--- /dev/null
+From 4e0973a918b9a42e217093f078e04a61e5dd95a5 Mon Sep 17 00:00:00 2001
+From: Devin Heitmueller <dheitmueller@kernellabs.com>
+Date: Sat, 20 Sep 2014 09:23:44 -0300
+Subject: [media] cx88: Fix regression in initial video standard setting
+
+From: Devin Heitmueller <dheitmueller@kernellabs.com>
+
+commit 4e0973a918b9a42e217093f078e04a61e5dd95a5 upstream.
+
+Setting initial standard at the top of cx8800_initdev would cause the
+first call to cx88_set_tvnorm() to return without programming any
+registers (leaving the driver saying it's set to NTSC but the hardware
+isn't programmed). Even worse, any subsequent attempt to explicitly
+set it to NTSC-M will return success but actually fail to program the
+underlying registers unless first changing the standard to something
+other than NTSC-M.
+
+Set the initial standard later in the process, and make sure the field
+is zero at the beginning to ensure that the call always goes through.
+
+This regression was introduced in the following commit:
+
+commit ccd6f1d488e7 ("[media] cx88: move width, height and field to core
+struct")
+
+Author: Hans Verkuil <hans.verkuil@cisco.com>
+
+[media] cx88: move width, height and field to core struct
+
+Signed-off-by: Devin Heitmueller <dheitmueller@kernellabs.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/pci/cx88/cx88-cards.c | 9 ++++++++-
+ drivers/media/pci/cx88/cx88-video.c | 2 +-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/pci/cx88/cx88-cards.c
++++ b/drivers/media/pci/cx88/cx88-cards.c
+@@ -3691,7 +3691,14 @@ struct cx88_core *cx88_core_create(struc
+ core->nr = nr;
+ sprintf(core->name, "cx88[%d]", core->nr);
+
+- core->tvnorm = V4L2_STD_NTSC_M;
++ /*
++ * Note: Setting initial standard here would cause first call to
++ * cx88_set_tvnorm() to return without programming any registers. Leave
++ * it blank for at this point and it will get set later in
++ * cx8800_initdev()
++ */
++ core->tvnorm = 0;
++
+ core->width = 320;
+ core->height = 240;
+ core->field = V4L2_FIELD_INTERLACED;
+--- a/drivers/media/pci/cx88/cx88-video.c
++++ b/drivers/media/pci/cx88/cx88-video.c
+@@ -1422,7 +1422,7 @@ static int cx8800_initdev(struct pci_dev
+
+ /* initial device configuration */
+ mutex_lock(&core->lock);
+- cx88_set_tvnorm(core, core->tvnorm);
++ cx88_set_tvnorm(core, V4L2_STD_NTSC_M);
+ v4l2_ctrl_handler_setup(&core->video_hdl);
+ v4l2_ctrl_handler_setup(&core->audio_hdl);
+ cx88_video_mux(core, 0);
--- /dev/null
+From 9156e723301c0a7a7def4cde820e018ce791b842 Mon Sep 17 00:00:00 2001
+From: Tom St Denis <tom.stdenis@amd.com>
+Date: Tue, 23 May 2017 11:35:22 -0400
+Subject: drm/amd/amdgpu: Return error if initiating read out of range on vram
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tom St Denis <tom.stdenis@amd.com>
+
+commit 9156e723301c0a7a7def4cde820e018ce791b842 upstream.
+
+If you initiate a read that is out of the VRAM address space return
+ENXIO instead of 0.
+
+Reads that begin below that point will read upto the VRAM limit as
+before.
+
+Signed-off-by: Tom St Denis <tom.stdenis@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+@@ -1419,6 +1419,9 @@ static ssize_t amdgpu_ttm_vram_read(stru
+ if (size & 0x3 || *pos & 0x3)
+ return -EINVAL;
+
++ if (*pos >= adev->mc.mc_vram_size)
++ return -ENXIO;
++
+ while (size) {
+ unsigned long flags;
+ uint32_t value;
--- /dev/null
+From ab03d9fe508f4e2914a8f4a9eef1b21051cacd0f Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Thu, 11 May 2017 13:14:14 -0400
+Subject: drm/radeon/ci: disable mclk switching for high refresh rates (v2)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit ab03d9fe508f4e2914a8f4a9eef1b21051cacd0f upstream.
+
+Even if the vblank period would allow it, it still seems to
+be problematic on some cards.
+
+v2: fix logic inversion (Nils)
+
+bug: https://bugs.freedesktop.org/show_bug.cgi?id=96868
+
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/ci_dpm.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/ci_dpm.c
++++ b/drivers/gpu/drm/radeon/ci_dpm.c
+@@ -782,6 +782,12 @@ bool ci_dpm_vblank_too_short(struct rade
+ if (r600_dpm_get_vrefresh(rdev) > 120)
+ return true;
+
++ /* disable mclk switching if the refresh is >120Hz, even if the
++ * blanking period would allow it
++ */
++ if (r600_dpm_get_vrefresh(rdev) > 120)
++ return true;
++
+ if (vblank_time < switch_limit)
+ return true;
+ else
--- /dev/null
+From 564d8a2cf3abf16575af48bdc3e86e92ee8a617d Mon Sep 17 00:00:00 2001
+From: Mario Kleiner <mario.kleiner.de@gmail.com>
+Date: Fri, 7 Jul 2017 04:57:04 +0200
+Subject: drm/radeon: Fix eDP for single-display iMac10,1 (v2)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mario Kleiner <mario.kleiner.de@gmail.com>
+
+commit 564d8a2cf3abf16575af48bdc3e86e92ee8a617d upstream.
+
+The late 2009, 27 inch Apple iMac10,1 has an
+internal eDP display and an external Mini-
+Displayport output, driven by a DCE-3.2, RV730
+Radeon Mobility HD-4670.
+
+The machine worked fine in a dual-display setup
+with eDP panel + externally connected HDMI
+or DVI-D digital display sink, connected via
+MiniDP to DVI or HDMI adapter.
+
+However, booting the machine single-display with
+only eDP panel results in a completely black
+display - even backlight powering off, as soon as
+the radeon modesetting driver loads.
+
+This patch fixes the single dispay eDP case by
+assigning encoders based on dig->linkb, similar
+to DCE-4+. While this should not be generally
+necessary (Alex: "...atom on normal boards
+should be able to handle any mapping."), Apple
+seems to use some special routing here.
+
+One remaining problem not solved by this patch
+is that an external Minidisplayport->DP sink
+does still not work on iMac10,1, whereas external
+DVI and HDMI sinks continue to work.
+
+The problem affects at least all tested kernels
+since Linux 3.13 - didn't test earlier kernels, so
+backporting to stable probably makes sense.
+
+v2: With the original patch from 2016, Alex was worried it
+ will break other DCE3.2 systems. Use dmi_match() to
+ apply this special encoder assignment only for the
+ Apple iMac 10,1 from late 2009.
+
+Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: Michel Dänzer <michel.daenzer@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/atombios_encoders.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/atombios_encoders.c
++++ b/drivers/gpu/drm/radeon/atombios_encoders.c
+@@ -30,6 +30,7 @@
+ #include "radeon_audio.h"
+ #include "atom.h"
+ #include <linux/backlight.h>
++#include <linux/dmi.h>
+
+ extern int atom_debug;
+
+@@ -2183,9 +2184,17 @@ int radeon_atom_pick_dig_encoder(struct
+ goto assigned;
+ }
+
+- /* on DCE32 and encoder can driver any block so just crtc id */
++ /*
++ * On DCE32 any encoder can drive any block so usually just use crtc id,
++ * but Apple thinks different at least on iMac10,1, so there use linkb,
++ * otherwise the internal eDP panel will stay dark.
++ */
+ if (ASIC_IS_DCE32(rdev)) {
+- enc_idx = radeon_crtc->crtc_id;
++ if (dmi_match(DMI_PRODUCT_NAME, "iMac10,1"))
++ enc_idx = (dig->linkb) ? 1 : 0;
++ else
++ enc_idx = radeon_crtc->crtc_id;
++
+ goto assigned;
+ }
+
--- /dev/null
+From a992f2d38e4ce17b8c7d1f7f67b2de0eebdea069 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 21 Jun 2017 14:34:15 +0200
+Subject: ext2: Don't clear SGID when inheriting ACLs
+
+From: Jan Kara <jack@suse.cz>
+
+commit a992f2d38e4ce17b8c7d1f7f67b2de0eebdea069 upstream.
+
+When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
+set, DIR1 is expected to have SGID bit set (and owning group equal to
+the owning group of 'DIR0'). However when 'DIR0' also has some default
+ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
+'DIR1' to get cleared if user is not member of the owning group.
+
+Fix the problem by creating __ext2_set_acl() function that does not call
+posix_acl_update_mode() and use it when inheriting ACLs. That prevents
+SGID bit clearing and the mode has been properly set by
+posix_acl_create() anyway.
+
+Fixes: 073931017b49d9458aa351605b43a7e34598caef
+CC: linux-ext4@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext2/acl.c | 36 ++++++++++++++++++++++--------------
+ 1 file changed, 22 insertions(+), 14 deletions(-)
+
+--- a/fs/ext2/acl.c
++++ b/fs/ext2/acl.c
+@@ -175,11 +175,8 @@ ext2_get_acl(struct inode *inode, int ty
+ return acl;
+ }
+
+-/*
+- * inode->i_mutex: down
+- */
+-int
+-ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
++static int
++__ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
+ {
+ int name_index;
+ void *value = NULL;
+@@ -189,13 +186,6 @@ ext2_set_acl(struct inode *inode, struct
+ switch(type) {
+ case ACL_TYPE_ACCESS:
+ name_index = EXT2_XATTR_INDEX_POSIX_ACL_ACCESS;
+- if (acl) {
+- error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+- if (error)
+- return error;
+- inode->i_ctime = current_time(inode);
+- mark_inode_dirty(inode);
+- }
+ break;
+
+ case ACL_TYPE_DEFAULT:
+@@ -222,6 +212,24 @@ ext2_set_acl(struct inode *inode, struct
+ }
+
+ /*
++ * inode->i_mutex: down
++ */
++int
++ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
++{
++ int error;
++
++ if (type == ACL_TYPE_ACCESS && acl) {
++ error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
++ if (error)
++ return error;
++ inode->i_ctime = current_time(inode);
++ mark_inode_dirty(inode);
++ }
++ return __ext2_set_acl(inode, acl, type);
++}
++
++/*
+ * Initialize the ACLs of a new inode. Called from ext2_new_inode.
+ *
+ * dir->i_mutex: down
+@@ -238,12 +246,12 @@ ext2_init_acl(struct inode *inode, struc
+ return error;
+
+ if (default_acl) {
+- error = ext2_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
++ error = __ext2_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
+ posix_acl_release(default_acl);
+ }
+ if (acl) {
+ if (!error)
+- error = ext2_set_acl(inode, acl, ACL_TYPE_ACCESS);
++ error = __ext2_set_acl(inode, acl, ACL_TYPE_ACCESS);
+ posix_acl_release(acl);
+ }
+ return error;
--- /dev/null
+From c925dc162f770578ff4a65ec9b08270382dba9e6 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Tue, 11 Jul 2017 14:56:49 -0700
+Subject: f2fs: Don't clear SGID when inheriting ACLs
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+commit c925dc162f770578ff4a65ec9b08270382dba9e6 upstream.
+
+This patch copies commit b7f8a09f80:
+"btrfs: Don't clear SGID when inheriting ACLs" written by Jan.
+
+Fixes: 073931017b49d9458aa351605b43a7e34598caef
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/acl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/f2fs/acl.c
++++ b/fs/f2fs/acl.c
+@@ -211,7 +211,7 @@ static int __f2fs_set_acl(struct inode *
+ switch (type) {
+ case ACL_TYPE_ACCESS:
+ name_index = F2FS_XATTR_INDEX_POSIX_ACL_ACCESS;
+- if (acl) {
++ if (acl && !ipage) {
+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (error)
+ return error;
--- /dev/null
+From 21d3f8e1c3b7996ce239ab6fa82e9f7a8c47d84d Mon Sep 17 00:00:00 2001
+From: Jin Qian <jinqian@android.com>
+Date: Thu, 1 Jun 2017 11:18:30 -0700
+Subject: f2fs: sanity check size of nat and sit cache
+
+From: Jin Qian <jinqian@android.com>
+
+commit 21d3f8e1c3b7996ce239ab6fa82e9f7a8c47d84d upstream.
+
+Make sure number of entires doesn't exceed max journal size.
+
+Signed-off-by: Jin Qian <jinqian@android.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/segment.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -1805,6 +1805,8 @@ static int read_normal_summaries(struct
+
+ static int restore_curseg_summaries(struct f2fs_sb_info *sbi)
+ {
++ struct f2fs_journal *sit_j = CURSEG_I(sbi, CURSEG_COLD_DATA)->journal;
++ struct f2fs_journal *nat_j = CURSEG_I(sbi, CURSEG_HOT_DATA)->journal;
+ int type = CURSEG_HOT_DATA;
+ int err;
+
+@@ -1831,6 +1833,11 @@ static int restore_curseg_summaries(stru
+ return err;
+ }
+
++ /* sanity check for summary blocks */
++ if (nats_in_cursum(nat_j) > NAT_JOURNAL_ENTRIES ||
++ sits_in_cursum(sit_j) > SIT_JOURNAL_ENTRIES)
++ return -EINVAL;
++
+ return 0;
+ }
+
--- /dev/null
+From 4495ec6d770e1bca7a04e93ac453ab6720c56c5d Mon Sep 17 00:00:00 2001
+From: Corey Minyard <cminyard@mvista.com>
+Date: Fri, 30 Jun 2017 07:18:08 -0500
+Subject: ipmi:ssif: Add missing unlock in error branch
+
+From: Corey Minyard <cminyard@mvista.com>
+
+commit 4495ec6d770e1bca7a04e93ac453ab6720c56c5d upstream.
+
+When getting flags, a response to a different message would
+result in a deadlock because of a missing unlock. Add that
+unlock and a comment. Found by static analysis.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/ipmi/ipmi_ssif.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -762,6 +762,11 @@ static void msg_done_handler(struct ssif
+ result, len, data[2]);
+ } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2
+ || data[1] != IPMI_GET_MSG_FLAGS_CMD) {
++ /*
++ * Don't abort here, maybe it was a queued
++ * response to a previous command.
++ */
++ ipmi_ssif_unlock_cond(ssif_info, flags);
+ pr_warn(PFX "Invalid response getting flags: %x %x\n",
+ data[0], data[1]);
+ } else {
--- /dev/null
+From cdea46566bb21ce309725a024208322a409055cc Mon Sep 17 00:00:00 2001
+From: Tony Camuso <tcamuso@redhat.com>
+Date: Mon, 19 Jun 2017 13:17:33 -0400
+Subject: ipmi: use rcu lock around call to intf->handlers->sender()
+
+From: Tony Camuso <tcamuso@redhat.com>
+
+commit cdea46566bb21ce309725a024208322a409055cc upstream.
+
+A vendor with a system having more than 128 CPUs occasionally encounters
+the following crash during shutdown. This is not an easily reproduceable
+event, but the vendor was able to provide the following analysis of the
+crash, which exhibits the same footprint each time.
+
+crash> bt
+PID: 0 TASK: ffff88017c70ce70 CPU: 5 COMMAND: "swapper/5"
+ #0 [ffff88085c143ac8] machine_kexec at ffffffff81059c8b
+ #1 [ffff88085c143b28] __crash_kexec at ffffffff811052e2
+ #2 [ffff88085c143bf8] crash_kexec at ffffffff811053d0
+ #3 [ffff88085c143c10] oops_end at ffffffff8168ef88
+ #4 [ffff88085c143c38] no_context at ffffffff8167ebb3
+ #5 [ffff88085c143c88] __bad_area_nosemaphore at ffffffff8167ec49
+ #6 [ffff88085c143cd0] bad_area_nosemaphore at ffffffff8167edb3
+ #7 [ffff88085c143ce0] __do_page_fault at ffffffff81691d1e
+ #8 [ffff88085c143d40] do_page_fault at ffffffff81691ec5
+ #9 [ffff88085c143d70] page_fault at ffffffff8168e188
+ [exception RIP: unknown or invalid address]
+ RIP: ffffffffa053c800 RSP: ffff88085c143e28 RFLAGS: 00010206
+ RAX: ffff88017c72bfd8 RBX: ffff88017a8dc000 RCX: ffff8810588b5ac8
+ RDX: ffff8810588b5a00 RSI: ffffffffa053c800 RDI: ffff8810588b5a00
+ RBP: ffff88085c143e58 R8: ffff88017c70d408 R9: ffff88017a8dc000
+ R10: 0000000000000002 R11: ffff88085c143da0 R12: ffff8810588b5ac8
+ R13: 0000000000000100 R14: ffffffffa053c800 R15: ffff8810588b5a00
+ ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
+ <IRQ stack>
+ [exception RIP: cpuidle_enter_state+82]
+ RIP: ffffffff81514192 RSP: ffff88017c72be50 RFLAGS: 00000202
+ RAX: 0000001e4c3c6f16 RBX: 000000000000f8a0 RCX: 0000000000000018
+ RDX: 0000000225c17d03 RSI: ffff88017c72bfd8 RDI: 0000001e4c3c6f16
+ RBP: ffff88017c72be78 R8: 000000000000237e R9: 0000000000000018
+ R10: 0000000000002494 R11: 0000000000000001 R12: ffff88017c72be20
+ R13: ffff88085c14f8e0 R14: 0000000000000082 R15: 0000001e4c3bb400
+ ORIG_RAX: ffffffffffffff10 CS: 0010 SS: 0018
+
+This is the corresponding stack trace
+
+It has crashed because the area pointed with RIP extracted from timer
+element is already removed during a shutdown process.
+
+The function is smi_timeout().
+
+And we think ffff8810588b5a00 in RDX is a parameter struct smi_info
+
+crash> rd ffff8810588b5a00 20
+ffff8810588b5a00: ffff8810588b6000 0000000000000000 .`.X............
+ffff8810588b5a10: ffff880853264400 ffffffffa05417e0 .D&S......T.....
+ffff8810588b5a20: 24a024a000000000 0000000000000000 .....$.$........
+ffff8810588b5a30: 0000000000000000 0000000000000000 ................
+ffff8810588b5a30: 0000000000000000 0000000000000000 ................
+ffff8810588b5a40: ffffffffa053a040 ffffffffa053a060 @.S.....`.S.....
+ffff8810588b5a50: 0000000000000000 0000000100000001 ................
+ffff8810588b5a60: 0000000000000000 0000000000000e00 ................
+ffff8810588b5a70: ffffffffa053a580 ffffffffa053a6e0 ..S.......S.....
+ffff8810588b5a80: ffffffffa053a4a0 ffffffffa053a250 ..S.....P.S.....
+ffff8810588b5a90: 0000000500000002 0000000000000000 ................
+
+Unfortunately the top of this area is already detroyed by someone.
+But because of two reasonns we think this is struct smi_info
+ 1) The address included in between ffff8810588b5a70 and ffff8810588b5a80:
+ are inside of ipmi_si_intf.c see crash> module ffff88085779d2c0
+
+ 2) We've found the area which point this.
+ It is offset 0x68 of ffff880859df4000
+
+crash> rd ffff880859df4000 100
+ffff880859df4000: 0000000000000000 0000000000000001 ................
+ffff880859df4010: ffffffffa0535290 dead000000000200 .RS.............
+ffff880859df4020: ffff880859df4020 ffff880859df4020 @.Y.... @.Y....
+ffff880859df4030: 0000000000000002 0000000000100010 ................
+ffff880859df4040: ffff880859df4040 ffff880859df4040 @@.Y....@@.Y....
+ffff880859df4050: 0000000000000000 0000000000000000 ................
+ffff880859df4060: 0000000000000000 ffff8810588b5a00 .........Z.X....
+ffff880859df4070: 0000000000000001 ffff880859df4078 ........x@.Y....
+
+ If we regards it as struct ipmi_smi in shutdown process
+ it looks consistent.
+
+The remedy for this apparent race is affixed below.
+
+Signed-off-by: Tony Camuso <tcamuso@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+This was first introduced in 7ea0ed2b5be817 ipmi: Make the
+message handler easier to use for SMI interfaces
+where some code was moved outside of the rcu_read_lock()
+and the lock was not added.
+
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+
+---
+ drivers/char/ipmi/ipmi_msghandler.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/char/ipmi/ipmi_msghandler.c
++++ b/drivers/char/ipmi/ipmi_msghandler.c
+@@ -3877,6 +3877,9 @@ static void smi_recv_tasklet(unsigned lo
+ * because the lower layer is allowed to hold locks while calling
+ * message delivery.
+ */
++
++ rcu_read_lock();
++
+ if (!run_to_completion)
+ spin_lock_irqsave(&intf->xmit_msgs_lock, flags);
+ if (intf->curr_msg == NULL && !intf->in_shutdown) {
+@@ -3899,6 +3902,8 @@ static void smi_recv_tasklet(unsigned lo
+ if (newmsg)
+ intf->handlers->sender(intf->send_info, newmsg);
+
++ rcu_read_unlock();
++
+ handle_new_recv_msgs(intf);
+ }
+
--- /dev/null
+From c13c43d54f2c6a3be1c675766778ac1ad8dfbfcc Mon Sep 17 00:00:00 2001
+From: Vishal Verma <vishal.l.verma@intel.com>
+Date: Thu, 29 Jun 2017 16:59:11 -0600
+Subject: libnvdimm, btt: fix btt_rw_page not returning errors
+
+From: Vishal Verma <vishal.l.verma@intel.com>
+
+commit c13c43d54f2c6a3be1c675766778ac1ad8dfbfcc upstream.
+
+btt_rw_page was not propagating errors frm btt_do_bvec, resulting in any
+IO errors via the rw_page path going unnoticed. the pmem driver recently
+fixed this in e10624f pmem: fail io-requests to known bad blocks
+but same problem in BTT went neglected.
+
+Fixes: 5212e11fde4d ("nd_btt: atomic sector updates")
+Cc: Toshi Kani <toshi.kani@hpe.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Jeff Moyer <jmoyer@redhat.com>
+Signed-off-by: Vishal Verma <vishal.l.verma@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/btt.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/nvdimm/btt.c
++++ b/drivers/nvdimm/btt.c
+@@ -1203,10 +1203,13 @@ static int btt_rw_page(struct block_devi
+ struct page *page, bool is_write)
+ {
+ struct btt *btt = bdev->bd_disk->private_data;
++ int rc;
+
+- btt_do_bvec(btt, NULL, page, PAGE_SIZE, 0, is_write, sector);
+- page_endio(page, is_write, 0);
+- return 0;
++ rc = btt_do_bvec(btt, NULL, page, PAGE_SIZE, 0, is_write, sector);
++ if (rc == 0)
++ page_endio(page, is_write, 0);
++
++ return rc;
+ }
+
+
--- /dev/null
+From 4e3f0701f25ab194c5362576b1146a1e6cc6c2e7 Mon Sep 17 00:00:00 2001
+From: Toshi Kani <toshi.kani@hpe.com>
+Date: Fri, 7 Jul 2017 17:44:26 -0600
+Subject: libnvdimm: fix badblock range handling of ARS range
+
+From: Toshi Kani <toshi.kani@hpe.com>
+
+commit 4e3f0701f25ab194c5362576b1146a1e6cc6c2e7 upstream.
+
+__add_badblock_range() does not account sector alignment when
+it sets 'num_sectors'. Therefore, an ARS error record range
+spanning across two sectors is set to a single sector length,
+which leaves the 2nd sector unprotected.
+
+Change __add_badblock_range() to set 'num_sectors' properly.
+
+Fixes: 0caeef63e6d2 ("libnvdimm: Add a poison list and export badblocks")
+Signed-off-by: Toshi Kani <toshi.kani@hpe.com>
+Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/core.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/nvdimm/core.c
++++ b/drivers/nvdimm/core.c
+@@ -450,14 +450,15 @@ static void set_badblock(struct badblock
+ static void __add_badblock_range(struct badblocks *bb, u64 ns_offset, u64 len)
+ {
+ const unsigned int sector_size = 512;
+- sector_t start_sector;
++ sector_t start_sector, end_sector;
+ u64 num_sectors;
+ u32 rem;
+
+ start_sector = div_u64(ns_offset, sector_size);
+- num_sectors = div_u64_rem(len, sector_size, &rem);
++ end_sector = div_u64_rem(ns_offset + len, sector_size, &rem);
+ if (rem)
+- num_sectors++;
++ end_sector++;
++ num_sectors = end_sector - start_sector;
+
+ if (unlikely(num_sectors > (u64)INT_MAX)) {
+ u64 remaining = num_sectors;
--- /dev/null
+From b5d27718f38843a74552e9a93d32e2391fd3999f Mon Sep 17 00:00:00 2001
+From: Xiao Ni <xni@redhat.com>
+Date: Wed, 5 Jul 2017 17:34:04 +0800
+Subject: Raid5 should update rdev->sectors after reshape
+
+From: Xiao Ni <xni@redhat.com>
+
+commit b5d27718f38843a74552e9a93d32e2391fd3999f upstream.
+
+The raid5 md device is created by the disks which we don't use the total size. For example,
+the size of the device is 5G and it just uses 3G of the devices to create one raid5 device.
+Then change the chunksize and wait reshape to finish. After reshape finishing stop the raid
+and assemble it again. It fails.
+mdadm -CR /dev/md0 -l5 -n3 /dev/loop[0-2] --size=3G --chunk=32 --assume-clean
+mdadm /dev/md0 --grow --chunk=64
+wait reshape to finish
+mdadm -S /dev/md0
+mdadm -As
+The error messages:
+[197519.814302] md: loop1 does not have a valid v1.2 superblock, not importing!
+[197519.821686] md: md_import_device returned -22
+
+After reshape the data offset is changed. It selects backwards direction in this condition.
+In function super_1_load it compares the available space of the underlying device with
+sb->data_size. The new data offset gets bigger after reshape. So super_1_load returns -EINVAL.
+rdev->sectors is updated in md_finish_reshape. Then sb->data_size is set in super_1_sync based
+on rdev->sectors. So add md_finish_reshape in end_reshape.
+
+Signed-off-by: Xiao Ni <xni@redhat.com>
+Acked-by: Guoqing Jiang <gqjiang@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid5.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -7560,12 +7560,10 @@ static void end_reshape(struct r5conf *c
+ {
+
+ if (!test_bit(MD_RECOVERY_INTR, &conf->mddev->recovery)) {
+- struct md_rdev *rdev;
+
+ spin_lock_irq(&conf->device_lock);
+ conf->previous_raid_disks = conf->raid_disks;
+- rdev_for_each(rdev, conf->mddev)
+- rdev->data_offset = rdev->new_data_offset;
++ md_finish_reshape(conf->mddev);
+ smp_wmb();
+ conf->reshape_progress = MaxSector;
+ conf->mddev->reshape_position = MaxSector;
--- /dev/null
+From c46fc0424ced3fb71208e72bd597d91b9169a781 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Thu, 29 Jun 2017 11:38:11 +0200
+Subject: s390/syscalls: Fix out of bounds arguments access
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+commit c46fc0424ced3fb71208e72bd597d91b9169a781 upstream.
+
+Zorro reported following crash while having enabled
+syscall tracing (CONFIG_FTRACE_SYSCALLS):
+
+ Unable to handle kernel pointer dereference at virtual ...
+ Oops: 0011 [#1] SMP DEBUG_PAGEALLOC
+
+ SNIP
+
+ Call Trace:
+ ([<000000000024d79c>] ftrace_syscall_enter+0xec/0x1d8)
+ [<00000000001099c6>] do_syscall_trace_enter+0x236/0x2f8
+ [<0000000000730f1c>] sysc_tracesys+0x1a/0x32
+ [<000003fffcf946a2>] 0x3fffcf946a2
+ INFO: lockdep is turned off.
+ Last Breaking-Event-Address:
+ [<000000000022dd44>] rb_event_data+0x34/0x40
+ ---[ end trace 8c795f86b1b3f7b9 ]---
+
+The crash happens in syscall_get_arguments function for
+syscalls with zero arguments, that will try to access
+first argument (args[0]) in event entry, but it's not
+allocated.
+
+Bail out of there are no arguments.
+
+Reported-by: Zorro Lang <zlang@redhat.com>
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/include/asm/syscall.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/s390/include/asm/syscall.h
++++ b/arch/s390/include/asm/syscall.h
+@@ -64,6 +64,12 @@ static inline void syscall_get_arguments
+ {
+ unsigned long mask = -1UL;
+
++ /*
++ * No arguments for this syscall, there's nothing to do.
++ */
++ if (!n)
++ return;
++
+ BUG_ON(i + n > 6);
+ #ifdef CONFIG_COMPAT
+ if (test_tsk_thread_flag(task, TIF_31BIT))
usb-renesas_usbhs-gadget-disable-all-eps-when-the-driver-stops.patch
md-don-t-use-flush_signals-in-userspace-processes.patch
x86-xen-allow-userspace-access-during-hypercalls.patch
+cx88-fix-regression-in-initial-video-standard-setting.patch
+libnvdimm-btt-fix-btt_rw_page-not-returning-errors.patch
+libnvdimm-fix-badblock-range-handling-of-ars-range.patch
+ext2-don-t-clear-sgid-when-inheriting-acls.patch
+raid5-should-update-rdev-sectors-after-reshape.patch
+s390-syscalls-fix-out-of-bounds-arguments-access.patch
+drm-amd-amdgpu-return-error-if-initiating-read-out-of-range-on-vram.patch
+drm-radeon-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch
+drm-radeon-fix-edp-for-single-display-imac10-1-v2.patch
+ipmi-use-rcu-lock-around-call-to-intf-handlers-sender.patch
+ipmi-ssif-add-missing-unlock-in-error-branch.patch
+xfs-don-t-clear-sgid-when-inheriting-acls.patch
+f2fs-sanity-check-size-of-nat-and-sit-cache.patch
+f2fs-don-t-clear-sgid-when-inheriting-acls.patch
--- /dev/null
+From 8ba358756aa08414fa9e65a1a41d28304ed6fd7f Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 26 Jun 2017 08:48:18 -0700
+Subject: xfs: Don't clear SGID when inheriting ACLs
+
+From: Jan Kara <jack@suse.cz>
+
+commit 8ba358756aa08414fa9e65a1a41d28304ed6fd7f upstream.
+
+When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
+set, DIR1 is expected to have SGID bit set (and owning group equal to
+the owning group of 'DIR0'). However when 'DIR0' also has some default
+ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
+'DIR1' to get cleared if user is not member of the owning group.
+
+Fix the problem by calling __xfs_set_acl() instead of xfs_set_acl() when
+setting up inode in xfs_generic_create(). That prevents SGID bit
+clearing and mode is properly set by posix_acl_create() anyway. We also
+reorder arguments of __xfs_set_acl() to match the ordering of
+xfs_set_acl() to make things consistent.
+
+Fixes: 073931017b49d9458aa351605b43a7e34598caef
+CC: Darrick J. Wong <darrick.wong@oracle.com>
+CC: linux-xfs@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_acl.c | 6 +++---
+ fs/xfs/xfs_acl.h | 1 +
+ fs/xfs/xfs_iops.c | 4 ++--
+ 3 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/fs/xfs/xfs_acl.c
++++ b/fs/xfs/xfs_acl.c
+@@ -170,8 +170,8 @@ xfs_get_acl(struct inode *inode, int typ
+ return acl;
+ }
+
+-STATIC int
+-__xfs_set_acl(struct inode *inode, int type, struct posix_acl *acl)
++int
++__xfs_set_acl(struct inode *inode, struct posix_acl *acl, int type)
+ {
+ struct xfs_inode *ip = XFS_I(inode);
+ unsigned char *ea_name;
+@@ -268,5 +268,5 @@ xfs_set_acl(struct inode *inode, struct
+ }
+
+ set_acl:
+- return __xfs_set_acl(inode, type, acl);
++ return __xfs_set_acl(inode, acl, type);
+ }
+--- a/fs/xfs/xfs_acl.h
++++ b/fs/xfs/xfs_acl.h
+@@ -24,6 +24,7 @@ struct posix_acl;
+ #ifdef CONFIG_XFS_POSIX_ACL
+ extern struct posix_acl *xfs_get_acl(struct inode *inode, int type);
+ extern int xfs_set_acl(struct inode *inode, struct posix_acl *acl, int type);
++extern int __xfs_set_acl(struct inode *inode, struct posix_acl *acl, int type);
+ #else
+ static inline struct posix_acl *xfs_get_acl(struct inode *inode, int type)
+ {
+--- a/fs/xfs/xfs_iops.c
++++ b/fs/xfs/xfs_iops.c
+@@ -190,12 +190,12 @@ xfs_generic_create(
+
+ #ifdef CONFIG_XFS_POSIX_ACL
+ if (default_acl) {
+- error = xfs_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
++ error = __xfs_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
+ if (error)
+ goto out_cleanup_inode;
+ }
+ if (acl) {
+- error = xfs_set_acl(inode, acl, ACL_TYPE_ACCESS);
++ error = __xfs_set_acl(inode, acl, ACL_TYPE_ACCESS);
+ if (error)
+ goto out_cleanup_inode;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
