--- /dev/null
+From a00ebd1cf12c378a1d4f7a1d6daf1d76c1eaad82 Mon Sep 17 00:00:00 2001
+From: Lars Ellenberg <lars.ellenberg@linbit.com>
+Date: Thu, 11 May 2017 10:21:46 +0200
+Subject: drbd: fix request leak introduced by locking/atomic, kref: Kill kref_sub()
+
+From: Lars Ellenberg <lars.ellenberg@linbit.com>
+
+commit a00ebd1cf12c378a1d4f7a1d6daf1d76c1eaad82 upstream.
+
+When killing kref_sub(), the unconditional additional kref_get()
+was not properly paired with the necessary kref_put(), causing
+a leak of struct drbd_requests (~ 224 Bytes) per submitted bio,
+and breaking DRBD in general, as the destructor of those "drbd_requests"
+does more than just the mempoll_free().
+
+Fixes: bdfafc4ffdd2 ("locking/atomic, kref: Kill kref_sub()")
+Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/drbd/drbd_req.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+--- a/drivers/block/drbd/drbd_req.c
++++ b/drivers/block/drbd/drbd_req.c
+@@ -314,24 +314,32 @@ void drbd_req_complete(struct drbd_reque
+ }
+
+ /* still holds resource->req_lock */
+-static int drbd_req_put_completion_ref(struct drbd_request *req, struct bio_and_error *m, int put)
++static void drbd_req_put_completion_ref(struct drbd_request *req, struct bio_and_error *m, int put)
+ {
+ struct drbd_device *device = req->device;
+ D_ASSERT(device, m || (req->rq_state & RQ_POSTPONED));
+
++ if (!put)
++ return;
++
+ if (!atomic_sub_and_test(put, &req->completion_ref))
+- return 0;
++ return;
+
+ drbd_req_complete(req, m);
+
++ /* local completion may still come in later,
++ * we need to keep the req object around. */
++ if (req->rq_state & RQ_LOCAL_ABORTED)
++ return;
++
+ if (req->rq_state & RQ_POSTPONED) {
+ /* don't destroy the req object just yet,
+ * but queue it for retry */
+ drbd_restart_request(req);
+- return 0;
++ return;
+ }
+
+- return 1;
++ kref_put(&req->kref, drbd_req_destroy);
+ }
+
+ static void set_if_null_req_next(struct drbd_peer_device *peer_device, struct drbd_request *req)
+@@ -518,12 +526,8 @@ static void mod_rq_state(struct drbd_req
+ if (req->i.waiting)
+ wake_up(&device->misc_wait);
+
+- if (c_put) {
+- if (drbd_req_put_completion_ref(req, m, c_put))
+- kref_put(&req->kref, drbd_req_destroy);
+- } else {
+- kref_put(&req->kref, drbd_req_destroy);
+- }
++ drbd_req_put_completion_ref(req, m, c_put);
++ kref_put(&req->kref, drbd_req_destroy);
+ }
+
+ static void drbd_report_io_error(struct drbd_device *device, struct drbd_request *req)
+@@ -1363,8 +1367,7 @@ nodata:
+ }
+
+ out:
+- if (drbd_req_put_completion_ref(req, &m, 1))
+- kref_put(&req->kref, drbd_req_destroy);
++ drbd_req_put_completion_ref(req, &m, 1);
+ spin_unlock_irq(&resource->req_lock);
+
+ /* Even though above is a kref_put(), this is safe.
--- /dev/null
+From b299cde245b0b76c977f4291162cf668e087b408 Mon Sep 17 00:00:00 2001
+From: Julius Werner <jwerner@chromium.org>
+Date: Fri, 12 May 2017 14:42:58 -0700
+Subject: drivers: char: mem: Check for address space wraparound with mmap()
+
+From: Julius Werner <jwerner@chromium.org>
+
+commit b299cde245b0b76c977f4291162cf668e087b408 upstream.
+
+/dev/mem currently allows mmap() mappings that wrap around the end of
+the physical address space, which should probably be illegal. It
+circumvents the existing STRICT_DEVMEM permission check because the loop
+immediately terminates (as the start address is already higher than the
+end address). On the x86_64 architecture it will then cause a panic
+(from the BUG(start >= end) in arch/x86/mm/pat.c:reserve_memtype()).
+
+This patch adds an explicit check to make sure offset + size will not
+wrap around in the physical address type.
+
+Signed-off-by: Julius Werner <jwerner@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/mem.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/char/mem.c
++++ b/drivers/char/mem.c
+@@ -340,6 +340,11 @@ static const struct vm_operations_struct
+ static int mmap_mem(struct file *file, struct vm_area_struct *vma)
+ {
+ size_t size = vma->vm_end - vma->vm_start;
++ phys_addr_t offset = (phys_addr_t)vma->vm_pgoff << PAGE_SHIFT;
++
++ /* It's illegal to wrap around the end of the physical address space. */
++ if (offset + (phys_addr_t)size < offset)
++ return -EINVAL;
+
+ if (!valid_mmap_phys_addr_range(vma->vm_pgoff, size))
+ return -EINVAL;
--- /dev/null
+From e345da82bd6bdfa8492f80b3ce4370acfd868d95 Mon Sep 17 00:00:00 2001
+From: Mario Kleiner <mario.kleiner.de@gmail.com>
+Date: Fri, 21 Apr 2017 17:05:08 +0200
+Subject: drm/edid: Add 10 bpc quirk for LGD 764 panel in HP zBook 17 G2
+
+From: Mario Kleiner <mario.kleiner.de@gmail.com>
+
+commit e345da82bd6bdfa8492f80b3ce4370acfd868d95 upstream.
+
+The builtin eDP panel in the HP zBook 17 G2 supports 10 bpc,
+as advertised by the Laptops product specs and verified via
+injecting a fixed edid + photometer measurements, but edid
+reports unknown depth, so drivers fall back to 6 bpc.
+
+Add a quirk to get the full 10 bpc.
+
+Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
+Acked-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: http://patchwork.freedesktop.org/patch/msgid/1492787108-23959-1-git-send-email-mario.kleiner.de@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_edid.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -79,6 +79,8 @@
+ #define EDID_QUIRK_FORCE_12BPC (1 << 9)
+ /* Force 6bpc */
+ #define EDID_QUIRK_FORCE_6BPC (1 << 10)
++/* Force 10bpc */
++#define EDID_QUIRK_FORCE_10BPC (1 << 11)
+
+ struct detailed_mode_closure {
+ struct drm_connector *connector;
+@@ -121,6 +123,9 @@ static const struct edid_quirk {
+ { "FCM", 13600, EDID_QUIRK_PREFER_LARGE_75 |
+ EDID_QUIRK_DETAILED_IN_CM },
+
++ /* LGD panel of HP zBook 17 G2, eDP 10 bpc, but reports unknown bpc */
++ { "LGD", 764, EDID_QUIRK_FORCE_10BPC },
++
+ /* LG Philips LCD LP154W01-A5 */
+ { "LPL", 0, EDID_QUIRK_DETAILED_USE_MAXIMUM_SIZE },
+ { "LPL", 0x2a00, EDID_QUIRK_DETAILED_USE_MAXIMUM_SIZE },
+@@ -4174,6 +4179,9 @@ int drm_add_edid_modes(struct drm_connec
+ if (quirks & EDID_QUIRK_FORCE_8BPC)
+ connector->display_info.bpc = 8;
+
++ if (quirks & EDID_QUIRK_FORCE_10BPC)
++ connector->display_info.bpc = 10;
++
+ if (quirks & EDID_QUIRK_FORCE_12BPC)
+ connector->display_info.bpc = 12;
+
--- /dev/null
+From 04a68a35ce6d7b54749989f943993020f48fed62 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Wed, 9 Nov 2016 10:39:05 +0000
+Subject: drm/i915/gvt: Disable access to stolen memory as a guest
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit 04a68a35ce6d7b54749989f943993020f48fed62 upstream.
+
+Explicitly disable stolen memory when running as a guest in a virtual
+machine, since the memory is not mediated between clients and reserved
+entirely for the host. The actual size should be reported as zero, but
+like every other quirk we want to tell the user what is happening.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99028
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Zhenyu Wang <zhenyuw@linux.intel.com>
+Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20161109103905.17860-1-chris@chris-wilson.co.uk
+Reviewed-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_gem_stolen.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/i915/i915_gem_stolen.c
++++ b/drivers/gpu/drm/i915/i915_gem_stolen.c
+@@ -410,6 +410,11 @@ int i915_gem_init_stolen(struct drm_i915
+ return 0;
+ }
+
++ if (intel_vgpu_active(dev_priv)) {
++ DRM_INFO("iGVT-g active, disabling use of stolen memory\n");
++ return 0;
++ }
++
+ #ifdef CONFIG_INTEL_IOMMU
+ if (intel_iommu_gfx_mapped && INTEL_GEN(dev_priv) < 8) {
+ DRM_INFO("DMAR active, disabling use of stolen memory\n");
--- /dev/null
+From 76cefef8e838304a71725a0b5007c375619d78fb Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 11 Jan 2017 12:53:05 +0100
+Subject: firmware: ti_sci: fix strncat length check
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 76cefef8e838304a71725a0b5007c375619d78fb upstream.
+
+gcc-7 notices that the length we pass to strncat is wrong:
+
+drivers/firmware/ti_sci.c: In function 'ti_sci_probe':
+drivers/firmware/ti_sci.c:204:32: error: specified bound 50 equals the size of the destination [-Werror=stringop-overflow=]
+
+Instead of the total length, we must pass the length of the
+remaining space here.
+
+Fixes: aa276781a64a ("firmware: Add basic support for TI System Control Interface (TI-SCI) protocol")
+Acked-by: Nishanth Menon <nm@ti.com>
+Acked-by: Santosh Shilimkar <ssantosh@kernel.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/ti_sci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/firmware/ti_sci.c
++++ b/drivers/firmware/ti_sci.c
+@@ -202,7 +202,8 @@ static int ti_sci_debugfs_create(struct
+ info->debug_buffer[info->debug_region_size] = 0;
+
+ info->d = debugfs_create_file(strncat(debug_name, dev_name(dev),
+- sizeof(debug_name)),
++ sizeof(debug_name) -
++ sizeof("ti_sci_debug@")),
+ 0444, NULL, info, &ti_sci_debug_fops);
+ if (IS_ERR(info->d))
+ return PTR_ERR(info->d);
--- /dev/null
+From 6a623e07694437ad09f382a13f76cffc32239a7f Mon Sep 17 00:00:00 2001
+From: Alexander Couzens <lynxis@fe80.eu>
+Date: Tue, 2 May 2017 12:19:00 +0200
+Subject: mtd: nand: add ooblayout for old hamming layout
+
+From: Alexander Couzens <lynxis@fe80.eu>
+
+commit 6a623e07694437ad09f382a13f76cffc32239a7f upstream.
+
+The old 1-bit hamming layout requires ECC data to be placed at a
+fixed offset, and not necessarily at the end of the OOB area.
+Add this old layout back in order to fix legacy setups.
+
+Fixes: 41b207a70d3a ("mtd: nand: implement the default mtd_ooblayout_ops")
+Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
+Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/nand_base.c | 70 ++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 69 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/nand_base.c
++++ b/drivers/mtd/nand/nand_base.c
+@@ -139,6 +139,74 @@ const struct mtd_ooblayout_ops nand_oobl
+ };
+ EXPORT_SYMBOL_GPL(nand_ooblayout_lp_ops);
+
++/*
++ * Support the old "large page" layout used for 1-bit Hamming ECC where ECC
++ * are placed at a fixed offset.
++ */
++static int nand_ooblayout_ecc_lp_hamming(struct mtd_info *mtd, int section,
++ struct mtd_oob_region *oobregion)
++{
++ struct nand_chip *chip = mtd_to_nand(mtd);
++ struct nand_ecc_ctrl *ecc = &chip->ecc;
++
++ if (section)
++ return -ERANGE;
++
++ switch (mtd->oobsize) {
++ case 64:
++ oobregion->offset = 40;
++ break;
++ case 128:
++ oobregion->offset = 80;
++ break;
++ default:
++ return -EINVAL;
++ }
++
++ oobregion->length = ecc->total;
++ if (oobregion->offset + oobregion->length > mtd->oobsize)
++ return -ERANGE;
++
++ return 0;
++}
++
++static int nand_ooblayout_free_lp_hamming(struct mtd_info *mtd, int section,
++ struct mtd_oob_region *oobregion)
++{
++ struct nand_chip *chip = mtd_to_nand(mtd);
++ struct nand_ecc_ctrl *ecc = &chip->ecc;
++ int ecc_offset = 0;
++
++ if (section < 0 || section > 1)
++ return -ERANGE;
++
++ switch (mtd->oobsize) {
++ case 64:
++ ecc_offset = 40;
++ break;
++ case 128:
++ ecc_offset = 80;
++ break;
++ default:
++ return -EINVAL;
++ }
++
++ if (section == 0) {
++ oobregion->offset = 2;
++ oobregion->length = ecc_offset - 2;
++ } else {
++ oobregion->offset = ecc_offset + ecc->total;
++ oobregion->length = mtd->oobsize - oobregion->offset;
++ }
++
++ return 0;
++}
++
++const struct mtd_ooblayout_ops nand_ooblayout_lp_hamming_ops = {
++ .ecc = nand_ooblayout_ecc_lp_hamming,
++ .free = nand_ooblayout_free_lp_hamming,
++};
++
+ static int check_offs_len(struct mtd_info *mtd,
+ loff_t ofs, uint64_t len)
+ {
+@@ -4653,7 +4721,7 @@ int nand_scan_tail(struct mtd_info *mtd)
+ break;
+ case 64:
+ case 128:
+- mtd_set_ooblayout(mtd, &nand_ooblayout_lp_ops);
++ mtd_set_ooblayout(mtd, &nand_ooblayout_lp_hamming_ops);
+ break;
+ default:
+ WARN(1, "No oob scheme defined for oobsize %d\n",
--- /dev/null
+From 2d283ede59869159f4bb84ae689258c5caffce54 Mon Sep 17 00:00:00 2001
+From: Roger Quadros <rogerq@ti.com>
+Date: Thu, 30 Mar 2017 10:37:50 +0300
+Subject: mtd: nand: omap2: Fix partition creation via cmdline mtdparts
+
+From: Roger Quadros <rogerq@ti.com>
+
+commit 2d283ede59869159f4bb84ae689258c5caffce54 upstream.
+
+commit c9711ec5250b ("mtd: nand: omap: Clean up device tree support")
+caused the parent device name to be changed from "omap2-nand.0"
+to "<base address>.nand" (e.g. 30000000.nand on omap3 platforms).
+This caused mtd->name to be changed as well. This breaks partition
+creation via mtdparts passed by u-boot as it uses "omap2-nand.0"
+for the mtd-id.
+
+Fix this by explicitly setting the mtd->name to "omap2-nand.<CS number>"
+if it isn't already set by nand_set_flash_node(). CS number is the
+NAND controller instance ID.
+
+Fixes: c9711ec5250b ("mtd: nand: omap: Clean up device tree support")
+Reported-by: Leto Enrico <enrico.leto@siemens.com>
+Reported-by: Adam Ford <aford173@gmail.com>
+Suggested-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Tested-by: Adam Ford <aford173@gmail.com>
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/omap2.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/mtd/nand/omap2.c
++++ b/drivers/mtd/nand/omap2.c
+@@ -1856,6 +1856,15 @@ static int omap_nand_probe(struct platfo
+ nand_chip->ecc.priv = NULL;
+ nand_set_flash_node(nand_chip, dev->of_node);
+
++ if (!mtd->name) {
++ mtd->name = devm_kasprintf(&pdev->dev, GFP_KERNEL,
++ "omap2-nand.%d", info->gpmc_cs);
++ if (!mtd->name) {
++ dev_err(&pdev->dev, "Failed to set MTD name\n");
++ return -ENOMEM;
++ }
++ }
++
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ nand_chip->IO_ADDR_R = devm_ioremap_resource(&pdev->dev, res);
+ if (IS_ERR(nand_chip->IO_ADDR_R))
--- /dev/null
+From 675b11d94ce9baa5eb365a51b35d2793f77c8ab8 Mon Sep 17 00:00:00 2001
+From: Simon Baatz <gmbnomis@gmail.com>
+Date: Mon, 27 Mar 2017 20:02:07 +0200
+Subject: mtd: nand: orion: fix clk handling
+
+From: Simon Baatz <gmbnomis@gmail.com>
+
+commit 675b11d94ce9baa5eb365a51b35d2793f77c8ab8 upstream.
+
+The clk handling in orion_nand.c had two problems:
+
+- In the probe function, clk_put() was called for an enabled clock,
+ which violates the API (see documentation for clk_put() in
+ include/linux/clk.h)
+
+- In the error path of the probe function, clk_put() could be called
+ twice for the same clock.
+
+In order to clean this up, use the managed function devm_clk_get() and
+store the pointer to the clk in the driver data.
+
+Fixes: baffab28b13120694fa3ebab08d3e99667a851d2 ('ARM: Orion: fix driver probe error handling with respect to clk')
+Signed-off-by: Simon Baatz <gmbnomis@gmail.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/orion_nand.c | 42 +++++++++++++++++++++---------------------
+ 1 file changed, 21 insertions(+), 21 deletions(-)
+
+--- a/drivers/mtd/nand/orion_nand.c
++++ b/drivers/mtd/nand/orion_nand.c
+@@ -23,6 +23,11 @@
+ #include <asm/sizes.h>
+ #include <linux/platform_data/mtd-orion_nand.h>
+
++struct orion_nand_info {
++ struct nand_chip chip;
++ struct clk *clk;
++};
++
+ static void orion_nand_cmd_ctrl(struct mtd_info *mtd, int cmd, unsigned int ctrl)
+ {
+ struct nand_chip *nc = mtd_to_nand(mtd);
+@@ -75,20 +80,21 @@ static void orion_nand_read_buf(struct m
+
+ static int __init orion_nand_probe(struct platform_device *pdev)
+ {
++ struct orion_nand_info *info;
+ struct mtd_info *mtd;
+ struct nand_chip *nc;
+ struct orion_nand_data *board;
+ struct resource *res;
+- struct clk *clk;
+ void __iomem *io_base;
+ int ret = 0;
+ u32 val = 0;
+
+- nc = devm_kzalloc(&pdev->dev,
+- sizeof(struct nand_chip),
++ info = devm_kzalloc(&pdev->dev,
++ sizeof(struct orion_nand_info),
+ GFP_KERNEL);
+- if (!nc)
++ if (!info)
+ return -ENOMEM;
++ nc = &info->chip;
+ mtd = nand_to_mtd(nc);
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+@@ -145,15 +151,13 @@ static int __init orion_nand_probe(struc
+ if (board->dev_ready)
+ nc->dev_ready = board->dev_ready;
+
+- platform_set_drvdata(pdev, mtd);
++ platform_set_drvdata(pdev, info);
+
+ /* Not all platforms can gate the clock, so it is not
+ an error if the clock does not exists. */
+- clk = clk_get(&pdev->dev, NULL);
+- if (!IS_ERR(clk)) {
+- clk_prepare_enable(clk);
+- clk_put(clk);
+- }
++ info->clk = devm_clk_get(&pdev->dev, NULL);
++ if (!IS_ERR(info->clk))
++ clk_prepare_enable(info->clk);
+
+ ret = nand_scan(mtd, 1);
+ if (ret)
+@@ -169,26 +173,22 @@ static int __init orion_nand_probe(struc
+ return 0;
+
+ no_dev:
+- if (!IS_ERR(clk)) {
+- clk_disable_unprepare(clk);
+- clk_put(clk);
+- }
++ if (!IS_ERR(info->clk))
++ clk_disable_unprepare(info->clk);
+
+ return ret;
+ }
+
+ static int orion_nand_remove(struct platform_device *pdev)
+ {
+- struct mtd_info *mtd = platform_get_drvdata(pdev);
+- struct clk *clk;
++ struct orion_nand_info *info = platform_get_drvdata(pdev);
++ struct nand_chip *chip = &info->chip;
++ struct mtd_info *mtd = nand_to_mtd(chip);
+
+ nand_release(mtd);
+
+- clk = clk_get(&pdev->dev, NULL);
+- if (!IS_ERR(clk)) {
+- clk_disable_unprepare(clk);
+- clk_put(clk);
+- }
++ if (!IS_ERR(info->clk))
++ clk_disable_unprepare(info->clk);
+
+ return 0;
+ }
--- /dev/null
+From 1f84ccdf37d0db3a70714d02d51b0b6d45887fb8 Mon Sep 17 00:00:00 2001
+From: Fred Isaman <fred.isaman@gmail.com>
+Date: Fri, 14 Apr 2017 14:24:28 -0400
+Subject: NFS: Fix use after free in write error path
+
+From: Fred Isaman <fred.isaman@gmail.com>
+
+commit 1f84ccdf37d0db3a70714d02d51b0b6d45887fb8 upstream.
+
+Signed-off-by: Fred Isaman <fred.isaman@gmail.com>
+Fixes: 0bcbf039f6b2b ("nfs: handle request add failure properly")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/write.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -548,9 +548,9 @@ static void nfs_write_error_remove_page(
+ {
+ nfs_unlock_request(req);
+ nfs_end_page_writeback(req);
+- nfs_release_request(req);
+ generic_error_remove_page(page_file_mapping(req->wb_page),
+ req->wb_page);
++ nfs_release_request(req);
+ }
+
+ /*
--- /dev/null
+From ae97aa524ef495b6276fd26f5d5449fb22975d7c Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Wed, 19 Apr 2017 10:11:33 -0400
+Subject: NFS: Use GFP_NOIO for two allocations in writeback
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+commit ae97aa524ef495b6276fd26f5d5449fb22975d7c upstream.
+
+Prevent a deadlock that can occur if we wait on allocations
+that try to write back our pages.
+
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Fixes: 00bfa30abe869 ("NFS: Create a common pgio_alloc and pgio_release...")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pagelist.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/pagelist.c
++++ b/fs/nfs/pagelist.c
+@@ -29,13 +29,14 @@
+ static struct kmem_cache *nfs_page_cachep;
+ static const struct rpc_call_ops nfs_pgio_common_ops;
+
+-static bool nfs_pgarray_set(struct nfs_page_array *p, unsigned int pagecount)
++static bool nfs_pgarray_set(struct nfs_page_array *p, unsigned int pagecount,
++ gfp_t gfp_flags)
+ {
+ p->npages = pagecount;
+ if (pagecount <= ARRAY_SIZE(p->page_array))
+ p->pagevec = p->page_array;
+ else {
+- p->pagevec = kcalloc(pagecount, sizeof(struct page *), GFP_KERNEL);
++ p->pagevec = kcalloc(pagecount, sizeof(struct page *), gfp_flags);
+ if (!p->pagevec)
+ p->npages = 0;
+ }
+@@ -681,6 +682,7 @@ void nfs_pageio_init(struct nfs_pageio_d
+ {
+ struct nfs_pgio_mirror *new;
+ int i;
++ gfp_t gfp_flags = GFP_KERNEL;
+
+ desc->pg_moreio = 0;
+ desc->pg_inode = inode;
+@@ -700,8 +702,10 @@ void nfs_pageio_init(struct nfs_pageio_d
+ if (pg_ops->pg_get_mirror_count) {
+ /* until we have a request, we don't have an lseg and no
+ * idea how many mirrors there will be */
++ if (desc->pg_rw_ops->rw_mode == FMODE_WRITE)
++ gfp_flags = GFP_NOIO;
+ new = kcalloc(NFS_PAGEIO_DESCRIPTOR_MIRROR_MAX,
+- sizeof(struct nfs_pgio_mirror), GFP_KERNEL);
++ sizeof(struct nfs_pgio_mirror), gfp_flags);
+ desc->pg_mirrors_dynamic = new;
+ desc->pg_mirrors = new;
+
+@@ -755,9 +759,12 @@ int nfs_generic_pgio(struct nfs_pageio_d
+ struct list_head *head = &mirror->pg_list;
+ struct nfs_commit_info cinfo;
+ unsigned int pagecount, pageused;
++ gfp_t gfp_flags = GFP_KERNEL;
+
+ pagecount = nfs_page_array_len(mirror->pg_base, mirror->pg_count);
+- if (!nfs_pgarray_set(&hdr->page_array, pagecount)) {
++ if (desc->pg_rw_ops->rw_mode == FMODE_WRITE)
++ gfp_flags = GFP_NOIO;
++ if (!nfs_pgarray_set(&hdr->page_array, pagecount, gfp_flags)) {
+ nfs_pgio_error(hdr);
+ desc->pg_error = -ENOMEM;
+ return desc->pg_error;
--- /dev/null
+From 51f567777799c9d85a778302b9eb61cf15214a98 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Thu, 6 Apr 2017 22:36:31 -0400
+Subject: nfsd: check for oversized NFSv2/v3 arguments
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit 51f567777799c9d85a778302b9eb61cf15214a98 upstream.
+
+A client can append random data to the end of an NFSv2 or NFSv3 RPC call
+without our complaining; we'll just stop parsing at the end of the
+expected data and ignore the rest.
+
+Encoded arguments and replies are stored together in an array of pages,
+and if a call is too large it could leave inadequate space for the
+reply. This is normally OK because NFS RPC's typically have either
+short arguments and long replies (like READ) or long arguments and short
+replies (like WRITE). But a client that sends an incorrectly long reply
+can violate those assumptions. This was observed to cause crashes.
+
+So, insist that the argument not be any longer than we expect.
+
+Also, several operations increment rq_next_page in the decode routine
+before checking the argument size, which can leave rq_next_page pointing
+well past the end of the page array, causing trouble later in
+svc_free_pages.
+
+As followup we may also want to rewrite the encoding routines to check
+more carefully that they aren't running off the end of the page array.
+
+Reported-by: Tuomas Haanpää <thaan@synopsys.com>
+Reported-by: Ari Kauppi <ari@synopsys.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs3xdr.c | 23 +++++++++++++++++------
+ fs/nfsd/nfsxdr.c | 13 ++++++++++---
+ include/linux/sunrpc/svc.h | 3 +--
+ 3 files changed, 28 insertions(+), 11 deletions(-)
+
+--- a/fs/nfsd/nfs3xdr.c
++++ b/fs/nfsd/nfs3xdr.c
+@@ -334,8 +334,11 @@ nfs3svc_decode_readargs(struct svc_rqst
+ if (!p)
+ return 0;
+ p = xdr_decode_hyper(p, &args->offset);
+-
+ args->count = ntohl(*p++);
++
++ if (!xdr_argsize_check(rqstp, p))
++ return 0;
++
+ len = min(args->count, max_blocksize);
+
+ /* set up the kvec */
+@@ -349,7 +352,7 @@ nfs3svc_decode_readargs(struct svc_rqst
+ v++;
+ }
+ args->vlen = v;
+- return xdr_argsize_check(rqstp, p);
++ return 1;
+ }
+
+ int
+@@ -541,9 +544,11 @@ nfs3svc_decode_readlinkargs(struct svc_r
+ p = decode_fh(p, &args->fh);
+ if (!p)
+ return 0;
++ if (!xdr_argsize_check(rqstp, p))
++ return 0;
+ args->buffer = page_address(*(rqstp->rq_next_page++));
+
+- return xdr_argsize_check(rqstp, p);
++ return 1;
+ }
+
+ int
+@@ -569,10 +574,14 @@ nfs3svc_decode_readdirargs(struct svc_rq
+ args->verf = p; p += 2;
+ args->dircount = ~0;
+ args->count = ntohl(*p++);
++
++ if (!xdr_argsize_check(rqstp, p))
++ return 0;
++
+ args->count = min_t(u32, args->count, PAGE_SIZE);
+ args->buffer = page_address(*(rqstp->rq_next_page++));
+
+- return xdr_argsize_check(rqstp, p);
++ return 1;
+ }
+
+ int
+@@ -590,6 +599,9 @@ nfs3svc_decode_readdirplusargs(struct sv
+ args->dircount = ntohl(*p++);
+ args->count = ntohl(*p++);
+
++ if (!xdr_argsize_check(rqstp, p))
++ return 0;
++
+ len = args->count = min(args->count, max_blocksize);
+ while (len > 0) {
+ struct page *p = *(rqstp->rq_next_page++);
+@@ -597,8 +609,7 @@ nfs3svc_decode_readdirplusargs(struct sv
+ args->buffer = page_address(p);
+ len -= PAGE_SIZE;
+ }
+-
+- return xdr_argsize_check(rqstp, p);
++ return 1;
+ }
+
+ int
+--- a/fs/nfsd/nfsxdr.c
++++ b/fs/nfsd/nfsxdr.c
+@@ -257,6 +257,9 @@ nfssvc_decode_readargs(struct svc_rqst *
+ len = args->count = ntohl(*p++);
+ p++; /* totalcount - unused */
+
++ if (!xdr_argsize_check(rqstp, p))
++ return 0;
++
+ len = min_t(unsigned int, len, NFSSVC_MAXBLKSIZE_V2);
+
+ /* set up somewhere to store response.
+@@ -272,7 +275,7 @@ nfssvc_decode_readargs(struct svc_rqst *
+ v++;
+ }
+ args->vlen = v;
+- return xdr_argsize_check(rqstp, p);
++ return 1;
+ }
+
+ int
+@@ -362,9 +365,11 @@ nfssvc_decode_readlinkargs(struct svc_rq
+ p = decode_fh(p, &args->fh);
+ if (!p)
+ return 0;
++ if (!xdr_argsize_check(rqstp, p))
++ return 0;
+ args->buffer = page_address(*(rqstp->rq_next_page++));
+
+- return xdr_argsize_check(rqstp, p);
++ return 1;
+ }
+
+ int
+@@ -402,9 +407,11 @@ nfssvc_decode_readdirargs(struct svc_rqs
+ args->cookie = ntohl(*p++);
+ args->count = ntohl(*p++);
+ args->count = min_t(u32, args->count, PAGE_SIZE);
++ if (!xdr_argsize_check(rqstp, p))
++ return 0;
+ args->buffer = page_address(*(rqstp->rq_next_page++));
+
+- return xdr_argsize_check(rqstp, p);
++ return 1;
+ }
+
+ /*
+--- a/include/linux/sunrpc/svc.h
++++ b/include/linux/sunrpc/svc.h
+@@ -336,8 +336,7 @@ xdr_argsize_check(struct svc_rqst *rqstp
+ {
+ char *cp = (char *)p;
+ struct kvec *vec = &rqstp->rq_arg.head[0];
+- return cp >= (char*)vec->iov_base
+- && cp <= (char*)vec->iov_base + vec->iov_len;
++ return cp == (char *)vec->iov_base + vec->iov_len;
+ }
+
+ static inline int
--- /dev/null
+From f961e3f2acae94b727380c0b74e2d3954d0edf79 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Fri, 5 May 2017 16:17:57 -0400
+Subject: nfsd: encoders mustn't use unitialized values in error cases
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit f961e3f2acae94b727380c0b74e2d3954d0edf79 upstream.
+
+In error cases, lgp->lg_layout_type may be out of bounds; so we
+shouldn't be using it until after the check of nfserr.
+
+This was seen to crash nfsd threads when the server receives a LAYOUTGET
+request with a large layout type.
+
+GETDEVICEINFO has the same problem.
+
+Reported-by: Ari Kauppi <Ari.Kauppi@synopsys.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4xdr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -4119,8 +4119,7 @@ nfsd4_encode_getdeviceinfo(struct nfsd4_
+ struct nfsd4_getdeviceinfo *gdev)
+ {
+ struct xdr_stream *xdr = &resp->xdr;
+- const struct nfsd4_layout_ops *ops =
+- nfsd4_layout_ops[gdev->gd_layout_type];
++ const struct nfsd4_layout_ops *ops;
+ u32 starting_len = xdr->buf->len, needed_len;
+ __be32 *p;
+
+@@ -4137,6 +4136,7 @@ nfsd4_encode_getdeviceinfo(struct nfsd4_
+
+ /* If maxcount is 0 then just update notifications */
+ if (gdev->gd_maxcount != 0) {
++ ops = nfsd4_layout_ops[gdev->gd_layout_type];
+ nfserr = ops->encode_getdeviceinfo(xdr, gdev);
+ if (nfserr) {
+ /*
+@@ -4189,8 +4189,7 @@ nfsd4_encode_layoutget(struct nfsd4_comp
+ struct nfsd4_layoutget *lgp)
+ {
+ struct xdr_stream *xdr = &resp->xdr;
+- const struct nfsd4_layout_ops *ops =
+- nfsd4_layout_ops[lgp->lg_layout_type];
++ const struct nfsd4_layout_ops *ops;
+ __be32 *p;
+
+ dprintk("%s: err %d\n", __func__, nfserr);
+@@ -4213,6 +4212,7 @@ nfsd4_encode_layoutget(struct nfsd4_comp
+ *p++ = cpu_to_be32(lgp->lg_seg.iomode);
+ *p++ = cpu_to_be32(lgp->lg_layout_type);
+
++ ops = nfsd4_layout_ops[lgp->lg_layout_type];
+ nfserr = ops->encode_layoutget(xdr, lgp);
+ out:
+ kfree(lgp->lg_content);
--- /dev/null
+From b550a32e60a4941994b437a8d662432a486235a5 Mon Sep 17 00:00:00 2001
+From: Ari Kauppi <ari@synopsys.com>
+Date: Fri, 5 May 2017 16:07:55 -0400
+Subject: nfsd: fix undefined behavior in nfsd4_layout_verify
+
+From: Ari Kauppi <ari@synopsys.com>
+
+commit b550a32e60a4941994b437a8d662432a486235a5 upstream.
+
+ UBSAN: Undefined behaviour in fs/nfsd/nfs4proc.c:1262:34
+ shift exponent 128 is too large for 32-bit type 'int'
+
+Depending on compiler+architecture, this may cause the check for
+layout_type to succeed for overly large values (which seems to be the
+case with amd64). The large value will be later used in de-referencing
+nfsd4_layout_ops for function pointers.
+
+Reported-by: Jani Tuovila <tuovila@synopsys.com>
+Signed-off-by: Ari Kauppi <ari@synopsys.com>
+[colin.king@canonical.com: use LAYOUT_TYPE_MAX instead of 32]
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4proc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1259,7 +1259,8 @@ nfsd4_layout_verify(struct svc_export *e
+ return NULL;
+ }
+
+- if (!(exp->ex_layout_types & (1 << layout_type))) {
++ if (layout_type >= LAYOUT_TYPE_MAX ||
++ !(exp->ex_layout_types & (1 << layout_type))) {
+ dprintk("%s: layout type %d not supported\n",
+ __func__, layout_type);
+ return NULL;
--- /dev/null
+From b26b78cb726007533d81fdf90a62e915002ef5c8 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Tue, 9 May 2017 16:24:59 -0400
+Subject: nfsd: Fix up the "supattr_exclcreat" attributes
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit b26b78cb726007533d81fdf90a62e915002ef5c8 upstream.
+
+If an NFSv4 client asks us for the supattr_exclcreat, then we must
+not return attributes that are unsupported by this minor version.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Fixes: 75976de6556f ("NFSD: Return word2 bitmask if setting security..,")
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4xdr.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -2831,9 +2831,14 @@ out_acl:
+ }
+ #endif /* CONFIG_NFSD_PNFS */
+ if (bmval2 & FATTR4_WORD2_SUPPATTR_EXCLCREAT) {
+- status = nfsd4_encode_bitmap(xdr, NFSD_SUPPATTR_EXCLCREAT_WORD0,
+- NFSD_SUPPATTR_EXCLCREAT_WORD1,
+- NFSD_SUPPATTR_EXCLCREAT_WORD2);
++ u32 supp[3];
++
++ memcpy(supp, nfsd_suppattrs[minorversion], sizeof(supp));
++ supp[0] &= NFSD_SUPPATTR_EXCLCREAT_WORD0;
++ supp[1] &= NFSD_SUPPATTR_EXCLCREAT_WORD1;
++ supp[2] &= NFSD_SUPPATTR_EXCLCREAT_WORD2;
++
++ status = nfsd4_encode_bitmap(xdr, supp[0], supp[1], supp[2]);
+ if (status)
+ goto out;
+ }
--- /dev/null
+From 56e0d71ef12f026d96213e45a662bde6bbff4676 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Sat, 15 Apr 2017 19:20:01 -0400
+Subject: NFSv4: Fix a hang in OPEN related to server reboot
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit 56e0d71ef12f026d96213e45a662bde6bbff4676 upstream.
+
+If the server fails to return the attributes as part of an OPEN
+reply, and then reboots, we can end up hanging. The reason is that
+the client attempts to send a GETATTR in order to pick up the
+missing OPEN call, but fails to release the slot first, causing
+reboot recovery to deadlock.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Fixes: 2e80dbe7ac51a ("NFSv4.1: Close callback races for OPEN, LAYOUTGET...")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -2300,8 +2300,10 @@ static int _nfs4_proc_open(struct nfs4_o
+ if (status != 0)
+ return status;
+ }
+- if (!(o_res->f_attr->valid & NFS_ATTR_FATTR))
++ if (!(o_res->f_attr->valid & NFS_ATTR_FATTR)) {
++ nfs4_sequence_free_slot(&o_res->seq_res);
+ nfs4_proc_getattr(server, &o_res->fh, o_res->f_attr, o_res->f_label);
++ }
+ return 0;
+ }
+
--- /dev/null
+From 2e84611b3f4fa50e1f4c12f2966fcc7fb955d944 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Fri, 5 May 2017 13:02:42 -0400
+Subject: NFSv4: Fix an rcu lock leak
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit 2e84611b3f4fa50e1f4c12f2966fcc7fb955d944 upstream.
+
+The intention in the original patch was to release the lock when
+we put the inode, however something got screwed up.
+
+Reported-by: Jason Yan <yanaijie@huawei.com>
+Fixes: 7b410d9ce460f ("pNFS: Delay getting the layout header in..")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/callback_proc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/callback_proc.c
++++ b/fs/nfs/callback_proc.c
+@@ -131,10 +131,11 @@ restart:
+ if (!inode)
+ continue;
+ if (!nfs_sb_active(inode->i_sb)) {
+- rcu_read_lock();
++ rcu_read_unlock();
+ spin_unlock(&clp->cl_lock);
+ iput(inode);
+ spin_lock(&clp->cl_lock);
++ rcu_read_lock();
+ goto restart;
+ }
+ return inode;
+@@ -170,10 +171,11 @@ restart:
+ if (!inode)
+ continue;
+ if (!nfs_sb_active(inode->i_sb)) {
+- rcu_read_lock();
++ rcu_read_unlock();
+ spin_unlock(&clp->cl_lock);
+ iput(inode);
+ spin_lock(&clp->cl_lock);
++ rcu_read_lock();
+ goto restart;
+ }
+ return inode;
--- /dev/null
+From a8c39544a6eb2093c04afd5005b6192bd0e880c6 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 14 May 2017 21:47:25 -0400
+Subject: osf_wait4(): fix infoleak
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit a8c39544a6eb2093c04afd5005b6192bd0e880c6 upstream.
+
+failing sys_wait4() won't fill struct rusage...
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/alpha/kernel/osf_sys.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/alpha/kernel/osf_sys.c
++++ b/arch/alpha/kernel/osf_sys.c
+@@ -1199,8 +1199,10 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
+ if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur)))
+ return -EFAULT;
+
+- err = 0;
+- err |= put_user(status, ustatus);
++ err = put_user(status, ustatus);
++ if (ret < 0)
++ return err ? err : ret;
++
+ err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec);
+ err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec);
+ err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec);
--- /dev/null
+From cd183740480f045600aa1fa38fe70809b5498f05 Mon Sep 17 00:00:00 2001
+From: Tomasz Nowicki <tn@semihalf.com>
+Date: Wed, 29 Mar 2017 14:16:13 +0200
+Subject: PCI/ACPI: Add ThunderX pass2.x 2nd node MCFG quirk
+
+From: Tomasz Nowicki <tn@semihalf.com>
+
+commit cd183740480f045600aa1fa38fe70809b5498f05 upstream.
+
+Currently SoCs pass2.x do not emulate EA headers for ACPI boot method at
+all. However, for pass2.x some devices (like EDAC) advertise incorrect
+base addresses in their BARs which results in driver probe failure during
+resource request. Since all problematic blocks are on 2nd NUMA node under
+domain 10 add necessary quirk entry to obtain BAR addresses correction
+using EA header emulation.
+
+Fixes: 44f22bd91e88 ("PCI: Add MCFG quirks for Cavium ThunderX pass2.x host controller")
+Signed-off-by: Tomasz Nowicki <tn@semihalf.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-by: Robert Richter <rrichter@cavium.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/pci_mcfg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/acpi/pci_mcfg.c
++++ b/drivers/acpi/pci_mcfg.c
+@@ -101,6 +101,7 @@ static struct mcfg_fixup mcfg_quirks[] =
+ /* SoC pass2.x */
+ THUNDER_PEM_QUIRK(1, 0),
+ THUNDER_PEM_QUIRK(1, 1),
++ THUNDER_ECAM_QUIRK(1, 10),
+
+ /* SoC pass1.x */
+ THUNDER_PEM_QUIRK(2, 0), /* off-chip devices */
--- /dev/null
+From ced414a14f709fc0af60bd381ba8a566dc566869 Mon Sep 17 00:00:00 2001
+From: Bjorn Helgaas <bhelgaas@google.com>
+Date: Fri, 21 Apr 2017 11:42:54 -0500
+Subject: PCI/ACPI: Tidy up MCFG quirk whitespace
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+commit ced414a14f709fc0af60bd381ba8a566dc566869 upstream.
+
+With no blank lines, it's not obvious where the macro definitions end and
+the uses begin. Add some blank lines and reorder the ThunderX definitions.
+No functional change intended.
+
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/pci_mcfg.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/acpi/pci_mcfg.c
++++ b/drivers/acpi/pci_mcfg.c
+@@ -54,6 +54,7 @@ static struct mcfg_fixup mcfg_quirks[] =
+
+ #define QCOM_ECAM32(seg) \
+ { "QCOM ", "QDF2432 ", 1, seg, MCFG_BUS_ANY, &pci_32b_ops }
++
+ QCOM_ECAM32(0),
+ QCOM_ECAM32(1),
+ QCOM_ECAM32(2),
+@@ -68,6 +69,7 @@ static struct mcfg_fixup mcfg_quirks[] =
+ { "HISI ", table_id, 0, (seg) + 1, MCFG_BUS_ANY, ops }, \
+ { "HISI ", table_id, 0, (seg) + 2, MCFG_BUS_ANY, ops }, \
+ { "HISI ", table_id, 0, (seg) + 3, MCFG_BUS_ANY, ops }
++
+ HISI_QUAD_DOM("HIP05 ", 0, &hisi_pcie_ops),
+ HISI_QUAD_DOM("HIP06 ", 0, &hisi_pcie_ops),
+ HISI_QUAD_DOM("HIP07 ", 0, &hisi_pcie_ops),
+@@ -77,6 +79,7 @@ static struct mcfg_fixup mcfg_quirks[] =
+
+ #define THUNDER_PEM_RES(addr, node) \
+ DEFINE_RES_MEM((addr) + ((u64) (node) << 44), 0x39 * SZ_16M)
++
+ #define THUNDER_PEM_QUIRK(rev, node) \
+ { "CAVIUM", "THUNDERX", rev, 4 + (10 * (node)), MCFG_BUS_ANY, \
+ &thunder_pem_ecam_ops, THUNDER_PEM_RES(0x88001f000000UL, node) }, \
+@@ -90,13 +93,15 @@ static struct mcfg_fixup mcfg_quirks[] =
+ &thunder_pem_ecam_ops, THUNDER_PEM_RES(0x894057000000UL, node) }, \
+ { "CAVIUM", "THUNDERX", rev, 9 + (10 * (node)), MCFG_BUS_ANY, \
+ &thunder_pem_ecam_ops, THUNDER_PEM_RES(0x89808f000000UL, node) }
+- /* SoC pass2.x */
+- THUNDER_PEM_QUIRK(1, 0),
+- THUNDER_PEM_QUIRK(1, 1),
+
+ #define THUNDER_ECAM_QUIRK(rev, seg) \
+ { "CAVIUM", "THUNDERX", rev, seg, MCFG_BUS_ANY, \
+ &pci_thunder_ecam_ops }
++
++ /* SoC pass2.x */
++ THUNDER_PEM_QUIRK(1, 0),
++ THUNDER_PEM_QUIRK(1, 1),
++
+ /* SoC pass1.x */
+ THUNDER_PEM_QUIRK(2, 0), /* off-chip devices */
+ THUNDER_PEM_QUIRK(2, 1), /* off-chip devices */
+@@ -112,9 +117,11 @@ static struct mcfg_fixup mcfg_quirks[] =
+ #define XGENE_V1_ECAM_MCFG(rev, seg) \
+ {"APM ", "XGENE ", rev, seg, MCFG_BUS_ANY, \
+ &xgene_v1_pcie_ecam_ops }
++
+ #define XGENE_V2_ECAM_MCFG(rev, seg) \
+ {"APM ", "XGENE ", rev, seg, MCFG_BUS_ANY, \
+ &xgene_v2_pcie_ecam_ops }
++
+ /* X-Gene SoC with v1 PCIe controller */
+ XGENE_V1_ECAM_MCFG(1, 0),
+ XGENE_V1_ECAM_MCFG(1, 1),
--- /dev/null
+From 17caf56731311c9596e7d38a70c88fcb6afa6a1b Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw@amazon.co.uk>
+Date: Wed, 12 Apr 2017 13:25:51 +0100
+Subject: PCI: Fix another sanity check bug in /proc/pci mmap
+
+From: David Woodhouse <dwmw@amazon.co.uk>
+
+commit 17caf56731311c9596e7d38a70c88fcb6afa6a1b upstream.
+
+Don't match MMIO maps with I/O BARs and vice versa.
+
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/proc.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/proc.c
++++ b/drivers/pci/proc.c
+@@ -231,14 +231,20 @@ static int proc_bus_pci_mmap(struct file
+ {
+ struct pci_dev *dev = PDE_DATA(file_inode(file));
+ struct pci_filp_private *fpriv = file->private_data;
+- int i, ret, write_combine;
++ int i, ret, write_combine, res_bit;
+
+ if (!capable(CAP_SYS_RAWIO))
+ return -EPERM;
+
++ if (fpriv->mmap_state == pci_mmap_io)
++ res_bit = IORESOURCE_IO;
++ else
++ res_bit = IORESOURCE_MEM;
++
+ /* Make sure the caller is mapping a real resource for this device */
+ for (i = 0; i < PCI_ROM_RESOURCE; i++) {
+- if (pci_mmap_fits(dev, i, vma, PCI_MMAP_PROCFS))
++ if (dev->resource[i].flags & res_bit &&
++ pci_mmap_fits(dev, i, vma, PCI_MMAP_PROCFS))
+ break;
+ }
+
--- /dev/null
+From 6bccc7f426abd640f08d8c75fb22f99483f201b4 Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw@amazon.co.uk>
+Date: Wed, 12 Apr 2017 13:25:50 +0100
+Subject: PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms
+
+From: David Woodhouse <dwmw@amazon.co.uk>
+
+commit 6bccc7f426abd640f08d8c75fb22f99483f201b4 upstream.
+
+In the PCI_MMAP_PROCFS case when the address being passed by the user is a
+'user visible' resource address based on the bus window, and not the actual
+contents of the resource, that's what we need to be checking it against.
+
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pci-sysfs.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -985,15 +985,19 @@ void pci_remove_legacy_files(struct pci_
+ int pci_mmap_fits(struct pci_dev *pdev, int resno, struct vm_area_struct *vma,
+ enum pci_mmap_api mmap_api)
+ {
+- unsigned long nr, start, size, pci_start;
++ unsigned long nr, start, size;
++ resource_size_t pci_start = 0, pci_end;
+
+ if (pci_resource_len(pdev, resno) == 0)
+ return 0;
+ nr = vma_pages(vma);
+ start = vma->vm_pgoff;
+ size = ((pci_resource_len(pdev, resno) - 1) >> PAGE_SHIFT) + 1;
+- pci_start = (mmap_api == PCI_MMAP_PROCFS) ?
+- pci_resource_start(pdev, resno) >> PAGE_SHIFT : 0;
++ if (mmap_api == PCI_MMAP_PROCFS) {
++ pci_resource_to_user(pdev, resno, &pdev->resource[resno],
++ &pci_start, &pci_end);
++ pci_start >>= PAGE_SHIFT;
++ }
+ if (start >= pci_start && start < pci_start + size &&
+ start + nr <= pci_start + size)
+ return 1;
--- /dev/null
+From ea00353f36b64375518662a8ad15e39218a1f324 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Tue, 18 Apr 2017 20:44:30 +0200
+Subject: PCI: Freeze PME scan before suspending devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit ea00353f36b64375518662a8ad15e39218a1f324 upstream.
+
+Laurent Pinchart reported that the Renesas R-Car H2 Lager board (r8a7790)
+crashes during suspend tests. Geert Uytterhoeven managed to reproduce the
+issue on an M2-W Koelsch board (r8a7791):
+
+ It occurs when the PME scan runs, once per second. During PME scan, the
+ PCI host bridge (rcar-pci) registers are accessed while its module clock
+ has already been disabled, leading to the crash.
+
+One reproducer is to configure s2ram to use "s2idle" instead of "deep"
+suspend:
+
+ # echo 0 > /sys/module/printk/parameters/console_suspend
+ # echo s2idle > /sys/power/mem_sleep
+ # echo mem > /sys/power/state
+
+Another reproducer is to write either "platform" or "processors" to
+/sys/power/pm_test. It does not (or is less likely) to happen during full
+system suspend ("core" or "none") because system suspend also disables
+timers, and thus the workqueue handling PME scans no longer runs. Geert
+believes the issue may still happen in the small window between disabling
+module clocks and disabling timers:
+
+ # echo 0 > /sys/module/printk/parameters/console_suspend
+ # echo platform > /sys/power/pm_test # Or "processors"
+ # echo mem > /sys/power/state
+
+(Make sure CONFIG_PCI_RCAR_GEN2 and CONFIG_USB_OHCI_HCD_PCI are enabled.)
+
+Rafael Wysocki agrees that PME scans should be suspended before the host
+bridge registers become inaccessible. To that end, queue the task on a
+workqueue that gets frozen before devices suspend.
+
+Rafael notes however that as a result, some wakeup events may be missed if
+they are delivered via PME from a device without working IRQ (which hence
+must be polled) and occur after the workqueue has been frozen. If that
+turns out to be an issue in practice, it may be possible to solve it by
+calling pci_pme_list_scan() once directly from one of the host bridge's
+pm_ops callbacks.
+
+Stacktrace for posterity:
+
+ PM: Syncing filesystems ... [ 38.566237] done.
+ PM: Preparing system for sleep (mem)
+ Freezing user space processes ... [ 38.579813] (elapsed 0.001 seconds) done.
+ Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.
+ PM: Suspending system (mem)
+ PM: suspend of devices complete after 152.456 msecs
+ PM: late suspend of devices complete after 2.809 msecs
+ PM: noirq suspend of devices complete after 29.863 msecs
+ suspend debug: Waiting for 5 second(s).
+ Unhandled fault: asynchronous external abort (0x1211) at 0x00000000
+ pgd = c0003000
+ [00000000] *pgd=80000040004003, *pmd=00000000
+ Internal error: : 1211 [#1] SMP ARM
+ Modules linked in:
+ CPU: 1 PID: 20 Comm: kworker/1:1 Not tainted
+ 4.9.0-rc1-koelsch-00011-g68db9bc814362e7f #3383
+ Hardware name: Generic R8A7791 (Flattened Device Tree)
+ Workqueue: events pci_pme_list_scan
+ task: eb56e140 task.stack: eb58e000
+ PC is at pci_generic_config_read+0x64/0x6c
+ LR is at rcar_pci_cfg_base+0x64/0x84
+ pc : [<c041d7b4>] lr : [<c04309a0>] psr: 600d0093
+ sp : eb58fe98 ip : c041d750 fp : 00000008
+ r10: c0e2283c r9 : 00000000 r8 : 600d0013
+ r7 : 00000008 r6 : eb58fed6 r5 : 00000002 r4 : eb58feb4
+ r3 : 00000000 r2 : 00000044 r1 : 00000008 r0 : 00000000
+ Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
+ Control: 30c5387d Table: 6a9f6c80 DAC: 55555555
+ Process kworker/1:1 (pid: 20, stack limit = 0xeb58e210)
+ Stack: (0xeb58fe98 to 0xeb590000)
+ fe80: 00000002 00000044
+ fea0: eb6f5800 c041d9b0 eb58feb4 00000008 00000044 00000000 eb78a000 eb78a000
+ fec0: 00000044 00000000 eb9aff00 c0424bf0 eb78a000 00000000 eb78a000 c0e22830
+ fee0: ea8a6fc0 c0424c5c eaae79c0 c0424ce0 eb55f380 c0e22838 eb9a9800 c0235fbc
+ ff00: eb55f380 c0e22838 eb55f380 eb9a9800 eb9a9800 eb58e000 eb9a9824 c0e02100
+ ff20: eb55f398 c02366c4 eb56e140 eb5631c0 00000000 eb55f380 c023641c 00000000
+ ff40: 00000000 00000000 00000000 c023a928 cd105598 00000000 40506a34 eb55f380
+ ff60: 00000000 00000000 dead4ead ffffffff ffffffff eb58ff74 eb58ff74 00000000
+ ff80: 00000000 dead4ead ffffffff ffffffff eb58ff90 eb58ff90 eb58ffac eb5631c0
+ ffa0: c023a844 00000000 00000000 c0206d68 00000000 00000000 00000000 00000000
+ ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+ ffe0: 00000000 00000000 00000000 00000000 00000013 00000000 3a81336c 10ccd1dd
+ [<c041d7b4>] (pci_generic_config_read) from [<c041d9b0>]
+ (pci_bus_read_config_word+0x58/0x80)
+ [<c041d9b0>] (pci_bus_read_config_word) from [<c0424bf0>]
+ (pci_check_pme_status+0x34/0x78)
+ [<c0424bf0>] (pci_check_pme_status) from [<c0424c5c>] (pci_pme_wakeup+0x28/0x54)
+ [<c0424c5c>] (pci_pme_wakeup) from [<c0424ce0>] (pci_pme_list_scan+0x58/0xb4)
+ [<c0424ce0>] (pci_pme_list_scan) from [<c0235fbc>]
+ (process_one_work+0x1bc/0x308)
+ [<c0235fbc>] (process_one_work) from [<c02366c4>] (worker_thread+0x2a8/0x3e0)
+ [<c02366c4>] (worker_thread) from [<c023a928>] (kthread+0xe4/0xfc)
+ [<c023a928>] (kthread) from [<c0206d68>] (ret_from_fork+0x14/0x2c)
+ Code: ea000000 e5903000 f57ff04f e3a00000 (e5843000)
+ ---[ end trace 667d43ba3aa9e589 ]---
+
+Fixes: df17e62e5bff ("PCI: Add support for polling PME state on suspended legacy PCI devices")
+Reported-and-tested-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Reported-and-tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
+Cc: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Cc: Simon Horman <horms+renesas@verge.net.au>
+Cc: Yinghai Lu <yinghai@kernel.org>
+Cc: Matthew Garrett <mjg59@srcf.ucam.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pci.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -1782,8 +1782,8 @@ static void pci_pme_list_scan(struct wor
+ }
+ }
+ if (!list_empty(&pci_pme_list))
+- schedule_delayed_work(&pci_pme_work,
+- msecs_to_jiffies(PME_TIMEOUT));
++ queue_delayed_work(system_freezable_wq, &pci_pme_work,
++ msecs_to_jiffies(PME_TIMEOUT));
+ mutex_unlock(&pci_pme_list_mutex);
+ }
+
+@@ -1848,8 +1848,9 @@ void pci_pme_active(struct pci_dev *dev,
+ mutex_lock(&pci_pme_list_mutex);
+ list_add(&pme_dev->list, &pci_pme_list);
+ if (list_is_singular(&pci_pme_list))
+- schedule_delayed_work(&pci_pme_work,
+- msecs_to_jiffies(PME_TIMEOUT));
++ queue_delayed_work(system_freezable_wq,
++ &pci_pme_work,
++ msecs_to_jiffies(PME_TIMEOUT));
+ mutex_unlock(&pci_pme_list_mutex);
+ } else {
+ mutex_lock(&pci_pme_list_mutex);
--- /dev/null
+From 59c58ceeea9cdc6144d7b0303753e6bd26d87455 Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Fri, 24 Mar 2017 11:07:22 -0700
+Subject: PCI: hv: Allocate interrupt descriptors with GFP_ATOMIC
+
+From: K. Y. Srinivasan <kys@microsoft.com>
+
+commit 59c58ceeea9cdc6144d7b0303753e6bd26d87455 upstream.
+
+The memory allocation here needs to be non-blocking. Fix the issue.
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Long Li <longli@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/host/pci-hyperv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/host/pci-hyperv.c
++++ b/drivers/pci/host/pci-hyperv.c
+@@ -876,7 +876,7 @@ static void hv_compose_msi_msg(struct ir
+ hv_int_desc_free(hpdev, int_desc);
+ }
+
+- int_desc = kzalloc(sizeof(*int_desc), GFP_KERNEL);
++ int_desc = kzalloc(sizeof(*int_desc), GFP_ATOMIC);
+ if (!int_desc)
+ goto drop_reference;
+
--- /dev/null
+From 433fcf6b7b31f1f233dd50aeb9d066a0f6ed4b9d Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Fri, 24 Mar 2017 11:07:21 -0700
+Subject: PCI: hv: Specify CPU_AFFINITY_ALL for MSI affinity when >= 32 CPUs
+
+From: K. Y. Srinivasan <kys@microsoft.com>
+
+commit 433fcf6b7b31f1f233dd50aeb9d066a0f6ed4b9d upstream.
+
+When we have 32 or more CPUs in the affinity mask, we should use a special
+constant to specify that to the host. Fix this issue.
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Long Li <longli@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/host/pci-hyperv.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/pci/host/pci-hyperv.c
++++ b/drivers/pci/host/pci-hyperv.c
+@@ -72,6 +72,7 @@ enum {
+ PCI_PROTOCOL_VERSION_CURRENT = PCI_PROTOCOL_VERSION_1_1
+ };
+
++#define CPU_AFFINITY_ALL -1ULL
+ #define PCI_CONFIG_MMIO_LENGTH 0x2000
+ #define CFG_PAGE_OFFSET 0x1000
+ #define CFG_PAGE_SIZE (PCI_CONFIG_MMIO_LENGTH - CFG_PAGE_OFFSET)
+@@ -897,9 +898,13 @@ static void hv_compose_msi_msg(struct ir
+ * processors because Hyper-V only supports 64 in a guest.
+ */
+ affinity = irq_data_get_affinity_mask(data);
+- for_each_cpu_and(cpu, affinity, cpu_online_mask) {
+- int_pkt->int_desc.cpu_mask |=
+- (1ULL << vmbus_cpu_number_to_vp_number(cpu));
++ if (cpumask_weight(affinity) >= 32) {
++ int_pkt->int_desc.cpu_mask = CPU_AFFINITY_ALL;
++ } else {
++ for_each_cpu_and(cpu, affinity, cpu_online_mask) {
++ int_pkt->int_desc.cpu_mask |=
++ (1ULL << vmbus_cpu_number_to_vp_number(cpu));
++ }
+ }
+
+ ret = vmbus_sendpacket(hpdev->hbus->hdev->channel, int_pkt,
--- /dev/null
+From cef4d02305a06be581bb7f4353446717a1b319ec Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw@amazon.co.uk>
+Date: Wed, 12 Apr 2017 13:25:52 +0100
+Subject: PCI: Only allow WC mmap on prefetchable resources
+
+From: David Woodhouse <dwmw@amazon.co.uk>
+
+commit cef4d02305a06be581bb7f4353446717a1b319ec upstream.
+
+The /proc/bus/pci mmap interface allows the user to specify whether they
+want WC or not. Don't let them do so on non-prefetchable BARs.
+
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/proc.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/pci/proc.c
++++ b/drivers/pci/proc.c
+@@ -231,7 +231,7 @@ static int proc_bus_pci_mmap(struct file
+ {
+ struct pci_dev *dev = PDE_DATA(file_inode(file));
+ struct pci_filp_private *fpriv = file->private_data;
+- int i, ret, write_combine, res_bit;
++ int i, ret, write_combine = 0, res_bit;
+
+ if (!capable(CAP_SYS_RAWIO))
+ return -EPERM;
+@@ -251,10 +251,13 @@ static int proc_bus_pci_mmap(struct file
+ if (i >= PCI_ROM_RESOURCE)
+ return -ENODEV;
+
+- if (fpriv->mmap_state == pci_mmap_mem)
+- write_combine = fpriv->write_combine;
+- else
+- write_combine = 0;
++ if (fpriv->mmap_state == pci_mmap_mem &&
++ fpriv->write_combine) {
++ if (dev->resource[i].flags & IORESOURCE_PREFETCH)
++ write_combine = 1;
++ else
++ return -EINVAL;
++ }
+ ret = pci_mmap_page_range(dev, vma,
+ fpriv->mmap_state, write_combine);
+ if (ret < 0)
--- /dev/null
+From 260f32adb88dadfaac29f47f761a088238ca164c Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Thu, 20 Apr 2017 14:33:06 -0400
+Subject: pNFS/flexfiles: Check the result of nfs4_pnfs_ds_connect
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit 260f32adb88dadfaac29f47f761a088238ca164c upstream.
+
+The check in nfs4_ff_layout_prepare_ds() seems to be missing.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Fixes: a33e4b036d461 ("pNFS: return status from nfs4_pnfs_ds_connect")
+Cc: Weston Andros Adamson <dros@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/flexfilelayout/flexfilelayoutdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+@@ -415,7 +415,7 @@ nfs4_ff_layout_prepare_ds(struct pnfs_la
+ mirror->mirror_ds->ds_versions[0].minor_version);
+
+ /* connect success, check rsize/wsize limit */
+- if (ds->ds_clp) {
++ if (!status) {
+ max_payload =
+ nfs_block_size(rpc_max_payload(ds->ds_clp->cl_rpcclient),
+ NULL);
kvm-arm-arm64-fix-race-in-resetting-stage2-pgd.patch
kvm-arm-arm64-fix-use-after-free-of-stage2-page-table.patch
kvm-arm-arm64-force-reading-uncached-stage2-pgd.patch
+osf_wait4-fix-infoleak.patch
+drbd-fix-request-leak-introduced-by-locking-atomic-kref-kill-kref_sub.patch
+um-fix-to-call-read_initrd-after-init_bootmem.patch
+firmware-ti_sci-fix-strncat-length-check.patch
+tracing-kprobes-enforce-kprobes-teardown-after-testing.patch
+thermal-mt8173-minor-mtk_thermal.c-cleanups.patch
+pci-acpi-tidy-up-mcfg-quirk-whitespace.patch
+pci-acpi-add-thunderx-pass2.x-2nd-node-mcfg-quirk.patch
+pci-hv-allocate-interrupt-descriptors-with-gfp_atomic.patch
+pci-hv-specify-cpu_affinity_all-for-msi-affinity-when-32-cpus.patch
+pci-fix-pci_mmap_fits-for-have_pci_resource_to_user-platforms.patch
+pci-fix-another-sanity-check-bug-in-proc-pci-mmap.patch
+pci-only-allow-wc-mmap-on-prefetchable-resources.patch
+pci-freeze-pme-scan-before-suspending-devices.patch
+mtd-nand-orion-fix-clk-handling.patch
+mtd-nand-omap2-fix-partition-creation-via-cmdline-mtdparts.patch
+mtd-nand-add-ooblayout-for-old-hamming-layout.patch
+drm-edid-add-10-bpc-quirk-for-lgd-764-panel-in-hp-zbook-17-g2.patch
+nfsd-check-for-oversized-nfsv2-v3-arguments.patch
+nfsv4-fix-a-hang-in-open-related-to-server-reboot.patch
+nfs-fix-use-after-free-in-write-error-path.patch
+nfs-use-gfp_noio-for-two-allocations-in-writeback.patch
+pnfs-flexfiles-check-the-result-of-nfs4_pnfs_ds_connect.patch
+nfsv4-fix-an-rcu-lock-leak.patch
+nfsd-fix-undefined-behavior-in-nfsd4_layout_verify.patch
+nfsd-encoders-mustn-t-use-unitialized-values-in-error-cases.patch
+nfsd-fix-up-the-supattr_exclcreat-attributes.patch
+drivers-char-mem-check-for-address-space-wraparound-with-mmap.patch
+drm-i915-gvt-disable-access-to-stolen-memory-as-a-guest.patch
--- /dev/null
+From 05d7839aa290901429d8edcd8f7974c9df2bcaa5 Mon Sep 17 00:00:00 2001
+From: Dawei Chien <dawei.chien@mediatek.com>
+Date: Tue, 21 Feb 2017 20:26:52 +0800
+Subject: thermal: mt8173: minor mtk_thermal.c cleanups
+
+From: Dawei Chien <dawei.chien@mediatek.com>
+
+commit 05d7839aa290901429d8edcd8f7974c9df2bcaa5 upstream.
+
+If thermal bank with 4 sensors, thermal driver should read TEMP_MSR3.
+
+However, currently thermal driver would not read TEMP_MSR3 since mt8173
+thermal driver only use 3 sensors on each thermal bank at the same time,
+so this patch would not effect temperature.
+Only if mt mt8173 thermal driver use 4 sensors on any thermal bank, would
+read third sensor two times, and lose fourth sensor of vale.
+
+Fixes: b7cf0053738c ("thermal: Add Mediatek thermal driver for mt2701.")
+Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Dawei Chien <dawei.chien@mediatek.com>
+Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/thermal/mtk_thermal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/thermal/mtk_thermal.c
++++ b/drivers/thermal/mtk_thermal.c
+@@ -191,7 +191,7 @@ static const int mt8173_bank_data[MT8173
+ };
+
+ static const int mt8173_msr[MT8173_NUM_SENSORS_PER_ZONE] = {
+- TEMP_MSR0, TEMP_MSR1, TEMP_MSR2, TEMP_MSR2
++ TEMP_MSR0, TEMP_MSR1, TEMP_MSR2, TEMP_MSR3
+ };
+
+ static const int mt8173_adcpnp[MT8173_NUM_SENSORS_PER_ZONE] = {
--- /dev/null
+From 30e7d894c1478c88d50ce94ddcdbd7f9763d9cdd Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 17 May 2017 10:19:49 +0200
+Subject: tracing/kprobes: Enforce kprobes teardown after testing
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 30e7d894c1478c88d50ce94ddcdbd7f9763d9cdd upstream.
+
+Enabling the tracer selftest triggers occasionally the warning in
+text_poke(), which warns when the to be modified page is not marked
+reserved.
+
+The reason is that the tracer selftest installs kprobes on functions marked
+__init for testing. These probes are removed after the tests, but that
+removal schedules the delayed kprobes_optimizer work, which will do the
+actual text poke. If the work is executed after the init text is freed,
+then the warning triggers. The bug can be reproduced reliably when the work
+delay is increased.
+
+Flush the optimizer work and wait for the optimizing/unoptimizing lists to
+become empty before returning from the kprobes tracer selftest. That
+ensures that all operations which were queued due to the probes removal
+have completed.
+
+Link: http://lkml.kernel.org/r/20170516094802.76a468bb@gandalf.local.home
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Fixes: 6274de498 ("kprobes: Support delayed unoptimizing")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/kprobes.h | 3 +++
+ kernel/kprobes.c | 2 +-
+ kernel/trace/trace_kprobe.c | 5 +++++
+ 3 files changed, 9 insertions(+), 1 deletion(-)
+
+--- a/include/linux/kprobes.h
++++ b/include/linux/kprobes.h
+@@ -347,6 +347,9 @@ extern int proc_kprobes_optimization_han
+ int write, void __user *buffer,
+ size_t *length, loff_t *ppos);
+ #endif
++extern void wait_for_kprobe_optimizer(void);
++#else
++static inline void wait_for_kprobe_optimizer(void) { }
+ #endif /* CONFIG_OPTPROBES */
+ #ifdef CONFIG_KPROBES_ON_FTRACE
+ extern void kprobe_ftrace_handler(unsigned long ip, unsigned long parent_ip,
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -598,7 +598,7 @@ static void kprobe_optimizer(struct work
+ }
+
+ /* Wait for completing optimization and unoptimization */
+-static void wait_for_kprobe_optimizer(void)
++void wait_for_kprobe_optimizer(void)
+ {
+ mutex_lock(&kprobe_mutex);
+
+--- a/kernel/trace/trace_kprobe.c
++++ b/kernel/trace/trace_kprobe.c
+@@ -1511,6 +1511,11 @@ static __init int kprobe_trace_self_test
+
+ end:
+ release_all_trace_kprobes();
++ /*
++ * Wait for the optimizer work to finish. Otherwise it might fiddle
++ * with probes in already freed __init text.
++ */
++ wait_for_kprobe_optimizer();
+ if (warn)
+ pr_cont("NG: Some tests are failed. Please check them.\n");
+ else
--- /dev/null
+From 5b4236e17cc1bd9fa14b2b0c7a4ae632d41f2e20 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Thu, 27 Apr 2017 12:15:10 +0900
+Subject: um: Fix to call read_initrd after init_bootmem
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit 5b4236e17cc1bd9fa14b2b0c7a4ae632d41f2e20 upstream.
+
+Since read_initrd() invokes alloc_bootmem() for allocating
+memory to load initrd image, it must be called after init_bootmem.
+
+This makes read_initrd() called directly from setup_arch()
+after init_bootmem() and mem_total_pages().
+
+Fixes: b63236972e1 ("um: Setup physical memory in setup_arch()")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/um/kernel/initrd.c | 4 +---
+ arch/um/kernel/um_arch.c | 6 ++++++
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+--- a/arch/um/kernel/initrd.c
++++ b/arch/um/kernel/initrd.c
+@@ -14,7 +14,7 @@
+ static char *initrd __initdata = NULL;
+ static int load_initrd(char *filename, void *buf, int size);
+
+-static int __init read_initrd(void)
++int __init read_initrd(void)
+ {
+ void *area;
+ long long size;
+@@ -46,8 +46,6 @@ static int __init read_initrd(void)
+ return 0;
+ }
+
+-__uml_postsetup(read_initrd);
+-
+ static int __init uml_initrd_setup(char *line, int *add)
+ {
+ initrd = line;
+--- a/arch/um/kernel/um_arch.c
++++ b/arch/um/kernel/um_arch.c
+@@ -338,11 +338,17 @@ int __init linux_main(int argc, char **a
+ return start_uml();
+ }
+
++int __init __weak read_initrd(void)
++{
++ return 0;
++}
++
+ void __init setup_arch(char **cmdline_p)
+ {
+ stack_protections((unsigned long) &init_thread_info);
+ setup_physmem(uml_physmem, uml_reserved, physmem_size, highmem);
+ mem_total_pages(physmem_size, iomem_size, highmem);
++ read_initrd();
+
+ paging_init();
+ strlcpy(boot_command_line, command_line, COMMAND_LINE_SIZE);
projects / thirdparty / kernel / stable-queue.git / commitdiff
