eb\u003e] native_set_debugreg+0x2b/0x40\n    RSP \u003cffff88005836bd50\u003e\n\nTestcase (beautified/reduced from syzkaller output):\n\n    #include \u003cunistd.h\u003e\n    #include \u003csys/syscall.h\u003e\n    #include \u003cstring.h\u003e\n    #include \u003cstdint.h\u003e\n    #include \u003clinux/kvm.h\u003e\n    #include \u003cfcntl.h\u003e\n    #include \u003csys/ioctl.h\u003e\n\n    long r[8];\n\n    int main()\n    {\n        struct kvm_debugregs dr \u003d { 0 };\n\n        r[2] \u003d open(\"/dev/kvm\", O_RDONLY);\n        r[3] \u003d ioctl(r[2], KVM_CREATE_VM, 0);\n        r[4] \u003d ioctl(r[3], KVM_CREATE_VCPU, 7);\n\n        memcpy(\u0026dr,\n               \"\\x5d\\x6a\\x6b\\xe8\\x57\\x3b\\x4b\\x7e\\xcf\\x0d\\xa1\\x72\"\n               \"\\xa3\\x4a\\x29\\x0c\\xfc\\x6d\\x44\\x00\\xa7\\x52\\xc7\\xd8\"\n               \"\\x00\\xdb\\x89\\x9d\\x78\\xb5\\x54\\x6b\\x6b\\x13\\x1c\\xe9\"\n               \"\\x5e\\xd3\\x0e\\x40\\x6f\\xb4\\x66\\xf7\\x5b\\xe3\\x36\\xcb\",\n               48);\n        r[7] \u003d ioctl(r[4], KVM_SET_DEBUGREGS, \u0026dr);\n        r[6] \u003d ioctl(r[4], KVM_RUN, 0);\n    }\n\nReported-by: Dmitry Vyukov \u003cdvyukov@google.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\nSigned-off-by: Radim Krčmář \u003crkrcmar@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\narm64: GICv3: introduce symbolic names for GICv3 ICC_SGI1R_EL1 fields\n\n[ Upstream commit 7e5802781c3e109558ddfd8b02155ad24d872ee7 ]\n\nThe gic_send_sgi() function used hardcoded bit shift values to\ngenerate the ICC_SGI1R_EL1 register value.\nReplace this with symbolic names to allow reusing them later.\n\nSigned-off-by: Andre Przywara \u003candre.przywara@arm.com\u003e\nReviewed-by: Christoffer Dall \u003cchristoffer.dall@linaro.org\u003e\nSigned-off-by: Christoffer Dall \u003cchristoffer.dall@linaro.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nirqchip/gic-v3: Fix ICC_SGI1R_EL1.INTID decoding mask\n\n[ Upstream commit dd5f1b049dc139876801db3cdd0f20d21fd428cc ]\n\nThe INTID mask is wrong, and is made a signed value, which has\nnteresting effects in the KVM emulation. Let\u0027s sanitize it.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \u003cmarc.zyngier@arm.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nlocking/ww_mutex: Report recursive ww_mutex locking early\n\n[ Upstream commit 0422e83d84ae24b933e4b0d4c1e0f0b4ae8a0a3b ]\n\nRecursive locking for ww_mutexes was originally conceived as an\nexception. However, it is heavily used by the DRM atomic modesetting\ncode. Currently, the recursive deadlock is checked after we have queued\nup for a busy-spin and as we never release the lock, we spin until\nkicked, whereupon the deadlock is discovered and reported.\n\nA simple solution for the now common problem is to move the recursive\ndeadlock discovery to the first action when taking the ww_mutex.\n\nSuggested-by: Maarten Lankhorst \u003cmaarten.lankhorst@linux.intel.com\u003e\nSigned-off-by: Chris Wilson \u003cchris@chris-wilson.co.uk\u003e\nSigned-off-by: Peter Zijlstra (Intel) \u003cpeterz@infradead.org\u003e\nReviewed-by: Maarten Lankhorst \u003cmaarten.lankhorst@linux.intel.com\u003e\nCc: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: stable@vger.kernel.org\nLink: http://lkml.kernel.org/r/1464293297-19777-1-git-send-email-chris@chris-wilson.co.uk\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nALSA: hda - Fix headset mic detection problem for Dell machine\n\n[ Upstream commit f90d83b301701026b2e4c437a3613f377f63290e ]\n\nAdd the pin configuration value of this machine into the pin_quirk\ntable to make DELL1_MIC_NO_PRESENCE apply to this machine.\n\nSigned-off-by: AceLan Kao \u003cacelan.kao@canonical.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nof: irq: fix of_irq_get[_byname]() kernel-doc\n\n[ Upstream commit 3993546646baf1dab5f5c4f7d9bb58f2046fd1c1 ]\n\nThe kernel-doc for the of_irq_get[_byname]()  is clearly inadequate in\ndescribing the return values -- of_irq_get_byname() is documented better\nthan of_irq_get() but it  still doesn\u0027t mention that 0 is returned iff\nirq_create_of_mapping() fails (it doesn\u0027t return an error code in this\ncase). Document all possible return value variants, making the writing\nof the word \"IRQ\" consistent, while at it...\n\nFixes: 9ec36cafe43b (\"of/irq: do irq resolution in platform_get_irq\")\nFixes: ad69674e73a1 (\"of/irq: do irq resolution in platform_get_irq_byname()\")\nSigned-off-by: Sergei Shtylyov \u003csergei.shtylyov@cogentembedded.com\u003e\nCC: stable@vger.kernel.org\nSigned-off-by: Rob Herring \u003crobh@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nparisc: Fix pagefault crash in unaligned __get_user() call\n\n[ Upstream commit 8b78f260887df532da529f225c49195d18fef36b ]\n\nOne of the debian buildd servers had this crash in the syslog without\nany other information:\n\n Unaligned handler failed, ret \u003d -2\n clock_adjtime (pid 22578): Unaligned data reference (code 28)\n CPU: 1 PID: 22578 Comm: clock_adjtime Tainted: G  E  4.5.0-2-parisc64-smp #1 Debian 4.5.4-1\n task: 000000007d9960f8 ti: 00000001bde7c000 task.ti: 00000001bde7c000\n\n      YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI\n PSW: 00001000000001001111100000001111 Tainted: G            E\n r00-03  000000ff0804f80f 00000001bde7c2b0 00000000402d2be8 00000001bde7c2b0\n r04-07  00000000409e1fd0 00000000fa6f7fff 00000001bde7c148 00000000fa6f7fff\n r08-11  0000000000000000 00000000ffffffff 00000000fac9bb7b 000000000002b4d4\n r12-15  000000000015241c 000000000015242c 000000000000002d 00000000fac9bb7b\n r16-19  0000000000028800 0000000000000001 0000000000000070 00000001bde7c218\n r20-23  0000000000000000 00000001bde7c210 0000000000000002 0000000000000000\n r24-27  0000000000000000 0000000000000000 00000001bde7c148 00000000409e1fd0\n r28-31  0000000000000001 00000001bde7c320 00000001bde7c350 00000001bde7c218\n sr00-03  0000000001200000 0000000001200000 0000000000000000 0000000001200000\n sr04-07  0000000000000000 0000000000000000 0000000000000000 0000000000000000\n\n IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000402d2e84 00000000402d2e88\n  IIR: 0ca0d089    ISR: 0000000001200000  IOR: 00000000fa6f7fff\n  CPU:        1   CR30: 00000001bde7c000 CR31: ffffffffffffffff\n  ORIG_R28: 00000002369fe628\n  IAOQ[0]: compat_get_timex+0x2dc/0x3c0\n  IAOQ[1]: compat_get_timex+0x2e0/0x3c0\n  RP(r2): compat_get_timex+0x40/0x3c0\n Backtrace:\n  [\u003c00000000402d4608\u003e] compat_SyS_clock_adjtime+0x40/0xc0\n  [\u003c0000000040205024\u003e] syscall_exit+0x0/0x14\n\nThis means the userspace program clock_adjtime called the clock_adjtime()\nsyscall and then crashed inside the compat_get_timex() function.\nSyscalls should never crash programs, but instead return EFAULT.\n\nThe IIR register contains the executed instruction, which disassebles\ninto \"ldw 0(sr3,r5),r9\".\nThis load-word instruction is part of __get_user() which tried to read the word\nat %r5/IOR (0xfa6f7fff). This means the unaligned handler jumped in.  The\nunaligned handler is able to emulate all ldw instructions, but it fails if it\nfails to read the source e.g. because of page fault.\n\nThe following program reproduces the problem:\n\nint main(void) {\n        /* allocate 8k */\n        char *ptr \u003d mmap(NULL, 2*4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);\n        /* free second half (upper 4k) and make it invalid. */\n        munmap(ptr+4096, 4096);\n        /* syscall where first int is unaligned and clobbers into invalid memory region */\n        /* syscall should return EFAULT */\n        return syscall(__NR_clock_adjtime, 0, ptr+4095);\n}\n\nTo fix this issue we simply need to check if the faulting instruction address\nis in the exception fixup table when the unaligned handler failed. If it\nis, call the fixup routine instead of crashing.\n\nWhile looking at the unaligned handler I found another issue as well: The\ntarget register should not be modified if the handler was unsuccessful.\n\nSigned-off-by: Helge Deller \u003cdeller@gmx.de\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmnt: If fs_fully_visible fails call put_filesystem.\n\n[ Upstream commit 97c1df3e54e811aed484a036a798b4b25d002ecf ]\n\nAdd this trivial missing error handling.\n\nCc: stable@vger.kernel.org\nFixes: 1b852bceb0d1 (\"mnt: Refactor the logic for mounting sysfs and proc in a user namespace\")\nSigned-off-by: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmnt: fs_fully_visible test the proper mount for MNT_LOCKED\n\n[ Upstream commit d71ed6c930ac7d8f88f3cef6624a7e826392d61f ]\n\nMNT_LOCKED implies on a child mount implies the child is locked to the\nparent.  So while looping through the children the children should be\ntested (not their parent).\n\nTypically an unshare of a mount namespace locks all mounts together\nmaking both the parent and the slave as locked but there are a few\ncorner cases where other things work.\n\nCc: stable@vger.kernel.org\nFixes: ceeb0e5d39fc (\"vfs: Ignore unlocked mounts in fs_fully_visible\")\nReported-by: Seth Forshee \u003cseth.forshee@canonical.com\u003e\nSigned-off-by: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nx86, build: copy ldlinux.c32 to image.iso\n\n[ Upstream commit 9c77679cadb118c0aa99e6f88533d91765a131ba ]\n\nFor newer versions of Syslinux, we need ldlinux.c32 in addition to\nisolinux.bin to reside on the boot disk, so if the latter is found,\ncopy it, too, to the isoimage tree.\n\nSigned-off-by: H. Peter Anvin \u003chpa@zytor.com\u003e\nCc: Linux Stable Tree \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nof: fix autoloading due to broken modalias with no \u0027compatible\u0027\n\n[ Upstream commit b3c0a4dab7e35a9b6d69c0415641d2280fdefb2b ]\n\nBecause of an improper dereference, a stray \u0027C\u0027 character was output to\nthe modalias when no \u0027compatible\u0027 was specified. This is the case for\nsome old PowerMac drivers which only set the \u0027name\u0027 property. Fix it to\nlet them match again.\n\nReported-by: Mathieu Malaterre \u003cmalat@debian.org\u003e\nSigned-off-by: Wolfram Sang \u003cwsa@the-dreams.de\u003e\nTested-by: Mathieu Malaterre \u003cmalat@debian.org\u003e\nCc: Philipp Zabel \u003cp.zabel@pengutronix.de\u003e\nCc: Andreas Schwab \u003cschwab@linux-m68k.org\u003e\nFixes: 6543becf26fff6 (\"mod/file2alias: make modalias generation safe for cross compiling\")\nCc: stable@vger.kernel.org # v3.9+\nSigned-off-by: Michael Ellerman \u003cmpe@ellerman.id.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ncpufreq: intel_pstate: Fix -\u003eset_policy() interface for no_turbo\n\n[ Upstream commit 983e600e88835f0321d1a0ea06f52d48b7b5a544 ]\n\nWhen turbo is disabled, the -\u003eset_policy() interface is broken.\n\nFor example, when turbo is disabled and cpuinfo.max \u003d 2900000 (full\nmax turbo frequency), setting the limits results in frequency less\nthan the requested one:\nSet 1000000 KHz results in 0700000 KHz\nSet 1500000 KHz results in 1100000 KHz\nSet 2000000 KHz results in  1500000 KHz\n\nThis is because the limits-\u003emax_perf fraction is calculated using\nthe max turbo frequency as the reference, but when the max P-State is\ncapped in intel_pstate_get_min_max(), the reference is not the max\nturbo P-State. This results in reducing max P-State.\n\nOne option is to always use max turbo as reference for calculating\nlimits. But this will not be correct. By definition the intel_pstate\nsysfs limits, shows percentage of available performance. So when\nBIOS has disabled turbo, the available performance is max non turbo.\nSo the max_perf_pct should still show 100%.\n\nSigned-off-by: Srinivas Pandruvada \u003csrinivas.pandruvada@linux.intel.com\u003e\n[ rjw : Subject \u0026 changelog, rewrite in fewer lines of code ]\nCc: All applicable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Rafael J. Wysocki \u003crafael.j.wysocki@intel.com\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nfix d_walk()/non-delayed __d_free() race\n\n[ Upstream commit 3d56c25e3bb0726a5c5e16fc2d9e38f8ed763085 ]\n\nAscend-to-parent logics in d_walk() depends on all encountered child\ndentries not getting freed without an RCU delay.  Unfortunately, in\nquite a few cases it is not true, with hard-to-hit oopsable race as\nthe result.\n\nFortunately, the fix is simiple; right now the rule is \"if it ever\nbeen hashed, freeing must be delayed\" and changing it to \"if it\never had a parent, freeing must be delayed\" closes that hole and\ncovers all cases the old rule used to cover.  Moreover, pipes and\nsockets remain _not_ covered, so we do not introduce RCU delay in\nthe cases which are the reason for having that delay conditional\nin the first place.\n\nCc: stable@vger.kernel.org # v3.2+ (and watch out for __d_materialise_dentry())\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ngpiolib: Fix NULL pointer deference\n\n[ Upstream commit 11f33a6d15bfa397867ac0d7f3481b6dd683286f ]\n\nUnder some circumstances, a gpiochip might be half cleaned from the\ngpio_device list.\n\nThis patch makes sure that the chip pointer is still valid, before\ncalling the match function.\n\n[  104.088296] BUG: unable to handle kernel NULL pointer dereference at\n0000000000000090\n[  104.089772] IP: [\u003cffffffff813d2045\u003e] of_gpiochip_find_and_xlate+0x15/0x80\n[  104.128273] Call Trace:\n[  104.129802]  [\u003cffffffff813d2030\u003e] ? of_parse_own_gpio+0x1f0/0x1f0\n[  104.131353]  [\u003cffffffff813cd910\u003e] gpiochip_find+0x60/0x90\n[  104.132868]  [\u003cffffffff813d21ba\u003e] of_get_named_gpiod_flags+0x9a/0x120\n...\n[  104.141586]  [\u003cffffffff8163d12b\u003e] gpio_led_probe+0x11b/0x360\n\nCc: stable@vger.kernel.org\nSigned-off-by: Ricardo Ribalda Delgado \u003cricardo.ribalda@gmail.com\u003e\nSigned-off-by: Linus Walleij \u003clinus.walleij@linaro.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ngpio: bcm-kona: fix bcm_kona_gpio_reset() warnings\n\n[ Upstream commit b66b2a0adf0e48973b582e055758b9907a7eee7c ]\n\nThe bcm_kona_gpio_reset() calls bcm_kona_gpio_write_lock_regs()\nwith what looks like the wrong parameter. The write_lock_regs\nfunction takes a pointer to the registers, not the bcm_kona_gpio\nstructure.\n\nFix the warning, and probably bug by changing the function to\npass reg_base instead of kona_gpio, fixing the following warning:\n\ndrivers/gpio/gpio-bcm-kona.c:550:47: warning: incorrect type in argument 1\n  (different address spaces)\n  expected void [noderef] \u003casn:2\u003e*reg_base\n  got struct bcm_kona_gpio *kona_gpio\n  warning: incorrect type in argument 1 (different address spaces)\n  expected void [noderef] \u003casn:2\u003e*reg_base\n  got struct bcm_kona_gpio *kona_gpio\n\nCc: stable@vger.kernel.org\nSigned-off-by: Ben Dooks \u003cben.dooks@codethink.co.uk\u003e\nAcked-by: Ray Jui \u003cray.jui@broadcom.com\u003e\nReviewed-by: Markus Mayer \u003cmmayer@broadcom.com\u003e\nSigned-off-by: Linus Walleij \u003clinus.walleij@linaro.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nwext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel\n\n[ Upstream commit 3d5fdff46c4b2b9534fa2f9fc78e90a48e0ff724 ]\n\niwpriv app uses iw_point structure to send data to Kernel. The iw_point\nstructure holds a pointer. For compatibility Kernel converts the pointer\nas required for WEXT IOCTLs (SIOCIWFIRST to SIOCIWLAST). Some drivers\nmay use iw_handler_def.private_args to populate iwpriv commands instead\nof iw_handler_def.private. For those case, the IOCTLs from\nSIOCIWFIRSTPRIV to SIOCIWLASTPRIV will follow the path ndo_do_ioctl().\nAccordingly when the filled up iw_point structure comes from 32 bit\niwpriv to 64 bit Kernel, Kernel will not convert the pointer and sends\nit to driver. So, the driver may get the invalid data.\n\nThe pointer conversion for the IOCTLs (SIOCIWFIRSTPRIV to\nSIOCIWLASTPRIV), which follow the path ndo_do_ioctl(), is mandatory.\nThis patch adds pointer conversion from 32 bit to 64 bit and vice versa,\nif the ioctl comes from 32 bit iwpriv to 64 bit Kernel.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Prasun Maiti \u003cprasunmaiti87@gmail.com\u003e\nSigned-off-by: Ujjal Roy \u003croyujjal@gmail.com\u003e\nTested-by: Dibyajyoti Ghosh \u003cdibyajyotig@gmail.com\u003e\nSigned-off-by: Johannes Berg \u003cjohannes.berg@intel.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\necryptfs: forbid opening files without mmap handler\n\n[ Upstream commit 2f36db71009304b3f0b95afacd8eba1f9f046b87 ]\n\nThis prevents users from triggering a stack overflow through a recursive\ninvocation of pagefault handling that involves mapping procfs files into\nvirtual memory.\n\nSigned-off-by: Jann Horn \u003cjannh@google.com\u003e\nAcked-by: Tyler Hicks \u003ctyhicks@canonical.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nLinux 3.18.36\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nVFS: net/unix: d_backing_inode() annotations\n\n[ Upstream commit a25b376bded1ba7fd1d455e140d723b7de2e343c ]\n\nplaces where we are dealing with S_ISSOCK file creation/lookups.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nVFS: AF_UNIX sockets should call mknod on the top layer only\n\n[ Upstream commit ee8ac4d61c2cf43bdd427e70db97ac330e61570d ]\n\nAF_UNIX sockets should call mknod on the top layer only and should not attempt\nto modify the lower layer in a layered filesystem such as overlayfs.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nhope i fixed correctly not sure about-pjoenix591 conflict\naf_unix: Fix splice-bind deadlock\n\n[ Upstream commit c845acb324aa85a39650a14e7696982ceea75dc1 ]\n\nOn 2015/11/06, Dmitry Vyukov reported a deadlock involving the splice\nsystem call and AF_UNIX sockets,\n\nhttp://lists.openwall.net/netdev/2015/11/06/24\n\nThe situation was analyzed as\n\n(a while ago) A: socketpair()\nB: splice() from a pipe to /mnt/regular_file\n\tdoes sb_start_write() on /mnt\nC: try to freeze /mnt\n\twait for B to finish with /mnt\nA: bind() try to bind our socket to /mnt/new_socket_name\n\tlock our socket, see it not bound yet\n\tdecide that it needs to create something in /mnt\n\ttry to do sb_start_write() on /mnt, block (it\u0027s\n\twaiting for C).\nD: splice() from the same pipe to our socket\n\tlock the pipe, see that socket is connected\n\ttry to lock the socket, block waiting for A\nB:\tget around to actually feeding a chunk from\n\tpipe to file, try to lock the pipe.  Deadlock.\n\non 2015/11/10 by Al Viro,\n\nhttp://lists.openwall.net/netdev/2015/11/10/4\n\nThe patch fixes this by removing the kern_path_create related code from\nunix_mknod and executing it as part of unix_bind prior acquiring the\nreadlock of the socket in question. This means that A (as used above)\nwill sb_start_write on /mnt before it acquires the readlock, hence, it\nwon\u0027t indirectly block B which first did a sb_start_write and then\nwaited for a thread trying to acquire the readlock. Consequently, A\nbeing blocked by C waiting for B won\u0027t cause a deadlock anymore\n(effectively, both A and B acquire two locks in opposite order in the\nsituation described above).\n\nDmitry Vyukov(\u003cdvyukov@google.com\u003e) tested the original patch.\n\nSigned-off-by: Rainer Weikusat \u003crweikusat@mobileactivedefense.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ncgroup: remove redundant cleanup in css_create\n\n[ Upstream commit b00c52dae6d9ee8d0f2407118ef6544ae5524781 ]\n\nWhen create css failed, before call css_free_rcu_fn, we remove the css\nid and exit the percpu_ref, but we will do these again in\ncss_free_work_fn, so they are redundant.  Especially the css id, that\nwould cause problem if we remove it twice, since it may be assigned to\nanother css after the first remove.\n\ntj: This was broken by two commits updating the free path without\n    synchronizing the creation failure path.  This can be easily\n    triggered by trying to create more than 64k memory cgroups.\n\nSigned-off-by: Wenwei Tao \u003cww.tao0320@gmail.com\u003e\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nCc: Vladimir Davydov \u003cvdavydov@parallels.com\u003e\nFixes: 9a1049da9bd2 (\"percpu-refcount: require percpu_ref to be exited explicitly\")\nFixes: 01e586598b22 (\"cgroup: release css-\u003eid after css_free\")\nCc: stable@vger.kernel.org # v3.17+\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nusb: dwc3: exynos: Remove local variable for clock from probe\n\n[ Upstream commit c1a3acaadde7eb260f4fd4ec87cb87d3ffeed979 ]\n\nThere\u0027s no need to keep one local variable for clock, and\nthen assign the same to \u0027clk\u0027 member of dwc3_exynos.\nJust cleaning it up.\n\nSigned-off-by: Vivek Gautam \u003cgautam.vivek@samsung.com\u003e\nSigned-off-by: Felipe Balbi \u003cbalbi@ti.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nusb: dwc3: exynos: Fix deferred probing storm.\n\n[ Upstream commit 4879efb34f7d49235fac334d76d9c6a77a021413 ]\n\ndwc3-exynos has two problems during init if the regulators are slow\nto come up (for instance if the I2C bus driver is not on the initramfs)\nand return probe deferral. First, every time this happens, the driver\nleaks the USB phys created; they need to be deallocated on error.\n\nSecond, since the phy devices are created before the regulators fail,\nthis means that there\u0027s a new device to re-trigger deferred probing,\nwhich causes it to essentially go into a busy loop of re-probing the\ndevice until the regulators come up.\n\nMove the phy creation to after the regulators have succeeded, and also\nfix cleanup on failure. On my ODROID XU4 system (with Debian\u0027s initramfs\nwhich doesn\u0027t contain the I2C driver), this reduces the number of probe\nattempts (for each of the two controllers) from more than 2000 to eight.\n\nSigned-off-by: Steinar H. Gunderson \u003csesse@google.com\u003e\nReviewed-by: Krzysztof Kozlowski \u003ck.kozlowski@samsung.com\u003e\nReviewed-by: Vivek Gautam \u003cgautam.vivek@samsung.com\u003e\nFixes: d720f057fda4 (\"usb: dwc3: exynos: add nop transceiver support\")\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Felipe Balbi \u003cfelipe.balbi@linux.intel.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nusb: gadget: fix spinlock dead lock in gadgetfs\n\n[ Upstream commit d246dcb2331c5783743720e6510892eb1d2801d9 ]\n\n[   40.467381] \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n[   40.473013] [ INFO: possible recursive locking detected ]\n[   40.478651] 4.6.0-08691-g7f3db9a #37 Not tainted\n[   40.483466] ---------------------------------------------\n[   40.489098] usb/733 is trying to acquire lock:\n[   40.493734]  (\u0026(\u0026dev-\u003elock)-\u003erlock){-.....}, at: [\u003cbf129288\u003e] ep0_complete+0x18/0xdc [gadgetfs]\n[   40.502882]\n[   40.502882] but task is already holding lock:\n[   40.508967]  (\u0026(\u0026dev-\u003elock)-\u003erlock){-.....}, at: [\u003cbf12a420\u003e] ep0_read+0x20/0x5e0 [gadgetfs]\n[   40.517811]\n[   40.517811] other info that might help us debug this:\n[   40.524623]  Possible unsafe locking scenario:\n[   40.524623]\n[   40.530798]        CPU0\n[   40.533346]        ----\n[   40.535894]   lock(\u0026(\u0026dev-\u003elock)-\u003erlock);\n[   40.540088]   lock(\u0026(\u0026dev-\u003elock)-\u003erlock);\n[   40.544284]\n[   40.544284]  *** DEADLOCK ***\n[   40.544284]\n[   40.550461]  May be due to missing lock nesting notation\n[   40.550461]\n[   40.557544] 2 locks held by usb/733:\n[   40.561271]  #0:  (\u0026f-\u003ef_pos_lock){+.+.+.}, at: [\u003cc02a6114\u003e] __fdget_pos+0x40/0x48\n[   40.569219]  #1:  (\u0026(\u0026dev-\u003elock)-\u003erlock){-.....}, at: [\u003cbf12a420\u003e] ep0_read+0x20/0x5e0 [gadgetfs]\n[   40.578523]\n[   40.578523] stack backtrace:\n[   40.583075] CPU: 0 PID: 733 Comm: usb Not tainted 4.6.0-08691-g7f3db9a #37\n[   40.590246] Hardware name: Generic AM33XX (Flattened Device Tree)\n[   40.596625] [\u003cc010ffbc\u003e] (unwind_backtrace) from [\u003cc010c1bc\u003e] (show_stack+0x10/0x14)\n[   40.604718] [\u003cc010c1bc\u003e] (show_stack) from [\u003cc04207fc\u003e] (dump_stack+0xb0/0xe4)\n[   40.612267] [\u003cc04207fc\u003e] (dump_stack) from [\u003cc01886ec\u003e] (__lock_acquire+0xf68/0x1994)\n[   40.620440] [\u003cc01886ec\u003e] (__lock_acquire) from [\u003cc0189528\u003e] (lock_acquire+0xd8/0x238)\n[   40.628621] [\u003cc0189528\u003e] (lock_acquire) from [\u003cc06ad6b4\u003e] (_raw_spin_lock_irqsave+0x38/0x4c)\n[   40.637440] [\u003cc06ad6b4\u003e] (_raw_spin_lock_irqsave) from [\u003cbf129288\u003e] (ep0_complete+0x18/0xdc [gadgetfs])\n[   40.647339] [\u003cbf129288\u003e] (ep0_complete [gadgetfs]) from [\u003cbf10a728\u003e] (musb_g_giveback+0x118/0x1b0 [musb_hdrc])\n[   40.657842] [\u003cbf10a728\u003e] (musb_g_giveback [musb_hdrc]) from [\u003cbf108768\u003e] (musb_g_ep0_queue+0x16c/0x188 [musb_hdrc])\n[   40.668772] [\u003cbf108768\u003e] (musb_g_ep0_queue [musb_hdrc]) from [\u003cbf12a944\u003e] (ep0_read+0x544/0x5e0 [gadgetfs])\n[   40.678963] [\u003cbf12a944\u003e] (ep0_read [gadgetfs]) from [\u003cc0284470\u003e] (__vfs_read+0x20/0x110)\n[   40.687414] [\u003cc0284470\u003e] (__vfs_read) from [\u003cc0285324\u003e] (vfs_read+0x88/0x114)\n[   40.694864] [\u003cc0285324\u003e] (vfs_read) from [\u003cc0286150\u003e] (SyS_read+0x44/0x9c)\n[   40.702051] [\u003cc0286150\u003e] (SyS_read) from [\u003cc0107820\u003e] (ret_fast_syscall+0x0/0x1c)\n\nThis is caused by the spinlock bug in ep0_read().\nFix the two other deadlock sources in gadgetfs_setup() too.\n\nCc: \u003cstable@vger.kernel.org\u003e # v3.16+\nSigned-off-by: Bin Liu \u003cb-liu@ti.com\u003e\nSigned-off-by: Felipe Balbi \u003cfelipe.balbi@linux.intel.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nHID: elo: kill not flush the work\n\n[ Upstream commit ed596a4a88bd161f868ccba078557ee7ede8a6ef ]\n\nFlushing a work that reschedules itself is not a sensible operation. It needs\nto be killed. Failure to do so leads to a kernel panic in the timer code.\n\nCC: stable@vger.kernel.org\nSigned-off-by: Oliver Neukum \u003cONeukum@suse.com\u003e\nReviewed-by: Benjamin Tissoires \u003cbenjamin.tissoires@redhat.com\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.cz\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nxhci: Fix handling timeouted commands on hosts in weird states.\n\n[ Upstream commit 3425aa03f484d45dc21e0e791c2f6c74ea656421 ]\n\nIf commands timeout we mark them for abortion, then stop the command\nring, and turn the commands to no-ops and finally restart the command\nring.\n\nIf the host is working properly the no-op commands will finish and\npending completions are called.\nIf we notice the host is failing, driver clears the command ring and\ncompletes, deletes and frees all pending commands.\n\nThere are two separate cases reported where host is believed to work\nproperly but is not. In the first case we successfully stop the ring\nbut no abort or stop command ring event is ever sent and host locks up.\n\nThe second case is if a host is removed, command times out and driver\nbelieves the ring is stopped, and assumes it will be restarted, but\nactually ends up timing out on the same command forever.\nIf one of the pending commands has the xhci-\u003emutex held it will block\nxhci_stop() in the remove codepath which otherwise would cleanup pending\ncommands.\n\nAdd a check that clears all pending commands in case host is removed,\nor we are stuck timing out on the same command. Also restart the\ncommand timeout timer when stopping the command ring to ensure we\nrecive an ring stop/abort event.\n\nCc: stable \u003cstable@vger.kernel.org\u003e\nTested-by: Joe Lawrence \u003cjoe.lawrence@stratus.com\u003e\nSigned-off-by: Mathias Nyman \u003cmathias.nyman@linux.intel.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nusb: xhci-plat: properly handle probe deferral for devm_clk_get()\n\n[ Upstream commit de95c40d5beaa47f6dc8fe9ac4159b4672b51523 ]\n\nOn some platforms, the clocks might be registered by a platform\ndriver. When this is the case, the clock platform driver may very well\nbe probed after xhci-plat, in which case the first probe() invocation\nof xhci-plat will receive -EPROBE_DEFER as the return value of\ndevm_clk_get().\n\nThe current code handles that as a normal error, and simply assumes\nthat this means that the system doesn\u0027t have a clock for the XHCI\ncontroller, and continues probing without calling\nclk_prepare_enable(). Unfortunately, this doesn\u0027t work on systems\nwhere the XHCI controller does have a clock, but that clock is\nprovided by another platform driver. In order to fix this situation,\nwe handle the -EPROBE_DEFER error condition specially, and abort the\nXHCI controller probe(). It will be retried later automatically, the\nclock will be available, devm_clk_get() will succeed, and the probe()\nwill continue with the clock prepared and enabled as expected.\n\nIn practice, such issue is seen on the ARM64 Marvell 7K/8K platform,\nwhere the clocks are registered by a platform driver.\n\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Thomas Petazzoni \u003cthomas.petazzoni@free-electrons.com\u003e\nSigned-off-by: Mathias Nyman \u003cmathias.nyman@linux.intel.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nusb: quirks: Fix sorting\n\n[ Upstream commit 81099f97bd31e25ff2719a435b1860fc3876122f ]\n\nProperly sort all the entries by vendor id.\n\nSigned-off-by: Hans de Goede \u003chdegoede@redhat.com\u003e\nCc: stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nusb: quirks: Add no-lpm quirk for Acer C120 LED Projector\n\n[ Upstream commit 32cb0b37098f4beeff5ad9e325f11b42a6ede56c ]\n\nThe Acer C120 LED Projector is a USB-3 connected pico projector which\ntakes both its power and video data from USB-3.\n\nIn combination with some hubs this device does not play well with\nlpm, so disable lpm for it.\n\nSigned-off-by: Hans de Goede \u003chdegoede@redhat.com\u003e\nCc: stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUSB: xhci: Add broken streams quirk for Frescologic device id 1009\n\n[ Upstream commit d95815ba6a0f287213118c136e64d8c56daeaeab ]\n\nI got one of these cards for testing uas with, it seems that with streams\nit dma-s all over the place, corrupting memory. On my first tests it\nmanaged to dma over the BIOS of the motherboard somehow and completely\nbricked it.\n\nTests on another motherboard show that it does work with streams disabled.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Hans de Goede \u003chdegoede@redhat.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nusb: musb: Ensure rx reinit occurs for shared_fifo endpoints\n\n[ Upstream commit f3eec0cf784e0d6c47822ca6b66df3d5812af7e6 ]\n\nshared_fifo endpoints would only get a previous tx state cleared\nout, the rx state was only cleared for non shared_fifo endpoints\nChange this so that the rx state is cleared for all endpoints.\nThis addresses an issue that resulted in rx packets being dropped\nsilently.\n\nSigned-off-by: Andrew Goodbody \u003candrew.goodbody@cambrionix.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Bin Liu \u003cb-liu@ti.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nusb: musb: Stop bulk endpoint while queue is rotated\n\n[ Upstream commit 7b2c17f829545df27a910e8d82e133c21c9a8c9c ]\n\nEnsure that the endpoint is stopped by clearing REQPKT before\nclearing DATAERR_NAKTIMEOUT before rotating the queue on the\ndedicated bulk endpoint.\nThis addresses an issue where a race could result in the endpoint\nreceiving data before it was reprogrammed resulting in a warning\nabout such data from musb_rx_reinit before it was thrown away.\nThe data thrown away was a valid packet that had been correctly\nACKed which meant the host and device got out of sync.\n\nSigned-off-by: Andrew Goodbody \u003candrew.goodbody@cambrionix.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Bin Liu \u003cb-liu@ti.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nusb: host: ehci-tegra: Grab the correct UTMI pads reset\n\n[ Upstream commit f8a15a9650694feaa0dabf197b0c94d37cd3fb42 ]\n\nThere are three EHCI controllers on Tegra SoCs, each with its own reset\nline. However, the first controller contains a set of UTMI configuration\nregisters that are shared with its siblings. These registers will only\nbe reset as part of the first controller\u0027s reset. For proper operation\nit must be ensured that the UTMI configuration registers are reset\nbefore any of the EHCI controllers are enabled, irrespective of the\nprobe order.\n\nCommit a47cc24cd1e5 (\"USB: EHCI: tegra: Fix probe order issue leading to\nbroken USB\") introduced code that ensures the first controller is always\nreset before setting up any of the controllers, and is never again reset\nafterwards.\n\nThis code, however, grabs the wrong reset. Each EHCI controller has two\nreset controls attached: 1) the USB controller reset and 2) the UTMI\npads reset (really the first controller\u0027s reset). In order to reset the\nUTMI pads registers the code must grab the second reset, but instead it\ngrabbing the first.\n\nFixes: a47cc24cd1e5 (\"USB: EHCI: tegra: Fix probe order issue leading to broken USB\")\nAcked-by: Jon Hunter \u003cjonathanh@nvidia.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Thierry Reding \u003ctreding@nvidia.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nscsi: fix race between simultaneous decrements of -\u003ehost_failed\n\n[ Upstream commit 72d8c36ec364c82bf1bf0c64dfa1041cfaf139f7 ]\n\nsas_ata_strategy_handler() adds the works of the ata error handler to\nsystem_unbound_wq. This workqueue asynchronously runs work items, so the\nata error handler will be performed concurrently on different CPUs. In\nthis case, -\u003ehost_failed will be decreased simultaneously in\nscsi_eh_finish_cmd() on different CPUs, and become abnormal.\n\nIt will lead to permanently inequality between -\u003ehost_failed and\n-\u003ehost_busy, and scsi error handler thread won\u0027t start running. IO\nerrors after that won\u0027t be handled.\n\nSince all scmds must have been handled in the strategy handler, just\nremove the decrement in scsi_eh_finish_cmd() and zero -\u003ehost_busy after\nthe strategy handler to fix this race.\n\nFixes: 50824d6c5657 (\"[SCSI] libsas: async ata-eh\")\nCc: stable@vger.kernel.org\nSigned-off-by: Wei Fang \u003cfangwei1@huawei.com\u003e\nReviewed-by: James Bottomley \u003cjejb@linux.vnet.ibm.com\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nARM: 8578/1: mm: ensure pmd_present only checks the valid bit\n\n[ Upstream commit 624531886987f0f1b5d01fb598034d039198e090 ]\n\nIn a subsequent patch, pmd_mknotpresent will clear the valid bit of the\npmd entry, resulting in a not-present entry from the hardware\u0027s\nperspective. Unfortunately, pmd_present simply checks for a non-zero pmd\nvalue and will therefore continue to return true even after a\npmd_mknotpresent operation. Since pmd_mknotpresent is only used for\nmanaging huge entries, this is only an issue for the 3-level case.\n\nThis patch fixes the 3-level pmd_present implementation to take into\naccount the valid bit. For bisectability, the change is made before the\nfix to pmd_mknotpresent.\n\n[catalin.marinas@arm.com: comment update regarding pmd_mknotpresent patch]\n\nFixes: 8d9625070073 (\"ARM: mm: Transparent huge page support for LPAE systems.\")\nCc: \u003cstable@vger.kernel.org\u003e # 3.11+\nCc: Russell King \u003clinux@armlinux.org.uk\u003e\nCc: Steve Capper \u003cSteve.Capper@arm.com\u003e\nSigned-off-by: Will Deacon \u003cwill.deacon@arm.com\u003e\nSigned-off-by: Catalin Marinas \u003ccatalin.marinas@arm.com\u003e\nSigned-off-by: Russell King \u003crmk+kernel@arm.linux.org.uk\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nARM: 8579/1: mm: Fix definition of pmd_mknotpresent\n\n[ Upstream commit 56530f5d2ddc9b9fade7ef8db9cb886e9dc689b5 ]\n\nCurrently pmd_mknotpresent will use a zero entry to respresent an\ninvalidated pmd.\n\nUnfortunately this definition clashes with pmd_none, thus it is\npossible for a race condition to occur if zap_pmd_range sees pmd_none\nwhilst __split_huge_pmd_locked is running too with pmdp_invalidate\njust called.\n\nThis patch fixes the race condition by modifying pmd_mknotpresent to\ncreate non-zero faulting entries (as is done in other architectures),\nremoving the ambiguity with pmd_none.\n\n[catalin.marinas@arm.com: using L_PMD_SECT_VALID instead of PMD_TYPE_SECT]\n\nFixes: 8d9625070073 (\"ARM: mm: Transparent huge page support for LPAE systems.\")\nCc: \u003cstable@vger.kernel.org\u003e # 3.11+\nReported-by: Kirill A. Shutemov \u003ckirill.shutemov@linux.intel.com\u003e\nAcked-by: Will Deacon \u003cwill.deacon@arm.com\u003e\nCc: Russell King \u003clinux@armlinux.org.uk\u003e\nSigned-off-by: Steve Capper \u003csteve.capper@arm.com\u003e\nSigned-off-by: Catalin Marinas \u003ccatalin.marinas@arm.com\u003e\nSigned-off-by: Russell King \u003crmk+kernel@arm.linux.org.uk\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ncrypto: ux500 - memmove the right size\n\n[ Upstream commit 19ced623db2fe91604d69f7d86b03144c5107739 ]\n\nThe hash buffer is really HASH_BLOCK_SIZE bytes, someone\nmust have thought that memmove takes n*u32 words by mistake.\nTests work as good/bad as before after this patch.\n\nCc: Joakim Bech \u003cjoakim.bech@linaro.org\u003e\nCc: stable@vger.kernel.org\nReported-by: David Binderman \u003clinuxdev.baldrick@gmail.com\u003e\nSigned-off-by: Linus Walleij \u003clinus.walleij@linaro.org\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/radeon: fix asic initialization for virtualized environments\n\n[ Upstream commit 05082b8bbd1a0ffc74235449c4b8930a8c240f85 ]\n\nWhen executing in a PCI passthrough based virtuzliation environment, the\nhypervisor will usually attempt to send a PCIe bus reset signal to the\nASIC when the VM reboots. In this scenario, the card is not correctly\ninitialized, but we still consider it to be posted. Therefore, in a\npassthrough based environemnt we should always post the card to guarantee\nit is in a good state for driver initialization.\n\nPorted from amdgpu commit:\namdgpu: fix asic initialization for virtualized environments\n\nCc: Andres Rodriguez \u003candres.rodriguez@amd.com\u003e\nCc: Alex Williamson \u003calex.williamson@redhat.com\u003e\nSigned-off-by: Alex Deucher \u003calexander.deucher@amd.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nusb: common: otg-fsm: add license to usb-otg-fsm\n\n[ Upstream commit ea1d39a31d3b1b6060b6e83e5a29c069a124c68a ]\n\nFix warning about tainted kernel because usb-otg-fsm has no license.\nWARNING: with this patch usb-otg-fsm module can be loaded\nbut then the kernel will hang. Tested with a udoo quad board.\n\nCc: \u003cstable@vger.kernel.org\u003e #v4.1+\nSigned-off-by: Oscar \u003coscar@naiandei.net\u003e\nSigned-off-by: Peter Chen \u003cpeter.chen@nxp.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nMIPS: KVM: Fix modular KVM under QEMU\n\n[ Upstream commit 797179bc4fe06c89e47a9f36f886f68640b423f8 ]\n\nCopy __kvm_mips_vcpu_run() into unmapped memory, so that we can never\nget a TLB refill exception in it when KVM is built as a module.\n\nThis was observed to happen with the host MIPS kernel running under\nQEMU, due to a not entirely transparent optimisation in the QEMU TLB\nhandling where TLB entries replaced with TLBWR are copied to a separate\npart of the TLB array. Code in those pages continue to be executable,\nbut those mappings persist only until the next ASID switch, even if they\nare marked global.\n\nAn ASID switch happens in __kvm_mips_vcpu_run() at exception level after\nswitching to the guest exception base. Subsequent TLB mapped kernel\ninstructions just prior to switching to the guest trigger a TLB refill\nexception, which enters the guest exception handlers without updating\nEPC. This appears as a guest triggered TLB refill on a host kernel\nmapped (host KSeg2) address, which is not handled correctly as user\n(guest) mode accesses to kernel (host) segments always generate address\nerror exceptions.\n\nSigned-off-by: James Hogan \u003cjames.hogan@imgtec.com\u003e\nCc: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\nCc: Radim Krčmář \u003crkrcmar@redhat.com\u003e\nCc: Ralf Baechle \u003cralf@linux-mips.org\u003e\nCc: kvm@vger.kernel.org\nCc: linux-mips@linux-mips.org\nCc: \u003cstable@vger.kernel.org\u003e # 3.10.x-\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nspi: sun4i: fix FIFO limit\n\n[ Upstream commit 6d9fe44bd73d567d04d3a68a2d2fa521ab9532f2 ]\n\nWhen testing SPI without DMA I noticed that filling the FIFO on the\nspi controller causes timeout.\n\nAlways leave room for one byte in the FIFO.\n\nSigned-off-by: Michal Suchanek \u003chramrach@gmail.com\u003e\nAcked-by: Maxime Ripard \u003cmaxime.ripard@free-electrons.com\u003e\nSigned-off-by: Mark Brown \u003cbroonie@kernel.org\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nspi: sun4i: allow transfers to set transmission speed\n\n[ Upstream commit 47284e3e0f3c427c93f8583549b6c938e8a18015 ]\n\nAllow transfers to set the transmission speed rather than using the\ndevice max_speed_hz value. The SPI core makes sure that the speed_hz\nvalue is always set on the transfer.\n\nSigned-off-by: Marcus Weseloh \u003cmweseloh42@gmail.com\u003e\nSigned-off-by: Mark Brown \u003cbroonie@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nspi: sunxi: fix transfer timeout\n\n[ Upstream commit 719bd6542044efd9b338a53dba1bef45f40ca169 ]\n\nThe trasfer timeout is fixed at 1000 ms. Reading a 4Mbyte flash over\n1MHz SPI bus takes way longer than that. Calculate the timeout from the\nactual time the transfer is supposed to take and multiply by 2 for good\nmeasure.\n\nSigned-off-by: Michal Suchanek \u003chramrach@gmail.com\u003e\nAcked-by: Maxime Ripard \u003cmaxime.ripard@free-electrons.com\u003e\nSigned-off-by: Mark Brown \u003cbroonie@kernel.org\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nkprobes/x86: Clear TF bit in fault on single-stepping\n\n[ Upstream commit dcfc47248d3f7d28df6f531e6426b933de94370d ]\n\nFix kprobe_fault_handler() to clear the TF (trap flag) bit of\nthe flags register in the case of a fault fixup on single-stepping.\n\nIf we put a kprobe on the instruction which caused a\npage fault (e.g. actual mov instructions in copy_user_*),\nthat fault happens on the single-stepping buffer. In this\ncase, kprobes resets running instance so that the CPU can\nretry execution on the original ip address.\n\nHowever, current code forgets to reset the TF bit. Since this\nfault happens with TF bit set for enabling single-stepping,\nwhen it retries, it causes a debug exception and kprobes\ncan not handle it because it already reset itself.\n\nOn the most of x86-64 platform, it can be easily reproduced\nby using kprobe tracer. E.g.\n\n  # cd /sys/kernel/debug/tracing\n  # echo p copy_user_enhanced_fast_string+5 \u003e kprobe_events\n  # echo 1 \u003e events/kprobes/enable\n\nAnd you\u0027ll see a kernel panic on do_debug(), since the debug\ntrap is not handled by kprobes.\n\nTo fix this problem, we just need to clear the TF bit when\nresetting running kprobe.\n\nSigned-off-by: Masami Hiramatsu \u003cmhiramat@kernel.org\u003e\nReviewed-by: Ananth N Mavinakayanahalli \u003cananth@linux.vnet.ibm.com\u003e\nAcked-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nCc: Alexander Shishkin \u003calexander.shishkin@linux.intel.com\u003e\nCc: Andy Lutomirski \u003cluto@kernel.org\u003e\nCc: Arnaldo Carvalho de Melo \u003cacme@redhat.com\u003e\nCc: Borislav Petkov \u003cbp@alien8.de\u003e\nCc: Brian Gerst \u003cbrgerst@gmail.com\u003e\nCc: Denys Vlasenko \u003cdvlasenk@redhat.com\u003e\nCc: H. Peter Anvin \u003chpa@zytor.com\u003e\nCc: Jiri Olsa \u003cjolsa@redhat.com\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Stephane Eranian \u003ceranian@google.com\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Vince Weaver \u003cvincent.weaver@maine.edu\u003e\nCc: systemtap@sourceware.org\nCc: stable@vger.kernel.org # All the way back to ancient kernels\nLink: http://lkml.kernel.org/r/20160611140648.25885.37482.stgit@devbox\n[ Updated the comments. ]\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/i915/ilk: Don\u0027t disable SSC source if it\u0027s in use\n\n[ Upstream commit 476490a945e1f0f6bd58e303058d2d8ca93a974c ]\n\nThanks to Ville Syrjälä for pointing me towards the cause of this issue.\n\nUnfortunately one of the sideaffects of having the refclk for a DPLL set\nto SSC is that as long as it\u0027s set to SSC, the GPU will prevent us from\npowering down any of the pipes or transcoders using it. A couple of\nBIOSes enable SSC in both PCH_DREF_CONTROL and in the DPLL\nconfigurations. This causes issues on the first modeset, since we don\u0027t\nexpect SSC to be left on and as a result, can\u0027t successfully power down\nthe pipes or the transcoders using it. Here\u0027s an example from this Dell\nOptiPlex 990:\n\n[drm:intel_modeset_init] SSC enabled by BIOS, overriding VBT which says disabled\n[drm:intel_modeset_init] 2 display pipes available.\n[drm:intel_update_cdclk] Current CD clock rate: 400000 kHz\n[drm:intel_update_max_cdclk] Max CD clock rate: 400000 kHz\n[drm:intel_update_max_cdclk] Max dotclock rate: 360000 kHz\nvgaarb: device changed decodes: PCI:0000:00:02.0,olddecodes\u003dio+mem,decodes\u003dio+mem:owns\u003dio+mem\n[drm:intel_crt_reset] crt adpa set to 0xf40000\n[drm:intel_dp_init_connector] Adding DP connector on port C\n[drm:intel_dp_aux_init] registering DPDDC-C bus for card0-DP-1\n[drm:ironlake_init_pch_refclk] has_panel 0 has_lvds 0 has_ck505 0\n[drm:ironlake_init_pch_refclk] Disabling SSC entirely\n… later we try committing the first modeset …\n[drm:intel_dump_pipe_config] [CRTC:26][modeset] config ffff88041b02e800 for pipe A\n[drm:intel_dump_pipe_config] cpu_transcoder: A\n…\n[drm:intel_dump_pipe_config] dpll_hw_state: dpll: 0xc4016001, dpll_md: 0x0, fp0: 0x20e08, fp1: 0x30d07\n[drm:intel_dump_pipe_config] planes on this crtc\n[drm:intel_dump_pipe_config] STANDARD PLANE:23 plane: 0.0 idx: 0 enabled\n[drm:intel_dump_pipe_config]     FB:42, fb \u003d 800x600 format \u003d 0x34325258\n[drm:intel_dump_pipe_config]     scaler:0 src (0, 0) 800x600 dst (0, 0) 800x600\n[drm:intel_dump_pipe_config] CURSOR PLANE:25 plane: 0.1 idx: 1 disabled, scaler_id \u003d 0\n[drm:intel_dump_pipe_config] STANDARD PLANE:27 plane: 0.1 idx: 2 disabled, scaler_id \u003d 0\n[drm:intel_get_shared_dpll] CRTC:26 allocated PCH DPLL A\n[drm:intel_get_shared_dpll] using PCH DPLL A for pipe A\n[drm:ilk_audio_codec_disable] Disable audio codec on port C, pipe A\n[drm:intel_disable_pipe] disabling pipe A\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 130 at drivers/gpu/drm/i915/intel_display.c:1146 intel_disable_pipe+0x297/0x2d0 [i915]\npipe_off wait timed out\n…\n---[ end trace 94fc8aa03ae139e8 ]---\n[drm:intel_dp_link_down]\n[drm:ironlake_crtc_disable [i915]] *ERROR* failed to disable transcoder A\n\nLater modesets succeed since they reset the DPLL\u0027s configuration anyway,\nbut this is enough to get stuck with a big fat warning in dmesg.\n\nA better solution would be to add refcounts for the SSC source, but for\nnow leaving the source clock on should suffice.\n\nChanges since v4:\n - Fix calculation of final for systems with LVDS panels (fixes BUG() on\n   CI test suite)\nChanges since v3:\n - Move temp variable into loop\n - Move checks for using_ssc_source to after we\u0027ve figured out has_ck505\n - Add using_ssc_source to debug output\nChanges since v2:\n - Fix debug output for when we disable the CPU source\nChanges since v1:\n - Leave the SSC source clock on instead of just shutting it off on all\n   of the DPLL configurations.\n\nCc: stable@vger.kernel.org\nReviewed-by: Ville Syrjälä \u003cville.syrjala@linux.intel.com\u003e\nSigned-off-by: Lyude \u003ccpaul@redhat.com\u003e\nSigned-off-by: Daniel Vetter \u003cdaniel.vetter@ffwll.ch\u003e\nLink: http://patchwork.freedesktop.org/patch/msgid/1465916649-10228-1-git-send-email-cpaul@redhat.com\nSigned-off-by: Daniel Vetter \u003cdaniel.vetter@ffwll.ch\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnfsd4/rpc: move backchannel create logic into rpc code\n\n[ Upstream commit d50039ea5ee63c589b0434baa5ecf6e5075bb6f9 ]\n\nAlso simplify the logic a bit.\n\nCc: stable@vger.kernel.org\nSigned-off-by: J. Bruce Fields \u003cbfields@redhat.com\u003e\nAcked-by: Trond Myklebust \u003ctrondmy@primarydata.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nbase: make module_create_drivers_dir race-free\n\n[ Upstream commit 7e1b1fc4dabd6ec8e28baa0708866e13fa93c9b3 ]\n\nModules which register drivers via standard path (driver_register) in\nparallel can cause a warning:\nWARNING: CPU: 2 PID: 3492 at ../fs/sysfs/dir.c:31 sysfs_warn_dup+0x62/0x80\nsysfs: cannot create duplicate filename \u0027/module/saa7146/drivers\u0027\nModules linked in: hexium_gemini(+) mxb(+) ...\n...\nCall Trace:\n...\n [\u003cffffffff812e63a2\u003e] sysfs_warn_dup+0x62/0x80\n [\u003cffffffff812e6487\u003e] sysfs_create_dir_ns+0x77/0x90\n [\u003cffffffff8140f2c4\u003e] kobject_add_internal+0xb4/0x340\n [\u003cffffffff8140f5b8\u003e] kobject_add+0x68/0xb0\n [\u003cffffffff8140f631\u003e] kobject_create_and_add+0x31/0x70\n [\u003cffffffff8157a703\u003e] module_add_driver+0xc3/0xd0\n [\u003cffffffff8155e5d4\u003e] bus_add_driver+0x154/0x280\n [\u003cffffffff815604c0\u003e] driver_register+0x60/0xe0\n [\u003cffffffff8145bed0\u003e] __pci_register_driver+0x60/0x70\n [\u003cffffffffa0273e14\u003e] saa7146_register_extension+0x64/0x90 [saa7146]\n [\u003cffffffffa0033011\u003e] hexium_init_module+0x11/0x1000 [hexium_gemini]\n...\n\nAs can be (mostly) seen, driver_register causes this call sequence:\n  -\u003e bus_add_driver\n    -\u003e module_add_driver\n      -\u003e module_create_drivers_dir\nThe last one creates \"drivers\" directory in /sys/module/\u003c...\u003e. When\nthis is done in parallel, the directory is attempted to be created\ntwice at the same time.\n\nThis can be easily reproduced by loading mxb and hexium_gemini in\nparallel:\nwhile :; do\n  modprobe mxb \u0026\n  modprobe hexium_gemini\n  wait\n  rmmod mxb hexium_gemini saa7146_vv saa7146\ndone\n\nsaa7146 calls pci_register_driver for both mxb and hexium_gemini,\nwhich means /sys/module/saa7146/drivers is to be created for both of\nthem.\n\nFix this by a new mutex in module_create_drivers_dir which makes the\ntest-and-create \"drivers\" dir atomic.\n\nI inverted the condition and removed \u0027return\u0027 to avoid multiple\nunlocks or a goto.\n\nSigned-off-by: Jiri Slaby \u003cjslaby@suse.cz\u003e\nFixes: fe480a2675ed (Modules: only add drivers/ direcory if needed)\nCc: v2.6.21+ \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nkvm: Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES\n\n[ Upstream commit caf1ff26e1aa178133df68ac3d40815fed2187d9 ]\n\nThese days, we experienced one guest crash with 8 cores and 3 disks,\nwith qemu error logs as bellow:\n\nqemu-system-x86_64: /build/qemu-2.0.0/kvm-all.c:984:\nkvm_irqchip_commit_routes: Assertion `ret \u003d\u003d 0\u0027 failed.\n\nAnd then we found one patch(bdf026317d) in qemu tree, which said\ncould fix this bug.\n\nExecute the following script will reproduce the BUG quickly:\n\nirq_affinity.sh\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nvda_irq_num\u003d25\nvdb_irq_num\u003d27\nwhile [ 1 ]\ndo\n    for irq in {1,2,4,8,10,20,40,80}\n        do\n            echo $irq \u003e /proc/irq/$vda_irq_num/smp_affinity\n            echo $irq \u003e /proc/irq/$vdb_irq_num/smp_affinity\n            dd if\u003d/dev/vda of\u003d/dev/zero bs\u003d4K count\u003d100 iflag\u003ddirect\n            dd if\u003d/dev/vdb of\u003d/dev/zero bs\u003d4K count\u003d100 iflag\u003ddirect\n        done\ndone\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nThe following qemu log is added in the qemu code and is displayed when\nthis bug reproduced:\n\nkvm_irqchip_commit_routes: max gsi: 1008, nr_allocated_irq_routes: 1024,\nirq_routes-\u003enr: 1024, gsi_count: 1024.\n\nThat\u0027s to say when irq_routes-\u003enr \u003d\u003d 1024, there are 1024 routing entries,\nbut in the kernel code when routes-\u003enr \u003e\u003d 1024, will just return -EINVAL;\n\nThe nr is the number of the routing entries which is in of\n[1 ~ KVM_MAX_IRQ_ROUTES], not the index in [0 ~ KVM_MAX_IRQ_ROUTES - 1].\n\nThis patch fix the BUG above.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Xiubo Li \u003clixiubo@cmss.chinamobile.com\u003e\nSigned-off-by: Wei Tang \u003ctangwei@cmss.chinamobile.com\u003e\nSigned-off-by: Zhang Zhuoyu \u003czhangzhuoyu@cmss.chinamobile.com\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nBtrfs: make btrfs_abort_transaction consider existence of new block groups\n\n[ Upstream commit c92f6be34c501406daf5e61f3569a1813f985393 ]\n\nIf the transaction handle doesn\u0027t have used blocks but has created new block\ngroups make sure we turn the fs into readonly mode too. This is because the\nnew block groups didn\u0027t get all their metadata persisted into the chunk and\ndevice trees, and therefore if a subsequent transaction starts, allocates\nspace from the new block groups, writes data or metadata into that space,\ncommits successfully and then after we unmount and mount the filesystem\nagain, the same space can be allocated again for a new block group,\nresulting in file data or metadata corruption.\n\nExample where we don\u0027t abort the transaction when we fail to finish the\nchunk allocation (add items to the chunk and device trees) and later a\nfuture transaction where the block group is removed fails because it can\u0027t\nfind the chunk item in the chunk tree:\n\n[25230.404300] WARNING: CPU: 0 PID: 7721 at fs/btrfs/super.c:260 __btrfs_abort_transaction+0x50/0xfc [btrfs]()\n[25230.404301] BTRFS: Transaction aborted (error -28)\n[25230.404302] Modules linked in: btrfs dm_flakey nls_utf8 fuse xor raid6_pq ntfs vfat msdos fat xfs crc32c_generic libcrc32c ext3 jbd ext2 dm_mod nfsd auth_rpcgss oid_registry nfs_acl nfs lockd fscache sunrpc loop psmouse i2c_piix4 i2ccore parport_pc parport processor button pcspkr serio_raw thermal_sys evdev microcode ext4 crc16 jbd2 mbcache sr_mod cdrom ata_generic sg sd_mod crc_t10dif crct10dif_generic crct10dif_common virtio_scsi floppy e1000 ata_piix libata virtio_pci virtio_ring scsi_mod virtio [last unloaded: btrfs]\n[25230.404325] CPU: 0 PID: 7721 Comm: xfs_io Not tainted 3.17.0-rc5-btrfs-next-1+ #1\n[25230.404326] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014\n[25230.404328]  0000000000000000 ffff88004581bb08 ffffffff813e7a13 ffff88004581bb50\n[25230.404330]  ffff88004581bb40 ffffffff810423aa ffffffffa049386a 00000000ffffffe4\n[25230.404332]  ffffffffa05214c0 000000000000240c ffff88010fc8f800 ffff88004581bba8\n[25230.404334] Call Trace:\n[25230.404338]  [\u003cffffffff813e7a13\u003e] dump_stack+0x45/0x56\n[25230.404342]  [\u003cffffffff810423aa\u003e] warn_slowpath_common+0x7f/0x98\n[25230.404351]  [\u003cffffffffa049386a\u003e] ? __btrfs_abort_transaction+0x50/0xfc [btrfs]\n[25230.404353]  [\u003cffffffff8104240b\u003e] warn_slowpath_fmt+0x48/0x50\n[25230.404362]  [\u003cffffffffa049386a\u003e] __btrfs_abort_transaction+0x50/0xfc [btrfs]\n[25230.404374]  [\u003cffffffffa04a8c43\u003e] btrfs_create_pending_block_groups+0x10c/0x135 [btrfs]\n[25230.404387]  [\u003cffffffffa04b77fd\u003e] __btrfs_end_transaction+0x7e/0x2de [btrfs]\n[25230.404398]  [\u003cffffffffa04b7a6d\u003e] btrfs_end_transaction+0x10/0x12 [btrfs]\n[25230.404408]  [\u003cffffffffa04a3d64\u003e] btrfs_check_data_free_space+0x111/0x1f0 [btrfs]\n[25230.404421]  [\u003cffffffffa04c53bd\u003e] __btrfs_buffered_write+0x160/0x48d [btrfs]\n[25230.404425]  [\u003cffffffff811a9268\u003e] ? cap_inode_need_killpriv+0x2d/0x37\n[25230.404429]  [\u003cffffffff810f6501\u003e] ? get_page+0x1a/0x2b\n[25230.404441]  [\u003cffffffffa04c7c95\u003e] btrfs_file_write_iter+0x321/0x42f [btrfs]\n[25230.404443]  [\u003cffffffff8110f5d9\u003e] ? handle_mm_fault+0x7f3/0x846\n[25230.404446]  [\u003cffffffff813e98c5\u003e] ? mutex_unlock+0x16/0x18\n[25230.404449]  [\u003cffffffff81138d68\u003e] new_sync_write+0x7c/0xa0\n[25230.404450]  [\u003cffffffff81139401\u003e] vfs_write+0xb0/0x112\n[25230.404452]  [\u003cffffffff81139c9d\u003e] SyS_pwrite64+0x66/0x84\n[25230.404454]  [\u003cffffffff813ebf52\u003e] system_call_fastpath+0x16/0x1b\n[25230.404455] ---[ end trace 5aa5684fdf47ab38 ]---\n[25230.404458] BTRFS warning (device sdc): btrfs_create_pending_block_groups:9228: Aborting unused transaction(No space left).\n[25288.084814] BTRFS: error (device sdc) in btrfs_free_chunk:2509: errno\u003d-2 No such entry (Failed lookup while freeing chunk.)\n\nSigned-off-by: Filipe Manana \u003cfdmanana@suse.com\u003e\nReviewed-by: Josef Bacik \u003cjbacik@fb.com\u003e\nSigned-off-by: Chris Mason \u003cclm@fb.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nbtrfs: account for non-CoW\u0027d blocks in btrfs_abort_transaction\n\n[ Upstream commit 64c12921e11b3a0c10d088606e328c58e29274d8 ]\n\nThe test for !trans-\u003eblocks_used in btrfs_abort_transaction is\ninsufficient to determine whether it\u0027s safe to drop the transaction\nhandle on the floor.  btrfs_cow_block, informed by should_cow_block,\ncan return blocks that have already been CoW\u0027d in the current\ntransaction.  trans-\u003eblocks_used is only incremented for new block\nallocations. If an operation overlaps the blocks in the current\ntransaction entirely and must abort the transaction, we\u0027ll happily\nlet it clean up the trans handle even though it may have modified\nthe blocks and will commit an incomplete operation.\n\nIn the long-term, I\u0027d like to do closer tracking of when the fs\nis actually modified so we can still recover as gracefully as possible,\nbut that approach will need some discussion.  In the short term,\nsince this is the only code using trans-\u003eblocks_used, let\u0027s just\nswitch it to a bool indicating whether any blocks were used and set\nit when should_cow_block returns false.\n\nCc: stable@vger.kernel.org # 3.4+\nSigned-off-by: Jeff Mahoney \u003cjeffm@suse.com\u003e\nReviewed-by: Filipe Manana \u003cfdmanana@suse.com\u003e\nSigned-off-by: David Sterba \u003cdsterba@suse.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nIB/mlx4: Properly initialize GRH TClass and FlowLabel in AHs\n\n[ Upstream commit 8c5122e45a10a9262f872b53f151a592e870f905 ]\n\nWhen this code was reworked for IBoE support the order of assignments\nfor the sl_tclass_flowlabel got flipped around resulting in\nTClass \u0026 FlowLabel being permanently set to 0 in the packet headers.\n\nThis breaks IB routers that rely on these headers, but only affects\nkernel users - libmlx4 does this properly for user space.\n\nCc: stable@vger.kernel.org\nFixes: fa417f7b520e (\"IB/mlx4: Add support for IBoE\")\nSigned-off-by: Jason Gunthorpe \u003cjgunthorpe@obsidianresearch.com\u003e\nSigned-off-by: Doug Ledford \u003cdledford@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ncan: c_can: Update D_CAN TX and RX functions to 32 bit - fix Altera Cyclone access\n\n[ Upstream commit 427460c83cdf55069eee49799a0caef7dde8df69 ]\n\nWhen testing CAN write floods on Altera\u0027s CycloneV, the first 2 bytes\nare sometimes 0x00, 0x00 or corrupted instead of the values sent. Also\nobserved bytes 4 \u0026 5 were corrupted in some cases.\n\nThe D_CAN Data registers are 32 bits and changing from 16 bit writes to\n32 bit writes fixes the problem.\n\nTesting performed on Altera CycloneV (D_CAN).  Requesting tests on other\nC_CAN \u0026 D_CAN platforms.\n\nReported-by: Richard Andrysek \u003crichard.andrysek@gomtec.de\u003e\nSigned-off-by: Thor Thayer \u003ctthayer@opensource.altera.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Marc Kleine-Budde \u003cmkl@pengutronix.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ncan: at91_can: RX queue could get stuck at high bus load\n\n[ Upstream commit 43200a4480cbbe660309621817f54cbb93907108 ]\n\nAt high bus load it could happen that \"at91_poll()\" enters with all RX\nmessage boxes filled up. If then at the end the \"quota\" is exceeded as\nwell, \"rx_next\" will not be reset to the first RX mailbox and hence the\ninterrupts remain disabled.\n\nSigned-off-by: Wolfgang Grandegger \u003cwg@grandegger.com\u003e\nTested-by: Amr Bekhit \u003camrbekhit@gmail.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Marc Kleine-Budde \u003cmkl@pengutronix.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ntracing: Handle NULL formats in hold_module_trace_bprintk_format()\n\n[ Upstream commit 70c8217acd4383e069fe1898bbad36ea4fcdbdcc ]\n\nIf a task uses a non constant string for the format parameter in\ntrace_printk(), then the trace_printk_fmt variable is set to NULL. This\nvariable is then saved in the __trace_printk_fmt section.\n\nThe function hold_module_trace_bprintk_format() checks to see if duplicate\nformats are used by modules, and reuses them if so (saves them to the list\nif it is new). But this function calls lookup_format() that does a strcmp()\nto the value (which is now NULL) and can cause a kernel oops.\n\nThis wasn\u0027t an issue till 3debb0a9ddb (\"tracing: Fix trace_printk() to print\nwhen not using bprintk()\") which added \"__used\" to the trace_printk_fmt\nvariable, and before that, the kernel simply optimized it out (no NULL value\nwas saved).\n\nThe fix is simply to handle the NULL pointer in lookup_format() and have the\ncaller ignore the value if it was NULL.\n\nLink: http://lkml.kernel.org/r/1464769870-18344-1-git-send-email-zhengjun.xing@intel.com\n\nReported-by: xingzhen \u003czhengjun.xing@intel.com\u003e\nAcked-by: Namhyung Kim \u003cnamhyung@kernel.org\u003e\nFixes: 3debb0a9ddb (\"tracing: Fix trace_printk() to print when not using bprintk()\")\nCc: stable@vger.kernel.org # v3.5+\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\narm64: mm: remove page_mapping check in __sync_icache_dcache\n\n[ Upstream commit 20c27a4270c775d7ed661491af8ac03264d60fc6 ]\n\n__sync_icache_dcache unconditionally skips the cache maintenance for\nanonymous pages, under the assumption that flushing is only required in\nthe presence of D-side aliases [see 7249b79f6b4cc (\"arm64: Do not flush\nthe D-cache for anonymous pages\")].\n\nUnfortunately, this breaks migration of anonymous pages holding\nself-modifying code, where userspace cannot be reasonably expected to\nreissue maintenance instructions in response to a migration.\n\nThis patch fixes the problem by removing the broken page_mapping(page)\ncheck from the cache syncing code, otherwise we may end up fetching and\nexecuting stale instructions from the PoU.\n\nCc: Catalin Marinas \u003ccatalin.marinas@arm.com\u003e\nCc: Will Deacon \u003cwill.deacon@arm.com\u003e\nCc: Mark Rutland \u003cmark.rutland@arm.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nReviewed-by: Catalin Marinas \u003ccatalin.marinas@arm.com\u003e\nSigned-off-by: Shaokun Zhang \u003czhangshaokun@hisilicon.com\u003e\nSigned-off-by: Will Deacon \u003cwill.deacon@arm.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\npinctrl: imx: Do not treat a PIN without MUX register as an error\n\n[ Upstream commit ba562d5e54fd3136bfea0457add3675850247774 ]\n\nSome PINs do not have a MUX register, it is not an error.\nIt is necessary to allow the continuation of the PINs configuration,\notherwise the whole PIN-group will be configured incorrectly.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Alexander Shiyan \u003cshc_work@mail.ru\u003e\nSigned-off-by: Linus Walleij \u003clinus.walleij@linaro.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\npinctrl: single: Fix missing flush of posted write for a wakeirq\n\n[ Upstream commit 0ac3c0a4025f41748a083bdd4970cb3ede802b15 ]\n\nWith many repeated suspend resume cycles, the pin specific wakeirq\nmay not always work on omaps. This is because the write to enable the\npin interrupt may not have reached the device over the interconnect\nbefore suspend happens.\n\nLet\u0027s fix the issue with a flush of posted write with a readback.\n\nCc: stable@vger.kernel.org\nReported-by: Nishanth Menon \u003cnm@ti.com\u003e\nSigned-off-by: Tony Lindgren \u003ctony@atomide.com\u003e\nSigned-off-by: Linus Walleij \u003clinus.walleij@linaro.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmm: Export migrate_page_move_mapping and migrate_page_copy\n\n[ Upstream commit 1118dce773d84f39ebd51a9fe7261f9169cb056e ]\n\nExport these symbols such that UBIFS can implement\n-\u003emigratepage.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Richard Weinberger \u003crichard@nod.at\u003e\nAcked-by: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUBIFS: Implement -\u003emigratepage()\n\n[ Upstream commit 4ac1c17b2044a1b4b2fbed74451947e905fc2992 ]\n\nDuring page migrations UBIFS might get confused\nand the following assert triggers:\n[  213.480000] UBIFS assert failed in ubifs_set_page_dirty at 1451 (pid 436)\n[  213.490000] CPU: 0 PID: 436 Comm: drm-stress-test Not tainted 4.4.4-00176-geaa802524636-dirty #1008\n[  213.490000] Hardware name: Allwinner sun4i/sun5i Families\n[  213.490000] [\u003cc0015e70\u003e] (unwind_backtrace) from [\u003cc0012cdc\u003e] (show_stack+0x10/0x14)\n[  213.490000] [\u003cc0012cdc\u003e] (show_stack) from [\u003cc02ad834\u003e] (dump_stack+0x8c/0xa0)\n[  213.490000] [\u003cc02ad834\u003e] (dump_stack) from [\u003cc0236ee8\u003e] (ubifs_set_page_dirty+0x44/0x50)\n[  213.490000] [\u003cc0236ee8\u003e] (ubifs_set_page_dirty) from [\u003cc00fa0bc\u003e] (try_to_unmap_one+0x10c/0x3a8)\n[  213.490000] [\u003cc00fa0bc\u003e] (try_to_unmap_one) from [\u003cc00fadb4\u003e] (rmap_walk+0xb4/0x290)\n[  213.490000] [\u003cc00fadb4\u003e] (rmap_walk) from [\u003cc00fb1bc\u003e] (try_to_unmap+0x64/0x80)\n[  213.490000] [\u003cc00fb1bc\u003e] (try_to_unmap) from [\u003cc010dc28\u003e] (migrate_pages+0x328/0x7a0)\n[  213.490000] [\u003cc010dc28\u003e] (migrate_pages) from [\u003cc00d0cb0\u003e] (alloc_contig_range+0x168/0x2f4)\n[  213.490000] [\u003cc00d0cb0\u003e] (alloc_contig_range) from [\u003cc010ec00\u003e] (cma_alloc+0x170/0x2c0)\n[  213.490000] [\u003cc010ec00\u003e] (cma_alloc) from [\u003cc001a958\u003e] (__alloc_from_contiguous+0x38/0xd8)\n[  213.490000] [\u003cc001a958\u003e] (__alloc_from_contiguous) from [\u003cc001ad44\u003e] (__dma_alloc+0x23c/0x274)\n[  213.490000] [\u003cc001ad44\u003e] (__dma_alloc) from [\u003cc001ae08\u003e] (arm_dma_alloc+0x54/0x5c)\n[  213.490000] [\u003cc001ae08\u003e] (arm_dma_alloc) from [\u003cc035cecc\u003e] (drm_gem_cma_create+0xb8/0xf0)\n[  213.490000] [\u003cc035cecc\u003e] (drm_gem_cma_create) from [\u003cc035cf20\u003e] (drm_gem_cma_create_with_handle+0x1c/0xe8)\n[  213.490000] [\u003cc035cf20\u003e] (drm_gem_cma_create_with_handle) from [\u003cc035d088\u003e] (drm_gem_cma_dumb_create+0x3c/0x48)\n[  213.490000] [\u003cc035d088\u003e] (drm_gem_cma_dumb_create) from [\u003cc0341ed8\u003e] (drm_ioctl+0x12c/0x444)\n[  213.490000] [\u003cc0341ed8\u003e] (drm_ioctl) from [\u003cc0121adc\u003e] (do_vfs_ioctl+0x3f4/0x614)\n[  213.490000] [\u003cc0121adc\u003e] (do_vfs_ioctl) from [\u003cc0121d30\u003e] (SyS_ioctl+0x34/0x5c)\n[  213.490000] [\u003cc0121d30\u003e] (SyS_ioctl) from [\u003cc000f2c0\u003e] (ret_fast_syscall+0x0/0x34)\n\nUBIFS is using PagePrivate() which can have different meanings across\nfilesystems. Therefore the generic page migration code cannot handle this\ncase correctly.\nWe have to implement our own migration function which basically does a\nplain copy but also duplicates the page private flag.\nUBIFS is not a block device filesystem and cannot use buffer_migrate_page().\n\nCc: stable@vger.kernel.org\nSigned-off-by: Kirill A. Shutemov \u003ckirill.shutemov@linux.intel.com\u003e\n[rw: Massaged changelog, build fixes, etc...]\nSigned-off-by: Richard Weinberger \u003crichard@nod.at\u003e\nAcked-by: Christoph Hellwig \u003chch@lst.de\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ncan: fix handling of unmodifiable configuration options fix\n\n[ Upstream commit bce271f255dae8335dc4d2ee2c4531e09cc67f5a ]\n\nWith upstream commit bb208f144cf3f59 (can: fix handling of unmodifiable\nconfiguration options) a new can_validate() function was introduced.\n\nWhen invoking \u0027ip link set can0 type can\u0027 without any configuration data\ncan_validate() tries to validate the content without taking into account that\nthere\u0027s totally no content. This patch adds a check for missing content.\n\nReported-by: ajneu \u003cajneu1@gmail.com\u003e\nSigned-off-by: Oliver Hartkopp \u003csocketcan@hartkopp.net\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Marc Kleine-Budde \u003cmkl@pengutronix.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ncan: fix oops caused by wrong rtnl dellink usage\n\n[ Upstream commit 25e1ed6e64f52a692ba3191c4fde650aab3ecc07 ]\n\nFor \u0027real\u0027 hardware CAN devices the netlink interface is used to set CAN\nspecific communication parameters. Real CAN hardware can not be created nor\nremoved with the ip tool ...\n\nThis patch adds a private dellink function for the CAN device driver interface\nthat does just nothing.\n\nIt\u0027s a follow up to commit 993e6f2fd (\"can: fix oops caused by wrong rtnl\nnewlink usage\") but for dellink.\n\nReported-by: ajneu \u003cajneu1@gmail.com\u003e\nSigned-off-by: Oliver Hartkopp \u003csocketcan@hartkopp.net\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Marc Kleine-Budde \u003cmkl@pengutronix.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nxen/pciback: Fix conf_space read/write overlap check.\n\n[ Upstream commit 02ef871ecac290919ea0c783d05da7eedeffc10e ]\n\nCurrent overlap check is evaluating to false a case where a filter\nfield is fully contained (proper subset) of a r/w request.  This\nchange applies classical overlap check instead to include all the\nscenarios.\n\nMore specifically, for (Hilscher GmbH CIFX 50E-DP(M/S)) device driver\nthe logic is such that the entire confspace is read and written in 4\nbyte chunks. In this case as an example, CACHE_LINE_SIZE,\nLATENCY_TIMER and PCI_BIST are arriving together in one call to\nxen_pcibk_config_write() with offset \u003d\u003d 0xc and size \u003d\u003d 4.  With the\nexsisting overlap check the LATENCY_TIMER field (offset \u003d\u003d 0xd, length\n\u003d\u003d 1) is fully contained in the write request and hence is excluded\nfrom write, which is incorrect.\n\nSigned-off-by: Andrey Grodzovsky \u003candrey2805@gmail.com\u003e\nReviewed-by: Boris Ostrovsky \u003cboris.ostrovsky@oracle.com\u003e\nReviewed-by: Jan Beulich \u003cJBeulich@suse.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: David Vrabel \u003cdavid.vrabel@citrix.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nInput: wacom_w8001 - w8001_MAX_LENGTH should be 13\n\n[ Upstream commit 12afb34400eb2b301f06b2aa3535497d14faee59 ]\n\nSomehow the patch that added two-finger touch support forgot to update\nW8001_MAX_LENGTH from 11 to 13.\n\nSigned-off-by: Ping Cheng \u003cpingc@wacom.com\u003e\nReviewed-by: Peter Hutterer \u003cpeter.hutterer@who-t.net\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Dmitry Torokhov \u003cdmitry.torokhov@gmail.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nInput: elantech - add new icbody type\n\n[ Upstream commit 692dd1916436164e228608803dfb6cb768d6355a ]\n\nThis adds new icbody type to the list recognized by Elantech PS/2 driver.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Sam Hung \u003csam.hung@emc.com.tw\u003e\nSigned-off-by: Dmitry Torokhov \u003cdmitry.torokhov@gmail.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nInput: elantech - add more IC body types to the list\n\n[ Upstream commit 226ba707744a51acb4244724e09caacb1d96aed9 ]\n\nThe touchpad in HP Pavilion 14-ab057ca reports it\u0027s version as 12 and\naccording to Elan both 11 and 12 are valid IC types and should be\nidentified as hw_version 4.\n\nReported-by: Patrick Lessard \u003cPatrick.Lessard@cogeco.com\u003e\nTested-by: Patrick Lessard \u003cPatrick.Lessard@cogeco.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Dmitry Torokhov \u003cdmitry.torokhov@gmail.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/nouveau: fix for disabled fbdev emulation\n\n[ Upstream commit 52dfcc5ccfbb6697ac3cac7f7ff1e712760e1216 ]\n\nHello,\n\nafter this commit:\n\ncommit f045f459d925138fe7d6193a8c86406bda7e49da\nAuthor: Ben Skeggs \u003cbskeggs@redhat.com\u003e\nDate:   Thu Jun 2 12:23:31 2016 +1000\n    drm/nouveau/fbcon: fix out-of-bounds memory accesses\n\nkernel started to oops when loading nouveau module when using GTX 780 Ti\nvideo adapter. This patch fixes the problem.\n\nBug report: https://bugzilla.kernel.org/show_bug.cgi?id\u003d120591\n\nSigned-off-by: Dmitrii Tcvetkov \u003cdemfloro@demfloro.ru\u003e\nSuggested-by: Ilia Mirkin \u003cimirkin@alum.mit.edu\u003e\nFixes: f045f459d925 (\"nouveau_fbcon_init()\")\nSigned-off-by: Ben Skeggs \u003cbskeggs@redhat.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndecode_negTokenInit had wrong calling sequence\n\n[ Upstream commit ebdd207e29164d5de70d2b027b8a3a14c603d42c ]\n\nFor krb5 enablement of SMB3, decoding negprot, caller now passes\nserver struct not the old sec_type\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\n[SMB3] Fix sec\u003dkrb5 on smb3 mounts\n\n[ Upstream commit ceb1b0b9b4d1089e9f2731a314689ae17784c861 ]\n\nKerberos, which is very important for security, was only enabled for\nCIFS not SMB2/SMB3 mounts (e.g. vers\u003d3.0)\n\nPatch based on the information detailed in\nhttp://thread.gmane.org/gmane.linux.kernel.cifs/10081/focus\u003d10307\nto enable Kerberized SMB2/SMB3\n\na) SMB2_negotiate: enable/use decode_negTokenInit in SMB2_negotiate\nb) SMB2_sess_setup: handle Kerberos sectype and replicate Kerberos\n   SMB1 processing done in sess_auth_kerberos\n\nSigned-off-by: Noel Power \u003cnoel.power@suse.com\u003e\nSigned-off-by: Jim McDonough \u003cjmcd@samba.org\u003e\nCC: Stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Steve French \u003csteve.french@primarydata.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ncifs: dynamic allocation of ntlmssp blob\n\n[ Upstream commit b8da344b74c822e966c6d19d6b2321efe82c5d97 ]\n\nIn sess_auth_rawntlmssp_authenticate(), the ntlmssp blob is allocated\nstatically and its size is an \"empirical\" 5*sizeof(struct\n_AUTHENTICATE_MESSAGE) (320B on x86_64). I don\u0027t know where this value\ncomes from or if it was ever appropriate, but it is currently\ninsufficient: the user and domain name in UTF16 could take 1kB by\nthemselves. Because of that, build_ntlmssp_auth_blob() might corrupt\nmemory (out-of-bounds write). The size of ntlmssp_blob in\nSMB2_sess_setup() is too small too (sizeof(struct _NEGOTIATE_MESSAGE)\n+ 500).\n\nThis patch allocates the blob dynamically in\nbuild_ntlmssp_auth_blob().\n\nSigned-off-by: Jerome Marchand \u003cjmarchan@redhat.com\u003e\nSigned-off-by: Steve French \u003csmfrench@gmail.com\u003e\nCC: Stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nALSA: hda - remove one pin from ALC292_STANDARD_PINS\n\n[ Upstream commit 21e9d017b88ea0baa367ef0b6516d794fa23e85e ]\n\nOne more Dell laptop with alc293 codec needs\nALC293_FIXUP_DELL1_MIC_NO_PRESENCE, but the pin 0x1e does not match\nthe corresponding one in the ALC292_STANDARD_PINS. To use this macro\nfor this machine, we need to remove pin 0x1e from it.\n\nBugLink: https://bugs.launchpad.net/bugs/1476888\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Hui Wang \u003chui.wang@canonical.com\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nALSA: dummy: Fix a use-after-free at closing\n\n[ Upstream commit d5dbbe6569481bf12dcbe3e12cff72c5f78d272c ]\n\nsyzkaller fuzzer spotted a potential use-after-free case in snd-dummy\ndriver when hrtimer is used as backend:\n\u003e \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\u003e BUG: KASAN: use-after-free in rb_erase+0x1b17/0x2010 at addr ffff88005e5b6f68\n\u003e  Read of size 8 by task syz-executor/8984\n\u003e \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\u003e BUG kmalloc-192 (Not tainted): kasan: bad access detected\n\u003e -----------------------------------------------------------------------------\n\u003e\n\u003e Disabling lock debugging due to kernel taint\n\u003e INFO: Allocated in 0xbbbbbbbbbbbbbbbb age\u003d18446705582212484632\n\u003e ....\n\u003e [\u003c      none      \u003e] dummy_hrtimer_create+0x49/0x1a0 sound/drivers/dummy.c:464\n\u003e ....\n\u003e INFO: Freed in 0xfffd8e09 age\u003d18446705496313138713 cpu\u003d2164287125 pid\u003d-1\n\u003e [\u003c      none      \u003e] dummy_hrtimer_free+0x68/0x80 sound/drivers/dummy.c:481\n\u003e ....\n\u003e Call Trace:\n\u003e  [\u003cffffffff8179e59e\u003e] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:333\n\u003e  [\u003c     inline     \u003e] rb_set_parent include/linux/rbtree_augmented.h:111\n\u003e  [\u003c     inline     \u003e] __rb_erase_augmented include/linux/rbtree_augmented.h:218\n\u003e  [\u003cffffffff82ca5787\u003e] rb_erase+0x1b17/0x2010 lib/rbtree.c:427\n\u003e  [\u003cffffffff82cb02e8\u003e] timerqueue_del+0x78/0x170 lib/timerqueue.c:86\n\u003e  [\u003cffffffff814d0c80\u003e] __remove_hrtimer+0x90/0x220 kernel/time/hrtimer.c:903\n\u003e  [\u003c     inline     \u003e] remove_hrtimer kernel/time/hrtimer.c:945\n\u003e  [\u003cffffffff814d23da\u003e] hrtimer_try_to_cancel+0x22a/0x570 kernel/time/hrtimer.c:1046\n\u003e  [\u003cffffffff814d2742\u003e] hrtimer_cancel+0x22/0x40 kernel/time/hrtimer.c:1066\n\u003e  [\u003cffffffff85420531\u003e] dummy_hrtimer_stop+0x91/0xb0 sound/drivers/dummy.c:417\n\u003e  [\u003cffffffff854228bf\u003e] dummy_pcm_trigger+0x17f/0x1e0 sound/drivers/dummy.c:507\n\u003e  [\u003cffffffff85392170\u003e] snd_pcm_do_stop+0x160/0x1b0 sound/core/pcm_native.c:1106\n\u003e  [\u003cffffffff85391b26\u003e] snd_pcm_action_single+0x76/0x120 sound/core/pcm_native.c:956\n\u003e  [\u003cffffffff85391e01\u003e] snd_pcm_action+0x231/0x290 sound/core/pcm_native.c:974\n\u003e  [\u003c     inline     \u003e] snd_pcm_stop sound/core/pcm_native.c:1139\n\u003e  [\u003cffffffff8539754d\u003e] snd_pcm_drop+0x12d/0x1d0 sound/core/pcm_native.c:1784\n\u003e  [\u003cffffffff8539d3be\u003e] snd_pcm_common_ioctl1+0xfae/0x2150 sound/core/pcm_native.c:2805\n\u003e  [\u003cffffffff8539ee91\u003e] snd_pcm_capture_ioctl1+0x2a1/0x5e0 sound/core/pcm_native.c:2976\n\u003e  [\u003cffffffff8539f2ec\u003e] snd_pcm_kernel_ioctl+0x11c/0x160 sound/core/pcm_native.c:3020\n\u003e  [\u003cffffffff853d9a44\u003e] snd_pcm_oss_sync+0x3a4/0xa30 sound/core/oss/pcm_oss.c:1693\n\u003e  [\u003cffffffff853da27d\u003e] snd_pcm_oss_release+0x1ad/0x280 sound/core/oss/pcm_oss.c:2483\n\u003e  .....\n\nA workaround is to call hrtimer_cancel() in dummy_hrtimer_sync() which\nis called certainly before other blocking ops.\n\nReported-by: Dmitry Vyukov \u003cdvyukov@google.com\u003e\nTested-by: Dmitry Vyukov \u003cdvyukov@google.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nFix reconnect to not defer smb3 session reconnect long after socket reconnect\n\n[ Upstream commit 4fcd1813e6404dd4420c7d12fb483f9320f0bf93 ]\n\nAzure server blocks clients that open a socket and don\u0027t do anything on it.\nIn our reconnect scenarios, we can reconnect the tcp session and\ndetect the socket is available but we defer the negprot and SMB3 session\nsetup and tree connect reconnection until the next i/o is requested, but\nthis looks suspicous to some servers who expect SMB3 negprog and session\nsetup soon after a socket is created.\n\nIn the echo thread, reconnect SMB3 sessions and tree connections\nthat are disconnected.  A later patch will replay persistent (and\nresilient) handle opens.\n\nCC: Stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Steve French \u003csteve.french@primarydata.com\u003e\nAcked-by: Pavel Shilovsky \u003cpshilovsky@samba.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nFile names with trailing period or space need special case conversion\n\n[ Upstream commit 45e8a2583d97ca758a55c608f78c4cef562644d1 ]\n\nPOSIX allows files with trailing spaces or a trailing period but\nSMB3 does not, so convert these using the normal Services For Mac\nmapping as we do for other reserved characters such as\n\t: \u003c \u003e | ? *\nThis is similar to what Macs do for the same problem over SMB3.\n\nCC: Stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Steve French \u003csteve.french@primarydata.com\u003e\nAcked-by: Pavel Shilovsky \u003cpshilovsky@samba.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUSB: EHCI: declare hostpc register as zero-length array\n\n[ Upstream commit 7e8b3dfef16375dbfeb1f36a83eb9f27117c51fd ]\n\nThe HOSTPC extension registers found in some EHCI implementations form\na variable-length array, with one element for each port.  Therefore\nthe hostpc field in struct ehci_regs should be declared as a\nzero-length array, not a single-element array.\n\nThis fixes a problem reported by UBSAN.\n\nSigned-off-by: Alan Stern \u003cstern@rowland.harvard.edu\u003e\nReported-by: Wilfried Klaebe \u003clinux-kernel@lebenslange-mailadresse.de\u003e\nTested-by: Wilfried Klaebe \u003clinux-kernel@lebenslange-mailadresse.de\u003e\nCC: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ntmpfs: don\u0027t undo fallocate past its last page\n\n[ Upstream commit b9b4bb26af017dbe930cd4df7f9b2fc3a0497bfe ]\n\nWhen fallocate is interrupted it will undo a range that extends one byte\npast its range of allocated pages.  This can corrupt an in-use page by\nzeroing out its first byte.  Instead, undo using the inclusive byte\nrange.\n\nFixes: 1635f6a74152f1d (\"tmpfs: undo fallocation on failure\")\nLink: http://lkml.kernel.org/r/1462713387-16724-1-git-send-email-anthony.romano@coreos.com\nSigned-off-by: Anthony Romano \u003canthony.romano@coreos.com\u003e\nCc: Vlastimil Babka \u003cvbabka@suse.cz\u003e\nCc: Hugh Dickins \u003chughd@google.com\u003e\nCc: Brandon Philips \u003cbrandon@ifup.co\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmm: rename deactivate_page to deactivate_file_page\n\n[ Upstream commit cc5993bd7b8cff4a3e37042ee1358d1d5eafa70c ]\n\n\"deactivate_page\" was created for file invalidation so it has too\nspecific logic for file-backed pages.  So, let\u0027s change the name of the\nfunction and date to a file-specific one and yield the generic name.\n\nSigned-off-by: Minchan Kim \u003cminchan@kernel.org\u003e\nCc: Michal Hocko \u003cmhocko@suse.cz\u003e\nCc: Johannes Weiner \u003channes@cmpxchg.org\u003e\nCc: Mel Gorman \u003cmgorman@suse.de\u003e\nCc: Rik van Riel \u003criel@redhat.com\u003e\nCc: Shaohua Li \u003cshli@kernel.org\u003e\nCc: Wang, Yalin \u003cYalin.Wang@sonymobile.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmm/swap.c: flush lru pvecs on compound page arrival\n\n[ Upstream commit 8f182270dfec432e93fae14f9208a6b9af01009f ]\n\nCurrently we can have compound pages held on per cpu pagevecs, which\nleads to a lot of memory unavailable for reclaim when needed.  In the\nsystems with hundreads of processors it can be GBs of memory.\n\nOn of the way of reproducing the problem is to not call munmap\nexplicitly on all mapped regions (i.e.  after receiving SIGTERM).  After\nthat some pages (with THP enabled also huge pages) may end up on\nlru_add_pvec, example below.\n\n  void main() {\n  #pragma omp parallel\n  {\n\tsize_t size \u003d 55 * 1000 * 1000; // smaller than  MEM/CPUS\n\tvoid *p \u003d mmap(NULL, size, PROT_READ | PROT_WRITE,\n\t\tMAP_PRIVATE | MAP_ANONYMOUS , -1, 0);\n\tif (p !\u003d MAP_FAILED)\n\t\tmemset(p, 0, size);\n\t//munmap(p, size); // uncomment to make the problem go away\n  }\n  }\n\nWhen we run it with THP enabled it will leave significant amount of\nmemory on lru_add_pvec.  This memory will be not reclaimed if we hit\nOOM, so when we run above program in a loop:\n\n\tfor i in `seq 100`; do ./a.out; done\n\nmany processes (95% in my case) will be killed by OOM.\n\nThe primary point of the LRU add cache is to save the zone lru_lock\ncontention with a hope that more pages will belong to the same zone and\nso their addition can be batched.  The huge page is already a form of\nbatched addition (it will add 512 worth of memory in one go) so skipping\nthe batching seems like a safer option when compared to a potential\nexcess in the caching which can be quite large and much harder to fix\nbecause lru_add_drain_all is way to expensive and it is not really clear\nwhat would be a good moment to call it.\n\nSimilarly we can reproduce the problem on lru_deactivate_pvec by adding:\nmadvise(p, size, MADV_FREE); after memset.\n\nThis patch flushes lru pvecs on compound page arrival making the problem\nless severe - after applying it kill rate of above example drops to 0%,\ndue to reducing maximum amount of memory held on pvec from 28MB (with\nTHP) to 56kB per CPU.\n\nSuggested-by: Michal Hocko \u003cmhocko@suse.com\u003e\nLink: http://lkml.kernel.org/r/1466180198-18854-1-git-send-email-lukasz.odzioba@intel.com\nSigned-off-by: Lukasz Odzioba \u003clukasz.odzioba@intel.com\u003e\nAcked-by: Michal Hocko \u003cmhocko@suse.com\u003e\nCc: Kirill Shutemov \u003ckirill.shutemov@linux.intel.com\u003e\nCc: Andrea Arcangeli \u003caarcange@redhat.com\u003e\nCc: Vladimir Davydov \u003cvdavydov@parallels.com\u003e\nCc: Ming Li \u003cmingli199x@qq.com\u003e\nCc: Minchan Kim \u003cminchan@kernel.org\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmm, compaction: skip compound pages by order in free scanner\n\n[ Upstream commit 683854270f84daa09baffe2b21d64ec88c614fa9 ]\n\n[ Upstream commit 9fcd6d2e052eef525e94a9ae58dbe7ed4df4f5a7 ]\n\nThe compaction free scanner is looking for PageBuddy() pages and\nskipping all others.  For large compound pages such as THP or hugetlbfs,\nwe can save a lot of iterations if we skip them at once using their\ncompound_order().  This is generally unsafe and we can read a bogus\nvalue of order due to a race, but if we are careful, the only danger is\nskipping too much.\n\nWhen tested with stress-highalloc from mmtests on 4GB system with 1GB\nhugetlbfs pages, the vmstat compact_free_scanned count decreased by at\nleast 15%.\n\nSigned-off-by: Vlastimil Babka \u003cvbabka@suse.cz\u003e\nCc: Minchan Kim \u003cminchan@kernel.org\u003e\nCc: Mel Gorman \u003cmgorman@suse.de\u003e\nAcked-by: Joonsoo Kim \u003ciamjoonsoo.kim@lge.com\u003e\nAcked-by: Michal Nazarewicz \u003cmina86@mina86.com\u003e\nCc: Naoya Horiguchi \u003cn-horiguchi@ah.jp.nec.com\u003e\nCc: Christoph Lameter \u003ccl@linux.com\u003e\nCc: Rik van Riel \u003criel@redhat.com\u003e\nCc: David Rientjes \u003crientjes@google.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmm, compaction: abort free scanner if split fails\n\n[ Upstream commit 284f69fb49e2e385203f52441b324b9a68461d6b ]\n\n[ Upstream commit a4f04f2c6955aff5e2c08dcb40aca247ff4d7370 ]\n\nIf the memory compaction free scanner cannot successfully split a free\npage (only possible due to per-zone low watermark), terminate the free\nscanner rather than continuing to scan memory needlessly.  If the\nwatermark is insufficient for a free page of order \u003c\u003d cc-\u003eorder, then\nterminate the scanner since all future splits will also likely fail.\n\nThis prevents the compaction freeing scanner from scanning all memory on\nvery large zones (very noticeable for zones \u003e 128GB, for instance) when\nall splits will likely fail while holding zone-\u003elock.\n\ncompaction_alloc() iterating a 128GB zone has been benchmarked to take\nover 400ms on some systems whereas any free page isolated and ready to\nbe split ends up failing in split_free_page() because of the low\nwatermark check and thus the iteration continues.\n\nThe next time compaction occurs, the freeing scanner will likely start\nat the end of the zone again since no success was made previously and we\nget the same lengthy iteration until the zone is brought above the low\nwatermark.  All thp page faults can take \u003e400ms in such a state without\nthis fix.\n\nLink: http://lkml.kernel.org/r/alpine.DEB.2.10.1606211820350.97086@chino.kir.corp.google.com\nSigned-off-by: David Rientjes \u003crientjes@google.com\u003e\nAcked-by: Vlastimil Babka \u003cvbabka@suse.cz\u003e\nCc: Minchan Kim \u003cminchan@kernel.org\u003e\nCc: Joonsoo Kim \u003ciamjoonsoo.kim@lge.com\u003e\nCc: Mel Gorman \u003cmgorman@techsingularity.net\u003e\nCc: Hugh Dickins \u003chughd@google.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nfs/nilfs2: fix potential underflow in call to crc32_le\n\n[ Upstream commit 63d2f95d63396059200c391ca87161897b99e74a ]\n\nThe value `bytes\u0027 comes from the filesystem which is about to be\nmounted.  We cannot trust that the value is always in the range we\nexpect it to be.\n\nCheck its value before using it to calculate the length for the crc32_le\ncall.  It value must be larger (or equal) sumoff + 4.\n\nThis fixes a kernel bug when accidentially mounting an image file which\nhad the nilfs2 magic value 0x3434 at the right offset 0x406 by chance.\nThe bytes 0x01 0x00 were stored at 0x408 and were interpreted as a\ns_bytes value of 1.  This caused an underflow when substracting sumoff +\n4 (20) in the call to crc32_le.\n\n  BUG: unable to handle kernel paging request at ffff88021e600000\n  IP:  crc32_le+0x36/0x100\n  ...\n  Call Trace:\n    nilfs_valid_sb.part.5+0x52/0x60 [nilfs2]\n    nilfs_load_super_block+0x142/0x300 [nilfs2]\n    init_nilfs+0x60/0x390 [nilfs2]\n    nilfs_mount+0x302/0x520 [nilfs2]\n    mount_fs+0x38/0x160\n    vfs_kern_mount+0x67/0x110\n    do_mount+0x269/0xe00\n    SyS_mount+0x9f/0x100\n    entry_SYSCALL_64_fastpath+0x16/0x71\n\nLink: http://lkml.kernel.org/r/1466778587-5184-2-git-send-email-konishi.ryusuke@lab.ntt.co.jp\nSigned-off-by: Torsten Hilbrich \u003ctorsten.hilbrich@secunet.com\u003e\nTested-by: Torsten Hilbrich \u003ctorsten.hilbrich@secunet.com\u003e\nSigned-off-by: Ryusuke Konishi \u003ckonishi.ryusuke@lab.ntt.co.jp\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\npowerpc/tm: Always reclaim in start_thread() for exec() class syscalls\n\n[ Upstream commit 8e96a87c5431c256feb65bcfc5aec92d9f7839b6 ]\n\nUserspace can quite legitimately perform an exec() syscall with a\nsuspended transaction. exec() does not return to the old process, rather\nit load a new one and starts that, the expectation therefore is that the\nnew process starts not in a transaction. Currently exec() is not treated\nany differently to any other syscall which creates problems.\n\nFirstly it could allow a new process to start with a suspended\ntransaction for a binary that no longer exists. This means that the\ncheckpointed state won\u0027t be valid and if the suspended transaction were\never to be resumed and subsequently aborted (a possibility which is\nexceedingly likely as exec()ing will likely doom the transaction) the\nnew process will jump to invalid state.\n\nSecondly the incorrect attempt to keep the transactional state while\nstill zeroing state for the new process creates at least two TM Bad\nThings. The first triggers on the rfid to return to userspace as\nstart_thread() has given the new process a \u0027clean\u0027 MSR but the suspend\nwill still be set in the hardware MSR. The second TM Bad Thing triggers\nin __switch_to() as the processor is still transactionally suspended but\n__switch_to() wants to zero the TM sprs for the new process.\n\nThis is an example of the outcome of calling exec() with a suspended\ntransaction. Note the first 700 is likely the first TM bad thing\ndecsribed earlier only the kernel can\u0027t report it as we\u0027ve loaded\nuserspace registers. c000000000009980 is the rfid in\nfast_exception_return()\n\n  Bad kernel stack pointer 3fffcfa1a370 at c000000000009980\n  Oops: Bad kernel stack pointer, sig: 6 [#1]\n  CPU: 0 PID: 2006 Comm: tm-execed Not tainted\n  NIP: c000000000009980 LR: 0000000000000000 CTR: 0000000000000000\n  REGS: c00000003ffefd40 TRAP: 0700   Not tainted\n  MSR: 8000000300201031 \u003cSF,ME,IR,DR,LE,TM[SE]\u003e  CR: 00000000  XER: 00000000\n  CFAR: c0000000000098b4 SOFTE: 0\n  PACATMSCRATCH: b00000010000d033\n  GPR00: 0000000000000000 00003fffcfa1a370 0000000000000000 0000000000000000\n  GPR04: 0000000000000000 0000000000000000 0000000000000000 0000000000000000\n  GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000\n  GPR12: 00003fff966611c0 0000000000000000 0000000000000000 0000000000000000\n  NIP [c000000000009980] fast_exception_return+0xb0/0xb8\n  LR [0000000000000000]           (null)\n  Call Trace:\n  Instruction dump:\n  f84d0278 e9a100d8 7c7b03a6 e84101a0 7c4ff120 e8410170 7c5a03a6 e8010070\n  e8410080 e8610088 e8810090 e8210078 \u003c4c000024\u003e 48000000 e8610178 88ed023b\n\n  Kernel BUG at c000000000043e80 [verbose debug info unavailable]\n  Unexpected TM Bad Thing exception at c000000000043e80 (msr 0x201033)\n  Oops: Unrecoverable exception, sig: 6 [#2]\n  CPU: 0 PID: 2006 Comm: tm-execed Tainted: G      D\n  task: c0000000fbea6d80 ti: c00000003ffec000 task.ti: c0000000fb7ec000\n  NIP: c000000000043e80 LR: c000000000015a24 CTR: 0000000000000000\n  REGS: c00000003ffef7e0 TRAP: 0700   Tainted: G      D\n  MSR: 8000000300201033 \u003cSF,ME,IR,DR,RI,LE,TM[SE]\u003e  CR: 28002828  XER: 00000000\n  CFAR: c000000000015a20 SOFTE: 0\n  PACATMSCRATCH: b00000010000d033\n  GPR00: 0000000000000000 c00000003ffefa60 c000000000db5500 c0000000fbead000\n  GPR04: 8000000300001033 2222222222222222 2222222222222222 00000000ff160000\n  GPR08: 0000000000000000 800000010000d033 c0000000fb7e3ea0 c00000000fe00004\n  GPR12: 0000000000002200 c00000000fe00000 0000000000000000 0000000000000000\n  GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000\n  GPR20: 0000000000000000 0000000000000000 c0000000fbea7410 00000000ff160000\n  GPR24: c0000000ffe1f600 c0000000fbea8700 c0000000fbea8700 c0000000fbead000\n  GPR28: c000000000e20198 c0000000fbea6d80 c0000000fbeab680 c0000000fbea6d80\n  NIP [c000000000043e80] tm_restore_sprs+0xc/0x1c\n  LR [c000000000015a24] __switch_to+0x1f4/0x420\n  Call Trace:\n  Instruction dump:\n  7c800164 4e800020 7c0022a6 f80304a8 7c0222a6 f80304b0 7c0122a6 f80304b8\n  4e800020 e80304a8 7c0023a6 e80304b0 \u003c7c0223a6\u003e e80304b8 7c0123a6 4e800020\n\nThis fixes CVE-2016-5828.\n\nFixes: bc2a9408fa65 (\"powerpc: Hook in new transactional memory code\")\nCc: stable@vger.kernel.org # v3.9+\nSigned-off-by: Cyril Bur \u003ccyrilbur@gmail.com\u003e\nSigned-off-by: Michael Ellerman \u003cmpe@ellerman.id.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nKVM: arm/arm64: Stop leaking vcpu pid references\n\n[ Upstream commit 591d215afcc2f94e8e2c69a63c924c044677eb31 ]\n\nkvm provides kvm_vcpu_uninit(), which amongst other things, releases the\nlast reference to the struct pid of the task that was last running the vcpu.\n\nOn arm64 built with CONFIG_DEBUG_KMEMLEAK, starting a guest with kvmtool,\nthen killing it with SIGKILL results (after some considerable time) in:\n\u003e cat /sys/kernel/debug/kmemleak\n\u003e unreferenced object 0xffff80007d5ea080 (size 128):\n\u003e  comm \"lkvm\", pid 2025, jiffies 4294942645 (age 1107.776s)\n\u003e  hex dump (first 32 bytes):\n\u003e    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n\u003e    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n\u003e  backtrace:\n\u003e    [\u003cffff8000001b30ec\u003e] create_object+0xfc/0x278\n\u003e    [\u003cffff80000071da34\u003e] kmemleak_alloc+0x34/0x70\n\u003e    [\u003cffff80000019fa2c\u003e] kmem_cache_alloc+0x16c/0x1d8\n\u003e    [\u003cffff8000000d0474\u003e] alloc_pid+0x34/0x4d0\n\u003e    [\u003cffff8000000b5674\u003e] copy_process.isra.6+0x79c/0x1338\n\u003e    [\u003cffff8000000b633c\u003e] _do_fork+0x74/0x320\n\u003e    [\u003cffff8000000b66b0\u003e] SyS_clone+0x18/0x20\n\u003e    [\u003cffff800000085cb0\u003e] el0_svc_naked+0x24/0x28\n\u003e    [\u003cffffffffffffffff\u003e] 0xffffffffffffffff\n\nOn x86 kvm_vcpu_uninit() is called on the path from kvm_arch_destroy_vm(),\non arm no equivalent call is made. Add the call to kvm_arch_vcpu_free().\n\nSigned-off-by: James Morse \u003cjames.morse@arm.com\u003e\nFixes: 749cf76c5a36 (\"KVM: ARM: Initial skeleton to compile KVM support\")\nCc: \u003cstable@vger.kernel.org\u003e # 3.10+\nAcked-by: Marc Zyngier \u003cmarc.zyngier@arm.com\u003e\nSigned-off-by: Christoffer Dall \u003cchristoffer.dall@linaro.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmake nfs_atomic_open() call d_drop() on all -\u003eopen_context() errors.\n\n[ Upstream commit d20cb71dbf3487f24549ede1a8e2d67579b4632e ]\n\nIn \"NFSv4: Move dentry instantiation into the NFSv4-specific atomic open code\"\nunconditional d_drop() after the -\u003eopen_context() had been removed.  It had\nbeen correct for success cases (there -\u003eopen_context() itself had been doing\ndcache manipulations), but not for error ones.  Only one of those (ENOENT)\ngot a compensatory d_drop() added in that commit, but in fact it should\u0027ve\nbeen done for all errors.  As it is, the case of O_CREAT non-exclusive open\non a hashed negative dentry racing with e.g. symlink creation from another\nclient ended up with -\u003eopen_context() getting an error and proceeding to\ncall nfs_lookup().  On a hashed dentry, which would\u0027ve instantly triggered\nBUG_ON() in d_materialise_unique() (or, these days, its equivalent in\nd_splice_alias()).\n\nCc: stable@vger.kernel.org # v3.10+\nTested-by: Oleg Drokin \u003cgreen@linuxhacker.ru\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Trond Myklebust \u003ctrond.myklebust@primarydata.com\u003e\nSigned-off-by: Anna Schumaker \u003cAnna.Schumaker@Netapp.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUSB: don\u0027t free bandwidth_mutex too early\n(removed our own check of the hcd that was added in lg powercore)\n[ Upstream commit ab2a4bf83902c170d29ba130a8abb5f9d90559e1 ]\n\nThe USB core contains a bug that can show up when a USB-3 host\ncontroller is removed.  If the primary (USB-2) hcd structure is\nreleased before the shared (USB-3) hcd, the core will try to do a\ndouble-free of the common bandwidth_mutex.\n\nThe problem was described in graphical form by Chung-Geol Kim, who\nfirst reported it:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n     At *remove USB(3.0) Storage\n     sequence \u003c1\u003e --\u003e \u003c5\u003e ((Problem Case))\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n                                  VOLD\n------------------------------------|------------\n                                 (uevent)\n                            ________|_________\n                           |\u003c1\u003e               |\n                           |dwc3_otg_sm_work  |\n                           |usb_put_hcd       |\n                           |peer_hcd(kref\u003d2)|\n                           |__________________|\n                            ________|_________\n                           |\u003c2\u003e               |\n                           |New USB BUS #2    |\n                           |                  |\n                           |peer_hcd(kref\u003d1)  |\n                           |                  |\n                         --(Link)-bandXX_mutex|\n                         | |__________________|\n                         |\n    ___________________  |\n   |\u003c3\u003e                | |\n   |dwc3_otg_sm_work   | |\n   |usb_put_hcd        | |\n   |primary_hcd(kref\u003d1)| |\n   |___________________| |\n    _________|_________  |\n   |\u003c4\u003e                | |\n   |New USB BUS #1     | |\n   |hcd_release        | |\n   |primary_hcd(kref\u003d0)| |\n   |                   | |\n   |bandXX_mutex(free) |\u003c-\n   |___________________|\n                               (( VOLD ))\n                            ______|___________\n                           |\u003c5\u003e               |\n                           |      SCSI        |\n                           |usb_put_hcd       |\n                           |peer_hcd(kref\u003d0)  |\n                           |*hcd_release      |\n                           |bandXX_mutex(free*)|\u003c- double free\n                           |__________________|\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nThis happens because hcd_release() frees the bandwidth_mutex whenever\nit sees a primary hcd being released (which is not a very good idea\nin any case), but in the course of releasing the primary hcd, it\nchanges the pointers in the shared hcd in such a way that the shared\nhcd will appear to be primary when it gets released.\n\nThis patch fixes the problem by changing hcd_release() so that it\ndeallocates the bandwidth_mutex only when the _last_ hcd structure\nreferencing it is released.  The patch also removes an unnecessary\ntest, so that when an hcd is released, both the shared_hcd and\nprimary_hcd pointers in the hcd\u0027s peer will be cleared.\n\nSigned-off-by: Alan Stern \u003cstern@rowland.harvard.edu\u003e\nReported-by: Chung-Geol Kim \u003cchunggeol.kim@samsung.com\u003e\nTested-by: Chung-Geol Kim \u003cchunggeol.kim@samsung.com\u003e\nCC: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nARC: unwind: ensure that .debug_frame is generated (vs. .eh_frame)\n\n[ Upstream commit f52e126cc7476196f44f3c313b7d9f0699a881fc ]\n\nWith recent binutils update to support dwarf CFI pseudo-ops in gas, we\nnow get .eh_frame vs. .debug_frame. Although the call frame info is\nexactly the same in both, the CIE differs, which the current kernel\nunwinder can\u0027t cope with.\n\nThis broke both the kernel unwinder as well as loadable modules (latter\nbecause of a new unhandled relo R_ARC_32_PCREL from .rela.eh_frame in\nthe module loader)\n\nThe ideal solution would be to switch unwinder to .eh_frame.\nFor now however we can make do by just ensureing .debug_frame is\ngenerated by removing -fasynchronous-unwind-tables\n\n .eh_frame    generated with -gdwarf-2 -fasynchronous-unwind-tables\n .debug_frame generated with -gdwarf-2\n\nFixes STAR 9001058196\n\nCc: stable@vger.kernel.org\nSigned-off-by: Vineet Gupta \u003cvgupta@synopsys.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\narc: unwind: warn only once if DW2_UNWIND is disabled\n\n[ Upstream commit 9bd54517ee86cb164c734f72ea95aeba4804f10b ]\n\nIf CONFIG_ARC_DW2_UNWIND is disabled every time arc_unwind_core()\ngets called following message gets printed in debug console:\n-----------------\u003e8---------------\nCONFIG_ARC_DW2_UNWIND needs to be enabled\n-----------------\u003e8---------------\n\nThat message makes sense if user indeed wants to see a backtrace or\nget nice function call-graphs in perf but what if user disabled\nunwinder for the purpose? Why pollute his debug console?\n\nSo instead we\u0027ll warn user about possibly missing feature once and\nlet him decide if that was what he or she really wanted.\n\nSigned-off-by: Alexey Brodkin \u003cabrodkin@synopsys.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Vineet Gupta \u003cvgupta@synopsys.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nRevert \"s390/kdump: Clear subchannel ID to signal non-CCW/SCSI IPL\"\n\n[ Upstream commit 5419447e2142d6ed68c9f5c1a28630b3a290a845 ]\n\nThis reverts commit 852ffd0f4e23248b47531058e531066a988434b5.\n\nThere are use cases where an intermediate boot kernel (1) uses kexec\nto boot the final production kernel (2). For this scenario we should\nprovide the original boot information to the production kernel (2).\nTherefore clearing the boot information during kexec() should not\nbe done.\n\nCc: stable@vger.kernel.org # v3.17+\nReported-by: Steffen Maier \u003cmaier@linux.vnet.ibm.com\u003e\nSigned-off-by: Michael Holzheu \u003cholzheu@linux.vnet.ibm.com\u003e\nReviewed-by: Heiko Carstens \u003cheiko.carstens@de.ibm.com\u003e\nSigned-off-by: Martin Schwidefsky \u003cschwidefsky@de.ibm.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nNFS: Fix another OPEN_DOWNGRADE bug\n\n[ Upstream commit e547f2628327fec6afd2e03b46f113f614cca05b ]\n\nOlga Kornievskaia reports that the following test fails to trigger\nan OPEN_DOWNGRADE on the wire, and only triggers the final CLOSE.\n\n\tfd0 \u003d open(foo, RDRW)   -- should be open on the wire for \"both\"\n\tfd1 \u003d open(foo, RDONLY)  -- should be open on the wire for \"read\"\n\tclose(fd0) -- should trigger an open_downgrade\n\tread(fd1)\n\tclose(fd1)\n\nThe issue is that we\u0027re missing a check for whether or not the current\nstate transitioned from an O_RDWR state as opposed to having transitioned\nfrom a combination of O_RDONLY and O_WRONLY.\n\nReported-by: Olga Kornievskaia \u003caglo@umich.edu\u003e\nFixes: cd9288ffaea4 (\"NFSv4: Fix another bug in the close/open_downgrade code\")\nCc: stable@vger.kernel.org # 2.6.33+\nSigned-off-by: Trond Myklebust \u003ctrond.myklebust@primarydata.com\u003e\nSigned-off-by: Anna Schumaker \u003cAnna.Schumaker@Netapp.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnamespace: update event counter when umounting a deleted dentry\n\n[ Upstream commit e06b933e6ded42384164d28a2060b7f89243b895 ]\n\n- m_start() in fs/namespace.c expects that ns-\u003eevent is incremented each\n  time a mount added or removed from ns-\u003elist.\n- umount_tree() removes items from the list but does not increment event\n  counter, expecting that it\u0027s done before the function is called.\n- There are some codepaths that call umount_tree() without updating\n  \"event\" counter. e.g. from __detach_mounts().\n- When this happens m_start may reuse a cached mount structure that no\n  longer belongs to ns-\u003elist (i.e. use after free which usually leads\n  to infinite loop).\n\nThis change fixes the above problem by incrementing global event counter\nbefore invoking umount_tree().\n\nCc: stable@vger.kernel.org\nSigned-off-by: Andrey Ulanov \u003candreyu@google.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nlocks: use file_inode()\n\n[ Upstream commit 6343a2120862f7023006c8091ad95c1f16a32077 ]\n\n(Another one for the f_path debacle.)\n\nltp fcntl33 testcase caused an Oops in selinux_file_send_sigiotask.\n\nThe reason is that generic_add_lease() used filp-\u003ef_path.dentry-\u003einode\nwhile all the others use file_inode().  This makes a difference for files\nopened on overlayfs since the former will point to the overlay inode the\nlatter to the underlying inode.\n\nSo generic_add_lease() added the lease to the overlay inode and\ngeneric_delete_lease() removed it from the underlying inode.  When the file\nwas released the lease remained on the overlay inode\u0027s lock list, resulting\nin use after free.\n\nReported-by: Eryu Guan \u003ceguan@redhat.com\u003e\nFixes: 4bacc9c9234c (\"overlayfs: Make f_path always point to the overlay and f_inode to the underlay\")\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Miklos Szeredi \u003cmszeredi@redhat.com\u003e\nReviewed-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nSigned-off-by: J. Bruce Fields \u003cbfields@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nPCI: Move domain assignment from arm64 to generic code\n\n[ Upstream commit 7c674700098c87b305b99652e3c694c4ef195866 ]\n\nThe current logic in arm64 pci_bus_assign_domain_nr() is flawed in that\ndepending on the host controller configuration for a platform and the\ninitialization sequence, core code may end up allocating PCI domain numbers\nfrom both DT and the generic domain counter, which would result in PCI\ndomain allocation aliases/errors.\n\nFix the logic behind the PCI domain number assignment and move the\nresulting code to the PCI core so the same domain allocation logic is used\non all platforms that select CONFIG_PCI_DOMAINS_GENERIC.\n\n[bhelgaas: tidy changelog]\nSigned-off-by: Lorenzo Pieralisi \u003clorenzo.pieralisi@arm.com\u003e\nSigned-off-by: Bjorn Helgaas \u003cbhelgaas@google.com\u003e\nAcked-by: Liviu Dudau \u003cLiviu.Dudau@arm.com\u003e\nAcked-by: Arnd Bergmann \u003carnd@arndb.de\u003e\nCC: Rob Herring \u003crobh+dt@kernel.org\u003e\nCC: Catalin Marinas \u003ccatalin.marinas@arm.com\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nPCI: Allow a NULL \"parent\" pointer in pci_bus_assign_domain_nr()\n\n[ Upstream commit 54c6e2dd00c313d0add58e5befe62fe6f286d03b ]\n\npci_create_root_bus() passes a \"parent\" pointer to\npci_bus_assign_domain_nr().  When CONFIG_PCI_DOMAINS_GENERIC is defined,\npci_bus_assign_domain_nr() dereferences that pointer.  Many callers of\npci_create_root_bus() supply a NULL \"parent\" pointer, which leads to a NULL\npointer dereference error.\n\n7c674700098c (\"PCI: Move domain assignment from arm64 to generic code\")\nmoved the \"parent\" dereference from arm64 to generic code.  Only arm64 used\nthat code (because only arm64 defined CONFIG_PCI_DOMAINS_GENERIC), and it\nalways supplied a valid \"parent\" pointer.  Other arches supplied NULL\n\"parent\" pointers but didn\u0027t defined CONFIG_PCI_DOMAINS_GENERIC, so they\nused a no-op version of pci_bus_assign_domain_nr().\n\n8c7d14746abc (\"ARM/PCI: Move to generic PCI domains\") defined\nCONFIG_PCI_DOMAINS_GENERIC on ARM, and many ARM platforms use\npci_common_init(), which supplies a NULL \"parent\" pointer.\nThese platforms (cns3xxx, dove, footbridge, iop13xx, etc.) crash\nwith a NULL pointer dereference like this while probing PCI:\n\n  Unable to handle kernel NULL pointer dereference at virtual address 000000a4\n  PC is at pci_bus_assign_domain_nr+0x10/0x84\n  LR is at pci_create_root_bus+0x48/0x2e4\n  Kernel panic - not syncing: Attempted to kill init!\n\n[bhelgaas: changelog, add \"Reported:\" and \"Fixes:\" tags]\nReported: http://forum.doozan.com/read.php?2,17868,22070,quote\u003d1\nFixes: 8c7d14746abc (\"ARM/PCI: Move to generic PCI domains\")\nFixes: 7c674700098c (\"PCI: Move domain assignment from arm64 to generic code\")\nSigned-off-by: Krzysztof Hałasa \u003ckhalasa@piap.pl\u003e\nSigned-off-by: Bjorn Helgaas \u003cbhelgaas@google.com\u003e\nAcked-by: Lorenzo Pieralisi \u003clorenzo.pieralisi@arm.com\u003e\nCC: stable@vger.kernel.org\t# v4.0+\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nASoC: samsung: pass DMA channels as pointers\n\n[ Upstream commit b9a1a743818ea3265abf98f9431623afa8c50c86 ]\n\nARM64 allmodconfig produces a bunch of warnings when building the\nsamsung ASoC code:\n\nsound/soc/samsung/dmaengine.c: In function \u0027samsung_asoc_init_dma_data\u0027:\nsound/soc/samsung/dmaengine.c:53:32: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]\n   playback_data-\u003efilter_data \u003d (void *)playback-\u003echannel;\nsound/soc/samsung/dmaengine.c:60:31: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]\n   capture_data-\u003efilter_data \u003d (void *)capture-\u003echannel;\n\nWe could easily shut up the warning by adding an intermediate cast,\nbut there is a bigger underlying problem: The use of IORESOURCE_DMA\nto pass data from platform code to device drivers is dubious to start\nwith, as what we really want is a pointer that can be passed into\na filter function.\n\nNote that on s3c64xx, the pl08x DMA data is already a pointer, but\ngets cast to resource_size_t so we can pass it as a resource, and it\nthen gets converted back to a pointer. In contrast, the data we pass\nfor s3c24xx is an index into a device specific table, and we artificially\nconvert that into a pointer for the filter function.\n\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\nReviewed-by: Krzysztof Kozlowski \u003ck.kozlowski@samsung.com\u003e\nSigned-off-by: Mark Brown \u003cbroonie@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nHID: logitech: fix Dual Action gamepad support\n\n[ Upstream commit 5d74325a2201376a95520a4a38a1ce2c65761c49 ]\n\nThe patch that added Logitech Dual Action gamepad support forgot to\nupdate the special driver list for the device. This caused the logitech\ndriver not to probe unless kernel module load order was favorable.\nUpdate the special driver list to fix it. Thanks to Simon Wood for the\nidea.\n\nCc: Vitaly Katraew \u003czawullon@gmail.com\u003e\nFixes: 56d0c8b7c8fb (\"HID: add support for Logitech Dual Action gamepads\")\nSigned-off-by: Grazvydas Ignotas \u003cnotasas@gmail.com\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.cz\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\n8250: use callbacks to access UART_DLL/UART_DLM\n\n[ Upstream commit 0b41ce991052022c030fd868e03877700220b090 ]\n\nSome UART HW has a single register combining UART_DLL/UART_DLM\n(this was probably forgotten in the change that introduced the\ncallbacks, commit b32b19b8ffc05cbd3bf91c65e205f6a912ca15d9)\n\nFixes: b32b19b8ffc0 (\"[SERIAL] 8250: set divisor register correctly ...\")\n\nSigned-off-by: Sebastian Frias \u003csf84@laposte.net\u003e\nReviewed-by: Peter Hurley \u003cpeter@hurleysoftware.com\u003e\nCc: stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmtip32xx: Fix for rmmod crash when drive is in FTL rebuild\n\n[ Upstream commit 59cf70e236c96594d9f1e065755d8fce9df5356b ]\n\nWhen FTL rebuild is in progress, alloc_disk() initializes the disk\nbut device node will be created by add_disk() only after successful\ncompletion of FTL rebuild. So, skip deletion of device node in\nremoval path when FTL rebuild is in progress.\n\nSigned-off-by: Selvan Mani \u003csmani@micron.com\u003e\nSigned-off-by: Asai Thambi S P \u003casamymuthupa@micron.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Jens Axboe \u003caxboe@fb.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmtip32xx: Fix broken service thread handling\n\n[ Upstream commit cfc05bd31384c4898bf2437a4de5557f3cf9803a ]\n\nService thread does not detect the need for taskfile error hanlding. Fixed the\nflag condition to process taskfile error.\n\nSigned-off-by: Selvan Mani \u003csmani@micron.com\u003e\nSigned-off-by: Asai Thambi S P \u003casamymuthupa@micron.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Jens Axboe \u003caxboe@fb.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nhwmon: (max1111) Return -ENODEV from max1111_read_channel if not instantiated\n\n[ Upstream commit 3c2e2266a5bd2d1cef258e6e54dca1d99946379f ]\n\narm:pxa_defconfig can result in the following crash if the max1111 driver\nis not instantiated.\n\nUnhandled fault: page domain fault (0x01b) at 0x00000000\npgd \u003d c0004000\n[00000000] *pgd\u003d00000000\nInternal error: : 1b [#1] PREEMPT ARM\nModules linked in:\nCPU: 0 PID: 300 Comm: kworker/0:1 Not tainted 4.5.0-01301-g1701f680407c #10\nHardware name: SHARP Akita\nWorkqueue: events sharpsl_charge_toggle\ntask: c390a000 ti: c391e000 task.ti: c391e000\nPC is at max1111_read_channel+0x20/0x30\nLR is at sharpsl_pm_pxa_read_max1111+0x2c/0x3c\npc : [\u003cc03aaab0\u003e]    lr : [\u003cc0024b50\u003e]    psr: 20000013\n...\n[\u003cc03aaab0\u003e] (max1111_read_channel) from [\u003cc0024b50\u003e]\n\t\t\t\t\t(sharpsl_pm_pxa_read_max1111+0x2c/0x3c)\n[\u003cc0024b50\u003e] (sharpsl_pm_pxa_read_max1111) from [\u003cc00262e0\u003e]\n\t\t\t\t\t(spitzpm_read_devdata+0x5c/0xc4)\n[\u003cc00262e0\u003e] (spitzpm_read_devdata) from [\u003cc0024094\u003e]\n\t\t\t\t\t(sharpsl_check_battery_temp+0x78/0x110)\n[\u003cc0024094\u003e] (sharpsl_check_battery_temp) from [\u003cc0024f9c\u003e]\n\t\t\t\t\t(sharpsl_charge_toggle+0x48/0x110)\n[\u003cc0024f9c\u003e] (sharpsl_charge_toggle) from [\u003cc004429c\u003e]\n\t\t\t\t\t(process_one_work+0x14c/0x48c)\n[\u003cc004429c\u003e] (process_one_work) from [\u003cc0044618\u003e] (worker_thread+0x3c/0x5d4)\n[\u003cc0044618\u003e] (worker_thread) from [\u003cc004a238\u003e] (kthread+0xd0/0xec)\n[\u003cc004a238\u003e] (kthread) from [\u003cc000a670\u003e] (ret_from_fork+0x14/0x24)\n\nThis can occur because the SPI controller driver (SPI_PXA2XX) is built as\nmodule and thus not necessarily loaded. While building SPI_PXA2XX into the\nkernel would make the problem disappear, it appears prudent to ensure that\nthe driver is instantiated before accessing its data structures.\n\nCc: Arnd Bergmann \u003carnd@arndb.de\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Guenter Roeck \u003clinux@roeck-us.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nPKCS#7: pkcs7_validate_trust(): initialize the _trusted output argument\n\n[ Upstream commit e54358915d0a00399c11c2c23ae1be674cba188a ]\n\nDespite what the DocBook comment to pkcs7_validate_trust() says, the\n*_trusted argument is never set to false.\n\npkcs7_validate_trust() only positively sets *_trusted upon encountering\na trusted PKCS#7 SignedInfo block.\n\nThis is quite unfortunate since its callers, system_verify_data() for\nexample, depend on pkcs7_validate_trust() clearing *_trusted on non-trust.\n\nIndeed, UBSAN splats when attempting to load the uninitialized local\nvariable \u0027trusted\u0027 from system_verify_data() in pkcs7_validate_trust():\n\n  UBSAN: Undefined behaviour in crypto/asymmetric_keys/pkcs7_trust.c:194:14\n  load of value 82 is not a valid value for type \u0027_Bool\u0027\n  [...]\n  Call Trace:\n    [\u003cffffffff818c4d35\u003e] dump_stack+0xbc/0x117\n    [\u003cffffffff818c4c79\u003e] ? _atomic_dec_and_lock+0x169/0x169\n    [\u003cffffffff8194113b\u003e] ubsan_epilogue+0xd/0x4e\n    [\u003cffffffff819419fa\u003e] __ubsan_handle_load_invalid_value+0x111/0x158\n    [\u003cffffffff819418e9\u003e] ? val_to_string.constprop.12+0xcf/0xcf\n    [\u003cffffffff818334a4\u003e] ? x509_request_asymmetric_key+0x114/0x370\n    [\u003cffffffff814b83f0\u003e] ? kfree+0x220/0x370\n    [\u003cffffffff818312c2\u003e] ? public_key_verify_signature_2+0x32/0x50\n    [\u003cffffffff81835e04\u003e] pkcs7_validate_trust+0x524/0x5f0\n    [\u003cffffffff813c391a\u003e] system_verify_data+0xca/0x170\n    [\u003cffffffff813c3850\u003e] ? top_trace_array+0x9b/0x9b\n    [\u003cffffffff81510b29\u003e] ? __vfs_read+0x279/0x3d0\n    [\u003cffffffff8129372f\u003e] mod_verify_sig+0x1ff/0x290\n    [...]\n\nThe implication is that pkcs7_validate_trust() effectively grants trust\nwhen it really shouldn\u0027t have.\n\nFix this by explicitly setting *_trusted to false at the very beginning\nof pkcs7_validate_trust().\n\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Nicolai Stange \u003cnicstange@gmail.com\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nALSA: timer: Use mod_timer() for rearming the system timer\n\n[ Upstream commit 4a07083ed613644c96c34a7dd2853dc5d7c70902 ]\n\nALSA system timer backend stops the timer via del_timer() without sync\nand leaves del_timer_sync() at the close instead.  This is because of\nthe restriction by the design of ALSA timer: namely, the stop callback\nmay be called from the timer handler, and calling the sync shall lead\nto a hangup.  However, this also triggers a kernel BUG() when the\ntimer is rearmed immediately after stopping without sync:\n kernel BUG at kernel/time/timer.c:966!\n Call Trace:\n  \u003cIRQ\u003e\n  [\u003cffffffff8239c94e\u003e] snd_timer_s_start+0x13e/0x1a0\n  [\u003cffffffff8239e1f4\u003e] snd_timer_interrupt+0x504/0xec0\n  [\u003cffffffff8122fca0\u003e] ? debug_check_no_locks_freed+0x290/0x290\n  [\u003cffffffff8239ec64\u003e] snd_timer_s_function+0xb4/0x120\n  [\u003cffffffff81296b72\u003e] call_timer_fn+0x162/0x520\n  [\u003cffffffff81296add\u003e] ? call_timer_fn+0xcd/0x520\n  [\u003cffffffff8239ebb0\u003e] ? snd_timer_interrupt+0xec0/0xec0\n  ....\n\nIt\u0027s the place where add_timer() checks the pending timer.  It\u0027s clear\nthat this may happen after the immediate restart without sync in our\ncases.\n\nSo, the workaround here is just to use mod_timer() instead of\nadd_timer().  This looks like a band-aid fix, but it\u0027s a right move,\nas snd_timer_interrupt() takes care of the continuous rearm of timer.\n\nReported-by: Jiri Slaby \u003cjslaby@suse.cz\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmm: fix invalid node in alloc_migrate_target()\n\n[ Upstream commit 6f25a14a7053b69917e2ebea0d31dd444cd31fd5 ]\n\nIt is incorrect to use next_node to find a target node, it will return\nMAX_NUMNODES or invalid node.  This will lead to crash in buddy system\nallocation.\n\nFixes: c8721bbbdd36 (\"mm: memory-hotplug: enable memory hotplug to handle hugepage\")\nSigned-off-by: Xishi Qiu \u003cqiuxishi@huawei.com\u003e\nAcked-by: Vlastimil Babka \u003cvbabka@suse.cz\u003e\nAcked-by: Naoya Horiguchi \u003cn-horiguchi@ah.jp.nec.com\u003e\nCc: Joonsoo Kim \u003cjs1304@gmail.com\u003e\nCc: David Rientjes \u003crientjes@google.com\u003e\nCc: \"Laura Abbott\" \u003clauraa@codeaurora.org\u003e\nCc: Hui Zhu \u003czhuhui@xiaomi.com\u003e\nCc: Wang Xiaoqiang \u003cwangxq10@lzu.edu.cn\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/udl: Use unlocked gem unreferencing\n\n[ Upstream commit 72b9ff0612ad8fc969b910cd00ac16b57a1a9ba4 ]\n\nFor drm_gem_object_unreference callers are required to hold\ndev-\u003estruct_mutex, which these paths don\u0027t. Enforcing this requirement\nhas become a bit more strict with\n\ncommit ef4c6270bf2867e2f8032e9614d1a8cfc6c71663\nAuthor: Daniel Vetter \u003cdaniel.vetter@ffwll.ch\u003e\nDate:   Thu Oct 15 09:36:25 2015 +0200\n\n    drm/gem: Check locking in drm_gem_object_unreference\n\nCc: stable@vger.kernel.org\nSigned-off-by: Daniel Vetter \u003cdaniel.vetter@intel.com\u003e\nSigned-off-by: Dave Airlie \u003cairlied@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/radeon: add a dpm quirk for sapphire Dual-X R7 370 2G D5\n\n[ Upstream commit f971f2263deaa4a441e377b385c11aee0f3b3f9a ]\n\nbug:\nhttps://bugs.freedesktop.org/show_bug.cgi?id\u003d94692\n\nSigned-off-by: Alex Deucher \u003calexander.deucher@amd.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/radeon: add a dpm quirk for all R7 370 parts\n\n[ Upstream commit 0e5585dc870af947fab2af96a88c2d8b4270247c ]\n\nHigher mclk values are not stable due to a bug somewhere.\nLimit them for now.\n\nSigned-off-by: Alex Deucher \u003calexander.deucher@amd.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ntcp: convert cached rtt from usec to jiffies when feeding initial rto\n\n[ Upstream commit 9bdfb3b79e61c60e1a3e2dc05ad164528afa6b8a ]\n\nCurrently it\u0027s converted into msecs, thus HZ\u003d1000 intact.\n\nSigned-off-by: Konstantin Khlebnikov \u003ckhlebnikov@yandex-team.ru\u003e\nFixes: 740b0f1841f6 (\"tcp: switch rtt estimations to usec resolution\")\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnet: jme: fix suspend/resume on JMC260\n\n[ Upstream commit ee50c130c82175eaa0820c96b6d3763928af2241 ]\n\nThe JMC260 network card fails to suspend/resume because the call to\njme_start_irq() was too early, moving the call to jme_start_irq() after\nthe call to jme_reset_link() makes it work.\n\nPrior this change suspend/resume would fail unless /sys/power/pm_async\u003d0\nwas explicitly specified.\n\nRelevant bug report: https://bugzilla.kernel.org/show_bug.cgi?id\u003d112351\n\nSigned-off-by: Diego Viola \u003cdiego.viola@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnet: qca_spi: Don\u0027t clear IFF_BROADCAST\n\n[ Upstream commit 2b70bad23c89b121a3e4a00f8968d14ebb78887d ]\n\nCurrently qcaspi_netdev_setup accidentally clears IFF_BROADCAST.\nSo fix this by keeping the flags from ether_setup.\n\nReported-by: Michael Heimpold \u003cmichael.heimpold@i2se.com\u003e\nSigned-off-by: Stefan Wahren \u003cstefan.wahren@i2se.com\u003e\nFixes: 291ab06ecf67 (net: qualcomm: new Ethernet over SPI driver for QCA7000)\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnet: qca_spi: clear IFF_TX_SKB_SHARING\n\n[ Upstream commit a4690afeb0d2d7ba4d60dfa98a89f3bb1ce60ecd ]\n\nether_setup sets IFF_TX_SKB_SHARING but this is not supported by\nqca_spi as it modifies the skb on xmit.\n\nSigned-off-by: Stefan Wahren \u003cstefan.wahren@i2se.com\u003e\nFixes: 291ab06ecf67 (net: qualcomm: new Ethernet over SPI driver for QCA7000)\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nsctp: lack the check for ports in sctp_v6_cmp_addr\n\n[ Upstream commit 40b4f0fd74e46c017814618d67ec9127ff20f157 ]\n\nAs the member .cmp_addr of sctp_af_inet6, sctp_v6_cmp_addr should also check\nthe port of addresses, just like sctp_v4_cmp_addr, cause it\u0027s invoked by\nsctp_cmp_addr_exact().\n\nNow sctp_v6_cmp_addr just check the port when two addresses have different\nfamily, and lack the port check for two ipv6 addresses. that will make\nsctp_hash_cmp() cannot work well.\n\nso fix it by adding ports comparison in sctp_v6_cmp_addr().\n\nSigned-off-by: Xin Long \u003clucien.xin@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nqmi_wwan: add Sierra Wireless EM74xx device ID\n\n[ Upstream commit bf13c94ccb33c3182efc92ce4989506a0f541243 ]\n\nThe MC74xx and EM74xx modules use different IDs by default, according\nto the Lenovo EM7455 driver for Windows.\n\nSigned-off-by: Bjørn Mork \u003cbjorn@mork.no\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nipv6: re-enable fragment header matching in ipv6_find_hdr\n\n[ Upstream commit 5d150a985520bbe3cb2aa1ceef24a7e32f20c15f ]\n\nWhen ipv6_find_hdr is used to find a fragment header\n(caller specifies target NEXTHDR_FRAGMENT) we erronously return\n-ENOENT for all fragments with nonzero offset.\n\nBefore commit 9195bb8e381d, when target was specified, we did not\nenter the exthdr walk loop as nexthdr \u003d\u003d target so this used to work.\n\nNow we do (so we can skip empty route headers). When we then stumble upon\na frag with nonzero frag_off we must return -ENOENT (\"header not found\")\nonly if the caller did not specifically request NEXTHDR_FRAGMENT.\n\nThis allows nfables exthdr expression to match ipv6 fragments, e.g. via\n\nnft add rule ip6 filter input frag frag-off gt 0\n\nFixes: 9195bb8e381d (\"ipv6: improve ipv6_find_hdr() to skip empty routing headers\")\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ncdc_ncm: toggle altsetting to force reset before setup\n\n[ Upstream commit 48906f62c96cc2cd35753e59310cb70eb08cc6a5 ]\n\nSome devices will silently fail setup unless they are reset first.\nThis is necessary even if the data interface is already in\naltsetting 0, which it will be when the device is probed for the\nfirst time.  Briefly toggling the altsetting forces a function\nreset regardless of the initial state.\n\nThis fixes a setup problem observed on a number of Huawei devices,\nappearing to operate in NTB-32 mode even if we explicitly set them\nto NTB-16 mode.\n\nSigned-off-by: Bjørn Mork \u003cbjorn@mork.no\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nusbnet: cleanup after bind() in probe()\n\n[ Upstream commit 1666984c8625b3db19a9abc298931d35ab7bc64b ]\n\nIn case bind() works, but a later error forces bailing\nin probe() in error cases work and a timer may be scheduled.\nThey must be killed. This fixes an error case related to\nthe double free reported in\nhttp://www.spinics.net/lists/netdev/msg367669.html\nand needs to go on top of Linus\u0027 fix to cdc-ncm.\n\nSigned-off-by: Oliver Neukum \u003cONeukum@suse.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nudp6: fix UDP/IPv6 encap resubmit path\n\n[ Upstream commit 59dca1d8a6725a121dae6c452de0b2611d5865dc ]\n\nIPv4 interprets a negative return value from a protocol handler as a\nrequest to redispatch to a new protocol.  In contrast, IPv6 interprets a\nnegative value as an error, and interprets a positive value as a request\nfor redispatch.\n\nUDP for IPv6 was unaware of this difference.  Change __udp6_lib_rcv() to\nreturn a positive value for redispatch.  Note that the socket\u0027s\nencap_rcv hook still needs to return a negative value to request\ndispatch, and in the case of IPv6 packets, adjust IP6CB(skb)-\u003enhoff to\nidentify the byte containing the next protocol.\n\nSigned-off-by: Bill Sommerfeld \u003cwsommerfeld@google.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nsh_eth: fix NULL pointer dereference in sh_eth_ring_format()\n\n[ Upstream commit c1b7fca65070bfadca94dd53a4e6b71cd4f69715 ]\n\nIn a low memory situation, if netdev_alloc_skb() fails on a first RX ring\nloop iteration  in sh_eth_ring_format(), \u0027rxdesc\u0027 is still NULL.  Avoid\nkernel oops by adding the \u0027rxdesc\u0027 check after the loop.\n\nReported-by: Wolfram Sang \u003cwsa+renesas@sang-engineering.com\u003e\nSigned-off-by: Sergei Shtylyov \u003csergei.shtylyov@cogentembedded.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nsh_eth: Remove redundant alignment adjustment\n\n[ Upstream commit 450fa21942fe2c37f0c9f52d1a33bbc081eee288 ]\n\nPTR_ALIGN macro after skb_reserve is redundant, because skb_reserve\nfunction adjusts the alignment of skb-\u003edata.\n\nSigned-off-by: Mitsuhiro Kimura \u003cmitsuhiro.kimura.kc@renesas.com\u003e\nSigned-off-by: Yoshihiro Kaneko \u003cykaneko0929@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nsh_eth: Fix DMA-API usage for RX buffers\n\n[ Upstream commit 52b9fa3696c44151a2f1d361a00be7c5513db026 ]\n\n- Use the return value of dma_map_single(), rather than calling\n  virt_to_page() separately\n- Check for mapping failue\n- Call dma_unmap_single() rather than dma_sync_single_for_cpu()\n\nSigned-off-by: Ben Hutchings \u003cben.hutchings@codethink.co.uk\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nsh_eth: fix RX buffer size alignment\n\n[ Upstream commit ab8579169b79c062935dade949287113c7c1ba73 ]\n\nBoth  Renesas R-Car and RZ/A1 manuals state that RX buffer  length must be\na multiple of 32 bytes, while the driver  only uses 16 byte granularity...\n\nSigned-off-by: Sergei Shtylyov \u003csergei.shtylyov@cogentembedded.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nqlcnic: Remove unnecessary usage of atomic_t\n\n[ Upstream commit 5bf93251cee1fb66141d1d2eaff86e04a9397bdf ]\n\no atomic_t usage is incorrect as we are not implementing\nany atomicity.\n\nSigned-off-by: Rajesh Borundia \u003crajesh.borundia@qlogic.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nqlcnic: Fix mailbox completion handling during spurious interrupt\n\n[ Upstream commit 819bfe764dceec2f6b4551768453f374b4c60443 ]\n\no While the driver is in the middle of a MB completion processing\nand it receives a spurious MB interrupt, it is mistaken as a good MB\ncompletion interrupt leading to premature completion of the next MB\nrequest. Fix the driver to guard against this by checking the current\nstate of MB processing and ignore the spurious interrupt.\nAlso added a stats counter to record this condition.\n\nSigned-off-by: Rajesh Borundia \u003crajesh.borundia@qlogic.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmlx4: add missing braces in verify_qp_parameters\n\n[ Upstream commit baefd7015cdb304ce6c94f9679d0486c71954766 ]\n\nThe implementation of QP paravirtualization back in linux-3.7 included\nsome code that looks very dubious, and gcc-6 has grown smart enough\nto warn about it:\n\ndrivers/net/ethernet/mellanox/mlx4/resource_tracker.c: In function \u0027verify_qp_parameters\u0027:\ndrivers/net/ethernet/mellanox/mlx4/resource_tracker.c:3154:5: error: statement is indented as if it were guarded by... [-Werror\u003dmisleading-indentation]\n     if (optpar \u0026 MLX4_QP_OPTPAR_ALT_ADDR_PATH) {\n     ^~\ndrivers/net/ethernet/mellanox/mlx4/resource_tracker.c:3144:4: note: ...this \u0027if\u0027 clause, but it is not\n    if (slave !\u003d mlx4_master_func_num(dev))\n\n\u003eFrom looking at the context, I\u0027m reasonably sure that the indentation\nis correct but that it should have contained curly braces from the\nstart, as the update_gid() function in the same patch correctly does.\n\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\nFixes: 54679e148287 (\"mlx4: Implement QP paravirtualization and maintain phys_pkey_cache for smp_snoop\")\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nfarsync: fix off-by-one bug in fst_add_one\n\n[ Upstream commit e725a66c0202b5f36c2f9d59d26a65c53bbf21f7 ]\n\ngcc-6 finds an out of bounds access in the fst_add_one function\nwhen calculating the end of the mmio area:\n\ndrivers/net/wan/farsync.c: In function \u0027fst_add_one\u0027:\ndrivers/net/wan/farsync.c:418:53: error: index 2 denotes an offset greater than size of \u0027u8[2][8192] {aka unsigned char[2][8192]}\u0027 [-Werror\u003darray-bounds]\n #define BUF_OFFSET(X)   (BFM_BASE + offsetof(struct buf_window, X))\n                                                     ^\ninclude/linux/compiler-gcc.h:158:21: note: in definition of macro \u0027__compiler_offsetof\u0027\n  __builtin_offsetof(a, b)\n                     ^\ndrivers/net/wan/farsync.c:418:37: note: in expansion of macro \u0027offsetof\u0027\n #define BUF_OFFSET(X)   (BFM_BASE + offsetof(struct buf_window, X))\n                                     ^~~~~~~~\ndrivers/net/wan/farsync.c:2519:36: note: in expansion of macro \u0027BUF_OFFSET\u0027\n                                  + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER][0]);\n                                    ^~~~~~~~~~\n\nThe warning is correct, but not critical because this appears\nto be a write-only variable that is set by each WAN driver but\nnever accessed afterwards.\n\nI\u0027m taking the minimal fix here, using the correct pointer by\npointing \u0027mem_end\u0027 to the last byte inside of the register area\nas all other WAN drivers do, rather than the first byte outside of\nit. An alternative would be to just remove the mem_end member\nentirely.\n\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nath9k: fix buffer overrun for ar9287\n\n[ Upstream commit 83d6f1f15f8cce844b0a131cbc63e444620e48b5 ]\n\nCode that was added back in 2.6.38 has an obvious overflow\nwhen accessing a static array, and at the time it was added\nonly a code comment was put in front of it as a reminder\nto have it reviewed properly.\n\nThis has not happened, but gcc-6 now points to the specific\noverflow:\n\ndrivers/net/wireless/ath/ath9k/eeprom.c: In function \u0027ath9k_hw_get_gain_boundaries_pdadcs\u0027:\ndrivers/net/wireless/ath/ath9k/eeprom.c:483:44: error: array subscript is above array bounds [-Werror\u003darray-bounds]\n     maxPwrT4[i] \u003d data_9287[idxL].pwrPdg[i][4];\n                   ~~~~~~~~~~~~~~~~~~~~~~~~~^~~\n\nIt turns out that the correct array length exists in the local\n\u0027intercepts\u0027 variable of this function, so we can just use that\ninstead of hardcoding \u00274\u0027, so this patch changes all three\ninstances to use that variable. The other two instances were\nalready correct, but it\u0027s more consistent this way.\n\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\nFixes: 940cd2c12ebf (\"ath9k_hw: merge the ar9287 version of ath9k_hw_get_gain_boundaries_pdadcs\")\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nppp: ensure file-\u003eprivate_data can\u0027t be overridden\n\n[ Upstream commit e8e56ffd9d2973398b60ece1f1bebb8d67b4d032 ]\n\nLocking ppp_mutex must be done before dereferencing file-\u003eprivate_data,\notherwise it could be modified before ppp_unattached_ioctl() takes the\nlock. This could lead ppp_unattached_ioctl() to override -\u003eprivate_data,\nthus leaking reference to the ppp_file previously pointed to.\n\nv2: lock all ppp_ioctl() instead of just checking private_data in\n    ppp_unattached_ioctl(), to avoid ambiguous behaviour.\n\nFixes: f3ff8a4d80e8 (\"ppp: push BKL down into the driver\")\nSigned-off-by: Guillaume Nault \u003cg.nault@alphalink.fr\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nqlge: Fix receive packets drop.\n\n[ Upstream commit 2c9a266afefe137bff06bbe0fc48b4d3b3cb348c ]\n\nWhen running small packets [length \u003c 256 bytes] traffic, packets were\nbeing dropped due to invalid data in those packets which were\ndelivered by the driver upto the stack. Using pci_dma_sync_single_for_cpu\nensures copying latest and updated data into skb from the receive buffer.\n\nSigned-off-by: Sony Chacko \u003csony.chacko@qlogic.com\u003e\nSigned-off-by: Manish Chopra \u003cmanish.chopra@qlogic.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnet: bcmgenet: fix dma api length mismatch\n\n[ Upstream commit eee577232203842b4dcadb7ab477a298479633ed ]\n\nWhen un-mapping skb-\u003edata in __bcmgenet_tx_reclaim(),\nwe must use the length that was used in original dma_map_single(),\ninstead of skb-\u003elen that might be bigger (includes the frags)\n\nWe simply can store skb_len into tx_cb_ptr-\u003edma_len and use it\nat unmap time.\n\nFixes: 1c1008c793fa (\"net: bcmgenet: add main driver file\")\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nAcked-by: Florian Fainelli \u003cf.fainelli@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nipv4: fix broadcast packets reception\n\n[ Upstream commit ad0ea1989cc4d5905941d0a9e62c63ad6d859cef ]\n\nCurrently, ingress ipv4 broadcast datagrams are dropped since,\nin udp_v4_early_demux(), ip_check_mc_rcu() is invoked even on\nbcast packets.\n\nThis patch addresses the issue, invoking ip_check_mc_rcu()\nonly for mcast packets.\n\nFixes: 6e5403093261 (\"ipv4/udp: Verify multicast group is ours in upd_v4_early_demux()\")\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\nAcked-by: Hannes Frederic Sowa \u003channes@stressinduktion.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nqmi_wwan: add \"D-Link DWM-221 B1\" device id\n\n[ Upstream commit e84810c7b85a2d7897797b3ad3e879168a8e032a ]\n\nThomas reports:\n\"Windows:\n\n00 diagnostics\n01 modem\n02 at-port\n03 nmea\n04 nic\n\nLinux:\n\nT:  Bus\u003d02 Lev\u003d01 Prnt\u003d01 Port\u003d03 Cnt\u003d01 Dev#\u003d  4 Spd\u003d480 MxCh\u003d 0\nD:  Ver\u003d 2.00 Cls\u003d00(\u003eifc ) Sub\u003d00 Prot\u003d00 MxPS\u003d64 #Cfgs\u003d  1\nP:  Vendor\u003d2001 ProdID\u003d7e19 Rev\u003d02.32\nS:  Manufacturer\u003dMobile Connect\nS:  Product\u003dMobile Connect\nS:  SerialNumber\u003d0123456789ABCDEF\nC:  #Ifs\u003d 6 Cfg#\u003d 1 Atr\u003da0 MxPwr\u003d500mA\nI:  If#\u003d 0 Alt\u003d 0 #EPs\u003d 2 Cls\u003dff(vend.) Sub\u003dff Prot\u003dff Driver\u003doption\nI:  If#\u003d 1 Alt\u003d 0 #EPs\u003d 3 Cls\u003dff(vend.) Sub\u003d00 Prot\u003d00 Driver\u003doption\nI:  If#\u003d 2 Alt\u003d 0 #EPs\u003d 3 Cls\u003dff(vend.) Sub\u003d00 Prot\u003d00 Driver\u003doption\nI:  If#\u003d 3 Alt\u003d 0 #EPs\u003d 3 Cls\u003dff(vend.) Sub\u003d00 Prot\u003d00 Driver\u003doption\nI:  If#\u003d 4 Alt\u003d 0 #EPs\u003d 3 Cls\u003dff(vend.) Sub\u003dff Prot\u003dff Driver\u003dqmi_wwan\nI:  If#\u003d 5 Alt\u003d 0 #EPs\u003d 2 Cls\u003d08(stor.) Sub\u003d06 Prot\u003d50 Driver\u003dusb-storage\"\n\nReported-by: Thomas Schäfer \u003ctschaefer@t-online.de\u003e\nSigned-off-by: Bjørn Mork \u003cbjorn@mork.no\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nipv4: l2tp: fix a potential issue in l2tp_ip_recv\n\n[ Upstream commit 5745b8232e942abd5e16e85fa9b27cc21324acf0 ]\n\npskb_may_pull() can change skb-\u003edata, so we have to load ptr/optr at the\nright place.\n\nSigned-off-by: Haishuang Yan \u003cyanhaishuang@cmss.chinamobile.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nipv6: l2tp: fix a potential issue in l2tp_ip6_recv\n\n[ Upstream commit be447f305494e019dfc37ea4cdf3b0e4200b4eba ]\n\npskb_may_pull() can change skb-\u003edata, so we have to load ptr/optr at the\nright place.\n\nSigned-off-by: Haishuang Yan \u003cyanhaishuang@cmss.chinamobile.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nip6_tunnel: set rtnl_link_ops before calling register_netdevice\n\n[ Upstream commit b6ee376cb0b7fb4e7e07d6cd248bd40436fb9ba6 ]\n\nWhen creating an ip6tnl tunnel with ip tunnel, rtnl_link_ops is not set\nbefore ip6_tnl_create2 is called. When register_netdevice is called, there\nis no linkinfo attribute in the NEWLINK message because of that.\n\nSetting rtnl_link_ops before calling register_netdevice fixes that.\n\nFixes: 0b112457229d (\"ip6tnl: add support of link creation via rtnl\")\nSigned-off-by: Thadeu Lima de Souza Cascardo \u003ccascardo@redhat.com\u003e\nAcked-by: Nicolas Dichtel \u003cnicolas.dichtel@6wind.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\npinctrl: nomadik: fix pull debug print inversion\n\n[ Upstream commit 6ee334559324a55725e22463de633b99ad99fcad ]\n\nPull up was reported as pull down and vice versa. Fix this.\n\nFixes: 8f1774a2a971 \"pinctrl: nomadik: improve GPIO debug prints\"\nSigned-off-by: Linus Walleij \u003clinus.walleij@linaro.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\n[media] v4l: vsp1: Set the SRU CTRL0 register when starting the stream\n\n[ Upstream commit f6acfcdc5b8cdc9ddd53a459361820b9efe958c4 ]\n\nCommit 58f896d859ce (\"[media] v4l: vsp1: sru: Make the intensity\ncontrollable during streaming\") refactored the stream start code and\nremoved the SRU CTRL0 register write by mistake. Add it back.\n\nFixes: 58f896d859ce (\"[media] v4l: vsp1: sru: Make the intensity controllable during streaming\")\n\nSigned-off-by: Laurent Pinchart \u003claurent.pinchart+renesas@ideasonboard.com\u003e\nSigned-off-by: Mauro Carvalho Chehab \u003cmchehab@osg.samsung.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmac80211: fix unnecessary frame drops in mesh fwding\n\n[ Upstream commit cf44012810ccdd8fd947518e965cb04b7b8498be ]\n\nThe ieee80211_queue_stopped() expects hw queue\nnumber but it was given raw WMM AC number instead.\n\nThis could cause frame drops and problems with\ntraffic in some cases - most notably if driver\ndoesn\u0027t map AC numbers to queue numbers 1:1 and\nuses ieee80211_stop_queues() and\nieee80211_wake_queue() only without ever calling\nieee80211_wake_queues().\n\nOn ath10k it was possible to hit this problem in\nthe following case:\n\n  1. wlan0 uses queue 0\n     (ath10k maps queues per vif)\n  2. offchannel uses queue 15\n  3. queues 1-14 are unused\n  4. ieee80211_stop_queues()\n  5. ieee80211_wake_queue(q\u003d0)\n  6. ieee80211_wake_queue(q\u003d15)\n     (other queues are not woken up because both\n      driver and mac80211 know other queues are\n      unused)\n  7. ieee80211_rx_h_mesh_fwding()\n  8. ieee80211_select_queue_80211() returns 2\n  9. ieee80211_queue_stopped(q\u003d2) returns true\n 10. frame is dropped (oops!)\n\nFixes: d3c1597b8d1b (\"mac80211: fix forwarded mesh frame queue mapping\")\nSigned-off-by: Michal Kazior \u003cmichal.kazior@tieto.com\u003e\nSigned-off-by: Johannes Berg \u003cjohannes.berg@intel.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nfutex: Acknowledge a new waiter in counter before plist\n\n[ Upstream commit fe1bce9e2107ba3a8faffe572483b6974201a0e6 ]\n\nOtherwise an incoming waker on the dest hash bucket can miss\nthe waiter adding itself to the plist during the lockless\ncheck optimization (small window but still the correct way\nof doing this); similarly to the decrement counterpart.\n\nSuggested-by: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nSigned-off-by: Davidlohr Bueso \u003cdbueso@suse.de\u003e\nCc: Davidlohr Bueso \u003cdave@stgolabs.net\u003e\nCc: bigeasy@linutronix.de\nCc: dvhart@infradead.org\nCc: stable@kernel.org\nLink: http://lkml.kernel.org/r/1461208164-29150-1-git-send-email-dave@stgolabs.net\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\npowerpc: Update TM user feature bits in scan_features()\n\n[ Upstream commit 4705e02498d6d5a7ab98dfee9595cd5e91db2017 ]\n\nWe need to update the user TM feature bits (PPC_FEATURE2_HTM and\nPPC_FEATURE2_HTM) to mirror what we do with the kernel TM feature\nbit.\n\nAt the moment, if firmware reports TM is not available we turn off\nthe kernel TM feature bit but leave the userspace ones on. Userspace\nthinks it can execute TM instructions and it dies trying.\n\nThis (together with a QEMU patch) fixes PR KVM, which doesn\u0027t currently\nsupport TM.\n\nSigned-off-by: Anton Blanchard \u003canton@samba.org\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Michael Ellerman \u003cmpe@ellerman.id.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nInput: pmic8xxx-pwrkey - fix algorithm for converting trigger delay\n\n[ Upstream commit eda5ecc0a6b865561997e177c393f0b0136fe3b7 ]\n\nThe trigger delay algorithm that converts from microseconds to\nthe register value looks incorrect. According to most of the PMIC\ndocumentation, the equation is\n\n\tdelay (Seconds) \u003d (1 / 1024) * 2 ^ (x + 4)\n\nexcept for one case where the documentation looks to have a\nformatting issue and the equation looks like\n\n\tdelay (Seconds) \u003d (1 / 1024) * 2 x + 4\n\nMost likely this driver was written with the improper\ndocumentation to begin with. According to the downstream sources\nthe valid delays are from 2 seconds to 1/64 second, and the\nlatter equation just doesn\u0027t make sense for that. Let\u0027s fix the\nalgorithm and the range check to match the documentation and the\ndownstream sources.\n\nReported-by: Bjorn Andersson \u003cbjorn.andersson@linaro.org\u003e\nFixes: 92d57a73e410 (\"input: Add support for Qualcomm PMIC8XXX power key\")\nSigned-off-by: Stephen Boyd \u003csboyd@codeaurora.org\u003e\nTested-by: John Stultz \u003cjohn.stultz@linaro.org\u003e\nAcked-by: Bjorn Andersson \u003cbjorn.andersson@linaro.org\u003e\nSigned-off-by: Dmitry Torokhov \u003cdmitry.torokhov@gmail.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nxen kconfig: don\u0027t \"select INPUT_XEN_KBDDEV_FRONTEND\"\n\n[ Upstream commit 13aa38e291bdd4e4018f40dd2f75e464814dcbf3 ]\n\nThe Xen framebuffer driver selects the xen keyboard driver, so the latter\nwill be built-in if XEN_FBDEV_FRONTEND\u003dy. However, when CONFIG_INPUT\nis a loadable module, this configuration cannot work. On mainline kernels,\nthe symbol will be enabled but not used, while in combination with\na patch I have to detect such useless configurations, we get the\nexpected link failure:\n\ndrivers/input/built-in.o: In function `xenkbd_remove\u0027:\nxen-kbdfront.c:(.text+0x2f0): undefined reference to `input_unregister_device\u0027\nxen-kbdfront.c:(.text+0x30e): undefined reference to `input_unregister_device\u0027\n\nThis removes the extra \"select\", as it just causes more trouble than\nit helps. In theory, some defconfig file might break if it has\nXEN_FBDEV_FRONTEND in it but not INPUT_XEN_KBDDEV_FRONTEND. The Kconfig\nfragment we ship in the kernel (kernel/configs/xen.config) however\nalready enables both, and anyone using an old .config file would\nkeep having both enabled.\n\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\nSuggested-by: David Vrabel \u003cdavid.vrabel@citrix.com\u003e\nFixes: 36c1132e34bd (\"xen kconfig: fix select INPUT_XEN_KBDDEV_FRONTEND\")\nAcked-by: Stefano Stabellini \u003cstefano.stabellini@eu.citrix.com\u003e\nSigned-off-by: Tomi Valkeinen \u003ctomi.valkeinen@ti.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\npinctrl: single: Fix pcs_parse_bits_in_pinctrl_entry to use __ffs than ffs\n\n[ Upstream commit 56b367c0cd67d4c3006738e7dc9dda9273fd2bfe ]\n\npcs_parse_bits_in_pinctrl_entry uses ffs which gives bit indices\nranging from 1 to MAX. This leads to a corner case where we try to request\nthe pin number \u003d MAX and fails.\n\nbit_pos value is being calculted using ffs. pin_num_from_lsb uses\nbit_pos value. pins array is populated with:\n\npin + pin_num_from_lsb.\n\nThe above is 1 more than usual bit indices as bit_pos uses ffs to compute\nfirst set bit. Hence the last of the pins array is populated with the MAX\nvalue and not MAX - 1 which causes error when we call pin_request.\n\nmask_pos is rightly calculated as ((pcs-\u003efmask) \u003c\u003c (bit_pos - 1))\nConsequently val_pos and submask are correct.\n\nHence use __ffs which gives (ffs(x) - 1) as the first bit set.\n\nfixes: 4e7e8017a8 (\"pinctrl: pinctrl-single: enhance to configure multiple pins of different modules\")\nSigned-off-by: Keerthy \u003cj-keerthy@ti.com\u003e\nAcked-by: Tony Lindgren \u003ctony@atomide.com\u003e\nSigned-off-by: Linus Walleij \u003clinus.walleij@linaro.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ni2c: exynos5: Fix possible ABBA deadlock by keeping I2C clock prepared\n\n[ Upstream commit 10ff4c5239a137abfc896ec73ef3d15a0f86a16a ]\n\nThe exynos5 I2C controller driver always prepares and enables a clock\nbefore using it and then disables unprepares it when the clock is not\nused anymore.\n\nBut this can cause a possible ABBA deadlock in some scenarios since a\ndriver that uses regmap to access its I2C registers, will first grab\nthe regmap lock and then the I2C xfer function will grab the prepare\nlock when preparing the I2C clock. But since the clock driver also\nuses regmap for I2C accesses, preparing a clock will first grab the\nprepare lock and then the regmap lock when using the regmap API.\n\nAn example of this happens on the Exynos5422 Odroid XU4 board where a\ns2mps11 PMIC is used and both the s2mps11 regulators and clk drivers\nshare the same I2C regmap.\n\nThe possible deadlock is reported by the kernel lockdep:\n\n  Possible unsafe locking scenario:\n\n        CPU0                    CPU1\n        ----                    ----\n   lock(sec_core:428:(regmap)-\u003elock);\n                                lock(prepare_lock);\n                                lock(sec_core:428:(regmap)-\u003elock);\n   lock(prepare_lock);\n\n  *** DEADLOCK ***\n\nFix it by leaving the code prepared on probe and use {en,dis}able in\nthe I2C transfer function.\n\nThis patch is similar to commit 34e81ad5f0b6 (\"i2c: s3c2410: fix ABBA\ndeadlock by keeping clock prepared\") that fixes the same bug in other\ndriver for an I2C controller found in Samsung SoCs.\n\nReported-by: Anand Moon \u003clinux.amoon@gmail.com\u003e\nSigned-off-by: Javier Martinez Canillas \u003cjavier@osg.samsung.com\u003e\nReviewed-by: Anand Moon \u003clinux.amoon@gmail.com\u003e\nReviewed-by: Krzysztof Kozlowski \u003ck.kozlowski@samsung.com\u003e\nSigned-off-by: Wolfram Sang \u003cwsa@the-dreams.de\u003e\nCc: stable@kernel.org\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nASoC: s3c24xx: use const snd_soc_component_driver pointer\n\n[ Upstream commit ba4bc32eaa39ba7687f0958ae90eec94da613b46 ]\n\nAn older patch to convert the API in the s3c i2s driver\nended up passing a const pointer into a function that takes\na non-const pointer, so we now get a warning:\n\nsound/soc/samsung/s3c2412-i2s.c: In function \u0027s3c2412_iis_dev_probe\u0027:\nsound/soc/samsung/s3c2412-i2s.c:172:9: error: passing argument 3 of \u0027s3c_i2sv2_register_component\u0027 discards \u0027const\u0027 qualifier from pointer target type [-Werror\u003ddiscarded-qualifiers]\n\nHowever, the s3c_i2sv2_register_component() function again\npasses the pointer into another function taking a const, so\nwe just need to change its prototype.\n\nFixes: eca3b01d0885 (\"ASoC: switch over to use snd_soc_register_component() on s3c i2s\")\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\nReviewed-by: Krzysztof Kozlowski \u003ck.kozlowski@samsung.com\u003e\nSigned-off-by: Mark Brown \u003cbroonie@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nASoC: ssm4567: Reset device before regcache_sync()\n\n[ Upstream commit 712a8038cc24dba668afe82f0413714ca87184e0 ]\n\nWhen the ssm4567 is powered up the driver calles regcache_sync() to restore\nthe register map content. regcache_sync() assumes that the device is in its\npower-on reset state. Make sure that this is the case by explicitly\nresetting the ssm4567 register map before calling regcache_sync() otherwise\nwe might end up with a incorrect register map which leads to undefined\nbehaviour.\n\nOne such undefined behaviour was observed when returning from system\nsuspend while a playback stream is active, in that case the ssm4567 was\nkept muted after resume.\n\nFixes: 1ee44ce03011 (\"ASoC: ssm4567: Add driver for Analog Devices SSM4567 amplifier\")\nReported-by: Harsha Priya \u003charshapriya.n@intel.com\u003e\nTested-by: Fang, Yang A \u003cyang.a.fang@intel.com\u003e\nSigned-off-by: Lars-Peter Clausen \u003clars@metafoo.de\u003e\nSigned-off-by: Mark Brown \u003cbroonie@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nefi: Expose non-blocking set_variable() wrapper to efivars\n\n[ Upstream commit 9c6672ac9c91f7eb1ec436be1442b8c26d098e55 ]\n\nCommit 6d80dba1c9fe (\"efi: Provide a non-blocking SetVariable()\noperation\") implemented a non-blocking alternative for the UEFI\nSetVariable() invocation performed by efivars, since it may\noccur in atomic context. However, this version of the function\nwas never exposed via the efivars struct, so the non-blocking\nversions was not actually callable. Fix that.\n\nSigned-off-by: Ard Biesheuvel \u003card.biesheuvel@linaro.org\u003e\nSigned-off-by: Matt Fleming \u003cmatt@codeblueprint.co.uk\u003e\nCc: Borislav Petkov \u003cbp@alien8.de\u003e\nCc: Brian Gerst \u003cbrgerst@gmail.com\u003e\nCc: Denys Vlasenko \u003cdvlasenk@redhat.com\u003e\nCc: H. Peter Anvin \u003chpa@zytor.com\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: linux-efi@vger.kernel.org\nFixes: 6d80dba1c9fe (\"efi: Provide a non-blocking SetVariable() operation\")\nLink: http://lkml.kernel.org/r/1454364428-494-2-git-send-email-matt@codeblueprint.co.uk\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nUSB: usbip: fix potential out-of-bounds write\n\n[ Upstream commit b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb ]\n\nFix potential out-of-bounds write to urb-\u003etransfer_buffer\nusbip handles network communication directly in the kernel. When receiving a\npacket from its peer, usbip code parses headers according to protocol. As\npart of this parsing urb-\u003eactual_length is filled. Since the input for\nurb-\u003eactual_length comes from the network, it should be treated as untrusted.\nAny entity controlling the network may put any value in the input and the\npreallocated urb-\u003etransfer_buffer may not be large enough to hold the data.\nThus, the malicious entity is able to write arbitrary data to kernel memory.\n\nSigned-off-by: Ignat Korchagin \u003cignat.korchagin@gmail.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nspi/rockchip: Make sure spi clk is on in rockchip_spi_set_cs\n\n[ Upstream commit b920cc3191d7612f26f36ee494e05b5ffd9044c0 ]\n\nRockchip_spi_set_cs could be called by spi_setup, but\nspi_setup may be called by device driver after runtime suspend.\nThen the spi clock is closed, rockchip_spi_set_cs may access the\nspi registers, which causes cpu block in some socs.\n\nFixes: 64e36824b32 (\"spi/rockchip: add driver for Rockchip RK3xxx\")\nSigned-off-by: Huibin Hong \u003chuibin.hong@rock-chips.com\u003e\nSigned-off-by: Mark Brown \u003cbroonie@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nregulator: s5m8767: fix get_register() error handling\n\n[ Upstream commit e07ff9434167981c993a26d2edbbcb8e13801dbb ]\n\nThe s5m8767_pmic_probe() function calls s5m8767_get_register() to\nread data without checking the return code, which produces a compile-time\nwarning when that data is accessed:\n\ndrivers/regulator/s5m8767.c: In function \u0027s5m8767_pmic_probe\u0027:\ndrivers/regulator/s5m8767.c:924:7: error: \u0027enable_reg\u0027 may be used uninitialized in this function [-Werror\u003dmaybe-uninitialized]\ndrivers/regulator/s5m8767.c:944:30: error: \u0027enable_val\u0027 may be used uninitialized in this function [-Werror\u003dmaybe-uninitialized]\n\nThis changes the s5m8767_get_register() function to return a -EINVAL\nnot just for an invalid register number but also for an invalid\nregulator number, as both would result in returning uninitialized\ndata. The s5m8767_pmic_probe() function is then changed accordingly\nto fail on a read error, as all the other callers of s5m8767_get_register()\nalready do.\n\nIn practice this probably cannot happen, as we don\u0027t call\ns5m8767_get_register() with invalid arguments, but the gcc\nwarning seems valid in principle, in terms writing safe\nerror checking.\n\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\nFixes: 9c4c60554acf (\"regulator: s5m8767: Convert to use regulator_[enable|disable|is_enabled]_regmap\")\nSigned-off-by: Mark Brown \u003cbroonie@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nparide: make \u0027verbose\u0027 parameter an \u0027int\u0027 again\n\n[ Upstream commit dec63a4dec2d6d01346fd5d96062e67c0636852b ]\n\ngcc-6.0 found an ancient bug in the paride driver, which had a\n\"module_param(verbose, bool, 0);\" since before 2.6.12, but actually uses\nit to accept \u00270\u0027, \u00271\u0027 or \u00272\u0027 as arguments:\n\n  drivers/block/paride/pd.c: In function \u0027pd_init_dev_parms\u0027:\n  drivers/block/paride/pd.c:298:29: warning: comparison of constant \u00271\u0027 with boolean expression is always false [-Wbool-compare]\n   #define DBMSG(msg) ((verbose\u003e1)?(msg):NULL)\n\nIn 2012, Rusty did a cleanup patch that also changed the type of the\nvariable to \u0027bool\u0027, which introduced what is now a gcc warning.\n\nThis changes the type back to \u0027int\u0027 and adapts the module_param() line\ninstead, so it should work as documented in case anyone ever cares about\nrunning the ancient driver with debugging.\n\nFixes: 90ab5ee94171 (\"module_param: make bool parameters really bool (drivers \u0026 misc)\")\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\nRusty Russell \u003crusty@rustcorp.com.au\u003e\nCc: Tim Waugh \u003ctim@cyberelk.net\u003e\nCc: Sudip Mukherjee \u003csudipm.mukherjee@gmail.com\u003e\nCc: Jens Axboe \u003caxboe@fb.com\u003e\nCc: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nfbdev: da8xx-fb: fix videomodes of lcd panels\n\n[ Upstream commit 713fced8d10fa1c759c8fb6bf9aaa681bae68cad ]\n\nCommit 028cd86b794f4a (\"video: da8xx-fb: fix the polarities of the\nhsync/vsync pulse\") fixes polarities of HSYNC/VSYNC pulse but\nforgot to update known_lcd_panels[] which had sync values\naccording to old logic. This breaks LCD at least on DA850 EVM.\n\nThis patch fixes this issue and I have tested this for panel\n\"Sharp_LK043T1DG01\" using DA850 EVM board.\n\nFixes: 028cd86b794f4a (\"video: da8xx-fb: fix the polarities of the hsync/vsync pulse\")\nSigned-off-by: Sushaanth Srirangapathi \u003csushaanth.s@ti.com\u003e\nSigned-off-by: Tomi Valkeinen \u003ctomi.valkeinen@ti.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmisc/bmp085: Enable building as a module\n\n[ Upstream commit 50e6315dba721cbc24ccd6d7b299f1782f210a98 ]\n\nCommit 985087dbcb02 \u0027misc: add support for bmp18x chips to the bmp085\ndriver\u0027 changed the BMP085 config symbol to a boolean.  I see no\nreason why the shared code cannot be built as a module, so change it\nback to tristate.\n\nFixes: 985087dbcb02 (\"misc: add support for bmp18x chips to the bmp085 driver\")\nCc: Eric Andersson \u003ceric.andersson@unixphere.com\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\nAcked-by: Arnd Bergmann \u003carnd@arndb.de\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nrtc: hym8563: fix invalid year calculation\n\n[ Upstream commit d5861262210067fc01b2fb4f7af2fd85a3453f15 ]\n\nYear field must be in BCD format, according to\nhym8563 datasheet.\n\nDue to the bug year 2016 became 2010.\n\nFixes: dcaf03849352 (\"rtc: add hym8563 rtc-driver\")\nSigned-off-by: Alexander Kochetkov \u003cal.kochet@gmail.com\u003e\nSigned-off-by: Alexandre Belloni \u003calexandre.belloni@free-electrons.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nrtc: vr41xx: Wire up alarm_irq_enable\n\n[ Upstream commit a25f4a95ec3cded34c1250364eba704c5e4fdac4 ]\n\ndrivers/rtc/rtc-vr41xx.c:229: warning: ‘vr41xx_rtc_alarm_irq_enable’ defined but not used\n\nApparently the conversion to alarm_irq_enable forgot to wire up the\ncallback.\n\nFixes: 16380c153a69c378 (\"RTC: Convert rtc drivers to use the alarm_irq_enable method\")\nSigned-off-by: Geert Uytterhoeven \u003cgeert@linux-m68k.org\u003e\nSigned-off-by: Alexandre Belloni \u003calexandre.belloni@free-electrons.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nrtc: max77686: Properly handle regmap_irq_get_virq() error code\n\n[ Upstream commit fb166ba1d7f0a662f7332f4ff660a0d6f4d76915 ]\n\nThe regmap_irq_get_virq() can return 0 or -EINVAL in error conditions\nbut driver checked only for value of 0.\n\nThis could lead to a cast of -EINVAL to an unsigned int used as a\ninterrupt number for devm_request_threaded_irq(). Although this is not\nyet fatal (devm_request_threaded_irq() will just fail with -EINVAL) but\nmight be a misleading when diagnosing errors.\n\nSigned-off-by: Krzysztof Kozlowski \u003ck.kozlowski@samsung.com\u003e\nFixes: 6f1c1e71d933 (\"mfd: max77686: Convert to use regmap_irq\")\nReviewed-by: Javier Martinez Canillas \u003cjavier@osg.samsung.com\u003e\nSigned-off-by: Alexandre Belloni \u003calexandre.belloni@free-electrons.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrivers/misc/ad525x_dpot: AD5274 fix RDAC read back errors\n\n[ Upstream commit f3df53e4d70b5736368a8fe8aa1bb70c1cb1f577 ]\n\nFix RDAC read back errors caused by a typo. Value must shift by 2.\n\nFixes: a4bd394956f2 (\"drivers/misc/ad525x_dpot.c: new features\")\nSigned-off-by: Michael Hennerich \u003cmichael.hennerich@analog.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nx86/mm/kmmio: Fix mmiotrace for hugepages\n\n[ Upstream commit cfa52c0cfa4d727aa3e457bf29aeff296c528a08 ]\n\nBecause Linux might use bigger pages than the 4K pages to handle those mmio\nioremaps, the kmmio code shouldn\u0027t rely on the pade id as it currently does.\n\nUsing the memory address instead of the page id lets us look up how big the\npage is and what its base address is, so that we won\u0027t get a page fault\nwithin the same page twice anymore.\n\nTested-by: Pierre Moreau \u003cpierre.morrow@free.fr\u003e\nSigned-off-by: Karol Herbst \u003cnouveau@karolherbst.de\u003e\nCc: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nCc: Andy Lutomirski \u003cluto@amacapital.net\u003e\nCc: Borislav Petkov \u003cbp@alien8.de\u003e\nCc: Brian Gerst \u003cbrgerst@gmail.com\u003e\nCc: Denys Vlasenko \u003cdvlasenk@redhat.com\u003e\nCc: H. Peter Anvin \u003chpa@zytor.com\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Luis R. Rodriguez \u003cmcgrof@suse.com\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Toshi Kani \u003ctoshi.kani@hp.com\u003e\nCc: linux-mm@kvack.org\nCc: linux-x86_64@vger.kernel.org\nCc: nouveau@lists.freedesktop.org\nCc: pq@iki.fi\nCc: rostedt@goodmis.org\nLink: http://lkml.kernel.org/r/1456966991-6861-1-git-send-email-nouveau@karolherbst.de\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\next4: fix NULL pointer dereference in ext4_mark_inode_dirty()\n\n[ Upstream commit 5e1021f2b6dff1a86a468a1424d59faae2bc63c1 ]\n\next4_reserve_inode_write() in ext4_mark_inode_dirty() could fail on\nerror (e.g. EIO) and iloc.bh can be NULL in this case. But the error is\nignored in the following \"if\" condition and ext4_expand_extra_isize()\nmight be called with NULL iloc.bh set, which triggers NULL pointer\ndereference.\n\nThis is uncovered by commit 8b4953e13f4c (\"ext4: reserve code points for\nthe project quota feature\"), which enlarges the ext4_inode size, and\nrun the following script on new kernel but with old mke2fs:\n\n  #/bin/bash\n  mnt\u003d/mnt/ext4\n  devname\u003dext4-error\n  dev\u003d/dev/mapper/$devname\n  fsimg\u003d/home/fs.img\n\n  trap cleanup 0 1 2 3 9 15\n\n  cleanup()\n  {\n          umount $mnt \u003e/dev/null 2\u003e\u00261\n          dmsetup remove $devname\n          losetup -d $backend_dev\n          rm -f $fsimg\n          exit 0\n  }\n\n  rm -f $fsimg\n  fallocate -l 1g $fsimg\n  backend_dev\u003d`losetup -f --show $fsimg`\n  devsize\u003d`blockdev --getsz $backend_dev`\n\n  good_tab\u003d\"0 $devsize linear $backend_dev 0\"\n  error_tab\u003d\"0 $devsize error $backend_dev 0\"\n\n  dmsetup create $devname --table \"$good_tab\"\n\n  mkfs -t ext4 $dev\n  mount -t ext4 -o errors\u003dcontinue,strictatime $dev $mnt\n\n  dmsetup load $devname --table \"$error_tab\" \u0026\u0026 dmsetup resume $devname\n  echo 3 \u003e /proc/sys/vm/drop_caches\n  ls -l $mnt\n  exit 0\n\n[ Patch changed to simplify the function a tiny bit. -- Ted ]\n\nSigned-off-by: Eryu Guan \u003cguaneryu@gmail.com\u003e\nSigned-off-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nperf tools: handle spaces in file names obtained from /proc/pid/maps\n\n[ Upstream commit 89fee59b504f86925894fcc9ba79d5c933842f93 ]\n\nSteam frequently puts game binaries in folders with spaces.\n\nNote: \"(deleted)\" markers are now treated as part of the file name.\n\nSigned-off-by: Marcin Ślusarz \u003cmarcin.slusarz@gmail.com\u003e\nAcked-by: Namhyung Kim \u003cnamhyung@kernel.org\u003e\nFixes: 6064803313ba (\"perf tools: Use sscanf for parsing /proc/pid/maps\")\nLink: http://lkml.kernel.org/r/20160119190303.GA17579@marcin-Inspiron-7720\nSigned-off-by: Arnaldo Carvalho de Melo \u003cacme@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nperf stat: Document --detailed option\n\n[ Upstream commit f594bae08183fb6b57db55387794ece3e1edf6f6 ]\n\nI\u0027m surprised this remained undocumented since at least 2011. And it is\nactually a very useful switch, as Steve and I came to realize recently.\n\nAdd the text from\n\n  2cba3ffb9a9d (\"perf stat: Add -d -d and -d -d -d options to show more CPU events\")\n\nwhich added the incrementing aspect to -d.\n\nTested-by: Arnaldo Carvalho de Melo \u003cacme@redhat.com\u003e\nSigned-off-by: Borislav Petkov \u003cbp@suse.de\u003e\nSigned-off-by: Arnaldo Carvalho de Melo \u003cacme@redhat.com\u003e\nCc: Alexander Shishkin \u003calexander.shishkin@linux.intel.com\u003e\nCc: David Ahern \u003cdsahern@gmail.com\u003e\nCc: Davidlohr Bueso \u003cdbueso@suse.com\u003e\nCc: Jiri Olsa \u003cjolsa@redhat.com\u003e\nCc: Mel Gorman \u003cmgorman@suse.com\u003e\nCc: Namhyung Kim \u003cnamhyung@kernel.org\u003e\nCc: Peter Zijlstra \u003ca.p.zijlstra@chello.nl\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Steven Rostedt \u003crostedt@goodmis.org\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nFixes: 2cba3ffb9a9d (\"perf stat: Add -d -d and -d -d -d options to show more CPU events\")\nLink: http://lkml.kernel.org/r/1457347294-32546-1-git-send-email-bp@alien8.de\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nARM: OMAP3: Add cpuidle parameters table for omap3430\n\n[ Upstream commit 98f42221501353067251fbf11e732707dbb68ce3 ]\n\nBased on CPU type choose generic omap3 or omap3430 specific cpuidle\nparameters. Parameters for omap3430 were measured on Nokia N900 device and\nadded by commit 5a1b1d3a9efa (\"OMAP3: RX-51: Pass cpu idle parameters\")\nwhich were later removed by commit 231900afba52 (\"ARM: OMAP3: cpuidle -\nremove rx51 cpuidle parameters table\") due to huge code complexity.\n\nThis patch brings cpuidle parameters for omap3430 devices again, but uses\nsimple condition based on CPU type.\n\nFixes: 231900afba52 (\"ARM: OMAP3: cpuidle - remove rx51 cpuidle\nparameters table\")\nSigned-off-by: Pali Rohár \u003cpali.rohar@gmail.com\u003e\nAcked-by: Daniel Lezcano \u003cdaniel.lezcano@linaro.org\u003e\nSigned-off-by: Tony Lindgren \u003ctony@atomide.com\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\njme: Do not enable NIC WoL functions on S0\n\n[ Upstream commit 0772a99b818079e628a1da122ac7ee023faed83e ]\n\nOtherwise it might be back on resume right after going to suspend in\nsome hardware.\n\nReported-by: Diego Viola \u003cdiego.viola@gmail.com\u003e\nSigned-off-by: Guo-Fu Tseng \u003ccooldavid@cooldavid.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\njme: Fix device PM wakeup API usage\n\n[ Upstream commit 81422e672f8181d7ad1ee6c60c723aac649f538f ]\n\nAccording to Documentation/power/devices.txt\n\nThe driver should not use device_set_wakeup_enable() which is the policy\nfor user to decide.\n\nUsing device_init_wakeup() to initialize dev-\u003epower.should_wakeup and\ndev-\u003epower.can_wakeup on driver initialization.\n\nAnd use device_may_wakeup() on suspend to decide if WoL function should\nbe enabled on NIC.\n\nReported-by: Diego Viola \u003cdiego.viola@gmail.com\u003e\nSigned-off-by: Guo-Fu Tseng \u003ccooldavid@cooldavid.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nsunrpc/cache: drop reference when sunrpc_cache_pipe_upcall() detects a race\n\n[ Upstream commit a6ab1e8126d205238defbb55d23661a3a5c6a0d8 ]\n\nsunrpc_cache_pipe_upcall() can detect a race if CACHE_PENDING is no longer\nset.  In this case it aborts the queuing of the upcall.\nHowever it has already taken a new counted reference on \"h\" and\ndoesn\u0027t \"put\" it, even though it frees the data structure holding the reference.\n\nSo let\u0027s delay the \"cache_get\" until we know we need it.\n\nFixes: f9e1aedc6c79 (\"sunrpc/cache: remove races with queuing an upcall.\")\nSigned-off-by: NeilBrown \u003cneilb@suse.com\u003e\nSigned-off-by: J. Bruce Fields \u003cbfields@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nmegaraid_sas: add missing curly braces in ioctl handler\n\n[ Upstream commit 3deb9438d34a09f6796639b652a01d110aca9f75 ]\n\ngcc-6 found a dubious indentation in the megasas_mgmt_fw_ioctl\nfunction:\n\ndrivers/scsi/megaraid/megaraid_sas_base.c: In function \u0027megasas_mgmt_fw_ioctl\u0027:\ndrivers/scsi/megaraid/megaraid_sas_base.c:6658:4: warning: statement is indented as if it were guarded by... [-Wmisleading-indentation]\n    kbuff_arr[i] \u003d NULL;\n    ^~~~~~~~~\ndrivers/scsi/megaraid/megaraid_sas_base.c:6653:3: note: ...this \u0027if\u0027 clause, but it is not\n   if (kbuff_arr[i])\n   ^~\n\nThe code is actually correct, as there is no downside in clearing a NULL\npointer again.\n\nThis clarifies the code and avoids the warning by adding extra curly\nbraces.\n\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\nFixes: 90dc9d98f01b (\"megaraid_sas : MFI MPT linked list corruption fix\")\nReviewed-by: Hannes Reinecke \u003chare@suse.com\u003e\nAcked-by: Sumit Saxena \u003csumit.saxena@broadcom.com\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nipvs: correct initial offset of Call-ID header search in SIP persistence engine\n\n[ Upstream commit 7617a24f83b5d67f4dab1844956be1cebc44aec8 ]\n\nThe IPVS SIP persistence engine is not able to parse the SIP header\n\"Call-ID\" when such header is inserted in the first positions of\nthe SIP message.\n\nWhen IPVS is configured with \"--pe sip\" option, like for example:\nipvsadm -A -u 1.2.3.4:5060 -s rr --pe sip -p 120 -o\nsome particular messages (see below for details) do not create entries\nin the connection template table, which can be listed with:\nipvsadm -Lcn --persistent-conn\n\nProblematic SIP messages are SIP responses having \"Call-ID\" header\npositioned just after message first line:\nSIP/2.0 200 OK\n[Call-ID header here]\n[rest of the headers]\n\nWhen \"Call-ID\" header is positioned down (after a few other headers)\nit is correctly recognized.\n\nThis is due to the data offset used in get_callid function call inside\nip_vs_pe_sip.c file: since dptr already points to the start of the\nSIP message, the value of dataoff should be initially 0.\nOtherwise the header is searched starting from some bytes after the\nfirst character of the SIP message.\n\nFixes: 758ff0338722 (\"IPVS: sip persistence engine\")\nSigned-off-by: Marco Angaroni \u003cmarcoangaroni@gmail.com\u003e\nAcked-by: Julian Anastasov \u003cja@ssi.bg\u003e\nSigned-off-by: Simon Horman \u003chorms@verge.net.au\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnbd: ratelimit error msgs after socket close\n\n[ Upstream commit da6ccaaa79caca4f38b540b651238f87215217a2 ]\n\nMake the \"Attempted send on closed socket\" error messages generated in\nnbd_request_handler() ratelimited.\n\nWhen the nbd socket is shutdown, the nbd_request_handler() function emits\nan error message for every request remaining in its queue.  If the queue\nis large, this will spam a large amount of messages to the log.  There\u0027s\nno need for a separate error message for each request, so this patch\nratelimits it.\n\nIn the specific case this was found, the system was virtual and the error\nmessages were logged to the serial port, which overwhelmed it.\n\nFixes: 4d48a542b427 (\"nbd: fix I/O hang on disconnected nbds\")\nSigned-off-by: Dan Streetman \u003cdan.streetman@canonical.com\u003e\nSigned-off-by: Markus Pargmann \u003cmpa@pengutronix.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nclk: rockchip: free memory in error cases when registering clock branches\n\n[ Upstream commit 2467b6745e0ae9c6cdccff24c4cceeb14b1cce3f ]\n\nAdd free memeory if rockchip_clk_register_branch fails.\n\nFixes: a245fecbb806 (\"clk: rockchip: add basic infrastructure...\")\nSigned-off-by: Shawn Lin \u003cshawn.lin@rock-chips.com\u003e\nSigned-off-by: Heiko Stuebner \u003cheiko@sntech.de\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nclk: qcom: msm8960: fix ce3_core clk enable register\n\n[ Upstream commit 732d6913691848db9fabaa6a25b4d6fad10ddccf ]\n\nThis patch corrects the enable register offset which is actually 0x36cc\ninstead of 0x36c4\n\nSigned-off-by: Srinivas Kandagatla \u003csrinivas.kandagatla@linaro.org\u003e\nFixes: 5f775498bdc4 (\"clk: qcom: Fully support apq8064 global clock control\")\nSigned-off-by: Stephen Boyd \u003csboyd@codeaurora.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nclk: versatile: sp810: support reentrance\n\n[ Upstream commit ec7957a6aa0aaf981fb8356dc47a2cdd01cde03c ]\n\nDespite care take to allocate clocks state containers the\nSP810 driver actually just supports creating one instance:\nall clocks registered for every instance will end up with the\nexact same name and __clk_init() will fail.\n\nRename the timclken\u003c0\u003e .. timclken\u003cn\u003e to sp810_\u003cinstance\u003e_\u003cn\u003e\nso every clock on every instance gets a unique name.\n\nThis is necessary for the RealView PBA8 which has two SP810\nblocks: the second block will not register its clocks unless\nevery clock on every instance is unique and results in boot\nlogs like this:\n\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 0 at ../drivers/clk/versatile/clk-sp810.c:137\n  clk_sp810_of_setup+0x110/0x154()\nModules linked in:\nCPU: 0 PID: 0 Comm: swapper/0 Not tainted\n4.5.0-rc2-00030-g352718fc39f6-dirty #225\nHardware name: ARM RealView Machine (Device Tree Support)\n[\u003cc00167f8\u003e] (unwind_backtrace) from [\u003cc0013204\u003e]\n             (show_stack+0x10/0x14)\n[\u003cc0013204\u003e] (show_stack) from [\u003cc01a049c\u003e]\n             (dump_stack+0x84/0x9c)\n[\u003cc01a049c\u003e] (dump_stack) from [\u003cc0024990\u003e]\n             (warn_slowpath_common+0x74/0xb0)\n[\u003cc0024990\u003e] (warn_slowpath_common) from [\u003cc0024a68\u003e]\n             (warn_slowpath_null+0x1c/0x24)\n[\u003cc0024a68\u003e] (warn_slowpath_null) from [\u003cc051eb44\u003e]\n             (clk_sp810_of_setup+0x110/0x154)\n[\u003cc051eb44\u003e] (clk_sp810_of_setup) from [\u003cc051e3a4\u003e]\n             (of_clk_init+0x12c/0x1c8)\n[\u003cc051e3a4\u003e] (of_clk_init) from [\u003cc0504714\u003e]\n             (time_init+0x20/0x2c)\n[\u003cc0504714\u003e] (time_init) from [\u003cc0501b18\u003e]\n             (start_kernel+0x244/0x3c4)\n[\u003cc0501b18\u003e] (start_kernel) from [\u003c7000807c\u003e] (0x7000807c)\n---[ end trace cb88537fdc8fa200 ]---\n\nCc: Michael Turquette \u003cmturquette@baylibre.com\u003e\nCc: Pawel Moll \u003cpawel.moll@arm.com\u003e\nFixes: 6e973d2c4385 \"clk: vexpress: Add separate SP810 driver\"\nSigned-off-by: Linus Walleij \u003clinus.walleij@linaro.org\u003e\nSigned-off-by: Stephen Boyd \u003csboyd@codeaurora.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nclk: qcom: msm8960: Fix ce3_src register offset\n\n[ Upstream commit 0f75e1a370fd843c9e508fc1ccf0662833034827 ]\n\nThe offset seems to have been copied from the sata clk. Fix it so\nthat enabling the crypto engine source clk works.\n\nTested-by: Srinivas Kandagatla \u003csrinivas.kandagatla@linaro.org\u003e\nTested-by: Bjorn Andersson \u003cbjorn.andersson@linaro.org\u003e\nFixes: 5f775498bdc4 (\"clk: qcom: Fully support apq8064 global clock control\")\nSigned-off-by: Stephen Boyd \u003csboyd@codeaurora.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nlpfc: fix misleading indentation\n\n[ Upstream commit aeb6641f8ebdd61939f462a8255b316f9bfab707 ]\n\ngcc-6 complains about the indentation of the lpfc_destroy_vport_work_array()\ncall in lpfc_online(), which clearly doesn\u0027t look right:\n\ndrivers/scsi/lpfc/lpfc_init.c: In function \u0027lpfc_online\u0027:\ndrivers/scsi/lpfc/lpfc_init.c:2880:3: warning: statement is indented as if it were guarded by... [-Wmisleading-indentation]\n   lpfc_destroy_vport_work_array(phba, vports);\n   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~\ndrivers/scsi/lpfc/lpfc_init.c:2863:2: note: ...this \u0027if\u0027 clause, but it is not\n  if (vports !\u003d NULL)\n  ^~\n\nLooking at the patch that introduced this code, it\u0027s clear that the\nbehavior is correct and the indentation is wrong.\n\nThis fixes the indentation and adds curly braces around the previous\nif() block for clarity, as that is most likely what caused the code\nto be misindented in the first place.\n\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\nFixes: 549e55cd2a1b (\"[SCSI] lpfc 8.2.2 : Fix locking around HBA\u0027s port_list\")\nReviewed-by: Sebastian Herbszt \u003cherbszt@gmx.de\u003e\nReviewed-by: Hannes Reinecke \u003chare@suse.com\u003e\nReviewed-by: Ewan D. Milne \u003cemilne@redhat.com\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nInput: zforce_ts - fix dual touch recognition\n\n[ Upstream commit 6984ab1ab35f422292b7781c65284038bcc0f6a6 ]\n\nA wrong decoding of the touch coordinate message causes a wrong touch\nID. Touch ID for dual touch must be 0 or 1.\n\nAccording to the actual Neonode nine byte touch coordinate coding,\nthe state is transported in the lower nibble and the touch ID in\nthe higher nibble of payload byte five.\n\nSigned-off-by: Knut Wohlrab \u003cKnut.Wohlrab@de.bosch.com\u003e\nSigned-off-by: Oleksij Rempel \u003clinux@rempel-privat.de\u003e\nSigned-off-by: Dirk Behme \u003cdirk.behme@de.bosch.com\u003e\nSigned-off-by: Dmitry Torokhov \u003cdmitry.torokhov@gmail.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nbatman-adv: Check skb size before using encapsulated ETH+VLAN header\n\n[ Upstream commit c78296665c3d81f040117432ab9e1cb125521b0c ]\n\nThe encapsulated ethernet and VLAN header may be outside the received\nethernet frame. Thus the skb buffer size has to be checked before it can be\nparsed to find out if it encapsulates another batman-adv packet.\n\nFixes: 420193573f11 (\"batman-adv: softif bridge loop avoidance\")\nSigned-off-by: Sven Eckelmann \u003csven@narfation.org\u003e\nSigned-off-by: Marek Lindner \u003cmareklindner@neomailbox.ch\u003e\nSigned-off-by: Antonio Quartulli \u003ca@unstable.cc\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nbatman-adv: Fix broadcast/ogm queue limit on a removed interface\n\n[ Upstream commit c4fdb6cff2aa0ae740c5f19b6f745cbbe786d42f ]\n\nWhen removing a single interface while a broadcast or ogm packet is\nstill pending then we will free the forward packet without releasing the\nqueue slots again.\n\nThis patch is supposed to fix this issue.\n\nFixes: 6d5808d4ae1b (\"batman-adv: Add missing hardif_free_ref in forw_packet_free\")\nSigned-off-by: Linus Lüssing \u003clinus.luessing@c0d3.blue\u003e\n[sven@narfation.org: fix conflicts with current version]\nSigned-off-by: Sven Eckelmann \u003csven@narfation.org\u003e\nSigned-off-by: Marek Lindner \u003cmareklindner@neomailbox.ch\u003e\nSigned-off-by: Antonio Quartulli \u003ca@unstable.cc\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nbatman-adv: Reduce refcnt of removed router when updating route\n\n[ Upstream commit d1a65f1741bfd9c69f9e4e2ad447a89b6810427d ]\n\n_batadv_update_route rcu_derefences orig_ifinfo-\u003erouter outside of a\nspinlock protected region to print some information messages to the debug\nlog. But this pointer is not checked again when the new pointer is assigned\nin the spinlock protected region. Thus is can happen that the value of\norig_ifinfo-\u003erouter changed in the meantime and thus the reference counter\nof the wrong router gets reduced after the spinlock protected region.\n\nJust rcu_dereferencing the value of orig_ifinfo-\u003erouter inside the spinlock\nprotected region (which also set the new pointer) is enough to get the\ncorrect old router object.\n\nFixes: e1a5382f978b (\"batman-adv: Make orig_node-\u003erouter an rcu protected pointer\")\nSigned-off-by: Sven Eckelmann \u003csven@narfation.org\u003e\nSigned-off-by: Marek Lindner \u003cmareklindner@neomailbox.ch\u003e\nSigned-off-by: Antonio Quartulli \u003ca@unstable.cc\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndecnet: Do not build routes to devices without decnet private data.\n\n[ Upstream commit a36a0d4008488fa545c74445d69eaf56377d5d4e ]\n\nIn particular, make sure we check for decnet private presence\nfor loopback devices.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nroute: do not cache fib route info on local routes with oif\n\n[ Upstream commit d6d5e999e5df67f8ec20b6be45e2229455ee3699 ]\n\nFor local routes that require a particular output interface we do not want\nto cache the result.  Caching the result causes incorrect behaviour when\nthere are multiple source addresses on the interface.  The end result\nbeing that if the intended recipient is waiting on that interface for the\npacket he won\u0027t receive it because it will be delivered on the loopback\ninterface and the IP_PKTINFO ipi_ifindex will be set to the loopback\ninterface as well.\n\nThis can be tested by running a program such as \"dhcp_release\" which\nattempts to inject a packet on a particular interface so that it is\nreceived by another program on the same board.  The receiving process\nshould see an IP_PKTINFO ipi_ifndex value of the source interface\n(e.g., eth1) instead of the loopback interface (e.g., lo).  The packet\nwill still appear on the loopback interface in tcpdump but the important\naspect is that the CMSG info is correct.\n\nSample dhcp_release command line:\n\n   dhcp_release eth1 192.168.204.222 02:11:33:22:44:66\n\nSigned-off-by: Allain Legacy \u003callain.legacy@windriver.com\u003e\nSigned off-by: Chris Friesen \u003cchris.friesen@windriver.com\u003e\nReviewed-by: Julian Anastasov \u003cja@ssi.bg\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\npacket: fix heap info leak in PACKET_DIAG_MCLIST sock_diag interface\n\n[ Upstream commit 309cf37fe2a781279b7675d4bb7173198e532867 ]\n\nBecause we miss to wipe the remainder of i-\u003eaddr[] in packet_mc_add(),\npdiag_put_mclist() leaks uninitialized heap bytes via the\nPACKET_DIAG_MCLIST netlink attribute.\n\nFix this by explicitly memset(0)ing the remaining bytes in i-\u003eaddr[].\n\nFixes: eea68e2f1a00 (\"packet: Report socket mclist info via diag module\")\nSigned-off-by: Mathias Krause \u003cminipli@googlemail.com\u003e\nCc: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nCc: Pavel Emelyanov \u003cxemul@parallels.com\u003e\nAcked-by: Pavel Emelyanov \u003cxemul@virtuozzo.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnet: sched: do not requeue a NULL skb\n\n[ Upstream commit 3dcd493fbebfd631913df6e2773cc295d3bf7d22 ]\n\nA failure in validate_xmit_skb_list() triggered an unconditional call\nto dev_requeue_skb with skb\u003dNULL. This slowly grows the queue\ndiscipline\u0027s qlen count until all traffic through the queue stops.\n\nWe take the optimistic approach and continue running the queue after a\nfailure since it is unknown if later packets also will fail in the\nvalidate path.\n\nFixes: 55a93b3ea780 (\"qdisc: validate skb without holding lock\")\nSigned-off-by: Lars Persson \u003clarper@axis.com\u003e\nAcked-by: Eric Dumazet \u003cedumazet@google.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\natl2: Disable unimplemented scatter/gather feature\n\n[ Upstream commit f43bfaeddc79effbf3d0fcb53ca477cca66f3db8 ]\n\natl2 includes NETIF_F_SG in hw_features even though it has no support\nfor non-linear skbs.  This bug was originally harmless since the\ndriver does not claim to implement checksum offload and that used to\nbe a requirement for SG.\n\nNow that SG and checksum offload are independent features, if you\nexplicitly enable SG *and* use one of the rare protocols that can use\nSG without checkusm offload, this potentially leaks sensitive\ninformation (before you notice that it just isn\u0027t working).  Therefore\nthis obscure bug has been designated CVE-2016-2117.\n\nReported-by: Justin Yackoski \u003cjyackoski@crypto-nite.com\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\nFixes: ec5f06156423 (\"net: Kill link between CSUM and SG features.\")\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnet/mlx4_en: fix spurious timestamping callbacks\n\n[ Upstream commit fc96256c906362e845d848d0f6a6354450059e81 ]\n\nWhen multiple skb are TX-completed in a row, we might incorrectly keep\na timestamp of a prior skb and cause extra work.\n\nFixes: ec693d47010e8 (\"net/mlx4_en: Add HW timestamping (TS) support\")\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nCc: Willem de Bruijn \u003cwillemb@google.com\u003e\nReviewed-by: Eran Ben Elisha \u003ceranbe@mellanox.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nbpf: fix double-fdput in replace_map_fd_with_map_ptr()\n\n[ Upstream commit 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 ]\n\nWhen bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode\nreferences a non-map file descriptor as a map file descriptor, the error\nhandling code called fdput() twice instead of once (in __bpf_map_get() and\nin replace_map_fd_with_map_ptr()). If the file descriptor table of the\ncurrent task is shared, this causes f_count to be decremented too much,\nallowing the struct file to be freed while it is still in use\n(use-after-free). This can be exploited to gain root privileges by an\nunprivileged user.\n\nThis bug was introduced in\ncommit 0246e64d9a5f (\"bpf: handle pseudo BPF_LD_IMM64 insn\"), but is only\nexploitable since\ncommit 1be7f75d1668 (\"bpf: enable non-root eBPF programs\") because\npreviously, CAP_SYS_ADMIN was required to reach the vulnerable code.\n\n(posted publicly according to request by maintainer)\n\nSigned-off-by: Jann Horn \u003cjannh@google.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nAcked-by: Alexei Starovoitov \u003cast@kernel.org\u003e\nAcked-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnet_sched: introduce qdisc_replace() helper\n\n[ Upstream commit 86a7996cc8a078793670d82ed97d5a99bb4e8496 ]\n\nRemove nearly duplicated code and prepare for the following patch.\n\nCc: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nAcked-by: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nSigned-off-by: Cong Wang \u003cxiyou.wangcong@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnet_sched: update hierarchical backlog too\n\n[ Upstream commit 2ccccf5fb43ff62b2b96cc58d95fc0b3596516e4 ]\n\nWhen the bottom qdisc decides to, for example, drop some packet,\nit calls qdisc_tree_decrease_qlen() to update the queue length\nfor all its ancestors, we need to update the backlog too to\nkeep the stats on root qdisc accurate.\n\nCc: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nAcked-by: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nSigned-off-by: Cong Wang \u003cxiyou.wangcong@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nsch_htb: update backlog as well\n\n[ Upstream commit 431e3a8e36a05a37126f34b41aa3a5a6456af04e ]\n\nWe saw qlen!\u003d0 but backlog\u003d\u003d0 on our production machine:\n\nqdisc htb 1: dev eth0 root refcnt 2 r2q 10 default 1 direct_packets_stat 0 ver 3.17\n Sent 172680457356 bytes 222469449 pkt (dropped 0, overlimits 123575834 requeues 0)\n backlog 0b 72p requeues 0\n\nThe problem is we only count qlen for HTB qdisc but not backlog.\nWe need to update backlog too when we update qlen, so that we\ncan at least know the average packet length.\n\nCc: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nAcked-by: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nSigned-off-by: Cong Wang \u003cxiyou.wangcong@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nsch_dsmark: update backlog as well\n\n[ Upstream commit bdf17661f63a79c3cb4209b970b1cc39e34f7543 ]\n\nSimilarly, we need to update backlog too when we update qlen.\n\nCc: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nSigned-off-by: Cong Wang \u003cxiyou.wangcong@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnetem: Segment GSO packets on enqueue\n\n[ Upstream commit 6071bd1aa13ed9e41824bafad845b7b7f4df5cfd ]\n\nThis was recently reported to me, and reproduced on the latest net kernel,\nwhen attempting to run netperf from a host that had a netem qdisc attached\nto the egress interface:\n\n[  788.073771] ---------------------[ cut here ]---------------------------\n[  788.096716] WARNING: at net/core/dev.c:2253 skb_warn_bad_offload+0xcd/0xda()\n[  788.129521] bnx2: caps\u003d(0x00000001801949b3, 0x0000000000000000) len\u003d2962\ndata_len\u003d0 gso_size\u003d1448 gso_type\u003d1 ip_summed\u003d3\n[  788.182150] Modules linked in: sch_netem kvm_amd kvm crc32_pclmul ipmi_ssif\nghash_clmulni_intel sp5100_tco amd64_edac_mod aesni_intel lrw gf128mul\nglue_helper ablk_helper edac_mce_amd cryptd pcspkr sg edac_core hpilo ipmi_si\ni2c_piix4 k10temp fam15h_power hpwdt ipmi_msghandler shpchp acpi_power_meter\npcc_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c\nsd_mod crc_t10dif crct10dif_generic mgag200 syscopyarea sysfillrect sysimgblt\ni2c_algo_bit drm_kms_helper ahci ata_generic pata_acpi ttm libahci\ncrct10dif_pclmul pata_atiixp tg3 libata crct10dif_common drm crc32c_intel ptp\nserio_raw bnx2 r8169 hpsa pps_core i2c_core mii dm_mirror dm_region_hash dm_log\ndm_mod\n[  788.465294] CPU: 16 PID: 0 Comm: swapper/16 Tainted: G        W\n------------   3.10.0-327.el7.x86_64 #1\n[  788.511521] Hardware name: HP ProLiant DL385p Gen8, BIOS A28 12/17/2012\n[  788.542260]  ffff880437c036b8 f7afc56532a53db9 ffff880437c03670\nffffffff816351f1\n[  788.576332]  ffff880437c036a8 ffffffff8107b200 ffff880633e74200\nffff880231674000\n[  788.611943]  0000000000000001 0000000000000003 0000000000000000\nffff880437c03710\n[  788.647241] Call Trace:\n[  788.658817]  \u003cIRQ\u003e  [\u003cffffffff816351f1\u003e] dump_stack+0x19/0x1b\n[  788.686193]  [\u003cffffffff8107b200\u003e] warn_slowpath_common+0x70/0xb0\n[  788.713803]  [\u003cffffffff8107b29c\u003e] warn_slowpath_fmt+0x5c/0x80\n[  788.741314]  [\u003cffffffff812f92f3\u003e] ? ___ratelimit+0x93/0x100\n[  788.767018]  [\u003cffffffff81637f49\u003e] skb_warn_bad_offload+0xcd/0xda\n[  788.796117]  [\u003cffffffff8152950c\u003e] skb_checksum_help+0x17c/0x190\n[  788.823392]  [\u003cffffffffa01463a1\u003e] netem_enqueue+0x741/0x7c0 [sch_netem]\n[  788.854487]  [\u003cffffffff8152cb58\u003e] dev_queue_xmit+0x2a8/0x570\n[  788.880870]  [\u003cffffffff8156ae1d\u003e] ip_finish_output+0x53d/0x7d0\n...\n\nThe problem occurs because netem is not prepared to handle GSO packets (as it\nuses skb_checksum_help in its enqueue path, which cannot manipulate these\nframes).\n\nThe solution I think is to simply segment the skb in a simmilar fashion to the\nway we do in __dev_queue_xmit (via validate_xmit_skb), with some minor changes.\nWhen we decide to corrupt an skb, if the frame is GSO, we segment it, corrupt\nthe first segment, and enqueue the remaining ones.\n\ntested successfully by myself on the latest net kernel, to which this applies\n\nSigned-off-by: Neil Horman \u003cnhorman@tuxdriver.com\u003e\nCC: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nCC: \"David S. Miller\" \u003cdavem@davemloft.net\u003e\nCC: netem@lists.linux-foundation.org\nCC: eric.dumazet@gmail.com\nCC: stephen@networkplumber.org\nAcked-by: Eric Dumazet \u003cedumazet@google.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnet: fec: only clear a queue\u0027s work bit if the queue was emptied\n\n[ Upstream commit 1c021bb717a70aaeaa4b25c91f43c2aeddd922de ]\n\nIn the receive path a queue\u0027s work bit was cleared unconditionally even\nif fec_enet_rx_queue only read out a part of the available packets from\nthe hardware. This resulted in not reading any packets in the next napi\nturn and so packets were delayed or lost.\n\nThe obvious fix is to only clear a queue\u0027s bit when the queue was\nemptied.\n\nFixes: 4d494cdc92b3 (\"net: fec: change data structure to support multiqueue\")\nSigned-off-by: Uwe Kleine-König \u003cu.kleine-koenig@pengutronix.de\u003e\nReviewed-by: Lucas Stach \u003cl.stach@pengutronix.de\u003e\nTested-by: Fugang Duan \u003cfugang.duan@nxp.com\u003e\nAcked-by: Fugang Duan \u003cfugang.duan@nxp.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnet: fix infoleak in llc\n\n[ Upstream commit b8670c09f37bdf2847cc44f36511a53afc6161fd ]\n\nThe stack object “info” has a total size of 12 bytes. Its last byte\nis padding which is not initialized and leaked via “put_cmsg”.\n\nSigned-off-by: Kangjie Lu \u003ckjlu@gatech.edu\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nVSOCK: do not disconnect socket when peer has shutdown SEND only\n\n[ Upstream commit dedc58e067d8c379a15a8a183c5db318201295bb ]\n\nThe peer may be expecting a reply having sent a request and then done a\nshutdown(SHUT_WR), so tearing down the whole socket at this point seems\nwrong and breaks for me with a client which does a SHUT_WR.\n\nLooking at other socket family\u0027s stream_recvmsg callbacks doing a shutdown\nhere does not seem to be the norm and removing it does not seem to have\nhad any adverse effects that I can see.\n\nI\u0027m using Stefan\u0027s RFC virtio transport patches, I\u0027m unsure of the impact\non the vmci transport.\n\nSigned-off-by: Ian Campbell \u003cian.campbell@docker.com\u003e\nCc: \"David S. Miller\" \u003cdavem@davemloft.net\u003e\nCc: Stefan Hajnoczi \u003cstefanha@redhat.com\u003e\nCc: Claudio Imbrenda \u003cimbrenda@linux.vnet.ibm.com\u003e\nCc: Andy King \u003cacking@vmware.com\u003e\nCc: Dmitry Torokhov \u003cdtor@vmware.com\u003e\nCc: Jorgen Hansen \u003cjhansen@vmware.com\u003e\nCc: Adit Ranadive \u003caditr@vmware.com\u003e\nCc: netdev@vger.kernel.org\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnet: bridge: fix old ioctl unlocked net device walk\n\n[ Upstream commit 31ca0458a61a502adb7ed192bf9716c6d05791a5 ]\n\nget_bridge_ifindices() is used from the old \"deviceless\" bridge ioctl\ncalls which aren\u0027t called with rtnl held. The comment above says that it is\ncalled with rtnl but that is not really the case.\nHere\u0027s a sample output from a test ASSERT_RTNL() which I put in\nget_bridge_ifindices and executed \"brctl show\":\n[  957.422726] RTNL: assertion failed at net/bridge//br_ioctl.c (30)\n[  957.422925] CPU: 0 PID: 1862 Comm: brctl Tainted: G        W  O\n4.6.0-rc4+ #157\n[  957.423009] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS 1.8.1-20150318_183358- 04/01/2014\n[  957.423009]  0000000000000000 ffff880058adfdf0 ffffffff8138dec5\n0000000000000400\n[  957.423009]  ffffffff81ce8380 ffff880058adfe58 ffffffffa05ead32\n0000000000000001\n[  957.423009]  00007ffec1a444b0 0000000000000400 ffff880053c19130\n0000000000008940\n[  957.423009] Call Trace:\n[  957.423009]  [\u003cffffffff8138dec5\u003e] dump_stack+0x85/0xc0\n[  957.423009]  [\u003cffffffffa05ead32\u003e]\nbr_ioctl_deviceless_stub+0x212/0x2e0 [bridge]\n[  957.423009]  [\u003cffffffff81515beb\u003e] sock_ioctl+0x22b/0x290\n[  957.423009]  [\u003cffffffff8126ba75\u003e] do_vfs_ioctl+0x95/0x700\n[  957.423009]  [\u003cffffffff8126c159\u003e] SyS_ioctl+0x79/0x90\n[  957.423009]  [\u003cffffffff8163a4c0\u003e] entry_SYSCALL_64_fastpath+0x23/0xc1\n\nSince it only reads bridge ifindices, we can use rcu to safely walk the net\ndevice list. Also remove the wrong rtnl comment above.\n\nSigned-off-by: Nikolay Aleksandrov \u003cnikolay@cumulusnetworks.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnet: fix a kernel infoleak in x25 module\n\n[ Upstream commit 79e48650320e6fba48369fccf13fd045315b19b8 ]\n\nStack object \"dte_facilities\" is allocated in x25_rx_call_request(),\nwhich is supposed to be initialized in x25_negotiate_facilities.\nHowever, 5 fields (8 bytes in total) are not initialized. This\nobject is then copied to userland via copy_to_user, thus infoleak\noccurs.\n\nSigned-off-by: Kangjie Lu \u003ckjlu@gatech.edu\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ntcp: refresh skb timestamp at retransmit time\n\n[ Upstream commit 10a81980fc47e64ffac26a073139813d3f697b64 ]\n\nIn the very unlikely case __tcp_retransmit_skb() can not use the cloning\ndone in tcp_transmit_skb(), we need to refresh skb_mstamp before doing\nthe copy and transmit, otherwise TCP TS val will be an exact copy of\noriginal transmit.\n\nFixes: 7faee5c0d514 (\"tcp: remove TCP_SKB_CB(skb)-\u003ewhen\")\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nCc: Yuchung Cheng \u003cycheng@google.com\u003e\nAcked-by: Yuchung Cheng \u003cycheng@google.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ndrm/radeon: fix PLL sharing on DCE6.1 (v2)\n\n[ Upstream commit e3c00d87845ab375f90fa6e10a5e72a3a5778cd3 ]\n\nOn DCE6.1 PPLL2 is exclusively available to UNIPHYA, so it should not\nbe taken into consideration when looking for an already enabled PLL\nto be shared with other outputs.\n\nThis fixes the broken VGA port (TRAVIS DP-\u003eVGA bridge) on my Richland\nbased laptop, where the internal display is connected to UNIPHYA through\na TRAVIS DP-\u003eLVDS bridge.\n\nBug:\nhttps://bugs.freedesktop.org/show_bug.cgi?id\u003d78987\n\nv2: agd: add check in radeon_get_shared_nondp_ppll as well, drop\n    extra parameter.\n\nSigned-off-by: Lucas Stach \u003cdev@lynxeye.de\u003e\nSigned-off-by: Alex Deucher \u003calexander.deucher@amd.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nBtrfs: don\u0027t use src fd for printk\n\n[ Upstream commit c79b4713304f812d3d6c95826fc3e5fc2c0b0c14 ]\n\nThe fd we pass in may not be on a btrfs file system, so don\u0027t try to do\nBTRFS_I() on it.  Thanks,\n\nSigned-off-by: Josef Bacik \u003cjbacik@fb.com\u003e\nReviewed-by: David Sterba \u003cdsterba@suse.com\u003e\nSigned-off-by: David Sterba \u003cdsterba@suse.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ntty: vt, return error when con_startup fails\n\n[ Upstream commit 6798df4c5fe0a7e6d2065cf79649a794e5ba7114 ]\n\nWhen csw-\u003econ_startup() fails in do_register_con_driver, we return no\nerror (i.e. 0). This was changed back in 2006 by commit 3e795de763.\nBefore that we used to return -ENODEV.\n\nSo fix the return value to be -ENODEV in that case again.\n\nFixes: 3e795de763 (\"VT binding: Add binding/unbinding support for the VT console\")\nSigned-off-by: Jiri Slaby \u003cjslaby@suse.cz\u003e\nReported-by: \"Dan Carpenter\" \u003cdan.carpenter@oracle.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nserial: samsung: Reorder the sequence of clock control when call s3c24xx_serial_set_termios()\n\n[ Upstream commit b8995f527aac143e83d3900ff39357651ea4e0f6 ]\n\nThis patch fixes the broken serial log when changing the clock source\nof uart device. Before disabling the original clock source, this patch\nenables the new clock source to protect the clock off state for a split second.\n\nSigned-off-by: Chanwoo Choi \u003ccw00.choi@samsung.com\u003e\nReviewed-by: Marek Szyprowski \u003cm.szyprowski@samsung.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nMIPS: Reserve nosave data for hibernation\n\n[ Upstream commit a95d069204e178f18476f5499abab0d0d9cbc32c ]\n\nAfter commit 92923ca3aacef63c92d (\"mm: meminit: only set page reserved\nin the memblock region\"), the MIPS hibernation is broken. Because pages\nin nosave data section should be \"reserved\", but currently they aren\u0027t\nset to \"reserved\" at initialization. This patch makes hibernation work\nagain.\n\nSigned-off-by: Huacai Chen \u003cchenhc@lemote.com\u003e\nCc: Aurelien Jarno \u003caurelien@aurel32.net\u003e\nCc: Steven J . Hill \u003csjhill@realitydiluted.com\u003e\nCc: Fuxin Zhang \u003czhangfx@lemote.com\u003e\nCc: Zhangjin Wu \u003cwuzhangjin@gmail.com\u003e\nCc: linux-mips@linux-mips.org\nCc: stable@vger.kernel.org\nPatchwork: https://patchwork.linux-mips.org/patch/12888/\nSigned-off-by: Ralf Baechle \u003cralf@linux-mips.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nxfs: print name of verifier if it fails\n\n[ Upstream commit 233135b763db7c64d07b728a9c66745fb0376275 ]\n\nThis adds a name to each buf_ops structure, so that if\na verifier fails we can print the type of verifier that\nfailed it.  Should be a slight debugging aid, I hope.\n\nSigned-off-by: Eric Sandeen \u003csandeen@redhat.com\u003e\nReviewed-by: Brian Foster \u003cbfoster@redhat.com\u003e\nSigned-off-by: Dave Chinner \u003cdavid@fromorbit.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnetlink: Fix dump skb leak/double free\n\n[ Upstream commit 92964c79b357efd980812c4de5c1fd2ec8bb5520 ]\n\nWhen we free cb-\u003eskb after a dump, we do it after releasing the\nlock.  This means that a new dump could have started in the time\nbeing and we\u0027ll end up freeing their skb instead of ours.\n\nThis patch saves the skb and module before we unlock so we free\nthe right memory.\n\nFixes: 16b304f3404f (\"netlink: Eliminate kmalloc in netlink dump operation.\")\nReported-by: Baozeng Ding \u003csploving1@gmail.com\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nAcked-by: Cong Wang \u003cxiyou.wangcong@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ntuntap: correctly wake up process during uninit\n\n[ Upstream commit addf8fc4acb1cf79492ac64966f07178793cb3d7 ]\n\nWe used to check dev-\u003ereg_state against NETREG_REGISTERED after each\ntime we are woke up. But after commit 9e641bdcfa4e (\"net-tun:\nrestructure tun_do_read for better sleep/wakeup efficiency\"), it uses\nskb_recv_datagram() which does not check dev-\u003ereg_state. This will\nresult if we delete a tun/tap device after a process is blocked in the\nreading. The device will wait for the reference count which was held\nby that process for ever.\n\nFixes this by using RCV_SHUTDOWN which will be checked during\nsk_recv_datagram() before trying to wake up the process during uninit.\n\nFixes: 9e641bdcfa4e (\"net-tun: restructure tun_do_read for better\nsleep/wakeup efficiency\")\nCc: Eric Dumazet \u003cedumazet@google.com\u003e\nCc: Xi Wang \u003cxii@google.com\u003e\nCc: Michael S. Tsirkin \u003cmst@redhat.com\u003e\nSigned-off-by: Jason Wang \u003cjasowang@redhat.com\u003e\nAcked-by: Eric Dumazet \u003cedumazet@google.com\u003e\nAcked-by: Michael S. Tsirkin \u003cmst@redhat.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nsfc: on MC reset, clear PIO buffer linkage in TXQs\n\n[ Upstream commit c0795bf64cba4d1b796fdc5b74b33772841ed1bb ]\n\nOtherwise, if we fail to allocate new PIO buffers, our TXQs will try to\nuse the old ones, which aren\u0027t there any more.\n\nFixes: 183233bec810 \"sfc: Allocate and link PIO buffers; map them with write-combining\"\nSigned-off-by: Edward Cree \u003cecree@solarflare.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ntcp: record TLP and ER timer stats in v6 stats\n\n[ Upstream commit ce3cf4ec0305919fc69a972f6c2b2efd35d36abc ]\n\nThe v6 tcp stats scan do not provide TLP and ER timer information\ncorrectly like the v4 version . This patch fixes that.\n\nFixes: 6ba8a3b19e76 (\"tcp: Tail loss probe (TLP)\")\nFixes: eed530b6c676 (\"tcp: early retransmit\")\nSigned-off-by: Yuchung Cheng \u003cycheng@google.com\u003e\nSigned-off-by: Neal Cardwell \u003cncardwell@google.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nsparc: Fix system call tracing register handling.\n\n[ Upstream commit 1a40b95374f680625318ab61d81958e949e0afe3 ]\n\nA system call trace trigger on entry allows the tracing\nprocess to inspect and potentially change the traced\nprocess\u0027s registers.\n\nAccount for that by reloading the %g1 (syscall number)\nand %i0-%i5 (syscall argument) values.  We need to be\ncareful to revalidate the range of %g1, and reload the\nsystem call table entry it corresponds to into %l7.\n\nReported-by: Mike Frysinger \u003cvapier@gentoo.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nTested-by: Mike Frysinger \u003cvapier@gentoo.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nsparc64: Fix bootup regressions on some Kconfig combinations.\n\n[ Upstream commit 49fa5230462f9f2c4e97c81356473a6bdf06c422 ]\n\nThe system call tracing bug fix mentioned in the Fixes tag\nbelow increased the amount of assembler code in the sequence\nof assembler files included by head_64.S\n\nThis caused to total set of code to exceed 0x4000 bytes in\nsize, which overflows the expression in head_64.S that works\nto place swapper_tsb at address 0x408000.\n\nWhen this is violated, the TSB is not properly aligned, and\nalso the trap table is not aligned properly either.  All of\nthis together results in failed boots.\n\nSo, do two things:\n\n1) Simplify some code by using ba,a instead of ba/nop to get\n   those bytes back.\n\n2) Add a linker script assertion to make sure that if this\n   happens again the build will fail.\n\nFixes: 1a40b95374f6 (\"sparc: Fix system call tracing register handling.\")\nReported-by: Meelis Roos \u003cmroos@linux.ee\u003e\nReported-by: Joerg Abraham \u003cjoerg.abraham@nokia.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nsparc64: Fix numa node distance initialization\n\n[ Upstream commit 36beca6571c941b28b0798667608239731f9bc3a ]\n\nOrabug: 22495713\n\nCurrently, NUMA node distance matrix is initialized only\nwhen a machine descriptor (MD) exists. However, sun4u\nmachines (e.g. Sun Blade 2500) do not have an MD and thus\ndistance values were left uninitialized. The initialization\nis now moved such that it happens on both sun4u and sun4v.\n\nSigned-off-by: Nitin Gupta \u003cnitin.m.gupta@oracle.com\u003e\nTested-by: Mikael Pettersson \u003cmikpelinux@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nsparc64: Fix sparc64_set_context stack handling.\n\n[ Upstream commit 397d1533b6cce0ccb5379542e2e6d079f6936c46 ]\n\nLike a signal return, we should use synchronize_user_stack() rather\nthan flush_user_windows().\n\nReported-by: Ilya Malakhov \u003cilmalakhovthefirst@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nsparc/PCI: Fix for panic while enabling SR-IOV\n\n[ Upstream commit d0c31e02005764dae0aab130a57e9794d06b824d ]\n\nWe noticed this panic while enabling SR-IOV in sparc.\n\nmlx4_core: Mellanox ConnectX core driver v2.2-1 (Jan  1 2015)\nmlx4_core: Initializing 0007:01:00.0\nmlx4_core 0007:01:00.0: Enabling SR-IOV with 5 VFs\nmlx4_core: Initializing 0007:01:00.1\nUnable to handle kernel NULL pointer dereference\ninsmod(10010): Oops [#1]\nCPU: 391 PID: 10010 Comm: insmod Not tainted\n\t\t4.1.12-32.el6uek.kdump2.sparc64 #1\nTPC: \u003cdma_supported+0x20/0x80\u003e\nI7: \u003c__mlx4_init_one+0x324/0x500 [mlx4_core]\u003e\nCall Trace:\n [00000000104c5ea4] __mlx4_init_one+0x324/0x500 [mlx4_core]\n [00000000104c613c] mlx4_init_one+0xbc/0x120 [mlx4_core]\n [0000000000725f14] local_pci_probe+0x34/0xa0\n [0000000000726028] pci_call_probe+0xa8/0xe0\n [0000000000726310] pci_device_probe+0x50/0x80\n [000000000079f700] really_probe+0x140/0x420\n [000000000079fa24] driver_probe_device+0x44/0xa0\n [000000000079fb5c] __device_attach+0x3c/0x60\n [000000000079d85c] bus_for_each_drv+0x5c/0xa0\n [000000000079f588] device_attach+0x88/0xc0\n [000000000071acd0] pci_bus_add_device+0x30/0x80\n [0000000000736090] virtfn_add.clone.1+0x210/0x360\n [00000000007364a4] sriov_enable+0x2c4/0x520\n [000000000073672c] pci_enable_sriov+0x2c/0x40\n [00000000104c2d58] mlx4_enable_sriov+0xf8/0x180 [mlx4_core]\n [00000000104c49ac] mlx4_load_one+0x42c/0xd40 [mlx4_core]\nDisabling lock debugging due to kernel taint\nCaller[00000000104c5ea4]: __mlx4_init_one+0x324/0x500 [mlx4_core]\nCaller[00000000104c613c]: mlx4_init_one+0xbc/0x120 [mlx4_core]\nCaller[0000000000725f14]: local_pci_probe+0x34/0xa0\nCaller[0000000000726028]: pci_call_probe+0xa8/0xe0\nCaller[0000000000726310]: pci_device_probe+0x50/0x80\nCaller[000000000079f700]: really_probe+0x140/0x420\nCaller[000000000079fa24]: driver_probe_device+0x44/0xa0\nCaller[000000000079fb5c]: __device_attach+0x3c/0x60\nCaller[000000000079d85c]: bus_for_each_drv+0x5c/0xa0\nCaller[000000000079f588]: device_attach+0x88/0xc0\nCaller[000000000071acd0]: pci_bus_add_device+0x30/0x80\nCaller[0000000000736090]: virtfn_add.clone.1+0x210/0x360\nCaller[00000000007364a4]: sriov_enable+0x2c4/0x520\nCaller[000000000073672c]: pci_enable_sriov+0x2c/0x40\nCaller[00000000104c2d58]: mlx4_enable_sriov+0xf8/0x180 [mlx4_core]\nCaller[00000000104c49ac]: mlx4_load_one+0x42c/0xd40 [mlx4_core]\nCaller[00000000104c5f90]: __mlx4_init_one+0x410/0x500 [mlx4_core]\nCaller[00000000104c613c]: mlx4_init_one+0xbc/0x120 [mlx4_core]\nCaller[0000000000725f14]: local_pci_probe+0x34/0xa0\nCaller[0000000000726028]: pci_call_probe+0xa8/0xe0\nCaller[0000000000726310]: pci_device_probe+0x50/0x80\nCaller[000000000079f700]: really_probe+0x140/0x420\nCaller[000000000079fa24]: driver_probe_device+0x44/0xa0\nCaller[000000000079fb08]: __driver_attach+0x88/0xa0\nCaller[000000000079d90c]: bus_for_each_dev+0x6c/0xa0\nCaller[000000000079f29c]: driver_attach+0x1c/0x40\nCaller[000000000079e35c]: bus_add_driver+0x17c/0x220\nCaller[00000000007a02d4]: driver_register+0x74/0x120\nCaller[00000000007263fc]: __pci_register_driver+0x3c/0x60\nCaller[00000000104f62bc]: mlx4_init+0x60/0xcc [mlx4_core]\nKernel panic - not syncing: Fatal exception\nPress Stop-A (L1-A) to return to the boot prom\n---[ end Kernel panic - not syncing: Fatal exception\n\nDetails:\nHere is the call sequence\nvirtfn_add-\u003e__mlx4_init_one-\u003edma_set_mask-\u003edma_supported\n\nThe panic happened at line 760(file arch/sparc/kernel/iommu.c)\n\n758 int dma_supported(struct device *dev, u64 device_mask)\n759 {\n760         struct iommu *iommu \u003d dev-\u003earchdata.iommu;\n761         u64 dma_addr_mask \u003d iommu-\u003edma_addr_mask;\n762\n763         if (device_mask \u003e\u003d (1UL \u003c\u003c 32UL))\n764                 return 0;\n765\n766         if ((device_mask \u0026 dma_addr_mask) \u003d\u003d dma_addr_mask)\n767                 return 1;\n768\n769 #ifdef CONFIG_PCI\n770         if (dev_is_pci(dev))\n771\t\treturn pci64_dma_supported(to_pci_dev(dev), device_mask);\n772 #endif\n773\n774         return 0;\n775 }\n776 EXPORT_SYMBOL(dma_supported);\n\nSame panic happened with Intel ixgbe driver also.\n\nSR-IOV code looks for arch specific data while enabling\nVFs. When VF device is added, driver probe function makes set\nof calls to initialize the pci device. Because the VF device is\nadded different way than the normal PF device(which happens via\nof_create_pci_dev for sparc), some of the arch specific initialization\ndoes not happen for VF device.  That causes panic when archdata is\naccessed.\n\nTo fix this, I have used already defined weak function\npcibios_setup_device to copy archdata from PF to VF.\nAlso verified the fix.\n\nSigned-off-by: Babu Moger \u003cbabu.moger@oracle.com\u003e\nSigned-off-by: Sowmini Varadhan \u003csowmini.varadhan@oracle.com\u003e\nReviewed-by: Ethan Zhao \u003cethan.zhao@oracle.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nsparc64: Take ctx_alloc_lock properly in hugetlb_setup().\n\n[ Upstream commit 9ea46abe22550e3366ff7cee2f8391b35b12f730 ]\n\nOn cheetahplus chips we take the ctx_alloc_lock in order to\nmodify the TLB lookup parameters for the indexed TLBs, which\nare stored in the context register.\n\nThis is called with interrupts disabled, however ctx_alloc_lock\nis an IRQ safe lock, therefore we must take acquire/release it\nproperly with spin_{lock,unlock}_irq().\n\nReported-by: Meelis Roos \u003cmroos@linux.ee\u003e\nTested-by: Meelis Roos \u003cmroos@linux.ee\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nsparc: Harden signal return frame checks.\n\n[ Upstream commit d11c2a0de2824395656cf8ed15811580c9dd38aa ]\n\nAll signal frames must be at least 16-byte aligned, because that is\nthe alignment we explicitly create when we build signal return stack\nframes.\n\nAll stack pointers must be at least 8-byte aligned.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nsparc64: Fix return from trap window fill crashes.\n\n[ Upstream commit 7cafc0b8bf130f038b0ec2dcdd6a9de6dc59b65a ]\n\nWe must handle data access exception as well as memory address unaligned\nexceptions from return from trap window fill faults, not just normal\nTLB misses.\n\nOtherwise we can get an OOPS that looks like this:\n\nld-linux.so.2(36808): Kernel bad sw trap 5 [#1]\nCPU: 1 PID: 36808 Comm: ld-linux.so.2 Not tainted 4.6.0 #34\ntask: fff8000303be5c60 ti: fff8000301344000 task.ti: fff8000301344000\nTSTATE: 0000004410001601 TPC: 0000000000a1a784 TNPC: 0000000000a1a788 Y: 00000002    Not tainted\nTPC: \u003cdo_sparc64_fault+0x5c4/0x700\u003e\ng0: fff8000024fc8248 g1: 0000000000db04dc g2: 0000000000000000 g3: 0000000000000001\ng4: fff8000303be5c60 g5: fff800030e672000 g6: fff8000301344000 g7: 0000000000000001\no0: 0000000000b95ee8 o1: 000000000000012b o2: 0000000000000000 o3: 0000000200b9b358\no4: 0000000000000000 o5: fff8000301344040 sp: fff80003013475c1 ret_pc: 0000000000a1a77c\nRPC: \u003cdo_sparc64_fault+0x5bc/0x700\u003e\nl0: 00000000000007ff l1: 0000000000000000 l2: 000000000000005f l3: 0000000000000000\nl4: fff8000301347e98 l5: fff8000024ff3060 l6: 0000000000000000 l7: 0000000000000000\ni0: fff8000301347f60 i1: 0000000000102400 i2: 0000000000000000 i3: 0000000000000000\ni4: 0000000000000000 i5: 0000000000000000 i6: fff80003013476a1 i7: 0000000000404d4c\nI7: \u003cuser_rtt_fill_fixup+0x6c/0x7c\u003e\nCall Trace:\n [0000000000404d4c] user_rtt_fill_fixup+0x6c/0x7c\n\nThe window trap handlers are slightly clever, the trap table entries for them are\ncomposed of two pieces of code.  First comes the code that actually performs\nthe window fill or spill trap handling, and then there are three instructions at\nthe end which are for exception processing.\n\nThe userland register window fill handler is:\n\n\tadd\t%sp, STACK_BIAS + 0x00, %g1;\t\t\\\n\tldxa\t[%g1 + %g0] ASI, %l0;\t\t\t\\\n\tmov\t0x08, %g2;\t\t\t\t\\\n\tmov\t0x10, %g3;\t\t\t\t\\\n\tldxa\t[%g1 + %g2] ASI, %l1;\t\t\t\\\n\tmov\t0x18, %g5;\t\t\t\t\\\n\tldxa\t[%g1 + %g3] ASI, %l2;\t\t\t\\\n\tldxa\t[%g1 + %g5] ASI, %l3;\t\t\t\\\n\tadd\t%g1, 0x20, %g1;\t\t\t\t\\\n\tldxa\t[%g1 + %g0] ASI, %l4;\t\t\t\\\n\tldxa\t[%g1 + %g2] ASI, %l5;\t\t\t\\\n\tldxa\t[%g1 + %g3] ASI, %l6;\t\t\t\\\n\tldxa\t[%g1 + %g5] ASI, %l7;\t\t\t\\\n\tadd\t%g1, 0x20, %g1;\t\t\t\t\\\n\tldxa\t[%g1 + %g0] ASI, %i0;\t\t\t\\\n\tldxa\t[%g1 + %g2] ASI, %i1;\t\t\t\\\n\tldxa\t[%g1 + %g3] ASI, %i2;\t\t\t\\\n\tldxa\t[%g1 + %g5] ASI, %i3;\t\t\t\\\n\tadd\t%g1, 0x20, %g1;\t\t\t\t\\\n\tldxa\t[%g1 + %g0] ASI, %i4;\t\t\t\\\n\tldxa\t[%g1 + %g2] ASI, %i5;\t\t\t\\\n\tldxa\t[%g1 + %g3] ASI, %i6;\t\t\t\\\n\tldxa\t[%g1 + %g5] ASI, %i7;\t\t\t\\\n\trestored;\t\t\t\t\t\\\n\tretry; nop; nop; nop; nop;\t\t\t\\\n\tb,a,pt\t%xcc, fill_fixup_dax;\t\t\t\\\n\tb,a,pt\t%xcc, fill_fixup_mna;\t\t\t\\\n\tb,a,pt\t%xcc, fill_fixup;\n\nAnd the way this works is that if any of those memory accesses\ngenerate an exception, the exception handler can revector to one of\nthose final three branch instructions depending upon which kind of\nexception the memory access took.  In this way, the fault handler\ndoesn\u0027t have to know if it was a spill or a fill that it\u0027s handling\nthe fault for.  It just always branches to the last instruction in\nthe parent trap\u0027s handler.\n\nFor example, for a regular fault, the code goes:\n\nwinfix_trampoline:\n\trdpr\t%tpc, %g3\n\tor\t%g3, 0x7c, %g3\n\twrpr\t%g3, %tnpc\n\tdone\n\nAll window trap handlers are 0x80 aligned, so if we \"or\" 0x7c into the\ntrap time program counter, we\u0027ll get that final instruction in the\ntrap handler.\n\nOn return from trap, we have to pull the register window in but we do\nthis by hand instead of just executing a \"restore\" instruction for\nseveral reasons.  The largest being that from Niagara and onward we\nsimply don\u0027t have enough levels in the trap stack to fully resolve all\npossible exception cases of a window fault when we are already at\ntrap level 1 (which we enter to get ready to return from the original\ntrap).\n\nThis is executed inline via the FILL_*_RTRAP handlers.  rtrap_64.S\u0027s\ncode branches directly to these to do the window fill by hand if\nnecessary.  Now if you look at them, we\u0027ll see at the end:\n\n\t    ba,a,pt    %xcc, user_rtt_fill_fixup;\n\t    ba,a,pt    %xcc, user_rtt_fill_fixup;\n\t    ba,a,pt    %xcc, user_rtt_fill_fixup;\n\nAnd oops, all three cases are handled like a fault.\n\nThis doesn\u0027t work because each of these trap types (data access\nexception, memory address unaligned, and faults) store their auxiliary\ninfo in different registers to pass on to the C handler which does the\nreal work.\n\nSo in the case where the stack was unaligned, the unaligned trap\nhandler sets up the arg registers one way, and then we branched to\nthe fault handler which expects them setup another way.\n\nSo the FAULT_TYPE_* value ends up basically being garbage, and\nrandomly would generate the backtrace seen above.\n\nReported-by: Nick Alcock \u003cnix@esperi.org.uk\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nMIPS: Fix 64k page support for 32 bit kernels.\n\n[ Upstream commit d7de413475f443957a0c1d256e405d19b3a2cb22 ]\n\nTASK_SIZE was defined as 0x7fff8000UL which for 64k pages is not a\nmultiple of the page size.  Somewhere further down the math fails\nsuch that executing an ELF binary fails.\n\nSigned-off-by: Ralf Baechle \u003cralf@linux-mips.org\u003e\nTested-by: Joshua Henderson \u003cjoshua.henderson@microchip.com\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnetfilter: x_tables: don\u0027t move to non-existent next rule\n\n[ Upstream commit f24e230d257af1ad7476c6e81a8dc3127a74204e ]\n\nBen Hawkes says:\n\n In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it\n is possible for a user-supplied ipt_entry structure to have a large\n next_offset field. This field is not bounds checked prior to writing a\n counter value at the supplied offset.\n\nBase chains enforce absolute verdict.\n\nUser defined chains are supposed to end with an unconditional return,\nxtables userspace adds them automatically.\n\nBut if such return is missing we will move to non-existent next rule.\n\nReported-by: Ben Hawkes \u003chawkes@google.com\u003e\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnetfilter: x_tables: validate targets of jumps\n\n[ Upstream commit 36472341017529e2b12573093cc0f68719300997 ]\n\nWhen we see a jump also check that the offset gets us to beginning of\na rule (an ipt_entry).\n\nThe extra overhead is negible, even with absurd cases.\n\n300k custom rules, 300k jumps to \u0027next\u0027 user chain:\n[ plus one jump from INPUT to first userchain ]:\n\nBefore:\nreal    0m24.874s\nuser    0m7.532s\nsys     0m16.076s\n\nAfter:\nreal    0m27.464s\nuser    0m7.436s\nsys     0m18.840s\n\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnetfilter: x_tables: add and use xt_check_entry_offsets\n\n[ Upstream commit 7d35812c3214afa5b37a675113555259cfd67b98 ]\n\nCurrently arp/ip and ip6tables each implement a short helper to check that\nthe target offset is large enough to hold one xt_entry_target struct and\nthat t-\u003eu.target_size fits within the current rule.\n\nUnfortunately these checks are not sufficient.\n\nTo avoid adding new tests to all of ip/ip6/arptables move the current\nchecks into a helper, then extend this helper in followup patches.\n\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnetfilter: x_tables: kill check_entry helper\n\n[ Upstream commit aa412ba225dd3bc36d404c28cdc3d674850d80d0 ]\n\nOnce we add more sanity testing to xt_check_entry_offsets it\nbecomes relvant if we\u0027re expecting a 32bit \u0027config_compat\u0027 blob\nor a normal one.\n\nSince we already have a lot of similar-named functions (check_entry,\ncompat_check_entry, find_and_check_entry, etc.) and the current\nincarnation is short just fold its contents into the callers.\n\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnetfilter: x_tables: assert minimum target size\n\n[ Upstream commit a08e4e190b866579896c09af59b3bdca821da2cd ]\n\nThe target size includes the size of the xt_entry_target struct.\n\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnetfilter: x_tables: add compat version of xt_check_entry_offsets\n\n[ Upstream commit fc1221b3a163d1386d1052184202d5dc50d302d1 ]\n\n32bit rulesets have different layout and alignment requirements, so once\nmore integrity checks get added to xt_check_entry_offsets it will reject\nwell-formed 32bit rulesets.\n\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnetfilter: x_tables: check standard target size too\n\n[ Upstream commit 7ed2abddd20cf8f6bd27f65bd218f26fa5bf7f44 ]\n\nWe have targets and standard targets -- the latter carries a verdict.\n\nThe ip/ip6tables validation functions will access t-\u003everdict for the\nstandard targets to fetch the jump offset or verdict for chainloop\ndetection, but this happens before the targets get checked/validated.\n\nThus we also need to check for verdict presence here, else t-\u003everdict\ncan point right after a blob.\n\nSpotted with UBSAN while testing malformed blobs.\n\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnetfilter: x_tables: check for bogus target offset\n\n[ Upstream commit ce683e5f9d045e5d67d1312a42b359cb2ab2a13c ]\n\nWe\u0027re currently asserting that targetoff + targetsize \u003c\u003d nextoff.\n\nExtend it to also check that targetoff is \u003e\u003d sizeof(xt_entry).\nSince this is generic code, add an argument pointing to the start of the\nmatch/target, we can then derive the base structure size from the delta.\n\nWe also need the e-\u003eelems pointer in a followup change to validate matches.\n\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnetfilter: x_tables: validate all offsets and sizes in a rule\n\n[ Upstream commit 13631bfc604161a9d69cd68991dff8603edd66f9 ]\n\nValidate that all matches (if any) add up to the beginning of\nthe target and that each match covers at least the base structure size.\n\nThe compat path should be able to safely re-use the function\nas the structures only differ in alignment; added a\nBUILD_BUG_ON just in case we have an arch that adds padding as well.\n\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnetfilter: x_tables: don\u0027t reject valid target size on some architectures\n\n[ Upstream commit 7b7eba0f3515fca3296b8881d583f7c1042f5226 ]\n\nQuoting John Stultz:\n  In updating a 32bit arm device from 4.6 to Linus\u0027 current HEAD, I\n  noticed I was having some trouble with networking, and realized that\n  /proc/net/ip_tables_names was suddenly empty.\n  Digging through the registration process, it seems we\u0027re catching on the:\n\n   if (strcmp(t-\u003eu.user.name, XT_STANDARD_TARGET) \u003d\u003d 0 \u0026\u0026\n       target_offset + sizeof(struct xt_standard_target) !\u003d next_offset)\n         return -EINVAL;\n\n  Where next_offset seems to be 4 bytes larger then the\n  offset + standard_target struct size.\n\nnext_offset needs to be aligned via XT_ALIGN (so we can access all members\nof ip(6)t_entry struct).\n\nThis problem didn\u0027t show up on i686 as it only needs 4-byte alignment for\nu64, but iptables userspace on other 32bit arches does insert extra padding.\n\nReported-by: John Stultz \u003cjohn.stultz@linaro.org\u003e\nTested-by: John Stultz \u003cjohn.stultz@linaro.org\u003e\nFixes: 7ed2abddd20cf (\"netfilter: x_tables: check standard target size too\")\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnetfilter: arp_tables: simplify translate_compat_table args\n\n[ Upstream commit 8dddd32756f6fe8e4e82a63361119b7e2384e02f ]\n\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnetfilter: ip_tables: simplify translate_compat_table args\n\n[ Upstream commit 7d3f843eed29222254c9feab481f55175a1afcc9 ]\n\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnetfilter: ip6_tables: simplify translate_compat_table args\n\n[ Upstream commit 329a0807124f12fe1c8032f95d8a8eb47047fb0e ]\n\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnetfilter: x_tables: xt_compat_match_from_user doesn\u0027t need a retval\n\n[ Upstream commit 0188346f21e6546498c2a0f84888797ad4063fc5 ]\n\nAlways returned 0.\n\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnetfilter: x_tables: do compat validation via translate_table\n\n[ Upstream commit 09d9686047dbbe1cf4faa558d3ecc4aae2046054 ]\n\nThis looks like refactoring, but its also a bug fix.\n\nProblem is that the compat path (32bit iptables, 64bit kernel) lacks a few\nsanity tests that are done in the normal path.\n\nFor example, we do not check for underflows and the base chain policies.\n\nWhile its possible to also add such checks to the compat path, its more\ncopy\u0026pastry, for instance we cannot reuse check_underflow() helper as\ne-\u003etarget_offset differs in the compat case.\n\nOther problem is that it makes auditing for validation errors harder; two\nplaces need to be checked and kept in sync.\n\nAt a high level 32 bit compat works like this:\n1- initial pass over blob:\n   validate match/entry offsets, bounds checking\n   lookup all matches and targets\n   do bookkeeping wrt. size delta of 32/64bit structures\n   assign match/target.u.kernel pointer (points at kernel\n   implementation, needed to access -\u003ecompatsize etc.)\n\n2- allocate memory according to the total bookkeeping size to\n   contain the translated ruleset\n\n3- second pass over original blob:\n   for each entry, copy the 32bit representation to the newly allocated\n   memory.  This also does any special match translations (e.g.\n   adjust 32bit to 64bit longs, etc).\n\n4- check if ruleset is free of loops (chase all jumps)\n\n5-first pass over translated blob:\n   call the checkentry function of all matches and targets.\n\nThe alternative implemented by this patch is to drop steps 3\u00264 from the\ncompat process, the translation is changed into an intermediate step\nrather than a full 1:1 translate_table replacement.\n\nIn the 2nd pass (step #3), change the 64bit ruleset back to a kernel\nrepresentation, i.e. put() the kernel pointer and restore -\u003eu.user.name .\n\nThis gets us a 64bit ruleset that is in the format generated by a 64bit\niptables userspace -- we can then use translate_table() to get the\n\u0027native\u0027 sanity checks.\n\nThis has two drawbacks:\n\n1. we re-validate all the match and target entry structure sizes even\nthough compat translation is supposed to never generate bogus offsets.\n2. we put and then re-lookup each match and target.\n\nTHe upside is that we get all sanity tests and ruleset validations\nprovided by the normal path and can remove some duplicated compat code.\n\niptables-restore time of autogenerated ruleset with 300k chains of form\n-A CHAIN0001 -m limit --limit 1/s -j CHAIN0002\n-A CHAIN0002 -m limit --limit 1/s -j CHAIN0003\n\nshows no noticeable differences in restore times:\nold:   0m30.796s\nnew:   0m31.521s\n64bit: 0m25.674s\n\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nnetfilter: x_tables: introduce and use xt_copy_counters_from_user\n\n[ Upstream commit d7591f0c41ce3e67600a982bab6989ef0f07b3ce ]\n\nThe three variants use same copy\u0026pasted code, condense this into a\nhelper and use that.\n\nMake sure info.name is 0-terminated.\n\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\ntmpfs: fix regression hang in fallocate undo\n\n[ Upstream commit 7f556567036cb7f89aabe2f0954b08566b4efb53 ]\n\nThe well-spotted fallocate undo fix is good in most cases, but not when\nfallocate failed on the very first page.  index 0 then passes lend -1\nto shmem_undo_range(), and that has two bad effects: (a) that it will\nundo every fallocation throughout the file, unrestricted by the current\nrange; but more importantly (b) it can cause the undo to hang, because\nlend -1 is treated as truncation, which makes it keep on retrying until\nevery page has gone, but those already fully instantiated will never go\naway.  Big thank you to xfstests generic/269 which demonstrates this.\n\nFixes: b9b4bb26af01 (\"tmpfs: don\u0027t undo fallocate past its last page\")\nCc: stable@vger.kernel.org\nSigned-off-by: Hugh Dickins \u003chughd@google.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nLinux 3.18.37\n\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n\nALSA: echoaudio: Fix memory allocation\n\n[ Upstream commit 9c6795a9b3cbb56a9fbfaf43909c5c22999ba317 ]\n\n\u0027commpage_bak\u0027 is allocated with \u0027sizeof(struct echoaudio)\u0027 bytes.\nWe then copy \u0027sizeof(struct comm_page)\u0027 bytes in it.\nOn my system, smatch complains because one is 2960 and the other is 3072.\n\nThis would result in memory corruption or a oops.\n\nSigned-off-by: Christophe JAILLET \u003cchristophe.jaillet@wanadoo.fr\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nipr: Clear interrupt on croc/crocodile when running with LSI\n\n[ Upstream commit 54e430bbd490e18ab116afa4cd90dcc45787b3df ]\n\nIf we fall back to using LSI on the Croc or Crocodile chip we need to\nclear the interrupt so we don\u0027t hang the system.\n\nCc: \u003cstable@vger.kernel.org\u003e\nTested-by: Benjamin Herrenschmidt \u003cbenh@kernel.crashing.org\u003e\nSigned-off-by: Brian King \u003cbrking@linux.vnet.ibm.com\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nALSA: au88x0: Fix calculation in vortex_wtdma_bufshift()\n\n[ Upstream commit 62db7152c924e4c060e42b34a69cd39658e8a0dc ]\n\nvortex_wtdma_bufshift() function does calculate the page index\nwrongly, first masking then shift, which always results in zero.\nThe proper computation is to first shift, then mask.\n\nReported-by: Dan Carpenter \u003cdan.carpenter@oracle.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nx86/amd_nb: Fix boot crash on non-AMD systems\n\n[ Upstream commit 1ead852dd88779eda12cb09cc894a03d9abfe1ec ]\n\nFix boot crash that triggers if this driver is built into a kernel and\nrun on non-AMD systems.\n\nAMD northbridges users call amd_cache_northbridges() and it returns\na negative value to signal that we weren\u0027t able to cache/detect any\nnorthbridges on the system.\n\nAt least, it should do so as all its callers expect it to do so. But it\ndoes return a negative value only when kmalloc() fails.\n\nFix it to return -ENODEV if there are no NBs cached as otherwise, amd_nb\nusers like amd64_edac, for example, which relies on it to know whether\nit should load or not, gets loaded on systems like Intel Xeons where it\nshouldn\u0027t.\n\nReported-and-tested-by: Tony Battersby \u003ctonyb@cybernetics.com\u003e\nSigned-off-by: Borislav Petkov \u003cbp@suse.de\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nLink: http://lkml.kernel.org/r/1466097230-5333-2-git-send-email-bp@alien8.de\nLink: https://lkml.kernel.org/r/5761BEB0.9000807@cybernetics.com\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nALSA: timer: Fix negative queue usage by racy accesses\n\n[ Upstream commit 3fa6993fef634e05d200d141a85df0b044572364 ]\n\nThe user timer tu-\u003eqused counter may go to a negative value when\nmultiple concurrent reads are performed since both the check and the\ndecrement of tu-\u003eqused are done in two individual locked contexts.\nThis results in bogus read outs, and the endless loop in the\nuser-space side.\n\nThe fix is to move the decrement of the tu-\u003eqused counter into the\nsame spinlock context as the zero-check of the counter.\n\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nqeth: delete napi struct when removing a qeth device\n\n[ Upstream commit 7831b4ff0d926e0deeaabef9db8800ed069a2757 ]\n\nA qeth_card contains a napi_struct linked to the net_device during\ndevice probing. This struct must be deleted when removing the qeth\ndevice, otherwise Panic on oops can occur when qeth devices are\nrepeatedly removed and added.\n\nFixes: a1c3ed4c9ca (\"qeth: NAPI support for l2 and l3 discipline\")\nCc: stable@vger.kernel.org # v2.6.37+\nSigned-off-by: Ursula Braun \u003cubraun@linux.vnet.ibm.com\u003e\nTested-by: Alexander Klein \u003cALKL@de.ibm.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nMIPS: Fix page table corruption on THP permission changes.\n\n[ Upstream commit 88d02a2ba6c52350f9a73ff1b01a5be839c3ca17 ]\n\nWhen the core THP code is modifying the permissions of a huge page it\ncalls pmd_modify(), which unfortunately was clearing the _PAGE_HUGE bit\nof the page table entry.  The result can be kernel messages like:\n\nmm/memory.c:397: bad pmd 000000040080004d.\nmm/memory.c:397: bad pmd 00000003ff00004d.\nmm/memory.c:397: bad pmd 000000040100004d.\n\nor:\n\n------------[ cut here ]------------\nWARNING: at mm/mmap.c:3200 exit_mmap+0x150/0x158()\nModules linked in: ipv6 at24 octeon3_ethernet octeon_srio_nexus m25p80\nCPU: 12 PID: 1295 Comm: pmderr Not tainted 3.10.87-rt80-Cavium-Octeon #4\nStack : 0000000040808000 0000000014009ce1 0000000000400004 ffffffff81076ba0\n          0000000000000000 0000000000000000 ffffffff85110000 0000000000000119\n          0000000000000004 0000000000000000 0000000000000119 43617669756d2d4f\n          0000000000000000 ffffffff850fda40 ffffffff85110000 0000000000000000\n          0000000000000000 0000000000000009 ffffffff809207a0 0000000000000c80\n          ffffffff80f1bf20 0000000000000001 000000ffeca36828 0000000000000001\n          0000000000000000 0000000000000001 000000ffeca7e700 ffffffff80886924\n          80000003fd7a0000 80000003fd7a39b0 80000003fdea8000 ffffffff80885780\n          80000003fdea8000 ffffffff80f12218 000000000000000c 000000000000050f\n          0000000000000000 ffffffff80865c4c 0000000000000000 0000000000000000\n          ...\nCall Trace:\n[\u003cffffffff80865c4c\u003e] show_stack+0x6c/0xf8\n[\u003cffffffff80885780\u003e] warn_slowpath_common+0x78/0xa8\n[\u003cffffffff809207a0\u003e] exit_mmap+0x150/0x158\n[\u003cffffffff80882d44\u003e] mmput+0x5c/0x110\n[\u003cffffffff8088b450\u003e] do_exit+0x230/0xa68\n[\u003cffffffff8088be34\u003e] do_group_exit+0x54/0x1d0\n[\u003cffffffff8088bfc0\u003e] __wake_up_parent+0x0/0x18\n\n---[ end trace c7b38293191c57dc ]---\nBUG: Bad rss-counter state mm:80000003fa168000 idx:1 val:1536\n\nFix by not clearing _PAGE_HUGE bit.\n\nSigned-off-by: David Daney \u003cdavid.daney@cavium.com\u003e\nTested-by: Aaro Koskinen \u003caaro.koskinen@nokia.com\u003e\nCc: stable@vger.kernel.org\nCc: linux-mips@linux-mips.org\nPatchwork: https://patchwork.linux-mips.org/patch/13687/\nSigned-off-by: Ralf Baechle \u003cralf@linux-mips.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nxenbus: Add proper handling of XS_ERROR from Xenbus for transactions.\n\n[ Upstream commit a2e75bc2ee207351e6806e77a5379c6c1dd4598a ]\n\nIf Xenstore sends back a XS_ERROR for TRANSACTION_END, the driver BUGs\nbecause it cannot find the matching transaction in the list.  For\nTRANSACTION_START, it leaks memory.\n\nCheck the message as returned from xenbus_dev_request_and_reply(), and\nclean up for TRANSACTION_START or discard the error for\nTRANSACTION_END.\n\nSigned-off-by: Jennifer Herbert \u003cJennifer.Herbert@citrix.com\u003e\nSigned-off-by: David Vrabel \u003cdavid.vrabel@citrix.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nxenbus: don\u0027t BUG() on user mode induced condition\n\n[ Upstream commit 0beef634b86a1350c31da5fcc2992f0d7c8a622b ]\n\nInability to locate a user mode specified transaction ID should not\nlead to a kernel crash. For other than XS_TRANSACTION_START also\ndon\u0027t issue anything to xenbus if the specified ID doesn\u0027t match that\nof any active transaction.\n\nSigned-off-by: Jan Beulich \u003cjbeulich@suse.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: David Vrabel \u003cdavid.vrabel@citrix.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nRevert \"ecryptfs: forbid opening files without mmap handler\"\n\n[ Upstream commit 78c4e172412de5d0456dc00d2b34050aa0b683b5 ]\n\nThis reverts commit 2f36db71009304b3f0b95afacd8eba1f9f046b87.\n\nIt fixed a local root exploit but also introduced a dependency on\nthe lower file system implementing an mmap operation just to open a file,\nwhich is a bit of a heavy hammer.  The right fix is to have mmap depend\non the existence of the mmap handler instead.\n\nSigned-off-by: Jeff Mahoney \u003cjeffm@suse.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Tyler Hicks \u003ctyhicks@canonical.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nxenbus: don\u0027t bail early from xenbus_dev_request_and_reply()\n\n[ Upstream commit 7469be95a487319514adce2304ad2af3553d2fc9 ]\n\nxenbus_dev_request_and_reply() needs to track whether a transaction is\nopen.  For XS_TRANSACTION_START messages it calls transaction_start()\nand for XS_TRANSACTION_END messages it calls transaction_end().\n\nIf sending an XS_TRANSACTION_START message fails or responds with an\nan error, the transaction is not open and transaction_end() must be\ncalled.\n\nIf sending an XS_TRANSACTION_END message fails, the transaction is\nstill open, but if an error response is returned the transaction is\nclosed.\n\nCommit 027bd7e89906 (\"xen/xenbus: Avoid synchronous wait on XenBus\nstalling shutdown/restart\") introduced a regression where failed\nXS_TRANSACTION_START messages were leaving the transaction open.  This\ncan cause problems with suspend (and migration) as all transactions\nmust be closed before suspending.\n\nIt appears that the problematic change was added accidentally, so just\nremove it.\n\nSigned-off-by: Jan Beulich \u003cjbeulich@suse.com\u003e\nCc: Konrad Rzeszutek Wilk \u003ckonrad.wilk@oracle.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: David Vrabel \u003cdavid.vrabel@citrix.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nxen/acpi: allow xen-acpi-processor driver to load on Xen 4.7\n\n[ Upstream commit 6f2d9d99213514360034c6d52d2c3919290b3504 ]\n\nAs of Xen 4.7 PV CPUID doesn\u0027t expose either of CPUID[1].ECX[7] and\nCPUID[0x80000007].EDX[7] anymore, causing the driver to fail to load on\nboth Intel and AMD systems. Doing any kind of hardware capability\nchecks in the driver as a prerequisite was wrong anyway: With the\nhypervisor being in charge, all such checking should be done by it. If\nACPI data gets uploaded despite some missing capability, the hypervisor\nis free to ignore part or all of that data.\n\nDitch the entire check_prereq() function, and do the only valid check\n(xen_initial_domain()) in the caller in its place.\n\nSigned-off-by: Jan Beulich \u003cjbeulich@suse.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: David Vrabel \u003cdavid.vrabel@citrix.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\npowerpc: Fix build break due to missing PPC_FEATURE2_HTM_NOSC\n\nThe backport of 4705e02498d6 (\"powerpc: Update TM user feature bits in\nscan_features()\") (f49eb503f0f9), missed the fact that 4.1 doesn\u0027t\ninclude the commit that added PPC_FEATURE2_HTM_NOSC.\n\nThe correct fix is simply to omit PPC_FEATURE2_HTM_NOSC.\n\nFixes: f49eb503f0f9 (\"powerpc: Update TM user feature bits in scan_features()\")\nReported-by: Christian Zigotzky \u003cchzigotzky@bayern-mail.de\u003e\nSigned-off-by: Michael Ellerman \u003cmpe@ellerman.id.au\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\n4.1.28 Fix bad backport of 8f182270dfec \"mm/swap.c: flush lru pvecs on compound page arrival\"\n\nWhen I pulled in 4.1.28 into my stable 4.1-rt tree and ran the tests,\nit crashed with a severe OOM killing everything. I then tested 4.1.28\nwithout -rt and it had the same issue. I did a bisect between 4.1.27\nand 4.1.28 and found that the bug started at:\n\ncommit 8f182270dfec \"mm/swap.c: flush lru pvecs on compound page\narrival\"\n\nLooking at that patch and what\u0027s in mainline, I see that there\u0027s a\nmismatch in one of the hunks:\n\nMainline:\n\n@@ -391,9 +391,8 @@ static void __lru_cache_add(struct page *page)\n        struct pagevec *pvec \u003d \u0026get_cpu_var(lru_add_pvec);\n\n        get_page(page);\n-       if (!pagevec_space(pvec))\n+       if (!pagevec_add(pvec, page) || PageCompound(page))\n                __pagevec_lru_add(pvec);\n-       pagevec_add(pvec, page);\n        put_cpu_var(lru_add_pvec);\n }\n\nStable 4.1.28:\n\n@@ -631,9 +631,8 @@ static void __lru_cache_add(struct page *page)\n        struct pagevec *pvec \u003d \u0026get_cpu_var(lru_add_pvec);\n\n        page_cache_get(page);\n-       if (!pagevec_space(pvec))\n+       if (!pagevec_space(pvec) || PageCompound(page))\n                __pagevec_lru_add(pvec);\n-       pagevec_add(pvec, page);\n        put_cpu_var(lru_add_pvec);\n }\n\nWhere mainline replace pagevec_space() with pagevec_add, and stable did\nnot.\n\nFixing this makes the OOM go away.\n\nNote, 3.18 has the same bug.\n\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nLinux 3.18.38\n\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nRevert \"MIPS: Reserve nosave data for hibernation\"\n\nThis reverts commit 1dd0964204277108e3e06e7df4c1f06a79d55093.\n\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nRevert \"sparc64: Fix numa node distance initialization\"\n\nThis reverts commit 0396a871c4e3fbbaabb4f2632c1d388a04b68c84.\n\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nnetfilter: x_tables: speed up jump target validation\n\n[ Upstream commit f4dc77713f8016d2e8a3295e1c9c53a21f296def ]\n\nThe dummy ruleset I used to test the original validation change was broken,\nmost rules were unreachable and were not tested by mark_source_chains().\n\nIn some cases rulesets that used to load in a few seconds now require\nseveral minutes.\n\nsample ruleset that shows the behaviour:\n\necho \"*filter\"\nfor i in $(seq 0 100000);do\n        printf \":chain_%06x - [0:0]\\n\" $i\ndone\nfor i in $(seq 0 100000);do\n   printf -- \"-A INPUT -j chain_%06x\\n\" $i\n   printf -- \"-A INPUT -j chain_%06x\\n\" $i\n   printf -- \"-A INPUT -j chain_%06x\\n\" $i\ndone\necho COMMIT\n\n[ pipe result into iptables-restore ]\n\nThis ruleset will be about 74mbyte in size, with ~500k searches\nthough all 500k[1] rule entries. iptables-restore will take forever\n(gave up after 10 minutes)\n\nInstead of always searching the entire blob for a match, fill an\narray with the start offsets of every single ipt_entry struct,\nthen do a binary search to check if the jump target is present or not.\n\nAfter this change ruleset restore times get again close to what one\ngets when reverting 36472341017529e (~3 seconds on my workstation).\n\n[1] every user-defined rule gets an implicit RETURN, so we get\n300k jumps + 100k userchains + 100k returns -\u003e 500k rule entries\n\nFixes: 36472341017529e (\"netfilter: x_tables: validate targets of jumps\")\nReported-by: Jeff Wu \u003cwujiafu@gmail.com\u003e\nTested-by: Jeff Wu \u003cwujiafu@gmail.com\u003e\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nARM: mvebu: fix HW I/O coherency related deadlocks\n\n[ Upstream commit c5379ba8fccd99d5f99632c789f0393d84a57805 ]\n\nUntil now, our understanding for HW I/O coherency to work on the\nCortex-A9 based Marvell SoC was that only the PCIe regions should be\nmapped strongly-ordered. However, we were still encountering some\ndeadlocks, especially when testing the CESA crypto engine. After\nchecking with the HW designers, it was concluded that all the MMIO\nregisters should be mapped as strongly ordered for the HW I/O coherency\nmechanism to work properly.\n\nThis fixes some easy to reproduce deadlocks with the CESA crypto engine\ndriver (dmcrypt on a sufficiently large disk partition).\n\nTested-by: Terry Stockert \u003cstockert@inkblotadmirer.me\u003e\nTested-by: Romain Perier \u003cromain.perier@free-electrons.com\u003e\nCc: Terry Stockert \u003cstockert@inkblotadmirer.me\u003e\nCc: Romain Perier \u003cromain.perier@free-electrons.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Thomas Petazzoni \u003cthomas.petazzoni@free-electrons.com\u003e\nSigned-off-by: Gregory CLEMENT \u003cgregory.clement@free-electrons.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nInput: xpad - validate USB endpoint count during probe\n\n[ Upstream commit caca925fca4fb30c67be88cacbe908eec6721e43 ]\n\nThis prevents a malicious USB device from causing an oops.\n\nSigned-off-by: Cameron Gutman \u003caicommander@gmail.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Dmitry Torokhov \u003cdmitry.torokhov@gmail.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\ndrm/ttm: Make ttm_bo_mem_compat available\n\n[ Upstream commit 94477bff390aa4612d2332c8abafaae0a13d6923 ]\n\nThere are cases where it is desired to see if a proposed placement\nis compatible with a buffer object before calling ttm_bo_validate().\n\nSigned-off-by: Sinclair Yeh \u003csyeh@vmware.com\u003e\nReviewed-by: Thomas Hellstrom \u003cthellstrom@vmware.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\n---\nThis is the first of a 3-patch series to fix a black screen\nissue observed on Ubuntu 16.04 server.\n\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\novl: handle ATTR_KILL*\n\n[ Upstream commit b99c2d913810e56682a538c9f2394d76fca808f8 ]\n\nBefore 4bacc9c9234c (\"overlayfs: Make f_path...\") file-\u003ef_path pointed to\nthe underlying file, hence suid/sgid removal on write worked fine.\n\nAfter that patch file-\u003ef_path pointed to the overlay file, and the file\nmode bits weren\u0027t copied to overlay_inode-\u003ei_mode.  So the suid/sgid\nremoval simply stopped working.\n\nThe fix is to copy the mode bits, but then ovl_setattr() needs to clear\nATTR_MODE to avoid the BUG() in notify_change().  So do this first, then in\nthe next patch copy the mode.\n\nReported-by: Eryu Guan \u003ceguan@redhat.com\u003e\nSigned-off-by: Miklos Szeredi \u003cmszeredi@redhat.com\u003e\nFixes: 4bacc9c9234c (\"overlayfs: Make f_path always point to the overlay and f_inode to the underlay\")\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\novl: Copy up underlying inode\u0027s -\u003ei_mode to overlay inode\n\n[ Upstream commit 07a2daab49c549a37b5b744cbebb6e3f445f12bc ]\n\nRight now when a new overlay inode is created, we initialize overlay\ninode\u0027s -\u003ei_mode from underlying inode -\u003ei_mode but we retain only\nfile type bits (S_IFMT) and discard permission bits.\n\nThis patch changes it and retains permission bits too. This should allow\noverlay to do permission checks on overlay inode itself in task context.\n\n[SzM] It also fixes clearing suid/sgid bits on write.\n\nSigned-off-by: Vivek Goyal \u003cvgoyal@redhat.com\u003e\nReported-by: Eryu Guan \u003ceguan@redhat.com\u003e\nSigned-off-by: Miklos Szeredi \u003cmszeredi@redhat.com\u003e\nFixes: 4bacc9c9234c (\"overlayfs: Make f_path always point to the overlay and f_inode to the underlay\")\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nALSA: hda/realtek - add new pin definition in alc225 pin quirk table\n\n[ Upstream commit 8a132099f080d7384bb6ab4cc168f76cb4b47d08 ]\n\nWe have some Dell laptops which can\u0027t detect headset mic, the machines\nuse the codec ALC225, they have some new pin configuration values,\nafter adding them in the alc225 pin quirk table, they work well.\n\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Hui Wang \u003chui.wang@canonical.com\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nnet: mvneta: set real interrupt per packet for tx_done\n\n[ Upstream commit 06708f81528725148473c0869d6af5f809c6824b ]\n\nCommit aebea2ba0f74 (\"net: mvneta: fix Tx interrupt delay\") intended to\nset coalescing threshold to a value guaranteeing interrupt generation\nper each sent packet, so that buffers can be released with no delay.\n\nIn fact setting threshold to \u00271\u0027 was wrong, because it causes interrupt\nevery two packets. According to the documentation a reason behind it is\nfollowing - interrupt occurs once sent buffers counter reaches a value,\nwhich is higher than one specified in MVNETA_TXQ_SIZE_REG(q). This\nbehavior was confirmed during tests. Also when testing the SoC working\nas a NAS device, better performance was observed with int-per-packet,\nas it strongly depends on the fact that all transmitted packets are\nreleased immediately.\n\nThis commit enables NETA controller work in interrupt per sent packet mode\nby setting coalescing threshold to 0.\n\nSigned-off-by: Dmitri Epshtein \u003cdima@marvell.com\u003e\nSigned-off-by: Marcin Wojtas \u003cmw@semihalf.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e # v3.10+\nFixes aebea2ba0f74 (\"net: mvneta: fix Tx interrupt delay\")\nAcked-by: Willy Tarreau \u003cw@1wt.eu\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nx86/quirks: Add early quirk to reset Apple AirPort card\n\n[ Upstream commit abb2bafd295fe962bbadc329dbfb2146457283ac ]\n\nThe EFI firmware on Macs contains a full-fledged network stack for\ndownloading OS X images from osrecovery.apple.com. Unfortunately\non Macs introduced 2011 and 2012, EFI brings up the Broadcom 4331\nwireless card on every boot and leaves it enabled even after\nExitBootServices has been called. The card continues to assert its IRQ\nline, causing spurious interrupts if the IRQ is shared. It also corrupts\nmemory by DMAing received packets, allowing for remote code execution\nover the air. This only stops when a driver is loaded for the wireless\ncard, which may be never if the driver is not installed or blacklisted.\n\nThe issue seems to be constrained to the Broadcom 4331. Chris Milsted\nhas verified that the newer Broadcom 4360 built into the MacBookPro11,3\n(2013/2014) does not exhibit this behaviour. The chances that Apple will\never supply a firmware fix for the older machines appear to be zero.\n\nThe solution is to reset the card on boot by writing to a reset bit in\nits mmio space. This must be done as an early quirk and not as a plain\nvanilla PCI quirk to successfully combat memory corruption by DMAed\npackets: Matthew Garrett found out in 2012 that the packets are written\nto EfiBootServicesData memory (http://mjg59.dreamwidth.org/11235.html).\nThis type of memory is made available to the page allocator by\nefi_free_boot_services(). Plain vanilla PCI quirks run much later, in\nsubsys initcall level. In-between a time window would be open for memory\ncorruption. Random crashes occurring in this time window and attributed\nto DMAed packets have indeed been observed in the wild by Chris\nBainbridge.\n\nWhen Matthew Garrett analyzed the memory corruption issue in 2012, he\nsought to fix it with a grub quirk which transitions the card to D3hot:\nhttp://git.savannah.gnu.org/cgit/grub.git/commit/?id\u003d9d34bb85da56\n\nThis approach does not help users with other bootloaders and while it\nmay prevent DMAed packets, it does not cure the spurious interrupts\nemanating from the card. Unfortunately the card\u0027s mmio space is\ninaccessible in D3hot, so to reset it, we have to undo the effect of\nMatthew\u0027s grub patch and transition the card back to D0.\n\nNote that the quirk takes a few shortcuts to reduce the amount of code:\nThe size of BAR 0 and the location of the PM capability is identical\non all affected machines and therefore hardcoded. Only the address of\nBAR 0 differs between models. Also, it is assumed that the BCMA core\ncurrently mapped is the 802.11 core. The EFI driver seems to always take\ncare of this.\n\nMichael Büsch, Bjorn Helgaas and Matt Fleming contributed feedback\ntowards finding the best solution to this problem.\n\nThe following should be a comprehensive list of affected models:\n    iMac13,1        2012  21.5\"       [Root Port 00:1c.3 \u003d 8086:1e16]\n    iMac13,2        2012  27\"         [Root Port 00:1c.3 \u003d 8086:1e16]\n    Macmini5,1      2011  i5 2.3 GHz  [Root Port 00:1c.1 \u003d 8086:1c12]\n    Macmini5,2      2011  i5 2.5 GHz  [Root Port 00:1c.1 \u003d 8086:1c12]\n    Macmini5,3      2011  i7 2.0 GHz  [Root Port 00:1c.1 \u003d 8086:1c12]\n    Macmini6,1      2012  i5 2.5 GHz  [Root Port 00:1c.1 \u003d 8086:1e12]\n    Macmini6,2      2012  i7 2.3 GHz  [Root Port 00:1c.1 \u003d 8086:1e12]\n    MacBookPro8,1   2011  13\"         [Root Port 00:1c.1 \u003d 8086:1c12]\n    MacBookPro8,2   2011  15\"         [Root Port 00:1c.1 \u003d 8086:1c12]\n    MacBookPro8,3   2011  17\"         [Root Port 00:1c.1 \u003d 8086:1c12]\n    MacBookPro9,1   2012  15\"         [Root Port 00:1c.1 \u003d 8086:1e12]\n    MacBookPro9,2   2012  13\"         [Root Port 00:1c.1 \u003d 8086:1e12]\n    MacBookPro10,1  2012  15\"         [Root Port 00:1c.1 \u003d 8086:1e12]\n    MacBookPro10,2  2012  13\"         [Root Port 00:1c.1 \u003d 8086:1e12]\n\nFor posterity, spurious interrupts caused by the Broadcom 4331 wireless\ncard resulted in splats like this (stacktrace omitted):\n\n    irq 17: nobody cared (try booting with the \"irqpoll\" option)\n    handlers:\n    [\u003cffffffff81374370\u003e] pcie_isr\n    [\u003cffffffffc0704550\u003e] sdhci_irq [sdhci] threaded [\u003cffffffffc07013c0\u003e] sdhci_thread_irq [sdhci]\n    [\u003cffffffffc0a0b960\u003e] azx_interrupt [snd_hda_codec]\n    Disabling IRQ #17\n\nBugzilla: https://bugzilla.kernel.org/show_bug.cgi?id\u003d79301\nBugzilla: https://bugzilla.kernel.org/show_bug.cgi?id\u003d111781\nBugzilla: https://bugzilla.redhat.com/show_bug.cgi?id\u003d728916\nBugzilla: https://bugzilla.redhat.com/show_bug.cgi?id\u003d895951#c16\nBugzilla: https://bugzilla.redhat.com/show_bug.cgi?id\u003d1009819\nBugzilla: https://bugzilla.redhat.com/show_bug.cgi?id\u003d1098621\nBugzilla: https://bugzilla.redhat.com/show_bug.cgi?id\u003d1149632#c5\nBugzilla: https://bugzilla.redhat.com/show_bug.cgi?id\u003d1279130\nBugzilla: https://bugzilla.redhat.com/show_bug.cgi?id\u003d1332732\nTested-by: Konstantin Simanov \u003ck.simanov@stlk.ru\u003e        # [MacBookPro8,1]\nTested-by: Lukas Wunner \u003clukas@wunner.de\u003e                # [MacBookPro9,1]\nTested-by: Bryan Paradis \u003cbryan.paradis@gmail.com\u003e       # [MacBookPro9,2]\nTested-by: Andrew Worsley \u003camworsley@gmail.com\u003e          # [MacBookPro10,1]\nTested-by: Chris Bainbridge \u003cchris.bainbridge@gmail.com\u003e # [MacBookPro10,2]\nSigned-off-by: Lukas Wunner \u003clukas@wunner.de\u003e\nAcked-by: Rafał Miłecki \u003czajec5@gmail.com\u003e\nAcked-by: Matt Fleming \u003cmatt@codeblueprint.co.uk\u003e\nCc: Andy Lutomirski \u003cluto@kernel.org\u003e\nCc: Bjorn Helgaas \u003cbhelgaas@google.com\u003e\nCc: Borislav Petkov \u003cbp@alien8.de\u003e\nCc: Brian Gerst \u003cbrgerst@gmail.com\u003e\nCc: Chris Milsted \u003ccmilsted@redhat.com\u003e\nCc: Denys Vlasenko \u003cdvlasenk@redhat.com\u003e\nCc: H. Peter Anvin \u003chpa@zytor.com\u003e\nCc: Josh Poimboeuf \u003cjpoimboe@redhat.com\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Matthew Garrett \u003cmjg59@srcf.ucam.org\u003e\nCc: Michael Buesch \u003cm@bues.ch\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Yinghai Lu \u003cyinghai@kernel.org\u003e\nCc: b43-dev@lists.infradead.org\nCc: linux-pci@vger.kernel.org\nCc: linux-wireless@vger.kernel.org\nCc: stable@vger.kernel.org\nCc: stable@vger.kernel.org # 123456789abc: x86/quirks: Apply nvidia_bugs quirk only on root bus\nCc: stable@vger.kernel.org # 123456789abc: x86/quirks: Reintroduce scanning of secondary buses\nLink: http://lkml.kernel.org/r/48d0972ac82a53d460e5fce77a07b2560db95203.1465690253.git.lukas@wunner.de\n[ Did minor readability edits. ]\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\n\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nposix_cpu_timer: Exit early when process has been reaped\n\n[ Upstream commit 2c13ce8f6b2f6fd9ba2f9261b1939fc0f62d1307 ]\n\nVariable \"now\" seems to be genuinely used unintialized\nif branch\n\n\tif (CPUCLOCK_PERTHREAD(timer-\u003eit_clock)) {\n\nis not taken and branch\n\n\tif (unlikely(sighand \u003d\u003d NULL)) {\n\nis taken. In this case the process has been reaped and the timer is marked as\ndisarmed anyway. So none of the postprocessing of the sample is\nrequired. Return right away.\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nCc: stable@vger.kernel.org\nLink: http://lkml.kernel.org/r/20160707223911.GA26483@p183.telecom.by\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nALSA: hda - fix use-after-free after module unload\n\n[ Upstream commit ab58d8cc870ef3f0771c197700441936898d1f1d ]\n\nregister_vga_switcheroo() sets the PM ops from the hda structure which\nis freed later in azx_free. Make sure that these ops are cleared.\n\nCaught by KASAN, initially noticed due to a general protection fault.\n\nFixes: 246efa4a072f (\"snd/hda: add runtime suspend/resume on optimus support (v4)\")\nSigned-off-by: Peter Wu \u003cpeter@lekensteyn.nl\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nALSA: hda: add new AMD PCI IDs with proper driver caps\n\n[ Upstream commit 5022813ddb28b7679e8285812d52aaeb7e1e7657 ]\n\nFixes audio problems on newer asics\n\nSigned-off-by: Maruthi Bayyavarapu \u003cmaruthi.bayyavarapu@amd.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nALSA: hda: add AMD Stoney PCI ID with proper driver caps\n\n[ Upstream commit d716fb03f76411fc7e138692e33b749cada5c094 ]\n\nThis allows the device to correctly show up as ATI HDMI\nrather than a generic one and allows the driver to use\nthe available caps.\n\nSigned-off-by: Awais Belal \u003cawais_belal@mentor.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nmedia: fix airspy usb probe error path\n\n[ Upstream commit aa93d1fee85c890a34f2510a310e55ee76a27848 ]\n\nFix a memory leak on probe error of the airspy usb device driver.\n\nThe problem is triggered when more than 64 usb devices register with\nv4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.\n\nThe memory leak is caused by the probe function of the airspy driver\nmishandeling errors and not freeing the corresponding control structures\nwhen an error occours registering the device to v4l2 core.\n\nA badusb device can emulate 64 of these devices, and then through\ncontinual emulated connect/disconnect of the 65th device, cause the\nkernel to run out of RAM and crash the kernel, thus causing a local DOS\nvulnerability.\n\nFixes CVE-2016-5400\n\nSigned-off-by: James Patrick-Evans \u003cjames@jmp-e.com\u003e\nReviewed-by: Kees Cook \u003ckeescook@chromium.org\u003e\nCc: stable@vger.kernel.org # 3.17+\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nmmc: block: fix packed command header endianness\n\n[ Upstream commit f68381a70bb2b26c31b13fdaf67c778f92fd32b4 ]\n\nThe code that fills packed command header assumes that CPU runs in\nlittle-endian mode. Hence the header is malformed in big-endian mode\nand causes MMC data transfer errors:\n\n[  563.200828] mmcblk0: error -110 transferring data, sector 2048, nr 8, cmd response 0x900, card status 0xc40\n[  563.219647] mmcblk0: packed cmd failed, nr 2, sectors 16, failure index: -1\n\nConvert header data to LE.\n\nSigned-off-by: Taras Kondratiuk \u003ctakondra@cisco.com\u003e\nFixes: ce39f9d17c14 (\"mmc: support packed write command for eMMC4.5 devices\")\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Ulf Hansson \u003culf.hansson@linaro.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\ntty/vt/keyboard: fix OOB access in do_compute_shiftstate()\n\n[ Upstream commit 510cccb5b0c8868a2b302a0ab524da7912da648b ]\n\nThe size of individual keymap in drivers/tty/vt/keyboard.c is NR_KEYS,\nwhich is currently 256, whereas number of keys/buttons in input device (and\ntherefor in key_down) is much larger - KEY_CNT - 768, and that can cause\nout-of-bound access when we do\n\n\tsym \u003d U(key_maps[0][k]);\n\nwith large \u0027k\u0027.\n\nTo fix it we should not attempt iterating beyond smaller of NR_KEYS and\nKEY_CNT.\n\nAlso while at it let\u0027s switch to for_each_set_bit() instead of open-coding\nit.\n\nReported-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\nReviewed-by: Guenter Roeck \u003clinux@roeck-us.net\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Dmitry Torokhov \u003cdmitry.torokhov@gmail.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\novl: verify upper dentry in ovl_remove_and_whiteout()\n\n[ Upstream commit cfc9fde0b07c3b44b570057c5f93dda59dca1c94 ]\n\nThe upper dentry may become stale before we call ovl_lock_rename_workdir.\nFor example, someone could (mistakenly or maliciously) manually unlink(2)\nit directly from upperdir.\n\nTo ensure it is not stale, let\u0027s lookup it after ovl_lock_rename_workdir\nand and check if it matches the upper dentry.\n\nEssentially, it is the same problem and similar solution as in\ncommit 11f3710417d0 (\"ovl: verify upper dentry before unlink and rename\").\n\nSigned-off-by: Maxim Patlasov \u003cmpatlasov@virtuozzo.com\u003e\nSigned-off-by: Miklos Szeredi \u003cmszeredi@redhat.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nlibceph: set \u0027exists\u0027 flag for newly up osd\n\n[ Upstream commit 6dd74e44dc1df85f125982a8d6591bc4a76c9f5d ]\n\nSigned-off-by: Yan, Zheng \u003czyan@redhat.com\u003e\nReviewed-by: Sage Weil \u003csage@redhat.com\u003e\nSigned-off-by: Ilya Dryomov \u003cidryomov@gmail.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nlibceph: apply new_state before new_up_client on incrementals\n\n[ Upstream commit 930c532869774ebf8af9efe9484c597f896a7d46 ]\n\nCurrently, osd_weight and osd_state fields are updated in the encoding\norder.  This is wrong, because an incremental map may look like e.g.\n\n    new_up_client: { osd\u003d6, addr\u003d... } # set osd_state and addr\n    new_state: { osd\u003d6, xorstate\u003dEXISTS } # clear osd_state\n\nSuppose osd6\u0027s current osd_state is EXISTS (i.e. osd6 is down).  After\napplying new_up_client, osd_state is changed to EXISTS | UP.  Carrying\non with the new_state update, we flip EXISTS and leave osd6 in a weird\n\"!EXISTS but UP\" state.  A non-existent OSD is considered down by the\nmapping code\n\n2087    for (i \u003d 0; i \u003c pg-\u003epg_temp.len; i++) {\n2088            if (ceph_osd_is_down(osdmap, pg-\u003epg_temp.osds[i])) {\n2089                    if (ceph_can_shift_osds(pi))\n2090                            continue;\n2091\n2092                    temp-\u003eosds[temp-\u003esize++] \u003d CRUSH_ITEM_NONE;\n\nand so requests get directed to the second OSD in the set instead of\nthe first, resulting in OSD-side errors like:\n\n[WRN] : client.4239 192.168.122.21:0/2444980242 misdirected client.4239.1:2827 pg 2.5df899f2 to osd.4 not [1,4,6] in e680/680\n\nand hung rbds on the client:\n\n[  493.566367] rbd: rbd0: write 400000 at 11cc00000 (0)\n[  493.566805] rbd: rbd0:   result -6 xferred 400000\n[  493.567011] blk_update_request: I/O error, dev rbd0, sector 9330688\n\nThe fix is to decouple application from the decoding and:\n- apply new_weight first\n- apply new_state before new_up_client\n- twiddle osd_state flags if marking in\n- clear out some of the state if osd is destroyed\n\nFixes: http://tracker.ceph.com/issues/14901\n\nCc: stable@vger.kernel.org # 3.15+: 6dd74e44dc1d: libceph: set \u0027exists\u0027 flag for newly up osd\nCc: stable@vger.kernel.org # 3.15+\nSigned-off-by: Ilya Dryomov \u003cidryomov@gmail.com\u003e\nReviewed-by: Josh Durgin \u003cjdurgin@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nradix-tree: fix radix_tree_iter_retry() for tagged iterators.\n\n[ Upstream commit 3cb9185c67304b2a7ea9be73e7d13df6fb2793a1 ]\n\nradix_tree_iter_retry() resets slot to NULL, but it doesn\u0027t reset tags.\nThen NULL slot and non-zero iter.tags passed to radix_tree_next_slot()\nleading to crash:\n\n  RIP: radix_tree_next_slot include/linux/radix-tree.h:473\n    find_get_pages_tag+0x334/0x930 mm/filemap.c:1452\n  ....\n  Call Trace:\n    pagevec_lookup_tag+0x3a/0x80 mm/swap.c:960\n    mpage_prepare_extent_to_map+0x321/0xa90 fs/ext4/inode.c:2516\n    ext4_writepages+0x10be/0x2b20 fs/ext4/inode.c:2736\n    do_writepages+0x97/0x100 mm/page-writeback.c:2364\n    __filemap_fdatawrite_range+0x248/0x2e0 mm/filemap.c:300\n    filemap_write_and_wait_range+0x121/0x1b0 mm/filemap.c:490\n    ext4_sync_file+0x34d/0xdb0 fs/ext4/fsync.c:115\n    vfs_fsync_range+0x10a/0x250 fs/sync.c:195\n    vfs_fsync fs/sync.c:209\n    do_fsync+0x42/0x70 fs/sync.c:219\n    SYSC_fdatasync fs/sync.c:232\n    SyS_fdatasync+0x19/0x20 fs/sync.c:230\n    entry_SYSCALL_64_fastpath+0x23/0xc1 arch/x86/entry/entry_64.S:207\n\nWe must reset iterator\u0027s tags to bail out from radix_tree_next_slot()\nand go to the slow-path in radix_tree_next_chunk().\n\nFixes: 46437f9a554f (\"radix-tree: fix race in gang lookup\")\nLink: http://lkml.kernel.org/r/1468495196-10604-1-git-send-email-aryabinin@virtuozzo.com\nSigned-off-by: Andrey Ryabinin \u003caryabinin@virtuozzo.com\u003e\nReported-by: Dmitry Vyukov \u003cdvyukov@google.com\u003e\nAcked-by: Konstantin Khlebnikov \u003ckoct9i@gmail.com\u003e\nCc: Matthew Wilcox \u003cwilly@linux.intel.com\u003e\nCc: Hugh Dickins \u003chughd@google.com\u003e\nCc: Ross Zwisler \u003cross.zwisler@linux.intel.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\npps: do not crash when failed to register\n\n[ Upstream commit 368301f2fe4b07e5fb71dba3cc566bc59eb6705f ]\n\nWith this command sequence:\n\n  modprobe plip\n  modprobe pps_parport\n  rmmod pps_parport\n\nthe partport_pps modules causes this crash:\n\n  BUG: unable to handle kernel NULL pointer dereference at (null)\n  IP: parport_detach+0x1d/0x60 [pps_parport]\n  Oops: 0000 [#1] SMP\n  ...\n  Call Trace:\n    parport_unregister_driver+0x65/0xc0 [parport]\n    SyS_delete_module+0x187/0x210\n\nThe sequence that builds up to this is:\n\n 1) plip is loaded and takes the parport device for exclusive use:\n\n    plip0: Parallel port at 0x378, using IRQ 7.\n\n 2) pps_parport then fails to grab the device:\n\n    pps_parport: parallel port PPS client\n    parport0: cannot grant exclusive access for device pps_parport\n    pps_parport: couldn\u0027t register with parport0\n\n 3) rmmod of pps_parport is then killed because it tries to access\n    pardev-\u003ename, but pardev (taken from port-\u003ecad) is NULL.\n\nSo add a check for NULL in the test there too.\n\nLink: http://lkml.kernel.org/r/20160714115245.12651-1-jslaby@suse.cz\nSigned-off-by: Jiri Slaby \u003cjslaby@suse.cz\u003e\nAcked-by: Rodolfo Giometti \u003cgiometti@enneenne.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nx86/quirks: Apply nvidia_bugs quirk only on root bus\n\n[ Upstream commit 447d29d1d3aed839e74c2401ef63387780ac51ed ]\n\nSince the following commit:\n\n  8659c406ade3 (\"x86: only scan the root bus in early PCI quirks\")\n\n... early quirks are only applied to devices on the root bus.\n\nThe motivation was to prevent application of the nvidia_bugs quirk on\nsecondary buses.\n\nWe\u0027re about to reintroduce scanning of secondary buses for a quirk to\nreset the Broadcom 4331 wireless card on 2011/2012 Macs. To prevent\nregressions, open code the requirement to apply nvidia_bugs only on the\nroot bus.\n\nSigned-off-by: Lukas Wunner \u003clukas@wunner.de\u003e\nCc: Andy Lutomirski \u003cluto@kernel.org\u003e\nCc: Bjorn Helgaas \u003cbhelgaas@google.com\u003e\nCc: Borislav Petkov \u003cbp@alien8.de\u003e\nCc: Brian Gerst \u003cbrgerst@gmail.com\u003e\nCc: Denys Vlasenko \u003cdvlasenk@redhat.com\u003e\nCc: H. Peter Anvin \u003chpa@zytor.com\u003e\nCc: Josh Poimboeuf \u003cjpoimboe@redhat.com\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Yinghai Lu \u003cyinghai@kernel.org\u003e\nLink: http://lkml.kernel.org/r/4d5477c1d76b2f0387a780f2142bbcdd9fee869b.1465690253.git.lukas@wunner.de\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nx86/quirks: Reintroduce scanning of secondary buses\n\n[ Upstream commit 850c321027c2e31d0afc71588974719a4b565550 ]\n\nWe used to scan secondary buses until the following commit that\nwas applied in 2009:\n\n  8659c406ade3 (\"x86: only scan the root bus in early PCI quirks\")\n\nwhich commit constrained early quirks to the root bus only. Its\nmotivation was to prevent application of the nvidia_bugs quirk\non secondary buses.\n\nWe\u0027re about to add a quirk to reset the Broadcom 4331 wireless card on\n2011/2012 Macs, which is located on a secondary bus behind a PCIe root\nport. To facilitate that, reintroduce scanning of secondary buses.\n\nThe commit message of 8659c406ade3 notes that scanning only the root bus\n\"saves quite some unnecessary scanning work\". The algorithm used prior\nto 8659c406ade3 was particularly time consuming because it scanned\nbuses 0 to 31 brute force. To avoid lengthening boot time, employ a\nrecursive strategy which only scans buses that are actually reachable\nfrom the root bus.\n\nYinghai Lu pointed out that the secondary bus number read from a\nbridge\u0027s config space may be invalid, in particular a value of 0 would\ncause an infinite loop. The PCI core goes beyond that and recurses to a\nchild bus only if its bus number is greater than the parent bus number\n(see pci_scan_bridge()). Since the root bus is numbered 0, this implies\nthat secondary buses may not be 0. Do the same on early scanning.\n\nIf this algorithm is found to significantly impact boot time or cause\ninfinite loops on broken hardware, it would be possible to limit its\nrecursion depth: The Broadcom 4331 quirk applies at depth 1, all others\nat depth 0, so the bus need not be scanned deeper than that for now. An\nalternative approach would be to revert to scanning only the root bus,\nand apply the Broadcom 4331 quirk to the root ports 8086:1c12, 8086:1e12\nand 8086:1e16. Apple always positioned the card behind either of these\nthree ports. The quirk would then check presence of the card in slot 0\nbelow the root port and do its deed.\n\nSigned-off-by: Lukas Wunner \u003clukas@wunner.de\u003e\nCc: Andy Lutomirski \u003cluto@kernel.org\u003e\nCc: Bjorn Helgaas \u003cbhelgaas@google.com\u003e\nCc: Borislav Petkov \u003cbp@alien8.de\u003e\nCc: Brian Gerst \u003cbrgerst@gmail.com\u003e\nCc: Denys Vlasenko \u003cdvlasenk@redhat.com\u003e\nCc: H. Peter Anvin \u003chpa@zytor.com\u003e\nCc: Josh Poimboeuf \u003cjpoimboe@redhat.com\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Yinghai Lu \u003cyinghai@kernel.org\u003e\nCc: linux-pci@vger.kernel.org\nLink: http://lkml.kernel.org/r/f0daa70dac1a9b2483abdb31887173eb6ab77bdf.1465690253.git.lukas@wunner.de\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nLinux 3.18.39\n\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nRevert \"drm/i915/ilk: Don\u0027t disable SSC source if it\u0027s in use\"\n\nThis reverts commit bcb6659242e610b715fcfced0d048c01aec47960.\n\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nHID: uhid: fix timeout when probe races with IO\n\n[ Upstream commit 67f8ecc550b5bda03335f845dc869b8501d25fd0 ]\n\nMany devices use userspace bluetooth stacks like BlueZ or Bluedroid in combination\nwith uhid. If any of these stacks is used with a HID device for which the driver\nperforms a HID request as part .probe (or technically another HID operation),\nthis results in a deadlock situation. The deadlock results in a 5 second timeout\nfor I/O operations in HID drivers, so isn\u0027t fatal, but none of the I/O operations\nhave a chance of succeeding.\n\nThe root cause for the problem is that uhid only allows for one request to be\nprocessed at a time per uhid instance and locks out other operations. This means\nthat if a user space is creating a new HID device through \u0027UHID_CREATE\u0027, which\nultimately triggers \u0027.probe\u0027 through the HID layer. Then any HID request e.g. a\nread for calibration data would trigger a HID operation on uhid again, but it\nwon\u0027t go out to userspace, because it is still stuck in UHID_CREATE.\nIn addition bluetooth stacks are typically single threaded, so they wouldn\u0027t be\nable to handle any requests while waiting on uhid.\n\nLucikly the UHID spec is somewhat flexible and allows for fixing the issue,\nwithout breaking user space. The idea which the patch implements as discussed\nwith David Herrmann is to decouple adding of a hid device (which triggers .probe)\nfrom UHID_CREATE. The work will kick off roughly once UHID_CREATE completed (or\nelse will wait a tiny bit of time in .probe for a lock). A HID driver has to call\nHID to call \u0027hid_hw_start()\u0027 as part of .probe once it is ready for I/O, which\ntriggers UHID_START to user space. Any HID operations should function now within\n.probe and won\u0027t deadlock because userspace is stuck on UHID_CREATE.\n\nWe verified this patch on Bluedroid with Android 6.0 and on desktop Linux with\nBlueZ stacks. Prior to the patch they had the deadlock issue.\n\n[jkosina@suse.cz: reword subject]\nSigned-off-by: Roderick Colenbrander \u003croderick.colenbrander@sony.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.cz\u003e\n\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\ns5p-mfc: Set device name for reserved memory region devs\n\n[ Upstream commit 29debab0a94035a390801d1f177d171d014b7765 ]\n\nThe devices don\u0027t have a name set, so makes dev_name() returns NULL which\nmakes harder to identify the devices that are causing issues, for example:\n\nWARNING: CPU: 2 PID: 616 at drivers/base/core.c:251 device_release+0x8c/0x90\nDevice \u0027(null)\u0027 does not have a release() function, it is broken and must be fixed.\n\nAnd after setting the device name:\n\nWARNING: CPU: 0 PID: 591 at drivers/base/core.c:251 device_release+0x8c/0x90\nDevice \u0027s5p-mfc-l\u0027 does not have a release() function, it is broken and must be fixed.\n\nCc: \u003cstable@vger.kernel.org\u003e\nFixes: 6e83e6e25eb4 (\"[media] s5p-mfc: Fix kernel warning on memory init\")\nSigned-off-by: Javier Martinez Canillas \u003cjavier@osg.samsung.com\u003e\nTested-by: Marek Szyprowski \u003cm.szyprowski@samsung.com\u003e\nSigned-off-by: Sylwester Nawrocki \u003cs.nawrocki@samsung.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\ns5p-mfc: Add release callback for memory region devs\n\n[ Upstream commit 6311f1261f59ce5e51fbe5cc3b5e7737197316ac ]\n\nWhen s5p_mfc_remove() calls put_device() for the reserved memory region\ndevs, the driver core warns that the dev doesn\u0027t have a release callback:\n\nWARNING: CPU: 0 PID: 591 at drivers/base/core.c:251 device_release+0x8c/0x90\nDevice \u0027s5p-mfc-l\u0027 does not have a release() function, it is broken and must be fixed.\n\nAlso, the declared DMA memory using dma_declare_coherent_memory() isn\u0027t\nrelased so add a dev .release that calls dma_release_declared_memory().\n\nCc: \u003cstable@vger.kernel.org\u003e\nFixes: 6e83e6e25eb4 (\"[media] s5p-mfc: Fix kernel warning on memory init\")\nSigned-off-by: Javier Martinez Canillas \u003cjavier@osg.samsung.com\u003e\nTested-by: Marek Szyprowski \u003cm.szyprowski@samsung.com\u003e\nSigned-off-by: Sylwester Nawrocki \u003cs.nawrocki@samsung.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nnetlabel: add address family checks to netlbl_{sock,req}_delattr()\n\n[ Upstream commit 0e0e36774081534783aa8eeb9f6fbddf98d3c061 ]\n\nIt seems risky to always rely on the caller to ensure the socket\u0027s\naddress family is correct before passing it to the NetLabel kAPI,\nespecially since we see at least one LSM which didn\u0027t. Add address\nfamily checks to the *_delattr() functions to help prevent future\nproblems.\n\nCc: \u003cstable@vger.kernel.org\u003e\nReported-by: Maninder Singh \u003cmaninder1.s@samsung.com\u003e\nSigned-off-by: Paul Moore \u003cpaul@paul-moore.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nPCI: Mark Atheros AR9485 and QCA9882 to avoid bus reset\n\n[ Upstream commit 9ac0108c2bac3f1d0255f64fb89fc27e71131b24 ]\n\nSimilar to the AR93xx series, the AR94xx and the Qualcomm QCA988x also have\nthe same quirk for the Bus Reset.\n\nFixes: c3e59ee4e766 (\"PCI: Mark Atheros AR93xx to avoid bus reset\")\nSigned-off-by: Chris Blake \u003cchrisrblake93@gmail.com\u003e\nSigned-off-by: Bjorn Helgaas \u003cbhelgaas@google.com\u003e\nCC: stable@vger.kernel.org  # v3.14+\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\ngpio: pca953x: Fix NBANK calculation for PCA9536\n\n[ Upstream commit a246b8198f776a16d1d3a3bbfc2d437bad766b29 ]\n\nNBANK() macro assumes that ngpios is a multiple of 8(BANK_SZ) and\nhence results in 0 banks for PCA9536 which has just 4 gpios. This is\nwrong as PCA9356 has 1 bank with 4 gpios. This results in uninitialized\nPCA953X_INVERT register. Fix this by using DIV_ROUND_UP macro in\nNBANK().\n\nCc: stable@vger.kernel.org\nSigned-off-by: Vignesh R \u003cvigneshr@ti.com\u003e\nSigned-off-by: Linus Walleij \u003clinus.walleij@linaro.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nUpdate my main e-mails at the Kernel tree\n\n[ Upstream commit dc19ed1571dd3882b35e12fdaf50acbcc9b69714 ]\n\nFor the third time in three years, I\u0027m changing my e-mail at\nSamsung. That\u0027s bad, as it may stop communications with me for\na while. So, this time, I\u0027ll also the mchehab@kernel.org e-mail,\nas it remains stable since ever.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Mauro Carvalho Chehab \u003cmchehab@s-opensource.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nusb: dwc3: fix for the isoc transfer EP_BUSY flag\n\n[ Upstream commit 9cad39fe4e4a4fe95d8ea5a7b0692b0a6e89e38b ]\n\ncommit f3af36511e60 (\"usb: dwc3: gadget: always\nenable IOC on bulk/interrupt transfers\") ended up\nregressing Isochronous endpoints by clearing\nDWC3_EP_BUSY flag too early, which resulted in\nchoppy audio playback over USB.\n\nFix that by partially reverting original commit and\nmaking sure that we check for isochronous endpoints.\n\nFixes: f3af36511e60 (\"usb: dwc3: gadget: always enable IOC\n\t\ton bulk/interrupt transfers\")\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Konrad Leszczynski \u003ckonrad.leszczynski@intel.com\u003e\nSigned-off-by: Rafal Redzimski \u003crafal.f.redzimski@intel.com\u003e\nSigned-off-by: Felipe Balbi \u003cfelipe.balbi@linux.intel.com\u003e\n\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\ncrypto: gcm - Filter out async ghash if necessary\n\n[ Upstream commit b30bdfa86431afbafe15284a3ad5ac19b49b88e3 ]\n\nAs it is if you ask for a sync gcm you may actually end up with\nan async one because it does not filter out async implementations\nof ghash.\n\nThis patch fixes this by adding the necessary filter when looking\nfor ghash.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nof: fix memory leak related to safe_name()\n\n[ Upstream commit d9fc880723321dbf16b2981e3f3e916b73942210 ]\n\nFix a memory leak resulting from memory allocation in safe_name().\nThis patch fixes all call sites of safe_name().\n\nMathieu Malaterre reported the memory leak on boot:\n\nOn my PowerMac device-tree would generate a duplicate name:\n\n[    0.023043] device-tree: Duplicate name in PowerPC,G4@0, renamed to \"l2-cache#1\"\n\nin this case a newly allocated name is generated by `safe_name`. However\nin this case it is never deallocated.\n\nThe bug was found using kmemleak reported as:\n\nunreferenced object 0xdf532e60 (size 32):\n  comm \"swapper\", pid 1, jiffies 4294892300 (age 1993.532s)\n  hex dump (first 32 bytes):\n    6c 32 2d 63 61 63 68 65 23 31 00 dd e4 dd 1e c2  l2-cache#1......\n    ec d4 ba ce 04 ec cc de 8e 85 e9 ca c4 ec cc 9e  ................\n  backtrace:\n    [\u003cc02d3350\u003e] kvasprintf+0x64/0xc8\n    [\u003cc02d3400\u003e] kasprintf+0x4c/0x5c\n    [\u003cc0453814\u003e] safe_name.isra.1+0x80/0xc4\n    [\u003cc04545d8\u003e] __of_attach_node_sysfs+0x6c/0x11c\n    [\u003cc075f21c\u003e] of_core_init+0x8c/0xf8\n    [\u003cc0729594\u003e] kernel_init_freeable+0xd4/0x208\n    [\u003cc00047e8\u003e] kernel_init+0x24/0x11c\n    [\u003cc00158ec\u003e] ret_from_kernel_thread+0x5c/0x64\n\nLink: https://bugzilla.kernel.org/show_bug.cgi?id\u003d120331\n\nSigned-off-by: Frank Rowand \u003cfrank.rowand@am.sony.com\u003e\nReported-by: mathieu.malaterre@gmail.com\nTested-by: Mathieu Malaterre \u003cmathieu.malaterre@gmail.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Rob Herring \u003crobh@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nserial: samsung: Fix ERR pointer dereference on deferred probe\n\n[ Upstream commit e51e4d8a185de90424b03f30181b35f29c46a25a ]\n\nWhen the clk_get() of \"uart\" clock returns EPROBE_DEFER, the next re-probe\nfinishes with success but uses invalid (ERR_PTR) values.  This leads to\ndereferencing of ERR_PTR stored under ourport-\u003eclk:\n\n\t12c30000.serial: Controller clock not found\n\t(...)\n\t12c30000.serial: ttySAC3 at MMIO 0x12c30000 (irq \u003d 61, base_baud \u003d 0) is a S3C6400/10\n\tUnable to handle kernel paging request at virtual address fffffdfb\n\n\t(clk_prepare) from [\u003cc039f7d0\u003e] (s3c24xx_serial_pm+0x20/0x128)\n\t(s3c24xx_serial_pm) from [\u003cc0395414\u003e] (uart_change_pm+0x38/0x40)\n\t(uart_change_pm) from [\u003cc039689c\u003e] (uart_add_one_port+0x31c/0x44c)\n\t(uart_add_one_port) from [\u003cc03a035c\u003e] (s3c24xx_serial_probe+0x2a8/0x418)\n\t(s3c24xx_serial_probe) from [\u003cc03ee110\u003e] (platform_drv_probe+0x50/0xb0)\n\t(platform_drv_probe) from [\u003cc03ecb44\u003e] (driver_probe_device+0x1f4/0x2b0)\n\t(driver_probe_device) from [\u003cc03eb0c0\u003e] (bus_for_each_drv+0x44/0x8c)\n\t(bus_for_each_drv) from [\u003cc03ec8c8\u003e] (__device_attach+0x9c/0x100)\n\t(__device_attach) from [\u003cc03ebf54\u003e] (bus_probe_device+0x84/0x8c)\n\t(bus_probe_device) from [\u003cc03ec388\u003e] (deferred_probe_work_func+0x60/0x8c)\n\t(deferred_probe_work_func) from [\u003cc012fee4\u003e] (process_one_work+0x120/0x328)\n\t(process_one_work) from [\u003cc0130150\u003e] (worker_thread+0x2c/0x4ac)\n\t(worker_thread) from [\u003cc0135320\u003e] (kthread+0xd8/0xf4)\n\t(kthread) from [\u003cc0107978\u003e] (ret_from_fork+0x14/0x3c)\n\nThe first unsuccessful clk_get() causes s3c24xx_serial_init_port() to\nexit with failure but the s3c24xx_uart_port is left half-configured\n(e.g. port-\u003emapbase is set, clk contains ERR_PTR).  On next re-probe,\nthe function s3c24xx_serial_init_port() will exit early with success\nbecause of configured port-\u003emapbase and driver will use old values,\nincluding the ERR_PTR as clock.\n\nFix this by cleaning the port-\u003emapbase on error path so each re-probe\nwill initialize all of the port settings.\n\nFixes: 60e93575476f (\"serial: samsung: enable clock before clearing pending interrupts during init\")\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Krzysztof Kozlowski \u003ck.kozlowski@samsung.com\u003e\nReviewed-by: Javier Martinez Canillas \u003cjavier@osg.samsung.com\u003e\nTested-by: Javier Martinez Canillas \u003cjavier@osg.samsung.com\u003e\nTested-by: Kevin Hilman \u003ckhilman@baylibre.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nhp-wmi: Fix wifi cannot be hard-unblocked\n\n[ Upstream commit fc8a601e1175ae351f662506030f9939cb7fdbfe ]\n\nSeveral users reported wifi cannot be unblocked as discussed in [1].\nThis patch removes the use of the 2009 flag by BIOS but uses the actual\nWMI function calls - it will be skipped if WMI reports unsupported.\n\n[1] https://bugzilla.kernel.org/show_bug.cgi?id\u003d69131\n\nSigned-off-by: Alex Hung \u003calex.hung@canonical.com\u003e\nTested-by: Evgenii Shatokhin \u003ceugene.shatokhin@yandex.ru\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Darren Hart \u003cdvhart@linux.intel.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nusb: renesas_usbhs: fix the sequence in xfer_work()\n\n[ Upstream commit 9b53d9af7aac09cf249d72bfbf15f08e47c4f7fe ]\n\nThis patch fixes the setup sequence in xfer_work(). Otherwise,\nsometimes a usb transaction will get stuck.\n\nSigned-off-by: Yoshihiro Shimoda \u003cyoshihiro.shimoda.uh@renesas.com\u003e\nSigned-off-by: Felipe Balbi \u003cbalbi@ti.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nusb: renesas_usbhs: fix NULL pointer dereference in xfer_work()\n\n[ Upstream commit 4fdef698383db07d829da567e0e405fc41ff3a89 ]\n\nThis patch fixes an issue that the xfer_work() is possible to cause\nNULL pointer dereference if the usb cable is disconnected while data\ntransfer is running.\n\nIn such case, a gadget driver may call usb_ep_disable()) before\nxfer_work() is actually called. In this case, the usbhs_pkt_pop()\nwill call usbhsf_fifo_unselect(), and then usbhs_pipe_to_fifo()\nin xfer_work() will return NULL.\n\nFixes: e73a989 (\"usb: renesas_usbhs: add DMAEngine support\")\nCc: \u003cstable@vger.kernel.org\u003e # v3.1+\nSigned-off-by: Yoshihiro Shimoda \u003cyoshihiro.shimoda.uh@renesas.com\u003e\nSigned-off-by: Felipe Balbi \u003cfelipe.balbi@linux.intel.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nusb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable()\n\n[ Upstream commit 15e4292a2d21e9997fdb2b8c014cc461b3f268f0 ]\n\nThis patch fixes an issue that the CFIFOSEL register value is possible\nto be changed by usbhsg_ep_enable() wrongly. And then, a data transfer\nusing CFIFO may not work correctly.\n\nFor example:\n # modprobe g_multi file\u003dusb-storage.bin\n # ifconfig usb0 192.168.1.1 up\n (During the USB host is sending file to the mass storage)\n # ifconfig usb0 down\n\nIn this case, since the u_ether.c may call usb_ep_enable() in\neth_stop(), if the renesas_usbhs driver is also using CFIFO for\nmass storage, the mass storage may not work correctly.\n\nSo, this patch adds usbhs_lock() and usbhs_unlock() calling in\nusbhsg_ep_enable() to protect CFIFOSEL register. This is because:\n - CFIFOSEL.CURPIPE \u003d 0 is also needed for the pipe configuration\n - The CFIFOSEL (fifo-\u003esel) is already protected by usbhs_lock()\n\nFixes: 97664a207bc2 (\"usb: renesas_usbhs: shrink spin lock area\")\nCc: \u003cstable@vger.kernel.org\u003e # v3.1+\nSigned-off-by: Yoshihiro Shimoda \u003cyoshihiro.shimoda.uh@renesas.com\u003e\nSigned-off-by: Felipe Balbi \u003cfelipe.balbi@linux.intel.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\next4: check for extents that wrap around\n\n[ Upstream commit f70749ca42943faa4d4dcce46dfdcaadb1d0c4b6 ]\n\nAn extent with lblock \u003d 4294967295 and len \u003d 1 will pass the\next4_valid_extent() test:\n\n\text4_lblk_t last \u003d lblock + len - 1;\n\n\tif (len \u003d\u003d 0 || lblock \u003e last)\n\t\treturn 0;\n\nsince last \u003d 4294967295 + 1 - 1 \u003d 4294967295. This would later trigger\nthe BUG_ON(es-\u003ees_lblk + es-\u003ees_len \u003c es-\u003ees_lblk) in ext4_es_end().\n\nWe can simplify it by removing the - 1 altogether and changing the test\nto use lblock + len \u003c\u003d lblock, since now if len \u003d 0, then lblock + 0 \u003d\u003d\nlblock and it fails, and if len \u003e 0 then lblock + len \u003e lblock in order\nto pass (i.e. it doesn\u0027t overflow).\n\nFixes: 5946d0893 (\"ext4: check for overlapping extents in ext4_valid_extent_entries()\")\nFixes: 2f974865f (\"ext4: check for zero length extent explicitly\")\nCc: Eryu Guan \u003cguaneryu@gmail.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Phil Turnbull \u003cphil.turnbull@oracle.com\u003e\nSigned-off-by: Vegard Nossum \u003cvegard.nossum@oracle.com\u003e\nSigned-off-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\next4: don\u0027t call ext4_should_journal_data() on the journal inode\n\n[ Upstream commit 6a7fd522a7c94cdef0a3b08acf8e6702056e635c ]\n\nIf ext4_fill_super() fails early, it\u0027s possible for ext4_evict_inode()\nto call ext4_should_journal_data() before superblock options and flags\nare fully set up.  In that case, the iput() on the journal inode can\nend up causing a BUG().\n\nWork around this problem by reordering the tests so we only call\next4_should_journal_data() after we know it\u0027s not the journal inode.\n\nFixes: 2d859db3e4 (\"ext4: fix data corruption in inodes with journalled data\")\nFixes: 2b405bfa84 (\"ext4: fix data\u003djournal fast mount/umount hang\")\nCc: Jan Kara \u003cjack@suse.cz\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Vegard Nossum \u003cvegard.nossum@oracle.com\u003e\nSigned-off-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\nReviewed-by: Jan Kara \u003cjack@suse.cz\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nARM: dts: sunxi: Add a startup delay for fixed regulator enabled phys\n\n[ Upstream commit fc51b632c7b047c25807023b76f3877aed19c770 ]\n\nIt seems that recent kernels have a shorter timeout when scanning for\nethernet phys causing us to hit a timeout on boards where the phy\u0027s\nregulator gets enabled just before scanning, which leads to non working\nethernet.\n\nA 10ms startup delay seems to be enough to fix it, this commit adds a\n20ms startup delay just to be safe.\n\nThis has been tested on a sun4i-a10-a1000 and sun5i-a10s-wobo-i5 board,\nboth of which have non-working ethernet on recent kernels without this\nfix.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Hans de Goede \u003chdegoede@redhat.com\u003e\nSigned-off-by: Maxime Ripard \u003cmaxime.ripard@free-electrons.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\next4: validate s_reserved_gdt_blocks on mount\n\n[ Upstream commit e1d8c1feecf672379c50ab045fd94548468bc987 ]\n\n[ Upstream commit 5b9554dc5bf008ae7f68a52e3d7e76c0920938a2 ]\n\nIf s_reserved_gdt_blocks is extremely large, it\u0027s possible for\next4_init_block_bitmap(), which is called when ext4 sets up an\nuninitialized block bitmap, to corrupt random kernel memory.  Add the\nsame checks which e2fsck has --- it must never be larger than\nblocksize / sizeof(__u32) --- and then add a backup check in\next4_init_block_bitmap() in case the superblock gets modified after\nthe file system is mounted.\n\nReported-by: Vegard Nossum \u003cvegard.nossum@oracle.com\u003e\nSigned-off-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\ndrm/radeon: add a delay after ATPX dGPU power off\n\n[ Upstream commit d814b24fb74cb9797d70cb8053961447c5879a5c ]\n\nATPX dGPU power control requires a 200ms delay between\npower off and on.  This should fix dGPU failures on\nresume from power off.\n\nReviewed-by: Hawking Zhang \u003cHawking.Zhang@amd.com\u003e\nAcked-by: Christian König \u003cchristian.koenig@amd.com\u003e\nSigned-off-by: Alex Deucher \u003calexander.deucher@amd.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\ndrm/radeon: Poll for both connect/disconnect on analog connectors\n\n[ Upstream commit 14ff8d48f2235295dfb3117693008e367b49cdb5 ]\n\nDRM_CONNECTOR_POLL_CONNECT only enables polling for connections, not\ndisconnections. Because of this, we end up losing hotplug polling for\nanalog connectors once they get connected.\n\nEasy way to reproduce:\n - Grab a machine with a radeon GPU and a VGA port\n - Plug a monitor into the VGA port, wait for it to update the connector\n   from disconnected to connected\n - Disconnect the monitor on VGA, a hotplug event is never sent for the\n   removal of the connector.\n\nOriginally, only using DRM_CONNECTOR_POLL_CONNECT might have been a good\nidea since doing VGA polling can sometimes result in having to mess with\nthe DAC voltages to figure out whether or not there\u0027s actually something\nthere since VGA doesn\u0027t have HPD. Doing this would have the potential of\nshowing visible artifacts on the screen every time we ran a poll while a\nVGA display was connected. Luckily, radeon_vga_detect() only resorts to\nthis sort of polling if the poll is forced, and DRM\u0027s polling helper\ndoesn\u0027t force it\u0027s polls.\n\nAdditionally, this removes some assignments to connector-\u003epolled that\nweren\u0027t actually doing anything.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Lyude \u003ccpaul@redhat.com\u003e\nSigned-off-by: Alex Deucher \u003calexander.deucher@amd.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\n[media] media: dvb_ringbuffer: Add memory barriers\n\n[ Upstream commit ca6e6126db5494f18c6c6615060d4d803b528bff ]\n\nImplement memory barriers according to Documentation/circular-buffers.txt:\n- use smp_store_release() to update ringbuffer read/write pointers\n- use smp_load_acquire() to load write pointer on reader side\n- use ACCESS_ONCE() to load read pointer on writer side\n\nThis fixes data stream corruptions observed e.g. on an ARM Cortex-A9\nquad core system with different types (PCI, USB) of DVB tuners.\n\nSigned-off-by: Soeren Moch \u003csmoch@web.de\u003e\nCc: stable@vger.kernel.org # 3.14+\nSigned-off-by: Mauro Carvalho Chehab \u003cmchehab@s-opensource.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\n[media] Fix RC5 decoding with Fintek CIR chipset\n\n[ Upstream commit bbdb34c90aeb8b2253eae88029788ebe1d7f2fd4 ]\n\nFix RC5 decoding with Fintek CIR chipset\n\nCommit e87b540be2dd02552fb9244d50ae8b4e4619a34b tightened up the RC5\ndecoding by adding a check for trailing silence to ensure a valid RC5\ncommand had been received. Unfortunately the trailer length checked was\n10 units and the Fintek CIR device does not want to provide details of a\nspace longer than 6350us. This meant that RC5 remotes working on a\nFintek setup on 3.16 failed on 3.17 and later. Fix this by shortening\nthe trailer check to 6 units (allowing for a previous space in the\nreceived remote command).\n\nBugzilla: https://bugzilla.kernel.org/show_bug.cgi?id\u003d117221\n\nSigned-off-by: Jonathan McDowell \u003cnoodles@earth.li\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: David Härdeman \u003cdavid@hardeman.nu\u003e\nSigned-off-by: Mauro Carvalho Chehab \u003cmchehab@s-opensource.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nBluetooth: Add USB ID 13D3:3487 to ath3k\n\n[ Upstream commit 72f9f8b58bc743e6b6abdc68f60db98486c3ffcf ]\n\nAdd hw id to ath3k usb device list and btusb blacklist\n\nT:  Bus\u003d01 Lev\u003d01 Prnt\u003d01 Port\u003d08 Cnt\u003d02 Dev#\u003d  4 Spd\u003d12  MxCh\u003d 0\nD:  Ver\u003d 1.10 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 MxPS\u003d64 #Cfgs\u003d  1\nP:  Vendor\u003d13d3 ProdID\u003d3487 Rev\u003d00.02\nC:  #Ifs\u003d 2 Cfg#\u003d 1 Atr\u003de0 MxPwr\u003d100mA\nI:  If#\u003d 0 Alt\u003d 0 #EPs\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nI:  If#\u003d 1 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\n\nRequires these firmwares:\nar3k/AthrBT_0x11020100.dfu and ar3k/ramps_0x11020100_40.dfu\nFirmwares are available in linux-firmware.\n\nDevice found in a laptop ASUS model N552VW. It\u0027s an Atheros AR9462 chip.\n\nSigned-off-by: Lauro Costa \u003clauro@polilinux.com.br\u003e\nSigned-off-by: Marcel Holtmann \u003cmarcel@holtmann.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nBluetooth: Add support of 13d3:3490 AR3012 device\n\n[ Upstream commit 12d868964f7352e8b18e755488f7265a93431de1 ]\n\nT: Bus\u003d01 Lev\u003d01 Prnt\u003d01 Port\u003d07 Cnt\u003d05 Dev#\u003d 5 Spd\u003d12 MxCh\u003d 0\nD: Ver\u003d 1.10 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 MxPS\u003d64 #Cfgs\u003d 1\nP: Vendor\u003d13d3 ProdID\u003d3490 Rev\u003d00.01\nC: #Ifs\u003d 2 Cfg#\u003d 1 Atr\u003de0 MxPwr\u003d100mA\nI: If#\u003d 0 Alt\u003d 0 #EPs\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nI: If#\u003d 1 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\n\nBugLink: https://bugs.launchpad.net/bugs/1600623\n\nSigned-off-by: Dmitry Tunin \u003chanipouspilot@gmail.com\u003e\nSigned-off-by: Marcel Holtmann \u003cmarcel@holtmann.org\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\n[media] media: usbtv: prevent access to free\u0027d resources\n\n[ Upstream commit 2a00932f082aff93c3a55426e0c7af6d0ec03997 ]\n\nWhen disconnecting the usbtv device, the sound card is unregistered\nfrom ALSA and the snd member of the usbtv struct is set to NULL.  If\nthe usbtv snd_trigger work is running, this can cause a race condition\nwhere the kernel will attempt to access free\u0027d resources, shown in\n[1].\n\nThis patch fixes the disconnection code by cancelling any snd_trigger\nwork before unregistering the sound card from ALSA and checking that\nthe snd member still exists in the work function.\n\n[1]:\n usb 3-1.2: USB disconnect, device number 6\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000008\n IP: [\u003cffffffff81093850\u003e] process_one_work+0x30/0x480\n PGD 405bbf067 PUD 405bbe067 PMD 0\n Call Trace:\n  [\u003cffffffff81093ce8\u003e] worker_thread+0x48/0x4e0\n  [\u003cffffffff81093ca0\u003e] ? process_one_work+0x480/0x480\n  [\u003cffffffff81093ca0\u003e] ? process_one_work+0x480/0x480\n  [\u003cffffffff81099998\u003e] kthread+0xd8/0xf0\n  [\u003cffffffff815c73c2\u003e] ret_from_fork+0x22/0x40\n  [\u003cffffffff810998c0\u003e] ? kthread_worker_fn+0x170/0x170\n ---[ end trace 0f3dac5c1a38e610 ]---\n\nSigned-off-by: Matthew Leach \u003cmatthew@mattleach.net\u003e\nTested-by: Peter Sutton \u003cfoxxy@foxdogstudios.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Hans Verkuil \u003chans.verkuil@cisco.com\u003e\nSigned-off-by: Mauro Carvalho Chehab \u003cmchehab@s-opensource.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\ncifs: Check for existing directory when opening file with O_CREAT\n\n[ Upstream commit 8d9535b6efd86e6c07da59f97e68f44efb7fe080 ]\n\nWhen opening a file with O_CREAT flag, check to see if the file opened\nis an existing directory.\n\nThis prevents the directory from being opened which subsequently causes\na crash when the close function for directories cifs_closedir() is called\nwhich frees up the file-\u003eprivate_data memory while the file is still\nlisted on the open file list for the tcon.\n\nSigned-off-by: Sachin Prabhu \u003csprabhu@redhat.com\u003e\nSigned-off-by: Steve French \u003csmfrench@gmail.com\u003e\nCC: Stable \u003cstable@vger.kernel.org\u003e\nReported-by: Xiaoli Feng \u003cxifeng@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\ns390/mm: fix gmap tlb flush issues\n\n[ Upstream commit f045402984404ddc11016358411e445192919047 ]\n\n__tlb_flush_asce() should never be used if multiple asce belong to a mm.\n\nAs this function changes mm logic determining if local or global tlb\nflushes will be neded, we might end up flushing only the gmap asce on all\nCPUs and a follow up mm asce flushes will only flush on the local CPU,\nalthough that asce ran on multiple CPUs.\n\nThe missing tlb flushes will provoke strange faults in user space and even\nlow address protections in user space, crashing the kernel.\n\nFixes: 1b948d6caec4 (\"s390/mm,tlb: optimize TLB flushing for zEC12\")\nCc: stable@vger.kernel.org # 3.15+\nReported-by: Sascha Silbe \u003csilbe@linux.vnet.ibm.com\u003e\nAcked-by: Martin Schwidefsky \u003cschwidefsky@de.ibm.com\u003e\nSigned-off-by: David Hildenbrand \u003cdahi@linux.vnet.ibm.com\u003e\nSigned-off-by: Martin Schwidefsky \u003cschwidefsky@de.ibm.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nUSB: quirks: Fix another ELAN touchscreen\n\n[ Upstream commit df36c5bede207f734e4750beb2b14fb892050280 ]\n\nLike other buggy models that had their fixes [1], the touchscreen with\nid 04f3:21b8 from ELAN Microelectronics needs the device-qualifier\nquirk. Otherwise, it fails to respond, blocks the boot for a random\namount of time and pollutes dmesg with:\n\n[ 2887.373196] usb 1-5: new full-speed USB device number 41 using xhci_hcd\n[ 2889.502000] usb 1-5: unable to read config index 0 descriptor/start: -71\n[ 2889.502005] usb 1-5: can\u0027t read configurations, error -71\n[ 2889.654571] usb 1-5: new full-speed USB device number 42 using xhci_hcd\n[ 2891.783438] usb 1-5: unable to read config index 0 descriptor/start: -71\n[ 2891.783443] usb 1-5: can\u0027t read configurations, error -71\n\n[1]: See commits c68929f, 876af5d, d749947, a32c99e and dc703ec.\n\nTested-by: Adrien Vergé \u003cadrienverge@gmail.com\u003e\nSigned-off-by: Adrien Vergé \u003cadrienverge@gmail.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nusb: quirks: Add no-lpm quirk for Elan\n\n[ Upstream commit 25b1f9acc452209ae0fcc8c1332be852b5c52f53 ]\n\nBugLink: http://bugs.launchpad.net/bugs/1498667\n\nAs reported in BugLink, this device has an issue with Linux Power\nManagement so adding a quirk.  This quirk was reccomended by Alan Stern:\n\nhttp://lkml.iu.edu/hypermail/linux/kernel/1606.2/05590.html\n\nSigned-off-by: Joseph Salisbury \u003cjoseph.salisbury@canonical.com\u003e\nCc: stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nKVM: nVMX: Fix memory corruption when using VMCS shadowing\n\n[ Upstream commit 2f1fe81123f59271bddda673b60116bde9660385 ]\n\nWhen freeing the nested resources of a vcpu, there is an assumption that\nthe vcpu\u0027s vmcs01 is the current VMCS on the CPU that executes\nnested_release_vmcs12(). If this assumption is violated, the vcpu\u0027s\nvmcs01 may be made active on multiple CPUs at the same time, in\nviolation of Intel\u0027s specification. Moreover, since the vcpu\u0027s vmcs01 is\nnot VMCLEARed on every CPU on which it is active, it can linger in a\nCPU\u0027s VMCS cache after it has been freed and potentially\nrepurposed. Subsequent eviction from the CPU\u0027s VMCS cache on a capacity\nmiss can result in memory corruption.\n\nIt is not sufficient for vmx_free_vcpu() to call vmx_load_vmcs01(). If\nthe vcpu in question was last loaded on a different CPU, it must be\nmigrated to the current CPU before calling vmx_load_vmcs01().\n\nSigned-off-by: Jim Mattson \u003cjmattson@google.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\ndrm/radeon: support backlight control for UNIPHY3\n\n[ Upstream commit d3200be6c423afa1c34f7e39e9f6d04dd5b0af9d ]\n\nSame interface as other UNIPHY blocks\n\nSigned-off-by: Alex Deucher \u003calexander.deucher@amd.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\next4: short-cut orphan cleanup on error\n\n[ Upstream commit c65d5c6c81a1f27dec5f627f67840726fcd146de ]\n\nIf we encounter a filesystem error during orphan cleanup, we should stop.\nOtherwise, we may end up in an infinite loop where the same inode is\nprocessed again and again.\n\n    EXT4-fs (loop0): warning: checktime reached, running e2fsck is recommended\n    EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 2, block bitmap and bg descriptor inconsistent: 6117 vs 0 free clusters\n    Aborting journal on device loop0-8.\n    EXT4-fs (loop0): Remounting filesystem read-only\n    EXT4-fs error (device loop0) in ext4_free_blocks:4895: Journal has aborted\n    EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted\n    EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted\n    EXT4-fs error (device loop0) in ext4_ext_remove_space:3068: IO failure\n    EXT4-fs error (device loop0) in ext4_ext_truncate:4667: Journal has aborted\n    EXT4-fs error (device loop0) in ext4_orphan_del:2927: Journal has aborted\n    EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted\n    EXT4-fs (loop0): Inode 16 (00000000618192a0): orphan list check failed!\n    [...]\n    EXT4-fs (loop0): Inode 16 (0000000061819748): orphan list check failed!\n    [...]\n    EXT4-fs (loop0): Inode 16 (0000000061819bf0): orphan list check failed!\n    [...]\n\nSee-also: c9eb13a9105 (\"ext4: fix hang when processing corrupted orphaned inode list\")\nCc: Jan Kara \u003cjack@suse.cz\u003e\nSigned-off-by: Vegard Nossum \u003cvegard.nossum@oracle.com\u003e\nSigned-off-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\npowerpc/tm: Avoid SLB faults in treclaim/trecheckpoint when RI\u003d0\n\n[ Upstream commit 190ce8693c23eae09ba5f303a83bf2fbeb6478b1 ]\n\nCurrently we have 2 segments that are bolted for the kernel linear\nmapping (ie 0xc000... addresses). This is 0 to 1TB and also the kernel\nstacks. Anything accessed outside of these regions may need to be\nfaulted in. (In practice machines with TM always have 1T segments)\n\nIf a machine has \u003c 2TB of memory we never fault on the kernel linear\nmapping as these two segments cover all physical memory. If a machine\nhas \u003e 2TB of memory, there may be structures outside of these two\nsegments that need to be faulted in. This faulting can occur when\nrunning as a guest as the hypervisor may remove any SLB that\u0027s not\nbolted.\n\nWhen we treclaim and trecheckpoint we have a window where we need to\nrun with the userspace GPRs. This means that we no longer have a valid\nstack pointer in r1. For this window we therefore clear MSR RI to\nindicate that any exceptions taken at this point won\u0027t be able to be\nhandled. This means that we can\u0027t take segment misses in this RI\u003d0\nwindow.\n\nIn this RI\u003d0 region, we currently access the thread_struct for the\nprocess being context switched to or from. This thread_struct access\nmay cause a segment fault since it\u0027s not guaranteed to be covered by\nthe two bolted segment entries described above.\n\nWe\u0027ve seen this with a crash when running as a guest with \u003e 2TB of\nmemory on PowerVM:\n\n  Unrecoverable exception 4100 at c00000000004f138\n  Oops: Unrecoverable exception, sig: 6 [#1]\n  SMP NR_CPUS\u003d2048 NUMA pSeries\n  CPU: 1280 PID: 7755 Comm: kworker/1280:1 Tainted: G                 X 4.4.13-46-default #1\n  task: c000189001df4210 ti: c000189001d5c000 task.ti: c000189001d5c000\n  NIP: c00000000004f138 LR: 0000000010003a24 CTR: 0000000010001b20\n  REGS: c000189001d5f730 TRAP: 4100   Tainted: G                 X  (4.4.13-46-default)\n  MSR: 8000000100001031 \u003cSF,ME,IR,DR,LE\u003e  CR: 24000048  XER: 00000000\n  CFAR: c00000000004ed18 SOFTE: 0\n  GPR00: ffffffffc58d7b60 c000189001d5f9b0 00000000100d7d00 000000003a738288\n  GPR04: 0000000000002781 0000000000000006 0000000000000000 c0000d1f4d889620\n  GPR08: 000000000000c350 00000000000008ab 00000000000008ab 00000000100d7af0\n  GPR12: 00000000100d7ae8 00003ffe787e67a0 0000000000000000 0000000000000211\n  GPR16: 0000000010001b20 0000000000000000 0000000000800000 00003ffe787df110\n  GPR20: 0000000000000001 00000000100d1e10 0000000000000000 00003ffe787df050\n  GPR24: 0000000000000003 0000000000010000 0000000000000000 00003fffe79e2e30\n  GPR28: 00003fffe79e2e68 00000000003d0f00 00003ffe787e67a0 00003ffe787de680\n  NIP [c00000000004f138] restore_gprs+0xd0/0x16c\n  LR [0000000010003a24] 0x10003a24\n  Call Trace:\n  [c000189001d5f9b0] [c000189001d5f9f0] 0xc000189001d5f9f0 (unreliable)\n  [c000189001d5fb90] [c00000000001583c] tm_recheckpoint+0x6c/0xa0\n  [c000189001d5fbd0] [c000000000015c40] __switch_to+0x2c0/0x350\n  [c000189001d5fc30] [c0000000007e647c] __schedule+0x32c/0x9c0\n  [c000189001d5fcb0] [c0000000007e6b58] schedule+0x48/0xc0\n  [c000189001d5fce0] [c0000000000deabc] worker_thread+0x22c/0x5b0\n  [c000189001d5fd80] [c0000000000e7000] kthread+0x110/0x130\n  [c000189001d5fe30] [c000000000009538] ret_from_kernel_thread+0x5c/0xa4\n  Instruction dump:\n  7cb103a6 7cc0e3a6 7ca222a6 78a58402 38c00800 7cc62838 08860000 7cc000a6\n  38a00006 78c60022 7cc62838 0b060000 \u003ce8c701a0\u003e 7ccff120 e8270078 e8a70098\n  ---[ end trace 602126d0a1dedd54 ]---\n\nThis fixes this by copying the required data from the thread_struct to\nthe stack before we clear MSR RI. Then once we clear RI, we only access\nthe stack, guaranteeing there\u0027s no segment miss.\n\nWe also tighten the region over which we set RI\u003d0 on the treclaim()\npath. This may have a slight performance impact since we\u0027re adding an\nmtmsr instruction.\n\nFixes: 090b9284d725 (\"powerpc/tm: Clear MSR RI in non-recoverable TM code\")\nSigned-off-by: Michael Neuling \u003cmikey@neuling.org\u003e\nReviewed-by: Cyril Bur \u003ccyrilbur@gmail.com\u003e\nSigned-off-by: Michael Ellerman \u003cmpe@ellerman.id.au\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\npowerpc/tm: Fix stack pointer corruption in __tm_recheckpoint()\n\n[ Upstream commit 6bcb80143e792becfd2b9cc6a339ce523e4e2219 ]\n\nAt the start of __tm_recheckpoint() we save the kernel stack pointer\n(r1) in SPRG SCRATCH0 (SPRG2) so that we can restore it after the\ntrecheckpoint.\n\nUnfortunately, the same SPRG is used in the SLB miss handler.  If an\nSLB miss is taken between the save and restore of r1 to the SPRG, the\nSPRG is changed and hence r1 is also corrupted.  We can end up with\nthe following crash when we start using r1 again after the restore\nfrom the SPRG:\n\n  Oops: Bad kernel stack pointer, sig: 6 [#1]\n  SMP NR_CPUS\u003d2048 NUMA pSeries\n  CPU: 658 PID: 143777 Comm: htm_demo Tainted: G            EL   X 4.4.13-0-default #1\n  task: c0000b56993a7810 ti: c00000000cfec000 task.ti: c0000b56993bc000\n  NIP: c00000000004f188 LR: 00000000100040b8 CTR: 0000000010002570\n  REGS: c00000000cfefd40 TRAP: 0300   Tainted: G            EL   X  (4.4.13-0-default)\n  MSR: 8000000300001033 \u003cSF,ME,IR,DR,RI,LE\u003e  CR: 02000424  XER: 20000000\n  CFAR: c000000000008468 DAR: 00003ffd84e66880 DSISR: 40000000 SOFTE: 0\n  PACATMSCRATCH: 00003ffbc865e680\n  GPR00: fffffffcfabc4268 00003ffd84e667a0 00000000100d8c38 000000030544bb80\n  GPR04: 0000000000000002 00000000100cf200 0000000000000449 00000000100cf100\n  GPR08: 000000000000c350 0000000000002569 0000000000002569 00000000100d6c30\n  GPR12: 00000000100d6c28 c00000000e6a6b00 00003ffd84660000 0000000000000000\n  GPR16: 0000000000000003 0000000000000449 0000000010002570 0000010009684f20\n  GPR20: 0000000000800000 00003ffd84e5f110 00003ffd84e5f7a0 00000000100d0f40\n  GPR24: 0000000000000000 0000000000000000 0000000000000000 00003ffff0673f50\n  GPR28: 00003ffd84e5e960 00000000003d0f00 00003ffd84e667a0 00003ffd84e5e680\n  NIP [c00000000004f188] restore_gprs+0x110/0x17c\n  LR [00000000100040b8] 0x100040b8\n  Call Trace:\n  Instruction dump:\n  f8a1fff0 e8e700a8 38a00000 7ca10164 e8a1fff8 e821fff0 7c0007dd 7c421378\n  7db142a6 7c3242a6 38800002 7c810164 \u003ce9c100e0\u003e e9e100e8 ea0100f0 ea2100f8\n\nWe hit this on large memory machines (\u003e 2TB) but it can also be hit on\nsmaller machines when 1TB segments are disabled.\n\nTo hit this, you also need to be virtualised to ensure SLBs are\nperiodically removed by the hypervisor.\n\nThis patches moves the saving of r1 to the SPRG to the region where we\nare guaranteed not to take any further SLB misses.\n\nFixes: 98ae22e15b43 (\"powerpc: Add helper functions for transactional memory context switching\")\nCc: stable@vger.kernel.org # v3.9+\nSigned-off-by: Michael Neuling \u003cmikey@neuling.org\u003e\nAcked-by: Cyril Bur \u003ccyrilbur@gmail.com\u003e\nSigned-off-by: Michael Ellerman \u003cmpe@ellerman.id.au\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nUSB: serial: option: add support for Telit LE910 PID 0x1206\n\n[ Upstream commit 3c0415fa08548e3bc63ef741762664497ab187ed ]\n\nThis patch adds support for 0x1206 PID of Telit LE910.\n\nSince the interfaces positions are the same than the ones for\n0x1043 PID of Telit LE922, telit_le922_blacklist_usbcfg3 is used.\n\nSigned-off-by: Daniele Palmas \u003cdnlplm@gmail.com\u003e\nCc: stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nBluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU\n\n[ Upstream commit 23bc6ab0a0912146fd674a0becc758c3162baabc ]\n\nWhen we retrieve imtu value from userspace we should use 16 bit pointer\ncast instead of 32 as it\u0027s defined that way in headers. Fixes setsockopt\ncalls on big-endian platforms.\n\nSigned-off-by: Amadeusz Sławiński \u003camadeusz.slawinski@tieto.com\u003e\nSigned-off-by: Marcel Holtmann \u003cmarcel@holtmann.org\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\ncrypto: scatterwalk - Fix test in scatterwalk_done\n\n[ Upstream commit 5f070e81bee35f1b7bd1477bb223a873ff657803 ]\n\nWhen there is more data to be processed, the current test in\nscatterwalk_done may prevent us from calling pagedone even when\nwe should.\n\nIn particular, if we\u0027re on an SG entry spanning multiple pages\nwhere the last page is not a full page, we will incorrectly skip\ncalling pagedone on the second last page.\n\nThis patch fixes this by adding a separate test for whether we\u0027ve\nreached the end of a page.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\narm64: debug: unmask PSTATE.D earlier\n\n[ Upstream commit 2ce39ad15182604beb6c8fa8bed5e46b59fd1082 ]\n\nClearing PSTATE.D is one of the requirements for generating a debug\nexception. The arm64 booting protocol requires that PSTATE.D is set,\nsince many of the debug registers (for example, the hw_breakpoint\nregisters) are UNKNOWN out of reset and could potentially generate\nspurious, fatal debug exceptions in early boot code if PSTATE.D was\nclear. Once the debug registers have been safely initialised, PSTATE.D\nis cleared, however this is currently broken for two reasons:\n\n(1) The boot CPU clears PSTATE.D in a postcore_initcall and secondary\n    CPUs clear PSTATE.D in secondary_start_kernel. Since the initcall\n    runs after SMP (and the scheduler) have been initialised, there is\n    no guarantee that it is actually running on the boot CPU. In this\n    case, the boot CPU is left with PSTATE.D set and is not capable of\n    generating debug exceptions.\n\n(2) In a preemptible kernel, we may explicitly schedule on the IRQ\n    return path to EL1. If an IRQ occurs with PSTATE.D set in the idle\n    thread, then we may schedule the kthread_init thread, run the\n    postcore_initcall to clear PSTATE.D and then context switch back\n    to the idle thread before returning from the IRQ. The exception\n    return path will then restore PSTATE.D from the stack, and set it\n    again.\n\nThis patch fixes the problem by moving the clearing of PSTATE.D earlier\nto proc.S. This has the desirable effect of clearing it in one place for\nall CPUs, long before we have to worry about the scheduler or any\nexception handling. We ensure that the previous reset of MDSCR_EL1 has\ncompleted before unmasking the exception, so that any spurious\nexceptions resulting from UNKNOWN debug registers are not generated.\n\nWithout this patch applied, the kprobes selftests have been seen to fail\nunder KVM, where we end up attempting to step the OOL instruction buffer\nwith PSTATE.D set and therefore fail to complete the step.\n\nCc: \u003cstable@vger.kernel.org\u003e\nAcked-by: Mark Rutland \u003cmark.rutland@arm.com\u003e\nReported-by: Catalin Marinas \u003ccatalin.marinas@arm.com\u003e\nTested-by: Marc Zyngier \u003cmarc.zyngier@arm.com\u003e\nSigned-off-by: Will Deacon \u003cwill.deacon@arm.com\u003e\nReviewed-by: Catalin Marinas \u003ccatalin.marinas@arm.com\u003e\nTested-by: Catalin Marinas \u003ccatalin.marinas@arm.com\u003e\nSigned-off-by: Catalin Marinas \u003ccatalin.marinas@arm.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nmtd: nand: fix bug writing 1 byte less than page size\n\n[ Upstream commit 144f4c98399e2c0ca60eb414c15a2c68125c18b8 ]\n\nnand_do_write_ops() determines if it is writing a partial page with the\nformula:\n\tpart_pagewr \u003d (column || writelen \u003c (mtd-\u003ewritesize - 1))\n\nWhen \u0027writelen\u0027 is exactly 1 byte less than the NAND page size the formula\nequates to zero, so the code doesn\u0027t process it as a partial write,\nalthough it should.\nAs a consequence the function remains in the while(1) loop with \u0027writelen\u0027\nbecoming 0xffffffff and iterating endlessly.\n\nThe bug may not be easy to reproduce in Linux since user space tools\nusually force the padding or round-up the write size to a page-size\nmultiple.\nThis was discovered in U-Boot where the issue can be reproduced by\nwriting any size that is 1 byte less than a page-size multiple.\nFor example, on a NAND with 2K page (0x800):\n\t\u003d\u003e nand erase.part \u003cpartition\u003e\n\t\u003d\u003e nand write $loadaddr \u003cpartition\u003e 7ff\n\n[Editor\u0027s note: the bug was added in commit 29072b96078f, but moved\naround in commit 66507c7bc8895 (\"mtd: nand: Add support to use nand_base\npoi databuf as bounce buffer\")]\n\nFixes: 29072b96078f (\"[MTD] NAND: add subpage write support\")\nSigned-off-by: Hector Palacios \u003chector.palacios@digi.com\u003e\nAcked-by: Boris Brezillon \u003cboris.brezillon@free-electrons.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Brian Norris \u003ccomputersforpeace@gmail.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\ntarget: Fix missing complete during ABORT_TASK + CMD_T_FABRIC_STOP\n\n[ Upstream commit 5e2c956b8aa24d4f33ff7afef92d409eed164746 ]\n\nDuring transport_generic_free_cmd() with a concurrent TMR\nABORT_TASK and shutdown CMD_T_FABRIC_STOP bit set, the\ncaller will be blocked on se_cmd-\u003ecmd_wait_stop completion\nuntil the final kref_put() -\u003e target_release_cmd_kref()\nhas been invoked to call complete().\n\nHowever, when ABORT_TASK is completed with FUNCTION_COMPLETE\nin core_tmr_abort_task(), the aborted se_cmd will have already\nbeen removed from se_sess-\u003esess_cmd_list via list_del_init().\n\nThis results in target_release_cmd_kref() hitting the\nlegacy list_empty() \u003d\u003d true check, invoking -\u003erelease_cmd()\nbut skipping complete() to wakeup se_cmd-\u003ecmd_wait_stop\nblocked earlier in transport_generic_free_cmd() code.\n\nTo address this bug, it\u0027s safe to go ahead and drop the\noriginal list_empty() check so that fabric_stop invokes\nthe complete() as expected, since list_del_init() can\nsafely be used on a empty list.\n\nCc: Mike Christie \u003cmchristi@redhat.com\u003e\nCc: Quinn Tran \u003cquinn.tran@qlogic.com\u003e\nCc: Himanshu Madhani \u003chimanshu.madhani@qlogic.com\u003e\nCc: Christoph Hellwig \u003chch@lst.de\u003e\nCc: Hannes Reinecke \u003chare@suse.de\u003e\nCc: stable@vger.kernel.org # 3.14+\nTested-by: Nicholas Bellinger \u003cnab@linux-iscsi.org\u003e\nSigned-off-by: Nicholas Bellinger \u003cnab@linux-iscsi.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\ntarget: Fix race between iscsi-target connection shutdown + ABORT_TASK\n\n[ Upstream commit 064cdd2d91c2805d788876082f31cc63506f22c3 ]\n\nThis patch fixes a race in iscsit_release_commands_from_conn() -\u003e\niscsit_free_cmd() -\u003e transport_generic_free_cmd() + wait_for_tasks\u003d1,\nwhere CMD_T_FABRIC_STOP could end up being set after the final\nkref_put() is called from core_tmr_abort_task() context.\n\nThis results in transport_generic_free_cmd() blocking indefinately\non se_cmd-\u003ecmd_wait_comp, because the target_release_cmd_kref()\ncheck for CMD_T_FABRIC_STOP returns false.\n\nTo address this bug, make iscsit_release_commands_from_conn()\ndo list_splice and set CMD_T_FABRIC_STOP early while holding\niscsi_conn-\u003ecmd_lock.  Also make iscsit_aborted_task() only\nremove iscsi_cmd_t if CMD_T_FABRIC_STOP has not already been\nset.\n\nFinally in target_release_cmd_kref(), only honor fabric_stop\nif CMD_T_ABORTED has been set.\n\nCc: Mike Christie \u003cmchristi@redhat.com\u003e\nCc: Quinn Tran \u003cquinn.tran@qlogic.com\u003e\nCc: Himanshu Madhani \u003chimanshu.madhani@qlogic.com\u003e\nCc: Christoph Hellwig \u003chch@lst.de\u003e\nCc: Hannes Reinecke \u003chare@suse.de\u003e\nCc: stable@vger.kernel.org # 3.14+\nTested-by: Nicholas Bellinger \u003cnab@linux-iscsi.org\u003e\nSigned-off-by: Nicholas Bellinger \u003cnab@linux-iscsi.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\ncifs: fix crash due to race in hmac(md5) handling\n\n[ Upstream commit bd975d1eead2558b76e1079e861eacf1f678b73b ]\n\nThe secmech hmac(md5) structures are present in the TCP_Server_Info\nstruct and can be shared among multiple CIFS sessions.  However, the\nserver mutex is not currently held when these structures are allocated\nand used, which can lead to a kernel crashes, as in the scenario below:\n\nmount.cifs(8) #1\t\t\t\tmount.cifs(8) #2\n\nIs secmech.sdeschmaccmd5 allocated?\n// false\n\n\t\t\t\t\t\tIs secmech.sdeschmaccmd5 allocated?\n\t\t\t\t\t\t// false\n\nsecmech.hmacmd \u003d crypto_alloc_shash..\nsecmech.sdeschmaccmd5 \u003d kzalloc..\nsdeschmaccmd5-\u003eshash.tfm \u003d \u0026secmec.hmacmd;\n\n\t\t\t\t\t\tsecmech.sdeschmaccmd5 \u003d kzalloc\n\t\t\t\t\t\t// sdeschmaccmd5-\u003eshash.tfm\n\t\t\t\t\t\t// not yet assigned\n\ncrypto_shash_update()\n deref NULL sdeschmaccmd5-\u003eshash.tfm\n\n Unable to handle kernel paging request at virtual address 00000030\n epc   : 8027ba34 crypto_shash_update+0x38/0x158\n ra    : 8020f2e8 setup_ntlmv2_rsp+0x4bc/0xa84\n Call Trace:\n  crypto_shash_update+0x38/0x158\n  setup_ntlmv2_rsp+0x4bc/0xa84\n  build_ntlmssp_auth_blob+0xbc/0x34c\n  sess_auth_rawntlmssp_authenticate+0xac/0x248\n  CIFS_SessSetup+0xf0/0x178\n  cifs_setup_session+0x4c/0x84\n  cifs_get_smb_ses+0x2c8/0x314\n  cifs_mount+0x38c/0x76c\n  cifs_do_mount+0x98/0x440\n  mount_fs+0x20/0xc0\n  vfs_kern_mount+0x58/0x138\n  do_mount+0x1e8/0xccc\n  SyS_mount+0x88/0xd4\n  syscall_common+0x30/0x54\n\nFix this by locking the srv_mutex around the code which uses these\nhmac(md5) structures.  All the other secmech algos already have similar\nlocking.\n\nFixes: 95dc8dd14e2e84cc (\"Limit allocation of crypto mechanisms to dialect which requires\")\nSigned-off-by: Rabin Vincent \u003crabinv@axis.com\u003e\nAcked-by: Sachin Prabhu \u003csprabhu@redhat.com\u003e\nCC: Stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Steve French \u003csmfrench@gmail.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\niscsi-target: Fix panic when adding second TCP connection to iSCSI session\n\n[ Upstream commit 8abc718de6e9e52d8a6bfdb735060554aeae25e4 ]\n\nIn MC/S scenario, the conn-\u003esess has been set NULL in\niscsi_login_non_zero_tsih_s1 when the second connection comes here,\nthen kernel panic.\n\nThe conn-\u003esess will be assigned in iscsi_login_non_zero_tsih_s2. So\nwe should check whether it\u0027s NULL before calling.\n\nSigned-off-by: Feng Li \u003clifeng1519@gmail.com\u003e\nTested-by: Sumit Rai \u003csumit.rai@calsoftinc.com\u003e\nCc: stable@vger.kernel.org # 3.14+\nSigned-off-by: Nicholas Bellinger \u003cnab@linux-iscsi.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\ngpio: intel-mid: Remove potentially harmful code\n\n[ Upstream commit 3dbd3212f81b2b410a34a922055e2da792864829 ]\n\nThe commit d56d6b3d7d69 (\"gpio: langwell: add Intel Merrifield support\")\ndoesn\u0027t look at all as a proper support for Intel Merrifield and I dare to say\nthat it distorts the behaviour of the hardware.\n\nThe register map is different on Intel Merrifield, i.e. only 6 out of 8\nregister have the same purpose but none of them has same location in the\naddress space. The current case potentially harmful to existing hardware since\nit\u0027s poking registers on wrong offsets and may set some pin to be GPIO output\nwhen connected hardware doesn\u0027t expect such.\n\nBesides the above GPIO and pinctrl on Intel Merrifield have been located in\ndifferent IP blocks. The functionality has been extended as well, i.e. added\nsupport of level interrupts, special registers for wake capable sources and\nthus, in my opinion, requires a completele separate driver.\n\nIf someone wondering the existing gpio-intel-mid.c would be converted to actual\npinctrl (which by the fact it is now), though I wouldn\u0027t be a volunteer to do\nthat.\n\nFixes: d56d6b3d7d69 (\"gpio: langwell: add Intel Merrifield support\")\nCc: stable@vger.kernel.org # v3.13+\nSigned-off-by: Andy Shevchenko \u003candriy.shevchenko@linux.intel.com\u003e\nReviewed-by: Mika Westerberg \u003cmika.westerberg@linux.intel.com\u003e\nSigned-off-by: Linus Walleij \u003clinus.walleij@linaro.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nnfs: don\u0027t create zero-length requests\n\n[ Upstream commit 149a4fddd0a72d526abbeac0c8deaab03559836a ]\n\nNFS doesn\u0027t expect requests with wb_bytes set to zero and may make\nunexpected decisions about how to handle that request at the page IO layer.\nSkip request creation if we won\u0027t have any wb_bytes in the request.\n\nSigned-off-by: Benjamin Coddington \u003cbcodding@redhat.com\u003e\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nReviewed-by: Weston Andros Adamson \u003cdros@primarydata.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Trond Myklebust \u003ctrond.myklebust@primarydata.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\ndcache: let the dentry count go down to zero without taking d_lock\n\n[ Upstream commit 360f54796ed65939093ae373b92ebd5ef3341776 ]\n\nWe can be more aggressive about this, if we are clever and careful. This is subtle.\n\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nfs/dcache.c: avoid soft-lockup in dput()\n\n[ Upstream commit 47be61845c775643f1aa4d2a54343549f943c94c ]\n\nWe triggered soft-lockup under stress test which\nopen/access/write/close one file concurrently on more than\nfive different CPUs:\n\nWARN: soft lockup - CPU#0 stuck for 11s! [who:30631]\n...\n[\u003cffffffc0003986f8\u003e] dput+0x100/0x298\n[\u003cffffffc00038c2dc\u003e] terminate_walk+0x4c/0x60\n[\u003cffffffc00038f56c\u003e] path_lookupat+0x5cc/0x7a8\n[\u003cffffffc00038f780\u003e] filename_lookup+0x38/0xf0\n[\u003cffffffc000391180\u003e] user_path_at_empty+0x78/0xd0\n[\u003cffffffc0003911f4\u003e] user_path_at+0x1c/0x28\n[\u003cffffffc00037d4fc\u003e] SyS_faccessat+0xb4/0x230\n\n-\u003ed_lock trylock may failed many times because of concurrently\noperations, and dput() may execute a long time.\n\nFix this by replacing cpu_relax() with cond_resched().\ndput() used to be sleepable, so make it sleepable again\nshould be safe.\n\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Wei Fang \u003cfangwei1@huawei.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nnet/irda: fix NULL pointer dereference on memory allocation failure\n\n[ Upstream commit d3e6952cfb7ba5f4bfa29d4803ba91f96ce1204d ]\n\nI ran into this:\n\n    kasan: CONFIG_KASAN_INLINE enabled\n    kasan: GPF could be caused by NULL-ptr deref or user memory access\n    general protection fault: 0000 [#1] PREEMPT SMP KASAN\n    CPU: 2 PID: 2012 Comm: trinity-c3 Not tainted 4.7.0-rc7+ #19\n    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014\n    task: ffff8800b745f2c0 ti: ffff880111740000 task.ti: ffff880111740000\n    RIP: 0010:[\u003cffffffff82bbf066\u003e]  [\u003cffffffff82bbf066\u003e] irttp_connect_request+0x36/0x710\n    RSP: 0018:ffff880111747bb8  EFLAGS: 00010286\n    RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000069dd8358\n    RDX: 0000000000000009 RSI: 0000000000000027 RDI: 0000000000000048\n    RBP: ffff880111747c00 R08: 0000000000000000 R09: 0000000000000000\n    R10: 0000000069dd8358 R11: 1ffffffff0759723 R12: 0000000000000000\n    R13: ffff88011a7e4780 R14: 0000000000000027 R15: 0000000000000000\n    FS:  00007fc738404700(0000) GS:ffff88011af00000(0000) knlGS:0000000000000000\n    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n    CR2: 00007fc737fdfb10 CR3: 0000000118087000 CR4: 00000000000006e0\n    Stack:\n     0000000000000200 ffff880111747bd8 ffffffff810ee611 ffff880119f1f220\n     ffff880119f1f4f8 ffff880119f1f4f0 ffff88011a7e4780 ffff880119f1f232\n     ffff880119f1f220 ffff880111747d58 ffffffff82bca542 0000000000000000\n    Call Trace:\n     [\u003cffffffff82bca542\u003e] irda_connect+0x562/0x1190\n     [\u003cffffffff825ae582\u003e] SYSC_connect+0x202/0x2a0\n     [\u003cffffffff825b4489\u003e] SyS_connect+0x9/0x10\n     [\u003cffffffff8100334c\u003e] do_syscall_64+0x19c/0x410\n     [\u003cffffffff83295ca5\u003e] entry_SYSCALL64_slow_path+0x25/0x25\n    Code: 41 89 ca 48 89 e5 41 57 41 56 41 55 41 54 41 89 d7 53 48 89 fb 48 83 c7 48 48 89 fa 41 89 f6 48 c1 ea 03 48 83 ec 20 4c 8b 65 10 \u003c0f\u003e b6 04 02 84 c0 74 08 84 c0 0f 8e 4c 04 00 00 80 7b 48 00 74\n    RIP  [\u003cffffffff82bbf066\u003e] irttp_connect_request+0x36/0x710\n     RSP \u003cffff880111747bb8\u003e\n    ---[ end trace 4cda2588bc055b30 ]---\n\nThe problem is that irda_open_tsap() can fail and leave self-\u003etsap \u003d NULL,\nand then irttp_connect_request() almost immediately dereferences it.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Vegard Nossum \u003cvegard.nossum@oracle.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nmodule: Invalidate signatures on force-loaded modules\n\n[ Upstream commit bca014caaa6130e57f69b5bf527967aa8ee70fdd ]\n\nSigning a module should only make it trusted by the specific kernel it\nwas built for, not anything else.  Loading a signed module meant for a\nkernel with a different ABI could have interesting effects.\nTherefore, treat all signatures as invalid when a module is\nforce-loaded.\n\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Rusty Russell \u003crusty@rustcorp.com.au\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nDocumentation/module-signing.txt: Note need for version info if reusing a key\n\n[ Upstream commit b8612e517c3c9809e1200b72c474dbfd969e5a83 ]\n\nSigning a module should only make it trusted by the specific kernel it\nwas built for, not anything else.  If a module signing key is used for\nmultiple ABI-incompatible kernels, the modules need to include enough\nversion information to distinguish them.\n\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Rusty Russell \u003crusty@rustcorp.com.au\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nInput: i8042 - break load dependency between atkbd/psmouse and i8042\n\n[ Upstream commit 4097461897df91041382ff6fcd2bfa7ee6b2448c ]\n\nAs explained in 1407814240-4275-1-git-send-email-decui@microsoft.com we\nhave a hard load dependency between i8042 and atkbd which prevents\nkeyboard from working on Gen2 Hyper-V VMs.\n\n\u003e hyperv_keyboard invokes serio_interrupt(), which needs a valid serio\n\u003e driver like atkbd.c.  atkbd.c depends on libps2.c because it invokes\n\u003e ps2_command().  libps2.c depends on i8042.c because it invokes\n\u003e i8042_check_port_owner().  As a result, hyperv_keyboard actually\n\u003e depends on i8042.c.\n\u003e\n\u003e For a Generation 2 Hyper-V VM (meaning no i8042 device emulated), if a\n\u003e Linux VM (like Arch Linux) happens to configure CONFIG_SERIO_I8042\u003dm\n\u003e rather than \u003dy, atkbd.ko can\u0027t load because i8042.ko can\u0027t load(due to\n\u003e no i8042 device emulated) and finally hyperv_keyboard can\u0027t work and\n\u003e the user can\u0027t input: https://bugs.archlinux.org/task/39820\n\u003e (Ubuntu/RHEL/SUSE aren\u0027t affected since they use CONFIG_SERIO_I8042\u003dy)\n\nTo break the dependency we move away from using i8042_check_port_owner()\nand instead allow serio port owner specify a mutex that clients should use\nto serialize PS/2 command stream.\n\nReported-by: Mark Laws \u003cmdl@60hz.org\u003e\nTested-by: Mark Laws \u003cmdl@60hz.org\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Dmitry Torokhov \u003cdmitry.torokhov@gmail.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nfs/cifs: make share unaccessible at root level mountable\n\n[ Upstream commit a6b5058fafdf508904bbf16c29b24042cef3c496 ]\n\nif, when mounting //HOST/share/sub/dir/foo we can query /sub/dir/foo but\nnot any of the path components above:\n\n- store the /sub/dir/foo prefix in the cifs super_block info\n- in the superblock, set root dentry to the subpath dentry (instead of\n  the share root)\n- set a flag in the superblock to remember it\n- use prefixpath when building path from a dentry\n\nfixes bso#8950\n\nSigned-off-by: Aurelien Aptel \u003caaptel@suse.com\u003e\nCC: Stable \u003cstable@vger.kernel.org\u003e\nReviewed-by: Pavel Shilovsky \u003cpshilovsky@samba.org\u003e\nSigned-off-by: Steve French \u003csmfrench@gmail.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nCIFS: Fix a possible invalid memory access in smb2_query_symlink()\n\n[ Upstream commit 7893242e2465aea6f2cbc2639da8fa5ce96e8cc2 ]\n\nDuring following a symbolic link we received err_buf from SMB2_open().\nWhile the validity of SMB2 error response is checked previously\nin smb2_check_message() a symbolic link payload is not checked at all.\nFix it by adding such checks.\n\nCc: Dan Carpenter \u003cdan.carpenter@oracle.com\u003e\nCC: Stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Pavel Shilovsky \u003cpshilovsky@samba.org\u003e\nSigned-off-by: Steve French \u003csmfrench@gmail.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nKVM: PPC: Book3S HV: Pull out TM state save/restore into separate procedures\n\n[ Upstream commit f024ee098476a3e620232e4a78cfac505f121245 ]\n\nThis moves the transactional memory state save and restore sequences\nout of the guest entry/exit paths into separate procedures.  This is\nso that these sequences can be used in going into and out of nap\nin a subsequent patch.\n\nThe only code changes here are (a) saving and restore LR on the\nstack, since these new procedures get called with a bl instruction,\n(b) explicitly saving r1 into the PACA instead of assuming that\nHSTATE_HOST_R1(r13) is already set, and (c) removing an unnecessary\nand redundant setting of MSR[TM] that should have been removed by\ncommit 9d4d0bdd9e0a (\"KVM: PPC: Book3S HV: Add transactional memory\nsupport\", 2013-09-24) but wasn\u0027t.\n\nCc: stable@vger.kernel.org # v3.15+\nSigned-off-by: Paul Mackerras \u003cpaulus@ozlabs.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nKVM: PPC: Book3S HV: Save/restore TM state in H_CEDE\n\n[ Upstream commit 93d17397e4e2182fdaad503e2f9da46202c0f1c3 ]\n\nIt turns out that if the guest does a H_CEDE while the CPU is in\na transactional state, and the H_CEDE does a nap, and the nap\nloses the architected state of the CPU (which is is allowed to do),\nthen we lose the checkpointed state of the virtual CPU.  In addition,\nthe transactional-memory state recorded in the MSR gets reset back\nto non-transactional, and when we try to return to the guest, we take\na TM bad thing type of program interrupt because we are trying to\ntransition from non-transactional to transactional with a hrfid\ninstruction, which is not permitted.\n\nThe result of the program interrupt occurring at that point is that\nthe host CPU will hang in an infinite loop with interrupts disabled.\nThus this is a denial of service vulnerability in the host which can\nbe triggered by any guest (and depending on the guest kernel, it can\npotentially triggered by unprivileged userspace in the guest).\n\nThis vulnerability has been assigned the ID CVE-2016-5412.\n\nTo fix this, we save the TM state before napping and restore it\non exit from the nap, when handling a H_CEDE in real mode.  The\ncase where H_CEDE exits to host virtual mode is already OK (as are\nother hcalls which exit to host virtual mode) because the exit\npath saves the TM state.\n\nCc: stable@vger.kernel.org # v3.15+\nSigned-off-by: Paul Mackerras \u003cpaulus@ozlabs.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nKEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace\n\n[ Upstream commit 20f06ed9f61a185c6dabd662c310bed6189470df ]\n\nMIPS64 needs to use compat_sys_keyctl for 32-bit userspace rather than\ncalling sys_keyctl.  The latter will work in a lot of cases, thereby hiding\nthe issue.\n\nReported-by: Stephan Mueller \u003csmueller@chronox.de\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\ncc: stable@vger.kernel.org\nCc: linux-mips@linux-mips.org\nCc: linux-kernel@vger.kernel.org\nCc: linux-security-module@vger.kernel.org\nCc: keyrings@vger.kernel.org\nPatchwork: https://patchwork.linux-mips.org/patch/13832/\nSigned-off-by: Ralf Baechle \u003cralf@linux-mips.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\ndrm/radeon: fix firmware info version checks\n\n[ Upstream commit 3edc38a0facef45ee22af8afdce3737f421f36ab ]\n\nSome of the checks didn\u0027t handle frev 2 tables properly.\n\nSigned-off-by: Alex Deucher \u003calexander.deucher@amd.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nARC: mm: don\u0027t loose PTE_SPECIAL in pte_modify()\n\n[ Upstream commit 3925a16ae980c79d1a8fd182d7f9487da1edd4dc ]\n\nLTP madvise05 was generating mm splat\n\n| [ARCLinux]# /sd/ltp/testcases/bin/madvise05\n| BUG: Bad page map in process madvise05  pte:80e08211 pmd:9f7d4000\n| page:9fdcfc90 count:1 mapcount:-1 mapping:  (null) index:0x0 flags: 0x404(referenced|reserved)\n| page dumped because: bad pte\n| addr:200b8000 vm_flags:00000070 anon_vma:  (null) mapping:  (null) index:1005c\n| file:  (null) fault:  (null) mmap:  (null) readpage:  (null)\n| CPU: 2 PID: 6707 Comm: madvise05\n\nAnd for newer kernels, the system was rendered unusable afterwards.\n\nThe problem was mprotect-\u003epte_modify() clearing PTE_SPECIAL (which is\nset to identify the special zero page wired to the pte).\nWhen pte was finally unmapped, special casing for zero page was not\ndone, and instead it was treated as a \"normal\" page, tripping on the\nmap counts etc.\n\nThis fixes ARC STAR 9001053308\n\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Vineet Gupta \u003cvgupta@synopsys.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nfuse: fsync() did not return IO errors\n\n[ Upstream commit ac7f052b9e1534c8248f814b6f0068ad8d4a06d2 ]\n\nDue to implementation of fuse writeback filemap_write_and_wait_range() does\nnot catch errors. We have to do this directly after fuse_sync_writes()\n\nSigned-off-by: Alexey Kuznetsov \u003ckuznet@virtuozzo.com\u003e\nSigned-off-by: Maxim Patlasov \u003cmpatlasov@virtuozzo.com\u003e\nSigned-off-by: Miklos Szeredi \u003cmszeredi@redhat.com\u003e\nFixes: 4d99ff8f12eb (\"fuse: Turn writeback cache on\")\nCc: \u003cstable@vger.kernel.org\u003e # v3.15+\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nfuse: fuse_flush must check mapping-\u003eflags for errors\n\n[ Upstream commit 9ebce595f63a407c5cec98f98f9da8459b73740a ]\n\nfuse_flush() calls write_inode_now() that triggers writeback, but actual\nwriteback will happen later, on fuse_sync_writes(). If an error happens,\nfuse_writepage_end() will set error bit in mapping-\u003eflags. So, we have to\ncheck mapping-\u003eflags after fuse_sync_writes().\n\nSigned-off-by: Maxim Patlasov \u003cmpatlasov@virtuozzo.com\u003e\nSigned-off-by: Miklos Szeredi \u003cmszeredi@redhat.com\u003e\nFixes: 4d99ff8f12eb (\"fuse: Turn writeback cache on\")\nCc: \u003cstable@vger.kernel.org\u003e # v3.15+\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nfuse: fix wrong assignment of -\u003eflags in fuse_send_init()\n\n[ Upstream commit 9446385f05c9af25fed53dbed3cc75763730be52 ]\n\nFUSE_HAS_IOCTL_DIR should be assigned to -\u003eflags, it may be a typo.\n\nSigned-off-by: Wei Fang \u003cfangwei1@huawei.com\u003e\nSigned-off-by: Miklos Szeredi \u003cmszeredi@redhat.com\u003e\nFixes: 69fe05c90ed5 (\"fuse: add missing INIT flags\")\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nubi: Fix race condition between ubi device creation and udev\n\n[ Upstream commit 714fb87e8bc05ff78255afc0dca981e8c5242785 ]\n\nInstall the UBI device object before we arm sysfs.\nOtherwise udev tries to read sysfs attributes before UBI is ready and\nudev rules will not match.\n\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Iosif Harutyunov \u003ciharutyunov@sonicwall.com\u003e\n[rw: massaged commit message]\nSigned-off-by: Richard Weinberger \u003crichard@nod.at\u003e\n\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nubi: Make volume resize power cut aware\n\n[ Upstream commit 4946784bd3924b1374f05eebff2fd68660bae866 ]\n\nWhen the volume resize operation shrinks a volume,\nLEBs will be unmapped. Since unmapping will not erase these\nLEBs immediately we have to wait for that operation to finish.\nOtherwise in case of a power cut right after writing the new\nvolume table the UBI attach process can find more LEBs than the\nvolume table knows. This will render the UBI image unattachable.\n\nFix this issue by waiting for erase to complete and write the new\nvolume table afterward.\n\nCc: \u003cstable@vger.kernel.org\u003e\nReported-by: Boris Brezillon \u003cboris.brezillon@free-electrons.com\u003e\nReviewed-by: Boris Brezillon \u003cboris.brezillon@free-electrons.com\u003e\nSigned-off-by: Richard Weinberger \u003crichard@nod.at\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\ndrm/nouveau/fbcon: fix font width not divisible by 8\n\n[ Upstream commit 28668f43b8e421634e1623f72a879812288dd06b ]\n\nThe patch f045f459d925 (\"drm/nouveau/fbcon: fix out-of-bounds memory accesses\")\ntries to fix some out of memory accesses. Unfortunatelly, the patch breaks the\ndisplay when using fonts with width that is not divisiable by 8.\n\nThe monochrome bitmap for each character is stored in memory by lines from top\nto bottom. Each line is padded to a full byte.\n\nFor example, for 22x11 font, each line is padded to 16 bits, so each\ncharacter is consuming 44 bytes total, that is 11 32-bit words. The patch\nf045f459d925 changed the logic to \"dsize \u003d ALIGN(image-\u003ewidth *\nimage-\u003eheight, 32) \u003e\u003e 5\", that is just 8 words - this is incorrect and it\ncauses display corruption.\n\nThis patch adds the necesary padding of lines to 8 bytes.\n\nThis patch should be backported to stable kernels where f045f459d925 was\nbackported.\n\nSigned-off-by: Mikulas Patocka \u003cmpatocka@redhat.com\u003e\nFixes: f045f459d925 (\"drm/nouveau/fbcon: fix out-of-bounds memory accesses\")\nCc: stable@vger.kernel.org\nSigned-off-by: Ben Skeggs \u003cbskeggs@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nALSA: hda/realtek: Enable HP amp and mute LED on HP Folio 9480m [v3]\n\n[ Upstream commit 98973f2f083a5ec580da8bbb685e6baa93613546 ]\n\nThis laptop needs GPIO4 pulled high to enable the headphone amplifier,\nand has a mute LED on GPIO3. I modelled the patch on the existing\nGPIO4 code which pulls the line low for the same purpose; this time,\nthe HP amp line is pulled high.\n\nv2: Disable the headphone amplifier when no headphone is connected.\n    Don\u0027t disable power savings to preserve the LED state.\n\nv3: Remove headset-specific hooks and code; this is just a headphone.\n\nSigned-off-by: Keith Packard \u003ckeithp@keithp.com\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nx86/syscalls/64: Add compat_sys_keyctl for 32-bit userspace\n\n[ Upstream commit f7d665627e103e82d34306c7d3f6f46f387c0d8b ]\n\nx86_64 needs to use compat_sys_keyctl for 32-bit userspace rather than\ncalling sys_keyctl(). The latter will work in a lot of cases, thereby\nhiding the issue.\n\nReported-by: Stephan Mueller \u003csmueller@chronox.de\u003e\nTested-by: Stephan Mueller \u003csmueller@chronox.de\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Andy Lutomirski \u003cluto@kernel.org\u003e\nCc: Borislav Petkov \u003cbp@alien8.de\u003e\nCc: Brian Gerst \u003cbrgerst@gmail.com\u003e\nCc: Denys Vlasenko \u003cdvlasenk@redhat.com\u003e\nCc: H. Peter Anvin \u003chpa@zytor.com\u003e\nCc: Josh Poimboeuf \u003cjpoimboe@redhat.com\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: keyrings@vger.kernel.org\nCc: linux-security-module@vger.kernel.org\nCc: stable@vger.kernel.org\nLink: http://lkml.kernel.org/r/146961615805.14395.5581949237156769439.stgit@warthog.procyon.org.uk\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nballoon: check the number of available pages in leak balloon\n\n[ Upstream commit 37cf99e08c6fb4dcea0f9ad2b13b6daa8c76a711 ]\n\nThe balloon has a special mechanism that is subscribed to the oom\nnotification which leads to deflation for a fixed number of pages.\nThe number is always fixed even when the balloon is fully deflated.\nBut leak_balloon did not expect that the pages to deflate will be more\nthan taken, and raise a \"BUG\" in balloon_page_dequeue when page list\nwill be empty.\n\nSo, the simplest solution would be to check that the number of releases\npages is less or equal to the number taken pages.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Konstantin Neumoin \u003ckneumoin@virtuozzo.com\u003e\nSigned-off-by: Denis V. Lunev \u003cden@openvz.org\u003e\nCC: Michael S. Tsirkin \u003cmst@redhat.com\u003e\nSigned-off-by: Michael S. Tsirkin \u003cmst@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nftrace/recordmcount: Work around for addition of metag magic but not relocations\n\n[ Upstream commit b2e1c26f0b62531636509fbcb6dab65617ed8331 ]\n\nglibc recently did a sync up (94e73c95d9b5 \"elf.h: Sync with the gabi\nwebpage\") that added a #define for EM_METAG but did not add relocations\n\nThis triggers build errors:\n\nscripts/recordmcount.c: In function \u0027do_file\u0027:\nscripts/recordmcount.c:466:28: error: \u0027R_METAG_ADDR32\u0027 undeclared (first use in this function)\n  case EM_METAG:  reltype \u003d R_METAG_ADDR32;\n                            ^~~~~~~~~~~~~~\nscripts/recordmcount.c:466:28: note: each undeclared identifier is reported only once for each function it appears in\nscripts/recordmcount.c:468:20: error: \u0027R_METAG_NONE\u0027 undeclared (first use in this function)\n     rel_type_nop \u003d R_METAG_NONE;\n                    ^~~~~~~~~~~~\n\nWork around this change with some more #ifdefery for the relocations.\n\nFedora Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id\u003d1354034\n\nLink: http://lkml.kernel.org/r/1468005530-14757-1-git-send-email-labbott@redhat.com\n\nCc: stable@vger.kernel.org # v3.9+\nCc: James Hogan \u003cjames.hogan@imgtec.com\u003e\nFixes: 00512bdd4573 (\"metag: ftrace support\")\nReported-by: Ross Burton \u003cross.burton@intel.com\u003e\nSigned-off-by: Laura Abbott \u003clabbott@redhat.com\u003e\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\ndm flakey: error READ bios during the down_interval\n\n[ Upstream commit 99f3c90d0d85708e7401a81ce3314e50bf7f2819 ]\n\nWhen the corrupt_bio_byte feature was introduced it caused READ bios to\nno longer be errored with -EIO during the down_interval.  This had to do\nwith the complexity of needing to submit READs if the corrupt_bio_byte\nfeature was used.\n\nFix it so READ bios are properly errored with -EIO; doing so early in\nflakey_map() as long as there isn\u0027t a match for the corrupt_bio_byte\nfeature.\n\nFixes: a3998799fb4df (\"dm flakey: add corrupt_bio_byte feature\")\nReported-by: Akira Hayakawa \u003cruby.wktk@gmail.com\u003e\nSigned-off-by: Mike Snitzer \u003csnitzer@redhat.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nmm/hugetlb: avoid soft lockup in set_max_huge_pages()\n\n[ Upstream commit 649920c6ab93429b94bc7c1aa7c0e8395351be32 ]\n\nIn powerpc servers with large memory(32TB), we watched several soft\nlockups for hugepage under stress tests.\n\nThe call traces are as follows:\n1.\nget_page_from_freelist+0x2d8/0xd50\n__alloc_pages_nodemask+0x180/0xc20\nalloc_fresh_huge_page+0xb0/0x190\nset_max_huge_pages+0x164/0x3b0\n\n2.\nprep_new_huge_page+0x5c/0x100\nalloc_fresh_huge_page+0xc8/0x190\nset_max_huge_pages+0x164/0x3b0\n\nThis patch fixes such soft lockups.  It is safe to call cond_resched()\nthere because it is out of spin_lock/unlock section.\n\nLink: http://lkml.kernel.org/r/1469674442-14848-1-git-send-email-hejianet@gmail.com\nSigned-off-by: Jia He \u003chejianet@gmail.com\u003e\nReviewed-by: Naoya Horiguchi \u003cn-horiguchi@ah.jp.nec.com\u003e\nAcked-by: Michal Hocko \u003cmhocko@suse.com\u003e\nAcked-by: Dave Hansen \u003cdave.hansen@linux.intel.com\u003e\nCc: Mike Kravetz \u003cmike.kravetz@oracle.com\u003e\nCc: \"Kirill A. Shutemov\" \u003ckirill.shutemov@linux.intel.com\u003e\nCc: Paul Gortmaker \u003cpaul.gortmaker@windriver.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nsysv, ipc: fix security-layer leaking\n\n[ Upstream commit 9b24fef9f0410fb5364245d6cc2bd044cc064007 ]\n\nCommit 53dad6d3a8e5 (\"ipc: fix race with LSMs\") updated ipc_rcu_putref()\nto receive rcu freeing function but used generic ipc_rcu_free() instead\nof msg_rcu_free() which does security cleaning.\n\nRunning LTP msgsnd06 with kmemleak gives the following:\n\n  cat /sys/kernel/debug/kmemleak\n\n  unreferenced object 0xffff88003c0a11f8 (size 8):\n    comm \"msgsnd06\", pid 1645, jiffies 4294672526 (age 6.549s)\n    hex dump (first 8 bytes):\n      1b 00 00 00 01 00 00 00                          ........\n    backtrace:\n      kmemleak_alloc+0x23/0x40\n      kmem_cache_alloc_trace+0xe1/0x180\n      selinux_msg_queue_alloc_security+0x3f/0xd0\n      security_msg_queue_alloc+0x2e/0x40\n      newque+0x4e/0x150\n      ipcget+0x159/0x1b0\n      SyS_msgget+0x39/0x40\n      entry_SYSCALL_64_fastpath+0x13/0x8f\n\nManfred Spraul suggested to fix sem.c as well and Davidlohr Bueso to\nonly use ipc_rcu_free in case of security allocation failure in newary()\n\nFixes: 53dad6d3a8e (\"ipc: fix race with LSMs\")\nLink: http://lkml.kernel.org/r/1470083552-22966-1-git-send-email-fabf@skynet.be\nSigned-off-by: Fabian Frederick \u003cfabf@skynet.be\u003e\nCc: Davidlohr Bueso \u003cdbueso@suse.de\u003e\nCc: Manfred Spraul \u003cmanfred@colorfullife.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\t[3.12+]\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nALSA: hda: add AMD Bonaire AZ PCI ID with proper driver caps\n\n[ Upstream commit fd48331f9b71d2add941adaee3619f5b8527182d ]\n\nThis commit fixes garbled audio on Bonaire HDMI\n\nSigned-off-by: Maruthi Bayyavarapu \u003cmaruthi.bayyavarapu@amd.com\u003e\nReviewed-by: Alex Deucher \u003calexander.deucher@amd.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nmetag: Fix __cmpxchg_u32 asm constraint for CMP\n\n[ Upstream commit 6154c187b97ee7513046bb4eb317a89f738f13ef ]\n\nThe LNKGET based atomic sequence in __cmpxchg_u32 has slightly incorrect\nconstraints for the return value which under certain circumstances can\nallow an address unit register to be used as the first operand of a CMP\ninstruction. This isn\u0027t a valid instruction however as the encodings\nonly allow a data unit to be specified. This would result in an\nassembler error like the following:\n\n  Error: failed to assemble instruction: \"CMP A0.2,D0Ar6\"\n\nFix by changing the constraint from \"\u003d\u0026da\" (assigned, early clobbered,\ndata or address unit register) to \"\u003d\u0026d\" (data unit register only).\n\nThe constraint for the second operand, \"bd\" (an op2 register where op1\nis a data unit register and the instruction supports O2R) is already\ncorrect assuming the first operand is a data unit register.\n\nOther cases of CMP in inline asm have had their constraints checked, and\nappear to all be fine.\n\nFixes: 6006c0d8ce94 (\"metag: Atomics, locks and bitops\")\nSigned-off-by: James Hogan \u003cjames.hogan@imgtec.com\u003e\nCc: linux-metag@vger.kernel.org\nCc: \u003cstable@vger.kernel.org\u003e # 3.9.x-\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\npowerpc/iommu: Remove the dependency on EEH struct in DDW mechanism\n\n[ Upstream commit 8445a87f7092bc8336ea1305be9306f26b846d93 ]\n\nCommit 39baadbf36ce (\"powerpc/eeh: Remove eeh information from pci_dn\")\nchanged the pci_dn struct by removing its EEH-related members.\nAs part of this clean-up, DDW mechanism was modified to read the device\nconfiguration address from eeh_dev struct.\n\nAs a consequence, now if we disable EEH mechanism on kernel command-line\nfor example, the DDW mechanism will fail, generating a kernel oops by\ndereferencing a NULL pointer (which turns to be the eeh_dev pointer).\n\nThis patch just changes the configuration address calculation on DDW\nfunctions to a manual calculation based on pci_dn members instead of\nusing eeh_dev-based address.\n\nNo functional changes were made. This was tested on pSeries, both\nin PHyp and qemu guest.\n\nFixes: 39baadbf36ce (\"powerpc/eeh: Remove eeh information from pci_dn\")\nCc: stable@vger.kernel.org # v3.4+\nReviewed-by: Gavin Shan \u003cgwshan@linux.vnet.ibm.com\u003e\nSigned-off-by: Guilherme G. Piccoli \u003cgpiccoli@linux.vnet.ibm.com\u003e\nSigned-off-by: Michael Ellerman \u003cmpe@ellerman.id.au\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\npowerpc/pseries: Fix PCI config address for DDW\n\n[ Upstream commit 8a934efe94347eee843aeea65bdec8077a79e259 ]\n\nIn commit 8445a87f7092 \"powerpc/iommu: Remove the dependency on EEH\nstruct in DDW mechanism\", the PE address was replaced with the PCI\nconfig address in order to remove dependency on EEH. According to PAPR\nspec, firmware (pHyp or QEMU) should accept \"xxBBSSxx\" format PCI config\naddress, not \"xxxxBBSS\" provided by the patch. Note that \"BB\" is PCI bus\nnumber and \"SS\" is the combination of slot and function number.\n\nThis fixes the PCI address passed to DDW RTAS calls.\n\nFixes: 8445a87f7092 (\"powerpc/iommu: Remove the dependency on EEH struct in DDW mechanism\")\nCc: stable@vger.kernel.org # v3.4+\nReported-by: Guilherme G. Piccoli \u003cgpiccoli@linux.vnet.ibm.com\u003e\nSigned-off-by: Gavin Shan \u003cgwshan@linux.vnet.ibm.com\u003e\nTested-by: Guilherme G. Piccoli \u003cgpiccoli@linux.vnet.ibm.com\u003e\nSigned-off-by: Michael Ellerman \u003cmpe@ellerman.id.au\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nposix_acl: Add set_posix_acl\n\n[ Upstream commit 485e71e8fb6356c08c7fc6bcce4bf02c9a9a663f ]\n\nFactor out part of posix_acl_xattr_set into a common function that takes\na posix_acl, which nfsd can also call.\n\nThe prototype already exists in include/linux/posix_acl.h.\n\nSigned-off-by: Andreas Gruenbacher \u003cagruenba@redhat.com\u003e\nCc: stable@vger.kernel.org\nCc: Christoph Hellwig \u003chch@infradead.org\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: J. Bruce Fields \u003cbfields@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nnfsd: check permissions when setting ACLs\n\n[ Upstream commit 999653786df6954a31044528ac3f7a5dadca08f4 ]\n\nUse set_posix_acl, which includes proper permission checks, instead of\ncalling -\u003eset_acl directly.  Without this anyone may be able to grant\nthemselves permissions to a file by setting the ACL.\n\nLock the inode to make the new checks atomic with respect to set_acl.\n(Also, nfsd was the only caller of set_acl not locking the inode, so I\nsuspect this may fix other races.)\n\nThis also simplifies the code, and ensures our ACLs are checked by\nposix_acl_valid.\n\nThe permission checks and the inode locking were lost with commit\n4ac7249e, which changed nfsd to use the set_acl inode operation directly\ninstead of going through xattr handlers.\n\nReported-by: David Sinquin \u003cdavid@sinquin.eu\u003e\n[agreunba@redhat.com: use set_posix_acl]\nFixes: 4ac7249e\nCc: Christoph Hellwig \u003chch@infradead.org\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: J. Bruce Fields \u003cbfields@redhat.com\u003e\n\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nperf/x86: Fix undefined shift on 32-bit kernels\n\n[ Upstream commit 6d6f2833bfbf296101f9f085e10488aef2601ba5 ]\n\nJim reported:\n\n\tUBSAN: Undefined behaviour in arch/x86/events/intel/core.c:3708:12\n\tshift exponent 35 is too large for 32-bit type \u0027long unsigned int\u0027\n\nThe use of \u0027unsigned long\u0027 type obviously is not correct here, make it\n\u0027unsigned long long\u0027 instead.\n\nReported-by: Jim Cromie \u003cjim.cromie@gmail.com\u003e\nSigned-off-by: Andrey Ryabinin \u003caryabinin@virtuozzo.com\u003e\nSigned-off-by: Peter Zijlstra (Intel) \u003cpeterz@infradead.org\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nCc: Alexander Shishkin \u003calexander.shishkin@linux.intel.com\u003e\nCc: Arnaldo Carvalho de Melo \u003cacme@redhat.com\u003e\nCc: H. Peter Anvin \u003chpa@zytor.com\u003e\nCc: Imre Palik \u003cimrep@amazon.de\u003e\nCc: Jiri Olsa \u003cjolsa@redhat.com\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Stephane Eranian \u003ceranian@google.com\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Vince Weaver \u003cvincent.weaver@maine.edu\u003e\nFixes: 2c33645d366d (\"perf/x86: Honor the architectural performance monitoring version\")\nLink: http://lkml.kernel.org/r/1462974711-10037-1-git-send-email-aryabinin@virtuozzo.com\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nLinux 3.18.40\n\nSigned-off-by: Sasha Levin \u003calexander.levin@verizon.com\u003e\n\nRevert \"ext4: validate s_reserved_gdt_blocks on mount\"\ncauses issues booting for some reason\nThis reverts commit 03ed47b72a63d0eb2d1d702fdcade70cef0f7e76.\n\nfixed build errors that came from bad conflict resolution seems to work on my v20 us996\n\nChange-Id: I3426ae9faee30bfffd9efa9d679132a8fb459241\n","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_kernel_lge_msm8996/commit/91cf15b87c48ba78ff12e842cc0cd8c0dc338a60"}],"resolve_conflicts_web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_kernel_lge_msm8996/commit/91cf15b87c48ba78ff12e842cc0cd8c0dc338a60"}]},"branch":"refs/heads/cm-14.1"}},"requirements":[],"submit_records":[],"submit_requirements":[]}