4.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 20 Feb 2018 11:09:42 +0000 (12:09 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 20 Feb 2018 11:09:42 +0000 (12:09 +0100)
added patches:
arm64-add-missing-falkor-part-number-for-branch-predictor-hardening.patch
console-dummy-leave-.con_font_get-set-to-null.patch
drm-amd-powerplay-fix-smu_table_entry.handle-type.patch
drm-ast-load-lut-in-crtc_commit.patch
drm-check-for-lessee-in-drop_master-ioctl.patch
drm-qxl-reapply-cursor-after-resetting-primary.patch
drm-qxl-unref-cursor-bo-when-finished-with-it.patch
drm-radeon-add-dpm-quirk-for-jet-pro-v2.patch
drm-radeon-adjust-tested-variable.patch
drm-ttm-don-t-add-swapped-bos-to-swap-lru-list.patch
drm-ttm-fix-buf-pointer-update-in-ttm_bo_vm_access_kmap-v2.patch
ext4-correct-documentation-for-grpid-mount-option.patch
ext4-fix-a-race-in-the-ext4-shutdown-path.patch
ext4-save-error-to-disk-in-__ext4_grp_locked_error.patch
jbd2-fix-sphinx-kernel-doc-build-warnings.patch
mbcache-initialize-entry-e_referenced-in-mb_cache_entry_create.patch
mips-cps-fix-mips_isa_level_raw-fallout.patch
mips-fix-incorrect-mem-x-y-handling.patch
mips-fix-typo-big_endian-to-cpu_big_endian.patch
mlx5-fix-mlx5_get_vector_affinity-to-start-from-completion-vector-0.patch
mm-fix-memory-size-alignment-in-devm_memremap_pages_release.patch
mm-hide-a-warning-for-compile_test.patch
mmc-bcm2835-don-t-overwrite-max-frequency-unconditionally.patch
mmc-sdhci-implement-an-sdhci-specific-bounce-buffer.patch
mpls-nospec-sanitize-array-index-in-mpls_label_ok.patch
pci-disable-msi-for-hisilicon-hip06-hip07-only-in-root-port-mode.patch
pci-iproc-fix-null-pointer-dereference-for-bcma.patch
pci-keystone-fix-interrupt-controller-node-lookup.patch
pci-pciehp-assume-nocompl-for-thunderbolt-ports.patch
rbd-whitelist-rbd_feature_operations-feature-bit.patch
revert-apple-gmux-lock-igp-io-to-protect-from-vgaarb-changes.patch
revert-mmc-meson-gx-include-tx-phase-in-the-tuning-process.patch
rtc-opal-fix-handling-of-firmware-error-codes-prevent-busy-loops.patch
seq_file-fix-incomplete-reset-on-read-from-zero-offset.patch
tracing-fix-parsing-of-globs-with-a-wildcard-at-the-beginning.patch
video-fbdev-atmel_lcdfb-fix-display-timings-lookup.patch
x86-smpboot-fix-uncore_pci_remove-indexing-bug-when-hot-removing-a-physical-cpu.patch
xen-fix-set-clear-_foreign_p2m_mapping-on-autotranslating-guests.patch
xenbus-track-caller-request-id.patch

40 files changed:
queue-4.15/arm64-add-missing-falkor-part-number-for-branch-predictor-hardening.patch [new file with mode: 0644]
queue-4.15/console-dummy-leave-.con_font_get-set-to-null.patch [new file with mode: 0644]
queue-4.15/drm-amd-powerplay-fix-smu_table_entry.handle-type.patch [new file with mode: 0644]
queue-4.15/drm-ast-load-lut-in-crtc_commit.patch [new file with mode: 0644]
queue-4.15/drm-check-for-lessee-in-drop_master-ioctl.patch [new file with mode: 0644]
queue-4.15/drm-qxl-reapply-cursor-after-resetting-primary.patch [new file with mode: 0644]
queue-4.15/drm-qxl-unref-cursor-bo-when-finished-with-it.patch [new file with mode: 0644]
queue-4.15/drm-radeon-add-dpm-quirk-for-jet-pro-v2.patch [new file with mode: 0644]
queue-4.15/drm-radeon-adjust-tested-variable.patch [new file with mode: 0644]
queue-4.15/drm-ttm-don-t-add-swapped-bos-to-swap-lru-list.patch [new file with mode: 0644]
queue-4.15/drm-ttm-fix-buf-pointer-update-in-ttm_bo_vm_access_kmap-v2.patch [new file with mode: 0644]
queue-4.15/ext4-correct-documentation-for-grpid-mount-option.patch [new file with mode: 0644]
queue-4.15/ext4-fix-a-race-in-the-ext4-shutdown-path.patch [new file with mode: 0644]
queue-4.15/ext4-save-error-to-disk-in-__ext4_grp_locked_error.patch [new file with mode: 0644]
queue-4.15/jbd2-fix-sphinx-kernel-doc-build-warnings.patch [new file with mode: 0644]
queue-4.15/mbcache-initialize-entry-e_referenced-in-mb_cache_entry_create.patch [new file with mode: 0644]
queue-4.15/mips-cps-fix-mips_isa_level_raw-fallout.patch [new file with mode: 0644]
queue-4.15/mips-fix-incorrect-mem-x-y-handling.patch [new file with mode: 0644]
queue-4.15/mips-fix-typo-big_endian-to-cpu_big_endian.patch [new file with mode: 0644]
queue-4.15/mlx5-fix-mlx5_get_vector_affinity-to-start-from-completion-vector-0.patch [new file with mode: 0644]
queue-4.15/mm-fix-memory-size-alignment-in-devm_memremap_pages_release.patch [new file with mode: 0644]
queue-4.15/mm-hide-a-warning-for-compile_test.patch [new file with mode: 0644]
queue-4.15/mmc-bcm2835-don-t-overwrite-max-frequency-unconditionally.patch [new file with mode: 0644]
queue-4.15/mmc-sdhci-implement-an-sdhci-specific-bounce-buffer.patch [new file with mode: 0644]
queue-4.15/mpls-nospec-sanitize-array-index-in-mpls_label_ok.patch [new file with mode: 0644]
queue-4.15/pci-disable-msi-for-hisilicon-hip06-hip07-only-in-root-port-mode.patch [new file with mode: 0644]
queue-4.15/pci-iproc-fix-null-pointer-dereference-for-bcma.patch [new file with mode: 0644]
queue-4.15/pci-keystone-fix-interrupt-controller-node-lookup.patch [new file with mode: 0644]
queue-4.15/pci-pciehp-assume-nocompl-for-thunderbolt-ports.patch [new file with mode: 0644]
queue-4.15/rbd-whitelist-rbd_feature_operations-feature-bit.patch [new file with mode: 0644]
queue-4.15/revert-apple-gmux-lock-igp-io-to-protect-from-vgaarb-changes.patch [new file with mode: 0644]
queue-4.15/revert-mmc-meson-gx-include-tx-phase-in-the-tuning-process.patch [new file with mode: 0644]
queue-4.15/rtc-opal-fix-handling-of-firmware-error-codes-prevent-busy-loops.patch [new file with mode: 0644]
queue-4.15/seq_file-fix-incomplete-reset-on-read-from-zero-offset.patch [new file with mode: 0644]
queue-4.15/series
queue-4.15/tracing-fix-parsing-of-globs-with-a-wildcard-at-the-beginning.patch [new file with mode: 0644]
queue-4.15/video-fbdev-atmel_lcdfb-fix-display-timings-lookup.patch [new file with mode: 0644]
queue-4.15/x86-smpboot-fix-uncore_pci_remove-indexing-bug-when-hot-removing-a-physical-cpu.patch [new file with mode: 0644]
queue-4.15/xen-fix-set-clear-_foreign_p2m_mapping-on-autotranslating-guests.patch [new file with mode: 0644]
queue-4.15/xenbus-track-caller-request-id.patch [new file with mode: 0644]

diff --git a/queue-4.15/arm64-add-missing-falkor-part-number-for-branch-predictor-hardening.patch b/queue-4.15/arm64-add-missing-falkor-part-number-for-branch-predictor-hardening.patch
new file mode 100644 (file)
index 0000000..019f72b
--- /dev/null
@@ -0,0 +1,56 @@
+From 16e574d762ac5512eb922ac0ac5eed360b7db9d8 Mon Sep 17 00:00:00 2001
+From: Shanker Donthineni <shankerd@codeaurora.org>
+Date: Sun, 11 Feb 2018 19:16:15 -0600
+Subject: arm64: Add missing Falkor part number for branch predictor hardening
+
+From: Shanker Donthineni <shankerd@codeaurora.org>
+
+commit 16e574d762ac5512eb922ac0ac5eed360b7db9d8 upstream.
+
+References to CPU part number MIDR_QCOM_FALKOR were dropped from the
+mailing list patch due to mainline/arm64 branch dependency. So this
+patch adds the missing part number.
+
+Fixes: ec82b567a74f ("arm64: Implement branch predictor hardening for Falkor")
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Shanker Donthineni <shankerd@codeaurora.org>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/cpu_errata.c |    9 +++++++++
+ arch/arm64/kvm/hyp/switch.c    |    4 +++-
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/cpu_errata.c
++++ b/arch/arm64/kernel/cpu_errata.c
+@@ -408,6 +408,15 @@ const struct arm64_cpu_capabilities arm6
+       },
+       {
+               .capability = ARM64_HARDEN_BRANCH_PREDICTOR,
++              MIDR_ALL_VERSIONS(MIDR_QCOM_FALKOR),
++              .enable = qcom_enable_link_stack_sanitization,
++      },
++      {
++              .capability = ARM64_HARDEN_BP_POST_GUEST_EXIT,
++              MIDR_ALL_VERSIONS(MIDR_QCOM_FALKOR),
++      },
++      {
++              .capability = ARM64_HARDEN_BRANCH_PREDICTOR,
+               MIDR_ALL_VERSIONS(MIDR_BRCM_VULCAN),
+               .enable = enable_smccc_arch_workaround_1,
+       },
+--- a/arch/arm64/kvm/hyp/switch.c
++++ b/arch/arm64/kvm/hyp/switch.c
+@@ -400,8 +400,10 @@ again:
+               u32 midr = read_cpuid_id();
+               /* Apply BTAC predictors mitigation to all Falkor chips */
+-              if ((midr & MIDR_CPU_MODEL_MASK) == MIDR_QCOM_FALKOR_V1)
++              if (((midr & MIDR_CPU_MODEL_MASK) == MIDR_QCOM_FALKOR) ||
++                  ((midr & MIDR_CPU_MODEL_MASK) == MIDR_QCOM_FALKOR_V1)) {
+                       __qcom_hyp_sanitize_btac_predictors();
++              }
+       }
+       fp_enabled = __fpsimd_enabled();
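Review bot: In the arch/arm64/kvm/hyp/switch.c hunk the new condition evaluates `midr & MIDR_CPU_MODEL_MASK` twice, which makes the Falkor test harder to scan than it needs to be. Masking once, `u32 model = read_cpuid_id() & MIDR_CPU_MODEL_MASK;`, and then testing `model == MIDR_QCOM_FALKOR || model == MIDR_QCOM_FALKOR_V1` keeps the two part numbers side by side for the next addition. The enclosing block starts outside the hunk, so any capability gate around this test is not visible here. The model list in this file and the `MIDR_ALL_VERSIONS(...)` entries added to cpu_errata.c have to stay in step, because a part number present in one and missing from the other would presumably leave the post-guest-exit branch predictor mitigation unapplied on that part.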
diff --git a/queue-4.15/console-dummy-leave-.con_font_get-set-to-null.patch b/queue-4.15/console-dummy-leave-.con_font_get-set-to-null.patch
new file mode 100644 (file)
index 0000000..e5ed405
--- /dev/null
@@ -0,0 +1,32 @@
+From 724ba8b30b044aa0d94b1cd374fc15806cdd6f18 Mon Sep 17 00:00:00 2001
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+Date: Mon, 15 Jan 2018 17:04:22 +0100
+Subject: console/dummy: leave .con_font_get set to NULL
+
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+
+commit 724ba8b30b044aa0d94b1cd374fc15806cdd6f18 upstream.
+
+When this method is set, the caller expects struct console_font fields
+to be properly initialized when it returns. Leave it unset otherwise
+nonsensical (leaked kernel stack) values are returned to user space.
+
+Signed-off-by: Nicolas Pitre <nico@linaro.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/console/dummycon.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/video/console/dummycon.c
++++ b/drivers/video/console/dummycon.c
+@@ -67,7 +67,6 @@ const struct consw dummy_con = {
+     .con_switch =     DUMMY,
+     .con_blank =      DUMMY,
+     .con_font_set =   DUMMY,
+-    .con_font_get =   DUMMY,
+     .con_font_default =       DUMMY,
+     .con_font_copy =  DUMMY,
+ };
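Review bot: Nothing in the `dummy_con` initializer records that `.con_font_get` is absent on purpose, so a later cleanup that fills every `consw` hook with `DUMMY` would bring back the uninitialized `struct console_font` values that the commit message describes as leaked kernel stack. A comment in the table would protect the fix, for example `/* .con_font_get stays NULL: DUMMY would return without filling struct console_font */`. `.con_font_set`, `.con_font_default` and `.con_font_copy` remain `DUMMY`. The hunk does not show whether any of them also has output fields the caller reads back, which is worth confirming.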
diff --git a/queue-4.15/drm-amd-powerplay-fix-smu_table_entry.handle-type.patch b/queue-4.15/drm-amd-powerplay-fix-smu_table_entry.handle-type.patch
new file mode 100644 (file)
index 0000000..a137251
--- /dev/null
@@ -0,0 +1,35 @@
+From adab595d16abe48e9c097f000bf8921d35b28fb7 Mon Sep 17 00:00:00 2001
+From: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+Date: Wed, 17 Jan 2018 17:24:13 -0500
+Subject: drm/amd/powerplay: Fix smu_table_entry.handle type
+
+From: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+
+commit adab595d16abe48e9c097f000bf8921d35b28fb7 upstream.
+
+The handle describes kernel logical address, should be
+unsigned long and not uint32_t.
+Fixes KASAN error and GFP on driver unload.
+
+Reviewed-by: Rex Zhu <Rex.Zhu@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/powerplay/smumgr/rv_smumgr.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/powerplay/smumgr/rv_smumgr.h
++++ b/drivers/gpu/drm/amd/powerplay/smumgr/rv_smumgr.h
+@@ -40,7 +40,7 @@ struct smu_table_entry {
+       uint32_t table_addr_high;
+       uint32_t table_addr_low;
+       uint8_t *table;
+-      uint32_t handle;
++      unsigned long handle;
+ };
+ struct smu_table_array {
diff --git a/queue-4.15/drm-ast-load-lut-in-crtc_commit.patch b/queue-4.15/drm-ast-load-lut-in-crtc_commit.patch
new file mode 100644 (file)
index 0000000..3cc3520
--- /dev/null
@@ -0,0 +1,46 @@
+From 24b8ef699e8221d2b7f813adaab13eec053e1507 Mon Sep 17 00:00:00 2001
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Thu, 18 Jan 2018 16:40:16 +0100
+Subject: drm/ast: Load lut in crtc_commit
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+commit 24b8ef699e8221d2b7f813adaab13eec053e1507 upstream.
+
+In the past the ast driver relied upon the fbdev emulation helpers to
+call ->load_lut at boot-up. But since
+
+commit b8e2b0199cc377617dc238f5106352c06dcd3fa2
+Author: Peter Rosin <peda@axentia.se>
+Date:   Tue Jul 4 12:36:57 2017 +0200
+
+    drm/fb-helper: factor out pseudo-palette
+
+that's cleaned up and drivers are expected to boot into a consistent
+lut state. This patch fixes that.
+
+Fixes: b8e2b0199cc3 ("drm/fb-helper: factor out pseudo-palette")
+Cc: Peter Rosin <peda@axenita.se>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: <stable@vger.kernel.org> # v4.14+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=198123
+Cc: Bill Fraser <bill.fraser@gmail.com>
+Reported-and-Tested-by: Bill Fraser <bill.fraser@gmail.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ast/ast_mode.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/ast/ast_mode.c
++++ b/drivers/gpu/drm/ast/ast_mode.c
+@@ -644,6 +644,7 @@ static void ast_crtc_commit(struct drm_c
+ {
+       struct ast_private *ast = crtc->dev->dev_private;
+       ast_set_index_reg_mask(ast, AST_IO_SEQ_PORT, 0x1, 0xdf, 0);
++      ast_crtc_load_lut(crtc);
+ }
diff --git a/queue-4.15/drm-check-for-lessee-in-drop_master-ioctl.patch b/queue-4.15/drm-check-for-lessee-in-drop_master-ioctl.patch
new file mode 100644 (file)
index 0000000..14d2b50
--- /dev/null
@@ -0,0 +1,42 @@
+From 761e05a702f5d537ffcca1ba933f9f0a968aa022 Mon Sep 17 00:00:00 2001
+From: Keith Packard <keithp@keithp.com>
+Date: Thu, 18 Jan 2018 17:51:59 -0800
+Subject: drm: Check for lessee in DROP_MASTER ioctl
+
+From: Keith Packard <keithp@keithp.com>
+
+commit 761e05a702f5d537ffcca1ba933f9f0a968aa022 upstream.
+
+Don't let a lessee control what the current DRM master is set to;
+that's the job of the "real" master. Otherwise, the lessee would
+disable all access to master operations for the owner and all lessees
+under it.
+
+This matches the same check made in the SET_MASTER ioctl.
+
+Signed-off-by: Keith Packard <keithp@keithp.com>
+Fixes: 2ed077e467ee ("drm: Add drm_object lease infrastructure [v5]")
+Cc: <stable@vger.kernel.org> # v4.15+
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180119015159.1606-1-keithp@keithp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_auth.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/drm_auth.c
++++ b/drivers/gpu/drm/drm_auth.c
+@@ -230,6 +230,12 @@ int drm_dropmaster_ioctl(struct drm_devi
+       if (!dev->master)
+               goto out_unlock;
++      if (file_priv->master->lessor != NULL) {
++              DRM_DEBUG_LEASE("Attempt to drop lessee %d as master\n", file_priv->master->lessee_id);
++              ret = -EINVAL;
++              goto out_unlock;
++      }
++
+       ret = 0;
+       drm_drop_master(dev, file_priv);
+ out_unlock:
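Review bot: The added check reads `file_priv->master->lessor` with no null test on `file_priv->master` inside the hunk; the only guard visible before it is `if (!dev->master)`. That is safe only if an earlier check in `drm_dropmaster_ioctl` (the function starts outside the hunk) guarantees the caller holds a master. If it does, a short comment stating the dependency would help, e.g. `/* file_priv->master is non-NULL here, established by the current-master check above */`. The `DRM_DEBUG_LEASE(...)` call is also well over 80 columns and could be wrapped after the format string.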
diff --git a/queue-4.15/drm-qxl-reapply-cursor-after-resetting-primary.patch b/queue-4.15/drm-qxl-reapply-cursor-after-resetting-primary.patch
new file mode 100644 (file)
index 0000000..ad4c475
--- /dev/null
@@ -0,0 +1,153 @@
+From 9428088c90b6f7d5edd2a1b0d742c75339b36f6e Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Mon, 27 Nov 2017 16:50:10 -0500
+Subject: drm/qxl: reapply cursor after resetting primary
+
+From: Ray Strode <rstrode@redhat.com>
+
+commit 9428088c90b6f7d5edd2a1b0d742c75339b36f6e upstream.
+
+QXL associates mouse state with its primary plane.
+
+Destroying a primary plane and putting a new one in place has the side
+effect of destroying the cursor as well.
+
+This commit changes the driver to reapply the cursor any time a new
+primary is created. It achieves this by keeping a reference to the
+cursor bo on the qxl_crtc struct.
+
+This fix is very similar to
+
+commit 4532b241a4b7 ("drm/qxl: reapply cursor after SetCrtc calls")
+
+which got implicitly reverted as part of implementing the atomic
+modeset feature.
+
+Cc: Gerd Hoffmann <kraxel@redhat.com>
+Cc: Dave Airlie <airlied@redhat.com>
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1512097
+Fixes: 1277eed5fecb ("drm: qxl: Atomic phase 1: convert cursor to universal plane")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ray Strode <rstrode@redhat.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/qxl/qxl_display.c |   59 ++++++++++++++++++++++++++++++++++++++
+ drivers/gpu/drm/qxl/qxl_drv.h     |    2 +
+ 2 files changed, 61 insertions(+)
+
+--- a/drivers/gpu/drm/qxl/qxl_display.c
++++ b/drivers/gpu/drm/qxl/qxl_display.c
+@@ -289,6 +289,7 @@ static void qxl_crtc_destroy(struct drm_
+ {
+       struct qxl_crtc *qxl_crtc = to_qxl_crtc(crtc);
++      qxl_bo_unref(&qxl_crtc->cursor_bo);
+       drm_crtc_cleanup(crtc);
+       kfree(qxl_crtc);
+ }
+@@ -495,6 +496,53 @@ static int qxl_primary_atomic_check(stru
+       return 0;
+ }
++static int qxl_primary_apply_cursor(struct drm_plane *plane)
++{
++      struct drm_device *dev = plane->dev;
++      struct qxl_device *qdev = dev->dev_private;
++      struct drm_framebuffer *fb = plane->state->fb;
++      struct qxl_crtc *qcrtc = to_qxl_crtc(plane->state->crtc);
++      struct qxl_cursor_cmd *cmd;
++      struct qxl_release *release;
++      int ret = 0;
++
++      if (!qcrtc->cursor_bo)
++              return 0;
++
++      ret = qxl_alloc_release_reserved(qdev, sizeof(*cmd),
++                                       QXL_RELEASE_CURSOR_CMD,
++                                       &release, NULL);
++      if (ret)
++              return ret;
++
++      ret = qxl_release_list_add(release, qcrtc->cursor_bo);
++      if (ret)
++              goto out_free_release;
++
++      ret = qxl_release_reserve_list(release, false);
++      if (ret)
++              goto out_free_release;
++
++      cmd = (struct qxl_cursor_cmd *)qxl_release_map(qdev, release);
++      cmd->type = QXL_CURSOR_SET;
++      cmd->u.set.position.x = plane->state->crtc_x + fb->hot_x;
++      cmd->u.set.position.y = plane->state->crtc_y + fb->hot_y;
++
++      cmd->u.set.shape = qxl_bo_physical_address(qdev, qcrtc->cursor_bo, 0);
++
++      cmd->u.set.visible = 1;
++      qxl_release_unmap(qdev, release, &cmd->release_info);
++
++      qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false);
++      qxl_release_fence_buffer_objects(release);
++
++      return ret;
++
++out_free_release:
++      qxl_release_free(qdev, release);
++      return ret;
++}
++
+ static void qxl_primary_atomic_update(struct drm_plane *plane,
+                                     struct drm_plane_state *old_state)
+ {
+@@ -510,6 +558,7 @@ static void qxl_primary_atomic_update(st
+           .x2 = qfb->base.width,
+           .y2 = qfb->base.height
+       };
++      int ret;
+       bool same_shadow = false;
+       if (old_state->fb) {
+@@ -531,6 +580,11 @@ static void qxl_primary_atomic_update(st
+               if (!same_shadow)
+                       qxl_io_destroy_primary(qdev);
+               bo_old->is_primary = false;
++
++              ret = qxl_primary_apply_cursor(plane);
++              if (ret)
++                      DRM_ERROR(
++                      "could not set cursor after creating primary");
+       }
+       if (!bo->is_primary) {
+@@ -571,6 +625,7 @@ static void qxl_cursor_atomic_update(str
+       struct drm_device *dev = plane->dev;
+       struct qxl_device *qdev = dev->dev_private;
+       struct drm_framebuffer *fb = plane->state->fb;
++      struct qxl_crtc *qcrtc = to_qxl_crtc(plane->state->crtc);
+       struct qxl_release *release;
+       struct qxl_cursor_cmd *cmd;
+       struct qxl_cursor *cursor;
+@@ -628,6 +683,10 @@ static void qxl_cursor_atomic_update(str
+               cmd->u.set.shape = qxl_bo_physical_address(qdev,
+                                                          cursor_bo, 0);
+               cmd->type = QXL_CURSOR_SET;
++
++              qxl_bo_unref(&qcrtc->cursor_bo);
++              qcrtc->cursor_bo = cursor_bo;
++              cursor_bo = NULL;
+       } else {
+               ret = qxl_release_reserve_list(release, true);
+--- a/drivers/gpu/drm/qxl/qxl_drv.h
++++ b/drivers/gpu/drm/qxl/qxl_drv.h
+@@ -111,6 +111,8 @@ struct qxl_bo_list {
+ struct qxl_crtc {
+       struct drm_crtc base;
+       int index;
++
++      struct qxl_bo *cursor_bo;
+ };
+ struct qxl_output {
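Review bot: In `qxl_primary_apply_cursor` the result of `qxl_release_map()` is cast and written through (`cmd->type = QXL_CURSOR_SET;`) without a check, so if the mapping can fail and return NULL (its definition is outside this patch) the function dereferences a null pointer during a primary-surface update. A guard right after the map call, which undoes the list reservation before jumping to `out_free_release`, would close that path. Separately, the `DRM_ERROR` string in `qxl_primary_atomic_update` has no trailing newline; `"could not set cursor after creating primary\n"` keeps the next log line from being appended to it. The cursor position is computed from the primary plane's `crtc_x`/`crtc_y` and the primary `fb->hot_x`/`hot_y` rather than from saved cursor state, which is worth confirming against the cursor plane's last position.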
diff --git a/queue-4.15/drm-qxl-unref-cursor-bo-when-finished-with-it.patch b/queue-4.15/drm-qxl-unref-cursor-bo-when-finished-with-it.patch
new file mode 100644 (file)
index 0000000..f01912c
--- /dev/null
@@ -0,0 +1,43 @@
+From 16c6db3688734b27487a42d0c2a1062d0b2bad03 Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Mon, 27 Nov 2017 16:50:09 -0500
+Subject: drm/qxl: unref cursor bo when finished with it
+
+From: Ray Strode <rstrode@redhat.com>
+
+commit 16c6db3688734b27487a42d0c2a1062d0b2bad03 upstream.
+
+qxl_cursor_atomic_update allocs a bo for the cursor that
+it never frees up at the end of the function.
+
+This commit fixes that.
+
+Signed-off-by: Ray Strode <rstrode@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/qxl/qxl_display.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/qxl/qxl_display.c
++++ b/drivers/gpu/drm/qxl/qxl_display.c
+@@ -575,7 +575,7 @@ static void qxl_cursor_atomic_update(str
+       struct qxl_cursor_cmd *cmd;
+       struct qxl_cursor *cursor;
+       struct drm_gem_object *obj;
+-      struct qxl_bo *cursor_bo, *user_bo = NULL;
++      struct qxl_bo *cursor_bo = NULL, *user_bo = NULL;
+       int ret;
+       void *user_ptr;
+       int size = 64*64*4;
+@@ -645,6 +645,8 @@ static void qxl_cursor_atomic_update(str
+       qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false);
+       qxl_release_fence_buffer_objects(release);
++      qxl_bo_unref(&cursor_bo);
++
+       return;
+ out_backoff:
diff --git a/queue-4.15/drm-radeon-add-dpm-quirk-for-jet-pro-v2.patch b/queue-4.15/drm-radeon-add-dpm-quirk-for-jet-pro-v2.patch
new file mode 100644 (file)
index 0000000..e6c42b9
--- /dev/null
@@ -0,0 +1,40 @@
+From 239b5f64e12b1f09f506c164dff0374924782979 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Tue, 21 Nov 2017 12:09:38 -0500
+Subject: drm/radeon: Add dpm quirk for Jet PRO (v2)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 239b5f64e12b1f09f506c164dff0374924782979 upstream.
+
+Fixes stability issues.
+
+v2: clamp sclk to 600 Mhz
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103370
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/si_dpm.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/si_dpm.c
++++ b/drivers/gpu/drm/radeon/si_dpm.c
+@@ -2984,6 +2984,11 @@ static void si_apply_state_adjust_rules(
+                   (rdev->pdev->device == 0x6667)) {
+                       max_sclk = 75000;
+               }
++              if ((rdev->pdev->revision == 0xC3) ||
++                  (rdev->pdev->device == 0x6665)) {
++                      max_sclk = 60000;
++                      max_mclk = 80000;
++              }
+       } else if (rdev->family == CHIP_OLAND) {
+               if ((rdev->pdev->revision == 0xC7) ||
+                   (rdev->pdev->revision == 0x80) ||
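Review bot: The new quirk condition joins the revision test and the device test with `||`, so within this family branch every device with revision 0xC3 and every 0x6665 device of any revision gets the clamp. If the quirk is meant for one specific part, `&&` would be the narrower test, and if the broad match is intended a comment should say so. The block also sits after the `max_sclk = 75000` quirk above it and overrides that value when both conditions match. The constants are unlabelled; a comment such as `/* Jet PRO: clamp sclk to 600 MHz, see freedesktop bug 103370 */` would tie them to the commit message. The enclosing function starts and ends outside the hunk.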
diff --git a/queue-4.15/drm-radeon-adjust-tested-variable.patch b/queue-4.15/drm-radeon-adjust-tested-variable.patch
new file mode 100644 (file)
index 0000000..1637104
--- /dev/null
@@ -0,0 +1,57 @@
+From 3a61b527b4e1f285d21b6e9e623dc45cf8bb391f Mon Sep 17 00:00:00 2001
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+Date: Sat, 27 Jan 2018 15:28:15 +0100
+Subject: drm/radeon: adjust tested variable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+
+commit 3a61b527b4e1f285d21b6e9e623dc45cf8bb391f upstream.
+
+Check the variable that was most recently initialized.
+
+The semantic match that finds this problem is as follows:
+(http://coccinelle.lip6.fr/)
+
+// <smpl>
+@@
+expression x, y, f, g, e, m;
+statement S1,S2,S3,S4;
+@@
+
+x = f(...);
+if (\(<+...x...+>\&e\)) S1 else S2
+(
+x = g(...);
+|
+m = g(...,&x,...);
+|
+y = g(...);
+*if (e)
+ S3 else S4
+)
+// </smpl>
+
+Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/radeon_uvd.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_uvd.c
++++ b/drivers/gpu/drm/radeon/radeon_uvd.c
+@@ -995,7 +995,7 @@ int radeon_uvd_calc_upll_dividers(struct
+               /* calc dclk divider with current vco freq */
+               dclk_div = radeon_uvd_calc_upll_post_div(vco_freq, dclk,
+                                                        pd_min, pd_even);
+-              if (vclk_div > pd_max)
++              if (dclk_div > pd_max)
+                       break; /* vco is too big, it has to stop */
+               /* calc score with current vco freq */
diff --git a/queue-4.15/drm-ttm-don-t-add-swapped-bos-to-swap-lru-list.patch b/queue-4.15/drm-ttm-don-t-add-swapped-bos-to-swap-lru-list.patch
new file mode 100644 (file)
index 0000000..079362e
--- /dev/null
@@ -0,0 +1,43 @@
+From fd5002d6a3c602664b07668a24df4ef7a43bf078 Mon Sep 17 00:00:00 2001
+From: Felix Kuehling <Felix.Kuehling@amd.com>
+Date: Wed, 17 Jan 2018 23:52:03 -0500
+Subject: drm/ttm: Don't add swapped BOs to swap-LRU list
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Felix Kuehling <Felix.Kuehling@amd.com>
+
+commit fd5002d6a3c602664b07668a24df4ef7a43bf078 upstream.
+
+A BO that's already swapped would be added back to the swap-LRU list
+for example if its validation failed under high memory pressure. This
+could later lead to swapping it out again and leaking previous swap
+storage.
+
+This commit adds a condition to prevent that from happening.
+
+v2: Check page_flags instead of swap_storage
+
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ttm/ttm_bo.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ttm/ttm_bo.c
++++ b/drivers/gpu/drm/ttm/ttm_bo.c
+@@ -175,7 +175,8 @@ void ttm_bo_add_to_lru(struct ttm_buffer
+               list_add_tail(&bo->lru, &man->lru[bo->priority]);
+               kref_get(&bo->list_kref);
+-              if (bo->ttm && !(bo->ttm->page_flags & TTM_PAGE_FLAG_SG)) {
++              if (bo->ttm && !(bo->ttm->page_flags &
++                               (TTM_PAGE_FLAG_SG | TTM_PAGE_FLAG_SWAPPED))) {
+                       list_add_tail(&bo->swap,
+                                     &bo->glob->swap_lru[bo->priority]);
+                       kref_get(&bo->list_kref);
diff --git a/queue-4.15/drm-ttm-fix-buf-pointer-update-in-ttm_bo_vm_access_kmap-v2.patch b/queue-4.15/drm-ttm-fix-buf-pointer-update-in-ttm_bo_vm_access_kmap-v2.patch
new file mode 100644 (file)
index 0000000..37a11a4
--- /dev/null
@@ -0,0 +1,48 @@
+From 95244db2d3f743f37e69446a2807dd1a42750542 Mon Sep 17 00:00:00 2001
+From: Tom St Denis <tom.stdenis@amd.com>
+Date: Fri, 26 Jan 2018 09:32:29 -0500
+Subject: drm/ttm: Fix 'buf' pointer update in ttm_bo_vm_access_kmap() (v2)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tom St Denis <tom.stdenis@amd.com>
+
+commit 95244db2d3f743f37e69446a2807dd1a42750542 upstream.
+
+The buf pointer was not being incremented inside the loop
+meaning the same block of data would be read or written
+repeatedly.
+(v2) Change 'buf' pointer to uint8_t* type
+
+Cc: stable@vger.kernel.org
+Fixes: 09ac4fcb3f25 ("drm/ttm: Implement vm_operations_struct.access v2")
+
+Signed-off-by: Tom St Denis <tom.stdenis@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ttm/ttm_bo_vm.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
++++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
+@@ -299,7 +299,7 @@ static void ttm_bo_vm_close(struct vm_ar
+ static int ttm_bo_vm_access_kmap(struct ttm_buffer_object *bo,
+                                unsigned long offset,
+-                               void *buf, int len, int write)
++                               uint8_t *buf, int len, int write)
+ {
+       unsigned long page = offset >> PAGE_SHIFT;
+       unsigned long bytes_left = len;
+@@ -328,6 +328,7 @@ static int ttm_bo_vm_access_kmap(struct
+               ttm_bo_kunmap(&map);
+               page++;
++              buf += bytes;
+               bytes_left -= bytes;
+               offset = 0;
+       } while (bytes_left);
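Review bot: `ttm_bo_vm_access_kmap` still takes `len` as `int` and assigns it to `unsigned long bytes_left`, so a negative length would become a very large byte count. The loop, which now advances `buf` by `bytes` on every pass, would then walk far beyond the caller's buffer. Whether the caller rejects non-positive lengths and ranges that exceed the object is not visible in this patch. The function should either state that precondition in a comment, e.g. `/* caller must ensure len > 0 and offset + len lies within the BO */`, or check it itself before the loop. The body between the two hunks is not shown.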
diff --git a/queue-4.15/ext4-correct-documentation-for-grpid-mount-option.patch b/queue-4.15/ext4-correct-documentation-for-grpid-mount-option.patch
new file mode 100644 (file)
index 0000000..7611c58
--- /dev/null
@@ -0,0 +1,35 @@
+From 9f0372488cc9243018a812e8cfbf27de650b187b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ernesto=20A=2E=20Fern=C3=A1ndez?=
+ <ernesto.mnd.fernandez@gmail.com>
+Date: Thu, 11 Jan 2018 13:43:33 -0500
+Subject: ext4: correct documentation for grpid mount option
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+
+commit 9f0372488cc9243018a812e8cfbf27de650b187b upstream.
+
+The grpid option is currently described as being the same as nogrpid.
+
+Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/filesystems/ext4.txt |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/filesystems/ext4.txt
++++ b/Documentation/filesystems/ext4.txt
+@@ -233,7 +233,7 @@ data_err=ignore(*) Just print an error m
+ data_err=abort                Abort the journal if an error occurs in a file
+                       data buffer in ordered mode.
+-grpid                 Give objects the same group ID as their creator.
++grpid                 New objects have the group ID of their parent.
+ bsdgroups
+ nogrpid               (*)     New objects have the group ID of their creator.
diff --git a/queue-4.15/ext4-fix-a-race-in-the-ext4-shutdown-path.patch b/queue-4.15/ext4-fix-a-race-in-the-ext4-shutdown-path.patch
new file mode 100644 (file)
index 0000000..0acc492
--- /dev/null
@@ -0,0 +1,56 @@
+From abbc3f9395c76d554a9ed27d4b1ebfb5d9b0e4ca Mon Sep 17 00:00:00 2001
+From: Harshad Shirwadkar <harshads@google.com>
+Date: Wed, 10 Jan 2018 00:13:13 -0500
+Subject: ext4: fix a race in the ext4 shutdown path
+
+From: Harshad Shirwadkar <harshads@google.com>
+
+commit abbc3f9395c76d554a9ed27d4b1ebfb5d9b0e4ca upstream.
+
+This patch fixes a race between the shutdown path and bio completion
+handling. In the ext4 direct io path with async io, after submitting a
+bio to the block layer, if journal starting fails,
+ext4_direct_IO_write() would bail out pretending that the IO
+failed. The caller would have had no way of knowing whether or not the
+IO was successfully submitted. So instead, we return -EIOCBQUEUED in
+this case. Now, the caller knows that the IO was submitted.  The bio
+completion handler takes care of the error.
+
+Tested: Ran the shutdown xfstest test 461 in loop for over 2 hours across
+4 machines resulting in over 400 runs. Verified that the race didn't
+occur. Usually the race was seen in about 20-30 iterations.
+
+Signed-off-by: Harshad Shirwadkar <harshads@google.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c |   16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -3767,10 +3767,18 @@ static ssize_t ext4_direct_IO_write(stru
+               /* Credits for sb + inode write */
+               handle = ext4_journal_start(inode, EXT4_HT_INODE, 2);
+               if (IS_ERR(handle)) {
+-                      /* This is really bad luck. We've written the data
+-                       * but cannot extend i_size. Bail out and pretend
+-                       * the write failed... */
+-                      ret = PTR_ERR(handle);
++                      /*
++                       * We wrote the data but cannot extend
++                       * i_size. Bail out. In async io case, we do
++                       * not return error here because we have
++                       * already submmitted the corresponding
++                       * bio. Returning error here makes the caller
++                       * think that this IO is done and failed
++                       * resulting in race with bio's completion
++                       * handler.
++                       */
++                      if (!ret)
++                              ret = PTR_ERR(handle);
+                       if (inode->i_nlink)
+                               ext4_orphan_del(NULL, inode);
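Review bot: The `if (!ret)` guard in the `IS_ERR(handle)` branch keeps every non-zero `ret`, not only the async-submission value that the new comment describes. The commit message names -EIOCBQUEUED but the comment does not. If `ret` can also hold a positive byte count from a completed synchronous write here (its assignment is outside the hunk, so this is inferred), the journal-start failure is no longer reported to the caller even though i_size was not extended. If only the queued case is meant to be preserved, `if (ret != -EIOCBQUEUED) ret = PTR_ERR(handle);` says so directly; otherwise the comment should explain why a positive `ret` is kept as well. The comment also misspells `submmitted`, and ext4_direct_IO_write() starts and ends outside the hunk.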
diff --git a/queue-4.15/ext4-save-error-to-disk-in-__ext4_grp_locked_error.patch b/queue-4.15/ext4-save-error-to-disk-in-__ext4_grp_locked_error.patch
new file mode 100644 (file)
index 0000000..d919efd
--- /dev/null
@@ -0,0 +1,37 @@
+From 06f29cc81f0350261f59643a505010531130eea0 Mon Sep 17 00:00:00 2001
+From: Zhouyi Zhou <zhouzhouyi@gmail.com>
+Date: Wed, 10 Jan 2018 00:34:19 -0500
+Subject: ext4: save error to disk in __ext4_grp_locked_error()
+
+From: Zhouyi Zhou <zhouzhouyi@gmail.com>
+
+commit 06f29cc81f0350261f59643a505010531130eea0 upstream.
+
+In the function __ext4_grp_locked_error(), __save_error_info()
+is called to save error info in super block block, but does not sync
+that information to disk to info the subsequence fsck after reboot.
+
+This patch writes the error information to disk.  After this patch,
+I think there is no obvious EXT4 error handle branches which leads to
+"Remounting filesystem read-only" will leave the disk partition miss
+the subsequence fsck.
+
+Signed-off-by: Zhouyi Zhou <zhouzhouyi@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -742,6 +742,7 @@ __acquires(bitlock)
+       }
+       ext4_unlock_group(sb, grp);
++      ext4_commit_super(sb, 1);
+       ext4_handle_error(sb);
+       /*
+        * We only get here in the ERRORS_RO case; relocking the group
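Review bot: The added `ext4_commit_super(sb, 1);` has no comment saying why it sits at this point, and the bare `1` does not tell a reader that it requests a synchronous write. A one-line comment above the call would carry the reasoning from the commit message into the code: `/* Sync the saved error info to disk now so the next fsck sees it */`. Its placement after `ext4_unlock_group()` looks deliberate, presumably because the write cannot be issued while the group lock is held, and that is worth stating in the same comment. The function begins and ends outside the hunk.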
diff --git a/queue-4.15/jbd2-fix-sphinx-kernel-doc-build-warnings.patch b/queue-4.15/jbd2-fix-sphinx-kernel-doc-build-warnings.patch
new file mode 100644 (file)
index 0000000..8d01bb6
--- /dev/null
@@ -0,0 +1,708 @@
+From f69120ce6c024aa634a8fc25787205e42f0ccbe6 Mon Sep 17 00:00:00 2001
+From: "Tobin C. Harding" <me@tobin.cc>
+Date: Wed, 10 Jan 2018 00:27:29 -0500
+Subject: jbd2: fix sphinx kernel-doc build warnings
+
+From: Tobin C. Harding <me@tobin.cc>
+
+commit f69120ce6c024aa634a8fc25787205e42f0ccbe6 upstream.
+
+Sphinx emits various (26) warnings when building make target 'htmldocs'.
+Currently struct definitions contain duplicate documentation, some as
+kernel-docs and some as standard c89 comments.  We can reduce
+duplication while cleaning up the kernel docs.
+
+Move all kernel-docs to right above each struct member.  Use the set of
+all existing comments (kernel-doc and c89).  Add documentation for
+missing struct members and function arguments.
+
+Signed-off-by: Tobin C. Harding <me@tobin.cc>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/transaction.c |    5 
+ include/linux/jbd2.h  |  431 +++++++++++++++++++++++++++++++-------------------
+ 2 files changed, 272 insertions(+), 164 deletions(-)
+
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -495,8 +495,10 @@ void jbd2_journal_free_reserved(handle_t
+ EXPORT_SYMBOL(jbd2_journal_free_reserved);
+ /**
+- * int jbd2_journal_start_reserved(handle_t *handle) - start reserved handle
++ * int jbd2_journal_start_reserved() - start reserved handle
+  * @handle: handle to start
++ * @type: for handle statistics
++ * @line_no: for handle statistics
+  *
+  * Start handle that has been previously reserved with jbd2_journal_reserve().
+  * This attaches @handle to the running transaction (or creates one if there's
+@@ -626,6 +628,7 @@ error_out:
+  * int jbd2_journal_restart() - restart a handle .
+  * @handle:  handle to restart
+  * @nblocks: nr credits requested
++ * @gfp_mask: memory allocation flags (for start_this_handle)
+  *
+  * Restart a handle for a multi-transaction filesystem
+  * operation.
+--- a/include/linux/jbd2.h
++++ b/include/linux/jbd2.h
+@@ -418,26 +418,41 @@ static inline void jbd_unlock_bh_journal
+ #define JI_WAIT_DATA (1 << __JI_WAIT_DATA)
+ /**
+- * struct jbd_inode is the structure linking inodes in ordered mode
+- *   present in a transaction so that we can sync them during commit.
++ * struct jbd_inode - The jbd_inode type is the structure linking inodes in
++ * ordered mode present in a transaction so that we can sync them during commit.
+  */
+ struct jbd2_inode {
+-      /* Which transaction does this inode belong to? Either the running
+-       * transaction or the committing one. [j_list_lock] */
++      /**
++       * @i_transaction:
++       *
++       * Which transaction does this inode belong to? Either the running
++       * transaction or the committing one. [j_list_lock]
++       */
+       transaction_t *i_transaction;
+-      /* Pointer to the running transaction modifying inode's data in case
+-       * there is already a committing transaction touching it. [j_list_lock] */
++      /**
++       * @i_next_transaction:
++       *
++       * Pointer to the running transaction modifying inode's data in case
++       * there is already a committing transaction touching it. [j_list_lock]
++       */
+       transaction_t *i_next_transaction;
+-      /* List of inodes in the i_transaction [j_list_lock] */
++      /**
++       * @i_list: List of inodes in the i_transaction [j_list_lock]
++       */
+       struct list_head i_list;
+-      /* VFS inode this inode belongs to [constant during the lifetime
+-       * of the structure] */
++      /**
++       * @i_vfs_inode:
++       *
++       * VFS inode this inode belongs to [constant for lifetime of structure]
++       */
+       struct inode *i_vfs_inode;
+-      /* Flags of inode [j_list_lock] */
++      /**
++       * @i_flags: Flags of inode [j_list_lock]
++       */
+       unsigned long i_flags;
+ };
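Review bot: The rewritten kernel-doc header names `struct jbd_inode`, but the structure declared directly below it is `struct jbd2_inode`, so the generated documentation is attached to a name that the header does not define. The opening line should read ` * struct jbd2_inode - The jbd2_inode type is the structure linking inodes in`. Since the purpose of this patch is to quiet kernel-doc warnings, a name mismatch in the very comment being reformatted is worth fixing in the same change.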
+@@ -447,12 +462,20 @@ struct jbd2_revoke_table_s;
+  * struct handle_s - The handle_s type is the concrete type associated with
+  *     handle_t.
+  * @h_transaction: Which compound transaction is this update a part of?
++ * @h_journal: Which journal handle belongs to - used iff h_reserved set.
++ * @h_rsv_handle: Handle reserved for finishing the logical operation.
+  * @h_buffer_credits: Number of remaining buffers we are allowed to dirty.
+- * @h_ref: Reference count on this handle
+- * @h_err: Field for caller's use to track errors through large fs operations
+- * @h_sync: flag for sync-on-close
+- * @h_jdata: flag to force data journaling
+- * @h_aborted: flag indicating fatal error on handle
++ * @h_ref: Reference count on this handle.
++ * @h_err: Field for caller's use to track errors through large fs operations.
++ * @h_sync: Flag for sync-on-close.
++ * @h_jdata: Flag to force data journaling.
++ * @h_reserved: Flag for handle for reserved credits.
++ * @h_aborted: Flag indicating fatal error on handle.
++ * @h_type: For handle statistics.
++ * @h_line_no: For handle statistics.
++ * @h_start_jiffies: Handle Start time.
++ * @h_requested_credits: Holds @h_buffer_credits after handle is started.
++ * @saved_alloc_context: Saved context while transaction is open.
+  **/
+ /* Docbook can't yet cope with the bit fields, but will leave the documentation
+@@ -462,32 +485,23 @@ struct jbd2_revoke_table_s;
+ struct jbd2_journal_handle
+ {
+       union {
+-              /* Which compound transaction is this update a part of? */
+               transaction_t   *h_transaction;
+               /* Which journal handle belongs to - used iff h_reserved set */
+               journal_t       *h_journal;
+       };
+-      /* Handle reserved for finishing the logical operation */
+       handle_t                *h_rsv_handle;
+-
+-      /* Number of remaining buffers we are allowed to dirty: */
+       int                     h_buffer_credits;
+-
+-      /* Reference count on this handle */
+       int                     h_ref;
+-
+-      /* Field for caller's use to track errors through large fs */
+-      /* operations */
+       int                     h_err;
+       /* Flags [no locking] */
+-      unsigned int    h_sync:         1;      /* sync-on-close */
+-      unsigned int    h_jdata:        1;      /* force data journaling */
+-      unsigned int    h_reserved:     1;      /* handle with reserved credits */
+-      unsigned int    h_aborted:      1;      /* fatal error on handle */
+-      unsigned int    h_type:         8;      /* for handle statistics */
+-      unsigned int    h_line_no:      16;     /* for handle statistics */
++      unsigned int    h_sync:         1;
++      unsigned int    h_jdata:        1;
++      unsigned int    h_reserved:     1;
++      unsigned int    h_aborted:      1;
++      unsigned int    h_type:         8;
++      unsigned int    h_line_no:      16;
+       unsigned long           h_start_jiffies;
+       unsigned int            h_requested_credits;
+@@ -729,228 +743,253 @@ jbd2_time_diff(unsigned long start, unsi
+ /**
+  * struct journal_s - The journal_s type is the concrete type associated with
+  *     journal_t.
+- * @j_flags:  General journaling state flags
+- * @j_errno:  Is there an outstanding uncleared error on the journal (from a
+- *     prior abort)?
+- * @j_sb_buffer: First part of superblock buffer
+- * @j_superblock: Second part of superblock buffer
+- * @j_format_version: Version of the superblock format
+- * @j_state_lock: Protect the various scalars in the journal
+- * @j_barrier_count:  Number of processes waiting to create a barrier lock
+- * @j_barrier: The barrier lock itself
+- * @j_running_transaction: The current running transaction..
+- * @j_committing_transaction: the transaction we are pushing to disk
+- * @j_checkpoint_transactions: a linked circular list of all transactions
+- *  waiting for checkpointing
+- * @j_wait_transaction_locked: Wait queue for waiting for a locked transaction
+- *  to start committing, or for a barrier lock to be released
+- * @j_wait_done_commit: Wait queue for waiting for commit to complete
+- * @j_wait_commit: Wait queue to trigger commit
+- * @j_wait_updates: Wait queue to wait for updates to complete
+- * @j_wait_reserved: Wait queue to wait for reserved buffer credits to drop
+- * @j_checkpoint_mutex: Mutex for locking against concurrent checkpoints
+- * @j_head: Journal head - identifies the first unused block in the journal
+- * @j_tail: Journal tail - identifies the oldest still-used block in the
+- *  journal.
+- * @j_free: Journal free - how many free blocks are there in the journal?
+- * @j_first: The block number of the first usable block
+- * @j_last: The block number one beyond the last usable block
+- * @j_dev: Device where we store the journal
+- * @j_blocksize: blocksize for the location where we store the journal.
+- * @j_blk_offset: starting block offset for into the device where we store the
+- *     journal
+- * @j_fs_dev: Device which holds the client fs.  For internal journal this will
+- *     be equal to j_dev
+- * @j_reserved_credits: Number of buffers reserved from the running transaction
+- * @j_maxlen: Total maximum capacity of the journal region on disk.
+- * @j_list_lock: Protects the buffer lists and internal buffer state.
+- * @j_inode: Optional inode where we store the journal.  If present, all journal
+- *     block numbers are mapped into this inode via bmap().
+- * @j_tail_sequence:  Sequence number of the oldest transaction in the log
+- * @j_transaction_sequence: Sequence number of the next transaction to grant
+- * @j_commit_sequence: Sequence number of the most recently committed
+- *  transaction
+- * @j_commit_request: Sequence number of the most recent transaction wanting
+- *     commit
+- * @j_uuid: Uuid of client object.
+- * @j_task: Pointer to the current commit thread for this journal
+- * @j_max_transaction_buffers:  Maximum number of metadata buffers to allow in a
+- *     single compound commit transaction
+- * @j_commit_interval: What is the maximum transaction lifetime before we begin
+- *  a commit?
+- * @j_commit_timer:  The timer used to wakeup the commit thread
+- * @j_revoke_lock: Protect the revoke table
+- * @j_revoke: The revoke table - maintains the list of revoked blocks in the
+- *     current transaction.
+- * @j_revoke_table: alternate revoke tables for j_revoke
+- * @j_wbuf: array of buffer_heads for jbd2_journal_commit_transaction
+- * @j_wbufsize: maximum number of buffer_heads allowed in j_wbuf, the
+- *    number that will fit in j_blocksize
+- * @j_last_sync_writer: most recent pid which did a synchronous write
+- * @j_history_lock: Protect the transactions statistics history
+- * @j_proc_entry: procfs entry for the jbd statistics directory
+- * @j_stats: Overall statistics
+- * @j_private: An opaque pointer to fs-private information.
+- * @j_trans_commit_map: Lockdep entity to track transaction commit dependencies
+  */
+-
+ struct journal_s
+ {
+-      /* General journaling state flags [j_state_lock] */
++      /**
++       * @j_flags: General journaling state flags [j_state_lock]
++       */
+       unsigned long           j_flags;
+-      /*
++      /**
++       * @j_errno:
++       *
+        * Is there an outstanding uncleared error on the journal (from a prior
+        * abort)? [j_state_lock]
+        */
+       int                     j_errno;
+-      /* The superblock buffer */
++      /**
++       * @j_sb_buffer: The first part of the superblock buffer.
++       */
+       struct buffer_head      *j_sb_buffer;
++
++      /**
++       * @j_superblock: The second part of the superblock buffer.
++       */
+       journal_superblock_t    *j_superblock;
+-      /* Version of the superblock format */
++      /**
++       * @j_format_version: Version of the superblock format.
++       */
+       int                     j_format_version;
+-      /*
+-       * Protect the various scalars in the journal
++      /**
++       * @j_state_lock: Protect the various scalars in the journal.
+        */
+       rwlock_t                j_state_lock;
+-      /*
++      /**
++       * @j_barrier_count:
++       *
+        * Number of processes waiting to create a barrier lock [j_state_lock]
+        */
+       int                     j_barrier_count;
+-      /* The barrier lock itself */
++      /**
++       * @j_barrier: The barrier lock itself.
++       */
+       struct mutex            j_barrier;
+-      /*
++      /**
++       * @j_running_transaction:
++       *
+        * Transactions: The current running transaction...
+        * [j_state_lock] [caller holding open handle]
+        */
+       transaction_t           *j_running_transaction;
+-      /*
++      /**
++       * @j_committing_transaction:
++       *
+        * the transaction we are pushing to disk
+        * [j_state_lock] [caller holding open handle]
+        */
+       transaction_t           *j_committing_transaction;
+-      /*
++      /**
++       * @j_checkpoint_transactions:
++       *
+        * ... and a linked circular list of all transactions waiting for
+        * checkpointing. [j_list_lock]
+        */
+       transaction_t           *j_checkpoint_transactions;
+-      /*
++      /**
++       * @j_wait_transaction_locked:
++       *
+        * Wait queue for waiting for a locked transaction to start committing,
+-       * or for a barrier lock to be released
++       * or for a barrier lock to be released.
+        */
+       wait_queue_head_t       j_wait_transaction_locked;
+-      /* Wait queue for waiting for commit to complete */
++      /**
++       * @j_wait_done_commit: Wait queue for waiting for commit to complete.
++       */
+       wait_queue_head_t       j_wait_done_commit;
+-      /* Wait queue to trigger commit */
++      /**
++       * @j_wait_commit: Wait queue to trigger commit.
++       */
+       wait_queue_head_t       j_wait_commit;
+-      /* Wait queue to wait for updates to complete */
++      /**
++       * @j_wait_updates: Wait queue to wait for updates to complete.
++       */
+       wait_queue_head_t       j_wait_updates;
+-      /* Wait queue to wait for reserved buffer credits to drop */
++      /**
++       * @j_wait_reserved:
++       *
++       * Wait queue to wait for reserved buffer credits to drop.
++       */
+       wait_queue_head_t       j_wait_reserved;
+-      /* Semaphore for locking against concurrent checkpoints */
++      /**
++       * @j_checkpoint_mutex:
++       *
++       * Semaphore for locking against concurrent checkpoints.
++       */
+       struct mutex            j_checkpoint_mutex;
+-      /*
++      /**
++       * @j_chkpt_bhs:
++       *
+        * List of buffer heads used by the checkpoint routine.  This
+        * was moved from jbd2_log_do_checkpoint() to reduce stack
+        * usage.  Access to this array is controlled by the
+-       * j_checkpoint_mutex.  [j_checkpoint_mutex]
++       * @j_checkpoint_mutex.  [j_checkpoint_mutex]
+        */
+       struct buffer_head      *j_chkpt_bhs[JBD2_NR_BATCH];
+-      
+-      /*
++
++      /**
++       * @j_head:
++       *
+        * Journal head: identifies the first unused block in the journal.
+        * [j_state_lock]
+        */
+       unsigned long           j_head;
+-      /*
++      /**
++       * @j_tail:
++       *
+        * Journal tail: identifies the oldest still-used block in the journal.
+        * [j_state_lock]
+        */
+       unsigned long           j_tail;
+-      /*
++      /**
++       * @j_free:
++       *
+        * Journal free: how many free blocks are there in the journal?
+        * [j_state_lock]
+        */
+       unsigned long           j_free;
+-      /*
+-       * Journal start and end: the block numbers of the first usable block
+-       * and one beyond the last usable block in the journal. [j_state_lock]
++      /**
++       * @j_first:
++       *
++       * The block number of the first usable block in the journal
++       * [j_state_lock].
+        */
+       unsigned long           j_first;
++
++      /**
++       * @j_last:
++       *
++       * The block number one beyond the last usable block in the journal
++       * [j_state_lock].
++       */
+       unsigned long           j_last;
+-      /*
+-       * Device, blocksize and starting block offset for the location where we
+-       * store the journal.
++      /**
++       * @j_dev: Device where we store the journal.
+        */
+       struct block_device     *j_dev;
++
++      /**
++       * @j_blocksize: Block size for the location where we store the journal.
++       */
+       int                     j_blocksize;
++
++      /**
++       * @j_blk_offset:
++       *
++       * Starting block offset into the device where we store the journal.
++       */
+       unsigned long long      j_blk_offset;
++
++      /**
++       * @j_devname: Journal device name.
++       */
+       char                    j_devname[BDEVNAME_SIZE+24];
+-      /*
++      /**
++       * @j_fs_dev:
++       *
+        * Device which holds the client fs.  For internal journal this will be
+        * equal to j_dev.
+        */
+       struct block_device     *j_fs_dev;
+-      /* Total maximum capacity of the journal region on disk. */
++      /**
++       * @j_maxlen: Total maximum capacity of the journal region on disk.
++       */
+       unsigned int            j_maxlen;
+-      /* Number of buffers reserved from the running transaction */
++      /**
++       * @j_reserved_credits:
++       *
++       * Number of buffers reserved from the running transaction.
++       */
+       atomic_t                j_reserved_credits;
+-      /*
+-       * Protects the buffer lists and internal buffer state.
++      /**
++       * @j_list_lock: Protects the buffer lists and internal buffer state.
+        */
+       spinlock_t              j_list_lock;
+-      /* Optional inode where we store the journal.  If present, all */
+-      /* journal block numbers are mapped into this inode via */
+-      /* bmap(). */
++      /**
++       * @j_inode:
++       *
++       * Optional inode where we store the journal.  If present, all
++       * journal block numbers are mapped into this inode via bmap().
++       */
+       struct inode            *j_inode;
+-      /*
++      /**
++       * @j_tail_sequence:
++       *
+        * Sequence number of the oldest transaction in the log [j_state_lock]
+        */
+       tid_t                   j_tail_sequence;
+-      /*
++      /**
++       * @j_transaction_sequence:
++       *
+        * Sequence number of the next transaction to grant [j_state_lock]
+        */
+       tid_t                   j_transaction_sequence;
+-      /*
++      /**
++       * @j_commit_sequence:
++       *
+        * Sequence number of the most recently committed transaction
+        * [j_state_lock].
+        */
+       tid_t                   j_commit_sequence;
+-      /*
++      /**
++       * @j_commit_request:
++       *
+        * Sequence number of the most recent transaction wanting commit
+        * [j_state_lock]
+        */
+       tid_t                   j_commit_request;
+-      /*
++      /**
++       * @j_uuid:
++       *
+        * Journal uuid: identifies the object (filesystem, LVM volume etc)
+        * backed by this journal.  This will eventually be replaced by an array
+        * of uuids, allowing us to index multiple devices within a single
+@@ -958,85 +997,151 @@ struct journal_s
+        */
+       __u8                    j_uuid[16];
+-      /* Pointer to the current commit thread for this journal */
++      /**
++       * @j_task: Pointer to the current commit thread for this journal.
++       */
+       struct task_struct      *j_task;
+-      /*
++      /**
++       * @j_max_transaction_buffers:
++       *
+        * Maximum number of metadata buffers to allow in a single compound
+-       * commit transaction
++       * commit transaction.
+        */
+       int                     j_max_transaction_buffers;
+-      /*
++      /**
++       * @j_commit_interval:
++       *
+        * What is the maximum transaction lifetime before we begin a commit?
+        */
+       unsigned long           j_commit_interval;
+-      /* The timer used to wakeup the commit thread: */
++      /**
++       * @j_commit_timer: The timer used to wakeup the commit thread.
++       */
+       struct timer_list       j_commit_timer;
+-      /*
+-       * The revoke table: maintains the list of revoked blocks in the
+-       * current transaction.  [j_revoke_lock]
++      /**
++       * @j_revoke_lock: Protect the revoke table.
+        */
+       spinlock_t              j_revoke_lock;
++
++      /**
++       * @j_revoke:
++       *
++       * The revoke table - maintains the list of revoked blocks in the
++       * current transaction.
++       */
+       struct jbd2_revoke_table_s *j_revoke;
++
++      /**
++       * @j_revoke_table: Alternate revoke tables for j_revoke.
++       */
+       struct jbd2_revoke_table_s *j_revoke_table[2];
+-      /*
+-       * array of bhs for jbd2_journal_commit_transaction
++      /**
++       * @j_wbuf: Array of bhs for jbd2_journal_commit_transaction.
+        */
+       struct buffer_head      **j_wbuf;
++
++      /**
++       * @j_wbufsize:
++       *
++       * Size of @j_wbuf array.
++       */
+       int                     j_wbufsize;
+-      /*
+-       * this is the pid of hte last person to run a synchronous operation
+-       * through the journal
++      /**
++       * @j_last_sync_writer:
++       *
++       * The pid of the last person to run a synchronous operation
++       * through the journal.
+        */
+       pid_t                   j_last_sync_writer;
+-      /*
+-       * the average amount of time in nanoseconds it takes to commit a
++      /**
++       * @j_average_commit_time:
++       *
++       * The average amount of time in nanoseconds it takes to commit a
+        * transaction to disk. [j_state_lock]
+        */
+       u64                     j_average_commit_time;
+-      /*
+-       * minimum and maximum times that we should wait for
+-       * additional filesystem operations to get batched into a
+-       * synchronous handle in microseconds
++      /**
++       * @j_min_batch_time:
++       *
++       * Minimum time that we should wait for additional filesystem operations
++       * to get batched into a synchronous handle in microseconds.
+        */
+       u32                     j_min_batch_time;
++
++      /**
++       * @j_max_batch_time:
++       *
++       * Maximum time that we should wait for additional filesystem operations
++       * to get batched into a synchronous handle in microseconds.
++       */
+       u32                     j_max_batch_time;
+-      /* This function is called when a transaction is closed */
++      /**
++       * @j_commit_callback:
++       *
++       * This function is called when a transaction is closed.
++       */
+       void                    (*j_commit_callback)(journal_t *,
+                                                    transaction_t *);
+       /*
+        * Journal statistics
+        */
++
++      /**
++       * @j_history_lock: Protect the transactions statistics history.
++       */
+       spinlock_t              j_history_lock;
++
++      /**
++       * @j_proc_entry: procfs entry for the jbd statistics directory.
++       */
+       struct proc_dir_entry   *j_proc_entry;
++
++      /**
++       * @j_stats: Overall statistics.
++       */
+       struct transaction_stats_s j_stats;
+-      /* Failed journal commit ID */
++      /**
++       * @j_failed_commit: Failed journal commit ID.
++       */
+       unsigned int            j_failed_commit;
+-      /*
++      /**
++       * @j_private:
++       *
+        * An opaque pointer to fs-private information.  ext3 puts its
+-       * superblock pointer here
++       * superblock pointer here.
+        */
+       void *j_private;
+-      /* Reference to checksum algorithm driver via cryptoapi */
++      /**
++       * @j_chksum_driver:
++       *
++       * Reference to checksum algorithm driver via cryptoapi.
++       */
+       struct crypto_shash *j_chksum_driver;
+-      /* Precomputed journal UUID checksum for seeding other checksums */
++      /**
++       * @j_csum_seed:
++       *
++       * Precomputed journal UUID checksum for seeding other checksums.
++       */
+       __u32 j_csum_seed;
+ #ifdef CONFIG_DEBUG_LOCK_ALLOC
+-      /*
++      /**
++       * @j_trans_commit_map:
++       *
+        * Lockdep entity to track transaction commit dependencies. Handles
+        * hold this "lock" for read, when we wait for commit, we acquire the
+        * "lock" for writing. This matches the properties of jbd2 journalling
diff --git a/queue-4.15/mbcache-initialize-entry-e_referenced-in-mb_cache_entry_create.patch b/queue-4.15/mbcache-initialize-entry-e_referenced-in-mb_cache_entry_create.patch
new file mode 100644 (file)
index 0000000..ca3b55d
--- /dev/null
@@ -0,0 +1,93 @@
+From 3876bbe27d04b848750d5310a37d6b76b593f648 Mon Sep 17 00:00:00 2001
+From: Alexander Potapenko <glider@google.com>
+Date: Sun, 7 Jan 2018 16:22:35 -0500
+Subject: mbcache: initialize entry->e_referenced in mb_cache_entry_create()
+
+From: Alexander Potapenko <glider@google.com>
+
+commit 3876bbe27d04b848750d5310a37d6b76b593f648 upstream.
+
+KMSAN reported use of uninitialized |entry->e_referenced| in a condition
+in mb_cache_shrink():
+
+==================================================================
+BUG: KMSAN: use of uninitialized memory in mb_cache_shrink+0x3b4/0xc50 fs/mbcache.c:287
+CPU: 2 PID: 816 Comm: kswapd1 Not tainted 4.11.0-rc5+ #2877
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
+01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:16 [inline]
+ dump_stack+0x172/0x1c0 lib/dump_stack.c:52
+ kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:927
+ __msan_warning_32+0x61/0xb0 mm/kmsan/kmsan_instr.c:469
+ mb_cache_shrink+0x3b4/0xc50 fs/mbcache.c:287
+ mb_cache_scan+0x67/0x80 fs/mbcache.c:321
+ do_shrink_slab mm/vmscan.c:397 [inline]
+ shrink_slab+0xc3d/0x12d0 mm/vmscan.c:500
+ shrink_node+0x208f/0x2fd0 mm/vmscan.c:2603
+ kswapd_shrink_node mm/vmscan.c:3172 [inline]
+ balance_pgdat mm/vmscan.c:3289 [inline]
+ kswapd+0x160f/0x2850 mm/vmscan.c:3478
+ kthread+0x46c/0x5f0 kernel/kthread.c:230
+ ret_from_fork+0x29/0x40 arch/x86/entry/entry_64.S:430
+chained origin:
+ save_stack_trace+0x37/0x40 arch/x86/kernel/stacktrace.c:59
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:302 [inline]
+ kmsan_save_stack mm/kmsan/kmsan.c:317 [inline]
+ kmsan_internal_chain_origin+0x12a/0x1f0 mm/kmsan/kmsan.c:547
+ __msan_store_shadow_origin_1+0xac/0x110 mm/kmsan/kmsan_instr.c:257
+ mb_cache_entry_create+0x3b3/0xc60 fs/mbcache.c:95
+ ext4_xattr_cache_insert fs/ext4/xattr.c:1647 [inline]
+ ext4_xattr_block_set+0x4c82/0x5530 fs/ext4/xattr.c:1022
+ ext4_xattr_set_handle+0x1332/0x20a0 fs/ext4/xattr.c:1252
+ ext4_xattr_set+0x4d2/0x680 fs/ext4/xattr.c:1306
+ ext4_xattr_trusted_set+0x8d/0xa0 fs/ext4/xattr_trusted.c:36
+ __vfs_setxattr+0x703/0x790 fs/xattr.c:149
+ __vfs_setxattr_noperm+0x27a/0x6f0 fs/xattr.c:180
+ vfs_setxattr fs/xattr.c:223 [inline]
+ setxattr+0x6ae/0x790 fs/xattr.c:449
+ path_setxattr+0x1eb/0x380 fs/xattr.c:468
+ SYSC_lsetxattr+0x8d/0xb0 fs/xattr.c:490
+ SyS_lsetxattr+0x77/0xa0 fs/xattr.c:486
+ entry_SYSCALL_64_fastpath+0x13/0x94
+origin:
+ save_stack_trace+0x37/0x40 arch/x86/kernel/stacktrace.c:59
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:302 [inline]
+ kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:198
+ kmsan_kmalloc+0x7f/0xe0 mm/kmsan/kmsan.c:337
+ kmem_cache_alloc+0x1c2/0x1e0 mm/slub.c:2766
+ mb_cache_entry_create+0x283/0xc60 fs/mbcache.c:86
+ ext4_xattr_cache_insert fs/ext4/xattr.c:1647 [inline]
+ ext4_xattr_block_set+0x4c82/0x5530 fs/ext4/xattr.c:1022
+ ext4_xattr_set_handle+0x1332/0x20a0 fs/ext4/xattr.c:1252
+ ext4_xattr_set+0x4d2/0x680 fs/ext4/xattr.c:1306
+ ext4_xattr_trusted_set+0x8d/0xa0 fs/ext4/xattr_trusted.c:36
+ __vfs_setxattr+0x703/0x790 fs/xattr.c:149
+ __vfs_setxattr_noperm+0x27a/0x6f0 fs/xattr.c:180
+ vfs_setxattr fs/xattr.c:223 [inline]
+ setxattr+0x6ae/0x790 fs/xattr.c:449
+ path_setxattr+0x1eb/0x380 fs/xattr.c:468
+ SYSC_lsetxattr+0x8d/0xb0 fs/xattr.c:490
+ SyS_lsetxattr+0x77/0xa0 fs/xattr.c:486
+ entry_SYSCALL_64_fastpath+0x13/0x94
+==================================================================
+
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Cc: stable@vger.kernel.org # v4.6
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/mbcache.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/mbcache.c
++++ b/fs/mbcache.c
+@@ -94,6 +94,7 @@ int mb_cache_entry_create(struct mb_cach
+       entry->e_key = key;
+       entry->e_value = value;
+       entry->e_reusable = reusable;
++      entry->e_referenced = 0;
+       head = mb_cache_entry_head(cache, key);
+       hlist_bl_lock(head);
+       hlist_bl_for_each_entry(dup, dup_node, head, e_hash_list) {
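Review bot: Setting `entry->e_referenced = 0` closes the one field KMSAN reported, but the entry is still initialised member by member, so any field not assigned in this function keeps whatever the slab object held before. The trace in the commit message shows the object coming from `kmem_cache_alloc()` at fs/mbcache.c:86, outside this hunk. Using `kmem_cache_zalloc()` there would zero the whole entry and keep a later-added field from repeating this uninitialised read. If the explicit assignment is kept, a short comment such as `/* mb_cache_shrink() reads e_referenced; start it cleared */` would record why the line exists. mb_cache_entry_create() starts and ends outside the hunk.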
diff --git a/queue-4.15/mips-cps-fix-mips_isa_level_raw-fallout.patch b/queue-4.15/mips-cps-fix-mips_isa_level_raw-fallout.patch
new file mode 100644 (file)
index 0000000..f6b5bad
--- /dev/null
@@ -0,0 +1,86 @@
+From 8dbc1864b74f5dea5a3f7c30ca8fd358a675132f Mon Sep 17 00:00:00 2001
+From: James Hogan <jhogan@kernel.org>
+Date: Fri, 2 Feb 2018 14:36:40 +0000
+Subject: MIPS: CPS: Fix MIPS_ISA_LEVEL_RAW fallout
+
+From: James Hogan <jhogan@kernel.org>
+
+commit 8dbc1864b74f5dea5a3f7c30ca8fd358a675132f upstream.
+
+Commit 17278a91e04f ("MIPS: CPS: Fix r1 .set mt assembler warning")
+added .set MIPS_ISA_LEVEL_RAW to silence warnings about .set mt on r1,
+however this can result in a MOVE being encoded as a 64-bit DADDU
+instruction on certain version of binutils (e.g. 2.22), and reserved
+instruction exceptions at runtime on 32-bit hardware.
+
+Reduce the sizes of the push/pop sections to include only instructions
+that are part of the MT ASE or which won't convert to 64-bit
+instructions after .set mips64r2/mips64r6.
+
+Reported-by: Greg Ungerer <gerg@linux-m68k.org>
+Fixes: 17278a91e04f ("MIPS: CPS: Fix r1 .set mt assembler warning")
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Paul Burton <paul.burton@mips.com>
+Cc: linux-mips@linux-mips.org
+Cc: <stable@vger.kernel.org> # 4.15
+Tested-by: Greg Ungerer <gerg@linux-m68k.org>
+Patchwork: https://patchwork.linux-mips.org/patch/18578/
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/cps-vec.S |   17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/arch/mips/kernel/cps-vec.S
++++ b/arch/mips/kernel/cps-vec.S
+@@ -388,15 +388,16 @@ LEAF(mips_cps_boot_vpes)
+ #elif defined(CONFIG_MIPS_MT)
+-      .set    push
+-      .set    MIPS_ISA_LEVEL_RAW
+-      .set    mt
+-
+       /* If the core doesn't support MT then return */
+       has_mt  t0, 5f
+       /* Enter VPE configuration state */
++      .set    push
++      .set    MIPS_ISA_LEVEL_RAW
++      .set    mt
+       dvpe
++      .set    pop
++
+       PTR_LA  t1, 1f
+       jr.hb   t1
+        nop
+@@ -422,6 +423,10 @@ LEAF(mips_cps_boot_vpes)
+       mtc0    t0, CP0_VPECONTROL
+       ehb
++      .set    push
++      .set    MIPS_ISA_LEVEL_RAW
++      .set    mt
++
+       /* Skip the VPE if its TC is not halted */
+       mftc0   t0, CP0_TCHALT
+       beqz    t0, 2f
+@@ -495,6 +500,8 @@ LEAF(mips_cps_boot_vpes)
+       ehb
+       evpe
++      .set    pop
++
+       /* Check whether this VPE is meant to be running */
+       li      t0, 1
+       sll     t0, t0, a1
+@@ -509,7 +516,7 @@ LEAF(mips_cps_boot_vpes)
+ 1:    jr.hb   t0
+        nop
+-2:    .set    pop
++2:
+ #endif /* CONFIG_MIPS_MT_SMP */
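Review bot: The re-opened `.set push` / `.set MIPS_ISA_LEVEL_RAW` / `.set mt` region that starts before `mftc0 t0, CP0_TCHALT` and closes after `evpe` spans code that lies between the inner hunks and is not shown, and nothing in the file tells a later editor why the scope was narrowed. A comment at that `.set push`, such as `/* MT ASE only: keep MOVE and other macros that may assemble to 64-bit instructions outside this region */`, would record the constraint the commit message describes. Whether every instruction left inside the region is safe under the raised ISA level cannot be checked from these hunks.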
diff --git a/queue-4.15/mips-fix-incorrect-mem-x-y-handling.patch b/queue-4.15/mips-fix-incorrect-mem-x-y-handling.patch
new file mode 100644 (file)
index 0000000..1895e11
--- /dev/null
@@ -0,0 +1,94 @@
+From 67a3ba25aa955198196f40b76b329b3ab9ad415a Mon Sep 17 00:00:00 2001
+From: Marcin Nowakowski <marcin.nowakowski@mips.com>
+Date: Thu, 1 Feb 2018 12:37:21 +0100
+Subject: MIPS: Fix incorrect mem=X@Y handling
+
+From: Marcin Nowakowski <marcin.nowakowski@mips.com>
+
+commit 67a3ba25aa955198196f40b76b329b3ab9ad415a upstream.
+
+Commit 73fbc1eba7ff ("MIPS: fix mem=X@Y commandline processing") added a
+fix to ensure that the memory range between PHYS_OFFSET and low memory
+address specified by mem= cmdline argument is not later processed by
+free_all_bootmem.  This change was incorrect for systems where the
+commandline specifies more than 1 mem argument, as it will cause all
+memory between PHYS_OFFSET and each of the memory offsets to be marked
+as reserved, which results in parts of the RAM marked as reserved
+(Creator CI20's u-boot has a default commandline argument 'mem=256M@0x0
+mem=768M@0x30000000').
+
+Change the behaviour to ensure that only the range between PHYS_OFFSET
+and the lowest start address of the memories is marked as protected.
+
+This change also ensures that the range is marked protected even if it's
+only defined through the devicetree and not only via commandline
+arguments.
+
+Reported-by: Mathieu Malaterre <mathieu.malaterre@gmail.com>
+Signed-off-by: Marcin Nowakowski <marcin.nowakowski@mips.com>
+Fixes: 73fbc1eba7ff ("MIPS: fix mem=X@Y commandline processing")
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: <stable@vger.kernel.org> # v4.11+
+Tested-by: Mathieu Malaterre <malat@debian.org>
+Patchwork: https://patchwork.linux-mips.org/patch/18562/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/setup.c |   16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/arch/mips/kernel/setup.c
++++ b/arch/mips/kernel/setup.c
+@@ -375,6 +375,7 @@ static void __init bootmem_init(void)
+       unsigned long reserved_end;
+       unsigned long mapstart = ~0UL;
+       unsigned long bootmap_size;
++      phys_addr_t ramstart = (phys_addr_t)ULLONG_MAX;
+       bool bootmap_valid = false;
+       int i;
+@@ -395,7 +396,8 @@ static void __init bootmem_init(void)
+       max_low_pfn = 0;
+       /*
+-       * Find the highest page frame number we have available.
++       * Find the highest page frame number we have available
++       * and the lowest used RAM address
+        */
+       for (i = 0; i < boot_mem_map.nr_map; i++) {
+               unsigned long start, end;
+@@ -407,6 +409,8 @@ static void __init bootmem_init(void)
+               end = PFN_DOWN(boot_mem_map.map[i].addr
+                               + boot_mem_map.map[i].size);
++              ramstart = min(ramstart, boot_mem_map.map[i].addr);
++
+ #ifndef CONFIG_HIGHMEM
+               /*
+                * Skip highmem here so we get an accurate max_low_pfn if low
+@@ -436,6 +440,13 @@ static void __init bootmem_init(void)
+               mapstart = max(reserved_end, start);
+       }
++      /*
++       * Reserve any memory between the start of RAM and PHYS_OFFSET
++       */
++      if (ramstart > PHYS_OFFSET)
++              add_memory_region(PHYS_OFFSET, ramstart - PHYS_OFFSET,
++                                BOOT_MEM_RESERVED);
++
+       if (min_low_pfn >= max_low_pfn)
+               panic("Incorrect memory mapping !!!");
+       if (min_low_pfn > ARCH_PFN_OFFSET) {
+@@ -664,9 +675,6 @@ static int __init early_parse_mem(char *
+       add_memory_region(start, size, BOOT_MEM_RAM);
+-      if (start && start > PHYS_OFFSET)
+-              add_memory_region(PHYS_OFFSET, start - PHYS_OFFSET,
+-                              BOOT_MEM_RESERVED);
+       return 0;
+ }
+ early_param("mem", early_parse_mem);
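Review bot: The new comment `Reserve any memory between the start of RAM and PHYS_OFFSET` in bootmem_init() reads as if RAM started below PHYS_OFFSET, while the code reserves the range from PHYS_OFFSET up to `ramstart`; `/* Reserve [PHYS_OFFSET, ramstart): the gap below the lowest RAM region */` says what the call does. `ramstart` also keeps its `ULLONG_MAX` sentinel if the loop never reaches the `min()` line, in which case the reservation would cover everything above PHYS_OFFSET. The `min_low_pfn >= max_low_pfn` panic that follows probably catches that case, but the parts of the loop that decide it are outside the hunks, as are the start and end of bootmem_init().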
diff --git a/queue-4.15/mips-fix-typo-big_endian-to-cpu_big_endian.patch b/queue-4.15/mips-fix-typo-big_endian-to-cpu_big_endian.patch
new file mode 100644 (file)
index 0000000..217dcbd
--- /dev/null
@@ -0,0 +1,52 @@
+From 2e6522c565522a2e18409c315c49d78c8b74807b Mon Sep 17 00:00:00 2001
+From: Corentin Labbe <clabbe.montjoie@gmail.com>
+Date: Wed, 17 Jan 2018 19:56:38 +0100
+Subject: MIPS: Fix typo BIG_ENDIAN to CPU_BIG_ENDIAN
+
+From: Corentin Labbe <clabbe.montjoie@gmail.com>
+
+commit 2e6522c565522a2e18409c315c49d78c8b74807b upstream.
+
+MIPS_GENERIC selects some options conditional on BIG_ENDIAN which does
+not exist.
+
+Replace BIG_ENDIAN with CPU_BIG_ENDIAN which is the correct kconfig
+name. Note that BMIPS_GENERIC does the same which confirms that this
+patch is needed.
+
+Fixes: eed0eabd12ef0 ("MIPS: generic: Introduce generic DT-based board support")
+Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
+Reviewed-by: James Hogan <jhogan@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: <stable@vger.kernel.org> # 4.9+
+Patchwork: https://patchwork.linux-mips.org/patch/18495/
+[jhogan@kernel.org: Clean up commit message]
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/Kconfig |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/mips/Kconfig
++++ b/arch/mips/Kconfig
+@@ -119,12 +119,12 @@ config MIPS_GENERIC
+       select SYS_SUPPORTS_MULTITHREADING
+       select SYS_SUPPORTS_RELOCATABLE
+       select SYS_SUPPORTS_SMARTMIPS
+-      select USB_EHCI_BIG_ENDIAN_DESC if BIG_ENDIAN
+-      select USB_EHCI_BIG_ENDIAN_MMIO if BIG_ENDIAN
+-      select USB_OHCI_BIG_ENDIAN_DESC if BIG_ENDIAN
+-      select USB_OHCI_BIG_ENDIAN_MMIO if BIG_ENDIAN
+-      select USB_UHCI_BIG_ENDIAN_DESC if BIG_ENDIAN
+-      select USB_UHCI_BIG_ENDIAN_MMIO if BIG_ENDIAN
++      select USB_EHCI_BIG_ENDIAN_DESC if CPU_BIG_ENDIAN
++      select USB_EHCI_BIG_ENDIAN_MMIO if CPU_BIG_ENDIAN
++      select USB_OHCI_BIG_ENDIAN_DESC if CPU_BIG_ENDIAN
++      select USB_OHCI_BIG_ENDIAN_MMIO if CPU_BIG_ENDIAN
++      select USB_UHCI_BIG_ENDIAN_DESC if CPU_BIG_ENDIAN
++      select USB_UHCI_BIG_ENDIAN_MMIO if CPU_BIG_ENDIAN
+       select USE_OF
+       help
+         Select this to build a kernel which aims to support multiple boards,
diff --git a/queue-4.15/mlx5-fix-mlx5_get_vector_affinity-to-start-from-completion-vector-0.patch b/queue-4.15/mlx5-fix-mlx5_get_vector_affinity-to-start-from-completion-vector-0.patch
new file mode 100644 (file)
index 0000000..1668294
--- /dev/null
@@ -0,0 +1,41 @@
+From 2572cf57d75a7f91835d9a38771e9e76d575d122 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Mon, 5 Feb 2018 16:24:52 +0200
+Subject: mlx5: fix mlx5_get_vector_affinity to start from completion vector 0
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+commit 2572cf57d75a7f91835d9a38771e9e76d575d122 upstream.
+
+The consumers of this routine expects the affinity map of of vector
+index relative to the first completion vector. The upper layers are
+not aware of internal/private completion vectors that mlx5 allocates
+for its own usage.
+
+Hence, return the affinity map of vector index relative to the first
+completion vector.
+
+Fixes: 05e0cc84e00c ("net/mlx5: Fix get vector affinity helper function")
+Reported-by: Logan Gunthorpe <logang@deltatee.com>
+Tested-by: Max Gurtovoy <maxg@mellanox.com>
+Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
+Cc: <stable@vger.kernel.org> # v4.15
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/mlx5/driver.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -1238,7 +1238,7 @@ mlx5_get_vector_affinity(struct mlx5_cor
+       int eqn;
+       int err;
+-      err = mlx5_vector2eqn(dev, vector, &eqn, &irq);
++      err = mlx5_vector2eqn(dev, MLX5_EQ_VEC_COMP_BASE + vector, &eqn, &irq);
+       if (err)
+               return NULL;
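Review bot: `vector` is added to `MLX5_EQ_VEC_COMP_BASE` in mlx5_get_vector_affinity() with no range check visible in the hunk, and the helper does not say that its argument is now relative to the first completion vector. A comment above the call, e.g. `/* vector is relative to the first completion vector; the driver's private vectors sit below MLX5_EQ_VEC_COMP_BASE */`, would make the contract explicit for callers. Whether mlx5_vector2eqn() rejects an index past the last completion vector is not shown here; if it does, the existing `return NULL` path covers it. The function starts and ends outside the hunk.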
diff --git a/queue-4.15/mm-fix-memory-size-alignment-in-devm_memremap_pages_release.patch b/queue-4.15/mm-fix-memory-size-alignment-in-devm_memremap_pages_release.patch
new file mode 100644 (file)
index 0000000..eb17dad
--- /dev/null
@@ -0,0 +1,41 @@
+From 10a0cd6e4932b5078215b1ec2c896597eec0eff9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20H=2E=20Sch=C3=B6nherr?= <jschoenh@amazon.de>
+Date: Fri, 19 Jan 2018 16:27:54 -0800
+Subject: mm: Fix memory size alignment in devm_memremap_pages_release()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jan H. Schönherr <jschoenh@amazon.de>
+
+commit 10a0cd6e4932b5078215b1ec2c896597eec0eff9 upstream.
+
+The functions devm_memremap_pages() and devm_memremap_pages_release() use
+different ways to calculate the section-aligned amount of memory. The
+latter function may use an incorrect size if the memory region is small
+but straddles a section border.
+
+Use the same code for both.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 5f29a77cd957 ("mm: fix mixed zone detection in devm_memremap_pages")
+Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/memremap.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/memremap.c
++++ b/kernel/memremap.c
+@@ -301,7 +301,8 @@ static void devm_memremap_pages_release(
+       /* pages are dead and unused, undo the arch mapping */
+       align_start = res->start & ~(SECTION_SIZE - 1);
+-      align_size = ALIGN(resource_size(res), SECTION_SIZE);
++      align_size = ALIGN(res->start + resource_size(res), SECTION_SIZE)
++              - align_start;
+       mem_hotplug_begin();
+       arch_remove_memory(align_start, align_size);
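Review bot: The size computation in devm_memremap_pages_release() is now a second hand-written copy of the one the commit message attributes to devm_memremap_pages(), which is how the two drifted apart in the first place. A small static helper that returns the section-aligned size for a `struct resource`, called from both functions, would keep the map and unmap paths covering the same range; a release that removes a different range than was mapped is hard to notice afterwards. devm_memremap_pages() is not part of this hunk, so the exact expression it uses should be checked before sharing it.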
diff --git a/queue-4.15/mm-hide-a-warning-for-compile_test.patch b/queue-4.15/mm-hide-a-warning-for-compile_test.patch
new file mode 100644 (file)
index 0000000..71d1544
--- /dev/null
@@ -0,0 +1,39 @@
+From af27d9403f5b80685b79c88425086edccecaf711 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 16 Feb 2018 16:25:53 +0100
+Subject: mm: hide a #warning for COMPILE_TEST
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit af27d9403f5b80685b79c88425086edccecaf711 upstream.
+
+We get a warning about some slow configurations in randconfig kernels:
+
+  mm/memory.c:83:2: error: #warning Unfortunate NUMA and NUMA Balancing config, growing page-frame for last_cpupid. [-Werror=cpp]
+
+The warning is reasonable by itself, but gets in the way of randconfig
+build testing, so I'm hiding it whenever CONFIG_COMPILE_TEST is set.
+
+The warning was added in 2013 in commit 75980e97dacc ("mm: fold
+page->_last_nid into page->flags where possible").
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memory.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -81,7 +81,7 @@
+ #include "internal.h"
+-#ifdef LAST_CPUPID_NOT_IN_PAGE_FLAGS
++#if defined(LAST_CPUPID_NOT_IN_PAGE_FLAGS) && !defined(CONFIG_COMPILE_TEST)
+ #warning Unfortunate NUMA and NUMA Balancing config, growing page-frame for last_cpupid.
+ #endif
diff --git a/queue-4.15/mmc-bcm2835-don-t-overwrite-max-frequency-unconditionally.patch b/queue-4.15/mmc-bcm2835-don-t-overwrite-max-frequency-unconditionally.patch
new file mode 100644 (file)
index 0000000..f6bdcbe
--- /dev/null
@@ -0,0 +1,35 @@
+From 118032be389009b07ecb5a03ffe219a89d421def Mon Sep 17 00:00:00 2001
+From: Phil Elwell <phil@raspberrypi.org>
+Date: Mon, 12 Feb 2018 21:13:44 +0100
+Subject: mmc: bcm2835: Don't overwrite max frequency unconditionally
+
+From: Phil Elwell <phil@raspberrypi.org>
+
+commit 118032be389009b07ecb5a03ffe219a89d421def upstream.
+
+The optional DT parameter max-frequency could init the max bus frequency.
+So take care of this, before setting the max bus frequency.
+
+Fixes: 660fc733bd74 ("mmc: bcm2835: Add new driver for the sdhost controller.")
+Signed-off-by: Phil Elwell <phil@raspberrypi.org>
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Cc: <stable@vger.kernel.org> # 4.12+
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/bcm2835.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/bcm2835.c
++++ b/drivers/mmc/host/bcm2835.c
+@@ -1265,7 +1265,8 @@ static int bcm2835_add_host(struct bcm28
+       char pio_limit_string[20];
+       int ret;
+-      mmc->f_max = host->max_clk;
++      if (!mmc->f_max || mmc->f_max > host->max_clk)
++              mmc->f_max = host->max_clk;
+       mmc->f_min = host->max_clk / SDCDIV_MAX_CDIV;
+       mmc->max_busy_timeout = ~0 / (mmc->f_max / 1000);
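Review bot: A preset `f_max` below 1000 Hz now reaches the context line `mmc->max_busy_timeout = ~0 / (mmc->f_max / 1000);` in bcm2835_add_host(), where `mmc->f_max / 1000` is zero and the division faults; before this change `f_max` was always `host->max_clk`. The new condition also accepts an `f_max` smaller than the `f_min` computed on the next line. Computing `f_min` first and treating anything below it as unset handles the second case, and the first as long as `f_min` is at least 1000: `if (!mmc->f_max || mmc->f_max < mmc->f_min || mmc->f_max > host->max_clk)`. Where `f_max` is populated from the device tree is outside the hunk, and the function continues past it.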
diff --git a/queue-4.15/mmc-sdhci-implement-an-sdhci-specific-bounce-buffer.patch b/queue-4.15/mmc-sdhci-implement-an-sdhci-specific-bounce-buffer.patch
new file mode 100644 (file)
index 0000000..99135bc
--- /dev/null
@@ -0,0 +1,307 @@
+From bd9b902798ab14d19ca116b10bde581ddff8f905 Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Mon, 29 Jan 2018 00:44:53 +0100
+Subject: mmc: sdhci: Implement an SDHCI-specific bounce buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit bd9b902798ab14d19ca116b10bde581ddff8f905 upstream.
+
+The bounce buffer is gone from the MMC core, and now we found out
+that there are some (crippled) i.MX boards out there that have broken
+ADMA (cannot do scatter-gather), and also broken PIO so they must
+use SDMA. Closer examination shows a less significant slowdown
+also on SDMA-only capable Laptop hosts.
+
+SDMA sets down the number of segments to one, so that each segment
+gets turned into a singular request that ping-pongs to the block
+layer before the next request/segment is issued.
+
+Apparently it happens a lot that the block layer send requests
+that include a lot of physically discontiguous segments. My guess
+is that this phenomenon is coming from the file system.
+
+These devices that cannot handle scatterlists in hardware can see
+major benefits from a DMA-contiguous bounce buffer.
+
+This patch accumulates those fragmented scatterlists in a physically
+contiguous bounce buffer so that we can issue bigger DMA data chunks
+to/from the card.
+
+When tested with a PCI-integrated host (1217:8221) that
+only supports SDMA:
+0b:00.0 SD Host controller: O2 Micro, Inc. OZ600FJ0/OZ900FJ0/OZ600FJS
+        SD/MMC Card Reader Controller (rev 05)
+This patch gave ~1Mbyte/s improved throughput on large reads and
+writes when testing using iozone than without the patch.
+
+dmesg:
+sdhci-pci 0000:0b:00.0: SDHCI controller found [1217:8221] (rev 5)
+mmc0 bounce up to 128 segments into one, max segment size 65536 bytes
+mmc0: SDHCI controller on PCI [0000:0b:00.0] using DMA
+
+On the i.MX SDHCI controllers on the crippled i.MX 25 and i.MX 35
+the patch restores the performance to what it was before we removed
+the bounce buffers.
+
+Cc: Pierre Ossman <pierre@ossman.eu>
+Cc: Benoît Thébaudeau <benoit@wsystem.com>
+Cc: Fabio Estevam <fabio.estevam@nxp.com>
+Cc: Benjamin Beckmeyer <beckmeyer.b@rittal.de>
+Cc: stable@vger.kernel.org # v4.14+
+Fixes: de3ee99b097d ("mmc: Delete bounce buffer handling")
+Tested-by: Benjamin Beckmeyer <beckmeyer.b@rittal.de>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci.c |  164 ++++++++++++++++++++++++++++++++++++++++++++---
+ drivers/mmc/host/sdhci.h |    3 
+ 2 files changed, 159 insertions(+), 8 deletions(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -21,6 +21,7 @@
+ #include <linux/dma-mapping.h>
+ #include <linux/slab.h>
+ #include <linux/scatterlist.h>
++#include <linux/sizes.h>
+ #include <linux/swiotlb.h>
+ #include <linux/regulator/consumer.h>
+ #include <linux/pm_runtime.h>
+@@ -502,8 +503,35 @@ static int sdhci_pre_dma_transfer(struct
+       if (data->host_cookie == COOKIE_PRE_MAPPED)
+               return data->sg_count;
+-      sg_count = dma_map_sg(mmc_dev(host->mmc), data->sg, data->sg_len,
+-                            mmc_get_dma_dir(data));
++      /* Bounce write requests to the bounce buffer */
++      if (host->bounce_buffer) {
++              unsigned int length = data->blksz * data->blocks;
++
++              if (length > host->bounce_buffer_size) {
++                      pr_err("%s: asked for transfer of %u bytes exceeds bounce buffer %u bytes\n",
++                             mmc_hostname(host->mmc), length,
++                             host->bounce_buffer_size);
++                      return -EIO;
++              }
++              if (mmc_get_dma_dir(data) == DMA_TO_DEVICE) {
++                      /* Copy the data to the bounce buffer */
++                      sg_copy_to_buffer(data->sg, data->sg_len,
++                                        host->bounce_buffer,
++                                        length);
++              }
++              /* Switch ownership to the DMA */
++              dma_sync_single_for_device(host->mmc->parent,
++                                         host->bounce_addr,
++                                         host->bounce_buffer_size,
++                                         mmc_get_dma_dir(data));
++              /* Just a dummy value */
++              sg_count = 1;
++      } else {
++              /* Just access the data directly from memory */
++              sg_count = dma_map_sg(mmc_dev(host->mmc),
++                                    data->sg, data->sg_len,
++                                    mmc_get_dma_dir(data));
++      }
+       if (sg_count == 0)
+               return -ENOSPC;
+@@ -673,6 +701,14 @@ static void sdhci_adma_table_post(struct
+       }
+ }
++static u32 sdhci_sdma_address(struct sdhci_host *host)
++{
++      if (host->bounce_buffer)
++              return host->bounce_addr;
++      else
++              return sg_dma_address(host->data->sg);
++}
++
+ static u8 sdhci_calc_timeout(struct sdhci_host *host, struct mmc_command *cmd)
+ {
+       u8 count;
+@@ -858,8 +894,8 @@ static void sdhci_prepare_data(struct sd
+                                            SDHCI_ADMA_ADDRESS_HI);
+               } else {
+                       WARN_ON(sg_cnt != 1);
+-                      sdhci_writel(host, sg_dma_address(data->sg),
+-                              SDHCI_DMA_ADDRESS);
++                      sdhci_writel(host, sdhci_sdma_address(host),
++                                   SDHCI_DMA_ADDRESS);
+               }
+       }
+@@ -2248,7 +2284,12 @@ static void sdhci_pre_req(struct mmc_hos
+       mrq->data->host_cookie = COOKIE_UNMAPPED;
+-      if (host->flags & SDHCI_REQ_USE_DMA)
++      /*
++       * No pre-mapping in the pre hook if we're using the bounce buffer,
++       * for that we would need two bounce buffers since one buffer is
++       * in flight when this is getting called.
++       */
++      if (host->flags & SDHCI_REQ_USE_DMA && !host->bounce_buffer)
+               sdhci_pre_dma_transfer(host, mrq->data, COOKIE_PRE_MAPPED);
+ }
+@@ -2352,8 +2393,45 @@ static bool sdhci_request_done(struct sd
+               struct mmc_data *data = mrq->data;
+               if (data && data->host_cookie == COOKIE_MAPPED) {
+-                      dma_unmap_sg(mmc_dev(host->mmc), data->sg, data->sg_len,
+-                                   mmc_get_dma_dir(data));
++                      if (host->bounce_buffer) {
++                              /*
++                               * On reads, copy the bounced data into the
++                               * sglist
++                               */
++                              if (mmc_get_dma_dir(data) == DMA_FROM_DEVICE) {
++                                      unsigned int length = data->bytes_xfered;
++
++                                      if (length > host->bounce_buffer_size) {
++                                              pr_err("%s: bounce buffer is %u bytes but DMA claims to have transferred %u bytes\n",
++                                                     mmc_hostname(host->mmc),
++                                                     host->bounce_buffer_size,
++                                                     data->bytes_xfered);
++                                              /* Cap it down and continue */
++                                              length = host->bounce_buffer_size;
++                                      }
++                                      dma_sync_single_for_cpu(
++                                              host->mmc->parent,
++                                              host->bounce_addr,
++                                              host->bounce_buffer_size,
++                                              DMA_FROM_DEVICE);
++                                      sg_copy_from_buffer(data->sg,
++                                              data->sg_len,
++                                              host->bounce_buffer,
++                                              length);
++                              } else {
++                                      /* No copying, just switch ownership */
++                                      dma_sync_single_for_cpu(
++                                              host->mmc->parent,
++                                              host->bounce_addr,
++                                              host->bounce_buffer_size,
++                                              mmc_get_dma_dir(data));
++                              }
++                      } else {
++                              /* Unmap the raw data */
++                              dma_unmap_sg(mmc_dev(host->mmc), data->sg,
++                                           data->sg_len,
++                                           mmc_get_dma_dir(data));
++                      }
+                       data->host_cookie = COOKIE_UNMAPPED;
+               }
+       }
+@@ -2636,7 +2714,8 @@ static void sdhci_data_irq(struct sdhci_
+                */
+               if (intmask & SDHCI_INT_DMA_END) {
+                       u32 dmastart, dmanow;
+-                      dmastart = sg_dma_address(host->data->sg);
++
++                      dmastart = sdhci_sdma_address(host);
+                       dmanow = dmastart + host->data->bytes_xfered;
+                       /*
+                        * Force update to the next DMA block boundary.
+@@ -3217,6 +3296,68 @@ void __sdhci_read_caps(struct sdhci_host
+ }
+ EXPORT_SYMBOL_GPL(__sdhci_read_caps);
++static int sdhci_allocate_bounce_buffer(struct sdhci_host *host)
++{
++      struct mmc_host *mmc = host->mmc;
++      unsigned int max_blocks;
++      unsigned int bounce_size;
++      int ret;
++
++      /*
++       * Cap the bounce buffer at 64KB. Using a bigger bounce buffer
++       * has diminishing returns, this is probably because SD/MMC
++       * cards are usually optimized to handle this size of requests.
++       */
++      bounce_size = SZ_64K;
++      /*
++       * Adjust downwards to maximum request size if this is less
++       * than our segment size, else hammer down the maximum
++       * request size to the maximum buffer size.
++       */
++      if (mmc->max_req_size < bounce_size)
++              bounce_size = mmc->max_req_size;
++      max_blocks = bounce_size / 512;
++
++      /*
++       * When we just support one segment, we can get significant
++       * speedups by the help of a bounce buffer to group scattered
++       * reads/writes together.
++       */
++      host->bounce_buffer = devm_kmalloc(mmc->parent,
++                                         bounce_size,
++                                         GFP_KERNEL);
++      if (!host->bounce_buffer) {
++              pr_err("%s: failed to allocate %u bytes for bounce buffer, falling back to single segments\n",
++                     mmc_hostname(mmc),
++                     bounce_size);
++              /*
++               * Exiting with zero here makes sure we proceed with
++               * mmc->max_segs == 1.
++               */
++              return 0;
++      }
++
++      host->bounce_addr = dma_map_single(mmc->parent,
++                                         host->bounce_buffer,
++                                         bounce_size,
++                                         DMA_BIDIRECTIONAL);
++      ret = dma_mapping_error(mmc->parent, host->bounce_addr);
++      if (ret)
++              /* Again fall back to max_segs == 1 */
++              return 0;
++      host->bounce_buffer_size = bounce_size;
++
++      /* Lie about this since we're bouncing */
++      mmc->max_segs = max_blocks;
++      mmc->max_seg_size = bounce_size;
++      mmc->max_req_size = bounce_size;
++
++      pr_info("%s bounce up to %u segments into one, max segment size %u bytes\n",
++              mmc_hostname(mmc), max_blocks, bounce_size);
++
++      return 0;
++}
++
+ int sdhci_setup_host(struct sdhci_host *host)
+ {
+       struct mmc_host *mmc;
+@@ -3713,6 +3854,13 @@ int sdhci_setup_host(struct sdhci_host *
+        */
+       mmc->max_blk_count = (host->quirks & SDHCI_QUIRK_NO_MULTIBLOCK) ? 1 : 65535;
++      if (mmc->max_segs == 1) {
++              /* This may alter mmc->*_blk_* parameters */
++              ret = sdhci_allocate_bounce_buffer(host);
++              if (ret)
++                      return ret;
++      }
++
+       return 0;
+ unreg:
+--- a/drivers/mmc/host/sdhci.h
++++ b/drivers/mmc/host/sdhci.h
+@@ -440,6 +440,9 @@ struct sdhci_host {
+       int irq;                /* Device IRQ */
+       void __iomem *ioaddr;   /* Mapped address */
++      char *bounce_buffer;    /* For packing SDMA reads/writes */
++      dma_addr_t bounce_addr;
++      unsigned int bounce_buffer_size;
+       const struct sdhci_ops *ops;    /* Low level hw interface */
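Review bot: In sdhci_allocate_bounce_buffer(), the `dma_mapping_error()` branch returns 0 with `host->bounce_buffer` still pointing at the allocation and `host->bounce_buffer_size` never assigned, so the intended fallback to single segments does not happen. Every later `if (host->bounce_buffer)` test in sdhci_pre_dma_transfer(), sdhci_sdma_address() and sdhci_request_done() then takes the bounce path with an address that was never mapped. If the host structure is zero-initialised, the length check in sdhci_pre_dma_transfer() would fail each transfer with -EIO. The branch should release and clear the pointer before returning: `devm_kfree(mmc->parent, host->bounce_buffer); host->bounce_buffer = NULL;`. The bare `512` in `max_blocks = bounce_size / 512` also deserves a name or a comment.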
diff --git a/queue-4.15/mpls-nospec-sanitize-array-index-in-mpls_label_ok.patch b/queue-4.15/mpls-nospec-sanitize-array-index-in-mpls_label_ok.patch
new file mode 100644 (file)
index 0000000..9b71fb2
--- /dev/null
@@ -0,0 +1,107 @@
+From 3968523f855050b8195134da951b87c20bd66130 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Wed, 7 Feb 2018 22:34:24 -0800
+Subject: mpls, nospec: Sanitize array index in mpls_label_ok()
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit 3968523f855050b8195134da951b87c20bd66130 upstream.
+
+mpls_label_ok() validates that the 'platform_label' array index from a
+userspace netlink message payload is valid. Under speculation the
+mpls_label_ok() result may not resolve in the CPU pipeline until after
+the index is used to access an array element. Sanitize the index to zero
+to prevent userspace-controlled arbitrary out-of-bounds speculation, a
+precursor for a speculative execution side channel vulnerability.
+
+Cc: <stable@vger.kernel.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mpls/af_mpls.c |   24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+--- a/net/mpls/af_mpls.c
++++ b/net/mpls/af_mpls.c
+@@ -8,6 +8,7 @@
+ #include <linux/ipv6.h>
+ #include <linux/mpls.h>
+ #include <linux/netconf.h>
++#include <linux/nospec.h>
+ #include <linux/vmalloc.h>
+ #include <linux/percpu.h>
+ #include <net/ip.h>
+@@ -935,24 +936,27 @@ errout:
+       return err;
+ }
+-static bool mpls_label_ok(struct net *net, unsigned int index,
++static bool mpls_label_ok(struct net *net, unsigned int *index,
+                         struct netlink_ext_ack *extack)
+ {
++      bool is_ok = true;
++
+       /* Reserved labels may not be set */
+-      if (index < MPLS_LABEL_FIRST_UNRESERVED) {
++      if (*index < MPLS_LABEL_FIRST_UNRESERVED) {
+               NL_SET_ERR_MSG(extack,
+                              "Invalid label - must be MPLS_LABEL_FIRST_UNRESERVED or higher");
+-              return false;
++              is_ok = false;
+       }
+       /* The full 20 bit range may not be supported. */
+-      if (index >= net->mpls.platform_labels) {
++      if (is_ok && *index >= net->mpls.platform_labels) {
+               NL_SET_ERR_MSG(extack,
+                              "Label >= configured maximum in platform_labels");
+-              return false;
++              is_ok = false;
+       }
+-      return true;
++      *index = array_index_nospec(*index, net->mpls.platform_labels);
++      return is_ok;
+ }
+ static int mpls_route_add(struct mpls_route_config *cfg,
+@@ -975,7 +979,7 @@ static int mpls_route_add(struct mpls_ro
+               index = find_free_label(net);
+       }
+-      if (!mpls_label_ok(net, index, extack))
++      if (!mpls_label_ok(net, &index, extack))
+               goto errout;
+       /* Append makes no sense with mpls */
+@@ -1052,7 +1056,7 @@ static int mpls_route_del(struct mpls_ro
+       index = cfg->rc_label;
+-      if (!mpls_label_ok(net, index, extack))
++      if (!mpls_label_ok(net, &index, extack))
+               goto errout;
+       mpls_route_update(net, index, NULL, &cfg->rc_nlinfo);
+@@ -1810,7 +1814,7 @@ static int rtm_to_route_config(struct sk
+                               goto errout;
+                       if (!mpls_label_ok(cfg->rc_nlinfo.nl_net,
+-                                         cfg->rc_label, extack))
++                                         &cfg->rc_label, extack))
+                               goto errout;
+                       break;
+               }
+@@ -2137,7 +2141,7 @@ static int mpls_getroute(struct sk_buff
+                       goto errout;
+               }
+-              if (!mpls_label_ok(net, in_label, extack)) {
++              if (!mpls_label_ok(net, &in_label, extack)) {
+                       err = -EINVAL;
+                       goto errout;
+               }
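Review bot: mpls_label_ok() keeps a predicate name but now writes through `index`, clamping it with `array_index_nospec()` even on the failure paths, and nothing at the definition says so. In rtm_to_route_config() this means `cfg->rc_label` is modified in place by what reads as a validation call. A comment above the function, e.g. `/* Validates *index and sanitizes it in place against speculative out-of-bounds use; callers must index with the value left in *index */`, would keep a later caller from validating a copy and indexing with the original. The array accesses that consume the sanitized index are outside these hunks.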
diff --git a/queue-4.15/pci-disable-msi-for-hisilicon-hip06-hip07-only-in-root-port-mode.patch b/queue-4.15/pci-disable-msi-for-hisilicon-hip06-hip07-only-in-root-port-mode.patch
new file mode 100644 (file)
index 0000000..ddc4494
--- /dev/null
@@ -0,0 +1,40 @@
+From deb86999323661c019ef2740eb9d479d1e526b5c Mon Sep 17 00:00:00 2001
+From: Dongdong Liu <liudongdong3@huawei.com>
+Date: Thu, 28 Dec 2017 17:53:32 +0800
+Subject: PCI: Disable MSI for HiSilicon Hip06/Hip07 only in Root Port mode
+
+From: Dongdong Liu <liudongdong3@huawei.com>
+
+commit deb86999323661c019ef2740eb9d479d1e526b5c upstream.
+
+HiSilicon Hip06/Hip07 can operate as either a Root Port or an Endpoint.  It
+always advertises an MSI capability, but it can only generate MSIs when in
+Endpoint mode.
+
+The device has the same Vendor and Device IDs in both modes, so check the
+Class Code and disable MSI only when operating as a Root Port.
+
+[bhelgaas: changelog]
+Fixes: 72f2ff0deb87 ("PCI: Disable MSI for HiSilicon Hip06/Hip07 Root Ports")
+Signed-off-by: Dongdong Liu <liudongdong3@huawei.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Zhou Wang <wangzhou1@hisilicon.com>
+Cc: stable@vger.kernel.org     # v4.11+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/quirks.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -1636,8 +1636,8 @@ static void quirk_pcie_mch(struct pci_de
+ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL,  PCI_DEVICE_ID_INTEL_E7520_MCH,  quirk_pcie_mch);
+ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL,  PCI_DEVICE_ID_INTEL_E7320_MCH,  quirk_pcie_mch);
+ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL,  PCI_DEVICE_ID_INTEL_E7525_MCH,  quirk_pcie_mch);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_HUAWEI, 0x1610, quirk_pcie_mch);
++DECLARE_PCI_FIXUP_CLASS_FINAL(PCI_VENDOR_ID_HUAWEI, 0x1610, PCI_CLASS_BRIDGE_PCI, 8, quirk_pcie_mch);
+ /*
+  * It's possible for the MSI to get corrupted if shpc and acpi
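Review bot: The HUAWEI fixup line now matches on class code as well as vendor and device ID, but nothing next to it says why, and the bare `0x1610` and `8` give a reader no hint. The reasoning exists only in the commit message. A short comment above the line would keep it in the source, for example `/* Hip06/Hip07 use the same IDs as Root Port and Endpoint; MSIs cannot be generated only in Root Port mode */`.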
diff --git a/queue-4.15/pci-iproc-fix-null-pointer-dereference-for-bcma.patch b/queue-4.15/pci-iproc-fix-null-pointer-dereference-for-bcma.patch
new file mode 100644 (file)
index 0000000..d0353d5
--- /dev/null
@@ -0,0 +1,86 @@
+From 3b65ca50d24ce33cb92d88840e289135c92b40ed Mon Sep 17 00:00:00 2001
+From: Ray Jui <ray.jui@broadcom.com>
+Date: Thu, 11 Jan 2018 12:36:16 -0800
+Subject: PCI: iproc: Fix NULL pointer dereference for BCMA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ray Jui <ray.jui@broadcom.com>
+
+commit 3b65ca50d24ce33cb92d88840e289135c92b40ed upstream.
+
+With the inbound DMA mapping supported added, the iProc PCIe driver
+parses DT property "dma-ranges" through call to
+"of_pci_dma_range_parser_init()". In the case of BCMA, this results in a
+NULL pointer deference due to a missing of_node.
+
+Fix this by adding a guard in pcie-iproc-platform.c to only enable the
+inbound DMA mapping logic when DT property "dma-ranges" is present.
+
+Fixes: dd9d4e7498de3 ("PCI: iproc: Add inbound DMA mapping support")
+Reported-by: RafaÅ‚ MiÅ‚ecki <rafal@milecki.pl>
+Signed-off-by: Ray Jui <ray.jui@broadcom.com>
+[lorenzo.pieralisi@arm.com: updated commit log]
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Tested-by: RafaÅ‚ MiÅ‚ecki <rafal@milecki.pl>
+cc: <stable@vger.kernel.org> # 4.10+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/host/pcie-iproc-platform.c |    7 +++++++
+ drivers/pci/host/pcie-iproc.c          |    8 +++++---
+ drivers/pci/host/pcie-iproc.h          |    2 ++
+ 3 files changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/pci/host/pcie-iproc-platform.c
++++ b/drivers/pci/host/pcie-iproc-platform.c
+@@ -92,6 +92,13 @@ static int iproc_pcie_pltfm_probe(struct
+               pcie->need_ob_cfg = true;
+       }
++      /*
++       * DT nodes are not used by all platforms that use the iProc PCIe
++       * core driver. For platforms that require explict inbound mapping
++       * configuration, "dma-ranges" would have been present in DT
++       */
++      pcie->need_ib_cfg = of_property_read_bool(np, "dma-ranges");
++
+       /* PHY use is optional */
+       pcie->phy = devm_phy_get(dev, "pcie-phy");
+       if (IS_ERR(pcie->phy)) {
+--- a/drivers/pci/host/pcie-iproc.c
++++ b/drivers/pci/host/pcie-iproc.c
+@@ -1378,9 +1378,11 @@ int iproc_pcie_setup(struct iproc_pcie *
+               }
+       }
+-      ret = iproc_pcie_map_dma_ranges(pcie);
+-      if (ret && ret != -ENOENT)
+-              goto err_power_off_phy;
++      if (pcie->need_ib_cfg) {
++              ret = iproc_pcie_map_dma_ranges(pcie);
++              if (ret && ret != -ENOENT)
++                      goto err_power_off_phy;
++      }
+ #ifdef CONFIG_ARM
+       pcie->sysdata.private_data = pcie;
+--- a/drivers/pci/host/pcie-iproc.h
++++ b/drivers/pci/host/pcie-iproc.h
+@@ -74,6 +74,7 @@ struct iproc_msi;
+  * @ob: outbound mapping related parameters
+  * @ob_map: outbound mapping related parameters specific to the controller
+  *
++ * @need_ib_cfg: indicates SW needs to configure the inbound mapping window
+  * @ib: inbound mapping related parameters
+  * @ib_map: outbound mapping region related parameters
+  *
+@@ -101,6 +102,7 @@ struct iproc_pcie {
+       struct iproc_pcie_ob ob;
+       const struct iproc_pcie_ob_map *ob_map;
++      bool need_ib_cfg;
+       struct iproc_pcie_ib ib;
+       const struct iproc_pcie_ib_map *ib_map;
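Review bot: `need_ib_cfg` is assigned only in `iproc_pcie_pltfm_probe()`, so every other front end of the core driver depends on the field staying false by default. Allocation of `struct iproc_pcie` is outside these hunks, so zero-initialisation is assumed here rather than shown. The kernel-doc line in pcie-iproc.h could state that contract, e.g. `@need_ib_cfg: indicates SW needs to configure the inbound mapping window; left false by bus front ends without a DT node`. The added comment in the probe function also has a typo: `explict` should be `explicit`.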
diff --git a/queue-4.15/pci-keystone-fix-interrupt-controller-node-lookup.patch b/queue-4.15/pci-keystone-fix-interrupt-controller-node-lookup.patch
new file mode 100644 (file)
index 0000000..f179942
--- /dev/null
@@ -0,0 +1,57 @@
+From eac56aa3bc8af3d9b9850345d0f2da9d83529134 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 17 Nov 2017 14:38:31 +0100
+Subject: PCI: keystone: Fix interrupt-controller-node lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit eac56aa3bc8af3d9b9850345d0f2da9d83529134 upstream.
+
+Fix child-node lookup during initialisation which was using the wrong
+OF-helper and ended up searching the whole device tree depth-first
+starting at the parent rather than just matching on its children.
+
+To make things worse, the parent pci node could end up being prematurely
+freed as of_find_node_by_name() drops a reference to its first argument.
+Any matching child interrupt-controller node was also leaked.
+
+Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver")
+Cc: stable <stable@vger.kernel.org>     # 3.18
+Acked-by: Murali Karicheri <m-karicheri2@ti.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+[lorenzo.pieralisi@arm.com: updated commit subject]
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/dwc/pci-keystone.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/dwc/pci-keystone.c
++++ b/drivers/pci/dwc/pci-keystone.c
+@@ -178,7 +178,7 @@ static int ks_pcie_get_irq_controller_in
+       }
+       /* interrupt controller is in a child node */
+-      *np_temp = of_find_node_by_name(np_pcie, controller);
++      *np_temp = of_get_child_by_name(np_pcie, controller);
+       if (!(*np_temp)) {
+               dev_err(dev, "Node for %s is absent\n", controller);
+               return -EINVAL;
+@@ -187,6 +187,7 @@ static int ks_pcie_get_irq_controller_in
+       temp = of_irq_count(*np_temp);
+       if (!temp) {
+               dev_err(dev, "No IRQ entries in %s\n", controller);
++              of_node_put(*np_temp);
+               return -EINVAL;
+       }
+@@ -204,6 +205,8 @@ static int ks_pcie_get_irq_controller_in
+                       break;
+       }
++      of_node_put(*np_temp);
++
+       if (temp) {
+               *num_irqs = temp;
+               return 0;
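Review bot: The `of_node_put(*np_temp)` added after the IRQ loop drops the reference taken by `of_get_child_by_name()`, yet the success path still returns with that node stored in `*np_temp`. If a caller keeps the pointer and uses it later, it is working with a node it no longer holds a reference on; the callers are outside this hunk, so this is inferred. Either keep the reference on success and document that the caller must release it, or state the rule next to the put, e.g. `/* reference dropped here; callers must not dereference *np_temp after return */`. The function body starts and ends outside the hunk.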
diff --git a/queue-4.15/pci-pciehp-assume-nocompl-for-thunderbolt-ports.patch b/queue-4.15/pci-pciehp-assume-nocompl-for-thunderbolt-ports.patch
new file mode 100644 (file)
index 0000000..e8ba7e3
--- /dev/null
@@ -0,0 +1,80 @@
+From 493fb50e958c1c6deef7feff0b8c3855def78d75 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 17 Jan 2018 16:48:39 +0100
+Subject: PCI: pciehp: Assume NoCompl+ for Thunderbolt ports
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 493fb50e958c1c6deef7feff0b8c3855def78d75 upstream.
+
+Certain Thunderbolt 1 controllers claim to support Command Completed events
+(value of 0b in the No Command Completed Support field of the Slot
+Capabilities register) but in reality they neither set the Command
+Completed bit in the Slot Status register nor signal a Command Completed
+interrupt:
+
+  8086:1513  CV82524  [Light Ridge 4C  2010]
+  8086:151a  DSL2310  [Eagle Ridge 2C  2011]
+  8086:151b  CVL2510  [Light Peak 2C   2010]
+  8086:1547  DSL3510  [Cactus Ridge 4C 2012]
+  8086:1548  DSL3310  [Cactus Ridge 2C 2012]
+  8086:1549  DSL2210  [Port Ridge 1C   2011]
+
+All known newer chips (Redwood Ridge and onwards) set No Command Completed
+Support, indicating that they do not support Command Completed events.
+
+The user-visible impact is that after unplugging such a device, 2 seconds
+elapse until pciehp is unbound.  That's because on ->remove,
+pcie_write_cmd() is called via pcie_disable_notification() and every call
+to pcie_write_cmd() takes 2 seconds (1 second for each invocation of
+pcie_wait_cmd()):
+
+  [  337.942727] pciehp 0000:0a:00.0:pcie204: Timeout on hotplug command 0x1038 (issued 21176 msec ago)
+  [  340.014735] pciehp 0000:0a:00.0:pcie204: Timeout on hotplug command 0x0000 (issued 2072 msec ago)
+
+That by itself has always been unpleasant, but the situation has become
+worse with commit cc27b735ad3a ("PCI/portdrv: Turn off PCIe services during
+shutdown"):  Now pciehp is unbound on ->shutdown.  Because Thunderbolt
+controllers typically have 4 hotplug ports, every reboot and shutdown is
+now delayed by 8 seconds, plus another 2 seconds for every attached
+Thunderbolt 1 device.
+
+Thunderbolt hotplug slots are not physical slots that one inserts cards
+into, but rather logical hotplug slots implemented in silicon.  Devices
+appear beyond those logical slots once a PCI tunnel is established on top
+of the Thunderbolt Converged I/O switch.  One would expect commands written
+to the Slot Control register to be executed immediately by the silicon, so
+for simplicity we always assume NoCompl+ for Thunderbolt ports.
+
+Fixes: cc27b735ad3a ("PCI/portdrv: Turn off PCIe services during shutdown")
+Tested-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Cc: stable@vger.kernel.org     # v4.12+
+Cc: Sinan Kaya <okaya@codeaurora.org>
+Cc: Yehezkel Bernat <yehezkel.bernat@intel.com>
+Cc: Michael Jamet <michael.jamet@intel.com>
+Cc: Andreas Noever <andreas.noever@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/hotplug/pciehp_hpc.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/pci/hotplug/pciehp_hpc.c
++++ b/drivers/pci/hotplug/pciehp_hpc.c
+@@ -848,6 +848,13 @@ struct controller *pcie_init(struct pcie
+       if (pdev->hotplug_user_indicators)
+               slot_cap &= ~(PCI_EXP_SLTCAP_AIP | PCI_EXP_SLTCAP_PIP);
++      /*
++       * We assume no Thunderbolt controllers support Command Complete events,
++       * but some controllers falsely claim they do.
++       */
++      if (pdev->is_thunderbolt)
++              slot_cap |= PCI_EXP_SLTCAP_NCCS;
++
+       ctrl->slot_cap = slot_cap;
+       mutex_init(&ctrl->ctrl_lock);
+       init_waitqueue_head(&ctrl->queue);
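Review bot: The new comment in `pcie_init()` says "Command Complete events" where the commit text and the Slot Capabilities field say Command Completed. It also does not record what goes wrong without the override, namely the per-command timeout described in the commit message. Suggested wording: `/* Some Thunderbolt ports claim Command Completed support but never signal it; set NCCS so slot commands are not waited on until timeout. */`. That forcing the bit makes `pcie_write_cmd()` skip the wait is taken from the commit description, since that code is outside the hunk.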
diff --git a/queue-4.15/rbd-whitelist-rbd_feature_operations-feature-bit.patch b/queue-4.15/rbd-whitelist-rbd_feature_operations-feature-bit.patch
new file mode 100644 (file)
index 0000000..a179ab8
--- /dev/null
@@ -0,0 +1,39 @@
+From e573427a440fd67d3f522357d7ac901d59281948 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Tue, 16 Jan 2018 15:41:54 +0100
+Subject: rbd: whitelist RBD_FEATURE_OPERATIONS feature bit
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit e573427a440fd67d3f522357d7ac901d59281948 upstream.
+
+This feature bit restricts older clients from performing certain
+maintenance operations against an image (e.g. clone, snap create).
+krbd does not perform maintenance operations.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Jason Dillaman <dillaman@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/rbd.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/rbd.c
++++ b/drivers/block/rbd.c
+@@ -124,11 +124,13 @@ static int atomic_dec_return_safe(atomic
+ #define RBD_FEATURE_STRIPINGV2                (1ULL<<1)
+ #define RBD_FEATURE_EXCLUSIVE_LOCK    (1ULL<<2)
+ #define RBD_FEATURE_DATA_POOL         (1ULL<<7)
++#define RBD_FEATURE_OPERATIONS                (1ULL<<8)
+ #define RBD_FEATURES_ALL      (RBD_FEATURE_LAYERING |         \
+                                RBD_FEATURE_STRIPINGV2 |       \
+                                RBD_FEATURE_EXCLUSIVE_LOCK |   \
+-                               RBD_FEATURE_DATA_POOL)
++                               RBD_FEATURE_DATA_POOL |        \
++                               RBD_FEATURE_OPERATIONS)
+ /* Features supported by this (client software) implementation. */
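Review bot: `RBD_FEATURE_OPERATIONS` is added to `RBD_FEATURES_ALL` with no comment recording why the client may accept a bit whose purpose is to keep older clients away from maintenance operations. The justification (krbd performs no clone or snapshot-create operations) lives only in the commit message. If such an operation is added later, nothing in the source prompts a re-check of this mask. A one-line comment on the define would cover it: `/* krbd issues no maintenance ops (clone, snap create), so accepting this bit is safe */`. The supported-features definition that follows is outside the hunk.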
diff --git a/queue-4.15/revert-apple-gmux-lock-igp-io-to-protect-from-vgaarb-changes.patch b/queue-4.15/revert-apple-gmux-lock-igp-io-to-protect-from-vgaarb-changes.patch
new file mode 100644 (file)
index 0000000..2732dea
--- /dev/null
@@ -0,0 +1,192 @@
+From d6fa7588fd7a8def4c747c0c574ce85d453e3788 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 24 Jan 2018 19:35:45 +0100
+Subject: Revert "apple-gmux: lock iGP IO to protect from vgaarb changes"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit d6fa7588fd7a8def4c747c0c574ce85d453e3788 upstream.
+
+Commit 4eebd5a4e726 ("apple-gmux: lock iGP IO to protect from vgaarb
+changes") amended this driver's ->probe hook to lock decoding of normal
+(non-legacy) I/O space accesses to the integrated GPU on dual-GPU
+MacBook Pros.  The lock stays in place until the driver is unbound.
+
+The change was made to work around an issue with the out-of-tree nvidia
+graphics driver (available at http://www.nvidia.com/object/unix.html).
+It contains the following sequence in nvidia/nv.c:
+
+       #if defined(CONFIG_VGA_ARB) && !defined(NVCPU_PPC64LE)
+       #if defined(VGA_DEFAULT_DEVICE)
+           vga_tryget(VGA_DEFAULT_DEVICE, VGA_RSRC_LEGACY_MASK);
+       #endif
+           vga_set_legacy_decoding(dev, VGA_RSRC_NONE);
+       #endif
+
+This code was reported to cause deadlocks with VFIO already in 2013:
+https://devtalk.nvidia.com/default/topic/545560
+
+I've reported the issue to Nvidia developers once more in 2017:
+https://www.spinics.net/lists/dri-devel/msg138754.html
+
+On the MacBookPro10,1, this code apparently breaks backlight control
+(which is handled by apple-gmux via an I/O region starting at 0x700),
+as reported by Petri Hodju:
+https://bugzilla.kernel.org/show_bug.cgi?id=86121
+
+I tried to replicate Petri's observations on my MacBook9,1, which uses
+the same Intel Ivy Bridge + Nvidia GeForce GT 650M architecture, to no
+avail.  On my machine apple-gmux' I/O region remains accessible even
+with the nvidia driver loaded and commit 4eebd5a4e726 reverted.
+Petri reported that apple-gmux becomes accessible again after a
+suspend/resume cycle because the BIOS changed the VGA routing on the
+root port to the Nvidia GPU.  Perhaps this is a BIOS issue after all
+that can be fixed with an update?
+
+In any case, the change made by commit 4eebd5a4e726 has turned out to
+cause two new issues:
+
+* Wilfried Klaebe reports a deadlock when launching Xorg because it
+  opens /dev/vga_arbiter and calls vga_get(), but apple-gmux is holding
+  a lock on I/O space indefinitely.  It looks like apple-gmux' current
+  behavior is an abuse of the vgaarb API as locks are not meant to be
+  held for longer periods:
+  https://bugzilla.kernel.org/show_bug.cgi?id=88861#c11
+  https://bugzilla.kernel.org/attachment.cgi?id=217541
+
+* On dual GPU MacBook Pros introduced since 2013, the integrated GPU is
+  powergated on boot und thus becomes invisible to Linux unless a custom
+  EFI protocol is used to leave it powered on.  (A patch exists but is
+  not in mainline yet due to several negative side effects.)  On these
+  machines, locking I/O to the integrated GPU (as done by 4eebd5a4e726)
+  fails and backlight control is therefore broken:
+  https://bugzilla.kernel.org/show_bug.cgi?id=105051
+
+So let's revert commit 4eebd5a4e726 please.  Users experiencing the
+issue with the proprietary nvidia driver can comment out the above-
+quoted problematic code as a workaround (or try updating the BIOS).
+
+Cc: Petri Hodju <petrihodju@yahoo.com>
+Cc: Bjorn Helgaas <bhelgaas@google.com>
+Cc: Bruno Prémont <bonbons@linux-vserver.org>
+Cc: Andy Ritger <aritger@nvidia.com>
+Cc: Ronald Tschalär <ronald@innovation.ch>
+Tested-by: Wilfried Klaebe <linux-kernel@lebenslange-mailadresse.de>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Darren Hart (VMware) <dvhart@infradead.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/platform/x86/apple-gmux.c |   48 --------------------------------------
+ 1 file changed, 1 insertion(+), 47 deletions(-)
+
+--- a/drivers/platform/x86/apple-gmux.c
++++ b/drivers/platform/x86/apple-gmux.c
+@@ -24,7 +24,6 @@
+ #include <linux/delay.h>
+ #include <linux/pci.h>
+ #include <linux/vga_switcheroo.h>
+-#include <linux/vgaarb.h>
+ #include <acpi/video.h>
+ #include <asm/io.h>
+@@ -54,7 +53,6 @@ struct apple_gmux_data {
+       bool indexed;
+       struct mutex index_lock;
+-      struct pci_dev *pdev;
+       struct backlight_device *bdev;
+       /* switcheroo data */
+@@ -599,23 +597,6 @@ static int gmux_resume(struct device *de
+       return 0;
+ }
+-static struct pci_dev *gmux_get_io_pdev(void)
+-{
+-      struct pci_dev *pdev = NULL;
+-
+-      while ((pdev = pci_get_class(PCI_CLASS_DISPLAY_VGA << 8, pdev))) {
+-              u16 cmd;
+-
+-              pci_read_config_word(pdev, PCI_COMMAND, &cmd);
+-              if (!(cmd & PCI_COMMAND_IO))
+-                      continue;
+-
+-              return pdev;
+-      }
+-
+-      return NULL;
+-}
+-
+ static int is_thunderbolt(struct device *dev, void *data)
+ {
+       return to_pci_dev(dev)->is_thunderbolt;
+@@ -631,7 +612,6 @@ static int gmux_probe(struct pnp_dev *pn
+       int ret = -ENXIO;
+       acpi_status status;
+       unsigned long long gpe;
+-      struct pci_dev *pdev = NULL;
+       if (apple_gmux_data)
+               return -EBUSY;
+@@ -682,7 +662,7 @@ static int gmux_probe(struct pnp_dev *pn
+                       ver_minor = (version >> 16) & 0xff;
+                       ver_release = (version >> 8) & 0xff;
+               } else {
+-                      pr_info("gmux device not present or IO disabled\n");
++                      pr_info("gmux device not present\n");
+                       ret = -ENODEV;
+                       goto err_release;
+               }
+@@ -690,23 +670,6 @@ static int gmux_probe(struct pnp_dev *pn
+       pr_info("Found gmux version %d.%d.%d [%s]\n", ver_major, ver_minor,
+               ver_release, (gmux_data->indexed ? "indexed" : "classic"));
+-      /*
+-       * Apple systems with gmux are EFI based and normally don't use
+-       * VGA. In addition changing IO+MEM ownership between IGP and dGPU
+-       * disables IO/MEM used for backlight control on some systems.
+-       * Lock IO+MEM to GPU with active IO to prevent switch.
+-       */
+-      pdev = gmux_get_io_pdev();
+-      if (pdev && vga_tryget(pdev,
+-                             VGA_RSRC_NORMAL_IO | VGA_RSRC_NORMAL_MEM)) {
+-              pr_err("IO+MEM vgaarb-locking for PCI:%s failed\n",
+-                      pci_name(pdev));
+-              ret = -EBUSY;
+-              goto err_release;
+-      } else if (pdev)
+-              pr_info("locked IO for PCI:%s\n", pci_name(pdev));
+-      gmux_data->pdev = pdev;
+-
+       memset(&props, 0, sizeof(props));
+       props.type = BACKLIGHT_PLATFORM;
+       props.max_brightness = gmux_read32(gmux_data, GMUX_PORT_MAX_BRIGHTNESS);
+@@ -822,10 +785,6 @@ err_enable_gpe:
+ err_notify:
+       backlight_device_unregister(bdev);
+ err_release:
+-      if (gmux_data->pdev)
+-              vga_put(gmux_data->pdev,
+-                      VGA_RSRC_NORMAL_IO | VGA_RSRC_NORMAL_MEM);
+-      pci_dev_put(pdev);
+       release_region(gmux_data->iostart, gmux_data->iolen);
+ err_free:
+       kfree(gmux_data);
+@@ -845,11 +804,6 @@ static void gmux_remove(struct pnp_dev *
+                                          &gmux_notify_handler);
+       }
+-      if (gmux_data->pdev) {
+-              vga_put(gmux_data->pdev,
+-                      VGA_RSRC_NORMAL_IO | VGA_RSRC_NORMAL_MEM);
+-              pci_dev_put(gmux_data->pdev);
+-      }
+       backlight_device_unregister(gmux_data->bdev);
+       release_region(gmux_data->iostart, gmux_data->iolen);
diff --git a/queue-4.15/revert-mmc-meson-gx-include-tx-phase-in-the-tuning-process.patch b/queue-4.15/revert-mmc-meson-gx-include-tx-phase-in-the-tuning-process.patch
new file mode 100644 (file)
index 0000000..8a9e744
--- /dev/null
@@ -0,0 +1,74 @@
+From fe0e58048f005fdce315eb4d185e5c160be4ac01 Mon Sep 17 00:00:00 2001
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Mon, 12 Feb 2018 14:13:59 +0100
+Subject: Revert "mmc: meson-gx: include tx phase in the tuning process"
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+commit fe0e58048f005fdce315eb4d185e5c160be4ac01 upstream.
+
+This reverts commit 0a44697627d17a66d7dc98f17aeca07ca79c5c20.
+
+This commit was initially intended to fix problems with hs200 and hs400
+on some boards, mainly the odroid-c2. The OC2 (Rev 0.2) I have performs
+well in this modes, so I could not confirm these issues.
+
+We've had several reports about the issues being still present on (some)
+OC2, so apparently, this change does not do what it was supposed to do.
+Maybe the eMMC signal quality is on the edge on the board. This may
+explain the variability we see in term of stability, but this is just a
+guess. Lowering the max_frequency to 100Mhz seems to do trick for those
+affected by the issue
+
+Worse, the commit created new issues (CRC errors and hangs) on other
+boards, such as the kvim 1 and 2, the p200 or the libretech-cc.
+
+According to amlogic, the Tx phase should not be tuned and left in its
+default configuration, so it is best to just revert the commit.
+
+Fixes: 0a44697627d1 ("mmc: meson-gx: include tx phase in the tuning process")
+Cc: <stable@vger.kernel.org> # 4.14+
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/meson-gx-mmc.c |   19 +------------------
+ 1 file changed, 1 insertion(+), 18 deletions(-)
+
+--- a/drivers/mmc/host/meson-gx-mmc.c
++++ b/drivers/mmc/host/meson-gx-mmc.c
+@@ -716,22 +716,6 @@ static int meson_mmc_clk_phase_tuning(st
+ static int meson_mmc_execute_tuning(struct mmc_host *mmc, u32 opcode)
+ {
+       struct meson_host *host = mmc_priv(mmc);
+-      int ret;
+-
+-      /*
+-       * If this is the initial tuning, try to get a sane Rx starting
+-       * phase before doing the actual tuning.
+-       */
+-      if (!mmc->doing_retune) {
+-              ret = meson_mmc_clk_phase_tuning(mmc, opcode, host->rx_clk);
+-
+-              if (ret)
+-                      return ret;
+-      }
+-
+-      ret = meson_mmc_clk_phase_tuning(mmc, opcode, host->tx_clk);
+-      if (ret)
+-              return ret;
+       return meson_mmc_clk_phase_tuning(mmc, opcode, host->rx_clk);
+ }
+@@ -762,9 +746,8 @@ static void meson_mmc_set_ios(struct mmc
+               if (!IS_ERR(mmc->supply.vmmc))
+                       mmc_regulator_set_ocr(mmc, mmc->supply.vmmc, ios->vdd);
+-              /* Reset phases */
++              /* Reset rx phase */
+               clk_set_phase(host->rx_clk, 0);
+-              clk_set_phase(host->tx_clk, 270);
+               break;
diff --git a/queue-4.15/rtc-opal-fix-handling-of-firmware-error-codes-prevent-busy-loops.patch b/queue-4.15/rtc-opal-fix-handling-of-firmware-error-codes-prevent-busy-loops.patch
new file mode 100644 (file)
index 0000000..5ef0b92
--- /dev/null
@@ -0,0 +1,82 @@
+From 5b8b58063029f02da573120ef4dc9079822e3cda Mon Sep 17 00:00:00 2001
+From: Stewart Smith <stewart@linux.vnet.ibm.com>
+Date: Tue, 2 Aug 2016 11:50:16 +1000
+Subject: rtc-opal: Fix handling of firmware error codes, prevent busy loops
+
+From: Stewart Smith <stewart@linux.vnet.ibm.com>
+
+commit 5b8b58063029f02da573120ef4dc9079822e3cda upstream.
+
+According to the OPAL docs:
+  skiboot-5.2.5/doc/opal-api/opal-rtc-read-3.txt
+  skiboot-5.2.5/doc/opal-api/opal-rtc-write-4.txt
+
+OPAL_HARDWARE may be returned from OPAL_RTC_READ or OPAL_RTC_WRITE and
+this indicates either a transient or permanent error.
+
+Prior to this patch, Linux was not dealing with OPAL_HARDWARE being a
+permanent error particularly well, in that you could end up in a busy
+loop.
+
+This was not too hard to trigger on an AMI BMC based OpenPOWER machine
+doing a continuous "ipmitool mc reset cold" to the BMC, the result of
+that being that we'd get stuck in an infinite loop in
+opal_get_rtc_time().
+
+We now retry a few times before returning the error higher up the
+stack.
+
+Fixes: 16b1d26e77b1 ("rtc/tpo: Driver to support rtc and wakeup on PowerNV platform")
+Cc: stable@vger.kernel.org # v3.19+
+Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/rtc/rtc-opal.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/rtc/rtc-opal.c
++++ b/drivers/rtc/rtc-opal.c
+@@ -58,6 +58,7 @@ static void tm_to_opal(struct rtc_time *
+ static int opal_get_rtc_time(struct device *dev, struct rtc_time *tm)
+ {
+       long rc = OPAL_BUSY;
++      int retries = 10;
+       u32 y_m_d;
+       u64 h_m_s_ms;
+       __be32 __y_m_d;
+@@ -67,8 +68,11 @@ static int opal_get_rtc_time(struct devi
+               rc = opal_rtc_read(&__y_m_d, &__h_m_s_ms);
+               if (rc == OPAL_BUSY_EVENT)
+                       opal_poll_events(NULL);
+-              else
++              else if (retries-- && (rc == OPAL_HARDWARE
++                                     || rc == OPAL_INTERNAL_ERROR))
+                       msleep(10);
++              else if (rc != OPAL_BUSY && rc != OPAL_BUSY_EVENT)
++                      break;
+       }
+       if (rc != OPAL_SUCCESS)
+@@ -84,6 +88,7 @@ static int opal_get_rtc_time(struct devi
+ static int opal_set_rtc_time(struct device *dev, struct rtc_time *tm)
+ {
+       long rc = OPAL_BUSY;
++      int retries = 10;
+       u32 y_m_d = 0;
+       u64 h_m_s_ms = 0;
+@@ -92,8 +97,11 @@ static int opal_set_rtc_time(struct devi
+               rc = opal_rtc_write(y_m_d, h_m_s_ms);
+               if (rc == OPAL_BUSY_EVENT)
+                       opal_poll_events(NULL);
+-              else
++              else if (retries-- && (rc == OPAL_HARDWARE
++                                     || rc == OPAL_INTERNAL_ERROR))
+                       msleep(10);
++              else if (rc != OPAL_BUSY && rc != OPAL_BUSY_EVENT)
++                      break;
+       }
+       return rc == OPAL_SUCCESS ? 0 : -EIO;
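Review bot: In both retry loops (`opal_get_rtc_time()` and `opal_set_rtc_time()`) a plain `OPAL_BUSY` return no longer sleeps. The old `else msleep(10)` covered it, but it now falls through all three branches, so the loop spins without delay for as long as firmware reports busy. `retries--` is also evaluated before the error test, so `OPAL_BUSY` iterations consume it, and once it passes zero it becomes truthy again as a negative value. Testing the return code first, decrementing only on a hardware or internal error, and giving `OPAL_BUSY` its own sleep avoids both problems. The loop headers are outside the hunks, so whether the sleep after `OPAL_HARDWARE` leads to another attempt cannot be confirmed from here.

```c
		rc = opal_rtc_read(&__y_m_d, &__h_m_s_ms);
		if (rc == OPAL_BUSY_EVENT)
			opal_poll_events(NULL);
		else if (rc == OPAL_BUSY)
			msleep(10);
		else if ((rc == OPAL_HARDWARE || rc == OPAL_INTERNAL_ERROR) &&
			 retries-- > 0)
			msleep(10);
		else
			break;
		/* … same branch order in opal_set_rtc_time() after opal_rtc_write() … */
```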
diff --git a/queue-4.15/seq_file-fix-incomplete-reset-on-read-from-zero-offset.patch b/queue-4.15/seq_file-fix-incomplete-reset-on-read-from-zero-offset.patch
new file mode 100644 (file)
index 0000000..3215635
--- /dev/null
@@ -0,0 +1,41 @@
+From cf5eebae2cd28d37581507668605f4d23cd7218d Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 15 Nov 2017 11:34:58 +0100
+Subject: seq_file: fix incomplete reset on read from zero offset
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit cf5eebae2cd28d37581507668605f4d23cd7218d upstream.
+
+When resetting iterator on a zero offset we need to discard any data
+already in the buffer (count), and private state of the iterator (version).
+
+For example this bug results in first line being repeated in /proc/mounts
+if doing a zero size read before a non-zero size read.
+
+Reported-by: Rich Felker <dalias@libc.org>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: e522751d605d ("seq_file: reset iterator to first record for zero offset")
+Cc: <stable@vger.kernel.org> # v4.10
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/seq_file.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/seq_file.c
++++ b/fs/seq_file.c
+@@ -181,8 +181,11 @@ ssize_t seq_read(struct file *file, char
+        * if request is to read from zero offset, reset iterator to first
+        * record as it might have been already advanced by previous requests
+        */
+-      if (*ppos == 0)
++      if (*ppos == 0) {
+               m->index = 0;
++              m->version = 0;
++              m->count = 0;
++      }
+       /* Don't assume *ppos is where we left it */
+       if (unlikely(*ppos != m->read_pos)) {
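Review bot: The comment above the `*ppos == 0` branch in `seq_read()` still describes only the iterator reset, while the branch now also discards buffered output and the iterator's private version. A reader of the source alone would not learn why `count` and `version` are cleared there. Suggest extending the comment's last line to something like `* record and drop any buffered data (count) and iterator state (version)`. The body of `seq_read()` continues outside the hunk.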
index 979d937d27ee8a4bf646642b48642d43d38bab36..daebd32556b609b20cb4d6a1ad2e8d696140a1cd 100644 (file)
@@ -85,3 +85,42 @@ x86-cpu-rename-cpu_data.x86_mask-to-cpu_data.x86_stepping.patch
 x86-spectre-fix-an-error-message.patch
 x86-cpu-change-type-of-x86_cache_size-variable-to-unsigned-int.patch
 x86-entry-64-fix-cr3-restore-in-paranoid_exit.patch
+drm-ttm-don-t-add-swapped-bos-to-swap-lru-list.patch
+drm-ttm-fix-buf-pointer-update-in-ttm_bo_vm_access_kmap-v2.patch
+drm-qxl-unref-cursor-bo-when-finished-with-it.patch
+drm-qxl-reapply-cursor-after-resetting-primary.patch
+drm-amd-powerplay-fix-smu_table_entry.handle-type.patch
+drm-ast-load-lut-in-crtc_commit.patch
+drm-check-for-lessee-in-drop_master-ioctl.patch
+arm64-add-missing-falkor-part-number-for-branch-predictor-hardening.patch
+drm-radeon-add-dpm-quirk-for-jet-pro-v2.patch
+drm-radeon-adjust-tested-variable.patch
+x86-smpboot-fix-uncore_pci_remove-indexing-bug-when-hot-removing-a-physical-cpu.patch
+rtc-opal-fix-handling-of-firmware-error-codes-prevent-busy-loops.patch
+mbcache-initialize-entry-e_referenced-in-mb_cache_entry_create.patch
+mmc-sdhci-implement-an-sdhci-specific-bounce-buffer.patch
+mmc-bcm2835-don-t-overwrite-max-frequency-unconditionally.patch
+revert-mmc-meson-gx-include-tx-phase-in-the-tuning-process.patch
+mlx5-fix-mlx5_get_vector_affinity-to-start-from-completion-vector-0.patch
+revert-apple-gmux-lock-igp-io-to-protect-from-vgaarb-changes.patch
+jbd2-fix-sphinx-kernel-doc-build-warnings.patch
+ext4-fix-a-race-in-the-ext4-shutdown-path.patch
+ext4-save-error-to-disk-in-__ext4_grp_locked_error.patch
+ext4-correct-documentation-for-grpid-mount-option.patch
+mm-hide-a-warning-for-compile_test.patch
+mm-fix-memory-size-alignment-in-devm_memremap_pages_release.patch
+mips-fix-typo-big_endian-to-cpu_big_endian.patch
+mips-cps-fix-mips_isa_level_raw-fallout.patch
+mips-fix-incorrect-mem-x-y-handling.patch
+pci-disable-msi-for-hisilicon-hip06-hip07-only-in-root-port-mode.patch
+pci-iproc-fix-null-pointer-dereference-for-bcma.patch
+pci-pciehp-assume-nocompl-for-thunderbolt-ports.patch
+pci-keystone-fix-interrupt-controller-node-lookup.patch
+video-fbdev-atmel_lcdfb-fix-display-timings-lookup.patch
+console-dummy-leave-.con_font_get-set-to-null.patch
+rbd-whitelist-rbd_feature_operations-feature-bit.patch
+xen-fix-set-clear-_foreign_p2m_mapping-on-autotranslating-guests.patch
+xenbus-track-caller-request-id.patch
+seq_file-fix-incomplete-reset-on-read-from-zero-offset.patch
+tracing-fix-parsing-of-globs-with-a-wildcard-at-the-beginning.patch
+mpls-nospec-sanitize-array-index-in-mpls_label_ok.patch
diff --git a/queue-4.15/tracing-fix-parsing-of-globs-with-a-wildcard-at-the-beginning.patch b/queue-4.15/tracing-fix-parsing-of-globs-with-a-wildcard-at-the-beginning.patch
new file mode 100644 (file)
index 0000000..138f53e
--- /dev/null
@@ -0,0 +1,82 @@
+From 07234021410bbc27b7c86c18de98616c29fbe667 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Mon, 5 Feb 2018 22:18:11 -0500
+Subject: tracing: Fix parsing of globs with a wildcard at the beginning
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 07234021410bbc27b7c86c18de98616c29fbe667 upstream.
+
+Al Viro reported:
+
+    For substring - sure, but what about something like "*a*b" and "a*b"?
+    AFAICS, filter_parse_regex() ends up with identical results in both
+    cases - MATCH_GLOB and *search = "a*b".  And no way for the caller
+    to tell one from another.
+
+Testing this with the following:
+
+ # cd /sys/kernel/tracing
+ # echo '*raw*lock' > set_ftrace_filter
+ bash: echo: write error: Invalid argument
+
+With this patch:
+
+ # echo '*raw*lock' > set_ftrace_filter
+ # cat set_ftrace_filter
+_raw_read_trylock
+_raw_write_trylock
+_raw_read_unlock
+_raw_spin_unlock
+_raw_write_unlock
+_raw_spin_trylock
+_raw_spin_lock
+_raw_write_lock
+_raw_read_lock
+
+Al recommended not setting the search buffer to skip the first '*' unless we
+know we are not using MATCH_GLOB. This implements his suggested logic.
+
+Link: http://lkml.kernel.org/r/20180127170748.GF13338@ZenIV.linux.org.uk
+
+Cc: stable@vger.kernel.org
+Fixes: 60f1d5e3bac44 ("ftrace: Support full glob matching")
+Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
+Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+Suggsted-by: Al Viro <viro@ZenIV.linux.org.uk>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_events_filter.c |    9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/kernel/trace/trace_events_filter.c
++++ b/kernel/trace/trace_events_filter.c
+@@ -400,7 +400,6 @@ enum regex_type filter_parse_regex(char
+       for (i = 0; i < len; i++) {
+               if (buff[i] == '*') {
+                       if (!i) {
+-                              *search = buff + 1;
+                               type = MATCH_END_ONLY;
+                       } else if (i == len - 1) {
+                               if (type == MATCH_END_ONLY)
+@@ -410,14 +409,14 @@ enum regex_type filter_parse_regex(char
+                               buff[i] = 0;
+                               break;
+                       } else {        /* pattern continues, use full glob */
+-                              type = MATCH_GLOB;
+-                              break;
++                              return MATCH_GLOB;
+                       }
+               } else if (strchr("[?\\", buff[i])) {
+-                      type = MATCH_GLOB;
+-                      break;
++                      return MATCH_GLOB;
+               }
+       }
++      if (buff[0] == '*')
++              *search = buff + 1;
+       return type;
+ }
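Review bot: The new `if (buff[0] == '*')` test after the loop reads `buff[0]` without consulting `len`, whereas the loop above it is bounded by `i < len`. That is safe only if `buff` is always NUL-terminated at `len`, which cannot be confirmed here because the callers are not visible; writing it as `if (len > 0 && buff[0] == '*')` would keep both paths under the same bound. A one-line comment such as `/* MATCH_GLOB returned above and keeps its leading '*'; only the simple match types skip it */` would also record why the assignment moved to the end. filter_parse_regex() begins outside the hunk.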
diff --git a/queue-4.15/video-fbdev-atmel_lcdfb-fix-display-timings-lookup.patch b/queue-4.15/video-fbdev-atmel_lcdfb-fix-display-timings-lookup.patch
new file mode 100644 (file)
index 0000000..37fcae1
--- /dev/null
@@ -0,0 +1,57 @@
+From 9cb18db0701f6b74f0c45c23ad767b3ebebe37f6 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 29 Dec 2017 19:48:43 +0100
+Subject: video: fbdev: atmel_lcdfb: fix display-timings lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 9cb18db0701f6b74f0c45c23ad767b3ebebe37f6 upstream.
+
+Fix child-node lookup during probe, which ended up searching the whole
+device tree depth-first starting at the parent rather than just matching
+on its children.
+
+To make things worse, the parent display node was also prematurely
+freed.
+
+Note that the display and timings node references are never put after a
+successful dt-initialisation so the nodes would leak on later probe
+deferrals and on driver unbind.
+
+Fixes: b985172b328a ("video: atmel_lcdfb: add device tree suport")
+Cc: stable <stable@vger.kernel.org>     # 3.13
+Cc: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
+Cc: Nicolas Ferre <nicolas.ferre@microchip.com>
+Cc: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/atmel_lcdfb.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/atmel_lcdfb.c
++++ b/drivers/video/fbdev/atmel_lcdfb.c
+@@ -1119,7 +1119,7 @@ static int atmel_lcdfb_of_init(struct at
+               goto put_display_node;
+       }
+-      timings_np = of_find_node_by_name(display_np, "display-timings");
++      timings_np = of_get_child_by_name(display_np, "display-timings");
+       if (!timings_np) {
+               dev_err(dev, "failed to find display-timings node\n");
+               ret = -ENODEV;
+@@ -1140,6 +1140,12 @@ static int atmel_lcdfb_of_init(struct at
+               fb_add_videomode(&fb_vm, &info->modelist);
+       }
++      /*
++       * FIXME: Make sure we are not referencing any fields in display_np
++       * and timings_np and drop our references to them before returning to
++       * avoid leaking the nodes on probe deferral and driver unbind.
++       */
++
+       return 0;
+ put_timings_node:
diff --git a/queue-4.15/x86-smpboot-fix-uncore_pci_remove-indexing-bug-when-hot-removing-a-physical-cpu.patch b/queue-4.15/x86-smpboot-fix-uncore_pci_remove-indexing-bug-when-hot-removing-a-physical-cpu.patch
new file mode 100644 (file)
index 0000000..f3eae60
--- /dev/null
@@ -0,0 +1,113 @@
+From 295cc7eb314eb3321fb6d67ca6f7305f5c50d10f Mon Sep 17 00:00:00 2001
+From: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
+Date: Thu, 8 Feb 2018 09:19:08 -0500
+Subject: x86/smpboot: Fix uncore_pci_remove() indexing bug when hot-removing a physical CPU
+
+From: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
+
+commit 295cc7eb314eb3321fb6d67ca6f7305f5c50d10f upstream.
+
+When a physical CPU is hot-removed, the following warning messages
+are shown while the uncore device is removed in uncore_pci_remove():
+
+  WARNING: CPU: 120 PID: 5 at arch/x86/events/intel/uncore.c:988
+  uncore_pci_remove+0xf1/0x110
+  ...
+  CPU: 120 PID: 5 Comm: kworker/u1024:0 Not tainted 4.15.0-rc8 #1
+  Workqueue: kacpi_hotplug acpi_hotplug_work_fn
+  ...
+  Call Trace:
+  pci_device_remove+0x36/0xb0
+  device_release_driver_internal+0x145/0x210
+  pci_stop_bus_device+0x76/0xa0
+  pci_stop_root_bus+0x44/0x60
+  acpi_pci_root_remove+0x1f/0x80
+  acpi_bus_trim+0x54/0x90
+  acpi_bus_trim+0x2e/0x90
+  acpi_device_hotplug+0x2bc/0x4b0
+  acpi_hotplug_work_fn+0x1a/0x30
+  process_one_work+0x141/0x340
+  worker_thread+0x47/0x3e0
+  kthread+0xf5/0x130
+
+When uncore_pci_remove() runs, it tries to get the package ID to
+clear the value of uncore_extra_pci_dev[].dev[] by using
+topology_phys_to_logical_pkg(). The warning messesages are
+shown because topology_phys_to_logical_pkg() returns -1.
+
+  arch/x86/events/intel/uncore.c:
+  static void uncore_pci_remove(struct pci_dev *pdev)
+  {
+  ...
+          phys_id = uncore_pcibus_to_physid(pdev->bus);
+  ...
+                  pkg = topology_phys_to_logical_pkg(phys_id); // returns -1
+                  for (i = 0; i < UNCORE_EXTRA_PCI_DEV_MAX; i++) {
+                          if (uncore_extra_pci_dev[pkg].dev[i] == pdev) {
+                                  uncore_extra_pci_dev[pkg].dev[i] = NULL;
+                                  break;
+                          }
+                  }
+                  WARN_ON_ONCE(i >= UNCORE_EXTRA_PCI_DEV_MAX); // <=========== HERE!!
+
+topology_phys_to_logical_pkg() tries to find
+cpuinfo_x86->phys_proc_id that matches the phys_pkg argument.
+
+  arch/x86/kernel/smpboot.c:
+  int topology_phys_to_logical_pkg(unsigned int phys_pkg)
+  {
+          int cpu;
+
+          for_each_possible_cpu(cpu) {
+                  struct cpuinfo_x86 *c = &cpu_data(cpu);
+
+                  if (c->initialized && c->phys_proc_id == phys_pkg)
+                          return c->logical_proc_id;
+          }
+          return -1;
+  }
+
+However, the phys_proc_id was already set to 0 by remove_siblinginfo()
+when the CPU was offlined.
+
+So, topology_phys_to_logical_pkg() cannot find the correct
+logical_proc_id and always returns -1.
+
+As the result, uncore_pci_remove() calls WARN_ON_ONCE() and the warning
+messages are shown.
+
+What is worse is that the bogus 'pkg' index results in two bugs:
+
+ - We dereference uncore_extra_pci_dev[] with a negative index
+ - We fail to clean up a stale pointer in uncore_extra_pci_dev[][]
+
+To fix these bugs, remove the clearing of ->phys_proc_id from remove_siblinginfo().
+
+This should not cause any problems, because ->phys_proc_id is not
+used after it is hot-removed and it is re-set while hot-adding.
+
+Signed-off-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: yasu.isimatu@gmail.com
+Cc: <stable@vger.kernel.org>
+Fixes: 30bb9811856f ("x86/topology: Avoid wasting 128k for package id array")
+Link: http://lkml.kernel.org/r/ed738d54-0f01-b38b-b794-c31dc118c207@gmail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/smpboot.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/x86/kernel/smpboot.c
++++ b/arch/x86/kernel/smpboot.c
+@@ -1431,7 +1431,6 @@ static void remove_siblinginfo(int cpu)
+       cpumask_clear(cpu_llc_shared_mask(cpu));
+       cpumask_clear(topology_sibling_cpumask(cpu));
+       cpumask_clear(topology_core_cpumask(cpu));
+-      c->phys_proc_id = 0;
+       c->cpu_core_id = 0;
+       cpumask_clear_cpu(cpu, cpu_sibling_setup_mask);
+       recompute_smt_state();
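Review bot: uncore_pci_remove(), quoted in the description, still uses the result of topology_phys_to_logical_pkg() directly as an index into `uncore_extra_pci_dev[]`, and that function can still return -1 when no initialized CPU matches. Dropping `c->phys_proc_id = 0;` from remove_siblinginfo() removes the trigger described here, but a guard at the use site, such as `if (WARN_ON_ONCE(pkg < 0))` skipping the loop, would keep any other -1 return from becoming an out-of-bounds access. The quoted excerpt elides lines, so a check may already exist in the parts not shown. remove_siblinginfo() itself starts and ends outside the hunk.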
diff --git a/queue-4.15/xen-fix-set-clear-_foreign_p2m_mapping-on-autotranslating-guests.patch b/queue-4.15/xen-fix-set-clear-_foreign_p2m_mapping-on-autotranslating-guests.patch
new file mode 100644 (file)
index 0000000..ed42b83
--- /dev/null
@@ -0,0 +1,46 @@
+From 781198f1f373c3e350dbeb3af04a7d4c81c1b8d7 Mon Sep 17 00:00:00 2001
+From: Simon Gaiser <simon@invisiblethingslab.com>
+Date: Wed, 7 Feb 2018 21:47:40 +0100
+Subject: xen: Fix {set,clear}_foreign_p2m_mapping on autotranslating guests
+
+From: Simon Gaiser <simon@invisiblethingslab.com>
+
+commit 781198f1f373c3e350dbeb3af04a7d4c81c1b8d7 upstream.
+
+Commit 82616f9599a7 ("xen: remove tests for pvh mode in pure pv paths")
+removed the check for autotranslation from {set,clear}_foreign_p2m_mapping
+but those are called by grant-table.c also on PVH/HVM guests.
+
+Cc: <stable@vger.kernel.org> # 4.14
+Fixes: 82616f9599a7 ("xen: remove tests for pvh mode in pure pv paths")
+Signed-off-by: Simon Gaiser <simon@invisiblethingslab.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/xen/p2m.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/x86/xen/p2m.c
++++ b/arch/x86/xen/p2m.c
+@@ -694,6 +694,9 @@ int set_foreign_p2m_mapping(struct gntta
+       int i, ret = 0;
+       pte_t *pte;
++      if (xen_feature(XENFEAT_auto_translated_physmap))
++              return 0;
++
+       if (kmap_ops) {
+               ret = HYPERVISOR_grant_table_op(GNTTABOP_map_grant_ref,
+                                               kmap_ops, count);
+@@ -736,6 +739,9 @@ int clear_foreign_p2m_mapping(struct gnt
+ {
+       int i, ret = 0;
++      if (xen_feature(XENFEAT_auto_translated_physmap))
++              return 0;
++
+       for (i = 0; i < count; i++) {
+               unsigned long mfn = __pfn_to_mfn(page_to_pfn(pages[i]));
+               unsigned long pfn = page_to_pfn(pages[i]);
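Review bot: In set_foreign_p2m_mapping() the new early return sits above the `if (kmap_ops)` block, so on an auto-translated guest any `kmap_ops` passed in are skipped and the function still reports success. Whether callers ever pass a non-NULL `kmap_ops` in that mode is not visible here; if they do not, a comment on the guard would record the assumption, e.g. `/* auto-translated (PVH/HVM) guest: nothing to do here, but grant-table.c still calls us */`. The same guard in clear_foreign_p2m_mapping() would take the same comment. Both function bodies continue outside the hunks.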
diff --git a/queue-4.15/xenbus-track-caller-request-id.patch b/queue-4.15/xenbus-track-caller-request-id.patch
new file mode 100644 (file)
index 0000000..7f55319
--- /dev/null
@@ -0,0 +1,95 @@
+From 29fee6eed2811ff1089b30fc579a2d19d78016ab Mon Sep 17 00:00:00 2001
+From: Joao Martins <joao.m.martins@oracle.com>
+Date: Fri, 2 Feb 2018 17:42:33 +0000
+Subject: xenbus: track caller request id
+
+From: Joao Martins <joao.m.martins@oracle.com>
+
+commit 29fee6eed2811ff1089b30fc579a2d19d78016ab upstream.
+
+Commit fd8aa9095a95 ("xen: optimize xenbus driver for multiple concurrent
+xenstore accesses") optimized xenbus concurrent accesses but in doing so
+broke UABI of /dev/xen/xenbus. Through /dev/xen/xenbus applications are in
+charge of xenbus message exchange with the correct header and body. Now,
+after the mentioned commit the replies received by application will no
+longer have the header req_id echoed back as it was on request (see
+specification below for reference), because that particular field is being
+overwritten by kernel.
+
+struct xsd_sockmsg
+{
+  uint32_t type;  /* XS_??? */
+  uint32_t req_id;/* Request identifier, echoed in daemon's response.  */
+  uint32_t tx_id; /* Transaction id (0 if not related to a transaction). */
+  uint32_t len;   /* Length of data following this. */
+
+  /* Generally followed by nul-terminated string(s). */
+};
+
+Before there was only one request at a time so req_id could simply be
+forwarded back and forth. To allow simultaneous requests we need a
+different req_id for each message thus kernel keeps a monotonic increasing
+counter for this field and is written on every request irrespective of
+userspace value.
+
+Forwarding again the req_id on userspace requests is not a solution because
+we would open the possibility of userspace-generated req_id colliding with
+kernel ones. So this patch instead takes another route which is to
+artificially keep user req_id while keeping the xenbus logic as is. We do
+that by saving the original req_id before xs_send(), use the private kernel
+counter as req_id and then once reply comes and was validated, we restore
+back the original req_id.
+
+Cc: <stable@vger.kernel.org> # 4.11
+Fixes: fd8aa9095a ("xen: optimize xenbus driver for multiple concurrent xenstore accesses")
+Reported-by: Bhavesh Davda <bhavesh.davda@oracle.com>
+Signed-off-by: Joao Martins <joao.m.martins@oracle.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/xenbus/xenbus.h       |    1 +
+ drivers/xen/xenbus/xenbus_comms.c |    1 +
+ drivers/xen/xenbus/xenbus_xs.c    |    3 +++
+ 3 files changed, 5 insertions(+)
+
+--- a/drivers/xen/xenbus/xenbus.h
++++ b/drivers/xen/xenbus/xenbus.h
+@@ -76,6 +76,7 @@ struct xb_req_data {
+       struct list_head list;
+       wait_queue_head_t wq;
+       struct xsd_sockmsg msg;
++      uint32_t caller_req_id;
+       enum xsd_sockmsg_type type;
+       char *body;
+       const struct kvec *vec;
+--- a/drivers/xen/xenbus/xenbus_comms.c
++++ b/drivers/xen/xenbus/xenbus_comms.c
+@@ -309,6 +309,7 @@ static int process_msg(void)
+                       goto out;
+               if (req->state == xb_req_state_wait_reply) {
++                      req->msg.req_id = req->caller_req_id;
+                       req->msg.type = state.msg.type;
+                       req->msg.len = state.msg.len;
+                       req->body = state.body;
+--- a/drivers/xen/xenbus/xenbus_xs.c
++++ b/drivers/xen/xenbus/xenbus_xs.c
+@@ -227,6 +227,8 @@ static void xs_send(struct xb_req_data *
+       req->state = xb_req_state_queued;
+       init_waitqueue_head(&req->wq);
++      /* Save the caller req_id and restore it later in the reply */
++      req->caller_req_id = req->msg.req_id;
+       req->msg.req_id = xs_request_enter(req);
+       mutex_lock(&xb_write_mutex);
+@@ -310,6 +312,7 @@ static void *xs_talkv(struct xenbus_tran
+       req->num_vecs = num_vecs;
+       req->cb = xs_wake_up;
++      msg.req_id = 0;
+       msg.tx_id = t.id;
+       msg.type = type;
+       msg.len = 0;
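Review bot: `msg.req_id = 0;` in xs_talkv() reads as a dead store unless the reader knows that xs_send() now copies `req->msg.req_id` into `caller_req_id` before replacing it. Presumably `msg` is a local that would otherwise carry an indeterminate value into that copy (its declaration is outside the hunk); a comment such as `/* xs_send() saves req_id before overwriting it, so give it a defined value */` would make that explicit. The new struct field could likewise carry `/* req_id supplied by the caller, restored into msg.req_id on reply */`. xs_talkv() and xs_send() both start and end outside the hunks.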