--- /dev/null
+From 5607dddbfca774fb38bffadcb077fe03aa4ac5c6 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 27 Mar 2018 16:07:52 +0300
+Subject: ALSA: pcm: potential uninitialized return values
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 5607dddbfca774fb38bffadcb077fe03aa4ac5c6 upstream.
+
+Smatch complains that "tmp" can be uninitialized if we do a zero size
+write.
+
+Fixes: 02a5d6925cd3 ("ALSA: pcm: Avoid potential races between OSS ioctls and read/write")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/oss/pcm_oss.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -1326,7 +1326,7 @@ static ssize_t snd_pcm_oss_write2(struct
+ static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const char __user *buf, size_t bytes)
+ {
+ size_t xfer = 0;
+- ssize_t tmp;
++ ssize_t tmp = 0;
+ struct snd_pcm_runtime *runtime = substream->runtime;
+
+ if (atomic_read(&substream->mmap_count))
+@@ -1433,7 +1433,7 @@ static ssize_t snd_pcm_oss_read2(struct
+ static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __user *buf, size_t bytes)
+ {
+ size_t xfer = 0;
+- ssize_t tmp;
++ ssize_t tmp = 0;
+ struct snd_pcm_runtime *runtime = substream->runtime;
+
+ if (atomic_read(&substream->mmap_count))
--- /dev/null
+From 9066ae7ff5d89c0b5daa271e2d573540097a94fa Mon Sep 17 00:00:00 2001
+From: Stefan Roese <sr@denx.de>
+Date: Mon, 26 Mar 2018 16:10:21 +0200
+Subject: ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()
+
+From: Stefan Roese <sr@denx.de>
+
+commit 9066ae7ff5d89c0b5daa271e2d573540097a94fa upstream.
+
+When trying to use the driver (e.g. aplay *.wav), the 4MiB DMA buffer
+will get mmapp'ed in 16KiB chunks. But this fails with the 2nd 16KiB
+area, as the page offset is outside of the VMA range (size), which is
+currently used as size parameter in snd_pcm_lib_default_mmap(). By
+using the DMA buffer size (dma_bytes) instead, the complete DMA buffer
+can be mmapp'ed and the issue is fixed.
+
+This issue was detected on an ARM platform (TI AM57xx) using the RME
+HDSP MADI PCIe soundcard.
+
+Fixes: 657b1989dacf ("ALSA: pcm - Use dma_mmap_coherent() if available")
+Signed-off-by: Stefan Roese <sr@denx.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm_native.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -3422,7 +3422,7 @@ int snd_pcm_lib_default_mmap(struct snd_
+ area,
+ substream->runtime->dma_area,
+ substream->runtime->dma_addr,
+- area->vm_end - area->vm_start);
++ substream->runtime->dma_bytes);
+ #endif /* CONFIG_X86 */
+ /* mmap with fault handler */
+ area->vm_ops = &snd_pcm_vm_ops_data_fault;
--- /dev/null
+From b00214865d65100163574ba250008f182cf90869 Mon Sep 17 00:00:00 2001
+From: Nobutaka Okabe <nob77413@gmail.com>
+Date: Fri, 23 Mar 2018 19:49:44 +0900
+Subject: ALSA: usb-audio: Add native DSD support for TEAC UD-301
+
+From: Nobutaka Okabe <nob77413@gmail.com>
+
+commit b00214865d65100163574ba250008f182cf90869 upstream.
+
+Add native DSD support quirk for TEAC UD-301 DAC,
+by adding the PID/VID 0644:804a.
+
+Signed-off-by: Nobutaka Okabe <nob77413@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/quirks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1171,6 +1171,7 @@ static bool is_teac_dsd_dac(unsigned int
+ switch (id) {
+ case USB_ID(0x0644, 0x8043): /* TEAC UD-501/UD-503/NT-503 */
+ case USB_ID(0x0644, 0x8044): /* Esoteric D-05X */
++ case USB_ID(0x0644, 0x804a): /* TEAC UD-301 */
+ return true;
+ }
+ return false;
--- /dev/null
+From 1328f02005bbbaed15b9d5b7f3ab5ec9d4d5268a Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Mon, 22 Jan 2018 12:20:26 +0100
+Subject: ARM: 8746/1: vfp: Go back to clearing vfp_current_hw_state[]
+
+From: Fabio Estevam <festevam@gmail.com>
+
+commit 1328f02005bbbaed15b9d5b7f3ab5ec9d4d5268a upstream.
+
+Commit 384b38b66947 ("ARM: 7873/1: vfp: clear vfp_current_hw_state
+for dying cpu") fixed the cpu dying notifier by clearing
+vfp_current_hw_state[]. However commit e5b61bafe704 ("arm: Convert VFP
+hotplug notifiers to state machine") incorrectly used the original
+vfp_force_reload() function in the cpu dying notifier.
+
+Fix it by going back to clearing vfp_current_hw_state[].
+
+Fixes: e5b61bafe704 ("arm: Convert VFP hotplug notifiers to state machine")
+Cc: linux-stable <stable@vger.kernel.org>
+Reported-by: Kohji Okuno <okuno.kohji@jp.panasonic.com>
+Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/vfp/vfpmodule.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/vfp/vfpmodule.c
++++ b/arch/arm/vfp/vfpmodule.c
+@@ -648,7 +648,7 @@ int vfp_restore_user_hwstate(struct user
+ */
+ static int vfp_dying_cpu(unsigned int cpu)
+ {
+- vfp_force_reload(cpu, current_thread_info());
++ vfp_current_hw_state[cpu] = NULL;
+ return 0;
+ }
+
--- /dev/null
+From 70b8d21496758dd7ff600ec9de0ee3812fac7a40 Mon Sep 17 00:00:00 2001
+From: Philipp Rossak <embed3d@gmail.com>
+Date: Wed, 14 Feb 2018 15:10:25 +0100
+Subject: ARM: dts: sun6i: a31s: bpi-m2: add missing regulators
+
+From: Philipp Rossak <embed3d@gmail.com>
+
+commit 70b8d21496758dd7ff600ec9de0ee3812fac7a40 upstream.
+
+This patch fixes a bootproblem with the Bananapi M2 board. Since there
+are some regulators missing we add them right now. Those values come
+from the schematic, below you can find a small overview:
+
+* reg_aldo1: 3,3V, powers the wifi
+* reg_aldo2: 2,5V, powers the IO of the RTL8211E
+* reg_aldo3: 3,3V, powers the audio
+
+* reg_dldo1: 3,0V, powers the RTL8211E
+* reg_dldo2: 2,8V, powers the analog part of the csi
+* reg_dldo3: 3,3V, powers misc
+* reg_eldo1: 1,8V, powers the csi
+* reg_ldo_io1:1,8V, powers the gpio
+
+* reg_dc5ldo: needs to be always on
+
+This patch updates also the vmmc-supply properties on the mmc0 and mmc2
+node to use the allready existent regulators.
+We can now remove the sunxi-common-regulators.dtsi include since we
+don't need it anymore.
+
+Fixes: 7daa21370075 ("ARM: dts: sunxi: Add regulators for Sinovoip BPI-M2")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Philipp Rossak <embed3d@gmail.com>
+Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/sun6i-a31s-sinovoip-bpi-m2.dts | 61 +++++++++++++++++++++--
+ 1 file changed, 58 insertions(+), 3 deletions(-)
+
+--- a/arch/arm/boot/dts/sun6i-a31s-sinovoip-bpi-m2.dts
++++ b/arch/arm/boot/dts/sun6i-a31s-sinovoip-bpi-m2.dts
+@@ -42,7 +42,6 @@
+
+ /dts-v1/;
+ #include "sun6i-a31s.dtsi"
+-#include "sunxi-common-regulators.dtsi"
+ #include <dt-bindings/gpio/gpio.h>
+
+ / {
+@@ -99,6 +98,7 @@
+ pinctrl-0 = <&gmac_pins_rgmii_a>, <&gmac_phy_reset_pin_bpi_m2>;
+ phy = <&phy1>;
+ phy-mode = "rgmii";
++ phy-supply = <®_dldo1>;
+ snps,reset-gpio = <&pio 0 21 GPIO_ACTIVE_HIGH>; /* PA21 */
+ snps,reset-active-low;
+ snps,reset-delays-us = <0 10000 30000>;
+@@ -118,7 +118,7 @@
+ &mmc0 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&mmc0_pins_a>, <&mmc0_cd_pin_bpi_m2>;
+- vmmc-supply = <®_vcc3v0>;
++ vmmc-supply = <®_dcdc1>;
+ bus-width = <4>;
+ cd-gpios = <&pio 0 4 GPIO_ACTIVE_HIGH>; /* PA4 */
+ cd-inverted;
+@@ -132,7 +132,7 @@
+ &mmc2 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&mmc2_pins_a>;
+- vmmc-supply = <®_vcc3v0>;
++ vmmc-supply = <®_aldo1>;
+ mmc-pwrseq = <&mmc2_pwrseq>;
+ bus-width = <4>;
+ non-removable;
+@@ -195,7 +195,28 @@
+
+ #include "axp22x.dtsi"
+
++®_aldo1 {
++ regulator-min-microvolt = <3300000>;
++ regulator-max-microvolt = <3300000>;
++ regulator-name = "vcc-wifi";
++};
++
++®_aldo2 {
++ regulator-always-on;
++ regulator-min-microvolt = <2500000>;
++ regulator-max-microvolt = <2500000>;
++ regulator-name = "vcc-gmac";
++};
++
++®_aldo3 {
++ regulator-always-on;
++ regulator-min-microvolt = <3000000>;
++ regulator-max-microvolt = <3000000>;
++ regulator-name = "avcc";
++};
++
+ ®_dc5ldo {
++ regulator-always-on;
+ regulator-min-microvolt = <700000>;
+ regulator-max-microvolt = <1320000>;
+ regulator-name = "vdd-cpus";
+@@ -235,6 +256,40 @@
+ regulator-name = "vcc-dram";
+ };
+
++®_dldo1 {
++ regulator-min-microvolt = <3000000>;
++ regulator-max-microvolt = <3000000>;
++ regulator-name = "vcc-mac";
++};
++
++®_dldo2 {
++ regulator-min-microvolt = <2800000>;
++ regulator-max-microvolt = <2800000>;
++ regulator-name = "avdd-csi";
++};
++
++®_dldo3 {
++ regulator-always-on;
++ regulator-min-microvolt = <3300000>;
++ regulator-max-microvolt = <3300000>;
++ regulator-name = "vcc-pb";
++};
++
++®_eldo1 {
++ regulator-min-microvolt = <1800000>;
++ regulator-max-microvolt = <1800000>;
++ regulator-name = "vdd-csi";
++ status = "okay";
++};
++
++®_ldo_io1 {
++ regulator-always-on;
++ regulator-min-microvolt = <1800000>;
++ regulator-max-microvolt = <1800000>;
++ regulator-name = "vcc-pm-cpus";
++ status = "okay";
++};
++
+ &uart0 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&uart0_pins_a>;
--- /dev/null
+From b23af6ad8d2f708c4c3f92dd8f82c233247ba8bf Mon Sep 17 00:00:00 2001
+From: Philipp Rossak <embed3d@gmail.com>
+Date: Wed, 14 Feb 2018 15:10:24 +0100
+Subject: ARM: dts: sun6i: a31s: bpi-m2: improve pmic properties
+
+From: Philipp Rossak <embed3d@gmail.com>
+
+commit b23af6ad8d2f708c4c3f92dd8f82c233247ba8bf upstream.
+
+The eldoin is supplied from the dcdc1 regulator. The N_VBUSEN pin is
+connected to an external power regulator (SY6280AAC).
+With this commit we update the pmic binding properties to support
+those features.
+
+Fixes: 7daa21370075 ("ARM: dts: sunxi: Add regulators for Sinovoip BPI-M2")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Philipp Rossak <embed3d@gmail.com>
+Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/sun6i-a31s-sinovoip-bpi-m2.dts | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm/boot/dts/sun6i-a31s-sinovoip-bpi-m2.dts
++++ b/arch/arm/boot/dts/sun6i-a31s-sinovoip-bpi-m2.dts
+@@ -163,6 +163,8 @@
+ reg = <0x68>;
+ interrupt-parent = <&nmi_intc>;
+ interrupts = <0 IRQ_TYPE_LEVEL_LOW>;
++ eldoin-supply = <®_dcdc1>;
++ x-powers,drive-vbus-en;
+ };
+ };
+
--- /dev/null
+From eb85a355c3afd9379f5953cfe2df73632d14c884 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Wed, 21 Mar 2018 08:16:29 -0700
+Subject: ARM: OMAP: Fix SRAM W+X mapping
+
+From: Tony Lindgren <tony@atomide.com>
+
+commit eb85a355c3afd9379f5953cfe2df73632d14c884 upstream.
+
+We are still using custom SRAM code for some SoCs and are not marking
+the PM code mapped to SRAM as read-only and executable after we're
+done. With CONFIG_DEBUG_WX=y, we will get "Found insecure W+X mapping
+at address" warning.
+
+Let's fix this issue the same way as commit 728bbe75c82f ("misc: sram:
+Introduce support code for protect-exec sram type") is doing for
+drivers/misc/sram-exec.c.
+
+On omap3, we need to restore SRAM when returning from off mode after
+idle, so init time configuration is not enough.
+
+And as we no longer have users for omap_sram_push_address() we can
+make it static while at it.
+
+Note that eventually we should be using sram-exec.c for all SoCs.
+
+Cc: stable@vger.kernel.org # v4.12+
+Cc: Dave Gerlach <d-gerlach@ti.com>
+Reported-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/plat-omap/include/plat/sram.h | 11 ----------
+ arch/arm/plat-omap/sram.c | 36 ++++++++++++++++++++++++++++++++-
+ 2 files changed, 36 insertions(+), 11 deletions(-)
+
+--- a/arch/arm/plat-omap/include/plat/sram.h
++++ b/arch/arm/plat-omap/include/plat/sram.h
+@@ -5,13 +5,4 @@ void omap_map_sram(unsigned long start,
+ unsigned long skip, int cached);
+ void omap_sram_reset(void);
+
+-extern void *omap_sram_push_address(unsigned long size);
+-
+-/* Macro to push a function to the internal SRAM, using the fncpy API */
+-#define omap_sram_push(funcp, size) ({ \
+- typeof(&(funcp)) _res = NULL; \
+- void *_sram_address = omap_sram_push_address(size); \
+- if (_sram_address) \
+- _res = fncpy(_sram_address, &(funcp), size); \
+- _res; \
+-})
++extern void *omap_sram_push(void *funcp, unsigned long size);
+--- a/arch/arm/plat-omap/sram.c
++++ b/arch/arm/plat-omap/sram.c
+@@ -23,6 +23,7 @@
+ #include <asm/fncpy.h>
+ #include <asm/tlb.h>
+ #include <asm/cacheflush.h>
++#include <asm/set_memory.h>
+
+ #include <asm/mach/map.h>
+
+@@ -42,7 +43,7 @@ static void __iomem *omap_sram_ceil;
+ * Note that fncpy requires the returned address to be aligned
+ * to an 8-byte boundary.
+ */
+-void *omap_sram_push_address(unsigned long size)
++static void *omap_sram_push_address(unsigned long size)
+ {
+ unsigned long available, new_ceil = (unsigned long)omap_sram_ceil;
+
+@@ -60,6 +61,30 @@ void *omap_sram_push_address(unsigned lo
+ return (void *)omap_sram_ceil;
+ }
+
++void *omap_sram_push(void *funcp, unsigned long size)
++{
++ void *sram;
++ unsigned long base;
++ int pages;
++ void *dst = NULL;
++
++ sram = omap_sram_push_address(size);
++ if (!sram)
++ return NULL;
++
++ base = (unsigned long)sram & PAGE_MASK;
++ pages = PAGE_ALIGN(size) / PAGE_SIZE;
++
++ set_memory_rw(base, pages);
++
++ dst = fncpy(sram, funcp, size);
++
++ set_memory_ro(base, pages);
++ set_memory_x(base, pages);
++
++ return dst;
++}
++
+ /*
+ * The SRAM context is lost during off-idle and stack
+ * needs to be reset.
+@@ -75,6 +100,9 @@ void omap_sram_reset(void)
+ void __init omap_map_sram(unsigned long start, unsigned long size,
+ unsigned long skip, int cached)
+ {
++ unsigned long base;
++ int pages;
++
+ if (size == 0)
+ return;
+
+@@ -95,4 +123,10 @@ void __init omap_map_sram(unsigned long
+ */
+ memset_io(omap_sram_base + omap_sram_skip, 0,
+ omap_sram_size - omap_sram_skip);
++
++ base = (unsigned long)omap_sram_base;
++ pages = PAGE_ALIGN(omap_sram_size) / PAGE_SIZE;
++
++ set_memory_ro(base, pages);
++ set_memory_x(base, pages);
+ }
--- /dev/null
+From 85784f9395987a422fa04263e7c0fb13da11eb5c Mon Sep 17 00:00:00 2001
+From: "Yan, Zheng" <zyan@redhat.com>
+Date: Fri, 16 Mar 2018 11:22:29 +0800
+Subject: ceph: only dirty ITER_IOVEC pages for direct read
+
+From: Yan, Zheng <zyan@redhat.com>
+
+commit 85784f9395987a422fa04263e7c0fb13da11eb5c upstream.
+
+If a page is already locked, attempting to dirty it leads to a deadlock
+in lock_page(). This is what currently happens to ITER_BVEC pages when
+a dio-enabled loop device is backed by ceph:
+
+ $ losetup --direct-io /dev/loop0 /mnt/cephfs/img
+ $ xfs_io -c 'pread 0 4k' /dev/loop0
+
+Follow other file systems and only dirty ITER_IOVEC pages.
+
+Cc: stable@kernel.org
+Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/file.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/fs/ceph/file.c
++++ b/fs/ceph/file.c
+@@ -635,7 +635,8 @@ static ssize_t ceph_sync_read(struct kio
+ struct ceph_aio_request {
+ struct kiocb *iocb;
+ size_t total_len;
+- int write;
++ bool write;
++ bool should_dirty;
+ int error;
+ struct list_head osd_reqs;
+ unsigned num_reqs;
+@@ -745,7 +746,7 @@ static void ceph_aio_complete_req(struct
+ }
+ }
+
+- ceph_put_page_vector(osd_data->pages, num_pages, !aio_req->write);
++ ceph_put_page_vector(osd_data->pages, num_pages, aio_req->should_dirty);
+ ceph_osdc_put_request(req);
+
+ if (rc < 0)
+@@ -842,6 +843,7 @@ ceph_direct_read_write(struct kiocb *ioc
+ size_t count = iov_iter_count(iter);
+ loff_t pos = iocb->ki_pos;
+ bool write = iov_iter_rw(iter) == WRITE;
++ bool should_dirty = !write && iter_is_iovec(iter);
+
+ if (write && ceph_snap(file_inode(file)) != CEPH_NOSNAP)
+ return -EROFS;
+@@ -909,6 +911,7 @@ ceph_direct_read_write(struct kiocb *ioc
+ if (aio_req) {
+ aio_req->iocb = iocb;
+ aio_req->write = write;
++ aio_req->should_dirty = should_dirty;
+ INIT_LIST_HEAD(&aio_req->osd_reqs);
+ if (write) {
+ aio_req->mtime = mtime;
+@@ -966,7 +969,7 @@ ceph_direct_read_write(struct kiocb *ioc
+ len = ret;
+ }
+
+- ceph_put_page_vector(pages, num_pages, !write);
++ ceph_put_page_vector(pages, num_pages, should_dirty);
+
+ ceph_osdc_put_request(req);
+ if (ret < 0)
--- /dev/null
+From 771b7bf05339081019d22452ebcab6929372e13e Mon Sep 17 00:00:00 2001
+From: Pierre-Yves MORDRET <pierre-yves.mordret@st.com>
+Date: Wed, 21 Mar 2018 17:48:40 +0100
+Subject: i2c: i2c-stm32f7: fix no check on returned setup
+
+From: Pierre-Yves MORDRET <pierre-yves.mordret@st.com>
+
+commit 771b7bf05339081019d22452ebcab6929372e13e upstream.
+
+Before assigning returned setup structure check if not null
+
+Fixes: 463a9215f3ca7600b5ff ("i2c: stm32f7: fix setup structure")
+Signed-off-by: Pierre-Yves MORDRET <pierre-yves.mordret@st.com>
+Acked-by: Alexandre TORGUE <alexandre.torgue@st.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-stm32f7.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-stm32f7.c
++++ b/drivers/i2c/busses/i2c-stm32f7.c
+@@ -888,6 +888,11 @@ static int stm32f7_i2c_probe(struct plat
+ }
+
+ setup = of_device_get_match_data(&pdev->dev);
++ if (!setup) {
++ dev_err(&pdev->dev, "Can't get device data\n");
++ ret = -ENODEV;
++ goto clk_free;
++ }
+ i2c_dev->setup = *setup;
+
+ ret = device_property_read_u32(i2c_dev->dev, "i2c-scl-rising-time-ns",
--- /dev/null
+From 3d942ee079b917b24e2a0c5f18d35ac8ec9fee48 Mon Sep 17 00:00:00 2001
+From: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Wed, 28 Mar 2018 16:01:01 -0700
+Subject: ipc/shm.c: add split function to shm_vm_ops
+
+From: Mike Kravetz <mike.kravetz@oracle.com>
+
+commit 3d942ee079b917b24e2a0c5f18d35ac8ec9fee48 upstream.
+
+If System V shmget/shmat operations are used to create a hugetlbfs
+backed mapping, it is possible to munmap part of the mapping and split
+the underlying vma such that it is not huge page aligned. This will
+untimately result in the following BUG:
+
+ kernel BUG at /build/linux-jWa1Fv/linux-4.15.0/mm/hugetlb.c:3310!
+ Oops: Exception in kernel mode, sig: 5 [#1]
+ LE SMP NR_CPUS=2048 NUMA PowerNV
+ Modules linked in: kcm nfc af_alg caif_socket caif phonet fcrypt
+ CPU: 18 PID: 43243 Comm: trinity-subchil Tainted: G C E 4.15.0-10-generic #11-Ubuntu
+ NIP: c00000000036e764 LR: c00000000036ee48 CTR: 0000000000000009
+ REGS: c000003fbcdcf810 TRAP: 0700 Tainted: G C E (4.15.0-10-generic)
+ MSR: 9000000000029033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 24002222 XER: 20040000
+ CFAR: c00000000036ee44 SOFTE: 1
+ NIP __unmap_hugepage_range+0xa4/0x760
+ LR __unmap_hugepage_range_final+0x28/0x50
+ Call Trace:
+ 0x7115e4e00000 (unreliable)
+ __unmap_hugepage_range_final+0x28/0x50
+ unmap_single_vma+0x11c/0x190
+ unmap_vmas+0x94/0x140
+ exit_mmap+0x9c/0x1d0
+ mmput+0xa8/0x1d0
+ do_exit+0x360/0xc80
+ do_group_exit+0x60/0x100
+ SyS_exit_group+0x24/0x30
+ system_call+0x58/0x6c
+ ---[ end trace ee88f958a1c62605 ]---
+
+This bug was introduced by commit 31383c6865a5 ("mm, hugetlbfs:
+introduce ->split() to vm_operations_struct"). A split function was
+added to vm_operations_struct to determine if a mapping can be split.
+This was mostly for device-dax and hugetlbfs mappings which have
+specific alignment constraints.
+
+Mappings initiated via shmget/shmat have their original vm_ops
+overwritten with shm_vm_ops. shm_vm_ops functions will call back to the
+original vm_ops if needed. Add such a split function to shm_vm_ops.
+
+Link: http://lkml.kernel.org/r/20180321161314.7711-1-mike.kravetz@oracle.com
+Fixes: 31383c6865a5 ("mm, hugetlbfs: introduce ->split() to vm_operations_struct")
+Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+Reported-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
+Reviewed-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
+Tested-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
+Reviewed-by: Dan Williams <dan.j.williams@intel.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ ipc/shm.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -386,6 +386,17 @@ static int shm_fault(struct vm_fault *vm
+ return sfd->vm_ops->fault(vmf);
+ }
+
++static int shm_split(struct vm_area_struct *vma, unsigned long addr)
++{
++ struct file *file = vma->vm_file;
++ struct shm_file_data *sfd = shm_file_data(file);
++
++ if (sfd->vm_ops && sfd->vm_ops->split)
++ return sfd->vm_ops->split(vma, addr);
++
++ return 0;
++}
++
+ #ifdef CONFIG_NUMA
+ static int shm_set_policy(struct vm_area_struct *vma, struct mempolicy *new)
+ {
+@@ -510,6 +521,7 @@ static const struct vm_operations_struct
+ .open = shm_open, /* callback for a new vm-area open */
+ .close = shm_close, /* callback for when the vm-area is released */
+ .fault = shm_fault,
++ .split = shm_split,
+ #if defined(CONFIG_NUMA)
+ .set_policy = shm_set_policy,
+ .get_policy = shm_get_policy,
--- /dev/null
+From 87a73eb5b56fd6e07c8e499fe8608ef2d8912b82 Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Sat, 3 Mar 2018 23:29:03 +0100
+Subject: mtd: jedec_probe: Fix crash in jedec_read_mfr()
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit 87a73eb5b56fd6e07c8e499fe8608ef2d8912b82 upstream.
+
+It turns out that the loop where we read manufacturer
+jedec_read_mfd() can under some circumstances get a
+CFI_MFR_CONTINUATION repeatedly, making the loop go
+over all banks and eventually hit the end of the
+map and crash because of an access violation:
+
+Unable to handle kernel paging request at virtual address c4980000
+pgd = (ptrval)
+[c4980000] *pgd=03808811, *pte=00000000, *ppte=00000000
+Internal error: Oops: 7 [#1] PREEMPT ARM
+CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc1+ #150
+Hardware name: Gemini (Device Tree)
+PC is at jedec_probe_chip+0x6ec/0xcd0
+LR is at 0x4
+pc : [<c03a2bf4>] lr : [<00000004>] psr: 60000013
+sp : c382dd18 ip : 0000ffff fp : 00000000
+r10: c0626388 r9 : 00020000 r8 : c0626340
+r7 : 00000000 r6 : 00000001 r5 : c3a71afc r4 : c382dd70
+r3 : 00000001 r2 : c4900000 r1 : 00000002 r0 : 00080000
+Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+Control: 0000397f Table: 00004000 DAC: 00000053
+Process swapper (pid: 1, stack limit = 0x(ptrval))
+
+Fix this by breaking the loop with a return 0 if
+the offset exceeds the map size.
+
+Fixes: 5c9c11e1c47c ("[MTD] [NOR] Add support for flash chips with ID in bank other than 0")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/chips/jedec_probe.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mtd/chips/jedec_probe.c
++++ b/drivers/mtd/chips/jedec_probe.c
+@@ -1889,6 +1889,8 @@ static inline u32 jedec_read_mfr(struct
+ do {
+ uint32_t ofs = cfi_build_cmd_addr(0 + (bank << 8), map, cfi);
+ mask = (1 << (cfi->device_type * 8)) - 1;
++ if (ofs >= map->size)
++ return 0;
+ result = map_read(map, base + ofs);
+ bank++;
+ } while ((result.x[0] & mask) == CFI_MFR_CONTINUATION);
--- /dev/null
+From 2b1b1b4ac716fd929a2d221bd4ade62263bed915 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@bootlin.com>
+Date: Tue, 27 Mar 2018 19:01:58 +0200
+Subject: mtd: nand: atmel: Fix get_sectorsize() function
+
+From: Boris Brezillon <boris.brezillon@bootlin.com>
+
+commit 2b1b1b4ac716fd929a2d221bd4ade62263bed915 upstream.
+
+get_sectorsize() was not using the appropriate macro to extract the
+ECC sector size from the config cache, which led to buggy ECC when
+using 1024 byte sectors.
+
+Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
+Cc: <stable@vger.kernel.org>
+Reported-by: Olivier Schonken <olivier.schonken@gmail.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Reviewed-by: Richard Weinberger <richard@nod.at>
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Tested-by: Olivier Schonken <olivier.schonken@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/atmel/pmecc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/atmel/pmecc.c
++++ b/drivers/mtd/nand/atmel/pmecc.c
+@@ -426,7 +426,7 @@ static int get_strength(struct atmel_pme
+
+ static int get_sectorsize(struct atmel_pmecc_user *user)
+ {
+- return user->cache.cfg & PMECC_LOOKUP_TABLE_SIZE_1024 ? 1024 : 512;
++ return user->cache.cfg & PMECC_CFG_SECTOR1024 ? 1024 : 512;
+ }
+
+ static void atmel_pmecc_gen_syndrome(struct atmel_pmecc_user *user, int sector)
--- /dev/null
+From f67b15037a7a50c57f72e69a6d59941ad90a0f0f Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 26 Mar 2018 15:39:07 -1000
+Subject: perf/hwbp: Simplify the perf-hwbp code, fix documentation
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit f67b15037a7a50c57f72e69a6d59941ad90a0f0f upstream.
+
+Annoyingly, modify_user_hw_breakpoint() unnecessarily complicates the
+modification of a breakpoint - simplify it and remove the pointless
+local variables.
+
+Also update the stale Docbook while at it.
+
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: <stable@vger.kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/hw_breakpoint.c | 30 +++++++-----------------------
+ 1 file changed, 7 insertions(+), 23 deletions(-)
+
+--- a/kernel/events/hw_breakpoint.c
++++ b/kernel/events/hw_breakpoint.c
+@@ -427,16 +427,9 @@ EXPORT_SYMBOL_GPL(register_user_hw_break
+ * modify_user_hw_breakpoint - modify a user-space hardware breakpoint
+ * @bp: the breakpoint structure to modify
+ * @attr: new breakpoint attributes
+- * @triggered: callback to trigger when we hit the breakpoint
+- * @tsk: pointer to 'task_struct' of the process to which the address belongs
+ */
+ int modify_user_hw_breakpoint(struct perf_event *bp, struct perf_event_attr *attr)
+ {
+- u64 old_addr = bp->attr.bp_addr;
+- u64 old_len = bp->attr.bp_len;
+- int old_type = bp->attr.bp_type;
+- int err = 0;
+-
+ /*
+ * modify_user_hw_breakpoint can be invoked with IRQs disabled and hence it
+ * will not be possible to raise IPIs that invoke __perf_event_disable.
+@@ -451,27 +444,18 @@ int modify_user_hw_breakpoint(struct per
+ bp->attr.bp_addr = attr->bp_addr;
+ bp->attr.bp_type = attr->bp_type;
+ bp->attr.bp_len = attr->bp_len;
++ bp->attr.disabled = 1;
+
+- if (attr->disabled)
+- goto end;
+-
+- err = validate_hw_breakpoint(bp);
+- if (!err)
+- perf_event_enable(bp);
++ if (!attr->disabled) {
++ int err = validate_hw_breakpoint(bp);
+
+- if (err) {
+- bp->attr.bp_addr = old_addr;
+- bp->attr.bp_type = old_type;
+- bp->attr.bp_len = old_len;
+- if (!bp->attr.disabled)
+- perf_event_enable(bp);
++ if (err)
++ return err;
+
+- return err;
++ perf_event_enable(bp);
++ bp->attr.disabled = 0;
+ }
+
+-end:
+- bp->attr.disabled = attr->disabled;
+-
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(modify_user_hw_breakpoint);
--- /dev/null
+From 52396500f97c53860164debc7d4f759077853423 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Fri, 23 Mar 2018 15:53:38 +1000
+Subject: powerpc/64s: Fix i-side SLB miss bad address handler saving nonvolatile GPRs
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit 52396500f97c53860164debc7d4f759077853423 upstream.
+
+The SLB bad address handler's trap number fixup does not preserve the
+low bit that indicates nonvolatile GPRs have not been saved. This
+leads save_nvgprs to skip saving them, and subsequent functions and
+return from interrupt will think they are saved.
+
+This causes kernel branch-to-garbage debugging to not have correct
+registers, can also cause userspace to have its registers clobbered
+after a segfault.
+
+Fixes: f0f558b131db ("powerpc/mm: Preserve CFAR value on SLB miss caused by access to bogus address")
+Cc: stable@vger.kernel.org # v4.9+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/exceptions-64s.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/exceptions-64s.S
++++ b/arch/powerpc/kernel/exceptions-64s.S
+@@ -706,7 +706,7 @@ EXC_COMMON_BEGIN(bad_addr_slb)
+ ld r3, PACA_EXSLB+EX_DAR(r13)
+ std r3, _DAR(r1)
+ beq cr6, 2f
+- li r10, 0x480 /* fix trap number for I-SLB miss */
++ li r10, 0x481 /* fix trap number for I-SLB miss */
+ std r10, _TRAP(r1)
+ 2: bl save_nvgprs
+ addi r3, r1, STACK_FRAME_OVERHEAD
--- /dev/null
+From ff6781fd1bb404d8a551c02c35c70cec1da17ff1 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Wed, 21 Mar 2018 12:22:28 +1000
+Subject: powerpc/64s: Fix lost pending interrupt due to race causing lost update to irq_happened
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit ff6781fd1bb404d8a551c02c35c70cec1da17ff1 upstream.
+
+force_external_irq_replay() can be called in the do_IRQ path with
+interrupts hard enabled and soft disabled if may_hard_irq_enable() set
+MSR[EE]=1. It updates local_paca->irq_happened with a load, modify,
+store sequence. If a maskable interrupt hits during this sequence, it
+will go to the masked handler to be marked pending in irq_happened.
+This update will be lost when the interrupt returns and the store
+instruction executes. This can result in unpredictable latencies,
+timeouts, lockups, etc.
+
+Fix this by ensuring hard interrupts are disabled before modifying
+irq_happened.
+
+This could cause any maskable asynchronous interrupt to get lost, but
+it was noticed on P9 SMP system doing RDMA NVMe target over 100GbE,
+so very high external interrupt rate and high IPI rate. The hang was
+bisected down to enabling doorbell interrupts for IPIs. These provided
+an interrupt type that could run at high rates in the do_IRQ path,
+stressing the race.
+
+Fixes: 1d607bb3bd60 ("powerpc/irq: Add mechanism to force a replay of interrupts")
+Cc: stable@vger.kernel.org # v4.8+
+Reported-by: Carol L. Soto <clsoto@us.ibm.com>
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/irq.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/arch/powerpc/kernel/irq.c
++++ b/arch/powerpc/kernel/irq.c
+@@ -475,6 +475,14 @@ void force_external_irq_replay(void)
+ */
+ WARN_ON(!arch_irqs_disabled());
+
++ /*
++ * Interrupts must always be hard disabled before irq_happened is
++ * modified (to prevent lost update in case of interrupt between
++ * load and store).
++ */
++ __hard_irq_disable();
++ local_paca->irq_happened |= PACA_IRQ_HARD_DIS;
++
+ /* Indicate in the PACA that we have an interrupt to replay */
+ local_paca->irq_happened |= PACA_IRQ_EE;
+ }
--- /dev/null
+From aff6f8cb3e2170b9e58b0932bce7bfb492775e23 Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Fri, 23 Mar 2018 09:29:05 +1100
+Subject: powerpc/mm: Add tracking of the number of coprocessors using a context
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit aff6f8cb3e2170b9e58b0932bce7bfb492775e23 upstream.
+
+Currently, when using coprocessors (which use the Nest MMU), we
+simply increment the active_cpu count to force all TLB invalidations
+to be come broadcast.
+
+Unfortunately, due to an errata in POWER9, we will need to know
+more specifically that coprocessors are in use.
+
+This maintains a separate copros counter in the MMU context for
+that purpose.
+
+NB. The commit mentioned in the fixes tag below is not at fault for
+the bug we're fixing in this commit and the next, but this fix applies
+on top the infrastructure it introduced.
+
+Fixes: 03b8abedf4f4 ("cxl: Enable global TLBIs for cxl contexts")
+Cc: stable@vger.kernel.org # v4.15+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Tested-by: Balbir Singh <bsingharora@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/book3s/64/mmu.h | 3 +++
+ arch/powerpc/include/asm/mmu_context.h | 18 +++++++++++++-----
+ arch/powerpc/mm/mmu_context_book3s64.c | 1 +
+ 3 files changed, 17 insertions(+), 5 deletions(-)
+
+--- a/arch/powerpc/include/asm/book3s/64/mmu.h
++++ b/arch/powerpc/include/asm/book3s/64/mmu.h
+@@ -87,6 +87,9 @@ typedef struct {
+ /* Number of bits in the mm_cpumask */
+ atomic_t active_cpus;
+
++ /* Number of users of the external (Nest) MMU */
++ atomic_t copros;
++
+ /* NPU NMMU context */
+ struct npu_context *npu_context;
+
+--- a/arch/powerpc/include/asm/mmu_context.h
++++ b/arch/powerpc/include/asm/mmu_context.h
+@@ -92,15 +92,23 @@ static inline void dec_mm_active_cpus(st
+ static inline void mm_context_add_copro(struct mm_struct *mm)
+ {
+ /*
+- * On hash, should only be called once over the lifetime of
+- * the context, as we can't decrement the active cpus count
+- * and flush properly for the time being.
++ * If any copro is in use, increment the active CPU count
++ * in order to force TLB invalidations to be global as to
++ * propagate to the Nest MMU.
+ */
+- inc_mm_active_cpus(mm);
++ if (atomic_inc_return(&mm->context.copros) == 1)
++ inc_mm_active_cpus(mm);
+ }
+
+ static inline void mm_context_remove_copro(struct mm_struct *mm)
+ {
++ int c;
++
++ c = atomic_dec_if_positive(&mm->context.copros);
++
++ /* Detect imbalance between add and remove */
++ WARN_ON(c < 0);
++
+ /*
+ * Need to broadcast a global flush of the full mm before
+ * decrementing active_cpus count, as the next TLBI may be
+@@ -111,7 +119,7 @@ static inline void mm_context_remove_cop
+ * for the time being. Invalidations will remain global if
+ * used on hash.
+ */
+- if (radix_enabled()) {
++ if (c == 0 && radix_enabled()) {
+ flush_all_mm(mm);
+ dec_mm_active_cpus(mm);
+ }
+--- a/arch/powerpc/mm/mmu_context_book3s64.c
++++ b/arch/powerpc/mm/mmu_context_book3s64.c
+@@ -171,6 +171,7 @@ int init_new_context(struct task_struct
+ mm_iommu_init(mm);
+ #endif
+ atomic_set(&mm->context.active_cpus, 0);
++ atomic_set(&mm->context.copros, 0);
+
+ return 0;
+ }
--- /dev/null
+From 80a4ae202f2d319eced8bbf612a4e8b0f11c21f5 Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Fri, 23 Mar 2018 09:29:06 +1100
+Subject: powerpc/mm: Workaround Nest MMU bug with TLB invalidations
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit 80a4ae202f2d319eced8bbf612a4e8b0f11c21f5 upstream.
+
+On POWER9 the Nest MMU may fail to invalidate some translations when
+doing a tlbie "by PID" or "by LPID" that is targeted at the TLB only
+and not the page walk cache.
+
+This works around it by forcing such invalidations to escalate to
+RIC=2 (full invalidation of TLB *and* PWC) when a coprocessor is in
+use for the context.
+
+Fixes: 03b8abedf4f4 ("cxl: Enable global TLBIs for cxl contexts")
+Cc: stable@vger.kernel.org # v4.15+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Balbir Singh <bsingharora@gmail.com>
+[balbirs: fixed spelling and coding style to quiesce checkpatch.pl]
+Tested-by: Balbir Singh <bsingharora@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/tlb-radix.c | 50 +++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 43 insertions(+), 7 deletions(-)
+
+--- a/arch/powerpc/mm/tlb-radix.c
++++ b/arch/powerpc/mm/tlb-radix.c
+@@ -85,7 +85,23 @@ static inline void _tlbiel_pid(unsigned
+ static inline void _tlbie_pid(unsigned long pid, unsigned long ric)
+ {
+ asm volatile("ptesync": : :"memory");
+- __tlbie_pid(pid, ric);
++
++ /*
++ * Workaround the fact that the "ric" argument to __tlbie_pid
++ * must be a compile-time contraint to match the "i" constraint
++ * in the asm statement.
++ */
++ switch (ric) {
++ case RIC_FLUSH_TLB:
++ __tlbie_pid(pid, RIC_FLUSH_TLB);
++ break;
++ case RIC_FLUSH_PWC:
++ __tlbie_pid(pid, RIC_FLUSH_PWC);
++ break;
++ case RIC_FLUSH_ALL:
++ default:
++ __tlbie_pid(pid, RIC_FLUSH_ALL);
++ }
+ asm volatile("eieio; tlbsync; ptesync": : :"memory");
+ }
+
+@@ -245,6 +261,16 @@ void radix__local_flush_tlb_page(struct
+ }
+ EXPORT_SYMBOL(radix__local_flush_tlb_page);
+
++static bool mm_needs_flush_escalation(struct mm_struct *mm)
++{
++ /*
++ * P9 nest MMU has issues with the page walk cache
++ * caching PTEs and not flushing them properly when
++ * RIC = 0 for a PID/LPID invalidate
++ */
++ return atomic_read(&mm->context.copros) != 0;
++}
++
+ #ifdef CONFIG_SMP
+ void radix__flush_tlb_mm(struct mm_struct *mm)
+ {
+@@ -255,9 +281,12 @@ void radix__flush_tlb_mm(struct mm_struc
+ return;
+
+ preempt_disable();
+- if (!mm_is_thread_local(mm))
+- _tlbie_pid(pid, RIC_FLUSH_TLB);
+- else
++ if (!mm_is_thread_local(mm)) {
++ if (mm_needs_flush_escalation(mm))
++ _tlbie_pid(pid, RIC_FLUSH_ALL);
++ else
++ _tlbie_pid(pid, RIC_FLUSH_TLB);
++ } else
+ _tlbiel_pid(pid, RIC_FLUSH_TLB);
+ preempt_enable();
+ }
+@@ -369,10 +398,14 @@ void radix__flush_tlb_range(struct vm_ar
+ }
+
+ if (full) {
+- if (local)
++ if (local) {
+ _tlbiel_pid(pid, RIC_FLUSH_TLB);
+- else
+- _tlbie_pid(pid, RIC_FLUSH_TLB);
++ } else {
++ if (mm_needs_flush_escalation(mm))
++ _tlbie_pid(pid, RIC_FLUSH_ALL);
++ else
++ _tlbie_pid(pid, RIC_FLUSH_TLB);
++ }
+ } else {
+ bool hflush = false;
+ unsigned long hstart, hend;
+@@ -482,6 +515,9 @@ static inline void __radix__flush_tlb_ra
+ }
+
+ if (full) {
++ if (!local && mm_needs_flush_escalation(mm))
++ also_pwc = true;
++
+ if (local)
+ _tlbiel_pid(pid, also_pwc ? RIC_FLUSH_ALL : RIC_FLUSH_TLB);
+ else
--- /dev/null
+From 151ad17fbe5e56afa59709f41980508672c777ce Mon Sep 17 00:00:00 2001
+From: Andrew Banman <abanman@hpe.com>
+Date: Tue, 27 Mar 2018 17:09:06 -0500
+Subject: x86/platform/uv/BAU: Add APIC idt entry
+
+From: Andrew Banman <abanman@hpe.com>
+
+commit 151ad17fbe5e56afa59709f41980508672c777ce upstream.
+
+BAU uses the old alloc_initr_gate90 method to setup its interrupt. This
+fails silently as the BAU vector is in the range of APIC vectors that are
+registered to the spurious interrupt handler. As a consequence BAU
+broadcasts are not handled, and the broadcast source CPU hangs.
+
+Update BAU to use new idt structure.
+
+Fixes: dc20b2d52653 ("x86/idt: Move interrupt gate initialization to IDT code")
+Signed-off-by: Andrew Banman <abanman@hpe.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Mike Travis <mike.travis@hpe.com>
+Cc: Dimitri Sivanich <sivanich@hpe.com>
+Cc: Russ Anderson <rja@hpe.com>
+Cc: stable@vger.kernel.org
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Link: https://lkml.kernel.org/r/1522188546-196177-1-git-send-email-abanman@hpe.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/hw_irq.h | 1 +
+ arch/x86/kernel/idt.c | 3 +++
+ arch/x86/platform/uv/tlb_uv.c | 2 --
+ 3 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/hw_irq.h
++++ b/arch/x86/include/asm/hw_irq.h
+@@ -36,6 +36,7 @@ extern asmlinkage void kvm_posted_intr_w
+ extern asmlinkage void kvm_posted_intr_nested_ipi(void);
+ extern asmlinkage void error_interrupt(void);
+ extern asmlinkage void irq_work_interrupt(void);
++extern asmlinkage void uv_bau_message_intr1(void);
+
+ extern asmlinkage void spurious_interrupt(void);
+ extern asmlinkage void thermal_interrupt(void);
+--- a/arch/x86/kernel/idt.c
++++ b/arch/x86/kernel/idt.c
+@@ -140,6 +140,9 @@ static const __initconst struct idt_data
+ # ifdef CONFIG_IRQ_WORK
+ INTG(IRQ_WORK_VECTOR, irq_work_interrupt),
+ # endif
++#ifdef CONFIG_X86_UV
++ INTG(UV_BAU_MESSAGE, uv_bau_message_intr1),
++#endif
+ INTG(SPURIOUS_APIC_VECTOR, spurious_interrupt),
+ INTG(ERROR_APIC_VECTOR, error_interrupt),
+ #endif
+--- a/arch/x86/platform/uv/tlb_uv.c
++++ b/arch/x86/platform/uv/tlb_uv.c
+@@ -2254,8 +2254,6 @@ static int __init uv_bau_init(void)
+ init_uvhub(uvhub, vector, uv_base_pnode);
+ }
+
+- alloc_intr_gate(vector, uv_bau_message_intr1);
+-
+ for_each_possible_blade(uvhub) {
+ if (uv_blade_nr_possible_cpus(uvhub)) {
+ unsigned long val;
projects / thirdparty / kernel / stable-queue.git / commitdiff
