4.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 25 Jul 2017 04:39:21 +0000 (21:39 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 25 Jul 2017 04:39:21 +0000 (21:39 -0700)
added patches:
acpi-ec-drop-ec-noirq-hooks-to-fix-a-regression.patch
ceph-fix-race-in-concurrent-readdir.patch
drm-amd-powerplay-fix-memory-leak-in-cz_hwmgr-backend.patch
drm-atomic-add-missing-drm_atomic_state_clear-to-atomic_remove_fb.patch
drm-i915-disable-msi-for-all-pre-gen5.patch
drm-i915-gvt-fix-inconsistent-locks-holding-sequence.patch
drm-i915-gvt-fix-possible-recursive-locking-issue.patch
drm-i915-make-dp-mst-connector-info-work.patch
drm-mst-avoid-dereferencing-a-null-mstb-in-drm_dp_mst_handle_up_req.patch
drm-mst-avoid-processing-partially-received-up-down-message-transactions.patch
drm-mst-fix-error-handling-during-mst-sideband-message-reception.patch
ftrace-fix-uninitialized-variable-in-match_records.patch
hfsplus-don-t-clear-sgid-when-inheriting-acls.patch
ib-core-namespace-is-mandatory-input-for-address-resolution.patch
ib-iser-fix-connection-teardown-race-condition.patch
input-i8042-fix-crash-at-boot-time.patch
iommu-arm-smmu-plumb-in-new-acpi-identifiers.patch
iser-target-avoid-isert_conn-cm_id-dereference-in-isert_login_recv_done.patch
mips-actually-decode-jalx-in-__compute_return_epc_for_insn.patch
mips-fix-a-typo-s-preset-present-in-r2-to-r6-emulation-error-message.patch
mips-fix-mips-i-isa-proc-cpuinfo-reporting.patch
mips-fix-mips_atomic_set-retry-condition.patch
mips-fix-mips_atomic_set-with-eva.patch
mips-fix-unaligned-pc-interpretation-in-compute_return_epc.patch
mips-math-emu-prevent-wrong-isa-mode-instruction-emulation.patch
mips-negate-error-syscall-return-in-trace.patch
mips-rename-sigill_r6-to-sigill_r2r6-in-__compute_return_epc_for_insn.patch
mips-save-static-registers-before-sysmips.patch
mips-send-sigill-for-bposge32-in-__compute_return_epc_for_insn.patch
mips-send-sigill-for-linked-branches-in-__compute_return_epc_for_insn.patch
mips-send-sigill-for-r6-branches-in-__compute_return_epc_for_insn.patch
mlx5-avoid-that-mlx5_ib_sg_to_klms-overflows-the-klms-array.patch
mtd-nand-tango-fix-incorrect-use-of-seqin-command.patch
net-sunrpc-xprt_sock-fix-regression-in-connection-error-reporting.patch
nfs-fix-initialization-of-nfs_page_array-npages.patch
nfs-only-invalidate-dentrys-that-are-clearly-invalid.patch
nvme-rdma-remove-race-conditions-from-ib-signalling.patch
ovl-fix-random-return-value-on-mount.patch
ovl-mark-parent-impure-on-ovl_link.patch
perf-annotate-fix-broken-arrow-at-row-0-connecting-jmp-instruction-to-its-target.patch
perf-core-fix-scheduling-regression-of-pinned-groups.patch
pnfs-fix-eaccess-on-commit-to-ds-handling.patch
rdma-core-initialize-port_num-in-qp_attr.patch
rdma-uverbs-fix-the-check-for-port-number.patch
revert-acpi-ec-enable-event-freeze-mode...-to-fix-a-regression.patch
revert-perf-core-drop-kernel-samples-even-though-u-is-specified.patch
staging-comedi-ni_mio_common-fix-ao-timer-off-by-one-regression.patch
staging-lustre-ko2iblnd-check-copy_from_iter-copy_to_iter-return-code.patch
staging-rtl8188eu-add-tl-wn722n-v2-support.patch
staging-sm750fb-avoid-conflicting-vesafb.patch
sunrpc-use-constant-time-memory-comparison-for-mac.patch
target-fix-compare_and_write-caw_sem-leak-during-se_cmd-quiesce.patch
ubifs-correctly-evict-xattr-inodes.patch
ubifs-don-t-encrypt-special-files-on-creation.patch
ubifs-don-t-leak-kernel-memory-to-the-mtd.patch
ubifs-set-double-hash-cookie-also-for-rename_exchange.patch
udf-fix-deadlock-between-writeback-and-udf_setsize.patch
udf-fix-races-with-i_size-changes-during-readpage.patch
vfio-fix-group-release-deadlock.patch
vfio-new-external-user-group-file-match.patch
vfio-remove-unnecessary-uses-of-vfio_container.group_lock.patch
x86-acpi-prevent-out-of-bound-access-caused-by-broken-acpi-tables.patch
x86-ioapic-pass-the-correct-data-to-unmask_ioapic_irq.patch

64 files changed:
queue-4.12/acpi-ec-drop-ec-noirq-hooks-to-fix-a-regression.patch [new file with mode: 0644]
queue-4.12/ceph-fix-race-in-concurrent-readdir.patch [new file with mode: 0644]
queue-4.12/drm-amd-powerplay-fix-memory-leak-in-cz_hwmgr-backend.patch [new file with mode: 0644]
queue-4.12/drm-atomic-add-missing-drm_atomic_state_clear-to-atomic_remove_fb.patch [new file with mode: 0644]
queue-4.12/drm-i915-disable-msi-for-all-pre-gen5.patch [new file with mode: 0644]
queue-4.12/drm-i915-gvt-fix-inconsistent-locks-holding-sequence.patch [new file with mode: 0644]
queue-4.12/drm-i915-gvt-fix-possible-recursive-locking-issue.patch [new file with mode: 0644]
queue-4.12/drm-i915-make-dp-mst-connector-info-work.patch [new file with mode: 0644]
queue-4.12/drm-mst-avoid-dereferencing-a-null-mstb-in-drm_dp_mst_handle_up_req.patch [new file with mode: 0644]
queue-4.12/drm-mst-avoid-processing-partially-received-up-down-message-transactions.patch [new file with mode: 0644]
queue-4.12/drm-mst-fix-error-handling-during-mst-sideband-message-reception.patch [new file with mode: 0644]
queue-4.12/ftrace-fix-uninitialized-variable-in-match_records.patch [new file with mode: 0644]
queue-4.12/hfsplus-don-t-clear-sgid-when-inheriting-acls.patch [new file with mode: 0644]
queue-4.12/ib-core-namespace-is-mandatory-input-for-address-resolution.patch [new file with mode: 0644]
queue-4.12/ib-iser-fix-connection-teardown-race-condition.patch [new file with mode: 0644]
queue-4.12/input-i8042-fix-crash-at-boot-time.patch [new file with mode: 0644]
queue-4.12/iommu-arm-smmu-plumb-in-new-acpi-identifiers.patch [new file with mode: 0644]
queue-4.12/iser-target-avoid-isert_conn-cm_id-dereference-in-isert_login_recv_done.patch [new file with mode: 0644]
queue-4.12/mips-actually-decode-jalx-in-__compute_return_epc_for_insn.patch [new file with mode: 0644]
queue-4.12/mips-fix-a-typo-s-preset-present-in-r2-to-r6-emulation-error-message.patch [new file with mode: 0644]
queue-4.12/mips-fix-mips-i-isa-proc-cpuinfo-reporting.patch [new file with mode: 0644]
queue-4.12/mips-fix-mips_atomic_set-retry-condition.patch [new file with mode: 0644]
queue-4.12/mips-fix-mips_atomic_set-with-eva.patch [new file with mode: 0644]
queue-4.12/mips-fix-unaligned-pc-interpretation-in-compute_return_epc.patch [new file with mode: 0644]
queue-4.12/mips-math-emu-prevent-wrong-isa-mode-instruction-emulation.patch [new file with mode: 0644]
queue-4.12/mips-negate-error-syscall-return-in-trace.patch [new file with mode: 0644]
queue-4.12/mips-rename-sigill_r6-to-sigill_r2r6-in-__compute_return_epc_for_insn.patch [new file with mode: 0644]
queue-4.12/mips-save-static-registers-before-sysmips.patch [new file with mode: 0644]
queue-4.12/mips-send-sigill-for-bposge32-in-__compute_return_epc_for_insn.patch [new file with mode: 0644]
queue-4.12/mips-send-sigill-for-linked-branches-in-__compute_return_epc_for_insn.patch [new file with mode: 0644]
queue-4.12/mips-send-sigill-for-r6-branches-in-__compute_return_epc_for_insn.patch [new file with mode: 0644]
queue-4.12/mlx5-avoid-that-mlx5_ib_sg_to_klms-overflows-the-klms-array.patch [new file with mode: 0644]
queue-4.12/mtd-nand-tango-fix-incorrect-use-of-seqin-command.patch [new file with mode: 0644]
queue-4.12/net-sunrpc-xprt_sock-fix-regression-in-connection-error-reporting.patch [new file with mode: 0644]
queue-4.12/nfs-fix-initialization-of-nfs_page_array-npages.patch [new file with mode: 0644]
queue-4.12/nfs-only-invalidate-dentrys-that-are-clearly-invalid.patch [new file with mode: 0644]
queue-4.12/nvme-rdma-remove-race-conditions-from-ib-signalling.patch [new file with mode: 0644]
queue-4.12/ovl-fix-random-return-value-on-mount.patch [new file with mode: 0644]
queue-4.12/ovl-mark-parent-impure-on-ovl_link.patch [new file with mode: 0644]
queue-4.12/perf-annotate-fix-broken-arrow-at-row-0-connecting-jmp-instruction-to-its-target.patch [new file with mode: 0644]
queue-4.12/perf-core-fix-scheduling-regression-of-pinned-groups.patch [new file with mode: 0644]
queue-4.12/pnfs-fix-eaccess-on-commit-to-ds-handling.patch [new file with mode: 0644]
queue-4.12/rdma-core-initialize-port_num-in-qp_attr.patch [new file with mode: 0644]
queue-4.12/rdma-uverbs-fix-the-check-for-port-number.patch [new file with mode: 0644]
queue-4.12/revert-acpi-ec-enable-event-freeze-mode...-to-fix-a-regression.patch [new file with mode: 0644]
queue-4.12/revert-perf-core-drop-kernel-samples-even-though-u-is-specified.patch [new file with mode: 0644]
queue-4.12/series
queue-4.12/staging-comedi-ni_mio_common-fix-ao-timer-off-by-one-regression.patch [new file with mode: 0644]
queue-4.12/staging-lustre-ko2iblnd-check-copy_from_iter-copy_to_iter-return-code.patch [new file with mode: 0644]
queue-4.12/staging-rtl8188eu-add-tl-wn722n-v2-support.patch [new file with mode: 0644]
queue-4.12/staging-sm750fb-avoid-conflicting-vesafb.patch [new file with mode: 0644]
queue-4.12/sunrpc-use-constant-time-memory-comparison-for-mac.patch [new file with mode: 0644]
queue-4.12/target-fix-compare_and_write-caw_sem-leak-during-se_cmd-quiesce.patch [new file with mode: 0644]
queue-4.12/ubifs-correctly-evict-xattr-inodes.patch [new file with mode: 0644]
queue-4.12/ubifs-don-t-encrypt-special-files-on-creation.patch [new file with mode: 0644]
queue-4.12/ubifs-don-t-leak-kernel-memory-to-the-mtd.patch [new file with mode: 0644]
queue-4.12/ubifs-set-double-hash-cookie-also-for-rename_exchange.patch [new file with mode: 0644]
queue-4.12/udf-fix-deadlock-between-writeback-and-udf_setsize.patch [new file with mode: 0644]
queue-4.12/udf-fix-races-with-i_size-changes-during-readpage.patch [new file with mode: 0644]
queue-4.12/vfio-fix-group-release-deadlock.patch [new file with mode: 0644]
queue-4.12/vfio-new-external-user-group-file-match.patch [new file with mode: 0644]
queue-4.12/vfio-remove-unnecessary-uses-of-vfio_container.group_lock.patch [new file with mode: 0644]
queue-4.12/x86-acpi-prevent-out-of-bound-access-caused-by-broken-acpi-tables.patch [new file with mode: 0644]
queue-4.12/x86-ioapic-pass-the-correct-data-to-unmask_ioapic_irq.patch [new file with mode: 0644]

diff --git a/queue-4.12/acpi-ec-drop-ec-noirq-hooks-to-fix-a-regression.patch b/queue-4.12/acpi-ec-drop-ec-noirq-hooks-to-fix-a-regression.patch
new file mode 100644 (file)
index 0000000..55e2eaf
--- /dev/null
@@ -0,0 +1,74 @@
+From 662591461c4b9a1e3b9b159dbf37648a585ebaae Mon Sep 17 00:00:00 2001
+From: Lv Zheng <lv.zheng@intel.com>
+Date: Wed, 12 Jul 2017 11:09:09 +0800
+Subject: ACPI / EC: Drop EC noirq hooks to fix a regression
+
+From: Lv Zheng <lv.zheng@intel.com>
+
+commit 662591461c4b9a1e3b9b159dbf37648a585ebaae upstream.
+
+According to bug reports, although the busy polling mode can make
+noirq stages execute faster, it causes abnormal fan blowing up after
+system resume (see the first link below for a video demonstration)
+on Lenovo ThinkPad X1 Carbon - the 5th Generation.  The problem can
+be fixed by upgrading the EC firmware on that machine.
+
+However, many reporters confirm that the problem can be fixed by
+stopping busy polling during suspend/resume and for some of them
+upgrading the EC firmware is not an option.
+
+For this reason, drop the noirq stage hooks from the EC driver
+to fix the regression.
+
+Fixes: c3a696b6e8f8 (ACPI / EC: Use busy polling mode when GPE is not enabled)
+Link: https://youtu.be/9NQ9x-Jm99Q
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=196129
+Reported-by: Andreas Lindhe <andreas@lindhe.io>
+Tested-by: Gjorgji Jankovski <j.gjorgji@gmail.com>
+Tested-by: Damjan Georgievski <gdamjan@gmail.com>
+Tested-by: Fernando Chaves <nanochaves@gmail.com>
+Tested-by: Tomislav Ivek <tomislav.ivek@gmail.com>
+Tested-by: Denis P. <theoriginal.skullburner@gmail.com>
+Signed-off-by: Lv Zheng <lv.zheng@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/ec.c |   19 -------------------
+ 1 file changed, 19 deletions(-)
+
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -1812,24 +1812,6 @@ error:
+ }
+ #ifdef CONFIG_PM_SLEEP
+-static int acpi_ec_suspend_noirq(struct device *dev)
+-{
+-      struct acpi_ec *ec =
+-              acpi_driver_data(to_acpi_device(dev));
+-
+-      acpi_ec_enter_noirq(ec);
+-      return 0;
+-}
+-
+-static int acpi_ec_resume_noirq(struct device *dev)
+-{
+-      struct acpi_ec *ec =
+-              acpi_driver_data(to_acpi_device(dev));
+-
+-      acpi_ec_leave_noirq(ec);
+-      return 0;
+-}
+-
+ static int acpi_ec_suspend(struct device *dev)
+ {
+       struct acpi_ec *ec =
+@@ -1851,7 +1833,6 @@ static int acpi_ec_resume(struct device
+ #endif
+ static const struct dev_pm_ops acpi_ec_pm = {
+-      SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(acpi_ec_suspend_noirq, acpi_ec_resume_noirq)
+       SET_SYSTEM_SLEEP_PM_OPS(acpi_ec_suspend, acpi_ec_resume)
+ };
diff --git a/queue-4.12/ceph-fix-race-in-concurrent-readdir.patch b/queue-4.12/ceph-fix-race-in-concurrent-readdir.patch
new file mode 100644 (file)
index 0000000..d783784
--- /dev/null
@@ -0,0 +1,50 @@
+From 84583cfb973c4313955c6231cc9cb3772d280b15 Mon Sep 17 00:00:00 2001
+From: "Yan, Zheng" <zyan@redhat.com>
+Date: Thu, 6 Jul 2017 11:12:21 +0800
+Subject: ceph: fix race in concurrent readdir
+
+From: Yan, Zheng <zyan@redhat.com>
+
+commit 84583cfb973c4313955c6231cc9cb3772d280b15 upstream.
+
+For a large directory, program needs to issue multiple readdir
+syscalls to get all dentries. When there are multiple programs
+read the directory concurrently. Following sequence of events
+can happen.
+
+ - program calls readdir with pos = 2. ceph sends readdir request
+   to mds. The reply contains N1 entries. ceph adds these N1 entries
+   to readdir cache.
+ - program calls readdir with pos = N1+2. The readdir is satisfied
+   by the readdir cache, N2 entries are returned. (Other program
+   calls readdir in the middle, which fills the cache)
+ - program calls readdir with pos = N1+N2+2. ceph sends readdir
+   request to mds. The reply contains N3 entries and it reaches
+   directory end. ceph adds these N3 entries to the readdir cache
+   and marks directory complete.
+
+The second readdir call does not update fi->readdir_cache_idx.
+ceph add the last N3 entries to wrong places.
+
+Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/dir.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/ceph/dir.c
++++ b/fs/ceph/dir.c
+@@ -271,6 +271,11 @@ out:
+               if (ret < 0)
+                       err = ret;
+               dput(last);
++              /* last_name no longer match cache index */
++              if (fi->readdir_cache_idx >= 0) {
++                      fi->readdir_cache_idx = -1;
++                      fi->dir_release_count = 0;
++              }
+       }
+       return err;
+ }
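Review bot: The comment on the added block, `/* last_name no longer match cache index */`, is a fragment and does not say why dir_release_count is zeroed as well; suggest `/* last_name no longer matches the cache index: drop the cached readdir position so later replies are not filed at a stale index */`, which follows the description's account of the N3 entries landing in the wrong place. Whether `if (fi->readdir_cache_idx >= 0)` is the right guard for an index that the cache-satisfied call never advanced cannot be confirmed from the hunk alone. The enclosing function, and the block containing dput(last) that the new lines sit in, begin outside the hunk.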
diff --git a/queue-4.12/drm-amd-powerplay-fix-memory-leak-in-cz_hwmgr-backend.patch b/queue-4.12/drm-amd-powerplay-fix-memory-leak-in-cz_hwmgr-backend.patch
new file mode 100644 (file)
index 0000000..67f9f98
--- /dev/null
@@ -0,0 +1,36 @@
+From b1e8b9c5b19c58e3159c2acc77167f4a4c74621f Mon Sep 17 00:00:00 2001
+From: Hawking Zhang <Hawking.Zhang@amd.com>
+Date: Tue, 6 Jun 2017 16:25:44 +0800
+Subject: drm/amd/powerplay: fix memory leak in cz_hwmgr backend
+
+From: Hawking Zhang <Hawking.Zhang@amd.com>
+
+commit b1e8b9c5b19c58e3159c2acc77167f4a4c74621f upstream.
+
+vddc_dep_on_dal_pwrl is allocated and initialized in cz_hwmgr_backend_init
+Thus free the memory in cz_hwmgr_backend_fini
+
+Signed-off-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/powerplay/hwmgr/cz_hwmgr.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/amd/powerplay/hwmgr/cz_hwmgr.c
++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/cz_hwmgr.c
+@@ -1224,6 +1224,12 @@ static int cz_hwmgr_backend_fini(struct
+               phm_destroy_table(hwmgr, &(hwmgr->disable_dynamic_state_management));
+               phm_destroy_table(hwmgr, &(hwmgr->power_down_asic));
+               phm_destroy_table(hwmgr, &(hwmgr->setup_asic));
++
++              if (NULL != hwmgr->dyn_state.vddc_dep_on_dal_pwrl) {
++                      kfree(hwmgr->dyn_state.vddc_dep_on_dal_pwrl);
++                      hwmgr->dyn_state.vddc_dep_on_dal_pwrl = NULL;
++              }
++
+               kfree(hwmgr->backend);
+               hwmgr->backend = NULL;
+       }
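Review bot: The NULL guard around kfree() in the added block is redundant, since kfree(NULL) is a no-op, and the `NULL != ptr` ordering is not the kernel's usual style; the added lines reduce to `kfree(hwmgr->dyn_state.vddc_dep_on_dal_pwrl);` followed by `hwmgr->dyn_state.vddc_dep_on_dal_pwrl = NULL;`. Clearing the pointer after the free is worth keeping so that a second fini call, if one can happen, does not free it again. cz_hwmgr_backend_fini begins outside the hunk.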
diff --git a/queue-4.12/drm-atomic-add-missing-drm_atomic_state_clear-to-atomic_remove_fb.patch b/queue-4.12/drm-atomic-add-missing-drm_atomic_state_clear-to-atomic_remove_fb.patch
new file mode 100644 (file)
index 0000000..eedf1b4
--- /dev/null
@@ -0,0 +1,35 @@
+From 4086d90cffb8f48400d51fbab575fe50458512e3 Mon Sep 17 00:00:00 2001
+From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Date: Thu, 29 Jun 2017 13:59:54 +0200
+Subject: drm/atomic: Add missing drm_atomic_state_clear to atomic_remove_fb
+
+From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+
+commit 4086d90cffb8f48400d51fbab575fe50458512e3 upstream.
+
+All atomic state should be cleared when drm_modeset_backoff() is
+called, because it drops all locks and the state becomes invalid.
+
+The call to drm_atomic_state_clear was missing in atomic_remove_fb,
+so add the missing call there.
+
+Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20170629115954.26029-1-maarten.lankhorst@linux.intel.com
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Fixes: db8f6403e88a ("drm: Convert drm_framebuffer_remove to atomic, v4.")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_framebuffer.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/drm_framebuffer.c
++++ b/drivers/gpu/drm/drm_framebuffer.c
+@@ -832,6 +832,7 @@ unlock:
+               drm_atomic_clean_old_fb(dev, plane_mask, ret);
+       if (ret == -EDEADLK) {
++              drm_atomic_state_clear(state);
+               drm_modeset_backoff(&ctx);
+               goto retry;
+       }
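Review bot: The added `drm_atomic_state_clear(state);` carries no comment, and its ordering before drm_modeset_backoff() is the whole point of the fix; suggest `/* backoff drops all locks, so the collected state is invalid and must be cleared before retrying */` above it, following the description. atomic_remove_fb and the `retry:` label it jumps back to lie outside the hunk.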
diff --git a/queue-4.12/drm-i915-disable-msi-for-all-pre-gen5.patch b/queue-4.12/drm-i915-disable-msi-for-all-pre-gen5.patch
new file mode 100644 (file)
index 0000000..9c0fe5f
--- /dev/null
@@ -0,0 +1,70 @@
+From ce3f7163e4ce8fd583dcb36b6ee6b81fd1b419ae Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Mon, 26 Jun 2017 23:30:51 +0300
+Subject: drm/i915: Disable MSI for all pre-gen5
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit ce3f7163e4ce8fd583dcb36b6ee6b81fd1b419ae upstream.
+
+We have pretty clear evidence that MSIs are getting lost on g4x and
+somehow the interrupt logic doesn't seem to recover from that state
+even if we try hard to clear the IIR.
+
+Disabling IER around the normal IIR clearing in the irq handler isn't
+sufficient to avoid this, so the problem really seems to be further
+up the interrupt chain. This should guarantee that there's always
+an edge if any IIR bits are set after the interrupt handler is done,
+which should normally guarantee that the CPU interrupt is generated.
+That approach seems to work perfectly on VLV/CHV, but apparently
+not on g4x.
+
+MSI is documented to be broken on 965gm at least. The chipset spec
+says MSI is defeatured because interrupts can be delayed or lost,
+which fits well with what we're seeing on g4x. Previously we've
+already disabled GMBUS interrupts on g4x because somehow GMBUS
+manages to raise legacy interrupts even when MSI is enabled.
+
+Since there's such widespread MSI breakahge all over in the pre-gen5
+land let's just give up on MSI on these platforms.
+
+Seqno reporting might be negatively affected by this since the legcy
+interrupts aren't guaranteed to be ordered with the seqno writes,
+whereas MSI interrupts may be? But an occasioanlly missed seqno
+seems like a small price to pay for generally working interrupts.
+
+Cc: Diego Viola <diego.viola@gmail.com>
+Tested-by: Diego Viola <diego.viola@gmail.com>
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101261
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20170626203051.28480-1-ville.syrjala@linux.intel.com
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+(cherry picked from commit e38c2da01f76cca82b59ca612529b81df82a7cc7)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_drv.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_drv.c
++++ b/drivers/gpu/drm/i915/i915_drv.c
+@@ -1087,10 +1087,12 @@ static int i915_driver_init_hw(struct dr
+        * and the registers being closely associated.
+        *
+        * According to chipset errata, on the 965GM, MSI interrupts may
+-       * be lost or delayed, but we use them anyways to avoid
+-       * stuck interrupts on some machines.
++       * be lost or delayed, and was defeatured. MSI interrupts seem to
++       * get lost on g4x as well, and interrupt delivery seems to stay
++       * properly dead afterwards. So we'll just disable them for all
++       * pre-gen5 chipsets.
+        */
+-      if (!IS_I945G(dev_priv) && !IS_I945GM(dev_priv)) {
++      if (INTEL_GEN(dev_priv) >= 5) {
+               if (pci_enable_msi(pdev) < 0)
+                       DRM_DEBUG_DRIVER("can't enable MSI");
+       }
diff --git a/queue-4.12/drm-i915-gvt-fix-inconsistent-locks-holding-sequence.patch b/queue-4.12/drm-i915-gvt-fix-inconsistent-locks-holding-sequence.patch
new file mode 100644 (file)
index 0000000..23f037a
--- /dev/null
@@ -0,0 +1,64 @@
+From f16bd3dda2c8bf6699e808cd9cc540cfab10e60e Mon Sep 17 00:00:00 2001
+From: Chuanxiao Dong <chuanxiao.dong@intel.com>
+Date: Mon, 26 Jun 2017 15:20:50 +0800
+Subject: drm/i915/gvt: Fix inconsistent locks holding sequence
+
+From: Chuanxiao Dong <chuanxiao.dong@intel.com>
+
+commit f16bd3dda2c8bf6699e808cd9cc540cfab10e60e upstream.
+
+There are two kinds of locking sequence.
+
+One is in the thread which is started by vfio ioctl to do
+the iommu unmapping. The locking sequence is:
+       down_read(&group_lock) ----> mutex_lock(&cached_lock)
+
+The other is in the vfio release thread which will unpin all
+the cached pages. The lock sequence is:
+       mutex_lock(&cached_lock) ---> down_read(&group_lock)
+
+And, the cache_lock is used to protect the rb tree of the cache
+node and doing vfio unpin doesn't require this lock. Move the
+vfio unpin out of the cache_lock protected region.
+
+v2:
+- use for style instead of do{}while(1). (Zhenyu)
+
+Fixes: f30437c5e7bf ("drm/i915/gvt: add KVMGT support")
+Signed-off-by: Chuanxiao Dong <chuanxiao.dong@intel.com>
+Cc: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/gvt/kvmgt.c |   14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gvt/kvmgt.c
++++ b/drivers/gpu/drm/i915/gvt/kvmgt.c
+@@ -260,16 +260,20 @@ static void gvt_cache_destroy(struct int
+       struct device *dev = mdev_dev(vgpu->vdev.mdev);
+       unsigned long gfn;
+-      mutex_lock(&vgpu->vdev.cache_lock);
+-      while ((node = rb_first(&vgpu->vdev.cache))) {
++      for (;;) {
++              mutex_lock(&vgpu->vdev.cache_lock);
++              node = rb_first(&vgpu->vdev.cache);
++              if (!node) {
++                      mutex_unlock(&vgpu->vdev.cache_lock);
++                      break;
++              }
+               dma = rb_entry(node, struct gvt_dma, node);
+               gvt_dma_unmap_iova(vgpu, dma->iova);
+               gfn = dma->gfn;
+-
+-              vfio_unpin_pages(dev, &gfn, 1);
+               __gvt_cache_remove_entry(vgpu, dma);
++              mutex_unlock(&vgpu->vdev.cache_lock);
++              vfio_unpin_pages(dev, &gfn, 1);
+       }
+-      mutex_unlock(&vgpu->vdev.cache_lock);
+ }
+ static struct intel_vgpu_type *intel_gvt_find_vgpu_type(struct intel_gvt *gvt,
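Review bot: The moved `vfio_unpin_pages(dev, &gfn, 1);` still discards its return value, and nothing in the new loop records why the unlock now precedes it; suggest `/* unpin outside cache_lock: vfio_unpin_pages() takes group_lock, which the vfio ioctl path holds while taking cache_lock */` above the mutex_unlock, matching the lock-order description. Checking the return, as the old gvt_cache_remove in the companion recursive-locking patch did with `WARN_ON(rc != 1)`, would at least surface a failed unpin in the log; the same omission exists in intel_vgpu_unpin_work in that patch. gvt_cache_destroy's declarations begin outside the hunk.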
diff --git a/queue-4.12/drm-i915-gvt-fix-possible-recursive-locking-issue.patch b/queue-4.12/drm-i915-gvt-fix-possible-recursive-locking-issue.patch
new file mode 100644 (file)
index 0000000..53b5a79
--- /dev/null
@@ -0,0 +1,157 @@
+From 62d02fd1f807bf5a259a242c483c9fb98a242630 Mon Sep 17 00:00:00 2001
+From: Chuanxiao Dong <chuanxiao.dong@intel.com>
+Date: Mon, 26 Jun 2017 15:20:49 +0800
+Subject: drm/i915/gvt: Fix possible recursive locking issue
+
+From: Chuanxiao Dong <chuanxiao.dong@intel.com>
+
+commit 62d02fd1f807bf5a259a242c483c9fb98a242630 upstream.
+
+vfio_unpin_pages will hold a read semaphore however it is already hold
+in the same thread by vfio ioctl. It will cause below warning:
+
+[ 5102.127454] ============================================
+[ 5102.133379] WARNING: possible recursive locking detected
+[ 5102.139304] 4.12.0-rc4+ #3 Not tainted
+[ 5102.143483] --------------------------------------------
+[ 5102.149407] qemu-system-x86/1620 is trying to acquire lock:
+[ 5102.155624]  (&container->group_lock){++++++}, at: [<ffffffff817768c6>] vfio_unpin_pages+0x96/0xf0
+[ 5102.165626]
+but task is already holding lock:
+[ 5102.172134]  (&container->group_lock){++++++}, at: [<ffffffff8177728f>] vfio_fops_unl_ioctl+0x5f/0x280
+[ 5102.182522]
+other info that might help us debug this:
+[ 5102.189806]  Possible unsafe locking scenario:
+
+[ 5102.196411]        CPU0
+[ 5102.199136]        ----
+[ 5102.201861]   lock(&container->group_lock);
+[ 5102.206527]   lock(&container->group_lock);
+[ 5102.211191]
+---
+ drivers/gpu/drm/i915/gvt/gvt.h   |    3 ++
+ drivers/gpu/drm/i915/gvt/kvmgt.c |   55 +++++++++++++++++++++++++++++++--------
+ 2 files changed, 48 insertions(+), 10 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gvt/gvt.h
++++ b/drivers/gpu/drm/i915/gvt/gvt.h
+@@ -183,6 +183,9 @@ struct intel_vgpu {
+               struct kvm *kvm;
+               struct work_struct release_work;
+               atomic_t released;
++              struct work_struct unpin_work;
++              spinlock_t unpin_lock; /* To protect unpin_list */
++              struct list_head unpin_list;
+       } vdev;
+ #endif
+ };
+--- a/drivers/gpu/drm/i915/gvt/kvmgt.c
++++ b/drivers/gpu/drm/i915/gvt/kvmgt.c
+@@ -78,6 +78,7 @@ struct gvt_dma {
+       struct rb_node node;
+       gfn_t gfn;
+       unsigned long iova;
++      struct list_head list;
+ };
+ static inline bool handle_valid(unsigned long handle)
+@@ -166,6 +167,7 @@ static void gvt_cache_add(struct intel_v
+       new->gfn = gfn;
+       new->iova = iova;
++      INIT_LIST_HEAD(&new->list);
+       mutex_lock(&vgpu->vdev.cache_lock);
+       while (*link) {
+@@ -197,26 +199,52 @@ static void __gvt_cache_remove_entry(str
+       kfree(entry);
+ }
+-static void gvt_cache_remove(struct intel_vgpu *vgpu, gfn_t gfn)
++static void intel_vgpu_unpin_work(struct work_struct *work)
+ {
++      struct intel_vgpu *vgpu = container_of(work, struct intel_vgpu,
++                                             vdev.unpin_work);
+       struct device *dev = mdev_dev(vgpu->vdev.mdev);
+       struct gvt_dma *this;
+-      unsigned long g1;
+-      int rc;
++      unsigned long gfn;
++
++      for (;;) {
++              spin_lock(&vgpu->vdev.unpin_lock);
++              if (list_empty(&vgpu->vdev.unpin_list)) {
++                      spin_unlock(&vgpu->vdev.unpin_lock);
++                      break;
++              }
++              this = list_first_entry(&vgpu->vdev.unpin_list,
++                                      struct gvt_dma, list);
++              list_del(&this->list);
++              spin_unlock(&vgpu->vdev.unpin_lock);
++
++              gfn = this->gfn;
++              vfio_unpin_pages(dev, &gfn, 1);
++              kfree(this);
++      }
++}
++
++static bool gvt_cache_mark_remove(struct intel_vgpu *vgpu, gfn_t gfn)
++{
++      struct gvt_dma *this;
+       mutex_lock(&vgpu->vdev.cache_lock);
+       this  = __gvt_cache_find(vgpu, gfn);
+       if (!this) {
+               mutex_unlock(&vgpu->vdev.cache_lock);
+-              return;
++              return false;
+       }
+-
+-      g1 = gfn;
+       gvt_dma_unmap_iova(vgpu, this->iova);
+-      rc = vfio_unpin_pages(dev, &g1, 1);
+-      WARN_ON(rc != 1);
+-      __gvt_cache_remove_entry(vgpu, this);
++      /* remove this from rb tree */
++      rb_erase(&this->node, &vgpu->vdev.cache);
+       mutex_unlock(&vgpu->vdev.cache_lock);
++
++      /* put this to the unpin_list */
++      spin_lock(&vgpu->vdev.unpin_lock);
++      list_move_tail(&this->list, &vgpu->vdev.unpin_list);
++      spin_unlock(&vgpu->vdev.unpin_lock);
++
++      return true;
+ }
+ static void gvt_cache_init(struct intel_vgpu *vgpu)
+@@ -453,6 +481,9 @@ static int intel_vgpu_create(struct kobj
+       }
+       INIT_WORK(&vgpu->vdev.release_work, intel_vgpu_release_work);
++      INIT_WORK(&vgpu->vdev.unpin_work, intel_vgpu_unpin_work);
++      spin_lock_init(&vgpu->vdev.unpin_lock);
++      INIT_LIST_HEAD(&vgpu->vdev.unpin_list);
+       vgpu->vdev.mdev = mdev;
+       mdev_set_drvdata(mdev, vgpu);
+@@ -482,6 +513,7 @@ static int intel_vgpu_iommu_notifier(str
+       struct intel_vgpu *vgpu = container_of(nb,
+                                       struct intel_vgpu,
+                                       vdev.iommu_notifier);
++      bool sched_unmap = false;
+       if (action == VFIO_IOMMU_NOTIFY_DMA_UNMAP) {
+               struct vfio_iommu_type1_dma_unmap *unmap = data;
+@@ -491,7 +523,10 @@ static int intel_vgpu_iommu_notifier(str
+               end_gfn = gfn + unmap->size / PAGE_SIZE;
+               while (gfn < end_gfn)
+-                      gvt_cache_remove(vgpu, gfn++);
++                      sched_unmap |= gvt_cache_mark_remove(vgpu, gfn++);
++
++              if (sched_unmap)
++                      schedule_work(&vgpu->vdev.unpin_work);
+       }
+       return NOTIFY_OK;
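Review bot: Nothing in these hunks flushes or cancels vdev.unpin_work before the vgpu is torn down, so an entry queued on unpin_list by gvt_cache_mark_remove could still be processed after release_work has run; verify that the release path calls cancel_work_sync() or flush_work() on it, or drains unpin_list, before the vgpu is freed. The new worker also drops the `WARN_ON(rc != 1)` that the old gvt_cache_remove placed on vfio_unpin_pages(), so a failed unpin is now silent. Deferring the unpin means the pages remain pinned after the notifier returns NOTIFY_OK for the DMA_UNMAP; that window is presumably accepted, but deserves a comment on the schedule_work() call. The functions touched by the intel_vgpu_create and intel_vgpu_iommu_notifier hunks begin outside them.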
diff --git a/queue-4.12/drm-i915-make-dp-mst-connector-info-work.patch b/queue-4.12/drm-i915-make-dp-mst-connector-info-work.patch
new file mode 100644 (file)
index 0000000..f75fcc8
--- /dev/null
@@ -0,0 +1,40 @@
+From 50740024bc393b608f7e391ac35e70f33938dd24 Mon Sep 17 00:00:00 2001
+From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Date: Mon, 26 Jun 2017 10:33:49 +0200
+Subject: drm/i915: Make DP-MST connector info work
+
+From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+
+commit 50740024bc393b608f7e391ac35e70f33938dd24 upstream.
+
+Commit 9a148a96fc3a ("drm/i915/debugfs: add dp mst info") adds support
+for DP-MST to intel_connector_info, but forgot to remove the early
+return for DP-MST.
+
+Remove it, and print out MST connectors directly.
+
+Fixes: 9a148a96fc3a ("drm/i915/debugfs: add dp mst info")
+Cc: Dhinakaran Pandiyan <dhinakaran.pandiyan@intel.com>
+Cc: Libin Yang <libin.yang@intel.com>
+Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20170626083349.24389-1-maarten.lankhorst@linux.intel.com
+Reviewed-by: Dhinakaran Pandiyan <dhinakaran.pandiyan@intel.com>
+(cherry picked from commit 77d1f615c78a73a04254fa2bff07ee9fa27145d9)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_debugfs.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/i915_debugfs.c
++++ b/drivers/gpu/drm/i915/i915_debugfs.c
+@@ -3018,7 +3018,7 @@ static void intel_connector_info(struct
+                          connector->display_info.cea_rev);
+       }
+-      if (!intel_encoder || intel_encoder->type == INTEL_OUTPUT_DP_MST)
++      if (!intel_encoder)
+               return;
+       switch (connector->connector_type) {
diff --git a/queue-4.12/drm-mst-avoid-dereferencing-a-null-mstb-in-drm_dp_mst_handle_up_req.patch b/queue-4.12/drm-mst-avoid-dereferencing-a-null-mstb-in-drm_dp_mst_handle_up_req.patch
new file mode 100644 (file)
index 0000000..e824a80
--- /dev/null
@@ -0,0 +1,38 @@
+From 7f8b3987da54cb4d41ad2545cd4d7958b9a36bdf Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Wed, 19 Jul 2017 14:43:29 +0300
+Subject: drm/mst: Avoid dereferencing a NULL mstb in drm_dp_mst_handle_up_req()
+
+From: Imre Deak <imre.deak@intel.com>
+
+commit 7f8b3987da54cb4d41ad2545cd4d7958b9a36bdf upstream.
+
+In case of an unknown broadcast message is sent mstb will remain unset,
+so check for this.
+
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Lyude <lyude@redhat.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Reviewed-by: Lyude <lyude@redhat.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20170719114330.26540-3-imre.deak@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_dp_mst_topology.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
+@@ -2324,7 +2324,9 @@ static int drm_dp_mst_handle_up_req(stru
+                       DRM_DEBUG_KMS("Got RSN: pn: %d avail_pbn %d\n", msg.u.resource_stat.port_number, msg.u.resource_stat.available_pbn);
+               }
+-              drm_dp_put_mst_branch_device(mstb);
++              if (mstb)
++                      drm_dp_put_mst_branch_device(mstb);
++
+               memset(&mgr->up_req_recv, 0, sizeof(struct drm_dp_sideband_msg_rx));
+       }
+       return ret;
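Review bot: The `if (mstb)` guard removes the NULL dereference, but an up request whose req_type is neither of the dispatched notify types now reaches this point silently: nothing in the hunk logs or NAKs it, so a branch device sending an unsupported or malformed request (sideband data is sink-controlled input arriving over AUX) leaves no trace. If the dispatch chain above, which starts outside the hunk, has no fallback of its own, an `else DRM_DEBUG_KMS("unhandled up req type %d\n", msg.req_type);` on that path would make such devices diagnosable. The commit message names the broadcast case, but the non-broadcast lookup that initialises mstb is also outside the hunk and may presumably return NULL for an unknown sender; the guard covers either origin, which is worth stating in a comment on the `if (mstb)` line.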
diff --git a/queue-4.12/drm-mst-avoid-processing-partially-received-up-down-message-transactions.patch b/queue-4.12/drm-mst-avoid-processing-partially-received-up-down-message-transactions.patch
new file mode 100644 (file)
index 0000000..2e83b09
--- /dev/null
@@ -0,0 +1,129 @@
+From 636c4c3e762b62aa93632c645ca65879285b16e3 Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Wed, 19 Jul 2017 16:46:32 +0300
+Subject: drm/mst: Avoid processing partially received up/down message transactions
+
+From: Imre Deak <imre.deak@intel.com>
+
+commit 636c4c3e762b62aa93632c645ca65879285b16e3 upstream.
+
+Currently we may process up/down message transactions containing
+uninitialized data. This can happen if there was an error during the
+reception of any message in the transaction, but we happened to receive
+the last message correctly with the end-of-message flag set.
+
+To avoid this abort the reception of the transaction when the first
+error is detected, rejecting any messages until a message with the
+start-of-message flag is received (which will start a new transaction).
+This is also what the DP 1.4 spec 2.11.8.2 calls for in this case.
+
+In addtion this also prevents receiving bogus transactions without the
+first message with the the start-of-message flag set.
+
+v2:
+- unchanged
+v3:
+- git add the part that actually skips messages after an error in
+  drm_dp_sideband_msg_build()
+
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Lyude <lyude@redhat.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Reviewed-by: Lyude <lyude@redhat.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20170719134632.13366-1-imre.deak@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_dp_mst_topology.c |   31 ++++++++++++++++++++++++-------
+ 1 file changed, 24 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
+@@ -330,6 +330,13 @@ static bool drm_dp_sideband_msg_build(st
+                       return false;
+               }
++              /*
++               * ignore out-of-order messages or messages that are part of a
++               * failed transaction
++               */
++              if (!recv_hdr.somt && !msg->have_somt)
++                      return false;
++
+               /* get length contained in this portion */
+               msg->curchunk_len = recv_hdr.msg_len;
+               msg->curchunk_hdrlen = hdrlen;
+@@ -2164,7 +2171,7 @@ out_unlock:
+ }
+ EXPORT_SYMBOL(drm_dp_mst_topology_mgr_resume);
+-static void drm_dp_get_one_sb_msg(struct drm_dp_mst_topology_mgr *mgr, bool up)
++static bool drm_dp_get_one_sb_msg(struct drm_dp_mst_topology_mgr *mgr, bool up)
+ {
+       int len;
+       u8 replyblock[32];
+@@ -2179,12 +2186,12 @@ static void drm_dp_get_one_sb_msg(struct
+                              replyblock, len);
+       if (ret != len) {
+               DRM_DEBUG_KMS("failed to read DPCD down rep %d %d\n", len, ret);
+-              return;
++              return false;
+       }
+       ret = drm_dp_sideband_msg_build(msg, replyblock, len, true);
+       if (!ret) {
+               DRM_DEBUG_KMS("sideband msg build failed %d\n", replyblock[0]);
+-              return;
++              return false;
+       }
+       replylen = msg->curchunk_len + msg->curchunk_hdrlen;
+@@ -2198,25 +2205,30 @@ static void drm_dp_get_one_sb_msg(struct
+               if (ret != len) {
+                       DRM_DEBUG_KMS("failed to read a chunk (len %d, ret %d)\n",
+                                     len, ret);
+-                      return;
++                      return false;
+               }
+               ret = drm_dp_sideband_msg_build(msg, replyblock, len, false);
+               if (!ret) {
+                       DRM_DEBUG_KMS("failed to build sideband msg\n");
+-                      return;
++                      return false;
+               }
+               curreply += len;
+               replylen -= len;
+       }
++      return true;
+ }
+ static int drm_dp_mst_handle_down_rep(struct drm_dp_mst_topology_mgr *mgr)
+ {
+       int ret = 0;
+-      drm_dp_get_one_sb_msg(mgr, false);
++      if (!drm_dp_get_one_sb_msg(mgr, false)) {
++              memset(&mgr->down_rep_recv, 0,
++                     sizeof(struct drm_dp_sideband_msg_rx));
++              return 0;
++      }
+       if (mgr->down_rep_recv.have_eomt) {
+               struct drm_dp_sideband_msg_tx *txmsg;
+@@ -2272,7 +2284,12 @@ static int drm_dp_mst_handle_down_rep(st
+ static int drm_dp_mst_handle_up_req(struct drm_dp_mst_topology_mgr *mgr)
+ {
+       int ret = 0;
+-      drm_dp_get_one_sb_msg(mgr, true);
++
++      if (!drm_dp_get_one_sb_msg(mgr, true)) {
++              memset(&mgr->up_req_recv, 0,
++                     sizeof(struct drm_dp_sideband_msg_rx));
++              return 0;
++      }
+       if (mgr->up_req_recv.have_eomt) {
+               struct drm_dp_sideband_msg_req_body msg;
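Review bot: The receive-state reset after a failed read is duplicated in both callers (`memset(&mgr->down_rep_recv, …)` in drm_dp_mst_handle_down_rep() and `memset(&mgr->up_req_recv, …)` in drm_dp_mst_handle_up_req()), although drm_dp_get_one_sb_msg() already holds the `msg` pointer to the very same buffer and is the function that knows a transaction just failed. Replacing each `return false;` in drm_dp_get_one_sb_msg() with `goto fail;` and adding `fail: memset(msg, 0, sizeof(*msg)); return false;` before its closing brace keeps the "abort until the next SOMT" rule in one place, so a future exit path cannot forget it, and lets both callers shrink to `if (!drm_dp_get_one_sb_msg(mgr, …)) return 0;`. The new `!recv_hdr.somt && !msg->have_somt` rejection is the right spec-driven check; note that this state machine parses sink-controlled bytes, so the header-derived lengths consumed further down in drm_dp_sideband_msg_build() (outside the hunk) deserve the same untrusted-input scrutiny. Both handler bodies continue outside the hunk.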
diff --git a/queue-4.12/drm-mst-fix-error-handling-during-mst-sideband-message-reception.patch b/queue-4.12/drm-mst-fix-error-handling-during-mst-sideband-message-reception.patch
new file mode 100644 (file)
index 0000000..dff9b1c
--- /dev/null
@@ -0,0 +1,48 @@
+From 448421b5e93b9177c5698f0cf6f5e72d2995eeca Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Wed, 19 Jul 2017 14:43:28 +0300
+Subject: drm/mst: Fix error handling during MST sideband message reception
+
+From: Imre Deak <imre.deak@intel.com>
+
+commit 448421b5e93b9177c5698f0cf6f5e72d2995eeca upstream.
+
+Handle any error due to partial reads, timeouts etc. to avoid parsing
+uninitialized data subsequently. Also bail out if the parsing itself
+fails.
+
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Lyude <lyude@redhat.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Reviewed-by: Lyude <lyude@redhat.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20170719114330.26540-2-imre.deak@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_dp_mst_topology.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
+@@ -2196,11 +2196,17 @@ static void drm_dp_get_one_sb_msg(struct
+               ret = drm_dp_dpcd_read(mgr->aux, basereg + curreply,
+                                   replyblock, len);
+               if (ret != len) {
+-                      DRM_DEBUG_KMS("failed to read a chunk\n");
++                      DRM_DEBUG_KMS("failed to read a chunk (len %d, ret %d)\n",
++                                    len, ret);
++                      return;
+               }
++
+               ret = drm_dp_sideband_msg_build(msg, replyblock, len, false);
+-              if (ret == false)
++              if (!ret) {
+                       DRM_DEBUG_KMS("failed to build sideband msg\n");
++                      return;
++              }
++
+               curreply += len;
+               replylen -= len;
+       }
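Review bot: After the new early `return`s drm_dp_get_one_sb_msg() still reports nothing to its caller (the function is void), so a reply whose later chunk failed to read leaves mgr->down_rep_recv / up_req_recv holding have_somt and possibly have_eomt from the partial data, and the callers, outside the hunk, key on have_eomt. On its own this patch therefore only shortens the window; it is safe in stable only together with the "Avoid processing partially received up/down message transactions" backport queued in the same batch, which turns the return type into bool and resets the receive state. The two should not be split when cherry-picking, and a note to that effect in the stable patch header would help anyone backporting further.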
diff --git a/queue-4.12/ftrace-fix-uninitialized-variable-in-match_records.patch b/queue-4.12/ftrace-fix-uninitialized-variable-in-match_records.patch
new file mode 100644 (file)
index 0000000..88ba258
--- /dev/null
@@ -0,0 +1,38 @@
+From 2e028c4fe12907f226b8221815f16c2486ad3aa7 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 12 Jul 2017 10:35:57 +0300
+Subject: ftrace: Fix uninitialized variable in match_records()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 2e028c4fe12907f226b8221815f16c2486ad3aa7 upstream.
+
+My static checker complains that if "func" is NULL then "clear_filter"
+is uninitialized.  This seems like it could be true, although it's
+possible something subtle is happening that I haven't seen.
+
+    kernel/trace/ftrace.c:3844 match_records()
+    error: uninitialized symbol 'clear_filter'.
+
+Link: http://lkml.kernel.org/r/20170712073556.h6tkpjcdzjaozozs@mwanda
+
+Fixes: f0a3b154bd7 ("ftrace: Clarify code for mod command")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ftrace.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -3665,7 +3665,7 @@ match_records(struct ftrace_hash *hash,
+       int exclude_mod = 0;
+       int found = 0;
+       int ret;
+-      int clear_filter;
++      int clear_filter = 0;
+       if (func) {
+               func_g.type = filter_parse_regex(func, len, &func_g.search,
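Review bot: `int clear_filter = 0;` cures the uninitialized read, but the choice of default is undocumented: filter_parse_regex() only sets the flag inside the `if (func)` branch just below, so for a NULL `func` the value 0 is what decides whether matched records are added to or removed from the hash where it is consumed, presumably as "add", further down outside the hunk. A trailing comment makes that deliberate rather than a warning-silencer: `int clear_filter = 0;	/* only set by filter_parse_regex() when func != NULL; 0 = add, not clear */`. match_records() starts and ends outside the hunk.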
diff --git a/queue-4.12/hfsplus-don-t-clear-sgid-when-inheriting-acls.patch b/queue-4.12/hfsplus-don-t-clear-sgid-when-inheriting-acls.patch
new file mode 100644 (file)
index 0000000..ea72950
--- /dev/null
@@ -0,0 +1,93 @@
+From 84969465ddc4f8aeb3b993123b571aa01c5f2683 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 21 Jun 2017 15:02:47 +0200
+Subject: hfsplus: Don't clear SGID when inheriting ACLs
+
+From: Jan Kara <jack@suse.cz>
+
+commit 84969465ddc4f8aeb3b993123b571aa01c5f2683 upstream.
+
+When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
+set, DIR1 is expected to have SGID bit set (and owning group equal to
+the owning group of 'DIR0'). However when 'DIR0' also has some default
+ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
+'DIR1' to get cleared if user is not member of the owning group.
+
+Fix the problem by creating __hfsplus_set_posix_acl() function that does
+not call posix_acl_update_mode() and use it when inheriting ACLs. That
+prevents SGID bit clearing and the mode has been properly set by
+posix_acl_create() anyway.
+
+Fixes: 073931017b49d9458aa351605b43a7e34598caef
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/hfsplus/posix_acl.c |   30 ++++++++++++++++++------------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+--- a/fs/hfsplus/posix_acl.c
++++ b/fs/hfsplus/posix_acl.c
+@@ -51,8 +51,8 @@ struct posix_acl *hfsplus_get_posix_acl(
+       return acl;
+ }
+-int hfsplus_set_posix_acl(struct inode *inode, struct posix_acl *acl,
+-              int type)
++static int __hfsplus_set_posix_acl(struct inode *inode, struct posix_acl *acl,
++                                 int type)
+ {
+       int err;
+       char *xattr_name;
+@@ -64,12 +64,6 @@ int hfsplus_set_posix_acl(struct inode *
+       switch (type) {
+       case ACL_TYPE_ACCESS:
+               xattr_name = XATTR_NAME_POSIX_ACL_ACCESS;
+-              if (acl) {
+-                      err = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+-                      if (err)
+-                              return err;
+-              }
+-              err = 0;
+               break;
+       case ACL_TYPE_DEFAULT:
+@@ -105,6 +99,18 @@ end_set_acl:
+       return err;
+ }
++int hfsplus_set_posix_acl(struct inode *inode, struct posix_acl *acl, int type)
++{
++      int err;
++
++      if (type == ACL_TYPE_ACCESS && acl) {
++              err = posix_acl_update_mode(inode, &inode->i_mode, &acl);
++              if (err)
++                      return err;
++      }
++      return __hfsplus_set_posix_acl(inode, acl, type);
++}
++
+ int hfsplus_init_posix_acl(struct inode *inode, struct inode *dir)
+ {
+       int err = 0;
+@@ -122,15 +128,15 @@ int hfsplus_init_posix_acl(struct inode
+               return err;
+       if (default_acl) {
+-              err = hfsplus_set_posix_acl(inode, default_acl,
+-                                          ACL_TYPE_DEFAULT);
++              err = __hfsplus_set_posix_acl(inode, default_acl,
++                                            ACL_TYPE_DEFAULT);
+               posix_acl_release(default_acl);
+       }
+       if (acl) {
+               if (!err)
+-                      err = hfsplus_set_posix_acl(inode, acl,
+-                                                  ACL_TYPE_ACCESS);
++                      err = __hfsplus_set_posix_acl(inode, acl,
++                                                    ACL_TYPE_ACCESS);
+               posix_acl_release(acl);
+       }
+       return err;
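Review bot: __hfsplus_set_posix_acl() deliberately skips posix_acl_update_mode(), which is the step that checks the caller's right to set the mode and clears SGID for non-members, so the static helper is only safe on the inode-creation path where posix_acl_create() has already produced a trustworthy i_mode, yet nothing in the code says so. A header comment on the helper keeps a future caller from reaching for it as a shortcut: `/* Write the ACL xattr without touching i_mode. Only for inherited ACLs from hfsplus_init_posix_acl(), where posix_acl_create() already set the mode; every other caller must use hfsplus_set_posix_acl(). */`. The public hfsplus_set_posix_acl() retains the same observable behaviour as before for ACL_TYPE_ACCESS, including posix_acl_update_mode() possibly dropping `acl` to NULL, which then removes the xattr; that is unchanged and correct.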
diff --git a/queue-4.12/ib-core-namespace-is-mandatory-input-for-address-resolution.patch b/queue-4.12/ib-core-namespace-is-mandatory-input-for-address-resolution.patch
new file mode 100644 (file)
index 0000000..c7415db
--- /dev/null
@@ -0,0 +1,45 @@
+From bebb2a473a43c8f84a8210687d1cbdde503046d7 Mon Sep 17 00:00:00 2001
+From: Moni Shoua <monis@mellanox.com>
+Date: Tue, 23 May 2017 10:48:44 +0300
+Subject: IB/core: Namespace is mandatory input for address resolution
+
+From: Moni Shoua <monis@mellanox.com>
+
+commit bebb2a473a43c8f84a8210687d1cbdde503046d7 upstream.
+
+In function addr_resolve() the namespace is a required input parameter
+and not an output. It is passed later for searching the routing table
+and device addresses. Also, it shouldn't be copied back to the caller.
+
+Fixes: 565edd1d5555 ('IB/addr: Pass network namespace as a parameter')
+Signed-off-by: Moni Shoua <monis@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/addr.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/addr.c
++++ b/drivers/infiniband/core/addr.c
+@@ -510,6 +510,11 @@ static int addr_resolve(struct sockaddr
+       struct dst_entry *dst;
+       int ret;
++      if (!addr->net) {
++              pr_warn_ratelimited("%s: missing namespace\n", __func__);
++              return -EINVAL;
++      }
++
+       if (src_in->sa_family == AF_INET) {
+               struct rtable *rt = NULL;
+               const struct sockaddr_in *dst_in4 =
+@@ -547,7 +552,6 @@ static int addr_resolve(struct sockaddr
+       }
+       addr->bound_dev_if = ndev->ifindex;
+-      addr->net = dev_net(ndev);
+       dev_put(ndev);
+       return ret;
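Review bot: The contract the patch establishes is carried only by the warning string; the more consequential change, dropping `addr->net = dev_net(ndev)` at the end, is what stops a resolution from silently replacing the caller's namespace with the device's for whatever is done with `addr` afterwards, and that deserves a comment at the check so it is not reintroduced: `/* addr->net is input only: it selects the routing-table and device lookups and must never be overwritten with dev_net(ndev) */`. Since a NULL namespace is a kernel-caller bug rather than external input, `WARN_ON_ONCE(!addr->net)` would also be defensible, though the ratelimited pr_warn is the safer choice under panic_on_warn. addr_resolve() starts and ends outside the hunk.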
diff --git a/queue-4.12/ib-iser-fix-connection-teardown-race-condition.patch b/queue-4.12/ib-iser-fix-connection-teardown-race-condition.patch
new file mode 100644 (file)
index 0000000..b1a960e
--- /dev/null
@@ -0,0 +1,98 @@
+From c8c16d3bae967f1c7af541e8d016e5c51e4f010a Mon Sep 17 00:00:00 2001
+From: Vladimir Neyelov <vladimirn@mellanox.com>
+Date: Sun, 21 May 2017 19:17:31 +0300
+Subject: IB/iser: Fix connection teardown race condition
+
+From: Vladimir Neyelov <vladimirn@mellanox.com>
+
+commit c8c16d3bae967f1c7af541e8d016e5c51e4f010a upstream.
+
+Under heavy iser target(scst) start/stop stress during login/logout
+on iser intitiator side happened trace call provided below.
+
+The function iscsi_iser_slave_alloc iser_conn pointer could be NULL,
+due to the fact that function iscsi_iser_conn_stop can be called before
+and free iser connection. Let's protect that flow by introducing global mutex.
+
+BUG: unable to handle kernel paging request at 0000000000001018
+IP: [<ffffffffc0426f7e>] iscsi_iser_slave_alloc+0x1e/0x50 [ib_iser]
+Call Trace:
+? scsi_alloc_sdev+0x242/0x300
+scsi_probe_and_add_lun+0x9e1/0xea0
+? kfree_const+0x21/0x30
+? kobject_set_name_vargs+0x76/0x90
+? __pm_runtime_resume+0x5b/0x70
+__scsi_scan_target+0xf6/0x250
+scsi_scan_target+0xea/0x100
+iscsi_user_scan_session.part.13+0x101/0x130 [scsi_transport_iscsi]
+? iscsi_user_scan_session.part.13+0x130/0x130 [scsi_transport_iscsi]
+iscsi_user_scan_session+0x1e/0x30 [scsi_transport_iscsi]
+device_for_each_child+0x50/0x90
+iscsi_user_scan+0x44/0x60 [scsi_transport_iscsi]
+store_scan+0xa8/0x100
+? common_file_perm+0x5d/0x1c0
+dev_attr_store+0x18/0x30
+sysfs_kf_write+0x37/0x40
+kernfs_fop_write+0x12c/0x1c0
+__vfs_write+0x18/0x40
+vfs_write+0xb5/0x1a0
+SyS_write+0x55/0xc0
+
+Fixes: 318d311e8f01 ("iser: Accept arbitrary sg lists mapping if the device supports it")
+Signed-off-by: Vladimir Neyelov <vladimirn@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Reviewed-by: Sagi Grimberg <sagi@grimbeg.me>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/iser/iscsi_iser.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/infiniband/ulp/iser/iscsi_iser.c
++++ b/drivers/infiniband/ulp/iser/iscsi_iser.c
+@@ -83,6 +83,7 @@ static struct scsi_host_template iscsi_i
+ static struct iscsi_transport iscsi_iser_transport;
+ static struct scsi_transport_template *iscsi_iser_scsi_transport;
+ static struct workqueue_struct *release_wq;
++static DEFINE_MUTEX(unbind_iser_conn_mutex);
+ struct iser_global ig;
+ int iser_debug_level = 0;
+@@ -550,12 +551,14 @@ iscsi_iser_conn_stop(struct iscsi_cls_co
+        */
+       if (iser_conn) {
+               mutex_lock(&iser_conn->state_mutex);
++              mutex_lock(&unbind_iser_conn_mutex);
+               iser_conn_terminate(iser_conn);
+               iscsi_conn_stop(cls_conn, flag);
+               /* unbind */
+               iser_conn->iscsi_conn = NULL;
+               conn->dd_data = NULL;
++              mutex_unlock(&unbind_iser_conn_mutex);
+               complete(&iser_conn->stop_completion);
+               mutex_unlock(&iser_conn->state_mutex);
+@@ -977,13 +980,21 @@ static int iscsi_iser_slave_alloc(struct
+       struct iser_conn *iser_conn;
+       struct ib_device *ib_dev;
++      mutex_lock(&unbind_iser_conn_mutex);
++
+       session = starget_to_session(scsi_target(sdev))->dd_data;
+       iser_conn = session->leadconn->dd_data;
++      if (!iser_conn) {
++              mutex_unlock(&unbind_iser_conn_mutex);
++              return -ENOTCONN;
++      }
+       ib_dev = iser_conn->ib_conn.device->ib_device;
+       if (!(ib_dev->attrs.device_cap_flags & IB_DEVICE_SG_GAPS_REG))
+               blk_queue_virt_boundary(sdev->request_queue, ~MASK_4K);
++      mutex_unlock(&unbind_iser_conn_mutex);
++
+       return 0;
+ }
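Review bot: `unbind_iser_conn_mutex` is one global lock that iscsi_iser_conn_stop() now holds across iser_conn_terminate() and iscsi_conn_stop(), so a SCSI slave_alloc on any iSER session waits for any other session's teardown; if those two calls do not release ib_conn.device (not verifiable from the hunk), the critical section could shrink to the two unbind stores, which is all that iscsi_iser_slave_alloc() needs to be serialized against. Whatever scope is kept, the lock's purpose and its nesting inside iser_conn->state_mutex are undocumented; a comment at the definition would help: `/* Serializes unbinding iser_conn from the iscsi_conn (conn_stop) against iscsi_iser_slave_alloc() reading it; always taken inside iser_conn->state_mutex. */`. `session->leadconn` is dereferenced without a check in slave_alloc; whether it can be NULL there is not visible in the hunk.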
diff --git a/queue-4.12/input-i8042-fix-crash-at-boot-time.patch b/queue-4.12/input-i8042-fix-crash-at-boot-time.patch
new file mode 100644 (file)
index 0000000..e1a2341
--- /dev/null
@@ -0,0 +1,121 @@
+From 340d394a789518018f834ff70f7534fc463d3226 Mon Sep 17 00:00:00 2001
+From: Chen Hong <chenhong3@huawei.com>
+Date: Sun, 2 Jul 2017 15:11:10 -0700
+Subject: Input: i8042 - fix crash at boot time
+
+From: Chen Hong <chenhong3@huawei.com>
+
+commit 340d394a789518018f834ff70f7534fc463d3226 upstream.
+
+The driver checks port->exists twice in i8042_interrupt(), first when
+trying to assign temporary "serio" variable, and second time when deciding
+whether it should call serio_interrupt(). The value of port->exists may
+change between the 2 checks, and we may end up calling serio_interrupt()
+with a NULL pointer:
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
+IP: [<ffffffff8150feaf>] _spin_lock_irqsave+0x1f/0x40
+PGD 0
+Oops: 0002 [#1] SMP
+last sysfs file:
+CPU 0
+Modules linked in:
+
+Pid: 1, comm: swapper Not tainted 2.6.32-358.el6.x86_64 #1 QEMU Standard PC (i440FX + PIIX, 1996)
+RIP: 0010:[<ffffffff8150feaf>]  [<ffffffff8150feaf>] _spin_lock_irqsave+0x1f/0x40
+RSP: 0018:ffff880028203cc0  EFLAGS: 00010082
+RAX: 0000000000010000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: 0000000000000282 RSI: 0000000000000098 RDI: 0000000000000050
+RBP: ffff880028203cc0 R08: ffff88013e79c000 R09: ffff880028203ee0
+R10: 0000000000000298 R11: 0000000000000282 R12: 0000000000000050
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000098
+FS:  0000000000000000(0000) GS:ffff880028200000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
+CR2: 0000000000000050 CR3: 0000000001a85000 CR4: 00000000001407f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Process swapper (pid: 1, threadinfo ffff88013e79c000, task ffff88013e79b500)
+Stack:
+ffff880028203d00 ffffffff813de186 ffffffffffffff02 0000000000000000
+<d> 0000000000000000 0000000000000000 0000000000000000 0000000000000098
+<d> ffff880028203d70 ffffffff813e0162 ffff880028203d20 ffffffff8103b8ac
+Call Trace:
+<IRQ>
+ [<ffffffff813de186>] serio_interrupt+0x36/0xa0
+[<ffffffff813e0162>] i8042_interrupt+0x132/0x3a0
+[<ffffffff8103b8ac>] ? kvm_clock_read+0x1c/0x20
+[<ffffffff8103b8b9>] ? kvm_clock_get_cycles+0x9/0x10
+[<ffffffff810e1640>] handle_IRQ_event+0x60/0x170
+[<ffffffff8103b154>] ? kvm_guest_apic_eoi_write+0x44/0x50
+[<ffffffff810e3d8e>] handle_edge_irq+0xde/0x180
+[<ffffffff8100de89>] handle_irq+0x49/0xa0
+[<ffffffff81516c8c>] do_IRQ+0x6c/0xf0
+[<ffffffff8100b9d3>] ret_from_intr+0x0/0x11
+[<ffffffff81076f63>] ? __do_softirq+0x73/0x1e0
+[<ffffffff8109b75b>] ? hrtimer_interrupt+0x14b/0x260
+[<ffffffff8100c1cc>] ? call_softirq+0x1c/0x30
+[<ffffffff8100de05>] ? do_softirq+0x65/0xa0
+[<ffffffff81076d95>] ? irq_exit+0x85/0x90
+[<ffffffff81516d80>] ? smp_apic_timer_interrupt+0x70/0x9b
+[<ffffffff8100bb93>] ? apic_timer_interrupt+0x13/0x20
+
+To avoid the issue let's change the second check to test whether serio is
+NULL or not.
+
+Also, let's take i8042_lock in i8042_start() and i8042_stop() instead of
+trying to be overly smart and using memory barriers.
+
+Signed-off-by: Chen Hong <chenhong3@huawei.com>
+[dtor: take lock in i8042_start()/i8042_stop()]
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/serio/i8042.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/input/serio/i8042.c
++++ b/drivers/input/serio/i8042.c
+@@ -436,8 +436,10 @@ static int i8042_start(struct serio *ser
+ {
+       struct i8042_port *port = serio->port_data;
++      spin_lock_irq(&i8042_lock);
+       port->exists = true;
+-      mb();
++      spin_unlock_irq(&i8042_lock);
++
+       return 0;
+ }
+@@ -450,16 +452,20 @@ static void i8042_stop(struct serio *ser
+ {
+       struct i8042_port *port = serio->port_data;
++      spin_lock_irq(&i8042_lock);
+       port->exists = false;
++      port->serio = NULL;
++      spin_unlock_irq(&i8042_lock);
+       /*
++       * We need to make sure that interrupt handler finishes using
++       * our serio port before we return from this function.
+        * We synchronize with both AUX and KBD IRQs because there is
+        * a (very unlikely) chance that AUX IRQ is raised for KBD port
+        * and vice versa.
+        */
+       synchronize_irq(I8042_AUX_IRQ);
+       synchronize_irq(I8042_KBD_IRQ);
+-      port->serio = NULL;
+ }
+ /*
+@@ -576,7 +582,7 @@ static irqreturn_t i8042_interrupt(int i
+       spin_unlock_irqrestore(&i8042_lock, flags);
+-      if (likely(port->exists && !filtered))
++      if (likely(serio && !filtered))
+               serio_interrupt(serio, data, dfl);
+  out:
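Review bot: i8042_start() and i8042_stop() use spin_lock_irq()/spin_unlock_irq() rather than the irqsave variants, which re-enables interrupts unconditionally on unlock; that is correct only if the serio core always calls these in process context with interrupts enabled, an assumption the code does not state. A comment at the first lock records it: `/* Called by the serio core in process context with irqs enabled, so the plain _irq variant is sufficient. */`. In i8042_interrupt() the decision now keys on `serio`, which was taken under i8042_lock, so port->exists is no longer read there; any other reader of port->exists outside the lock (outside the hunk) would need the same treatment.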
diff --git a/queue-4.12/iommu-arm-smmu-plumb-in-new-acpi-identifiers.patch b/queue-4.12/iommu-arm-smmu-plumb-in-new-acpi-identifiers.patch
new file mode 100644 (file)
index 0000000..b11c7e7
--- /dev/null
@@ -0,0 +1,67 @@
+From 84c24379a783c514e5ff7c8fc8a21cf8d64fd05f Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Mon, 19 Jun 2017 16:41:56 +0100
+Subject: iommu/arm-smmu: Plumb in new ACPI identifiers
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+commit 84c24379a783c514e5ff7c8fc8a21cf8d64fd05f upstream.
+
+Revision C of IORT now allows us to identify ARM MMU-401 and the Cavium
+ThunderX implementation. Wire them up so that we can probe these models
+once firmware starts using the new codes in place of generic ones, and
+so that the appropriate features and quirks get enabled when we do.
+
+For the sake of backports and mitigating sychronisation problems with
+the ACPICA headers, we'll carry a backup copy of the new definitions
+locally for the short term to make life simpler.
+
+Acked-by: Robert Richter <rrichter@cavium.com>
+Tested-by: Robert Richter <rrichter@cavium.com>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/arm-smmu.c |   16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/iommu/arm-smmu.c
++++ b/drivers/iommu/arm-smmu.c
+@@ -312,6 +312,14 @@ enum arm_smmu_implementation {
+       CAVIUM_SMMUV2,
+ };
++/* Until ACPICA headers cover IORT rev. C */
++#ifndef ACPI_IORT_SMMU_CORELINK_MMU401
++#define ACPI_IORT_SMMU_CORELINK_MMU401        0x4
++#endif
++#ifndef ACPI_IORT_SMMU_CAVIUM_THUNDERX
++#define ACPI_IORT_SMMU_CAVIUM_THUNDERX        0x5
++#endif
++
+ struct arm_smmu_s2cr {
+       struct iommu_group              *group;
+       int                             count;
+@@ -2073,6 +2081,10 @@ static int acpi_smmu_get_data(u32 model,
+               smmu->version = ARM_SMMU_V1;
+               smmu->model = GENERIC_SMMU;
+               break;
++      case ACPI_IORT_SMMU_CORELINK_MMU401:
++              smmu->version = ARM_SMMU_V1_64K;
++              smmu->model = GENERIC_SMMU;
++              break;
+       case ACPI_IORT_SMMU_V2:
+               smmu->version = ARM_SMMU_V2;
+               smmu->model = GENERIC_SMMU;
+@@ -2081,6 +2093,10 @@ static int acpi_smmu_get_data(u32 model,
+               smmu->version = ARM_SMMU_V2;
+               smmu->model = ARM_MMU500;
+               break;
++      case ACPI_IORT_SMMU_CAVIUM_THUNDERX:
++              smmu->version = ARM_SMMU_V2;
++              smmu->model = CAVIUM_SMMUV2;
++              break;
+       default:
+               ret = -ENODEV;
+       }
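Review bot: The `model` that selects the new cases comes straight from the firmware IORT table, and the `default:` still returns -ENODEV silently, so firmware shipping a model code this stable kernel does not know fails to probe with no hint why; a `dev_err(smmu->dev, "unsupported IORT SMMU model %u\n", model);` in the default arm, assuming smmu->dev is populated by then (not visible here), would make that diagnosable. The `#ifndef` fallbacks are the right shape for a backport and are silently superseded once the ACPICA header defines the names, which is the intent; a short `/* TODO: drop once include/acpi/actbl2.h carries these */` would help the eventual cleanup. acpi_smmu_get_data() starts outside the hunk.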
diff --git a/queue-4.12/iser-target-avoid-isert_conn-cm_id-dereference-in-isert_login_recv_done.patch b/queue-4.12/iser-target-avoid-isert_conn-cm_id-dereference-in-isert_login_recv_done.patch
new file mode 100644 (file)
index 0000000..b053924
--- /dev/null
@@ -0,0 +1,52 @@
+From fce50a2fa4e9c6e103915c351b6d4a98661341d6 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Thu, 29 Jun 2017 22:21:31 -0700
+Subject: iser-target: Avoid isert_conn->cm_id dereference in isert_login_recv_done
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit fce50a2fa4e9c6e103915c351b6d4a98661341d6 upstream.
+
+This patch fixes a NULL pointer dereference in isert_login_recv_done()
+of isert_conn->cm_id due to isert_cma_handler() -> isert_connect_error()
+resetting isert_conn->cm_id = NULL during a failed login attempt.
+
+As per Sagi, we will always see the completion of all recv wrs posted
+on the qp (given that we assigned a ->done handler), this is a FLUSH
+error completion, we just don't get to verify that because we deref
+NULL before.
+
+The issue here, was the assumption that dereferencing the connection
+cm_id is always safe, which is not true since:
+
+    commit 4a579da2586bd3b79b025947ea24ede2bbfede62
+    Author: Sagi Grimberg <sagig@mellanox.com>
+    Date:   Sun Mar 29 15:52:04 2015 +0300
+
+         iser-target: Fix possible deadlock in RDMA_CM connection error
+
+As I see it, we have a direct reference to the isert_device from
+isert_conn which is the one-liner fix that we actually need like
+we do in isert_rdma_read_done() and isert_rdma_write_done().
+
+Reported-by: Andrea Righi <righi.andrea@gmail.com>
+Tested-by: Andrea Righi <righi.andrea@gmail.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -1452,7 +1452,7 @@ static void
+ isert_login_recv_done(struct ib_cq *cq, struct ib_wc *wc)
+ {
+       struct isert_conn *isert_conn = wc->qp->qp_context;
+-      struct ib_device *ib_dev = isert_conn->cm_id->device;
++      struct ib_device *ib_dev = isert_conn->device->ib_device;
+       if (unlikely(wc->status != IB_WC_SUCCESS)) {
+               isert_print_wc(wc, "login recv");
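Review bot: The fix relies on isert_conn->device staying valid for the lifetime of the QP while cm_id does not, and the line does not say why, so the next reader may "simplify" it back; a comment would prevent that: `/* cm_id may already be NULL after isert_connect_error(); device outlives the QP, so flush completions must use it */`. Whether isert_conn->device is guaranteed to be set before any recv WR can complete is not visible here; the commit message states it is a direct reference and that the other done handlers use it, so this is presumably safe. isert_login_recv_done() continues outside the hunk.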
diff --git a/queue-4.12/mips-actually-decode-jalx-in-__compute_return_epc_for_insn.patch b/queue-4.12/mips-actually-decode-jalx-in-__compute_return_epc_for_insn.patch
new file mode 100644 (file)
index 0000000..3515def
--- /dev/null
@@ -0,0 +1,36 @@
+From a9db101b735a9d49295326ae41f610f6da62b08c Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@imgtec.com>
+Date: Fri, 16 Jun 2017 00:06:19 +0100
+Subject: MIPS: Actually decode JALX in `__compute_return_epc_for_insn'
+
+From: Maciej W. Rozycki <macro@imgtec.com>
+
+commit a9db101b735a9d49295326ae41f610f6da62b08c upstream.
+
+Complement commit fb6883e5809c ("MIPS: microMIPS: Support handling of
+delay slots.") and actually decode the regular MIPS JALX major
+instruction opcode, the handling of which has been added with the said
+commit for EPC calculation in `__compute_return_epc_for_insn'.
+
+Fixes: fb6883e5809c ("MIPS: microMIPS: Support handling of delay slots.")
+Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16394/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/branch.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/mips/kernel/branch.c
++++ b/arch/mips/kernel/branch.c
+@@ -556,6 +556,7 @@ int __compute_return_epc_for_insn(struct
+       /*
+        * These are unconditional and in j_format.
+        */
++      case jalx_op:
+       case jal_op:
+               regs->regs[31] = regs->cp0_epc + 8;
+       case j_op:
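Review bot: The new `case jalx_op:` extends a three-way fallthrough (jalx → jal sets $31 → j_op) that carries no annotation between `regs->regs[31] = regs->cp0_epc + 8;` and `case j_op:`, so readers cannot tell that sharing the j_op target computation is deliberate; add `/* fall through */` after the `regs->regs[31]` assignment. Since JALX also toggles the ISA mode, the j_op arm (outside the hunk) presumably performs that via the opcode check the Fixes commit added; a brief comment on the jalx line saying so would tie the two together. __compute_return_epc_for_insn() starts and ends outside the hunk.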
diff --git a/queue-4.12/mips-fix-a-typo-s-preset-present-in-r2-to-r6-emulation-error-message.patch b/queue-4.12/mips-fix-a-typo-s-preset-present-in-r2-to-r6-emulation-error-message.patch
new file mode 100644 (file)
index 0000000..a0dc817
--- /dev/null
@@ -0,0 +1,34 @@
+From 27fe2200dad2de8207a694024a7b9037dff1b280 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@imgtec.com>
+Date: Fri, 16 Jun 2017 00:15:22 +0100
+Subject: MIPS: Fix a typo: s/preset/present/ in r2-to-r6 emulation error message
+
+From: Maciej W. Rozycki <macro@imgtec.com>
+
+commit 27fe2200dad2de8207a694024a7b9037dff1b280 upstream.
+
+This is a user-visible message, so we want it to be spelled correctly.
+
+Fixes: 5f9f41c474be ("MIPS: kernel: Prepare the JR instruction for emulation on MIPS R6")
+Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16400/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/branch.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/branch.c
++++ b/arch/mips/kernel/branch.c
+@@ -823,7 +823,7 @@ sigill_dsp:
+       force_sig(SIGILL, current);
+       return -EFAULT;
+ sigill_r2r6:
+-      pr_info("%s: R2 branch but r2-to-r6 emulator is not preset - sending SIGILL.\n",
++      pr_info("%s: R2 branch but r2-to-r6 emulator is not present - sending SIGILL.\n",
+               current->comm);
+       force_sig(SIGILL, current);
+       return -EFAULT;
diff --git a/queue-4.12/mips-fix-mips-i-isa-proc-cpuinfo-reporting.patch b/queue-4.12/mips-fix-mips-i-isa-proc-cpuinfo-reporting.patch
new file mode 100644 (file)
index 0000000..24464f9
--- /dev/null
@@ -0,0 +1,60 @@
+From e5f5a5b06e51a36f6ddf31a4a485358263953a3d Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@linux-mips.org>
+Date: Sat, 8 Jul 2017 23:24:44 +0100
+Subject: MIPS: Fix MIPS I ISA /proc/cpuinfo reporting
+
+From: Maciej W. Rozycki <macro@linux-mips.org>
+
+commit e5f5a5b06e51a36f6ddf31a4a485358263953a3d upstream.
+
+Correct a commit 515a6393dbac ("MIPS: kernel: proc: Add MIPS R6 support
+to /proc/cpuinfo") regression that caused MIPS I systems to show no ISA
+levels supported in /proc/cpuinfo, e.g.:
+
+system type            : Digital DECstation 2100/3100
+machine                        : Unknown
+processor              : 0
+cpu model              : R3000 V2.0  FPU V2.0
+BogoMIPS               : 10.69
+wait instruction       : no
+microsecond timers     : no
+tlb_entries            : 64
+extra interrupt vector : no
+hardware watchpoint    : no
+isa                    :
+ASEs implemented       :
+shadow register sets   : 1
+kscratch registers     : 0
+package                        : 0
+core                   : 0
+VCED exceptions                : not available
+VCEI exceptions                : not available
+
+and similarly exclude `mips1' from the ISA list for any processors below
+MIPSr1.  This is because the condition to show `mips1' on has been made
+`cpu_has_mips_r1' rather than newly-introduced `cpu_has_mips_1'.  Use
+the correct condition then.
+
+Fixes: 515a6393dbac ("MIPS: kernel: proc: Add MIPS R6 support to /proc/cpuinfo")
+Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
+Reviewed-by: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16758/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/proc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/proc.c
++++ b/arch/mips/kernel/proc.c
+@@ -83,7 +83,7 @@ static int show_cpuinfo(struct seq_file
+       }
+       seq_printf(m, "isa\t\t\t:"); 
+-      if (cpu_has_mips_r1)
++      if (cpu_has_mips_1)
+               seq_printf(m, " mips1");
+       if (cpu_has_mips_2)
+               seq_printf(m, "%s", " mips2");
diff --git a/queue-4.12/mips-fix-mips_atomic_set-retry-condition.patch b/queue-4.12/mips-fix-mips_atomic_set-retry-condition.patch
new file mode 100644 (file)
index 0000000..3fd6e51
--- /dev/null
@@ -0,0 +1,40 @@
+From 2ec420b26f7b6ff332393f0bb5a7d245f7ad87f0 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Wed, 31 May 2017 16:19:47 +0100
+Subject: MIPS: Fix mips_atomic_set() retry condition
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 2ec420b26f7b6ff332393f0bb5a7d245f7ad87f0 upstream.
+
+The inline asm retry check in the MIPS_ATOMIC_SET operation of the
+sysmips system call has been backwards since commit f1e39a4a616c ("MIPS:
+Rewrite sysmips(MIPS_ATOMIC_SET, ...) in C with inline assembler")
+merged in v2.6.32, resulting in the non R10000_LLSC_WAR case retrying
+until the operation was inatomic, before returning the new value that
+was probably just written multiple times instead of the old value.
+
+Invert the branch condition to fix that particular issue.
+
+Fixes: f1e39a4a616c ("MIPS: Rewrite sysmips(MIPS_ATOMIC_SET, ...) in C with inline assembler")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16148/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/syscall.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/syscall.c
++++ b/arch/mips/kernel/syscall.c
+@@ -134,7 +134,7 @@ static inline int mips_atomic_set(unsign
+               "1:     ll      %[old], (%[addr])                       \n"
+               "       move    %[tmp], %[new]                          \n"
+               "2:     sc      %[tmp], (%[addr])                       \n"
+-              "       bnez    %[tmp], 4f                              \n"
++              "       beqz    %[tmp], 4f                              \n"
+               "3:                                                     \n"
+               "       .insn                                           \n"
+               "       .subsection 2                                   \n"
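Review bot: The corrected `beqz %[tmp], 4f` still carries no explanation of why a zero result means "retry", and the commit message shows this exact branch sat inverted since v2.6.32 without being noticed; a C comment above the asm block such as `/* sc writes 0 to %[tmp] when the store failed: retry at 4: */` would make the intent reviewable next time. The `4:` retry target and the rest of `mips_atomic_set()` are outside the hunk, so the retry path itself is inferred from the branch.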
diff --git a/queue-4.12/mips-fix-mips_atomic_set-with-eva.patch b/queue-4.12/mips-fix-mips_atomic_set-with-eva.patch
new file mode 100644 (file)
index 0000000..022f5d2
--- /dev/null
@@ -0,0 +1,49 @@
+From 4915e1b043d6286928207b1f6968197b50407294 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Wed, 31 May 2017 16:19:49 +0100
+Subject: MIPS: Fix mips_atomic_set() with EVA
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 4915e1b043d6286928207b1f6968197b50407294 upstream.
+
+EVA linked loads (LLE) and conditional stores (SCE) should be used on
+EVA kernels for the MIPS_ATOMIC_SET operation of the sysmips system
+call, or else the atomic set will apply to the kernel view of the
+virtual address space (potentially unmapped on EVA kernels) rather than
+the user view (TLB mapped).
+
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16151/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/syscall.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/kernel/syscall.c
++++ b/arch/mips/kernel/syscall.c
+@@ -29,6 +29,7 @@
+ #include <linux/sched/task_stack.h>
+ #include <asm/asm.h>
++#include <asm/asm-eva.h>
+ #include <asm/branch.h>
+ #include <asm/cachectl.h>
+ #include <asm/cacheflush.h>
+@@ -131,9 +132,11 @@ static inline int mips_atomic_set(unsign
+               __asm__ __volatile__ (
+               "       .set    "MIPS_ISA_ARCH_LEVEL"                   \n"
+               "       li      %[err], 0                               \n"
+-              "1:     ll      %[old], (%[addr])                       \n"
++              "1:                                                     \n"
++              user_ll("%[old]", "(%[addr])")
+               "       move    %[tmp], %[new]                          \n"
+-              "2:     sc      %[tmp], (%[addr])                       \n"
++              "2:                                                     \n"
++              user_sc("%[tmp]", "(%[addr])")
+               "       beqz    %[tmp], 4f                              \n"
+               "3:                                                     \n"
+               "       .insn                                           \n"
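Review bot: Moving the `1:` and `2:` labels onto their own lines ahead of the `user_ll()`/`user_sc()` expansions means the labels now mark whatever the macros emit first; if either macro ever expands to more than the single LL/SC-type instruction, a fixup table keyed on `1b`/`2b` would no longer name the faulting instruction. The exception-table entries for this asm are outside the hunk, so that dependency is inferred; a comment above the asm, `/* 1: and 2: must mark the load-linked/store-conditional instruction itself for the fixup table. */`, would record the constraint. `mips_atomic_set()` begins and ends outside the hunk.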
diff --git a/queue-4.12/mips-fix-unaligned-pc-interpretation-in-compute_return_epc.patch b/queue-4.12/mips-fix-unaligned-pc-interpretation-in-compute_return_epc.patch
new file mode 100644 (file)
index 0000000..761bcd4
--- /dev/null
@@ -0,0 +1,43 @@
+From 11a3799dbeb620bf0400b1fda5cc2c6bea55f20a Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@imgtec.com>
+Date: Fri, 16 Jun 2017 00:07:34 +0100
+Subject: MIPS: Fix unaligned PC interpretation in `compute_return_epc'
+
+From: Maciej W. Rozycki <macro@imgtec.com>
+
+commit 11a3799dbeb620bf0400b1fda5cc2c6bea55f20a upstream.
+
+Fix a regression introduced with commit fb6883e5809c ("MIPS: microMIPS:
+Support handling of delay slots.") and defer to `__compute_return_epc'
+if the ISA bit is set in EPC with non-MIPS16, non-microMIPS hardware,
+which will then arrange for a SIGBUS due to an unaligned instruction
+reference.  Returning EPC here is never correct as the API defines this
+function's result to be either a negative error code on failure or one
+of 0 and BRANCH_LIKELY_TAKEN on success.
+
+Fixes: fb6883e5809c ("MIPS: microMIPS: Support handling of delay slots.")
+Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16395/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/branch.h |    5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/arch/mips/include/asm/branch.h
++++ b/arch/mips/include/asm/branch.h
+@@ -74,10 +74,7 @@ static inline int compute_return_epc(str
+                       return __microMIPS_compute_return_epc(regs);
+               if (cpu_has_mips16)
+                       return __MIPS16e_compute_return_epc(regs);
+-              return regs->cp0_epc;
+-      }
+-
+-      if (!delay_slot(regs)) {
++      } else if (!delay_slot(regs)) {
+               regs->cp0_epc += 4;
+               return 0;
+       }
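Review bot: After the change, an EPC with the ISA bit set on hardware with neither microMIPS nor MIPS16 silently falls out of the compressed-ISA branch into whatever follows the new `else if`, and nothing in the code says that this is the intended route to a SIGBUS; a comment after the `cpu_has_mips16` return, `/* ISA bit set but no compressed ISA: fall through so __compute_return_epc faults on the unaligned fetch. */`, would keep the next reader from restoring the removed `return regs->cp0_epc;`. The tail of `compute_return_epc()` that handles that path lies outside the hunk, so the exact callee is taken from the commit message rather than the visible code.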
diff --git a/queue-4.12/mips-math-emu-prevent-wrong-isa-mode-instruction-emulation.patch b/queue-4.12/mips-math-emu-prevent-wrong-isa-mode-instruction-emulation.patch
new file mode 100644 (file)
index 0000000..f3f14a0
--- /dev/null
@@ -0,0 +1,152 @@
+From 13769ebad0c42738831787e27c7c7f982e7da579 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@imgtec.com>
+Date: Fri, 16 Jun 2017 00:05:08 +0100
+Subject: MIPS: math-emu: Prevent wrong ISA mode instruction emulation
+
+From: Maciej W. Rozycki <macro@imgtec.com>
+
+commit 13769ebad0c42738831787e27c7c7f982e7da579 upstream.
+
+Terminate FPU emulation immediately whenever an ISA mode switch has been
+observed.  This is so that we do not interpret machine code in the wrong
+mode, for example when a regular MIPS FPU instruction has been placed in
+a delay slot of a jump that switches into the MIPS16 mode, as with the
+following code (taken from a GCC test suite case):
+
+00400650 <set_fast_math>:
+  400650:      3c020100        lui     v0,0x100
+  400654:      03e00008        jr      ra
+  400658:      44c2f800        ctc1    v0,c1_fcsr
+  40065c:      00000000        nop
+
+[...]
+
+004012d0 <__libc_csu_init>:
+  4012d0:      f000 6a02       li      v0,2
+  4012d4:      f150 0b1c       la      v1,3f9430 <_DYNAMIC-0x6df0>
+  4012d8:      f400 3240       sll     v0,16
+  4012dc:      e269            addu    v0,v1
+  4012de:      659a            move    gp,v0
+  4012e0:      f00c 64f6       save    a0-a2,48,ra,s0-s1
+  4012e4:      673c            move    s1,gp
+  4012e6:      f010 9978       lw      v1,-32744(s1)
+  4012ea:      d204            sw      v0,16(sp)
+  4012ec:      eb40            jalr    v1
+  4012ee:      653b            move    t9,v1
+  4012f0:      f010 997c       lw      v1,-32740(s1)
+  4012f4:      f030 9920       lw      s1,-32736(s1)
+  4012f8:      e32f            subu    v1,s1
+  4012fa:      326b            sra     v0,v1,2
+  4012fc:      d206            sw      v0,24(sp)
+  4012fe:      220c            beqz    v0,401318 <__libc_csu_init+0x48>
+  401300:      6800            li      s0,0
+  401302:      99e0            lw      a3,0(s1)
+  401304:      4801            addiu   s0,1
+  401306:      960e            lw      a2,56(sp)
+  401308:      4904            addiu   s1,4
+  40130a:      950d            lw      a1,52(sp)
+  40130c:      940c            lw      a0,48(sp)
+  40130e:      ef40            jalr    a3
+  401310:      653f            move    t9,a3
+  401312:      9206            lw      v0,24(sp)
+  401314:      ea0a            cmp     v0,s0
+  401316:      61f5            btnez   401302 <__libc_csu_init+0x32>
+  401318:      6476            restore 48,ra,s0-s1
+  40131a:      e8a0            jrc     ra
+
+Here `set_fast_math' is called from `40130e' (`40130f' with the ISA bit)
+and emulation triggers for the CTC1 instruction.  As it is in a jump
+delay slot emulation continues from `401312' (`401313' with the ISA
+bit).  However we have no path to handle MIPS16 FPU code emulation,
+because there are no MIPS16 FPU instructions.  So the default emulation
+path is taken, interpreting a 32-bit word fetched by `get_user' from
+`401313' as a regular MIPS instruction, which is:
+
+  401313:      f5ea0a92        sdc1    $f10,2706(t7)
+
+This makes the FPU emulator proceed with the supposed SDC1 instruction
+and consequently makes the program considered here terminate with
+SIGSEGV.
+
+A similar although less severe issue exists with pure-microMIPS
+processors in the case where similarly an FPU instruction is emulated in
+a delay slot of a register jump that (incorrectly) switches into the
+regular MIPS mode.  A subsequent instruction fetch from the jump's
+target is supposed to cause an Address Error exception, however instead
+we proceed with regular MIPS FPU emulation.
+
+For simplicity then, always terminate the emulation loop whenever a mode
+change is detected, denoted by an ISA mode bit flip.  As from commit
+377cb1b6c16a ("MIPS: Disable MIPS16/microMIPS crap for platforms not
+supporting these ASEs.") the result of `get_isa16_mode' can be hardcoded
+to 0, so we need to examine the ISA mode bit by hand.
+
+This complements commit 102cedc32a6e ("MIPS: microMIPS: Floating point
+support.") which added JALX decoding to FPU emulation.
+
+Fixes: 102cedc32a6e ("MIPS: microMIPS: Floating point support.")
+Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16393/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/math-emu/cp1emu.c |   38 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 38 insertions(+)
+
+--- a/arch/mips/math-emu/cp1emu.c
++++ b/arch/mips/math-emu/cp1emu.c
+@@ -2524,6 +2524,35 @@ dcopuop:
+       return 0;
+ }
++/*
++ * Emulate FPU instructions.
++ *
++ * If we use FPU hardware, then we have been typically called to handle
++ * an unimplemented operation, such as where an operand is a NaN or
++ * denormalized.  In that case exit the emulation loop after a single
++ * iteration so as to let hardware execute any subsequent instructions.
++ *
++ * If we have no FPU hardware or it has been disabled, then continue
++ * emulating floating-point instructions until one of these conditions
++ * has occurred:
++ *
++ * - a non-FPU instruction has been encountered,
++ *
++ * - an attempt to emulate has ended with a signal,
++ *
++ * - the ISA mode has been switched.
++ *
++ * We need to terminate the emulation loop if we got switched to the
++ * MIPS16 mode, whether supported or not, so that we do not attempt
++ * to emulate a MIPS16 instruction as a regular MIPS FPU instruction.
++ * Similarly if we got switched to the microMIPS mode and only the
++ * regular MIPS mode is supported, so that we do not attempt to emulate
++ * a microMIPS instruction as a regular MIPS FPU instruction.  Or if
++ * we got switched to the regular MIPS mode and only the microMIPS mode
++ * is supported, so that we do not attempt to emulate a regular MIPS
++ * instruction that should cause an Address Error exception instead.
++ * For simplicity we always terminate upon an ISA mode switch.
++ */
+ int fpu_emulator_cop1Handler(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
+       int has_fpu, void *__user *fault_addr)
+ {
+@@ -2609,6 +2638,15 @@ int fpu_emulator_cop1Handler(struct pt_r
+                       break;
+               if (sig)
+                       break;
++              /*
++               * We have to check for the ISA bit explicitly here,
++               * because `get_isa16_mode' may return 0 if support
++               * for code compression has been globally disabled,
++               * or otherwise we may produce the wrong signal or
++               * even proceed successfully where we must not.
++               */
++              if ((xcp->cp0_epc ^ prevepc) & 0x1)
++                      break;
+               cond_resched();
+       } while (xcp->cp0_epc > prevepc);
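Review bot: The loop exit `if ((xcp->cp0_epc ^ prevepc) & 0x1)` uses a bare `0x1` whose meaning the six-line comment above it has to spell out; giving the bit a name (a constructed example: `#define EPC_ISA_MODE_BIT 0x1` near the top of the file, unless an arch header already provides one) and writing `& EPC_ISA_MODE_BIT` would make the check self-describing and let the comment shrink to the "why". Placing the test after the `sig` check is right, since a signal already ends the loop. `fpu_emulator_cop1Handler()` starts and ends outside the hunk.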
diff --git a/queue-4.12/mips-negate-error-syscall-return-in-trace.patch b/queue-4.12/mips-negate-error-syscall-return-in-trace.patch
new file mode 100644 (file)
index 0000000..ab604c0
--- /dev/null
@@ -0,0 +1,43 @@
+From 4f32a39d49b25eaa66d2420f1f03d371ea4cd906 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Thu, 29 Jun 2017 10:12:34 +0100
+Subject: MIPS: Negate error syscall return in trace
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 4f32a39d49b25eaa66d2420f1f03d371ea4cd906 upstream.
+
+The sys_exit trace event takes a single return value for the system
+call, which MIPS passes the value of the $v0 (result) register, however
+MIPS returns positive error codes in $v0 with $a3 specifying that $v0
+contains an error code. As a result erroring system calls are traced
+returning positive error numbers that can't always be distinguished from
+success.
+
+Use regs_return_value() to negate the error code if $a3 is set.
+
+Fixes: 1d7bf993e073 ("MIPS: ftrace: Add support for syscall tracepoints.")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16651/
+Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/ptrace.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -895,7 +895,7 @@ asmlinkage void syscall_trace_leave(stru
+       audit_syscall_exit(regs);
+       if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
+-              trace_sys_exit(regs, regs->regs[2]);
++              trace_sys_exit(regs, regs_return_value(regs));
+       if (test_thread_flag(TIF_SYSCALL_TRACE))
+               tracehook_report_syscall_exit(regs, 0);
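Review bot: The switch to `regs_return_value(regs)` is not explained at the call site, and `regs->regs[2]` still reads as the natural choice to anyone familiar with the MIPS syscall ABI; a comment above the call, `/* $v0 holds a positive errno when $a3 is set; regs_return_value() negates it. */`, would record why the raw register is wrong for the tracepoint. `syscall_trace_leave()` starts and ends outside the hunk.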
diff --git a/queue-4.12/mips-rename-sigill_r6-to-sigill_r2r6-in-__compute_return_epc_for_insn.patch b/queue-4.12/mips-rename-sigill_r6-to-sigill_r2r6-in-__compute_return_epc_for_insn.patch
new file mode 100644 (file)
index 0000000..477b264
--- /dev/null
@@ -0,0 +1,101 @@
+From 1f4edde422961397cf4470b347958c13c6a740bb Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@imgtec.com>
+Date: Fri, 16 Jun 2017 00:09:23 +0100
+Subject: MIPS: Rename `sigill_r6' to `sigill_r2r6' in `__compute_return_epc_for_insn'
+
+From: Maciej W. Rozycki <macro@imgtec.com>
+
+commit 1f4edde422961397cf4470b347958c13c6a740bb upstream.
+
+Use the more accurate `sigill_r2r6' name for the label used in the case
+of sending SIGILL in the absence of the instruction emulator for an
+earlier ISA level instruction that has been removed as from the R6 ISA,
+so that the `sigill_r6' name is freed for the situation where an R6
+instruction is not supposed to be interpreted, because the executing
+processor does not support the R6 ISA.
+
+Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16397/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/branch.c |   16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/arch/mips/kernel/branch.c
++++ b/arch/mips/kernel/branch.c
+@@ -431,7 +431,7 @@ int __compute_return_epc_for_insn(struct
+                       /* Fall through */
+               case jr_op:
+                       if (NO_R6EMU && insn.r_format.func == jr_op)
+-                              goto sigill_r6;
++                              goto sigill_r2r6;
+                       regs->cp0_epc = regs->regs[insn.r_format.rs];
+                       break;
+               }
+@@ -446,7 +446,7 @@ int __compute_return_epc_for_insn(struct
+               switch (insn.i_format.rt) {
+               case bltzl_op:
+                       if (NO_R6EMU)
+-                              goto sigill_r6;
++                              goto sigill_r2r6;
+               case bltz_op:
+                       if ((long)regs->regs[insn.i_format.rs] < 0) {
+                               epc = epc + 4 + (insn.i_format.simmediate << 2);
+@@ -459,7 +459,7 @@ int __compute_return_epc_for_insn(struct
+               case bgezl_op:
+                       if (NO_R6EMU)
+-                              goto sigill_r6;
++                              goto sigill_r2r6;
+               case bgez_op:
+                       if ((long)regs->regs[insn.i_format.rs] >= 0) {
+                               epc = epc + 4 + (insn.i_format.simmediate << 2);
+@@ -574,7 +574,7 @@ int __compute_return_epc_for_insn(struct
+        */
+       case beql_op:
+               if (NO_R6EMU)
+-                      goto sigill_r6;
++                      goto sigill_r2r6;
+       case beq_op:
+               if (regs->regs[insn.i_format.rs] ==
+                   regs->regs[insn.i_format.rt]) {
+@@ -588,7 +588,7 @@ int __compute_return_epc_for_insn(struct
+       case bnel_op:
+               if (NO_R6EMU)
+-                      goto sigill_r6;
++                      goto sigill_r2r6;
+       case bne_op:
+               if (regs->regs[insn.i_format.rs] !=
+                   regs->regs[insn.i_format.rt]) {
+@@ -602,7 +602,7 @@ int __compute_return_epc_for_insn(struct
+       case blezl_op: /* not really i_format */
+               if (!insn.i_format.rt && NO_R6EMU)
+-                      goto sigill_r6;
++                      goto sigill_r2r6;
+       case blez_op:
+               /*
+                * Compact branches for R6 for the
+@@ -637,7 +637,7 @@ int __compute_return_epc_for_insn(struct
+       case bgtzl_op:
+               if (!insn.i_format.rt && NO_R6EMU)
+-                      goto sigill_r6;
++                      goto sigill_r2r6;
+       case bgtz_op:
+               /*
+                * Compact branches for R6 for the
+@@ -836,7 +836,7 @@ sigill_dsp:
+               current->comm);
+       force_sig(SIGILL, current);
+       return -EFAULT;
+-sigill_r6:
++sigill_r2r6:
+       pr_info("%s: R2 branch but r2-to-r6 emulator is not preset - sending SIGILL.\n",
+               current->comm);
+       force_sig(SIGILL, current);
diff --git a/queue-4.12/mips-save-static-registers-before-sysmips.patch b/queue-4.12/mips-save-static-registers-before-sysmips.patch
new file mode 100644 (file)
index 0000000..196e73a
--- /dev/null
@@ -0,0 +1,92 @@
+From 49955d84cd9ccdca5a16a495e448e1a06fad9e49 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Wed, 31 May 2017 16:19:48 +0100
+Subject: MIPS: Save static registers before sysmips
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 49955d84cd9ccdca5a16a495e448e1a06fad9e49 upstream.
+
+The MIPS sysmips system call handler may return directly from the
+MIPS_ATOMIC_SET case (mips_atomic_set()) to syscall_exit. This path
+restores the static (callee saved) registers, however they won't have
+been saved on entry to the system call.
+
+Use the save_static_function() macro to create a __sys_sysmips wrapper
+function which saves the static registers before calling sys_sysmips, so
+that the correct static register state is restored by syscall_exit.
+
+Fixes: f1e39a4a616c ("MIPS: Rewrite sysmips(MIPS_ATOMIC_SET, ...) in C with inline assembler")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16149/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/scall32-o32.S |    2 +-
+ arch/mips/kernel/scall64-64.S  |    2 +-
+ arch/mips/kernel/scall64-n32.S |    2 +-
+ arch/mips/kernel/scall64-o32.S |    2 +-
+ arch/mips/kernel/syscall.c     |    6 ++++++
+ 5 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/arch/mips/kernel/scall32-o32.S
++++ b/arch/mips/kernel/scall32-o32.S
+@@ -371,7 +371,7 @@ EXPORT(sys_call_table)
+       PTR     sys_writev
+       PTR     sys_cacheflush
+       PTR     sys_cachectl
+-      PTR     sys_sysmips
++      PTR     __sys_sysmips
+       PTR     sys_ni_syscall                  /* 4150 */
+       PTR     sys_getsid
+       PTR     sys_fdatasync
+--- a/arch/mips/kernel/scall64-64.S
++++ b/arch/mips/kernel/scall64-64.S
+@@ -311,7 +311,7 @@ EXPORT(sys_call_table)
+       PTR     sys_sched_getaffinity
+       PTR     sys_cacheflush
+       PTR     sys_cachectl
+-      PTR     sys_sysmips
++      PTR     __sys_sysmips
+       PTR     sys_io_setup                    /* 5200 */
+       PTR     sys_io_destroy
+       PTR     sys_io_getevents
+--- a/arch/mips/kernel/scall64-n32.S
++++ b/arch/mips/kernel/scall64-n32.S
+@@ -302,7 +302,7 @@ EXPORT(sysn32_call_table)
+       PTR     compat_sys_sched_getaffinity
+       PTR     sys_cacheflush
+       PTR     sys_cachectl
+-      PTR     sys_sysmips
++      PTR     __sys_sysmips
+       PTR     compat_sys_io_setup                     /* 6200 */
+       PTR     sys_io_destroy
+       PTR     compat_sys_io_getevents
+--- a/arch/mips/kernel/scall64-o32.S
++++ b/arch/mips/kernel/scall64-o32.S
+@@ -371,7 +371,7 @@ EXPORT(sys32_call_table)
+       PTR     compat_sys_writev
+       PTR     sys_cacheflush
+       PTR     sys_cachectl
+-      PTR     sys_sysmips
++      PTR     __sys_sysmips
+       PTR     sys_ni_syscall                  /* 4150 */
+       PTR     sys_getsid
+       PTR     sys_fdatasync
+--- a/arch/mips/kernel/syscall.c
++++ b/arch/mips/kernel/syscall.c
+@@ -195,6 +195,12 @@ static inline int mips_atomic_set(unsign
+       unreachable();
+ }
++/*
++ * mips_atomic_set() normally returns directly via syscall_exit potentially
++ * clobbering static registers, so be sure to preserve them.
++ */
++save_static_function(sys_sysmips);
++
+ SYSCALL_DEFINE3(sysmips, long, cmd, long, arg1, long, arg2)
+ {
+       switch (cmd) {
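Review bot: The `save_static_function(sys_sysmips);` line is what produces the `__sys_sysmips` symbol that the four syscall-table edits in this patch now reference, but nothing near it says so, and a grep of the C sources for `__sys_sysmips` finds no definition; extending the new comment with `save_static_function() emits __sys_sysmips, which the scall*.S tables call in place of sys_sysmips.` would close that gap. That the macro generates a `__`-prefixed wrapper is inferred from the table edits, since its definition is outside the hunk.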
diff --git a/queue-4.12/mips-send-sigill-for-bposge32-in-__compute_return_epc_for_insn.patch b/queue-4.12/mips-send-sigill-for-bposge32-in-__compute_return_epc_for_insn.patch
new file mode 100644 (file)
index 0000000..ddbfefe
--- /dev/null
@@ -0,0 +1,53 @@
+From 7b82c1058ac1f8f8b9f2b8786b1f710a57a870a8 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@imgtec.com>
+Date: Fri, 16 Jun 2017 00:08:29 +0100
+Subject: MIPS: Send SIGILL for BPOSGE32 in `__compute_return_epc_for_insn'
+
+From: Maciej W. Rozycki <macro@imgtec.com>
+
+commit 7b82c1058ac1f8f8b9f2b8786b1f710a57a870a8 upstream.
+
+Fix commit e50c0a8fa60d ("Support the MIPS32 / MIPS64 DSP ASE.") and
+send SIGILL rather than SIGBUS whenever an unimplemented BPOSGE32 DSP
+ASE instruction has been encountered in `__compute_return_epc_for_insn'
+as our Reserved Instruction exception handler would in response to an
+attempt to actually execute the instruction.  Sending SIGBUS only makes
+sense for the unaligned PC case, since moved to `__compute_return_epc'.
+Adjust function documentation accordingly, correct formatting and use
+`pr_info' rather than `printk' as the other exit path already does.
+
+Fixes: e50c0a8fa60d ("Support the MIPS32 / MIPS64 DSP ASE.")
+Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16396/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/branch.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/mips/kernel/branch.c
++++ b/arch/mips/kernel/branch.c
+@@ -399,7 +399,7 @@ int __MIPS16e_compute_return_epc(struct
+  *
+  * @regs:     Pointer to pt_regs
+  * @insn:     branch instruction to decode
+- * @returns:  -EFAULT on error and forces SIGBUS, and on success
++ * @returns:  -EFAULT on error and forces SIGILL, and on success
+  *            returns 0 or BRANCH_LIKELY_TAKEN as appropriate after
+  *            evaluating the branch.
+  *
+@@ -832,8 +832,9 @@ int __compute_return_epc_for_insn(struct
+       return ret;
+ sigill_dsp:
+-      printk("%s: DSP branch but not DSP ASE - sending SIGBUS.\n", current->comm);
+-      force_sig(SIGBUS, current);
++      pr_info("%s: DSP branch but not DSP ASE - sending SIGILL.\n",
++              current->comm);
++      force_sig(SIGILL, current);
+       return -EFAULT;
+ sigill_r6:
+       pr_info("%s: R2 branch but r2-to-r6 emulator is not preset - sending SIGILL.\n",
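Review bot: The new `pr_info()` in the `sigill_dsp` path is reachable from unprivileged user space (it fires on a DSP branch executed on hardware without the ASE, just before the process is signalled), so a process that keeps triggering the exception can fill the kernel log; `pr_info_ratelimited()` keeps the diagnostic without the flooding. The unchanged `sigill_r6` message at the end of the hunk has the same exposure, as do the other exit paths of `__compute_return_epc_for_insn()`, which lie outside the hunk.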
diff --git a/queue-4.12/mips-send-sigill-for-linked-branches-in-__compute_return_epc_for_insn.patch b/queue-4.12/mips-send-sigill-for-linked-branches-in-__compute_return_epc_for_insn.patch
new file mode 100644 (file)
index 0000000..8b918e5
--- /dev/null
@@ -0,0 +1,56 @@
+From fef40be6da856afead4177aaa9d869a66fb3381f Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@imgtec.com>
+Date: Fri, 16 Jun 2017 00:12:53 +0100
+Subject: MIPS: Send SIGILL for linked branches in `__compute_return_epc_for_insn'
+
+From: Maciej W. Rozycki <macro@imgtec.com>
+
+commit fef40be6da856afead4177aaa9d869a66fb3381f upstream.
+
+Fix commit 319824eabc3f ("MIPS: kernel: branch: Do not emulate the
+branch likelies on MIPS R6") and also send SIGILL rather than returning
+-SIGILL for BLTZAL, BLTZALL, BGEZAL and BGEZALL instruction encodings no
+longer supported in R6, except where emulated.  Returning -SIGILL is
+never correct as the API defines this function's result upon error to be
+-EFAULT and a signal actually issued.
+
+Fixes: 319824eabc3f ("MIPS: kernel: branch: Do not emulate the branch likelies on MIPS R6")
+Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16398/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/branch.c |   12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+--- a/arch/mips/kernel/branch.c
++++ b/arch/mips/kernel/branch.c
+@@ -473,10 +473,8 @@ int __compute_return_epc_for_insn(struct
+               case bltzal_op:
+               case bltzall_op:
+                       if (NO_R6EMU && (insn.i_format.rs ||
+-                          insn.i_format.rt == bltzall_op)) {
+-                              ret = -SIGILL;
+-                              break;
+-                      }
++                          insn.i_format.rt == bltzall_op))
++                              goto sigill_r2r6;
+                       regs->regs[31] = epc + 8;
+                       /*
+                        * OK we are here either because we hit a NAL
+@@ -507,10 +505,8 @@ int __compute_return_epc_for_insn(struct
+               case bgezal_op:
+               case bgezall_op:
+                       if (NO_R6EMU && (insn.i_format.rs ||
+-                          insn.i_format.rt == bgezall_op)) {
+-                              ret = -SIGILL;
+-                              break;
+-                      }
++                          insn.i_format.rt == bgezall_op))
++                              goto sigill_r2r6;
+                       regs->regs[31] = epc + 8;
+                       /*
+                        * OK we are here either because we hit a BAL
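Review bot: Both new `goto sigill_r2r6;` statements depend on the label having been renamed from `sigill_r6` by a separate patch in this same queue, so the stable series ordering must place that rename ahead of this patch or branch.c fails to build with an undeclared label; the series file is not part of this view, so that ordering cannot be confirmed here. `__compute_return_epc_for_insn()` starts and ends outside both hunks.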
diff --git a/queue-4.12/mips-send-sigill-for-r6-branches-in-__compute_return_epc_for_insn.patch b/queue-4.12/mips-send-sigill-for-r6-branches-in-__compute_return_epc_for_insn.patch
new file mode 100644 (file)
index 0000000..3ce81be
--- /dev/null
@@ -0,0 +1,118 @@
+From a60b1a5bf88a250f1a77977c0224e502c901c77b Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@imgtec.com>
+Date: Fri, 16 Jun 2017 00:14:12 +0100
+Subject: MIPS: Send SIGILL for R6 branches in `__compute_return_epc_for_insn'
+
+From: Maciej W. Rozycki <macro@imgtec.com>
+
+commit a60b1a5bf88a250f1a77977c0224e502c901c77b upstream.
+
+Fix:
+
+* commit 8467ca0122e2 ("MIPS: Emulate the new MIPS R6 branch compact
+(BC) instruction"),
+
+* commit 84fef630127a ("MIPS: Emulate the new MIPS R6 BALC
+instruction"),
+
+* commit 69b9a2fd05a3 ("MIPS: Emulate the new MIPS R6 BEQZC and JIC
+instructions"),
+
+* commit 28d6f93d201d ("MIPS: Emulate the new MIPS R6 BNEZC and JIALC
+instructions"),
+
+* commit c893ce38b265 ("MIPS: Emulate the new MIPS R6 BOVC, BEQC and
+BEQZALC instructions")
+
+and send SIGILL rather than returning -SIGILL for R6 branch and jump
+instructions.  Returning -SIGILL is never correct as the API defines
+this function's result upon error to be -EFAULT and a signal actually
+issued.
+
+Fixes: 8467ca0122e2 ("MIPS: Emulate the new MIPS R6 branch compact (BC) instruction")
+Fixes: 84fef630127a ("MIPS: Emulate the new MIPS R6 BALC instruction")
+Fixes: 69b9a2fd05a3 ("MIPS: Emulate the new MIPS R6 BEQZC and JIC instructions")
+Fixes: 28d6f93d201d ("MIPS: Emulate the new MIPS R6 BNEZC and JIALC instructions")
+Fixes: c893ce38b265 ("MIPS: Emulate the new MIPS R6 BOVC, BEQC and BEQZALC instructions")
+Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16399/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/branch.c |   35 +++++++++++++++--------------------
+ 1 file changed, 15 insertions(+), 20 deletions(-)
+
+--- a/arch/mips/kernel/branch.c
++++ b/arch/mips/kernel/branch.c
+@@ -771,35 +771,27 @@ int __compute_return_epc_for_insn(struct
+ #else
+       case bc6_op:
+               /* Only valid for MIPS R6 */
+-              if (!cpu_has_mips_r6) {
+-                      ret = -SIGILL;
+-                      break;
+-              }
++              if (!cpu_has_mips_r6)
++                      goto sigill_r6;
+               regs->cp0_epc += 8;
+               break;
+       case balc6_op:
+-              if (!cpu_has_mips_r6) {
+-                      ret = -SIGILL;
+-                      break;
+-              }
++              if (!cpu_has_mips_r6)
++                      goto sigill_r6;
+               /* Compact branch: BALC */
+               regs->regs[31] = epc + 4;
+               epc += 4 + (insn.i_format.simmediate << 2);
+               regs->cp0_epc = epc;
+               break;
+       case pop66_op:
+-              if (!cpu_has_mips_r6) {
+-                      ret = -SIGILL;
+-                      break;
+-              }
++              if (!cpu_has_mips_r6)
++                      goto sigill_r6;
+               /* Compact branch: BEQZC || JIC */
+               regs->cp0_epc += 8;
+               break;
+       case pop76_op:
+-              if (!cpu_has_mips_r6) {
+-                      ret = -SIGILL;
+-                      break;
+-              }
++              if (!cpu_has_mips_r6)
++                      goto sigill_r6;
+               /* Compact branch: BNEZC || JIALC */
+               if (!insn.i_format.rs) {
+                       /* JIALC: set $31/ra */
+@@ -811,10 +803,8 @@ int __compute_return_epc_for_insn(struct
+       case pop10_op:
+       case pop30_op:
+               /* Only valid for MIPS R6 */
+-              if (!cpu_has_mips_r6) {
+-                      ret = -SIGILL;
+-                      break;
+-              }
++              if (!cpu_has_mips_r6)
++                      goto sigill_r6;
+               /*
+                * Compact branches:
+                * bovc, beqc, beqzalc, bnvc, bnec, bnezlac
+@@ -837,6 +827,11 @@ sigill_r2r6:
+               current->comm);
+       force_sig(SIGILL, current);
+       return -EFAULT;
++sigill_r6:
++      pr_info("%s: R6 branch but no MIPSr6 ISA support - sending SIGILL.\n",
++              current->comm);
++      force_sig(SIGILL, current);
++      return -EFAULT;
+ }
+ EXPORT_SYMBOL_GPL(__compute_return_epc_for_insn);
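Review bot: The new `sigill_r6` label logs with an unthrottled `pr_info()` that any unprivileged process can trigger on demand by executing an R6 branch on a pre-R6 CPU, so a tight loop in user space can flood the kernel log; `pr_info_ratelimited("%s: R6 branch but no MIPSr6 ISA support - sending SIGILL.\n", current->comm);` bounds that, and the existing `sigill_r2r6` label just above has the same exposure. The patch otherwise matches the function's error contract (-EFAULT plus a delivered signal) for all five R6 cases. `__compute_return_epc_for_insn()` starts outside the hunk.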
diff --git a/queue-4.12/mlx5-avoid-that-mlx5_ib_sg_to_klms-overflows-the-klms-array.patch b/queue-4.12/mlx5-avoid-that-mlx5_ib_sg_to_klms-overflows-the-klms-array.patch
new file mode 100644 (file)
index 0000000..617ab6f
--- /dev/null
@@ -0,0 +1,41 @@
+From 99975cd4fda52974a767aa44fe0b1a8f74950d9d Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+Date: Mon, 24 Apr 2017 15:15:28 -0700
+Subject: mlx5: Avoid that mlx5_ib_sg_to_klms() overflows the klms[] array
+
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+
+commit 99975cd4fda52974a767aa44fe0b1a8f74950d9d upstream.
+
+ib_map_mr_sg() can pass an SG-list to .map_mr_sg() that is larger
+than what fits into a single MR. .map_mr_sg() must not attempt to
+map more SG-list elements than what fits into a single MR.
+Hence make sure that mlx5_ib_sg_to_klms() does not write outside
+the MR klms[] array.
+
+Fixes: b005d3164713 ("mlx5: Add arbitrary sg list support")
+Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
+Cc: Sagi Grimberg <sagi@grimberg.me>
+Cc: Leon Romanovsky <leonro@mellanox.com>
+Cc: Israel Rukshin <israelr@mellanox.com>
+Acked-by: Leon Romanovsky <leonro@mellanox.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/mr.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -1779,7 +1779,7 @@ mlx5_ib_sg_to_klms(struct mlx5_ib_mr *mr
+       mr->ndescs = sg_nents;
+       for_each_sg(sgl, sg, sg_nents, i) {
+-              if (unlikely(i > mr->max_descs))
++              if (unlikely(i >= mr->max_descs))
+                       break;
+               klms[i].va = cpu_to_be64(sg_dma_address(sg) + sg_offset);
+               klms[i].bcount = cpu_to_be32(sg_dma_len(sg) - sg_offset);
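Review bot: The `>=` check keeps the write inside `klms[]`, but `mr->ndescs = sg_nents;` on the line before the loop is still assigned from the full SG length, so when the list is longer than `mr->max_descs` the MR advertises more descriptors than were populated unless `ndescs` is corrected after the loop; the rest of `mlx5_ib_sg_to_klms()` is outside the hunk, so I cannot see whether it is. If it is not, `mr->ndescs = i;` after the loop keeps the count consistent with the truncated mapping, which is what the caller's return value should reflect as well. A one-line comment at the `break`, e.g. `/* caller must check the returned count: the SG list may not fit one MR */`, would make the truncation visible to readers.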
diff --git a/queue-4.12/mtd-nand-tango-fix-incorrect-use-of-seqin-command.patch b/queue-4.12/mtd-nand-tango-fix-incorrect-use-of-seqin-command.patch
new file mode 100644 (file)
index 0000000..2dd3664
--- /dev/null
@@ -0,0 +1,33 @@
+From a186493237a9d8559997c2f97c33c4716d602fd2 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+Date: Wed, 17 May 2017 10:47:50 +0200
+Subject: mtd: nand: tango: Fix incorrect use of SEQIN command
+
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+
+commit a186493237a9d8559997c2f97c33c4716d602fd2 upstream.
+
+SEQIN is supposed to be used when one wants to start programming a page.
+What we want here is just to change the column within the page, which is
+done with the RNDIN command.
+
+Fixes: 6956e2385a16 ("mtd: nand: add tango NAND flash controller support")
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Acked-by: Marc Gonzalez <marc_gonzalez@sigmadesigns.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/tango_nand.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/tango_nand.c
++++ b/drivers/mtd/nand/tango_nand.c
+@@ -340,7 +340,7 @@ static void aux_write(struct nand_chip *
+       if (!*buf) {
+               /* skip over "len" bytes */
+-              chip->cmdfunc(mtd, NAND_CMD_SEQIN, *pos, -1);
++              chip->cmdfunc(mtd, NAND_CMD_RNDIN, *pos, -1);
+       } else {
+               tango_write_buf(mtd, *buf, len);
+               *buf += len;
diff --git a/queue-4.12/net-sunrpc-xprt_sock-fix-regression-in-connection-error-reporting.patch b/queue-4.12/net-sunrpc-xprt_sock-fix-regression-in-connection-error-reporting.patch
new file mode 100644 (file)
index 0000000..c7ff3f3
--- /dev/null
@@ -0,0 +1,48 @@
+From 3ffbc1d65583394be12801655781dd2b079ce169 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Wed, 19 Jul 2017 14:05:01 +1000
+Subject: net/sunrpc/xprt_sock: fix regression in connection error reporting.
+
+From: NeilBrown <neilb@suse.com>
+
+commit 3ffbc1d65583394be12801655781dd2b079ce169 upstream.
+
+Commit 3d4762639dd3 ("tcp: remove poll() flakes when receiving
+RST") in v4.12 changed the order in which ->sk_state_change()
+and ->sk_error_report() are called when a socket is shut
+down - sk_state_change() is now called first.
+
+This causes xs_tcp_state_change() -> xs_sock_mark_closed() ->
+xprt_disconnect_done() to wake all pending tasked with -EAGAIN.
+When the ->sk_error_report() callback arrives, it is too late to
+pass the error on, and it is lost.
+
+As easy way to demonstrate the problem caused is to try to start
+rpc.nfsd while rcpbind isn't running.
+nfsd will attempt a tcp connection to rpcbind.  A ECONNREFUSED
+error is returned, but sunrpc code loses the error and keeps
+retrying.  If it saw the ECONNREFUSED, it would abort.
+
+To fix this, handle the sk->sk_err in the TCP_CLOSE branch of
+xs_tcp_state_change().
+
+Fixes: 3d4762639dd3 ("tcp: remove poll() flakes when receiving RST")
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/xprtsock.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -1624,6 +1624,8 @@ static void xs_tcp_state_change(struct s
+               if (test_and_clear_bit(XPRT_SOCK_CONNECTING,
+                                       &transport->sock_state))
+                       xprt_clear_connecting(xprt);
++              if (sk->sk_err)
++                      xprt_wake_pending_tasks(xprt, -sk->sk_err);
+               xs_sock_mark_closed(xprt);
+       }
+  out:
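Review bot: The added `if (sk->sk_err)` in the `TCP_CLOSE` branch carries none of the reasoning from the commit message, and a later reader will not know why the error is forwarded here rather than in `xs_error_report()`; a comment above the test such as `/* Since 3d4762639dd3 ->sk_state_change() runs before ->sk_error_report(), so the pending error must be passed on here or it is lost */` would preserve that. `sk_err` is read directly instead of consumed via `sock_error()`, which I take to be deliberate so the later error callback still sees it, but that is worth saying in the same comment. `xs_tcp_state_change()` starts outside the hunk.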
diff --git a/queue-4.12/nfs-fix-initialization-of-nfs_page_array-npages.patch b/queue-4.12/nfs-fix-initialization-of-nfs_page_array-npages.patch
new file mode 100644 (file)
index 0000000..0f5d21c
--- /dev/null
@@ -0,0 +1,33 @@
+From 2eb3aea7d9c43325a12df312adfc7fb25bbd636b Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Fri, 9 Jun 2017 11:03:23 -0400
+Subject: NFS: Fix initialization of nfs_page_array->npages
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+commit 2eb3aea7d9c43325a12df312adfc7fb25bbd636b upstream.
+
+Commit 8ef9b0b9e1c0 open-coded nfs_pgarray_set(), and left out the
+initialization of the nfs_page_array's npages.  This mistake didn't show up
+until testing with block layouts, and there shows that all pNFS reads
+return -EIO.
+
+Fixes: 8ef9b0b9e1c0 ("NFS: move nfs_pgarray_set() to open code")
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pagelist.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/nfs/pagelist.c
++++ b/fs/nfs/pagelist.c
+@@ -779,6 +779,7 @@ int nfs_generic_pgio(struct nfs_pageio_d
+       gfp_t gfp_flags = GFP_KERNEL;
+       pagecount = nfs_page_array_len(mirror->pg_base, mirror->pg_count);
++      pg_array->npages = pagecount;
+       if (pagecount <= ARRAY_SIZE(pg_array->page_array))
+               pg_array->pagevec = pg_array->page_array;
diff --git a/queue-4.12/nfs-only-invalidate-dentrys-that-are-clearly-invalid.patch b/queue-4.12/nfs-only-invalidate-dentrys-that-are-clearly-invalid.patch
new file mode 100644 (file)
index 0000000..d0350d9
--- /dev/null
@@ -0,0 +1,97 @@
+From cc89684c9a265828ce061037f1f79f4a68ccd3f7 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Wed, 5 Jul 2017 12:22:20 +1000
+Subject: NFS: only invalidate dentrys that are clearly invalid.
+
+From: NeilBrown <neilb@suse.com>
+
+commit cc89684c9a265828ce061037f1f79f4a68ccd3f7 upstream.
+
+Since commit bafc9b754f75 ("vfs: More precise tests in d_invalidate")
+in v3.18, a return of '0' from ->d_revalidate() will cause the dentry
+to be invalidated even if it has filesystems mounted on or it or on a
+descendant.  The mounted filesystem is unmounted.
+
+This means we need to be careful not to return 0 unless the directory
+referred to truly is invalid.  So -ESTALE or -ENOENT should invalidate
+the directory.  Other errors such a -EPERM or -ERESTARTSYS should be
+returned from ->d_revalidate() so they are propagated to the caller.
+
+A particular problem can be demonstrated by:
+
+1/ mount an NFS filesystem using NFSv3 on /mnt
+2/ mount any other filesystem on /mnt/foo
+3/ ls /mnt/foo
+4/ turn off network, or otherwise make the server unable to respond
+5/ ls /mnt/foo &
+6/ cat /proc/$!/stack # note that nfs_lookup_revalidate is in the call stack
+7/ kill -9 $! # this results in -ERESTARTSYS being returned
+8/ observe that /mnt/foo has been unmounted.
+
+This patch changes nfs_lookup_revalidate() to only treat
+  -ESTALE from nfs_lookup_verify_inode() and
+  -ESTALE or -ENOENT from ->lookup()
+as indicating an invalid inode.  Other errors are returned.
+
+Also nfs_check_inode_attributes() is changed to return -ESTALE rather
+than -EIO.  This is consistent with the error returned in similar
+circumstances from nfs_update_inode().
+
+As this bug allows any user to unmount a filesystem mounted on an NFS
+filesystem, this fix is suitable for stable kernels.
+
+Fixes: bafc9b754f75 ("vfs: More precise tests in d_invalidate")
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/dir.c   |   12 ++++++++----
+ fs/nfs/inode.c |    4 ++--
+ 2 files changed, 10 insertions(+), 6 deletions(-)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1115,11 +1115,13 @@ static int nfs_lookup_revalidate(struct
+       /* Force a full look up iff the parent directory has changed */
+       if (!nfs_is_exclusive_create(dir, flags) &&
+           nfs_check_verifier(dir, dentry, flags & LOOKUP_RCU)) {
+-
+-              if (nfs_lookup_verify_inode(inode, flags)) {
++              error = nfs_lookup_verify_inode(inode, flags);
++              if (error) {
+                       if (flags & LOOKUP_RCU)
+                               return -ECHILD;
+-                      goto out_zap_parent;
++                      if (error == -ESTALE)
++                              goto out_zap_parent;
++                      goto out_error;
+               }
+               nfs_advise_use_readdirplus(dir);
+               goto out_valid;
+@@ -1144,8 +1146,10 @@ static int nfs_lookup_revalidate(struct
+       trace_nfs_lookup_revalidate_enter(dir, dentry, flags);
+       error = NFS_PROTO(dir)->lookup(dir, &dentry->d_name, fhandle, fattr, label);
+       trace_nfs_lookup_revalidate_exit(dir, dentry, flags, error);
+-      if (error)
++      if (error == -ESTALE || error == -ENOENT)
+               goto out_bad;
++      if (error)
++              goto out_error;
+       if (nfs_compare_fh(NFS_FH(inode), fhandle))
+               goto out_bad;
+       if ((error = nfs_refresh_inode(inode, fattr)) != 0)
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -1315,9 +1315,9 @@ static int nfs_check_inode_attributes(st
+               return 0;
+       /* Has the inode gone and changed behind our back? */
+       if ((fattr->valid & NFS_ATTR_FATTR_FILEID) && nfsi->fileid != fattr->fileid)
+-              return -EIO;
++              return -ESTALE;
+       if ((fattr->valid & NFS_ATTR_FATTR_TYPE) && (inode->i_mode & S_IFMT) != (fattr->mode & S_IFMT))
+-              return -EIO;
++              return -ESTALE;
+       if (!nfs_file_has_buffered_writers(nfsi)) {
+               /* Verify a few of the more important attributes */
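Review bot: The error split in `nfs_lookup_revalidate()` encodes a policy that is easy to regress — only -ESTALE and -ENOENT may lead to a 0 return, because `d_invalidate()` will unmount anything mounted beneath the dentry — yet nothing in the code says so; a comment at the `if (error == -ESTALE || error == -ENOENT)` test, e.g. `/* Only a clearly stale or missing dentry may be invalidated: returning 0 unmounts whatever is mounted below it, so any other error must propagate */`, would anchor it, and the same rationale applies to the `if (error == -ESTALE) goto out_zap_parent;` in the first hunk. The `fs/nfs/inode.c` change to -ESTALE is what lets that first test match; if any caller of `nfs_check_inode_attributes()` keyed on -EIO it is outside these hunks. Both functions start outside the hunks.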
diff --git a/queue-4.12/nvme-rdma-remove-race-conditions-from-ib-signalling.patch b/queue-4.12/nvme-rdma-remove-race-conditions-from-ib-signalling.patch
new file mode 100644 (file)
index 0000000..9a828b8
--- /dev/null
@@ -0,0 +1,72 @@
+From 5e599d73c1c1816af07f94ddba879499aa39b43c Mon Sep 17 00:00:00 2001
+From: Marta Rybczynska <mrybczyn@kalray.eu>
+Date: Tue, 6 Jun 2017 13:27:21 +0200
+Subject: nvme-rdma: remove race conditions from IB signalling
+
+From: Marta Rybczynska <mrybczyn@kalray.eu>
+
+commit 5e599d73c1c1816af07f94ddba879499aa39b43c upstream.
+
+This patch improves the way the RDMA IB signalling is done by using atomic
+operations for the signalling variable. This avoids race conditions on
+sig_count.
+
+The signalling interval changes slightly and is now the largest power of
+two not larger than queue depth / 2.
+
+ilog() usage idea by Bart Van Assche.
+
+Signed-off-by: Marta Rybczynska <marta.rybczynska@kalray.eu>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvme/host/rdma.c |   20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/nvme/host/rdma.c
++++ b/drivers/nvme/host/rdma.c
+@@ -88,7 +88,7 @@ enum nvme_rdma_queue_flags {
+ struct nvme_rdma_queue {
+       struct nvme_rdma_qe     *rsp_ring;
+-      u8                      sig_count;
++      atomic_t                sig_count;
+       int                     queue_size;
+       size_t                  cmnd_capsule_len;
+       struct nvme_rdma_ctrl   *ctrl;
+@@ -553,6 +553,7 @@ static int nvme_rdma_init_queue(struct n
+               queue->cmnd_capsule_len = sizeof(struct nvme_command);
+       queue->queue_size = queue_size;
++      atomic_set(&queue->sig_count, 0);
+       queue->cm_id = rdma_create_id(&init_net, nvme_rdma_cm_handler, queue,
+                       RDMA_PS_TCP, IB_QPT_RC);
+@@ -1040,17 +1041,16 @@ static void nvme_rdma_send_done(struct i
+               nvme_rdma_wr_error(cq, wc, "SEND");
+ }
+-static inline int nvme_rdma_queue_sig_limit(struct nvme_rdma_queue *queue)
++/*
++ * We want to signal completion at least every queue depth/2.  This returns the
++ * largest power of two that is not above half of (queue size + 1) to optimize
++ * (avoid divisions).
++ */
++static inline bool nvme_rdma_queue_sig_limit(struct nvme_rdma_queue *queue)
+ {
+-      int sig_limit;
++      int limit = 1 << ilog2((queue->queue_size + 1) / 2);
+-      /*
+-       * We signal completion every queue depth/2 and also handle the
+-       * degenerated case of a  device with queue_depth=1, where we
+-       * would need to signal every message.
+-       */
+-      sig_limit = max(queue->queue_size / 2, 1);
+-      return (++queue->sig_count % sig_limit) == 0;
++      return (atomic_inc_return(&queue->sig_count) & (limit - 1)) == 0;
+ }
+ static int nvme_rdma_post_send(struct nvme_rdma_queue *queue,
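Review bot: `1 << ilog2((queue->queue_size + 1) / 2)` and the `& (limit - 1)` mask only work if the argument to `ilog2()` is at least 1; for `queue_size == 1` it is (limit becomes 1 and every send is signalled, matching the old degenerate case), but for `queue_size == 0` `ilog2(0)` yields -1 and the shift is undefined, so either that value is unreachable and should be stated, or the expression needs a floor. A comment on the `limit` line such as `/* queue_size >= 1, so the ilog2() argument is never 0 and limit is a power of two, which the mask below relies on */` covers the first case; `max((queue->queue_size + 1) / 2, 1)` covers the second. The `atomic_t` change removes the lost-update race the commit describes, and wrapping of the counter is harmless with a power-of-two mask.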
diff --git a/queue-4.12/ovl-fix-random-return-value-on-mount.patch b/queue-4.12/ovl-fix-random-return-value-on-mount.patch
new file mode 100644 (file)
index 0000000..25ddf29
--- /dev/null
@@ -0,0 +1,34 @@
+From 8fc646b44385ff0a9853f6590497e43049eeb311 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Tue, 11 Jul 2017 15:58:35 +0300
+Subject: ovl: fix random return value on mount
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 8fc646b44385ff0a9853f6590497e43049eeb311 upstream.
+
+On failure to prepare_creds(), mount fails with a random
+return value, as err was last set to an integer cast of
+a valid lower mnt pointer or set to 0 if inodes index feature
+is enabled.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Fixes: 3fe6e52f0626 ("ovl: override creds with the ones from ...")
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/super.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -946,6 +946,7 @@ static int ovl_fill_super(struct super_b
+       else
+               sb->s_d_op = &ovl_dentry_operations;
++      err = -ENOMEM;
+       ufs->creator_cred = cred = prepare_creds();
+       if (!cred)
+               goto out_put_lower_mnt;
diff --git a/queue-4.12/ovl-mark-parent-impure-on-ovl_link.patch b/queue-4.12/ovl-mark-parent-impure-on-ovl_link.patch
new file mode 100644 (file)
index 0000000..9460a68
--- /dev/null
@@ -0,0 +1,75 @@
+From ea3dad18dc5f778cfd931311a91a9315aa0065a3 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Tue, 11 Jul 2017 15:58:34 +0300
+Subject: ovl: mark parent impure on ovl_link()
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit ea3dad18dc5f778cfd931311a91a9315aa0065a3 upstream.
+
+When linking a file with copy up origin into a new parent, mark the
+new parent dir "impure".
+
+Fixes: ee1d6d37b6b8 ("ovl: mark upper dir with type origin entries "impure"")
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/dir.c |   22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+--- a/fs/overlayfs/dir.c
++++ b/fs/overlayfs/dir.c
+@@ -478,17 +478,30 @@ out_cleanup:
+ }
+ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode,
+-                            struct cattr *attr, struct dentry *hardlink)
++                            struct cattr *attr, struct dentry *hardlink,
++                            bool origin)
+ {
+       int err;
+       const struct cred *old_cred;
+       struct cred *override_cred;
++      struct dentry *parent = dentry->d_parent;
+-      err = ovl_copy_up(dentry->d_parent);
++      err = ovl_copy_up(parent);
+       if (err)
+               return err;
+       old_cred = ovl_override_creds(dentry->d_sb);
++
++      /*
++       * When linking a file with copy up origin into a new parent, mark the
++       * new parent dir "impure".
++       */
++      if (origin) {
++              err = ovl_set_impure(parent, ovl_dentry_upper(parent));
++              if (err)
++                      goto out_revert_creds;
++      }
++
+       err = -ENOMEM;
+       override_cred = prepare_creds();
+       if (override_cred) {
+@@ -547,7 +560,7 @@ static int ovl_create_object(struct dent
+       inode_init_owner(inode, dentry->d_parent->d_inode, mode);
+       attr.mode = inode->i_mode;
+-      err = ovl_create_or_link(dentry, inode, &attr, NULL);
++      err = ovl_create_or_link(dentry, inode, &attr, NULL, false);
+       if (err)
+               iput(inode);
+@@ -601,7 +614,8 @@ static int ovl_link(struct dentry *old,
+       inode = d_inode(old);
+       ihold(inode);
+-      err = ovl_create_or_link(new, inode, NULL, ovl_dentry_upper(old));
++      err = ovl_create_or_link(new, inode, NULL, ovl_dentry_upper(old),
++                               ovl_type_origin(old));
+       if (err)
+               iput(inode);
diff --git a/queue-4.12/perf-annotate-fix-broken-arrow-at-row-0-connecting-jmp-instruction-to-its-target.patch b/queue-4.12/perf-annotate-fix-broken-arrow-at-row-0-connecting-jmp-instruction-to-its-target.patch
new file mode 100644 (file)
index 0000000..4b2c56a
--- /dev/null
@@ -0,0 +1,62 @@
+From 80f62589fa52f530cffc50e78c0b5a2ae572d61e Mon Sep 17 00:00:00 2001
+From: Jin Yao <yao.jin@linux.intel.com>
+Date: Thu, 8 Jun 2017 14:01:44 +0800
+Subject: perf annotate: Fix broken arrow at row 0 connecting jmp instruction to its target
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jin Yao <yao.jin@linux.intel.com>
+
+commit 80f62589fa52f530cffc50e78c0b5a2ae572d61e upstream.
+
+When the jump instruction is displayed at the row 0 in annotate view,
+the arrow is broken. An example:
+
+ 16.86 │   ┌──je     82
+  0.01 │      movsd  (%rsp),%xmm0
+       │      movsd  0x8(%rsp),%xmm4
+       │      movsd  0x8(%rsp),%xmm1
+       │      movsd  (%rsp),%xmm3
+       │      divsd  %xmm4,%xmm0
+       │      divsd  %xmm3,%xmm1
+       │      movsd  (%rsp),%xmm2
+       │      addsd  %xmm1,%xmm0
+       │      addsd  %xmm2,%xmm0
+       │      movsd  %xmm0,(%rsp)
+       │82:   sub    $0x1,%ebx
+ 83.03 │    ↑ jne    38
+       │      add    $0x10,%rsp
+       │      xor    %eax,%eax
+       │      pop    %rbx
+       │    ← retq
+
+The patch increments the row number before checking with 0.
+
+Signed-off-by: Yao Jin <yao.jin@linux.intel.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Fixes: 944e1abed9e1 ("perf ui browser: Add method to draw up/down arrow line")
+Link: http://lkml.kernel.org/r/1496901704-30275-1-git-send-email-yao.jin@linux.intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/ui/browser.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/ui/browser.c
++++ b/tools/perf/ui/browser.c
+@@ -704,7 +704,7 @@ static void __ui_browser__line_arrow_dow
+               ui_browser__gotorc(browser, row, column + 1);
+               SLsmg_draw_hline(2);
+-              if (row++ == 0)
++              if (++row == 0)
+                       goto out;
+       } else
+               row = 0;
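Review bot: If `row` is an unsigned type (its declaration is outside the hunk), `++row == 0` can only hold after a wraparound from the maximum value, so the `goto out` after it is effectively dead and whatever bound the original `row++ == 0` test expressed is gone. If the intent is simply to advance to the next row before the arrow is drawn, a bare `row++;` says that plainly; if an early exit is still wanted, it should compare against the browser's row limit rather than 0. A short comment on the test would also help, since the pre-increment form reads as a deliberate check. `__ui_browser__line_arrow_down()` starts outside the hunk.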
diff --git a/queue-4.12/perf-core-fix-scheduling-regression-of-pinned-groups.patch b/queue-4.12/perf-core-fix-scheduling-regression-of-pinned-groups.patch
new file mode 100644 (file)
index 0000000..b52c06a
--- /dev/null
@@ -0,0 +1,87 @@
+From 3bda69c1c3993a2bddbae01397d12bfef6054011 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Tue, 18 Jul 2017 14:08:34 +0300
+Subject: perf/core: Fix scheduling regression of pinned groups
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 3bda69c1c3993a2bddbae01397d12bfef6054011 upstream.
+
+Vince Weaver reported:
+
+> I was tracking down some regressions in my perf_event_test testsuite.
+> Some of the tests broke in the 4.11-rc1 timeframe.
+>
+> I've bisected one of them, this report is about
+>      tests/overflow/simul_oneshot_group_overflow
+> This test creates an event group containing two sampling events, set
+> to overflow to a signal handler (which disables and then refreshes the
+> event).
+>
+> On a good kernel you get the following:
+>      Event perf::instructions with period 1000000
+>      Event perf::instructions with period 2000000
+>              fd 3 overflows: 946 (perf::instructions/1000000)
+>              fd 4 overflows: 473 (perf::instructions/2000000)
+>      Ending counts:
+>              Count 0: 946379875
+>              Count 1: 946365218
+>
+> With the broken kernels you get:
+>      Event perf::instructions with period 1000000
+>      Event perf::instructions with period 2000000
+>              fd 3 overflows: 938 (perf::instructions/1000000)
+>              fd 4 overflows: 318 (perf::instructions/2000000)
+>      Ending counts:
+>              Count 0: 946373080
+>              Count 1: 653373058
+
+The root cause of the bug is that the following commit:
+
+  487f05e18a ("perf/core: Optimize event rescheduling on active contexts")
+
+erronously assumed that event's 'pinned' setting determines whether the
+event belongs to a pinned group or not, but in fact, it's the group
+leader's pinned state that matters.
+
+This was discovered by Vince in the test case described above, where two instruction
+counters are grouped, the group leader is pinned, but the other event is not;
+in the regressed case the counters were off by 33% (the difference between events'
+periods), but should be the same within the error margin.
+
+Fix the problem by looking at the group leader's pinning.
+
+Reported-by: Vince Weaver <vincent.weaver@maine.edu>
+Tested-by: Vince Weaver <vincent.weaver@maine.edu>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 487f05e18a ("perf/core: Optimize event rescheduling on active contexts")
+Link: http://lkml.kernel.org/r/87lgnmvw7h.fsf@ashishki-desk.ger.corp.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/core.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -1456,6 +1456,13 @@ static enum event_type_t get_event_type(
+       lockdep_assert_held(&ctx->lock);
++      /*
++       * It's 'group type', really, because if our group leader is
++       * pinned, so are we.
++       */
++      if (event->group_leader != event)
++              event = event->group_leader;
++
+       event_type = event->attr.pinned ? EVENT_PINNED : EVENT_FLEXIBLE;
+       if (!ctx->task)
+               event_type |= EVENT_CPU;
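Review bot: The `if (event->group_leader != event)` guard in the new block is redundant if, as elsewhere in perf core, a leader's `group_leader` points at itself: an unconditional `event = event->group_leader;` has the same effect and reads as exactly the rule the comment states. Reassigning the `event` parameter is fine here since only `attr.pinned` is read from it afterwards within the hunk, but a note in the comment that the rest of `get_event_type()` intentionally sees the leader would prevent a later reader from adding a use that expects the original event. The function starts outside the hunk.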
diff --git a/queue-4.12/pnfs-fix-eaccess-on-commit-to-ds-handling.patch b/queue-4.12/pnfs-fix-eaccess-on-commit-to-ds-handling.patch
new file mode 100644 (file)
index 0000000..b1349f3
--- /dev/null
@@ -0,0 +1,47 @@
+From a0bc01e0f1fa39702b5244b3bac699bea0d4f413 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <kolga@netapp.com>
+Date: Fri, 23 Jun 2017 10:26:58 -0400
+Subject: PNFS fix EACCESS on commit to DS handling
+
+From: Olga Kornievskaia <kolga@netapp.com>
+
+commit a0bc01e0f1fa39702b5244b3bac699bea0d4f413 upstream.
+
+Commit fabbbee0eb0f "PNFS fix fallback to MDS if got error on
+commit to DS" moved the pnfs_set_lo_fail() to unhandled errors
+which was not correct and lead to a kernel oops on umount.
+
+Instead, fix the original EACCESS on commit to DS error by
+getting the new layout and re-doing the IO.
+
+Fixes: fabbbee0eb0f ("PNFS fix fallback to MDS if got error on commit to DS")
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/filelayout/filelayout.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/filelayout/filelayout.c
++++ b/fs/nfs/filelayout/filelayout.c
+@@ -172,6 +172,7 @@ static int filelayout_async_handle_error
+       case -NFS4ERR_RETRY_UNCACHED_REP:
+               break;
+       /* Invalidate Layout errors */
++      case -NFS4ERR_ACCESS:
+       case -NFS4ERR_PNFS_NO_LAYOUT:
+       case -ESTALE:           /* mapped NFS4ERR_STALE */
+       case -EBADHANDLE:       /* mapped NFS4ERR_BADHANDLE */
+@@ -202,10 +203,10 @@ static int filelayout_async_handle_error
+                       task->tk_status);
+               nfs4_mark_deviceid_unavailable(devid);
+               pnfs_error_mark_layout_for_return(inode, lseg);
++              pnfs_set_lo_fail(lseg);
+               rpc_wake_up(&tbl->slot_tbl_waitq);
+               /* fall through */
+       default:
+-              pnfs_set_lo_fail(lseg);
+ reset:
+               dprintk("%s Retry through MDS. Error %d\n", __func__,
+                       task->tk_status);
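Review bot: The new `case -NFS4ERR_ACCESS:` is filed under `/* Invalidate Layout errors */` with no hint why an access error on commit to the DS should invalidate the layout rather than fall through to the generic MDS retry; a trailing comment, e.g. `case -NFS4ERR_ACCESS: /* commit to DS refused: fetch a new layout and redo the I/O */`, would carry the commit message's reasoning into the code. Moving `pnfs_set_lo_fail(lseg)` out of `default:` and into the device-unavailable arm means the `/* fall through */` below it now only reaches the `reset:` retry path, which matches the oops the commit describes but is worth stating at the label. `filelayout_async_handle_error()` starts outside the hunk.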
diff --git a/queue-4.12/rdma-core-initialize-port_num-in-qp_attr.patch b/queue-4.12/rdma-core-initialize-port_num-in-qp_attr.patch
new file mode 100644 (file)
index 0000000..e559777
--- /dev/null
@@ -0,0 +1,33 @@
+From a62ab66b13a0f9bcb17b7b761f6670941ed5cd62 Mon Sep 17 00:00:00 2001
+From: "Ismail, Mustafa" <mustafa.ismail@intel.com>
+Date: Fri, 14 Jul 2017 09:41:31 -0500
+Subject: RDMA/core: Initialize port_num in qp_attr
+
+From: Ismail, Mustafa <mustafa.ismail@intel.com>
+
+commit a62ab66b13a0f9bcb17b7b761f6670941ed5cd62 upstream.
+
+Initialize the port_num for iWARP in rdma_init_qp_attr.
+
+Fixes: 5ecce4c9b17b("Check port number supplied by user verbs cmds")
+Reviewed-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Tested-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/cma.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -1044,6 +1044,8 @@ int rdma_init_qp_attr(struct rdma_cm_id
+               } else
+                       ret = iw_cm_init_qp_attr(id_priv->cm_id.iw, qp_attr,
+                                                qp_attr_mask);
++              qp_attr->port_num = id_priv->id.port_num;
++              *qp_attr_mask |= IB_QP_PORT;
+       } else
+               ret = -ENOSYS;
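Review bot: The two added lines at the end of the iWARP branch run even when iw_cm_init_qp_attr() has just returned an error, so on failure the caller's qp_attr and mask are still partially filled in. That is harmless if every caller discards them on a non-zero return, but guarding makes the intent explicit: `if (!ret) { qp_attr->port_num = id_priv->id.port_num; *qp_attr_mask |= IB_QP_PORT; }`. Setting IB_QP_PORT here is presumably what makes the port get validated by the companion uverbs check, so id_priv->id.port_num must already be a bound, valid port at this point — likely guaranteed by the rdma_cap_iw_cm() test that selects this branch, which is outside the hunk. rdma_init_qp_attr() starts and ends outside the hunk.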
diff --git a/queue-4.12/rdma-uverbs-fix-the-check-for-port-number.patch b/queue-4.12/rdma-uverbs-fix-the-check-for-port-number.patch
new file mode 100644 (file)
index 0000000..6f37049
--- /dev/null
@@ -0,0 +1,36 @@
+From 5a7a88f1b488e4ee49eb3d5b82612d4d9ffdf2c3 Mon Sep 17 00:00:00 2001
+From: "Ismail, Mustafa" <mustafa.ismail@intel.com>
+Date: Fri, 14 Jul 2017 09:41:30 -0500
+Subject: RDMA/uverbs: Fix the check for port number
+
+From: Ismail, Mustafa <mustafa.ismail@intel.com>
+
+commit 5a7a88f1b488e4ee49eb3d5b82612d4d9ffdf2c3 upstream.
+
+The port number is only valid if IB_QP_PORT is set in the mask.
+So only check port number if it is valid to prevent modify_qp from
+failing due to an invalid port number.
+
+Fixes: 5ecce4c9b17b("Check port number supplied by user verbs cmds")
+Reviewed-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Tested-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/uverbs_cmd.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -1931,7 +1931,8 @@ static int modify_qp(struct ib_uverbs_fi
+               goto out;
+       }
+-      if (!rdma_is_port_valid(qp->device, cmd->base.port_num)) {
++      if ((cmd->base.attr_mask & IB_QP_PORT) &&
++          !rdma_is_port_valid(qp->device, cmd->base.port_num)) {
+               ret = -EINVAL;
+               goto release_qp;
+       }
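Review bot: The new condition only skips the validation; cmd->base.port_num is not otherwise sanitised in the visible code, so an out-of-range, user-chosen port value can now reach the driver's modify_qp whenever IB_QP_PORT is clear. That is safe only if every driver indexes by attr->port_num solely under IB_QP_PORT, which is worth stating above the check: `/* port_num is user-supplied; it is only meaningful (and validated) when IB_QP_PORT is set */`. Whether alt_port_num (under IB_QP_ALT_PATH) and the AH port fields receive an equivalent range check on this path cannot be seen from the hunk and should be confirmed, since the hardening commit this fixes was about exactly such user-supplied indices. modify_qp() starts and ends outside the hunk.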
diff --git a/queue-4.12/revert-acpi-ec-enable-event-freeze-mode...-to-fix-a-regression.patch b/queue-4.12/revert-acpi-ec-enable-event-freeze-mode...-to-fix-a-regression.patch
new file mode 100644 (file)
index 0000000..e3fb4a8
--- /dev/null
@@ -0,0 +1,40 @@
+From 9c40f956ce9b331493347d1b3cb7e384f7dc0581 Mon Sep 17 00:00:00 2001
+From: Lv Zheng <lv.zheng@intel.com>
+Date: Wed, 12 Jul 2017 11:09:17 +0800
+Subject: Revert "ACPI / EC: Enable event freeze mode..." to fix a regression
+
+From: Lv Zheng <lv.zheng@intel.com>
+
+commit 9c40f956ce9b331493347d1b3cb7e384f7dc0581 upstream.
+
+On Lenovo ThinkPad X1 Carbon - the 5th Generation, enabling an earlier
+EC event freezing timing causes acpitz-virtual-0 to report a stuck
+48C temparature.  And with EC firmware revisioned as 1.14, without
+reverting back to old EC event freezing timing, the fan still blows
+up after a system resume.
+
+This reverts the culprit change so that the regression can be fixed
+without upgrading the EC firmware.
+
+Fixes: d30283057ecd (ACPI / EC: Enable event freeze mode to improve event handling)
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=191181#c168
+Tested-by: Damjan Georgievski <gdamjan@gmail.com>
+Signed-off-by: Lv Zheng <lv.zheng@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/ec.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -147,7 +147,7 @@ static unsigned int ec_storm_threshold
+ module_param(ec_storm_threshold, uint, 0644);
+ MODULE_PARM_DESC(ec_storm_threshold, "Maxim false GPE numbers not considered as GPE storm");
+-static bool ec_freeze_events __read_mostly = true;
++static bool ec_freeze_events __read_mostly = false;
+ module_param(ec_freeze_events, bool, 0644);
+ MODULE_PARM_DESC(ec_freeze_events, "Disabling event handling during suspend/resume");
diff --git a/queue-4.12/revert-perf-core-drop-kernel-samples-even-though-u-is-specified.patch b/queue-4.12/revert-perf-core-drop-kernel-samples-even-though-u-is-specified.patch
new file mode 100644 (file)
index 0000000..80ad094
--- /dev/null
@@ -0,0 +1,75 @@
+From 6a8a75f3235724c5941a33e287b2f98966ad14c5 Mon Sep 17 00:00:00 2001
+From: Ingo Molnar <mingo@kernel.org>
+Date: Tue, 11 Jul 2017 10:56:54 +0200
+Subject: Revert "perf/core: Drop kernel samples even though :u is specified"
+
+From: Ingo Molnar <mingo@kernel.org>
+
+commit 6a8a75f3235724c5941a33e287b2f98966ad14c5 upstream.
+
+This reverts commit cc1582c231ea041fbc68861dfaf957eaf902b829.
+
+This commit introduced a regression that broke rr-project, which uses sampling
+events to receive a signal on overflow (but does not care about the contents
+of the sample). These signals are critical to the correct operation of rr.
+
+There's been some back and forth about how to fix it - but to not keep
+applications in limbo queue up a revert.
+
+Reported-by: Kyle Huey <me@kylehuey.com>
+Acked-by: Kyle Huey <me@kylehuey.com>
+Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Jin Yao <yao.jin@linux.intel.com>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Link: http://lkml.kernel.org/r/20170628105600.GC5981@leverpostej
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/core.c |   21 ---------------------
+ 1 file changed, 21 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -7323,21 +7323,6 @@ int perf_event_account_interrupt(struct
+       return __perf_event_account_interrupt(event, 1);
+ }
+-static bool sample_is_allowed(struct perf_event *event, struct pt_regs *regs)
+-{
+-      /*
+-       * Due to interrupt latency (AKA "skid"), we may enter the
+-       * kernel before taking an overflow, even if the PMU is only
+-       * counting user events.
+-       * To avoid leaking information to userspace, we must always
+-       * reject kernel samples when exclude_kernel is set.
+-       */
+-      if (event->attr.exclude_kernel && !user_mode(regs))
+-              return false;
+-
+-      return true;
+-}
+-
+ /*
+  * Generic event overflow handling, sampling.
+  */
+@@ -7359,12 +7344,6 @@ static int __perf_event_overflow(struct
+       ret = __perf_event_account_interrupt(event, throttle);
+       /*
+-       * For security, drop the skid kernel samples if necessary.
+-       */
+-      if (!sample_is_allowed(event, regs))
+-              return ret;
+-
+-      /*
+        * XXX event_limit might not quite work as expected on inherited
+        * events
+        */
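Review bot: Reverting removes the only guard that dropped kernel-mode samples from events with exclude_kernel set, so the information leak the deleted comment describes — a skidded overflow landing in the kernel and delivering kernel IP and registers to a user who asked for :u — is reachable again on 4.12 once this is applied. The message acknowledges the replacement fix is still unsettled; until it lands the practical control is the perf_event_paranoid sysctl, and that is worth calling out for users who rely on :u events being user-only. A narrower option that would keep rr working without reopening the leak is to suppress only the sample payload for a kernel-mode sample while still accounting the overflow and waking the consumer, rather than returning before both; whether that matches what upstream eventually does should be checked before adding it to a stable tree. __perf_event_overflow() continues outside the hunk.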
index cbc429b42c6f7194e45656c8392c3cc9e86ec462..50164269bde4f51d9d1a40146da8abdb877ff6e1 100644 (file)
@@ -109,3 +109,66 @@ f2fs-use-spin_-un-lock_irq-save-restore.patch
 f2fs-don-t-clear-sgid-when-inheriting-acls.patch
 serial-st-asc-potential-error-pointer-dereference.patch
 serial-sh-sci-uninitialized-variables-in-sysfs-files.patch
+ovl-mark-parent-impure-on-ovl_link.patch
+ovl-fix-random-return-value-on-mount.patch
+drm-amd-powerplay-fix-memory-leak-in-cz_hwmgr-backend.patch
+drm-i915-disable-msi-for-all-pre-gen5.patch
+vfio-fix-group-release-deadlock.patch
+vfio-new-external-user-group-file-match.patch
+vfio-remove-unnecessary-uses-of-vfio_container.group_lock.patch
+nvme-rdma-remove-race-conditions-from-ib-signalling.patch
+ftrace-fix-uninitialized-variable-in-match_records.patch
+iommu-arm-smmu-plumb-in-new-acpi-identifiers.patch
+drm-i915-gvt-fix-possible-recursive-locking-issue.patch
+drm-i915-gvt-fix-inconsistent-locks-holding-sequence.patch
+drm-atomic-add-missing-drm_atomic_state_clear-to-atomic_remove_fb.patch
+mips-fix-mips_atomic_set-retry-condition.patch
+mips-fix-mips_atomic_set-with-eva.patch
+mips-negate-error-syscall-return-in-trace.patch
+mtd-nand-tango-fix-incorrect-use-of-seqin-command.patch
+ubifs-correctly-evict-xattr-inodes.patch
+ubifs-don-t-leak-kernel-memory-to-the-mtd.patch
+ubifs-don-t-encrypt-special-files-on-creation.patch
+ubifs-set-double-hash-cookie-also-for-rename_exchange.patch
+acpi-ec-drop-ec-noirq-hooks-to-fix-a-regression.patch
+revert-acpi-ec-enable-event-freeze-mode...-to-fix-a-regression.patch
+x86-acpi-prevent-out-of-bound-access-caused-by-broken-acpi-tables.patch
+x86-ioapic-pass-the-correct-data-to-unmask_ioapic_irq.patch
+mips-fix-mips-i-isa-proc-cpuinfo-reporting.patch
+mips-save-static-registers-before-sysmips.patch
+mips-actually-decode-jalx-in-__compute_return_epc_for_insn.patch
+mips-fix-unaligned-pc-interpretation-in-compute_return_epc.patch
+mips-math-emu-prevent-wrong-isa-mode-instruction-emulation.patch
+mips-send-sigill-for-bposge32-in-__compute_return_epc_for_insn.patch
+mips-rename-sigill_r6-to-sigill_r2r6-in-__compute_return_epc_for_insn.patch
+mips-send-sigill-for-linked-branches-in-__compute_return_epc_for_insn.patch
+mips-send-sigill-for-r6-branches-in-__compute_return_epc_for_insn.patch
+mips-fix-a-typo-s-preset-present-in-r2-to-r6-emulation-error-message.patch
+input-i8042-fix-crash-at-boot-time.patch
+ib-iser-fix-connection-teardown-race-condition.patch
+ib-core-namespace-is-mandatory-input-for-address-resolution.patch
+sunrpc-use-constant-time-memory-comparison-for-mac.patch
+net-sunrpc-xprt_sock-fix-regression-in-connection-error-reporting.patch
+nfs-fix-initialization-of-nfs_page_array-npages.patch
+pnfs-fix-eaccess-on-commit-to-ds-handling.patch
+nfs-only-invalidate-dentrys-that-are-clearly-invalid.patch
+udf-fix-races-with-i_size-changes-during-readpage.patch
+udf-fix-deadlock-between-writeback-and-udf_setsize.patch
+target-fix-compare_and_write-caw_sem-leak-during-se_cmd-quiesce.patch
+iser-target-avoid-isert_conn-cm_id-dereference-in-isert_login_recv_done.patch
+perf-annotate-fix-broken-arrow-at-row-0-connecting-jmp-instruction-to-its-target.patch
+perf-core-fix-scheduling-regression-of-pinned-groups.patch
+revert-perf-core-drop-kernel-samples-even-though-u-is-specified.patch
+staging-rtl8188eu-add-tl-wn722n-v2-support.patch
+staging-comedi-ni_mio_common-fix-ao-timer-off-by-one-regression.patch
+staging-sm750fb-avoid-conflicting-vesafb.patch
+staging-lustre-ko2iblnd-check-copy_from_iter-copy_to_iter-return-code.patch
+ceph-fix-race-in-concurrent-readdir.patch
+rdma-uverbs-fix-the-check-for-port-number.patch
+rdma-core-initialize-port_num-in-qp_attr.patch
+drm-mst-fix-error-handling-during-mst-sideband-message-reception.patch
+drm-mst-avoid-dereferencing-a-null-mstb-in-drm_dp_mst_handle_up_req.patch
+drm-mst-avoid-processing-partially-received-up-down-message-transactions.patch
+drm-i915-make-dp-mst-connector-info-work.patch
+mlx5-avoid-that-mlx5_ib_sg_to_klms-overflows-the-klms-array.patch
+hfsplus-don-t-clear-sgid-when-inheriting-acls.patch
diff --git a/queue-4.12/staging-comedi-ni_mio_common-fix-ao-timer-off-by-one-regression.patch b/queue-4.12/staging-comedi-ni_mio_common-fix-ao-timer-off-by-one-regression.patch
new file mode 100644 (file)
index 0000000..fa5873b
--- /dev/null
@@ -0,0 +1,56 @@
+From 15d5193104a457d5151840247e3bce561c42e3e9 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Fri, 30 Jun 2017 12:02:18 +0100
+Subject: staging: comedi: ni_mio_common: fix AO timer off-by-one regression
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 15d5193104a457d5151840247e3bce561c42e3e9 upstream.
+
+As reported by Éric Piel on the Comedi mailing list (see
+<https://groups.google.com/forum/#!topic/comedi_list/ueZiR7vTLOU/discussion>),
+the analog output asynchronous commands are running too fast with a
+period 50 ns shorter than it should be.  This affects all boards with AO
+command support that are supported by the "ni_pcimio", "ni_atmio", and
+"ni_mio_cs" drivers.
+
+This is a regression bug introduced by commit 080e6795cba3 ("staging:
+comedi: ni_mio_common: Cleans up/clarifies ni_ao_cmd"), specifically,
+this line in `ni_ao_cmd_set_update()`:
+
+               /* following line: N-1 per STC */
+               ni_stc_writel(dev, trigvar - 1, NISTC_AO_UI_LOADA_REG);
+
+The `trigvar` variable value comes from a call to `ni_ns_to_timer()`
+which converts a timer period in nanoseconds to a hardware divisor
+value. The function already reduces the divisor by 1 as required by the
+hardware, so the above line should not reduce it further by 1.  Fix it
+by replacing `trigvar` by `trigvar - 1` in the above line, and remove
+the misleading comment.
+
+Reported-by: Éric Piel <piel@delmic.com>
+Fixes: 080e6795cba3 ("staging: comedi: ni_mio_common: Cleans up/clarifies ni_ao_cmd")
+Cc: Éric Piel <piel@delmic.com>
+Cc: Spencer E. Olson <olsonse@umich.edu>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/drivers/ni_mio_common.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/ni_mio_common.c
++++ b/drivers/staging/comedi/drivers/ni_mio_common.c
+@@ -3116,8 +3116,7 @@ static void ni_ao_cmd_set_update(struct
+               /* following line: 2-1 per STC */
+               ni_stc_writel(dev, 1, NISTC_AO_UI_LOADA_REG);
+               ni_stc_writew(dev, NISTC_AO_CMD1_UI_LOAD, NISTC_AO_CMD1_REG);
+-              /* following line: N-1 per STC */
+-              ni_stc_writel(dev, trigvar - 1, NISTC_AO_UI_LOADA_REG);
++              ni_stc_writel(dev, trigvar, NISTC_AO_UI_LOADA_REG);
+       } else { /* TRIG_EXT */
+               /* FIXME:  assert scan_begin_arg != 0, ret failure otherwise */
+               devpriv->ao_cmd2  |= NISTC_AO_CMD2_BC_GATE_ENA;
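Review bot: The description's explanation is inverted relative to the hunk: it says the fix replaces `trigvar` by `trigvar - 1`, while the code replaces `ni_stc_writel(dev, trigvar - 1, NISTC_AO_UI_LOADA_REG);` with `ni_stc_writel(dev, trigvar, NISTC_AO_UI_LOADA_REG);`. The code is the intended change (ni_ns_to_timer() already subtracts one, per the message), so only the wording needs correcting in the stable copy. Because the off-by-one hinges on that conversion, a short comment on the kept line, `/* trigvar from ni_ns_to_timer() is already N-1 */`, would stop a future cleanup from reintroducing the extra subtraction; the retained `2-1 per STC` comment on the first write is still accurate. ni_ao_cmd_set_update() starts and ends outside the hunk.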
diff --git a/queue-4.12/staging-lustre-ko2iblnd-check-copy_from_iter-copy_to_iter-return-code.patch b/queue-4.12/staging-lustre-ko2iblnd-check-copy_from_iter-copy_to_iter-return-code.patch
new file mode 100644 (file)
index 0000000..c201b55
--- /dev/null
@@ -0,0 +1,65 @@
+From 566e1ce22e04426fa52328b2adcdf1df49acd98e Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Sat, 15 Jul 2017 11:32:08 -0400
+Subject: staging: lustre: ko2iblnd: check copy_from_iter/copy_to_iter return code
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 566e1ce22e04426fa52328b2adcdf1df49acd98e upstream.
+
+We now get a helpful warning for code that calls copy_{from,to}_iter
+without checking the return value, introduced by commit aa28de275a24
+("iov_iter/hardening: move object size checks to inlined part").
+
+drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c: In function 'kiblnd_send':
+drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c:1643:2: error: ignoring return value of 'copy_from_iter', declared with attribute warn_unused_result [-Werror=unused-result]
+drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c: In function 'kiblnd_recv':
+drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c:1744:3: error: ignoring return value of 'copy_to_iter', declared with attribute warn_unused_result [-Werror=unused-result]
+
+In case we get short copies here, we may get incorrect behavior.
+I've added failure handling for both rx and tx now, returning
+-EFAULT as expected.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: James Simmons <jsimmons@infradead.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c |   19 +++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c
++++ b/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c
+@@ -1640,8 +1640,13 @@ kiblnd_send(struct lnet_ni *ni, void *pr
+       ibmsg = tx->tx_msg;
+       ibmsg->ibm_u.immediate.ibim_hdr = *hdr;
+-      copy_from_iter(&ibmsg->ibm_u.immediate.ibim_payload, IBLND_MSG_SIZE,
+-                     &from);
++      rc = copy_from_iter(&ibmsg->ibm_u.immediate.ibim_payload, payload_nob,
++                          &from);
++      if (rc != payload_nob) {
++              kiblnd_pool_free_node(&tx->tx_pool->tpo_pool, &tx->tx_list);
++              return -EFAULT;
++      }
++
+       nob = offsetof(struct kib_immediate_msg, ibim_payload[payload_nob]);
+       kiblnd_init_tx_msg(ni, tx, IBLND_MSG_IMMEDIATE, nob);
+@@ -1741,8 +1746,14 @@ kiblnd_recv(struct lnet_ni *ni, void *pr
+                       break;
+               }
+-              copy_to_iter(&rxmsg->ibm_u.immediate.ibim_payload,
+-                           IBLND_MSG_SIZE, to);
++              rc = copy_to_iter(&rxmsg->ibm_u.immediate.ibim_payload, rlen,
++                                to);
++              if (rc != rlen) {
++                      rc = -EFAULT;
++                      break;
++              }
++
++              rc = 0;
+               lnet_finalize(ni, lntmsg, 0);
+               break;
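Review bot: Beyond adding the return-value checks, the kiblnd_send() hunk also changes the copy length from IBLND_MSG_SIZE to payload_nob (and kiblnd_recv() from IBLND_MSG_SIZE to rlen), which the commit message does not mention; this is what makes the `rc != payload_nob` comparison meaningful and it stops copying a fixed-size block regardless of the actual payload, so it deserves a sentence in the changelog. The new send failure path releases the tx with kiblnd_pool_free_node() directly; if the file's other tx error paths go through a teardown helper such as kiblnd_tx_done(), that is preferable for consistency, and it should be confirmed that nothing set up by kiblnd_get_idle_tx() is left dangling here. On the receive side the -EFAULT path skips lnet_finalize() in the same way as the existing -EPROTO path, so the caller is presumably responsible for finalizing on a non-zero return — worth confirming. Both functions start and end outside the hunks.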
diff --git a/queue-4.12/staging-rtl8188eu-add-tl-wn722n-v2-support.patch b/queue-4.12/staging-rtl8188eu-add-tl-wn722n-v2-support.patch
new file mode 100644 (file)
index 0000000..935e9d7
--- /dev/null
@@ -0,0 +1,29 @@
+From 5a1d4c5dd4eb2f1f8a9b30e61762f3b3b564df70 Mon Sep 17 00:00:00 2001
+From: Michael Gugino <michael.gugino.2@gmail.com>
+Date: Mon, 17 Jul 2017 13:29:09 -0400
+Subject: staging: rtl8188eu: add TL-WN722N v2 support
+
+From: Michael Gugino <michael.gugino.2@gmail.com>
+
+commit 5a1d4c5dd4eb2f1f8a9b30e61762f3b3b564df70 upstream.
+
+Add support for USB Device TP-Link TL-WN722N v2.
+VendorID: 0x2357, ProductID: 0x010c
+
+Signed-off-by: Michael Gugino <michael.gugino.2@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8188eu/os_dep/usb_intf.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+@@ -43,6 +43,7 @@ static struct usb_device_id rtw_usb_id_t
+       {USB_DEVICE(0x2001, 0x330F)}, /* DLink DWA-125 REV D1 */
+       {USB_DEVICE(0x2001, 0x3310)}, /* Dlink DWA-123 REV D1 */
+       {USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */
++      {USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */
+       {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */
+       {}      /* Terminating entry */
+ };
diff --git a/queue-4.12/staging-sm750fb-avoid-conflicting-vesafb.patch b/queue-4.12/staging-sm750fb-avoid-conflicting-vesafb.patch
new file mode 100644 (file)
index 0000000..5fb0833
--- /dev/null
@@ -0,0 +1,75 @@
+From 740c433ec35187b45abe08bb6c45a321a791be8e Mon Sep 17 00:00:00 2001
+From: Teddy Wang <teddy.wang@siliconmotion.com>
+Date: Fri, 30 Jun 2017 21:57:43 +0100
+Subject: staging: sm750fb: avoid conflicting vesafb
+
+From: Teddy Wang <teddy.wang@siliconmotion.com>
+
+commit 740c433ec35187b45abe08bb6c45a321a791be8e upstream.
+
+If vesafb is enabled in the config then /dev/fb0 is created by vesa
+and this sm750 driver gets fb1, fb2. But we need to be fb0 and fb1 to
+effectively work with xorg.
+So if it has been alloted fb1, then try to remove the other fb0.
+
+In the previous send, why #ifdef is used was asked.
+https://lkml.org/lkml/2017/6/25/57
+
+Answered at: https://lkml.org/lkml/2017/6/25/69
+Also pasting here for reference.
+
+'Did a quick research into "why".
+The patch d8801e4df91e ("x86/PCI: Set IORESOURCE_ROM_SHADOW only for the
+default VGA device") has started setting IORESOURCE_ROM_SHADOW in flags
+for a default VGA device and that is being done only for x86.
+And so, we will need that #ifdef to check IORESOURCE_ROM_SHADOW as that
+needs to be checked only for a x86 and not for other arch.'
+
+Signed-off-by: Teddy Wang <teddy.wang@siliconmotion.com>
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/sm750fb/sm750.c |   24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/drivers/staging/sm750fb/sm750.c
++++ b/drivers/staging/sm750fb/sm750.c
+@@ -1053,6 +1053,26 @@ release_fb:
+       return err;
+ }
++static int lynxfb_kick_out_firmware_fb(struct pci_dev *pdev)
++{
++      struct apertures_struct *ap;
++      bool primary = false;
++
++      ap = alloc_apertures(1);
++      if (!ap)
++              return -ENOMEM;
++
++      ap->ranges[0].base = pci_resource_start(pdev, 0);
++      ap->ranges[0].size = pci_resource_len(pdev, 0);
++#ifdef CONFIG_X86
++      primary = pdev->resource[PCI_ROM_RESOURCE].flags &
++                                      IORESOURCE_ROM_SHADOW;
++#endif
++      remove_conflicting_framebuffers(ap, "sm750_fb1", primary);
++      kfree(ap);
++      return 0;
++}
++
+ static int lynxfb_pci_probe(struct pci_dev *pdev,
+                           const struct pci_device_id *ent)
+ {
+@@ -1061,6 +1081,10 @@ static int lynxfb_pci_probe(struct pci_d
+       int fbidx;
+       int err;
++      err = lynxfb_kick_out_firmware_fb(pdev);
++      if (err)
++              return err;
++
+       /* enable device */
+       err = pcim_enable_device(pdev);
+       if (err)
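Review bot: lynxfb_kick_out_firmware_fb() is now called before pcim_enable_device(), so if enabling or any later probe step fails the firmware framebuffer has already been removed and the console is gone with no replacement; calling it after the device is enabled, or at least after the steps that can reject the device, avoids that. The helper also ignores the return value of remove_conflicting_framebuffers() and always returns 0 after kfree(), so the `if (err) return err;` in probe only ever catches -ENOMEM — if that function can fail in this tree, propagate it: `ret = remove_conflicting_framebuffers(ap, "sm750_fb1", primary); kfree(ap); return ret;`. The `primary` flag is derived from IORESOURCE_ROM_SHADOW only on x86, so on other architectures it is always false, which is worth a comment at the `#ifdef`. lynxfb_pci_probe() continues outside the hunk.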
diff --git a/queue-4.12/sunrpc-use-constant-time-memory-comparison-for-mac.patch b/queue-4.12/sunrpc-use-constant-time-memory-comparison-for-mac.patch
new file mode 100644 (file)
index 0000000..193a516
--- /dev/null
@@ -0,0 +1,43 @@
+From 15a8b93fd5690de017ce665382ea45e5d61811a4 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sat, 10 Jun 2017 04:59:07 +0200
+Subject: sunrpc: use constant time memory comparison for mac
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+commit 15a8b93fd5690de017ce665382ea45e5d61811a4 upstream.
+
+Otherwise, we enable a MAC forgery via timing attack.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Cc: "J. Bruce Fields" <bfields@fieldses.org>
+Cc: Jeff Layton <jlayton@poochiereds.net>
+Cc: Trond Myklebust <trond.myklebust@primarydata.com>
+Cc: Anna Schumaker <anna.schumaker@netapp.com>
+Cc: linux-nfs@vger.kernel.org
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/auth_gss/gss_krb5_crypto.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sunrpc/auth_gss/gss_krb5_crypto.c
++++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
+@@ -34,6 +34,7 @@
+  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+  */
++#include <crypto/algapi.h>
+ #include <crypto/hash.h>
+ #include <crypto/skcipher.h>
+ #include <linux/err.h>
+@@ -927,7 +928,7 @@ gss_krb5_aes_decrypt(struct krb5_ctx *kc
+       if (ret)
+               goto out_err;
+-      if (memcmp(pkt_hmac, our_hmac, kctx->gk5e->cksumlength) != 0) {
++      if (crypto_memneq(pkt_hmac, our_hmac, kctx->gk5e->cksumlength) != 0) {
+               ret = GSS_S_BAD_SIG;
+               goto out_err;
+       }
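Review bot: The constant-time comparison is applied to the HMAC check in gss_krb5_aes_decrypt() only; any other place in the auth_gss code that compares a received checksum or MIC with memcmp() (the unseal/unwrap paths are the obvious candidates to audit) has the same timing-oracle shape and should be converted in the same backport, since a forgery oracle on one path is no better than on another. The `!= 0` on crypto_memneq() is redundant but harmless; `if (crypto_memneq(pkt_hmac, our_hmac, kctx->gk5e->cksumlength)) {` reads the same. crypto/algapi.h is the correct header for crypto_memneq(). gss_krb5_aes_decrypt() starts and ends outside the hunk.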
diff --git a/queue-4.12/target-fix-compare_and_write-caw_sem-leak-during-se_cmd-quiesce.patch b/queue-4.12/target-fix-compare_and_write-caw_sem-leak-during-se_cmd-quiesce.patch
new file mode 100644 (file)
index 0000000..6f0270a
--- /dev/null
@@ -0,0 +1,51 @@
+From 1d6ef276594a781686058802996e09c8550fd767 Mon Sep 17 00:00:00 2001
+From: Jiang Yi <jiangyilism@gmail.com>
+Date: Sun, 25 Jun 2017 12:28:50 -0700
+Subject: target: Fix COMPARE_AND_WRITE caw_sem leak during se_cmd quiesce
+
+From: Jiang Yi <jiangyilism@gmail.com>
+
+commit 1d6ef276594a781686058802996e09c8550fd767 upstream.
+
+This patch addresses a COMPARE_AND_WRITE se_device->caw_sem leak,
+that would be triggered during normal se_cmd shutdown or abort
+via __transport_wait_for_tasks().
+
+This would occur because target_complete_cmd() would catch this
+early and do complete_all(&cmd->t_transport_stop_comp), but since
+target_complete_ok_work() or target_complete_failure_work() are
+never called to invoke se_cmd->transport_complete_callback(),
+the COMPARE_AND_WRITE specific callbacks never release caw_sem.
+
+To address this special case, go ahead and release caw_sem
+directly from target_complete_cmd().
+
+(Remove '&& success' from check, to release caw_sem regardless
+ of scsi_status - nab)
+
+Signed-off-by: Jiang Yi <jiangyilism@gmail.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_transport.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -730,6 +730,15 @@ void target_complete_cmd(struct se_cmd *
+       if (cmd->transport_state & CMD_T_ABORTED ||
+           cmd->transport_state & CMD_T_STOP) {
+               spin_unlock_irqrestore(&cmd->t_state_lock, flags);
++              /*
++               * If COMPARE_AND_WRITE was stopped by __transport_wait_for_tasks(),
++               * release se_device->caw_sem obtained by sbc_compare_and_write()
++               * since target_complete_ok_work() or target_complete_failure_work()
++               * won't be called to invoke the normal CAW completion callbacks.
++               */
++              if (cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) {
++                      up(&dev->caw_sem);
++              }
+               complete_all(&cmd->t_transport_stop_comp);
+               return;
+       } else if (!success) {
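Review bot: The added up(&dev->caw_sem) assumes no other path also releases the semaphore for this same command; a plain semaphore does not detect a double up(), and if the COMPARE_AND_WRITE completion callback or the request-failure path can still run for a command that took the CMD_T_ABORTED/CMD_T_STOP branch here, caw_sem would be over-released and the per-device exclusivity for CAW silently broken. The comment should state why the callbacks cannot fire afterwards, e.g. `* The CAW callbacks are never invoked for a stopped/aborted cmd, so this is the only release of caw_sem.` — to be confirmed against the abort and failure paths. Kernel style also drops the braces around a single-statement body: `if (cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) up(&dev->caw_sem);`. `dev` is not declared in the hunk, so it must already be a local of target_complete_cmd(), which starts and ends outside the hunk.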
diff --git a/queue-4.12/ubifs-correctly-evict-xattr-inodes.patch b/queue-4.12/ubifs-correctly-evict-xattr-inodes.patch
new file mode 100644 (file)
index 0000000..8cb0c23
--- /dev/null
@@ -0,0 +1,88 @@
+From 272eda8298dc82eb411ece82bbb2c62911087b24 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Wed, 17 May 2017 00:20:27 +0200
+Subject: ubifs: Correctly evict xattr inodes
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 272eda8298dc82eb411ece82bbb2c62911087b24 upstream.
+
+UBIFS handles extended attributes just like files, as consequence of
+that, they also have inodes.
+Therefore UBIFS does all the inode machinery also for xattrs. Since new
+inodes have i_nlink of 1, a file or xattr inode will be evicted
+if i_nlink goes down to 0 after an unlink. UBIFS assumes this model also
+for xattrs, which is not correct.
+One can create a file "foo" with xattr "user.test". By reading
+"user.test" an inode will be created, and by deleting "user.test" it
+will get evicted later. The assumption breaks if the file "foo", which
+hosts the xattrs, will be removed. VFS nor UBIFS does not remove each
+xattr via ubifs_xattr_remove(), it just removes the host inode from
+the TNC and all underlying xattr nodes too and the inode will remain
+in the cache and wastes memory.
+
+To solve this problem, remove xattr inodes from the VFS inode cache in
+ubifs_xattr_remove() to make sure that they get evicted.
+
+Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system")
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/tnc.c   |    2 ++
+ fs/ubifs/ubifs.h |    1 +
+ fs/ubifs/xattr.c |   22 ++++++++++++++++++++++
+ 3 files changed, 25 insertions(+)
+
+--- a/fs/ubifs/tnc.c
++++ b/fs/ubifs/tnc.c
+@@ -2802,6 +2802,8 @@ int ubifs_tnc_remove_ino(struct ubifs_in
+               dbg_tnc("xent '%s', ino %lu", xent->name,
+                       (unsigned long)xattr_inum);
++              ubifs_evict_xattr_inode(c, xattr_inum);
++
+               fname_name(&nm) = xent->name;
+               fname_len(&nm) = le16_to_cpu(xent->nlen);
+               err = ubifs_tnc_remove_nm(c, &key1, &nm);
+--- a/fs/ubifs/ubifs.h
++++ b/fs/ubifs/ubifs.h
+@@ -1757,6 +1757,7 @@ int ubifs_xattr_set(struct inode *host,
+                   size_t size, int flags);
+ ssize_t ubifs_xattr_get(struct inode *host, const char *name, void *buf,
+                       size_t size);
++void ubifs_evict_xattr_inode(struct ubifs_info *c, ino_t xattr_inum);
+ #ifdef CONFIG_UBIFS_FS_SECURITY
+ extern int ubifs_init_security(struct inode *dentry, struct inode *inode,
+--- a/fs/ubifs/xattr.c
++++ b/fs/ubifs/xattr.c
+@@ -513,6 +513,28 @@ out_cancel:
+       return err;
+ }
++/**
++ * ubifs_evict_xattr_inode - Evict an xattr inode.
++ * @c: UBIFS file-system description object
++ * @xattr_inum: xattr inode number
++ *
++ * When an inode that hosts xattrs is being removed we have to make sure
++ * that cached inodes of the xattrs also get removed from the inode cache
++ * otherwise we'd waste memory. This function looks up an inode from the
++ * inode cache and clears the link counter such that iput() will evict
++ * the inode.
++ */
++void ubifs_evict_xattr_inode(struct ubifs_info *c, ino_t xattr_inum)
++{
++      struct inode *inode;
++
++      inode = ilookup(c->vfs_sb, xattr_inum);
++      if (inode) {
++              clear_nlink(inode);
++              iput(inode);
++      }
++}
++
+ static int ubifs_xattr_remove(struct inode *host, const char *name)
+ {
+       struct inode *inode;
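Review bot: The description says the xattr inodes are dropped from the cache in ubifs_xattr_remove(), but the only caller added is in ubifs_tnc_remove_ino() (the tnc.c hunk), so either the wording or the call site is off and a reader following the message will look in the wrong place. clear_nlink() on an inode found with ilookup() forces eviction on the final iput() even if another reference holder still has it; that looks intended because the host inode is going away, but the kernel-doc should say so, e.g. `* Callers must only use this while the host inode is being removed; the xattr inode is evicted on its last reference.`. Reaching into the VFS inode cache from TNC code is also a layering choice worth a one-line comment at the new call site. ubifs_tnc_remove_ino() and ubifs_xattr_remove() start or end outside the hunks.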
diff --git a/queue-4.12/ubifs-don-t-encrypt-special-files-on-creation.patch b/queue-4.12/ubifs-don-t-encrypt-special-files-on-creation.patch
new file mode 100644 (file)
index 0000000..a545bf5
--- /dev/null
@@ -0,0 +1,32 @@
+From f34e87f58dabc31eb69f61cf4a79e951d4176743 Mon Sep 17 00:00:00 2001
+From: David Gstir <david@sigma-star.at>
+Date: Wed, 17 May 2017 13:36:16 +0200
+Subject: ubifs: Don't encrypt special files on creation
+
+From: David Gstir <david@sigma-star.at>
+
+commit f34e87f58dabc31eb69f61cf4a79e951d4176743 upstream.
+
+When a new inode is created, we check if the containing folder has a encryption
+policy set and inherit that. This should however only be done for regular
+files, links and subdirectories. Not for sockes fifos etc.
+
+Fixes: d475a507457b ("ubifs: Add skeleton for fscrypto")
+Signed-off-by: David Gstir <david@sigma-star.at>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/dir.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -143,6 +143,7 @@ struct inode *ubifs_new_inode(struct ubi
+       case S_IFBLK:
+       case S_IFCHR:
+               inode->i_op  = &ubifs_file_inode_operations;
++              encrypted = false;
+               break;
+       default:
+               BUG();
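Review bot: The hunk clears `encrypted` only inside the case arm whose visible labels are S_IFBLK and S_IFCHR, while the message says sockets and FIFOs must be excluded too; if S_IFSOCK/S_IFIFO share this fallthrough group (the context shows only the last two labels) the fix covers them, otherwise they still inherit the parent's policy and need the same assignment. A brief comment on the new line, `/* special files carry no data to encrypt; never inherit the policy */`, would document the intent. The commit message also has typos ("a encryption", "sockes") worth fixing in the stable copy. ubifs_new_inode() starts and ends outside the hunk.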
diff --git a/queue-4.12/ubifs-don-t-leak-kernel-memory-to-the-mtd.patch b/queue-4.12/ubifs-don-t-leak-kernel-memory-to-the-mtd.patch
new file mode 100644 (file)
index 0000000..f333d5c
--- /dev/null
@@ -0,0 +1,74 @@
+From 4acadda74ff8b949c448c0282765ae747e088c87 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 16 Jun 2017 16:21:44 +0200
+Subject: ubifs: Don't leak kernel memory to the MTD
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 4acadda74ff8b949c448c0282765ae747e088c87 upstream.
+
+When UBIFS prepares data structures which will be written to the MTD it
+ensues that their lengths are multiple of 8. Since it uses kmalloc() the
+padded bytes are left uninitialized and we leak a few bytes of kernel
+memory to the MTD.
+To make sure that all bytes are initialized, let's switch to kzalloc().
+Kzalloc() is fine in this case because the buffers are not huge and in
+the IO path the performance bottleneck is anyway the MTD.
+
+Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/journal.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/fs/ubifs/journal.c
++++ b/fs/ubifs/journal.c
+@@ -574,7 +574,7 @@ int ubifs_jnl_update(struct ubifs_info *
+       /* Make sure to also account for extended attributes */
+       len += host_ui->data_len;
+-      dent = kmalloc(len, GFP_NOFS);
++      dent = kzalloc(len, GFP_NOFS);
+       if (!dent)
+               return -ENOMEM;
+@@ -967,7 +967,7 @@ int ubifs_jnl_xrename(struct ubifs_info
+       if (twoparents)
+               len += plen;
+-      dent1 = kmalloc(len, GFP_NOFS);
++      dent1 = kzalloc(len, GFP_NOFS);
+       if (!dent1)
+               return -ENOMEM;
+@@ -1117,7 +1117,7 @@ int ubifs_jnl_rename(struct ubifs_info *
+       len = aligned_dlen1 + aligned_dlen2 + ALIGN(ilen, 8) + ALIGN(plen, 8);
+       if (move)
+               len += plen;
+-      dent = kmalloc(len, GFP_NOFS);
++      dent = kzalloc(len, GFP_NOFS);
+       if (!dent)
+               return -ENOMEM;
+@@ -1500,7 +1500,7 @@ int ubifs_jnl_delete_xattr(struct ubifs_
+       hlen = host_ui->data_len + UBIFS_INO_NODE_SZ;
+       len = aligned_xlen + UBIFS_INO_NODE_SZ + ALIGN(hlen, 8);
+-      xent = kmalloc(len, GFP_NOFS);
++      xent = kzalloc(len, GFP_NOFS);
+       if (!xent)
+               return -ENOMEM;
+@@ -1607,7 +1607,7 @@ int ubifs_jnl_change_xattr(struct ubifs_
+       aligned_len1 = ALIGN(len1, 8);
+       aligned_len = aligned_len1 + ALIGN(len2, 8);
+-      ino = kmalloc(aligned_len, GFP_NOFS);
++      ino = kzalloc(aligned_len, GFP_NOFS);
+       if (!ino)
+               return -ENOMEM;
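Review bot: The five kmalloc→kzalloc conversions here (ubifs_jnl_update, ubifs_jnl_xrename, ubifs_jnl_rename, ubifs_jnl_delete_xattr, ubifs_jnl_change_xattr) cover the sites visible in this file section, but the fix is only complete if no other node buffer in journal.c is still kmalloc'd and padded with ALIGN(); that cannot be confirmed from the hunks, so a scan of journal.c for remaining kmalloc(…, GFP_NOFS) callers would close the question. Each switch makes the existing zeroing of unused fields redundant rather than wrong, so nothing further is needed at these sites. A short comment at the first site, e.g. `/* kzalloc: the ALIGN() padding is written to flash as-is, so it must not hold stale memory */`, records why zeroed allocation is required. All five enclosing functions begin and end outside their hunks.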
diff --git a/queue-4.12/ubifs-set-double-hash-cookie-also-for-rename_exchange.patch b/queue-4.12/ubifs-set-double-hash-cookie-also-for-rename_exchange.patch
new file mode 100644 (file)
index 0000000..75abb08
--- /dev/null
@@ -0,0 +1,38 @@
+From a6664433d383eeb71cbdeb9aea2c66eeea76e742 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Mon, 26 Jun 2017 13:49:04 +0200
+Subject: ubifs: Set double hash cookie also for RENAME_EXCHANGE
+
+From: Richard Weinberger <richard@nod.at>
+
+commit a6664433d383eeb71cbdeb9aea2c66eeea76e742 upstream.
+
+We developed RENAME_EXCHANGE and UBIFS_FLG_DOUBLE_HASH more or less in
+parallel and this case was forgotten. :-(
+
+Fixes: d63d61c16972 ("ubifs: Implement UBIFS_FLG_DOUBLE_HASH")
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/journal.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ubifs/journal.c
++++ b/fs/ubifs/journal.c
+@@ -984,6 +984,7 @@ int ubifs_jnl_xrename(struct ubifs_info
+       dent1->nlen = cpu_to_le16(fname_len(snd_nm));
+       memcpy(dent1->name, fname_name(snd_nm), fname_len(snd_nm));
+       dent1->name[fname_len(snd_nm)] = '\0';
++      set_dent_cookie(c, dent1);
+       zero_dent_node_unused(dent1);
+       ubifs_prep_grp_node(c, dent1, dlen1, 0);
+@@ -996,6 +997,7 @@ int ubifs_jnl_xrename(struct ubifs_info
+       dent2->nlen = cpu_to_le16(fname_len(fst_nm));
+       memcpy(dent2->name, fname_name(fst_nm), fname_len(fst_nm));
+       dent2->name[fname_len(fst_nm)] = '\0';
++      set_dent_cookie(c, dent2);
+       zero_dent_node_unused(dent2);
+       ubifs_prep_grp_node(c, dent2, dlen2, 0);
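Review bot: `set_dent_cookie(c, dent1)` is placed before `zero_dent_node_unused(dent1)` in both hunks; that order is only right if zero_dent_node_unused() leaves the cookie field alone, otherwise the cookie is cleared again before ubifs_prep_grp_node(). The rename path in ubifs_jnl_rename() presumably uses the same sequence, and matching it exactly is what to confirm here, since an inverted order would silently write a zero cookie. ubifs_jnl_xrename() starts and ends outside these hunks.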
diff --git a/queue-4.12/udf-fix-deadlock-between-writeback-and-udf_setsize.patch b/queue-4.12/udf-fix-deadlock-between-writeback-and-udf_setsize.patch
new file mode 100644 (file)
index 0000000..8aac029
--- /dev/null
@@ -0,0 +1,51 @@
+From f2e95355891153f66d4156bf3a142c6489cd78c6 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 13 Jun 2017 16:20:25 +0200
+Subject: udf: Fix deadlock between writeback and udf_setsize()
+
+From: Jan Kara <jack@suse.cz>
+
+commit f2e95355891153f66d4156bf3a142c6489cd78c6 upstream.
+
+udf_setsize() called truncate_setsize() with i_data_sem held. Thus
+truncate_pagecache() called from truncate_setsize() could lock a page
+under i_data_sem which can deadlock as page lock ranks below
+i_data_sem - e. g. writeback can hold page lock and try to acquire
+i_data_sem to map a block.
+
+Fix the problem by moving truncate_setsize() calls from under
+i_data_sem. It is safe for us to change i_size without holding
+i_data_sem as all the places that depend on i_size being stable already
+hold inode_lock.
+
+Fixes: 7e49b6f2480cb9a9e7322a91592e56a5c85361f5
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/udf/inode.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1222,8 +1222,8 @@ int udf_setsize(struct inode *inode, lof
+                       return err;
+               }
+ set_size:
+-              truncate_setsize(inode, newsize);
+               up_write(&iinfo->i_data_sem);
++              truncate_setsize(inode, newsize);
+       } else {
+               if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
+                       down_write(&iinfo->i_data_sem);
+@@ -1240,9 +1240,9 @@ set_size:
+                                         udf_get_block);
+               if (err)
+                       return err;
++              truncate_setsize(inode, newsize);
+               down_write(&iinfo->i_data_sem);
+               udf_clear_extent_cache(inode);
+-              truncate_setsize(inode, newsize);
+               udf_truncate_extents(inode);
+               up_write(&iinfo->i_data_sem);
+       }
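Review bot: Both moved `truncate_setsize(inode, newsize);` calls now run outside i_data_sem with nothing in the code saying why, and the constraint is easy to reintroduce on the next edit. A comment at the first moved call, e.g. `/* Must not hold i_data_sem: truncate_pagecache() takes page locks, which rank below it */`, would capture the lock ordering from the description. The second hunk additionally moves the call before down_write(), so udf_clear_extent_cache() and udf_truncate_extents() now run after i_size is already reduced; that is what the description intends, but the second hunk's ordering is worth a glance during backport. udf_setsize() begins and ends outside the hunks.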
diff --git a/queue-4.12/udf-fix-races-with-i_size-changes-during-readpage.patch b/queue-4.12/udf-fix-races-with-i_size-changes-during-readpage.patch
new file mode 100644 (file)
index 0000000..d3954af
--- /dev/null
@@ -0,0 +1,44 @@
+From 9795e0e8ac0d6a3ee092f1b555b284b57feef99e Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 13 Jun 2017 15:54:58 +0200
+Subject: udf: Fix races with i_size changes during readpage
+
+From: Jan Kara <jack@suse.cz>
+
+commit 9795e0e8ac0d6a3ee092f1b555b284b57feef99e upstream.
+
+__udf_adinicb_readpage() uses i_size several times. When truncate
+changes i_size while the function is running, it can observe several
+different values and thus e.g. expose uninitialized parts of page to
+userspace. Also use i_size_read() in the function since it does not hold
+inode_lock. Since i_size is guaranteed to be small, this cannot really
+cause any issues even on 32-bit archs but let's be careful.
+
+Fixes: 9c2fc0de1a6e638fe58c354a463f544f42a90a09
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/udf/file.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/udf/file.c
++++ b/fs/udf/file.c
+@@ -43,10 +43,15 @@ static void __udf_adinicb_readpage(struc
+       struct inode *inode = page->mapping->host;
+       char *kaddr;
+       struct udf_inode_info *iinfo = UDF_I(inode);
++      loff_t isize = i_size_read(inode);
++      /*
++       * We have to be careful here as truncate can change i_size under us.
++       * So just sample it once and use the same value everywhere.
++       */
+       kaddr = kmap_atomic(page);
+-      memcpy(kaddr, iinfo->i_ext.i_data + iinfo->i_lenEAttr, inode->i_size);
+-      memset(kaddr + inode->i_size, 0, PAGE_SIZE - inode->i_size);
++      memcpy(kaddr, iinfo->i_ext.i_data + iinfo->i_lenEAttr, isize);
++      memset(kaddr + isize, 0, PAGE_SIZE - isize);
+       flush_dcache_page(page);
+       SetPageUptodate(page);
+       kunmap_atomic(kaddr);
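Review bot: The new `memset(kaddr + isize, 0, PAGE_SIZE - isize);` still has no guard for `isize > PAGE_SIZE`; the description relies on in-ICB files being small, but i_size ultimately comes from on-disk metadata, and if that invariant is ever broken by a corrupted image the subtraction wraps and both the memcpy and the memset run past the page. A guard after the `i_size_read()`, e.g. `if (WARN_ON_ONCE(isize > PAGE_SIZE)) isize = PAGE_SIZE;` or, better, an early exit through whatever error path the caller already provides, would turn that into a warning instead of an out-of-bounds write. Also, the new comment sits below the `loff_t isize` declaration it explains; moving it above the declaration reads more naturally. __udf_adinicb_readpage() begins and ends outside the hunk.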
diff --git a/queue-4.12/vfio-fix-group-release-deadlock.patch b/queue-4.12/vfio-fix-group-release-deadlock.patch
new file mode 100644 (file)
index 0000000..1c454eb
--- /dev/null
@@ -0,0 +1,77 @@
+From 811642d8d8a82c0cce8dc2debfdaf23c5a144839 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Mon, 19 Jun 2017 09:10:32 -0600
+Subject: vfio: Fix group release deadlock
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit 811642d8d8a82c0cce8dc2debfdaf23c5a144839 upstream.
+
+If vfio_iommu_group_notifier() acquires a group reference and that
+reference becomes the last reference to the group, then vfio_group_put
+introduces a deadlock code path where we're trying to unregister from
+the iommu notifier chain from within a callout of that chain.  Use a
+work_struct to release this reference asynchronously.
+
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Tested-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vfio/vfio.c |   37 ++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 36 insertions(+), 1 deletion(-)
+
+--- a/drivers/vfio/vfio.c
++++ b/drivers/vfio/vfio.c
+@@ -423,6 +423,34 @@ static void vfio_group_put(struct vfio_g
+       kref_put_mutex(&group->kref, vfio_group_release, &vfio.group_lock);
+ }
++struct vfio_group_put_work {
++      struct work_struct work;
++      struct vfio_group *group;
++};
++
++static void vfio_group_put_bg(struct work_struct *work)
++{
++      struct vfio_group_put_work *do_work;
++
++      do_work = container_of(work, struct vfio_group_put_work, work);
++
++      vfio_group_put(do_work->group);
++      kfree(do_work);
++}
++
++static void vfio_group_schedule_put(struct vfio_group *group)
++{
++      struct vfio_group_put_work *do_work;
++
++      do_work = kmalloc(sizeof(*do_work), GFP_KERNEL);
++      if (WARN_ON(!do_work))
++              return;
++
++      INIT_WORK(&do_work->work, vfio_group_put_bg);
++      do_work->group = group;
++      schedule_work(&do_work->work);
++}
++
+ /* Assume group_lock or group reference is held */
+ static void vfio_group_get(struct vfio_group *group)
+ {
+@@ -762,7 +790,14 @@ static int vfio_iommu_group_notifier(str
+               break;
+       }
+-      vfio_group_put(group);
++      /*
++       * If we're the last reference to the group, the group will be
++       * released, which includes unregistering the iommu group notifier.
++       * We hold a read-lock on that notifier list, unregistering needs
++       * a write-lock... deadlock.  Release our reference asynchronously
++       * to avoid that situation.
++       */
++      vfio_group_schedule_put(group);
+       return NOTIFY_OK;
+ }
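Review bot: In `vfio_group_schedule_put()`, the allocation-failure branch `if (WARN_ON(!do_work)) return;` drops the request on the floor: the group reference taken by vfio_iommu_group_notifier() is never put, so the group can never be released and the leak surfaces only as a one-off warning. Releasing it synchronously would recreate the deadlock the commit fixes, so the branch deserves at least a comment such as `/* Leaks the group reference: putting it here would deadlock (see vfio_iommu_group_notifier) */`. Embedding a `struct work_struct` in `struct vfio_group` would make the put path infallible, but only if two notifier callouts cannot race on the same group (schedule_work() on an already-pending item is a no-op and would lose a put), which this hunk does not show. vfio_iommu_group_notifier() begins outside its hunk.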
diff --git a/queue-4.12/vfio-new-external-user-group-file-match.patch b/queue-4.12/vfio-new-external-user-group-file-match.patch
new file mode 100644 (file)
index 0000000..9073bfe
--- /dev/null
@@ -0,0 +1,114 @@
+From 5d6dee80a1e94cc284d03e06d930e60e8d3ecf7d Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Wed, 28 Jun 2017 13:50:05 -0600
+Subject: vfio: New external user group/file match
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit 5d6dee80a1e94cc284d03e06d930e60e8d3ecf7d upstream.
+
+At the point where the kvm-vfio pseudo device wants to release its
+vfio group reference, we can't always acquire a new reference to make
+that happen.  The group can be in a state where we wouldn't allow a
+new reference to be added.  This new helper function allows a caller
+to match a file to a group to facilitate this.  Given a file and
+group, report if they match.  Thus the caller needs to already have a
+group reference to match to the file.  This allows the deletion of a
+group without acquiring a new reference.
+
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Tested-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vfio/vfio.c  |    9 +++++++++
+ include/linux/vfio.h |    2 ++
+ virt/kvm/vfio.c      |   27 +++++++++++++++++++--------
+ 3 files changed, 30 insertions(+), 8 deletions(-)
+
+--- a/drivers/vfio/vfio.c
++++ b/drivers/vfio/vfio.c
+@@ -1776,6 +1776,15 @@ void vfio_group_put_external_user(struct
+ }
+ EXPORT_SYMBOL_GPL(vfio_group_put_external_user);
++bool vfio_external_group_match_file(struct vfio_group *test_group,
++                                  struct file *filep)
++{
++      struct vfio_group *group = filep->private_data;
++
++      return (filep->f_op == &vfio_group_fops) && (group == test_group);
++}
++EXPORT_SYMBOL_GPL(vfio_external_group_match_file);
++
+ int vfio_external_user_iommu_id(struct vfio_group *group)
+ {
+       return iommu_group_id(group->iommu_group);
+--- a/include/linux/vfio.h
++++ b/include/linux/vfio.h
+@@ -97,6 +97,8 @@ extern void vfio_unregister_iommu_driver
+  */
+ extern struct vfio_group *vfio_group_get_external_user(struct file *filep);
+ extern void vfio_group_put_external_user(struct vfio_group *group);
++extern bool vfio_external_group_match_file(struct vfio_group *group,
++                                         struct file *filep);
+ extern int vfio_external_user_iommu_id(struct vfio_group *group);
+ extern long vfio_external_check_extension(struct vfio_group *group,
+                                         unsigned long arg);
+--- a/virt/kvm/vfio.c
++++ b/virt/kvm/vfio.c
+@@ -51,6 +51,22 @@ static struct vfio_group *kvm_vfio_group
+       return vfio_group;
+ }
++static bool kvm_vfio_external_group_match_file(struct vfio_group *group,
++                                             struct file *filep)
++{
++      bool ret, (*fn)(struct vfio_group *, struct file *);
++
++      fn = symbol_get(vfio_external_group_match_file);
++      if (!fn)
++              return false;
++
++      ret = fn(group, filep);
++
++      symbol_put(vfio_external_group_match_file);
++
++      return ret;
++}
++
+ static void kvm_vfio_group_put_external_user(struct vfio_group *vfio_group)
+ {
+       void (*fn)(struct vfio_group *);
+@@ -231,18 +247,13 @@ static int kvm_vfio_set_group(struct kvm
+               if (!f.file)
+                       return -EBADF;
+-              vfio_group = kvm_vfio_group_get_external_user(f.file);
+-              fdput(f);
+-
+-              if (IS_ERR(vfio_group))
+-                      return PTR_ERR(vfio_group);
+-
+               ret = -ENOENT;
+               mutex_lock(&kv->lock);
+               list_for_each_entry(kvg, &kv->group_list, node) {
+-                      if (kvg->vfio_group != vfio_group)
++                      if (!kvm_vfio_external_group_match_file(kvg->vfio_group,
++                                                              f.file))
+                               continue;
+                       list_del(&kvg->node);
+@@ -260,7 +271,7 @@ static int kvm_vfio_set_group(struct kvm
+               mutex_unlock(&kv->lock);
+-              kvm_vfio_group_put_external_user(vfio_group);
++              fdput(f);
+               kvm_vfio_update_coherency(dev);
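Review bot: With `fdput(f)` moved to after the list walk, every exit from this block between the fdget (outside the hunk) and the new `fdput(f)` at the end must now drop the file reference; the hunk shows the no-match path only up to `list_del(&kvg->node)`, so whether the -ENOENT return still passes the new fdput() cannot be confirmed here and should be checked, since a missed path leaks a struct file reference per ioctl. In `vfio_external_group_match_file()`, reading `filep->private_data` before the `f_op` comparison is harmless because it is only compared, never dereferenced; a one-line comment saying so, e.g. `/* private_data is only a vfio_group when f_op matches; compare, never dereference */`, keeps a future refactor from dereferencing it. kvm_vfio_set_group() begins and ends outside its hunks.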
diff --git a/queue-4.12/vfio-remove-unnecessary-uses-of-vfio_container.group_lock.patch b/queue-4.12/vfio-remove-unnecessary-uses-of-vfio_container.group_lock.patch
new file mode 100644 (file)
index 0000000..2ae1559
--- /dev/null
@@ -0,0 +1,216 @@
+From 7f56c30bd0a232822aca38d288da475613bdff9b Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Fri, 7 Jul 2017 15:37:38 -0600
+Subject: vfio: Remove unnecessary uses of vfio_container.group_lock
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit 7f56c30bd0a232822aca38d288da475613bdff9b upstream.
+
+The original intent of vfio_container.group_lock is to protect
+vfio_container.group_list, however over time it's become a crutch to
+prevent changes in container composition any time we call into the
+iommu driver backend.  This introduces problems when we start to have
+more complex interactions, for example when a user's DMA unmap request
+triggers a notification to an mdev vendor driver, who responds by
+attempting to unpin mappings within that request, re-entering the
+iommu backend.  We incorrectly assume that the use of read-locks here
+allow for this nested locking behavior, but a poorly timed write-lock
+could in fact trigger a deadlock.
+
+The current use of group_lock seems to fall into the trap of locking
+code, not data.  Correct that by removing uses of group_lock that are
+not directly related to group_list.  Note that the vfio type1 iommu
+backend has its own mutex, vfio_iommu.lock, which it uses to protect
+itself for each of these interfaces anyway.  The group_lock appears to
+be a redundancy for these interfaces and type1 even goes so far as to
+release its mutex to allow for exactly the re-entrant code path above.
+
+Reported-by: Chuanxiao Dong <chuanxiao.dong@intel.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Acked-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vfio/vfio.c |   38 --------------------------------------
+ 1 file changed, 38 deletions(-)
+
+--- a/drivers/vfio/vfio.c
++++ b/drivers/vfio/vfio.c
+@@ -1175,15 +1175,11 @@ static long vfio_fops_unl_ioctl(struct f
+               ret = vfio_ioctl_set_iommu(container, arg);
+               break;
+       default:
+-              down_read(&container->group_lock);
+-
+               driver = container->iommu_driver;
+               data = container->iommu_data;
+               if (driver) /* passthrough all unrecognized ioctls */
+                       ret = driver->ops->ioctl(data, cmd, arg);
+-
+-              up_read(&container->group_lock);
+       }
+       return ret;
+@@ -1237,15 +1233,11 @@ static ssize_t vfio_fops_read(struct fil
+       struct vfio_iommu_driver *driver;
+       ssize_t ret = -EINVAL;
+-      down_read(&container->group_lock);
+-
+       driver = container->iommu_driver;
+       if (likely(driver && driver->ops->read))
+               ret = driver->ops->read(container->iommu_data,
+                                       buf, count, ppos);
+-      up_read(&container->group_lock);
+-
+       return ret;
+ }
+@@ -1256,15 +1248,11 @@ static ssize_t vfio_fops_write(struct fi
+       struct vfio_iommu_driver *driver;
+       ssize_t ret = -EINVAL;
+-      down_read(&container->group_lock);
+-
+       driver = container->iommu_driver;
+       if (likely(driver && driver->ops->write))
+               ret = driver->ops->write(container->iommu_data,
+                                        buf, count, ppos);
+-      up_read(&container->group_lock);
+-
+       return ret;
+ }
+@@ -1274,14 +1262,10 @@ static int vfio_fops_mmap(struct file *f
+       struct vfio_iommu_driver *driver;
+       int ret = -EINVAL;
+-      down_read(&container->group_lock);
+-
+       driver = container->iommu_driver;
+       if (likely(driver && driver->ops->mmap))
+               ret = driver->ops->mmap(container->iommu_data, vma);
+-      up_read(&container->group_lock);
+-
+       return ret;
+ }
+@@ -1993,8 +1977,6 @@ int vfio_pin_pages(struct device *dev, u
+               goto err_pin_pages;
+       container = group->container;
+-      down_read(&container->group_lock);
+-
+       driver = container->iommu_driver;
+       if (likely(driver && driver->ops->pin_pages))
+               ret = driver->ops->pin_pages(container->iommu_data, user_pfn,
+@@ -2002,7 +1984,6 @@ int vfio_pin_pages(struct device *dev, u
+       else
+               ret = -ENOTTY;
+-      up_read(&container->group_lock);
+       vfio_group_try_dissolve_container(group);
+ err_pin_pages:
+@@ -2042,8 +2023,6 @@ int vfio_unpin_pages(struct device *dev,
+               goto err_unpin_pages;
+       container = group->container;
+-      down_read(&container->group_lock);
+-
+       driver = container->iommu_driver;
+       if (likely(driver && driver->ops->unpin_pages))
+               ret = driver->ops->unpin_pages(container->iommu_data, user_pfn,
+@@ -2051,7 +2030,6 @@ int vfio_unpin_pages(struct device *dev,
+       else
+               ret = -ENOTTY;
+-      up_read(&container->group_lock);
+       vfio_group_try_dissolve_container(group);
+ err_unpin_pages:
+@@ -2073,8 +2051,6 @@ static int vfio_register_iommu_notifier(
+               return -EINVAL;
+       container = group->container;
+-      down_read(&container->group_lock);
+-
+       driver = container->iommu_driver;
+       if (likely(driver && driver->ops->register_notifier))
+               ret = driver->ops->register_notifier(container->iommu_data,
+@@ -2082,7 +2058,6 @@ static int vfio_register_iommu_notifier(
+       else
+               ret = -ENOTTY;
+-      up_read(&container->group_lock);
+       vfio_group_try_dissolve_container(group);
+       return ret;
+@@ -2100,8 +2075,6 @@ static int vfio_unregister_iommu_notifie
+               return -EINVAL;
+       container = group->container;
+-      down_read(&container->group_lock);
+-
+       driver = container->iommu_driver;
+       if (likely(driver && driver->ops->unregister_notifier))
+               ret = driver->ops->unregister_notifier(container->iommu_data,
+@@ -2109,7 +2082,6 @@ static int vfio_unregister_iommu_notifie
+       else
+               ret = -ENOTTY;
+-      up_read(&container->group_lock);
+       vfio_group_try_dissolve_container(group);
+       return ret;
+@@ -2127,7 +2099,6 @@ static int vfio_register_group_notifier(
+                                       unsigned long *events,
+                                       struct notifier_block *nb)
+ {
+-      struct vfio_container *container;
+       int ret;
+       bool set_kvm = false;
+@@ -2145,9 +2116,6 @@ static int vfio_register_group_notifier(
+       if (ret)
+               return -EINVAL;
+-      container = group->container;
+-      down_read(&container->group_lock);
+-
+       ret = blocking_notifier_chain_register(&group->notifier, nb);
+       /*
+@@ -2158,7 +2126,6 @@ static int vfio_register_group_notifier(
+               blocking_notifier_call_chain(&group->notifier,
+                                       VFIO_GROUP_NOTIFY_SET_KVM, group->kvm);
+-      up_read(&container->group_lock);
+       vfio_group_try_dissolve_container(group);
+       return ret;
+@@ -2167,19 +2134,14 @@ static int vfio_register_group_notifier(
+ static int vfio_unregister_group_notifier(struct vfio_group *group,
+                                        struct notifier_block *nb)
+ {
+-      struct vfio_container *container;
+       int ret;
+       ret = vfio_group_add_container_user(group);
+       if (ret)
+               return -EINVAL;
+-      container = group->container;
+-      down_read(&container->group_lock);
+-
+       ret = blocking_notifier_chain_unregister(&group->notifier, nb);
+-      up_read(&container->group_lock);
+       vfio_group_try_dissolve_container(group);
+       return ret;
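Review bot: With the read-lock gone, `driver = container->iommu_driver; data = container->iommu_data;` in vfio_fops_unl_ioctl() (and the equivalent pairs in vfio_fops_read/write/mmap and the pin/notifier helpers below) is now an unlocked two-load snapshot with nothing at the sites stating what keeps it stable against vfio_ioctl_set_iommu(); the description argues the backend's own mutex and the container user count cover it, but none of that is written down in the code. A comment at the first site, e.g. `/* No group_lock: iommu_driver/iommu_data change only in vfio_ioctl_set_iommu(), excluded while the container has users; the backend serialises on its own lock */`, would document the invariant these reads now depend on — assuming that is the real guarantee, which should be confirmed against vfio_ioctl_set_iommu() rather than taken from this note. All enclosing functions begin or end outside their hunks.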
diff --git a/queue-4.12/x86-acpi-prevent-out-of-bound-access-caused-by-broken-acpi-tables.patch b/queue-4.12/x86-acpi-prevent-out-of-bound-access-caused-by-broken-acpi-tables.patch
new file mode 100644 (file)
index 0000000..08c0729
--- /dev/null
@@ -0,0 +1,49 @@
+From dad5ab0db8deac535d03e3fe3d8f2892173fa6a4 Mon Sep 17 00:00:00 2001
+From: Seunghun Han <kkamagui@gmail.com>
+Date: Tue, 18 Jul 2017 20:03:51 +0900
+Subject: x86/acpi: Prevent out of bound access caused by broken ACPI tables
+
+From: Seunghun Han <kkamagui@gmail.com>
+
+commit dad5ab0db8deac535d03e3fe3d8f2892173fa6a4 upstream.
+
+The bus_irq argument of mp_override_legacy_irq() is used as the index into
+the isa_irq_to_gsi[] array. The bus_irq argument originates from
+ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI
+tables, but is nowhere sanity checked.
+
+That allows broken or malicious ACPI tables to overwrite memory, which
+might cause malfunction, panic or arbitrary code execution.
+
+Add a sanity check and emit a warning when that triggers.
+
+[ tglx: Added warning and rewrote changelog ]
+
+Signed-off-by: Seunghun Han <kkamagui@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: security@kernel.org
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/acpi/boot.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/arch/x86/kernel/acpi/boot.c
++++ b/arch/x86/kernel/acpi/boot.c
+@@ -347,6 +347,14 @@ static void __init mp_override_legacy_ir
+       struct mpc_intsrc mp_irq;
+       /*
++       * Check bus_irq boundary.
++       */
++      if (bus_irq >= NR_IRQS_LEGACY) {
++              pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq);
++              return;
++      }
++
++      /*
+        * Convert 'gsi' to 'ioapic.pin'.
+        */
+       ioapic = mp_find_ioapic(gsi);
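Review bot: The new bound `bus_irq >= NR_IRQS_LEGACY` is correct only as long as NR_IRQS_LEGACY is the size of isa_irq_to_gsi[]; if the array is defined in this file, `if (bus_irq >= ARRAY_SIZE(isa_irq_to_gsi))` ties the check to the actual array and survives a later resize. The comment "Check bus_irq boundary." says what, not why; `/* bus_irq comes straight from the MADT and indexes isa_irq_to_gsi[]; reject out-of-range values from broken tables */` gives the reason the check exists. mp_override_legacy_irq() begins and ends outside the hunk.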
diff --git a/queue-4.12/x86-ioapic-pass-the-correct-data-to-unmask_ioapic_irq.patch b/queue-4.12/x86-ioapic-pass-the-correct-data-to-unmask_ioapic_irq.patch
new file mode 100644 (file)
index 0000000..75f0c35
--- /dev/null
@@ -0,0 +1,48 @@
+From e708e35ba6d89ff785b225cd07dcccab04fa954a Mon Sep 17 00:00:00 2001
+From: Seunghun Han <kkamagui@gmail.com>
+Date: Tue, 18 Jul 2017 18:20:44 +0900
+Subject: x86/ioapic: Pass the correct data to unmask_ioapic_irq()
+
+From: Seunghun Han <kkamagui@gmail.com>
+
+commit e708e35ba6d89ff785b225cd07dcccab04fa954a upstream.
+
+One of the rarely executed code pathes in check_timer() calls
+unmask_ioapic_irq() passing irq_get_chip_data(0) as argument.
+
+That's wrong as unmask_ioapic_irq() expects a pointer to the irq data of
+interrupt 0. irq_get_chip_data(0) returns NULL, so the following
+dereference in unmask_ioapic_irq() causes a kernel panic.
+
+The issue went unnoticed in the first place because irq_get_chip_data()
+returns a void pointer so the compiler cannot do a type check on the
+argument. The code path was added for machines with broken configuration,
+but it seems that those machines are either not running current kernels or
+simply do not longer exist.
+
+Hand in irq_get_irq_data(0) as argument which provides the correct data.
+
+[ tglx: Rewrote changelog ]
+
+Fixes: 4467715a44cc ("x86/irq: Move irq_cfg.irq_2_pin into io_apic.c")
+Signed-off-by: Seunghun Han <kkamagui@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/1500369644-45767-1-git-send-email-kkamagui@gmail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/apic/io_apic.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/apic/io_apic.c
++++ b/arch/x86/kernel/apic/io_apic.c
+@@ -2115,7 +2115,7 @@ static inline void __init check_timer(vo
+                       int idx;
+                       idx = find_irq_entry(apic1, pin1, mp_INT);
+                       if (idx != -1 && irq_trigger(idx))
+-                              unmask_ioapic_irq(irq_get_chip_data(0));
++                              unmask_ioapic_irq(irq_get_irq_data(0));
+               }
+               irq_domain_deactivate_irq(irq_data);
+               irq_domain_activate_irq(irq_data);
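Review bot: The fix is correct, but the same function already holds a `struct irq_data *irq_data` used two lines below in `irq_domain_deactivate_irq(irq_data)`; if that local is the irq-0 data (it appears to be, from the activate/deactivate calls), passing it directly as `unmask_ioapic_irq(irq_data);` avoids a second lookup and any chance of the two diverging. Either way, a short comment noting that unmask_ioapic_irq() takes irq data rather than chip data would stop the original mistake from being reintroduced, since irq_get_chip_data() returns void * and the compiler cannot catch it. check_timer() begins and ends outside the hunk.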