--- /dev/null
+From fa85015c0d95884c8dc42f38e2f2d6137d436b67 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Mon, 9 Jul 2018 11:01:07 +0200
+Subject: ACPICA: Clear status of all events when entering S5
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit fa85015c0d95884c8dc42f38e2f2d6137d436b67 upstream.
+
+After commit 18996f2db918 (ACPICA: Events: Stop unconditionally
+clearing ACPI IRQs during suspend/resume) the status of ACPI events
+is not cleared any more when entering the ACPI S5 system state (power
+off) which causes some systems to power up immediately after turing
+off power in certain situations.
+
+That is a functional regression, so address it by making the code
+clear the status of all ACPI events again when entering S5 (for
+system-wide suspend or hibernation the clearing of the status of all
+events is not desirable, as it might cause the kernel to miss wakeup
+events sometimes).
+
+Fixes: 18996f2db918 (ACPICA: Events: Stop unconditionally clearing ACPI IRQs during suspend/resume)
+Reported-by: Takashi Iwai <tiwai@suse.de>
+Tested-by: Thomas Hänig <haenig@cosifan.de>
+Cc: 4.17+ <stable@vger.kernel.org> # 4.17+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/acpica/hwsleep.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/acpi/acpica/hwsleep.c
++++ b/drivers/acpi/acpica/hwsleep.c
+@@ -51,16 +51,23 @@ acpi_status acpi_hw_legacy_sleep(u8 slee
+ return_ACPI_STATUS(status);
+ }
+
+- /*
+- * 1) Disable all GPEs
+- * 2) Enable all wakeup GPEs
+- */
++ /* Disable all GPEs */
+ status = acpi_hw_disable_all_gpes();
+ if (ACPI_FAILURE(status)) {
+ return_ACPI_STATUS(status);
+ }
++ /*
++ * If the target sleep state is S5, clear all GPEs and fixed events too
++ */
++ if (sleep_state == ACPI_STATE_S5) {
++ status = acpi_hw_clear_acpi_status();
++ if (ACPI_FAILURE(status)) {
++ return_ACPI_STATUS(status);
++ }
++ }
+ acpi_gbl_system_awake_and_running = FALSE;
+
++ /* Enable all wakeup GPEs */
+ status = acpi_hw_enable_all_wakeup_gpes();
+ if (ACPI_FAILURE(status)) {
+ return_ACPI_STATUS(status);
--- /dev/null
+From ba44579141f9e2c0229e6e7eeb00b5fa68f0f74a Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Wed, 27 Jun 2018 15:15:40 +0300
+Subject: ahci: Add Intel Ice Lake LP PCI ID
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit ba44579141f9e2c0229e6e7eeb00b5fa68f0f74a upstream.
+
+This should also be using the default LPM policy for mobile chipsets so
+add the PCI ID to the driver list of supported devices.
+
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/ahci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -400,6 +400,7 @@ static const struct pci_device_id ahci_p
+ { PCI_VDEVICE(INTEL, 0x0f23), board_ahci_mobile }, /* Bay Trail AHCI */
+ { PCI_VDEVICE(INTEL, 0x22a3), board_ahci_mobile }, /* Cherry Tr. AHCI */
+ { PCI_VDEVICE(INTEL, 0x5ae3), board_ahci_mobile }, /* ApolloLake AHCI */
++ { PCI_VDEVICE(INTEL, 0x34d3), board_ahci_mobile }, /* Ice Lake LP AHCI */
+
+ /* JMicron 360/1/3/5/6, match class to avoid IDE function */
+ { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
--- /dev/null
+From 240630e61870e62e39a97225048f9945848fa5f5 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sun, 1 Jul 2018 12:15:46 +0200
+Subject: ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 240630e61870e62e39a97225048f9945848fa5f5 upstream.
+
+There have been several reports of LPM related hard freezes about once
+a day on multiple Lenovo 50 series models. Strange enough these reports
+where not disk model specific as LPM issues usually are and some users
+with the exact same disk + laptop where seeing them while other users
+where not seeing these issues.
+
+It turns out that enabling LPM triggers a firmware bug somewhere, which
+has been fixed in later BIOS versions.
+
+This commit adds a new ahci_broken_lpm() function and a new ATA_FLAG_NO_LPM
+for dealing with this.
+
+The ahci_broken_lpm() function contains DMI match info for the 4 models
+which are known to be affected by this and the DMI BIOS date field for
+known good BIOS versions. If the BIOS date is older then the one in the
+table LPM will be disabled and a warning will be printed.
+
+Note the BIOS dates are for known good versions, some older versions may
+work too, but we don't know for sure, the table is using dates from BIOS
+versions for which users have confirmed that upgrading to that version
+makes the problem go away.
+
+Unfortunately I've been unable to get hold of the reporter who reported
+that BIOS version 2.35 fixed the problems on the W541 for him. I've been
+able to verify the DMI_SYS_VENDOR and DMI_PRODUCT_VERSION from an older
+dmidecode, but I don't know the exact BIOS date as reported in the DMI.
+Lenovo keeps a changelog with dates in their release notes, but the
+dates there are the release dates not the build dates which are in DMI.
+So I've chosen to set the date to which we compare to one day past the
+release date of the 2.34 BIOS. I plan to fix this with a follow up
+commit once I've the necessary info.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/ahci.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++
+ drivers/ata/libata-core.c | 3 ++
+ include/linux/libata.h | 1
+ 3 files changed, 63 insertions(+)
+
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -1281,6 +1281,59 @@ static bool ahci_broken_suspend(struct p
+ return strcmp(buf, dmi->driver_data) < 0;
+ }
+
++static bool ahci_broken_lpm(struct pci_dev *pdev)
++{
++ static const struct dmi_system_id sysids[] = {
++ /* Various Lenovo 50 series have LPM issues with older BIOSen */
++ {
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad X250"),
++ },
++ .driver_data = "20180406", /* 1.31 */
++ },
++ {
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L450"),
++ },
++ .driver_data = "20180420", /* 1.28 */
++ },
++ {
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad T450s"),
++ },
++ .driver_data = "20180315", /* 1.33 */
++ },
++ {
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad W541"),
++ },
++ /*
++ * Note date based on release notes, 2.35 has been
++ * reported to be good, but I've been unable to get
++ * a hold of the reporter to get the DMI BIOS date.
++ * TODO: fix this.
++ */
++ .driver_data = "20180310", /* 2.35 */
++ },
++ { } /* terminate list */
++ };
++ const struct dmi_system_id *dmi = dmi_first_match(sysids);
++ int year, month, date;
++ char buf[9];
++
++ if (!dmi)
++ return false;
++
++ dmi_get_date(DMI_BIOS_DATE, &year, &month, &date);
++ snprintf(buf, sizeof(buf), "%04d%02d%02d", year, month, date);
++
++ return strcmp(buf, dmi->driver_data) < 0;
++}
++
+ static bool ahci_broken_online(struct pci_dev *pdev)
+ {
+ #define ENCODE_BUSDEVFN(bus, slot, func) \
+@@ -1695,6 +1748,12 @@ static int ahci_init_one(struct pci_dev
+ "quirky BIOS, skipping spindown on poweroff\n");
+ }
+
++ if (ahci_broken_lpm(pdev)) {
++ pi.flags |= ATA_FLAG_NO_LPM;
++ dev_warn(&pdev->dev,
++ "BIOS update required for Link Power Management support\n");
++ }
++
+ if (ahci_broken_suspend(pdev)) {
+ hpriv->flags |= AHCI_HFLAG_NO_SUSPEND;
+ dev_warn(&pdev->dev,
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -2502,6 +2502,9 @@ int ata_dev_configure(struct ata_device
+ (id[ATA_ID_SATA_CAPABILITY] & 0xe) == 0x2)
+ dev->horkage |= ATA_HORKAGE_NOLPM;
+
++ if (ap->flags & ATA_FLAG_NO_LPM)
++ dev->horkage |= ATA_HORKAGE_NOLPM;
++
+ if (dev->horkage & ATA_HORKAGE_NOLPM) {
+ ata_dev_warn(dev, "LPM support broken, forcing max_power\n");
+ dev->link->ap->target_lpm_policy = ATA_LPM_MAX_POWER;
+--- a/include/linux/libata.h
++++ b/include/linux/libata.h
+@@ -211,6 +211,7 @@ enum {
+ ATA_FLAG_SLAVE_POSS = (1 << 0), /* host supports slave dev */
+ /* (doesn't imply presence) */
+ ATA_FLAG_SATA = (1 << 1),
++ ATA_FLAG_NO_LPM = (1 << 2), /* host not happy with LPM */
+ ATA_FLAG_NO_LOG_PAGE = (1 << 5), /* do not issue log page read */
+ ATA_FLAG_NO_ATAPI = (1 << 6), /* No ATAPI support */
+ ATA_FLAG_PIO_DMA = (1 << 7), /* PIO cmds via DMA */
--- /dev/null
+From 6edf1d4cb0acde3a0a5dac849f33031bd7abb7b1 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <damien.lemoal@wdc.com>
+Date: Tue, 26 Jun 2018 20:56:55 +0900
+Subject: ata: Fix ZBC_OUT all bit handling
+
+From: Damien Le Moal <damien.lemoal@wdc.com>
+
+commit 6edf1d4cb0acde3a0a5dac849f33031bd7abb7b1 upstream.
+
+If the ALL bit is set in the ZBC_OUT command, the command zone ID field
+(block) should be ignored.
+
+Reported-by: David Butterfield <david.butterfield@wdc.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libata-scsi.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -3802,7 +3802,14 @@ static unsigned int ata_scsi_zbc_out_xla
+ */
+ goto invalid_param_len;
+ }
+- if (block >= dev->n_sectors) {
++
++ all = cdb[14] & 0x1;
++ if (all) {
++ /*
++ * Ignore the block address (zone ID) as defined by ZBC.
++ */
++ block = 0;
++ } else if (block >= dev->n_sectors) {
+ /*
+ * Block must be a valid zone ID (a zone start LBA).
+ */
+@@ -3810,8 +3817,6 @@ static unsigned int ata_scsi_zbc_out_xla
+ goto invalid_fld;
+ }
+
+- all = cdb[14] & 0x1;
+-
+ if (ata_ncq_enabled(qc->dev) &&
+ ata_fpdma_zac_mgmt_out_supported(qc->dev)) {
+ tf->protocol = ATA_PROT_NCQ_NODATA;
--- /dev/null
+From b320a0a9f23c98f21631eb27bcbbca91c79b1c6e Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <damien.lemoal@wdc.com>
+Date: Tue, 26 Jun 2018 20:56:54 +0900
+Subject: ata: Fix ZBC_OUT command block check
+
+From: Damien Le Moal <damien.lemoal@wdc.com>
+
+commit b320a0a9f23c98f21631eb27bcbbca91c79b1c6e upstream.
+
+The block (LBA) specified must not exceed the last addressable LBA,
+which is dev->nr_sectors - 1. So fix the correct check is
+"if (block >= dev->n_sectors)" and not "if (block > dev->n_sectords)".
+
+Additionally, the asc/ascq to return for an LBA that is not a zone start
+LBA should be ILLEGAL REQUEST, regardless if the bad LBA is out of
+range.
+
+Reported-by: David Butterfield <david.butterfield@wdc.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libata-scsi.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -3802,8 +3802,13 @@ static unsigned int ata_scsi_zbc_out_xla
+ */
+ goto invalid_param_len;
+ }
+- if (block > dev->n_sectors)
+- goto out_of_range;
++ if (block >= dev->n_sectors) {
++ /*
++ * Block must be a valid zone ID (a zone start LBA).
++ */
++ fp = 2;
++ goto invalid_fld;
++ }
+
+ all = cdb[14] & 0x1;
+
+@@ -3834,10 +3839,6 @@ static unsigned int ata_scsi_zbc_out_xla
+ invalid_fld:
+ ata_scsi_set_invalid_field(qc->dev, scmd, fp, 0xff);
+ return 1;
+- out_of_range:
+- /* "Logical Block Address out of range" */
+- ata_scsi_set_sense(qc->dev, scmd, ILLEGAL_REQUEST, 0x21, 0x00);
+- return 1;
+ invalid_param_len:
+ /* "Parameter list length error" */
+ ata_scsi_set_sense(qc->dev, scmd, ILLEGAL_REQUEST, 0x1a, 0x0);
--- /dev/null
+From 2c83a726d6fbb5d130d8f2edd82a258adb675ac3 Mon Sep 17 00:00:00 2001
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Wed, 27 Jun 2018 15:58:13 +0200
+Subject: drm/etnaviv: bring back progress check in job timeout handler
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+commit 2c83a726d6fbb5d130d8f2edd82a258adb675ac3 upstream.
+
+When the hangcheck handler was replaced by the DRM scheduler timeout
+handling we dropped the forward progress check, as this might allow
+clients to hog the GPU for a long time with a big job.
+
+It turns out that even reasonably well behaved clients like the
+Armada Xorg driver occasionally trip over the 500ms timeout. Bring
+back the forward progress check to get rid of the userspace regression.
+
+We would still like to fix userspace to submit smaller batches
+if possible, but that is for another day.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 6d7a20c07760 (drm/etnaviv: replace hangcheck with scheduler timeout)
+Reported-by: Russell King <linux@armlinux.org.uk>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/etnaviv/etnaviv_gpu.h | 3 +++
+ drivers/gpu/drm/etnaviv/etnaviv_sched.c | 24 ++++++++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+
+--- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.h
++++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.h
+@@ -142,6 +142,9 @@ struct etnaviv_gpu {
+ struct work_struct sync_point_work;
+ int sync_point_event;
+
++ /* hang detection */
++ u32 hangcheck_dma_addr;
++
+ void __iomem *mmio;
+ int irq;
+
+--- a/drivers/gpu/drm/etnaviv/etnaviv_sched.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_sched.c
+@@ -21,6 +21,7 @@
+ #include "etnaviv_gem.h"
+ #include "etnaviv_gpu.h"
+ #include "etnaviv_sched.h"
++#include "state.xml.h"
+
+ static int etnaviv_job_hang_limit = 0;
+ module_param_named(job_hang_limit, etnaviv_job_hang_limit, int , 0444);
+@@ -96,6 +97,29 @@ static void etnaviv_sched_timedout_job(s
+ {
+ struct etnaviv_gem_submit *submit = to_etnaviv_submit(sched_job);
+ struct etnaviv_gpu *gpu = submit->gpu;
++ u32 dma_addr;
++ int change;
++
++ /*
++ * If the GPU managed to complete this jobs fence, the timout is
++ * spurious. Bail out.
++ */
++ if (fence_completed(gpu, submit->out_fence->seqno))
++ return;
++
++ /*
++ * If the GPU is still making forward progress on the front-end (which
++ * should never loop) we shift out the timeout to give it a chance to
++ * finish the job.
++ */
++ dma_addr = gpu_read(gpu, VIVS_FE_DMA_ADDRESS);
++ change = dma_addr - gpu->hangcheck_dma_addr;
++ if (change < 0 || change > 16) {
++ gpu->hangcheck_dma_addr = dma_addr;
++ schedule_delayed_work(&sched_job->work_tdr,
++ sched_job->sched->timeout);
++ return;
++ }
+
+ /* block scheduler */
+ kthread_park(gpu->sched.thread);
--- /dev/null
+From 45a0faaba9c8c5ba1e31a08a391aed0bad327167 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <fabio.estevam@nxp.com>
+Date: Wed, 27 Jun 2018 10:07:45 -0300
+Subject: drm/etnaviv: Check for platform_device_register_simple() failure
+
+From: Fabio Estevam <fabio.estevam@nxp.com>
+
+commit 45a0faaba9c8c5ba1e31a08a391aed0bad327167 upstream.
+
+platform_device_register_simple() may fail, so we should better
+check its return value and propagate it in the case of error.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 246774d17fc0 ("drm/etnaviv: remove the need for a gpu-subsystem DT node")
+Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
+Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/etnaviv/etnaviv_drv.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/etnaviv/etnaviv_drv.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_drv.c
+@@ -693,8 +693,11 @@ static struct platform_driver etnaviv_pl
+ },
+ };
+
++static struct platform_device *etnaviv_drm;
++
+ static int __init etnaviv_init(void)
+ {
++ struct platform_device *pdev;
+ int ret;
+ struct device_node *np;
+
+@@ -706,7 +709,7 @@ static int __init etnaviv_init(void)
+
+ ret = platform_driver_register(&etnaviv_platform_driver);
+ if (ret != 0)
+- platform_driver_unregister(&etnaviv_gpu_driver);
++ goto unregister_gpu_driver;
+
+ /*
+ * If the DT contains at least one available GPU device, instantiate
+@@ -715,12 +718,24 @@ static int __init etnaviv_init(void)
+ for_each_compatible_node(np, NULL, "vivante,gc") {
+ if (!of_device_is_available(np))
+ continue;
+-
+- platform_device_register_simple("etnaviv", -1, NULL, 0);
++ pdev = platform_device_register_simple("etnaviv", -1,
++ NULL, 0);
++ if (IS_ERR(pdev)) {
++ ret = PTR_ERR(pdev);
++ of_node_put(np);
++ goto unregister_platform_driver;
++ }
++ etnaviv_drm = pdev;
+ of_node_put(np);
+ break;
+ }
+
++ return 0;
++
++unregister_platform_driver:
++ platform_driver_unregister(&etnaviv_platform_driver);
++unregister_gpu_driver:
++ platform_driver_unregister(&etnaviv_gpu_driver);
+ return ret;
+ }
+ module_init(etnaviv_init);
--- /dev/null
+From bf6ba3aeb2962e5ee4a78e7535af579ecba630bb Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <fabio.estevam@nxp.com>
+Date: Wed, 27 Jun 2018 10:07:46 -0300
+Subject: drm/etnaviv: Fix driver unregistering
+
+From: Fabio Estevam <fabio.estevam@nxp.com>
+
+commit bf6ba3aeb2962e5ee4a78e7535af579ecba630bb upstream.
+
+Russell King reported:
+
+"When removing and reloading the etnaviv module, the following splat
+occurs:
+
+sysfs: cannot create duplicate filename '/devices/platform/etnaviv'
+CPU: 0 PID: 1471 Comm: modprobe Not tainted 4.17.0+ #1608
+Hardware name: Marvell Dove (Cubox)
+Backtrace:
+[<c00157d4>] (dump_backtrace) from [<c0015b8c>] (show_stack+0x18/0x1c)
+ r6:ef033e38 r5:ee07b340 r4:edb9d000 r3:00000000
+[<c0015b74>] (show_stack) from [<c0620784>] (dump_stack+0x20/0x28)
+[<c0620764>] (dump_stack) from [<c01bcd24>] (sysfs_warn_dup+0x5c/0x70)
+[<c01bccc8>] (sysfs_warn_dup) from [<c01bce14>] (sysfs_create_dir_ns+0x90/0x98)
+..."
+
+Commit 246774d17fc0 ("drm/etnaviv: remove the need for a gpu-subsystem
+DT node") introduced DRM registration via
+platform_device_register_simple(), but missed to call
+platform_device_unregister() inside etnaviv_exit().
+
+Fix the problem by calling platform_device_unregister() inside
+etnaviv_exit(). While at it, also rearrange the function calls
+in the exit path to make them happen in the opposite order of
+registration.
+
+Tested on a imx6-sabresd board.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 246774d17fc0 ("drm/etnaviv: remove the need for a gpu-subsystem DT node")
+Reported-by: Russell King <linux@armlinux.org.uk>
+Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
+Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/etnaviv/etnaviv_drv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/etnaviv/etnaviv_drv.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_drv.c
+@@ -742,8 +742,9 @@ module_init(etnaviv_init);
+
+ static void __exit etnaviv_exit(void)
+ {
+- platform_driver_unregister(&etnaviv_gpu_driver);
++ platform_device_unregister(etnaviv_drm);
+ platform_driver_unregister(&etnaviv_platform_driver);
++ platform_driver_unregister(&etnaviv_gpu_driver);
+ }
+ module_exit(etnaviv_exit);
+
--- /dev/null
+From a0341fc1981a950c1e902ab901e98f60e0e243f3 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Sat, 7 Jul 2018 04:16:33 +0200
+Subject: ibmasm: don't write out of bounds in read handler
+
+From: Jann Horn <jannh@google.com>
+
+commit a0341fc1981a950c1e902ab901e98f60e0e243f3 upstream.
+
+This read handler had a lot of custom logic and wrote outside the bounds of
+the provided buffer. This could lead to kernel and userspace memory
+corruption. Just use simple_read_from_buffer() with a stack buffer.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/ibmasm/ibmasmfs.c | 27 +++------------------------
+ 1 file changed, 3 insertions(+), 24 deletions(-)
+
+--- a/drivers/misc/ibmasm/ibmasmfs.c
++++ b/drivers/misc/ibmasm/ibmasmfs.c
+@@ -507,35 +507,14 @@ static int remote_settings_file_close(st
+ static ssize_t remote_settings_file_read(struct file *file, char __user *buf, size_t count, loff_t *offset)
+ {
+ void __iomem *address = (void __iomem *)file->private_data;
+- unsigned char *page;
+- int retval;
+ int len = 0;
+ unsigned int value;
+-
+- if (*offset < 0)
+- return -EINVAL;
+- if (count == 0 || count > 1024)
+- return 0;
+- if (*offset != 0)
+- return 0;
+-
+- page = (unsigned char *)__get_free_page(GFP_KERNEL);
+- if (!page)
+- return -ENOMEM;
++ char lbuf[20];
+
+ value = readl(address);
+- len = sprintf(page, "%d\n", value);
+-
+- if (copy_to_user(buf, page, len)) {
+- retval = -EFAULT;
+- goto exit;
+- }
+- *offset += len;
+- retval = len;
++ len = snprintf(lbuf, sizeof(lbuf), "%d\n", value);
+
+-exit:
+- free_page((unsigned long)page);
+- return retval;
++ return simple_read_from_buffer(buf, count, offset, lbuf, len);
+ }
+
+ static ssize_t remote_settings_file_write(struct file *file, const char __user *ubuff, size_t count, loff_t *offset)
--- /dev/null
+From b7a020bff31318fc8785e6f96b1d38c1625cf1fb Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Thu, 7 Jun 2018 00:31:48 +0300
+Subject: mei: discard messages from not connected client during power down.
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit b7a020bff31318fc8785e6f96b1d38c1625cf1fb upstream.
+
+This fixes regression introduced by
+commit 8d52af6795c0 ("mei: speed up the power down flow")
+
+In power down or suspend flow a message can still be received
+from the FW because the clients fake disconnection.
+In normal case we interpret messages w/o destination as corrupted
+and link reset is performed in order to clean the channel,
+but during power down link reset is already in progress resulting
+in endless loop. To resolve the issue under power down flow we
+discard messages silently.
+
+Cc: <stable@vger.kernel.org> 4.16+
+Fixes: 8d52af6795c0 ("mei: speed up the power down flow")
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199541
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/mei/interrupt.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/mei/interrupt.c
++++ b/drivers/misc/mei/interrupt.c
+@@ -310,8 +310,11 @@ int mei_irq_read_handler(struct mei_devi
+ if (&cl->link == &dev->file_list) {
+ /* A message for not connected fixed address clients
+ * should be silently discarded
++ * On power down client may be force cleaned,
++ * silently discard such messages
+ */
+- if (hdr_is_fixed(mei_hdr)) {
++ if (hdr_is_fixed(mei_hdr) ||
++ dev->dev_state == MEI_DEV_POWER_DOWN) {
+ mei_irq_discard_msg(dev, mei_hdr);
+ ret = 0;
+ goto reset_slots;
--- /dev/null
+From 5a267832c2ec47b2dad0fdb291a96bb5b8869315 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@mips.com>
+Date: Fri, 22 Jun 2018 10:55:45 -0700
+Subject: MIPS: Call dump_stack() from show_regs()
+
+From: Paul Burton <paul.burton@mips.com>
+
+commit 5a267832c2ec47b2dad0fdb291a96bb5b8869315 upstream.
+
+The generic nmi_cpu_backtrace() function calls show_regs() when a struct
+pt_regs is available, and dump_stack() otherwise. If we were to make use
+of the generic nmi_cpu_backtrace() with MIPS' current implementation of
+show_regs() this would mean that we see only register data with no
+accompanying stack information, in contrast with our current
+implementation which calls dump_stack() regardless of whether register
+state is available.
+
+In preparation for making use of the generic nmi_cpu_backtrace() to
+implement arch_trigger_cpumask_backtrace(), have our implementation of
+show_regs() call dump_stack() and drop the explicit dump_stack() call in
+arch_dump_stack() which is invoked by arch_trigger_cpumask_backtrace().
+
+This will allow the output we produce to remain the same after a later
+patch switches to using nmi_cpu_backtrace(). It may mean that we produce
+extra stack output in other uses of show_regs(), but this:
+
+ 1) Seems harmless.
+ 2) Is good for consistency between arch_trigger_cpumask_backtrace()
+ and other users of show_regs().
+ 3) Matches the behaviour of the ARM & PowerPC architectures.
+
+Marked for stable back to v4.9 as a prerequisite of the following patch
+"MIPS: Call dump_stack() from show_regs()".
+
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/19596/
+Cc: James Hogan <jhogan@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Huacai Chen <chenhc@lemote.com>
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org # v4.9+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/process.c | 4 ++--
+ arch/mips/kernel/traps.c | 1 +
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/kernel/process.c
++++ b/arch/mips/kernel/process.c
+@@ -663,8 +663,8 @@ static void arch_dump_stack(void *info)
+
+ if (regs)
+ show_regs(regs);
+-
+- dump_stack();
++ else
++ dump_stack();
+ }
+
+ void arch_trigger_cpumask_backtrace(const cpumask_t *mask, bool exclude_self)
+--- a/arch/mips/kernel/traps.c
++++ b/arch/mips/kernel/traps.c
+@@ -351,6 +351,7 @@ static void __show_regs(const struct pt_
+ void show_regs(struct pt_regs *regs)
+ {
+ __show_regs((struct pt_regs *)regs);
++ dump_stack();
+ }
+
+ void show_registers(struct pt_regs *regs)
--- /dev/null
+From 523402fa9101090c91d2033b7ebdfdcf65880488 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@mips.com>
+Date: Thu, 5 Jul 2018 14:37:52 -0700
+Subject: MIPS: Fix ioremap() RAM check
+
+From: Paul Burton <paul.burton@mips.com>
+
+commit 523402fa9101090c91d2033b7ebdfdcf65880488 upstream.
+
+We currently attempt to check whether a physical address range provided
+to __ioremap() may be in use by the page allocator by examining the
+value of PageReserved for each page in the region - lowmem pages not
+marked reserved are presumed to be in use by the page allocator, and
+requests to ioremap them fail.
+
+The way we check this has been broken since commit 92923ca3aace ("mm:
+meminit: only set page reserved in the memblock region"), because
+memblock will typically not have any knowledge of non-RAM pages and
+therefore those pages will not have the PageReserved flag set. Thus when
+we attempt to ioremap a region outside of RAM we incorrectly fail
+believing that the region is RAM that may be in use.
+
+In most cases ioremap() on MIPS will take a fast-path to use the
+unmapped kseg1 or xkphys virtual address spaces and never hit this path,
+so the only way to hit it is for a MIPS32 system to attempt to ioremap()
+an address range in lowmem with flags other than _CACHE_UNCACHED.
+Perhaps the most straightforward way to do this is using
+ioremap_uncached_accelerated(), which is how the problem was discovered.
+
+Fix this by making use of walk_system_ram_range() to test the address
+range provided to __ioremap() against only RAM pages, rather than all
+lowmem pages. This means that if we have a lowmem I/O region, which is
+very common for MIPS systems, we're free to ioremap() address ranges
+within it. A nice bonus is that the test is no longer limited to lowmem.
+
+The approach here matches the way x86 performed the same test after
+commit c81c8a1eeede ("x86, ioremap: Speed up check for RAM pages") until
+x86 moved towards a slightly more complicated check using walk_mem_res()
+for unrelated reasons with commit 0e4c12b45aa8 ("x86/mm, resource: Use
+PAGE_KERNEL protection for ioremap of memory pages").
+
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Reported-by: Serge Semin <fancer.lancer@gmail.com>
+Tested-by: Serge Semin <fancer.lancer@gmail.com>
+Fixes: 92923ca3aace ("mm: meminit: only set page reserved in the memblock region")
+Cc: James Hogan <jhogan@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org # v4.2+
+Patchwork: https://patchwork.linux-mips.org/patch/19786/
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/mm/ioremap.c | 37 +++++++++++++++++++++++++------------
+ 1 file changed, 25 insertions(+), 12 deletions(-)
+
+--- a/arch/mips/mm/ioremap.c
++++ b/arch/mips/mm/ioremap.c
+@@ -9,6 +9,7 @@
+ #include <linux/export.h>
+ #include <asm/addrspace.h>
+ #include <asm/byteorder.h>
++#include <linux/ioport.h>
+ #include <linux/sched.h>
+ #include <linux/slab.h>
+ #include <linux/vmalloc.h>
+@@ -98,6 +99,20 @@ static int remap_area_pages(unsigned lon
+ return error;
+ }
+
++static int __ioremap_check_ram(unsigned long start_pfn, unsigned long nr_pages,
++ void *arg)
++{
++ unsigned long i;
++
++ for (i = 0; i < nr_pages; i++) {
++ if (pfn_valid(start_pfn + i) &&
++ !PageReserved(pfn_to_page(start_pfn + i)))
++ return 1;
++ }
++
++ return 0;
++}
++
+ /*
+ * Generic mapping function (not visible outside):
+ */
+@@ -116,8 +131,8 @@ static int remap_area_pages(unsigned lon
+
+ void __iomem * __ioremap(phys_addr_t phys_addr, phys_addr_t size, unsigned long flags)
+ {
++ unsigned long offset, pfn, last_pfn;
+ struct vm_struct * area;
+- unsigned long offset;
+ phys_addr_t last_addr;
+ void * addr;
+
+@@ -137,18 +152,16 @@ void __iomem * __ioremap(phys_addr_t phy
+ return (void __iomem *) CKSEG1ADDR(phys_addr);
+
+ /*
+- * Don't allow anybody to remap normal RAM that we're using..
++ * Don't allow anybody to remap RAM that may be allocated by the page
++ * allocator, since that could lead to races & data clobbering.
+ */
+- if (phys_addr < virt_to_phys(high_memory)) {
+- char *t_addr, *t_end;
+- struct page *page;
+-
+- t_addr = __va(phys_addr);
+- t_end = t_addr + (size - 1);
+-
+- for(page = virt_to_page(t_addr); page <= virt_to_page(t_end); page++)
+- if(!PageReserved(page))
+- return NULL;
++ pfn = PFN_DOWN(phys_addr);
++ last_pfn = PFN_DOWN(last_addr);
++ if (walk_system_ram_range(pfn, last_pfn - pfn + 1, NULL,
++ __ioremap_check_ram) == 1) {
++ WARN_ONCE(1, "ioremap on RAM at %pa - %pa\n",
++ &phys_addr, &last_addr);
++ return NULL;
+ }
+
+ /*
--- /dev/null
+From b63e132b6433a41cf311e8bc382d33fd2b73b505 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@mips.com>
+Date: Fri, 22 Jun 2018 10:55:46 -0700
+Subject: MIPS: Use async IPIs for arch_trigger_cpumask_backtrace()
+
+From: Paul Burton <paul.burton@mips.com>
+
+commit b63e132b6433a41cf311e8bc382d33fd2b73b505 upstream.
+
+The current MIPS implementation of arch_trigger_cpumask_backtrace() is
+broken because it attempts to use synchronous IPIs despite the fact that
+it may be run with interrupts disabled.
+
+This means that when arch_trigger_cpumask_backtrace() is invoked, for
+example by the RCU CPU stall watchdog, we may:
+
+ - Deadlock due to use of synchronous IPIs with interrupts disabled,
+ causing the CPU that's attempting to generate the backtrace output
+ to hang itself.
+
+ - Not succeed in generating the desired output from remote CPUs.
+
+ - Produce warnings about this from smp_call_function_many(), for
+ example:
+
+ [42760.526910] INFO: rcu_sched detected stalls on CPUs/tasks:
+ [42760.535755] 0-...!: (1 GPs behind) idle=ade/140000000000000/0 softirq=526944/526945 fqs=0
+ [42760.547874] 1-...!: (0 ticks this GP) idle=e4a/140000000000000/0 softirq=547885/547885 fqs=0
+ [42760.559869] (detected by 2, t=2162 jiffies, g=266689, c=266688, q=33)
+ [42760.568927] ------------[ cut here ]------------
+ [42760.576146] WARNING: CPU: 2 PID: 1216 at kernel/smp.c:416 smp_call_function_many+0x88/0x20c
+ [42760.587839] Modules linked in:
+ [42760.593152] CPU: 2 PID: 1216 Comm: sh Not tainted 4.15.4-00373-gee058bb4d0c2 #2
+ [42760.603767] Stack : 8e09bd20 8e09bd20 8e09bd20 fffffff0 00000007 00000006 00000000 8e09bca8
+ [42760.616937] 95b2b379 95b2b379 807a0080 00000007 81944518 0000018a 00000032 00000000
+ [42760.630095] 00000000 00000030 80000000 00000000 806eca74 00000009 8017e2b8 000001a0
+ [42760.643169] 00000000 00000002 00000000 8e09baa4 00000008 808b8008 86d69080 8e09bca0
+ [42760.656282] 8e09ad50 805e20aa 00000000 00000000 00000000 8017e2b8 00000009 801070ca
+ [42760.669424] ...
+ [42760.673919] Call Trace:
+ [42760.678672] [<27fde568>] show_stack+0x70/0xf0
+ [42760.685417] [<84751641>] dump_stack+0xaa/0xd0
+ [42760.692188] [<699d671c>] __warn+0x80/0x92
+ [42760.698549] [<68915d41>] warn_slowpath_null+0x28/0x36
+ [42760.705912] [<f7c76c1c>] smp_call_function_many+0x88/0x20c
+ [42760.713696] [<6bbdfc2a>] arch_trigger_cpumask_backtrace+0x30/0x4a
+ [42760.722216] [<f845bd33>] rcu_dump_cpu_stacks+0x6a/0x98
+ [42760.729580] [<796e7629>] rcu_check_callbacks+0x672/0x6ac
+ [42760.737476] [<059b3b43>] update_process_times+0x18/0x34
+ [42760.744981] [<6eb94941>] tick_sched_handle.isra.5+0x26/0x38
+ [42760.752793] [<478d3d70>] tick_sched_timer+0x1c/0x50
+ [42760.759882] [<e56ea39f>] __hrtimer_run_queues+0xc6/0x226
+ [42760.767418] [<e88bbcae>] hrtimer_interrupt+0x88/0x19a
+ [42760.775031] [<6765a19e>] gic_compare_interrupt+0x2e/0x3a
+ [42760.782761] [<0558bf5f>] handle_percpu_devid_irq+0x78/0x168
+ [42760.790795] [<90c11ba2>] generic_handle_irq+0x1e/0x2c
+ [42760.798117] [<1b6d462c>] gic_handle_local_int+0x38/0x86
+ [42760.805545] [<b2ada1c7>] gic_irq_dispatch+0xa/0x14
+ [42760.812534] [<90c11ba2>] generic_handle_irq+0x1e/0x2c
+ [42760.820086] [<c7521934>] do_IRQ+0x16/0x20
+ [42760.826274] [<9aef3ce6>] plat_irq_dispatch+0x62/0x94
+ [42760.833458] [<6a94b53c>] except_vec_vi_end+0x70/0x78
+ [42760.840655] [<22284043>] smp_call_function_many+0x1ba/0x20c
+ [42760.848501] [<54022b58>] smp_call_function+0x1e/0x2c
+ [42760.855693] [<ab9fc705>] flush_tlb_mm+0x2a/0x98
+ [42760.862730] [<0844cdd0>] tlb_flush_mmu+0x1c/0x44
+ [42760.869628] [<cb259b74>] arch_tlb_finish_mmu+0x26/0x3e
+ [42760.877021] [<1aeaaf74>] tlb_finish_mmu+0x18/0x66
+ [42760.883907] [<b3fce717>] exit_mmap+0x76/0xea
+ [42760.890428] [<c4c8a2f6>] mmput+0x80/0x11a
+ [42760.896632] [<a41a08f4>] do_exit+0x1f4/0x80c
+ [42760.903158] [<ee01cef6>] do_group_exit+0x20/0x7e
+ [42760.909990] [<13fa8d54>] __wake_up_parent+0x0/0x1e
+ [42760.917045] [<46cf89d0>] smp_call_function_many+0x1a2/0x20c
+ [42760.924893] [<8c21a93b>] syscall_common+0x14/0x1c
+ [42760.931765] ---[ end trace 02aa09da9dc52a60 ]---
+ [42760.938342] ------------[ cut here ]------------
+ [42760.945311] WARNING: CPU: 2 PID: 1216 at kernel/smp.c:291 smp_call_function_single+0xee/0xf8
+ ...
+
+This patch switches MIPS' arch_trigger_cpumask_backtrace() to use async
+IPIs & smp_call_function_single_async() in order to resolve this
+problem. We ensure use of the pre-allocated call_single_data_t
+structures is serialized by maintaining a cpumask indicating that
+they're busy, and refusing to attempt to send an IPI when a CPU's bit is
+set in this mask. This should only happen if a CPU hasn't responded to a
+previous backtrace IPI - ie. if it's hung - and we print a warning to
+the console in this case.
+
+I've marked this for stable branches as far back as v4.9, to which it
+applies cleanly. Strictly speaking the faulty MIPS implementation can be
+traced further back to commit 856839b76836 ("MIPS: Add
+arch_trigger_all_cpu_backtrace() function") in v3.19, but kernel
+versions v3.19 through v4.8 will require further work to backport due to
+the rework performed in commit 9a01c3ed5cdb ("nmi_backtrace: add more
+trigger_*_cpu_backtrace() methods").
+
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/19597/
+Cc: James Hogan <jhogan@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Huacai Chen <chenhc@lemote.com>
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org # v4.9+
+Fixes: 856839b76836 ("MIPS: Add arch_trigger_all_cpu_backtrace() function")
+Fixes: 9a01c3ed5cdb ("nmi_backtrace: add more trigger_*_cpu_backtrace() methods")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/process.c | 45 ++++++++++++++++++++++++++++++---------------
+ 1 file changed, 30 insertions(+), 15 deletions(-)
+
+--- a/arch/mips/kernel/process.c
++++ b/arch/mips/kernel/process.c
+@@ -29,6 +29,7 @@
+ #include <linux/kallsyms.h>
+ #include <linux/random.h>
+ #include <linux/prctl.h>
++#include <linux/nmi.h>
+
+ #include <asm/asm.h>
+ #include <asm/bootinfo.h>
+@@ -655,28 +656,42 @@ unsigned long arch_align_stack(unsigned
+ return sp & ALMASK;
+ }
+
+-static void arch_dump_stack(void *info)
+-{
+- struct pt_regs *regs;
++static DEFINE_PER_CPU(call_single_data_t, backtrace_csd);
++static struct cpumask backtrace_csd_busy;
+
+- regs = get_irq_regs();
+-
+- if (regs)
+- show_regs(regs);
+- else
+- dump_stack();
++static void handle_backtrace(void *info)
++{
++ nmi_cpu_backtrace(get_irq_regs());
++ cpumask_clear_cpu(smp_processor_id(), &backtrace_csd_busy);
+ }
+
+-void arch_trigger_cpumask_backtrace(const cpumask_t *mask, bool exclude_self)
++static void raise_backtrace(cpumask_t *mask)
+ {
+- long this_cpu = get_cpu();
++ call_single_data_t *csd;
++ int cpu;
+
+- if (cpumask_test_cpu(this_cpu, mask) && !exclude_self)
+- dump_stack();
++ for_each_cpu(cpu, mask) {
++ /*
++ * If we previously sent an IPI to the target CPU & it hasn't
++ * cleared its bit in the busy cpumask then it didn't handle
++ * our previous IPI & it's not safe for us to reuse the
++ * call_single_data_t.
++ */
++ if (cpumask_test_and_set_cpu(cpu, &backtrace_csd_busy)) {
++ pr_warn("Unable to send backtrace IPI to CPU%u - perhaps it hung?\n",
++ cpu);
++ continue;
++ }
+
+- smp_call_function_many(mask, arch_dump_stack, NULL, 1);
++ csd = &per_cpu(backtrace_csd, cpu);
++ csd->func = handle_backtrace;
++ smp_call_function_single_async(cpu, csd);
++ }
++}
+
+- put_cpu();
++void arch_trigger_cpumask_backtrace(const cpumask_t *mask, bool exclude_self)
++{
++ nmi_trigger_cpumask_backtrace(mask, exclude_self, raise_backtrace);
+ }
+
+ int mips_get_process_fp_mode(struct task_struct *task)
--- /dev/null
+From 7a6b9f4d601dfce8cb68f0dcfd834270280e31e6 Mon Sep 17 00:00:00 2001
+From: x00270170 <xiaqing17@hisilicon.com>
+Date: Tue, 3 Jul 2018 15:06:27 +0800
+Subject: mmc: dw_mmc: fix card threshold control configuration
+
+From: x00270170 <xiaqing17@hisilicon.com>
+
+commit 7a6b9f4d601dfce8cb68f0dcfd834270280e31e6 upstream.
+
+Card write threshold control is supposed to be set since controller
+version 2.80a for data write in HS400 mode and data read in
+HS200/HS400/SDR104 mode. However the current code returns without
+configuring it in the case of data writing in HS400 mode.
+Meanwhile the patch fixes that the current code goes to
+'disable' when doing data reading in HS400 mode.
+
+Fixes: 7e4bf1bc9543 ("mmc: dw_mmc: add the card write threshold for HS400 mode")
+Signed-off-by: Qing Xia <xiaqing17@hisilicon.com>
+Cc: stable@vger.kernel.org # v4.8+
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/dw_mmc.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/host/dw_mmc.c
++++ b/drivers/mmc/host/dw_mmc.c
+@@ -1065,8 +1065,8 @@ static void dw_mci_ctrl_thld(struct dw_m
+ * It's used when HS400 mode is enabled.
+ */
+ if (data->flags & MMC_DATA_WRITE &&
+- !(host->timing != MMC_TIMING_MMC_HS400))
+- return;
++ host->timing != MMC_TIMING_MMC_HS400)
++ goto disable;
+
+ if (data->flags & MMC_DATA_WRITE)
+ enable = SDMMC_CARD_WR_THR_EN;
+@@ -1074,7 +1074,8 @@ static void dw_mci_ctrl_thld(struct dw_m
+ enable = SDMMC_CARD_RD_THR_EN;
+
+ if (host->timing != MMC_TIMING_MMC_HS200 &&
+- host->timing != MMC_TIMING_UHS_SDR104)
++ host->timing != MMC_TIMING_UHS_SDR104 &&
++ host->timing != MMC_TIMING_MMC_HS400)
+ goto disable;
+
+ blksz_depth = blksz / (1 << host->data_shift);
--- /dev/null
+From 25a98edd5795719c5187e16ea271e8de86e02809 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Fri, 29 Jun 2018 19:01:45 +0900
+Subject: mmc: renesas_sdhi_internal_dmac: Cannot clear the RX_IN_USE in abort
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 25a98edd5795719c5187e16ea271e8de86e02809 upstream.
+
+This patch is fixes an issue that the SDHI_INTERNAL_DMAC_RX_IN_USE
+flag cannot be cleared because tmio_mmc_core sets the host->data
+to NULL before the tmio_mmc_core calls tmio_mmc_abort_dma().
+
+So, this patch clears the SDHI_INTERNAL_DMAC_RX_IN_USE in
+the renesas_sdhi_internal_dmac_abort_dma() anyway. This doesn't
+cause any side effects.
+
+Fixes: 0cbc94daa554 ("mmc: renesas_sdhi_internal_dmac: limit DMA RX for old SoCs")
+Cc: <stable@vger.kernel.org> # v4.17+
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/renesas_sdhi_internal_dmac.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/renesas_sdhi_internal_dmac.c
++++ b/drivers/mmc/host/renesas_sdhi_internal_dmac.c
+@@ -139,8 +139,7 @@ renesas_sdhi_internal_dmac_abort_dma(str
+ renesas_sdhi_internal_dmac_dm_write(host, DM_CM_RST,
+ RST_RESERVED_BITS | val);
+
+- if (host->data && host->data->flags & MMC_DATA_READ)
+- clear_bit(SDHI_INTERNAL_DMAC_RX_IN_USE, &global_flags);
++ clear_bit(SDHI_INTERNAL_DMAC_RX_IN_USE, &global_flags);
+
+ renesas_sdhi_internal_dmac_enable_dma(host, true);
+ }
--- /dev/null
+From 92748beac07c471d995fbec642b63572dc01b3dc Mon Sep 17 00:00:00 2001
+From: Stefan Agner <stefan@agner.ch>
+Date: Wed, 4 Jul 2018 17:07:45 +0200
+Subject: mmc: sdhci-esdhc-imx: allow 1.8V modes without 100/200MHz pinctrl states
+
+From: Stefan Agner <stefan@agner.ch>
+
+commit 92748beac07c471d995fbec642b63572dc01b3dc upstream.
+
+If pinctrl nodes for 100/200MHz are missing, the controller should
+not select any mode which need signal frequencies 100MHz or higher.
+To prevent such speed modes the driver currently uses the quirk flag
+SDHCI_QUIRK2_NO_1_8_V. This works nicely for SD cards since 1.8V
+signaling is required for all faster modes and slower modes use 3.3V
+signaling only.
+
+However, there are eMMC modes which use 1.8V signaling and run below
+100MHz, e.g. DDR52 at 1.8V. With using SDHCI_QUIRK2_NO_1_8_V this
+mode is prevented. When using a fixed 1.8V regulator as vqmmc-supply
+the stack has no valid mode to use. In this tenuous situation the
+kernel continuously prints voltage switching errors:
+ mmc1: Switching to 3.3V signalling voltage failed
+
+Avoid using SDHCI_QUIRK2_NO_1_8_V and prevent faster modes by
+altering the SDHCI capability register. With that the stack is able
+to select 1.8V modes even if no faster pinctrl states are available:
+ # cat /sys/kernel/debug/mmc1/ios
+ ...
+ timing spec: 8 (mmc DDR52)
+ signal voltage: 1 (1.80 V)
+ ...
+
+Link: http://lkml.kernel.org/r/20180628081331.13051-1-stefan@agner.ch
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Fixes: ad93220de7da ("mmc: sdhci-esdhc-imx: change pinctrl state according
+to uhs mode")
+Cc: <stable@vger.kernel.org> # v4.13+
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-esdhc-imx.c | 21 +++++++++------------
+ 1 file changed, 9 insertions(+), 12 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-esdhc-imx.c
++++ b/drivers/mmc/host/sdhci-esdhc-imx.c
+@@ -306,6 +306,15 @@ static u32 esdhc_readl_le(struct sdhci_h
+
+ if (imx_data->socdata->flags & ESDHC_FLAG_HS400)
+ val |= SDHCI_SUPPORT_HS400;
++
++ /*
++ * Do not advertise faster UHS modes if there are no
++ * pinctrl states for 100MHz/200MHz.
++ */
++ if (IS_ERR_OR_NULL(imx_data->pins_100mhz) ||
++ IS_ERR_OR_NULL(imx_data->pins_200mhz))
++ val &= ~(SDHCI_SUPPORT_SDR50 | SDHCI_SUPPORT_DDR50
++ | SDHCI_SUPPORT_SDR104 | SDHCI_SUPPORT_HS400);
+ }
+ }
+
+@@ -1136,18 +1145,6 @@ sdhci_esdhc_imx_probe_dt(struct platform
+ ESDHC_PINCTRL_STATE_100MHZ);
+ imx_data->pins_200mhz = pinctrl_lookup_state(imx_data->pinctrl,
+ ESDHC_PINCTRL_STATE_200MHZ);
+- if (IS_ERR(imx_data->pins_100mhz) ||
+- IS_ERR(imx_data->pins_200mhz)) {
+- dev_warn(mmc_dev(host->mmc),
+- "could not get ultra high speed state, work on normal mode\n");
+- /*
+- * fall back to not supporting uhs by specifying no
+- * 1.8v quirk
+- */
+- host->quirks2 |= SDHCI_QUIRK2_NO_1_8_V;
+- }
+- } else {
+- host->quirks2 |= SDHCI_QUIRK2_NO_1_8_V;
+ }
+
+ /* call to generic mmc_of_parse to support additional capabilities */
--- /dev/null
+From aa7eee8a143a7e8b530eb1e75fb86cae793d1e21 Mon Sep 17 00:00:00 2001
+From: Vignesh R <vigneshr@ti.com>
+Date: Sat, 30 Jun 2018 16:24:21 +0530
+Subject: mtd: spi-nor: cadence-quadspi: Fix direct mode write timeouts
+
+From: Vignesh R <vigneshr@ti.com>
+
+commit aa7eee8a143a7e8b530eb1e75fb86cae793d1e21 upstream.
+
+Sometimes when writing large size files to flash in direct/memory mapped
+mode, it is seen that flash write enable command times out with error:
+[ 503.146293] cadence-qspi 47040000.ospi: Flash command execution timed out.
+
+This is because, we need to make sure previous direct write operation
+is complete by polling for IDLE bit in CONFIG_REG before starting the
+next operation.
+
+Fix this by polling for IDLE bit after memory mapped write.
+
+Fixes: a27f2eaf2b27 ("mtd: spi-nor: cadence-quadspi: Add support for direct access mode")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Reviewed-by: Marek Vasut <marek.vasut@gmail.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/spi-nor/cadence-quadspi.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/spi-nor/cadence-quadspi.c
++++ b/drivers/mtd/spi-nor/cadence-quadspi.c
+@@ -920,10 +920,12 @@ static ssize_t cqspi_write(struct spi_no
+ if (ret)
+ return ret;
+
+- if (f_pdata->use_direct_mode)
++ if (f_pdata->use_direct_mode) {
+ memcpy_toio(cqspi->ahb_base + to, buf, len);
+- else
++ ret = cqspi_wait_idle(cqspi);
++ } else {
+ ret = cqspi_indirect_write_execute(nor, to, buf, len);
++ }
+ if (ret)
+ return ret;
+
bpf-reject-passing-modified-ctx-to-helper-functions.patch
+mips-call-dump_stack-from-show_regs.patch
+mips-use-async-ipis-for-arch_trigger_cpumask_backtrace.patch
+mips-fix-ioremap-ram-check.patch
+drm-etnaviv-check-for-platform_device_register_simple-failure.patch
+drm-etnaviv-fix-driver-unregistering.patch
+drm-etnaviv-bring-back-progress-check-in-job-timeout-handler.patch
+acpica-clear-status-of-all-events-when-entering-s5.patch
+mmc-sdhci-esdhc-imx-allow-1.8v-modes-without-100-200mhz-pinctrl-states.patch
+mmc-dw_mmc-fix-card-threshold-control-configuration.patch
+mmc-renesas_sdhi_internal_dmac-cannot-clear-the-rx_in_use-in-abort.patch
+ibmasm-don-t-write-out-of-bounds-in-read-handler.patch
+staging-rtl8723bs-prevent-an-underflow-in-rtw_check_beacon_data.patch
+staging-r8822be-fix-rtl8822be-can-t-find-any-wireless-ap.patch
+ata-fix-zbc_out-command-block-check.patch
+ata-fix-zbc_out-all-bit-handling.patch
+mei-discard-messages-from-not-connected-client-during-power-down.patch
+mtd-spi-nor-cadence-quadspi-fix-direct-mode-write-timeouts.patch
+tracing-kprobe-release-kprobe-print_fmt-properly.patch
+vmw_balloon-fix-inflation-with-batching.patch
+ahci-add-intel-ice-lake-lp-pci-id.patch
+ahci-disable-lpm-on-lenovo-50-series-laptops-with-a-too-old-bios.patch
--- /dev/null
+From d59d2f9995d28974877750f429e821324bd603c7 Mon Sep 17 00:00:00 2001
+From: Ping-Ke Shih <pkshih@realtek.com>
+Date: Fri, 6 Jul 2018 13:44:35 +0800
+Subject: staging: r8822be: Fix RTL8822be can't find any wireless AP
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+commit d59d2f9995d28974877750f429e821324bd603c7 upstream.
+
+RTL8822be can't bring up properly on ASUS X530UN, and dmesg says:
+[ 8.591333] r8822be: module is from the staging directory, the quality
+is unknown, you have been warned.
+[ 8.593122] r8822be 0000:02:00.0: enabling device (0000 -> 0003)
+[ 8.669163] r8822be: Using firmware rtlwifi/rtl8822befw.bin
+[ 9.289939] r8822be: rtlwifi: wireless switch is on
+[ 10.056426] r8822be 0000:02:00.0 wlp2s0: renamed from wlan0
+...
+[ 11.952534] r8822be: halmac_init_hal failed
+[ 11.955933] r8822be: halmac_init_hal failed
+[ 11.956227] r8822be: halmac_init_hal failed
+[ 22.007942] r8822be: halmac_init_hal failed
+
+Jian-Hong reported it works if turn off ASPM with module parameter aspm=0.
+In order to fix this problem kindly, this commit don't turn off aspm but
+enlarge ASPM L1 latency to 7.
+
+Reported-by: Jian-Hong Pan <jian-hong@endlessm.com>
+Tested-by: Jian-Hong Pan <jian-hong@endlessm.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtlwifi/rtl8822be/hw.c | 2 +-
+ drivers/staging/rtlwifi/wifi.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/rtlwifi/rtl8822be/hw.c
++++ b/drivers/staging/rtlwifi/rtl8822be/hw.c
+@@ -814,7 +814,7 @@ static void _rtl8822be_enable_aspm_back_
+ return;
+
+ pci_read_config_byte(rtlpci->pdev, 0x70f, &tmp);
+- pci_write_config_byte(rtlpci->pdev, 0x70f, tmp | BIT(7));
++ pci_write_config_byte(rtlpci->pdev, 0x70f, tmp | ASPM_L1_LATENCY << 3);
+
+ pci_read_config_byte(rtlpci->pdev, 0x719, &tmp);
+ pci_write_config_byte(rtlpci->pdev, 0x719, tmp | BIT(3) | BIT(4));
+--- a/drivers/staging/rtlwifi/wifi.h
++++ b/drivers/staging/rtlwifi/wifi.h
+@@ -99,6 +99,7 @@
+ #define RTL_USB_MAX_RX_COUNT 100
+ #define QBSS_LOAD_SIZE 5
+ #define MAX_WMMELE_LENGTH 64
++#define ASPM_L1_LATENCY 7
+
+ #define TOTAL_CAM_ENTRY 32
+
--- /dev/null
+From 920c92448839bd4f8eb87a92b08cad56d449caff Mon Sep 17 00:00:00 2001
+From: Murray McAllister <murray.mcallister@insomniasec.com>
+Date: Mon, 2 Jul 2018 13:07:28 +1200
+Subject: staging: rtl8723bs: Prevent an underflow in rtw_check_beacon_data().
+
+From: Murray McAllister <murray.mcallister@insomniasec.com>
+
+commit 920c92448839bd4f8eb87a92b08cad56d449caff upstream.
+
+Dan Carpenter reported an integer underflow issue in the rtl8188eu driver.
+This is also needed for the length (signed integer) in rtl8723bs, as it is
+later converted to an unsigned integer and used in a memcpy operation.
+
+Original issue is at https://patchwork.kernel.org/patch/9796371/
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Murray McAllister <murray.mcallister@insomniasec.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8723bs/core/rtw_ap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_ap.c
++++ b/drivers/staging/rtl8723bs/core/rtw_ap.c
+@@ -1059,7 +1059,7 @@ int rtw_check_beacon_data(struct adapter
+ return _FAIL;
+
+
+- if (len > MAX_IE_SZ)
++ if (len < 0 || len > MAX_IE_SZ)
+ return _FAIL;
+
+ pbss_network->IELength = len;
--- /dev/null
+From 0fc8c3581dd42bc8f530314ca86db2d861485731 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Mon, 9 Jul 2018 16:19:06 +0200
+Subject: tracing/kprobe: Release kprobe print_fmt properly
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+commit 0fc8c3581dd42bc8f530314ca86db2d861485731 upstream.
+
+We don't release tk->tp.call.print_fmt when destroying
+local uprobe. Also there's missing print_fmt kfree in
+create_local_trace_kprobe error path.
+
+Link: http://lkml.kernel.org/r/20180709141906.2390-1-jolsa@kernel.org
+
+Cc: stable@vger.kernel.org
+Fixes: e12f03d7031a ("perf/core: Implement the 'perf_kprobe' PMU")
+Acked-by: Song Liu <songliubraving@fb.com>
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_kprobe.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_kprobe.c
++++ b/kernel/trace/trace_kprobe.c
+@@ -1451,8 +1451,10 @@ create_local_trace_kprobe(char *func, vo
+ }
+
+ ret = __register_trace_kprobe(tk);
+- if (ret < 0)
++ if (ret < 0) {
++ kfree(tk->tp.call.print_fmt);
+ goto error;
++ }
+
+ return &tk->tp.call;
+ error:
+@@ -1472,6 +1474,8 @@ void destroy_local_trace_kprobe(struct t
+ }
+
+ __unregister_trace_kprobe(tk);
++
++ kfree(tk->tp.call.print_fmt);
+ free_trace_kprobe(tk);
+ }
+ #endif /* CONFIG_PERF_EVENTS */
--- /dev/null
+From 90d72ce079791399ac255c75728f3c9e747b093d Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@vmware.com>
+Date: Mon, 2 Jul 2018 19:27:13 -0700
+Subject: vmw_balloon: fix inflation with batching
+
+From: Nadav Amit <namit@vmware.com>
+
+commit 90d72ce079791399ac255c75728f3c9e747b093d upstream.
+
+Embarrassingly, the recent fix introduced worse problem than it solved,
+causing the balloon not to inflate. The VM informed the hypervisor that
+the pages for lock/unlock are sitting in the wrong address, as it used
+the page that is used the uninitialized page variable.
+
+Fixes: b23220fe054e9 ("vmw_balloon: fixing double free when batching mode is off")
+Cc: stable@vger.kernel.org
+Reviewed-by: Xavier Deguillard <xdeguillard@vmware.com>
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/vmw_balloon.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/misc/vmw_balloon.c
++++ b/drivers/misc/vmw_balloon.c
+@@ -467,7 +467,7 @@ static int vmballoon_send_batched_lock(s
+ unsigned int num_pages, bool is_2m_pages, unsigned int *target)
+ {
+ unsigned long status;
+- unsigned long pfn = page_to_pfn(b->page);
++ unsigned long pfn = PHYS_PFN(virt_to_phys(b->batch_page));
+
+ STATS_INC(b->stats.lock[is_2m_pages]);
+
+@@ -515,7 +515,7 @@ static bool vmballoon_send_batched_unloc
+ unsigned int num_pages, bool is_2m_pages, unsigned int *target)
+ {
+ unsigned long status;
+- unsigned long pfn = page_to_pfn(b->page);
++ unsigned long pfn = PHYS_PFN(virt_to_phys(b->batch_page));
+
+ STATS_INC(b->stats.unlock[is_2m_pages]);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
