4.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 7 Sep 2018 08:59:16 +0000 (10:59 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 7 Sep 2018 08:59:16 +0000 (10:59 +0200)
added patches:
blkcg-introduce-blkg_root_lookup.patch
block-blk_init_allocated_queue-set-q-fq-as-null-in-the-fail-case.patch
block-ensure-that-a-request-queue-is-dissociated-from-the-cgroup-controller.patch
block-fix-infinite-loop-if-the-device-loses-discard-capability.patch
block-introduce-blk_exit_queue.patch
block-really-disable-runtime-pm-for-blk-mq.patch
mmc-block-fix-unsupported-parallel-dispatch-of-requests.patch
mmc-renesas_sdhi_internal_dmac-fix-define-rst_reserved_bits.patch
mmc-renesas_sdhi_internal_dmac-mask-dmac-interrupts.patch
readahead-stricter-check-for-bdi-io_pages.patch
spi-cadence-change-usleep_range-to-udelay-for-atomic-context.patch
spi-davinci-fix-a-null-pointer-dereference.patch
spi-pxa2xx-add-support-for-intel-ice-lake.patch
spi-spi-fsl-dspi-fix-imprecise-abort-on-vf500-during-probe.patch

15 files changed:
queue-4.18/blkcg-introduce-blkg_root_lookup.patch [new file with mode: 0644]
queue-4.18/block-blk_init_allocated_queue-set-q-fq-as-null-in-the-fail-case.patch [new file with mode: 0644]
queue-4.18/block-ensure-that-a-request-queue-is-dissociated-from-the-cgroup-controller.patch [new file with mode: 0644]
queue-4.18/block-fix-infinite-loop-if-the-device-loses-discard-capability.patch [new file with mode: 0644]
queue-4.18/block-introduce-blk_exit_queue.patch [new file with mode: 0644]
queue-4.18/block-really-disable-runtime-pm-for-blk-mq.patch [new file with mode: 0644]
queue-4.18/mmc-block-fix-unsupported-parallel-dispatch-of-requests.patch [new file with mode: 0644]
queue-4.18/mmc-renesas_sdhi_internal_dmac-fix-define-rst_reserved_bits.patch [new file with mode: 0644]
queue-4.18/mmc-renesas_sdhi_internal_dmac-mask-dmac-interrupts.patch [new file with mode: 0644]
queue-4.18/readahead-stricter-check-for-bdi-io_pages.patch [new file with mode: 0644]
queue-4.18/series
queue-4.18/spi-cadence-change-usleep_range-to-udelay-for-atomic-context.patch [new file with mode: 0644]
queue-4.18/spi-davinci-fix-a-null-pointer-dereference.patch [new file with mode: 0644]
queue-4.18/spi-pxa2xx-add-support-for-intel-ice-lake.patch [new file with mode: 0644]
queue-4.18/spi-spi-fsl-dspi-fix-imprecise-abort-on-vf500-during-probe.patch [new file with mode: 0644]

diff --git a/queue-4.18/blkcg-introduce-blkg_root_lookup.patch b/queue-4.18/blkcg-introduce-blkg_root_lookup.patch
new file mode 100644 (file)
index 0000000..2cb0000
--- /dev/null
@@ -0,0 +1,63 @@
+From 6bad9b210a228d2fe0e0efe26d9b115348529cee Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Thu, 9 Aug 2018 07:53:36 -0700
+Subject: blkcg: Introduce blkg_root_lookup()
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+commit 6bad9b210a228d2fe0e0efe26d9b115348529cee upstream.
+
+This new function will be used in a later patch to verify whether a
+queue has been dissociated from the cgroup controller before being
+released.
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Ming Lei <ming.lei@redhat.com>
+Cc: Omar Sandoval <osandov@fb.com>
+Cc: Johannes Thumshirn <jthumshirn@suse.de>
+Cc: Alexandru Moise <00moses.alexander00@gmail.com>
+Cc: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/blk-cgroup.h |   18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/include/linux/blk-cgroup.h
++++ b/include/linux/blk-cgroup.h
+@@ -296,6 +296,23 @@ static inline struct blkcg_gq *blkg_look
+ }
+ /**
++ * blkg_lookup - look up blkg for the specified request queue
++ * @q: request_queue of interest
++ *
++ * Lookup blkg for @q at the root level. See also blkg_lookup().
++ */
++static inline struct blkcg_gq *blkg_root_lookup(struct request_queue *q)
++{
++      struct blkcg_gq *blkg;
++
++      rcu_read_lock();
++      blkg = blkg_lookup(&blkcg_root, q);
++      rcu_read_unlock();
++
++      return blkg;
++}
++
++/**
+  * blkg_to_pdata - get policy private data
+  * @blkg: blkg of interest
+  * @pol: policy of interest
+@@ -737,6 +754,7 @@ struct blkcg_policy {
+ #ifdef CONFIG_BLOCK
+ static inline struct blkcg_gq *blkg_lookup(struct blkcg *blkcg, void *key) { return NULL; }
++static inline struct blkcg_gq *blkg_root_lookup(struct request_queue *q) { return NULL; }
+ static inline int blkcg_init_queue(struct request_queue *q) { return 0; }
+ static inline void blkcg_drain_queue(struct request_queue *q) { }
+ static inline void blkcg_exit_queue(struct request_queue *q) { }
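Review bot: The kernel-doc header added for blkg_root_lookup() names the wrong function: its first line reads `blkg_lookup - look up blkg for the specified request queue` and should read `blkg_root_lookup - look up the root blkg for the specified request queue`. The function also calls rcu_read_unlock() before `return blkg;`, so the pointer it returns is no longer covered by that read-side section. The comment should say so, for example `* The result is not protected once this function returns; callers without their own protection may only test it against NULL.`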
diff --git a/queue-4.18/block-blk_init_allocated_queue-set-q-fq-as-null-in-the-fail-case.patch b/queue-4.18/block-blk_init_allocated_queue-set-q-fq-as-null-in-the-fail-case.patch
new file mode 100644 (file)
index 0000000..e506738
--- /dev/null
@@ -0,0 +1,45 @@
+From 54648cf1ec2d7f4b6a71767799c45676a138ca24 Mon Sep 17 00:00:00 2001
+From: xiao jin <jin.xiao@intel.com>
+Date: Mon, 30 Jul 2018 14:11:12 +0800
+Subject: block: blk_init_allocated_queue() set q->fq as NULL in the fail case
+
+From: xiao jin <jin.xiao@intel.com>
+
+commit 54648cf1ec2d7f4b6a71767799c45676a138ca24 upstream.
+
+We find the memory use-after-free issue in __blk_drain_queue()
+on the kernel 4.14. After read the latest kernel 4.18-rc6 we
+think it has the same problem.
+
+Memory is allocated for q->fq in the blk_init_allocated_queue().
+If the elevator init function called with error return, it will
+run into the fail case to free the q->fq.
+
+Then the __blk_drain_queue() uses the same memory after the free
+of the q->fq, it will lead to the unpredictable event.
+
+The patch is to set q->fq as NULL in the fail case of
+blk_init_allocated_queue().
+
+Fixes: commit 7c94e1c157a2 ("block: introduce blk_flush_queue to drive flush machinery")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
+Signed-off-by: xiao jin <jin.xiao@intel.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-core.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -1180,6 +1180,7 @@ out_exit_flush_rq:
+               q->exit_rq_fn(q, q->fq->flush_rq);
+ out_free_flush_queue:
+       blk_free_flush_queue(q->fq);
++      q->fq = NULL;
+       return -ENOMEM;
+ }
+ EXPORT_SYMBOL(blk_init_allocated_queue);
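Review bot: The added `q->fq = NULL;` has no comment saying which later reader it protects, and it only helps if that reader tests the pointer before using it. The commit message names __blk_drain_queue(), which is outside this hunk, so it is worth confirming that every q->fq dereference on the teardown path checks for NULL. A comment such as `/* q remains reachable until release; clear fq so teardown cannot touch the freed flush queue */` would stop the assignment from later being removed as dead code. blk_init_allocated_queue() starts outside the hunk.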
diff --git a/queue-4.18/block-ensure-that-a-request-queue-is-dissociated-from-the-cgroup-controller.patch b/queue-4.18/block-ensure-that-a-request-queue-is-dissociated-from-the-cgroup-controller.patch
new file mode 100644 (file)
index 0000000..122fd45
--- /dev/null
@@ -0,0 +1,72 @@
+From 24ecc3585348b616993a3c4d6dc2c6b8007e358c Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Thu, 9 Aug 2018 07:53:38 -0700
+Subject: block: Ensure that a request queue is dissociated from the cgroup controller
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+commit 24ecc3585348b616993a3c4d6dc2c6b8007e358c upstream.
+
+Several block drivers call alloc_disk() followed by put_disk() if
+something fails before device_add_disk() is called without calling
+blk_cleanup_queue(). Make sure that also for this scenario a request
+queue is dissociated from the cgroup controller. This patch avoids
+that loading the parport_pc, paride and pf drivers triggers the
+following kernel crash:
+
+BUG: KASAN: null-ptr-deref in pi_init+0x42e/0x580 [paride]
+Read of size 4 at addr 0000000000000008 by task modprobe/744
+Call Trace:
+dump_stack+0x9a/0xeb
+kasan_report+0x139/0x350
+pi_init+0x42e/0x580 [paride]
+pf_init+0x2bb/0x1000 [pf]
+do_one_initcall+0x8e/0x405
+do_init_module+0xd9/0x2f2
+load_module+0x3ab4/0x4700
+SYSC_finit_module+0x176/0x1a0
+do_syscall_64+0xee/0x2b0
+entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+Reported-by: Alexandru Moise <00moses.alexander00@gmail.com>
+Fixes: a063057d7c73 ("block: Fix a race between request queue removal and the block cgroup controller") # v4.17
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Tested-by: Alexandru Moise <00moses.alexander00@gmail.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Ming Lei <ming.lei@redhat.com>
+Cc: Alexandru Moise <00moses.alexander00@gmail.com>
+Cc: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-sysfs.c |   15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/block/blk-sysfs.c
++++ b/block/blk-sysfs.c
+@@ -804,6 +804,21 @@ static void __blk_release_queue(struct w
+               blk_stat_remove_callback(q, q->poll_cb);
+       blk_stat_free_callback(q->poll_cb);
++      if (!blk_queue_dead(q)) {
++              /*
++               * Last reference was dropped without having called
++               * blk_cleanup_queue().
++               */
++              WARN_ONCE(blk_queue_init_done(q),
++                        "request queue %p has been registered but blk_cleanup_queue() has not been called for that queue\n",
++                        q);
++              blk_exit_queue(q);
++      }
++
++      WARN(blkg_root_lookup(q),
++           "request queue %p is being released but it has not yet been removed from the blkcg controller\n",
++           q);
++
+       blk_free_queue_stats(q->stats);
+       blk_exit_rl(q, &q->root_rl);
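Review bot: The second check uses `WARN()` while the first uses `WARN_ONCE()`, so every queue released while still attached to the blkcg controller prints a full backtrace. On a system configured to panic on warnings, each such release is fatal. If the condition is meant as a one-time diagnostic, `WARN_ONCE(blkg_root_lookup(q), ...)` would match the check above it. If a report per queue is intended, a short comment saying so would help. __blk_release_queue() starts and ends outside the hunk.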
diff --git a/queue-4.18/block-fix-infinite-loop-if-the-device-loses-discard-capability.patch b/queue-4.18/block-fix-infinite-loop-if-the-device-loses-discard-capability.patch
new file mode 100644 (file)
index 0000000..2f8e44e
--- /dev/null
@@ -0,0 +1,53 @@
+From b88aef36b87c9787a4db724923ec4f57dfd513f3 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 3 Jul 2018 13:34:22 -0400
+Subject: block: fix infinite loop if the device loses discard capability
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit b88aef36b87c9787a4db724923ec4f57dfd513f3 upstream.
+
+If __blkdev_issue_discard is in progress and a device mapper device is
+reloaded with a table that doesn't support discard,
+q->limits.max_discard_sectors is set to zero. This results in infinite
+loop in __blkdev_issue_discard.
+
+This patch checks if max_discard_sectors is zero and aborts with
+-EOPNOTSUPP.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Tested-by: Zdenek Kabelac <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-lib.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/block/blk-lib.c
++++ b/block/blk-lib.c
+@@ -68,6 +68,8 @@ int __blkdev_issue_discard(struct block_
+                */
+               req_sects = min_t(sector_t, nr_sects,
+                                       q->limits.max_discard_sectors);
++              if (!req_sects)
++                      goto fail;
+               if (req_sects > UINT_MAX >> 9)
+                       req_sects = UINT_MAX >> 9;
+@@ -105,6 +107,14 @@ int __blkdev_issue_discard(struct block_
+       *biop = bio;
+       return 0;
++
++fail:
++      if (bio) {
++              submit_bio_wait(bio);
++              bio_put(bio);
++      }
++      *biop = NULL;
++      return -EOPNOTSUPP;
+ }
+ EXPORT_SYMBOL(__blkdev_issue_discard);
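Review bot: The new `fail:` path ignores the return value of `submit_bio_wait(bio)`, so an I/O error from discards chained before the limit dropped to zero is reported to the caller only as -EOPNOTSUPP. If that is intentional, say so next to the call, e.g. `/* result ignored: the caller is told the device no longer supports discard */`. The `if (!req_sects)` test would also benefit from a why-comment such as `/* max_discard_sectors can become 0 while we loop (dm table reload); stop instead of spinning */`, since nothing in the code hints that the limit can change mid-loop. The function body starts outside the hunk.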
diff --git a/queue-4.18/block-introduce-blk_exit_queue.patch b/queue-4.18/block-introduce-blk_exit_queue.patch
new file mode 100644 (file)
index 0000000..22e35d1
--- /dev/null
@@ -0,0 +1,107 @@
+From 4cf6324b17e96b7b7ab4021c6929500934d46750 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Thu, 9 Aug 2018 07:53:37 -0700
+Subject: block: Introduce blk_exit_queue()
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+commit 4cf6324b17e96b7b7ab4021c6929500934d46750 upstream.
+
+This patch does not change any functionality.
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Ming Lei <ming.lei@redhat.com>
+Cc: Omar Sandoval <osandov@fb.com>
+Cc: Alexandru Moise <00moses.alexander00@gmail.com>
+Cc: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-core.c |   54 ++++++++++++++++++++++++++++++------------------------
+ block/blk.h      |    1 +
+ 2 files changed, 31 insertions(+), 24 deletions(-)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -715,6 +715,35 @@ void blk_set_queue_dying(struct request_
+ }
+ EXPORT_SYMBOL_GPL(blk_set_queue_dying);
++/* Unconfigure the I/O scheduler and dissociate from the cgroup controller. */
++void blk_exit_queue(struct request_queue *q)
++{
++      /*
++       * Since the I/O scheduler exit code may access cgroup information,
++       * perform I/O scheduler exit before disassociating from the block
++       * cgroup controller.
++       */
++      if (q->elevator) {
++              ioc_clear_queue(q);
++              elevator_exit(q, q->elevator);
++              q->elevator = NULL;
++      }
++
++      /*
++       * Remove all references to @q from the block cgroup controller before
++       * restoring @q->queue_lock to avoid that restoring this pointer causes
++       * e.g. blkcg_print_blkgs() to crash.
++       */
++      blkcg_exit_queue(q);
++
++      /*
++       * Since the cgroup code may dereference the @q->backing_dev_info
++       * pointer, only decrease its reference count after having removed the
++       * association with the block cgroup controller.
++       */
++      bdi_put(q->backing_dev_info);
++}
++
+ /**
+  * blk_cleanup_queue - shutdown a request queue
+  * @q: request queue to shutdown
+@@ -780,30 +809,7 @@ void blk_cleanup_queue(struct request_qu
+        */
+       WARN_ON_ONCE(q->kobj.state_in_sysfs);
+-      /*
+-       * Since the I/O scheduler exit code may access cgroup information,
+-       * perform I/O scheduler exit before disassociating from the block
+-       * cgroup controller.
+-       */
+-      if (q->elevator) {
+-              ioc_clear_queue(q);
+-              elevator_exit(q, q->elevator);
+-              q->elevator = NULL;
+-      }
+-
+-      /*
+-       * Remove all references to @q from the block cgroup controller before
+-       * restoring @q->queue_lock to avoid that restoring this pointer causes
+-       * e.g. blkcg_print_blkgs() to crash.
+-       */
+-      blkcg_exit_queue(q);
+-
+-      /*
+-       * Since the cgroup code may dereference the @q->backing_dev_info
+-       * pointer, only decrease its reference count after having removed the
+-       * association with the block cgroup controller.
+-       */
+-      bdi_put(q->backing_dev_info);
++      blk_exit_queue(q);
+       if (q->mq_ops)
+               blk_mq_free_queue(q);
+--- a/block/blk.h
++++ b/block/blk.h
+@@ -130,6 +130,7 @@ void blk_free_flush_queue(struct blk_flu
+ int blk_init_rl(struct request_list *rl, struct request_queue *q,
+               gfp_t gfp_mask);
+ void blk_exit_rl(struct request_queue *q, struct request_list *rl);
++void blk_exit_queue(struct request_queue *q);
+ void blk_rq_bio_prep(struct request_queue *q, struct request *rq,
+                       struct bio *bio);
+ void blk_queue_bypass_start(struct request_queue *q);
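Review bot: blk_exit_queue() is exported to the rest of the block layer through blk.h with only a one-line comment, and nothing states that it must run at most once per queue. The elevator teardown is guarded by `if (q->elevator)` and clears the pointer, but `bdi_put(q->backing_dev_info)` is unconditional, so a second call would drop an extra reference. Suggest extending the header comment with `Must be called exactly once per queue; the bdi reference is dropped unconditionally.` so that new callers know they need their own guard.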
diff --git a/queue-4.18/block-really-disable-runtime-pm-for-blk-mq.patch b/queue-4.18/block-really-disable-runtime-pm-for-blk-mq.patch
new file mode 100644 (file)
index 0000000..c337c9d
--- /dev/null
@@ -0,0 +1,48 @@
+From b233f127042dba991229e3882c6217c80492f6ef Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Mon, 30 Jul 2018 20:02:19 +0800
+Subject: block: really disable runtime-pm for blk-mq
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit b233f127042dba991229e3882c6217c80492f6ef upstream.
+
+Runtime PM isn't ready for blk-mq yet, and commit 765e40b675a9 ("block:
+disable runtime-pm for blk-mq") tried to disable it. Unfortunately,
+it can't take effect in that way since user space still can switch
+it on via 'echo auto > /sys/block/sdN/device/power/control'.
+
+This patch disables runtime-pm for blk-mq really by pm_runtime_disable()
+and fixes all kinds of PM related kernel crash.
+
+Cc: Tomas Janousek <tomi@nomi.cz>
+Cc: Przemek Socha <soprwa@gmail.com>
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Tested-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-core.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -3764,9 +3764,11 @@ EXPORT_SYMBOL(blk_finish_plug);
+  */
+ void blk_pm_runtime_init(struct request_queue *q, struct device *dev)
+ {
+-      /* not support for RQF_PM and ->rpm_status in blk-mq yet */
+-      if (q->mq_ops)
++      /* Don't enable runtime PM for blk-mq until it is ready */
++      if (q->mq_ops) {
++              pm_runtime_disable(dev);
+               return;
++      }
+       q->dev = dev;
+       q->rpm_status = RPM_ACTIVE;
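Review bot: The replacement comment `Don't enable runtime PM for blk-mq until it is ready` does not explain why an explicit `pm_runtime_disable(dev)` is needed; only the commit message does (user space can otherwise switch it on through the device's power/control attribute). Suggest `/* blk-mq does not support runtime PM yet; disable it on the device so it cannot be turned on from sysfs */`. pm_runtime_disable() is counted and no matching pm_runtime_enable() is visible in this hunk, so it is worth confirming that nothing on the blk-mq teardown path needs to rebalance it.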
diff --git a/queue-4.18/mmc-block-fix-unsupported-parallel-dispatch-of-requests.patch b/queue-4.18/mmc-block-fix-unsupported-parallel-dispatch-of-requests.patch
new file mode 100644 (file)
index 0000000..d39168b
--- /dev/null
@@ -0,0 +1,83 @@
+From 26caddf274cf1e89fd4ce44ab2b8dbc7a7f97681 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Tue, 21 Aug 2018 15:05:55 +0300
+Subject: mmc: block: Fix unsupported parallel dispatch of requests
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 26caddf274cf1e89fd4ce44ab2b8dbc7a7f97681 upstream.
+
+The mmc block driver does not support parallel dispatch of requests. In
+normal circumstances, all requests are anyway funneled through a single
+work item, so parallel dispatch never happens. However it can happen if
+there is no elevator.
+
+Fix that by detecting if a dispatch is in progress and returning busy
+(BLK_STS_RESOURCE) in that case
+
+Fixes: 81196976ed94 ("mmc: block: Add blk-mq support")
+Cc: stable@vger.kernel.org # v4.16+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/core/queue.c |   12 +++++++-----
+ drivers/mmc/core/queue.h |    1 +
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/mmc/core/queue.c
++++ b/drivers/mmc/core/queue.c
+@@ -238,10 +238,6 @@ static void mmc_mq_exit_request(struct b
+       mmc_exit_request(mq->queue, req);
+ }
+-/*
+- * We use BLK_MQ_F_BLOCKING and have only 1 hardware queue, which means requests
+- * will not be dispatched in parallel.
+- */
+ static blk_status_t mmc_mq_queue_rq(struct blk_mq_hw_ctx *hctx,
+                                   const struct blk_mq_queue_data *bd)
+ {
+@@ -264,7 +260,7 @@ static blk_status_t mmc_mq_queue_rq(stru
+       spin_lock_irq(q->queue_lock);
+-      if (mq->recovery_needed) {
++      if (mq->recovery_needed || mq->busy) {
+               spin_unlock_irq(q->queue_lock);
+               return BLK_STS_RESOURCE;
+       }
+@@ -291,6 +287,9 @@ static blk_status_t mmc_mq_queue_rq(stru
+               break;
+       }
++      /* Parallel dispatch of requests is not supported at the moment */
++      mq->busy = true;
++
+       mq->in_flight[issue_type] += 1;
+       get_card = (mmc_tot_in_flight(mq) == 1);
+       cqe_retune_ok = (mmc_cqe_qcnt(mq) == 1);
+@@ -333,9 +332,12 @@ static blk_status_t mmc_mq_queue_rq(stru
+               mq->in_flight[issue_type] -= 1;
+               if (mmc_tot_in_flight(mq) == 0)
+                       put_card = true;
++              mq->busy = false;
+               spin_unlock_irq(q->queue_lock);
+               if (put_card)
+                       mmc_put_card(card, &mq->ctx);
++      } else {
++              WRITE_ONCE(mq->busy, false);
+       }
+       return ret;
+--- a/drivers/mmc/core/queue.h
++++ b/drivers/mmc/core/queue.h
+@@ -81,6 +81,7 @@ struct mmc_queue {
+       unsigned int            cqe_busy;
+ #define MMC_CQE_DCMD_BUSY     BIT(0)
+ #define MMC_CQE_QUEUE_FULL    BIT(1)
++      bool                    busy;
+       bool                    use_cqe;
+       bool                    recovery_needed;
+       bool                    in_recovery;
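Review bot: The new `busy` flag is accessed under mixed rules: the test `mq->recovery_needed || mq->busy` and the error-path `mq->busy = false;` sit between spin_lock_irq() and spin_unlock_irq() on q->queue_lock, while the success path clears it with `WRITE_ONCE(mq->busy, false);` outside the lock. The locked reader uses a plain load, so the lock does not order it against that lockless store. Either read it with `READ_ONCE(mq->busy)` or document why the race is harmless. The field itself has no comment; something like `bool busy; /* a dispatch is in progress in mmc_mq_queue_rq(); cleared without queue_lock on success */` would record the rule. Whether the lock is still held at `mq->busy = true;` cannot be seen from this hunk.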
diff --git a/queue-4.18/mmc-renesas_sdhi_internal_dmac-fix-define-rst_reserved_bits.patch b/queue-4.18/mmc-renesas_sdhi_internal_dmac-fix-define-rst_reserved_bits.patch
new file mode 100644 (file)
index 0000000..2bace29
--- /dev/null
@@ -0,0 +1,34 @@
+From 9faf870e559a710c44e747ba20383ea82d8ac5d2 Mon Sep 17 00:00:00 2001
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Date: Wed, 22 Aug 2018 21:28:01 +0300
+Subject: mmc: renesas_sdhi_internal_dmac: fix #define RST_RESERVED_BITS
+
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+
+commit 9faf870e559a710c44e747ba20383ea82d8ac5d2 upstream.
+
+The DM_CM_RST register actually has bits 0-31 defaulting to 1s and bits
+32-63 defaulting to 0s -- fix off-by-one in #define RST_RESERVED_BITS.
+
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Fixes: 2a68ea7896e3 ("mmc: renesas-sdhi: add support for R-Car Gen3 SDHI DMAC")
+Cc: stable@vger.kernel.org # v4.14+
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/renesas_sdhi_internal_dmac.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/renesas_sdhi_internal_dmac.c
++++ b/drivers/mmc/host/renesas_sdhi_internal_dmac.c
+@@ -45,7 +45,7 @@
+ /* DM_CM_RST */
+ #define RST_DTRANRST1         BIT(9)
+ #define RST_DTRANRST0         BIT(8)
+-#define RST_RESERVED_BITS     GENMASK_ULL(32, 0)
++#define RST_RESERVED_BITS     GENMASK_ULL(31, 0)
+ /* DM_CM_INFO1 and DM_CM_INFO1_MASK */
+ #define INFO1_CLEAR           0
diff --git a/queue-4.18/mmc-renesas_sdhi_internal_dmac-mask-dmac-interrupts.patch b/queue-4.18/mmc-renesas_sdhi_internal_dmac-mask-dmac-interrupts.patch
new file mode 100644 (file)
index 0000000..48fb3ce
--- /dev/null
@@ -0,0 +1,54 @@
+From d2332f887ddfba50fee93b8e1736376517c2df0c Mon Sep 17 00:00:00 2001
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Date: Wed, 22 Aug 2018 21:22:26 +0300
+Subject: mmc: renesas_sdhi_internal_dmac: mask DMAC interrupts
+
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+
+commit d2332f887ddfba50fee93b8e1736376517c2df0c upstream.
+
+I have encountered an interrupt storm during the eMMC chip probing (and
+the chip finally didn't get detected).  It turned out that U-Boot left
+the SDHI DMA interrupts enabled while the Linux driver didn't use those.
+Masking those interrupts in renesas_sdhi_internal_dmac_request_dma() gets
+rid of both issues...
+
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Fixes: 2a68ea7896e3 ("mmc: renesas-sdhi: add support for R-Car Gen3 SDHI DMAC")
+Cc: stable@vger.kernel.org # v4.14+
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/renesas_sdhi_internal_dmac.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/mmc/host/renesas_sdhi_internal_dmac.c
++++ b/drivers/mmc/host/renesas_sdhi_internal_dmac.c
+@@ -49,10 +49,12 @@
+ /* DM_CM_INFO1 and DM_CM_INFO1_MASK */
+ #define INFO1_CLEAR           0
++#define INFO1_MASK_CLEAR      GENMASK_ULL(31, 0)
+ #define INFO1_DTRANEND1               BIT(17)
+ #define INFO1_DTRANEND0               BIT(16)
+ /* DM_CM_INFO2 and DM_CM_INFO2_MASK */
++#define INFO2_MASK_CLEAR      GENMASK_ULL(31, 0)
+ #define INFO2_DTRANERR1               BIT(17)
+ #define INFO2_DTRANERR0               BIT(16)
+@@ -236,6 +238,12 @@ renesas_sdhi_internal_dmac_request_dma(s
+ {
+       struct renesas_sdhi *priv = host_to_priv(host);
++      /* Disable DMAC interrupts, we don't use them */
++      renesas_sdhi_internal_dmac_dm_write(host, DM_CM_INFO1_MASK,
++                                          INFO1_MASK_CLEAR);
++      renesas_sdhi_internal_dmac_dm_write(host, DM_CM_INFO2_MASK,
++                                          INFO2_MASK_CLEAR);
++
+       /* Each value is set to non-zero to assume "enabling" each DMA */
+       host->chan_rx = host->chan_tx = (void *)0xdeadbeaf;
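Review bot: The names `INFO1_MASK_CLEAR` and `INFO2_MASK_CLEAR` read as "clear the mask", yet the code writes them to DM_CM_INFO1_MASK and DM_CM_INFO2_MASK to disable every DMAC interrupt, according to the added comment and the commit message. A short comment on the defines, e.g. `/* all ones: every interrupt source masked */`, or a name such as `INFO1_MASK_ALL`, would remove the ambiguity. The two writes happen in renesas_sdhi_internal_dmac_request_dma(); whether an interrupt handler can already be registered at that point is not visible here.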
diff --git a/queue-4.18/readahead-stricter-check-for-bdi-io_pages.patch b/queue-4.18/readahead-stricter-check-for-bdi-io_pages.patch
new file mode 100644 (file)
index 0000000..d61610c
--- /dev/null
@@ -0,0 +1,60 @@
+From dc30b96ab6d569060741572cf30517d3179429a8 Mon Sep 17 00:00:00 2001
+From: Markus Stockhausen <stockhausen@collogia.de>
+Date: Fri, 27 Jul 2018 09:09:53 -0600
+Subject: readahead: stricter check for bdi io_pages
+
+From: Markus Stockhausen <stockhausen@collogia.de>
+
+commit dc30b96ab6d569060741572cf30517d3179429a8 upstream.
+
+ondemand_readahead() checks bdi->io_pages to cap the maximum pages
+that need to be processed. This works until the readit section. If
+we would do an async only readahead (async size = sync size) and
+target is at beginning of window we expand the pages by another
+get_next_ra_size() pages. Btrace for large reads shows that kernel
+always issues a doubled size read at the beginning of processing.
+Add an additional check for io_pages in the lower part of the func.
+The fix helps devices that hard limit bio pages and rely on proper
+handling of max_hw_read_sectors (e.g. older FusionIO cards). For
+that reason it could qualify for stable.
+
+Fixes: 9491ae4a ("mm: don't cap request size based on read-ahead setting")
+Cc: stable@vger.kernel.org
+Signed-off-by: Markus Stockhausen stockhausen@collogia.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/readahead.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/mm/readahead.c
++++ b/mm/readahead.c
+@@ -385,6 +385,7 @@ ondemand_readahead(struct address_space
+ {
+       struct backing_dev_info *bdi = inode_to_bdi(mapping->host);
+       unsigned long max_pages = ra->ra_pages;
++      unsigned long add_pages;
+       pgoff_t prev_offset;
+       /*
+@@ -474,10 +475,17 @@ readit:
+        * Will this read hit the readahead marker made by itself?
+        * If so, trigger the readahead marker hit now, and merge
+        * the resulted next readahead window into the current one.
++       * Take care of maximum IO pages as above.
+        */
+       if (offset == ra->start && ra->size == ra->async_size) {
+-              ra->async_size = get_next_ra_size(ra, max_pages);
+-              ra->size += ra->async_size;
++              add_pages = get_next_ra_size(ra, max_pages);
++              if (ra->size + add_pages <= max_pages) {
++                      ra->async_size = add_pages;
++                      ra->size += add_pages;
++              } else {
++                      ra->size = max_pages;
++                      ra->async_size = max_pages >> 1;
++              }
+       }
+       return ra_submit(ra, mapping, filp);
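Review bot: The fallback branch `ra->size = max_pages; ra->async_size = max_pages >> 1;` picks half the window as the async part without saying why, and the added comment line `Take care of maximum IO pages as above` refers to code outside the hunk. Suggest a comment on the else branch such as `/* merged window would exceed max_pages: clamp it and keep half of it asynchronous */`. `add_pages` is declared at function scope but used only inside the `if (offset == ra->start && ...)` block, so it could be declared there. ondemand_readahead() starts outside the hunk.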
index d9a1ec99f21e328240cd5233a0a7ecbaff57cff9..fd76a1d235d1d2723ab7b5383fda9b1fdcdf9a1f 100644 (file)
@@ -2,3 +2,17 @@ rcu-make-expedited-gps-handle-cpu-0-being-offline.patch
 net-6lowpan-fix-reserved-space-for-single-frames.patch
 net-mac802154-tx-expand-tailroom-if-necessary.patch
 9p-net-fix-zero-copy-path-in-the-9p-virtio-transport.patch
+spi-davinci-fix-a-null-pointer-dereference.patch
+spi-pxa2xx-add-support-for-intel-ice-lake.patch
+spi-spi-fsl-dspi-fix-imprecise-abort-on-vf500-during-probe.patch
+spi-cadence-change-usleep_range-to-udelay-for-atomic-context.patch
+mmc-block-fix-unsupported-parallel-dispatch-of-requests.patch
+mmc-renesas_sdhi_internal_dmac-mask-dmac-interrupts.patch
+mmc-renesas_sdhi_internal_dmac-fix-define-rst_reserved_bits.patch
+readahead-stricter-check-for-bdi-io_pages.patch
+block-fix-infinite-loop-if-the-device-loses-discard-capability.patch
+block-blk_init_allocated_queue-set-q-fq-as-null-in-the-fail-case.patch
+block-really-disable-runtime-pm-for-blk-mq.patch
+blkcg-introduce-blkg_root_lookup.patch
+block-introduce-blk_exit_queue.patch
+block-ensure-that-a-request-queue-is-dissociated-from-the-cgroup-controller.patch
diff --git a/queue-4.18/spi-cadence-change-usleep_range-to-udelay-for-atomic-context.patch b/queue-4.18/spi-cadence-change-usleep_range-to-udelay-for-atomic-context.patch
new file mode 100644 (file)
index 0000000..5c01c3a
--- /dev/null
@@ -0,0 +1,64 @@
+From 931c4e9a72ae91d59c5332ffb6812911a749da8e Mon Sep 17 00:00:00 2001
+From: Janek Kotas <jank@cadence.com>
+Date: Mon, 4 Jun 2018 11:24:44 +0000
+Subject: spi: cadence: Change usleep_range() to udelay(), for atomic context
+
+From: Janek Kotas <jank@cadence.com>
+
+commit 931c4e9a72ae91d59c5332ffb6812911a749da8e upstream.
+
+The path "spi: cadence: Add usleep_range() for
+cdns_spi_fill_tx_fifo()" added a usleep_range() function call,
+which cannot be used in atomic context.
+However the cdns_spi_fill_tx_fifo() function can be called during
+an interrupt which may result in a kernel panic:
+
+BUG: scheduling while atomic: grep/561/0x00010002
+Modules linked in:
+Preemption disabled at:
+[<ffffff800858ea28>] wait_for_common+0x48/0x178
+CPU: 0 PID: 561 Comm: grep Not tainted 4.17.0 #1
+Hardware name: Cadence CSP (DT)
+Call trace:
+ dump_backtrace+0x0/0x198
+ show_stack+0x14/0x20
+ dump_stack+0x8c/0xac
+ __schedule_bug+0x6c/0xb8
+ __schedule+0x570/0x5d8
+ schedule+0x34/0x98
+ schedule_hrtimeout_range_clock+0x98/0x110
+ schedule_hrtimeout_range+0x10/0x18
+ usleep_range+0x64/0x98
+ cdns_spi_fill_tx_fifo+0x70/0xb0
+ cdns_spi_irq+0xd0/0xe0
+ __handle_irq_event_percpu+0x9c/0x128
+ handle_irq_event_percpu+0x34/0x88
+ handle_irq_event+0x48/0x78
+ handle_fasteoi_irq+0xbc/0x1b0
+ generic_handle_irq+0x24/0x38
+ __handle_domain_irq+0x84/0xf8
+ gic_handle_irq+0xc4/0x180
+
+This patch replaces the function call with udelay() which can be
+used in an atomic context, like an interrupt.
+
+Signed-off-by: Jan Kotas <jank@cadence.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-cadence.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-cadence.c
++++ b/drivers/spi/spi-cadence.c
+@@ -319,7 +319,7 @@ static void cdns_spi_fill_tx_fifo(struct
+                */
+               if (cdns_spi_read(xspi, CDNS_SPI_ISR) &
+                   CDNS_SPI_IXR_TXFULL)
+-                      usleep_range(10, 20);
++                      udelay(10);
+               if (xspi->txbuf)
+                       cdns_spi_write(xspi, CDNS_SPI_TXD, *xspi->txbuf++);
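Review bot: The `udelay(10);` line carries no comment saying that cdns_spi_fill_tx_fifo() can run from cdns_spi_irq(), which is the only reason a busy-wait is used here. Without it, a later cleanup could reintroduce a sleeping call. Suggest `/* may be called from cdns_spi_irq(): must not sleep, so busy-wait while the TX FIFO is full */`. The delay sits inside a loop whose bound is outside the hunk, so the worst-case time spent spinning in interrupt context should be checked against that bound.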
diff --git a/queue-4.18/spi-davinci-fix-a-null-pointer-dereference.patch b/queue-4.18/spi-davinci-fix-a-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..49a25c3
--- /dev/null
@@ -0,0 +1,32 @@
+From 563a53f3906a6b43692498e5b3ae891fac93a4af Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Date: Fri, 10 Aug 2018 11:13:52 +0200
+Subject: spi: davinci: fix a NULL pointer dereference
+
+From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+
+commit 563a53f3906a6b43692498e5b3ae891fac93a4af upstream.
+
+On non-OF systems spi->controlled_data may be NULL. This causes a NULL
+pointer derefence on dm365-evm.
+
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-davinci.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-davinci.c
++++ b/drivers/spi/spi-davinci.c
+@@ -217,7 +217,7 @@ static void davinci_spi_chipselect(struc
+       pdata = &dspi->pdata;
+       /* program delay transfers if tx_delay is non zero */
+-      if (spicfg->wdelay)
++      if (spicfg && spicfg->wdelay)
+               spidat1 |= SPIDAT1_WDEL;
+       /*
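Review bot: The comment above the new guard in davinci_spi_chipselect() still refers to `tx_delay` while the condition tests `spicfg->wdelay`, and it does not say why `spicfg` can be NULL. I would reword it to `/* set WDEL only if per-device config exists (may be NULL on non-OF boards) and wdelay is non-zero */`, so the NULL case reads as intentional rather than defensive noise. The function body continues outside this hunk, so it cannot be confirmed from here that no later line dereferences `spicfg` unguarded. Other paths in the driver that read the same per-device config pointer are worth checking for the same assumption, since a miss is a kernel oops like the one the commit message reports on dm365-evm.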
diff --git a/queue-4.18/spi-pxa2xx-add-support-for-intel-ice-lake.patch b/queue-4.18/spi-pxa2xx-add-support-for-intel-ice-lake.patch
new file mode 100644 (file)
index 0000000..b1ab42a
--- /dev/null
@@ -0,0 +1,36 @@
+From 22d71a5097ec7059b6cbbee678a4f88484695941 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Thu, 28 Jun 2018 13:52:23 +0300
+Subject: spi: pxa2xx: Add support for Intel Ice Lake
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit 22d71a5097ec7059b6cbbee678a4f88484695941 upstream.
+
+Intel Ice Lake SPI host controller follows the Intel Cannon Lake but the
+PCI IDs are different. Add the new PCI IDs to the driver supported
+devices list.
+
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-pxa2xx.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/spi/spi-pxa2xx.c
++++ b/drivers/spi/spi-pxa2xx.c
+@@ -1391,6 +1391,10 @@ static const struct pci_device_id pxa2xx
+       { PCI_VDEVICE(INTEL, 0x31c2), LPSS_BXT_SSP },
+       { PCI_VDEVICE(INTEL, 0x31c4), LPSS_BXT_SSP },
+       { PCI_VDEVICE(INTEL, 0x31c6), LPSS_BXT_SSP },
++      /* ICL-LP */
++      { PCI_VDEVICE(INTEL, 0x34aa), LPSS_CNL_SSP },
++      { PCI_VDEVICE(INTEL, 0x34ab), LPSS_CNL_SSP },
++      { PCI_VDEVICE(INTEL, 0x34fb), LPSS_CNL_SSP },
+       /* APL */
+       { PCI_VDEVICE(INTEL, 0x5ac2), LPSS_BXT_SSP },
+       { PCI_VDEVICE(INTEL, 0x5ac4), LPSS_BXT_SSP },
diff --git a/queue-4.18/spi-spi-fsl-dspi-fix-imprecise-abort-on-vf500-during-probe.patch b/queue-4.18/spi-spi-fsl-dspi-fix-imprecise-abort-on-vf500-during-probe.patch
new file mode 100644 (file)
index 0000000..d493bda
--- /dev/null
@@ -0,0 +1,90 @@
+From d8ffee2f551a627ffb7b216e2da322cb9a037f77 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Fri, 29 Jun 2018 13:33:09 +0200
+Subject: spi: spi-fsl-dspi: Fix imprecise abort on VF500 during probe
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit d8ffee2f551a627ffb7b216e2da322cb9a037f77 upstream.
+
+Registers of DSPI should not be accessed before enabling its clock.  On
+Toradex Colibri VF50 on Iris carrier board this could be seen during
+bootup as imprecise abort:
+
+    Unhandled fault: imprecise external abort (0x1c06) at 0x00000000
+    Internal error: : 1c06 [#1] ARM
+    Modules linked in:
+    CPU: 0 PID: 1 Comm: swapper Not tainted 4.14.39-dirty #97
+    Hardware name: Freescale Vybrid VF5xx/VF6xx (Device Tree)
+    Backtrace:
+    [<804166a8>] (regmap_write) from [<80466b5c>] (dspi_probe+0x1f0/0x8dc)
+    [<8046696c>] (dspi_probe) from [<8040107c>] (platform_drv_probe+0x54/0xb8)
+    [<80401028>] (platform_drv_probe) from [<803ff53c>] (driver_probe_device+0x280/0x2f8)
+    [<803ff2bc>] (driver_probe_device) from [<803ff674>] (__driver_attach+0xc0/0xc4)
+    [<803ff5b4>] (__driver_attach) from [<803fd818>] (bus_for_each_dev+0x70/0xa4)
+    [<803fd7a8>] (bus_for_each_dev) from [<803fee74>] (driver_attach+0x24/0x28)
+    [<803fee50>] (driver_attach) from [<803fe980>] (bus_add_driver+0x1a0/0x218)
+    [<803fe7e0>] (bus_add_driver) from [<803fffe8>] (driver_register+0x80/0x100)
+    [<803fff68>] (driver_register) from [<80400fdc>] (__platform_driver_register+0x48/0x50)
+    [<80400f94>] (__platform_driver_register) from [<8091cf7c>] (fsl_dspi_driver_init+0x1c/0x20)
+    [<8091cf60>] (fsl_dspi_driver_init) from [<8010195c>] (do_one_initcall+0x4c/0x174)
+    [<80101910>] (do_one_initcall) from [<80900e8c>] (kernel_init_freeable+0x144/0x1d8)
+    [<80900d48>] (kernel_init_freeable) from [<805ff6a8>] (kernel_init+0x10/0x114)
+    [<805ff698>] (kernel_init) from [<80107be8>] (ret_from_fork+0x14/0x2c)
+
+Cc: <stable@vger.kernel.org>
+Fixes: 5ee67b587a2b ("spi: dspi: clear SPI_SR before enable interrupt")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-fsl-dspi.c |   24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+--- a/drivers/spi/spi-fsl-dspi.c
++++ b/drivers/spi/spi-fsl-dspi.c
+@@ -1029,31 +1029,31 @@ static int dspi_probe(struct platform_de
+               goto out_master_put;
+       }
++      dspi->clk = devm_clk_get(&pdev->dev, "dspi");
++      if (IS_ERR(dspi->clk)) {
++              ret = PTR_ERR(dspi->clk);
++              dev_err(&pdev->dev, "unable to get clock\n");
++              goto out_master_put;
++      }
++      ret = clk_prepare_enable(dspi->clk);
++      if (ret)
++              goto out_master_put;
++
+       dspi_init(dspi);
+       dspi->irq = platform_get_irq(pdev, 0);
+       if (dspi->irq < 0) {
+               dev_err(&pdev->dev, "can't get platform irq\n");
+               ret = dspi->irq;
+-              goto out_master_put;
++              goto out_clk_put;
+       }
+       ret = devm_request_irq(&pdev->dev, dspi->irq, dspi_interrupt, 0,
+                       pdev->name, dspi);
+       if (ret < 0) {
+               dev_err(&pdev->dev, "Unable to attach DSPI interrupt\n");
+-              goto out_master_put;
++              goto out_clk_put;
+       }
+-      dspi->clk = devm_clk_get(&pdev->dev, "dspi");
+-      if (IS_ERR(dspi->clk)) {
+-              ret = PTR_ERR(dspi->clk);
+-              dev_err(&pdev->dev, "unable to get clock\n");
+-              goto out_master_put;
+-      }
+-      ret = clk_prepare_enable(dspi->clk);
+-      if (ret)
+-              goto out_master_put;
+-
+       if (dspi->devtype_data->trans_mode == DSPI_DMA_MODE) {
+               ret = dspi_request_dma(dspi, res->start);
+               if (ret < 0) {