--- /dev/null
+From ba3021b2c79b2fa9114f92790a99deb27a65b728 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 2 Jun 2017 17:26:56 +0200
+Subject: ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit ba3021b2c79b2fa9114f92790a99deb27a65b728 upstream.
+
+snd_timer_user_tselect() reallocates the queue buffer dynamically, but
+it forgot to reset its indices. Since the read may happen
+concurrently with ioctl and snd_timer_user_tselect() allocates the
+buffer via kmalloc(), this may lead to the leak of uninitialized
+kernel-space data, as spotted via KMSAN:
+
+ BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10
+ CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ #2739
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ Call Trace:
+ __dump_stack lib/dump_stack.c:16
+ dump_stack+0x143/0x1b0 lib/dump_stack.c:52
+ kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007
+ kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086
+ copy_to_user ./arch/x86/include/asm/uaccess.h:725
+ snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004
+ do_loop_readv_writev fs/read_write.c:716
+ __do_readv_writev+0x94c/0x1380 fs/read_write.c:864
+ do_readv_writev fs/read_write.c:894
+ vfs_readv fs/read_write.c:908
+ do_readv+0x52a/0x5d0 fs/read_write.c:934
+ SYSC_readv+0xb6/0xd0 fs/read_write.c:1021
+ SyS_readv+0x87/0xb0 fs/read_write.c:1018
+
+This patch adds the missing reset of queue indices. Together with the
+previous fix for the ioctl/read race, we cover the whole problem.
+
+Reported-by: Alexander Potapenko <glider@google.com>
+Tested-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1623,6 +1623,7 @@ static int snd_timer_user_tselect(struct
+ if (err < 0)
+ goto __err;
+
++ tu->qhead = tu->qtail = tu->qused = 0;
+ kfree(tu->queue);
+ tu->queue = NULL;
+ kfree(tu->tqueue);
--- /dev/null
+From d11662f4f798b50d8c8743f433842c3e40fe3378 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 2 Jun 2017 15:03:38 +0200
+Subject: ALSA: timer: Fix race between read and ioctl
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit d11662f4f798b50d8c8743f433842c3e40fe3378 upstream.
+
+The read from ALSA timer device, the function snd_timer_user_tread(),
+may access to an uninitialized struct snd_timer_user fields when the
+read is concurrently performed while the ioctl like
+snd_timer_user_tselect() is invoked. We have already fixed the races
+among ioctls via a mutex, but we seem to have forgotten the race
+between read vs ioctl.
+
+This patch simply applies (more exactly extends the already applied
+range of) tu->ioctl_lock in snd_timer_user_tread() for closing the
+race window.
+
+Reported-by: Alexander Potapenko <glider@google.com>
+Tested-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1964,6 +1964,7 @@ static ssize_t snd_timer_user_read(struc
+
+ tu = file->private_data;
+ unit = tu->tread ? sizeof(struct snd_timer_tread) : sizeof(struct snd_timer_read);
++ mutex_lock(&tu->ioctl_lock);
+ spin_lock_irq(&tu->qlock);
+ while ((long)count - result >= unit) {
+ while (!tu->qused) {
+@@ -1979,7 +1980,9 @@ static ssize_t snd_timer_user_read(struc
+ add_wait_queue(&tu->qchange_sleep, &wait);
+
+ spin_unlock_irq(&tu->qlock);
++ mutex_unlock(&tu->ioctl_lock);
+ schedule();
++ mutex_lock(&tu->ioctl_lock);
+ spin_lock_irq(&tu->qlock);
+
+ remove_wait_queue(&tu->qchange_sleep, &wait);
+@@ -1999,7 +2002,6 @@ static ssize_t snd_timer_user_read(struc
+ tu->qused--;
+ spin_unlock_irq(&tu->qlock);
+
+- mutex_lock(&tu->ioctl_lock);
+ if (tu->tread) {
+ if (copy_to_user(buffer, &tu->tqueue[qhead],
+ sizeof(struct snd_timer_tread)))
+@@ -2009,7 +2011,6 @@ static ssize_t snd_timer_user_read(struc
+ sizeof(struct snd_timer_read)))
+ err = -EFAULT;
+ }
+- mutex_unlock(&tu->ioctl_lock);
+
+ spin_lock_irq(&tu->qlock);
+ if (err < 0)
+@@ -2019,6 +2020,7 @@ static ssize_t snd_timer_user_read(struc
+ }
+ _error:
+ spin_unlock_irq(&tu->qlock);
++ mutex_unlock(&tu->ioctl_lock);
+ return result > 0 ? result : err;
+ }
+
--- /dev/null
+From 4efda5f2130da033aeedc5b3205569893b910de2 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 24 May 2017 10:19:45 +0200
+Subject: ASoC: Fix use-after-free at card unregistration
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 4efda5f2130da033aeedc5b3205569893b910de2 upstream.
+
+soc_cleanup_card_resources() call snd_card_free() at the last of its
+procedure. This turned out to lead to a use-after-free.
+PCM runtimes have been already removed via soc_remove_pcm_runtimes(),
+while it's dereferenced later in soc_pcm_free() called via
+snd_card_free().
+
+The fix is simple: just move the snd_card_free() call to the beginning
+of the whole procedure. This also gives another benefit: it
+guarantees that all operations have been shut down before actually
+releasing the resources, which was racy until now.
+
+Reported-and-tested-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/soc-core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -2286,6 +2286,9 @@ static int soc_cleanup_card_resources(st
+ list_for_each_entry(rtd, &card->rtd_list, list)
+ flush_delayed_work(&rtd->delayed_work);
+
++ /* free the ALSA card at first; this syncs with pending operations */
++ snd_card_free(card->snd_card);
++
+ /* remove and free each DAI */
+ soc_remove_dai_links(card);
+ soc_remove_pcm_runtimes(card);
+@@ -2300,9 +2303,7 @@ static int soc_cleanup_card_resources(st
+ if (card->remove)
+ card->remove(card);
+
+- snd_card_free(card->snd_card);
+ return 0;
+-
+ }
+
+ /* removes a socdev */
--- /dev/null
+From 310b4816a5d8082416b4ab83e5a7b3cb92883a4d Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Mon, 1 May 2017 15:24:14 -0400
+Subject: cgroup: mark cgroup_get() with __maybe_unused
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 310b4816a5d8082416b4ab83e5a7b3cb92883a4d upstream.
+
+a590b90d472f ("cgroup: fix spurious warnings on cgroup_is_dead() from
+cgroup_sk_alloc()") converted most cgroup_get() usages to
+cgroup_get_live() leaving cgroup_sk_alloc() the sole user of
+cgroup_get(). When !CONFIG_SOCK_CGROUP_DATA, this ends up triggering
+unused warning for cgroup_get().
+
+Silence the warning by adding __maybe_unused to cgroup_get().
+
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Link: http://lkml.kernel.org/r/20170501145340.17e8ef86@canb.auug.org.au
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cgroup/cgroup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -436,7 +436,7 @@ out_unlock:
+ return css;
+ }
+
+-static void cgroup_get(struct cgroup *cgrp)
++static void __maybe_unused cgroup_get(struct cgroup *cgrp)
+ {
+ css_get(&cgrp->self);
+ }
--- /dev/null
+From 40da1b11f01e43aad1aa6cea64681b6125e8a2a7 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Fri, 2 Jun 2017 16:27:14 +0200
+Subject: cpu/hotplug: Drop the device lock on error
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+commit 40da1b11f01e43aad1aa6cea64681b6125e8a2a7 upstream.
+
+If a custom CPU target is specified and that one is not available _or_
+can't be interrupted then the code returns to userland without dropping a
+lock as notices by lockdep:
+
+|echo 133 > /sys/devices/system/cpu/cpu7/hotplug/target
+| ================================================
+| [ BUG: lock held when returning to user space! ]
+| ------------------------------------------------
+| bash/503 is leaving the kernel with locks still held!
+| 1 lock held by bash/503:
+| #0: (device_hotplug_lock){+.+...}, at: [<ffffffff815b5650>] lock_device_hotplug_sysfs+0x10/0x40
+
+So release the lock then.
+
+Fixes: 757c989b9994 ("cpu/hotplug: Make target state writeable")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20170602142714.3ogo25f2wbq6fjpj@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cpu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -1656,13 +1656,13 @@ static ssize_t write_cpuhp_target(struct
+ ret = !sp->name || sp->cant_stop ? -EINVAL : 0;
+ mutex_unlock(&cpuhp_state_mutex);
+ if (ret)
+- return ret;
++ goto out;
+
+ if (st->state < target)
+ ret = do_cpu_up(dev->id, target);
+ else
+ ret = do_cpu_down(dev->id, target);
+-
++out:
+ unlock_device_hotplug();
+ return ret ? ret : count;
+ }
--- /dev/null
+From 32829da54d9368103a2f03269a5120aa9ee4d5da Mon Sep 17 00:00:00 2001
+From: Julius Werner <jwerner@chromium.org>
+Date: Fri, 2 Jun 2017 15:36:39 -0700
+Subject: drivers: char: mem: Fix wraparound check to allow mappings up to the end
+
+From: Julius Werner <jwerner@chromium.org>
+
+commit 32829da54d9368103a2f03269a5120aa9ee4d5da upstream.
+
+A recent fix to /dev/mem prevents mappings from wrapping around the end
+of physical address space. However, the check was written in a way that
+also prevents a mapping reaching just up to the end of physical address
+space, which may be a valid use case (especially on 32-bit systems).
+This patch fixes it by checking the last mapped address (instead of the
+first address behind that) for overflow.
+
+Fixes: b299cde245 ("drivers: char: mem: Check for address space wraparound with mmap()")
+Reported-by: Nico Huber <nico.h@gmx.de>
+Signed-off-by: Julius Werner <jwerner@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/mem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/mem.c
++++ b/drivers/char/mem.c
+@@ -343,7 +343,7 @@ static int mmap_mem(struct file *file, s
+ phys_addr_t offset = (phys_addr_t)vma->vm_pgoff << PAGE_SHIFT;
+
+ /* It's illegal to wrap around the end of the physical address space. */
+- if (offset + (phys_addr_t)size < offset)
++ if (offset + (phys_addr_t)size - 1 < offset)
+ return -EINVAL;
+
+ if (!valid_mmap_phys_addr_range(vma->vm_pgoff, size))
--- /dev/null
+From 668e3b014afb66ab29e134bca7c258527273ac75 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Thu, 27 Apr 2017 19:02:20 +0300
+Subject: drm/i915: Fix runtime PM for LPE audio
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 668e3b014afb66ab29e134bca7c258527273ac75 upstream.
+
+Not calling pm_runtime_enable() means that runtime PM can't be
+enabled at all via sysfs. So we definitely need to call it
+from somewhere.
+
+Calling it from the driver seems like a bad idea because it
+would have to be paired with a pm_runtime_disable() at driver
+unload time, otherwise the core gets upset. Also if there's
+no LPE audio driver loaded then we couldn't runtime suspend
+i915 either.
+
+So it looks like a better plan is to call it from i915 when
+we register the platform device. That seems to match how
+pci generally does things. I cargo culted the
+pm_runtime_forbid() and pm_runtime_set_active() calls from
+pci as well.
+
+The exposed runtime PM API is massive an thorougly misleading, so
+I don't actually know if this is how you're supposed to use the API
+or not. But it seems to work. I can now runtime suspend i915 again
+with or without the LPE audio driver loaded, and reloading the
+LPE audio driver also seems to work.
+
+Note that powertop won't auto-tune runtime PM for platform devices,
+which is a little annoying. So I'm not sure that leaving runtime
+PM in "on" mode by default is the best choice here. But I've left
+it like that for now at least.
+
+Also remove the comment about there not being much benefit from
+LPE audio runtime PM. Not allowing runtime PM blocks i915 runtime
+PM, which will also block s0ix, and that could have a measurable
+impact on power consumption.
+
+Cc: Takashi Iwai <tiwai@suse.de>
+Cc: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Fixes: 0b6b524f3915 ("ALSA: x86: Don't enable runtime PM as default")
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20170427160231.13337-2-ville.syrjala@linux.intel.com
+Reviewed-by: Takashi Iwai <tiwai@suse.de>
+(cherry picked from commit 183c00350ccda86781f6695840e6c5f5b22efbd1)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_lpe_audio.c | 5 +++++
+ sound/x86/intel_hdmi_audio.c | 4 ----
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_lpe_audio.c
++++ b/drivers/gpu/drm/i915/intel_lpe_audio.c
+@@ -63,6 +63,7 @@
+ #include <linux/acpi.h>
+ #include <linux/device.h>
+ #include <linux/pci.h>
++#include <linux/pm_runtime.h>
+
+ #include "i915_drv.h"
+ #include <linux/delay.h>
+@@ -121,6 +122,10 @@ lpe_audio_platdev_create(struct drm_i915
+
+ kfree(rsc);
+
++ pm_runtime_forbid(&platdev->dev);
++ pm_runtime_set_active(&platdev->dev);
++ pm_runtime_enable(&platdev->dev);
++
+ return platdev;
+
+ err:
+--- a/sound/x86/intel_hdmi_audio.c
++++ b/sound/x86/intel_hdmi_audio.c
+@@ -1809,10 +1809,6 @@ static int hdmi_lpe_audio_probe(struct p
+ pdata->notify_pending = false;
+ spin_unlock_irq(&pdata->lpe_audio_slock);
+
+- /* runtime PM isn't enabled as default, since it won't save much on
+- * BYT/CHT devices; user who want the runtime PM should adjust the
+- * power/ontrol and power/autosuspend_delay_ms sysfs entries instead
+- */
+ pm_runtime_use_autosuspend(&pdev->dev);
+ pm_runtime_mark_last_busy(&pdev->dev);
+ pm_runtime_set_active(&pdev->dev);
--- /dev/null
+From d86b18a06cf361e12ccdf61ae240d432182d8d6b Mon Sep 17 00:00:00 2001
+From: Jon Bloomfield <jon.bloomfield@intel.com>
+Date: Wed, 24 May 2017 08:54:11 -0700
+Subject: drm/i915: Serialize GTT/Aperture accesses on BXT
+
+From: Jon Bloomfield <jon.bloomfield@intel.com>
+
+commit d86b18a06cf361e12ccdf61ae240d432182d8d6b upstream.
+
+BXT has a H/W issue with IOMMU which can lead to system hangs when
+Aperture accesses are queued within the GAM behind GTT Accesses.
+
+This patch avoids the condition by wrapping all GTT updates in stop_machine
+and using a flushing read prior to restarting the machine.
+
+The stop_machine guarantees no new Aperture accesses can begin while
+the PTE writes are being emmitted. The flushing read ensures that
+any following Aperture accesses cannot begin until the PTE writes
+have been cleared out of the GAM's fifo.
+
+Only FOLLOWING Aperture accesses need to be separated from in flight
+PTE updates. PTE Writes may follow tightly behind already in flight
+Aperture accesses, so no flushing read is required at the start of
+a PTE update sequence.
+
+This issue was reproduced by running
+ igt/gem_readwrite and
+ igt/gem_render_copy
+simultaneously from different processes, each in a tight loop,
+with INTEL_IOMMU enabled.
+
+This patch was originally published as:
+ drm/i915: Serialize GTT Updates on BXT
+
+[Note: This will cause a performance penalty for some use cases, but
+avoiding hangs trumps performance hits. This may need to be worked
+around in Mesa to recover the lost performance.]
+
+v2: Move bxt/iommu detection into static function
+ Remove #ifdef CONFIG_INTEL_IOMMU protection
+ Make function names more reflective of purpose
+ Move flushing read into static function
+
+v3: Tidy up for checkpatch.pl
+
+Testcase: igt/gem_concurrent_blit
+Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
+Cc: John Harrison <john.C.Harrison@intel.com>
+Cc: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Daniel Vetter <daniel.vetter@intel.com>
+Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/1495641251-30022-1-git-send-email-jon.bloomfield@intel.com
+Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+(cherry picked from commit 0ef34ad6222abfa513117515fec720c33a58f105)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_drv.h | 10 +++
+ drivers/gpu/drm/i915/i915_gem_gtt.c | 103 ++++++++++++++++++++++++++++++++++++
+ 2 files changed, 113 insertions(+)
+
+--- a/drivers/gpu/drm/i915/i915_drv.h
++++ b/drivers/gpu/drm/i915/i915_drv.h
+@@ -2916,6 +2916,16 @@ static inline bool intel_scanout_needs_v
+ return false;
+ }
+
++static inline bool
++intel_ggtt_update_needs_vtd_wa(struct drm_i915_private *dev_priv)
++{
++#ifdef CONFIG_INTEL_IOMMU
++ if (IS_BROXTON(dev_priv) && intel_iommu_gfx_mapped)
++ return true;
++#endif
++ return false;
++}
++
+ int intel_sanitize_enable_ppgtt(struct drm_i915_private *dev_priv,
+ int enable_ppgtt);
+
+--- a/drivers/gpu/drm/i915/i915_gem_gtt.c
++++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
+@@ -2554,6 +2554,101 @@ static void gen8_ggtt_clear_range(struct
+ readl(gtt_base);
+ }
+
++static void bxt_vtd_ggtt_wa(struct i915_address_space *vm)
++{
++ struct drm_i915_private *dev_priv = vm->i915;
++
++ /*
++ * Make sure the internal GAM fifo has been cleared of all GTT
++ * writes before exiting stop_machine(). This guarantees that
++ * any aperture accesses waiting to start in another process
++ * cannot back up behind the GTT writes causing a hang.
++ * The register can be any arbitrary GAM register.
++ */
++ POSTING_READ(GFX_FLSH_CNTL_GEN6);
++}
++
++struct insert_page {
++ struct i915_address_space *vm;
++ dma_addr_t addr;
++ u64 offset;
++ enum i915_cache_level level;
++};
++
++static int bxt_vtd_ggtt_insert_page__cb(void *_arg)
++{
++ struct insert_page *arg = _arg;
++
++ gen8_ggtt_insert_page(arg->vm, arg->addr, arg->offset, arg->level, 0);
++ bxt_vtd_ggtt_wa(arg->vm);
++
++ return 0;
++}
++
++static void bxt_vtd_ggtt_insert_page__BKL(struct i915_address_space *vm,
++ dma_addr_t addr,
++ u64 offset,
++ enum i915_cache_level level,
++ u32 unused)
++{
++ struct insert_page arg = { vm, addr, offset, level };
++
++ stop_machine(bxt_vtd_ggtt_insert_page__cb, &arg, NULL);
++}
++
++struct insert_entries {
++ struct i915_address_space *vm;
++ struct sg_table *st;
++ u64 start;
++ enum i915_cache_level level;
++};
++
++static int bxt_vtd_ggtt_insert_entries__cb(void *_arg)
++{
++ struct insert_entries *arg = _arg;
++
++ gen8_ggtt_insert_entries(arg->vm, arg->st, arg->start, arg->level, 0);
++ bxt_vtd_ggtt_wa(arg->vm);
++
++ return 0;
++}
++
++static void bxt_vtd_ggtt_insert_entries__BKL(struct i915_address_space *vm,
++ struct sg_table *st,
++ u64 start,
++ enum i915_cache_level level,
++ u32 unused)
++{
++ struct insert_entries arg = { vm, st, start, level };
++
++ stop_machine(bxt_vtd_ggtt_insert_entries__cb, &arg, NULL);
++}
++
++struct clear_range {
++ struct i915_address_space *vm;
++ u64 start;
++ u64 length;
++};
++
++static int bxt_vtd_ggtt_clear_range__cb(void *_arg)
++{
++ struct clear_range *arg = _arg;
++
++ gen8_ggtt_clear_range(arg->vm, arg->start, arg->length);
++ bxt_vtd_ggtt_wa(arg->vm);
++
++ return 0;
++}
++
++static void bxt_vtd_ggtt_clear_range__BKL(struct i915_address_space *vm,
++ u64 start,
++ u64 length)
++{
++ struct clear_range arg = { vm, start, length };
++
++ stop_machine(bxt_vtd_ggtt_clear_range__cb, &arg, NULL);
++}
++
+ static void gen6_ggtt_clear_range(struct i915_address_space *vm,
+ uint64_t start,
+ uint64_t length)
+@@ -3120,6 +3215,14 @@ static int gen6_gmch_probe(struct i915_g
+ ggtt->base.unbind_vma = ggtt_unbind_vma;
+ ggtt->base.cleanup = gen6_gmch_remove;
+
++ /* Serialize GTT updates with aperture access on BXT if VT-d is on. */
++ if (intel_ggtt_update_needs_vtd_wa(dev_priv)) {
++ ggtt->base.insert_entries = bxt_vtd_ggtt_insert_entries__BKL;
++ ggtt->base.insert_page = bxt_vtd_ggtt_insert_page__BKL;
++ if (ggtt->base.clear_range != nop_clear_range)
++ ggtt->base.clear_range = bxt_vtd_ggtt_clear_range__BKL;
++ }
++
+ ggtt->invalidate = gen6_ggtt_invalidate;
+
+ if (HAS_EDRAM(dev_priv))
--- /dev/null
+From ca7a45ba6fb9e7ceca56d10b91db29c2f3451a2e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20Winiarski?= <michal.winiarski@intel.com>
+Date: Mon, 27 Feb 2017 12:22:56 +0100
+Subject: drm/i915/skl: Add missing SKL ID
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michał Winiarski <michal.winiarski@intel.com>
+
+commit ca7a45ba6fb9e7ceca56d10b91db29c2f3451a2e upstream.
+
+Used by production device:
+ Intel(R) Iris(TM) Graphics P555
+
+Cc: Mika Kuoppala <mika.kuoppala@intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Michał Winiarski <michal.winiarski@intel.com>
+Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Reviewed-by: Mika Kuoppala <mika.kuoppala@intel.com>
+Signed-off-by: Mika Kuoppala <mika.kuoppala@intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20170227112256.20060-1-michal.winiarski@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/drm/i915_pciids.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/drm/i915_pciids.h
++++ b/include/drm/i915_pciids.h
+@@ -265,7 +265,8 @@
+ INTEL_VGA_DEVICE(0x1923, info), /* ULT GT3 */ \
+ INTEL_VGA_DEVICE(0x1926, info), /* ULT GT3 */ \
+ INTEL_VGA_DEVICE(0x1927, info), /* ULT GT3 */ \
+- INTEL_VGA_DEVICE(0x192B, info) /* Halo GT3 */ \
++ INTEL_VGA_DEVICE(0x192B, info), /* Halo GT3 */ \
++ INTEL_VGA_DEVICE(0x192D, info) /* SRV GT3 */
+
+ #define INTEL_SKL_GT4_IDS(info) \
+ INTEL_VGA_DEVICE(0x1932, info), /* DT GT4 */ \
--- /dev/null
+From b4e382ca7586a63b6c1e5221ce0863ff867c2df6 Mon Sep 17 00:00:00 2001
+From: Ben Skeggs <bskeggs@redhat.com>
+Date: Mon, 5 Jun 2017 17:23:32 +1000
+Subject: drm/nouveau/tmr: fully separate alarm execution/pending lists
+
+From: Ben Skeggs <bskeggs@redhat.com>
+
+commit b4e382ca7586a63b6c1e5221ce0863ff867c2df6 upstream.
+
+Reusing the list_head for both is a bad idea. Callback execution is done
+with the lock dropped so that alarms can be rescheduled from the callback,
+which means that with some unfortunate timing, lists can get corrupted.
+
+The execution list should not require its own locking, the single function
+that uses it can only be called from a single context.
+
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/nouveau/include/nvkm/subdev/timer.h | 1 +
+ drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c | 7 ++++---
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/include/nvkm/subdev/timer.h
++++ b/drivers/gpu/drm/nouveau/include/nvkm/subdev/timer.h
+@@ -4,6 +4,7 @@
+
+ struct nvkm_alarm {
+ struct list_head head;
++ struct list_head exec;
+ u64 timestamp;
+ void (*func)(struct nvkm_alarm *);
+ };
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c
+@@ -50,7 +50,8 @@ nvkm_timer_alarm_trigger(struct nvkm_tim
+ /* Move to completed list. We'll drop the lock before
+ * executing the callback so it can reschedule itself.
+ */
+- list_move_tail(&alarm->head, &exec);
++ list_del_init(&alarm->head);
++ list_add(&alarm->exec, &exec);
+ }
+
+ /* Shut down interrupt if no more pending alarms. */
+@@ -59,8 +60,8 @@ nvkm_timer_alarm_trigger(struct nvkm_tim
+ spin_unlock_irqrestore(&tmr->lock, flags);
+
+ /* Execute completed callbacks. */
+- list_for_each_entry_safe(alarm, atemp, &exec, head) {
+- list_del_init(&alarm->head);
++ list_for_each_entry_safe(alarm, atemp, &exec, exec) {
++ list_del(&alarm->exec);
+ alarm->func(alarm);
+ }
+ }
--- /dev/null
+From f0c62e9878024300319ba2438adc7b06c6b9c448 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 27 Apr 2017 12:12:08 +0300
+Subject: drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit f0c62e9878024300319ba2438adc7b06c6b9c448 upstream.
+
+If vmalloc() fails then we need to a bit of cleanup before returning.
+
+Fixes: fb1d9738ca05 ("drm/vmwgfx: Add DRM driver for VMware Virtual GPU")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Sinclair Yeh <syeh@vmware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
+@@ -368,6 +368,8 @@ static void *vmw_local_fifo_reserve(stru
+ return fifo_state->static_buffer;
+ else {
+ fifo_state->dynamic_buffer = vmalloc(bytes);
++ if (!fifo_state->dynamic_buffer)
++ goto out_err;
+ return fifo_state->dynamic_buffer;
+ }
+ }
--- /dev/null
+From ee9c4e681ec4f58e42a83cb0c22a0289ade1aacf Mon Sep 17 00:00:00 2001
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Fri, 2 Jun 2017 07:42:09 +0200
+Subject: drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl()
+
+From: Vladis Dronov <vdronov@redhat.com>
+
+commit ee9c4e681ec4f58e42a83cb0c22a0289ade1aacf upstream.
+
+The 'req->mip_levels' parameter in vmw_gb_surface_define_ioctl() is
+a user-controlled 'uint32_t' value which is used as a loop count limit.
+This can lead to a kernel lockup and DoS. Add check for 'req->mip_levels'.
+
+References:
+https://bugzilla.redhat.com/show_bug.cgi?id=1437431
+
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+Reviewed-by: Sinclair Yeh <syeh@vmware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+@@ -1280,6 +1280,9 @@ int vmw_gb_surface_define_ioctl(struct d
+ if (req->multisample_count != 0)
+ return -EINVAL;
+
++ if (req->mip_levels > DRM_VMW_MAX_MIP_LEVELS)
++ return -EINVAL;
++
+ if (unlikely(vmw_user_surface_size == 0))
+ vmw_user_surface_size = ttm_round_pot(sizeof(*user_srf)) +
+ 128;
--- /dev/null
+From 07678eca2cf9c9a18584e546c2b2a0d0c9a3150c Mon Sep 17 00:00:00 2001
+From: Sinclair Yeh <syeh@vmware.com>
+Date: Fri, 2 Jun 2017 07:50:57 +0200
+Subject: drm/vmwgfx: Make sure backup_handle is always valid
+
+From: Sinclair Yeh <syeh@vmware.com>
+
+commit 07678eca2cf9c9a18584e546c2b2a0d0c9a3150c upstream.
+
+When vmw_gb_surface_define_ioctl() is called with an existing buffer,
+we end up returning an uninitialized variable in the backup_handle.
+
+The fix is to first initialize backup_handle to 0 just to be sure, and
+second, when a user-provided buffer is found, we will use the
+req->buffer_handle as the backup_handle.
+
+Reported-by: Murray McAllister <murray.mcallister@insomniasec.com>
+Signed-off-by: Sinclair Yeh <syeh@vmware.com>
+Reviewed-by: Deepak Rawat <drawat@vmware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+@@ -1275,7 +1275,7 @@ int vmw_gb_surface_define_ioctl(struct d
+ struct ttm_object_file *tfile = vmw_fpriv(file_priv)->tfile;
+ int ret;
+ uint32_t size;
+- uint32_t backup_handle;
++ uint32_t backup_handle = 0;
+
+ if (req->multisample_count != 0)
+ return -EINVAL;
+@@ -1318,12 +1318,16 @@ int vmw_gb_surface_define_ioctl(struct d
+ ret = vmw_user_dmabuf_lookup(tfile, req->buffer_handle,
+ &res->backup,
+ &user_srf->backup_base);
+- if (ret == 0 && res->backup->base.num_pages * PAGE_SIZE <
+- res->backup_size) {
+- DRM_ERROR("Surface backup buffer is too small.\n");
+- vmw_dmabuf_unreference(&res->backup);
+- ret = -EINVAL;
+- goto out_unlock;
++ if (ret == 0) {
++ if (res->backup->base.num_pages * PAGE_SIZE <
++ res->backup_size) {
++ DRM_ERROR("Surface backup buffer is too small.\n");
++ vmw_dmabuf_unreference(&res->backup);
++ ret = -EINVAL;
++ goto out_unlock;
++ } else {
++ backup_handle = req->buffer_handle;
++ }
+ }
+ } else if (req->drm_surface_flags & drm_vmw_surface_flag_create_buffer)
+ ret = vmw_user_dmabuf_alloc(dev_priv, tfile,
--- /dev/null
+From d6dbdd3c8558cad3b6d74cc357b408622d122331 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Mon, 5 Jun 2017 19:17:18 +0100
+Subject: KVM: arm/arm64: Handle possible NULL stage2 pud when ageing pages
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit d6dbdd3c8558cad3b6d74cc357b408622d122331 upstream.
+
+Under memory pressure, we start ageing pages, which amounts to parsing
+the page tables. Since we don't want to allocate any extra level,
+we pass NULL for our private allocation cache. Which means that
+stage2_get_pud() is allowed to fail. This results in the following
+splat:
+
+[ 1520.409577] Unable to handle kernel NULL pointer dereference at virtual address 00000008
+[ 1520.417741] pgd = ffff810f52fef000
+[ 1520.421201] [00000008] *pgd=0000010f636c5003, *pud=0000010f56f48003, *pmd=0000000000000000
+[ 1520.429546] Internal error: Oops: 96000006 [#1] PREEMPT SMP
+[ 1520.435156] Modules linked in:
+[ 1520.438246] CPU: 15 PID: 53550 Comm: qemu-system-aar Tainted: G W 4.12.0-rc4-00027-g1885c397eaec #7205
+[ 1520.448705] Hardware name: FOXCONN R2-1221R-A4/C2U4N_MB, BIOS G31FB12A 10/26/2016
+[ 1520.463726] task: ffff800ac5fb4e00 task.stack: ffff800ce04e0000
+[ 1520.469666] PC is at stage2_get_pmd+0x34/0x110
+[ 1520.474119] LR is at kvm_age_hva_handler+0x44/0xf0
+[ 1520.478917] pc : [<ffff0000080b137c>] lr : [<ffff0000080b149c>] pstate: 40000145
+[ 1520.486325] sp : ffff800ce04e33d0
+[ 1520.489644] x29: ffff800ce04e33d0 x28: 0000000ffff40064
+[ 1520.494967] x27: 0000ffff27e00000 x26: 0000000000000000
+[ 1520.500289] x25: ffff81051ba65008 x24: 0000ffff40065000
+[ 1520.505618] x23: 0000ffff40064000 x22: 0000000000000000
+[ 1520.510947] x21: ffff810f52b20000 x20: 0000000000000000
+[ 1520.516274] x19: 0000000058264000 x18: 0000000000000000
+[ 1520.521603] x17: 0000ffffa6fe7438 x16: ffff000008278b70
+[ 1520.526940] x15: 000028ccd8000000 x14: 0000000000000008
+[ 1520.532264] x13: ffff7e0018298000 x12: 0000000000000002
+[ 1520.537582] x11: ffff000009241b93 x10: 0000000000000940
+[ 1520.542908] x9 : ffff0000092ef800 x8 : 0000000000000200
+[ 1520.548229] x7 : ffff800ce04e36a8 x6 : 0000000000000000
+[ 1520.553552] x5 : 0000000000000001 x4 : 0000000000000000
+[ 1520.558873] x3 : 0000000000000000 x2 : 0000000000000008
+[ 1520.571696] x1 : ffff000008fd5000 x0 : ffff0000080b149c
+[ 1520.577039] Process qemu-system-aar (pid: 53550, stack limit = 0xffff800ce04e0000)
+[...]
+[ 1521.510735] [<ffff0000080b137c>] stage2_get_pmd+0x34/0x110
+[ 1521.516221] [<ffff0000080b149c>] kvm_age_hva_handler+0x44/0xf0
+[ 1521.522054] [<ffff0000080b0610>] handle_hva_to_gpa+0xb8/0xe8
+[ 1521.527716] [<ffff0000080b3434>] kvm_age_hva+0x44/0xf0
+[ 1521.532854] [<ffff0000080a58b0>] kvm_mmu_notifier_clear_flush_young+0x70/0xc0
+[ 1521.539992] [<ffff000008238378>] __mmu_notifier_clear_flush_young+0x88/0xd0
+[ 1521.546958] [<ffff00000821eca0>] page_referenced_one+0xf0/0x188
+[ 1521.552881] [<ffff00000821f36c>] rmap_walk_anon+0xec/0x250
+[ 1521.558370] [<ffff000008220f78>] rmap_walk+0x78/0xa0
+[ 1521.563337] [<ffff000008221104>] page_referenced+0x164/0x180
+[ 1521.569002] [<ffff0000081f1af0>] shrink_active_list+0x178/0x3b8
+[ 1521.574922] [<ffff0000081f2058>] shrink_node_memcg+0x328/0x600
+[ 1521.580758] [<ffff0000081f23f4>] shrink_node+0xc4/0x328
+[ 1521.585986] [<ffff0000081f2718>] do_try_to_free_pages+0xc0/0x340
+[ 1521.592000] [<ffff0000081f2a64>] try_to_free_pages+0xcc/0x240
+[...]
+
+The trivial fix is to handle this NULL pud value early, rather than
+dereferencing it blindly.
+
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Reviewed-by: Christoffer Dall <cdall@linaro.org>
+Signed-off-by: Christoffer Dall <cdall@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kvm/mmu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arm/kvm/mmu.c
++++ b/arch/arm/kvm/mmu.c
+@@ -879,6 +879,9 @@ static pmd_t *stage2_get_pmd(struct kvm
+ pmd_t *pmd;
+
+ pud = stage2_get_pud(kvm, cache, addr);
++ if (!pud)
++ return NULL;
++
+ if (stage2_pud_none(*pud)) {
+ if (!cache)
+ return NULL;
--- /dev/null
+From 246096690be0742d9bb5f3456d2cb95b68f7b46d Mon Sep 17 00:00:00 2001
+From: Timur Tabi <timur@codeaurora.org>
+Date: Thu, 1 Jun 2017 16:08:13 -0500
+Subject: net: qcom/emac: do not use hardware mdio automatic polling
+
+From: Timur Tabi <timur@codeaurora.org>
+
+commit 246096690be0742d9bb5f3456d2cb95b68f7b46d upstream.
+
+Use software polling (PHY_POLL) to check for link state changes instead
+of relying on the EMAC's hardware polling feature. Some PHY drivers
+are unable to get a functioning link because the HW polling is not
+robust enough.
+
+The EMAC is able to poll the PHY on the MDIO bus looking for link state
+changes (via the Link Status bit in the Status Register at address 0x1).
+When the link state changes, the EMAC triggers an interrupt and tells the
+driver what the new state is. The feature eliminates the need for
+software to poll the MDIO bus.
+
+Unfortunately, this feature is incompatible with phylib, because it
+ignores everything that the PHY core and PHY drivers are trying to do.
+In particular:
+
+1. It assumes a compatible register set, so PHYs with different registers
+ may not work.
+
+2. It doesn't allow for hardware errata that have work-arounds implemented
+ in the PHY driver.
+
+3. It doesn't support multiple register pages. If the PHY core switches
+ the register set to another page, the EMAC won't know the page has
+ changed and will still attempt to read the same PHY register.
+
+4. It only checks the copper side of the link, not the SGMII side. Some
+ PHY drivers (e.g. at803x) may also check the SGMII side, and
+ report the link as not ready during autonegotiation if the SGMII link
+ is still down. Phylib then waits for another interrupt to query
+ the PHY again, but the EMAC won't send another interrupt because it
+ thinks the link is up.
+
+Tested-by: Manoj Iyer <manoj.iyer@canonical.com>
+Signed-off-by: Timur Tabi <timur@codeaurora.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/qualcomm/emac/emac-mac.c | 2
+ drivers/net/ethernet/qualcomm/emac/emac-phy.c | 75 +-------------------------
+ drivers/net/ethernet/qualcomm/emac/emac.c | 22 -------
+ 3 files changed, 6 insertions(+), 93 deletions(-)
+
+--- a/drivers/net/ethernet/qualcomm/emac/emac-mac.c
++++ b/drivers/net/ethernet/qualcomm/emac/emac-mac.c
+@@ -931,7 +931,7 @@ int emac_mac_up(struct emac_adapter *adp
+ emac_mac_config(adpt);
+ emac_mac_rx_descs_refill(adpt, &adpt->rx_q);
+
+- adpt->phydev->irq = PHY_IGNORE_INTERRUPT;
++ adpt->phydev->irq = PHY_POLL;
+ ret = phy_connect_direct(netdev, adpt->phydev, emac_adjust_link,
+ PHY_INTERFACE_MODE_SGMII);
+ if (ret) {
+--- a/drivers/net/ethernet/qualcomm/emac/emac-phy.c
++++ b/drivers/net/ethernet/qualcomm/emac/emac-phy.c
+@@ -13,15 +13,11 @@
+ /* Qualcomm Technologies, Inc. EMAC PHY Controller driver.
+ */
+
+-#include <linux/module.h>
+-#include <linux/of.h>
+-#include <linux/of_net.h>
+ #include <linux/of_mdio.h>
+ #include <linux/phy.h>
+ #include <linux/iopoll.h>
+ #include <linux/acpi.h>
+ #include "emac.h"
+-#include "emac-mac.h"
+
+ /* EMAC base register offsets */
+ #define EMAC_MDIO_CTRL 0x001414
+@@ -52,62 +48,10 @@
+
+ #define MDIO_WAIT_TIMES 1000
+
+-#define EMAC_LINK_SPEED_DEFAULT (\
+- EMAC_LINK_SPEED_10_HALF |\
+- EMAC_LINK_SPEED_10_FULL |\
+- EMAC_LINK_SPEED_100_HALF |\
+- EMAC_LINK_SPEED_100_FULL |\
+- EMAC_LINK_SPEED_1GB_FULL)
+-
+-/**
+- * emac_phy_mdio_autopoll_disable() - disable mdio autopoll
+- * @adpt: the emac adapter
+- *
+- * The autopoll feature takes over the MDIO bus. In order for
+- * the PHY driver to be able to talk to the PHY over the MDIO
+- * bus, we need to temporarily disable the autopoll feature.
+- */
+-static int emac_phy_mdio_autopoll_disable(struct emac_adapter *adpt)
+-{
+- u32 val;
+-
+- /* disable autopoll */
+- emac_reg_update32(adpt->base + EMAC_MDIO_CTRL, MDIO_AP_EN, 0);
+-
+- /* wait for any mdio polling to complete */
+- if (!readl_poll_timeout(adpt->base + EMAC_MDIO_CTRL, val,
+- !(val & MDIO_BUSY), 100, MDIO_WAIT_TIMES * 100))
+- return 0;
+-
+- /* failed to disable; ensure it is enabled before returning */
+- emac_reg_update32(adpt->base + EMAC_MDIO_CTRL, 0, MDIO_AP_EN);
+-
+- return -EBUSY;
+-}
+-
+-/**
+- * emac_phy_mdio_autopoll_disable() - disable mdio autopoll
+- * @adpt: the emac adapter
+- *
+- * The EMAC has the ability to poll the external PHY on the MDIO
+- * bus for link state changes. This eliminates the need for the
+- * driver to poll the phy. If if the link state does change,
+- * the EMAC issues an interrupt on behalf of the PHY.
+- */
+-static void emac_phy_mdio_autopoll_enable(struct emac_adapter *adpt)
+-{
+- emac_reg_update32(adpt->base + EMAC_MDIO_CTRL, 0, MDIO_AP_EN);
+-}
+-
+ static int emac_mdio_read(struct mii_bus *bus, int addr, int regnum)
+ {
+ struct emac_adapter *adpt = bus->priv;
+ u32 reg;
+- int ret;
+-
+- ret = emac_phy_mdio_autopoll_disable(adpt);
+- if (ret)
+- return ret;
+
+ emac_reg_update32(adpt->base + EMAC_PHY_STS, PHY_ADDR_BMSK,
+ (addr << PHY_ADDR_SHFT));
+@@ -122,24 +66,15 @@ static int emac_mdio_read(struct mii_bus
+ if (readl_poll_timeout(adpt->base + EMAC_MDIO_CTRL, reg,
+ !(reg & (MDIO_START | MDIO_BUSY)),
+ 100, MDIO_WAIT_TIMES * 100))
+- ret = -EIO;
+- else
+- ret = (reg >> MDIO_DATA_SHFT) & MDIO_DATA_BMSK;
+-
+- emac_phy_mdio_autopoll_enable(adpt);
++ return -EIO;
+
+- return ret;
++ return (reg >> MDIO_DATA_SHFT) & MDIO_DATA_BMSK;
+ }
+
+ static int emac_mdio_write(struct mii_bus *bus, int addr, int regnum, u16 val)
+ {
+ struct emac_adapter *adpt = bus->priv;
+ u32 reg;
+- int ret;
+-
+- ret = emac_phy_mdio_autopoll_disable(adpt);
+- if (ret)
+- return ret;
+
+ emac_reg_update32(adpt->base + EMAC_PHY_STS, PHY_ADDR_BMSK,
+ (addr << PHY_ADDR_SHFT));
+@@ -155,11 +90,9 @@ static int emac_mdio_write(struct mii_bu
+ if (readl_poll_timeout(adpt->base + EMAC_MDIO_CTRL, reg,
+ !(reg & (MDIO_START | MDIO_BUSY)), 100,
+ MDIO_WAIT_TIMES * 100))
+- ret = -EIO;
+-
+- emac_phy_mdio_autopoll_enable(adpt);
++ return -EIO;
+
+- return ret;
++ return 0;
+ }
+
+ /* Configure the MDIO bus and connect the external PHY */
+--- a/drivers/net/ethernet/qualcomm/emac/emac.c
++++ b/drivers/net/ethernet/qualcomm/emac/emac.c
+@@ -50,19 +50,7 @@
+ #define DMAR_DLY_CNT_DEF 15
+ #define DMAW_DLY_CNT_DEF 4
+
+-#define IMR_NORMAL_MASK (\
+- ISR_ERROR |\
+- ISR_GPHY_LINK |\
+- ISR_TX_PKT |\
+- GPHY_WAKEUP_INT)
+-
+-#define IMR_EXTENDED_MASK (\
+- SW_MAN_INT |\
+- ISR_OVER |\
+- ISR_ERROR |\
+- ISR_GPHY_LINK |\
+- ISR_TX_PKT |\
+- GPHY_WAKEUP_INT)
++#define IMR_NORMAL_MASK (ISR_ERROR | ISR_OVER | ISR_TX_PKT)
+
+ #define ISR_TX_PKT (\
+ TX_PKT_INT |\
+@@ -70,10 +58,6 @@
+ TX_PKT_INT2 |\
+ TX_PKT_INT3)
+
+-#define ISR_GPHY_LINK (\
+- GPHY_LINK_UP_INT |\
+- GPHY_LINK_DOWN_INT)
+-
+ #define ISR_OVER (\
+ RFD0_UR_INT |\
+ RFD1_UR_INT |\
+@@ -187,10 +171,6 @@ irqreturn_t emac_isr(int _irq, void *dat
+ if (status & ISR_OVER)
+ net_warn_ratelimited("warning: TX/RX overflow\n");
+
+- /* link event */
+- if (status & ISR_GPHY_LINK)
+- phy_mac_interrupt(adpt->phydev, !!(status & GPHY_LINK_UP_INT));
+-
+ exit:
+ /* enable the interrupt */
+ writel(irq->mask, adpt->base + EMAC_INT_MASK);
--- /dev/null
+From cc1582c231ea041fbc68861dfaf957eaf902b829 Mon Sep 17 00:00:00 2001
+From: Jin Yao <yao.jin@linux.intel.com>
+Date: Thu, 25 May 2017 18:09:07 +0800
+Subject: perf/core: Drop kernel samples even though :u is specified
+
+From: Jin Yao <yao.jin@linux.intel.com>
+
+commit cc1582c231ea041fbc68861dfaf957eaf902b829 upstream.
+
+When doing sampling, for example:
+
+ perf record -e cycles:u ...
+
+On workloads that do a lot of kernel entry/exits we see kernel
+samples, even though :u is specified. This is due to skid existing.
+
+This might be a security issue because it can leak kernel addresses even
+though kernel sampling support is disabled.
+
+The patch drops the kernel samples if exclude_kernel is specified.
+
+For example, test on Haswell desktop:
+
+ perf record -e cycles:u <mgen>
+ perf report --stdio
+
+Before patch applied:
+
+ 99.77% mgen mgen [.] buf_read
+ 0.20% mgen mgen [.] rand_buf_init
+ 0.01% mgen [kernel.vmlinux] [k] apic_timer_interrupt
+ 0.00% mgen mgen [.] last_free_elem
+ 0.00% mgen libc-2.23.so [.] __random_r
+ 0.00% mgen libc-2.23.so [.] _int_malloc
+ 0.00% mgen mgen [.] rand_array_init
+ 0.00% mgen [kernel.vmlinux] [k] page_fault
+ 0.00% mgen libc-2.23.so [.] __random
+ 0.00% mgen libc-2.23.so [.] __strcasestr
+ 0.00% mgen ld-2.23.so [.] strcmp
+ 0.00% mgen ld-2.23.so [.] _dl_start
+ 0.00% mgen libc-2.23.so [.] sched_setaffinity@@GLIBC_2.3.4
+ 0.00% mgen ld-2.23.so [.] _start
+
+We can see kernel symbols apic_timer_interrupt and page_fault.
+
+After patch applied:
+
+ 99.79% mgen mgen [.] buf_read
+ 0.19% mgen mgen [.] rand_buf_init
+ 0.00% mgen libc-2.23.so [.] __random_r
+ 0.00% mgen mgen [.] rand_array_init
+ 0.00% mgen mgen [.] last_free_elem
+ 0.00% mgen libc-2.23.so [.] vfprintf
+ 0.00% mgen libc-2.23.so [.] rand
+ 0.00% mgen libc-2.23.so [.] __random
+ 0.00% mgen libc-2.23.so [.] _int_malloc
+ 0.00% mgen libc-2.23.so [.] _IO_doallocbuf
+ 0.00% mgen ld-2.23.so [.] do_lookup_x
+ 0.00% mgen ld-2.23.so [.] open_verify.constprop.7
+ 0.00% mgen ld-2.23.so [.] _dl_important_hwcaps
+ 0.00% mgen libc-2.23.so [.] sched_setaffinity@@GLIBC_2.3.4
+ 0.00% mgen ld-2.23.so [.] _start
+
+There are only userspace symbols.
+
+Signed-off-by: Jin Yao <yao.jin@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: acme@kernel.org
+Cc: jolsa@kernel.org
+Cc: kan.liang@intel.com
+Cc: mark.rutland@arm.com
+Cc: will.deacon@arm.com
+Cc: yao.jin@intel.com
+Link: http://lkml.kernel.org/r/1495706947-3744-1-git-send-email-yao.jin@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/core.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -7184,6 +7184,21 @@ int perf_event_account_interrupt(struct
+ return __perf_event_account_interrupt(event, 1);
+ }
+
++static bool sample_is_allowed(struct perf_event *event, struct pt_regs *regs)
++{
++ /*
++ * Due to interrupt latency (AKA "skid"), we may enter the
++ * kernel before taking an overflow, even if the PMU is only
++ * counting user events.
++ * To avoid leaking information to userspace, we must always
++ * reject kernel samples when exclude_kernel is set.
++ */
++ if (event->attr.exclude_kernel && !user_mode(regs))
++ return false;
++
++ return true;
++}
++
+ /*
+ * Generic event overflow handling, sampling.
+ */
+@@ -7205,6 +7220,12 @@ static int __perf_event_overflow(struct
+ ret = __perf_event_account_interrupt(event, throttle);
+
+ /*
++ * For security, drop the skid kernel samples if necessary.
++ */
++ if (!sample_is_allowed(event, regs))
++ return ret;
++
++ /*
+ * XXX event_limit might not quite work as expected on inherited
+ * events
+ */
--- /dev/null
+From a9de080bbcd5c4e213a3d7bbb1e314d60980e943 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Tue, 25 Apr 2017 06:22:05 +0000
+Subject: pinctrl: cherryview: Add terminate entry for dmi_system_id tables
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+commit a9de080bbcd5c4e213a3d7bbb1e314d60980e943 upstream.
+
+Make sure dmi_system_id tables are NULL terminated.
+
+Fixes: 703650278372 ("pinctrl: cherryview: Add a quirk to make Acer
+Chromebook keyboard work again")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Cc: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/intel/pinctrl-cherryview.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/intel/pinctrl-cherryview.c
++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c
+@@ -1542,7 +1542,8 @@ static const struct dmi_system_id chv_no
+ DMI_MATCH(DMI_PRODUCT_NAME, "Edgar"),
+ DMI_MATCH(DMI_BIOS_DATE, "05/21/2016"),
+ },
+- }
++ },
++ {}
+ };
+
+ static int chv_gpio_probe(struct chv_pinctrl *pctrl, int irq)
--- /dev/null
+From dc421b200f91930c9c6a9586810ff8c232cf10fc Mon Sep 17 00:00:00 2001
+From: Michael Bringmann <mwb@linux.vnet.ibm.com>
+Date: Mon, 22 May 2017 15:44:37 -0500
+Subject: powerpc/hotplug-mem: Fix missing endian conversion of aa_index
+
+From: Michael Bringmann <mwb@linux.vnet.ibm.com>
+
+commit dc421b200f91930c9c6a9586810ff8c232cf10fc upstream.
+
+When adding or removing memory, the aa_index (affinity value) for the
+memblock must also be converted to match the endianness of the rest
+of the 'ibm,dynamic-memory' property. Otherwise, subsequent retrieval
+of the attribute will likely lead to non-existent nodes, followed by
+using the default node in the code inappropriately.
+
+Fixes: 5f97b2a0d176 ("powerpc/pseries: Implement memory hotplug add in the kernel")
+Signed-off-by: Michael Bringmann <mwb@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/pseries/hotplug-memory.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/powerpc/platforms/pseries/hotplug-memory.c
++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c
+@@ -124,6 +124,7 @@ static struct property *dlpar_clone_drco
+ for (i = 0; i < num_lmbs; i++) {
+ lmbs[i].base_addr = be64_to_cpu(lmbs[i].base_addr);
+ lmbs[i].drc_index = be32_to_cpu(lmbs[i].drc_index);
++ lmbs[i].aa_index = be32_to_cpu(lmbs[i].aa_index);
+ lmbs[i].flags = be32_to_cpu(lmbs[i].flags);
+ }
+
+@@ -147,6 +148,7 @@ static void dlpar_update_drconf_property
+ for (i = 0; i < num_lmbs; i++) {
+ lmbs[i].base_addr = cpu_to_be64(lmbs[i].base_addr);
+ lmbs[i].drc_index = cpu_to_be32(lmbs[i].drc_index);
++ lmbs[i].aa_index = cpu_to_be32(lmbs[i].aa_index);
+ lmbs[i].flags = cpu_to_be32(lmbs[i].flags);
+ }
+
--- /dev/null
+From 1195892c091a15cc862f4e202482a36adc924e12 Mon Sep 17 00:00:00 2001
+From: Breno Leitao <leitao@debian.org>
+Date: Fri, 2 Jun 2017 18:43:30 -0300
+Subject: powerpc/kernel: Fix FP and vector register restoration
+
+From: Breno Leitao <leitao@debian.org>
+
+commit 1195892c091a15cc862f4e202482a36adc924e12 upstream.
+
+Currently tsk->thread->load_vec and load_fp are not initialized during
+task creation, which can lead to garbage values in these variables (non-zero
+values).
+
+These variables will be checked later in restore_math() to validate if the
+FP and vector registers are being utilized. Since these values might be
+non-zero, the restore_math() will continue to save the FP and vectors even if
+they were never utilized by the userspace application. load_fp and load_vec
+counters will then overflow (they wrap at 255) and the FP and Altivec will be
+finally disabled, but before that condition is reached (counter overflow)
+several context switches will have restored FP and vector registers without
+need, causing a performance degradation.
+
+Fixes: 70fe3d980f5f ("powerpc: Restore FPU/VEC/VSX if previously used")
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Signed-off-by: Gustavo Romero <gusbromero@gmail.com>
+Acked-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/process.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/powerpc/kernel/process.c
++++ b/arch/powerpc/kernel/process.c
+@@ -1666,6 +1666,7 @@ void start_thread(struct pt_regs *regs,
+ #ifdef CONFIG_VSX
+ current->thread.used_vsr = 0;
+ #endif
++ current->thread.load_fp = 0;
+ memset(¤t->thread.fp_state, 0, sizeof(current->thread.fp_state));
+ current->thread.fp_save_area = NULL;
+ #ifdef CONFIG_ALTIVEC
+@@ -1674,6 +1675,7 @@ void start_thread(struct pt_regs *regs,
+ current->thread.vr_save_area = NULL;
+ current->thread.vrsave = 0;
+ current->thread.used_vr = 0;
++ current->thread.load_vec = 0;
+ #endif /* CONFIG_ALTIVEC */
+ #ifdef CONFIG_SPE
+ memset(current->thread.evr, 0, sizeof(current->thread.evr));
--- /dev/null
+From 7f22ced4377628074e2ac25f41a88f98eb3b03f1 Mon Sep 17 00:00:00 2001
+From: Breno Leitao <leitao@debian.org>
+Date: Mon, 5 Jun 2017 11:40:59 -0300
+Subject: powerpc/kernel: Initialize load_tm on task creation
+
+From: Breno Leitao <leitao@debian.org>
+
+commit 7f22ced4377628074e2ac25f41a88f98eb3b03f1 upstream.
+
+Currently tsk->thread.load_tm is not initialized in the task creation
+and can contain garbage on a new task.
+
+This is an undesired behaviour, since it affects the timing to enable
+and disable the transactional memory laziness (disabling and enabling
+the MSR TM bit, which affects TM reclaim and recheckpoint in the
+scheduling process).
+
+Fixes: 5d176f751ee3 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/process.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/kernel/process.c
++++ b/arch/powerpc/kernel/process.c
+@@ -1687,6 +1687,7 @@ void start_thread(struct pt_regs *regs,
+ current->thread.tm_tfhar = 0;
+ current->thread.tm_texasr = 0;
+ current->thread.tm_tfiar = 0;
++ current->thread.load_tm = 0;
+ #endif /* CONFIG_PPC_TRANSACTIONAL_MEM */
+ }
+ EXPORT_SYMBOL(start_thread);
--- /dev/null
+From ba4a648f12f4cd0a8003dd229b6ca8a53348ee4b Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Tue, 6 Jun 2017 20:23:57 +1000
+Subject: powerpc/numa: Fix percpu allocations to be NUMA aware
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit ba4a648f12f4cd0a8003dd229b6ca8a53348ee4b upstream.
+
+In commit 8c272261194d ("powerpc/numa: Enable USE_PERCPU_NUMA_NODE_ID"), we
+switched to the generic implementation of cpu_to_node(), which uses a percpu
+variable to hold the NUMA node for each CPU.
+
+Unfortunately we neglected to notice that we use cpu_to_node() in the allocation
+of our percpu areas, leading to a chicken and egg problem. In practice what
+happens is when we are setting up the percpu areas, cpu_to_node() reports that
+all CPUs are on node 0, so we allocate all percpu areas on node 0.
+
+This is visible in the dmesg output, as all pcpu allocs being in group 0:
+
+ pcpu-alloc: [0] 00 01 02 03 [0] 04 05 06 07
+ pcpu-alloc: [0] 08 09 10 11 [0] 12 13 14 15
+ pcpu-alloc: [0] 16 17 18 19 [0] 20 21 22 23
+ pcpu-alloc: [0] 24 25 26 27 [0] 28 29 30 31
+ pcpu-alloc: [0] 32 33 34 35 [0] 36 37 38 39
+ pcpu-alloc: [0] 40 41 42 43 [0] 44 45 46 47
+
+To fix it we need an early_cpu_to_node() which can run prior to percpu being
+setup. We already have the numa_cpu_lookup_table we can use, so just plumb it
+in. With the patch dmesg output shows two groups, 0 and 1:
+
+ pcpu-alloc: [0] 00 01 02 03 [0] 04 05 06 07
+ pcpu-alloc: [0] 08 09 10 11 [0] 12 13 14 15
+ pcpu-alloc: [0] 16 17 18 19 [0] 20 21 22 23
+ pcpu-alloc: [1] 24 25 26 27 [1] 28 29 30 31
+ pcpu-alloc: [1] 32 33 34 35 [1] 36 37 38 39
+ pcpu-alloc: [1] 40 41 42 43 [1] 44 45 46 47
+
+We can also check the data_offset in the paca of various CPUs, with the fix we
+see:
+
+ CPU 0: data_offset = 0x0ffe8b0000
+ CPU 24: data_offset = 0x1ffe5b0000
+
+And we can see from dmesg that CPU 24 has an allocation on node 1:
+
+ node 0: [mem 0x0000000000000000-0x0000000fffffffff]
+ node 1: [mem 0x0000001000000000-0x0000001fffffffff]
+
+Fixes: 8c272261194d ("powerpc/numa: Enable USE_PERCPU_NUMA_NODE_ID")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/topology.h | 14 ++++++++++++++
+ arch/powerpc/kernel/setup_64.c | 4 ++--
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/include/asm/topology.h
++++ b/arch/powerpc/include/asm/topology.h
+@@ -44,8 +44,22 @@ extern void __init dump_numa_cpu_topolog
+ extern int sysfs_add_device_to_node(struct device *dev, int nid);
+ extern void sysfs_remove_device_from_node(struct device *dev, int nid);
+
++static inline int early_cpu_to_node(int cpu)
++{
++ int nid;
++
++ nid = numa_cpu_lookup_table[cpu];
++
++ /*
++ * Fall back to node 0 if nid is unset (it should be, except bugs).
++ * This allows callers to safely do NODE_DATA(early_cpu_to_node(cpu)).
++ */
++ return (nid < 0) ? 0 : nid;
++}
+ #else
+
++static inline int early_cpu_to_node(int cpu) { return 0; }
++
+ static inline void dump_numa_cpu_topology(void) {}
+
+ static inline int sysfs_add_device_to_node(struct device *dev, int nid)
+--- a/arch/powerpc/kernel/setup_64.c
++++ b/arch/powerpc/kernel/setup_64.c
+@@ -650,7 +650,7 @@ void __init emergency_stack_init(void)
+
+ static void * __init pcpu_fc_alloc(unsigned int cpu, size_t size, size_t align)
+ {
+- return __alloc_bootmem_node(NODE_DATA(cpu_to_node(cpu)), size, align,
++ return __alloc_bootmem_node(NODE_DATA(early_cpu_to_node(cpu)), size, align,
+ __pa(MAX_DMA_ADDRESS));
+ }
+
+@@ -661,7 +661,7 @@ static void __init pcpu_fc_free(void *pt
+
+ static int pcpu_cpu_distance(unsigned int from, unsigned int to)
+ {
+- if (cpu_to_node(from) == cpu_to_node(to))
++ if (early_cpu_to_node(from) == early_cpu_to_node(to))
+ return LOCAL_DISTANCE;
+ else
+ return REMOTE_DISTANCE;
--- /dev/null
+From 6f553912eedafae13ff20b322a65e471fe7f5236 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Wed, 24 May 2017 10:01:55 +0200
+Subject: powerpc/sysdev/simple_gpio: Fix oops in gpio save_regs function
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+commit 6f553912eedafae13ff20b322a65e471fe7f5236 upstream.
+
+of_mm_gpiochip_add_data() generates an oops for NULL pointer dereference.
+
+of_mm_gpiochip_add_data() calls mm_gc->save_regs() before
+setting the data, therefore ->save_regs() cannot use gpiochip_get_data()
+
+Fixes: 937daafca774 ("powerpc: simple-gpio: use gpiochip data pointer")
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/sysdev/simple_gpio.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/sysdev/simple_gpio.c
++++ b/arch/powerpc/sysdev/simple_gpio.c
+@@ -75,7 +75,8 @@ static int u8_gpio_dir_out(struct gpio_c
+
+ static void u8_gpio_save_regs(struct of_mm_gpio_chip *mm_gc)
+ {
+- struct u8_gpio_chip *u8_gc = gpiochip_get_data(&mm_gc->gc);
++ struct u8_gpio_chip *u8_gc =
++ container_of(mm_gc, struct u8_gpio_chip, mm_gc);
+
+ u8_gc->data = in_8(mm_gc->regs);
+ }
--- /dev/null
+From 3e4240da0e3673637c1c995bdd14cfdbc8f4dc4c Mon Sep 17 00:00:00 2001
+From: Andrew Lunn <andrew@lunn.ch>
+Date: Wed, 24 May 2017 01:39:35 +0200
+Subject: Revert "ata: sata_mv: Convert to devm_ioremap_resource()"
+
+From: Andrew Lunn <andrew@lunn.ch>
+
+commit 3e4240da0e3673637c1c995bdd14cfdbc8f4dc4c upstream.
+
+This reverts commit 368e5fbdfc60732643f34f538823ed4bc8829827.
+
+devm_ioremap_resource() enforces that there are no overlapping
+resources, where as devm_ioremap() does not. The sata phy driver needs
+a subset of the sata IO address space, so maps some of the sata
+address space. As a result, sata_mv now fails to probe, reporting it
+cannot get its resources, and so we don't have any SATA disks.
+
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Acked-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/sata_mv.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/ata/sata_mv.c
++++ b/drivers/ata/sata_mv.c
+@@ -4067,7 +4067,6 @@ static int mv_platform_probe(struct plat
+ struct ata_host *host;
+ struct mv_host_priv *hpriv;
+ struct resource *res;
+- void __iomem *mmio;
+ int n_ports = 0, irq = 0;
+ int rc;
+ int port;
+@@ -4086,9 +4085,8 @@ static int mv_platform_probe(struct plat
+ * Get the register base first
+ */
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+- mmio = devm_ioremap_resource(&pdev->dev, res);
+- if (IS_ERR(mmio))
+- return PTR_ERR(mmio);
++ if (res == NULL)
++ return -EINVAL;
+
+ /* allocate host */
+ if (pdev->dev.of_node) {
+@@ -4132,7 +4130,12 @@ static int mv_platform_probe(struct plat
+ hpriv->board_idx = chip_soc;
+
+ host->iomap = NULL;
+- hpriv->base = mmio - SATAHC0_REG_BASE;
++ hpriv->base = devm_ioremap(&pdev->dev, res->start,
++ resource_size(res));
++ if (!hpriv->base)
++ return -ENOMEM;
++
++ hpriv->base -= SATAHC0_REG_BASE;
+
+ hpriv->clk = clk_get(&pdev->dev, NULL);
+ if (IS_ERR(hpriv->clk))
--- /dev/null
+From ddff7ed45edce4a4c92949d3c61cd25d229c4a14 Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn <jthumshirn@suse.de>
+Date: Tue, 23 May 2017 16:50:47 +0200
+Subject: scsi: qla2xxx: don't disable a not previously enabled PCI device
+
+From: Johannes Thumshirn <jthumshirn@suse.de>
+
+commit ddff7ed45edce4a4c92949d3c61cd25d229c4a14 upstream.
+
+When pci_enable_device() or pci_enable_device_mem() fail in
+qla2x00_probe_one() we bail out but do a call to
+pci_disable_device(). This causes the dev_WARN_ON() in
+pci_disable_device() to trigger, as the device wasn't enabled
+previously.
+
+So instead of taking the 'probe_out' error path we can directly return
+*iff* one of the pci_enable_device() calls fails.
+
+Additionally rename the 'probe_out' goto label's name to the more
+descriptive 'disable_device'.
+
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+Fixes: e315cd28b9ef ("[SCSI] qla2xxx: Code changes for qla data structure refactoring")
+Reviewed-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Reviewed-by: Giridhar Malavali <giridhar.malavali@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_os.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -2626,10 +2626,10 @@ qla2x00_probe_one(struct pci_dev *pdev,
+
+ if (mem_only) {
+ if (pci_enable_device_mem(pdev))
+- goto probe_out;
++ return ret;
+ } else {
+ if (pci_enable_device(pdev))
+- goto probe_out;
++ return ret;
+ }
+
+ /* This may fail but that's ok */
+@@ -2639,7 +2639,7 @@ qla2x00_probe_one(struct pci_dev *pdev,
+ if (!ha) {
+ ql_log_pci(ql_log_fatal, pdev, 0x0009,
+ "Unable to allocate memory for ha.\n");
+- goto probe_out;
++ goto disable_device;
+ }
+ ql_dbg_pci(ql_dbg_init, pdev, 0x000a,
+ "Memory allocated for ha=%p.\n", ha);
+@@ -3258,7 +3258,7 @@ iospace_config_failed:
+ kfree(ha);
+ ha = NULL;
+
+-probe_out:
++disable_device:
+ pci_disable_device(pdev);
+ return ret;
+ }
--- /dev/null
+From b95b9452aacf80659ea67bf0948cbfa7e28e5e0b Mon Sep 17 00:00:00 2001
+From: Sawan Chandak <sawan.chandak@cavium.com>
+Date: Wed, 24 May 2017 18:06:20 -0700
+Subject: scsi: qla2xxx: Fix crash due to mismatch mumber of Q-pair creation for Multi queue
+
+From: Sawan Chandak <sawan.chandak@cavium.com>
+
+commit b95b9452aacf80659ea67bf0948cbfa7e28e5e0b upstream.
+
+when driver is loaded with Multi Queue enabled, it was noticed that
+there was one less queue pair created.
+
+Following message would indicate this:
+
+"No resources to create additional q pair."
+
+The result of one less queue pair means that system can crash, if the
+block mq layer thinks there is an extra hardware queue available, and
+the driver will use a NULL ptr qpair in that instance.
+
+Following stack trace is seen in one of the crash:
+
+irq_create_affinity_masks+0x98/0x530
+irq_create_affinity_masks+0x98/0x530
+__pci_enable_msix+0x321/0x4e0
+mutex_lock+0x12/0x40
+pci_alloc_irq_vectors_affinity+0xb5/0x140
+qla24xx_enable_msix+0x79/0x530 [qla2xxx]
+qla2x00_request_irqs+0x61/0x2d0 [qla2xxx]
+qla2x00_probe_one+0xc73/0x2390 [qla2xxx]
+ida_simple_get+0x98/0x100
+kernfs_next_descendant_post+0x40/0x50
+local_pci_probe+0x45/0xa0
+pci_device_probe+0xfc/0x140
+driver_probe_device+0x2c5/0x470
+__driver_attach+0xdd/0xe0
+driver_probe_device+0x470/0x470
+bus_for_each_dev+0x6c/0xc0
+driver_attach+0x1e/0x20
+bus_add_driver+0x45/0x270
+driver_register+0x60/0xe0
+__pci_register_driver+0x4c/0x50
+qla2x00_module_init+0x1ce/0x21e [qla2xxx]
+
+Signed-off-by: Sawan Chandak <sawan.chandak@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_def.h | 1 +
+ drivers/scsi/qla2xxx/qla_init.c | 5 ++++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_def.h
++++ b/drivers/scsi/qla2xxx/qla_def.h
+@@ -3425,6 +3425,7 @@ struct qla_hw_data {
+ uint8_t max_req_queues;
+ uint8_t max_rsp_queues;
+ uint8_t max_qpairs;
++ uint8_t num_qpairs;
+ struct qla_qpair *base_qpair;
+ struct qla_npiv_entry *npiv_info;
+ uint16_t nvram_npiv_size;
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -7543,12 +7543,13 @@ struct qla_qpair *qla2xxx_create_qpair(s
+ /* Assign available que pair id */
+ mutex_lock(&ha->mq_lock);
+ qpair_id = find_first_zero_bit(ha->qpair_qid_map, ha->max_qpairs);
+- if (qpair_id >= ha->max_qpairs) {
++ if (ha->num_qpairs >= ha->max_qpairs) {
+ mutex_unlock(&ha->mq_lock);
+ ql_log(ql_log_warn, vha, 0x0183,
+ "No resources to create additional q pair.\n");
+ goto fail_qid_map;
+ }
++ ha->num_qpairs++;
+ set_bit(qpair_id, ha->qpair_qid_map);
+ ha->queue_pair_map[qpair_id] = qpair;
+ qpair->id = qpair_id;
+@@ -7635,6 +7636,7 @@ fail_rsp:
+ fail_msix:
+ ha->queue_pair_map[qpair_id] = NULL;
+ clear_bit(qpair_id, ha->qpair_qid_map);
++ ha->num_qpairs--;
+ mutex_unlock(&ha->mq_lock);
+ fail_qid_map:
+ kfree(qpair);
+@@ -7660,6 +7662,7 @@ int qla2xxx_delete_qpair(struct scsi_qla
+ mutex_lock(&ha->mq_lock);
+ ha->queue_pair_map[qpair->id] = NULL;
+ clear_bit(qpair->id, ha->qpair_qid_map);
++ ha->num_qpairs--;
+ list_del(&qpair->qp_list_elem);
+ if (list_empty(&vha->qp_list))
+ vha->flags.qpairs_available = 0;
--- /dev/null
+From 74939a0bc772d642b1c12827966c4c3a3c90ea2c Mon Sep 17 00:00:00 2001
+From: Joe Carnuccio <joe.carnuccio@qlogic.com>
+Date: Wed, 24 May 2017 18:06:23 -0700
+Subject: scsi: qla2xxx: Fix mailbox pointer error in fwdump capture
+
+From: Joe Carnuccio <joe.carnuccio@qlogic.com>
+
+commit 74939a0bc772d642b1c12827966c4c3a3c90ea2c upstream.
+
+Signed-off-by: Joe Carnuccio <joe.carnuccio@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_dbg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_dbg.c
++++ b/drivers/scsi/qla2xxx/qla_dbg.c
+@@ -1131,7 +1131,7 @@ qla24xx_fw_dump(scsi_qla_host_t *vha, in
+
+ /* Mailbox registers. */
+ mbx_reg = ®->mailbox0;
+- for (cnt = 0; cnt < sizeof(fw->mailbox_reg) / 2; cnt++, dmp_reg++)
++ for (cnt = 0; cnt < sizeof(fw->mailbox_reg) / 2; cnt++, mbx_reg++)
+ fw->mailbox_reg[cnt] = htons(RD_REG_WORD(mbx_reg));
+
+ /* Transfer sequence registers. */
+@@ -2090,7 +2090,7 @@ qla83xx_fw_dump(scsi_qla_host_t *vha, in
+
+ /* Mailbox registers. */
+ mbx_reg = ®->mailbox0;
+- for (cnt = 0; cnt < sizeof(fw->mailbox_reg) / 2; cnt++, dmp_reg++)
++ for (cnt = 0; cnt < sizeof(fw->mailbox_reg) / 2; cnt++, mbx_reg++)
+ fw->mailbox_reg[cnt] = htons(RD_REG_WORD(mbx_reg));
+
+ /* Transfer sequence registers. */
--- /dev/null
+From 0ea88662b5c6404a8f7af6b040b3cf1f0e8c3a66 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <quinn.tran@cavium.com>
+Date: Wed, 24 May 2017 18:06:19 -0700
+Subject: scsi: qla2xxx: Fix NULL pointer access due to redundant fc_host_port_name call
+
+From: Quinn Tran <quinn.tran@cavium.com>
+
+commit 0ea88662b5c6404a8f7af6b040b3cf1f0e8c3a66 upstream.
+
+Remove redundant fc_host_port_name calls to prevent early access of
+scsi_host->shost_data buffer. This prevent null pointer access.
+
+Following stack trace is seen:
+
+BUG: unable to handle kernel NULL pointer dereference at 00000000000008
+IP: qla24xx_report_id_acquisition+0x22d/0x3a0 [qla2xxx]
+
+Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_mbx.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_mbx.c
++++ b/drivers/scsi/qla2xxx/qla_mbx.c
+@@ -3676,15 +3676,6 @@ qla24xx_report_id_acquisition(scsi_qla_h
+ qlt_update_host_map(vha, id);
+ }
+
+- fc_host_port_name(vha->host) =
+- wwn_to_u64(vha->port_name);
+-
+- if (qla_ini_mode_enabled(vha))
+- ql_dbg(ql_dbg_mbx, vha, 0x1018,
+- "FA-WWN portname %016llx (%x)\n",
+- fc_host_port_name(vha->host),
+- rptid_entry->vp_status);
+-
+ set_bit(REGISTER_FC4_NEEDED, &vha->dpc_flags);
+ set_bit(REGISTER_FDMI_NEEDED, &vha->dpc_flags);
+ } else {
--- /dev/null
+From cb590700e04d4f59179c44f360217f5ad04ae262 Mon Sep 17 00:00:00 2001
+From: "himanshu.madhani@cavium.com" <himanshu.madhani@cavium.com>
+Date: Wed, 24 May 2017 18:06:18 -0700
+Subject: scsi: qla2xxx: Fix recursive loop during target mode configuration for ISP25XX leaving system unresponsive
+
+From: himanshu.madhani@cavium.com <himanshu.madhani@cavium.com>
+
+commit cb590700e04d4f59179c44f360217f5ad04ae262 upstream.
+
+Following messages are seen into system logs
+
+qla2xxx [0000:09:00.0]-00af:9: Performing ISP error recovery - ha=ffff98315ee30000.
+qla2xxx [0000:09:00.0]-504b:9: RISC paused -- HCCR=40, Dumping firmware.
+qla2xxx [0000:09:00.0]-d009:9: Firmware has been previously dumped (ffffba488c001000) -- ignoring request.
+qla2xxx [0000:09:00.0]-504b:9: RISC paused -- HCCR=40, Dumping firmware.
+
+See Bugzilla for details
+https://bugzilla.kernel.org/show_bug.cgi?id=195285
+
+Fixes: d74595278f4ab ("scsi: qla2xxx: Add multiple queue pair functionality.")
+Reported-by: Laurence Oberman <loberman@redhat.com>
+Reported-by: Anthony Bloodoff <anthony.bloodoff@gmail.com>
+Tested-by: Laurence Oberman <loberman@redhat.com>
+Tested-by: Anthony Bloodoff <anthony.bloodoff@gmail.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Giridhar Malavali <giridhar.malavali@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_isr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -3282,7 +3282,7 @@ msix_register_fail:
+ }
+
+ /* Enable MSI-X vector for response queue update for queue 0 */
+- if (IS_QLA83XX(ha) || IS_QLA27XX(ha)) {
++ if (IS_QLA25XX(ha) || IS_QLA83XX(ha) || IS_QLA27XX(ha)) {
+ if (ha->msixbase && ha->mqiobase &&
+ (ha->max_rsp_queues > 1 || ha->max_req_queues > 1 ||
+ ql2xmqsupport))
--- /dev/null
+From ce6c668b146cc4f4442111e2bcee4c3af94e1ddf Mon Sep 17 00:00:00 2001
+From: Joe Carnuccio <joe.carnuccio@cavium.com>
+Date: Wed, 24 May 2017 18:06:21 -0700
+Subject: scsi: qla2xxx: Modify T262 FW dump template to specify same start/end to debug customer issues
+
+From: Joe Carnuccio <joe.carnuccio@cavium.com>
+
+commit ce6c668b146cc4f4442111e2bcee4c3af94e1ddf upstream.
+
+Firmware dump allows for debugging customer issues. This patch fixes
+start/end pointer calculation to capture T262 template entry for dump
+tool.
+
+Signed-off-by: Joe Carnuccio <joe.carnuccio@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_tmpl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_tmpl.c
++++ b/drivers/scsi/qla2xxx/qla_tmpl.c
+@@ -371,7 +371,7 @@ qla27xx_fwdt_entry_t262(struct scsi_qla_
+ goto done;
+ }
+
+- if (end <= start || start == 0 || end == 0) {
++ if (end < start || start == 0 || end == 0) {
+ ql_dbg(ql_dbg_misc, vha, 0xd023,
+ "%s: unusable range (start=%x end=%x)\n", __func__,
+ ent->t262.end_addr, ent->t262.start_addr);
--- /dev/null
+From 1d63496516c61e2e1351f10e6becbfc9ee511395 Mon Sep 17 00:00:00 2001
+From: Joe Carnuccio <joe.carnuccio@cavium.com>
+Date: Wed, 24 May 2017 18:06:22 -0700
+Subject: scsi: qla2xxx: Set bit 15 for DIAG_ECHO_TEST MBC
+
+From: Joe Carnuccio <joe.carnuccio@cavium.com>
+
+commit 1d63496516c61e2e1351f10e6becbfc9ee511395 upstream.
+
+Set bit (BIT_15) to send right ECHO payload information for Diagnostic
+Echo Test command.
+
+Signed-off-by: Joe Carnuccio <joe.carnuccio@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 9 +++++----
+ drivers/scsi/qla2xxx/qla_mbx.c | 4 ++--
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -730,6 +730,8 @@ qla2x00_process_loopback(struct bsg_job
+ return -EIO;
+ }
+
++ memset(&elreq, 0, sizeof(elreq));
++
+ elreq.req_sg_cnt = dma_map_sg(&ha->pdev->dev,
+ bsg_job->request_payload.sg_list, bsg_job->request_payload.sg_cnt,
+ DMA_TO_DEVICE);
+@@ -795,10 +797,9 @@ qla2x00_process_loopback(struct bsg_job
+
+ if (atomic_read(&vha->loop_state) == LOOP_READY &&
+ (ha->current_topology == ISP_CFG_F ||
+- ((IS_QLA81XX(ha) || IS_QLA8031(ha) || IS_QLA8044(ha)) &&
+- le32_to_cpu(*(uint32_t *)req_data) == ELS_OPCODE_BYTE
+- && req_data_len == MAX_ELS_FRAME_PAYLOAD)) &&
+- elreq.options == EXTERNAL_LOOPBACK) {
++ (le32_to_cpu(*(uint32_t *)req_data) == ELS_OPCODE_BYTE &&
++ req_data_len == MAX_ELS_FRAME_PAYLOAD)) &&
++ elreq.options == EXTERNAL_LOOPBACK) {
+ type = "FC_BSG_HST_VENDOR_ECHO_DIAG";
+ ql_dbg(ql_dbg_user, vha, 0x701e,
+ "BSG request type: %s.\n", type);
+--- a/drivers/scsi/qla2xxx/qla_mbx.c
++++ b/drivers/scsi/qla2xxx/qla_mbx.c
+@@ -4812,9 +4812,9 @@ qla2x00_echo_test(scsi_qla_host_t *vha,
+
+ memset(mcp->mb, 0 , sizeof(mcp->mb));
+ mcp->mb[0] = MBC_DIAGNOSTIC_ECHO;
+- mcp->mb[1] = mreq->options | BIT_6; /* BIT_6 specifies 64bit address */
++ /* BIT_6 specifies 64bit address */
++ mcp->mb[1] = mreq->options | BIT_15 | BIT_6;
+ if (IS_CNA_CAPABLE(ha)) {
+- mcp->mb[1] |= BIT_15;
+ mcp->mb[2] = vha->fcoe_fcf_idx;
+ }
+ mcp->mb[16] = LSW(mreq->rcv_dma);
--- /dev/null
+From 3c9101766b502a0163d1d437fada5801cf616be2 Mon Sep 17 00:00:00 2001
+From: Takatoshi Akiyama <takatoshi.akiyama.kj@ps.hitachi-solutions.com>
+Date: Mon, 27 Feb 2017 15:56:31 +0900
+Subject: serial: sh-sci: Fix panic when serial console and DMA are enabled
+
+From: Takatoshi Akiyama <takatoshi.akiyama.kj@ps.hitachi-solutions.com>
+
+commit 3c9101766b502a0163d1d437fada5801cf616be2 upstream.
+
+This patch fixes an issue that kernel panic happens when DMA is enabled
+and we press enter key while the kernel booting on the serial console.
+
+* An interrupt may occur after sci_request_irq().
+* DMA transfer area is initialized by setup_timer() in sci_request_dma()
+ and used in interrupt.
+
+If an interrupt occurred between sci_request_irq() and setup_timer() in
+sci_request_dma(), DMA transfer area has not been initialized yet.
+So, this patch changes the order of sci_request_irq() and
+sci_request_dma().
+
+Fixes: 73a19e4c0301 ("serial: sh-sci: Add DMA support.")
+Signed-off-by: Takatoshi Akiyama <takatoshi.akiyama.kj@ps.hitachi-solutions.com>
+[Shimoda changes the commit log]
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Cc: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/sh-sci.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -1985,11 +1985,13 @@ static int sci_startup(struct uart_port
+
+ dev_dbg(port->dev, "%s(%d)\n", __func__, port->line);
+
++ sci_request_dma(port);
++
+ ret = sci_request_irq(s);
+- if (unlikely(ret < 0))
++ if (unlikely(ret < 0)) {
++ sci_free_dma(port);
+ return ret;
+-
+- sci_request_dma(port);
++ }
+
+ return 0;
+ }
+@@ -2021,8 +2023,8 @@ static void sci_shutdown(struct uart_por
+ }
+ #endif
+
+- sci_free_dma(port);
+ sci_free_irq(s);
++ sci_free_dma(port);
+ }
+
+ static int sci_sck_calc(struct sci_port *s, unsigned int bps,
btrfs-fix-memory-leak-in-update_space_info-failure-path.patch
btrfs-fix-race-with-relocation-recovery-and-fs_root-setup.patch
btrfs-fix-delalloc-accounting-leak-caused-by-u32-overflow.patch
+kvm-arm-arm64-handle-possible-null-stage2-pud-when-ageing-pages.patch
+scsi-qla2xxx-don-t-disable-a-not-previously-enabled-pci-device.patch
+scsi-qla2xxx-fix-recursive-loop-during-target-mode-configuration-for-isp25xx-leaving-system-unresponsive.patch
+scsi-qla2xxx-fix-crash-due-to-mismatch-mumber-of-q-pair-creation-for-multi-queue.patch
+scsi-qla2xxx-fix-null-pointer-access-due-to-redundant-fc_host_port_name-call.patch
+scsi-qla2xxx-modify-t262-fw-dump-template-to-specify-same-start-end-to-debug-customer-issues.patch
+scsi-qla2xxx-set-bit-15-for-diag_echo_test-mbc.patch
+scsi-qla2xxx-fix-mailbox-pointer-error-in-fwdump-capture.patch
+powerpc-sysdev-simple_gpio-fix-oops-in-gpio-save_regs-function.patch
+powerpc-numa-fix-percpu-allocations-to-be-numa-aware.patch
+powerpc-hotplug-mem-fix-missing-endian-conversion-of-aa_index.patch
+powerpc-kernel-fix-fp-and-vector-register-restoration.patch
+powerpc-kernel-initialize-load_tm-on-task-creation.patch
+revert-ata-sata_mv-convert-to-devm_ioremap_resource.patch
+perf-core-drop-kernel-samples-even-though-u-is-specified.patch
+srcu-allow-use-of-classic-srcu-from-both-process-and-interrupt-context.patch
+net-qcom-emac-do-not-use-hardware-mdio-automatic-polling.patch
+drm-vmwgfx-handle-vmalloc-failure-in-vmw_local_fifo_reserve.patch
+drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_surface_define_ioctl.patch
+drm-vmwgfx-make-sure-backup_handle-is-always-valid.patch
+x86-microcode-intel-clear-patch-pointer-before-jettisoning-the-initrd.patch
+drm-nouveau-tmr-fully-separate-alarm-execution-pending-lists.patch
+alsa-timer-fix-race-between-read-and-ioctl.patch
+alsa-timer-fix-missing-queue-indices-reset-at-sndrv_timer_ioctl_select.patch
+asoc-fix-use-after-free-at-card-unregistration.patch
+cpu-hotplug-drop-the-device-lock-on-error.patch
+drivers-char-mem-fix-wraparound-check-to-allow-mappings-up-to-the-end.patch
+drm-i915-serialize-gtt-aperture-accesses-on-bxt.patch
+drm-i915-fix-runtime-pm-for-lpe-audio.patch
+drm-i915-skl-add-missing-skl-id.patch
+serial-sh-sci-fix-panic-when-serial-console-and-dma-are-enabled.patch
+pinctrl-cherryview-add-terminate-entry-for-dmi_system_id-tables.patch
+cgroup-mark-cgroup_get-with-__maybe_unused.patch
--- /dev/null
+From 1123a6041654e8f889014659593bad4168e542c2 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 31 May 2017 14:03:11 +0200
+Subject: srcu: Allow use of Classic SRCU from both process and interrupt context
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 1123a6041654e8f889014659593bad4168e542c2 upstream.
+
+Linu Cherian reported a WARN in cleanup_srcu_struct() when shutting
+down a guest running iperf on a VFIO assigned device. This happens
+because irqfd_wakeup() calls srcu_read_lock(&kvm->irq_srcu) in interrupt
+context, while a worker thread does the same inside kvm_set_irq(). If the
+interrupt happens while the worker thread is executing __srcu_read_lock(),
+updates to the Classic SRCU ->lock_count[] field or the Tree SRCU
+->srcu_lock_count[] field can be lost.
+
+The docs say you are not supposed to call srcu_read_lock() and
+srcu_read_unlock() from irq context, but KVM interrupt injection happens
+from (host) interrupt context and it would be nice if SRCU supported the
+use case. KVM is using SRCU here not really for the "sleepable" part,
+but rather due to its IPI-free fast detection of grace periods. It is
+therefore not desirable to switch back to RCU, which would effectively
+revert commit 719d93cd5f5c ("kvm/irqchip: Speed up KVM_SET_GSI_ROUTING",
+2014-01-16).
+
+However, the docs are overly conservative. You can have an SRCU instance
+only has users in irq context, and you can mix process and irq context
+as long as process context users disable interrupts. In addition,
+__srcu_read_unlock() actually uses this_cpu_dec() on both Tree SRCU and
+Classic SRCU. For those two implementations, only srcu_read_lock()
+is unsafe.
+
+When Classic SRCU's __srcu_read_unlock() was changed to use this_cpu_dec(),
+in commit 5a41344a3d83 ("srcu: Simplify __srcu_read_unlock() via
+this_cpu_dec()", 2012-11-29), __srcu_read_lock() did two increments.
+Therefore it kept __this_cpu_inc(), with preempt_disable/enable in
+the caller. Tree SRCU however only does one increment, so on most
+architectures it is more efficient for __srcu_read_lock() to use
+this_cpu_inc(), and any performance differences appear to be down in
+the noise.
+
+Fixes: 719d93cd5f5c ("kvm/irqchip: Speed up KVM_SET_GSI_ROUTING")
+Reported-by: Linu Cherian <linuc.decode@gmail.com>
+Suggested-by: Linu Cherian <linuc.decode@gmail.com>
+Cc: kvm@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/srcu.h | 2 --
+ kernel/rcu/srcu.c | 5 ++---
+ 2 files changed, 2 insertions(+), 5 deletions(-)
+
+--- a/include/linux/srcu.h
++++ b/include/linux/srcu.h
+@@ -232,9 +232,7 @@ static inline int srcu_read_lock(struct
+ {
+ int retval;
+
+- preempt_disable();
+ retval = __srcu_read_lock(sp);
+- preempt_enable();
+ rcu_lock_acquire(&(sp)->dep_map);
+ return retval;
+ }
+--- a/kernel/rcu/srcu.c
++++ b/kernel/rcu/srcu.c
+@@ -257,7 +257,7 @@ EXPORT_SYMBOL_GPL(cleanup_srcu_struct);
+
+ /*
+ * Counts the new reader in the appropriate per-CPU element of the
+- * srcu_struct. Must be called from process context.
++ * srcu_struct.
+ * Returns an index that must be passed to the matching srcu_read_unlock().
+ */
+ int __srcu_read_lock(struct srcu_struct *sp)
+@@ -265,7 +265,7 @@ int __srcu_read_lock(struct srcu_struct
+ int idx;
+
+ idx = READ_ONCE(sp->completed) & 0x1;
+- __this_cpu_inc(sp->per_cpu_ref->lock_count[idx]);
++ this_cpu_inc(sp->per_cpu_ref->lock_count[idx]);
+ smp_mb(); /* B */ /* Avoid leaking the critical section. */
+ return idx;
+ }
+@@ -275,7 +275,6 @@ EXPORT_SYMBOL_GPL(__srcu_read_lock);
+ * Removes the count for the old reader from the appropriate per-CPU
+ * element of the srcu_struct. Note that this may well be a different
+ * CPU than that which was incremented by the corresponding srcu_read_lock().
+- * Must be called from process context.
+ */
+ void __srcu_read_unlock(struct srcu_struct *sp, int idx)
+ {
--- /dev/null
+From 5b0bc9ac2ce4881ee318a21f31140584ce4dbdad Mon Sep 17 00:00:00 2001
+From: Dominik Brodowski <linux@dominikbrodowski.net>
+Date: Wed, 7 Jun 2017 11:58:19 +0200
+Subject: x86/microcode/intel: Clear patch pointer before jettisoning the initrd
+
+From: Dominik Brodowski <linux@dominikbrodowski.net>
+
+commit 5b0bc9ac2ce4881ee318a21f31140584ce4dbdad upstream.
+
+During early boot, load_ucode_intel_ap() uses __load_ucode_intel()
+to obtain a pointer to the relevant microcode patch (embedded in the
+initrd), and stores this value in 'intel_ucode_patch' to speed up the
+microcode patch application for subsequent CPUs.
+
+On resuming from suspend-to-RAM, however, load_ucode_ap() calls
+load_ucode_intel_ap() for each non-boot-CPU. By then the initramfs is
+long gone so the pointer stored in 'intel_ucode_patch' no longer points to
+a valid microcode patch.
+
+Clear that pointer so that we effectively fall back to the CPU hotplug
+notifier callbacks to update the microcode.
+
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+[ Edit and massage commit message. ]
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20170607095819.9754-1-bp@alien8.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/microcode/intel.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kernel/cpu/microcode/intel.c
++++ b/arch/x86/kernel/cpu/microcode/intel.c
+@@ -619,6 +619,9 @@ int __init save_microcode_in_initrd_inte
+
+ show_saved_mc();
+
++ /* initrd is going away, clear patch ptr. */
++ intel_ucode_patch = NULL;
++
+ return 0;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
