--- /dev/null
+From 064c3db9c564cc5be514ac21fb4aa26cc33db746 Mon Sep 17 00:00:00 2001
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Date: Mon, 12 Dec 2016 23:13:27 +0530
+Subject: ata: sata_mv:- Handle return value of devm_ioremap.
+
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+
+commit 064c3db9c564cc5be514ac21fb4aa26cc33db746 upstream.
+
+Here, If devm_ioremap will fail. It will return NULL.
+Then hpriv->base = NULL - 0x20000; Kernel can run into
+a NULL-pointer dereference. This error check will avoid
+NULL pointer dereference.
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/sata_mv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/ata/sata_mv.c
++++ b/drivers/ata/sata_mv.c
+@@ -4132,6 +4132,9 @@ static int mv_platform_probe(struct plat
+ host->iomap = NULL;
+ hpriv->base = devm_ioremap(&pdev->dev, res->start,
+ resource_size(res));
++ if (!hpriv->base)
++ return -ENOMEM;
++
+ hpriv->base -= SATAHC0_REG_BASE;
+
+ hpriv->clk = clk_get(&pdev->dev, NULL);
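Review bot: The new `if (!hpriv->base)` test only works because it sits before `hpriv->base -= SATAHC0_REG_BASE;`, and nothing on the added lines says so. Once the offset has been subtracted, a failed mapping is no longer NULL, so a later reorder would silently turn the check into dead code. A one-line comment above the check, such as `/* test before the SATAHC0_REG_BASE adjustment: a failed mapping is not NULL afterwards */`, would keep that ordering visible. mv_platform_probe() starts and ends outside the hunk, so whether anything acquired earlier needs unwinding on this return cannot be confirmed from here.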
--- /dev/null
+From e0edc8c546463f268d41d064d855bcff994c52fa Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Fri, 6 Jan 2017 11:48:50 -0500
+Subject: libata: apply MAX_SEC_1024 to all CX1-JB*-HP devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tejun Heo <tj@kernel.org>
+
+commit e0edc8c546463f268d41d064d855bcff994c52fa upstream.
+
+Marko reports that CX1-JB512-HP shows the same timeout issues as
+CX1-JB256-HP. Let's apply MAX_SEC_128 to all devices in the series.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Marko Koski-Vähälä <marko@koski-vahala.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libata-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4316,10 +4316,10 @@ static const struct ata_blacklist_entry
+ { "ST380013AS", "3.20", ATA_HORKAGE_MAX_SEC_1024 },
+
+ /*
+- * Device times out with higher max sects.
++ * These devices time out with higher max sects.
+ * https://bugzilla.kernel.org/show_bug.cgi?id=121671
+ */
+- { "LITEON CX1-JB256-HP", NULL, ATA_HORKAGE_MAX_SEC_1024 },
++ { "LITEON CX1-JB*-HP", NULL, ATA_HORKAGE_MAX_SEC_1024 },
+
+ /* Devices we expect to fail diagnostics */
+
--- /dev/null
+From 2dae99558e86894e9e5dbf097477baaa5eb70134 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <damien.lemoal@wdc.com>
+Date: Mon, 19 Dec 2016 10:17:40 +0900
+Subject: libata: Fix ATA request sense
+
+From: Damien Le Moal <damien.lemoal@wdc.com>
+
+commit 2dae99558e86894e9e5dbf097477baaa5eb70134 upstream.
+
+For an ATA device supporting the sense data reporting feature set, a
+failed command will trigger the execution of ata_eh_request_sense if
+the result task file of the failed command has the ATA_SENSE bit set
+(sense data available bit). ata_eh_request_sense executes the REQUEST
+SENSE DATA EXT command to retrieve the sense data of the failed
+command. On success of REQUEST SENSE DATA EXT, the ATA_SENSE bit will
+NOT be set (the command succeeded) but ata_eh_request_sense
+nevertheless tests the availability of sense data by testing that bit
+presence in the result tf of the REQUEST SENSE DATA EXT command. This
+leads us to falsely assume that request sense data failed and to the
+warning message:
+
+atax.xx: request sense failed stat 50 emask 0
+
+Upon success of REQUEST SENSE DATA EXT, set the ATA_SENSE bit in the
+result task file command so that sense data can be returned by
+ata_eh_request_sense.
+
+Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libata-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -1695,6 +1695,8 @@ unsigned ata_exec_internal_sg(struct ata
+
+ if (qc->err_mask & ~AC_ERR_OTHER)
+ qc->err_mask &= ~AC_ERR_OTHER;
++ } else if (qc->tf.command == ATA_CMD_REQ_SENSE_DATA) {
++ qc->result_tf.command |= ATA_SENSE;
+ }
+
+ /* finish up */
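Review bot: The added `else if` branch sets ATA_SENSE in `qc->result_tf.command` although the device did not report it, and the hunk carries no comment saying why. The commit message explains that ata_eh_request_sense tests this bit after a successful REQUEST SENSE DATA EXT, but a reader of ata_exec_internal_sg() sees only a status bit being synthesized. I would add `/* REQUEST SENSE DATA EXT succeeded: mark sense data available for ata_eh_request_sense() */` inside the branch. The `if` this branch pairs with begins above the hunk, so the exact condition under which it runs is not visible here.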
--- /dev/null
+From d19fb70dd68c4e960e2ac09b0b9c79dfdeefa726 Mon Sep 17 00:00:00 2001
+From: Kinglong Mee <kinglongmee@gmail.com>
+Date: Wed, 18 Jan 2017 19:04:42 +0800
+Subject: NFSD: Fix a null reference case in find_or_create_lock_stateid()
+
+From: Kinglong Mee <kinglongmee@gmail.com>
+
+commit d19fb70dd68c4e960e2ac09b0b9c79dfdeefa726 upstream.
+
+nfsd assigns the nfs4_free_lock_stateid to .sc_free in init_lock_stateid().
+
+If nfsd doesn't go through init_lock_stateid() and put stateid at end,
+there is a NULL reference to .sc_free when calling nfs4_put_stid(ns).
+
+This patch let the nfs4_stid.sc_free assignment to nfs4_alloc_stid().
+
+Fixes: 356a95ece7aa "nfsd: clean up races in lock stateid searching..."
+Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4layouts.c | 5 +++--
+ fs/nfsd/nfs4state.c | 19 ++++++++-----------
+ fs/nfsd/state.h | 4 ++--
+ 3 files changed, 13 insertions(+), 15 deletions(-)
+
+--- a/fs/nfsd/nfs4layouts.c
++++ b/fs/nfsd/nfs4layouts.c
+@@ -223,10 +223,11 @@ nfsd4_alloc_layout_stateid(struct nfsd4_
+ struct nfs4_layout_stateid *ls;
+ struct nfs4_stid *stp;
+
+- stp = nfs4_alloc_stid(cstate->clp, nfs4_layout_stateid_cache);
++ stp = nfs4_alloc_stid(cstate->clp, nfs4_layout_stateid_cache,
++ nfsd4_free_layout_stateid);
+ if (!stp)
+ return NULL;
+- stp->sc_free = nfsd4_free_layout_stateid;
++
+ get_nfs4_file(fp);
+ stp->sc_file = fp;
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -633,8 +633,8 @@ out:
+ return co;
+ }
+
+-struct nfs4_stid *nfs4_alloc_stid(struct nfs4_client *cl,
+- struct kmem_cache *slab)
++struct nfs4_stid *nfs4_alloc_stid(struct nfs4_client *cl, struct kmem_cache *slab,
++ void (*sc_free)(struct nfs4_stid *))
+ {
+ struct nfs4_stid *stid;
+ int new_id;
+@@ -650,6 +650,8 @@ struct nfs4_stid *nfs4_alloc_stid(struct
+ idr_preload_end();
+ if (new_id < 0)
+ goto out_free;
++
++ stid->sc_free = sc_free;
+ stid->sc_client = cl;
+ stid->sc_stateid.si_opaque.so_id = new_id;
+ stid->sc_stateid.si_opaque.so_clid = cl->cl_clientid;
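Review bot: nfs4_alloc_stid() stores the caller's callback unchecked at `stid->sc_free = sc_free;`, so a caller passing NULL would bring back the NULL call in nfs4_put_stid() that the commit message describes. Every call site in this patch passes a real function, so this is a contract to write down rather than a live bug. A comment on the definition and on the prototype in fs/nfsd/state.h, along the lines of `/* @sc_free: release callback, must not be NULL; used by nfs4_put_stid() */`, would do. If enforcement is preferred, `if (WARN_ON_ONCE(!sc_free)) return NULL;` at the top of the function covers it. The function body begins and ends outside this hunk.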
+@@ -675,15 +677,12 @@ out_free:
+ static struct nfs4_ol_stateid * nfs4_alloc_open_stateid(struct nfs4_client *clp)
+ {
+ struct nfs4_stid *stid;
+- struct nfs4_ol_stateid *stp;
+
+- stid = nfs4_alloc_stid(clp, stateid_slab);
++ stid = nfs4_alloc_stid(clp, stateid_slab, nfs4_free_ol_stateid);
+ if (!stid)
+ return NULL;
+
+- stp = openlockstateid(stid);
+- stp->st_stid.sc_free = nfs4_free_ol_stateid;
+- return stp;
++ return openlockstateid(stid);
+ }
+
+ static void nfs4_free_deleg(struct nfs4_stid *stid)
+@@ -781,11 +780,10 @@ alloc_init_deleg(struct nfs4_client *clp
+ goto out_dec;
+ if (delegation_blocked(¤t_fh->fh_handle))
+ goto out_dec;
+- dp = delegstateid(nfs4_alloc_stid(clp, deleg_slab));
++ dp = delegstateid(nfs4_alloc_stid(clp, deleg_slab, nfs4_free_deleg));
+ if (dp == NULL)
+ goto out_dec;
+
+- dp->dl_stid.sc_free = nfs4_free_deleg;
+ /*
+ * delegation seqid's are never incremented. The 4.1 special
+ * meaning of seqid 0 isn't meaningful, really, but let's avoid
+@@ -5580,7 +5578,6 @@ init_lock_stateid(struct nfs4_ol_stateid
+ stp->st_stateowner = nfs4_get_stateowner(&lo->lo_owner);
+ get_nfs4_file(fp);
+ stp->st_stid.sc_file = fp;
+- stp->st_stid.sc_free = nfs4_free_lock_stateid;
+ stp->st_access_bmap = 0;
+ stp->st_deny_bmap = open_stp->st_deny_bmap;
+ stp->st_openstp = open_stp;
+@@ -5623,7 +5620,7 @@ find_or_create_lock_stateid(struct nfs4_
+ lst = find_lock_stateid(lo, fi);
+ if (lst == NULL) {
+ spin_unlock(&clp->cl_lock);
+- ns = nfs4_alloc_stid(clp, stateid_slab);
++ ns = nfs4_alloc_stid(clp, stateid_slab, nfs4_free_lock_stateid);
+ if (ns == NULL)
+ return NULL;
+
+--- a/fs/nfsd/state.h
++++ b/fs/nfsd/state.h
+@@ -603,8 +603,8 @@ extern __be32 nfs4_preprocess_stateid_op
+ __be32 nfsd4_lookup_stateid(struct nfsd4_compound_state *cstate,
+ stateid_t *stateid, unsigned char typemask,
+ struct nfs4_stid **s, struct nfsd_net *nn);
+-struct nfs4_stid *nfs4_alloc_stid(struct nfs4_client *cl,
+- struct kmem_cache *slab);
++struct nfs4_stid *nfs4_alloc_stid(struct nfs4_client *cl, struct kmem_cache *slab,
++ void (*sc_free)(struct nfs4_stid *));
+ void nfs4_unhash_stid(struct nfs4_stid *s);
+ void nfs4_put_stid(struct nfs4_stid *s);
+ void nfs4_inc_and_copy_stateid(stateid_t *dst, struct nfs4_stid *stid);
--- /dev/null
+From 0b3589be9b98994ce3d5aeca52445d1f5627c4ba Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 26 Jan 2017 23:15:08 +0100
+Subject: perf/core: Fix PERF_RECORD_MMAP2 prot/flags for anonymous memory
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit 0b3589be9b98994ce3d5aeca52445d1f5627c4ba upstream.
+
+Andres reported that MMAP2 records for anonymous memory always have
+their protection field 0.
+
+Turns out, someone daft put the prot/flags generation code in the file
+branch, leaving them unset for anonymous memory.
+
+Reported-by: Andres Freund <andres@anarazel.de>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Don Zickus <dzickus@redhat.com
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@gmail.com>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: acme@kernel.org
+Cc: anton@ozlabs.org
+Cc: namhyung@kernel.org
+Fixes: f972eb63b100 ("perf: Pass protection and flags bits through mmap2 interface")
+Link: http://lkml.kernel.org/r/20170126221508.GF6536@twins.programming.kicks-ass.net
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/core.c | 42 +++++++++++++++++++++---------------------
+ 1 file changed, 21 insertions(+), 21 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -6606,6 +6606,27 @@ static void perf_event_mmap_event(struct
+ char *buf = NULL;
+ char *name;
+
++ if (vma->vm_flags & VM_READ)
++ prot |= PROT_READ;
++ if (vma->vm_flags & VM_WRITE)
++ prot |= PROT_WRITE;
++ if (vma->vm_flags & VM_EXEC)
++ prot |= PROT_EXEC;
++
++ if (vma->vm_flags & VM_MAYSHARE)
++ flags = MAP_SHARED;
++ else
++ flags = MAP_PRIVATE;
++
++ if (vma->vm_flags & VM_DENYWRITE)
++ flags |= MAP_DENYWRITE;
++ if (vma->vm_flags & VM_MAYEXEC)
++ flags |= MAP_EXECUTABLE;
++ if (vma->vm_flags & VM_LOCKED)
++ flags |= MAP_LOCKED;
++ if (vma->vm_flags & VM_HUGETLB)
++ flags |= MAP_HUGETLB;
++
+ if (file) {
+ struct inode *inode;
+ dev_t dev;
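Review bot: The moved block builds `prot` with `|=` while `flags` is assigned outright, so `prot` depends on an initializer declared above the hunk. It is worth confirming that it starts at 0 now that the block runs for every vma. Nothing marks that the block was deliberately placed ahead of `if (file)`, which is the whole fix. A comment such as `/* prot/flags apply to file-backed and anonymous mappings alike; keep above the file branch */` would stop it drifting back into one branch. perf_event_mmap_event() continues outside the hunk.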
+@@ -6632,27 +6653,6 @@ static void perf_event_mmap_event(struct
+ maj = MAJOR(dev);
+ min = MINOR(dev);
+
+- if (vma->vm_flags & VM_READ)
+- prot |= PROT_READ;
+- if (vma->vm_flags & VM_WRITE)
+- prot |= PROT_WRITE;
+- if (vma->vm_flags & VM_EXEC)
+- prot |= PROT_EXEC;
+-
+- if (vma->vm_flags & VM_MAYSHARE)
+- flags = MAP_SHARED;
+- else
+- flags = MAP_PRIVATE;
+-
+- if (vma->vm_flags & VM_DENYWRITE)
+- flags |= MAP_DENYWRITE;
+- if (vma->vm_flags & VM_MAYEXEC)
+- flags |= MAP_EXECUTABLE;
+- if (vma->vm_flags & VM_LOCKED)
+- flags |= MAP_LOCKED;
+- if (vma->vm_flags & VM_HUGETLB)
+- flags |= MAP_HUGETLB;
+-
+ goto got_name;
+ } else {
+ if (vma->vm_ops && vma->vm_ops->name) {
--- /dev/null
+From a76a82a3e38c8d3fb6499e3dfaeb0949241ab588 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 26 Jan 2017 16:39:55 +0100
+Subject: perf/core: Fix use-after-free bug
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit a76a82a3e38c8d3fb6499e3dfaeb0949241ab588 upstream.
+
+Dmitry reported a KASAN use-after-free on event->group_leader.
+
+It turns out there's a hole in perf_remove_from_context() due to
+event_function_call() not calling its function when the task
+associated with the event is already dead.
+
+In this case the event will have been detached from the task, but the
+grouping will have been retained, such that group operations might
+still work properly while there are live child events etc.
+
+This does however mean that we can miss a perf_group_detach() call
+when the group decomposes, this in turn can then lead to
+use-after-free.
+
+Fix it by explicitly doing the group detach if its still required.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Tested-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: syzkaller <syzkaller@googlegroups.com>
+Fixes: 63b6da39bb38 ("perf: Fix perf_event_exit_task() race")
+Link: http://lkml.kernel.org/r/20170126153955.GD6515@twins.programming.kicks-ass.net
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/core.c | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -1469,7 +1469,6 @@ ctx_group_list(struct perf_event *event,
+ static void
+ list_add_event(struct perf_event *event, struct perf_event_context *ctx)
+ {
+-
+ lockdep_assert_held(&ctx->lock);
+
+ WARN_ON_ONCE(event->attach_state & PERF_ATTACH_CONTEXT);
+@@ -1624,6 +1623,8 @@ static void perf_group_attach(struct per
+ {
+ struct perf_event *group_leader = event->group_leader, *pos;
+
++ lockdep_assert_held(&event->ctx->lock);
++
+ /*
+ * We can have double attach due to group movement in perf_event_open.
+ */
+@@ -1697,6 +1698,8 @@ static void perf_group_detach(struct per
+ struct perf_event *sibling, *tmp;
+ struct list_head *list = NULL;
+
++ lockdep_assert_held(&event->ctx->lock);
++
+ /*
+ * We can have double detach due to exit/hot-unplug + close.
+ */
+@@ -1895,9 +1898,29 @@ __perf_remove_from_context(struct perf_e
+ */
+ static void perf_remove_from_context(struct perf_event *event, unsigned long flags)
+ {
+- lockdep_assert_held(&event->ctx->mutex);
++ struct perf_event_context *ctx = event->ctx;
++
++ lockdep_assert_held(&ctx->mutex);
+
+ event_function_call(event, __perf_remove_from_context, (void *)flags);
++
++ /*
++ * The above event_function_call() can NO-OP when it hits
++ * TASK_TOMBSTONE. In that case we must already have been detached
++ * from the context (by perf_event_exit_event()) but the grouping
++ * might still be in-tact.
++ */
++ WARN_ON_ONCE(event->attach_state & PERF_ATTACH_CONTEXT);
++ if ((flags & DETACH_GROUP) &&
++ (event->attach_state & PERF_ATTACH_GROUP)) {
++ /*
++ * Since in that case we cannot possibly be scheduled, simply
++ * detach now.
++ */
++ raw_spin_lock_irq(&ctx->lock);
++ perf_group_detach(event);
++ raw_spin_unlock_irq(&ctx->lock);
++ }
+ }
+
+ /*
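Review bot: In perf_remove_from_context() the new `event->attach_state & PERF_ATTACH_GROUP` test, and the WARN_ON_ONCE above it, read attach_state before `raw_spin_lock_irq(&ctx->lock)` is taken. The same patch adds `lockdep_assert_held(&event->ctx->lock)` to perf_group_attach() and perf_group_detach(), the functions that change that state. The context comment about double detach suggests perf_group_detach() re-tests the bit under the lock, but that code is outside the hunk, so treating the unlocked read as a hint is an inference. I would state it in the inner comment, for example `/* unlocked test is a hint only; perf_group_detach() re-checks under ctx->lock */`, or move the test inside the locked region. The new comment also spells intact as `in-tact`.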
--- /dev/null
+From af2b7fa17eb92e52b65f96604448ff7a2a89ee99 Mon Sep 17 00:00:00 2001
+From: Darren Stevens <darren@stevens-zone.net>
+Date: Mon, 23 Jan 2017 19:42:54 +0000
+Subject: powerpc: Add missing error check to prom_find_boot_cpu()
+
+From: Darren Stevens <darren@stevens-zone.net>
+
+commit af2b7fa17eb92e52b65f96604448ff7a2a89ee99 upstream.
+
+prom_init.c calls 'instance-to-package' twice, but the return
+is not checked during prom_find_boot_cpu(). The result is then
+passed to prom_getprop(), which could be PROM_ERROR. Add a return check
+to prevent this.
+
+This was found on a pasemi system, where CFE doesn't have a working
+'instance-to package' prom call.
+
+Before Commit 5c0484e25ec0 ('powerpc: Endian safe trampoline') the area
+around addr 0 was mostly 0's and this doesn't cause a problem. Once the
+macro 'FIXUP_ENDIAN' has been added to head_64.S, the low memory area
+now has non-zero values, which cause the prom_getprop() call
+to hang.
+
+mpe: Also confirmed that under SLOF if 'instance-to-package' did fail
+with PROM_ERROR we would crash in SLOF. So the bug is not specific to
+CFE, it's just that other open firmwares don't trigger it because they
+have a working 'instance-to-package'.
+
+Fixes: 5c0484e25ec0 ("powerpc: Endian safe trampoline")
+Signed-off-by: Darren Stevens <darren@stevens-zone.net>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/prom_init.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/powerpc/kernel/prom_init.c
++++ b/arch/powerpc/kernel/prom_init.c
+@@ -2747,6 +2747,9 @@ static void __init prom_find_boot_cpu(vo
+
+ cpu_pkg = call_prom("instance-to-package", 1, 1, prom_cpu);
+
++ if (!PHANDLE_VALID(cpu_pkg))
++ return;
++
+ prom_getprop(cpu_pkg, "reg", &rval, sizeof(rval));
+ prom.cpu = be32_to_cpu(rval);
+
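Review bot: The return value of `prom_getprop(cpu_pkg, "reg", &rval, sizeof(rval))` is still ignored right after the new PHANDLE_VALID() check. A valid package without a readable "reg" property would therefore feed whatever `rval` holds into `prom.cpu`. The declaration of `rval` is above the hunk, so whether it is initialised cannot be seen here. Testing the call as well, e.g. `if (prom_getprop(cpu_pkg, "reg", &rval, sizeof(rval)) == PROM_ERROR) return;` or whatever form the file uses for its other prom_getprop() calls, would close the second half of the same gap. The new early return also leaves prom.cpu at its previous value silently; a comment saying that is intended would help.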
--- /dev/null
+From f05fea5b3574a5926c53865eea27139bb40b2f2b Mon Sep 17 00:00:00 2001
+From: Gavin Shan <gwshan@linux.vnet.ibm.com>
+Date: Thu, 19 Jan 2017 10:10:16 +1100
+Subject: powerpc/eeh: Fix wrong flag passed to eeh_unfreeze_pe()
+
+From: Gavin Shan <gwshan@linux.vnet.ibm.com>
+
+commit f05fea5b3574a5926c53865eea27139bb40b2f2b upstream.
+
+In __eeh_clear_pe_frozen_state(), we should pass the flag's value
+instead of its address to eeh_unfreeze_pe(). The isolated flag is
+cleared if no error returned from __eeh_clear_pe_frozen_state(). We
+never observed the error from the function. So the isolated flag should
+have been always cleared, no real issue is caused because of the misused
+@flag.
+
+This fixes the code by passing the value of @flag to eeh_unfreeze_pe().
+
+Fixes: 5cfb20b96f6 ("powerpc/eeh: Emulate EEH recovery for VFIO devices")
+Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/eeh_driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/eeh_driver.c
++++ b/arch/powerpc/kernel/eeh_driver.c
+@@ -545,7 +545,7 @@ static void *eeh_pe_detach_dev(void *dat
+ static void *__eeh_clear_pe_frozen_state(void *data, void *flag)
+ {
+ struct eeh_pe *pe = (struct eeh_pe *)data;
+- bool *clear_sw_state = flag;
++ bool clear_sw_state = *(bool *)flag;
+ int i, rc = 1;
+
+ for (i = 0; rc && i < 3; i++)
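Review bot: `bool clear_sw_state = *(bool *)flag;` dereferences the untyped `flag` argument unconditionally, and nothing in the visible signature says it must point to a bool. The old code hid the same assumption behind a pointer that was then passed on by mistake, which is the bug this commit fixes, so the contract is worth writing down. A header comment on __eeh_clear_pe_frozen_state() such as `/* @flag: points to a bool (clear_sw_state); must not be NULL */` would do. The callers are outside the hunk, so whether any of them can pass NULL is not visible here.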
--- /dev/null
+From b5fa0f7f88edcde37df1807fdf9ff10ec787a60e Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Tue, 24 Jan 2017 16:36:57 +1100
+Subject: powerpc: Fix build failure with clang due to BUILD_BUG_ON()
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit b5fa0f7f88edcde37df1807fdf9ff10ec787a60e upstream.
+
+Anton says: In commit 4db7327194db ("powerpc: Add option to use jump
+label for cpu_has_feature()") and commit c12e6f24d413 ("powerpc: Add
+option to use jump label for mmu_has_feature()") we added:
+
+ BUILD_BUG_ON(!__builtin_constant_p(feature))
+
+to cpu_has_feature() and mmu_has_feature() in order to catch usage
+issues (such as cpu_has_feature(cpu_has_feature(X), which has happened
+once in the past). Unfortunately LLVM isn't smart enough to resolve
+this, and it errors out.
+
+I work around it in my clang/LLVM builds of the kernel, but I have just
+discovered that it causes a lot of issues for the bcc (eBPF) trace tool
+(which uses LLVM).
+
+For now just #ifdef it away for clang builds.
+
+Fixes: 4db7327194db ("powerpc: Add option to use jump label for cpu_has_feature()")
+Fixes: c12e6f24d413 ("powerpc: Add option to use jump label for mmu_has_feature()")
+Reported-by: Anton Blanchard <anton@samba.org>
+Tested-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/cpu_has_feature.h | 2 ++
+ arch/powerpc/include/asm/mmu.h | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/arch/powerpc/include/asm/cpu_has_feature.h
++++ b/arch/powerpc/include/asm/cpu_has_feature.h
+@@ -23,7 +23,9 @@ static __always_inline bool cpu_has_feat
+ {
+ int i;
+
++#ifndef __clang__ /* clang can't cope with this */
+ BUILD_BUG_ON(!__builtin_constant_p(feature));
++#endif
+
+ #ifdef CONFIG_JUMP_LABEL_FEATURE_CHECK_DEBUG
+ if (!static_key_initialized) {
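Review bot: The `#ifndef __clang__` guard removes the `BUILD_BUG_ON(!__builtin_constant_p(feature))` check entirely for clang builds, and the comment `/* clang can't cope with this */` does not say what is lost. With the guard in place, a non-constant argument compiles without complaint under clang; the commit message says the check was added to catch exactly that misuse. I would expand the comment to something like `/* clang cannot prove feature is constant here; this misuse check is gcc-only */` so nobody assumes clang builds are covered. The same applies to the identical guard added to mmu_has_feature() in arch/powerpc/include/asm/mmu.h.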
+--- a/arch/powerpc/include/asm/mmu.h
++++ b/arch/powerpc/include/asm/mmu.h
+@@ -160,7 +160,9 @@ static __always_inline bool mmu_has_feat
+ {
+ int i;
+
++#ifndef __clang__ /* clang can't cope with this */
+ BUILD_BUG_ON(!__builtin_constant_p(feature));
++#endif
+
+ #ifdef CONFIG_JUMP_LABEL_FEATURE_CHECK_DEBUG
+ if (!static_key_initialized) {
--- /dev/null
+From a0615a16f7d0ceb5804d295203c302d496d8ee91 Mon Sep 17 00:00:00 2001
+From: Reza Arbab <arbab@linux.vnet.ibm.com>
+Date: Wed, 25 Jan 2017 09:54:33 -0600
+Subject: powerpc/mm: Use the correct pointer when setting a 2MB pte
+
+From: Reza Arbab <arbab@linux.vnet.ibm.com>
+
+commit a0615a16f7d0ceb5804d295203c302d496d8ee91 upstream.
+
+When setting a 2MB pte, radix__map_kernel_page() is using the address
+
+ ptep = (pte_t *)pudp;
+
+Fix this conversion to use pmdp instead. Use pmdp_ptep() to do this
+instead of casting the pointer.
+
+Fixes: 2bfd65e45e87 ("powerpc/mm/radix: Add radix callbacks for early init routines")
+Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Signed-off-by: Reza Arbab <arbab@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/pgtable-radix.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/mm/pgtable-radix.c
++++ b/arch/powerpc/mm/pgtable-radix.c
+@@ -65,7 +65,7 @@ int radix__map_kernel_page(unsigned long
+ if (!pmdp)
+ return -ENOMEM;
+ if (map_page_size == PMD_SIZE) {
+- ptep = (pte_t *)pudp;
++ ptep = pmdp_ptep(pmdp);
+ goto set_the_pte;
+ }
+ ptep = pte_alloc_kernel(pmdp, ea);
+@@ -90,7 +90,7 @@ int radix__map_kernel_page(unsigned long
+ }
+ pmdp = pmd_offset(pudp, ea);
+ if (map_page_size == PMD_SIZE) {
+- ptep = (pte_t *)pudp;
++ ptep = pmdp_ptep(pmdp);
+ goto set_the_pte;
+ }
+ if (!pmd_present(*pmdp)) {
drm-nouveau-nv1a-nv1f-disp-fix-memory-clock-rate-retrieval.patch
crypto-api-clear-crypto_alg_dead-bit-before-registering-an-alg.patch
crypto-arm64-aes-blk-honour-iv_out-requirement-in-cbc-and-ctr-modes.patch
+perf-core-fix-use-after-free-bug.patch
+perf-core-fix-perf_record_mmap2-prot-flags-for-anonymous-memory.patch
+ata-sata_mv-handle-return-value-of-devm_ioremap.patch
+libata-apply-max_sec_1024-to-all-cx1-jb-hp-devices.patch
+libata-fix-ata-request-sense.patch
+powerpc-eeh-fix-wrong-flag-passed-to-eeh_unfreeze_pe.patch
+powerpc-add-missing-error-check-to-prom_find_boot_cpu.patch
+powerpc-fix-build-failure-with-clang-due-to-build_bug_on.patch
+powerpc-mm-use-the-correct-pointer-when-setting-a-2mb-pte.patch
+nfsd-fix-a-null-reference-case-in-find_or_create_lock_stateid.patch
+svcrpc-fix-oops-in-absence-of-krb5-module.patch
+zswap-disable-changing-params-if-init-fails.patch
--- /dev/null
+From 034dd34ff4916ec1f8f74e39ca3efb04eab2f791 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Tue, 31 Jan 2017 11:37:50 -0500
+Subject: svcrpc: fix oops in absence of krb5 module
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit 034dd34ff4916ec1f8f74e39ca3efb04eab2f791 upstream.
+
+Olga Kornievskaia says: "I ran into this oops in the nfsd (below)
+(4.10-rc3 kernel). To trigger this I had a client (unsuccessfully) try
+to mount the server with krb5 where the server doesn't have the
+rpcsec_gss_krb5 module built."
+
+The problem is that rsci.cred is copied from a svc_cred structure that
+gss_proxy didn't properly initialize. Fix that.
+
+[120408.542387] general protection fault: 0000 [#1] SMP
+...
+[120408.565724] CPU: 0 PID: 3601 Comm: nfsd Not tainted 4.10.0-rc3+ #16
+[120408.567037] Hardware name: VMware, Inc. VMware Virtual =
+Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
+[120408.569225] task: ffff8800776f95c0 task.stack: ffffc90003d58000
+[120408.570483] RIP: 0010:gss_mech_put+0xb/0x20 [auth_rpcgss]
+...
+[120408.584946] ? rsc_free+0x55/0x90 [auth_rpcgss]
+[120408.585901] gss_proxy_save_rsc+0xb2/0x2a0 [auth_rpcgss]
+[120408.587017] svcauth_gss_proxy_init+0x3cc/0x520 [auth_rpcgss]
+[120408.588257] ? __enqueue_entity+0x6c/0x70
+[120408.589101] svcauth_gss_accept+0x391/0xb90 [auth_rpcgss]
+[120408.590212] ? try_to_wake_up+0x4a/0x360
+[120408.591036] ? wake_up_process+0x15/0x20
+[120408.592093] ? svc_xprt_do_enqueue+0x12e/0x2d0 [sunrpc]
+[120408.593177] svc_authenticate+0xe1/0x100 [sunrpc]
+[120408.594168] svc_process_common+0x203/0x710 [sunrpc]
+[120408.595220] svc_process+0x105/0x1c0 [sunrpc]
+[120408.596278] nfsd+0xe9/0x160 [nfsd]
+[120408.597060] kthread+0x101/0x140
+[120408.597734] ? nfsd_destroy+0x60/0x60 [nfsd]
+[120408.598626] ? kthread_park+0x90/0x90
+[120408.599448] ret_from_fork+0x22/0x30
+
+Fixes: 1d658336b05f "SUNRPC: Add RPC based upcall mechanism for RPCGSS auth"
+Cc: Simo Sorce <simo@redhat.com>
+Reported-by: Olga Kornievskaia <kolga@netapp.com>
+Tested-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/auth_gss/gss_rpc_xdr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c
++++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c
+@@ -260,7 +260,7 @@ static int gssx_dec_option_array(struct
+ if (!oa->data)
+ return -ENOMEM;
+
+- creds = kmalloc(sizeof(struct svc_cred), GFP_KERNEL);
++ creds = kzalloc(sizeof(struct svc_cred), GFP_KERNEL);
+ if (!creds) {
+ kfree(oa->data);
+ return -ENOMEM;
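Review bot: Switching to `kzalloc()` zeroes every field of the new svc_cred, which removes the uninitialised fields behind the oops but also makes the uid and gid fields start at 0 rather than at an obviously invalid value. The code that fills the credential is below the hunk, so it cannot be confirmed from here that every path sets them before `creds` is used. If one does not, a zero id is the most privileged default to fall back on. A comment such as `/* zeroed so pointer fields are NULL; ids must be filled in before use */` would record that. Writing `sizeof(*creds)` in place of `sizeof(struct svc_cred)` would also keep the size tied to the variable.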
--- /dev/null
+From d7b028f56a971a2e4d8d7887540a144eeefcd4ab Mon Sep 17 00:00:00 2001
+From: Dan Streetman <ddstreet@ieee.org>
+Date: Fri, 3 Feb 2017 13:13:09 -0800
+Subject: zswap: disable changing params if init fails
+
+From: Dan Streetman <ddstreet@ieee.org>
+
+commit d7b028f56a971a2e4d8d7887540a144eeefcd4ab upstream.
+
+Add zswap_init_failed bool that prevents changing any of the module
+params, if init_zswap() fails, and set zswap_enabled to false. Change
+'enabled' param to a callback, and check zswap_init_failed before
+allowing any change to 'enabled', 'zpool', or 'compressor' params.
+
+Any driver that is built-in to the kernel will not be unloaded if its
+init function returns error, and its module params remain accessible for
+users to change via sysfs. Since zswap uses param callbacks, which
+assume that zswap has been initialized, changing the zswap params after
+a failed initialization will result in WARNING due to the param
+callbacks expecting a pool to already exist. This prevents that by
+immediately exiting any of the param callbacks if initialization failed.
+
+This was reported here:
+ https://marc.info/?l=linux-mm&m=147004228125528&w=4
+
+And fixes this WARNING:
+ [ 429.723476] WARNING: CPU: 0 PID: 5140 at mm/zswap.c:503 __zswap_pool_current+0x56/0x60
+
+The warning is just noise, and not serious. However, when init fails,
+zswap frees all its percpu dstmem pages and its kmem cache. The kmem
+cache might be serious, if kmem_cache_alloc(NULL, gfp) has problems; but
+the percpu dstmem pages are definitely a problem, as they're used as
+temporary buffer for compressed pages before copying into place in the
+zpool.
+
+If the user does get zswap enabled after an init failure, then zswap
+will likely Oops on the first page it tries to compress (or worse, start
+corrupting memory).
+
+Fixes: 90b0fc26d5db ("zswap: change zpool/compressor at runtime")
+Link: http://lkml.kernel.org/r/20170124200259.16191-2-ddstreet@ieee.org
+Signed-off-by: Dan Streetman <dan.streetman@canonical.com>
+Reported-by: Marcin Miroslaw <marcin@mejor.pl>
+Cc: Seth Jennings <sjenning@redhat.com>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/zswap.c | 30 +++++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
+
+--- a/mm/zswap.c
++++ b/mm/zswap.c
+@@ -78,7 +78,13 @@ static u64 zswap_duplicate_entry;
+
+ /* Enable/disable zswap (disabled by default) */
+ static bool zswap_enabled;
+-module_param_named(enabled, zswap_enabled, bool, 0644);
++static int zswap_enabled_param_set(const char *,
++ const struct kernel_param *);
++static struct kernel_param_ops zswap_enabled_param_ops = {
++ .set = zswap_enabled_param_set,
++ .get = param_get_bool,
++};
++module_param_cb(enabled, &zswap_enabled_param_ops, &zswap_enabled, 0644);
+
+ /* Crypto compressor to use */
+ #define ZSWAP_COMPRESSOR_DEFAULT "lzo"
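Review bot: `zswap_enabled_param_ops` is declared as a writable `static struct kernel_param_ops`, although the visible code only passes its address to module_param_cb() and never modifies it. Declaring it `static const struct kernel_param_ops zswap_enabled_param_ops = {` would keep the two function pointers in read-only data, which is the safer default for a callback table reachable from a sysfs write. If the file's other param ops tables, which are outside this hunk, are also non-const, they could be changed together. The forward declaration of zswap_enabled_param_set() above it also omits parameter names; `const char *val, const struct kernel_param *kp` would match the definition.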
+@@ -176,6 +182,9 @@ static atomic_t zswap_pools_count = ATOM
+ /* used by param callback function */
+ static bool zswap_init_started;
+
++/* fatal error during init */
++static bool zswap_init_failed;
++
+ /*********************************
+ * helpers and fwd declarations
+ **********************************/
+@@ -706,6 +715,11 @@ static int __zswap_param_set(const char
+ char *s = strstrip((char *)val);
+ int ret;
+
++ if (zswap_init_failed) {
++ pr_err("can't set param, initialization failed\n");
++ return -ENODEV;
++ }
++
+ /* no change required */
+ if (!strcmp(s, *(char **)kp->arg))
+ return 0;
+@@ -785,6 +799,17 @@ static int zswap_zpool_param_set(const c
+ return __zswap_param_set(val, kp, NULL, zswap_compressor);
+ }
+
++static int zswap_enabled_param_set(const char *val,
++ const struct kernel_param *kp)
++{
++ if (zswap_init_failed) {
++ pr_err("can't enable, initialization failed\n");
++ return -ENODEV;
++ }
++
++ return param_set_bool(val, kp);
++}
++
+ /*********************************
+ * writeback code
+ **********************************/
+@@ -1271,6 +1296,9 @@ pool_fail:
+ dstmem_fail:
+ zswap_entry_cache_destroy();
+ cache_fail:
++ /* if built-in, we aren't unloaded on failure; don't allow use */
++ zswap_init_failed = true;
++ zswap_enabled = false;
+ return -ENOMEM;
+ }
+ /* must be late so crypto has time to come up */