--- /dev/null
+From 20e2b791796bd68816fa115f12be5320de2b8021 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 6 Jul 2017 12:34:40 +0200
+Subject: ALSA: msnd: Optimize / harden DSP and MIDI loops
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 20e2b791796bd68816fa115f12be5320de2b8021 upstream.
+
+The ISA msnd drivers have loops fetching the ring-buffer head, tail
+and size values inside the loops. Such codes are inefficient and
+fragile.
+
+This patch optimizes it, and also adds the sanity check to avoid the
+endless loops.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=196131
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=196133
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: grygorii tertychnyi <gtertych@cisco.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/isa/msnd/msnd_midi.c | 28 ++++++++++++++--------------
+ sound/isa/msnd/msnd_pinnacle.c | 23 ++++++++++++-----------
+ 2 files changed, 26 insertions(+), 25 deletions(-)
+
+--- a/sound/isa/msnd/msnd_midi.c
++++ b/sound/isa/msnd/msnd_midi.c
+@@ -120,24 +120,24 @@ void snd_msndmidi_input_read(void *mpuv)
+ unsigned long flags;
+ struct snd_msndmidi *mpu = mpuv;
+ void *pwMIDQData = mpu->dev->mappedbase + MIDQ_DATA_BUFF;
++ u16 head, tail, size;
+
+ spin_lock_irqsave(&mpu->input_lock, flags);
+- while (readw(mpu->dev->MIDQ + JQS_wTail) !=
+- readw(mpu->dev->MIDQ + JQS_wHead)) {
+- u16 wTmp, val;
+- val = readw(pwMIDQData + 2 * readw(mpu->dev->MIDQ + JQS_wHead));
++ head = readw(mpu->dev->MIDQ + JQS_wHead);
++ tail = readw(mpu->dev->MIDQ + JQS_wTail);
++ size = readw(mpu->dev->MIDQ + JQS_wSize);
++ if (head > size || tail > size)
++ goto out;
++ while (head != tail) {
++ unsigned char val = readw(pwMIDQData + 2 * head);
+
+- if (test_bit(MSNDMIDI_MODE_BIT_INPUT_TRIGGER,
+- &mpu->mode))
+- snd_rawmidi_receive(mpu->substream_input,
+- (unsigned char *)&val, 1);
+-
+- wTmp = readw(mpu->dev->MIDQ + JQS_wHead) + 1;
+- if (wTmp > readw(mpu->dev->MIDQ + JQS_wSize))
+- writew(0, mpu->dev->MIDQ + JQS_wHead);
+- else
+- writew(wTmp, mpu->dev->MIDQ + JQS_wHead);
++ if (test_bit(MSNDMIDI_MODE_BIT_INPUT_TRIGGER, &mpu->mode))
++ snd_rawmidi_receive(mpu->substream_input, &val, 1);
++ if (++head > size)
++ head = 0;
++ writew(head, mpu->dev->MIDQ + JQS_wHead);
+ }
++ out:
+ spin_unlock_irqrestore(&mpu->input_lock, flags);
+ }
+ EXPORT_SYMBOL(snd_msndmidi_input_read);
+--- a/sound/isa/msnd/msnd_pinnacle.c
++++ b/sound/isa/msnd/msnd_pinnacle.c
+@@ -170,23 +170,24 @@ static irqreturn_t snd_msnd_interrupt(in
+ {
+ struct snd_msnd *chip = dev_id;
+ void *pwDSPQData = chip->mappedbase + DSPQ_DATA_BUFF;
++ u16 head, tail, size;
+
+ /* Send ack to DSP */
+ /* inb(chip->io + HP_RXL); */
+
+ /* Evaluate queued DSP messages */
+- while (readw(chip->DSPQ + JQS_wTail) != readw(chip->DSPQ + JQS_wHead)) {
+- u16 wTmp;
+-
+- snd_msnd_eval_dsp_msg(chip,
+- readw(pwDSPQData + 2 * readw(chip->DSPQ + JQS_wHead)));
+-
+- wTmp = readw(chip->DSPQ + JQS_wHead) + 1;
+- if (wTmp > readw(chip->DSPQ + JQS_wSize))
+- writew(0, chip->DSPQ + JQS_wHead);
+- else
+- writew(wTmp, chip->DSPQ + JQS_wHead);
++ head = readw(chip->DSPQ + JQS_wHead);
++ tail = readw(chip->DSPQ + JQS_wTail);
++ size = readw(chip->DSPQ + JQS_wSize);
++ if (head > size || tail > size)
++ goto out;
++ while (head != tail) {
++ snd_msnd_eval_dsp_msg(chip, readw(pwDSPQData + 2 * head));
++ if (++head > size)
++ head = 0;
++ writew(head, chip->DSPQ + JQS_wHead);
+ }
++ out:
+ /* Send ack to DSP */
+ inb(chip->io + HP_RXL);
+ return IRQ_HANDLED;
--- /dev/null
+From 6c6b5a39c4bf3dbd8cf629c9f5450e983c19dbb9 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Tue, 4 Jul 2017 21:49:06 +1000
+Subject: btrfs: resume qgroup rescan on rw remount
+
+From: Aleksa Sarai <asarai@suse.de>
+
+commit 6c6b5a39c4bf3dbd8cf629c9f5450e983c19dbb9 upstream.
+
+Several distributions mount the "proper root" as ro during initrd and
+then remount it as rw before pivot_root(2). Thus, if a rescan had been
+aborted by a previous shutdown, the rescan would never be resumed.
+
+This issue would manifest itself as several btrfs ioctl(2)s causing the
+entire machine to hang when btrfs_qgroup_wait_for_completion was hit
+(due to the fs_info->qgroup_rescan_running flag being set but the rescan
+itself not being resumed). Notably, Docker's btrfs storage driver makes
+regular use of BTRFS_QUOTA_CTL_DISABLE and BTRFS_IOC_QUOTA_RESCAN_WAIT
+(causing this problem to be manifested on boot for some machines).
+
+Cc: Jeff Mahoney <jeffm@suse.com>
+Fixes: b382a324b60f ("Btrfs: fix qgroup rescan resume on mount")
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Tested-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/super.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -1828,6 +1828,8 @@ static int btrfs_remount(struct super_bl
+ goto restore;
+ }
+
++ btrfs_qgroup_rescan_resume(fs_info);
++
+ if (!fs_info->uuid_root) {
+ btrfs_info(fs_info, "creating UUID tree");
+ ret = btrfs_create_uuid_tree(fs_info);
--- /dev/null
+From 64531a3b70b17c8d3e77f2e49e5e1bb70f571266 Mon Sep 17 00:00:00 2001
+From: Brijesh Singh <brijesh.singh@amd.com>
+Date: Mon, 7 Aug 2017 14:11:30 -0500
+Subject: KVM: SVM: Limit PFERR_NESTED_GUEST_PAGE error_code check to L1 guest
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Brijesh Singh <brijesh.singh@amd.com>
+
+commit 64531a3b70b17c8d3e77f2e49e5e1bb70f571266 upstream.
+
+Commit 147277540bbc ("kvm: svm: Add support for additional SVM NPF error
+codes", 2016-11-23) added a new error code to aid nested page fault
+handling. The commit unprotects (kvm_mmu_unprotect_page) the page when
+we get a NPF due to guest page table walk where the page was marked RO.
+
+However, if an L0->L2 shadow nested page table can also be marked read-only
+when a page is read only in L1's nested page table. If such a page
+is accessed by L2 while walking page tables it can cause a nested
+page fault (page table walks are write accesses). However, after
+kvm_mmu_unprotect_page we may get another page fault, and again in an
+endless stream.
+
+To cover this use case, we qualify the new error_code check with
+vcpu->arch.mmu_direct_map so that the error_code check would run on L1
+guest, and not the L2 guest. This avoids hitting the above scenario.
+
+Fixes: 147277540bbc54119172481c8ef6d930cc9fbfc2
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Thomas Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/mmu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -4759,7 +4759,8 @@ int kvm_mmu_page_fault(struct kvm_vcpu *
+ * Note: AMD only (since it supports the PFERR_GUEST_PAGE_MASK used
+ * in PFERR_NEXT_GUEST_PAGE)
+ */
+- if (error_code == PFERR_NESTED_GUEST_PAGE) {
++ if (vcpu->arch.mmu.direct_map &&
++ error_code == PFERR_NESTED_GUEST_PAGE) {
+ kvm_mmu_unprotect_page(vcpu->kvm, gpa_to_gfn(cr2));
+ return 1;
+ }
--- /dev/null
+From 8606a1a94da5c4e49c0fb28af62d2e75c6747716 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Fri, 8 Sep 2017 16:13:25 -0700
+Subject: mm: kvfree the swap cluster info if the swap file is unsatisfactory
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+commit 8606a1a94da5c4e49c0fb28af62d2e75c6747716 upstream.
+
+If initializing a small swap file fails because the swap file has a
+problem (holes, etc.) then we need to free the cluster info as part of
+cleanup. Unfortunately a previous patch changed the code to use kvzalloc
+but did not change all the vfree calls to use kvfree.
+
+Found by running generic/357 from xfstests.
+
+Link: http://lkml.kernel.org/r/20170831233515.GR3775@magnolia
+Fixes: 54f180d3c181 ("mm, swap: use kvzalloc to allocate some swap data structures")
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: "Huang, Ying" <ying.huang@intel.com>
+Acked-by: David Rientjes <rientjes@google.com>
+Cc: Hugh Dickins <hughd@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/swapfile.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/swapfile.c
++++ b/mm/swapfile.c
+@@ -2903,7 +2903,7 @@ bad_swap:
+ p->flags = 0;
+ spin_unlock(&swap_lock);
+ vfree(swap_map);
+- vfree(cluster_info);
++ kvfree(cluster_info);
+ if (swap_file) {
+ if (inode && S_ISREG(inode->i_mode)) {
+ inode_unlock(inode);
--- /dev/null
+From de0c799bba2610a8e1e9a50d76a28614520a4cd4 Mon Sep 17 00:00:00 2001
+From: Laurent Dufour <ldufour@linux.vnet.ibm.com>
+Date: Fri, 8 Sep 2017 16:13:12 -0700
+Subject: mm/memory.c: fix mem_cgroup_oom_disable() call missing
+
+From: Laurent Dufour <ldufour@linux.vnet.ibm.com>
+
+commit de0c799bba2610a8e1e9a50d76a28614520a4cd4 upstream.
+
+Seen while reading the code, in handle_mm_fault(), in the case
+arch_vma_access_permitted() is failing the call to
+mem_cgroup_oom_disable() is not made.
+
+To fix that, move the call to mem_cgroup_oom_enable() after calling
+arch_vma_access_permitted() as it should not have entered the memcg OOM.
+
+Link: http://lkml.kernel.org/r/1504625439-31313-1-git-send-email-ldufour@linux.vnet.ibm.com
+Fixes: bae473a423f6 ("mm: introduce fault_env")
+Signed-off-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
+Acked-by: Kirill A. Shutemov <kirill@shutemov.name>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memory.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -3843,6 +3843,11 @@ int handle_mm_fault(struct vm_area_struc
+ /* do counter updates before entering really critical section. */
+ check_sync_rss_stat(current);
+
++ if (!arch_vma_access_permitted(vma, flags & FAULT_FLAG_WRITE,
++ flags & FAULT_FLAG_INSTRUCTION,
++ flags & FAULT_FLAG_REMOTE))
++ return VM_FAULT_SIGSEGV;
++
+ /*
+ * Enable the memcg OOM handling for faults triggered in user
+ * space. Kernel faults are handled more gracefully.
+@@ -3850,11 +3855,6 @@ int handle_mm_fault(struct vm_area_struc
+ if (flags & FAULT_FLAG_USER)
+ mem_cgroup_oom_enable();
+
+- if (!arch_vma_access_permitted(vma, flags & FAULT_FLAG_WRITE,
+- flags & FAULT_FLAG_INSTRUCTION,
+- flags & FAULT_FLAG_REMOTE))
+- return VM_FAULT_SIGSEGV;
+-
+ if (unlikely(is_vm_hugetlb_page(vma)))
+ ret = hugetlb_fault(vma->vm_mm, vma, address, flags);
+ else
--- /dev/null
+From b6b1fd2a6bedd533aeed83924d7be0e944fded9f Mon Sep 17 00:00:00 2001
+From: David Rientjes <rientjes@google.com>
+Date: Fri, 8 Sep 2017 16:13:29 -0700
+Subject: mm/swapfile.c: fix swapon frontswap_map memory leak on error
+
+From: David Rientjes <rientjes@google.com>
+
+commit b6b1fd2a6bedd533aeed83924d7be0e944fded9f upstream.
+
+Free frontswap_map if an error is encountered before enable_swap_info().
+
+Signed-off-by: David Rientjes <rientjes@google.com>
+Reviewed-by: "Huang, Ying" <ying.huang@intel.com>
+Cc: Darrick J. Wong <darrick.wong@oracle.com>
+Cc: Hugh Dickins <hughd@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/swapfile.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/swapfile.c
++++ b/mm/swapfile.c
+@@ -2904,6 +2904,7 @@ bad_swap:
+ spin_unlock(&swap_lock);
+ vfree(swap_map);
+ kvfree(cluster_info);
++ kvfree(frontswap_map);
+ if (swap_file) {
+ if (inode && S_ISREG(inode->i_mode)) {
+ inode_unlock(inode);
--- /dev/null
+From fd213b5bae800dc00a2930dcd07f63ab9bbff3f9 Mon Sep 17 00:00:00 2001
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Sat, 5 Aug 2017 14:16:24 +0200
+Subject: mtd: nand: hynix: add support for 20nm NAND chips
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+commit fd213b5bae800dc00a2930dcd07f63ab9bbff3f9 upstream.
+
+According to the datasheet of the H27UCG8T2BTR the NAND Technology field
+(6th byte of the "Device Identifier Description", bits 0-2) the
+following values are possible:
+- 0x0 = 48nm
+- 0x1 = 41nm
+- 0x2 = 32nm
+- 0x3 = 26nm
+- 0x4 = 20nm
+- (all others are reserved)
+
+Fix this by extending the mask for this field to allow detecting value
+0x4 (20nm) as valid NAND technology.
+Without this the detection of the ECC requirements fails, because the
+code assumes that the device is a 48nm device (0x4 & 0x3 = 0x0) and
+aborts with "Invalid ECC requirements" because it cannot map the "ECC
+Level". Extending the mask makes the ECC requirement detection code
+recognize this chip as <= 26nm and sets up the ECC step size and ECC
+strength correctly.
+
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Fixes: 78f3482d7480 ("mtd: nand: hynix: Rework NAND ID decoding to extract more information")
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/nand_hynix.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/nand/nand_hynix.c
++++ b/drivers/mtd/nand/nand_hynix.c
+@@ -477,7 +477,7 @@ static void hynix_nand_extract_ecc_requi
+ * The ECC requirements field meaning depends on the
+ * NAND technology.
+ */
+- u8 nand_tech = chip->id.data[5] & 0x3;
++ u8 nand_tech = chip->id.data[5] & 0x7;
+
+ if (nand_tech < 3) {
+ /* > 26nm, reference: H27UBG8T2A datasheet */
+@@ -533,7 +533,7 @@ static void hynix_nand_extract_scramblin
+ if (nand_tech > 0)
+ chip->options |= NAND_NEED_SCRAMBLING;
+ } else {
+- nand_tech = chip->id.data[5] & 0x3;
++ nand_tech = chip->id.data[5] & 0x7;
+
+ /* < 32nm */
+ if (nand_tech > 2)
--- /dev/null
+From 69fc01296c92814b62dbfba1600fe7ed2ed304f5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lothar=20Wa=C3=9Fmann?= <LW@KARO-electronics.de>
+Date: Tue, 29 Aug 2017 12:17:12 +0200
+Subject: mtd: nand: make Samsung SLC NAND usable again
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lothar Waßmann <LW@KARO-electronics.de>
+
+commit 69fc01296c92814b62dbfba1600fe7ed2ed304f5 upstream.
+
+commit c51d0ac59f24 ("mtd: nand: Move Samsung specific init/detection
+logic in nand_samsung.c") introduced a regression for Samsung SLC NAND
+chips. Prior to this commit chip->bits_per_cell was initialized by calling
+nand_get_bits_per_cell() before using nand_is_slc().
+With the offending commit this call is skipped, leaving
+chip->bits_per_cell cleared to zero when the manufacturer specific
+'.detect' function calls nand_is_slc() which in turn interprets
+bits_per_cell != 1 as indication for an MLC chip.
+The effect is that e.g. a K9F1G08U0F NAND chip is falsely detected as
+MLC NAND with 4KiB page size rather than SLC with 2KiB page size.
+
+Add a call to nand_get_bits_per_cell() before calling the .detect hook
+function in nand_manufacturer_detect(), so that the nand_is_slc()
+calls in the manufacturer specific code will return correct results.
+
+Fixes: c51d0ac59f24 ("mtd: nand: Move Samsung specific init/detection logic in nand_samsung.c")
+Signed-off-by: Lothar Waßmann <LW@KARO-electronics.de>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/nand_base.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/nand/nand_base.c
++++ b/drivers/mtd/nand/nand_base.c
+@@ -3972,10 +3972,13 @@ static void nand_manufacturer_detect(str
+ * nand_decode_ext_id() otherwise.
+ */
+ if (chip->manufacturer.desc && chip->manufacturer.desc->ops &&
+- chip->manufacturer.desc->ops->detect)
++ chip->manufacturer.desc->ops->detect) {
++ /* The 3rd id byte holds MLC / multichip data */
++ chip->bits_per_cell = nand_get_bits_per_cell(chip->id.data[2]);
+ chip->manufacturer.desc->ops->detect(chip);
+- else
++ } else {
+ nand_decode_ext_id(chip);
++ }
+ }
+
+ /*
--- /dev/null
+From 3bff08dffe3115a25ce04b95ea75f6d868572c60 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+Date: Fri, 25 Nov 2016 11:32:32 +0100
+Subject: mtd: nand: mxc: Fix mxc_v1 ooblayout
+
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+
+commit 3bff08dffe3115a25ce04b95ea75f6d868572c60 upstream.
+
+Commit a894cf6c5a82 ("mtd: nand: mxc: switch to mtd_ooblayout_ops")
+introduced a bug in the OOB layout description. Even if the driver claims
+that 3 ECC bytes are reserved to protect 512 bytes of data, it's actually
+5 ECC bytes to protect 512+6 bytes of data (some OOB bytes are also
+protected using extra ECC bytes).
+
+Fix the mxc_v1_ooblayout_{free,ecc}() functions to reflect this behavior.
+
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Fixes: a894cf6c5a82 ("mtd: nand: mxc: switch to mtd_ooblayout_ops")
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/mxc_nand.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/nand/mxc_nand.c
++++ b/drivers/mtd/nand/mxc_nand.c
+@@ -877,6 +877,8 @@ static void mxc_do_addr_cycle(struct mtd
+ }
+ }
+
++#define MXC_V1_ECCBYTES 5
++
+ static int mxc_v1_ooblayout_ecc(struct mtd_info *mtd, int section,
+ struct mtd_oob_region *oobregion)
+ {
+@@ -886,7 +888,7 @@ static int mxc_v1_ooblayout_ecc(struct m
+ return -ERANGE;
+
+ oobregion->offset = (section * 16) + 6;
+- oobregion->length = nand_chip->ecc.bytes;
++ oobregion->length = MXC_V1_ECCBYTES;
+
+ return 0;
+ }
+@@ -908,8 +910,7 @@ static int mxc_v1_ooblayout_free(struct
+ oobregion->length = 4;
+ }
+ } else {
+- oobregion->offset = ((section - 1) * 16) +
+- nand_chip->ecc.bytes + 6;
++ oobregion->offset = ((section - 1) * 16) + MXC_V1_ECCBYTES + 6;
+ if (section < nand_chip->ecc.steps)
+ oobregion->length = (section * 16) + 6 -
+ oobregion->offset;
--- /dev/null
+From 10777de570016471fd929869c7830a7772893e39 Mon Sep 17 00:00:00 2001
+From: Abhishek Sahu <absahu@codeaurora.org>
+Date: Thu, 3 Aug 2017 17:56:39 +0200
+Subject: mtd: nand: qcom: fix config error for BCH
+
+From: Abhishek Sahu <absahu@codeaurora.org>
+
+commit 10777de570016471fd929869c7830a7772893e39 upstream.
+
+The configuration for BCH is not correct in the current driver.
+The ECC_CFG_ECC_DISABLE bit defines whether to enable or disable the
+BCH ECC in which
+
+ 0x1 : BCH_DISABLED
+ 0x0 : BCH_ENABLED
+
+But currently host->bch_enabled is being assigned to BCH_DISABLED.
+
+Fixes: c76b78d8ec05a ("mtd: nand: Qualcomm NAND controller driver")
+Signed-off-by: Abhishek Sahu <absahu@codeaurora.org>
+Reviewed-by: Archit Taneja <architt@codeaurora.org>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/qcom_nandc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/qcom_nandc.c
++++ b/drivers/mtd/nand/qcom_nandc.c
+@@ -1900,7 +1900,7 @@ static int qcom_nand_host_setup(struct q
+ | wide_bus << WIDE_FLASH
+ | 1 << DEV0_CFG1_ECC_DISABLE;
+
+- host->ecc_bch_cfg = host->bch_enabled << ECC_CFG_ECC_DISABLE
++ host->ecc_bch_cfg = !host->bch_enabled << ECC_CFG_ECC_DISABLE
+ | 0 << ECC_SW_RESET
+ | host->cw_data << ECC_NUM_DATA_BYTES
+ | 1 << ECC_FORCE_CLK_OPEN
--- /dev/null
+From d8a9b320a26c1ea28e51e4f3ecfb593d5aac2910 Mon Sep 17 00:00:00 2001
+From: Abhishek Sahu <absahu@codeaurora.org>
+Date: Fri, 11 Aug 2017 17:09:16 +0530
+Subject: mtd: nand: qcom: fix read failure without complete bootchain
+
+From: Abhishek Sahu <absahu@codeaurora.org>
+
+commit d8a9b320a26c1ea28e51e4f3ecfb593d5aac2910 upstream.
+
+The NAND page read fails without complete boot chain since
+NAND_DEV_CMD_VLD value is not proper. The default power on reset
+value for this register is
+
+ 0xe - ERASE_START_VALID | WRITE_START_VALID | READ_STOP_VALID
+
+The READ_START_VALID should be enabled for sending PAGE_READ
+command. READ_STOP_VALID should be cleared since normal NAND
+page read does not require READ_STOP command.
+
+Fixes: c76b78d8ec05a ("mtd: nand: Qualcomm NAND controller driver")
+Reviewed-by: Archit Taneja <architt@codeaurora.org>
+Signed-off-by: Abhishek Sahu <absahu@codeaurora.org>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/qcom_nandc.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/mtd/nand/qcom_nandc.c
++++ b/drivers/mtd/nand/qcom_nandc.c
+@@ -109,7 +109,11 @@
+ #define READ_ADDR 0
+
+ /* NAND_DEV_CMD_VLD bits */
+-#define READ_START_VLD 0
++#define READ_START_VLD BIT(0)
++#define READ_STOP_VLD BIT(1)
++#define WRITE_START_VLD BIT(2)
++#define ERASE_START_VLD BIT(3)
++#define SEQ_READ_START_VLD BIT(4)
+
+ /* NAND_EBI2_ECC_BUF_CFG bits */
+ #define NUM_STEPS 0
+@@ -148,6 +152,10 @@
+ #define FETCH_ID 0xb
+ #define RESET_DEVICE 0xd
+
++/* Default Value for NAND_DEV_CMD_VLD */
++#define NAND_DEV_CMD_VLD_VAL (READ_START_VLD | WRITE_START_VLD | \
++ ERASE_START_VLD | SEQ_READ_START_VLD)
++
+ /*
+ * the NAND controller performs reads/writes with ECC in 516 byte chunks.
+ * the driver calls the chunks 'step' or 'codeword' interchangeably
+@@ -672,8 +680,7 @@ static int nandc_param(struct qcom_nand_
+
+ /* configure CMD1 and VLD for ONFI param probing */
+ nandc_set_reg(nandc, NAND_DEV_CMD_VLD,
+- (nandc->vld & ~(1 << READ_START_VLD))
+- | 0 << READ_START_VLD);
++ (nandc->vld & ~READ_START_VLD));
+ nandc_set_reg(nandc, NAND_DEV_CMD1,
+ (nandc->cmd1 & ~(0xFF << READ_ADDR))
+ | NAND_CMD_PARAM << READ_ADDR);
+@@ -1972,13 +1979,14 @@ static int qcom_nandc_setup(struct qcom_
+ {
+ /* kill onenand */
+ nandc_write(nandc, SFLASHC_BURST_CFG, 0);
++ nandc_write(nandc, NAND_DEV_CMD_VLD, NAND_DEV_CMD_VLD_VAL);
+
+ /* enable ADM DMA */
+ nandc_write(nandc, NAND_FLASH_CHIP_SELECT, DM_EN);
+
+ /* save the original values of these registers */
+ nandc->cmd1 = nandc_read(nandc, NAND_DEV_CMD1);
+- nandc->vld = nandc_read(nandc, NAND_DEV_CMD_VLD);
++ nandc->vld = NAND_DEV_CMD_VLD_VAL;
+
+ return 0;
+ }
--- /dev/null
+From 40a5fce495715c48c2e02668144e68a507ac5a30 Mon Sep 17 00:00:00 2001
+From: Daniel Verkamp <daniel.verkamp@intel.com>
+Date: Wed, 30 Aug 2017 15:18:19 -0700
+Subject: nvme-fabrics: generate spec-compliant UUID NQNs
+
+From: Daniel Verkamp <daniel.verkamp@intel.com>
+
+commit 40a5fce495715c48c2e02668144e68a507ac5a30 upstream.
+
+The default host NQN, which is generated based on the host's UUID,
+does not follow the UUID-based NQN format laid out in the NVMe 1.3
+specification. Remove the "NVMf:" portion of the NQN to match the spec.
+
+Signed-off-by: Daniel Verkamp <daniel.verkamp@intel.com>
+Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvme/host/fabrics.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/fabrics.c
++++ b/drivers/nvme/host/fabrics.c
+@@ -77,7 +77,7 @@ static struct nvmf_host *nvmf_host_defau
+ kref_init(&host->ref);
+ uuid_be_gen(&host->id);
+ snprintf(host->nqn, NVMF_NQN_SIZE,
+- "nqn.2014-08.org.nvmexpress:NVMf:uuid:%pUb", &host->id);
++ "nqn.2014-08.org.nvmexpress:uuid:%pUb", &host->id);
+
+ mutex_lock(&nvmf_hosts_mutex);
+ list_add_tail(&host->list, &nvmf_hosts);
--- /dev/null
+From bc9ae2247ac92fd4d962507bafa3afffff6660ff Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 8 Sep 2017 16:15:54 -0700
+Subject: radix-tree: must check __radix_tree_preload() return value
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit bc9ae2247ac92fd4d962507bafa3afffff6660ff upstream.
+
+__radix_tree_preload() only disables preemption if no error is returned.
+
+So we really need to make sure callers always check the return value.
+
+idr_preload() contract is to always disable preemption, so we need
+to add a missing preempt_disable() if an error happened.
+
+Similarly, ida_pre_get() only needs to call preempt_enable() in the
+case no error happened.
+
+Link: http://lkml.kernel.org/r/1504637190.15310.62.camel@edumazet-glaptop3.roam.corp.google.com
+Fixes: 0a835c4f090a ("Reimplement IDR and IDA using the radix tree")
+Fixes: 7ad3d4d85c7a ("ida: Move ida_bitmap to a percpu variable")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Matthew Wilcox <mawilcox@microsoft.com>
+Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/radix-tree.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/lib/radix-tree.c
++++ b/lib/radix-tree.c
+@@ -463,7 +463,7 @@ radix_tree_node_free(struct radix_tree_n
+ * To make use of this facility, the radix tree must be initialised without
+ * __GFP_DIRECT_RECLAIM being passed to INIT_RADIX_TREE().
+ */
+-static int __radix_tree_preload(gfp_t gfp_mask, unsigned nr)
++static __must_check int __radix_tree_preload(gfp_t gfp_mask, unsigned nr)
+ {
+ struct radix_tree_preload *rtp;
+ struct radix_tree_node *node;
+@@ -2103,7 +2103,8 @@ EXPORT_SYMBOL(radix_tree_tagged);
+ */
+ void idr_preload(gfp_t gfp_mask)
+ {
+- __radix_tree_preload(gfp_mask, IDR_PRELOAD_SIZE);
++ if (__radix_tree_preload(gfp_mask, IDR_PRELOAD_SIZE))
++ preempt_disable();
+ }
+ EXPORT_SYMBOL(idr_preload);
+
+@@ -2117,13 +2118,13 @@ EXPORT_SYMBOL(idr_preload);
+ */
+ int ida_pre_get(struct ida *ida, gfp_t gfp)
+ {
+- __radix_tree_preload(gfp, IDA_PRELOAD_SIZE);
+ /*
+ * The IDA API has no preload_end() equivalent. Instead,
+ * ida_get_new() can return -EAGAIN, prompting the caller
+ * to return to the ida_pre_get() step.
+ */
+- preempt_enable();
++ if (!__radix_tree_preload(gfp, IDA_PRELOAD_SIZE))
++ preempt_enable();
+
+ if (!this_cpu_read(ida_bitmap)) {
+ struct ida_bitmap *bitmap = kmalloc(sizeof(*bitmap), gfp);
--- /dev/null
+From a33fcba6ec01efcca33b1afad91057020f247f15 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Mon, 4 Sep 2017 12:51:33 -0500
+Subject: rtlwifi: btcoexist: Fix breakage of ant_sel for rtl8723be
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit a33fcba6ec01efcca33b1afad91057020f247f15 upstream.
+
+In commit bcd37f4a0831 ("rtlwifi: btcoex: 23b 2ant: let bt transmit when
+hw initialisation done"), there is an additional error when the module
+parameter ant_sel is used to select the auxilary antenna. The error is
+that the antenna selection is not checked when writing the antenna
+selection register.
+
+Fixes: bcd37f4a0831 ("rtlwifi: btcoex: 23b 2ant: let bt transmit when hw initialisation done")
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Cc: Ping-Ke Shih <pkshih@realtek.com>
+Cc: Yan-Hsuan Chuang <yhchuang@realtek.com>
+Cc: Birming Chiu <birming@realtek.com>
+Cc: Shaofu <shaofu@realtek.com>
+Cc: Steven Ting <steventing@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtc8723b2ant.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtc8723b2ant.c
++++ b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtc8723b2ant.c
+@@ -1153,7 +1153,10 @@ static void btc8723b2ant_set_ant_path(st
+ }
+
+ /* fixed internal switch S1->WiFi, S0->BT */
+- btcoexist->btc_write_4byte(btcoexist, 0x948, 0x0);
++ if (board_info->btdm_ant_pos == BTC_ANTENNA_AT_MAIN_PORT)
++ btcoexist->btc_write_2byte(btcoexist, 0x948, 0x0);
++ else
++ btcoexist->btc_write_2byte(btcoexist, 0x948, 0x280);
+
+ switch (antpos_type) {
+ case BTC_ANT_WIFI_AT_MAIN:
--- /dev/null
+From 23d98c204386a98d9ef9f9e744f41443ece4929f Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Tue, 1 Aug 2017 07:11:36 -0700
+Subject: selftests/x86/fsgsbase: Test selectors 1, 2, and 3
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 23d98c204386a98d9ef9f9e744f41443ece4929f upstream.
+
+Those are funny cases. Make sure they work.
+
+(Something is screwy with signal handling if a selector is 1, 2, or 3.
+Anyone who wants to dive into that rabbit hole is welcome to do so.)
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Borislav Petkov <bpetkov@suse.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Chang Seok <chang.seok.bae@intel.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/testing/selftests/x86/fsgsbase.c | 41 ++++++++++++++++++++++++++++-----
+ 1 file changed, 35 insertions(+), 6 deletions(-)
+
+--- a/tools/testing/selftests/x86/fsgsbase.c
++++ b/tools/testing/selftests/x86/fsgsbase.c
+@@ -285,9 +285,12 @@ static void *threadproc(void *ctx)
+ }
+ }
+
+-static void set_gs_and_switch_to(unsigned long local, unsigned long remote)
++static void set_gs_and_switch_to(unsigned long local,
++ unsigned short force_sel,
++ unsigned long remote)
+ {
+ unsigned long base;
++ unsigned short sel_pre_sched, sel_post_sched;
+
+ bool hard_zero = false;
+ if (local == HARD_ZERO) {
+@@ -297,6 +300,8 @@ static void set_gs_and_switch_to(unsigne
+
+ printf("[RUN]\tARCH_SET_GS(0x%lx)%s, then schedule to 0x%lx\n",
+ local, hard_zero ? " and clear gs" : "", remote);
++ if (force_sel)
++ printf("\tBefore schedule, set selector to 0x%hx\n", force_sel);
+ if (syscall(SYS_arch_prctl, ARCH_SET_GS, local) != 0)
+ err(1, "ARCH_SET_GS");
+ if (hard_zero)
+@@ -307,18 +312,35 @@ static void set_gs_and_switch_to(unsigne
+ printf("[FAIL]\tGSBASE wasn't set as expected\n");
+ }
+
++ if (force_sel) {
++ asm volatile ("mov %0, %%gs" : : "rm" (force_sel));
++ sel_pre_sched = force_sel;
++ local = read_base(GS);
++
++ /*
++ * Signal delivery seems to mess up weird selectors. Put it
++ * back.
++ */
++ asm volatile ("mov %0, %%gs" : : "rm" (force_sel));
++ } else {
++ asm volatile ("mov %%gs, %0" : "=rm" (sel_pre_sched));
++ }
++
+ remote_base = remote;
+ ftx = 1;
+ syscall(SYS_futex, &ftx, FUTEX_WAKE, 0, NULL, NULL, 0);
+ while (ftx != 0)
+ syscall(SYS_futex, &ftx, FUTEX_WAIT, 1, NULL, NULL, 0);
+
++ asm volatile ("mov %%gs, %0" : "=rm" (sel_post_sched));
+ base = read_base(GS);
+- if (base == local) {
+- printf("[OK]\tGSBASE remained 0x%lx\n", local);
++ if (base == local && sel_pre_sched == sel_post_sched) {
++ printf("[OK]\tGS/BASE remained 0x%hx/0x%lx\n",
++ sel_pre_sched, local);
+ } else {
+ nerrs++;
+- printf("[FAIL]\tGSBASE changed to 0x%lx\n", base);
++ printf("[FAIL]\tGS/BASE changed from 0x%hx/0x%lx to 0x%hx/0x%lx\n",
++ sel_pre_sched, local, sel_post_sched, base);
+ }
+ }
+
+@@ -381,8 +403,15 @@ int main()
+
+ for (int local = 0; local < 4; local++) {
+ for (int remote = 0; remote < 4; remote++) {
+- set_gs_and_switch_to(bases_with_hard_zero[local],
+- bases_with_hard_zero[remote]);
++ for (unsigned short s = 0; s < 5; s++) {
++ unsigned short sel = s;
++ if (s == 4)
++ asm ("mov %%ss, %0" : "=rm" (sel));
++ set_gs_and_switch_to(
++ bases_with_hard_zero[local],
++ sel,
++ bases_with_hard_zero[remote]);
++ }
+ }
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
