4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 20 May 2018 08:54:17 +0000 (10:54 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 20 May 2018 08:54:17 +0000 (10:54 +0200)
added patches:
drm-i915-gen9-add-waclearhiz_wm_chicken3-for-bxt-and-glk.patch
drm-match-sysfs-name-in-link-removal-to-link-creation.patch
lib-test_bitmap.c-fix-bitmap-optimisation-tests-to-report-errors-correctly.patch
mm-don-t-allow-deferred-pages-with-need_per_cpu_km.patch
radix-tree-fix-multi-order-iteration-race.patch
s390-cpum_sf-ensure-sample-frequency-of-perf-event-attributes-is-non-zero.patch
s390-crc32-vx-use-expoline-for-indirect-branches.patch
s390-kernel-use-expoline-for-indirect-branches.patch
s390-qdio-don-t-release-memory-in-qdio_setup_irq.patch
s390-qdio-fix-access-to-uninitialized-qdio_q-fields.patch
s390-remove-indirect-branch-from-do_softirq_own_stack.patch

12 files changed:
queue-4.14/drm-i915-gen9-add-waclearhiz_wm_chicken3-for-bxt-and-glk.patch [new file with mode: 0644]
queue-4.14/drm-match-sysfs-name-in-link-removal-to-link-creation.patch [new file with mode: 0644]
queue-4.14/lib-test_bitmap.c-fix-bitmap-optimisation-tests-to-report-errors-correctly.patch [new file with mode: 0644]
queue-4.14/mm-don-t-allow-deferred-pages-with-need_per_cpu_km.patch [new file with mode: 0644]
queue-4.14/radix-tree-fix-multi-order-iteration-race.patch [new file with mode: 0644]
queue-4.14/s390-cpum_sf-ensure-sample-frequency-of-perf-event-attributes-is-non-zero.patch [new file with mode: 0644]
queue-4.14/s390-crc32-vx-use-expoline-for-indirect-branches.patch [new file with mode: 0644]
queue-4.14/s390-kernel-use-expoline-for-indirect-branches.patch [new file with mode: 0644]
queue-4.14/s390-qdio-don-t-release-memory-in-qdio_setup_irq.patch [new file with mode: 0644]
queue-4.14/s390-qdio-fix-access-to-uninitialized-qdio_q-fields.patch [new file with mode: 0644]
queue-4.14/s390-remove-indirect-branch-from-do_softirq_own_stack.patch [new file with mode: 0644]
queue-4.14/series

diff --git a/queue-4.14/drm-i915-gen9-add-waclearhiz_wm_chicken3-for-bxt-and-glk.patch b/queue-4.14/drm-i915-gen9-add-waclearhiz_wm_chicken3-for-bxt-and-glk.patch
new file mode 100644 (file)
index 0000000..d55398b
--- /dev/null
@@ -0,0 +1,57 @@
+From b579f924a90f42fa561afd8201514fc216b71949 Mon Sep 17 00:00:00 2001
+From: Michel Thierry <michel.thierry@intel.com>
+Date: Mon, 14 May 2018 09:54:45 -0700
+Subject: drm/i915/gen9: Add WaClearHIZ_WM_CHICKEN3 for bxt and glk
+
+From: Michel Thierry <michel.thierry@intel.com>
+
+commit b579f924a90f42fa561afd8201514fc216b71949 upstream.
+
+Factor in clear values wherever required while updating destination
+min/max.
+
+References: HSDES#1604444184
+Signed-off-by: Michel Thierry <michel.thierry@intel.com>
+Cc: mesa-dev@lists.freedesktop.org
+Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
+Cc: Oscar Mateo <oscar.mateo@intel.com>
+Reviewed-by: Mika Kuoppala <mika.kuoppala@linux.intel.com>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180510200708.18097-1-michel.thierry@intel.com
+Cc: stable@vger.kernel.org
+Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180514165445.9198-1-michel.thierry@intel.com
+(backported from commit 0c79f9cb77eae28d48a4f9fc1b3341aacbbd260c)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_reg.h        |    3 +++
+ drivers/gpu/drm/i915/intel_engine_cs.c |    4 ++++
+ 2 files changed, 7 insertions(+)
+
+--- a/drivers/gpu/drm/i915/i915_reg.h
++++ b/drivers/gpu/drm/i915/i915_reg.h
+@@ -7044,6 +7044,9 @@ enum {
+ #define SLICE_ECO_CHICKEN0                    _MMIO(0x7308)
+ #define   PIXEL_MASK_CAMMING_DISABLE          (1 << 14)
++#define GEN9_WM_CHICKEN3                      _MMIO(0x5588)
++#define   GEN9_FACTOR_IN_CLR_VAL_HIZ          (1 << 9)
++
+ /* WaCatErrorRejectionIssue */
+ #define GEN7_SQ_CHICKEN_MBCUNIT_CONFIG                _MMIO(0x9030)
+ #define  GEN7_SQ_CHICKEN_MBCUNIT_SQINTMOB     (1<<11)
+--- a/drivers/gpu/drm/i915/intel_engine_cs.c
++++ b/drivers/gpu/drm/i915/intel_engine_cs.c
+@@ -900,6 +900,10 @@ static int gen9_init_workarounds(struct
+       I915_WRITE(GEN8_L3SQCREG4, (I915_READ(GEN8_L3SQCREG4) |
+                                   GEN8_LQSC_FLUSH_COHERENT_LINES));
++      /* WaClearHIZ_WM_CHICKEN3:bxt,glk */
++      if (IS_GEN9_LP(dev_priv))
++              WA_SET_BIT_MASKED(GEN9_WM_CHICKEN3, GEN9_FACTOR_IN_CLR_VAL_HIZ);
++
+       /* WaVFEStateAfterPipeControlwithMediaStateClear:skl,bxt,glk,cfl */
+       ret = wa_ring_whitelist_reg(engine, GEN9_CTX_PREEMPT_REG);
+       if (ret)
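Review bot: The new `GEN9_WM_CHICKEN3` / `GEN9_FACTOR_IN_CLR_VAL_HIZ` defines in i915_reg.h have no comment saying what the bit does. The only explanation is one sentence in the commit message plus an internal reference (HSDES#1604444184) that outside reviewers cannot follow. A comment taken from that sentence would keep the intent next to the register, e.g. `/* WaClearHIZ_WM_CHICKEN3: factor clear values into destination min/max */`. gen9_init_workarounds() starts and ends outside the second hunk, so where the write sits relative to the other workarounds cannot be checked from here.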
diff --git a/queue-4.14/drm-match-sysfs-name-in-link-removal-to-link-creation.patch b/queue-4.14/drm-match-sysfs-name-in-link-removal-to-link-creation.patch
new file mode 100644 (file)
index 0000000..14d5471
--- /dev/null
@@ -0,0 +1,48 @@
+From 7f6df440b8623c441c42d070bf592e2d2c1fa9bb Mon Sep 17 00:00:00 2001
+From: Haneen Mohammed <hamohammed.sa@gmail.com>
+Date: Fri, 11 May 2018 07:15:42 +0300
+Subject: drm: Match sysfs name in link removal to link creation
+
+From: Haneen Mohammed <hamohammed.sa@gmail.com>
+
+commit 7f6df440b8623c441c42d070bf592e2d2c1fa9bb upstream.
+
+This patch matches the sysfs name used in the unlinking with the
+linking function. Otherwise, remove_compat_control_link() fails to remove
+sysfs created by create_compat_control_link() in drm_dev_register().
+
+Fixes: 6449b088dd51 ("drm: Add fake controlD* symlinks for backwards
+compat")
+Cc: Dave Airlie <airlied@gmail.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: Emil Velikov <emil.l.velikov@gmail.com>
+Cc: David Herrmann <dh.herrmann@gmail.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Daniel Vetter <daniel.vetter@intel.com>
+Cc: Gustavo Padovan <gustavo@padovan.org>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Sean Paul <seanpaul@chromium.org>
+Cc: David Airlie <airlied@linux.ie>
+Cc: dri-devel@lists.freedesktop.org
+Cc: <stable@vger.kernel.org> # v4.10+
+Signed-off-by: Haneen Mohammed <hamohammed.sa@gmail.com>
+[seanpaul added Fixes and Cc tags]
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180511041542.GA4253@haneen-vb
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_drv.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_drv.c
++++ b/drivers/gpu/drm/drm_drv.c
+@@ -749,7 +749,7 @@ static void remove_compat_control_link(s
+       if (!minor)
+               return;
+-      name = kasprintf(GFP_KERNEL, "controlD%d", minor->index);
++      name = kasprintf(GFP_KERNEL, "controlD%d", minor->index + 64);
+       if (!name)
+               return;
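Review bot: The `+ 64` in remove_compat_control_link() is a bare literal that must stay in step with the name built in create_compat_control_link(). That mismatch is the bug being fixed, since it left the compat symlink in sysfs after unregister. A named constant or a small helper shared by both functions would stop them drifting apart again, e.g. `name = kasprintf(GFP_KERNEL, "controlD%d", minor->index + COMPAT_CONTROL_OFFSET);`, where `COMPAT_CONTROL_OFFSET` is a suggested name and not an existing symbol. Both functions run beyond the hunk, so the creation side is not visible here.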
diff --git a/queue-4.14/lib-test_bitmap.c-fix-bitmap-optimisation-tests-to-report-errors-correctly.patch b/queue-4.14/lib-test_bitmap.c-fix-bitmap-optimisation-tests-to-report-errors-correctly.patch
new file mode 100644 (file)
index 0000000..45ddf61
--- /dev/null
@@ -0,0 +1,73 @@
+From 1e3054b98c5415d5cb5f8824fc33b548ae5644c3 Mon Sep 17 00:00:00 2001
+From: Matthew Wilcox <mawilcox@microsoft.com>
+Date: Fri, 18 May 2018 16:08:44 -0700
+Subject: lib/test_bitmap.c: fix bitmap optimisation tests to report errors correctly
+
+From: Matthew Wilcox <mawilcox@microsoft.com>
+
+commit 1e3054b98c5415d5cb5f8824fc33b548ae5644c3 upstream.
+
+I had neglected to increment the error counter when the tests failed,
+which made the tests noisy when they fail, but not actually return an
+error code.
+
+Link: http://lkml.kernel.org/r/20180509114328.9887-1-mpe@ellerman.id.au
+Fixes: 3cc78125a081 ("lib/test_bitmap.c: add optimisation tests")
+Signed-off-by: Matthew Wilcox <mawilcox@microsoft.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Reported-by: Michael Ellerman <mpe@ellerman.id.au>
+Tested-by: Michael Ellerman <mpe@ellerman.id.au>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Cc: Yury Norov <ynorov@caviumnetworks.com>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: <stable@vger.kernel.org>   [4.13+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/test_bitmap.c |   21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+--- a/lib/test_bitmap.c
++++ b/lib/test_bitmap.c
+@@ -434,23 +434,32 @@ static void noinline __init test_mem_opt
+       unsigned int start, nbits;
+       for (start = 0; start < 1024; start += 8) {
+-              memset(bmap1, 0x5a, sizeof(bmap1));
+-              memset(bmap2, 0x5a, sizeof(bmap2));
+               for (nbits = 0; nbits < 1024 - start; nbits += 8) {
++                      memset(bmap1, 0x5a, sizeof(bmap1));
++                      memset(bmap2, 0x5a, sizeof(bmap2));
++
+                       bitmap_set(bmap1, start, nbits);
+                       __bitmap_set(bmap2, start, nbits);
+-                      if (!bitmap_equal(bmap1, bmap2, 1024))
++                      if (!bitmap_equal(bmap1, bmap2, 1024)) {
+                               printk("set not equal %d %d\n", start, nbits);
+-                      if (!__bitmap_equal(bmap1, bmap2, 1024))
++                              failed_tests++;
++                      }
++                      if (!__bitmap_equal(bmap1, bmap2, 1024)) {
+                               printk("set not __equal %d %d\n", start, nbits);
++                              failed_tests++;
++                      }
+                       bitmap_clear(bmap1, start, nbits);
+                       __bitmap_clear(bmap2, start, nbits);
+-                      if (!bitmap_equal(bmap1, bmap2, 1024))
++                      if (!bitmap_equal(bmap1, bmap2, 1024)) {
+                               printk("clear not equal %d %d\n", start, nbits);
+-                      if (!__bitmap_equal(bmap1, bmap2, 1024))
++                              failed_tests++;
++                      }
++                      if (!__bitmap_equal(bmap1, bmap2, 1024)) {
+                               printk("clear not __equal %d %d\n", start,
+                                                                       nbits);
++                              failed_tests++;
++                      }
+               }
+       }
+ }
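Review bot: The four added `failed_tests++` statements in the optimisation test count failures but not the checks themselves. If the module's summary reports failures against a separate total counter (not visible in this hunk), the two figures can disagree. Incrementing that total next to each comparison would keep the report consistent. Separately, `start` and `nbits` are declared `unsigned int` but printed with `%d`, and the bare `printk()` calls carry no log level; `pr_err("set not equal %u %u\n", start, nbits);` would fix both.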
diff --git a/queue-4.14/mm-don-t-allow-deferred-pages-with-need_per_cpu_km.patch b/queue-4.14/mm-don-t-allow-deferred-pages-with-need_per_cpu_km.patch
new file mode 100644 (file)
index 0000000..3071bb9
--- /dev/null
@@ -0,0 +1,90 @@
+From ab1e8d8960b68f54af42b6484b5950bd13a4054b Mon Sep 17 00:00:00 2001
+From: Pavel Tatashin <pasha.tatashin@oracle.com>
+Date: Fri, 18 May 2018 16:09:13 -0700
+Subject: mm: don't allow deferred pages with NEED_PER_CPU_KM
+
+From: Pavel Tatashin <pasha.tatashin@oracle.com>
+
+commit ab1e8d8960b68f54af42b6484b5950bd13a4054b upstream.
+
+It is unsafe to do virtual to physical translations before mm_init() is
+called if struct page is needed in order to determine the memory section
+number (see SECTION_IN_PAGE_FLAGS).  This is because only in mm_init()
+we initialize struct pages for all the allocated memory when deferred
+struct pages are used.
+
+My recent fix in commit c9e97a1997 ("mm: initialize pages on demand
+during boot") exposed this problem, because it greatly reduced number of
+pages that are initialized before mm_init(), but the problem existed
+even before my fix, as Fengguang Wu found.
+
+Below is a more detailed explanation of the problem.
+
+We initialize struct pages in four places:
+
+1. Early in boot a small set of struct pages is initialized to fill the
+   first section, and lower zones.
+
+2. During mm_init() we initialize "struct pages" for all the memory that
+   is allocated, i.e reserved in memblock.
+
+3. Using on-demand logic when pages are allocated after mm_init call
+   (when memblock is finished)
+
+4. After smp_init() when the rest free deferred pages are initialized.
+
+The problem occurs if we try to do va to phys translation of a memory
+between steps 1 and 2.  Because we have not yet initialized struct pages
+for all the reserved pages, it is inherently unsafe to do va to phys if
+the translation itself requires access of "struct page" as in case of
+this combination: CONFIG_SPARSE && !CONFIG_SPARSE_VMEMMAP
+
+The following path exposes the problem:
+
+  start_kernel()
+   trap_init()
+    setup_cpu_entry_areas()
+     setup_cpu_entry_area(cpu)
+      get_cpu_gdt_paddr(cpu)
+       per_cpu_ptr_to_phys(addr)
+        pcpu_addr_to_page(addr)
+         virt_to_page(addr)
+          pfn_to_page(__pa(addr) >> PAGE_SHIFT)
+
+We disable this path by not allowing NEED_PER_CPU_KM with deferred
+struct pages feature.
+
+The problems are discussed in these threads:
+  http://lkml.kernel.org/r/20180418135300.inazvpxjxowogyge@wfg-t540p.sh.intel.com
+  http://lkml.kernel.org/r/20180419013128.iurzouiqxvcnpbvz@wfg-t540p.sh.intel.com
+  http://lkml.kernel.org/r/20180426202619.2768-1-pasha.tatashin@oracle.com
+
+Link: http://lkml.kernel.org/r/20180515175124.1770-1-pasha.tatashin@oracle.com
+Fixes: 3a80a7fa7989 ("mm: meminit: initialise a subset of struct pages if CONFIG_DEFERRED_STRUCT_PAGE_INIT is set")
+Signed-off-by: Pavel Tatashin <pasha.tatashin@oracle.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Steven Sistare <steven.sistare@oracle.com>
+Cc: Daniel Jordan <daniel.m.jordan@oracle.com>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Fengguang Wu <fengguang.wu@intel.com>
+Cc: Dennis Zhou <dennisszhou@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/Kconfig |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/Kconfig
++++ b/mm/Kconfig
+@@ -649,6 +649,7 @@ config DEFERRED_STRUCT_PAGE_INIT
+       depends on ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT
+       depends on NO_BOOTMEM && MEMORY_HOTPLUG
+       depends on !FLATMEM
++      depends on !NEED_PER_CPU_KM
+       help
+         Ordinarily all struct pages are initialised during early boot in a
+         single thread. On very large machines this can take a considerable
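Review bot: The added `depends on !NEED_PER_CPU_KM` under DEFERRED_STRUCT_PAGE_INIT carries no explanation, so the option silently disappears on affected configurations. The reason, that struct page is needed for address translation before mm_init() has initialised it, exists only in the commit message. A short comment above the line would preserve it, e.g. `# per_cpu_ptr_to_phys() may need struct page before mm_init() has set it up`. The help text continues past the hunk, so whether it mentions the restriction cannot be seen here.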
diff --git a/queue-4.14/radix-tree-fix-multi-order-iteration-race.patch b/queue-4.14/radix-tree-fix-multi-order-iteration-race.patch
new file mode 100644 (file)
index 0000000..050d5fa
--- /dev/null
@@ -0,0 +1,119 @@
+From 9f418224e8114156d995b98fa4e0f4fd21f685fe Mon Sep 17 00:00:00 2001
+From: Ross Zwisler <ross.zwisler@linux.intel.com>
+Date: Fri, 18 May 2018 16:09:06 -0700
+Subject: radix tree: fix multi-order iteration race
+
+From: Ross Zwisler <ross.zwisler@linux.intel.com>
+
+commit 9f418224e8114156d995b98fa4e0f4fd21f685fe upstream.
+
+Fix a race in the multi-order iteration code which causes the kernel to
+hit a GP fault.  This was first seen with a production v4.15 based
+kernel (4.15.6-300.fc27.x86_64) utilizing a DAX workload which used
+order 9 PMD DAX entries.
+
+The race has to do with how we tear down multi-order sibling entries
+when we are removing an item from the tree.  Remember for example that
+an order 2 entry looks like this:
+
+  struct radix_tree_node.slots[] = [entry][sibling][sibling][sibling]
+
+where 'entry' is in some slot in the struct radix_tree_node, and the
+three slots following 'entry' contain sibling pointers which point back
+to 'entry.'
+
+When we delete 'entry' from the tree, we call :
+
+  radix_tree_delete()
+    radix_tree_delete_item()
+      __radix_tree_delete()
+        replace_slot()
+
+replace_slot() first removes the siblings in order from the first to the
+last, then at then replaces 'entry' with NULL.  This means that for a
+brief period of time we end up with one or more of the siblings removed,
+so:
+
+  struct radix_tree_node.slots[] = [entry][NULL][sibling][sibling]
+
+This causes an issue if you have a reader iterating over the slots in
+the tree via radix_tree_for_each_slot() while only under
+rcu_read_lock()/rcu_read_unlock() protection.  This is a common case in
+mm/filemap.c.
+
+The issue is that when __radix_tree_next_slot() => skip_siblings() tries
+to skip over the sibling entries in the slots, it currently does so with
+an exact match on the slot directly preceding our current slot.
+Normally this works:
+
+                                      V preceding slot
+  struct radix_tree_node.slots[] = [entry][sibling][sibling][sibling]
+                                              ^ current slot
+
+This lets you find the first sibling, and you skip them all in order.
+
+But in the case where one of the siblings is NULL, that slot is skipped
+and then our sibling detection is interrupted:
+
+                                             V preceding slot
+  struct radix_tree_node.slots[] = [entry][NULL][sibling][sibling]
+                                                    ^ current slot
+
+This means that the sibling pointers aren't recognized since they point
+all the way back to 'entry', so we think that they are normal internal
+radix tree pointers.  This causes us to think we need to walk down to a
+struct radix_tree_node starting at the address of 'entry'.
+
+In a real running kernel this will crash the thread with a GP fault when
+you try and dereference the slots in your broken node starting at
+'entry'.
+
+We fix this race by fixing the way that skip_siblings() detects sibling
+nodes.  Instead of testing against the preceding slot we instead look
+for siblings via is_sibling_entry() which compares against the position
+of the struct radix_tree_node.slots[] array.  This ensures that sibling
+entries are properly identified, even if they are no longer contiguous
+with the 'entry' they point to.
+
+Link: http://lkml.kernel.org/r/20180503192430.7582-6-ross.zwisler@linux.intel.com
+Fixes: 148deab223b2 ("radix-tree: improve multiorder iterators")
+Signed-off-by: Ross Zwisler <ross.zwisler@linux.intel.com>
+Reported-by: CR, Sapthagirish <sapthagirish.cr@intel.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Dave Chinner <david@fromorbit.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/radix-tree.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/lib/radix-tree.c
++++ b/lib/radix-tree.c
+@@ -1613,11 +1613,9 @@ static void set_iter_tags(struct radix_t
+ static void __rcu **skip_siblings(struct radix_tree_node **nodep,
+                       void __rcu **slot, struct radix_tree_iter *iter)
+ {
+-      void *sib = node_to_entry(slot - 1);
+-
+       while (iter->index < iter->next_index) {
+               *nodep = rcu_dereference_raw(*slot);
+-              if (*nodep && *nodep != sib)
++              if (*nodep && !is_sibling_entry(iter->node, *nodep))
+                       return slot;
+               slot++;
+               iter->index = __radix_tree_iter_add(iter, 1);
+@@ -1632,7 +1630,7 @@ void __rcu **__radix_tree_next_slot(void
+                               struct radix_tree_iter *iter, unsigned flags)
+ {
+       unsigned tag = flags & RADIX_TREE_ITER_TAG_MASK;
+-      struct radix_tree_node *node = rcu_dereference_raw(*slot);
++      struct radix_tree_node *node;
+       slot = skip_siblings(&node, slot, iter);
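Review bot: skip_siblings() now depends on an RCU-reader invariant that is written down only in the commit message. A racing delete can leave NULL holes between an entry and its siblings, so a sibling must be recognised as a pointer into `iter->node`'s slots rather than by equality with the preceding slot. A comment above the test would stop a later cleanup from restoring the cheaper comparison, e.g. `/* siblings may be non-contiguous during a racing delete; match any pointer into this node's slots */`. In addition, `node` in __radix_tree_next_slot() is now uninitialised and relies on skip_siblings() storing to `*nodep` on every path. The loop-exit path is outside the hunk, so that should be confirmed against the full function.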
diff --git a/queue-4.14/s390-cpum_sf-ensure-sample-frequency-of-perf-event-attributes-is-non-zero.patch b/queue-4.14/s390-cpum_sf-ensure-sample-frequency-of-perf-event-attributes-is-non-zero.patch
new file mode 100644 (file)
index 0000000..ef3d02d
--- /dev/null
@@ -0,0 +1,38 @@
+From 4bbaf2584b86b0772413edeac22ff448f36351b1 Mon Sep 17 00:00:00 2001
+From: Hendrik Brueckner <brueckner@linux.ibm.com>
+Date: Thu, 3 May 2018 15:56:15 +0200
+Subject: s390/cpum_sf: ensure sample frequency of perf event attributes is non-zero
+
+From: Hendrik Brueckner <brueckner@linux.ibm.com>
+
+commit 4bbaf2584b86b0772413edeac22ff448f36351b1 upstream.
+
+Correct a trinity finding for the perf_event_open() system call with
+a perf event attribute structure that uses a frequency but has the
+sampling frequency set to zero.  This causes a FP divide exception during
+the sample rate initialization for the hardware sampling facility.
+
+Fixes: 8c069ff4bd606 ("s390/perf: add support for the CPU-Measurement Sampling Facility")
+Cc: stable@vger.kernel.org # 3.14+
+Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kernel/perf_cpum_sf.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -739,6 +739,10 @@ static int __hw_perf_event_init(struct p
+        */
+       rate = 0;
+       if (attr->freq) {
++              if (!attr->sample_freq) {
++                      err = -EINVAL;
++                      goto out;
++              }
+               rate = freq_to_sample_rate(&si, attr->sample_freq);
+               rate = hw_limit_rate(&si, rate);
+               attr->freq = 0;
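Review bot: The new zero check on `attr->sample_freq` in __hw_perf_event_init() guards a value supplied by the perf_event_open() caller, but nothing in the code says so or names the division it protects. A one-line comment would mark the trust boundary, e.g. `/* user-supplied via perf_event_open(); zero would fault in the sample rate calculation */`. The `out` label and the body of freq_to_sample_rate() are outside the hunk. Whether the error path unwinds correctly, and whether other callers of that helper need the same guard, cannot be judged from these lines.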
diff --git a/queue-4.14/s390-crc32-vx-use-expoline-for-indirect-branches.patch b/queue-4.14/s390-crc32-vx-use-expoline-for-indirect-branches.patch
new file mode 100644 (file)
index 0000000..2fb4aa6
--- /dev/null
@@ -0,0 +1,77 @@
+From 467a3bf219cee12259182c5cb4821f88fd518a51 Mon Sep 17 00:00:00 2001
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Date: Mon, 23 Apr 2018 14:31:36 +0200
+Subject: s390/crc32-vx: use expoline for indirect branches
+
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+
+commit 467a3bf219cee12259182c5cb4821f88fd518a51 upstream.
+
+The return from the crc32_le_vgfm_16/crc32c_le_vgfm_16 and the
+crc32_be_vgfm_16 functions are done with "br %r14". These are indirect
+branches as well and need to use execute trampolines for CONFIG_EXPOLINE=y.
+
+Cc: stable@vger.kernel.org # 4.16
+Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches")
+Reviewed-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/crypto/crc32be-vx.S |    5 ++++-
+ arch/s390/crypto/crc32le-vx.S |    4 +++-
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/crypto/crc32be-vx.S
++++ b/arch/s390/crypto/crc32be-vx.S
+@@ -13,6 +13,7 @@
+  */
+ #include <linux/linkage.h>
++#include <asm/nospec-insn.h>
+ #include <asm/vx-insn.h>
+ /* Vector register range containing CRC-32 constants */
+@@ -67,6 +68,8 @@
+ .previous
++      GEN_BR_THUNK %r14
++
+ .text
+ /*
+  * The CRC-32 function(s) use these calling conventions:
+@@ -203,6 +206,6 @@ ENTRY(crc32_be_vgfm_16)
+ .Ldone:
+       VLGVF   %r2,%v2,3
+-      br      %r14
++      BR_EX   %r14
+ .previous
+--- a/arch/s390/crypto/crc32le-vx.S
++++ b/arch/s390/crypto/crc32le-vx.S
+@@ -14,6 +14,7 @@
+  */
+ #include <linux/linkage.h>
++#include <asm/nospec-insn.h>
+ #include <asm/vx-insn.h>
+ /* Vector register range containing CRC-32 constants */
+@@ -76,6 +77,7 @@
+ .previous
++      GEN_BR_THUNK %r14
+ .text
+@@ -264,6 +266,6 @@ crc32_le_vgfm_generic:
+ .Ldone:
+       VLGVF   %r2,%v2,2
+-      br      %r14
++      BR_EX   %r14
+ .previous
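Review bot: Both files now include `<asm/nospec-insn.h>` and use `GEN_BR_THUNK` / `BR_EX`, yet the patch is tagged `# 4.16` and, judging by their titles, none of the patches added in this commit introduces that header. Unless an earlier entry in queue-4.14/series provides it, crc32be-vx.S and crc32le-vx.S will not build on 4.14. The same applies to s390-kernel-use-expoline-for-indirect-branches.patch (base.S, reipl.S, swsusp.S). The series hunk is not visible in this part of the page, so the ordering should be checked there. Only the `.Ldone` returns appear in the hunks, so any other indirect branches in these files cannot be confirmed as covered.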
diff --git a/queue-4.14/s390-kernel-use-expoline-for-indirect-branches.patch b/queue-4.14/s390-kernel-use-expoline-for-indirect-branches.patch
new file mode 100644 (file)
index 0000000..42048c8
--- /dev/null
@@ -0,0 +1,165 @@
+From c50c84c3ac4d5db683904bdb3257798b6ef980ae Mon Sep 17 00:00:00 2001
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Date: Wed, 25 Apr 2018 18:41:30 +0200
+Subject: s390/kernel: use expoline for indirect branches
+
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+
+commit c50c84c3ac4d5db683904bdb3257798b6ef980ae upstream.
+
+The assember code in arch/s390/kernel uses a few more indirect branches
+which need to be done with execute trampolines for CONFIG_EXPOLINE=y.
+
+Cc: stable@vger.kernel.org # 4.16
+Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches")
+Reviewed-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kernel/base.S   |   24 ++++++++++++++----------
+ arch/s390/kernel/reipl.S  |    7 +++++--
+ arch/s390/kernel/swsusp.S |   10 ++++++----
+ 3 files changed, 25 insertions(+), 16 deletions(-)
+
+--- a/arch/s390/kernel/base.S
++++ b/arch/s390/kernel/base.S
+@@ -9,18 +9,22 @@
+ #include <linux/linkage.h>
+ #include <asm/asm-offsets.h>
++#include <asm/nospec-insn.h>
+ #include <asm/ptrace.h>
+ #include <asm/sigp.h>
++      GEN_BR_THUNK %r9
++      GEN_BR_THUNK %r14
++
+ ENTRY(s390_base_mcck_handler)
+       basr    %r13,0
+ 0:    lg      %r15,__LC_PANIC_STACK   # load panic stack
+       aghi    %r15,-STACK_FRAME_OVERHEAD
+       larl    %r1,s390_base_mcck_handler_fn
+-      lg      %r1,0(%r1)
+-      ltgr    %r1,%r1
++      lg      %r9,0(%r1)
++      ltgr    %r9,%r9
+       jz      1f
+-      basr    %r14,%r1
++      BASR_EX %r14,%r9
+ 1:    la      %r1,4095
+       lmg     %r0,%r15,__LC_GPREGS_SAVE_AREA-4095(%r1)
+       lpswe   __LC_MCK_OLD_PSW
+@@ -37,10 +41,10 @@ ENTRY(s390_base_ext_handler)
+       basr    %r13,0
+ 0:    aghi    %r15,-STACK_FRAME_OVERHEAD
+       larl    %r1,s390_base_ext_handler_fn
+-      lg      %r1,0(%r1)
+-      ltgr    %r1,%r1
++      lg      %r9,0(%r1)
++      ltgr    %r9,%r9
+       jz      1f
+-      basr    %r14,%r1
++      BASR_EX %r14,%r9
+ 1:    lmg     %r0,%r15,__LC_SAVE_AREA_ASYNC
+       ni      __LC_EXT_OLD_PSW+1,0xfd # clear wait state bit
+       lpswe   __LC_EXT_OLD_PSW
+@@ -57,10 +61,10 @@ ENTRY(s390_base_pgm_handler)
+       basr    %r13,0
+ 0:    aghi    %r15,-STACK_FRAME_OVERHEAD
+       larl    %r1,s390_base_pgm_handler_fn
+-      lg      %r1,0(%r1)
+-      ltgr    %r1,%r1
++      lg      %r9,0(%r1)
++      ltgr    %r9,%r9
+       jz      1f
+-      basr    %r14,%r1
++      BASR_EX %r14,%r9
+       lmg     %r0,%r15,__LC_SAVE_AREA_SYNC
+       lpswe   __LC_PGM_OLD_PSW
+ 1:    lpswe   disabled_wait_psw-0b(%r13)
+@@ -117,7 +121,7 @@ ENTRY(diag308_reset)
+       larl    %r4,.Lcontinue_psw      # Restore PSW flags
+       lpswe   0(%r4)
+ .Lcontinue:
+-      br      %r14
++      BR_EX   %r14
+ .align 16
+ .Lrestart_psw:
+       .long   0x00080000,0x80000000 + .Lrestart_part2
+--- a/arch/s390/kernel/reipl.S
++++ b/arch/s390/kernel/reipl.S
+@@ -7,8 +7,11 @@
+ #include <linux/linkage.h>
+ #include <asm/asm-offsets.h>
++#include <asm/nospec-insn.h>
+ #include <asm/sigp.h>
++      GEN_BR_THUNK %r9
++
+ #
+ # Issue "store status" for the current CPU to its prefix page
+ # and call passed function afterwards
+@@ -67,9 +70,9 @@ ENTRY(store_status)
+       st      %r4,0(%r1)
+       st      %r5,4(%r1)
+       stg     %r2,8(%r1)
+-      lgr     %r1,%r2
++      lgr     %r9,%r2
+       lgr     %r2,%r3
+-      br      %r1
++      BR_EX   %r9
+       .section .bss
+       .align  8
+--- a/arch/s390/kernel/swsusp.S
++++ b/arch/s390/kernel/swsusp.S
+@@ -13,6 +13,7 @@
+ #include <asm/ptrace.h>
+ #include <asm/thread_info.h>
+ #include <asm/asm-offsets.h>
++#include <asm/nospec-insn.h>
+ #include <asm/sigp.h>
+ /*
+@@ -24,6 +25,8 @@
+  * (see below) in the resume process.
+  * This function runs with disabled interrupts.
+  */
++      GEN_BR_THUNK %r14
++
+       .section .text
+ ENTRY(swsusp_arch_suspend)
+       stmg    %r6,%r15,__SF_GPRS(%r15)
+@@ -103,7 +106,7 @@ ENTRY(swsusp_arch_suspend)
+       spx     0x318(%r1)
+       lmg     %r6,%r15,STACK_FRAME_OVERHEAD + __SF_GPRS(%r15)
+       lghi    %r2,0
+-      br      %r14
++      BR_EX   %r14
+ /*
+  * Restore saved memory image to correct place and restore register context.
+@@ -197,11 +200,10 @@ pgm_check_entry:
+       larl    %r15,init_thread_union
+       ahi     %r15,1<<(PAGE_SHIFT+THREAD_SIZE_ORDER)
+       larl    %r2,.Lpanic_string
+-      larl    %r3,sclp_early_printk
+       lghi    %r1,0
+       sam31
+       sigp    %r1,%r0,SIGP_SET_ARCHITECTURE
+-      basr    %r14,%r3
++      brasl   %r14,sclp_early_printk
+       larl    %r3,.Ldisabled_wait_31
+       lpsw    0(%r3)
+ 4:
+@@ -267,7 +269,7 @@ restore_registers:
+       /* Return 0 */
+       lmg     %r6,%r15,STACK_FRAME_OVERHEAD + __SF_GPRS(%r15)
+       lghi    %r2,0
+-      br      %r14
++      BR_EX   %r14
+       .section .data..nosave,"aw",@progbits
+       .align  8
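Review bot: store_status in reipl.S and the three handlers in base.S now load the branch target into %r9 instead of %r1, and nothing in the hunks records why overwriting %r9 is acceptable at those points. In the base.S handlers the `lmg %r0,%r15,...` that follows reloads the register set. In store_status the visible lines show no save or restore around `lgr %r9,%r2` / `BR_EX %r9`. If the assumption is that the called function never returns to store_status's caller, a comment such as `# %r9 may be clobbered: the target does not return to our caller` would document it. store_status begins outside the hunk, so this needs confirming against the full file.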
diff --git a/queue-4.14/s390-qdio-don-t-release-memory-in-qdio_setup_irq.patch b/queue-4.14/s390-qdio-don-t-release-memory-in-qdio_setup_irq.patch
new file mode 100644 (file)
index 0000000..061b5a9
--- /dev/null
@@ -0,0 +1,65 @@
+From 2e68adcd2fb21b7188ba449f0fab3bee2910e500 Mon Sep 17 00:00:00 2001
+From: Julian Wiedmann <jwi@linux.ibm.com>
+Date: Wed, 2 May 2018 08:28:34 +0200
+Subject: s390/qdio: don't release memory in qdio_setup_irq()
+
+From: Julian Wiedmann <jwi@linux.ibm.com>
+
+commit 2e68adcd2fb21b7188ba449f0fab3bee2910e500 upstream.
+
+Calling qdio_release_memory() on error is just plain wrong. It frees
+the main qdio_irq struct, when following code still uses it.
+
+Also, no other error path in qdio_establish() does this. So trust
+callers to clean up via qdio_free() if some step of the QDIO
+initialization fails.
+
+Fixes: 779e6e1c724d ("[S390] qdio: new qdio driver.")
+Cc: <stable@vger.kernel.org> #v2.6.27+
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/cio/qdio_setup.c |   10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+--- a/drivers/s390/cio/qdio_setup.c
++++ b/drivers/s390/cio/qdio_setup.c
+@@ -456,7 +456,6 @@ int qdio_setup_irq(struct qdio_initializ
+ {
+       struct ciw *ciw;
+       struct qdio_irq *irq_ptr = init_data->cdev->private->qdio_data;
+-      int rc;
+       memset(&irq_ptr->qib, 0, sizeof(irq_ptr->qib));
+       memset(&irq_ptr->siga_flag, 0, sizeof(irq_ptr->siga_flag));
+@@ -493,16 +492,14 @@ int qdio_setup_irq(struct qdio_initializ
+       ciw = ccw_device_get_ciw(init_data->cdev, CIW_TYPE_EQUEUE);
+       if (!ciw) {
+               DBF_ERROR("%4x NO EQ", irq_ptr->schid.sch_no);
+-              rc = -EINVAL;
+-              goto out_err;
++              return -EINVAL;
+       }
+       irq_ptr->equeue = *ciw;
+       ciw = ccw_device_get_ciw(init_data->cdev, CIW_TYPE_AQUEUE);
+       if (!ciw) {
+               DBF_ERROR("%4x NO AQ", irq_ptr->schid.sch_no);
+-              rc = -EINVAL;
+-              goto out_err;
++              return -EINVAL;
+       }
+       irq_ptr->aqueue = *ciw;
+@@ -510,9 +507,6 @@ int qdio_setup_irq(struct qdio_initializ
+       irq_ptr->orig_handler = init_data->cdev->handler;
+       init_data->cdev->handler = qdio_int_handler;
+       return 0;
+-out_err:
+-      qdio_release_memory(irq_ptr);
+-      return rc;
+ }
+ void qdio_print_subchannel_info(struct qdio_irq *irq_ptr,
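Review bot: With the `out_err` path removed, qdio_setup_irq() returns -EINVAL while leaving irq_ptr allocated and partly initialised. Correctness now depends on every caller releasing it through qdio_free(), and that contract is stated only in the commit message. A comment on the function would pin it down, e.g. `/* On error nothing is freed here; the caller must clean up via qdio_free(). */`. The callers are outside the hunks, so each error return should be checked to reach such a cleanup; otherwise the use-after-free becomes a leak.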
diff --git a/queue-4.14/s390-qdio-fix-access-to-uninitialized-qdio_q-fields.patch b/queue-4.14/s390-qdio-fix-access-to-uninitialized-qdio_q-fields.patch
new file mode 100644 (file)
index 0000000..06c61c8
--- /dev/null
@@ -0,0 +1,42 @@
+From e521813468f786271a87e78e8644243bead48fad Mon Sep 17 00:00:00 2001
+From: Julian Wiedmann <jwi@linux.ibm.com>
+Date: Wed, 2 May 2018 08:48:43 +0200
+Subject: s390/qdio: fix access to uninitialized qdio_q fields
+
+From: Julian Wiedmann <jwi@linux.ibm.com>
+
+commit e521813468f786271a87e78e8644243bead48fad upstream.
+
+Ever since CQ/QAOB support was added, calling qdio_free() straight after
+qdio_alloc() results in qdio_release_memory() accessing uninitialized
+memory (ie. q->u.out.use_cq and q->u.out.aobs). Followed by a
+kmem_cache_free() on the random AOB addresses.
+
+For older kernels that don't have 6e30c549f6ca, the same applies if
+qdio_establish() fails in the DEV_STATE_ONLINE check.
+
+While initializing q->u.out.use_cq would be enough to fix this
+particular bug, the more future-proof change is to just zero-alloc the
+whole struct.
+
+Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks")
+Cc: <stable@vger.kernel.org> #v3.2+
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/cio/qdio_setup.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/s390/cio/qdio_setup.c
++++ b/drivers/s390/cio/qdio_setup.c
+@@ -140,7 +140,7 @@ static int __qdio_allocate_qs(struct qdi
+       int i;
+       for (i = 0; i < nr_queues; i++) {
+-              q = kmem_cache_alloc(qdio_q_cache, GFP_KERNEL);
++              q = kmem_cache_zalloc(qdio_q_cache, GFP_KERNEL);
+               if (!q)
+                       return -ENOMEM;
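Review bot: The switch to `kmem_cache_zalloc()` in `__qdio_allocate_qs` has no comment recording that the free path depends on the zeroing, so a later return to a plain allocation would silently reintroduce the bug. Per the commit message, `qdio_release_memory()` reads `q->u.out.use_cq` and `q->u.out.aobs` on queues that were never set up, followed by `kmem_cache_free()` on whatever those AOB slots hold. I would add above the allocation: `/* must be zeroed: qdio_release_memory() inspects u.out.use_cq/aobs on never-initialized queues */`. The function body starts and ends outside the hunk, so how the `-ENOMEM` return treats queues allocated in earlier iterations cannot be checked from here.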
diff --git a/queue-4.14/s390-remove-indirect-branch-from-do_softirq_own_stack.patch b/queue-4.14/s390-remove-indirect-branch-from-do_softirq_own_stack.patch
new file mode 100644 (file)
index 0000000..0531494
--- /dev/null
@@ -0,0 +1,38 @@
+From 9f18fff63cfd6f559daa1eaae60640372c65f84b Mon Sep 17 00:00:00 2001
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Date: Tue, 24 Apr 2018 11:18:49 +0200
+Subject: s390: remove indirect branch from do_softirq_own_stack
+
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+
+commit 9f18fff63cfd6f559daa1eaae60640372c65f84b upstream.
+
+The inline assembly to call __do_softirq on the irq stack uses
+an indirect branch. This can be replaced with a normal relative
+branch.
+
+Cc: stable@vger.kernel.org # 4.16
+Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches")
+Reviewed-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kernel/irq.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/arch/s390/kernel/irq.c
++++ b/arch/s390/kernel/irq.c
+@@ -176,10 +176,9 @@ void do_softirq_own_stack(void)
+               new -= STACK_FRAME_OVERHEAD;
+               ((struct stack_frame *) new)->back_chain = old;
+               asm volatile("   la    15,0(%0)\n"
+-                           "   basr  14,%2\n"
++                           "   brasl 14,__do_softirq\n"
+                            "   la    15,0(%1)\n"
+-                           : : "a" (new), "a" (old),
+-                               "a" (__do_softirq)
++                           : : "a" (new), "a" (old)
+                            : "0", "1", "2", "3", "4", "5", "14",
+                              "cc", "memory" );
+       } else {
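Review bot: The new `brasl 14,__do_softirq` line in `do_softirq_own_stack` names the callee only inside the asm string, and nothing in the code says why the address operand was dropped. A later cleanup could restore `"a" (__do_softirq)` with `basr` and bring back the indirect branch this commit removes. I would add a comment above the asm statement: `/* direct brasl on purpose: keeps this call free of an indirect branch, so no expoline is needed */`. The function starts before the hunk and continues past the `else`, so only the asm statement is covered here.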
index 903ebd98014b2f05e9fde1b4b67818fb0b177f99..c3fe25f77eae9a0cb4924197b97e2337d9bc4eaa 100644 (file)
@@ -20,3 +20,14 @@ netfilter-nf_tables-can-t-fail-after-linking-rule-into-active-rule-list.patch
 netfilter-nf_socket-fix-out-of-bounds-access-in-nf_sk_lookup_slow_v-4-6.patch
 i2c-designware-fix-poll-after-enable-regression.patch
 powerpc-powernv-fix-nvram-sleep-in-invalid-context-when-crashing.patch
+drm-match-sysfs-name-in-link-removal-to-link-creation.patch
+lib-test_bitmap.c-fix-bitmap-optimisation-tests-to-report-errors-correctly.patch
+radix-tree-fix-multi-order-iteration-race.patch
+mm-don-t-allow-deferred-pages-with-need_per_cpu_km.patch
+drm-i915-gen9-add-waclearhiz_wm_chicken3-for-bxt-and-glk.patch
+s390-crc32-vx-use-expoline-for-indirect-branches.patch
+s390-qdio-fix-access-to-uninitialized-qdio_q-fields.patch
+s390-cpum_sf-ensure-sample-frequency-of-perf-event-attributes-is-non-zero.patch
+s390-qdio-don-t-release-memory-in-qdio_setup_irq.patch
+s390-kernel-use-expoline-for-indirect-branches.patch
+s390-remove-indirect-branch-from-do_softirq_own_stack.patch