4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 12 Mar 2018 15:45:51 +0000 (16:45 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 12 Mar 2018 15:45:51 +0000 (16:45 +0100)
added patches:
alsa-hda-add-dock-and-led-support-for-hp-elitebook-820-g3.patch
alsa-hda-add-dock-and-led-support-for-hp-probook-640-g2.patch
alsa-hda-fix-a-wrong-fixup-for-alc289-on-dell-machines.patch
alsa-hda-realtek-fix-dock-line-out-volume-on-dell-precision-7520.patch
alsa-seq-don-t-allow-resizing-pool-in-use.patch
alsa-seq-more-protection-for-concurrent-write-and-ioctl-races.patch
bcache-don-t-attach-backing-with-duplicate-uuid.patch
drm-allow-determining-if-current-task-is-output-poll-worker.patch
drm-amdgpu-fix-deadlock-on-runtime-suspend.patch
drm-amdgpu-fix-kv-harvesting.patch
drm-amdgpu-notify-sbios-device-ready-before-send-request.patch
drm-nouveau-fix-deadlock-on-runtime-suspend.patch
drm-radeon-fix-deadlock-on-runtime-suspend.patch
drm-radeon-fix-kv-harvesting.patch
input-matrix_keypad-fix-race-when-disabling-interrupts.patch
kbuild-handle-builtin-dtb-file-names-containing-hyphens.patch
loop-fix-lost-writes-caused-by-missing-flag.patch
mips-ath25-check-for-kzalloc-allocation-failure.patch
mips-bmips-do-not-mask-ipis-during-suspend.patch
mips-octeon-irq-check-for-null-return-on-kzalloc-allocation.patch
scsi-qla2xxx-fix-null-pointer-crash-due-to-active-timer-for-abts.patch
workqueue-allow-retrieval-of-current-task-s-work-struct.patch
x86-mce-serialize-sysfs-changes.patch

24 files changed:
queue-4.4/alsa-hda-add-dock-and-led-support-for-hp-elitebook-820-g3.patch [new file with mode: 0644]
queue-4.4/alsa-hda-add-dock-and-led-support-for-hp-probook-640-g2.patch [new file with mode: 0644]
queue-4.4/alsa-hda-fix-a-wrong-fixup-for-alc289-on-dell-machines.patch [new file with mode: 0644]
queue-4.4/alsa-hda-realtek-fix-dock-line-out-volume-on-dell-precision-7520.patch [new file with mode: 0644]
queue-4.4/alsa-seq-don-t-allow-resizing-pool-in-use.patch [new file with mode: 0644]
queue-4.4/alsa-seq-more-protection-for-concurrent-write-and-ioctl-races.patch [new file with mode: 0644]
queue-4.4/bcache-don-t-attach-backing-with-duplicate-uuid.patch [new file with mode: 0644]
queue-4.4/drm-allow-determining-if-current-task-is-output-poll-worker.patch [new file with mode: 0644]
queue-4.4/drm-amdgpu-fix-deadlock-on-runtime-suspend.patch [new file with mode: 0644]
queue-4.4/drm-amdgpu-fix-kv-harvesting.patch [new file with mode: 0644]
queue-4.4/drm-amdgpu-notify-sbios-device-ready-before-send-request.patch [new file with mode: 0644]
queue-4.4/drm-nouveau-fix-deadlock-on-runtime-suspend.patch [new file with mode: 0644]
queue-4.4/drm-radeon-fix-deadlock-on-runtime-suspend.patch [new file with mode: 0644]
queue-4.4/drm-radeon-fix-kv-harvesting.patch [new file with mode: 0644]
queue-4.4/input-matrix_keypad-fix-race-when-disabling-interrupts.patch [new file with mode: 0644]
queue-4.4/kbuild-handle-builtin-dtb-file-names-containing-hyphens.patch [new file with mode: 0644]
queue-4.4/loop-fix-lost-writes-caused-by-missing-flag.patch [new file with mode: 0644]
queue-4.4/mips-ath25-check-for-kzalloc-allocation-failure.patch [new file with mode: 0644]
queue-4.4/mips-bmips-do-not-mask-ipis-during-suspend.patch [new file with mode: 0644]
queue-4.4/mips-octeon-irq-check-for-null-return-on-kzalloc-allocation.patch [new file with mode: 0644]
queue-4.4/scsi-qla2xxx-fix-null-pointer-crash-due-to-active-timer-for-abts.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/workqueue-allow-retrieval-of-current-task-s-work-struct.patch [new file with mode: 0644]
queue-4.4/x86-mce-serialize-sysfs-changes.patch [new file with mode: 0644]

diff --git a/queue-4.4/alsa-hda-add-dock-and-led-support-for-hp-elitebook-820-g3.patch b/queue-4.4/alsa-hda-add-dock-and-led-support-for-hp-elitebook-820-g3.patch
new file mode 100644 (file)
index 0000000..19a3a16
--- /dev/null
@@ -0,0 +1,32 @@
+From aea808172018ca01abf53db808323aed23281835 Mon Sep 17 00:00:00 2001
+From: Dennis Wassenberg <dennis.wassenberg@secunet.com>
+Date: Thu, 8 Mar 2018 15:49:03 +0100
+Subject: ALSA: hda: add dock and led support for HP EliteBook 820 G3
+
+From: Dennis Wassenberg <dennis.wassenberg@secunet.com>
+
+commit aea808172018ca01abf53db808323aed23281835 upstream.
+
+This patch adds missing initialisation for HP 2013 UltraSlim Dock
+Line-In/Out PINs and activates keyboard mute/micmute leds
+for HP EliteBook 820 G3
+
+Signed-off-by: Dennis Wassenberg <dennis.wassenberg@secunet.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_conexant.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -849,6 +849,7 @@ static const struct snd_pci_quirk cxt506
+       SND_PCI_QUIRK(0x1025, 0x054c, "Acer Aspire 3830TG", CXT_FIXUP_ASPIRE_DMIC),
+       SND_PCI_QUIRK(0x1025, 0x054f, "Acer Aspire 4830T", CXT_FIXUP_ASPIRE_DMIC),
+       SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK),
++      SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK),
+       SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
+       SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC),
+       SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
diff --git a/queue-4.4/alsa-hda-add-dock-and-led-support-for-hp-probook-640-g2.patch b/queue-4.4/alsa-hda-add-dock-and-led-support-for-hp-probook-640-g2.patch
new file mode 100644 (file)
index 0000000..624bfac
--- /dev/null
@@ -0,0 +1,32 @@
+From 099fd6ca0ad25bc19c5ade2ea4b25b8fadaa11b3 Mon Sep 17 00:00:00 2001
+From: Dennis Wassenberg <dennis.wassenberg@secunet.com>
+Date: Thu, 8 Mar 2018 15:49:24 +0100
+Subject: ALSA: hda: add dock and led support for HP ProBook 640 G2
+
+From: Dennis Wassenberg <dennis.wassenberg@secunet.com>
+
+commit 099fd6ca0ad25bc19c5ade2ea4b25b8fadaa11b3 upstream.
+
+This patch adds missing initialisation for HP 2013 UltraSlim Dock
+Line-In/Out PINs and activates keyboard mute/micmute leds
+for HP ProBook 640 G2
+
+Signed-off-by: Dennis Wassenberg <dennis.wassenberg@secunet.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_conexant.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -850,6 +850,7 @@ static const struct snd_pci_quirk cxt506
+       SND_PCI_QUIRK(0x1025, 0x054f, "Acer Aspire 4830T", CXT_FIXUP_ASPIRE_DMIC),
+       SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK),
+       SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK),
++      SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK),
+       SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
+       SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC),
+       SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
diff --git a/queue-4.4/alsa-hda-fix-a-wrong-fixup-for-alc289-on-dell-machines.patch b/queue-4.4/alsa-hda-fix-a-wrong-fixup-for-alc289-on-dell-machines.patch
new file mode 100644 (file)
index 0000000..0e03343
--- /dev/null
@@ -0,0 +1,36 @@
+From d5078193e56bb24f4593f00102a3b5e07bb84ee0 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Fri, 2 Mar 2018 13:05:36 +0800
+Subject: ALSA: hda - Fix a wrong FIXUP for alc289 on Dell machines
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit d5078193e56bb24f4593f00102a3b5e07bb84ee0 upstream.
+
+With the alc289, the Pin 0x1b is Headphone-Mic, so we should assign
+ALC269_FIXUP_DELL4_MIC_NO_PRESENCE rather than
+ALC225_FIXUP_DELL1_MIC_NO_PRESENCE to it. And this change is suggested
+by Kailang of Realtek and is verified on the machine.
+
+Fixes: 3f2f7c553d07 ("ALSA: hda - Fix headset mic detection problem for two Dell machines")
+Cc: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6071,7 +6071,7 @@ static const struct snd_hda_pin_quirk al
+               {0x12, 0x90a60120},
+               {0x14, 0x90170110},
+               {0x21, 0x0321101f}),
+-      SND_HDA_PIN_QUIRK(0x10ec0289, 0x1028, "Dell", ALC225_FIXUP_DELL1_MIC_NO_PRESENCE,
++      SND_HDA_PIN_QUIRK(0x10ec0289, 0x1028, "Dell", ALC269_FIXUP_DELL4_MIC_NO_PRESENCE,
+               {0x12, 0xb7a60130},
+               {0x14, 0x90170110},
+               {0x21, 0x04211020}),
diff --git a/queue-4.4/alsa-hda-realtek-fix-dock-line-out-volume-on-dell-precision-7520.patch b/queue-4.4/alsa-hda-realtek-fix-dock-line-out-volume-on-dell-precision-7520.patch
new file mode 100644 (file)
index 0000000..4ac4748
--- /dev/null
@@ -0,0 +1,72 @@
+From e312a869cd726c698a75caca0d9e5c22fd3f1534 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 6 Mar 2018 12:14:17 +0100
+Subject: ALSA: hda/realtek - Fix dock line-out volume on Dell Precision 7520
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit e312a869cd726c698a75caca0d9e5c22fd3f1534 upstream.
+
+The dock line-out pin (NID 0x17 of ALC3254 codec) on Dell Precision
+7520 may route to three different DACs, 0x02, 0x03 and 0x06.  The
+first two DACS have the volume amp controls while the last one
+doesn't.  And unfortunately, the auto-parser assigns this pin to DAC3,
+resulting in the non-working volume control for the line out.
+
+Fix it by disabling the routing to DAC3 on the corresponding pin.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199029
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |   16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4722,6 +4722,16 @@ static void alc298_fixup_speaker_volume(
+       }
+ }
++/* disable DAC3 (0x06) selection on NID 0x17 as it has no volume amp control */
++static void alc295_fixup_disable_dac3(struct hda_codec *codec,
++                                    const struct hda_fixup *fix, int action)
++{
++      if (action == HDA_FIXUP_ACT_PRE_PROBE) {
++              hda_nid_t conn[2] = { 0x02, 0x03 };
++              snd_hda_override_conn_list(codec, 0x17, 2, conn);
++      }
++}
++
+ /* Hook to update amp GPIO4 for automute */
+ static void alc280_hp_gpio4_automute_hook(struct hda_codec *codec,
+                                         struct hda_jack_callback *jack)
+@@ -4871,6 +4881,7 @@ enum {
+       ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY,
+       ALC255_FIXUP_DELL_SPK_NOISE,
+       ALC225_FIXUP_DELL1_MIC_NO_PRESENCE,
++      ALC295_FIXUP_DISABLE_DAC3,
+       ALC280_FIXUP_HP_HEADSET_MIC,
+       ALC221_FIXUP_HP_FRONT_MIC,
+       ALC292_FIXUP_TPT460,
+@@ -5560,6 +5571,10 @@ static const struct hda_fixup alc269_fix
+               .chained = true,
+               .chain_id = ALC298_FIXUP_DELL_AIO_MIC_NO_PRESENCE,
+       },
++      [ALC295_FIXUP_DISABLE_DAC3] = {
++              .type = HDA_FIXUP_FUNC,
++              .v.func = alc295_fixup_disable_dac3,
++      },
+       [ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER] = {
+               .type = HDA_FIXUP_PINS,
+               .v.pins = (const struct hda_pintbl[]) {
+@@ -5617,6 +5632,7 @@ static const struct snd_pci_quirk alc269
+       SND_PCI_QUIRK(0x1028, 0x0725, "Dell Inspiron 3162", ALC255_FIXUP_DELL_SPK_NOISE),
+       SND_PCI_QUIRK(0x1028, 0x075b, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
+       SND_PCI_QUIRK(0x1028, 0x075d, "Dell AIO", ALC298_FIXUP_SPK_VOLUME),
++      SND_PCI_QUIRK(0x1028, 0x07b0, "Dell Precision 7520", ALC295_FIXUP_DISABLE_DAC3),
+       SND_PCI_QUIRK(0x1028, 0x0798, "Dell Inspiron 17 7000 Gaming", ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER),
+       SND_PCI_QUIRK(0x1028, 0x082a, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
+       SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
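Review bot: In `alc295_fixup_disable_dac3()` the connection count is the literal `2` written next to a two-element array, so the count and the list can drift apart when the list is edited; `snd_hda_override_conn_list(codec, 0x17, ARRAY_SIZE(conn), conn);` keeps them tied. The new `0x07b0` entry in the quirk table also sits before `0x0798`, while the visible neighbours appear to be in ascending subsystem-ID order; moving it below the `0x0798` line would keep the table easy to scan. The quirk table and the fixup array both extend outside the hunks shown.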
diff --git a/queue-4.4/alsa-seq-don-t-allow-resizing-pool-in-use.patch b/queue-4.4/alsa-seq-don-t-allow-resizing-pool-in-use.patch
new file mode 100644 (file)
index 0000000..aabd1bf
--- /dev/null
@@ -0,0 +1,45 @@
+From d85739367c6d56e475c281945c68fdb05ca74b4c Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 5 Mar 2018 22:00:55 +0100
+Subject: ALSA: seq: Don't allow resizing pool in use
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit d85739367c6d56e475c281945c68fdb05ca74b4c upstream.
+
+This is a fix for a (sort of) fallout in the recent commit
+d15d662e89fc ("ALSA: seq: Fix racy pool initializations") for
+CVE-2018-1000004.
+As the pool resize deletes the existing cells, it may lead to a race
+when another thread is writing concurrently, eventually resulting a
+UAF.
+
+A simple workaround is not to allow the pool resizing when the pool is
+in use.  It's an invalid behavior in anyway.
+
+Fixes: d15d662e89fc ("ALSA: seq: Fix racy pool initializations")
+Reported-by: 范龙飞 <long7573@126.com>
+Reported-by: Nicolai Stange <nstange@suse.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_clientmgr.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -1924,6 +1924,9 @@ static int snd_seq_ioctl_set_client_pool
+           (! snd_seq_write_pool_allocated(client) ||
+            info.output_pool != client->pool->size)) {
+               if (snd_seq_write_pool_allocated(client)) {
++                      /* is the pool in use? */
++                      if (atomic_read(&client->pool->counter))
++                              return -EBUSY;
+                       /* remove all existing cells */
+                       snd_seq_pool_mark_closing(client->pool);
+                       snd_seq_queue_client_leave_cells(client->number);
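Review bot: The `atomic_read(&client->pool->counter)` test is a check-then-act: nothing in this hunk stops a writer from taking a cell between the read and `snd_seq_pool_mark_closing()`, so the `-EBUSY` guard is only reliable if the write path is serialized against this ioctl. That serialization presumably comes from `client->ioctl_mutex`, which the companion patch alsa-seq-more-protection-for-concurrent-write-and-ioctl-races.patch extends over the whole write; the lock is not visible in these lines. I would record the dependency in the comment, e.g. `/* is the pool in use? (relies on ioctl_mutex serializing this ioctl against snd_seq_write()) */`, and keep the two patches together in the series. The body of snd_seq_ioctl_set_client_pool continues outside the hunk.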
diff --git a/queue-4.4/alsa-seq-more-protection-for-concurrent-write-and-ioctl-races.patch b/queue-4.4/alsa-seq-more-protection-for-concurrent-write-and-ioctl-races.patch
new file mode 100644 (file)
index 0000000..2a8dd08
--- /dev/null
@@ -0,0 +1,179 @@
+From 7bd80091567789f1c0cb70eb4737aac8bcd2b6b9 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 5 Mar 2018 22:06:09 +0100
+Subject: ALSA: seq: More protection for concurrent write and ioctl races
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 7bd80091567789f1c0cb70eb4737aac8bcd2b6b9 upstream.
+
+This patch is an attempt for further hardening against races between
+the concurrent write and ioctls.  The previous fix d15d662e89fc
+("ALSA: seq: Fix racy pool initializations") covered the race of the
+pool initialization at writer and the pool resize ioctl by the
+client->ioctl_mutex (CVE-2018-1000004).  However, basically this mutex
+should be applied more widely to the whole write operation for
+avoiding the unexpected pool operations by another thread.
+
+The only change outside snd_seq_write() is the additional mutex
+argument to helper functions, so that we can unlock / relock the given
+mutex temporarily during schedule() call for blocking write.
+
+Fixes: d15d662e89fc ("ALSA: seq: Fix racy pool initializations")
+Reported-by: 范龙飞 <long7573@126.com>
+Reported-by: Nicolai Stange <nstange@suse.de>
+Reviewed-and-tested-by: Nicolai Stange <nstange@suse.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_clientmgr.c |   18 +++++++++++-------
+ sound/core/seq/seq_fifo.c      |    2 +-
+ sound/core/seq/seq_memory.c    |   14 ++++++++++----
+ sound/core/seq/seq_memory.h    |    3 ++-
+ 4 files changed, 24 insertions(+), 13 deletions(-)
+
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -919,7 +919,8 @@ int snd_seq_dispatch_event(struct snd_se
+ static int snd_seq_client_enqueue_event(struct snd_seq_client *client,
+                                       struct snd_seq_event *event,
+                                       struct file *file, int blocking,
+-                                      int atomic, int hop)
++                                      int atomic, int hop,
++                                      struct mutex *mutexp)
+ {
+       struct snd_seq_event_cell *cell;
+       int err;
+@@ -957,7 +958,8 @@ static int snd_seq_client_enqueue_event(
+               return -ENXIO; /* queue is not allocated */
+       /* allocate an event cell */
+-      err = snd_seq_event_dup(client->pool, event, &cell, !blocking || atomic, file);
++      err = snd_seq_event_dup(client->pool, event, &cell, !blocking || atomic,
++                              file, mutexp);
+       if (err < 0)
+               return err;
+@@ -1026,12 +1028,11 @@ static ssize_t snd_seq_write(struct file
+               return -ENXIO;
+       /* allocate the pool now if the pool is not allocated yet */ 
++      mutex_lock(&client->ioctl_mutex);
+       if (client->pool->size > 0 && !snd_seq_write_pool_allocated(client)) {
+-              mutex_lock(&client->ioctl_mutex);
+               err = snd_seq_pool_init(client->pool);
+-              mutex_unlock(&client->ioctl_mutex);
+               if (err < 0)
+-                      return -ENOMEM;
++                      goto out;
+       }
+       /* only process whole events */
+@@ -1082,7 +1083,7 @@ static ssize_t snd_seq_write(struct file
+               /* ok, enqueue it */
+               err = snd_seq_client_enqueue_event(client, &event, file,
+                                                  !(file->f_flags & O_NONBLOCK),
+-                                                 0, 0);
++                                                 0, 0, &client->ioctl_mutex);
+               if (err < 0)
+                       break;
+@@ -1093,6 +1094,8 @@ static ssize_t snd_seq_write(struct file
+               written += len;
+       }
++ out:
++      mutex_unlock(&client->ioctl_mutex);
+       return written ? written : err;
+ }
+@@ -2350,7 +2353,8 @@ static int kernel_client_enqueue(int cli
+       if (! cptr->accept_output)
+               result = -EPERM;
+       else /* send it */
+-              result = snd_seq_client_enqueue_event(cptr, ev, file, blocking, atomic, hop);
++              result = snd_seq_client_enqueue_event(cptr, ev, file, blocking,
++                                                    atomic, hop, NULL);
+       snd_seq_client_unlock(cptr);
+       return result;
+--- a/sound/core/seq/seq_fifo.c
++++ b/sound/core/seq/seq_fifo.c
+@@ -123,7 +123,7 @@ int snd_seq_fifo_event_in(struct snd_seq
+               return -EINVAL;
+       snd_use_lock_use(&f->use_lock);
+-      err = snd_seq_event_dup(f->pool, event, &cell, 1, NULL); /* always non-blocking */
++      err = snd_seq_event_dup(f->pool, event, &cell, 1, NULL, NULL); /* always non-blocking */
+       if (err < 0) {
+               if ((err == -ENOMEM) || (err == -EAGAIN))
+                       atomic_inc(&f->overflow);
+--- a/sound/core/seq/seq_memory.c
++++ b/sound/core/seq/seq_memory.c
+@@ -221,7 +221,8 @@ void snd_seq_cell_free(struct snd_seq_ev
+  */
+ static int snd_seq_cell_alloc(struct snd_seq_pool *pool,
+                             struct snd_seq_event_cell **cellp,
+-                            int nonblock, struct file *file)
++                            int nonblock, struct file *file,
++                            struct mutex *mutexp)
+ {
+       struct snd_seq_event_cell *cell;
+       unsigned long flags;
+@@ -245,7 +246,11 @@ static int snd_seq_cell_alloc(struct snd
+               set_current_state(TASK_INTERRUPTIBLE);
+               add_wait_queue(&pool->output_sleep, &wait);
+               spin_unlock_irq(&pool->lock);
++              if (mutexp)
++                      mutex_unlock(mutexp);
+               schedule();
++              if (mutexp)
++                      mutex_lock(mutexp);
+               spin_lock_irq(&pool->lock);
+               remove_wait_queue(&pool->output_sleep, &wait);
+               /* interrupted? */
+@@ -288,7 +293,7 @@ __error:
+  */
+ int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event,
+                     struct snd_seq_event_cell **cellp, int nonblock,
+-                    struct file *file)
++                    struct file *file, struct mutex *mutexp)
+ {
+       int ncells, err;
+       unsigned int extlen;
+@@ -305,7 +310,7 @@ int snd_seq_event_dup(struct snd_seq_poo
+       if (ncells >= pool->total_elements)
+               return -ENOMEM;
+-      err = snd_seq_cell_alloc(pool, &cell, nonblock, file);
++      err = snd_seq_cell_alloc(pool, &cell, nonblock, file, mutexp);
+       if (err < 0)
+               return err;
+@@ -331,7 +336,8 @@ int snd_seq_event_dup(struct snd_seq_poo
+                       int size = sizeof(struct snd_seq_event);
+                       if (len < size)
+                               size = len;
+-                      err = snd_seq_cell_alloc(pool, &tmp, nonblock, file);
++                      err = snd_seq_cell_alloc(pool, &tmp, nonblock, file,
++                                               mutexp);
+                       if (err < 0)
+                               goto __error;
+                       if (cell->event.data.ext.ptr == NULL)
+--- a/sound/core/seq/seq_memory.h
++++ b/sound/core/seq/seq_memory.h
+@@ -66,7 +66,8 @@ struct snd_seq_pool {
+ void snd_seq_cell_free(struct snd_seq_event_cell *cell);
+ int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event,
+-                    struct snd_seq_event_cell **cellp, int nonblock, struct file *file);
++                    struct snd_seq_event_cell **cellp, int nonblock,
++                    struct file *file, struct mutex *mutexp);
+ /* return number of unused (free) cells */
+ static inline int snd_seq_unused_cells(struct snd_seq_pool *pool)
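Review bot: The new `mutexp` argument of `snd_seq_cell_alloc()` and `snd_seq_event_dup()` has no documented contract, yet it changes what callers may assume: the mutex is released around `schedule()` and re-taken afterwards, so anything guarded by `client->ioctl_mutex` can change across a blocking allocation. The header comments of both functions should say that `mutexp` may be NULL (as `kernel_client_enqueue()` and `snd_seq_fifo_event_in()` pass it) and that, when non-NULL, it must be held on entry and is dropped while sleeping. Separately, in `snd_seq_write()` a pool-init failure now returns whatever `snd_seq_pool_init()` produced via `goto out` rather than the previous fixed `-ENOMEM`; if user space should keep seeing the same errno, add `err = -ENOMEM;` before the jump. The function bodies extend beyond the hunks shown.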
diff --git a/queue-4.4/bcache-don-t-attach-backing-with-duplicate-uuid.patch b/queue-4.4/bcache-don-t-attach-backing-with-duplicate-uuid.patch
new file mode 100644 (file)
index 0000000..200ec14
--- /dev/null
@@ -0,0 +1,65 @@
+From 86755b7a96faed57f910f9e6b8061e019ac1ec08 Mon Sep 17 00:00:00 2001
+From: Michael Lyle <mlyle@lyle.org>
+Date: Mon, 5 Mar 2018 13:41:55 -0800
+Subject: bcache: don't attach backing with duplicate UUID
+
+From: Michael Lyle <mlyle@lyle.org>
+
+commit 86755b7a96faed57f910f9e6b8061e019ac1ec08 upstream.
+
+This can happen e.g. during disk cloning.
+
+This is an incomplete fix: it does not catch duplicate UUIDs earlier
+when things are still unattached.  It does not unregister the device.
+Further changes to cope better with this are planned but conflict with
+Coly's ongoing improvements to handling device errors.  In the meantime,
+one can manually stop the device after this has happened.
+
+Attempts to attach a duplicate device result in:
+
+[  136.372404] loop: module loaded
+[  136.424461] bcache: register_bdev() registered backing device loop0
+[  136.424464] bcache: bch_cached_dev_attach() Tried to attach loop0 but duplicate UUID already attached
+
+My test procedure is:
+
+  dd if=/dev/sdb1 of=imgfile bs=1024 count=262144
+  losetup -f imgfile
+
+Signed-off-by: Michael Lyle <mlyle@lyle.org>
+Reviewed-by: Tang Junhui <tang.junhui@zte.com.cn>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/super.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -935,6 +935,7 @@ int bch_cached_dev_attach(struct cached_
+       uint32_t rtime = cpu_to_le32(get_seconds());
+       struct uuid_entry *u;
+       char buf[BDEVNAME_SIZE];
++      struct cached_dev *exist_dc, *t;
+       bdevname(dc->bdev, buf);
+@@ -958,6 +959,16 @@ int bch_cached_dev_attach(struct cached_
+               return -EINVAL;
+       }
++      /* Check whether already attached */
++      list_for_each_entry_safe(exist_dc, t, &c->cached_devs, list) {
++              if (!memcmp(dc->sb.uuid, exist_dc->sb.uuid, 16)) {
++                      pr_err("Tried to attach %s but duplicate UUID already attached",
++                              buf);
++
++                      return -EINVAL;
++              }
++      }
++
+       u = uuid_find(c, dc->sb.uuid);
+       if (u &&
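Review bot: The duplicate-UUID loop uses `list_for_each_entry_safe()` although nothing is removed from `c->cached_devs` inside it, which suggests deletion to a reader and needs the extra `t` cursor; `list_for_each_entry(exist_dc, &c->cached_devs, list)` is enough. The UUID length is the bare literal `16`; `sizeof(dc->sb.uuid)` would tie the compare to the field, assuming `uuid` is an array member, which this hunk does not show. Whatever lock protects `c->cached_devs` is taken outside the visible lines, so a one-line comment above the loop naming it would help the next reader. bch_cached_dev_attach's body continues outside the hunk.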
diff --git a/queue-4.4/drm-allow-determining-if-current-task-is-output-poll-worker.patch b/queue-4.4/drm-allow-determining-if-current-task-is-output-poll-worker.patch
new file mode 100644 (file)
index 0000000..d839774
--- /dev/null
@@ -0,0 +1,74 @@
+From 25c058ccaf2ebbc3e250ec1e199e161f91fe27d4 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 14 Feb 2018 06:41:25 +0100
+Subject: drm: Allow determining if current task is output poll worker
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 25c058ccaf2ebbc3e250ec1e199e161f91fe27d4 upstream.
+
+Introduce a helper to determine if the current task is an output poll
+worker.
+
+This allows us to fix a long-standing deadlock in several DRM drivers
+wherein the ->runtime_suspend callback waits for the output poll worker
+to finish and the worker in turn calls a ->detect callback which waits
+for runtime suspend to finish.  The ->detect callback is invoked from
+multiple call sites and waiting for runtime suspend to finish is the
+correct thing to do except if it's executing in the context of the
+worker.
+
+v2: Expand kerneldoc to specifically mention deadlock between
+    output poll worker and autosuspend worker as use case. (Lyude)
+
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Ben Skeggs <bskeggs@redhat.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/3549ce32e7f1467102e70d3e9cbf70c46bfe108e.1518593424.git.lukas@wunner.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_probe_helper.c |   20 ++++++++++++++++++++
+ include/drm/drm_crtc_helper.h      |    1 +
+ 2 files changed, 21 insertions(+)
+
+--- a/drivers/gpu/drm/drm_probe_helper.c
++++ b/drivers/gpu/drm/drm_probe_helper.c
+@@ -412,6 +412,26 @@ out:
+ }
+ /**
++ * drm_kms_helper_is_poll_worker - is %current task an output poll worker?
++ *
++ * Determine if %current task is an output poll worker.  This can be used
++ * to select distinct code paths for output polling versus other contexts.
++ *
++ * One use case is to avoid a deadlock between the output poll worker and
++ * the autosuspend worker wherein the latter waits for polling to finish
++ * upon calling drm_kms_helper_poll_disable(), while the former waits for
++ * runtime suspend to finish upon calling pm_runtime_get_sync() in a
++ * connector ->detect hook.
++ */
++bool drm_kms_helper_is_poll_worker(void)
++{
++      struct work_struct *work = current_work();
++
++      return work && work->func == output_poll_execute;
++}
++EXPORT_SYMBOL(drm_kms_helper_is_poll_worker);
++
++/**
+  * drm_kms_helper_poll_disable - disable output polling
+  * @dev: drm_device
+  *
+--- a/include/drm/drm_crtc_helper.h
++++ b/include/drm/drm_crtc_helper.h
+@@ -241,5 +241,6 @@ extern void drm_kms_helper_hotplug_event
+ extern void drm_kms_helper_poll_disable(struct drm_device *dev);
+ extern void drm_kms_helper_poll_enable(struct drm_device *dev);
+ extern void drm_kms_helper_poll_enable_locked(struct drm_device *dev);
++extern bool drm_kms_helper_is_poll_worker(void);
+ #endif
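Review bot: `drm_kms_helper_is_poll_worker()` matches on `work->func == output_poll_execute` alone, so it is true inside the output poll worker of any DRM device, not only the device whose ->detect hook is asking. The driver patches in this queue use the result to skip `pm_runtime_get_sync()`, so the kerneldoc should state the assumption that a ->detect hook is only reached from its own device's poll worker. The comment also lacks a return description; I would add `* Returns: true if %current is executing output_poll_execute(), false otherwise.`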
diff --git a/queue-4.4/drm-amdgpu-fix-deadlock-on-runtime-suspend.patch b/queue-4.4/drm-amdgpu-fix-deadlock-on-runtime-suspend.patch
new file mode 100644 (file)
index 0000000..6eb2213
--- /dev/null
@@ -0,0 +1,151 @@
+From aa0aad57909eb321746325951d66af88a83bc956 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Sun, 11 Feb 2018 10:38:28 +0100
+Subject: drm/amdgpu: Fix deadlock on runtime suspend
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit aa0aad57909eb321746325951d66af88a83bc956 upstream.
+
+amdgpu's ->runtime_suspend hook calls drm_kms_helper_poll_disable(),
+which waits for the output poll worker to finish if it's running.
+
+The output poll worker meanwhile calls pm_runtime_get_sync() in
+amdgpu's ->detect hooks, which waits for the ongoing suspend to finish,
+causing a deadlock.
+
+Fix by not acquiring a runtime PM ref if the ->detect hooks are called
+in the output poll worker's context.  This is safe because the poll
+worker is only enabled while runtime active and we know that
+->runtime_suspend waits for it to finish.
+
+Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
+Cc: stable@vger.kernel.org # v4.2+: 27d4ee03078a: workqueue: Allow retrieval of current task's work struct
+Cc: stable@vger.kernel.org # v4.2+: 25c058ccaf2e: drm: Allow determining if current task is output poll worker
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Tested-by: Mike Lothian <mike@fireburn.co.uk>
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/4c9bf72aacae1eef062bd134cd112e0770a7f121.1518338789.git.lukas@wunner.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c |   58 ++++++++++++++++---------
+ 1 file changed, 38 insertions(+), 20 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+@@ -739,9 +739,11 @@ amdgpu_connector_lvds_detect(struct drm_
+       enum drm_connector_status ret = connector_status_disconnected;
+       int r;
+-      r = pm_runtime_get_sync(connector->dev->dev);
+-      if (r < 0)
+-              return connector_status_disconnected;
++      if (!drm_kms_helper_is_poll_worker()) {
++              r = pm_runtime_get_sync(connector->dev->dev);
++              if (r < 0)
++                      return connector_status_disconnected;
++      }
+       if (encoder) {
+               struct amdgpu_encoder *amdgpu_encoder = to_amdgpu_encoder(encoder);
+@@ -760,8 +762,12 @@ amdgpu_connector_lvds_detect(struct drm_
+       /* check acpi lid status ??? */
+       amdgpu_connector_update_scratch_regs(connector, ret);
+-      pm_runtime_mark_last_busy(connector->dev->dev);
+-      pm_runtime_put_autosuspend(connector->dev->dev);
++
++      if (!drm_kms_helper_is_poll_worker()) {
++              pm_runtime_mark_last_busy(connector->dev->dev);
++              pm_runtime_put_autosuspend(connector->dev->dev);
++      }
++
+       return ret;
+ }
+@@ -862,9 +868,11 @@ amdgpu_connector_vga_detect(struct drm_c
+       enum drm_connector_status ret = connector_status_disconnected;
+       int r;
+-      r = pm_runtime_get_sync(connector->dev->dev);
+-      if (r < 0)
+-              return connector_status_disconnected;
++      if (!drm_kms_helper_is_poll_worker()) {
++              r = pm_runtime_get_sync(connector->dev->dev);
++              if (r < 0)
++                      return connector_status_disconnected;
++      }
+       encoder = amdgpu_connector_best_single_encoder(connector);
+       if (!encoder)
+@@ -918,8 +926,10 @@ amdgpu_connector_vga_detect(struct drm_c
+       amdgpu_connector_update_scratch_regs(connector, ret);
+ out:
+-      pm_runtime_mark_last_busy(connector->dev->dev);
+-      pm_runtime_put_autosuspend(connector->dev->dev);
++      if (!drm_kms_helper_is_poll_worker()) {
++              pm_runtime_mark_last_busy(connector->dev->dev);
++              pm_runtime_put_autosuspend(connector->dev->dev);
++      }
+       return ret;
+ }
+@@ -981,9 +991,11 @@ amdgpu_connector_dvi_detect(struct drm_c
+       enum drm_connector_status ret = connector_status_disconnected;
+       bool dret = false, broken_edid = false;
+-      r = pm_runtime_get_sync(connector->dev->dev);
+-      if (r < 0)
+-              return connector_status_disconnected;
++      if (!drm_kms_helper_is_poll_worker()) {
++              r = pm_runtime_get_sync(connector->dev->dev);
++              if (r < 0)
++                      return connector_status_disconnected;
++      }
+       if (!force && amdgpu_connector_check_hpd_status_unchanged(connector)) {
+               ret = connector->status;
+@@ -1108,8 +1120,10 @@ out:
+       amdgpu_connector_update_scratch_regs(connector, ret);
+ exit:
+-      pm_runtime_mark_last_busy(connector->dev->dev);
+-      pm_runtime_put_autosuspend(connector->dev->dev);
++      if (!drm_kms_helper_is_poll_worker()) {
++              pm_runtime_mark_last_busy(connector->dev->dev);
++              pm_runtime_put_autosuspend(connector->dev->dev);
++      }
+       return ret;
+ }
+@@ -1351,9 +1365,11 @@ amdgpu_connector_dp_detect(struct drm_co
+       struct drm_encoder *encoder = amdgpu_connector_best_single_encoder(connector);
+       int r;
+-      r = pm_runtime_get_sync(connector->dev->dev);
+-      if (r < 0)
+-              return connector_status_disconnected;
++      if (!drm_kms_helper_is_poll_worker()) {
++              r = pm_runtime_get_sync(connector->dev->dev);
++              if (r < 0)
++                      return connector_status_disconnected;
++      }
+       if (!force && amdgpu_connector_check_hpd_status_unchanged(connector)) {
+               ret = connector->status;
+@@ -1421,8 +1437,10 @@ amdgpu_connector_dp_detect(struct drm_co
+       amdgpu_connector_update_scratch_regs(connector, ret);
+ out:
+-      pm_runtime_mark_last_busy(connector->dev->dev);
+-      pm_runtime_put_autosuspend(connector->dev->dev);
++      if (!drm_kms_helper_is_poll_worker()) {
++              pm_runtime_mark_last_busy(connector->dev->dev);
++              pm_runtime_put_autosuspend(connector->dev->dev);
++      }
+       return ret;
+ }
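Review bot: The early return after a failed `pm_runtime_get_sync()` leaves the runtime-PM usage count raised, because pm_runtime_get_sync() increments the counter even when it returns an error. The new `if (!drm_kms_helper_is_poll_worker())` blocks in amdgpu_connector_lvds_detect, amdgpu_connector_vga_detect, amdgpu_connector_dvi_detect and amdgpu_connector_dp_detect all keep that pattern. Inside each block the error path should drop the reference first, with `pm_runtime_put_autosuspend(connector->dev->dev);` placed before `return connector_status_disconnected;`. The get and put sides also call the helper separately; caching it once in a local `bool` at the top of each function would make the pairing obvious. The function bodies extend outside the hunks shown.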
diff --git a/queue-4.4/drm-amdgpu-fix-kv-harvesting.patch b/queue-4.4/drm-amdgpu-fix-kv-harvesting.patch
new file mode 100644 (file)
index 0000000..d0b4088
--- /dev/null
@@ -0,0 +1,65 @@
+From 545b0bcde7fbd3ee408fa842ea0731451dc4bd0a Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Thu, 1 Mar 2018 11:05:31 -0500
+Subject: drm/amdgpu: fix KV harvesting
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 545b0bcde7fbd3ee408fa842ea0731451dc4bd0a upstream.
+
+Always set the graphics values to the max for the
+asic type.  E.g., some 1 RB chips are actually 1 RB chips,
+others are actually harvested 2 RB chips.
+
+Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=99353
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c |   30 ++----------------------------
+ 1 file changed, 2 insertions(+), 28 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c
+@@ -2104,34 +2104,8 @@ static void gfx_v7_0_gpu_init(struct amd
+       case CHIP_KAVERI:
+               adev->gfx.config.max_shader_engines = 1;
+               adev->gfx.config.max_tile_pipes = 4;
+-              if ((adev->pdev->device == 0x1304) ||
+-                  (adev->pdev->device == 0x1305) ||
+-                  (adev->pdev->device == 0x130C) ||
+-                  (adev->pdev->device == 0x130F) ||
+-                  (adev->pdev->device == 0x1310) ||
+-                  (adev->pdev->device == 0x1311) ||
+-                  (adev->pdev->device == 0x131C)) {
+-                      adev->gfx.config.max_cu_per_sh = 8;
+-                      adev->gfx.config.max_backends_per_se = 2;
+-              } else if ((adev->pdev->device == 0x1309) ||
+-                         (adev->pdev->device == 0x130A) ||
+-                         (adev->pdev->device == 0x130D) ||
+-                         (adev->pdev->device == 0x1313) ||
+-                         (adev->pdev->device == 0x131D)) {
+-                      adev->gfx.config.max_cu_per_sh = 6;
+-                      adev->gfx.config.max_backends_per_se = 2;
+-              } else if ((adev->pdev->device == 0x1306) ||
+-                         (adev->pdev->device == 0x1307) ||
+-                         (adev->pdev->device == 0x130B) ||
+-                         (adev->pdev->device == 0x130E) ||
+-                         (adev->pdev->device == 0x1315) ||
+-                         (adev->pdev->device == 0x131B)) {
+-                      adev->gfx.config.max_cu_per_sh = 4;
+-                      adev->gfx.config.max_backends_per_se = 1;
+-              } else {
+-                      adev->gfx.config.max_cu_per_sh = 3;
+-                      adev->gfx.config.max_backends_per_se = 1;
+-              }
++              adev->gfx.config.max_cu_per_sh = 8;
++              adev->gfx.config.max_backends_per_se = 2;
+               adev->gfx.config.max_sh_per_se = 1;
+               adev->gfx.config.max_texture_channel_caches = 4;
+               adev->gfx.config.max_gprs = 256;
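Review bot: The two constants that replace the device-ID table in the `CHIP_KAVERI` case of `gfx_v7_0_gpu_init` have no comment saying they are upper bounds for the ASIC rather than the configuration of the particular part. A one-line comment above `max_cu_per_sh = 8`, such as `/* max for the asic type; harvested parts are accounted for elsewhere */`, would stop a later reader from re-adding per-device values. How harvesting is detected is not visible in this hunk, so the wording should be confirmed against the code that consumes these fields. The same applies to the `CHIP_KAVERI` case of `cik_gpu_init` in drivers/gpu/drm/radeon/cik.c, changed identically by drm-radeon-fix-kv-harvesting.patch. Both functions continue outside their hunks.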
diff --git a/queue-4.4/drm-amdgpu-notify-sbios-device-ready-before-send-request.patch b/queue-4.4/drm-amdgpu-notify-sbios-device-ready-before-send-request.patch
new file mode 100644 (file)
index 0000000..ace126d
--- /dev/null
@@ -0,0 +1,35 @@
+From 1bced75f4ab04bec55aecb57d99435dc6d0ae5a0 Mon Sep 17 00:00:00 2001
+From: Rex Zhu <Rex.Zhu@amd.com>
+Date: Tue, 27 Feb 2018 18:20:53 +0800
+Subject: drm/amdgpu: Notify sbios device ready before send request
+
+From: Rex Zhu <Rex.Zhu@amd.com>
+
+commit 1bced75f4ab04bec55aecb57d99435dc6d0ae5a0 upstream.
+
+it is required if a platform supports PCIe root complex
+core voltage reduction. After receiving this notification,
+SBIOS can apply default PCIe root complex power policy.
+
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Rex Zhu <Rex.Zhu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
+@@ -585,6 +585,9 @@ int amdgpu_acpi_pcie_performance_request
+       size_t size;
+       u32 retry = 3;
++      if (amdgpu_acpi_pcie_notify_device_ready(adev))
++              return -EINVAL;
++
+       /* Get the device handle */
+       handle = ACPI_HANDLE(&adev->pdev->dev);
+       if (!handle)
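Review bot: The added guard in `amdgpu_acpi_pcie_performance_request` discards the value returned by `amdgpu_acpi_pcie_notify_device_ready(adev)` and reports `-EINVAL` for every failure, so a caller cannot tell an unsupported notification from a failed ACPI call. Storing the helper's result in a local and returning it when non-zero would keep the real cause. The helper's body is not shown here. If it also fails on platforms that simply lack the device-ready function, this check turns the performance request into a hard failure there. That is worth confirming, since the description says the notification is required only where root complex core voltage reduction is supported.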
diff --git a/queue-4.4/drm-nouveau-fix-deadlock-on-runtime-suspend.patch b/queue-4.4/drm-nouveau-fix-deadlock-on-runtime-suspend.patch
new file mode 100644 (file)
index 0000000..4ea340d
--- /dev/null
@@ -0,0 +1,115 @@
+From d61a5c1063515e855bedb1b81e20e50b0ac3541e Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Sun, 11 Feb 2018 10:38:28 +0100
+Subject: drm/nouveau: Fix deadlock on runtime suspend
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit d61a5c1063515e855bedb1b81e20e50b0ac3541e upstream.
+
+nouveau's ->runtime_suspend hook calls drm_kms_helper_poll_disable(),
+which waits for the output poll worker to finish if it's running.
+
+The output poll worker meanwhile calls pm_runtime_get_sync() in
+nouveau_connector_detect() which waits for the ongoing suspend to finish,
+causing a deadlock.
+
+Fix by not acquiring a runtime PM ref if nouveau_connector_detect() is
+called in the output poll worker's context.  This is safe because
+the poll worker is only enabled while runtime active and we know that
+->runtime_suspend waits for it to finish.
+
+Other contexts calling nouveau_connector_detect() do require a runtime
+PM ref, these comprise:
+
+  status_store() drm sysfs interface
+  ->fill_modes drm callback
+  drm_fb_helper_probe_connector_modes()
+  drm_mode_getconnector()
+  nouveau_connector_hotplug()
+  nouveau_display_hpd_work()
+  nv17_tv_set_property()
+
+Stack trace for posterity:
+
+  INFO: task kworker/0:1:58 blocked for more than 120 seconds.
+  Workqueue: events output_poll_execute [drm_kms_helper]
+  Call Trace:
+   schedule+0x28/0x80
+   rpm_resume+0x107/0x6e0
+   __pm_runtime_resume+0x47/0x70
+   nouveau_connector_detect+0x7e/0x4a0 [nouveau]
+   nouveau_connector_detect_lvds+0x132/0x180 [nouveau]
+   drm_helper_probe_detect_ctx+0x85/0xd0 [drm_kms_helper]
+   output_poll_execute+0x11e/0x1c0 [drm_kms_helper]
+   process_one_work+0x184/0x380
+   worker_thread+0x2e/0x390
+
+  INFO: task kworker/0:2:252 blocked for more than 120 seconds.
+  Workqueue: pm pm_runtime_work
+  Call Trace:
+   schedule+0x28/0x80
+   schedule_timeout+0x1e3/0x370
+   wait_for_completion+0x123/0x190
+   flush_work+0x142/0x1c0
+   nouveau_pmops_runtime_suspend+0x7e/0xd0 [nouveau]
+   pci_pm_runtime_suspend+0x5c/0x180
+   vga_switcheroo_runtime_suspend+0x1e/0xa0
+   __rpm_callback+0xc1/0x200
+   rpm_callback+0x1f/0x70
+   rpm_suspend+0x13c/0x640
+   pm_runtime_work+0x6e/0x90
+   process_one_work+0x184/0x380
+   worker_thread+0x2e/0x390
+
+Bugzilla: https://bugs.archlinux.org/task/53497
+Bugzilla: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870523
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=70388#c33
+Fixes: 5addcf0a5f0f ("nouveau: add runtime PM support (v0.9)")
+Cc: stable@vger.kernel.org # v3.12+: 27d4ee03078a: workqueue: Allow retrieval of current task's work struct
+Cc: stable@vger.kernel.org # v3.12+: 25c058ccaf2e: drm: Allow determining if current task is output poll worker
+Cc: Ben Skeggs <bskeggs@redhat.com>
+Cc: Dave Airlie <airlied@redhat.com>
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/b7d2cbb609a80f59ccabfdf479b9d5907c603ea1.1518338789.git.lukas@wunner.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/nouveau/nouveau_connector.c |   18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_connector.c
++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
+@@ -253,9 +253,15 @@ nouveau_connector_detect(struct drm_conn
+               nv_connector->edid = NULL;
+       }
+-      ret = pm_runtime_get_sync(connector->dev->dev);
+-      if (ret < 0 && ret != -EACCES)
+-              return conn_status;
++      /* Outputs are only polled while runtime active, so acquiring a
++       * runtime PM ref here is unnecessary (and would deadlock upon
++       * runtime suspend because it waits for polling to finish).
++       */
++      if (!drm_kms_helper_is_poll_worker()) {
++              ret = pm_runtime_get_sync(connector->dev->dev);
++              if (ret < 0 && ret != -EACCES)
++                      return conn_status;
++      }
+       nv_encoder = nouveau_connector_ddc_detect(connector);
+       if (nv_encoder && (i2c = nv_encoder->i2c) != NULL) {
+@@ -323,8 +329,10 @@ detect_analog:
+  out:
+-      pm_runtime_mark_last_busy(connector->dev->dev);
+-      pm_runtime_put_autosuspend(connector->dev->dev);
++      if (!drm_kms_helper_is_poll_worker()) {
++              pm_runtime_mark_last_busy(connector->dev->dev);
++              pm_runtime_put_autosuspend(connector->dev->dev);
++      }
+       return conn_status;
+ }
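Review bot: The early return after `pm_runtime_get_sync()` in `nouveau_connector_detect` leaves the runtime PM usage count raised, because `pm_runtime_get_sync()` increments the counter even when it returns an error, and the re-indented code keeps that path. Adding `pm_runtime_put_noidle(connector->dev->dev);` ahead of `return conn_status;` balances it. The same pattern (`if (r < 0) return connector_status_disconnected;`) appears in every detect hook touched by drm-radeon-fix-deadlock-on-runtime-suspend.patch and in the amdgpu detect hooks earlier on this page. Separately, the get and the put are each guarded by their own call to `drm_kms_helper_is_poll_worker()`; storing the result once in a local would make the pairing explicit. The function body extends beyond both hunks.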
diff --git a/queue-4.4/drm-radeon-fix-deadlock-on-runtime-suspend.patch b/queue-4.4/drm-radeon-fix-deadlock-on-runtime-suspend.patch
new file mode 100644 (file)
index 0000000..1262a4f
--- /dev/null
@@ -0,0 +1,217 @@
+From 15734feff2bdac24aa3266c437cffa42851990e3 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Sun, 11 Feb 2018 10:38:28 +0100
+Subject: drm/radeon: Fix deadlock on runtime suspend
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 15734feff2bdac24aa3266c437cffa42851990e3 upstream.
+
+radeon's ->runtime_suspend hook calls drm_kms_helper_poll_disable(),
+which waits for the output poll worker to finish if it's running.
+
+The output poll worker meanwhile calls pm_runtime_get_sync() in
+radeon's ->detect hooks, which waits for the ongoing suspend to finish,
+causing a deadlock.
+
+Fix by not acquiring a runtime PM ref if the ->detect hooks are called
+in the output poll worker's context.  This is safe because the poll
+worker is only enabled while runtime active and we know that
+->runtime_suspend waits for it to finish.
+
+Stack trace for posterity:
+
+  INFO: task kworker/0:3:31847 blocked for more than 120 seconds
+  Workqueue: events output_poll_execute [drm_kms_helper]
+  Call Trace:
+   schedule+0x3c/0x90
+   rpm_resume+0x1e2/0x690
+   __pm_runtime_resume+0x3f/0x60
+   radeon_lvds_detect+0x39/0xf0 [radeon]
+   output_poll_execute+0xda/0x1e0 [drm_kms_helper]
+   process_one_work+0x14b/0x440
+   worker_thread+0x48/0x4a0
+
+  INFO: task kworker/2:0:10493 blocked for more than 120 seconds.
+  Workqueue: pm pm_runtime_work
+  Call Trace:
+   schedule+0x3c/0x90
+   schedule_timeout+0x1b3/0x240
+   wait_for_common+0xc2/0x180
+   wait_for_completion+0x1d/0x20
+   flush_work+0xfc/0x1a0
+   __cancel_work_timer+0xa5/0x1d0
+   cancel_delayed_work_sync+0x13/0x20
+   drm_kms_helper_poll_disable+0x1f/0x30 [drm_kms_helper]
+   radeon_pmops_runtime_suspend+0x3d/0xa0 [radeon]
+   pci_pm_runtime_suspend+0x61/0x1a0
+   vga_switcheroo_runtime_suspend+0x21/0x70
+   __rpm_callback+0x32/0x70
+   rpm_callback+0x24/0x80
+   rpm_suspend+0x12b/0x640
+   pm_runtime_work+0x6f/0xb0
+   process_one_work+0x14b/0x440
+   worker_thread+0x48/0x4a0
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=94147
+Fixes: 10ebc0bc0934 ("drm/radeon: add runtime PM support (v2)")
+Cc: stable@vger.kernel.org # v3.13+: 27d4ee03078a: workqueue: Allow retrieval of current task's work struct
+Cc: stable@vger.kernel.org # v3.13+: 25c058ccaf2e: drm: Allow determining if current task is output poll worker
+Cc: Ismo Toijala <ismo.toijala@gmail.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: Dave Airlie <airlied@redhat.com>
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/64ea02c44f91dda19bc563902b97bbc699040392.1518338789.git.lukas@wunner.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/radeon_connectors.c |   74 +++++++++++++++++++----------
+ 1 file changed, 49 insertions(+), 25 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_connectors.c
++++ b/drivers/gpu/drm/radeon/radeon_connectors.c
+@@ -891,9 +891,11 @@ radeon_lvds_detect(struct drm_connector
+       enum drm_connector_status ret = connector_status_disconnected;
+       int r;
+-      r = pm_runtime_get_sync(connector->dev->dev);
+-      if (r < 0)
+-              return connector_status_disconnected;
++      if (!drm_kms_helper_is_poll_worker()) {
++              r = pm_runtime_get_sync(connector->dev->dev);
++              if (r < 0)
++                      return connector_status_disconnected;
++      }
+       if (encoder) {
+               struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder);
+@@ -916,8 +918,12 @@ radeon_lvds_detect(struct drm_connector
+       /* check acpi lid status ??? */
+       radeon_connector_update_scratch_regs(connector, ret);
+-      pm_runtime_mark_last_busy(connector->dev->dev);
+-      pm_runtime_put_autosuspend(connector->dev->dev);
++
++      if (!drm_kms_helper_is_poll_worker()) {
++              pm_runtime_mark_last_busy(connector->dev->dev);
++              pm_runtime_put_autosuspend(connector->dev->dev);
++      }
++
+       return ret;
+ }
+@@ -1020,9 +1026,11 @@ radeon_vga_detect(struct drm_connector *
+       enum drm_connector_status ret = connector_status_disconnected;
+       int r;
+-      r = pm_runtime_get_sync(connector->dev->dev);
+-      if (r < 0)
+-              return connector_status_disconnected;
++      if (!drm_kms_helper_is_poll_worker()) {
++              r = pm_runtime_get_sync(connector->dev->dev);
++              if (r < 0)
++                      return connector_status_disconnected;
++      }
+       encoder = radeon_best_single_encoder(connector);
+       if (!encoder)
+@@ -1089,8 +1097,10 @@ radeon_vga_detect(struct drm_connector *
+       radeon_connector_update_scratch_regs(connector, ret);
+ out:
+-      pm_runtime_mark_last_busy(connector->dev->dev);
+-      pm_runtime_put_autosuspend(connector->dev->dev);
++      if (!drm_kms_helper_is_poll_worker()) {
++              pm_runtime_mark_last_busy(connector->dev->dev);
++              pm_runtime_put_autosuspend(connector->dev->dev);
++      }
+       return ret;
+ }
+@@ -1153,9 +1163,11 @@ radeon_tv_detect(struct drm_connector *c
+       if (!radeon_connector->dac_load_detect)
+               return ret;
+-      r = pm_runtime_get_sync(connector->dev->dev);
+-      if (r < 0)
+-              return connector_status_disconnected;
++      if (!drm_kms_helper_is_poll_worker()) {
++              r = pm_runtime_get_sync(connector->dev->dev);
++              if (r < 0)
++                      return connector_status_disconnected;
++      }
+       encoder = radeon_best_single_encoder(connector);
+       if (!encoder)
+@@ -1167,8 +1179,12 @@ radeon_tv_detect(struct drm_connector *c
+       if (ret == connector_status_connected)
+               ret = radeon_connector_analog_encoder_conflict_solve(connector, encoder, ret, false);
+       radeon_connector_update_scratch_regs(connector, ret);
+-      pm_runtime_mark_last_busy(connector->dev->dev);
+-      pm_runtime_put_autosuspend(connector->dev->dev);
++
++      if (!drm_kms_helper_is_poll_worker()) {
++              pm_runtime_mark_last_busy(connector->dev->dev);
++              pm_runtime_put_autosuspend(connector->dev->dev);
++      }
++
+       return ret;
+ }
+@@ -1230,9 +1246,11 @@ radeon_dvi_detect(struct drm_connector *
+       enum drm_connector_status ret = connector_status_disconnected;
+       bool dret = false, broken_edid = false;
+-      r = pm_runtime_get_sync(connector->dev->dev);
+-      if (r < 0)
+-              return connector_status_disconnected;
++      if (!drm_kms_helper_is_poll_worker()) {
++              r = pm_runtime_get_sync(connector->dev->dev);
++              if (r < 0)
++                      return connector_status_disconnected;
++      }
+       if (radeon_connector->detected_hpd_without_ddc) {
+               force = true;
+@@ -1415,8 +1433,10 @@ out:
+       }
+ exit:
+-      pm_runtime_mark_last_busy(connector->dev->dev);
+-      pm_runtime_put_autosuspend(connector->dev->dev);
++      if (!drm_kms_helper_is_poll_worker()) {
++              pm_runtime_mark_last_busy(connector->dev->dev);
++              pm_runtime_put_autosuspend(connector->dev->dev);
++      }
+       return ret;
+ }
+@@ -1666,9 +1686,11 @@ radeon_dp_detect(struct drm_connector *c
+       if (radeon_dig_connector->is_mst)
+               return connector_status_disconnected;
+-      r = pm_runtime_get_sync(connector->dev->dev);
+-      if (r < 0)
+-              return connector_status_disconnected;
++      if (!drm_kms_helper_is_poll_worker()) {
++              r = pm_runtime_get_sync(connector->dev->dev);
++              if (r < 0)
++                      return connector_status_disconnected;
++      }
+       if (!force && radeon_check_hpd_status_unchanged(connector)) {
+               ret = connector->status;
+@@ -1755,8 +1777,10 @@ radeon_dp_detect(struct drm_connector *c
+       }
+ out:
+-      pm_runtime_mark_last_busy(connector->dev->dev);
+-      pm_runtime_put_autosuspend(connector->dev->dev);
++      if (!drm_kms_helper_is_poll_worker()) {
++              pm_runtime_mark_last_busy(connector->dev->dev);
++              pm_runtime_put_autosuspend(connector->dev->dev);
++      }
+       return ret;
+ }
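Review bot: None of the five `->detect` hooks changed here (`radeon_lvds_detect`, `radeon_vga_detect`, `radeon_tv_detect`, `radeon_dvi_detect`, `radeon_dp_detect`) explains why the runtime PM reference is skipped for the poll worker, whereas the nouveau version of this fix adds a comment at the same spot. A short comment above the first check in each hook, e.g. `/* Polling runs only while runtime active; taking a PM ref here would deadlock against ->runtime_suspend. */`, would record the invariant that the skipped reference depends on. All five functions continue outside their hunks.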
diff --git a/queue-4.4/drm-radeon-fix-kv-harvesting.patch b/queue-4.4/drm-radeon-fix-kv-harvesting.patch
new file mode 100644 (file)
index 0000000..e6c441b
--- /dev/null
@@ -0,0 +1,66 @@
+From 0b58d90f89545e021d188c289fa142e5ff9e708b Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Thu, 1 Mar 2018 11:03:27 -0500
+Subject: drm/radeon: fix KV harvesting
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 0b58d90f89545e021d188c289fa142e5ff9e708b upstream.
+
+Always set the graphics values to the max for the
+asic type.  E.g., some 1 RB chips are actually 1 RB chips,
+others are actually harvested 2 RB chips.
+
+Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=99353
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/cik.c |   31 ++-----------------------------
+ 1 file changed, 2 insertions(+), 29 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/cik.c
++++ b/drivers/gpu/drm/radeon/cik.c
+@@ -3599,35 +3599,8 @@ static void cik_gpu_init(struct radeon_d
+       case CHIP_KAVERI:
+               rdev->config.cik.max_shader_engines = 1;
+               rdev->config.cik.max_tile_pipes = 4;
+-              if ((rdev->pdev->device == 0x1304) ||
+-                  (rdev->pdev->device == 0x1305) ||
+-                  (rdev->pdev->device == 0x130C) ||
+-                  (rdev->pdev->device == 0x130F) ||
+-                  (rdev->pdev->device == 0x1310) ||
+-                  (rdev->pdev->device == 0x1311) ||
+-                  (rdev->pdev->device == 0x131C)) {
+-                      rdev->config.cik.max_cu_per_sh = 8;
+-                      rdev->config.cik.max_backends_per_se = 2;
+-              } else if ((rdev->pdev->device == 0x1309) ||
+-                         (rdev->pdev->device == 0x130A) ||
+-                         (rdev->pdev->device == 0x130D) ||
+-                         (rdev->pdev->device == 0x1313) ||
+-                         (rdev->pdev->device == 0x131D)) {
+-                      rdev->config.cik.max_cu_per_sh = 6;
+-                      rdev->config.cik.max_backends_per_se = 2;
+-              } else if ((rdev->pdev->device == 0x1306) ||
+-                         (rdev->pdev->device == 0x1307) ||
+-                         (rdev->pdev->device == 0x130B) ||
+-                         (rdev->pdev->device == 0x130E) ||
+-                         (rdev->pdev->device == 0x1315) ||
+-                         (rdev->pdev->device == 0x1318) ||
+-                         (rdev->pdev->device == 0x131B)) {
+-                      rdev->config.cik.max_cu_per_sh = 4;
+-                      rdev->config.cik.max_backends_per_se = 1;
+-              } else {
+-                      rdev->config.cik.max_cu_per_sh = 3;
+-                      rdev->config.cik.max_backends_per_se = 1;
+-              }
++              rdev->config.cik.max_cu_per_sh = 8;
++              rdev->config.cik.max_backends_per_se = 2;
+               rdev->config.cik.max_sh_per_se = 1;
+               rdev->config.cik.max_texture_channel_caches = 4;
+               rdev->config.cik.max_gprs = 256;
diff --git a/queue-4.4/input-matrix_keypad-fix-race-when-disabling-interrupts.patch b/queue-4.4/input-matrix_keypad-fix-race-when-disabling-interrupts.patch
new file mode 100644 (file)
index 0000000..f16a687
--- /dev/null
@@ -0,0 +1,40 @@
+From ea4f7bd2aca9f68470e9aac0fc9432fd180b1fe7 Mon Sep 17 00:00:00 2001
+From: Zhang Bo <zbsdta@126.com>
+Date: Mon, 5 Feb 2018 14:56:21 -0800
+Subject: Input: matrix_keypad - fix race when disabling interrupts
+
+From: Zhang Bo <zbsdta@126.com>
+
+commit ea4f7bd2aca9f68470e9aac0fc9432fd180b1fe7 upstream.
+
+If matrix_keypad_stop() is executing and the keypad interrupt is triggered,
+disable_row_irqs() may be called by both matrix_keypad_interrupt() and
+matrix_keypad_stop() at the same time, causing interrupts to be disabled
+twice and the keypad being "stuck" after resuming.
+
+Take lock when setting keypad->stopped to ensure that ISR will not race
+with matrix_keypad_stop() disabling interrupts.
+
+Signed-off-by: Zhang Bo <zbsdta@126.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/keyboard/matrix_keypad.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/keyboard/matrix_keypad.c
++++ b/drivers/input/keyboard/matrix_keypad.c
+@@ -216,8 +216,10 @@ static void matrix_keypad_stop(struct in
+ {
+       struct matrix_keypad *keypad = input_get_drvdata(dev);
++      spin_lock_irq(&keypad->lock);
+       keypad->stopped = true;
+-      mb();
++      spin_unlock_irq(&keypad->lock);
++
+       flush_work(&keypad->work.work);
+       /*
+        * matrix_keypad_scan() will leave IRQs enabled;
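Review bot: The lock now taken around `keypad->stopped = true` in `matrix_keypad_stop` has no comment naming what it serializes against, while the `mb()` it replaces at least signalled an ordering requirement. A comment above `spin_lock_irq()`, such as `/* Serialize with matrix_keypad_interrupt() so both cannot call disable_row_irqs() */`, would record the reason given in the description. The interrupt handler is not part of this hunk, so it should be confirmed that it reads `keypad->stopped` under `keypad->lock`. Any other writer of `stopped` outside the hunk would need the same treatment. The function continues past the hunk.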
diff --git a/queue-4.4/kbuild-handle-builtin-dtb-file-names-containing-hyphens.patch b/queue-4.4/kbuild-handle-builtin-dtb-file-names-containing-hyphens.patch
new file mode 100644 (file)
index 0000000..8623898
--- /dev/null
@@ -0,0 +1,70 @@
+From 55fe6da9efba102866e2fb5b40b04b6a4b26c19e Mon Sep 17 00:00:00 2001
+From: James Hogan <jhogan@kernel.org>
+Date: Thu, 8 Mar 2018 11:02:46 +0000
+Subject: kbuild: Handle builtin dtb file names containing hyphens
+
+From: James Hogan <jhogan@kernel.org>
+
+commit 55fe6da9efba102866e2fb5b40b04b6a4b26c19e upstream.
+
+cmd_dt_S_dtb constructs the assembly source to incorporate a devicetree
+FDT (that is, the .dtb file) as binary data in the kernel image. This
+assembly source contains labels before and after the binary data. The
+label names incorporate the file name of the corresponding .dtb file.
+Hyphens are not legal characters in labels, so .dtb files built into the
+kernel with hyphens in the file name result in errors like the
+following:
+
+bcm3368-netgear-cvg834g.dtb.S: Assembler messages:
+bcm3368-netgear-cvg834g.dtb.S:5: Error: : no such section
+bcm3368-netgear-cvg834g.dtb.S:5: Error: junk at end of line, first unrecognized character is `-'
+bcm3368-netgear-cvg834g.dtb.S:6: Error: unrecognized opcode `__dtb_bcm3368-netgear-cvg834g_begin:'
+bcm3368-netgear-cvg834g.dtb.S:8: Error: unrecognized opcode `__dtb_bcm3368-netgear-cvg834g_end:'
+bcm3368-netgear-cvg834g.dtb.S:9: Error: : no such section
+bcm3368-netgear-cvg834g.dtb.S:9: Error: junk at end of line, first unrecognized character is `-'
+
+Fix this by updating cmd_dt_S_dtb to transform all hyphens from the file
+name to underscores when constructing the labels.
+
+As of v4.16-rc2, 1139 .dts files across ARM64, ARM, MIPS and PowerPC
+contain hyphens in their names, but the issue only currently manifests
+on Broadcom MIPS platforms, as that is the only place where such files
+are built into the kernel. For example when CONFIG_DT_NETGEAR_CVG834G=y,
+or on BMIPS kernels when the dtbs target is used (in the latter case it
+admittedly shouldn't really build all the dtb.o files, but thats a
+separate issue).
+
+Fixes: 695835511f96 ("MIPS: BMIPS: rename bcm96358nb4ser to bcm6358-neufbox4-sercom")
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Reviewed-by: Frank Rowand <frowand.list@gmail.com>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: Michal Marek <michal.lkml@markovi.net>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Florian Fainelli <f.fainelli@gmail.com>
+Cc: Kevin Cernekee <cernekee@gmail.com>
+Cc: <stable@vger.kernel.org> # 4.9+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ scripts/Makefile.lib |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/scripts/Makefile.lib
++++ b/scripts/Makefile.lib
+@@ -270,11 +270,11 @@ cmd_dt_S_dtb=                                            \
+       echo '\#include <asm-generic/vmlinux.lds.h>';   \
+       echo '.section .dtb.init.rodata,"a"';           \
+       echo '.balign STRUCT_ALIGNMENT';                \
+-      echo '.global __dtb_$(*F)_begin';               \
+-      echo '__dtb_$(*F)_begin:';                      \
++      echo '.global __dtb_$(subst -,_,$(*F))_begin';  \
++      echo '__dtb_$(subst -,_,$(*F))_begin:';         \
+       echo '.incbin "$<" ';                           \
+-      echo '__dtb_$(*F)_end:';                        \
+-      echo '.global __dtb_$(*F)_end';                 \
++      echo '__dtb_$(subst -,_,$(*F))_end:';           \
++      echo '.global __dtb_$(subst -,_,$(*F))_end';    \
+       echo '.balign STRUCT_ALIGNMENT';                \
+ ) > $@
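Review bot: The label fix in `cmd_dt_S_dtb` maps only `-` to `_`, so two .dtb names that differ only in hyphen versus underscore would now produce the same `__dtb_..._begin` and `__dtb_..._end` symbols. Any other character that is valid in a file name but not in an assembler label would still fail as before. Whether such names can occur is not visible from this hunk; if they can, a broader transformation or an explicit check is needed. As a style point, `$(subst -,_,$(*F))` is spelled out four times; a recursively expanded helper variable defined once above the rule would keep the four uses in step.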
diff --git a/queue-4.4/loop-fix-lost-writes-caused-by-missing-flag.patch b/queue-4.4/loop-fix-lost-writes-caused-by-missing-flag.patch
new file mode 100644 (file)
index 0000000..635f3d8
--- /dev/null
@@ -0,0 +1,68 @@
+From 1d037577c323e5090ce281e96bc313ab2eee5be2 Mon Sep 17 00:00:00 2001
+From: Ross Zwisler <ross.zwisler@linux.intel.com>
+Date: Fri, 9 Mar 2018 08:36:36 -0700
+Subject: loop: Fix lost writes caused by missing flag
+
+From: Ross Zwisler <ross.zwisler@linux.intel.com>
+
+commit 1d037577c323e5090ce281e96bc313ab2eee5be2 upstream.
+
+The following commit:
+
+commit aa4d86163e4e ("block: loop: switch to VFS ITER_BVEC")
+
+replaced __do_lo_send_write(), which used ITER_KVEC iterators, with
+lo_write_bvec() which uses ITER_BVEC iterators.  In this change, though,
+the WRITE flag was lost:
+
+-       iov_iter_kvec(&from, ITER_KVEC | WRITE, &kvec, 1, len);
++       iov_iter_bvec(&i, ITER_BVEC, bvec, 1, bvec->bv_len);
+
+This flag is necessary for the DAX case because we make decisions based on
+whether or not the iterator is a READ or a WRITE in dax_iomap_actor() and
+in dax_iomap_rw().
+
+We end up going through this path in configurations where we combine a PMEM
+device with 4k sectors, a loopback device and DAX.  The consequence of this
+missed flag is that what we intend as a write actually turns into a read in
+the DAX code, so no data is ever written.
+
+The very simplest test case is to create a loopback device and try and
+write a small string to it, then hexdump a few bytes of the device to see
+if the write took.  Without this patch you read back all zeros, with this
+you read back the string you wrote.
+
+For XFS this causes us to fail or panic during the following xfstests:
+
+       xfs/074 xfs/078 xfs/216 xfs/217 xfs/250
+
+For ext4 we have a similar issue where writes never happen, but we don't
+currently have any xfstests that use loopback and show this issue.
+
+Fix this by restoring the WRITE flag argument to iov_iter_bvec().  This
+causes the xfstests to all pass.
+
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: stable@vger.kernel.org
+Fixes: commit aa4d86163e4e ("block: loop: switch to VFS ITER_BVEC")
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Ross Zwisler <ross.zwisler@linux.intel.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/loop.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -263,7 +263,7 @@ static int lo_write_bvec(struct file *fi
+       struct iov_iter i;
+       ssize_t bw;
+-      iov_iter_bvec(&i, ITER_BVEC, bvec, 1, bvec->bv_len);
++      iov_iter_bvec(&i, ITER_BVEC | WRITE, bvec, 1, bvec->bv_len);
+       file_start_write(file);
+       bw = vfs_iter_write(file, &i, ppos);
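Review bot: The restored `WRITE` flag in `lo_write_bvec` has no comment, and the description shows it was already lost once in a conversion that produced no build or type error. A comment above the `iov_iter_bvec()` call, e.g. `/* WRITE is required: DAX decides read vs. write from the iterator direction */`, would make the flag harder to drop again. The function continues outside the hunk.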
diff --git a/queue-4.4/mips-ath25-check-for-kzalloc-allocation-failure.patch b/queue-4.4/mips-ath25-check-for-kzalloc-allocation-failure.patch
new file mode 100644 (file)
index 0000000..8c03ef1
--- /dev/null
@@ -0,0 +1,37 @@
+From 1b22b4b28fd5fbc51855219e3238b3ab81da8466 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 22 Feb 2018 17:50:12 +0000
+Subject: MIPS: ath25: Check for kzalloc allocation failure
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 1b22b4b28fd5fbc51855219e3238b3ab81da8466 upstream.
+
+Currently there is no null check on a failed allocation of board_data,
+and hence a null pointer dereference will occurr. Fix this by checking
+for the out of memory null pointer.
+
+Fixes: a7473717483e ("MIPS: ath25: add board configuration detection")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: <stable@vger.kernel.org> # 3.19+
+Patchwork: https://patchwork.linux-mips.org/patch/18657/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/ath25/board.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/mips/ath25/board.c
++++ b/arch/mips/ath25/board.c
+@@ -135,6 +135,8 @@ int __init ath25_find_config(phys_addr_t
+       }
+       board_data = kzalloc(BOARD_CONFIG_BUFSZ, GFP_KERNEL);
++      if (!board_data)
++              goto error;
+       ath25_board.config = (struct ath25_boarddata *)board_data;
+       memcpy_fromio(board_data, bcfg, 0x100);
+       if (broken_boarddata) {
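Review bot: The new `goto error` in `ath25_find_config` returns whatever status the function holds at that point, and the hunk shows no assignment of `-ENOMEM` before the jump. The `error` label and the status variable are outside the hunk, so it should be confirmed that a failed `kzalloc()` yields an error code, preferably `-ENOMEM` set immediately before the `goto`. Also, `memcpy_fromio(board_data, bcfg, 0x100)` copies a literal length into a buffer sized by `BOARD_CONFIG_BUFSZ`. A named constant, or a compile-time check that the buffer holds at least 0x100 bytes, would tie the two together.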
diff --git a/queue-4.4/mips-bmips-do-not-mask-ipis-during-suspend.patch b/queue-4.4/mips-bmips-do-not-mask-ipis-during-suspend.patch
new file mode 100644 (file)
index 0000000..c03491b
--- /dev/null
@@ -0,0 +1,54 @@
+From 06a3f0c9f2725f5d7c63c4203839373c9bd00c28 Mon Sep 17 00:00:00 2001
+From: Justin Chen <justinpopo6@gmail.com>
+Date: Wed, 27 Sep 2017 17:15:15 -0700
+Subject: MIPS: BMIPS: Do not mask IPIs during suspend
+
+From: Justin Chen <justinpopo6@gmail.com>
+
+commit 06a3f0c9f2725f5d7c63c4203839373c9bd00c28 upstream.
+
+Commit a3e6c1eff548 ("MIPS: IRQ: Fix disable_irq on CPU IRQs") fixes an
+issue where disable_irq did not actually disable the irq. The bug caused
+our IPIs to not be disabled, which actually is the correct behavior.
+
+With the addition of commit a3e6c1eff548 ("MIPS: IRQ: Fix disable_irq on
+CPU IRQs"), the IPIs were getting disabled going into suspend, thus
+schedule_ipi() was not being called. This caused deadlocks where
+schedulable task were not being scheduled and other cpus were waiting
+for them to do something.
+
+Add the IRQF_NO_SUSPEND flag so an irq_disable will not be called on the
+IPIs during suspend.
+
+Signed-off-by: Justin Chen <justinpopo6@gmail.com>
+Fixes: a3e6c1eff548 ("MIPS: IRQ: Fix disabled_irq on CPU IRQs")
+Cc: Florian Fainelli <f.fainelli@gmail.com>
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/17385/
+[jhogan@kernel.org: checkpatch: wrap long lines and fix commit refs]
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/smp-bmips.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/mips/kernel/smp-bmips.c
++++ b/arch/mips/kernel/smp-bmips.c
+@@ -166,11 +166,11 @@ static void bmips_prepare_cpus(unsigned
+               return;
+       }
+-      if (request_irq(IPI0_IRQ, bmips_ipi_interrupt, IRQF_PERCPU,
+-                      "smp_ipi0", NULL))
++      if (request_irq(IPI0_IRQ, bmips_ipi_interrupt,
++                      IRQF_PERCPU | IRQF_NO_SUSPEND, "smp_ipi0", NULL))
+               panic("Can't request IPI0 interrupt");
+-      if (request_irq(IPI1_IRQ, bmips_ipi_interrupt, IRQF_PERCPU,
+-                      "smp_ipi1", NULL))
++      if (request_irq(IPI1_IRQ, bmips_ipi_interrupt,
++                      IRQF_PERCPU | IRQF_NO_SUSPEND, "smp_ipi1", NULL))
+               panic("Can't request IPI1 interrupt");
+ }
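Review bot: Both `request_irq()` calls now pass `IRQF_PERCPU | IRQF_NO_SUSPEND`, but nothing in the code says why the IPIs must stay enabled across suspend; that reasoning exists only in the commit message. I would add a comment above the first call, e.g. `/* IPIs must stay enabled during suspend, otherwise schedule_ipi() is never called and CPUs deadlock */`. Because the same flag pair is spelled out twice, a shared local such as `const unsigned long ipi_flags = IRQF_PERCPU | IRQF_NO_SUSPEND;` would keep the two registrations from drifting apart. bmips_prepare_cpus() starts outside the hunk.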
diff --git a/queue-4.4/mips-octeon-irq-check-for-null-return-on-kzalloc-allocation.patch b/queue-4.4/mips-octeon-irq-check-for-null-return-on-kzalloc-allocation.patch
new file mode 100644 (file)
index 0000000..75f7ad6
--- /dev/null
@@ -0,0 +1,39 @@
+From 902f4d067a50ccf645a58dd5fb1d113b6e0f9b5b Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 22 Feb 2018 18:08:53 +0000
+Subject: MIPS: OCTEON: irq: Check for null return on kzalloc allocation
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 902f4d067a50ccf645a58dd5fb1d113b6e0f9b5b upstream.
+
+The allocation of host_data is not null checked, leading to a null
+pointer dereference if the allocation fails. Fix this by adding a null
+check and return with -ENOMEM.
+
+Fixes: 64b139f97c01 ("MIPS: OCTEON: irq: add CIB and other fixes")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-by: David Daney <david.daney@cavium.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: "Steven J. Hill" <Steven.Hill@cavium.com>
+Cc: linux-mips@linux-mips.org
+Cc: <stable@vger.kernel.org> # 4.0+
+Patchwork: https://patchwork.linux-mips.org/patch/18658/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/cavium-octeon/octeon-irq.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/mips/cavium-octeon/octeon-irq.c
++++ b/arch/mips/cavium-octeon/octeon-irq.c
+@@ -2246,6 +2246,8 @@ static int __init octeon_irq_init_cib(st
+       }
+       host_data = kzalloc(sizeof(*host_data), GFP_KERNEL);
++      if (!host_data)
++              return -ENOMEM;
+       raw_spin_lock_init(&host_data->lock);
+       addr = of_get_address(ciu_node, 0, NULL, NULL);
diff --git a/queue-4.4/scsi-qla2xxx-fix-null-pointer-crash-due-to-active-timer-for-abts.patch b/queue-4.4/scsi-qla2xxx-fix-null-pointer-crash-due-to-active-timer-for-abts.patch
new file mode 100644 (file)
index 0000000..9eba472
--- /dev/null
@@ -0,0 +1,120 @@
+From 1514839b366417934e2f1328edb50ed1e8a719f5 Mon Sep 17 00:00:00 2001
+From: "himanshu.madhani@cavium.com" <himanshu.madhani@cavium.com>
+Date: Mon, 12 Feb 2018 10:28:14 -0800
+Subject: scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS
+
+From: himanshu.madhani@cavium.com <himanshu.madhani@cavium.com>
+
+commit 1514839b366417934e2f1328edb50ed1e8a719f5 upstream.
+
+This patch fixes NULL pointer crash due to active timer running for abort
+IOCB.
+
+From crash dump analysis it was discoverd that get_next_timer_interrupt()
+encountered a corrupted entry on the timer list.
+
+ #9 [ffff95e1f6f0fd40] page_fault at ffffffff914fe8f8
+    [exception RIP: get_next_timer_interrupt+440]
+    RIP: ffffffff90ea3088  RSP: ffff95e1f6f0fdf0  RFLAGS: 00010013
+    RAX: ffff95e1f6451028  RBX: 000218e2389e5f40  RCX: 00000001232ad600
+    RDX: 0000000000000001  RSI: ffff95e1f6f0fdf0  RDI: 0000000001232ad6
+    RBP: ffff95e1f6f0fe40   R8: ffff95e1f6451188   R9: 0000000000000001
+    R10: 0000000000000016  R11: 0000000000000016  R12: 00000001232ad5f6
+    R13: ffff95e1f6450000  R14: ffff95e1f6f0fdf8  R15: ffff95e1f6f0fe10
+    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
+
+Looking at the assembly of get_next_timer_interrupt(), address came
+from %r8 (ffff95e1f6451188) which is pointing to list_head with single
+entry at ffff95e5ff621178.
+
+ 0xffffffff90ea307a <get_next_timer_interrupt+426>:      mov    (%r8),%rdx
+ 0xffffffff90ea307d <get_next_timer_interrupt+429>:      cmp    %r8,%rdx
+ 0xffffffff90ea3080 <get_next_timer_interrupt+432>:      je     0xffffffff90ea30a7 <get_next_timer_interrupt+471>
+ 0xffffffff90ea3082 <get_next_timer_interrupt+434>:      nopw   0x0(%rax,%rax,1)
+ 0xffffffff90ea3088 <get_next_timer_interrupt+440>:      testb  $0x1,0x18(%rdx)
+
+ crash> rd ffff95e1f6451188 10
+ ffff95e1f6451188:  ffff95e5ff621178 ffff95e5ff621178   x.b.....x.b.....
+ ffff95e1f6451198:  ffff95e1f6451198 ffff95e1f6451198   ..E.......E.....
+ ffff95e1f64511a8:  ffff95e1f64511a8 ffff95e1f64511a8   ..E.......E.....
+ ffff95e1f64511b8:  ffff95e77cf509a0 ffff95e77cf509a0   ...|.......|....
+ ffff95e1f64511c8:  ffff95e1f64511c8 ffff95e1f64511c8   ..E.......E.....
+
+ crash> rd ffff95e5ff621178 10
+ ffff95e5ff621178:  0000000000000001 ffff95e15936aa00   ..........6Y....
+ ffff95e5ff621188:  0000000000000000 00000000ffffffff   ................
+ ffff95e5ff621198:  00000000000000a0 0000000000000010   ................
+ ffff95e5ff6211a8:  ffff95e5ff621198 000000000000000c   ..b.............
+ ffff95e5ff6211b8:  00000f5800000000 ffff95e751f8d720   ....X... ..Q....
+
+ ffff95e5ff621178 belongs to freed mempool object at ffff95e5ff621080.
+
+ CACHE            NAME                 OBJSIZE  ALLOCATED     TOTAL  SLABS  SSIZE
+ ffff95dc7fd74d00 mnt_cache                384      19785     24948    594    16k
+   SLAB              MEMORY            NODE  TOTAL  ALLOCATED  FREE
+   ffffdc5dabfd8800  ffff95e5ff620000     1     42         29    13
+   FREE / [ALLOCATED]
+    ffff95e5ff621080  (cpu 6 cache)
+
+Examining the contents of that memory reveals a pointer to a constant string
+in the driver, "abort\0", which is set by qla24xx_async_abort_cmd().
+
+ crash> rd ffffffffc059277c 20
+ ffffffffc059277c:  6e490074726f6261 0074707572726574   abort.Interrupt.
+ ffffffffc059278c:  00676e696c6c6f50 6920726576697244   Polling.Driver i
+ ffffffffc059279c:  646f6d207325206e 6974736554000a65   n %s mode..Testi
+ ffffffffc05927ac:  636976656420676e 786c252074612065   ng device at %lx
+ ffffffffc05927bc:  6b63656843000a2e 646f727020676e69   ...Checking prod
+ ffffffffc05927cc:  6f20444920746375 0a2e706968632066   uct ID of chip..
+ ffffffffc05927dc:  5120646e756f4600 204130303232414c   .Found QLA2200A
+ ffffffffc05927ec:  43000a2e70696843 20676e696b636568   Chip...Checking
+ ffffffffc05927fc:  65786f626c69616d 6c636e69000a2e73   mailboxes...incl
+ ffffffffc059280c:  756e696c2f656475 616d2d616d642f78   ude/linux/dma-ma
+
+ crash> struct -ox srb_iocb
+ struct srb_iocb {
+           union {
+               struct {...} logio;
+               struct {...} els_logo;
+               struct {...} tmf;
+               struct {...} fxiocb;
+               struct {...} abt;
+               struct ct_arg ctarg;
+               struct {...} mbx;
+               struct {...} nack;
+    [0x0 ] } u;
+    [0xb8] struct timer_list timer;
+    [0x108] void (*timeout)(void *);
+ }
+ SIZE: 0x110
+
+ crash> ! bc
+ ibase=16
+ obase=10
+ B8+40
+ F8
+
+The object is a srb_t, and at offset 0xf8 within that structure
+(i.e. ffff95e5ff621080 + f8 -> ffff95e5ff621178) is a struct timer_list.
+
+Cc: <stable@vger.kernel.org> #4.4+
+Fixes: 4440e46d5db7 ("[SCSI] qla2xxx: Add IOCB Abort command asynchronous handling.")
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_init.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -365,6 +365,7 @@ qla24xx_abort_sp_done(void *data, void *
+       srb_t *sp = (srb_t *)ptr;
+       struct srb_iocb *abt = &sp->u.iocb_cmd;
++      del_timer(&sp->u.iocb_cmd.timer);
+       complete(&abt->u.abt.comp);
+ }
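Review bot: The added `del_timer()` in qla24xx_abort_sp_done() only removes a pending timer; it does not wait for a timeout handler that is already running on another CPU. If the abort IOCB's timeout callback can race with this completion, the srb could still be touched after the waiter frees it, which is the freed-object timer corruption the commit message describes. Whether that race exists depends on code outside this hunk (where the timer is armed and where `sp` is released), so it should be confirmed; if the calling context allows sleeping or spinning, `del_timer_sync()` would close the window. As a smaller point, `abt` already aliases `&sp->u.iocb_cmd`, so the line can read `del_timer(&abt->timer);`, and a comment such as `/* stop the abort timer before complete() lets the waiter free sp */` would record why the order matters.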
index 9c342c6b61229aea279ba220d3ce18fc51e86af2..eaedb821da738a4be70b9756f4ad86f5e3306a03 100644 (file)
@@ -1,3 +1,26 @@
 rdma-ucma-limit-possible-option-size.patch
 rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch
 rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch
+scsi-qla2xxx-fix-null-pointer-crash-due-to-active-timer-for-abts.patch
+workqueue-allow-retrieval-of-current-task-s-work-struct.patch
+drm-allow-determining-if-current-task-is-output-poll-worker.patch
+drm-nouveau-fix-deadlock-on-runtime-suspend.patch
+drm-radeon-fix-deadlock-on-runtime-suspend.patch
+drm-amdgpu-fix-deadlock-on-runtime-suspend.patch
+drm-amdgpu-notify-sbios-device-ready-before-send-request.patch
+drm-radeon-fix-kv-harvesting.patch
+drm-amdgpu-fix-kv-harvesting.patch
+mips-bmips-do-not-mask-ipis-during-suspend.patch
+mips-ath25-check-for-kzalloc-allocation-failure.patch
+mips-octeon-irq-check-for-null-return-on-kzalloc-allocation.patch
+input-matrix_keypad-fix-race-when-disabling-interrupts.patch
+loop-fix-lost-writes-caused-by-missing-flag.patch
+kbuild-handle-builtin-dtb-file-names-containing-hyphens.patch
+bcache-don-t-attach-backing-with-duplicate-uuid.patch
+x86-mce-serialize-sysfs-changes.patch
+alsa-hda-realtek-fix-dock-line-out-volume-on-dell-precision-7520.patch
+alsa-seq-don-t-allow-resizing-pool-in-use.patch
+alsa-seq-more-protection-for-concurrent-write-and-ioctl-races.patch
+alsa-hda-fix-a-wrong-fixup-for-alc289-on-dell-machines.patch
+alsa-hda-add-dock-and-led-support-for-hp-elitebook-820-g3.patch
+alsa-hda-add-dock-and-led-support-for-hp-probook-640-g2.patch
diff --git a/queue-4.4/workqueue-allow-retrieval-of-current-task-s-work-struct.patch b/queue-4.4/workqueue-allow-retrieval-of-current-task-s-work-struct.patch
new file mode 100644 (file)
index 0000000..4015558
--- /dev/null
@@ -0,0 +1,69 @@
+From 27d4ee03078aba88c5e07dcc4917e8d01d046f38 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Sun, 11 Feb 2018 10:38:28 +0100
+Subject: workqueue: Allow retrieval of current task's work struct
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 27d4ee03078aba88c5e07dcc4917e8d01d046f38 upstream.
+
+Introduce a helper to retrieve the current task's work struct if it is
+a workqueue worker.
+
+This allows us to fix a long-standing deadlock in several DRM drivers
+wherein the ->runtime_suspend callback waits for a specific worker to
+finish and that worker in turn calls a function which waits for runtime
+suspend to finish.  That function is invoked from multiple call sites
+and waiting for runtime suspend to finish is the correct thing to do
+except if it's executing in the context of the worker.
+
+Cc: Lai Jiangshan <jiangshanlai@gmail.com>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Ben Skeggs <bskeggs@redhat.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/2d8f603074131eb87e588d2b803a71765bd3a2fd.1518338788.git.lukas@wunner.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/workqueue.h |    1 +
+ kernel/workqueue.c        |   16 ++++++++++++++++
+ 2 files changed, 17 insertions(+)
+
+--- a/include/linux/workqueue.h
++++ b/include/linux/workqueue.h
+@@ -451,6 +451,7 @@ extern bool cancel_delayed_work_sync(str
+ extern void workqueue_set_max_active(struct workqueue_struct *wq,
+                                    int max_active);
++extern struct work_struct *current_work(void);
+ extern bool current_is_workqueue_rescuer(void);
+ extern bool workqueue_congested(int cpu, struct workqueue_struct *wq);
+ extern unsigned int work_busy(struct work_struct *work);
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -4048,6 +4048,22 @@ void workqueue_set_max_active(struct wor
+ EXPORT_SYMBOL_GPL(workqueue_set_max_active);
+ /**
++ * current_work - retrieve %current task's work struct
++ *
++ * Determine if %current task is a workqueue worker and what it's working on.
++ * Useful to find out the context that the %current task is running in.
++ *
++ * Return: work struct if %current task is a workqueue worker, %NULL otherwise.
++ */
++struct work_struct *current_work(void)
++{
++      struct worker *worker = current_wq_worker();
++
++      return worker ? worker->current_work : NULL;
++}
++EXPORT_SYMBOL(current_work);
++
++/**
+  * current_is_workqueue_rescuer - is %current workqueue rescuer?
+  *
+  * Determine whether %current is a workqueue rescuer.  Can be used from
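Review bot: The kernel-doc for `current_work()` does not say what a caller may do with the returned pointer. The function returns `worker->current_work` with no lock or reference taken in the visible lines, so the comment should say the result is only meaningful while the calling work function is still running, e.g. add ` * The returned pointer is only valid for comparison from within the work function itself.` (wording to be confirmed against the worker lifetime rules, which are outside this hunk). Separately, the helper is exported with `EXPORT_SYMBOL(current_work);` while the neighbouring `workqueue_set_max_active` uses `EXPORT_SYMBOL_GPL`; if the wider export is not deliberate, `EXPORT_SYMBOL_GPL(current_work);` would match.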
diff --git a/queue-4.4/x86-mce-serialize-sysfs-changes.patch b/queue-4.4/x86-mce-serialize-sysfs-changes.patch
new file mode 100644 (file)
index 0000000..39ca93f
--- /dev/null
@@ -0,0 +1,115 @@
+From b3b7c4795ccab5be71f080774c45bbbcc75c2aaf Mon Sep 17 00:00:00 2001
+From: Seunghun Han <kkamagui@gmail.com>
+Date: Tue, 6 Mar 2018 15:21:43 +0100
+Subject: x86/MCE: Serialize sysfs changes
+
+From: Seunghun Han <kkamagui@gmail.com>
+
+commit b3b7c4795ccab5be71f080774c45bbbcc75c2aaf upstream.
+
+The check_interval file in
+
+  /sys/devices/system/machinecheck/machinecheck<cpu number>
+
+directory is a global timer value for MCE polling. If it is changed by one
+CPU, mce_restart() broadcasts the event to other CPUs to delete and restart
+the MCE polling timer and __mcheck_cpu_init_timer() reinitializes the
+mce_timer variable.
+
+If more than one CPU writes a specific value to the check_interval file
+concurrently, mce_timer is not protected from such concurrent accesses and
+all kinds of explosions happen. Since only root can write to those sysfs
+variables, the issue is not a big deal security-wise.
+
+However, concurrent writes to these configuration variables is void of
+reason so the proper thing to do is to serialize the access with a mutex.
+
+Boris:
+
+ - Make store_int_with_restart() use device_store_ulong() to filter out
+   negative intervals
+ - Limit min interval to 1 second
+ - Correct locking
+ - Massage commit message
+
+Signed-off-by: Seunghun Han <kkamagui@gmail.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/20180302202706.9434-1-kkamagui@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/mcheck/mce.c |   22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/mcheck/mce.c
++++ b/arch/x86/kernel/cpu/mcheck/mce.c
+@@ -60,6 +60,9 @@ static DEFINE_MUTEX(mce_chrdev_read_mute
+       smp_load_acquire(&(p)); \
+ })
++/* sysfs synchronization */
++static DEFINE_MUTEX(mce_sysfs_mutex);
++
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/mce.h>
+@@ -2220,6 +2223,7 @@ static ssize_t set_ignore_ce(struct devi
+       if (kstrtou64(buf, 0, &new) < 0)
+               return -EINVAL;
++      mutex_lock(&mce_sysfs_mutex);
+       if (mca_cfg.ignore_ce ^ !!new) {
+               if (new) {
+                       /* disable ce features */
+@@ -2232,6 +2236,8 @@ static ssize_t set_ignore_ce(struct devi
+                       on_each_cpu(mce_enable_ce, (void *)1, 1);
+               }
+       }
++      mutex_unlock(&mce_sysfs_mutex);
++
+       return size;
+ }
+@@ -2244,6 +2250,7 @@ static ssize_t set_cmci_disabled(struct
+       if (kstrtou64(buf, 0, &new) < 0)
+               return -EINVAL;
++      mutex_lock(&mce_sysfs_mutex);
+       if (mca_cfg.cmci_disabled ^ !!new) {
+               if (new) {
+                       /* disable cmci */
+@@ -2255,6 +2262,8 @@ static ssize_t set_cmci_disabled(struct
+                       on_each_cpu(mce_enable_ce, NULL, 1);
+               }
+       }
++      mutex_unlock(&mce_sysfs_mutex);
++
+       return size;
+ }
+@@ -2262,8 +2271,19 @@ static ssize_t store_int_with_restart(st
+                                     struct device_attribute *attr,
+                                     const char *buf, size_t size)
+ {
+-      ssize_t ret = device_store_int(s, attr, buf, size);
++      unsigned long old_check_interval = check_interval;
++      ssize_t ret = device_store_ulong(s, attr, buf, size);
++
++      if (check_interval == old_check_interval)
++              return ret;
++
++      if (check_interval < 1)
++              check_interval = 1;
++
++      mutex_lock(&mce_sysfs_mutex);
+       mce_restart();
++      mutex_unlock(&mce_sysfs_mutex);
++
+       return ret;
+ }
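Review bot: In store_int_with_restart() the snapshot of `check_interval`, the write through `device_store_ulong()`, the comparison and the clamp to 1 all happen before `mce_sysfs_mutex` is taken, so only `mce_restart()` is serialized. Two concurrent writers can interleave so that one compares against the other's value and skips the restart, and a written 0 is briefly visible before the clamp. Taking the mutex at the top of the function and holding it across the store, clamp and restart would make the whole update atomic with respect to other sysfs writers. The declaration of `check_interval` is outside the hunk; it is worth confirming it is an `unsigned long` now that the store helper is `device_store_ulong()`.

```c
	/* … unchanged: store_int_with_restart() signature … */
	unsigned long old_check_interval;
	ssize_t ret;

	/* Serialize the store, clamp and restart against other sysfs writers. */
	mutex_lock(&mce_sysfs_mutex);
	old_check_interval = check_interval;
	ret = device_store_ulong(s, attr, buf, size);
	if (check_interval != old_check_interval) {
		if (check_interval < 1)
			check_interval = 1;
		mce_restart();
	}
	mutex_unlock(&mce_sysfs_mutex);

	return ret;
```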