--- /dev/null
+From 84583cfb973c4313955c6231cc9cb3772d280b15 Mon Sep 17 00:00:00 2001
+From: "Yan, Zheng" <zyan@redhat.com>
+Date: Thu, 6 Jul 2017 11:12:21 +0800
+Subject: ceph: fix race in concurrent readdir
+
+From: Yan, Zheng <zyan@redhat.com>
+
+commit 84583cfb973c4313955c6231cc9cb3772d280b15 upstream.
+
+For a large directory, program needs to issue multiple readdir
+syscalls to get all dentries. When there are multiple programs
+read the directory concurrently. Following sequence of events
+can happen.
+
+ - program calls readdir with pos = 2. ceph sends readdir request
+ to mds. The reply contains N1 entries. ceph adds these N1 entries
+ to readdir cache.
+ - program calls readdir with pos = N1+2. The readdir is satisfied
+ by the readdir cache, N2 entries are returned. (Other program
+ calls readdir in the middle, which fills the cache)
+ - program calls readdir with pos = N1+N2+2. ceph sends readdir
+ request to mds. The reply contains N3 entries and it reaches
+ directory end. ceph adds these N3 entries to the readdir cache
+ and marks directory complete.
+
+The second readdir call does not update fi->readdir_cache_idx.
+ceph add the last N3 entries to wrong places.
+
+Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/dir.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/ceph/dir.c
++++ b/fs/ceph/dir.c
+@@ -247,6 +247,11 @@ static int __dcache_readdir(struct file
+ if (ret < 0)
+ err = ret;
+ dput(last);
++ /* last_name no longer match cache index */
++ if (fi->readdir_cache_idx >= 0) {
++ fi->readdir_cache_idx = -1;
++ fi->dir_release_count = 0;
++ }
+ }
+ return err;
+ }
--- /dev/null
+From 7f8b3987da54cb4d41ad2545cd4d7958b9a36bdf Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Wed, 19 Jul 2017 14:43:29 +0300
+Subject: drm/mst: Avoid dereferencing a NULL mstb in drm_dp_mst_handle_up_req()
+
+From: Imre Deak <imre.deak@intel.com>
+
+commit 7f8b3987da54cb4d41ad2545cd4d7958b9a36bdf upstream.
+
+In case of an unknown broadcast message is sent mstb will remain unset,
+so check for this.
+
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Lyude <lyude@redhat.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Reviewed-by: Lyude <lyude@redhat.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20170719114330.26540-3-imre.deak@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_dp_mst_topology.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
+@@ -2323,7 +2323,9 @@ static int drm_dp_mst_handle_up_req(stru
+ DRM_DEBUG_KMS("Got RSN: pn: %d avail_pbn %d\n", msg.u.resource_stat.port_number, msg.u.resource_stat.available_pbn);
+ }
+
+- drm_dp_put_mst_branch_device(mstb);
++ if (mstb)
++ drm_dp_put_mst_branch_device(mstb);
++
+ memset(&mgr->up_req_recv, 0, sizeof(struct drm_dp_sideband_msg_rx));
+ }
+ return ret;
--- /dev/null
+From 636c4c3e762b62aa93632c645ca65879285b16e3 Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Wed, 19 Jul 2017 16:46:32 +0300
+Subject: drm/mst: Avoid processing partially received up/down message transactions
+
+From: Imre Deak <imre.deak@intel.com>
+
+commit 636c4c3e762b62aa93632c645ca65879285b16e3 upstream.
+
+Currently we may process up/down message transactions containing
+uninitialized data. This can happen if there was an error during the
+reception of any message in the transaction, but we happened to receive
+the last message correctly with the end-of-message flag set.
+
+To avoid this abort the reception of the transaction when the first
+error is detected, rejecting any messages until a message with the
+start-of-message flag is received (which will start a new transaction).
+This is also what the DP 1.4 spec 2.11.8.2 calls for in this case.
+
+In addtion this also prevents receiving bogus transactions without the
+first message with the the start-of-message flag set.
+
+v2:
+- unchanged
+v3:
+- git add the part that actually skips messages after an error in
+ drm_dp_sideband_msg_build()
+
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Lyude <lyude@redhat.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Reviewed-by: Lyude <lyude@redhat.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20170719134632.13366-1-imre.deak@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_dp_mst_topology.c | 31 ++++++++++++++++++++++++-------
+ 1 file changed, 24 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
+@@ -330,6 +330,13 @@ static bool drm_dp_sideband_msg_build(st
+ return false;
+ }
+
++ /*
++ * ignore out-of-order messages or messages that are part of a
++ * failed transaction
++ */
++ if (!recv_hdr.somt && !msg->have_somt)
++ return false;
++
+ /* get length contained in this portion */
+ msg->curchunk_len = recv_hdr.msg_len;
+ msg->curchunk_hdrlen = hdrlen;
+@@ -2163,7 +2170,7 @@ out_unlock:
+ }
+ EXPORT_SYMBOL(drm_dp_mst_topology_mgr_resume);
+
+-static void drm_dp_get_one_sb_msg(struct drm_dp_mst_topology_mgr *mgr, bool up)
++static bool drm_dp_get_one_sb_msg(struct drm_dp_mst_topology_mgr *mgr, bool up)
+ {
+ int len;
+ u8 replyblock[32];
+@@ -2178,12 +2185,12 @@ static void drm_dp_get_one_sb_msg(struct
+ replyblock, len);
+ if (ret != len) {
+ DRM_DEBUG_KMS("failed to read DPCD down rep %d %d\n", len, ret);
+- return;
++ return false;
+ }
+ ret = drm_dp_sideband_msg_build(msg, replyblock, len, true);
+ if (!ret) {
+ DRM_DEBUG_KMS("sideband msg build failed %d\n", replyblock[0]);
+- return;
++ return false;
+ }
+ replylen = msg->curchunk_len + msg->curchunk_hdrlen;
+
+@@ -2197,25 +2204,30 @@ static void drm_dp_get_one_sb_msg(struct
+ if (ret != len) {
+ DRM_DEBUG_KMS("failed to read a chunk (len %d, ret %d)\n",
+ len, ret);
+- return;
++ return false;
+ }
+
+ ret = drm_dp_sideband_msg_build(msg, replyblock, len, false);
+ if (!ret) {
+ DRM_DEBUG_KMS("failed to build sideband msg\n");
+- return;
++ return false;
+ }
+
+ curreply += len;
+ replylen -= len;
+ }
++ return true;
+ }
+
+ static int drm_dp_mst_handle_down_rep(struct drm_dp_mst_topology_mgr *mgr)
+ {
+ int ret = 0;
+
+- drm_dp_get_one_sb_msg(mgr, false);
++ if (!drm_dp_get_one_sb_msg(mgr, false)) {
++ memset(&mgr->down_rep_recv, 0,
++ sizeof(struct drm_dp_sideband_msg_rx));
++ return 0;
++ }
+
+ if (mgr->down_rep_recv.have_eomt) {
+ struct drm_dp_sideband_msg_tx *txmsg;
+@@ -2271,7 +2283,12 @@ static int drm_dp_mst_handle_down_rep(st
+ static int drm_dp_mst_handle_up_req(struct drm_dp_mst_topology_mgr *mgr)
+ {
+ int ret = 0;
+- drm_dp_get_one_sb_msg(mgr, true);
++
++ if (!drm_dp_get_one_sb_msg(mgr, true)) {
++ memset(&mgr->up_req_recv, 0,
++ sizeof(struct drm_dp_sideband_msg_rx));
++ return 0;
++ }
+
+ if (mgr->up_req_recv.have_eomt) {
+ struct drm_dp_sideband_msg_req_body msg;
--- /dev/null
+From 448421b5e93b9177c5698f0cf6f5e72d2995eeca Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Wed, 19 Jul 2017 14:43:28 +0300
+Subject: drm/mst: Fix error handling during MST sideband message reception
+
+From: Imre Deak <imre.deak@intel.com>
+
+commit 448421b5e93b9177c5698f0cf6f5e72d2995eeca upstream.
+
+Handle any error due to partial reads, timeouts etc. to avoid parsing
+uninitialized data subsequently. Also bail out if the parsing itself
+fails.
+
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Lyude <lyude@redhat.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Reviewed-by: Lyude <lyude@redhat.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20170719114330.26540-2-imre.deak@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_dp_mst_topology.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
+@@ -2195,11 +2195,17 @@ static void drm_dp_get_one_sb_msg(struct
+ ret = drm_dp_dpcd_read(mgr->aux, basereg + curreply,
+ replyblock, len);
+ if (ret != len) {
+- DRM_DEBUG_KMS("failed to read a chunk\n");
++ DRM_DEBUG_KMS("failed to read a chunk (len %d, ret %d)\n",
++ len, ret);
++ return;
+ }
++
+ ret = drm_dp_sideband_msg_build(msg, replyblock, len, false);
+- if (ret == false)
++ if (!ret) {
+ DRM_DEBUG_KMS("failed to build sideband msg\n");
++ return;
++ }
++
+ curreply += len;
+ replylen -= len;
+ }
--- /dev/null
+From 2e028c4fe12907f226b8221815f16c2486ad3aa7 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 12 Jul 2017 10:35:57 +0300
+Subject: ftrace: Fix uninitialized variable in match_records()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 2e028c4fe12907f226b8221815f16c2486ad3aa7 upstream.
+
+My static checker complains that if "func" is NULL then "clear_filter"
+is uninitialized. This seems like it could be true, although it's
+possible something subtle is happening that I haven't seen.
+
+ kernel/trace/ftrace.c:3844 match_records()
+ error: uninitialized symbol 'clear_filter'.
+
+Link: http://lkml.kernel.org/r/20170712073556.h6tkpjcdzjaozozs@mwanda
+
+Fixes: f0a3b154bd7 ("ftrace: Clarify code for mod command")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ftrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -3535,7 +3535,7 @@ match_records(struct ftrace_hash *hash,
+ int exclude_mod = 0;
+ int found = 0;
+ int ret;
+- int clear_filter;
++ int clear_filter = 0;
+
+ if (func) {
+ func_g.type = filter_parse_regex(func, len, &func_g.search,
--- /dev/null
+From 340d394a789518018f834ff70f7534fc463d3226 Mon Sep 17 00:00:00 2001
+From: Chen Hong <chenhong3@huawei.com>
+Date: Sun, 2 Jul 2017 15:11:10 -0700
+Subject: Input: i8042 - fix crash at boot time
+
+From: Chen Hong <chenhong3@huawei.com>
+
+commit 340d394a789518018f834ff70f7534fc463d3226 upstream.
+
+The driver checks port->exists twice in i8042_interrupt(), first when
+trying to assign temporary "serio" variable, and second time when deciding
+whether it should call serio_interrupt(). The value of port->exists may
+change between the 2 checks, and we may end up calling serio_interrupt()
+with a NULL pointer:
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
+IP: [<ffffffff8150feaf>] _spin_lock_irqsave+0x1f/0x40
+PGD 0
+Oops: 0002 [#1] SMP
+last sysfs file:
+CPU 0
+Modules linked in:
+
+Pid: 1, comm: swapper Not tainted 2.6.32-358.el6.x86_64 #1 QEMU Standard PC (i440FX + PIIX, 1996)
+RIP: 0010:[<ffffffff8150feaf>] [<ffffffff8150feaf>] _spin_lock_irqsave+0x1f/0x40
+RSP: 0018:ffff880028203cc0 EFLAGS: 00010082
+RAX: 0000000000010000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: 0000000000000282 RSI: 0000000000000098 RDI: 0000000000000050
+RBP: ffff880028203cc0 R08: ffff88013e79c000 R09: ffff880028203ee0
+R10: 0000000000000298 R11: 0000000000000282 R12: 0000000000000050
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000098
+FS: 0000000000000000(0000) GS:ffff880028200000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
+CR2: 0000000000000050 CR3: 0000000001a85000 CR4: 00000000001407f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Process swapper (pid: 1, threadinfo ffff88013e79c000, task ffff88013e79b500)
+Stack:
+ffff880028203d00 ffffffff813de186 ffffffffffffff02 0000000000000000
+<d> 0000000000000000 0000000000000000 0000000000000000 0000000000000098
+<d> ffff880028203d70 ffffffff813e0162 ffff880028203d20 ffffffff8103b8ac
+Call Trace:
+<IRQ>
+ [<ffffffff813de186>] serio_interrupt+0x36/0xa0
+[<ffffffff813e0162>] i8042_interrupt+0x132/0x3a0
+[<ffffffff8103b8ac>] ? kvm_clock_read+0x1c/0x20
+[<ffffffff8103b8b9>] ? kvm_clock_get_cycles+0x9/0x10
+[<ffffffff810e1640>] handle_IRQ_event+0x60/0x170
+[<ffffffff8103b154>] ? kvm_guest_apic_eoi_write+0x44/0x50
+[<ffffffff810e3d8e>] handle_edge_irq+0xde/0x180
+[<ffffffff8100de89>] handle_irq+0x49/0xa0
+[<ffffffff81516c8c>] do_IRQ+0x6c/0xf0
+[<ffffffff8100b9d3>] ret_from_intr+0x0/0x11
+[<ffffffff81076f63>] ? __do_softirq+0x73/0x1e0
+[<ffffffff8109b75b>] ? hrtimer_interrupt+0x14b/0x260
+[<ffffffff8100c1cc>] ? call_softirq+0x1c/0x30
+[<ffffffff8100de05>] ? do_softirq+0x65/0xa0
+[<ffffffff81076d95>] ? irq_exit+0x85/0x90
+[<ffffffff81516d80>] ? smp_apic_timer_interrupt+0x70/0x9b
+[<ffffffff8100bb93>] ? apic_timer_interrupt+0x13/0x20
+
+To avoid the issue let's change the second check to test whether serio is
+NULL or not.
+
+Also, let's take i8042_lock in i8042_start() and i8042_stop() instead of
+trying to be overly smart and using memory barriers.
+
+Signed-off-by: Chen Hong <chenhong3@huawei.com>
+[dtor: take lock in i8042_start()/i8042_stop()]
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/serio/i8042.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/input/serio/i8042.c
++++ b/drivers/input/serio/i8042.c
+@@ -434,8 +434,10 @@ static int i8042_start(struct serio *ser
+ {
+ struct i8042_port *port = serio->port_data;
+
++ spin_lock_irq(&i8042_lock);
+ port->exists = true;
+- mb();
++ spin_unlock_irq(&i8042_lock);
++
+ return 0;
+ }
+
+@@ -448,16 +450,20 @@ static void i8042_stop(struct serio *ser
+ {
+ struct i8042_port *port = serio->port_data;
+
++ spin_lock_irq(&i8042_lock);
+ port->exists = false;
++ port->serio = NULL;
++ spin_unlock_irq(&i8042_lock);
+
+ /*
++ * We need to make sure that interrupt handler finishes using
++ * our serio port before we return from this function.
+ * We synchronize with both AUX and KBD IRQs because there is
+ * a (very unlikely) chance that AUX IRQ is raised for KBD port
+ * and vice versa.
+ */
+ synchronize_irq(I8042_AUX_IRQ);
+ synchronize_irq(I8042_KBD_IRQ);
+- port->serio = NULL;
+ }
+
+ /*
+@@ -574,7 +580,7 @@ static irqreturn_t i8042_interrupt(int i
+
+ spin_unlock_irqrestore(&i8042_lock, flags);
+
+- if (likely(port->exists && !filtered))
++ if (likely(serio && !filtered))
+ serio_interrupt(serio, data, dfl);
+
+ out:
--- /dev/null
+From a9db101b735a9d49295326ae41f610f6da62b08c Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@imgtec.com>
+Date: Fri, 16 Jun 2017 00:06:19 +0100
+Subject: MIPS: Actually decode JALX in `__compute_return_epc_for_insn'
+
+From: Maciej W. Rozycki <macro@imgtec.com>
+
+commit a9db101b735a9d49295326ae41f610f6da62b08c upstream.
+
+Complement commit fb6883e5809c ("MIPS: microMIPS: Support handling of
+delay slots.") and actually decode the regular MIPS JALX major
+instruction opcode, the handling of which has been added with the said
+commit for EPC calculation in `__compute_return_epc_for_insn'.
+
+Fixes: fb6883e5809c ("MIPS: microMIPS: Support handling of delay slots.")
+Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16394/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/branch.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/mips/kernel/branch.c
++++ b/arch/mips/kernel/branch.c
+@@ -556,6 +556,7 @@ int __compute_return_epc_for_insn(struct
+ /*
+ * These are unconditional and in j_format.
+ */
++ case jalx_op:
+ case jal_op:
+ regs->regs[31] = regs->cp0_epc + 8;
+ case j_op:
--- /dev/null
+From 27fe2200dad2de8207a694024a7b9037dff1b280 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@imgtec.com>
+Date: Fri, 16 Jun 2017 00:15:22 +0100
+Subject: MIPS: Fix a typo: s/preset/present/ in r2-to-r6 emulation error message
+
+From: Maciej W. Rozycki <macro@imgtec.com>
+
+commit 27fe2200dad2de8207a694024a7b9037dff1b280 upstream.
+
+This is a user-visible message, so we want it to be spelled correctly.
+
+Fixes: 5f9f41c474be ("MIPS: kernel: Prepare the JR instruction for emulation on MIPS R6")
+Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16400/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/branch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/branch.c
++++ b/arch/mips/kernel/branch.c
+@@ -845,7 +845,7 @@ sigill_dsp:
+ force_sig(SIGILL, current);
+ return -EFAULT;
+ sigill_r2r6:
+- pr_info("%s: R2 branch but r2-to-r6 emulator is not preset - sending SIGILL.\n",
++ pr_info("%s: R2 branch but r2-to-r6 emulator is not present - sending SIGILL.\n",
+ current->comm);
+ force_sig(SIGILL, current);
+ return -EFAULT;
--- /dev/null
+From e5f5a5b06e51a36f6ddf31a4a485358263953a3d Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@linux-mips.org>
+Date: Sat, 8 Jul 2017 23:24:44 +0100
+Subject: MIPS: Fix MIPS I ISA /proc/cpuinfo reporting
+
+From: Maciej W. Rozycki <macro@linux-mips.org>
+
+commit e5f5a5b06e51a36f6ddf31a4a485358263953a3d upstream.
+
+Correct a commit 515a6393dbac ("MIPS: kernel: proc: Add MIPS R6 support
+to /proc/cpuinfo") regression that caused MIPS I systems to show no ISA
+levels supported in /proc/cpuinfo, e.g.:
+
+system type : Digital DECstation 2100/3100
+machine : Unknown
+processor : 0
+cpu model : R3000 V2.0 FPU V2.0
+BogoMIPS : 10.69
+wait instruction : no
+microsecond timers : no
+tlb_entries : 64
+extra interrupt vector : no
+hardware watchpoint : no
+isa :
+ASEs implemented :
+shadow register sets : 1
+kscratch registers : 0
+package : 0
+core : 0
+VCED exceptions : not available
+VCEI exceptions : not available
+
+and similarly exclude `mips1' from the ISA list for any processors below
+MIPSr1. This is because the condition to show `mips1' on has been made
+`cpu_has_mips_r1' rather than newly-introduced `cpu_has_mips_1'. Use
+the correct condition then.
+
+Fixes: 515a6393dbac ("MIPS: kernel: proc: Add MIPS R6 support to /proc/cpuinfo")
+Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
+Reviewed-by: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16758/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/proc.c
++++ b/arch/mips/kernel/proc.c
+@@ -83,7 +83,7 @@ static int show_cpuinfo(struct seq_file
+ }
+
+ seq_printf(m, "isa\t\t\t:");
+- if (cpu_has_mips_r1)
++ if (cpu_has_mips_1)
+ seq_printf(m, " mips1");
+ if (cpu_has_mips_2)
+ seq_printf(m, "%s", " mips2");
--- /dev/null
+From 2ec420b26f7b6ff332393f0bb5a7d245f7ad87f0 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Wed, 31 May 2017 16:19:47 +0100
+Subject: MIPS: Fix mips_atomic_set() retry condition
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 2ec420b26f7b6ff332393f0bb5a7d245f7ad87f0 upstream.
+
+The inline asm retry check in the MIPS_ATOMIC_SET operation of the
+sysmips system call has been backwards since commit f1e39a4a616c ("MIPS:
+Rewrite sysmips(MIPS_ATOMIC_SET, ...) in C with inline assembler")
+merged in v2.6.32, resulting in the non R10000_LLSC_WAR case retrying
+until the operation was inatomic, before returning the new value that
+was probably just written multiple times instead of the old value.
+
+Invert the branch condition to fix that particular issue.
+
+Fixes: f1e39a4a616c ("MIPS: Rewrite sysmips(MIPS_ATOMIC_SET, ...) in C with inline assembler")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16148/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/syscall.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/syscall.c
++++ b/arch/mips/kernel/syscall.c
+@@ -141,7 +141,7 @@ static inline int mips_atomic_set(unsign
+ "1: ll %[old], (%[addr]) \n"
+ " move %[tmp], %[new] \n"
+ "2: sc %[tmp], (%[addr]) \n"
+- " bnez %[tmp], 4f \n"
++ " beqz %[tmp], 4f \n"
+ "3: \n"
+ " .insn \n"
+ " .subsection 2 \n"
--- /dev/null
+From 4915e1b043d6286928207b1f6968197b50407294 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Wed, 31 May 2017 16:19:49 +0100
+Subject: MIPS: Fix mips_atomic_set() with EVA
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 4915e1b043d6286928207b1f6968197b50407294 upstream.
+
+EVA linked loads (LLE) and conditional stores (SCE) should be used on
+EVA kernels for the MIPS_ATOMIC_SET operation of the sysmips system
+call, or else the atomic set will apply to the kernel view of the
+virtual address space (potentially unmapped on EVA kernels) rather than
+the user view (TLB mapped).
+
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16151/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/syscall.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/kernel/syscall.c
++++ b/arch/mips/kernel/syscall.c
+@@ -28,6 +28,7 @@
+ #include <linux/elf.h>
+
+ #include <asm/asm.h>
++#include <asm/asm-eva.h>
+ #include <asm/branch.h>
+ #include <asm/cachectl.h>
+ #include <asm/cacheflush.h>
+@@ -138,9 +139,11 @@ static inline int mips_atomic_set(unsign
+ __asm__ __volatile__ (
+ " .set "MIPS_ISA_ARCH_LEVEL" \n"
+ " li %[err], 0 \n"
+- "1: ll %[old], (%[addr]) \n"
++ "1: \n"
++ user_ll("%[old]", "(%[addr])")
+ " move %[tmp], %[new] \n"
+- "2: sc %[tmp], (%[addr]) \n"
++ "2: \n"
++ user_sc("%[tmp]", "(%[addr])")
+ " beqz %[tmp], 4f \n"
+ "3: \n"
+ " .insn \n"
--- /dev/null
+From 11a3799dbeb620bf0400b1fda5cc2c6bea55f20a Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@imgtec.com>
+Date: Fri, 16 Jun 2017 00:07:34 +0100
+Subject: MIPS: Fix unaligned PC interpretation in `compute_return_epc'
+
+From: Maciej W. Rozycki <macro@imgtec.com>
+
+commit 11a3799dbeb620bf0400b1fda5cc2c6bea55f20a upstream.
+
+Fix a regression introduced with commit fb6883e5809c ("MIPS: microMIPS:
+Support handling of delay slots.") and defer to `__compute_return_epc'
+if the ISA bit is set in EPC with non-MIPS16, non-microMIPS hardware,
+which will then arrange for a SIGBUS due to an unaligned instruction
+reference. Returning EPC here is never correct as the API defines this
+function's result to be either a negative error code on failure or one
+of 0 and BRANCH_LIKELY_TAKEN on success.
+
+Fixes: fb6883e5809c ("MIPS: microMIPS: Support handling of delay slots.")
+Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16395/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/branch.h | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/arch/mips/include/asm/branch.h
++++ b/arch/mips/include/asm/branch.h
+@@ -74,10 +74,7 @@ static inline int compute_return_epc(str
+ return __microMIPS_compute_return_epc(regs);
+ if (cpu_has_mips16)
+ return __MIPS16e_compute_return_epc(regs);
+- return regs->cp0_epc;
+- }
+-
+- if (!delay_slot(regs)) {
++ } else if (!delay_slot(regs)) {
+ regs->cp0_epc += 4;
+ return 0;
+ }
--- /dev/null
+From 13769ebad0c42738831787e27c7c7f982e7da579 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@imgtec.com>
+Date: Fri, 16 Jun 2017 00:05:08 +0100
+Subject: MIPS: math-emu: Prevent wrong ISA mode instruction emulation
+
+From: Maciej W. Rozycki <macro@imgtec.com>
+
+commit 13769ebad0c42738831787e27c7c7f982e7da579 upstream.
+
+Terminate FPU emulation immediately whenever an ISA mode switch has been
+observed. This is so that we do not interpret machine code in the wrong
+mode, for example when a regular MIPS FPU instruction has been placed in
+a delay slot of a jump that switches into the MIPS16 mode, as with the
+following code (taken from a GCC test suite case):
+
+00400650 <set_fast_math>:
+ 400650: 3c020100 lui v0,0x100
+ 400654: 03e00008 jr ra
+ 400658: 44c2f800 ctc1 v0,c1_fcsr
+ 40065c: 00000000 nop
+
+[...]
+
+004012d0 <__libc_csu_init>:
+ 4012d0: f000 6a02 li v0,2
+ 4012d4: f150 0b1c la v1,3f9430 <_DYNAMIC-0x6df0>
+ 4012d8: f400 3240 sll v0,16
+ 4012dc: e269 addu v0,v1
+ 4012de: 659a move gp,v0
+ 4012e0: f00c 64f6 save a0-a2,48,ra,s0-s1
+ 4012e4: 673c move s1,gp
+ 4012e6: f010 9978 lw v1,-32744(s1)
+ 4012ea: d204 sw v0,16(sp)
+ 4012ec: eb40 jalr v1
+ 4012ee: 653b move t9,v1
+ 4012f0: f010 997c lw v1,-32740(s1)
+ 4012f4: f030 9920 lw s1,-32736(s1)
+ 4012f8: e32f subu v1,s1
+ 4012fa: 326b sra v0,v1,2
+ 4012fc: d206 sw v0,24(sp)
+ 4012fe: 220c beqz v0,401318 <__libc_csu_init+0x48>
+ 401300: 6800 li s0,0
+ 401302: 99e0 lw a3,0(s1)
+ 401304: 4801 addiu s0,1
+ 401306: 960e lw a2,56(sp)
+ 401308: 4904 addiu s1,4
+ 40130a: 950d lw a1,52(sp)
+ 40130c: 940c lw a0,48(sp)
+ 40130e: ef40 jalr a3
+ 401310: 653f move t9,a3
+ 401312: 9206 lw v0,24(sp)
+ 401314: ea0a cmp v0,s0
+ 401316: 61f5 btnez 401302 <__libc_csu_init+0x32>
+ 401318: 6476 restore 48,ra,s0-s1
+ 40131a: e8a0 jrc ra
+
+Here `set_fast_math' is called from `40130e' (`40130f' with the ISA bit)
+and emulation triggers for the CTC1 instruction. As it is in a jump
+delay slot emulation continues from `401312' (`401313' with the ISA
+bit). However we have no path to handle MIPS16 FPU code emulation,
+because there are no MIPS16 FPU instructions. So the default emulation
+path is taken, interpreting a 32-bit word fetched by `get_user' from
+`401313' as a regular MIPS instruction, which is:
+
+ 401313: f5ea0a92 sdc1 $f10,2706(t7)
+
+This makes the FPU emulator proceed with the supposed SDC1 instruction
+and consequently makes the program considered here terminate with
+SIGSEGV.
+
+A similar although less severe issue exists with pure-microMIPS
+processors in the case where similarly an FPU instruction is emulated in
+a delay slot of a register jump that (incorrectly) switches into the
+regular MIPS mode. A subsequent instruction fetch from the jump's
+target is supposed to cause an Address Error exception, however instead
+we proceed with regular MIPS FPU emulation.
+
+For simplicity then, always terminate the emulation loop whenever a mode
+change is detected, denoted by an ISA mode bit flip. As from commit
+377cb1b6c16a ("MIPS: Disable MIPS16/microMIPS crap for platforms not
+supporting these ASEs.") the result of `get_isa16_mode' can be hardcoded
+to 0, so we need to examine the ISA mode bit by hand.
+
+This complements commit 102cedc32a6e ("MIPS: microMIPS: Floating point
+support.") which added JALX decoding to FPU emulation.
+
+Fixes: 102cedc32a6e ("MIPS: microMIPS: Floating point support.")
+Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16393/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/math-emu/cp1emu.c | 38 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 38 insertions(+)
+
+--- a/arch/mips/math-emu/cp1emu.c
++++ b/arch/mips/math-emu/cp1emu.c
+@@ -2496,6 +2496,35 @@ dcopuop:
+ return 0;
+ }
+
++/*
++ * Emulate FPU instructions.
++ *
++ * If we use FPU hardware, then we have been typically called to handle
++ * an unimplemented operation, such as where an operand is a NaN or
++ * denormalized. In that case exit the emulation loop after a single
++ * iteration so as to let hardware execute any subsequent instructions.
++ *
++ * If we have no FPU hardware or it has been disabled, then continue
++ * emulating floating-point instructions until one of these conditions
++ * has occurred:
++ *
++ * - a non-FPU instruction has been encountered,
++ *
++ * - an attempt to emulate has ended with a signal,
++ *
++ * - the ISA mode has been switched.
++ *
++ * We need to terminate the emulation loop if we got switched to the
++ * MIPS16 mode, whether supported or not, so that we do not attempt
++ * to emulate a MIPS16 instruction as a regular MIPS FPU instruction.
++ * Similarly if we got switched to the microMIPS mode and only the
++ * regular MIPS mode is supported, so that we do not attempt to emulate
++ * a microMIPS instruction as a regular MIPS FPU instruction. Or if
++ * we got switched to the regular MIPS mode and only the microMIPS mode
++ * is supported, so that we do not attempt to emulate a regular MIPS
++ * instruction that should cause an Address Error exception instead.
++ * For simplicity we always terminate upon an ISA mode switch.
++ */
+ int fpu_emulator_cop1Handler(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
+ int has_fpu, void *__user *fault_addr)
+ {
+@@ -2581,6 +2610,15 @@ int fpu_emulator_cop1Handler(struct pt_r
+ break;
+ if (sig)
+ break;
++ /*
++ * We have to check for the ISA bit explicitly here,
++ * because `get_isa16_mode' may return 0 if support
++ * for code compression has been globally disabled,
++ * or otherwise we may produce the wrong signal or
++ * even proceed successfully where we must not.
++ */
++ if ((xcp->cp0_epc ^ prevepc) & 0x1)
++ break;
+
+ cond_resched();
+ } while (xcp->cp0_epc > prevepc);
--- /dev/null
+From 4f32a39d49b25eaa66d2420f1f03d371ea4cd906 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Thu, 29 Jun 2017 10:12:34 +0100
+Subject: MIPS: Negate error syscall return in trace
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 4f32a39d49b25eaa66d2420f1f03d371ea4cd906 upstream.
+
+The sys_exit trace event takes a single return value for the system
+call, which MIPS passes the value of the $v0 (result) register, however
+MIPS returns positive error codes in $v0 with $a3 specifying that $v0
+contains an error code. As a result erroring system calls are traced
+returning positive error numbers that can't always be distinguished from
+success.
+
+Use regs_return_value() to negate the error code if $a3 is set.
+
+Fixes: 1d7bf993e073 ("MIPS: ftrace: Add support for syscall tracepoints.")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16651/
+Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/ptrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -927,7 +927,7 @@ asmlinkage void syscall_trace_leave(stru
+ audit_syscall_exit(regs);
+
+ if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
+- trace_sys_exit(regs, regs->regs[2]);
++ trace_sys_exit(regs, regs_return_value(regs));
+
+ if (test_thread_flag(TIF_SYSCALL_TRACE))
+ tracehook_report_syscall_exit(regs, 0);
--- /dev/null
+From 1f4edde422961397cf4470b347958c13c6a740bb Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@imgtec.com>
+Date: Fri, 16 Jun 2017 00:09:23 +0100
+Subject: MIPS: Rename `sigill_r6' to `sigill_r2r6' in `__compute_return_epc_for_insn'
+
+From: Maciej W. Rozycki <macro@imgtec.com>
+
+commit 1f4edde422961397cf4470b347958c13c6a740bb upstream.
+
+Use the more accurate `sigill_r2r6' name for the label used in the case
+of sending SIGILL in the absence of the instruction emulator for an
+earlier ISA level instruction that has been removed as from the R6 ISA,
+so that the `sigill_r6' name is freed for the situation where an R6
+instruction is not supposed to be interpreted, because the executing
+processor does not support the R6 ISA.
+
+Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16397/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/branch.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/arch/mips/kernel/branch.c
++++ b/arch/mips/kernel/branch.c
+@@ -431,7 +431,7 @@ int __compute_return_epc_for_insn(struct
+ /* Fall through */
+ case jr_op:
+ if (NO_R6EMU && insn.r_format.func == jr_op)
+- goto sigill_r6;
++ goto sigill_r2r6;
+ regs->cp0_epc = regs->regs[insn.r_format.rs];
+ break;
+ }
+@@ -446,7 +446,7 @@ int __compute_return_epc_for_insn(struct
+ switch (insn.i_format.rt) {
+ case bltzl_op:
+ if (NO_R6EMU)
+- goto sigill_r6;
++ goto sigill_r2r6;
+ case bltz_op:
+ if ((long)regs->regs[insn.i_format.rs] < 0) {
+ epc = epc + 4 + (insn.i_format.simmediate << 2);
+@@ -459,7 +459,7 @@ int __compute_return_epc_for_insn(struct
+
+ case bgezl_op:
+ if (NO_R6EMU)
+- goto sigill_r6;
++ goto sigill_r2r6;
+ case bgez_op:
+ if ((long)regs->regs[insn.i_format.rs] >= 0) {
+ epc = epc + 4 + (insn.i_format.simmediate << 2);
+@@ -574,7 +574,7 @@ int __compute_return_epc_for_insn(struct
+ */
+ case beql_op:
+ if (NO_R6EMU)
+- goto sigill_r6;
++ goto sigill_r2r6;
+ case beq_op:
+ if (regs->regs[insn.i_format.rs] ==
+ regs->regs[insn.i_format.rt]) {
+@@ -588,7 +588,7 @@ int __compute_return_epc_for_insn(struct
+
+ case bnel_op:
+ if (NO_R6EMU)
+- goto sigill_r6;
++ goto sigill_r2r6;
+ case bne_op:
+ if (regs->regs[insn.i_format.rs] !=
+ regs->regs[insn.i_format.rt]) {
+@@ -602,7 +602,7 @@ int __compute_return_epc_for_insn(struct
+
+ case blezl_op: /* not really i_format */
+ if (!insn.i_format.rt && NO_R6EMU)
+- goto sigill_r6;
++ goto sigill_r2r6;
+ case blez_op:
+ /*
+ * Compact branches for R6 for the
+@@ -637,7 +637,7 @@ int __compute_return_epc_for_insn(struct
+
+ case bgtzl_op:
+ if (!insn.i_format.rt && NO_R6EMU)
+- goto sigill_r6;
++ goto sigill_r2r6;
+ case bgtz_op:
+ /*
+ * Compact branches for R6 for the
+@@ -848,7 +848,7 @@ sigill_dsp:
+ current->comm);
+ force_sig(SIGILL, current);
+ return -EFAULT;
+-sigill_r6:
++sigill_r2r6:
+ pr_info("%s: R2 branch but r2-to-r6 emulator is not preset - sending SIGILL.\n",
+ current->comm);
+ force_sig(SIGILL, current);
--- /dev/null
+From 49955d84cd9ccdca5a16a495e448e1a06fad9e49 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Wed, 31 May 2017 16:19:48 +0100
+Subject: MIPS: Save static registers before sysmips
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 49955d84cd9ccdca5a16a495e448e1a06fad9e49 upstream.
+
+The MIPS sysmips system call handler may return directly from the
+MIPS_ATOMIC_SET case (mips_atomic_set()) to syscall_exit. This path
+restores the static (callee saved) registers, however they won't have
+been saved on entry to the system call.
+
+Use the save_static_function() macro to create a __sys_sysmips wrapper
+function which saves the static registers before calling sys_sysmips, so
+that the correct static register state is restored by syscall_exit.
+
+Fixes: f1e39a4a616c ("MIPS: Rewrite sysmips(MIPS_ATOMIC_SET, ...) in C with inline assembler")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16149/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/scall32-o32.S | 2 +-
+ arch/mips/kernel/scall64-64.S | 2 +-
+ arch/mips/kernel/scall64-n32.S | 2 +-
+ arch/mips/kernel/scall64-o32.S | 2 +-
+ arch/mips/kernel/syscall.c | 6 ++++++
+ 5 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/arch/mips/kernel/scall32-o32.S
++++ b/arch/mips/kernel/scall32-o32.S
+@@ -372,7 +372,7 @@ EXPORT(sys_call_table)
+ PTR sys_writev
+ PTR sys_cacheflush
+ PTR sys_cachectl
+- PTR sys_sysmips
++ PTR __sys_sysmips
+ PTR sys_ni_syscall /* 4150 */
+ PTR sys_getsid
+ PTR sys_fdatasync
+--- a/arch/mips/kernel/scall64-64.S
++++ b/arch/mips/kernel/scall64-64.S
+@@ -312,7 +312,7 @@ EXPORT(sys_call_table)
+ PTR sys_sched_getaffinity
+ PTR sys_cacheflush
+ PTR sys_cachectl
+- PTR sys_sysmips
++ PTR __sys_sysmips
+ PTR sys_io_setup /* 5200 */
+ PTR sys_io_destroy
+ PTR sys_io_getevents
+--- a/arch/mips/kernel/scall64-n32.S
++++ b/arch/mips/kernel/scall64-n32.S
+@@ -298,7 +298,7 @@ EXPORT(sysn32_call_table)
+ PTR compat_sys_sched_getaffinity
+ PTR sys_cacheflush
+ PTR sys_cachectl
+- PTR sys_sysmips
++ PTR __sys_sysmips
+ PTR compat_sys_io_setup /* 6200 */
+ PTR sys_io_destroy
+ PTR compat_sys_io_getevents
+--- a/arch/mips/kernel/scall64-o32.S
++++ b/arch/mips/kernel/scall64-o32.S
+@@ -367,7 +367,7 @@ EXPORT(sys32_call_table)
+ PTR compat_sys_writev
+ PTR sys_cacheflush
+ PTR sys_cachectl
+- PTR sys_sysmips
++ PTR __sys_sysmips
+ PTR sys_ni_syscall /* 4150 */
+ PTR sys_getsid
+ PTR sys_fdatasync
+--- a/arch/mips/kernel/syscall.c
++++ b/arch/mips/kernel/syscall.c
+@@ -202,6 +202,12 @@ static inline int mips_atomic_set(unsign
+ unreachable();
+ }
+
++/*
++ * mips_atomic_set() normally returns directly via syscall_exit potentially
++ * clobbering static registers, so be sure to preserve them.
++ */
++save_static_function(sys_sysmips);
++
+ SYSCALL_DEFINE3(sysmips, long, cmd, long, arg1, long, arg2)
+ {
+ switch (cmd) {
--- /dev/null
+From 7b82c1058ac1f8f8b9f2b8786b1f710a57a870a8 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@imgtec.com>
+Date: Fri, 16 Jun 2017 00:08:29 +0100
+Subject: MIPS: Send SIGILL for BPOSGE32 in `__compute_return_epc_for_insn'
+
+From: Maciej W. Rozycki <macro@imgtec.com>
+
+commit 7b82c1058ac1f8f8b9f2b8786b1f710a57a870a8 upstream.
+
+Fix commit e50c0a8fa60d ("Support the MIPS32 / MIPS64 DSP ASE.") and
+send SIGILL rather than SIGBUS whenever an unimplemented BPOSGE32 DSP
+ASE instruction has been encountered in `__compute_return_epc_for_insn'
+as our Reserved Instruction exception handler would in response to an
+attempt to actually execute the instruction. Sending SIGBUS only makes
+sense for the unaligned PC case, since moved to `__compute_return_epc'.
+Adjust function documentation accordingly, correct formatting and use
+`pr_info' rather than `printk' as the other exit path already does.
+
+Fixes: e50c0a8fa60d ("Support the MIPS32 / MIPS64 DSP ASE.")
+Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16396/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/branch.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/mips/kernel/branch.c
++++ b/arch/mips/kernel/branch.c
+@@ -399,7 +399,7 @@ int __MIPS16e_compute_return_epc(struct
+ *
+ * @regs: Pointer to pt_regs
+ * @insn: branch instruction to decode
+- * @returns: -EFAULT on error and forces SIGBUS, and on success
++ * @returns: -EFAULT on error and forces SIGILL, and on success
+ * returns 0 or BRANCH_LIKELY_TAKEN as appropriate after
+ * evaluating the branch.
+ *
+@@ -844,8 +844,9 @@ int __compute_return_epc_for_insn(struct
+ return ret;
+
+ sigill_dsp:
+- printk("%s: DSP branch but not DSP ASE - sending SIGBUS.\n", current->comm);
+- force_sig(SIGBUS, current);
++ pr_info("%s: DSP branch but not DSP ASE - sending SIGILL.\n",
++ current->comm);
++ force_sig(SIGILL, current);
+ return -EFAULT;
+ sigill_r6:
+ pr_info("%s: R2 branch but r2-to-r6 emulator is not preset - sending SIGILL.\n",
--- /dev/null
+From fef40be6da856afead4177aaa9d869a66fb3381f Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@imgtec.com>
+Date: Fri, 16 Jun 2017 00:12:53 +0100
+Subject: MIPS: Send SIGILL for linked branches in `__compute_return_epc_for_insn'
+
+From: Maciej W. Rozycki <macro@imgtec.com>
+
+commit fef40be6da856afead4177aaa9d869a66fb3381f upstream.
+
+Fix commit 319824eabc3f ("MIPS: kernel: branch: Do not emulate the
+branch likelies on MIPS R6") and also send SIGILL rather than returning
+-SIGILL for BLTZAL, BLTZALL, BGEZAL and BGEZALL instruction encodings no
+longer supported in R6, except where emulated. Returning -SIGILL is
+never correct as the API defines this function's result upon error to be
+-EFAULT and a signal actually issued.
+
+Fixes: 319824eabc3f ("MIPS: kernel: branch: Do not emulate the branch likelies on MIPS R6")
+Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16398/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/branch.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+--- a/arch/mips/kernel/branch.c
++++ b/arch/mips/kernel/branch.c
+@@ -473,10 +473,8 @@ int __compute_return_epc_for_insn(struct
+ case bltzal_op:
+ case bltzall_op:
+ if (NO_R6EMU && (insn.i_format.rs ||
+- insn.i_format.rt == bltzall_op)) {
+- ret = -SIGILL;
+- break;
+- }
++ insn.i_format.rt == bltzall_op))
++ goto sigill_r2r6;
+ regs->regs[31] = epc + 8;
+ /*
+ * OK we are here either because we hit a NAL
+@@ -507,10 +505,8 @@ int __compute_return_epc_for_insn(struct
+ case bgezal_op:
+ case bgezall_op:
+ if (NO_R6EMU && (insn.i_format.rs ||
+- insn.i_format.rt == bgezall_op)) {
+- ret = -SIGILL;
+- break;
+- }
++ insn.i_format.rt == bgezall_op))
++ goto sigill_r2r6;
+ regs->regs[31] = epc + 8;
+ /*
+ * OK we are here either because we hit a BAL
--- /dev/null
+From cc89684c9a265828ce061037f1f79f4a68ccd3f7 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Wed, 5 Jul 2017 12:22:20 +1000
+Subject: NFS: only invalidate dentrys that are clearly invalid.
+
+From: NeilBrown <neilb@suse.com>
+
+commit cc89684c9a265828ce061037f1f79f4a68ccd3f7 upstream.
+
+Since commit bafc9b754f75 ("vfs: More precise tests in d_invalidate")
+in v3.18, a return of '0' from ->d_revalidate() will cause the dentry
+to be invalidated even if it has filesystems mounted on or it or on a
+descendant. The mounted filesystem is unmounted.
+
+This means we need to be careful not to return 0 unless the directory
+referred to truly is invalid. So -ESTALE or -ENOENT should invalidate
+the directory. Other errors such a -EPERM or -ERESTARTSYS should be
+returned from ->d_revalidate() so they are propagated to the caller.
+
+A particular problem can be demonstrated by:
+
+1/ mount an NFS filesystem using NFSv3 on /mnt
+2/ mount any other filesystem on /mnt/foo
+3/ ls /mnt/foo
+4/ turn off network, or otherwise make the server unable to respond
+5/ ls /mnt/foo &
+6/ cat /proc/$!/stack # note that nfs_lookup_revalidate is in the call stack
+7/ kill -9 $! # this results in -ERESTARTSYS being returned
+8/ observe that /mnt/foo has been unmounted.
+
+This patch changes nfs_lookup_revalidate() to only treat
+ -ESTALE from nfs_lookup_verify_inode() and
+ -ESTALE or -ENOENT from ->lookup()
+as indicating an invalid inode. Other errors are returned.
+
+Also nfs_check_inode_attributes() is changed to return -ESTALE rather
+than -EIO. This is consistent with the error returned in similar
+circumstances from nfs_update_inode().
+
+As this bug allows any user to unmount a filesystem mounted on an NFS
+filesystem, this fix is suitable for stable kernels.
+
+Fixes: bafc9b754f75 ("vfs: More precise tests in d_invalidate")
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/dir.c | 12 ++++++++----
+ fs/nfs/inode.c | 4 ++--
+ 2 files changed, 10 insertions(+), 6 deletions(-)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1135,11 +1135,13 @@ static int nfs_lookup_revalidate(struct
+ /* Force a full look up iff the parent directory has changed */
+ if (!nfs_is_exclusive_create(dir, flags) &&
+ nfs_check_verifier(dir, dentry, flags & LOOKUP_RCU)) {
+-
+- if (nfs_lookup_verify_inode(inode, flags)) {
++ error = nfs_lookup_verify_inode(inode, flags);
++ if (error) {
+ if (flags & LOOKUP_RCU)
+ return -ECHILD;
+- goto out_zap_parent;
++ if (error == -ESTALE)
++ goto out_zap_parent;
++ goto out_error;
+ }
+ goto out_valid;
+ }
+@@ -1163,8 +1165,10 @@ static int nfs_lookup_revalidate(struct
+ trace_nfs_lookup_revalidate_enter(dir, dentry, flags);
+ error = NFS_PROTO(dir)->lookup(dir, &dentry->d_name, fhandle, fattr, label);
+ trace_nfs_lookup_revalidate_exit(dir, dentry, flags, error);
+- if (error)
++ if (error == -ESTALE || error == -ENOENT)
+ goto out_bad;
++ if (error)
++ goto out_error;
+ if (nfs_compare_fh(NFS_FH(inode), fhandle))
+ goto out_bad;
+ if ((error = nfs_refresh_inode(inode, fattr)) != 0)
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -1241,9 +1241,9 @@ static int nfs_check_inode_attributes(st
+ return 0;
+ /* Has the inode gone and changed behind our back? */
+ if ((fattr->valid & NFS_ATTR_FATTR_FILEID) && nfsi->fileid != fattr->fileid)
+- return -EIO;
++ return -ESTALE;
+ if ((fattr->valid & NFS_ATTR_FATTR_TYPE) && (inode->i_mode & S_IFMT) != (fattr->mode & S_IFMT))
+- return -EIO;
++ return -ESTALE;
+
+ if ((fattr->valid & NFS_ATTR_FATTR_CHANGE) != 0 &&
+ inode->i_version != fattr->change_attr)
--- /dev/null
+From 80f62589fa52f530cffc50e78c0b5a2ae572d61e Mon Sep 17 00:00:00 2001
+From: Jin Yao <yao.jin@linux.intel.com>
+Date: Thu, 8 Jun 2017 14:01:44 +0800
+Subject: perf annotate: Fix broken arrow at row 0 connecting jmp instruction to its target
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jin Yao <yao.jin@linux.intel.com>
+
+commit 80f62589fa52f530cffc50e78c0b5a2ae572d61e upstream.
+
+When the jump instruction is displayed at the row 0 in annotate view,
+the arrow is broken. An example:
+
+ 16.86 │ ┌──je 82
+ 0.01 │ movsd (%rsp),%xmm0
+ │ movsd 0x8(%rsp),%xmm4
+ │ movsd 0x8(%rsp),%xmm1
+ │ movsd (%rsp),%xmm3
+ │ divsd %xmm4,%xmm0
+ │ divsd %xmm3,%xmm1
+ │ movsd (%rsp),%xmm2
+ │ addsd %xmm1,%xmm0
+ │ addsd %xmm2,%xmm0
+ │ movsd %xmm0,(%rsp)
+ │82: sub $0x1,%ebx
+ 83.03 │ ↑ jne 38
+ │ add $0x10,%rsp
+ │ xor %eax,%eax
+ │ pop %rbx
+ │ ← retq
+
+The patch increments the row number before checking with 0.
+
+Signed-off-by: Yao Jin <yao.jin@linux.intel.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Fixes: 944e1abed9e1 ("perf ui browser: Add method to draw up/down arrow line")
+Link: http://lkml.kernel.org/r/1496901704-30275-1-git-send-email-yao.jin@linux.intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/ui/browser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/ui/browser.c
++++ b/tools/perf/ui/browser.c
+@@ -702,7 +702,7 @@ static void __ui_browser__line_arrow_dow
+ ui_browser__gotorc(browser, row, column + 1);
+ SLsmg_draw_hline(2);
+
+- if (row++ == 0)
++ if (++row == 0)
+ goto out;
+ } else
+ row = 0;
--- /dev/null
+From a62ab66b13a0f9bcb17b7b761f6670941ed5cd62 Mon Sep 17 00:00:00 2001
+From: "Ismail, Mustafa" <mustafa.ismail@intel.com>
+Date: Fri, 14 Jul 2017 09:41:31 -0500
+Subject: RDMA/core: Initialize port_num in qp_attr
+
+From: Ismail, Mustafa <mustafa.ismail@intel.com>
+
+commit a62ab66b13a0f9bcb17b7b761f6670941ed5cd62 upstream.
+
+Initialize the port_num for iWARP in rdma_init_qp_attr.
+
+Fixes: 5ecce4c9b17b("Check port number supplied by user verbs cmds")
+Reviewed-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Tested-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/cma.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -857,6 +857,8 @@ int rdma_init_qp_attr(struct rdma_cm_id
+ } else
+ ret = iw_cm_init_qp_attr(id_priv->cm_id.iw, qp_attr,
+ qp_attr_mask);
++ qp_attr->port_num = id_priv->id.port_num;
++ *qp_attr_mask |= IB_QP_PORT;
+ } else
+ ret = -ENOSYS;
+
--- /dev/null
+From 6a8a75f3235724c5941a33e287b2f98966ad14c5 Mon Sep 17 00:00:00 2001
+From: Ingo Molnar <mingo@kernel.org>
+Date: Tue, 11 Jul 2017 10:56:54 +0200
+Subject: Revert "perf/core: Drop kernel samples even though :u is specified"
+
+From: Ingo Molnar <mingo@kernel.org>
+
+commit 6a8a75f3235724c5941a33e287b2f98966ad14c5 upstream.
+
+This reverts commit cc1582c231ea041fbc68861dfaf957eaf902b829.
+
+This commit introduced a regression that broke rr-project, which uses sampling
+events to receive a signal on overflow (but does not care about the contents
+of the sample). These signals are critical to the correct operation of rr.
+
+There's been some back and forth about how to fix it - but to not keep
+applications in limbo queue up a revert.
+
+Reported-by: Kyle Huey <me@kylehuey.com>
+Acked-by: Kyle Huey <me@kylehuey.com>
+Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Jin Yao <yao.jin@linux.intel.com>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Link: http://lkml.kernel.org/r/20170628105600.GC5981@leverpostej
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/core.c | 21 ---------------------
+ 1 file changed, 21 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -6410,21 +6410,6 @@ static void perf_log_itrace_start(struct
+ perf_output_end(&handle);
+ }
+
+-static bool sample_is_allowed(struct perf_event *event, struct pt_regs *regs)
+-{
+- /*
+- * Due to interrupt latency (AKA "skid"), we may enter the
+- * kernel before taking an overflow, even if the PMU is only
+- * counting user events.
+- * To avoid leaking information to userspace, we must always
+- * reject kernel samples when exclude_kernel is set.
+- */
+- if (event->attr.exclude_kernel && !user_mode(regs))
+- return false;
+-
+- return true;
+-}
+-
+ /*
+ * Generic event overflow handling, sampling.
+ */
+@@ -6472,12 +6457,6 @@ static int __perf_event_overflow(struct
+ }
+
+ /*
+- * For security, drop the skid kernel samples if necessary.
+- */
+- if (!sample_is_allowed(event, regs))
+- return ret;
+-
+- /*
+ * XXX event_limit might not quite work as expected on inherited
+ * events
+ */
ipmi-use-rcu-lock-around-call-to-intf-handlers-sender.patch
ipmi-ssif-add-missing-unlock-in-error-branch.patch
f2fs-don-t-clear-sgid-when-inheriting-acls.patch
+vfio-fix-group-release-deadlock.patch
+vfio-new-external-user-group-file-match.patch
+ftrace-fix-uninitialized-variable-in-match_records.patch
+mips-fix-mips_atomic_set-retry-condition.patch
+mips-fix-mips_atomic_set-with-eva.patch
+mips-negate-error-syscall-return-in-trace.patch
+x86-acpi-prevent-out-of-bound-access-caused-by-broken-acpi-tables.patch
+x86-ioapic-pass-the-correct-data-to-unmask_ioapic_irq.patch
+mips-fix-mips-i-isa-proc-cpuinfo-reporting.patch
+mips-save-static-registers-before-sysmips.patch
+mips-actually-decode-jalx-in-__compute_return_epc_for_insn.patch
+mips-fix-unaligned-pc-interpretation-in-compute_return_epc.patch
+mips-math-emu-prevent-wrong-isa-mode-instruction-emulation.patch
+mips-send-sigill-for-bposge32-in-__compute_return_epc_for_insn.patch
+mips-rename-sigill_r6-to-sigill_r2r6-in-__compute_return_epc_for_insn.patch
+mips-send-sigill-for-linked-branches-in-__compute_return_epc_for_insn.patch
+mips-fix-a-typo-s-preset-present-in-r2-to-r6-emulation-error-message.patch
+input-i8042-fix-crash-at-boot-time.patch
+nfs-only-invalidate-dentrys-that-are-clearly-invalid.patch
+udf-fix-deadlock-between-writeback-and-udf_setsize.patch
+target-fix-compare_and_write-caw_sem-leak-during-se_cmd-quiesce.patch
+perf-annotate-fix-broken-arrow-at-row-0-connecting-jmp-instruction-to-its-target.patch
+revert-perf-core-drop-kernel-samples-even-though-u-is-specified.patch
+staging-rtl8188eu-add-tl-wn722n-v2-support.patch
+ceph-fix-race-in-concurrent-readdir.patch
+rdma-core-initialize-port_num-in-qp_attr.patch
+drm-mst-fix-error-handling-during-mst-sideband-message-reception.patch
+drm-mst-avoid-dereferencing-a-null-mstb-in-drm_dp_mst_handle_up_req.patch
+drm-mst-avoid-processing-partially-received-up-down-message-transactions.patch
--- /dev/null
+From 5a1d4c5dd4eb2f1f8a9b30e61762f3b3b564df70 Mon Sep 17 00:00:00 2001
+From: Michael Gugino <michael.gugino.2@gmail.com>
+Date: Mon, 17 Jul 2017 13:29:09 -0400
+Subject: staging: rtl8188eu: add TL-WN722N v2 support
+
+From: Michael Gugino <michael.gugino.2@gmail.com>
+
+commit 5a1d4c5dd4eb2f1f8a9b30e61762f3b3b564df70 upstream.
+
+Add support for USB Device TP-Link TL-WN722N v2.
+VendorID: 0x2357, ProductID: 0x010c
+
+Signed-off-by: Michael Gugino <michael.gugino.2@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+@@ -47,6 +47,7 @@ static struct usb_device_id rtw_usb_id_t
+ {USB_DEVICE(0x2001, 0x330F)}, /* DLink DWA-125 REV D1 */
+ {USB_DEVICE(0x2001, 0x3310)}, /* Dlink DWA-123 REV D1 */
+ {USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */
++ {USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */
+ {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */
+ {} /* Terminating entry */
+ };
--- /dev/null
+From 1d6ef276594a781686058802996e09c8550fd767 Mon Sep 17 00:00:00 2001
+From: Jiang Yi <jiangyilism@gmail.com>
+Date: Sun, 25 Jun 2017 12:28:50 -0700
+Subject: target: Fix COMPARE_AND_WRITE caw_sem leak during se_cmd quiesce
+
+From: Jiang Yi <jiangyilism@gmail.com>
+
+commit 1d6ef276594a781686058802996e09c8550fd767 upstream.
+
+This patch addresses a COMPARE_AND_WRITE se_device->caw_sem leak,
+that would be triggered during normal se_cmd shutdown or abort
+via __transport_wait_for_tasks().
+
+This would occur because target_complete_cmd() would catch this
+early and do complete_all(&cmd->t_transport_stop_comp), but since
+target_complete_ok_work() or target_complete_failure_work() are
+never called to invoke se_cmd->transport_complete_callback(),
+the COMPARE_AND_WRITE specific callbacks never release caw_sem.
+
+To address this special case, go ahead and release caw_sem
+directly from target_complete_cmd().
+
+(Remove '&& success' from check, to release caw_sem regardless
+ of scsi_status - nab)
+
+Signed-off-by: Jiang Yi <jiangyilism@gmail.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_transport.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -728,6 +728,15 @@ void target_complete_cmd(struct se_cmd *
+ if (cmd->transport_state & CMD_T_ABORTED ||
+ cmd->transport_state & CMD_T_STOP) {
+ spin_unlock_irqrestore(&cmd->t_state_lock, flags);
++ /*
++ * If COMPARE_AND_WRITE was stopped by __transport_wait_for_tasks(),
++ * release se_device->caw_sem obtained by sbc_compare_and_write()
++ * since target_complete_ok_work() or target_complete_failure_work()
++ * won't be called to invoke the normal CAW completion callbacks.
++ */
++ if (cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) {
++ up(&dev->caw_sem);
++ }
+ complete_all(&cmd->t_transport_stop_comp);
+ return;
+ } else if (!success) {
--- /dev/null
+From f2e95355891153f66d4156bf3a142c6489cd78c6 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 13 Jun 2017 16:20:25 +0200
+Subject: udf: Fix deadlock between writeback and udf_setsize()
+
+From: Jan Kara <jack@suse.cz>
+
+commit f2e95355891153f66d4156bf3a142c6489cd78c6 upstream.
+
+udf_setsize() called truncate_setsize() with i_data_sem held. Thus
+truncate_pagecache() called from truncate_setsize() could lock a page
+under i_data_sem which can deadlock as page lock ranks below
+i_data_sem - e. g. writeback can hold page lock and try to acquire
+i_data_sem to map a block.
+
+Fix the problem by moving truncate_setsize() calls from under
+i_data_sem. It is safe for us to change i_size without holding
+i_data_sem as all the places that depend on i_size being stable already
+hold inode_lock.
+
+Fixes: 7e49b6f2480cb9a9e7322a91592e56a5c85361f5
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/udf/inode.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1235,8 +1235,8 @@ int udf_setsize(struct inode *inode, lof
+ return err;
+ }
+ set_size:
+- truncate_setsize(inode, newsize);
+ up_write(&iinfo->i_data_sem);
++ truncate_setsize(inode, newsize);
+ } else {
+ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
+ down_write(&iinfo->i_data_sem);
+@@ -1253,9 +1253,9 @@ set_size:
+ udf_get_block);
+ if (err)
+ return err;
++ truncate_setsize(inode, newsize);
+ down_write(&iinfo->i_data_sem);
+ udf_clear_extent_cache(inode);
+- truncate_setsize(inode, newsize);
+ udf_truncate_extents(inode);
+ up_write(&iinfo->i_data_sem);
+ }
--- /dev/null
+From 811642d8d8a82c0cce8dc2debfdaf23c5a144839 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Mon, 19 Jun 2017 09:10:32 -0600
+Subject: vfio: Fix group release deadlock
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit 811642d8d8a82c0cce8dc2debfdaf23c5a144839 upstream.
+
+If vfio_iommu_group_notifier() acquires a group reference and that
+reference becomes the last reference to the group, then vfio_group_put
+introduces a deadlock code path where we're trying to unregister from
+the iommu notifier chain from within a callout of that chain. Use a
+work_struct to release this reference asynchronously.
+
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Tested-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vfio/vfio.c | 37 ++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 36 insertions(+), 1 deletion(-)
+
+--- a/drivers/vfio/vfio.c
++++ b/drivers/vfio/vfio.c
+@@ -296,6 +296,34 @@ static void vfio_group_put(struct vfio_g
+ kref_put_mutex(&group->kref, vfio_group_release, &vfio.group_lock);
+ }
+
++struct vfio_group_put_work {
++ struct work_struct work;
++ struct vfio_group *group;
++};
++
++static void vfio_group_put_bg(struct work_struct *work)
++{
++ struct vfio_group_put_work *do_work;
++
++ do_work = container_of(work, struct vfio_group_put_work, work);
++
++ vfio_group_put(do_work->group);
++ kfree(do_work);
++}
++
++static void vfio_group_schedule_put(struct vfio_group *group)
++{
++ struct vfio_group_put_work *do_work;
++
++ do_work = kmalloc(sizeof(*do_work), GFP_KERNEL);
++ if (WARN_ON(!do_work))
++ return;
++
++ INIT_WORK(&do_work->work, vfio_group_put_bg);
++ do_work->group = group;
++ schedule_work(&do_work->work);
++}
++
+ /* Assume group_lock or group reference is held */
+ static void vfio_group_get(struct vfio_group *group)
+ {
+@@ -620,7 +648,14 @@ static int vfio_iommu_group_notifier(str
+ break;
+ }
+
+- vfio_group_put(group);
++ /*
++ * If we're the last reference to the group, the group will be
++ * released, which includes unregistering the iommu group notifier.
++ * We hold a read-lock on that notifier list, unregistering needs
++ * a write-lock... deadlock. Release our reference asynchronously
++ * to avoid that situation.
++ */
++ vfio_group_schedule_put(group);
+ return NOTIFY_OK;
+ }
+
--- /dev/null
+From 5d6dee80a1e94cc284d03e06d930e60e8d3ecf7d Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Wed, 28 Jun 2017 13:50:05 -0600
+Subject: vfio: New external user group/file match
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit 5d6dee80a1e94cc284d03e06d930e60e8d3ecf7d upstream.
+
+At the point where the kvm-vfio pseudo device wants to release its
+vfio group reference, we can't always acquire a new reference to make
+that happen. The group can be in a state where we wouldn't allow a
+new reference to be added. This new helper function allows a caller
+to match a file to a group to facilitate this. Given a file and
+group, report if they match. Thus the caller needs to already have a
+group reference to match to the file. This allows the deletion of a
+group without acquiring a new reference.
+
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Tested-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vfio/vfio.c | 9 +++++++++
+ include/linux/vfio.h | 2 ++
+ virt/kvm/vfio.c | 27 +++++++++++++++++++--------
+ 3 files changed, 30 insertions(+), 8 deletions(-)
+
+--- a/drivers/vfio/vfio.c
++++ b/drivers/vfio/vfio.c
+@@ -1587,6 +1587,15 @@ void vfio_group_put_external_user(struct
+ }
+ EXPORT_SYMBOL_GPL(vfio_group_put_external_user);
+
++bool vfio_external_group_match_file(struct vfio_group *test_group,
++ struct file *filep)
++{
++ struct vfio_group *group = filep->private_data;
++
++ return (filep->f_op == &vfio_group_fops) && (group == test_group);
++}
++EXPORT_SYMBOL_GPL(vfio_external_group_match_file);
++
+ int vfio_external_user_iommu_id(struct vfio_group *group)
+ {
+ return iommu_group_id(group->iommu_group);
+--- a/include/linux/vfio.h
++++ b/include/linux/vfio.h
+@@ -85,6 +85,8 @@ extern void vfio_unregister_iommu_driver
+ */
+ extern struct vfio_group *vfio_group_get_external_user(struct file *filep);
+ extern void vfio_group_put_external_user(struct vfio_group *group);
++extern bool vfio_external_group_match_file(struct vfio_group *group,
++ struct file *filep);
+ extern int vfio_external_user_iommu_id(struct vfio_group *group);
+ extern long vfio_external_check_extension(struct vfio_group *group,
+ unsigned long arg);
+--- a/virt/kvm/vfio.c
++++ b/virt/kvm/vfio.c
+@@ -47,6 +47,22 @@ static struct vfio_group *kvm_vfio_group
+ return vfio_group;
+ }
+
++static bool kvm_vfio_external_group_match_file(struct vfio_group *group,
++ struct file *filep)
++{
++ bool ret, (*fn)(struct vfio_group *, struct file *);
++
++ fn = symbol_get(vfio_external_group_match_file);
++ if (!fn)
++ return false;
++
++ ret = fn(group, filep);
++
++ symbol_put(vfio_external_group_match_file);
++
++ return ret;
++}
++
+ static void kvm_vfio_group_put_external_user(struct vfio_group *vfio_group)
+ {
+ void (*fn)(struct vfio_group *);
+@@ -171,18 +187,13 @@ static int kvm_vfio_set_group(struct kvm
+ if (!f.file)
+ return -EBADF;
+
+- vfio_group = kvm_vfio_group_get_external_user(f.file);
+- fdput(f);
+-
+- if (IS_ERR(vfio_group))
+- return PTR_ERR(vfio_group);
+-
+ ret = -ENOENT;
+
+ mutex_lock(&kv->lock);
+
+ list_for_each_entry(kvg, &kv->group_list, node) {
+- if (kvg->vfio_group != vfio_group)
++ if (!kvm_vfio_external_group_match_file(kvg->vfio_group,
++ f.file))
+ continue;
+
+ list_del(&kvg->node);
+@@ -196,7 +207,7 @@ static int kvm_vfio_set_group(struct kvm
+
+ mutex_unlock(&kv->lock);
+
+- kvm_vfio_group_put_external_user(vfio_group);
++ fdput(f);
+
+ kvm_vfio_update_coherency(dev);
+
--- /dev/null
+From dad5ab0db8deac535d03e3fe3d8f2892173fa6a4 Mon Sep 17 00:00:00 2001
+From: Seunghun Han <kkamagui@gmail.com>
+Date: Tue, 18 Jul 2017 20:03:51 +0900
+Subject: x86/acpi: Prevent out of bound access caused by broken ACPI tables
+
+From: Seunghun Han <kkamagui@gmail.com>
+
+commit dad5ab0db8deac535d03e3fe3d8f2892173fa6a4 upstream.
+
+The bus_irq argument of mp_override_legacy_irq() is used as the index into
+the isa_irq_to_gsi[] array. The bus_irq argument originates from
+ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI
+tables, but is nowhere sanity checked.
+
+That allows broken or malicious ACPI tables to overwrite memory, which
+might cause malfunction, panic or arbitrary code execution.
+
+Add a sanity check and emit a warning when that triggers.
+
+[ tglx: Added warning and rewrote changelog ]
+
+Signed-off-by: Seunghun Han <kkamagui@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: security@kernel.org
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/acpi/boot.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/arch/x86/kernel/acpi/boot.c
++++ b/arch/x86/kernel/acpi/boot.c
+@@ -329,6 +329,14 @@ static void __init mp_override_legacy_ir
+ struct mpc_intsrc mp_irq;
+
+ /*
++ * Check bus_irq boundary.
++ */
++ if (bus_irq >= NR_IRQS_LEGACY) {
++ pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq);
++ return;
++ }
++
++ /*
+ * Convert 'gsi' to 'ioapic.pin'.
+ */
+ ioapic = mp_find_ioapic(gsi);
--- /dev/null
+From e708e35ba6d89ff785b225cd07dcccab04fa954a Mon Sep 17 00:00:00 2001
+From: Seunghun Han <kkamagui@gmail.com>
+Date: Tue, 18 Jul 2017 18:20:44 +0900
+Subject: x86/ioapic: Pass the correct data to unmask_ioapic_irq()
+
+From: Seunghun Han <kkamagui@gmail.com>
+
+commit e708e35ba6d89ff785b225cd07dcccab04fa954a upstream.
+
+One of the rarely executed code pathes in check_timer() calls
+unmask_ioapic_irq() passing irq_get_chip_data(0) as argument.
+
+That's wrong as unmask_ioapic_irq() expects a pointer to the irq data of
+interrupt 0. irq_get_chip_data(0) returns NULL, so the following
+dereference in unmask_ioapic_irq() causes a kernel panic.
+
+The issue went unnoticed in the first place because irq_get_chip_data()
+returns a void pointer so the compiler cannot do a type check on the
+argument. The code path was added for machines with broken configuration,
+but it seems that those machines are either not running current kernels or
+simply do not longer exist.
+
+Hand in irq_get_irq_data(0) as argument which provides the correct data.
+
+[ tglx: Rewrote changelog ]
+
+Fixes: 4467715a44cc ("x86/irq: Move irq_cfg.irq_2_pin into io_apic.c")
+Signed-off-by: Seunghun Han <kkamagui@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/1500369644-45767-1-git-send-email-kkamagui@gmail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/apic/io_apic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/apic/io_apic.c
++++ b/arch/x86/kernel/apic/io_apic.c
+@@ -2115,7 +2115,7 @@ static inline void __init check_timer(vo
+ int idx;
+ idx = find_irq_entry(apic1, pin1, mp_INT);
+ if (idx != -1 && irq_trigger(idx))
+- unmask_ioapic_irq(irq_get_chip_data(0));
++ unmask_ioapic_irq(irq_get_irq_data(0));
+ }
+ irq_domain_deactivate_irq(irq_data);
+ irq_domain_activate_irq(irq_data);
projects / thirdparty / kernel / stable-queue.git / commitdiff
