--- /dev/null
+From 48d0e023af9799cd7220335baf8e3ba61eeafbeb Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Tue, 2 May 2017 10:16:05 -0400
+Subject: audit: fix the RCU locking for the auditd_connection structure
+
+From: Paul Moore <paul@paul-moore.com>
+
+commit 48d0e023af9799cd7220335baf8e3ba61eeafbeb upstream.
+
+Cong Wang correctly pointed out that the RCU read locking of the
+auditd_connection struct was wrong, this patch correct this by
+adopting a more traditional, and correct RCU locking model.
+
+This patch is heavily based on an earlier prototype by Cong Wang.
+
+Reported-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ kernel/audit.c | 167 +++++++++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 115 insertions(+), 52 deletions(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -110,18 +110,19 @@ struct audit_net {
+ * @pid: auditd PID
+ * @portid: netlink portid
+ * @net: the associated network namespace
+- * @lock: spinlock to protect write access
++ * @rcu: RCU head
+ *
+ * Description:
+ * This struct is RCU protected; you must either hold the RCU lock for reading
+- * or the included spinlock for writing.
++ * or the associated spinlock for writing.
+ */
+ static struct auditd_connection {
+ int pid;
+ u32 portid;
+ struct net *net;
+- spinlock_t lock;
+-} auditd_conn;
++ struct rcu_head rcu;
++} *auditd_conn = NULL;
++static DEFINE_SPINLOCK(auditd_conn_lock);
+
+ /* If audit_rate_limit is non-zero, limit the rate of sending audit records
+ * to that number per second. This prevents DoS attacks, but results in
+@@ -223,15 +224,39 @@ struct audit_reply {
+ int auditd_test_task(const struct task_struct *task)
+ {
+ int rc;
++ struct auditd_connection *ac;
+
+ rcu_read_lock();
+- rc = (auditd_conn.pid && task->tgid == auditd_conn.pid ? 1 : 0);
++ ac = rcu_dereference(auditd_conn);
++ rc = (ac && ac->pid == task->tgid ? 1 : 0);
+ rcu_read_unlock();
+
+ return rc;
+ }
+
+ /**
++ * auditd_pid_vnr - Return the auditd PID relative to the namespace
++ *
++ * Description:
++ * Returns the PID in relation to the namespace, 0 on failure.
++ */
++static pid_t auditd_pid_vnr(void)
++{
++ pid_t pid;
++ const struct auditd_connection *ac;
++
++ rcu_read_lock();
++ ac = rcu_dereference(auditd_conn);
++ if (!ac)
++ pid = 0;
++ else
++ pid = ac->pid;
++ rcu_read_unlock();
++
++ return pid;
++}
++
++/**
+ * audit_get_sk - Return the audit socket for the given network namespace
+ * @net: the destination network namespace
+ *
+@@ -427,6 +452,23 @@ static int audit_set_failure(u32 state)
+ }
+
+ /**
++ * auditd_conn_free - RCU helper to release an auditd connection struct
++ * @rcu: RCU head
++ *
++ * Description:
++ * Drop any references inside the auditd connection tracking struct and free
++ * the memory.
++ */
++static void auditd_conn_free(struct rcu_head *rcu)
++{
++ struct auditd_connection *ac;
++
++ ac = container_of(rcu, struct auditd_connection, rcu);
++ put_net(ac->net);
++ kfree(ac);
++}
++
++/**
+ * auditd_set - Set/Reset the auditd connection state
+ * @pid: auditd PID
+ * @portid: auditd netlink portid
+@@ -434,22 +476,33 @@ static int audit_set_failure(u32 state)
+ *
+ * Description:
+ * This function will obtain and drop network namespace references as
+- * necessary.
++ * necessary. Returns zero on success, negative values on failure.
+ */
+-static void auditd_set(int pid, u32 portid, struct net *net)
++static int auditd_set(int pid, u32 portid, struct net *net)
+ {
+ unsigned long flags;
++ struct auditd_connection *ac_old, *ac_new;
+
+- spin_lock_irqsave(&auditd_conn.lock, flags);
+- auditd_conn.pid = pid;
+- auditd_conn.portid = portid;
+- if (auditd_conn.net)
+- put_net(auditd_conn.net);
+- if (net)
+- auditd_conn.net = get_net(net);
+- else
+- auditd_conn.net = NULL;
+- spin_unlock_irqrestore(&auditd_conn.lock, flags);
++ if (!pid || !net)
++ return -EINVAL;
++
++ ac_new = kzalloc(sizeof(*ac_new), GFP_KERNEL);
++ if (!ac_new)
++ return -ENOMEM;
++ ac_new->pid = pid;
++ ac_new->portid = portid;
++ ac_new->net = get_net(net);
++
++ spin_lock_irqsave(&auditd_conn_lock, flags);
++ ac_old = rcu_dereference_protected(auditd_conn,
++ lockdep_is_held(&auditd_conn_lock));
++ rcu_assign_pointer(auditd_conn, ac_new);
++ spin_unlock_irqrestore(&auditd_conn_lock, flags);
++
++ if (ac_old)
++ call_rcu(&ac_old->rcu, auditd_conn_free);
++
++ return 0;
+ }
+
+ /**
+@@ -544,13 +597,19 @@ static void kauditd_retry_skb(struct sk_
+ */
+ static void auditd_reset(void)
+ {
++ unsigned long flags;
+ struct sk_buff *skb;
++ struct auditd_connection *ac_old;
+
+ /* if it isn't already broken, break the connection */
+- rcu_read_lock();
+- if (auditd_conn.pid)
+- auditd_set(0, 0, NULL);
+- rcu_read_unlock();
++ spin_lock_irqsave(&auditd_conn_lock, flags);
++ ac_old = rcu_dereference_protected(auditd_conn,
++ lockdep_is_held(&auditd_conn_lock));
++ rcu_assign_pointer(auditd_conn, NULL);
++ spin_unlock_irqrestore(&auditd_conn_lock, flags);
++
++ if (ac_old)
++ call_rcu(&ac_old->rcu, auditd_conn_free);
+
+ /* flush all of the main and retry queues to the hold queue */
+ while ((skb = skb_dequeue(&audit_retry_queue)))
+@@ -576,6 +635,7 @@ static int auditd_send_unicast_skb(struc
+ u32 portid;
+ struct net *net;
+ struct sock *sk;
++ struct auditd_connection *ac;
+
+ /* NOTE: we can't call netlink_unicast while in the RCU section so
+ * take a reference to the network namespace and grab local
+@@ -585,15 +645,15 @@ static int auditd_send_unicast_skb(struc
+ * section netlink_unicast() should safely return an error */
+
+ rcu_read_lock();
+- if (!auditd_conn.pid) {
++ ac = rcu_dereference(auditd_conn);
++ if (!ac) {
+ rcu_read_unlock();
+ rc = -ECONNREFUSED;
+ goto err;
+ }
+- net = auditd_conn.net;
+- get_net(net);
++ net = get_net(ac->net);
+ sk = audit_get_sk(net);
+- portid = auditd_conn.portid;
++ portid = ac->portid;
+ rcu_read_unlock();
+
+ rc = netlink_unicast(sk, skb, portid, 0);
+@@ -728,6 +788,7 @@ static int kauditd_thread(void *dummy)
+ u32 portid = 0;
+ struct net *net = NULL;
+ struct sock *sk = NULL;
++ struct auditd_connection *ac;
+
+ #define UNICAST_RETRIES 5
+
+@@ -735,14 +796,14 @@ static int kauditd_thread(void *dummy)
+ while (!kthread_should_stop()) {
+ /* NOTE: see the lock comments in auditd_send_unicast_skb() */
+ rcu_read_lock();
+- if (!auditd_conn.pid) {
++ ac = rcu_dereference(auditd_conn);
++ if (!ac) {
+ rcu_read_unlock();
+ goto main_queue;
+ }
+- net = auditd_conn.net;
+- get_net(net);
++ net = get_net(ac->net);
+ sk = audit_get_sk(net);
+- portid = auditd_conn.portid;
++ portid = ac->portid;
+ rcu_read_unlock();
+
+ /* attempt to flush the hold queue */
+@@ -1102,9 +1163,7 @@ static int audit_receive_msg(struct sk_b
+ memset(&s, 0, sizeof(s));
+ s.enabled = audit_enabled;
+ s.failure = audit_failure;
+- rcu_read_lock();
+- s.pid = auditd_conn.pid;
+- rcu_read_unlock();
++ s.pid = auditd_pid_vnr();
+ s.rate_limit = audit_rate_limit;
+ s.backlog_limit = audit_backlog_limit;
+ s.lost = atomic_read(&audit_lost);
+@@ -1143,38 +1202,44 @@ static int audit_receive_msg(struct sk_b
+ /* test the auditd connection */
+ audit_replace(requesting_pid);
+
+- rcu_read_lock();
+- auditd_pid = auditd_conn.pid;
++ auditd_pid = auditd_pid_vnr();
+ /* only the current auditd can unregister itself */
+ if ((!new_pid) && (requesting_pid != auditd_pid)) {
+- rcu_read_unlock();
+ audit_log_config_change("audit_pid", new_pid,
+ auditd_pid, 0);
+ return -EACCES;
+ }
+ /* replacing a healthy auditd is not allowed */
+ if (auditd_pid && new_pid) {
+- rcu_read_unlock();
+ audit_log_config_change("audit_pid", new_pid,
+ auditd_pid, 0);
+ return -EEXIST;
+ }
+- rcu_read_unlock();
+-
+- if (audit_enabled != AUDIT_OFF)
+- audit_log_config_change("audit_pid", new_pid,
+- auditd_pid, 1);
+
+ if (new_pid) {
+ /* register a new auditd connection */
+- auditd_set(new_pid,
+- NETLINK_CB(skb).portid,
+- sock_net(NETLINK_CB(skb).sk));
++ err = auditd_set(new_pid,
++ NETLINK_CB(skb).portid,
++ sock_net(NETLINK_CB(skb).sk));
++ if (audit_enabled != AUDIT_OFF)
++ audit_log_config_change("audit_pid",
++ new_pid,
++ auditd_pid,
++ err ? 0 : 1);
++ if (err)
++ return err;
++
+ /* try to process any backlog */
+ wake_up_interruptible(&kauditd_wait);
+- } else
++ } else {
++ if (audit_enabled != AUDIT_OFF)
++ audit_log_config_change("audit_pid",
++ new_pid,
++ auditd_pid, 1);
++
+ /* unregister the auditd connection */
+ auditd_reset();
++ }
+ }
+ if (s.mask & AUDIT_STATUS_RATE_LIMIT) {
+ err = audit_set_rate_limit(s.rate_limit);
+@@ -1447,10 +1512,11 @@ static void __net_exit audit_net_exit(st
+ {
+ struct audit_net *aunet = net_generic(net, audit_net_id);
+
+- rcu_read_lock();
+- if (net == auditd_conn.net)
+- auditd_reset();
+- rcu_read_unlock();
++ /* NOTE: you would think that we would want to check the auditd
++ * connection and potentially reset it here if it lives in this
++ * namespace, but since the auditd connection tracking struct holds a
++ * reference to this namespace (see auditd_set()) we are only ever
++ * going to get here after that connection has been released */
+
+ netlink_kernel_release(aunet->sk);
+ }
+@@ -1470,9 +1536,6 @@ static int __init audit_init(void)
+ if (audit_initialized == AUDIT_DISABLED)
+ return 0;
+
+- memset(&auditd_conn, 0, sizeof(auditd_conn));
+- spin_lock_init(&auditd_conn.lock);
+-
+ skb_queue_head_init(&audit_queue);
+ skb_queue_head_init(&audit_retry_queue);
+ skb_queue_head_init(&audit_hold_queue);
+++ /dev/null
-From d86b18a06cf361e12ccdf61ae240d432182d8d6b Mon Sep 17 00:00:00 2001
-From: Jon Bloomfield <jon.bloomfield@intel.com>
-Date: Wed, 24 May 2017 08:54:11 -0700
-Subject: drm/i915: Serialize GTT/Aperture accesses on BXT
-
-From: Jon Bloomfield <jon.bloomfield@intel.com>
-
-commit d86b18a06cf361e12ccdf61ae240d432182d8d6b upstream.
-
-BXT has a H/W issue with IOMMU which can lead to system hangs when
-Aperture accesses are queued within the GAM behind GTT Accesses.
-
-This patch avoids the condition by wrapping all GTT updates in stop_machine
-and using a flushing read prior to restarting the machine.
-
-The stop_machine guarantees no new Aperture accesses can begin while
-the PTE writes are being emmitted. The flushing read ensures that
-any following Aperture accesses cannot begin until the PTE writes
-have been cleared out of the GAM's fifo.
-
-Only FOLLOWING Aperture accesses need to be separated from in flight
-PTE updates. PTE Writes may follow tightly behind already in flight
-Aperture accesses, so no flushing read is required at the start of
-a PTE update sequence.
-
-This issue was reproduced by running
- igt/gem_readwrite and
- igt/gem_render_copy
-simultaneously from different processes, each in a tight loop,
-with INTEL_IOMMU enabled.
-
-This patch was originally published as:
- drm/i915: Serialize GTT Updates on BXT
-
-[Note: This will cause a performance penalty for some use cases, but
-avoiding hangs trumps performance hits. This may need to be worked
-around in Mesa to recover the lost performance.]
-
-v2: Move bxt/iommu detection into static function
- Remove #ifdef CONFIG_INTEL_IOMMU protection
- Make function names more reflective of purpose
- Move flushing read into static function
-
-v3: Tidy up for checkpatch.pl
-
-Testcase: igt/gem_concurrent_blit
-Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
-Cc: John Harrison <john.C.Harrison@intel.com>
-Cc: Chris Wilson <chris@chris-wilson.co.uk>
-Cc: Daniel Vetter <daniel.vetter@intel.com>
-Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
-Link: http://patchwork.freedesktop.org/patch/msgid/1495641251-30022-1-git-send-email-jon.bloomfield@intel.com
-Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
-Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
-(cherry picked from commit 0ef34ad6222abfa513117515fec720c33a58f105)
-Signed-off-by: Jani Nikula <jani.nikula@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/gpu/drm/i915/i915_drv.h | 10 +++
- drivers/gpu/drm/i915/i915_gem_gtt.c | 103 ++++++++++++++++++++++++++++++++++++
- 2 files changed, 113 insertions(+)
-
---- a/drivers/gpu/drm/i915/i915_drv.h
-+++ b/drivers/gpu/drm/i915/i915_drv.h
-@@ -2916,6 +2916,16 @@ static inline bool intel_scanout_needs_v
- return false;
- }
-
-+static inline bool
-+intel_ggtt_update_needs_vtd_wa(struct drm_i915_private *dev_priv)
-+{
-+#ifdef CONFIG_INTEL_IOMMU
-+ if (IS_BROXTON(dev_priv) && intel_iommu_gfx_mapped)
-+ return true;
-+#endif
-+ return false;
-+}
-+
- int intel_sanitize_enable_ppgtt(struct drm_i915_private *dev_priv,
- int enable_ppgtt);
-
---- a/drivers/gpu/drm/i915/i915_gem_gtt.c
-+++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
-@@ -2554,6 +2554,101 @@ static void gen8_ggtt_clear_range(struct
- readl(gtt_base);
- }
-
-+static void bxt_vtd_ggtt_wa(struct i915_address_space *vm)
-+{
-+ struct drm_i915_private *dev_priv = vm->i915;
-+
-+ /*
-+ * Make sure the internal GAM fifo has been cleared of all GTT
-+ * writes before exiting stop_machine(). This guarantees that
-+ * any aperture accesses waiting to start in another process
-+ * cannot back up behind the GTT writes causing a hang.
-+ * The register can be any arbitrary GAM register.
-+ */
-+ POSTING_READ(GFX_FLSH_CNTL_GEN6);
-+}
-+
-+struct insert_page {
-+ struct i915_address_space *vm;
-+ dma_addr_t addr;
-+ u64 offset;
-+ enum i915_cache_level level;
-+};
-+
-+static int bxt_vtd_ggtt_insert_page__cb(void *_arg)
-+{
-+ struct insert_page *arg = _arg;
-+
-+ gen8_ggtt_insert_page(arg->vm, arg->addr, arg->offset, arg->level, 0);
-+ bxt_vtd_ggtt_wa(arg->vm);
-+
-+ return 0;
-+}
-+
-+static void bxt_vtd_ggtt_insert_page__BKL(struct i915_address_space *vm,
-+ dma_addr_t addr,
-+ u64 offset,
-+ enum i915_cache_level level,
-+ u32 unused)
-+{
-+ struct insert_page arg = { vm, addr, offset, level };
-+
-+ stop_machine(bxt_vtd_ggtt_insert_page__cb, &arg, NULL);
-+}
-+
-+struct insert_entries {
-+ struct i915_address_space *vm;
-+ struct sg_table *st;
-+ u64 start;
-+ enum i915_cache_level level;
-+};
-+
-+static int bxt_vtd_ggtt_insert_entries__cb(void *_arg)
-+{
-+ struct insert_entries *arg = _arg;
-+
-+ gen8_ggtt_insert_entries(arg->vm, arg->st, arg->start, arg->level, 0);
-+ bxt_vtd_ggtt_wa(arg->vm);
-+
-+ return 0;
-+}
-+
-+static void bxt_vtd_ggtt_insert_entries__BKL(struct i915_address_space *vm,
-+ struct sg_table *st,
-+ u64 start,
-+ enum i915_cache_level level,
-+ u32 unused)
-+{
-+ struct insert_entries arg = { vm, st, start, level };
-+
-+ stop_machine(bxt_vtd_ggtt_insert_entries__cb, &arg, NULL);
-+}
-+
-+struct clear_range {
-+ struct i915_address_space *vm;
-+ u64 start;
-+ u64 length;
-+};
-+
-+static int bxt_vtd_ggtt_clear_range__cb(void *_arg)
-+{
-+ struct clear_range *arg = _arg;
-+
-+ gen8_ggtt_clear_range(arg->vm, arg->start, arg->length);
-+ bxt_vtd_ggtt_wa(arg->vm);
-+
-+ return 0;
-+}
-+
-+static void bxt_vtd_ggtt_clear_range__BKL(struct i915_address_space *vm,
-+ u64 start,
-+ u64 length)
-+{
-+ struct clear_range arg = { vm, start, length };
-+
-+ stop_machine(bxt_vtd_ggtt_clear_range__cb, &arg, NULL);
-+}
-+
- static void gen6_ggtt_clear_range(struct i915_address_space *vm,
- uint64_t start,
- uint64_t length)
-@@ -3120,6 +3215,14 @@ static int gen6_gmch_probe(struct i915_g
- ggtt->base.unbind_vma = ggtt_unbind_vma;
- ggtt->base.cleanup = gen6_gmch_remove;
-
-+ /* Serialize GTT updates with aperture access on BXT if VT-d is on. */
-+ if (intel_ggtt_update_needs_vtd_wa(dev_priv)) {
-+ ggtt->base.insert_entries = bxt_vtd_ggtt_insert_entries__BKL;
-+ ggtt->base.insert_page = bxt_vtd_ggtt_insert_page__BKL;
-+ if (ggtt->base.clear_range != nop_clear_range)
-+ ggtt->base.clear_range = bxt_vtd_ggtt_clear_range__BKL;
-+ }
-+
- ggtt->invalidate = gen6_ggtt_invalidate;
-
- if (HAS_EDRAM(dev_priv))
--- /dev/null
+From 665788572c6410b7efadc2e3009c5d830b6d8ef9 Mon Sep 17 00:00:00 2001
+From: Jani Nikula <jani.nikula@intel.com>
+Date: Fri, 10 Mar 2017 15:27:57 +0200
+Subject: drm/i915/vbt: don't propagate errors from intel_bios_init()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jani Nikula <jani.nikula@intel.com>
+
+commit 665788572c6410b7efadc2e3009c5d830b6d8ef9 upstream.
+
+We don't use the error return for anything other than reporting and
+logging that there is no VBT. We can pull the logging in the function,
+and remove the error status return. Moreover, if we needed the
+information for something later on, we'd probably be better off storing
+the bit in dev_priv, and using it where it's needed, instead of using
+the error return.
+
+While at it, improve the comments.
+
+Cc: Manasi Navare <manasi.d.navare@intel.com>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/438ebbb0d5f0d321c625065b9cc78532a1dab24f.1489152288.git.jani.nikula@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_drv.c | 4 +---
+ drivers/gpu/drm/i915/i915_drv.h | 2 +-
+ drivers/gpu/drm/i915/intel_bios.c | 31 ++++++++++++++++---------------
+ 3 files changed, 18 insertions(+), 19 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_drv.c
++++ b/drivers/gpu/drm/i915/i915_drv.c
+@@ -565,9 +565,7 @@ static int i915_load_modeset_init(struct
+ if (i915_inject_load_failure())
+ return -ENODEV;
+
+- ret = intel_bios_init(dev_priv);
+- if (ret)
+- DRM_INFO("failed to find VBIOS tables\n");
++ intel_bios_init(dev_priv);
+
+ /* If we have > 1 VGA cards, then we need to arbitrate access
+ * to the common VGA resources.
+--- a/drivers/gpu/drm/i915/i915_drv.h
++++ b/drivers/gpu/drm/i915/i915_drv.h
+@@ -3629,7 +3629,7 @@ static inline bool intel_gmbus_is_forced
+ extern void intel_i2c_reset(struct drm_i915_private *dev_priv);
+
+ /* intel_bios.c */
+-int intel_bios_init(struct drm_i915_private *dev_priv);
++void intel_bios_init(struct drm_i915_private *dev_priv);
+ bool intel_bios_is_valid_vbt(const void *buf, size_t size);
+ bool intel_bios_is_tv_present(struct drm_i915_private *dev_priv);
+ bool intel_bios_is_lvds_present(struct drm_i915_private *dev_priv, u8 *i2c_pin);
+--- a/drivers/gpu/drm/i915/intel_bios.c
++++ b/drivers/gpu/drm/i915/intel_bios.c
+@@ -1462,36 +1462,35 @@ static const struct vbt_header *find_vbt
+ * intel_bios_init - find VBT and initialize settings from the BIOS
+ * @dev_priv: i915 device instance
+ *
+- * Loads the Video BIOS and checks that the VBT exists. Sets scratch registers
+- * to appropriate values.
+- *
+- * Returns 0 on success, nonzero on failure.
++ * Parse and initialize settings from the Video BIOS Tables (VBT). If the VBT
++ * was not found in ACPI OpRegion, try to find it in PCI ROM first. Also
++ * initialize some defaults if the VBT is not present at all.
+ */
+-int
+-intel_bios_init(struct drm_i915_private *dev_priv)
++void intel_bios_init(struct drm_i915_private *dev_priv)
+ {
+ struct pci_dev *pdev = dev_priv->drm.pdev;
+ const struct vbt_header *vbt = dev_priv->opregion.vbt;
+ const struct bdb_header *bdb;
+ u8 __iomem *bios = NULL;
+
+- if (HAS_PCH_NOP(dev_priv))
+- return -ENODEV;
++ if (HAS_PCH_NOP(dev_priv)) {
++ DRM_DEBUG_KMS("Skipping VBT init due to disabled display.\n");
++ return;
++ }
+
+ init_vbt_defaults(dev_priv);
+
++ /* If the OpRegion does not have VBT, look in PCI ROM. */
+ if (!vbt) {
+ size_t size;
+
+ bios = pci_map_rom(pdev, &size);
+ if (!bios)
+- return -1;
++ goto out;
+
+ vbt = find_vbt(bios, size);
+- if (!vbt) {
+- pci_unmap_rom(pdev, bios);
+- return -1;
+- }
++ if (!vbt)
++ goto out;
+
+ DRM_DEBUG_KMS("Found valid VBT in PCI ROM\n");
+ }
+@@ -1516,10 +1515,12 @@ intel_bios_init(struct drm_i915_private
+ parse_mipi_sequence(dev_priv, bdb);
+ parse_ddi_ports(dev_priv, bdb);
+
++out:
++ if (!vbt)
++ DRM_INFO("Failed to find VBIOS tables (VBT)\n");
++
+ if (bios)
+ pci_unmap_rom(pdev, bios);
+-
+- return 0;
+ }
+
+ /**
--- /dev/null
+From bb1d132935c2f87cd261eb559759fe49d5e5dc43 Mon Sep 17 00:00:00 2001
+From: Jani Nikula <jani.nikula@intel.com>
+Date: Fri, 10 Mar 2017 15:27:58 +0200
+Subject: drm/i915/vbt: split out defaults that are set when there is no VBT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jani Nikula <jani.nikula@intel.com>
+
+commit bb1d132935c2f87cd261eb559759fe49d5e5dc43 upstream.
+
+The main thing are the DDI ports. If there's a VBT that says there are
+no outputs, we should trust that, and not have semi-random
+defaults. Unfortunately, the defaults have resulted in some Chromebooks
+without VBT to rely on this behaviour, so we split out the defaults for
+the missing VBT case.
+
+Reviewed-by: Manasi Navare <manasi.d.navare@intel.com>
+Cc: Manasi Navare <manasi.d.navare@intel.com>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/95c26079ff640d43f53b944f17e9fc356b36daec.1489152288.git.jani.nikula@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_bios.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_bios.c
++++ b/drivers/gpu/drm/i915/intel_bios.c
+@@ -1341,6 +1341,7 @@ parse_device_mapping(struct drm_i915_pri
+ return;
+ }
+
++/* Common defaults which may be overridden by VBT. */
+ static void
+ init_vbt_defaults(struct drm_i915_private *dev_priv)
+ {
+@@ -1377,6 +1378,18 @@ init_vbt_defaults(struct drm_i915_privat
+ &dev_priv->vbt.ddi_port_info[port];
+
+ info->hdmi_level_shift = HDMI_LEVEL_SHIFT_UNKNOWN;
++ }
++}
++
++/* Defaults to initialize only if there is no VBT. */
++static void
++init_vbt_missing_defaults(struct drm_i915_private *dev_priv)
++{
++ enum port port;
++
++ for (port = PORT_A; port < I915_MAX_PORTS; port++) {
++ struct ddi_vbt_port_info *info =
++ &dev_priv->vbt.ddi_port_info[port];
+
+ info->supports_dvi = (port != PORT_A && port != PORT_E);
+ info->supports_hdmi = info->supports_dvi;
+@@ -1516,8 +1529,10 @@ void intel_bios_init(struct drm_i915_pri
+ parse_ddi_ports(dev_priv, bdb);
+
+ out:
+- if (!vbt)
++ if (!vbt) {
+ DRM_INFO("Failed to find VBIOS tables (VBT)\n");
++ init_vbt_missing_defaults(dev_priv);
++ }
+
+ if (bios)
+ pci_unmap_rom(pdev, bios);
--- /dev/null
+From 90b4f30b6d15222a509dacf47f29efef2b22571e Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 10 May 2017 16:30:12 +0200
+Subject: hwmon: (coretemp) Handle frozen hotplug state correctly
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 90b4f30b6d15222a509dacf47f29efef2b22571e upstream.
+
+The recent conversion to the hotplug state machine missed that the original
+hotplug notifiers did not execute in the frozen state, which is used on
+suspend on resume.
+
+This does not matter on single socket machines, but on multi socket systems
+this breaks when the device for a non-boot socket is removed when the last
+CPU of that socket is brought offline. The device removal locks up the
+machine hard w/o any debug output.
+
+Prevent executing the hotplug callbacks when cpuhp_tasks_frozen is true.
+
+Thanks to Tommi for providing debug information patiently while I failed to
+spot the obvious.
+
+Fixes: e00ca5df37ad ("hwmon: (coretemp) Convert to hotplug state machine")
+Reported-by: Tommi Rantala <tt.rantala@gmail.com>
+Tested-by: Tommi Rantala <tt.rantala@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Cc: "Chen, Yu C" <yu.c.chen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/coretemp.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/hwmon/coretemp.c
++++ b/drivers/hwmon/coretemp.c
+@@ -605,6 +605,13 @@ static int coretemp_cpu_online(unsigned
+ struct platform_data *pdata;
+
+ /*
++ * Don't execute this on resume as the offline callback did
++ * not get executed on suspend.
++ */
++ if (cpuhp_tasks_frozen)
++ return 0;
++
++ /*
+ * CPUID.06H.EAX[0] indicates whether the CPU has thermal
+ * sensors. We check this bit only, all the early CPUs
+ * without thermal sensors will be filtered out.
+@@ -654,6 +661,13 @@ static int coretemp_cpu_offline(unsigned
+ struct temp_data *tdata;
+ int indx, target;
+
++ /*
++ * Don't execute this on suspend as the device remove locks
++ * up the machine.
++ */
++ if (cpuhp_tasks_frozen)
++ return 0;
++
+ /* If the physical CPU device does not exist, just return */
+ if (!pdev)
+ return 0;
--- /dev/null
+From a008c31c7ef9a4106dbadf21b3bcb7e89826a5d7 Mon Sep 17 00:00:00 2001
+From: Chandan Rajendra <chandan@linux.vnet.ibm.com>
+Date: Wed, 12 Apr 2017 11:03:20 -0700
+Subject: iomap_dio_rw: Prevent reading file data beyond iomap_dio->i_size
+
+From: Chandan Rajendra <chandan@linux.vnet.ibm.com>
+
+commit a008c31c7ef9a4106dbadf21b3bcb7e89826a5d7 upstream.
+
+On a ppc64 machine executing overlayfs/019 with xfs as the lower and
+upper filesystem causes the following call trace,
+
+WARNING: CPU: 2 PID: 8034 at /root/repos/linux/fs/iomap.c:765 .iomap_dio_actor+0xcc/0x420
+Modules linked in:
+CPU: 2 PID: 8034 Comm: fsstress Tainted: G L 4.11.0-rc5-next-20170405 #100
+task: c000000631314880 task.stack: c0000003915d4000
+NIP: c00000000035a72c LR: c00000000035a6f4 CTR: c00000000035a660
+REGS: c0000003915d7570 TRAP: 0700 Tainted: G L (4.11.0-rc5-next-20170405)
+MSR: 800000000282b032 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI>
+ CR: 24004284 XER: 00000000
+CFAR: c0000000006f7190 SOFTE: 1
+GPR00: c00000000035a6f4 c0000003915d77f0 c0000000015a3f00 000000007c22f600
+GPR04: 000000000022d000 0000000000002600 c0000003b2d56360 c0000003915d7960
+GPR08: c0000003915d7cd0 0000000000000002 0000000000002600 c000000000521cc0
+GPR12: 0000000024004284 c00000000fd80a00 000000004b04ae64 ffffffffffffffff
+GPR16: 000000001000ca70 0000000000000000 c0000003b2d56380 c00000000153d2b8
+GPR20: 0000000000000010 c0000003bc87bac8 0000000000223000 000000000022f5ff
+GPR24: c0000003b2d56360 000000000000000c 0000000000002600 000000000022d000
+GPR28: 0000000000000000 c0000003915d7960 c0000003b2d56360 00000000000001ff
+NIP [c00000000035a72c] .iomap_dio_actor+0xcc/0x420
+LR [c00000000035a6f4] .iomap_dio_actor+0x94/0x420
+Call Trace:
+[c0000003915d77f0] [c00000000035a6f4] .iomap_dio_actor+0x94/0x420 (unreliable)
+[c0000003915d78f0] [c00000000035b9f4] .iomap_apply+0xf4/0x1f0
+[c0000003915d79d0] [c00000000035c320] .iomap_dio_rw+0x230/0x420
+[c0000003915d7ae0] [c000000000512a14] .xfs_file_dio_aio_read+0x84/0x160
+[c0000003915d7b80] [c000000000512d24] .xfs_file_read_iter+0x104/0x130
+[c0000003915d7c10] [c0000000002d6234] .__vfs_read+0x114/0x1a0
+[c0000003915d7cf0] [c0000000002d7a8c] .vfs_read+0xac/0x1a0
+[c0000003915d7d90] [c0000000002d96b8] .SyS_read+0x58/0x100
+[c0000003915d7e30] [c00000000000b8e0] system_call+0x38/0xfc
+Instruction dump:
+78630020 7f831b78 7ffc07b4 7c7ce039 40820360 a13d0018 2f890003 419e0288
+2f890004 419e00a0 2f890001 419e02a8 <0fe00000> 3b80fffb 38210100 7f83e378
+
+The above problem can also be recreated on a regular xfs filesystem
+using the command,
+
+$ fsstress -d /mnt -l 1000 -n 1000 -p 1000
+
+The reason for the call trace is,
+1. When 'reserving' blocks for delayed allocation , XFS reserves more
+ blocks (i.e. past file's current EOF) than required. This is done
+ because XFS assumes that userspace might write more data and hence
+ 'reserving' more blocks might lead to the file's new data being
+ stored contiguously on disk.
+2. The in-memory 'struct xfs_bmbt_irec' mapping the file's last extent would
+ then cover the prealloc-ed EOF blocks in addition to the regular blocks.
+3. When flushing the dirty blocks to disk, we only flush data till the
+ file's EOF. But before writing out the dirty data, we allocate blocks
+ on the disk for holding the file's new data. This allocation includes
+ the blocks that are part of the 'prealloc EOF blocks'.
+4. Later, when the last reference to the inode is being closed, XFS frees the
+ unused 'prealloc EOF blocks' in xfs_inactive().
+
+In step 3 above, When allocating space on disk for the delayed allocation
+range, the space allocator might sometimes allocate less blocks than
+required. If such an allocation ends right at the current EOF of the
+file, We will not be able to clear the "delayed allocation" flag for the
+'prealloc EOF blocks', since we won't have dirty buffer heads associated
+with that range of the file.
+
+In such a situation if a Direct I/O read operation is performed on file
+range [X, Y] (where X < EOF and Y > EOF), we flush dirty data in the
+range [X, Y] and invalidate page cache for that range (Refer to
+iomap_dio_rw()). Later for performing the Direct I/O read, XFS obtains
+the extent items (which are still cached in memory) for the file
+range. When doing so we are not supposed to get an extent item with
+IOMAP_DELALLOC flag set, since the previous "flush" operation should
+have converted any delayed allocation data in the range [X, Y]. Hence we
+end up hitting a WARN_ON_ONCE(1) statement in iomap_dio_actor().
+
+This commit fixes the bug by preventing the read operation from going
+beyond iomap_dio->i_size.
+
+Reported-by: Santhosh G <santhog4@linux.vnet.ibm.com>
+Signed-off-by: Chandan Rajendra <chandan@linux.vnet.ibm.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/iomap.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/iomap.c
++++ b/fs/iomap.c
+@@ -909,6 +909,9 @@ iomap_dio_rw(struct kiocb *iocb, struct
+ break;
+ }
+ pos += ret;
++
++ if (iov_iter_rw(iter) == READ && pos >= dio->i_size)
++ break;
+ } while ((count = iov_iter_count(iter)) > 0);
+ blk_finish_plug(&plug);
+
asoc-fix-use-after-free-at-card-unregistration.patch
cpu-hotplug-drop-the-device-lock-on-error.patch
drivers-char-mem-fix-wraparound-check-to-allow-mappings-up-to-the-end.patch
-drm-i915-serialize-gtt-aperture-accesses-on-bxt.patch
drm-i915-fix-runtime-pm-for-lpe-audio.patch
drm-i915-skl-add-missing-skl-id.patch
serial-sh-sci-fix-panic-when-serial-console-and-dma-are-enabled.patch
pinctrl-cherryview-add-terminate-entry-for-dmi_system_id-tables.patch
cgroup-mark-cgroup_get-with-__maybe_unused.patch
+iomap_dio_rw-prevent-reading-file-data-beyond-iomap_dio-i_size.patch
+tracing-use-strlcpy-instead-of-strcpy-in-__trace_find_cmdline.patch
+hwmon-coretemp-handle-frozen-hotplug-state-correctly.patch
+audit-fix-the-rcu-locking-for-the-auditd_connection-structure.patch
+drm-i915-vbt-don-t-propagate-errors-from-intel_bios_init.patch
+drm-i915-vbt-split-out-defaults-that-are-set-when-there-is-no-vbt.patch
--- /dev/null
+From e09e28671cda63e6308b31798b997639120e2a21 Mon Sep 17 00:00:00 2001
+From: Amey Telawane <ameyt@codeaurora.org>
+Date: Wed, 3 May 2017 15:41:14 +0530
+Subject: tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
+
+From: Amey Telawane <ameyt@codeaurora.org>
+
+commit e09e28671cda63e6308b31798b997639120e2a21 upstream.
+
+Strcpy is inherently not safe, and strlcpy() should be used instead.
+__trace_find_cmdline() uses strcpy() because the comms saved must have a
+terminating nul character, but it doesn't hurt to add the extra protection
+of using strlcpy() instead of strcpy().
+
+Link: http://lkml.kernel.org/r/1493806274-13936-1-git-send-email-amit.pundir@linaro.org
+
+Signed-off-by: Amey Telawane <ameyt@codeaurora.org>
+[AmitP: Cherry-picked this commit from CodeAurora kernel/msm-3.10
+https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477]
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+[ Updated change log and removed the "- 1" from len parameter ]
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -1899,7 +1899,7 @@ static void __trace_find_cmdline(int pid
+
+ map = savedcmd->map_pid_to_cmdline[pid];
+ if (map != NO_CMDLINE_MAP)
+- strcpy(comm, get_saved_cmdlines(map));
++ strlcpy(comm, get_saved_cmdlines(map), TASK_COMM_LEN);
+ else
+ strcpy(comm, "<...>");
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
