commit d379ab2707cfa16e774e2698ff5e32a1f7b243b8
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Sun Mar 12 06:42:15 2017 +0100

    Linux 4.9.14

commit 371d0342a39710e45e6f7c316ca7786b3e34d90f
Author: Florian Westphal <fw@strlen.de>
Date:   Wed Jan 18 02:01:22 2017 +0100

    netfilter: conntrack: refine gc worker heuristics, redux
    
    commit e5072053b09642b8ff417d47da05b84720aea3ee upstream.
    
    This further refines the changes made to conntrack gc_worker in
    commit e0df8cae6c16 ("netfilter: conntrack: refine gc worker heuristics").
    
    The main idea of that change was to reduce the scan interval when evictions
    take place.
    
    However, on the reporters' setup, there are 1-2 million conntrack entries
    in total and roughly 8k new (and closing) connections per second.
    
    In this case we'll always evict at least one entry per gc cycle and scan
    interval is always at 1 jiffy because of this test:
    
     } else if (expired_count) {
         gc_work->next_gc_run /= 2U;
         next_run = msecs_to_jiffies(1);
    
    being true almost all the time.
    
    Given we scan ~10k entries per run its clearly wrong to reduce interval
    based on nonzero eviction count, it will only waste cpu cycles since a vast
    majorities of conntracks are not timed out.
    
    Thus only look at the ratio (scanned entries vs. evicted entries) to make
    a decision on whether to reduce or not.
    
    Because evictor is supposed to only kick in when system turns idle after
    a busy period, pick a high ratio -- this makes it 50%.  We thus keep
    the idea of increasing scan rate when its likely that table contains many
    expired entries.
    
    In order to not let timed-out entries hang around for too long
    (important when using event logging, in which case we want to timely
    destroy events), we now scan the full table within at most
    GC_MAX_SCAN_JIFFIES (16 seconds) even in worst-case scenario where all
    timed-out entries sit in same slot.
    
    I tested this with a vm under synflood (with
    sysctl net.netfilter.nf_conntrack_tcp_timeout_syn_recv=3).
    
    While flood is ongoing, interval now stays at its max rate
    (GC_MAX_SCAN_JIFFIES / GC_MAX_BUCKETS_DIV -> 125ms).
    
    With feedback from Nicolas Dichtel.
    
    Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
    Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Fixes: b87a2f9199ea82eaadc ("netfilter: conntrack: add gc worker to remove timed-out entries")
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Tested-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Tested-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5f7ff59d067e1888fec91fccefdd84f3987b605e
Author: Florian Westphal <fw@strlen.de>
Date:   Mon Jan 16 18:24:56 2017 +0100

    netfilter: conntrack: remove GC_MAX_EVICTS break
    
    commit 524b698db06b9b6da7192e749f637904e2f62d7b upstream.
    
    Instead of breaking loop and instant resched, don't bother checking
    this in first place (the loop calls cond_resched for every bucket anyway).
    
    Suggested-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dc8470f3c831c93ffcda17612e8e58a73210b88b
Author: Yan, Zheng <zyan@redhat.com>
Date:   Thu Jan 19 11:21:29 2017 +0800

    ceph: update readpages osd request according to size of pages
    
    commit d641df819db8b80198fd85d9de91137e8a823b07 upstream.
    
    add_to_page_cache_lru() can fails, so the actual pages to read
    can be smaller than the initial size of osd request. We need to
    update osd request size in that case.
    
    Signed-off-by: Yan, Zheng <zyan@redhat.com>
    Reviewed-by: Jeff Layton <jlayton@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 27ab5414b980b19ba127cb518546d628f40bd3dc
Author: James Smart <jsmart2021@gmail.com>
Date:   Sun Feb 12 13:52:25 2017 -0800

    scsi: lpfc: Correct WQ creation for pagesize
    
    commit 8ea73db486cda442f0671f4bc9c03a76be398a28 upstream.
    
    Correct WQ creation for pagesize
    
    The driver was calculating the adapter command pagesize indicator from
    the system pagesize. However, the buffers the driver allocates are only
    one size (SLI4_PAGE_SIZE), so no calculation was necessary.
    
    Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
    Signed-off-by: James Smart <james.smart@broadcom.com>
    Reviewed-by: Hannes Reinecke <hare@suse.com>
    Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Cc: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit aae02d1aafe7c1989a3f10ff1f6ca5eed855426e
Author: Ralf Baechle <ralf@linux-mips.org>
Date:   Thu Dec 15 12:39:22 2016 +0100

    MIPS: IP22: Fix build error due to binutils 2.25 uselessnes.
    
    commit ae2f5e5ed04a17c1aa1f0a3714c725e12c21d2a9 upstream.
    
    Fix the following build error with binutils 2.25.
    
      CC      arch/mips/mm/sc-ip22.o
    {standard input}: Assembler messages:
    {standard input}:132: Error: number (0x9000000080000000) larger than 32 bits
    {standard input}:159: Error: number (0x9000000080000000) larger than 32 bits
    {standard input}:200: Error: number (0x9000000080000000) larger than 32 bits
    scripts/Makefile.build:293: recipe for target 'arch/mips/mm/sc-ip22.o' failed
    make[1]: *** [arch/mips/mm/sc-ip22.o] Error 1
    
    MIPS has used .set mips3 to temporarily switch the assembler to 64 bit
    mode in 64 bit kernels virtually forever.  Binutils 2.25 broke this
    behavious partially by happily accepting 64 bit instructions in .set mips3
    mode but puking on 64 bit constants when generating 32 bit ELF.  Binutils
    2.26 restored the old behaviour again.
    
    Fix build with binutils 2.25 by open coding the offending
    
            dli $1, 0x9000000080000000
    
    as
    
            li      $1, 0x9000
            dsll    $1, $1, 48
    
    which is ugly be the only thing that will build on all binutils vintages.
    
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8a2307c7c0189a63810c23260be1f76346ad949a
Author: Ralf Baechle <ralf@linux-mips.org>
Date:   Thu Dec 15 12:27:21 2016 +0100

    MIPS: IP22: Reformat inline assembler code to modern standards.
    
    commit f9f1c8db1c37253805eaa32265e1e1af3ae7d0a4 upstream.
    
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 075be78c83989ba4e51ab05121bcb8f8b9c6ef6e
Author: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Date:   Wed Feb 22 10:42:02 2017 +0530

    powerpc/mm/hash: Always clear UPRT and Host Radix bits when setting up CPU
    
    commit fda2d27db6eae5c2468f9e4657539b72bbc238bb upstream.
    
    We will set LPCR with correct value for radix during int. This make sure we
    start with a sanitized value of LPCR. In case of kexec, cpus can have LPCR
    value based on the previous translation mode we were running.
    
    Fixes: fe036a0605d60 ("powerpc/64/kexec: Fix MMU cleanup on radix")
    Acked-by: Michael Neuling <mikey@neuling.org>
    Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3552f917154a3472d3095988f98289ebdda5a8d3
Author: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Date:   Tue Feb 7 00:09:27 2017 +0530

    powerpc/mm: Add MMU_FTR_KERNEL_RO to possible feature mask
    
    commit a5ecdad4847897007399d7a14c9109b65ce4c9b7 upstream.
    
    Without this we will always find the feature disabled.
    
    Fixes: 984d7a1ec6 ("powerpc/mm: Fixup kernel read only mapping")
    Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
    Acked-by: Balbir Singh <bsingharora@gmail.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fccb22e7d5df9b899228eb651747265202e5a321
Author: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
Date:   Tue Nov 22 14:55:59 2016 +0530

    powerpc/xmon: Fix data-breakpoint
    
    commit c21a493a2b44650707d06741601894329486f2ad upstream.
    
    Currently xmon data-breakpoint feature is broken.
    
    Whenever there is a watchpoint match occurs, hw_breakpoint_handler will
    be called by do_break via notifier chains mechanism. If watchpoint is
    registered by xmon, hw_breakpoint_handler won't find any associated
    perf_event and returns immediately with NOTIFY_STOP. Similarly, do_break
    also returns without notifying to xmon.
    
    Solve this by returning NOTIFY_DONE when hw_breakpoint_handler does not
    find any perf_event associated with matched watchpoint, rather than
    NOTIFY_STOP, which tells the core code to continue calling the other
    breakpoint handlers including the xmon one.
    
    Signed-off-by: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 86840a6305149ce9b466f3a841cffdb3c0fd2608
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Wed Feb 8 17:00:10 2017 -0500

    xprtrdma: Reduce required number of send SGEs
    
    commit 16f906d66cd76fb9895cbc628f447532a7ac1faa upstream.
    
    The MAX_SEND_SGES check introduced in commit 655fec6987be
    ("xprtrdma: Use gathered Send for large inline messages") fails
    for devices that have a small max_sge.
    
    Instead of checking for a large fixed maximum number of SGEs,
    check for a minimum small number. RPC-over-RDMA will switch to
    using a Read chunk if an xdr_buf has more pages than can fit in
    the device's max_sge limit. This is considerably better than
    failing all together to mount the server.
    
    This fix supports devices that have as few as three send SGEs
    available.
    
    Reported-by: Selvin Xavier <selvin.xavier@broadcom.com>
    Reported-by: Devesh Sharma <devesh.sharma@broadcom.com>
    Reported-by: Honggang Li <honli@redhat.com>
    Reported-by: Ram Amrani <Ram.Amrani@cavium.com>
    Fixes: 655fec6987be ("xprtrdma: Use gathered Send for large ...")
    Tested-by: Honggang Li <honli@redhat.com>
    Tested-by: Ram Amrani <Ram.Amrani@cavium.com>
    Tested-by: Steve Wise <swise@opengridcomputing.com>
    Reviewed-by: Parav Pandit <parav@mellanox.com>
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 73eea1c4000fd73c138dbf8826bc6e1fa901ae9b
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Wed Feb 8 17:00:02 2017 -0500

    xprtrdma: Disable pad optimization by default
    
    commit c95a3c6b88658bcb8f77f85f31a0b9d9036e8016 upstream.
    
    Commit d5440e27d3e5 ("xprtrdma: Enable pad optimization") made the
    Linux client omit XDR round-up padding in normal Read and Write
    chunks so that the client doesn't have to register and invalidate
    3-byte memory regions that contain no real data.
    
    Unfortunately, my cheery 2014 assessment that this optimization "is
    supported now by both Linux and Solaris servers" was premature.
    We've found bugs in Solaris in this area since commit d5440e27d3e5
    ("xprtrdma: Enable pad optimization") was merged (SYMLINK is the
    main offender).
    
    So for maximum interoperability, I'm disabling this optimization
    again. If a CM private message is exchanged when connecting, the
    client recognizes that the server is Linux, and enables the
    optimization for that connection.
    
    Until now the Solaris server bugs did not impact common operations,
    and were thus largely benign. Soon, less capable devices on Linux
    NFS/RDMA clients will make use of Read chunks more often, and these
    Solaris bugs will prevent interoperation in more cases.
    
    Fixes: 677eb17e94ed ("xprtrdma: Fix XDR tail buffer marshalling")
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fab6c2caa48f892c4f3446aea9e253ca8a6187a6
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Wed Feb 8 16:59:54 2017 -0500

    xprtrdma: Per-connection pad optimization
    
    commit b5f0afbea4f2ea52c613ac2b06cb6de2ea18cb6d upstream.
    
    Pad optimization is changed by echoing into
    /proc/sys/sunrpc/rdma_pad_optimize. This is a global setting,
    affecting all RPC-over-RDMA connections to all servers.
    
    The marshaling code picks up that value and uses it for decisions
    about how to construct each RPC-over-RDMA frame. Having it change
    suddenly in mid-operation can result in unexpected failures. And
    some servers a client mounts might need chunk round-up, while
    others don't.
    
    So instead, copy the pad_optimize setting into each connection's
    rpcrdma_ia when the transport is created, and use the copy, which
    can't change during the life of the connection, instead.
    
    This also removes a hack: rpcrdma_convert_iovs was using
    the remote-invalidation-expected flag to predict when it could leave
    out Write chunk padding. This is because the Linux server handles
    implicit XDR padding on Write chunks correctly, and only Linux
    servers can set the connection's remote-invalidation-expected flag.
    
    It's more sensible to use the pad optimization setting instead.
    
    Fixes: 677eb17e94ed ("xprtrdma: Fix XDR tail buffer marshalling")
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ec3bc2c5ed576c27e4c89a4fc1654755a0fe71bb
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Wed Feb 8 16:59:46 2017 -0500

    xprtrdma: Fix Read chunk padding
    
    commit 24abdf1be15c478e2821d6fc903a4a4440beff02 upstream.
    
    When pad optimization is disabled, rpcrdma_convert_iovs still
    does not add explicit XDR round-up padding to a Read chunk.
    
    Commit 677eb17e94ed ("xprtrdma: Fix XDR tail buffer marshalling")
    incorrectly short-circuited the test for whether round-up padding
    is needed that appears later in rpcrdma_convert_iovs.
    
    However, if this is indeed a regular Read chunk (and not a
    Position-Zero Read chunk), the tail iovec _always_ contains the
    chunk's padding, and never anything else.
    
    So, it's easy to just skip the tail when padding optimization is
    enabled, and add the tail in a subsequent Read chunk segment, if
    disabled.
    
    Fixes: 677eb17e94ed ("xprtrdma: Fix XDR tail buffer marshalling")
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 788d81d4e5d43ffc2dbcd4513dfec2808f5ff616
Author: Magnus Lilja <lilja.magnus@gmail.com>
Date:   Wed Dec 21 22:13:58 2016 +0100

    dmaengine: ipu: Make sure the interrupt routine checks all interrupts.
    
    commit adee40b265d7568296e218f079f478197ffa15bf upstream.
    
    Commit 3d8cc00073d6 ("dmaengine: ipu: Consolidate duplicated irq handlers")
    consolidated the two interrupts routines into one, but the remaining
    interrupt routine only checks the status of the error interrupts, not the
    normal interrupts.
    
    This patch fixes that problem (tested on i.MX31 PDK board).
    
    Fixes: 3d8cc00073d6 ("dmaengine: ipu: Consolidate duplicated irq handlers")
    Cc: Vinod Koul <vinod.koul@intel.com>
    Signed-off-by: Magnus Lilja <lilja.magnus@gmail.com>
    Signed-off-by: Vinod Koul <vinod.koul@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9d82393e658cf7010b90a79d7c065e1766e5480c
Author: Mark Marshall <mark.marshall@omicronenergy.com>
Date:   Thu Jan 26 16:18:27 2017 +0100

    mtd: nand: ifc: Fix location of eccstat registers for IFC V1.0
    
    commit 656441478ed55d960df5f3ccdf5a0f8c61dfd0b3 upstream.
    
    The commit 7a654172161c ("mtd/ifc: Add support for IFC controller
    version 2.0") added support for version 2.0 of the IFC controller.
    The version 2.0 controller has the ECC status registers at a different
    location to the previous versions.
    
    Correct the fsl_ifc_nand structure so that the ECC status can be read
    from the correct location for both version 1.0 and 2.0 of the controller.
    
    Fixes: 7a654172161c ("mtd/ifc: Add support for IFC controller version 2.0")
    Signed-off-by: Mark Marshall <mark.marshall@omicronenergy.com>
    Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 178d07a0b8c4dc1f6e8a924f04231a5cf9cf86d1
Author: Rafał Miłecki <rafal@milecki.pl>
Date:   Sat Jan 28 14:31:22 2017 +0100

    bcma: use (get|put)_device when probing/removing device driver
    
    commit a971df0b9d04674e325346c17de9a895425ca5e1 upstream.
    
    This allows tracking device state and e.g. makes devm work as expected.
    
    Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6f9c02ab9d0d5aefa15953ad3d55912e3a7abb57
Author: colyli@suse.de <colyli@suse.de>
Date:   Sat Jan 28 21:11:49 2017 +0800

    md linear: fix a race between linear_add() and linear_congested()
    
    commit 03a9e24ef2aaa5f1f9837356aed79c860521407a upstream.
    
    Recently I receive a bug report that on Linux v3.0 based kerenl, hot add
    disk to a md linear device causes kernel crash at linear_congested(). From
    the crash image analysis, I find in linear_congested(), mddev->raid_disks
    contains value N, but conf->disks[] only has N-1 pointers available. Then
    a NULL pointer deference crashes the kernel.
    
    There is a race between linear_add() and linear_congested(), RCU stuffs
    used in these two functions cannot avoid the race. Since Linuv v4.0
    RCU code is replaced by introducing mddev_suspend().  After checking the
    upstream code, it seems linear_congested() is not called in
    generic_make_request() code patch, so mddev_suspend() cannot provent it
    from being called. The possible race still exists.
    
    Here I explain how the race still exists in current code.  For a machine
    has many CPUs, on one CPU, linear_add() is called to add a hard disk to a
    md linear device; at the same time on other CPU, linear_congested() is
    called to detect whether this md linear device is congested before issuing
    an I/O request onto it.
    
    Now I use a possible code execution time sequence to demo how the possible
    race happens,
    
    seq    linear_add()                linear_congested()
     0                                 conf=mddev->private
     1   oldconf=mddev->private
     2   mddev->raid_disks++
     3                              for (i=0; i<mddev->raid_disks;i++)
     4                                bdev_get_queue(conf->disks[i].rdev->bdev)
     5   mddev->private=newconf
    
    In linear_add() mddev->raid_disks is increased in time seq 2, and on
    another CPU in linear_congested() the for-loop iterates conf->disks[i] by
    the increased mddev->raid_disks in time seq 3,4. But conf with one more
    element (which is a pointer to struct dev_info type) to conf->disks[] is
    not updated yet, accessing its structure member in time seq 4 will cause a
    NULL pointer deference fault.
    
    To fix this race, there are 2 parts of modification in the patch,
     1) Add 'int raid_disks' in struct linear_conf, as a copy of
        mddev->raid_disks. It is initialized in linear_conf(), always being
        consistent with pointers number of 'struct dev_info disks[]'. When
        iterating conf->disks[] in linear_congested(), use conf->raid_disks to
        replace mddev->raid_disks in the for-loop, then NULL pointer deference
        will not happen again.
     2) RCU stuffs are back again, and use kfree_rcu() in linear_add() to
        free oldconf memory. Because oldconf may be referenced as mddev->private
        in linear_congested(), kfree_rcu() makes sure that its memory will not
        be released until no one uses it any more.
    Also some code comments are added in this patch, to make this modification
    to be easier understandable.
    
    This patch can be applied for kernels since v4.0 after commit:
    3be260cc18f8 ("md/linear: remove rcu protections in favour of
    suspend/resume"). But this bug is reported on Linux v3.0 based kernel, for
    people who maintain kernels before Linux v4.0, they need to do some back
    back port to this patch.
    
    Changelog:
     - V3: add 'int raid_disks' in struct linear_conf, and use kfree_rcu() to
           replace rcu_call() in linear_add().
     - v2: add RCU stuffs by suggestion from Shaohua and Neil.
     - v1: initial effort.
    
    Signed-off-by: Coly Li <colyli@suse.de>
    Cc: Shaohua Li <shli@fb.com>
    Cc: Neil Brown <neilb@suse.com>
    Signed-off-by: Shaohua Li <shli@fb.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit de2aa5b3ee76e97dc3cea33cbd3d1bd443fda7a0
Author: Maxime Ripard <maxime.ripard@free-electrons.com>
Date:   Mon Jan 23 11:41:48 2017 +0100

    rtc: sun6i: Switch to the external oscillator
    
    commit fb61bb82cb46a932ef2fc62e1c731c8e7e6640d5 upstream.
    
    The RTC is clocked from either an internal, imprecise, oscillator or an
    external one, which is usually much more accurate.
    
    The difference perceived between the time elapsed and the time reported by
    the RTC is in a 10% scale, which prevents the RTC from being useful at all.
    
    Fortunately, the external oscillator is reported to be mandatory in the
    Allwinner datasheet, so we can just switch to it.
    
    Fixes: 9765d2d94309 ("rtc: sun6i: Add sun6i RTC driver")
    Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6aae7ffa33072e6d3a208039ac015c1a0fb51e37
Author: Maxime Ripard <maxime.ripard@free-electrons.com>
Date:   Mon Jan 23 11:41:47 2017 +0100

    rtc: sun6i: Add some locking
    
    commit a9422a19ce270a22fc520f2278fb7e80c58be508 upstream.
    
    Some registers have a read-modify-write access pattern that are not atomic.
    
    Add some locking to prevent from concurrent accesses.
    
    Acked-by: Chen-Yu Tsai <wens@csie.org>
    Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 616f5ef61338a53e997eebbe2c13b21c40df9b86
Author: Maxime Ripard <maxime.ripard@free-electrons.com>
Date:   Mon Jan 23 11:41:46 2017 +0100

    rtc: sun6i: Disable the build as a module
    
    commit 3753941475ae6501dcd1e41832bd0e6c35247d6a upstream.
    
    Since we have to provide the clock very early on, the RTC driver cannot be
    built as a module. Make sure that won't happen.
    
    Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8c53efc399565ef4be8945c9bf45c94153699221
Author: Jaegeuk Kim <jaegeuk@kernel.org>
Date:   Mon Feb 27 11:57:11 2017 -0800

    f2fs: avoid to issue redundant discard commands
    
    commit 8b107f5b97772c7c0c218302e9a4d15b4edf50b4 upstream.
    
    If segs_per_sec is over 1 like under SMR, previously f2fs issues discard
    commands redundantly on the same section, since we didn't move end position
    for the previous discard command.
    
    E.g.,
    
                           start  end
                             |    |
          prefree_bitmap = [01111100111100]
    
    And, after issue discard for this section,
                                 end      start
                                  |        |
          prefree_bitmap = [01111100111100]
    
    Select this section again by searching from (end + 1),
                                 start  end
                                    |   |
          prefree_bitmap = [01111100111100]
    
    Fixes: 36abef4e796d38 ("f2fs: introduce mode=lfs mount option")
    Cc: Damien Le Moal <damien.lemoal@wdc.com>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4992ba2840bd40a85887a1a0e5d69f688f58f9dd
Author: Hou Pengyang <houpengyang@huawei.com>
Date:   Thu Feb 16 12:34:31 2017 +0000

    f2fs: add ovp valid_blocks check for bg gc victim to fg_gc
    
    commit e93b9865251a0503d83fd570e7d5a7c8bc351715 upstream.
    
    For foreground gc, greedy algorithm should be adapted, which makes
    this formula work well:
    
            (2 * (100 / config.overprovision + 1) + 6)
    
    But currently, we fg_gc have a prior to select bg_gc victim segments to gc
    first, these victims are selected by cost-benefit algorithm, we can't guarantee
    such segments have the small valid blocks, which may destroy the f2fs rule, on
    the worstest case, would consume all the free segments.
    
    This patch fix this by add a filter in check_bg_victims, if segment's has # of
    valid blocks over overprovision ratio, skip such segments.
    
    Signed-off-by: Hou Pengyang <houpengyang@huawei.com>
    Reviewed-by: Chao Yu <yuchao0@huawei.com>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d00d1b71d98468ad6fbee590705c27fc1241f96e
Author: Jaegeuk Kim <jaegeuk@kernel.org>
Date:   Tue Feb 14 09:54:37 2017 -0800

    f2fs: fix multiple f2fs_add_link() calls having same name
    
    commit 88c5c13a5027b36d914536fdba23f069d7067204 upstream.
    
    It turns out a stakable filesystem like sdcardfs in AOSP can trigger multiple
    vfs_create() to lower filesystem. In that case, f2fs will add multiple dentries
    having same name which breaks filesystem consistency.
    
    Until upper layer fixes, let's work around by f2fs, which shows actually not
    much performance regression.
    
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ec160ad2acaad4a7de6eab7338ef5e3b2b19f907
Author: Yunlei He <heyunlei@huawei.com>
Date:   Mon Dec 19 20:10:48 2016 +0800

    f2fs: fix a problem of using memory after free
    
    commit 7855eba4d6102f811b6dd142d6c749f53b591fa3 upstream.
    
    This patch fix a problem of using memory after free
    in function __try_merge_extent_node.
    
    Fixes: 0f825ee6e873 ("f2fs: add new interfaces for extent tree")
    Signed-off-by: Yunlei He <heyunlei@huawei.com>
    Reviewed-by: Chao Yu <yuchao0@huawei.com>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d78f93384da1e21825144fdfac5dc0bc18db21bd
Author: Weston Andros Adamson <dros@primarydata.com>
Date:   Thu Feb 23 14:54:21 2017 -0500

    NFSv4: fix getacl ERANGE for some ACL buffer sizes
    
    commit ed92d8c137b7794c2c2aa14479298b9885967607 upstream.
    
    We're not taking into account that the space needed for the (variable
    length) attr bitmap, with the result that we'd sometimes get a spurious
    ERANGE when the ACL data got close to the end of a page.
    
    Just add in an extra page to make sure.
    
    Signed-off-by: Weston Andros Adamson <dros@primarydata.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3f22cc6f5ca335de95a49e9a217efaf1034e26ae
Author: J. Bruce Fields <bfields@redhat.com>
Date:   Thu Feb 23 14:53:39 2017 -0500

    NFSv4: fix getacl head length estimation
    
    commit 6682c14bbe505a8b912c57faf544f866777ee48d upstream.
    
    Bitmap and attrlen follow immediately after the op reply header.  This
    was an oversight from commit bf118a342f.
    
    Consequences of this are just minor efficiency (extra calls to
    xdr_shrink_bufhead).
    
    Fixes: bf118a342f10 "NFSv4: include bitmap in nfsv4 get acl data"
    Reviewed-by: Kinglong Mee <kinglongmee@gmail.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c65db336d6c6f82e30e0bdb771517297db8e880e
Author: Trond Myklebust <trond.myklebust@primarydata.com>
Date:   Fri Feb 17 19:49:09 2017 -0500

    pNFS/flexfiles: If the layout is invalid, it must be updated before retrying
    
    commit df3ab232e462bce20710596d697ade6b72497694 upstream.
    
    If we see that our pNFS READ/WRITE/COMMIT operation failed, but we
    also see that our layout segment is no longer valid, then we need to
    get a new layout segment before retrying.
    
    Fixes: 90816d1ddacf ("NFSv4.1/flexfiles: Don't mark the entire deviceid...")
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 77bbc0c7712a43442e2637247eaa4f01f73f0eb8
Author: Trond Myklebust <trond.myklebust@primarydata.com>
Date:   Fri Feb 17 18:42:32 2017 -0500

    NFSv4: Fix reboot recovery in copy offload
    
    commit 9d8cacbf5636657d2cd0dda17438a56d806d3224 upstream.
    
    Copy offload code needs to be hooked into the code for handling
    NFS4ERR_BAD_STATEID by ensuring that we set the "stateid" field
    in struct nfs4_exception.
    
    Reported-by: Olga Kornievskaia <aglo@umich.edu>
    Fixes: 2e72448b07dc3 ("NFS: Add COPY nfs operation")
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0465339eb54953f0be1f03e980b07eeb01e16fca
Author: Trond Myklebust <trond.myklebust@primarydata.com>
Date:   Wed Feb 8 11:29:46 2017 -0500

    NFSv4: Fix memory and state leak in _nfs4_open_and_get_state
    
    commit a974deee477af89411e0f80456bfb344ac433c98 upstream.
    
    If we exit because the file access check failed, we currently
    leak the struct nfs4_state. We need to attach it to the
    open context before returning.
    
    Fixes: 3efb9722475e ("NFSv4: Refactor _nfs4_open_and_get_state..")
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a3c6cbc4eac4473ed5461d5faae2794d3e5c0e44
Author: Christoph Hellwig <hch@lst.de>
Date:   Mon Feb 20 07:21:33 2017 +0100

    nfsd: special case truncates some more
    
    commit 783112f7401ff449d979530209b3f6c2594fdb4e upstream.
    
    Both the NFS protocols and the Linux VFS use a setattr operation with a
    bitmap of attributes to set to set various file attributes including the
    file size and the uid/gid.
    
    The Linux syscalls never mix size updates with unrelated updates like
    the uid/gid, and some file systems like XFS and GFS2 rely on the fact
    that truncates don't update random other attributes, and many other file
    systems handle the case but do not update the other attributes in the
    same transaction.  NFSD on the other hand passes the attributes it gets
    on the wire more or less directly through to the VFS, leading to updates
    the file systems don't expect.  XFS at least has an assert on the
    allowed attributes, which caught an unusual NFS client setting the size
    and group at the same time.
    
    To handle this issue properly this splits the notify_change call in
    nfsd_setattr into two separate ones.
    
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Tested-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9bdd39c146fc4f7da1ceb91ac1ebe80e7f1a8d41
Author: Christoph Hellwig <hch@lst.de>
Date:   Mon Feb 20 17:04:42 2017 -0500

    nfsd: minor nfsd_setattr cleanup
    
    commit 758e99fefe1d9230111296956335cd35995c0eaf upstream.
    
    Simplify exit paths, size_change use.
    
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5af94e637fd8b2b89ea49bfd112b37137fbecb0e
Author: Stefano Babic <sbabic@denx.de>
Date:   Fri Jan 20 10:38:20 2017 -0500

    VME: restore bus_remove function causing incomplete module unload
    
    commit 9797484ba83d68f18fe1cbd964b7cd830f78f0f7 upstream.
    
    Commit 050c3d52cc7810d9d17b8cd231708609af6876ae ("vme: make core
    vme support explicitly non-modular") dropped the remove function
    because it appeared as if it was for removal of the bus, which is
    not supported.
    
    However, vme_bus_remove() is called when a VME device is removed
    from the bus and not when the bus is removed; as it calls the VME
    device driver's cleanup function.  Without this function, the
    remove() in the VME device driver is never called and VME device
    drivers cannot be reloaded again.
    
    Here we restore the remove function that was deleted in that
    commit, and the reference to the function in the bus structure.
    
    Fixes: 050c3d52cc78 ("vme: make core vme support explicitly non-modular")
    Cc: Manohar Vanga <manohar.vanga@gmail.com>
    Acked-by: Martyn Welch <martyn@welchs.me.uk>
    Cc: devel@driverdev.osuosl.org
    Signed-off-by: Stefano Babic <sbabic@denx.de>
    Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5ea52fac0d827452cd2887722580ab58fdbd2d7d
Author: Larry Finger <Larry.Finger@lwfinger.net>
Date:   Sun Feb 5 10:24:22 2017 -0600

    rtlwifi: rtl8192c-common: Fix "BUG: KASAN:
    
    commit 6773386f977ce5af339f9678fa2918909a946c6b upstream.
    
    Kernels built with CONFIG_KASAN=y report the following BUG for rtl8192cu
    and rtl8192c-common:
    
    ==================================================================
    BUG: KASAN: slab-out-of-bounds in rtl92c_dm_bt_coexist+0x858/0x1e40
         [rtl8192c_common] at addr ffff8801c90edb08
    Read of size 1 by task kworker/0:1/38
    page:ffffea0007243800 count:1 mapcount:0 mapping:          (null)
         index:0x0 compound_mapcount: 0
    flags: 0x8000000000004000(head)
    page dumped because: kasan: bad access detected
    CPU: 0 PID: 38 Comm: kworker/0:1 Not tainted 4.9.7-gentoo #3
    Hardware name: Gigabyte Technology Co., Ltd. To be filled by
         O.E.M./Z77-DS3H, BIOS F11a 11/13/2013
    Workqueue: rtl92c_usb rtl_watchdog_wq_callback [rtlwifi]
      0000000000000000 ffffffff829eea33 ffff8801d7f0fa30 ffff8801c90edb08
      ffffffff824c0f09 ffff8801d4abee80 0000000000000004 0000000000000297
      ffffffffc070b57c ffff8801c7aa7c48 ffff880100000004 ffffffff000003e8
    Call Trace:
      [<ffffffff829eea33>] ? dump_stack+0x5c/0x79
      [<ffffffff824c0f09>] ? kasan_report_error+0x4b9/0x4e0
      [<ffffffffc070b57c>] ? _usb_read_sync+0x15c/0x280 [rtl_usb]
      [<ffffffff824c0f75>] ? __asan_report_load1_noabort+0x45/0x50
      [<ffffffffc06d7a88>] ? rtl92c_dm_bt_coexist+0x858/0x1e40 [rtl8192c_common]
      [<ffffffffc06d7a88>] ? rtl92c_dm_bt_coexist+0x858/0x1e40 [rtl8192c_common]
      [<ffffffffc06d0cbe>] ? rtl92c_dm_rf_saving+0x96e/0x1330 [rtl8192c_common]
    ...
    
    The problem is due to rtl8192ce and rtl8192cu sharing routines, and having
    different layouts of struct rtl_pci_priv, which is used by rtl8192ce, and
    struct rtl_usb_priv, which is used by rtl8192cu. The problem was resolved
    by placing the struct bt_coexist_info at the head of each of those private
    areas.
    
    Reported-and-tested-by: Dmitry Osipenko <digetx@gmail.com>
    Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
    Cc: Dmitry Osipenko <digetx@gmail.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d56dd01bc291962f5fb4b53f6ed6de852af0a0e3
Author: Ping-Ke Shih <pkshih@realtek.com>
Date:   Wed Dec 28 15:40:04 2016 -0600

    rtlwifi: Fix alignment issues
    
    commit 40b368af4b750863b2cb66a3a9513241db2f0793 upstream.
    
    The addresses of Wlan NIC registers are natural alignment, but some
    drivers have bugs. These are evident on platforms that need natural
    alignment to access registers.  This change contains the following:
     1. Function _rtl8821ae_dbi_read() is used to read one byte from DBI,
        thus it should use rtl_read_byte().
     2. Register 0x4C7 of 8192ee is single byte.
    
    Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
    Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 24d77f99a7b74b4b68682d54ee79992b8aed7421
Author: Bjorn Andersson <bjorn.andersson@linaro.org>
Date:   Fri Jan 27 02:06:36 2017 -0800

    remoteproc: qcom: mdt_loader: Don't overwrite firmware object
    
    commit 3e8b571a9a0881ba3381ca0915995696da145ab8 upstream.
    
    The "fw" firmware object is passed from the remoteproc core and should
    not be overwritten, as that results in leaked buffers and a double free
    of the the last firmware object.
    
    Fixes: 051fb70fd4ea ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5")
    Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4cf918c804c657c3a8b9cd4bb46171315bdfad62
Author: Andrew Price <anprice@redhat.com>
Date:   Wed Feb 22 12:05:03 2017 -0500

    gfs2: Add missing rcu locking for glock lookup
    
    commit f38e5fb95a1f8feda88531eedc98f69b24748712 upstream.
    
    We must hold the rcu read lock across looking up glocks and trying to
    bump their refcount to prevent the glocks from being freed in between.
    
    Signed-off-by: Andrew Price <anprice@redhat.com>
    Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
    Signed-off-by: Bob Peterson <rpeterso@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c8cdd9234caced510db1a03491af475938f9855a
Author: Steve Wise <swise@opengridcomputing.com>
Date:   Tue Feb 21 11:21:57 2017 -0800

    rdma_cm: fail iwarp accepts w/o connection params
    
    commit f2625f7db4dd0bbd16a9c7d2950e7621f9aa57ad upstream.
    
    cma_accept_iw() needs to return an error if conn_params is NULL.
    Since this is coming from user space, we can crash.
    
    Reported-by: Shaobo He <shaobo@cs.utah.edu>
    Acked-by: Sean Hefty <sean.hefty@intel.com>
    Signed-off-by: Steve Wise <swise@opengridcomputing.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 50fc62d5eeb3392f11161637b5ed4e0d340fed74
Author: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Date:   Thu Dec 22 18:07:52 2016 -0700

    RDMA/core: Fix incorrect structure packing for booleans
    
    commit 55efcfcd7776165b294f8b5cd6e05ca00ec89b7c upstream.
    
    The RDMA core uses ib_pack() to convert from unpacked CPU structs
    to on-the-wire bitpacked structs.
    
    This process requires that 1 bit fields are declared as u8 in the
    unpacked struct, otherwise the packing process does not read the
    value properly and the packed result is wired to 0. Several
    places wrongly used int.
    
    Crucially this means the kernel has never, set reversible
    correctly in the path record request. It has always asked for
    irreversible paths even if the ULP requests otherwise.
    
    When the kernel is used with a SM that supports this feature, it
    completely breaks communication management if reversible paths are
    not properly requested.
    
    The only reason this ever worked is because opensm ignores the
    reversible bit.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fbff994b8a464cd5de50fbb2e0b8341becb70336
Author: K. Y. Srinivasan <kys@microsoft.com>
Date:   Thu Dec 22 16:54:03 2016 -0800

    Drivers: hv: util: Backup: Fix a rescind processing issue
    
    commit d77044d142e960f7b5f814a91ecb8bcf86aa552c upstream.
    
    VSS may use a char device to support the communication between
    the user level daemon and the driver. When the VSS channel is rescinded
    we need to make sure that the char device is fully cleaned up before
    we can process a new VSS offer from the host. Implement this logic.
    
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4db47d9bf99d8bc3acaa9fd4b6437ea856a2f037
Author: K. Y. Srinivasan <kys@microsoft.com>
Date:   Thu Dec 22 16:54:02 2016 -0800

    Drivers: hv: util: Fcopy: Fix a rescind processing issue
    
    commit 20951c7535b5e6af46bc37b7142105f716df739c upstream.
    
    Fcopy may use a char device to support the communication between
    the user level daemon and the driver. When the Fcopy channel is rescinded
    we need to make sure that the char device is fully cleaned up before
    we can process a new Fcopy offer from the host. Implement this logic.
    
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d4d5b507c6427b417f4ff5411649e55af4447c84
Author: K. Y. Srinivasan <kys@microsoft.com>
Date:   Thu Dec 22 16:54:01 2016 -0800

    Drivers: hv: util: kvp: Fix a rescind processing issue
    
    commit 5a66fecbf6aa528e375cbebccb1061cc58d80c84 upstream.
    
    KVP may use a char device to support the communication between
    the user level daemon and the driver. When the KVP channel is rescinded
    we need to make sure that the char device is fully cleaned up before
    we can process a new KVP offer from the host. Implement this logic.
    
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 728fe696fd3ee551c24e02e7826dd9bdb89f1d47
Author: K. Y. Srinivasan <kys@microsoft.com>
Date:   Thu Dec 22 16:54:00 2016 -0800

    Drivers: hv: vmbus: Fix a rescind handling bug
    
    commit ccb61f8a99e6c29df4fb96a65dad4fad740d5be9 upstream.
    
    The host can rescind a channel that has been offered to the
    guest and once the channel is rescinded, the host does not
    respond to any requests on that channel. Deal with the case where
    the guest may be blocked waiting for a response from the host.
    
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e44eab51e74c59a0b01c1fce2159c82b3c8a31b0
Author: K. Y. Srinivasan <kys@microsoft.com>
Date:   Wed Dec 7 01:16:28 2016 -0800

    Drivers: hv: vmbus: Prevent sending data on a rescinded channel
    
    commit e7e97dd8b77ee7366f2f8c70a033bf5fa05ec2e0 upstream.
    
    After the channel is rescinded, the host does not read from the rescinded channel.
    Fail writes to a channel that has already been rescinded. If we permit writes on a
    rescinded channel, since the host will not respond we will have situations where
    we will be unable to unload vmbus drivers that cannot have any outstanding requests
    to the host at the point they are unoaded.
    
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 664f72a17f2c072175a0083388f315f811ff1acb
Author: Vitaly Kuznetsov <vkuznets@redhat.com>
Date:   Wed Dec 7 01:16:27 2016 -0800

    hv: don't reset hv_context.tsc_page on crash
    
    commit 56ef6718a1d8d77745033c5291e025ce18504159 upstream.
    
    It may happen that secondary CPUs are still alive and resetting
    hv_context.tsc_page will cause a consequent crash in read_hv_clock_tsc()
    as we don't check for it being not NULL there. It is safe as we're not
    freeing this page anyways.
    
    Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6e936b06795ae5dcb5248e0c4344d8303de4c2db
Author: Vitaly Kuznetsov <vkuznets@redhat.com>
Date:   Wed Dec 7 01:16:26 2016 -0800

    hv: init percpu_list in hv_synic_alloc()
    
    commit 3c7630d35009e6635e5b58d62de554fd5b6db5df upstream.
    
    Initializing hv_context.percpu_list in hv_synic_alloc() helps to prevent a
    crash in percpu_channel_enq() when not all CPUs were online during
    initialization and it naturally belongs there.
    
    Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 879dc37cc3a81c99527410a83ae9cc35c637e8b1
Author: Vitaly Kuznetsov <vkuznets@redhat.com>
Date:   Wed Dec 7 01:16:25 2016 -0800

    hv: allocate synic pages for all present CPUs
    
    commit 421b8f20d3c381b215f988b42428f56fc3b82405 upstream.
    
    It may happen that not all CPUs are online when we do hv_synic_alloc() and
    in case more CPUs come online later we may try accessing these allocated
    structures.
    
    Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6d0511ed15db30965f8a3be8f0733bb6efd2b95e
Author: Krzysztof Opasiak <kopasiak90@gmail.com>
Date:   Thu Jan 19 18:55:29 2017 +0100

    usb: gadget: f_hid: Use spinlock instead of mutex
    
    commit 33e4c1a9987a1fc3b42c3b534100b5b006d55c61 upstream.
    
    As IN request has to be allocated in set_alt() and released in
    disable() we cannot use mutex to protect it as we cannot sleep
    in those funcitons. Let's replace this mutex with a spinlock.
    
    Tested-by: David Lechner <david@lechnology.com>
    Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
    Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d3acd94c0f79387b0d1855bdd4690f1596eb3f25
Author: Krzysztof Opasiak <kopasiak90@gmail.com>
Date:   Thu Jan 19 18:55:28 2017 +0100

    usb: gadget: f_hid: fix: Prevent accessing released memory
    
    commit aa65d11aa008f4de58a9cee7e121666d9d68505e upstream.
    
    When we unlock our spinlock to copy data to user we may get
    disabled by USB host and free the whole list of completed out
    requests including the one from which we are copying the data
    to user memory.
    
    To prevent from this let's remove our working element from
    the list and place it back only if there is sth left when we
    finish with it.
    
    Fixes: 99c515005857 ("usb: gadget: hidg: register OUT INT endpoint for SET_REPORT")
    Tested-by: David Lechner <david@lechnology.com>
    Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
    Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b6092a57150c1641dffb6bfeebbe2cbde7275d1f
Author: Krzysztof Opasiak <kopasiak90@gmail.com>
Date:   Thu Jan 19 18:55:27 2017 +0100

    usb: gadget: f_hid: fix: Free out requests
    
    commit 20d2ca955bd09639c7b01db5761d157c297aea0a upstream.
    
    Requests for out endpoint are allocated in bind() function
    but never released.
    
    This commit ensures that all pending requests are released
    when we disable out endpoint.
    
    Fixes: 99c515005857 ("usb: gadget: hidg: register OUT INT endpoint for SET_REPORT")
    Tested-by: David Lechner <david@lechnology.com>
    Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
    Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 92ee9483bc5fe7d4c2e6730515849467d818f8f7
Author: Magnus Lilja <lilja.magnus@gmail.com>
Date:   Wed Jan 25 22:07:59 2017 +0100

    usb: gadget: udc: fsl: Add missing complete function.
    
    commit 5528954a1a0c49c6974ef1b8d6eaceff536204d5 upstream.
    
    Commit 304f7e5e1d08 ("usb: gadget: Refactor request completion")
    removed check if req->req.complete is non-NULL, resulting in a NULL
    pointer derefence and a kernel panic.
    This patch adds an empty complete function instead of re-introducing
    the req->req.complete check.
    
    Fixes: 304f7e5e1d08 ("usb: gadget: Refactor request completion")
    
    Signed-off-by: Magnus Lilja <lilja.magnus@gmail.com>
    Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 881b5225558e2bad2f02aca4058b269dce0a834d
Author: Krzysztof Opasiak <k.opasiak@samsung.com>
Date:   Mon Jan 16 08:40:57 2017 +0100

    usb: gadget: udc-core: Rescan pending list on driver unbind
    
    commit 8236800da115a3e24b9165c573067343f51cf5ea upstream.
    
    Since:
    
    commit 855ed04a3758 ("usb: gadget: udc-core: independent registration
    of gadgets and gadget drivers")
    
    if we load gadget module but there is no free udc available
    then it will be stored on a pending gadgets list.
    
    $ modprobe g_zero.ko
    $ modprobe g_ether.ko
    [] udc-core: couldn't find an available UDC - added [g_ether] to list
    of pending drivers
    
    We scan this list each time when new UDC appears in system.
    But we can get a free UDC each time after gadget unbind.
    This commit add scanning of that list directly after unbinding
    gadget from udc.
    
    Thanks to this, when we unload first gadget:
    
    $ rmmod g_zero.ko
    
    gadget which is pending is automatically
    attached to that UDC (if name matches).
    
    Fixes: 855ed04a3758  ("usb: gadget: udc-core: independent registration of gadgets and gadget drivers")
    Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
    Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 82bd560d9552a7b30ad1123591de63684fe0a63e
Author: William wu <william.wu@rock-chips.com>
Date:   Tue Jan 17 15:32:07 2017 +0800

    usb: host: xhci: plat: check hcc_params after add hcd
    
    commit 5de4e1ea9a731cad195ce5152705c21daef3bbba upstream.
    
    The commit 4ac53087d6d4 ("usb: xhci: plat: Create both
    HCDs before adding them") move add hcd to the end of
    probe, this cause hcc_params uninitiated, because xHCI
    driver sets hcc_params in xhci_gen_setup() called from
    usb_add_hcd().
    
    This patch checks the Maximum Primary Stream Array Size
    in the hcc_params register after add primary hcd.
    
    Signed-off-by: William wu <william.wu@rock-chips.com>
    Acked-by: Roger Quadros <rogerq@ti.com>
    Fixes: 4ac53087d6d4 ("usb: xhci: plat: Create both HCDs before adding them")
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3ccf60e1ff5e6cbd47b860b95f6cb53ebd98113b
Author: Felipe Balbi <felipe.balbi@linux.intel.com>
Date:   Thu Jan 19 13:38:42 2017 +0200

    usb: dwc3: gadget: skip Set/Clear Halt when invalid
    
    commit ffb80fc672c3a7b6afd0cefcb1524fb99917b2f3 upstream.
    
    At least macOS seems to be sending
    ClearFeature(ENDPOINT_HALT) to endpoints which
    aren't Halted. This makes DWC3's CLEARSTALL command
    time out which causes several issues for the driver.
    
    Instead, let's just return 0 and bail out early.
    
    Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5413f432a1f33293b9183fadb1b44e29b168aa24
Author: Alexandre Bailon <abailon@baylibre.com>
Date:   Wed Feb 1 21:30:12 2017 -0600

    usb: musb: da8xx: Remove CPPI 3.0 quirk and methods
    
    commit a994ce2d7e66008381a0b184c73be9ae9b72eb5c upstream.
    
    DA8xx driver is registering and using the CPPI 3.0 DMA controller but
    actually, the DA8xx has a CPPI 4.1 DMA controller.
    Remove the CPPI 3.0 quirk and methods.
    
    Fixes: f8e9f34f80a2 ("usb: musb: Fix up DMA related macros")
    Fixes: 7f6283ed6fe8 ("usb: musb: Set up function pointers for DMA")
    Signed-off-by: Alexandre Bailon <abailon@baylibre.com>
    Acked-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
    Acked-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Bin Liu <b-liu@ti.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c259832acf57c51971582c84c89b2941a8a9e1ef
Author: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Date:   Wed Jan 18 21:31:11 2017 +0100

    w1: ds2490: USB transfer buffers need to be DMAable
    
    commit 61cd1b4cd1e8f7f7642ab64529d9bd52e8374641 upstream.
    
    ds2490 driver was doing USB transfers from / to buffers on a stack.
    This is not permitted and made the driver non-working with vmapped stacks.
    
    Since all these transfers are done under the same bus_mutex lock we can
    simply use shared buffers in a device private structure for two most common
    of them.
    
    While we are at it, let's also fix a comparison between int and size_t in
    ds9490r_search() which made the driver spin in this function if state
    register get requests were failing.
    
    Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
    Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1de86951101be4a3bcee9355a10f327bba491ec5
Author: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Date:   Sat Jan 21 23:50:18 2017 +0100

    w1: don't leak refcount on slave attach failure in w1_attach_slave_device()
    
    commit d2ce4ea1a0b0162e5d2d7e7942ab6f5cc2063d5a upstream.
    
    Near the beginning of w1_attach_slave_device() we increment a w1 master
    reference count.
    Later, when we are going to exit this function without actually attaching
    a slave device (due to failure of __w1_attach_slave_device()) we need to
    decrement this reference count back.
    
    Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
    Fixes: 9fcbbac5ded489 ("w1: process w1 netlink commands in w1_process thread")
    Cc: Evgeniy Polyakov <zbr@ioremap.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7afc0ee6ae73c23d8acc7a58113e269f6c1da2a2
Author: Marc Kleine-Budde <mkl@pengutronix.de>
Date:   Thu Mar 2 12:03:40 2017 +0100

    can: usb_8dev: Fix memory leak of priv->cmd_msg_buffer
    
    commit 7c42631376306fb3f34d51fda546b50a9b6dd6ec upstream.
    
    The priv->cmd_msg_buffer is allocated in the probe function, but never
    kfree()ed. This patch converts the kzalloc() to resource-managed
    kzalloc.
    
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cec7abd27e878e3c83dc9af41ee87a2e9d483ac0
Author: Ethan Zonca <e@ethanzonca.com>
Date:   Fri Feb 24 11:27:36 2017 -0500

    can: gs_usb: Don't use stack memory for USB transfers
    
    commit c919a3069c775c1c876bec55e00b2305d5125caa upstream.
    
    Fixes: 05ca5270005c can: gs_usb: add ethtool set_phys_id callback to locate physical device
    
    The gs_usb driver is performing USB transfers using buffers allocated on
    the stack. This causes the driver to not function with vmapped stacks.
    Instead, allocate memory for the transfer buffers.
    
    Signed-off-by: Ethan Zonca <e@ethanzonca.com>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a34546c6234e77dc98f5ac40ad64ee5429c986e6
Author: Peter Rosin <peda@axentia.se>
Date:   Wed Feb 1 21:40:56 2017 +0100

    iio: pressure: mpl3115: do not rely on structure field ordering
    
    commit 9cf6cdba586ced75c69b8314b88b2d2f5ce9b3ed upstream.
    
    Fixes a regression triggered by a change in the layout of
    struct iio_chan_spec, but the real bug is in the driver which assumed
    a specific structure layout in the first place. Hint: the two bits were
    not OR:ed together as implied by the indentation prior to this patch,
    there was a comma between them, which accidentally moved the ..._SCALE
    bit to the next structure field. That field was .info_mask_shared_by_type
    before the _available attributes was added by commit 51239600074b
    ("iio:core: add a callback to allow drivers to provide _available
    attributes") and .info_mask_separate_available afterwards, and the
    regression happened.
    
    info_mask_shared_by_type is actually a better choice than the originally
    intended info_mask_separate for the ..._SCALE bit since a constant is
    returned from mpl3115_read_raw for the scale. Using
    info_mask_shared_by_type also preserves the behavior from before the
    regression and is therefore less likely to cause other interesting side
    effects.
    
    The above mentioned regression causes an unintended sysfs attibute to
    show up that is not backed by code, in turn causing the following NULL
    pointer defererence to happen on access.
    
    Segmentation fault
    
    Unable to handle kernel NULL pointer dereference at virtual address 00000000
    pgd = ecc3c000
    [00000000] *pgd=87f91831
    Internal error: Oops: 80000007 [#1] SMP ARM
    Modules linked in:
    CPU: 1 PID: 1051 Comm: cat Not tainted 4.10.0-rc5-00009-gffd8858-dirty #3
    Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
    task: ed54ec00 task.stack: ee2bc000
    PC is at 0x0
    LR is at iio_read_channel_info_avail+0x40/0x280
    pc : [<00000000>]    lr : [<c06fbc1c>]    psr: a0070013
    sp : ee2bdda8  ip : 00000000  fp : ee2bddf4
    r10: c0a53c74  r9 : ed79f000  r8 : ee8d1018
    r7 : 00001000  r6 : 00000fff  r5 : ee8b9a00  r4 : ed79f000
    r3 : ee2bddc4  r2 : ee2bddbc  r1 : c0a86dcc  r0 : ee8d1000
    Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
    Control: 10c5387d  Table: 3cc3c04a  DAC: 00000051
    Process cat (pid: 1051, stack limit = 0xee2bc210)
    Stack: (0xee2bdda8 to 0xee2be000)
    dda0:                   ee2bddc0 00000002 c016d720 c016d394 ed54ec00 00000000
    ddc0: 60070013 ed413780 00000001 edffd480 ee8b9a00 00000fff 00001000 ee8d1018
    dde0: ed79f000 c0a53c74 ee2bde0c ee2bddf8 c0513c58 c06fbbe8 edffd480 edffd540
    de00: ee2bde3c ee2bde10 c0293474 c0513c40 c02933e4 ee2bde60 00000001 ed413780
    de20: 00000001 ed413780 00000000 edffd480 ee2bde4c ee2bde40 c0291d00 c02933f0
    de40: ee2bde9c ee2bde50 c024679c c0291ce0 edffd4b0 b6e37000 00020000 ee2bdf78
    de60: 00000000 00000000 ed54ec00 ed013200 00000817 c0a111fc edffd540 ed413780
    de80: b6e37000 00020000 00020000 ee2bdf78 ee2bded4 ee2bdea0 c0292890 c0246604
    dea0: c0117940 c016ba50 00000025 c0a111fc b6e37000 ed413780 ee2bdf78 00020000
    dec0: ee2bc000 b6e37000 ee2bdf44 ee2bded8 c021d158 c0292770 c0117764 b6e36004
    dee0: c0f0d7c4 ee2bdfb0 b6f89228 00021008 ee2bdfac ee2bdf00 c0101374 c0117770
    df00: 00000000 00000000 ee2bc000 00000000 ee2bdf34 ee2bdf20 c016ba04 c0171080
    df20: 00000000 00020000 ed413780 b6e37000 00000000 ee2bdf78 ee2bdf74 ee2bdf48
    df40: c021e7a0 c021d130 c023e300 c023e280 ee2bdf74 00000000 00000000 ed413780
    df60: ed413780 00020000 ee2bdfa4 ee2bdf78 c021e870 c021e71c 00000000 00000000
    df80: 00020000 00020000 b6e37000 00000003 c0108084 00000000 00000000 ee2bdfa8
    dfa0: c0107ee0 c021e838 00020000 00020000 00000003 b6e37000 00020000 0001a2b4
    dfc0: 00020000 00020000 b6e37000 00000003 7fffe000 00000000 00000000 00020000
    dfe0: 00000000 be98eb4c 0000c740 b6f1985c 60070010 00000003 00000000 00000000
    Backtrace:
    [<c06fbbdc>] (iio_read_channel_info_avail) from [<c0513c58>] (dev_attr_show+0x24/0x50)
     r10:c0a53c74 r9:ed79f000 r8:ee8d1018 r7:00001000 r6:00000fff r5:ee8b9a00
     r4:edffd480
    [<c0513c34>] (dev_attr_show) from [<c0293474>] (sysfs_kf_seq_show+0x90/0x110)
     r5:edffd540 r4:edffd480
    [<c02933e4>] (sysfs_kf_seq_show) from [<c0291d00>] (kernfs_seq_show+0x2c/0x30)
     r10:edffd480 r9:00000000 r8:ed413780 r7:00000001 r6:ed413780 r5:00000001
     r4:ee2bde60 r3:c02933e4
    [<c0291cd4>] (kernfs_seq_show) from [<c024679c>] (seq_read+0x1a4/0x4e0)
    [<c02465f8>] (seq_read) from [<c0292890>] (kernfs_fop_read+0x12c/0x1cc)
     r10:ee2bdf78 r9:00020000 r8:00020000 r7:b6e37000 r6:ed413780 r5:edffd540
     r4:c0a111fc
    [<c0292764>] (kernfs_fop_read) from [<c021d158>] (__vfs_read+0x34/0x118)
     r10:b6e37000 r9:ee2bc000 r8:00020000 r7:ee2bdf78 r6:ed413780 r5:b6e37000
     r4:c0a111fc
    [<c021d124>] (__vfs_read) from [<c021e7a0>] (vfs_read+0x90/0x11c)
     r8:ee2bdf78 r7:00000000 r6:b6e37000 r5:ed413780 r4:00020000
    [<c021e710>] (vfs_read) from [<c021e870>] (SyS_read+0x44/0x90)
     r8:00020000 r7:ed413780 r6:ed413780 r5:00000000 r4:00000000
    [<c021e82c>] (SyS_read) from [<c0107ee0>] (ret_fast_syscall+0x0/0x1c)
     r10:00000000 r8:c0108084 r7:00000003 r6:b6e37000 r5:00020000 r4:00020000
    Code: bad PC value
    ---[ end trace 9c4938ccd0389004 ]---
    
    Fixes: cc26ad455f57 ("iio: Add Freescale MPL3115A2 pressure / temperature sensor driver")
    Fixes: 51239600074b ("iio:core: add a callback to allow drivers to provide _available attributes")
    Reported-by: Ken Lin <ken.lin@advantech.com>
    Tested-by: Ken Lin <ken.lin@advantech.com>
    Signed-off-by: Peter Rosin <peda@axentia.se>
    Signed-off-by: Jonathan Cameron <jic23@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 602bd10f6e947308ffa7f9c2d11d07b9997aaee5
Author: Peter Rosin <peda@axentia.se>
Date:   Wed Feb 1 21:40:57 2017 +0100

    iio: pressure: mpl115: do not rely on structure field ordering
    
    commit 6a6e1d56a0769795a36c0461c64bf5e5b9bbb4c0 upstream.
    
    Fixes a regression triggered by a change in the layout of
    struct iio_chan_spec, but the real bug is in the driver which assumed
    a specific structure layout in the first place. Hint: the three bits were
    not OR:ed together as implied by the indentation prior to this patch,
    there was a comma between the first two, which accidentally moved the
    ..._SCALE and ..._OFFSET bits to the next structure field. That field
    was .info_mask_shared_by_type before the _available attributes was added
    by commit 51239600074b ("iio:core: add a callback to allow drivers to
    provide _available attributes") and .info_mask_separate_available
    afterwards, and the regression happened.
    
    info_mask_shared_by_type is actually a better choice than the originally
    intended info_mask_separate for the ..._SCALE and ..._OFFSET bits since
    a constant is returned from mpl115_read_raw for the scale/offset. Using
    info_mask_shared_by_type also preserves the behavior from before the
    regression and is therefore less likely to cause other interesting side
    effects.
    
    The above mentioned regression causes unintended sysfs attibutes to
    show up that are not backed by code, in turn causing a NULL pointer
    defererence to happen on access.
    
    Fixes: 3017d90e8931 ("iio: Add Freescale MPL115A2 pressure / temperature sensor driver")
    Fixes: 51239600074b ("iio:core: add a callback to allow drivers to provide _available attributes")
    Signed-off-by: Peter Rosin <peda@axentia.se>
    Signed-off-by: Jonathan Cameron <jic23@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d408d23addbaa9af9e0db492f774d3245ecfeefd
Author: Shanker Donthineni <shankerd@codeaurora.org>
Date:   Thu Feb 2 20:30:03 2017 -0600

    KVM: arm/arm64: vgic: Stop injecting the MSI occurrence twice
    
    commit 0bdbf3b071986ba80731203683cf623d5c0cacb1 upstream.
    
    The IRQFD framework calls the architecture dependent function
    twice if the corresponding GSI type is edge triggered. For ARM,
    the function kvm_set_msi() is getting called twice whenever the
    IRQFD receives the event signal. The rest of the code path is
    trying to inject the MSI without any validation checks. No need
    to call the function vgic_its_inject_msi() second time to avoid
    an unnecessary overhead in IRQ queue logic. It also avoids the
    possibility of VM seeing the MSI twice.
    
    Simple fix, return -1 if the argument 'level' value is zero.
    
    Reviewed-by: Eric Auger <eric.auger@redhat.com>
    Reviewed-by: Christoffer Dall <cdall@linaro.org>
    Signed-off-by: Shanker Donthineni <shankerd@codeaurora.org>
    Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7127d43e1843400658e42c0b21dc598a59d603e4
Author: Mark Rutland <mark.rutland@arm.com>
Date:   Thu Feb 2 17:32:14 2017 +0000

    arm64: fix erroneous __raw_read_system_reg() cases
    
    commit 7d0928f18bf890d2853281f59aba0dd5a46b34f9 upstream.
    
    Since it was introduced in commit da8d02d19ffdd201 ("arm64/capabilities:
    Make use of system wide safe value"), __raw_read_system_reg() has
    erroneously mapped some sysreg IDs to other registers.
    
    For the fields in ID_ISAR5_EL1, our local feature detection will be
    erroneous. We may spuriously detect that a feature is uniformly
    supported, or may fail to detect when it actually is, meaning some
    compat hwcaps may be erroneous (or not enforced upon hotplug).
    
    This patch corrects the erroneous entries.
    
    Signed-off-by: Mark Rutland <mark.rutland@arm.com>
    Fixes: da8d02d19ffdd201 ("arm64/capabilities: Make use of system wide safe value")
    Reported-by: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
    Cc: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a8123045c94638114a0b1ab19fd218dd3a5cd0b5
Author: Robin Murphy <robin.murphy@arm.com>
Date:   Wed Jan 25 18:31:31 2017 +0000

    arm64: dma-mapping: Fix dma_mapping_error() when bypassing SWIOTLB
    
    commit adbe7e26f4257f72817495b9bce114284060b0d7 upstream.
    
    When bypassing SWIOTLB on small-memory systems, we need to avoid calling
    into swiotlb_dma_mapping_error() in exactly the same way as we avoid
    swiotlb_dma_supported(), because the former also relies on SWIOTLB state
    being initialised.
    
    Under the assumptions for which we skip SWIOTLB, dma_map_{single,page}()
    will only ever return the DMA-offset-adjusted physical address of the
    page passed in, thus we can report success unconditionally.
    
    Fixes: b67a8b29df7e ("arm64: mm: only initialize swiotlb when necessary")
    CC: Jisheng Zhang <jszhang@marvell.com>
    Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
    Signed-off-by: Robin Murphy <robin.murphy@arm.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ac4c8fcf5ebceb0a2b6342707e4835a13f5bcf22
Author: Marc Zyngier <marc.zyngier@arm.com>
Date:   Wed Jan 25 12:29:59 2017 +0000

    arm/arm64: KVM: Enforce unconditional flush to PoC when mapping to stage-2
    
    commit 8f36ebaf21fdae99c091c67e8b6fab33969f2667 upstream.
    
    When we fault in a page, we flush it to the PoC (Point of Coherency)
    if the faulting vcpu has its own caches off, so that it can observe
    the page we just brought it.
    
    But if the vcpu has its caches on, we skip that step. Bad things
    happen when *another* vcpu tries to access that page with its own
    caches disabled. At that point, there is no garantee that the
    data has made it to the PoC, and we access stale data.
    
    The obvious fix is to always flush to PoC when a page is faulted
    in, no matter what the state of the vcpu is.
    
    Fixes: 2d58b733c876 ("arm64: KVM: force cache clean on page fault when caches are off")
    Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
    Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bfb55d4087cfc4346b1ec5a04cbac04e9df10ab4
Author: Dave Hansen <dave.hansen@linux.intel.com>
Date:   Thu Feb 23 14:26:03 2017 -0800

    x86/pkeys: Check against max pkey to avoid overflows
    
    commit 58ab9a088ddac4efe823471275859d64f735577e upstream.
    
    Kirill reported a warning from UBSAN about undefined behavior when using
    protection keys.  He is running on hardware that actually has support for
    it, which is not widely available.
    
    The warning triggers because of very large shifts of integers when doing a
    pkey_free() of a large, invalid value. This happens because we never check
    that the pkey "fits" into the mm_pkey_allocation_map().
    
    I do not believe there is any danger here of anything bad happening
    other than some aliasing issues where somebody could do:
    
            pkey_free(35);
    
    and the kernel would effectively execute:
    
            pkey_free(8);
    
    While this might be confusing to an app that was doing something stupid, it
    has to do something stupid and the effects are limited to the app shooting
    itself in the foot.
    
    Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
    Cc: linux-kselftest@vger.kernel.org
    Cc: shuah@kernel.org
    Cc: kirill.shutemov@linux.intel.com
    Link: http://lkml.kernel.org/r/20170223222603.A022ED65@viggo.jf.intel.com
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1e6be9c19c1286cdc3e87a27b06038361a0165ab
Author: Miklos Szeredi <mszeredi@redhat.com>
Date:   Wed Feb 22 20:08:25 2017 +0100

    fuse: add missing FR_FORCE
    
    commit 2e38bea99a80eab408adee27f873a188d57b76cb upstream.
    
    fuse_file_put() was missing the "force" flag for the RELEASE request when
    sending synchronously (fuseblk).
    
    If this flag is not set, then a sync request may be interrupted before it
    is dequeued by the userspace filesystem.  In this case the OPEN won't be
    balanced with a RELEASE.
    
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Fixes: 5a18ec176c93 ("fuse: fix hang of single threaded fuseblk filesystem")
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit abf74467e7fb19c957eb284798fc41cc8059dc41
Author: Laura Abbott <labbott@redhat.com>
Date:   Tue Feb 28 14:07:25 2017 -0800

    crypto: testmgr - Pad aes_ccm_enc_tv_template vector
    
    commit 1c68bb0f62bf8de8bb30123ea840d5168f25abea upstream.
    
    Running with KASAN and crypto tests currently gives
    
     BUG: KASAN: global-out-of-bounds in __test_aead+0x9d9/0x2200 at addr ffffffff8212fca0
     Read of size 16 by task cryptomgr_test/1107
     Address belongs to variable 0xffffffff8212fca0
     CPU: 0 PID: 1107 Comm: cryptomgr_test Not tainted 4.10.0+ #45
     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.1-1.fc24 04/01/2014
     Call Trace:
      dump_stack+0x63/0x8a
      kasan_report.part.1+0x4a7/0x4e0
      ? __test_aead+0x9d9/0x2200
      ? crypto_ccm_init_crypt+0x218/0x3c0 [ccm]
      kasan_report+0x20/0x30
      check_memory_region+0x13c/0x1a0
      memcpy+0x23/0x50
      __test_aead+0x9d9/0x2200
      ? kasan_unpoison_shadow+0x35/0x50
      ? alg_test_akcipher+0xf0/0xf0
      ? crypto_skcipher_init_tfm+0x2e3/0x310
      ? crypto_spawn_tfm2+0x37/0x60
      ? crypto_ccm_init_tfm+0xa9/0xd0 [ccm]
      ? crypto_aead_init_tfm+0x7b/0x90
      ? crypto_alloc_tfm+0xc4/0x190
      test_aead+0x28/0xc0
      alg_test_aead+0x54/0xd0
      alg_test+0x1eb/0x3d0
      ? alg_find_test+0x90/0x90
      ? __sched_text_start+0x8/0x8
      ? __wake_up_common+0x70/0xb0
      cryptomgr_test+0x4d/0x60
      kthread+0x173/0x1c0
      ? crypto_acomp_scomp_free_ctx+0x60/0x60
      ? kthread_create_on_node+0xa0/0xa0
      ret_from_fork+0x2c/0x40
     Memory state around the buggy address:
      ffffffff8212fb80: 00 00 00 00 01 fa fa fa fa fa fa fa 00 00 00 00
      ffffffff8212fc00: 00 01 fa fa fa fa fa fa 00 00 00 00 01 fa fa fa
     >ffffffff8212fc80: fa fa fa fa 00 05 fa fa fa fa fa fa 00 00 00 00
                                       ^
      ffffffff8212fd00: 01 fa fa fa fa fa fa fa 00 00 00 00 01 fa fa fa
      ffffffff8212fd80: fa fa fa fa 00 00 00 00 00 05 fa fa fa fa fa fa
    
    This always happens on the same IV which is less than 16 bytes.
    
    Per Ard,
    
    "CCM IVs are 16 bytes, but due to the way they are constructed
    internally, the final couple of bytes of input IV are dont-cares.
    
    Apparently, we do read all 16 bytes, which triggers the KASAN errors."
    
    Fix this by padding the IV with null bytes to be at least 16 bytes.
    
    Fixes: 0bc5a6c5c79a ("crypto: testmgr - Disable rfc4309 test and convert test vectors")
    Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Signed-off-by: Laura Abbott <labbott@redhat.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 11a4d644d6d84a34a393a389d5efd4e036b04a62
Author: Krister Johansen <kjlx@templeofstupid.com>
Date:   Thu Jan 5 22:23:31 2017 -0800

    perf callchain: Reference count maps
    
    commit aa33b9b9a2ebb00d33c83a5312d4fbf2d5aeba36 upstream.
    
    If dso__load_kcore frees all of the existing maps, but one has already
    been attached to a callchain cursor node, then we can get a SIGSEGV in
    any function that happens to try to use this invalid cursor.  Use the
    existing map refcount mechanism to forestall cleanup of a map until the
    cursor iterates past the node.
    
    Signed-off-by: Krister Johansen <kjlx@templeofstupid.com>
    Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Cc: Frederic Weisbecker <fweisbec@gmail.com>
    Cc: Masami Hiramatsu <mhiramat@kernel.org>
    Cc: Namhyung Kim <namhyung@kernel.org>
    Fixes: 84c2cafa2889 ("perf tools: Reference count struct map")
    Link: http://lkml.kernel.org/r/20170106062331.GB2707@templeofstupid.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 65013a93b6c335bd166c911d73c47ff4bcbdb8be
Author: Vitaly Kuznetsov <vkuznets@redhat.com>
Date:   Wed Dec 7 01:16:24 2016 -0800

    Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()
    
    commit c0bb03924f1a80e7f65900e36c8e6b3dc167c5f8 upstream.
    
    DoS protection conditions were altered in WS2016 and now it's easy to get
    -EAGAIN returned from vmbus_post_msg() (e.g. when we try changing MTU on a
    netvsc device in a loop). All vmbus_post_msg() callers don't retry the
    operation and we usually end up with a non-functional device or crash.
    
    While host's DoS protection conditions are unknown to me my tests show that
    it can take up to 10 seconds before the message is sent so doing udelay()
    is not an option, we really need to sleep. Almost all vmbus_post_msg()
    callers are ready to sleep but there is one special case:
    vmbus_initiate_unload() which can be called from interrupt/NMI context and
    we can't sleep there. I'm also not sure about the lonely
    vmbus_send_tl_connect_request() which has no in-tree users but its external
    users are most likely waiting for the host to reply so sleeping there is
    also appropriate.
    
    Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 730b1b20c6cdc63f4ce32efc5a494fc9b141b854
Author: Ley Foon Tan <ley.foon.tan@intel.com>
Date:   Tue Feb 28 18:37:16 2017 +0800

    PCI: altera: Fix TLP_CFG_DW0 for TLP write
    
    commit 2a7275a3d867b228216886aae35e1f64291180b1 upstream.
    
    eb5767122feb ("PCI: altera: Simplify TLB_CFG_DW0 usage") used
    TLP_FMTTYPE_CFGRD* (instead of TLP_FMTTYPE_CFGWR*) for TLP writes, which
    causes writing to configuration space to fail.  Fix it by using correct
    FMTTYPE for write operation.
    
    Fixes: eb5767122feb ("PCI: altera: Simplify TLB_CFG_DW0 usage")
    Signed-off-by: Ley Foon Tan <ley.foon.tan@intel.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1fb738a3dc1304250c755e5e31715137c1c44c50
Author: Gavin Shan <gwshan@linux.vnet.ibm.com>
Date:   Thu Feb 16 10:22:34 2017 +1100

    pci/hotplug/pnv-php: Disable MSI and PCI device properly
    
    commit 49f4b08e61547a5ccd2db551d994c4503efe5666 upstream.
    
    pnv_php_disable_irq() can be called in two paths: Bailing path in
    pnv_php_enable_irq() or releasing slot. The MSI (or MSIx) interrupts
    is disabled unconditionally in pnv_php_disable_irq(). It's wrong
    because that might be enabled by drivers other than pnv-php.
    
    This disables MSI (or MSIx) interrupts and the PCI device only if
    it was enabled by pnv-php. In the error path of pnv_php_enable_irq(),
    we rely on the newly added parameter @disable_device. In the path
    of releasing slot, @pnv_php->irq is checked.
    
    Fixes: 360aebd85a4c ("drivers/pci/hotplug: Support surprise hotplug in powernv driver")
    Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
    Reviewed-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bc5338a4fd3d9042107ce3fe40792c1c4839ebab
Author: Dexuan Cui <decui@microsoft.com>
Date:   Fri Feb 10 15:18:46 2017 -0600

    PCI: hv: Fix wslot_to_devfn() to fix warnings on device removal
    
    commit 60e2e2fbafdd1285ae1b4ad39ded41603e0c74d0 upstream.
    
    The devfn of 00:02.0 is 0x10.  devfn_to_wslot(0x10) == 0x2, and
    wslot_to_devfn(0x2) should be 0x10, while it's 0x2 in the current code.
    
    Due to this, hv_eject_device_work() -> pci_get_domain_bus_and_slot()
    returns NULL and pci_stop_and_remove_bus_device() is not called.
    
    Later when the real device driver's .remove() is invoked by
    hv_pci_remove() -> pci_stop_root_bus(), some warnings can be noticed
    because the VM has lost the access to the underlying device at that
    time.
    
    Signed-off-by: Jake Oshins <jakeo@microsoft.com>
    Signed-off-by: Dexuan Cui <decui@microsoft.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Acked-by: Haiyang Zhang <haiyangz@microsoft.com>
    CC: K. Y. Srinivasan <kys@microsoft.com>
    CC: Stephen Hemminger <sthemmin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 787fd7a6c8ede68e55321c5bfbea9f1ca89a8148
Author: Christian Lamparter <chunkeey@googlemail.com>
Date:   Tue Feb 14 20:10:30 2017 +0100

    ath9k: use correct OTP register offsets for the AR9340 and AR9550
    
    commit c9f1e32600816d695f817477d56490bfc2ba43c6 upstream.
    
    This patch fixes the OTP register definitions for the AR934x and AR9550
    WMAC SoC.
    
    Previously, the ath9k driver was unable to initialize the integrated
    WMAC on an Aerohive AP121:
    
    | ath: phy0: timeout (1000 us) on reg 0x30018: 0xbadc0ffe & 0x00000007 != 0x00000004
    | ath: phy0: timeout (1000 us) on reg 0x30018: 0xbadc0ffe & 0x00000007 != 0x00000004
    | ath: phy0: Unable to initialize hardware; initialization status: -5
    | ath9k ar934x_wmac: failed to initialize device
    | ath9k: probe of ar934x_wmac failed with error -5
    
    It turns out that the AR9300_OTP_STATUS and AR9300_OTP_DATA
    definitions contain a typo.
    
    Cc: Gabor Juhos <juhosg@openwrt.org>
    Fixes: add295a4afbdf5852d0 "ath9k: use correct OTP register offsets for AR9550"
    Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
    Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
    Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c41cae06bf6027d2f77ebbb12bc17da1cd6e131f
Author: Felix Fietkau <nbd@nbd.name>
Date:   Thu Feb 2 10:14:52 2017 +0100

    ath9k: fix race condition in enabling/disabling IRQs
    
    commit 3a5e969bb2f6692a256352649355d56d018d6b88 upstream.
    
    The code currently relies on refcounting to disable IRQs from within the
    IRQ handler and re-enabling them again after the tasklet has run.
    
    However, due to race conditions sometimes the IRQ handler might be
    called twice, or the tasklet may not run at all (if interrupted in the
    middle of a reset).
    
    This can cause nasty imbalances in the irq-disable refcount which will
    get the driver permanently stuck until the entire radio has been stopped
    and started again (ath_reset will not recover from this).
    
    Instead of using this fragile logic, change the code to ensure that
    running the irq handler during tasklet processing is safe, and leave the
    refcount untouched.
    
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 93c1f1db1a7421545e9aae9fb6091668ca570f2b
Author: Felix Fietkau <nbd@nbd.name>
Date:   Wed Jan 11 16:32:13 2017 +0200

    ath5k: drop bogus warning on drv_set_key with unsupported cipher
    
    commit a70e1d6fd6b5e1a81fa6171600942bee34f5128f upstream.
    
    Simply return -EOPNOTSUPP instead.
    
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bac7f7135d51144ff193002b296b8bdf06c9855f
Author: Tamizh chelvam <c_traja@qti.qualcomm.com>
Date:   Thu Feb 2 08:32:18 2017 +0200

    ath10k: fix boot failure in UTF mode/testmode
    
    commit cb4281528b62207918b1e95827cad7527aa4dbaa upstream.
    
    Rx filter reset and the dynamic tx switch mode (EXT_RESOURCE_CFG)
    configuration are causing the following errors when UTF firmware
    is loaded to the target.
    
    Error message 1:
    [ 598.015629] ath10k_pci 0001:01:00.0: failed to ping firmware: -110
    [ 598.020828] ath10k_pci 0001:01:00.0: failed to reset rx filter: -110
    [ 598.141556] ath10k_pci 0001:01:00.0: failed to start core (testmode): -110
    
    Error message 2:
    [ 668.615839] ath10k_ahb a000000.wifi: failed to send ext resource cfg command : -95
    [ 668.618902] ath10k_ahb a000000.wifi: failed to start core (testmode): -95
    
    Avoiding these configurations while bringing the target in
    testmode is solving the problem.
    
    Signed-off-by: Tamizh chelvam <c_traja@qti.qualcomm.com>
    Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d2a8cd3eee0fe9b14fe3a72c02cffa7df31a2383
Author: Alexander Usyskin <alexander.usyskin@intel.com>
Date:   Wed Feb 8 00:41:45 2017 +0200

    mei: remove support for broken parallel read
    
    commit cb97fbbcac15982406e0c74cd5512a8b6fcf10b3 upstream.
    
    Parallel reads from multiple threads on a file descriptor
    are not well defined and racy. It is safer to return to original
    behavior and simply fail the additional read.
    The solution is to remove request for next read credit.
    
    Fixes: ff1586a7ea57 ("mei: enqueue consecutive reads")
    Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
    Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d6407e10bcf540a67afbeca83e60a4323cba8b33
Author: Mathias Svensson <idolf@google.com>
Date:   Fri Jan 6 13:32:39 2017 -0800

    samples/seccomp: fix 64-bit comparison macros
    
    commit 916cafdc95843fb9af5fd5f83ca499d75473d107 upstream.
    
    There were some bugs in the JNE64 and JLT64 comparision macros. This fixes
    them, improves comments, and cleans up the file while we are at it.
    
    Reported-by: Stephen Röttger <sroettger@google.com>
    Signed-off-by: Mathias Svensson <idolf@google.com>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: James Morris <james.l.morris@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d6dcec965bc53eb375e50642b3b1abb9b835c2a7
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Sun Feb 5 01:26:48 2017 -0500

    ext4: return EROFS if device is r/o and journal replay is needed
    
    commit 4753d8a24d4588657bc0a4cd66d4e282dff15c8c upstream.
    
    If the file system requires journal recovery, and the device is
    read-ony, return EROFS to the mount system call.  This allows xfstests
    generic/050 to pass.
    
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 269bf7b8c5db7544133dcff03bd741f980e1f110
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Sat Feb 4 23:38:06 2017 -0500

    ext4: preserve the needs_recovery flag when the journal is aborted
    
    commit 97abd7d4b5d9c48ec15c425485f054e1c15e591b upstream.
    
    If the journal is aborted, the needs_recovery feature flag should not
    be removed.  Otherwise, it's the journal might not get replayed and
    this could lead to more data getting lost.
    
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0b37d0c0c6b35317bfc3aee8cdf94f853d594e5f
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Sat Feb 4 23:04:00 2017 -0500

    ext4: fix inline data error paths
    
    commit eb5efbcb762aee4b454b04f7115f73ccbcf8f0ef upstream.
    
    The write_end() function must always unlock the page and drop its ref
    count, even on an error.
    
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 68ca0fdac41fa801e1e6c2f99e27a9c24e494532
Author: Eric Biggers <ebiggers@google.com>
Date:   Wed Feb 1 21:07:11 2017 -0500

    ext4: fix use-after-iput when fscrypt contexts are inconsistent
    
    commit dd01b690f8f4b1e414f89e5a9a5326bf720d6652 upstream.
    
    In the case where the child's encryption context was inconsistent with
    its parent directory, we were using inode->i_sb and inode->i_ino after
    the inode had already been iput().  Fix this by doing the iput() in the
    correct places.
    
    Note: only ext4 had this bug, not f2fs and ubifs.
    
    Fixes: d9cdc9033181 ("ext4 crypto: enforce context consistency")
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a5a9cf387de6dde4c79b6e7fb6311dbd7ec86f02
Author: Jan Kara <jack@suse.cz>
Date:   Fri Jan 27 14:35:38 2017 -0500

    ext4: fix data corruption in data=journal mode
    
    commit 3b136499e906460919f0d21a49db1aaccf0ae963 upstream.
    
    ext4_journalled_write_end() did not propely handle all the cases when
    generic_perform_write() did not copy all the data into the target page
    and could mark buffers with uninitialized contents as uptodate and dirty
    leading to possible data corruption (which would be quickly fixed by
    generic_perform_write() retrying the write but still). Fix the problem
    by carefully handling the case when the page that is written to is not
    uptodate.
    
    Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fc6c2da174edd7a7b760b12c60d432d300e05cca
Author: Jan Kara <jack@suse.cz>
Date:   Fri Jan 27 14:34:30 2017 -0500

    ext4: trim allocation requests to group size
    
    commit cd648b8a8fd5071d232242d5ee7ee3c0815776af upstream.
    
    If filesystem groups are artifically small (using parameter -g to
    mkfs.ext4), ext4_mb_normalize_request() can result in a request that is
    larger than a block group. Trim the request size to not confuse
    allocation code.
    
    Reported-by: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e0b53d67291334125531f7f21b2f3df3d6ccc6ec
Author: Roman Pen <roman.penyaev@profitbricks.com>
Date:   Sun Jan 8 21:00:35 2017 -0500

    ext4: do not polute the extents cache while shifting extents
    
    commit 03e916fa8b5577d85471452a3d0c5738aa658dae upstream.
    
    Inside ext4_ext_shift_extents() function ext4_find_extent() is called
    without EXT4_EX_NOCACHE flag, which should prevent cache population.
    
    This leads to oudated offsets in the extents tree and wrong blocks
    afterwards.
    
    Patch fixes the problem providing EXT4_EX_NOCACHE flag for each
    ext4_find_extents() call inside ext4_ext_shift_extents function.
    
    Fixes: 331573febb6a2
    Signed-off-by: Roman Pen <roman.penyaev@profitbricks.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: Namjae Jeon <namjae.jeon@samsung.com>
    Cc: Andreas Dilger <adilger.kernel@dilger.ca>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 72ae476d0401c38c912ad740cadcc7ef302f5ef2
Author: Roman Pen <roman.penyaev@profitbricks.com>
Date:   Sun Jan 8 20:59:35 2017 -0500

    ext4: Include forgotten start block on fallocate insert range
    
    commit 2a9b8cba62c0741109c33a2be700ff3d7703a7c2 upstream.
    
    While doing 'insert range' start block should be also shifted right.
    The bug can be easily reproduced by the following test:
    
        ptr = malloc(4096);
        assert(ptr);
    
        fd = open("./ext4.file", O_CREAT | O_TRUNC | O_RDWR, 0600);
        assert(fd >= 0);
    
        rc = fallocate(fd, 0, 0, 8192);
        assert(rc == 0);
        for (i = 0; i < 2048; i++)
                *((unsigned short *)ptr + i) = 0xbeef;
        rc = pwrite(fd, ptr, 4096, 0);
        assert(rc == 4096);
        rc = pwrite(fd, ptr, 4096, 4096);
        assert(rc == 4096);
    
        for (block = 2; block < 1000; block++) {
                rc = fallocate(fd, FALLOC_FL_INSERT_RANGE, 4096, 4096);
                assert(rc == 0);
    
                for (i = 0; i < 2048; i++)
                        *((unsigned short *)ptr + i) = block;
    
                rc = pwrite(fd, ptr, 4096, 4096);
                assert(rc == 4096);
        }
    
    Because start block is not included in the range the hole appears at
    the wrong offset (just after the desired offset) and the following
    pwrite() overwrites already existent block, keeping hole untouched.
    
    Simple way to verify wrong behaviour is to check zeroed blocks after
    the test:
    
       $ hexdump ./ext4.file | grep '0000 0000'
    
    The root cause of the bug is a wrong range (start, stop], where start
    should be inclusive, i.e. [start, stop].
    
    This patch fixes the problem by including start into the range.  But
    not to break left shift (range collapse) stop points to the beginning
    of the a block, not to the end.
    
    The other not obvious change is an iterator check on validness in a
    main loop.  Because iterator is unsigned the following corner case
    should be considered with care: insert a block at 0 offset, when stop
    variables overflows and never becomes less than start, which is 0.
    To handle this special case iterator is set to NULL to indicate that
    end of the loop is reached.
    
    Fixes: 331573febb6a2
    Signed-off-by: Roman Pen <roman.penyaev@profitbricks.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: Namjae Jeon <namjae.jeon@samsung.com>
    Cc: Andreas Dilger <adilger.kernel@dilger.ca>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8ca25e39ec2d67df1f69f08c1d4ad0d6310a5c5b
Author: Omar Sandoval <osandov@fb.com>
Date:   Wed Mar 1 10:42:38 2017 -0800

    loop: fix LO_FLAGS_PARTSCAN hang
    
    commit e02898b423802b1f3a3aaa7f16e896da069ba8f7 upstream.
    
    loop_reread_partitions() needs to do I/O, but we just froze the queue,
    so we end up waiting forever. This can easily be reproduced with losetup
    -P. Fix it by moving the reread to after we unfreeze the queue.
    
    Fixes: ecdd09597a57 ("block/loop: fix race between I/O and set_status")
    Reported-by: Tejun Heo <tj@kernel.org>
    Signed-off-by: Omar Sandoval <osandov@fb.com>
    Reviewed-by: Ming Lei <tom.leiming@gmail.com>
    Signed-off-by: Jens Axboe <axboe@fb.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 50447afd96145b6d3d7aea412da178dce95f1f9b
Author: Ming Lei <tom.leiming@gmail.com>
Date:   Sat Feb 11 11:40:45 2017 +0800

    block/loop: fix race between I/O and set_status
    
    commit ecdd09597a57251323b0de50e3d45e69298c4a83 upstream.
    
    Inside set_status, transfer need to setup again, so
    we have to drain IO before the transition, otherwise
    oops may be triggered like the following:
    
            divide error: 0000 [#1] SMP KASAN
            CPU: 0 PID: 2935 Comm: loop7 Not tainted 4.10.0-rc7+ #213
            Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
            01/01/2011
            task: ffff88006ba1e840 task.stack: ffff880067338000
            RIP: 0010:transfer_xor+0x1d1/0x440 drivers/block/loop.c:110
            RSP: 0018:ffff88006733f108 EFLAGS: 00010246
            RAX: 0000000000000000 RBX: ffff8800688d7000 RCX: 0000000000000059
            RDX: 0000000000000000 RSI: 1ffff1000d743f43 RDI: ffff880068891c08
            RBP: ffff88006733f160 R08: ffff8800688d7001 R09: 0000000000000000
            R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800688d7000
            R13: ffff880067b7d000 R14: dffffc0000000000 R15: 0000000000000000
            FS:  0000000000000000(0000) GS:ffff88006d000000(0000)
            knlGS:0000000000000000
            CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
            CR2: 00000000006c17e0 CR3: 0000000066e3b000 CR4: 00000000001406f0
            Call Trace:
             lo_do_transfer drivers/block/loop.c:251 [inline]
             lo_read_transfer drivers/block/loop.c:392 [inline]
             do_req_filebacked drivers/block/loop.c:541 [inline]
             loop_handle_cmd drivers/block/loop.c:1677 [inline]
             loop_queue_work+0xda0/0x49b0 drivers/block/loop.c:1689
             kthread_worker_fn+0x4c3/0xa30 kernel/kthread.c:630
             kthread+0x326/0x3f0 kernel/kthread.c:227
             ret_from_fork+0x31/0x40 arch/x86/entry/entry_64.S:430
            Code: 03 83 e2 07 41 29 df 42 0f b6 04 30 4d 8d 44 24 01 38 d0 7f 08
            84 c0 0f 85 62 02 00 00 44 89 f8 41 0f b6 48 ff 25 ff 01 00 00 99 <f7>
            7d c8 48 63 d2 48 03 55 d0 48 89 d0 48 89 d7 48 c1 e8 03 83
            RIP: transfer_xor+0x1d1/0x440 drivers/block/loop.c:110 RSP:
            ffff88006733f108
            ---[ end trace 0166f7bd3b0c0933 ]---
    
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: Ming Lei <tom.leiming@gmail.com>
    Tested-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: Jens Axboe <axboe@fb.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a9b0c14ba1e4be94036c5725c144818a2d3be191
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Sat Feb 4 23:14:19 2017 -0500

    jbd2: don't leak modified metadata buffers on an aborted journal
    
    commit e112666b4959b25a8552d63bc564e1059be703e8 upstream.
    
    If the journal has been aborted, we shouldn't mark the underlying
    buffer head as dirty, since that will cause the metadata block to get
    modified.  And if the journal has been aborted, we shouldn't allow
    this since it will almost certainly lead to a corrupted file system.
    
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3de5a92847c1d87d86ee945e6002f2051e02e868
Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Date:   Thu Nov 3 10:29:28 2016 -0600

    Fix: Disable sys_membarrier when nohz_full is enabled
    
    commit 907565337ebf998a68cb5c5b2174ce5e5da065eb upstream.
    
    Userspace applications should be allowed to expect the membarrier system
    call with MEMBARRIER_CMD_SHARED command to issue memory barriers on
    nohz_full CPUs, but synchronize_sched() does not take those into
    account.
    
    Given that we do not want unrelated processes to be able to affect
    real-time sensitive nohz_full CPUs, simply return ENOSYS when membarrier
    is invoked on a kernel with enabled nohz_full CPUs.
    
    Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
    CC: Josh Triplett <josh@joshtriplett.org>
    CC: Steven Rostedt <rostedt@goodmis.org>
    Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Cc: Frederic Weisbecker <fweisbec@gmail.com>
    Cc: Chris Metcalf <cmetcalf@mellanox.com>
    Cc: Rik van Riel <riel@redhat.com>
    Acked-by: Lai Jiangshan <jiangshanlai@gmail.com>
    Reviewed-by: Josh Triplett <josh@joshtriplett.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 206af3d97f00d5c96de5bfd5a48045d444b3eec4
Author: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Date:   Tue Oct 25 11:37:59 2016 +0200

    power: reset: at91-poweroff: timely shutdown LPDDR memories
    
    commit 0b0408745e7ff24757cbfd571d69026c0ddb803c upstream.
    
    LPDDR memories can only handle up to 400 uncontrolled power off. Ensure the
    proper power off sequence is used before shutting down the platform.
    
    Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
    Signed-off-by: Sebastian Reichel <sre@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e9dc8334d765f7910114921c63a0324272f1f636
Author: Hannes Reinecke <hare@suse.de>
Date:   Fri Feb 17 09:02:45 2017 +0100

    scsi: use 'scsi_device_from_queue()' for scsi_dh
    
    commit 857de6e00778738dc3d61f75acbac35bdc48e533 upstream.
    
    The device handler needs to check if a given queue belongs to a scsi
    device; only then does it make sense to attach a device handler.
    
    [mkp: dropped flags]
    
    Signed-off-by: Hannes Reinecke <hare@suse.com>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 73f5176ecac265b03dcd8ef0aaed6950e5ecb828
Author: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
Date:   Thu Feb 16 12:51:21 2017 -0800

    scsi: aacraid: Reorder Adapter status check
    
    commit c421530bf848604e97d0785a03b3fe2c62775083 upstream.
    
    The driver currently checks the SELF_TEST_FAILED first and then
    KERNEL_PANIC next. Under error conditions(boot code failure) both
    SELF_TEST_FAILED and KERNEL_PANIC can be set at the same time.
    
    The driver has the capability to reset the controller on an KERNEL_PANIC,
    but not on SELF_TEST_FAILED.
    
    Fixed by first checking KERNEL_PANIC and then the others.
    
    Fixes: e8b12f0fb835223752 ([SCSI] aacraid: Add new code for PMC-Sierra's SRC base controller family)
    Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
    Reviewed-by: David Carroll <David.Carroll@microsemi.com>
    Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a50781fe6edabe33ecdef862fd9e7f2f35277de6
Author: Long Li <longli@microsoft.com>
Date:   Wed Dec 14 18:46:03 2016 -0800

    scsi: storvsc: properly set residual data length on errors
    
    commit 40630f462824ee24bc00d692865c86c3828094e0 upstream.
    
    On I/O errors, the Windows driver doesn't set data_transfer_length
    on error conditions other than SRB_STATUS_DATA_OVERRUN.
    In these cases we need to set data_transfer_length to 0,
    indicating there is no data transferred. On SRB_STATUS_DATA_OVERRUN,
    data_transfer_length is set by the Windows driver to the actual data transferred.
    
    Reported-by: Shiva Krishna <Shiva.Krishna@nimblestorage.com>
    Signed-off-by: Long Li <longli@microsoft.com>
    Reviewed-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e59693753e08c70a4da76e951ba4279003c1228e
Author: Long Li <longli@microsoft.com>
Date:   Wed Dec 14 18:46:02 2016 -0800

    scsi: storvsc: properly handle SRB_ERROR when sense message is present
    
    commit bba5dc332ec2d3a685cb4dae668c793f6a3713a3 upstream.
    
    When sense message is present on error, we should pass along to the upper
    layer to decide how to deal with the error.
    This patch fixes connectivity issues with Fiber Channel devices.
    
    Signed-off-by: Long Li <longli@microsoft.com>
    Reviewed-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 27f5ef378d2d56dad3c1a4c93c27fc5ce7c6eda0
Author: Long Li <longli@microsoft.com>
Date:   Wed Dec 14 18:46:01 2016 -0800

    scsi: storvsc: use tagged SRB requests if supported by the device
    
    commit 3cd6d3d9b1abab8dcdf0800224ce26daac24eea2 upstream.
    
    Properly set SRB flags when hosting device supports tagged queuing.
    This patch improves the performance on Fiber Channel disks.
    
    Signed-off-by: Long Li <longli@microsoft.com>
    Reviewed-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2937e22c2314cdfe31d82e2cc36af4be863be978
Author: Heinz Mauelshagen <heinzm@redhat.com>
Date:   Tue Feb 28 19:17:49 2017 +0100

    dm raid: fix data corruption on reshape request
    
    commit d36a19541fe8f392778ac137d60f9be8dfdd8f9d upstream.
    
    The lvm2 sequence to manage dm-raid constructor flags that trigger a
    rebuild or a reshape is defined as:
    
    1) load table with flags (e.g. rebuild/delta_disks/data_offset)
    2) clear out the flags in lvm2 metadata
    3) store the lvm2 metadata, reload the table to reset the flags
       previously established during the initial load (1) -- in order to
       prevent repeatedly requesting a rebuild or a reshape on activation
    
    Currently, loading an inactive table with rebuild/reshape flags
    specified will cause dm-raid to rebuild/reshape on resume and thus start
    updating the raid metadata (about the progress).  When the second table
    reload, to reset the flags, occurs the constructor accesses the volatile
    progress state kept in the raid superblocks.  Because the active mapping
    is still processing the rebuild/reshape, that position will be stale by
    the time the device is resumed.
    
    In the reshape case, this causes data corruption by processing already
    reshaped stripes again.  In the rebuild case, it does _not_ cause data
    corruption but instead involves superfluous rebuilds.
    
    Fix by keeping the raid set frozen during the first resume and then
    allow the rebuild/reshape during the second resume.
    
    Fixes: 9dbd1aa3a ("dm raid: add reshaping support to the target")
    Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b7f874eedc9308a43b0d29e2a12f848be724fca7
Author: Mike Snitzer <snitzer@redhat.com>
Date:   Thu Feb 16 23:57:17 2017 -0500

    dm round robin: revert "use percpu 'repeat_count' and 'current_path'"
    
    commit 37a098e9d10db6e2efc05fe61e3a6ff2e9802c53 upstream.
    
    The sloppy nature of lockless access to percpu pointers
    (s->current_path) in rr_select_path(), from multiple threads, is
    causing some paths to used more than others -- which results in less
    IO performance being observed.
    
    Revert these upstream commits to restore truly symmetric round-robin
    IO submission in DM multipath:
    
    b0b477c dm round robin: use percpu 'repeat_count' and 'current_path'
    802934b dm round robin: do not use this_cpu_ptr() without having preemption disabled
    
    There is no benefit to all this complexity if repeat_count = 1 (which is
    the recommended default).
    
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bad6c16b81b68d81e95ada246649dacc3cdd5e1d
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Wed Feb 15 12:06:19 2017 -0500

    dm stats: fix a leaked s->histogram_boundaries array
    
    commit 6085831883c25860264721df15f05bbded45e2a2 upstream.
    
    Fixes: dfcfac3e4cd9 ("dm stats: collect and report histogram of IO latencies")
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9987feba902cbd6429cf3b3a3b6614aa23a555c2
Author: Joe Thornber <ejt@redhat.com>
Date:   Thu Feb 9 11:46:18 2017 -0500

    dm cache: fix corruption seen when using cache > 2TB
    
    commit ca763d0a53b264a650342cee206512bc92ac7050 upstream.
    
    A rounding bug due to compiler generated temporary being 32bit was found
    in remap_to_cache().  A localized cast in remap_to_cache() fixes the
    corruption but this preferred fix (changing from uint32_t to sector_t)
    eliminates potential for future rounding errors elsewhere.
    
    Signed-off-by: Joe Thornber <ejt@redhat.com>
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fe8f92c7beba2f1c6b1235e52e199eafbe4aa39a
Author: Chanwoo Choi <cw00.choi@samsung.com>
Date:   Tue Jan 31 15:38:17 2017 +0900

    PM / devfreq: Fix wrong trans_stat of passive devfreq device
    
    commit 30582c25a4b4e0a5e456a309fde79b845e9473b2 upstream.
    
    Until now, the trans_stat information of passive devfreq is not updated.
    This patch updates the trans_stat information after setting the target
    frequency of passive devfreq device.
    
    Fixes: 996133119f57 ("PM / devfreq: Add new passive governor")
    Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
    Signed-off-by: MyungJoo Ham <myungjoo.ham@samsung.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2294b771a4b425d9365aabeaff8d33ccd0c0fffe
Author: Chanwoo Choi <cw00.choi@samsung.com>
Date:   Tue Jan 31 15:38:16 2017 +0900

    PM / devfreq: Fix available_governor sysfs
    
    commit bcf23c79c4e46130701370af4383b61a3cba755c upstream.
    
    The devfreq using passive governor is not able to change the governor.
    So, the user can not change the governor through 'available_governor' sysfs
    entry. Also, the devfreq which don't use the passive governor is not able to
    change to 'passive' governor on the fly.
    
    Fixes: 996133119f57 ("PM / devfreq: Add new passive governor")
    Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
    Signed-off-by: MyungJoo Ham <myungjoo.ham@samsung.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d9cc31683a16f5619217d80c3d8e608c23c41afc
Author: Mimi Zohar <zohar@linux.vnet.ibm.com>
Date:   Tue Jan 17 06:45:41 2017 -0500

    ima: fix ima_d_path() possible race with rename
    
    commit bc15ed663e7e53ee4dc3e60f8d09c93a0528c694 upstream.
    
    On failure to return a pathname from ima_d_path(), a pointer to
    dname is returned, which is subsequently used in the IMA measurement
    list, the IMA audit records, and other audit logging.  Saving the
    pointer to dname for later use has the potential to race with rename.
    
    Intead of returning a pointer to dname on failure, this patch returns
    a pointer to a copy of the filename.
    
    Reported-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 270e84a1e6effd6c0c6e9b13b196b5fdaa392954
Author: Davidlohr Bueso <dave@stgolabs.net>
Date:   Mon Feb 27 14:28:24 2017 -0800

    ipc/shm: Fix shmat mmap nil-page protection
    
    commit 95e91b831f87ac8e1f8ed50c14d709089b4e01b8 upstream.
    
    The issue is described here, with a nice testcase:
    
        https://bugzilla.kernel.org/show_bug.cgi?id=192931
    
    The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and
    the address rounded down to 0.  For the regular mmap case, the
    protection mentioned above is that the kernel gets to generate the
    address -- arch_get_unmapped_area() will always check for MAP_FIXED and
    return that address.  So by the time we do security_mmap_addr(0) things
    get funky for shmat().
    
    The testcase itself shows that while a regular user crashes, root will
    not have a problem attaching a nil-page.  There are two possible fixes
    to this.  The first, and which this patch does, is to simply allow root
    to crash as well -- this is also regular mmap behavior, ie when hacking
    up the testcase and adding mmap(...  |MAP_FIXED).  While this approach
    is the safer option, the second alternative is to ignore SHM_RND if the
    rounded address is 0, thus only having MAP_SHARED flags.  This makes the
    behavior of shmat() identical to the mmap() case.  The downside of this
    is obviously user visible, but does make sense in that it maintains
    semantics after the round-down wrt 0 address and mmap.
    
    Passes shm related ltp tests.
    
    Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.net
    Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
    Reported-by: Gareth Evans <gareth.evans@contextis.co.uk>
    Cc: Manfred Spraul <manfred@colorfullife.com>
    Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6d94a6b32e97c56dfbe96cc489517b338608f091
Author: Stas Sergeev <stsp@list.ru>
Date:   Mon Feb 27 14:27:25 2017 -0800

    sigaltstack: support SS_AUTODISARM for CONFIG_COMPAT
    
    commit 441398d378f29a5ad6d0fcda07918e54e4961800 upstream.
    
    Currently SS_AUTODISARM is not supported in compatibility mode, but does
    not return -EINVAL either.  This makes dosemu built with -m32 on x86_64
    to crash.  Also the kernel's sigaltstack selftest fails if compiled with
    -m32.
    
    This patch adds the needed support.
    
    Link: http://lkml.kernel.org/r/20170205101213.8163-2-stsp@list.ru
    Signed-off-by: Stas Sergeev <stsp@users.sourceforge.net>
    Cc: Milosz Tanski <milosz@adfin.com>
    Cc: Andy Lutomirski <luto@kernel.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Arnd Bergmann <arnd@arndb.de>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: Nicolas Pitre <nicolas.pitre@linaro.org>
    Cc: Waiman Long <Waiman.Long@hpe.com>
    Cc: Dave Hansen <dave.hansen@linux.intel.com>
    Cc: Dmitry Safonov <dsafonov@virtuozzo.com>
    Cc: Wang Xiaoqiang <wangxq10@lzu.edu.cn>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 521e92b198a89d3186930578e036d3b58a767081
Author: Michal Hocko <mhocko@suse.com>
Date:   Wed Feb 22 15:46:01 2017 -0800

    mm, vmscan: consider eligible zones in get_scan_count
    
    commit 71ab6cfe88dcf9f6e6a65eb85cf2bda20a257682 upstream.
    
    get_scan_count() considers the whole node LRU size when
    
     - doing SCAN_FILE due to many page cache inactive pages
     - calculating the number of pages to scan
    
    In both cases this might lead to unexpected behavior especially on 32b
    systems where we can expect lowmem memory pressure very often.
    
    A large highmem zone can easily distort SCAN_FILE heuristic because
    there might be only few file pages from the eligible zones on the node
    lru and we would still enforce file lru scanning which can lead to
    trashing while we could still scan anonymous pages.
    
    The later use of lruvec_lru_size can be problematic as well.  Especially
    when there are not many pages from the eligible zones.  We would have to
    skip over many pages to find anything to reclaim but shrink_node_memcg
    would only reduce the remaining number to scan by SWAP_CLUSTER_MAX at
    maximum.  Therefore we can end up going over a large LRU many times
    without actually having chance to reclaim much if anything at all.  The
    closer we are out of memory on lowmem zone the worse the problem will
    be.
    
    Fix this by filtering out all the ineligible zones when calculating the
    lru size for both paths and consider only sc->reclaim_idx zones.
    
    The patch would need to be tweaked a bit to apply to 4.10 and older but
    I will do that as soon as it hits the Linus tree in the next merge
    window.
    
    Link: http://lkml.kernel.org/r/20170117103702.28542-3-mhocko@kernel.org
    Fixes: b2e18757f2c9 ("mm, vmscan: begin reclaiming pages on a per-node basis")
    Signed-off-by: Michal Hocko <mhocko@suse.com>
    Tested-by: Trevor Cordes <trevor@tecnopolis.ca>
    Acked-by: Minchan Kim <minchan@kernel.org>
    Acked-by: Hillf Danton <hillf.zj@alibaba-inc.com>
    Acked-by: Mel Gorman <mgorman@suse.de>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 710531320af876192d76b2c1f68190a1df941b02
Author: Michal Hocko <mhocko@suse.com>
Date:   Wed Feb 22 15:45:58 2017 -0800

    mm, vmscan: cleanup lru size claculations
    
    commit fd538803731e50367b7c59ce4ad3454426a3d671 upstream.
    
    lruvec_lru_size returns the full size of the LRU list while we sometimes
    need a value reduced only to eligible zones (e.g.  for lowmem requests).
    inactive_list_is_low is one such user.  Later patches will add more of
    them.  Add a new parameter to lruvec_lru_size and allow it filter out
    zones which are not eligible for the given context.
    
    Link: http://lkml.kernel.org/r/20170117103702.28542-2-mhocko@kernel.org
    Signed-off-by: Michal Hocko <mhocko@suse.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Acked-by: Hillf Danton <hillf.zj@alibaba-inc.com>
    Acked-by: Minchan Kim <minchan@kernel.org>
    Acked-by: Mel Gorman <mgorman@suse.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8f6620e391a43d5da24fa09f98d9b51016545470
Author: Yisheng Xie <xieyisheng1@huawei.com>
Date:   Fri Feb 24 15:00:40 2017 -0800

    mm balloon: umount balloon_mnt when removing vb device
    
    commit 9c57b5808c625f4fc93da330b932647eaff321f7 upstream.
    
    With CONFIG_BALLOON_COMPACTION=y the kernel will mount balloon_mnt for
    balloon page migration when we probe a virtio_balloon device.  However
    we do not unmount it when removing the device.  Fix this.
    
    Fixes: b1123ea6d3b3 ("mm: balloon: use general non-lru movable page feature")
    Link: http://lkml.kernel.org/r/1486531318-35189-1-git-send-email-xieyisheng1@huawei.com
    Signed-off-by: Yisheng Xie <xieyisheng1@huawei.com>
    Acked-by: Minchan Kim <minchan@kernel.org>
    Cc: Rafael Aquini <aquini@redhat.com>
    Cc: Konstantin Khlebnikov <koct9i@gmail.com>
    Cc: Gioh Kim <gi-oh.kim@profitbricks.com>
    Cc: Vlastimil Babka <vbabka@suse.cz>
    Cc: Michal Hocko <mhocko@kernel.org>
    Cc: Michael S. Tsirkin <mst@redhat.com>
    Cc: Jason Wang <jasowang@redhat.com>
    Cc: Hanjun Guo <guohanjun@huawei.com>
    Cc: Xishi Qiu <qiuxishi@huawei.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2c290eede9b6375ad15025aa85a7c07c3ce1a3f3
Author: Minchan Kim <minchan@kernel.org>
Date:   Fri Feb 24 14:59:59 2017 -0800

    mm: do not access page->mapping directly on page_endio
    
    commit dd8416c47715cf324c9a16f13273f9fda87acfed upstream.
    
    With rw_page, page_endio is used for completing IO on a page and it
    propagates write error to the address space if the IO fails.  The
    problem is it accesses page->mapping directly which might be okay for
    file-backed pages but it shouldn't for anonymous page.  Otherwise, it
    can corrupt one of field from anon_vma under us and system goes panic
    randomly.
    
    swap_writepage
      bdev_writepage
        ops->rw_page
    
    I encountered the BUG during developing new zram feature and it was
    really hard to figure it out because it made random crash, somtime
    mmap_sem lockdep, sometime other places where places never related to
    zram/zsmalloc, and not reproducible with some configuration.
    
    When I consider how that bug is subtle and people do fast-swap test with
    brd, it's worth to add stable mark, I think.
    
    Fixes: dd6bd0d9c7db ("swap: use bdev_read_page() / bdev_write_page()")
    Signed-off-by: Minchan Kim <minchan@kernel.org>
    Acked-by: Michal Hocko <mhocko@suse.com>
    Cc: Matthew Wilcox <willy@infradead.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 58d1dbb904ba9ce1f8ac99c5d210ad7bb14eed08
Author: Vinayak Menon <vinmenon@codeaurora.org>
Date:   Fri Feb 24 14:59:39 2017 -0800

    mm: vmpressure: fix sending wrong events on underflow
    
    commit e1587a4945408faa58d0485002c110eb2454740c upstream.
    
    At the end of a window period, if the reclaimed pages is greater than
    scanned, an unsigned underflow can result in a huge pressure value and
    thus a critical event.  Reclaimed pages is found to go higher than
    scanned because of the addition of reclaimed slab pages to reclaimed in
    shrink_node without a corresponding increment to scanned pages.
    
    Minchan Kim mentioned that this can also happen in the case of a THP
    page where the scanned is 1 and reclaimed could be 512.
    
    Link: http://lkml.kernel.org/r/1486641577-11685-1-git-send-email-vinmenon@codeaurora.org
    Signed-off-by: Vinayak Menon <vinmenon@codeaurora.org>
    Acked-by: Minchan Kim <minchan@kernel.org>
    Acked-by: Michal Hocko <mhocko@suse.com>
    Cc: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Mel Gorman <mgorman@techsingularity.net>
    Cc: Vlastimil Babka <vbabka@suse.cz>
    Cc: Rik van Riel <riel@redhat.com>
    Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
    Cc: Anton Vorontsov <anton.vorontsov@linaro.org>
    Cc: Shiraz Hashim <shashim@codeaurora.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d1e8042628a31e28c8e92411ab83a28bd5e3f7c9
Author: Gavin Shan <gwshan@linux.vnet.ibm.com>
Date:   Fri Feb 24 14:59:33 2017 -0800

    mm/page_alloc: fix nodes for reclaim in fast path
    
    commit e02dc017c3032dcdce1b993af0db135462e1b4b7 upstream.
    
    When @node_reclaim_node isn't 0, the page allocator tries to reclaim
    pages if the amount of free memory in the zones are below the low
    watermark.  On Power platform, none of NUMA nodes are scanned for page
    reclaim because no nodes match the condition in zone_allows_reclaim().
    On Power platform, RECLAIM_DISTANCE is set to 10 which is the distance
    of Node-A to Node-A.  So the preferred node even won't be scanned for
    page reclaim.
    
       __alloc_pages_nodemask()
       get_page_from_freelist()
          zone_allows_reclaim()
    
    Anton proposed the test code as below:
    
       # cat alloc.c
          :
       int main(int argc, char *argv[])
       {
            void *p;
            unsigned long size;
            unsigned long start, end;
    
            start = time(NULL);
            size = strtoul(argv[1], NULL, 0);
            printf("To allocate %ldGB memory\n", size);
    
            size <<= 30;
            p = malloc(size);
            assert(p);
            memset(p, 0, size);
    
            end = time(NULL);
            printf("Used time: %ld seconds\n", end - start);
            sleep(3600);
            return 0;
       }
    
    The system I use for testing has two NUMA nodes.  Both have 128GB
    memory.  In below scnario, the page caches on node#0 should be reclaimed
    when it encounters pressure to accommodate request of allocation.
    
       # echo 2 > /proc/sys/vm/zone_reclaim_mode; \
         sync; \
         echo 3 > /proc/sys/vm/drop_caches; \
       # taskset -c 0 cat file.32G > /dev/null; \
         grep FilePages /sys/devices/system/node/node0/meminfo
         Node 0 FilePages:       33619712 kB
       # taskset -c 0 ./alloc 128
       # grep FilePages /sys/devices/system/node/node0/meminfo
         Node 0 FilePages:       33619840 kB
       # grep MemFree /sys/devices/system/node/node0/meminfo
         Node 0 MemFree:          186816 kB
    
    With the patch applied, the pagecache on node-0 is reclaimed when its
    free memory is running out.  It's the expected behaviour.
    
       # echo 2 > /proc/sys/vm/zone_reclaim_mode; \
         sync; \
         echo 3 > /proc/sys/vm/drop_caches
       # taskset -c 0 cat file.32G > /dev/null; \
         grep FilePages /sys/devices/system/node/node0/meminfo
         Node 0 FilePages:       33605568 kB
       # taskset -c 0 ./alloc 128
       # grep FilePages /sys/devices/system/node/node0/meminfo
         Node 0 FilePages:        1379520 kB
       # grep MemFree /sys/devices/system/node/node0/meminfo
         Node 0 MemFree:           317120 kB
    
    Fixes: 5f7a75acdb24 ("mm: page_alloc: do not cache reclaim distances")
    Link: http://lkml.kernel.org/r/1486532455-29613-1-git-send-email-gwshan@linux.vnet.ibm.com
    Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
    Acked-by: Mel Gorman <mgorman@suse.de>
    Acked-by: Michal Hocko <mhocko@suse.com>
    Cc: Anton Blanchard <anton@samba.org>
    Cc: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f1faaec4843a6bfcb795887f5b1a280fb874789d
Author: Dan Williams <dan.j.williams@intel.com>
Date:   Fri Feb 24 14:55:45 2017 -0800

    mm, devm_memremap_pages: hold device_hotplug lock over mem_hotplug_{begin, done}
    
    commit b5d24fda9c3dce51fcb4eee459550a458eaaf1e2 upstream.
    
    The mem_hotplug_{begin,done} lock coordinates with {get,put}_online_mems()
    to hold off "readers" of the current state of memory from new hotplug
    actions.  mem_hotplug_begin() expects exclusive access, via the
    device_hotplug lock, to set mem_hotplug.active_writer.  Calling
    mem_hotplug_begin() without locking device_hotplug can lead to
    corrupting mem_hotplug.refcount and missed wakeups / soft lockups.
    
    [dan.j.williams@intel.com: v2]
      Link: http://lkml.kernel.org/r/148728203365.38457.17804568297887708345.stgit@dwillia2-desk3.amr.corp.intel.com
    Link: http://lkml.kernel.org/r/148693885680.16345.17802627926777862337.stgit@dwillia2-desk3.amr.corp.intel.com
    Fixes: f931ab479dd2 ("mm: fix devm_memremap_pages crash, use mem_hotplug_{begin, done}")
    Signed-off-by: Dan Williams <dan.j.williams@intel.com>
    Reported-by: Ben Hutchings <ben@decadent.org.uk>
    Cc: Michal Hocko <mhocko@suse.com>
    Cc: Toshi Kani <toshi.kani@hpe.com>
    Cc: Vlastimil Babka <vbabka@suse.cz>
    Cc: Logan Gunthorpe <logang@deltatee.com>
    Cc: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c06d74df4ebb9ab3fedcf6d623816944edd206f5
Author: Pavel Shilovsky <pshilov@microsoft.com>
Date:   Thu Jan 19 13:53:15 2017 -0800

    CIFS: Fix splice read for non-cached files
    
    commit 9c25702cee1405099f982894c865c163de7909a8 upstream.
    
    Currently we call copy_page_to_iter() for uncached reading into a pipe.
    This is wrong because it treats pages as VFS cache pages and copies references
    rather than actual data. When we are trying to read from the pipe we end up
    calling page_cache_pipe_buf_confirm() which returns -ENODATA. This error
    is translated into 0 which is returned to a user.
    
    This issue is reproduced by running xfs-tests suite (generic test #249)
    against mount points with "cache=none". Fix it by mapping pages manually
    and calling copy_to_iter() that copies data into the pipe.
    
    Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 24427cd71d2fbef3eeb087e802ff327c18c7275f
Author: Ashok Raj <ashok.raj@intel.com>
Date:   Mon Jan 30 09:39:53 2017 -0800

    iommu/vt-d: Tylersburg isoch identity map check is done too late.
    
    commit 21e722c4c8377b5bc82ad058fed12165af739c1b upstream.
    
    The check to set identity map for tylersburg is done too late. It needs
    to be done before the check for identity_map domain is done.
    
    To: Joerg Roedel <joro@8bytes.org>
    To: David Woodhouse <dwmw2@infradead.org>
    Cc: iommu@lists.linux-foundation.org
    Cc: linux-kernel@vger.kernel.org
    Cc: Ashok Raj <ashok.raj@intel.com>
    
    Fixes: 86080ccc22 ("iommu/vt-d: Allocate si_domain in init_dmars()")
    Signed-off-by: Ashok Raj <ashok.raj@intel.com>
    Reported-by: Yunhong Jiang <yunhong.jiang@intel.com>
    Signed-off-by: Joerg Roedel <jroedel@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 61cb3c6357fd77a2b1af49a9015955b9f82c68d4
Author: CQ Tang <cq.tang@intel.com>
Date:   Mon Jan 30 09:39:52 2017 -0800

    iommu/vt-d: Fix some macros that are incorrectly specified in intel-iommu
    
    commit aaa59306b0b7e0ca4ba92cc04c5db101cbb1c096 upstream.
    
    Some of the macros are incorrect with wrong bit-shifts resulting in picking
    the incorrect invalidation granularity. Incorrect Source-ID in extended
    devtlb invalidation caused device side errors.
    
    To: Joerg Roedel <joro@8bytes.org>
    To: David Woodhouse <dwmw2@infradead.org>
    Cc: iommu@lists.linux-foundation.org
    Cc: linux-kernel@vger.kernel.org
    Cc: CQ Tang <cq.tang@intel.com>
    Cc: Ashok Raj <ashok.raj@intel.com>
    
    Fixes: 2f26e0a9 ("iommu/vt-d: Add basic SVM PASID support")
    Signed-off-by: CQ Tang <cq.tang@intel.com>
    Signed-off-by: Ashok Raj <ashok.raj@intel.com>
    Tested-by: CQ Tang <cq.tang@intel.com>
    Signed-off-by: Joerg Roedel <jroedel@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 84c2697c9cd3c4ed05945d80fdfd4b7e906dd074
Author: Wei Yongjun <weiyongjun1@huawei.com>
Date:   Tue Feb 7 15:51:47 2017 +0000

    tpm_tis: fix the error handling of init_tis()
    
    commit 5939eaf4f9d432586dd2cdeea778506471e8088e upstream.
    
    Add the missing platform_driver_unregister() and remove the duplicate
    platform_device_unregister(force_pdev) in the error handling case.
    
    Fixes: 00194826e6be ("tpm_tis: Clean up the force=1 module parameter")
    Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
    Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
    Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
    Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2f714ba1282aa6f5f0158329a1b2d3858698618c
Author: Leonard Crestez <leonard.crestez@nxp.com>
Date:   Tue Feb 14 17:31:03 2017 +0200

    regulator: Fix regulator_summary for deviceless consumers
    
    commit e42a46b6f52473661ad192f76a128a68fe301df4 upstream.
    
    It is allowed to call regulator_get with a NULL dev argument
    (_regulator_get explicitly checks for it) but this causes an error later
    when printing /sys/kernel/debug/regulator_summary.
    
    Fix this by explicitly handling "deviceless" consumers in the debugfs code.
    
    Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 59cd503c8cfd3f69f8126165b274860bbbd058db
Author: Suzuki K Poulose <suzuki.poulose@arm.com>
Date:   Mon Jan 16 18:00:00 2017 +0000

    coresight: STM: Balance enable/disable
    
    commit 4474f4c40a9c607c7317e686b23619b7b768004f upstream.
    
    The stm is automatically enabled when an application sets the policy
    via ->link() call back by using coresight_enable(), which keeps the
    refcount of the current users of the STM. However, the unlink() callback
    issues stm_disable() directly, which leaves the STM turned off, without
    the coresight layer knowing about it. This prevents any further uses
    of the STM hardware as the coresight layer still thinks the STM is
    turned on and doesn't enable the hardware when required. Even manually
    enabling the STM via sysfs can't really enable the hw.
    
    e.g,
    
     $ echo 1 > $CS_DEVS/$ETR/enable_sink
     $ mkdir -p $CONFIG_FS/stp-policy/$source.0/stm_test/
     $ echo 32768 65535 > $CONFIG_FS/stp-policy/$source.0/stm_test/channels
     $ echo 64 > $CS_DEVS/$source/traceid
     $ ./stm_app
     Sending 64000 byte blocks of pattern 0 at 0us intervals
     Success to map channel(32768~32783) to 0xffffa95fa000
     Sending on channel 32768
     $ dd if=/dev/$ETR of=~/trace.bin.1
     597+1 records in
     597+1 records out
     305920 bytes (306 kB) copied, 0.399952 s, 765 kB/s
     $ ./stm_app
     Sending 64000 byte blocks of pattern 0 at 0us intervals
     Success to map channel(32768~32783) to 0xffff7e9e2000
     Sending on channel 32768
     $ dd if=/dev/$ETR of=~/trace.bin.2
     0+0 records in
     0+0 records out
     0 bytes (0 B) copied, 0.0232083 s, 0.0 kB/s
    
     Note that we don't get any data from the ETR for the second session.
    
     Also dmesg shows :
    
     [   77.520458] coresight-tmc 20800000.etr: TMC-ETR enabled
     [   77.537097] coresight-replicator etr_replicator@20890000: REPLICATOR enabled
     [   77.558828] coresight-replicator main_replicator@208a0000: REPLICATOR enabled
     [   77.581068] coresight-funnel 208c0000.main_funnel: FUNNEL inport 0 enabled
     [   77.602217] coresight-tmc 20840000.etf: TMC-ETF enabled
     [   77.618422] coresight-stm 20860000.stm: STM tracing enabled
     [  139.554252] coresight-stm 20860000.stm: STM tracing disabled
      # End of first tracing session
     [  146.351135] coresight-tmc 20800000.etr: TMC read start
     [  146.514486] coresight-tmc 20800000.etr: TMC read end
      # Note that the STM is not turned on via stm_generic_link()->coresight_enable()
      # and hence none of the components are turned on.
     [  152.479080] coresight-tmc 20800000.etr: TMC read start
     [  152.542632] coresight-tmc 20800000.etr: TMC read end
    
    This patch fixes the problem by balancing the unlink operation by using
    the coresight_disable(), keeping the coresight layer in sync with the
    hardware state and thus allowing normal usage of the STM component.
    
    Fixes: commit 237483aa5cf43 ("coresight: stm: adding driver for CoreSight STM component")
    Cc: Pratik Patel <pratikp@codeaurora.org>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Acked-by: Mathieu Poirier <mathieu.poirier@linaro.org>
    Reviewed-by: Chunyan Zhang <zhang.chunyan@linaro.org>
    Reported-by: Robert Walker <robert.walker@arm.com>
    Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c7472b964d9a1bfabe4953175cdbd5ccf44bc416
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Wed Jan 11 15:53:08 2017 +0100

    staging: rtl: fix possible NULL pointer dereference
    
    commit 6e017006022abfea5d2466cad936065f45763ad1 upstream.
    
    gcc-7 detects that wlanhdr_to_ethhdr() in two drivers calls memcpy() with
    a destination argument that an earlier function call may have set to NULL:
    
    staging/rtl8188eu/core/rtw_recv.c: In function 'wlanhdr_to_ethhdr':
    staging/rtl8188eu/core/rtw_recv.c:1318:2: warning: argument 1 null where non-null expected [-Wnonnull]
    staging/rtl8712/rtl871x_recv.c: In function 'r8712_wlanhdr_to_ethhdr':
    staging/rtl8712/rtl871x_recv.c:649:2: warning: argument 1 null where non-null expected [-Wnonnull]
    
    I'm fixing this by adding a NULL pointer check and returning failure
    from the function, which is hopefully already handled properly.
    
    This seems to date back to when the drivers were originally added,
    so backporting the fix to stable seems appropriate. There are other
    related realtek drivers in the kernel, but none of them contain a
    function with a similar name or produce this warning.
    
    Fixes: 1cc18a22b96b ("staging: r8188eu: Add files for new driver - part 5")
    Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel")
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 148c4526d76e1af4065fac629bff3fcc5019de1c
Author: Oleg Drokin <green@linuxhacker.ru>
Date:   Sun Feb 19 16:35:59 2017 -0500

    staging/lustre/lnet: Fix allocation size for sv_cpt_data
    
    commit dc7ffefdcc28a45214aa707fdc3df6a5e611ba09 upstream.
    
    This is unbreaking another of those "stealth" janitor
    patches that got in and subtly broke some things.
    
    sv_cpt_data is a pointer to pointer, so need to
    dereference it twice to allocate the correct structure size.
    
    Fixes: 9899cb68c6c2 ("Staging: lustre: rpc: Use sizeof type *pointer instead of sizeof type.")
    CC: Sandhya Bankar <bankarsandhya512@gmail.com>
    Signed-off-by: Oleg Drokin <green@linuxhacker.ru>
    Reviewed-by: James Simmons <jsimmons@infradead.org>
    Reviewed-by: Doug Oucharek <doug.s.oucharek@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2893a55e39fcfe3b9f5738584db98848b4957d9f
Author: Johan Hovold <johan@kernel.org>
Date:   Thu Jan 26 12:37:32 2017 +0100

    staging: greybus: loopback: fix broken udelay
    
    commit 33b8807a6fe10d0e675e0704444373a6fad93188 upstream.
    
    The loopback driver allows the user to set a minimum delay of up to one
    second to be inserted between test iterations (i.e. request
    submissions). The delay is currently specified in microseconds and is
    implemented using udelay.
    
    Busy looping for long periods is not just anti-social; udelay must not
    be used for delays longer than a few milliseconds due to the risk of
    integer overflow.
    
    Replace the broken udelay with a usleep_range with a 100 us range for
    short delays (< 20 ms) and otherwise revert to using msleep.
    
    Fixes: b36f04fa9417 ("greybus: loopback: Convert thread delay to microseconds")
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6c95eba9ca104fad6abd758c58b3ac55c44f627d
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Wed Feb 8 14:02:59 2017 -0800

    hwmon: (it87) Ensure that pwm control cache is current before updating values
    
    commit 82dbe987b70042b340f851bdc969a971081e5f02 upstream.
    
    If sensor attributes were never read, the pwm control data has not been
    initiialized, which can cause wrong driver behavior. Ensure that cached
    data is current before acting on it.
    
    Reported-by: Kevin Folz <kfolz@evertz.com>
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4401e4779e2e6edea43f80ba1dc8e25e9bec7abd
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Wed Feb 8 14:07:42 2017 -0800

    hwmon: (it87) Do not overwrite bit 2..6 of pwm control registers
    
    commit 4c7b8ca1ae5ed9e27014732c8a918ba11a86cf09 upstream.
    
    In IT8620E, after setting pwm control to manual, it was observed that
    pwm values for fan 4..6 have reversed results (writing 0 results in fans
    running at full speed, writing 255 results in fans turned off).
    
    With the new PWM control, pwm polarity for pwm control 4..6 is specified
    in its pwm control registers. Those registers are overwritten when setting
    the pwm mode or the temperature mapping. Do not touch bit 2..6 of pwm
    control registers on register writes to fix the problem.
    
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit acb06ff2d5d559c7a934fdb7f841cfc19eb4e4bd
Author: Hui Wang <hui.wang@canonical.com>
Date:   Mon Feb 27 10:11:47 2017 +0800

    ALSA: hda - Fix micmute hotkey problem for a lenovo AIO machine
    
    commit 29693efcea0f38cf40d0055d2401490a4f9bf8be upstream.
    
    On this machine, the micmute button is connected to Line2 of the
    codec and the micmute led is connected to GPIO2 of the codec.
    
    After applying this quirk, both hotkey and led work well.
    
    Signed-off-by: Hui Wang <hui.wang@canonical.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2abe620e01c9a39c3b76dd419f6c0e58fae4b885
Author: Takashi Iwai <tiwai@suse.de>
Date:   Tue Feb 28 17:27:57 2017 +0100

    ALSA: hda - Add subwoofer support for Dell Inspiron 17 7000 Gaming
    
    commit 493de342748cc6f52938096f5480cf291da58a0b upstream.
    
    Dell Inspiron 17 7000 Gaming laptop needs a similar quirk like
    Inspiron 7599 to support its subwoofer speaker.
    
    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=194191
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 09cd5d3479b930f5cde8ed4d66784e724ffcf08c
Author: Takashi Iwai <tiwai@suse.de>
Date:   Tue Feb 28 22:15:51 2017 +0100

    ALSA: seq: Fix link corruption by event error handling
    
    commit f3ac9f737603da80c2da3e84b89e74429836bb6d upstream.
    
    The sequencer FIFO management has a bug that may lead to a corruption
    (shortage) of the cell linked list.  When a sequencer client faces an
    error at the event delivery, it tries to put back the dequeued cell.
    When the first queue was put back, this forgot the tail pointer
    tracking, and the link will be screwed up.
    
    Although there is no memory corruption, the sequencer client may stall
    forever at exit while flushing the pending FIFO cells in
    snd_seq_pool_done(), as spotted by syzkaller.
    
    This patch addresses the missing tail pointer tracking at
    snd_seq_fifo_cell_putback().  Also the patch makes sure to clear the
    cell->enxt pointer at snd_seq_fifo_event_in() for avoiding a similar
    mess-up of the FIFO linked list.
    
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 074f6db61f962e302c83092ac2ee5692f9351454
Author: Takashi Iwai <tiwai@suse.de>
Date:   Tue Feb 28 17:16:48 2017 +0100

    ALSA: ctxfi: Fallback DMA mask to 32bit
    
    commit 15c75b09f8d190f89ab4db463b87d411ca349dfe upstream.
    
    Currently ctxfi driver tries to set only the 64bit DMA mask on 64bit
    architectures, and bails out if it fails.  This causes a problem on
    some platforms since the 64bit DMA isn't always guaranteed.  We should
    fall back to the default 32bit DMA when 64bit DMA fails.
    
    Fixes: 6d74b86d3c0f ("ALSA: ctxfi - Allow 64bit DMA")
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5ac9276dd15f6aeb55e8eb0ecf6e15759ae1f501
Author: Takashi Iwai <tiwai@suse.de>
Date:   Tue Feb 28 14:49:07 2017 +0100

    ALSA: timer: Reject user params with too small ticks
    
    commit 71321eb3f2d0df4e6c327e0b936eec4458a12054 upstream.
    
    When a user sets a too small ticks with a fine-grained timer like
    hrtimer, the kernel tries to fire up the timer irq too frequently.
    This may lead to the condensed locks, eventually the kernel spinlock
    lockup with warnings.
    
    For avoiding such a situation, we define a lower limit of the
    resolution, namely 1ms.  When the user passes a too small tick value
    that results in less than that, the kernel returns -EINVAL now.
    
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 51ce9867c2efd422519edb92e6d4ea5276b3f283
Author: Jaroslav Kysela <perex@perex.cz>
Date:   Wed Feb 15 17:09:42 2017 +0100

    ALSA: hda - fix Lewisburg audio issue
    
    commit e7480b34ad1ab84a63540b2c884cb92c0764ab74 upstream.
    
    Like for Sunrise Point, the total stream number of Lewisburg's
    input and output stream exceeds 15 (GCAP is 0x9701), which will
    cause some streams do not work because of the overflow on
    SDxCTL.STRM field if using the legacy stream tag allocation method.
    
    Fixes: 5cf92c8b3dc5 ("ALSA: hda - Add Intel Lewisburg device IDs Audio")
    Signed-off-by: Jaroslav Kysela <perex@perex.cz>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ebc3e95502aa9feebe1fd021b6d3c44dd27ecb48
Author: Kai-Heng Feng <kai.heng.feng@canonical.com>
Date:   Thu Feb 16 15:26:54 2017 +0800

    ALSA: hda/realtek - Cannot adjust speaker's volume on a Dell AIO
    
    commit 9f1bc2c4c58fcb2d86e0e26437dc8f3a18ac3276 upstream.
    
    The issue is the same as "dd9aa335c880 ALSA: hda/realtek - Can't adjust
    speaker's volume on a Dell AIO", the output requires to connect to a node
    with Amp-out capability.
    
    Applying the same fixup "ALC298_FIXUP_SPK_VOLUME" can fix the issue.
    
    Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9971863fdd623da5df091159cc889ea101b68202
Author: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Date:   Thu Jan 19 23:05:39 2017 +0100

    ARM: dts: at91: Enable DMA on sama5d2_xplained console
    
    commit 78162d48466d23c45a784034630c5928af631e3d upstream.
    
    Enable DMA on uart1 to get a more reliable console.
    
    Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f9a1949f8ff308d4320a44aa995c7f16ab40cf7f
Author: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Date:   Thu Jan 19 01:46:58 2017 +0100

    ARM: dts: at91: Enable DMA on sama5d4_xplained console
    
    commit ef8d02d4a2c36f7a93e74c95a9c419353b310117 upstream.
    
    Enable DMA on usart3 to get a more reliable console. This is especially
    useful for automation and kernelci were a kernel with PROVE_LOCKING enabled
    is quite susceptible to character loss, resulting in tests failure.
    
    Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 37e70c4de51bf80123292f175dfce6b19af9c5d8
Author: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Date:   Tue Oct 25 11:37:58 2016 +0200

    ARM: at91: define LPDDR types
    
    commit e3f0a4017c2143b4b813df6a93e8cf79e3f76936 upstream.
    
    The Atmel MPDDR controller support LPDDR2 and LPDDR3 memories, add their
    types.
    
    Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
    Signed-off-by: Sebastian Reichel <sre@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 404950add4ce0bfb95346a8233f5daba7fad8a54
Author: Andi Shyti <andi.shyti@samsung.com>
Date:   Fri Feb 10 11:20:19 2017 +0900

    spi: s3c64xx: fix inconsistency between binding and driver
    
    commit 379f831a927817c130a62e3ca0082ae685557324 upstream.
    
    Commit a92e7c3d82a1 ("spi: s3c64xx: consider the case when the CS
    line is not connected") introduced an inconsistency between the
    binding, where the disconnected CS line was marked as
    'no-cs-readback', and the driver.
    
    The driver is erroneously checking for that attribute with
    property name of 'broken-cs'.
    
    Check for 'no-cs-readback' in the driver as well.
    
    Fixes: a92e7c3d82a1 ("spi: s3c64xx: consider the case when the CS line is not connected")
    Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
    Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit da1e40237f8f3516581b534c484c236a79ccfd14
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Wed Jan 11 21:50:46 2017 -0500

    ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea()
    
    commit c755e251357a0cee0679081f08c3f4ba797a8009 upstream.
    
    The xattr_sem deadlock problems fixed in commit 2e81a4eeedca: "ext4:
    avoid deadlock when expanding inode size" didn't include the use of
    xattr_sem in fs/ext4/inline.c.  With the addition of project quota
    which added a new extra inode field, this exposed deadlocks in the
    inline_data code similar to the ones fixed by 2e81a4eeedca.
    
    The deadlock can be reproduced via:
    
       dmesg -n 7
       mke2fs -t ext4 -O inline_data -Fq -I 256 /dev/vdc 32768
       mount -t ext4 -o debug_want_extra_isize=24 /dev/vdc /vdc
       mkdir /vdc/a
       umount /vdc
       mount -t ext4 /dev/vdc /vdc
       echo foo > /vdc/a/foo
    
    and looks like this:
    
    [   11.158815]
    [   11.160276] =============================================
    [   11.161960] [ INFO: possible recursive locking detected ]
    [   11.161960] 4.10.0-rc3-00015-g011b30a8a3cf #160 Tainted: G        W
    [   11.161960] ---------------------------------------------
    [   11.161960] bash/2519 is trying to acquire lock:
    [   11.161960]  (&ei->xattr_sem){++++..}, at: [<c1225a4b>] ext4_expand_extra_isize_ea+0x3d/0x4cd
    [   11.161960]
    [   11.161960] but task is already holding lock:
    [   11.161960]  (&ei->xattr_sem){++++..}, at: [<c1227941>] ext4_try_add_inline_entry+0x3a/0x152
    [   11.161960]
    [   11.161960] other info that might help us debug this:
    [   11.161960]  Possible unsafe locking scenario:
    [   11.161960]
    [   11.161960]        CPU0
    [   11.161960]        ----
    [   11.161960]   lock(&ei->xattr_sem);
    [   11.161960]   lock(&ei->xattr_sem);
    [   11.161960]
    [   11.161960]  *** DEADLOCK ***
    [   11.161960]
    [   11.161960]  May be due to missing lock nesting notation
    [   11.161960]
    [   11.161960] 4 locks held by bash/2519:
    [   11.161960]  #0:  (sb_writers#3){.+.+.+}, at: [<c11a2414>] mnt_want_write+0x1e/0x3e
    [   11.161960]  #1:  (&type->i_mutex_dir_key){++++++}, at: [<c119508b>] path_openat+0x338/0x67a
    [   11.161960]  #2:  (jbd2_handle){++++..}, at: [<c123314a>] start_this_handle+0x582/0x622
    [   11.161960]  #3:  (&ei->xattr_sem){++++..}, at: [<c1227941>] ext4_try_add_inline_entry+0x3a/0x152
    [   11.161960]
    [   11.161960] stack backtrace:
    [   11.161960] CPU: 0 PID: 2519 Comm: bash Tainted: G        W       4.10.0-rc3-00015-g011b30a8a3cf #160
    [   11.161960] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1 04/01/2014
    [   11.161960] Call Trace:
    [   11.161960]  dump_stack+0x72/0xa3
    [   11.161960]  __lock_acquire+0xb7c/0xcb9
    [   11.161960]  ? kvm_clock_read+0x1f/0x29
    [   11.161960]  ? __lock_is_held+0x36/0x66
    [   11.161960]  ? __lock_is_held+0x36/0x66
    [   11.161960]  lock_acquire+0x106/0x18a
    [   11.161960]  ? ext4_expand_extra_isize_ea+0x3d/0x4cd
    [   11.161960]  down_write+0x39/0x72
    [   11.161960]  ? ext4_expand_extra_isize_ea+0x3d/0x4cd
    [   11.161960]  ext4_expand_extra_isize_ea+0x3d/0x4cd
    [   11.161960]  ? _raw_read_unlock+0x22/0x2c
    [   11.161960]  ? jbd2_journal_extend+0x1e2/0x262
    [   11.161960]  ? __ext4_journal_get_write_access+0x3d/0x60
    [   11.161960]  ext4_mark_inode_dirty+0x17d/0x26d
    [   11.161960]  ? ext4_add_dirent_to_inline.isra.12+0xa5/0xb2
    [   11.161960]  ext4_add_dirent_to_inline.isra.12+0xa5/0xb2
    [   11.161960]  ext4_try_add_inline_entry+0x69/0x152
    [   11.161960]  ext4_add_entry+0xa3/0x848
    [   11.161960]  ? __brelse+0x14/0x2f
    [   11.161960]  ? _raw_spin_unlock_irqrestore+0x44/0x4f
    [   11.161960]  ext4_add_nondir+0x17/0x5b
    [   11.161960]  ext4_create+0xcf/0x133
    [   11.161960]  ? ext4_mknod+0x12f/0x12f
    [   11.161960]  lookup_open+0x39e/0x3fb
    [   11.161960]  ? __wake_up+0x1a/0x40
    [   11.161960]  ? lock_acquire+0x11e/0x18a
    [   11.161960]  path_openat+0x35c/0x67a
    [   11.161960]  ? sched_clock_cpu+0xd7/0xf2
    [   11.161960]  do_filp_open+0x36/0x7c
    [   11.161960]  ? _raw_spin_unlock+0x22/0x2c
    [   11.161960]  ? __alloc_fd+0x169/0x173
    [   11.161960]  do_sys_open+0x59/0xcc
    [   11.161960]  SyS_open+0x1d/0x1f
    [   11.161960]  do_int80_syscall_32+0x4f/0x61
    [   11.161960]  entry_INT80_32+0x2f/0x2f
    [   11.161960] EIP: 0xb76ad469
    [   11.161960] EFLAGS: 00000286 CPU: 0
    [   11.161960] EAX: ffffffda EBX: 08168ac8 ECX: 00008241 EDX: 000001b6
    [   11.161960] ESI: b75e46bc EDI: b7755000 EBP: bfbdb108 ESP: bfbdafc0
    [   11.161960]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b
    
    Reported-by: George Spelvin <linux@sciencehorizons.net>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 719f1765b02c6a65eff5db3765c87444a1156cb9
Author: Sakari Ailus <sakari.ailus@linux.intel.com>
Date:   Mon Jan 2 08:32:47 2017 -0200

    media: Properly pass through media entity types in entity enumeration
    
    commit 98d85f3cb912fde14593ead54dea4c1a00b3966f upstream.
    
    When the functions replaced media entity types, the range which was
    allowed for the types was incorrect. This meant that media entity types
    for specific devices were not passed correctly to the userspace through
    MEDIA_IOC_ENUM_ENTITIES. Fix it.
    
    Fixes: commit b2cd27448b33 ("[media] media-device: map new functions into old types for legacy API")
    Reported-and-tested-by: Antti Laakso <antti.laakso@intel.com>
    
    Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
    Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ce1e60b492144b1d5ae0f67b781459325de0e884
Author: Sean Young <sean@mess.org>
Date:   Fri Dec 2 15:16:08 2016 -0200

    lirc_dev: LIRC_{G,S}ET_REC_MODE do not work
    
    commit bd291208d7f5d6b2d6a033fee449a429230b06df upstream.
    
    Since "273b902 [media] lirc_dev: use LIRC_CAN_REC() define" these
    ioctls no longer work.
    
    Signed-off-by: Sean Young <sean@mess.org>
    Reviewed-by: Andi Shyti <andi.shyti@samsung.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 238442c2b535ef39be70f54904a8882dfd0349ca
Author: Antti Palosaari <crope@iki.fi>
Date:   Mon Jan 16 19:27:41 2017 -0200

    cxd2820r: fix gpio null pointer dereference
    
    commit 0ffb94b6cc5df6376ab6bff5b80075641f6716f8 upstream.
    
    Setting GPIOs during probe causes null pointer deference when
    GPIOLIB was not selected by Kconfig. Initialize driver private
    field before calling set gpios.
    
    It is regressing bug since 4.9.
    
    Fixes: 07fdf7d9f19f ("[media] cxd2820r: add I2C driver bindings")
    
    Reported-by: Chris Rankin <rankincj@gmail.com>
    Tested-by: Chris Rankin <rankincj@gmail.com>
    Tested-by: Håkan Lennestål <hakan.lennestal@gmail.com>
    Signed-off-by: Antti Palosaari <crope@iki.fi>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7e5b7798d0c8021d5d9b7a9e7bd404c6bcbbd011
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Sat Jan 7 23:08:49 2017 -0200

    media: fix dm1105.c build error
    
    commit e3bb3cddd177550d63a3e4909cf1a7782f13414d upstream.
    
    Fix dm1105 build error when CONFIG_I2C_ALGOBIT=m and
    CONFIG_DVB_DM1105=y.
    
    drivers/built-in.o: In function `dm1105_probe':
    dm1105.c:(.text+0x2836e7): undefined reference to `i2c_bit_add_bus'
    
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Reported-by: kbuild test robot <fengguang.wu@intel.com>
    Cc: Javier Martinez Canillas <javier@osg.samsung.com>
    Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 02789ccd59ec10fe407cf5803e4fb081a5c14fa7
Author: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Date:   Mon Dec 12 09:16:51 2016 -0200

    uvcvideo: Fix a wrong macro
    
    commit 17c341ec0115837a610b2da15e32546e26068234 upstream.
    
    Don't mix up UVC_BUF_STATE_* and VB2_BUF_STATE_* codes.
    
    Fixes: 6998b6fb4b1c ("[media] uvcvideo: Use videobuf2-vmalloc")
    
    Signed-off-by: Guennadi Liakhovetski <guennadi.liakhovetski@intel.com>
    Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d6b88a09cc2291aa3fac1e6eefd479398c1d8793
Author: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Date:   Tue Dec 27 16:02:36 2016 -0200

    am437x-vpfe: always assign bpp variable
    
    commit 6ebf75774f823ddbdbd10921006989d4df222f4a upstream.
    
    In vpfe_s_fmt(), when the sensor format and the requested format were
    the same, bpp was assigned to vpfe->bpp without being initialized first.
    
    Grab the bpp value that is currently used by using __vpfe_get_format()
    instead of its wrapper, vpfe_try_fmt().
    
    This use of uninitialized variable has been found by compiling the
    kernel with clang.
    
    Fixes: 417d2e507edc ("[media] media: platform: add VPFE capture driver
    support for AM437X")
    
    Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
    Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 80bbadbc42f912b43fd6664e834ba16c9dd28889
Author: Zhang Rui <rui.zhang@intel.com>
Date:   Wed Jan 18 17:46:18 2017 +0800

    mmc: sdhci-acpi: support deferred probe
    
    commit e28d6f048799acb0014491e6b74e580d84bd7916 upstream.
    
    With commit 67bf5156edc4 ("gpio / ACPI: fix returned error from
    acpi_dev_gpio_irq_get()"), mmc_gpiod_request_cd() returns -EPROBE_DEFER if
    GPIO is not ready when sdhci-acpi driver is probed, and sdhci-acpi driver
    should be probed again later in this case.
    
    This fixes an order issue when both GPIO and sdhci-acpi drivers are built
    as modules.
    
    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=177101
    Tested-by: Jonas Aaberg <cja@gmx.net>
    Signed-off-by: Zhang Rui <rui.zhang@intel.com>
    Acked-by: Adrian Hunter <adrian.hunter@intel.com>
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8d06cbd365e1fccb5b84bb8146d9bf30c2a55f4a
Author: Paul Burton <paul.burton@imgtec.com>
Date:   Mon Nov 7 15:07:07 2016 +0000

    MIPS: Handle microMIPS jumps in the same way as MIPS32/MIPS64 jumps
    
    commit 096a0de427ea333f56f0ee00328cff2a2731bcf1 upstream.
    
    is_jump_ins() checks for plain jump ("j") instructions since commit
    e7438c4b893e ("MIPS: Fix sibling call handling in get_frame_info") but
    that commit didn't make the same change to the microMIPS code, leaving
    it inconsistent with the MIPS32/MIPS64 code. Handle the microMIPS
    encoding of the jump instruction too such that it behaves consistently.
    
    Signed-off-by: Paul Burton <paul.burton@imgtec.com>
    Fixes: e7438c4b893e ("MIPS: Fix sibling call handling in get_frame_info")
    Cc: Tony Wu <tung7970@gmail.com>
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/14533/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 209ad1941daafab4255990c3b885cf184a05d72e
Author: Paul Burton <paul.burton@imgtec.com>
Date:   Mon Nov 7 15:07:06 2016 +0000

    MIPS: Calculate microMIPS ra properly when unwinding the stack
    
    commit bb9bc4689b9c635714fbcd5d335bad9934a7ebfc upstream.
    
    get_frame_info() calculates the offset of the return address within a
    stack frame simply by dividing a the bottom 16 bits of the instruction,
    treated as a signed integer, by the size of a long. Whilst this works
    for MIPS32 & MIPS64 ISAs where the sw or sd instructions are used, it's
    incorrect for microMIPS where encodings differ. The result is that we
    typically completely fail to unwind the stack on microMIPS.
    
    Fix this by adjusting is_ra_save_ins() to calculate the return address
    offset, and take into account the various different encodings there in
    the same place as we consider whether an instruction is storing the
    ra/$31 register.
    
    With this we are now able to unwind the stack for kernels targetting the
    microMIPS ISA, for example we can produce:
    
        Call Trace:
        [<80109e1f>] show_stack+0x63/0x7c
        [<8011ea17>] __warn+0x9b/0xac
        [<8011ea45>] warn_slowpath_fmt+0x1d/0x20
        [<8013fe53>] register_console+0x43/0x314
        [<8067c58d>] of_setup_earlycon+0x1dd/0x1ec
        [<8067f63f>] early_init_dt_scan_chosen_stdout+0xe7/0xf8
        [<8066c115>] do_early_param+0x75/0xac
        [<801302f9>] parse_args+0x1dd/0x308
        [<8066c459>] parse_early_options+0x25/0x28
        [<8066c48b>] parse_early_param+0x2f/0x38
        [<8066e8cf>] setup_arch+0x113/0x488
        [<8066c4f3>] start_kernel+0x57/0x328
        ---[ end trace 0000000000000000 ]---
    
    Whereas previously we only produced:
    
        Call Trace:
        [<80109e1f>] show_stack+0x63/0x7c
        ---[ end trace 0000000000000000 ]---
    
    Signed-off-by: Paul Burton <paul.burton@imgtec.com>
    Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.")
    Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/14532/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b14e085086245a829a87f6cc44c996333c641390
Author: Paul Burton <paul.burton@imgtec.com>
Date:   Mon Nov 7 15:07:05 2016 +0000

    MIPS: Fix is_jump_ins() handling of 16b microMIPS instructions
    
    commit 67c75057709a6d85c681c78b9b2f9b71191f01a2 upstream.
    
    is_jump_ins() checks 16b instruction fields without verifying that the
    instruction is indeed 16b, as is done by is_ra_save_ins() &
    is_sp_move_ins(). Add the appropriate check.
    
    Signed-off-by: Paul Burton <paul.burton@imgtec.com>
    Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.")
    Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/14531/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b0b4eb58c5efe31c5dbd8fc771b43bb13bf84430
Author: Paul Burton <paul.burton@imgtec.com>
Date:   Mon Nov 7 15:07:04 2016 +0000

    MIPS: Fix get_frame_info() handling of microMIPS function size
    
    commit b6c7a324df37bf05ef7a2c1580683cf10d082d97 upstream.
    
    get_frame_info() is meant to iterate over up to the first 128
    instructions within a function, but for microMIPS kernels it will not
    reach that many instructions unless the function is 512 bytes long since
    we calculate the maximum number of instructions to check by dividing the
    function length by the 4 byte size of a union mips_instruction. In
    microMIPS kernels this won't do since instructions are variable length.
    
    Fix this by instead checking whether the pointer to the current
    instruction has reached the end of the function, and use max_insns as a
    simple constant to check the number of iterations against.
    
    Signed-off-by: Paul Burton <paul.burton@imgtec.com>
    Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.")
    Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/14530/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ce449cbdcff78a383741bc79d66f2779a556735b
Author: Paul Burton <paul.burton@imgtec.com>
Date:   Mon Nov 7 15:07:03 2016 +0000

    MIPS: Prevent unaligned accesses during stack unwinding
    
    commit a3552dace7d1d0cabf573e88fc3025cb90c4a601 upstream.
    
    During stack unwinding we call a number of functions to determine what
    type of instruction we're looking at. The union mips_instruction pointer
    provided to them may be pointing at a 2 byte, but not 4 byte, aligned
    address & we thus cannot directly access the 4 byte wide members of the
    union mips_instruction. To avoid this is_ra_save_ins() copies the
    required half-words of the microMIPS instruction to a correctly aligned
    union mips_instruction on the stack, which it can then access safely.
    The is_jump_ins() & is_sp_move_ins() functions do not correctly perform
    this temporary copy, and instead attempt to directly dereference 4 byte
    fields which may be misaligned and lead to an address exception.
    
    Fix this by copying the instruction halfwords to a temporary union
    mips_instruction in get_frame_info() such that we can provide a 4 byte
    aligned union mips_instruction to the is_*_ins() functions and they do
    not need to deal with misalignment themselves.
    
    Signed-off-by: Paul Burton <paul.burton@imgtec.com>
    Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.")
    Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/14529/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d0eae5bbd1c3361659c3c0e349c14123f0aaba81
Author: Paul Burton <paul.burton@imgtec.com>
Date:   Mon Nov 7 15:07:02 2016 +0000

    MIPS: Clear ISA bit correctly in get_frame_info()
    
    commit ccaf7caf2c73c6db920772bf08bf1d47b2170634 upstream.
    
    get_frame_info() can be called in microMIPS kernels with the ISA bit
    already clear. For example this happens when unwind_stack_by_address()
    is called because we begin with a PC that has the ISA bit set & subtract
    the (odd) offset from the preceding symbol (which does not have the ISA
    bit set). Since get_frame_info() unconditionally subtracts 1 from the PC
    in microMIPS kernels it incorrectly misaligns the address it then
    attempts to access code at, leading to an address error exception.
    
    Fix this by using msk_isa16_mode() to clear the ISA bit, which allows
    get_frame_info() to function regardless of whether it is provided with a
    PC that has the ISA bit set or not.
    
    Signed-off-by: Paul Burton <paul.burton@imgtec.com>
    Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.")
    Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/14528/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3660e62cfce7a1db86fe330dadb92db59d0bc039
Author: Felix Fietkau <nbd@nbd.name>
Date:   Thu Jan 19 14:20:09 2017 +0100

    MIPS: Lantiq: Keep ethernet enabled during boot
    
    commit 774f0c6419bb8f9d83901d33582c7fe3ba6a6cb3 upstream.
    
    Disabling ethernet during reboot (only to enable it again when the
    ethernet driver attaches) can put the chip into a faulty state where it
    corrupts the header of all incoming packets.
    
    This happens if packets arrive during the time window where the core is
    disabled, and it can be easily reproduced by rebooting while sending a
    flood ping to the broadcast address.
    
    Fixes: 95135bfa7ead ("MIPS: Lantiq: Deactivate most of the devices by default")
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Acked-by: John Crispin <john@phrozen.org>
    Cc: hauke.mehrtens@lantiq.com
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/15078/
    Signed-off-by: James Hogan <james.hogan@imgtec.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6f35f1fc14b6188483f993ca989de4b0c85a5b1a
Author: James Cowgill <James.Cowgill@imgtec.com>
Date:   Mon Jan 9 16:52:28 2017 +0000

    MIPS: OCTEON: Fix copy_from_user fault handling for large buffers
    
    commit 884b426917e4b3c85f33b382c792a94305dfdd62 upstream.
    
    If copy_from_user is called with a large buffer (>= 128 bytes) and the
    userspace buffer refers partially to unreadable memory, then it is
    possible for Octeon's copy_from_user to report the wrong number of bytes
    have been copied. In the case where the buffer size is an exact multiple
    of 128 and the fault occurs in the last 64 bytes, copy_from_user will
    report that all the bytes were copied successfully but leave some
    garbage in the destination buffer.
    
    The bug is in the main __copy_user_common loop in octeon-memcpy.S where
    in the middle of the loop, src and dst are incremented by 128 bytes. The
    l_exc_copy fault handler is used after this but that assumes that
    "src < THREAD_BUADDR($28)". This is not the case if src has already been
    incremented.
    
    Fix by adding an extra fault handler which rewinds the src and dst
    pointers 128 bytes before falling though to l_exc_copy.
    
    Thanks to the pwritev test from the strace test suite for originally
    highlighting this bug!
    
    Fixes: 5b3b16880f40 ("MIPS: Add Cavium OCTEON processor support ...")
    Signed-off-by: James Cowgill <James.Cowgill@imgtec.com>
    Acked-by: David Daney <david.daney@cavium.com>
    Reviewed-by: James Hogan <james.hogan@imgtec.com>
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/14978/
    Signed-off-by: James Hogan <james.hogan@imgtec.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ef9e73be031aa4998617a6e11581904687132e5e
Author: Mirko Parthey <mirko.parthey@web.de>
Date:   Wed Feb 15 23:31:30 2017 +0100

    MIPS: BCM47XX: Fix button inversion for Asus WL-500W
    
    commit bdfdaf1a016ef09cb941f2edad485a713510b8d5 upstream.
    
    The Asus WL-500W buttons are active high, but the software treats them
    as active low. Fix the inverted logic.
    
    Fixes: 3be972556fa1 ("MIPS: BCM47XX: Import buttons database from OpenWrt")
    Signed-off-by: Mirko Parthey <mirko.parthey@web.de>
    Acked-by: Rafał Miłecki <rafal@milecki.pl>
    Cc: Hauke Mehrtens <hauke@hauke-m.de>
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/15295/
    Signed-off-by: James Hogan <james.hogan@imgtec.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ef674c5eb8da4ecb028a2a670b0bb1eec9eed004
Author: Ralf Baechle <ralf@linux-mips.org>
Date:   Thu Jan 26 02:16:47 2017 +0100

    MIPS: Fix special case in 64 bit IP checksumming.
    
    commit 66fd848cadaa6be974a8c780fbeb328f0af4d3bd upstream.
    
    For certain arguments such as saddr = 0xc0a8fd60, daddr = 0xc0a8fda1,
    len = 80, proto = 17, sum = 0x7eae049d there will be a carry when
    folding the intermediate 64 bit checksum to 32 bit but the code doesn't
    add the carry back to the one's complement sum, thus an incorrect result
    will be generated.
    
    Reported-by: Mark Zhang <bomb.zhang@gmail.com>
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Reviewed-by: James Hogan <james.hogan@imgtec.com>
    Signed-off-by: James Hogan <james.hogan@imgtec.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a8af2054e98548e8515f5d7d5409bd50dcd77e82
Author: Purna Chandra Mandal <purna.mandal@microchip.com>
Date:   Thu Jun 2 14:51:42 2016 +0530

    MIPS: pic32mzda: Fix linker error for pic32_get_pbclk()
    
    commit a726f1d2dd4fee179aa4513176d688ad309de6cc upstream.
    
    Early clock API pic32_get_pbclk() is defined in early_clk.c and used by
    time.c and early_console.c. When CONFIG_EARLY_PRINTK isn't set,
    early_clk.c isn't compiled and time.c fails to link.
    
    Fix it by compiling early_clk.c always. Also sort files in alphabetical
    order.
    
    Fixes: 6e4ad1b41360 ("MIPS: pic32mzda: fix getting timer clock rate.")
    Reported-by: Harvey Hunt <harvey.hunt@imgtec.com>
    Signed-off-by: Purna Chandra Mandal <purna.mandal@microchip.com>
    Reviewed-by: Harvey Hunt <harvey.hunt@imgtec.com>
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Cc: Joshua Henderson <digitalpeer@digitalpeer.com>
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/13383/
    Signed-off-by: James Hogan <james.hogan@imgtec.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>