--- /dev/null
+From 4a7c94c721074eafb27298d93dbcc339aa28e745 Mon Sep 17 00:00:00 2001
+From: Erik Schmauss <erik.schmauss@intel.com>
+Date: Fri, 10 Aug 2018 14:42:58 -0700
+Subject: ACPICA: AML Parser: skip opcodes that open a scope upon parse failure
+
+From: Erik Schmauss <erik.schmauss@intel.com>
+
+commit 4a7c94c721074eafb27298d93dbcc339aa28e745 upstream.
+
+This change skips the entire length of opcodes that open a scope
+(Device, Scope, Processor, etc) if the creation of the op fails. The
+failure could be caused by various errors including AE_ALREADY_EXISTS
+and AE_NOT_FOUND.
+
+Reported-by: Jeremy Linton <jeremy.linton@arm.com>
+Tested-by: Jeremy Linton <jeremy.linton@arm.com>
+Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
+Cc: 4.17+ <stable@vger.kernel.org> # 4.17+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/acpica/psloop.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/drivers/acpi/acpica/psloop.c
++++ b/drivers/acpi/acpica/psloop.c
+@@ -22,6 +22,7 @@
+ #include "acdispat.h"
+ #include "amlcode.h"
+ #include "acconvert.h"
++#include "acnamesp.h"
+
+ #define _COMPONENT ACPI_PARSER
+ ACPI_MODULE_NAME("psloop")
+@@ -527,12 +528,18 @@ acpi_status acpi_ps_parse_loop(struct ac
+ if (ACPI_FAILURE(status)) {
+ return_ACPI_STATUS(status);
+ }
+- if (walk_state->opcode == AML_SCOPE_OP) {
++ if (acpi_ns_opens_scope
++ (acpi_ps_get_opcode_info
++ (walk_state->opcode)->object_type)) {
+ /*
+- * If the scope op fails to parse, skip the body of the
+- * scope op because the parse failure indicates that the
+- * device may not exist.
++ * If the scope/device op fails to parse, skip the body of
++ * the scope op because the parse failure indicates that
++ * the device may not exist.
+ */
++ ACPI_ERROR((AE_INFO,
++ "Skip parsing opcode %s",
++ acpi_ps_get_opcode_name
++ (walk_state->opcode)));
+ walk_state->parser_state.aml =
+ walk_state->aml + 1;
+ walk_state->parser_state.aml =
+@@ -540,8 +547,6 @@ acpi_status acpi_ps_parse_loop(struct ac
+ (&walk_state->parser_state);
+ walk_state->aml =
+ walk_state->parser_state.aml;
+- ACPI_ERROR((AE_INFO,
+- "Skipping Scope block"));
+ }
+
+ continue;
--- /dev/null
+From f317c7dc12b73eb9d67fdae404563deb907dcfb7 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Sun, 12 Aug 2018 12:50:09 +0200
+Subject: ACPICA: Clear status of all events when entering sleep states
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit f317c7dc12b73eb9d67fdae404563deb907dcfb7 upstream.
+
+Commit fa85015c0d95 (ACPICA: Clear status of all events when entering
+S5) made the sleep state entry code in ACPICA clear the status of all
+ACPI events when entering S5 to fix a functional regression reported
+against commit 18996f2db918 (ACPICA: Events: Stop unconditionally
+clearing ACPI IRQs during suspend/resume). However, it is reported
+now that the regression also affects system states other than S5 on
+some systems and causes them to wake up from sleep prematurely.
+
+For this reason, make the code in question clear the status of all
+ACPI events when entering all sleep states (in addition to S5) to
+avoid the premature wakeups (this may cause some wakeup events to
+be missed in theory, but the likelihood of that is small and the
+change here simply restores the previous behavior of the code).
+
+Fixes: 18996f2db918 (ACPICA: Events: Stop unconditionally clearing ACPI IRQs during suspend/resume)
+Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Tested-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Cc: 4.17+ <stable@vger.kernel.org> # 4.17+: fa85015c0d95 ACPICA: Clear status ...
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/acpica/hwsleep.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+--- a/drivers/acpi/acpica/hwsleep.c
++++ b/drivers/acpi/acpica/hwsleep.c
+@@ -56,14 +56,9 @@ acpi_status acpi_hw_legacy_sleep(u8 slee
+ if (ACPI_FAILURE(status)) {
+ return_ACPI_STATUS(status);
+ }
+- /*
+- * If the target sleep state is S5, clear all GPEs and fixed events too
+- */
+- if (sleep_state == ACPI_STATE_S5) {
+- status = acpi_hw_clear_acpi_status();
+- if (ACPI_FAILURE(status)) {
+- return_ACPI_STATUS(status);
+- }
++ status = acpi_hw_clear_acpi_status();
++ if (ACPI_FAILURE(status)) {
++ return_ACPI_STATUS(status);
+ }
+ acpi_gbl_system_awake_and_running = FALSE;
+
--- /dev/null
+From d15ec0b482ff502e4e19e43d15aa5072e4290199 Mon Sep 17 00:00:00 2001
+From: Lihua Yao <ylhuajnu@163.com>
+Date: Wed, 15 Aug 2018 23:20:34 +0800
+Subject: ALSA: ac97: fix check of pm_runtime_get_sync failure
+
+From: Lihua Yao <ylhuajnu@163.com>
+
+commit d15ec0b482ff502e4e19e43d15aa5072e4290199 upstream.
+
+pm_runtime_get_sync returns negative on failure.
+
+Fixes: 74426fbff66e ("ALSA: ac97: add an ac97 bus")
+Signed-off-by: Lihua Yao <ylhuajnu@163.com>
+Acked-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/ac97/bus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/ac97/bus.c
++++ b/sound/ac97/bus.c
+@@ -503,7 +503,7 @@ static int ac97_bus_remove(struct device
+ int ret;
+
+ ret = pm_runtime_get_sync(dev);
+- if (ret)
++ if (ret < 0)
+ return ret;
+
+ ret = adrv->remove(adev);
--- /dev/null
+From c7b8170790c19293acd835dc50b8247ec207d4a3 Mon Sep 17 00:00:00 2001
+From: Lihua Yao <ylhuajnu@163.com>
+Date: Wed, 15 Aug 2018 20:59:46 +0800
+Subject: ALSA: ac97: fix device initialization in the compat layer
+
+From: Lihua Yao <ylhuajnu@163.com>
+
+commit c7b8170790c19293acd835dc50b8247ec207d4a3 upstream.
+
+ac97->dev is an object of 'struct device' type. It should be initialized
+via device_initialize() or device_register().
+
+Fixes: 74426fbff66e ("ALSA: ac97: add an ac97 bus")
+Signed-off-by: Lihua Yao <ylhuajnu@163.com>
+Tested-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Acked-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/ac97/snd_ac97_compat.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/sound/ac97/snd_ac97_compat.c
++++ b/sound/ac97/snd_ac97_compat.c
+@@ -15,6 +15,11 @@
+
+ #include "ac97_core.h"
+
++static void compat_ac97_release(struct device *dev)
++{
++ kfree(to_ac97_t(dev));
++}
++
+ static void compat_ac97_reset(struct snd_ac97 *ac97)
+ {
+ struct ac97_codec_device *adev = to_ac97_device(ac97->private_data);
+@@ -65,21 +70,31 @@ static struct snd_ac97_bus compat_soc_ac
+ struct snd_ac97 *snd_ac97_compat_alloc(struct ac97_codec_device *adev)
+ {
+ struct snd_ac97 *ac97;
++ int ret;
+
+ ac97 = kzalloc(sizeof(struct snd_ac97), GFP_KERNEL);
+ if (ac97 == NULL)
+ return ERR_PTR(-ENOMEM);
+
+- ac97->dev = adev->dev;
+ ac97->private_data = adev;
+ ac97->bus = &compat_soc_ac97_bus;
++
++ ac97->dev.parent = &adev->dev;
++ ac97->dev.release = compat_ac97_release;
++ dev_set_name(&ac97->dev, "%s-compat", dev_name(&adev->dev));
++ ret = device_register(&ac97->dev);
++ if (ret) {
++ put_device(&ac97->dev);
++ return ERR_PTR(ret);
++ }
++
+ return ac97;
+ }
+ EXPORT_SYMBOL_GPL(snd_ac97_compat_alloc);
+
+ void snd_ac97_compat_release(struct snd_ac97 *ac97)
+ {
+- kfree(ac97);
++ device_unregister(&ac97->dev);
+ }
+ EXPORT_SYMBOL_GPL(snd_ac97_compat_release);
+
--- /dev/null
+From 250ea7c5f56e350cdafebe6b87478b00db4f7af8 Mon Sep 17 00:00:00 2001
+From: Lihua Yao <ylhuajnu@163.com>
+Date: Wed, 15 Aug 2018 23:20:35 +0800
+Subject: ALSA: ac97: fix unbalanced pm_runtime_enable
+
+From: Lihua Yao <ylhuajnu@163.com>
+
+commit 250ea7c5f56e350cdafebe6b87478b00db4f7af8 upstream.
+
+Runtime PM is enabled at ac97_bus_probe() and should be disabled
+at ac97_bus_remove().
+
+Fixes: 74426fbff66e ("ALSA: ac97: add an ac97 bus")
+Signed-off-by: Lihua Yao <ylhuajnu@163.com>
+Acked-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/ac97/bus.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/ac97/bus.c
++++ b/sound/ac97/bus.c
+@@ -511,6 +511,8 @@ static int ac97_bus_remove(struct device
+ if (ret == 0)
+ ac97_put_disable_clk(adev);
+
++ pm_runtime_disable(dev);
++
+ return ret;
+ }
+
--- /dev/null
+From 5f3cc16483d40bbc609a828511ff851296fc62b6 Mon Sep 17 00:00:00 2001
+From: Roger Quadros <rogerq@ti.com>
+Date: Tue, 29 May 2018 12:00:55 +0300
+Subject: ARM: dts: am57xx-idk: Enable dual role for USB2 port
+
+From: Roger Quadros <rogerq@ti.com>
+
+commit 5f3cc16483d40bbc609a828511ff851296fc62b6 upstream.
+
+Dual-role support was added in v4.12. We should be using
+it for USB2 port on the am57xx-idk.
+
+Cc: <stable@vger.kernel.org> [4.16+]
+Reported-by: Bin Liu <b-liu@ti.com>
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/am571x-idk.dts | 4 ----
+ arch/arm/boot/dts/am572x-idk-common.dtsi | 4 ----
+ arch/arm/boot/dts/am57xx-idk-common.dtsi | 7 ++++++-
+ 3 files changed, 6 insertions(+), 9 deletions(-)
+
+--- a/arch/arm/boot/dts/am571x-idk.dts
++++ b/arch/arm/boot/dts/am571x-idk.dts
+@@ -66,10 +66,6 @@
+ };
+ };
+
+-&omap_dwc3_2 {
+- extcon = <&extcon_usb2>;
+-};
+-
+ &extcon_usb2 {
+ id-gpio = <&gpio5 7 GPIO_ACTIVE_HIGH>;
+ vbus-gpio = <&gpio7 22 GPIO_ACTIVE_HIGH>;
+--- a/arch/arm/boot/dts/am572x-idk-common.dtsi
++++ b/arch/arm/boot/dts/am572x-idk-common.dtsi
+@@ -57,10 +57,6 @@
+ };
+ };
+
+-&omap_dwc3_2 {
+- extcon = <&extcon_usb2>;
+-};
+-
+ &extcon_usb2 {
+ id-gpio = <&gpio3 16 GPIO_ACTIVE_HIGH>;
+ vbus-gpio = <&gpio3 26 GPIO_ACTIVE_HIGH>;
+--- a/arch/arm/boot/dts/am57xx-idk-common.dtsi
++++ b/arch/arm/boot/dts/am57xx-idk-common.dtsi
+@@ -395,8 +395,13 @@
+ dr_mode = "host";
+ };
+
++&omap_dwc3_2 {
++ extcon = <&extcon_usb2>;
++};
++
+ &usb2 {
+- dr_mode = "peripheral";
++ extcon = <&extcon_usb2>;
++ dr_mode = "otg";
+ };
+
+ &mmc1 {
--- /dev/null
+From 6e1811900b6fe6f2b4665dba6bd6ed32c6b98575 Mon Sep 17 00:00:00 2001
+From: Jon Hunter <jonathanh@nvidia.com>
+Date: Tue, 3 Jul 2018 09:59:47 +0100
+Subject: ARM: tegra: Fix Tegra30 Cardhu PCA954x reset
+
+From: Jon Hunter <jonathanh@nvidia.com>
+
+commit 6e1811900b6fe6f2b4665dba6bd6ed32c6b98575 upstream.
+
+On all versions of Tegra30 Cardhu, the reset signal to the NXP PCA9546
+I2C mux is connected to the Tegra GPIO BB0. Currently, this pin on the
+Tegra is not configured as a GPIO but as a special-function IO (SFIO)
+that is multiplexing the pin to an I2S controller. On exiting system
+suspend, I2C commands sent to the PCA9546 are failing because there is
+no ACK. Although it is not possible to see exactly what is happening
+to the reset during suspend, by ensuring it is configured as a GPIO
+and driven high, to de-assert the reset, the failures are no longer
+seen.
+
+Please note that this GPIO is also used to drive the reset signal
+going to the camera connector on the board. However, given that there
+is no camera support currently for Cardhu, this should not have any
+impact.
+
+Fixes: 40431d16ff11 ("ARM: tegra: enable PCA9546 on Cardhu")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/tegra30-cardhu.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/boot/dts/tegra30-cardhu.dtsi
++++ b/arch/arm/boot/dts/tegra30-cardhu.dtsi
+@@ -206,6 +206,7 @@
+ #address-cells = <1>;
+ #size-cells = <0>;
+ reg = <0x70>;
++ reset-gpio = <&gpio TEGRA_GPIO(BB, 0) GPIO_ACTIVE_LOW>;
+ };
+ };
+
--- /dev/null
+From fc8ebd01deeb12728c83381f6ec923e4a192ffd3 Mon Sep 17 00:00:00 2001
+From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>
+Date: Wed, 15 Aug 2018 23:56:45 +0200
+Subject: block, bfq: return nbytes and not zero from struct cftype .write() method
+
+From: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+
+commit fc8ebd01deeb12728c83381f6ec923e4a192ffd3 upstream.
+
+The value that struct cftype .write() method returns is then directly
+returned to userspace as the value returned by write() syscall, so it
+should be the number of bytes actually written (or consumed) and not zero.
+
+Returning zero from write() syscall makes programs like /bin/echo or bash
+spin.
+
+Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+Fixes: e21b7a0b9887 ("block, bfq: add full hierarchical scheduling and cgroups support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/bfq-cgroup.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/block/bfq-cgroup.c
++++ b/block/bfq-cgroup.c
+@@ -913,7 +913,8 @@ static ssize_t bfq_io_set_weight(struct
+ if (ret)
+ return ret;
+
+- return bfq_io_set_weight_legacy(of_css(of), NULL, weight);
++ ret = bfq_io_set_weight_legacy(of_css(of), NULL, weight);
++ return ret ?: nbytes;
+ }
+
+ #ifdef CONFIG_DEBUG_BLK_CGROUP
--- /dev/null
+From 2a3eb51e30b9ac66fe1b75877627a7e4aaeca24a Mon Sep 17 00:00:00 2001
+From: Henry Willard <henry.willard@oracle.com>
+Date: Tue, 14 Aug 2018 17:01:02 -0700
+Subject: cpufreq: governor: Avoid accessing invalid governor_data
+
+From: Henry Willard <henry.willard@oracle.com>
+
+commit 2a3eb51e30b9ac66fe1b75877627a7e4aaeca24a upstream.
+
+If cppc_cpufreq.ko is deleted at the same time that tuned-adm is
+changing profiles, there is a small chance that a race can occur
+between cpufreq_dbs_governor_exit() and cpufreq_dbs_governor_limits()
+resulting in a system failure when the latter tries to use
+policy->governor_data that has been freed by the former.
+
+This patch uses gov_dbs_data_mutex to synchronize access.
+
+Fixes: e788892ba3cc (cpufreq: governor: Get rid of governor events)
+Signed-off-by: Henry Willard <henry.willard@oracle.com>
+[ rjw: Subject, minor white space adjustment ]
+Cc: 4.8+ <stable@vger.kernel.org> # 4.8+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/cpufreq_governor.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/cpufreq/cpufreq_governor.c
++++ b/drivers/cpufreq/cpufreq_governor.c
+@@ -555,12 +555,20 @@ EXPORT_SYMBOL_GPL(cpufreq_dbs_governor_s
+
+ void cpufreq_dbs_governor_limits(struct cpufreq_policy *policy)
+ {
+- struct policy_dbs_info *policy_dbs = policy->governor_data;
++ struct policy_dbs_info *policy_dbs;
++
++ /* Protect gov->gdbs_data against cpufreq_dbs_governor_exit() */
++ mutex_lock(&gov_dbs_data_mutex);
++ policy_dbs = policy->governor_data;
++ if (!policy_dbs)
++ goto out;
+
+ mutex_lock(&policy_dbs->update_mutex);
+ cpufreq_policy_apply_limits(policy);
+ gov_update_sample_delay(policy_dbs, 0);
+-
+ mutex_unlock(&policy_dbs->update_mutex);
++
++out:
++ mutex_unlock(&gov_dbs_data_mutex);
+ }
+ EXPORT_SYMBOL_GPL(cpufreq_dbs_governor_limits);
--- /dev/null
+From 5ef499cd571c293b74a30d77e7ef512edb6ded6b Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Tue, 14 Aug 2018 12:34:40 +0200
+Subject: cpuidle: menu: Handle stopped tick more aggressively
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit 5ef499cd571c293b74a30d77e7ef512edb6ded6b upstream.
+
+Commit 87c9fe6ee495 (cpuidle: menu: Avoid selecting shallow states
+with stopped tick) missed the case when the target residencies of
+deep idle states of CPUs are above the tick boundary which may cause
+the CPU to get stuck in a shallow idle state for a long time.
+
+Say there are two CPU idle states available: one shallow, with the
+target residency much below the tick boundary and one deep, with
+the target residency significantly above the tick boundary. In
+that case, if the tick has been stopped already and the expected
+next timer event is relatively far in the future, the governor will
+assume the idle duration to be equal to TICK_USEC and it will select
+the idle state for the CPU accordingly. However, that will cause the
+shallow state to be selected even though it would have been more
+energy-efficient to select the deep one.
+
+To address this issue, modify the governor to always use the time
+till the closest timer event instead of the predicted idle duration
+if the latter is less than the tick period length and the tick has
+been stopped already. Also make it extend the search for a matching
+idle state if the tick is stopped to avoid settling on a shallow
+state if deep states with target residencies above the tick period
+length are available.
+
+In addition, make it always indicate that the tick should be stopped
+if it has been stopped already for consistency.
+
+Fixes: 87c9fe6ee495 (cpuidle: menu: Avoid selecting shallow states with stopped tick)
+Reported-by: Leo Yan <leo.yan@linaro.org>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: 4.17+ <stable@vger.kernel.org> # 4.17+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpuidle/governors/menu.c | 36 ++++++++++++++++++++++++------------
+ 1 file changed, 24 insertions(+), 12 deletions(-)
+
+--- a/drivers/cpuidle/governors/menu.c
++++ b/drivers/cpuidle/governors/menu.c
+@@ -349,14 +349,12 @@ static int menu_select(struct cpuidle_dr
+ * If the tick is already stopped, the cost of possible short
+ * idle duration misprediction is much higher, because the CPU
+ * may be stuck in a shallow idle state for a long time as a
+- * result of it. In that case say we might mispredict and try
+- * to force the CPU into a state for which we would have stopped
+- * the tick, unless a timer is going to expire really soon
+- * anyway.
++ * result of it. In that case say we might mispredict and use
++ * the known time till the closest timer event for the idle
++ * state selection.
+ */
+ if (data->predicted_us < TICK_USEC)
+- data->predicted_us = min_t(unsigned int, TICK_USEC,
+- ktime_to_us(delta_next));
++ data->predicted_us = ktime_to_us(delta_next);
+ } else {
+ /*
+ * Use the performance multiplier and the user-configurable
+@@ -381,8 +379,22 @@ static int menu_select(struct cpuidle_dr
+ continue;
+ if (idx == -1)
+ idx = i; /* first enabled state */
+- if (s->target_residency > data->predicted_us)
+- break;
++ if (s->target_residency > data->predicted_us) {
++ if (!tick_nohz_tick_stopped())
++ break;
++
++ /*
++ * If the state selected so far is shallow and this
++ * state's target residency matches the time till the
++ * closest timer event, select this one to avoid getting
++ * stuck in the shallow one for too long.
++ */
++ if (drv->states[idx].target_residency < TICK_USEC &&
++ s->target_residency <= ktime_to_us(delta_next))
++ idx = i;
++
++ goto out;
++ }
+ if (s->exit_latency > latency_req) {
+ /*
+ * If we break out of the loop for latency reasons, use
+@@ -403,14 +415,13 @@ static int menu_select(struct cpuidle_dr
+ * Don't stop the tick if the selected state is a polling one or if the
+ * expected idle duration is shorter than the tick period length.
+ */
+- if ((drv->states[idx].flags & CPUIDLE_FLAG_POLLING) ||
+- expected_interval < TICK_USEC) {
++ if (((drv->states[idx].flags & CPUIDLE_FLAG_POLLING) ||
++ expected_interval < TICK_USEC) && !tick_nohz_tick_stopped()) {
+ unsigned int delta_next_us = ktime_to_us(delta_next);
+
+ *stop_tick = false;
+
+- if (!tick_nohz_tick_stopped() && idx > 0 &&
+- drv->states[idx].target_residency > delta_next_us) {
++ if (idx > 0 && drv->states[idx].target_residency > delta_next_us) {
+ /*
+ * The tick is not going to be stopped and the target
+ * residency of the state to be returned is not within
+@@ -429,6 +440,7 @@ static int menu_select(struct cpuidle_dr
+ }
+ }
+
++out:
+ data->last_state_idx = idx;
+
+ return data->last_state_idx;
--- /dev/null
+From c8bd134a4bddafe5917d163eea73873932c15e83 Mon Sep 17 00:00:00 2001
+From: Peter Kalauskas <peskal@google.com>
+Date: Tue, 21 Aug 2018 21:54:02 -0700
+Subject: drivers/block/zram/zram_drv.c: fix bug storing backing_dev
+
+From: Peter Kalauskas <peskal@google.com>
+
+commit c8bd134a4bddafe5917d163eea73873932c15e83 upstream.
+
+The call to strlcpy in backing_dev_store is incorrect. It should take
+the size of the destination buffer instead of the size of the source
+buffer. Additionally, ignore the newline character (\n) when reading
+the new file_name buffer. This makes it possible to set the backing_dev
+as follows:
+
+ echo /dev/sdX > /sys/block/zram0/backing_dev
+
+The reason it worked before was the fact that strlcpy() copies 'len - 1'
+bytes, which is strlen(buf) - 1 in our case, so it accidentally didn't
+copy the trailing new line symbol. Which also means that "echo -n
+/dev/sdX" most likely was broken.
+
+Signed-off-by: Peter Kalauskas <peskal@google.com>
+Link: http://lkml.kernel.org/r/20180813061623.GC64836@rodete-desktop-imager.corp.google.com
+Acked-by: Minchan Kim <minchan@kernel.org>
+Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Cc: <stable@vger.kernel.org> [4.14+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/zram/zram_drv.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/zram/zram_drv.c
++++ b/drivers/block/zram/zram_drv.c
+@@ -337,6 +337,7 @@ static ssize_t backing_dev_store(struct
+ struct device_attribute *attr, const char *buf, size_t len)
+ {
+ char *file_name;
++ size_t sz;
+ struct file *backing_dev = NULL;
+ struct inode *inode;
+ struct address_space *mapping;
+@@ -357,7 +358,11 @@ static ssize_t backing_dev_store(struct
+ goto out;
+ }
+
+- strlcpy(file_name, buf, len);
++ strlcpy(file_name, buf, PATH_MAX);
++ /* ignore trailing newline */
++ sz = strlen(file_name);
++ if (sz > 0 && file_name[sz - 1] == '\n')
++ file_name[sz - 1] = 0x00;
+
+ backing_dev = filp_open(file_name, O_RDWR|O_LARGEFILE, 0);
+ if (IS_ERR(backing_dev)) {
--- /dev/null
+From 9d9a152ebaa86a9dede4624919566483c955d0a7 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 29 Aug 2018 15:06:31 +0200
+Subject: i2c: designware: Re-init controllers with pm_disabled set on resume
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 9d9a152ebaa86a9dede4624919566483c955d0a7 upstream.
+
+On Bay Trail and Cherry Trail devices we set the pm_disabled flag for I2C
+busses which the OS shares with the PUNIT as these need special handling.
+Until now we called dev_pm_syscore_device(dev, true) for I2C controllers
+with this flag set to keep these I2C controllers always on.
+
+After commit 12864ff8545f ("ACPI / LPSS: Avoid PM quirks on suspend and
+resume from hibernation"), this no longer works. This commit modifies
+lpss_iosf_exit_d3_state() to only run if lpss_iosf_enter_d3_state() has ran
+before it, so that it does not run on a resume from hibernate (or from S3).
+
+On these systems the conditions for lpss_iosf_enter_d3_state() to run
+never become true, so lpss_iosf_exit_d3_state() never gets called and
+the 2 LPSS DMA controllers never get forced into D0 mode, instead they
+are left in their default automatic power-on when needed mode.
+
+The not forcing of D0 mode for the DMA controllers enables these systems
+to properly enter S0ix modes, which is a good thing.
+
+But after entering S0ix modes the I2C controller connected to the PMIC
+no longer works, leading to e.g. broken battery monitoring.
+
+The _PS3 method for this I2C controller looks like this:
+
+ Method (_PS3, 0, NotSerialized) // _PS3: Power State 3
+ {
+ If ((((PMID == 0x04) || (PMID == 0x05)) || (PMID == 0x06)))
+ {
+ Return (Zero)
+ }
+
+ PSAT |= 0x03
+ Local0 = PSAT /* \_SB_.I2C5.PSAT */
+ }
+
+Where PMID = 0x05, so we enter the Return (Zero) path on these systems.
+
+So even if we were to not call dev_pm_syscore_device(dev, true) the
+I2C controller will be left in D0 rather then be switched to D3.
+
+Yet on other Bay and Cherry Trail devices S0ix is not entered unless *all*
+I2C controllers are in D3 mode. This combined with the I2C controller no
+longer working now that we reach S0ix states on these systems leads to me
+believing that the PUNIT itself puts the I2C controller in D3 when all
+other conditions for entering S0ix states are true.
+
+Since now the I2C controller is put in D3 over a suspend/resume we must
+re-initialize it afterwards and that does indeed fix it no longer working.
+
+This commit implements this fix by:
+
+1) Making the suspend_late callback a no-op if pm_disabled is set and
+making the resume_early callback skip the clock re-enable (since it now was
+not disabled) while still doing the necessary I2C controller re-init.
+
+2) Removing the dev_pm_syscore_device(dev, true) call, so that the suspend
+and resume callbacks are actually called. Normally this would cause the
+ACPI pm code to call _PS3 putting the I2C controller in D3, wreaking havoc
+since it is shared with the PUNIT, but in this special case the _PS3 method
+is a no-op so we can safely allow a "fake" suspend / resume.
+
+Fixes: 12864ff8545f ("ACPI / LPSS: Avoid PM quirks on suspend and resume ...")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=200861
+Cc: 4.15+ <stable@vger.kernel.org> # 4.15+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-designware-master.c | 1 -
+ drivers/i2c/busses/i2c-designware-platdrv.c | 7 ++++++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-designware-master.c
++++ b/drivers/i2c/busses/i2c-designware-master.c
+@@ -693,7 +693,6 @@ int i2c_dw_probe(struct dw_i2c_dev *dev)
+ i2c_set_adapdata(adap, dev);
+
+ if (dev->pm_disabled) {
+- dev_pm_syscore_device(dev->dev, true);
+ irq_flags = IRQF_NO_SUSPEND;
+ } else {
+ irq_flags = IRQF_SHARED | IRQF_COND_SUSPEND;
+--- a/drivers/i2c/busses/i2c-designware-platdrv.c
++++ b/drivers/i2c/busses/i2c-designware-platdrv.c
+@@ -448,6 +448,9 @@ static int dw_i2c_plat_suspend(struct de
+ {
+ struct dw_i2c_dev *i_dev = dev_get_drvdata(dev);
+
++ if (i_dev->pm_disabled)
++ return 0;
++
+ i_dev->disable(i_dev);
+ i2c_dw_prepare_clk(i_dev, false);
+
+@@ -458,7 +461,9 @@ static int dw_i2c_plat_resume(struct dev
+ {
+ struct dw_i2c_dev *i_dev = dev_get_drvdata(dev);
+
+- i2c_dw_prepare_clk(i_dev, true);
++ if (!i_dev->pm_disabled)
++ i2c_dw_prepare_clk(i_dev, true);
++
+ i_dev->init(i_dev);
+
+ return 0;
--- /dev/null
+From 8cfbdbdc24815417a3ab35101ccf706b9a23ff17 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Thu, 23 Aug 2018 10:08:58 +1000
+Subject: KVM: PPC: Book3S: Fix guest DMA when guest partially backed by THP pages
+
+From: Paul Mackerras <paulus@ozlabs.org>
+
+commit 8cfbdbdc24815417a3ab35101ccf706b9a23ff17 upstream.
+
+Commit 76fa4975f3ed ("KVM: PPC: Check if IOMMU page is contained in
+the pinned physical page", 2018-07-17) added some checks to ensure
+that guest DMA mappings don't attempt to map more than the guest is
+entitled to access. However, errors in the logic mean that legitimate
+guest requests to map pages for DMA are being denied in some
+situations. Specifically, if the first page of the range passed to
+mm_iommu_get() is mapped with a normal page, and subsequent pages are
+mapped with transparent huge pages, we end up with mem->pageshift ==
+0. That means that the page size checks in mm_iommu_ua_to_hpa() and
+mm_iommu_up_to_hpa_rm() will always fail for every page in that
+region, and thus the guest can never map any memory in that region for
+DMA, typically leading to a flood of error messages like this:
+
+ qemu-system-ppc64: VFIO_MAP_DMA: -22
+ qemu-system-ppc64: vfio_dma_map(0x10005f47780, 0x800000000000000, 0x10000, 0x7fff63ff0000) = -22 (Invalid argument)
+
+The logic errors in mm_iommu_get() are:
+
+ (a) use of 'ua' not 'ua + (i << PAGE_SHIFT)' in the find_linux_pte()
+ call (meaning that find_linux_pte() returns the pte for the
+ first address in the range, not the address we are currently up
+ to);
+ (b) use of 'pageshift' as the variable to receive the hugepage shift
+ returned by find_linux_pte() - for a normal page this gets set
+ to 0, leading to us setting mem->pageshift to 0 when we conclude
+ that the pte returned by find_linux_pte() didn't match the page
+ we were looking at;
+ (c) comparing 'compshift', which is a page order, i.e. log base 2 of
+ the number of pages, with 'pageshift', which is a log base 2 of
+ the number of bytes.
+
+To fix these problems, this patch introduces 'cur_ua' to hold the
+current user address and uses that in the find_linux_pte() call;
+introduces 'pteshift' to hold the hugepage shift found by
+find_linux_pte(); and compares 'pteshift' with 'compshift +
+PAGE_SHIFT' rather than 'compshift'.
+
+The patch also moves the local_irq_restore to the point after the PTE
+pointer returned by find_linux_pte() has been dereferenced because
+otherwise the PTE could change underneath us, and adds a check to
+avoid doing the find_linux_pte() call once mem->pageshift has been
+reduced to PAGE_SHIFT, as an optimization.
+
+Fixes: 76fa4975f3ed ("KVM: PPC: Check if IOMMU page is contained in the pinned physical page")
+Cc: stable@vger.kernel.org # v4.12+
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/mmu_context_iommu.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/arch/powerpc/mm/mmu_context_iommu.c
++++ b/arch/powerpc/mm/mmu_context_iommu.c
+@@ -129,6 +129,7 @@ long mm_iommu_get(struct mm_struct *mm,
+ long i, j, ret = 0, locked_entries = 0;
+ unsigned int pageshift;
+ unsigned long flags;
++ unsigned long cur_ua;
+ struct page *page = NULL;
+
+ mutex_lock(&mem_list_mutex);
+@@ -177,7 +178,8 @@ long mm_iommu_get(struct mm_struct *mm,
+ }
+
+ for (i = 0; i < entries; ++i) {
+- if (1 != get_user_pages_fast(ua + (i << PAGE_SHIFT),
++ cur_ua = ua + (i << PAGE_SHIFT);
++ if (1 != get_user_pages_fast(cur_ua,
+ 1/* pages */, 1/* iswrite */, &page)) {
+ ret = -EFAULT;
+ for (j = 0; j < i; ++j)
+@@ -196,7 +198,7 @@ long mm_iommu_get(struct mm_struct *mm,
+ if (is_migrate_cma_page(page)) {
+ if (mm_iommu_move_page_from_cma(page))
+ goto populate;
+- if (1 != get_user_pages_fast(ua + (i << PAGE_SHIFT),
++ if (1 != get_user_pages_fast(cur_ua,
+ 1/* pages */, 1/* iswrite */,
+ &page)) {
+ ret = -EFAULT;
+@@ -210,20 +212,21 @@ long mm_iommu_get(struct mm_struct *mm,
+ }
+ populate:
+ pageshift = PAGE_SHIFT;
+- if (PageCompound(page)) {
++ if (mem->pageshift > PAGE_SHIFT && PageCompound(page)) {
+ pte_t *pte;
+ struct page *head = compound_head(page);
+ unsigned int compshift = compound_order(head);
++ unsigned int pteshift;
+
+ local_irq_save(flags); /* disables as well */
+- pte = find_linux_pte(mm->pgd, ua, NULL, &pageshift);
+- local_irq_restore(flags);
++ pte = find_linux_pte(mm->pgd, cur_ua, NULL, &pteshift);
+
+ /* Double check it is still the same pinned page */
+ if (pte && pte_page(*pte) == head &&
+- pageshift == compshift)
+- pageshift = max_t(unsigned int, pageshift,
++ pteshift == compshift + PAGE_SHIFT)
++ pageshift = max_t(unsigned int, pteshift,
+ PAGE_SHIFT);
++ local_irq_restore(flags);
+ }
+ mem->pageshift = min(mem->pageshift, pageshift);
+ mem->hpas[i] = page_to_pfn(page) << PAGE_SHIFT;
--- /dev/null
+From 0027ff2a75f9dcf0537ac0a65c5840b0e21a4950 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 22 Aug 2018 16:43:39 +0200
+Subject: KVM: VMX: fixes for vmentry_l1d_flush module parameter
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 0027ff2a75f9dcf0537ac0a65c5840b0e21a4950 upstream.
+
+Two bug fixes:
+
+1) missing entries in the l1d_param array; this can cause a host crash
+if an access attempts to reach the missing entry. Future-proof the get
+function against any overflows as well. However, the two entries
+VMENTER_L1D_FLUSH_EPT_DISABLED and VMENTER_L1D_FLUSH_NOT_REQUIRED must
+not be accepted by the parse function, so disable them there.
+
+2) invalid values must be rejected even if the CPU does not have the
+bug, so test for them before checking boot_cpu_has(X86_BUG_L1TF)
+
+... and a small refactoring, since the .cmd field is redundant with
+the index in the array.
+
+Reported-by: Bandan Das <bsd@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: a7b9020b06ec6d7c3f3b0d4ef1a9eba12654f4f7
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -197,12 +197,14 @@ static enum vmx_l1d_flush_state __read_m
+
+ static const struct {
+ const char *option;
+- enum vmx_l1d_flush_state cmd;
++ bool for_parse;
+ } vmentry_l1d_param[] = {
+- {"auto", VMENTER_L1D_FLUSH_AUTO},
+- {"never", VMENTER_L1D_FLUSH_NEVER},
+- {"cond", VMENTER_L1D_FLUSH_COND},
+- {"always", VMENTER_L1D_FLUSH_ALWAYS},
++ [VMENTER_L1D_FLUSH_AUTO] = {"auto", true},
++ [VMENTER_L1D_FLUSH_NEVER] = {"never", true},
++ [VMENTER_L1D_FLUSH_COND] = {"cond", true},
++ [VMENTER_L1D_FLUSH_ALWAYS] = {"always", true},
++ [VMENTER_L1D_FLUSH_EPT_DISABLED] = {"EPT disabled", false},
++ [VMENTER_L1D_FLUSH_NOT_REQUIRED] = {"not required", false},
+ };
+
+ #define L1D_CACHE_ORDER 4
+@@ -286,8 +288,9 @@ static int vmentry_l1d_flush_parse(const
+
+ if (s) {
+ for (i = 0; i < ARRAY_SIZE(vmentry_l1d_param); i++) {
+- if (sysfs_streq(s, vmentry_l1d_param[i].option))
+- return vmentry_l1d_param[i].cmd;
++ if (vmentry_l1d_param[i].for_parse &&
++ sysfs_streq(s, vmentry_l1d_param[i].option))
++ return i;
+ }
+ }
+ return -EINVAL;
+@@ -297,13 +300,13 @@ static int vmentry_l1d_flush_set(const c
+ {
+ int l1tf, ret;
+
+- if (!boot_cpu_has(X86_BUG_L1TF))
+- return 0;
+-
+ l1tf = vmentry_l1d_flush_parse(s);
+ if (l1tf < 0)
+ return l1tf;
+
++ if (!boot_cpu_has(X86_BUG_L1TF))
++ return 0;
++
+ /*
+ * Has vmx_init() run already? If not then this is the pre init
+ * parameter parsing. In that case just store the value and let
+@@ -323,6 +326,9 @@ static int vmentry_l1d_flush_set(const c
+
+ static int vmentry_l1d_flush_get(char *s, const struct kernel_param *kp)
+ {
++ if (WARN_ON_ONCE(l1tf_vmx_mitigation >= ARRAY_SIZE(vmentry_l1d_param)))
++ return sprintf(s, "???\n");
++
+ return sprintf(s, "%s\n", vmentry_l1d_param[l1tf_vmx_mitigation].option);
+ }
+
--- /dev/null
+From 64bed6cbe38bc95689fb9399872d9ce250192f90 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Fri, 13 Jul 2018 17:22:24 +0300
+Subject: nfsd: fix leaked file lock with nfs exported overlayfs
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 64bed6cbe38bc95689fb9399872d9ce250192f90 upstream.
+
+nfsd and lockd call vfs_lock_file() to lock/unlock the inode
+returned by locks_inode(file).
+
+Many places in nfsd/lockd code use the inode returned by
+file_inode(file) for lock manipulation. With Overlayfs, file_inode()
+(the underlying inode) is not the same object as locks_inode() (the
+overlay inode). This can result in "Leaked POSIX lock" messages
+and eventually to a kernel crash as reported by Eddie Horng:
+https://marc.info/?l=linux-unionfs&m=153086643202072&w=2
+
+Fix all the call sites in nfsd/lockd that should use locks_inode().
+This is a correctness bug that manifested when overlayfs gained
+NFS export support in v4.16.
+
+Reported-by: Eddie Horng <eddiehorng.tw@gmail.com>
+Tested-by: Eddie Horng <eddiehorng.tw@gmail.com>
+Cc: Jeff Layton <jlayton@kernel.org>
+Fixes: 8383f1748829 ("ovl: wire up NFS export operations")
+Cc: stable@vger.kernel.org
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/lockd/clntlock.c | 2 +-
+ fs/lockd/clntproc.c | 2 +-
+ fs/lockd/svclock.c | 16 ++++++++--------
+ fs/lockd/svcsubs.c | 4 ++--
+ fs/nfsd/nfs4state.c | 2 +-
+ include/linux/lockd/lockd.h | 4 ++--
+ 6 files changed, 15 insertions(+), 15 deletions(-)
+
+--- a/fs/lockd/clntlock.c
++++ b/fs/lockd/clntlock.c
+@@ -187,7 +187,7 @@ __be32 nlmclnt_grant(const struct sockad
+ continue;
+ if (!rpc_cmp_addr(nlm_addr(block->b_host), addr))
+ continue;
+- if (nfs_compare_fh(NFS_FH(file_inode(fl_blocked->fl_file)) ,fh) != 0)
++ if (nfs_compare_fh(NFS_FH(locks_inode(fl_blocked->fl_file)), fh) != 0)
+ continue;
+ /* Alright, we found a lock. Set the return status
+ * and wake up the caller
+--- a/fs/lockd/clntproc.c
++++ b/fs/lockd/clntproc.c
+@@ -128,7 +128,7 @@ static void nlmclnt_setlockargs(struct n
+ char *nodename = req->a_host->h_rpcclnt->cl_nodename;
+
+ nlmclnt_next_cookie(&argp->cookie);
+- memcpy(&lock->fh, NFS_FH(file_inode(fl->fl_file)), sizeof(struct nfs_fh));
++ memcpy(&lock->fh, NFS_FH(locks_inode(fl->fl_file)), sizeof(struct nfs_fh));
+ lock->caller = nodename;
+ lock->oh.data = req->a_owner;
+ lock->oh.len = snprintf(req->a_owner, sizeof(req->a_owner), "%u@%s",
+--- a/fs/lockd/svclock.c
++++ b/fs/lockd/svclock.c
+@@ -405,8 +405,8 @@ nlmsvc_lock(struct svc_rqst *rqstp, stru
+ __be32 ret;
+
+ dprintk("lockd: nlmsvc_lock(%s/%ld, ty=%d, pi=%d, %Ld-%Ld, bl=%d)\n",
+- file_inode(file->f_file)->i_sb->s_id,
+- file_inode(file->f_file)->i_ino,
++ locks_inode(file->f_file)->i_sb->s_id,
++ locks_inode(file->f_file)->i_ino,
+ lock->fl.fl_type, lock->fl.fl_pid,
+ (long long)lock->fl.fl_start,
+ (long long)lock->fl.fl_end,
+@@ -511,8 +511,8 @@ nlmsvc_testlock(struct svc_rqst *rqstp,
+ __be32 ret;
+
+ dprintk("lockd: nlmsvc_testlock(%s/%ld, ty=%d, %Ld-%Ld)\n",
+- file_inode(file->f_file)->i_sb->s_id,
+- file_inode(file->f_file)->i_ino,
++ locks_inode(file->f_file)->i_sb->s_id,
++ locks_inode(file->f_file)->i_ino,
+ lock->fl.fl_type,
+ (long long)lock->fl.fl_start,
+ (long long)lock->fl.fl_end);
+@@ -566,8 +566,8 @@ nlmsvc_unlock(struct net *net, struct nl
+ int error;
+
+ dprintk("lockd: nlmsvc_unlock(%s/%ld, pi=%d, %Ld-%Ld)\n",
+- file_inode(file->f_file)->i_sb->s_id,
+- file_inode(file->f_file)->i_ino,
++ locks_inode(file->f_file)->i_sb->s_id,
++ locks_inode(file->f_file)->i_ino,
+ lock->fl.fl_pid,
+ (long long)lock->fl.fl_start,
+ (long long)lock->fl.fl_end);
+@@ -595,8 +595,8 @@ nlmsvc_cancel_blocked(struct net *net, s
+ int status = 0;
+
+ dprintk("lockd: nlmsvc_cancel(%s/%ld, pi=%d, %Ld-%Ld)\n",
+- file_inode(file->f_file)->i_sb->s_id,
+- file_inode(file->f_file)->i_ino,
++ locks_inode(file->f_file)->i_sb->s_id,
++ locks_inode(file->f_file)->i_ino,
+ lock->fl.fl_pid,
+ (long long)lock->fl.fl_start,
+ (long long)lock->fl.fl_end);
+--- a/fs/lockd/svcsubs.c
++++ b/fs/lockd/svcsubs.c
+@@ -44,7 +44,7 @@ static inline void nlm_debug_print_fh(ch
+
+ static inline void nlm_debug_print_file(char *msg, struct nlm_file *file)
+ {
+- struct inode *inode = file_inode(file->f_file);
++ struct inode *inode = locks_inode(file->f_file);
+
+ dprintk("lockd: %s %s/%ld\n",
+ msg, inode->i_sb->s_id, inode->i_ino);
+@@ -414,7 +414,7 @@ nlmsvc_match_sb(void *datap, struct nlm_
+ {
+ struct super_block *sb = datap;
+
+- return sb == file_inode(file->f_file)->i_sb;
++ return sb == locks_inode(file->f_file)->i_sb;
+ }
+
+ /**
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -6293,7 +6293,7 @@ check_for_locks(struct nfs4_file *fp, st
+ return status;
+ }
+
+- inode = file_inode(filp);
++ inode = locks_inode(filp);
+ flctx = inode->i_flctx;
+
+ if (flctx && !list_empty_careful(&flctx->flc_posix)) {
+--- a/include/linux/lockd/lockd.h
++++ b/include/linux/lockd/lockd.h
+@@ -299,7 +299,7 @@ int nlmsvc_unlock_all_by_ip(st
+
+ static inline struct inode *nlmsvc_file_inode(struct nlm_file *file)
+ {
+- return file_inode(file->f_file);
++ return locks_inode(file->f_file);
+ }
+
+ static inline int __nlm_privileged_request4(const struct sockaddr *sap)
+@@ -359,7 +359,7 @@ static inline int nlm_privileged_request
+ static inline int nlm_compare_locks(const struct file_lock *fl1,
+ const struct file_lock *fl2)
+ {
+- return file_inode(fl1->fl_file) == file_inode(fl2->fl_file)
++ return locks_inode(fl1->fl_file) == locks_inode(fl2->fl_file)
+ && fl1->fl_pid == fl2->fl_pid
+ && fl1->fl_owner == fl2->fl_owner
+ && fl1->fl_start == fl2->fl_start
--- /dev/null
+From 0f90be132cbf1537d87a6a8b9e80867adac892f6 Mon Sep 17 00:00:00 2001
+From: Bill Baker <Bill.Baker@Oracle.com>
+Date: Tue, 19 Jun 2018 16:24:58 -0500
+Subject: NFSv4 client live hangs after live data migration recovery
+
+From: Bill Baker <Bill.Baker@Oracle.com>
+
+commit 0f90be132cbf1537d87a6a8b9e80867adac892f6 upstream.
+
+After a live data migration event at the NFS server, the client may send
+I/O requests to the wrong server, causing a live hang due to repeated
+recovery events. On the wire, this will appear as an I/O request failing
+with NFS4ERR_BADSESSION, followed by successful CREATE_SESSION, repeatedly.
+NFS4ERR_BADSSESSION is returned because the session ID being used was
+issued by the other server and is not valid at the old server.
+
+The failure is caused by async worker threads having cached the transport
+(xprt) in the rpc_task structure. After the migration recovery completes,
+the task is redispatched and the task resends the request to the wrong
+server based on the old value still present in tk_xprt.
+
+The solution is to recompute the tk_xprt field of the rpc_task structure
+so that the request goes to the correct server.
+
+Signed-off-by: Bill Baker <bill.baker@oracle.com>
+Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
+Tested-by: Helen Chao <helen.chao@oracle.com>
+Fixes: fb43d17210ba ("SUNRPC: Use the multipath iterator to assign a ...")
+Cc: stable@vger.kernel.org # v4.9+
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c | 9 ++++++++-
+ include/linux/sunrpc/clnt.h | 1 +
+ net/sunrpc/clnt.c | 28 ++++++++++++++++++++--------
+ 3 files changed, 29 insertions(+), 9 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -581,8 +581,15 @@ nfs4_async_handle_exception(struct rpc_t
+ ret = -EIO;
+ return ret;
+ out_retry:
+- if (ret == 0)
++ if (ret == 0) {
+ exception->retry = 1;
++ /*
++ * For NFS4ERR_MOVED, the client transport will need to
++ * be recomputed after migration recovery has completed.
++ */
++ if (errorcode == -NFS4ERR_MOVED)
++ rpc_task_release_transport(task);
++ }
+ return ret;
+ }
+
+--- a/include/linux/sunrpc/clnt.h
++++ b/include/linux/sunrpc/clnt.h
+@@ -156,6 +156,7 @@ int rpc_switch_client_transport(struct
+
+ void rpc_shutdown_client(struct rpc_clnt *);
+ void rpc_release_client(struct rpc_clnt *);
++void rpc_task_release_transport(struct rpc_task *);
+ void rpc_task_release_client(struct rpc_task *);
+
+ int rpcb_create_local(struct net *);
+--- a/net/sunrpc/clnt.c
++++ b/net/sunrpc/clnt.c
+@@ -965,10 +965,20 @@ out:
+ }
+ EXPORT_SYMBOL_GPL(rpc_bind_new_program);
+
++void rpc_task_release_transport(struct rpc_task *task)
++{
++ struct rpc_xprt *xprt = task->tk_xprt;
++
++ if (xprt) {
++ task->tk_xprt = NULL;
++ xprt_put(xprt);
++ }
++}
++EXPORT_SYMBOL_GPL(rpc_task_release_transport);
++
+ void rpc_task_release_client(struct rpc_task *task)
+ {
+ struct rpc_clnt *clnt = task->tk_client;
+- struct rpc_xprt *xprt = task->tk_xprt;
+
+ if (clnt != NULL) {
+ /* Remove from client task list */
+@@ -979,12 +989,14 @@ void rpc_task_release_client(struct rpc_
+
+ rpc_release_client(clnt);
+ }
++ rpc_task_release_transport(task);
++}
+
+- if (xprt != NULL) {
+- task->tk_xprt = NULL;
+-
+- xprt_put(xprt);
+- }
++static
++void rpc_task_set_transport(struct rpc_task *task, struct rpc_clnt *clnt)
++{
++ if (!task->tk_xprt)
++ task->tk_xprt = xprt_iter_get_next(&clnt->cl_xpi);
+ }
+
+ static
+@@ -992,8 +1004,7 @@ void rpc_task_set_client(struct rpc_task
+ {
+
+ if (clnt != NULL) {
+- if (task->tk_xprt == NULL)
+- task->tk_xprt = xprt_iter_get_next(&clnt->cl_xpi);
++ rpc_task_set_transport(task, clnt);
+ task->tk_client = clnt;
+ atomic_inc(&clnt->cl_count);
+ if (clnt->cl_softrtry)
+@@ -1512,6 +1523,7 @@ call_start(struct rpc_task *task)
+ clnt->cl_program->version[clnt->cl_vers]->counts[idx]++;
+ clnt->cl_stats->rpccnt++;
+ task->tk_action = call_reserve;
++ rpc_task_set_transport(task, clnt);
+ }
+
+ /*
--- /dev/null
+From 8618289c46556fd4dd259a1af02ccc448032f48d Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trondmy@gmail.com>
+Date: Tue, 14 Aug 2018 17:55:56 -0400
+Subject: NFSv4: Fix a sleep in atomic context in nfs4_callback_sequence()
+
+From: Trond Myklebust <trondmy@gmail.com>
+
+commit 8618289c46556fd4dd259a1af02ccc448032f48d upstream.
+
+We must drop the lock before we can sleep in referring_call_exists().
+
+Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Fixes: 045d2a6d076a ("NFSv4.1: Delay callback processing...")
+Cc: stable@vger.kernel.org # v4.9+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/callback_proc.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/callback_proc.c
++++ b/fs/nfs/callback_proc.c
+@@ -441,11 +441,14 @@ validate_seqid(const struct nfs4_slot_ta
+ * a match. If the slot is in use and the sequence numbers match, the
+ * client is still waiting for a response to the original request.
+ */
+-static bool referring_call_exists(struct nfs_client *clp,
++static int referring_call_exists(struct nfs_client *clp,
+ uint32_t nrclists,
+- struct referring_call_list *rclists)
++ struct referring_call_list *rclists,
++ spinlock_t *lock)
++ __releases(lock)
++ __acquires(lock)
+ {
+- bool status = false;
++ int status = 0;
+ int i, j;
+ struct nfs4_session *session;
+ struct nfs4_slot_table *tbl;
+@@ -468,8 +471,10 @@ static bool referring_call_exists(struct
+
+ for (j = 0; j < rclist->rcl_nrefcalls; j++) {
+ ref = &rclist->rcl_refcalls[j];
++ spin_unlock(lock);
+ status = nfs4_slot_wait_on_seqid(tbl, ref->rc_slotid,
+ ref->rc_sequenceid, HZ >> 1) < 0;
++ spin_lock(lock);
+ if (status)
+ goto out;
+ }
+@@ -546,7 +551,8 @@ __be32 nfs4_callback_sequence(void *argp
+ * related callback was received before the response to the original
+ * call.
+ */
+- if (referring_call_exists(clp, args->csa_nrclists, args->csa_rclists)) {
++ if (referring_call_exists(clp, args->csa_nrclists, args->csa_rclists,
++ &tbl->slot_tbl_lock) < 0) {
+ status = htonl(NFS4ERR_DELAY);
+ goto out_unlock;
+ }
--- /dev/null
+From d0fbb1d8a194c0ec0180c1d073ad709e45503a43 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trondmy@gmail.com>
+Date: Tue, 14 Aug 2018 17:25:37 -0400
+Subject: NFSv4: Fix locking in pnfs_generic_recover_commit_reqs
+
+From: Trond Myklebust <trondmy@gmail.com>
+
+commit d0fbb1d8a194c0ec0180c1d073ad709e45503a43 upstream.
+
+The use of the inode->i_lock was converted to a mutex, but we forgot
+to remove the old inode unlock/lock() pair that allowed the layout
+segment to be put inside the loop.
+
+Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Fixes: e824f99adaaf1 ("NFSv4: Use a mutex to protect the per-inode commit...")
+Cc: stable@vger.kernel.org # v4.14+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pnfs_nfs.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/fs/nfs/pnfs_nfs.c
++++ b/fs/nfs/pnfs_nfs.c
+@@ -61,7 +61,7 @@ EXPORT_SYMBOL_GPL(pnfs_generic_commit_re
+
+ /* The generic layer is about to remove the req from the commit list.
+ * If this will make the bucket empty, it will need to put the lseg reference.
+- * Note this must be called holding i_lock
++ * Note this must be called holding nfsi->commit_mutex
+ */
+ void
+ pnfs_generic_clear_request_commit(struct nfs_page *req,
+@@ -149,9 +149,7 @@ restart:
+ if (list_empty(&b->written)) {
+ freeme = b->wlseg;
+ b->wlseg = NULL;
+- spin_unlock(&cinfo->inode->i_lock);
+ pnfs_put_lseg(freeme);
+- spin_lock(&cinfo->inode->i_lock);
+ goto restart;
+ }
+ }
+@@ -167,7 +165,7 @@ static void pnfs_generic_retry_commit(st
+ LIST_HEAD(pages);
+ int i;
+
+- spin_lock(&cinfo->inode->i_lock);
++ mutex_lock(&NFS_I(cinfo->inode)->commit_mutex);
+ for (i = idx; i < fl_cinfo->nbuckets; i++) {
+ bucket = &fl_cinfo->buckets[i];
+ if (list_empty(&bucket->committing))
+@@ -177,12 +175,12 @@ static void pnfs_generic_retry_commit(st
+ list_for_each(pos, &bucket->committing)
+ cinfo->ds->ncommitting--;
+ list_splice_init(&bucket->committing, &pages);
+- spin_unlock(&cinfo->inode->i_lock);
++ mutex_unlock(&NFS_I(cinfo->inode)->commit_mutex);
+ nfs_retry_commit(&pages, freeme, cinfo, i);
+ pnfs_put_lseg(freeme);
+- spin_lock(&cinfo->inode->i_lock);
++ mutex_lock(&NFS_I(cinfo->inode)->commit_mutex);
+ }
+- spin_unlock(&cinfo->inode->i_lock);
++ mutex_unlock(&NFS_I(cinfo->inode)->commit_mutex);
+ }
+
+ static unsigned int
+@@ -222,13 +220,13 @@ void pnfs_fetch_commit_bucket_list(struc
+ struct list_head *pos;
+
+ bucket = &cinfo->ds->buckets[data->ds_commit_index];
+- spin_lock(&cinfo->inode->i_lock);
++ mutex_lock(&NFS_I(cinfo->inode)->commit_mutex);
+ list_for_each(pos, &bucket->committing)
+ cinfo->ds->ncommitting--;
+ list_splice_init(&bucket->committing, pages);
+ data->lseg = bucket->clseg;
+ bucket->clseg = NULL;
+- spin_unlock(&cinfo->inode->i_lock);
++ mutex_unlock(&NFS_I(cinfo->inode)->commit_mutex);
+
+ }
+
--- /dev/null
+From 3df6f61fff49632492490fb6e42646b803a9958a Mon Sep 17 00:00:00 2001
+From: "zhangyi (F)" <yi.zhang@huawei.com>
+Date: Tue, 14 Aug 2018 10:34:42 +0800
+Subject: PM / sleep: wakeup: Fix build error caused by missing SRCU support
+
+From: zhangyi (F) <yi.zhang@huawei.com>
+
+commit 3df6f61fff49632492490fb6e42646b803a9958a upstream.
+
+Commit ea0212f40c6 (power: auto select CONFIG_SRCU) made the code in
+drivers/base/power/wakeup.c use SRCU instead of RCU, but it forgot to
+select CONFIG_SRCU in Kconfig, which leads to the following build
+error if CONFIG_SRCU is not selected somewhere else:
+
+drivers/built-in.o: In function `wakeup_source_remove':
+(.text+0x3c6fc): undefined reference to `synchronize_srcu'
+drivers/built-in.o: In function `pm_print_active_wakeup_sources':
+(.text+0x3c7a8): undefined reference to `__srcu_read_lock'
+drivers/built-in.o: In function `pm_print_active_wakeup_sources':
+(.text+0x3c84c): undefined reference to `__srcu_read_unlock'
+drivers/built-in.o: In function `device_wakeup_arm_wake_irqs':
+(.text+0x3d1d8): undefined reference to `__srcu_read_lock'
+drivers/built-in.o: In function `device_wakeup_arm_wake_irqs':
+(.text+0x3d228): undefined reference to `__srcu_read_unlock'
+drivers/built-in.o: In function `device_wakeup_disarm_wake_irqs':
+(.text+0x3d24c): undefined reference to `__srcu_read_lock'
+drivers/built-in.o: In function `device_wakeup_disarm_wake_irqs':
+(.text+0x3d29c): undefined reference to `__srcu_read_unlock'
+drivers/built-in.o:(.data+0x4158): undefined reference to `process_srcu'
+
+Fix this error by selecting CONFIG_SRCU when PM_SLEEP is enabled.
+
+Fixes: ea0212f40c6 (power: auto select CONFIG_SRCU)
+Cc: 4.2+ <stable@vger.kernel.org> # 4.2+
+Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
+[ rjw: Minor subject/changelog fixups ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/power/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/power/Kconfig
++++ b/kernel/power/Kconfig
+@@ -105,6 +105,7 @@ config PM_SLEEP
+ def_bool y
+ depends on SUSPEND || HIBERNATE_CALLBACKS
+ select PM
++ select SRCU
+
+ config PM_SLEEP_SMP
+ def_bool y
--- /dev/null
+From 0914bb965e38a055e9245637aed117efbe976e91 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Jul 2018 12:59:58 +0300
+Subject: pnfs/blocklayout: off by one in bl_map_stripe()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 0914bb965e38a055e9245637aed117efbe976e91 upstream.
+
+"dev->nr_children" is the number of children which were parsed
+successfully in bl_parse_stripe(). It could be all of them and then, in
+that case, it is equal to v->stripe.volumes_count. Either way, the >
+should be >= so that we don't go beyond the end of what we're supposed
+to.
+
+Fixes: 5c83746a0cf2 ("pnfs/blocklayout: in-kernel GETDEVICEINFO XDR parsing")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Cc: stable@vger.kernel.org # 3.17+
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/blocklayout/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/blocklayout/dev.c
++++ b/fs/nfs/blocklayout/dev.c
+@@ -204,7 +204,7 @@ static bool bl_map_stripe(struct pnfs_bl
+ chunk = div_u64(offset, dev->chunk_size);
+ div_u64_rem(chunk, dev->nr_children, &chunk_idx);
+
+- if (chunk_idx > dev->nr_children) {
++ if (chunk_idx >= dev->nr_children) {
+ dprintk("%s: invalid chunk idx %d (%lld/%lld)\n",
+ __func__, chunk_idx, offset, dev->chunk_size);
+ /* error, should not happen */
--- /dev/null
+From 7059b36636beab57c3c43c62104483e5449bee95 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Thu, 9 Aug 2018 19:08:34 +0200
+Subject: sched: idle: Avoid retaining the tick when it has been stopped
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit 7059b36636beab57c3c43c62104483e5449bee95 upstream.
+
+If the tick has been stopped already, but the governor has not asked to
+stop it (which it can do sometimes), the idle loop should invoke
+tick_nohz_idle_stop_tick(), to let tick_nohz_stop_tick() take care
+of this case properly.
+
+Fixes: 554c8aa8ecad (sched: idle: Select idle state before stopping the tick)
+Cc: 4.17+ <stable@vger.kernel.org> # 4.17+
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/idle.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/sched/idle.c
++++ b/kernel/sched/idle.c
+@@ -190,7 +190,7 @@ static void cpuidle_idle_call(void)
+ */
+ next_state = cpuidle_select(drv, dev, &stop_tick);
+
+- if (stop_tick)
++ if (stop_tick || tick_nohz_tick_stopped())
+ tick_nohz_idle_stop_tick();
+ else
+ tick_nohz_idle_retain_tick();
uprobes-use-synchronize_rcu-not-synchronize_sched.patch
mfd-hi655x-fix-regmap-area-declared-size-for-hi655x.patch
ovl-fix-wrong-use-of-impure-dir-cache-in-ovl_iterate.patch
+acpica-aml-parser-skip-opcodes-that-open-a-scope-upon-parse-failure.patch
+acpica-clear-status-of-all-events-when-entering-sleep-states.patch
+drivers-block-zram-zram_drv.c-fix-bug-storing-backing_dev.patch
+sched-idle-avoid-retaining-the-tick-when-it-has-been-stopped.patch
+cpuidle-menu-handle-stopped-tick-more-aggressively.patch
+cpufreq-governor-avoid-accessing-invalid-governor_data.patch
+pm-sleep-wakeup-fix-build-error-caused-by-missing-srcu-support.patch
+alsa-ac97-fix-device-initialization-in-the-compat-layer.patch
+alsa-ac97-fix-check-of-pm_runtime_get_sync-failure.patch
+alsa-ac97-fix-unbalanced-pm_runtime_enable.patch
+i2c-designware-re-init-controllers-with-pm_disabled-set-on-resume.patch
+kvm-vmx-fixes-for-vmentry_l1d_flush-module-parameter.patch
+kvm-ppc-book3s-fix-guest-dma-when-guest-partially-backed-by-thp-pages.patch
+xtensa-limit-offsets-in-__loop_cache_-all-page.patch
+xtensa-increase-ranges-in-___invalidate_-i-d-cache_all.patch
+block-bfq-return-nbytes-and-not-zero-from-struct-cftype-.write-method.patch
+pnfs-blocklayout-off-by-one-in-bl_map_stripe.patch
+nfsd-fix-leaked-file-lock-with-nfs-exported-overlayfs.patch
+nfsv4-client-live-hangs-after-live-data-migration-recovery.patch
+nfsv4-fix-locking-in-pnfs_generic_recover_commit_reqs.patch
+nfsv4-fix-a-sleep-in-atomic-context-in-nfs4_callback_sequence.patch
+arm-tegra-fix-tegra30-cardhu-pca954x-reset.patch
+arm-dts-am57xx-idk-enable-dual-role-for-usb2-port.patch
--- /dev/null
+From fec3259c9f747c039f90e99570540114c8d81a14 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Fri, 10 Aug 2018 22:21:22 -0700
+Subject: xtensa: increase ranges in ___invalidate_{i,d}cache_all
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+commit fec3259c9f747c039f90e99570540114c8d81a14 upstream.
+
+Cache invalidation macros use cache line size to iterate over
+invalidated cache lines, assuming that all cache ways are invalidated by
+single instruction, but xtensa ISA recommends to not assume that for
+future compatibility:
+ In some implementations all ways at index Addry-1..z are invalidated
+ regardless of the specified way, but for future compatibility this
+ behavior should not be assumed.
+
+Iterate over all cache ways in ___invalidate_icache_all and
+___invalidate_dcache_all.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/xtensa/include/asm/cacheasm.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/xtensa/include/asm/cacheasm.h
++++ b/arch/xtensa/include/asm/cacheasm.h
+@@ -123,7 +123,7 @@
+ .macro ___invalidate_dcache_all ar at
+
+ #if XCHAL_DCACHE_SIZE
+- __loop_cache_all \ar \at dii __stringify(DCACHE_WAY_SIZE) \
++ __loop_cache_all \ar \at dii XCHAL_DCACHE_SIZE \
+ XCHAL_DCACHE_LINEWIDTH 1020
+ #endif
+
+@@ -133,7 +133,7 @@
+ .macro ___invalidate_icache_all ar at
+
+ #if XCHAL_ICACHE_SIZE
+- __loop_cache_all \ar \at iii __stringify(ICACHE_WAY_SIZE) \
++ __loop_cache_all \ar \at iii XCHAL_ICACHE_SIZE \
+ XCHAL_ICACHE_LINEWIDTH 1020
+ #endif
+
--- /dev/null
+From be75de25251f7cf3e399ca1f584716a95510d24a Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Fri, 10 Aug 2018 20:43:48 -0700
+Subject: xtensa: limit offsets in __loop_cache_{all,page}
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+commit be75de25251f7cf3e399ca1f584716a95510d24a upstream.
+
+When building kernel for xtensa cores with big cache lines (e.g. 128
+bytes or more) __loop_cache_all and __loop_cache_page may generate
+assembly instructions with immediate fields that are too big. This
+results in the following build errors:
+
+ arch/xtensa/mm/misc.S: Assembler messages:
+ arch/xtensa/mm/misc.S:464: Error: operand 2 of 'diwbi' has invalid value '256'
+ arch/xtensa/mm/misc.S:464: Error: operand 2 of 'diwbi' has invalid value '384'
+ arch/xtensa/kernel/head.S: Assembler messages:
+ arch/xtensa/kernel/head.S:172: Error: operand 2 of 'diu' has invalid value '256'
+ arch/xtensa/kernel/head.S:172: Error: operand 2 of 'diu' has invalid value '384'
+ arch/xtensa/kernel/head.S:176: Error: operand 2 of 'iiu' has invalid value '256'
+ arch/xtensa/kernel/head.S:176: Error: operand 2 of 'iiu' has invalid value '384'
+ arch/xtensa/kernel/head.S:255: Error: operand 2 of 'diwb' has invalid value '256'
+ arch/xtensa/kernel/head.S:255: Error: operand 2 of 'diwb' has invalid value '384'
+
+Add parameter max_immed to these macros and use it to limit values of
+immediate operands. Extract common code of these macros into the new
+macro __loop_cache_unroll.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/xtensa/include/asm/cacheasm.h | 65 ++++++++++++++++++++++---------------
+ 1 file changed, 40 insertions(+), 25 deletions(-)
+
+--- a/arch/xtensa/include/asm/cacheasm.h
++++ b/arch/xtensa/include/asm/cacheasm.h
+@@ -31,16 +31,32 @@
+ *
+ */
+
+- .macro __loop_cache_all ar at insn size line_width
+
+- movi \ar, 0
++ .macro __loop_cache_unroll ar at insn size line_width max_immed
++
++ .if (1 << (\line_width)) > (\max_immed)
++ .set _reps, 1
++ .elseif (2 << (\line_width)) > (\max_immed)
++ .set _reps, 2
++ .else
++ .set _reps, 4
++ .endif
++
++ __loopi \ar, \at, \size, (_reps << (\line_width))
++ .set _index, 0
++ .rep _reps
++ \insn \ar, _index << (\line_width)
++ .set _index, _index + 1
++ .endr
++ __endla \ar, \at, _reps << (\line_width)
++
++ .endm
++
+
+- __loopi \ar, \at, \size, (4 << (\line_width))
+- \insn \ar, 0 << (\line_width)
+- \insn \ar, 1 << (\line_width)
+- \insn \ar, 2 << (\line_width)
+- \insn \ar, 3 << (\line_width)
+- __endla \ar, \at, 4 << (\line_width)
++ .macro __loop_cache_all ar at insn size line_width max_immed
++
++ movi \ar, 0
++ __loop_cache_unroll \ar, \at, \insn, \size, \line_width, \max_immed
+
+ .endm
+
+@@ -57,14 +73,9 @@
+ .endm
+
+
+- .macro __loop_cache_page ar at insn line_width
++ .macro __loop_cache_page ar at insn line_width max_immed
+
+- __loopi \ar, \at, PAGE_SIZE, 4 << (\line_width)
+- \insn \ar, 0 << (\line_width)
+- \insn \ar, 1 << (\line_width)
+- \insn \ar, 2 << (\line_width)
+- \insn \ar, 3 << (\line_width)
+- __endla \ar, \at, 4 << (\line_width)
++ __loop_cache_unroll \ar, \at, \insn, PAGE_SIZE, \line_width, \max_immed
+
+ .endm
+
+@@ -72,7 +83,8 @@
+ .macro ___unlock_dcache_all ar at
+
+ #if XCHAL_DCACHE_LINE_LOCKABLE && XCHAL_DCACHE_SIZE
+- __loop_cache_all \ar \at diu XCHAL_DCACHE_SIZE XCHAL_DCACHE_LINEWIDTH
++ __loop_cache_all \ar \at diu XCHAL_DCACHE_SIZE \
++ XCHAL_DCACHE_LINEWIDTH 240
+ #endif
+
+ .endm
+@@ -81,7 +93,8 @@
+ .macro ___unlock_icache_all ar at
+
+ #if XCHAL_ICACHE_LINE_LOCKABLE && XCHAL_ICACHE_SIZE
+- __loop_cache_all \ar \at iiu XCHAL_ICACHE_SIZE XCHAL_ICACHE_LINEWIDTH
++ __loop_cache_all \ar \at iiu XCHAL_ICACHE_SIZE \
++ XCHAL_ICACHE_LINEWIDTH 240
+ #endif
+
+ .endm
+@@ -90,7 +103,8 @@
+ .macro ___flush_invalidate_dcache_all ar at
+
+ #if XCHAL_DCACHE_SIZE
+- __loop_cache_all \ar \at diwbi XCHAL_DCACHE_SIZE XCHAL_DCACHE_LINEWIDTH
++ __loop_cache_all \ar \at diwbi XCHAL_DCACHE_SIZE \
++ XCHAL_DCACHE_LINEWIDTH 240
+ #endif
+
+ .endm
+@@ -99,7 +113,8 @@
+ .macro ___flush_dcache_all ar at
+
+ #if XCHAL_DCACHE_SIZE
+- __loop_cache_all \ar \at diwb XCHAL_DCACHE_SIZE XCHAL_DCACHE_LINEWIDTH
++ __loop_cache_all \ar \at diwb XCHAL_DCACHE_SIZE \
++ XCHAL_DCACHE_LINEWIDTH 240
+ #endif
+
+ .endm
+@@ -109,7 +124,7 @@
+
+ #if XCHAL_DCACHE_SIZE
+ __loop_cache_all \ar \at dii __stringify(DCACHE_WAY_SIZE) \
+- XCHAL_DCACHE_LINEWIDTH
++ XCHAL_DCACHE_LINEWIDTH 1020
+ #endif
+
+ .endm
+@@ -119,7 +134,7 @@
+
+ #if XCHAL_ICACHE_SIZE
+ __loop_cache_all \ar \at iii __stringify(ICACHE_WAY_SIZE) \
+- XCHAL_ICACHE_LINEWIDTH
++ XCHAL_ICACHE_LINEWIDTH 1020
+ #endif
+
+ .endm
+@@ -166,7 +181,7 @@
+ .macro ___flush_invalidate_dcache_page ar as
+
+ #if XCHAL_DCACHE_SIZE
+- __loop_cache_page \ar \as dhwbi XCHAL_DCACHE_LINEWIDTH
++ __loop_cache_page \ar \as dhwbi XCHAL_DCACHE_LINEWIDTH 1020
+ #endif
+
+ .endm
+@@ -175,7 +190,7 @@
+ .macro ___flush_dcache_page ar as
+
+ #if XCHAL_DCACHE_SIZE
+- __loop_cache_page \ar \as dhwb XCHAL_DCACHE_LINEWIDTH
++ __loop_cache_page \ar \as dhwb XCHAL_DCACHE_LINEWIDTH 1020
+ #endif
+
+ .endm
+@@ -184,7 +199,7 @@
+ .macro ___invalidate_dcache_page ar as
+
+ #if XCHAL_DCACHE_SIZE
+- __loop_cache_page \ar \as dhi XCHAL_DCACHE_LINEWIDTH
++ __loop_cache_page \ar \as dhi XCHAL_DCACHE_LINEWIDTH 1020
+ #endif
+
+ .endm
+@@ -193,7 +208,7 @@
+ .macro ___invalidate_icache_page ar as
+
+ #if XCHAL_ICACHE_SIZE
+- __loop_cache_page \ar \as ihi XCHAL_ICACHE_LINEWIDTH
++ __loop_cache_page \ar \as ihi XCHAL_ICACHE_LINEWIDTH 1020
+ #endif
+
+ .endm
projects / thirdparty / kernel / stable-queue.git / commitdiff
