4.13-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 15 Oct 2017 14:06:38 +0000 (16:06 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 15 Oct 2017 14:06:38 +0000 (16:06 +0200)
added patches:
alsa-caiaq-fix-stray-urb-at-probe-error-path.patch
alsa-line6-fix-leftover-urb-at-error-path-during-probe.patch
alsa-line6-fix-missing-initialization-before-error-path.patch
alsa-line6-fix-null-dereference-at-podhd_disconnect.patch
alsa-seq-fix-copy_from_user-call-inside-lock.patch
bio_copy_user_iov-don-t-ignore-iov_offset.patch
direct-io-prevent-null-pointer-access-in-submit_page_section.patch
drm-atomic-unref-duplicated-drm_atomic_state-in-drm_atomic_helper_resume.patch
drm-i915-bios-parse-ddi-ports-also-for-chv-for-hdmi-ddc-pin-and-dp-aux-channel.patch
drm-i915-edp-get-the-panel-power-off-timestamp-after-panel-is-off.patch
drm-i915-read-timings-from-the-correct-transcoder-in-intel_crtc_mode_get.patch
drm-i915-use-crtc_state_is_legacy_gamma-in-intel_color_check.patch
fix-unbalanced-page-refcounting-in-bio_map_user_iov.patch
genirq-cpuhotplug-add-sanity-check-for-effective-affinity-mask.patch
genirq-cpuhotplug-enforce-affinity-setting-on-startup-of-managed-irqs.patch
more-bio_map_user_iov-leak-fixes.patch
pci-aardvark-move-to-struct-pci_host_bridge-irq-mapping-functions.patch
perf-script-add-missing-separator-for-f-ip-brstack-and-brstackoff.patch
revert-pci-tegra-do-not-allocate-msi-target-memory.patch
usb-gadget-composite-fix-use-after-free-in-usb_composite_overwrite_options.patch
usb-gadget-configfs-fix-memory-leak-of-interface-directory-data.patch
usb-serial-console-fix-use-after-free-after-failed-setup.patch
usb-serial-console-fix-use-after-free-on-disconnect.patch
usb-serial-cp210x-add-support-for-elv-tfd500.patch
usb-serial-cp210x-fix-partnum-regression.patch
usb-serial-ftdi_sio-add-id-for-cypress-wiced-dev-board.patch
usb-serial-option-add-support-for-tp-link-lte-module.patch
usb-serial-qcserial-add-dell-dw5818-dw5819.patch

29 files changed:
queue-4.13/alsa-caiaq-fix-stray-urb-at-probe-error-path.patch [new file with mode: 0644]
queue-4.13/alsa-line6-fix-leftover-urb-at-error-path-during-probe.patch [new file with mode: 0644]
queue-4.13/alsa-line6-fix-missing-initialization-before-error-path.patch [new file with mode: 0644]
queue-4.13/alsa-line6-fix-null-dereference-at-podhd_disconnect.patch [new file with mode: 0644]
queue-4.13/alsa-seq-fix-copy_from_user-call-inside-lock.patch [new file with mode: 0644]
queue-4.13/bio_copy_user_iov-don-t-ignore-iov_offset.patch [new file with mode: 0644]
queue-4.13/direct-io-prevent-null-pointer-access-in-submit_page_section.patch [new file with mode: 0644]
queue-4.13/drm-atomic-unref-duplicated-drm_atomic_state-in-drm_atomic_helper_resume.patch [new file with mode: 0644]
queue-4.13/drm-i915-bios-parse-ddi-ports-also-for-chv-for-hdmi-ddc-pin-and-dp-aux-channel.patch [new file with mode: 0644]
queue-4.13/drm-i915-edp-get-the-panel-power-off-timestamp-after-panel-is-off.patch [new file with mode: 0644]
queue-4.13/drm-i915-read-timings-from-the-correct-transcoder-in-intel_crtc_mode_get.patch [new file with mode: 0644]
queue-4.13/drm-i915-use-crtc_state_is_legacy_gamma-in-intel_color_check.patch [new file with mode: 0644]
queue-4.13/fix-unbalanced-page-refcounting-in-bio_map_user_iov.patch [new file with mode: 0644]
queue-4.13/genirq-cpuhotplug-add-sanity-check-for-effective-affinity-mask.patch [new file with mode: 0644]
queue-4.13/genirq-cpuhotplug-enforce-affinity-setting-on-startup-of-managed-irqs.patch [new file with mode: 0644]
queue-4.13/more-bio_map_user_iov-leak-fixes.patch [new file with mode: 0644]
queue-4.13/pci-aardvark-move-to-struct-pci_host_bridge-irq-mapping-functions.patch [new file with mode: 0644]
queue-4.13/perf-script-add-missing-separator-for-f-ip-brstack-and-brstackoff.patch [new file with mode: 0644]
queue-4.13/revert-pci-tegra-do-not-allocate-msi-target-memory.patch [new file with mode: 0644]
queue-4.13/series
queue-4.13/usb-gadget-composite-fix-use-after-free-in-usb_composite_overwrite_options.patch [new file with mode: 0644]
queue-4.13/usb-gadget-configfs-fix-memory-leak-of-interface-directory-data.patch [new file with mode: 0644]
queue-4.13/usb-serial-console-fix-use-after-free-after-failed-setup.patch [new file with mode: 0644]
queue-4.13/usb-serial-console-fix-use-after-free-on-disconnect.patch [new file with mode: 0644]
queue-4.13/usb-serial-cp210x-add-support-for-elv-tfd500.patch [new file with mode: 0644]
queue-4.13/usb-serial-cp210x-fix-partnum-regression.patch [new file with mode: 0644]
queue-4.13/usb-serial-ftdi_sio-add-id-for-cypress-wiced-dev-board.patch [new file with mode: 0644]
queue-4.13/usb-serial-option-add-support-for-tp-link-lte-module.patch [new file with mode: 0644]
queue-4.13/usb-serial-qcserial-add-dell-dw5818-dw5819.patch [new file with mode: 0644]

diff --git a/queue-4.13/alsa-caiaq-fix-stray-urb-at-probe-error-path.patch b/queue-4.13/alsa-caiaq-fix-stray-urb-at-probe-error-path.patch
new file mode 100644 (file)
index 0000000..191ab37
--- /dev/null
@@ -0,0 +1,51 @@
+From 99fee508245825765ff60155fed43f970ff83a8f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 11 Oct 2017 16:39:02 +0200
+Subject: ALSA: caiaq: Fix stray URB at probe error path
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 99fee508245825765ff60155fed43f970ff83a8f upstream.
+
+caiaq driver doesn't kill the URB properly at its error path during
+the probe, which may lead to a use-after-free error later.  This patch
+addresses it.
+
+Reported-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/caiaq/device.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/caiaq/device.c
++++ b/sound/usb/caiaq/device.c
+@@ -469,10 +469,12 @@ static int init_card(struct snd_usb_caia
+       err = snd_usb_caiaq_send_command(cdev, EP1_CMD_GET_DEVICE_INFO, NULL, 0);
+       if (err)
+-              return err;
++              goto err_kill_urb;
+-      if (!wait_event_timeout(cdev->ep1_wait_queue, cdev->spec_received, HZ))
+-              return -ENODEV;
++      if (!wait_event_timeout(cdev->ep1_wait_queue, cdev->spec_received, HZ)) {
++              err = -ENODEV;
++              goto err_kill_urb;
++      }
+       usb_string(usb_dev, usb_dev->descriptor.iManufacturer,
+                  cdev->vendor_name, CAIAQ_USB_STR_LEN);
+@@ -507,6 +509,10 @@ static int init_card(struct snd_usb_caia
+       setup_card(cdev);
+       return 0;
++
++ err_kill_urb:
++      usb_kill_urb(&cdev->ep1_in_urb);
++      return err;
+ }
+ static int snd_probe(struct usb_interface *intf,
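Review bot: The new `err_kill_urb` label in init_card() has no comment saying why the URB must be stopped, and the point where `ep1_in_urb` is submitted lies outside the inner hunks. I would add `/* ep1_in_urb is already in flight; stop it before the failed probe tears the device down */` above the `usb_kill_urb()` call, since the description ties the missing kill to a later use-after-free. Only the two exits after snd_usb_caiaq_send_command() are visibly converted. Any other failure return between the submit and `setup_card()` that is not shown here would need the same `goto err_kill_urb`.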
diff --git a/queue-4.13/alsa-line6-fix-leftover-urb-at-error-path-during-probe.patch b/queue-4.13/alsa-line6-fix-leftover-urb-at-error-path-during-probe.patch
new file mode 100644 (file)
index 0000000..18290b0
--- /dev/null
@@ -0,0 +1,58 @@
+From c95072b3d88fac4be295815f2b67df366c0c297f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 9 Oct 2017 14:51:23 +0200
+Subject: ALSA: line6: Fix leftover URB at error-path during probe
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit c95072b3d88fac4be295815f2b67df366c0c297f upstream.
+
+While line6_probe() may kick off URB for a control MIDI endpoint, the
+function doesn't clean up it properly at its error path.  This results
+in a leftover URB action that is eventually triggered later and causes
+an Oops like:
+  general protection fault: 0000 [#1] PREEMPT SMP KASAN
+  CPU: 1 PID: 0 Comm: swapper/1 Not tainted
+  RIP: 0010:usb_fill_bulk_urb ./include/linux/usb.h:1619
+  RIP: 0010:line6_start_listen+0x3fe/0x9e0 sound/usb/line6/driver.c:76
+  Call Trace:
+   <IRQ>
+   line6_data_received+0x1f7/0x470 sound/usb/line6/driver.c:326
+   __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
+   usb_hcd_giveback_urb+0x337/0x420 drivers/usb/core/hcd.c:1845
+   dummy_timer+0xba9/0x39f0 drivers/usb/gadget/udc/dummy_hcd.c:1965
+   call_timer_fn+0x2a2/0x940 kernel/time/timer.c:1281
+   ....
+
+Since the whole clean-up procedure is done in line6_disconnect()
+callback, we can simply call it in the error path instead of
+open-coding the whole again.  It'll fix such an issue automagically.
+
+The bug was spotted by syzkaller.
+
+Fixes: eedd0e95d355 ("ALSA: line6: Don't forget to call driver's destructor at error path")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/line6/driver.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/line6/driver.c
++++ b/sound/usb/line6/driver.c
+@@ -779,9 +779,10 @@ int line6_probe(struct usb_interface *in
+       return 0;
+  error:
+-      if (line6->disconnect)
+-              line6->disconnect(line6);
+-      snd_card_free(card);
++      /* we can call disconnect callback here because no close-sync is
++       * needed yet at this point
++       */
++      line6_disconnect(interface);
+       return ret;
+ }
+ EXPORT_SYMBOL_GPL(line6_probe);
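Review bot: The `error:` path of line6_probe() now runs the complete line6_disconnect() on a device whose initialisation stopped half-way, and the added comment covers only the close-sync question, not what the teardown code must tolerate in that state. The two other line6 patches in this commit fix podhd_disconnect() for exactly that situation (uninitialised timer, NULL interface), so the three should stay queued together. I would extend the comment with something like `/* ->disconnect() callbacks must cope with partially initialised state */`. line6_probe() starts outside the hunk, so it cannot be checked here whether every jump to `error:` happens after the state line6_disconnect() relies on has been set up.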
diff --git a/queue-4.13/alsa-line6-fix-missing-initialization-before-error-path.patch b/queue-4.13/alsa-line6-fix-missing-initialization-before-error-path.patch
new file mode 100644 (file)
index 0000000..21fc4aa
--- /dev/null
@@ -0,0 +1,66 @@
+From cb02ffc76a53b5ea751b79b8d4f4d180e5868475 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 9 Oct 2017 14:32:15 +0200
+Subject: ALSA: line6: Fix missing initialization before error path
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit cb02ffc76a53b5ea751b79b8d4f4d180e5868475 upstream.
+
+The error path in podhd_init() tries to clear the pending timer, while
+the timer object is initialized at the end of init sequence, thus it
+may hit the uninitialized object, as spotted by syzkaller:
+
+  INFO: trying to register non-static key.
+  the code is fine but needs lockdep annotation.
+  turning off the locking correctness validator.
+  CPU: 1 PID: 1845 Comm: kworker/1:2 Not tainted
+  4.14.0-rc2-42613-g1488251d1a98 #238
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+  Workqueue: usb_hub_wq hub_event
+  Call Trace:
+   __dump_stack lib/dump_stack.c:16
+   dump_stack+0x292/0x395 lib/dump_stack.c:52
+   register_lock_class+0x6c4/0x1a00 kernel/locking/lockdep.c:769
+   __lock_acquire+0x27e/0x4550 kernel/locking/lockdep.c:3385
+   lock_acquire+0x259/0x620 kernel/locking/lockdep.c:4002
+   del_timer_sync+0x12c/0x280 kernel/time/timer.c:1237
+   podhd_disconnect+0x8c/0x160 sound/usb/line6/podhd.c:299
+   line6_probe+0x844/0x1310 sound/usb/line6/driver.c:783
+   podhd_probe+0x64/0x70 sound/usb/line6/podhd.c:474
+   ....
+
+For addressing it, assure the initializations of timer and work by
+moving them to the beginning of podhd_init().
+
+Fixes: 790869dacc3d ("ALSA: line6: Add support for POD X3")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/line6/podhd.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/line6/podhd.c
++++ b/sound/usb/line6/podhd.c
+@@ -318,6 +318,9 @@ static int podhd_init(struct usb_line6 *
+       line6->disconnect = podhd_disconnect;
++      init_timer(&pod->startup_timer);
++      INIT_WORK(&pod->startup_work, podhd_startup_workqueue);
++
+       if (pod->line6.properties->capabilities & LINE6_CAP_CONTROL) {
+               /* claim the data interface */
+               intf = usb_ifnum_to_if(line6->usbdev,
+@@ -359,8 +362,6 @@ static int podhd_init(struct usb_line6 *
+       }
+       /* init device and delay registering */
+-      init_timer(&pod->startup_timer);
+-      INIT_WORK(&pod->startup_work, podhd_startup_workqueue);
+       podhd_startup(pod);
+       return 0;
+ }
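Review bot: The moved `init_timer()` and `INIT_WORK()` calls in podhd_init() carry an ordering requirement that is not written down: they have to run before the first failure return, because the trace in the description shows podhd_disconnect() reaching `del_timer_sync()` from the probe error path. A comment such as `/* init before any failure return: podhd_disconnect() syncs the timer on the error path */` above them would keep a later reorder from bringing back the access to an uninitialised object. The body of podhd_disconnect() is not in this hunk, so anything else it touches should be checked for the same requirement.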
diff --git a/queue-4.13/alsa-line6-fix-null-dereference-at-podhd_disconnect.patch b/queue-4.13/alsa-line6-fix-null-dereference-at-podhd_disconnect.patch
new file mode 100644 (file)
index 0000000..e16cd7b
--- /dev/null
@@ -0,0 +1,37 @@
+From 54a4b2b45817ea2365b40c923c098a26af0c0dbb Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 9 Oct 2017 14:26:27 +0200
+Subject: ALSA: line6: Fix NULL dereference at podhd_disconnect()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 54a4b2b45817ea2365b40c923c098a26af0c0dbb upstream.
+
+When podhd_init() failed with the acquiring a ctrl i/f, the line6
+helper still calls the disconnect callback that eventually calls again
+usb_driver_release_interface() with the NULL intf.
+
+Put the proper NULL check before calling it for avoiding an Oops.
+
+Fixes: fc90172ba283 ("ALSA: line6: Claim pod x3 usb data interface")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/line6/podhd.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/line6/podhd.c
++++ b/sound/usb/line6/podhd.c
+@@ -301,7 +301,8 @@ static void podhd_disconnect(struct usb_
+               intf = usb_ifnum_to_if(line6->usbdev,
+                                       pod->line6.properties->ctrl_if);
+-              usb_driver_release_interface(&podhd_driver, intf);
++              if (intf)
++                      usb_driver_release_interface(&podhd_driver, intf);
+       }
+ }
diff --git a/queue-4.13/alsa-seq-fix-copy_from_user-call-inside-lock.patch b/queue-4.13/alsa-seq-fix-copy_from_user-call-inside-lock.patch
new file mode 100644 (file)
index 0000000..a27733e
--- /dev/null
@@ -0,0 +1,137 @@
+From 5803b023881857db32ffefa0d269c90280a67ee0 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 9 Oct 2017 10:02:56 +0200
+Subject: ALSA: seq: Fix copy_from_user() call inside lock
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 5803b023881857db32ffefa0d269c90280a67ee0 upstream.
+
+The event handler in the virmidi sequencer code takes a read-lock for
+the linked list traverse, while it's calling snd_seq_dump_var_event()
+in the loop.  The latter function may expand the user-space data
+depending on the event type.  It eventually invokes copy_from_user(),
+which might be a potential dead-lock.
+
+The sequencer core guarantees that the user-space data is passed only
+with atomic=0 argument, but snd_virmidi_dev_receive_event() ignores it
+and always takes read-lock().  For avoiding the problem above, this
+patch introduces rwsem for non-atomic case, while keeping rwlock for
+atomic case.
+
+Also while we're at it: the superfluous irq flags is dropped in
+snd_virmidi_input_open().
+
+Reported-by: Jia-Ju Bai <baijiaju1990@163.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/sound/seq_virmidi.h  |    1 +
+ sound/core/seq/seq_virmidi.c |   27 +++++++++++++++++++--------
+ 2 files changed, 20 insertions(+), 8 deletions(-)
+
+--- a/include/sound/seq_virmidi.h
++++ b/include/sound/seq_virmidi.h
+@@ -60,6 +60,7 @@ struct snd_virmidi_dev {
+       int port;                       /* created/attached port */
+       unsigned int flags;             /* SNDRV_VIRMIDI_* */
+       rwlock_t filelist_lock;
++      struct rw_semaphore filelist_sem;
+       struct list_head filelist;
+ };
+--- a/sound/core/seq/seq_virmidi.c
++++ b/sound/core/seq/seq_virmidi.c
+@@ -77,13 +77,17 @@ static void snd_virmidi_init_event(struc
+  * decode input event and put to read buffer of each opened file
+  */
+ static int snd_virmidi_dev_receive_event(struct snd_virmidi_dev *rdev,
+-                                       struct snd_seq_event *ev)
++                                       struct snd_seq_event *ev,
++                                       bool atomic)
+ {
+       struct snd_virmidi *vmidi;
+       unsigned char msg[4];
+       int len;
+-      read_lock(&rdev->filelist_lock);
++      if (atomic)
++              read_lock(&rdev->filelist_lock);
++      else
++              down_read(&rdev->filelist_sem);
+       list_for_each_entry(vmidi, &rdev->filelist, list) {
+               if (!vmidi->trigger)
+                       continue;
+@@ -97,7 +101,10 @@ static int snd_virmidi_dev_receive_event
+                               snd_rawmidi_receive(vmidi->substream, msg, len);
+               }
+       }
+-      read_unlock(&rdev->filelist_lock);
++      if (atomic)
++              read_unlock(&rdev->filelist_lock);
++      else
++              up_read(&rdev->filelist_sem);
+       return 0;
+ }
+@@ -115,7 +122,7 @@ int snd_virmidi_receive(struct snd_rawmi
+       struct snd_virmidi_dev *rdev;
+       rdev = rmidi->private_data;
+-      return snd_virmidi_dev_receive_event(rdev, ev);
++      return snd_virmidi_dev_receive_event(rdev, ev, true);
+ }
+ #endif  /*  0  */
+@@ -130,7 +137,7 @@ static int snd_virmidi_event_input(struc
+       rdev = private_data;
+       if (!(rdev->flags & SNDRV_VIRMIDI_USE))
+               return 0; /* ignored */
+-      return snd_virmidi_dev_receive_event(rdev, ev);
++      return snd_virmidi_dev_receive_event(rdev, ev, atomic);
+ }
+ /*
+@@ -209,7 +216,6 @@ static int snd_virmidi_input_open(struct
+       struct snd_virmidi_dev *rdev = substream->rmidi->private_data;
+       struct snd_rawmidi_runtime *runtime = substream->runtime;
+       struct snd_virmidi *vmidi;
+-      unsigned long flags;
+       vmidi = kzalloc(sizeof(*vmidi), GFP_KERNEL);
+       if (vmidi == NULL)
+@@ -223,9 +229,11 @@ static int snd_virmidi_input_open(struct
+       vmidi->client = rdev->client;
+       vmidi->port = rdev->port;       
+       runtime->private_data = vmidi;
+-      write_lock_irqsave(&rdev->filelist_lock, flags);
++      down_write(&rdev->filelist_sem);
++      write_lock_irq(&rdev->filelist_lock);
+       list_add_tail(&vmidi->list, &rdev->filelist);
+-      write_unlock_irqrestore(&rdev->filelist_lock, flags);
++      write_unlock_irq(&rdev->filelist_lock);
++      up_write(&rdev->filelist_sem);
+       vmidi->rdev = rdev;
+       return 0;
+ }
+@@ -264,9 +272,11 @@ static int snd_virmidi_input_close(struc
+       struct snd_virmidi_dev *rdev = substream->rmidi->private_data;
+       struct snd_virmidi *vmidi = substream->runtime->private_data;
++      down_write(&rdev->filelist_sem);
+       write_lock_irq(&rdev->filelist_lock);
+       list_del(&vmidi->list);
+       write_unlock_irq(&rdev->filelist_lock);
++      up_write(&rdev->filelist_sem);
+       snd_midi_event_free(vmidi->parser);
+       substream->runtime->private_data = NULL;
+       kfree(vmidi);
+@@ -520,6 +530,7 @@ int snd_virmidi_new(struct snd_card *car
+       rdev->rmidi = rmidi;
+       rdev->device = device;
+       rdev->client = -1;
++      init_rwsem(&rdev->filelist_sem);
+       rwlock_init(&rdev->filelist_lock);
+       INIT_LIST_HEAD(&rdev->filelist);
+       rdev->seq_mode = SNDRV_VIRMIDI_SEQ_DISPATCH;
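Review bot: `filelist` is now protected by two locks, but the rule is only implicit in the code, and the new `filelist_sem` member of struct snd_virmidi_dev has no comment. Readers take `filelist_sem` when `atomic` is false and `filelist_lock` otherwise, while the writers in snd_virmidi_input_open() and snd_virmidi_input_close() take both, semaphore first. I would document that next to the fields, e.g. `/* filelist: readers hold filelist_sem (may sleep) or filelist_lock (atomic); writers hold both, sem outside lock */`, so a later writer does not take only one of them. The paired `if (atomic)` lock and unlock branches in snd_virmidi_dev_receive_event() must also stay mirror images of each other.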
diff --git a/queue-4.13/bio_copy_user_iov-don-t-ignore-iov_offset.patch b/queue-4.13/bio_copy_user_iov-don-t-ignore-iov_offset.patch
new file mode 100644 (file)
index 0000000..13f8030
--- /dev/null
@@ -0,0 +1,35 @@
+From 1cfd0ddd82232804e03f3023f6a58b50dfef0574 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 24 Sep 2017 10:21:15 -0400
+Subject: bio_copy_user_iov(): don't ignore ->iov_offset
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 1cfd0ddd82232804e03f3023f6a58b50dfef0574 upstream.
+
+Since "block: support large requests in blk_rq_map_user_iov" we
+started to call it with partially drained iter; that works fine
+on the write side, but reads create a copy of iter for completion
+time.  And that needs to take the possibility of ->iov_iter != 0
+into account...
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/bio.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -1235,8 +1235,8 @@ struct bio *bio_copy_user_iov(struct req
+        */
+       bmd->is_our_pages = map_data ? 0 : 1;
+       memcpy(bmd->iov, iter->iov, sizeof(struct iovec) * iter->nr_segs);
+-      iov_iter_init(&bmd->iter, iter->type, bmd->iov,
+-                      iter->nr_segs, iter->count);
++      bmd->iter = *iter;
++      bmd->iter.iov = bmd->iov;
+       ret = -ENOMEM;
+       bio = bio_kmalloc(gfp_mask, nr_pages);
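Review bot: The struct copy `bmd->iter = *iter;` in bio_copy_user_iov() is what preserves the offset of a partially drained iterator, but nothing in the code says so, and the description writes `->iov_iter != 0` where the subject says `->iov_offset`. A comment like `/* keep ->iov_offset and ->count of a partially drained iter; only ->iov is redirected to our copy */` would make the intent visible. The `memcpy()` just above still copies `iter->nr_segs` entries starting at `iter->iov`, which presumably is already the first undrained segment. That is worth confirming, since the function body extends beyond the hunk.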
diff --git a/queue-4.13/direct-io-prevent-null-pointer-access-in-submit_page_section.patch b/queue-4.13/direct-io-prevent-null-pointer-access-in-submit_page_section.patch
new file mode 100644 (file)
index 0000000..3268dde
--- /dev/null
@@ -0,0 +1,37 @@
+From 899f0429c7d3eed886406cd72182bee3b96aa1f9 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Mon, 9 Oct 2017 11:13:18 +0200
+Subject: direct-io: Prevent NULL pointer access in submit_page_section
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit 899f0429c7d3eed886406cd72182bee3b96aa1f9 upstream.
+
+In the code added to function submit_page_section by commit b1058b981,
+sdio->bio can currently be NULL when calling dio_bio_submit.  This then
+leads to a NULL pointer access in dio_bio_submit, so check for a NULL
+bio in submit_page_section before trying to submit it instead.
+
+Fixes xfstest generic/250 on gfs2.
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/direct-io.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/direct-io.c
++++ b/fs/direct-io.c
+@@ -838,7 +838,8 @@ out:
+        */
+       if (sdio->boundary) {
+               ret = dio_send_cur_page(dio, sdio, map_bh);
+-              dio_bio_submit(dio, sdio);
++              if (sdio->bio)
++                      dio_bio_submit(dio, sdio);
+               put_page(sdio->cur_page);
+               sdio->cur_page = NULL;
+       }
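Review bot: The new `if (sdio->bio)` guard in submit_page_section() does not say when the bio can be absent after `dio_send_cur_page()`, and the code that decides it is outside the hunk. A one-line comment, e.g. `/* dio_send_cur_page() may leave no bio to submit */`, would keep the check from looking redundant to a later reader. `ret` is assigned from dio_send_cur_page() on the line above; whether it is propagated to the caller is not visible here.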
diff --git a/queue-4.13/drm-atomic-unref-duplicated-drm_atomic_state-in-drm_atomic_helper_resume.patch b/queue-4.13/drm-atomic-unref-duplicated-drm_atomic_state-in-drm_atomic_helper_resume.patch
new file mode 100644 (file)
index 0000000..962ff5c
--- /dev/null
@@ -0,0 +1,50 @@
+From 78279127253a6c36ed8829eb2b7bc28ef48d9717 Mon Sep 17 00:00:00 2001
+From: Jeffy Chen <jeffy.chen@rock-chips.com>
+Date: Mon, 9 Oct 2017 14:46:41 +0800
+Subject: drm/atomic: Unref duplicated drm_atomic_state in drm_atomic_helper_resume()
+
+From: Jeffy Chen <jeffy.chen@rock-chips.com>
+
+commit 78279127253a6c36ed8829eb2b7bc28ef48d9717 upstream.
+
+Kmemleak reported memory leak after suspend and resume:
+unreferenced object 0xffffffc0e31d8880 (size 128):
+  comm "bash", pid 181, jiffies 4294763583 (age 24.694s)
+  hex dump (first 32 bytes):
+    01 00 00 00 00 00 00 00 00 20 a2 eb c0 ff ff ff  ......... ......
+    01 00 00 00 00 00 00 00 80 87 1d e3 c0 ff ff ff  ................
+  backtrace:
+    [<ffffffc00034bb64>] __save_stack_trace+0x48/0x6c
+    [<ffffffc00034c244>] create_object+0x138/0x254
+    [<ffffffc0009dd218>] kmemleak_alloc+0x58/0x8c
+    [<ffffffc000346de4>] kmem_cache_alloc_trace+0x188/0x254
+    [<ffffffc0005af4c0>] drm_atomic_state_alloc+0x3c/0x88
+    [<ffffffc000591f0c>] drm_atomic_helper_duplicate_state+0x28/0x158
+    [<ffffffc000592098>] drm_atomic_helper_suspend+0x5c/0xf0
+
+Problem here is that we are duplicating the drm_atomic_state in
+drm_atomic_helper_suspend(), but not unreference it in the resume path.
+
+Fixes: 1494276000db ("drm/atomic-helper: Implement subsystem-level suspend/resume")
+Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
+Reviewed-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20171009064641.15174-1-jeffy.chen@rock-chips.com
+Fixes: 0853695c3ba4 ("drm: Add reference counting to drm_atomic_state")
+(cherry picked from commit 6d281b1f79e194c02125da29ea77316810261ca8)
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_atomic_helper.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/drm_atomic_helper.c
++++ b/drivers/gpu/drm/drm_atomic_helper.c
+@@ -2756,6 +2756,7 @@ out:
+               drm_modeset_backoff(&ctx);
+       }
++      drm_atomic_state_put(state);
+       drm_modeset_drop_locks(&ctx);
+       drm_modeset_acquire_fini(&ctx);
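Review bot: After this change the resume helper drops the reference on `state` on every exit, so ownership of the duplicated state passes to it, and that contract is not documented anywhere in the hunk. A caller that still calls `drm_atomic_state_put()` on the same state after resume would now release it twice; the 4.13 callers are not visible here and should be checked before this goes out. I would add a sentence to the function's kernel-doc saying that @state is consumed and must not be used after the call. The function starts outside the hunk.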
diff --git a/queue-4.13/drm-i915-bios-parse-ddi-ports-also-for-chv-for-hdmi-ddc-pin-and-dp-aux-channel.patch b/queue-4.13/drm-i915-bios-parse-ddi-ports-also-for-chv-for-hdmi-ddc-pin-and-dp-aux-channel.patch
new file mode 100644 (file)
index 0000000..29bc049
--- /dev/null
@@ -0,0 +1,47 @@
+From ea850f64c2722278f150dc11de2141baeb24211c Mon Sep 17 00:00:00 2001
+From: Jani Nikula <jani.nikula@intel.com>
+Date: Thu, 28 Sep 2017 11:21:57 +0300
+Subject: drm/i915/bios: parse DDI ports also for CHV for HDMI DDC pin and DP AUX channel
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jani Nikula <jani.nikula@intel.com>
+
+commit ea850f64c2722278f150dc11de2141baeb24211c upstream.
+
+While technically CHV isn't DDI, we do look at the VBT based DDI port
+info for HDMI DDC pin and DP AUX channel. (We call these "alternate",
+but they're really just something that aren't platform defaults.)
+
+In commit e4ab73a13291 ("drm/i915: Respect alternate_ddc_pin for all DDI
+ports") Ville writes, "IIRC there may be CHV system that might actually
+need this."
+
+I'm not sure why there couldn't be even more platforms that need this,
+but start conservative, and parse the info for CHV in addition to DDI.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=100553
+Reported-by: Marek Wilczewski <mw@3cte.pl>
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/d0815082cb98487618429b62414854137049b888.1506586821.git.jani.nikula@intel.com
+(cherry picked from commit 348e4058ebf53904e817eec7a1b25327143c2ed2)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_bios.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_bios.c
++++ b/drivers/gpu/drm/i915/intel_bios.c
+@@ -1231,7 +1231,7 @@ static void parse_ddi_ports(struct drm_i
+ {
+       enum port port;
+-      if (!HAS_DDI(dev_priv))
++      if (!HAS_DDI(dev_priv) && !IS_CHERRYVIEW(dev_priv))
+               return;
+       if (!dev_priv->vbt.child_dev_num)
diff --git a/queue-4.13/drm-i915-edp-get-the-panel-power-off-timestamp-after-panel-is-off.patch b/queue-4.13/drm-i915-edp-get-the-panel-power-off-timestamp-after-panel-is-off.patch
new file mode 100644 (file)
index 0000000..9250136
--- /dev/null
@@ -0,0 +1,53 @@
+From d7ba25bd9ef802ff02414e9105f4222d1795f27a Mon Sep 17 00:00:00 2001
+From: Manasi Navare <manasi.d.navare@intel.com>
+Date: Wed, 4 Oct 2017 09:48:26 -0700
+Subject: drm/i915/edp: Get the Panel Power Off timestamp after panel is off
+
+From: Manasi Navare <manasi.d.navare@intel.com>
+
+commit d7ba25bd9ef802ff02414e9105f4222d1795f27a upstream.
+
+Kernel stores the time in jiffies at which the eDP panel is turned
+off. This should be obtained after the panel is off (after the
+wait_panel_off). When we next attempt to turn the panel on, we use the
+difference between the timestamp at which we want to turn the panel on
+and timestamp at which panel was turned off to ensure that this is equal
+to panel power cycle delay and if not we wait for the remaining
+time. Not waiting for the panel power cycle delay can cause the panel to
+not turn on giving rise to AUX timeouts for the attempted AUX
+transactions.
+
+v2:
+* Separate lines for bugzilla (Jani Nikula)
+* Suggested by tag (Daniel Vetter)
+
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101518
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101144
+Suggested-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Manasi Navare <manasi.d.navare@intel.com>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Reviewed-by: Jani Nikula <jani.nikula@linux.intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1507135706-17147-1-git-send-email-manasi.d.navare@intel.com
+(cherry picked from commit cbacf02e7796fea02e5c6e46c90ed7cbe9e6f2c0)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_dp.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_dp.c
++++ b/drivers/gpu/drm/i915/intel_dp.c
+@@ -2263,8 +2263,8 @@ static void edp_panel_off(struct intel_d
+       I915_WRITE(pp_ctrl_reg, pp);
+       POSTING_READ(pp_ctrl_reg);
+-      intel_dp->panel_power_off_time = ktime_get_boottime();
+       wait_panel_off(intel_dp);
++      intel_dp->panel_power_off_time = ktime_get_boottime();
+       /* We got a reference when we enabled the VDD. */
+       intel_display_power_put(dev_priv, intel_dp->aux_power_domain);
diff --git a/queue-4.13/drm-i915-read-timings-from-the-correct-transcoder-in-intel_crtc_mode_get.patch b/queue-4.13/drm-i915-read-timings-from-the-correct-transcoder-in-intel_crtc_mode_get.patch
new file mode 100644 (file)
index 0000000..35761f4
--- /dev/null
@@ -0,0 +1,75 @@
+From 7b50f7b24cd6c98541f1af53bddc5b6e861ee8c8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Fri, 1 Apr 2016 18:37:25 +0300
+Subject: drm/i915: Read timings from the correct transcoder in intel_crtc_mode_get()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 7b50f7b24cd6c98541f1af53bddc5b6e861ee8c8 upstream.
+
+intel_crtc->config->cpu_transcoder isn't yet filled out when
+intel_crtc_mode_get() gets called during output probing, so we should
+not use it there. Instead intel_crtc_mode_get() figures out the correct
+transcoder on its own, and that's what we should use.
+
+If the BIOS boots LVDS on pipe B, intel_crtc_mode_get() would actually
+end up reading the timings from pipe A instead (since PIPE_A==0),
+which clearly isn't what we want.
+
+It looks to me like this may have been broken by
+commit eccb140bca67 ("drm/i915: hw state readout&check support for cpu_transcoder")
+as that one removed the early initialization of cpu_transcoder from
+intel_crtc_init().
+
+Cc: dri-devel@lists.freedesktop.org
+Cc: Rob Kramer <rob@solution-space.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Reported-by: Rob Kramer <rob@solution-space.com>
+Fixes: eccb140bca67 ("drm/i915: hw state readout&check support for cpu_transcoder")
+References: https://lists.freedesktop.org/archives/dri-devel/2016-April/104142.html
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Link: https://patchwork.freedesktop.org/patch/msgid/1459525046-19425-1-git-send-email-ville.syrjala@linux.intel.com
+(cherry picked from commit e30a154b5262b967b133b06ac40777e651045898)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_display.c |   14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -10059,13 +10059,10 @@ struct drm_display_mode *intel_crtc_mode
+ {
+       struct drm_i915_private *dev_priv = to_i915(dev);
+       struct intel_crtc *intel_crtc = to_intel_crtc(crtc);
+-      enum transcoder cpu_transcoder = intel_crtc->config->cpu_transcoder;
++      enum transcoder cpu_transcoder;
+       struct drm_display_mode *mode;
+       struct intel_crtc_state *pipe_config;
+-      int htot = I915_READ(HTOTAL(cpu_transcoder));
+-      int hsync = I915_READ(HSYNC(cpu_transcoder));
+-      int vtot = I915_READ(VTOTAL(cpu_transcoder));
+-      int vsync = I915_READ(VSYNC(cpu_transcoder));
++      u32 htot, hsync, vtot, vsync;
+       enum pipe pipe = intel_crtc->pipe;
+       mode = kzalloc(sizeof(*mode), GFP_KERNEL);
+@@ -10093,6 +10090,13 @@ struct drm_display_mode *intel_crtc_mode
+       i9xx_crtc_clock_get(intel_crtc, pipe_config);
+       mode->clock = pipe_config->port_clock / pipe_config->pixel_multiplier;
++
++      cpu_transcoder = pipe_config->cpu_transcoder;
++      htot = I915_READ(HTOTAL(cpu_transcoder));
++      hsync = I915_READ(HSYNC(cpu_transcoder));
++      vtot = I915_READ(VTOTAL(cpu_transcoder));
++      vsync = I915_READ(VSYNC(cpu_transcoder));
++
+       mode->hdisplay = (htot & 0xffff) + 1;
+       mode->htotal = ((htot & 0xffff0000) >> 16) + 1;
+       mode->hsync_start = (hsync & 0xffff) + 1;
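Review bot: The register reads in intel_crtc_mode_get() now depend on `pipe_config->cpu_transcoder`, but neither hunk shows where that field is assigned. If pipe_config is zero-allocated and the field is not set before `cpu_transcoder = pipe_config->cpu_transcoder;`, the reads would again hit transcoder 0, which is the case the description calls wrong for LVDS on pipe B. It is worth confirming in the 4.13 tree that the assignment precedes this line. A short comment there, `/* intel_crtc->config is not filled in yet during output probing */`, would record why the crtc's own config is not used.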
diff --git a/queue-4.13/drm-i915-use-crtc_state_is_legacy_gamma-in-intel_color_check.patch b/queue-4.13/drm-i915-use-crtc_state_is_legacy_gamma-in-intel_color_check.patch
new file mode 100644 (file)
index 0000000..466ffcc
--- /dev/null
@@ -0,0 +1,159 @@
+From d6a55c63e6adcb58957bbdce2d390088970273da Mon Sep 17 00:00:00 2001
+From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Date: Thu, 5 Oct 2017 16:15:20 +0200
+Subject: drm/i915: Use crtc_state_is_legacy_gamma in intel_color_check
+
+From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+
+commit d6a55c63e6adcb58957bbdce2d390088970273da upstream.
+
+crtc_state_is_legacy_gamma also checks for CTM, which was missing from
+intel_color_check. By using the same condition for commit and check
+we reduce the chance of mismatches.
+
+This was spotted by KASAN while trying to rework kms_color igt test.
+
+[   72.008660] ==================================================================
+[   72.009326] BUG: KASAN: slab-out-of-bounds in bdw_load_gamma_lut.isra.3+0x15c/0x360 [i915]
+[   72.009519] Read of size 2 at addr ffff880220216e50 by task kms_color/1158
+[   72.009900] CPU: 2 PID: 1158 Comm: kms_color Tainted: G     U  W 4.14.0-rc3-patser+ #5281
+[   72.009921] Hardware name: GIGABYTE GB-BKi3A-7100/MFLP3AP-00, BIOS F1 07/27/2016
+[   72.009941] Call Trace:
+[   72.009968]  dump_stack+0xc5/0x151
+[   72.009996]  ? _atomic_dec_and_lock+0x10f/0x10f
+[   72.010024]  ? show_regs_print_info+0x3c/0x3c
+[   72.010072]  print_address_description+0x7f/0x240
+[   72.010108]  kasan_report+0x216/0x370
+[   72.010308]  ? bdw_load_gamma_lut.isra.3+0x15c/0x360 [i915]
+[   72.010349]  __asan_load2+0x74/0x80
+[   72.010552]  bdw_load_gamma_lut.isra.3+0x15c/0x360 [i915]
+[   72.010772]  broadwell_load_luts+0x1f0/0x300 [i915]
+[   72.010997]  intel_color_load_luts+0x36/0x40 [i915]
+[   72.011205]  intel_begin_crtc_commit+0xa1/0x310 [i915]
+[   72.011283]  drm_atomic_helper_commit_planes_on_crtc+0xa6/0x320 [drm_kms_helper]
+[   72.011316]  ? wait_for_completion_io+0x460/0x460
+[   72.011524]  intel_update_crtc+0xe3/0x100 [i915]
+[   72.011720]  skl_update_crtcs+0x360/0x3f0 [i915]
+[   72.011945]  ? intel_update_crtcs+0xf0/0xf0 [i915]
+[   72.012010]  ? drm_atomic_helper_wait_for_dependencies+0x3d9/0x400 [drm_kms_helper]
+[   72.012231]  intel_atomic_commit_tail+0x8db/0x1500 [i915]
+[   72.012273]  ? __lock_is_held+0x9c/0xc0
+[   72.012494]  ? skl_update_crtcs+0x3f0/0x3f0 [i915]
+[   72.012518]  ? find_next_bit+0xb/0x10
+[   72.012544]  ? cpumask_next+0x1a/0x20
+[   72.012745]  ? i915_sw_fence_complete+0x9d/0xe0 [i915]
+[   72.012938]  ? __i915_sw_fence_complete+0x5d0/0x5d0 [i915]
+[   72.013176]  intel_atomic_commit+0x528/0x570 [i915]
+[   72.013280]  ? drm_atomic_get_property+0xc00/0xc00 [drm]
+[   72.013466]  ? intel_atomic_commit_tail+0x1500/0x1500 [i915]
+[   72.013496]  ? kmem_cache_alloc_trace+0x266/0x280
+[   72.013714]  ? intel_atomic_commit_tail+0x1500/0x1500 [i915]
+[   72.013812]  drm_atomic_commit+0x77/0x80 [drm]
+[   72.013911]  set_property_atomic+0x14a/0x210 [drm]
+[   72.014015]  ? drm_object_property_get_value+0x70/0x70 [drm]
+[   72.014080]  ? mutex_unlock+0xd/0x10
+[   72.014292]  ? intel_atomic_commit_tail+0x1500/0x1500 [i915]
+[   72.014379]  drm_mode_obj_set_property_ioctl+0x1cf/0x310 [drm]
+[   72.014481]  ? drm_mode_obj_find_prop_id+0xa0/0xa0 [drm]
+[   72.014510]  ? lock_release+0x6c0/0x6c0
+[   72.014602]  ? drm_is_current_master+0x46/0x60 [drm]
+[   72.014706]  drm_ioctl_kernel+0x148/0x1d0 [drm]
+[   72.014799]  ? drm_mode_obj_find_prop_id+0xa0/0xa0 [drm]
+[   72.014898]  ? drm_ioctl_permit+0x100/0x100 [drm]
+[   72.014936]  ? kasan_check_write+0x14/0x20
+[   72.015039]  drm_ioctl+0x441/0x660 [drm]
+[   72.015129]  ? drm_mode_obj_find_prop_id+0xa0/0xa0 [drm]
+[   72.015235]  ? drm_getstats+0x20/0x20 [drm]
+[   72.015287]  ? ___might_sleep+0x159/0x340
+[   72.015311]  ? find_held_lock+0xcf/0xf0
+[   72.015341]  ? __schedule_bug+0x110/0x110
+[   72.015405]  do_vfs_ioctl+0xa88/0xb10
+[   72.015449]  ? ioctl_preallocate+0x1a0/0x1a0
+[   72.015487]  ? selinux_capable+0x20/0x20
+[   72.015525]  ? rcu_dynticks_momentary_idle+0x40/0x40
+[   72.015607]  SyS_ioctl+0x4e/0x80
+[   72.015647]  entry_SYSCALL_64_fastpath+0x18/0xad
+[   72.015670] RIP: 0033:0x7ff74a3d04d7
+[   72.015691] RSP: 002b:00007ffc594bec08 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+[   72.015734] RAX: ffffffffffffffda RBX: ffffffff8718f54a RCX: 00007ff74a3d04d7
+[   72.015756] RDX: 00007ffc594bec40 RSI: 00000000c01864ba RDI: 0000000000000003
+[   72.015777] RBP: ffff880211c0ff98 R08: 0000000000000086 R09: 0000000000000000
+[   72.015799] R10: 00007ff74a691b58 R11: 0000000000000246 R12: 0000000000000355
+[   72.015821] R13: 00000000ff00eb00 R14: 0000000000000a00 R15: 00007ff746082000
+[   72.015857]  ? trace_hardirqs_off_caller+0xfa/0x110
+
+Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20171005141520.23990-1-maarten.lankhorst@linux.intel.com
+[mlankhorst: s/crtc_state_is_legacy/&_gamma/ (danvet)]
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Fixes: 82cf435b3134 ("drm/i915: Implement color management on bdw/skl/bxt/kbl")
+(cherry picked from commit 0c3767b28186c8129f2a2cfec06a93dcd6102391)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_color.c |   16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_color.c
++++ b/drivers/gpu/drm/i915/intel_color.c
+@@ -58,7 +58,7 @@
+ #define I9XX_CSC_COEFF_1_0            \
+       ((7 << 12) | I9XX_CSC_COEFF_FP(CTM_COEFF_1_0, 8))
+-static bool crtc_state_is_legacy(struct drm_crtc_state *state)
++static bool crtc_state_is_legacy_gamma(struct drm_crtc_state *state)
+ {
+       return !state->degamma_lut &&
+               !state->ctm &&
+@@ -245,7 +245,7 @@ static void cherryview_load_csc_matrix(s
+       }
+       mode = (state->ctm ? CGM_PIPE_MODE_CSC : 0);
+-      if (!crtc_state_is_legacy(state)) {
++      if (!crtc_state_is_legacy_gamma(state)) {
+               mode |= (state->degamma_lut ? CGM_PIPE_MODE_DEGAMMA : 0) |
+                       (state->gamma_lut ? CGM_PIPE_MODE_GAMMA : 0);
+       }
+@@ -426,7 +426,7 @@ static void broadwell_load_luts(struct d
+       struct intel_crtc_state *intel_state = to_intel_crtc_state(state);
+       enum pipe pipe = to_intel_crtc(state->crtc)->pipe;
+-      if (crtc_state_is_legacy(state)) {
++      if (crtc_state_is_legacy_gamma(state)) {
+               haswell_load_luts(state);
+               return;
+       }
+@@ -486,7 +486,7 @@ static void glk_load_luts(struct drm_crt
+       glk_load_degamma_lut(state);
+-      if (crtc_state_is_legacy(state)) {
++      if (crtc_state_is_legacy_gamma(state)) {
+               haswell_load_luts(state);
+               return;
+       }
+@@ -508,7 +508,7 @@ static void cherryview_load_luts(struct
+       uint32_t i, lut_size;
+       uint32_t word0, word1;
+-      if (crtc_state_is_legacy(state)) {
++      if (crtc_state_is_legacy_gamma(state)) {
+               /* Turn off degamma/gamma on CGM block. */
+               I915_WRITE(CGM_PIPE_MODE(pipe),
+                          (state->ctm ? CGM_PIPE_MODE_CSC : 0));
+@@ -589,12 +589,10 @@ int intel_color_check(struct drm_crtc *c
+               return 0;
+       /*
+-       * We also allow no degamma lut and a gamma lut at the legacy
++       * We also allow no degamma lut/ctm and a gamma lut at the legacy
+        * size (256 entries).
+        */
+-      if (!crtc_state->degamma_lut &&
+-          crtc_state->gamma_lut &&
+-          crtc_state->gamma_lut->length == LEGACY_LUT_LENGTH)
++      if (crtc_state_is_legacy_gamma(crtc_state))
+               return 0;
+       return -EINVAL;
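Review bot: In `intel_color_check` the explicit `crtc_state->gamma_lut->length == LEGACY_LUT_LENGTH` test is replaced by a call to `crtc_state_is_legacy_gamma()`, but only the helper's first two conditions (`!state->degamma_lut`, `!state->ctm`) are visible in this patch. Confirm that the non-NULL and length checks on the gamma blob live in the part of the helper outside the hunk. The helper now gates both validation and the load paths (`cherryview_load_csc_matrix`, `broadwell_load_luts`, `glk_load_luts`, `cherryview_load_luts`), so it deserves a comment such as `/* Shared by intel_color_check() and the load_luts paths; keep the LUT length test here so check and commit cannot disagree. */`. The KASAN trace in the description shows the cost of a disagreement: an out-of-bounds slab read in `bdw_load_gamma_lut`, reached through the set-property ioctl.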
diff --git a/queue-4.13/fix-unbalanced-page-refcounting-in-bio_map_user_iov.patch b/queue-4.13/fix-unbalanced-page-refcounting-in-bio_map_user_iov.patch
new file mode 100644 (file)
index 0000000..cbc56e4
--- /dev/null
@@ -0,0 +1,46 @@
+From 95d78c28b5a85bacbc29b8dba7c04babb9b0d467 Mon Sep 17 00:00:00 2001
+From: Vitaly Mayatskikh <v.mayatskih@gmail.com>
+Date: Fri, 22 Sep 2017 01:18:39 -0400
+Subject: fix unbalanced page refcounting in bio_map_user_iov
+
+From: Vitaly Mayatskikh <v.mayatskih@gmail.com>
+
+commit 95d78c28b5a85bacbc29b8dba7c04babb9b0d467 upstream.
+
+bio_map_user_iov and bio_unmap_user do unbalanced pages refcounting if
+IO vector has small consecutive buffers belonging to the same page.
+bio_add_pc_page merges them into one, but the page reference is never
+dropped.
+
+Signed-off-by: Vitaly Mayatskikh <v.mayatskih@gmail.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/bio.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -1379,6 +1379,7 @@ struct bio *bio_map_user_iov(struct requ
+               offset = offset_in_page(uaddr);
+               for (j = cur_page; j < page_limit; j++) {
+                       unsigned int bytes = PAGE_SIZE - offset;
++                      unsigned short prev_bi_vcnt = bio->bi_vcnt;
+                       if (len <= 0)
+                               break;
+@@ -1393,6 +1394,13 @@ struct bio *bio_map_user_iov(struct requ
+                                           bytes)
+                               break;
++                      /*
++                       * check if vector was merged with previous
++                       * drop page reference if needed
++                       */
++                      if (bio->bi_vcnt == prev_bi_vcnt)
++                              put_page(pages[j]);
++
+                       len -= bytes;
+                       offset = 0;
+               }
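Review bot: The comment added above the `bio->bi_vcnt == prev_bi_vcnt` test says what is checked but not why the reference has to be dropped, which is what a later reader needs. Going by the description, `bio_add_pc_page` can merge the new range into the previous vector and the unmap side then releases one reference per vector, so the reference taken for `pages[j]` would be left over. I would word it as `/* merged into the previous bvec: unmap drops one reference per bvec, so release the extra one held for this page */`. The test also assumes that an unchanged `bi_vcnt` after a successful add can only mean a merge; the loop body continues outside the hunk, so that cannot be confirmed from here.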
diff --git a/queue-4.13/genirq-cpuhotplug-add-sanity-check-for-effective-affinity-mask.patch b/queue-4.13/genirq-cpuhotplug-add-sanity-check-for-effective-affinity-mask.patch
new file mode 100644 (file)
index 0000000..86ee041
--- /dev/null
@@ -0,0 +1,66 @@
+From 60b09c51bb4fb46e2331fdbb39f91520f31d35f7 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Mon, 9 Oct 2017 12:47:24 +0200
+Subject: genirq/cpuhotplug: Add sanity check for effective affinity mask
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 60b09c51bb4fb46e2331fdbb39f91520f31d35f7 upstream.
+
+The effective affinity mask handling has no safety net when the mask is not
+updated by the interrupt chip or the mask contains offline CPUs.
+
+If that happens the CPU unplug code fails to migrate interrupts.
+
+Add sanity checks and emit a warning when the mask contains only offline
+CPUs.
+
+Fixes: 415fcf1a2293 ("genirq/cpuhotplug: Use effective affinity mask")
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1710042208400.2406@nanos
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/irq/cpuhotplug.c |   28 +++++++++++++++++++++++++++-
+ 1 file changed, 27 insertions(+), 1 deletion(-)
+
+--- a/kernel/irq/cpuhotplug.c
++++ b/kernel/irq/cpuhotplug.c
+@@ -18,8 +18,34 @@
+ static inline bool irq_needs_fixup(struct irq_data *d)
+ {
+       const struct cpumask *m = irq_data_get_effective_affinity_mask(d);
++      unsigned int cpu = smp_processor_id();
+-      return cpumask_test_cpu(smp_processor_id(), m);
++#ifdef CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK
++      /*
++       * The cpumask_empty() check is a workaround for interrupt chips,
++       * which do not implement effective affinity, but the architecture has
++       * enabled the config switch. Use the general affinity mask instead.
++       */
++      if (cpumask_empty(m))
++              m = irq_data_get_affinity_mask(d);
++
++      /*
++       * Sanity check. If the mask is not empty when excluding the outgoing
++       * CPU then it must contain at least one online CPU. The outgoing CPU
++       * has been removed from the online mask already.
++       */
++      if (cpumask_any_but(m, cpu) < nr_cpu_ids &&
++          cpumask_any_and(m, cpu_online_mask) >= nr_cpu_ids) {
++              /*
++               * If this happens then there was a missed IRQ fixup at some
++               * point. Warn about it and enforce fixup.
++               */
++              pr_warn("Eff. affinity %*pbl of IRQ %u contains only offline CPUs after offlining CPU %u\n",
++                      cpumask_pr_args(m), d->irq, cpu);
++              return true;
++      }
++#endif
++      return cpumask_test_cpu(cpu, m);
+ }
+ static bool migrate_one_irq(struct irq_desc *desc)
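Review bot: When the effective mask is empty, `m` is replaced by `irq_data_get_affinity_mask(d)`, yet the `pr_warn` further down still labels it "Eff. affinity", so the log can name a mask that is not the effective one. Either mention the fallback in the message or extend the workaround comment to say the warning may print the general affinity mask. The function also now returns true in a case its old body did not cover (mask holds other CPUs, none online), and nothing at the function head says so. A short header comment would help: `/* True if the IRQ targets the outgoing CPU, or if its mask holds only offline CPUs (a missed earlier fixup). */`.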
diff --git a/queue-4.13/genirq-cpuhotplug-enforce-affinity-setting-on-startup-of-managed-irqs.patch b/queue-4.13/genirq-cpuhotplug-enforce-affinity-setting-on-startup-of-managed-irqs.patch
new file mode 100644 (file)
index 0000000..ff4740a
--- /dev/null
@@ -0,0 +1,158 @@
+From e43b3b58548051f8809391eb7bec7a27ed3003ea Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 4 Oct 2017 21:07:38 +0200
+Subject: genirq/cpuhotplug: Enforce affinity setting on startup of managed irqs
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit e43b3b58548051f8809391eb7bec7a27ed3003ea upstream.
+
+Managed interrupts can end up in a stale state on CPU hotplug. If the
+interrupt is not targeting a single CPU, i.e. the affinity mask spawns
+multiple CPUs then the following can happen:
+
+After boot:
+
+dstate:   0x01601200
+            IRQD_ACTIVATED
+            IRQD_IRQ_STARTED
+            IRQD_SINGLE_TARGET
+            IRQD_AFFINITY_SET
+            IRQD_AFFINITY_MANAGED
+node:     0
+affinity: 24-31
+effectiv: 24
+pending:  0
+
+After offlining CPU 31 - 24
+
+dstate:   0x01a31000
+            IRQD_IRQ_DISABLED
+            IRQD_IRQ_MASKED
+            IRQD_SINGLE_TARGET
+            IRQD_AFFINITY_SET
+            IRQD_AFFINITY_MANAGED
+            IRQD_MANAGED_SHUTDOWN
+node:     0
+affinity: 24-31
+effectiv: 24
+pending:  0
+
+Now CPU 25 gets onlined again, so it should get the effective interrupt
+affinity for this interruopt, but due to the x86 interrupt affinity setter
+restrictions this ends up after restarting the interrupt with:
+
+dstate:   0x01601300
+            IRQD_ACTIVATED
+            IRQD_IRQ_STARTED
+            IRQD_SINGLE_TARGET
+            IRQD_AFFINITY_SET
+            IRQD_SETAFFINITY_PENDING
+            IRQD_AFFINITY_MANAGED
+node:     0
+affinity: 24-31
+effectiv: 24
+pending:  24-31
+
+So the interrupt is still affine to CPU 24, which was the last CPU to go
+offline of that affinity set and the move to an online CPU within 24-31,
+in this case 25, is pending. This mechanism is x86/ia64 specific as those
+architectures cannot move interrupts from thread context and do this when
+an interrupt is actually handled. So the move is set to pending.
+
+Whats worse is that offlining CPU 25 again results in:
+
+dstate:   0x01601300
+            IRQD_ACTIVATED
+            IRQD_IRQ_STARTED
+            IRQD_SINGLE_TARGET
+            IRQD_AFFINITY_SET
+            IRQD_SETAFFINITY_PENDING
+            IRQD_AFFINITY_MANAGED
+node:     0
+affinity: 24-31
+effectiv: 24
+pending:  24-31
+
+This means the interrupt has not been shut down, because the outgoing CPU
+is not in the effective affinity mask, but of course nothing notices that
+the effective affinity mask is pointing at an offline CPU.
+
+In the case of restarting a managed interrupt the move restriction does not
+apply, so the affinity setting can be made unconditional. This needs to be
+done _before_ the interrupt is started up as otherwise the condition for
+moving it from thread context would not longer be fulfilled.
+
+With that change applied onlining CPU 25 after offlining 31-24 results in:
+
+dstate:   0x01600200
+            IRQD_ACTIVATED
+            IRQD_IRQ_STARTED
+            IRQD_SINGLE_TARGET
+            IRQD_AFFINITY_MANAGED
+node:     0
+affinity: 24-31
+effectiv: 25
+pending:
+
+And after offlining CPU 25:
+
+dstate:   0x01a30000
+            IRQD_IRQ_DISABLED
+            IRQD_IRQ_MASKED
+            IRQD_SINGLE_TARGET
+            IRQD_AFFINITY_MANAGED
+            IRQD_MANAGED_SHUTDOWN
+node:     0
+affinity: 24-31
+effectiv: 25
+pending:
+
+which is the correct and expected result.
+
+Fixes: 761ea388e8c4 ("genirq: Handle managed irqs gracefully in irq_startup()")
+Reported-by: YASUAKI ISHIMATSU <yasu.isimatu@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: axboe@kernel.dk
+Cc: linux-scsi@vger.kernel.org
+Cc: Sumit Saxena <sumit.saxena@broadcom.com>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Cc: mpe@ellerman.id.au
+Cc: Shivasharan Srikanteshwara <shivasharan.srikanteshwara@broadcom.com>
+Cc: Kashyap Desai <kashyap.desai@broadcom.com>
+Cc: keith.busch@intel.com
+Cc: peterz@infradead.org
+Cc: Hannes Reinecke <hare@suse.de>
+Cc: Christoph Hellwig <hch@lst.de>
+Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1710042208400.2406@nanos
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/irq/chip.c   |    2 +-
+ kernel/irq/manage.c |    3 +++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/irq/chip.c
++++ b/kernel/irq/chip.c
+@@ -265,8 +265,8 @@ int irq_startup(struct irq_desc *desc, b
+                       irq_setup_affinity(desc);
+                       break;
+               case IRQ_STARTUP_MANAGED:
++                      irq_do_set_affinity(d, aff, false);
+                       ret = __irq_startup(desc);
+-                      irq_set_affinity_locked(d, aff, false);
+                       break;
+               case IRQ_STARTUP_ABORT:
+                       return 0;
+--- a/kernel/irq/manage.c
++++ b/kernel/irq/manage.c
+@@ -175,6 +175,9 @@ int irq_do_set_affinity(struct irq_data
+       struct irq_chip *chip = irq_data_get_irq_chip(data);
+       int ret;
++      if (!chip || !chip->irq_set_affinity)
++              return -EINVAL;
++
+       ret = chip->irq_set_affinity(data, mask, force);
+       switch (ret) {
+       case IRQ_SET_MASK_OK:
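Review bot: In the `IRQ_STARTUP_MANAGED` case the result of `irq_do_set_affinity(d, aff, false)` is discarded, while the second hunk gives that function a new failure path (`-EINVAL` when the chip has no `irq_set_affinity`). If the call fails, `__irq_startup(desc)` still runs with whatever effective affinity the interrupt had, which is the stale state the description sets out to remove. If ignoring the failure is intended, say so with a comment such as `/* best effort: a failure leaves the previous effective affinity in place */`; otherwise consider reporting it. `irq_startup` begins and ends outside the hunk, so how `ret` is used afterwards is not visible.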
diff --git a/queue-4.13/more-bio_map_user_iov-leak-fixes.patch b/queue-4.13/more-bio_map_user_iov-leak-fixes.patch
new file mode 100644 (file)
index 0000000..21251b0
--- /dev/null
@@ -0,0 +1,58 @@
+From 2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 23 Sep 2017 15:51:23 -0400
+Subject: more bio_map_user_iov() leak fixes
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058 upstream.
+
+we need to take care of failure exit as well - pages already
+in bio should be dropped by analogue of bio_unmap_pages(),
+since their refcounts had been bumped only once per reference
+in bio.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/bio.c |   14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -1327,6 +1327,7 @@ struct bio *bio_map_user_iov(struct requ
+       int ret, offset;
+       struct iov_iter i;
+       struct iovec iov;
++      struct bio_vec *bvec;
+       iov_for_each(iov, i, *iter) {
+               unsigned long uaddr = (unsigned long) iov.iov_base;
+@@ -1371,7 +1372,12 @@ struct bio *bio_map_user_iov(struct requ
+               ret = get_user_pages_fast(uaddr, local_nr_pages,
+                               (iter->type & WRITE) != WRITE,
+                               &pages[cur_page]);
+-              if (ret < local_nr_pages) {
++              if (unlikely(ret < local_nr_pages)) {
++                      for (j = cur_page; j < page_limit; j++) {
++                              if (!pages[j])
++                                      break;
++                              put_page(pages[j]);
++                      }
+                       ret = -EFAULT;
+                       goto out_unmap;
+               }
+@@ -1427,10 +1433,8 @@ struct bio *bio_map_user_iov(struct requ
+       return bio;
+  out_unmap:
+-      for (j = 0; j < nr_pages; j++) {
+-              if (!pages[j])
+-                      break;
+-              put_page(pages[j]);
++      bio_for_each_segment_all(bvec, bio, j) {
++              put_page(bvec->bv_page);
+       }
+  out:
+       kfree(pages);
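Review bot: The cleanup loop added after the short `get_user_pages_fast` return stops at the first NULL entry, so it is only correct if `pages[]` was zero-filled at allocation and no slot in `cur_page..page_limit` holds a stale pointer; the allocation is outside the hunk. The return value already says how many pages were pinned, so the loop can be bounded by it: `for (j = cur_page; j < cur_page + ret; j++)` with `put_page(pages[j]);` as the body. That also does nothing when `ret` is zero or negative, assuming `j` and `cur_page` are plain `int` like `ret`. The new `out_unmap` body dereferences `bio` through `bio_for_each_segment_all`, so every `goto out_unmap` must happen after `bio` is valid; those jumps are mostly outside the hunks shown.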
diff --git a/queue-4.13/pci-aardvark-move-to-struct-pci_host_bridge-irq-mapping-functions.patch b/queue-4.13/pci-aardvark-move-to-struct-pci_host_bridge-irq-mapping-functions.patch
new file mode 100644 (file)
index 0000000..a306e00
--- /dev/null
@@ -0,0 +1,46 @@
+From 407dae1e4415acde2d9f48bb76361893c4653756 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Date: Mon, 9 Oct 2017 09:00:49 +0200
+Subject: PCI: aardvark: Move to struct pci_host_bridge IRQ mapping functions
+
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+
+commit 407dae1e4415acde2d9f48bb76361893c4653756 upstream.
+
+struct pci_host_bridge gained hooks to map/swizzle IRQs, so that the IRQ
+mapping can be done automatically by PCI core code through the
+pci_assign_irq() function instead of resorting to arch-specific
+implementation callbacks to carry out the same task which force PCI host
+bridge drivers implementation to implement per-arch kludges to carry out a
+task that is inherently architecture agnostic.
+
+Commit 769b461fc0c0 ("arm64: PCI: Drop DT IRQ allocation from
+pcibios_alloc_irq()") was assuming all PCI host controller drivers had been
+converted to use ->map_irq(), but that wasn't the case: pci-aardvark had
+not been converted. Due to this, it broke the support for legacy PCI
+interrupts when using the pci-aardvark driver (used on Marvell Armada 3720
+platforms).
+
+In order to fix this, we make sure the ->map_irq and ->swizzle_irq fields
+of pci_host_bridge are properly filled in.
+
+Fixes: 769b461fc0c0 ("arm64: PCI: Drop DT IRQ allocation from pcibios_alloc_irq()")
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/host/pci-aardvark.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pci/host/pci-aardvark.c
++++ b/drivers/pci/host/pci-aardvark.c
+@@ -936,6 +936,8 @@ static int advk_pcie_probe(struct platfo
+       bridge->sysdata = pcie;
+       bridge->busnr = 0;
+       bridge->ops = &advk_pcie_ops;
++      bridge->map_irq = of_irq_parse_and_map_pci;
++      bridge->swizzle_irq = pci_common_swizzle;
+       ret = pci_scan_root_bus_bridge(bridge);
+       if (ret < 0) {
diff --git a/queue-4.13/perf-script-add-missing-separator-for-f-ip-brstack-and-brstackoff.patch b/queue-4.13/perf-script-add-missing-separator-for-f-ip-brstack-and-brstackoff.patch
new file mode 100644 (file)
index 0000000..4d76d22
--- /dev/null
@@ -0,0 +1,57 @@
+From e9516c0813aeb89ebd19ec0ed39fbfcd78b6ef3a Mon Sep 17 00:00:00 2001
+From: Mark Santaniello <marksan@fb.com>
+Date: Fri, 6 Oct 2017 01:07:22 -0700
+Subject: perf script: Add missing separator for "-F ip,brstack" (and brstackoff)
+
+From: Mark Santaniello <marksan@fb.com>
+
+commit e9516c0813aeb89ebd19ec0ed39fbfcd78b6ef3a upstream.
+
+Prior to commit 55b9b50811ca ("perf script: Support -F brstack,dso and
+brstacksym,dso"), we were printing a space before the brstack data. It
+seems that this space was important.  Without it, parsing is difficult.
+
+Very sorry for the mistake.
+
+Notice here how the "ip" and "brstack" run together:
+
+$ perf script -F ip,brstack | head -n 1
+          22e18c40x22e19e2/0x22e190b/P/-/-/0 0x22e19a1/0x22e19d0/P/-/-/0 0x22e195d/0x22e1990/P/-/-/0 0x22e18e9/0x22e1943/P/-/-/0 0x22e1a69/0x22e18c0/P/-/-/0 0x22e19f7/0x22e1a20/P/-/-/0 0x22e1910/0x22e19ee/P/-/-/0 0x22e19e2/0x22e190b/P/-/-/0 0x22e19a1/0x22e19d0/P/-/-/0 0x22e195d/0x22e1990/P/-/-/0 0x22e18e9/0x22e1943/P/-/-/0 0x22e1a69/0x22e18c0/P/-/-/0 0x22e19f7/0x22e1a20/P/-/-/0 0x22e1910/0x22e19ee/P/-/-/0 0x22e19e2/0x22e190b/P/-/-/0 0x22e19a1/0x22e19d0/P/-/-/0
+
+After this diff, sanity is restored:
+
+$ perf script -F ip,brstack | head -n 1
+          22e18c4 0x22e19e2/0x22e190b/P/-/-/0  0x22e19a1/0x22e19d0/P/-/-/0  0x22e195d/0x22e1990/P/-/-/0  0x22e18e9/0x22e1943/P/-/-/0  0x22e1a69/0x22e18c0/P/-/-/0  0x22e19f7/0x22e1a20/P/-/-/0  0x22e1910/0x22e19ee/P/-/-/0  0x22e19e2/0x22e190b/P/-/-/0  0x22e19a1/0x22e19d0/P/-/-/0  0x22e195d/0x22e1990/P/-/-/0  0x22e18e9/0x22e1943/P/-/-/0  0x22e1a69/0x22e18c0/P/-/-/0  0x22e19f7/0x22e1a20/P/-/-/0  0x22e1910/0x22e19ee/P/-/-/0  0x22e19e2/0x22e190b/P/-/-/0  0x22e19a1/0x22e19d0/P/-/-/0
+
+Signed-off-by: Mark Santaniello <marksan@fb.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Fixes: 55b9b50811ca ("perf script: Support -F brstack,dso and brstacksym,dso")
+Link: http://lkml.kernel.org/r/20171006080722.3442046-1-marksan@fb.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/builtin-script.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/perf/builtin-script.c
++++ b/tools/perf/builtin-script.c
+@@ -578,7 +578,7 @@ static void print_sample_brstack(struct
+                       thread__find_addr_map(thread, sample->cpumode, MAP__FUNCTION, to, &alt);
+               }
+-              printf("0x%"PRIx64, from);
++              printf(" 0x%"PRIx64, from);
+               if (PRINT_FIELD(DSO)) {
+                       printf("(");
+                       map__fprintf_dsoname(alf.map, stdout);
+@@ -673,7 +673,7 @@ static void print_sample_brstackoff(stru
+               if (alt.map && !alt.map->dso->adjust_symbols)
+                       to = map__map_ip(alt.map, to);
+-              printf("0x%"PRIx64, from);
++              printf(" 0x%"PRIx64, from);
+               if (PRINT_FIELD(DSO)) {
+                       printf("(");
+                       map__fprintf_dsoname(alf.map, stdout);
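Review bot: The leading space added to `printf(" 0x%"PRIx64, from)` in both `print_sample_brstack` and `print_sample_brstackoff` is emitted for every branch entry, not only at the ip/brstack boundary. The "after" sample in the description shows the result: entries are now separated by two spaces where they were separated by one. A consumer that splits on a single space will see empty fields. If only the first entry needs the separator, print it once before the loop, or drop the trailing space that each entry appears to emit. The loop header and the end of the entry format are outside these hunks, so this is inferred from the sample output.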
diff --git a/queue-4.13/revert-pci-tegra-do-not-allocate-msi-target-memory.patch b/queue-4.13/revert-pci-tegra-do-not-allocate-msi-target-memory.patch
new file mode 100644 (file)
index 0000000..705b0a5
--- /dev/null
@@ -0,0 +1,89 @@
+From 8c2b4e3c3725801b57d7b858d216d38f83bdb35d Mon Sep 17 00:00:00 2001
+From: Thierry Reding <treding@nvidia.com>
+Date: Mon, 9 Oct 2017 12:29:35 +0200
+Subject: Revert "PCI: tegra: Do not allocate MSI target memory"
+
+From: Thierry Reding <treding@nvidia.com>
+
+commit 8c2b4e3c3725801b57d7b858d216d38f83bdb35d upstream.
+
+This reverts commit d7bd554f27c942e6b8b54100b4044f9be1038edf.
+
+It turns out that Tegra20 has a bug in the implementation of the MSI
+target address register (which is worked around by the existence of the
+struct tegra_pcie_soc.msi_base_shift parameter) that restricts the MSI
+target memory to the lower 32 bits of physical memory on that particular
+generation. The offending patch causes a regression on TrimSlice, which
+is a Tegra20-based device and has a PCI network interface card.
+
+An initial, simpler fix was to change the MSI target address for Tegra20
+only, but it was pointed out that the offending commit also prevents the
+use of 32-bit only MSI capable devices, even on later chips. Technically
+this was never guaranteed to work with the prior code in the first place
+because the allocated page could have resided beyond the 4 GiB boundary,
+but it is still possible that this could've introduced a regression.
+
+The proper fix that was settled on is to select a fixed address within
+the lowest 32 bits of physical address space that is otherwise unused,
+but testing of that patch has provided mixed results that are not fully
+understood yet.
+
+Given all of the above and the relative urgency to get this fixed in
+v4.13, revert the offending commit until a universal fix is found.
+
+Fixes: d7bd554f27c9 ("PCI: tegra: Do not allocate MSI target memory")
+Reported-by: Tomasz Maciej Nowak <tmn505@gmail.com>
+Reported-by: Erik Faye-Lund <kusmabite@gmail.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/host/pci-tegra.c |   22 ++++++----------------
+ 1 file changed, 6 insertions(+), 16 deletions(-)
+
+--- a/drivers/pci/host/pci-tegra.c
++++ b/drivers/pci/host/pci-tegra.c
+@@ -233,6 +233,7 @@ struct tegra_msi {
+       struct msi_controller chip;
+       DECLARE_BITMAP(used, INT_PCI_MSI_NR);
+       struct irq_domain *domain;
++      unsigned long pages;
+       struct mutex lock;
+       u64 phys;
+       int irq;
+@@ -1529,22 +1530,9 @@ static int tegra_pcie_enable_msi(struct
+               goto err;
+       }
+-      /*
+-       * The PCI host bridge on Tegra contains some logic that intercepts
+-       * MSI writes, which means that the MSI target address doesn't have
+-       * to point to actual physical memory. Rather than allocating one 4
+-       * KiB page of system memory that's never used, we can simply pick
+-       * an arbitrary address within an area reserved for system memory
+-       * in the FPCI address map.
+-       *
+-       * However, in order to avoid confusion, we pick an address that
+-       * doesn't map to physical memory. The FPCI address map reserves a
+-       * 1012 GiB region for system memory and memory-mapped I/O. Since
+-       * none of the Tegra SoCs that contain this PCI host bridge can
+-       * address more than 16 GiB of system memory, the last 4 KiB of
+-       * these 1012 GiB is a good candidate.
+-       */
+-      msi->phys = 0xfcfffff000;
++      /* setup AFI/FPCI range */
++      msi->pages = __get_free_pages(GFP_KERNEL, 0);
++      msi->phys = virt_to_phys((void *)msi->pages);
+       afi_writel(pcie, msi->phys >> soc->msi_base_shift, AFI_MSI_FPCI_BAR_ST);
+       afi_writel(pcie, msi->phys, AFI_MSI_AXI_BAR_ST);
+@@ -1596,6 +1584,8 @@ static int tegra_pcie_disable_msi(struct
+       afi_writel(pcie, 0, AFI_MSI_EN_VEC6);
+       afi_writel(pcie, 0, AFI_MSI_EN_VEC7);
++      free_pages(msi->pages, 0);
++
+       if (msi->irq > 0)
+               free_irq(msi->irq, pcie);
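Review bot: The restored `__get_free_pages(GFP_KERNEL, 0)` in `tegra_pcie_enable_msi` is not checked, so on allocation failure `msi->pages` is 0. `virt_to_phys((void *)msi->pages)` then produces an address that is written to `AFI_MSI_FPCI_BAR_ST` and `AFI_MSI_AXI_BAR_ST` as the MSI target. A guard before the `virt_to_phys` line closes that: `if (!msi->pages) { err = -ENOMEM; goto err; }`. The `err` label is visible just above, but the name of the return-code variable is not, so adjust it to match. The `err:` path lies outside the hunk; check that it frees the page when a later step fails, since only `tegra_pcie_disable_msi` is shown calling `free_pages`.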
index 85a11c0e021651011050d1e973d0398a7b65887a..1a31dd834505d8078328f33f5b73b5ed175b958d 100644 (file)
@@ -19,3 +19,31 @@ revert-vmalloc-back-off-when-the-current-task-is-killed.patch
 fs-mpage.c-fix-mpage_writepage-for-pages-with-buffers.patch
 alsa-usb-audio-kill-stray-urb-at-exiting.patch
 alsa-seq-fix-use-after-free-at-creating-a-port.patch
+alsa-seq-fix-copy_from_user-call-inside-lock.patch
+alsa-caiaq-fix-stray-urb-at-probe-error-path.patch
+alsa-line6-fix-null-dereference-at-podhd_disconnect.patch
+alsa-line6-fix-missing-initialization-before-error-path.patch
+alsa-line6-fix-leftover-urb-at-error-path-during-probe.patch
+drm-atomic-unref-duplicated-drm_atomic_state-in-drm_atomic_helper_resume.patch
+drm-i915-edp-get-the-panel-power-off-timestamp-after-panel-is-off.patch
+drm-i915-read-timings-from-the-correct-transcoder-in-intel_crtc_mode_get.patch
+drm-i915-bios-parse-ddi-ports-also-for-chv-for-hdmi-ddc-pin-and-dp-aux-channel.patch
+drm-i915-use-crtc_state_is_legacy_gamma-in-intel_color_check.patch
+usb-gadget-configfs-fix-memory-leak-of-interface-directory-data.patch
+usb-gadget-composite-fix-use-after-free-in-usb_composite_overwrite_options.patch
+pci-aardvark-move-to-struct-pci_host_bridge-irq-mapping-functions.patch
+revert-pci-tegra-do-not-allocate-msi-target-memory.patch
+direct-io-prevent-null-pointer-access-in-submit_page_section.patch
+fix-unbalanced-page-refcounting-in-bio_map_user_iov.patch
+more-bio_map_user_iov-leak-fixes.patch
+bio_copy_user_iov-don-t-ignore-iov_offset.patch
+perf-script-add-missing-separator-for-f-ip-brstack-and-brstackoff.patch
+genirq-cpuhotplug-enforce-affinity-setting-on-startup-of-managed-irqs.patch
+genirq-cpuhotplug-add-sanity-check-for-effective-affinity-mask.patch
+usb-serial-ftdi_sio-add-id-for-cypress-wiced-dev-board.patch
+usb-serial-cp210x-fix-partnum-regression.patch
+usb-serial-cp210x-add-support-for-elv-tfd500.patch
+usb-serial-option-add-support-for-tp-link-lte-module.patch
+usb-serial-qcserial-add-dell-dw5818-dw5819.patch
+usb-serial-console-fix-use-after-free-on-disconnect.patch
+usb-serial-console-fix-use-after-free-after-failed-setup.patch
diff --git a/queue-4.13/usb-gadget-composite-fix-use-after-free-in-usb_composite_overwrite_options.patch b/queue-4.13/usb-gadget-composite-fix-use-after-free-in-usb_composite_overwrite_options.patch
new file mode 100644 (file)
index 0000000..9bed114
--- /dev/null
@@ -0,0 +1,58 @@
+From aec17e1e249567e82b26dafbb86de7d07fde8729 Mon Sep 17 00:00:00 2001
+From: Andrew Gabbasov <andrew_gabbasov@mentor.com>
+Date: Sat, 30 Sep 2017 08:55:55 -0700
+Subject: usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options
+
+From: Andrew Gabbasov <andrew_gabbasov@mentor.com>
+
+commit aec17e1e249567e82b26dafbb86de7d07fde8729 upstream.
+
+KASAN enabled configuration reports an error
+
+    BUG: KASAN: use-after-free in usb_composite_overwrite_options+...
+                [libcomposite] at addr ...
+    Read of size 1 by task ...
+
+when some driver is un-bound and then bound again.
+For example, this happens with FunctionFS driver when "ffs-test"
+test application is run several times in a row.
+
+If the driver has empty manufacturer ID string in initial static data,
+it is then replaced with generated string. After driver unbinding
+the generated string is freed, but the driver data still keep that
+pointer. And if the driver is then bound again, that pointer
+is re-used for string emptiness check.
+
+The fix is to clean up the driver string data upon its unbinding
+to drop the pointer to freed memory.
+
+Fixes: cc2683c318a5 ("usb: gadget: Provide a default implementation of default manufacturer string")
+Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/composite.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -2026,6 +2026,8 @@ static DEVICE_ATTR_RO(suspended);
+ static void __composite_unbind(struct usb_gadget *gadget, bool unbind_driver)
+ {
+       struct usb_composite_dev        *cdev = get_gadget_data(gadget);
++      struct usb_gadget_strings       *gstr = cdev->driver->strings[0];
++      struct usb_string               *dev_str = gstr->strings;
+       /* composite_disconnect() must already have been called
+        * by the underlying peripheral controller driver!
+@@ -2045,6 +2047,9 @@ static void __composite_unbind(struct us
+       composite_dev_cleanup(cdev);
++      if (dev_str[USB_GADGET_MANUFACTURER_IDX].s == cdev->def_manufacturer)
++              dev_str[USB_GADGET_MANUFACTURER_IDX].s = "";
++
+       kfree(cdev->def_manufacturer);
+       kfree(cdev);
+       set_gadget_data(gadget, NULL);
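Review bot: In the `__composite_unbind` hunk, `cdev->driver->strings[0]` and `gstr->strings` are dereferenced in the declarations, before anything checks that the driver registered a strings table. Whether every composite driver does so is not visible here, so this should be confirmed or guarded. The reset also needs a comment, because its link to the `kfree(cdev->def_manufacturer)` just below is not obvious from the code: `/* def_manufacturer is freed below; drop the driver's alias to it so a rebind does not read freed memory */`. The function body continues outside the hunk.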
diff --git a/queue-4.13/usb-gadget-configfs-fix-memory-leak-of-interface-directory-data.patch b/queue-4.13/usb-gadget-configfs-fix-memory-leak-of-interface-directory-data.patch
new file mode 100644 (file)
index 0000000..d6590b2
--- /dev/null
@@ -0,0 +1,141 @@
+From ff74745e6d3d97a865eda8c1f3fd29c13b79f0cc Mon Sep 17 00:00:00 2001
+From: Andrew Gabbasov <andrew_gabbasov@mentor.com>
+Date: Sat, 30 Sep 2017 08:54:52 -0700
+Subject: usb: gadget: configfs: Fix memory leak of interface directory data
+
+From: Andrew Gabbasov <andrew_gabbasov@mentor.com>
+
+commit ff74745e6d3d97a865eda8c1f3fd29c13b79f0cc upstream.
+
+Kmemleak checking configuration reports a memory leak in
+usb_os_desc_prepare_interf_dir function when rndis function
+instance is freed and then allocated again. For example, this
+happens with FunctionFS driver with RNDIS function enabled
+when "ffs-test" test application is run several times in a row.
+
+The data for intermediate "os_desc" group for interface directories
+is allocated as a single VLA chunk and (after a change of default
+groups handling) is not ever freed and actually not stored anywhere
+besides inside a list of default groups of a parent group.
+
+The fix is to make usb_os_desc_prepare_interf_dir function return
+a pointer to allocated data (as a pointer to the first VLA item)
+instead of (an unused) integer and to make the caller component
+(currently the only one is RNDIS function) responsible for storing
+the pointer and freeing the memory when appropriate.
+
+Fixes: 1ae1602de028 ("configfs: switch ->default groups to a linked list")
+Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/configfs.c         |   15 ++++++++-------
+ drivers/usb/gadget/configfs.h         |   11 ++++++-----
+ drivers/usb/gadget/function/f_rndis.c |   12 ++++++++++--
+ drivers/usb/gadget/function/u_rndis.h |    1 +
+ 4 files changed, 25 insertions(+), 14 deletions(-)
+
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -1143,11 +1143,12 @@ static struct configfs_attribute *interf
+       NULL
+ };
+-int usb_os_desc_prepare_interf_dir(struct config_group *parent,
+-                                 int n_interf,
+-                                 struct usb_os_desc **desc,
+-                                 char **names,
+-                                 struct module *owner)
++struct config_group *usb_os_desc_prepare_interf_dir(
++              struct config_group *parent,
++              int n_interf,
++              struct usb_os_desc **desc,
++              char **names,
++              struct module *owner)
+ {
+       struct config_group *os_desc_group;
+       struct config_item_type *os_desc_type, *interface_type;
+@@ -1159,7 +1160,7 @@ int usb_os_desc_prepare_interf_dir(struc
+       char *vlabuf = kzalloc(vla_group_size(data_chunk), GFP_KERNEL);
+       if (!vlabuf)
+-              return -ENOMEM;
++              return ERR_PTR(-ENOMEM);
+       os_desc_group = vla_ptr(vlabuf, data_chunk, os_desc_group);
+       os_desc_type = vla_ptr(vlabuf, data_chunk, os_desc_type);
+@@ -1184,7 +1185,7 @@ int usb_os_desc_prepare_interf_dir(struc
+               configfs_add_default_group(&d->group, os_desc_group);
+       }
+-      return 0;
++      return os_desc_group;
+ }
+ EXPORT_SYMBOL(usb_os_desc_prepare_interf_dir);
+--- a/drivers/usb/gadget/configfs.h
++++ b/drivers/usb/gadget/configfs.h
+@@ -5,11 +5,12 @@
+ void unregister_gadget_item(struct config_item *item);
+-int usb_os_desc_prepare_interf_dir(struct config_group *parent,
+-                                 int n_interf,
+-                                 struct usb_os_desc **desc,
+-                                 char **names,
+-                                 struct module *owner);
++struct config_group *usb_os_desc_prepare_interf_dir(
++              struct config_group *parent,
++              int n_interf,
++              struct usb_os_desc **desc,
++              char **names,
++              struct module *owner);
+ static inline struct usb_os_desc *to_usb_os_desc(struct config_item *item)
+ {
+--- a/drivers/usb/gadget/function/f_rndis.c
++++ b/drivers/usb/gadget/function/f_rndis.c
+@@ -892,6 +892,7 @@ static void rndis_free_inst(struct usb_f
+                       free_netdev(opts->net);
+       }
++      kfree(opts->rndis_interf_group);        /* single VLA chunk */
+       kfree(opts);
+ }
+@@ -900,6 +901,7 @@ static struct usb_function_instance *rnd
+       struct f_rndis_opts *opts;
+       struct usb_os_desc *descs[1];
+       char *names[1];
++      struct config_group *rndis_interf_group;
+       opts = kzalloc(sizeof(*opts), GFP_KERNEL);
+       if (!opts)
+@@ -920,8 +922,14 @@ static struct usb_function_instance *rnd
+       names[0] = "rndis";
+       config_group_init_type_name(&opts->func_inst.group, "",
+                                   &rndis_func_type);
+-      usb_os_desc_prepare_interf_dir(&opts->func_inst.group, 1, descs,
+-                                     names, THIS_MODULE);
++      rndis_interf_group =
++              usb_os_desc_prepare_interf_dir(&opts->func_inst.group, 1, descs,
++                                             names, THIS_MODULE);
++      if (IS_ERR(rndis_interf_group)) {
++              rndis_free_inst(&opts->func_inst);
++              return ERR_CAST(rndis_interf_group);
++      }
++      opts->rndis_interf_group = rndis_interf_group;
+       return &opts->func_inst;
+ }
+--- a/drivers/usb/gadget/function/u_rndis.h
++++ b/drivers/usb/gadget/function/u_rndis.h
+@@ -26,6 +26,7 @@ struct f_rndis_opts {
+       bool                            bound;
+       bool                            borrowed_net;
++      struct config_group             *rndis_interf_group;
+       struct usb_os_desc              rndis_os_desc;
+       char                            rndis_ext_compat_id[16];
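Review bot: `kfree(opts->rndis_interf_group)` in `rndis_free_inst` is only correct while `os_desc_group` is the first item of the VLA chunk, because `usb_os_desc_prepare_interf_dir` now returns `os_desc_group` rather than `vlabuf`. The `/* single VLA chunk */` comment at the free site hints at this, but neither the `return os_desc_group;` nor the prototype in configfs.h states the ownership contract. I would add `/* first VLA item, i.e. the kzalloc()ed address; the caller must kfree() it */` at the return and a matching line above the declaration. Without that, a reordering of the chunk layout (declared outside this hunk) would turn the kfree into a free of an interior pointer with no compiler warning.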
diff --git a/queue-4.13/usb-serial-console-fix-use-after-free-after-failed-setup.patch b/queue-4.13/usb-serial-console-fix-use-after-free-after-failed-setup.patch
new file mode 100644 (file)
index 0000000..eb79e0a
--- /dev/null
@@ -0,0 +1,32 @@
+From 299d7572e46f98534033a9e65973f13ad1ce9047 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 4 Oct 2017 11:01:13 +0200
+Subject: USB: serial: console: fix use-after-free after failed setup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 299d7572e46f98534033a9e65973f13ad1ce9047 upstream.
+
+Make sure to reset the USB-console port pointer when console setup fails
+in order to avoid having the struct usb_serial be prematurely freed by
+the console code when the device is later disconnected.
+
+Fixes: 73e487fdb75f ("[PATCH] USB console: fix disconnection issues")
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/console.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/console.c
++++ b/drivers/usb/serial/console.c
+@@ -186,6 +186,7 @@ static int usb_console_setup(struct cons
+       tty_kref_put(tty);
+  reset_open_count:
+       port->port.count = 0;
++      info->port = NULL;
+       usb_autopm_put_interface(serial->interface);
+  error_get_interface:
+       usb_serial_put(serial);
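Review bot: The added `info->port = NULL;` sits under `reset_open_count:`, so only failure paths that enter at or above that label clear the pointer. The hunk does not show whether `info->port` is assigned before any `goto error_get_interface`, which is worth confirming. A short comment would tie the line to its purpose, e.g. `/* setup failed: clear the console port so disconnect does not put the serial again */`. usb_console_setup starts and ends outside the hunk.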
diff --git a/queue-4.13/usb-serial-console-fix-use-after-free-on-disconnect.patch b/queue-4.13/usb-serial-console-fix-use-after-free-on-disconnect.patch
new file mode 100644 (file)
index 0000000..fdacce5
--- /dev/null
@@ -0,0 +1,36 @@
+From bd998c2e0df0469707503023d50d46cf0b10c787 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 4 Oct 2017 11:01:12 +0200
+Subject: USB: serial: console: fix use-after-free on disconnect
+
+From: Johan Hovold <johan@kernel.org>
+
+commit bd998c2e0df0469707503023d50d46cf0b10c787 upstream.
+
+A clean-up patch removing two redundant NULL-checks from the console
+disconnect handler inadvertently also removed a third check. This could
+lead to the struct usb_serial being prematurely freed by the console
+code when a driver accepts but does not register any ports for an
+interface which also lacks endpoint descriptors.
+
+Fixes: 0e517c93dc02 ("USB: serial: console: clean up sanity checks")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/console.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/console.c
++++ b/drivers/usb/serial/console.c
+@@ -265,7 +265,7 @@ static struct console usbcons = {
+ void usb_serial_console_disconnect(struct usb_serial *serial)
+ {
+-      if (serial->port[0] == usbcons_info.port) {
++      if (serial->port[0] && serial->port[0] == usbcons_info.port) {
+               usb_serial_console_exit();
+               usb_serial_put(serial);
+       }
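Review bot: The restored `serial->port[0] &&` test carries no comment, and the commit message says it was lost because it looked like one more redundant NULL check. A NULL `port[0]` would presumably compare equal to a console port that was never set or was reset to NULL, which is how the serial gets put without the console owning it. I would document that above the condition: `/* port[0] is NULL if no ports were registered; it must not match an unset console port */`.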
diff --git a/queue-4.13/usb-serial-cp210x-add-support-for-elv-tfd500.patch b/queue-4.13/usb-serial-cp210x-add-support-for-elv-tfd500.patch
new file mode 100644 (file)
index 0000000..94c03ff
--- /dev/null
@@ -0,0 +1,29 @@
+From c496ad835c31ad639b6865714270b3003df031f6 Mon Sep 17 00:00:00 2001
+From: Andreas Engel <anen-nospam@gmx.net>
+Date: Mon, 18 Sep 2017 21:11:57 +0200
+Subject: USB: serial: cp210x: add support for ELV TFD500
+
+From: Andreas Engel <anen-nospam@gmx.net>
+
+commit c496ad835c31ad639b6865714270b3003df031f6 upstream.
+
+Add the USB device id for the ELV TFD500 data logger.
+
+Signed-off-by: Andreas Engel <anen-nospam@gmx.net>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/cp210x.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -177,6 +177,7 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */
+       { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */
+       { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */
++      { USB_DEVICE(0x18EF, 0xE032) }, /* ELV TFD500 Data Logger */
+       { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
+       { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */
+       { USB_DEVICE(0x1901, 0x0194) }, /* GE Healthcare Remote Alarm Box */
diff --git a/queue-4.13/usb-serial-cp210x-fix-partnum-regression.patch b/queue-4.13/usb-serial-cp210x-fix-partnum-regression.patch
new file mode 100644 (file)
index 0000000..fda5ad9
--- /dev/null
@@ -0,0 +1,64 @@
+From 7eac35ea29dc54cbc8399de84c9bf16553575b89 Mon Sep 17 00:00:00 2001
+From: Sebastian Frei <dr.nop@gmx.net>
+Date: Tue, 12 Sep 2017 09:50:59 +0200
+Subject: USB: serial: cp210x: fix partnum regression
+
+From: Sebastian Frei <dr.nop@gmx.net>
+
+commit 7eac35ea29dc54cbc8399de84c9bf16553575b89 upstream.
+
+When adding GPIO support for the cp2105, the mentioned commit by Martyn
+Welch introduced a query for the part number of the chip. Unfortunately
+the driver aborts probing when this query fails, so currently the driver
+can not be used with chips not supporting this query.
+I have a data cable for Siemens mobile phones (ID 10ab:10c5) where this
+is the case.
+With this patch the driver can be bound even if the part number can not
+be queried.
+
+Fixes: cf5276ce7867 ("USB: serial: cp210x: Adding GPIO support for CP2105")
+Signed-off-by: Sebastian Frei <dr.nop@gmx.net>
+[ johan: amend commit message; shorten error message and demote to
+         warning; drop unnecessary move of usb_set_serial_data() ]
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/cp210x.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -352,6 +352,7 @@ static struct usb_serial_driver * const
+ #define CP210X_PARTNUM_CP2104 0x04
+ #define CP210X_PARTNUM_CP2105 0x05
+ #define CP210X_PARTNUM_CP2108 0x08
++#define CP210X_PARTNUM_UNKNOWN        0xFF
+ /* CP210X_GET_COMM_STATUS returns these 0x13 bytes */
+ struct cp210x_comm_status {
+@@ -1491,8 +1492,11 @@ static int cp210x_attach(struct usb_seri
+       result = cp210x_read_vendor_block(serial, REQTYPE_DEVICE_TO_HOST,
+                                         CP210X_GET_PARTNUM, &priv->partnum,
+                                         sizeof(priv->partnum));
+-      if (result < 0)
+-              goto err_free_priv;
++      if (result < 0) {
++              dev_warn(&serial->interface->dev,
++                       "querying part number failed\n");
++              priv->partnum = CP210X_PARTNUM_UNKNOWN;
++      }
+       usb_set_serial_data(serial, priv);
+@@ -1505,10 +1509,6 @@ static int cp210x_attach(struct usb_seri
+       }
+       return 0;
+-err_free_priv:
+-      kfree(priv);
+-
+-      return result;
+ }
+ static void cp210x_disconnect(struct usb_serial *serial)
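Review bot: The new `dev_warn` in `cp210x_attach` discards `result`, so a log reader cannot tell which kind of failure the part number query hit. Using `"querying part number failed: %d\n", result` would keep that information. `CP210X_PARTNUM_UNKNOWN` also deserves a one-line comment such as `/* part number query failed or is unsupported */`. Code outside this hunk that branches on `priv->partnum` should be checked to confirm it treats 0xFF as having no optional features. The function starts outside the hunk.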
diff --git a/queue-4.13/usb-serial-ftdi_sio-add-id-for-cypress-wiced-dev-board.patch b/queue-4.13/usb-serial-ftdi_sio-add-id-for-cypress-wiced-dev-board.patch
new file mode 100644 (file)
index 0000000..f52b9b5
--- /dev/null
@@ -0,0 +1,48 @@
+From a6c215e21b0dc5fe9416dce90f9acc2ea53c4502 Mon Sep 17 00:00:00 2001
+From: Jeffrey Chu <jeffrey.chu@cypress.com>
+Date: Fri, 8 Sep 2017 21:08:58 +0000
+Subject: USB: serial: ftdi_sio: add id for Cypress WICED dev board
+
+From: Jeffrey Chu <jeffrey.chu@cypress.com>
+
+commit a6c215e21b0dc5fe9416dce90f9acc2ea53c4502 upstream.
+
+Add CYPRESS_VID vid and CYPRESS_WICED_BT_USB and CYPRESS_WICED_WL_USB
+device IDs to ftdi_sio driver.
+
+Signed-off-by: Jeffrey Chu <jeffrey.chu@cypress.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ftdi_sio.c     |    2 ++
+ drivers/usb/serial/ftdi_sio_ids.h |    7 +++++++
+ 2 files changed, 9 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1015,6 +1015,8 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE(WICED_VID, WICED_USB20706V2_PID) },
+       { USB_DEVICE(TI_VID, TI_CC3200_LAUNCHPAD_PID),
+               .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
++      { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_BT_USB_PID) },
++      { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_WL_USB_PID) },
+       { }                                     /* Terminating entry */
+ };
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -610,6 +610,13 @@
+ #define ADI_GNICEPLUS_PID     0xF001
+ /*
++ * Cypress WICED USB UART
++ */
++#define CYPRESS_VID                   0x04B4
++#define CYPRESS_WICED_BT_USB_PID      0x009B
++#define CYPRESS_WICED_WL_USB_PID      0xF900
++
++/*
+  * Microchip Technology, Inc.
+  *
+  * MICROCHIP_VID (0x04D8) and MICROCHIP_USB_BOARD_PID (0x000A) are
diff --git a/queue-4.13/usb-serial-option-add-support-for-tp-link-lte-module.patch b/queue-4.13/usb-serial-option-add-support-for-tp-link-lte-module.patch
new file mode 100644 (file)
index 0000000..6eca33d
--- /dev/null
@@ -0,0 +1,38 @@
+From 837ddc4793a69b256ac5e781a5e729b448a8d983 Mon Sep 17 00:00:00 2001
+From: Henryk Heisig <hyniu@o2.pl>
+Date: Mon, 11 Sep 2017 17:57:34 +0200
+Subject: USB: serial: option: add support for TP-Link LTE module
+
+From: Henryk Heisig <hyniu@o2.pl>
+
+commit 837ddc4793a69b256ac5e781a5e729b448a8d983 upstream.
+
+This commit adds support for TP-Link LTE mPCIe module is used
+in in TP-Link MR200v1, MR6400v1 and v2 routers.
+
+Signed-off-by: Henryk Heisig <hyniu@o2.pl>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -522,6 +522,7 @@ static void option_instat_callback(struc
+ /* TP-LINK Incorporated products */
+ #define TPLINK_VENDOR_ID                      0x2357
++#define TPLINK_PRODUCT_LTE                    0x000D
+ #define TPLINK_PRODUCT_MA180                  0x0201
+ /* Changhong products */
+@@ -2011,6 +2012,7 @@ static const struct usb_device_id option
+       { USB_DEVICE(CELLIENT_VENDOR_ID, CELLIENT_PRODUCT_MEN200) },
+       { USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T_600A) },
+       { USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T_600E) },
++      { USB_DEVICE_AND_INTERFACE_INFO(TPLINK_VENDOR_ID, TPLINK_PRODUCT_LTE, 0xff, 0x00, 0x00) },      /* TP-Link LTE Module */
+       { USB_DEVICE(TPLINK_VENDOR_ID, TPLINK_PRODUCT_MA180),
+         .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+       { USB_DEVICE(TPLINK_VENDOR_ID, 0x9000),                                 /* TP-Link MA260 */
diff --git a/queue-4.13/usb-serial-qcserial-add-dell-dw5818-dw5819.patch b/queue-4.13/usb-serial-qcserial-add-dell-dw5818-dw5819.patch
new file mode 100644 (file)
index 0000000..a991b0a
--- /dev/null
@@ -0,0 +1,34 @@
+From f5d9644c5fca7d8e8972268598bb516a7eae17f9 Mon Sep 17 00:00:00 2001
+From: Shrirang Bagul <shrirang.bagul@canonical.com>
+Date: Fri, 29 Sep 2017 12:39:51 +0800
+Subject: USB: serial: qcserial: add Dell DW5818, DW5819
+
+From: Shrirang Bagul <shrirang.bagul@canonical.com>
+
+commit f5d9644c5fca7d8e8972268598bb516a7eae17f9 upstream.
+
+Dell Wireless 5819/5818 devices are re-branded Sierra Wireless MC74
+series which will by default boot with vid 0x413c and pid's 0x81cf,
+0x81d0, 0x81d1, 0x81d2.
+
+Signed-off-by: Shrirang Bagul <shrirang.bagul@canonical.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/qcserial.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/qcserial.c
++++ b/drivers/usb/serial/qcserial.c
+@@ -174,6 +174,10 @@ static const struct usb_device_id id_tab
+       {DEVICE_SWI(0x413c, 0x81b3)},   /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */
+       {DEVICE_SWI(0x413c, 0x81b5)},   /* Dell Wireless 5811e QDL */
+       {DEVICE_SWI(0x413c, 0x81b6)},   /* Dell Wireless 5811e QDL */
++      {DEVICE_SWI(0x413c, 0x81cf)},   /* Dell Wireless 5819 */
++      {DEVICE_SWI(0x413c, 0x81d0)},   /* Dell Wireless 5819 */
++      {DEVICE_SWI(0x413c, 0x81d1)},   /* Dell Wireless 5818 */
++      {DEVICE_SWI(0x413c, 0x81d2)},   /* Dell Wireless 5818 */
+       /* Huawei devices */
+       {DEVICE_HWI(0x03f0, 0x581d)},   /* HP lt4112 LTE/HSPA+ Gobi 4G Modem (Huawei me906e) */