4.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 25 Jul 2017 01:47:39 +0000 (18:47 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 25 Jul 2017 01:47:39 +0000 (18:47 -0700)
added patches:
cifs-reconnect-expired-smb-sessions.patch
cx88-fix-regression-in-initial-video-standard-setting.patch
dm-raid-stop-using-bug-in-__rdev_sectors.patch
drm-amd-amdgpu-return-error-if-initiating-read-out-of-range-on-vram.patch
drm-amdgpu-cgs-always-set-reference-clock-in-mode_info.patch
drm-amdgpu-don-t-call-amd_powerplay_destroy-if-we-don-t-have-powerplay.patch
drm-amdgpu-fix-the-memory-corruption-on-s3.patch
drm-amdgpu-fix-vblank_time-when-displays-are-off.patch
drm-amdgpu-gfx8-drop-per-apu-cu-limits.patch
drm-etnaviv-expose-our-reservation-object-when-exporting-a-dmabuf.patch
drm-radeon-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch
drm-radeon-fix-edp-for-single-display-imac10-1-v2.patch
drm-ttm-fix-use-after-free-in-ttm_bo_clean_mm.patch
ext2-don-t-clear-sgid-when-inheriting-acls.patch
f2fs-do-not-issue-small-discards-in-lfs-mode.patch
f2fs-don-t-clear-sgid-when-inheriting-acls.patch
f2fs-load-inode-s-flag-from-disk.patch
f2fs-sanity-check-checkpoint-segno-and-blkoff.patch
f2fs-sanity-check-size-of-nat-and-sit-cache.patch
f2fs-try-to-freeze-in-gc-and-discard-threads.patch
f2fs-use-spin_-un-lock_irq-save-restore.patch
f2fs-wake-up-all-waiters-in-f2fs_submit_discard_endio.patch
ipmi-ssif-add-missing-unlock-in-error-branch.patch
ipmi-use-rcu-lock-around-call-to-intf-handlers-sender.patch
libnvdimm-btt-fix-btt_rw_page-not-returning-errors.patch
libnvdimm-fix-badblock-range-handling-of-ars-range.patch
libnvdimm-fix-the-clear-error-check-in-nsio_rw_bytes.patch
raid5-should-update-rdev-sectors-after-reshape.patch
rc-core-fix-input-repeat-handling.patch
s390-syscalls-fix-out-of-bounds-arguments-access.patch
serial-sh-sci-uninitialized-variables-in-sysfs-files.patch
serial-st-asc-potential-error-pointer-dereference.patch
tools-testing-nvdimm-fix-nfit_test-buffer-overflow.patch
xfs-don-t-clear-sgid-when-inheriting-acls.patch

35 files changed:
queue-4.12/cifs-reconnect-expired-smb-sessions.patch [new file with mode: 0644]
queue-4.12/cx88-fix-regression-in-initial-video-standard-setting.patch [new file with mode: 0644]
queue-4.12/dm-raid-stop-using-bug-in-__rdev_sectors.patch [new file with mode: 0644]
queue-4.12/drm-amd-amdgpu-return-error-if-initiating-read-out-of-range-on-vram.patch [new file with mode: 0644]
queue-4.12/drm-amdgpu-cgs-always-set-reference-clock-in-mode_info.patch [new file with mode: 0644]
queue-4.12/drm-amdgpu-don-t-call-amd_powerplay_destroy-if-we-don-t-have-powerplay.patch [new file with mode: 0644]
queue-4.12/drm-amdgpu-fix-the-memory-corruption-on-s3.patch [new file with mode: 0644]
queue-4.12/drm-amdgpu-fix-vblank_time-when-displays-are-off.patch [new file with mode: 0644]
queue-4.12/drm-amdgpu-gfx8-drop-per-apu-cu-limits.patch [new file with mode: 0644]
queue-4.12/drm-etnaviv-expose-our-reservation-object-when-exporting-a-dmabuf.patch [new file with mode: 0644]
queue-4.12/drm-radeon-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch [new file with mode: 0644]
queue-4.12/drm-radeon-fix-edp-for-single-display-imac10-1-v2.patch [new file with mode: 0644]
queue-4.12/drm-ttm-fix-use-after-free-in-ttm_bo_clean_mm.patch [new file with mode: 0644]
queue-4.12/ext2-don-t-clear-sgid-when-inheriting-acls.patch [new file with mode: 0644]
queue-4.12/f2fs-do-not-issue-small-discards-in-lfs-mode.patch [new file with mode: 0644]
queue-4.12/f2fs-don-t-clear-sgid-when-inheriting-acls.patch [new file with mode: 0644]
queue-4.12/f2fs-load-inode-s-flag-from-disk.patch [new file with mode: 0644]
queue-4.12/f2fs-sanity-check-checkpoint-segno-and-blkoff.patch [new file with mode: 0644]
queue-4.12/f2fs-sanity-check-size-of-nat-and-sit-cache.patch [new file with mode: 0644]
queue-4.12/f2fs-try-to-freeze-in-gc-and-discard-threads.patch [new file with mode: 0644]
queue-4.12/f2fs-use-spin_-un-lock_irq-save-restore.patch [new file with mode: 0644]
queue-4.12/f2fs-wake-up-all-waiters-in-f2fs_submit_discard_endio.patch [new file with mode: 0644]
queue-4.12/ipmi-ssif-add-missing-unlock-in-error-branch.patch [new file with mode: 0644]
queue-4.12/ipmi-use-rcu-lock-around-call-to-intf-handlers-sender.patch [new file with mode: 0644]
queue-4.12/libnvdimm-btt-fix-btt_rw_page-not-returning-errors.patch [new file with mode: 0644]
queue-4.12/libnvdimm-fix-badblock-range-handling-of-ars-range.patch [new file with mode: 0644]
queue-4.12/libnvdimm-fix-the-clear-error-check-in-nsio_rw_bytes.patch [new file with mode: 0644]
queue-4.12/raid5-should-update-rdev-sectors-after-reshape.patch [new file with mode: 0644]
queue-4.12/rc-core-fix-input-repeat-handling.patch [new file with mode: 0644]
queue-4.12/s390-syscalls-fix-out-of-bounds-arguments-access.patch [new file with mode: 0644]
queue-4.12/serial-sh-sci-uninitialized-variables-in-sysfs-files.patch [new file with mode: 0644]
queue-4.12/serial-st-asc-potential-error-pointer-dereference.patch [new file with mode: 0644]
queue-4.12/series
queue-4.12/tools-testing-nvdimm-fix-nfit_test-buffer-overflow.patch [new file with mode: 0644]
queue-4.12/xfs-don-t-clear-sgid-when-inheriting-acls.patch [new file with mode: 0644]

diff --git a/queue-4.12/cifs-reconnect-expired-smb-sessions.patch b/queue-4.12/cifs-reconnect-expired-smb-sessions.patch
new file mode 100644 (file)
index 0000000..c82b4ba
--- /dev/null
@@ -0,0 +1,137 @@
+From 511c54a2f69195b28afb9dd119f03787b1625bb4 Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky <pshilov@microsoft.com>
+Date: Sat, 8 Jul 2017 14:32:00 -0700
+Subject: CIFS: Reconnect expired SMB sessions
+
+From: Pavel Shilovsky <pshilov@microsoft.com>
+
+commit 511c54a2f69195b28afb9dd119f03787b1625bb4 upstream.
+
+According to the MS-SMB2 spec (3.2.5.1.6) once the client receives
+STATUS_NETWORK_SESSION_EXPIRED error code from a server it should
+reconnect the current SMB session. Currently the client doesn't do
+that. This can result in subsequent client requests failing by
+the server. The patch adds an additional logic to the demultiplex
+thread to identify expired sessions and reconnect them.
+
+Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/cifsglob.h |    2 ++
+ fs/cifs/cifssmb.c  |    7 +++++++
+ fs/cifs/connect.c  |    7 +++++++
+ fs/cifs/smb2ops.c  |   23 +++++++++++++++++++++++
+ 4 files changed, 39 insertions(+)
+
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -367,6 +367,8 @@ struct smb_version_operations {
+       unsigned int (*calc_smb_size)(void *);
+       /* check for STATUS_PENDING and process it in a positive case */
+       bool (*is_status_pending)(char *, struct TCP_Server_Info *, int);
++      /* check for STATUS_NETWORK_SESSION_EXPIRED */
++      bool (*is_session_expired)(char *);
+       /* send oplock break response */
+       int (*oplock_response)(struct cifs_tcon *, struct cifs_fid *,
+                              struct cifsInodeInfo *);
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -1460,6 +1460,13 @@ cifs_readv_receive(struct TCP_Server_Inf
+               return length;
+       server->total_read += length;
++      if (server->ops->is_session_expired &&
++          server->ops->is_session_expired(buf)) {
++              cifs_reconnect(server);
++              wake_up(&server->response_q);
++              return -1;
++      }
++
+       if (server->ops->is_status_pending &&
+           server->ops->is_status_pending(buf, server, 0)) {
+               cifs_discard_remaining_data(server);
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -812,6 +812,13 @@ cifs_handle_standard(struct TCP_Server_I
+               cifs_dump_mem("Bad SMB: ", buf,
+                       min_t(unsigned int, server->total_read, 48));
++      if (server->ops->is_session_expired &&
++          server->ops->is_session_expired(buf)) {
++              cifs_reconnect(server);
++              wake_up(&server->response_q);
++              return -1;
++      }
++
+       if (server->ops->is_status_pending &&
+           server->ops->is_status_pending(buf, server, length))
+               return -1;
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -1036,6 +1036,18 @@ smb2_is_status_pending(char *buf, struct
+       return true;
+ }
++static bool
++smb2_is_session_expired(char *buf)
++{
++      struct smb2_sync_hdr *shdr = get_sync_hdr(buf);
++
++      if (shdr->Status != STATUS_NETWORK_SESSION_EXPIRED)
++              return false;
++
++      cifs_dbg(FYI, "Session expired\n");
++      return true;
++}
++
+ static int
+ smb2_oplock_response(struct cifs_tcon *tcon, struct cifs_fid *fid,
+                    struct cifsInodeInfo *cinode)
+@@ -2058,6 +2070,13 @@ handle_read_data(struct TCP_Server_Info
+               return -ENOTSUPP;
+       }
++      if (server->ops->is_session_expired &&
++          server->ops->is_session_expired(buf)) {
++              cifs_reconnect(server);
++              wake_up(&server->response_q);
++              return -1;
++      }
++
+       if (server->ops->is_status_pending &&
+                       server->ops->is_status_pending(buf, server, 0))
+               return -1;
+@@ -2375,6 +2394,7 @@ struct smb_version_operations smb20_oper
+       .close_dir = smb2_close_dir,
+       .calc_smb_size = smb2_calc_size,
+       .is_status_pending = smb2_is_status_pending,
++      .is_session_expired = smb2_is_session_expired,
+       .oplock_response = smb2_oplock_response,
+       .queryfs = smb2_queryfs,
+       .mand_lock = smb2_mand_lock,
+@@ -2458,6 +2478,7 @@ struct smb_version_operations smb21_oper
+       .close_dir = smb2_close_dir,
+       .calc_smb_size = smb2_calc_size,
+       .is_status_pending = smb2_is_status_pending,
++      .is_session_expired = smb2_is_session_expired,
+       .oplock_response = smb2_oplock_response,
+       .queryfs = smb2_queryfs,
+       .mand_lock = smb2_mand_lock,
+@@ -2543,6 +2564,7 @@ struct smb_version_operations smb30_oper
+       .close_dir = smb2_close_dir,
+       .calc_smb_size = smb2_calc_size,
+       .is_status_pending = smb2_is_status_pending,
++      .is_session_expired = smb2_is_session_expired,
+       .oplock_response = smb2_oplock_response,
+       .queryfs = smb2_queryfs,
+       .mand_lock = smb2_mand_lock,
+@@ -2638,6 +2660,7 @@ struct smb_version_operations smb311_ope
+       .close_dir = smb2_close_dir,
+       .calc_smb_size = smb2_calc_size,
+       .is_status_pending = smb2_is_status_pending,
++      .is_session_expired = smb2_is_session_expired,
+       .oplock_response = smb2_oplock_response,
+       .queryfs = smb2_queryfs,
+       .mand_lock = smb2_mand_lock,
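Review bot: The reconnect added in cifs_readv_receive, cifs_handle_standard and handle_read_data is driven solely by the Status field that smb2_is_session_expired reads from the received header. In cifs_handle_standard the check sits after the `Bad SMB` dump, so it appears to run even for a message that failed validation. Each response carrying that status therefore costs a full `cifs_reconnect(server)`, and the only trace is `cifs_dbg(FYI, "Session expired\n")`, which is silent unless debugging is enabled. A rate-limited message at a visible level, for example `pr_warn_ratelimited("CIFS: server reported session expired, reconnecting\n");`, would make a reconnect storm detectable. The identical five-line block at the three call sites would also read better as one helper; all three enclosing functions begin and end outside the hunks.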
diff --git a/queue-4.12/cx88-fix-regression-in-initial-video-standard-setting.patch b/queue-4.12/cx88-fix-regression-in-initial-video-standard-setting.patch
new file mode 100644 (file)
index 0000000..1a6a114
--- /dev/null
@@ -0,0 +1,68 @@
+From 4e0973a918b9a42e217093f078e04a61e5dd95a5 Mon Sep 17 00:00:00 2001
+From: Devin Heitmueller <dheitmueller@kernellabs.com>
+Date: Sat, 20 Sep 2014 09:23:44 -0300
+Subject: [media] cx88: Fix regression in initial video standard setting
+
+From: Devin Heitmueller <dheitmueller@kernellabs.com>
+
+commit 4e0973a918b9a42e217093f078e04a61e5dd95a5 upstream.
+
+Setting initial standard at the top of cx8800_initdev would cause the
+first call to cx88_set_tvnorm() to return without programming any
+registers (leaving the driver saying it's set to NTSC but the hardware
+isn't programmed).  Even worse, any subsequent attempt to explicitly
+set it to NTSC-M will return success but actually fail to program the
+underlying registers unless first changing the standard to something
+other than NTSC-M.
+
+Set the initial standard later in the process, and make sure the field
+is zero at the beginning to ensure that the call always goes through.
+
+This regression was introduced in the following commit:
+
+commit ccd6f1d488e7 ("[media] cx88: move width, height and field to core
+struct")
+
+Author: Hans Verkuil <hans.verkuil@cisco.com>
+
+[media] cx88: move width, height and field to core struct
+
+Signed-off-by: Devin Heitmueller <dheitmueller@kernellabs.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/pci/cx88/cx88-cards.c |    9 ++++++++-
+ drivers/media/pci/cx88/cx88-video.c |    2 +-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/pci/cx88/cx88-cards.c
++++ b/drivers/media/pci/cx88/cx88-cards.c
+@@ -3681,7 +3681,14 @@ struct cx88_core *cx88_core_create(struc
+       core->nr = nr;
+       sprintf(core->name, "cx88[%d]", core->nr);
+-      core->tvnorm = V4L2_STD_NTSC_M;
++      /*
++       * Note: Setting initial standard here would cause first call to
++       * cx88_set_tvnorm() to return without programming any registers.  Leave
++       * it blank for at this point and it will get set later in
++       * cx8800_initdev()
++       */
++      core->tvnorm  = 0;
++
+       core->width   = 320;
+       core->height  = 240;
+       core->field   = V4L2_FIELD_INTERLACED;
+--- a/drivers/media/pci/cx88/cx88-video.c
++++ b/drivers/media/pci/cx88/cx88-video.c
+@@ -1435,7 +1435,7 @@ static int cx8800_initdev(struct pci_dev
+       /* initial device configuration */
+       mutex_lock(&core->lock);
+-      cx88_set_tvnorm(core, core->tvnorm);
++      cx88_set_tvnorm(core, V4L2_STD_NTSC_M);
+       v4l2_ctrl_handler_setup(&core->video_hdl);
+       v4l2_ctrl_handler_setup(&core->audio_hdl);
+       cx88_video_mux(core, 0);
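Review bot: The return value of `cx88_set_tvnorm(core, V4L2_STD_NTSC_M)` in cx8800_initdev is discarded, and with `core->tvnorm = 0` now set in cx88_core_create a failure there would presumably leave the core without any standard. Checking the result and logging on failure would make that visible. The new comment also has a wording slip; `Leave it blank at this point and it will get set later in cx8800_initdev()` reads correctly. Any code that reads core->tvnorm between cx88_core_create and cx8800_initdev now sees 0 rather than NTSC-M; whether such a reader exists is outside the hunks.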
diff --git a/queue-4.12/dm-raid-stop-using-bug-in-__rdev_sectors.patch b/queue-4.12/dm-raid-stop-using-bug-in-__rdev_sectors.patch
new file mode 100644 (file)
index 0000000..2a6de95
--- /dev/null
@@ -0,0 +1,57 @@
+From 4d49f1b4a1fcab16b6dd1c79ef14f2b6531d50a6 Mon Sep 17 00:00:00 2001
+From: Heinz Mauelshagen <heinzm@redhat.com>
+Date: Fri, 30 Jun 2017 15:45:58 +0200
+Subject: dm raid: stop using BUG() in __rdev_sectors()
+
+From: Heinz Mauelshagen <heinzm@redhat.com>
+
+commit 4d49f1b4a1fcab16b6dd1c79ef14f2b6531d50a6 upstream.
+
+Return 0 rather than BUG() if __rdev_sectors() fails and catch invalid
+rdev size in the constructor.
+
+Reported-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-raid.c |   13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -1571,7 +1571,7 @@ static sector_t __rdev_sectors(struct ra
+                       return rdev->sectors;
+       }
+-      BUG(); /* Constructor ensures we got some. */
++      return 0;
+ }
+ /* Calculate the sectors per device and per array used for @rs */
+@@ -2941,7 +2941,7 @@ static int raid_ctr(struct dm_target *ti
+       bool resize;
+       struct raid_type *rt;
+       unsigned int num_raid_params, num_raid_devs;
+-      sector_t calculated_dev_sectors;
++      sector_t calculated_dev_sectors, rdev_sectors;
+       struct raid_set *rs = NULL;
+       const char *arg;
+       struct rs_layout rs_layout;
+@@ -3017,7 +3017,14 @@ static int raid_ctr(struct dm_target *ti
+       if (r)
+               goto bad;
+-      resize = calculated_dev_sectors != __rdev_sectors(rs);
++      rdev_sectors = __rdev_sectors(rs);
++      if (!rdev_sectors) {
++              ti->error = "Invalid rdev size";
++              r = -EINVAL;
++              goto bad;
++      }
++
++      resize = calculated_dev_sectors != rdev_sectors;
+       INIT_WORK(&rs->md.event_work, do_table_event);
+       ti->private = rs;
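Review bot: __rdev_sectors now returns 0 where it used to BUG(), but only the raid_ctr call in the last hunk checks for it; any other caller outside these hunks would silently compute with a zero device size. A comment above the function should state the new contract, for example `/* Returns 0 if no usable rdev is found; callers must treat 0 as an error. */`. raid_ctr and __rdev_sectors both start outside the hunks, so the remaining call sites cannot be checked from here.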
diff --git a/queue-4.12/drm-amd-amdgpu-return-error-if-initiating-read-out-of-range-on-vram.patch b/queue-4.12/drm-amd-amdgpu-return-error-if-initiating-read-out-of-range-on-vram.patch
new file mode 100644 (file)
index 0000000..f5599bf
--- /dev/null
@@ -0,0 +1,39 @@
+From 9156e723301c0a7a7def4cde820e018ce791b842 Mon Sep 17 00:00:00 2001
+From: Tom St Denis <tom.stdenis@amd.com>
+Date: Tue, 23 May 2017 11:35:22 -0400
+Subject: drm/amd/amdgpu: Return error if initiating read out of range on vram
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tom St Denis <tom.stdenis@amd.com>
+
+commit 9156e723301c0a7a7def4cde820e018ce791b842 upstream.
+
+If you initiate a read that is out of the VRAM address space return
+ENXIO instead of 0.
+
+Reads that begin below that point will read upto the VRAM limit as
+before.
+
+Signed-off-by: Tom St Denis <tom.stdenis@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+@@ -1462,6 +1462,9 @@ static ssize_t amdgpu_ttm_vram_read(stru
+       if (size & 0x3 || *pos & 0x3)
+               return -EINVAL;
++      if (*pos >= adev->mc.mc_vram_size)
++              return -ENXIO;
++
+       while (size) {
+               unsigned long flags;
+               uint32_t value;
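Review bot: The new `*pos >= adev->mc.mc_vram_size` guard validates only the starting offset of the read; the end of the range is left to the `while (size)` loop, whose body is outside the hunk. The commit message says reads that start below the limit stop at it, and a short comment at the guard would record that split, e.g. `/* a start offset past VRAM is an error; the loop below stops at the VRAM limit */`. The enclosing read function starts and ends outside the hunk.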
diff --git a/queue-4.12/drm-amdgpu-cgs-always-set-reference-clock-in-mode_info.patch b/queue-4.12/drm-amdgpu-cgs-always-set-reference-clock-in-mode_info.patch
new file mode 100644 (file)
index 0000000..d549de2
--- /dev/null
@@ -0,0 +1,42 @@
+From 73cc90798ff765341a1d9c2cfe18153ab231c9bb Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Fri, 30 Jun 2017 09:58:34 -0400
+Subject: drm/amdgpu/cgs: always set reference clock in mode_info
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 73cc90798ff765341a1d9c2cfe18153ab231c9bb upstream.
+
+It's relevent regardless of whether there are displays
+enabled.  Fixes garbage values for ref clock in powerplay
+leading to incorrect fan speed reporting when displays
+are disabled.
+
+bug: https://bugs.freedesktop.org/show_bug.cgi?id=101653
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c
+@@ -838,9 +838,12 @@ static int amdgpu_cgs_get_active_display
+               return -EINVAL;
+       mode_info = info->mode_info;
+-      if (mode_info)
++      if (mode_info) {
+               /* if the displays are off, vblank time is max */
+               mode_info->vblank_time_us = 0xffffffff;
++              /* always set the reference clock */
++              mode_info->ref_clock = adev->clock.spll.reference_freq;
++      }
+       if (adev->mode_info.num_crtc && adev->mode_info.mode_config_initialized) {
+               list_for_each_entry(crtc,
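Review bot: The lines this patch removes (`if (mode_info)` with the `vblank_time_us = 0xffffffff` assignment) are the ones added by drm-amdgpu-fix-vblank_time-when-displays-are-off.patch in the same commit, so this patch applies only if that one precedes it in queue-4.12/series, whose contents are not shown here. Separately, the description speaks of garbage values in ref_clock, which suggests the caller passes an uninitialised mode_info; if so, other fields that the displays-off path does not write may still hold garbage. The enclosing function continues outside the hunk.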
diff --git a/queue-4.12/drm-amdgpu-don-t-call-amd_powerplay_destroy-if-we-don-t-have-powerplay.patch b/queue-4.12/drm-amdgpu-don-t-call-amd_powerplay_destroy-if-we-don-t-have-powerplay.patch
new file mode 100644 (file)
index 0000000..48635f7
--- /dev/null
@@ -0,0 +1,91 @@
+From 7bc7b7777ee0e3b3d995aebaf26a462d5a23e3d7 Mon Sep 17 00:00:00 2001
+From: John Brooks <john@fastquake.com>
+Date: Mon, 3 Jul 2017 14:05:35 -0400
+Subject: drm/amdgpu: Don't call amd_powerplay_destroy() if we don't have powerplay
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John Brooks <john@fastquake.com>
+
+commit 7bc7b7777ee0e3b3d995aebaf26a462d5a23e3d7 upstream.
+
+amd_powerplay_destroy() expects a handle pointing to a struct pp_instance.
+On chips without PowerPlay, pp_handle points to a struct amdgpu_device. The
+resulting attempt to kfree() fields of the wrong struct ends in fire:
+
+[   91.560405] BUG: unable to handle kernel paging request at ffffebe000000620
+[   91.560414] IP: kfree+0x57/0x160
+[   91.560416] PGD 0
+[   91.560416] P4D 0
+
+[   91.560420] Oops: 0000 [#1] SMP
+[   91.560422] Modules linked in: tun x86_pkg_temp_thermal crc32_pclmul ghash_clmulni_intel efivarfs amdgpu(-) i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm
+[   91.560438] CPU: 6 PID: 3598 Comm: rmmod Not tainted 4.12.0-rc5-drm-next-4.13-ttmpatch+ #1
+[   91.560443] Hardware name: Gigabyte Technology Co., Ltd. Z97X-UD3H-BK/Z97X-UD3H-BK-CF, BIOS F6 06/17/2014
+[   91.560448] task: ffff8805063d6a00 task.stack: ffffc90003400000
+[   91.560451] RIP: 0010:kfree+0x57/0x160
+[   91.560454] RSP: 0018:ffffc90003403cc0 EFLAGS: 00010286
+[   91.560457] RAX: 000077ff80000000 RBX: 00000000000186a0 RCX: 0000000180400035
+[   91.560460] RDX: 0000000180400036 RSI: ffffea001418e740 RDI: ffffea0000000000
+[   91.560463] RBP: ffffc90003403cd8 R08: 000000000639d201 R09: 0000000180400035
+[   91.560467] R10: ffffebe000000600 R11: 0000000000000300 R12: ffff880500530030
+[   91.560470] R13: ffffffffa01e70fc R14: 00000000ffffffff R15: ffff880500530000
+[   91.560473] FS:  00007f7e500c3700(0000) GS:ffff88051ed80000(0000) knlGS:0000000000000000
+[   91.560478] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   91.560480] CR2: ffffebe000000620 CR3: 0000000503103000 CR4: 00000000001406e0
+[   91.560483] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[   91.560487] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[   91.560489] Call Trace:
+[   91.560530]  amd_powerplay_destroy+0x1c/0x60 [amdgpu]
+[   91.560558]  amdgpu_pp_late_fini+0x44/0x60 [amdgpu]
+[   91.560575]  amdgpu_fini+0x254/0x490 [amdgpu]
+[   91.560593]  amdgpu_device_fini+0x58/0x1b0 [amdgpu]
+[   91.560610]  amdgpu_driver_unload_kms+0x4f/0xa0 [amdgpu]
+[   91.560622]  drm_dev_unregister+0x3c/0xe0 [drm]
+[   91.560638]  amdgpu_pci_remove+0x19/0x30 [amdgpu]
+[   91.560643]  pci_device_remove+0x39/0xc0
+[   91.560648]  device_release_driver_internal+0x155/0x210
+[   91.560651]  driver_detach+0x38/0x70
+[   91.560655]  bus_remove_driver+0x4c/0xa0
+[   91.560658]  driver_unregister+0x2c/0x40
+[   91.560662]  pci_unregister_driver+0x21/0x90
+[   91.560689]  amdgpu_exit+0x15/0x406 [amdgpu]
+[   91.560694]  SyS_delete_module+0x1a8/0x270
+[   91.560698]  ? exit_to_usermode_loop+0x92/0xa0
+[   91.560702]  entry_SYSCALL_64_fastpath+0x13/0x94
+[   91.560705] RIP: 0033:0x7f7e4fc118e7
+[   91.560708] RSP: 002b:00007fff978ca118 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
+[   91.560713] RAX: ffffffffffffffda RBX: 000055afe21bc200 RCX: 00007f7e4fc118e7
+[   91.560716] RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055afe21bc268
+[   91.560719] RBP: 0000000000000003 R08: 0000000000000000 R09: 1999999999999999
+[   91.560722] R10: 0000000000000883 R11: 0000000000000206 R12: 00007fff978c9100
+[   91.560725] R13: 0000000000000000 R14: 0000000000000000 R15: 000055afe21bc200
+[   91.560728] Code: 00 00 00 80 ff 77 00 00 48 bf 00 00 00 00 00 ea ff ff 49 01 da 48 0f 42 05 57 33 bd 00 49 01 c2 49 c1 ea 0c 49 c1 e2 06 49 01 fa <49> 8b 42 20 48 8d 78 ff a8 01 4c 0f 45 d7 49 8b 52 20 48 8d 42
+[   91.560759] RIP: kfree+0x57/0x160 RSP: ffffc90003403cc0
+[   91.560761] CR2: ffffebe000000620
+[   91.560765] ---[ end trace 08a9f3cd82223c1d ]---
+
+Fixes: 1c8638024846 (drm/amd/powerplay: refine powerplay interface.)
+Signed-off-by: John Brooks <john@fastquake.com>
+Acked-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_powerplay.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_powerplay.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_powerplay.c
+@@ -208,7 +208,8 @@ static void amdgpu_pp_late_fini(void *ha
+       if (adev->pp_enabled && adev->pm.dpm_enabled)
+               amdgpu_pm_sysfs_fini(adev);
+-      amd_powerplay_destroy(adev->powerplay.pp_handle);
++      if (adev->pp_enabled)
++              amd_powerplay_destroy(adev->powerplay.pp_handle);
+ }
+ static int amdgpu_pp_suspend(void *handle)
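Review bot: The guard `if (adev->pp_enabled)` stops the crash, but the underlying hazard stays undocumented: per the description, `adev->powerplay.pp_handle` points at a struct pp_instance on PowerPlay chips and at a struct amdgpu_device otherwise, and nothing at this call site says so. A comment would help the next reader, e.g. `/* pp_handle is a struct pp_instance only when pp_enabled; otherwise it aliases adev and must not be destroyed */`. The handle is also left in place after amd_powerplay_destroy(); clearing it with `adev->powerplay.pp_handle = NULL;` would turn a later stale use into a NULL dereference rather than a use-after-free, assuming no caller relies on the old value. amdgpu_pp_late_fini starts outside the hunk.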
diff --git a/queue-4.12/drm-amdgpu-fix-the-memory-corruption-on-s3.patch b/queue-4.12/drm-amdgpu-fix-the-memory-corruption-on-s3.patch
new file mode 100644 (file)
index 0000000..9b51376
--- /dev/null
@@ -0,0 +1,73 @@
+From 67bef0f7908a3a6b10e5a29d8e8c09e27f90c9f8 Mon Sep 17 00:00:00 2001
+From: Huang Rui <ray.huang@amd.com>
+Date: Thu, 29 Jun 2017 14:21:49 +0800
+Subject: drm/amdgpu: fix the memory corruption on S3
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Huang Rui <ray.huang@amd.com>
+
+commit 67bef0f7908a3a6b10e5a29d8e8c09e27f90c9f8 upstream.
+
+psp->cmd will be used on resume phase, so we can not free it on hw_init.
+Otherwise, a memory corruption will be triggered.
+
+Signed-off-by: Huang Rui <ray.huang@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Tested-by: Xiaojie Yuan <Xiaojie.Yuan@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c |   15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
+@@ -319,14 +319,11 @@ static int psp_load_fw(struct amdgpu_dev
+ {
+       int ret;
+       struct psp_context *psp = &adev->psp;
+-      struct psp_gfx_cmd_resp *cmd;
+-      cmd = kzalloc(sizeof(struct psp_gfx_cmd_resp), GFP_KERNEL);
+-      if (!cmd)
++      psp->cmd = kzalloc(sizeof(struct psp_gfx_cmd_resp), GFP_KERNEL);
++      if (!psp->cmd)
+               return -ENOMEM;
+-      psp->cmd = cmd;
+-
+       ret = amdgpu_bo_create_kernel(adev, PSP_1_MEG, PSP_1_MEG,
+                                     AMDGPU_GEM_DOMAIN_GTT,
+                                     &psp->fw_pri_bo,
+@@ -365,8 +362,6 @@ static int psp_load_fw(struct amdgpu_dev
+       if (ret)
+               goto failed_mem;
+-      kfree(cmd);
+-
+       return 0;
+ failed_mem:
+@@ -376,7 +371,8 @@ failed_mem1:
+       amdgpu_bo_free_kernel(&psp->fw_pri_bo,
+                             &psp->fw_pri_mc_addr, &psp->fw_pri_buf);
+ failed:
+-      kfree(cmd);
++      kfree(psp->cmd);
++      psp->cmd = NULL;
+       return ret;
+ }
+@@ -436,6 +432,9 @@ static int psp_hw_fini(void *handle)
+               amdgpu_bo_free_kernel(&psp->fence_buf_bo,
+                                     &psp->fence_buf_mc_addr, &psp->fence_buf);
++      kfree(psp->cmd);
++      psp->cmd = NULL;
++
+       return 0;
+ }
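Review bot: psp_load_fw now stores the allocation directly in `psp->cmd` and keeps it until psp_hw_fini, so a second call to psp_load_fw without an intervening psp_hw_fini would overwrite the pointer and leak the first buffer. Whether that can happen, for instance on a re-init path, is outside these hunks; if it can, a `kfree(psp->cmd);` ahead of the kzalloc would cover it, provided psp->cmd starts out NULL. The description says psp->cmd is used during resume, so it is also worth confirming that no suspend path reaches psp_hw_fini, which now frees it.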
diff --git a/queue-4.12/drm-amdgpu-fix-vblank_time-when-displays-are-off.patch b/queue-4.12/drm-amdgpu-fix-vblank_time-when-displays-are-off.patch
new file mode 100644 (file)
index 0000000..4faa0a4
--- /dev/null
@@ -0,0 +1,38 @@
+From beb3777682d5c296cc15a2a424f5a7a98476def0 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Thu, 29 Jun 2017 16:08:49 -0400
+Subject: drm/amdgpu: fix vblank_time when displays are off
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit beb3777682d5c296cc15a2a424f5a7a98476def0 upstream.
+
+If the displays are off, set the vblank time to max to make
+sure mclk switching is enabled.  Avoid mclk getting set
+to high when no displays are attached.
+
+bug: https://bugs.freedesktop.org/show_bug.cgi?id=101528
+fixes: 09be4a5219 (drm/amd/powerplay/smu7: add vblank check for mclk switching (v2))
+Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c
+@@ -838,6 +838,9 @@ static int amdgpu_cgs_get_active_display
+               return -EINVAL;
+       mode_info = info->mode_info;
++      if (mode_info)
++              /* if the displays are off, vblank time is max */
++              mode_info->vblank_time_us = 0xffffffff;
+       if (adev->mode_info.num_crtc && adev->mode_info.mode_config_initialized) {
+               list_for_each_entry(crtc,
diff --git a/queue-4.12/drm-amdgpu-gfx8-drop-per-apu-cu-limits.patch b/queue-4.12/drm-amdgpu-gfx8-drop-per-apu-cu-limits.patch
new file mode 100644 (file)
index 0000000..abe1ba7
--- /dev/null
@@ -0,0 +1,109 @@
+From 943c05bdb53da273c43ec44eec37c6a70409b5e9 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 31 May 2017 10:05:04 -0400
+Subject: drm/amdgpu/gfx8: drop per-APU CU limits
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 943c05bdb53da273c43ec44eec37c6a70409b5e9 upstream.
+
+Always use the max for the family rather than the per sku limits.
+This makes sure the mask is always the max size to avoid reporting
+the wrong number of CUs.
+
+Reviewed-by: Alex Xie <AlexBin.Xie@amd.com>
+Reviewed-by: Andres Rodriguez <andresx7@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c |   71 ----------------------------------
+ 1 file changed, 2 insertions(+), 69 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c
+@@ -1907,46 +1907,7 @@ static int gfx_v8_0_gpu_early_init(struc
+               adev->gfx.config.max_tile_pipes = 2;
+               adev->gfx.config.max_sh_per_se = 1;
+               adev->gfx.config.max_backends_per_se = 2;
+-
+-              switch (adev->pdev->revision) {
+-              case 0xc4:
+-              case 0x84:
+-              case 0xc8:
+-              case 0xcc:
+-              case 0xe1:
+-              case 0xe3:
+-                      /* B10 */
+-                      adev->gfx.config.max_cu_per_sh = 8;
+-                      break;
+-              case 0xc5:
+-              case 0x81:
+-              case 0x85:
+-              case 0xc9:
+-              case 0xcd:
+-              case 0xe2:
+-              case 0xe4:
+-                      /* B8 */
+-                      adev->gfx.config.max_cu_per_sh = 6;
+-                      break;
+-              case 0xc6:
+-              case 0xca:
+-              case 0xce:
+-              case 0x88:
+-              case 0xe6:
+-                      /* B6 */
+-                      adev->gfx.config.max_cu_per_sh = 6;
+-                      break;
+-              case 0xc7:
+-              case 0x87:
+-              case 0xcb:
+-              case 0xe5:
+-              case 0x89:
+-              default:
+-                      /* B4 */
+-                      adev->gfx.config.max_cu_per_sh = 4;
+-                      break;
+-              }
+-
++              adev->gfx.config.max_cu_per_sh = 8;
+               adev->gfx.config.max_texture_channel_caches = 2;
+               adev->gfx.config.max_gprs = 256;
+               adev->gfx.config.max_gs_threads = 32;
+@@ -1963,35 +1924,7 @@ static int gfx_v8_0_gpu_early_init(struc
+               adev->gfx.config.max_tile_pipes = 2;
+               adev->gfx.config.max_sh_per_se = 1;
+               adev->gfx.config.max_backends_per_se = 1;
+-
+-              switch (adev->pdev->revision) {
+-              case 0x80:
+-              case 0x81:
+-              case 0xc0:
+-              case 0xc1:
+-              case 0xc2:
+-              case 0xc4:
+-              case 0xc8:
+-              case 0xc9:
+-              case 0xd6:
+-              case 0xda:
+-              case 0xe9:
+-              case 0xea:
+-                      adev->gfx.config.max_cu_per_sh = 3;
+-                      break;
+-              case 0x83:
+-              case 0xd0:
+-              case 0xd1:
+-              case 0xd2:
+-              case 0xd4:
+-              case 0xdb:
+-              case 0xe1:
+-              case 0xe2:
+-              default:
+-                      adev->gfx.config.max_cu_per_sh = 2;
+-                      break;
+-              }
+-
++              adev->gfx.config.max_cu_per_sh = 3;
+               adev->gfx.config.max_texture_channel_caches = 2;
+               adev->gfx.config.max_gprs = 256;
+               adev->gfx.config.max_gs_threads = 16;
diff --git a/queue-4.12/drm-etnaviv-expose-our-reservation-object-when-exporting-a-dmabuf.patch b/queue-4.12/drm-etnaviv-expose-our-reservation-object-when-exporting-a-dmabuf.patch
new file mode 100644 (file)
index 0000000..929000a
--- /dev/null
@@ -0,0 +1,60 @@
+From 8555137e26618490cbeb12c243818539875d12f4 Mon Sep 17 00:00:00 2001
+From: Eric Anholt <eric@anholt.net>
+Date: Mon, 10 Apr 2017 18:44:13 -0700
+Subject: drm/etnaviv: Expose our reservation object when exporting a dmabuf.
+
+From: Eric Anholt <eric@anholt.net>
+
+commit 8555137e26618490cbeb12c243818539875d12f4 upstream.
+
+Without this, polling on the dma-buf (and presumably other devices
+synchronizing against our rendering) would return immediately, even
+while the BO was busy.
+
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Cc: Lucas Stach <l.stach@pengutronix.de>
+Cc: Russell King <linux+etnaviv@armlinux.org.uk>
+Cc: Christian Gmeiner <christian.gmeiner@gmail.com>
+Cc: etnaviv@lists.freedesktop.org
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/etnaviv/etnaviv_drv.c       |    1 +
+ drivers/gpu/drm/etnaviv/etnaviv_drv.h       |    1 +
+ drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c |    7 +++++++
+ 3 files changed, 9 insertions(+)
+
+--- a/drivers/gpu/drm/etnaviv/etnaviv_drv.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_drv.c
+@@ -495,6 +495,7 @@ static struct drm_driver etnaviv_drm_dri
+       .prime_fd_to_handle = drm_gem_prime_fd_to_handle,
+       .gem_prime_export   = drm_gem_prime_export,
+       .gem_prime_import   = drm_gem_prime_import,
++      .gem_prime_res_obj  = etnaviv_gem_prime_res_obj,
+       .gem_prime_pin      = etnaviv_gem_prime_pin,
+       .gem_prime_unpin    = etnaviv_gem_prime_unpin,
+       .gem_prime_get_sg_table = etnaviv_gem_prime_get_sg_table,
+--- a/drivers/gpu/drm/etnaviv/etnaviv_drv.h
++++ b/drivers/gpu/drm/etnaviv/etnaviv_drv.h
+@@ -80,6 +80,7 @@ void *etnaviv_gem_prime_vmap(struct drm_
+ void etnaviv_gem_prime_vunmap(struct drm_gem_object *obj, void *vaddr);
+ int etnaviv_gem_prime_mmap(struct drm_gem_object *obj,
+                          struct vm_area_struct *vma);
++struct reservation_object *etnaviv_gem_prime_res_obj(struct drm_gem_object *obj);
+ struct drm_gem_object *etnaviv_gem_prime_import_sg_table(struct drm_device *dev,
+       struct dma_buf_attachment *attach, struct sg_table *sg);
+ int etnaviv_gem_prime_pin(struct drm_gem_object *obj);
+--- a/drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c
+@@ -150,3 +150,10 @@ fail:
+       return ERR_PTR(ret);
+ }
++
++struct reservation_object *etnaviv_gem_prime_res_obj(struct drm_gem_object *obj)
++{
++      struct etnaviv_gem_object *etnaviv_obj = to_etnaviv_bo(obj);
++
++      return etnaviv_obj->resv;
++}
diff --git a/queue-4.12/drm-radeon-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch b/queue-4.12/drm-radeon-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch
new file mode 100644 (file)
index 0000000..daee334
--- /dev/null
@@ -0,0 +1,42 @@
+From ab03d9fe508f4e2914a8f4a9eef1b21051cacd0f Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Thu, 11 May 2017 13:14:14 -0400
+Subject: drm/radeon/ci: disable mclk switching for high refresh rates (v2)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit ab03d9fe508f4e2914a8f4a9eef1b21051cacd0f upstream.
+
+Even if the vblank period would allow it, it still seems to
+be problematic on some cards.
+
+v2: fix logic inversion (Nils)
+
+bug: https://bugs.freedesktop.org/show_bug.cgi?id=96868
+
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/ci_dpm.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/ci_dpm.c
++++ b/drivers/gpu/drm/radeon/ci_dpm.c
+@@ -782,6 +782,12 @@ bool ci_dpm_vblank_too_short(struct rade
+       if (r600_dpm_get_vrefresh(rdev) > 120)
+               return true;
++      /* disable mclk switching if the refresh is >120Hz, even if the
++        * blanking period would allow it
++        */
++      if (r600_dpm_get_vrefresh(rdev) > 120)
++              return true;
++
+       if (vblank_time < switch_limit)
+               return true;
+       else
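Review bot: The three added lines in ci_dpm_vblank_too_short() repeat the `if (r600_dpm_get_vrefresh(rdev) > 120) return true;` test that already appears as context directly above them, so the second check can never change the result. It looks as if the fix is already present in the 4.12 base. If so, the only new information is the comment, which belongs above the existing check as `/* disable mclk switching if the refresh is >120Hz, even if the blanking period would allow it */`, and the duplicate `if` can be dropped. The function starts and ends outside the hunk, so the surrounding logic was not checked.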
diff --git a/queue-4.12/drm-radeon-fix-edp-for-single-display-imac10-1-v2.patch b/queue-4.12/drm-radeon-fix-edp-for-single-display-imac10-1-v2.patch
new file mode 100644 (file)
index 0000000..e0388ed
--- /dev/null
@@ -0,0 +1,88 @@
+From 564d8a2cf3abf16575af48bdc3e86e92ee8a617d Mon Sep 17 00:00:00 2001
+From: Mario Kleiner <mario.kleiner.de@gmail.com>
+Date: Fri, 7 Jul 2017 04:57:04 +0200
+Subject: drm/radeon: Fix eDP for single-display iMac10,1 (v2)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mario Kleiner <mario.kleiner.de@gmail.com>
+
+commit 564d8a2cf3abf16575af48bdc3e86e92ee8a617d upstream.
+
+The late 2009, 27 inch Apple iMac10,1 has an
+internal eDP display and an external Mini-
+Displayport output, driven by a DCE-3.2, RV730
+Radeon Mobility HD-4670.
+
+The machine worked fine in a dual-display setup
+with eDP panel + externally connected HDMI
+or DVI-D digital display sink, connected via
+MiniDP to DVI or HDMI adapter.
+
+However, booting the machine single-display with
+only eDP panel results in a completely black
+display - even backlight powering off, as soon as
+the radeon modesetting driver loads.
+
+This patch fixes the single dispay eDP case by
+assigning encoders based on dig->linkb, similar
+to DCE-4+. While this should not be generally
+necessary (Alex: "...atom on normal boards
+should be able to handle any mapping."), Apple
+seems to use some special routing here.
+
+One remaining problem not solved by this patch
+is that an external Minidisplayport->DP sink
+does still not work on iMac10,1, whereas external
+DVI and HDMI sinks continue to work.
+
+The problem affects at least all tested kernels
+since Linux 3.13 - didn't test earlier kernels, so
+backporting to stable probably makes sense.
+
+v2: With the original patch from 2016, Alex was worried it
+    will break other DCE3.2 systems. Use dmi_match() to
+    apply this special encoder assignment only for the
+    Apple iMac 10,1 from late 2009.
+
+Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: Michel Dänzer <michel.daenzer@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/atombios_encoders.c |   13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/atombios_encoders.c
++++ b/drivers/gpu/drm/radeon/atombios_encoders.c
+@@ -31,6 +31,7 @@
+ #include "radeon_asic.h"
+ #include "atom.h"
+ #include <linux/backlight.h>
++#include <linux/dmi.h>
+ extern int atom_debug;
+@@ -2184,9 +2185,17 @@ int radeon_atom_pick_dig_encoder(struct
+               goto assigned;
+       }
+-      /* on DCE32 and encoder can driver any block so just crtc id */
++      /*
++       * On DCE32 any encoder can drive any block so usually just use crtc id,
++       * but Apple thinks different at least on iMac10,1, so there use linkb,
++       * otherwise the internal eDP panel will stay dark.
++       */
+       if (ASIC_IS_DCE32(rdev)) {
+-              enc_idx = radeon_crtc->crtc_id;
++              if (dmi_match(DMI_PRODUCT_NAME, "iMac10,1"))
++                      enc_idx = (dig->linkb) ? 1 : 0;
++              else
++                      enc_idx = radeon_crtc->crtc_id;
++
+               goto assigned;
+       }
diff --git a/queue-4.12/drm-ttm-fix-use-after-free-in-ttm_bo_clean_mm.patch b/queue-4.12/drm-ttm-fix-use-after-free-in-ttm_bo_clean_mm.patch
new file mode 100644 (file)
index 0000000..cbb1848
--- /dev/null
@@ -0,0 +1,102 @@
+From 8046e1955465e3f24e9154d0f2a2e0a8e3f8dccf Mon Sep 17 00:00:00 2001
+From: John Brooks <john@fastquake.com>
+Date: Mon, 3 Jul 2017 14:05:34 -0400
+Subject: drm/ttm: Fix use-after-free in ttm_bo_clean_mm
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John Brooks <john@fastquake.com>
+
+commit 8046e1955465e3f24e9154d0f2a2e0a8e3f8dccf upstream.
+
+We unref the man->move fence in ttm_bo_clean_mm() and then call
+ttm_bo_force_list_clean() which waits on it, except the refcount is now
+zero so a warning is generated (or worse):
+
+[149492.279301] refcount_t: increment on 0; use-after-free.
+[149492.279309] ------------[ cut here ]------------
+[149492.279315] WARNING: CPU: 3 PID: 18726 at lib/refcount.c:150 refcount_inc+0x2b/0x30
+[149492.279315] Modules linked in: vhost_net vhost tun x86_pkg_temp_thermal crc32_pclmul ghash_clmulni_intel efivarfs amdgpu(
+-) i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm
+[149492.279326] CPU: 3 PID: 18726 Comm: rmmod Not tainted 4.12.0-rc5-drm-next-4.13-ttmpatch+ #1
+[149492.279326] Hardware name: Gigabyte Technology Co., Ltd. Z97X-UD3H-BK/Z97X-UD3H-BK-CF, BIOS F6 06/17/2014
+[149492.279327] task: ffff8804ddfedcc0 task.stack: ffffc90008d20000
+[149492.279329] RIP: 0010:refcount_inc+0x2b/0x30
+[149492.279330] RSP: 0018:ffffc90008d23c30 EFLAGS: 00010286
+[149492.279331] RAX: 000000000000002b RBX: 0000000000000170 RCX: 0000000000000000
+[149492.279331] RDX: 0000000000000000 RSI: ffff88051ecccbe8 RDI: ffff88051ecccbe8
+[149492.279332] RBP: ffffc90008d23c30 R08: 0000000000000001 R09: 00000000000003ee
+[149492.279333] R10: ffffc90008d23bb0 R11: 00000000000003ee R12: ffff88043aaac960
+[149492.279333] R13: ffff8805005e28a8 R14: 0000000000000002 R15: ffff88050115e178
+[149492.279334] FS:  00007fc540168700(0000) GS:ffff88051ecc0000(0000) knlGS:0000000000000000
+[149492.279335] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[149492.279336] CR2: 00007fc3e8654140 CR3: 000000027ba77000 CR4: 00000000001426e0
+[149492.279337] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[149492.279337] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[149492.279338] Call Trace:
+[149492.279345]  ttm_bo_force_list_clean+0xb9/0x110 [ttm]
+[149492.279348]  ttm_bo_clean_mm+0x7a/0xe0 [ttm]
+[149492.279375]  amdgpu_ttm_fini+0xc9/0x1f0 [amdgpu]
+[149492.279392]  amdgpu_bo_fini+0x12/0x40 [amdgpu]
+[149492.279415]  gmc_v7_0_sw_fini+0x32/0x40 [amdgpu]
+[149492.279430]  amdgpu_fini+0x2c9/0x490 [amdgpu]
+[149492.279445]  amdgpu_device_fini+0x58/0x1b0 [amdgpu]
+[149492.279461]  amdgpu_driver_unload_kms+0x4f/0xa0 [amdgpu]
+[149492.279470]  drm_dev_unregister+0x3c/0xe0 [drm]
+[149492.279485]  amdgpu_pci_remove+0x19/0x30 [amdgpu]
+[149492.279487]  pci_device_remove+0x39/0xc0
+[149492.279490]  device_release_driver_internal+0x155/0x210
+[149492.279491]  driver_detach+0x38/0x70
+[149492.279493]  bus_remove_driver+0x4c/0xa0
+[149492.279494]  driver_unregister+0x2c/0x40
+[149492.279496]  pci_unregister_driver+0x21/0x90
+[149492.279520]  amdgpu_exit+0x15/0x406 [amdgpu]
+[149492.279523]  SyS_delete_module+0x1a8/0x270
+[149492.279525]  ? exit_to_usermode_loop+0x92/0xa0
+[149492.279528]  entry_SYSCALL_64_fastpath+0x13/0x94
+[149492.279529] RIP: 0033:0x7fc53fcb68e7
+[149492.279529] RSP: 002b:00007ffcfbfaabb8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
+[149492.279531] RAX: ffffffffffffffda RBX: 0000563117adb200 RCX: 00007fc53fcb68e7
+[149492.279531] RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000563117adb268
+[149492.279532] RBP: 0000000000000003 R08: 0000000000000000 R09: 1999999999999999
+[149492.279533] R10: 0000000000000883 R11: 0000000000000206 R12: 00007ffcfbfa9ba0
+[149492.279533] R13: 0000000000000000 R14: 0000000000000000 R15: 0000563117adb200
+[149492.279534] Code: 55 48 89 e5 e8 77 fe ff ff 84 c0 74 02 5d c3 80 3d 40 f2 a4 00 00 75 f5 48 c7 c7 20 3c ca 81 c6 05 30 f2 a4 00 01 e8 91 f0 d7 ff <0f> ff 5d c3 90 55 48 89 fe bf 01 00 00 00 48 89 e5 e8 9f fe ff
+[149492.279557] ---[ end trace 2d4e0ffcb66a1016 ]---
+
+Unref the fence *after* waiting for it.
+
+v2: Set man->move to NULL after dropping the last ref (Christian König)
+
+Fixes: aff98ba1fdb8 (drm/ttm: wait for eviction in ttm_bo_force_list_clean)
+Signed-off-by: John Brooks <john@fastquake.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ttm/ttm_bo.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ttm/ttm_bo.c
++++ b/drivers/gpu/drm/ttm/ttm_bo.c
+@@ -1353,7 +1353,6 @@ int ttm_bo_clean_mm(struct ttm_bo_device
+                      mem_type);
+               return ret;
+       }
+-      dma_fence_put(man->move);
+       man->use_type = false;
+       man->has_type = false;
+@@ -1369,6 +1368,9 @@ int ttm_bo_clean_mm(struct ttm_bo_device
+               ret = (*man->func->takedown)(man);
+       }
++      dma_fence_put(man->move);
++      man->move = NULL;
++
+       return ret;
+ }
+ EXPORT_SYMBOL(ttm_bo_clean_mm);
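Review bot: The new `dma_fence_put(man->move); man->move = NULL;` at the end of ttm_bo_clean_mm() drops the reference before clearing the pointer and takes no lock in the visible lines, so for a moment man->move may refer to a fence that is already freed. That is safe only if nothing else can read man->move once use_type is false, which the hunk does not show. Since the bug being fixed is a use-after-free on this same pointer, the assumption deserves a comment, for example `/* manager is disabled and its lists are clean: no other reader of man->move */`. If that cannot be guaranteed, clear the pointer under whatever lock the other users of man->move take and put the fence afterwards.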
diff --git a/queue-4.12/ext2-don-t-clear-sgid-when-inheriting-acls.patch b/queue-4.12/ext2-don-t-clear-sgid-when-inheriting-acls.patch
new file mode 100644 (file)
index 0000000..c0c34c6
--- /dev/null
@@ -0,0 +1,99 @@
+From a992f2d38e4ce17b8c7d1f7f67b2de0eebdea069 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 21 Jun 2017 14:34:15 +0200
+Subject: ext2: Don't clear SGID when inheriting ACLs
+
+From: Jan Kara <jack@suse.cz>
+
+commit a992f2d38e4ce17b8c7d1f7f67b2de0eebdea069 upstream.
+
+When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
+set, DIR1 is expected to have SGID bit set (and owning group equal to
+the owning group of 'DIR0'). However when 'DIR0' also has some default
+ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
+'DIR1' to get cleared if user is not member of the owning group.
+
+Fix the problem by creating __ext2_set_acl() function that does not call
+posix_acl_update_mode() and use it when inheriting ACLs. That prevents
+SGID bit clearing and the mode has been properly set by
+posix_acl_create() anyway.
+
+Fixes: 073931017b49d9458aa351605b43a7e34598caef
+CC: linux-ext4@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext2/acl.c |   36 ++++++++++++++++++++++--------------
+ 1 file changed, 22 insertions(+), 14 deletions(-)
+
+--- a/fs/ext2/acl.c
++++ b/fs/ext2/acl.c
+@@ -175,11 +175,8 @@ ext2_get_acl(struct inode *inode, int ty
+       return acl;
+ }
+-/*
+- * inode->i_mutex: down
+- */
+-int
+-ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
++static int
++__ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
+ {
+       int name_index;
+       void *value = NULL;
+@@ -189,13 +186,6 @@ ext2_set_acl(struct inode *inode, struct
+       switch(type) {
+               case ACL_TYPE_ACCESS:
+                       name_index = EXT2_XATTR_INDEX_POSIX_ACL_ACCESS;
+-                      if (acl) {
+-                              error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+-                              if (error)
+-                                      return error;
+-                              inode->i_ctime = current_time(inode);
+-                              mark_inode_dirty(inode);
+-                      }
+                       break;
+               case ACL_TYPE_DEFAULT:
+@@ -222,6 +212,24 @@ ext2_set_acl(struct inode *inode, struct
+ }
+ /*
++ * inode->i_mutex: down
++ */
++int
++ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
++{
++      int error;
++
++      if (type == ACL_TYPE_ACCESS && acl) {
++              error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
++              if (error)
++                      return error;
++              inode->i_ctime = current_time(inode);
++              mark_inode_dirty(inode);
++      }
++      return __ext2_set_acl(inode, acl, type);
++}
++
++/*
+  * Initialize the ACLs of a new inode. Called from ext2_new_inode.
+  *
+  * dir->i_mutex: down
+@@ -238,12 +246,12 @@ ext2_init_acl(struct inode *inode, struc
+               return error;
+       if (default_acl) {
+-              error = ext2_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
++              error = __ext2_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
+               posix_acl_release(default_acl);
+       }
+       if (acl) {
+               if (!error)
+-                      error = ext2_set_acl(inode, acl, ACL_TYPE_ACCESS);
++                      error = __ext2_set_acl(inode, acl, ACL_TYPE_ACCESS);
+               posix_acl_release(acl);
+       }
+       return error;
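Review bot: The new ext2_set_acl() wrapper writes inode->i_mode and i_ctime before calling __ext2_set_acl(), so when the xattr update fails the inode keeps a mode that no longer matches its stored ACL. Since the mode carries the permission and SGID bits this patch is concerned with, it would be safer to let posix_acl_update_mode() fill a local `umode_t mode` and copy it into the inode only after __ext2_set_acl() returns 0. The static helper also lost the `inode->i_mutex: down` comment, which still applies to it as far as the hunk shows.

```c
int
ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
{
	int error;
	int update_mode = 0;
	umode_t mode = inode->i_mode;

	if (type == ACL_TYPE_ACCESS && acl) {
		error = posix_acl_update_mode(inode, &mode, &acl);
		if (error)
			return error;
		update_mode = 1;
	}
	error = __ext2_set_acl(inode, acl, type);
	/* publish the new mode only once the ACL xattr is stored */
	if (!error && update_mode) {
		inode->i_mode = mode;
		inode->i_ctime = current_time(inode);
		mark_inode_dirty(inode);
	}
	return error;
}
```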
diff --git a/queue-4.12/f2fs-do-not-issue-small-discards-in-lfs-mode.patch b/queue-4.12/f2fs-do-not-issue-small-discards-in-lfs-mode.patch
new file mode 100644 (file)
index 0000000..9eac216
--- /dev/null
@@ -0,0 +1,36 @@
+From acfd2810c75b0625897fc119a2d3a9c26cc0e405 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <damien.lemoal@wdc.com>
+Date: Fri, 26 May 2017 17:04:40 +0900
+Subject: f2fs: Do not issue small discards in LFS mode
+
+From: Damien Le Moal <damien.lemoal@wdc.com>
+
+commit acfd2810c75b0625897fc119a2d3a9c26cc0e405 upstream.
+
+clear_prefree_segments() issues small discards after discarding full
+segments. These small discards may not be section aligned, so not zone
+aligned on a zoned block device, causing __f2fs_iissue_discard_zone() to fail.
+Fix this by not issuing small discards for a volume mounted with the BLKZONED
+feature enabled.
+
+Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/segment.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -1329,7 +1329,8 @@ find_next:
+                                       sbi->blocks_per_seg, cur_pos);
+                       len = next_pos - cur_pos;
+-                      if (force && len < cpc->trim_minlen)
++                      if (f2fs_sb_mounted_blkzoned(sbi->sb) ||
++                          (force && len < cpc->trim_minlen))
+                               goto skip;
+                       f2fs_issue_discard(sbi, entry->start_blkaddr + cur_pos,
diff --git a/queue-4.12/f2fs-don-t-clear-sgid-when-inheriting-acls.patch b/queue-4.12/f2fs-don-t-clear-sgid-when-inheriting-acls.patch
new file mode 100644 (file)
index 0000000..0346390
--- /dev/null
@@ -0,0 +1,34 @@
+From c925dc162f770578ff4a65ec9b08270382dba9e6 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Tue, 11 Jul 2017 14:56:49 -0700
+Subject: f2fs: Don't clear SGID when inheriting ACLs
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+commit c925dc162f770578ff4a65ec9b08270382dba9e6 upstream.
+
+This patch copies commit b7f8a09f80:
+"btrfs: Don't clear SGID when inheriting ACLs" written by Jan.
+
+Fixes: 073931017b49d9458aa351605b43a7e34598caef
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/acl.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/f2fs/acl.c
++++ b/fs/f2fs/acl.c
+@@ -211,7 +211,7 @@ static int __f2fs_set_acl(struct inode *
+       switch (type) {
+       case ACL_TYPE_ACCESS:
+               name_index = F2FS_XATTR_INDEX_POSIX_ACL_ACCESS;
+-              if (acl) {
++              if (acl && !ipage) {
+                       error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+                       if (error)
+                               return error;
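Review bot: The `acl && !ipage` test in __f2fs_set_acl() uses the ipage argument as an implicit marker for the inherit-at-create path, and nothing next to the posix_acl_update_mode() call says so. A later caller that passes an inode page for another reason would silently skip the mode update, including the SGID handling it performs. The condition should be explained in place: `/* ipage is set only when inheriting ACLs for a new inode; its mode is already final */`. That ipage is passed only from the inheriting path is inferred from the commit message and should be confirmed against the callers. Those callers, and the start and end of the function body, lie outside the hunk.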
diff --git a/queue-4.12/f2fs-load-inode-s-flag-from-disk.patch b/queue-4.12/f2fs-load-inode-s-flag-from-disk.patch
new file mode 100644 (file)
index 0000000..7334bba
--- /dev/null
@@ -0,0 +1,64 @@
+From 93607124c5450148e592c3d18ac533b4e5f25b8b Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Tue, 16 May 2017 13:20:16 -0700
+Subject: f2fs: load inode's flag from disk
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+commit 93607124c5450148e592c3d18ac533b4e5f25b8b upstream.
+
+This patch fixes missing inode flag loaded from disk, reported by Tom.
+
+[tom@localhost ~]$ sudo mount /dev/loop0 /mnt/
+[tom@localhost ~]$ sudo chown tom:tom /mnt/
+[tom@localhost ~]$ touch /mnt/testfile
+[tom@localhost ~]$ sudo chattr +i /mnt/testfile
+[tom@localhost ~]$ echo test > /mnt/testfile
+bash: /mnt/testfile: Operation not permitted
+[tom@localhost ~]$ rm /mnt/testfile
+rm: cannot remove '/mnt/testfile': Operation not permitted
+[tom@localhost ~]$ sudo umount /mnt/
+[tom@localhost ~]$ sudo mount /dev/loop0 /mnt/
+[tom@localhost ~]$ lsattr /mnt/testfile
+----i-------------- /mnt/testfile
+[tom@localhost ~]$ echo test > /mnt/testfile
+[tom@localhost ~]$ rm /mnt/testfile
+[tom@localhost ~]$ sudo umount /mnt/
+
+Reported-by: Tom Yan <tom.ty89@outlook.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/file.c  |    1 +
+ fs/f2fs/inode.c |    2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -1493,6 +1493,7 @@ static int f2fs_ioc_setflags(struct file
+       inode->i_ctime = current_time(inode);
+       f2fs_set_inode_flags(inode);
++      f2fs_mark_inode_dirty_sync(inode, false);
+       inode_unlock(inode);
+ out:
+--- a/fs/f2fs/inode.c
++++ b/fs/f2fs/inode.c
+@@ -44,7 +44,6 @@ void f2fs_set_inode_flags(struct inode *
+               new_fl |= S_DIRSYNC;
+       inode_set_flags(inode, new_fl,
+                       S_SYNC|S_APPEND|S_IMMUTABLE|S_NOATIME|S_DIRSYNC);
+-      f2fs_mark_inode_dirty_sync(inode, false);
+ }
+ static void __get_inode_rdev(struct inode *inode, struct f2fs_inode *ri)
+@@ -226,6 +225,7 @@ make_now:
+               ret = -EIO;
+               goto bad_inode;
+       }
++      f2fs_set_inode_flags(inode);
+       unlock_new_inode(inode);
+       trace_f2fs_iget(inode);
+       return inode;
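Review bot: f2fs_set_inode_flags() no longer marks the inode dirty, and the only caller updated in this patch is f2fs_ioc_setflags(). Any other caller that changes the flags and relied on the helper to dirty the inode could now lose the change, so the callers, which are not visible here, should be checked before this is queued. Documenting the new contract on the helper would help: `/* Only updates inode->i_flags; callers that changed the on-disk flags must mark the inode dirty. */`. The added call after the make_now label is what restores enforcement of the immutable flag after a remount, so a regression on this path is a loss of an access control.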
diff --git a/queue-4.12/f2fs-sanity-check-checkpoint-segno-and-blkoff.patch b/queue-4.12/f2fs-sanity-check-checkpoint-segno-and-blkoff.patch
new file mode 100644 (file)
index 0000000..5a1a3c6
--- /dev/null
@@ -0,0 +1,52 @@
+From 15d3042a937c13f5d9244241c7a9c8416ff6e82a Mon Sep 17 00:00:00 2001
+From: Jin Qian <jinqian@google.com>
+Date: Mon, 15 May 2017 10:45:08 -0700
+Subject: f2fs: sanity check checkpoint segno and blkoff
+
+From: Jin Qian <jinqian@google.com>
+
+commit 15d3042a937c13f5d9244241c7a9c8416ff6e82a upstream.
+
+Make sure segno and blkoff read from raw image are valid.
+
+Signed-off-by: Jin Qian <jinqian@google.com>
+[Jaegeuk Kim: adjust minor coding style]
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/super.c |   16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1521,6 +1521,8 @@ int sanity_check_ckpt(struct f2fs_sb_inf
+       struct f2fs_super_block *raw_super = F2FS_RAW_SUPER(sbi);
+       struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi);
+       unsigned int ovp_segments, reserved_segments;
++      unsigned int main_segs, blocks_per_seg;
++      int i;
+       total = le32_to_cpu(raw_super->segment_count);
+       fsmeta = le32_to_cpu(raw_super->segment_count_ckpt);
+@@ -1542,6 +1544,20 @@ int sanity_check_ckpt(struct f2fs_sb_inf
+               return 1;
+       }
++      main_segs = le32_to_cpu(raw_super->segment_count_main);
++      blocks_per_seg = sbi->blocks_per_seg;
++
++      for (i = 0; i < NR_CURSEG_NODE_TYPE; i++) {
++              if (le32_to_cpu(ckpt->cur_node_segno[i]) >= main_segs ||
++                      le16_to_cpu(ckpt->cur_node_blkoff[i]) >= blocks_per_seg)
++                      return 1;
++      }
++      for (i = 0; i < NR_CURSEG_DATA_TYPE; i++) {
++              if (le32_to_cpu(ckpt->cur_data_segno[i]) >= main_segs ||
++                      le16_to_cpu(ckpt->cur_data_blkoff[i]) >= blocks_per_seg)
++                      return 1;
++      }
++
+       if (unlikely(f2fs_cp_error(sbi))) {
+               f2fs_msg(sbi->sb, KERN_ERR, "A bug case: need to run fsck");
+               return 1;
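Review bot: The two new loops in sanity_check_ckpt() reject an out-of-range cur_node or cur_data segno/blkoff with a bare `return 1`, while the neighbouring f2fs_cp_error() check logs through f2fs_msg() before failing. A mount that is refused because of a corrupted or crafted image then leaves no trace of which field was wrong. Adding a message before each return, for instance `f2fs_msg(sbi->sb, KERN_ERR, "Wrong cur_node segno or blkoff in checkpoint");`, would make this diagnosable. The same applies to the silent `return -EINVAL` added to restore_curseg_summaries() in f2fs-sanity-check-size-of-nat-and-sit-cache.patch. main_segs comes from the same on-disk superblock, and whether segment_count_main is validated before this point is not visible in the hunk.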
diff --git a/queue-4.12/f2fs-sanity-check-size-of-nat-and-sit-cache.patch b/queue-4.12/f2fs-sanity-check-size-of-nat-and-sit-cache.patch
new file mode 100644 (file)
index 0000000..4386890
--- /dev/null
@@ -0,0 +1,43 @@
+From 21d3f8e1c3b7996ce239ab6fa82e9f7a8c47d84d Mon Sep 17 00:00:00 2001
+From: Jin Qian <jinqian@android.com>
+Date: Thu, 1 Jun 2017 11:18:30 -0700
+Subject: f2fs: sanity check size of nat and sit cache
+
+From: Jin Qian <jinqian@android.com>
+
+commit 21d3f8e1c3b7996ce239ab6fa82e9f7a8c47d84d upstream.
+
+Make sure number of entires doesn't exceed max journal size.
+
+Signed-off-by: Jin Qian <jinqian@android.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/segment.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -2463,6 +2463,8 @@ static int read_normal_summaries(struct
+ static int restore_curseg_summaries(struct f2fs_sb_info *sbi)
+ {
++      struct f2fs_journal *sit_j = CURSEG_I(sbi, CURSEG_COLD_DATA)->journal;
++      struct f2fs_journal *nat_j = CURSEG_I(sbi, CURSEG_HOT_DATA)->journal;
+       int type = CURSEG_HOT_DATA;
+       int err;
+@@ -2489,6 +2491,11 @@ static int restore_curseg_summaries(stru
+                       return err;
+       }
++      /* sanity check for summary blocks */
++      if (nats_in_cursum(nat_j) > NAT_JOURNAL_ENTRIES ||
++                      sits_in_cursum(sit_j) > SIT_JOURNAL_ENTRIES)
++              return -EINVAL;
++
+       return 0;
+ }
diff --git a/queue-4.12/f2fs-try-to-freeze-in-gc-and-discard-threads.patch b/queue-4.12/f2fs-try-to-freeze-in-gc-and-discard-threads.patch
new file mode 100644 (file)
index 0000000..eab4dc3
--- /dev/null
@@ -0,0 +1,84 @@
+From 1d7be2708277edfef95171d52fb65ee26eaa076b Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Wed, 17 May 2017 10:36:58 -0700
+Subject: f2fs: try to freeze in gc and discard threads
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+commit 1d7be2708277edfef95171d52fb65ee26eaa076b upstream.
+
+This allows to freeze gc and discard threads.
+
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/gc.c      |    9 +++++----
+ fs/f2fs/segment.c |   25 ++++++++++++++++---------
+ 2 files changed, 21 insertions(+), 13 deletions(-)
+
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -32,13 +32,14 @@ static int gc_thread_func(void *data)
+       wait_ms = gc_th->min_sleep_time;
++      set_freezable();
+       do {
++              wait_event_interruptible_timeout(*wq,
++                              kthread_should_stop() || freezing(current),
++                              msecs_to_jiffies(wait_ms));
++
+               if (try_to_freeze())
+                       continue;
+-              else
+-                      wait_event_interruptible_timeout(*wq,
+-                                              kthread_should_stop(),
+-                                              msecs_to_jiffies(wait_ms));
+               if (kthread_should_stop())
+                       break;
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -16,6 +16,7 @@
+ #include <linux/kthread.h>
+ #include <linux/swap.h>
+ #include <linux/timer.h>
++#include <linux/freezer.h>
+ #include "f2fs.h"
+ #include "segment.h"
+@@ -1060,18 +1061,24 @@ static int issue_discard_thread(void *da
+       struct f2fs_sb_info *sbi = data;
+       struct discard_cmd_control *dcc = SM_I(sbi)->dcc_info;
+       wait_queue_head_t *q = &dcc->discard_wait_queue;
+-repeat:
+-      if (kthread_should_stop())
+-              return 0;
+-      __issue_discard_cmd(sbi, true);
+-      __wait_discard_cmd(sbi, true);
++      set_freezable();
+-      congestion_wait(BLK_RW_SYNC, HZ/50);
++      do {
++              wait_event_interruptible(*q, kthread_should_stop() ||
++                                      freezing(current) ||
++                                      atomic_read(&dcc->discard_cmd_cnt));
++              if (try_to_freeze())
++                      continue;
++              if (kthread_should_stop())
++                      return 0;
+-      wait_event_interruptible(*q, kthread_should_stop() ||
+-                              atomic_read(&dcc->discard_cmd_cnt));
+-      goto repeat;
++              __issue_discard_cmd(sbi, true);
++              __wait_discard_cmd(sbi, true);
++
++              congestion_wait(BLK_RW_SYNC, HZ/50);
++      } while (!kthread_should_stop());
++      return 0;
+ }
+ #ifdef CONFIG_BLK_DEV_ZONED
diff --git a/queue-4.12/f2fs-use-spin_-un-lock_irq-save-restore.patch b/queue-4.12/f2fs-use-spin_-un-lock_irq-save-restore.patch
new file mode 100644 (file)
index 0000000..24f025d
--- /dev/null
@@ -0,0 +1,231 @@
+From d1aa245354ae4605d1183f542ed8d45811c439f6 Mon Sep 17 00:00:00 2001
+From: Chao Yu <yuchao0@huawei.com>
+Date: Fri, 7 Jul 2017 14:10:15 +0800
+Subject: f2fs: use spin_{,un}lock_irq{save,restore}
+
+From: Chao Yu <yuchao0@huawei.com>
+
+commit d1aa245354ae4605d1183f542ed8d45811c439f6 upstream.
+
+generic/361 reports below warning, this is because: once, there is
+someone entering into critical region of sbi.cp_lock, if write_end_io.
+f2fs_stop_checkpoint is invoked from an triggered IRQ, we will encounter
+deadlock.
+
+So this patch changes to use spin_{,un}lock_irq{save,restore} to create
+critical region without IRQ enabled to avoid potential deadlock.
+
+ irq event stamp: 83391573
+ loop: Write error at byte offset 438729728, length 1024.
+ hardirqs last  enabled at (83391573): [<c1809752>] restore_all+0xf/0x65
+ hardirqs last disabled at (83391572): [<c1809eac>] reschedule_interrupt+0x30/0x3c
+ loop: Write error at byte offset 438860288, length 1536.
+ softirqs last  enabled at (83389244): [<c180cc4e>] __do_softirq+0x1ae/0x476
+ softirqs last disabled at (83389237): [<c101ca7c>] do_softirq_own_stack+0x2c/0x40
+ loop: Write error at byte offset 438990848, length 2048.
+ ================================
+ WARNING: inconsistent lock state
+ 4.12.0-rc2+ #30 Tainted: G           O
+ --------------------------------
+ inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
+ xfs_io/7959 [HC1[1]:SC0[0]:HE0:SE1] takes:
+  (&(&sbi->cp_lock)->rlock){?.+...}, at: [<f96f96cc>] f2fs_stop_checkpoint+0x1c/0x50 [f2fs]
+ {HARDIRQ-ON-W} state was registered at:
+   __lock_acquire+0x527/0x7b0
+   lock_acquire+0xae/0x220
+   _raw_spin_lock+0x42/0x50
+   do_checkpoint+0x165/0x9e0 [f2fs]
+   write_checkpoint+0x33f/0x740 [f2fs]
+   __f2fs_sync_fs+0x92/0x1f0 [f2fs]
+   f2fs_sync_fs+0x12/0x20 [f2fs]
+   sync_filesystem+0x67/0x80
+   generic_shutdown_super+0x27/0x100
+   kill_block_super+0x22/0x50
+   kill_f2fs_super+0x3a/0x40 [f2fs]
+   deactivate_locked_super+0x3d/0x70
+   deactivate_super+0x40/0x60
+   cleanup_mnt+0x39/0x70
+   __cleanup_mnt+0x10/0x20
+   task_work_run+0x69/0x80
+   exit_to_usermode_loop+0x57/0x85
+   do_fast_syscall_32+0x18c/0x1b0
+   entry_SYSENTER_32+0x4c/0x7b
+ irq event stamp: 1957420
+ hardirqs last  enabled at (1957419): [<c1808f37>] _raw_spin_unlock_irq+0x27/0x50
+ hardirqs last disabled at (1957420): [<c1809f9c>] call_function_single_interrupt+0x30/0x3c
+ softirqs last  enabled at (1953784): [<c180cc4e>] __do_softirq+0x1ae/0x476
+ softirqs last disabled at (1953773): [<c101ca7c>] do_softirq_own_stack+0x2c/0x40
+
+ other info that might help us debug this:
+  Possible unsafe locking scenario:
+
+        CPU0
+        ----
+   lock(&(&sbi->cp_lock)->rlock);
+   <Interrupt>
+     lock(&(&sbi->cp_lock)->rlock);
+
+  *** DEADLOCK ***
+
+ 2 locks held by xfs_io/7959:
+  #0:  (sb_writers#13){.+.+.+}, at: [<c11fd7ca>] vfs_write+0x16a/0x190
+  #1:  (&sb->s_type->i_mutex_key#16){+.+.+.}, at: [<f96e33f5>] f2fs_file_write_iter+0x25/0x140 [f2fs]
+
+ stack backtrace:
+ CPU: 2 PID: 7959 Comm: xfs_io Tainted: G           O    4.12.0-rc2+ #30
+ Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+ Call Trace:
+  dump_stack+0x5f/0x92
+  print_usage_bug+0x1d3/0x1dd
+  ? check_usage_backwards+0xe0/0xe0
+  mark_lock+0x23d/0x280
+  __lock_acquire+0x699/0x7b0
+  ? __this_cpu_preempt_check+0xf/0x20
+  ? trace_hardirqs_off_caller+0x91/0xe0
+  lock_acquire+0xae/0x220
+  ? f2fs_stop_checkpoint+0x1c/0x50 [f2fs]
+  _raw_spin_lock+0x42/0x50
+  ? f2fs_stop_checkpoint+0x1c/0x50 [f2fs]
+  f2fs_stop_checkpoint+0x1c/0x50 [f2fs]
+  f2fs_write_end_io+0x147/0x150 [f2fs]
+  bio_endio+0x7a/0x1e0
+  blk_update_request+0xad/0x410
+  blk_mq_end_request+0x16/0x60
+  lo_complete_rq+0x3c/0x70
+  __blk_mq_complete_request_remote+0x11/0x20
+  flush_smp_call_function_queue+0x6d/0x120
+  ? debug_smp_processor_id+0x12/0x20
+  generic_smp_call_function_single_interrupt+0x12/0x30
+  smp_call_function_single_interrupt+0x25/0x40
+  call_function_single_interrupt+0x37/0x3c
+ EIP: _raw_spin_unlock_irq+0x2d/0x50
+ EFLAGS: 00000296 CPU: 2
+ EAX: 00000001 EBX: d2ccc51c ECX: 00000001 EDX: c1aacebd
+ ESI: 00000000 EDI: 00000000 EBP: c96c9d1c ESP: c96c9d18
+  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
+  ? inherit_task_group.isra.98.part.99+0x6b/0xb0
+  __add_to_page_cache_locked+0x1d4/0x290
+  add_to_page_cache_lru+0x38/0xb0
+  pagecache_get_page+0x8e/0x200
+  f2fs_write_begin+0x96/0xf00 [f2fs]
+  ? trace_hardirqs_on_caller+0xdd/0x1c0
+  ? current_time+0x17/0x50
+  ? trace_hardirqs_on+0xb/0x10
+  generic_perform_write+0xa9/0x170
+  __generic_file_write_iter+0x1a2/0x1f0
+  ? f2fs_preallocate_blocks+0x137/0x160 [f2fs]
+  f2fs_file_write_iter+0x6e/0x140 [f2fs]
+  ? __lock_acquire+0x429/0x7b0
+  __vfs_write+0xc1/0x140
+  vfs_write+0x9b/0x190
+  SyS_pwrite64+0x63/0xa0
+  do_fast_syscall_32+0xa1/0x1b0
+  entry_SYSENTER_32+0x4c/0x7b
+ EIP: 0xb7786c61
+ EFLAGS: 00000293 CPU: 2
+ EAX: ffffffda EBX: 00000003 ECX: 08416000 EDX: 00001000
+ ESI: 18b24000 EDI: 00000000 EBP: 00000003 ESP: bf9b36b0
+  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b
+
+Fixes: aaec2b1d1879 ("f2fs: introduce cp_lock to protect updating of ckpt_flags")
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/checkpoint.c |   11 ++++++-----
+ fs/f2fs/f2fs.h       |   18 ++++++++++++------
+ 2 files changed, 18 insertions(+), 11 deletions(-)
+
+--- a/fs/f2fs/checkpoint.c
++++ b/fs/f2fs/checkpoint.c
+@@ -1051,8 +1051,9 @@ static void update_ckpt_flags(struct f2f
+ {
+       unsigned long orphan_num = sbi->im[ORPHAN_INO].ino_num;
+       struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi);
++      unsigned long flags;
+-      spin_lock(&sbi->cp_lock);
++      spin_lock_irqsave(&sbi->cp_lock, flags);
+       if ((cpc->reason & CP_UMOUNT) &&
+                       le32_to_cpu(ckpt->cp_pack_total_block_count) >
+@@ -1083,14 +1084,14 @@ static void update_ckpt_flags(struct f2f
+       /* set this flag to activate crc|cp_ver for recovery */
+       __set_ckpt_flags(ckpt, CP_CRC_RECOVERY_FLAG);
+-      spin_unlock(&sbi->cp_lock);
++      spin_unlock_irqrestore(&sbi->cp_lock, flags);
+ }
+ static int do_checkpoint(struct f2fs_sb_info *sbi, struct cp_control *cpc)
+ {
+       struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi);
+       struct f2fs_nm_info *nm_i = NM_I(sbi);
+-      unsigned long orphan_num = sbi->im[ORPHAN_INO].ino_num;
++      unsigned long orphan_num = sbi->im[ORPHAN_INO].ino_num, flags;
+       block_t start_blk;
+       unsigned int data_sum_blocks, orphan_blocks;
+       __u32 crc32 = 0;
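Review bot: The declaration `unsigned long orphan_num = sbi->im[ORPHAN_INO].ino_num, flags;` in do_checkpoint puts the uninitialised IRQ-state variable on the same line as an initialised one, which makes `flags` easy to miss when reading the locking. The other functions touched by this patch declare it on its own line; doing the same here with a separate `unsigned long flags;` keeps the pattern uniform. do_checkpoint's body continues outside the hunk.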
+@@ -1132,12 +1133,12 @@ static int do_checkpoint(struct f2fs_sb_
+       /* 2 cp  + n data seg summary + orphan inode blocks */
+       data_sum_blocks = npages_for_summary_flush(sbi, false);
+-      spin_lock(&sbi->cp_lock);
++      spin_lock_irqsave(&sbi->cp_lock, flags);
+       if (data_sum_blocks < NR_CURSEG_DATA_TYPE)
+               __set_ckpt_flags(ckpt, CP_COMPACT_SUM_FLAG);
+       else
+               __clear_ckpt_flags(ckpt, CP_COMPACT_SUM_FLAG);
+-      spin_unlock(&sbi->cp_lock);
++      spin_unlock_irqrestore(&sbi->cp_lock, flags);
+       orphan_blocks = GET_ORPHAN_BLOCKS(orphan_num);
+       ckpt->cp_pack_start_sum = cpu_to_le32(1 + cp_payload_blks +
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -1228,9 +1228,11 @@ static inline void __set_ckpt_flags(stru
+ static inline void set_ckpt_flags(struct f2fs_sb_info *sbi, unsigned int f)
+ {
+-      spin_lock(&sbi->cp_lock);
++      unsigned long flags;
++
++      spin_lock_irqsave(&sbi->cp_lock, flags);
+       __set_ckpt_flags(F2FS_CKPT(sbi), f);
+-      spin_unlock(&sbi->cp_lock);
++      spin_unlock_irqrestore(&sbi->cp_lock, flags);
+ }
+ static inline void __clear_ckpt_flags(struct f2fs_checkpoint *cp, unsigned int f)
+@@ -1244,22 +1246,26 @@ static inline void __clear_ckpt_flags(st
+ static inline void clear_ckpt_flags(struct f2fs_sb_info *sbi, unsigned int f)
+ {
+-      spin_lock(&sbi->cp_lock);
++      unsigned long flags;
++
++      spin_lock_irqsave(&sbi->cp_lock, flags);
+       __clear_ckpt_flags(F2FS_CKPT(sbi), f);
+-      spin_unlock(&sbi->cp_lock);
++      spin_unlock_irqrestore(&sbi->cp_lock, flags);
+ }
+ static inline void disable_nat_bits(struct f2fs_sb_info *sbi, bool lock)
+ {
++      unsigned long flags;
++
+       set_sbi_flag(sbi, SBI_NEED_FSCK);
+       if (lock)
+-              spin_lock(&sbi->cp_lock);
++              spin_lock_irqsave(&sbi->cp_lock, flags);
+       __clear_ckpt_flags(F2FS_CKPT(sbi), CP_NAT_BITS_FLAG);
+       kfree(NM_I(sbi)->nat_bits);
+       NM_I(sbi)->nat_bits = NULL;
+       if (lock)
+-              spin_unlock(&sbi->cp_lock);
++              spin_unlock_irqrestore(&sbi->cp_lock, flags);
+ }
+ static inline bool enabled_nat_bits(struct f2fs_sb_info *sbi,
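Review bot: In disable_nat_bits the `kfree(NM_I(sbi)->nat_bits)` call now runs with interrupts disabled whenever `lock` is true, which lengthens the IRQ-off window for work that does not need cp_lock. Consider reading the pointer into a local and setting `NM_I(sbi)->nat_bits = NULL` under the lock, then calling `kfree()` on the local after `spin_unlock_irqrestore()`. Separately, `flags` is written only when `lock` is true, so a compiler may report it as possibly uninitialised at the unlock; the two `if (lock)` tests are identical, so this is a warning concern rather than a runtime one.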
diff --git a/queue-4.12/f2fs-wake-up-all-waiters-in-f2fs_submit_discard_endio.patch b/queue-4.12/f2fs-wake-up-all-waiters-in-f2fs_submit_discard_endio.patch
new file mode 100644 (file)
index 0000000..71ede2f
--- /dev/null
@@ -0,0 +1,34 @@
+From e31b98215779e66a490471c6ad886ae231316699 Mon Sep 17 00:00:00 2001
+From: Chao Yu <yuchao0@huawei.com>
+Date: Fri, 19 May 2017 23:46:44 +0800
+Subject: f2fs: wake up all waiters in f2fs_submit_discard_endio
+
+From: Chao Yu <yuchao0@huawei.com>
+
+commit e31b98215779e66a490471c6ad886ae231316699 upstream.
+
+There could be more than one waiter waiting discard IO completion, so we
+need use complete_all() instead of complete() in f2fs_submit_discard_endio
+to avoid hungtask.
+
+Fixes:         ec9895add2c5 ("f2fs: don't hold cmd_lock during waiting discard
+command")
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/segment.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -751,7 +751,7 @@ static void f2fs_submit_discard_endio(st
+       dc->error = bio->bi_error;
+       dc->state = D_DONE;
+-      complete(&dc->wait);
++      complete_all(&dc->wait);
+       bio_put(bio);
+ }
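Review bot: `complete_all(&dc->wait)` leaves the completion signalled for every later waiter until it is reinitialised, so it is only correct if each discard command's `wait` serves a single I/O. That lifetime is not visible in this hunk; if it holds, a short comment above the call such as `/* one-shot: wakes every waiter on this discard command */` would record the assumption. The function starts outside the hunk.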
diff --git a/queue-4.12/ipmi-ssif-add-missing-unlock-in-error-branch.patch b/queue-4.12/ipmi-ssif-add-missing-unlock-in-error-branch.patch
new file mode 100644 (file)
index 0000000..7c550f8
--- /dev/null
@@ -0,0 +1,35 @@
+From 4495ec6d770e1bca7a04e93ac453ab6720c56c5d Mon Sep 17 00:00:00 2001
+From: Corey Minyard <cminyard@mvista.com>
+Date: Fri, 30 Jun 2017 07:18:08 -0500
+Subject: ipmi:ssif: Add missing unlock in error branch
+
+From: Corey Minyard <cminyard@mvista.com>
+
+commit 4495ec6d770e1bca7a04e93ac453ab6720c56c5d upstream.
+
+When getting flags, a response to a different message would
+result in a deadlock because of a missing unlock.  Add that
+unlock and a comment.  Found by static analysis.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/ipmi/ipmi_ssif.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -761,6 +761,11 @@ static void msg_done_handler(struct ssif
+                              result, len, data[2]);
+               } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2
+                          || data[1] != IPMI_GET_MSG_FLAGS_CMD) {
++                      /*
++                       * Don't abort here, maybe it was a queued
++                       * response to a previous command.
++                       */
++                      ipmi_ssif_unlock_cond(ssif_info, flags);
+                       pr_warn(PFX "Invalid response getting flags: %x %x\n",
+                               data[0], data[1]);
+               } else {
diff --git a/queue-4.12/ipmi-use-rcu-lock-around-call-to-intf-handlers-sender.patch b/queue-4.12/ipmi-use-rcu-lock-around-call-to-intf-handlers-sender.patch
new file mode 100644 (file)
index 0000000..2d1e800
--- /dev/null
@@ -0,0 +1,124 @@
+From cdea46566bb21ce309725a024208322a409055cc Mon Sep 17 00:00:00 2001
+From: Tony Camuso <tcamuso@redhat.com>
+Date: Mon, 19 Jun 2017 13:17:33 -0400
+Subject: ipmi: use rcu lock around call to intf->handlers->sender()
+
+From: Tony Camuso <tcamuso@redhat.com>
+
+commit cdea46566bb21ce309725a024208322a409055cc upstream.
+
+A vendor with a system having more than 128 CPUs occasionally encounters
+the following crash during shutdown. This is not an easily reproduceable
+event, but the vendor was able to provide the following analysis of the
+crash, which exhibits the same footprint each time.
+
+crash> bt
+PID: 0      TASK: ffff88017c70ce70  CPU: 5   COMMAND: "swapper/5"
+ #0 [ffff88085c143ac8] machine_kexec at ffffffff81059c8b
+ #1 [ffff88085c143b28] __crash_kexec at ffffffff811052e2
+ #2 [ffff88085c143bf8] crash_kexec at ffffffff811053d0
+ #3 [ffff88085c143c10] oops_end at ffffffff8168ef88
+ #4 [ffff88085c143c38] no_context at ffffffff8167ebb3
+ #5 [ffff88085c143c88] __bad_area_nosemaphore at ffffffff8167ec49
+ #6 [ffff88085c143cd0] bad_area_nosemaphore at ffffffff8167edb3
+ #7 [ffff88085c143ce0] __do_page_fault at ffffffff81691d1e
+ #8 [ffff88085c143d40] do_page_fault at ffffffff81691ec5
+ #9 [ffff88085c143d70] page_fault at ffffffff8168e188
+    [exception RIP: unknown or invalid address]
+    RIP: ffffffffa053c800  RSP: ffff88085c143e28  RFLAGS: 00010206
+    RAX: ffff88017c72bfd8  RBX: ffff88017a8dc000  RCX: ffff8810588b5ac8
+    RDX: ffff8810588b5a00  RSI: ffffffffa053c800  RDI: ffff8810588b5a00
+    RBP: ffff88085c143e58   R8: ffff88017c70d408   R9: ffff88017a8dc000
+    R10: 0000000000000002  R11: ffff88085c143da0  R12: ffff8810588b5ac8
+    R13: 0000000000000100  R14: ffffffffa053c800  R15: ffff8810588b5a00
+    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
+    <IRQ stack>
+    [exception RIP: cpuidle_enter_state+82]
+    RIP: ffffffff81514192  RSP: ffff88017c72be50  RFLAGS: 00000202
+    RAX: 0000001e4c3c6f16  RBX: 000000000000f8a0  RCX: 0000000000000018
+    RDX: 0000000225c17d03  RSI: ffff88017c72bfd8  RDI: 0000001e4c3c6f16
+    RBP: ffff88017c72be78   R8: 000000000000237e   R9: 0000000000000018
+    R10: 0000000000002494  R11: 0000000000000001  R12: ffff88017c72be20
+    R13: ffff88085c14f8e0  R14: 0000000000000082  R15: 0000001e4c3bb400
+    ORIG_RAX: ffffffffffffff10  CS: 0010  SS: 0018
+
+This is the corresponding stack trace
+
+It has crashed because the area pointed with RIP extracted from timer
+element is already removed during a shutdown process.
+
+The function is smi_timeout().
+
+And we think ffff8810588b5a00 in RDX is a parameter struct smi_info
+
+crash> rd ffff8810588b5a00 20
+ffff8810588b5a00:  ffff8810588b6000 0000000000000000   .`.X............
+ffff8810588b5a10:  ffff880853264400 ffffffffa05417e0   .D&S......T.....
+ffff8810588b5a20:  24a024a000000000 0000000000000000   .....$.$........
+ffff8810588b5a30:  0000000000000000 0000000000000000   ................
+ffff8810588b5a30:  0000000000000000 0000000000000000   ................
+ffff8810588b5a40:  ffffffffa053a040 ffffffffa053a060   @.S.....`.S.....
+ffff8810588b5a50:  0000000000000000 0000000100000001   ................
+ffff8810588b5a60:  0000000000000000 0000000000000e00   ................
+ffff8810588b5a70:  ffffffffa053a580 ffffffffa053a6e0   ..S.......S.....
+ffff8810588b5a80:  ffffffffa053a4a0 ffffffffa053a250   ..S.....P.S.....
+ffff8810588b5a90:  0000000500000002 0000000000000000   ................
+
+Unfortunately the top of this area is already detroyed by someone.
+But because of two reasonns we think this is struct smi_info
+ 1) The address included in between  ffff8810588b5a70 and ffff8810588b5a80:
+  are inside of ipmi_si_intf.c  see crash> module ffff88085779d2c0
+
+ 2) We've found the area which point this.
+  It is offset 0x68 of  ffff880859df4000
+
+crash> rd  ffff880859df4000 100
+ffff880859df4000:  0000000000000000 0000000000000001   ................
+ffff880859df4010:  ffffffffa0535290 dead000000000200   .RS.............
+ffff880859df4020:  ffff880859df4020 ffff880859df4020    @.Y.... @.Y....
+ffff880859df4030:  0000000000000002 0000000000100010   ................
+ffff880859df4040:  ffff880859df4040 ffff880859df4040   @@.Y....@@.Y....
+ffff880859df4050:  0000000000000000 0000000000000000   ................
+ffff880859df4060:  0000000000000000 ffff8810588b5a00   .........Z.X....
+ffff880859df4070:  0000000000000001 ffff880859df4078   ........x@.Y....
+
+ If we regards it as struct ipmi_smi in shutdown process
+ it looks consistent.
+
+The remedy for this apparent race is affixed below.
+
+Signed-off-by: Tony Camuso <tcamuso@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+This was first introduced in 7ea0ed2b5be817 ipmi: Make the
+message handler easier to use for SMI interfaces
+where some code was moved outside of the rcu_read_lock()
+and the lock was not added.
+
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+
+---
+ drivers/char/ipmi/ipmi_msghandler.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/char/ipmi/ipmi_msghandler.c
++++ b/drivers/char/ipmi/ipmi_msghandler.c
+@@ -3878,6 +3878,9 @@ static void smi_recv_tasklet(unsigned lo
+        * because the lower layer is allowed to hold locks while calling
+        * message delivery.
+        */
++
++      rcu_read_lock();
++
+       if (!run_to_completion)
+               spin_lock_irqsave(&intf->xmit_msgs_lock, flags);
+       if (intf->curr_msg == NULL && !intf->in_shutdown) {
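Review bot: The new `rcu_read_lock()` in smi_recv_tasklet has no comment saying what it protects, and the blank line added before it detaches the existing comment from the `xmit_msgs_lock` code that comment describes. Going by the commit message, the intent appears to be keeping the interface's handlers valid across the `intf->handlers->sender()` call during shutdown; a line such as `/* Hold off interface teardown until sender() has returned. */` above the lock would state that. The matching `rcu_read_unlock()` is in the next hunk, after the `sender()` call. The read-side section only helps if the unregister path waits for an RCU grace period before freeing, which is not visible here and is worth confirming. The function body starts outside the hunk.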
+@@ -3900,6 +3903,8 @@ static void smi_recv_tasklet(unsigned lo
+       if (newmsg)
+               intf->handlers->sender(intf->send_info, newmsg);
++      rcu_read_unlock();
++
+       handle_new_recv_msgs(intf);
+ }
diff --git a/queue-4.12/libnvdimm-btt-fix-btt_rw_page-not-returning-errors.patch b/queue-4.12/libnvdimm-btt-fix-btt_rw_page-not-returning-errors.patch
new file mode 100644 (file)
index 0000000..2687c61
--- /dev/null
@@ -0,0 +1,45 @@
+From c13c43d54f2c6a3be1c675766778ac1ad8dfbfcc Mon Sep 17 00:00:00 2001
+From: Vishal Verma <vishal.l.verma@intel.com>
+Date: Thu, 29 Jun 2017 16:59:11 -0600
+Subject: libnvdimm, btt: fix btt_rw_page not returning errors
+
+From: Vishal Verma <vishal.l.verma@intel.com>
+
+commit c13c43d54f2c6a3be1c675766778ac1ad8dfbfcc upstream.
+
+btt_rw_page was not propagating errors frm btt_do_bvec, resulting in any
+IO errors via the rw_page path going unnoticed. the pmem driver recently
+fixed this in e10624f pmem: fail io-requests to known bad blocks
+but same problem in BTT went neglected.
+
+Fixes: 5212e11fde4d ("nd_btt: atomic sector updates")
+Cc: Toshi Kani <toshi.kani@hpe.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Jeff Moyer <jmoyer@redhat.com>
+Signed-off-by: Vishal Verma <vishal.l.verma@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/btt.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/nvdimm/btt.c
++++ b/drivers/nvdimm/btt.c
+@@ -1248,10 +1248,13 @@ static int btt_rw_page(struct block_devi
+               struct page *page, bool is_write)
+ {
+       struct btt *btt = bdev->bd_disk->private_data;
++      int rc;
+-      btt_do_bvec(btt, NULL, page, PAGE_SIZE, 0, is_write, sector);
+-      page_endio(page, is_write, 0);
+-      return 0;
++      rc = btt_do_bvec(btt, NULL, page, PAGE_SIZE, 0, is_write, sector);
++      if (rc == 0)
++              page_endio(page, is_write, 0);
++
++      return rc;
+ }
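Review bot: On the error path `page_endio()` is no longer called, so the page is handed back to the caller uncompleted, and nothing in btt_rw_page says this is intended. If the rw_page contract is that the caller completes the page when a non-zero value is returned (not visible in this hunk), a comment before `return rc;` such as `/* on error the caller owns page completion */` would make that explicit. The function signature begins outside the hunk.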
diff --git a/queue-4.12/libnvdimm-fix-badblock-range-handling-of-ars-range.patch b/queue-4.12/libnvdimm-fix-badblock-range-handling-of-ars-range.patch
new file mode 100644 (file)
index 0000000..a112063
--- /dev/null
@@ -0,0 +1,47 @@
+From 4e3f0701f25ab194c5362576b1146a1e6cc6c2e7 Mon Sep 17 00:00:00 2001
+From: Toshi Kani <toshi.kani@hpe.com>
+Date: Fri, 7 Jul 2017 17:44:26 -0600
+Subject: libnvdimm: fix badblock range handling of ARS range
+
+From: Toshi Kani <toshi.kani@hpe.com>
+
+commit 4e3f0701f25ab194c5362576b1146a1e6cc6c2e7 upstream.
+
+__add_badblock_range() does not account sector alignment when
+it sets 'num_sectors'.  Therefore, an ARS error record range
+spanning across two sectors is set to a single sector length,
+which leaves the 2nd sector unprotected.
+
+Change __add_badblock_range() to set 'num_sectors' properly.
+
+Fixes: 0caeef63e6d2 ("libnvdimm: Add a poison list and export badblocks")
+Signed-off-by: Toshi Kani <toshi.kani@hpe.com>
+Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/core.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/nvdimm/core.c
++++ b/drivers/nvdimm/core.c
+@@ -421,14 +421,15 @@ static void set_badblock(struct badblock
+ static void __add_badblock_range(struct badblocks *bb, u64 ns_offset, u64 len)
+ {
+       const unsigned int sector_size = 512;
+-      sector_t start_sector;
++      sector_t start_sector, end_sector;
+       u64 num_sectors;
+       u32 rem;
+       start_sector = div_u64(ns_offset, sector_size);
+-      num_sectors = div_u64_rem(len, sector_size, &rem);
++      end_sector = div_u64_rem(ns_offset + len, sector_size, &rem);
+       if (rem)
+-              num_sectors++;
++              end_sector++;
++      num_sectors = end_sector - start_sector;
+       if (unlikely(num_sectors > (u64)INT_MAX)) {
+               u64 remaining = num_sectors;
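Review bot: `ns_offset + len` is computed in u64 with no wrap check, so a range whose end wraps would give an `end_sector` below `start_sector` and a very large `num_sectors` after the subtraction. Also, with `len == 0` and an unaligned `ns_offset` the new code yields `num_sectors == 1` where the old code yielded 0. Whether callers can pass such values is not visible here; if they can, a guard such as `if (!len || ns_offset + len < ns_offset) return;` before the division would cover both cases. The function continues outside the hunk.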
diff --git a/queue-4.12/libnvdimm-fix-the-clear-error-check-in-nsio_rw_bytes.patch b/queue-4.12/libnvdimm-fix-the-clear-error-check-in-nsio_rw_bytes.patch
new file mode 100644 (file)
index 0000000..8a0dca1
--- /dev/null
@@ -0,0 +1,37 @@
+From 7e5a21dfe5524a85705d3bc7b540c849cc13e9a1 Mon Sep 17 00:00:00 2001
+From: Vishal Verma <vishal.l.verma@intel.com>
+Date: Fri, 30 Jun 2017 18:32:52 -0600
+Subject: libnvdimm: fix the clear-error check in nsio_rw_bytes
+
+From: Vishal Verma <vishal.l.verma@intel.com>
+
+commit 7e5a21dfe5524a85705d3bc7b540c849cc13e9a1 upstream.
+
+A leftover from the 'bandaid' fix that disabled BTT error clearing in
+rw_bytes resulted in an incorrect check. After we converted these checks
+over to use the NVDIMM_IO_ATOMIC flag, the ndns->claim check was both
+redundant, and incorrect. Remove it.
+
+Fixes: 3ae3d67ba705 ("libnvdimm: add an atomic vs process context flag to rw_bytes")
+Cc: Dave Jiang <dave.jiang@intel.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Vishal Verma <vishal.l.verma@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/claim.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/nvdimm/claim.c
++++ b/drivers/nvdimm/claim.c
+@@ -260,8 +260,7 @@ static int nsio_rw_bytes(struct nd_names
+                * work around this collision.
+                */
+               if (IS_ALIGNED(offset, 512) && IS_ALIGNED(size, 512)
+-                              && !(flags & NVDIMM_IO_ATOMIC)
+-                              && !ndns->claim) {
++                              && !(flags & NVDIMM_IO_ATOMIC)) {
+                       long cleared;
+                       cleared = nvdimm_clear_poison(&ndns->dev,
diff --git a/queue-4.12/raid5-should-update-rdev-sectors-after-reshape.patch b/queue-4.12/raid5-should-update-rdev-sectors-after-reshape.patch
new file mode 100644 (file)
index 0000000..c42e76a
--- /dev/null
@@ -0,0 +1,53 @@
+From b5d27718f38843a74552e9a93d32e2391fd3999f Mon Sep 17 00:00:00 2001
+From: Xiao Ni <xni@redhat.com>
+Date: Wed, 5 Jul 2017 17:34:04 +0800
+Subject: Raid5 should update rdev->sectors after reshape
+
+From: Xiao Ni <xni@redhat.com>
+
+commit b5d27718f38843a74552e9a93d32e2391fd3999f upstream.
+
+The raid5 md device is created by the disks which we don't use the total size. For example,
+the size of the device is 5G and it just uses 3G of the devices to create one raid5 device.
+Then change the chunksize and wait reshape to finish. After reshape finishing stop the raid
+and assemble it again. It fails.
+mdadm -CR /dev/md0 -l5 -n3 /dev/loop[0-2] --size=3G --chunk=32 --assume-clean
+mdadm /dev/md0 --grow --chunk=64
+wait reshape to finish
+mdadm -S /dev/md0
+mdadm -As
+The error messages:
+[197519.814302] md: loop1 does not have a valid v1.2 superblock, not importing!
+[197519.821686] md: md_import_device returned -22
+
+After reshape the data offset is changed. It selects backwards direction in this condition.
+In function super_1_load it compares the available space of the underlying device with
+sb->data_size. The new data offset gets bigger after reshape. So super_1_load returns -EINVAL.
+rdev->sectors is updated in md_finish_reshape. Then sb->data_size is set in super_1_sync based
+on rdev->sectors. So add md_finish_reshape in end_reshape.
+
+Signed-off-by: Xiao Ni <xni@redhat.com>
+Acked-by: Guoqing Jiang <gqjiang@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid5.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -7951,12 +7951,10 @@ static void end_reshape(struct r5conf *c
+ {
+       if (!test_bit(MD_RECOVERY_INTR, &conf->mddev->recovery)) {
+-              struct md_rdev *rdev;
+               spin_lock_irq(&conf->device_lock);
+               conf->previous_raid_disks = conf->raid_disks;
+-              rdev_for_each(rdev, conf->mddev)
+-                      rdev->data_offset = rdev->new_data_offset;
++              md_finish_reshape(conf->mddev);
+               smp_wmb();
+               conf->reshape_progress = MaxSector;
+               conf->mddev->reshape_position = MaxSector;
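Review bot: `md_finish_reshape(conf->mddev)` is now called after `spin_lock_irq(&conf->device_lock)`, so it runs with interrupts off and must never sleep or take `device_lock` itself. Its body is not visible in this hunk; a comment on the call, for example `/* called under device_lock: must not sleep */`, would guard against later changes to that helper. end_reshape continues outside the hunk.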
diff --git a/queue-4.12/rc-core-fix-input-repeat-handling.patch b/queue-4.12/rc-core-fix-input-repeat-handling.patch
new file mode 100644 (file)
index 0000000..b679f5a
--- /dev/null
@@ -0,0 +1,62 @@
+From b2aceb739b5af6a8abc5ea6ab9e6a0409a3b5b1d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?David=20H=C3=A4rdeman?= <david@hardeman.nu>
+Date: Thu, 27 Apr 2017 17:33:58 -0300
+Subject: [media] rc-core: fix input repeat handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Härdeman <david@hardeman.nu>
+
+commit b2aceb739b5af6a8abc5ea6ab9e6a0409a3b5b1d upstream.
+
+The call to input_register_device() needs to take place
+before the repeat parameters are set or the input subsystem
+repeat handling will be disabled (as was already noted in
+the comments in that function).
+
+Signed-off-by: David Härdeman <david@hardeman.nu>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/rc/rc-main.c |   20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/media/rc/rc-main.c
++++ b/drivers/media/rc/rc-main.c
+@@ -1703,6 +1703,16 @@ static int rc_setup_rx_device(struct rc_
+       if (dev->close)
+               dev->input_dev->close = ir_close;
++      dev->input_dev->dev.parent = &dev->dev;
++      memcpy(&dev->input_dev->id, &dev->input_id, sizeof(dev->input_id));
++      dev->input_dev->phys = dev->input_phys;
++      dev->input_dev->name = dev->input_name;
++
++      /* rc_open will be called here */
++      rc = input_register_device(dev->input_dev);
++      if (rc)
++              goto out_table;
++
+       /*
+        * Default delay of 250ms is too short for some protocols, especially
+        * since the timeout is currently set to 250ms. Increase it to 500ms,
+@@ -1718,16 +1728,6 @@ static int rc_setup_rx_device(struct rc_
+        */
+       dev->input_dev->rep[REP_PERIOD] = 125;
+-      dev->input_dev->dev.parent = &dev->dev;
+-      memcpy(&dev->input_dev->id, &dev->input_id, sizeof(dev->input_id));
+-      dev->input_dev->phys = dev->input_phys;
+-      dev->input_dev->name = dev->input_name;
+-
+-      /* rc_open will be called here */
+-      rc = input_register_device(dev->input_dev);
+-      if (rc)
+-              goto out_table;
+-
+       return 0;
+ out_table:
diff --git a/queue-4.12/s390-syscalls-fix-out-of-bounds-arguments-access.patch b/queue-4.12/s390-syscalls-fix-out-of-bounds-arguments-access.patch
new file mode 100644 (file)
index 0000000..b052ba2
--- /dev/null
@@ -0,0 +1,58 @@
+From c46fc0424ced3fb71208e72bd597d91b9169a781 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Thu, 29 Jun 2017 11:38:11 +0200
+Subject: s390/syscalls: Fix out of bounds arguments access
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+commit c46fc0424ced3fb71208e72bd597d91b9169a781 upstream.
+
+Zorro reported following crash while having enabled
+syscall tracing (CONFIG_FTRACE_SYSCALLS):
+
+  Unable to handle kernel pointer dereference at virtual ...
+  Oops: 0011 [#1] SMP DEBUG_PAGEALLOC
+
+  SNIP
+
+  Call Trace:
+  ([<000000000024d79c>] ftrace_syscall_enter+0xec/0x1d8)
+   [<00000000001099c6>] do_syscall_trace_enter+0x236/0x2f8
+   [<0000000000730f1c>] sysc_tracesys+0x1a/0x32
+   [<000003fffcf946a2>] 0x3fffcf946a2
+  INFO: lockdep is turned off.
+  Last Breaking-Event-Address:
+   [<000000000022dd44>] rb_event_data+0x34/0x40
+  ---[ end trace 8c795f86b1b3f7b9 ]---
+
+The crash happens in syscall_get_arguments function for
+syscalls with zero arguments, that will try to access
+first argument (args[0]) in event entry, but it's not
+allocated.
+
+Bail out of there are no arguments.
+
+Reported-by: Zorro Lang <zlang@redhat.com>
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/include/asm/syscall.h |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/s390/include/asm/syscall.h
++++ b/arch/s390/include/asm/syscall.h
+@@ -64,6 +64,12 @@ static inline void syscall_get_arguments
+ {
+       unsigned long mask = -1UL;
++      /*
++       * No arguments for this syscall, there's nothing to do.
++       */
++      if (!n)
++              return;
++
+       BUG_ON(i + n > 6);
+ #ifdef CONFIG_COMPAT
+       if (test_tsk_thread_flag(task, TIF_31BIT))
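Review bot: The added comment says there is nothing to do, but the commit message gives the real reason for the early return: with `n == 0` the `args` storage may not be allocated and the code below would still access `args[0]`. Saying so in the comment, e.g. `/* n == 0: args may not hold even one entry, so do not touch args[0] */`, explains why the check must stay ahead of the copy. Separately, `BUG_ON(i + n > 6)` on the following line halts the kernel on a bad range in a tracing path; `if (WARN_ON_ONCE(i + n > 6)) return;` would fail more safely, provided callers tolerate unfilled `args`. The function body continues outside the hunk.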
diff --git a/queue-4.12/serial-sh-sci-uninitialized-variables-in-sysfs-files.patch b/queue-4.12/serial-sh-sci-uninitialized-variables-in-sysfs-files.patch
new file mode 100644 (file)
index 0000000..98f1774
--- /dev/null
@@ -0,0 +1,53 @@
+From 4ab3c51e0540ba8464fe34d84cc35821bb77ae92 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 17 Jul 2017 11:34:23 +0300
+Subject: serial: sh-sci: Uninitialized variables in sysfs files
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 4ab3c51e0540ba8464fe34d84cc35821bb77ae92 upstream.
+
+The kstrtol() function returns -ERANGE as well as -EINVAL so these tests
+are not enough.  It's not a super serious bug, but my static checker
+correctly complains that the "r" variable might be used uninitialized.
+
+Fixes: 5d23188a473d ("serial: sh-sci: make RX FIFO parameters tunable via sysfs")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/sh-sci.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -1085,10 +1085,12 @@ static ssize_t rx_trigger_store(struct d
+ {
+       struct uart_port *port = dev_get_drvdata(dev);
+       struct sci_port *sci = to_sci_port(port);
++      int ret;
+       long r;
+-      if (kstrtol(buf, 0, &r) == -EINVAL)
+-              return -EINVAL;
++      ret = kstrtol(buf, 0, &r);
++      if (ret)
++              return ret;
+       sci->rx_trigger = scif_set_rtrg(port, r);
+       if (port->type == PORT_SCIFA || port->type == PORT_SCIFB)
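Review bot: `r` comes from a sysfs write and is passed to `scif_set_rtrg(port, r)` here, and assigned to `sci->rx_fifo_timeout` in the rx_fifo_timeout_store hunk below, with no range check once `kstrtol()` succeeds. If either destination is narrower than `long` (their types are not visible in these hunks), large values are silently truncated. A bound check after the parse, e.g. `if (r < 0 || r > INT_MAX) return -EINVAL;` if negative values have no meaning here, or parsing with `kstrtoint()` instead, would reject them. Both function bodies continue outside the hunks.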
+@@ -1116,10 +1118,12 @@ static ssize_t rx_fifo_timeout_store(str
+ {
+       struct uart_port *port = dev_get_drvdata(dev);
+       struct sci_port *sci = to_sci_port(port);
++      int ret;
+       long r;
+-      if (kstrtol(buf, 0, &r) == -EINVAL)
+-              return -EINVAL;
++      ret = kstrtol(buf, 0, &r);
++      if (ret)
++              return ret;
+       sci->rx_fifo_timeout = r;
+       scif_set_rtrg(port, 1);
+       if (r > 0)
diff --git a/queue-4.12/serial-st-asc-potential-error-pointer-dereference.patch b/queue-4.12/serial-st-asc-potential-error-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..5da0290
--- /dev/null
@@ -0,0 +1,31 @@
+From 2b01bfaeb41e1563322448d9b392ac924cbf22ef Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 17 Jul 2017 11:12:38 +0300
+Subject: serial: st-asc: Potential error pointer dereference
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 2b01bfaeb41e1563322448d9b392ac924cbf22ef upstream.
+
+It looks like we intended to return an error code here, because we
+dereference "ascport->pinctrl" on the next lines.
+
+Fixes: 6929cb00a501 ("serial: st-asc: Read in all Pinctrl states")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/st-asc.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/serial/st-asc.c
++++ b/drivers/tty/serial/st-asc.c
+@@ -758,6 +758,7 @@ static int asc_init_port(struct asc_port
+       if (IS_ERR(ascport->pinctrl)) {
+               ret = PTR_ERR(ascport->pinctrl);
+               dev_err(&pdev->dev, "Failed to get Pinctrl: %d\n", ret);
++              return ret;
+       }
+       ascport->states[DEFAULT] =
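Review bot: The added `return ret;` leaves asc_init_port() directly, so anything acquired earlier in the function that is not device-managed would stay held on this path. The hunk does not show the start of the function, so this cannot be confirmed from here. If every earlier acquisition is devm-managed, a one-line comment above the return, such as `/* nothing to unwind: earlier resources are device-managed */`, would record why a bare return is safe. The `ascport->states[DEFAULT] =` assignment that follows also continues past the hunk, so whether its result gets the same IS_ERR() treatment is not visible.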
index 3fd1cb68c588e43ed2ce26d0abb48f670c61c0bb..cbc429b42c6f7194e45656c8392c3cc9e86ec462 100644 (file)
@@ -75,3 +75,37 @@ hid-multitouch-do-not-blindly-set-ev_key-or-ev_abs-bits.patch
 md-don-t-use-flush_signals-in-userspace-processes.patch
 md-fix-deadlock-between-mddev_suspend-and-md_write_start.patch
 x86-xen-allow-userspace-access-during-hypercalls.patch
+cx88-fix-regression-in-initial-video-standard-setting.patch
+rc-core-fix-input-repeat-handling.patch
+tools-testing-nvdimm-fix-nfit_test-buffer-overflow.patch
+libnvdimm-btt-fix-btt_rw_page-not-returning-errors.patch
+libnvdimm-fix-the-clear-error-check-in-nsio_rw_bytes.patch
+libnvdimm-fix-badblock-range-handling-of-ars-range.patch
+ext2-don-t-clear-sgid-when-inheriting-acls.patch
+dm-raid-stop-using-bug-in-__rdev_sectors.patch
+raid5-should-update-rdev-sectors-after-reshape.patch
+s390-syscalls-fix-out-of-bounds-arguments-access.patch
+drm-amdgpu-gfx8-drop-per-apu-cu-limits.patch
+drm-amdgpu-fix-vblank_time-when-displays-are-off.patch
+drm-amdgpu-cgs-always-set-reference-clock-in-mode_info.patch
+drm-amd-amdgpu-return-error-if-initiating-read-out-of-range-on-vram.patch
+drm-amdgpu-fix-the-memory-corruption-on-s3.patch
+drm-amdgpu-don-t-call-amd_powerplay_destroy-if-we-don-t-have-powerplay.patch
+drm-radeon-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch
+drm-radeon-fix-edp-for-single-display-imac10-1-v2.patch
+drm-ttm-fix-use-after-free-in-ttm_bo_clean_mm.patch
+drm-etnaviv-expose-our-reservation-object-when-exporting-a-dmabuf.patch
+ipmi-use-rcu-lock-around-call-to-intf-handlers-sender.patch
+ipmi-ssif-add-missing-unlock-in-error-branch.patch
+xfs-don-t-clear-sgid-when-inheriting-acls.patch
+cifs-reconnect-expired-smb-sessions.patch
+f2fs-load-inode-s-flag-from-disk.patch
+f2fs-wake-up-all-waiters-in-f2fs_submit_discard_endio.patch
+f2fs-sanity-check-checkpoint-segno-and-blkoff.patch
+f2fs-try-to-freeze-in-gc-and-discard-threads.patch
+f2fs-do-not-issue-small-discards-in-lfs-mode.patch
+f2fs-sanity-check-size-of-nat-and-sit-cache.patch
+f2fs-use-spin_-un-lock_irq-save-restore.patch
+f2fs-don-t-clear-sgid-when-inheriting-acls.patch
+serial-st-asc-potential-error-pointer-dereference.patch
+serial-sh-sci-uninitialized-variables-in-sysfs-files.patch
diff --git a/queue-4.12/tools-testing-nvdimm-fix-nfit_test-buffer-overflow.patch b/queue-4.12/tools-testing-nvdimm-fix-nfit_test-buffer-overflow.patch
new file mode 100644 (file)
index 0000000..004907b
--- /dev/null
@@ -0,0 +1,50 @@
+From a117699c6c4a4b1b4e90ed51e393590986567cb4 Mon Sep 17 00:00:00 2001
+From: Yasunori Goto <y-goto@jp.fujitsu.com>
+Date: Thu, 15 Jun 2017 14:04:16 +0900
+Subject: tools/testing/nvdimm: fix nfit_test buffer overflow
+
+From: Yasunori Goto <y-goto@jp.fujitsu.com>
+
+commit a117699c6c4a4b1b4e90ed51e393590986567cb4 upstream.
+
+The root cause of panic is the num_pm of nfit_test1 is wrong.
+Though 1 is specified for num_pm at nfit_test_init(), it must be 2,
+because nfit_test1->spa_set[] array has 2 elements.
+
+Since the array is smaller than expected, the driver breaks other area.
+(it is often the link list of devres).
+
+As a result, panic occurs like the following example.
+
+    CPU: 4 PID: 2233 Comm: lt-libndctl Tainted: G           O    4.12.0-rc1+ #12
+    RIP: 0010:__list_del_entry_valid+0x6c/0xa0
+    Call Trace:
+     release_nodes+0x76/0x260
+     devres_release_all+0x3c/0x50
+     device_release_driver_internal+0x159/0x200
+     device_release_driver+0x12/0x20
+     bus_remove_device+0xfd/0x170
+     device_del+0x1e8/0x330
+     platform_device_del+0x28/0x90
+     platform_device_unregister+0x12/0x30
+     nfit_test_exit+0x2a/0x93b [nfit_test]
+
+Signed-off-by: Yasunori Goto <y-goto@jp.fujitsu.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/testing/nvdimm/test/nfit.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/nvdimm/test/nfit.c
++++ b/tools/testing/nvdimm/test/nfit.c
+@@ -1943,7 +1943,7 @@ static __init int nfit_test_init(void)
+                       nfit_test->setup = nfit_test0_setup;
+                       break;
+               case 1:
+-                      nfit_test->num_pm = 1;
++                      nfit_test->num_pm = 2;
+                       nfit_test->dcr_idx = NUM_DCR;
+                       nfit_test->num_dcr = 2;
+                       nfit_test->alloc = nfit_test1_alloc;
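Review bot: `nfit_test->num_pm = 2;` in `case 1:` is still a bare literal that has to agree by hand with the number of `spa_set[]` entries nfit_test1 uses. That mismatch is what the commit message blames for memory next to the array being overwritten and the devres list being corrupted. A comment on that line, for example `/* must equal the number of spa_set[] entries set up for nfit_test1 */`, would help keep a later edit from reintroducing the overrun. A bounds check against num_pm where the entries are written would be stronger, but that code is outside this hunk. nfit_test_init() itself also starts and ends outside it.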
diff --git a/queue-4.12/xfs-don-t-clear-sgid-when-inheriting-acls.patch b/queue-4.12/xfs-don-t-clear-sgid-when-inheriting-acls.patch
new file mode 100644 (file)
index 0000000..b2bfcdd
--- /dev/null
@@ -0,0 +1,82 @@
+From 8ba358756aa08414fa9e65a1a41d28304ed6fd7f Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 26 Jun 2017 08:48:18 -0700
+Subject: xfs: Don't clear SGID when inheriting ACLs
+
+From: Jan Kara <jack@suse.cz>
+
+commit 8ba358756aa08414fa9e65a1a41d28304ed6fd7f upstream.
+
+When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
+set, DIR1 is expected to have SGID bit set (and owning group equal to
+the owning group of 'DIR0'). However when 'DIR0' also has some default
+ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
+'DIR1' to get cleared if user is not member of the owning group.
+
+Fix the problem by calling __xfs_set_acl() instead of xfs_set_acl() when
+setting up inode in xfs_generic_create(). That prevents SGID bit
+clearing and mode is properly set by posix_acl_create() anyway. We also
+reorder arguments of __xfs_set_acl() to match the ordering of
+xfs_set_acl() to make things consistent.
+
+Fixes: 073931017b49d9458aa351605b43a7e34598caef
+CC: Darrick J. Wong <darrick.wong@oracle.com>
+CC: linux-xfs@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_acl.c  |    6 +++---
+ fs/xfs/xfs_acl.h  |    1 +
+ fs/xfs/xfs_iops.c |    4 ++--
+ 3 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/fs/xfs/xfs_acl.c
++++ b/fs/xfs/xfs_acl.c
+@@ -170,8 +170,8 @@ xfs_get_acl(struct inode *inode, int typ
+       return acl;
+ }
+-STATIC int
+-__xfs_set_acl(struct inode *inode, int type, struct posix_acl *acl)
++int
++__xfs_set_acl(struct inode *inode, struct posix_acl *acl, int type)
+ {
+       struct xfs_inode *ip = XFS_I(inode);
+       unsigned char *ea_name;
+@@ -268,5 +268,5 @@ xfs_set_acl(struct inode *inode, struct
+       }
+  set_acl:
+-      return __xfs_set_acl(inode, type, acl);
++      return __xfs_set_acl(inode, acl, type);
+ }
+--- a/fs/xfs/xfs_acl.h
++++ b/fs/xfs/xfs_acl.h
+@@ -24,6 +24,7 @@ struct posix_acl;
+ #ifdef CONFIG_XFS_POSIX_ACL
+ extern struct posix_acl *xfs_get_acl(struct inode *inode, int type);
+ extern int xfs_set_acl(struct inode *inode, struct posix_acl *acl, int type);
++extern int __xfs_set_acl(struct inode *inode, struct posix_acl *acl, int type);
+ #else
+ static inline struct posix_acl *xfs_get_acl(struct inode *inode, int type)
+ {
+--- a/fs/xfs/xfs_iops.c
++++ b/fs/xfs/xfs_iops.c
+@@ -190,12 +190,12 @@ xfs_generic_create(
+ #ifdef CONFIG_XFS_POSIX_ACL
+       if (default_acl) {
+-              error = xfs_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
++              error = __xfs_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
+               if (error)
+                       goto out_cleanup_inode;
+       }
+       if (acl) {
+-              error = xfs_set_acl(inode, acl, ACL_TYPE_ACCESS);
++              error = __xfs_set_acl(inode, acl, ACL_TYPE_ACCESS);
+               if (error)
+                       goto out_cleanup_inode;
+       }
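Review bot: `__xfs_set_acl()` loses `STATIC` and gains an `extern` declaration in xfs_acl.h, but nothing at the declaration says how it differs from `xfs_set_acl()`. Going by the commit message, the helper stores the ACL without the mode handling that clears SGID. That is correct in xfs_generic_create() only because posix_acl_create() has already set the mode, so a later caller that uses it on an existing inode would skip that handling without any warning. I would add above the declaration `/* Stores the ACL only, no i_mode update; for new inodes whose mode posix_acl_create() already set. */`. The bodies of xfs_set_acl() and __xfs_set_acl() lie outside the hunks, so the exact checks being bypassed should be confirmed there.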