--- /dev/null
+From 5e388e95815408c27f3612190d089afc0774b870 Mon Sep 17 00:00:00 2001
+From: Nikolay Borisov <nborisov@suse.com>
+Date: Wed, 18 Apr 2018 09:41:54 +0300
+Subject: btrfs: Fix race condition between delayed refs and blockgroup removal
+
+From: Nikolay Borisov <nborisov@suse.com>
+
+commit 5e388e95815408c27f3612190d089afc0774b870 upstream.
+
+When the delayed refs for a head are all run, eventually
+cleanup_ref_head is called which (in case of deletion) obtains a
+reference for the relevant btrfs_space_info struct by querying the bg
+for the range. This is problematic because when the last extent of a
+bg is deleted a race window emerges between removal of that bg and the
+subsequent invocation of cleanup_ref_head. This can result in cache being null
+and either a null pointer dereference or assertion failure.
+
+ task: ffff8d04d31ed080 task.stack: ffff9e5dc10cc000
+ RIP: 0010:assfail.constprop.78+0x18/0x1a [btrfs]
+ RSP: 0018:ffff9e5dc10cfbe8 EFLAGS: 00010292
+ RAX: 0000000000000044 RBX: 0000000000000000 RCX: 0000000000000000
+ RDX: ffff8d04ffc1f868 RSI: ffff8d04ffc178c8 RDI: ffff8d04ffc178c8
+ RBP: ffff8d04d29e5ea0 R08: 00000000000001f0 R09: 0000000000000001
+ R10: ffff9e5dc0507d58 R11: 0000000000000001 R12: ffff8d04d29e5ea0
+ R13: ffff8d04d29e5f08 R14: ffff8d04efe29b40 R15: ffff8d04efe203e0
+ FS: 00007fbf58ead500(0000) GS:ffff8d04ffc00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fe6c6975648 CR3: 0000000013b2a000 CR4: 00000000000006f0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ __btrfs_run_delayed_refs+0x10e7/0x12c0 [btrfs]
+ btrfs_run_delayed_refs+0x68/0x250 [btrfs]
+ btrfs_should_end_transaction+0x42/0x60 [btrfs]
+ btrfs_truncate_inode_items+0xaac/0xfc0 [btrfs]
+ btrfs_evict_inode+0x4c6/0x5c0 [btrfs]
+ evict+0xc6/0x190
+ do_unlinkat+0x19c/0x300
+ do_syscall_64+0x74/0x140
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+ RIP: 0033:0x7fbf589c57a7
+
+To fix this, introduce a new flag "is_system" to head_ref structs,
+which is populated at insertion time. This allows to decouple the
+querying for the spaceinfo from querying the possibly deleted bg.
+
+Fixes: d7eae3403f46 ("Btrfs: rework delayed ref total_bytes_pinned accounting")
+CC: stable@vger.kernel.org # 4.14+
+Suggested-by: Omar Sandoval <osandov@osandov.com>
+Signed-off-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: Omar Sandoval <osandov@fb.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/delayed-ref.c | 19 ++++++++++++++-----
+ fs/btrfs/delayed-ref.h | 1 +
+ fs/btrfs/extent-tree.c | 16 +++++++++++-----
+ 3 files changed, 26 insertions(+), 10 deletions(-)
+
+--- a/fs/btrfs/delayed-ref.c
++++ b/fs/btrfs/delayed-ref.c
+@@ -553,8 +553,10 @@ add_delayed_ref_head(struct btrfs_fs_inf
+ struct btrfs_delayed_ref_head *head_ref,
+ struct btrfs_qgroup_extent_record *qrecord,
+ u64 bytenr, u64 num_bytes, u64 ref_root, u64 reserved,
+- int action, int is_data, int *qrecord_inserted_ret,
++ int action, int is_data, int is_system,
++ int *qrecord_inserted_ret,
+ int *old_ref_mod, int *new_ref_mod)
++
+ {
+ struct btrfs_delayed_ref_head *existing;
+ struct btrfs_delayed_ref_root *delayed_refs;
+@@ -598,6 +600,7 @@ add_delayed_ref_head(struct btrfs_fs_inf
+ head_ref->ref_mod = count_mod;
+ head_ref->must_insert_reserved = must_insert_reserved;
+ head_ref->is_data = is_data;
++ head_ref->is_system = is_system;
+ head_ref->ref_tree = RB_ROOT;
+ INIT_LIST_HEAD(&head_ref->ref_add_list);
+ RB_CLEAR_NODE(&head_ref->href_node);
+@@ -785,6 +788,7 @@ int btrfs_add_delayed_tree_ref(struct bt
+ struct btrfs_delayed_ref_root *delayed_refs;
+ struct btrfs_qgroup_extent_record *record = NULL;
+ int qrecord_inserted;
++ int is_system = (ref_root == BTRFS_CHUNK_TREE_OBJECTID);
+
+ BUG_ON(extent_op && extent_op->is_data);
+ ref = kmem_cache_alloc(btrfs_delayed_tree_ref_cachep, GFP_NOFS);
+@@ -813,8 +817,8 @@ int btrfs_add_delayed_tree_ref(struct bt
+ */
+ head_ref = add_delayed_ref_head(fs_info, trans, head_ref, record,
+ bytenr, num_bytes, 0, 0, action, 0,
+- &qrecord_inserted, old_ref_mod,
+- new_ref_mod);
++ is_system, &qrecord_inserted,
++ old_ref_mod, new_ref_mod);
+
+ add_delayed_tree_ref(fs_info, trans, head_ref, &ref->node, bytenr,
+ num_bytes, parent, ref_root, level, action);
+@@ -881,7 +885,7 @@ int btrfs_add_delayed_data_ref(struct bt
+ */
+ head_ref = add_delayed_ref_head(fs_info, trans, head_ref, record,
+ bytenr, num_bytes, ref_root, reserved,
+- action, 1, &qrecord_inserted,
++ action, 1, 0, &qrecord_inserted,
+ old_ref_mod, new_ref_mod);
+
+ add_delayed_data_ref(fs_info, trans, head_ref, &ref->node, bytenr,
+@@ -911,9 +915,14 @@ int btrfs_add_delayed_extent_op(struct b
+ delayed_refs = &trans->transaction->delayed_refs;
+ spin_lock(&delayed_refs->lock);
+
++ /*
++ * extent_ops just modify the flags of an extent and they don't result
++ * in ref count changes, hence it's safe to pass false/0 for is_system
++ * argument
++ */
+ add_delayed_ref_head(fs_info, trans, head_ref, NULL, bytenr,
+ num_bytes, 0, 0, BTRFS_UPDATE_DELAYED_HEAD,
+- extent_op->is_data, NULL, NULL, NULL);
++ extent_op->is_data, 0, NULL, NULL, NULL);
+
+ spin_unlock(&delayed_refs->lock);
+ return 0;
+--- a/fs/btrfs/delayed-ref.h
++++ b/fs/btrfs/delayed-ref.h
+@@ -139,6 +139,7 @@ struct btrfs_delayed_ref_head {
+ */
+ unsigned int must_insert_reserved:1;
+ unsigned int is_data:1;
++ unsigned int is_system:1;
+ unsigned int processing:1;
+ };
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -2615,13 +2615,19 @@ static int cleanup_ref_head(struct btrfs
+ trace_run_delayed_ref_head(fs_info, head, 0);
+
+ if (head->total_ref_mod < 0) {
+- struct btrfs_block_group_cache *cache;
++ struct btrfs_space_info *space_info;
++ u64 flags;
+
+- cache = btrfs_lookup_block_group(fs_info, head->bytenr);
+- ASSERT(cache);
+- percpu_counter_add(&cache->space_info->total_bytes_pinned,
++ if (head->is_data)
++ flags = BTRFS_BLOCK_GROUP_DATA;
++ else if (head->is_system)
++ flags = BTRFS_BLOCK_GROUP_SYSTEM;
++ else
++ flags = BTRFS_BLOCK_GROUP_METADATA;
++ space_info = __find_space_info(fs_info, flags);
++ ASSERT(space_info);
++ percpu_counter_add(&space_info->total_bytes_pinned,
+ -head->num_bytes);
+- btrfs_put_block_group(cache);
+
+ if (head->is_data) {
+ spin_lock(&delayed_refs->lock);
--- /dev/null
+From 92d32170847bfff2dd08af2c016085779f2fd2a1 Mon Sep 17 00:00:00 2001
+From: David Sterba <dsterba@suse.com>
+Date: Mon, 16 Apr 2018 21:10:14 +0200
+Subject: btrfs: fix unaligned access in readdir
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Sterba <dsterba@suse.com>
+
+commit 92d32170847bfff2dd08af2c016085779f2fd2a1 upstream.
+
+The last update to readdir introduced a temporary buffer to store the
+emitted readdir data, but as there are file names of variable length,
+there's a lot of unaligned access.
+
+This was observed on a sparc64 machine:
+
+ Kernel unaligned access at TPC[102f3080] btrfs_real_readdir+0x51c/0x718 [btrfs]
+
+Fixes: 23b5ec74943 ("btrfs: fix readdir deadlock with pagefault")
+CC: stable@vger.kernel.org # 4.14+
+Reported-and-tested-by: René Rebe <rene@exactcode.com>
+Reviewed-by: Liu Bo <bo.liu@linux.alibaba.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/inode.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -44,6 +44,7 @@
+ #include <linux/uio.h>
+ #include <linux/magic.h>
+ #include <linux/iversion.h>
++#include <asm/unaligned.h>
+ #include "ctree.h"
+ #include "disk-io.h"
+ #include "transaction.h"
+@@ -5951,11 +5952,13 @@ static int btrfs_filldir(void *addr, int
+ struct dir_entry *entry = addr;
+ char *name = (char *)(entry + 1);
+
+- ctx->pos = entry->offset;
+- if (!dir_emit(ctx, name, entry->name_len, entry->ino,
+- entry->type))
++ ctx->pos = get_unaligned(&entry->offset);
++ if (!dir_emit(ctx, name, get_unaligned(&entry->name_len),
++ get_unaligned(&entry->ino),
++ get_unaligned(&entry->type)))
+ return 1;
+- addr += sizeof(struct dir_entry) + entry->name_len;
++ addr += sizeof(struct dir_entry) +
++ get_unaligned(&entry->name_len);
+ ctx->pos++;
+ }
+ return 0;
+@@ -6045,14 +6048,15 @@ again:
+ }
+
+ entry = addr;
+- entry->name_len = name_len;
++ put_unaligned(name_len, &entry->name_len);
+ name_ptr = (char *)(entry + 1);
+ read_extent_buffer(leaf, name_ptr, (unsigned long)(di + 1),
+ name_len);
+- entry->type = btrfs_filetype_table[btrfs_dir_type(leaf, di)];
++ put_unaligned(btrfs_filetype_table[btrfs_dir_type(leaf, di)],
++ &entry->type);
+ btrfs_dir_item_key_to_cpu(leaf, di, &location);
+- entry->ino = location.objectid;
+- entry->offset = found_key.offset;
++ put_unaligned(location.objectid, &entry->ino);
++ put_unaligned(found_key.offset, &entry->offset);
+ entries++;
+ addr += sizeof(struct dir_entry) + name_len;
+ total_len += sizeof(struct dir_entry) + name_len;
--- /dev/null
+From 1d0cffa674cfa7d185a302c8c6850fc50b893bed Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Fri, 20 Apr 2018 12:19:07 -0500
+Subject: cifs: do not allow creating sockets except with SMB1 posix exensions
+
+From: Steve French <smfrench@gmail.com>
+
+commit 1d0cffa674cfa7d185a302c8c6850fc50b893bed upstream.
+
+RHBZ: 1453123
+
+Since at least the 3.10 kernel and likely a lot earlier we have
+not been able to create unix domain sockets in a cifs share
+when mounted using the SFU mount option (except when mounted
+with the cifs unix extensions to Samba e.g.)
+Trying to create a socket, for example using the af_unix command from
+xfstests will cause :
+BUG: unable to handle kernel NULL pointer dereference at 00000000
+00000040
+
+Since no one uses or depends on being able to create unix domains sockets
+on a cifs share the easiest fix to stop this vulnerability is to simply
+not allow creation of any other special files than char or block devices
+when sfu is used.
+
+Added update to Ronnie's patch to handle a tcon link leak, and
+to address a buf leak noticed by Gustavo and Colin.
+
+Acked-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+CC: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Reported-by: Eryu Guan <eguan@redhat.com>
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/dir.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -684,6 +684,9 @@ int cifs_mknod(struct inode *inode, stru
+ goto mknod_out;
+ }
+
++ if (!S_ISCHR(mode) && !S_ISBLK(mode))
++ goto mknod_out;
++
+ if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UNX_EMUL))
+ goto mknod_out;
+
+@@ -692,10 +695,8 @@ int cifs_mknod(struct inode *inode, stru
+
+ buf = kmalloc(sizeof(FILE_ALL_INFO), GFP_KERNEL);
+ if (buf == NULL) {
+- kfree(full_path);
+ rc = -ENOMEM;
+- free_xid(xid);
+- return rc;
++ goto mknod_out;
+ }
+
+ if (backup_cred(cifs_sb))
+@@ -742,7 +743,7 @@ int cifs_mknod(struct inode *inode, stru
+ pdev->minor = cpu_to_le64(MINOR(device_number));
+ rc = tcon->ses->server->ops->sync_write(xid, &fid, &io_parms,
+ &bytes_written, iov, 1);
+- } /* else if (S_ISFIFO) */
++ }
+ tcon->ses->server->ops->close(xid, tcon, &fid);
+ d_drop(direntry);
+
--- /dev/null
+From ab60ee7bf9a84954f50a66a3d835860e80f99b7f Mon Sep 17 00:00:00 2001
+From: Long Li <longli@microsoft.com>
+Date: Tue, 17 Apr 2018 12:17:05 -0700
+Subject: cifs: smbd: Check for iov length on sending the last iov
+
+From: Long Li <longli@microsoft.com>
+
+commit ab60ee7bf9a84954f50a66a3d835860e80f99b7f upstream.
+
+When sending the last iov that breaks into smaller buffers to fit the
+transfer size, it's necessary to check if this is the last iov.
+
+If this is the latest iov, stop and proceed to send pages.
+
+Signed-off-by: Long Li <longli@microsoft.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smbdirect.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/cifs/smbdirect.c
++++ b/fs/cifs/smbdirect.c
+@@ -2194,6 +2194,8 @@ int smbd_send(struct smbd_connection *in
+ goto done;
+ }
+ i++;
++ if (i == rqst->rq_nvec)
++ break;
+ }
+ start = i;
+ buflen = 0;
--- /dev/null
+From 7407188489c62a7b5694bc75a6db2b82af94c9a5 Mon Sep 17 00:00:00 2001
+From: Anson Huang <Anson.Huang@nxp.com>
+Date: Thu, 19 Apr 2018 14:04:43 +0800
+Subject: clocksource/imx-tpm: Correct -ETIME return condition check
+
+From: Anson Huang <Anson.Huang@nxp.com>
+
+commit 7407188489c62a7b5694bc75a6db2b82af94c9a5 upstream.
+
+The additional brakects added to tpm_set_next_event's return value
+computation causes (int) forced type conversion NOT taking effect, and the
+incorrect value return will cause various system timer issue, like RCU
+stall etc..
+
+Remove the additional brackets to make sure tpm_set_next_event always
+returns correct value.
+
+Fixes: 059ab7b82eec ("clocksource/drivers/imx-tpm: Add imx tpm timer support")
+Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Dong Aisheng <Aisheng.dong@nxp.com>
+Cc: stable@vger.kernel.org
+Cc: daniel.lezcano@linaro.org
+Cc: Linux-imx@nxp.com
+Link: https://lkml.kernel.org/r/1524117883-2484-1-git-send-email-Anson.Huang@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clocksource/timer-imx-tpm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clocksource/timer-imx-tpm.c
++++ b/drivers/clocksource/timer-imx-tpm.c
+@@ -105,7 +105,7 @@ static int tpm_set_next_event(unsigned l
+ * of writing CNT registers which may cause the min_delta event got
+ * missed, so we need add a ETIME check here in case it happened.
+ */
+- return (int)((next - now) <= 0) ? -ETIME : 0;
++ return (int)(next - now) <= 0 ? -ETIME : 0;
+ }
+
+ static int tpm_set_state_oneshot(struct clock_event_device *evt)
--- /dev/null
+From b4615730530be85fc45ab4631c2ad6d8e2d0b97d Mon Sep 17 00:00:00 2001
+From: Gaurav K Singh <gaurav.k.singh@intel.com>
+Date: Tue, 17 Apr 2018 23:52:18 +0530
+Subject: drm/i915/audio: Fix audio detection issue on GLK
+
+From: Gaurav K Singh <gaurav.k.singh@intel.com>
+
+commit b4615730530be85fc45ab4631c2ad6d8e2d0b97d upstream.
+
+On Geminilake, sometimes audio card is not getting
+detected after reboot. This is a spurious issue happening on
+Geminilake. HW codec and HD audio controller link was going
+out of sync for which there was a fix in i915 driver but
+was not getting invoked for GLK. Extending this fix to GLK as well.
+
+Tested by Du,Wenkai on GLK board.
+
+Bspec: 21829
+
+v2: Instead of checking GEN9_BC, BXT and GLK macros, use IS_GEN9 macro (Jani N)
+
+Cc: <stable@vger.kernel.org> # b651bd2a3ae3 ("drm/i915/audio: Fix audio enumeration issue on BXT")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Gaurav K Singh <gaurav.k.singh@intel.com>
+Reviewed-by: Abhay Kumar <abhay.Kumar@intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1523989338-29677-1-git-send-email-gaurav.k.singh@intel.com
+(cherry picked from commit 8221229046e862977ae93ec9d34aa583fbd10397)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_audio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_audio.c
++++ b/drivers/gpu/drm/i915/intel_audio.c
+@@ -729,7 +729,7 @@ static void i915_audio_component_codec_w
+ struct drm_i915_private *dev_priv = kdev_to_i915(kdev);
+ u32 tmp;
+
+- if (!IS_GEN9_BC(dev_priv))
++ if (!IS_GEN9(dev_priv))
+ return;
+
+ i915_audio_component_get_power(kdev);
--- /dev/null
+From a3520b8992e57bc94ab6ec9f95f09c6c932555fd Mon Sep 17 00:00:00 2001
+From: Jani Nikula <jani.nikula@intel.com>
+Date: Wed, 11 Apr 2018 16:15:18 +0300
+Subject: drm/i915/bios: filter out invalid DDC pins from VBT child devices
+
+From: Jani Nikula <jani.nikula@intel.com>
+
+commit a3520b8992e57bc94ab6ec9f95f09c6c932555fd upstream.
+
+The VBT contains the DDC pin to use for specific ports. Alas, sometimes
+the field appears to contain bogus data, and while we check for it later
+on in intel_gmbus_get_adapter() we fail to check the returned NULL on
+errors. Oops results.
+
+The simplest approach seems to be to catch and ignore the bogus DDC pins
+already at the VBT parsing phase, reverting to fixed per port default
+pins. This doesn't guarantee display working, but at least it prevents
+the oops. And we continue to be fuzzed by VBT.
+
+One affected machine is Dell Latitude 5590 where a BIOS upgrade added
+invalid DDC pins.
+
+Typical backtrace:
+
+[ 35.461411] WARN_ON(!intel_gmbus_is_valid_pin(dev_priv, pin))
+[ 35.461432] WARNING: CPU: 6 PID: 411 at drivers/gpu/drm/i915/intel_i2c.c:844 intel_gmbus_get_adapter+0x32/0x37 [i915]
+[ 35.461437] Modules linked in: i915 ahci libahci dm_snapshot dm_bufio dm_raid raid456 async_raid6_recov async_pq raid6_pq async_xor xor async_memcpy async_tx
+[ 35.461445] CPU: 6 PID: 411 Comm: kworker/u16:2 Not tainted 4.16.0-rc7.x64-g1cda370ffded #1
+[ 35.461447] Hardware name: Dell Inc. Latitude 5590/0MM81M, BIOS 1.1.9 03/13/2018
+[ 35.461450] Workqueue: events_unbound async_run_entry_fn
+[ 35.461465] RIP: 0010:intel_gmbus_get_adapter+0x32/0x37 [i915]
+[ 35.461467] RSP: 0018:ffff9b4e43d47c40 EFLAGS: 00010286
+[ 35.461469] RAX: 0000000000000000 RBX: ffff98f90639f800 RCX: ffffffffae051960
+[ 35.461471] RDX: 0000000000000001 RSI: 0000000000000092 RDI: 0000000000000246
+[ 35.461472] RBP: ffff98f905410000 R08: 0000004d062a83f6 R09: 00000000000003bd
+[ 35.461474] R10: 0000000000000031 R11: ffffffffad4eda58 R12: ffff98f905410000
+[ 35.461475] R13: ffff98f9064c1000 R14: ffff9b4e43d47cf0 R15: ffff98f905410000
+[ 35.461477] FS: 0000000000000000(0000) GS:ffff98f92e580000(0000) knlGS:0000000000000000
+[ 35.461479] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 35.461481] CR2: 00007f5682359008 CR3: 00000001b700c005 CR4: 00000000003606e0
+[ 35.461483] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 35.461484] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 35.461486] Call Trace:
+[ 35.461501] intel_hdmi_set_edid+0x37/0x27f [i915]
+[ 35.461515] intel_hdmi_detect+0x7c/0x97 [i915]
+[ 35.461518] drm_helper_probe_single_connector_modes+0xe1/0x6c0
+[ 35.461521] drm_setup_crtcs+0x129/0xa6a
+[ 35.461523] ? __switch_to_asm+0x34/0x70
+[ 35.461525] ? __switch_to_asm+0x34/0x70
+[ 35.461527] ? __switch_to_asm+0x40/0x70
+[ 35.461528] ? __switch_to_asm+0x34/0x70
+[ 35.461529] ? __switch_to_asm+0x40/0x70
+[ 35.461531] ? __switch_to_asm+0x34/0x70
+[ 35.461532] ? __switch_to_asm+0x40/0x70
+[ 35.461534] ? __switch_to_asm+0x34/0x70
+[ 35.461536] __drm_fb_helper_initial_config_and_unlock+0x34/0x46f
+[ 35.461538] ? __switch_to_asm+0x40/0x70
+[ 35.461541] ? _cond_resched+0x10/0x33
+[ 35.461557] intel_fbdev_initial_config+0xf/0x1c [i915]
+[ 35.461560] async_run_entry_fn+0x2e/0xf5
+[ 35.461563] process_one_work+0x15b/0x364
+[ 35.461565] worker_thread+0x2c/0x3a0
+[ 35.461567] ? process_one_work+0x364/0x364
+[ 35.461568] kthread+0x10c/0x122
+[ 35.461570] ? _kthread_create_on_node+0x5d/0x5d
+[ 35.461572] ret_from_fork+0x35/0x40
+[ 35.461574] Code: 74 16 89 f6 48 8d 04 b6 48 c1 e0 05 48 29 f0 48 8d 84 c7 e8 11 00 00 c3 48 c7 c6 b0 19 1e c0 48 c7 c7 64 8a 1c c0 e8 47 88 ed ec <0f> 0b 31 c0 c3 8b 87 a4 04 00 00 80 e4 fc 09 c6 89 b7 a4 04 00
+[ 35.461604] WARNING: CPU: 6 PID: 411 at drivers/gpu/drm/i915/intel_i2c.c:844 intel_gmbus_get_adapter+0x32/0x37 [i915]
+[ 35.461606] ---[ end trace 4fe1e63e2dd93373 ]---
+[ 35.461609] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
+[ 35.461613] IP: i2c_transfer+0x4/0x86
+[ 35.461614] PGD 0 P4D 0
+[ 35.461616] Oops: 0000 [#1] SMP PTI
+[ 35.461618] Modules linked in: i915 ahci libahci dm_snapshot dm_bufio dm_raid raid456 async_raid6_recov async_pq raid6_pq async_xor xor async_memcpy async_tx
+[ 35.461624] CPU: 6 PID: 411 Comm: kworker/u16:2 Tainted: G W 4.16.0-rc7.x64-g1cda370ffded #1
+[ 35.461625] Hardware name: Dell Inc. Latitude 5590/0MM81M, BIOS 1.1.9 03/13/2018
+[ 35.461628] Workqueue: events_unbound async_run_entry_fn
+[ 35.461630] RIP: 0010:i2c_transfer+0x4/0x86
+[ 35.461631] RSP: 0018:ffff9b4e43d47b30 EFLAGS: 00010246
+[ 35.461633] RAX: ffff9b4e43d47b6e RBX: 0000000000000005 RCX: 0000000000000001
+[ 35.461635] RDX: 0000000000000002 RSI: ffff9b4e43d47b80 RDI: 0000000000000000
+[ 35.461636] RBP: ffff9b4e43d47bd8 R08: 0000004d062a83f6 R09: 00000000000003bd
+[ 35.461638] R10: 0000000000000031 R11: ffffffffad4eda58 R12: 0000000000000002
+[ 35.461639] R13: 0000000000000001 R14: ffff9b4e43d47b6f R15: ffff9b4e43d47c07
+[ 35.461641] FS: 0000000000000000(0000) GS:ffff98f92e580000(0000) knlGS:0000000000000000
+[ 35.461643] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 35.461645] CR2: 0000000000000010 CR3: 00000001b700c005 CR4: 00000000003606e0
+[ 35.461646] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 35.461647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 35.461649] Call Trace:
+[ 35.461652] drm_do_probe_ddc_edid+0xb3/0x128
+[ 35.461654] drm_get_edid+0xe5/0x38d
+[ 35.461669] intel_hdmi_set_edid+0x45/0x27f [i915]
+[ 35.461684] intel_hdmi_detect+0x7c/0x97 [i915]
+[ 35.461687] drm_helper_probe_single_connector_modes+0xe1/0x6c0
+[ 35.461689] drm_setup_crtcs+0x129/0xa6a
+[ 35.461691] ? __switch_to_asm+0x34/0x70
+[ 35.461693] ? __switch_to_asm+0x34/0x70
+[ 35.461694] ? __switch_to_asm+0x40/0x70
+[ 35.461696] ? __switch_to_asm+0x34/0x70
+[ 35.461697] ? __switch_to_asm+0x40/0x70
+[ 35.461698] ? __switch_to_asm+0x34/0x70
+[ 35.461700] ? __switch_to_asm+0x40/0x70
+[ 35.461701] ? __switch_to_asm+0x34/0x70
+[ 35.461703] __drm_fb_helper_initial_config_and_unlock+0x34/0x46f
+[ 35.461705] ? __switch_to_asm+0x40/0x70
+[ 35.461707] ? _cond_resched+0x10/0x33
+[ 35.461724] intel_fbdev_initial_config+0xf/0x1c [i915]
+[ 35.461727] async_run_entry_fn+0x2e/0xf5
+[ 35.461729] process_one_work+0x15b/0x364
+[ 35.461731] worker_thread+0x2c/0x3a0
+[ 35.461733] ? process_one_work+0x364/0x364
+[ 35.461734] kthread+0x10c/0x122
+[ 35.461736] ? _kthread_create_on_node+0x5d/0x5d
+[ 35.461738] ret_from_fork+0x35/0x40
+[ 35.461739] Code: 5c fa e1 ad 48 89 df e8 ea fb ff ff e9 2a ff ff ff 0f 1f 44 00 00 31 c0 e9 43 fd ff ff 31 c0 45 31 e4 e9 c5 fd ff ff 41 54 55 53 <48> 8b 47 10 48 83 78 10 00 74 70 41 89 d4 48 89 f5 48 89 fb 65
+[ 35.461756] RIP: i2c_transfer+0x4/0x86 RSP: ffff9b4e43d47b30
+[ 35.461757] CR2: 0000000000000010
+[ 35.461759] ---[ end trace 4fe1e63e2dd93374 ]---
+
+Based on a patch by Fei Li.
+
+v2: s/reverting/sticking/ (Chris)
+
+Cc: stable@vger.kernel.org
+Cc: Fei Li <fei.li@intel.com>
+Co-developed-by: Fei Li <fei.li@intel.com>
+Reported-by: Pavel Nakonechnyi <zorg1331@gmail.com>
+Reported-and-tested-by: Seweryn Kokot <sewkokot@gmail.com>
+Reported-and-tested-by: Laszlo Valko <valko@linux.karinthy.hu>
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105549
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105961
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180411131519.9091-1-jani.nikula@intel.com
+(cherry picked from commit f212bf9abe5de9f938fecea7df07046e74052dde)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_bios.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_bios.c
++++ b/drivers/gpu/drm/i915/intel_bios.c
+@@ -1255,7 +1255,6 @@ static void parse_ddi_port(struct drm_i9
+ return;
+
+ aux_channel = child->aux_channel;
+- ddc_pin = child->ddc_pin;
+
+ is_dvi = child->device_type & DEVICE_TYPE_TMDS_DVI_SIGNALING;
+ is_dp = child->device_type & DEVICE_TYPE_DISPLAYPORT_OUTPUT;
+@@ -1302,9 +1301,15 @@ static void parse_ddi_port(struct drm_i9
+ DRM_DEBUG_KMS("Port %c is internal DP\n", port_name(port));
+
+ if (is_dvi) {
+- info->alternate_ddc_pin = map_ddc_pin(dev_priv, ddc_pin);
+-
+- sanitize_ddc_pin(dev_priv, port);
++ ddc_pin = map_ddc_pin(dev_priv, child->ddc_pin);
++ if (intel_gmbus_is_valid_pin(dev_priv, ddc_pin)) {
++ info->alternate_ddc_pin = ddc_pin;
++ sanitize_ddc_pin(dev_priv, port);
++ } else {
++ DRM_DEBUG_KMS("Port %c has invalid DDC pin %d, "
++ "sticking to defaults\n",
++ port_name(port), ddc_pin);
++ }
+ }
+
+ if (is_dp) {
--- /dev/null
+From fcf1fadf4c65eea6c519c773d2d9901e8ad94f5f Mon Sep 17 00:00:00 2001
+From: Xidong Wang <wangxidong_97@163.com>
+Date: Wed, 4 Apr 2018 10:38:24 +0100
+Subject: drm/i915: Do no use kfree() to free a kmem_cache_alloc() return value
+
+From: Xidong Wang <wangxidong_97@163.com>
+
+commit fcf1fadf4c65eea6c519c773d2d9901e8ad94f5f upstream.
+
+Along the eb_lookup_vmas() error path, the return value from
+kmem_cache_alloc() was freed using kfree(). Fix it to use the proper
+kmem_cache_free() instead.
+
+Fixes: d1b48c1e7184 ("drm/i915: Replace execbuf vma ht with an idr")
+Signed-off-by: Xidong Wang <wangxidong_97@163.com>
+Cc: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Cc: <stable@vger.kernel.org> # v4.14+
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180404093824.9313-1-chris@chris-wilson.co.uk
+(cherry picked from commit 6be1187dbffa0027ea379c53f7ca0c782515c610)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -728,7 +728,7 @@ static int eb_lookup_vmas(struct i915_ex
+
+ err = radix_tree_insert(handles_vma, handle, vma);
+ if (unlikely(err)) {
+- kfree(lut);
++ kmem_cache_free(eb->i915->luts, lut);
+ goto err_obj;
+ }
+
--- /dev/null
+From 7eb2c4dd54ff841f2fe509a84973eb25fa20bda2 Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Mon, 16 Apr 2018 18:53:09 +0300
+Subject: drm/i915: Fix LSPCON TMDS output buffer enabling from low-power state
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Imre Deak <imre.deak@intel.com>
+
+commit 7eb2c4dd54ff841f2fe509a84973eb25fa20bda2 upstream.
+
+LSPCON adapters in low-power state may ignore the first I2C write during
+TMDS output buffer enabling, resulting in a blank screen even with an
+otherwise enabled pipe. Fix this by reading back and validating the
+written value a few times.
+
+The problem was noticed on GLK machines with an onboard LSPCON adapter
+after entering/exiting DC5 power state. Doing an I2C read of the adapter
+ID as the first transaction - instead of the I2C write to enable the
+TMDS buffers - returns the correct value. Based on this we assume that
+the transaction itself is sent properly, it's only the adapter that is
+not ready for some reason to accept this first write after waking from
+low-power state. In my case the second I2C write attempt always
+succeeded.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105854
+Cc: Clinton Taylor <clinton.a.taylor@intel.com>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180416155309.11100-1-imre.deak@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_dp_dual_mode_helper.c | 39 ++++++++++++++++++++++++------
+ 1 file changed, 32 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/drm_dp_dual_mode_helper.c
++++ b/drivers/gpu/drm/drm_dp_dual_mode_helper.c
+@@ -350,19 +350,44 @@ int drm_dp_dual_mode_set_tmds_output(enu
+ {
+ uint8_t tmds_oen = enable ? 0 : DP_DUAL_MODE_TMDS_DISABLE;
+ ssize_t ret;
++ int retry;
+
+ if (type < DRM_DP_DUAL_MODE_TYPE2_DVI)
+ return 0;
+
+- ret = drm_dp_dual_mode_write(adapter, DP_DUAL_MODE_TMDS_OEN,
+- &tmds_oen, sizeof(tmds_oen));
+- if (ret) {
+- DRM_DEBUG_KMS("Failed to %s TMDS output buffers\n",
+- enable ? "enable" : "disable");
+- return ret;
++ /*
++ * LSPCON adapters in low-power state may ignore the first write, so
++ * read back and verify the written value a few times.
++ */
++ for (retry = 0; retry < 3; retry++) {
++ uint8_t tmp;
++
++ ret = drm_dp_dual_mode_write(adapter, DP_DUAL_MODE_TMDS_OEN,
++ &tmds_oen, sizeof(tmds_oen));
++ if (ret) {
++ DRM_DEBUG_KMS("Failed to %s TMDS output buffers (%d attempts)\n",
++ enable ? "enable" : "disable",
++ retry + 1);
++ return ret;
++ }
++
++ ret = drm_dp_dual_mode_read(adapter, DP_DUAL_MODE_TMDS_OEN,
++ &tmp, sizeof(tmp));
++ if (ret) {
++ DRM_DEBUG_KMS("I2C read failed during TMDS output buffer %s (%d attempts)\n",
++ enable ? "enabling" : "disabling",
++ retry + 1);
++ return ret;
++ }
++
++ if (tmp == tmds_oen)
++ return 0;
+ }
+
+- return 0;
++ DRM_DEBUG_KMS("I2C write value mismatch during TMDS output buffer %s\n",
++ enable ? "enabling" : "disabling");
++
++ return -EIO;
+ }
+ EXPORT_SYMBOL(drm_dp_dual_mode_set_tmds_output);
+
--- /dev/null
+From 10996f802109c83421ca30556cfe36ffc3bebae3 Mon Sep 17 00:00:00 2001
+From: Tina Zhang <tina.zhang@intel.com>
+Date: Wed, 28 Mar 2018 13:49:29 +0800
+Subject: drm/i915/gvt: Add drm_format_mod update
+
+From: Tina Zhang <tina.zhang@intel.com>
+
+commit 10996f802109c83421ca30556cfe36ffc3bebae3 upstream.
+
+Add drm_format_mod update, which is omitted.
+
+Fixes: e546e281("drm/i915/gvt: Dmabuf support for GVT-g")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tina Zhang <tina.zhang@intel.com>
+Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/gvt/dmabuf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/i915/gvt/dmabuf.c
++++ b/drivers/gpu/drm/i915/gvt/dmabuf.c
+@@ -323,6 +323,7 @@ static void update_fb_info(struct vfio_d
+ struct intel_vgpu_fb_info *fb_info)
+ {
+ gvt_dmabuf->drm_format = fb_info->drm_format;
++ gvt_dmabuf->drm_format_mod = fb_info->drm_format_mod;
+ gvt_dmabuf->width = fb_info->width;
+ gvt_dmabuf->height = fb_info->height;
+ gvt_dmabuf->stride = fb_info->stride;
--- /dev/null
+From 9f591ae60e1be026901398ef99eede91237aa3a1 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 21 Mar 2018 15:08:47 +0100
+Subject: drm/i915/gvt: throw error on unhandled vfio ioctls
+
+From: Gerd Hoffmann <kraxel@redhat.com>
+
+commit 9f591ae60e1be026901398ef99eede91237aa3a1 upstream.
+
+On unknown/unhandled ioctls the driver should return an error, so
+userspace knows it tried to use something unsupported.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/gvt/kvmgt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/gvt/kvmgt.c
++++ b/drivers/gpu/drm/i915/gvt/kvmgt.c
+@@ -1284,7 +1284,7 @@ static long intel_vgpu_ioctl(struct mdev
+
+ }
+
+- return 0;
++ return -ENOTTY;
+ }
+
+ static ssize_t
--- /dev/null
+From c0db1b677e1d584fab5d7ac76a32e1c0157542e0 Mon Sep 17 00:00:00 2001
+From: Daniel J Blueman <daniel@quora.org>
+Date: Mon, 2 Apr 2018 15:10:35 +0800
+Subject: drm/vc4: Fix memory leak during BO teardown
+
+From: Daniel J Blueman <daniel@quora.org>
+
+commit c0db1b677e1d584fab5d7ac76a32e1c0157542e0 upstream.
+
+During BO teardown, an indirect list 'uniform_addr_offsets' wasn't being
+freed leading to leaking many 128B allocations. Fix the memory leak by
+releasing it at teardown time.
+
+Cc: stable@vger.kernel.org
+Fixes: 6d45c81d229d ("drm/vc4: Add support for branching in shader validation.")
+Signed-off-by: Daniel J Blueman <daniel@quora.org>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180402071035.25356-1-daniel@quora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/vc4/vc4_bo.c | 2 ++
+ drivers/gpu/drm/vc4/vc4_validate_shaders.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/vc4/vc4_bo.c
++++ b/drivers/gpu/drm/vc4/vc4_bo.c
+@@ -195,6 +195,7 @@ static void vc4_bo_destroy(struct vc4_bo
+ vc4_bo_set_label(obj, -1);
+
+ if (bo->validated_shader) {
++ kfree(bo->validated_shader->uniform_addr_offsets);
+ kfree(bo->validated_shader->texture_samples);
+ kfree(bo->validated_shader);
+ bo->validated_shader = NULL;
+@@ -591,6 +592,7 @@ void vc4_free_object(struct drm_gem_obje
+ }
+
+ if (bo->validated_shader) {
++ kfree(bo->validated_shader->uniform_addr_offsets);
+ kfree(bo->validated_shader->texture_samples);
+ kfree(bo->validated_shader);
+ bo->validated_shader = NULL;
+--- a/drivers/gpu/drm/vc4/vc4_validate_shaders.c
++++ b/drivers/gpu/drm/vc4/vc4_validate_shaders.c
+@@ -942,6 +942,7 @@ vc4_validate_shader(struct drm_gem_cma_o
+ fail:
+ kfree(validation_state.branch_targets);
+ if (validated_shader) {
++ kfree(validated_shader->uniform_addr_offsets);
+ kfree(validated_shader->texture_samples);
+ kfree(validated_shader);
+ }
--- /dev/null
+From c3bca5d450b620dd3d36e14b5e1f43639fd47d6b Mon Sep 17 00:00:00 2001
+From: Laura Abbott <labbott@redhat.com>
+Date: Tue, 17 Apr 2018 14:57:42 -0700
+Subject: posix-cpu-timers: Ensure set_process_cpu_timer is always evaluated
+
+From: Laura Abbott <labbott@redhat.com>
+
+commit c3bca5d450b620dd3d36e14b5e1f43639fd47d6b upstream.
+
+Commit a9445e47d897 ("posix-cpu-timers: Make set_process_cpu_timer()
+more robust") moved the check into the 'if' statement. Unfortunately,
+it did so on the right side of an && which means that it may get short
+circuited and never evaluated. This is easily reproduced with:
+
+$ cat loop.c
+void main() {
+ struct rlimit res;
+ /* set the CPU time limit */
+ getrlimit(RLIMIT_CPU,&res);
+ res.rlim_cur = 2;
+ res.rlim_max = 2;
+ setrlimit(RLIMIT_CPU,&res);
+
+ while (1);
+}
+
+Which will hang forever instead of being killed. Fix this by pulling the
+evaluation out of the if statement but checking the return value instead.
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1568337
+Fixes: a9445e47d897 ("posix-cpu-timers: Make set_process_cpu_timer() more robust")
+Signed-off-by: Laura Abbott <labbott@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Cc: "Max R . P . Grossmann" <m@max.pm>
+Cc: John Stultz <john.stultz@linaro.org>
+Link: https://lkml.kernel.org/r/20180417215742.2521-1-labbott@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/posix-cpu-timers.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/time/posix-cpu-timers.c
++++ b/kernel/time/posix-cpu-timers.c
+@@ -1205,10 +1205,12 @@ void set_process_cpu_timer(struct task_s
+ u64 *newval, u64 *oldval)
+ {
+ u64 now;
++ int ret;
+
+ WARN_ON_ONCE(clock_idx == CPUCLOCK_SCHED);
++ ret = cpu_timer_sample_group(clock_idx, tsk, &now);
+
+- if (oldval && cpu_timer_sample_group(clock_idx, tsk, &now) != -EINVAL) {
++ if (oldval && ret != -EINVAL) {
+ /*
+ * We are setting itimer. The *oldval is absolute and we update
+ * it to be relative, *newval argument is relative and we update
--- /dev/null
+From 10daf10ab154e31237a8c07242be3063fb6a9bf4 Mon Sep 17 00:00:00 2001
+From: Dou Liyang <douly.fnst@cn.fujitsu.com>
+Date: Thu, 12 Apr 2018 09:40:52 +0800
+Subject: x86/acpi: Prevent X2APIC id 0xffffffff from being accounted
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dou Liyang <douly.fnst@cn.fujitsu.com>
+
+commit 10daf10ab154e31237a8c07242be3063fb6a9bf4 upstream.
+
+RongQing reported that there are some X2APIC id 0xffffffff in his machine's
+ACPI MADT table, which makes the number of possible CPU inaccurate.
+
+The reason is that the ACPI X2APIC parser has no sanity check for APIC ID
+0xffffffff, which is an invalid id in all APIC types. See "Intel® 64
+Architecture x2APIC Specification", Chapter 2.4.1.
+
+Add a sanity check to acpi_parse_x2apic() which ignores the invalid id.
+
+Reported-by: Li RongQing <lirongqing@baidu.com>
+Signed-off-by: Dou Liyang <douly.fnst@cn.fujitsu.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Cc: len.brown@intel.com
+Cc: rjw@rjwysocki.net
+Cc: hpa@zytor.com
+Link: https://lkml.kernel.org/r/20180412014052.25186-1-douly.fnst@cn.fujitsu.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/acpi/boot.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/x86/kernel/acpi/boot.c
++++ b/arch/x86/kernel/acpi/boot.c
+@@ -215,6 +215,10 @@ acpi_parse_x2apic(struct acpi_subtable_h
+ apic_id = processor->local_apic_id;
+ enabled = processor->lapic_flags & ACPI_MADT_ENABLED;
+
++ /* Ignore invalid ID */
++ if (apic_id == 0xffffffff)
++ return 0;
++
+ /*
+ * We need to register disabled CPU as well to permit
+ * counting disabled CPUs. This allows us to size
--- /dev/null
+From d3878e164dcd3925a237a20e879432400e369172 Mon Sep 17 00:00:00 2001
+From: Xiaoming Gao <gxm.linux.kernel@gmail.com>
+Date: Fri, 13 Apr 2018 17:48:08 +0800
+Subject: x86/tsc: Prevent 32bit truncation in calc_hpet_ref()
+
+From: Xiaoming Gao <gxm.linux.kernel@gmail.com>
+
+commit d3878e164dcd3925a237a20e879432400e369172 upstream.
+
+The TSC calibration code uses HPET as reference. The conversion normalizes
+the delta of two HPET timestamps:
+
+ hpetref = ((tshpet1 - tshpet2) * HPET_PERIOD) / 1e6
+
+and then divides the normalized delta of the corresponding TSC timestamps
+by the result to calulate the TSC frequency.
+
+ tscfreq = ((tstsc1 - tstsc2 ) * 1e6) / hpetref
+
+This uses do_div() which takes an u32 as the divisor, which worked so far
+because the HPET frequency was low enough that 'hpetref' never exceeded
+32bit.
+
+On Skylake machines the HPET frequency increased so 'hpetref' can exceed
+32bit. do_div() truncates the divisor, which causes the calibration to
+fail.
+
+Use div64_u64() to avoid the problem.
+
+[ tglx: Fixes whitespace mangled patch and rewrote changelog ]
+
+Signed-off-by: Xiaoming Gao <newtongao@tencent.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Cc: peterz@infradead.org
+Cc: hpa@zytor.com
+Link: https://lkml.kernel.org/r/38894564-4fc9-b8ec-353f-de702839e44e@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/tsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/tsc.c
++++ b/arch/x86/kernel/tsc.c
+@@ -317,7 +317,7 @@ static unsigned long calc_hpet_ref(u64 d
+ hpet2 -= hpet1;
+ tmp = ((u64)hpet2 * hpet_readl(HPET_PERIOD));
+ do_div(tmp, 1000000);
+- do_div(deltatsc, tmp);
++ deltatsc = div64_u64(deltatsc, tmp);
+
+ return (unsigned long) deltatsc;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
