--- /dev/null
+From 238064f13d057390a8c5e1a6a80f4f0a0ec46499 Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Tue, 27 Mar 2018 15:01:02 -0700
+Subject: Drivers: hv: vmbus: do not mark HV_PCIE as perf_device
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit 238064f13d057390a8c5e1a6a80f4f0a0ec46499 upstream.
+
+The pci-hyperv driver's channel callback hv_pci_onchannelcallback() is not
+really a hot path, so we don't need to mark it as a perf_device, meaning
+with this patch all HV_PCIE channels' target_cpu will be CPU0.
+
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Cc: stable@vger.kernel.org
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/channel_mgmt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hv/channel_mgmt.c
++++ b/drivers/hv/channel_mgmt.c
+@@ -71,7 +71,7 @@ static const struct vmbus_device vmbus_d
+ /* PCIE */
+ { .dev_type = HV_PCIE,
+ HV_PCIE_GUID,
+- .perf_device = true,
++ .perf_device = false,
+ },
+
+ /* Synthetic Frame Buffer */
--- /dev/null
+From 19ce7909ed11c49f7eddf59e7f49cd3062bf83d5 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Fri, 6 Apr 2018 03:56:30 +1000
+Subject: KVM: PPC: Book3S HV: trace_tlbie must not be called in realmode
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit 19ce7909ed11c49f7eddf59e7f49cd3062bf83d5 upstream.
+
+This crashes with a "Bad real address for load" attempting to load
+from the vmalloc region in realmode (faulting address is in DAR).
+
+ Oops: Bad interrupt in KVM entry/exit code, sig: 6 [#1]
+ LE SMP NR_CPUS=2048 NUMA PowerNV
+ CPU: 53 PID: 6582 Comm: qemu-system-ppc Not tainted 4.16.0-01530-g43d1859f0994
+ NIP: c0000000000155ac LR: c0000000000c2430 CTR: c000000000015580
+ REGS: c000000fff76dd80 TRAP: 0200 Not tainted (4.16.0-01530-g43d1859f0994)
+ MSR: 9000000000201003 <SF,HV,ME,RI,LE> CR: 48082222 XER: 00000000
+ CFAR: 0000000102900ef0 DAR: d00017fffd941a28 DSISR: 00000040 SOFTE: 3
+ NIP [c0000000000155ac] perf_trace_tlbie+0x2c/0x1a0
+ LR [c0000000000c2430] do_tlbies+0x230/0x2f0
+
+I suspect the reason is the per-cpu data is not in the linear chunk.
+This could be restored if that was able to be fixed, but for now,
+just remove the tracepoints.
+
+Fixes: 0428491cba92 ("powerpc/mm: Trace tlbie(l) instructions")
+Cc: stable@vger.kernel.org # v4.13+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/book3s_hv_rm_mmu.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/arch/powerpc/kvm/book3s_hv_rm_mmu.c
++++ b/arch/powerpc/kvm/book3s_hv_rm_mmu.c
+@@ -447,8 +447,6 @@ static void do_tlbies(struct kvm *kvm, u
+ for (i = 0; i < npages; ++i) {
+ asm volatile(PPC_TLBIE_5(%0,%1,0,0,0) : :
+ "r" (rbvalues[i]), "r" (kvm->arch.lpid));
+- trace_tlbie(kvm->arch.lpid, 0, rbvalues[i],
+- kvm->arch.lpid, 0, 0, 0);
+ }
+ asm volatile("eieio; tlbsync; ptesync" : : : "memory");
+ kvm->arch.tlbie_lock = 0;
+@@ -458,8 +456,6 @@ static void do_tlbies(struct kvm *kvm, u
+ for (i = 0; i < npages; ++i) {
+ asm volatile(PPC_TLBIEL(%0,%1,0,0,0) : :
+ "r" (rbvalues[i]), "r" (0));
+- trace_tlbie(kvm->arch.lpid, 1, rbvalues[i],
+- 0, 0, 0, 0);
+ }
+ asm volatile("ptesync" : : : "memory");
+ }
--- /dev/null
+From d5654e156bc4d68a87bbaa6d7e020baceddf6e68 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sat, 24 Mar 2018 21:18:25 +0100
+Subject: parisc: Fix HPMC handler by increasing size to multiple of 16 bytes
+
+From: Helge Deller <deller@gmx.de>
+
+commit d5654e156bc4d68a87bbaa6d7e020baceddf6e68 upstream.
+
+Make sure that the HPMC (High Priority Machine Check) handler is 16-byte
+aligned and that it's length in the IVT is a multiple of 16 bytes.
+Otherwise PDC may decide not to call the HPMC crash handler.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/hpmc.S | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/kernel/hpmc.S
++++ b/arch/parisc/kernel/hpmc.S
+@@ -84,6 +84,7 @@ END(hpmc_pim_data)
+ .text
+
+ .import intr_save, code
++ .align 16
+ ENTRY_CFI(os_hpmc)
+ .os_hpmc:
+
+@@ -300,12 +301,15 @@ os_hpmc_6:
+
+ b .
+ nop
++ .align 16 /* make function length multiple of 16 bytes */
+ ENDPROC_CFI(os_hpmc)
+ .os_hpmc_end:
+
+
+ __INITRODATA
++.globl os_hpmc_size
+ .align 4
+- .export os_hpmc_size
++ .type os_hpmc_size, @object
++ .size os_hpmc_size, 4
+ os_hpmc_size:
+ .word .os_hpmc_end-.os_hpmc
--- /dev/null
+From 615b2665fd20c327b631ff1e79426775de748094 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sun, 25 Mar 2018 23:53:22 +0200
+Subject: parisc: Fix out of array access in match_pci_device()
+
+From: Helge Deller <deller@gmx.de>
+
+commit 615b2665fd20c327b631ff1e79426775de748094 upstream.
+
+As found by the ubsan checker, the value of the 'index' variable can be
+out of range for the bc[] array:
+
+UBSAN: Undefined behaviour in arch/parisc/kernel/drivers.c:655:21
+index 6 is out of range for type 'char [6]'
+Backtrace:
+ [<104fa850>] __ubsan_handle_out_of_bounds+0x68/0x80
+ [<1019d83c>] check_parent+0xc0/0x170
+ [<1019d91c>] descend_children+0x30/0x6c
+ [<1059e164>] device_for_each_child+0x60/0x98
+ [<1019cd54>] parse_tree_node+0x40/0x54
+ [<1019d86c>] check_parent+0xf0/0x170
+ [<1019d91c>] descend_children+0x30/0x6c
+ [<1059e164>] device_for_each_child+0x60/0x98
+ [<1019d938>] descend_children+0x4c/0x6c
+ [<1059e164>] device_for_each_child+0x60/0x98
+ [<1019cd54>] parse_tree_node+0x40/0x54
+ [<1019cffc>] hwpath_to_device+0xa4/0xc4
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/drivers.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/parisc/kernel/drivers.c
++++ b/arch/parisc/kernel/drivers.c
+@@ -651,6 +651,10 @@ static int match_pci_device(struct devic
+ (modpath->mod == PCI_FUNC(devfn)));
+ }
+
++ /* index might be out of bounds for bc[] */
++ if (index >= 6)
++ return 0;
++
+ id = PCI_SLOT(pdev->devfn) | (PCI_FUNC(pdev->devfn) << 5);
+ return (modpath->bc[index] == id);
+ }
--- /dev/null
+From 021ad274d7dc31611d4f47f7dd4ac7a224526f30 Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Thu, 15 Mar 2018 14:20:53 +0000
+Subject: PCI: hv: Serialize the present and eject work items
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit 021ad274d7dc31611d4f47f7dd4ac7a224526f30 upstream.
+
+When we hot-remove the device, we first receive a PCI_EJECT message and
+then receive a PCI_BUS_RELATIONS message with bus_rel->device_count == 0.
+
+The first message is offloaded to hv_eject_device_work(), and the second
+is offloaded to pci_devices_present_work(). Both the paths can be running
+list_del(&hpdev->list_entry), causing general protection fault, because
+system_wq can run them concurrently.
+
+The patch eliminates the race condition.
+
+Since access to present/eject work items is serialized, we do not need the
+hbus->enum_sem anymore, so remove it.
+
+Fixes: 4daace0d8ce8 ("PCI: hv: Add paravirtual PCI front-end for Microsoft Hyper-V VMs")
+Link: https://lkml.kernel.org/r/KL1P15301MB00064DA6B4D221123B5241CFBFD70@KL1P15301MB0006.APCP153.PROD.OUTLOOK.COM
+Tested-by: Adrian Suhov <v-adsuho@microsoft.com>
+Tested-by: Chris Valean <v-chvale@microsoft.com>
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+[lorenzo.pieralisi@arm.com: squashed semaphore removal patch]
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Acked-by: Haiyang Zhang <haiyangz@microsoft.com>
+Cc: <stable@vger.kernel.org> # v4.6+
+Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
+Cc: Jack Morgenstein <jackm@mellanox.com>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/host/pci-hyperv.c | 34 ++++++++++++++++------------------
+ 1 file changed, 16 insertions(+), 18 deletions(-)
+
+--- a/drivers/pci/host/pci-hyperv.c
++++ b/drivers/pci/host/pci-hyperv.c
+@@ -457,7 +457,6 @@ struct hv_pcibus_device {
+ spinlock_t device_list_lock; /* Protect lists below */
+ void __iomem *cfg_addr;
+
+- struct semaphore enum_sem;
+ struct list_head resources_for_children;
+
+ struct list_head children;
+@@ -471,6 +470,8 @@ struct hv_pcibus_device {
+ struct retarget_msi_interrupt retarget_msi_interrupt_params;
+
+ spinlock_t retarget_msi_interrupt_lock;
++
++ struct workqueue_struct *wq;
+ };
+
+ /*
+@@ -1604,12 +1605,8 @@ static struct hv_pci_dev *get_pcichild_w
+ * It must also treat the omission of a previously observed device as
+ * notification that the device no longer exists.
+ *
+- * Note that this function is a work item, and it may not be
+- * invoked in the order that it was queued. Back to back
+- * updates of the list of present devices may involve queuing
+- * multiple work items, and this one may run before ones that
+- * were sent later. As such, this function only does something
+- * if is the last one in the queue.
++ * Note that this function is serialized with hv_eject_device_work(),
++ * because both are pushed to the ordered workqueue hbus->wq.
+ */
+ static void pci_devices_present_work(struct work_struct *work)
+ {
+@@ -1630,11 +1627,6 @@ static void pci_devices_present_work(str
+
+ INIT_LIST_HEAD(&removed);
+
+- if (down_interruptible(&hbus->enum_sem)) {
+- put_hvpcibus(hbus);
+- return;
+- }
+-
+ /* Pull this off the queue and process it if it was the last one. */
+ spin_lock_irqsave(&hbus->device_list_lock, flags);
+ while (!list_empty(&hbus->dr_list)) {
+@@ -1651,7 +1643,6 @@ static void pci_devices_present_work(str
+ spin_unlock_irqrestore(&hbus->device_list_lock, flags);
+
+ if (!dr) {
+- up(&hbus->enum_sem);
+ put_hvpcibus(hbus);
+ return;
+ }
+@@ -1738,7 +1729,6 @@ static void pci_devices_present_work(str
+ break;
+ }
+
+- up(&hbus->enum_sem);
+ put_hvpcibus(hbus);
+ kfree(dr);
+ }
+@@ -1784,7 +1774,7 @@ static void hv_pci_devices_present(struc
+ spin_unlock_irqrestore(&hbus->device_list_lock, flags);
+
+ get_hvpcibus(hbus);
+- schedule_work(&dr_wrk->wrk);
++ queue_work(hbus->wq, &dr_wrk->wrk);
+ }
+
+ /**
+@@ -1862,7 +1852,7 @@ static void hv_pci_eject_device(struct h
+ get_pcichild(hpdev, hv_pcidev_ref_pnp);
+ INIT_WORK(&hpdev->wrk, hv_eject_device_work);
+ get_hvpcibus(hpdev->hbus);
+- schedule_work(&hpdev->wrk);
++ queue_work(hpdev->hbus->wq, &hpdev->wrk);
+ }
+
+ /**
+@@ -2475,13 +2465,18 @@ static int hv_pci_probe(struct hv_device
+ spin_lock_init(&hbus->config_lock);
+ spin_lock_init(&hbus->device_list_lock);
+ spin_lock_init(&hbus->retarget_msi_interrupt_lock);
+- sema_init(&hbus->enum_sem, 1);
+ init_completion(&hbus->remove_event);
++ hbus->wq = alloc_ordered_workqueue("hv_pci_%x", 0,
++ hbus->sysdata.domain);
++ if (!hbus->wq) {
++ ret = -ENOMEM;
++ goto free_bus;
++ }
+
+ ret = vmbus_open(hdev->channel, pci_ring_size, pci_ring_size, NULL, 0,
+ hv_pci_onchannelcallback, hbus);
+ if (ret)
+- goto free_bus;
++ goto destroy_wq;
+
+ hv_set_drvdata(hdev, hbus);
+
+@@ -2550,6 +2545,8 @@ free_config:
+ hv_free_config_window(hbus);
+ close:
+ vmbus_close(hdev->channel);
++destroy_wq:
++ destroy_workqueue(hbus->wq);
+ free_bus:
+ free_page((unsigned long)hbus);
+ return ret;
+@@ -2629,6 +2626,7 @@ static int hv_pci_remove(struct hv_devic
+ irq_domain_free_fwnode(hbus->sysdata.fwnode);
+ put_hvpcibus(hbus);
+ wait_for_completion(&hbus->remove_event);
++ destroy_workqueue(hbus->wq);
+ free_page((unsigned long)hbus);
+ return 0;
+ }
--- /dev/null
+From 621b6d2ea297d0fb6030452c5bcd221f12165fcf Mon Sep 17 00:00:00 2001
+From: Prashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>
+Date: Mon, 9 Apr 2018 19:03:46 +0900
+Subject: perf/core: Fix use-after-free in uprobe_perf_close()
+
+From: Prashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>
+
+commit 621b6d2ea297d0fb6030452c5bcd221f12165fcf upstream.
+
+A use-after-free bug was caught by KASAN while running usdt related
+code (BCC project. bcc/tests/python/test_usdt2.py):
+
+ ==================================================================
+ BUG: KASAN: use-after-free in uprobe_perf_close+0x222/0x3b0
+ Read of size 4 at addr ffff880384f9b4a4 by task test_usdt2.py/870
+
+ CPU: 4 PID: 870 Comm: test_usdt2.py Tainted: G W 4.16.0-next-20180409 #215
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
+ Call Trace:
+ dump_stack+0xc7/0x15b
+ ? show_regs_print_info+0x5/0x5
+ ? printk+0x9c/0xc3
+ ? kmsg_dump_rewind_nolock+0x6e/0x6e
+ ? uprobe_perf_close+0x222/0x3b0
+ print_address_description+0x83/0x3a0
+ ? uprobe_perf_close+0x222/0x3b0
+ kasan_report+0x1dd/0x460
+ ? uprobe_perf_close+0x222/0x3b0
+ uprobe_perf_close+0x222/0x3b0
+ ? probes_open+0x180/0x180
+ ? free_filters_list+0x290/0x290
+ trace_uprobe_register+0x1bb/0x500
+ ? perf_event_attach_bpf_prog+0x310/0x310
+ ? probe_event_disable+0x4e0/0x4e0
+ perf_uprobe_destroy+0x63/0xd0
+ _free_event+0x2bc/0xbd0
+ ? lockdep_rcu_suspicious+0x100/0x100
+ ? ring_buffer_attach+0x550/0x550
+ ? kvm_sched_clock_read+0x1a/0x30
+ ? perf_event_release_kernel+0x3e4/0xc00
+ ? __mutex_unlock_slowpath+0x12e/0x540
+ ? wait_for_completion+0x430/0x430
+ ? lock_downgrade+0x3c0/0x3c0
+ ? lock_release+0x980/0x980
+ ? do_raw_spin_trylock+0x118/0x150
+ ? do_raw_spin_unlock+0x121/0x210
+ ? do_raw_spin_trylock+0x150/0x150
+ perf_event_release_kernel+0x5d4/0xc00
+ ? put_event+0x30/0x30
+ ? fsnotify+0xd2d/0xea0
+ ? sched_clock_cpu+0x18/0x1a0
+ ? __fsnotify_update_child_dentry_flags.part.0+0x1b0/0x1b0
+ ? pvclock_clocksource_read+0x152/0x2b0
+ ? pvclock_read_flags+0x80/0x80
+ ? kvm_sched_clock_read+0x1a/0x30
+ ? sched_clock_cpu+0x18/0x1a0
+ ? pvclock_clocksource_read+0x152/0x2b0
+ ? locks_remove_file+0xec/0x470
+ ? pvclock_read_flags+0x80/0x80
+ ? fcntl_setlk+0x880/0x880
+ ? ima_file_free+0x8d/0x390
+ ? lockdep_rcu_suspicious+0x100/0x100
+ ? ima_file_check+0x110/0x110
+ ? fsnotify+0xea0/0xea0
+ ? kvm_sched_clock_read+0x1a/0x30
+ ? rcu_note_context_switch+0x600/0x600
+ perf_release+0x21/0x40
+ __fput+0x264/0x620
+ ? fput+0xf0/0xf0
+ ? do_raw_spin_unlock+0x121/0x210
+ ? do_raw_spin_trylock+0x150/0x150
+ ? SyS_fchdir+0x100/0x100
+ ? fsnotify+0xea0/0xea0
+ task_work_run+0x14b/0x1e0
+ ? task_work_cancel+0x1c0/0x1c0
+ ? copy_fd_bitmaps+0x150/0x150
+ ? vfs_read+0xe5/0x260
+ exit_to_usermode_loop+0x17b/0x1b0
+ ? trace_event_raw_event_sys_exit+0x1a0/0x1a0
+ do_syscall_64+0x3f6/0x490
+ ? syscall_return_slowpath+0x2c0/0x2c0
+ ? lockdep_sys_exit+0x1f/0xaa
+ ? syscall_return_slowpath+0x1a3/0x2c0
+ ? lockdep_sys_exit+0x1f/0xaa
+ ? prepare_exit_to_usermode+0x11c/0x1e0
+ ? enter_from_user_mode+0x30/0x30
+ random: crng init done
+ ? __put_user_4+0x1c/0x30
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+ RIP: 0033:0x7f41d95f9340
+ RSP: 002b:00007fffe71e4268 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
+ RAX: 0000000000000000 RBX: 000000000000000d RCX: 00007f41d95f9340
+ RDX: 0000000000000000 RSI: 0000000000002401 RDI: 000000000000000d
+ RBP: 0000000000000000 R08: 00007f41ca8ff700 R09: 00007f41d996dd1f
+ R10: 00007fffe71e41e0 R11: 0000000000000246 R12: 00007fffe71e4330
+ R13: 0000000000000000 R14: fffffffffffffffc R15: 00007fffe71e4290
+
+ Allocated by task 870:
+ kasan_kmalloc+0xa0/0xd0
+ kmem_cache_alloc_node+0x11a/0x430
+ copy_process.part.19+0x11a0/0x41c0
+ _do_fork+0x1be/0xa20
+ do_syscall_64+0x198/0x490
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+ Freed by task 0:
+ __kasan_slab_free+0x12e/0x180
+ kmem_cache_free+0x102/0x4d0
+ free_task+0xfe/0x160
+ __put_task_struct+0x189/0x290
+ delayed_put_task_struct+0x119/0x250
+ rcu_process_callbacks+0xa6c/0x1b60
+ __do_softirq+0x238/0x7ae
+
+ The buggy address belongs to the object at ffff880384f9b480
+ which belongs to the cache task_struct of size 12928
+
+It occurs because task_struct is freed before perf_event which refers
+to the task and task flags are checked while teardown of the event.
+perf_event_alloc() assigns task_struct to hw.target of perf_event,
+but there is no reference counting for it.
+
+As a fix we get_task_struct() in perf_event_alloc() at above mentioned
+assignment and put_task_struct() in _free_event().
+
+Signed-off-by: Prashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>
+Reviewed-by: Oleg Nesterov <oleg@redhat.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: <stable@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 63b6da39bb38e8f1a1ef3180d32a39d6 ("perf: Fix perf_event_exit_task() race")
+Link: http://lkml.kernel.org/r/20180409100346.6416-1-bhole_prashant_q7@lab.ntt.co.jp
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -4199,6 +4199,9 @@ static void _free_event(struct perf_even
+ if (event->ctx)
+ put_ctx(event->ctx);
+
++ if (event->hw.target)
++ put_task_struct(event->hw.target);
++
+ exclusive_event_destroy(event);
+ module_put(event->pmu->module);
+
+@@ -9508,6 +9511,7 @@ perf_event_alloc(struct perf_event_attr
+ * and we cannot use the ctx information because we need the
+ * pmu before we get a ctx.
+ */
++ get_task_struct(task);
+ event->hw.target = task;
+ }
+
+@@ -9623,6 +9627,8 @@ err_ns:
+ perf_detach_cgroup(event);
+ if (event->ns)
+ put_pid_ns(event->ns);
++ if (event->hw.target)
++ put_task_struct(event->hw.target);
+ kfree(event);
+
+ return ERR_PTR(err);
--- /dev/null
+From 1c196a6c771c47a2faa63d38d913e03284f73a16 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Wed, 7 Mar 2018 16:02:23 +0200
+Subject: perf intel-pt: Fix error recovery from missing TIP packet
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 1c196a6c771c47a2faa63d38d913e03284f73a16 upstream.
+
+When a TIP packet is expected but there is a different packet, it is an
+error. However the unexpected packet might be something important like a
+TSC packet, so after the error, it is necessary to continue from there,
+rather than the next packet. That is achieved by setting pkt_step to
+zero.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/1520431349-30689-4-git-send-email-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -1616,6 +1616,7 @@ static int intel_pt_walk_fup_tip(struct
+ case INTEL_PT_PWRX:
+ intel_pt_log("ERROR: Missing TIP after FUP\n");
+ decoder->pkt_state = INTEL_PT_STATE_ERR3;
++ decoder->pkt_step = 0;
+ return -ENOENT;
+
+ case INTEL_PT_OVF:
--- /dev/null
+From 117db4b27bf08dba412faf3924ba55fe970c57b8 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Wed, 7 Mar 2018 16:02:21 +0200
+Subject: perf intel-pt: Fix overlap detection to identify consecutive buffers correctly
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 117db4b27bf08dba412faf3924ba55fe970c57b8 upstream.
+
+Overlap detection was not not updating the buffer's 'consecutive' flag.
+Marking buffers consecutive has the advantage that decoding begins from
+the start of the buffer instead of the first PSB. Fix overlap detection
+to identify consecutive buffers correctly.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/1520431349-30689-2-git-send-email-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 62 +++++++++-----------
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.h | 2
+ tools/perf/util/intel-pt.c | 5 +
+ 3 files changed, 34 insertions(+), 35 deletions(-)
+
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -2390,14 +2390,6 @@ const struct intel_pt_state *intel_pt_de
+ return &decoder->state;
+ }
+
+-static bool intel_pt_at_psb(unsigned char *buf, size_t len)
+-{
+- if (len < INTEL_PT_PSB_LEN)
+- return false;
+- return memmem(buf, INTEL_PT_PSB_LEN, INTEL_PT_PSB_STR,
+- INTEL_PT_PSB_LEN);
+-}
+-
+ /**
+ * intel_pt_next_psb - move buffer pointer to the start of the next PSB packet.
+ * @buf: pointer to buffer pointer
+@@ -2486,6 +2478,7 @@ static unsigned char *intel_pt_last_psb(
+ * @buf: buffer
+ * @len: size of buffer
+ * @tsc: TSC value returned
++ * @rem: returns remaining size when TSC is found
+ *
+ * Find a TSC packet in @buf and return the TSC value. This function assumes
+ * that @buf starts at a PSB and that PSB+ will contain TSC and so stops if a
+@@ -2493,7 +2486,8 @@ static unsigned char *intel_pt_last_psb(
+ *
+ * Return: %true if TSC is found, false otherwise.
+ */
+-static bool intel_pt_next_tsc(unsigned char *buf, size_t len, uint64_t *tsc)
++static bool intel_pt_next_tsc(unsigned char *buf, size_t len, uint64_t *tsc,
++ size_t *rem)
+ {
+ struct intel_pt_pkt packet;
+ int ret;
+@@ -2504,6 +2498,7 @@ static bool intel_pt_next_tsc(unsigned c
+ return false;
+ if (packet.type == INTEL_PT_TSC) {
+ *tsc = packet.payload;
++ *rem = len;
+ return true;
+ }
+ if (packet.type == INTEL_PT_PSBEND)
+@@ -2554,6 +2549,8 @@ static int intel_pt_tsc_cmp(uint64_t tsc
+ * @len_a: size of first buffer
+ * @buf_b: second buffer
+ * @len_b: size of second buffer
++ * @consecutive: returns true if there is data in buf_b that is consecutive
++ * to buf_a
+ *
+ * If the trace contains TSC we can look at the last TSC of @buf_a and the
+ * first TSC of @buf_b in order to determine if the buffers overlap, and then
+@@ -2566,33 +2563,41 @@ static int intel_pt_tsc_cmp(uint64_t tsc
+ static unsigned char *intel_pt_find_overlap_tsc(unsigned char *buf_a,
+ size_t len_a,
+ unsigned char *buf_b,
+- size_t len_b)
++ size_t len_b, bool *consecutive)
+ {
+ uint64_t tsc_a, tsc_b;
+ unsigned char *p;
+- size_t len;
++ size_t len, rem_a, rem_b;
+
+ p = intel_pt_last_psb(buf_a, len_a);
+ if (!p)
+ return buf_b; /* No PSB in buf_a => no overlap */
+
+ len = len_a - (p - buf_a);
+- if (!intel_pt_next_tsc(p, len, &tsc_a)) {
++ if (!intel_pt_next_tsc(p, len, &tsc_a, &rem_a)) {
+ /* The last PSB+ in buf_a is incomplete, so go back one more */
+ len_a -= len;
+ p = intel_pt_last_psb(buf_a, len_a);
+ if (!p)
+ return buf_b; /* No full PSB+ => assume no overlap */
+ len = len_a - (p - buf_a);
+- if (!intel_pt_next_tsc(p, len, &tsc_a))
++ if (!intel_pt_next_tsc(p, len, &tsc_a, &rem_a))
+ return buf_b; /* No TSC in buf_a => assume no overlap */
+ }
+
+ while (1) {
+ /* Ignore PSB+ with no TSC */
+- if (intel_pt_next_tsc(buf_b, len_b, &tsc_b) &&
+- intel_pt_tsc_cmp(tsc_a, tsc_b) < 0)
+- return buf_b; /* tsc_a < tsc_b => no overlap */
++ if (intel_pt_next_tsc(buf_b, len_b, &tsc_b, &rem_b)) {
++ int cmp = intel_pt_tsc_cmp(tsc_a, tsc_b);
++
++ /* Same TSC, so buffers are consecutive */
++ if (!cmp && rem_b >= rem_a) {
++ *consecutive = true;
++ return buf_b + len_b - (rem_b - rem_a);
++ }
++ if (cmp < 0)
++ return buf_b; /* tsc_a < tsc_b => no overlap */
++ }
+
+ if (!intel_pt_step_psb(&buf_b, &len_b))
+ return buf_b + len_b; /* No PSB in buf_b => no data */
+@@ -2606,6 +2611,8 @@ static unsigned char *intel_pt_find_over
+ * @buf_b: second buffer
+ * @len_b: size of second buffer
+ * @have_tsc: can use TSC packets to detect overlap
++ * @consecutive: returns true if there is data in buf_b that is consecutive
++ * to buf_a
+ *
+ * When trace samples or snapshots are recorded there is the possibility that
+ * the data overlaps. Note that, for the purposes of decoding, data is only
+@@ -2616,7 +2623,7 @@ static unsigned char *intel_pt_find_over
+ */
+ unsigned char *intel_pt_find_overlap(unsigned char *buf_a, size_t len_a,
+ unsigned char *buf_b, size_t len_b,
+- bool have_tsc)
++ bool have_tsc, bool *consecutive)
+ {
+ unsigned char *found;
+
+@@ -2628,7 +2635,8 @@ unsigned char *intel_pt_find_overlap(uns
+ return buf_b; /* No overlap */
+
+ if (have_tsc) {
+- found = intel_pt_find_overlap_tsc(buf_a, len_a, buf_b, len_b);
++ found = intel_pt_find_overlap_tsc(buf_a, len_a, buf_b, len_b,
++ consecutive);
+ if (found)
+ return found;
+ }
+@@ -2643,28 +2651,16 @@ unsigned char *intel_pt_find_overlap(uns
+ }
+
+ /* Now len_b >= len_a */
+- if (len_b > len_a) {
+- /* The leftover buffer 'b' must start at a PSB */
+- while (!intel_pt_at_psb(buf_b + len_a, len_b - len_a)) {
+- if (!intel_pt_step_psb(&buf_a, &len_a))
+- return buf_b; /* No overlap */
+- }
+- }
+-
+ while (1) {
+ /* Potential overlap so check the bytes */
+ found = memmem(buf_a, len_a, buf_b, len_a);
+- if (found)
++ if (found) {
++ *consecutive = true;
+ return buf_b + len_a;
++ }
+
+ /* Try again at next PSB in buffer 'a' */
+ if (!intel_pt_step_psb(&buf_a, &len_a))
+ return buf_b; /* No overlap */
+-
+- /* The leftover buffer 'b' must start at a PSB */
+- while (!intel_pt_at_psb(buf_b + len_a, len_b - len_a)) {
+- if (!intel_pt_step_psb(&buf_a, &len_a))
+- return buf_b; /* No overlap */
+- }
+ }
+ }
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h
+@@ -117,7 +117,7 @@ const struct intel_pt_state *intel_pt_de
+
+ unsigned char *intel_pt_find_overlap(unsigned char *buf_a, size_t len_a,
+ unsigned char *buf_b, size_t len_b,
+- bool have_tsc);
++ bool have_tsc, bool *consecutive);
+
+ int intel_pt__strerror(int code, char *buf, size_t buflen);
+
+--- a/tools/perf/util/intel-pt.c
++++ b/tools/perf/util/intel-pt.c
+@@ -209,14 +209,17 @@ static void intel_pt_dump_event(struct i
+ static int intel_pt_do_fix_overlap(struct intel_pt *pt, struct auxtrace_buffer *a,
+ struct auxtrace_buffer *b)
+ {
++ bool consecutive = false;
+ void *start;
+
+ start = intel_pt_find_overlap(a->data, a->size, b->data, b->size,
+- pt->have_tsc);
++ pt->have_tsc, &consecutive);
+ if (!start)
+ return -EINVAL;
+ b->use_size = b->data + b->size - start;
+ b->use_data = start;
++ if (b->use_size && consecutive)
++ b->consecutive = true;
+ return 0;
+ }
+
--- /dev/null
+From 63d8e38f6ae6c36dd5b5ba0e8c112e8861532ea2 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Wed, 7 Mar 2018 16:02:22 +0200
+Subject: perf intel-pt: Fix sync_switch
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 63d8e38f6ae6c36dd5b5ba0e8c112e8861532ea2 upstream.
+
+sync_switch is a facility to synchronize decoding more closely with the
+point in the kernel when the context actually switched.
+
+The flag when sync_switch is enabled was global to the decoding, whereas
+it is really specific to the CPU.
+
+The trace data for different CPUs is put on different queues, so add
+sync_switch to the intel_pt_queue structure and use that in preference
+to the global setting in the intel_pt structure.
+
+That fixes problems decoding one CPU's trace because sync_switch was
+disabled on a different CPU's queue.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/1520431349-30689-3-git-send-email-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/intel-pt.c | 32 +++++++++++++++++++++++++-------
+ 1 file changed, 25 insertions(+), 7 deletions(-)
+
+--- a/tools/perf/util/intel-pt.c
++++ b/tools/perf/util/intel-pt.c
+@@ -145,6 +145,7 @@ struct intel_pt_queue {
+ bool stop;
+ bool step_through_buffers;
+ bool use_buffer_pid_tid;
++ bool sync_switch;
+ pid_t pid, tid;
+ int cpu;
+ int switch_state;
+@@ -965,10 +966,12 @@ static int intel_pt_setup_queue(struct i
+ if (pt->timeless_decoding || !pt->have_sched_switch)
+ ptq->use_buffer_pid_tid = true;
+ }
++
++ ptq->sync_switch = pt->sync_switch;
+ }
+
+ if (!ptq->on_heap &&
+- (!pt->sync_switch ||
++ (!ptq->sync_switch ||
+ ptq->switch_state != INTEL_PT_SS_EXPECTING_SWITCH_EVENT)) {
+ const struct intel_pt_state *state;
+ int ret;
+@@ -1552,7 +1555,7 @@ static int intel_pt_sample(struct intel_
+ if (pt->synth_opts.last_branch)
+ intel_pt_update_last_branch_rb(ptq);
+
+- if (!pt->sync_switch)
++ if (!ptq->sync_switch)
+ return 0;
+
+ if (intel_pt_is_switch_ip(ptq, state->to_ip)) {
+@@ -1633,6 +1636,21 @@ static u64 intel_pt_switch_ip(struct int
+ return switch_ip;
+ }
+
++static void intel_pt_enable_sync_switch(struct intel_pt *pt)
++{
++ unsigned int i;
++
++ pt->sync_switch = true;
++
++ for (i = 0; i < pt->queues.nr_queues; i++) {
++ struct auxtrace_queue *queue = &pt->queues.queue_array[i];
++ struct intel_pt_queue *ptq = queue->priv;
++
++ if (ptq)
++ ptq->sync_switch = true;
++ }
++}
++
+ static int intel_pt_run_decoder(struct intel_pt_queue *ptq, u64 *timestamp)
+ {
+ const struct intel_pt_state *state = ptq->state;
+@@ -1649,7 +1667,7 @@ static int intel_pt_run_decoder(struct i
+ if (pt->switch_ip) {
+ intel_pt_log("switch_ip: %"PRIx64" ptss_ip: %"PRIx64"\n",
+ pt->switch_ip, pt->ptss_ip);
+- pt->sync_switch = true;
++ intel_pt_enable_sync_switch(pt);
+ }
+ }
+ }
+@@ -1665,9 +1683,9 @@ static int intel_pt_run_decoder(struct i
+ if (state->err) {
+ if (state->err == INTEL_PT_ERR_NODATA)
+ return 1;
+- if (pt->sync_switch &&
++ if (ptq->sync_switch &&
+ state->from_ip >= pt->kernel_start) {
+- pt->sync_switch = false;
++ ptq->sync_switch = false;
+ intel_pt_next_tid(pt, ptq);
+ }
+ if (pt->synth_opts.errors) {
+@@ -1693,7 +1711,7 @@ static int intel_pt_run_decoder(struct i
+ state->timestamp, state->est_timestamp);
+ ptq->timestamp = state->est_timestamp;
+ /* Use estimated TSC in unknown switch state */
+- } else if (pt->sync_switch &&
++ } else if (ptq->sync_switch &&
+ ptq->switch_state == INTEL_PT_SS_UNKNOWN &&
+ intel_pt_is_switch_ip(ptq, state->to_ip) &&
+ ptq->next_tid == -1) {
+@@ -1840,7 +1858,7 @@ static int intel_pt_sync_switch(struct i
+ return 1;
+
+ ptq = intel_pt_cpu_to_ptq(pt, cpu);
+- if (!ptq)
++ if (!ptq || !ptq->sync_switch)
+ return 1;
+
+ switch (ptq->switch_state) {
--- /dev/null
+From 91d29b288aed3406caf7c454bf2b898c96cfd177 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Wed, 7 Mar 2018 16:02:24 +0200
+Subject: perf intel-pt: Fix timestamp following overflow
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 91d29b288aed3406caf7c454bf2b898c96cfd177 upstream.
+
+timestamp_insn_cnt is used to estimate the timestamp based on the number of
+instructions since the last known timestamp.
+
+If the estimate is not accurate enough decoding might not be correctly
+synchronized with side-band events causing more trace errors.
+
+However there are always timestamps following an overflow, so the
+estimate is not needed and can indeed result in more errors.
+
+Suppress the estimate by setting timestamp_insn_cnt to zero.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/1520431349-30689-5-git-send-email-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -1378,6 +1378,7 @@ static int intel_pt_overflow(struct inte
+ intel_pt_clear_tx_flags(decoder);
+ decoder->have_tma = false;
+ decoder->cbr = 0;
++ decoder->timestamp_insn_cnt = 0;
+ decoder->pkt_state = INTEL_PT_STATE_ERR_RESYNC;
+ decoder->overflow = true;
+ return -EOVERFLOW;
--- /dev/null
+From c02216acf4177c4411d33735c81cad687790fa59 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 16 Feb 2018 16:26:57 +0100
+Subject: radeon: hide pointless #warning when compile testing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit c02216acf4177c4411d33735c81cad687790fa59 upstream.
+
+In randconfig testing, we sometimes get this warning:
+
+drivers/gpu/drm/radeon/radeon_object.c: In function 'radeon_bo_create':
+drivers/gpu/drm/radeon/radeon_object.c:242:2: error: #warning Please enable CONFIG_MTRR and CONFIG_X86_PAT for better performance thanks to write-combining [-Werror=cpp]
+ #warning Please enable CONFIG_MTRR and CONFIG_X86_PAT for better performance \
+
+This is rather annoying since almost all other code produces no build-time
+output unless we have found a real bug. We already fixed this in the
+amdgpu driver in commit 31bb90f1cd08 ("drm/amdgpu: shut up #warning for
+compile testing") by adding a CONFIG_COMPILE_TEST check last year and
+agreed to do the same here, but both Michel and I then forgot about it
+until I came across the issue again now.
+
+For stable kernels, as this is one of very few remaining randconfig
+warnings in 4.14.
+
+Cc: stable@vger.kernel.org
+Link: https://patchwork.kernel.org/patch/9550009/
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/radeon_object.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_object.c
++++ b/drivers/gpu/drm/radeon/radeon_object.c
+@@ -240,9 +240,10 @@ int radeon_bo_create(struct radeon_devic
+ * may be slow
+ * See https://bugs.freedesktop.org/show_bug.cgi?id=88758
+ */
+-
++#ifndef CONFIG_COMPILE_TEST
+ #warning Please enable CONFIG_MTRR and CONFIG_X86_PAT for better performance \
+ thanks to write-combining
++#endif
+
+ if (bo->flags & RADEON_GEM_GTT_WC)
+ DRM_INFO_ONCE("Please enable CONFIG_MTRR and CONFIG_X86_PAT for "
lan78xx-correctly-indicate-invalid-otp.patch
media-v4l2-compat-ioctl32-don-t-oops-on-overlay.patch
media-v4l-vsp1-fix-header-display-list-status-check-in-continuous-mode.patch
+parisc-fix-out-of-array-access-in-match_pci_device.patch
+parisc-fix-hpmc-handler-by-increasing-size-to-multiple-of-16-bytes.patch
+drivers-hv-vmbus-do-not-mark-hv_pcie-as-perf_device.patch
+pci-hv-serialize-the-present-and-eject-work-items.patch
+kvm-ppc-book3s-hv-trace_tlbie-must-not-be-called-in-realmode.patch
+perf-intel-pt-fix-overlap-detection-to-identify-consecutive-buffers-correctly.patch
+perf-intel-pt-fix-sync_switch.patch
+perf-intel-pt-fix-error-recovery-from-missing-tip-packet.patch
+perf-intel-pt-fix-timestamp-following-overflow.patch
+perf-core-fix-use-after-free-in-uprobe_perf_close.patch
+radeon-hide-pointless-warning-when-compile-testing.patch
+x86-apic-fix-restoring-boot-irq-mode-in-reboot-and-kexec-kdump.patch
+x86-mce-amd-define-a-function-to-get-smca-bank-type.patch
+x86-mce-report-only-dram-ecc-as-memory-errors-on-amd-systems.patch
+x86-mce-amd-pass-the-bank-number-to-smca_get_bank_type.patch
+x86-mce-amd-edac-mce_amd-enumerate-reserved-smca-bank-type.patch
+x86-mce-amd-get-address-from-already-initialized-block.patch
--- /dev/null
+From 339b2ae0cd5d4a58f9efe06e4ee36adbeca59228 Mon Sep 17 00:00:00 2001
+From: Baoquan He <bhe@redhat.com>
+Date: Wed, 14 Feb 2018 13:46:53 +0800
+Subject: x86/apic: Fix restoring boot IRQ mode in reboot and kexec/kdump
+
+From: Baoquan He <bhe@redhat.com>
+
+commit 339b2ae0cd5d4a58f9efe06e4ee36adbeca59228 upstream.
+
+This is a regression fix.
+
+Before, to fix erratum AVR31, the following commit:
+
+ 522e66464467 ("x86/apic: Disable I/O APIC before shutdown of the local APIC")
+
+... moved the lapic_shutdown() call to after disable_IO_APIC() in the reboot
+and kexec/kdump code paths.
+
+This introduced the following regression: disable_IO_APIC() not only clears
+the IO-APIC, but it also restores boot IRQ mode by setting the
+LAPIC/APIC/IMCR, calling lapic_shutdown() after disable_IO_APIC() will
+disable LAPIC and ruin the possible virtual wire mode setting which
+the code has been trying to do all along.
+
+The consequence is that a KVM guest kernel always prints the warning below
+during kexec/kdump as the kernel boots up:
+
+ [ 0.001000] WARNING: CPU: 0 PID: 0 at arch/x86/kernel/apic/apic.c:1467 setup_local_APIC+0x228/0x330
+ [ ........]
+ [ 0.001000] Call Trace:
+ [ 0.001000] apic_bsp_setup+0x56/0x74
+ [ 0.001000] x86_late_time_init+0x11/0x16
+ [ 0.001000] start_kernel+0x3c9/0x486
+ [ 0.001000] secondary_startup_64+0xa5/0xb0
+ [ ........]
+ [ 0.001000] masked ExtINT on CPU#0
+
+To fix this, just call clear_IO_APIC() to stop the IO-APIC where
+disable_IO_APIC() was called, and call restore_boot_irq_mode() to
+restore boot IRQ mode before a reboot or a kexec/kdump jump.
+
+Signed-off-by: Baoquan He <bhe@redhat.com>
+Reviewed-by: Eric W. Biederman <ebiederm@xmission.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: douly.fnst@cn.fujitsu.com
+Cc: joro@8bytes.org
+Cc: prarit@redhat.com
+Cc: stable@vger.kernel.org
+Cc: uobergfe@redhat.com
+Fixes: commit 522e66464467 ("x86/apic: Disable I/O APIC before shutdown of the local APIC")
+Link: http://lkml.kernel.org/r/20180214054656.3780-4-bhe@redhat.com
+[ Rewrote the changelog. ]
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/crash.c | 3 ++-
+ arch/x86/kernel/reboot.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/crash.c
++++ b/arch/x86/kernel/crash.c
+@@ -199,9 +199,10 @@ void native_machine_crash_shutdown(struc
+ #ifdef CONFIG_X86_IO_APIC
+ /* Prevent crash_kexec() from deadlocking on ioapic_lock. */
+ ioapic_zap_locks();
+- disable_IO_APIC();
++ clear_IO_APIC();
+ #endif
+ lapic_shutdown();
++ restore_boot_irq_mode();
+ #ifdef CONFIG_HPET_TIMER
+ hpet_disable();
+ #endif
+--- a/arch/x86/kernel/reboot.c
++++ b/arch/x86/kernel/reboot.c
+@@ -666,7 +666,7 @@ void native_machine_shutdown(void)
+ * Even without the erratum, it still makes sense to quiet IO APIC
+ * before disabling Local APIC.
+ */
+- disable_IO_APIC();
++ clear_IO_APIC();
+ #endif
+
+ #ifdef CONFIG_SMP
+@@ -680,6 +680,7 @@ void native_machine_shutdown(void)
+ #endif
+
+ lapic_shutdown();
++ restore_boot_irq_mode();
+
+ #ifdef CONFIG_HPET_TIMER
+ hpet_disable();
--- /dev/null
+From 11cf887728a3d1de77cc12ce247b64ef32608891 Mon Sep 17 00:00:00 2001
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+Date: Mon, 18 Dec 2017 12:37:12 +0100
+Subject: x86/MCE/AMD: Define a function to get SMCA bank type
+
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+
+commit 11cf887728a3d1de77cc12ce247b64ef32608891 upstream.
+
+Scalable MCA systems have various types of banks. The bank's type
+can determine how we handle errors from it. For example, if a bank
+represents a UMC (Unified Memory Controller) then we will need to
+convert its address from a normalized address to a system physical
+address before handling the error.
+
+[ bp: Verify m->bank is within range and use bank pointer. ]
+
+Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20171207203955.118171-1-Yazen.Ghannam@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/mcheck/mce_amd.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c
++++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c
+@@ -110,6 +110,20 @@ const char *smca_get_long_name(enum smca
+ }
+ EXPORT_SYMBOL_GPL(smca_get_long_name);
+
++static enum smca_bank_types smca_get_bank_type(struct mce *m)
++{
++ struct smca_bank *b;
++
++ if (m->bank >= N_SMCA_BANK_TYPES)
++ return N_SMCA_BANK_TYPES;
++
++ b = &smca_banks[m->bank];
++ if (!b->hwid)
++ return N_SMCA_BANK_TYPES;
++
++ return b->hwid->bank_type;
++}
++
+ static struct smca_hwid smca_hwid_mcatypes[] = {
+ /* { bank_type, hwid_mcatype, xec_bitmap } */
+
--- /dev/null
+From 68627a697c195937672ce07683094c72b1174786 Mon Sep 17 00:00:00 2001
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+Date: Wed, 21 Feb 2018 11:18:58 +0100
+Subject: x86/mce/AMD, EDAC/mce_amd: Enumerate Reserved SMCA bank type
+
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+
+commit 68627a697c195937672ce07683094c72b1174786 upstream.
+
+Currently, bank 4 is reserved on Fam17h, so we chose not to initialize
+bank 4 in the smca_banks array. This means that when we check if a bank
+is initialized, like during boot or resume, we will see that bank 4 is
+not initialized and try to initialize it.
+
+This will cause a call trace, when resuming from suspend, due to
+rdmsr_*on_cpu() calls in the init path. The rdmsr_*on_cpu() calls issue
+an IPI but we're running with interrupts disabled. This triggers:
+
+ WARNING: CPU: 0 PID: 11523 at kernel/smp.c:291 smp_call_function_single+0xdc/0xe0
+ ...
+
+Reserved banks will be read-as-zero, so their MCA_IPID register will be
+zero. So, like the smca_banks array, the threshold_banks array will not
+have an entry for a reserved bank since all its MCA_MISC* registers will
+be zero.
+
+Enumerate a "Reserved" bank type that matches on a HWID_MCATYPE of 0,0.
+
+Use the "Reserved" type when checking if a bank is reserved. It's
+possible that other bank numbers may be reserved on future systems.
+
+Don't try to find the block address on reserved banks.
+
+Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: <stable@vger.kernel.org> # 4.14.x
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20180221101900.10326-7-bp@alien8.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/mce.h | 1 +
+ arch/x86/kernel/cpu/mcheck/mce_amd.c | 7 +++++++
+ drivers/edac/mce_amd.c | 11 +++++++----
+ 3 files changed, 15 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/include/asm/mce.h
++++ b/arch/x86/include/asm/mce.h
+@@ -346,6 +346,7 @@ enum smca_bank_types {
+ SMCA_IF, /* Instruction Fetch */
+ SMCA_L2_CACHE, /* L2 Cache */
+ SMCA_DE, /* Decoder Unit */
++ SMCA_RESERVED, /* Reserved */
+ SMCA_EX, /* Execution Unit */
+ SMCA_FP, /* Floating Point */
+ SMCA_L3_CACHE, /* L3 Cache */
+--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c
++++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c
+@@ -82,6 +82,7 @@ static struct smca_bank_name smca_names[
+ [SMCA_IF] = { "insn_fetch", "Instruction Fetch Unit" },
+ [SMCA_L2_CACHE] = { "l2_cache", "L2 Cache" },
+ [SMCA_DE] = { "decode_unit", "Decode Unit" },
++ [SMCA_RESERVED] = { "reserved", "Reserved" },
+ [SMCA_EX] = { "execution_unit", "Execution Unit" },
+ [SMCA_FP] = { "floating_point", "Floating Point Unit" },
+ [SMCA_L3_CACHE] = { "l3_cache", "L3 Cache" },
+@@ -127,6 +128,9 @@ static enum smca_bank_types smca_get_ban
+ static struct smca_hwid smca_hwid_mcatypes[] = {
+ /* { bank_type, hwid_mcatype, xec_bitmap } */
+
++ /* Reserved type */
++ { SMCA_RESERVED, HWID_MCATYPE(0x00, 0x0), 0x0 },
++
+ /* ZN Core (HWID=0xB0) MCA types */
+ { SMCA_LS, HWID_MCATYPE(0xB0, 0x0), 0x1FFFEF },
+ { SMCA_IF, HWID_MCATYPE(0xB0, 0x1), 0x3FFF },
+@@ -431,6 +435,9 @@ static u32 get_block_address(unsigned in
+ u32 addr = 0, offset = 0;
+
+ if (mce_flags.smca) {
++ if (smca_get_bank_type(bank) == SMCA_RESERVED)
++ return addr;
++
+ if (!block) {
+ addr = MSR_AMD64_SMCA_MCx_MISC(bank);
+ } else {
+--- a/drivers/edac/mce_amd.c
++++ b/drivers/edac/mce_amd.c
+@@ -854,21 +854,24 @@ static void decode_mc6_mce(struct mce *m
+ static void decode_smca_error(struct mce *m)
+ {
+ struct smca_hwid *hwid;
+- unsigned int bank_type;
++ enum smca_bank_types bank_type;
+ const char *ip_name;
+ u8 xec = XEC(m->status, xec_mask);
+
+ if (m->bank >= ARRAY_SIZE(smca_banks))
+ return;
+
+- if (x86_family(m->cpuid) >= 0x17 && m->bank == 4)
+- pr_emerg(HW_ERR "Bank 4 is reserved on Fam17h.\n");
+-
+ hwid = smca_banks[m->bank].hwid;
+ if (!hwid)
+ return;
+
+ bank_type = hwid->bank_type;
++
++ if (bank_type == SMCA_RESERVED) {
++ pr_emerg(HW_ERR "Bank %d is reserved.\n", m->bank);
++ return;
++ }
++
+ ip_name = smca_get_long_name(bank_type);
+
+ pr_emerg(HW_ERR "%s Extended Error Code: %d\n", ip_name, xec);
--- /dev/null
+From 27bd59502702fe51d9eb00450a75b727ec6bfcb4 Mon Sep 17 00:00:00 2001
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+Date: Wed, 21 Feb 2018 11:18:59 +0100
+Subject: x86/mce/AMD: Get address from already initialized block
+
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+
+commit 27bd59502702fe51d9eb00450a75b727ec6bfcb4 upstream.
+
+The block address is saved after the block is initialized when
+threshold_init_device() is called.
+
+Use the saved block address, if available, rather than trying to
+rediscover it.
+
+This will avoid a call trace, when resuming from suspend, due to the
+rdmsr_safe_on_cpu() call in get_block_address(). The rdmsr_safe_on_cpu()
+call issues an IPI but we're running with interrupts disabled. This
+triggers:
+
+ WARNING: CPU: 0 PID: 11523 at kernel/smp.c:291 smp_call_function_single+0xdc/0xe0
+
+Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: <stable@vger.kernel.org> # 4.14.x
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20180221101900.10326-8-bp@alien8.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/mcheck/mce_amd.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c
++++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c
+@@ -434,6 +434,21 @@ static u32 get_block_address(unsigned in
+ {
+ u32 addr = 0, offset = 0;
+
++ if ((bank >= mca_cfg.banks) || (block >= NR_BLOCKS))
++ return addr;
++
++ /* Get address from already initialized block. */
++ if (per_cpu(threshold_banks, cpu)) {
++ struct threshold_bank *bankp = per_cpu(threshold_banks, cpu)[bank];
++
++ if (bankp && bankp->blocks) {
++ struct threshold_block *blockp = &bankp->blocks[block];
++
++ if (blockp)
++ return blockp->address;
++ }
++ }
++
+ if (mce_flags.smca) {
+ if (smca_get_bank_type(bank) == SMCA_RESERVED)
+ return addr;
--- /dev/null
+From e5d6a126d4c473499f354254a15ca0c2d8c84ca3 Mon Sep 17 00:00:00 2001
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+Date: Wed, 21 Feb 2018 11:18:57 +0100
+Subject: x86/mce/AMD: Pass the bank number to smca_get_bank_type()
+
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+
+commit e5d6a126d4c473499f354254a15ca0c2d8c84ca3 upstream.
+
+Pass the bank number to smca_get_bank_type() since that's all we need.
+
+Also, we should compare the bank number to MAX_NR_BANKS (size of the
+smca_banks array) not the number of bank types. Bank types are reused
+for multiple banks, so the number of types can be different from the
+number of banks in a system and thus we could return an invalid bank
+type.
+
+Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: <stable@vger.kernel.org> # 4.14.x
+Cc: <stable@vger.kernel.org> # 4.14.x: 11cf887728a3 x86/MCE/AMD: Define a function to get SMCA bank type
+Cc: <stable@vger.kernel.org> # 4.14.x: c6708d50f166 x86/MCE: Report only DRAM ECC as memory errors on AMD systems
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20180221101900.10326-6-bp@alien8.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/mcheck/mce_amd.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c
++++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c
+@@ -110,14 +110,14 @@ const char *smca_get_long_name(enum smca
+ }
+ EXPORT_SYMBOL_GPL(smca_get_long_name);
+
+-static enum smca_bank_types smca_get_bank_type(struct mce *m)
++static enum smca_bank_types smca_get_bank_type(unsigned int bank)
+ {
+ struct smca_bank *b;
+
+- if (m->bank >= N_SMCA_BANK_TYPES)
++ if (bank >= MAX_NR_BANKS)
+ return N_SMCA_BANK_TYPES;
+
+- b = &smca_banks[m->bank];
++ b = &smca_banks[bank];
+ if (!b->hwid)
+ return N_SMCA_BANK_TYPES;
+
+@@ -758,7 +758,7 @@ bool amd_mce_is_memory_error(struct mce
+ u8 xec = (m->status >> 16) & 0x1f;
+
+ if (mce_flags.smca)
+- return smca_get_bank_type(m) == SMCA_UMC && xec == 0x0;
++ return smca_get_bank_type(m->bank) == SMCA_UMC && xec == 0x0;
+
+ return m->bank == 4 && xec == 0x8;
+ }
+@@ -1061,7 +1061,7 @@ static struct kobj_type threshold_ktype
+
+ static const char *get_name(unsigned int bank, struct threshold_block *b)
+ {
+- unsigned int bank_type;
++ enum smca_bank_types bank_type;
+
+ if (!mce_flags.smca) {
+ if (b && bank == 4)
+@@ -1070,11 +1070,10 @@ static const char *get_name(unsigned int
+ return th_names[bank];
+ }
+
+- if (!smca_banks[bank].hwid)
++ bank_type = smca_get_bank_type(bank);
++ if (bank_type >= N_SMCA_BANK_TYPES)
+ return NULL;
+
+- bank_type = smca_banks[bank].hwid->bank_type;
+-
+ if (b && bank_type == SMCA_UMC) {
+ if (b->block < ARRAY_SIZE(smca_umc_block_names))
+ return smca_umc_block_names[b->block];
--- /dev/null
+From c6708d50f166bea2d763c96485d31fdbc50204f1 Mon Sep 17 00:00:00 2001
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+Date: Mon, 18 Dec 2017 12:37:13 +0100
+Subject: x86/MCE: Report only DRAM ECC as memory errors on AMD systems
+
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+
+commit c6708d50f166bea2d763c96485d31fdbc50204f1 upstream.
+
+The MCA_STATUS[ErrorCodeExt] field is very bank type specific.
+We currently check if the ErrorCodeExt value is 0x0 or 0x8 in
+mce_is_memory_error(), but we don't check the bank number. This means
+that we could flag non-memory errors as memory errors.
+
+We know that we want to flag DRAM ECC errors as memory errors, so let's do
+those cases first. We can add more cases later when needed.
+
+Define a wrapper function in mce_amd.c so we can use SMCA enums.
+
+[ bp: Remove brackets around return statements. ]
+
+Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20171207203955.118171-2-Yazen.Ghannam@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/mce.h | 2 ++
+ arch/x86/kernel/cpu/mcheck/mce.c | 4 +---
+ arch/x86/kernel/cpu/mcheck/mce_amd.c | 11 +++++++++++
+ 3 files changed, 14 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/include/asm/mce.h
++++ b/arch/x86/include/asm/mce.h
+@@ -376,6 +376,7 @@ struct smca_bank {
+ extern struct smca_bank smca_banks[MAX_NR_BANKS];
+
+ extern const char *smca_get_long_name(enum smca_bank_types t);
++extern bool amd_mce_is_memory_error(struct mce *m);
+
+ extern int mce_threshold_create_device(unsigned int cpu);
+ extern int mce_threshold_remove_device(unsigned int cpu);
+@@ -384,6 +385,7 @@ extern int mce_threshold_remove_device(u
+
+ static inline int mce_threshold_create_device(unsigned int cpu) { return 0; };
+ static inline int mce_threshold_remove_device(unsigned int cpu) { return 0; };
++static inline bool amd_mce_is_memory_error(struct mce *m) { return false; };
+
+ #endif
+
+--- a/arch/x86/kernel/cpu/mcheck/mce.c
++++ b/arch/x86/kernel/cpu/mcheck/mce.c
+@@ -512,10 +512,8 @@ static int mce_usable_address(struct mce
+ bool mce_is_memory_error(struct mce *m)
+ {
+ if (m->cpuvendor == X86_VENDOR_AMD) {
+- /* ErrCodeExt[20:16] */
+- u8 xec = (m->status >> 16) & 0x1f;
++ return amd_mce_is_memory_error(m);
+
+- return (xec == 0x0 || xec == 0x8);
+ } else if (m->cpuvendor == X86_VENDOR_INTEL) {
+ /*
+ * Intel SDM Volume 3B - 15.9.2 Compound Error Codes
+--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c
++++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c
+@@ -752,6 +752,17 @@ out_err:
+ }
+ EXPORT_SYMBOL_GPL(umc_normaddr_to_sysaddr);
+
++bool amd_mce_is_memory_error(struct mce *m)
++{
++ /* ErrCodeExt[20:16] */
++ u8 xec = (m->status >> 16) & 0x1f;
++
++ if (mce_flags.smca)
++ return smca_get_bank_type(m) == SMCA_UMC && xec == 0x0;
++
++ return m->bank == 4 && xec == 0x8;
++}
++
+ static void __log_error(unsigned int bank, u64 status, u64 addr, u64 misc)
+ {
+ struct mce m;
projects / thirdparty / kernel / stable-queue.git / commitdiff
