--- /dev/null
+From a64a62ce9a380213dc9e192f762266d70c9b40ec Mon Sep 17 00:00:00 2001
+From: Lv Zheng <lv.zheng@intel.com>
+Date: Tue, 26 Sep 2017 16:54:09 +0800
+Subject: ACPI / EC: Fix regression related to PM ops support in ECDT device
+
+From: Lv Zheng <lv.zheng@intel.com>
+
+commit a64a62ce9a380213dc9e192f762266d70c9b40ec upstream.
+
+On platforms (ASUS X550ZE and possibly all ASUS X series) with valid ECDT
+EC but invalid DSDT EC, EC PM ops won't be invoked as ECDT EC is not an
+ACPI device. Thus the following commit actually removed post-resume
+acpi_ec_enable_event() invocation for such platforms, and triggered a
+regression on them that after being resumed, EC (actually should be ECDT)
+driver stops handling EC events:
+
+ Commit: c2b46d679b30c5c0d7eb47a21085943242bdd8dc
+ Subject: ACPI / EC: Add PM operations to improve event handling for resume process
+
+Notice that the root cause actually is "ECDT is not an ACPI device" rather
+than "the timing of acpi_ec_enable_event() invocation", this patch fixes
+this issue by enumerating ECDT EC as an ACPI device. Due to the existence
+of the noirq stage, the ability of tuning the timing of
+acpi_ec_enable_event() invocation is still meaningful.
+
+This patch is a little bit different from the posted fix by moving
+acpi_config_boot_ec() from acpi_ec_ecdt_start() to acpi_ec_add() to make
+sure that EC event handling won't be stopped as long as the ACPI EC driver
+is bound. Thus the following sequence shouldn't disable EC event handling:
+unbind,suspend,resume,bind.
+
+Fixes: c2b46d679b30 (ACPI / EC: Add PM operations to improve event handling for resume process)
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=196847
+Reported-by: Luya Tshimbalanga <luya@fedoraproject.org>
+Tested-by: Luya Tshimbalanga <luya@fedoraproject.org>
+Signed-off-by: Lv Zheng <lv.zheng@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/ec.c | 69 ++++++++++++++++++++++++++++----------------
+ drivers/acpi/internal.h | 1
+ drivers/acpi/scan.c | 21 +++++++++++++
+ include/acpi/acpi_bus.h | 1
+ include/acpi/acpi_drivers.h | 1
+ 5 files changed, 69 insertions(+), 24 deletions(-)
+
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -1597,32 +1597,41 @@ static int acpi_ec_add(struct acpi_devic
+ {
+ struct acpi_ec *ec = NULL;
+ int ret;
++ bool is_ecdt = false;
++ acpi_status status;
+
+ strcpy(acpi_device_name(device), ACPI_EC_DEVICE_NAME);
+ strcpy(acpi_device_class(device), ACPI_EC_CLASS);
+
+- ec = acpi_ec_alloc();
+- if (!ec)
+- return -ENOMEM;
+- if (ec_parse_device(device->handle, 0, ec, NULL) !=
+- AE_CTRL_TERMINATE) {
++ if (!strcmp(acpi_device_hid(device), ACPI_ECDT_HID)) {
++ is_ecdt = true;
++ ec = boot_ec;
++ } else {
++ ec = acpi_ec_alloc();
++ if (!ec)
++ return -ENOMEM;
++ status = ec_parse_device(device->handle, 0, ec, NULL);
++ if (status != AE_CTRL_TERMINATE) {
+ ret = -EINVAL;
+ goto err_alloc;
++ }
+ }
+
+ if (acpi_is_boot_ec(ec)) {
+- boot_ec_is_ecdt = false;
+- /*
+- * Trust PNP0C09 namespace location rather than ECDT ID.
+- *
+- * But trust ECDT GPE rather than _GPE because of ASUS quirks,
+- * so do not change boot_ec->gpe to ec->gpe.
+- */
+- boot_ec->handle = ec->handle;
+- acpi_handle_debug(ec->handle, "duplicated.\n");
+- acpi_ec_free(ec);
+- ec = boot_ec;
+- ret = acpi_config_boot_ec(ec, ec->handle, true, false);
++ boot_ec_is_ecdt = is_ecdt;
++ if (!is_ecdt) {
++ /*
++ * Trust PNP0C09 namespace location rather than
++ * ECDT ID. But trust ECDT GPE rather than _GPE
++ * because of ASUS quirks, so do not change
++ * boot_ec->gpe to ec->gpe.
++ */
++ boot_ec->handle = ec->handle;
++ acpi_handle_debug(ec->handle, "duplicated.\n");
++ acpi_ec_free(ec);
++ ec = boot_ec;
++ }
++ ret = acpi_config_boot_ec(ec, ec->handle, true, is_ecdt);
+ } else
+ ret = acpi_ec_setup(ec, true);
+ if (ret)
+@@ -1635,8 +1644,10 @@ static int acpi_ec_add(struct acpi_devic
+ ret = !!request_region(ec->command_addr, 1, "EC cmd");
+ WARN(!ret, "Could not request EC cmd io port 0x%lx", ec->command_addr);
+
+- /* Reprobe devices depending on the EC */
+- acpi_walk_dep_device_list(ec->handle);
++ if (!is_ecdt) {
++ /* Reprobe devices depending on the EC */
++ acpi_walk_dep_device_list(ec->handle);
++ }
+ acpi_handle_debug(ec->handle, "enumerated.\n");
+ return 0;
+
+@@ -1692,6 +1703,7 @@ ec_parse_io_ports(struct acpi_resource *
+
+ static const struct acpi_device_id ec_device_ids[] = {
+ {"PNP0C09", 0},
++ {ACPI_ECDT_HID, 0},
+ {"", 0},
+ };
+
+@@ -1764,11 +1776,14 @@ static int __init acpi_ec_ecdt_start(voi
+ * Note: ec->handle can be valid if this function is called after
+ * acpi_ec_add(), hence the fast path.
+ */
+- if (boot_ec->handle != ACPI_ROOT_OBJECT)
+- handle = boot_ec->handle;
+- else if (!acpi_ec_ecdt_get_handle(&handle))
+- return -ENODEV;
+- return acpi_config_boot_ec(boot_ec, handle, true, true);
++ if (boot_ec->handle == ACPI_ROOT_OBJECT) {
++ if (!acpi_ec_ecdt_get_handle(&handle))
++ return -ENODEV;
++ boot_ec->handle = handle;
++ }
++
++ /* Register to ACPI bus with PM ops attached */
++ return acpi_bus_register_early_device(ACPI_BUS_TYPE_ECDT_EC);
+ }
+
+ #if 0
+@@ -2020,6 +2035,12 @@ int __init acpi_ec_init(void)
+
+ /* Drivers must be started after acpi_ec_query_init() */
+ dsdt_fail = acpi_bus_register_driver(&acpi_ec_driver);
++ /*
++ * Register ECDT to ACPI bus only when PNP0C09 probe fails. This is
++ * useful for platforms (confirmed on ASUS X550ZE) with valid ECDT
++ * settings but invalid DSDT settings.
++ * https://bugzilla.kernel.org/show_bug.cgi?id=196847
++ */
+ ecdt_fail = acpi_ec_ecdt_start();
+ return ecdt_fail && dsdt_fail ? -ENODEV : 0;
+ }
+--- a/drivers/acpi/internal.h
++++ b/drivers/acpi/internal.h
+@@ -115,6 +115,7 @@ bool acpi_device_is_present(const struct
+ bool acpi_device_is_battery(struct acpi_device *adev);
+ bool acpi_device_is_first_physical_node(struct acpi_device *adev,
+ const struct device *dev);
++int acpi_bus_register_early_device(int type);
+
+ /* --------------------------------------------------------------------------
+ Device Matching and Notification
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -1024,6 +1024,9 @@ static void acpi_device_get_busid(struct
+ case ACPI_BUS_TYPE_SLEEP_BUTTON:
+ strcpy(device->pnp.bus_id, "SLPF");
+ break;
++ case ACPI_BUS_TYPE_ECDT_EC:
++ strcpy(device->pnp.bus_id, "ECDT");
++ break;
+ default:
+ acpi_get_name(device->handle, ACPI_SINGLE_NAME, &buffer);
+ /* Clean up trailing underscores (if any) */
+@@ -1304,6 +1307,9 @@ static void acpi_set_pnp_ids(acpi_handle
+ case ACPI_BUS_TYPE_SLEEP_BUTTON:
+ acpi_add_id(pnp, ACPI_BUTTON_HID_SLEEPF);
+ break;
++ case ACPI_BUS_TYPE_ECDT_EC:
++ acpi_add_id(pnp, ACPI_ECDT_HID);
++ break;
+ }
+ }
+
+@@ -2049,6 +2055,21 @@ void acpi_bus_trim(struct acpi_device *a
+ }
+ EXPORT_SYMBOL_GPL(acpi_bus_trim);
+
++int acpi_bus_register_early_device(int type)
++{
++ struct acpi_device *device = NULL;
++ int result;
++
++ result = acpi_add_single_object(&device, NULL,
++ type, ACPI_STA_DEFAULT);
++ if (result)
++ return result;
++
++ device->flags.match_driver = true;
++ return device_attach(&device->dev);
++}
++EXPORT_SYMBOL_GPL(acpi_bus_register_early_device);
++
+ static int acpi_bus_scan_fixed(void)
+ {
+ int result = 0;
+--- a/include/acpi/acpi_bus.h
++++ b/include/acpi/acpi_bus.h
+@@ -105,6 +105,7 @@ enum acpi_bus_device_type {
+ ACPI_BUS_TYPE_THERMAL,
+ ACPI_BUS_TYPE_POWER_BUTTON,
+ ACPI_BUS_TYPE_SLEEP_BUTTON,
++ ACPI_BUS_TYPE_ECDT_EC,
+ ACPI_BUS_DEVICE_TYPE_COUNT
+ };
+
+--- a/include/acpi/acpi_drivers.h
++++ b/include/acpi/acpi_drivers.h
+@@ -58,6 +58,7 @@
+ #define ACPI_VIDEO_HID "LNXVIDEO"
+ #define ACPI_BAY_HID "LNXIOBAY"
+ #define ACPI_DOCK_HID "LNXDOCK"
++#define ACPI_ECDT_HID "LNXEC"
+ /* Quirk for broken IBM BIOSes */
+ #define ACPI_SMBUS_IBM_HID "SMBUSIBM"
+
--- /dev/null
+From b12cbb21586277f72533769832c24cc6c1d60ab3 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 22 Nov 2017 07:33:38 -0800
+Subject: apparmor: fix oops in audit_signal_cb hook
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit b12cbb21586277f72533769832c24cc6c1d60ab3 upstream.
+
+The apparmor_audit_data struct ordering got messed up during a merge
+conflict, resulting in the signal integer and peer pointer being in
+a union instead of a struct.
+
+For most of the 4.13 and 4.14 life cycle, this was hidden by
+commit 651e28c5537a ("apparmor: add base infastructure for socket
+mediation") which fixed the apparmor_audit_data struct when its data
+was added. When that commit was reverted in -rc7 the signal audit bug
+was exposed, and unfortunately it never showed up in any of the
+testing until after 4.14 was released. Shaun Khan, Zephaniah
+E. Loss-Cutler-Hull filed nearly simultaneous bug reports (with
+different oopes, the smaller of which is included below).
+
+Full credit goes to Tetsuo Handa for jumping on this as well and
+noticing the audit data struct problem and reporting it.
+
+[ 76.178568] BUG: unable to handle kernel paging request at
+ffffffff0eee3bc0
+[ 76.178579] IP: audit_signal_cb+0x6c/0xe0
+[ 76.178581] PGD 1a640a067 P4D 1a640a067 PUD 0
+[ 76.178586] Oops: 0000 [#1] PREEMPT SMP
+[ 76.178589] Modules linked in: fuse rfcomm bnep usblp uvcvideo btusb
+btrtl btbcm btintel bluetooth ecdh_generic ip6table_filter ip6_tables
+xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack
+iptable_filter ip_tables x_tables intel_rapl joydev wmi_bmof serio_raw
+iwldvm iwlwifi shpchp kvm_intel kvm irqbypass autofs4 algif_skcipher
+nls_iso8859_1 nls_cp437 crc32_pclmul ghash_clmulni_intel
+[ 76.178620] CPU: 0 PID: 10675 Comm: pidgin Not tainted
+4.14.0-f1-dirty #135
+[ 76.178623] Hardware name: Hewlett-Packard HP EliteBook Folio
+9470m/18DF, BIOS 68IBD Ver. F.62 10/22/2015
+[ 76.178625] task: ffff9c7a94c31dc0 task.stack: ffffa09b02a4c000
+[ 76.178628] RIP: 0010:audit_signal_cb+0x6c/0xe0
+[ 76.178631] RSP: 0018:ffffa09b02a4fc08 EFLAGS: 00010292
+[ 76.178634] RAX: ffffa09b02a4fd60 RBX: ffff9c7aee0741f8 RCX:
+0000000000000000
+[ 76.178636] RDX: ffffffffee012290 RSI: 0000000000000006 RDI:
+ffff9c7a9493d800
+[ 76.178638] RBP: ffffa09b02a4fd40 R08: 000000000000004d R09:
+ffffa09b02a4fc46
+[ 76.178641] R10: ffffa09b02a4fcb8 R11: ffff9c7ab44f5072 R12:
+ffffa09b02a4fd40
+[ 76.178643] R13: ffffffff9e447be0 R14: ffff9c7a94c31dc0 R15:
+0000000000000001
+[ 76.178646] FS: 00007f8b11ba2a80(0000) GS:ffff9c7afea00000(0000)
+knlGS:0000000000000000
+[ 76.178648] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 76.178650] CR2: ffffffff0eee3bc0 CR3: 00000003d5209002 CR4:
+00000000001606f0
+[ 76.178652] Call Trace:
+[ 76.178660] common_lsm_audit+0x1da/0x780
+[ 76.178665] ? d_absolute_path+0x60/0x90
+[ 76.178669] ? aa_check_perms+0xcd/0xe0
+[ 76.178672] aa_check_perms+0xcd/0xe0
+[ 76.178675] profile_signal_perm.part.0+0x90/0xa0
+[ 76.178679] aa_may_signal+0x16e/0x1b0
+[ 76.178686] apparmor_task_kill+0x51/0x120
+[ 76.178690] security_task_kill+0x44/0x60
+[ 76.178695] group_send_sig_info+0x25/0x60
+[ 76.178699] kill_pid_info+0x36/0x60
+[ 76.178703] SYSC_kill+0xdb/0x180
+[ 76.178707] ? preempt_count_sub+0x92/0xd0
+[ 76.178712] ? _raw_write_unlock_irq+0x13/0x30
+[ 76.178716] ? task_work_run+0x6a/0x90
+[ 76.178720] ? exit_to_usermode_loop+0x80/0xa0
+[ 76.178723] entry_SYSCALL_64_fastpath+0x13/0x94
+[ 76.178727] RIP: 0033:0x7f8b0e58b767
+[ 76.178729] RSP: 002b:00007fff19efd4d8 EFLAGS: 00000206 ORIG_RAX:
+000000000000003e
+[ 76.178732] RAX: ffffffffffffffda RBX: 0000557f3e3c2050 RCX:
+00007f8b0e58b767
+[ 76.178735] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
+000000000000263b
+[ 76.178737] RBP: 0000000000000000 R08: 0000557f3e3c2270 R09:
+0000000000000001
+[ 76.178739] R10: 000000000000022d R11: 0000000000000206 R12:
+0000000000000000
+[ 76.178741] R13: 0000000000000001 R14: 0000557f3e3c13c0 R15:
+0000000000000000
+[ 76.178745] Code: 48 8b 55 18 48 89 df 41 b8 20 00 08 01 5b 5d 48 8b
+42 10 48 8b 52 30 48 63 48 4c 48 8b 44 c8 48 31 c9 48 8b 70 38 e9 f4 fd
+00 00 <48> 8b 14 d5 40 27 e5 9e 48 c7 c6 7d 07 19 9f 48 89 df e8 fd 35
+[ 76.178794] RIP: audit_signal_cb+0x6c/0xe0 RSP: ffffa09b02a4fc08
+[ 76.178796] CR2: ffffffff0eee3bc0
+[ 76.178799] ---[ end trace 514af9529297f1a3 ]---
+
+Fixes: cd1dbf76b23d ("apparmor: add the ability to mediate signals")
+Reported-by: Zephaniah E. Loss-Cutler-Hull <warp-spam_kernel@aehallh.com>
+Reported-by: Shuah Khan <shuahkh@osg.samsung.com>
+Suggested-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Tested-by: Ivan Kozik <ivan@ludios.org>
+Tested-by: Zephaniah E. Loss-Cutler-Hull <warp-spam_kernel@aehallh.com>
+Tested-by: Christian Boltz <apparmor@cboltz.de>
+Tested-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/include/audit.h | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/security/apparmor/include/audit.h
++++ b/security/apparmor/include/audit.h
+@@ -121,17 +121,19 @@ struct apparmor_audit_data {
+ /* these entries require a custom callback fn */
+ struct {
+ struct aa_label *peer;
+- struct {
+- const char *target;
+- kuid_t ouid;
+- } fs;
++ union {
++ struct {
++ const char *target;
++ kuid_t ouid;
++ } fs;
++ int signal;
++ };
+ };
+ struct {
+ struct aa_profile *profile;
+ const char *ns;
+ long pos;
+ } iface;
+- int signal;
+ struct {
+ int rlim;
+ unsigned long max;
--- /dev/null
+From be0f272bfc83797f70d44faca86954df62e2bbc0 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Mon, 20 Nov 2017 17:41:30 +0000
+Subject: arm64: ftrace: emit ftrace-mod.o contents through code
+
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+
+commit be0f272bfc83797f70d44faca86954df62e2bbc0 upstream.
+
+When building the arm64 kernel with both CONFIG_ARM64_MODULE_PLTS and
+CONFIG_DYNAMIC_FTRACE enabled, the ftrace-mod.o object file is built
+with the kernel and contains a trampoline that is linked into each
+module, so that modules can be loaded far away from the kernel and
+still reach the ftrace entry point in the core kernel with an ordinary
+relative branch, as is emitted by the compiler instrumentation code
+dynamic ftrace relies on.
+
+In order to be able to build out of tree modules, this object file
+needs to be included into the linux-headers or linux-devel packages,
+which is undesirable, as it makes arm64 a special case (although a
+precedent does exist for 32-bit PPC).
+
+Given that the trampoline essentially consists of a PLT entry, let's
+not bother with a source or object file for it, and simply patch it
+in whenever the trampoline is being populated, using the existing
+PLT support routines.
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/Makefile | 3 ---
+ arch/arm64/include/asm/module.h | 2 +-
+ arch/arm64/kernel/Makefile | 3 ---
+ arch/arm64/kernel/ftrace-mod.S | 18 ------------------
+ arch/arm64/kernel/ftrace.c | 14 ++++++++------
+ arch/arm64/kernel/module-plts.c | 12 ++++++++++++
+ arch/arm64/kernel/module.lds | 1 +
+ 7 files changed, 22 insertions(+), 31 deletions(-)
+
+--- a/arch/arm64/Makefile
++++ b/arch/arm64/Makefile
+@@ -77,9 +77,6 @@ endif
+
+ ifeq ($(CONFIG_ARM64_MODULE_PLTS),y)
+ KBUILD_LDFLAGS_MODULE += -T $(srctree)/arch/arm64/kernel/module.lds
+-ifeq ($(CONFIG_DYNAMIC_FTRACE),y)
+-KBUILD_LDFLAGS_MODULE += $(objtree)/arch/arm64/kernel/ftrace-mod.o
+-endif
+ endif
+
+ # Default value
+--- a/arch/arm64/include/asm/module.h
++++ b/arch/arm64/include/asm/module.h
+@@ -32,7 +32,7 @@ struct mod_arch_specific {
+ struct mod_plt_sec init;
+
+ /* for CONFIG_DYNAMIC_FTRACE */
+- void *ftrace_trampoline;
++ struct plt_entry *ftrace_trampoline;
+ };
+ #endif
+
+--- a/arch/arm64/kernel/Makefile
++++ b/arch/arm64/kernel/Makefile
+@@ -63,6 +63,3 @@ extra-y += $(head-y) vmlinux.lds
+ ifeq ($(CONFIG_DEBUG_EFI),y)
+ AFLAGS_head.o += -DVMLINUX_PATH="\"$(realpath $(objtree)/vmlinux)\""
+ endif
+-
+-# will be included by each individual module but not by the core kernel itself
+-extra-$(CONFIG_DYNAMIC_FTRACE) += ftrace-mod.o
+--- a/arch/arm64/kernel/ftrace-mod.S
++++ /dev/null
+@@ -1,18 +0,0 @@
+-/*
+- * Copyright (C) 2017 Linaro Ltd <ard.biesheuvel@linaro.org>
+- *
+- * This program is free software; you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License version 2 as
+- * published by the Free Software Foundation.
+- */
+-
+-#include <linux/linkage.h>
+-#include <asm/assembler.h>
+-
+- .section ".text.ftrace_trampoline", "ax"
+- .align 3
+-0: .quad 0
+-__ftrace_trampoline:
+- ldr x16, 0b
+- br x16
+-ENDPROC(__ftrace_trampoline)
+--- a/arch/arm64/kernel/ftrace.c
++++ b/arch/arm64/kernel/ftrace.c
+@@ -76,7 +76,7 @@ int ftrace_make_call(struct dyn_ftrace *
+
+ if (offset < -SZ_128M || offset >= SZ_128M) {
+ #ifdef CONFIG_ARM64_MODULE_PLTS
+- unsigned long *trampoline;
++ struct plt_entry trampoline;
+ struct module *mod;
+
+ /*
+@@ -104,22 +104,24 @@ int ftrace_make_call(struct dyn_ftrace *
+ * is added in the future, but for now, the pr_err() below
+ * deals with a theoretical issue only.
+ */
+- trampoline = (unsigned long *)mod->arch.ftrace_trampoline;
+- if (trampoline[0] != addr) {
+- if (trampoline[0] != 0) {
++ trampoline = get_plt_entry(addr);
++ if (!plt_entries_equal(mod->arch.ftrace_trampoline,
++ &trampoline)) {
++ if (!plt_entries_equal(mod->arch.ftrace_trampoline,
++ &(struct plt_entry){})) {
+ pr_err("ftrace: far branches to multiple entry points unsupported inside a single module\n");
+ return -EINVAL;
+ }
+
+ /* point the trampoline to our ftrace entry point */
+ module_disable_ro(mod);
+- trampoline[0] = addr;
++ *mod->arch.ftrace_trampoline = trampoline;
+ module_enable_ro(mod, true);
+
+ /* update trampoline before patching in the branch */
+ smp_wmb();
+ }
+- addr = (unsigned long)&trampoline[1];
++ addr = (unsigned long)(void *)mod->arch.ftrace_trampoline;
+ #else /* CONFIG_ARM64_MODULE_PLTS */
+ return -EINVAL;
+ #endif /* CONFIG_ARM64_MODULE_PLTS */
+--- a/arch/arm64/kernel/module-plts.c
++++ b/arch/arm64/kernel/module-plts.c
+@@ -120,6 +120,7 @@ int module_frob_arch_sections(Elf_Ehdr *
+ unsigned long core_plts = 0;
+ unsigned long init_plts = 0;
+ Elf64_Sym *syms = NULL;
++ Elf_Shdr *tramp = NULL;
+ int i;
+
+ /*
+@@ -131,6 +132,10 @@ int module_frob_arch_sections(Elf_Ehdr *
+ mod->arch.core.plt = sechdrs + i;
+ else if (!strcmp(secstrings + sechdrs[i].sh_name, ".init.plt"))
+ mod->arch.init.plt = sechdrs + i;
++ else if (IS_ENABLED(CONFIG_DYNAMIC_FTRACE) &&
++ !strcmp(secstrings + sechdrs[i].sh_name,
++ ".text.ftrace_trampoline"))
++ tramp = sechdrs + i;
+ else if (sechdrs[i].sh_type == SHT_SYMTAB)
+ syms = (Elf64_Sym *)sechdrs[i].sh_addr;
+ }
+@@ -181,5 +186,12 @@ int module_frob_arch_sections(Elf_Ehdr *
+ mod->arch.init.plt_num_entries = 0;
+ mod->arch.init.plt_max_entries = init_plts;
+
++ if (tramp) {
++ tramp->sh_type = SHT_NOBITS;
++ tramp->sh_flags = SHF_EXECINSTR | SHF_ALLOC;
++ tramp->sh_addralign = __alignof__(struct plt_entry);
++ tramp->sh_size = sizeof(struct plt_entry);
++ }
++
+ return 0;
+ }
+--- a/arch/arm64/kernel/module.lds
++++ b/arch/arm64/kernel/module.lds
+@@ -1,4 +1,5 @@
+ SECTIONS {
+ .plt (NOLOAD) : { BYTE(0) }
+ .init.plt (NOLOAD) : { BYTE(0) }
++ .text.ftrace_trampoline (NOLOAD) : { BYTE(0) }
+ }
--- /dev/null
+From 7e8b9c1d2e2f5f45db7d40b50d14f606097c25de Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Mon, 20 Nov 2017 17:41:29 +0000
+Subject: arm64: module-plts: factor out PLT generation code for ftrace
+
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+
+commit 7e8b9c1d2e2f5f45db7d40b50d14f606097c25de upstream.
+
+To allow the ftrace trampoline code to reuse the PLT entry routines,
+factor it out and move it into asm/module.h.
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/module.h | 44 ++++++++++++++++++++++++++++++++++++++++
+ arch/arm64/kernel/module-plts.c | 38 +---------------------------------
+ 2 files changed, 46 insertions(+), 36 deletions(-)
+
+--- a/arch/arm64/include/asm/module.h
++++ b/arch/arm64/include/asm/module.h
+@@ -45,4 +45,48 @@ extern u64 module_alloc_base;
+ #define module_alloc_base ((u64)_etext - MODULES_VSIZE)
+ #endif
+
++struct plt_entry {
++ /*
++ * A program that conforms to the AArch64 Procedure Call Standard
++ * (AAPCS64) must assume that a veneer that alters IP0 (x16) and/or
++ * IP1 (x17) may be inserted at any branch instruction that is
++ * exposed to a relocation that supports long branches. Since that
++ * is exactly what we are dealing with here, we are free to use x16
++ * as a scratch register in the PLT veneers.
++ */
++ __le32 mov0; /* movn x16, #0x.... */
++ __le32 mov1; /* movk x16, #0x...., lsl #16 */
++ __le32 mov2; /* movk x16, #0x...., lsl #32 */
++ __le32 br; /* br x16 */
++};
++
++static inline struct plt_entry get_plt_entry(u64 val)
++{
++ /*
++ * MOVK/MOVN/MOVZ opcode:
++ * +--------+------------+--------+-----------+-------------+---------+
++ * | sf[31] | opc[30:29] | 100101 | hw[22:21] | imm16[20:5] | Rd[4:0] |
++ * +--------+------------+--------+-----------+-------------+---------+
++ *
++ * Rd := 0x10 (x16)
++ * hw := 0b00 (no shift), 0b01 (lsl #16), 0b10 (lsl #32)
++ * opc := 0b11 (MOVK), 0b00 (MOVN), 0b10 (MOVZ)
++ * sf := 1 (64-bit variant)
++ */
++ return (struct plt_entry){
++ cpu_to_le32(0x92800010 | (((~val ) & 0xffff)) << 5),
++ cpu_to_le32(0xf2a00010 | ((( val >> 16) & 0xffff)) << 5),
++ cpu_to_le32(0xf2c00010 | ((( val >> 32) & 0xffff)) << 5),
++ cpu_to_le32(0xd61f0200)
++ };
++}
++
++static inline bool plt_entries_equal(const struct plt_entry *a,
++ const struct plt_entry *b)
++{
++ return a->mov0 == b->mov0 &&
++ a->mov1 == b->mov1 &&
++ a->mov2 == b->mov2;
++}
++
+ #endif /* __ASM_MODULE_H */
+--- a/arch/arm64/kernel/module-plts.c
++++ b/arch/arm64/kernel/module-plts.c
+@@ -11,21 +11,6 @@
+ #include <linux/module.h>
+ #include <linux/sort.h>
+
+-struct plt_entry {
+- /*
+- * A program that conforms to the AArch64 Procedure Call Standard
+- * (AAPCS64) must assume that a veneer that alters IP0 (x16) and/or
+- * IP1 (x17) may be inserted at any branch instruction that is
+- * exposed to a relocation that supports long branches. Since that
+- * is exactly what we are dealing with here, we are free to use x16
+- * as a scratch register in the PLT veneers.
+- */
+- __le32 mov0; /* movn x16, #0x.... */
+- __le32 mov1; /* movk x16, #0x...., lsl #16 */
+- __le32 mov2; /* movk x16, #0x...., lsl #32 */
+- __le32 br; /* br x16 */
+-};
+-
+ static bool in_init(const struct module *mod, void *loc)
+ {
+ return (u64)loc - (u64)mod->init_layout.base < mod->init_layout.size;
+@@ -40,33 +25,14 @@ u64 module_emit_plt_entry(struct module
+ int i = pltsec->plt_num_entries;
+ u64 val = sym->st_value + rela->r_addend;
+
+- /*
+- * MOVK/MOVN/MOVZ opcode:
+- * +--------+------------+--------+-----------+-------------+---------+
+- * | sf[31] | opc[30:29] | 100101 | hw[22:21] | imm16[20:5] | Rd[4:0] |
+- * +--------+------------+--------+-----------+-------------+---------+
+- *
+- * Rd := 0x10 (x16)
+- * hw := 0b00 (no shift), 0b01 (lsl #16), 0b10 (lsl #32)
+- * opc := 0b11 (MOVK), 0b00 (MOVN), 0b10 (MOVZ)
+- * sf := 1 (64-bit variant)
+- */
+- plt[i] = (struct plt_entry){
+- cpu_to_le32(0x92800010 | (((~val ) & 0xffff)) << 5),
+- cpu_to_le32(0xf2a00010 | ((( val >> 16) & 0xffff)) << 5),
+- cpu_to_le32(0xf2c00010 | ((( val >> 32) & 0xffff)) << 5),
+- cpu_to_le32(0xd61f0200)
+- };
++ plt[i] = get_plt_entry(val);
+
+ /*
+ * Check if the entry we just created is a duplicate. Given that the
+ * relocations are sorted, this will be the last entry we allocated.
+ * (if one exists).
+ */
+- if (i > 0 &&
+- plt[i].mov0 == plt[i - 1].mov0 &&
+- plt[i].mov1 == plt[i - 1].mov1 &&
+- plt[i].mov2 == plt[i - 1].mov2)
++ if (i > 0 && plt_entries_equal(plt + i, plt + i - 1))
+ return (u64)&plt[i - 1];
+
+ pltsec->plt_num_entries++;
--- /dev/null
+From cf33c1ee5254c6a430bc1538232b49c3ea13e613 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Fri, 24 Nov 2017 15:14:25 -0800
+Subject: bcache: Fix building error on MIPS
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit cf33c1ee5254c6a430bc1538232b49c3ea13e613 upstream.
+
+This patch try to fix the building error on MIPS. The reason is MIPS
+has already defined the PTR macro, which conflicts with the PTR macro
+in include/uapi/linux/bcache.h.
+
+[fixed by mlyle: corrected a line-length issue]
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Signed-off-by: Michael Lyle <mlyle@lyle.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/alloc.c | 2 +-
+ drivers/md/bcache/extents.c | 2 +-
+ drivers/md/bcache/journal.c | 2 +-
+ include/uapi/linux/bcache.h | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/md/bcache/alloc.c
++++ b/drivers/md/bcache/alloc.c
+@@ -480,7 +480,7 @@ int __bch_bucket_alloc_set(struct cache_
+ if (b == -1)
+ goto err;
+
+- k->ptr[i] = PTR(ca->buckets[b].gen,
++ k->ptr[i] = MAKE_PTR(ca->buckets[b].gen,
+ bucket_to_sector(c, b),
+ ca->sb.nr_this_dev);
+
+--- a/drivers/md/bcache/extents.c
++++ b/drivers/md/bcache/extents.c
+@@ -585,7 +585,7 @@ static bool bch_extent_merge(struct btre
+ return false;
+
+ for (i = 0; i < KEY_PTRS(l); i++)
+- if (l->ptr[i] + PTR(0, KEY_SIZE(l), 0) != r->ptr[i] ||
++ if (l->ptr[i] + MAKE_PTR(0, KEY_SIZE(l), 0) != r->ptr[i] ||
+ PTR_BUCKET_NR(b->c, l, i) != PTR_BUCKET_NR(b->c, r, i))
+ return false;
+
+--- a/drivers/md/bcache/journal.c
++++ b/drivers/md/bcache/journal.c
+@@ -507,7 +507,7 @@ static void journal_reclaim(struct cache
+ continue;
+
+ ja->cur_idx = next;
+- k->ptr[n++] = PTR(0,
++ k->ptr[n++] = MAKE_PTR(0,
+ bucket_to_sector(c, ca->sb.d[ja->cur_idx]),
+ ca->sb.nr_this_dev);
+ }
+--- a/include/uapi/linux/bcache.h
++++ b/include/uapi/linux/bcache.h
+@@ -91,7 +91,7 @@ PTR_FIELD(PTR_GEN, 0, 8)
+
+ #define PTR_CHECK_DEV ((1 << PTR_DEV_BITS) - 1)
+
+-#define PTR(gen, offset, dev) \
++#define MAKE_PTR(gen, offset, dev) \
+ ((((__u64) dev) << 51) | ((__u64) offset) << 8 | gen)
+
+ /* Bkey utility code */
--- /dev/null
+From d59b23795933678c9638fd20c942d2b4f3cd6185 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Mon, 30 Oct 2017 14:46:31 -0700
+Subject: bcache: only permit to recovery read error when cache device is clean
+
+From: Coly Li <colyli@suse.de>
+
+commit d59b23795933678c9638fd20c942d2b4f3cd6185 upstream.
+
+When bcache does read I/Os, for example in writeback or writethrough mode,
+if a read request on cache device is failed, bcache will try to recovery
+the request by reading from cached device. If the data on cached device is
+not synced with cache device, then requester will get a stale data.
+
+For critical storage system like database, providing stale data from
+recovery may result an application level data corruption, which is
+unacceptible.
+
+With this patch, for a failed read request in writeback or writethrough
+mode, recovery a recoverable read request only happens when cache device
+is clean. That is to say, all data on cached device is up to update.
+
+For other cache modes in bcache, read request will never hit
+cached_dev_read_error(), they don't need this patch.
+
+Please note, because cache mode can be switched arbitrarily in run time, a
+writethrough mode might be switched from a writeback mode. Therefore
+checking dc->has_data in writethrough mode still makes sense.
+
+Changelog:
+V4: Fix parens error pointed by Michael Lyle.
+v3: By response from Kent Oversteet, he thinks recovering stale data is a
+ bug to fix, and option to permit it is unnecessary. So this version
+ the sysfs file is removed.
+v2: rename sysfs entry from allow_stale_data_on_failure to
+ allow_stale_data_on_failure, and fix the confusing commit log.
+v1: initial patch posted.
+
+[small change to patch comment spelling by mlyle]
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Michael Lyle <mlyle@lyle.org>
+Reported-by: Arne Wolf <awolf@lenovo.com>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Cc: Kent Overstreet <kent.overstreet@gmail.com>
+Cc: Nix <nix@esperi.org.uk>
+Cc: Kai Krakow <hurikhan77@gmail.com>
+Cc: Eric Wheeler <bcache@lists.ewheeler.net>
+Cc: Junhui Tang <tang.junhui@zte.com.cn>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/request.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/request.c
++++ b/drivers/md/bcache/request.c
+@@ -698,8 +698,16 @@ static void cached_dev_read_error(struct
+ {
+ struct search *s = container_of(cl, struct search, cl);
+ struct bio *bio = &s->bio.bio;
++ struct cached_dev *dc = container_of(s->d, struct cached_dev, disk);
+
+- if (s->recoverable) {
++ /*
++ * If cache device is dirty (dc->has_dirty is non-zero), then
++ * recovery a failed read request from cached device may get a
++ * stale data back. So read failure recovery is only permitted
++ * when cache device is clean.
++ */
++ if (s->recoverable &&
++ (dc && !atomic_read(&dc->has_dirty))) {
+ /* Retry from the backing device: */
+ trace_bcache_read_retry(s->orig_bio);
+
--- /dev/null
+From e393aa2446150536929140739f09c6ecbcbea7f0 Mon Sep 17 00:00:00 2001
+From: Rui Hua <huarui.dev@gmail.com>
+Date: Fri, 24 Nov 2017 15:14:26 -0800
+Subject: bcache: recover data from backing when data is clean
+
+From: Rui Hua <huarui.dev@gmail.com>
+
+commit e393aa2446150536929140739f09c6ecbcbea7f0 upstream.
+
+When we send a read request and hit the clean data in cache device, there
+is a situation called cache read race in bcache(see the commit in the tail
+of cache_look_up(), the following explaination just copy from there):
+The bucket we're reading from might be reused while our bio is in flight,
+and we could then end up reading the wrong data. We guard against this
+by checking (in bch_cache_read_endio()) if the pointer is stale again;
+if so, we treat it as an error (s->iop.error = -EINTR) and reread from
+the backing device (but we don't pass that error up anywhere)
+
+It should be noted that cache read race happened under normal
+circumstances, not the circumstance when SSD failed, it was counted
+and shown in /sys/fs/bcache/XXX/internal/cache_read_races.
+
+Without this patch, when we use writeback mode, we will never reread from
+the backing device when cache read race happened, until the whole cache
+device is clean, because the condition
+(s->recoverable && (dc && !atomic_read(&dc->has_dirty))) is false in
+cached_dev_read_error(). In this situation, the s->iop.error(= -EINTR)
+will be passed up, at last, user will receive -EINTR when it's bio end,
+this is not suitable, and wield to up-application.
+
+In this patch, we use s->read_dirty_data to judge whether the read
+request hit dirty data in cache device, it is safe to reread data from
+the backing device when the read request hit clean data. This can not
+only handle cache read race, but also recover data when failed read
+request from cache device.
+
+[edited by mlyle to fix up whitespace, commit log title, comment
+spelling]
+
+Fixes: d59b23795933 ("bcache: only permit to recovery read error when cache device is clean")
+Signed-off-by: Hua Rui <huarui.dev@gmail.com>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Reviewed-by: Coly Li <colyli@suse.de>
+Signed-off-by: Michael Lyle <mlyle@lyle.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/request.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/drivers/md/bcache/request.c
++++ b/drivers/md/bcache/request.c
+@@ -698,16 +698,15 @@ static void cached_dev_read_error(struct
+ {
+ struct search *s = container_of(cl, struct search, cl);
+ struct bio *bio = &s->bio.bio;
+- struct cached_dev *dc = container_of(s->d, struct cached_dev, disk);
+
+ /*
+- * If cache device is dirty (dc->has_dirty is non-zero), then
+- * recovery a failed read request from cached device may get a
+- * stale data back. So read failure recovery is only permitted
+- * when cache device is clean.
++ * If read request hit dirty data (s->read_dirty_data is true),
++ * then recovery a failed read request from cached device may
++ * get a stale data back. So read failure recovery is only
++ * permitted when read request hit clean data in cache device,
++ * or when cache read race happened.
+ */
+- if (s->recoverable &&
+- (dc && !atomic_read(&dc->has_dirty))) {
++ if (s->recoverable && !s->read_dirty_data) {
+ /* Retry from the backing device: */
+ trace_bcache_read_retry(s->orig_bio);
+
--- /dev/null
+From 8e138e0d92c6c9d3d481674fb14e3439b495be37 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <jbacik@fb.com>
+Date: Fri, 17 Nov 2017 14:50:46 -0500
+Subject: btrfs: clear space cache inode generation always
+
+From: Josef Bacik <jbacik@fb.com>
+
+commit 8e138e0d92c6c9d3d481674fb14e3439b495be37 upstream.
+
+We discovered a box that had double allocations, and suspected the space
+cache may be to blame. While auditing the write out path I noticed that
+if we've already setup the space cache we will just carry on. This
+means that any error we hit after cache_save_setup before we go to
+actually write the cache out we won't reset the inode generation, so
+whatever was already written will be considered correct, except it'll be
+stale. Fix this by _always_ resetting the generation on the block group
+inode, this way we only ever have valid or invalid cache.
+
+With this patch I was no longer able to reproduce cache corruption with
+dm-log-writes and my bpf error injection tool.
+
+Signed-off-by: Josef Bacik <jbacik@fb.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/extent-tree.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -3526,13 +3526,6 @@ again:
+ goto again;
+ }
+
+- /* We've already setup this transaction, go ahead and exit */
+- if (block_group->cache_generation == trans->transid &&
+- i_size_read(inode)) {
+- dcs = BTRFS_DC_SETUP;
+- goto out_put;
+- }
+-
+ /*
+ * We want to set the generation to 0, that way if anything goes wrong
+ * from here on out we know not to trust this cache when we load up next
+@@ -3556,6 +3549,13 @@ again:
+ }
+ WARN_ON(ret);
+
++ /* We've already setup this transaction, go ahead and exit */
++ if (block_group->cache_generation == trans->transid &&
++ i_size_read(inode)) {
++ dcs = BTRFS_DC_SETUP;
++ goto out_put;
++ }
++
+ if (i_size_read(inode) > 0) {
+ ret = btrfs_check_trunc_cache_free_space(fs_info,
+ &fs_info->global_block_rsv);
--- /dev/null
+From 7d2c3f54e6f646887d019faa45f35d6fe9fe82ce Mon Sep 17 00:00:00 2001
+From: Stephan Mueller <smueller@chronox.de>
+Date: Fri, 10 Nov 2017 13:20:55 +0100
+Subject: crypto: af_alg - remove locking in async callback
+
+From: Stephan Mueller <smueller@chronox.de>
+
+commit 7d2c3f54e6f646887d019faa45f35d6fe9fe82ce upstream.
+
+The code paths protected by the socket-lock do not use or modify the
+socket in a non-atomic fashion. The actions pertaining the socket do not
+even need to be handled as an atomic operation. Thus, the socket-lock
+can be safely ignored.
+
+This fixes a bug regarding scheduling in atomic as the callback function
+may be invoked in interrupt context.
+
+In addition, the sock_hold is moved before the AIO encrypt/decrypt
+operation to ensure that the socket is always present. This avoids a
+tiny race window where the socket is unprotected and yet used by the AIO
+operation.
+
+Finally, the release of resources for a crypto operation is moved into a
+common function of af_alg_free_resources.
+
+Fixes: e870456d8e7c8 ("crypto: algif_skcipher - overhaul memory management")
+Fixes: d887c52d6ae43 ("crypto: algif_aead - overhaul memory management")
+Reported-by: Romain Izard <romain.izard.pro@gmail.com>
+Signed-off-by: Stephan Mueller <smueller@chronox.de>
+Tested-by: Romain Izard <romain.izard.pro@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/af_alg.c | 21 ++++++++++++++-------
+ crypto/algif_aead.c | 23 ++++++++++++-----------
+ crypto/algif_skcipher.c | 23 ++++++++++++-----------
+ include/crypto/if_alg.h | 1 +
+ 4 files changed, 39 insertions(+), 29 deletions(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -1048,6 +1048,18 @@ unlock:
+ EXPORT_SYMBOL_GPL(af_alg_sendpage);
+
+ /**
++ * af_alg_free_resources - release resources required for crypto request
++ */
++void af_alg_free_resources(struct af_alg_async_req *areq)
++{
++ struct sock *sk = areq->sk;
++
++ af_alg_free_areq_sgls(areq);
++ sock_kfree_s(sk, areq, areq->areqlen);
++}
++EXPORT_SYMBOL_GPL(af_alg_free_resources);
++
++/**
+ * af_alg_async_cb - AIO callback handler
+ *
+ * This handler cleans up the struct af_alg_async_req upon completion of the
+@@ -1063,18 +1075,13 @@ void af_alg_async_cb(struct crypto_async
+ struct kiocb *iocb = areq->iocb;
+ unsigned int resultlen;
+
+- lock_sock(sk);
+-
+ /* Buffer size written by crypto operation. */
+ resultlen = areq->outlen;
+
+- af_alg_free_areq_sgls(areq);
+- sock_kfree_s(sk, areq, areq->areqlen);
+- __sock_put(sk);
++ af_alg_free_resources(areq);
++ sock_put(sk);
+
+ iocb->ki_complete(iocb, err ? err : resultlen, 0);
+-
+- release_sock(sk);
+ }
+ EXPORT_SYMBOL_GPL(af_alg_async_cb);
+
+--- a/crypto/algif_aead.c
++++ b/crypto/algif_aead.c
+@@ -283,12 +283,23 @@ static int _aead_recvmsg(struct socket *
+
+ if (msg->msg_iocb && !is_sync_kiocb(msg->msg_iocb)) {
+ /* AIO operation */
++ sock_hold(sk);
+ areq->iocb = msg->msg_iocb;
+ aead_request_set_callback(&areq->cra_u.aead_req,
+ CRYPTO_TFM_REQ_MAY_BACKLOG,
+ af_alg_async_cb, areq);
+ err = ctx->enc ? crypto_aead_encrypt(&areq->cra_u.aead_req) :
+ crypto_aead_decrypt(&areq->cra_u.aead_req);
++
++ /* AIO operation in progress */
++ if (err == -EINPROGRESS || err == -EBUSY) {
++ /* Remember output size that will be generated. */
++ areq->outlen = outlen;
++
++ return -EIOCBQUEUED;
++ }
++
++ sock_put(sk);
+ } else {
+ /* Synchronous operation */
+ aead_request_set_callback(&areq->cra_u.aead_req,
+@@ -300,19 +311,9 @@ static int _aead_recvmsg(struct socket *
+ &ctx->completion);
+ }
+
+- /* AIO operation in progress */
+- if (err == -EINPROGRESS) {
+- sock_hold(sk);
+-
+- /* Remember output size that will be generated. */
+- areq->outlen = outlen;
+-
+- return -EIOCBQUEUED;
+- }
+
+ free:
+- af_alg_free_areq_sgls(areq);
+- sock_kfree_s(sk, areq, areq->areqlen);
++ af_alg_free_resources(areq);
+
+ return err ? err : outlen;
+ }
+--- a/crypto/algif_skcipher.c
++++ b/crypto/algif_skcipher.c
+@@ -117,6 +117,7 @@ static int _skcipher_recvmsg(struct sock
+
+ if (msg->msg_iocb && !is_sync_kiocb(msg->msg_iocb)) {
+ /* AIO operation */
++ sock_hold(sk);
+ areq->iocb = msg->msg_iocb;
+ skcipher_request_set_callback(&areq->cra_u.skcipher_req,
+ CRYPTO_TFM_REQ_MAY_SLEEP,
+@@ -124,6 +125,16 @@ static int _skcipher_recvmsg(struct sock
+ err = ctx->enc ?
+ crypto_skcipher_encrypt(&areq->cra_u.skcipher_req) :
+ crypto_skcipher_decrypt(&areq->cra_u.skcipher_req);
++
++ /* AIO operation in progress */
++ if (err == -EINPROGRESS || err == -EBUSY) {
++ /* Remember output size that will be generated. */
++ areq->outlen = len;
++
++ return -EIOCBQUEUED;
++ }
++
++ sock_put(sk);
+ } else {
+ /* Synchronous operation */
+ skcipher_request_set_callback(&areq->cra_u.skcipher_req,
+@@ -137,19 +148,9 @@ static int _skcipher_recvmsg(struct sock
+ &ctx->completion);
+ }
+
+- /* AIO operation in progress */
+- if (err == -EINPROGRESS) {
+- sock_hold(sk);
+-
+- /* Remember output size that will be generated. */
+- areq->outlen = len;
+-
+- return -EIOCBQUEUED;
+- }
+
+ free:
+- af_alg_free_areq_sgls(areq);
+- sock_kfree_s(sk, areq, areq->areqlen);
++ af_alg_free_resources(areq);
+
+ return err ? err : len;
+ }
+--- a/include/crypto/if_alg.h
++++ b/include/crypto/if_alg.h
+@@ -255,6 +255,7 @@ int af_alg_sendmsg(struct socket *sock,
+ unsigned int ivsize);
+ ssize_t af_alg_sendpage(struct socket *sock, struct page *page,
+ int offset, size_t size, int flags);
++void af_alg_free_resources(struct af_alg_async_req *areq);
+ void af_alg_async_cb(struct crypto_async_request *_req, int err);
+ unsigned int af_alg_poll(struct file *file, struct socket *sock,
+ poll_table *wait);
--- /dev/null
+From 8e1fa89aa8bc2870009b4486644e4a58f2e2a4f5 Mon Sep 17 00:00:00 2001
+From: Stephan Mueller <smueller@chronox.de>
+Date: Fri, 10 Nov 2017 11:04:52 +0100
+Subject: crypto: algif_aead - skip SGL entries with NULL page
+
+From: Stephan Mueller <smueller@chronox.de>
+
+commit 8e1fa89aa8bc2870009b4486644e4a58f2e2a4f5 upstream.
+
+The TX SGL may contain SGL entries that are assigned a NULL page. This
+may happen if a multi-stage AIO operation is performed where the data
+for each stage is pointed to by one SGL entry. Upon completion of that
+stage, af_alg_pull_tsgl will assign NULL to the SGL entry.
+
+The NULL cipher used to copy the AAD from TX SGL to the destination
+buffer, however, cannot handle the case where the SGL starts with an SGL
+entry having a NULL page. Thus, the code needs to advance the start
+pointer into the SGL to the first non-NULL entry.
+
+This fixes a crash visible on Intel x86 32 bit using the libkcapi test
+suite.
+
+Fixes: 72548b093ee38 ("crypto: algif_aead - copy AAD from src to dst")
+Signed-off-by: Stephan Mueller <smueller@chronox.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/algif_aead.c | 33 ++++++++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+--- a/crypto/algif_aead.c
++++ b/crypto/algif_aead.c
+@@ -101,10 +101,10 @@ static int _aead_recvmsg(struct socket *
+ struct aead_tfm *aeadc = pask->private;
+ struct crypto_aead *tfm = aeadc->aead;
+ struct crypto_skcipher *null_tfm = aeadc->null_tfm;
+- unsigned int as = crypto_aead_authsize(tfm);
++ unsigned int i, as = crypto_aead_authsize(tfm);
+ struct af_alg_async_req *areq;
+- struct af_alg_tsgl *tsgl;
+- struct scatterlist *src;
++ struct af_alg_tsgl *tsgl, *tmp;
++ struct scatterlist *rsgl_src, *tsgl_src = NULL;
+ int err = 0;
+ size_t used = 0; /* [in] TX bufs to be en/decrypted */
+ size_t outlen = 0; /* [out] RX bufs produced by kernel */
+@@ -178,7 +178,22 @@ static int _aead_recvmsg(struct socket *
+ }
+
+ processed = used + ctx->aead_assoclen;
+- tsgl = list_first_entry(&ctx->tsgl_list, struct af_alg_tsgl, list);
++ list_for_each_entry_safe(tsgl, tmp, &ctx->tsgl_list, list) {
++ for (i = 0; i < tsgl->cur; i++) {
++ struct scatterlist *process_sg = tsgl->sg + i;
++
++ if (!(process_sg->length) || !sg_page(process_sg))
++ continue;
++ tsgl_src = process_sg;
++ break;
++ }
++ if (tsgl_src)
++ break;
++ }
++ if (processed && !tsgl_src) {
++ err = -EFAULT;
++ goto free;
++ }
+
+ /*
+ * Copy of AAD from source to destination
+@@ -194,7 +209,7 @@ static int _aead_recvmsg(struct socket *
+ */
+
+ /* Use the RX SGL as source (and destination) for crypto op. */
+- src = areq->first_rsgl.sgl.sg;
++ rsgl_src = areq->first_rsgl.sgl.sg;
+
+ if (ctx->enc) {
+ /*
+@@ -207,7 +222,7 @@ static int _aead_recvmsg(struct socket *
+ * v v
+ * RX SGL: AAD || PT || Tag
+ */
+- err = crypto_aead_copy_sgl(null_tfm, tsgl->sg,
++ err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
+ areq->first_rsgl.sgl.sg, processed);
+ if (err)
+ goto free;
+@@ -225,7 +240,7 @@ static int _aead_recvmsg(struct socket *
+ */
+
+ /* Copy AAD || CT to RX SGL buffer for in-place operation. */
+- err = crypto_aead_copy_sgl(null_tfm, tsgl->sg,
++ err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
+ areq->first_rsgl.sgl.sg, outlen);
+ if (err)
+ goto free;
+@@ -257,11 +272,11 @@ static int _aead_recvmsg(struct socket *
+ areq->tsgl);
+ } else
+ /* no RX SGL present (e.g. authentication only) */
+- src = areq->tsgl;
++ rsgl_src = areq->tsgl;
+ }
+
+ /* Initialize the crypto operation */
+- aead_request_set_crypt(&areq->cra_u.aead_req, src,
++ aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
+ areq->first_rsgl.sgl.sg, used, ctx->iv);
+ aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
+ aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
--- /dev/null
+From c14ca8386539a298c1c19b003fe55e37d0f0e89c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ondrej=20Mosn=C3=A1=C4=8Dek?= <omosnacek@gmail.com>
+Date: Thu, 23 Nov 2017 13:49:06 +0100
+Subject: crypto: skcipher - Fix skcipher_walk_aead_common
+
+From: Ondrej Mosnáček <omosnacek@gmail.com>
+
+commit c14ca8386539a298c1c19b003fe55e37d0f0e89c upstream.
+
+The skcipher_walk_aead_common function calls scatterwalk_copychunks on
+the input and output walks to skip the associated data. If the AD end
+at an SG list entry boundary, then after these calls the walks will
+still be pointing to the end of the skipped region.
+
+These offsets are later checked for alignment in skcipher_walk_next,
+so the skcipher_walk may detect the alignment incorrectly.
+
+This patch fixes it by calling scatterwalk_done after the copychunks
+calls to ensure that the offsets refer to the right SG list entry.
+
+Fixes: b286d8b1a690 ("crypto: skcipher - Add skcipher walk interface")
+Signed-off-by: Ondrej Mosnacek <omosnacek@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/skcipher.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/crypto/skcipher.c
++++ b/crypto/skcipher.c
+@@ -522,6 +522,9 @@ static int skcipher_walk_aead_common(str
+ scatterwalk_copychunks(NULL, &walk->in, req->assoclen, 2);
+ scatterwalk_copychunks(NULL, &walk->out, req->assoclen, 2);
+
++ scatterwalk_done(&walk->in, 0, walk->total);
++ scatterwalk_done(&walk->out, 0, walk->total);
++
+ walk->iv = req->iv;
+ walk->oiv = req->iv;
+
--- /dev/null
+From 12841f87b7a8ceb3d54f171660f72a86941bfcb3 Mon Sep 17 00:00:00 2001
+From: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+Date: Thu, 23 Nov 2017 09:08:57 +0530
+Subject: cxl: Check if vphb exists before iterating over AFU devices
+
+From: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+
+commit 12841f87b7a8ceb3d54f171660f72a86941bfcb3 upstream.
+
+During an eeh a kernel-oops is reported if no vPHB is allocated to the
+AFU. This happens as during AFU init, an error in creation of vPHB is
+a non-fatal error. Hence afu->phb should always be checked for NULL
+before iterating over it for the virtual AFU pci devices.
+
+This patch fixes the kenel-oops by adding a NULL pointer check for
+afu->phb before it is dereferenced.
+
+Fixes: 9e8df8a21963 ("cxl: EEH support")
+Signed-off-by: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+Acked-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+Acked-by: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/cxl/pci.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/misc/cxl/pci.c
++++ b/drivers/misc/cxl/pci.c
+@@ -2043,6 +2043,9 @@ static pci_ers_result_t cxl_vphb_error_d
+ /* There should only be one entry, but go through the list
+ * anyway
+ */
++ if (afu->phb == NULL)
++ return result;
++
+ list_for_each_entry(afu_dev, &afu->phb->bus->devices, bus_list) {
+ if (!afu_dev->driver)
+ continue;
+@@ -2084,8 +2087,7 @@ static pci_ers_result_t cxl_pci_error_de
+ * Tell the AFU drivers; but we don't care what they
+ * say, we're going away.
+ */
+- if (afu->phb != NULL)
+- cxl_vphb_error_detected(afu, state);
++ cxl_vphb_error_detected(afu, state);
+ }
+ return PCI_ERS_RESULT_DISCONNECT;
+ }
+@@ -2225,6 +2227,9 @@ static pci_ers_result_t cxl_pci_slot_res
+ if (cxl_afu_select_best_mode(afu))
+ goto err;
+
++ if (afu->phb == NULL)
++ continue;
++
+ list_for_each_entry(afu_dev, &afu->phb->bus->devices, bus_list) {
+ /* Reset the device context.
+ * TODO: make this less disruptive
+@@ -2287,6 +2292,9 @@ static void cxl_pci_resume(struct pci_de
+ for (i = 0; i < adapter->slices; i++) {
+ afu = adapter->afu[i];
+
++ if (afu->phb == NULL)
++ continue;
++
+ list_for_each_entry(afu_dev, &afu->phb->bus->devices, bus_list) {
+ if (afu_dev->driver && afu_dev->driver->err_handler &&
+ afu_dev->driver->err_handler->resume)
--- /dev/null
+From bf25dac38f71d392a31ec074f55cbc941f1eaf1d Mon Sep 17 00:00:00 2001
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Date: Thu, 16 Nov 2017 09:50:19 +0100
+Subject: drm: omapdrm: Fix DPI on platforms using the DSI VDDS
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+commit bf25dac38f71d392a31ec074f55cbc941f1eaf1d upstream.
+
+Commit d178e034d565 ("drm: omapdrm: Move FEAT_DPI_USES_VDDS_DSI feature
+to dpi code") replaced usage of platform data version with SoC matching
+to configure DPI VDDS. The SoC match entries were incorrect, they should
+have matched on the machine name instead of the SoC family. Fix it.
+
+The result was observed on OpenPandora with OMAP3530 where the panel only
+had the Blue channel and Red&Green were missing. It was not observed on
+GTA04 with DM3730.
+
+Fixes: d178e034d565 ("drm: omapdrm: Move FEAT_DPI_USES_VDDS_DSI feature to dpi code")
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reported-by: H. Nikolaus Schaller <hns@goldelico.com>
+Tested-by: H. Nikolaus Schaller <hns@goldelico.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/omapdrm/dss/dpi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/omapdrm/dss/dpi.c
++++ b/drivers/gpu/drm/omapdrm/dss/dpi.c
+@@ -566,8 +566,8 @@ static int dpi_verify_pll(struct dss_pll
+ }
+
+ static const struct soc_device_attribute dpi_soc_devices[] = {
+- { .family = "OMAP3[456]*" },
+- { .family = "[AD]M37*" },
++ { .machine = "OMAP3[456]*" },
++ { .machine = "[AD]M37*" },
+ { /* sentinel */ }
+ };
+
--- /dev/null
+From d9bcd462daf34aebb8de9ad7f76de0198bb5a0f0 Mon Sep 17 00:00:00 2001
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Fri, 24 Nov 2017 07:47:50 +0100
+Subject: eeprom: at24: check at24_read/write arguments
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+commit d9bcd462daf34aebb8de9ad7f76de0198bb5a0f0 upstream.
+
+So far we completely rely on the caller to provide valid arguments.
+To be on the safe side perform an own sanity check.
+
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/eeprom/at24.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/misc/eeprom/at24.c
++++ b/drivers/misc/eeprom/at24.c
+@@ -507,6 +507,9 @@ static int at24_read(void *priv, unsigne
+ if (unlikely(!count))
+ return count;
+
++ if (off + count > at24->chip.byte_len)
++ return -EINVAL;
++
+ /*
+ * Read data from chip, protecting against concurrent updates
+ * from this host, but not from other I2C masters.
+@@ -539,6 +542,9 @@ static int at24_write(void *priv, unsign
+ if (unlikely(!count))
+ return -EINVAL;
+
++ if (off + count > at24->chip.byte_len)
++ return -EINVAL;
++
+ /*
+ * Write data to chip, protecting against concurrent updates
+ * from this host, but not from other I2C masters.
--- /dev/null
+From 5478e478eee3b096b8d998d4ed445da30da2dfbc Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <brgl@bgdev.pl>
+Date: Mon, 27 Nov 2017 22:06:13 +0100
+Subject: eeprom: at24: correctly set the size for at24mac402
+
+From: Bartosz Golaszewski <brgl@bgdev.pl>
+
+commit 5478e478eee3b096b8d998d4ed445da30da2dfbc upstream.
+
+There's an ilog2() expansion in AT24_DEVICE_MAGIC() which rounds down
+the actual size of EUI-48 byte array in at24mac402 eeproms to 4 from 6,
+making it impossible to read it all.
+
+Fix it by manually adjusting the value in probe().
+
+This patch contains a temporary fix that is suitable for stable
+branches. Eventually we'll probably remove the call to ilog2() while
+converting the magic values to actual structs.
+
+Fixes: 0b813658c115 ("eeprom: at24: add support for at24mac series")
+Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/eeprom/at24.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/misc/eeprom/at24.c
++++ b/drivers/misc/eeprom/at24.c
+@@ -632,6 +632,16 @@ static int at24_probe(struct i2c_client
+ dev_warn(&client->dev,
+ "page_size looks suspicious (no power of 2)!\n");
+
++ /*
++ * REVISIT: the size of the EUI-48 byte array is 6 in at24mac402, while
++ * the call to ilog2() in AT24_DEVICE_MAGIC() rounds it down to 4.
++ *
++ * Eventually we'll get rid of the magic values altoghether in favor of
++ * real structs, but for now just manually set the right size.
++ */
++ if (chip.flags & AT24_FLAG_MAC && chip.byte_len == 4)
++ chip.byte_len = 6;
++
+ /* Use I2C operations unless we're stuck with SMBus extensions. */
+ if (!i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
+ if (chip.flags & AT24_FLAG_ADDR16)
--- /dev/null
+From 644a1f19c6c8393d0c4168a5adf79056da6822eb Mon Sep 17 00:00:00 2001
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Mon, 27 Nov 2017 20:46:22 +0100
+Subject: eeprom: at24: fix reading from 24MAC402/24MAC602
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+commit 644a1f19c6c8393d0c4168a5adf79056da6822eb upstream.
+
+Chip datasheet mentions that word addresses other than the actual
+start position of the MAC delivers undefined results. So fix this.
+Current implementation doesn't work due to this wrong offset.
+
+Fixes: 0b813658c115 ("eeprom: at24: add support for at24mac series")
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/eeprom/at24.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/eeprom/at24.c
++++ b/drivers/misc/eeprom/at24.c
+@@ -365,7 +365,8 @@ static ssize_t at24_eeprom_read_mac(stru
+ memset(msg, 0, sizeof(msg));
+ msg[0].addr = client->addr;
+ msg[0].buf = addrbuf;
+- addrbuf[0] = 0x90 + offset;
++ /* EUI-48 starts from 0x9a, EUI-64 from 0x98 */
++ addrbuf[0] = 0xa0 - at24->chip.byte_len + offset;
+ msg[0].len = 1;
+ msg[1].addr = client->addr;
+ msg[1].flags = I2C_M_RD;
--- /dev/null
+From 6e0c9507bf51e1517a80ad0ac171e5402528fcef Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 22 Nov 2017 12:28:17 +0100
+Subject: i2c: i801: Fix Failed to allocate irq -2147483648 error
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 6e0c9507bf51e1517a80ad0ac171e5402528fcef upstream.
+
+On Apollo Lake devices the BIOS does not set up IRQ routing for the i801
+SMBUS controller IRQ, so we end up with dev->irq set to IRQ_NOTCONNECTED.
+
+Detect this and do not try to use the irq in this case silencing:
+i801_smbus 0000:00:1f.1: Failed to allocate irq -2147483648: -107
+
+BugLink: https://communities.intel.com/thread/114759
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-i801.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-i801.c
++++ b/drivers/i2c/busses/i2c-i801.c
+@@ -1617,6 +1617,9 @@ static int i801_probe(struct pci_dev *de
+ /* Default timeout in interrupt mode: 200 ms */
+ priv->adapter.timeout = HZ / 5;
+
++ if (dev->irq == IRQ_NOTCONNECTED)
++ priv->features &= ~FEATURE_IRQ;
++
+ if (priv->features & FEATURE_IRQ) {
+ u16 pcictl, pcists;
+
--- /dev/null
+From 12806ba937382fdfdbad62a399aa2dce65c10fcd Mon Sep 17 00:00:00 2001
+From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Date: Fri, 17 Nov 2017 11:52:50 +0000
+Subject: KVM: lapic: Fixup LDR on load in x2apic
+
+From: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+commit 12806ba937382fdfdbad62a399aa2dce65c10fcd upstream.
+
+In x2apic mode the LDR is fixed based on the ID rather
+than separately loadable like it was before x2.
+When kvm_apic_set_state is called, the base is set, and if
+it has the X2APIC_ENABLE flag set then the LDR is calculated;
+however that value gets overwritten by the memcpy a few lines
+below overwriting it with the value that came from userland.
+
+The symptom is a lack of EOI after loading the state
+(e.g. after a QEMU migration) and is due to the EOI bitmap
+being wrong due to the incorrect LDR. This was seen with
+a Win2016 guest under Qemu with irqchip=split whose USB mouse
+didn't work after a VM migration.
+
+This corresponds to RH bug:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1502591
+
+Reported-by: Yiqian Wei <yiwei@redhat.com>
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+[Applied fixup from Liran Alon. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/lapic.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -2201,6 +2201,7 @@ static int kvm_apic_state_fixup(struct k
+ {
+ if (apic_x2apic_mode(vcpu->arch.apic)) {
+ u32 *id = (u32 *)(s->regs + APIC_ID);
++ u32 *ldr = (u32 *)(s->regs + APIC_LDR);
+
+ if (vcpu->kvm->arch.x2apic_format) {
+ if (*id != vcpu->vcpu_id)
+@@ -2211,6 +2212,10 @@ static int kvm_apic_state_fixup(struct k
+ else
+ *id <<= 24;
+ }
++
++ /* In x2APIC mode, the LDR is fixed and based on the id */
++ if (set)
++ *ldr = kvm_apic_calc_x2apic_ldr(*id);
+ }
+
+ return 0;
--- /dev/null
+From e872fa94662d0644057c7c80b3071bdb9249e5ab Mon Sep 17 00:00:00 2001
+From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Date: Fri, 17 Nov 2017 11:52:49 +0000
+Subject: KVM: lapic: Split out x2apic ldr calculation
+
+From: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+commit e872fa94662d0644057c7c80b3071bdb9249e5ab upstream.
+
+Split out the ldr calculation from kvm_apic_set_x2apic_id
+since we're about to reuse it in the following patch.
+
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/lapic.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -266,9 +266,14 @@ static inline void kvm_apic_set_ldr(stru
+ recalculate_apic_map(apic->vcpu->kvm);
+ }
+
++static inline u32 kvm_apic_calc_x2apic_ldr(u32 id)
++{
++ return ((id >> 4) << 16) | (1 << (id & 0xf));
++}
++
+ static inline void kvm_apic_set_x2apic_id(struct kvm_lapic *apic, u32 id)
+ {
+- u32 ldr = ((id >> 4) << 16) | (1 << (id & 0xf));
++ u32 ldr = kvm_apic_calc_x2apic_ldr(id);
+
+ WARN_ON_ONCE(id != apic->vcpu->vcpu_id);
+
--- /dev/null
+From 61cb57c9ed631c95b54f8e9090c89d18b3695b3c Mon Sep 17 00:00:00 2001
+From: Liran Alon <liran.alon@oracle.com>
+Date: Sun, 5 Nov 2017 16:56:32 +0200
+Subject: KVM: x86: Exit to user-mode on #UD intercept when emulator requires
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Liran Alon <liran.alon@oracle.com>
+
+commit 61cb57c9ed631c95b54f8e9090c89d18b3695b3c upstream.
+
+Instruction emulation after trapping a #UD exception can result in an
+MMIO access, for example when emulating a MOVBE on a processor that
+doesn't support the instruction. In this case, the #UD vmexit handler
+must exit to user mode, but there wasn't any code to do so. Add it for
+both VMX and SVM.
+
+Signed-off-by: Liran Alon <liran.alon@oracle.com>
+Reviewed-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/svm.c | 2 ++
+ arch/x86/kvm/vmx.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -2189,6 +2189,8 @@ static int ud_interception(struct vcpu_s
+ int er;
+
+ er = emulate_instruction(&svm->vcpu, EMULTYPE_TRAP_UD);
++ if (er == EMULATE_USER_EXIT)
++ return 0;
+ if (er != EMULATE_DONE)
+ kvm_queue_exception(&svm->vcpu, UD_VECTOR);
+ return 1;
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -5914,6 +5914,8 @@ static int handle_exception(struct kvm_v
+ return 1;
+ }
+ er = emulate_instruction(vcpu, EMULTYPE_TRAP_UD);
++ if (er == EMULATE_USER_EXIT)
++ return 0;
+ if (er != EMULATE_DONE)
+ kvm_queue_exception(vcpu, UD_VECTOR);
+ return 1;
--- /dev/null
+From 6ea6e84309ca7e0e850b3083e6b09344ee15c290 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Fri, 10 Nov 2017 10:49:38 +0100
+Subject: KVM: x86: inject exceptions produced by x86_decode_insn
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 6ea6e84309ca7e0e850b3083e6b09344ee15c290 upstream.
+
+Sometimes, a processor might execute an instruction while another
+processor is updating the page tables for that instruction's code page,
+but before the TLB shootdown completes. The interesting case happens
+if the page is in the TLB.
+
+In general, the processor will succeed in executing the instruction and
+nothing bad happens. However, what if the instruction is an MMIO access?
+If *that* happens, KVM invokes the emulator, and the emulator gets the
+updated page tables. If the update side had marked the code page as non
+present, the page table walk then will fail and so will x86_decode_insn.
+
+Unfortunately, even though kvm_fetch_guest_virt is correctly returning
+X86EMUL_PROPAGATE_FAULT, x86_decode_insn's caller treats the failure as
+a fatal error if the instruction cannot simply be reexecuted (as is the
+case for MMIO). And this in fact happened sometimes when rebooting
+Windows 2012r2 guests. Just checking ctxt->have_exception and injecting
+the exception if true is enough to fix the case.
+
+Thanks to Eduardo Habkost for helping in the debugging of this issue.
+
+Reported-by: Yanan Fu <yfu@redhat.com>
+Cc: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5708,6 +5708,8 @@ int x86_emulate_instruction(struct kvm_v
+ if (reexecute_instruction(vcpu, cr2, write_fault_to_spt,
+ emulation_type))
+ return EMULATE_DONE;
++ if (ctxt->have_exception && inject_emulated_exception(vcpu))
++ return EMULATE_DONE;
+ if (emulation_type & EMULTYPE_SKIP)
+ return EMULATE_FAIL;
+ return handle_emulation_failure(vcpu);
--- /dev/null
+From 51c4b8bba674cfd2260d173602c4dac08e4c3a99 Mon Sep 17 00:00:00 2001
+From: Liran Alon <liran.alon@oracle.com>
+Date: Sun, 5 Nov 2017 16:11:30 +0200
+Subject: KVM: x86: pvclock: Handle first-time write to pvclock-page contains random junk
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Liran Alon <liran.alon@oracle.com>
+
+commit 51c4b8bba674cfd2260d173602c4dac08e4c3a99 upstream.
+
+When guest passes KVM it's pvclock-page GPA via WRMSR to
+MSR_KVM_SYSTEM_TIME / MSR_KVM_SYSTEM_TIME_NEW, KVM don't initialize
+pvclock-page to some start-values. It just requests a clock-update which
+will happen before entering to guest.
+
+The clock-update logic will call kvm_setup_pvclock_page() to update the
+pvclock-page with info. However, kvm_setup_pvclock_page() *wrongly*
+assumes that the version-field is initialized to an even number. This is
+wrong because at first-time write, field could be any-value.
+
+Fix simply makes sure that if first-time version-field is odd, increment
+it once more to make it even and only then start standard logic.
+This follows same logic as done in other pvclock shared-pages (See
+kvm_write_wall_clock() and record_steal_time()).
+
+Signed-off-by: Liran Alon <liran.alon@oracle.com>
+Reviewed-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1830,6 +1830,9 @@ static void kvm_setup_pvclock_page(struc
+ */
+ BUILD_BUG_ON(offsetof(struct pvclock_vcpu_time_info, version) != 0);
+
++ if (guest_hv_clock.version & 1)
++ ++guest_hv_clock.version; /* first time write, random junk */
++
+ vcpu->hv_clock.version = guest_hv_clock.version + 1;
+ kvm_write_guest_cached(v->kvm, &vcpu->pv_time,
+ &vcpu->hv_clock,
--- /dev/null
+From 3a2b19d1ee5633f76ae8a88da7bc039a5d1732aa Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 2 Nov 2017 13:03:42 +0300
+Subject: lockd: lost rollback of set_grace_period() in lockd_down_net()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 3a2b19d1ee5633f76ae8a88da7bc039a5d1732aa upstream.
+
+Commit efda760fe95ea ("lockd: fix lockd shutdown race") is incorrect,
+it removes lockd_manager and disarm grace_period_end for init_net only.
+
+If nfsd was started from another net namespace lockd_up_net() calls
+set_grace_period() that adds lockd_manager into per-netns list
+and queues grace_period_end delayed work.
+
+These action should be reverted in lockd_down_net().
+Otherwise it can lead to double list_add on after restart nfsd in netns,
+and to use-after-free if non-disarmed delayed work will be executed after netns destroy.
+
+Fixes: efda760fe95e ("lockd: fix lockd shutdown race")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/lockd/svc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/lockd/svc.c
++++ b/fs/lockd/svc.c
+@@ -274,6 +274,8 @@ static void lockd_down_net(struct svc_se
+ if (ln->nlmsvc_users) {
+ if (--ln->nlmsvc_users == 0) {
+ nlm_shutdown_hosts_net(net);
++ cancel_delayed_work_sync(&ln->grace_period_end);
++ locks_end_grace(&ln->lockd_manager);
+ svc_shutdown_net(serv, net);
+ dprintk("lockd_down_net: per-net data destroyed; net=%p\n", net);
+ }
--- /dev/null
+From fb8e456e547ed2c699f64665bd8a3b9bde7b9728 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Tue, 21 Nov 2017 15:42:28 +0200
+Subject: mmc: block: Check return value of blk_get_request()
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit fb8e456e547ed2c699f64665bd8a3b9bde7b9728 upstream.
+
+blk_get_request() can fail, always check the return value.
+
+Fixes: 0493f6fe5bde ("mmc: block: Move boot partition locking into a driver op")
+Fixes: 3ecd8cf23f88 ("mmc: block: move multi-ioctl() to use block layer")
+Fixes: 614f0388f580 ("mmc: block: move single ioctl() commands to block requests")
+Fixes: 627c3ccfb46a ("mmc: debugfs: Move block debugfs into block module")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/core/block.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -204,6 +204,10 @@ static ssize_t power_ro_lock_store(struc
+
+ /* Dispatch locking to the block layer */
+ req = blk_get_request(mq->queue, REQ_OP_DRV_OUT, __GFP_RECLAIM);
++ if (IS_ERR(req)) {
++ count = PTR_ERR(req);
++ goto out_put;
++ }
+ req_to_mmc_queue_req(req)->drv_op = MMC_DRV_OP_BOOT_WP;
+ blk_execute_rq(mq->queue, NULL, req, 0);
+ ret = req_to_mmc_queue_req(req)->drv_op_result;
+@@ -220,7 +224,7 @@ static ssize_t power_ro_lock_store(struc
+ set_disk_ro(part_md->disk, 1);
+ }
+ }
+-
++out_put:
+ mmc_blk_put(md);
+ return count;
+ }
+@@ -581,6 +585,10 @@ static int mmc_blk_ioctl_cmd(struct mmc_
+ req = blk_get_request(mq->queue,
+ idata->ic.write_flag ? REQ_OP_DRV_OUT : REQ_OP_DRV_IN,
+ __GFP_RECLAIM);
++ if (IS_ERR(req)) {
++ err = PTR_ERR(req);
++ goto cmd_done;
++ }
+ idatas[0] = idata;
+ req_to_mmc_queue_req(req)->drv_op = MMC_DRV_OP_IOCTL;
+ req_to_mmc_queue_req(req)->drv_op_data = idatas;
+@@ -644,6 +652,10 @@ static int mmc_blk_ioctl_multi_cmd(struc
+ req = blk_get_request(mq->queue,
+ idata[0]->ic.write_flag ? REQ_OP_DRV_OUT : REQ_OP_DRV_IN,
+ __GFP_RECLAIM);
++ if (IS_ERR(req)) {
++ err = PTR_ERR(req);
++ goto cmd_err;
++ }
+ req_to_mmc_queue_req(req)->drv_op = MMC_DRV_OP_IOCTL;
+ req_to_mmc_queue_req(req)->drv_op_data = idata;
+ req_to_mmc_queue_req(req)->ioc_count = num_of_cmds;
+@@ -2315,6 +2327,8 @@ static int mmc_dbg_card_status_get(void
+
+ /* Ask the block layer about the card status */
+ req = blk_get_request(mq->queue, REQ_OP_DRV_IN, __GFP_RECLAIM);
++ if (IS_ERR(req))
++ return PTR_ERR(req);
+ req_to_mmc_queue_req(req)->drv_op = MMC_DRV_OP_GET_CARD_STATUS;
+ blk_execute_rq(mq->queue, NULL, req, 0);
+ ret = req_to_mmc_queue_req(req)->drv_op_result;
+@@ -2349,6 +2363,10 @@ static int mmc_ext_csd_open(struct inode
+
+ /* Ask the block layer for the EXT CSD */
+ req = blk_get_request(mq->queue, REQ_OP_DRV_IN, __GFP_RECLAIM);
++ if (IS_ERR(req)) {
++ err = PTR_ERR(req);
++ goto out_free;
++ }
+ req_to_mmc_queue_req(req)->drv_op = MMC_DRV_OP_GET_EXT_CSD;
+ req_to_mmc_queue_req(req)->drv_op_data = &ext_csd;
+ blk_execute_rq(mq->queue, NULL, req, 0);
--- /dev/null
+From f9f0da98819503b06b35e61869d18cf3a8cd3323 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Tue, 21 Nov 2017 15:42:30 +0200
+Subject: mmc: block: Ensure that debugfs files are removed
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit f9f0da98819503b06b35e61869d18cf3a8cd3323 upstream.
+
+The card is not necessarily being removed, but the debugfs files must be
+removed when the driver is removed, otherwise they will continue to exist
+after unbinding the card from the driver. e.g.
+
+ # echo "mmc1:0001" > /sys/bus/mmc/drivers/mmcblk/unbind
+ # cat /sys/kernel/debug/mmc1/mmc1\:0001/ext_csd
+ [ 173.634584] BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
+ [ 173.643356] IP: mmc_ext_csd_open+0x5e/0x170
+
+A complication is that the debugfs_root may have already been removed, so
+check for that too.
+
+Fixes: 627c3ccfb46a ("mmc: debugfs: Move block debugfs into block module")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/core/block.c | 44 +++++++++++++++++++++++++++++++++++++-------
+ drivers/mmc/core/debugfs.c | 1 +
+ 2 files changed, 38 insertions(+), 7 deletions(-)
+
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -119,6 +119,10 @@ struct mmc_blk_data {
+ struct device_attribute force_ro;
+ struct device_attribute power_ro_lock;
+ int area_type;
++
++ /* debugfs files (only in main mmc_blk_data) */
++ struct dentry *status_dentry;
++ struct dentry *ext_csd_dentry;
+ };
+
+ static DEFINE_MUTEX(open_lock);
+@@ -2417,7 +2421,7 @@ static const struct file_operations mmc_
+ .llseek = default_llseek,
+ };
+
+-static int mmc_blk_add_debugfs(struct mmc_card *card)
++static int mmc_blk_add_debugfs(struct mmc_card *card, struct mmc_blk_data *md)
+ {
+ struct dentry *root;
+
+@@ -2427,28 +2431,53 @@ static int mmc_blk_add_debugfs(struct mm
+ root = card->debugfs_root;
+
+ if (mmc_card_mmc(card) || mmc_card_sd(card)) {
+- if (!debugfs_create_file("status", S_IRUSR, root, card,
+- &mmc_dbg_card_status_fops))
++ md->status_dentry =
++ debugfs_create_file("status", S_IRUSR, root, card,
++ &mmc_dbg_card_status_fops);
++ if (!md->status_dentry)
+ return -EIO;
+ }
+
+ if (mmc_card_mmc(card)) {
+- if (!debugfs_create_file("ext_csd", S_IRUSR, root, card,
+- &mmc_dbg_ext_csd_fops))
++ md->ext_csd_dentry =
++ debugfs_create_file("ext_csd", S_IRUSR, root, card,
++ &mmc_dbg_ext_csd_fops);
++ if (!md->ext_csd_dentry)
+ return -EIO;
+ }
+
+ return 0;
+ }
+
++static void mmc_blk_remove_debugfs(struct mmc_card *card,
++ struct mmc_blk_data *md)
++{
++ if (!card->debugfs_root)
++ return;
++
++ if (!IS_ERR_OR_NULL(md->status_dentry)) {
++ debugfs_remove(md->status_dentry);
++ md->status_dentry = NULL;
++ }
++
++ if (!IS_ERR_OR_NULL(md->ext_csd_dentry)) {
++ debugfs_remove(md->ext_csd_dentry);
++ md->ext_csd_dentry = NULL;
++ }
++}
+
+ #else
+
+-static int mmc_blk_add_debugfs(struct mmc_card *card)
++static int mmc_blk_add_debugfs(struct mmc_card *card, struct mmc_blk_data *md)
+ {
+ return 0;
+ }
+
++static void mmc_blk_remove_debugfs(struct mmc_card *card,
++ struct mmc_blk_data *md)
++{
++}
++
+ #endif /* CONFIG_DEBUG_FS */
+
+ static int mmc_blk_probe(struct mmc_card *card)
+@@ -2488,7 +2517,7 @@ static int mmc_blk_probe(struct mmc_card
+ }
+
+ /* Add two debugfs entries */
+- mmc_blk_add_debugfs(card);
++ mmc_blk_add_debugfs(card, md);
+
+ pm_runtime_set_autosuspend_delay(&card->dev, 3000);
+ pm_runtime_use_autosuspend(&card->dev);
+@@ -2514,6 +2543,7 @@ static void mmc_blk_remove(struct mmc_ca
+ {
+ struct mmc_blk_data *md = dev_get_drvdata(&card->dev);
+
++ mmc_blk_remove_debugfs(card, md);
+ mmc_blk_remove_parts(card, md);
+ pm_runtime_get_sync(&card->dev);
+ mmc_claim_host(card->host);
+--- a/drivers/mmc/core/debugfs.c
++++ b/drivers/mmc/core/debugfs.c
+@@ -314,4 +314,5 @@ err:
+ void mmc_remove_card_debugfs(struct mmc_card *card)
+ {
+ debugfs_remove_recursive(card->debugfs_root);
++ card->debugfs_root = NULL;
+ }
--- /dev/null
+From 34c089e806793a66e450b11bd167db6047399fcd Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Tue, 21 Nov 2017 15:42:27 +0200
+Subject: mmc: block: Fix missing blk_put_request()
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 34c089e806793a66e450b11bd167db6047399fcd upstream.
+
+Ensure blk_get_request() is paired with blk_put_request().
+
+Fixes: 0493f6fe5bde ("mmc: block: Move boot partition locking into a driver op")
+Fixes: 627c3ccfb46a ("mmc: debugfs: Move block debugfs into block module")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/core/block.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -207,6 +207,7 @@ static ssize_t power_ro_lock_store(struc
+ req_to_mmc_queue_req(req)->drv_op = MMC_DRV_OP_BOOT_WP;
+ blk_execute_rq(mq->queue, NULL, req, 0);
+ ret = req_to_mmc_queue_req(req)->drv_op_result;
++ blk_put_request(req);
+
+ if (!ret) {
+ pr_info("%s: Locking boot partition ro until next power on\n",
+@@ -2321,6 +2322,7 @@ static int mmc_dbg_card_status_get(void
+ *val = ret;
+ ret = 0;
+ }
++ blk_put_request(req);
+
+ return ret;
+ }
+@@ -2351,6 +2353,7 @@ static int mmc_ext_csd_open(struct inode
+ req_to_mmc_queue_req(req)->drv_op_data = &ext_csd;
+ blk_execute_rq(mq->queue, NULL, req, 0);
+ err = req_to_mmc_queue_req(req)->drv_op_result;
++ blk_put_request(req);
+ if (err) {
+ pr_err("FAILED %d\n", err);
+ goto out_free;
--- /dev/null
+From ebe7dd45cf49e3b49cacbaace17f9f878f21fbea Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Tue, 21 Nov 2017 15:42:29 +0200
+Subject: mmc: core: Do not leave the block driver in a suspended state
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit ebe7dd45cf49e3b49cacbaace17f9f878f21fbea upstream.
+
+The block driver must be resumed if the mmc bus fails to suspend the card.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/core/bus.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mmc/core/bus.c
++++ b/drivers/mmc/core/bus.c
+@@ -157,6 +157,9 @@ static int mmc_bus_suspend(struct device
+ return ret;
+
+ ret = host->bus_ops->suspend(host);
++ if (ret)
++ pm_generic_resume(dev);
++
+ return ret;
+ }
+
--- /dev/null
+From c892b0d81705c566f575e489efc3c50762db1bde Mon Sep 17 00:00:00 2001
+From: Bastian Stender <bst@pengutronix.de>
+Date: Tue, 28 Nov 2017 09:24:07 +0100
+Subject: mmc: core: prepend 0x to OCR entry in sysfs
+
+From: Bastian Stender <bst@pengutronix.de>
+
+commit c892b0d81705c566f575e489efc3c50762db1bde upstream.
+
+The sysfs entry "ocr" was missing the 0x prefix to identify it as hex
+formatted.
+
+Fixes: 5fb06af7a33b ("mmc: core: Extend sysfs with OCR register")
+Signed-off-by: Bastian Stender <bst@pengutronix.de>
+[Ulf: Amended change to also cover SD-cards]
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/core/mmc.c | 2 +-
+ drivers/mmc/core/sd.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/core/mmc.c
++++ b/drivers/mmc/core/mmc.c
+@@ -790,7 +790,7 @@ MMC_DEV_ATTR(enhanced_area_offset, "%llu
+ MMC_DEV_ATTR(enhanced_area_size, "%u\n", card->ext_csd.enhanced_area_size);
+ MMC_DEV_ATTR(raw_rpmb_size_mult, "%#x\n", card->ext_csd.raw_rpmb_size_mult);
+ MMC_DEV_ATTR(rel_sectors, "%#x\n", card->ext_csd.rel_sectors);
+-MMC_DEV_ATTR(ocr, "%08x\n", card->ocr);
++MMC_DEV_ATTR(ocr, "0x%08x\n", card->ocr);
+ MMC_DEV_ATTR(cmdq_en, "%d\n", card->ext_csd.cmdq_en);
+
+ static ssize_t mmc_fwrev_show(struct device *dev,
+--- a/drivers/mmc/core/sd.c
++++ b/drivers/mmc/core/sd.c
+@@ -675,7 +675,7 @@ MMC_DEV_ATTR(manfid, "0x%06x\n", card->c
+ MMC_DEV_ATTR(name, "%s\n", card->cid.prod_name);
+ MMC_DEV_ATTR(oemid, "0x%04x\n", card->cid.oemid);
+ MMC_DEV_ATTR(serial, "0x%08x\n", card->cid.serial);
+-MMC_DEV_ATTR(ocr, "%08x\n", card->ocr);
++MMC_DEV_ATTR(ocr, "0x%08x\n", card->ocr);
+
+
+ static ssize_t mmc_dsr_show(struct device *dev,
--- /dev/null
+From 80a780a167d9267c72867b806142bd6ec69ba123 Mon Sep 17 00:00:00 2001
+From: Bastian Stender <bst@pengutronix.de>
+Date: Tue, 28 Nov 2017 09:24:06 +0100
+Subject: mmc: core: prepend 0x to pre_eol_info entry in sysfs
+
+From: Bastian Stender <bst@pengutronix.de>
+
+commit 80a780a167d9267c72867b806142bd6ec69ba123 upstream.
+
+The sysfs entry "pre_eol_info" was missing the 0x prefix to identify it
+as hex formatted.
+
+Fixes: 46bc5c408e4e ("mmc: core: Export device lifetime information through sysfs")
+Signed-off-by: Bastian Stender <bst@pengutronix.de>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/core/mmc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/mmc.c
++++ b/drivers/mmc/core/mmc.c
+@@ -780,7 +780,7 @@ MMC_DEV_ATTR(manfid, "0x%06x\n", card->c
+ MMC_DEV_ATTR(name, "%s\n", card->cid.prod_name);
+ MMC_DEV_ATTR(oemid, "0x%04x\n", card->cid.oemid);
+ MMC_DEV_ATTR(prv, "0x%x\n", card->cid.prv);
+-MMC_DEV_ATTR(pre_eol_info, "%02x\n", card->ext_csd.pre_eol_info);
++MMC_DEV_ATTR(pre_eol_info, "0x%02x\n", card->ext_csd.pre_eol_info);
+ MMC_DEV_ATTR(life_time, "0x%02x 0x%02x\n",
+ card->ext_csd.device_life_time_est_typ_a,
+ card->ext_csd.device_life_time_est_typ_b);
--- /dev/null
+From 250dcd11466e06df64b92520e2c56bdae453581b Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Mon, 27 Nov 2017 11:28:50 +0100
+Subject: mmc: sdhci: Avoid swiotlb buffer being full
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit 250dcd11466e06df64b92520e2c56bdae453581b upstream.
+
+The commit de3ee99b097d ("mmc: Delete bounce buffer handling") deletes the
+bounce buffer handling, but also causes the max_req_size for sdhci to be
+increased, in case when max_segs == 1. This causes errors for sdhci-pci
+Ricoh variant, about the swiotlb buffer to become full.
+
+Fix the issue, by taking IO_TLB_SEGSIZE and IO_TLB_SHIFT into account when
+deciding the max_req_size for sdhci.
+
+Reported-by: Jiri Slaby <jslaby@suse.cz>
+Fixes: de3ee99b097d ("mmc: Delete bounce buffer handling")
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Tested-by: Jiri Slaby <jslaby@suse.cz>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -21,6 +21,7 @@
+ #include <linux/dma-mapping.h>
+ #include <linux/slab.h>
+ #include <linux/scatterlist.h>
++#include <linux/swiotlb.h>
+ #include <linux/regulator/consumer.h>
+ #include <linux/pm_runtime.h>
+ #include <linux/of.h>
+@@ -3651,22 +3652,29 @@ int sdhci_setup_host(struct sdhci_host *
+ spin_lock_init(&host->lock);
+
+ /*
++ * Maximum number of sectors in one transfer. Limited by SDMA boundary
++ * size (512KiB). Note some tuning modes impose a 4MiB limit, but this
++ * is less anyway.
++ */
++ mmc->max_req_size = 524288;
++
++ /*
+ * Maximum number of segments. Depends on if the hardware
+ * can do scatter/gather or not.
+ */
+- if (host->flags & SDHCI_USE_ADMA)
++ if (host->flags & SDHCI_USE_ADMA) {
+ mmc->max_segs = SDHCI_MAX_SEGS;
+- else if (host->flags & SDHCI_USE_SDMA)
++ } else if (host->flags & SDHCI_USE_SDMA) {
+ mmc->max_segs = 1;
+- else /* PIO */
++ if (swiotlb_max_segment()) {
++ unsigned int max_req_size = (1 << IO_TLB_SHIFT) *
++ IO_TLB_SEGSIZE;
++ mmc->max_req_size = min(mmc->max_req_size,
++ max_req_size);
++ }
++ } else { /* PIO */
+ mmc->max_segs = SDHCI_MAX_SEGS;
+-
+- /*
+- * Maximum number of sectors in one transfer. Limited by SDMA boundary
+- * size (512KiB). Note some tuning modes impose a 4MiB limit, but this
+- * is less anyway.
+- */
+- mmc->max_req_size = 524288;
++ }
+
+ /*
+ * Maximum segment size. Could be one segment with the maximum number
--- /dev/null
+From d8a1a000555ecd1b824ac1ed6df8fe364dfbbbb0 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Fri, 3 Nov 2017 08:00:11 -0400
+Subject: nfsd: Fix another OPEN stateid race
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit d8a1a000555ecd1b824ac1ed6df8fe364dfbbbb0 upstream.
+
+If nfsd4_process_open2() is initialising a new stateid, and yet the
+call to nfs4_get_vfs_file() fails for some reason, then we must
+declare the stateid closed, and unhash it before dropping the mutex.
+
+Right now, we unhash the stateid after dropping the mutex, and without
+changing the stateid type, meaning that another OPEN could theoretically
+look it up and attempt to use it.
+
+Reported-by: Andrew W Elble <aweits@rit.edu>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4state.c | 28 +++++++++++++---------------
+ 1 file changed, 13 insertions(+), 15 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -4452,6 +4452,7 @@ nfsd4_process_open2(struct svc_rqst *rqs
+ struct nfs4_ol_stateid *stp = NULL;
+ struct nfs4_delegation *dp = NULL;
+ __be32 status;
++ bool new_stp = false;
+
+ /*
+ * Lookup file; if found, lookup stateid and check open request,
+@@ -4471,11 +4472,19 @@ nfsd4_process_open2(struct svc_rqst *rqs
+ goto out;
+ }
+
++ if (!stp) {
++ stp = init_open_stateid(fp, open);
++ if (!open->op_stp)
++ new_stp = true;
++ }
++
+ /*
+ * OPEN the file, or upgrade an existing OPEN.
+ * If truncate fails, the OPEN fails.
++ *
++ * stp is already locked.
+ */
+- if (stp) {
++ if (!new_stp) {
+ /* Stateid was found, this is an OPEN upgrade */
+ status = nfs4_upgrade_open(rqstp, fp, current_fh, stp, open);
+ if (status) {
+@@ -4483,22 +4492,11 @@ nfsd4_process_open2(struct svc_rqst *rqs
+ goto out;
+ }
+ } else {
+- /* stp is returned locked. */
+- stp = init_open_stateid(fp, open);
+- /* See if we lost the race to some other thread */
+- if (stp->st_access_bmap != 0) {
+- status = nfs4_upgrade_open(rqstp, fp, current_fh,
+- stp, open);
+- if (status) {
+- mutex_unlock(&stp->st_mutex);
+- goto out;
+- }
+- goto upgrade_out;
+- }
+ status = nfs4_get_vfs_file(rqstp, fp, current_fh, stp, open);
+ if (status) {
+- mutex_unlock(&stp->st_mutex);
++ stp->st_stid.sc_type = NFS4_CLOSED_STID;
+ release_open_stateid(stp);
++ mutex_unlock(&stp->st_mutex);
+ goto out;
+ }
+
+@@ -4507,7 +4505,7 @@ nfsd4_process_open2(struct svc_rqst *rqs
+ if (stp->st_clnt_odstate == open->op_odstate)
+ open->op_odstate = NULL;
+ }
+-upgrade_out:
++
+ nfs4_inc_and_copy_stateid(&open->op_stateid, &stp->st_stid);
+ mutex_unlock(&stp->st_mutex);
+
--- /dev/null
+From 64ebe12494fd5d193f014ce38e1fd83cc57883c8 Mon Sep 17 00:00:00 2001
+From: Naofumi Honda <honda@math.sci.hokudai.ac.jp>
+Date: Thu, 9 Nov 2017 10:57:16 -0500
+Subject: nfsd: fix panic in posix_unblock_lock called from nfs4_laundromat
+
+From: Naofumi Honda <honda@math.sci.hokudai.ac.jp>
+
+commit 64ebe12494fd5d193f014ce38e1fd83cc57883c8 upstream.
+
+From kernel 4.9, my two nfsv4 servers sometimes suffer from
+ "panic: unable to handle kernel page request"
+in posix_unblock_lock() called from nfs4_laundromat().
+
+These panics diseappear if we revert the commit "nfsd: add a LRU list
+for blocked locks".
+
+The cause appears to be a typo in nfs4_laundromat(), which is also
+present in nfs4_state_shutdown_net().
+
+Fixes: 7919d0a27f1e "nfsd: add a LRU list for blocked locks"
+Cc: jlayton@redhat.com
+Reveiwed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4state.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -4732,7 +4732,7 @@ nfs4_laundromat(struct nfsd_net *nn)
+ spin_unlock(&nn->blocked_locks_lock);
+
+ while (!list_empty(&reaplist)) {
+- nbl = list_first_entry(&nn->blocked_locks_lru,
++ nbl = list_first_entry(&reaplist,
+ struct nfsd4_blocked_lock, nbl_lru);
+ list_del_init(&nbl->nbl_lru);
+ posix_unblock_lock(&nbl->nbl_lock);
+@@ -7152,7 +7152,7 @@ nfs4_state_shutdown_net(struct net *net)
+ spin_unlock(&nn->blocked_locks_lock);
+
+ while (!list_empty(&reaplist)) {
+- nbl = list_first_entry(&nn->blocked_locks_lru,
++ nbl = list_first_entry(&reaplist,
+ struct nfsd4_blocked_lock, nbl_lru);
+ list_del_init(&nbl->nbl_lru);
+ posix_unblock_lock(&nbl->nbl_lock);
--- /dev/null
+From 15ca08d3299682dc49bad73251677b2c5017ef08 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Fri, 3 Nov 2017 08:00:10 -0400
+Subject: nfsd: Fix stateid races between OPEN and CLOSE
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit 15ca08d3299682dc49bad73251677b2c5017ef08 upstream.
+
+Open file stateids can linger on the nfs4_file list of stateids even
+after they have been closed. In order to avoid reusing such a
+stateid, and confusing the client, we need to recheck the
+nfs4_stid's type after taking the mutex.
+Otherwise, we risk reusing an old stateid that was already closed,
+which will confuse clients that expect new stateids to conform to
+RFC7530 Sections 9.1.4.2 and 16.2.5 or RFC5661 Sections 8.2.2 and 18.2.4.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4state.c | 67 +++++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 59 insertions(+), 8 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -3512,7 +3512,9 @@ nfsd4_find_existing_open(struct nfs4_fil
+ /* ignore lock owners */
+ if (local->st_stateowner->so_is_open_owner == 0)
+ continue;
+- if (local->st_stateowner == &oo->oo_owner) {
++ if (local->st_stateowner != &oo->oo_owner)
++ continue;
++ if (local->st_stid.sc_type == NFS4_OPEN_STID) {
+ ret = local;
+ atomic_inc(&ret->st_stid.sc_count);
+ break;
+@@ -3521,6 +3523,52 @@ nfsd4_find_existing_open(struct nfs4_fil
+ return ret;
+ }
+
++static __be32
++nfsd4_verify_open_stid(struct nfs4_stid *s)
++{
++ __be32 ret = nfs_ok;
++
++ switch (s->sc_type) {
++ default:
++ break;
++ case NFS4_CLOSED_STID:
++ case NFS4_CLOSED_DELEG_STID:
++ ret = nfserr_bad_stateid;
++ break;
++ case NFS4_REVOKED_DELEG_STID:
++ ret = nfserr_deleg_revoked;
++ }
++ return ret;
++}
++
++/* Lock the stateid st_mutex, and deal with races with CLOSE */
++static __be32
++nfsd4_lock_ol_stateid(struct nfs4_ol_stateid *stp)
++{
++ __be32 ret;
++
++ mutex_lock(&stp->st_mutex);
++ ret = nfsd4_verify_open_stid(&stp->st_stid);
++ if (ret != nfs_ok)
++ mutex_unlock(&stp->st_mutex);
++ return ret;
++}
++
++static struct nfs4_ol_stateid *
++nfsd4_find_and_lock_existing_open(struct nfs4_file *fp, struct nfsd4_open *open)
++{
++ struct nfs4_ol_stateid *stp;
++ for (;;) {
++ spin_lock(&fp->fi_lock);
++ stp = nfsd4_find_existing_open(fp, open);
++ spin_unlock(&fp->fi_lock);
++ if (!stp || nfsd4_lock_ol_stateid(stp) == nfs_ok)
++ break;
++ nfs4_put_stid(&stp->st_stid);
++ }
++ return stp;
++}
++
+ static struct nfs4_openowner *
+ alloc_init_open_stateowner(unsigned int strhashval, struct nfsd4_open *open,
+ struct nfsd4_compound_state *cstate)
+@@ -3565,6 +3613,7 @@ init_open_stateid(struct nfs4_file *fp,
+ mutex_init(&stp->st_mutex);
+ mutex_lock(&stp->st_mutex);
+
++retry:
+ spin_lock(&oo->oo_owner.so_client->cl_lock);
+ spin_lock(&fp->fi_lock);
+
+@@ -3589,7 +3638,11 @@ out_unlock:
+ spin_unlock(&fp->fi_lock);
+ spin_unlock(&oo->oo_owner.so_client->cl_lock);
+ if (retstp) {
+- mutex_lock(&retstp->st_mutex);
++ /* Handle races with CLOSE */
++ if (nfsd4_lock_ol_stateid(retstp) != nfs_ok) {
++ nfs4_put_stid(&retstp->st_stid);
++ goto retry;
++ }
+ /* To keep mutex tracking happy */
+ mutex_unlock(&stp->st_mutex);
+ stp = retstp;
+@@ -4410,9 +4463,7 @@ nfsd4_process_open2(struct svc_rqst *rqs
+ status = nfs4_check_deleg(cl, open, &dp);
+ if (status)
+ goto out;
+- spin_lock(&fp->fi_lock);
+- stp = nfsd4_find_existing_open(fp, open);
+- spin_unlock(&fp->fi_lock);
++ stp = nfsd4_find_and_lock_existing_open(fp, open);
+ } else {
+ open->op_file = NULL;
+ status = nfserr_bad_stateid;
+@@ -4426,7 +4477,6 @@ nfsd4_process_open2(struct svc_rqst *rqs
+ */
+ if (stp) {
+ /* Stateid was found, this is an OPEN upgrade */
+- mutex_lock(&stp->st_mutex);
+ status = nfs4_upgrade_open(rqstp, fp, current_fh, stp, open);
+ if (status) {
+ mutex_unlock(&stp->st_mutex);
+@@ -5317,7 +5367,6 @@ static void nfsd4_close_open_stateid(str
+ bool unhashed;
+ LIST_HEAD(reaplist);
+
+- s->st_stid.sc_type = NFS4_CLOSED_STID;
+ spin_lock(&clp->cl_lock);
+ unhashed = unhash_open_stateid(s, &reaplist);
+
+@@ -5357,10 +5406,12 @@ nfsd4_close(struct svc_rqst *rqstp, stru
+ nfsd4_bump_seqid(cstate, status);
+ if (status)
+ goto out;
++
++ stp->st_stid.sc_type = NFS4_CLOSED_STID;
+ nfs4_inc_and_copy_stateid(&close->cl_stateid, &stp->st_stid);
+- mutex_unlock(&stp->st_mutex);
+
+ nfsd4_close_open_stateid(stp);
++ mutex_unlock(&stp->st_mutex);
+
+ /* put reference from nfs4_preprocess_seqid_op */
+ nfs4_put_stid(&stp->st_stid);
--- /dev/null
+From 23970e150a0a49f9a966c46e5d22fed06226098f Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Mon, 20 Nov 2017 11:51:40 +0200
+Subject: omapdrm: hdmi4: Correct the SoC revision matching
+
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+
+commit 23970e150a0a49f9a966c46e5d22fed06226098f upstream.
+
+I believe the intention of the commit 2c9fc9bf45f8
+("drm: omapdrm: Move FEAT_HDMI_* features to hdmi4 driver")
+was to identify omap4430 ES1.x, omap4430 ES2.x and other OMAP4 revisions,
+like omap4460.
+
+By using family=OMAP4 in the match the code will treat omap4460 ES1.x in a
+same way as it would treat omap4430 ES1.x
+
+This breaks HDMI audio on OMAP4460 devices (PandaES for example).
+
+Correct the match rule so we are not going to get false positive match.
+
+Fixes: 2c9fc9bf45f8 ("drm: omapdrm: Move FEAT_HDMI_* features to hdmi4 driver")
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/omapdrm/dss/hdmi4_core.c | 23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/omapdrm/dss/hdmi4_core.c
++++ b/drivers/gpu/drm/omapdrm/dss/hdmi4_core.c
+@@ -889,25 +889,36 @@ struct hdmi4_features {
+ bool audio_use_mclk;
+ };
+
+-static const struct hdmi4_features hdmi4_es1_features = {
++static const struct hdmi4_features hdmi4430_es1_features = {
+ .cts_swmode = false,
+ .audio_use_mclk = false,
+ };
+
+-static const struct hdmi4_features hdmi4_es2_features = {
++static const struct hdmi4_features hdmi4430_es2_features = {
+ .cts_swmode = true,
+ .audio_use_mclk = false,
+ };
+
+-static const struct hdmi4_features hdmi4_es3_features = {
++static const struct hdmi4_features hdmi4_features = {
+ .cts_swmode = true,
+ .audio_use_mclk = true,
+ };
+
+ static const struct soc_device_attribute hdmi4_soc_devices[] = {
+- { .family = "OMAP4", .revision = "ES1.?", .data = &hdmi4_es1_features },
+- { .family = "OMAP4", .revision = "ES2.?", .data = &hdmi4_es2_features },
+- { .family = "OMAP4", .data = &hdmi4_es3_features },
++ {
++ .machine = "OMAP4430",
++ .revision = "ES1.?",
++ .data = &hdmi4430_es1_features,
++ },
++ {
++ .machine = "OMAP4430",
++ .revision = "ES2.?",
++ .data = &hdmi4430_es2_features,
++ },
++ {
++ .family = "OMAP4",
++ .data = &hdmi4_features,
++ },
+ { /* sentinel */ }
+ };
+
--- /dev/null
+From 2621e945fbf1d6df5f3f0ba7be5bae3d2cf9b6a5 Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Fri, 24 Nov 2017 14:51:02 +1100
+Subject: powerpc/kexec: Fix kexec/kdump in P9 guest kernels
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit 2621e945fbf1d6df5f3f0ba7be5bae3d2cf9b6a5 upstream.
+
+The code that cleans up the IAMR/AMOR before kexec'ing failed to
+remember that when we're running as a guest AMOR is not writable, it's
+hypervisor privileged.
+
+They symptom is that the kexec stops before entering purgatory and
+nothing else is seen on the console. If you examine the state of the
+system all threads will be in the 0x700 program check handler.
+
+Fix it by making the write to AMOR dependent on HV mode.
+
+Fixes: 1e2a516e89fc ("powerpc/kexec: Fix radix to hash kexec due to IAMR/AMOR")
+Reported-by: Yilin Zhang <yilzhang@redhat.com>
+Debugged-by: David Gibson <david@gibson.dropbear.id.au>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Acked-by: Balbir Singh <bsingharora@gmail.com>
+Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
+Tested-by: David Gibson <david@gibson.dropbear.id.au>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/misc_64.S | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/powerpc/kernel/misc_64.S
++++ b/arch/powerpc/kernel/misc_64.S
+@@ -623,7 +623,9 @@ BEGIN_FTR_SECTION
+ * NOTE, we rely on r0 being 0 from above.
+ */
+ mtspr SPRN_IAMR,r0
++BEGIN_FTR_SECTION_NESTED(42)
+ mtspr SPRN_AMOR,r0
++END_FTR_SECTION_NESTED_IFSET(CPU_FTR_HVMODE, 42)
+ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
+
+ /* save regs for local vars on new stack.
--- /dev/null
+From a3961f824cdbe7eb431254dc7d8f6f6767f474aa Mon Sep 17 00:00:00 2001
+From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+Date: Wed, 22 Nov 2017 23:02:07 +0530
+Subject: powerpc/powernv: Fix kexec crashes caused by tlbie tracing
+
+From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+
+commit a3961f824cdbe7eb431254dc7d8f6f6767f474aa upstream.
+
+Rebooting into a new kernel with kexec fails in trace_tlbie() which is
+called from native_hpte_clear(). This happens if the running kernel
+has CONFIG_LOCKDEP enabled. With lockdep enabled, the tracepoints
+always execute few RCU checks regardless of whether tracing is on or
+off. We are already in the last phase of kexec sequence in real mode
+with HILE_BE set. At this point the RCU check ends up in
+RCU_LOCKDEP_WARN and causes kexec to fail.
+
+Fix this by not calling trace_tlbie() from native_hpte_clear().
+
+mpe: It's not safe to call trace points at this point in the kexec
+path, even if we could avoid the RCU checks/warnings. The only
+solution is to not call them.
+
+Fixes: 0428491cba92 ("powerpc/mm: Trace tlbie(l) instructions")
+Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+Reported-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
+Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/hash_native_64.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/mm/hash_native_64.c
++++ b/arch/powerpc/mm/hash_native_64.c
+@@ -47,7 +47,8 @@
+
+ DEFINE_RAW_SPINLOCK(native_tlbie_lock);
+
+-static inline void __tlbie(unsigned long vpn, int psize, int apsize, int ssize)
++static inline unsigned long ___tlbie(unsigned long vpn, int psize,
++ int apsize, int ssize)
+ {
+ unsigned long va;
+ unsigned int penc;
+@@ -100,7 +101,15 @@ static inline void __tlbie(unsigned long
+ : "memory");
+ break;
+ }
+- trace_tlbie(0, 0, va, 0, 0, 0, 0);
++ return va;
++}
++
++static inline void __tlbie(unsigned long vpn, int psize, int apsize, int ssize)
++{
++ unsigned long rb;
++
++ rb = ___tlbie(vpn, psize, apsize, ssize);
++ trace_tlbie(0, 0, rb, 0, 0, 0, 0);
+ }
+
+ static inline void __tlbiel(unsigned long vpn, int psize, int apsize, int ssize)
+@@ -652,7 +661,7 @@ static void native_hpte_clear(void)
+ if (hpte_v & HPTE_V_VALID) {
+ hpte_decode(hptep, slot, &psize, &apsize, &ssize, &vpn);
+ hptep->v = 0;
+- __tlbie(vpn, psize, apsize, ssize);
++ ___tlbie(vpn, psize, apsize, ssize);
+ }
+ }
+
--- /dev/null
+From 345f8f34bb473241d62803951c18a844dd705f8d Mon Sep 17 00:00:00 2001
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Date: Fri, 24 Nov 2017 16:23:15 +0100
+Subject: s390: revert ELF_ET_DYN_BASE base changes
+
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+
+commit 345f8f34bb473241d62803951c18a844dd705f8d upstream.
+
+This reverts commit a73dc5370e153ac63718d850bddf0c9aa9d871e6.
+
+Reducing the base address for 31-bit PIE executables from
+(STACK_TOP/3)*2 to 4MB broke several compat programs which
+use -fpie to move the executable out of the lower 16MB.
+
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/include/asm/elf.h | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/arch/s390/include/asm/elf.h
++++ b/arch/s390/include/asm/elf.h
+@@ -194,13 +194,14 @@ struct arch_elf_state {
+ #define CORE_DUMP_USE_REGSET
+ #define ELF_EXEC_PAGESIZE PAGE_SIZE
+
+-/*
+- * This is the base location for PIE (ET_DYN with INTERP) loads. On
+- * 64-bit, this is raised to 4GB to leave the entire 32-bit address
+- * space open for things that want to use the area for 32-bit pointers.
+- */
+-#define ELF_ET_DYN_BASE (is_compat_task() ? 0x000400000UL : \
+- 0x100000000UL)
++/* This is the location that an ET_DYN program is loaded if exec'ed. Typical
++ use of this is to invoke "./ld.so someprog" to test out a new version of
++ the loader. We need to make sure that it is out of the way of the program
++ that it will "exec", and that there is sufficient room for the brk. 64-bit
++ tasks are aligned to 4GB. */
++#define ELF_ET_DYN_BASE (is_compat_task() ? \
++ (STACK_TOP / 3 * 2) : \
++ (STACK_TOP / 3 * 2) & ~((1UL << 32) - 1))
+
+ /* This yields a mask that user programs can use to figure out what
+ instruction set this CPU supports. */
autofs-revert-autofs-take-more-care-to-not-update-last_used-on-path-walk.patch
autofs-revert-autofs-fix-at_no_automount-not-being-honored.patch
mm-hugetlb-fix-null-pointer-dereference-on-5-level-paging-machine.patch
+btrfs-clear-space-cache-inode-generation-always.patch
+nfsd-fix-stateid-races-between-open-and-close.patch
+nfsd-fix-another-open-stateid-race.patch
+nfsd-fix-panic-in-posix_unblock_lock-called-from-nfs4_laundromat.patch
+crypto-algif_aead-skip-sgl-entries-with-null-page.patch
+crypto-af_alg-remove-locking-in-async-callback.patch
+crypto-skcipher-fix-skcipher_walk_aead_common.patch
+lockd-lost-rollback-of-set_grace_period-in-lockd_down_net.patch
+s390-revert-elf_et_dyn_base-base-changes.patch
+drm-omapdrm-fix-dpi-on-platforms-using-the-dsi-vdds.patch
+omapdrm-hdmi4-correct-the-soc-revision-matching.patch
+apparmor-fix-oops-in-audit_signal_cb-hook.patch
+arm64-module-plts-factor-out-plt-generation-code-for-ftrace.patch
+arm64-ftrace-emit-ftrace-mod.o-contents-through-code.patch
+powerpc-powernv-fix-kexec-crashes-caused-by-tlbie-tracing.patch
+powerpc-kexec-fix-kexec-kdump-in-p9-guest-kernels.patch
+kvm-x86-pvclock-handle-first-time-write-to-pvclock-page-contains-random-junk.patch
+kvm-x86-exit-to-user-mode-on-ud-intercept-when-emulator-requires.patch
+kvm-x86-inject-exceptions-produced-by-x86_decode_insn.patch
+kvm-lapic-split-out-x2apic-ldr-calculation.patch
+kvm-lapic-fixup-ldr-on-load-in-x2apic.patch
+mmc-sdhci-avoid-swiotlb-buffer-being-full.patch
+mmc-block-fix-missing-blk_put_request.patch
+mmc-block-check-return-value-of-blk_get_request.patch
+mmc-core-do-not-leave-the-block-driver-in-a-suspended-state.patch
+mmc-block-ensure-that-debugfs-files-are-removed.patch
+mmc-core-prepend-0x-to-pre_eol_info-entry-in-sysfs.patch
+mmc-core-prepend-0x-to-ocr-entry-in-sysfs.patch
+acpi-ec-fix-regression-related-to-pm-ops-support-in-ecdt-device.patch
+eeprom-at24-fix-reading-from-24mac402-24mac602.patch
+eeprom-at24-correctly-set-the-size-for-at24mac402.patch
+eeprom-at24-check-at24_read-write-arguments.patch
+i2c-i801-fix-failed-to-allocate-irq-2147483648-error.patch
+cxl-check-if-vphb-exists-before-iterating-over-afu-devices.patch
+bcache-fix-building-error-on-mips.patch
+bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch
+bcache-recover-data-from-backing-when-data-is-clean.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
