--- /dev/null
+From 932b50c7c1c65e6f23002e075b97ee083c4a9e71 Mon Sep 17 00:00:00 2001
+From: Shanker Donthineni <shankerd@codeaurora.org>
+Date: Mon, 11 Dec 2017 16:42:32 -0600
+Subject: arm64: Add software workaround for Falkor erratum 1041
+
+From: Shanker Donthineni <shankerd@codeaurora.org>
+
+commit 932b50c7c1c65e6f23002e075b97ee083c4a9e71 upstream.
+
+The ARM architecture defines the memory locations that are permitted
+to be accessed as the result of a speculative instruction fetch from
+an exception level for which all stages of translation are disabled.
+Specifically, the core is permitted to speculatively fetch from the
+4KB region containing the current program counter 4K and next 4K.
+
+When translation is changed from enabled to disabled for the running
+exception level (SCTLR_ELn[M] changed from a value of 1 to 0), the
+Falkor core may errantly speculatively access memory locations outside
+of the 4KB region permitted by the architecture. The errant memory
+access may lead to one of the following unexpected behaviors.
+
+1) A System Error Interrupt (SEI) being raised by the Falkor core due
+ to the errant memory access attempting to access a region of memory
+ that is protected by a slave-side memory protection unit.
+2) Unpredictable device behavior due to a speculative read from device
+ memory. This behavior may only occur if the instruction cache is
+ disabled prior to or coincident with translation being changed from
+ enabled to disabled.
+
+The conditions leading to this erratum will not occur when either of the
+following occur:
+ 1) A higher exception level disables translation of a lower exception level
+ (e.g. EL2 changing SCTLR_EL1[M] from a value of 1 to 0).
+ 2) An exception level disabling its stage-1 translation if its stage-2
+ translation is enabled (e.g. EL1 changing SCTLR_EL1[M] from a value of 1
+ to 0 when HCR_EL2[VM] has a value of 1).
+
+To avoid the errant behavior, software must execute an ISB immediately
+prior to executing the MSR that will change SCTLR_ELn[M] from 1 to 0.
+
+Signed-off-by: Shanker Donthineni <shankerd@codeaurora.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Cc: Timur Tabi <timur@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/arm64/silicon-errata.txt | 1 +
+ arch/arm64/Kconfig | 10 ++++++++++
+ arch/arm64/include/asm/assembler.h | 10 ++++++++++
+ arch/arm64/kernel/cpu-reset.S | 1 +
+ arch/arm64/kernel/efi-entry.S | 2 ++
+ arch/arm64/kernel/head.S | 1 +
+ arch/arm64/kernel/relocate_kernel.S | 1 +
+ arch/arm64/kvm/hyp-init.S | 1 +
+ 8 files changed, 27 insertions(+)
+
+--- a/Documentation/arm64/silicon-errata.txt
++++ b/Documentation/arm64/silicon-errata.txt
+@@ -74,3 +74,4 @@ stable kernels.
+ | Qualcomm Tech. | Falkor v1 | E1003 | QCOM_FALKOR_ERRATUM_1003 |
+ | Qualcomm Tech. | Falkor v1 | E1009 | QCOM_FALKOR_ERRATUM_1009 |
+ | Qualcomm Tech. | QDF2400 ITS | E0065 | QCOM_QDF2400_ERRATUM_0065 |
++| Qualcomm Tech. | Falkor v{1,2} | E1041 | QCOM_FALKOR_ERRATUM_1041 |
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -539,6 +539,16 @@ config QCOM_QDF2400_ERRATUM_0065
+
+ If unsure, say Y.
+
++config QCOM_FALKOR_ERRATUM_E1041
++ bool "Falkor E1041: Speculative instruction fetches might cause errant memory access"
++ default y
++ help
++ Falkor CPU may speculatively fetch instructions from an improper
++ memory location when MMU translation is changed from SCTLR_ELn[M]=1
++ to SCTLR_ELn[M]=0. Prefix an ISB instruction to fix the problem.
++
++ If unsure, say Y.
++
+ endmenu
+
+
+--- a/arch/arm64/include/asm/assembler.h
++++ b/arch/arm64/include/asm/assembler.h
+@@ -499,4 +499,14 @@ alternative_else_nop_endif
+ #endif
+ .endm
+
++/**
++ * Errata workaround prior to disable MMU. Insert an ISB immediately prior
++ * to executing the MSR that will change SCTLR_ELn[M] from a value of 1 to 0.
++ */
++ .macro pre_disable_mmu_workaround
++#ifdef CONFIG_QCOM_FALKOR_ERRATUM_E1041
++ isb
++#endif
++ .endm
++
+ #endif /* __ASM_ASSEMBLER_H */
+--- a/arch/arm64/kernel/cpu-reset.S
++++ b/arch/arm64/kernel/cpu-reset.S
+@@ -37,6 +37,7 @@ ENTRY(__cpu_soft_restart)
+ mrs x12, sctlr_el1
+ ldr x13, =SCTLR_ELx_FLAGS
+ bic x12, x12, x13
++ pre_disable_mmu_workaround
+ msr sctlr_el1, x12
+ isb
+
+--- a/arch/arm64/kernel/efi-entry.S
++++ b/arch/arm64/kernel/efi-entry.S
+@@ -96,6 +96,7 @@ ENTRY(entry)
+ mrs x0, sctlr_el2
+ bic x0, x0, #1 << 0 // clear SCTLR.M
+ bic x0, x0, #1 << 2 // clear SCTLR.C
++ pre_disable_mmu_workaround
+ msr sctlr_el2, x0
+ isb
+ b 2f
+@@ -103,6 +104,7 @@ ENTRY(entry)
+ mrs x0, sctlr_el1
+ bic x0, x0, #1 << 0 // clear SCTLR.M
+ bic x0, x0, #1 << 2 // clear SCTLR.C
++ pre_disable_mmu_workaround
+ msr sctlr_el1, x0
+ isb
+ 2:
+--- a/arch/arm64/kernel/head.S
++++ b/arch/arm64/kernel/head.S
+@@ -732,6 +732,7 @@ __primary_switch:
+ * to take into account by discarding the current kernel mapping and
+ * creating a new one.
+ */
++ pre_disable_mmu_workaround
+ msr sctlr_el1, x20 // disable the MMU
+ isb
+ bl __create_page_tables // recreate kernel mapping
+--- a/arch/arm64/kernel/relocate_kernel.S
++++ b/arch/arm64/kernel/relocate_kernel.S
+@@ -45,6 +45,7 @@ ENTRY(arm64_relocate_new_kernel)
+ mrs x0, sctlr_el2
+ ldr x1, =SCTLR_ELx_FLAGS
+ bic x0, x0, x1
++ pre_disable_mmu_workaround
+ msr sctlr_el2, x0
+ isb
+ 1:
+--- a/arch/arm64/kvm/hyp-init.S
++++ b/arch/arm64/kvm/hyp-init.S
+@@ -151,6 +151,7 @@ reset:
+ mrs x5, sctlr_el2
+ ldr x6, =SCTLR_ELx_FLAGS
+ bic x5, x5, x6 // Clear SCTL_M and etc
++ pre_disable_mmu_workaround
+ msr sctlr_el2, x5
+ isb
+
--- /dev/null
+From c622cc013cece073722592cff1ac6643a33b1622 Mon Sep 17 00:00:00 2001
+From: Shanker Donthineni <shankerd@codeaurora.org>
+Date: Mon, 11 Dec 2017 16:42:31 -0600
+Subject: arm64: Define cputype macros for Falkor CPU
+
+From: Shanker Donthineni <shankerd@codeaurora.org>
+
+commit c622cc013cece073722592cff1ac6643a33b1622 upstream.
+
+Add cputype definition macros for Qualcomm Datacenter Technologies
+Falkor CPU in cputype.h. It's unfortunate that the first revision
+of the Falkor CPU used the wrong part number 0x800, got fixed in v2
+chip with part number 0xC00, and would be used the same value for
+future revisions.
+
+Signed-off-by: Shanker Donthineni <shankerd@codeaurora.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Cc: Timur Tabi <timur@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/cputype.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/include/asm/cputype.h
++++ b/arch/arm64/include/asm/cputype.h
+@@ -91,6 +91,7 @@
+ #define BRCM_CPU_PART_VULCAN 0x516
+
+ #define QCOM_CPU_PART_FALKOR_V1 0x800
++#define QCOM_CPU_PART_FALKOR 0xC00
+
+ #define MIDR_CORTEX_A53 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A53)
+ #define MIDR_CORTEX_A57 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A57)
+@@ -99,6 +100,7 @@
+ #define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX)
+ #define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX)
+ #define MIDR_QCOM_FALKOR_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_FALKOR_V1)
++#define MIDR_QCOM_FALKOR MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_FALKOR)
+
+ #ifndef __ASSEMBLY__
+
--- /dev/null
+From 9aca7e454415f7878b28524e76bebe1170911a88 Mon Sep 17 00:00:00 2001
+From: Daniel N Pettersson <danielnp@axis.com>
+Date: Thu, 11 Jan 2018 16:00:12 +0100
+Subject: cifs: Fix autonegotiate security settings mismatch
+
+From: Daniel N Pettersson <danielnp@axis.com>
+
+commit 9aca7e454415f7878b28524e76bebe1170911a88 upstream.
+
+Autonegotiation gives a security settings mismatch error if the SMB
+server selects an SMBv3 dialect that isn't SMB3.02. The exact error is
+"protocol revalidation - security settings mismatch".
+This can be tested using Samba v4.2 or by setting the global Samba
+setting max protocol = SMB3_00.
+
+The check that fails in smb3_validate_negotiate is the dialect
+verification of the negotiate info response. This is because it tries
+to verify against the protocol_id in the global smbdefault_values. The
+protocol_id in smbdefault_values is SMB3.02.
+In SMB2_negotiate the protocol_id in smbdefault_values isn't updated,
+it is global so it probably shouldn't be, but server->dialect is.
+
+This patch changes the check in smb3_validate_negotiate to use
+server->dialect instead of server->vals->protocol_id. The patch works
+with autonegotiate and when using a specific version in the vers mount
+option.
+
+Signed-off-by: Daniel N Pettersson <danielnp@axis.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -733,8 +733,7 @@ int smb3_validate_negotiate(const unsign
+ }
+
+ /* check validate negotiate info response matches what we got earlier */
+- if (pneg_rsp->Dialect !=
+- cpu_to_le16(tcon->ses->server->vals->protocol_id))
++ if (pneg_rsp->Dialect != cpu_to_le16(tcon->ses->server->dialect))
+ goto vneg_out;
+
+ if (pneg_rsp->SecurityMode != cpu_to_le16(tcon->ses->server->sec_mode))
--- /dev/null
+From f04a703c3d613845ae3141bfaf223489de8ab3eb Mon Sep 17 00:00:00 2001
+From: Matthew Wilcox <mawilcox@microsoft.com>
+Date: Fri, 15 Dec 2017 12:48:32 -0800
+Subject: cifs: Fix missing put_xid in cifs_file_strict_mmap
+
+From: Matthew Wilcox <mawilcox@microsoft.com>
+
+commit f04a703c3d613845ae3141bfaf223489de8ab3eb upstream.
+
+If cifs_zap_mapping() returned an error, we would return without putting
+the xid that we got earlier. Restructure cifs_file_strict_mmap() and
+cifs_file_mmap() to be more similar to each other and have a single
+point of return that always puts the xid.
+
+Signed-off-by: Matthew Wilcox <mawilcox@microsoft.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/file.c | 26 ++++++++++++--------------
+ 1 file changed, 12 insertions(+), 14 deletions(-)
+
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -3488,20 +3488,18 @@ static const struct vm_operations_struct
+
+ int cifs_file_strict_mmap(struct file *file, struct vm_area_struct *vma)
+ {
+- int rc, xid;
++ int xid, rc = 0;
+ struct inode *inode = file_inode(file);
+
+ xid = get_xid();
+
+- if (!CIFS_CACHE_READ(CIFS_I(inode))) {
++ if (!CIFS_CACHE_READ(CIFS_I(inode)))
+ rc = cifs_zap_mapping(inode);
+- if (rc)
+- return rc;
+- }
+-
+- rc = generic_file_mmap(file, vma);
+- if (rc == 0)
++ if (!rc)
++ rc = generic_file_mmap(file, vma);
++ if (!rc)
+ vma->vm_ops = &cifs_file_vm_ops;
++
+ free_xid(xid);
+ return rc;
+ }
+@@ -3511,16 +3509,16 @@ int cifs_file_mmap(struct file *file, st
+ int rc, xid;
+
+ xid = get_xid();
++
+ rc = cifs_revalidate_file(file);
+- if (rc) {
++ if (rc)
+ cifs_dbg(FYI, "Validation prior to mmap failed, error=%d\n",
+ rc);
+- free_xid(xid);
+- return rc;
+- }
+- rc = generic_file_mmap(file, vma);
+- if (rc == 0)
++ if (!rc)
++ rc = generic_file_mmap(file, vma);
++ if (!rc)
+ vma->vm_ops = &cifs_file_vm_ops;
++
+ free_xid(xid);
+ return rc;
+ }
--- /dev/null
+From 97f4b7276b829a8927ac903a119bef2f963ccc58 Mon Sep 17 00:00:00 2001
+From: Aurelien Aptel <aaptel@suse.com>
+Date: Thu, 25 Jan 2018 15:59:39 +0100
+Subject: CIFS: zero sensitive data when freeing
+
+From: Aurelien Aptel <aaptel@suse.com>
+
+commit 97f4b7276b829a8927ac903a119bef2f963ccc58 upstream.
+
+also replaces memset()+kfree() by kzfree().
+
+Signed-off-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/cifsencrypt.c | 3 +--
+ fs/cifs/connect.c | 6 +++---
+ fs/cifs/misc.c | 14 ++++----------
+ 3 files changed, 8 insertions(+), 15 deletions(-)
+
+--- a/fs/cifs/cifsencrypt.c
++++ b/fs/cifs/cifsencrypt.c
+@@ -325,9 +325,8 @@ int calc_lanman_hash(const char *passwor
+ {
+ int i;
+ int rc;
+- char password_with_pad[CIFS_ENCPWD_SIZE];
++ char password_with_pad[CIFS_ENCPWD_SIZE] = {0};
+
+- memset(password_with_pad, 0, CIFS_ENCPWD_SIZE);
+ if (password)
+ strncpy(password_with_pad, password, CIFS_ENCPWD_SIZE);
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -1707,7 +1707,7 @@ cifs_parse_mount_options(const char *mou
+ tmp_end++;
+ if (!(tmp_end < end && tmp_end[1] == delim)) {
+ /* No it is not. Set the password to NULL */
+- kfree(vol->password);
++ kzfree(vol->password);
+ vol->password = NULL;
+ break;
+ }
+@@ -1745,7 +1745,7 @@ cifs_parse_mount_options(const char *mou
+ options = end;
+ }
+
+- kfree(vol->password);
++ kzfree(vol->password);
+ /* Now build new password string */
+ temp_len = strlen(value);
+ vol->password = kzalloc(temp_len+1, GFP_KERNEL);
+@@ -4235,7 +4235,7 @@ cifs_construct_tcon(struct cifs_sb_info
+ reset_cifs_unix_caps(0, tcon, NULL, vol_info);
+ out:
+ kfree(vol_info->username);
+- kfree(vol_info->password);
++ kzfree(vol_info->password);
+ kfree(vol_info);
+
+ return tcon;
+--- a/fs/cifs/misc.c
++++ b/fs/cifs/misc.c
+@@ -98,14 +98,11 @@ sesInfoFree(struct cifs_ses *buf_to_free
+ kfree(buf_to_free->serverOS);
+ kfree(buf_to_free->serverDomain);
+ kfree(buf_to_free->serverNOS);
+- if (buf_to_free->password) {
+- memset(buf_to_free->password, 0, strlen(buf_to_free->password));
+- kfree(buf_to_free->password);
+- }
++ kzfree(buf_to_free->password);
+ kfree(buf_to_free->user_name);
+ kfree(buf_to_free->domainName);
+- kfree(buf_to_free->auth_key.response);
+- kfree(buf_to_free);
++ kzfree(buf_to_free->auth_key.response);
++ kzfree(buf_to_free);
+ }
+
+ struct cifs_tcon *
+@@ -136,10 +133,7 @@ tconInfoFree(struct cifs_tcon *buf_to_fr
+ }
+ atomic_dec(&tconInfoAllocCount);
+ kfree(buf_to_free->nativeFileSystem);
+- if (buf_to_free->password) {
+- memset(buf_to_free->password, 0, strlen(buf_to_free->password));
+- kfree(buf_to_free->password);
+- }
++ kzfree(buf_to_free->password);
+ kfree(buf_to_free);
+ }
+
--- /dev/null
+From 6066998cbd2b1012a8d5bc9a2957cfd0ad53150e Mon Sep 17 00:00:00 2001
+From: Andrew-sh Cheng <andrew-sh.cheng@mediatek.com>
+Date: Fri, 8 Dec 2017 14:07:56 +0800
+Subject: cpufreq: mediatek: add mediatek related projects into blacklist
+
+From: Andrew-sh Cheng <andrew-sh.cheng@mediatek.com>
+
+commit 6066998cbd2b1012a8d5bc9a2957cfd0ad53150e upstream.
+
+mediatek projects will use mediate-cpufreq.c as cpufreq driver,
+instead of using cpufreq_dt.c
+Add mediatek related projects into cpufreq-dt blacklist
+
+Signed-off-by: Andrew-sh Cheng <andrew-sh.cheng@mediatek.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/cpufreq-dt-platdev.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/cpufreq/cpufreq-dt-platdev.c
++++ b/drivers/cpufreq/cpufreq-dt-platdev.c
+@@ -111,6 +111,14 @@ static const struct of_device_id blackli
+
+ { .compatible = "marvell,armadaxp", },
+
++ { .compatible = "mediatek,mt2701", },
++ { .compatible = "mediatek,mt2712", },
++ { .compatible = "mediatek,mt7622", },
++ { .compatible = "mediatek,mt7623", },
++ { .compatible = "mediatek,mt817x", },
++ { .compatible = "mediatek,mt8173", },
++ { .compatible = "mediatek,mt8176", },
++
+ { .compatible = "nvidia,tegra124", },
+
+ { .compatible = "st,stih407", },
--- /dev/null
+From 69c64866ce072dea1d1e59a0d61e0f66c0dffb76 Mon Sep 17 00:00:00 2001
+From: Mohamed Ghannam <simo.ghannam@gmail.com>
+Date: Tue, 5 Dec 2017 20:58:35 +0000
+Subject: dccp: CVE-2017-8824: use-after-free in DCCP code
+
+From: Mohamed Ghannam <simo.ghannam@gmail.com>
+
+commit 69c64866ce072dea1d1e59a0d61e0f66c0dffb76 upstream.
+
+Whenever the sock object is in DCCP_CLOSED state,
+dccp_disconnect() must free dccps_hc_tx_ccid and
+dccps_hc_rx_ccid and set to NULL.
+
+Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/dccp/proto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int
+ {
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ struct inet_sock *inet = inet_sk(sk);
++ struct dccp_sock *dp = dccp_sk(sk);
+ int err = 0;
+ const int old_state = sk->sk_state;
+
+@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int
+ sk->sk_err = ECONNRESET;
+
+ dccp_clear_xmit_timers(sk);
++ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
++ dp->dccps_hc_rx_ccid = NULL;
++ dp->dccps_hc_tx_ccid = NULL;
+
+ __skb_queue_purge(&sk->sk_receive_queue);
+ __skb_queue_purge(&sk->sk_write_queue);
--- /dev/null
+From 66b3bd2356e0a1531c71a3dcf96944621e25c17c Mon Sep 17 00:00:00 2001
+From: Yang Shunyong <shunyong.yang@hxt-semitech.com>
+Date: Mon, 29 Jan 2018 14:40:11 +0800
+Subject: dmaengine: dmatest: fix container_of member in dmatest_callback
+
+From: Yang Shunyong <shunyong.yang@hxt-semitech.com>
+
+commit 66b3bd2356e0a1531c71a3dcf96944621e25c17c upstream.
+
+The type of arg passed to dmatest_callback is struct dmatest_done.
+It refers to test_done in struct dmatest_thread, not done_wait.
+
+Fixes: 6f6a23a213be ("dmaengine: dmatest: move callback wait ...")
+Signed-off-by: Yang Shunyong <shunyong.yang@hxt-semitech.com>
+Acked-by: Adam Wallis <awallis@codeaurora.org>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/dmatest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/dmatest.c
++++ b/drivers/dma/dmatest.c
+@@ -355,7 +355,7 @@ static void dmatest_callback(void *arg)
+ {
+ struct dmatest_done *done = arg;
+ struct dmatest_thread *thread =
+- container_of(arg, struct dmatest_thread, done_wait);
++ container_of(done, struct dmatest_thread, test_done);
+ if (!thread->done) {
+ done->done = true;
+ wake_up_all(done->wait);
--- /dev/null
+From d87ce76402950b8e4d5117276d44465658e886a4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Fri, 17 Nov 2017 21:19:08 +0200
+Subject: drm/i915: Add .get_hw_state() method for planes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit d87ce76402950b8e4d5117276d44465658e886a4 upstream.
+
+Add a .get_hw_state() method for planes, returning true or false
+depending on whether the plane is enabled. Use it to rewrite the
+plane enabled/disabled asserts in platform agnostic fashion.
+
+We do lose the pre-gen4 plane<->pipe mapping checks, but since we're
+supposed sanitize that anyway it doesn't really matter.
+
+v2: Reoder patches to not depend on enum old_plane_id
+ Just call assert_plane_disabled() from assert_planes_disabled()
+v3: Deal with disabled power wells in .get_hw_state()
+v4: Rebase due skl primary plane code removal
+
+Cc: Thierry Reding <thierry.reding@gmail.com>
+Cc: Alex VillacÃs Lasso <alexvillacislasso@hotmail.com>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> #v2
+Tested-by: Thierry Reding <thierry.reding@gmail.com> #v2
+Link: https://patchwork.freedesktop.org/patch/msgid/20171117191917.11506-2-ville.syrjala@linux.intel.com
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+(cherry picked from commit 51f5a096398433a881e845d3685a2c1dac756019)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/gpu/drm/i915/intel_display.c | 188 ++++++++++++++++-------------------
+ drivers/gpu/drm/i915/intel_drv.h | 2
+ drivers/gpu/drm/i915/intel_sprite.c | 83 +++++++++++++++
+ 3 files changed, 175 insertions(+), 98 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -1211,23 +1211,6 @@ void assert_panel_unlocked(struct drm_i9
+ pipe_name(pipe));
+ }
+
+-static void assert_cursor(struct drm_i915_private *dev_priv,
+- enum pipe pipe, bool state)
+-{
+- bool cur_state;
+-
+- if (IS_I845G(dev_priv) || IS_I865G(dev_priv))
+- cur_state = I915_READ(CURCNTR(PIPE_A)) & CURSOR_ENABLE;
+- else
+- cur_state = I915_READ(CURCNTR(pipe)) & CURSOR_MODE;
+-
+- I915_STATE_WARN(cur_state != state,
+- "cursor on pipe %c assertion failure (expected %s, current %s)\n",
+- pipe_name(pipe), onoff(state), onoff(cur_state));
+-}
+-#define assert_cursor_enabled(d, p) assert_cursor(d, p, true)
+-#define assert_cursor_disabled(d, p) assert_cursor(d, p, false)
+-
+ void assert_pipe(struct drm_i915_private *dev_priv,
+ enum pipe pipe, bool state)
+ {
+@@ -1255,77 +1238,25 @@ void assert_pipe(struct drm_i915_private
+ pipe_name(pipe), onoff(state), onoff(cur_state));
+ }
+
+-static void assert_plane(struct drm_i915_private *dev_priv,
+- enum plane plane, bool state)
++static void assert_plane(struct intel_plane *plane, bool state)
+ {
+- u32 val;
+- bool cur_state;
++ bool cur_state = plane->get_hw_state(plane);
+
+- val = I915_READ(DSPCNTR(plane));
+- cur_state = !!(val & DISPLAY_PLANE_ENABLE);
+ I915_STATE_WARN(cur_state != state,
+- "plane %c assertion failure (expected %s, current %s)\n",
+- plane_name(plane), onoff(state), onoff(cur_state));
++ "%s assertion failure (expected %s, current %s)\n",
++ plane->base.name, onoff(state), onoff(cur_state));
+ }
+
+-#define assert_plane_enabled(d, p) assert_plane(d, p, true)
+-#define assert_plane_disabled(d, p) assert_plane(d, p, false)
+-
+-static void assert_planes_disabled(struct drm_i915_private *dev_priv,
+- enum pipe pipe)
+-{
+- int i;
+-
+- /* Primary planes are fixed to pipes on gen4+ */
+- if (INTEL_GEN(dev_priv) >= 4) {
+- u32 val = I915_READ(DSPCNTR(pipe));
+- I915_STATE_WARN(val & DISPLAY_PLANE_ENABLE,
+- "plane %c assertion failure, should be disabled but not\n",
+- plane_name(pipe));
+- return;
+- }
+-
+- /* Need to check both planes against the pipe */
+- for_each_pipe(dev_priv, i) {
+- u32 val = I915_READ(DSPCNTR(i));
+- enum pipe cur_pipe = (val & DISPPLANE_SEL_PIPE_MASK) >>
+- DISPPLANE_SEL_PIPE_SHIFT;
+- I915_STATE_WARN((val & DISPLAY_PLANE_ENABLE) && pipe == cur_pipe,
+- "plane %c assertion failure, should be off on pipe %c but is still active\n",
+- plane_name(i), pipe_name(pipe));
+- }
+-}
++#define assert_plane_enabled(p) assert_plane(p, true)
++#define assert_plane_disabled(p) assert_plane(p, false)
+
+-static void assert_sprites_disabled(struct drm_i915_private *dev_priv,
+- enum pipe pipe)
++static void assert_planes_disabled(struct intel_crtc *crtc)
+ {
+- int sprite;
++ struct drm_i915_private *dev_priv = to_i915(crtc->base.dev);
++ struct intel_plane *plane;
+
+- if (INTEL_GEN(dev_priv) >= 9) {
+- for_each_sprite(dev_priv, pipe, sprite) {
+- u32 val = I915_READ(PLANE_CTL(pipe, sprite));
+- I915_STATE_WARN(val & PLANE_CTL_ENABLE,
+- "plane %d assertion failure, should be off on pipe %c but is still active\n",
+- sprite, pipe_name(pipe));
+- }
+- } else if (IS_VALLEYVIEW(dev_priv) || IS_CHERRYVIEW(dev_priv)) {
+- for_each_sprite(dev_priv, pipe, sprite) {
+- u32 val = I915_READ(SPCNTR(pipe, PLANE_SPRITE0 + sprite));
+- I915_STATE_WARN(val & SP_ENABLE,
+- "sprite %c assertion failure, should be off on pipe %c but is still active\n",
+- sprite_name(pipe, sprite), pipe_name(pipe));
+- }
+- } else if (INTEL_GEN(dev_priv) >= 7) {
+- u32 val = I915_READ(SPRCTL(pipe));
+- I915_STATE_WARN(val & SPRITE_ENABLE,
+- "sprite %c assertion failure, should be off on pipe %c but is still active\n",
+- plane_name(pipe), pipe_name(pipe));
+- } else if (INTEL_GEN(dev_priv) >= 5 || IS_G4X(dev_priv)) {
+- u32 val = I915_READ(DVSCNTR(pipe));
+- I915_STATE_WARN(val & DVS_ENABLE,
+- "sprite %c assertion failure, should be off on pipe %c but is still active\n",
+- plane_name(pipe), pipe_name(pipe));
+- }
++ for_each_intel_plane_on_crtc(&dev_priv->drm, crtc, plane)
++ assert_plane_disabled(plane);
+ }
+
+ static void assert_vblank_disabled(struct drm_crtc *crtc)
+@@ -1926,9 +1857,7 @@ static void intel_enable_pipe(struct int
+
+ DRM_DEBUG_KMS("enabling pipe %c\n", pipe_name(pipe));
+
+- assert_planes_disabled(dev_priv, pipe);
+- assert_cursor_disabled(dev_priv, pipe);
+- assert_sprites_disabled(dev_priv, pipe);
++ assert_planes_disabled(crtc);
+
+ /*
+ * A pipe without a PLL won't actually be able to drive bits from
+@@ -1997,9 +1926,7 @@ static void intel_disable_pipe(struct in
+ * Make sure planes won't keep trying to pump pixels to us,
+ * or we might hang the display.
+ */
+- assert_planes_disabled(dev_priv, pipe);
+- assert_cursor_disabled(dev_priv, pipe);
+- assert_sprites_disabled(dev_priv, pipe);
++ assert_planes_disabled(crtc);
+
+ reg = PIPECONF(cpu_transcoder);
+ val = I915_READ(reg);
+@@ -3397,6 +3324,31 @@ static void i9xx_disable_primary_plane(s
+ spin_unlock_irqrestore(&dev_priv->uncore.lock, irqflags);
+ }
+
++static bool i9xx_plane_get_hw_state(struct intel_plane *primary)
++{
++
++ struct drm_i915_private *dev_priv = to_i915(primary->base.dev);
++ enum intel_display_power_domain power_domain;
++ enum plane plane = primary->plane;
++ enum pipe pipe = primary->pipe;
++ bool ret;
++
++ /*
++ * Not 100% correct for planes that can move between pipes,
++ * but that's only the case for gen2-4 which don't have any
++ * display power wells.
++ */
++ power_domain = POWER_DOMAIN_PIPE(pipe);
++ if (!intel_display_power_get_if_enabled(dev_priv, power_domain))
++ return false;
++
++ ret = I915_READ(DSPCNTR(plane)) & DISPLAY_PLANE_ENABLE;
++
++ intel_display_power_put(dev_priv, power_domain);
++
++ return ret;
++}
++
+ static u32
+ intel_fb_stride_alignment(const struct drm_framebuffer *fb, int plane)
+ {
+@@ -4973,7 +4925,8 @@ void hsw_enable_ips(struct intel_crtc *c
+ * a vblank wait.
+ */
+
+- assert_plane_enabled(dev_priv, crtc->plane);
++ assert_plane_enabled(to_intel_plane(crtc->base.primary));
++
+ if (IS_BROADWELL(dev_priv)) {
+ mutex_lock(&dev_priv->rps.hw_lock);
+ WARN_ON(sandybridge_pcode_write(dev_priv, DISPLAY_IPS_CONTROL, 0xc0000000));
+@@ -5005,7 +4958,8 @@ void hsw_disable_ips(struct intel_crtc *
+ if (!crtc->config->ips_enabled)
+ return;
+
+- assert_plane_enabled(dev_priv, crtc->plane);
++ assert_plane_enabled(to_intel_plane(crtc->base.primary));
++
+ if (IS_BROADWELL(dev_priv)) {
+ mutex_lock(&dev_priv->rps.hw_lock);
+ WARN_ON(sandybridge_pcode_write(dev_priv, DISPLAY_IPS_CONTROL, 0));
+@@ -9577,6 +9531,23 @@ static void i845_disable_cursor(struct i
+ i845_update_cursor(plane, NULL, NULL);
+ }
+
++static bool i845_cursor_get_hw_state(struct intel_plane *plane)
++{
++ struct drm_i915_private *dev_priv = to_i915(plane->base.dev);
++ enum intel_display_power_domain power_domain;
++ bool ret;
++
++ power_domain = POWER_DOMAIN_PIPE(PIPE_A);
++ if (!intel_display_power_get_if_enabled(dev_priv, power_domain))
++ return false;
++
++ ret = I915_READ(CURCNTR(PIPE_A)) & CURSOR_ENABLE;
++
++ intel_display_power_put(dev_priv, power_domain);
++
++ return ret;
++}
++
+ static u32 i9xx_cursor_ctl(const struct intel_crtc_state *crtc_state,
+ const struct intel_plane_state *plane_state)
+ {
+@@ -9770,6 +9741,28 @@ static void i9xx_disable_cursor(struct i
+ i9xx_update_cursor(plane, NULL, NULL);
+ }
+
++static bool i9xx_cursor_get_hw_state(struct intel_plane *plane)
++{
++ struct drm_i915_private *dev_priv = to_i915(plane->base.dev);
++ enum intel_display_power_domain power_domain;
++ enum pipe pipe = plane->pipe;
++ bool ret;
++
++ /*
++ * Not 100% correct for planes that can move between pipes,
++ * but that's only the case for gen2-3 which don't have any
++ * display power wells.
++ */
++ power_domain = POWER_DOMAIN_PIPE(pipe);
++ if (!intel_display_power_get_if_enabled(dev_priv, power_domain))
++ return false;
++
++ ret = I915_READ(CURCNTR(pipe)) & CURSOR_MODE;
++
++ intel_display_power_put(dev_priv, power_domain);
++
++ return ret;
++}
+
+ /* VESA 640x480x72Hz mode to set on the pipe */
+ static struct drm_display_mode load_detect_mode = {
+@@ -13240,6 +13233,7 @@ intel_primary_plane_create(struct drm_i9
+
+ primary->update_plane = skylake_update_primary_plane;
+ primary->disable_plane = skylake_disable_primary_plane;
++ primary->get_hw_state = skl_plane_get_hw_state;
+ } else if (INTEL_GEN(dev_priv) >= 9) {
+ intel_primary_formats = skl_primary_formats;
+ num_formats = ARRAY_SIZE(skl_primary_formats);
+@@ -13250,6 +13244,7 @@ intel_primary_plane_create(struct drm_i9
+
+ primary->update_plane = skylake_update_primary_plane;
+ primary->disable_plane = skylake_disable_primary_plane;
++ primary->get_hw_state = skl_plane_get_hw_state;
+ } else if (INTEL_GEN(dev_priv) >= 4) {
+ intel_primary_formats = i965_primary_formats;
+ num_formats = ARRAY_SIZE(i965_primary_formats);
+@@ -13257,6 +13252,7 @@ intel_primary_plane_create(struct drm_i9
+
+ primary->update_plane = i9xx_update_primary_plane;
+ primary->disable_plane = i9xx_disable_primary_plane;
++ primary->get_hw_state = i9xx_plane_get_hw_state;
+ } else {
+ intel_primary_formats = i8xx_primary_formats;
+ num_formats = ARRAY_SIZE(i8xx_primary_formats);
+@@ -13264,6 +13260,7 @@ intel_primary_plane_create(struct drm_i9
+
+ primary->update_plane = i9xx_update_primary_plane;
+ primary->disable_plane = i9xx_disable_primary_plane;
++ primary->get_hw_state = i9xx_plane_get_hw_state;
+ }
+
+ if (INTEL_GEN(dev_priv) >= 9)
+@@ -13353,10 +13350,12 @@ intel_cursor_plane_create(struct drm_i91
+ if (IS_I845G(dev_priv) || IS_I865G(dev_priv)) {
+ cursor->update_plane = i845_update_cursor;
+ cursor->disable_plane = i845_disable_cursor;
++ cursor->get_hw_state = i845_cursor_get_hw_state;
+ cursor->check_plane = i845_check_cursor;
+ } else {
+ cursor->update_plane = i9xx_update_cursor;
+ cursor->disable_plane = i9xx_disable_cursor;
++ cursor->get_hw_state = i9xx_cursor_get_hw_state;
+ cursor->check_plane = i9xx_check_cursor;
+ }
+
+@@ -14704,8 +14703,8 @@ void i830_disable_pipe(struct drm_i915_p
+ DRM_DEBUG_KMS("disabling pipe %c due to force quirk\n",
+ pipe_name(pipe));
+
+- assert_plane_disabled(dev_priv, PLANE_A);
+- assert_plane_disabled(dev_priv, PLANE_B);
++ assert_planes_disabled(intel_get_crtc_for_pipe(dev_priv, PIPE_A));
++ assert_planes_disabled(intel_get_crtc_for_pipe(dev_priv, PIPE_B));
+
+ I915_WRITE(PIPECONF(pipe), 0);
+ POSTING_READ(PIPECONF(pipe));
+@@ -14918,20 +14917,13 @@ void i915_redisable_vga(struct drm_i915_
+ intel_display_power_put(dev_priv, POWER_DOMAIN_VGA);
+ }
+
+-static bool primary_get_hw_state(struct intel_plane *plane)
+-{
+- struct drm_i915_private *dev_priv = to_i915(plane->base.dev);
+-
+- return I915_READ(DSPCNTR(plane->plane)) & DISPLAY_PLANE_ENABLE;
+-}
+-
+ /* FIXME read out full plane state for all planes */
+ static void readout_plane_state(struct intel_crtc *crtc)
+ {
+ struct intel_plane *primary = to_intel_plane(crtc->base.primary);
+ bool visible;
+
+- visible = crtc->active && primary_get_hw_state(primary);
++ visible = crtc->active && primary->get_hw_state(primary);
+
+ intel_set_plane_visible(to_intel_crtc_state(crtc->base.state),
+ to_intel_plane_state(primary->base.state),
+--- a/drivers/gpu/drm/i915/intel_drv.h
++++ b/drivers/gpu/drm/i915/intel_drv.h
+@@ -863,6 +863,7 @@ struct intel_plane {
+ const struct intel_plane_state *plane_state);
+ void (*disable_plane)(struct intel_plane *plane,
+ struct intel_crtc *crtc);
++ bool (*get_hw_state)(struct intel_plane *plane);
+ int (*check_plane)(struct intel_plane *plane,
+ struct intel_crtc_state *crtc_state,
+ struct intel_plane_state *state);
+@@ -1885,6 +1886,7 @@ int intel_sprite_set_colorkey(struct drm
+ struct drm_file *file_priv);
+ void intel_pipe_update_start(struct intel_crtc *crtc);
+ void intel_pipe_update_end(struct intel_crtc *crtc);
++bool skl_plane_get_hw_state(struct intel_plane *plane);
+
+ /* intel_tv.c */
+ void intel_tv_init(struct drm_i915_private *dev_priv);
+--- a/drivers/gpu/drm/i915/intel_sprite.c
++++ b/drivers/gpu/drm/i915/intel_sprite.c
+@@ -324,6 +324,26 @@ skl_disable_plane(struct intel_plane *pl
+ spin_unlock_irqrestore(&dev_priv->uncore.lock, irqflags);
+ }
+
++bool
++skl_plane_get_hw_state(struct intel_plane *plane)
++{
++ struct drm_i915_private *dev_priv = to_i915(plane->base.dev);
++ enum intel_display_power_domain power_domain;
++ enum plane_id plane_id = plane->id;
++ enum pipe pipe = plane->pipe;
++ bool ret;
++
++ power_domain = POWER_DOMAIN_PIPE(pipe);
++ if (!intel_display_power_get_if_enabled(dev_priv, power_domain))
++ return false;
++
++ ret = I915_READ(PLANE_CTL(pipe, plane_id)) & PLANE_CTL_ENABLE;
++
++ intel_display_power_put(dev_priv, power_domain);
++
++ return ret;
++}
++
+ static void
+ chv_update_csc(struct intel_plane *plane, uint32_t format)
+ {
+@@ -501,6 +521,26 @@ vlv_disable_plane(struct intel_plane *pl
+ spin_unlock_irqrestore(&dev_priv->uncore.lock, irqflags);
+ }
+
++static bool
++vlv_plane_get_hw_state(struct intel_plane *plane)
++{
++ struct drm_i915_private *dev_priv = to_i915(plane->base.dev);
++ enum intel_display_power_domain power_domain;
++ enum plane_id plane_id = plane->id;
++ enum pipe pipe = plane->pipe;
++ bool ret;
++
++ power_domain = POWER_DOMAIN_PIPE(pipe);
++ if (!intel_display_power_get_if_enabled(dev_priv, power_domain))
++ return false;
++
++ ret = I915_READ(SPCNTR(pipe, plane_id)) & SP_ENABLE;
++
++ intel_display_power_put(dev_priv, power_domain);
++
++ return ret;
++}
++
+ static u32 ivb_sprite_ctl(const struct intel_crtc_state *crtc_state,
+ const struct intel_plane_state *plane_state)
+ {
+@@ -641,6 +681,25 @@ ivb_disable_plane(struct intel_plane *pl
+ spin_unlock_irqrestore(&dev_priv->uncore.lock, irqflags);
+ }
+
++static bool
++ivb_plane_get_hw_state(struct intel_plane *plane)
++{
++ struct drm_i915_private *dev_priv = to_i915(plane->base.dev);
++ enum intel_display_power_domain power_domain;
++ enum pipe pipe = plane->pipe;
++ bool ret;
++
++ power_domain = POWER_DOMAIN_PIPE(pipe);
++ if (!intel_display_power_get_if_enabled(dev_priv, power_domain))
++ return false;
++
++ ret = I915_READ(SPRCTL(pipe)) & SPRITE_ENABLE;
++
++ intel_display_power_put(dev_priv, power_domain);
++
++ return ret;
++}
++
+ static u32 g4x_sprite_ctl(const struct intel_crtc_state *crtc_state,
+ const struct intel_plane_state *plane_state)
+ {
+@@ -772,6 +831,25 @@ g4x_disable_plane(struct intel_plane *pl
+ spin_unlock_irqrestore(&dev_priv->uncore.lock, irqflags);
+ }
+
++static bool
++g4x_plane_get_hw_state(struct intel_plane *plane)
++{
++ struct drm_i915_private *dev_priv = to_i915(plane->base.dev);
++ enum intel_display_power_domain power_domain;
++ enum pipe pipe = plane->pipe;
++ bool ret;
++
++ power_domain = POWER_DOMAIN_PIPE(pipe);
++ if (!intel_display_power_get_if_enabled(dev_priv, power_domain))
++ return false;
++
++ ret = I915_READ(DVSCNTR(pipe)) & DVS_ENABLE;
++
++ intel_display_power_put(dev_priv, power_domain);
++
++ return ret;
++}
++
+ static int
+ intel_check_sprite_plane(struct intel_plane *plane,
+ struct intel_crtc_state *crtc_state,
+@@ -1227,6 +1305,7 @@ intel_sprite_plane_create(struct drm_i91
+
+ intel_plane->update_plane = skl_update_plane;
+ intel_plane->disable_plane = skl_disable_plane;
++ intel_plane->get_hw_state = skl_plane_get_hw_state;
+
+ plane_formats = skl_plane_formats;
+ num_plane_formats = ARRAY_SIZE(skl_plane_formats);
+@@ -1237,6 +1316,7 @@ intel_sprite_plane_create(struct drm_i91
+
+ intel_plane->update_plane = skl_update_plane;
+ intel_plane->disable_plane = skl_disable_plane;
++ intel_plane->get_hw_state = skl_plane_get_hw_state;
+
+ plane_formats = skl_plane_formats;
+ num_plane_formats = ARRAY_SIZE(skl_plane_formats);
+@@ -1247,6 +1327,7 @@ intel_sprite_plane_create(struct drm_i91
+
+ intel_plane->update_plane = vlv_update_plane;
+ intel_plane->disable_plane = vlv_disable_plane;
++ intel_plane->get_hw_state = vlv_plane_get_hw_state;
+
+ plane_formats = vlv_plane_formats;
+ num_plane_formats = ARRAY_SIZE(vlv_plane_formats);
+@@ -1262,6 +1343,7 @@ intel_sprite_plane_create(struct drm_i91
+
+ intel_plane->update_plane = ivb_update_plane;
+ intel_plane->disable_plane = ivb_disable_plane;
++ intel_plane->get_hw_state = ivb_plane_get_hw_state;
+
+ plane_formats = snb_plane_formats;
+ num_plane_formats = ARRAY_SIZE(snb_plane_formats);
+@@ -1272,6 +1354,7 @@ intel_sprite_plane_create(struct drm_i91
+
+ intel_plane->update_plane = g4x_update_plane;
+ intel_plane->disable_plane = g4x_disable_plane;
++ intel_plane->get_hw_state = g4x_plane_get_hw_state;
+
+ modifiers = i9xx_plane_format_modifiers;
+ if (IS_GEN6(dev_priv)) {
--- /dev/null
+From 4488496d58200c7511842e049a4cc891d928da56 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Wed, 29 Nov 2017 14:54:11 +0200
+Subject: drm/i915: Fix deadlock in i830_disable_pipe()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 4488496d58200c7511842e049a4cc891d928da56 upstream.
+
+i830_disable_pipe() gets called from the power well code, and thus
+we're already holding the power domain mutex. That means we can't
+call plane->get_hw_state() as it will also try to grab the
+same mutex and will thus deadlock.
+
+Replace the assert_plane() calls (which calls ->get_hw_state()) with
+just raw register reads in i830_disable_pipe(). As a bonus we can
+now get a warning if plane C is enabled even though we don't even
+expose it as a drm plane.
+
+v2: Do a separate WARN_ON() for each plane (Chris)
+
+Cc: Chris Wilson <chris@chris-wilson.co.uk>
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Fixes: d87ce7640295 ("drm/i915: Add .get_hw_state() method for planes")
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20171129125411.29055-1-ville.syrjala@linux.intel.com
+(cherry picked from commit 5816d9cbc0a0fbf232fe297cefcb85361a3cde90)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_display.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -14717,8 +14717,11 @@ void i830_disable_pipe(struct drm_i915_p
+ DRM_DEBUG_KMS("disabling pipe %c due to force quirk\n",
+ pipe_name(pipe));
+
+- assert_planes_disabled(intel_get_crtc_for_pipe(dev_priv, PIPE_A));
+- assert_planes_disabled(intel_get_crtc_for_pipe(dev_priv, PIPE_B));
++ WARN_ON(I915_READ(DSPCNTR(PLANE_A)) & DISPLAY_PLANE_ENABLE);
++ WARN_ON(I915_READ(DSPCNTR(PLANE_B)) & DISPLAY_PLANE_ENABLE);
++ WARN_ON(I915_READ(DSPCNTR(PLANE_C)) & DISPLAY_PLANE_ENABLE);
++ WARN_ON(I915_READ(CURCNTR(PIPE_A)) & CURSOR_MODE);
++ WARN_ON(I915_READ(CURCNTR(PIPE_B)) & CURSOR_MODE);
+
+ I915_WRITE(PIPECONF(pipe), 0);
+ POSTING_READ(PIPECONF(pipe));
--- /dev/null
+From 23ac12732825901b3fc6ac720958d8bff9a0d6ec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Fri, 17 Nov 2017 21:19:09 +0200
+Subject: drm/i915: Redo plane sanitation during readout
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 23ac12732825901b3fc6ac720958d8bff9a0d6ec upstream.
+
+Unify the plane disabling during state readout by pulling the code into
+a new helper intel_plane_disable_noatomic(). We'll also read out the
+state of all planes, so that we know which planes really need to be
+diabled.
+
+Additonally we change the plane<->pipe mapping sanitation to work by
+simply disabling the offending planes instead of entire pipes. And
+we do it before we otherwise sanitize the crtcs, which means we don't
+have to worry about misassigned planes during crtc sanitation anymore.
+
+v2: Reoder patches to not depend on enum old_plane_id
+v3: s/for_each_pipe/for_each_intel_crtc/
+
+Cc: Thierry Reding <thierry.reding@gmail.com>
+Cc: Alex VillacÃs Lasso <alexvillacislasso@hotmail.com>
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=103223
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Tested-by: Thierry Reding <thierry.reding@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20171117191917.11506-3-ville.syrjala@linux.intel.com
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+(cherry picked from commit b1e01595a66dc206a2c75401ec4c285740537f3f)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_display.c | 114 +++++++++++++++++++----------------
+ 1 file changed, 65 insertions(+), 49 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -2756,6 +2756,23 @@ intel_set_plane_visible(struct intel_crt
+ crtc_state->active_planes);
+ }
+
++static void intel_plane_disable_noatomic(struct intel_crtc *crtc,
++ struct intel_plane *plane)
++{
++ struct intel_crtc_state *crtc_state =
++ to_intel_crtc_state(crtc->base.state);
++ struct intel_plane_state *plane_state =
++ to_intel_plane_state(plane->base.state);
++
++ intel_set_plane_visible(crtc_state, plane_state, false);
++
++ if (plane->id == PLANE_PRIMARY)
++ intel_pre_disable_primary_noatomic(&crtc->base);
++
++ trace_intel_disable_plane(&plane->base, crtc);
++ plane->disable_plane(plane, crtc);
++}
++
+ static void
+ intel_find_initial_plane_obj(struct intel_crtc *intel_crtc,
+ struct intel_initial_plane_config *plane_config)
+@@ -2813,12 +2830,7 @@ intel_find_initial_plane_obj(struct inte
+ * simplest solution is to just disable the primary plane now and
+ * pretend the BIOS never had it enabled.
+ */
+- intel_set_plane_visible(to_intel_crtc_state(crtc_state),
+- to_intel_plane_state(plane_state),
+- false);
+- intel_pre_disable_primary_noatomic(&intel_crtc->base);
+- trace_intel_disable_plane(primary, intel_crtc);
+- intel_plane->disable_plane(intel_plane, intel_crtc);
++ intel_plane_disable_noatomic(intel_crtc, intel_plane);
+
+ return;
+
+@@ -5954,6 +5966,7 @@ static void intel_crtc_disable_noatomic(
+ struct intel_crtc *intel_crtc = to_intel_crtc(crtc);
+ struct drm_i915_private *dev_priv = to_i915(crtc->dev);
+ enum intel_display_power_domain domain;
++ struct intel_plane *plane;
+ u64 domains;
+ struct drm_atomic_state *state;
+ struct intel_crtc_state *crtc_state;
+@@ -5962,11 +5975,12 @@ static void intel_crtc_disable_noatomic(
+ if (!intel_crtc->active)
+ return;
+
+- if (crtc->primary->state->visible) {
+- intel_pre_disable_primary_noatomic(crtc);
++ for_each_intel_plane_on_crtc(&dev_priv->drm, intel_crtc, plane) {
++ const struct intel_plane_state *plane_state =
++ to_intel_plane_state(plane->base.state);
+
+- intel_crtc_disable_planes(crtc, 1 << drm_plane_index(crtc->primary));
+- crtc->primary->state->visible = false;
++ if (plane_state->base.visible)
++ intel_plane_disable_noatomic(intel_crtc, plane);
+ }
+
+ state = drm_atomic_state_alloc(crtc->dev);
+@@ -14715,22 +14729,36 @@ void i830_disable_pipe(struct drm_i915_p
+ POSTING_READ(DPLL(pipe));
+ }
+
+-static bool
+-intel_check_plane_mapping(struct intel_crtc *crtc)
++static bool intel_plane_mapping_ok(struct intel_crtc *crtc,
++ struct intel_plane *primary)
+ {
+ struct drm_i915_private *dev_priv = to_i915(crtc->base.dev);
+- u32 val;
++ enum plane plane = primary->plane;
++ u32 val = I915_READ(DSPCNTR(plane));
+
+- if (INTEL_INFO(dev_priv)->num_pipes == 1)
+- return true;
++ return (val & DISPLAY_PLANE_ENABLE) == 0 ||
++ (val & DISPPLANE_SEL_PIPE_MASK) == DISPPLANE_SEL_PIPE(crtc->pipe);
++}
+
+- val = I915_READ(DSPCNTR(!crtc->plane));
++static void
++intel_sanitize_plane_mapping(struct drm_i915_private *dev_priv)
++{
++ struct intel_crtc *crtc;
+
+- if ((val & DISPLAY_PLANE_ENABLE) &&
+- (!!(val & DISPPLANE_SEL_PIPE_MASK) == crtc->pipe))
+- return false;
++ if (INTEL_GEN(dev_priv) >= 4)
++ return;
+
+- return true;
++ for_each_intel_crtc(&dev_priv->drm, crtc) {
++ struct intel_plane *plane =
++ to_intel_plane(crtc->base.primary);
++
++ if (intel_plane_mapping_ok(crtc, plane))
++ continue;
++
++ DRM_DEBUG_KMS("%s attached to the wrong pipe, disabling plane\n",
++ plane->base.name);
++ intel_plane_disable_noatomic(crtc, plane);
++ }
+ }
+
+ static bool intel_crtc_has_encoders(struct intel_crtc *crtc)
+@@ -14786,33 +14814,15 @@ static void intel_sanitize_crtc(struct i
+
+ /* Disable everything but the primary plane */
+ for_each_intel_plane_on_crtc(dev, crtc, plane) {
+- if (plane->base.type == DRM_PLANE_TYPE_PRIMARY)
+- continue;
++ const struct intel_plane_state *plane_state =
++ to_intel_plane_state(plane->base.state);
+
+- trace_intel_disable_plane(&plane->base, crtc);
+- plane->disable_plane(plane, crtc);
++ if (plane_state->base.visible &&
++ plane->base.type != DRM_PLANE_TYPE_PRIMARY)
++ intel_plane_disable_noatomic(crtc, plane);
+ }
+ }
+
+- /* We need to sanitize the plane -> pipe mapping first because this will
+- * disable the crtc (and hence change the state) if it is wrong. Note
+- * that gen4+ has a fixed plane -> pipe mapping. */
+- if (INTEL_GEN(dev_priv) < 4 && !intel_check_plane_mapping(crtc)) {
+- bool plane;
+-
+- DRM_DEBUG_KMS("[CRTC:%d:%s] wrong plane connection detected!\n",
+- crtc->base.base.id, crtc->base.name);
+-
+- /* Pipe has the wrong plane attached and the plane is active.
+- * Temporarily change the plane mapping and disable everything
+- * ... */
+- plane = crtc->plane;
+- crtc->base.primary->state->visible = true;
+- crtc->plane = !plane;
+- intel_crtc_disable_noatomic(&crtc->base, ctx);
+- crtc->plane = plane;
+- }
+-
+ /* Adjust the state of the output pipe according to whether we
+ * have active connectors/encoders. */
+ if (crtc->active && !intel_crtc_has_encoders(crtc))
+@@ -14920,14 +14930,18 @@ void i915_redisable_vga(struct drm_i915_
+ /* FIXME read out full plane state for all planes */
+ static void readout_plane_state(struct intel_crtc *crtc)
+ {
+- struct intel_plane *primary = to_intel_plane(crtc->base.primary);
+- bool visible;
++ struct drm_i915_private *dev_priv = to_i915(crtc->base.dev);
++ struct intel_crtc_state *crtc_state =
++ to_intel_crtc_state(crtc->base.state);
++ struct intel_plane *plane;
+
+- visible = crtc->active && primary->get_hw_state(primary);
++ for_each_intel_plane_on_crtc(&dev_priv->drm, crtc, plane) {
++ struct intel_plane_state *plane_state =
++ to_intel_plane_state(plane->base.state);
++ bool visible = plane->get_hw_state(plane);
+
+- intel_set_plane_visible(to_intel_crtc_state(crtc->base.state),
+- to_intel_plane_state(primary->base.state),
+- visible);
++ intel_set_plane_visible(crtc_state, plane_state, visible);
++ }
+ }
+
+ static void intel_modeset_readout_hw_state(struct drm_device *dev)
+@@ -15129,6 +15143,8 @@ intel_modeset_setup_hw_state(struct drm_
+ /* HW state is read out, now we need to sanitize this mess. */
+ get_encoder_power_domains(dev_priv);
+
++ intel_sanitize_plane_mapping(dev_priv);
++
+ for_each_intel_encoder(dev, encoder) {
+ intel_sanitize_encoder(encoder);
+ }
--- /dev/null
+From 2a266f23550be997d783f27e704b9b40c4010292 Mon Sep 17 00:00:00 2001
+From: Haozhong Zhang <haozhong.zhang@intel.com>
+Date: Wed, 10 Jan 2018 21:44:42 +0800
+Subject: KVM MMU: check pending exception before injecting APF
+
+From: Haozhong Zhang <haozhong.zhang@intel.com>
+
+commit 2a266f23550be997d783f27e704b9b40c4010292 upstream.
+
+For example, when two APF's for page ready happen after one exit and
+the first one becomes pending, the second one will result in #DF.
+Instead, just handle the second page fault synchronously.
+
+Reported-by: Ross Zwisler <zwisler@gmail.com>
+Message-ID: <CAOxpaSUBf8QoOZQ1p4KfUp0jq76OKfGY4Uxs-Gg8ngReD99xww@mail.gmail.com>
+Reported-by: Alec Blayne <ab@tevsa.net>
+Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/mmu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -3784,7 +3784,8 @@ static int kvm_arch_setup_async_pf(struc
+ bool kvm_can_do_async_pf(struct kvm_vcpu *vcpu)
+ {
+ if (unlikely(!lapic_in_kernel(vcpu) ||
+- kvm_event_needs_reinjection(vcpu)))
++ kvm_event_needs_reinjection(vcpu) ||
++ vcpu->arch.exception.pending))
+ return false;
+
+ if (!vcpu->arch.apf.delivery_as_pf_vmexit && is_guest_mode(vcpu))
--- /dev/null
+From 1b689a95ce7427075f9ac9fb4aea1af530742b7f Mon Sep 17 00:00:00 2001
+From: Michal Suchanek <msuchanek@suse.de>
+Date: Mon, 15 Jan 2018 14:30:03 +0100
+Subject: powerpc/pseries: include linux/types.h in asm/hvcall.h
+
+From: Michal Suchanek <msuchanek@suse.de>
+
+commit 1b689a95ce7427075f9ac9fb4aea1af530742b7f upstream.
+
+Commit 6e032b350cd1 ("powerpc/powernv: Check device-tree for RFI flush
+settings") uses u64 in asm/hvcall.h without including linux/types.h
+
+This breaks hvcall.h users that do not include the header themselves.
+
+Fixes: 6e032b350cd1 ("powerpc/powernv: Check device-tree for RFI flush settings")
+Signed-off-by: Michal Suchanek <msuchanek@suse.de>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/hvcall.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/include/asm/hvcall.h
++++ b/arch/powerpc/include/asm/hvcall.h
+@@ -353,6 +353,7 @@
+ #define PROC_TABLE_GTSE 0x01
+
+ #ifndef __ASSEMBLY__
++#include <linux/types.h>
+
+ /**
+ * plpar_hcall_norets: - Make a pseries hypervisor call with no return arguments
--- /dev/null
+From 364f56653708ba8bcdefd4f0da2a42904baa8eeb Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Tue, 23 Jan 2018 20:45:38 -0500
+Subject: sched/rt: Up the root domain ref count when passing it around via IPIs
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 364f56653708ba8bcdefd4f0da2a42904baa8eeb upstream.
+
+When issuing an IPI RT push, where an IPI is sent to each CPU that has more
+than one RT task scheduled on it, it references the root domain's rto_mask,
+that contains all the CPUs within the root domain that has more than one RT
+task in the runable state. The problem is, after the IPIs are initiated, the
+rq->lock is released. This means that the root domain that is associated to
+the run queue could be freed while the IPIs are going around.
+
+Add a sched_get_rd() and a sched_put_rd() that will increment and decrement
+the root domain's ref count respectively. This way when initiating the IPIs,
+the scheduler will up the root domain's ref count before releasing the
+rq->lock, ensuring that the root domain does not go away until the IPI round
+is complete.
+
+Reported-by: Pavan Kondeti <pkondeti@codeaurora.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 4bdced5c9a292 ("sched/rt: Simplify the IPI based RT balancing logic")
+Link: http://lkml.kernel.org/r/CAEU1=PkiHO35Dzna8EQqNSKW1fr1y1zRQ5y66X117MG06sQtNA@mail.gmail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/rt.c | 9 +++++++--
+ kernel/sched/sched.h | 2 ++
+ kernel/sched/topology.c | 13 +++++++++++++
+ 3 files changed, 22 insertions(+), 2 deletions(-)
+
+--- a/kernel/sched/rt.c
++++ b/kernel/sched/rt.c
+@@ -1990,8 +1990,11 @@ static void tell_cpu_to_push(struct rq *
+
+ rto_start_unlock(&rq->rd->rto_loop_start);
+
+- if (cpu >= 0)
++ if (cpu >= 0) {
++ /* Make sure the rd does not get freed while pushing */
++ sched_get_rd(rq->rd);
+ irq_work_queue_on(&rq->rd->rto_push_work, cpu);
++ }
+ }
+
+ /* Called from hardirq context */
+@@ -2021,8 +2024,10 @@ void rto_push_irq_work_func(struct irq_w
+
+ raw_spin_unlock(&rd->rto_lock);
+
+- if (cpu < 0)
++ if (cpu < 0) {
++ sched_put_rd(rd);
+ return;
++ }
+
+ /* Try the next RT overloaded CPU */
+ irq_work_queue_on(&rd->rto_push_work, cpu);
+--- a/kernel/sched/sched.h
++++ b/kernel/sched/sched.h
+@@ -661,6 +661,8 @@ extern struct mutex sched_domains_mutex;
+ extern void init_defrootdomain(void);
+ extern int sched_init_domains(const struct cpumask *cpu_map);
+ extern void rq_attach_root(struct rq *rq, struct root_domain *rd);
++extern void sched_get_rd(struct root_domain *rd);
++extern void sched_put_rd(struct root_domain *rd);
+
+ #ifdef HAVE_RT_PUSH_IPI
+ extern void rto_push_irq_work_func(struct irq_work *work);
+--- a/kernel/sched/topology.c
++++ b/kernel/sched/topology.c
+@@ -258,6 +258,19 @@ void rq_attach_root(struct rq *rq, struc
+ call_rcu_sched(&old_rd->rcu, free_rootdomain);
+ }
+
++void sched_get_rd(struct root_domain *rd)
++{
++ atomic_inc(&rd->refcount);
++}
++
++void sched_put_rd(struct root_domain *rd)
++{
++ if (!atomic_dec_and_test(&rd->refcount))
++ return;
++
++ call_rcu_sched(&rd->rcu, free_rootdomain);
++}
++
+ static int init_rootdomain(struct root_domain *rd)
+ {
+ if (!zalloc_cpumask_var(&rd->span, GFP_KERNEL))
--- /dev/null
+From ad0f1d9d65938aec72a698116cd73a980916895e Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Tue, 23 Jan 2018 20:45:37 -0500
+Subject: sched/rt: Use container_of() to get root domain in rto_push_irq_work_func()
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit ad0f1d9d65938aec72a698116cd73a980916895e upstream.
+
+When the rto_push_irq_work_func() is called, it looks at the RT overloaded
+bitmask in the root domain via the runqueue (rq->rd). The problem is that
+during CPU up and down, nothing here stops rq->rd from changing between
+taking the rq->rd->rto_lock and releasing it. That means the lock that is
+released is not the same lock that was taken.
+
+Instead of using this_rq()->rd to get the root domain, as the irq work is
+part of the root domain, we can simply get the root domain from the irq work
+that is passed to the routine:
+
+ container_of(work, struct root_domain, rto_push_work)
+
+This keeps the root domain consistent.
+
+Reported-by: Pavan Kondeti <pkondeti@codeaurora.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 4bdced5c9a292 ("sched/rt: Simplify the IPI based RT balancing logic")
+Link: http://lkml.kernel.org/r/CAEU1=PkiHO35Dzna8EQqNSKW1fr1y1zRQ5y66X117MG06sQtNA@mail.gmail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/rt.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/kernel/sched/rt.c
++++ b/kernel/sched/rt.c
+@@ -1907,9 +1907,8 @@ static void push_rt_tasks(struct rq *rq)
+ * the rt_loop_next will cause the iterator to perform another scan.
+ *
+ */
+-static int rto_next_cpu(struct rq *rq)
++static int rto_next_cpu(struct root_domain *rd)
+ {
+- struct root_domain *rd = rq->rd;
+ int next;
+ int cpu;
+
+@@ -1985,7 +1984,7 @@ static void tell_cpu_to_push(struct rq *
+ * Otherwise it is finishing up and an ipi needs to be sent.
+ */
+ if (rq->rd->rto_cpu < 0)
+- cpu = rto_next_cpu(rq);
++ cpu = rto_next_cpu(rq->rd);
+
+ raw_spin_unlock(&rq->rd->rto_lock);
+
+@@ -1998,6 +1997,8 @@ static void tell_cpu_to_push(struct rq *
+ /* Called from hardirq context */
+ void rto_push_irq_work_func(struct irq_work *work)
+ {
++ struct root_domain *rd =
++ container_of(work, struct root_domain, rto_push_work);
+ struct rq *rq;
+ int cpu;
+
+@@ -2013,18 +2014,18 @@ void rto_push_irq_work_func(struct irq_w
+ raw_spin_unlock(&rq->lock);
+ }
+
+- raw_spin_lock(&rq->rd->rto_lock);
++ raw_spin_lock(&rd->rto_lock);
+
+ /* Pass the IPI to the next rt overloaded queue */
+- cpu = rto_next_cpu(rq);
++ cpu = rto_next_cpu(rd);
+
+- raw_spin_unlock(&rq->rd->rto_lock);
++ raw_spin_unlock(&rd->rto_lock);
+
+ if (cpu < 0)
+ return;
+
+ /* Try the next RT overloaded CPU */
+- irq_work_queue_on(&rq->rd->rto_push_work, cpu);
++ irq_work_queue_on(&rd->rto_push_work, cpu);
+ }
+ #endif /* HAVE_RT_PUSH_IPI */
+
--- /dev/null
+From c6b9d9a33029014446bd9ed84c1688f6d3d4eab9 Mon Sep 17 00:00:00 2001
+From: Omar Sandoval <osandov@fb.com>
+Date: Tue, 5 Dec 2017 23:15:31 -0800
+Subject: sched/wait: Fix add_wait_queue() behavioral change
+
+From: Omar Sandoval <osandov@fb.com>
+
+commit c6b9d9a33029014446bd9ed84c1688f6d3d4eab9 upstream.
+
+The following cleanup commit:
+
+ 50816c48997a ("sched/wait: Standardize internal naming of wait-queue entries")
+
+... unintentionally changed the behavior of add_wait_queue() from
+inserting the wait entry at the head of the wait queue to the tail
+of the wait queue.
+
+Beyond a negative performance impact this change in behavior
+theoretically also breaks wait queues which mix exclusive and
+non-exclusive waiters, as non-exclusive waiters will not be
+woken up if they are queued behind enough exclusive waiters.
+
+Signed-off-by: Omar Sandoval <osandov@fb.com>
+Reviewed-by: Jens Axboe <axboe@kernel.dk>
+Acked-by: Peter Zijlstra <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: kernel-team@fb.com
+Fixes: ("sched/wait: Standardize internal naming of wait-queue entries")
+Link: http://lkml.kernel.org/r/a16c8ccffd39bd08fdaa45a5192294c784b803a7.1512544324.git.osandov@fb.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/wait.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/sched/wait.c
++++ b/kernel/sched/wait.c
+@@ -27,7 +27,7 @@ void add_wait_queue(struct wait_queue_he
+
+ wq_entry->flags &= ~WQ_FLAG_EXCLUSIVE;
+ spin_lock_irqsave(&wq_head->lock, flags);
+- __add_wait_queue_entry_tail(wq_head, wq_entry);
++ __add_wait_queue(wq_head, wq_entry);
+ spin_unlock_irqrestore(&wq_head->lock, flags);
+ }
+ EXPORT_SYMBOL(add_wait_queue);
watchdog-indydog-add-dependency-on-sgi_has_indydog.patch
+powerpc-pseries-include-linux-types.h-in-asm-hvcall.h.patch
+cifs-fix-missing-put_xid-in-cifs_file_strict_mmap.patch
+cifs-fix-autonegotiate-security-settings-mismatch.patch
+cifs-zero-sensitive-data-when-freeing.patch
+cpufreq-mediatek-add-mediatek-related-projects-into-blacklist.patch
+dmaengine-dmatest-fix-container_of-member-in-dmatest_callback.patch
+sched-wait-fix-add_wait_queue-behavioral-change.patch
+watchdog-gpio_wdt-set-wdog_hw_running-in-gpio_wdt_stop.patch
+arm64-define-cputype-macros-for-falkor-cpu.patch
+arm64-add-software-workaround-for-falkor-erratum-1041.patch
+kvm-mmu-check-pending-exception-before-injecting-apf.patch
+sched-rt-use-container_of-to-get-root-domain-in-rto_push_irq_work_func.patch
+sched-rt-up-the-root-domain-ref-count-when-passing-it-around-via-ipis.patch
+drm-i915-add-.get_hw_state-method-for-planes.patch
+drm-i915-redo-plane-sanitation-during-readout.patch
+drm-i915-fix-deadlock-in-i830_disable_pipe.patch
+dccp-cve-2017-8824-use-after-free-in-dccp-code.patch
--- /dev/null
+From bc137dfdbec27c0ec5731a89002daded4a4aa1ea Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Date: Thu, 9 Nov 2017 14:39:55 +0100
+Subject: watchdog: gpio_wdt: set WDOG_HW_RUNNING in gpio_wdt_stop
+
+From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+
+commit bc137dfdbec27c0ec5731a89002daded4a4aa1ea upstream.
+
+The first patch above (https://patchwork.kernel.org/patch/9970181/)
+makes the oops go away, but it just papers over the problem. The real
+problem is that the watchdog core clears WDOG_HW_RUNNING in
+watchdog_stop, and the gpio driver fails to set it in its stop
+function when it doesn't actually stop it. This means that the core
+doesn't know that it now has responsibility for petting the device, in
+turn causing the device to reset the system (I hadn't noticed this
+because the board I'm working on has that reset logic disabled).
+
+How about this (other drivers may of course have the same problem, I
+haven't checked). One might say that ->stop should return an error
+when the device can't be stopped, but OTOH this brings parity between
+a device without a ->stop method and a GPIO wd that has always-running
+set. IOW, I think ->stop should only return an error when an actual
+attempt to stop the hardware failed.
+
+From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+
+The watchdog framework clears WDOG_HW_RUNNING before calling
+->stop. If the driver is unable to stop the device, it is supposed to
+set that bit again so that the watchdog core takes care of sending
+heart-beats while the device is not open from user-space. Update the
+gpio_wdt driver to honour that contract (and get rid of the redundant
+clearing of WDOG_HW_RUNNING).
+
+Fixes: 3c10bbde10 ("watchdog: core: Clear WDOG_HW_RUNNING before calling the stop function")
+Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/watchdog/gpio_wdt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/watchdog/gpio_wdt.c
++++ b/drivers/watchdog/gpio_wdt.c
+@@ -80,7 +80,8 @@ static int gpio_wdt_stop(struct watchdog
+
+ if (!priv->always_running) {
+ gpio_wdt_disable(priv);
+- clear_bit(WDOG_HW_RUNNING, &wdd->status);
++ } else {
++ set_bit(WDOG_HW_RUNNING, &wdd->status);
+ }
+
+ return 0;
projects / thirdparty / kernel / stable-queue.git / commitdiff
