4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 23 May 2017 18:37:29 +0000 (20:37 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 23 May 2017 18:37:29 +0000 (20:37 +0200)
added patches:
drivers-char-mem-check-for-address-space-wraparound-with-mmap.patch
drm-edid-add-10-bpc-quirk-for-lgd-764-panel-in-hp-zbook-17-g2.patch
drm-i915-gvt-disable-access-to-stolen-memory-as-a-guest.patch
nfsd-check-for-oversized-nfsv2-v3-arguments.patch
nfsd-encoders-mustn-t-use-unitialized-values-in-error-cases.patch
nfsd-fix-up-the-supattr_exclcreat-attributes.patch
osf_wait4-fix-infoleak.patch
pci-fix-pci_mmap_fits-for-have_pci_resource_to_user-platforms.patch
pci-freeze-pme-scan-before-suspending-devices.patch
tracing-kprobes-enforce-kprobes-teardown-after-testing.patch

queue-4.4/drivers-char-mem-check-for-address-space-wraparound-with-mmap.patch [new file with mode: 0644]
queue-4.4/drm-edid-add-10-bpc-quirk-for-lgd-764-panel-in-hp-zbook-17-g2.patch [new file with mode: 0644]
queue-4.4/drm-i915-gvt-disable-access-to-stolen-memory-as-a-guest.patch [new file with mode: 0644]
queue-4.4/nfsd-check-for-oversized-nfsv2-v3-arguments.patch [new file with mode: 0644]
queue-4.4/nfsd-encoders-mustn-t-use-unitialized-values-in-error-cases.patch [new file with mode: 0644]
queue-4.4/nfsd-fix-up-the-supattr_exclcreat-attributes.patch [new file with mode: 0644]
queue-4.4/osf_wait4-fix-infoleak.patch [new file with mode: 0644]
queue-4.4/pci-fix-pci_mmap_fits-for-have_pci_resource_to_user-platforms.patch [new file with mode: 0644]
queue-4.4/pci-freeze-pme-scan-before-suspending-devices.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/tracing-kprobes-enforce-kprobes-teardown-after-testing.patch [new file with mode: 0644]

diff --git a/queue-4.4/drivers-char-mem-check-for-address-space-wraparound-with-mmap.patch b/queue-4.4/drivers-char-mem-check-for-address-space-wraparound-with-mmap.patch
new file mode 100644 (file)
index 0000000..12ff7d9
--- /dev/null
@@ -0,0 +1,40 @@
+From b299cde245b0b76c977f4291162cf668e087b408 Mon Sep 17 00:00:00 2001
+From: Julius Werner <jwerner@chromium.org>
+Date: Fri, 12 May 2017 14:42:58 -0700
+Subject: drivers: char: mem: Check for address space wraparound with mmap()
+
+From: Julius Werner <jwerner@chromium.org>
+
+commit b299cde245b0b76c977f4291162cf668e087b408 upstream.
+
+/dev/mem currently allows mmap() mappings that wrap around the end of
+the physical address space, which should probably be illegal. It
+circumvents the existing STRICT_DEVMEM permission check because the loop
+immediately terminates (as the start address is already higher than the
+end address). On the x86_64 architecture it will then cause a panic
+(from the BUG(start >= end) in arch/x86/mm/pat.c:reserve_memtype()).
+
+This patch adds an explicit check to make sure offset + size will not
+wrap around in the physical address type.
+
+Signed-off-by: Julius Werner <jwerner@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/mem.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/char/mem.c
++++ b/drivers/char/mem.c
+@@ -343,6 +343,11 @@ static const struct vm_operations_struct
+ static int mmap_mem(struct file *file, struct vm_area_struct *vma)
+ {
+       size_t size = vma->vm_end - vma->vm_start;
++      phys_addr_t offset = (phys_addr_t)vma->vm_pgoff << PAGE_SHIFT;
++
++      /* It's illegal to wrap around the end of the physical address space. */
++      if (offset + (phys_addr_t)size < offset)
++              return -EINVAL;
+       if (!valid_mmap_phys_addr_range(vma->vm_pgoff, size))
+               return -EINVAL;
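Review bot: The new guard `if (offset + (phys_addr_t)size < offset)` in mmap_mem says what it rejects but not why it has to come before valid_mmap_phys_addr_range() and the STRICT_DEVMEM walk; the commit message explains that a wrapped range makes the start-to-end loop in that permission check terminate at once and then trips the BUG(start >= end) in reserve_memtype(), so a later reorder of these checks would silently reopen the hole. I would widen the comment to `/* Reject ranges that wrap past the end of the physical address space: the range checks below walk from start to end and would accept a wrapped range untouched, and reserve_memtype() BUGs on start >= end. */`. The comparison is on phys_addr_t, which is unsigned, so the wraparound test itself is well defined. mmap_mem's body continues past the hunk.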
diff --git a/queue-4.4/drm-edid-add-10-bpc-quirk-for-lgd-764-panel-in-hp-zbook-17-g2.patch b/queue-4.4/drm-edid-add-10-bpc-quirk-for-lgd-764-panel-in-hp-zbook-17-g2.patch
new file mode 100644 (file)
index 0000000..f5a287d
--- /dev/null
@@ -0,0 +1,57 @@
+From e345da82bd6bdfa8492f80b3ce4370acfd868d95 Mon Sep 17 00:00:00 2001
+From: Mario Kleiner <mario.kleiner.de@gmail.com>
+Date: Fri, 21 Apr 2017 17:05:08 +0200
+Subject: drm/edid: Add 10 bpc quirk for LGD 764 panel in HP zBook 17 G2
+
+From: Mario Kleiner <mario.kleiner.de@gmail.com>
+
+commit e345da82bd6bdfa8492f80b3ce4370acfd868d95 upstream.
+
+The builtin eDP panel in the HP zBook 17 G2 supports 10 bpc,
+as advertised by the Laptops product specs and verified via
+injecting a fixed edid + photometer measurements, but edid
+reports unknown depth, so drivers fall back to 6 bpc.
+
+Add a quirk to get the full 10 bpc.
+
+Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
+Acked-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: http://patchwork.freedesktop.org/patch/msgid/1492787108-23959-1-git-send-email-mario.kleiner.de@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_edid.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -75,6 +75,8 @@
+ #define EDID_QUIRK_FORCE_12BPC                        (1 << 9)
+ /* Force 6bpc */
+ #define EDID_QUIRK_FORCE_6BPC                 (1 << 10)
++/* Force 10bpc */
++#define EDID_QUIRK_FORCE_10BPC                        (1 << 11)
+ struct detailed_mode_closure {
+       struct drm_connector *connector;
+@@ -117,6 +119,9 @@ static struct edid_quirk {
+       { "FCM", 13600, EDID_QUIRK_PREFER_LARGE_75 |
+         EDID_QUIRK_DETAILED_IN_CM },
++      /* LGD panel of HP zBook 17 G2, eDP 10 bpc, but reports unknown bpc */
++      { "LGD", 764, EDID_QUIRK_FORCE_10BPC },
++
+       /* LG Philips LCD LP154W01-A5 */
+       { "LPL", 0, EDID_QUIRK_DETAILED_USE_MAXIMUM_SIZE },
+       { "LPL", 0x2a00, EDID_QUIRK_DETAILED_USE_MAXIMUM_SIZE },
+@@ -3834,6 +3839,9 @@ int drm_add_edid_modes(struct drm_connec
+       if (quirks & EDID_QUIRK_FORCE_8BPC)
+               connector->display_info.bpc = 8;
++      if (quirks & EDID_QUIRK_FORCE_10BPC)
++              connector->display_info.bpc = 10;
++
+       if (quirks & EDID_QUIRK_FORCE_12BPC)
+               connector->display_info.bpc = 12;
diff --git a/queue-4.4/drm-i915-gvt-disable-access-to-stolen-memory-as-a-guest.patch b/queue-4.4/drm-i915-gvt-disable-access-to-stolen-memory-as-a-guest.patch
new file mode 100644 (file)
index 0000000..9c6d7bf
--- /dev/null
@@ -0,0 +1,40 @@
+From 04a68a35ce6d7b54749989f943993020f48fed62 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Wed, 9 Nov 2016 10:39:05 +0000
+Subject: drm/i915/gvt: Disable access to stolen memory as a guest
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit 04a68a35ce6d7b54749989f943993020f48fed62 upstream.
+
+Explicitly disable stolen memory when running as a guest in a virtual
+machine, since the memory is not mediated between clients and reserved
+entirely for the host. The actual size should be reported as zero, but
+like every other quirk we want to tell the user what is happening.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99028
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Zhenyu Wang <zhenyuw@linux.intel.com>
+Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20161109103905.17860-1-chris@chris-wilson.co.uk
+Reviewed-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_gem_stolen.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/i915/i915_gem_stolen.c
++++ b/drivers/gpu/drm/i915/i915_gem_stolen.c
+@@ -405,6 +405,11 @@ int i915_gem_init_stolen(struct drm_devi
+       mutex_init(&dev_priv->mm.stolen_lock);
++      if (intel_vgpu_active(dev_priv)) {
++              DRM_INFO("iGVT-g active, disabling use of stolen memory\n");
++              return 0;
++      }
++
+ #ifdef CONFIG_INTEL_IOMMU
+       if (intel_iommu_gfx_mapped && INTEL_INFO(dev)->gen < 8) {
+               DRM_INFO("DMAR active, disabling use of stolen memory\n");
diff --git a/queue-4.4/nfsd-check-for-oversized-nfsv2-v3-arguments.patch b/queue-4.4/nfsd-check-for-oversized-nfsv2-v3-arguments.patch
new file mode 100644 (file)
index 0000000..3bf179c
--- /dev/null
@@ -0,0 +1,176 @@
+From 51f567777799c9d85a778302b9eb61cf15214a98 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Thu, 6 Apr 2017 22:36:31 -0400
+Subject: nfsd: check for oversized NFSv2/v3 arguments
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit 51f567777799c9d85a778302b9eb61cf15214a98 upstream.
+
+A client can append random data to the end of an NFSv2 or NFSv3 RPC call
+without our complaining; we'll just stop parsing at the end of the
+expected data and ignore the rest.
+
+Encoded arguments and replies are stored together in an array of pages,
+and if a call is too large it could leave inadequate space for the
+reply.  This is normally OK because NFS RPC's typically have either
+short arguments and long replies (like READ) or long arguments and short
+replies (like WRITE).  But a client that sends an incorrectly long reply
+can violate those assumptions.  This was observed to cause crashes.
+
+So, insist that the argument not be any longer than we expect.
+
+Also, several operations increment rq_next_page in the decode routine
+before checking the argument size, which can leave rq_next_page pointing
+well past the end of the page array, causing trouble later in
+svc_free_pages.
+
+As followup we may also want to rewrite the encoding routines to check
+more carefully that they aren't running off the end of the page array.
+
+Reported-by: Tuomas Haanpää <thaan@synopsys.com>
+Reported-by: Ari Kauppi <ari@synopsys.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs3xdr.c          |   23 +++++++++++++++++------
+ fs/nfsd/nfsxdr.c           |   13 ++++++++++---
+ include/linux/sunrpc/svc.h |    3 +--
+ 3 files changed, 28 insertions(+), 11 deletions(-)
+
+--- a/fs/nfsd/nfs3xdr.c
++++ b/fs/nfsd/nfs3xdr.c
+@@ -334,8 +334,11 @@ nfs3svc_decode_readargs(struct svc_rqst
+       if (!p)
+               return 0;
+       p = xdr_decode_hyper(p, &args->offset);
+-
+       args->count = ntohl(*p++);
++
++      if (!xdr_argsize_check(rqstp, p))
++              return 0;
++
+       len = min(args->count, max_blocksize);
+       /* set up the kvec */
+@@ -349,7 +352,7 @@ nfs3svc_decode_readargs(struct svc_rqst
+               v++;
+       }
+       args->vlen = v;
+-      return xdr_argsize_check(rqstp, p);
++      return 1;
+ }
+ int
+@@ -540,9 +543,11 @@ nfs3svc_decode_readlinkargs(struct svc_r
+       p = decode_fh(p, &args->fh);
+       if (!p)
+               return 0;
++      if (!xdr_argsize_check(rqstp, p))
++              return 0;
+       args->buffer = page_address(*(rqstp->rq_next_page++));
+-      return xdr_argsize_check(rqstp, p);
++      return 1;
+ }
+ int
+@@ -568,10 +573,14 @@ nfs3svc_decode_readdirargs(struct svc_rq
+       args->verf   = p; p += 2;
+       args->dircount = ~0;
+       args->count  = ntohl(*p++);
++
++      if (!xdr_argsize_check(rqstp, p))
++              return 0;
++
+       args->count  = min_t(u32, args->count, PAGE_SIZE);
+       args->buffer = page_address(*(rqstp->rq_next_page++));
+-      return xdr_argsize_check(rqstp, p);
++      return 1;
+ }
+ int
+@@ -589,6 +598,9 @@ nfs3svc_decode_readdirplusargs(struct sv
+       args->dircount = ntohl(*p++);
+       args->count    = ntohl(*p++);
++      if (!xdr_argsize_check(rqstp, p))
++              return 0;
++
+       len = args->count = min(args->count, max_blocksize);
+       while (len > 0) {
+               struct page *p = *(rqstp->rq_next_page++);
+@@ -596,8 +608,7 @@ nfs3svc_decode_readdirplusargs(struct sv
+                       args->buffer = page_address(p);
+               len -= PAGE_SIZE;
+       }
+-
+-      return xdr_argsize_check(rqstp, p);
++      return 1;
+ }
+ int
+--- a/fs/nfsd/nfsxdr.c
++++ b/fs/nfsd/nfsxdr.c
+@@ -257,6 +257,9 @@ nfssvc_decode_readargs(struct svc_rqst *
+       len = args->count     = ntohl(*p++);
+       p++; /* totalcount - unused */
++      if (!xdr_argsize_check(rqstp, p))
++              return 0;
++
+       len = min_t(unsigned int, len, NFSSVC_MAXBLKSIZE_V2);
+       /* set up somewhere to store response.
+@@ -272,7 +275,7 @@ nfssvc_decode_readargs(struct svc_rqst *
+               v++;
+       }
+       args->vlen = v;
+-      return xdr_argsize_check(rqstp, p);
++      return 1;
+ }
+ int
+@@ -362,9 +365,11 @@ nfssvc_decode_readlinkargs(struct svc_rq
+       p = decode_fh(p, &args->fh);
+       if (!p)
+               return 0;
++      if (!xdr_argsize_check(rqstp, p))
++              return 0;
+       args->buffer = page_address(*(rqstp->rq_next_page++));
+-      return xdr_argsize_check(rqstp, p);
++      return 1;
+ }
+ int
+@@ -402,9 +407,11 @@ nfssvc_decode_readdirargs(struct svc_rqs
+       args->cookie = ntohl(*p++);
+       args->count  = ntohl(*p++);
+       args->count  = min_t(u32, args->count, PAGE_SIZE);
++      if (!xdr_argsize_check(rqstp, p))
++              return 0;
+       args->buffer = page_address(*(rqstp->rq_next_page++));
+-      return xdr_argsize_check(rqstp, p);
++      return 1;
+ }
+ /*
+--- a/include/linux/sunrpc/svc.h
++++ b/include/linux/sunrpc/svc.h
+@@ -335,8 +335,7 @@ xdr_argsize_check(struct svc_rqst *rqstp
+ {
+       char *cp = (char *)p;
+       struct kvec *vec = &rqstp->rq_arg.head[0];
+-      return cp >= (char*)vec->iov_base
+-              && cp <= (char*)vec->iov_base + vec->iov_len;
++      return cp == (char *)vec->iov_base + vec->iov_len;
+ }
+ static inline int
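Review bot: The tightened xdr_argsize_check() in the include/linux/sunrpc/svc.h hunk changes its contract from "p lies inside the head iovec" to "p is exactly at the end of it" without saying so in the code, and every decoder touched in fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c now relies on that stricter meaning to keep trailing client data from eating into the shared reply pages. I would document it on the function: `/* The decoded arguments must end exactly at the end of the head iovec: trailing data from the client is rejected, because args and reply share rq_pages and an oversized call can leave no room for the reply. */`. Moving the check ahead of the rq_next_page++ bumps and returning 1 afterwards is the right order for the decoders, so there is nothing further to change there; all of those decode routines, and xdr_argsize_check itself, begin before their hunks.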
diff --git a/queue-4.4/nfsd-encoders-mustn-t-use-unitialized-values-in-error-cases.patch b/queue-4.4/nfsd-encoders-mustn-t-use-unitialized-values-in-error-cases.patch
new file mode 100644 (file)
index 0000000..b46fca5
--- /dev/null
@@ -0,0 +1,64 @@
+From f961e3f2acae94b727380c0b74e2d3954d0edf79 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Fri, 5 May 2017 16:17:57 -0400
+Subject: nfsd: encoders mustn't use unitialized values in error cases
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit f961e3f2acae94b727380c0b74e2d3954d0edf79 upstream.
+
+In error cases, lgp->lg_layout_type may be out of bounds; so we
+shouldn't be using it until after the check of nfserr.
+
+This was seen to crash nfsd threads when the server receives a LAYOUTGET
+request with a large layout type.
+
+GETDEVICEINFO has the same problem.
+
+Reported-by: Ari Kauppi <Ari.Kauppi@synopsys.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4xdr.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -4041,8 +4041,7 @@ nfsd4_encode_getdeviceinfo(struct nfsd4_
+               struct nfsd4_getdeviceinfo *gdev)
+ {
+       struct xdr_stream *xdr = &resp->xdr;
+-      const struct nfsd4_layout_ops *ops =
+-              nfsd4_layout_ops[gdev->gd_layout_type];
++      const struct nfsd4_layout_ops *ops;
+       u32 starting_len = xdr->buf->len, needed_len;
+       __be32 *p;
+@@ -4059,6 +4058,7 @@ nfsd4_encode_getdeviceinfo(struct nfsd4_
+       /* If maxcount is 0 then just update notifications */
+       if (gdev->gd_maxcount != 0) {
++              ops = nfsd4_layout_ops[gdev->gd_layout_type];
+               nfserr = ops->encode_getdeviceinfo(xdr, gdev);
+               if (nfserr) {
+                       /*
+@@ -4111,8 +4111,7 @@ nfsd4_encode_layoutget(struct nfsd4_comp
+               struct nfsd4_layoutget *lgp)
+ {
+       struct xdr_stream *xdr = &resp->xdr;
+-      const struct nfsd4_layout_ops *ops =
+-              nfsd4_layout_ops[lgp->lg_layout_type];
++      const struct nfsd4_layout_ops *ops;
+       __be32 *p;
+       dprintk("%s: err %d\n", __func__, nfserr);
+@@ -4135,6 +4134,7 @@ nfsd4_encode_layoutget(struct nfsd4_comp
+       *p++ = cpu_to_be32(lgp->lg_seg.iomode);
+       *p++ = cpu_to_be32(lgp->lg_layout_type);
++      ops = nfsd4_layout_ops[lgp->lg_layout_type];
+       nfserr = ops->encode_layoutget(xdr, lgp);
+ out:
+       kfree(lgp->lg_content);
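Review bot: In the nfsd4_encode_layoutget hunk, `ops = nfsd4_layout_ops[lgp->lg_layout_type];` is still an unchecked array index at the use site; the fix only moves it behind the nfserr path above (not visible here) that jumps to `out` before an unvalidated type can reach it, and nothing in the code records that dependency. I would add `/* lg_layout_type is only trusted here because the nfserr check above bails out before an unvalidated type reaches this point. */`, and the equivalent comment at the `ops = nfsd4_layout_ops[gdev->gd_layout_type];` line in nfsd4_encode_getdeviceinfo. In getdeviceinfo `ops` is now left uninitialized on the gd_maxcount == 0 path; if anything after the visible lines reads it there it would be an uninitialized read, which I cannot confirm from this hunk. Both functions begin before their hunks.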
diff --git a/queue-4.4/nfsd-fix-up-the-supattr_exclcreat-attributes.patch b/queue-4.4/nfsd-fix-up-the-supattr_exclcreat-attributes.patch
new file mode 100644 (file)
index 0000000..8b0e479
--- /dev/null
@@ -0,0 +1,41 @@
+From b26b78cb726007533d81fdf90a62e915002ef5c8 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Tue, 9 May 2017 16:24:59 -0400
+Subject: nfsd: Fix up the "supattr_exclcreat" attributes
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit b26b78cb726007533d81fdf90a62e915002ef5c8 upstream.
+
+If an NFSv4 client asks us for the supattr_exclcreat, then we must
+not return attributes that are unsupported by this minor version.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Fixes: 75976de6556f ("NFSD: Return word2 bitmask if setting security..,")
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4xdr.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -2753,9 +2753,14 @@ out_acl:
+       }
+ #endif /* CONFIG_NFSD_PNFS */
+       if (bmval2 & FATTR4_WORD2_SUPPATTR_EXCLCREAT) {
+-              status = nfsd4_encode_bitmap(xdr, NFSD_SUPPATTR_EXCLCREAT_WORD0,
+-                                                NFSD_SUPPATTR_EXCLCREAT_WORD1,
+-                                                NFSD_SUPPATTR_EXCLCREAT_WORD2);
++              u32 supp[3];
++
++              memcpy(supp, nfsd_suppattrs[minorversion], sizeof(supp));
++              supp[0] &= NFSD_SUPPATTR_EXCLCREAT_WORD0;
++              supp[1] &= NFSD_SUPPATTR_EXCLCREAT_WORD1;
++              supp[2] &= NFSD_SUPPATTR_EXCLCREAT_WORD2;
++
++              status = nfsd4_encode_bitmap(xdr, supp[0], supp[1], supp[2]);
+               if (status)
+                       goto out;
+       }
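Review bot: The new masking block under the FATTR4_WORD2_SUPPATTR_EXCLCREAT branch in the function holding the `out_acl:` label intersects the three words with nfsd_suppattrs[minorversion] without a comment, and the reason lives only in the commit message. I would put it above the memcpy: `/* Only advertise exclusive-create attributes that this minor version actually supports. */`. `u32 supp[3]` also hard-codes the word count the memcpy depends on; if nfsd_suppattrs rows are declared with a named dimension, sizing supp from it would keep the two from drifting apart, which I cannot verify from this hunk. The enclosing function starts before the hunk.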
diff --git a/queue-4.4/osf_wait4-fix-infoleak.patch b/queue-4.4/osf_wait4-fix-infoleak.patch
new file mode 100644 (file)
index 0000000..7c4742f
--- /dev/null
@@ -0,0 +1,33 @@
+From a8c39544a6eb2093c04afd5005b6192bd0e880c6 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 14 May 2017 21:47:25 -0400
+Subject: osf_wait4(): fix infoleak
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit a8c39544a6eb2093c04afd5005b6192bd0e880c6 upstream.
+
+failing sys_wait4() won't fill struct rusage...
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/alpha/kernel/osf_sys.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/alpha/kernel/osf_sys.c
++++ b/arch/alpha/kernel/osf_sys.c
+@@ -1188,8 +1188,10 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
+       if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur)))
+               return -EFAULT;
+-      err = 0;
+-      err |= put_user(status, ustatus);
++      err = put_user(status, ustatus);
++      if (ret < 0)
++              return err ? err : ret;
++
+       err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec);
+       err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec);
+       err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec);
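Review bot: The new guard `if (ret < 0) return err ? err : ret;` stops the rusage copy-out only when sys_wait4 failed; a `ret == 0` result (WNOHANG with nothing to report) may also leave `r` unfilled if the wait path only fills rusage when a child is reaped, in which case the `__put_user(r.ru_*)` lines that follow would still copy whatever is on the stack to user space on that path. I cannot see from this hunk how `r` is declared or whether sys_wait4 zeroes it, so please verify against the caller. If `r` is a plain uninitialized local, initialising it at its declaration (`struct rusage r = {0};`) closes the residual leak without changing the syscall's return semantics. The SYSCALL_DEFINE4 body starts before the hunk.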
diff --git a/queue-4.4/pci-fix-pci_mmap_fits-for-have_pci_resource_to_user-platforms.patch b/queue-4.4/pci-fix-pci_mmap_fits-for-have_pci_resource_to_user-platforms.patch
new file mode 100644 (file)
index 0000000..4b88e85
--- /dev/null
@@ -0,0 +1,46 @@
+From 6bccc7f426abd640f08d8c75fb22f99483f201b4 Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw@amazon.co.uk>
+Date: Wed, 12 Apr 2017 13:25:50 +0100
+Subject: PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms
+
+From: David Woodhouse <dwmw@amazon.co.uk>
+
+commit 6bccc7f426abd640f08d8c75fb22f99483f201b4 upstream.
+
+In the PCI_MMAP_PROCFS case when the address being passed by the user is a
+'user visible' resource address based on the bus window, and not the actual
+contents of the resource, that's what we need to be checking it against.
+
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pci-sysfs.c |   10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -973,15 +973,19 @@ void pci_remove_legacy_files(struct pci_
+ int pci_mmap_fits(struct pci_dev *pdev, int resno, struct vm_area_struct *vma,
+                 enum pci_mmap_api mmap_api)
+ {
+-      unsigned long nr, start, size, pci_start;
++      unsigned long nr, start, size;
++      resource_size_t pci_start = 0, pci_end;
+       if (pci_resource_len(pdev, resno) == 0)
+               return 0;
+       nr = vma_pages(vma);
+       start = vma->vm_pgoff;
+       size = ((pci_resource_len(pdev, resno) - 1) >> PAGE_SHIFT) + 1;
+-      pci_start = (mmap_api == PCI_MMAP_PROCFS) ?
+-                      pci_resource_start(pdev, resno) >> PAGE_SHIFT : 0;
++      if (mmap_api == PCI_MMAP_PROCFS) {
++              pci_resource_to_user(pdev, resno, &pdev->resource[resno],
++                                   &pci_start, &pci_end);
++              pci_start >>= PAGE_SHIFT;
++      }
+       if (start >= pci_start && start < pci_start + size &&
+                       start + nr <= pci_start + size)
+               return 1;
diff --git a/queue-4.4/pci-freeze-pme-scan-before-suspending-devices.patch b/queue-4.4/pci-freeze-pme-scan-before-suspending-devices.patch
new file mode 100644 (file)
index 0000000..9423a39
--- /dev/null
@@ -0,0 +1,152 @@
+From ea00353f36b64375518662a8ad15e39218a1f324 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Tue, 18 Apr 2017 20:44:30 +0200
+Subject: PCI: Freeze PME scan before suspending devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit ea00353f36b64375518662a8ad15e39218a1f324 upstream.
+
+Laurent Pinchart reported that the Renesas R-Car H2 Lager board (r8a7790)
+crashes during suspend tests.  Geert Uytterhoeven managed to reproduce the
+issue on an M2-W Koelsch board (r8a7791):
+
+  It occurs when the PME scan runs, once per second.  During PME scan, the
+  PCI host bridge (rcar-pci) registers are accessed while its module clock
+  has already been disabled, leading to the crash.
+
+One reproducer is to configure s2ram to use "s2idle" instead of "deep"
+suspend:
+
+  # echo 0 > /sys/module/printk/parameters/console_suspend
+  # echo s2idle > /sys/power/mem_sleep
+  # echo mem > /sys/power/state
+
+Another reproducer is to write either "platform" or "processors" to
+/sys/power/pm_test.  It does not (or is less likely) to happen during full
+system suspend ("core" or "none") because system suspend also disables
+timers, and thus the workqueue handling PME scans no longer runs.  Geert
+believes the issue may still happen in the small window between disabling
+module clocks and disabling timers:
+
+  # echo 0 > /sys/module/printk/parameters/console_suspend
+  # echo platform > /sys/power/pm_test    # Or "processors"
+  # echo mem > /sys/power/state
+
+(Make sure CONFIG_PCI_RCAR_GEN2 and CONFIG_USB_OHCI_HCD_PCI are enabled.)
+
+Rafael Wysocki agrees that PME scans should be suspended before the host
+bridge registers become inaccessible.  To that end, queue the task on a
+workqueue that gets frozen before devices suspend.
+
+Rafael notes however that as a result, some wakeup events may be missed if
+they are delivered via PME from a device without working IRQ (which hence
+must be polled) and occur after the workqueue has been frozen.  If that
+turns out to be an issue in practice, it may be possible to solve it by
+calling pci_pme_list_scan() once directly from one of the host bridge's
+pm_ops callbacks.
+
+Stacktrace for posterity:
+
+  PM: Syncing filesystems ... [   38.566237] done.
+  PM: Preparing system for sleep (mem)
+  Freezing user space processes ... [   38.579813] (elapsed 0.001 seconds) done.
+  Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.
+  PM: Suspending system (mem)
+  PM: suspend of devices complete after 152.456 msecs
+  PM: late suspend of devices complete after 2.809 msecs
+  PM: noirq suspend of devices complete after 29.863 msecs
+  suspend debug: Waiting for 5 second(s).
+  Unhandled fault: asynchronous external abort (0x1211) at 0x00000000
+  pgd = c0003000
+  [00000000] *pgd=80000040004003, *pmd=00000000
+  Internal error: : 1211 [#1] SMP ARM
+  Modules linked in:
+  CPU: 1 PID: 20 Comm: kworker/1:1 Not tainted
+  4.9.0-rc1-koelsch-00011-g68db9bc814362e7f #3383
+  Hardware name: Generic R8A7791 (Flattened Device Tree)
+  Workqueue: events pci_pme_list_scan
+  task: eb56e140 task.stack: eb58e000
+  PC is at pci_generic_config_read+0x64/0x6c
+  LR is at rcar_pci_cfg_base+0x64/0x84
+  pc : [<c041d7b4>]    lr : [<c04309a0>]    psr: 600d0093
+  sp : eb58fe98  ip : c041d750  fp : 00000008
+  r10: c0e2283c  r9 : 00000000  r8 : 600d0013
+  r7 : 00000008  r6 : eb58fed6  r5 : 00000002  r4 : eb58feb4
+  r3 : 00000000  r2 : 00000044  r1 : 00000008  r0 : 00000000
+  Flags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
+  Control: 30c5387d  Table: 6a9f6c80  DAC: 55555555
+  Process kworker/1:1 (pid: 20, stack limit = 0xeb58e210)
+  Stack: (0xeb58fe98 to 0xeb590000)
+  fe80:                                                       00000002 00000044
+  fea0: eb6f5800 c041d9b0 eb58feb4 00000008 00000044 00000000 eb78a000 eb78a000
+  fec0: 00000044 00000000 eb9aff00 c0424bf0 eb78a000 00000000 eb78a000 c0e22830
+  fee0: ea8a6fc0 c0424c5c eaae79c0 c0424ce0 eb55f380 c0e22838 eb9a9800 c0235fbc
+  ff00: eb55f380 c0e22838 eb55f380 eb9a9800 eb9a9800 eb58e000 eb9a9824 c0e02100
+  ff20: eb55f398 c02366c4 eb56e140 eb5631c0 00000000 eb55f380 c023641c 00000000
+  ff40: 00000000 00000000 00000000 c023a928 cd105598 00000000 40506a34 eb55f380
+  ff60: 00000000 00000000 dead4ead ffffffff ffffffff eb58ff74 eb58ff74 00000000
+  ff80: 00000000 dead4ead ffffffff ffffffff eb58ff90 eb58ff90 eb58ffac eb5631c0
+  ffa0: c023a844 00000000 00000000 c0206d68 00000000 00000000 00000000 00000000
+  ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+  ffe0: 00000000 00000000 00000000 00000000 00000013 00000000 3a81336c 10ccd1dd
+  [<c041d7b4>] (pci_generic_config_read) from [<c041d9b0>]
+  (pci_bus_read_config_word+0x58/0x80)
+  [<c041d9b0>] (pci_bus_read_config_word) from [<c0424bf0>]
+  (pci_check_pme_status+0x34/0x78)
+  [<c0424bf0>] (pci_check_pme_status) from [<c0424c5c>] (pci_pme_wakeup+0x28/0x54)
+  [<c0424c5c>] (pci_pme_wakeup) from [<c0424ce0>] (pci_pme_list_scan+0x58/0xb4)
+  [<c0424ce0>] (pci_pme_list_scan) from [<c0235fbc>]
+  (process_one_work+0x1bc/0x308)
+  [<c0235fbc>] (process_one_work) from [<c02366c4>] (worker_thread+0x2a8/0x3e0)
+  [<c02366c4>] (worker_thread) from [<c023a928>] (kthread+0xe4/0xfc)
+  [<c023a928>] (kthread) from [<c0206d68>] (ret_from_fork+0x14/0x2c)
+  Code: ea000000 e5903000 f57ff04f e3a00000 (e5843000)
+  ---[ end trace 667d43ba3aa9e589 ]---
+
+Fixes: df17e62e5bff ("PCI: Add support for polling PME state on suspended legacy PCI devices")
+Reported-and-tested-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Reported-and-tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
+Cc: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Cc: Simon Horman <horms+renesas@verge.net.au>
+Cc: Yinghai Lu <yinghai@kernel.org>
+Cc: Matthew Garrett <mjg59@srcf.ucam.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pci.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -1732,8 +1732,8 @@ static void pci_pme_list_scan(struct wor
+               }
+       }
+       if (!list_empty(&pci_pme_list))
+-              schedule_delayed_work(&pci_pme_work,
+-                                    msecs_to_jiffies(PME_TIMEOUT));
++              queue_delayed_work(system_freezable_wq, &pci_pme_work,
++                                 msecs_to_jiffies(PME_TIMEOUT));
+       mutex_unlock(&pci_pme_list_mutex);
+ }
+@@ -1798,8 +1798,9 @@ void pci_pme_active(struct pci_dev *dev,
+                       mutex_lock(&pci_pme_list_mutex);
+                       list_add(&pme_dev->list, &pci_pme_list);
+                       if (list_is_singular(&pci_pme_list))
+-                              schedule_delayed_work(&pci_pme_work,
+-                                                    msecs_to_jiffies(PME_TIMEOUT));
++                              queue_delayed_work(system_freezable_wq,
++                                                 &pci_pme_work,
++                                                 msecs_to_jiffies(PME_TIMEOUT));
+                       mutex_unlock(&pci_pme_list_mutex);
+               } else {
+                       mutex_lock(&pci_pme_list_mutex);
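Review bot: Both queue_delayed_work(system_freezable_wq, ...) call sites, in pci_pme_list_scan and in pci_pme_active, switch to the freezable workqueue without a comment, and the commit message itself records the trade-off (polled PME wakeups that arrive after the queue is frozen are lost); that reasoning belongs next to the code so nobody moves it back to schedule_delayed_work(). I would add at the first site `/* Freezable: the scan touches host-bridge registers, which must not happen after the bridge has suspended. Polled PME events that arrive after the freeze are missed. */`. Both functions start outside their hunks.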
index b796a96a09799a077455c486be2c8ebe10612c78..71d87fd738511adf91e16c6978edd4d40f7637c5 100644 (file)
@@ -94,3 +94,13 @@ metag-uaccess-check-access_ok-in-strncpy_from_user.patch
 stackprotector-increase-the-per-task-stack-canary-s-random-range-from-32-bits-to-64-bits-on-64-bit-platforms.patch
 uwb-fix-device-quirk-on-big-endian-hosts.patch
 genirq-fix-chained-interrupt-data-ordering.patch
+osf_wait4-fix-infoleak.patch
+tracing-kprobes-enforce-kprobes-teardown-after-testing.patch
+pci-fix-pci_mmap_fits-for-have_pci_resource_to_user-platforms.patch
+pci-freeze-pme-scan-before-suspending-devices.patch
+drm-edid-add-10-bpc-quirk-for-lgd-764-panel-in-hp-zbook-17-g2.patch
+nfsd-check-for-oversized-nfsv2-v3-arguments.patch
+nfsd-encoders-mustn-t-use-unitialized-values-in-error-cases.patch
+nfsd-fix-up-the-supattr_exclcreat-attributes.patch
+drivers-char-mem-check-for-address-space-wraparound-with-mmap.patch
+drm-i915-gvt-disable-access-to-stolen-memory-as-a-guest.patch
diff --git a/queue-4.4/tracing-kprobes-enforce-kprobes-teardown-after-testing.patch b/queue-4.4/tracing-kprobes-enforce-kprobes-teardown-after-testing.patch
new file mode 100644 (file)
index 0000000..7434fca
--- /dev/null
@@ -0,0 +1,77 @@
+From 30e7d894c1478c88d50ce94ddcdbd7f9763d9cdd Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 17 May 2017 10:19:49 +0200
+Subject: tracing/kprobes: Enforce kprobes teardown after testing
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 30e7d894c1478c88d50ce94ddcdbd7f9763d9cdd upstream.
+
+Enabling the tracer selftest triggers occasionally the warning in
+text_poke(), which warns when the to be modified page is not marked
+reserved.
+
+The reason is that the tracer selftest installs kprobes on functions marked
+__init for testing. These probes are removed after the tests, but that
+removal schedules the delayed kprobes_optimizer work, which will do the
+actual text poke. If the work is executed after the init text is freed,
+then the warning triggers. The bug can be reproduced reliably when the work
+delay is increased.
+
+Flush the optimizer work and wait for the optimizing/unoptimizing lists to
+become empty before returning from the kprobes tracer selftest. That
+ensures that all operations which were queued due to the probes removal
+have completed.
+
+Link: http://lkml.kernel.org/r/20170516094802.76a468bb@gandalf.local.home
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Fixes: 6274de498 ("kprobes: Support delayed unoptimizing")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/kprobes.h     |    4 +++-
+ kernel/kprobes.c            |    2 +-
+ kernel/trace/trace_kprobe.c |    5 +++++
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/include/linux/kprobes.h
++++ b/include/linux/kprobes.h
+@@ -330,7 +330,9 @@ extern int proc_kprobes_optimization_han
+                                            int write, void __user *buffer,
+                                            size_t *length, loff_t *ppos);
+ #endif
+-
++extern void wait_for_kprobe_optimizer(void);
++#else
++static inline void wait_for_kprobe_optimizer(void) { }
+ #endif /* CONFIG_OPTPROBES */
+ #ifdef CONFIG_KPROBES_ON_FTRACE
+ extern void kprobe_ftrace_handler(unsigned long ip, unsigned long parent_ip,
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -563,7 +563,7 @@ static void kprobe_optimizer(struct work
+ }
+ /* Wait for completing optimization and unoptimization */
+-static void wait_for_kprobe_optimizer(void)
++void wait_for_kprobe_optimizer(void)
+ {
+       mutex_lock(&kprobe_mutex);
+--- a/kernel/trace/trace_kprobe.c
++++ b/kernel/trace/trace_kprobe.c
+@@ -1471,6 +1471,11 @@ static __init int kprobe_trace_self_test
+ end:
+       release_all_trace_kprobes();
++      /*
++       * Wait for the optimizer work to finish. Otherwise it might fiddle
++       * with probes in already freed __init text.
++       */
++      wait_for_kprobe_optimizer();
+       if (warn)
+               pr_cont("NG: Some tests are failed. Please check them.\n");
+       else