--- /dev/null
+From af677166cf63c179dc2485053166e02c4aea01eb Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Thu, 9 Feb 2017 09:20:54 +0800
+Subject: ALSA: hda - adding a new NV HDMI/DP codec ID in the driver
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit af677166cf63c179dc2485053166e02c4aea01eb upstream.
+
+Without this change, the HDMI/DP codec will be recognised as a
+generic codec, and there is no sound when playing through this codec.
+
+As suggested by NVidia side, after adding the new ID in the driver,
+the sound playing works well.
+
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_hdmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -3638,6 +3638,7 @@ HDA_CODEC_ENTRY(0x10de0070, "GPU 70 HDMI
+ HDA_CODEC_ENTRY(0x10de0071, "GPU 71 HDMI/DP", patch_nvhdmi),
+ HDA_CODEC_ENTRY(0x10de0072, "GPU 72 HDMI/DP", patch_nvhdmi),
+ HDA_CODEC_ENTRY(0x10de007d, "GPU 7d HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de0080, "GPU 80 HDMI/DP", patch_nvhdmi),
+ HDA_CODEC_ENTRY(0x10de0082, "GPU 82 HDMI/DP", patch_nvhdmi),
+ HDA_CODEC_ENTRY(0x10de0083, "GPU 83 HDMI/DP", patch_nvhdmi),
+ HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI", patch_nvhdmi_2ch),
--- /dev/null
+From 37a7ea4a9b81f6a864c10a7cb0b96458df5310a3 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 6 Feb 2017 15:09:48 +0100
+Subject: ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 37a7ea4a9b81f6a864c10a7cb0b96458df5310a3 upstream.
+
+snd_seq_pool_done() syncs with closing of all opened threads, but it
+aborts the wait loop with a timeout, and proceeds to the release
+resource even if not all threads have been closed. The timeout was 5
+seconds, and if you run a crazy stuff, it can exceed easily, and may
+result in the access of the invalid memory address -- this is what
+syzkaller detected in a bug report.
+
+As a fix, let the code graduate from naiveness, simply remove the loop
+timeout.
+
+BugLink: http://lkml.kernel.org/r/CACT4Y+YdhDV2H5LLzDTJDVF-qiYHUHhtRaW4rbb4gUhTCQB81w@mail.gmail.com
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_memory.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/sound/core/seq/seq_memory.c
++++ b/sound/core/seq/seq_memory.c
+@@ -419,7 +419,6 @@ int snd_seq_pool_done(struct snd_seq_poo
+ {
+ unsigned long flags;
+ struct snd_seq_event_cell *ptr;
+- int max_count = 5 * HZ;
+
+ if (snd_BUG_ON(!pool))
+ return -EINVAL;
+@@ -432,14 +431,8 @@ int snd_seq_pool_done(struct snd_seq_poo
+ if (waitqueue_active(&pool->output_sleep))
+ wake_up(&pool->output_sleep);
+
+- while (atomic_read(&pool->counter) > 0) {
+- if (max_count == 0) {
+- pr_warn("ALSA: snd_seq_pool_done timeout: %d cells remain\n", atomic_read(&pool->counter));
+- break;
+- }
++ while (atomic_read(&pool->counter) > 0)
+ schedule_timeout_uninterruptible(1);
+- max_count--;
+- }
+
+ /* release all resources */
+ spin_lock_irqsave(&pool->lock, flags);
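Review bot: The loop `while (atomic_read(&pool->counter) > 0)` in snd_seq_pool_done() is now an unbounded, uninterruptible wait, and nothing in the code records that this is deliberate. With the timeout removed, a cell that is never returned leaves the closing task sleeping forever instead of releasing memory that is still referenced. That is the safer failure, but it is harder to diagnose. A comment above the loop would document the trade-off, for example `/* no timeout: releasing the pool while cells are still out leads to access of freed memory */`. The function starts and ends outside the hunk, so whether new cells can still be handed out during the wait cannot be judged from these lines.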
--- /dev/null
+From 4842e98f26dd80be3623c4714a244ba52ea096a8 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 8 Feb 2017 12:35:39 +0100
+Subject: ALSA: seq: Fix race at creating a queue
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 4842e98f26dd80be3623c4714a244ba52ea096a8 upstream.
+
+When a sequencer queue is created in snd_seq_queue_alloc(),it adds the
+new queue element to the public list before referencing it. Thus the
+queue might be deleted before the call of snd_seq_queue_use(), and it
+results in the use-after-free error, as spotted by syzkaller.
+
+The fix is to reference the queue object at the right time.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_queue.c | 33 ++++++++++++++++++++-------------
+ 1 file changed, 20 insertions(+), 13 deletions(-)
+
+--- a/sound/core/seq/seq_queue.c
++++ b/sound/core/seq/seq_queue.c
+@@ -181,6 +181,8 @@ void __exit snd_seq_queues_delete(void)
+ }
+ }
+
++static void queue_use(struct snd_seq_queue *queue, int client, int use);
++
+ /* allocate a new queue -
+ * return queue index value or negative value for error
+ */
+@@ -192,11 +194,11 @@ int snd_seq_queue_alloc(int client, int
+ if (q == NULL)
+ return -ENOMEM;
+ q->info_flags = info_flags;
++ queue_use(q, client, 1);
+ if (queue_list_add(q) < 0) {
+ queue_delete(q);
+ return -ENOMEM;
+ }
+- snd_seq_queue_use(q->queue, client, 1); /* use this queue */
+ return q->queue;
+ }
+
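Review bot: The new call `queue_use(q, client, 1);` in snd_seq_queue_alloc() runs without `queue->timer_mutex`, whereas snd_seq_queue_use() later in this patch takes the mutex around the same helper. That looks safe only because `q` has not yet been published by queue_list_add(), and a comment should say so, e.g. `/* q is not on the public list yet, so timer_mutex is not needed here */`. The `queue_list_add(q) < 0` error path now reaches queue_delete() on a queue already marked as used by the client. Presumably queue_delete() undoes that state, but its body is outside the hunk and should be confirmed.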
+@@ -502,19 +504,9 @@ int snd_seq_queue_timer_set_tempo(int qu
+ return result;
+ }
+
+-
+-/* use or unuse this queue -
+- * if it is the first client, starts the timer.
+- * if it is not longer used by any clients, stop the timer.
+- */
+-int snd_seq_queue_use(int queueid, int client, int use)
++/* use or unuse this queue */
++static void queue_use(struct snd_seq_queue *queue, int client, int use)
+ {
+- struct snd_seq_queue *queue;
+-
+- queue = queueptr(queueid);
+- if (queue == NULL)
+- return -EINVAL;
+- mutex_lock(&queue->timer_mutex);
+ if (use) {
+ if (!test_and_set_bit(client, queue->clients_bitmap))
+ queue->clients++;
+@@ -529,6 +521,21 @@ int snd_seq_queue_use(int queueid, int c
+ } else {
+ snd_seq_timer_close(queue);
+ }
++}
++
++/* use or unuse this queue -
++ * if it is the first client, starts the timer.
++ * if it is not longer used by any clients, stop the timer.
++ */
++int snd_seq_queue_use(int queueid, int client, int use)
++{
++ struct snd_seq_queue *queue;
++
++ queue = queueptr(queueid);
++ if (queue == NULL)
++ return -EINVAL;
++ mutex_lock(&queue->timer_mutex);
++ queue_use(queue, client, use);
+ mutex_unlock(&queue->timer_mutex);
+ queuefree(queue);
+ return 0;
--- /dev/null
+From 2a362249187a8d0f6d942d6e1d763d150a296f47 Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Mon, 6 Feb 2017 19:39:09 -0500
+Subject: btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+commit 2a362249187a8d0f6d942d6e1d763d150a296f47 upstream.
+
+Commit 4c63c2454ef incorrectly assumed that returning -ENOIOCTLCMD would
+cause the native ioctl to be called. The ->compat_ioctl callback is
+expected to handle all ioctls, not just compat variants. As a result,
+when using 32-bit userspace on 64-bit kernels, everything except those
+three ioctls would return -ENOTTY.
+
+Fixes: 4c63c2454ef ("btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in btrfs_ioctl")
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/ioctl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -5648,6 +5648,10 @@ long btrfs_ioctl(struct file *file, unsi
+ #ifdef CONFIG_COMPAT
+ long btrfs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ {
++ /*
++ * These all access 32-bit values anyway so no further
++ * handling is necessary.
++ */
+ switch (cmd) {
+ case FS_IOC32_GETFLAGS:
+ cmd = FS_IOC_GETFLAGS;
+@@ -5658,8 +5662,6 @@ long btrfs_compat_ioctl(struct file *fil
+ case FS_IOC32_GETVERSION:
+ cmd = FS_IOC_GETVERSION;
+ break;
+- default:
+- return -ENOIOCTLCMD;
+ }
+
+ return btrfs_ioctl(file, cmd, (unsigned long) compat_ptr(arg));
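Review bot: The added comment `These all access 32-bit values anyway so no further handling is necessary` sits above the whole switch in btrfs_compat_ioctl(), but it can only describe the three FS_IOC32_* cases. With the `default:` branch removed, every other command also reaches `btrfs_ioctl(file, cmd, (unsigned long) compat_ptr(arg))`. Wording that separates the two groups would avoid implying that all btrfs ioctls are layout-compatible, e.g. `/* The FS_IOC32_* commands below access 32-bit values, so translating cmd is enough; every other command is passed through unchanged. */`. For the pass-through commands, any argument structure whose layout differs between 32-bit and 64-bit userspace has to be handled inside btrfs_ioctl(), which is outside this hunk. The closing brace of the function is also outside it.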
--- /dev/null
+From 647bf3d8a8e5777319da92af672289b2a6c4dc66 Mon Sep 17 00:00:00 2001
+From: Eyal Itkin <eyal.itkin@gmail.com>
+Date: Tue, 7 Feb 2017 16:45:19 +0300
+Subject: IB/rxe: Fix mem_check_range integer overflow
+
+From: Eyal Itkin <eyal.itkin@gmail.com>
+
+commit 647bf3d8a8e5777319da92af672289b2a6c4dc66 upstream.
+
+Update the range check to avoid integer-overflow in edge case.
+Resolves CVE 2016-8636.
+
+Signed-off-by: Eyal Itkin <eyal.itkin@gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/sw/rxe/rxe_mr.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/sw/rxe/rxe_mr.c
++++ b/drivers/infiniband/sw/rxe/rxe_mr.c
+@@ -59,9 +59,11 @@ int mem_check_range(struct rxe_mem *mem,
+
+ case RXE_MEM_TYPE_MR:
+ case RXE_MEM_TYPE_FMR:
+- return ((iova < mem->iova) ||
+- ((iova + length) > (mem->iova + mem->length))) ?
+- -EFAULT : 0;
++ if (iova < mem->iova ||
++ length > mem->length ||
++ iova > mem->iova + mem->length - length)
++ return -EFAULT;
++ return 0;
+
+ default:
+ return -EFAULT;
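Review bot: The rewritten bound `iova > mem->iova + mem->length - length` is only safe because `length > mem->length` is rejected on the line before it, and that ordering dependency is not documented. A comment such as `/* length <= mem->length is checked first, so the subtraction cannot wrap */` would keep a later reordering from reintroducing the overflow this commit fixes. The check still assumes `mem->iova + mem->length` itself does not wrap, which has to be guaranteed where the region is registered. That code, and the declared types of `iova` and `length`, are outside the hunk, as are the start and end of mem_check_range().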
--- /dev/null
+From 628f07d33c1f2e7bf31e0a4a988bb07914bd5e73 Mon Sep 17 00:00:00 2001
+From: Eyal Itkin <eyal.itkin@gmail.com>
+Date: Tue, 7 Feb 2017 16:43:05 +0300
+Subject: IB/rxe: Fix resid update
+
+From: Eyal Itkin <eyal.itkin@gmail.com>
+
+commit 628f07d33c1f2e7bf31e0a4a988bb07914bd5e73 upstream.
+
+Update the response's resid field when larger than MTU, instead of only
+updating the local resid variable.
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Signed-off-by: Eyal Itkin <eyal.itkin@gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/sw/rxe/rxe_resp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/sw/rxe/rxe_resp.c
++++ b/drivers/infiniband/sw/rxe/rxe_resp.c
+@@ -472,7 +472,7 @@ static enum resp_states check_rkey(struc
+ goto err2;
+ }
+
+- resid = mtu;
++ qp->resp.resid = mtu;
+ } else {
+ if (pktlen != resid) {
+ state = RESPST_ERR_LENGTH;
--- /dev/null
+From 90c1e3c2fafec57fcb55b5d69bcf293b1a5fc8b3 Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Mon, 6 Feb 2017 13:05:16 +1100
+Subject: powerpc/mm/radix: Update ERAT flushes when invalidating TLB
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit 90c1e3c2fafec57fcb55b5d69bcf293b1a5fc8b3 upstream.
+
+Three tiny changes to the ERAT flushing logic: First don't make
+it depend on DD1. It hasn't been decided yet but we might run
+DD2 in a mode that also requires explicit flushes for performance
+reasons so make it unconditional. We also add a missing isync, and
+finally remove the flush from _tlbiel_va as it is only necessary
+for congruence-class invalidations (PID, LPID and full TLB), not
+targetted invalidations.
+
+Fixes: 96ed1fe511a8 ("powerpc/mm/radix: Invalidate ERAT on tlbiel for POWER9 DD1")
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/tlb-radix.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/arch/powerpc/mm/tlb-radix.c
++++ b/arch/powerpc/mm/tlb-radix.c
+@@ -50,9 +50,7 @@ static inline void _tlbiel_pid(unsigned
+ for (set = 0; set < POWER9_TLB_SETS_RADIX ; set++) {
+ __tlbiel_pid(pid, set, ric);
+ }
+- if (cpu_has_feature(CPU_FTR_POWER9_DD1))
+- asm volatile(PPC_INVALIDATE_ERAT : : :"memory");
+- return;
++ asm volatile(PPC_INVALIDATE_ERAT "; isync" : : :"memory");
+ }
+
+ static inline void _tlbie_pid(unsigned long pid, unsigned long ric)
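Review bot: The new `asm volatile(PPC_INVALIDATE_ERAT "; isync" : : :"memory");` at the end of _tlbiel_pid() has no comment, so the reason for it lives only in the commit message. That message says the ERAT flush is needed after congruence-class invalidations (PID, LPID, full TLB) and not after targeted ones. Without a comment saying so, the removal of the flush from _tlbiel_va() in the next hunk reads like an omission. Something like `/* congruence-class invalidation: ERAT must be flushed too; targeted (va) invalidations do not need this */` would cover both hunks. _tlbiel_pid() begins before the lines shown.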
+@@ -85,8 +83,6 @@ static inline void _tlbiel_va(unsigned l
+ asm volatile(PPC_TLBIEL(%0, %4, %3, %2, %1)
+ : : "r"(rb), "i"(r), "i"(prs), "i"(ric), "r"(rs) : "memory");
+ asm volatile("ptesync": : :"memory");
+- if (cpu_has_feature(CPU_FTR_POWER9_DD1))
+- asm volatile(PPC_INVALIDATE_ERAT : : :"memory");
+ }
+
+ static inline void _tlbie_va(unsigned long va, unsigned long pid,
--- /dev/null
+From 9b256714979fad61ae11d90b53cf67dd5e6484eb Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Tue, 7 Feb 2017 11:35:31 +1100
+Subject: powerpc/powernv: Fix CPU hotplug to handle waking on HVI
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit 9b256714979fad61ae11d90b53cf67dd5e6484eb upstream.
+
+The IPIs come in as HVI not EE, so we need to test the appropriate
+SRR1 bits. The encoding is such that it won't have false positives
+on P7 and P8 so we can just test it like that. We also need to handle
+the icp-opal variant of the flush.
+
+Fixes: d74361881f0d ("powerpc/xics: Add ICP OPAL backend")
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/reg.h | 3 ++-
+ arch/powerpc/include/asm/xics.h | 1 +
+ arch/powerpc/platforms/powernv/smp.c | 12 ++++++++++--
+ arch/powerpc/sysdev/xics/icp-opal.c | 29 +++++++++++++++++++++++++++++
+ 4 files changed, 42 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/include/asm/reg.h
++++ b/arch/powerpc/include/asm/reg.h
+@@ -641,9 +641,10 @@
+ #define SRR1_ISI_N_OR_G 0x10000000 /* ISI: Access is no-exec or G */
+ #define SRR1_ISI_PROT 0x08000000 /* ISI: Other protection fault */
+ #define SRR1_WAKEMASK 0x00380000 /* reason for wakeup */
+-#define SRR1_WAKEMASK_P8 0x003c0000 /* reason for wakeup on POWER8 */
++#define SRR1_WAKEMASK_P8 0x003c0000 /* reason for wakeup on POWER8 and 9 */
+ #define SRR1_WAKESYSERR 0x00300000 /* System error */
+ #define SRR1_WAKEEE 0x00200000 /* External interrupt */
++#define SRR1_WAKEHVI 0x00240000 /* Hypervisor Virtualization Interrupt (P9) */
+ #define SRR1_WAKEMT 0x00280000 /* mtctrl */
+ #define SRR1_WAKEHMI 0x00280000 /* Hypervisor maintenance */
+ #define SRR1_WAKEDEC 0x00180000 /* Decrementer interrupt */
+--- a/arch/powerpc/include/asm/xics.h
++++ b/arch/powerpc/include/asm/xics.h
+@@ -44,6 +44,7 @@ static inline int icp_hv_init(void) { re
+
+ #ifdef CONFIG_PPC_POWERNV
+ extern int icp_opal_init(void);
++extern void icp_opal_flush_interrupt(void);
+ #else
+ static inline int icp_opal_init(void) { return -ENODEV; }
+ #endif
+--- a/arch/powerpc/platforms/powernv/smp.c
++++ b/arch/powerpc/platforms/powernv/smp.c
+@@ -155,8 +155,10 @@ static void pnv_smp_cpu_kill_self(void)
+ wmask = SRR1_WAKEMASK_P8;
+
+ idle_states = pnv_get_supported_cpuidle_states();
++
+ /* We don't want to take decrementer interrupts while we are offline,
+- * so clear LPCR:PECE1. We keep PECE2 enabled.
++ * so clear LPCR:PECE1. We keep PECE2 (and LPCR_PECE_HVEE on P9)
++ * enabled as to let IPIs in.
+ */
+ mtspr(SPRN_LPCR, mfspr(SPRN_LPCR) & ~(u64)LPCR_PECE1);
+
+@@ -206,8 +208,12 @@ static void pnv_smp_cpu_kill_self(void)
+ * contains 0.
+ */
+ if (((srr1 & wmask) == SRR1_WAKEEE) ||
++ ((srr1 & wmask) == SRR1_WAKEHVI) ||
+ (local_paca->irq_happened & PACA_IRQ_EE)) {
+- icp_native_flush_interrupt();
++ if (cpu_has_feature(CPU_FTR_ARCH_300))
++ icp_opal_flush_interrupt();
++ else
++ icp_native_flush_interrupt();
+ } else if ((srr1 & wmask) == SRR1_WAKEHDBELL) {
+ unsigned long msg = PPC_DBELL_TYPE(PPC_DBELL_SERVER);
+ asm volatile(PPC_MSGCLR(%0) : : "r" (msg));
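Review bot: In pnv_smp_cpu_kill_self() the flush routine is selected with `cpu_has_feature(CPU_FTR_ARCH_300)`, which keys the choice to the CPU generation rather than to the interrupt-controller backend that was actually initialised. If an ARCH_300 system can run with a backend other than icp-opal, `icp_opal_flush_interrupt()` would be called against the wrong controller. Whether that configuration exists is not visible in this patch. A comment stating the assumption would help, e.g. `/* ARCH_300 (P9) is assumed to use the icp-opal backend */`. Separately, xics.h adds the `extern` declaration only under CONFIG_PPC_POWERNV, with no stub beside the existing `icp_opal_init()` stub in the `#else` branch; an empty inline there would keep the header symmetric.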
+@@ -221,6 +227,8 @@ static void pnv_smp_cpu_kill_self(void)
+ if (srr1 && !generic_check_cpu_restart(cpu))
+ DBG("CPU%d Unexpected exit while offline !\n", cpu);
+ }
++
++ /* Re-enable decrementer interrupts */
+ mtspr(SPRN_LPCR, mfspr(SPRN_LPCR) | LPCR_PECE1);
+ DBG("CPU%d coming online...\n", cpu);
+ }
+--- a/arch/powerpc/sysdev/xics/icp-opal.c
++++ b/arch/powerpc/sysdev/xics/icp-opal.c
+@@ -132,6 +132,35 @@ static irqreturn_t icp_opal_ipi_action(i
+ return smp_ipi_demux();
+ }
+
++/*
++ * Called when an interrupt is received on an off-line CPU to
++ * clear the interrupt, so that the CPU can go back to nap mode.
++ */
++void icp_opal_flush_interrupt(void)
++{
++ unsigned int xirr;
++ unsigned int vec;
++
++ do {
++ xirr = icp_opal_get_xirr();
++ vec = xirr & 0x00ffffff;
++ if (vec == XICS_IRQ_SPURIOUS)
++ break;
++ if (vec == XICS_IPI) {
++ /* Clear pending IPI */
++ int cpu = smp_processor_id();
++ kvmppc_set_host_ipi(cpu, 0);
++ opal_int_set_mfrr(get_hard_smp_processor_id(cpu), 0xff);
++ } else {
++ pr_err("XICS: hw interrupt 0x%x to offline cpu, "
++ "disabling\n", vec);
++ xics_mask_unknown_vec(vec);
++ }
++
++ /* EOI the interrupt */
++ } while (opal_int_eoi(xirr) > 0);
++}
++
+ #endif /* CONFIG_SMP */
+
+ static const struct icp_ops icp_opal_ops = {
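Review bot: icp_opal_flush_interrupt() leaves its loop on `while (opal_int_eoi(xirr) > 0)`, so a negative return is treated the same as "nothing more pending" and is never reported. If opal_int_eoi() can return an error code, logging it before the loop exits would make a failed EOI on an offline CPU visible; its return convention is defined outside this hunk. The literals `0x00ffffff` and the `0xff` passed to `opal_int_set_mfrr()` also deserve a short comment naming what they encode, presumably the vector mask and the value that clears a pending IPI.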
--- /dev/null
+From f3d83317a69e7d658e7c83e24f8b31ac533c39e3 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 7 Feb 2017 09:32:30 +0100
+Subject: Revert "ALSA: line6: Only determine control port properties if needed"
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit f3d83317a69e7d658e7c83e24f8b31ac533c39e3 upstream.
+
+This reverts commit f6a0dd107ad0c8b59d1c9735eea4b8cb9f460949.
+
+The commit caused a regression on LINE6 Transport that has no control
+caps. Although reverting the commit may result back in a spurious
+error message for some device again, it's the simplest regression fix,
+hence it's taken as is at first. The further code fix will follow
+later.
+
+Fixes: f6a0dd107ad0 ("ALSA: line6: Only determine control port properties if needed")
+Reported-by: Igor Zinovev <zinigor@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/line6/driver.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/line6/driver.c
++++ b/sound/usb/line6/driver.c
+@@ -754,8 +754,9 @@ int line6_probe(struct usb_interface *in
+ goto error;
+ }
+
++ line6_get_interval(line6);
++
+ if (properties->capabilities & LINE6_CAP_CONTROL) {
+- line6_get_interval(line6);
+ ret = line6_init_cap_control(line6);
+ if (ret < 0)
+ goto error;
--- /dev/null
+From 8af8e1c22f9994bb1849c01d66c24fe23f9bc9a0 Mon Sep 17 00:00:00 2001
+From: Dave Carroll <david.carroll@microsemi.com>
+Date: Thu, 9 Feb 2017 11:04:47 -0700
+Subject: scsi: aacraid: Fix INTx/MSI-x issue with older controllers
+
+From: Dave Carroll <david.carroll@microsemi.com>
+
+commit 8af8e1c22f9994bb1849c01d66c24fe23f9bc9a0 upstream.
+
+commit 78cbccd3bd68 ("aacraid: Fix for KDUMP driver hang")
+
+caused a problem on older controllers which do not support MSI-x (namely
+ASR3405,ASR3805). This patch conditionalizes the previous patch to
+controllers which support MSI-x
+
+Fixes: 78cbccd3bd68 ("aacraid: Fix for KDUMP driver hang")
+Reported-by: Arkadiusz Miskiewicz <a.miskiewicz@gmail.com>
+Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
+Reviewed-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/aacraid/comminit.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/aacraid/comminit.c
++++ b/drivers/scsi/aacraid/comminit.c
+@@ -50,9 +50,13 @@ struct aac_common aac_config = {
+
+ static inline int aac_is_msix_mode(struct aac_dev *dev)
+ {
+- u32 status;
++ u32 status = 0;
+
+- status = src_readl(dev, MUnit.OMR);
++ if (dev->pdev->device == PMC_DEVICE_S6 ||
++ dev->pdev->device == PMC_DEVICE_S7 ||
++ dev->pdev->device == PMC_DEVICE_S8) {
++ status = src_readl(dev, MUnit.OMR);
++ }
+ return (status & AAC_INT_MODE_MSIX);
+ }
+
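Review bot: aac_is_msix_mode() now hard-codes `PMC_DEVICE_S6`, `PMC_DEVICE_S7` and `PMC_DEVICE_S8` as the only devices whose `MUnit.OMR` is read, and nothing in the code explains the list. Any controller with another device ID is reported as not being in MSI-X mode without the register being touched. A later MSI-X-capable device would therefore silently take the non-MSI-X path until this list is extended. A comment would make that maintenance obligation explicit, e.g. `/* only these device IDs support MSI-X; older controllers must not have OMR interpreted as an MSI-X mode flag */`.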
--- /dev/null
+From ffdadd68af5a397b8a52289ab39d62e1acb39e63 Mon Sep 17 00:00:00 2001
+From: ojab <ojab@ojab.ru>
+Date: Wed, 28 Dec 2016 11:05:24 +0000
+Subject: scsi: mpt3sas: disable ASPM for MPI2 controllers
+
+From: ojab <ojab@ojab.ru>
+
+commit ffdadd68af5a397b8a52289ab39d62e1acb39e63 upstream.
+
+MPI2 controllers sometimes got lost (i.e. disappear from
+/sys/bus/pci/devices) if ASMP is enabled.
+
+Signed-off-by: Slava Kardakov <ojab@ojab.ru>
+Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=60644
+Acked-by: Sreekanth Reddy <Sreekanth.Reddy@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -51,6 +51,7 @@
+ #include <linux/workqueue.h>
+ #include <linux/delay.h>
+ #include <linux/pci.h>
++#include <linux/pci-aspm.h>
+ #include <linux/interrupt.h>
+ #include <linux/aer.h>
+ #include <linux/raid_class.h>
+@@ -8706,6 +8707,8 @@ _scsih_probe(struct pci_dev *pdev, const
+
+ switch (hba_mpi_version) {
+ case MPI2_VERSION:
++ pci_disable_link_state(pdev, PCIE_LINK_STATE_L0S |
++ PCIE_LINK_STATE_L1 | PCIE_LINK_STATE_CLKPM);
+ /* Use mpt2sas driver host template for SAS 2.0 HBA's */
+ shost = scsi_host_alloc(&mpt2sas_driver_template,
+ sizeof(struct MPT3SAS_ADAPTER));
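Review bot: The `pci_disable_link_state(pdev, PCIE_LINK_STATE_L0S | PCIE_LINK_STATE_L1 | PCIE_LINK_STATE_CLKPM);` call added to the `MPI2_VERSION` case in _scsih_probe() carries no comment. The reason for it is only in the commit message and the linked bugzilla entry. A one-line comment above the call would keep it from being removed as an unexplained power-management regression, e.g. `/* MPI2 controllers can disappear from the PCI bus with ASPM enabled (kernel bugzilla 60644) */`. The rest of _scsih_probe(), including the other `hba_mpi_version` cases, is outside the hunk.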
--- /dev/null
+From 2780f3c8f0233de90b6b47a23fc422b7780c5436 Mon Sep 17 00:00:00 2001
+From: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
+Date: Wed, 25 Jan 2017 22:07:06 -0200
+Subject: scsi: qla2xxx: Avoid that issuing a LIP triggers a kernel crash
+
+From: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
+
+commit 2780f3c8f0233de90b6b47a23fc422b7780c5436 upstream.
+
+Avoid that issuing a LIP as follows:
+
+ find /sys -name 'issue_lip'|while read f; do echo 1 > $f; done
+
+triggers the following:
+
+BUG: unable to handle kernel NULL pointer dereference at (null)
+Call Trace:
+ qla2x00_abort_all_cmds+0xed/0x140 [qla2xxx]
+ qla2x00_abort_isp_cleanup+0x1e3/0x280 [qla2xxx]
+ qla2x00_abort_isp+0xef/0x690 [qla2xxx]
+ qla2x00_do_dpc+0x36c/0x880 [qla2xxx]
+ kthread+0x10c/0x140
+
+[mkp: consolidated Mauricio's and Bart's fixes]
+
+Signed-off-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
+Reported-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Fixes: 1535aa75a3d8 ("qla2xxx: fix invalid DMA access after command aborts in PCI device remove")
+Cc: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_os.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -1459,7 +1459,7 @@ qla2x00_abort_all_cmds(scsi_qla_host_t *
+ /* Don't abort commands in adapter during EEH
+ * recovery as it's not accessible/responding.
+ */
+- if (!ha->flags.eeh_busy) {
++ if (GET_CMD_SP(sp) && !ha->flags.eeh_busy) {
+ /* Get a reference to the sp and drop the lock.
+ * The reference ensures this sp->done() call
+ * - and not the call in qla2xxx_eh_abort() -
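Review bot: The added `GET_CMD_SP(sp) &&` test in qla2x00_abort_all_cmds() is not covered by the comment directly above it, which still explains only the EEH case. The crash in the commit message is a NULL pointer dereference, so the comment should also say that entries without an attached SCSI command are skipped here, e.g. append `Also skip entries with no SCSI command attached, which cannot be aborted this way.`. When the condition is false, control falls to code after the `if` block, which is outside the hunk. How such entries are completed therefore cannot be confirmed from these lines.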
--- /dev/null
+From 2dfa6688aafdc3f74efeb1cf05fb871465d67f79 Mon Sep 17 00:00:00 2001
+From: Steffen Maier <maier@linux.vnet.ibm.com>
+Date: Wed, 8 Feb 2017 15:34:22 +0100
+Subject: scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed send
+
+From: Steffen Maier <maier@linux.vnet.ibm.com>
+
+commit 2dfa6688aafdc3f74efeb1cf05fb871465d67f79 upstream.
+
+Dan Carpenter kindly reported:
+<quote>
+The patch d27a7cb91960: "zfcp: trace on request for open and close of
+WKA port" from Aug 10, 2016, leads to the following static checker
+warning:
+
+ drivers/s390/scsi/zfcp_fsf.c:1615 zfcp_fsf_open_wka_port()
+ warn: 'req' was already freed.
+
+drivers/s390/scsi/zfcp_fsf.c
+ 1609 zfcp_fsf_start_timer(req, ZFCP_FSF_REQUEST_TIMEOUT);
+ 1610 retval = zfcp_fsf_req_send(req);
+ 1611 if (retval)
+ 1612 zfcp_fsf_req_free(req);
+ ^^^
+Freed.
+
+ 1613 out:
+ 1614 spin_unlock_irq(&qdio->req_q_lock);
+ 1615 if (req && !IS_ERR(req))
+ 1616 zfcp_dbf_rec_run_wka("fsowp_1", wka_port, req->req_id);
+ ^^^^^^^^^^^
+Use after free.
+
+ 1617 return retval;
+ 1618 }
+
+Same thing for zfcp_fsf_close_wka_port() as well.
+</quote>
+
+Rather than relying on req being NULL (or ERR_PTR) for all cases where
+we don't want to trace or should not trace,
+simply check retval which is unconditionally initialized with -EIO != 0
+and it can only become 0 on successful retval = zfcp_fsf_req_send(req).
+With that we can also remove the then again unnecessary unconditional
+initialization of req which was introduced with that earlier commit.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Suggested-by: Benjamin Block <bblock@linux.vnet.ibm.com>
+Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
+Fixes: d27a7cb91960 ("zfcp: trace on request for open and close of WKA port")
+Reviewed-by: Benjamin Block <bblock@linux.vnet.ibm.com>
+Reviewed-by: Jens Remus <jremus@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/scsi/zfcp_fsf.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/s390/scsi/zfcp_fsf.c
++++ b/drivers/s390/scsi/zfcp_fsf.c
+@@ -1583,7 +1583,7 @@ out:
+ int zfcp_fsf_open_wka_port(struct zfcp_fc_wka_port *wka_port)
+ {
+ struct zfcp_qdio *qdio = wka_port->adapter->qdio;
+- struct zfcp_fsf_req *req = NULL;
++ struct zfcp_fsf_req *req;
+ int retval = -EIO;
+
+ spin_lock_irq(&qdio->req_q_lock);
+@@ -1612,7 +1612,7 @@ int zfcp_fsf_open_wka_port(struct zfcp_f
+ zfcp_fsf_req_free(req);
+ out:
+ spin_unlock_irq(&qdio->req_q_lock);
+- if (req && !IS_ERR(req))
++ if (!retval)
+ zfcp_dbf_rec_run_wka("fsowp_1", wka_port, req->req_id);
+ return retval;
+ }
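Review bot: `req->req_id` is still read after `spin_unlock_irq(&qdio->req_q_lock)` in zfcp_fsf_open_wka_port(), now precisely on the path where zfcp_fsf_req_send() succeeded. If a sent request can be completed and freed by its response handling before this line runs, the read races with that free; the completion path is outside the hunk, so this needs confirming. Copying `req->req_id` into a local before the send and passing that local to `zfcp_dbf_rec_run_wka()` would remove the dependency on the request's lifetime. The same applies to the `fscwp_1` trace in zfcp_fsf_close_wka_port() in the last hunk. With `= NULL` dropped, `req` is also uninitialised on any early `goto out`, so the `!retval` guard is the only thing preventing its use there and deserves a comment.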
+@@ -1638,7 +1638,7 @@ static void zfcp_fsf_close_wka_port_hand
+ int zfcp_fsf_close_wka_port(struct zfcp_fc_wka_port *wka_port)
+ {
+ struct zfcp_qdio *qdio = wka_port->adapter->qdio;
+- struct zfcp_fsf_req *req = NULL;
++ struct zfcp_fsf_req *req;
+ int retval = -EIO;
+
+ spin_lock_irq(&qdio->req_q_lock);
+@@ -1667,7 +1667,7 @@ int zfcp_fsf_close_wka_port(struct zfcp_
+ zfcp_fsf_req_free(req);
+ out:
+ spin_unlock_irq(&qdio->req_q_lock);
+- if (req && !IS_ERR(req))
++ if (!retval)
+ zfcp_dbf_rec_run_wka("fscwp_1", wka_port, req->req_id);
+ return retval;
+ }
drivers-hv-vmbus-on-write-cleanup-the-logic-to-interrupt-the-host.patch
drivers-hv-vmbus-on-the-read-path-cleanup-the-logic-to-interrupt-the-host.patch
drivers-hv-vmbus-finally-fix-hv_need_to_signal_on_read.patch
+scsi-zfcp-fix-use-after-free-by-not-tracing-wka-port-open-close-on-failed-send.patch
+scsi-aacraid-fix-intx-msi-x-issue-with-older-controllers.patch
+scsi-mpt3sas-disable-aspm-for-mpi2-controllers.patch
+scsi-qla2xxx-avoid-that-issuing-a-lip-triggers-a-kernel-crash.patch
+btrfs-fix-btrfs_compat_ioctl-failures-on-non-compat-ioctls.patch
+tick-nohz-fix-possible-missing-clock-reprog-after-tick-soft-restart.patch
+powerpc-mm-radix-update-erat-flushes-when-invalidating-tlb.patch
+powerpc-powernv-fix-cpu-hotplug-to-handle-waking-on-hvi.patch
+xen-netfront-delete-rx_refill_timer-in-xennet_disconnect_backend.patch
+alsa-hda-adding-a-new-nv-hdmi-dp-codec-id-in-the-driver.patch
+alsa-seq-fix-race-at-creating-a-queue.patch
+alsa-seq-don-t-handle-loop-timeout-at-snd_seq_pool_done.patch
+revert-alsa-line6-only-determine-control-port-properties-if-needed.patch
+x86-mm-ptdump-fix-soft-lockup-in-page-table-walker.patch
+x86-cpu-amd-bring-back-compute-unit-id.patch
+x86-cpu-amd-fix-zen-smt-topology.patch
+ib-rxe-fix-resid-update.patch
+ib-rxe-fix-mem_check_range-integer-overflow.patch
--- /dev/null
+From 7bdb59f1ad474bd7161adc8f923cdef10f2638d1 Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker <fweisbec@gmail.com>
+Date: Tue, 7 Feb 2017 17:44:54 +0100
+Subject: tick/nohz: Fix possible missing clock reprog after tick soft restart
+
+From: Frederic Weisbecker <fweisbec@gmail.com>
+
+commit 7bdb59f1ad474bd7161adc8f923cdef10f2638d1 upstream.
+
+ts->next_tick keeps track of the next tick deadline in order to optimize
+clock programmation on irq exit and avoid redundant clock device writes.
+
+Now if ts->next_tick missed an update, we may spuriously miss a clock
+reprog later as the nohz code is fooled by an obsolete next_tick value.
+
+This is what happens here on a specific path: when we observe an
+expired timer from the nohz update code on irq exit, we perform a soft
+tick restart which simply fires the closest possible tick without
+actually exiting the nohz mode and restoring a periodic state. But we
+forget to update ts->next_tick accordingly.
+
+As a result, after the next tick resulting from such soft tick restart,
+the nohz code sees a stale value on ts->next_tick which doesn't match
+the clock deadline that just expired. If that obsolete ts->next_tick
+value happens to collide with the actual next tick deadline to be
+scheduled, we may spuriously bypass the clock reprogramming. In the
+worst case, the tick may never fire again.
+
+Fix this with a ts->next_tick reset on soft tick restart.
+
+Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
+Reviewed: Wanpeng Li <wanpeng.li@hotmail.com>
+Acked-by: Rik van Riel <riel@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/1486485894-29173-1-git-send-email-fweisbec@gmail.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/tick-sched.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/kernel/time/tick-sched.c
++++ b/kernel/time/tick-sched.c
+@@ -730,6 +730,11 @@ static ktime_t tick_nohz_stop_sched_tick
+ */
+ if (delta == 0) {
+ tick_nohz_restart(ts, now);
++ /*
++ * Make sure next tick stop doesn't get fooled by past
++ * clock deadline
++ */
++ ts->next_tick = 0;
+ goto out;
+ }
+ }
--- /dev/null
+From 79a8b9aa388b0620cc1d525d7c0f0d9a8a85e08e Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Sun, 5 Feb 2017 11:50:21 +0100
+Subject: x86/CPU/AMD: Bring back Compute Unit ID
+
+From: Borislav Petkov <bp@suse.de>
+
+commit 79a8b9aa388b0620cc1d525d7c0f0d9a8a85e08e upstream.
+
+Commit:
+
+ a33d331761bc ("x86/CPU/AMD: Fix Bulldozer topology")
+
+restored the initial approach we had with the Fam15h topology of
+enumerating CU (Compute Unit) threads as cores. And this is still
+correct - they're beefier than HT threads but still have some
+shared functionality.
+
+Our current approach has a problem with the Mad Max Steam game, for
+example. Yves Dionne reported a certain "choppiness" while playing on
+v4.9.5.
+
+That problem stems most likely from the fact that the CU threads share
+resources within one CU and when we schedule to a thread of a different
+compute unit, this incurs latency due to migrating the working set to a
+different CU through the caches.
+
+When the thread siblings mask mirrors that aspect of the CUs and
+threads, the scheduler pays attention to it and tries to schedule within
+one CU first. Which takes care of the latency, of course.
+
+Reported-by: Yves Dionne <yves.dionne@gmail.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Brice Goglin <Brice.Goglin@inria.fr>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Yazen Ghannam <yazen.ghannam@amd.com>
+Link: http://lkml.kernel.org/r/20170205105022.8705-1-bp@alien8.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/processor.h | 1 +
+ arch/x86/kernel/cpu/amd.c | 9 ++++++++-
+ arch/x86/kernel/cpu/common.c | 1 +
+ arch/x86/kernel/smpboot.c | 12 +++++++++---
+ 4 files changed, 19 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/include/asm/processor.h
++++ b/arch/x86/include/asm/processor.h
+@@ -104,6 +104,7 @@ struct cpuinfo_x86 {
+ __u8 x86_phys_bits;
+ /* CPUID returned core id bits: */
+ __u8 x86_coreid_bits;
++ __u8 cu_id;
+ /* Max extended CPUID function supported: */
+ __u32 extended_cpuid_level;
+ /* Maximum supported CPUID level, -1=no CPUID: */
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -309,8 +309,15 @@ static void amd_get_topology(struct cpui
+
+ /* get information required for multi-node processors */
+ if (boot_cpu_has(X86_FEATURE_TOPOEXT)) {
++ u32 eax, ebx, ecx, edx;
+
+- node_id = cpuid_ecx(0x8000001e) & 7;
++ cpuid(0x8000001e, &eax, &ebx, &ecx, &edx);
++
++ node_id = ecx & 0xff;
++ smp_num_siblings = ((ebx >> 8) & 0xff) + 1;
++
++ if (c->x86 == 0x15)
++ c->cu_id = ebx & 0xff;
+
+ /*
+ * We may have multiple LLCs if L3 caches exist, so check if we
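Review bot: The node id mask widens from `& 7` to `& 0xff` in this hunk, but the commit description only talks about compute units, so the change deserves a sentence there or a comment here. The three extractions from CPUID leaf 0x8000001e are bare magic numbers. A comment such as `/* ebx[7:0]: compute unit id, ebx[15:8]: siblings - 1, ecx[7:0]: node id */` (field meanings inferred from the code, to be confirmed against the vendor manual) would make the layout checkable. Note also that `c->cu_id = ebx & 0xff;` can produce 0xff, the same value identify_cpu() stores to mean "unset". amd_get_topology() starts and ends outside the hunk.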
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -1015,6 +1015,7 @@ static void identify_cpu(struct cpuinfo_
+ c->x86_model_id[0] = '\0'; /* Unset */
+ c->x86_max_cores = 1;
+ c->x86_coreid_bits = 0;
++ c->cu_id = 0xff;
+ #ifdef CONFIG_X86_64
+ c->x86_clflush_size = 64;
+ c->x86_phys_bits = 36;
+--- a/arch/x86/kernel/smpboot.c
++++ b/arch/x86/kernel/smpboot.c
+@@ -423,9 +423,15 @@ static bool match_smt(struct cpuinfo_x86
+ int cpu1 = c->cpu_index, cpu2 = o->cpu_index;
+
+ if (c->phys_proc_id == o->phys_proc_id &&
+- per_cpu(cpu_llc_id, cpu1) == per_cpu(cpu_llc_id, cpu2) &&
+- c->cpu_core_id == o->cpu_core_id)
+- return topology_sane(c, o, "smt");
++ per_cpu(cpu_llc_id, cpu1) == per_cpu(cpu_llc_id, cpu2)) {
++ if (c->cpu_core_id == o->cpu_core_id)
++ return topology_sane(c, o, "smt");
++
++ if ((c->cu_id != 0xff) &&
++ (o->cu_id != 0xff) &&
++ (c->cu_id == o->cu_id))
++ return topology_sane(c, o, "smt");
++ }
+
+ } else if (c->phys_proc_id == o->phys_proc_id &&
+ c->cpu_core_id == o->cpu_core_id) {
--- /dev/null
+From 08b259631b5a1d912af4832847b5642f377d9101 Mon Sep 17 00:00:00 2001
+From: Yazen Ghannam <Yazen.Ghannam@amd.com>
+Date: Sun, 5 Feb 2017 11:50:22 +0100
+Subject: x86/CPU/AMD: Fix Zen SMT topology
+
+From: Yazen Ghannam <Yazen.Ghannam@amd.com>
+
+commit 08b259631b5a1d912af4832847b5642f377d9101 upstream.
+
+After:
+
+ a33d331761bc ("x86/CPU/AMD: Fix Bulldozer topology")
+
+our SMT scheduling topology for Fam17h systems is broken, because
+the ThreadId is included in the ApicId when SMT is enabled.
+
+So, without further decoding cpu_core_id is unique for each thread
+rather than the same for threads on the same core. This didn't affect
+systems with SMT disabled. Make cpu_core_id be what it is defined to be.
+
+Signed-off-by: Yazen Ghannam <Yazen.Ghannam@amd.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20170205105022.8705-2-bp@alien8.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/amd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -319,6 +319,13 @@ static void amd_get_topology(struct cpui
+ if (c->x86 == 0x15)
+ c->cu_id = ebx & 0xff;
+
++ if (c->x86 >= 0x17) {
++ c->cpu_core_id = ebx & 0xff;
++
++ if (smp_num_siblings > 1)
++ c->x86_max_cores /= smp_num_siblings;
++ }
++
+ /*
+ * We may have multiple LLCs if L3 caches exist, so check if we
+ * have an L3 cache by looking at the L3 cache CPUID leaf.
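Review bot: `c->x86_max_cores /= smp_num_siblings;` truncates, so if firmware or a hypervisor reports more siblings in leaf 0x8000001e than `x86_max_cores` holds, the result becomes 0. The divisor itself cannot be zero, because the previous patch computes it as `((ebx >> 8) & 0xff) + 1`. Whether later code in amd_get_topology() or its callers tolerates a zero core count is not visible from this hunk. Tightening the guard to `if (smp_num_siblings > 1 && c->x86_max_cores >= smp_num_siblings)`, or warning on the inconsistent case, would surface a bad CPUID report instead of propagating it. The function begins and ends outside the hunk.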
--- /dev/null
+From 146fbb766934dc003fcbf755b519acef683576bf Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Date: Fri, 10 Feb 2017 12:54:05 +0300
+Subject: x86/mm/ptdump: Fix soft lockup in page table walker
+
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+
+commit 146fbb766934dc003fcbf755b519acef683576bf upstream.
+
+CONFIG_KASAN=y needs a lot of virtual memory mapped for its shadow.
+In that case ptdump_walk_pgd_level_core() takes a lot of time to
+walk across all page tables and doing this without
+a rescheduling causes soft lockups:
+
+ NMI watchdog: BUG: soft lockup - CPU#3 stuck for 23s! [swapper/0:1]
+ ...
+ Call Trace:
+ ptdump_walk_pgd_level_core+0x40c/0x550
+ ptdump_walk_pgd_level_checkwx+0x17/0x20
+ mark_rodata_ro+0x13b/0x150
+ kernel_init+0x2f/0x120
+ ret_from_fork+0x2c/0x40
+
+I guess that this issue might arise even without KASAN on huge machines
+with several terabytes of RAM.
+
+Stick cond_resched() in pgd loop to fix this.
+
+Reported-by: Tobias Regnery <tobias.regnery@gmail.com>
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: kasan-dev@googlegroups.com
+Cc: Alexander Potapenko <glider@google.com>
+Cc: "Paul E . McKenney" <paulmck@linux.vnet.ibm.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Link: http://lkml.kernel.org/r/20170210095405.31802-1-aryabinin@virtuozzo.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/mm/dump_pagetables.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/mm/dump_pagetables.c
++++ b/arch/x86/mm/dump_pagetables.c
+@@ -15,6 +15,7 @@
+ #include <linux/debugfs.h>
+ #include <linux/mm.h>
+ #include <linux/init.h>
++#include <linux/sched.h>
+ #include <linux/seq_file.h>
+
+ #include <asm/pgtable.h>
+@@ -406,6 +407,7 @@ static void ptdump_walk_pgd_level_core(s
+ } else
+ note_page(m, &st, __pgprot(0), 1);
+
++ cond_resched();
+ start++;
+ }
+
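Review bot: The added `cond_resched();` carries no comment, and it quietly turns the page-table walker into a function that can reschedule. A line above it such as `/* Walking a large (e.g. KASAN shadow) address space can take many seconds; yield to avoid soft lockups. */` would record why it is there. The function's header comment, which is outside this hunk, should state that callers must be in a context where rescheduling is allowed. The call trace in the description shows the mark_rodata_ro() path; other callers are not visible here and should be checked against that requirement.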
--- /dev/null
+From 74470954857c264168d2b5a113904cf0cfd27d18 Mon Sep 17 00:00:00 2001
+From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Date: Mon, 30 Jan 2017 12:45:46 -0500
+Subject: xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
+
+From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+
+commit 74470954857c264168d2b5a113904cf0cfd27d18 upstream.
+
+rx_refill_timer should be deleted as soon as we disconnect from the
+backend since otherwise it is possible for the timer to go off before
+we get to xennet_destroy_queues(). If this happens we may dereference
+queue->rx.sring which is set to NULL in xennet_disconnect_backend().
+
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/xen-netfront.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -1397,6 +1397,8 @@ static void xennet_disconnect_backend(st
+ for (i = 0; i < num_queues && info->queues; ++i) {
+ struct netfront_queue *queue = &info->queues[i];
+
++ del_timer_sync(&queue->rx_refill_timer);
++
+ if (queue->tx_irq && (queue->tx_irq == queue->rx_irq))
+ unbind_from_irqhandler(queue->tx_irq, queue);
+ if (queue->tx_irq && (queue->tx_irq != queue->rx_irq)) {
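Review bot: `del_timer_sync(&queue->rx_refill_timer);` only guarantees that the handler is not running when it returns; it does not stop another path from re-arming the timer afterwards. Here the call sits before the IRQ handlers are unbound, whereas the line removed from xennet_destroy_queues() ran after `napi_disable()`, so the ordering relative to NAPI has changed. Whether the receive path can still re-arm the timer at this point is not visible from the hunk. If something earlier in xennet_disconnect_backend() rules that out, a comment here should say so, e.g. `/* Timer cannot be re-armed past this point: <reason> */`. The function starts and ends outside the hunk.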
+@@ -1751,7 +1753,6 @@ static void xennet_destroy_queues(struct
+
+ if (netif_running(info->netdev))
+ napi_disable(&queue->napi);
+- del_timer_sync(&queue->rx_refill_timer);
+ netif_napi_del(&queue->napi);
+ }
+