--- /dev/null
+From 26d99834f89e76514076d9cd06f61e56e6a509b8 Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Mon, 22 Jan 2018 22:02:05 +0100
+Subject: 9p/trans_virtio: discard zero-length reply
+
+From: Greg Kurz <groug@kaod.org>
+
+commit 26d99834f89e76514076d9cd06f61e56e6a509b8 upstream.
+
+When a 9p request is successfully flushed, the server is expected to just
+mark it as used without sending a 9p reply (ie, without writing data into
+the buffer). In this case, virtqueue_get_buf() will return len == 0 and
+we must not report a REQ_STATUS_RCVD status to the client, otherwise the
+client will erroneously assume the request has not been flushed.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/9p/trans_virtio.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/9p/trans_virtio.c
++++ b/net/9p/trans_virtio.c
+@@ -160,7 +160,8 @@ static void req_done(struct virtqueue *v
+ spin_unlock_irqrestore(&chan->lock, flags);
+ /* Wakeup if anyone waiting for VirtIO ring space. */
+ wake_up(chan->vc_wq);
+- p9_client_cb(chan->client, req, REQ_STATUS_RCVD);
++ if (len)
++ p9_client_cb(chan->client, req, REQ_STATUS_RCVD);
+ }
+ }
+
--- /dev/null
+From 3f2f7c553d077be6a30cb96b2976a2c940bf5335 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Mon, 29 Jan 2018 14:23:15 +0800
+Subject: ALSA: hda - Fix headset mic detection problem for two Dell machines
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit 3f2f7c553d077be6a30cb96b2976a2c940bf5335 upstream.
+
+One of them has the codec of alc256 and the other one has the codec
+of alc289.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6585,6 +6585,11 @@ static const struct snd_hda_pin_quirk al
+ {0x14, 0x90170110},
+ {0x21, 0x02211020}),
+ SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
++ {0x12, 0x90a60130},
++ {0x14, 0x90170110},
++ {0x14, 0x01011020},
++ {0x21, 0x0221101f}),
++ SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
+ ALC256_STANDARD_PINS),
+ SND_HDA_PIN_QUIRK(0x10ec0256, 0x1043, "ASUS", ALC256_FIXUP_ASUS_MIC,
+ {0x14, 0x90170110},
+@@ -6653,6 +6658,10 @@ static const struct snd_hda_pin_quirk al
+ {0x12, 0x90a60120},
+ {0x14, 0x90170110},
+ {0x21, 0x0321101f}),
++ SND_HDA_PIN_QUIRK(0x10ec0289, 0x1028, "Dell", ALC225_FIXUP_DELL1_MIC_NO_PRESENCE,
++ {0x12, 0xb7a60130},
++ {0x14, 0x90170110},
++ {0x21, 0x04211020}),
+ SND_HDA_PIN_QUIRK(0x10ec0290, 0x103c, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1,
+ ALC290_STANDARD_PINS,
+ {0x15, 0x04211040},
--- /dev/null
+From 40e2c4e5a7efcd50983aacbddd3c617e776018bf Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Fri, 2 Feb 2018 15:13:09 +0800
+Subject: ALSA: hda/realtek - Add headset mode support for Dell laptop
+
+From: Kailang Yang <kailang@realtek.com>
+
+commit 40e2c4e5a7efcd50983aacbddd3c617e776018bf upstream.
+
+This platform had two Dmic and single Dmic.
+This update was for single Dmic.
+
+This commit was for two Dmic.
+
+Fixes: 75ee94b20b46 ("ALSA: hda - fix headset mic problem for Dell machines...")
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6176,6 +6176,8 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1028, 0x075d, "Dell AIO", ALC298_FIXUP_SPK_VOLUME),
+ SND_PCI_QUIRK(0x1028, 0x0798, "Dell Inspiron 17 7000 Gaming", ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER),
+ SND_PCI_QUIRK(0x1028, 0x082a, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
++ SND_PCI_QUIRK(0x1028, 0x084b, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB),
++ SND_PCI_QUIRK(0x1028, 0x084e, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB),
+ SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2),
--- /dev/null
+From 61fcf8ece9b6b09450250c4ca40cc3b81a96a68d Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Fri, 2 Feb 2018 15:26:46 +0800
+Subject: ALSA: hda/realtek - Enable Thinkpad Dock device for ALC298 platform
+
+From: Kailang Yang <kailang@realtek.com>
+
+commit 61fcf8ece9b6b09450250c4ca40cc3b81a96a68d upstream.
+
+Thinkpad Dock device support for ALC298 platform.
+It need to use SSID for the quirk table.
+Because IdeaPad also has ALC298 platform.
+Use verb for the quirk table will confuse.
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 42 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4827,6 +4827,28 @@ static void alc_fixup_tpt440_dock(struct
+ }
+ }
+
++static void alc_fixup_tpt470_dock(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action)
++{
++ static const struct hda_pintbl pincfgs[] = {
++ { 0x17, 0x21211010 }, /* dock headphone */
++ { 0x19, 0x21a11010 }, /* dock mic */
++ { }
++ };
++ struct alc_spec *spec = codec->spec;
++
++ if (action == HDA_FIXUP_ACT_PRE_PROBE) {
++ spec->parse_flags = HDA_PINCFG_NO_HP_FIXUP;
++ /* Enable DOCK device */
++ snd_hda_codec_write(codec, 0x17, 0,
++ AC_VERB_SET_CONFIG_DEFAULT_BYTES_3, 0);
++ /* Enable DOCK device */
++ snd_hda_codec_write(codec, 0x19, 0,
++ AC_VERB_SET_CONFIG_DEFAULT_BYTES_3, 0);
++ snd_hda_apply_pincfgs(codec, pincfgs);
++ }
++}
++
+ static void alc_shutup_dell_xps13(struct hda_codec *codec)
+ {
+ struct alc_spec *spec = codec->spec;
+@@ -5301,6 +5323,7 @@ enum {
+ ALC700_FIXUP_INTEL_REFERENCE,
+ ALC274_FIXUP_DELL_BIND_DACS,
+ ALC274_FIXUP_DELL_AIO_LINEOUT_VERB,
++ ALC298_FIXUP_TPT470_DOCK,
+ };
+
+ static const struct hda_fixup alc269_fixups[] = {
+@@ -6126,6 +6149,12 @@ static const struct hda_fixup alc269_fix
+ .chained = true,
+ .chain_id = ALC274_FIXUP_DELL_BIND_DACS
+ },
++ [ALC298_FIXUP_TPT470_DOCK] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc_fixup_tpt470_dock,
++ .chained = true,
++ .chain_id = ALC293_FIXUP_LENOVO_SPK_NOISE
++ },
+ };
+
+ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+@@ -6307,8 +6336,16 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x17aa, 0x2218, "Thinkpad X1 Carbon 2nd", ALC292_FIXUP_TPT440_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x2223, "ThinkPad T550", ALC292_FIXUP_TPT440_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x2226, "ThinkPad X250", ALC292_FIXUP_TPT440_DOCK),
++ SND_PCI_QUIRK(0x17aa, 0x222d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
++ SND_PCI_QUIRK(0x17aa, 0x222e, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x2231, "Thinkpad T560", ALC292_FIXUP_TPT460),
+ SND_PCI_QUIRK(0x17aa, 0x2233, "Thinkpad", ALC292_FIXUP_TPT460),
++ SND_PCI_QUIRK(0x17aa, 0x2245, "Thinkpad T470", ALC298_FIXUP_TPT470_DOCK),
++ SND_PCI_QUIRK(0x17aa, 0x2246, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
++ SND_PCI_QUIRK(0x17aa, 0x2247, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
++ SND_PCI_QUIRK(0x17aa, 0x224b, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
++ SND_PCI_QUIRK(0x17aa, 0x224c, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
++ SND_PCI_QUIRK(0x17aa, 0x224d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+ SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+ SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+@@ -6329,7 +6366,12 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x17aa, 0x5050, "Thinkpad T560p", ALC292_FIXUP_TPT460),
+ SND_PCI_QUIRK(0x17aa, 0x5051, "Thinkpad L460", ALC292_FIXUP_TPT460),
+ SND_PCI_QUIRK(0x17aa, 0x5053, "Thinkpad T460", ALC292_FIXUP_TPT460),
++ SND_PCI_QUIRK(0x17aa, 0x505d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
++ SND_PCI_QUIRK(0x17aa, 0x505f, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
++ SND_PCI_QUIRK(0x17aa, 0x5062, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x5109, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
++ SND_PCI_QUIRK(0x17aa, 0x511e, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
++ SND_PCI_QUIRK(0x17aa, 0x511f, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x3bf8, "Quanta FL1", ALC269_FIXUP_PCM_44K),
+ SND_PCI_QUIRK(0x17aa, 0x9e54, "LENOVO NB", ALC269_FIXUP_LENOVO_EAPD),
+ SND_PCI_QUIRK(0x1b7d, 0xa831, "Ordissimo EVE2 ", ALC269VB_FIXUP_ORDISSIMO_EVE2), /* Also known as Malata PC-B1303 */
--- /dev/null
+From fdcc968a3b290407bcba9d4c90e2fba6d8d928f1 Mon Sep 17 00:00:00 2001
+From: Jan-Marek Glogowski <glogow@fbihome.de>
+Date: Wed, 14 Feb 2018 11:29:15 +0100
+Subject: ALSA: hda/realtek: PCI quirk for Fujitsu U7x7
+
+From: Jan-Marek Glogowski <glogow@fbihome.de>
+
+commit fdcc968a3b290407bcba9d4c90e2fba6d8d928f1 upstream.
+
+These laptops have a combined jack to attach headsets, the U727 on
+the left, the U757 on the right, but a headsets microphone doesn't
+work. Using hdajacksensetest I found that pin 0x19 changed the
+present state when plugging the headset, in addition to 0x21, but
+didn't have the correct configuration (shown as "Not connected").
+
+So this sets the configuration to the same values as the headphone
+pin 0x21 except for the device type microphone, which makes it
+work correctly. With the patch the configured pins for U727 are
+
+Pin 0x12 (Internal Mic, Mobile-In): present = No
+Pin 0x14 (Internal Speaker): present = No
+Pin 0x19 (Black Mic, Left side): present = No
+Pin 0x1d (Internal Aux): present = No
+Pin 0x21 (Black Headphone, Left side): present = No
+
+Signed-off-by: Jan-Marek Glogowski <glogow@fbihome.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -3355,6 +3355,19 @@ static void alc269_fixup_pincfg_no_hp_to
+ spec->parse_flags = HDA_PINCFG_NO_HP_FIXUP;
+ }
+
++static void alc269_fixup_pincfg_U7x7_headset_mic(struct hda_codec *codec,
++ const struct hda_fixup *fix,
++ int action)
++{
++ unsigned int cfg_headphone = snd_hda_codec_get_pincfg(codec, 0x21);
++ unsigned int cfg_headset_mic = snd_hda_codec_get_pincfg(codec, 0x19);
++
++ if (cfg_headphone && cfg_headset_mic == 0x411111f0)
++ snd_hda_codec_set_pincfg(codec, 0x19,
++ (cfg_headphone & ~AC_DEFCFG_DEVICE) |
++ (AC_JACK_MIC_IN << AC_DEFCFG_DEVICE_SHIFT));
++}
++
+ static void alc269_fixup_hweq(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+ {
+@@ -5228,6 +5241,7 @@ enum {
+ ALC269_FIXUP_LIFEBOOK_EXTMIC,
+ ALC269_FIXUP_LIFEBOOK_HP_PIN,
+ ALC269_FIXUP_LIFEBOOK_NO_HP_TO_LINEOUT,
++ ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC,
+ ALC269_FIXUP_AMIC,
+ ALC269_FIXUP_DMIC,
+ ALC269VB_FIXUP_AMIC,
+@@ -5434,6 +5448,10 @@ static const struct hda_fixup alc269_fix
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc269_fixup_pincfg_no_hp_to_lineout,
+ },
++ [ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc269_fixup_pincfg_U7x7_headset_mic,
++ },
+ [ALC269_FIXUP_AMIC] = {
+ .type = HDA_FIXUP_PINS,
+ .v.pins = (const struct hda_pintbl[]) {
+@@ -6308,6 +6326,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x10cf, 0x159f, "Lifebook E780", ALC269_FIXUP_LIFEBOOK_NO_HP_TO_LINEOUT),
+ SND_PCI_QUIRK(0x10cf, 0x15dc, "Lifebook T731", ALC269_FIXUP_LIFEBOOK_HP_PIN),
+ SND_PCI_QUIRK(0x10cf, 0x1757, "Lifebook E752", ALC269_FIXUP_LIFEBOOK_HP_PIN),
++ SND_PCI_QUIRK(0x10cf, 0x1629, "Lifebook U7x7", ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC),
+ SND_PCI_QUIRK(0x10cf, 0x1845, "Lifebook U904", ALC269_FIXUP_LIFEBOOK_EXTMIC),
+ SND_PCI_QUIRK(0x10ec, 0x10f2, "Intel Reference board", ALC700_FIXUP_INTEL_REFERENCE),
+ SND_PCI_QUIRK(0x144d, 0xc109, "Samsung Ativ book 9 (NP900X3G)", ALC269_FIXUP_INV_DMIC),
--- /dev/null
+From d15d662e89fc667b90cd294b0eb45694e33144da Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 12 Feb 2018 15:20:51 +0100
+Subject: ALSA: seq: Fix racy pool initializations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit d15d662e89fc667b90cd294b0eb45694e33144da upstream.
+
+ALSA sequencer core initializes the event pool on demand by invoking
+snd_seq_pool_init() when the first write happens and the pool is
+empty. Meanwhile user can reset the pool size manually via ioctl
+concurrently, and this may lead to UAF or out-of-bound accesses since
+the function tries to vmalloc / vfree the buffer.
+
+A simple fix is to just wrap the snd_seq_pool_init() call with the
+recently introduced client->ioctl_mutex; as the calls for
+snd_seq_pool_init() from other side are always protected with this
+mutex, we can avoid the race.
+
+Reported-by: 范龙飞 <long7573@126.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_clientmgr.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -999,7 +999,7 @@ static ssize_t snd_seq_write(struct file
+ {
+ struct snd_seq_client *client = file->private_data;
+ int written = 0, len;
+- int err = -EINVAL;
++ int err;
+ struct snd_seq_event event;
+
+ if (!(snd_seq_file_flags(file) & SNDRV_SEQ_LFLG_OUTPUT))
+@@ -1014,11 +1014,15 @@ static ssize_t snd_seq_write(struct file
+
+ /* allocate the pool now if the pool is not allocated yet */
+ if (client->pool->size > 0 && !snd_seq_write_pool_allocated(client)) {
+- if (snd_seq_pool_init(client->pool) < 0)
++ mutex_lock(&client->ioctl_mutex);
++ err = snd_seq_pool_init(client->pool);
++ mutex_unlock(&client->ioctl_mutex);
++ if (err < 0)
+ return -ENOMEM;
+ }
+
+ /* only process whole events */
++ err = -EINVAL;
+ while (count >= sizeof(struct snd_seq_event)) {
+ /* Read in the event header from the user */
+ len = sizeof(event);
--- /dev/null
+From 7c74866baef1827e18f8269aec85030063520bd4 Mon Sep 17 00:00:00 2001
+From: Daniel Mack <daniel@zonque.org>
+Date: Sun, 11 Feb 2018 09:50:27 -0400
+Subject: ALSA: usb: add more device quirks for USB DSD devices
+
+From: Daniel Mack <daniel@zonque.org>
+
+commit 7c74866baef1827e18f8269aec85030063520bd4 upstream.
+
+Add some more devices that need quirks to handle DSD modes correctly.
+
+Signed-off-by: Daniel Mack <daniel@zonque.org>
+Reported-and-tested-by: Thomas Gresens <tgresens@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/quirks.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1369,8 +1369,11 @@ u64 snd_usb_interface_dsd_format_quirks(
+ return SNDRV_PCM_FMTBIT_DSD_U32_BE;
+ break;
+
+- /* Amanero Combo384 USB interface with native DSD support */
+- case USB_ID(0x16d0, 0x071a):
++ /* Amanero Combo384 USB based DACs with native DSD support */
++ case USB_ID(0x16d0, 0x071a): /* Amanero - Combo384 */
++ case USB_ID(0x2ab6, 0x0004): /* T+A DAC8DSD-V2.0, MP1000E-V2.0, MP2000R-V2.0, MP2500R-V2.0, MP3100HV-V2.0 */
++ case USB_ID(0x2ab6, 0x0005): /* T+A USB HD Audio 1 */
++ case USB_ID(0x2ab6, 0x0006): /* T+A USB HD Audio 2 */
+ if (fp->altsetting == 2) {
+ switch (le16_to_cpu(chip->dev->descriptor.bcdDevice)) {
+ case 0x199:
--- /dev/null
+From 5e35dc0338d85ccebacf3f77eca1e5dea73155e8 Mon Sep 17 00:00:00 2001
+From: Lassi Ylikojola <lassi.ylikojola@gmail.com>
+Date: Fri, 9 Feb 2018 16:51:36 +0200
+Subject: ALSA: usb-audio: add implicit fb quirk for Behringer UFX1204
+
+From: Lassi Ylikojola <lassi.ylikojola@gmail.com>
+
+commit 5e35dc0338d85ccebacf3f77eca1e5dea73155e8 upstream.
+
+Add quirk to ensure a sync endpoint is properly configured.
+This patch is a fix for same symptoms on Behringer UFX1204 as patch
+from Albertto Aquirre on Dec 8 2016 for Axe-Fx II.
+
+Signed-off-by: Lassi Ylikojola <lassi.ylikojola@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/pcm.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -357,6 +357,15 @@ static int set_sync_ep_implicit_fb_quirk
+
+ alts = &iface->altsetting[1];
+ goto add_sync_ep;
++ case USB_ID(0x1397, 0x0002):
++ ep = 0x81;
++ iface = usb_ifnum_to_if(dev, 1);
++
++ if (!iface || iface->num_altsetting == 0)
++ return -EINVAL;
++
++ alts = &iface->altsetting[1];
++ goto add_sync_ep;
+
+ }
+ if (attr == USB_ENDPOINT_SYNC_ASYNC &&
--- /dev/null
+From 447cae58cecd69392b74a4a42cd0ab9cabd816af Mon Sep 17 00:00:00 2001
+From: Kirill Marinushkin <k.marinushkin@gmail.com>
+Date: Mon, 29 Jan 2018 06:37:55 +0100
+Subject: ALSA: usb-audio: Fix UAC2 get_ctl request with a RANGE attribute
+
+From: Kirill Marinushkin <k.marinushkin@gmail.com>
+
+commit 447cae58cecd69392b74a4a42cd0ab9cabd816af upstream.
+
+The layout of the UAC2 Control request and response varies depending on
+the request type. With the current implementation, only the Layout 2
+Parameter Block (with the 2-byte sized RANGE attribute) is handled
+properly. For the Control requests with the 1-byte sized RANGE attribute
+(Bass Control, Mid Control, Tremble Control), the response is parsed
+incorrectly.
+
+This commit:
+* fixes the wLength field value in the request
+* fixes parsing the range values from the response
+
+Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0")
+Signed-off-by: Kirill Marinushkin <k.marinushkin@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -347,17 +347,20 @@ static int get_ctl_value_v2(struct usb_m
+ int validx, int *value_ret)
+ {
+ struct snd_usb_audio *chip = cval->head.mixer->chip;
+- unsigned char buf[4 + 3 * sizeof(__u32)]; /* enough space for one range */
++ /* enough space for one range */
++ unsigned char buf[sizeof(__u16) + 3 * sizeof(__u32)];
+ unsigned char *val;
+- int idx = 0, ret, size;
++ int idx = 0, ret, val_size, size;
+ __u8 bRequest;
+
++ val_size = uac2_ctl_value_size(cval->val_type);
++
+ if (request == UAC_GET_CUR) {
+ bRequest = UAC2_CS_CUR;
+- size = uac2_ctl_value_size(cval->val_type);
++ size = val_size;
+ } else {
+ bRequest = UAC2_CS_RANGE;
+- size = sizeof(buf);
++ size = sizeof(__u16) + 3 * val_size;
+ }
+
+ memset(buf, 0, sizeof(buf));
+@@ -390,16 +393,17 @@ error:
+ val = buf + sizeof(__u16);
+ break;
+ case UAC_GET_MAX:
+- val = buf + sizeof(__u16) * 2;
++ val = buf + sizeof(__u16) + val_size;
+ break;
+ case UAC_GET_RES:
+- val = buf + sizeof(__u16) * 3;
++ val = buf + sizeof(__u16) + val_size * 2;
+ break;
+ default:
+ return -EINVAL;
+ }
+
+- *value_ret = convert_signed_value(cval, snd_usb_combine_bytes(val, sizeof(__u16)));
++ *value_ret = convert_signed_value(cval,
++ snd_usb_combine_bytes(val, val_size));
+
+ return 0;
+ }
--- /dev/null
+From 2ce77f6d8a9ae9ce6d80397d88bdceb84a2004cd Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Tue, 13 Feb 2018 13:14:09 +0000
+Subject: arm64: proc: Set PTE_NG for table entries to avoid traversing them twice
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit 2ce77f6d8a9ae9ce6d80397d88bdceb84a2004cd upstream.
+
+When KASAN is enabled, the swapper page table contains many identical
+mappings of the zero page, which can lead to a stall during boot whilst
+the G -> nG code continually walks the same page table entries looking
+for global mappings.
+
+This patch sets the nG bit (bit 11, which is IGNORED) in table entries
+after processing the subtree so we can easily skip them if we see them
+a second time.
+
+Tested-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/mm/proc.S | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/arch/arm64/mm/proc.S
++++ b/arch/arm64/mm/proc.S
+@@ -190,7 +190,8 @@ ENDPROC(idmap_cpu_replace_ttbr1)
+ dc cvac, cur_\()\type\()p // Ensure any existing dirty
+ dmb sy // lines are written back before
+ ldr \type, [cur_\()\type\()p] // loading the entry
+- tbz \type, #0, next_\()\type // Skip invalid entries
++ tbz \type, #0, skip_\()\type // Skip invalid and
++ tbnz \type, #11, skip_\()\type // non-global entries
+ .endm
+
+ .macro __idmap_kpti_put_pgtable_ent_ng, type
+@@ -249,8 +250,9 @@ ENTRY(idmap_kpti_install_ng_mappings)
+ add end_pgdp, cur_pgdp, #(PTRS_PER_PGD * 8)
+ do_pgd: __idmap_kpti_get_pgtable_ent pgd
+ tbnz pgd, #1, walk_puds
+- __idmap_kpti_put_pgtable_ent_ng pgd
+ next_pgd:
++ __idmap_kpti_put_pgtable_ent_ng pgd
++skip_pgd:
+ add cur_pgdp, cur_pgdp, #8
+ cmp cur_pgdp, end_pgdp
+ b.ne do_pgd
+@@ -278,8 +280,9 @@ walk_puds:
+ add end_pudp, cur_pudp, #(PTRS_PER_PUD * 8)
+ do_pud: __idmap_kpti_get_pgtable_ent pud
+ tbnz pud, #1, walk_pmds
+- __idmap_kpti_put_pgtable_ent_ng pud
+ next_pud:
++ __idmap_kpti_put_pgtable_ent_ng pud
++skip_pud:
+ add cur_pudp, cur_pudp, 8
+ cmp cur_pudp, end_pudp
+ b.ne do_pud
+@@ -298,8 +301,9 @@ walk_pmds:
+ add end_pmdp, cur_pmdp, #(PTRS_PER_PMD * 8)
+ do_pmd: __idmap_kpti_get_pgtable_ent pmd
+ tbnz pmd, #1, walk_ptes
+- __idmap_kpti_put_pgtable_ent_ng pmd
+ next_pmd:
++ __idmap_kpti_put_pgtable_ent_ng pmd
++skip_pmd:
+ add cur_pmdp, cur_pmdp, #8
+ cmp cur_pmdp, end_pmdp
+ b.ne do_pmd
+@@ -317,7 +321,7 @@ walk_ptes:
+ add end_ptep, cur_ptep, #(PTRS_PER_PTE * 8)
+ do_pte: __idmap_kpti_get_pgtable_ent pte
+ __idmap_kpti_put_pgtable_ent_ng pte
+-next_pte:
++skip_pte:
+ add cur_ptep, cur_ptep, #8
+ cmp cur_ptep, end_ptep
+ b.ne do_pte
--- /dev/null
+From 5235553d821433e1f4fa720fd025d2c4b7ee9994 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Mon, 5 Feb 2018 13:16:56 -0700
+Subject: blk-wbt: account flush requests correctly
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 5235553d821433e1f4fa720fd025d2c4b7ee9994 upstream.
+
+Mikulas reported a workload that saw bad performance, and figured
+out what it was due to various other types of requests being
+accounted as reads. Flush requests, for instance. Due to the
+high latency of those, we heavily throttle the writes to keep
+the latencies in balance. But they really should be accounted
+as writes.
+
+Fix this by checking the exact type of the request. If it's a
+read, account as a read, if it's a write or a flush, account
+as a write. Any other request we disregard. Previously everything
+would have been mistakenly accounted as reads.
+
+Reported-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org # v4.12+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-wbt.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/block/blk-wbt.c
++++ b/block/blk-wbt.c
+@@ -698,7 +698,15 @@ u64 wbt_default_latency_nsec(struct requ
+
+ static int wbt_data_dir(const struct request *rq)
+ {
+- return rq_data_dir(rq);
++ const int op = req_op(rq);
++
++ if (op == REQ_OP_READ)
++ return READ;
++ else if (op == REQ_OP_WRITE || op == REQ_OP_FLUSH)
++ return WRITE;
++
++ /* don't account */
++ return -1;
+ }
+
+ int wbt_init(struct request_queue *q)
--- /dev/null
+From e8f1bc1493855e32b7a2a019decc3c353d94daf6 Mon Sep 17 00:00:00 2001
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Thu, 25 Jan 2018 11:02:53 -0700
+Subject: Btrfs: fix btrfs_evict_inode to handle abnormal inodes correctly
+
+From: Liu Bo <bo.li.liu@oracle.com>
+
+commit e8f1bc1493855e32b7a2a019decc3c353d94daf6 upstream.
+
+This regression is introduced in
+commit 3d48d9810de4 ("btrfs: Handle uninitialised inode eviction").
+
+There are two problems,
+
+a) it is ->destroy_inode() that does the final free on inode, not
+ ->evict_inode(),
+b) clear_inode() must be called before ->evict_inode() returns.
+
+This could end up hitting BUG_ON(inode->i_state != (I_FREEING | I_CLEAR));
+in evict() because I_CLEAR is set in clear_inode().
+
+Fixes: commit 3d48d9810de4 ("btrfs: Handle uninitialised inode eviction")
+Cc: <stable@vger.kernel.org> # v4.7-rc6+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: Josef Bacik <jbacik@fb.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -5318,7 +5318,7 @@ void btrfs_evict_inode(struct inode *ino
+ trace_btrfs_inode_evict(inode);
+
+ if (!root) {
+- kmem_cache_free(btrfs_inode_cachep, BTRFS_I(inode));
++ clear_inode(inode);
+ return;
+ }
+
--- /dev/null
+From 1846430c24d66e85cc58286b3319c82cd54debb2 Mon Sep 17 00:00:00 2001
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Thu, 25 Jan 2018 11:02:51 -0700
+Subject: Btrfs: fix crash due to not cleaning up tree log block's dirty bits
+
+From: Liu Bo <bo.li.liu@oracle.com>
+
+commit 1846430c24d66e85cc58286b3319c82cd54debb2 upstream.
+
+In cases that the whole fs flips into readonly status due to failures in
+critical sections, then log tree's blocks are still dirty, and this leads
+to a crash during umount time, the crash is about use-after-free,
+
+umount
+ -> close_ctree
+ -> stop workers
+ -> iput(btree_inode)
+ -> iput_final
+ -> write_inode_now
+ -> ...
+ -> queue job on stop'd workers
+
+cc: <stable@vger.kernel.org> v3.12+
+Fixes: 681ae50917df ("Btrfs: cleanup reserved space when freeing tree log on error")
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: Josef Bacik <jbacik@fb.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/tree-log.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -2494,6 +2494,9 @@ static noinline int walk_down_log_tree(s
+ clean_tree_block(fs_info, next);
+ btrfs_wait_tree_block_writeback(next);
+ btrfs_tree_unlock(next);
++ } else {
++ if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
++ clear_extent_buffer_dirty(next);
+ }
+
+ WARN_ON(root_owner !=
+@@ -2574,6 +2577,9 @@ static noinline int walk_up_log_tree(str
+ clean_tree_block(fs_info, next);
+ btrfs_wait_tree_block_writeback(next);
+ btrfs_tree_unlock(next);
++ } else {
++ if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
++ clear_extent_buffer_dirty(next);
+ }
+
+ WARN_ON(root_owner != BTRFS_TREE_LOG_OBJECTID);
+@@ -2652,6 +2658,9 @@ static int walk_log_tree(struct btrfs_tr
+ clean_tree_block(fs_info, next);
+ btrfs_wait_tree_block_writeback(next);
+ btrfs_tree_unlock(next);
++ } else {
++ if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
++ clear_extent_buffer_dirty(next);
+ }
+
+ WARN_ON(log->root_key.objectid !=
--- /dev/null
+From e89166990f11c3f21e1649d760dd35f9e410321c Mon Sep 17 00:00:00 2001
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Thu, 25 Jan 2018 11:02:50 -0700
+Subject: Btrfs: fix deadlock in run_delalloc_nocow
+
+From: Liu Bo <bo.li.liu@oracle.com>
+
+commit e89166990f11c3f21e1649d760dd35f9e410321c upstream.
+
+@cur_offset is not set back to what it should be (@cow_start) if
+btrfs_next_leaf() returns something wrong, and the range [cow_start,
+cur_offset) remains locked forever.
+
+cc: <stable@vger.kernel.org>
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: Josef Bacik <jbacik@fb.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/inode.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -1330,8 +1330,11 @@ next_slot:
+ leaf = path->nodes[0];
+ if (path->slots[0] >= btrfs_header_nritems(leaf)) {
+ ret = btrfs_next_leaf(root, path);
+- if (ret < 0)
++ if (ret < 0) {
++ if (cow_start != (u64)-1)
++ cur_offset = cow_start;
+ goto error;
++ }
+ if (ret > 0)
+ break;
+ leaf = path->nodes[0];
--- /dev/null
+From 55237a5f2431a72435e3ed39e4306e973c0446b7 Mon Sep 17 00:00:00 2001
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Thu, 25 Jan 2018 11:02:52 -0700
+Subject: Btrfs: fix extent state leak from tree log
+
+From: Liu Bo <bo.li.liu@oracle.com>
+
+commit 55237a5f2431a72435e3ed39e4306e973c0446b7 upstream.
+
+It's possible that btrfs_sync_log() bails out after one of the two
+btrfs_write_marked_extents() which convert extent state's state bit into
+EXTENT_NEED_WAIT from EXTENT_DIRTY/EXTENT_NEW, however only EXTENT_DIRTY
+and EXTENT_NEW are searched by free_log_tree() so that those extent states
+with EXTENT_NEED_WAIT lead to memory leak.
+
+cc: <stable@vger.kernel.org>
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: Josef Bacik <jbacik@fb.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/tree-log.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -3047,13 +3047,14 @@ static void free_log_tree(struct btrfs_t
+
+ while (1) {
+ ret = find_first_extent_bit(&log->dirty_log_pages,
+- 0, &start, &end, EXTENT_DIRTY | EXTENT_NEW,
++ 0, &start, &end,
++ EXTENT_DIRTY | EXTENT_NEW | EXTENT_NEED_WAIT,
+ NULL);
+ if (ret)
+ break;
+
+ clear_extent_bits(&log->dirty_log_pages, start, end,
+- EXTENT_DIRTY | EXTENT_NEW);
++ EXTENT_DIRTY | EXTENT_NEW | EXTENT_NEED_WAIT);
+ }
+
+ /*
--- /dev/null
+From 900c9981680067573671ecc5cbfa7c5770be3a40 Mon Sep 17 00:00:00 2001
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Thu, 25 Jan 2018 11:02:56 -0700
+Subject: Btrfs: fix unexpected -EEXIST when creating new inode
+
+From: Liu Bo <bo.li.liu@oracle.com>
+
+commit 900c9981680067573671ecc5cbfa7c5770be3a40 upstream.
+
+The highest objectid, which is assigned to new inode, is decided at
+the time of initializing fs roots. However, in cases where log replay
+gets processed, the btree which fs root owns might be changed, so we
+have to search it again for the highest objectid, otherwise creating
+new inode would end up with -EEXIST.
+
+cc: <stable@vger.kernel.org> v4.4-rc6+
+Fixes: f32e48e92596 ("Btrfs: Initialize btrfs_root->highest_objectid when loading tree root and subvolume roots")
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: Josef Bacik <jbacik@fb.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/tree-log.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -28,6 +28,7 @@
+ #include "hash.h"
+ #include "compression.h"
+ #include "qgroup.h"
++#include "inode-map.h"
+
+ /* magic values for the inode_only field in btrfs_log_inode:
+ *
+@@ -5715,6 +5716,23 @@ again:
+ path);
+ }
+
++ if (!ret && wc.stage == LOG_WALK_REPLAY_ALL) {
++ struct btrfs_root *root = wc.replay_dest;
++
++ btrfs_release_path(path);
++
++ /*
++ * We have just replayed everything, and the highest
++ * objectid of fs roots probably has changed in case
++ * some inode_item's got replayed.
++ *
++ * root->objectid_mutex is not acquired as log replay
++ * could only happen during mount.
++ */
++ ret = btrfs_find_highest_objectid(root,
++ &root->highest_objectid);
++ }
++
+ key.offset = found_key.offset - 1;
+ wc.replay_dest->log_root = NULL;
+ free_extent_buffer(log->node);
--- /dev/null
+From 1a932ef4e47984dee227834667b5ff5a334e4805 Mon Sep 17 00:00:00 2001
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Thu, 25 Jan 2018 11:02:54 -0700
+Subject: Btrfs: fix use-after-free on root->orphan_block_rsv
+
+From: Liu Bo <bo.li.liu@oracle.com>
+
+commit 1a932ef4e47984dee227834667b5ff5a334e4805 upstream.
+
+I got these from running generic/475,
+
+WARNING: CPU: 0 PID: 26384 at fs/btrfs/inode.c:3326 btrfs_orphan_commit_root+0x1ac/0x2b0 [btrfs]
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
+IP: btrfs_block_rsv_release+0x1c/0x70 [btrfs]
+Call Trace:
+ btrfs_orphan_release_metadata+0x9f/0x200 [btrfs]
+ btrfs_orphan_del+0x10d/0x170 [btrfs]
+ btrfs_setattr+0x500/0x640 [btrfs]
+ notify_change+0x7ae/0x870
+ do_truncate+0xca/0x130
+ vfs_truncate+0x2ee/0x3d0
+ do_sys_truncate+0xaf/0xf0
+ SyS_truncate+0xe/0x10
+ entry_SYSCALL_64_fastpath+0x1f/0x96
+
+The race is between btrfs_orphan_commit_root and btrfs_orphan_del,
+ t1 t2
+btrfs_orphan_commit_root btrfs_orphan_del
+ spin_lock
+ check (&root->orphan_inodes)
+ root->orphan_block_rsv = NULL;
+ spin_unlock
+ atomic_dec(&root->orphan_inodes);
+ access root->orphan_block_rsv
+
+Accessing root->orphan_block_rsv must be done before decreasing
+root->orphan_inodes.
+
+cc: <stable@vger.kernel.org> v3.12+
+Fixes: 703c88e03524 ("Btrfs: fix tracking of orphan inode count")
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: Josef Bacik <jbacik@fb.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/inode.c | 34 +++++++++++++++++++++-------------
+ 1 file changed, 21 insertions(+), 13 deletions(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -3371,6 +3371,11 @@ int btrfs_orphan_add(struct btrfs_trans_
+ ret = btrfs_orphan_reserve_metadata(trans, inode);
+ ASSERT(!ret);
+ if (ret) {
++ /*
++ * dec doesn't need spin_lock as ->orphan_block_rsv
++ * would be released only if ->orphan_inodes is
++ * zero.
++ */
+ atomic_dec(&root->orphan_inodes);
+ clear_bit(BTRFS_INODE_ORPHAN_META_RESERVED,
+ &inode->runtime_flags);
+@@ -3385,12 +3390,17 @@ int btrfs_orphan_add(struct btrfs_trans_
+ if (insert >= 1) {
+ ret = btrfs_insert_orphan_item(trans, root, btrfs_ino(inode));
+ if (ret) {
+- atomic_dec(&root->orphan_inodes);
+ if (reserve) {
+ clear_bit(BTRFS_INODE_ORPHAN_META_RESERVED,
+ &inode->runtime_flags);
+ btrfs_orphan_release_metadata(inode);
+ }
++ /*
++ * btrfs_orphan_commit_root may race with us and set
++ * ->orphan_block_rsv to zero, in order to avoid that,
++ * decrease ->orphan_inodes after everything is done.
++ */
++ atomic_dec(&root->orphan_inodes);
+ if (ret != -EEXIST) {
+ clear_bit(BTRFS_INODE_HAS_ORPHAN_ITEM,
+ &inode->runtime_flags);
+@@ -3422,28 +3432,26 @@ static int btrfs_orphan_del(struct btrfs
+ {
+ struct btrfs_root *root = inode->root;
+ int delete_item = 0;
+- int release_rsv = 0;
+ int ret = 0;
+
+- spin_lock(&root->orphan_lock);
+ if (test_and_clear_bit(BTRFS_INODE_HAS_ORPHAN_ITEM,
+ &inode->runtime_flags))
+ delete_item = 1;
+
++ if (delete_item && trans)
++ ret = btrfs_del_orphan_item(trans, root, btrfs_ino(inode));
++
+ if (test_and_clear_bit(BTRFS_INODE_ORPHAN_META_RESERVED,
+ &inode->runtime_flags))
+- release_rsv = 1;
+- spin_unlock(&root->orphan_lock);
++ btrfs_orphan_release_metadata(inode);
+
+- if (delete_item) {
++ /*
++ * btrfs_orphan_commit_root may race with us and set ->orphan_block_rsv
++ * to zero, in order to avoid that, decrease ->orphan_inodes after
++ * everything is done.
++ */
++ if (delete_item)
+ atomic_dec(&root->orphan_inodes);
+- if (trans)
+- ret = btrfs_del_orphan_item(trans, root,
+- btrfs_ino(inode));
+- }
+-
+- if (release_rsv)
+- btrfs_orphan_release_metadata(inode);
+
+ return ret;
+ }
--- /dev/null
+From 8dd601fa8317243be887458c49f6c29c2f3d719f Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Thu, 15 Feb 2018 20:00:15 +1100
+Subject: dm: correctly handle chained bios in dec_pending()
+
+From: NeilBrown <neilb@suse.com>
+
+commit 8dd601fa8317243be887458c49f6c29c2f3d719f upstream.
+
+dec_pending() is given an error status (possibly 0) to be recorded
+against a bio. It can be called several times on the one 'struct
+dm_io', and it is careful to only assign a non-zero error to
+io->status. However when it then assigned io->status to bio->bi_status,
+it is not careful and could overwrite a genuine error status with 0.
+
+This can happen when chained bios are in use. If a bio is chained
+beneath the bio that this dm_io is handling, the child bio might
+complete and set bio->bi_status before the dm_io completes.
+
+This has been possible since chained bios were introduced in 3.14, and
+has become a lot easier to trigger with commit 18a25da84354 ("dm: ensure
+bio submission follows a depth-first tree walk") as that commit caused
+dm to start using chained bios itself.
+
+A particular failure mode is that if a bio spans an 'error' target and a
+working target, the 'error' fragment will complete instantly and set the
+->bi_status, and the other fragment will normally complete a little
+later, and will clear ->bi_status.
+
+The fix is simply to only assign io_error to bio->bi_status when
+io_error is not zero.
+
+Reported-and-tested-by: Milan Broz <gmazyland@gmail.com>
+Cc: stable@vger.kernel.org (v3.14+)
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -815,7 +815,8 @@ static void dec_pending(struct dm_io *io
+ queue_io(md, bio);
+ } else {
+ /* done with normal IO or empty flush */
+- bio->bi_status = io_error;
++ if (io_error)
++ bio->bi_status = io_error;
+ bio_endio(bio);
+ }
+ }
--- /dev/null
+From 9428088c90b6f7d5edd2a1b0d742c75339b36f6e Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Mon, 27 Nov 2017 16:50:10 -0500
+Subject: drm/qxl: reapply cursor after resetting primary
+
+From: Ray Strode <rstrode@redhat.com>
+
+commit 9428088c90b6f7d5edd2a1b0d742c75339b36f6e upstream.
+
+QXL associates mouse state with its primary plane.
+
+Destroying a primary plane and putting a new one in place has the side
+effect of destroying the cursor as well.
+
+This commit changes the driver to reapply the cursor any time a new
+primary is created. It achieves this by keeping a reference to the
+cursor bo on the qxl_crtc struct.
+
+This fix is very similar to
+
+commit 4532b241a4b7 ("drm/qxl: reapply cursor after SetCrtc calls")
+
+which got implicitly reverted as part of implementing the atomic
+modeset feature.
+
+Cc: Gerd Hoffmann <kraxel@redhat.com>
+Cc: Dave Airlie <airlied@redhat.com>
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1512097
+Fixes: 1277eed5fecb ("drm: qxl: Atomic phase 1: convert cursor to universal plane")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ray Strode <rstrode@redhat.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/qxl/qxl_display.c | 59 ++++++++++++++++++++++++++++++++++++++
+ drivers/gpu/drm/qxl/qxl_drv.h | 2 +
+ 2 files changed, 61 insertions(+)
+
+--- a/drivers/gpu/drm/qxl/qxl_display.c
++++ b/drivers/gpu/drm/qxl/qxl_display.c
+@@ -289,6 +289,7 @@ static void qxl_crtc_destroy(struct drm_
+ {
+ struct qxl_crtc *qxl_crtc = to_qxl_crtc(crtc);
+
++ qxl_bo_unref(&qxl_crtc->cursor_bo);
+ drm_crtc_cleanup(crtc);
+ kfree(qxl_crtc);
+ }
+@@ -495,6 +496,53 @@ static int qxl_primary_atomic_check(stru
+ return 0;
+ }
+
++static int qxl_primary_apply_cursor(struct drm_plane *plane)
++{
++ struct drm_device *dev = plane->dev;
++ struct qxl_device *qdev = dev->dev_private;
++ struct drm_framebuffer *fb = plane->state->fb;
++ struct qxl_crtc *qcrtc = to_qxl_crtc(plane->state->crtc);
++ struct qxl_cursor_cmd *cmd;
++ struct qxl_release *release;
++ int ret = 0;
++
++ if (!qcrtc->cursor_bo)
++ return 0;
++
++ ret = qxl_alloc_release_reserved(qdev, sizeof(*cmd),
++ QXL_RELEASE_CURSOR_CMD,
++ &release, NULL);
++ if (ret)
++ return ret;
++
++ ret = qxl_release_list_add(release, qcrtc->cursor_bo);
++ if (ret)
++ goto out_free_release;
++
++ ret = qxl_release_reserve_list(release, false);
++ if (ret)
++ goto out_free_release;
++
++ cmd = (struct qxl_cursor_cmd *)qxl_release_map(qdev, release);
++ cmd->type = QXL_CURSOR_SET;
++ cmd->u.set.position.x = plane->state->crtc_x + fb->hot_x;
++ cmd->u.set.position.y = plane->state->crtc_y + fb->hot_y;
++
++ cmd->u.set.shape = qxl_bo_physical_address(qdev, qcrtc->cursor_bo, 0);
++
++ cmd->u.set.visible = 1;
++ qxl_release_unmap(qdev, release, &cmd->release_info);
++
++ qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false);
++ qxl_release_fence_buffer_objects(release);
++
++ return ret;
++
++out_free_release:
++ qxl_release_free(qdev, release);
++ return ret;
++}
++
+ static void qxl_primary_atomic_update(struct drm_plane *plane,
+ struct drm_plane_state *old_state)
+ {
+@@ -510,6 +558,7 @@ static void qxl_primary_atomic_update(st
+ .x2 = qfb->base.width,
+ .y2 = qfb->base.height
+ };
++ int ret;
+ bool same_shadow = false;
+
+ if (old_state->fb) {
+@@ -531,6 +580,11 @@ static void qxl_primary_atomic_update(st
+ if (!same_shadow)
+ qxl_io_destroy_primary(qdev);
+ bo_old->is_primary = false;
++
++ ret = qxl_primary_apply_cursor(plane);
++ if (ret)
++ DRM_ERROR(
++ "could not set cursor after creating primary");
+ }
+
+ if (!bo->is_primary) {
+@@ -571,6 +625,7 @@ static void qxl_cursor_atomic_update(str
+ struct drm_device *dev = plane->dev;
+ struct qxl_device *qdev = dev->dev_private;
+ struct drm_framebuffer *fb = plane->state->fb;
++ struct qxl_crtc *qcrtc = to_qxl_crtc(plane->state->crtc);
+ struct qxl_release *release;
+ struct qxl_cursor_cmd *cmd;
+ struct qxl_cursor *cursor;
+@@ -628,6 +683,10 @@ static void qxl_cursor_atomic_update(str
+ cmd->u.set.shape = qxl_bo_physical_address(qdev,
+ cursor_bo, 0);
+ cmd->type = QXL_CURSOR_SET;
++
++ qxl_bo_unref(&qcrtc->cursor_bo);
++ qcrtc->cursor_bo = cursor_bo;
++ cursor_bo = NULL;
+ } else {
+
+ ret = qxl_release_reserve_list(release, true);
+--- a/drivers/gpu/drm/qxl/qxl_drv.h
++++ b/drivers/gpu/drm/qxl/qxl_drv.h
+@@ -135,6 +135,8 @@ struct qxl_bo_list {
+ struct qxl_crtc {
+ struct drm_crtc base;
+ int index;
++
++ struct qxl_bo *cursor_bo;
+ };
+
+ struct qxl_output {
--- /dev/null
+From 1c130ae00b769a2e2df41bad3d6051ee8234b636 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 19 Jan 2018 14:36:29 +0100
+Subject: iscsi-target: make sure to wake up sleeping login worker
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 1c130ae00b769a2e2df41bad3d6051ee8234b636 upstream.
+
+Mike Christie reports:
+ Starting in 4.14 iscsi logins will fail around 50% of the time.
+
+Problem appears to be that iscsi_target_sk_data_ready() callback may
+return without doing anything in case it finds the login work queue
+is still blocked in sock_recvmsg().
+
+Nicholas Bellinger says:
+ It would indicate users providing their own ->sk_data_ready() callback
+ must be responsible for waking up a kthread context blocked on
+ sock_recvmsg(..., MSG_WAITALL), when a second ->sk_data_ready() is
+ received before the first sock_recvmsg(..., MSG_WAITALL) completes.
+
+So, do this and invoke the original data_ready() callback -- in
+case of tcp sockets this takes care of waking the thread.
+
+Disclaimer: I do not understand why this problem did not show up before
+tcp prequeue removal.
+
+(Drop WARN_ON usage - nab)
+
+Reported-by: Mike Christie <mchristi@redhat.com>
+Bisected-by: Mike Christie <mchristi@redhat.com>
+Tested-by: Mike Christie <mchristi@redhat.com>
+Diagnosed-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Fixes: e7942d0633c4 ("tcp: remove prequeue support")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Cc: stable@vger.kernel.org # 4.14+
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_nego.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/target/iscsi/iscsi_target_nego.c
++++ b/drivers/target/iscsi/iscsi_target_nego.c
+@@ -432,6 +432,9 @@ static void iscsi_target_sk_data_ready(s
+ if (test_and_set_bit(LOGIN_FLAGS_READ_ACTIVE, &conn->login_flags)) {
+ write_unlock_bh(&sk->sk_callback_lock);
+ pr_debug("Got LOGIN_FLAGS_READ_ACTIVE=1, conn: %p >>>>\n", conn);
++ if (iscsi_target_sk_data_ready == conn->orig_data_ready)
++ return;
++ conn->orig_data_ready(sk);
+ return;
+ }
+
--- /dev/null
+From ea56fb282368ea08c2a313af6b55cb597aec4db1 Mon Sep 17 00:00:00 2001
+From: Stefan Agner <stefan@agner.ch>
+Date: Fri, 9 Feb 2018 13:21:42 +0100
+Subject: mtd: nand: vf610: set correct ooblayout
+
+From: Stefan Agner <stefan@agner.ch>
+
+commit ea56fb282368ea08c2a313af6b55cb597aec4db1 upstream.
+
+With commit 3cf32d180227 ("mtd: nand: vf610: switch to
+mtd_ooblayout_ops") the driver started to use the NAND cores
+default large page ooblayout. However, shortly after commit
+6a623e076944 ("mtd: nand: add ooblayout for old hamming layout")
+changed the default layout to the old hamming layout, which is
+not what vf610_nfc is using. Specify the default large page
+layout explicitly.
+
+Fixes: 6a623e076944 ("mtd: nand: add ooblayout for old hamming layout")
+Cc: <stable@vger.kernel.org> # v4.12+
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/vf610_nfc.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/mtd/nand/vf610_nfc.c
++++ b/drivers/mtd/nand/vf610_nfc.c
+@@ -752,10 +752,8 @@ static int vf610_nfc_probe(struct platfo
+ if (mtd->oobsize > 64)
+ mtd->oobsize = 64;
+
+- /*
+- * mtd->ecclayout is not specified here because we're using the
+- * default large page ECC layout defined in NAND core.
+- */
++ /* Use default large page ECC layout defined in NAND core */
++ mtd_set_ooblayout(mtd, &nand_ooblayout_lp_ops);
+ if (chip->ecc.strength == 32) {
+ nfc->ecc_mode = ECC_60_BYTE;
+ chip->ecc.bytes = 60;
--- /dev/null
+From 7ac8ff95f48cbfa609a060fd6a1e361dd62feeb3 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sun, 11 Feb 2018 18:10:28 -0500
+Subject: mvpp2: fix multicast address filter
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 7ac8ff95f48cbfa609a060fd6a1e361dd62feeb3 upstream.
+
+IPv6 doesn't work on the MacchiatoBIN board. It is caused by broken
+multicast address filter in the mvpp2 driver.
+
+The driver loads doesn't load any multicast entries if "allmulti" is not
+set. This condition should be reversed.
+
+The condition !netdev_mc_empty(dev) is useless (because
+netdev_for_each_mc_addr is nop if the list is empty).
+
+This patch also fixes a possible overflow of the multicast list - if
+mvpp2_prs_mac_da_accept fails, we set the allmulti flag and retry.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/marvell/mvpp2.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvpp2.c
++++ b/drivers/net/ethernet/marvell/mvpp2.c
+@@ -6888,6 +6888,7 @@ static void mvpp2_set_rx_mode(struct net
+ int id = port->id;
+ bool allmulti = dev->flags & IFF_ALLMULTI;
+
++retry:
+ mvpp2_prs_mac_promisc_set(priv, id, dev->flags & IFF_PROMISC);
+ mvpp2_prs_mac_multi_set(priv, id, MVPP2_PE_MAC_MC_ALL, allmulti);
+ mvpp2_prs_mac_multi_set(priv, id, MVPP2_PE_MAC_MC_IP6, allmulti);
+@@ -6895,9 +6896,13 @@ static void mvpp2_set_rx_mode(struct net
+ /* Remove all port->id's mcast enries */
+ mvpp2_prs_mcast_del_all(priv, id);
+
+- if (allmulti && !netdev_mc_empty(dev)) {
+- netdev_for_each_mc_addr(ha, dev)
+- mvpp2_prs_mac_da_accept(priv, id, ha->addr, true);
++ if (!allmulti) {
++ netdev_for_each_mc_addr(ha, dev) {
++ if (mvpp2_prs_mac_da_accept(priv, id, ha->addr, true)) {
++ allmulti = true;
++ goto retry;
++ }
++ }
+ }
+ }
+
--- /dev/null
+From 62676d10b483a2ff6e8b08c5e7c7d63a831343f5 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 19 Oct 2017 08:21:50 +0200
+Subject: qxl: alloc & use shadow for dumb buffers
+
+From: Gerd Hoffmann <kraxel@redhat.com>
+
+commit 62676d10b483a2ff6e8b08c5e7c7d63a831343f5 upstream.
+
+This patch changes the way the primary surface is used for dumb
+framebuffers. Instead of configuring the bo itself as primary surface
+a shadow bo is created and used instead. Framebuffers can share the
+shadow bo in case they have the same format and resolution.
+
+On atomic plane updates we don't have to update the primary surface in
+case we pageflip from one framebuffer to another framebuffer which
+shares the same shadow. This in turn avoids the flicker caused by the
+primary-destroy + primary-create cycle, which is very annonying when
+running wayland on qxl.
+
+The qxl driver never actually writes to the shadow bo. It sends qxl
+blit commands which update it though, and the spice server might
+actually execute them (and thereby write to the shadow) in case the
+local rendering is kicked for some reason. This happens for example in
+case qemu is asked to write out a dump of the guest display (screendump
+monitor command).
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Dave Airlie <airlied@redhat.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20171019062150.28090-3-kraxel@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/qxl/qxl_cmd.c | 6 +++-
+ drivers/gpu/drm/qxl/qxl_display.c | 49 +++++++++++++++++++++++++++++++++++---
+ drivers/gpu/drm/qxl/qxl_drv.h | 2 +
+ drivers/gpu/drm/qxl/qxl_dumb.c | 1
+ 4 files changed, 54 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/qxl/qxl_cmd.c
++++ b/drivers/gpu/drm/qxl/qxl_cmd.c
+@@ -388,7 +388,11 @@ void qxl_io_create_primary(struct qxl_de
+ create->width = bo->surf.width;
+ create->height = bo->surf.height;
+ create->stride = bo->surf.stride;
+- create->mem = qxl_bo_physical_address(qdev, bo, offset);
++ if (bo->shadow) {
++ create->mem = qxl_bo_physical_address(qdev, bo->shadow, offset);
++ } else {
++ create->mem = qxl_bo_physical_address(qdev, bo, offset);
++ }
+
+ QXL_INFO(qdev, "%s: mem = %llx, from %p\n", __func__, create->mem,
+ bo->kptr);
+--- a/drivers/gpu/drm/qxl/qxl_display.c
++++ b/drivers/gpu/drm/qxl/qxl_display.c
+@@ -305,7 +305,9 @@ static const struct drm_crtc_funcs qxl_c
+ void qxl_user_framebuffer_destroy(struct drm_framebuffer *fb)
+ {
+ struct qxl_framebuffer *qxl_fb = to_qxl_framebuffer(fb);
++ struct qxl_bo *bo = gem_to_qxl_bo(qxl_fb->obj);
+
++ WARN_ON(bo->shadow);
+ drm_gem_object_unreference_unlocked(qxl_fb->obj);
+ drm_framebuffer_cleanup(fb);
+ kfree(qxl_fb);
+@@ -508,6 +510,7 @@ static void qxl_primary_atomic_update(st
+ .x2 = qfb->base.width,
+ .y2 = qfb->base.height
+ };
++ bool same_shadow = false;
+
+ if (old_state->fb) {
+ qfb_old = to_qxl_framebuffer(old_state->fb);
+@@ -519,15 +522,23 @@ static void qxl_primary_atomic_update(st
+ if (bo == bo_old)
+ return;
+
++ if (bo_old && bo_old->shadow && bo->shadow &&
++ bo_old->shadow == bo->shadow) {
++ same_shadow = true;
++ }
++
+ if (bo_old && bo_old->is_primary) {
+- qxl_io_destroy_primary(qdev);
++ if (!same_shadow)
++ qxl_io_destroy_primary(qdev);
+ bo_old->is_primary = false;
+ }
+
+ if (!bo->is_primary) {
+- qxl_io_create_primary(qdev, 0, bo);
++ if (!same_shadow)
++ qxl_io_create_primary(qdev, 0, bo);
+ bo->is_primary = true;
+ }
++
+ qxl_draw_dirty_fb(qdev, qfb, bo, 0, 0, &norect, 1, 1);
+ }
+
+@@ -681,8 +692,9 @@ static void qxl_cursor_atomic_disable(st
+ static int qxl_plane_prepare_fb(struct drm_plane *plane,
+ struct drm_plane_state *new_state)
+ {
++ struct qxl_device *qdev = plane->dev->dev_private;
+ struct drm_gem_object *obj;
+- struct qxl_bo *user_bo;
++ struct qxl_bo *user_bo, *old_bo = NULL;
+ int ret;
+
+ if (!new_state->fb)
+@@ -691,6 +703,32 @@ static int qxl_plane_prepare_fb(struct d
+ obj = to_qxl_framebuffer(new_state->fb)->obj;
+ user_bo = gem_to_qxl_bo(obj);
+
++ if (plane->type == DRM_PLANE_TYPE_PRIMARY &&
++ user_bo->is_dumb && !user_bo->shadow) {
++ if (plane->state->fb) {
++ obj = to_qxl_framebuffer(plane->state->fb)->obj;
++ old_bo = gem_to_qxl_bo(obj);
++ }
++ if (old_bo && old_bo->shadow &&
++ user_bo->gem_base.size == old_bo->gem_base.size &&
++ plane->state->crtc == new_state->crtc &&
++ plane->state->crtc_w == new_state->crtc_w &&
++ plane->state->crtc_h == new_state->crtc_h &&
++ plane->state->src_x == new_state->src_x &&
++ plane->state->src_y == new_state->src_y &&
++ plane->state->src_w == new_state->src_w &&
++ plane->state->src_h == new_state->src_h &&
++ plane->state->rotation == new_state->rotation &&
++ plane->state->zpos == new_state->zpos) {
++ drm_gem_object_get(&old_bo->shadow->gem_base);
++ user_bo->shadow = old_bo->shadow;
++ } else {
++ qxl_bo_create(qdev, user_bo->gem_base.size,
++ true, true, QXL_GEM_DOMAIN_VRAM, NULL,
++ &user_bo->shadow);
++ }
++ }
++
+ ret = qxl_bo_pin(user_bo, QXL_GEM_DOMAIN_CPU, NULL);
+ if (ret)
+ return ret;
+@@ -715,6 +753,11 @@ static void qxl_plane_cleanup_fb(struct
+ obj = to_qxl_framebuffer(old_state->fb)->obj;
+ user_bo = gem_to_qxl_bo(obj);
+ qxl_bo_unpin(user_bo);
++
++ if (user_bo->shadow && !user_bo->is_primary) {
++ drm_gem_object_put_unlocked(&user_bo->shadow->gem_base);
++ user_bo->shadow = NULL;
++ }
+ }
+
+ static const uint32_t qxl_cursor_plane_formats[] = {
+--- a/drivers/gpu/drm/qxl/qxl_drv.h
++++ b/drivers/gpu/drm/qxl/qxl_drv.h
+@@ -113,6 +113,8 @@ struct qxl_bo {
+ /* Constant after initialization */
+ struct drm_gem_object gem_base;
+ bool is_primary; /* is this now a primary surface */
++ bool is_dumb;
++ struct qxl_bo *shadow;
+ bool hw_surf_alloc;
+ struct qxl_surface surf;
+ uint32_t surface_id;
+--- a/drivers/gpu/drm/qxl/qxl_dumb.c
++++ b/drivers/gpu/drm/qxl/qxl_dumb.c
+@@ -63,6 +63,7 @@ int qxl_mode_dumb_create(struct drm_file
+ &handle);
+ if (r)
+ return r;
++ qobj->is_dumb = true;
+ args->pitch = pitch;
+ args->handle = handle;
+ return 0;
--- /dev/null
+From c713fb071edc0efc01a955f65a006b0e1795d2eb Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Mon, 5 Feb 2018 12:38:11 -0600
+Subject: rtlwifi: rtl8821ae: Fix connection lost problem correctly
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit c713fb071edc0efc01a955f65a006b0e1795d2eb upstream.
+
+There has been a coding error in rtl8821ae since it was first introduced,
+namely that an 8-bit register was read using a 16-bit read in
+_rtl8821ae_dbi_read(). This error was fixed with commit 40b368af4b75
+("rtlwifi: Fix alignment issues"); however, this change led to
+instability in the connection. To restore stability, this change
+was reverted in commit b8b8b16352cd ("rtlwifi: rtl8821ae: Fix connection
+lost problem").
+
+Unfortunately, the unaligned access causes machine checks in ARM
+architecture, and we were finally forced to find the actual cause of the
+problem on x86 platforms. Following a suggestion from Pkshih
+<pkshih@realtek.com>, it was found that increasing the ASPM L1
+latency from 0 to 7 fixed the instability. This parameter was varied to
+see if a smaller value would work; however, it appears that 7 is the
+safest value. A new symbol is defined for this quantity, thus it can be
+easily changed if necessary.
+
+Fixes: b8b8b16352cd ("rtlwifi: rtl8821ae: Fix connection lost problem")
+Cc: Stable <stable@vger.kernel.org> # 4.14+
+Fix-suggested-by: Pkshih <pkshih@realtek.com>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Tested-by: James Cameron <quozl@laptop.org> # x86_64 OLPC NL3
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c | 5 +++--
+ drivers/net/wireless/realtek/rtlwifi/wifi.h | 1 +
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c
+@@ -1122,7 +1122,7 @@ static u8 _rtl8821ae_dbi_read(struct rtl
+ }
+ if (0 == tmp) {
+ read_addr = REG_DBI_RDATA + addr % 4;
+- ret = rtl_read_word(rtlpriv, read_addr);
++ ret = rtl_read_byte(rtlpriv, read_addr);
+ }
+ return ret;
+ }
+@@ -1164,7 +1164,8 @@ static void _rtl8821ae_enable_aspm_back_
+ }
+
+ tmp = _rtl8821ae_dbi_read(rtlpriv, 0x70f);
+- _rtl8821ae_dbi_write(rtlpriv, 0x70f, tmp | BIT(7));
++ _rtl8821ae_dbi_write(rtlpriv, 0x70f, tmp | BIT(7) |
++ ASPM_L1_LATENCY << 3);
+
+ tmp = _rtl8821ae_dbi_read(rtlpriv, 0x719);
+ _rtl8821ae_dbi_write(rtlpriv, 0x719, tmp | BIT(3) | BIT(4));
+--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h
++++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h
+@@ -99,6 +99,7 @@
+ #define RTL_USB_MAX_RX_COUNT 100
+ #define QBSS_LOAD_SIZE 5
+ #define MAX_WMMELE_LENGTH 64
++#define ASPM_L1_LATENCY 7
+
+ #define TOTAL_CAM_ENTRY 32
+
seq_file-fix-incomplete-reset-on-read-from-zero-offset.patch
tracing-fix-parsing-of-globs-with-a-wildcard-at-the-beginning.patch
mpls-nospec-sanitize-array-index-in-mpls_label_ok.patch
+rtlwifi-rtl8821ae-fix-connection-lost-problem-correctly.patch
+arm64-proc-set-pte_ng-for-table-entries-to-avoid-traversing-them-twice.patch
+qxl-alloc-use-shadow-for-dumb-buffers.patch
+drm-qxl-reapply-cursor-after-resetting-primary.patch
+xprtrdma-fix-calculation-of-ri_max_send_sges.patch
+xprtrdma-fix-bug-after-a-device-removal.patch
+blk-wbt-account-flush-requests-correctly.patch
+target-iscsi-avoid-null-dereference-in-chap-auth-error-path.patch
+iscsi-target-make-sure-to-wake-up-sleeping-login-worker.patch
+dm-correctly-handle-chained-bios-in-dec_pending.patch
+btrfs-fix-deadlock-in-run_delalloc_nocow.patch
+btrfs-fix-crash-due-to-not-cleaning-up-tree-log-block-s-dirty-bits.patch
+btrfs-fix-extent-state-leak-from-tree-log.patch
+btrfs-fix-btrfs_evict_inode-to-handle-abnormal-inodes-correctly.patch
+btrfs-fix-use-after-free-on-root-orphan_block_rsv.patch
+btrfs-fix-unexpected-eexist-when-creating-new-inode.patch
+9p-trans_virtio-discard-zero-length-reply.patch
+mtd-nand-vf610-set-correct-ooblayout.patch
+alsa-hda-fix-headset-mic-detection-problem-for-two-dell-machines.patch
+alsa-usb-audio-fix-uac2-get_ctl-request-with-a-range-attribute.patch
+alsa-hda-realtek-add-headset-mode-support-for-dell-laptop.patch
+alsa-hda-realtek-enable-thinkpad-dock-device-for-alc298-platform.patch
+alsa-hda-realtek-pci-quirk-for-fujitsu-u7x7.patch
+alsa-usb-audio-add-implicit-fb-quirk-for-behringer-ufx1204.patch
+alsa-usb-add-more-device-quirks-for-usb-dsd-devices.patch
+alsa-seq-fix-racy-pool-initializations.patch
+mvpp2-fix-multicast-address-filter.patch
--- /dev/null
+From ce512d79d0466a604793addb6b769d12ee326822 Mon Sep 17 00:00:00 2001
+From: David Disseldorp <ddiss@suse.de>
+Date: Wed, 13 Dec 2017 18:22:30 +0100
+Subject: target/iscsi: avoid NULL dereference in CHAP auth error path
+
+From: David Disseldorp <ddiss@suse.de>
+
+commit ce512d79d0466a604793addb6b769d12ee326822 upstream.
+
+If chap_server_compute_md5() fails early, e.g. via CHAP_N mismatch, then
+crypto_free_shash() is called with a NULL pointer which gets
+dereferenced in crypto_shash_tfm().
+
+Fixes: 69110e3cedbb ("iscsi-target: Use shash and ahash")
+Suggested-by: Markus Elfring <elfring@users.sourceforge.net>
+Signed-off-by: David Disseldorp <ddiss@suse.de>
+Cc: stable@vger.kernel.org # 4.6+
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_auth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target_auth.c
++++ b/drivers/target/iscsi/iscsi_target_auth.c
+@@ -421,7 +421,8 @@ static int chap_server_compute_md5(
+ auth_ret = 0;
+ out:
+ kzfree(desc);
+- crypto_free_shash(tfm);
++ if (tfm)
++ crypto_free_shash(tfm);
+ kfree(challenge);
+ kfree(challenge_binhex);
+ return auth_ret;
--- /dev/null
+From e89e8d8fcdc6751e86ccad794b052fe67e6ad619 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Wed, 31 Jan 2018 12:34:13 -0500
+Subject: xprtrdma: Fix BUG after a device removal
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit e89e8d8fcdc6751e86ccad794b052fe67e6ad619 upstream.
+
+Michal Kalderon reports a BUG that occurs just after device removal:
+
+[ 169.112490] rpcrdma: removing device qedr0 for 192.168.110.146:20049
+[ 169.143909] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
+[ 169.181837] IP: rpcrdma_dma_unmap_regbuf+0xa/0x60 [rpcrdma]
+
+The RPC/RDMA client transport attempts to allocate some resources
+on demand. Registered buffers are one such resource. These are
+allocated (or re-allocated) by xprt_rdma_allocate to hold RPC Call
+and Reply messages. A hardware resource is associated with each of
+these buffers, as they can be used for a Send or Receive Work
+Request.
+
+If a device is removed from under an NFS/RDMA mount, the transport
+layer is responsible for releasing all hardware resources before
+the device can be finally unplugged. A BUG results when the NFS
+mount hasn't yet seen much activity: the transport tries to release
+resources that haven't yet been allocated.
+
+rpcrdma_free_regbuf() already checks for this case, so just move
+that check to cover the DEVICE_REMOVAL case as well.
+
+Reported-by: Michal Kalderon <Michal.Kalderon@cavium.com>
+Fixes: bebd031866ca ("xprtrdma: Support unplugging an HCA ...")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Tested-by: Michal Kalderon <Michal.Kalderon@cavium.com>
+Cc: stable@vger.kernel.org # v4.12+
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/xprtrdma/verbs.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/sunrpc/xprtrdma/verbs.c
++++ b/net/sunrpc/xprtrdma/verbs.c
+@@ -1331,6 +1331,9 @@ __rpcrdma_dma_map_regbuf(struct rpcrdma_
+ static void
+ rpcrdma_dma_unmap_regbuf(struct rpcrdma_regbuf *rb)
+ {
++ if (!rb)
++ return;
++
+ if (!rpcrdma_regbuf_is_mapped(rb))
+ return;
+
+@@ -1346,9 +1349,6 @@ rpcrdma_dma_unmap_regbuf(struct rpcrdma_
+ void
+ rpcrdma_free_regbuf(struct rpcrdma_regbuf *rb)
+ {
+- if (!rb)
+- return;
+-
+ rpcrdma_dma_unmap_regbuf(rb);
+ kfree(rb);
+ }
--- /dev/null
+From 1179e2c27efe21167ec9d882b14becefba2ee990 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Wed, 31 Jan 2018 12:34:05 -0500
+Subject: xprtrdma: Fix calculation of ri_max_send_sges
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit 1179e2c27efe21167ec9d882b14becefba2ee990 upstream.
+
+Commit 16f906d66cd7 ("xprtrdma: Reduce required number of send
+SGEs") introduced the rpcrdma_ia::ri_max_send_sges field. This fixes
+a problem where xprtrdma would not work if the device's max_sge
+capability was small (low single digits).
+
+At least RPCRDMA_MIN_SEND_SGES are needed for the inline parts of
+each RPC. ri_max_send_sges is set to this value:
+
+ ia->ri_max_send_sges = max_sge - RPCRDMA_MIN_SEND_SGES;
+
+Then when marshaling each RPC, rpcrdma_args_inline uses that value
+to determine whether the device has enough Send SGEs to convey an
+NFS WRITE payload inline, or whether instead a Read chunk is
+required.
+
+More recently, commit ae72950abf99 ("xprtrdma: Add data structure to
+manage RDMA Send arguments") used the ri_max_send_sges value to
+calculate the size of an array, but that commit erroneously assumed
+ri_max_send_sges contains a value similar to the device's max_sge,
+and not one that was reduced by the minimum SGE count.
+
+This assumption results in the calculated size of the sendctx's
+Send SGE array to be too small. When the array is used to marshal
+an RPC, the code can write Send SGEs into the following sendctx
+element in that array, corrupting it. When the device's max_sge is
+large, this issue is entirely harmless; but it results in an oops
+in the provider's post_send method, if dev.attrs.max_sge is small.
+
+So let's straighten this out: ri_max_send_sges will now contain a
+value with the same meaning as dev.attrs.max_sge, which makes
+the code easier to understand, and enables rpcrdma_sendctx_create
+to calculate the size of the SGE array correctly.
+
+Reported-by: Michal Kalderon <Michal.Kalderon@cavium.com>
+Fixes: 16f906d66cd7 ("xprtrdma: Reduce required number of send SGEs")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Tested-by: Michal Kalderon <Michal.Kalderon@cavium.com>
+Cc: stable@vger.kernel.org # v4.10+
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/xprtrdma/rpc_rdma.c | 2 +-
+ net/sunrpc/xprtrdma/verbs.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/sunrpc/xprtrdma/rpc_rdma.c
++++ b/net/sunrpc/xprtrdma/rpc_rdma.c
+@@ -142,7 +142,7 @@ static bool rpcrdma_args_inline(struct r
+ if (xdr->page_len) {
+ remaining = xdr->page_len;
+ offset = offset_in_page(xdr->page_base);
+- count = 0;
++ count = RPCRDMA_MIN_SEND_SGES;
+ while (remaining) {
+ remaining -= min_t(unsigned int,
+ PAGE_SIZE - offset, remaining);
+--- a/net/sunrpc/xprtrdma/verbs.c
++++ b/net/sunrpc/xprtrdma/verbs.c
+@@ -523,7 +523,7 @@ rpcrdma_ep_create(struct rpcrdma_ep *ep,
+ pr_warn("rpcrdma: HCA provides only %d send SGEs\n", max_sge);
+ return -ENOMEM;
+ }
+- ia->ri_max_send_sges = max_sge - RPCRDMA_MIN_SEND_SGES;
++ ia->ri_max_send_sges = max_sge;
+
+ if (ia->ri_device->attrs.max_qp_wr <= RPCRDMA_BACKWARD_WRS) {
+ dprintk("RPC: %s: insufficient wqe's available\n",
projects / thirdparty / kernel / stable-queue.git / commitdiff
