4.13-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 15 Oct 2017 13:45:46 +0000 (15:45 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 15 Oct 2017 13:45:46 +0000 (15:45 +0200)
added patches:
alsa-seq-fix-use-after-free-at-creating-a-port.patch
alsa-usb-audio-kill-stray-urb-at-exiting.patch
crypto-shash-fix-zero-length-shash-ahash-digest-crash.patch
crypto-skcipher-fix-crash-on-zero-length-input.patch
device-property-track-owner-device-of-device-property.patch
dmaengine-edma-align-the-memcpy-acnt-array-size-with-the-transfer.patch
dmaengine-ti-dma-crossbar-fix-possible-race-condition-with-dma_inuse.patch
fs-mpage.c-fix-mpage_writepage-for-pages-with-buffers.patch
hid-usbhid-fix-out-of-bounds-bug.patch
iommu-amd-finish-tlb-flush-in-amd_iommu_unmap.patch
kvm-mmu-always-terminate-page-walks-at-level-1.patch
kvm-nvmx-fix-guest-cr4-loading-when-emulating-l2-to-l1-exit.patch
mei-always-use-domain-runtime-pm-callbacks.patch
mips-bpf-fix-uninitialised-target-compiler-error.patch
mips-math-emu-remove-pr_err-calls-from-fpu_emu.patch
nfs-filelayout-fix-oops-when-freeing-filelayout-segment.patch
nfs-fix-uninitialized-rpc_wait_queue.patch
pinctrl-amd-fix-build-dependency-on-pinmux-code.patch
revert-vmalloc-back-off-when-the-current-task-is-killed.patch
usb-dummy-hcd-fix-deadlock-caused-by-disconnect-detection.patch
usb-renesas_usbhs-fix-dmac-sequence-for-receiving-zero-length-packet.patch

22 files changed:
queue-4.13/alsa-seq-fix-use-after-free-at-creating-a-port.patch [new file with mode: 0644]
queue-4.13/alsa-usb-audio-kill-stray-urb-at-exiting.patch [new file with mode: 0644]
queue-4.13/crypto-shash-fix-zero-length-shash-ahash-digest-crash.patch [new file with mode: 0644]
queue-4.13/crypto-skcipher-fix-crash-on-zero-length-input.patch [new file with mode: 0644]
queue-4.13/device-property-track-owner-device-of-device-property.patch [new file with mode: 0644]
queue-4.13/dmaengine-edma-align-the-memcpy-acnt-array-size-with-the-transfer.patch [new file with mode: 0644]
queue-4.13/dmaengine-ti-dma-crossbar-fix-possible-race-condition-with-dma_inuse.patch [new file with mode: 0644]
queue-4.13/fs-mpage.c-fix-mpage_writepage-for-pages-with-buffers.patch [new file with mode: 0644]
queue-4.13/hid-usbhid-fix-out-of-bounds-bug.patch [new file with mode: 0644]
queue-4.13/iommu-amd-finish-tlb-flush-in-amd_iommu_unmap.patch [new file with mode: 0644]
queue-4.13/kvm-mmu-always-terminate-page-walks-at-level-1.patch [new file with mode: 0644]
queue-4.13/kvm-nvmx-fix-guest-cr4-loading-when-emulating-l2-to-l1-exit.patch [new file with mode: 0644]
queue-4.13/mei-always-use-domain-runtime-pm-callbacks.patch [new file with mode: 0644]
queue-4.13/mips-bpf-fix-uninitialised-target-compiler-error.patch [new file with mode: 0644]
queue-4.13/mips-math-emu-remove-pr_err-calls-from-fpu_emu.patch [new file with mode: 0644]
queue-4.13/nfs-filelayout-fix-oops-when-freeing-filelayout-segment.patch [new file with mode: 0644]
queue-4.13/nfs-fix-uninitialized-rpc_wait_queue.patch [new file with mode: 0644]
queue-4.13/pinctrl-amd-fix-build-dependency-on-pinmux-code.patch [new file with mode: 0644]
queue-4.13/revert-vmalloc-back-off-when-the-current-task-is-killed.patch [new file with mode: 0644]
queue-4.13/series [new file with mode: 0644]
queue-4.13/usb-dummy-hcd-fix-deadlock-caused-by-disconnect-detection.patch [new file with mode: 0644]
queue-4.13/usb-renesas_usbhs-fix-dmac-sequence-for-receiving-zero-length-packet.patch [new file with mode: 0644]

diff --git a/queue-4.13/alsa-seq-fix-use-after-free-at-creating-a-port.patch b/queue-4.13/alsa-seq-fix-use-after-free-at-creating-a-port.patch
new file mode 100644 (file)
index 0000000..9fa91e5
--- /dev/null
@@ -0,0 +1,138 @@
+From 71105998845fb012937332fe2e806d443c09e026 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 9 Oct 2017 11:09:20 +0200
+Subject: ALSA: seq: Fix use-after-free at creating a port
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 71105998845fb012937332fe2e806d443c09e026 upstream.
+
+There is a potential race window opened at creating and deleting a
+port via ioctl, as spotted by fuzzing.  snd_seq_create_port() creates
+a port object and returns its pointer, but it doesn't take the
+refcount, thus it can be deleted immediately by another thread.
+Meanwhile, snd_seq_ioctl_create_port() still calls the function
+snd_seq_system_client_ev_port_start() with the created port object
+that is being deleted, and this triggers use-after-free like:
+
+ BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
+ =============================================================================
+ BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
+ -----------------------------------------------------------------------------
+ INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
+       ___slab_alloc+0x425/0x460
+       __slab_alloc+0x20/0x40
+       kmem_cache_alloc_trace+0x150/0x190
+       snd_seq_create_port+0x94/0x9b0 [snd_seq]
+       snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
+       snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
+       snd_seq_ioctl+0x40/0x80 [snd_seq]
+       do_vfs_ioctl+0x54b/0xda0
+       SyS_ioctl+0x79/0x90
+       entry_SYSCALL_64_fastpath+0x16/0x75
+ INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
+       __slab_free+0x204/0x310
+       kfree+0x15f/0x180
+       port_delete+0x136/0x1a0 [snd_seq]
+       snd_seq_delete_port+0x235/0x350 [snd_seq]
+       snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
+       snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
+       snd_seq_ioctl+0x40/0x80 [snd_seq]
+       do_vfs_ioctl+0x54b/0xda0
+       SyS_ioctl+0x79/0x90
+       entry_SYSCALL_64_fastpath+0x16/0x75
+ Call Trace:
+  [<ffffffff81b03781>] dump_stack+0x63/0x82
+  [<ffffffff81531b3b>] print_trailer+0xfb/0x160
+  [<ffffffff81536db4>] object_err+0x34/0x40
+  [<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
+  [<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
+  [<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
+  [<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
+  [<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
+  [<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
+  [<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
+  [<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
+  [<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
+  [<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
+  .....
+
+We may fix this in a few different ways, and in this patch, it's fixed
+simply by taking the refcount properly at snd_seq_create_port() and
+letting the caller unref the object after use.  Also, there is another
+potential use-after-free by sprintf() call in snd_seq_create_port(),
+and this is moved inside the lock.
+
+This fix covers CVE-2017-15265.
+
+Reported-and-tested-by: Michael23 Yu <ycqzsy@gmail.com>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_clientmgr.c |    6 +++++-
+ sound/core/seq/seq_ports.c     |    7 +++++--
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -1259,6 +1259,7 @@ static int snd_seq_ioctl_create_port(str
+       struct snd_seq_port_info *info = arg;
+       struct snd_seq_client_port *port;
+       struct snd_seq_port_callback *callback;
++      int port_idx;
+       /* it is not allowed to create the port for an another client */
+       if (info->addr.client != client->number)
+@@ -1269,7 +1270,9 @@ static int snd_seq_ioctl_create_port(str
+               return -ENOMEM;
+       if (client->type == USER_CLIENT && info->kernel) {
+-              snd_seq_delete_port(client, port->addr.port);
++              port_idx = port->addr.port;
++              snd_seq_port_unlock(port);
++              snd_seq_delete_port(client, port_idx);
+               return -EINVAL;
+       }
+       if (client->type == KERNEL_CLIENT) {
+@@ -1290,6 +1293,7 @@ static int snd_seq_ioctl_create_port(str
+       snd_seq_set_port_info(port, info);
+       snd_seq_system_client_ev_port_start(port->addr.client, port->addr.port);
++      snd_seq_port_unlock(port);
+       return 0;
+ }
+--- a/sound/core/seq/seq_ports.c
++++ b/sound/core/seq/seq_ports.c
+@@ -122,7 +122,9 @@ static void port_subs_info_init(struct s
+ }
+-/* create a port, port number is returned (-1 on failure) */
++/* create a port, port number is returned (-1 on failure);
++ * the caller needs to unref the port via snd_seq_port_unlock() appropriately
++ */
+ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
+                                               int port)
+ {
+@@ -151,6 +153,7 @@ struct snd_seq_client_port *snd_seq_crea
+       snd_use_lock_init(&new_port->use_lock);
+       port_subs_info_init(&new_port->c_src);
+       port_subs_info_init(&new_port->c_dest);
++      snd_use_lock_use(&new_port->use_lock);
+       num = port >= 0 ? port : 0;
+       mutex_lock(&client->ports_mutex);
+@@ -165,9 +168,9 @@ struct snd_seq_client_port *snd_seq_crea
+       list_add_tail(&new_port->list, &p->list);
+       client->num_ports++;
+       new_port->addr.port = num;      /* store the port number in the port */
++      sprintf(new_port->name, "port-%d", num);
+       write_unlock_irqrestore(&client->ports_lock, flags);
+       mutex_unlock(&client->ports_mutex);
+-      sprintf(new_port->name, "port-%d", num);
+       return new_port;
+ }
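Review bot: The use-lock reference that snd_seq_create_port() now takes via snd_use_lock_use() is released in snd_seq_ioctl_create_port() only at the two exits visible in the hunk (the USER_CLIENT/info->kernel rejection and the final `return 0`), and nothing at the call site records that the returned port is held, so a future early return between those points would leak the use count and leave the port undeletable. A comment right after the `return -ENOMEM;` check would make the contract local, e.g. `/* port is returned with a use-lock reference held; every exit below must snd_seq_port_unlock() it */`. The KERNEL_CLIENT block between the second and third seq_clientmgr.c hunks is outside the shown context, so whether it contains further exits cannot be confirmed here.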
diff --git a/queue-4.13/alsa-usb-audio-kill-stray-urb-at-exiting.patch b/queue-4.13/alsa-usb-audio-kill-stray-urb-at-exiting.patch
new file mode 100644 (file)
index 0000000..80e3ec9
--- /dev/null
@@ -0,0 +1,117 @@
+From 124751d5e63c823092060074bd0abaae61aaa9c4 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 10 Oct 2017 14:10:32 +0200
+Subject: ALSA: usb-audio: Kill stray URB at exiting
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 124751d5e63c823092060074bd0abaae61aaa9c4 upstream.
+
+USB-audio driver may leave a stray URB for the mixer interrupt when it
+exits by some error during probe.  This leads to a use-after-free
+error as spotted by syzkaller like:
+  ==================================================================
+  BUG: KASAN: use-after-free in snd_usb_mixer_interrupt+0x604/0x6f0
+  Call Trace:
+   <IRQ>
+   __dump_stack lib/dump_stack.c:16
+   dump_stack+0x292/0x395 lib/dump_stack.c:52
+   print_address_description+0x78/0x280 mm/kasan/report.c:252
+   kasan_report_error mm/kasan/report.c:351
+   kasan_report+0x23d/0x350 mm/kasan/report.c:409
+   __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
+   snd_usb_mixer_interrupt+0x604/0x6f0 sound/usb/mixer.c:2490
+   __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
+   ....
+
+  Allocated by task 1484:
+   save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
+   save_stack+0x43/0xd0 mm/kasan/kasan.c:447
+   set_track mm/kasan/kasan.c:459
+   kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
+   kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
+   kmalloc ./include/linux/slab.h:493
+   kzalloc ./include/linux/slab.h:666
+   snd_usb_create_mixer+0x145/0x1010 sound/usb/mixer.c:2540
+   create_standard_mixer_quirk+0x58/0x80 sound/usb/quirks.c:516
+   snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
+   create_composite_quirk+0x1c4/0x3e0 sound/usb/quirks.c:59
+   snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
+   usb_audio_probe+0x1040/0x2c10 sound/usb/card.c:618
+   ....
+
+  Freed by task 1484:
+   save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
+   save_stack+0x43/0xd0 mm/kasan/kasan.c:447
+   set_track mm/kasan/kasan.c:459
+   kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
+   slab_free_hook mm/slub.c:1390
+   slab_free_freelist_hook mm/slub.c:1412
+   slab_free mm/slub.c:2988
+   kfree+0xf6/0x2f0 mm/slub.c:3919
+   snd_usb_mixer_free+0x11a/0x160 sound/usb/mixer.c:2244
+   snd_usb_mixer_dev_free+0x36/0x50 sound/usb/mixer.c:2250
+   __snd_device_free+0x1ff/0x380 sound/core/device.c:91
+   snd_device_free_all+0x8f/0xe0 sound/core/device.c:244
+   snd_card_do_free sound/core/init.c:461
+   release_card_device+0x47/0x170 sound/core/init.c:181
+   device_release+0x13f/0x210 drivers/base/core.c:814
+   ....
+
+Actually such a URB is killed properly at disconnection when the
+device gets probed successfully, and what we need is to apply it for
+the error-path, too.
+
+In this patch, we apply snd_usb_mixer_disconnect() at releasing.
+Also introduce a new flag, disconnected, to struct usb_mixer_interface
+for not performing the disconnection procedure twice.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c |   12 ++++++++++--
+ sound/usb/mixer.h |    2 ++
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -2228,6 +2228,9 @@ static int parse_audio_unit(struct mixer
+ static void snd_usb_mixer_free(struct usb_mixer_interface *mixer)
+ {
++      /* kill pending URBs */
++      snd_usb_mixer_disconnect(mixer);
++
+       kfree(mixer->id_elems);
+       if (mixer->urb) {
+               kfree(mixer->urb->transfer_buffer);
+@@ -2578,8 +2581,13 @@ _error:
+ void snd_usb_mixer_disconnect(struct usb_mixer_interface *mixer)
+ {
+-      usb_kill_urb(mixer->urb);
+-      usb_kill_urb(mixer->rc_urb);
++      if (mixer->disconnected)
++              return;
++      if (mixer->urb)
++              usb_kill_urb(mixer->urb);
++      if (mixer->rc_urb)
++              usb_kill_urb(mixer->rc_urb);
++      mixer->disconnected = true;
+ }
+ #ifdef CONFIG_PM
+--- a/sound/usb/mixer.h
++++ b/sound/usb/mixer.h
+@@ -22,6 +22,8 @@ struct usb_mixer_interface {
+       struct urb *rc_urb;
+       struct usb_ctrlrequest *rc_setup_packet;
+       u8 rc_buffer[6];
++
++      bool disconnected;
+ };
+ #define MAX_CHANNELS  16      /* max logical channels */
diff --git a/queue-4.13/crypto-shash-fix-zero-length-shash-ahash-digest-crash.patch b/queue-4.13/crypto-shash-fix-zero-length-shash-ahash-digest-crash.patch
new file mode 100644 (file)
index 0000000..9444797
--- /dev/null
@@ -0,0 +1,47 @@
+From b61907bb42409adf9b3120f741af7c57dd7e3db2 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Mon, 9 Oct 2017 23:30:02 +0800
+Subject: crypto: shash - Fix zero-length shash ahash digest crash
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit b61907bb42409adf9b3120f741af7c57dd7e3db2 upstream.
+
+The shash ahash digest adaptor function may crash if given a
+zero-length input together with a null SG list.  This is because
+it tries to read the SG list before looking at the length.
+
+This patch fixes it by checking the length first.
+
+Reported-by: Stephan Müller<smueller@chronox.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Tested-by: Stephan Müller <smueller@chronox.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/shash.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/crypto/shash.c
++++ b/crypto/shash.c
+@@ -275,12 +275,14 @@ static int shash_async_finup(struct ahas
+ int shash_ahash_digest(struct ahash_request *req, struct shash_desc *desc)
+ {
+-      struct scatterlist *sg = req->src;
+-      unsigned int offset = sg->offset;
+       unsigned int nbytes = req->nbytes;
++      struct scatterlist *sg;
++      unsigned int offset;
+       int err;
+-      if (nbytes < min(sg->length, ((unsigned int)(PAGE_SIZE)) - offset)) {
++      if (nbytes &&
++          (sg = req->src, offset = sg->offset,
++           nbytes < min(sg->length, ((unsigned int)(PAGE_SIZE)) - offset))) {
+               void *data;
+               data = kmap_atomic(sg_page(sg));
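Review bot: The rewritten condition performs two assignments inside the `if` through the comma operator (`sg = req->src, offset = sg->offset, …`), which reads as a single boolean test and hides that `sg` and `offset` are only valid when `nbytes` is non-zero. A one-line comment above it would spare the next reader the decoding, e.g. `/* req->src may be NULL for a zero-length request, so only dereference it when there is data */`. The rest of shash_ahash_digest(), including the else branch that the zero-length case now falls into, is outside the hunk.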
diff --git a/queue-4.13/crypto-skcipher-fix-crash-on-zero-length-input.patch b/queue-4.13/crypto-skcipher-fix-crash-on-zero-length-input.patch
new file mode 100644 (file)
index 0000000..e11f295
--- /dev/null
@@ -0,0 +1,74 @@
+From 0cabf2af6f5ac3c88cb106c4e06087a5a39b8e1e Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Sat, 7 Oct 2017 11:29:48 +0800
+Subject: crypto: skcipher - Fix crash on zero-length input
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 0cabf2af6f5ac3c88cb106c4e06087a5a39b8e1e upstream.
+
+The skcipher walk interface doesn't handle zero-length input
+properly as the old blkcipher walk interface did.  This is due
+to the fact that the length check is done too late.
+
+This patch moves the length check forward so that it does the
+right thing.
+
+Fixes: b286d8b1a690 ("crypto: skcipher - Add skcipher walk...")
+Reported-by: Stephan Müller <smueller@chronox.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/skcipher.c |   17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/crypto/skcipher.c
++++ b/crypto/skcipher.c
+@@ -426,14 +426,9 @@ static int skcipher_copy_iv(struct skcip
+ static int skcipher_walk_first(struct skcipher_walk *walk)
+ {
+-      walk->nbytes = 0;
+-
+       if (WARN_ON_ONCE(in_irq()))
+               return -EDEADLK;
+-      if (unlikely(!walk->total))
+-              return 0;
+-
+       walk->buffer = NULL;
+       if (unlikely(((unsigned long)walk->iv & walk->alignmask))) {
+               int err = skcipher_copy_iv(walk);
+@@ -452,10 +447,15 @@ static int skcipher_walk_skcipher(struct
+ {
+       struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
++      walk->total = req->cryptlen;
++      walk->nbytes = 0;
++
++      if (unlikely(!walk->total))
++              return 0;
++
+       scatterwalk_start(&walk->in, req->src);
+       scatterwalk_start(&walk->out, req->dst);
+-      walk->total = req->cryptlen;
+       walk->iv = req->iv;
+       walk->oiv = req->iv;
+@@ -509,6 +509,11 @@ static int skcipher_walk_aead_common(str
+       struct crypto_aead *tfm = crypto_aead_reqtfm(req);
+       int err;
++      walk->nbytes = 0;
++
++      if (unlikely(!walk->total))
++              return 0;
++
+       walk->flags &= ~SKCIPHER_WALK_PHYS;
+       scatterwalk_start(&walk->in, req->src);
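Review bot: skcipher_walk_first() no longer zeroes walk->nbytes nor rejects walk->total == 0, so every caller must now do both before calling it; the hunk updates skcipher_walk_skcipher() and skcipher_walk_aead_common(), and any other caller outside the shown context would need the same treatment. In skcipher_walk_aead_common() the early `return 0` reads walk->total without setting it, so it depends on the callers having stored total beforehand — inferred from the structure, not visible here. A comment where the check used to live in skcipher_walk_first(), e.g. `/* callers must zero walk->nbytes and return early on walk->total == 0 before calling this */`, would keep the contract discoverable.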
diff --git a/queue-4.13/device-property-track-owner-device-of-device-property.patch b/queue-4.13/device-property-track-owner-device-of-device-property.patch
new file mode 100644 (file)
index 0000000..3fbdcbf
--- /dev/null
@@ -0,0 +1,108 @@
+From 5ab894aee0f171a682bcd90dd5d1930cb53c55dc Mon Sep 17 00:00:00 2001
+From: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Date: Mon, 9 Oct 2017 16:28:37 +0300
+Subject: device property: Track owner device of device property
+
+From: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+
+commit 5ab894aee0f171a682bcd90dd5d1930cb53c55dc upstream.
+
+Deletion of subdevice will remove device properties associated to parent
+when they share the same firmware node after commit 478573c93abd (driver
+core: Don't leak secondary fwnode on device removal).  This was observed
+with a driver adding subdevice that driver wasn't able to read device
+properties after rmmod/modprobe cycle.
+
+Consider the lifecycle of it:
+
+parent device registration
+       ACPI_COMPANION_SET()
+       device_add_properties()
+               pset_copy_set()
+               set_secondary_fwnode(dev, &p->fwnode)
+       device_add()
+
+parent probe
+       read device properties
+       ACPI_COMPANION_SET(subdevice, ACPI_COMPANION(parent))
+       device_add(subdevice)
+
+parent remove
+       device_del(subdevice)
+               device_remove_properties()
+                       set_secondary_fwnode(dev, NULL);
+                       pset_free()
+
+Parent device will have its primary firmware node pointing to an ACPI
+node and secondary firmware node point to device properties.
+
+ACPI_COMPANION_SET() call in parent probe will set the subdevice's
+firmware node to point to the same 'struct fwnode_handle' and the
+associated secondary firmware node, i.e. the device properties as the
+parent.
+
+When subdevice is deleted in parent remove that will remove those
+device properties and attempt to read device properties in next
+parent probe call will fail.
+
+Fix this by tracking the owner device of device properties and delete
+them only when owner device is being deleted.
+
+Fixes: 478573c93abd (driver core: Don't leak secondary fwnode on device removal)
+Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/property.c |   15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/base/property.c
++++ b/drivers/base/property.c
+@@ -21,6 +21,7 @@
+ #include <linux/phy.h>
+ struct property_set {
++      struct device *dev;
+       struct fwnode_handle fwnode;
+       const struct property_entry *properties;
+ };
+@@ -855,6 +856,7 @@ static struct property_set *pset_copy_se
+ void device_remove_properties(struct device *dev)
+ {
+       struct fwnode_handle *fwnode;
++      struct property_set *pset;
+       fwnode = dev_fwnode(dev);
+       if (!fwnode)
+@@ -864,16 +866,16 @@ void device_remove_properties(struct dev
+        * the pset. If there is no real firmware node (ACPI/DT) primary
+        * will hold the pset.
+        */
+-      if (is_pset_node(fwnode)) {
++      pset = to_pset_node(fwnode);
++      if (pset) {
+               set_primary_fwnode(dev, NULL);
+-              pset_free_set(to_pset_node(fwnode));
+       } else {
+-              fwnode = fwnode->secondary;
+-              if (!IS_ERR(fwnode) && is_pset_node(fwnode)) {
++              pset = to_pset_node(fwnode->secondary);
++              if (pset && dev == pset->dev)
+                       set_secondary_fwnode(dev, NULL);
+-                      pset_free_set(to_pset_node(fwnode));
+-              }
+       }
++      if (pset && dev == pset->dev)
++              pset_free_set(pset);
+ }
+ EXPORT_SYMBOL_GPL(device_remove_properties);
+@@ -903,6 +905,7 @@ int device_add_properties(struct device
+       p->fwnode.type = FWNODE_PDATA;
+       p->fwnode.ops = &pset_fwnode_ops;
+       set_secondary_fwnode(dev, &p->fwnode);
++      p->dev = dev;
+       return 0;
+ }
+ EXPORT_SYMBOL_GPL(device_add_properties);
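Review bot: The secondary-node path drops the explicit `!IS_ERR(fwnode)` test and relies on to_pset_node() tolerating an ERR_PTR in `fwnode->secondary`; that helper is outside the hunk, so for the 4.13 backport it is worth confirming it uses an IS_ERR_OR_NULL-style check rather than dereferencing the pointer. The two branches of device_remove_properties() are also asymmetric: `set_primary_fwnode(dev, NULL)` runs for any pset found on the primary node, whereas the secondary node is cleared only when `dev == pset->dev`, and pset_free_set() is owner-gated in both cases. If a pset on the primary node can only ever belong to that device the asymmetry is harmless, but a comment saying so at the `if (pset) {` line would stop the next reader from treating it as a bug.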
diff --git a/queue-4.13/dmaengine-edma-align-the-memcpy-acnt-array-size-with-the-transfer.patch b/queue-4.13/dmaengine-edma-align-the-memcpy-acnt-array-size-with-the-transfer.patch
new file mode 100644 (file)
index 0000000..957063e
--- /dev/null
@@ -0,0 +1,77 @@
+From 87a2f622cc6446c7d09ac655b7b9b04886f16a4c Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Mon, 18 Sep 2017 11:16:26 +0300
+Subject: dmaengine: edma: Align the memcpy acnt array size with the transfer
+
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+
+commit 87a2f622cc6446c7d09ac655b7b9b04886f16a4c upstream.
+
+Memory to Memory transfers does not have any special alignment needs
+regarding to acnt array size, but if one of the areas are in memory mapped
+regions (like PCIe memory), we need to make sure that the acnt array size
+is aligned with the mem copy parameters.
+
+Before "dmaengine: edma: Optimize memcpy operation" change the memcpy was set
+up in a different way: acnt == number of bytes in a word based on
+__ffs((src | dest | len), bcnt and ccnt for looping the necessary number of
+words to comlete the trasnfer.
+
+Instead of reverting the commit we can fix it to make sure that the ACNT size
+is aligned to the traswnfer.
+
+Fixes: df6694f80365a (dmaengine: edma: Optimize memcpy operation)
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/edma.c |   19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/drivers/dma/edma.c
++++ b/drivers/dma/edma.c
+@@ -1143,11 +1143,24 @@ static struct dma_async_tx_descriptor *e
+       struct edma_desc *edesc;
+       struct device *dev = chan->device->dev;
+       struct edma_chan *echan = to_edma_chan(chan);
+-      unsigned int width, pset_len;
++      unsigned int width, pset_len, array_size;
+       if (unlikely(!echan || !len))
+               return NULL;
++      /* Align the array size (acnt block) with the transfer properties */
++      switch (__ffs((src | dest | len))) {
++      case 0:
++              array_size = SZ_32K - 1;
++              break;
++      case 1:
++              array_size = SZ_32K - 2;
++              break;
++      default:
++              array_size = SZ_32K - 4;
++              break;
++      }
++
+       if (len < SZ_64K) {
+               /*
+                * Transfer size less than 64K can be handled with one paRAM
+@@ -1169,7 +1182,7 @@ static struct dma_async_tx_descriptor *e
+                * When the full_length is multibple of 32767 one slot can be
+                * used to complete the transfer.
+                */
+-              width = SZ_32K - 1;
++              width = array_size;
+               pset_len = rounddown(len, width);
+               /* One slot is enough for lengths multiple of (SZ_32K -1) */
+               if (unlikely(pset_len == len))
+@@ -1217,7 +1230,7 @@ static struct dma_async_tx_descriptor *e
+               }
+               dest += pset_len;
+               src += pset_len;
+-              pset_len = width = len % (SZ_32K - 1);
++              pset_len = width = len % array_size;
+               ret = edma_config_pset(chan, &edesc->pset[1], src, dest, 1,
+                                      width, pset_len, DMA_MEM_TO_MEM);
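Review bot: The `default` arm of the new switch maps every alignment of 4 bytes and wider to `SZ_32K - 4`, so an 8- or 16-byte-aligned transfer gets an acnt that is only a multiple of 4; the comment above the switch says the size is aligned with the transfer properties but not why 4 is the widest access that matters. Extending that comment with the reason (for instance the widest element the controller actually issues) would make the cap read as intentional; if wider accesses do matter for the memory-mapped case the description mentions, the switch would need additional arms. The second use at `pset_len = width = len % array_size;` is consistent with the first, and the lines of the enclosing function between the hunks are outside the shown context.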
diff --git a/queue-4.13/dmaengine-ti-dma-crossbar-fix-possible-race-condition-with-dma_inuse.patch b/queue-4.13/dmaengine-ti-dma-crossbar-fix-possible-race-condition-with-dma_inuse.patch
new file mode 100644 (file)
index 0000000..0344252
--- /dev/null
@@ -0,0 +1,40 @@
+From 2ccb4837c938357233a0b8818e3ca3e58242c952 Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Thu, 21 Sep 2017 14:35:32 +0300
+Subject: dmaengine: ti-dma-crossbar: Fix possible race condition with dma_inuse
+
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+
+commit 2ccb4837c938357233a0b8818e3ca3e58242c952 upstream.
+
+When looking for unused xbar_out lane we should also protect the set_bit()
+call with the same mutex to protect against concurrent threads picking the
+same ID.
+
+Fixes: ec9bfa1e1a796 ("dmaengine: ti-dma-crossbar: dra7: Use bitops instead of idr")
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/ti-dma-crossbar.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/dma/ti-dma-crossbar.c
++++ b/drivers/dma/ti-dma-crossbar.c
+@@ -262,13 +262,14 @@ static void *ti_dra7_xbar_route_allocate
+       mutex_lock(&xbar->mutex);
+       map->xbar_out = find_first_zero_bit(xbar->dma_inuse,
+                                           xbar->dma_requests);
+-      mutex_unlock(&xbar->mutex);
+       if (map->xbar_out == xbar->dma_requests) {
++              mutex_unlock(&xbar->mutex);
+               dev_err(&pdev->dev, "Run out of free DMA requests\n");
+               kfree(map);
+               return ERR_PTR(-ENOMEM);
+       }
+       set_bit(map->xbar_out, xbar->dma_inuse);
++      mutex_unlock(&xbar->mutex);
+       map->xbar_in = (u16)dma_spec->args[0];
diff --git a/queue-4.13/fs-mpage.c-fix-mpage_writepage-for-pages-with-buffers.patch b/queue-4.13/fs-mpage.c-fix-mpage_writepage-for-pages-with-buffers.patch
new file mode 100644 (file)
index 0000000..0df452d
--- /dev/null
@@ -0,0 +1,91 @@
+From f892760aa66a2d657deaf59538fb69433036767c Mon Sep 17 00:00:00 2001
+From: Matthew Wilcox <willy@infradead.org>
+Date: Fri, 13 Oct 2017 15:58:15 -0700
+Subject: fs/mpage.c: fix mpage_writepage() for pages with buffers
+
+From: Matthew Wilcox <willy@infradead.org>
+
+commit f892760aa66a2d657deaf59538fb69433036767c upstream.
+
+When using FAT on a block device which supports rw_page, we can hit
+BUG_ON(!PageLocked(page)) in try_to_free_buffers().  This is because we
+call clean_buffers() after unlocking the page we've written.  Introduce
+a new clean_page_buffers() which cleans all buffers associated with a
+page and call it from within bdev_write_page().
+
+[akpm@linux-foundation.org: s/PAGE_SIZE/~0U/ per Linus and Matthew]
+Link: http://lkml.kernel.org/r/20171006211541.GA7409@bombadil.infradead.org
+Signed-off-by: Matthew Wilcox <mawilcox@microsoft.com>
+Reported-by: Toshi Kani <toshi.kani@hpe.com>
+Reported-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Tested-by: Toshi Kani <toshi.kani@hpe.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/block_dev.c              |    6 ++++--
+ fs/mpage.c                  |   14 +++++++++++---
+ include/linux/buffer_head.h |    1 +
+ 3 files changed, 16 insertions(+), 5 deletions(-)
+
+--- a/fs/block_dev.c
++++ b/fs/block_dev.c
+@@ -716,10 +716,12 @@ int bdev_write_page(struct block_device
+       set_page_writeback(page);
+       result = ops->rw_page(bdev, sector + get_start_sect(bdev), page, true);
+-      if (result)
++      if (result) {
+               end_page_writeback(page);
+-      else
++      } else {
++              clean_page_buffers(page);
+               unlock_page(page);
++      }
+       blk_queue_exit(bdev->bd_queue);
+       return result;
+ }
+--- a/fs/mpage.c
++++ b/fs/mpage.c
+@@ -468,6 +468,16 @@ static void clean_buffers(struct page *p
+               try_to_free_buffers(page);
+ }
++/*
++ * For situations where we want to clean all buffers attached to a page.
++ * We don't need to calculate how many buffers are attached to the page,
++ * we just need to specify a number larger than the maximum number of buffers.
++ */
++void clean_page_buffers(struct page *page)
++{
++      clean_buffers(page, ~0U);
++}
++
+ static int __mpage_writepage(struct page *page, struct writeback_control *wbc,
+                     void *data)
+ {
+@@ -605,10 +615,8 @@ alloc_new:
+       if (bio == NULL) {
+               if (first_unmapped == blocks_per_page) {
+                       if (!bdev_write_page(bdev, blocks[0] << (blkbits - 9),
+-                                                              page, wbc)) {
+-                              clean_buffers(page, first_unmapped);
++                                                              page, wbc))
+                               goto out;
+-                      }
+               }
+               bio = mpage_alloc(bdev, blocks[0] << (blkbits - 9),
+                               BIO_MAX_PAGES, GFP_NOFS|__GFP_HIGH);
+--- a/include/linux/buffer_head.h
++++ b/include/linux/buffer_head.h
+@@ -232,6 +232,7 @@ int generic_write_end(struct file *, str
+                               loff_t, unsigned, unsigned,
+                               struct page *, void *);
+ void page_zero_new_buffers(struct page *page, unsigned from, unsigned to);
++void clean_page_buffers(struct page *page);
+ int cont_write_begin(struct file *, struct address_space *, loff_t,
+                       unsigned, unsigned, struct page **, void **,
+                       get_block_t *, loff_t *);
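Review bot: The header comment on the new clean_page_buffers() explains the `~0U` count but not the locking requirement that motivated the change: clean_buffers() can reach try_to_free_buffers(), which per the description BUG_ONs on an unlocked page, so callers must hold the page lock, as bdev_write_page() now does by calling it before unlock_page(). Suggest adding ` * The caller must hold the page lock; clean_buffers() may call try_to_free_buffers().` to that comment and a matching sentence on the prototype in buffer_head.h. clean_page_buffers() is non-static without an EXPORT_SYMBOL, which is fine while its only caller in fs/block_dev.c is built in, but a modular caller could not link against it.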
diff --git a/queue-4.13/hid-usbhid-fix-out-of-bounds-bug.patch b/queue-4.13/hid-usbhid-fix-out-of-bounds-bug.patch
new file mode 100644 (file)
index 0000000..2f25d25
--- /dev/null
@@ -0,0 +1,108 @@
+From f043bfc98c193c284e2cd768fefabe18ac2fed9b Mon Sep 17 00:00:00 2001
+From: Jaejoong Kim <climbbb.kim@gmail.com>
+Date: Thu, 28 Sep 2017 19:16:30 +0900
+Subject: HID: usbhid: fix out-of-bounds bug
+
+From: Jaejoong Kim <climbbb.kim@gmail.com>
+
+commit f043bfc98c193c284e2cd768fefabe18ac2fed9b upstream.
+
+The hid descriptor identifies the length and type of subordinate
+descriptors for a device. If the received hid descriptor is smaller than
+the size of the struct hid_descriptor, it is possible to cause
+out-of-bounds.
+
+In addition, if bNumDescriptors of the hid descriptor have an incorrect
+value, this can also cause out-of-bounds while approaching hdesc->desc[n].
+
+So check the size of hid descriptor and bNumDescriptors.
+
+       BUG: KASAN: slab-out-of-bounds in usbhid_parse+0x9b1/0xa20
+       Read of size 1 at addr ffff88006c5f8edf by task kworker/1:2/1261
+
+       CPU: 1 PID: 1261 Comm: kworker/1:2 Not tainted
+       4.14.0-rc1-42251-gebb2c2437d80 #169
+       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+       Workqueue: usb_hub_wq hub_event
+       Call Trace:
+       __dump_stack lib/dump_stack.c:16
+       dump_stack+0x292/0x395 lib/dump_stack.c:52
+       print_address_description+0x78/0x280 mm/kasan/report.c:252
+       kasan_report_error mm/kasan/report.c:351
+       kasan_report+0x22f/0x340 mm/kasan/report.c:409
+       __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
+       usbhid_parse+0x9b1/0xa20 drivers/hid/usbhid/hid-core.c:1004
+       hid_add_device+0x16b/0xb30 drivers/hid/hid-core.c:2944
+       usbhid_probe+0xc28/0x1100 drivers/hid/usbhid/hid-core.c:1369
+       usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
+       really_probe drivers/base/dd.c:413
+       driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
+       __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
+       bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
+       __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
+       device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
+       bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
+       device_add+0xd0b/0x1660 drivers/base/core.c:1835
+       usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
+       generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
+       usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
+       really_probe drivers/base/dd.c:413
+       driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
+       __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
+       bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
+       __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
+       device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
+       bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
+       device_add+0xd0b/0x1660 drivers/base/core.c:1835
+       usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
+       hub_port_connect drivers/usb/core/hub.c:4903
+       hub_port_connect_change drivers/usb/core/hub.c:5009
+       port_event drivers/usb/core/hub.c:5115
+       hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
+       process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
+       worker_thread+0x221/0x1850 kernel/workqueue.c:2253
+       kthread+0x3a1/0x470 kernel/kthread.c:231
+       ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/usbhid/hid-core.c |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/usbhid/hid-core.c
++++ b/drivers/hid/usbhid/hid-core.c
+@@ -975,6 +975,8 @@ static int usbhid_parse(struct hid_devic
+       unsigned int rsize = 0;
+       char *rdesc;
+       int ret, n;
++      int num_descriptors;
++      size_t offset = offsetof(struct hid_descriptor, desc);
+       quirks = usbhid_lookup_quirk(le16_to_cpu(dev->descriptor.idVendor),
+                       le16_to_cpu(dev->descriptor.idProduct));
+@@ -997,10 +999,18 @@ static int usbhid_parse(struct hid_devic
+               return -ENODEV;
+       }
++      if (hdesc->bLength < sizeof(struct hid_descriptor)) {
++              dbg_hid("hid descriptor is too short\n");
++              return -EINVAL;
++      }
++
+       hid->version = le16_to_cpu(hdesc->bcdHID);
+       hid->country = hdesc->bCountryCode;
+-      for (n = 0; n < hdesc->bNumDescriptors; n++)
++      num_descriptors = min_t(int, hdesc->bNumDescriptors,
++             (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
++
++      for (n = 0; n < num_descriptors; n++)
+               if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
+                       rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
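Review bot: The new guard trusts `hdesc->bLength` to describe bytes that are actually present, but bLength is itself device-supplied; unless the path that located hdesc already validated bLength against the remaining descriptor buffer, the clamped loop can still read past the end of what was received, so that assumption is worth confirming before relying on this check alone. The clamp also deserves a why-comment, e.g. `/* Trust only as many class descriptors as bLength actually covers */` above the `num_descriptors = min_t(...)` line. usbhid_parse() starts before the hunk and continues after it.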
diff --git a/queue-4.13/iommu-amd-finish-tlb-flush-in-amd_iommu_unmap.patch b/queue-4.13/iommu-amd-finish-tlb-flush-in-amd_iommu_unmap.patch
new file mode 100644 (file)
index 0000000..3774960
--- /dev/null
@@ -0,0 +1,31 @@
+From ce76353f169a6471542d999baf3d29b121dce9c0 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <jroedel@suse.de>
+Date: Fri, 13 Oct 2017 14:32:37 +0200
+Subject: iommu/amd: Finish TLB flush in amd_iommu_unmap()
+
+From: Joerg Roedel <jroedel@suse.de>
+
+commit ce76353f169a6471542d999baf3d29b121dce9c0 upstream.
+
+The function only sends the flush command to the IOMMU(s),
+but does not wait for its completion when it returns. Fix
+that.
+
+Fixes: 601367d76bd1 ('x86/amd-iommu: Remove iommu_flush_domain function')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/amd_iommu.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -3262,6 +3262,7 @@ static size_t amd_iommu_unmap(struct iom
+       mutex_unlock(&domain->api_lock);
+       domain_flush_tlb_pde(domain);
++      domain_flush_complete(domain);
+       return unmap_size;
+ }
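Review bot: The added `domain_flush_complete(domain);` is the line that makes the unmap synchronous, and it runs after `mutex_unlock(&domain->api_lock)`, so a one-line comment would stop a future reordering from silently dropping it, e.g. `/* Do not return until the IOTLB no longer holds the old translation */`. Without the wait, a caller could reuse or free the pages while in-flight translations still permit DMA to them, which is the hazard the commit message describes. amd_iommu_unmap() starts outside the hunk.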
diff --git a/queue-4.13/kvm-mmu-always-terminate-page-walks-at-level-1.patch b/queue-4.13/kvm-mmu-always-terminate-page-walks-at-level-1.patch
new file mode 100644 (file)
index 0000000..efe8c7d
--- /dev/null
@@ -0,0 +1,80 @@
+From 829ee279aed43faa5cb1e4d65c0cad52f2426c53 Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek@redhat.com>
+Date: Thu, 5 Oct 2017 11:10:23 +0200
+Subject: KVM: MMU: always terminate page walks at level 1
+
+From: Ladi Prosek <lprosek@redhat.com>
+
+commit 829ee279aed43faa5cb1e4d65c0cad52f2426c53 upstream.
+
+is_last_gpte() is not equivalent to the pseudo-code given in commit
+6bb69c9b69c31 ("KVM: MMU: simplify last_pte_bitmap") because an incorrect
+value of last_nonleaf_level may override the result even if level == 1.
+
+It is critical for is_last_gpte() to return true on level == 1 to
+terminate page walks. Otherwise memory corruption may occur as level
+is used as an index to various data structures throughout the page
+walking code.  Even though the actual bug would be wherever the MMU is
+initialized (as in the previous patch), be defensive and ensure here
+that is_last_gpte() returns the correct value.
+
+This patch is also enough to fix CVE-2017-12188.
+
+Fixes: 6bb69c9b69c315200ddc2bc79aee14c0184cf5b2
+Cc: Andy Honig <ahonig@google.com>
+Signed-off-by: Ladi Prosek <lprosek@redhat.com>
+[Panic if walk_addr_generic gets an incorrect level; this is a serious
+ bug and it's not worth a WARN_ON where the recovery path might hide
+ further exploitable issues; suggested by Andrew Honig. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/mmu.c         |   14 +++++++-------
+ arch/x86/kvm/paging_tmpl.h |    3 ++-
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -3935,19 +3935,19 @@ static inline bool is_last_gpte(struct k
+                               unsigned level, unsigned gpte)
+ {
+       /*
+-       * PT_PAGE_TABLE_LEVEL always terminates.  The RHS has bit 7 set
+-       * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means
+-       * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then.
+-       */
+-      gpte |= level - PT_PAGE_TABLE_LEVEL - 1;
+-
+-      /*
+        * The RHS has bit 7 set iff level < mmu->last_nonleaf_level.
+        * If it is clear, there are no large pages at this level, so clear
+        * PT_PAGE_SIZE_MASK in gpte if that is the case.
+        */
+       gpte &= level - mmu->last_nonleaf_level;
++      /*
++       * PT_PAGE_TABLE_LEVEL always terminates.  The RHS has bit 7 set
++       * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means
++       * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then.
++       */
++      gpte |= level - PT_PAGE_TABLE_LEVEL - 1;
++
+       return gpte & PT_PAGE_SIZE_MASK;
+ }
+--- a/arch/x86/kvm/paging_tmpl.h
++++ b/arch/x86/kvm/paging_tmpl.h
+@@ -334,10 +334,11 @@ retry_walk:
+               --walker->level;
+               index = PT_INDEX(addr, walker->level);
+-
+               table_gfn = gpte_to_gfn(pte);
+               offset    = index * sizeof(pt_element_t);
+               pte_gpa   = gfn_to_gpa(table_gfn) + offset;
++
++              BUG_ON(walker->level < 1);
+               walker->table_gfn[walker->level - 1] = table_gfn;
+               walker->pte_gpa[walker->level - 1] = pte_gpa;
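Review bot: The new `BUG_ON(walker->level < 1);` in paging_tmpl.h sits several statements after `--walker->level;`, so `PT_INDEX(addr, walker->level)` has already run with the suspect value; placing the check immediately after the decrement would cover every use of the decremented level. In is_last_gpte(), the reordering makes `gpte |= level - PT_PAGE_TABLE_LEVEL - 1;` the last word, which depends on `level` being unsigned (as the signature shows) so the subtraction wraps and sets bit 7 at level == PT_PAGE_TABLE_LEVEL; a brief mention in the comment, such as `/* relies on unsigned wrap-around at level == PT_PAGE_TABLE_LEVEL */`, would make that explicit. Both enclosing functions extend outside the hunk.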
diff --git a/queue-4.13/kvm-nvmx-fix-guest-cr4-loading-when-emulating-l2-to-l1-exit.patch b/queue-4.13/kvm-nvmx-fix-guest-cr4-loading-when-emulating-l2-to-l1-exit.patch
new file mode 100644 (file)
index 0000000..a11d712
--- /dev/null
@@ -0,0 +1,55 @@
+From 8eb3f87d903168bdbd1222776a6b1e281f50513e Mon Sep 17 00:00:00 2001
+From: Haozhong Zhang <haozhong.zhang@intel.com>
+Date: Tue, 10 Oct 2017 15:01:22 +0800
+Subject: KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
+
+From: Haozhong Zhang <haozhong.zhang@intel.com>
+
+commit 8eb3f87d903168bdbd1222776a6b1e281f50513e upstream.
+
+When KVM emulates an exit from L2 to L1, it loads L1 CR4 into the
+guest CR4. Before this CR4 loading, the guest CR4 refers to L2
+CR4. Because these two CR4's are in different levels of guest, we
+should vmx_set_cr4() rather than kvm_set_cr4() here. The latter, which
+is used to handle guest writes to its CR4, checks the guest change to
+CR4 and may fail if the change is invalid.
+
+The failure may cause trouble. Consider we start
+  a L1 guest with non-zero L1 PCID in use,
+     (i.e. L1 CR4.PCIDE == 1 && L1 CR3.PCID != 0)
+and
+  a L2 guest with L2 PCID disabled,
+     (i.e. L2 CR4.PCIDE == 0)
+and following events may happen:
+
+1. If kvm_set_cr4() is used in load_vmcs12_host_state() to load L1 CR4
+   into guest CR4 (in VMCS01) for L2 to L1 exit, it will fail because
+   of PCID check. As a result, the guest CR4 recorded in L0 KVM (i.e.
+   vcpu->arch.cr4) is left to the value of L2 CR4.
+
+2. Later, if L1 attempts to change its CR4, e.g., clearing VMXE bit,
+   kvm_set_cr4() in L0 KVM will think L1 also wants to enable PCID,
+   because the wrong L2 CR4 is used by L0 KVM as L1 CR4. As L1
+   CR3.PCID != 0, L0 KVM will inject GP to L1 guest.
+
+Fixes: 4704d0befb072 ("KVM: nVMX: Exiting from L2 to L1")
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -11013,7 +11013,7 @@ static void load_vmcs12_host_state(struc
+       /* Same as above - no reason to call set_cr4_guest_host_mask().  */
+       vcpu->arch.cr4_guest_owned_bits = ~vmcs_readl(CR4_GUEST_HOST_MASK);
+-      kvm_set_cr4(vcpu, vmcs12->host_cr4);
++      vmx_set_cr4(vcpu, vmcs12->host_cr4);
+       nested_ept_uninit_mmu_context(vcpu);
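Review bot: `vmx_set_cr4()` returns an int status and the new line discards it, so a `host_cr4` that the vendor routine rejects would be silently ignored here; the commit message explains why the guest-write path kvm_set_cr4() was wrong, but not what should happen if vmx_set_cr4() itself fails. If the nested VM-entry checks are expected to have validated `vmcs12->host_cr4` earlier, a comment stating that assumption would help, e.g. `/* host_cr4 was checked at VM-entry; load it via the vendor routine, not the guest-write path */`. load_vmcs12_host_state() extends outside the hunk.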
diff --git a/queue-4.13/mei-always-use-domain-runtime-pm-callbacks.patch b/queue-4.13/mei-always-use-domain-runtime-pm-callbacks.patch
new file mode 100644 (file)
index 0000000..b00b8a6
--- /dev/null
@@ -0,0 +1,145 @@
+From b42dc0635bf0a6aa59fe4d7c826796ff659908c7 Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Tue, 26 Sep 2017 09:18:27 +0300
+Subject: mei: always use domain runtime pm callbacks.
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit b42dc0635bf0a6aa59fe4d7c826796ff659908c7 upstream.
+
+This patch fixes a regression caused by the new changes
+in the "run wake" handlers.
+
+The mei devices that support D0i3 are no longer receiving an interrupt
+after entering runtime suspend state and will stall.
+
+pci_dev_run_wake function now returns "true" for some devices
+(including mei) for which it used to return "false",
+arguably incorrectly as "run wake" used to mean that
+wakeup signals can be generated for a device in
+the working state of the system, so it could not be enabled
+or disabled before too.
+
+MEI maps runtime suspend/resume to its own defined
+power gating (PG) states, (D0i3 or other depending on generation),
+hence we need to go around the native PCI runtime service which
+eventually brings the device into D3cold/hot state,
+but the mei devices cannot wake up from D3 unlike from D0i3/PG state,
+which keeps irq running.
+To get around PCI device native runtime pm,
+MEI uses runtime pm domain handlers which take precedence.
+
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/mei/pci-me.c  |   21 +++++++++++----------
+ drivers/misc/mei/pci-txe.c |   30 +++++++++++-------------------
+ 2 files changed, 22 insertions(+), 29 deletions(-)
+
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -222,12 +222,15 @@ static int mei_me_probe(struct pci_dev *
+       pdev->dev_flags |= PCI_DEV_FLAGS_NEEDS_RESUME;
+       /*
+-      * For not wake-able HW runtime pm framework
+-      * can't be used on pci device level.
+-      * Use domain runtime pm callbacks instead.
+-      */
+-      if (!pci_dev_run_wake(pdev))
+-              mei_me_set_pm_domain(dev);
++       * ME maps runtime suspend/resume to D0i states,
++       * hence we need to go around native PCI runtime service which
++       * eventually brings the device into D3cold/hot state,
++       * but the mei device cannot wake up from D3 unlike from D0i3.
++       * To get around the PCI device native runtime pm,
++       * ME uses runtime pm domain handlers which take precedence
++       * over the driver's pm handlers.
++       */
++      mei_me_set_pm_domain(dev);
+       if (mei_pg_is_enabled(dev))
+               pm_runtime_put_noidle(&pdev->dev);
+@@ -267,8 +270,7 @@ static void mei_me_shutdown(struct pci_d
+       dev_dbg(&pdev->dev, "shutdown\n");
+       mei_stop(dev);
+-      if (!pci_dev_run_wake(pdev))
+-              mei_me_unset_pm_domain(dev);
++      mei_me_unset_pm_domain(dev);
+       mei_disable_interrupts(dev);
+       free_irq(pdev->irq, dev);
+@@ -296,8 +298,7 @@ static void mei_me_remove(struct pci_dev
+       dev_dbg(&pdev->dev, "stop\n");
+       mei_stop(dev);
+-      if (!pci_dev_run_wake(pdev))
+-              mei_me_unset_pm_domain(dev);
++      mei_me_unset_pm_domain(dev);
+       mei_disable_interrupts(dev);
+--- a/drivers/misc/mei/pci-txe.c
++++ b/drivers/misc/mei/pci-txe.c
+@@ -144,12 +144,14 @@ static int mei_txe_probe(struct pci_dev
+       pdev->dev_flags |= PCI_DEV_FLAGS_NEEDS_RESUME;
+       /*
+-      * For not wake-able HW runtime pm framework
+-      * can't be used on pci device level.
+-      * Use domain runtime pm callbacks instead.
+-      */
+-      if (!pci_dev_run_wake(pdev))
+-              mei_txe_set_pm_domain(dev);
++       * TXE maps runtime suspend/resume to own power gating states,
++       * hence we need to go around native PCI runtime service which
++       * eventually brings the device into D3cold/hot state.
++       * But the TXE device cannot wake up from D3 unlike from own
++       * power gating. To get around PCI device native runtime pm,
++       * TXE uses runtime pm domain handlers which take precedence.
++       */
++      mei_txe_set_pm_domain(dev);
+       pm_runtime_put_noidle(&pdev->dev);
+@@ -186,8 +188,7 @@ static void mei_txe_shutdown(struct pci_
+       dev_dbg(&pdev->dev, "shutdown\n");
+       mei_stop(dev);
+-      if (!pci_dev_run_wake(pdev))
+-              mei_txe_unset_pm_domain(dev);
++      mei_txe_unset_pm_domain(dev);
+       mei_disable_interrupts(dev);
+       free_irq(pdev->irq, dev);
+@@ -215,8 +216,7 @@ static void mei_txe_remove(struct pci_de
+       mei_stop(dev);
+-      if (!pci_dev_run_wake(pdev))
+-              mei_txe_unset_pm_domain(dev);
++      mei_txe_unset_pm_domain(dev);
+       mei_disable_interrupts(dev);
+       free_irq(pdev->irq, dev);
+@@ -318,15 +318,7 @@ static int mei_txe_pm_runtime_suspend(st
+       else
+               ret = -EAGAIN;
+-      /*
+-       * If everything is okay we're about to enter PCI low
+-       * power state (D3) therefor we need to disable the
+-       * interrupts towards host.
+-       * However if device is not wakeable we do not enter
+-       * D-low state and we need to keep the interrupt kicking
+-       */
+-      if (!ret && pci_dev_run_wake(pdev))
+-              mei_disable_interrupts(dev);
++      /* keep irq on we are staying in D0 */
+       dev_dbg(&pdev->dev, "rpm: txe: runtime suspend ret=%d\n", ret);
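Review bot: The replacement comment near the end of mei_txe_pm_runtime_suspend(), `/* keep irq on we are staying in D0 */`, is terse for a change that deliberately leaves interrupts live across runtime suspend; consider `/* The device stays in D0 (its own PG state) during runtime suspend, so the IRQ must stay enabled to receive the wake. */`. The new probe comments in pci-me.c and pci-txe.c say the same thing in slightly different words; keeping them identical makes it easier to keep both in sync later. mei_txe_pm_runtime_suspend() extends outside the hunk.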
diff --git a/queue-4.13/mips-bpf-fix-uninitialised-target-compiler-error.patch b/queue-4.13/mips-bpf-fix-uninitialised-target-compiler-error.patch
new file mode 100644 (file)
index 0000000..cc2be80
--- /dev/null
@@ -0,0 +1,54 @@
+From 94c3390ab84a6b449accc7351ffda4a0c17bdb92 Mon Sep 17 00:00:00 2001
+From: Matt Redfearn <matt.redfearn@imgtec.com>
+Date: Wed, 27 Sep 2017 09:14:58 +0100
+Subject: MIPS: bpf: Fix uninitialised target compiler error
+
+From: Matt Redfearn <matt.redfearn@imgtec.com>
+
+commit 94c3390ab84a6b449accc7351ffda4a0c17bdb92 upstream.
+
+Compiling ebpf_jit.c with gcc 4.9 results in a (likely spurious)
+compiler warning, as gcc has detected that the variable "target" may be
+used uninitialised. Since -Werror is active, this is treated as an error
+and causes a kernel build failure whenever CONFIG_MIPS_EBPF_JIT is
+enabled.
+
+arch/mips/net/ebpf_jit.c: In function 'build_one_insn':
+arch/mips/net/ebpf_jit.c:1118:80: error: 'target' may be used
+uninitialized in this function [-Werror=maybe-uninitialized]
+    emit_instr(ctx, j, target);
+                                                                                ^
+cc1: all warnings being treated as errors
+
+Fix this by initialising "target" to 0. If it really is used
+uninitialised this would result in a jump to 0 and a detectable run time
+failure.
+
+Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
+Fixes: b6bd53f9c4e8 ("MIPS: Add missing file for eBPF JIT.")
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: David Daney <david.daney@cavium.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Colin Ian King <colin.king@canonical.com>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/17375/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/net/ebpf_jit.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/net/ebpf_jit.c
++++ b/arch/mips/net/ebpf_jit.c
+@@ -679,7 +679,7 @@ static int build_one_insn(const struct b
+ {
+       int src, dst, r, td, ts, mem_off, b_off;
+       bool need_swap, did_move, cmp_eq;
+-      unsigned int target;
++      unsigned int target = 0;
+       u64 t64;
+       s64 t64s;
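Review bot: Initialising `target` to 0 silences the warning, but if the path the compiler flags is ever reachable the JIT would now emit a jump to 0 into generated code instead of failing to build; since the commit message itself calls this a "detectable run time failure", a `WARN_ON_ONCE` or an explicit error return before the emit would make it detectable at JIT time rather than when the generated code runs, provided 0 is never a legitimate target. build_one_insn() extends well beyond the hunk, so whether that path is reachable cannot be judged from here.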
diff --git a/queue-4.13/mips-math-emu-remove-pr_err-calls-from-fpu_emu.patch b/queue-4.13/mips-math-emu-remove-pr_err-calls-from-fpu_emu.patch
new file mode 100644 (file)
index 0000000..f45c347
--- /dev/null
@@ -0,0 +1,53 @@
+From ca8eb05b5f332a9e1ab3e2ece498d49f4d683470 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@imgtec.com>
+Date: Fri, 8 Sep 2017 15:12:21 -0700
+Subject: MIPS: math-emu: Remove pr_err() calls from fpu_emu()
+
+From: Paul Burton <paul.burton@imgtec.com>
+
+commit ca8eb05b5f332a9e1ab3e2ece498d49f4d683470 upstream.
+
+The FPU emulator includes 2 calls to pr_err() which are triggered by
+invalid instruction encodings for MIPSr6 cmp.cond.fmt instructions.
+These cases are not kernel errors, merely invalid instructions which are
+already handled by delivering a SIGILL which will provide notification
+that something failed in cases where that makes sense.
+
+In cases where that SIGILL is somewhat expected & being handled, for
+example when crashme happens to generate one of the affected bad
+encodings, the message is printed with no useful context about what
+triggered it & spams the kernel log for no good reason.
+
+Remove the pr_err() calls to make crashme run silently & treat the bad
+encodings the same way we do others, with a SIGILL & no further kernel
+log output.
+
+Signed-off-by: Paul Burton <paul.burton@imgtec.com>
+Fixes: f8c3c6717a71 ("MIPS: math-emu: Add support for the CMP.condn.fmt R6 instruction")
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/17253/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/math-emu/cp1emu.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/arch/mips/math-emu/cp1emu.c
++++ b/arch/mips/math-emu/cp1emu.c
+@@ -2387,7 +2387,6 @@ dcopuop:
+                                       break;
+                               default:
+                                       /* Reserved R6 ops */
+-                                      pr_err("Reserved MIPS R6 CMP.condn.S operation\n");
+                                       return SIGILL;
+                               }
+                       }
+@@ -2461,7 +2460,6 @@ dcopuop:
+                                       break;
+                               default:
+                                       /* Reserved R6 ops */
+-                                      pr_err("Reserved MIPS R6 CMP.condn.D operation\n");
+                                       return SIGILL;
+                               }
+                       }
diff --git a/queue-4.13/nfs-filelayout-fix-oops-when-freeing-filelayout-segment.patch b/queue-4.13/nfs-filelayout-fix-oops-when-freeing-filelayout-segment.patch
new file mode 100644 (file)
index 0000000..b84f03a
--- /dev/null
@@ -0,0 +1,86 @@
+From 0a47df11bfc31e1ceae7f91cea84d3bff500475d Mon Sep 17 00:00:00 2001
+From: Scott Mayhew <smayhew@redhat.com>
+Date: Fri, 29 Sep 2017 09:36:43 -0400
+Subject: nfs/filelayout: fix oops when freeing filelayout segment
+
+From: Scott Mayhew <smayhew@redhat.com>
+
+commit 0a47df11bfc31e1ceae7f91cea84d3bff500475d upstream.
+
+Check for a NULL dsaddr in filelayout_free_lseg() before calling
+nfs4_fl_put_deviceid().  This fixes the following oops:
+
+[ 1967.645207] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
+[ 1967.646010] IP: [<ffffffffc06d6aea>] nfs4_put_deviceid_node+0xa/0x90 [nfsv4]
+[ 1967.646010] PGD c08bc067 PUD 915d3067 PMD 0
+[ 1967.753036] Oops: 0000 [#1] SMP
+[ 1967.753036] Modules linked in: nfs_layout_nfsv41_files ext4 mbcache jbd2 loop rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache amd64_edac_mod ipmi_ssif edac_mce_amd edac_core kvm_amd sg kvm ipmi_si ipmi_devintf irqbypass pcspkr k8temp ipmi_msghandler i2c_piix4 shpchp nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c sd_mod crc_t10dif crct10dif_generic crct10dif_common amdkfd amd_iommu_v2 radeon i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops mptsas ttm scsi_transport_sas mptscsih drm mptbase serio_raw i2c_core bnx2 dm_mirror dm_region_hash dm_log dm_mod
+[ 1967.790031] CPU: 2 PID: 1370 Comm: ls Not tainted 3.10.0-709.el7.test.bz1463784.x86_64 #1
+[ 1967.790031] Hardware name: IBM BladeCenter LS21 -[7971AC1]-/Server Blade, BIOS -[BAE155AUS-1.10]- 06/03/2009
+[ 1967.790031] task: ffff8800c42a3f40 ti: ffff8800c4064000 task.ti: ffff8800c4064000
+[ 1967.790031] RIP: 0010:[<ffffffffc06d6aea>]  [<ffffffffc06d6aea>] nfs4_put_deviceid_node+0xa/0x90 [nfsv4]
+[ 1967.790031] RSP: 0000:ffff8800c4067978  EFLAGS: 00010246
+[ 1967.790031] RAX: ffffffffc062f000 RBX: ffff8801d468a540 RCX: dead000000000200
+[ 1967.790031] RDX: ffff8800c40679f8 RSI: ffff8800c4067a0c RDI: 0000000000000000
+[ 1967.790031] RBP: ffff8800c4067980 R08: ffff8801d468a540 R09: 0000000000000000
+[ 1967.790031] R10: 0000000000000000 R11: ffffffffffffffff R12: ffff8801d468a540
+[ 1967.790031] R13: ffff8800c40679f8 R14: ffff8801d5645300 R15: ffff880126f15ff0
+[ 1967.790031] FS:  00007f11053c9800(0000) GS:ffff88012bd00000(0000) knlGS:0000000000000000
+[ 1967.790031] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[ 1967.790031] CR2: 0000000000000030 CR3: 0000000094b55000 CR4: 00000000000007e0
+[ 1967.790031] Stack:
+[ 1967.790031]  ffff8801d468a540 ffff8800c4067990 ffffffffc062d2fe ffff8800c40679b0
+[ 1967.790031]  ffffffffc062b5b4 ffff8800c40679f8 ffff8801d468a540 ffff8800c40679d8
+[ 1967.790031]  ffffffffc06d39af ffff8800c40679f8 ffff880126f16078 0000000000000001
+[ 1967.790031] Call Trace:
+[ 1967.790031]  [<ffffffffc062d2fe>] nfs4_fl_put_deviceid+0xe/0x10 [nfs_layout_nfsv41_files]
+[ 1967.790031]  [<ffffffffc062b5b4>] filelayout_free_lseg+0x24/0x90 [nfs_layout_nfsv41_files]
+[ 1967.790031]  [<ffffffffc06d39af>] pnfs_free_lseg_list+0x5f/0x80 [nfsv4]
+[ 1967.790031]  [<ffffffffc06d5a67>] _pnfs_return_layout+0x157/0x270 [nfsv4]
+[ 1967.790031]  [<ffffffffc06c17dd>] nfs4_evict_inode+0x4d/0x70 [nfsv4]
+[ 1967.790031]  [<ffffffff8121de19>] evict+0xa9/0x180
+[ 1967.790031]  [<ffffffff8121e729>] iput+0xf9/0x190
+[ 1967.790031]  [<ffffffffc0652cea>] nfs_dentry_iput+0x3a/0x50 [nfs]
+[ 1967.790031]  [<ffffffff8121ab4f>] shrink_dentry_list+0x20f/0x490
+[ 1967.790031]  [<ffffffff8121b018>] d_invalidate+0xd8/0x150
+[ 1967.790031]  [<ffffffffc065446b>] nfs_readdir_page_filler+0x40b/0x600 [nfs]
+[ 1967.790031]  [<ffffffffc0654bbd>] nfs_readdir_xdr_to_array+0x20d/0x3b0 [nfs]
+[ 1967.790031]  [<ffffffff811f3482>] ? __mem_cgroup_commit_charge+0xe2/0x2f0
+[ 1967.790031]  [<ffffffff81183208>] ? __add_to_page_cache_locked+0x48/0x170
+[ 1967.790031]  [<ffffffffc0654d60>] ? nfs_readdir_xdr_to_array+0x3b0/0x3b0 [nfs]
+[ 1967.790031]  [<ffffffffc0654d82>] nfs_readdir_filler+0x22/0x90 [nfs]
+[ 1967.790031]  [<ffffffff8118351f>] do_read_cache_page+0x7f/0x190
+[ 1967.790031]  [<ffffffff81215d30>] ? fillonedir+0xe0/0xe0
+[ 1967.790031]  [<ffffffff8118366c>] read_cache_page+0x1c/0x30
+[ 1967.790031]  [<ffffffffc0654f9b>] nfs_readdir+0x1ab/0x6b0 [nfs]
+[ 1967.790031]  [<ffffffffc06bd1c0>] ? nfs4_xdr_dec_layoutget+0x270/0x270 [nfsv4]
+[ 1967.790031]  [<ffffffff81215d30>] ? fillonedir+0xe0/0xe0
+[ 1967.790031]  [<ffffffff81215c20>] vfs_readdir+0xb0/0xe0
+[ 1967.790031]  [<ffffffff81216045>] SyS_getdents+0x95/0x120
+[ 1967.790031]  [<ffffffff816b9449>] system_call_fastpath+0x16/0x1b
+[ 1967.790031] Code: 90 31 d2 48 89 d0 5d c3 85 f6 74 f5 8d 4e 01 89 f0 f0 0f b1 0f 39 f0 74 e2 89 c6 eb eb 0f 1f 40 00 66 66 66 66 90 55 48 89 e5 53 <48> 8b 47 30 48 89 fb a8 04 74 3b 8b 57 60 83 fa 02 74 19 8d 4a
+[ 1967.790031] RIP  [<ffffffffc06d6aea>] nfs4_put_deviceid_node+0xa/0x90 [nfsv4]
+[ 1967.790031]  RSP <ffff8800c4067978>
+[ 1967.790031] CR2: 0000000000000030
+
+Signed-off-by: Scott Mayhew <smayhew@redhat.com>
+Fixes: 1ebf98012792 ("NFS/filelayout: Fix racy setting of fl->dsaddr...")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/filelayout/filelayout.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/filelayout/filelayout.c
++++ b/fs/nfs/filelayout/filelayout.c
+@@ -745,7 +745,8 @@ filelayout_free_lseg(struct pnfs_layout_
+       struct nfs4_filelayout_segment *fl = FILELAYOUT_LSEG(lseg);
+       dprintk("--> %s\n", __func__);
+-      nfs4_fl_put_deviceid(fl->dsaddr);
++      if (fl->dsaddr != NULL)
++              nfs4_fl_put_deviceid(fl->dsaddr);
+       /* This assumes a single RW lseg */
+       if (lseg->pls_range.iomode == IOMODE_RW) {
+               struct nfs4_filelayout *flo;
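Review bot: The new NULL check would read better with a one-line comment saying when `fl->dsaddr` can still be NULL, e.g. `/* dsaddr is NULL if the lseg is freed before a deviceid was attached to it */`; as written, a reader has to chase the Fixes: tag to learn why. Since the oops was inside nfs4_put_deviceid_node(), it may be worth checking whether other callers of nfs4_fl_put_deviceid() can see a NULL dsaddr as well, rather than guarding only this call site. filelayout_free_lseg() extends outside the hunk.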
diff --git a/queue-4.13/nfs-fix-uninitialized-rpc_wait_queue.patch b/queue-4.13/nfs-fix-uninitialized-rpc_wait_queue.patch
new file mode 100644 (file)
index 0000000..3170511
--- /dev/null
@@ -0,0 +1,41 @@
+From 68ebf8fe3bce8c167cf83fbd681c1eb1ed419c6c Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Fri, 22 Sep 2017 07:57:10 -0400
+Subject: NFS: Fix uninitialized rpc_wait_queue
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+commit 68ebf8fe3bce8c167cf83fbd681c1eb1ed419c6c upstream.
+
+Michael Sterrett reports a NULL pointer dereference on NFSv3 mounts when
+CONFIG_NFS_V4 is not set because the NFS UOC rpc_wait_queue has not been
+initialized.  Move the initialization of the queue out of the CONFIG_NFS_V4
+conditional setion.
+
+Fixes: 7d6ddf88c4db ("NFS: Add an iocounter wait function for async RPC tasks")
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/client.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -218,7 +218,6 @@ static void nfs_cb_idr_remove_locked(str
+ static void pnfs_init_server(struct nfs_server *server)
+ {
+       rpc_init_wait_queue(&server->roc_rpcwaitq, "pNFS ROC");
+-      rpc_init_wait_queue(&server->uoc_rpcwaitq, "NFS UOC");
+ }
+ #else
+@@ -888,6 +887,7 @@ struct nfs_server *nfs_alloc_server(void
+       ida_init(&server->openowner_id);
+       ida_init(&server->lockowner_id);
+       pnfs_init_server(server);
++      rpc_init_wait_queue(&server->uoc_rpcwaitq, "NFS UOC");
+       return server;
+ }
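Review bot: Moving `rpc_init_wait_queue(&server->uoc_rpcwaitq, "NFS UOC");` out of pnfs_init_server() is the right fix, but nothing at the new call site says why it must not return to the CONFIG_NFS_V4-only helper; a comment such as `/* uoc_rpcwaitq is used by every NFS version, so it is initialised unconditionally */` would prevent the regression from being reintroduced. nfs_alloc_server() starts outside the hunk.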
diff --git a/queue-4.13/pinctrl-amd-fix-build-dependency-on-pinmux-code.patch b/queue-4.13/pinctrl-amd-fix-build-dependency-on-pinmux-code.patch
new file mode 100644 (file)
index 0000000..b400e36
--- /dev/null
@@ -0,0 +1,43 @@
+From 83b31c2a5fdd4fb3a4ec84c59a962e816d0bc9de Mon Sep 17 00:00:00 2001
+From: Petr Mladek <pmladek@suse.com>
+Date: Tue, 26 Sep 2017 15:51:28 +0200
+Subject: pinctrl/amd: Fix build dependency on pinmux code
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Petr Mladek <pmladek@suse.com>
+
+commit 83b31c2a5fdd4fb3a4ec84c59a962e816d0bc9de upstream.
+
+The commit 79d2c8bede2c93f943 ("pinctrl/amd: save pin registers over
+suspend/resume") caused the following compilation errors:
+
+drivers/pinctrl/pinctrl-amd.c: In function ‘amd_gpio_should_save’:
+drivers/pinctrl/pinctrl-amd.c:741:8: error: ‘const struct pin_desc’ has no member named ‘mux_owner’
+  if (pd->mux_owner || pd->gpio_owner ||
+        ^
+drivers/pinctrl/pinctrl-amd.c:741:25: error: ‘const struct pin_desc’ has no member named ‘gpio_owner’
+  if (pd->mux_owner || pd->gpio_owner ||
+
+We need to enable CONFIG_PINMUX for this driver as well.
+
+Fixes: 79d2c8bede2c93f943 ("pinctrl/amd: save pin registers over suspend/resume")
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/Kconfig |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pinctrl/Kconfig
++++ b/drivers/pinctrl/Kconfig
+@@ -100,6 +100,7 @@ config PINCTRL_AMD
+       tristate "AMD GPIO pin control"
+       depends on GPIOLIB
+       select GPIOLIB_IRQCHIP
++      select PINMUX
+       select PINCONF
+       select GENERIC_PINCONF
+       help
diff --git a/queue-4.13/revert-vmalloc-back-off-when-the-current-task-is-killed.patch b/queue-4.13/revert-vmalloc-back-off-when-the-current-task-is-killed.patch
new file mode 100644 (file)
index 0000000..85fa76c
--- /dev/null
@@ -0,0 +1,77 @@
+From b8c8a338f75e052d9fa2fed851259320af412e3f Mon Sep 17 00:00:00 2001
+From: Johannes Weiner <hannes@cmpxchg.org>
+Date: Fri, 13 Oct 2017 15:58:05 -0700
+Subject: Revert "vmalloc: back off when the current task is killed"
+
+From: Johannes Weiner <hannes@cmpxchg.org>
+
+commit b8c8a338f75e052d9fa2fed851259320af412e3f upstream.
+
+This reverts commits 5d17a73a2ebe ("vmalloc: back off when the current
+task is killed") and 171012f56127 ("mm: don't warn when vmalloc() fails
+due to a fatal signal").
+
+Commit 5d17a73a2ebe ("vmalloc: back off when the current task is
+killed") made all vmalloc allocations from a signal-killed task fail.
+We have seen crashes in the tty driver from this, where a killed task
+exiting tries to switch back to N_TTY, fails n_tty_open because of the
+vmalloc failing, and later crashes when dereferencing tty->disc_data.
+
+Arguably, relying on a vmalloc() call to succeed in order to properly
+exit a task is not the most robust way of doing things.  There will be a
+follow-up patch to the tty code to fall back to the N_NULL ldisc.
+
+But the justification to make that vmalloc() call fail like this isn't
+convincing, either.  The patch mentions an OOM victim exhausting the
+memory reserves and thus deadlocking the machine.  But the OOM killer is
+only one, improbable source of fatal signals.  It doesn't make sense to
+fail allocations preemptively with plenty of memory in most cases.
+
+The patch doesn't mention real-life instances where vmalloc sites would
+exhaust memory, which makes it sound more like a theoretical issue to
+begin with.  But just in case, the OOM access to memory reserves has
+been restricted on the allocator side in cd04ae1e2dc8 ("mm, oom: do not
+rely on TIF_MEMDIE for memory reserves access"), which should take care
+of any theoretical concerns on that front.
+
+Revert this patch, and the follow-up that suppresses the allocation
+warnings when we fail the allocations due to a signal.
+
+Link: http://lkml.kernel.org/r/20171004185906.GB2136@cmpxchg.org
+Fixes:  171012f56127 ("mm: don't warn when vmalloc() fails due to a fatal signal")
+Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Alan Cox <alan@llwyncelyn.cymru>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/vmalloc.c |    6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/mm/vmalloc.c
++++ b/mm/vmalloc.c
+@@ -1697,11 +1697,6 @@ static void *__vmalloc_area_node(struct
+       for (i = 0; i < area->nr_pages; i++) {
+               struct page *page;
+-              if (fatal_signal_pending(current)) {
+-                      area->nr_pages = i;
+-                      goto fail_no_warn;
+-              }
+-
+               if (node == NUMA_NO_NODE)
+                       page = alloc_page(alloc_mask|highmem_mask);
+               else
+@@ -1725,7 +1720,6 @@ fail:
+       warn_alloc(gfp_mask, NULL,
+                         "vmalloc: allocation failure, allocated %ld of %ld bytes",
+                         (area->nr_pages*PAGE_SIZE), area->size);
+-fail_no_warn:
+       vfree(area->addr);
+       return NULL;
+ }
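Review bot: The revert's safety argument rests on cd04ae1e2dc8 ("mm, oom: do not rely on TIF_MEMDIE for memory reserves access") already limiting an OOM victim's access to memory reserves on the allocator side, but that commit is not part of this 4.13 queue, and if it is not in the 4.13 stable tree either, removing the `fatal_signal_pending(current)` bail-out in the `__vmalloc_area_node()` page loop on its own reopens the scenario the original patch targeted: a killed task can again drive a large vmalloc() to completion from reserves. Worth confirming the allocator-side change is present in 4.13, or stating in the backport that the tty crash is considered the worse of the two problems. With the early exit gone, the only place that truncates `area->nr_pages` to the partially filled index before `fail:` is presumably the existing alloc_page() failure check; that code sits between the two hunks and is not visible here, so it should be eyeballed when applying. The function starts before the first hunk and the second hunk ends at its closing brace.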
diff --git a/queue-4.13/series b/queue-4.13/series
new file mode 100644 (file)
index 0000000..85a11c0
--- /dev/null
@@ -0,0 +1,21 @@
+usb-dummy-hcd-fix-deadlock-caused-by-disconnect-detection.patch
+mips-math-emu-remove-pr_err-calls-from-fpu_emu.patch
+mips-bpf-fix-uninitialised-target-compiler-error.patch
+mei-always-use-domain-runtime-pm-callbacks.patch
+dmaengine-edma-align-the-memcpy-acnt-array-size-with-the-transfer.patch
+dmaengine-ti-dma-crossbar-fix-possible-race-condition-with-dma_inuse.patch
+nfs-fix-uninitialized-rpc_wait_queue.patch
+nfs-filelayout-fix-oops-when-freeing-filelayout-segment.patch
+hid-usbhid-fix-out-of-bounds-bug.patch
+crypto-skcipher-fix-crash-on-zero-length-input.patch
+crypto-shash-fix-zero-length-shash-ahash-digest-crash.patch
+kvm-mmu-always-terminate-page-walks-at-level-1.patch
+kvm-nvmx-fix-guest-cr4-loading-when-emulating-l2-to-l1-exit.patch
+usb-renesas_usbhs-fix-dmac-sequence-for-receiving-zero-length-packet.patch
+pinctrl-amd-fix-build-dependency-on-pinmux-code.patch
+iommu-amd-finish-tlb-flush-in-amd_iommu_unmap.patch
+device-property-track-owner-device-of-device-property.patch
+revert-vmalloc-back-off-when-the-current-task-is-killed.patch
+fs-mpage.c-fix-mpage_writepage-for-pages-with-buffers.patch
+alsa-usb-audio-kill-stray-urb-at-exiting.patch
+alsa-seq-fix-use-after-free-at-creating-a-port.patch
diff --git a/queue-4.13/usb-dummy-hcd-fix-deadlock-caused-by-disconnect-detection.patch b/queue-4.13/usb-dummy-hcd-fix-deadlock-caused-by-disconnect-detection.patch
new file mode 100644 (file)
index 0000000..a7227c4
--- /dev/null
@@ -0,0 +1,107 @@
+From ab219221a5064abfff9f78c323c4a257b16cdb81 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 6 Oct 2017 10:27:44 -0400
+Subject: USB: dummy-hcd: Fix deadlock caused by disconnect detection
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit ab219221a5064abfff9f78c323c4a257b16cdb81 upstream.
+
+The dummy-hcd driver calls the gadget driver's disconnect callback
+under the wrong conditions.  It should invoke the callback when Vbus
+power is turned off, but instead it does so when the D+ pullup is
+turned off.
+
+This can cause a deadlock in the composite core when a gadget driver
+is unregistered:
+
+[   88.361471] ============================================
+[   88.362014] WARNING: possible recursive locking detected
+[   88.362580] 4.14.0-rc2+ #9 Not tainted
+[   88.363010] --------------------------------------------
+[   88.363561] v4l_id/526 is trying to acquire lock:
+[   88.364062]  (&(&cdev->lock)->rlock){....}, at: [<ffffffffa0547e03>] composite_disconnect+0x43/0x100 [libcomposite]
+[   88.365051]
+[   88.365051] but task is already holding lock:
+[   88.365826]  (&(&cdev->lock)->rlock){....}, at: [<ffffffffa0547b09>] usb_function_deactivate+0x29/0x80 [libcomposite]
+[   88.366858]
+[   88.366858] other info that might help us debug this:
+[   88.368301]  Possible unsafe locking scenario:
+[   88.368301]
+[   88.369304]        CPU0
+[   88.369701]        ----
+[   88.370101]   lock(&(&cdev->lock)->rlock);
+[   88.370623]   lock(&(&cdev->lock)->rlock);
+[   88.371145]
+[   88.371145]  *** DEADLOCK ***
+[   88.371145]
+[   88.372211]  May be due to missing lock nesting notation
+[   88.372211]
+[   88.373191] 2 locks held by v4l_id/526:
+[   88.373715]  #0:  (&(&cdev->lock)->rlock){....}, at: [<ffffffffa0547b09>] usb_function_deactivate+0x29/0x80 [libcomposite]
+[   88.374814]  #1:  (&(&dum_hcd->dum->lock)->rlock){....}, at: [<ffffffffa05bd48d>] dummy_pullup+0x7d/0xf0 [dummy_hcd]
+[   88.376289]
+[   88.376289] stack backtrace:
+[   88.377726] CPU: 0 PID: 526 Comm: v4l_id Not tainted 4.14.0-rc2+ #9
+[   88.378557] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+[   88.379504] Call Trace:
+[   88.380019]  dump_stack+0x86/0xc7
+[   88.380605]  __lock_acquire+0x841/0x1120
+[   88.381252]  lock_acquire+0xd5/0x1c0
+[   88.381865]  ? composite_disconnect+0x43/0x100 [libcomposite]
+[   88.382668]  _raw_spin_lock_irqsave+0x40/0x54
+[   88.383357]  ? composite_disconnect+0x43/0x100 [libcomposite]
+[   88.384290]  composite_disconnect+0x43/0x100 [libcomposite]
+[   88.385490]  set_link_state+0x2d4/0x3c0 [dummy_hcd]
+[   88.386436]  dummy_pullup+0xa7/0xf0 [dummy_hcd]
+[   88.387195]  usb_gadget_disconnect+0xd8/0x160 [udc_core]
+[   88.387990]  usb_gadget_deactivate+0xd3/0x160 [udc_core]
+[   88.388793]  usb_function_deactivate+0x64/0x80 [libcomposite]
+[   88.389628]  uvc_function_disconnect+0x1e/0x40 [usb_f_uvc]
+
+This patch changes the code to test the port-power status bit rather
+than the port-connect status bit when deciding whether to isue the
+callback.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: David Tulloh <david@tulloh.id.au>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/dummy_hcd.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/udc/dummy_hcd.c
++++ b/drivers/usb/gadget/udc/dummy_hcd.c
+@@ -420,6 +420,7 @@ static void set_link_state_by_speed(stru
+ static void set_link_state(struct dummy_hcd *dum_hcd)
+ {
+       struct dummy *dum = dum_hcd->dum;
++      unsigned int power_bit;
+       dum_hcd->active = 0;
+       if (dum->pullup)
+@@ -430,17 +431,19 @@ static void set_link_state(struct dummy_
+                       return;
+       set_link_state_by_speed(dum_hcd);
++      power_bit = (dummy_hcd_to_hcd(dum_hcd)->speed == HCD_USB3 ?
++                      USB_SS_PORT_STAT_POWER : USB_PORT_STAT_POWER);
+       if ((dum_hcd->port_status & USB_PORT_STAT_ENABLE) == 0 ||
+            dum_hcd->active)
+               dum_hcd->resuming = 0;
+       /* Currently !connected or in reset */
+-      if ((dum_hcd->port_status & USB_PORT_STAT_CONNECTION) == 0 ||
++      if ((dum_hcd->port_status & power_bit) == 0 ||
+                       (dum_hcd->port_status & USB_PORT_STAT_RESET) != 0) {
+-              unsigned disconnect = USB_PORT_STAT_CONNECTION &
++              unsigned int disconnect = power_bit &
+                               dum_hcd->old_status & (~dum_hcd->port_status);
+-              unsigned reset = USB_PORT_STAT_RESET &
++              unsigned int reset = USB_PORT_STAT_RESET &
+                               (~dum_hcd->old_status) & dum_hcd->port_status;
+               /* Report reset and disconnect events to the driver */
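Review bot: The comment `/* Currently !connected or in reset */` directly above the changed condition is now stale, since the test reads `power_bit` rather than USB_PORT_STAT_CONNECTION; change it to `/* Currently !powered or in reset */` so the next reader doesn't put the connection check back. The `disconnect` event below is likewise derived from the power bit, so a short note there — `/* power-off is what the gadget sees as disconnect */` — would document the Vbus-vs-pullup distinction the commit message relies on. Whether the recursive `cdev->lock` acquisition in the trace is also reachable when port power is dropped while composite code holds the lock is not shown by the hunk; if that path exists it deserves a sentence in the log. set_link_state() continues past the end of the hunk.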
diff --git a/queue-4.13/usb-renesas_usbhs-fix-dmac-sequence-for-receiving-zero-length-packet.patch b/queue-4.13/usb-renesas_usbhs-fix-dmac-sequence-for-receiving-zero-length-packet.patch
new file mode 100644 (file)
index 0000000..fa66763
--- /dev/null
@@ -0,0 +1,40 @@
+From 29c7f3e68eec4ae94d85ad7b5dfdafdb8089f513 Mon Sep 17 00:00:00 2001
+From: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
+Date: Mon, 2 Oct 2017 14:01:41 +0900
+Subject: usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet
+
+From: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
+
+commit 29c7f3e68eec4ae94d85ad7b5dfdafdb8089f513 upstream.
+
+The DREQE bit of the DnFIFOSEL should be set to 1 after the DE bit of
+USB-DMAC on R-Car SoCs is set to 1 after the USB-DMAC received a
+zero-length packet. Otherwise, a transfer completion interruption
+of USB-DMAC doesn't happen. Even if the driver changes the sequence,
+normal operations (transmit/receive without zero-length packet) will
+not cause any side-effects. So, this patch fixes the sequence anyway.
+
+Signed-off-by: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
+[shimoda: revise the commit log]
+Fixes: e73a9891b3a1 ("usb: renesas_usbhs: add DMAEngine support")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/renesas_usbhs/fifo.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/renesas_usbhs/fifo.c
++++ b/drivers/usb/renesas_usbhs/fifo.c
+@@ -857,9 +857,9 @@ static void xfer_work(struct work_struct
+               fifo->name, usbhs_pipe_number(pipe), pkt->length, pkt->zero);
+       usbhs_pipe_running(pipe, 1);
+-      usbhsf_dma_start(pipe, fifo);
+       usbhs_pipe_set_trans_count_if_bulk(pipe, pkt->trans);
+       dma_async_issue_pending(chan);
++      usbhsf_dma_start(pipe, fifo);
+       usbhs_pipe_enable(pipe);
+ xfer_work_end: