4.16-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 29 Apr 2018 13:07:53 +0000 (15:07 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 29 Apr 2018 13:07:53 +0000 (15:07 +0200)
added patches:
android-binder-prevent-transactions-into-own-process.patch
arm-amba-don-t-read-past-the-end-of-sysfs-driver_override-buffer.patch
arm-amba-fix-race-condition-with-driver_override.patch
arm-amba-make-driver_override-output-consistent-with-other-buses.patch
arm-dts-fix-nas4220b-pin-config.patch
arm-socfpga_defconfig-remove-qspi-sector-4k-size-force.patch
asoc-dmic-fix-clock-parenting.patch
asoc-fsl_esai-fix-divisor-calculation-failure-at-lower-ratio.patch
cpufreq-powernv-fix-hardlockup-due-to-synchronous-smp_call-in-timer-interrupt.patch
crypto-drbg-set-freed-buffers-to-null.patch
drm-amd-display-disallow-enabling-crtc-without-primary-plane-with-fb.patch
drm-amd-display-don-t-read-edid-in-atomic_check.patch
drm-amd-display-fix-deadlock-when-flushing-irq.patch
drm-amdgpu-set-compute_pgm_rsrc1-for-sgpr-vgpr-clearing-shaders.patch
drm-edid-reset-more-of-the-display-info.patch
drm-i915-audio-set-minimum-cd-clock-to-twice-the-bclk.patch
drm-i915-enable-display-wa-1183-from-its-correct-spot.patch
drm-i915-fbdev-enable-late-fbdev-initial-configuration.patch
earlycon-use-a-pointer-table-to-fix-__earlycon_table-stride.patch
fpga-manager-altera-ps-spi-preserve-nconfig-state.patch
kvm-arm-arm64-close-vmid-generation-race.patch
libceph-reschedule-a-tick-in-finish_hunting.patch
libceph-un-backoff-on-tick-when-we-have-a-authenticated-session.patch
libceph-validate-con-state-at-the-top-of-try_write.patch
module-fix-display-of-wrong-module-.text-address.patch
objtool-perf-fix-gcc-8-wrestrict-error.patch
pci-aardvark-fix-logic-in-advk_pcie_-rd-wr-_conf.patch
pci-aardvark-fix-pcie-max-read-request-size-setting.patch
pci-aardvark-set-pio_addr_ls-correctly-in-advk_pcie_rd_conf.patch
pci-aardvark-use-isr1-instead-of-isr0-interrupt-in-legacy-irq-mode.patch
pci-pm-do-not-clear-state_saved-in-pci_pm_freeze-when-smart-suspend-is-set.patch
powerpc-mce-fix-a-bug-where-mce-loops-on-memory-ue.patch
powerpc-mm-flush-cache-on-memory-hot-un-plug.patch
powerpc-powernv-npu-do-a-pid-gpu-tlb-flush-when-invalidating-a-large-address-range.patch
rtc-opal-fix-opal-rtc-driver-opal_busy-loops.patch
slimbus-fix-out-of-bounds-access-in-slim_slicesize.patch
smb311-fix-reconnect.patch
virt-vbox-add-vbg_req_free-helper-function.patch
virt-vbox-move-declarations-of-vboxguest-private-functions-to-private-header.patch
virt-vbox-use-__get_free_pages-instead-of-kmalloc-for-dma32-memory.patch

41 files changed:
queue-4.16/android-binder-prevent-transactions-into-own-process.patch [new file with mode: 0644]
queue-4.16/arm-amba-don-t-read-past-the-end-of-sysfs-driver_override-buffer.patch [new file with mode: 0644]
queue-4.16/arm-amba-fix-race-condition-with-driver_override.patch [new file with mode: 0644]
queue-4.16/arm-amba-make-driver_override-output-consistent-with-other-buses.patch [new file with mode: 0644]
queue-4.16/arm-dts-fix-nas4220b-pin-config.patch [new file with mode: 0644]
queue-4.16/arm-socfpga_defconfig-remove-qspi-sector-4k-size-force.patch [new file with mode: 0644]
queue-4.16/asoc-dmic-fix-clock-parenting.patch [new file with mode: 0644]
queue-4.16/asoc-fsl_esai-fix-divisor-calculation-failure-at-lower-ratio.patch [new file with mode: 0644]
queue-4.16/cpufreq-powernv-fix-hardlockup-due-to-synchronous-smp_call-in-timer-interrupt.patch [new file with mode: 0644]
queue-4.16/crypto-drbg-set-freed-buffers-to-null.patch [new file with mode: 0644]
queue-4.16/drm-amd-display-disallow-enabling-crtc-without-primary-plane-with-fb.patch [new file with mode: 0644]
queue-4.16/drm-amd-display-don-t-read-edid-in-atomic_check.patch [new file with mode: 0644]
queue-4.16/drm-amd-display-fix-deadlock-when-flushing-irq.patch [new file with mode: 0644]
queue-4.16/drm-amdgpu-set-compute_pgm_rsrc1-for-sgpr-vgpr-clearing-shaders.patch [new file with mode: 0644]
queue-4.16/drm-edid-reset-more-of-the-display-info.patch [new file with mode: 0644]
queue-4.16/drm-i915-audio-set-minimum-cd-clock-to-twice-the-bclk.patch [new file with mode: 0644]
queue-4.16/drm-i915-enable-display-wa-1183-from-its-correct-spot.patch [new file with mode: 0644]
queue-4.16/drm-i915-fbdev-enable-late-fbdev-initial-configuration.patch [new file with mode: 0644]
queue-4.16/earlycon-use-a-pointer-table-to-fix-__earlycon_table-stride.patch [new file with mode: 0644]
queue-4.16/fpga-manager-altera-ps-spi-preserve-nconfig-state.patch [new file with mode: 0644]
queue-4.16/kvm-arm-arm64-close-vmid-generation-race.patch [new file with mode: 0644]
queue-4.16/libceph-reschedule-a-tick-in-finish_hunting.patch [new file with mode: 0644]
queue-4.16/libceph-un-backoff-on-tick-when-we-have-a-authenticated-session.patch [new file with mode: 0644]
queue-4.16/libceph-validate-con-state-at-the-top-of-try_write.patch [new file with mode: 0644]
queue-4.16/module-fix-display-of-wrong-module-.text-address.patch [new file with mode: 0644]
queue-4.16/objtool-perf-fix-gcc-8-wrestrict-error.patch [new file with mode: 0644]
queue-4.16/pci-aardvark-fix-logic-in-advk_pcie_-rd-wr-_conf.patch [new file with mode: 0644]
queue-4.16/pci-aardvark-fix-pcie-max-read-request-size-setting.patch [new file with mode: 0644]
queue-4.16/pci-aardvark-set-pio_addr_ls-correctly-in-advk_pcie_rd_conf.patch [new file with mode: 0644]
queue-4.16/pci-aardvark-use-isr1-instead-of-isr0-interrupt-in-legacy-irq-mode.patch [new file with mode: 0644]
queue-4.16/pci-pm-do-not-clear-state_saved-in-pci_pm_freeze-when-smart-suspend-is-set.patch [new file with mode: 0644]
queue-4.16/powerpc-mce-fix-a-bug-where-mce-loops-on-memory-ue.patch [new file with mode: 0644]
queue-4.16/powerpc-mm-flush-cache-on-memory-hot-un-plug.patch [new file with mode: 0644]
queue-4.16/powerpc-powernv-npu-do-a-pid-gpu-tlb-flush-when-invalidating-a-large-address-range.patch [new file with mode: 0644]
queue-4.16/rtc-opal-fix-opal-rtc-driver-opal_busy-loops.patch [new file with mode: 0644]
queue-4.16/series
queue-4.16/slimbus-fix-out-of-bounds-access-in-slim_slicesize.patch [new file with mode: 0644]
queue-4.16/smb311-fix-reconnect.patch [new file with mode: 0644]
queue-4.16/virt-vbox-add-vbg_req_free-helper-function.patch [new file with mode: 0644]
queue-4.16/virt-vbox-move-declarations-of-vboxguest-private-functions-to-private-header.patch [new file with mode: 0644]
queue-4.16/virt-vbox-use-__get_free_pages-instead-of-kmalloc-for-dma32-memory.patch [new file with mode: 0644]

diff --git a/queue-4.16/android-binder-prevent-transactions-into-own-process.patch b/queue-4.16/android-binder-prevent-transactions-into-own-process.patch
new file mode 100644 (file)
index 0000000..2972671
--- /dev/null
@@ -0,0 +1,40 @@
+From 7aa135fcf26377f92dc0680a57566b4c7f3e281b Mon Sep 17 00:00:00 2001
+From: Martijn Coenen <maco@android.com>
+Date: Wed, 28 Mar 2018 11:14:50 +0200
+Subject: ANDROID: binder: prevent transactions into own process.
+
+From: Martijn Coenen <maco@android.com>
+
+commit 7aa135fcf26377f92dc0680a57566b4c7f3e281b upstream.
+
+This can't happen with normal nodes (because you can't get a ref
+to a node you own), but it could happen with the context manager;
+to make the behavior consistent with regular nodes, reject
+transactions into the context manager by the process owning it.
+
+Reported-by: syzbot+09e05aba06723a94d43d@syzkaller.appspotmail.com
+Signed-off-by: Martijn Coenen <maco@android.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2839,6 +2839,14 @@ static void binder_transaction(struct bi
+                       else
+                               return_error = BR_DEAD_REPLY;
+                       mutex_unlock(&context->context_mgr_node_lock);
++                      if (target_node && target_proc == proc) {
++                              binder_user_error("%d:%d got transaction to context manager from process owning it\n",
++                                                proc->pid, thread->pid);
++                              return_error = BR_FAILED_REPLY;
++                              return_error_param = -EINVAL;
++                              return_error_line = __LINE__;
++                              goto err_invalid_target_handle;
++                      }
+               }
+               if (!target_node) {
+                       /*
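Review bot: The new early exit at `goto err_invalid_target_handle` runs after the context-manager node has been looked up, and the label's cleanup is outside this hunk. It is worth confirming that this path releases any reference the lookup took on target_node, and any temporary reference on target_proc. The check would also benefit from a one-line comment, e.g. `/* the context manager's owner must not transact into it; regular nodes cannot reach this case */`, because the reason is currently only in the commit message. binder_transaction() starts and ends outside the hunk.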
diff --git a/queue-4.16/arm-amba-don-t-read-past-the-end-of-sysfs-driver_override-buffer.patch b/queue-4.16/arm-amba-don-t-read-past-the-end-of-sysfs-driver_override-buffer.patch
new file mode 100644 (file)
index 0000000..3d26b06
--- /dev/null
@@ -0,0 +1,39 @@
+From d2ffed5185df9d8d9ccd150e4340e3b6f96a8381 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Tue, 10 Apr 2018 15:21:45 +0200
+Subject: ARM: amba: Don't read past the end of sysfs "driver_override" buffer
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit d2ffed5185df9d8d9ccd150e4340e3b6f96a8381 upstream.
+
+When printing the driver_override parameter when it is 4095 and 4094
+bytes long, the printing code would access invalid memory because we
+need count + 1 bytes for printing.
+
+Cfr. commits 4efe874aace57dba ("PCI: Don't read past the end of sysfs
+"driver_override" buffer") and bf563b01c2895a4b ("driver core: platform:
+Don't read past the end of "driver_override" buffer").
+
+Fixes: 3cf385713460eb2b ("ARM: 8256/1: driver coamba: add device binding path 'driver_override'")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Todd Kjos <tkjos@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/amba/bus.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/amba/bus.c
++++ b/drivers/amba/bus.c
+@@ -84,7 +84,8 @@ static ssize_t driver_override_store(str
+       struct amba_device *dev = to_amba_device(_dev);
+       char *driver_override, *old, *cp;
+-      if (count > PATH_MAX)
++      /* We need to keep extra room for a newline */
++      if (count >= (PAGE_SIZE - 1))
+               return -EINVAL;
+       driver_override = kstrndup(buf, count, GFP_KERNEL);
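Review bot: The comment `/* We need to keep extra room for a newline */` does not say where the newline comes from, and the bound only makes sense once that is known. driver_override_show() formats the stored string with "%s\n" into the PAGE_SIZE sysfs buffer, so the accepted length has to leave room for the newline and the terminator. I would spell that out, e.g. `/* show() emits "%s\n" into a PAGE_SIZE buffer: leave room for the newline and the NUL */`. The kstrndup() result check and the rest of driver_override_store() are outside the hunk.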
diff --git a/queue-4.16/arm-amba-fix-race-condition-with-driver_override.patch b/queue-4.16/arm-amba-fix-race-condition-with-driver_override.patch
new file mode 100644 (file)
index 0000000..1f8df7e
--- /dev/null
@@ -0,0 +1,69 @@
+From 6a7228d90d42bcacfe38786756ba62762b91c20a Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Tue, 10 Apr 2018 15:21:44 +0200
+Subject: ARM: amba: Fix race condition with driver_override
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit 6a7228d90d42bcacfe38786756ba62762b91c20a upstream.
+
+The driver_override implementation is susceptible to a race condition
+when different threads are reading vs storing a different driver
+override.  Add locking to avoid this race condition.
+
+Cfr. commits 6265539776a0810b ("driver core: platform: fix race
+condition with driver_override") and 9561475db680f714 ("PCI: Fix race
+condition with driver_override").
+
+Fixes: 3cf385713460eb2b ("ARM: 8256/1: driver coamba: add device binding path 'driver_override'")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Todd Kjos <tkjos@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/amba/bus.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/amba/bus.c
++++ b/drivers/amba/bus.c
+@@ -69,8 +69,12 @@ static ssize_t driver_override_show(stru
+                                   struct device_attribute *attr, char *buf)
+ {
+       struct amba_device *dev = to_amba_device(_dev);
++      ssize_t len;
+-      return sprintf(buf, "%s\n", dev->driver_override);
++      device_lock(_dev);
++      len = sprintf(buf, "%s\n", dev->driver_override);
++      device_unlock(_dev);
++      return len;
+ }
+ static ssize_t driver_override_store(struct device *_dev,
+@@ -78,7 +82,7 @@ static ssize_t driver_override_store(str
+                                    const char *buf, size_t count)
+ {
+       struct amba_device *dev = to_amba_device(_dev);
+-      char *driver_override, *old = dev->driver_override, *cp;
++      char *driver_override, *old, *cp;
+       if (count > PATH_MAX)
+               return -EINVAL;
+@@ -91,12 +95,15 @@ static ssize_t driver_override_store(str
+       if (cp)
+               *cp = '\0';
++      device_lock(_dev);
++      old = dev->driver_override;
+       if (strlen(driver_override)) {
+               dev->driver_override = driver_override;
+       } else {
+              kfree(driver_override);
+              dev->driver_override = NULL;
+       }
++      device_unlock(_dev);
+       kfree(old);
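Review bot: `len = sprintf(buf, "%s\n", dev->driver_override);` in driver_override_show() is still an unbounded write into the sysfs buffer, and in this patch's context driver_override_store() accepts up to PATH_MAX bytes. Bounding the write where it happens, `len = scnprintf(buf, PAGE_SIZE, "%s\n", dev->driver_override);`, keeps show() within the page regardless of the limit enforced in store(). The locking added around the call can stay as it is.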
diff --git a/queue-4.16/arm-amba-make-driver_override-output-consistent-with-other-buses.patch b/queue-4.16/arm-amba-make-driver_override-output-consistent-with-other-buses.patch
new file mode 100644 (file)
index 0000000..a439030
--- /dev/null
@@ -0,0 +1,40 @@
+From 5f53624662eaac89598641cee6cd54fc192572d9 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Tue, 10 Apr 2018 15:21:43 +0200
+Subject: ARM: amba: Make driver_override output consistent with other buses
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit 5f53624662eaac89598641cee6cd54fc192572d9 upstream.
+
+For AMBA devices with unconfigured driver override, the
+"driver_override" sysfs virtual file is empty, while it contains
+"(null)" for platform and PCI devices.
+
+Make AMBA consistent with other buses by dropping the test for a NULL
+pointer.
+
+Note that contrary to popular belief, sprintf() handles NULL pointers
+fine; they are printed as "(null)".
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Todd Kjos <tkjos@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/amba/bus.c |    3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/amba/bus.c
++++ b/drivers/amba/bus.c
+@@ -70,9 +70,6 @@ static ssize_t driver_override_show(stru
+ {
+       struct amba_device *dev = to_amba_device(_dev);
+-      if (!dev->driver_override)
+-              return 0;
+-
+       return sprintf(buf, "%s\n", dev->driver_override);
+ }
diff --git a/queue-4.16/arm-dts-fix-nas4220b-pin-config.patch b/queue-4.16/arm-dts-fix-nas4220b-pin-config.patch
new file mode 100644 (file)
index 0000000..b99ebdd
--- /dev/null
@@ -0,0 +1,81 @@
+From 1c3bc8fb10c1803f8651911722ed584db3dfb0f2 Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Tue, 17 Apr 2018 10:53:11 +0200
+Subject: ARM: dts: Fix NAS4220B pin config
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit 1c3bc8fb10c1803f8651911722ed584db3dfb0f2 upstream.
+
+The DTS file for the NAS4220B had the pin config for the
+ethernet interface set to the pins in the SL3512 SoC while
+this system is using SL3516. Fix it by referencing the
+right SL3516 pins instead of the SL3512 pins.
+
+Cc: stable@vger.kernel.org
+Cc: Hans Ulli Kroll <ulli.kroll@googlemail.com>
+Reported-by: Andreas Fiedler <andreas.fiedler@gmx.net>
+Reported-by: Roman Yeryomin <roman@advem.lv>
+Tested-by: Roman Yeryomin <roman@advem.lv>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/gemini-nas4220b.dts |   28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+--- a/arch/arm/boot/dts/gemini-nas4220b.dts
++++ b/arch/arm/boot/dts/gemini-nas4220b.dts
+@@ -134,37 +134,37 @@
+                                               function = "gmii";
+                                               groups = "gmii_gmac0_grp";
+                                       };
+-                                      /* Settings come from OpenWRT */
++                                      /* Settings come from OpenWRT, pins on SL3516 */
+                                       conf0 {
+-                                              pins = "R8 GMAC0 RXDV", "U11 GMAC1 RXDV";
++                                              pins = "V8 GMAC0 RXDV", "T10 GMAC1 RXDV";
+                                               skew-delay = <0>;
+                                       };
+                                       conf1 {
+-                                              pins = "T8 GMAC0 RXC", "T11 GMAC1 RXC";
++                                              pins = "Y7 GMAC0 RXC", "Y11 GMAC1 RXC";
+                                               skew-delay = <15>;
+                                       };
+                                       conf2 {
+-                                              pins = "P8 GMAC0 TXEN", "V11 GMAC1 TXEN";
++                                              pins = "T8 GMAC0 TXEN", "W11 GMAC1 TXEN";
+                                               skew-delay = <7>;
+                                       };
+                                       conf3 {
+-                                              pins = "V7 GMAC0 TXC";
++                                              pins = "U8 GMAC0 TXC";
+                                               skew-delay = <11>;
+                                       };
+                                       conf4 {
+-                                              pins = "P10 GMAC1 TXC";
++                                              pins = "V11 GMAC1 TXC";
+                                               skew-delay = <10>;
+                                       };
+                                       conf5 {
+                                               /* The data lines all have default skew */
+-                                              pins = "U8 GMAC0 RXD0", "V8 GMAC0 RXD1",
+-                                                     "P9 GMAC0 RXD2", "R9 GMAC0 RXD3",
+-                                                     "U7 GMAC0 TXD0", "T7 GMAC0 TXD1",
+-                                                     "R7 GMAC0 TXD2", "P7 GMAC0 TXD3",
+-                                                     "R11 GMAC1 RXD0", "P11 GMAC1 RXD1",
+-                                                     "V12 GMAC1 RXD2", "U12 GMAC1 RXD3",
+-                                                     "R10 GMAC1 TXD0", "T10 GMAC1 TXD1",
+-                                                     "U10 GMAC1 TXD2", "V10 GMAC1 TXD3";
++                                              pins = "W8 GMAC0 RXD0", "V9 GMAC0 RXD1",
++                                                     "Y8 GMAC0 RXD2", "U9 GMAC0 RXD3",
++                                                     "T7 GMAC0 TXD0", "U6 GMAC0 TXD1",
++                                                     "V7 GMAC0 TXD2", "U7 GMAC0 TXD3",
++                                                     "Y12 GMAC1 RXD0", "V12 GMAC1 RXD1",
++                                                     "T11 GMAC1 RXD2", "W12 GMAC1 RXD3",
++                                                     "U10 GMAC1 TXD0", "Y10 GMAC1 TXD1",
++                                                     "W10 GMAC1 TXD2", "T9 GMAC1 TXD3";
+                                               skew-delay = <7>;
+                                       };
+                                       /* Set up drive strength on GMAC0 to 16 mA */
diff --git a/queue-4.16/arm-socfpga_defconfig-remove-qspi-sector-4k-size-force.patch b/queue-4.16/arm-socfpga_defconfig-remove-qspi-sector-4k-size-force.patch
new file mode 100644 (file)
index 0000000..080b71b
--- /dev/null
@@ -0,0 +1,34 @@
+From 6e8fe39989720b87439fee7817a5ca362b16d931 Mon Sep 17 00:00:00 2001
+From: Thor Thayer <thor.thayer@linux.intel.com>
+Date: Mon, 26 Mar 2018 14:50:00 -0500
+Subject: ARM: socfpga_defconfig: Remove QSPI Sector 4K size force
+
+From: Thor Thayer <thor.thayer@linux.intel.com>
+
+commit 6e8fe39989720b87439fee7817a5ca362b16d931 upstream.
+
+Remove QSPI Sector 4K size force which is causing QSPI boot
+problems with the JFFS2 root filesystem.
+
+Fixes the following error:
+     "Magic bitmask 0x1985 not found at ..."
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Thor Thayer <thor.thayer@linux.intel.com>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/configs/socfpga_defconfig |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/configs/socfpga_defconfig
++++ b/arch/arm/configs/socfpga_defconfig
+@@ -57,6 +57,7 @@ CONFIG_MTD_M25P80=y
+ CONFIG_MTD_NAND=y
+ CONFIG_MTD_NAND_DENALI_DT=y
+ CONFIG_MTD_SPI_NOR=y
++# CONFIG_MTD_SPI_NOR_USE_4K_SECTORS is not set
+ CONFIG_SPI_CADENCE_QUADSPI=y
+ CONFIG_OF_OVERLAY=y
+ CONFIG_OF_CONFIGFS=y
diff --git a/queue-4.16/asoc-dmic-fix-clock-parenting.patch b/queue-4.16/asoc-dmic-fix-clock-parenting.patch
new file mode 100644 (file)
index 0000000..15b11b9
--- /dev/null
@@ -0,0 +1,67 @@
+From 573eda59c772d11fc2b56d525dfb698b0f87ddb3 Mon Sep 17 00:00:00 2001
+From: Tero Kristo <t-kristo@ti.com>
+Date: Thu, 12 Apr 2018 11:23:15 +0300
+Subject: ASoC: dmic: Fix clock parenting
+
+From: Tero Kristo <t-kristo@ti.com>
+
+commit 573eda59c772d11fc2b56d525dfb698b0f87ddb3 upstream.
+
+In 4.16 the clock hierarchy got changed by
+a5c82a09d876 ARM: dts: omap4: add clkctrl nodes
+
+The fck of dmic is no longer a mux clock, it's parent is.
+
+Signed-off-by: Tero Kristo <t-kristo@ti.com>
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org # 4.16+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/omap/omap-dmic.c |   14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/sound/soc/omap/omap-dmic.c
++++ b/sound/soc/omap/omap-dmic.c
+@@ -281,7 +281,7 @@ static int omap_dmic_dai_trigger(struct
+ static int omap_dmic_select_fclk(struct omap_dmic *dmic, int clk_id,
+                                unsigned int freq)
+ {
+-      struct clk *parent_clk;
++      struct clk *parent_clk, *mux;
+       char *parent_clk_name;
+       int ret = 0;
+@@ -329,14 +329,21 @@ static int omap_dmic_select_fclk(struct
+               return -ENODEV;
+       }
++      mux = clk_get_parent(dmic->fclk);
++      if (IS_ERR(mux)) {
++              dev_err(dmic->dev, "can't get fck mux parent\n");
++              clk_put(parent_clk);
++              return -ENODEV;
++      }
++
+       mutex_lock(&dmic->mutex);
+       if (dmic->active) {
+               /* disable clock while reparenting */
+               pm_runtime_put_sync(dmic->dev);
+-              ret = clk_set_parent(dmic->fclk, parent_clk);
++              ret = clk_set_parent(mux, parent_clk);
+               pm_runtime_get_sync(dmic->dev);
+       } else {
+-              ret = clk_set_parent(dmic->fclk, parent_clk);
++              ret = clk_set_parent(mux, parent_clk);
+       }
+       mutex_unlock(&dmic->mutex);
+@@ -349,6 +356,7 @@ static int omap_dmic_select_fclk(struct
+       dmic->fclk_freq = freq;
+ err_busy:
++      clk_put(mux);
+       clk_put(parent_clk);
+       return ret;
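Review bot: The new `IS_ERR(mux)` test after `clk_get_parent(dmic->fclk)` does not cover a NULL return, which is how the common clock framework reports a clock without a parent as far as I know. A NULL mux would then be handed to `clk_set_parent()` in both branches. Checking `if (IS_ERR_OR_NULL(mux)) {` would send that case down the -ENODEV path as well. It is also worth confirming that a clock obtained from clk_get_parent() carries a reference of its own, because the added `clk_put(mux);` under err_busy drops one. omap_dmic_select_fclk() is only partly visible in these hunks.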
diff --git a/queue-4.16/asoc-fsl_esai-fix-divisor-calculation-failure-at-lower-ratio.patch b/queue-4.16/asoc-fsl_esai-fix-divisor-calculation-failure-at-lower-ratio.patch
new file mode 100644 (file)
index 0000000..1941634
--- /dev/null
@@ -0,0 +1,47 @@
+From c656941df9bc80f7ec65b92ca73c42f8b0b62628 Mon Sep 17 00:00:00 2001
+From: Nicolin Chen <nicoleotsuka@gmail.com>
+Date: Sun, 8 Apr 2018 16:57:35 -0700
+Subject: ASoC: fsl_esai: Fix divisor calculation failure at lower ratio
+
+From: Nicolin Chen <nicoleotsuka@gmail.com>
+
+commit c656941df9bc80f7ec65b92ca73c42f8b0b62628 upstream.
+
+When the desired ratio is less than 256, the savesub (tolerance)
+in the calculation would become 0. This will then fail the loop-
+search immediately without reporting any errors.
+
+But if the ratio is smaller enough, there is no need to calculate
+the tolerance because PM divisor alone is enough to get the ratio.
+
+So a simple fix could be just to set PM directly instead of going
+into the loop-search.
+
+Reported-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Tested-by: Marek Vasut <marex@denx.de>
+Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/fsl/fsl_esai.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/sound/soc/fsl/fsl_esai.c
++++ b/sound/soc/fsl/fsl_esai.c
+@@ -144,6 +144,13 @@ static int fsl_esai_divisor_cal(struct s
+       psr = ratio <= 256 * maxfp ? ESAI_xCCR_xPSR_BYPASS : ESAI_xCCR_xPSR_DIV8;
++      /* Do not loop-search if PM (1 ~ 256) alone can serve the ratio */
++      if (ratio <= 256) {
++              pm = ratio;
++              fp = 1;
++              goto out;
++      }
++
+       /* Set the max fluctuation -- 0.1% of the max devisor */
+       savesub = (psr ? 1 : 8)  * 256 * maxfp / 1000;
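Review bot: The shortcut `pm = ratio;` under `if (ratio <= 256)` has no lower bound in the hunk, so a ratio of 0 would be passed on as a PM divisor of 0 although the comment promises 1 ~ 256. If the range check earlier in fsl_esai_divisor_cal() (outside this hunk) already rejects that, the comment should say so, e.g. `/* ratio >= 1 was checked above; PM (1 ~ 256) alone can serve it, so skip the loop-search */`. The `out` label the branch jumps to is also outside the hunk.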
diff --git a/queue-4.16/cpufreq-powernv-fix-hardlockup-due-to-synchronous-smp_call-in-timer-interrupt.patch b/queue-4.16/cpufreq-powernv-fix-hardlockup-due-to-synchronous-smp_call-in-timer-interrupt.patch
new file mode 100644 (file)
index 0000000..9419462
--- /dev/null
@@ -0,0 +1,85 @@
+From c0f7f5b6c69107ca92909512533e70258ee19188 Mon Sep 17 00:00:00 2001
+From: Shilpasri G Bhat <shilpa.bhat@linux.vnet.ibm.com>
+Date: Wed, 25 Apr 2018 16:29:31 +0530
+Subject: cpufreq: powernv: Fix hardlockup due to synchronous smp_call in timer interrupt
+
+From: Shilpasri G Bhat <shilpa.bhat@linux.vnet.ibm.com>
+
+commit c0f7f5b6c69107ca92909512533e70258ee19188 upstream.
+
+gpstate_timer_handler() uses synchronous smp_call to set the pstate
+on the requested core. This causes the below hard lockup:
+
+  smp_call_function_single+0x110/0x180 (unreliable)
+  smp_call_function_any+0x180/0x250
+  gpstate_timer_handler+0x1e8/0x580
+  call_timer_fn+0x50/0x1c0
+  expire_timers+0x138/0x1f0
+  run_timer_softirq+0x1e8/0x270
+  __do_softirq+0x158/0x3e4
+  irq_exit+0xe8/0x120
+  timer_interrupt+0x9c/0xe0
+  decrementer_common+0x114/0x120
+  -- interrupt: 901 at doorbell_global_ipi+0x34/0x50
+  LR = arch_send_call_function_ipi_mask+0x120/0x130
+  arch_send_call_function_ipi_mask+0x4c/0x130
+  smp_call_function_many+0x340/0x450
+  pmdp_invalidate+0x98/0xe0
+  change_huge_pmd+0xe0/0x270
+  change_protection_range+0xb88/0xe40
+  mprotect_fixup+0x140/0x340
+  SyS_mprotect+0x1b4/0x350
+  system_call+0x58/0x6c
+
+One way to avoid this is removing the smp-call. We can ensure that the
+timer always runs on one of the policy-cpus. If the timer gets
+migrated to a cpu outside the policy then re-queue it back on the
+policy->cpus. This way we can get rid of the smp-call which was being
+used to set the pstate on the policy->cpus.
+
+Fixes: 7bc54b652f13 ("timers, cpufreq/powernv: Initialize the gpstate timer as pinned")
+Cc: stable@vger.kernel.org # v4.8+
+Reported-by: Nicholas Piggin <npiggin@gmail.com>
+Reported-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com>
+Signed-off-by: Shilpasri G Bhat <shilpa.bhat@linux.vnet.ibm.com>
+Acked-by: Nicholas Piggin <npiggin@gmail.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Acked-by: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/powernv-cpufreq.c |   14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/cpufreq/powernv-cpufreq.c
++++ b/drivers/cpufreq/powernv-cpufreq.c
+@@ -679,6 +679,16 @@ void gpstate_timer_handler(struct timer_
+       if (!spin_trylock(&gpstates->gpstate_lock))
+               return;
++      /*
++       * If the timer has migrated to the different cpu then bring
++       * it back to one of the policy->cpus
++       */
++      if (!cpumask_test_cpu(raw_smp_processor_id(), policy->cpus)) {
++              gpstates->timer.expires = jiffies + msecs_to_jiffies(1);
++              add_timer_on(&gpstates->timer, cpumask_first(policy->cpus));
++              spin_unlock(&gpstates->gpstate_lock);
++              return;
++      }
+       /*
+        * If PMCR was last updated was using fast_swtich then
+@@ -718,10 +728,8 @@ void gpstate_timer_handler(struct timer_
+       if (gpstate_idx != gpstates->last_lpstate_idx)
+               queue_gpstate_timer(gpstates);
++      set_pstate(&freq_data);
+       spin_unlock(&gpstates->gpstate_lock);
+-
+-      /* Timer may get migrated to a different cpu on cpu hot unplug */
+-      smp_call_function_any(policy->cpus, set_pstate, &freq_data, 1);
+ }
+ /*
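Review bot: In the added migration branch, `cpumask_first(policy->cpus)` is passed straight to `add_timer_on()`, and cpumask_first() returns a value at or beyond nr_cpu_ids when the mask is empty. The branch exists for the hot-unplug case, so unless something outside the hunk guarantees that policy->cpus is non-empty while the timer is live, the result should be checked before it is used. For example, `cpu = cpumask_first(policy->cpus); if (cpu >= nr_cpu_ids) { spin_unlock(&gpstates->gpstate_lock); return; }`. gpstate_timer_handler() starts and ends outside these hunks.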
diff --git a/queue-4.16/crypto-drbg-set-freed-buffers-to-null.patch b/queue-4.16/crypto-drbg-set-freed-buffers-to-null.patch
new file mode 100644 (file)
index 0000000..3d4afeb
--- /dev/null
@@ -0,0 +1,39 @@
+From eea0d3ea7546961f69f55b26714ac8fd71c7c020 Mon Sep 17 00:00:00 2001
+From: Stephan Mueller <smueller@chronox.de>
+Date: Thu, 12 Apr 2018 08:40:55 +0200
+Subject: crypto: drbg - set freed buffers to NULL
+
+From: Stephan Mueller <smueller@chronox.de>
+
+commit eea0d3ea7546961f69f55b26714ac8fd71c7c020 upstream.
+
+During freeing of the internal buffers used by the DRBG, set the pointer
+to NULL. It is possible that the context with the freed buffers is
+reused. In case of an error during initialization where the pointers
+do not yet point to allocated memory, the NULL value prevents a double
+free.
+
+Cc: stable@vger.kernel.org
+Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers")
+Signed-off-by: Stephan Mueller <smueller@chronox.de>
+Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/drbg.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/crypto/drbg.c
++++ b/crypto/drbg.c
+@@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(st
+       if (!drbg)
+               return;
+       kzfree(drbg->Vbuf);
++      drbg->Vbuf = NULL;
+       drbg->V = NULL;
+       kzfree(drbg->Cbuf);
++      drbg->Cbuf = NULL;
+       drbg->C = NULL;
+       kzfree(drbg->scratchpadbuf);
+       drbg->scratchpadbuf = NULL;
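Review bot: The two added assignments carry no comment saying why they are needed. The reason, that the context can be reused after a failed initialisation so a stale Vbuf or Cbuf would be freed twice, is only in the commit message. A short comment above the first kzfree() would keep it with the code, e.g. `/* drbg may be reused after a failed init: clear every freed pointer so a second dealloc is harmless */`. drbg_dealloc_state() continues past the hunk, so any buffer freed further down should get the same reset if it does not have one already.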
diff --git a/queue-4.16/drm-amd-display-disallow-enabling-crtc-without-primary-plane-with-fb.patch b/queue-4.16/drm-amd-display-disallow-enabling-crtc-without-primary-plane-with-fb.patch
new file mode 100644 (file)
index 0000000..503659d
--- /dev/null
@@ -0,0 +1,74 @@
+From f2877656809386d7bc62c2b1c1b4e58404c486d4 Mon Sep 17 00:00:00 2001
+From: Harry Wentland <harry.wentland@amd.com>
+Date: Mon, 16 Apr 2018 17:28:11 -0400
+Subject: drm/amd/display: Disallow enabling CRTC without primary plane with FB
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Harry Wentland <harry.wentland@amd.com>
+
+commit f2877656809386d7bc62c2b1c1b4e58404c486d4 upstream.
+
+The below commit
+
+    "drm/atomic: Try to preserve the crtc enabled state in drm_atomic_remove_fb, v2"
+
+introduces a slight behavioral change to rmfb. Instead of disabling a crtc
+when the primary plane is disabled, it now preserves it.
+
+Since DC is currently not equipped to handle this we need to fail such
+a commit, otherwise we might see a corrupted screen.
+
+This is based on Shirish's previous approach but avoids adding all
+planes to the new atomic state which leads to a full update in DC for
+any commit, and is not what we intend.
+
+Theoretically DM should be able to deal with states with fully populated planes,
+even for simple updates, such as cursor updates. This should still be
+addressed in the future.
+
+Signed-off-by: Harry Wentland <harry.wentland@amd.com>
+Tested-by: Michel Dänzer <michel.daenzer@amd.com>
+Reviewed-by: Tony Cheng <Tony.Cheng@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -4506,6 +4506,7 @@ static int dm_update_crtcs_state(struct
+               struct amdgpu_dm_connector *aconnector = NULL;
+               struct drm_connector_state *new_con_state = NULL;
+               struct dm_connector_state *dm_conn_state = NULL;
++              struct drm_plane_state *new_plane_state = NULL;
+               new_stream = NULL;
+@@ -4513,6 +4514,13 @@ static int dm_update_crtcs_state(struct
+               dm_new_crtc_state = to_dm_crtc_state(new_crtc_state);
+               acrtc = to_amdgpu_crtc(crtc);
++              new_plane_state = drm_atomic_get_new_plane_state(state, new_crtc_state->crtc->primary);
++
++              if (new_crtc_state->enable && new_plane_state && !new_plane_state->fb) {
++                      ret = -EINVAL;
++                      goto fail;
++              }
++
+               aconnector = amdgpu_dm_find_first_crtc_matching_connector(state, crtc);
+               /* TODO This hack should go away */
+@@ -4685,7 +4693,7 @@ static int dm_update_planes_state(struct
+                       if (!dm_old_crtc_state->stream)
+                               continue;
+-                      DRM_DEBUG_DRIVER("Disabling DRM plane: %d on DRM crtc %d\n",
++                      DRM_DEBUG_ATOMIC("Disabling DRM plane: %d on DRM crtc %d\n",
+                                       plane->base.id, old_plane_crtc->base.id);
+                       if (!dc_remove_plane_from_context(
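Review bot: The new check in dm_update_crtcs_state() is skipped whenever `drm_atomic_get_new_plane_state()` returns NULL, i.e. when the primary plane is not part of this atomic state, and nothing in the code says this is intended. The description suggests it is, since planes are deliberately not pulled into the state, so a comment on the `if` would help: `/* only reject when the primary plane is in this commit; planes are not added to the state on purpose */`. The -EINVAL path also leaves without a debug message, which makes a rejected commit hard to tell from other failures; a `DRM_DEBUG_ATOMIC()` line before `goto fail` would fix that. The function body starts and ends outside the hunk.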
diff --git a/queue-4.16/drm-amd-display-don-t-read-edid-in-atomic_check.patch b/queue-4.16/drm-amd-display-don-t-read-edid-in-atomic_check.patch
new file mode 100644 (file)
index 0000000..f95274f
--- /dev/null
@@ -0,0 +1,101 @@
+From c7b8de00384be49dc1617a838b0ce89a0235f319 Mon Sep 17 00:00:00 2001
+From: Harry Wentland <harry.wentland@amd.com>
+Date: Thu, 8 Mar 2018 22:05:35 -0500
+Subject: drm/amd/display: Don't read EDID in atomic_check
+
+From: Harry Wentland <harry.wentland@amd.com>
+
+commit c7b8de00384be49dc1617a838b0ce89a0235f319 upstream.
+
+We shouldn't attempt to read EDID in atomic_check. We really shouldn't
+even be modifying the connector object, or any other non-state object,
+but this is a start at least.
+
+Moving EDID cleanup to dm_dp_mst_connector_destroy from
+dm_dp_destroy_mst_connector to ensure the EDID is still available for
+headless mode.
+
+Signed-off-by: Harry Wentland <harry.wentland@amd.com>
+Reviewed-by: Tony Cheng <Tony.Cheng@amd.com>
+Acked-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c |   32 +++---------
+ 1 file changed, 10 insertions(+), 22 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+@@ -157,6 +157,11 @@ dm_dp_mst_connector_destroy(struct drm_c
+       struct amdgpu_dm_connector *amdgpu_dm_connector = to_amdgpu_dm_connector(connector);
+       struct amdgpu_encoder *amdgpu_encoder = amdgpu_dm_connector->mst_encoder;
++      if (amdgpu_dm_connector->edid) {
++              kfree(amdgpu_dm_connector->edid);
++              amdgpu_dm_connector->edid = NULL;
++      }
++
+       drm_encoder_cleanup(&amdgpu_encoder->base);
+       kfree(amdgpu_encoder);
+       drm_connector_cleanup(connector);
+@@ -183,28 +188,22 @@ static int dm_connector_update_modes(str
+ void dm_dp_mst_dc_sink_create(struct drm_connector *connector)
+ {
+       struct amdgpu_dm_connector *aconnector = to_amdgpu_dm_connector(connector);
+-      struct edid *edid;
+       struct dc_sink *dc_sink;
+       struct dc_sink_init_data init_params = {
+                       .link = aconnector->dc_link,
+                       .sink_signal = SIGNAL_TYPE_DISPLAY_PORT_MST };
++      /* FIXME none of this is safe. we shouldn't touch aconnector here in
++       * atomic_check
++       */
++
+       /*
+        * TODO: Need to further figure out why ddc.algo is NULL while MST port exists
+        */
+       if (!aconnector->port || !aconnector->port->aux.ddc.algo)
+               return;
+-      edid = drm_dp_mst_get_edid(connector, &aconnector->mst_port->mst_mgr, aconnector->port);
+-
+-      if (!edid) {
+-              drm_mode_connector_update_edid_property(
+-                      &aconnector->base,
+-                      NULL);
+-              return;
+-      }
+-
+-      aconnector->edid = edid;
++      ASSERT(aconnector->edid);
+       dc_sink = dc_link_add_remote_sink(
+               aconnector->dc_link,
+@@ -217,9 +216,6 @@ void dm_dp_mst_dc_sink_create(struct drm
+       amdgpu_dm_add_sink_to_freesync_module(
+                       connector, aconnector->edid);
+-
+-      drm_mode_connector_update_edid_property(
+-                                      &aconnector->base, aconnector->edid);
+ }
+ static int dm_dp_mst_get_modes(struct drm_connector *connector)
+@@ -426,14 +422,6 @@ static void dm_dp_destroy_mst_connector(
+               dc_sink_release(aconnector->dc_sink);
+               aconnector->dc_sink = NULL;
+       }
+-      if (aconnector->edid) {
+-              kfree(aconnector->edid);
+-              aconnector->edid = NULL;
+-      }
+-
+-      drm_mode_connector_update_edid_property(
+-                      &aconnector->base,
+-                      NULL);
+       aconnector->mst_connected = false;
+ }
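Review bot: In dm_dp_mst_dc_sink_create() the removed code returned early when no EDID was available, while the new `ASSERT(aconnector->edid);` is followed unconditionally by dc_link_add_remote_sink() and by `amdgpu_dm_add_sink_to_freesync_module(connector, aconnector->edid)`. ASSERT's definition is not visible here; if it only warns, a connector whose EDID was never read reaches those calls with a NULL pointer. Keeping an explicit guard after the assert, `if (!aconnector->edid) return;`, would preserve the old early exit. Separately, the `if (amdgpu_dm_connector->edid)` guard added in dm_dp_mst_connector_destroy() is redundant, since kfree(NULL) is a no-op.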
diff --git a/queue-4.16/drm-amd-display-fix-deadlock-when-flushing-irq.patch b/queue-4.16/drm-amd-display-fix-deadlock-when-flushing-irq.patch
new file mode 100644 (file)
index 0000000..316db60
--- /dev/null
@@ -0,0 +1,43 @@
+From ad64dc0137968f09800e58174bbfd5eac9fe5418 Mon Sep 17 00:00:00 2001
+From: Mikita Lipski <mikita.lipski@amd.com>
+Date: Wed, 10 Jan 2018 10:01:38 -0500
+Subject: drm/amd/display: Fix deadlock when flushing irq
+
+From: Mikita Lipski <mikita.lipski@amd.com>
+
+commit ad64dc0137968f09800e58174bbfd5eac9fe5418 upstream.
+
+Lock irq table when reading a work in queue,
+unlock to flush the work, lock again till all tasks
+are cleared
+
+Signed-off-by: Mikita Lipski <mikita.lipski@amd.com>
+Reviewed-by: Harry Wentland <Harry.Wentland@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_irq.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_irq.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_irq.c
+@@ -400,14 +400,15 @@ void amdgpu_dm_irq_fini(struct amdgpu_de
+ {
+       int src;
+       struct irq_list_head *lh;
++      unsigned long irq_table_flags;
+       DRM_DEBUG_KMS("DM_IRQ: releasing resources.\n");
+-
+       for (src = 0; src < DAL_IRQ_SOURCES_NUMBER; src++) {
+-
++              DM_IRQ_TABLE_LOCK(adev, irq_table_flags);
+               /* The handler was removed from the table,
+                * it means it is safe to flush all the 'work'
+                * (because no code can schedule a new one). */
+               lh = &adev->dm.irq_handler_list_low_tab[src];
++              DM_IRQ_TABLE_UNLOCK(adev, irq_table_flags);
+               flush_work(&lh->work);
+       }
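Review bot: In amdgpu_dm_irq_fini() the added DM_IRQ_TABLE_LOCK/UNLOCK pair encloses only `lh = &adev->dm.irq_handler_list_low_tab[src];`, which computes an address and reads no table contents, so the code does not show what the lock protects. If the intent is to wait for a concurrent holder of the table lock before flushing, a comment should say so, e.g. `/* take and drop the table lock so in-flight table users finish before flush_work() */`. The existing comment about the handler having been removed now sits inside the locked region and reads as if it explained the lock; it belongs next to flush_work(), which rightly stays outside the lock because it can sleep.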
diff --git a/queue-4.16/drm-amdgpu-set-compute_pgm_rsrc1-for-sgpr-vgpr-clearing-shaders.patch b/queue-4.16/drm-amdgpu-set-compute_pgm_rsrc1-for-sgpr-vgpr-clearing-shaders.patch
new file mode 100644 (file)
index 0000000..77beadf
--- /dev/null
@@ -0,0 +1,63 @@
+From 75569c182e4f65cd8826a5853dc9cbca703cbd0e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nicolai=20H=C3=A4hnle?= <nicolai.haehnle@amd.com>
+Date: Thu, 12 Apr 2018 16:34:19 +0200
+Subject: drm/amdgpu: set COMPUTE_PGM_RSRC1 for SGPR/VGPR clearing shaders
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nicolai Hähnle <nicolai.haehnle@amd.com>
+
+commit 75569c182e4f65cd8826a5853dc9cbca703cbd0e upstream.
+
+Otherwise, the SQ may skip some of the register writes, or shader waves may
+be allocated where we don't expect them, so that as a result we don't actually
+reset all of the register SRAMs. This can lead to spurious ECC errors later on
+if a shader uses an uninitialized register.
+
+Signed-off-by: Nicolai Hähnle <nicolai.haehnle@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c
+@@ -1459,10 +1459,11 @@ static const u32 sgpr_init_compute_shade
+ static const u32 vgpr_init_regs[] =
+ {
+       mmCOMPUTE_STATIC_THREAD_MGMT_SE0, 0xffffffff,
+-      mmCOMPUTE_RESOURCE_LIMITS, 0,
++      mmCOMPUTE_RESOURCE_LIMITS, 0x1000000, /* CU_GROUP_COUNT=1 */
+       mmCOMPUTE_NUM_THREAD_X, 256*4,
+       mmCOMPUTE_NUM_THREAD_Y, 1,
+       mmCOMPUTE_NUM_THREAD_Z, 1,
++      mmCOMPUTE_PGM_RSRC1, 0x100004f, /* VGPRS=15 (64 logical VGPRs), SGPRS=1 (16 SGPRs), BULKY=1 */
+       mmCOMPUTE_PGM_RSRC2, 20,
+       mmCOMPUTE_USER_DATA_0, 0xedcedc00,
+       mmCOMPUTE_USER_DATA_1, 0xedcedc01,
+@@ -1479,10 +1480,11 @@ static const u32 vgpr_init_regs[] =
+ static const u32 sgpr1_init_regs[] =
+ {
+       mmCOMPUTE_STATIC_THREAD_MGMT_SE0, 0x0f,
+-      mmCOMPUTE_RESOURCE_LIMITS, 0x1000000,
++      mmCOMPUTE_RESOURCE_LIMITS, 0x1000000, /* CU_GROUP_COUNT=1 */
+       mmCOMPUTE_NUM_THREAD_X, 256*5,
+       mmCOMPUTE_NUM_THREAD_Y, 1,
+       mmCOMPUTE_NUM_THREAD_Z, 1,
++      mmCOMPUTE_PGM_RSRC1, 0x240, /* SGPRS=9 (80 GPRS) */
+       mmCOMPUTE_PGM_RSRC2, 20,
+       mmCOMPUTE_USER_DATA_0, 0xedcedc00,
+       mmCOMPUTE_USER_DATA_1, 0xedcedc01,
+@@ -1503,6 +1505,7 @@ static const u32 sgpr2_init_regs[] =
+       mmCOMPUTE_NUM_THREAD_X, 256*5,
+       mmCOMPUTE_NUM_THREAD_Y, 1,
+       mmCOMPUTE_NUM_THREAD_Z, 1,
++      mmCOMPUTE_PGM_RSRC1, 0x240, /* SGPRS=9 (80 GPRS) */
+       mmCOMPUTE_PGM_RSRC2, 20,
+       mmCOMPUTE_USER_DATA_0, 0xedcedc00,
+       mmCOMPUTE_USER_DATA_1, 0xedcedc01,
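Review bot: The comments added in sgpr1_init_regs and sgpr2_init_regs say `SGPRS=9 (80 GPRS)`, while the one in vgpr_init_regs spells the unit out as `16 SGPRs`; the short form reads like a general-purpose register count. I would write `/* SGPRS=9 (80 SGPRs) */` in both places. vgpr_init_regs also changes mmCOMPUTE_RESOURCE_LIMITS from 0 to 0x1000000, which the description does not mention, so a few words in that comment on why CU_GROUP_COUNT=1 is needed there would help.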
diff --git a/queue-4.16/drm-edid-reset-more-of-the-display-info.patch b/queue-4.16/drm-edid-reset-more-of-the-display-info.patch
new file mode 100644 (file)
index 0000000..66610a8
--- /dev/null
@@ -0,0 +1,68 @@
+From 1f6b8eef11c3d097bc8a6b2bbb868eb47ec6f7d8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Tue, 24 Apr 2018 16:02:50 +0300
+Subject: drm/edid: Reset more of the display info
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 1f6b8eef11c3d097bc8a6b2bbb868eb47ec6f7d8 upstream.
+
+We're currently failing to reset everything in display_info.hdmi
+which will potentially cause us to use stale information when
+swapping monitors. Eg. if the user replaces a HDMI 2.0 monitor
+with a HDMI 1.x monitor we will continue to think that the monitor
+supports scrambling. That will lead to a black screen since the
+HDMI 1.x monitor won't understand the scrambled signal.
+
+Fix the problem by clearing display_info.hdmi fully. And while at
+eliminate some duplicated code by calling drm_reset_display_info()
+in drm_add_display_info().
+
+Cc: stable@vger.kernel.org
+Cc: Antony Chen <antonychen@qnap.com>
+Cc: Shashank Sharma <shashank.sharma@intel.com>
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105655
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180424130250.7028-1-ville.syrjala@linux.intel.com
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Tested-by: Antony Chen <antonychen@qnap.com>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_edid.c |   11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -4450,6 +4450,7 @@ drm_reset_display_info(struct drm_connec
+       info->max_tmds_clock = 0;
+       info->dvi_dual = false;
+       info->has_hdmi_infoframe = false;
++      memset(&info->hdmi, 0, sizeof(info->hdmi));
+       info->non_desktop = 0;
+ }
+@@ -4461,17 +4462,11 @@ u32 drm_add_display_info(struct drm_conn
+       u32 quirks = edid_get_quirks(edid);
++      drm_reset_display_info(connector);
++
+       info->width_mm = edid->width_cm * 10;
+       info->height_mm = edid->height_cm * 10;
+-      /* driver figures it out in this case */
+-      info->bpc = 0;
+-      info->color_formats = 0;
+-      info->cea_rev = 0;
+-      info->max_tmds_clock = 0;
+-      info->dvi_dual = false;
+-      info->has_hdmi_infoframe = false;
+-
+       info->non_desktop = !!(quirks & EDID_QUIRK_NON_DESKTOP);
+       DRM_DEBUG_KMS("non_desktop set to %d\n", info->non_desktop);
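Review bot: drm_reset_display_info() still clears the display info field by field, which is how `info->hdmi` came to be missed, and nothing on the function tells whoever adds the next field that it has to be reset here. A short comment above it would help, e.g. `/* every EDID-derived field of display_info must be cleared here; drm_add_display_info() relies on it */`. The start of drm_reset_display_info() is outside the hunk, so whether fields such as width_mm and height_mm are reset there cannot be checked from these lines.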
diff --git a/queue-4.16/drm-i915-audio-set-minimum-cd-clock-to-twice-the-bclk.patch b/queue-4.16/drm-i915-audio-set-minimum-cd-clock-to-twice-the-bclk.patch
new file mode 100644 (file)
index 0000000..2f4fd73
--- /dev/null
@@ -0,0 +1,78 @@
+From 904e1b1ff4c70044334f395aa751c8e73fb42714 Mon Sep 17 00:00:00 2001
+From: Abhay Kumar <abhay.kumar@intel.com>
+Date: Wed, 18 Apr 2018 13:37:07 +0300
+Subject: drm/i915/audio: set minimum CD clock to twice the BCLK
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Abhay Kumar <abhay.kumar@intel.com>
+
+commit 904e1b1ff4c70044334f395aa751c8e73fb42714 upstream.
+
+In GLK when the device boots with only 1366x768 panel without audio, HDA
+codec doesn't come up. In this case, the CDCLK is less than twice the
+BCLK. Even though audio isn't being enabled, having a too low CDCLK
+leads to audio probe failing altogether.
+
+Require CDCLK to be at least twice the BLCK regardless of audio. This is
+a minimal fix to improve things. Unfortunately, this a) leads to too
+high CDCLK being used when audio is not used, and b) is still not enough
+to fix audio probe when no outputs are connected at probe time.
+
+The proper fix would be to increase CDCLK dynamically from the audio
+component hooks.
+
+v2:
+    - Address comment (Jani)
+    - New design approach
+v3: - Typo fix on top of v1
+
+v4 by Jani: rewrite commit message, add comment in code
+
+Cc: stable@vger.kernel.org
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Dhinakaran Pandiyan <dhinakaran.pandiyan@gmail.com>
+Cc: Wenkai Du <wenkai.du@intel.com>
+Reviewed-by: Wenkai Du <wenkai.du@intel.com>
+Tested-by: Wenkai Du <wenkai.du@intel.com>
+Acked-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=102937
+Signed-off-by: Abhay Kumar <abhay.kumar@intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180418103707.14645-1-jani.nikula@intel.com
+(cherry picked from commit 2a5b95b448485e143ec3e004eabe53b31db78eb3)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_cdclk.c |   16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_cdclk.c
++++ b/drivers/gpu/drm/i915/intel_cdclk.c
+@@ -1946,10 +1946,22 @@ int intel_crtc_compute_min_cdclk(const s
+               }
+       }
+-      /* According to BSpec, "The CD clock frequency must be at least twice
++      /*
++       * According to BSpec, "The CD clock frequency must be at least twice
+        * the frequency of the Azalia BCLK." and BCLK is 96 MHz by default.
++       *
++       * FIXME: Check the actual, not default, BCLK being used.
++       *
++       * FIXME: This does not depend on ->has_audio because the higher CDCLK
++       * is required for audio probe, also when there are no audio capable
++       * displays connected at probe time. This leads to unnecessarily high
++       * CDCLK when audio is not required.
++       *
++       * FIXME: This limit is only applied when there are displays connected
++       * at probe time. If we probe without displays, we'll still end up using
++       * the platform minimum CDCLK, failing audio probe.
+        */
+-      if (crtc_state->has_audio && INTEL_GEN(dev_priv) >= 9)
++      if (INTEL_GEN(dev_priv) >= 9)
+               min_cdclk = max(2 * 96000, min_cdclk);
+       /*
diff --git a/queue-4.16/drm-i915-enable-display-wa-1183-from-its-correct-spot.patch b/queue-4.16/drm-i915-enable-display-wa-1183-from-its-correct-spot.patch
new file mode 100644 (file)
index 0000000..659d9c3
--- /dev/null
@@ -0,0 +1,63 @@
+From ac315c621f01d4b8a53dec317c7ae322fd26ff38 Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Thu, 19 Apr 2018 18:51:09 +0300
+Subject: drm/i915: Enable display WA#1183 from its correct spot
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Imre Deak <imre.deak@intel.com>
+
+commit ac315c621f01d4b8a53dec317c7ae322fd26ff38 upstream.
+
+The DMC FW specific part of display WA#1183 is supposed to be enabled
+whenever enabling DC5 or DC6, so move it to the DC6 enable function
+from the DC6 disable function.
+
+I noticed this after Daniel's patch to remove the unused
+skl_disable_dc6() function.
+
+Fixes: 53421c2fe99c ("drm/i915: Apply Display WA #1183 on skl, kbl, and cfl")
+Cc: Lucas De Marchi <lucas.demarchi@intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180419155109.29451-1-imre.deak@intel.com
+(cherry picked from commit b49be6622f08187129561cff0409f7b06b33de57)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_runtime_pm.c |   11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_runtime_pm.c
++++ b/drivers/gpu/drm/i915/intel_runtime_pm.c
+@@ -624,19 +624,18 @@ void skl_enable_dc6(struct drm_i915_priv
+       DRM_DEBUG_KMS("Enabling DC6\n");
+-      gen9_set_dc_state(dev_priv, DC_STATE_EN_UPTO_DC6);
++      /* Wa Display #1183: skl,kbl,cfl */
++      if (IS_GEN9_BC(dev_priv))
++              I915_WRITE(GEN8_CHICKEN_DCPR_1, I915_READ(GEN8_CHICKEN_DCPR_1) |
++                         SKL_SELECT_ALTERNATE_DC_EXIT);
++      gen9_set_dc_state(dev_priv, DC_STATE_EN_UPTO_DC6);
+ }
+ void skl_disable_dc6(struct drm_i915_private *dev_priv)
+ {
+       DRM_DEBUG_KMS("Disabling DC6\n");
+-      /* Wa Display #1183: skl,kbl,cfl */
+-      if (IS_GEN9_BC(dev_priv))
+-              I915_WRITE(GEN8_CHICKEN_DCPR_1, I915_READ(GEN8_CHICKEN_DCPR_1) |
+-                         SKL_SELECT_ALTERNATE_DC_EXIT);
+-
+       gen9_set_dc_state(dev_priv, DC_STATE_DISABLE);
+ }
diff --git a/queue-4.16/drm-i915-fbdev-enable-late-fbdev-initial-configuration.patch b/queue-4.16/drm-i915-fbdev-enable-late-fbdev-initial-configuration.patch
new file mode 100644 (file)
index 0000000..9201d4d
--- /dev/null
@@ -0,0 +1,66 @@
+From 0b551f1e0fc50ee4e3cde2dd639cb010dae5b997 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Roberto=20de=20Souza?= <jose.souza@intel.com>
+Date: Wed, 18 Apr 2018 16:41:58 -0700
+Subject: drm/i915/fbdev: Enable late fbdev initial configuration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Roberto de Souza <jose.souza@intel.com>
+
+commit 0b551f1e0fc50ee4e3cde2dd639cb010dae5b997 upstream.
+
+If the initial fbdev configuration (intel_fbdev_initial_config()) runs
+and there still no sink connected it will cause
+drm_fb_helper_initial_config() to return 0 as no error happened (but
+internally the return is -EAGAIN).  Because no framebuffer was
+allocated, when a sink is connected intel_fbdev_output_poll_changed()
+will not execute drm_fb_helper_hotplug_event() that would trigger
+another try to do the initial fbdev configuration.
+
+So here allowing drm_fb_helper_hotplug_event() to be executed when there
+is no framebuffer allocated and fbdev was not set up yet.
+
+This issue also happens when a MST DP sink is connected since boot, as
+the MST topology is discovered in parallel if
+intel_fbdev_initial_config() is executed before the first sink MST is
+discovered it will cause this same issue.
+
+This is a follow-up patch of
+https://patchwork.freedesktop.org/patch/196089/
+
+Changes from v1:
+- not creating a dump framebuffer anymore, instead just allowing
+  drm_fb_helper_hotplug_event() to execute when fbdev is not setup yet.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=104158
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=104425
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Cc: stable@vger.kernel.org # v4.15+
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: José Roberto de Souza <jose.souza@intel.com>
+Tested-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Tested-by: frederik <frederik.schwan@linux.com> # 4.15.17
+Tested-by: Ian Pilcher <arequipeno@gmail.com>
+Acked-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180418234158.9388-1-jose.souza@intel.com
+(cherry picked from commit df9e6521749ab33cde306e8a4350b0ac7889220a)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_fbdev.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_fbdev.c
++++ b/drivers/gpu/drm/i915/intel_fbdev.c
+@@ -801,7 +801,7 @@ void intel_fbdev_output_poll_changed(str
+               return;
+       intel_fbdev_sync(ifbdev);
+-      if (ifbdev->vma)
++      if (ifbdev->vma || ifbdev->helper.deferred_setup)
+               drm_fb_helper_hotplug_event(&ifbdev->helper);
+ }
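Review bot: The extended condition in intel_fbdev_output_poll_changed() has no comment, and `ifbdev->helper.deferred_setup` is not self-explanatory next to `ifbdev->vma`. I would add `/* no fb yet: let the hotplug event retry the deferred initial config */` above the `if`. The function starts outside the hunk.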
diff --git a/queue-4.16/earlycon-use-a-pointer-table-to-fix-__earlycon_table-stride.patch b/queue-4.16/earlycon-use-a-pointer-table-to-fix-__earlycon_table-stride.patch
new file mode 100644 (file)
index 0000000..e50d75d
--- /dev/null
@@ -0,0 +1,145 @@
+From dd709e72cb934eefd44de8d9969097173fbf45dc Mon Sep 17 00:00:00 2001
+From: Daniel Kurtz <djkurtz@chromium.org>
+Date: Fri, 6 Apr 2018 17:21:53 -0600
+Subject: earlycon: Use a pointer table to fix __earlycon_table stride
+
+From: Daniel Kurtz <djkurtz@chromium.org>
+
+commit dd709e72cb934eefd44de8d9969097173fbf45dc upstream.
+
+Commit 99492c39f39f ("earlycon: Fix __earlycon_table stride") tried to fix
+__earlycon_table stride by forcing the earlycon_id struct alignment to 32
+and asking the linker to 32-byte align the __earlycon_table symbol.  This
+fix was based on commit 07fca0e57fca92 ("tracing: Properly align linker
+defined symbols") which tried a similar fix for the tracing subsystem.
+
+However, this fix doesn't quite work because there is no guarantee that
+gcc will place structures packed into an array format.  In fact, gcc 4.9
+chooses to 64-byte align these structs by inserting additional padding
+between the entries because it has no clue that they are supposed to be in
+an array.  If we are unlucky, the linker will assign symbol
+"__earlycon_table" to a 32-byte aligned address which does not correspond
+to the 64-byte aligned contents of section "__earlycon_table".
+
+To address this same problem, the fix to the tracing system was
+subsequently re-implemented using a more robust table of pointers approach
+by commits:
+ 3d56e331b653 ("tracing: Replace syscall_meta_data struct array with pointer array")
+ 654986462939 ("tracepoints: Fix section alignment using pointer array")
+ e4a9ea5ee7c8 ("tracing: Replace trace_event struct array with pointer array")
+
+Let's use this same "array of pointers to structs" approach for
+EARLYCON_TABLE.
+
+Fixes: 99492c39f39f ("earlycon: Fix __earlycon_table stride")
+Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>
+Suggested-by: Aaron Durbin <adurbin@chromium.org>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Tested-by: Guenter Roeck <groeck@chromium.org>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/of/fdt.c                  |    7 +++++--
+ drivers/tty/serial/earlycon.c     |    6 ++++--
+ include/asm-generic/vmlinux.lds.h |    2 +-
+ include/linux/serial_core.h       |   21 ++++++++++++++-------
+ 4 files changed, 24 insertions(+), 12 deletions(-)
+
+--- a/drivers/of/fdt.c
++++ b/drivers/of/fdt.c
+@@ -942,7 +942,7 @@ int __init early_init_dt_scan_chosen_std
+       int offset;
+       const char *p, *q, *options = NULL;
+       int l;
+-      const struct earlycon_id *match;
++      const struct earlycon_id **p_match;
+       const void *fdt = initial_boot_params;
+       offset = fdt_path_offset(fdt, "/chosen");
+@@ -969,7 +969,10 @@ int __init early_init_dt_scan_chosen_std
+               return 0;
+       }
+-      for (match = __earlycon_table; match < __earlycon_table_end; match++) {
++      for (p_match = __earlycon_table; p_match < __earlycon_table_end;
++           p_match++) {
++              const struct earlycon_id *match = *p_match;
++
+               if (!match->compatible[0])
+                       continue;
+--- a/drivers/tty/serial/earlycon.c
++++ b/drivers/tty/serial/earlycon.c
+@@ -169,7 +169,7 @@ static int __init register_earlycon(char
+  */
+ int __init setup_earlycon(char *buf)
+ {
+-      const struct earlycon_id *match;
++      const struct earlycon_id **p_match;
+       if (!buf || !buf[0])
+               return -EINVAL;
+@@ -177,7 +177,9 @@ int __init setup_earlycon(char *buf)
+       if (early_con.flags & CON_ENABLED)
+               return -EALREADY;
+-      for (match = __earlycon_table; match < __earlycon_table_end; match++) {
++      for (p_match = __earlycon_table; p_match < __earlycon_table_end;
++           p_match++) {
++              const struct earlycon_id *match = *p_match;
+               size_t len = strlen(match->name);
+               if (strncmp(buf, match->name, len))
+--- a/include/asm-generic/vmlinux.lds.h
++++ b/include/asm-generic/vmlinux.lds.h
+@@ -179,7 +179,7 @@
+ #endif
+ #ifdef CONFIG_SERIAL_EARLYCON
+-#define EARLYCON_TABLE() STRUCT_ALIGN();                      \
++#define EARLYCON_TABLE() . = ALIGN(8);                                \
+                        VMLINUX_SYMBOL(__earlycon_table) = .;  \
+                        KEEP(*(__earlycon_table))              \
+                        VMLINUX_SYMBOL(__earlycon_table_end) = .;
+--- a/include/linux/serial_core.h
++++ b/include/linux/serial_core.h
+@@ -351,10 +351,10 @@ struct earlycon_id {
+       char    name[16];
+       char    compatible[128];
+       int     (*setup)(struct earlycon_device *, const char *options);
+-} __aligned(32);
++};
+-extern const struct earlycon_id __earlycon_table[];
+-extern const struct earlycon_id __earlycon_table_end[];
++extern const struct earlycon_id *__earlycon_table[];
++extern const struct earlycon_id *__earlycon_table_end[];
+ #if defined(CONFIG_SERIAL_EARLYCON) && !defined(MODULE)
+ #define EARLYCON_USED_OR_UNUSED       __used
+@@ -362,12 +362,19 @@ extern const struct earlycon_id __earlyc
+ #define EARLYCON_USED_OR_UNUSED       __maybe_unused
+ #endif
+-#define OF_EARLYCON_DECLARE(_name, compat, fn)                                \
+-      static const struct earlycon_id __UNIQUE_ID(__earlycon_##_name) \
+-           EARLYCON_USED_OR_UNUSED __section(__earlycon_table)        \
++#define _OF_EARLYCON_DECLARE(_name, compat, fn, unique_id)            \
++      static const struct earlycon_id unique_id                       \
++           EARLYCON_USED_OR_UNUSED __initconst                        \
+               = { .name = __stringify(_name),                         \
+                   .compatible = compat,                               \
+-                  .setup = fn  }
++                  .setup = fn  };                                     \
++      static const struct earlycon_id EARLYCON_USED_OR_UNUSED         \
++              __section(__earlycon_table)                             \
++              * const __PASTE(__p, unique_id) = &unique_id
++
++#define OF_EARLYCON_DECLARE(_name, compat, fn)                                \
++      _OF_EARLYCON_DECLARE(_name, compat, fn,                         \
++                           __UNIQUE_ID(__earlycon_##_name))
+ #define EARLYCON_DECLARE(_name, fn)   OF_EARLYCON_DECLARE(_name, "", fn)
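Review bot: The new `. = ALIGN(8);` in EARLYCON_TABLE() hard-codes the alignment with no hint that the section now holds pointers rather than `struct earlycon_id` entries. A comment above the macro such as `/* __earlycon_table is an array of pointers to struct earlycon_id */` would keep someone from restoring STRUCT_ALIGN() or walking the section by struct stride again. The loops in drivers/of/fdt.c and in setup_earlycon() dereference `*p_match` without a NULL check. That holds only as long as every slot is emitted by _OF_EARLYCON_DECLARE, which is worth stating next to the extern declarations in serial_core.h.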
diff --git a/queue-4.16/fpga-manager-altera-ps-spi-preserve-nconfig-state.patch b/queue-4.16/fpga-manager-altera-ps-spi-preserve-nconfig-state.patch
new file mode 100644 (file)
index 0000000..aff7496
--- /dev/null
@@ -0,0 +1,35 @@
+From 881c93c0fb73328845898344208fa0bf0d62cac6 Mon Sep 17 00:00:00 2001
+From: Anatolij Gustschin <agust@denx.de>
+Date: Sun, 15 Apr 2018 11:33:08 -0700
+Subject: fpga-manager: altera-ps-spi: preserve nCONFIG state
+
+From: Anatolij Gustschin <agust@denx.de>
+
+commit 881c93c0fb73328845898344208fa0bf0d62cac6 upstream.
+
+If the driver module is loaded when FPGA is configured, the FPGA
+is reset because nconfig is pulled low (low-active gpio inited
+with GPIOD_OUT_HIGH activates the signal which means setting its
+value to low). Init nconfig with GPIOD_OUT_LOW to prevent this.
+
+Signed-off-by: Anatolij Gustschin <agust@denx.de>
+Acked-by: Alan Tull <atull@kernel.org>
+Signed-off-by: Moritz Fischer <mdf@kernel.org>
+Cc: stable <stable@vger.kernel.org> # 4.14+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/fpga/altera-ps-spi.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/fpga/altera-ps-spi.c
++++ b/drivers/fpga/altera-ps-spi.c
+@@ -249,7 +249,7 @@ static int altera_ps_probe(struct spi_de
+       conf->data = of_id->data;
+       conf->spi = spi;
+-      conf->config = devm_gpiod_get(&spi->dev, "nconfig", GPIOD_OUT_HIGH);
++      conf->config = devm_gpiod_get(&spi->dev, "nconfig", GPIOD_OUT_LOW);
+       if (IS_ERR(conf->config)) {
+               dev_err(&spi->dev, "Failed to get config gpio: %ld\n",
+                       PTR_ERR(conf->config));
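Review bot: The flag passed to devm_gpiod_get() in altera_ps_probe() looks inverted to a reader who does not know the line is active-low, and the code carries no comment. I would add `/* nconfig is active-low: GPIOD_OUT_LOW leaves it deasserted so an already configured FPGA is not reset */` above the call. The function continues outside the hunk.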
diff --git a/queue-4.16/kvm-arm-arm64-close-vmid-generation-race.patch b/queue-4.16/kvm-arm-arm64-close-vmid-generation-race.patch
new file mode 100644 (file)
index 0000000..c7e74c7
--- /dev/null
@@ -0,0 +1,92 @@
+From f0cf47d939d0b4b4f660c5aaa4276fa3488f3391 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Wed, 4 Apr 2018 14:48:24 +0100
+Subject: KVM: arm/arm64: Close VMID generation race
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit f0cf47d939d0b4b4f660c5aaa4276fa3488f3391 upstream.
+
+Before entering the guest, we check whether our VMID is still
+part of the current generation. In order to avoid taking a lock,
+we start with checking that the generation is still current, and
+only if not current do we take the lock, recheck, and update the
+generation and VMID.
+
+This leaves open a small race: A vcpu can bump up the global
+generation number as well as the VM's, but has not updated
+the VMID itself yet.
+
+At that point another vcpu from the same VM comes in, checks
+the generation (and finds it not needing anything), and jumps
+into the guest. At this point, we end-up with two vcpus belonging
+to the same VM running with two different VMIDs. Eventually, the
+VMID used by the second vcpu will get reassigned, and things will
+really go wrong...
+
+A simple solution would be to drop this initial check, and always take
+the lock. This is likely to cause performance issues. A middle ground
+is to convert the spinlock to a rwlock, and only take the read lock
+on the fast path. If the check fails at that point, drop it and
+acquire the write lock, rechecking the condition.
+
+This ensures that the above scenario doesn't occur.
+
+Cc: stable@vger.kernel.org
+Reported-by: Mark Rutland <mark.rutland@arm.com>
+Tested-by: Shannon Zhao <zhaoshenglong@huawei.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/arm/arm.c |   15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/virt/kvm/arm/arm.c
++++ b/virt/kvm/arm/arm.c
+@@ -63,7 +63,7 @@ static DEFINE_PER_CPU(struct kvm_vcpu *,
+ static atomic64_t kvm_vmid_gen = ATOMIC64_INIT(1);
+ static u32 kvm_next_vmid;
+ static unsigned int kvm_vmid_bits __read_mostly;
+-static DEFINE_SPINLOCK(kvm_vmid_lock);
++static DEFINE_RWLOCK(kvm_vmid_lock);
+ static bool vgic_present;
+@@ -470,11 +470,16 @@ static void update_vttbr(struct kvm *kvm
+ {
+       phys_addr_t pgd_phys;
+       u64 vmid;
++      bool new_gen;
+-      if (!need_new_vmid_gen(kvm))
++      read_lock(&kvm_vmid_lock);
++      new_gen = need_new_vmid_gen(kvm);
++      read_unlock(&kvm_vmid_lock);
++
++      if (!new_gen)
+               return;
+-      spin_lock(&kvm_vmid_lock);
++      write_lock(&kvm_vmid_lock);
+       /*
+        * We need to re-check the vmid_gen here to ensure that if another vcpu
+@@ -482,7 +487,7 @@ static void update_vttbr(struct kvm *kvm
+        * use the same vmid.
+        */
+       if (!need_new_vmid_gen(kvm)) {
+-              spin_unlock(&kvm_vmid_lock);
++              write_unlock(&kvm_vmid_lock);
+               return;
+       }
+@@ -516,7 +521,7 @@ static void update_vttbr(struct kvm *kvm
+       vmid = ((u64)(kvm->arch.vmid) << VTTBR_VMID_SHIFT) & VTTBR_VMID_MASK(kvm_vmid_bits);
+       kvm->arch.vttbr = kvm_phys_to_vttbr(pgd_phys) | vmid;
+-      spin_unlock(&kvm_vmid_lock);
++      write_unlock(&kvm_vmid_lock);
+ }
+ static int kvm_vcpu_first_run_init(struct kvm_vcpu *vcpu)
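Review bot: The read_lock()/read_unlock() pair added around need_new_vmid_gen() in update_vttbr() has no comment, and a lock held across a single read looks removable to the next maintainer. According to the commit message, it makes the fast path wait while another vcpu holds the write lock between bumping the generation and writing the new VMID, so two vcpus of one VM never run with different VMIDs. I would add above it: `/* Wait for a concurrent generation+VMID update (done under write_lock) to finish before trusting the check */`. The part of update_vttbr() between the re-check and the final write_unlock() is outside the hunks, so the claim that the generation bump and VMID assignment both sit inside the write-locked region is inferred from the description rather than visible.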
diff --git a/queue-4.16/libceph-reschedule-a-tick-in-finish_hunting.patch b/queue-4.16/libceph-reschedule-a-tick-in-finish_hunting.patch
new file mode 100644 (file)
index 0000000..281be53
--- /dev/null
@@ -0,0 +1,49 @@
+From 7b4c443d139f1d2b5570da475f7a9cbcef86740c Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Mon, 23 Apr 2018 15:25:10 +0200
+Subject: libceph: reschedule a tick in finish_hunting()
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 7b4c443d139f1d2b5570da475f7a9cbcef86740c upstream.
+
+If we go without an established session for a while, backoff delay will
+climb to 30 seconds.  The keepalive timeout is also 30 seconds, so it's
+pretty easily hit after a prolonged hunting for a monitor: we don't get
+a chance to send out a keepalive in time, which means we never get back
+a keepalive ack in time, cutting an established session and attempting
+to connect to a different monitor every 30 seconds:
+
+  [Sun Apr 1 23:37:05 2018] libceph: mon0 10.80.20.99:6789 session established
+  [Sun Apr 1 23:37:36 2018] libceph: mon0 10.80.20.99:6789 session lost, hunting for new mon
+  [Sun Apr 1 23:37:36 2018] libceph: mon2 10.80.20.103:6789 session established
+  [Sun Apr 1 23:38:07 2018] libceph: mon2 10.80.20.103:6789 session lost, hunting for new mon
+  [Sun Apr 1 23:38:07 2018] libceph: mon1 10.80.20.100:6789 session established
+  [Sun Apr 1 23:38:37 2018] libceph: mon1 10.80.20.100:6789 session lost, hunting for new mon
+  [Sun Apr 1 23:38:37 2018] libceph: mon2 10.80.20.103:6789 session established
+  [Sun Apr 1 23:39:08 2018] libceph: mon2 10.80.20.103:6789 session lost, hunting for new mon
+
+The regular keepalive interval is 10 seconds.  After ->hunting is
+cleared in finish_hunting(), call __schedule_delayed() to ensure we
+send out a keepalive after 10 seconds.
+
+Cc: stable@vger.kernel.org # 4.7+
+Link: http://tracker.ceph.com/issues/23537
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Jason Dillaman <dillaman@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/mon_client.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ceph/mon_client.c
++++ b/net/ceph/mon_client.c
+@@ -1133,6 +1133,7 @@ static void finish_hunting(struct ceph_m
+               monc->hunting = false;
+               monc->had_a_connection = true;
+               un_backoff(monc);
++              __schedule_delayed(monc);
+       }
+ }
diff --git a/queue-4.16/libceph-un-backoff-on-tick-when-we-have-a-authenticated-session.patch b/queue-4.16/libceph-un-backoff-on-tick-when-we-have-a-authenticated-session.patch
new file mode 100644 (file)
index 0000000..f07f31f
--- /dev/null
@@ -0,0 +1,60 @@
+From facb9f6eba3df4e8027301cc0e514dc582a1b366 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Mon, 23 Apr 2018 15:25:10 +0200
+Subject: libceph: un-backoff on tick when we have a authenticated session
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit facb9f6eba3df4e8027301cc0e514dc582a1b366 upstream.
+
+This means that if we do some backoff, then authenticate, and are
+healthy for an extended period of time, a subsequent failure won't
+leave us starting our hunting sequence with a large backoff.
+
+Mirrors ceph.git commit d466bc6e66abba9b464b0b69687cf45c9dccf383.
+
+Cc: stable@vger.kernel.org # 4.7+
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Jason Dillaman <dillaman@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/mon_client.c |   13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/net/ceph/mon_client.c
++++ b/net/ceph/mon_client.c
+@@ -209,6 +209,14 @@ static void reopen_session(struct ceph_m
+       __open_session(monc);
+ }
++static void un_backoff(struct ceph_mon_client *monc)
++{
++      monc->hunt_mult /= 2; /* reduce by 50% */
++      if (monc->hunt_mult < 1)
++              monc->hunt_mult = 1;
++      dout("%s hunt_mult now %d\n", __func__, monc->hunt_mult);
++}
++
+ /*
+  * Reschedule delayed work timer.
+  */
+@@ -963,6 +971,7 @@ static void delayed_work(struct work_str
+               if (!monc->hunting) {
+                       ceph_con_keepalive(&monc->con);
+                       __validate_auth(monc);
++                      un_backoff(monc);
+               }
+               if (is_auth &&
+@@ -1123,9 +1132,7 @@ static void finish_hunting(struct ceph_m
+               dout("%s found mon%d\n", __func__, monc->cur_mon);
+               monc->hunting = false;
+               monc->had_a_connection = true;
+-              monc->hunt_mult /= 2; /* reduce by 50% */
+-              if (monc->hunt_mult < 1)
+-                      monc->hunt_mult = 1;
++              un_backoff(monc);
+       }
+ }
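Review bot: The new un_backoff() helper has no header comment, while the neighbouring helper in the same hunk carries one (`Reschedule delayed work timer.`). It is now called from both finish_hunting() and the non-hunting branch of delayed_work(), so a one-line description would help: `/* Halve the hunting backoff multiplier, never going below 1. */`. The subject says the tick-time call is for an authenticated session, but the call is gated only on `!monc->hunting`. Whether that implies authentication is not visible in these hunks and would be worth stating in a comment at the call site.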
diff --git a/queue-4.16/libceph-validate-con-state-at-the-top-of-try_write.patch b/queue-4.16/libceph-validate-con-state-at-the-top-of-try_write.patch
new file mode 100644 (file)
index 0000000..ee6de6a
--- /dev/null
@@ -0,0 +1,56 @@
+From 9c55ad1c214d9f8c4594ac2c3fa392c1c32431a7 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Tue, 24 Apr 2018 19:10:55 +0200
+Subject: libceph: validate con->state at the top of try_write()
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 9c55ad1c214d9f8c4594ac2c3fa392c1c32431a7 upstream.
+
+ceph_con_workfn() validates con->state before calling try_read() and
+then try_write().  However, try_read() temporarily releases con->mutex,
+notably in process_message() and ceph_con_in_msg_alloc(), opening the
+window for ceph_con_close() to sneak in, close the connection and
+release con->sock.  When try_write() is called on the assumption that
+con->state is still valid (i.e. not STANDBY or CLOSED), a NULL sock
+gets passed to the networking stack:
+
+  BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
+  IP: selinux_socket_sendmsg+0x5/0x20
+
+Make sure con->state is valid at the top of try_write() and add an
+explicit BUG_ON for this, similar to try_read().
+
+Cc: stable@vger.kernel.org
+Link: https://tracker.ceph.com/issues/23706
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Jason Dillaman <dillaman@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/messenger.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -2531,6 +2531,11 @@ static int try_write(struct ceph_connect
+       int ret = 1;
+       dout("try_write start %p state %lu\n", con, con->state);
++      if (con->state != CON_STATE_PREOPEN &&
++          con->state != CON_STATE_CONNECTING &&
++          con->state != CON_STATE_NEGOTIATING &&
++          con->state != CON_STATE_OPEN)
++              return 0;
+ more:
+       dout("try_write out_kvec_bytes %d\n", con->out_kvec_bytes);
+@@ -2556,6 +2561,8 @@ more:
+       }
+ more_kvec:
++      BUG_ON(!con->sock);
++
+       /* kvec data queued? */
+       if (con->out_kvec_left) {
+               ret = write_partial_kvec(con);
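Review bot: The state check added at the top of try_write() carries no comment explaining why state that ceph_con_workfn() already validated is checked again. The commit message gives the reason: try_read() temporarily drops con->mutex, so ceph_con_close() can run in between and release con->sock. That belongs in the code: `/* try_read() may have dropped con->mutex; con->state can have changed since the caller checked it */`. Separately, `BUG_ON(!con->sock)` at more_kvec turns any remaining inconsistency into a kernel halt. It mirrors try_read() as the description says, but a `WARN_ON_ONCE()` with an error return may be worth considering if the callers can handle one, which is not visible here; try_write() continues outside both hunks.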
diff --git a/queue-4.16/module-fix-display-of-wrong-module-.text-address.patch b/queue-4.16/module-fix-display-of-wrong-module-.text-address.patch
new file mode 100644 (file)
index 0000000..b927c56
--- /dev/null
@@ -0,0 +1,49 @@
+From be71eda5383faa663efdba9ef54a6b8255e3c7f0 Mon Sep 17 00:00:00 2001
+From: Thomas Richter <tmricht@linux.ibm.com>
+Date: Wed, 18 Apr 2018 09:14:36 +0200
+Subject: module: Fix display of wrong module .text address
+
+From: Thomas Richter <tmricht@linux.ibm.com>
+
+commit be71eda5383faa663efdba9ef54a6b8255e3c7f0 upstream.
+
+Reading file /proc/modules shows the correct address:
+[root@s35lp76 ~]# cat /proc/modules | egrep '^qeth_l2'
+qeth_l2 94208 1 - Live 0x000003ff80401000
+
+and reading file /sys/module/qeth_l2/sections/.text
+[root@s35lp76 ~]# cat /sys/module/qeth_l2/sections/.text
+0x0000000018ea8363
+displays a random address.
+
+This breaks the perf tool which uses this address on s390
+to calculate start of .text section in memory.
+
+Fix this by printing the correct (unhashed) address.
+
+Thanks to Jessica Yu for helping on this.
+
+Fixes: ef0010a30935 ("vsprintf: don't use 'restricted_pointer()' when not restricting")
+Cc: <stable@vger.kernel.org> # v4.15+
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Cc: Jessica Yu <jeyu@kernel.org>
+Signed-off-by: Jessica Yu <jeyu@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/module.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -1472,7 +1472,8 @@ static ssize_t module_sect_show(struct m
+ {
+       struct module_sect_attr *sattr =
+               container_of(mattr, struct module_sect_attr, mattr);
+-      return sprintf(buf, "0x%pK\n", (void *)sattr->address);
++      return sprintf(buf, "0x%px\n", kptr_restrict < 2 ?
++                     (void *)sattr->address : NULL);
+ }
+ static void free_sect_attrs(struct module_sect_attrs *sect_attrs)
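Review bot: The new condition in module_sect_show() prints the raw section address with `%px` whenever `kptr_restrict < 2`, which drops the per-reader check that `%pK` applied when kptr_restrict is 1 (CAP_SYSLOG required). With kptr_restrict set to 1, any task that can read the sections file now gets an unhashed kernel address, which weakens KASLR unless the sysfs file mode already limits readers; that mode is set outside this hunk. I would gate the output on the reader's privilege as well as the sysctl, for example `kallsyms_show_value() ? (void *)sattr->address : NULL`, or document next to the `sprintf()` why the file mode alone is sufficient. The function's signature is outside the hunk.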
diff --git a/queue-4.16/objtool-perf-fix-gcc-8-wrestrict-error.patch b/queue-4.16/objtool-perf-fix-gcc-8-wrestrict-error.patch
new file mode 100644 (file)
index 0000000..f7690d1
--- /dev/null
@@ -0,0 +1,49 @@
+From 854e55ad289ef8888e7991f0ada85d5846f5afb9 Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Thu, 15 Mar 2018 22:11:54 -0500
+Subject: objtool, perf: Fix GCC 8 -Wrestrict error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+
+commit 854e55ad289ef8888e7991f0ada85d5846f5afb9 upstream.
+
+Starting with recent GCC 8 builds, objtool and perf fail to build with
+the following error:
+
+  ../str_error_r.c: In function ‘str_error_r’:
+  ../str_error_r.c:25:3: error: passing argument 1 to restrict-qualified parameter aliases with argument 5 [-Werror=restrict]
+     snprintf(buf, buflen, "INTERNAL ERROR: strerror_r(%d, %p, %zd)=%d", errnum, buf, buflen, err);
+
+The code seems harmless, but there's probably no benefit in printing the
+'buf' pointer in this situation anyway, so just remove it to make GCC
+happy.
+
+Reported-by: Laura Abbott <labbott@redhat.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Tested-by: Laura Abbott <labbott@redhat.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Wang Nan <wangnan0@huawei.com>
+Link: http://lkml.kernel.org/r/20180316031154.juk2uncs7baffctp@treble
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Fredrik Schön <fredrikschon@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/lib/str_error_r.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/lib/str_error_r.c
++++ b/tools/lib/str_error_r.c
+@@ -22,6 +22,6 @@ char *str_error_r(int errnum, char *buf,
+ {
+       int err = strerror_r(errnum, buf, buflen);
+       if (err)
+-              snprintf(buf, buflen, "INTERNAL ERROR: strerror_r(%d, %p, %zd)=%d", errnum, buf, buflen, err);
++              snprintf(buf, buflen, "INTERNAL ERROR: strerror_r(%d, [buf], %zd)=%d", errnum, buflen, err);
+       return buf;
+ }
diff --git a/queue-4.16/pci-aardvark-fix-logic-in-advk_pcie_-rd-wr-_conf.patch b/queue-4.16/pci-aardvark-fix-logic-in-advk_pcie_-rd-wr-_conf.patch
new file mode 100644 (file)
index 0000000..db72fb8
--- /dev/null
@@ -0,0 +1,52 @@
+From 660661afcd40ed7f515ef3369721ed58e80c0fc5 Mon Sep 17 00:00:00 2001
+From: Victor Gu <xigu@marvell.com>
+Date: Fri, 6 Apr 2018 16:55:31 +0200
+Subject: PCI: aardvark: Fix logic in advk_pcie_{rd,wr}_conf()
+
+From: Victor Gu <xigu@marvell.com>
+
+commit 660661afcd40ed7f515ef3369721ed58e80c0fc5 upstream.
+
+The PCI configuration space read/write functions were special casing
+the situation where PCI_SLOT(devfn) != 0, and returned
+PCIBIOS_DEVICE_NOT_FOUND in this case.
+
+However, while this is what is intended for the root bus, it is not
+intended for the child busses, as it prevents discovering devices with
+PCI_SLOT(x) != 0. Therefore, we return PCIBIOS_DEVICE_NOT_FOUND only
+if we're on the root bus.
+
+Fixes: 8c39d710363c1 ("PCI: aardvark: Add Aardvark PCI host controller driver")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Victor Gu <xigu@marvell.com>
+Reviewed-by: Wilson Ding <dingwei@marvell.com>
+Reviewed-by: Nadav Haklai <nadavh@marvell.com>
+[Thomas: tweak commit log.]
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/host/pci-aardvark.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/host/pci-aardvark.c
++++ b/drivers/pci/host/pci-aardvark.c
+@@ -437,7 +437,7 @@ static int advk_pcie_rd_conf(struct pci_
+       u32 reg;
+       int ret;
+-      if (PCI_SLOT(devfn) != 0) {
++      if ((bus->number == pcie->root_bus_nr) && PCI_SLOT(devfn) != 0) {
+               *val = 0xffffffff;
+               return PCIBIOS_DEVICE_NOT_FOUND;
+       }
+@@ -491,7 +491,7 @@ static int advk_pcie_wr_conf(struct pci_
+       int offset;
+       int ret;
+-      if (PCI_SLOT(devfn) != 0)
++      if ((bus->number == pcie->root_bus_nr) && PCI_SLOT(devfn) != 0)
+               return PCIBIOS_DEVICE_NOT_FOUND;
+       if (where % size)
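Review bot: The compound test `(bus->number == pcie->root_bus_nr) && PCI_SLOT(devfn) != 0` is now duplicated in advk_pcie_rd_conf() and advk_pcie_wr_conf(), with no comment saying why only the root bus is restricted to slot 0. A small helper shared by both accessors keeps the two copies from drifting apart and gives the rule one documented home. The extra parentheses around the first comparison can go at the same time. Both functions begin and end outside their hunks, so the parameter types in the sketch below are inferred from the truncated hunk headers and should be checked.

```c
/* Config accesses to slots other than 0 are rejected on the root bus only. */
static bool advk_pcie_valid_device(struct advk_pcie *pcie, struct pci_bus *bus,
				   int devfn)
{
	return !(bus->number == pcie->root_bus_nr && PCI_SLOT(devfn) != 0);
}

/* in advk_pcie_rd_conf() */
	if (!advk_pcie_valid_device(pcie, bus, devfn)) {
		*val = 0xffffffff;
		return PCIBIOS_DEVICE_NOT_FOUND;
	}
/* ... unchanged: rest of the read path ... */

/* in advk_pcie_wr_conf() */
	if (!advk_pcie_valid_device(pcie, bus, devfn))
		return PCIBIOS_DEVICE_NOT_FOUND;
```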
diff --git a/queue-4.16/pci-aardvark-fix-pcie-max-read-request-size-setting.patch b/queue-4.16/pci-aardvark-fix-pcie-max-read-request-size-setting.patch
new file mode 100644 (file)
index 0000000..f87830f
--- /dev/null
@@ -0,0 +1,47 @@
+From fc31c4e347c9dad50544d01d5ee98b22c7df88bb Mon Sep 17 00:00:00 2001
+From: Evan Wang <xswang@marvell.com>
+Date: Fri, 6 Apr 2018 16:55:34 +0200
+Subject: PCI: aardvark: Fix PCIe Max Read Request Size setting
+
+From: Evan Wang <xswang@marvell.com>
+
+commit fc31c4e347c9dad50544d01d5ee98b22c7df88bb upstream.
+
+There is an obvious typo issue in the definition of the PCIe maximum
+read request size: a bit shift is directly used as a value, while it
+should be used to shift the correct value.
+
+Fixes: 8c39d710363c1 ("PCI: aardvark: Add Aardvark PCI host controller driver")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Evan Wang <xswang@marvell.com>
+Reviewed-by: Victor Gu <xigu@marvell.com>
+Reviewed-by: Nadav Haklai <nadavh@marvell.com>
+[Thomas: tweak commit log.]
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/host/pci-aardvark.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/host/pci-aardvark.c
++++ b/drivers/pci/host/pci-aardvark.c
+@@ -29,6 +29,7 @@
+ #define     PCIE_CORE_DEV_CTRL_STATS_MAX_PAYLOAD_SZ_SHIFT     5
+ #define     PCIE_CORE_DEV_CTRL_STATS_SNOOP_DISABLE            (0 << 11)
+ #define     PCIE_CORE_DEV_CTRL_STATS_MAX_RD_REQ_SIZE_SHIFT    12
++#define     PCIE_CORE_DEV_CTRL_STATS_MAX_RD_REQ_SZ            0x2
+ #define PCIE_CORE_LINK_CTRL_STAT_REG                          0xd0
+ #define     PCIE_CORE_LINK_L0S_ENTRY                          BIT(0)
+ #define     PCIE_CORE_LINK_TRAINING                           BIT(5)
+@@ -295,7 +296,8 @@ static void advk_pcie_setup_hw(struct ad
+       reg = PCIE_CORE_DEV_CTRL_STATS_RELAX_ORDER_DISABLE |
+               (7 << PCIE_CORE_DEV_CTRL_STATS_MAX_PAYLOAD_SZ_SHIFT) |
+               PCIE_CORE_DEV_CTRL_STATS_SNOOP_DISABLE |
+-              PCIE_CORE_DEV_CTRL_STATS_MAX_RD_REQ_SIZE_SHIFT;
++              (PCIE_CORE_DEV_CTRL_STATS_MAX_RD_REQ_SZ <<
++               PCIE_CORE_DEV_CTRL_STATS_MAX_RD_REQ_SIZE_SHIFT);
+       advk_writel(pcie, reg, PCIE_CORE_DEV_CTRL_STATS_REG);
+       /* Program PCIe Control 2 to disable strict ordering */
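Review bot: The new `PCIE_CORE_DEV_CTRL_STATS_MAX_RD_REQ_SZ` constant is a bare `0x2` with nothing saying what request size it encodes. If the field follows the standard PCIe Device Control encoding, 0x2 selects 512 bytes, and a trailing comment such as `/* 512-byte Max_Read_Request_Size */` would record that; please confirm against the controller documentation. The neighbouring `(7 << PCIE_CORE_DEV_CTRL_STATS_MAX_PAYLOAD_SZ_SHIFT)` in advk_pcie_setup_hw() has the same problem and could get a named value in the same style. advk_pcie_setup_hw() starts and ends outside the hunk.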
diff --git a/queue-4.16/pci-aardvark-set-pio_addr_ls-correctly-in-advk_pcie_rd_conf.patch b/queue-4.16/pci-aardvark-set-pio_addr_ls-correctly-in-advk_pcie_rd_conf.patch
new file mode 100644 (file)
index 0000000..246d29c
--- /dev/null
@@ -0,0 +1,48 @@
+From 4fa3999ee672c54a5498ce98e20fe3fdf9c1cbb4 Mon Sep 17 00:00:00 2001
+From: Victor Gu <xigu@marvell.com>
+Date: Fri, 6 Apr 2018 16:55:32 +0200
+Subject: PCI: aardvark: Set PIO_ADDR_LS correctly in advk_pcie_rd_conf()
+
+From: Victor Gu <xigu@marvell.com>
+
+commit 4fa3999ee672c54a5498ce98e20fe3fdf9c1cbb4 upstream.
+
+When setting the PIO_ADDR_LS register during a configuration read, we
+were properly passing the device number, function number and register
+number, but not the bus number, causing issues when reading the
+configuration of PCIe devices.
+
+Fixes: 8c39d710363c1 ("PCI: aardvark: Add Aardvark PCI host controller driver")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Victor Gu <xigu@marvell.com>
+Reviewed-by: Wilson Ding <dingwei@marvell.com>
+Reviewed-by: Nadav Haklai <nadavh@marvell.com>
+[Thomas: tweak commit log.]
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/host/pci-aardvark.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/pci/host/pci-aardvark.c
++++ b/drivers/pci/host/pci-aardvark.c
+@@ -172,8 +172,6 @@
+ #define PCIE_CONFIG_WR_TYPE0                  0xa
+ #define PCIE_CONFIG_WR_TYPE1                  0xb
+-/* PCI_BDF shifts 8bit, so we need extra 4bit shift */
+-#define PCIE_BDF(dev)                         (dev << 4)
+ #define PCIE_CONF_BUS(bus)                    (((bus) & 0xff) << 20)
+ #define PCIE_CONF_DEV(dev)                    (((dev) & 0x1f) << 15)
+ #define PCIE_CONF_FUNC(fun)                   (((fun) & 0x7)  << 12)
+@@ -456,7 +454,7 @@ static int advk_pcie_rd_conf(struct pci_
+       advk_writel(pcie, reg, PIO_CTRL);
+       /* Program the address registers */
+-      reg = PCIE_BDF(devfn) | PCIE_CONF_REG(where);
++      reg = PCIE_CONF_ADDR(bus->number, devfn, where);
+       advk_writel(pcie, reg, PIO_ADDR_LS);
+       advk_writel(pcie, 0, PIO_ADDR_MS);
diff --git a/queue-4.16/pci-aardvark-use-isr1-instead-of-isr0-interrupt-in-legacy-irq-mode.patch b/queue-4.16/pci-aardvark-use-isr1-instead-of-isr0-interrupt-in-legacy-irq-mode.patch
new file mode 100644 (file)
index 0000000..87c341b
--- /dev/null
@@ -0,0 +1,129 @@
+From 3430f924a62905891c8fa9a3b97ea52007795bc3 Mon Sep 17 00:00:00 2001
+From: Victor Gu <xigu@marvell.com>
+Date: Fri, 6 Apr 2018 16:55:33 +0200
+Subject: PCI: aardvark: Use ISR1 instead of ISR0 interrupt in legacy irq mode
+
+From: Victor Gu <xigu@marvell.com>
+
+commit 3430f924a62905891c8fa9a3b97ea52007795bc3 upstream.
+
+The Aardvark has two interrupts sets:
+
+ - first set is bit[23:16] of PCIe ISR 0 register(RD0074840h)
+
+ - second set is bit[11:8] of PCIe ISR 1 register(RD0074848h)
+
+Only one set should be used, while another set should be masked.
+
+The second set, ISR1, is more advanced, the Legacy INT_X status bit is
+asserted once Assert_INTX message is received, and de-asserted after
+Deassert_INTX message is received which matches what the driver is
+currently doing in the ->irq_mask() and ->irq_unmask() functions.
+
+The ISR0 requires additional work to deassert the interrupt, which the
+driver does not currently implement, therefore it needs fixing.
+
+Update the driver to use ISR1 register set, fixing current
+implementation.
+
+Fixes: 8c39d710363c1 ("PCI: aardvark: Add Aardvark PCI host controller driver")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=196339
+Signed-off-by: Victor Gu <xigu@marvell.com>
+[Thomas: tweak commit log.]
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+[lorenzo.pieralisi@arm.com: updated the commit log]
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Evan Wang <xswang@marvell.com>
+Reviewed-by: Nadav Haklai <nadavh@marvell.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/host/pci-aardvark.c |   43 +++++++++++++++++++++++-----------------
+ 1 file changed, 25 insertions(+), 18 deletions(-)
+
+--- a/drivers/pci/host/pci-aardvark.c
++++ b/drivers/pci/host/pci-aardvark.c
+@@ -100,7 +100,8 @@
+ #define PCIE_ISR1_MASK_REG                    (CONTROL_BASE_ADDR + 0x4C)
+ #define     PCIE_ISR1_POWER_STATE_CHANGE      BIT(4)
+ #define     PCIE_ISR1_FLUSH                   BIT(5)
+-#define     PCIE_ISR1_ALL_MASK                        GENMASK(5, 4)
++#define     PCIE_ISR1_INTX_ASSERT(val)                BIT(8 + (val))
++#define     PCIE_ISR1_ALL_MASK                        GENMASK(11, 4)
+ #define PCIE_MSI_ADDR_LOW_REG                 (CONTROL_BASE_ADDR + 0x50)
+ #define PCIE_MSI_ADDR_HIGH_REG                        (CONTROL_BASE_ADDR + 0x54)
+ #define PCIE_MSI_STATUS_REG                   (CONTROL_BASE_ADDR + 0x58)
+@@ -607,9 +608,9 @@ static void advk_pcie_irq_mask(struct ir
+       irq_hw_number_t hwirq = irqd_to_hwirq(d);
+       u32 mask;
+-      mask = advk_readl(pcie, PCIE_ISR0_MASK_REG);
+-      mask |= PCIE_ISR0_INTX_ASSERT(hwirq);
+-      advk_writel(pcie, mask, PCIE_ISR0_MASK_REG);
++      mask = advk_readl(pcie, PCIE_ISR1_MASK_REG);
++      mask |= PCIE_ISR1_INTX_ASSERT(hwirq);
++      advk_writel(pcie, mask, PCIE_ISR1_MASK_REG);
+ }
+ static void advk_pcie_irq_unmask(struct irq_data *d)
+@@ -618,9 +619,9 @@ static void advk_pcie_irq_unmask(struct
+       irq_hw_number_t hwirq = irqd_to_hwirq(d);
+       u32 mask;
+-      mask = advk_readl(pcie, PCIE_ISR0_MASK_REG);
+-      mask &= ~PCIE_ISR0_INTX_ASSERT(hwirq);
+-      advk_writel(pcie, mask, PCIE_ISR0_MASK_REG);
++      mask = advk_readl(pcie, PCIE_ISR1_MASK_REG);
++      mask &= ~PCIE_ISR1_INTX_ASSERT(hwirq);
++      advk_writel(pcie, mask, PCIE_ISR1_MASK_REG);
+ }
+ static int advk_pcie_irq_map(struct irq_domain *h,
+@@ -763,29 +764,35 @@ static void advk_pcie_handle_msi(struct
+ static void advk_pcie_handle_int(struct advk_pcie *pcie)
+ {
+-      u32 val, mask, status;
++      u32 isr0_val, isr0_mask, isr0_status;
++      u32 isr1_val, isr1_mask, isr1_status;
+       int i, virq;
+-      val = advk_readl(pcie, PCIE_ISR0_REG);
+-      mask = advk_readl(pcie, PCIE_ISR0_MASK_REG);
+-      status = val & ((~mask) & PCIE_ISR0_ALL_MASK);
+-
+-      if (!status) {
+-              advk_writel(pcie, val, PCIE_ISR0_REG);
++      isr0_val = advk_readl(pcie, PCIE_ISR0_REG);
++      isr0_mask = advk_readl(pcie, PCIE_ISR0_MASK_REG);
++      isr0_status = isr0_val & ((~isr0_mask) & PCIE_ISR0_ALL_MASK);
++
++      isr1_val = advk_readl(pcie, PCIE_ISR1_REG);
++      isr1_mask = advk_readl(pcie, PCIE_ISR1_MASK_REG);
++      isr1_status = isr1_val & ((~isr1_mask) & PCIE_ISR1_ALL_MASK);
++
++      if (!isr0_status && !isr1_status) {
++              advk_writel(pcie, isr0_val, PCIE_ISR0_REG);
++              advk_writel(pcie, isr1_val, PCIE_ISR1_REG);
+               return;
+       }
+       /* Process MSI interrupts */
+-      if (status & PCIE_ISR0_MSI_INT_PENDING)
++      if (isr0_status & PCIE_ISR0_MSI_INT_PENDING)
+               advk_pcie_handle_msi(pcie);
+       /* Process legacy interrupts */
+       for (i = 0; i < PCI_NUM_INTX; i++) {
+-              if (!(status & PCIE_ISR0_INTX_ASSERT(i)))
++              if (!(isr1_status & PCIE_ISR1_INTX_ASSERT(i)))
+                       continue;
+-              advk_writel(pcie, PCIE_ISR0_INTX_ASSERT(i),
+-                          PCIE_ISR0_REG);
++              advk_writel(pcie, PCIE_ISR1_INTX_ASSERT(i),
++                          PCIE_ISR1_REG);
+               virq = irq_find_mapping(pcie->irq_domain, i);
+               generic_handle_irq(virq);
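Review bot: `PCIE_ISR1_ALL_MASK` is widened from `GENMASK(5, 4)` to `GENMASK(11, 4)` and `PCIE_ISR1_INTX_ASSERT(val)` is added, with no comment tying either to the register layout. The commit message places the legacy INTx status in ISR1 bits [11:8], so `/* Legacy INTx status: ISR1 bits [11:8] */` above the new macro would document it. The widened mask also takes in bits 6 and 7, for which no named define is visible in this hunk, so it is worth confirming they are meant to be masked and acknowledged along with the rest. advk_pcie_handle_int() continues outside the hunk.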
diff --git a/queue-4.16/pci-pm-do-not-clear-state_saved-in-pci_pm_freeze-when-smart-suspend-is-set.patch b/queue-4.16/pci-pm-do-not-clear-state_saved-in-pci_pm_freeze-when-smart-suspend-is-set.patch
new file mode 100644 (file)
index 0000000..eb3b632
--- /dev/null
@@ -0,0 +1,66 @@
+From ae860a19f37c686e7c5816e96640168b7174a096 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Fri, 20 Apr 2018 15:22:02 +0300
+Subject: PCI / PM: Do not clear state_saved in pci_pm_freeze() when smart suspend is set
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit ae860a19f37c686e7c5816e96640168b7174a096 upstream.
+
+If a driver uses DPM_FLAG_SMART_SUSPEND and the device is already
+runtime suspended when hibernate is started PCI core skips runtime
+resuming the device but still clears pci_dev->state_saved. After the
+hibernation image is written pci_pm_thaw_noirq() makes sure subsequent
+thaw phases for the device are also skipped leaving it runtime suspended
+with pci_dev->state_saved == false.
+
+When the device is eventually runtime resumed pci_pm_runtime_resume()
+restores config space by calling pci_restore_standard_config(), however
+because pci_dev->state_saved == false pci_restore_state() never actually
+restores the config space leaving the device in a state that is not what
+the driver might expect.
+
+For example here is what happens for intel-lpss I2C devices once the
+hibernation snapshot is taken:
+
+  intel-lpss 0000:00:15.0: power state changed by ACPI to D0
+  intel-lpss 0000:00:1e.0: power state changed by ACPI to D3cold
+  video LNXVIDEO:00: Restoring backlight state
+  PM: hibernation exit
+  i2c_designware i2c_designware.1: Unknown Synopsys component type: 0xffffffff
+  i2c_designware i2c_designware.0: Unknown Synopsys component type: 0xffffffff
+  i2c_designware i2c_designware.1: timeout in disabling adapter
+  i2c_designware i2c_designware.0: timeout in disabling adapter
+
+Since PCI config space is not restored the device is still in D3hot
+making MMIO register reads return 0xffffffff.
+
+Fix this by clearing pci_dev->state_saved only if we actually end up
+runtime resuming the device.
+
+Fixes: c4b65157aeef (PCI / PM: Take SMART_SUSPEND driver flag into account)
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Cc: 4.15+ <stable@vger.kernel.org> # 4.15+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pci-driver.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/pci-driver.c
++++ b/drivers/pci/pci-driver.c
+@@ -945,10 +945,11 @@ static int pci_pm_freeze(struct device *
+        * devices should not be touched during freeze/thaw transitions,
+        * however.
+        */
+-      if (!dev_pm_test_driver_flags(dev, DPM_FLAG_SMART_SUSPEND))
++      if (!dev_pm_smart_suspend_and_suspended(dev)) {
+               pm_runtime_resume(dev);
++              pci_dev->state_saved = false;
++      }
+-      pci_dev->state_saved = false;
+       if (pm->freeze) {
+               int error;
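Review bot: The new block in pci_pm_freeze() clears `pci_dev->state_saved` only when the device is actually runtime-resumed, but the comment above it (partly visible in the hunk) is not extended to explain this. The reason is in the commit message: a device left runtime-suspended must keep state_saved set, otherwise the later runtime resume skips restoring config space. I would add inside the branch: `/* Only invalidate the saved state if we really resumed the device; a device left suspended needs it on runtime resume. */`. The function starts and ends outside the hunk.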
diff --git a/queue-4.16/powerpc-mce-fix-a-bug-where-mce-loops-on-memory-ue.patch b/queue-4.16/powerpc-mce-fix-a-bug-where-mce-loops-on-memory-ue.patch
new file mode 100644 (file)
index 0000000..2d11061
--- /dev/null
@@ -0,0 +1,104 @@
+From 75ecfb49516c53da00c57b9efe48fa3f5504a791 Mon Sep 17 00:00:00 2001
+From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+Date: Mon, 23 Apr 2018 10:29:27 +0530
+Subject: powerpc/mce: Fix a bug where mce loops on memory UE.
+
+From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+
+commit 75ecfb49516c53da00c57b9efe48fa3f5504a791 upstream.
+
+The current code extracts the physical address for UE errors and then
+hooks it up into memory failure infrastructure. On successful
+extraction of physical address it wrongly sets "handled = 1" which
+means this UE error has been recovered. Since MCE handler gets return
+value as handled = 1, it assumes that error has been recovered and
+goes back to same NIP. This causes MCE interrupt again and again in a
+loop leading to hard lockup.
+
+Also, initialize phys_addr to ULONG_MAX so that we don't end up
+queuing undesired page to hwpoison.
+
+Without this patch we see:
+  Severe Machine check interrupt [Recovered]
+    NIP: [000000001002588c] PID: 7109 Comm: find
+    Initiator: CPU
+    Error type: UE [Load/Store]
+      Effective address: 00007fffd2755940
+      Physical address:  000020181a080000
+  ...
+  Severe Machine check interrupt [Recovered]
+    NIP: [000000001002588c] PID: 7109 Comm: find
+    Initiator: CPU
+    Error type: UE [Load/Store]
+      Effective address: 00007fffd2755940
+      Physical address:  000020181a080000
+  Severe Machine check interrupt [Recovered]
+    NIP: [000000001002588c] PID: 7109 Comm: find
+    Initiator: CPU
+    Error type: UE [Load/Store]
+      Effective address: 00007fffd2755940
+      Physical address:  000020181a080000
+  Memory failure: 0x20181a08: recovery action for dirty LRU page: Recovered
+  Memory failure: 0x20181a08: already hardware poisoned
+  Memory failure: 0x20181a08: already hardware poisoned
+  Memory failure: 0x20181a08: already hardware poisoned
+  Memory failure: 0x20181a08: already hardware poisoned
+  Memory failure: 0x20181a08: already hardware poisoned
+  Memory failure: 0x20181a08: already hardware poisoned
+  ...
+  Watchdog CPU:38 Hard LOCKUP
+
+After this patch we see:
+
+  Severe Machine check interrupt [Not recovered]
+    NIP: [00007fffaae585f4] PID: 7168 Comm: find
+    Initiator: CPU
+    Error type: UE [Load/Store]
+      Effective address: 00007fffaafe28ac
+      Physical address:  00002017c0bd0000
+  find[7168]: unhandled signal 7 at 00007fffaae585f4 nip 00007fffaae585f4 lr 00007fffaae585e0 code 4
+  Memory failure: 0x2017c0bd: recovery action for dirty LRU page: Recovered
+
+Fixes: 01eaac2b0591 ("powerpc/mce: Hookup ierror (instruction) UE errors")
+Fixes: ba41e1e1ccb9 ("powerpc/mce: Hookup derror (load/store) UE errors")
+Cc: stable@vger.kernel.org # v4.15+
+Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+Signed-off-by: Balbir Singh <bsingharora@gmail.com>
+Reviewed-by: Balbir Singh <bsingharora@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/mce_power.c |    7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/arch/powerpc/kernel/mce_power.c
++++ b/arch/powerpc/kernel/mce_power.c
+@@ -441,7 +441,6 @@ static int mce_handle_ierror(struct pt_r
+                                       if (pfn != ULONG_MAX) {
+                                               *phys_addr =
+                                                       (pfn << PAGE_SHIFT);
+-                                              handled = 1;
+                                       }
+                               }
+                       }
+@@ -532,9 +531,7 @@ static int mce_handle_derror(struct pt_r
+                        * kernel/exception-64s.h
+                        */
+                       if (get_paca()->in_mce < MAX_MCE_DEPTH)
+-                              if (!mce_find_instr_ea_and_pfn(regs, addr,
+-                                                              phys_addr))
+-                                      handled = 1;
++                              mce_find_instr_ea_and_pfn(regs, addr, phys_addr);
+               }
+               found = 1;
+       }
+@@ -572,7 +569,7 @@ static long mce_handle_error(struct pt_r
+               const struct mce_ierror_table itable[])
+ {
+       struct mce_error_info mce_err = { 0 };
+-      uint64_t addr, phys_addr;
++      uint64_t addr, phys_addr = ULONG_MAX;
+       uint64_t srr1 = regs->msr;
+       long handled;
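Review bot: In the mce_handle_derror hunk the result of `mce_find_instr_ea_and_pfn(regs, addr, phys_addr)` is now dropped without a comment, so a later reader may be tempted to restore the `handled = 1` assignment that caused the MCE loop. A short comment above the call would record the intent: `/* UE is never marked handled here; phys_addr stays ULONG_MAX if the lookup fails */`. The second half of that comment relies on the new `phys_addr = ULONG_MAX` initialiser in mce_handle_error and on the callee leaving phys_addr untouched on failure, which the hunks do not show, so it should be confirmed. All three functions start and end outside the hunks.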
diff --git a/queue-4.16/powerpc-mm-flush-cache-on-memory-hot-un-plug.patch b/queue-4.16/powerpc-mm-flush-cache-on-memory-hot-un-plug.patch
new file mode 100644 (file)
index 0000000..8dc1850
--- /dev/null
@@ -0,0 +1,59 @@
+From fb5924fddf9ee31db04da7ad4e8c3434a387101b Mon Sep 17 00:00:00 2001
+From: Balbir Singh <bsingharora@gmail.com>
+Date: Fri, 6 Apr 2018 15:24:23 +1000
+Subject: powerpc/mm: Flush cache on memory hot(un)plug
+
+From: Balbir Singh <bsingharora@gmail.com>
+
+commit fb5924fddf9ee31db04da7ad4e8c3434a387101b upstream.
+
+This patch adds support for flushing potentially dirty cache lines
+when memory is hot-plugged/hot-un-plugged. The support is currently
+limited to 64 bit systems.
+
+The bug was exposed when mappings for a device were actually
+hot-unplugged and plugged in back later. A similar issue was observed
+during the development of memtrace, but memtrace does it's own
+flushing of region via a custom routine.
+
+These patches do a flush both on hotplug/unplug to clear any stale
+data in the cache w.r.t mappings, there is a small race window where a
+clean cache line may be created again just prior to tearing down the
+mapping.
+
+The patches were tested by disabling the flush routines in memtrace
+and doing I/O on the trace file. The system immediately
+checkstops (quite reliablly if prior to the hot-unplug of the memtrace
+region, we memset the regions we are about to hot unplug). After these
+patches no custom flushing is needed in the memtrace code.
+
+Fixes: 9d5171a8f248 ("powerpc/powernv: Enable removal of memory for in memory tracing")
+Cc: stable@vger.kernel.org # v4.14+
+Signed-off-by: Balbir Singh <bsingharora@gmail.com>
+Acked-by: Reza Arbab <arbab@linux.ibm.com>
+Reviewed-by: Rashmica Gupta <rashmica.g@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/mem.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/powerpc/mm/mem.c
++++ b/arch/powerpc/mm/mem.c
+@@ -143,6 +143,7 @@ int arch_add_memory(int nid, u64 start,
+                       start, start + size, rc);
+               return -EFAULT;
+       }
++      flush_inval_dcache_range(start, start + size);
+       return __add_pages(nid, start_pfn, nr_pages, altmap, want_memblock);
+ }
+@@ -169,6 +170,7 @@ int arch_remove_memory(u64 start, u64 si
+       /* Remove htab bolted mappings for this section of memory */
+       start = (unsigned long)__va(start);
++      flush_inval_dcache_range(start, start + size);
+       ret = remove_section_mapping(start, start + size);
+       /* Ensure all vmalloc mappings are flushed in case they also
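Review bot: Neither added `flush_inval_dcache_range(start, start + size)` call carries a comment, although the commit message admits a residual race in which a clean cache line can be created again just before the mapping is torn down. I would record that at the arch_remove_memory site, e.g. `/* Flush stale lines before unmapping; a clean line may still be refetched until the mapping is gone */`. The calls also cover the whole hot-plugged range in one go; whether flush_inval_dcache_range yields on large ranges is not visible here and is worth checking for very large regions. Both function bodies extend outside the hunks.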
diff --git a/queue-4.16/powerpc-powernv-npu-do-a-pid-gpu-tlb-flush-when-invalidating-a-large-address-range.patch b/queue-4.16/powerpc-powernv-npu-do-a-pid-gpu-tlb-flush-when-invalidating-a-large-address-range.patch
new file mode 100644 (file)
index 0000000..212e23c
--- /dev/null
@@ -0,0 +1,73 @@
+From d0cf9b561ca97d5245bb9e0c4774b7fadd897d67 Mon Sep 17 00:00:00 2001
+From: Alistair Popple <alistair@popple.id.au>
+Date: Tue, 17 Apr 2018 19:11:28 +1000
+Subject: powerpc/powernv/npu: Do a PID GPU TLB flush when invalidating a large address range
+
+From: Alistair Popple <alistair@popple.id.au>
+
+commit d0cf9b561ca97d5245bb9e0c4774b7fadd897d67 upstream.
+
+The NPU has a limited number of address translation shootdown (ATSD)
+registers and the GPU has limited bandwidth to process ATSDs. This can
+result in contention of ATSD registers leading to soft lockups on some
+threads, particularly when invalidating a large address range in
+pnv_npu2_mn_invalidate_range().
+
+At some threshold it becomes more efficient to flush the entire GPU
+TLB for the given MM context (PID) than individually flushing each
+address in the range. This patch will result in ranges greater than
+2MB being converted from 32+ ATSDs into a single ATSD which will flush
+the TLB for the given PID on each GPU.
+
+Fixes: 1ab66d1fbada ("powerpc/powernv: Introduce address translation services for Nvlink2")
+Cc: stable@vger.kernel.org # v4.12+
+Signed-off-by: Alistair Popple <alistair@popple.id.au>
+Acked-by: Balbir Singh <bsingharora@gmail.com>
+Tested-by: Balbir Singh <bsingharora@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/powernv/npu-dma.c |   23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+--- a/arch/powerpc/platforms/powernv/npu-dma.c
++++ b/arch/powerpc/platforms/powernv/npu-dma.c
+@@ -34,6 +34,13 @@
+ #define npu_to_phb(x) container_of(x, struct pnv_phb, npu)
+ /*
++ * When an address shootdown range exceeds this threshold we invalidate the
++ * entire TLB on the GPU for the given PID rather than each specific address in
++ * the range.
++ */
++#define ATSD_THRESHOLD (2*1024*1024)
++
++/*
+  * Other types of TCE cache invalidation are not functional in the
+  * hardware.
+  */
+@@ -627,11 +634,19 @@ static void pnv_npu2_mn_invalidate_range
+       struct npu_context *npu_context = mn_to_npu_context(mn);
+       unsigned long address;
+-      for (address = start; address < end; address += PAGE_SIZE)
+-              mmio_invalidate(npu_context, 1, address, false);
++      if (end - start > ATSD_THRESHOLD) {
++              /*
++               * Just invalidate the entire PID if the address range is too
++               * large.
++               */
++              mmio_invalidate(npu_context, 0, 0, true);
++      } else {
++              for (address = start; address < end; address += PAGE_SIZE)
++                      mmio_invalidate(npu_context, 1, address, false);
+-      /* Do the flush only on the final addess == end */
+-      mmio_invalidate(npu_context, 1, address, true);
++              /* Do the flush only on the final addess == end */
++              mmio_invalidate(npu_context, 1, address, true);
++      }
+ }
+ static const struct mmu_notifier_ops nv_nmmu_notifier_ops = {
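Review bot: `ATSD_THRESHOLD` is a byte count written as `(2*1024*1024)`, while the cost it stands for is the number of per-page ATSDs, which depends on PAGE_SIZE; the "32+ ATSDs" figure in the commit message only holds for 64K pages. The comment above the define should say that the unit is bytes and which page size the break-even was presumably chosen for, and `SZ_2M` would read better if <linux/sizes.h> is reachable from this file (the includes are not visible in the hunk). In pnv_npu2_mn_invalidate_range the comparison `end - start > ATSD_THRESHOLD` is unsigned, so a caller passing end < start would take the full-PID path, which over-invalidates and is therefore the safe direction. The function starts outside the hunk.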
diff --git a/queue-4.16/rtc-opal-fix-opal-rtc-driver-opal_busy-loops.patch b/queue-4.16/rtc-opal-fix-opal-rtc-driver-opal_busy-loops.patch
new file mode 100644 (file)
index 0000000..0d09c39
--- /dev/null
@@ -0,0 +1,116 @@
+From 682e6b4da5cbe8e9a53f979a58c2a9d7dc997175 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Tue, 10 Apr 2018 21:49:32 +1000
+Subject: rtc: opal: Fix OPAL RTC driver OPAL_BUSY loops
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit 682e6b4da5cbe8e9a53f979a58c2a9d7dc997175 upstream.
+
+The OPAL RTC driver does not sleep in case it gets OPAL_BUSY or
+OPAL_BUSY_EVENT from firmware, which causes large scheduling
+latencies, up to 50 seconds have been observed here when RTC stops
+responding (BMC reboot can do it).
+
+Fix this by converting it to the standard form OPAL_BUSY loop that
+sleeps.
+
+Fixes: 628daa8d5abf ("powerpc/powernv: Add RTC and NVRAM support plus RTAS fallbacks")
+Cc: stable@vger.kernel.org # v3.2+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Acked-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/powernv/opal-rtc.c |    8 ++++--
+ drivers/rtc/rtc-opal.c                    |   37 ++++++++++++++++++------------
+ 2 files changed, 28 insertions(+), 17 deletions(-)
+
+--- a/arch/powerpc/platforms/powernv/opal-rtc.c
++++ b/arch/powerpc/platforms/powernv/opal-rtc.c
+@@ -48,10 +48,12 @@ unsigned long __init opal_get_boot_time(
+       while (rc == OPAL_BUSY || rc == OPAL_BUSY_EVENT) {
+               rc = opal_rtc_read(&__y_m_d, &__h_m_s_ms);
+-              if (rc == OPAL_BUSY_EVENT)
++              if (rc == OPAL_BUSY_EVENT) {
++                      mdelay(OPAL_BUSY_DELAY_MS);
+                       opal_poll_events(NULL);
+-              else if (rc == OPAL_BUSY)
+-                      mdelay(10);
++              } else if (rc == OPAL_BUSY) {
++                      mdelay(OPAL_BUSY_DELAY_MS);
++              }
+       }
+       if (rc != OPAL_SUCCESS)
+               return 0;
+--- a/drivers/rtc/rtc-opal.c
++++ b/drivers/rtc/rtc-opal.c
+@@ -57,7 +57,7 @@ static void tm_to_opal(struct rtc_time *
+ static int opal_get_rtc_time(struct device *dev, struct rtc_time *tm)
+ {
+-      long rc = OPAL_BUSY;
++      s64 rc = OPAL_BUSY;
+       int retries = 10;
+       u32 y_m_d;
+       u64 h_m_s_ms;
+@@ -66,13 +66,17 @@ static int opal_get_rtc_time(struct devi
+       while (rc == OPAL_BUSY || rc == OPAL_BUSY_EVENT) {
+               rc = opal_rtc_read(&__y_m_d, &__h_m_s_ms);
+-              if (rc == OPAL_BUSY_EVENT)
++              if (rc == OPAL_BUSY_EVENT) {
++                      msleep(OPAL_BUSY_DELAY_MS);
+                       opal_poll_events(NULL);
+-              else if (retries-- && (rc == OPAL_HARDWARE
+-                                     || rc == OPAL_INTERNAL_ERROR))
+-                      msleep(10);
+-              else if (rc != OPAL_BUSY && rc != OPAL_BUSY_EVENT)
+-                      break;
++              } else if (rc == OPAL_BUSY) {
++                      msleep(OPAL_BUSY_DELAY_MS);
++              } else if (rc == OPAL_HARDWARE || rc == OPAL_INTERNAL_ERROR) {
++                      if (retries--) {
++                              msleep(10); /* Wait 10ms before retry */
++                              rc = OPAL_BUSY; /* go around again */
++                      }
++              }
+       }
+       if (rc != OPAL_SUCCESS)
+@@ -87,21 +91,26 @@ static int opal_get_rtc_time(struct devi
+ static int opal_set_rtc_time(struct device *dev, struct rtc_time *tm)
+ {
+-      long rc = OPAL_BUSY;
++      s64 rc = OPAL_BUSY;
+       int retries = 10;
+       u32 y_m_d = 0;
+       u64 h_m_s_ms = 0;
+       tm_to_opal(tm, &y_m_d, &h_m_s_ms);
++
+       while (rc == OPAL_BUSY || rc == OPAL_BUSY_EVENT) {
+               rc = opal_rtc_write(y_m_d, h_m_s_ms);
+-              if (rc == OPAL_BUSY_EVENT)
++              if (rc == OPAL_BUSY_EVENT) {
++                      msleep(OPAL_BUSY_DELAY_MS);
+                       opal_poll_events(NULL);
+-              else if (retries-- && (rc == OPAL_HARDWARE
+-                                     || rc == OPAL_INTERNAL_ERROR))
+-                      msleep(10);
+-              else if (rc != OPAL_BUSY && rc != OPAL_BUSY_EVENT)
+-                      break;
++              } else if (rc == OPAL_BUSY) {
++                      msleep(OPAL_BUSY_DELAY_MS);
++              } else if (rc == OPAL_HARDWARE || rc == OPAL_INTERNAL_ERROR) {
++                      if (retries--) {
++                              msleep(10); /* Wait 10ms before retry */
++                              rc = OPAL_BUSY; /* go around again */
++                      }
++              }
+       }
+       return rc == OPAL_SUCCESS ? 0 : -EIO;
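Review bot: After this change the `rc == OPAL_BUSY` and `rc == OPAL_BUSY_EVENT` branches in opal_get_rtc_time() and opal_set_rtc_time() sleep and retry without any bound; `retries` is only consumed on OPAL_HARDWARE / OPAL_INTERNAL_ERROR. The commit message reports the RTC staying unresponsive for tens of seconds during a BMC reboot, so callers can block for as long as firmware keeps answering busy. If that is intended it deserves a comment on the loop; otherwise a deadline check such as `if (time_after(jiffies, deadline)) break;` at the top of the loop body would cap the wait and still return -EIO through the existing `rc != OPAL_SUCCESS` path. The bare `msleep(10)` in the error branch could also use a named constant next to `OPAL_BUSY_DELAY_MS`. The same unbounded wait applies to the mdelay loop in opal_get_boot_time(), whose body starts outside the hunk.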
index c94945cdb4c369c84fc526e1b287367c3593597c..e5e8d1a915064da8a6617c50ff722691fccc431d 100644 (file)
@@ -64,3 +64,43 @@ blk-mq-start-request-gstate-with-gen-1.patch
 bfq-iosched-ensure-to-clear-bic-bfqq-pointers-when-preparing-request.patch
 block-do-not-use-interruptible-wait-anywhere.patch
 vfio-ccw-process-ssch-with-interrupts-disabled.patch
+smb311-fix-reconnect.patch
+android-binder-prevent-transactions-into-own-process.patch
+pci-aardvark-fix-logic-in-advk_pcie_-rd-wr-_conf.patch
+pci-aardvark-set-pio_addr_ls-correctly-in-advk_pcie_rd_conf.patch
+pci-aardvark-use-isr1-instead-of-isr0-interrupt-in-legacy-irq-mode.patch
+pci-aardvark-fix-pcie-max-read-request-size-setting.patch
+arm-amba-make-driver_override-output-consistent-with-other-buses.patch
+arm-amba-fix-race-condition-with-driver_override.patch
+arm-amba-don-t-read-past-the-end-of-sysfs-driver_override-buffer.patch
+arm-dts-fix-nas4220b-pin-config.patch
+arm-socfpga_defconfig-remove-qspi-sector-4k-size-force.patch
+kvm-arm-arm64-close-vmid-generation-race.patch
+slimbus-fix-out-of-bounds-access-in-slim_slicesize.patch
+powerpc-mm-flush-cache-on-memory-hot-un-plug.patch
+powerpc-mce-fix-a-bug-where-mce-loops-on-memory-ue.patch
+powerpc-powernv-npu-do-a-pid-gpu-tlb-flush-when-invalidating-a-large-address-range.patch
+crypto-drbg-set-freed-buffers-to-null.patch
+asoc-dmic-fix-clock-parenting.patch
+asoc-fsl_esai-fix-divisor-calculation-failure-at-lower-ratio.patch
+libceph-un-backoff-on-tick-when-we-have-a-authenticated-session.patch
+libceph-reschedule-a-tick-in-finish_hunting.patch
+libceph-validate-con-state-at-the-top-of-try_write.patch
+pci-pm-do-not-clear-state_saved-in-pci_pm_freeze-when-smart-suspend-is-set.patch
+virt-vbox-move-declarations-of-vboxguest-private-functions-to-private-header.patch
+virt-vbox-add-vbg_req_free-helper-function.patch
+virt-vbox-use-__get_free_pages-instead-of-kmalloc-for-dma32-memory.patch
+fpga-manager-altera-ps-spi-preserve-nconfig-state.patch
+module-fix-display-of-wrong-module-.text-address.patch
+earlycon-use-a-pointer-table-to-fix-__earlycon_table-stride.patch
+cpufreq-powernv-fix-hardlockup-due-to-synchronous-smp_call-in-timer-interrupt.patch
+rtc-opal-fix-opal-rtc-driver-opal_busy-loops.patch
+drm-edid-reset-more-of-the-display-info.patch
+drm-amdgpu-set-compute_pgm_rsrc1-for-sgpr-vgpr-clearing-shaders.patch
+drm-i915-fbdev-enable-late-fbdev-initial-configuration.patch
+drm-i915-audio-set-minimum-cd-clock-to-twice-the-bclk.patch
+drm-i915-enable-display-wa-1183-from-its-correct-spot.patch
+drm-amd-display-fix-deadlock-when-flushing-irq.patch
+drm-amd-display-don-t-read-edid-in-atomic_check.patch
+drm-amd-display-disallow-enabling-crtc-without-primary-plane-with-fb.patch
+objtool-perf-fix-gcc-8-wrestrict-error.patch
diff --git a/queue-4.16/slimbus-fix-out-of-bounds-access-in-slim_slicesize.patch b/queue-4.16/slimbus-fix-out-of-bounds-access-in-slim_slicesize.patch
new file mode 100644 (file)
index 0000000..dd1ab7b
--- /dev/null
@@ -0,0 +1,43 @@
+From e33bbe69149b802c0c77bfb822685772f85388ca Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Sun, 8 Apr 2018 11:02:34 +0200
+Subject: slimbus: Fix out-of-bounds access in slim_slicesize()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+commit e33bbe69149b802c0c77bfb822685772f85388ca upstream.
+
+With gcc-4.1.2:
+
+    slimbus/messaging.c: In function ‘slim_slicesize’:
+    slimbus/messaging.c:186: warning: statement with no effect
+
+Indeed, clamp() is a macro not operating in-place, but returning the
+clamped value.  Hence the value is not clamped at all, which may lead to
+an out-of-bounds access.
+
+Fix this by assigning the clamped value.
+
+Fixes: afbdcc7c384b0d44 ("slimbus: Add messaging APIs to slimbus framework")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/slimbus/messaging.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/slimbus/messaging.c
++++ b/drivers/slimbus/messaging.c
+@@ -183,7 +183,7 @@ static u16 slim_slicesize(int code)
+               0, 1, 2, 3, 3, 4, 4, 5, 5, 5, 5, 6, 6, 6, 6, 7
+       };
+-      clamp(code, 1, (int)ARRAY_SIZE(sizetocode));
++      code = clamp(code, 1, (int)ARRAY_SIZE(sizetocode));
+       return sizetocode[code - 1];
+ }
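Review bot: slim_slicesize() now silently maps any out-of-range `code` to the first or last entry of `sizetocode`, and nothing at the call says so. A one-line comment above the clamp would document that choice: `/* Out-of-range codes are clamped to the table bounds, not rejected */`. Since the original bug was a discarded macro result that only an old compiler warned about, it may be worth checking whether the build enables an unused-value warning for this directory. The start of the function and of the table is outside the hunk.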
diff --git a/queue-4.16/smb311-fix-reconnect.patch b/queue-4.16/smb311-fix-reconnect.patch
new file mode 100644 (file)
index 0000000..7096896
--- /dev/null
@@ -0,0 +1,44 @@
+From 0d5ec281c0175d10f8d9be4d4a9c5fb37767ed00 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Sun, 22 Apr 2018 19:51:22 -0500
+Subject: SMB311: Fix reconnect
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 0d5ec281c0175d10f8d9be4d4a9c5fb37767ed00 upstream.
+
+The preauth hash was not being recalculated properly on reconnect
+of SMB3.11 dialect mounts (which caused access denied repeatedly
+on auto-reconnect).
+
+Fixes: 8bd68c6e47ab ("CIFS: implement v3.11 preauth integrity")
+
+Signed-off-by: Steve French <smfrench@gmail.com>
+CC: Stable <stable@vger.kernel.org>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/transport.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/transport.c
++++ b/fs/cifs/transport.c
+@@ -753,7 +753,7 @@ cifs_send_recv(const unsigned int xid, s
+               goto out;
+ #ifdef CONFIG_CIFS_SMB311
+-      if (ses->status == CifsNew)
++      if ((ses->status == CifsNew) || (optype & CIFS_NEG_OP))
+               smb311_update_preauth_hash(ses, rqst->rq_iov+1,
+                                          rqst->rq_nvec-1);
+ #endif
+@@ -797,7 +797,7 @@ cifs_send_recv(const unsigned int xid, s
+               *resp_buf_type = CIFS_SMALL_BUFFER;
+ #ifdef CONFIG_CIFS_SMB311
+-      if (ses->status == CifsNew) {
++      if ((ses->status == CifsNew) || (optype & CIFS_NEG_OP)) {
+               struct kvec iov = {
+                       .iov_base = buf + 4,
+                       .iov_len = get_rfc1002_length(buf)
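Review bot: The test `(ses->status == CifsNew) || (optype & CIFS_NEG_OP)` is now spelled out twice in cifs_send_recv(), once before the request is hashed and once before the response is hashed. The preauth integrity hash is only correct if both sides are fed for exactly the same exchanges, so the two copies must never drift; factoring the test into one small helper or macro used at both sites would enforce that. A comment at the first site would also help, e.g. `/* negotiate must update the preauth hash on reconnect too, when ses->status is no longer CifsNew */` (the status value on reconnect is inferred from the commit message, not shown here). cifs_send_recv() begins and ends outside both hunks.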
diff --git a/queue-4.16/virt-vbox-add-vbg_req_free-helper-function.patch b/queue-4.16/virt-vbox-add-vbg_req_free-helper-function.patch
new file mode 100644 (file)
index 0000000..bb487df
--- /dev/null
@@ -0,0 +1,261 @@
+From f6f9885b0531163f72c7bf898a0ab1ba4c7d5de6 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 18 Apr 2018 15:24:48 +0200
+Subject: virt: vbox: Add vbg_req_free() helper function
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit f6f9885b0531163f72c7bf898a0ab1ba4c7d5de6 upstream.
+
+This is a preparation patch for fixing issues on x86_64 virtual-machines
+with more then 4G of RAM, atm we pass __GFP_DMA32 to kmalloc, but kmalloc
+does not honor that, so we need to switch to get_pages, which means we
+will not be able to use kfree to free memory allocated with vbg_alloc_req.
+
+While at it also remove a comment on a vbg_alloc_req call which talks
+about Windows (inherited from the vbox upstream cross-platform code).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virt/vboxguest/vboxguest_core.c  |   66 ++++++++++++++++---------------
+ drivers/virt/vboxguest/vboxguest_core.h  |    1 
+ drivers/virt/vboxguest/vboxguest_utils.c |   14 +++++-
+ 3 files changed, 47 insertions(+), 34 deletions(-)
+
+--- a/drivers/virt/vboxguest/vboxguest_core.c
++++ b/drivers/virt/vboxguest/vboxguest_core.c
+@@ -114,7 +114,7 @@ static void vbg_guest_mappings_init(stru
+       }
+ out:
+-      kfree(req);
++      vbg_req_free(req, sizeof(*req));
+       kfree(pages);
+ }
+@@ -144,7 +144,7 @@ static void vbg_guest_mappings_exit(stru
+       rc = vbg_req_perform(gdev, req);
+-      kfree(req);
++      vbg_req_free(req, sizeof(*req));
+       if (rc < 0) {
+               vbg_err("%s error: %d\n", __func__, rc);
+@@ -214,8 +214,8 @@ static int vbg_report_guest_info(struct
+       ret = vbg_status_code_to_errno(rc);
+ out_free:
+-      kfree(req2);
+-      kfree(req1);
++      vbg_req_free(req2, sizeof(*req2));
++      vbg_req_free(req1, sizeof(*req1));
+       return ret;
+ }
+@@ -245,7 +245,7 @@ static int vbg_report_driver_status(stru
+       if (rc == VERR_NOT_IMPLEMENTED) /* Compatibility with older hosts. */
+               rc = VINF_SUCCESS;
+-      kfree(req);
++      vbg_req_free(req, sizeof(*req));
+       return vbg_status_code_to_errno(rc);
+ }
+@@ -431,7 +431,7 @@ static int vbg_heartbeat_host_config(str
+       rc = vbg_req_perform(gdev, req);
+       do_div(req->interval_ns, 1000000); /* ns -> ms */
+       gdev->heartbeat_interval_ms = req->interval_ns;
+-      kfree(req);
++      vbg_req_free(req, sizeof(*req));
+       return vbg_status_code_to_errno(rc);
+ }
+@@ -454,12 +454,6 @@ static int vbg_heartbeat_init(struct vbg
+       if (ret < 0)
+               return ret;
+-      /*
+-       * Preallocate the request to use it from the timer callback because:
+-       *    1) on Windows vbg_req_alloc must be called at IRQL <= APC_LEVEL
+-       *       and the timer callback runs at DISPATCH_LEVEL;
+-       *    2) avoid repeated allocations.
+-       */
+       gdev->guest_heartbeat_req = vbg_req_alloc(
+                                       sizeof(*gdev->guest_heartbeat_req),
+                                       VMMDEVREQ_GUEST_HEARTBEAT);
+@@ -481,8 +475,8 @@ static void vbg_heartbeat_exit(struct vb
+ {
+       del_timer_sync(&gdev->heartbeat_timer);
+       vbg_heartbeat_host_config(gdev, false);
+-      kfree(gdev->guest_heartbeat_req);
+-
++      vbg_req_free(gdev->guest_heartbeat_req,
++                   sizeof(*gdev->guest_heartbeat_req));
+ }
+ /**
+@@ -543,7 +537,7 @@ static int vbg_reset_host_event_filter(s
+       if (rc < 0)
+               vbg_err("%s error, rc: %d\n", __func__, rc);
+-      kfree(req);
++      vbg_req_free(req, sizeof(*req));
+       return vbg_status_code_to_errno(rc);
+ }
+@@ -617,7 +611,7 @@ static int vbg_set_session_event_filter(
+ out:
+       mutex_unlock(&gdev->session_mutex);
+-      kfree(req);
++      vbg_req_free(req, sizeof(*req));
+       return ret;
+ }
+@@ -642,7 +636,7 @@ static int vbg_reset_host_capabilities(s
+       if (rc < 0)
+               vbg_err("%s error, rc: %d\n", __func__, rc);
+-      kfree(req);
++      vbg_req_free(req, sizeof(*req));
+       return vbg_status_code_to_errno(rc);
+ }
+@@ -712,7 +706,7 @@ static int vbg_set_session_capabilities(
+ out:
+       mutex_unlock(&gdev->session_mutex);
+-      kfree(req);
++      vbg_req_free(req, sizeof(*req));
+       return ret;
+ }
+@@ -749,7 +743,7 @@ static int vbg_query_host_version(struct
+       }
+ out:
+-      kfree(req);
++      vbg_req_free(req, sizeof(*req));
+       return ret;
+ }
+@@ -847,11 +841,16 @@ int vbg_core_init(struct vbg_dev *gdev,
+       return 0;
+ err_free_reqs:
+-      kfree(gdev->mouse_status_req);
+-      kfree(gdev->ack_events_req);
+-      kfree(gdev->cancel_req);
+-      kfree(gdev->mem_balloon.change_req);
+-      kfree(gdev->mem_balloon.get_req);
++      vbg_req_free(gdev->mouse_status_req,
++                   sizeof(*gdev->mouse_status_req));
++      vbg_req_free(gdev->ack_events_req,
++                   sizeof(*gdev->ack_events_req));
++      vbg_req_free(gdev->cancel_req,
++                   sizeof(*gdev->cancel_req));
++      vbg_req_free(gdev->mem_balloon.change_req,
++                   sizeof(*gdev->mem_balloon.change_req));
++      vbg_req_free(gdev->mem_balloon.get_req,
++                   sizeof(*gdev->mem_balloon.get_req));
+       return ret;
+ }
+@@ -872,11 +871,16 @@ void vbg_core_exit(struct vbg_dev *gdev)
+       vbg_reset_host_capabilities(gdev);
+       vbg_core_set_mouse_status(gdev, 0);
+-      kfree(gdev->mouse_status_req);
+-      kfree(gdev->ack_events_req);
+-      kfree(gdev->cancel_req);
+-      kfree(gdev->mem_balloon.change_req);
+-      kfree(gdev->mem_balloon.get_req);
++      vbg_req_free(gdev->mouse_status_req,
++                   sizeof(*gdev->mouse_status_req));
++      vbg_req_free(gdev->ack_events_req,
++                   sizeof(*gdev->ack_events_req));
++      vbg_req_free(gdev->cancel_req,
++                   sizeof(*gdev->cancel_req));
++      vbg_req_free(gdev->mem_balloon.change_req,
++                   sizeof(*gdev->mem_balloon.change_req));
++      vbg_req_free(gdev->mem_balloon.get_req,
++                   sizeof(*gdev->mem_balloon.get_req));
+ }
+ /**
+@@ -1415,7 +1419,7 @@ static int vbg_ioctl_write_core_dump(str
+       req->flags = dump->u.in.flags;
+       dump->hdr.rc = vbg_req_perform(gdev, req);
+-      kfree(req);
++      vbg_req_free(req, sizeof(*req));
+       return 0;
+ }
+@@ -1513,7 +1517,7 @@ int vbg_core_set_mouse_status(struct vbg
+       if (rc < 0)
+               vbg_err("%s error, rc: %d\n", __func__, rc);
+-      kfree(req);
++      vbg_req_free(req, sizeof(*req));
+       return vbg_status_code_to_errno(rc);
+ }
+--- a/drivers/virt/vboxguest/vboxguest_core.h
++++ b/drivers/virt/vboxguest/vboxguest_core.h
+@@ -173,6 +173,7 @@ void vbg_linux_mouse_event(struct vbg_de
+ /* Private (non exported) functions form vboxguest_utils.c */
+ void *vbg_req_alloc(size_t len, enum vmmdev_request_type req_type);
++void vbg_req_free(void *req, size_t len);
+ int vbg_req_perform(struct vbg_dev *gdev, void *req);
+ int vbg_hgcm_call32(
+       struct vbg_dev *gdev, u32 client_id, u32 function, u32 timeout_ms,
+--- a/drivers/virt/vboxguest/vboxguest_utils.c
++++ b/drivers/virt/vboxguest/vboxguest_utils.c
+@@ -82,6 +82,14 @@ void *vbg_req_alloc(size_t len, enum vmm
+       return req;
+ }
++void vbg_req_free(void *req, size_t len)
++{
++      if (!req)
++              return;
++
++      kfree(req);
++}
++
+ /* Note this function returns a VBox status code, not a negative errno!! */
+ int vbg_req_perform(struct vbg_dev *gdev, void *req)
+ {
+@@ -137,7 +145,7 @@ int vbg_hgcm_connect(struct vbg_dev *gde
+               rc = hgcm_connect->header.result;
+       }
+-      kfree(hgcm_connect);
++      vbg_req_free(hgcm_connect, sizeof(*hgcm_connect));
+       *vbox_status = rc;
+       return 0;
+@@ -166,7 +174,7 @@ int vbg_hgcm_disconnect(struct vbg_dev *
+       if (rc >= 0)
+               rc = hgcm_disconnect->header.result;
+-      kfree(hgcm_disconnect);
++      vbg_req_free(hgcm_disconnect, sizeof(*hgcm_disconnect));
+       *vbox_status = rc;
+       return 0;
+@@ -623,7 +631,7 @@ int vbg_hgcm_call(struct vbg_dev *gdev,
+       }
+       if (!leak_it)
+-              kfree(call);
++              vbg_req_free(call, size);
+ free_bounce_bufs:
+       if (bounce_bufs) {
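Review bot: `vbg_req_free(void *req, size_t len)` is added without any comment on what `len` must be, and the body ignores it. The commit message says the allocator will move to get_pages, at which point a `len` that differs from the one given to vbg_req_alloc() could free the wrong amount of memory. A kernel-doc block on the definition should state that NULL is accepted and that the length must match, e.g. `@len: Length passed to vbg_req_alloc() for @req; must match exactly.` Call sites such as `vbg_req_free(call, size)` in vbg_hgcm_call() depend on that, and the matching allocation is outside the hunk.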
diff --git a/queue-4.16/virt-vbox-move-declarations-of-vboxguest-private-functions-to-private-header.patch b/queue-4.16/virt-vbox-move-declarations-of-vboxguest-private-functions-to-private-header.patch
new file mode 100644 (file)
index 0000000..8b592fb
--- /dev/null
@@ -0,0 +1,76 @@
+From 02cfde67df1f440c7c3c7038cc97992afb81804f Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 18 Apr 2018 15:24:47 +0200
+Subject: virt: vbox: Move declarations of vboxguest private functions to private header
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 02cfde67df1f440c7c3c7038cc97992afb81804f upstream.
+
+Move the declarations of functions from vboxguest_utils.c which are only
+meant for vboxguest internal use from include/linux/vbox_utils.h to
+drivers/virt/vboxguest/vboxguest_core.h.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virt/vboxguest/vboxguest_core.h |    8 ++++++++
+ include/linux/vbox_utils.h              |   23 -----------------------
+ 2 files changed, 8 insertions(+), 23 deletions(-)
+
+--- a/drivers/virt/vboxguest/vboxguest_core.h
++++ b/drivers/virt/vboxguest/vboxguest_core.h
+@@ -171,4 +171,12 @@ irqreturn_t vbg_core_isr(int irq, void *
+ void vbg_linux_mouse_event(struct vbg_dev *gdev);
++/* Private (non exported) functions form vboxguest_utils.c */
++void *vbg_req_alloc(size_t len, enum vmmdev_request_type req_type);
++int vbg_req_perform(struct vbg_dev *gdev, void *req);
++int vbg_hgcm_call32(
++      struct vbg_dev *gdev, u32 client_id, u32 function, u32 timeout_ms,
++      struct vmmdev_hgcm_function_parameter32 *parm32, u32 parm_count,
++      int *vbox_status);
++
+ #endif
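Review bot: The declarations added to vboxguest_core.h arrive without the kernel-doc that this patch deletes from include/linux/vbox_utils.h, so the statement that `vbg_req_perform()` returns a VBox status code is no longer attached to its prototype. Callers have to keep that convention apart from negative errno values, and the header is where they will look first. I would carry the comments over, at least `/* Returns a VBox status code, not a negative errno. */` above `vbg_req_perform` and a one-line description of `len` and `req_type` above `vbg_req_alloc`. The new comment also reads "functions form", which should be "functions from".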
+--- a/include/linux/vbox_utils.h
++++ b/include/linux/vbox_utils.h
+@@ -24,24 +24,6 @@ __printf(1, 2) void vbg_debug(const char
+ #define vbg_debug pr_debug
+ #endif
+-/**
+- * Allocate memory for generic request and initialize the request header.
+- *
+- * Return: the allocated memory
+- * @len:              Size of memory block required for the request.
+- * @req_type:         The generic request type.
+- */
+-void *vbg_req_alloc(size_t len, enum vmmdev_request_type req_type);
+-
+-/**
+- * Perform a generic request.
+- *
+- * Return: VBox status code
+- * @gdev:             The Guest extension device.
+- * @req:              Pointer to the request structure.
+- */
+-int vbg_req_perform(struct vbg_dev *gdev, void *req);
+-
+ int vbg_hgcm_connect(struct vbg_dev *gdev,
+                    struct vmmdev_hgcm_service_location *loc,
+                    u32 *client_id, int *vbox_status);
+@@ -52,11 +34,6 @@ int vbg_hgcm_call(struct vbg_dev *gdev,
+                 u32 timeout_ms, struct vmmdev_hgcm_function_parameter *parms,
+                 u32 parm_count, int *vbox_status);
+-int vbg_hgcm_call32(
+-      struct vbg_dev *gdev, u32 client_id, u32 function, u32 timeout_ms,
+-      struct vmmdev_hgcm_function_parameter32 *parm32, u32 parm_count,
+-      int *vbox_status);
+-
+ /**
+  * Convert a VirtualBox status code to a standard Linux kernel return value.
+  * Return: 0 or negative errno value.
diff --git a/queue-4.16/virt-vbox-use-__get_free_pages-instead-of-kmalloc-for-dma32-memory.patch b/queue-4.16/virt-vbox-use-__get_free_pages-instead-of-kmalloc-for-dma32-memory.patch
new file mode 100644 (file)
index 0000000..880f6b8
--- /dev/null
@@ -0,0 +1,91 @@
+From faf6a2a44164c0fb2c2a82692ab9051917514bce Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 18 Apr 2018 15:24:49 +0200
+Subject: virt: vbox: Use __get_free_pages instead of kmalloc for DMA32 memory
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit faf6a2a44164c0fb2c2a82692ab9051917514bce upstream.
+
+It is not possible to get DMA32 zone memory through kmalloc, causing
+the vboxguest driver to malfunction due to getting memory above
+4G which the PCI device cannot handle.
+
+This commit changes the kmalloc calls where the 4G limit matters to
+using __get_free_pages() fixing vboxguest not working on x86_64 guests
+with more then 4G RAM.
+
+Cc: stable@vger.kernel.org
+Reported-by: Eloy Coto Pereiro <eloy.coto@gmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virt/vboxguest/vboxguest_linux.c |   19 ++++++++++++++++---
+ drivers/virt/vboxguest/vboxguest_utils.c |    5 +++--
+ 2 files changed, 19 insertions(+), 5 deletions(-)
+
+--- a/drivers/virt/vboxguest/vboxguest_linux.c
++++ b/drivers/virt/vboxguest/vboxguest_linux.c
+@@ -87,6 +87,7 @@ static long vbg_misc_device_ioctl(struct
+       struct vbg_session *session = filp->private_data;
+       size_t returned_size, size;
+       struct vbg_ioctl_hdr hdr;
++      bool is_vmmdev_req;
+       int ret = 0;
+       void *buf;
+@@ -106,8 +107,17 @@ static long vbg_misc_device_ioctl(struct
+       if (size > SZ_16M)
+               return -E2BIG;
+-      /* __GFP_DMA32 because IOCTL_VMMDEV_REQUEST passes this to the host */
+-      buf = kmalloc(size, GFP_KERNEL | __GFP_DMA32);
++      /*
++       * IOCTL_VMMDEV_REQUEST needs the buffer to be below 4G to avoid
++       * the need for a bounce-buffer and another copy later on.
++       */
++      is_vmmdev_req = (req & ~IOCSIZE_MASK) == VBG_IOCTL_VMMDEV_REQUEST(0) ||
++                       req == VBG_IOCTL_VMMDEV_REQUEST_BIG;
++
++      if (is_vmmdev_req)
++              buf = vbg_req_alloc(size, VBG_IOCTL_HDR_TYPE_DEFAULT);
++      else
++              buf = kmalloc(size, GFP_KERNEL);
+       if (!buf)
+               return -ENOMEM;
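Review bot: The new call `vbg_req_alloc(size, VBG_IOCTL_HDR_TYPE_DEFAULT)` passes an ioctl header type constant where the prototype in vboxguest_utils.c takes `enum vmmdev_request_type req_type`, and nothing here says why that is acceptable. Presumably the header written by vbg_req_alloc() is overwritten when the user buffer is copied in, which happens outside this hunk. If so, a comment such as `/* req_type is a placeholder, the header is overwritten by the copy from userspace below */` would make that explicit. Separately, `size` is bounded only by the SZ_16M check above and now becomes a page order in vbg_req_alloc(), so it is worth confirming that a request near the cap fails with -ENOMEM without an allocator warning on configurations whose maximum page order is smaller. vbg_misc_device_ioctl starts and ends outside the hunk.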
+@@ -132,7 +142,10 @@ static long vbg_misc_device_ioctl(struct
+               ret = -EFAULT;
+ out:
+-      kfree(buf);
++      if (is_vmmdev_req)
++              vbg_req_free(buf, size);
++      else
++              kfree(buf);
+       return ret;
+ }
+--- a/drivers/virt/vboxguest/vboxguest_utils.c
++++ b/drivers/virt/vboxguest/vboxguest_utils.c
+@@ -65,8 +65,9 @@ VBG_LOG(vbg_debug, pr_debug);
+ void *vbg_req_alloc(size_t len, enum vmmdev_request_type req_type)
+ {
+       struct vmmdev_request_header *req;
++      int order = get_order(PAGE_ALIGN(len));
+-      req = kmalloc(len, GFP_KERNEL | __GFP_DMA32);
++      req = (void *)__get_free_pages(GFP_KERNEL | GFP_DMA32, order);
+       if (!req)
+               return NULL;
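Review bot: The page order is derived from `len` here and again, independently, in `vbg_req_free()` in the next hunk, so the allocation is only released correctly when every caller passes the free function the same length it allocated with. A different value frees the wrong order and either leaks pages or returns pages the request never owned. That contract is not written down in the lines shown, and I would add `/* @len must be the value passed to vbg_req_alloc() for this request */` above `vbg_req_free`. `get_order()` already rounds up to whole pages, so `PAGE_ALIGN(len)` is redundant, and its result is undefined for a size of 0, so a `len` of 0 should be rejected before this line if any caller can produce it. The rest of vbg_req_alloc is outside the hunk.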
+@@ -87,7 +88,7 @@ void vbg_req_free(void *req, size_t len)
+       if (!req)
+               return;
+-      kfree(req);
++      free_pages((unsigned long)req, get_order(PAGE_ALIGN(len)));
+ }
+ /* Note this function returns a VBox status code, not a negative errno!! */