--- /dev/null
+From 5ee39a71fd89ab7240c5339d04161c44a8e03269 Mon Sep 17 00:00:00 2001
+From: Michael Weiser <michael.weiser@gmx.de>
+Date: Thu, 1 Feb 2018 23:13:38 +0100
+Subject: arm64: Disable unhandled signal log messages by default
+
+From: Michael Weiser <michael.weiser@gmx.de>
+
+commit 5ee39a71fd89ab7240c5339d04161c44a8e03269 upstream.
+
+aarch64 unhandled signal kernel messages are very verbose, suggesting
+them to be more of a debugging aid:
+
+sigsegv[33]: unhandled level 2 translation fault (11) at 0x00000000, esr
+0x92000046, in sigsegv[400000+71000]
+CPU: 1 PID: 33 Comm: sigsegv Tainted: G W 4.15.0-rc3+ #3
+Hardware name: linux,dummy-virt (DT)
+pstate: 60000000 (nZCv daif -PAN -UAO)
+pc : 0x4003f4
+lr : 0x4006bc
+sp : 0000fffffe94a060
+x29: 0000fffffe94a070 x28: 0000000000000000
+x27: 0000000000000000 x26: 0000000000000000
+x25: 0000000000000000 x24: 00000000004001b0
+x23: 0000000000486ac8 x22: 00000000004001c8
+x21: 0000000000000000 x20: 0000000000400be8
+x19: 0000000000400b30 x18: 0000000000484728
+x17: 000000000865ffc8 x16: 000000000000270f
+x15: 00000000000000b0 x14: 0000000000000002
+x13: 0000000000000001 x12: 0000000000000000
+x11: 0000000000000000 x10: 0008000020008008
+x9 : 000000000000000f x8 : ffffffffffffffff
+x7 : 0004000000000000 x6 : ffffffffffffffff
+x5 : 0000000000000000 x4 : 0000000000000000
+x3 : 00000000004003e4 x2 : 0000fffffe94a1e8
+x1 : 000000000000000a x0 : 0000000000000000
+
+Disable them by default, so they can be enabled using
+/proc/sys/debug/exception-trace.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/traps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/traps.c
++++ b/arch/arm64/kernel/traps.c
+@@ -45,7 +45,7 @@ static const char *handler[]= {
+ "Error"
+ };
+
+-int show_unhandled_signals = 1;
++int show_unhandled_signals = 0;
+
+ /*
+ * Dump out the contents of some memory nicely...
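Review bot: The new default at `int show_unhandled_signals = 0;` carries no comment saying where it is switched back on, and the variable name gives no hint of the sysctl. A one-line comment such as `/* Off by default; enable via /proc/sys/debug/exception-trace */` would keep that visible in the source. Systems that relied on these messages to notice crashing user processes will see nothing in the kernel log until the sysctl is set, so that setting belongs in their boot-time sysctl configuration.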
--- /dev/null
+From bee92d06157fc39d5d7836a061c7d41289a55797 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 2 Feb 2018 16:31:23 +0100
+Subject: cfg80211: fix cfg80211_beacon_dup
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit bee92d06157fc39d5d7836a061c7d41289a55797 upstream.
+
+gcc-8 warns about some obviously incorrect code:
+
+net/mac80211/cfg.c: In function 'cfg80211_beacon_dup':
+net/mac80211/cfg.c:2896:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
+
+From the context, I conclude that we want to copy from beacon into
+new_beacon, as we do in the rest of the function.
+
+Cc: stable@vger.kernel.org
+Fixes: 73da7d5bab79 ("mac80211: add channel switch command and beacon callbacks")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/cfg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -2769,7 +2769,7 @@ cfg80211_beacon_dup(struct cfg80211_beac
+ }
+ if (beacon->probe_resp_len) {
+ new_beacon->probe_resp_len = beacon->probe_resp_len;
+- beacon->probe_resp = pos;
++ new_beacon->probe_resp = pos;
+ memcpy(pos, beacon->probe_resp, beacon->probe_resp_len);
+ pos += beacon->probe_resp_len;
+ }
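Review bot: The source argument `beacon` is only read in the lines shown, so it could be declared `const struct cfg80211_beacon_data *beacon`. With that qualifier the old `beacon->probe_resp = pos;` would have been rejected at compile time instead of waiting for a gcc-8 warning. The signature is truncated in the hunk header and the rest of the function lies outside the hunk, so this assumes no other line writes through `beacon`.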
--- /dev/null
+From f027e0b3a774e10302207e91d304bbf99e3a8b36 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Wed, 14 Feb 2018 15:43:00 +0100
+Subject: iio: adis_lib: Initialize trigger before requesting interrupt
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+commit f027e0b3a774e10302207e91d304bbf99e3a8b36 upstream.
+
+The adis_probe_trigger() creates a new IIO trigger and requests an
+interrupt associated with the trigger. The interrupt uses the generic
+iio_trigger_generic_data_rdy_poll() function as its interrupt handler.
+
+Currently the driver initializes some fields of the trigger structure after
+the interrupt has been requested. But an interrupt can fire as soon as it
+has been requested. This opens up a race condition.
+
+iio_trigger_generic_data_rdy_poll() will access the trigger data structure
+and dereference the ops field. If the ops field is not yet initialized this
+will result in a NULL pointer deref.
+
+It is not expected that the device generates an interrupt at this point, so
+typically this issue did not surface unless e.g. due to a hardware
+misconfiguration (wrong interrupt number, wrong polarity, etc.).
+
+But some newer devices from the ADIS family start to generate periodic
+interrupts in their power-on reset configuration and unfortunately the
+interrupt can not be masked in the device. This makes the race condition
+much more visible and the following crash has been observed occasionally
+when booting a system using the ADIS16460.
+
+ Unable to handle kernel NULL pointer dereference at virtual address 00000008
+ pgd = c0004000
+ [00000008] *pgd=00000000
+ Internal error: Oops: 5 [#1] PREEMPT SMP ARM
+ Modules linked in:
+ CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.9.0-04126-gf9739f0-dirty #257
+ Hardware name: Xilinx Zynq Platform
+ task: ef04f640 task.stack: ef050000
+ PC is at iio_trigger_notify_done+0x30/0x68
+ LR is at iio_trigger_generic_data_rdy_poll+0x18/0x20
+ pc : [<c042d868>] lr : [<c042d924>] psr: 60000193
+ sp : ef051bb8 ip : 00000000 fp : ef106400
+ r10: c081d80a r9 : ef3bfa00 r8 : 00000087
+ r7 : ef051bec r6 : 00000000 r5 : ef3bfa00 r4 : ee92ab00
+ r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : ee97e400
+ Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment none
+ Control: 18c5387d Table: 0000404a DAC: 00000051
+ Process swapper/0 (pid: 1, stack limit = 0xef050210)
+ [<c042d868>] (iio_trigger_notify_done) from [<c0065b10>] (__handle_irq_event_percpu+0x88/0x118)
+ [<c0065b10>] (__handle_irq_event_percpu) from [<c0065bbc>] (handle_irq_event_percpu+0x1c/0x58)
+ [<c0065bbc>] (handle_irq_event_percpu) from [<c0065c30>] (handle_irq_event+0x38/0x5c)
+ [<c0065c30>] (handle_irq_event) from [<c0068e28>] (handle_level_irq+0xa4/0x130)
+ [<c0068e28>] (handle_level_irq) from [<c0064e74>] (generic_handle_irq+0x24/0x34)
+ [<c0064e74>] (generic_handle_irq) from [<c021ab7c>] (zynq_gpio_irqhandler+0xb8/0x13c)
+ [<c021ab7c>] (zynq_gpio_irqhandler) from [<c0064e74>] (generic_handle_irq+0x24/0x34)
+ [<c0064e74>] (generic_handle_irq) from [<c0065370>] (__handle_domain_irq+0x5c/0xb4)
+ [<c0065370>] (__handle_domain_irq) from [<c000940c>] (gic_handle_irq+0x48/0x8c)
+ [<c000940c>] (gic_handle_irq) from [<c0013e8c>] (__irq_svc+0x6c/0xa8)
+
+To fix this make sure that the trigger is fully initialized before
+requesting the interrupt.
+
+Fixes: ccd2b52f4ac6 ("staging:iio: Add common ADIS library")
+Reported-by: Robin Getz <Robin.Getz@analog.com>
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/imu/adis_trigger.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/imu/adis_trigger.c
++++ b/drivers/iio/imu/adis_trigger.c
+@@ -47,6 +47,10 @@ int adis_probe_trigger(struct adis *adis
+ if (adis->trig == NULL)
+ return -ENOMEM;
+
++ adis->trig->dev.parent = &adis->spi->dev;
++ adis->trig->ops = &adis_trigger_ops;
++ iio_trigger_set_drvdata(adis->trig, adis);
++
+ ret = request_irq(adis->spi->irq,
+ &iio_trigger_generic_data_rdy_poll,
+ IRQF_TRIGGER_RISING,
+@@ -55,9 +59,6 @@ int adis_probe_trigger(struct adis *adis
+ if (ret)
+ goto error_free_trig;
+
+- adis->trig->dev.parent = &adis->spi->dev;
+- adis->trig->ops = &adis_trigger_ops;
+- iio_trigger_set_drvdata(adis->trig, adis);
+ ret = iio_trigger_register(adis->trig);
+
+ indio_dev->trig = iio_trigger_get(adis->trig);
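Review bot: Nothing in the new code says that the three assignments ahead of `request_irq()` have to stay there, so a later cleanup could move them back. A comment above them, e.g. `/* Set up ops and drvdata before request_irq(): the handler may run at once and dereferences them */`, would record the ordering requirement. In the second hunk `indio_dev->trig = iio_trigger_get(adis->trig);` still runs before `ret` from `iio_trigger_register()` is checked. The check itself is outside the hunk, so it is worth confirming that the error path does not leave `indio_dev->trig` pointing at a freed trigger.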
--- /dev/null
+From 4cd140bda6494543f1c1b0ccceceaa44b676eef6 Mon Sep 17 00:00:00 2001
+From: Stefan Windfeldt-Prytz <stefan.windfeldt@axis.com>
+Date: Thu, 15 Feb 2018 15:02:53 +0100
+Subject: iio: buffer: check if a buffer has been set up when poll is called
+
+From: Stefan Windfeldt-Prytz <stefan.windfeldt@axis.com>
+
+commit 4cd140bda6494543f1c1b0ccceceaa44b676eef6 upstream.
+
+If no iio buffer has been set up and poll is called return 0.
+Without this check there will be a null pointer dereference when
+calling poll on a iio driver without an iio buffer.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefan Windfeldt-Prytz <stefan.windfeldt@axis.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/industrialio-buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/industrialio-buffer.c
++++ b/drivers/iio/industrialio-buffer.c
+@@ -92,7 +92,7 @@ unsigned int iio_buffer_poll(struct file
+ struct iio_dev *indio_dev = filp->private_data;
+ struct iio_buffer *rb = indio_dev->buffer;
+
+- if (!indio_dev->info)
++ if (!indio_dev->info || rb == NULL)
+ return 0;
+
+ poll_wait(filp, &rb->pollq, wait);
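Review bot: The added test `rb == NULL` sits next to `!indio_dev->info` in the same condition; kernel style prefers the short form, so `if (!indio_dev->info || !rb)` would read consistently. This path is reached from a userspace poll() on the device node, so a short comment such as `/* No buffer attached: nothing to poll */` would also explain why 0 is returned rather than an error mask. The rest of iio_buffer_poll is outside the hunk.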
--- /dev/null
+From 21ec30c0ef5234fb1039cc7c7737d885bf875a9e Mon Sep 17 00:00:00 2001
+From: Shanker Donthineni <shankerd@codeaurora.org>
+Date: Wed, 31 Jan 2018 18:03:42 -0600
+Subject: irqchip/gic-v3: Use wmb() instead of smb_wmb() in gic_raise_softirq()
+
+From: Shanker Donthineni <shankerd@codeaurora.org>
+
+commit 21ec30c0ef5234fb1039cc7c7737d885bf875a9e upstream.
+
+A DMB instruction can be used to ensure the relative order of only
+memory accesses before and after the barrier. Since writes to system
+registers are not memory operations, barrier DMB is not sufficient
+for observability of memory accesses that occur before ICC_SGI1R_EL1
+writes.
+
+A DSB instruction ensures that no instructions that appear in program
+order after the DSB instruction, can execute until the DSB instruction
+has completed.
+
+Cc: stable@vger.kernel.org
+Acked-by: Will Deacon <will.deacon@arm.com>,
+Signed-off-by: Shanker Donthineni <shankerd@codeaurora.org>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-gic-v3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-gic-v3.c
++++ b/drivers/irqchip/irq-gic-v3.c
+@@ -503,7 +503,7 @@ static void gic_raise_softirq(const stru
+ * Ensure that stores to Normal memory are visible to the
+ * other CPUs before issuing the IPI.
+ */
+- smp_wmb();
++ wmb();
+
+ for_each_cpu_mask(cpu, *mask) {
+ u64 cluster_id = cpu_logical_map(cpu) & ~0xffUL;
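Review bot: The comment above `wmb();` still describes only the store-visibility goal and does not say why the stronger barrier is needed, which invites a later revert to `smp_wmb()`. I would extend it with a line such as `* The SGI is raised by a system register write (ICC_SGI1R_EL1), which a DMB does not order, so a DSB (wmb) is required.` The function body continues outside the hunk.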
--- /dev/null
+From c39813652700f3df552b6557530f1e5f782dbe2f Mon Sep 17 00:00:00 2001
+From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Date: Tue, 23 Jan 2018 20:11:32 -0600
+Subject: scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info
+
+From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+
+commit c39813652700f3df552b6557530f1e5f782dbe2f upstream.
+
+The fcp_rsp_info structure as defined in the FC spec has an initial 3
+bytes reserved field. The ibmvfc driver mistakenly defined this field as
+4 bytes resulting in the rsp_code field being defined in what should be
+the start of the second reserved field and thus always being reported as
+zero by the driver.
+
+Ideally, we should wire ibmvfc up with libfc for the sake of code
+deduplication, and ease of maintaining standardized structures in a
+single place. However, for now simply fixup the definition in ibmvfc for
+backporting to distros on older kernels. Wiring up with libfc will be
+done in a followup patch.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ibmvscsi/ibmvfc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/ibmvscsi/ibmvfc.h
++++ b/drivers/scsi/ibmvscsi/ibmvfc.h
+@@ -366,7 +366,7 @@ enum ibmvfc_fcp_rsp_info_codes {
+ };
+
+ struct ibmvfc_fcp_rsp_info {
+- __be16 reserved;
++ u8 reserved[3];
+ u8 rsp_code;
+ u8 reserved2[4];
+ }__attribute__((packed, aligned (2)));
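Review bot: Nothing checks the layout of `struct ibmvfc_fcp_rsp_info` at build time, and a size check alone would not have caught this bug. With `packed, aligned (2)` the old 2+1+4-byte layout and the new 3+1+4-byte layout both appear to come out at 8 bytes. An offset assertion in the driver's init path, e.g. `BUILD_BUG_ON(offsetof(struct ibmvfc_fcp_rsp_info, rsp_code) != 3);`, would pin the field position that the commit message attributes to the FC spec. A comment on `reserved[3]` noting that its width is fixed by the wire format would help as well.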
netfilter-drop-outermost-socket-lock-in-getsockopt.patch
pci-keystone-fix-interrupt-controller-node-lookup.patch
+xtensa-fix-high-memory-reserved-memory-collision.patch
+scsi-ibmvfc-fix-misdefined-reserved-field-in-ibmvfc_fcp_rsp_info.patch
+cfg80211-fix-cfg80211_beacon_dup.patch
+iio-buffer-check-if-a-buffer-has-been-set-up-when-poll-is-called.patch
+iio-adis_lib-initialize-trigger-before-requesting-interrupt.patch
+x86-oprofile-fix-bogus-gcc-8-warning-in-nmi_setup.patch
+irqchip-gic-v3-use-wmb-instead-of-smb_wmb-in-gic_raise_softirq.patch
+arm64-disable-unhandled-signal-log-messages-by-default.patch
+usb-dwc3-gadget-set-maxpacket-size-for-ep0-in.patch
+usb-gadget-f_fs-process-all-descriptors-during-bind.patch
--- /dev/null
+From 6180026341e852a250e1f97ebdcf71684a3c81b9 Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Fri, 12 Jan 2018 18:18:05 -0800
+Subject: usb: dwc3: gadget: Set maxpacket size for ep0 IN
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+commit 6180026341e852a250e1f97ebdcf71684a3c81b9 upstream.
+
+There are 2 control endpoint structures for DWC3. However, the driver
+only updates the OUT direction control endpoint structure during
+ConnectDone event. DWC3 driver needs to update the endpoint max packet
+size for control IN endpoint as well. If the max packet size is not
+properly set, then the driver will incorrectly calculate the data
+transfer size and fail to send ZLP for HS/FS 3-stage control read
+transfer.
+
+The fix is simply to update the max packet size for the ep0 IN direction
+during ConnectDone event.
+
+Cc: stable@vger.kernel.org
+Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
+Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/gadget.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2345,6 +2345,8 @@ static void dwc3_gadget_conndone_interru
+ break;
+ }
+
++ dwc->eps[1]->endpoint.maxpacket = dwc->gadget.ep0->maxpacket;
++
+ /* Enable USB2 LPM Capability */
+
+ if ((dwc->revision > DWC3_REVISION_194A)
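Review bot: The index in `dwc->eps[1]->endpoint.maxpacket = dwc->gadget.ep0->maxpacket;` is a bare number, and nothing in the hunk says it refers to the ep0 IN endpoint. A comment such as `/* eps[1] is ep0 IN; keep its maxpacket in step with ep0 OUT */` would make the intent readable without the commit message. The function starts and ends outside the hunk, so how `dwc->gadget.ep0->maxpacket` is set just above cannot be seen from here.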
--- /dev/null
+From 6cf439e0d37463e42784271179c8a308fd7493c6 Mon Sep 17 00:00:00 2001
+From: Jack Pham <jackp@codeaurora.org>
+Date: Wed, 24 Jan 2018 00:11:53 -0800
+Subject: usb: gadget: f_fs: Process all descriptors during bind
+
+From: Jack Pham <jackp@codeaurora.org>
+
+commit 6cf439e0d37463e42784271179c8a308fd7493c6 upstream.
+
+During _ffs_func_bind(), the received descriptors are evaluated
+to prepare for binding with the gadget in order to allocate
+endpoints and optionally set up OS descriptors. However, the
+high- and super-speed descriptors are only parsed based on
+whether the gadget_is_dualspeed() and gadget_is_superspeed()
+calls are true, respectively.
+
+This is a problem in case a userspace program always provides
+all of the {full,high,super,OS} descriptors when configuring a
+function. Then, for example if a gadget device is not capable
+of SuperSpeed, the call to ffs_do_descs() for the SS descriptors
+is skipped, resulting in an incorrect offset calculation for
+the vla_ptr when moving on to the OS descriptors that follow.
+This causes ffs_do_os_descs() to fail as it is now looking at
+the SS descriptors' offset within the raw_descs buffer instead.
+
+_ffs_func_bind() should evaluate the descriptors unconditionally,
+so remove the checks for gadget speed.
+
+Fixes: f0175ab51993 ("usb: gadget: f_fs: OS descriptors support")
+Cc: stable@vger.kernel.org
+Co-Developed-by: Mayank Rana <mrana@codeaurora.org>
+Signed-off-by: Mayank Rana <mrana@codeaurora.org>
+Signed-off-by: Jack Pham <jackp@codeaurora.org>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_fs.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -2727,10 +2727,8 @@ static int _ffs_func_bind(struct usb_con
+ struct ffs_data *ffs = func->ffs;
+
+ const int full = !!func->ffs->fs_descs_count;
+- const int high = gadget_is_dualspeed(func->gadget) &&
+- func->ffs->hs_descs_count;
+- const int super = gadget_is_superspeed(func->gadget) &&
+- func->ffs->ss_descs_count;
++ const int high = !!func->ffs->hs_descs_count;
++ const int super = !!func->ffs->ss_descs_count;
+
+ int fs_len, hs_len, ss_len, ret, i;
+
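Review bot: After this change `high` and `super` depend only on counts taken from the userspace-supplied descriptor blob, and nothing in the code says why the gadget speed is deliberately ignored. A comment above the three flags, e.g. `/* Walk every descriptor set userspace provided, whatever the gadget speed: skipping one shifts the offsets of the sets that follow */`, would keep the speed checks from being re-added. The hunk also declares `ffs` and then keeps using `func->ffs->…`; `ffs->hs_descs_count` would be shorter. The remainder of _ffs_func_bind is outside the hunk, so whether later code still needs a speed check before using the HS/SS descriptors cannot be judged from here.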
--- /dev/null
+From 85c615eb52222bc5fab6c7190d146bc59fac289e Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 20 Feb 2018 21:58:21 +0100
+Subject: x86/oprofile: Fix bogus GCC-8 warning in nmi_setup()
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 85c615eb52222bc5fab6c7190d146bc59fac289e upstream.
+
+GCC-8 shows a warning for the x86 oprofile code that copies per-CPU
+data from CPU 0 to all other CPUs, which when building a non-SMP
+kernel turns into a memcpy() with identical source and destination
+pointers:
+
+ arch/x86/oprofile/nmi_int.c: In function 'mux_clone':
+ arch/x86/oprofile/nmi_int.c:285:2: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
+ memcpy(per_cpu(cpu_msrs, cpu).multiplex,
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ per_cpu(cpu_msrs, 0).multiplex,
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ sizeof(struct op_msr) * model->num_virt_counters);
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ arch/x86/oprofile/nmi_int.c: In function 'nmi_setup':
+ arch/x86/oprofile/nmi_int.c:466:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
+ arch/x86/oprofile/nmi_int.c:470:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
+
+I have analyzed a number of such warnings now: some are valid and the
+GCC warning is welcome. Others turned out to be false-positives, and
+GCC was changed to not warn about those any more. This is a corner case
+that is a false-positive but the GCC developers feel it's better to keep
+warning about it.
+
+In this case, it seems best to work around it by telling GCC
+a little more clearly that this code path is never hit with
+an IS_ENABLED() configuration check.
+
+Cc:stable as we also want old kernels to build cleanly with GCC-8.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Cc: Jessica Yu <jeyu@kernel.org>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Martin Sebor <msebor@gcc.gnu.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Robert Richter <rric@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: oprofile-list@lists.sf.net
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/20180220205826.2008875-1-arnd@arndb.de
+Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84095
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/oprofile/nmi_int.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/oprofile/nmi_int.c
++++ b/arch/x86/oprofile/nmi_int.c
+@@ -471,7 +471,7 @@ static int nmi_setup(void)
+ goto fail;
+
+ for_each_possible_cpu(cpu) {
+- if (!cpu)
++ if (!IS_ENABLED(CONFIG_SMP) || !cpu)
+ continue;
+
+ memcpy(per_cpu(cpu_msrs, cpu).counters,
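Review bot: The added `!IS_ENABLED(CONFIG_SMP)` test looks redundant to a reader, because on a non-SMP build the only possible CPU is 0 and `!cpu` already skips it. It exists only to silence the GCC-8 -Wrestrict warning, so a comment such as `/* !SMP test is for GCC-8 -Wrestrict: on UP, per_cpu(x, cpu) and per_cpu(x, 0) are the same object */` would keep it from being removed as dead code. The loop body continues outside the hunk.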
--- /dev/null
+From 6ac5a11dc674bc5016ea716e8082fff61f524dc1 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Tue, 13 Feb 2018 15:31:05 -0800
+Subject: xtensa: fix high memory/reserved memory collision
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+commit 6ac5a11dc674bc5016ea716e8082fff61f524dc1 upstream.
+
+Xtensa memory initialization code frees high memory pages without
+checking whether they are in the reserved memory regions or not. That
+results in invalid value of totalram_pages and duplicate page usage by
+CMA and highmem. It produces a bunch of BUGs at startup looking like
+this:
+
+BUG: Bad page state in process swapper pfn:70800
+page:be60c000 count:0 mapcount:-127 mapping: (null) index:0x1
+flags: 0x80000000()
+raw: 80000000 00000000 00000001 ffffff80 00000000 be60c014 be60c014 0000000a
+page dumped because: nonzero mapcount
+Modules linked in:
+CPU: 0 PID: 1 Comm: swapper Tainted: G B 4.16.0-rc1-00015-g7928b2cbe55b-dirty #23
+Stack:
+ bd839d33 00000000 00000018 ba97b64c a106578c bd839d70 be60c000 00000000
+ a1378054 bd86a000 00000003 ba97b64c a1066166 bd839da0 be60c000 ffe00000
+ a1066b58 bd839dc0 be504000 00000000 000002f4 bd838000 00000000 0000001e
+Call Trace:
+ [<a1065734>] bad_page+0xac/0xd0
+ [<a106578c>] free_pages_check_bad+0x34/0x4c
+ [<a1066166>] __free_pages_ok+0xae/0x14c
+ [<a1066b58>] __free_pages+0x30/0x64
+ [<a1365de5>] init_cma_reserved_pageblock+0x35/0x44
+ [<a13682dc>] cma_init_reserved_areas+0xf4/0x148
+ [<a10034b8>] do_one_initcall+0x80/0xf8
+ [<a1361c16>] kernel_init_freeable+0xda/0x13c
+ [<a125b59d>] kernel_init+0x9/0xd0
+ [<a1004304>] ret_from_kernel_thread+0xc/0x18
+
+Only free high memory pages that are not reserved.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/xtensa/mm/init.c | 70 +++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 63 insertions(+), 7 deletions(-)
+
+--- a/arch/xtensa/mm/init.c
++++ b/arch/xtensa/mm/init.c
+@@ -307,19 +307,75 @@ void __init zones_init(void)
+ free_area_init_node(0, zones_size, ARCH_PFN_OFFSET, NULL);
+ }
+
++#ifdef CONFIG_HIGHMEM
++static void __init free_area_high(unsigned long pfn, unsigned long end)
++{
++ for (; pfn < end; pfn++)
++ free_highmem_page(pfn_to_page(pfn));
++}
++
++static void __init free_highpages(void)
++{
++ unsigned long max_low = max_low_pfn;
++ struct memblock_region *mem, *res;
++
++ reset_all_zones_managed_pages();
++ /* set highmem page free */
++ for_each_memblock(memory, mem) {
++ unsigned long start = memblock_region_memory_base_pfn(mem);
++ unsigned long end = memblock_region_memory_end_pfn(mem);
++
++ /* Ignore complete lowmem entries */
++ if (end <= max_low)
++ continue;
++
++ if (memblock_is_nomap(mem))
++ continue;
++
++ /* Truncate partial highmem entries */
++ if (start < max_low)
++ start = max_low;
++
++ /* Find and exclude any reserved regions */
++ for_each_memblock(reserved, res) {
++ unsigned long res_start, res_end;
++
++ res_start = memblock_region_reserved_base_pfn(res);
++ res_end = memblock_region_reserved_end_pfn(res);
++
++ if (res_end < start)
++ continue;
++ if (res_start < start)
++ res_start = start;
++ if (res_start > end)
++ res_start = end;
++ if (res_end > end)
++ res_end = end;
++ if (res_start != start)
++ free_area_high(start, res_start);
++ start = res_end;
++ if (start == end)
++ break;
++ }
++
++ /* And now free anything which remains */
++ if (start < end)
++ free_area_high(start, end);
++ }
++}
++#else
++static void __init free_highpages(void)
++{
++}
++#endif
++
+ /*
+ * Initialize memory pages.
+ */
+
+ void __init mem_init(void)
+ {
+-#ifdef CONFIG_HIGHMEM
+- unsigned long tmp;
+-
+- reset_all_zones_managed_pages();
+- for (tmp = max_low_pfn; tmp < max_pfn; tmp++)
+- free_highmem_page(pfn_to_page(tmp));
+-#endif
++ free_highpages();
+
+ max_mapnr = max_pfn - ARCH_PFN_OFFSET;
+ high_memory = (void *)__va(max_low_pfn << PAGE_SHIFT);
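Review bot: The inner loop in free_highpages() is only correct if the reserved regions are visited in ascending address order and do not overlap, because `start = res_end;` moves the cursor forward once per region and never looks back; that assumption is not written down. A comment above `for_each_memblock(reserved, res)` such as `/* Relies on memblock.reserved being sorted by base and non-overlapping */` would document it. `/* set highmem page free */` could also say what is actually done, e.g. `/* Free highmem pages that are not reserved */`. free_area_high() takes a half-open range [pfn, end), which deserves a one-line comment since the clamping code depends on it.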