4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 25 Mar 2018 10:06:03 +0000 (12:06 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 25 Mar 2018 10:06:03 +0000 (12:06 +0200)
added patches:
acpi-numa-fix-pxm-to-online-numa-node-associations.patch
brcmfmac-fix-p2p_device-ethernet-address-generation.patch
can-cc770-fix-queue-stall-dropped-rtr-reply.patch
can-cc770-fix-stalls-on-rt-linux-remove-redundant-irq-ack.patch
can-cc770-fix-use-after-free-in-cc770_tx_interrupt.patch
drm-radeon-don-t-turn-off-dp-sink-when-disconnected.patch
drm-udl-properly-check-framebuffer-mmap-offsets.patch
drm-vmwgfx-fix-a-destoy-while-held-mutex-problem.patch
mm-vmalloc-add-interfaces-to-free-unmapped-page-table.patch
mtd-nand-fsl_ifc-fix-nand-waitfunc-return-value.patch
rtlwifi-rtl8723be-fix-loss-of-signal.patch
staging-ncpfs-memory-corruption-in-ncp_read_kernel.patch
tracing-probeevent-fix-to-support-minus-offset-from-symbol.patch
x86-mm-implement-free-pmd-pte-page-interfaces.patch

15 files changed:
queue-4.4/acpi-numa-fix-pxm-to-online-numa-node-associations.patch [new file with mode: 0644]
queue-4.4/brcmfmac-fix-p2p_device-ethernet-address-generation.patch [new file with mode: 0644]
queue-4.4/can-cc770-fix-queue-stall-dropped-rtr-reply.patch [new file with mode: 0644]
queue-4.4/can-cc770-fix-stalls-on-rt-linux-remove-redundant-irq-ack.patch [new file with mode: 0644]
queue-4.4/can-cc770-fix-use-after-free-in-cc770_tx_interrupt.patch [new file with mode: 0644]
queue-4.4/drm-radeon-don-t-turn-off-dp-sink-when-disconnected.patch [new file with mode: 0644]
queue-4.4/drm-udl-properly-check-framebuffer-mmap-offsets.patch [new file with mode: 0644]
queue-4.4/drm-vmwgfx-fix-a-destoy-while-held-mutex-problem.patch [new file with mode: 0644]
queue-4.4/mm-vmalloc-add-interfaces-to-free-unmapped-page-table.patch [new file with mode: 0644]
queue-4.4/mtd-nand-fsl_ifc-fix-nand-waitfunc-return-value.patch [new file with mode: 0644]
queue-4.4/rtlwifi-rtl8723be-fix-loss-of-signal.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/staging-ncpfs-memory-corruption-in-ncp_read_kernel.patch [new file with mode: 0644]
queue-4.4/tracing-probeevent-fix-to-support-minus-offset-from-symbol.patch [new file with mode: 0644]
queue-4.4/x86-mm-implement-free-pmd-pte-page-interfaces.patch [new file with mode: 0644]

diff --git a/queue-4.4/acpi-numa-fix-pxm-to-online-numa-node-associations.patch b/queue-4.4/acpi-numa-fix-pxm-to-online-numa-node-associations.patch
new file mode 100644 (file)
index 0000000..1215357
--- /dev/null
@@ -0,0 +1,68 @@
+From dc9e0a9347e932e3fd3cd03e7ff241022ed6ea8a Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Thu, 15 Mar 2018 19:49:14 -0700
+Subject: acpi, numa: fix pxm to online numa node associations
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit dc9e0a9347e932e3fd3cd03e7ff241022ed6ea8a upstream.
+
+Commit 99759869faf1 "acpi: Add acpi_map_pxm_to_online_node()" added
+support for mapping a given proximity to its nearest, by SLIT distance,
+online node. However, it sometimes returns unexpected results due to the
+fact that it switches from comparing the PXM node to the last node that
+was closer than the current max.
+
+    for_each_online_node(n) {
+            dist = node_distance(node, n);
+            if (dist < min_dist) {
+                    min_dist = dist;
+                    node = n;  <---- from this point we're using the
+                                     wrong node for node_distance()
+
+
+Fixes: 99759869faf1 ("acpi: Add acpi_map_pxm_to_online_node()")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Toshi Kani <toshi.kani@hp.com>
+Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/numa.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/acpi/numa.c
++++ b/drivers/acpi/numa.c
+@@ -103,25 +103,27 @@ int acpi_map_pxm_to_node(int pxm)
+  */
+ int acpi_map_pxm_to_online_node(int pxm)
+ {
+-      int node, n, dist, min_dist;
++      int node, min_node;
+       node = acpi_map_pxm_to_node(pxm);
+       if (node == NUMA_NO_NODE)
+               node = 0;
++      min_node = node;
+       if (!node_online(node)) {
+-              min_dist = INT_MAX;
++              int min_dist = INT_MAX, dist, n;
++
+               for_each_online_node(n) {
+                       dist = node_distance(node, n);
+                       if (dist < min_dist) {
+                               min_dist = dist;
+-                              node = n;
++                              min_node = n;
+                       }
+               }
+       }
+-      return node;
++      return min_node;
+ }
+ EXPORT_SYMBOL(acpi_map_pxm_to_online_node);
diff --git a/queue-4.4/brcmfmac-fix-p2p_device-ethernet-address-generation.patch b/queue-4.4/brcmfmac-fix-p2p_device-ethernet-address-generation.patch
new file mode 100644 (file)
index 0000000..f7c127e
--- /dev/null
@@ -0,0 +1,70 @@
+From 455f3e76cfc0d893585a5f358b9ddbe9c1e1e53b Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Wed, 28 Feb 2018 21:15:20 +0100
+Subject: brcmfmac: fix P2P_DEVICE ethernet address generation
+
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+
+commit 455f3e76cfc0d893585a5f358b9ddbe9c1e1e53b upstream.
+
+The firmware has a requirement that the P2P_DEVICE address should
+be different from the address of the primary interface. When not
+specified by user-space, the driver generates the MAC address for
+the P2P_DEVICE interface using the MAC address of the primary
+interface and setting the locally administered bit. However, the MAC
+address of the primary interface may already have that bit set causing
+the creation of the P2P_DEVICE interface to fail with -EBUSY. Fix this
+by using a random address instead to determine the P2P_DEVICE address.
+
+Cc: stable@vger.kernel.org # 3.10.y
+Reported-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/brcm80211/brcmfmac/p2p.c |   24 +++++++++++-------------
+ 1 file changed, 11 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
++++ b/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
+@@ -461,25 +461,23 @@ static int brcmf_p2p_set_firmware(struct
+  * @dev_addr: optional device address.
+  *
+  * P2P needs mac addresses for P2P device and interface. If no device
+- * address it specified, these are derived from the primary net device, ie.
+- * the permanent ethernet address of the device.
++ * address it specified, these are derived from a random ethernet
++ * address.
+  */
+ static void brcmf_p2p_generate_bss_mac(struct brcmf_p2p_info *p2p, u8 *dev_addr)
+ {
+-      struct brcmf_if *pri_ifp = p2p->bss_idx[P2PAPI_BSSCFG_PRIMARY].vif->ifp;
+-      bool local_admin = false;
++      bool random_addr = false;
+-      if (!dev_addr || is_zero_ether_addr(dev_addr)) {
+-              dev_addr = pri_ifp->mac_addr;
+-              local_admin = true;
+-      }
++      if (!dev_addr || is_zero_ether_addr(dev_addr))
++              random_addr = true;
+-      /* Generate the P2P Device Address.  This consists of the device's
+-       * primary MAC address with the locally administered bit set.
++      /* Generate the P2P Device Address obtaining a random ethernet
++       * address with the locally administered bit set.
+        */
+-      memcpy(p2p->dev_addr, dev_addr, ETH_ALEN);
+-      if (local_admin)
+-              p2p->dev_addr[0] |= 0x02;
++      if (random_addr)
++              eth_random_addr(p2p->dev_addr);
++      else
++              memcpy(p2p->dev_addr, dev_addr, ETH_ALEN);
+       /* Generate the P2P Interface Address.  If the discovery and connection
+        * BSSCFGs need to simultaneously co-exist, then this address must be
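Review bot: The rewritten comment above the address selection in brcmf_p2p_generate_bss_mac() describes only the random branch, while the `else` branch still copies a caller-supplied `dev_addr` unchanged. I would word it as `/* Use the caller-supplied P2P Device Address when one is given; otherwise generate a random, locally administered one. */`, and fix the carried-over kernel-doc typo to `address is specified`. The `random_addr` flag is set and consumed within a few lines, so the condition could call `eth_random_addr(p2p->dev_addr);` directly. The function body continues past the end of this hunk.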
diff --git a/queue-4.4/can-cc770-fix-queue-stall-dropped-rtr-reply.patch b/queue-4.4/can-cc770-fix-queue-stall-dropped-rtr-reply.patch
new file mode 100644 (file)
index 0000000..a36da52
--- /dev/null
@@ -0,0 +1,190 @@
+From 746201235b3f876792099079f4c6fea941d76183 Mon Sep 17 00:00:00 2001
+From: Andri Yngvason <andri.yngvason@marel.com>
+Date: Wed, 14 Mar 2018 11:52:57 +0000
+Subject: can: cc770: Fix queue stall & dropped RTR reply
+
+From: Andri Yngvason <andri.yngvason@marel.com>
+
+commit 746201235b3f876792099079f4c6fea941d76183 upstream.
+
+While waiting for the TX object to send an RTR, an external message with a
+matching id can overwrite the TX data. In this case we must call the rx
+routine and then try transmitting the message that was overwritten again.
+
+The queue was being stalled because the RX event did not generate an
+interrupt to wake up the queue again and the TX event did not happen
+because the TXRQST flag is reset by the chip when new data is received.
+
+According to the CC770 datasheet the id of a message object should not be
+changed while the MSGVAL bit is set. This has been fixed by resetting the
+MSGVAL bit before modifying the object in the transmit function and setting
+it after. It is not enough to set & reset CPUUPD.
+
+It is important to keep the MSGVAL bit reset while the message object is
+being modified. Otherwise, during RTR transmission, a frame with matching
+id could trigger an rx-interrupt, which would cause a race condition
+between the interrupt routine and the transmit function.
+
+Signed-off-by: Andri Yngvason <andri.yngvason@marel.com>
+Tested-by: Richard Weinberger <richard@nod.at>
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/cc770/cc770.c |   94 +++++++++++++++++++++++++++++-------------
+ drivers/net/can/cc770/cc770.h |    2 
+ 2 files changed, 68 insertions(+), 28 deletions(-)
+
+--- a/drivers/net/can/cc770/cc770.c
++++ b/drivers/net/can/cc770/cc770.c
+@@ -390,37 +390,23 @@ static int cc770_get_berr_counter(const
+       return 0;
+ }
+-static netdev_tx_t cc770_start_xmit(struct sk_buff *skb, struct net_device *dev)
++static void cc770_tx(struct net_device *dev, int mo)
+ {
+       struct cc770_priv *priv = netdev_priv(dev);
+-      struct net_device_stats *stats = &dev->stats;
+-      struct can_frame *cf = (struct can_frame *)skb->data;
+-      unsigned int mo = obj2msgobj(CC770_OBJ_TX);
++      struct can_frame *cf = (struct can_frame *)priv->tx_skb->data;
+       u8 dlc, rtr;
+       u32 id;
+       int i;
+-      if (can_dropped_invalid_skb(dev, skb))
+-              return NETDEV_TX_OK;
+-
+-      if ((cc770_read_reg(priv,
+-                          msgobj[mo].ctrl1) & TXRQST_UNC) == TXRQST_SET) {
+-              netdev_err(dev, "TX register is still occupied!\n");
+-              return NETDEV_TX_BUSY;
+-      }
+-
+-      netif_stop_queue(dev);
+-
+       dlc = cf->can_dlc;
+       id = cf->can_id;
+-      if (cf->can_id & CAN_RTR_FLAG)
+-              rtr = 0;
+-      else
+-              rtr = MSGCFG_DIR;
++      rtr = cf->can_id & CAN_RTR_FLAG ? 0 : MSGCFG_DIR;
++
++      cc770_write_reg(priv, msgobj[mo].ctrl0,
++                      MSGVAL_RES | TXIE_RES | RXIE_RES | INTPND_RES);
+       cc770_write_reg(priv, msgobj[mo].ctrl1,
+                       RMTPND_RES | TXRQST_RES | CPUUPD_SET | NEWDAT_RES);
+-      cc770_write_reg(priv, msgobj[mo].ctrl0,
+-                      MSGVAL_SET | TXIE_SET | RXIE_RES | INTPND_RES);
++
+       if (id & CAN_EFF_FLAG) {
+               id &= CAN_EFF_MASK;
+               cc770_write_reg(priv, msgobj[mo].config,
+@@ -439,13 +425,30 @@ static netdev_tx_t cc770_start_xmit(stru
+       for (i = 0; i < dlc; i++)
+               cc770_write_reg(priv, msgobj[mo].data[i], cf->data[i]);
+-      /* Store echo skb before starting the transfer */
+-      can_put_echo_skb(skb, dev, 0);
+-
+       cc770_write_reg(priv, msgobj[mo].ctrl1,
+-                      RMTPND_RES | TXRQST_SET | CPUUPD_RES | NEWDAT_UNC);
++                      RMTPND_UNC | TXRQST_SET | CPUUPD_RES | NEWDAT_UNC);
++      cc770_write_reg(priv, msgobj[mo].ctrl0,
++                      MSGVAL_SET | TXIE_SET | RXIE_SET | INTPND_UNC);
++}
++
++static netdev_tx_t cc770_start_xmit(struct sk_buff *skb, struct net_device *dev)
++{
++      struct cc770_priv *priv = netdev_priv(dev);
++      unsigned int mo = obj2msgobj(CC770_OBJ_TX);
++
++      if (can_dropped_invalid_skb(dev, skb))
++              return NETDEV_TX_OK;
++
++      netif_stop_queue(dev);
++
++      if ((cc770_read_reg(priv,
++                          msgobj[mo].ctrl1) & TXRQST_UNC) == TXRQST_SET) {
++              netdev_err(dev, "TX register is still occupied!\n");
++              return NETDEV_TX_BUSY;
++      }
+-      stats->tx_bytes += dlc;
++      priv->tx_skb = skb;
++      cc770_tx(dev, mo);
+       return NETDEV_TX_OK;
+ }
+@@ -671,13 +674,47 @@ static void cc770_tx_interrupt(struct ne
+       struct cc770_priv *priv = netdev_priv(dev);
+       struct net_device_stats *stats = &dev->stats;
+       unsigned int mo = obj2msgobj(o);
++      struct can_frame *cf;
++      u8 ctrl1;
++
++      ctrl1 = cc770_read_reg(priv, msgobj[mo].ctrl1);
+-      /* Nothing more to send, switch off interrupts */
+       cc770_write_reg(priv, msgobj[mo].ctrl0,
+                       MSGVAL_RES | TXIE_RES | RXIE_RES | INTPND_RES);
++      cc770_write_reg(priv, msgobj[mo].ctrl1,
++                      RMTPND_RES | TXRQST_RES | MSGLST_RES | NEWDAT_RES);
+-      stats->tx_packets++;
++      if (unlikely(!priv->tx_skb)) {
++              netdev_err(dev, "missing tx skb in tx interrupt\n");
++              return;
++      }
++
++      if (unlikely(ctrl1 & MSGLST_SET)) {
++              stats->rx_over_errors++;
++              stats->rx_errors++;
++      }
++
++      /* When the CC770 is sending an RTR message and it receives a regular
++       * message that matches the id of the RTR message, it will overwrite the
++       * outgoing message in the TX register. When this happens we must
++       * process the received message and try to transmit the outgoing skb
++       * again.
++       */
++      if (unlikely(ctrl1 & NEWDAT_SET)) {
++              cc770_rx(dev, mo, ctrl1);
++              cc770_tx(dev, mo);
++              return;
++      }
++
++      can_put_echo_skb(priv->tx_skb, dev, 0);
+       can_get_echo_skb(dev, 0);
++
++      cf = (struct can_frame *)priv->tx_skb->data;
++      stats->tx_bytes += cf->can_dlc;
++      stats->tx_packets++;
++
++      priv->tx_skb = NULL;
++
+       netif_wake_queue(dev);
+ }
+@@ -789,6 +826,7 @@ struct net_device *alloc_cc770dev(int si
+       priv->can.do_set_bittiming = cc770_set_bittiming;
+       priv->can.do_set_mode = cc770_set_mode;
+       priv->can.ctrlmode_supported = CAN_CTRLMODE_3_SAMPLES;
++      priv->tx_skb = NULL;
+       memcpy(priv->obj_flags, cc770_obj_flags, sizeof(cc770_obj_flags));
+--- a/drivers/net/can/cc770/cc770.h
++++ b/drivers/net/can/cc770/cc770.h
+@@ -193,6 +193,8 @@ struct cc770_priv {
+       u8 cpu_interface;       /* CPU interface register */
+       u8 clkout;              /* Clock out register */
+       u8 bus_config;          /* Bus conffiguration register */
++
++      struct sk_buff *tx_skb;
+ };
+ struct net_device *alloc_cc770dev(int sizeof_priv);
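Review bot: `priv->tx_skb` is written in cc770_start_xmit() and read and cleared in cc770_tx_interrupt() with no lock visible in these hunks; the only thing keeping the two apart appears to be the netif_stop_queue() call that now precedes the busy check. The new member in cc770.h is the one field shown without a comment, so that invariant is undocumented; I would write `struct sk_buff *tx_skb; /* frame in flight: set in start_xmit, cleared by the TX interrupt while the queue is stopped */`. Related to that, the `!priv->tx_skb` early return in cc770_tx_interrupt() leaves after resetting ctrl0/ctrl1 without calling netif_wake_queue(), so if that state is ever reached with the queue stopped, nothing visible here restarts it. cc770_tx_interrupt() begins outside the hunk.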
diff --git a/queue-4.4/can-cc770-fix-stalls-on-rt-linux-remove-redundant-irq-ack.patch b/queue-4.4/can-cc770-fix-stalls-on-rt-linux-remove-redundant-irq-ack.patch
new file mode 100644 (file)
index 0000000..870e17e
--- /dev/null
@@ -0,0 +1,53 @@
+From f4353daf4905c0099fd25fa742e2ffd4a4bab26a Mon Sep 17 00:00:00 2001
+From: Andri Yngvason <andri.yngvason@marel.com>
+Date: Wed, 14 Mar 2018 11:52:56 +0000
+Subject: can: cc770: Fix stalls on rt-linux, remove redundant IRQ ack
+
+From: Andri Yngvason <andri.yngvason@marel.com>
+
+commit f4353daf4905c0099fd25fa742e2ffd4a4bab26a upstream.
+
+This has been reported to cause stalls on rt-linux.
+
+Suggested-by: Richard Weinberger <richard@nod.at>
+Tested-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Andri Yngvason <andri.yngvason@marel.com>
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/cc770/cc770.c |   15 ---------------
+ 1 file changed, 15 deletions(-)
+
+--- a/drivers/net/can/cc770/cc770.c
++++ b/drivers/net/can/cc770/cc770.c
+@@ -447,15 +447,6 @@ static netdev_tx_t cc770_start_xmit(stru
+       stats->tx_bytes += dlc;
+-
+-      /*
+-       * HM: We had some cases of repeated IRQs so make sure the
+-       * INT is acknowledged I know it's already further up, but
+-       * doing again fixed the issue
+-       */
+-      cc770_write_reg(priv, msgobj[mo].ctrl0,
+-                      MSGVAL_UNC | TXIE_UNC | RXIE_UNC | INTPND_RES);
+-
+       return NETDEV_TX_OK;
+ }
+@@ -684,12 +675,6 @@ static void cc770_tx_interrupt(struct ne
+       /* Nothing more to send, switch off interrupts */
+       cc770_write_reg(priv, msgobj[mo].ctrl0,
+                       MSGVAL_RES | TXIE_RES | RXIE_RES | INTPND_RES);
+-      /*
+-       * We had some cases of repeated IRQ so make sure the
+-       * INT is acknowledged
+-       */
+-      cc770_write_reg(priv, msgobj[mo].ctrl0,
+-                      MSGVAL_UNC | TXIE_UNC | RXIE_UNC | INTPND_RES);
+       stats->tx_packets++;
+       can_get_echo_skb(dev, 0);
diff --git a/queue-4.4/can-cc770-fix-use-after-free-in-cc770_tx_interrupt.patch b/queue-4.4/can-cc770-fix-use-after-free-in-cc770_tx_interrupt.patch
new file mode 100644 (file)
index 0000000..8cd429a
--- /dev/null
@@ -0,0 +1,39 @@
+From 9ffd7503944ec7c0ef41c3245d1306c221aef2be Mon Sep 17 00:00:00 2001
+From: Andri Yngvason <andri.yngvason@marel.com>
+Date: Thu, 15 Mar 2018 18:23:17 +0000
+Subject: can: cc770: Fix use after free in cc770_tx_interrupt()
+
+From: Andri Yngvason <andri.yngvason@marel.com>
+
+commit 9ffd7503944ec7c0ef41c3245d1306c221aef2be upstream.
+
+This fixes use after free introduced by the last cc770 patch.
+
+Signed-off-by: Andri Yngvason <andri.yngvason@marel.com>
+Fixes: 746201235b3f ("can: cc770: Fix queue stall & dropped RTR reply")
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/cc770/cc770.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/can/cc770/cc770.c
++++ b/drivers/net/can/cc770/cc770.c
+@@ -706,13 +706,12 @@ static void cc770_tx_interrupt(struct ne
+               return;
+       }
+-      can_put_echo_skb(priv->tx_skb, dev, 0);
+-      can_get_echo_skb(dev, 0);
+-
+       cf = (struct can_frame *)priv->tx_skb->data;
+       stats->tx_bytes += cf->can_dlc;
+       stats->tx_packets++;
++      can_put_echo_skb(priv->tx_skb, dev, 0);
++      can_get_echo_skb(dev, 0);
+       priv->tx_skb = NULL;
+       netif_wake_queue(dev);
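Review bot: Nothing in the reordered block of cc770_tx_interrupt() says why `cf->can_dlc` has to be read before the two echo calls, so a later cleanup could move the statistics back below them and reintroduce the use after free this patch fixes. A one-line comment above the `cf = ...` assignment would pin the ordering, for example `/* read the frame before the echo calls; tx_skb must not be dereferenced after them */`. The function starts and ends outside this hunk.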
diff --git a/queue-4.4/drm-radeon-don-t-turn-off-dp-sink-when-disconnected.patch b/queue-4.4/drm-radeon-don-t-turn-off-dp-sink-when-disconnected.patch
new file mode 100644 (file)
index 0000000..628d419
--- /dev/null
@@ -0,0 +1,68 @@
+From 2681bc79eeb640562c932007bfebbbdc55bf6a7d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <michel.daenzer@amd.com>
+Date: Wed, 14 Mar 2018 18:14:04 +0100
+Subject: drm/radeon: Don't turn off DP sink when disconnected
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michel Dänzer <michel.daenzer@amd.com>
+
+commit 2681bc79eeb640562c932007bfebbbdc55bf6a7d upstream.
+
+Turning off the sink in this case causes various issues, because
+userspace expects it to stay on until it turns it off explicitly.
+
+Instead, turn the sink off and back on when a display is connected
+again. This dance seems necessary for link training to work correctly.
+
+Bugzilla: https://bugs.freedesktop.org/105308
+Cc: stable@vger.kernel.org
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/radeon_connectors.c |   29 +++++++++++------------------
+ 1 file changed, 11 insertions(+), 18 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_connectors.c
++++ b/drivers/gpu/drm/radeon/radeon_connectors.c
+@@ -89,25 +89,18 @@ void radeon_connector_hotplug(struct drm
+               /* don't do anything if sink is not display port, i.e.,
+                * passive dp->(dvi|hdmi) adaptor
+                */
+-              if (dig_connector->dp_sink_type == CONNECTOR_OBJECT_ID_DISPLAYPORT) {
+-                      int saved_dpms = connector->dpms;
+-                      /* Only turn off the display if it's physically disconnected */
+-                      if (!radeon_hpd_sense(rdev, radeon_connector->hpd.hpd)) {
+-                              drm_helper_connector_dpms(connector, DRM_MODE_DPMS_OFF);
+-                      } else if (radeon_dp_needs_link_train(radeon_connector)) {
+-                              /* Don't try to start link training before we
+-                               * have the dpcd */
+-                              if (!radeon_dp_getdpcd(radeon_connector))
+-                                      return;
++              if (dig_connector->dp_sink_type == CONNECTOR_OBJECT_ID_DISPLAYPORT &&
++                  radeon_hpd_sense(rdev, radeon_connector->hpd.hpd) &&
++                  radeon_dp_needs_link_train(radeon_connector)) {
++                      /* Don't start link training before we have the DPCD */
++                      if (!radeon_dp_getdpcd(radeon_connector))
++                              return;
+-                              /* set it to OFF so that drm_helper_connector_dpms()
+-                               * won't return immediately since the current state
+-                               * is ON at this point.
+-                               */
+-                              connector->dpms = DRM_MODE_DPMS_OFF;
+-                              drm_helper_connector_dpms(connector, DRM_MODE_DPMS_ON);
+-                      }
+-                      connector->dpms = saved_dpms;
++                      /* Turn the connector off and back on immediately, which
++                       * will trigger link training
++                       */
++                      drm_helper_connector_dpms(connector, DRM_MODE_DPMS_OFF);
++                      drm_helper_connector_dpms(connector, DRM_MODE_DPMS_ON);
+               }
+       }
+ }
diff --git a/queue-4.4/drm-udl-properly-check-framebuffer-mmap-offsets.patch b/queue-4.4/drm-udl-properly-check-framebuffer-mmap-offsets.patch
new file mode 100644 (file)
index 0000000..43fa1eb
--- /dev/null
@@ -0,0 +1,44 @@
+From 3b82a4db8eaccce735dffd50b4d4e1578099b8e8 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 21 Mar 2018 16:45:53 +0100
+Subject: drm: udl: Properly check framebuffer mmap offsets
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 3b82a4db8eaccce735dffd50b4d4e1578099b8e8 upstream.
+
+The memmap options sent to the udl framebuffer driver were not being
+checked for all sets of possible crazy values.  Fix this up by properly
+bounding the allowed values.
+
+Reported-by: Eyal Itkin <eyalit@checkpoint.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180321154553.GA18454@kroah.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/udl/udl_fb.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/udl/udl_fb.c
++++ b/drivers/gpu/drm/udl/udl_fb.c
+@@ -256,10 +256,15 @@ static int udl_fb_mmap(struct fb_info *i
+ {
+       unsigned long start = vma->vm_start;
+       unsigned long size = vma->vm_end - vma->vm_start;
+-      unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
++      unsigned long offset;
+       unsigned long page, pos;
+-      if (offset + size > info->fix.smem_len)
++      if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
++              return -EINVAL;
++
++      offset = vma->vm_pgoff << PAGE_SHIFT;
++
++      if (offset > info->fix.smem_len || size > info->fix.smem_len - offset)
+               return -EINVAL;
+       pos = (unsigned long)info->fix.smem_start + offset;
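Review bot: The bounds test in udl_fb_mmap() is now written as `size > info->fix.smem_len - offset` because the old `offset + size` sum could wrap, but no comment records that, and the subtraction form is something a later cleanup could fold back into the addition. I would add `/* offset + size can wrap; compare size against the space left after offset */` above the second check, and a similar one-liner on the `vma->vm_pgoff` test saying it rejects page offsets whose shift would overflow. The rest of the function, including the code that consumes `pos`, is outside this hunk.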
diff --git a/queue-4.4/drm-vmwgfx-fix-a-destoy-while-held-mutex-problem.patch b/queue-4.4/drm-vmwgfx-fix-a-destoy-while-held-mutex-problem.patch
new file mode 100644 (file)
index 0000000..cd7fba6
--- /dev/null
@@ -0,0 +1,190 @@
+From 73a88250b70954a8f27c2444e1c2411bba3c29d9 Mon Sep 17 00:00:00 2001
+From: Thomas Hellstrom <thellstrom@vmware.com>
+Date: Wed, 21 Mar 2018 10:18:38 +0100
+Subject: drm/vmwgfx: Fix a destoy-while-held mutex problem.
+
+From: Thomas Hellstrom <thellstrom@vmware.com>
+
+commit 73a88250b70954a8f27c2444e1c2411bba3c29d9 upstream.
+
+When validating legacy surfaces, the backup bo might be destroyed at
+surface validate time. However, the kms resource validation code may have
+the bo reserved, so we will destroy a locked mutex. While there shouldn't
+be any other users of that mutex when it is destroyed, it causes a lock
+leak and thus throws a lockdep error.
+
+Fix this by having the kms resource validation code hold a reference to
+the bo while we have it reserved. We do this by introducing a validation
+context which might come in handy when the kms code is extended to validate
+multiple resources or buffers.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
+Reviewed-by: Brian Paul <brianp@vmware.com>
+Reviewed-by: Sinclair Yeh <syeh@vmware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c  |   28 +++++++++++++++++++---------
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.h  |   12 +++++++++---
+ drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c |    5 +++--
+ drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c |    5 +++--
+ 4 files changed, 34 insertions(+), 16 deletions(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+@@ -27,7 +27,6 @@
+ #include "vmwgfx_kms.h"
+-
+ /* Might need a hrtimer here? */
+ #define VMWGFX_PRESENT_RATE ((HZ / 60 > 0) ? HZ / 60 : 1)
+@@ -1910,9 +1909,12 @@ void vmw_kms_helper_buffer_finish(struct
+  * Helper to be used if an error forces the caller to undo the actions of
+  * vmw_kms_helper_resource_prepare.
+  */
+-void vmw_kms_helper_resource_revert(struct vmw_resource *res)
++void vmw_kms_helper_resource_revert(struct vmw_validation_ctx *ctx)
+ {
+-      vmw_kms_helper_buffer_revert(res->backup);
++      struct vmw_resource *res = ctx->res;
++
++      vmw_kms_helper_buffer_revert(ctx->buf);
++      vmw_dmabuf_unreference(&ctx->buf);
+       vmw_resource_unreserve(res, false, NULL, 0);
+       mutex_unlock(&res->dev_priv->cmdbuf_mutex);
+ }
+@@ -1929,10 +1931,14 @@ void vmw_kms_helper_resource_revert(stru
+  * interrupted by a signal.
+  */
+ int vmw_kms_helper_resource_prepare(struct vmw_resource *res,
+-                                  bool interruptible)
++                                  bool interruptible,
++                                  struct vmw_validation_ctx *ctx)
+ {
+       int ret = 0;
++      ctx->buf = NULL;
++      ctx->res = res;
++
+       if (interruptible)
+               ret = mutex_lock_interruptible(&res->dev_priv->cmdbuf_mutex);
+       else
+@@ -1951,6 +1957,8 @@ int vmw_kms_helper_resource_prepare(stru
+                                                   res->dev_priv->has_mob);
+               if (ret)
+                       goto out_unreserve;
++
++              ctx->buf = vmw_dmabuf_reference(res->backup);
+       }
+       ret = vmw_resource_validate(res);
+       if (ret)
+@@ -1958,7 +1966,7 @@ int vmw_kms_helper_resource_prepare(stru
+       return 0;
+ out_revert:
+-      vmw_kms_helper_buffer_revert(res->backup);
++      vmw_kms_helper_buffer_revert(ctx->buf);
+ out_unreserve:
+       vmw_resource_unreserve(res, false, NULL, 0);
+ out_unlock:
+@@ -1974,11 +1982,13 @@ out_unlock:
+  * @out_fence: Optional pointer to a fence pointer. If non-NULL, a
+  * ref-counted fence pointer is returned here.
+  */
+-void vmw_kms_helper_resource_finish(struct vmw_resource *res,
+-                           struct vmw_fence_obj **out_fence)
++void vmw_kms_helper_resource_finish(struct vmw_validation_ctx *ctx,
++                                  struct vmw_fence_obj **out_fence)
+ {
+-      if (res->backup || out_fence)
+-              vmw_kms_helper_buffer_finish(res->dev_priv, NULL, res->backup,
++      struct vmw_resource *res = ctx->res;
++
++      if (ctx->buf || out_fence)
++              vmw_kms_helper_buffer_finish(res->dev_priv, NULL, ctx->buf,
+                                            out_fence, NULL);
+       vmw_resource_unreserve(res, false, NULL, 0);
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h
+@@ -180,6 +180,11 @@ struct vmw_display_unit {
+       bool is_implicit;
+ };
++struct vmw_validation_ctx {
++      struct vmw_resource *res;
++      struct vmw_dma_buffer *buf;
++};
++
+ #define vmw_crtc_to_du(x) \
+       container_of(x, struct vmw_display_unit, crtc)
+ #define vmw_connector_to_du(x) \
+@@ -230,9 +235,10 @@ void vmw_kms_helper_buffer_finish(struct
+                                 struct drm_vmw_fence_rep __user *
+                                 user_fence_rep);
+ int vmw_kms_helper_resource_prepare(struct vmw_resource *res,
+-                                  bool interruptible);
+-void vmw_kms_helper_resource_revert(struct vmw_resource *res);
+-void vmw_kms_helper_resource_finish(struct vmw_resource *res,
++                                  bool interruptible,
++                                  struct vmw_validation_ctx *ctx);
++void vmw_kms_helper_resource_revert(struct vmw_validation_ctx *ctx);
++void vmw_kms_helper_resource_finish(struct vmw_validation_ctx *ctx,
+                                   struct vmw_fence_obj **out_fence);
+ int vmw_kms_readback(struct vmw_private *dev_priv,
+                    struct drm_file *file_priv,
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c
+@@ -841,12 +841,13 @@ int vmw_kms_sou_do_surface_dirty(struct
+       struct vmw_framebuffer_surface *vfbs =
+               container_of(framebuffer, typeof(*vfbs), base);
+       struct vmw_kms_sou_surface_dirty sdirty;
++      struct vmw_validation_ctx ctx;
+       int ret;
+       if (!srf)
+               srf = &vfbs->surface->res;
+-      ret = vmw_kms_helper_resource_prepare(srf, true);
++      ret = vmw_kms_helper_resource_prepare(srf, true, &ctx);
+       if (ret)
+               return ret;
+@@ -865,7 +866,7 @@ int vmw_kms_sou_do_surface_dirty(struct
+       ret = vmw_kms_helper_dirty(dev_priv, framebuffer, clips, vclips,
+                                  dest_x, dest_y, num_clips, inc,
+                                  &sdirty.base);
+-      vmw_kms_helper_resource_finish(srf, out_fence);
++      vmw_kms_helper_resource_finish(&ctx, out_fence);
+       return ret;
+ }
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c
+@@ -1003,12 +1003,13 @@ int vmw_kms_stdu_surface_dirty(struct vm
+       struct vmw_framebuffer_surface *vfbs =
+               container_of(framebuffer, typeof(*vfbs), base);
+       struct vmw_stdu_dirty sdirty;
++      struct vmw_validation_ctx ctx;
+       int ret;
+       if (!srf)
+               srf = &vfbs->surface->res;
+-      ret = vmw_kms_helper_resource_prepare(srf, true);
++      ret = vmw_kms_helper_resource_prepare(srf, true, &ctx);
+       if (ret)
+               return ret;
+@@ -1031,7 +1032,7 @@ int vmw_kms_stdu_surface_dirty(struct vm
+                                  dest_x, dest_y, num_clips, inc,
+                                  &sdirty.base);
+ out_finish:
+-      vmw_kms_helper_resource_finish(srf, out_fence);
++      vmw_kms_helper_resource_finish(&ctx, out_fence);
+       return ret;
+ }
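Review bot: The reference taken with `ctx->buf = vmw_dmabuf_reference(res->backup);` in vmw_kms_helper_resource_prepare() is dropped in vmw_kms_helper_resource_revert(), but the lines shown for vmw_kms_helper_resource_finish() never release it, so each successful prepare/finish pair would appear to leak one buffer-object reference. Unless the release sits in the part of the function below the hunk, add `vmw_dmabuf_unreference(&ctx->buf);` after the vmw_kms_helper_buffer_finish() call and before vmw_resource_unreserve(). The `out_revert:` path in prepare also reverts `ctx->buf` without an unreference in the visible lines and deserves the same check.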
diff --git a/queue-4.4/mm-vmalloc-add-interfaces-to-free-unmapped-page-table.patch b/queue-4.4/mm-vmalloc-add-interfaces-to-free-unmapped-page-table.patch
new file mode 100644 (file)
index 0000000..81d17f6
--- /dev/null
@@ -0,0 +1,170 @@
+From b6bdb7517c3d3f41f20e5c2948d6bc3f8897394e Mon Sep 17 00:00:00 2001
+From: Toshi Kani <toshi.kani@hpe.com>
+Date: Thu, 22 Mar 2018 16:17:20 -0700
+Subject: mm/vmalloc: add interfaces to free unmapped page table
+
+From: Toshi Kani <toshi.kani@hpe.com>
+
+commit b6bdb7517c3d3f41f20e5c2948d6bc3f8897394e upstream.
+
+On architectures with CONFIG_HAVE_ARCH_HUGE_VMAP set, ioremap() may
+create pud/pmd mappings.  A kernel panic was observed on arm64 systems
+with Cortex-A75 in the following steps as described by Hanjun Guo.
+
+ 1. ioremap a 4K size, valid page table will build,
+ 2. iounmap it, pte0 will set to 0;
+ 3. ioremap the same address with 2M size, pgd/pmd is unchanged,
+    then set the a new value for pmd;
+ 4. pte0 is leaked;
+ 5. CPU may meet exception because the old pmd is still in TLB,
+    which will lead to kernel panic.
+
+This panic is not reproducible on x86.  INVLPG, called from iounmap,
+purges all levels of entries associated with purged address on x86.  x86
+still has memory leak.
+
+The patch changes the ioremap path to free unmapped page table(s) since
+doing so in the unmap path has the following issues:
+
+ - The iounmap() path is shared with vunmap(). Since vmap() only
+   supports pte mappings, making vunmap() to free a pte page is an
+   overhead for regular vmap users as they do not need a pte page freed
+   up.
+
+ - Checking if all entries in a pte page are cleared in the unmap path
+   is racy, and serializing this check is expensive.
+
+ - The unmap path calls free_vmap_area_noflush() to do lazy TLB purges.
+   Clearing a pud/pmd entry before the lazy TLB purges needs extra TLB
+   purge.
+
+Add two interfaces, pud_free_pmd_page() and pmd_free_pte_page(), which
+clear a given pud/pmd entry and free up a page for the lower level
+entries.
+
+This patch implements their stub functions on x86 and arm64, which work
+as workaround.
+
+[akpm@linux-foundation.org: fix typo in pmd_free_pte_page() stub]
+Link: http://lkml.kernel.org/r/20180314180155.19492-2-toshi.kani@hpe.com
+Fixes: e61ce6ade404e ("mm: change ioremap to set up huge I/O mappings")
+Reported-by: Lei Li <lious.lilei@hisilicon.com>
+Signed-off-by: Toshi Kani <toshi.kani@hpe.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Wang Xuefeng <wxf.wang@hisilicon.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Hanjun Guo <guohanjun@huawei.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Chintan Pandya <cpandya@codeaurora.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/mm/mmu.c           |   10 ++++++++++
+ arch/x86/mm/pgtable.c         |   24 ++++++++++++++++++++++++
+ include/asm-generic/pgtable.h |   10 ++++++++++
+ lib/ioremap.c                 |    6 ++++--
+ 4 files changed, 48 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/mm/mmu.c
++++ b/arch/arm64/mm/mmu.c
+@@ -697,3 +697,13 @@ void *__init fixmap_remap_fdt(phys_addr_
+       return dt_virt;
+ }
++
++int pud_free_pmd_page(pud_t *pud)
++{
++      return pud_none(*pud);
++}
++
++int pmd_free_pte_page(pmd_t *pmd)
++{
++      return pmd_none(*pmd);
++}
+--- a/arch/x86/mm/pgtable.c
++++ b/arch/x86/mm/pgtable.c
+@@ -666,4 +666,28 @@ int pmd_clear_huge(pmd_t *pmd)
+       return 0;
+ }
++
++/**
++ * pud_free_pmd_page - Clear pud entry and free pmd page.
++ * @pud: Pointer to a PUD.
++ *
++ * Context: The pud range has been unmaped and TLB purged.
++ * Return: 1 if clearing the entry succeeded. 0 otherwise.
++ */
++int pud_free_pmd_page(pud_t *pud)
++{
++      return pud_none(*pud);
++}
++
++/**
++ * pmd_free_pte_page - Clear pmd entry and free pte page.
++ * @pmd: Pointer to a PMD.
++ *
++ * Context: The pmd range has been unmaped and TLB purged.
++ * Return: 1 if clearing the entry succeeded. 0 otherwise.
++ */
++int pmd_free_pte_page(pmd_t *pmd)
++{
++      return pmd_none(*pmd);
++}
+ #endif        /* CONFIG_HAVE_ARCH_HUGE_VMAP */
+--- a/include/asm-generic/pgtable.h
++++ b/include/asm-generic/pgtable.h
+@@ -755,6 +755,8 @@ int pud_set_huge(pud_t *pud, phys_addr_t
+ int pmd_set_huge(pmd_t *pmd, phys_addr_t addr, pgprot_t prot);
+ int pud_clear_huge(pud_t *pud);
+ int pmd_clear_huge(pmd_t *pmd);
++int pud_free_pmd_page(pud_t *pud);
++int pmd_free_pte_page(pmd_t *pmd);
+ #else /* !CONFIG_HAVE_ARCH_HUGE_VMAP */
+ static inline int pud_set_huge(pud_t *pud, phys_addr_t addr, pgprot_t prot)
+ {
+@@ -772,6 +774,14 @@ static inline int pmd_clear_huge(pmd_t *
+ {
+       return 0;
+ }
++static inline int pud_free_pmd_page(pud_t *pud)
++{
++      return 0;
++}
++static inline int pmd_free_pte_page(pmd_t *pmd)
++{
++      return 0;
++}
+ #endif        /* CONFIG_HAVE_ARCH_HUGE_VMAP */
+ #endif /* !__ASSEMBLY__ */
+--- a/lib/ioremap.c
++++ b/lib/ioremap.c
+@@ -83,7 +83,8 @@ static inline int ioremap_pmd_range(pud_
+               if (ioremap_pmd_enabled() &&
+                   ((next - addr) == PMD_SIZE) &&
+-                  IS_ALIGNED(phys_addr + addr, PMD_SIZE)) {
++                  IS_ALIGNED(phys_addr + addr, PMD_SIZE) &&
++                  pmd_free_pte_page(pmd)) {
+                       if (pmd_set_huge(pmd, phys_addr + addr, prot))
+                               continue;
+               }
+@@ -109,7 +110,8 @@ static inline int ioremap_pud_range(pgd_
+               if (ioremap_pud_enabled() &&
+                   ((next - addr) == PUD_SIZE) &&
+-                  IS_ALIGNED(phys_addr + addr, PUD_SIZE)) {
++                  IS_ALIGNED(phys_addr + addr, PUD_SIZE) &&
++                  pud_free_pmd_page(pud)) {
+                       if (pud_set_huge(pud, phys_addr + addr, prot))
+                               continue;
+               }
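Review bot: The arm64 stubs added in the arch/arm64/mm/mmu.c hunk have no comment, and the x86 kerneldoc in the arch/x86/mm/pgtable.c hunk says "Clear pud entry and free pmd page" although every body here only returns `pud_none(*pud)` or `pmd_none(*pmd)` and clears or frees nothing. A reader of either file cannot tell that returning 0 for a populated entry is the intended workaround that makes the lib/ioremap.c conditions skip the huge mapping. I would put `/* Stub: frees nothing; succeeds only if the entry is already empty, so the caller skips the huge mapping. */` above each arm64 function and reword the x86 summary lines the same way until a real implementation exists. The kerneldoc Context lines also spell "unmaped" where "unmapped" is meant.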
diff --git a/queue-4.4/mtd-nand-fsl_ifc-fix-nand-waitfunc-return-value.patch b/queue-4.4/mtd-nand-fsl_ifc-fix-nand-waitfunc-return-value.patch
new file mode 100644 (file)
index 0000000..3fbe6c7
--- /dev/null
@@ -0,0 +1,51 @@
+From fa8e6d58c5bc260f4369c6699683d69695daed0a Mon Sep 17 00:00:00 2001
+From: Jagdish Gediya <jagdish.gediya@nxp.com>
+Date: Wed, 21 Mar 2018 04:31:36 +0530
+Subject: mtd: nand: fsl_ifc: Fix nand waitfunc return value
+
+From: Jagdish Gediya <jagdish.gediya@nxp.com>
+
+commit fa8e6d58c5bc260f4369c6699683d69695daed0a upstream.
+
+As per the IFC hardware manual, Most significant 2 bytes in
+nand_fsr register are the outcome of NAND READ STATUS command.
+
+So status value need to be shifted and aligned as per the nand
+framework requirement.
+
+Fixes: 82771882d960 ("NAND Machine support for Integrated Flash Controller")
+Cc: stable@vger.kernel.org # v3.18+
+Signed-off-by: Jagdish Gediya <jagdish.gediya@nxp.com>
+Reviewed-by: Prabhakar Kushwaha <prabhakar.kushwaha@nxp.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/fsl_ifc_nand.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/nand/fsl_ifc_nand.c
++++ b/drivers/mtd/nand/fsl_ifc_nand.c
+@@ -726,6 +726,7 @@ static int fsl_ifc_wait(struct mtd_info
+       struct fsl_ifc_ctrl *ctrl = priv->ctrl;
+       struct fsl_ifc_regs __iomem *ifc = ctrl->regs;
+       u32 nand_fsr;
++      int status;
+       /* Use READ_STATUS command, but wait for the device to be ready */
+       ifc_out32((IFC_FIR_OP_CW0 << IFC_NAND_FIR0_OP0_SHIFT) |
+@@ -740,12 +741,12 @@ static int fsl_ifc_wait(struct mtd_info
+       fsl_ifc_run_command(mtd);
+       nand_fsr = ifc_in32(&ifc->ifc_nand.nand_fsr);
+-
++      status = nand_fsr >> 24;
+       /*
+        * The chip always seems to report that it is
+        * write-protected, even when it is not.
+        */
+-      return nand_fsr | NAND_STATUS_WP;
++      return status | NAND_STATUS_WP;
+ }
+ static int fsl_ifc_read_page(struct mtd_info *mtd, struct nand_chip *chip,
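Review bot: The new `status = nand_fsr >> 24;` in fsl_ifc_wait() keeps only the top 8 bits of the register, while the commit message describes the READ STATUS result as the most significant 2 bytes, and the hunk has no comment saying which is meant. The bare 24 should be explained or given a name, for example `/* READ STATUS result is in the upper bits of nand_fsr; keep the top byte as the NAND status */` directly above the assignment. The assignment also replaced the blank line that separated the register read from the write-protect block comment, so restoring a blank line after it would keep that comment attached to the `return` it describes. fsl_ifc_wait() starts before this hunk.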
diff --git a/queue-4.4/rtlwifi-rtl8723be-fix-loss-of-signal.patch b/queue-4.4/rtlwifi-rtl8723be-fix-loss-of-signal.patch
new file mode 100644 (file)
index 0000000..731629b
--- /dev/null
@@ -0,0 +1,36 @@
+From 78dc897b7ee67205423dbbc6b56be49fb18d15b5 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Thu, 22 Feb 2018 14:28:59 -0600
+Subject: rtlwifi: rtl8723be: Fix loss of signal
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 78dc897b7ee67205423dbbc6b56be49fb18d15b5 upstream.
+
+In commit c713fb071edc ("rtlwifi: rtl8821ae: Fix connection lost problem
+correctly") a problem in rtl8821ae that caused loss of signal was fixed.
+That same problem has now been reported for rtl8723be. Accordingly,
+the ASPM L1 latency has been increased from 0 to 7 to fix the instability.
+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Cc: Stable <stable@vger.kernel.org>
+Tested-by: James Cameron <quozl@laptop.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c
+@@ -1123,7 +1123,8 @@ static void _rtl8723be_enable_aspm_back_
+       /* Configuration Space offset 0x70f BIT7 is used to control L0S */
+       tmp8 = _rtl8723be_dbi_read(rtlpriv, 0x70f);
+-      _rtl8723be_dbi_write(rtlpriv, 0x70f, tmp8 | BIT(7));
++      _rtl8723be_dbi_write(rtlpriv, 0x70f, tmp8 | BIT(7) |
++                           ASPM_L1_LATENCY << 3);
+       /* Configuration Space offset 0x719 Bit3 is for L1
+        * BIT4 is for clock request
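Review bot: The comment above the changed write in _rtl8723be_enable_aspm_back_door() still says only that BIT7 of offset 0x70f controls L0S, but the new value also ORs in `ASPM_L1_LATENCY << 3`. The comment should mention the second field, e.g. `/* Configuration Space offset 0x70f: BIT7 controls L0S, the L1 latency field starts at bit 3 */`, and the shift would read more safely as `(ASPM_L1_LATENCY << 3)`. Because the value is ORed into `tmp8`, bits already set in that field are never cleared; this is harmless for the latency of 7 named in the commit message but would keep stale bits for any smaller value, so masking the field first would be more robust. ASPM_L1_LATENCY is defined outside this hunk, and the function starts and ends outside it.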
index dce24d27b222b33a889b772305eff55224c88d46..ae58c5563cdc3a4e2723a6f1900f7b7cc5a54ad9 100644 (file)
@@ -17,3 +17,17 @@ libata-enable-queued-trim-for-samsung-ssd-860.patch
 libata-apply-nolpm-quirk-to-crucial-m500-480-and-960gb-ssds.patch
 libata-make-crucial-bx100-500gb-lpm-quirk-apply-to-all-firmware-versions.patch
 libata-modify-quirks-for-mx100-to-limit-ncq_trim-quirk-to-mu01-version.patch
+mm-vmalloc-add-interfaces-to-free-unmapped-page-table.patch
+x86-mm-implement-free-pmd-pte-page-interfaces.patch
+drm-vmwgfx-fix-a-destoy-while-held-mutex-problem.patch
+drm-radeon-don-t-turn-off-dp-sink-when-disconnected.patch
+drm-udl-properly-check-framebuffer-mmap-offsets.patch
+acpi-numa-fix-pxm-to-online-numa-node-associations.patch
+brcmfmac-fix-p2p_device-ethernet-address-generation.patch
+rtlwifi-rtl8723be-fix-loss-of-signal.patch
+tracing-probeevent-fix-to-support-minus-offset-from-symbol.patch
+mtd-nand-fsl_ifc-fix-nand-waitfunc-return-value.patch
+staging-ncpfs-memory-corruption-in-ncp_read_kernel.patch
+can-cc770-fix-stalls-on-rt-linux-remove-redundant-irq-ack.patch
+can-cc770-fix-queue-stall-dropped-rtr-reply.patch
+can-cc770-fix-use-after-free-in-cc770_tx_interrupt.patch
diff --git a/queue-4.4/staging-ncpfs-memory-corruption-in-ncp_read_kernel.patch b/queue-4.4/staging-ncpfs-memory-corruption-in-ncp_read_kernel.patch
new file mode 100644 (file)
index 0000000..4cf14fb
--- /dev/null
@@ -0,0 +1,35 @@
+From 4c41aa24baa4ed338241d05494f2c595c885af8f Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 19 Mar 2018 14:07:45 +0300
+Subject: staging: ncpfs: memory corruption in ncp_read_kernel()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 4c41aa24baa4ed338241d05494f2c595c885af8f upstream.
+
+If the server is malicious then *bytes_read could be larger than the
+size of the "target" buffer.  It would lead to memory corruption when we
+do the memcpy().
+
+Reported-by: Dr Silvio Cesare of InfoSect <Silvio Cesare <silvio.cesare@gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ncpfs/ncplib_kernel.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/ncpfs/ncplib_kernel.c
++++ b/fs/ncpfs/ncplib_kernel.c
+@@ -980,6 +980,10 @@ ncp_read_kernel(struct ncp_server *serve
+               goto out;
+       }
+       *bytes_read = ncp_reply_be16(server, 0);
++      if (*bytes_read > to_read) {
++              result = -EINVAL;
++              goto out;
++      }
+       source = ncp_reply_data(server, 2 + (offset & 1));
+       memcpy(target, source, *bytes_read);
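Review bot: The added check in ncp_read_kernel() runs after the server-supplied length has already been stored through `bytes_read`, so on the `-EINVAL` path the caller's variable still holds the oversized value. Adding `*bytes_read = 0;` inside the new branch before `goto out;`, or reading the length into a local and assigning it only after the check, would keep an unvalidated length away from any caller that reads it despite the error. The check bounds the copy by `to_read` only; whether the reply actually holds that many bytes past `ncp_reply_data()` is not visible in this hunk and is worth confirming. The function starts and ends outside the hunk.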
diff --git a/queue-4.4/tracing-probeevent-fix-to-support-minus-offset-from-symbol.patch b/queue-4.4/tracing-probeevent-fix-to-support-minus-offset-from-symbol.patch
new file mode 100644 (file)
index 0000000..602a013
--- /dev/null
@@ -0,0 +1,99 @@
+From c5d343b6b7badd1f5fe0873eff2e8d63a193e732 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Sat, 17 Mar 2018 21:38:10 +0900
+Subject: tracing: probeevent: Fix to support minus offset from symbol
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit c5d343b6b7badd1f5fe0873eff2e8d63a193e732 upstream.
+
+In Documentation/trace/kprobetrace.txt, it says
+
+ @SYM[+|-offs] : Fetch memory at SYM +|- offs (SYM should be a data symbol)
+
+However, the parser doesn't parse minus offset correctly, since
+commit 2fba0c8867af ("tracing/kprobes: Fix probe offset to be
+unsigned") drops minus ("-") offset support for kprobe probe
+address usage.
+
+This fixes the traceprobe_split_symbol_offset() to parse minus
+offset again with checking the offset range, and add a minus
+offset check in kprobe probe address usage.
+
+Link: http://lkml.kernel.org/r/152129028983.31874.13419301530285775521.stgit@devbox
+
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Tom Zanussi <tom.zanussi@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
+Cc: stable@vger.kernel.org
+Fixes: 2fba0c8867af ("tracing/kprobes: Fix probe offset to be unsigned")
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_kprobe.c |    4 ++--
+ kernel/trace/trace_probe.c  |    8 +++-----
+ kernel/trace/trace_probe.h  |    2 +-
+ 3 files changed, 6 insertions(+), 8 deletions(-)
+
+--- a/kernel/trace/trace_kprobe.c
++++ b/kernel/trace/trace_kprobe.c
+@@ -599,7 +599,7 @@ static int create_trace_kprobe(int argc,
+       bool is_return = false, is_delete = false;
+       char *symbol = NULL, *event = NULL, *group = NULL;
+       char *arg;
+-      unsigned long offset = 0;
++      long offset = 0;
+       void *addr = NULL;
+       char buf[MAX_EVENT_NAME_LEN];
+@@ -667,7 +667,7 @@ static int create_trace_kprobe(int argc,
+               symbol = argv[1];
+               /* TODO: support .init module functions */
+               ret = traceprobe_split_symbol_offset(symbol, &offset);
+-              if (ret) {
++              if (ret || offset < 0 || offset > UINT_MAX) {
+                       pr_info("Failed to parse either an address or a symbol.\n");
+                       return ret;
+               }
+--- a/kernel/trace/trace_probe.c
++++ b/kernel/trace/trace_probe.c
+@@ -293,7 +293,7 @@ static fetch_func_t get_fetch_size_funct
+ }
+ /* Split symbol and offset. */
+-int traceprobe_split_symbol_offset(char *symbol, unsigned long *offset)
++int traceprobe_split_symbol_offset(char *symbol, long *offset)
+ {
+       char *tmp;
+       int ret;
+@@ -301,13 +301,11 @@ int traceprobe_split_symbol_offset(char
+       if (!offset)
+               return -EINVAL;
+-      tmp = strchr(symbol, '+');
++      tmp = strpbrk(symbol, "+-");
+       if (tmp) {
+-              /* skip sign because kstrtoul doesn't accept '+' */
+-              ret = kstrtoul(tmp + 1, 0, offset);
++              ret = kstrtol(tmp, 0, offset);
+               if (ret)
+                       return ret;
+-
+               *tmp = '\0';
+       } else
+               *offset = 0;
+--- a/kernel/trace/trace_probe.h
++++ b/kernel/trace/trace_probe.h
+@@ -335,7 +335,7 @@ extern int traceprobe_conflict_field_nam
+ extern void traceprobe_update_arg(struct probe_arg *arg);
+ extern void traceprobe_free_probe_arg(struct probe_arg *arg);
+-extern int traceprobe_split_symbol_offset(char *symbol, unsigned long *offset);
++extern int traceprobe_split_symbol_offset(char *symbol, long *offset);
+ extern ssize_t traceprobe_probes_write(struct file *file,
+               const char __user *buffer, size_t count, loff_t *ppos,
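Review bot: In the second kernel/trace/trace_kprobe.c hunk the widened condition `if (ret || offset < 0 || offset > UINT_MAX)` still ends in `return ret;`, so when parsing succeeds but the offset is negative or too large the function logs a failure and returns 0. The branch should return an error in that case, e.g. `return ret ? ret : -EINVAL;`. Where long is 32 bits wide the `offset > UINT_MAX` comparison can never be true, which is harmless but deserves a short comment. create_trace_kprobe() starts and ends outside the hunk.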
diff --git a/queue-4.4/x86-mm-implement-free-pmd-pte-page-interfaces.patch b/queue-4.4/x86-mm-implement-free-pmd-pte-page-interfaces.patch
new file mode 100644 (file)
index 0000000..c4392ea
--- /dev/null
@@ -0,0 +1,77 @@
+From 28ee90fe6048fa7b7ceaeb8831c0e4e454a4cf89 Mon Sep 17 00:00:00 2001
+From: Toshi Kani <toshi.kani@hpe.com>
+Date: Thu, 22 Mar 2018 16:17:24 -0700
+Subject: x86/mm: implement free pmd/pte page interfaces
+
+From: Toshi Kani <toshi.kani@hpe.com>
+
+commit 28ee90fe6048fa7b7ceaeb8831c0e4e454a4cf89 upstream.
+
+Implement pud_free_pmd_page() and pmd_free_pte_page() on x86, which
+clear a given pud/pmd entry and free up lower level page table(s).
+
+The address range associated with the pud/pmd entry must have been
+purged by INVLPG.
+
+Link: http://lkml.kernel.org/r/20180314180155.19492-3-toshi.kani@hpe.com
+Fixes: e61ce6ade404e ("mm: change ioremap to set up huge I/O mappings")
+Signed-off-by: Toshi Kani <toshi.kani@hpe.com>
+Reported-by: Lei Li <lious.lilei@hisilicon.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/mm/pgtable.c |   28 ++++++++++++++++++++++++++--
+ 1 file changed, 26 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/mm/pgtable.c
++++ b/arch/x86/mm/pgtable.c
+@@ -676,7 +676,22 @@ int pmd_clear_huge(pmd_t *pmd)
+  */
+ int pud_free_pmd_page(pud_t *pud)
+ {
+-      return pud_none(*pud);
++      pmd_t *pmd;
++      int i;
++
++      if (pud_none(*pud))
++              return 1;
++
++      pmd = (pmd_t *)pud_page_vaddr(*pud);
++
++      for (i = 0; i < PTRS_PER_PMD; i++)
++              if (!pmd_free_pte_page(&pmd[i]))
++                      return 0;
++
++      pud_clear(pud);
++      free_page((unsigned long)pmd);
++
++      return 1;
+ }
+ /**
+@@ -688,6 +703,15 @@ int pud_free_pmd_page(pud_t *pud)
+  */
+ int pmd_free_pte_page(pmd_t *pmd)
+ {
+-      return pmd_none(*pmd);
++      pte_t *pte;
++
++      if (pmd_none(*pmd))
++              return 1;
++
++      pte = (pte_t *)pmd_page_vaddr(*pmd);
++      pmd_clear(pmd);
++      free_page((unsigned long)pte);
++
++      return 1;
+ }
+ #endif        /* CONFIG_HAVE_ARCH_HUGE_VMAP */
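Review bot: Both new bodies in arch/x86/mm/pgtable.c clear the entry and call `free_page()` on the lower-level table immediately, with no TLB or paging-structure flush in between, so safety rests entirely on the kerneldoc Context line saying the range was already unmapped and purged. Nothing in the functions checks that precondition, and pmd_free_pte_page() does not test whether the entry is a huge mapping before treating `pmd_page_vaddr(*pmd)` as a pte page. If a caller ever breaks either assumption, a freed page could still be reachable as a page table, so I would state it at the point of use, e.g. `/* No flush here: caller must have unmapped and TLB-purged the range, and the entry must point to a pte page. */` above `pmd_clear(pmd);`. In pud_free_pmd_page() the `return 0` inside the loop is unreachable as written, because pmd_free_pte_page() returns 1 on every path shown.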