--- /dev/null
+From b03b99a329a14b7302f37c3ea6da3848db41c8c5 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Mon, 27 Mar 2017 21:53:38 -0700
+Subject: acpi, nfit, libnvdimm: fix interleave set cookie calculation (64-bit comparison)
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit b03b99a329a14b7302f37c3ea6da3848db41c8c5 upstream.
+
+While reviewing the -stable patch for commit 86ef58a4e35e "nfit,
+libnvdimm: fix interleave set cookie calculation" Ben noted:
+
+ "This is returning an int, thus it's effectively doing a 32-bit
+ comparison and not the 64-bit comparison you say is needed."
+
+Update the compare operation to be immune to this integer demotion problem.
+
+Cc: Nicholas Moulin <nicholas.w.moulin@linux.intel.com>
+Fixes: 86ef58a4e35e ("nfit, libnvdimm: fix interleave set cookie calculation")
+Reported-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/nfit/core.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -1617,7 +1617,11 @@ static int cmp_map(const void *m0, const
+ const struct nfit_set_info_map *map0 = m0;
+ const struct nfit_set_info_map *map1 = m1;
+
+- return map0->region_offset - map1->region_offset;
++ if (map0->region_offset < map1->region_offset)
++ return -1;
++ else if (map0->region_offset > map1->region_offset)
++ return 1;
++ return 0;
+ }
+
+ /* Retrieve the nth entry referencing this spa */
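Review bot: The new three-way compare in cmp_map() carries no comment saying why the obvious subtraction is wrong, so a later cleanup could reintroduce the truncation. The commit message says region_offset needs a 64-bit comparison while the function returns int, so I would add above the first `if`: `/* region_offset is 64-bit: returning the difference as int would drop the high bits */`. The `else` before the second `if` is redundant after `return -1;` and could be dropped to match the plain `return 0;` that follows. The start of cmp_map() lies outside the hunk.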
--- /dev/null
+From f406270bf73d71ea7b35ee3f7a08a44f6594c9b1 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Tue, 11 Apr 2017 00:23:42 +0200
+Subject: ACPI / scan: Set the visited flag for all enumerated devices
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit f406270bf73d71ea7b35ee3f7a08a44f6594c9b1 upstream.
+
+Commit 10c7e20b2ff3 (ACPI / scan: fix enumeration (visited) flags for
+bus rescans) attempted to fix a problem with ACPI-based enumerateion
+of I2C/SPI devices, but it forgot to ensure that the visited flag
+will be set for all of the other enumerated devices, so fix that.
+
+Fixes: 10c7e20b2ff3 (ACPI / scan: fix enumeration (visited) flags for bus rescans)
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=194885
+Reported-and-tested-by: Kevin Locke <kevin@kevinlocke.name>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/scan.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -1827,15 +1827,20 @@ static void acpi_bus_attach(struct acpi_
+ return;
+
+ device->flags.match_driver = true;
+- if (!ret) {
+- ret = device_attach(&device->dev);
+- if (ret < 0)
+- return;
+-
+- if (!ret && device->pnp.type.platform_id)
+- acpi_default_enumeration(device);
++ if (ret > 0) {
++ acpi_device_set_enumerated(device);
++ goto ok;
+ }
+
++ ret = device_attach(&device->dev);
++ if (ret < 0)
++ return;
++
++ if (ret > 0 || !device->pnp.type.platform_id)
++ acpi_device_set_enumerated(device);
++ else
++ acpi_default_enumeration(device);
++
+ ok:
+ list_for_each_entry(child, &device->children, node)
+ acpi_bus_attach(child);
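Review bot: The rewritten block after `device->flags.match_driver = true;` branches on several meanings of `ret` without naming them, and the hunk does not show where `ret` is first assigned. If, as it appears, a positive value at that point means an earlier attach step already claimed the device, a comment such as `/* ret > 0: already claimed before device_attach(), only mark it enumerated */` above the first `if` would make the flow auditable. Because `ret` is then reused for the device_attach() result, a second comment above the final `if`/`else`, `/* no driver bound and a platform ID present: fall back to default enumeration */`, would keep the two meanings apart. acpi_bus_attach() starts and ends outside the hunk.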
--- /dev/null
+From 57c1d4c33e8f7ec90976d79127059c1919cc0651 Mon Sep 17 00:00:00 2001
+From: Markus Marb <markus@marb.org>
+Date: Fri, 17 Mar 2017 23:14:47 +0100
+Subject: can: ifi: use correct register to read rx status
+
+From: Markus Marb <markus@marb.org>
+
+commit 57c1d4c33e8f7ec90976d79127059c1919cc0651 upstream.
+
+The incorrect offset was used when trying to read the RXSTCMD register.
+
+Signed-off-by: Markus Marb <markus@marb.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/ifi_canfd/ifi_canfd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/ifi_canfd/ifi_canfd.c
++++ b/drivers/net/can/ifi_canfd/ifi_canfd.c
+@@ -557,7 +557,7 @@ static int ifi_canfd_poll(struct napi_st
+ int work_done = 0;
+
+ u32 stcmd = readl(priv->base + IFI_CANFD_STCMD);
+- u32 rxstcmd = readl(priv->base + IFI_CANFD_STCMD);
++ u32 rxstcmd = readl(priv->base + IFI_CANFD_RXSTCMD);
+ u32 errctr = readl(priv->base + IFI_CANFD_ERROR_CTR);
+
+ /* Handle bus state changes */
--- /dev/null
+From c4a3fa261b16858416f1fd7db03a33d7ef5fc0b3 Mon Sep 17 00:00:00 2001
+From: Chen Yu <yu.c.chen@intel.com>
+Date: Sun, 9 Apr 2017 13:45:16 +0800
+Subject: cpufreq: Bring CPUs up even if cpufreq_online() failed
+
+From: Chen Yu <yu.c.chen@intel.com>
+
+commit c4a3fa261b16858416f1fd7db03a33d7ef5fc0b3 upstream.
+
+There is a report that after commit 27622b061eb4 ("cpufreq: Convert
+to hotplug state machine"), the normal CPU offline/online cycle
+fails on some platforms.
+
+According to the ftrace result, this problem was triggered on
+platforms using acpi-cpufreq as the default cpufreq driver,
+and due to the lack of some ACPI freq method (eg. _PCT),
+cpufreq_online() failed and returned a negative value, so the CPU
+hotplug state machine rolled back the CPU online process. Actually,
+from the user's perspective, the failure of cpufreq_online() should
+not prevent that CPU from being brought up, although cpufreq might
+not work on that CPU.
+
+BTW, during system startup cpufreq_online() is not invoked via CPU
+online but by the cpufreq device creation process, so the APs can be
+brought up even though cpufreq_online() fails in that stage.
+
+This patch ignores the return value of cpufreq_online/offline() and
+lets the cpufreq framework deal with the failure. cpufreq_online()
+itself will do a proper rollback in that case and if _PCT is missing,
+the ACPI cpufreq driver will print a warning if the corresponding
+debug options have been enabled.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=194581
+Fixes: 27622b061eb4 ("cpufreq: Convert to hotplug state machine")
+Reported-and-tested-by: Tomasz Maciej Nowak <tmn505@gmail.com>
+Signed-off-by: Chen Yu <yu.c.chen@intel.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/cpufreq.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -2404,6 +2404,20 @@ EXPORT_SYMBOL_GPL(cpufreq_boost_enabled)
+ *********************************************************************/
+ static enum cpuhp_state hp_online;
+
++static int cpuhp_cpufreq_online(unsigned int cpu)
++{
++ cpufreq_online(cpu);
++
++ return 0;
++}
++
++static int cpuhp_cpufreq_offline(unsigned int cpu)
++{
++ cpufreq_offline(cpu);
++
++ return 0;
++}
++
+ /**
+ * cpufreq_register_driver - register a CPU Frequency driver
+ * @driver_data: A struct cpufreq_driver containing the values#
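Review bot: cpuhp_cpufreq_online() and cpuhp_cpufreq_offline() discard the result of cpufreq_online() and cpufreq_offline() with no comment, which reads like a forgotten error check. The commit message explains that this is deliberate, so the code should say so, for example `/* Ignore the result: a cpufreq failure must not roll back CPU hotplug */` above each call. Since the description says the driver only warns when debug options are enabled, it may also be worth keeping the value in a local and emitting a `pr_debug()` with the CPU number, so that a CPU running without frequency scaling is visible in logs. The second hunk in this file only swaps the callbacks passed to cpuhp_setup_state_nocalls() and needs no further change.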
+@@ -2466,8 +2480,8 @@ int cpufreq_register_driver(struct cpufr
+ }
+
+ ret = cpuhp_setup_state_nocalls(CPUHP_AP_ONLINE_DYN, "cpufreq:online",
+- cpufreq_online,
+- cpufreq_offline);
++ cpuhp_cpufreq_online,
++ cpuhp_cpufreq_offline);
+ if (ret < 0)
+ goto err_if_unreg;
+ hp_online = ret;
--- /dev/null
+From 55d728a40d368ba80443be85c02e641fc9082a3f Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Tue, 4 Apr 2017 16:27:44 +0100
+Subject: efi/fb: Avoid reconfiguration of BAR that covers the framebuffer
+
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+
+commit 55d728a40d368ba80443be85c02e641fc9082a3f upstream.
+
+On UEFI systems, the PCI subsystem is enumerated by the firmware,
+and if a graphical framebuffer is exposed via a PCI device, its base
+address and size are exposed to the OS via the Graphics Output
+Protocol (GOP).
+
+On arm64 PCI systems, the entire PCI hierarchy is reconfigured from
+scratch at boot. This may result in the GOP framebuffer address to
+become stale, if the BAR covering the framebuffer is modified. This
+will cause the framebuffer to become unresponsive, and may in some
+cases result in unpredictable behavior if the range is reassigned to
+another device.
+
+So add a non-x86 quirk to the EFI fb driver to find the BAR associated
+with the GOP base address, and claim the BAR resource so that the PCI
+core will not move it.
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Peter Jones <pjones@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: leif.lindholm@linaro.org
+Cc: linux-efi@vger.kernel.org
+Cc: lorenzo.pieralisi@arm.com
+Fixes: 9822504c1fa5 ("efifb: Enable the efi-framebuffer platform driver ...")
+Link: http://lkml.kernel.org/r/20170404152744.26687-3-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/efifb.c | 66 +++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 65 insertions(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/efifb.c
++++ b/drivers/video/fbdev/efifb.c
+@@ -10,6 +10,7 @@
+ #include <linux/efi.h>
+ #include <linux/errno.h>
+ #include <linux/fb.h>
++#include <linux/pci.h>
+ #include <linux/platform_device.h>
+ #include <linux/screen_info.h>
+ #include <video/vga.h>
+@@ -118,6 +119,8 @@ static inline bool fb_base_is_valid(void
+ return false;
+ }
+
++static bool pci_dev_disabled; /* FB base matches BAR of a disabled device */
++
+ static int efifb_probe(struct platform_device *dev)
+ {
+ struct fb_info *info;
+@@ -127,7 +130,7 @@ static int efifb_probe(struct platform_d
+ unsigned int size_total;
+ char *option = NULL;
+
+- if (screen_info.orig_video_isVGA != VIDEO_TYPE_EFI)
++ if (screen_info.orig_video_isVGA != VIDEO_TYPE_EFI || pci_dev_disabled)
+ return -ENODEV;
+
+ if (fb_get_options("efifb", &option))
+@@ -327,3 +330,64 @@ static struct platform_driver efifb_driv
+ };
+
+ builtin_platform_driver(efifb_driver);
++
++#if defined(CONFIG_PCI) && !defined(CONFIG_X86)
++
++static bool pci_bar_found; /* did we find a BAR matching the efifb base? */
++
++static void claim_efifb_bar(struct pci_dev *dev, int idx)
++{
++ u16 word;
++
++ pci_bar_found = true;
++
++ pci_read_config_word(dev, PCI_COMMAND, &word);
++ if (!(word & PCI_COMMAND_MEMORY)) {
++ pci_dev_disabled = true;
++ dev_err(&dev->dev,
++ "BAR %d: assigned to efifb but device is disabled!\n",
++ idx);
++ return;
++ }
++
++ if (pci_claim_resource(dev, idx)) {
++ pci_dev_disabled = true;
++ dev_err(&dev->dev,
++ "BAR %d: failed to claim resource for efifb!\n", idx);
++ return;
++ }
++
++ dev_info(&dev->dev, "BAR %d: assigned to efifb\n", idx);
++}
++
++static void efifb_fixup_resources(struct pci_dev *dev)
++{
++ u64 base = screen_info.lfb_base;
++ u64 size = screen_info.lfb_size;
++ int i;
++
++ if (pci_bar_found || screen_info.orig_video_isVGA != VIDEO_TYPE_EFI)
++ return;
++
++ if (screen_info.capabilities & VIDEO_CAPABILITY_64BIT_BASE)
++ base |= (u64)screen_info.ext_lfb_base << 32;
++
++ if (!base)
++ return;
++
++ for (i = 0; i < PCI_STD_RESOURCE_END; i++) {
++ struct resource *res = &dev->resource[i];
++
++ if (!(res->flags & IORESOURCE_MEM))
++ continue;
++
++ if (res->start <= base && res->end >= base + size - 1) {
++ claim_efifb_bar(dev, i);
++ break;
++ }
++ }
++}
++DECLARE_PCI_FIXUP_CLASS_HEADER(PCI_ANY_ID, PCI_ANY_ID, PCI_BASE_CLASS_DISPLAY,
++ 16, efifb_fixup_resources);
++
++#endif
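Review bot: The BAR scan in efifb_fixup_resources() appears to stop one short: `for (i = 0; i < PCI_STD_RESOURCE_END; i++)` never examines the last standard BAR if, as in `<linux/pci.h>` of this era, PCI_STD_RESOURCE_END is the index of the last BAR rather than a count (worth confirming against the tree this is applied to). A framebuffer behind that BAR would not be claimed and could still be moved by the PCI core, which is the stale-address case the patch is meant to prevent; the loop should read `for (i = 0; i <= PCI_STD_RESOURCE_END; i++) {`. The containment test `res->end >= base + size - 1` is also too permissive when `screen_info.lfb_size` is 0, so a `!size` check next to `if (!base)` would be a cheap guard. In claim_efifb_bar() the return value of pci_read_config_word() is not checked before `word` is tested against PCI_COMMAND_MEMORY.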
--- /dev/null
+From 540f4c0e894f7e46a66dfa424b16424cbdc12c38 Mon Sep 17 00:00:00 2001
+From: "Cohen, Eugene" <eugene@hp.com>
+Date: Tue, 4 Apr 2017 16:27:43 +0100
+Subject: efi/libstub: Skip GOP with PIXEL_BLT_ONLY format
+
+From: Cohen, Eugene <eugene@hp.com>
+
+commit 540f4c0e894f7e46a66dfa424b16424cbdc12c38 upstream.
+
+The UEFI Specification permits Graphics Output Protocol (GOP) instances
+without direct framebuffer access. This is indicated in the Mode structure
+with a PixelFormat enumeration value of PIXEL_BLT_ONLY. Given that the
+kernel does not know how to drive a Blt() only framebuffer (which is only
+permitted before ExitBootServices() anyway), we should disregard such
+framebuffers when looking for a GOP instance that is suitable for use as
+the boot console.
+
+So modify the EFI GOP initialization to not use a PIXEL_BLT_ONLY instance,
+preventing attempts later in boot to use an invalid screen_info.lfb_base
+address.
+
+Signed-off-by: Eugene Cohen <eugene@hp.com>
+[ Moved the Blt() only check into the loop and clarified that Blt() only GOPs are unusable by the kernel. ]
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: leif.lindholm@linaro.org
+Cc: linux-efi@vger.kernel.org
+Cc: lorenzo.pieralisi@arm.com
+Fixes: 9822504c1fa5 ("efifb: Enable the efi-framebuffer platform driver ...")
+Link: http://lkml.kernel.org/r/20170404152744.26687-2-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/efi/libstub/gop.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/firmware/efi/libstub/gop.c
++++ b/drivers/firmware/efi/libstub/gop.c
+@@ -149,7 +149,8 @@ setup_gop32(efi_system_table_t *sys_tabl
+
+ status = __gop_query32(sys_table_arg, gop32, &info, &size,
+ ¤t_fb_base);
+- if (status == EFI_SUCCESS && (!first_gop || conout_found)) {
++ if (status == EFI_SUCCESS && (!first_gop || conout_found) &&
++ info->pixel_format != PIXEL_BLT_ONLY) {
+ /*
+ * Systems that use the UEFI Console Splitter may
+ * provide multiple GOP devices, not all of which are
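Review bot: The added `info->pixel_format != PIXEL_BLT_ONLY` test in setup_gop32() is not covered by the comment that follows it, which only describes the Console Splitter case; the same applies to the identical change in setup_gop64(). I would extend that comment in both places with one sentence such as `Blt()-only GOPs expose no linear framebuffer, so their base address must not end up in screen_info.`, so the reason for the skip is recorded where the check lives. Both functions and the comment continue outside the hunks.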
+@@ -266,7 +267,8 @@ setup_gop64(efi_system_table_t *sys_tabl
+
+ status = __gop_query64(sys_table_arg, gop64, &info, &size,
+ ¤t_fb_base);
+- if (status == EFI_SUCCESS && (!first_gop || conout_found)) {
++ if (status == EFI_SUCCESS && (!first_gop || conout_found) &&
++ info->pixel_format != PIXEL_BLT_ONLY) {
+ /*
+ * Systems that use the UEFI Console Splitter may
+ * provide multiple GOP devices, not all of which are
--- /dev/null
+From 82cc4fc2e70ec5baeff8f776f2773abc8b2cc0ae Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Fri, 14 Apr 2017 17:45:45 -0400
+Subject: ftrace: Fix removing of second function probe
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 82cc4fc2e70ec5baeff8f776f2773abc8b2cc0ae upstream.
+
+When two function probes are added to set_ftrace_filter, and then one of
+them is removed, the update to the function locations is not performed, and
+the record keeping of the function states are corrupted, and causes an
+ftrace_bug() to occur.
+
+This is easily reproducable by adding two probes, removing one, and then
+adding it back again.
+
+ # cd /sys/kernel/debug/tracing
+ # echo schedule:traceoff > set_ftrace_filter
+ # echo do_IRQ:traceoff > set_ftrace_filter
+ # echo \!do_IRQ:traceoff > /debug/tracing/set_ftrace_filter
+ # echo do_IRQ:traceoff > set_ftrace_filter
+
+Causes:
+ ------------[ cut here ]------------
+ WARNING: CPU: 2 PID: 1098 at kernel/trace/ftrace.c:2369 ftrace_get_addr_curr+0x143/0x220
+ Modules linked in: [...]
+ CPU: 2 PID: 1098 Comm: bash Not tainted 4.10.0-test+ #405
+ Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012
+ Call Trace:
+ dump_stack+0x68/0x9f
+ __warn+0x111/0x130
+ ? trace_irq_work_interrupt+0xa0/0xa0
+ warn_slowpath_null+0x1d/0x20
+ ftrace_get_addr_curr+0x143/0x220
+ ? __fentry__+0x10/0x10
+ ftrace_replace_code+0xe3/0x4f0
+ ? ftrace_int3_handler+0x90/0x90
+ ? printk+0x99/0xb5
+ ? 0xffffffff81000000
+ ftrace_modify_all_code+0x97/0x110
+ arch_ftrace_update_code+0x10/0x20
+ ftrace_run_update_code+0x1c/0x60
+ ftrace_run_modify_code.isra.48.constprop.62+0x8e/0xd0
+ register_ftrace_function_probe+0x4b6/0x590
+ ? ftrace_startup+0x310/0x310
+ ? debug_lockdep_rcu_enabled.part.4+0x1a/0x30
+ ? update_stack_state+0x88/0x110
+ ? ftrace_regex_write.isra.43.part.44+0x1d3/0x320
+ ? preempt_count_sub+0x18/0xd0
+ ? mutex_lock_nested+0x104/0x800
+ ? ftrace_regex_write.isra.43.part.44+0x1d3/0x320
+ ? __unwind_start+0x1c0/0x1c0
+ ? _mutex_lock_nest_lock+0x800/0x800
+ ftrace_trace_probe_callback.isra.3+0xc0/0x130
+ ? func_set_flag+0xe0/0xe0
+ ? __lock_acquire+0x642/0x1790
+ ? __might_fault+0x1e/0x20
+ ? trace_get_user+0x398/0x470
+ ? strcmp+0x35/0x60
+ ftrace_trace_onoff_callback+0x48/0x70
+ ftrace_regex_write.isra.43.part.44+0x251/0x320
+ ? match_records+0x420/0x420
+ ftrace_filter_write+0x2b/0x30
+ __vfs_write+0xd7/0x330
+ ? do_loop_readv_writev+0x120/0x120
+ ? locks_remove_posix+0x90/0x2f0
+ ? do_lock_file_wait+0x160/0x160
+ ? __lock_is_held+0x93/0x100
+ ? rcu_read_lock_sched_held+0x5c/0xb0
+ ? preempt_count_sub+0x18/0xd0
+ ? __sb_start_write+0x10a/0x230
+ ? vfs_write+0x222/0x240
+ vfs_write+0xef/0x240
+ SyS_write+0xab/0x130
+ ? SyS_read+0x130/0x130
+ ? trace_hardirqs_on_caller+0x182/0x280
+ ? trace_hardirqs_on_thunk+0x1a/0x1c
+ entry_SYSCALL_64_fastpath+0x18/0xad
+ RIP: 0033:0x7fe61c157c30
+ RSP: 002b:00007ffe87890258 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+ RAX: ffffffffffffffda RBX: ffffffff8114a410 RCX: 00007fe61c157c30
+ RDX: 0000000000000010 RSI: 000055814798f5e0 RDI: 0000000000000001
+ RBP: ffff8800c9027f98 R08: 00007fe61c422740 R09: 00007fe61ca53700
+ R10: 0000000000000073 R11: 0000000000000246 R12: 0000558147a36400
+ R13: 00007ffe8788f160 R14: 0000000000000024 R15: 00007ffe8788f15c
+ ? trace_hardirqs_off_caller+0xc0/0x110
+ ---[ end trace 99fa09b3d9869c2c ]---
+ Bad trampoline accounting at: ffffffff81cc3b00 (do_IRQ+0x0/0x150)
+
+Fixes: 59df055f1991 ("ftrace: trace different functions with a different tracer")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ftrace.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -3736,23 +3736,24 @@ static void __enable_ftrace_function_pro
+ ftrace_probe_registered = 1;
+ }
+
+-static void __disable_ftrace_function_probe(void)
++static bool __disable_ftrace_function_probe(void)
+ {
+ int i;
+
+ if (!ftrace_probe_registered)
+- return;
++ return false;
+
+ for (i = 0; i < FTRACE_FUNC_HASHSIZE; i++) {
+ struct hlist_head *hhd = &ftrace_func_hash[i];
+ if (hhd->first)
+- return;
++ return false;
+ }
+
+ /* no more funcs left */
+ ftrace_shutdown(&trace_probe_ops, 0);
+
+ ftrace_probe_registered = 0;
++ return true;
+ }
+
+
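Review bot: __disable_ftrace_function_probe() now returns bool, but nothing documents what the value means, and the caller's new update path depends on it. A one-line comment above the function, `/* Returns true if the last probe was removed and trace_probe_ops was shut down */`, would match the two `return false` early exits and the `return true` after ftrace_shutdown().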
+@@ -3882,6 +3883,7 @@ static void
+ __unregister_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
+ void *data, int flags)
+ {
++ struct ftrace_ops_hash old_hash_ops;
+ struct ftrace_func_entry *rec_entry;
+ struct ftrace_func_probe *entry;
+ struct ftrace_func_probe *p;
+@@ -3893,6 +3895,7 @@ __unregister_ftrace_function_probe(char
+ struct hlist_node *tmp;
+ char str[KSYM_SYMBOL_LEN];
+ int i, ret;
++ bool disabled;
+
+ if (glob && (strcmp(glob, "*") == 0 || !strlen(glob)))
+ func_g.search = NULL;
+@@ -3911,6 +3914,10 @@ __unregister_ftrace_function_probe(char
+
+ mutex_lock(&trace_probe_ops.func_hash->regex_lock);
+
++ old_hash_ops.filter_hash = old_hash;
++ /* Probes only have filters */
++ old_hash_ops.notrace_hash = NULL;
++
+ hash = alloc_and_copy_ftrace_hash(FTRACE_HASH_DEFAULT_BITS, *orig_hash);
+ if (!hash)
+ /* Hmm, should report this somehow */
+@@ -3948,12 +3955,17 @@ __unregister_ftrace_function_probe(char
+ }
+ }
+ mutex_lock(&ftrace_lock);
+- __disable_ftrace_function_probe();
++ disabled = __disable_ftrace_function_probe();
+ /*
+ * Remove after the disable is called. Otherwise, if the last
+ * probe is removed, a null hash means *all enabled*.
+ */
+ ret = ftrace_hash_move(&trace_probe_ops, 1, orig_hash, hash);
++
++ /* still need to update the function call sites */
++ if (ftrace_enabled && !disabled)
++ ftrace_run_modify_code(&trace_probe_ops, FTRACE_UPDATE_CALLS,
++ &old_hash_ops);
+ synchronize_sched();
+ if (!ret)
+ free_ftrace_hash_rcu(old_hash);
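Review bot: The new call to ftrace_run_modify_code() is made whatever ftrace_hash_move() returned, although `ret` is only consulted afterwards for free_ftrace_hash_rcu(). If the move can fail and leave `*orig_hash` unchanged, the call sites are re-patched against a hash that was never installed; consider `if (!ret && ftrace_enabled && !disabled)`, or a comment stating that the update is wanted even on failure. __unregister_ftrace_function_probe() starts and ends outside these hunks, so the error paths around `if (!hash)` cannot be checked from here.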
--- /dev/null
+From 75eb5e1e7b4edbc8e8f930de59004d21cb46961f Mon Sep 17 00:00:00 2001
+From: Tyler Baker <tyler.baker@linaro.org>
+Date: Thu, 13 Apr 2017 15:27:31 -0700
+Subject: irqchip/irq-imx-gpcv2: Fix spinlock initialization
+
+From: Tyler Baker <tyler.baker@linaro.org>
+
+commit 75eb5e1e7b4edbc8e8f930de59004d21cb46961f upstream.
+
+The raw_spinlock in the IMX GPCV2 interupt chip is not initialized before
+usage. That results in a lockdep splat:
+
+ INFO: trying to register non-static key.
+ the code is fine but needs lockdep annotation.
+ turning off the locking correctness validator.
+
+Add the missing raw_spin_lock_init() to the setup code.
+
+Fixes: e324c4dc4a59 ("irqchip/imx-gpcv2: IMX GPCv2 driver for wakeup sources")
+Signed-off-by: Tyler Baker <tyler.baker@linaro.org>
+Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
+Cc: jason@lakedaemon.net
+Cc: marc.zyngier@arm.com
+Cc: shawnguo@kernel.org
+Cc: andrew.smirnov@gmail.com
+Cc: linux-arm-kernel@lists.infradead.org
+Link: http://lkml.kernel.org/r/20170413222731.5917-1-tyler.baker@linaro.org
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-imx-gpcv2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/irqchip/irq-imx-gpcv2.c
++++ b/drivers/irqchip/irq-imx-gpcv2.c
+@@ -230,6 +230,8 @@ static int __init imx_gpcv2_irqchip_init
+ return -ENOMEM;
+ }
+
++ raw_spin_lock_init(&cd->rlock);
++
+ cd->gpc_base = of_iomap(node, 0);
+ if (!cd->gpc_base) {
+ pr_err("fsl-gpcv2: unable to map gpc registers\n");
--- /dev/null
+From 1c99de981f30b3e7868b8d20ce5479fa1c0fea46 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Sun, 2 Apr 2017 13:36:44 -0700
+Subject: iscsi-target: Drop work-around for legacy GlobalSAN initiator
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 1c99de981f30b3e7868b8d20ce5479fa1c0fea46 upstream.
+
+Once upon a time back in 2009, a work-around was added to support
+the GlobalSAN iSCSI initiator v3.3 for MacOSX, which during login
+did not propose nor respond to MaxBurstLength, FirstBurstLength,
+DefaultTime2Wait and DefaultTime2Retain keys.
+
+The work-around in iscsi_check_proposer_for_optional_reply()
+allowed the missing keys to be proposed, but did not require
+waiting for a response before moving to full feature phase
+operation. This allowed GlobalSAN v3.3 to work out-of-the
+box, and for many years we didn't run into login interopt
+issues with any other initiators..
+
+Until recently, when Martin tried a QLogic 57840S iSCSI Offload
+HBA on Windows 2016 which completed login, but subsequently
+failed with:
+
+ Got unknown iSCSI OpCode: 0x43
+
+The issue was QLogic MSFT side did not propose DefaultTime2Wait +
+DefaultTime2Retain, so LIO proposes them itself, and immediately
+transitions to full feature phase because of the GlobalSAN hack.
+However, the QLogic MSFT side still attempts to respond to
+DefaultTime2Retain + DefaultTime2Wait, even though LIO has set
+ISCSI_FLAG_LOGIN_NEXT_STAGE3 + ISCSI_FLAG_LOGIN_TRANSIT
+in last login response.
+
+So while the QLogic MSFT side should have been proposing these
+two keys to start, it was doing the correct thing per RFC-3720
+attempting to respond to proposed keys before transitioning to
+full feature phase.
+
+All that said, recent versions of GlobalSAN iSCSI (v5.3.0.541)
+does correctly propose the four keys during login, making the
+original work-around moot.
+
+So in order to allow QLogic MSFT to run unmodified as-is, go
+ahead and drop this long standing work-around.
+
+Reported-by: Martin Svec <martin.svec@zoner.cz>
+Cc: Martin Svec <martin.svec@zoner.cz>
+Cc: Himanshu Madhani <Himanshu.Madhani@cavium.com>
+Cc: Arun Easi <arun.easi@cavium.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_parameters.c | 16 ----------------
+ 1 file changed, 16 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_parameters.c
++++ b/drivers/target/iscsi/iscsi_target_parameters.c
+@@ -782,22 +782,6 @@ static void iscsi_check_proposer_for_opt
+ if (!strcmp(param->name, MAXRECVDATASEGMENTLENGTH))
+ SET_PSTATE_REPLY_OPTIONAL(param);
+ /*
+- * The GlobalSAN iSCSI Initiator for MacOSX does
+- * not respond to MaxBurstLength, FirstBurstLength,
+- * DefaultTime2Wait or DefaultTime2Retain parameter keys.
+- * So, we set them to 'reply optional' here, and assume the
+- * the defaults from iscsi_parameters.h if the initiator
+- * is not RFC compliant and the keys are not negotiated.
+- */
+- if (!strcmp(param->name, MAXBURSTLENGTH))
+- SET_PSTATE_REPLY_OPTIONAL(param);
+- if (!strcmp(param->name, FIRSTBURSTLENGTH))
+- SET_PSTATE_REPLY_OPTIONAL(param);
+- if (!strcmp(param->name, DEFAULTTIME2WAIT))
+- SET_PSTATE_REPLY_OPTIONAL(param);
+- if (!strcmp(param->name, DEFAULTTIME2RETAIN))
+- SET_PSTATE_REPLY_OPTIONAL(param);
+- /*
+ * Required for gPXE iSCSI boot client
+ */
+ if (!strcmp(param->name, MAXCONNECTIONS))
--- /dev/null
+From efb2ea770bb3b0f40007530bc8b0c22f36e1c5eb Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Thu, 23 Mar 2017 17:19:24 -0700
+Subject: iscsi-target: Fix TMR reference leak during session shutdown
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit efb2ea770bb3b0f40007530bc8b0c22f36e1c5eb upstream.
+
+This patch fixes a iscsi-target specific TMR reference leak
+during session shutdown, that could occur when a TMR was
+quiesced before the hand-off back to iscsi-target code
+via transport_cmd_check_stop_to_fabric().
+
+The reference leak happens because iscsit_free_cmd() was
+incorrectly skipping the final target_put_sess_cmd() for
+TMRs when transport_generic_free_cmd() returned zero because
+the se_cmd->cmd_kref did not reach zero, due to the missing
+se_cmd assignment in original code.
+
+The result was iscsi_cmd and it's associated se_cmd memory
+would be freed once se_sess->sess_cmd_map where released,
+but the associated se_tmr_req was leaked and remained part
+of se_device->dev_tmr_list.
+
+This bug would manfiest itself as kernel paging request
+OOPsen in core_tmr_lun_reset(), when a left-over se_tmr_req
+attempted to dereference it's se_cmd pointer that had
+already been released during normal session shutdown.
+
+To address this bug, go ahead and treat ISCSI_OP_SCSI_CMD
+and ISCSI_OP_SCSI_TMFUNC the same when there is an extra
+se_cmd->cmd_kref to drop in iscsit_free_cmd(), and use
+op_scsi to signal __iscsit_free_cmd() when the former
+needs to clear any further iscsi related I/O state.
+
+Reported-by: Rob Millner <rlm@daterainc.com>
+Cc: Rob Millner <rlm@daterainc.com>
+Reported-by: Chu Yuan Lin <cyl@datera.io>
+Cc: Chu Yuan Lin <cyl@datera.io>
+Tested-by: Chu Yuan Lin <cyl@datera.io>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_util.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_util.c
++++ b/drivers/target/iscsi/iscsi_target_util.c
+@@ -735,21 +735,23 @@ void iscsit_free_cmd(struct iscsi_cmd *c
+ {
+ struct se_cmd *se_cmd = NULL;
+ int rc;
++ bool op_scsi = false;
+ /*
+ * Determine if a struct se_cmd is associated with
+ * this struct iscsi_cmd.
+ */
+ switch (cmd->iscsi_opcode) {
+ case ISCSI_OP_SCSI_CMD:
+- se_cmd = &cmd->se_cmd;
+- __iscsit_free_cmd(cmd, true, shutdown);
++ op_scsi = true;
+ /*
+ * Fallthrough
+ */
+ case ISCSI_OP_SCSI_TMFUNC:
+- rc = transport_generic_free_cmd(&cmd->se_cmd, shutdown);
+- if (!rc && shutdown && se_cmd && se_cmd->se_sess) {
+- __iscsit_free_cmd(cmd, true, shutdown);
++ se_cmd = &cmd->se_cmd;
++ __iscsit_free_cmd(cmd, op_scsi, shutdown);
++ rc = transport_generic_free_cmd(se_cmd, shutdown);
++ if (!rc && shutdown && se_cmd->se_sess) {
++ __iscsit_free_cmd(cmd, op_scsi, shutdown);
+ target_put_sess_cmd(se_cmd);
+ }
+ break;
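Review bot: `op_scsi` is introduced without a comment, and the two case labels now rely on it to tell the opcodes apart across the fallthrough. I would declare it with `/* true for ISCSI_OP_SCSI_CMD only: __iscsit_free_cmd() must also clear iscsi I/O state */` and add above the `if (!rc && shutdown && se_cmd->se_sess)` line `/* cmd_kref did not reach zero: drop the extra reference, for TMRs as well */`, since per the commit message skipping that put for TMRs is what left a stale se_tmr_req on dev_tmr_list. __iscsit_free_cmd() is called both before transport_generic_free_cmd() and again inside the `if`; the hunk does not show whether the second call is safe to repeat, so that deserves a sentence in the comment too. iscsit_free_cmd() continues outside the hunk.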
--- /dev/null
+From fe514739d8538783749d3ce72f78e5a999ea5668 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Tue, 4 Apr 2017 15:08:36 -0700
+Subject: libnvdimm: fix blk free space accounting
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit fe514739d8538783749d3ce72f78e5a999ea5668 upstream.
+
+Commit a1f3e4d6a0c3 "libnvdimm, region: update nd_region_available_dpa()
+for multi-pmem support" reworked blk dpa (DIMM Physical Address)
+accounting to comprehend multiple pmem namespace allocations aliasing
+with a given blk-dpa range.
+
+The following call trace is a result of failing to account for allocated
+blk capacity.
+
+ WARNING: CPU: 1 PID: 2433 at tools/testing/nvdimm/../../../drivers/nvdimm/names
+4 size_store+0x6f3/0x930 [libnvdimm]
+ nd_region region5: allocation underrun: 0x0 of 0x1000000 bytes
+ [..]
+ Call Trace:
+ dump_stack+0x86/0xc3
+ __warn+0xcb/0xf0
+ warn_slowpath_fmt+0x5f/0x80
+ size_store+0x6f3/0x930 [libnvdimm]
+ dev_attr_store+0x18/0x30
+
+If a given blk-dpa allocation does not alias with any pmem ranges then
+the full allocation should be accounted as busy space, not the size of
+the current pmem contribution to the region.
+
+The thinkos that led to this confusion was not realizing that the struct
+resource management is already guaranteeing no collisions between pmem
+allocations and blk allocations on the same dimm. Also, we do not try to
+support blk allocations in aliased pmem holes.
+
+This patch also fixes a case where the available blk goes negative.
+
+Fixes: a1f3e4d6a0c3 ("libnvdimm, region: update nd_region_available_dpa() for multi-pmem support").
+Reported-by: Dariusz Dokupil <dariusz.dokupil@intel.com>
+Reported-by: Dave Jiang <dave.jiang@intel.com>
+Reported-by: Vishal Verma <vishal.l.verma@intel.com>
+Tested-by: Dave Jiang <dave.jiang@intel.com>
+Tested-by: Vishal Verma <vishal.l.verma@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/dimm_devs.c | 77 ++++++---------------------------------------
+ 1 file changed, 11 insertions(+), 66 deletions(-)
+
+--- a/drivers/nvdimm/dimm_devs.c
++++ b/drivers/nvdimm/dimm_devs.c
+@@ -388,7 +388,7 @@ EXPORT_SYMBOL_GPL(nvdimm_create);
+
+ int alias_dpa_busy(struct device *dev, void *data)
+ {
+- resource_size_t map_end, blk_start, new, busy;
++ resource_size_t map_end, blk_start, new;
+ struct blk_alloc_info *info = data;
+ struct nd_mapping *nd_mapping;
+ struct nd_region *nd_region;
+@@ -429,29 +429,19 @@ int alias_dpa_busy(struct device *dev, v
+ retry:
+ /*
+ * Find the free dpa from the end of the last pmem allocation to
+- * the end of the interleave-set mapping that is not already
+- * covered by a blk allocation.
++ * the end of the interleave-set mapping.
+ */
+- busy = 0;
+ for_each_dpa_resource(ndd, res) {
++ if (strncmp(res->name, "pmem", 4) != 0)
++ continue;
+ if ((res->start >= blk_start && res->start < map_end)
+ || (res->end >= blk_start
+ && res->end <= map_end)) {
+- if (strncmp(res->name, "pmem", 4) == 0) {
+- new = max(blk_start, min(map_end + 1,
+- res->end + 1));
+- if (new != blk_start) {
+- blk_start = new;
+- goto retry;
+- }
+- } else
+- busy += min(map_end, res->end)
+- - max(nd_mapping->start, res->start) + 1;
+- } else if (nd_mapping->start > res->start
+- && map_end < res->end) {
+- /* total eclipse of the PMEM region mapping */
+- busy += nd_mapping->size;
+- break;
++ new = max(blk_start, min(map_end + 1, res->end + 1));
++ if (new != blk_start) {
++ blk_start = new;
++ goto retry;
++ }
+ }
+ }
+
+@@ -463,52 +453,11 @@ int alias_dpa_busy(struct device *dev, v
+ return 1;
+ }
+
+- info->available -= blk_start - nd_mapping->start + busy;
++ info->available -= blk_start - nd_mapping->start;
+
+ return 0;
+ }
+
+-static int blk_dpa_busy(struct device *dev, void *data)
+-{
+- struct blk_alloc_info *info = data;
+- struct nd_mapping *nd_mapping;
+- struct nd_region *nd_region;
+- resource_size_t map_end;
+- int i;
+-
+- if (!is_nd_pmem(dev))
+- return 0;
+-
+- nd_region = to_nd_region(dev);
+- for (i = 0; i < nd_region->ndr_mappings; i++) {
+- nd_mapping = &nd_region->mapping[i];
+- if (nd_mapping->nvdimm == info->nd_mapping->nvdimm)
+- break;
+- }
+-
+- if (i >= nd_region->ndr_mappings)
+- return 0;
+-
+- map_end = nd_mapping->start + nd_mapping->size - 1;
+- if (info->res->start >= nd_mapping->start
+- && info->res->start < map_end) {
+- if (info->res->end <= map_end) {
+- info->busy = 0;
+- return 1;
+- } else {
+- info->busy -= info->res->end - map_end;
+- return 0;
+- }
+- } else if (info->res->end >= nd_mapping->start
+- && info->res->end <= map_end) {
+- info->busy -= nd_mapping->start - info->res->start;
+- return 0;
+- } else {
+- info->busy -= nd_mapping->size;
+- return 0;
+- }
+-}
+-
+ /**
+ * nd_blk_available_dpa - account the unused dpa of BLK region
+ * @nd_mapping: container of dpa-resource-root + labels
+@@ -538,11 +487,7 @@ resource_size_t nd_blk_available_dpa(str
+ for_each_dpa_resource(ndd, res) {
+ if (strncmp(res->name, "blk", 3) != 0)
+ continue;
+-
+- info.res = res;
+- info.busy = resource_size(res);
+- device_for_each_child(&nvdimm_bus->dev, &info, blk_dpa_busy);
+- info.available -= info.busy;
++ info.available -= resource_size(res);
+ }
+
+ return info.available;
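Review bot: `info.available -= resource_size(res);` now deducts every "blk" resource in full, with nothing relating it to the range alias_dpa_busy() has already deducted (`blk_start - nd_mapping->start` in the earlier hunk). If a blk resource can lie inside that already-deducted range, or the resources sum to more than the starting value, the subtraction wraps, because the function returns `resource_size_t` and `available` is presumably the same unsigned type. A guard before the subtraction, such as `if (resource_size(res) > info.available) return 0;`, would keep an inconsistent DPA layout from being reported as a very large amount of free space. The start of nd_blk_available_dpa() is outside the hunk, so the initial value of `info.available` could not be checked here.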
--- /dev/null
+From 0beb2012a1722633515c8aaa263c73449636c893 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Fri, 7 Apr 2017 09:47:24 -0700
+Subject: libnvdimm: fix reconfig_mutex, mmap_sem, and jbd2_handle lockdep splat
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit 0beb2012a1722633515c8aaa263c73449636c893 upstream.
+
+Holding the reconfig_mutex over a potential userspace fault sets up a
+lockdep dependency chain between filesystem-DAX and the libnvdimm ioctl
+path. Move the user access outside of the lock.
+
+ [ INFO: possible circular locking dependency detected ]
+ 4.11.0-rc3+ #13 Tainted: G W O
+ -------------------------------------------------------
+ fallocate/16656 is trying to acquire lock:
+ (&nvdimm_bus->reconfig_mutex){+.+.+.}, at: [<ffffffffa00080b1>] nvdimm_bus_lock+0x21/0x30 [libnvdimm]
+ but task is already holding lock:
+ (jbd2_handle){++++..}, at: [<ffffffff813b4944>] start_this_handle+0x104/0x460
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+
+ -> #2 (jbd2_handle){++++..}:
+ lock_acquire+0xbd/0x200
+ start_this_handle+0x16a/0x460
+ jbd2__journal_start+0xe9/0x2d0
+ __ext4_journal_start_sb+0x89/0x1c0
+ ext4_dirty_inode+0x32/0x70
+ __mark_inode_dirty+0x235/0x670
+ generic_update_time+0x87/0xd0
+ touch_atime+0xa9/0xd0
+ ext4_file_mmap+0x90/0xb0
+ mmap_region+0x370/0x5b0
+ do_mmap+0x415/0x4f0
+ vm_mmap_pgoff+0xd7/0x120
+ SyS_mmap_pgoff+0x1c5/0x290
+ SyS_mmap+0x22/0x30
+ entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+ -> #1 (&mm->mmap_sem){++++++}:
+ lock_acquire+0xbd/0x200
+ __might_fault+0x70/0xa0
+ __nd_ioctl+0x683/0x720 [libnvdimm]
+ nvdimm_ioctl+0x8b/0xe0 [libnvdimm]
+ do_vfs_ioctl+0xa8/0x740
+ SyS_ioctl+0x79/0x90
+ do_syscall_64+0x6c/0x200
+ return_from_SYSCALL_64+0x0/0x7a
+
+ -> #0 (&nvdimm_bus->reconfig_mutex){+.+.+.}:
+ __lock_acquire+0x16b6/0x1730
+ lock_acquire+0xbd/0x200
+ __mutex_lock+0x88/0x9b0
+ mutex_lock_nested+0x1b/0x20
+ nvdimm_bus_lock+0x21/0x30 [libnvdimm]
+ nvdimm_forget_poison+0x25/0x50 [libnvdimm]
+ nvdimm_clear_poison+0x106/0x140 [libnvdimm]
+ pmem_do_bvec+0x1c2/0x2b0 [nd_pmem]
+ pmem_make_request+0xf9/0x270 [nd_pmem]
+ generic_make_request+0x118/0x3b0
+ submit_bio+0x75/0x150
+
+Fixes: 62232e45f4a2 ("libnvdimm: control (ioctl) messages for nvdimm_bus and nvdimm devices")
+Cc: Dave Jiang <dave.jiang@intel.com>
+Reported-by: Vishal Verma <vishal.l.verma@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/bus.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/nvdimm/bus.c
++++ b/drivers/nvdimm/bus.c
+@@ -934,8 +934,14 @@ static int __nd_ioctl(struct nvdimm_bus
+ rc = nd_desc->ndctl(nd_desc, nvdimm, cmd, buf, buf_len, NULL);
+ if (rc < 0)
+ goto out_unlock;
++ nvdimm_bus_unlock(&nvdimm_bus->dev);
++
+ if (copy_to_user(p, buf, buf_len))
+ rc = -EFAULT;
++
++ vfree(buf);
++ return rc;
++
+ out_unlock:
+ nvdimm_bus_unlock(&nvdimm_bus->dev);
+ out:
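Review bot: The reason the unlock now precedes `copy_to_user()` is not recorded next to the code, so a later cleanup could fold the success path back into `out_unlock:` and bring the lock ordering problem back. A comment above the added `nvdimm_bus_unlock()` would pin it: `/* copy_to_user() may fault; never hold reconfig_mutex across it */`. The success path also repeats `vfree(buf); return rc;`, which is presumably what `out:` does (its body is outside the hunk); a `goto out;` after the copy would keep a single cleanup path.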
--- /dev/null
+From 3278682123811dd8ef07de5eb701fc4548fcebf2 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 17 Feb 2017 20:16:34 -0500
+Subject: make skb_copy_datagram_msg() et.al. preserve ->msg_iter on error
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 3278682123811dd8ef07de5eb701fc4548fcebf2 upstream.
+
+Fixes the mess observed in e.g. rsync over a noisy link we'd been
+seeing since last Summer. What happens is that we copy part of
+a datagram before noticing a checksum mismatch. Datagram will be
+resent, all right, but we want the next try go into the same place,
+not after it...
+
+All this family of primitives (copy/checksum and copy a datagram
+into destination) is "all or nothing" sort of interface - either
+we get 0 (meaning that copy had been successful) or we get an
+error (and no way to tell how much had been copied before we ran
+into whatever error it had been). Make all of them leave iterator
+unadvanced in case of errors - all callers must be able to cope
+with that (an error might've been caught before the iterator had
+been advanced), it costs very little to arrange, it's safer for
+callers and actually fixes at least one bug in said callers.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/datagram.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/net/core/datagram.c
++++ b/net/core/datagram.c
+@@ -378,7 +378,7 @@ int skb_copy_datagram_iter(const struct
+ struct iov_iter *to, int len)
+ {
+ int start = skb_headlen(skb);
+- int i, copy = start - offset;
++ int i, copy = start - offset, start_off = offset, n;
+ struct sk_buff *frag_iter;
+
+ trace_skb_copy_datagram_iovec(skb, len);
+@@ -387,11 +387,12 @@ int skb_copy_datagram_iter(const struct
+ if (copy > 0) {
+ if (copy > len)
+ copy = len;
+- if (copy_to_iter(skb->data + offset, copy, to) != copy)
++ n = copy_to_iter(skb->data + offset, copy, to);
++ offset += n;
++ if (n != copy)
+ goto short_copy;
+ if ((len -= copy) == 0)
+ return 0;
+- offset += copy;
+ }
+
+ /* Copy paged appendix. Hmm... why does this look so complicated? */
+@@ -405,13 +406,14 @@ int skb_copy_datagram_iter(const struct
+ if ((copy = end - offset) > 0) {
+ if (copy > len)
+ copy = len;
+- if (copy_page_to_iter(skb_frag_page(frag),
++ n = copy_page_to_iter(skb_frag_page(frag),
+ frag->page_offset + offset -
+- start, copy, to) != copy)
++ start, copy, to);
++ offset += n;
++ if (n != copy)
+ goto short_copy;
+ if (!(len -= copy))
+ return 0;
+- offset += copy;
+ }
+ start = end;
+ }
+@@ -443,6 +445,7 @@ int skb_copy_datagram_iter(const struct
+ */
+
+ fault:
++ iov_iter_revert(to, offset - start_off);
+ return -EFAULT;
+
+ short_copy:
+@@ -593,7 +596,7 @@ static int skb_copy_and_csum_datagram(co
+ __wsum *csump)
+ {
+ int start = skb_headlen(skb);
+- int i, copy = start - offset;
++ int i, copy = start - offset, start_off = offset;
+ struct sk_buff *frag_iter;
+ int pos = 0;
+ int n;
+@@ -603,11 +606,11 @@ static int skb_copy_and_csum_datagram(co
+ if (copy > len)
+ copy = len;
+ n = csum_and_copy_to_iter(skb->data + offset, copy, csump, to);
++ offset += n;
+ if (n != copy)
+ goto fault;
+ if ((len -= copy) == 0)
+ return 0;
+- offset += copy;
+ pos = copy;
+ }
+
+@@ -629,12 +632,12 @@ static int skb_copy_and_csum_datagram(co
+ offset - start, copy,
+ &csum2, to);
+ kunmap(page);
++ offset += n;
+ if (n != copy)
+ goto fault;
+ *csump = csum_block_add(*csump, csum2, pos);
+ if (!(len -= copy))
+ return 0;
+- offset += copy;
+ pos += copy;
+ }
+ start = end;
+@@ -667,6 +670,7 @@ static int skb_copy_and_csum_datagram(co
+ return 0;
+
+ fault:
++ iov_iter_revert(to, offset - start_off);
+ return -EFAULT;
+ }
+
+@@ -751,6 +755,7 @@ int skb_copy_and_csum_datagram_msg(struc
+ }
+ return 0;
+ csum_error:
++ iov_iter_revert(&msg->msg_iter, chunk);
+ return -EINVAL;
+ fault:
+ return -EFAULT;
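Review bot: The revert at `csum_error:` always rewinds `msg->msg_iter` by `chunk`, which is only correct if every jump to that label happens after `chunk` bytes were copied. The body of skb_copy_and_csum_datagram_msg() is outside this hunk; if the label is also reached from a path that verifies the checksum before copying anything, the iterator is moved back past its initial position, which the iov_iter_revert() description on this page says the caller must never do. Doing the revert at the jump site that follows a completed copy, rather than at the shared label, would make the precondition visible and keep the no-copy path untouched.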
--- /dev/null
+From 27c0e3748e41ca79171ffa3e97415a20af6facd0 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 17 Feb 2017 18:42:24 -0500
+Subject: [iov_iter] new privimitive: iov_iter_revert()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 27c0e3748e41ca79171ffa3e97415a20af6facd0 upstream.
+
+opposite to iov_iter_advance(); the caller is responsible for never
+using it to move back past the initial position.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/uio.h | 6 ++++
+ lib/iov_iter.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 68 insertions(+), 1 deletion(-)
+
+--- a/include/linux/uio.h
++++ b/include/linux/uio.h
+@@ -39,7 +39,10 @@ struct iov_iter {
+ };
+ union {
+ unsigned long nr_segs;
+- int idx;
++ struct {
++ int idx;
++ int start_idx;
++ };
+ };
+ };
+
+@@ -81,6 +84,7 @@ unsigned long iov_shorten(struct iovec *
+ size_t iov_iter_copy_from_user_atomic(struct page *page,
+ struct iov_iter *i, unsigned long offset, size_t bytes);
+ void iov_iter_advance(struct iov_iter *i, size_t bytes);
++void iov_iter_revert(struct iov_iter *i, size_t bytes);
+ int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes);
+ size_t iov_iter_single_seg_count(const struct iov_iter *i);
+ size_t copy_page_to_iter(struct page *page, size_t offset, size_t bytes,
+--- a/lib/iov_iter.c
++++ b/lib/iov_iter.c
+@@ -734,6 +734,68 @@ void iov_iter_advance(struct iov_iter *i
+ }
+ EXPORT_SYMBOL(iov_iter_advance);
+
++void iov_iter_revert(struct iov_iter *i, size_t unroll)
++{
++ if (!unroll)
++ return;
++ i->count += unroll;
++ if (unlikely(i->type & ITER_PIPE)) {
++ struct pipe_inode_info *pipe = i->pipe;
++ int idx = i->idx;
++ size_t off = i->iov_offset;
++ while (1) {
++ size_t n = off - pipe->bufs[idx].offset;
++ if (unroll < n) {
++ off -= (n - unroll);
++ break;
++ }
++ unroll -= n;
++ if (!unroll && idx == i->start_idx) {
++ off = 0;
++ break;
++ }
++ if (!idx--)
++ idx = pipe->buffers - 1;
++ off = pipe->bufs[idx].offset + pipe->bufs[idx].len;
++ }
++ i->iov_offset = off;
++ i->idx = idx;
++ pipe_truncate(i);
++ return;
++ }
++ if (unroll <= i->iov_offset) {
++ i->iov_offset -= unroll;
++ return;
++ }
++ unroll -= i->iov_offset;
++ if (i->type & ITER_BVEC) {
++ const struct bio_vec *bvec = i->bvec;
++ while (1) {
++ size_t n = (--bvec)->bv_len;
++ i->nr_segs++;
++ if (unroll <= n) {
++ i->bvec = bvec;
++ i->iov_offset = n - unroll;
++ return;
++ }
++ unroll -= n;
++ }
++ } else { /* same logics for iovec and kvec */
++ const struct iovec *iov = i->iov;
++ while (1) {
++ size_t n = (--iov)->iov_len;
++ i->nr_segs++;
++ if (unroll <= n) {
++ i->iov = iov;
++ i->iov_offset = n - unroll;
++ return;
++ }
++ unroll -= n;
++ }
++ }
++}
++EXPORT_SYMBOL(iov_iter_revert);
++
+ /*
+ * Return the count of just the current iov_iter segment.
+ */
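Review bot: iov_iter_revert() has no comment stating its contract and no bound on `unroll`: the backward walks `(--bvec)->bv_len` and `(--iov)->iov_len` have no lower limit, so a count larger than what was advanced reads segment descriptors in front of the array. The rule that the caller must never move back past the initial position exists only in the commit message and should be a comment on the function. A cheap check before `i->count += unroll;`, such as `if (WARN_ON(unroll > MAX_RW_COUNT)) return;`, would catch a negative difference converted to `size_t`, which is how the datagram callers on this page compute the argument (`offset - start_off`).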
+@@ -787,6 +849,7 @@ void iov_iter_pipe(struct iov_iter *i, i
+ i->idx = (pipe->curbuf + pipe->nrbufs) & (pipe->buffers - 1);
+ i->iov_offset = 0;
+ i->count = count;
++ i->start_idx = i->idx;
+ }
+ EXPORT_SYMBOL(iov_iter_pipe);
+
--- /dev/null
+From 409c1b250e30ad0e48b4d15d7319b4e18c046c4f Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Fri, 14 Apr 2017 14:15:20 -0400
+Subject: parisc: fix bugs in pa_memcpy
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 409c1b250e30ad0e48b4d15d7319b4e18c046c4f upstream.
+
+The patch 554bfeceb8a22d448cd986fc9efce25e833278a1 ("parisc: Fix access
+fault handling in pa_memcpy()") reimplements the pa_memcpy function.
+Unfortunately, it makes the kernel unbootable. The crash happens in the
+function ide_complete_cmd where memcpy is called with the same source
+and destination address.
+
+This patch fixes a few bugs in pa_memcpy:
+
+* When jumping to .Lcopy_loop_16 for the first time, don't skip the
+ instruction "ldi 31,t0" (this bug made the kernel unbootable)
+* Use the COND macro when comparing length, so that the comparison is
+ 64-bit (a theoretical issue, in case the length is greater than
+ 0xffffffff)
+* Don't use the COND macro after the "extru" instruction (the PA-RISC
+ specification says that the upper 32-bits of extru result are undefined,
+ although they are set to zero in practice)
+* Fix exception addresses in .Lcopy16_fault and .Lcopy8_fault
+* Rename .Lcopy_loop_4 to .Lcopy_loop_8 (so that it is consistent with
+ .Lcopy8_fault)
+
+Fixes: 554bfeceb8a2 ("parisc: Fix access fault handling in pa_memcpy()")
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/lib/lusercopy.S | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+--- a/arch/parisc/lib/lusercopy.S
++++ b/arch/parisc/lib/lusercopy.S
+@@ -201,7 +201,7 @@ ENTRY_CFI(pa_memcpy)
+ add dst,len,end
+
+ /* short copy with less than 16 bytes? */
+- cmpib,>>=,n 15,len,.Lbyte_loop
++ cmpib,COND(>>=),n 15,len,.Lbyte_loop
+
+ /* same alignment? */
+ xor src,dst,t0
+@@ -216,7 +216,7 @@ ENTRY_CFI(pa_memcpy)
+ /* loop until we are 64-bit aligned */
+ .Lalign_loop64:
+ extru dst,31,3,t1
+- cmpib,=,n 0,t1,.Lcopy_loop_16
++ cmpib,=,n 0,t1,.Lcopy_loop_16_start
+ 20: ldb,ma 1(srcspc,src),t1
+ 21: stb,ma t1,1(dstspc,dst)
+ b .Lalign_loop64
+@@ -225,6 +225,7 @@ ENTRY_CFI(pa_memcpy)
+ ASM_EXCEPTIONTABLE_ENTRY(20b,.Lcopy_done)
+ ASM_EXCEPTIONTABLE_ENTRY(21b,.Lcopy_done)
+
++.Lcopy_loop_16_start:
+ ldi 31,t0
+ .Lcopy_loop_16:
+ cmpb,COND(>>=),n t0,len,.Lword_loop
+@@ -267,7 +268,7 @@ ENTRY_CFI(pa_memcpy)
+ /* loop until we are 32-bit aligned */
+ .Lalign_loop32:
+ extru dst,31,2,t1
+- cmpib,=,n 0,t1,.Lcopy_loop_4
++ cmpib,=,n 0,t1,.Lcopy_loop_8
+ 20: ldb,ma 1(srcspc,src),t1
+ 21: stb,ma t1,1(dstspc,dst)
+ b .Lalign_loop32
+@@ -277,7 +278,7 @@ ENTRY_CFI(pa_memcpy)
+ ASM_EXCEPTIONTABLE_ENTRY(21b,.Lcopy_done)
+
+
+-.Lcopy_loop_4:
++.Lcopy_loop_8:
+ cmpib,COND(>>=),n 15,len,.Lbyte_loop
+
+ 10: ldw 0(srcspc,src),t1
+@@ -299,7 +300,7 @@ ENTRY_CFI(pa_memcpy)
+ ASM_EXCEPTIONTABLE_ENTRY(16b,.Lcopy_done)
+ ASM_EXCEPTIONTABLE_ENTRY(17b,.Lcopy_done)
+
+- b .Lcopy_loop_4
++ b .Lcopy_loop_8
+ ldo -16(len),len
+
+ .Lbyte_loop:
+@@ -324,7 +325,7 @@ ENTRY_CFI(pa_memcpy)
+ .Lunaligned_copy:
+ /* align until dst is 32bit-word-aligned */
+ extru dst,31,2,t1
+- cmpib,COND(=),n 0,t1,.Lcopy_dstaligned
++ cmpib,=,n 0,t1,.Lcopy_dstaligned
+ 20: ldb 0(srcspc,src),t1
+ ldo 1(src),src
+ 21: stb,ma t1,1(dstspc,dst)
+@@ -362,7 +363,7 @@ ENTRY_CFI(pa_memcpy)
+ cmpiclr,<> 1,t0,%r0
+ b,n .Lcase1
+ .Lcase0:
+- cmpb,= %r0,len,.Lcda_finish
++ cmpb,COND(=) %r0,len,.Lcda_finish
+ nop
+
+ 1: ldw,ma 4(srcspc,src), a3
+@@ -376,7 +377,7 @@ ENTRY_CFI(pa_memcpy)
+ 1: ldw,ma 4(srcspc,src), a3
+ ASM_EXCEPTIONTABLE_ENTRY(1b,.Lcda_rdfault)
+ ldo -1(len),len
+- cmpb,=,n %r0,len,.Ldo0
++ cmpb,COND(=),n %r0,len,.Ldo0
+ .Ldo4:
+ 1: ldw,ma 4(srcspc,src), a0
+ ASM_EXCEPTIONTABLE_ENTRY(1b,.Lcda_rdfault)
+@@ -402,7 +403,7 @@ ENTRY_CFI(pa_memcpy)
+ 1: stw,ma t0, 4(dstspc,dst)
+ ASM_EXCEPTIONTABLE_ENTRY(1b,.Lcopy_done)
+ ldo -4(len),len
+- cmpb,<> %r0,len,.Ldo4
++ cmpb,COND(<>) %r0,len,.Ldo4
+ nop
+ .Ldo0:
+ shrpw a2, a3, %sar, t0
+@@ -436,14 +437,14 @@ ENTRY_CFI(pa_memcpy)
+ /* fault exception fixup handlers: */
+ #ifdef CONFIG_64BIT
+ .Lcopy16_fault:
+-10: b .Lcopy_done
+- std,ma t1,8(dstspc,dst)
++ b .Lcopy_done
++10: std,ma t1,8(dstspc,dst)
+ ASM_EXCEPTIONTABLE_ENTRY(10b,.Lcopy_done)
+ #endif
+
+ .Lcopy8_fault:
+-10: b .Lcopy_done
+- stw,ma t1,4(dstspc,dst)
++ b .Lcopy_done
++10: stw,ma t1,4(dstspc,dst)
+ ASM_EXCEPTIONTABLE_ENTRY(10b,.Lcopy_done)
+
+ .exit
--- /dev/null
+From a900152b5c29aea8134cc7a4c5db25552b3cd8f7 Mon Sep 17 00:00:00 2001
+From: David Wu <david.wu@rock-chips.com>
+Date: Wed, 1 Mar 2017 19:10:55 +0800
+Subject: pwm: rockchip: State of PWM clock should synchronize with PWM enabled state
+
+From: David Wu <david.wu@rock-chips.com>
+
+commit a900152b5c29aea8134cc7a4c5db25552b3cd8f7 upstream.
+
+If the PWM was not enabled at U-Boot loader, PWM could not work for
+clock always disabled at PWM driver. The PWM clock is enabled at
+beginning of pwm_apply(), but disabled at end of pwm_apply().
+
+If the PWM was enabled at U-Boot loader, PWM clock is always enabled
+unless closed by ATF. The pwm-backlight might turn off the power at
+early suspend, should disable PWM clock for saving power consume.
+
+It is important to provide opportunity to enable/disable clock at PWM
+driver, the PWM consumer should ensure correct order to call PWM enable
+and disable, and PWM driver ensure state of PWM clock synchronized with
+PWM enabled state.
+
+Fixes: 2bf1c98aa5a4 ("pwm: rockchip: Add support for atomic update")
+Signed-off-by: David Wu <david.wu@rock-chips.com>
+Reviewed-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pwm/pwm-rockchip.c | 40 +++++++++++++++++++++++++++++++++-------
+ 1 file changed, 33 insertions(+), 7 deletions(-)
+
+--- a/drivers/pwm/pwm-rockchip.c
++++ b/drivers/pwm/pwm-rockchip.c
+@@ -191,6 +191,28 @@ static int rockchip_pwm_config(struct pw
+ return 0;
+ }
+
++static int rockchip_pwm_enable(struct pwm_chip *chip,
++ struct pwm_device *pwm,
++ bool enable,
++ enum pwm_polarity polarity)
++{
++ struct rockchip_pwm_chip *pc = to_rockchip_pwm_chip(chip);
++ int ret;
++
++ if (enable) {
++ ret = clk_enable(pc->clk);
++ if (ret)
++ return ret;
++ }
++
++ pc->data->set_enable(chip, pwm, enable, polarity);
++
++ if (!enable)
++ clk_disable(pc->clk);
++
++ return 0;
++}
++
+ static int rockchip_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm,
+ struct pwm_state *state)
+ {
+@@ -207,22 +229,26 @@ static int rockchip_pwm_apply(struct pwm
+ return ret;
+
+ if (state->polarity != curstate.polarity && enabled) {
+- pc->data->set_enable(chip, pwm, false, state->polarity);
++ ret = rockchip_pwm_enable(chip, pwm, false, state->polarity);
++ if (ret)
++ goto out;
+ enabled = false;
+ }
+
+ ret = rockchip_pwm_config(chip, pwm, state->duty_cycle, state->period);
+ if (ret) {
+ if (enabled != curstate.enabled)
+- pc->data->set_enable(chip, pwm, !enabled,
+- state->polarity);
+-
++ rockchip_pwm_enable(chip, pwm, !enabled,
++ state->polarity);
+ goto out;
+ }
+
+- if (state->enabled != enabled)
+- pc->data->set_enable(chip, pwm, state->enabled,
+- state->polarity);
++ if (state->enabled != enabled) {
++ ret = rockchip_pwm_enable(chip, pwm, state->enabled,
++ state->polarity);
++ if (ret)
++ goto out;
++ }
+
+ /*
+ * Update the state with the real hardware, which can differ a bit
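Review bot: In the rollback after a failed `rockchip_pwm_config()`, the call `rockchip_pwm_enable(chip, pwm, !enabled, state->polarity);` drops its return value and passes the requested polarity instead of `curstate.polarity`. When that call is re-enabling the PWM and `clk_enable()` fails inside the helper, the hardware stays disabled while the caller only sees the config error; and when a polarity change triggered the earlier disable, the PWM presumably comes back with the new polarity and the old duty and period. Passing `curstate.polarity` there and at least logging a failed restore would make the error path put back what was actually running. rockchip_pwm_apply() starts and ends outside the hunk, so the `out:` handling could not be checked.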
--- /dev/null
+From bf6061b17a8d47ef0d9344d3ef576a4ff0edf793 Mon Sep 17 00:00:00 2001
+From: Sawan Chandak <sawan.chandak@cavium.com>
+Date: Fri, 31 Mar 2017 14:37:03 -0700
+Subject: scsi: qla2xxx: Add fix to read correct register value for ISP82xx.
+
+From: Sawan Chandak <sawan.chandak@cavium.com>
+
+commit bf6061b17a8d47ef0d9344d3ef576a4ff0edf793 upstream.
+
+Add fix to read correct register value for ISP82xx, during check for
+register disconnect. ISP82xx has a different base register.
+
+Fixes: a465537ad1a4 ("qla2xxx: Disable the adapter and skip error recovery in case of register disconnect")
+Signed-off-by: Sawan Chandak <sawan.chandak@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_os.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -968,8 +968,13 @@ static inline
+ uint32_t qla2x00_isp_reg_stat(struct qla_hw_data *ha)
+ {
+ struct device_reg_24xx __iomem *reg = &ha->iobase->isp24;
++ struct device_reg_82xx __iomem *reg82 = &ha->iobase->isp82;
+
+- return ((RD_REG_DWORD(®->host_status)) == ISP_REG_DISCONNECT);
++ if (IS_P3P_TYPE(ha))
++ return ((RD_REG_DWORD(®82->host_int)) == ISP_REG_DISCONNECT);
++ else
++ return ((RD_REG_DWORD(®->host_status)) ==
++ ISP_REG_DISCONNECT);
+ }
+
+ /**************************************************************************
--- /dev/null
+From 6780414519f91c2a84da9baa963a940ac916f803 Mon Sep 17 00:00:00 2001
+From: Fam Zheng <famz@redhat.com>
+Date: Tue, 28 Mar 2017 12:41:26 +0800
+Subject: scsi: sd: Consider max_xfer_blocks if opt_xfer_blocks is unusable
+
+From: Fam Zheng <famz@redhat.com>
+
+commit 6780414519f91c2a84da9baa963a940ac916f803 upstream.
+
+If device reports a small max_xfer_blocks and a zero opt_xfer_blocks, we
+end up using BLK_DEF_MAX_SECTORS, which is wrong and r/w of that size
+may get error.
+
+[mkp: tweaked to avoid setting rw_max twice and added typecast]
+
+Fixes: ca369d51b3e ("block/sd: Fix device-imposed transfer length limits")
+Signed-off-by: Fam Zheng <famz@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -2877,7 +2877,8 @@ static int sd_revalidate_disk(struct gen
+ q->limits.io_opt = logical_to_bytes(sdp, sdkp->opt_xfer_blocks);
+ rw_max = logical_to_sectors(sdp, sdkp->opt_xfer_blocks);
+ } else
+- rw_max = BLK_DEF_MAX_SECTORS;
++ rw_max = min_not_zero(logical_to_sectors(sdp, dev_max),
++ (sector_t)BLK_DEF_MAX_SECTORS);
+
+ /* Combine with controller limits */
+ q->limits.max_sectors = min(rw_max, queue_max_hw_sectors(q));
--- /dev/null
+From 7c856152cb92f8eee2df29ef325a1b1f43161aff Mon Sep 17 00:00:00 2001
+From: "Martin K. Petersen" <martin.petersen@oracle.com>
+Date: Tue, 4 Apr 2017 10:42:30 -0400
+Subject: scsi: sd: Fix capacity calculation with 32-bit sector_t
+
+From: Martin K. Petersen <martin.petersen@oracle.com>
+
+commit 7c856152cb92f8eee2df29ef325a1b1f43161aff upstream.
+
+We previously made sure that the reported disk capacity was less than
+0xffffffff blocks when the kernel was not compiled with large sector_t
+support (CONFIG_LBDAF). However, this check assumed that the capacity
+was reported in units of 512 bytes.
+
+Add a sanity check function to ensure that we only enable disks if the
+entire reported capacity can be expressed in terms of sector_t.
+
+Reported-by: Steve Magnani <steve.magnani@digidescorp.com>
+Cc: Bart Van Assche <Bart.VanAssche@sandisk.com>
+Reviewed-by: Bart Van Assche <Bart.VanAssche@sandisk.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sd.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -2057,6 +2057,22 @@ static void read_capacity_error(struct s
+
+ #define READ_CAPACITY_RETRIES_ON_RESET 10
+
++/*
++ * Ensure that we don't overflow sector_t when CONFIG_LBDAF is not set
++ * and the reported logical block size is bigger than 512 bytes. Note
++ * that last_sector is a u64 and therefore logical_to_sectors() is not
++ * applicable.
++ */
++static bool sd_addressable_capacity(u64 lba, unsigned int sector_size)
++{
++ u64 last_sector = (lba + 1ULL) << (ilog2(sector_size) - 9);
++
++ if (sizeof(sector_t) == 4 && last_sector > U32_MAX)
++ return false;
++
++ return true;
++}
++
+ static int read_capacity_16(struct scsi_disk *sdkp, struct scsi_device *sdp,
+ unsigned char *buffer)
+ {
+@@ -2122,7 +2138,7 @@ static int read_capacity_16(struct scsi_
+ return -ENODEV;
+ }
+
+- if ((sizeof(sdkp->capacity) == 4) && (lba >= 0xffffffffULL)) {
++ if (!sd_addressable_capacity(lba, sector_size)) {
+ sd_printk(KERN_ERR, sdkp, "Too big for this kernel. Use a "
+ "kernel compiled with support for large block "
+ "devices.\n");
+@@ -2208,7 +2224,7 @@ static int read_capacity_10(struct scsi_
+ return sector_size;
+ }
+
+- if ((sizeof(sdkp->capacity) == 4) && (lba == 0xffffffff)) {
++ if (!sd_addressable_capacity(lba, sector_size)) {
+ sd_printk(KERN_ERR, sdkp, "Too big for this kernel. Use a "
+ "kernel compiled with support for large block "
+ "devices.\n");
--- /dev/null
+From a00a7862513089f17209b732f230922f1942e0b9 Mon Sep 17 00:00:00 2001
+From: "Martin K. Petersen" <martin.petersen@oracle.com>
+Date: Fri, 17 Mar 2017 08:47:14 -0400
+Subject: scsi: sr: Sanity check returned mode data
+
+From: Martin K. Petersen <martin.petersen@oracle.com>
+
+commit a00a7862513089f17209b732f230922f1942e0b9 upstream.
+
+Kefeng Wang discovered that old versions of the QEMU CD driver would
+return mangled mode data causing us to walk off the end of the buffer in
+an attempt to parse it. Sanity check the returned mode sense data.
+
+Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Tested-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sr.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/sr.c
++++ b/drivers/scsi/sr.c
+@@ -833,6 +833,7 @@ static void get_capabilities(struct scsi
+ unsigned char *buffer;
+ struct scsi_mode_data data;
+ struct scsi_sense_hdr sshdr;
++ unsigned int ms_len = 128;
+ int rc, n;
+
+ static const char *loadmech[] =
+@@ -859,10 +860,11 @@ static void get_capabilities(struct scsi
+ scsi_test_unit_ready(cd->device, SR_TIMEOUT, MAX_RETRIES, &sshdr);
+
+ /* ask for mode page 0x2a */
+- rc = scsi_mode_sense(cd->device, 0, 0x2a, buffer, 128,
++ rc = scsi_mode_sense(cd->device, 0, 0x2a, buffer, ms_len,
+ SR_TIMEOUT, 3, &data, NULL);
+
+- if (!scsi_status_is_good(rc)) {
++ if (!scsi_status_is_good(rc) || data.length > ms_len ||
++ data.header_length + data.block_descriptor_length > data.length) {
+ /* failed, drive doesn't have capabilities mode page */
+ cd->cdi.speed = 1;
+ cd->cdi.mask |= (CDC_CD_R | CDC_CD_RW | CDC_DVD_R |
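Review bot: The new test bounds `data.length` by `ms_len` and the header plus block descriptors by `data.length`, but it does not require any mode page bytes to follow them. The parsing of page 0x2a is outside this hunk; if it reads fields at fixed offsets past `data.header_length + data.block_descriptor_length`, a response whose length equals that sum still passes and the parser reads bytes the device did not return. Extending the condition to demand the minimum page length would close that, for example `data.header_length + data.block_descriptor_length + MIN_PAGE_2A_LEN > data.length`, where `MIN_PAGE_2A_LEN` is a placeholder for the highest offset the parser touches plus one. get_capabilities() starts and ends outside the hunk.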
x86-pmem-fix-broken-__copy_user_nocache-cache-bypass-assumptions.patch
x86-vdso-ensure-vdso32_enabled-gets-set-to-valid-values-only.patch
x86-vdso-plug-race-between-mapping-and-elf-header-setup.patch
+acpi-nfit-libnvdimm-fix-interleave-set-cookie-calculation-64-bit-comparison.patch
+acpi-scan-set-the-visited-flag-for-all-enumerated-devices.patch
+parisc-fix-bugs-in-pa_memcpy.patch
+efi-libstub-skip-gop-with-pixel_blt_only-format.patch
+efi-fb-avoid-reconfiguration-of-bar-that-covers-the-framebuffer.patch
+iscsi-target-fix-tmr-reference-leak-during-session-shutdown.patch
+iscsi-target-drop-work-around-for-legacy-globalsan-initiator.patch
+scsi-sr-sanity-check-returned-mode-data.patch
+scsi-sd-consider-max_xfer_blocks-if-opt_xfer_blocks-is-unusable.patch
+scsi-qla2xxx-add-fix-to-read-correct-register-value-for-isp82xx.patch
+scsi-sd-fix-capacity-calculation-with-32-bit-sector_t.patch
+target-avoid-mappedlun-symlink-creation-during-lun-shutdown.patch
+xen-fbfront-fix-connecting-to-backend.patch
+new-privimitive-iov_iter_revert.patch
+make-skb_copy_datagram_msg-et.al.-preserve-msg_iter-on-error.patch
+libnvdimm-fix-blk-free-space-accounting.patch
+libnvdimm-fix-reconfig_mutex-mmap_sem-and-jbd2_handle-lockdep-splat.patch
+can-ifi-use-correct-register-to-read-rx-status.patch
+pwm-rockchip-state-of-pwm-clock-should-synchronize-with-pwm-enabled-state.patch
+cpufreq-bring-cpus-up-even-if-cpufreq_online-failed.patch
+irqchip-irq-imx-gpcv2-fix-spinlock-initialization.patch
+ftrace-fix-removing-of-second-function-probe.patch
--- /dev/null
+From 49cb77e297dc611a1b795cfeb79452b3002bd331 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Mon, 27 Mar 2017 16:12:43 -0700
+Subject: target: Avoid mappedlun symlink creation during lun shutdown
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 49cb77e297dc611a1b795cfeb79452b3002bd331 upstream.
+
+This patch closes a race between se_lun deletion during configfs
+unlink in target_fabric_port_unlink() -> core_dev_del_lun()
+-> core_tpg_remove_lun(), when transport_clear_lun_ref() blocks
+waiting for percpu_ref RCU grace period to finish, but a new
+NodeACL mappedlun is added before the RCU grace period has
+completed.
+
+This can happen in target_fabric_mappedlun_link() because it
+only checks for se_lun->lun_se_dev, which is not cleared until
+after transport_clear_lun_ref() percpu_ref RCU grace period
+finishes.
+
+This bug originally manifested as NULL pointer dereference
+OOPsen in target_stat_scsi_att_intr_port_show_attr_dev() on
+v4.1.y code, because it dereferences lun->lun_se_dev without
+a explicit NULL pointer check.
+
+In post v4.1 code with target-core RCU conversion, the code
+in target_stat_scsi_att_intr_port_show_attr_dev() no longer
+uses se_lun->lun_se_dev, but the same race still exists.
+
+To address the bug, go ahead and set se_lun->lun_shutdown as
+early as possible in core_tpg_remove_lun(), and ensure new
+NodeACL mappedlun creation in target_fabric_mappedlun_link()
+fails during se_lun shutdown.
+
+Reported-by: James Shen <jcs@datera.io>
+Cc: James Shen <jcs@datera.io>
+Tested-by: James Shen <jcs@datera.io>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_fabric_configfs.c | 5 +++++
+ drivers/target/target_core_tpg.c | 4 ++++
+ include/target/target_core_base.h | 1 +
+ 3 files changed, 10 insertions(+)
+
+--- a/drivers/target/target_core_fabric_configfs.c
++++ b/drivers/target/target_core_fabric_configfs.c
+@@ -92,6 +92,11 @@ static int target_fabric_mappedlun_link(
+ pr_err("Source se_lun->lun_se_dev does not exist\n");
+ return -EINVAL;
+ }
++ if (lun->lun_shutdown) {
++ pr_err("Unable to create mappedlun symlink because"
++ " lun->lun_shutdown=true\n");
++ return -EINVAL;
++ }
+ se_tpg = lun->lun_tpg;
+
+ nacl_ci = &lun_acl_ci->ci_parent->ci_group->cg_item;
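Review bot: The new `lun->lun_shutdown` test is a plain read of a bool with no lock visible in this hunk, while core_tpg_remove_lun() (hunks below) sets the flag before the teardown and clears it just before `mutex_unlock(&tpg->tpg_lun_mutex)`. A link request that passes this test just before the flag is set still goes on to create the mappedlun, so the window is narrowed rather than closed unless something outside these hunks serialises the two paths. If such serialisation exists, a comment at the test should name it, e.g. `/* serialised against core_tpg_remove_lun() by <LOCK_NAME placeholder> */`; if not, the test and the link creation need to sit under the same lock that covers the flag update. target_fabric_mappedlun_link() starts and ends outside the hunk.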
+--- a/drivers/target/target_core_tpg.c
++++ b/drivers/target/target_core_tpg.c
+@@ -640,6 +640,8 @@ void core_tpg_remove_lun(
+ */
+ struct se_device *dev = rcu_dereference_raw(lun->lun_se_dev);
+
++ lun->lun_shutdown = true;
++
+ core_clear_lun_from_tpg(lun, tpg);
+ /*
+ * Wait for any active I/O references to percpu se_lun->lun_ref to
+@@ -661,6 +663,8 @@ void core_tpg_remove_lun(
+ }
+ if (!(dev->se_hba->hba_flags & HBA_FLAGS_INTERNAL_USE))
+ hlist_del_rcu(&lun->link);
++
++ lun->lun_shutdown = false;
+ mutex_unlock(&tpg->tpg_lun_mutex);
+
+ percpu_ref_exit(&lun->lun_ref);
+--- a/include/target/target_core_base.h
++++ b/include/target/target_core_base.h
+@@ -705,6 +705,7 @@ struct se_lun {
+ u64 unpacked_lun;
+ #define SE_LUN_LINK_MAGIC 0xffff7771
+ u32 lun_link_magic;
++ bool lun_shutdown;
+ bool lun_access_ro;
+ u32 lun_index;
+
--- /dev/null
+From 9121b15b5628b38b4695282dc18c553440e0f79b Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Fri, 7 Apr 2017 17:28:23 +0200
+Subject: xen, fbfront: fix connecting to backend
+
+From: Juergen Gross <jgross@suse.com>
+
+commit 9121b15b5628b38b4695282dc18c553440e0f79b upstream.
+
+Connecting to the backend isn't working reliably in xen-fbfront: in
+case XenbusStateInitWait of the backend has been missed the backend
+transition to XenbusStateConnected will trigger the connected state
+only without doing the actions required when the backend has
+connected.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/xen-fbfront.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/fbdev/xen-fbfront.c
++++ b/drivers/video/fbdev/xen-fbfront.c
+@@ -644,7 +644,6 @@ static void xenfb_backend_changed(struct
+ break;
+
+ case XenbusStateInitWait:
+-InitWait:
+ xenbus_switch_state(dev, XenbusStateConnected);
+ break;
+
+@@ -655,7 +654,8 @@ InitWait:
+ * get Connected twice here.
+ */
+ if (dev->state != XenbusStateConnected)
+- goto InitWait; /* no InitWait seen yet, fudge it */
++ /* no InitWait seen yet, fudge it */
++ xenbus_switch_state(dev, XenbusStateConnected);
+
+ if (xenbus_scanf(XBT_NIL, info->xbdev->otherend,
+ "request-update", "%d", &val) < 0)