From 80fe9a0a119cb00b0769ed7fae1e46a0be49501c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 28 Aug 2017 09:18:13 +0200
Subject: [PATCH] 4.4-stable patches

added patches:
 acpi-apei-add-missing-synchronize_rcu-on-notify_sci-removal.patch
 acpi-ioapic-clear-on-stack-resource-before-using-it.patch
 ntb_transport-fix-bug-calculating-num_qps_mw.patch
 ntb_transport-fix-qp-count-bug.patch
---
 ...ynchronize_rcu-on-notify_sci-removal.patch | 34 +++++++++++++
 ...ar-on-stack-resource-before-using-it.patch | 42 +++++++++++++++
 ...sport-fix-bug-calculating-num_qps_mw.patch | 51 +++++++++++++++++++
 .../ntb_transport-fix-qp-count-bug.patch | 42 +++++++++++++++
 queue-4.4/series | 4 ++
 5 files changed, 173 insertions(+)
 create mode 100644 queue-4.4/acpi-apei-add-missing-synchronize_rcu-on-notify_sci-removal.patch
 create mode 100644 queue-4.4/acpi-ioapic-clear-on-stack-resource-before-using-it.patch
 create mode 100644 queue-4.4/ntb_transport-fix-bug-calculating-num_qps_mw.patch
 create mode 100644 queue-4.4/ntb_transport-fix-qp-count-bug.patch
diff --git a/queue-4.4/acpi-apei-add-missing-synchronize_rcu-on-notify_sci-removal.patch b/queue-4.4/acpi-apei-add-missing-synchronize_rcu-on-notify_sci-removal.patch
new file mode 100644
index 00000000000..0fe541c909c
--- /dev/null
+++ b/queue-4.4/acpi-apei-add-missing-synchronize_rcu-on-notify_sci-removal.patch
@@ -0,0 +1,34 @@
+From 7d64f82cceb21e6d95db312d284f5f195e120154 Mon Sep 17 00:00:00 2001
+From: James Morse
+Date: Thu, 16 Mar 2017 14:30:39 +0000
+Subject: ACPI / APEI: Add missing synchronize_rcu() on NOTIFY_SCI removal
+
+From: James Morse
+
+commit 7d64f82cceb21e6d95db312d284f5f195e120154 upstream.
+
+When removing a GHES device notified by SCI, list_del_rcu() is used,
+ghes_remove() should call synchronize_rcu() before it goes on to call
+kfree(ghes), otherwise concurrent RCU readers may still hold this list
+entry after it has been freed.
+
+Signed-off-by: James Morse
+Reviewed-by: "Huang, Ying"
+Fixes: 81e88fdc432a (ACPI, APEI, Generic Hardware Error Source POLL/IRQ/NMI notification type support)
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/acpi/apei/ghes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/acpi/apei/ghes.c
++++ b/drivers/acpi/apei/ghes.c
+@@ -1067,6 +1067,7 @@ static int ghes_remove(struct platform_d
+ if (list_empty(&ghes_sci))
+ unregister_acpi_hed_notifier(&ghes_notifier_sci);
+ mutex_unlock(&ghes_list_mutex);
++ synchronize_rcu();
+ break;
+ case ACPI_HEST_NOTIFY_NMI:
+ ghes_nmi_remove(ghes);
diff --git a/queue-4.4/acpi-ioapic-clear-on-stack-resource-before-using-it.patch b/queue-4.4/acpi-ioapic-clear-on-stack-resource-before-using-it.patch
new file mode 100644
index 00000000000..d0facf04619
--- /dev/null
+++ b/queue-4.4/acpi-ioapic-clear-on-stack-resource-before-using-it.patch
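Review bot: The `synchronize_rcu()` added to the NOTIFY_SCI case of `ghes_remove()` (acpi-apei-add-missing-synchronize_rcu-on-notify_sci-removal.patch) has no comment, so the call site does not say which free it is ordering against. The commit message ties it to a `list_del_rcu()` before it and a later `kfree(ghes)`, both outside the hunk; a one-line comment such as `/* wait for RCU readers of the ghes_sci list before ghes is freed */` would keep that link visible and make it harder to drop the call in a later cleanup. The wait is placed after `mutex_unlock(&ghes_list_mutex)`, so the list mutex is not held across the grace period, which is worth preserving. The function starts and ends outside the hunk.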
@@ -0,0 +1,42 @@
+From e3d5092b6756b9e0b08f94bbeafcc7afe19f0996 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel
+Date: Wed, 22 Mar 2017 18:33:23 +0100
+Subject: ACPI: ioapic: Clear on-stack resource before using it
+
+From: Joerg Roedel
+
+commit e3d5092b6756b9e0b08f94bbeafcc7afe19f0996 upstream.
+
+The on-stack resource-window 'win' in setup_res() is not
+properly initialized. This causes the pointers in the
+embedded 'struct resource' to contain stale addresses.
+
+These pointers (in my case the ->child pointer) later get
+propagated to the global iomem_resources list, causing a #GP
+exception when the list is traversed in
+iomem_map_sanity_check().
+
+Fixes: c183619b63ec (x86/irq, ACPI: Implement ACPI driver to support IOAPIC hotplug)
+Signed-off-by: Joerg Roedel
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/acpi/ioapic.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/acpi/ioapic.c
++++ b/drivers/acpi/ioapic.c
+@@ -45,6 +45,12 @@ static acpi_status setup_res(struct acpi
+ struct resource *res = data;
+ struct resource_win win;
+
++ /*
++ * We might assign this to 'res' later, make sure all pointers are
++ * cleared before the resource is added to the global list
++ */
++ memset(&win, 0, sizeof(win));
++
+ res->flags = 0;
+ if (acpi_dev_filter_resource_type(acpi_res, IORESOURCE_MEM) == 0)
+ return AE_OK;
diff --git a/queue-4.4/ntb_transport-fix-bug-calculating-num_qps_mw.patch b/queue-4.4/ntb_transport-fix-bug-calculating-num_qps_mw.patch
new file mode 100644
index 00000000000..2011a216c31
--- /dev/null
+++ b/queue-4.4/ntb_transport-fix-bug-calculating-num_qps_mw.patch
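Review bot: Only `win` is zeroed in `setup_res()`; the caller-supplied `res` (taken from `data`) has just `flags` reset in the visible lines, so its `parent`/`sibling`/`child` pointers are whatever the caller left there. Whether the caller hands in a fully initialised `struct resource` is outside the hunk and should be confirmed, since the commit message describes exactly this class of stale pointer reaching the global resource list. The added comment says `win` may later be assigned to `res`; if that is a whole-struct copy, copying only the range and flag fields at that point would stop pointer members from being carried across at all. The function continues past the end of the hunk.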
@@ -0,0 +1,51 @@
+From 8e8496e0e9564b66165f5219a4e8ed20b0d3fc6b Mon Sep 17 00:00:00 2001
+From: Logan Gunthorpe
+Date: Mon, 5 Jun 2017 14:00:53 -0600
+Subject: ntb_transport: fix bug calculating num_qps_mw
+
+From: Logan Gunthorpe
+
+commit 8e8496e0e9564b66165f5219a4e8ed20b0d3fc6b upstream.
+
+A divide by zero error occurs if qp_count is less than mw_count because
+num_qps_mw is calculated to be zero. The calculation appears to be
+incorrect.
+
+The requirement is for num_qps_mw to be set to qp_count / mw_count
+with any remainder divided among the earlier mws.
+
+For example, if mw_count is 5 and qp_count is 12 then mws 0 and 1
+will have 3 qps per window and mws 2 through 4 will have 2 qps per window.
+Thus, when mw_num < qp_count % mw_count, num_qps_mw is 1 higher
+than when mw_num >= qp_count.
+
+Signed-off-by: Logan Gunthorpe
+Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers")
+Acked-by: Allen Hubbe
+Signed-off-by: Jon Mason
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/ntb/ntb_transport.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -599,7 +599,7 @@ static int ntb_transport_setup_qp_mw(str
+ if (!mw->virt_addr)
+ return -ENOMEM;
+
+- if (qp_count % mw_count && mw_num + 1 < qp_count / mw_count)
++ if (mw_num < qp_count % mw_count)
+ num_qps_mw = qp_count / mw_count + 1;
+ else
+ num_qps_mw = qp_count / mw_count;
+@@ -947,7 +947,7 @@ static int ntb_transport_init_queue(stru
+ qp->event_handler = NULL;
+ ntb_qp_link_down_reset(qp);
+
+- if (qp_count % mw_count && mw_num + 1 < qp_count / mw_count)
++ if (mw_num < qp_count % mw_count)
+ num_qps_mw = qp_count / mw_count + 1;
+ else
+ num_qps_mw = qp_count / mw_count;
diff --git a/queue-4.4/ntb_transport-fix-qp-count-bug.patch b/queue-4.4/ntb_transport-fix-qp-count-bug.patch
new file mode 100644
index 00000000000..9ac948f0f5f
--- /dev/null
+++ b/queue-4.4/ntb_transport-fix-qp-count-bug.patch
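Review bot: The same four-line remainder computation is patched twice, in `ntb_transport_setup_qp_mw()` and `ntb_transport_init_queue()`, and the wrong condition had to be corrected identically in both; a single static helper would keep the two from diverging again. Both copies also evaluate `qp_count % mw_count` and `qp_count / mw_count` with no visible guard against `mw_count == 0`; whether an earlier check excludes that is outside these hunks and worth confirming, given that the bug being fixed is a division by zero. The helper name and the `unsigned int` parameter types below are suggestions and should match the callers' declarations, which are not visible here. Both functions start and end outside the hunks.

```c
/* Proposed helper (name is a suggestion): number of queue pairs assigned to
 * memory window mw_num when qp_count queues are spread over mw_count windows,
 * with the remainder going to the lowest-numbered windows. */
static unsigned int ntb_qps_in_mw(unsigned int qp_count, unsigned int mw_count,
				  unsigned int mw_num)
{
	unsigned int num_qps_mw = qp_count / mw_count;

	if (mw_num < qp_count % mw_count)
		num_qps_mw++;
	return num_qps_mw;
}

/* … unchanged: rest of ntb_transport_setup_qp_mw() / ntb_transport_init_queue() … */
	num_qps_mw = ntb_qps_in_mw(qp_count, mw_count, mw_num);
```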
@@ -0,0 +1,42 @@
+From cb827ee6ccc3e480f0d9c0e8e53eef55be5b0414 Mon Sep 17 00:00:00 2001
+From: Logan Gunthorpe
+Date: Mon, 5 Jun 2017 14:00:52 -0600
+Subject: ntb_transport: fix qp count bug
+
+From: Logan Gunthorpe
+
+commit cb827ee6ccc3e480f0d9c0e8e53eef55be5b0414 upstream.
+
+In cases where there are more mw's than spads/2-2, the mw count gets
+reduced to match the limitation. ntb_transport also tries to ensure that
+there are fewer qps than mws but uses the full mw count instead of
+the reduced one. When this happens, the math in
+'ntb_transport_setup_qp_mw' will get confused and result in a kernel
+paging request bug.
+
+This patch fixes the bug by reducing qp_count to the reduced mw count
+instead of the full mw count.
+
+Signed-off-by: Logan Gunthorpe
+Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers")
+Acked-by: Allen Hubbe
+Signed-off-by: Jon Mason
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/ntb/ntb_transport.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -1065,8 +1065,8 @@ static int ntb_transport_probe(struct nt
+ qp_count = ilog2(qp_bitmap);
+ if (max_num_clients && max_num_clients < qp_count)
+ qp_count = max_num_clients;
+- else if (mw_count < qp_count)
+- qp_count = mw_count;
++ else if (nt->mw_count < qp_count)
++ qp_count = nt->mw_count;
+
+ qp_bitmap &= BIT_ULL(qp_count) - 1;
+
diff --git a/queue-4.4/series b/queue-4.4/series
index ebbaa5930f3..4c1060fffcf 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
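Review bot: The clamp to `nt->mw_count` in `ntb_transport_probe()` sits in the `else if`, so it is skipped whenever `max_num_clients` is set and smaller than `qp_count`, and `qp_count` can still end up larger than the reduced window count. If that is intended, a comment such as `/* max_num_clients may leave more qps than mws; queues are then shared between windows */` would record it; if it is not, the two limits should be applied as independent `if` statements. The local `mw_count` used by the removed lines is presumably still in scope for the rest of the function, which is outside the hunk, so other uses of it are worth checking for the same full-versus-reduced mix-up.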
@@ -47,3 +47,7 @@ asoc-rsnd-avoid-pointless-loop-in-rsnd_mod_interrupt.patch
 asoc-rsnd-add-missing-initialization-of-adg-req_rate.patch
 asoc-rsnd-ssi-24bit-data-needs-right-aligned-settings.patch
 asoc-rsnd-don-t-call-update-callback-if-it-was-null.patch
+ntb_transport-fix-qp-count-bug.patch
+ntb_transport-fix-bug-calculating-num_qps_mw.patch
+acpi-ioapic-clear-on-stack-resource-before-using-it.patch
+acpi-apei-add-missing-synchronize_rcu-on-notify_sci-removal.patch
-- 
2.47.3