--- /dev/null
+From 098a0a62c1554f5a3813ef1b8539563214ada8f6 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 17 Oct 2017 16:38:55 +0200
+Subject: ALSA: hda: Abort capability probe at invalid register read
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 098a0a62c1554f5a3813ef1b8539563214ada8f6 upstream.
+
+The loop in snd_hdac_bus_parse_capabilities() may go to nirvana when
+it hits an invalid register value read:
+
+ BUG: unable to handle kernel paging request at ffffad5dc41f3fff
+ IP: pci_azx_readl+0x5/0x10 [snd_hda_intel]
+ Call Trace:
+ snd_hdac_bus_parse_capabilities+0x3c/0x1f0 [snd_hda_core]
+ azx_probe_continue+0x7d5/0x940 [snd_hda_intel]
+ .....
+
+This happened on a new Intel machine, and we need to check the value
+and abort the loop accordingly.
+
+[Note: the fixes tag below indicates only the commit where this patch
+ can be applied; the original problem was introduced even before that
+ commit]
+
+Fixes: 6720b38420a0 ("ALSA: hda - move bus_parse_capabilities to core")
+Acked-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/hda/hdac_controller.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/sound/hda/hdac_controller.c
++++ b/sound/hda/hdac_controller.c
+@@ -284,6 +284,11 @@ int snd_hdac_bus_parse_capabilities(stru
+ dev_dbg(bus->dev, "HDA capability ID: 0x%x\n",
+ (cur_cap & AZX_CAP_HDR_ID_MASK) >> AZX_CAP_HDR_ID_OFF);
+
++ if (cur_cap == -1) {
++ dev_dbg(bus->dev, "Invalid capability reg read\n");
++ break;
++ }
++
+ switch ((cur_cap & AZX_CAP_HDR_ID_MASK) >> AZX_CAP_HDR_ID_OFF) {
+ case AZX_ML_CAP_ID:
+ dev_dbg(bus->dev, "Found ML capability\n");
--- /dev/null
+From 6bf88a343db2b3c160edf9b82a74966b31cc80bd Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 17 Oct 2017 11:58:17 +0200
+Subject: ALSA: hda: Remove superfluous '-' added by printk conversion
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 6bf88a343db2b3c160edf9b82a74966b31cc80bd upstream.
+
+While converting the error messages to the standard macros in the
+commit 4e76a8833fac ("ALSA: hda - Replace with standard printk"), a
+superfluous '-' slipped in the code mistakenly. Its influence is
+almost negligible, merely shows a dB value as negative integer instead
+of positive integer (or vice versa) in the rare error message.
+So let's kill this embarrassing byte to show more correct value.
+
+Fixes: 4e76a8833fac ("ALSA: hda - Replace with standard printk")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_codec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -1824,7 +1824,7 @@ static int get_kctl_0dB_offset(struct hd
+ return -1;
+ if (*step_to_check && *step_to_check != step) {
+ codec_err(codec, "Mismatching dB step for vmaster slave (%d!=%d)\n",
+-- *step_to_check, step);
++ *step_to_check, step);
+ return -1;
+ }
+ *step_to_check = step;
--- /dev/null
+From 8009d506a1dd00cf436b0c4cca0dcec130580a21 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Wed, 18 Oct 2017 00:45:49 +0100
+Subject: ALSA: seq: Enable 'use' locking in all configurations
+
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+
+commit 8009d506a1dd00cf436b0c4cca0dcec130580a21 upstream.
+
+The 'use' locking macros are no-ops if neither SMP or SND_DEBUG is
+enabled. This might once have been OK in non-preemptible
+configurations, but even in that case snd_seq_read() may sleep while
+relying on a 'use' lock. So always use the proper implementations.
+
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_lock.c | 4 ----
+ sound/core/seq/seq_lock.h | 12 ------------
+ 2 files changed, 16 deletions(-)
+
+--- a/sound/core/seq/seq_lock.c
++++ b/sound/core/seq/seq_lock.c
+@@ -23,8 +23,6 @@
+ #include <sound/core.h>
+ #include "seq_lock.h"
+
+-#if defined(CONFIG_SMP) || defined(CONFIG_SND_DEBUG)
+-
+ /* wait until all locks are released */
+ void snd_use_lock_sync_helper(snd_use_lock_t *lockp, const char *file, int line)
+ {
+@@ -41,5 +39,3 @@ void snd_use_lock_sync_helper(snd_use_lo
+ }
+ }
+ EXPORT_SYMBOL(snd_use_lock_sync_helper);
+-
+-#endif
+--- a/sound/core/seq/seq_lock.h
++++ b/sound/core/seq/seq_lock.h
+@@ -3,8 +3,6 @@
+
+ #include <linux/sched.h>
+
+-#if defined(CONFIG_SMP) || defined(CONFIG_SND_DEBUG)
+-
+ typedef atomic_t snd_use_lock_t;
+
+ /* initialize lock */
+@@ -20,14 +18,4 @@ typedef atomic_t snd_use_lock_t;
+ void snd_use_lock_sync_helper(snd_use_lock_t *lock, const char *file, int line);
+ #define snd_use_lock_sync(lockp) snd_use_lock_sync_helper(lockp, __BASE_FILE__, __LINE__)
+
+-#else /* SMP || CONFIG_SND_DEBUG */
+-
+-typedef spinlock_t snd_use_lock_t; /* dummy */
+-#define snd_use_lock_init(lockp) /**/
+-#define snd_use_lock_use(lockp) /**/
+-#define snd_use_lock_free(lockp) /**/
+-#define snd_use_lock_sync(lockp) /**/
+-
+-#endif /* SMP || CONFIG_SND_DEBUG */
+-
+ #endif /* __SND_SEQ_LOCK_H */
--- /dev/null
+From a231d2783c332ef3e3ba238e82dbe599ff41ba14 Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Fri, 8 Sep 2017 15:50:09 +0800
+Subject: ARM: dts: sun6i: Fix endpoint IDs in second display pipeline
+
+From: Chen-Yu Tsai <wens@csie.org>
+
+commit a231d2783c332ef3e3ba238e82dbe599ff41ba14 upstream.
+
+When the second display pipeline device nodes for the A31/A31s were
+added, it was not known that the TCONs could (through either DRCs)
+select either backend as their input. Thus in the endpoints connecting
+these components together, the endpoint IDs were set to 0, while in
+fact they should have been set to 1.
+
+Fixes: 9a26882a7378 ("ARM: dts: sun6i: Add second display pipeline device
+ nodes")
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/sun6i-a31.dtsi | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/arch/arm/boot/dts/sun6i-a31.dtsi
++++ b/arch/arm/boot/dts/sun6i-a31.dtsi
+@@ -311,8 +311,8 @@
+ #size-cells = <0>;
+ reg = <0>;
+
+- tcon1_in_drc1: endpoint@0 {
+- reg = <0>;
++ tcon1_in_drc1: endpoint@1 {
++ reg = <1>;
+ remote-endpoint = <&drc1_out_tcon1>;
+ };
+ };
+@@ -1012,8 +1012,8 @@
+ #size-cells = <0>;
+ reg = <1>;
+
+- be1_out_drc1: endpoint@0 {
+- reg = <0>;
++ be1_out_drc1: endpoint@1 {
++ reg = <1>;
+ remote-endpoint = <&drc1_in_be1>;
+ };
+ };
+@@ -1042,8 +1042,8 @@
+ #size-cells = <0>;
+ reg = <0>;
+
+- drc1_in_be1: endpoint@0 {
+- reg = <0>;
++ drc1_in_be1: endpoint@1 {
++ reg = <1>;
+ remote-endpoint = <&be1_out_drc1>;
+ };
+ };
+@@ -1053,8 +1053,8 @@
+ #size-cells = <0>;
+ reg = <1>;
+
+- drc1_out_tcon1: endpoint@0 {
+- reg = <0>;
++ drc1_out_tcon1: endpoint@1 {
++ reg = <1>;
+ remote-endpoint = <&tcon1_in_drc1>;
+ };
+ };
--- /dev/null
+From dd2349121bb1b8ff688c3ca6a2a0bea9d8c142ca Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Sat, 16 Sep 2017 21:08:24 -0700
+Subject: brcmfmac: Add check for short event packets
+
+From: Kevin Cernekee <cernekee@chromium.org>
+
+commit dd2349121bb1b8ff688c3ca6a2a0bea9d8c142ca upstream.
+
+The length of the data in the received skb is currently passed into
+brcmf_fweh_process_event() as packet_len, but this value is not checked.
+event_packet should be followed by DATALEN bytes of additional event
+data. Ensure that the received packet actually contains at least
+DATALEN bytes of additional data, to avoid copying uninitialized memory
+into event->data.
+
+Suggested-by: Mattias Nissler <mnissler@chromium.org>
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+@@ -429,7 +429,8 @@ void brcmf_fweh_process_event(struct brc
+ if (code != BRCMF_E_IF && !fweh->evt_handler[code])
+ return;
+
+- if (datalen > BRCMF_DCMD_MAXLEN)
++ if (datalen > BRCMF_DCMD_MAXLEN ||
++ datalen + sizeof(*event_packet) > packet_len)
+ return;
+
+ if (in_interrupt())
--- /dev/null
+From c503dd38f850be28867ef7a42d9abe5ade81a9bd Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 22 Sep 2017 23:29:12 +0200
+Subject: brcmsmac: make some local variables 'static const' to reduce stack size
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit c503dd38f850be28867ef7a42d9abe5ade81a9bd upstream.
+
+With KASAN and a couple of other patches applied, this driver is one
+of the few remaining ones that actually use more than 2048 bytes of
+kernel stack:
+
+broadcom/brcm80211/brcmsmac/phy/phy_n.c: In function 'wlc_phy_workarounds_nphy_gainctrl':
+broadcom/brcm80211/brcmsmac/phy/phy_n.c:16065:1: warning: the frame size of 3264 bytes is larger than 2048 bytes [-Wframe-larger-than=]
+broadcom/brcm80211/brcmsmac/phy/phy_n.c: In function 'wlc_phy_workarounds_nphy':
+broadcom/brcm80211/brcmsmac/phy/phy_n.c:17138:1: warning: the frame size of 2864 bytes is larger than 2048 bytes [-Wframe-larger-than=]
+
+Here, I'm reducing the stack size by marking as many local variables as
+'static const' as I can without changing the actual code.
+
+This is the first of three patches to improve the stack usage in this
+driver. It would be good to have this backported to stabl kernels
+to get all drivers in 'allmodconfig' below the 2048 byte limit so
+we can turn on the frame warning again globally, but I realize that
+the patch is larger than the normal limit for stable backports.
+
+The other two patches do not need to be backported.
+
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c | 197 +++++------
+ 1 file changed, 97 insertions(+), 100 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c
+@@ -14764,8 +14764,8 @@ static void wlc_phy_ipa_restore_tx_digi_
+ }
+
+ static void
+-wlc_phy_set_rfseq_nphy(struct brcms_phy *pi, u8 cmd, u8 *events, u8 *dlys,
+- u8 len)
++wlc_phy_set_rfseq_nphy(struct brcms_phy *pi, u8 cmd, const u8 *events,
++ const u8 *dlys, u8 len)
+ {
+ u32 t1_offset, t2_offset;
+ u8 ctr;
+@@ -15240,16 +15240,16 @@ static void wlc_phy_workarounds_nphy_gai
+ static void wlc_phy_workarounds_nphy_gainctrl_2057_rev6(struct brcms_phy *pi)
+ {
+ u16 currband;
+- s8 lna1G_gain_db_rev7[] = { 9, 14, 19, 24 };
+- s8 *lna1_gain_db = NULL;
+- s8 *lna1_gain_db_2 = NULL;
+- s8 *lna2_gain_db = NULL;
+- s8 tiaA_gain_db_rev7[] = { -9, -6, -3, 0, 3, 3, 3, 3, 3, 3 };
+- s8 *tia_gain_db;
+- s8 tiaA_gainbits_rev7[] = { 0, 1, 2, 3, 4, 4, 4, 4, 4, 4 };
+- s8 *tia_gainbits;
+- u16 rfseqA_init_gain_rev7[] = { 0x624f, 0x624f };
+- u16 *rfseq_init_gain;
++ static const s8 lna1G_gain_db_rev7[] = { 9, 14, 19, 24 };
++ const s8 *lna1_gain_db = NULL;
++ const s8 *lna1_gain_db_2 = NULL;
++ const s8 *lna2_gain_db = NULL;
++ static const s8 tiaA_gain_db_rev7[] = { -9, -6, -3, 0, 3, 3, 3, 3, 3, 3 };
++ const s8 *tia_gain_db;
++ static const s8 tiaA_gainbits_rev7[] = { 0, 1, 2, 3, 4, 4, 4, 4, 4, 4 };
++ const s8 *tia_gainbits;
++ static const u16 rfseqA_init_gain_rev7[] = { 0x624f, 0x624f };
++ const u16 *rfseq_init_gain;
+ u16 init_gaincode;
+ u16 clip1hi_gaincode;
+ u16 clip1md_gaincode = 0;
+@@ -15310,10 +15310,9 @@ static void wlc_phy_workarounds_nphy_gai
+
+ if ((freq <= 5080) || (freq == 5825)) {
+
+- s8 lna1A_gain_db_rev7[] = { 11, 16, 20, 24 };
+- s8 lna1A_gain_db_2_rev7[] = {
+- 11, 17, 22, 25};
+- s8 lna2A_gain_db_rev7[] = { -1, 6, 10, 14 };
++ static const s8 lna1A_gain_db_rev7[] = { 11, 16, 20, 24 };
++ static const s8 lna1A_gain_db_2_rev7[] = { 11, 17, 22, 25};
++ static const s8 lna2A_gain_db_rev7[] = { -1, 6, 10, 14 };
+
+ crsminu_th = 0x3e;
+ lna1_gain_db = lna1A_gain_db_rev7;
+@@ -15321,10 +15320,9 @@ static void wlc_phy_workarounds_nphy_gai
+ lna2_gain_db = lna2A_gain_db_rev7;
+ } else if ((freq >= 5500) && (freq <= 5700)) {
+
+- s8 lna1A_gain_db_rev7[] = { 11, 17, 21, 25 };
+- s8 lna1A_gain_db_2_rev7[] = {
+- 12, 18, 22, 26};
+- s8 lna2A_gain_db_rev7[] = { 1, 8, 12, 16 };
++ static const s8 lna1A_gain_db_rev7[] = { 11, 17, 21, 25 };
++ static const s8 lna1A_gain_db_2_rev7[] = { 12, 18, 22, 26};
++ static const s8 lna2A_gain_db_rev7[] = { 1, 8, 12, 16 };
+
+ crsminu_th = 0x45;
+ clip1md_gaincode_B = 0x14;
+@@ -15335,10 +15333,9 @@ static void wlc_phy_workarounds_nphy_gai
+ lna2_gain_db = lna2A_gain_db_rev7;
+ } else {
+
+- s8 lna1A_gain_db_rev7[] = { 12, 18, 22, 26 };
+- s8 lna1A_gain_db_2_rev7[] = {
+- 12, 18, 22, 26};
+- s8 lna2A_gain_db_rev7[] = { -1, 6, 10, 14 };
++ static const s8 lna1A_gain_db_rev7[] = { 12, 18, 22, 26 };
++ static const s8 lna1A_gain_db_2_rev7[] = { 12, 18, 22, 26};
++ static const s8 lna2A_gain_db_rev7[] = { -1, 6, 10, 14 };
+
+ crsminu_th = 0x41;
+ lna1_gain_db = lna1A_gain_db_rev7;
+@@ -15450,65 +15447,65 @@ static void wlc_phy_workarounds_nphy_gai
+ NPHY_RFSEQ_CMD_CLR_HIQ_DIS,
+ NPHY_RFSEQ_CMD_SET_HPF_BW
+ };
+- u8 rfseq_updategainu_dlys[] = { 10, 30, 1 };
+- s8 lna1G_gain_db[] = { 7, 11, 16, 23 };
+- s8 lna1G_gain_db_rev4[] = { 8, 12, 17, 25 };
+- s8 lna1G_gain_db_rev5[] = { 9, 13, 18, 26 };
+- s8 lna1G_gain_db_rev6[] = { 8, 13, 18, 25 };
+- s8 lna1G_gain_db_rev6_224B0[] = { 10, 14, 19, 27 };
+- s8 lna1A_gain_db[] = { 7, 11, 17, 23 };
+- s8 lna1A_gain_db_rev4[] = { 8, 12, 18, 23 };
+- s8 lna1A_gain_db_rev5[] = { 6, 10, 16, 21 };
+- s8 lna1A_gain_db_rev6[] = { 6, 10, 16, 21 };
+- s8 *lna1_gain_db = NULL;
+- s8 lna2G_gain_db[] = { -5, 6, 10, 14 };
+- s8 lna2G_gain_db_rev5[] = { -3, 7, 11, 16 };
+- s8 lna2G_gain_db_rev6[] = { -5, 6, 10, 14 };
+- s8 lna2G_gain_db_rev6_224B0[] = { -5, 6, 10, 15 };
+- s8 lna2A_gain_db[] = { -6, 2, 6, 10 };
+- s8 lna2A_gain_db_rev4[] = { -5, 2, 6, 10 };
+- s8 lna2A_gain_db_rev5[] = { -7, 0, 4, 8 };
+- s8 lna2A_gain_db_rev6[] = { -7, 0, 4, 8 };
+- s8 *lna2_gain_db = NULL;
+- s8 tiaG_gain_db[] = {
++ static const u8 rfseq_updategainu_dlys[] = { 10, 30, 1 };
++ static const s8 lna1G_gain_db[] = { 7, 11, 16, 23 };
++ static const s8 lna1G_gain_db_rev4[] = { 8, 12, 17, 25 };
++ static const s8 lna1G_gain_db_rev5[] = { 9, 13, 18, 26 };
++ static const s8 lna1G_gain_db_rev6[] = { 8, 13, 18, 25 };
++ static const s8 lna1G_gain_db_rev6_224B0[] = { 10, 14, 19, 27 };
++ static const s8 lna1A_gain_db[] = { 7, 11, 17, 23 };
++ static const s8 lna1A_gain_db_rev4[] = { 8, 12, 18, 23 };
++ static const s8 lna1A_gain_db_rev5[] = { 6, 10, 16, 21 };
++ static const s8 lna1A_gain_db_rev6[] = { 6, 10, 16, 21 };
++ const s8 *lna1_gain_db = NULL;
++ static const s8 lna2G_gain_db[] = { -5, 6, 10, 14 };
++ static const s8 lna2G_gain_db_rev5[] = { -3, 7, 11, 16 };
++ static const s8 lna2G_gain_db_rev6[] = { -5, 6, 10, 14 };
++ static const s8 lna2G_gain_db_rev6_224B0[] = { -5, 6, 10, 15 };
++ static const s8 lna2A_gain_db[] = { -6, 2, 6, 10 };
++ static const s8 lna2A_gain_db_rev4[] = { -5, 2, 6, 10 };
++ static const s8 lna2A_gain_db_rev5[] = { -7, 0, 4, 8 };
++ static const s8 lna2A_gain_db_rev6[] = { -7, 0, 4, 8 };
++ const s8 *lna2_gain_db = NULL;
++ static const s8 tiaG_gain_db[] = {
+ 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A };
+- s8 tiaA_gain_db[] = {
++ static const s8 tiaA_gain_db[] = {
+ 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13 };
+- s8 tiaA_gain_db_rev4[] = {
++ static const s8 tiaA_gain_db_rev4[] = {
+ 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d };
+- s8 tiaA_gain_db_rev5[] = {
++ static const s8 tiaA_gain_db_rev5[] = {
+ 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d };
+- s8 tiaA_gain_db_rev6[] = {
++ static const s8 tiaA_gain_db_rev6[] = {
+ 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d };
+- s8 *tia_gain_db;
+- s8 tiaG_gainbits[] = {
++ const s8 *tia_gain_db;
++ static const s8 tiaG_gainbits[] = {
+ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03 };
+- s8 tiaA_gainbits[] = {
++ static const s8 tiaA_gainbits[] = {
+ 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06 };
+- s8 tiaA_gainbits_rev4[] = {
++ static const s8 tiaA_gainbits_rev4[] = {
+ 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04 };
+- s8 tiaA_gainbits_rev5[] = {
++ static const s8 tiaA_gainbits_rev5[] = {
+ 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04 };
+- s8 tiaA_gainbits_rev6[] = {
++ static const s8 tiaA_gainbits_rev6[] = {
+ 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04 };
+- s8 *tia_gainbits;
+- s8 lpf_gain_db[] = { 0x00, 0x06, 0x0c, 0x12, 0x12, 0x12 };
+- s8 lpf_gainbits[] = { 0x00, 0x01, 0x02, 0x03, 0x03, 0x03 };
+- u16 rfseqG_init_gain[] = { 0x613f, 0x613f, 0x613f, 0x613f };
+- u16 rfseqG_init_gain_rev4[] = { 0x513f, 0x513f, 0x513f, 0x513f };
+- u16 rfseqG_init_gain_rev5[] = { 0x413f, 0x413f, 0x413f, 0x413f };
+- u16 rfseqG_init_gain_rev5_elna[] = {
++ const s8 *tia_gainbits;
++ static const s8 lpf_gain_db[] = { 0x00, 0x06, 0x0c, 0x12, 0x12, 0x12 };
++ static const s8 lpf_gainbits[] = { 0x00, 0x01, 0x02, 0x03, 0x03, 0x03 };
++ static const u16 rfseqG_init_gain[] = { 0x613f, 0x613f, 0x613f, 0x613f };
++ static const u16 rfseqG_init_gain_rev4[] = { 0x513f, 0x513f, 0x513f, 0x513f };
++ static const u16 rfseqG_init_gain_rev5[] = { 0x413f, 0x413f, 0x413f, 0x413f };
++ static const u16 rfseqG_init_gain_rev5_elna[] = {
+ 0x013f, 0x013f, 0x013f, 0x013f };
+- u16 rfseqG_init_gain_rev6[] = { 0x513f, 0x513f };
+- u16 rfseqG_init_gain_rev6_224B0[] = { 0x413f, 0x413f };
+- u16 rfseqG_init_gain_rev6_elna[] = { 0x113f, 0x113f };
+- u16 rfseqA_init_gain[] = { 0x516f, 0x516f, 0x516f, 0x516f };
+- u16 rfseqA_init_gain_rev4[] = { 0x614f, 0x614f, 0x614f, 0x614f };
+- u16 rfseqA_init_gain_rev4_elna[] = {
++ static const u16 rfseqG_init_gain_rev6[] = { 0x513f, 0x513f };
++ static const u16 rfseqG_init_gain_rev6_224B0[] = { 0x413f, 0x413f };
++ static const u16 rfseqG_init_gain_rev6_elna[] = { 0x113f, 0x113f };
++ static const u16 rfseqA_init_gain[] = { 0x516f, 0x516f, 0x516f, 0x516f };
++ static const u16 rfseqA_init_gain_rev4[] = { 0x614f, 0x614f, 0x614f, 0x614f };
++ static const u16 rfseqA_init_gain_rev4_elna[] = {
+ 0x314f, 0x314f, 0x314f, 0x314f };
+- u16 rfseqA_init_gain_rev5[] = { 0x714f, 0x714f, 0x714f, 0x714f };
+- u16 rfseqA_init_gain_rev6[] = { 0x714f, 0x714f };
+- u16 *rfseq_init_gain;
++ static const u16 rfseqA_init_gain_rev5[] = { 0x714f, 0x714f, 0x714f, 0x714f };
++ static const u16 rfseqA_init_gain_rev6[] = { 0x714f, 0x714f };
++ const u16 *rfseq_init_gain;
+ u16 initG_gaincode = 0x627e;
+ u16 initG_gaincode_rev4 = 0x527e;
+ u16 initG_gaincode_rev5 = 0x427e;
+@@ -15538,10 +15535,10 @@ static void wlc_phy_workarounds_nphy_gai
+ u16 clip1mdA_gaincode_rev6 = 0x2084;
+ u16 clip1md_gaincode = 0;
+ u16 clip1loG_gaincode = 0x0074;
+- u16 clip1loG_gaincode_rev5[] = {
++ static const u16 clip1loG_gaincode_rev5[] = {
+ 0x0062, 0x0064, 0x006a, 0x106a, 0x106c, 0x1074, 0x107c, 0x207c
+ };
+- u16 clip1loG_gaincode_rev6[] = {
++ static const u16 clip1loG_gaincode_rev6[] = {
+ 0x106a, 0x106c, 0x1074, 0x107c, 0x007e, 0x107e, 0x207e, 0x307e
+ };
+ u16 clip1loG_gaincode_rev6_224B0 = 0x1074;
+@@ -16066,7 +16063,7 @@ static void wlc_phy_workarounds_nphy_gai
+
+ static void wlc_phy_workarounds_nphy(struct brcms_phy *pi)
+ {
+- u8 rfseq_rx2tx_events[] = {
++ static const u8 rfseq_rx2tx_events[] = {
+ NPHY_RFSEQ_CMD_NOP,
+ NPHY_RFSEQ_CMD_RXG_FBW,
+ NPHY_RFSEQ_CMD_TR_SWITCH,
+@@ -16076,7 +16073,7 @@ static void wlc_phy_workarounds_nphy(str
+ NPHY_RFSEQ_CMD_EXT_PA
+ };
+ u8 rfseq_rx2tx_dlys[] = { 8, 6, 6, 2, 4, 60, 1 };
+- u8 rfseq_tx2rx_events[] = {
++ static const u8 rfseq_tx2rx_events[] = {
+ NPHY_RFSEQ_CMD_NOP,
+ NPHY_RFSEQ_CMD_EXT_PA,
+ NPHY_RFSEQ_CMD_TX_GAIN,
+@@ -16085,8 +16082,8 @@ static void wlc_phy_workarounds_nphy(str
+ NPHY_RFSEQ_CMD_RXG_FBW,
+ NPHY_RFSEQ_CMD_CLR_HIQ_DIS
+ };
+- u8 rfseq_tx2rx_dlys[] = { 8, 6, 2, 4, 4, 6, 1 };
+- u8 rfseq_tx2rx_events_rev3[] = {
++ static const u8 rfseq_tx2rx_dlys[] = { 8, 6, 2, 4, 4, 6, 1 };
++ static const u8 rfseq_tx2rx_events_rev3[] = {
+ NPHY_REV3_RFSEQ_CMD_EXT_PA,
+ NPHY_REV3_RFSEQ_CMD_INT_PA_PU,
+ NPHY_REV3_RFSEQ_CMD_TX_GAIN,
+@@ -16096,7 +16093,7 @@ static void wlc_phy_workarounds_nphy(str
+ NPHY_REV3_RFSEQ_CMD_CLR_HIQ_DIS,
+ NPHY_REV3_RFSEQ_CMD_END
+ };
+- u8 rfseq_tx2rx_dlys_rev3[] = { 8, 4, 2, 2, 4, 4, 6, 1 };
++ static const u8 rfseq_tx2rx_dlys_rev3[] = { 8, 4, 2, 2, 4, 4, 6, 1 };
+ u8 rfseq_rx2tx_events_rev3[] = {
+ NPHY_REV3_RFSEQ_CMD_NOP,
+ NPHY_REV3_RFSEQ_CMD_RXG_FBW,
+@@ -16110,7 +16107,7 @@ static void wlc_phy_workarounds_nphy(str
+ };
+ u8 rfseq_rx2tx_dlys_rev3[] = { 8, 6, 6, 4, 4, 18, 42, 1, 1 };
+
+- u8 rfseq_rx2tx_events_rev3_ipa[] = {
++ static const u8 rfseq_rx2tx_events_rev3_ipa[] = {
+ NPHY_REV3_RFSEQ_CMD_NOP,
+ NPHY_REV3_RFSEQ_CMD_RXG_FBW,
+ NPHY_REV3_RFSEQ_CMD_TR_SWITCH,
+@@ -16121,15 +16118,15 @@ static void wlc_phy_workarounds_nphy(str
+ NPHY_REV3_RFSEQ_CMD_INT_PA_PU,
+ NPHY_REV3_RFSEQ_CMD_END
+ };
+- u8 rfseq_rx2tx_dlys_rev3_ipa[] = { 8, 6, 6, 4, 4, 16, 43, 1, 1 };
+- u16 rfseq_rx2tx_dacbufpu_rev7[] = { 0x10f, 0x10f };
++ static const u8 rfseq_rx2tx_dlys_rev3_ipa[] = { 8, 6, 6, 4, 4, 16, 43, 1, 1 };
++ static const u16 rfseq_rx2tx_dacbufpu_rev7[] = { 0x10f, 0x10f };
+
+ s16 alpha0, alpha1, alpha2;
+ s16 beta0, beta1, beta2;
+ u32 leg_data_weights, ht_data_weights, nss1_data_weights,
+ stbc_data_weights;
+ u8 chan_freq_range = 0;
+- u16 dac_control = 0x0002;
++ static const u16 dac_control = 0x0002;
+ u16 aux_adc_vmid_rev7_core0[] = { 0x8e, 0x96, 0x96, 0x96 };
+ u16 aux_adc_vmid_rev7_core1[] = { 0x8f, 0x9f, 0x9f, 0x96 };
+ u16 aux_adc_vmid_rev4[] = { 0xa2, 0xb4, 0xb4, 0x89 };
+@@ -16139,8 +16136,8 @@ static void wlc_phy_workarounds_nphy(str
+ u16 aux_adc_gain_rev4[] = { 0x02, 0x02, 0x02, 0x00 };
+ u16 aux_adc_gain_rev3[] = { 0x02, 0x02, 0x02, 0x00 };
+ u16 *aux_adc_gain;
+- u16 sk_adc_vmid[] = { 0xb4, 0xb4, 0xb4, 0x24 };
+- u16 sk_adc_gain[] = { 0x02, 0x02, 0x02, 0x02 };
++ static const u16 sk_adc_vmid[] = { 0xb4, 0xb4, 0xb4, 0x24 };
++ static const u16 sk_adc_gain[] = { 0x02, 0x02, 0x02, 0x02 };
+ s32 min_nvar_val = 0x18d;
+ s32 min_nvar_offset_6mbps = 20;
+ u8 pdetrange;
+@@ -16151,9 +16148,9 @@ static void wlc_phy_workarounds_nphy(str
+ u16 rfseq_rx2tx_lpf_h_hpc_rev7 = 0x77;
+ u16 rfseq_tx2rx_lpf_h_hpc_rev7 = 0x77;
+ u16 rfseq_pktgn_lpf_h_hpc_rev7 = 0x77;
+- u16 rfseq_htpktgn_lpf_hpc_rev7[] = { 0x77, 0x11, 0x11 };
+- u16 rfseq_pktgn_lpf_hpc_rev7[] = { 0x11, 0x11 };
+- u16 rfseq_cckpktgn_lpf_hpc_rev7[] = { 0x11, 0x11 };
++ static const u16 rfseq_htpktgn_lpf_hpc_rev7[] = { 0x77, 0x11, 0x11 };
++ static const u16 rfseq_pktgn_lpf_hpc_rev7[] = { 0x11, 0x11 };
++ static const u16 rfseq_cckpktgn_lpf_hpc_rev7[] = { 0x11, 0x11 };
+ u16 ipalvlshift_3p3_war_en = 0;
+ u16 rccal_bcap_val, rccal_scap_val;
+ u16 rccal_tx20_11b_bcap = 0;
+@@ -24291,13 +24288,13 @@ static void wlc_phy_update_txcal_ladder_
+ u16 bbmult;
+ u16 tblentry;
+
+- struct nphy_txiqcal_ladder ladder_lo[] = {
++ static const struct nphy_txiqcal_ladder ladder_lo[] = {
+ {3, 0}, {4, 0}, {6, 0}, {9, 0}, {13, 0}, {18, 0},
+ {25, 0}, {25, 1}, {25, 2}, {25, 3}, {25, 4}, {25, 5},
+ {25, 6}, {25, 7}, {35, 7}, {50, 7}, {71, 7}, {100, 7}
+ };
+
+- struct nphy_txiqcal_ladder ladder_iq[] = {
++ static const struct nphy_txiqcal_ladder ladder_iq[] = {
+ {3, 0}, {4, 0}, {6, 0}, {9, 0}, {13, 0}, {18, 0},
+ {25, 0}, {35, 0}, {50, 0}, {71, 0}, {100, 0}, {100, 1},
+ {100, 2}, {100, 3}, {100, 4}, {100, 5}, {100, 6}, {100, 7}
+@@ -25773,67 +25770,67 @@ wlc_phy_cal_txiqlo_nphy(struct brcms_phy
+ u16 cal_gain[2];
+ struct nphy_iqcal_params cal_params[2];
+ u32 tbl_len;
+- void *tbl_ptr;
++ const void *tbl_ptr;
+ bool ladder_updated[2];
+ u8 mphase_cal_lastphase = 0;
+ int bcmerror = 0;
+ bool phyhang_avoid_state = false;
+
+- u16 tbl_tx_iqlo_cal_loft_ladder_20[] = {
++ static const u16 tbl_tx_iqlo_cal_loft_ladder_20[] = {
+ 0x0300, 0x0500, 0x0700, 0x0900, 0x0d00, 0x1100, 0x1900, 0x1901,
+ 0x1902,
+ 0x1903, 0x1904, 0x1905, 0x1906, 0x1907, 0x2407, 0x3207, 0x4607,
+ 0x6407
+ };
+
+- u16 tbl_tx_iqlo_cal_iqimb_ladder_20[] = {
++ static const u16 tbl_tx_iqlo_cal_iqimb_ladder_20[] = {
+ 0x0200, 0x0300, 0x0600, 0x0900, 0x0d00, 0x1100, 0x1900, 0x2400,
+ 0x3200,
+ 0x4600, 0x6400, 0x6401, 0x6402, 0x6403, 0x6404, 0x6405, 0x6406,
+ 0x6407
+ };
+
+- u16 tbl_tx_iqlo_cal_loft_ladder_40[] = {
++ static const u16 tbl_tx_iqlo_cal_loft_ladder_40[] = {
+ 0x0200, 0x0300, 0x0400, 0x0700, 0x0900, 0x0c00, 0x1200, 0x1201,
+ 0x1202,
+ 0x1203, 0x1204, 0x1205, 0x1206, 0x1207, 0x1907, 0x2307, 0x3207,
+ 0x4707
+ };
+
+- u16 tbl_tx_iqlo_cal_iqimb_ladder_40[] = {
++ static const u16 tbl_tx_iqlo_cal_iqimb_ladder_40[] = {
+ 0x0100, 0x0200, 0x0400, 0x0700, 0x0900, 0x0c00, 0x1200, 0x1900,
+ 0x2300,
+ 0x3200, 0x4700, 0x4701, 0x4702, 0x4703, 0x4704, 0x4705, 0x4706,
+ 0x4707
+ };
+
+- u16 tbl_tx_iqlo_cal_startcoefs[] = {
++ static const u16 tbl_tx_iqlo_cal_startcoefs[] = {
+ 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+ 0x0000
+ };
+
+- u16 tbl_tx_iqlo_cal_cmds_fullcal[] = {
++ static const u16 tbl_tx_iqlo_cal_cmds_fullcal[] = {
+ 0x8123, 0x8264, 0x8086, 0x8245, 0x8056,
+ 0x9123, 0x9264, 0x9086, 0x9245, 0x9056
+ };
+
+- u16 tbl_tx_iqlo_cal_cmds_recal[] = {
++ static const u16 tbl_tx_iqlo_cal_cmds_recal[] = {
+ 0x8101, 0x8253, 0x8053, 0x8234, 0x8034,
+ 0x9101, 0x9253, 0x9053, 0x9234, 0x9034
+ };
+
+- u16 tbl_tx_iqlo_cal_startcoefs_nphyrev3[] = {
++ static const u16 tbl_tx_iqlo_cal_startcoefs_nphyrev3[] = {
+ 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+ 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+ 0x0000
+ };
+
+- u16 tbl_tx_iqlo_cal_cmds_fullcal_nphyrev3[] = {
++ static const u16 tbl_tx_iqlo_cal_cmds_fullcal_nphyrev3[] = {
+ 0x8434, 0x8334, 0x8084, 0x8267, 0x8056, 0x8234,
+ 0x9434, 0x9334, 0x9084, 0x9267, 0x9056, 0x9234
+ };
+
+- u16 tbl_tx_iqlo_cal_cmds_recal_nphyrev3[] = {
++ static const u16 tbl_tx_iqlo_cal_cmds_recal_nphyrev3[] = {
+ 0x8423, 0x8323, 0x8073, 0x8256, 0x8045, 0x8223,
+ 0x9423, 0x9323, 0x9073, 0x9256, 0x9045, 0x9223
+ };
--- /dev/null
+From 2bbbd96357ce76cc45ec722c00f654aa7b189112 Mon Sep 17 00:00:00 2001
+From: Jan Luebbe <jlu@pengutronix.de>
+Date: Mon, 28 Aug 2017 17:25:16 +0200
+Subject: bus: mbus: fix window size calculation for 4GB windows
+
+From: Jan Luebbe <jlu@pengutronix.de>
+
+commit 2bbbd96357ce76cc45ec722c00f654aa7b189112 upstream.
+
+At least the Armada XP SoC supports 4GB on a single DRAM window. Because
+the size register values contain the actual size - 1, the MSB is set in
+that case. For example, the SDRAM window's control register's value is
+0xffffffe1 for 4GB (bits 31 to 24 contain the size).
+
+The MBUS driver reads back each window's size from registers and
+calculates the actual size as (control_reg | ~DDR_SIZE_MASK) + 1, which
+overflows for 32 bit values, resulting in other miscalculations further
+on (a bad RAM window for the CESA crypto engine calculated by
+mvebu_mbus_setup_cpu_target_nooverlap() in my case).
+
+This patch changes the type in 'struct mbus_dram_window' from u32 to
+u64, which allows us to keep using the same register calculation code in
+most MBUS-using drivers (which calculate ->size - 1 again).
+
+Fixes: fddddb52a6c4 ("bus: introduce an Marvell EBU MBus driver")
+Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bus/mvebu-mbus.c | 2 +-
+ include/linux/mbus.h | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/mvebu-mbus.c
++++ b/drivers/bus/mvebu-mbus.c
+@@ -720,7 +720,7 @@ mvebu_mbus_default_setup_cpu_target(stru
+ if (mbus->hw_io_coherency)
+ w->mbus_attr |= ATTR_HW_COHERENCY;
+ w->base = base & DDR_BASE_CS_LOW_MASK;
+- w->size = (size | ~DDR_SIZE_MASK) + 1;
++ w->size = (u64)(size | ~DDR_SIZE_MASK) + 1;
+ }
+ }
+ mvebu_mbus_dram_info.num_cs = cs;
+--- a/include/linux/mbus.h
++++ b/include/linux/mbus.h
+@@ -31,8 +31,8 @@ struct mbus_dram_target_info
+ struct mbus_dram_window {
+ u8 cs_index;
+ u8 mbus_attr;
+- u32 base;
+- u32 size;
++ u64 base;
++ u64 size;
+ } cs[4];
+ };
+
--- /dev/null
+From eb39a7c0355393c5a8d930f342ad7a6231b552c4 Mon Sep 17 00:00:00 2001
+From: David Kozub <zub@linux.fjfi.cvut.cz>
+Date: Thu, 19 Oct 2017 22:57:02 +0200
+Subject: clockevents/drivers/cs5535: Improve resilience to spurious interrupts
+
+From: David Kozub <zub@linux.fjfi.cvut.cz>
+
+commit eb39a7c0355393c5a8d930f342ad7a6231b552c4 upstream.
+
+The interrupt handler mfgpt_tick() is not robust versus spurious interrupts
+which happen before the clock event device is registered and fully
+initialized.
+
+The reason is that the safe guard against spurious interrupts solely checks
+for the clockevents shutdown state, but lacks a check for detached
+state. If the interrupt hits while the device is in detached state it
+passes the safe guard and dereferences the event handler call back which is
+NULL.
+
+Add the missing state check.
+
+Fixes: 8f9327cbb6e8 ("clockevents/drivers/cs5535: Migrate to new 'set-state' interface")
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: David Kozub <zub@linux.fjfi.cvut.cz>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lkml.kernel.org/r/20171020093103.3317F6004D@linux.fjfi.cvut.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clocksource/cs5535-clockevt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/clocksource/cs5535-clockevt.c
++++ b/drivers/clocksource/cs5535-clockevt.c
+@@ -117,7 +117,8 @@ static irqreturn_t mfgpt_tick(int irq, v
+ /* Turn off the clock (and clear the event) */
+ disable_timer(cs5535_event_clock);
+
+- if (clockevent_state_shutdown(&cs5535_clockevent))
++ if (clockevent_state_detached(&cs5535_clockevent) ||
++ clockevent_state_shutdown(&cs5535_clockevent))
+ return IRQ_HANDLED;
+
+ /* Clear the counter */
--- /dev/null
+From fbe776cc3a753618877f7ce87a28ae3480743348 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Fri, 13 Oct 2017 16:47:35 +0100
+Subject: drm/i915: Use bdw_ddi_translations_fdi for Broadwell
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit fbe776cc3a753618877f7ce87a28ae3480743348 upstream.
+
+The compiler warns:
+
+ drivers/gpu/drm/i915/intel_ddi.c:118:35: warning: ‘bdw_ddi_translations_fdi’ defined but not used
+
+Lo and behold, if we look at intel_ddi_get_buf_trans_fdi(), it uses
+hsw_ddi_translations_fdi[] for both Haswell and *Broadwell*
+
+Fixes: 7d1c42e679f9 ("drm/i915: Refactor code to select the DDI buf translation table")
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: David Weinehall <david.weinehall@linux.intel.com>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20171013154735.27163-1-chris@chris-wilson.co.uk
+Reviewed-by: Jani Nikula <jani.nikula@linux.intel.com>
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+(cherry picked from commit 1210d3889077653b90b0bfd2cc54e19f4766e4e6)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_ddi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_ddi.c
++++ b/drivers/gpu/drm/i915/intel_ddi.c
+@@ -664,8 +664,8 @@ intel_ddi_get_buf_trans_fdi(struct drm_i
+ int *n_entries)
+ {
+ if (IS_BROADWELL(dev_priv)) {
+- *n_entries = ARRAY_SIZE(hsw_ddi_translations_fdi);
+- return hsw_ddi_translations_fdi;
++ *n_entries = ARRAY_SIZE(bdw_ddi_translations_fdi);
++ return bdw_ddi_translations_fdi;
+ } else if (IS_HASWELL(dev_priv)) {
+ *n_entries = ARRAY_SIZE(hsw_ddi_translations_fdi);
+ return hsw_ddi_translations_fdi;
--- /dev/null
+From 194d68dd051c2dd5ac2b522ae16100e774e8d869 Mon Sep 17 00:00:00 2001
+From: Ilia Mirkin <imirkin@alum.mit.edu>
+Date: Sun, 1 Oct 2017 13:52:43 -0400
+Subject: drm/nouveau/bsp/g92: disable by default
+
+From: Ilia Mirkin <imirkin@alum.mit.edu>
+
+commit 194d68dd051c2dd5ac2b522ae16100e774e8d869 upstream.
+
+G92's seem to require some additional bit of initialization before the
+BSP engine can work. It feels like clocks are not set up for the
+underlying VLD engine, which means that all commands submitted to the
+xtensa chip end up hanging. VP seems to work fine though.
+
+This still allows people to force-enable the bsp engine if they want to
+play around with it, but makes it harder for the card to hang by
+default.
+
+Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/nouveau/nvkm/engine/bsp/g84.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/bsp/g84.c
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/bsp/g84.c
+@@ -39,5 +39,5 @@ int
+ g84_bsp_new(struct nvkm_device *device, int index, struct nvkm_engine **pengine)
+ {
+ return nvkm_xtensa_new_(&g84_bsp, device, index,
+- true, 0x103000, pengine);
++ device->chipset != 0x92, 0x103000, pengine);
+ }
--- /dev/null
+From 227f66d2f9954f68375736af62ebcd73c6754d69 Mon Sep 17 00:00:00 2001
+From: Ben Skeggs <bskeggs@redhat.com>
+Date: Tue, 3 Oct 2017 16:24:28 +1000
+Subject: drm/nouveau/kms/nv50: fix oops during DP IRQ handling on non-MST boards
+
+From: Ben Skeggs <bskeggs@redhat.com>
+
+commit 227f66d2f9954f68375736af62ebcd73c6754d69 upstream.
+
+Reported-by: Woody Suwalski <terraluna977@gmail.com>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/nouveau/nv50_display.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/nouveau/nv50_display.c
++++ b/drivers/gpu/drm/nouveau/nv50_display.c
+@@ -3281,11 +3281,14 @@ nv50_mstm = {
+ void
+ nv50_mstm_service(struct nv50_mstm *mstm)
+ {
+- struct drm_dp_aux *aux = mstm->mgr.aux;
++ struct drm_dp_aux *aux = mstm ? mstm->mgr.aux : NULL;
+ bool handled = true;
+ int ret;
+ u8 esi[8] = {};
+
++ if (!aux)
++ return;
++
+ while (handled) {
+ ret = drm_dp_dpcd_read(aux, DP_SINK_COUNT_ESI, esi, 8);
+ if (ret != 8) {
--- /dev/null
+From 77913bbcb43ac9a07a6fe849c2fd3bf85fc8bdd8 Mon Sep 17 00:00:00 2001
+From: Ben Skeggs <bskeggs@redhat.com>
+Date: Mon, 25 Sep 2017 15:05:38 +1000
+Subject: drm/nouveau/mmu: flush tlbs before deleting page tables
+
+From: Ben Skeggs <bskeggs@redhat.com>
+
+commit 77913bbcb43ac9a07a6fe849c2fd3bf85fc8bdd8 upstream.
+
+Even though we've zeroed the PDE, the GPU may have cached the PD, so we
+need to flush when deleting them.
+
+Noticed while working on replacement MMU code, but a backport might be a
+good idea, so let's fix it in the current code too.
+
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/nouveau/nvkm/subdev/mmu/base.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/base.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/base.c
+@@ -241,6 +241,8 @@ nvkm_vm_unmap_pgt(struct nvkm_vm *vm, in
+ mmu->func->map_pgt(vpgd->obj, pde, vpgt->mem);
+ }
+
++ mmu->func->flush(vm);
++
+ nvkm_memory_del(&pgt);
+ }
+ }
--- /dev/null
+From f66665c09ab489a11ca490d6a82df57cfc1bea3e Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 9 Oct 2017 12:51:27 -0700
+Subject: ecryptfs: fix dereference of NULL user_key_payload
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit f66665c09ab489a11ca490d6a82df57cfc1bea3e upstream.
+
+In eCryptfs, we failed to verify that the authentication token keys are
+not revoked before dereferencing their payloads, which is problematic
+because the payload of a revoked key is NULL. request_key() *does* skip
+revoked keys, but there is still a window where the key can be revoked
+before we acquire the key semaphore.
+
+Fix it by updating ecryptfs_get_key_payload_data() to return
+-EKEYREVOKED if the key payload is NULL. For completeness we check this
+for "encrypted" keys as well as "user" keys, although encrypted keys
+cannot be revoked currently.
+
+Alternatively we could use key_validate(), but since we'll also need to
+fix ecryptfs_get_key_payload_data() to validate the payload length, it
+seems appropriate to just check the payload pointer.
+
+Fixes: 237fead61998 ("[PATCH] ecryptfs: fs/Makefile and fs/Kconfig")
+Reviewed-by: James Morris <james.l.morris@oracle.com>
+Cc: Michael Halcrow <mhalcrow@google.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ecryptfs/ecryptfs_kernel.h | 24 +++++++++++++++++-------
+ fs/ecryptfs/keystore.c | 9 ++++++++-
+ 2 files changed, 25 insertions(+), 8 deletions(-)
+
+--- a/fs/ecryptfs/ecryptfs_kernel.h
++++ b/fs/ecryptfs/ecryptfs_kernel.h
+@@ -84,11 +84,16 @@ struct ecryptfs_page_crypt_context {
+ static inline struct ecryptfs_auth_tok *
+ ecryptfs_get_encrypted_key_payload_data(struct key *key)
+ {
+- if (key->type == &key_type_encrypted)
+- return (struct ecryptfs_auth_tok *)
+- (&((struct encrypted_key_payload *)key->payload.data[0])->payload_data);
+- else
++ struct encrypted_key_payload *payload;
++
++ if (key->type != &key_type_encrypted)
+ return NULL;
++
++ payload = key->payload.data[0];
++ if (!payload)
++ return ERR_PTR(-EKEYREVOKED);
++
++ return (struct ecryptfs_auth_tok *)payload->payload_data;
+ }
+
+ static inline struct key *ecryptfs_get_encrypted_key(char *sig)
+@@ -114,12 +119,17 @@ static inline struct ecryptfs_auth_tok *
+ ecryptfs_get_key_payload_data(struct key *key)
+ {
+ struct ecryptfs_auth_tok *auth_tok;
++ struct user_key_payload *ukp;
+
+ auth_tok = ecryptfs_get_encrypted_key_payload_data(key);
+- if (!auth_tok)
+- return (struct ecryptfs_auth_tok *)user_key_payload_locked(key)->data;
+- else
++ if (auth_tok)
+ return auth_tok;
++
++ ukp = user_key_payload_locked(key);
++ if (!ukp)
++ return ERR_PTR(-EKEYREVOKED);
++
++ return (struct ecryptfs_auth_tok *)ukp->data;
+ }
+
+ #define ECRYPTFS_MAX_KEYSET_SIZE 1024
+--- a/fs/ecryptfs/keystore.c
++++ b/fs/ecryptfs/keystore.c
+@@ -459,7 +459,8 @@ out:
+ * @auth_tok_key: key containing the authentication token
+ * @auth_tok: authentication token
+ *
+- * Returns zero on valid auth tok; -EINVAL otherwise
++ * Returns zero on valid auth tok; -EINVAL if the payload is invalid; or
++ * -EKEYREVOKED if the key was revoked before we acquired its semaphore.
+ */
+ static int
+ ecryptfs_verify_auth_tok_from_key(struct key *auth_tok_key,
+@@ -468,6 +469,12 @@ ecryptfs_verify_auth_tok_from_key(struct
+ int rc = 0;
+
+ (*auth_tok) = ecryptfs_get_key_payload_data(auth_tok_key);
++ if (IS_ERR(*auth_tok)) {
++ rc = PTR_ERR(*auth_tok);
++ *auth_tok = NULL;
++ goto out;
++ }
++
+ if (ecryptfs_verify_version((*auth_tok)->version)) {
+ printk(KERN_ERR "Data structure version mismatch. Userspace "
+ "tools must match eCryptfs kernel module with major "
--- /dev/null
+From d124b2c53c7bee6569d2a2d0b18b4a1afde00134 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 9 Oct 2017 12:40:00 -0700
+Subject: FS-Cache: fix dereference of NULL user_key_payload
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit d124b2c53c7bee6569d2a2d0b18b4a1afde00134 upstream.
+
+When the file /proc/fs/fscache/objects (available with
+CONFIG_FSCACHE_OBJECT_LIST=y) is opened, we request a user key with
+description "fscache:objlist", then access its payload. However, a
+revoked key has a NULL payload, and we failed to check for this.
+request_key() *does* skip revoked keys, but there is still a window
+where the key can be revoked before we access its payload.
+
+Fix it by checking for a NULL payload, treating it like a key which was
+already revoked at the time it was requested.
+
+Fixes: 4fbf4291aa15 ("FS-Cache: Allow the current state of all objects to be dumped")
+Reviewed-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fscache/object-list.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/fscache/object-list.c
++++ b/fs/fscache/object-list.c
+@@ -330,6 +330,13 @@ static void fscache_objlist_config(struc
+ rcu_read_lock();
+
+ confkey = user_key_payload_rcu(key);
++ if (!confkey) {
++ /* key was revoked */
++ rcu_read_unlock();
++ key_put(key);
++ goto no_config;
++ }
++
+ buf = confkey->data;
+
+ for (len = confkey->datalen - 1; len >= 0; len--) {
--- /dev/null
+From d60b5b7854c3d135b869f74fb93eaf63cbb1991a Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 9 Oct 2017 12:46:18 -0700
+Subject: fscrypt: fix dereference of NULL user_key_payload
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit d60b5b7854c3d135b869f74fb93eaf63cbb1991a upstream.
+
+When an fscrypt-encrypted file is opened, we request the file's master
+key from the keyrings service as a logon key, then access its payload.
+However, a revoked key has a NULL payload, and we failed to check for
+this. request_key() *does* skip revoked keys, but there is still a
+window where the key can be revoked before we acquire its semaphore.
+
+Fix it by checking for a NULL payload, treating it like a key which was
+already revoked at the time it was requested.
+
+Fixes: 88bd6ccdcdd6 ("ext4 crypto: add encryption key management facilities")
+Reviewed-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/crypto/keyinfo.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/crypto/keyinfo.c
++++ b/fs/crypto/keyinfo.c
+@@ -109,6 +109,11 @@ static int validate_user_key(struct fscr
+ goto out;
+ }
+ ukp = user_key_payload_locked(keyring_key);
++ if (!ukp) {
++ /* key was revoked before we acquired its semaphore */
++ res = -EKEYREVOKED;
++ goto out;
++ }
+ if (ukp->datalen != sizeof(struct fscrypt_key)) {
+ res = -EINVAL;
+ goto out;
--- /dev/null
+From c6ebcedbab7ca78984959386012a17b21183e1a3 Mon Sep 17 00:00:00 2001
+From: Pontus Andersson <epontan@gmail.com>
+Date: Mon, 2 Oct 2017 14:45:19 +0200
+Subject: i2c: ismt: Separate I2C block read from SMBus block read
+
+From: Pontus Andersson <epontan@gmail.com>
+
+commit c6ebcedbab7ca78984959386012a17b21183e1a3 upstream.
+
+Commit b6c159a9cb69 ("i2c: ismt: Don't duplicate the receive length for
+block reads") broke I2C block reads. It aimed to fix normal SMBus block
+read, but changed the correct behavior of I2C block read in the process.
+
+According to Documentation/i2c/smbus-protocol, one vital difference
+between normal SMBus block read and I2C block read is that there is no
+byte count prefixed in the data sent on the wire:
+
+ SMBus Block Read: i2c_smbus_read_block_data()
+ S Addr Wr [A] Comm [A]
+ S Addr Rd [A] [Count] A [Data] A [Data] A ... A [Data] NA P
+
+ I2C Block Read: i2c_smbus_read_i2c_block_data()
+ S Addr Wr [A] Comm [A]
+ S Addr Rd [A] [Data] A [Data] A ... A [Data] NA P
+
+Therefore the two transaction types need to be processed differently in
+the driver by copying of the dma_buffer as done previously for the
+I2C_SMBUS_I2C_BLOCK_DATA case.
+
+Fixes: b6c159a9cb69 ("i2c: ismt: Don't duplicate the receive length for block reads")
+Signed-off-by: Pontus Andersson <epontan@gmail.com>
+Tested-by: Stephen Douthit <stephend@adiengineering.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-ismt.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-ismt.c
++++ b/drivers/i2c/busses/i2c-ismt.c
+@@ -340,12 +340,15 @@ static int ismt_process_desc(const struc
+ data->word = dma_buffer[0] | (dma_buffer[1] << 8);
+ break;
+ case I2C_SMBUS_BLOCK_DATA:
+- case I2C_SMBUS_I2C_BLOCK_DATA:
+ if (desc->rxbytes != dma_buffer[0] + 1)
+ return -EMSGSIZE;
+
+ memcpy(data->block, dma_buffer, desc->rxbytes);
+ break;
++ case I2C_SMBUS_I2C_BLOCK_DATA:
++ memcpy(&data->block[1], dma_buffer, desc->rxbytes);
++ data->block[0] = desc->rxbytes;
++ break;
+ }
+ return 0;
+ }
--- /dev/null
+From 0fe16195f89173652cf111d7b384941b00c5aabd Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Sat, 15 Jul 2017 16:51:26 -0700
+Subject: i2c: piix4: Fix SMBus port selection for AMD Family 17h chips
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 0fe16195f89173652cf111d7b384941b00c5aabd upstream.
+
+AMD Family 17h uses the KERNCZ SMBus controller. While its documentation
+is not publicly available, it is documented in the BIOS and Kernel
+Developer’s Guide for AMD Family 15h Models 60h-6Fh Processors.
+
+On this SMBus controller, the port select register is at PMx register
+0x02, bit 4:3 (PMx00 register bit 20:19).
+
+Without this patch, the 4 SMBus channels on AMD Family 17h chips are
+mirrored and report the same chips on all channels.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-piix4.c | 30 ++++++++++++++++++++++++++----
+ 1 file changed, 26 insertions(+), 4 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-piix4.c
++++ b/drivers/i2c/busses/i2c-piix4.c
+@@ -94,6 +94,12 @@
+ #define SB800_PIIX4_PORT_IDX_ALT 0x2e
+ #define SB800_PIIX4_PORT_IDX_SEL 0x2f
+ #define SB800_PIIX4_PORT_IDX_MASK 0x06
++#define SB800_PIIX4_PORT_IDX_SHIFT 1
++
++/* On kerncz, SmBus0Sel is at bit 20:19 of PMx00 DecodeEn */
++#define SB800_PIIX4_PORT_IDX_KERNCZ 0x02
++#define SB800_PIIX4_PORT_IDX_MASK_KERNCZ 0x18
++#define SB800_PIIX4_PORT_IDX_SHIFT_KERNCZ 3
+
+ /* insmod parameters */
+
+@@ -149,6 +155,8 @@ static const struct dmi_system_id piix4_
+ */
+ static DEFINE_MUTEX(piix4_mutex_sb800);
+ static u8 piix4_port_sel_sb800;
++static u8 piix4_port_mask_sb800;
++static u8 piix4_port_shift_sb800;
+ static const char *piix4_main_port_names_sb800[PIIX4_MAX_ADAPTERS] = {
+ " port 0", " port 2", " port 3", " port 4"
+ };
+@@ -347,7 +355,19 @@ static int piix4_setup_sb800(struct pci_
+
+ /* Find which register is used for port selection */
+ if (PIIX4_dev->vendor == PCI_VENDOR_ID_AMD) {
+- piix4_port_sel_sb800 = SB800_PIIX4_PORT_IDX_ALT;
++ switch (PIIX4_dev->device) {
++ case PCI_DEVICE_ID_AMD_KERNCZ_SMBUS:
++ piix4_port_sel_sb800 = SB800_PIIX4_PORT_IDX_KERNCZ;
++ piix4_port_mask_sb800 = SB800_PIIX4_PORT_IDX_MASK_KERNCZ;
++ piix4_port_shift_sb800 = SB800_PIIX4_PORT_IDX_SHIFT_KERNCZ;
++ break;
++ case PCI_DEVICE_ID_AMD_HUDSON2_SMBUS:
++ default:
++ piix4_port_sel_sb800 = SB800_PIIX4_PORT_IDX_ALT;
++ piix4_port_mask_sb800 = SB800_PIIX4_PORT_IDX_MASK;
++ piix4_port_shift_sb800 = SB800_PIIX4_PORT_IDX_SHIFT;
++ break;
++ }
+ } else {
+ mutex_lock(&piix4_mutex_sb800);
+ outb_p(SB800_PIIX4_PORT_IDX_SEL, SB800_PIIX4_SMB_IDX);
+@@ -355,6 +375,8 @@ static int piix4_setup_sb800(struct pci_
+ piix4_port_sel_sb800 = (port_sel & 0x01) ?
+ SB800_PIIX4_PORT_IDX_ALT :
+ SB800_PIIX4_PORT_IDX;
++ piix4_port_mask_sb800 = SB800_PIIX4_PORT_IDX_MASK;
++ piix4_port_shift_sb800 = SB800_PIIX4_PORT_IDX_SHIFT;
+ mutex_unlock(&piix4_mutex_sb800);
+ }
+
+@@ -616,8 +638,8 @@ static s32 piix4_access_sb800(struct i2c
+ smba_en_lo = inb_p(SB800_PIIX4_SMB_IDX + 1);
+
+ port = adapdata->port;
+- if ((smba_en_lo & SB800_PIIX4_PORT_IDX_MASK) != port)
+- outb_p((smba_en_lo & ~SB800_PIIX4_PORT_IDX_MASK) | port,
++ if ((smba_en_lo & piix4_port_mask_sb800) != port)
++ outb_p((smba_en_lo & ~piix4_port_mask_sb800) | port,
+ SB800_PIIX4_SMB_IDX + 1);
+
+ retval = piix4_access(adap, addr, flags, read_write,
+@@ -706,7 +728,7 @@ static int piix4_add_adapter(struct pci_
+
+ adapdata->smba = smba;
+ adapdata->sb800_main = sb800_main;
+- adapdata->port = port << 1;
++ adapdata->port = port << piix4_port_shift_sb800;
+
+ /* set up the sysfs linkage to our parent device */
+ adap->dev.parent = &dev->dev;
--- /dev/null
+From c9bfb2f0031a2de664147ebbfb90f95bb12fdf79 Mon Sep 17 00:00:00 2001
+From: Chanwoo Choi <cw00.choi@samsung.com>
+Date: Wed, 18 Oct 2017 17:28:36 -0700
+Subject: Input: stmfts - fix setting ABS_MT_POSITION_* maximum size
+
+From: Chanwoo Choi <cw00.choi@samsung.com>
+
+commit c9bfb2f0031a2de664147ebbfb90f95bb12fdf79 upstream.
+
+The commit 78bcac7b2ae1e ("Input: add support for the STMicroelectronics
+FingerTip touchscreen) used the 'touchscreen_parse_properties()' helper
+function in order to get the value of common properties.
+
+But, commit 78bcac7b2ae1e didn't set the capability of ABS_MT_POSITION_*
+before calling touchscreen_parse_properties(). In result, the max_x and
+max_y of 'struct touchscreen_properties' were not set.
+
+Fixes: 78bcac7b2ae1e ("Input: add support for the STMicroelectronics FingerTip touchscreen")
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/stmfts.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/input/touchscreen/stmfts.c
++++ b/drivers/input/touchscreen/stmfts.c
+@@ -663,12 +663,10 @@ static int stmfts_probe(struct i2c_clien
+ sdata->input->open = stmfts_input_open;
+ sdata->input->close = stmfts_input_close;
+
++ input_set_capability(sdata->input, EV_ABS, ABS_MT_POSITION_X);
++ input_set_capability(sdata->input, EV_ABS, ABS_MT_POSITION_Y);
+ touchscreen_parse_properties(sdata->input, true, &sdata->prop);
+
+- input_set_abs_params(sdata->input, ABS_MT_POSITION_X, 0,
+- sdata->prop.max_x, 0, 0);
+- input_set_abs_params(sdata->input, ABS_MT_POSITION_Y, 0,
+- sdata->prop.max_y, 0, 0);
+ input_set_abs_params(sdata->input, ABS_MT_TOUCH_MAJOR, 0, 255, 0, 0);
+ input_set_abs_params(sdata->input, ABS_MT_TOUCH_MINOR, 0, 255, 0, 0);
+ input_set_abs_params(sdata->input, ABS_MT_ORIENTATION, 0, 255, 0, 0);
--- /dev/null
+From 60ff5b2f547af3828aebafd54daded44cfb0807a Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 12 Oct 2017 16:00:41 +0100
+Subject: KEYS: don't let add_key() update an uninstantiated key
+
+From: David Howells <dhowells@redhat.com>
+
+commit 60ff5b2f547af3828aebafd54daded44cfb0807a upstream.
+
+Currently, when passed a key that already exists, add_key() will call the
+key's ->update() method if such exists. But this is heavily broken in the
+case where the key is uninstantiated because it doesn't call
+__key_instantiate_and_link(). Consequently, it doesn't do most of the
+things that are supposed to happen when the key is instantiated, such as
+setting the instantiation state, clearing KEY_FLAG_USER_CONSTRUCT and
+awakening tasks waiting on it, and incrementing key->user->nikeys.
+
+It also never takes key_construction_mutex, which means that
+->instantiate() can run concurrently with ->update() on the same key. In
+the case of the "user" and "logon" key types this causes a memory leak, at
+best. Maybe even worse, the ->update() methods of the "encrypted" and
+"trusted" key types actually just dereference a NULL pointer when passed an
+uninstantiated key.
+
+Change key_create_or_update() to wait interruptibly for the key to finish
+construction before continuing.
+
+This patch only affects *uninstantiated* keys. For now we still allow a
+negatively instantiated key to be updated (thereby positively
+instantiating it), although that's broken too (the next patch fixes it)
+and I'm not sure that anyone actually uses that functionality either.
+
+Here is a simple reproducer for the bug using the "encrypted" key type
+(requires CONFIG_ENCRYPTED_KEYS=y), though as noted above the bug
+pertained to more than just the "encrypted" key type:
+
+ #include <stdlib.h>
+ #include <unistd.h>
+ #include <keyutils.h>
+
+ int main(void)
+ {
+ int ringid = keyctl_join_session_keyring(NULL);
+
+ if (fork()) {
+ for (;;) {
+ const char payload[] = "update user:foo 32";
+
+ usleep(rand() % 10000);
+ add_key("encrypted", "desc", payload, sizeof(payload), ringid);
+ keyctl_clear(ringid);
+ }
+ } else {
+ for (;;)
+ request_key("encrypted", "desc", "callout_info", ringid);
+ }
+ }
+
+It causes:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
+ IP: encrypted_update+0xb0/0x170
+ PGD 7a178067 P4D 7a178067 PUD 77269067 PMD 0
+ PREEMPT SMP
+ CPU: 0 PID: 340 Comm: reproduce Tainted: G D 4.14.0-rc1-00025-g428490e38b2e #796
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ task: ffff8a467a39a340 task.stack: ffffb15c40770000
+ RIP: 0010:encrypted_update+0xb0/0x170
+ RSP: 0018:ffffb15c40773de8 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: ffff8a467a275b00 RCX: 0000000000000000
+ RDX: 0000000000000005 RSI: ffff8a467a275b14 RDI: ffffffffb742f303
+ RBP: ffffb15c40773e20 R08: 0000000000000000 R09: ffff8a467a275b17
+ R10: 0000000000000020 R11: 0000000000000000 R12: 0000000000000000
+ R13: 0000000000000000 R14: ffff8a4677057180 R15: ffff8a467a275b0f
+ FS: 00007f5d7fb08700(0000) GS:ffff8a467f200000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000018 CR3: 0000000077262005 CR4: 00000000001606f0
+ Call Trace:
+ key_create_or_update+0x2bc/0x460
+ SyS_add_key+0x10c/0x1d0
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+ RIP: 0033:0x7f5d7f211259
+ RSP: 002b:00007ffed03904c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
+ RAX: ffffffffffffffda RBX: 000000003b2a7955 RCX: 00007f5d7f211259
+ RDX: 00000000004009e4 RSI: 00000000004009ff RDI: 0000000000400a04
+ RBP: 0000000068db8bad R08: 000000003b2a7955 R09: 0000000000000004
+ R10: 000000000000001a R11: 0000000000000246 R12: 0000000000400868
+ R13: 00007ffed03905d0 R14: 0000000000000000 R15: 0000000000000000
+ Code: 77 28 e8 64 34 1f 00 45 31 c0 31 c9 48 8d 55 c8 48 89 df 48 8d 75 d0 e8 ff f9 ff ff 85 c0 41 89 c4 0f 88 84 00 00 00 4c 8b 7d c8 <49> 8b 75 18 4c 89 ff e8 24 f8 ff ff 85 c0 41 89 c4 78 6d 49 8b
+ RIP: encrypted_update+0xb0/0x170 RSP: ffffb15c40773de8
+ CR2: 0000000000000018
+
+Reported-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/keys/key.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -945,6 +945,16 @@ error:
+ */
+ __key_link_end(keyring, &index_key, edit);
+
++ key = key_ref_to_ptr(key_ref);
++ if (test_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) {
++ ret = wait_for_key_construction(key, true);
++ if (ret < 0) {
++ key_ref_put(key_ref);
++ key_ref = ERR_PTR(ret);
++ goto error_free_prep;
++ }
++ }
++
+ key_ref = __key_update(key_ref, &prep);
+ goto error_free_prep;
+ }
--- /dev/null
+From 363b02dab09b3226f3bd1420dad9c72b79a42a76 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 4 Oct 2017 16:43:25 +0100
+Subject: KEYS: Fix race between updating and finding a negative key
+
+From: David Howells <dhowells@redhat.com>
+
+commit 363b02dab09b3226f3bd1420dad9c72b79a42a76 upstream.
+
+Consolidate KEY_FLAG_INSTANTIATED, KEY_FLAG_NEGATIVE and the rejection
+error into one field such that:
+
+ (1) The instantiation state can be modified/read atomically.
+
+ (2) The error can be accessed atomically with the state.
+
+ (3) The error isn't stored unioned with the payload pointers.
+
+This deals with the problem that the state is spread over three different
+objects (two bits and a separate variable) and reading or updating them
+atomically isn't practical, given that not only can uninstantiated keys
+change into instantiated or rejected keys, but rejected keys can also turn
+into instantiated keys - and someone accessing the key might not be using
+any locking.
+
+The main side effect of this problem is that what was held in the payload
+may change, depending on the state. For instance, you might observe the
+key to be in the rejected state. You then read the cached error, but if
+the key semaphore wasn't locked, the key might've become instantiated
+between the two reads - and you might now have something in hand that isn't
+actually an error code.
+
+The state is now KEY_IS_UNINSTANTIATED, KEY_IS_POSITIVE or a negative error
+code if the key is negatively instantiated. The key_is_instantiated()
+function is replaced with key_is_positive() to avoid confusion as negative
+keys are also 'instantiated'.
+
+Additionally, barriering is included:
+
+ (1) Order payload-set before state-set during instantiation.
+
+ (2) Order state-read before payload-read when using the key.
+
+Further separate barriering is necessary if RCU is being used to access the
+payload content after reading the payload pointers.
+
+Fixes: 146aa8b1453b ("KEYS: Merge the type-specific data with the payload data")
+Reported-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/key.h | 47 +++++++++++++++++++------------
+ net/dns_resolver/dns_key.c | 2 -
+ security/keys/big_key.c | 4 +-
+ security/keys/encrypted-keys/encrypted.c | 2 -
+ security/keys/gc.c | 8 ++---
+ security/keys/key.c | 31 +++++++++++++-------
+ security/keys/keyctl.c | 9 ++---
+ security/keys/keyring.c | 10 +++---
+ security/keys/proc.c | 7 +++-
+ security/keys/process_keys.c | 2 -
+ security/keys/request_key.c | 7 +---
+ security/keys/request_key_auth.c | 2 -
+ security/keys/trusted.c | 2 -
+ security/keys/user_defined.c | 4 +-
+ 14 files changed, 80 insertions(+), 57 deletions(-)
+
+--- a/include/linux/key.h
++++ b/include/linux/key.h
+@@ -138,6 +138,11 @@ struct key_restriction {
+ struct key_type *keytype;
+ };
+
++enum key_state {
++ KEY_IS_UNINSTANTIATED,
++ KEY_IS_POSITIVE, /* Positively instantiated */
++};
++
+ /*****************************************************************************/
+ /*
+ * authentication token / access credential / keyring
+@@ -169,6 +174,7 @@ struct key {
+ * - may not match RCU dereferenced payload
+ * - payload should contain own length
+ */
++ short state; /* Key state (+) or rejection error (-) */
+
+ #ifdef KEY_DEBUGGING
+ unsigned magic;
+@@ -176,18 +182,16 @@ struct key {
+ #endif
+
+ unsigned long flags; /* status flags (change with bitops) */
+-#define KEY_FLAG_INSTANTIATED 0 /* set if key has been instantiated */
+-#define KEY_FLAG_DEAD 1 /* set if key type has been deleted */
+-#define KEY_FLAG_REVOKED 2 /* set if key had been revoked */
+-#define KEY_FLAG_IN_QUOTA 3 /* set if key consumes quota */
+-#define KEY_FLAG_USER_CONSTRUCT 4 /* set if key is being constructed in userspace */
+-#define KEY_FLAG_NEGATIVE 5 /* set if key is negative */
+-#define KEY_FLAG_ROOT_CAN_CLEAR 6 /* set if key can be cleared by root without permission */
+-#define KEY_FLAG_INVALIDATED 7 /* set if key has been invalidated */
+-#define KEY_FLAG_BUILTIN 8 /* set if key is built in to the kernel */
+-#define KEY_FLAG_ROOT_CAN_INVAL 9 /* set if key can be invalidated by root without permission */
+-#define KEY_FLAG_KEEP 10 /* set if key should not be removed */
+-#define KEY_FLAG_UID_KEYRING 11 /* set if key is a user or user session keyring */
++#define KEY_FLAG_DEAD 0 /* set if key type has been deleted */
++#define KEY_FLAG_REVOKED 1 /* set if key had been revoked */
++#define KEY_FLAG_IN_QUOTA 2 /* set if key consumes quota */
++#define KEY_FLAG_USER_CONSTRUCT 3 /* set if key is being constructed in userspace */
++#define KEY_FLAG_ROOT_CAN_CLEAR 4 /* set if key can be cleared by root without permission */
++#define KEY_FLAG_INVALIDATED 5 /* set if key has been invalidated */
++#define KEY_FLAG_BUILTIN 6 /* set if key is built in to the kernel */
++#define KEY_FLAG_ROOT_CAN_INVAL 7 /* set if key can be invalidated by root without permission */
++#define KEY_FLAG_KEEP 8 /* set if key should not be removed */
++#define KEY_FLAG_UID_KEYRING 9 /* set if key is a user or user session keyring */
+
+ /* the key type and key description string
+ * - the desc is used to match a key against search criteria
+@@ -213,7 +217,6 @@ struct key {
+ struct list_head name_link;
+ struct assoc_array keys;
+ };
+- int reject_error;
+ };
+
+ /* This is set on a keyring to restrict the addition of a link to a key
+@@ -353,17 +356,27 @@ extern void key_set_timeout(struct key *
+ #define KEY_NEED_SETATTR 0x20 /* Require permission to change attributes */
+ #define KEY_NEED_ALL 0x3f /* All the above permissions */
+
++static inline short key_read_state(const struct key *key)
++{
++ /* Barrier versus mark_key_instantiated(). */
++ return smp_load_acquire(&key->state);
++}
++
+ /**
+- * key_is_instantiated - Determine if a key has been positively instantiated
++ * key_is_positive - Determine if a key has been positively instantiated
+ * @key: The key to check.
+ *
+ * Return true if the specified key has been positively instantiated, false
+ * otherwise.
+ */
+-static inline bool key_is_instantiated(const struct key *key)
++static inline bool key_is_positive(const struct key *key)
++{
++ return key_read_state(key) == KEY_IS_POSITIVE;
++}
++
++static inline bool key_is_negative(const struct key *key)
+ {
+- return test_bit(KEY_FLAG_INSTANTIATED, &key->flags) &&
+- !test_bit(KEY_FLAG_NEGATIVE, &key->flags);
++ return key_read_state(key) < 0;
+ }
+
+ #define dereference_key_rcu(KEY) \
+--- a/net/dns_resolver/dns_key.c
++++ b/net/dns_resolver/dns_key.c
+@@ -224,7 +224,7 @@ static int dns_resolver_match_preparse(s
+ static void dns_resolver_describe(const struct key *key, struct seq_file *m)
+ {
+ seq_puts(m, key->description);
+- if (key_is_instantiated(key)) {
++ if (key_is_positive(key)) {
+ int err = PTR_ERR(key->payload.data[dns_key_error]);
+
+ if (err)
+--- a/security/keys/big_key.c
++++ b/security/keys/big_key.c
+@@ -247,7 +247,7 @@ void big_key_revoke(struct key *key)
+
+ /* clear the quota */
+ key_payload_reserve(key, 0);
+- if (key_is_instantiated(key) &&
++ if (key_is_positive(key) &&
+ (size_t)key->payload.data[big_key_len] > BIG_KEY_FILE_THRESHOLD)
+ vfs_truncate(path, 0);
+ }
+@@ -279,7 +279,7 @@ void big_key_describe(const struct key *
+
+ seq_puts(m, key->description);
+
+- if (key_is_instantiated(key))
++ if (key_is_positive(key))
+ seq_printf(m, ": %zu [%s]",
+ datalen,
+ datalen > BIG_KEY_FILE_THRESHOLD ? "file" : "buff");
+--- a/security/keys/encrypted-keys/encrypted.c
++++ b/security/keys/encrypted-keys/encrypted.c
+@@ -854,7 +854,7 @@ static int encrypted_update(struct key *
+ size_t datalen = prep->datalen;
+ int ret = 0;
+
+- if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
++ if (key_is_negative(key))
+ return -ENOKEY;
+ if (datalen <= 0 || datalen > 32767 || !prep->data)
+ return -EINVAL;
+--- a/security/keys/gc.c
++++ b/security/keys/gc.c
+@@ -129,15 +129,15 @@ static noinline void key_gc_unused_keys(
+ while (!list_empty(keys)) {
+ struct key *key =
+ list_entry(keys->next, struct key, graveyard_link);
++ short state = key->state;
++
+ list_del(&key->graveyard_link);
+
+ kdebug("- %u", key->serial);
+ key_check(key);
+
+ /* Throw away the key data if the key is instantiated */
+- if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags) &&
+- !test_bit(KEY_FLAG_NEGATIVE, &key->flags) &&
+- key->type->destroy)
++ if (state == KEY_IS_POSITIVE && key->type->destroy)
+ key->type->destroy(key);
+
+ security_key_free(key);
+@@ -151,7 +151,7 @@ static noinline void key_gc_unused_keys(
+ }
+
+ atomic_dec(&key->user->nkeys);
+- if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
++ if (state != KEY_IS_UNINSTANTIATED)
+ atomic_dec(&key->user->nikeys);
+
+ key_user_put(key->user);
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -402,6 +402,18 @@ int key_payload_reserve(struct key *key,
+ EXPORT_SYMBOL(key_payload_reserve);
+
+ /*
++ * Change the key state to being instantiated.
++ */
++static void mark_key_instantiated(struct key *key, int reject_error)
++{
++ /* Commit the payload before setting the state; barrier versus
++ * key_read_state().
++ */
++ smp_store_release(&key->state,
++ (reject_error < 0) ? reject_error : KEY_IS_POSITIVE);
++}
++
++/*
+ * Instantiate a key and link it into the target keyring atomically. Must be
+ * called with the target keyring's semaphore writelocked. The target key's
+ * semaphore need not be locked as instantiation is serialised by
+@@ -424,14 +436,14 @@ static int __key_instantiate_and_link(st
+ mutex_lock(&key_construction_mutex);
+
+ /* can't instantiate twice */
+- if (!test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) {
++ if (key->state == KEY_IS_UNINSTANTIATED) {
+ /* instantiate the key */
+ ret = key->type->instantiate(key, prep);
+
+ if (ret == 0) {
+ /* mark the key as being instantiated */
+ atomic_inc(&key->user->nikeys);
+- set_bit(KEY_FLAG_INSTANTIATED, &key->flags);
++ mark_key_instantiated(key, 0);
+
+ if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags))
+ awaken = 1;
+@@ -577,13 +589,10 @@ int key_reject_and_link(struct key *key,
+ mutex_lock(&key_construction_mutex);
+
+ /* can't instantiate twice */
+- if (!test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) {
++ if (key->state == KEY_IS_UNINSTANTIATED) {
+ /* mark the key as being negatively instantiated */
+ atomic_inc(&key->user->nikeys);
+- key->reject_error = -error;
+- smp_wmb();
+- set_bit(KEY_FLAG_NEGATIVE, &key->flags);
+- set_bit(KEY_FLAG_INSTANTIATED, &key->flags);
++ mark_key_instantiated(key, -error);
+ now = current_kernel_time();
+ key->expiry = now.tv_sec + timeout;
+ key_schedule_gc(key->expiry + key_gc_delay);
+@@ -752,8 +761,8 @@ static inline key_ref_t __key_update(key
+
+ ret = key->type->update(key, prep);
+ if (ret == 0)
+- /* updating a negative key instantiates it */
+- clear_bit(KEY_FLAG_NEGATIVE, &key->flags);
++ /* Updating a negative key positively instantiates it */
++ mark_key_instantiated(key, 0);
+
+ up_write(&key->sem);
+
+@@ -986,8 +995,8 @@ int key_update(key_ref_t key_ref, const
+
+ ret = key->type->update(key, &prep);
+ if (ret == 0)
+- /* updating a negative key instantiates it */
+- clear_bit(KEY_FLAG_NEGATIVE, &key->flags);
++ /* Updating a negative key positively instantiates it */
++ mark_key_instantiated(key, 0);
+
+ up_write(&key->sem);
+
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -766,10 +766,9 @@ long keyctl_read_key(key_serial_t keyid,
+
+ key = key_ref_to_ptr(key_ref);
+
+- if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {
+- ret = -ENOKEY;
+- goto error2;
+- }
++ ret = key_read_state(key);
++ if (ret < 0)
++ goto error2; /* Negatively instantiated */
+
+ /* see if we can read it directly */
+ ret = key_permission(key_ref, KEY_NEED_READ);
+@@ -901,7 +900,7 @@ long keyctl_chown_key(key_serial_t id, u
+ atomic_dec(&key->user->nkeys);
+ atomic_inc(&newowner->nkeys);
+
+- if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) {
++ if (key->state != KEY_IS_UNINSTANTIATED) {
+ atomic_dec(&key->user->nikeys);
+ atomic_inc(&newowner->nikeys);
+ }
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -414,7 +414,7 @@ static void keyring_describe(const struc
+ else
+ seq_puts(m, "[anon]");
+
+- if (key_is_instantiated(keyring)) {
++ if (key_is_positive(keyring)) {
+ if (keyring->keys.nr_leaves_on_tree != 0)
+ seq_printf(m, ": %lu", keyring->keys.nr_leaves_on_tree);
+ else
+@@ -553,7 +553,8 @@ static int keyring_search_iterator(const
+ {
+ struct keyring_search_context *ctx = iterator_data;
+ const struct key *key = keyring_ptr_to_key(object);
+- unsigned long kflags = key->flags;
++ unsigned long kflags = READ_ONCE(key->flags);
++ short state = READ_ONCE(key->state);
+
+ kenter("{%d}", key->serial);
+
+@@ -597,9 +598,8 @@ static int keyring_search_iterator(const
+
+ if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) {
+ /* we set a different error code if we pass a negative key */
+- if (kflags & (1 << KEY_FLAG_NEGATIVE)) {
+- smp_rmb();
+- ctx->result = ERR_PTR(key->reject_error);
++ if (state < 0) {
++ ctx->result = ERR_PTR(state);
+ kleave(" = %d [neg]", ctx->skipped_ret);
+ goto skipped;
+ }
+--- a/security/keys/proc.c
++++ b/security/keys/proc.c
+@@ -182,6 +182,7 @@ static int proc_keys_show(struct seq_fil
+ unsigned long timo;
+ key_ref_t key_ref, skey_ref;
+ char xbuf[16];
++ short state;
+ int rc;
+
+ struct keyring_search_context ctx = {
+@@ -240,17 +241,19 @@ static int proc_keys_show(struct seq_fil
+ sprintf(xbuf, "%luw", timo / (60*60*24*7));
+ }
+
++ state = key_read_state(key);
++
+ #define showflag(KEY, LETTER, FLAG) \
+ (test_bit(FLAG, &(KEY)->flags) ? LETTER : '-')
+
+ seq_printf(m, "%08x %c%c%c%c%c%c%c %5d %4s %08x %5d %5d %-9.9s ",
+ key->serial,
+- showflag(key, 'I', KEY_FLAG_INSTANTIATED),
++ state != KEY_IS_UNINSTANTIATED ? 'I' : '-',
+ showflag(key, 'R', KEY_FLAG_REVOKED),
+ showflag(key, 'D', KEY_FLAG_DEAD),
+ showflag(key, 'Q', KEY_FLAG_IN_QUOTA),
+ showflag(key, 'U', KEY_FLAG_USER_CONSTRUCT),
+- showflag(key, 'N', KEY_FLAG_NEGATIVE),
++ state < 0 ? 'N' : '-',
+ showflag(key, 'i', KEY_FLAG_INVALIDATED),
+ refcount_read(&key->usage),
+ xbuf,
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -730,7 +730,7 @@ try_again:
+
+ ret = -EIO;
+ if (!(lflags & KEY_LOOKUP_PARTIAL) &&
+- !test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
++ key_read_state(key) == KEY_IS_UNINSTANTIATED)
+ goto invalid_key;
+
+ /* check the permissions */
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -595,10 +595,9 @@ int wait_for_key_construction(struct key
+ intr ? TASK_INTERRUPTIBLE : TASK_UNINTERRUPTIBLE);
+ if (ret)
+ return -ERESTARTSYS;
+- if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {
+- smp_rmb();
+- return key->reject_error;
+- }
++ ret = key_read_state(key);
++ if (ret < 0)
++ return ret;
+ return key_validate(key);
+ }
+ EXPORT_SYMBOL(wait_for_key_construction);
+--- a/security/keys/request_key_auth.c
++++ b/security/keys/request_key_auth.c
+@@ -73,7 +73,7 @@ static void request_key_auth_describe(co
+
+ seq_puts(m, "key:");
+ seq_puts(m, key->description);
+- if (key_is_instantiated(key))
++ if (key_is_positive(key))
+ seq_printf(m, " pid:%d ci:%zu", rka->pid, rka->callout_len);
+ }
+
+--- a/security/keys/trusted.c
++++ b/security/keys/trusted.c
+@@ -1066,7 +1066,7 @@ static int trusted_update(struct key *ke
+ char *datablob;
+ int ret = 0;
+
+- if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
++ if (key_is_negative(key))
+ return -ENOKEY;
+ p = key->payload.data[0];
+ if (!p->migratable)
+--- a/security/keys/user_defined.c
++++ b/security/keys/user_defined.c
+@@ -114,7 +114,7 @@ int user_update(struct key *key, struct
+
+ /* attach the new data, displacing the old */
+ key->expiry = prep->expiry;
+- if (!test_bit(KEY_FLAG_NEGATIVE, &key->flags))
++ if (key_is_positive(key))
+ zap = dereference_key_locked(key);
+ rcu_assign_keypointer(key, prep->payload.data[0]);
+ prep->payload.data[0] = NULL;
+@@ -162,7 +162,7 @@ EXPORT_SYMBOL_GPL(user_destroy);
+ void user_describe(const struct key *key, struct seq_file *m)
+ {
+ seq_puts(m, key->description);
+- if (key_is_instantiated(key))
++ if (key_is_positive(key))
+ seq_printf(m, ": %u", key->datalen);
+ }
+
--- /dev/null
+From 192cabd6a296cbc57b3d8c05c4c89d87fc102506 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 9 Oct 2017 12:43:20 -0700
+Subject: lib/digsig: fix dereference of NULL user_key_payload
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 192cabd6a296cbc57b3d8c05c4c89d87fc102506 upstream.
+
+digsig_verify() requests a user key, then accesses its payload.
+However, a revoked key has a NULL payload, and we failed to check for
+this. request_key() *does* skip revoked keys, but there is still a
+window where the key can be revoked before we acquire its semaphore.
+
+Fix it by checking for a NULL payload, treating it like a key which was
+already revoked at the time it was requested.
+
+Fixes: 051dbb918c7f ("crypto: digital signature verification support")
+Reviewed-by: James Morris <james.l.morris@oracle.com>
+Cc: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/digsig.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/lib/digsig.c
++++ b/lib/digsig.c
+@@ -87,6 +87,12 @@ static int digsig_verify_rsa(struct key
+ down_read(&key->sem);
+ ukp = user_key_payload_locked(key);
+
++ if (!ukp) {
++ /* key was revoked before we acquired its semaphore */
++ err = -EKEYREVOKED;
++ goto err1;
++ }
++
+ if (ukp->datalen < sizeof(*pkh))
+ goto err1;
+
--- /dev/null
+From 845d6524d69b40bd6abd61dc1264a8657159aa55 Mon Sep 17 00:00:00 2001
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+Date: Thu, 14 Sep 2017 11:23:38 -0400
+Subject: media: cec: Respond to unregistered initiators, when applicable
+
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+
+commit 845d6524d69b40bd6abd61dc1264a8657159aa55 upstream.
+
+Running CEC 1.4 compliance test we get the following error on test
+11.1.6.2: "ERROR: The DUT did not broadcast a
+<Report Physical Address> message to the unregistered device."
+
+Fix this by letting GIVE_PHYSICAL_ADDR message respond to unregistered
+device. Also, GIVE_DEVICE_VENDOR_ID and GIVE_FEATURES fall in the
+same category so, respond also to these messages.
+
+With this fix we pass CEC 1.4 official compliance.
+
+Signed-off-by: Jose Abreu <joabreu@synopsys.com>
+Cc: Joao Pinto <jpinto@synopsys.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/cec/cec-adap.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/cec/cec-adap.c
++++ b/drivers/media/cec/cec-adap.c
+@@ -1726,12 +1726,19 @@ static int cec_receive_notify(struct cec
+ */
+ switch (msg->msg[1]) {
+ case CEC_MSG_GET_CEC_VERSION:
+- case CEC_MSG_GIVE_DEVICE_VENDOR_ID:
+ case CEC_MSG_ABORT:
+ case CEC_MSG_GIVE_DEVICE_POWER_STATUS:
+- case CEC_MSG_GIVE_PHYSICAL_ADDR:
+ case CEC_MSG_GIVE_OSD_NAME:
++ /*
++ * These messages reply with a directed message, so ignore if
++ * the initiator is Unregistered.
++ */
++ if (!adap->passthrough && from_unregistered)
++ return 0;
++ /* Fall through */
++ case CEC_MSG_GIVE_DEVICE_VENDOR_ID:
+ case CEC_MSG_GIVE_FEATURES:
++ case CEC_MSG_GIVE_PHYSICAL_ADDR:
+ /*
+ * Skip processing these messages if the passthrough mode
+ * is on.
+@@ -1739,7 +1746,7 @@ static int cec_receive_notify(struct cec
+ if (adap->passthrough)
+ goto skip_processing;
+ /* Ignore if addressing is wrong */
+- if (is_broadcast || from_unregistered)
++ if (is_broadcast)
+ return 0;
+ break;
+
--- /dev/null
+From b4756707152700c96acdfe149cb1ca4cec306c7a Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Sat, 2 Sep 2017 07:42:42 -0400
+Subject: media: dvb: i2c transfers over usb cannot be done from stack
+
+From: Sean Young <sean@mess.org>
+
+commit b4756707152700c96acdfe149cb1ca4cec306c7a upstream.
+
+Since commit 29d2fef8be11 ("usb: catch attempts to submit urbs
+with a vmalloc'd transfer buffer"), the AverMedia AverTV DVB-T
+USB 2.0 (a800) fails to probe.
+
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/dvb-frontends/dib3000mc.c | 50 +++++++++++++++++++++------
+ drivers/media/dvb-frontends/dvb-pll.c | 22 +++++++++--
+ drivers/media/tuners/mt2060.c | 59 +++++++++++++++++++++++++-------
+ 3 files changed, 103 insertions(+), 28 deletions(-)
+
+--- a/drivers/media/dvb-frontends/dib3000mc.c
++++ b/drivers/media/dvb-frontends/dib3000mc.c
+@@ -55,29 +55,57 @@ struct dib3000mc_state {
+
+ static u16 dib3000mc_read_word(struct dib3000mc_state *state, u16 reg)
+ {
+- u8 wb[2] = { (reg >> 8) | 0x80, reg & 0xff };
+- u8 rb[2];
+ struct i2c_msg msg[2] = {
+- { .addr = state->i2c_addr >> 1, .flags = 0, .buf = wb, .len = 2 },
+- { .addr = state->i2c_addr >> 1, .flags = I2C_M_RD, .buf = rb, .len = 2 },
++ { .addr = state->i2c_addr >> 1, .flags = 0, .len = 2 },
++ { .addr = state->i2c_addr >> 1, .flags = I2C_M_RD, .len = 2 },
+ };
++ u16 word;
++ u8 *b;
++
++ b = kmalloc(4, GFP_KERNEL);
++ if (!b)
++ return 0;
++
++ b[0] = (reg >> 8) | 0x80;
++ b[1] = reg;
++ b[2] = 0;
++ b[3] = 0;
++
++ msg[0].buf = b;
++ msg[1].buf = b + 2;
+
+ if (i2c_transfer(state->i2c_adap, msg, 2) != 2)
+ dprintk("i2c read error on %d\n",reg);
+
+- return (rb[0] << 8) | rb[1];
++ word = (b[2] << 8) | b[3];
++ kfree(b);
++
++ return word;
+ }
+
+ static int dib3000mc_write_word(struct dib3000mc_state *state, u16 reg, u16 val)
+ {
+- u8 b[4] = {
+- (reg >> 8) & 0xff, reg & 0xff,
+- (val >> 8) & 0xff, val & 0xff,
+- };
+ struct i2c_msg msg = {
+- .addr = state->i2c_addr >> 1, .flags = 0, .buf = b, .len = 4
++ .addr = state->i2c_addr >> 1, .flags = 0, .len = 4
+ };
+- return i2c_transfer(state->i2c_adap, &msg, 1) != 1 ? -EREMOTEIO : 0;
++ int rc;
++ u8 *b;
++
++ b = kmalloc(4, GFP_KERNEL);
++ if (!b)
++ return -ENOMEM;
++
++ b[0] = reg >> 8;
++ b[1] = reg;
++ b[2] = val >> 8;
++ b[3] = val;
++
++ msg.buf = b;
++
++ rc = i2c_transfer(state->i2c_adap, &msg, 1) != 1 ? -EREMOTEIO : 0;
++ kfree(b);
++
++ return rc;
+ }
+
+ static int dib3000mc_identify(struct dib3000mc_state *state)
+--- a/drivers/media/dvb-frontends/dvb-pll.c
++++ b/drivers/media/dvb-frontends/dvb-pll.c
+@@ -753,13 +753,19 @@ struct dvb_frontend *dvb_pll_attach(stru
+ struct i2c_adapter *i2c,
+ unsigned int pll_desc_id)
+ {
+- u8 b1 [] = { 0 };
+- struct i2c_msg msg = { .addr = pll_addr, .flags = I2C_M_RD,
+- .buf = b1, .len = 1 };
++ u8 *b1;
++ struct i2c_msg msg = { .addr = pll_addr, .flags = I2C_M_RD, .len = 1 };
+ struct dvb_pll_priv *priv = NULL;
+ int ret;
+ const struct dvb_pll_desc *desc;
+
++ b1 = kmalloc(1, GFP_KERNEL);
++ if (!b1)
++ return NULL;
++
++ b1[0] = 0;
++ msg.buf = b1;
++
+ if ((id[dvb_pll_devcount] > DVB_PLL_UNDEFINED) &&
+ (id[dvb_pll_devcount] < ARRAY_SIZE(pll_list)))
+ pll_desc_id = id[dvb_pll_devcount];
+@@ -773,15 +779,19 @@ struct dvb_frontend *dvb_pll_attach(stru
+ fe->ops.i2c_gate_ctrl(fe, 1);
+
+ ret = i2c_transfer (i2c, &msg, 1);
+- if (ret != 1)
++ if (ret != 1) {
++ kfree(b1);
+ return NULL;
++ }
+ if (fe->ops.i2c_gate_ctrl)
+ fe->ops.i2c_gate_ctrl(fe, 0);
+ }
+
+ priv = kzalloc(sizeof(struct dvb_pll_priv), GFP_KERNEL);
+- if (priv == NULL)
++ if (!priv) {
++ kfree(b1);
+ return NULL;
++ }
+
+ priv->pll_i2c_address = pll_addr;
+ priv->i2c = i2c;
+@@ -811,6 +821,8 @@ struct dvb_frontend *dvb_pll_attach(stru
+ "insmod option" : "autodetected");
+ }
+
++ kfree(b1);
++
+ return fe;
+ }
+ EXPORT_SYMBOL(dvb_pll_attach);
+--- a/drivers/media/tuners/mt2060.c
++++ b/drivers/media/tuners/mt2060.c
+@@ -38,41 +38,74 @@ MODULE_PARM_DESC(debug, "Turn on/off deb
+ static int mt2060_readreg(struct mt2060_priv *priv, u8 reg, u8 *val)
+ {
+ struct i2c_msg msg[2] = {
+- { .addr = priv->cfg->i2c_address, .flags = 0, .buf = ®, .len = 1 },
+- { .addr = priv->cfg->i2c_address, .flags = I2C_M_RD, .buf = val, .len = 1 },
++ { .addr = priv->cfg->i2c_address, .flags = 0, .len = 1 },
++ { .addr = priv->cfg->i2c_address, .flags = I2C_M_RD, .len = 1 },
+ };
++ int rc = 0;
++ u8 *b;
++
++ b = kmalloc(2, GFP_KERNEL);
++ if (!b)
++ return -ENOMEM;
++
++ b[0] = reg;
++ b[1] = 0;
++
++ msg[0].buf = b;
++ msg[1].buf = b + 1;
+
+ if (i2c_transfer(priv->i2c, msg, 2) != 2) {
+ printk(KERN_WARNING "mt2060 I2C read failed\n");
+- return -EREMOTEIO;
++ rc = -EREMOTEIO;
+ }
+- return 0;
++ *val = b[1];
++ kfree(b);
++
++ return rc;
+ }
+
+ // Writes a single register
+ static int mt2060_writereg(struct mt2060_priv *priv, u8 reg, u8 val)
+ {
+- u8 buf[2] = { reg, val };
+ struct i2c_msg msg = {
+- .addr = priv->cfg->i2c_address, .flags = 0, .buf = buf, .len = 2
++ .addr = priv->cfg->i2c_address, .flags = 0, .len = 2
+ };
++ u8 *buf;
++ int rc = 0;
++
++ buf = kmalloc(2, GFP_KERNEL);
++ if (!buf)
++ return -ENOMEM;
++
++ buf[0] = reg;
++ buf[1] = val;
++
++ msg.buf = buf;
+
+ if (i2c_transfer(priv->i2c, &msg, 1) != 1) {
+ printk(KERN_WARNING "mt2060 I2C write failed\n");
+- return -EREMOTEIO;
++ rc = -EREMOTEIO;
+ }
+- return 0;
++ kfree(buf);
++ return rc;
+ }
+
+ // Writes a set of consecutive registers
+ static int mt2060_writeregs(struct mt2060_priv *priv,u8 *buf, u8 len)
+ {
+ int rem, val_len;
+- u8 xfer_buf[16];
++ u8 *xfer_buf;
++ int rc = 0;
+ struct i2c_msg msg = {
+- .addr = priv->cfg->i2c_address, .flags = 0, .buf = xfer_buf
++ .addr = priv->cfg->i2c_address, .flags = 0
+ };
+
++ xfer_buf = kmalloc(16, GFP_KERNEL);
++ if (!xfer_buf)
++ return -ENOMEM;
++
++ msg.buf = xfer_buf;
++
+ for (rem = len - 1; rem > 0; rem -= priv->i2c_max_regs) {
+ val_len = min_t(int, rem, priv->i2c_max_regs);
+ msg.len = 1 + val_len;
+@@ -81,11 +114,13 @@ static int mt2060_writeregs(struct mt206
+
+ if (i2c_transfer(priv->i2c, &msg, 1) != 1) {
+ printk(KERN_WARNING "mt2060 I2C write failed (len=%i)\n", val_len);
+- return -EREMOTEIO;
++ rc = -EREMOTEIO;
++ break;
+ }
+ }
+
+- return 0;
++ kfree(xfer_buf);
++ return rc;
+ }
+
+ // Initialisation sequences
--- /dev/null
+From e949f61461ab83b094cad564c89a8d2b078b4508 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Thu, 31 Aug 2017 12:56:10 -0400
+Subject: media: s5p-cec: add NACK detection support
+
+From: Hans Verkuil <hverkuil@xs4all.nl>
+
+commit e949f61461ab83b094cad564c89a8d2b078b4508 upstream.
+
+The s5p-cec driver returned CEC_TX_STATUS_ERROR for the NACK condition.
+
+Some digging into the datasheet uncovered the S5P_CEC_TX_STAT1 register where
+bit 0 indicates if the transmit was nacked or not.
+
+Use this to return the correct CEC_TX_STATUS_NACK status to userspace.
+
+This was the only driver that couldn't tell a NACK from another error, and
+that was very unusual. And a potential problem for applications as well.
+
+Tested with my Odroid-U3.
+
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Acked-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/s5p-cec/exynos_hdmi_cecctrl.c | 3 ++-
+ drivers/media/platform/s5p-cec/s5p_cec.c | 11 ++++++++++-
+ drivers/media/platform/s5p-cec/s5p_cec.h | 2 ++
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/platform/s5p-cec/exynos_hdmi_cecctrl.c
++++ b/drivers/media/platform/s5p-cec/exynos_hdmi_cecctrl.c
+@@ -172,7 +172,8 @@ u32 s5p_cec_get_status(struct s5p_cec_de
+ {
+ u32 status = 0;
+
+- status = readb(cec->reg + S5P_CEC_STATUS_0);
++ status = readb(cec->reg + S5P_CEC_STATUS_0) & 0xf;
++ status |= (readb(cec->reg + S5P_CEC_TX_STAT1) & 0xf) << 4;
+ status |= readb(cec->reg + S5P_CEC_STATUS_1) << 8;
+ status |= readb(cec->reg + S5P_CEC_STATUS_2) << 16;
+ status |= readb(cec->reg + S5P_CEC_STATUS_3) << 24;
+--- a/drivers/media/platform/s5p-cec/s5p_cec.c
++++ b/drivers/media/platform/s5p-cec/s5p_cec.c
+@@ -92,7 +92,10 @@ static irqreturn_t s5p_cec_irq_handler(i
+ dev_dbg(cec->dev, "irq received\n");
+
+ if (status & CEC_STATUS_TX_DONE) {
+- if (status & CEC_STATUS_TX_ERROR) {
++ if (status & CEC_STATUS_TX_NACK) {
++ dev_dbg(cec->dev, "CEC_STATUS_TX_NACK set\n");
++ cec->tx = STATE_NACK;
++ } else if (status & CEC_STATUS_TX_ERROR) {
+ dev_dbg(cec->dev, "CEC_STATUS_TX_ERROR set\n");
+ cec->tx = STATE_ERROR;
+ } else {
+@@ -135,6 +138,12 @@ static irqreturn_t s5p_cec_irq_handler_t
+ cec_transmit_done(cec->adap, CEC_TX_STATUS_OK, 0, 0, 0, 0);
+ cec->tx = STATE_IDLE;
+ break;
++ case STATE_NACK:
++ cec_transmit_done(cec->adap,
++ CEC_TX_STATUS_MAX_RETRIES | CEC_TX_STATUS_NACK,
++ 0, 1, 0, 0);
++ cec->tx = STATE_IDLE;
++ break;
+ case STATE_ERROR:
+ cec_transmit_done(cec->adap,
+ CEC_TX_STATUS_MAX_RETRIES | CEC_TX_STATUS_ERROR,
+--- a/drivers/media/platform/s5p-cec/s5p_cec.h
++++ b/drivers/media/platform/s5p-cec/s5p_cec.h
+@@ -35,6 +35,7 @@
+ #define CEC_STATUS_TX_TRANSFERRING (1 << 1)
+ #define CEC_STATUS_TX_DONE (1 << 2)
+ #define CEC_STATUS_TX_ERROR (1 << 3)
++#define CEC_STATUS_TX_NACK (1 << 4)
+ #define CEC_STATUS_TX_BYTES (0xFF << 8)
+ #define CEC_STATUS_RX_RUNNING (1 << 16)
+ #define CEC_STATUS_RX_RECEIVING (1 << 17)
+@@ -55,6 +56,7 @@ enum cec_state {
+ STATE_IDLE,
+ STATE_BUSY,
+ STATE_DONE,
++ STATE_NACK,
+ STATE_ERROR
+ };
+
--- /dev/null
+From eb701ce16a45ed9880897c48f05ee608d77c72e3 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Mon, 9 Oct 2017 10:24:01 +0300
+Subject: mmc: sdhci-pci: Fix default d3_retune for Intel host controllers
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit eb701ce16a45ed9880897c48f05ee608d77c72e3 upstream.
+
+The default for d3_retune is true, but that was not being set in all cases,
+which results in eMMC errors because re-tuning has not been done.
+Fix by initializing d3_retune to true.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Fixes: c959a6b00ff5 ("mmc: sdhci-pci: Don't re-tune with runtime pm for some Intel devices")
+Reported-and-tested-by: ojab <ojab@ojab.ru>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-pci-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-pci-core.c
++++ b/drivers/mmc/host/sdhci-pci-core.c
+@@ -449,6 +449,8 @@ static void intel_dsm_init(struct intel_
+ int err;
+ u32 val;
+
++ intel_host->d3_retune = true;
++
+ err = __intel_dsm(intel_host, dev, INTEL_DSM_FNS, &intel_host->dsm_fns);
+ if (err) {
+ pr_debug("%s: DSM not supported, error %d\n",
--- /dev/null
+From 68a1fdbbf8bd3378325e45c19e167a165f9ffc3a Mon Sep 17 00:00:00 2001
+From: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
+Date: Sun, 8 Oct 2017 20:02:32 +0200
+Subject: pkcs7: Prevent NULL pointer dereference, since sinfo is not always set.
+
+From: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
+
+commit 68a1fdbbf8bd3378325e45c19e167a165f9ffc3a upstream.
+
+The ASN.1 parser does not necessarily set the sinfo field,
+this patch prevents a NULL pointer dereference on broken
+input.
+
+Fixes: 99db44350672 ("PKCS#7: Appropriately restrict authenticated attributes and content type")
+Signed-off-by: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/asymmetric_keys/pkcs7_parser.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/crypto/asymmetric_keys/pkcs7_parser.c
++++ b/crypto/asymmetric_keys/pkcs7_parser.c
+@@ -88,6 +88,9 @@ static int pkcs7_check_authattrs(struct
+ bool want = false;
+
+ sinfo = msg->signed_infos;
++ if (!sinfo)
++ goto inconsistent;
++
+ if (sinfo->authattrs) {
+ want = true;
+ msg->have_authattrs = true;
--- /dev/null
+From c97cc7dbce2fe6f46e137f4b040f915a0181ee85 Mon Sep 17 00:00:00 2001
+From: Len Brown <len.brown@intel.com>
+Date: Tue, 17 Oct 2017 16:00:02 -0400
+Subject: Revert "tools/power turbostat: stop migrating, unless '-m'"
+
+From: Len Brown <len.brown@intel.com>
+
+commit c97cc7dbce2fe6f46e137f4b040f915a0181ee85 upstream.
+
+This reverts commit c91fc8519d87715a3a173475ea3778794c139996.
+
+That change caused a C6 and PC6 residency regression on large idle systems.
+
+Users also complained about new output indicating jitter:
+
+turbostat: cpu6 jitter 3794 9142
+
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/power/x86/turbostat/turbostat.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -92,7 +92,6 @@ unsigned int do_ring_perf_limit_reasons;
+ unsigned int crystal_hz;
+ unsigned long long tsc_hz;
+ int base_cpu;
+-int do_migrate;
+ double discover_bclk(unsigned int family, unsigned int model);
+ unsigned int has_hwp; /* IA32_PM_ENABLE, IA32_HWP_CAPABILITIES */
+ /* IA32_HWP_REQUEST, IA32_HWP_STATUS */
+@@ -303,9 +302,6 @@ int for_all_cpus(int (func)(struct threa
+
+ int cpu_migrate(int cpu)
+ {
+- if (!do_migrate)
+- return 0;
+-
+ CPU_ZERO_S(cpu_affinity_setsize, cpu_affinity_set);
+ CPU_SET_S(cpu, cpu_affinity_setsize, cpu_affinity_set);
+ if (sched_setaffinity(0, cpu_affinity_setsize, cpu_affinity_set) == -1)
+@@ -5007,7 +5003,6 @@ void cmdline(int argc, char **argv)
+ {"hide", required_argument, 0, 'H'}, // meh, -h taken by --help
+ {"Joules", no_argument, 0, 'J'},
+ {"list", no_argument, 0, 'l'},
+- {"migrate", no_argument, 0, 'm'},
+ {"out", required_argument, 0, 'o'},
+ {"quiet", no_argument, 0, 'q'},
+ {"show", required_argument, 0, 's'},
+@@ -5019,7 +5014,7 @@ void cmdline(int argc, char **argv)
+
+ progname = argv[0];
+
+- while ((opt = getopt_long_only(argc, argv, "+C:c:Ddhi:Jmo:qST:v",
++ while ((opt = getopt_long_only(argc, argv, "+C:c:Ddhi:JM:m:o:qST:v",
+ long_options, &option_index)) != -1) {
+ switch (opt) {
+ case 'a':
+@@ -5062,9 +5057,6 @@ void cmdline(int argc, char **argv)
+ list_header_only++;
+ quiet++;
+ break;
+- case 'm':
+- do_migrate = 1;
+- break;
+ case 'o':
+ outf = fopen_or_die(optarg, "w");
+ break;
--- /dev/null
+From b8b8b16352cd90c6083033fd4487f04fae935c18 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Wed, 20 Sep 2017 16:15:05 -0500
+Subject: rtlwifi: rtl8821ae: Fix connection lost problem
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit b8b8b16352cd90c6083033fd4487f04fae935c18 upstream.
+
+In commit 40b368af4b75 ("rtlwifi: Fix alignment issues"), the read
+of REG_DBI_READ was changed from 16 to 8 bits. For unknown reasonsi
+this change results in reduced stability for the wireless connection.
+This regression was located using bisection.
+
+Fixes: 40b368af4b75 ("rtlwifi: Fix alignment issues")
+Reported-and-tested-by: James Cameron <quozl@laptop.org>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Cc: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c
+@@ -1122,7 +1122,7 @@ static u8 _rtl8821ae_dbi_read(struct rtl
+ }
+ if (0 == tmp) {
+ read_addr = REG_DBI_RDATA + addr % 4;
+- ret = rtl_read_byte(rtlpriv, read_addr);
++ ret = rtl_read_word(rtlpriv, read_addr);
+ }
+ return ret;
+ }
can-flexcan-fix-i.mx28-state-transition-issue.patch
can-flexcan-fix-p1010-state-transition-issue.patch
keys-encrypted-fix-dereference-of-null-user_key_payload.patch
+mmc-sdhci-pci-fix-default-d3_retune-for-intel-host-controllers.patch
+drm-i915-use-bdw_ddi_translations_fdi-for-broadwell.patch
+drm-nouveau-kms-nv50-fix-oops-during-dp-irq-handling-on-non-mst-boards.patch
+drm-nouveau-bsp-g92-disable-by-default.patch
+drm-nouveau-mmu-flush-tlbs-before-deleting-page-tables.patch
+media-s5p-cec-add-nack-detection-support.patch
+media-cec-respond-to-unregistered-initiators-when-applicable.patch
+media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch
+tracing-samples-fix-creation-and-deletion-of-simple_thread_fn-creation.patch
+alsa-seq-enable-use-locking-in-all-configurations.patch
+alsa-hda-remove-superfluous-added-by-printk-conversion.patch
+alsa-hda-abort-capability-probe-at-invalid-register-read.patch
+i2c-ismt-separate-i2c-block-read-from-smbus-block-read.patch
+i2c-piix4-fix-smbus-port-selection-for-amd-family-17h-chips.patch
+revert-tools-power-turbostat-stop-migrating-unless-m.patch
+input-stmfts-fix-setting-abs_mt_position_-maximum-size.patch
+brcmfmac-add-check-for-short-event-packets.patch
+brcmsmac-make-some-local-variables-static-const-to-reduce-stack-size.patch
+arm-dts-sun6i-fix-endpoint-ids-in-second-display-pipeline.patch
+bus-mbus-fix-window-size-calculation-for-4gb-windows.patch
+clockevents-drivers-cs5535-improve-resilience-to-spurious-interrupts.patch
+rtlwifi-rtl8821ae-fix-connection-lost-problem.patch
+x86-microcode-intel-disable-late-loading-on-model-79.patch
+lib-digsig-fix-dereference-of-null-user_key_payload.patch
+fscrypt-fix-dereference-of-null-user_key_payload.patch
+ecryptfs-fix-dereference-of-null-user_key_payload.patch
+keys-fix-race-between-updating-and-finding-a-negative-key.patch
+fs-cache-fix-dereference-of-null-user_key_payload.patch
+keys-don-t-let-add_key-update-an-uninstantiated-key.patch
+pkcs7-prevent-null-pointer-dereference-since-sinfo-is-not-always-set.patch
--- /dev/null
+From 6575257c60e1a26a5319ccf2b5ce5b6449001017 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Tue, 17 Oct 2017 14:55:24 -0400
+Subject: tracing/samples: Fix creation and deletion of simple_thread_fn creation
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 6575257c60e1a26a5319ccf2b5ce5b6449001017 upstream.
+
+Commit 7496946a8 ("tracing: Add samples of DECLARE_EVENT_CLASS() and
+DEFINE_EVENT()") added template examples for all the events. It created a
+DEFINE_EVENT_FN() example which reused the foo_bar_reg and foo_bar_unreg
+functions.
+
+Enabling both the TRACE_EVENT_FN() and DEFINE_EVENT_FN() example trace
+events caused the foo_bar_reg to be called twice, creating the test thread
+twice. The foo_bar_unreg would remove it only once, even if it was called
+multiple times, leaving a thread existing when the module is unloaded,
+causing an oops.
+
+Add a ref count and allow foo_bar_reg() and foo_bar_unreg() be called by
+multiple trace events.
+
+Fixes: 7496946a8 ("tracing: Add samples of DECLARE_EVENT_CLASS() and DEFINE_EVENT()")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ samples/trace_events/trace-events-sample.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/samples/trace_events/trace-events-sample.c
++++ b/samples/trace_events/trace-events-sample.c
+@@ -78,29 +78,37 @@ static int simple_thread_fn(void *arg)
+ }
+
+ static DEFINE_MUTEX(thread_mutex);
++static bool simple_thread_cnt;
+
+ int foo_bar_reg(void)
+ {
++ mutex_lock(&thread_mutex);
++ if (simple_thread_cnt++)
++ goto out;
++
+ pr_info("Starting thread for foo_bar_fn\n");
+ /*
+ * We shouldn't be able to start a trace when the module is
+ * unloading (there's other locks to prevent that). But
+ * for consistency sake, we still take the thread_mutex.
+ */
+- mutex_lock(&thread_mutex);
+ simple_tsk_fn = kthread_run(simple_thread_fn, NULL, "event-sample-fn");
++ out:
+ mutex_unlock(&thread_mutex);
+ return 0;
+ }
+
+ void foo_bar_unreg(void)
+ {
+- pr_info("Killing thread for foo_bar_fn\n");
+- /* protect against module unloading */
+ mutex_lock(&thread_mutex);
++ if (--simple_thread_cnt)
++ goto out;
++
++ pr_info("Killing thread for foo_bar_fn\n");
+ if (simple_tsk_fn)
+ kthread_stop(simple_tsk_fn);
+ simple_tsk_fn = NULL;
++ out:
+ mutex_unlock(&thread_mutex);
+ }
+
--- /dev/null
+From 723f2828a98c8ca19842042f418fb30dd8cfc0f7 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Wed, 18 Oct 2017 13:12:25 +0200
+Subject: x86/microcode/intel: Disable late loading on model 79
+
+From: Borislav Petkov <bp@suse.de>
+
+commit 723f2828a98c8ca19842042f418fb30dd8cfc0f7 upstream.
+
+Blacklist Broadwell X model 79 for late loading due to an erratum.
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: Tony Luck <tony.luck@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20171018111225.25635-1-bp@alien8.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/microcode/intel.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/arch/x86/kernel/cpu/microcode/intel.c
++++ b/arch/x86/kernel/cpu/microcode/intel.c
+@@ -34,6 +34,7 @@
+ #include <linux/mm.h>
+
+ #include <asm/microcode_intel.h>
++#include <asm/intel-family.h>
+ #include <asm/processor.h>
+ #include <asm/tlbflush.h>
+ #include <asm/setup.h>
+@@ -917,6 +918,18 @@ static int get_ucode_fw(void *to, const
+ return 0;
+ }
+
++static bool is_blacklisted(unsigned int cpu)
++{
++ struct cpuinfo_x86 *c = &cpu_data(cpu);
++
++ if (c->x86 == 6 && c->x86_model == INTEL_FAM6_BROADWELL_X) {
++ pr_err_once("late loading on model 79 is disabled.\n");
++ return true;
++ }
++
++ return false;
++}
++
+ static enum ucode_state request_microcode_fw(int cpu, struct device *device,
+ bool refresh_fw)
+ {
+@@ -925,6 +938,9 @@ static enum ucode_state request_microcod
+ const struct firmware *firmware;
+ enum ucode_state ret;
+
++ if (is_blacklisted(cpu))
++ return UCODE_NFOUND;
++
+ sprintf(name, "intel-ucode/%02x-%02x-%02x",
+ c->x86, c->x86_model, c->x86_mask);
+
+@@ -949,6 +965,9 @@ static int get_ucode_user(void *to, cons
+ static enum ucode_state
+ request_microcode_user(int cpu, const void __user *buf, size_t size)
+ {
++ if (is_blacklisted(cpu))
++ return UCODE_NFOUND;
++
+ return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
