4.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 6 Mar 2018 18:49:26 +0000 (10:49 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 6 Mar 2018 18:49:26 +0000 (10:49 -0800)
added patches:
alsa-control-fix-memory-corruption-risk-in-snd_ctl_elem_read.patch
alsa-hda-add-a-power_save-blacklist.patch
alsa-hda-fix-pincfg-at-resume-on-lenovo-t470-dock.patch
alsa-usb-audio-add-a-quirck-for-b-w-px-headphones.patch
alsa-x86-fix-missing-spinlock-and-mutex-initializations.patch
block-fix-the-count-of-pgpgout-for-write_same.patch
block-kyber-fix-domain-token-leak-during-requeue.patch
block-pass-inclusive-lend-parameter-to-truncate_inode_pages_range.patch
btrfs-use-proper-endianness-accessors-for-super_copy.patch
cpufreq-s3c24xx-fix-broken-s3c_cpufreq_init.patch
dax-fix-vma_is_fsdax-helper.patch
direct-io-fix-sleep-in-atomic-due-to-sync-aio.patch
mmc-dw_mmc-avoid-accessing-registers-in-runtime-suspended-state.patch
mmc-dw_mmc-factor-out-dw_mci_init_slot_caps.patch
mmc-dw_mmc-fix-out-of-bounds-access-for-slot-s-caps.patch
mmc-dw_mmc-k3-fix-out-of-bounds-access-through-dt-alias.patch
mmc-sdhci-pci-fix-s0i3-for-intel-byt-based-controllers.patch
parisc-fix-ordering-of-cache-and-tlb-flushes.patch
parisc-hide-virtual-kernel-memory-layout.patch
parisc-reduce-irq-overhead-when-run-in-qemu.patch
parisc-use-cr16-interval-timers-unconditionally-on-qemu.patch
timers-forward-timer-base-before-migrating-timers.patch
vfio-disable-filesystem-dax-page-pinning.patch
x86-cpu_entry_area-sync-cpu_entry_area-to-initial_page_table.patch
x86-platform-intel-mid-handle-intel-edison-reboot-correctly.patch
x86-xen-zero-msr_ia32_spec_ctrl-before-suspend.patch

27 files changed:
queue-4.15/alsa-control-fix-memory-corruption-risk-in-snd_ctl_elem_read.patch [new file with mode: 0644]
queue-4.15/alsa-hda-add-a-power_save-blacklist.patch [new file with mode: 0644]
queue-4.15/alsa-hda-fix-pincfg-at-resume-on-lenovo-t470-dock.patch [new file with mode: 0644]
queue-4.15/alsa-usb-audio-add-a-quirck-for-b-w-px-headphones.patch [new file with mode: 0644]
queue-4.15/alsa-x86-fix-missing-spinlock-and-mutex-initializations.patch [new file with mode: 0644]
queue-4.15/block-fix-the-count-of-pgpgout-for-write_same.patch [new file with mode: 0644]
queue-4.15/block-kyber-fix-domain-token-leak-during-requeue.patch [new file with mode: 0644]
queue-4.15/block-pass-inclusive-lend-parameter-to-truncate_inode_pages_range.patch [new file with mode: 0644]
queue-4.15/btrfs-use-proper-endianness-accessors-for-super_copy.patch [new file with mode: 0644]
queue-4.15/cpufreq-s3c24xx-fix-broken-s3c_cpufreq_init.patch [new file with mode: 0644]
queue-4.15/dax-fix-vma_is_fsdax-helper.patch [new file with mode: 0644]
queue-4.15/direct-io-fix-sleep-in-atomic-due-to-sync-aio.patch [new file with mode: 0644]
queue-4.15/mmc-dw_mmc-avoid-accessing-registers-in-runtime-suspended-state.patch [new file with mode: 0644]
queue-4.15/mmc-dw_mmc-factor-out-dw_mci_init_slot_caps.patch [new file with mode: 0644]
queue-4.15/mmc-dw_mmc-fix-out-of-bounds-access-for-slot-s-caps.patch [new file with mode: 0644]
queue-4.15/mmc-dw_mmc-k3-fix-out-of-bounds-access-through-dt-alias.patch [new file with mode: 0644]
queue-4.15/mmc-sdhci-pci-fix-s0i3-for-intel-byt-based-controllers.patch [new file with mode: 0644]
queue-4.15/parisc-fix-ordering-of-cache-and-tlb-flushes.patch [new file with mode: 0644]
queue-4.15/parisc-hide-virtual-kernel-memory-layout.patch [new file with mode: 0644]
queue-4.15/parisc-reduce-irq-overhead-when-run-in-qemu.patch [new file with mode: 0644]
queue-4.15/parisc-use-cr16-interval-timers-unconditionally-on-qemu.patch [new file with mode: 0644]
queue-4.15/series
queue-4.15/timers-forward-timer-base-before-migrating-timers.patch [new file with mode: 0644]
queue-4.15/vfio-disable-filesystem-dax-page-pinning.patch [new file with mode: 0644]
queue-4.15/x86-cpu_entry_area-sync-cpu_entry_area-to-initial_page_table.patch [new file with mode: 0644]
queue-4.15/x86-platform-intel-mid-handle-intel-edison-reboot-correctly.patch [new file with mode: 0644]
queue-4.15/x86-xen-zero-msr_ia32_spec_ctrl-before-suspend.patch [new file with mode: 0644]

diff --git a/queue-4.15/alsa-control-fix-memory-corruption-risk-in-snd_ctl_elem_read.patch b/queue-4.15/alsa-control-fix-memory-corruption-risk-in-snd_ctl_elem_read.patch
new file mode 100644 (file)
index 0000000..f1fd644
--- /dev/null
@@ -0,0 +1,52 @@
+From 5a23699a39abc5328921a81b89383d088f6ba9cc Mon Sep 17 00:00:00 2001
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+Date: Tue, 27 Feb 2018 17:01:18 +0000
+Subject: ALSA: control: Fix memory corruption risk in snd_ctl_elem_read
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+commit 5a23699a39abc5328921a81b89383d088f6ba9cc upstream.
+
+The patch "ALSA: control: code refactoring for ELEM_READ/ELEM_WRITE
+operations" introduced a potential for kernel memory corruption due
+to an incorrect if statement allowing non-readable controls to fall
+through and call the get function. For TLV controls a driver can omit
+SNDRV_CTL_ELEM_ACCESS_READ to ensure that only the TLV get function
+can be called. Instead the normal get() can be invoked unexpectedly
+and as the driver expects that this will only be called for controls
+<= 512 bytes, potentially try to copy >512 bytes into the 512 byte
+return array, so corrupting kernel memory.
+
+The problem is an attempt to refactor the snd_ctl_elem_read function
+to invert the logic so that it conditionally aborted if the control
+is unreadable instead of conditionally executing. But the if statement
+wasn't inverted correctly.
+
+The correct inversion of
+
+    if (a && !b)
+
+is
+    if (!a || b)
+
+Fixes: becf9e5d553c2 ("ALSA: control: code refactoring for ELEM_READ/ELEM_WRITE operations")
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/control.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -888,7 +888,7 @@ static int snd_ctl_elem_read(struct snd_
+       index_offset = snd_ctl_get_ioff(kctl, &control->id);
+       vd = &kctl->vd[index_offset];
+-      if (!(vd->access & SNDRV_CTL_ELEM_ACCESS_READ) && kctl->get == NULL)
++      if (!(vd->access & SNDRV_CTL_ELEM_ACCESS_READ) || kctl->get == NULL)
+               return -EPERM;
+       snd_ctl_build_ioff(&control->id, kctl, index_offset);
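Review bot: The corrected guard in snd_ctl_elem_read has no comment explaining why either condition alone must reject the read, and the earlier mis-inversion shows how easily that intent is lost in a refactor. I would add above the `if`: `/* call get() only if the element is readable and has a get() callback; TLV-only controls omit ACCESS_READ */`. The function starts and ends outside this hunk, so the bound on the value buffer that the commit message describes cannot be checked from here.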
diff --git a/queue-4.15/alsa-hda-add-a-power_save-blacklist.patch b/queue-4.15/alsa-hda-add-a-power_save-blacklist.patch
new file mode 100644 (file)
index 0000000..553445e
--- /dev/null
@@ -0,0 +1,110 @@
+From 1ba8f9d308174e647b864c36209b4d7934d99888 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Thu, 22 Feb 2018 14:20:35 +0100
+Subject: ALSA: hda: Add a power_save blacklist
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 1ba8f9d308174e647b864c36209b4d7934d99888 upstream.
+
+On some boards setting power_save to a non 0 value leads to clicking /
+popping sounds when ever we enter/leave powersaving mode. Ideally we would
+figure out how to avoid these sounds, but that is not always feasible.
+
+This commit adds a blacklist for devices where powersaving is known to
+cause problems and disables it on these devices.
+
+Note I tried to put this blacklist in userspace first:
+https://github.com/systemd/systemd/pull/8128
+
+But the systemd maintainers rightfully pointed out that it would be
+impossible to then later remove entries once we actually find a way to
+make power-saving work on listed boards without issues. Having this list
+in the kernel will allow removal of the blacklist entry in the same commit
+which fixes the clicks / plops.
+
+The blacklist only applies to the default power_save module-option value,
+if a user explicitly sets the module-option then the blacklist is not
+used.
+
+[ added an ifdef CONFIG_PM for the build error -- tiwai]
+
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1525104
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=198611
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_intel.c |   38 ++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 36 insertions(+), 2 deletions(-)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -181,7 +181,7 @@ static const struct kernel_param_ops par
+ };
+ #define param_check_xint param_check_int
+-static int power_save = CONFIG_SND_HDA_POWER_SAVE_DEFAULT;
++static int power_save = -1;
+ module_param(power_save, xint, 0644);
+ MODULE_PARM_DESC(power_save, "Automatic power-saving timeout "
+                "(in second, 0 = disable).");
+@@ -2186,6 +2186,24 @@ out_free:
+       return err;
+ }
++#ifdef CONFIG_PM
++/* On some boards setting power_save to a non 0 value leads to clicking /
++ * popping sounds when ever we enter/leave powersaving mode. Ideally we would
++ * figure out how to avoid these sounds, but that is not always feasible.
++ * So we keep a list of devices where we disable powersaving as its known
++ * to causes problems on these devices.
++ */
++static struct snd_pci_quirk power_save_blacklist[] = {
++      /* https://bugzilla.redhat.com/show_bug.cgi?id=1525104 */
++      SND_PCI_QUIRK(0x1849, 0x0c0c, "Asrock B85M-ITX", 0),
++      /* https://bugzilla.redhat.com/show_bug.cgi?id=1525104 */
++      SND_PCI_QUIRK(0x1043, 0x8733, "Asus Prime X370-Pro", 0),
++      /* https://bugzilla.kernel.org/show_bug.cgi?id=198611 */
++      SND_PCI_QUIRK(0x17aa, 0x2227, "Lenovo X1 Carbon 3rd Gen", 0),
++      {}
++};
++#endif /* CONFIG_PM */
++
+ /* number of codec slots for each chipset: 0 = default slots (i.e. 4) */
+ static unsigned int azx_max_codecs[AZX_NUM_DRIVERS] = {
+       [AZX_DRIVER_NVIDIA] = 8,
+@@ -2198,6 +2216,7 @@ static int azx_probe_continue(struct azx
+       struct hdac_bus *bus = azx_bus(chip);
+       struct pci_dev *pci = chip->pci;
+       int dev = chip->dev_index;
++      int val;
+       int err;
+       hda->probe_continued = 1;
+@@ -2278,7 +2297,22 @@ static int azx_probe_continue(struct azx
+       chip->running = 1;
+       azx_add_card_list(chip);
+-      snd_hda_set_power_save(&chip->bus, power_save * 1000);
++
++      val = power_save;
++#ifdef CONFIG_PM
++      if (val == -1) {
++              const struct snd_pci_quirk *q;
++
++              val = CONFIG_SND_HDA_POWER_SAVE_DEFAULT;
++              q = snd_pci_quirk_lookup(chip->pci, power_save_blacklist);
++              if (q && val) {
++                      dev_info(chip->card->dev, "device %04x:%04x is on the power_save blacklist, forcing power_save to 0\n",
++                               q->subvendor, q->subdevice);
++                      val = 0;
++              }
++      }
++#endif /* CONFIG_PM */
++      snd_hda_set_power_save(&chip->bus, val * 1000);
+       if (azx_has_pm_runtime(chip) || hda->use_vga_switcheroo)
+               pm_runtime_put_autosuspend(&pci->dev);
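Review bot: `power_save_blacklist` is declared as a writable `static struct snd_pci_quirk` array, yet the new code only reads it through `snd_pci_quirk_lookup()` into a `const struct snd_pci_quirk *q`. Declaring it `static const struct snd_pci_quirk power_save_blacklist[] = {` would keep the table in read-only data and match how it is used. Separately, `val * 1000` in azx_probe_continue is still an `int` multiplication on a value that comes from a module parameter; any range check would be in the parameter setter, which is outside these hunks.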
diff --git a/queue-4.15/alsa-hda-fix-pincfg-at-resume-on-lenovo-t470-dock.patch b/queue-4.15/alsa-hda-fix-pincfg-at-resume-on-lenovo-t470-dock.patch
new file mode 100644 (file)
index 0000000..2789439
--- /dev/null
@@ -0,0 +1,48 @@
+From 71db96ddfa72671bd43cacdcc99ca178d90ba267 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 26 Feb 2018 15:36:38 +0100
+Subject: ALSA: hda - Fix pincfg at resume on Lenovo T470 dock
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 71db96ddfa72671bd43cacdcc99ca178d90ba267 upstream.
+
+We've added a quirk to enable the recent Lenovo dock support, where it
+overwrites the pin configs of NID 0x17 and 19, not only updating the
+pin config cache.  It works right after the boot, but the problem is
+that the pin configs are occasionally cleared when the machine goes to
+PM.  Meanwhile the quirk writes the pin configs only at the pre-probe,
+so this won't be applied any longer.
+
+For addressing that issue, this patch moves the code to overwrite the
+pin configs into HDA_FIXUP_ACT_INIT section so that it's always
+applied at both probe and resume time.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195161
+Fixes: 61fcf8ece9b6 ("ALSA: hda/realtek - Enable Thinkpad Dock device for ALC298 platform")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4875,13 +4875,14 @@ static void alc_fixup_tpt470_dock(struct
+       if (action == HDA_FIXUP_ACT_PRE_PROBE) {
+               spec->parse_flags = HDA_PINCFG_NO_HP_FIXUP;
++              snd_hda_apply_pincfgs(codec, pincfgs);
++      } else if (action == HDA_FIXUP_ACT_INIT) {
+               /* Enable DOCK device */
+               snd_hda_codec_write(codec, 0x17, 0,
+                           AC_VERB_SET_CONFIG_DEFAULT_BYTES_3, 0);
+               /* Enable DOCK device */
+               snd_hda_codec_write(codec, 0x19, 0,
+                           AC_VERB_SET_CONFIG_DEFAULT_BYTES_3, 0);
+-              snd_hda_apply_pincfgs(codec, pincfgs);
+       }
+ }
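Review bot: The new `HDA_FIXUP_ACT_INIT` branch in alc_fixup_tpt470_dock does not record why the codec writes moved there, and both writes keep the identical `/* Enable DOCK device */` comment. One comment at the top of the branch would preserve the reason given in the commit message: `/* pin configs can be cleared across PM, so rewrite NID 0x17 and 0x19 on every init (probe and resume) */`. The start of the function is outside the hunk.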
diff --git a/queue-4.15/alsa-usb-audio-add-a-quirck-for-b-w-px-headphones.patch b/queue-4.15/alsa-usb-audio-add-a-quirck-for-b-w-px-headphones.patch
new file mode 100644 (file)
index 0000000..0f7e424
--- /dev/null
@@ -0,0 +1,75 @@
+From 240a8af929c7c57dcde28682725b29cf8474e8e5 Mon Sep 17 00:00:00 2001
+From: Erik Veijola <erik.veijola@gmail.com>
+Date: Fri, 23 Feb 2018 14:06:52 +0200
+Subject: ALSA: usb-audio: Add a quirck for B&W PX headphones
+
+From: Erik Veijola <erik.veijola@gmail.com>
+
+commit 240a8af929c7c57dcde28682725b29cf8474e8e5 upstream.
+
+The capture interface doesn't work and the playback interface only
+supports 48 kHz sampling rate even though it advertises more rates.
+
+Signed-off-by: Erik Veijola <erik.veijola@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/quirks-table.h |   47 +++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 47 insertions(+)
+
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -3277,4 +3277,51 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge
+       }
+ },
++{
++      /*
++       * Bower's & Wilkins PX headphones only support the 48 kHz sample rate
++       * even though it advertises more. The capture interface doesn't work
++       * even on windows.
++       */
++      USB_DEVICE(0x19b5, 0x0021),
++      .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
++              .ifnum = QUIRK_ANY_INTERFACE,
++              .type = QUIRK_COMPOSITE,
++              .data = (const struct snd_usb_audio_quirk[]) {
++                      {
++                              .ifnum = 0,
++                              .type = QUIRK_AUDIO_STANDARD_MIXER,
++                      },
++                      /* Capture */
++                      {
++                              .ifnum = 1,
++                              .type = QUIRK_IGNORE_INTERFACE,
++                      },
++                      /* Playback */
++                      {
++                              .ifnum = 2,
++                              .type = QUIRK_AUDIO_FIXED_ENDPOINT,
++                              .data = &(const struct audioformat) {
++                                      .formats = SNDRV_PCM_FMTBIT_S16_LE,
++                                      .channels = 2,
++                                      .iface = 2,
++                                      .altsetting = 1,
++                                      .altset_idx = 1,
++                                      .attributes = UAC_EP_CS_ATTR_FILL_MAX |
++                                              UAC_EP_CS_ATTR_SAMPLE_RATE,
++                                      .endpoint = 0x03,
++                                      .ep_attr = USB_ENDPOINT_XFER_ISOC,
++                                      .rates = SNDRV_PCM_RATE_48000,
++                                      .rate_min = 48000,
++                                      .rate_max = 48000,
++                                      .nr_rates = 1,
++                                      .rate_table = (unsigned int[]) {
++                                              48000
++                                      }
++                              }
++                      },
++              }
++      }
++},
++
+ #undef USB_DEVICE_VENDOR_SPEC
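Review bot: The comment on the new quirk entry misspells the vendor as "Bower's & Wilkins" and mixes a plural subject with "it advertises". Suggested first sentence: `Bowers & Wilkins PX headphones only support the 48 kHz sample rate even though they advertise more.`, with `Windows` capitalised in the sentence that follows.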
diff --git a/queue-4.15/alsa-x86-fix-missing-spinlock-and-mutex-initializations.patch b/queue-4.15/alsa-x86-fix-missing-spinlock-and-mutex-initializations.patch
new file mode 100644 (file)
index 0000000..246718a
--- /dev/null
@@ -0,0 +1,35 @@
+From 350144069abf351c743d766b2fba9cb9b7cd32a1 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 28 Feb 2018 08:36:06 +0100
+Subject: ALSA: x86: Fix missing spinlock and mutex initializations
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 350144069abf351c743d766b2fba9cb9b7cd32a1 upstream.
+
+The commit change for supporting the multiple ports moved involved
+some code shuffling, and there the initializations of spinlock and
+mutex in snd_intelhad object were dropped mistakenly.
+
+This patch adds the missing initializations again for each port.
+
+Fixes: b4eb0d522fcb ("ALSA: x86: Split snd_intelhad into card and PCM specific structures")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/x86/intel_hdmi_audio.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/x86/intel_hdmi_audio.c
++++ b/sound/x86/intel_hdmi_audio.c
+@@ -1827,6 +1827,8 @@ static int hdmi_lpe_audio_probe(struct p
+               ctx->port = port;
+               ctx->pipe = -1;
++              spin_lock_init(&ctx->had_spinlock);
++              mutex_init(&ctx->mutex);
+               INIT_WORK(&ctx->hdmi_audio_wq, had_audio_wq);
+               ret = snd_pcm_new(card, INTEL_HAD, port, MAX_PB_STREAMS,
diff --git a/queue-4.15/block-fix-the-count-of-pgpgout-for-write_same.patch b/queue-4.15/block-fix-the-count-of-pgpgout-for-write_same.patch
new file mode 100644 (file)
index 0000000..fd2555b
--- /dev/null
@@ -0,0 +1,35 @@
+From 7c5a0dcf557c6511a61e092ba887de28882fe857 Mon Sep 17 00:00:00 2001
+From: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+Date: Tue, 27 Feb 2018 20:10:03 +0800
+Subject: block: fix the count of PGPGOUT for WRITE_SAME
+
+From: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+
+commit 7c5a0dcf557c6511a61e092ba887de28882fe857 upstream.
+
+The vm counters is counted in sectors, so we should do the conversation
+in submit_bio.
+
+Fixes: 74d46992e0d9 ("block: replace bi_bdev with a gendisk pointer and partitions index")
+Cc: stable@vger.kernel.org
+Reviewed-by: Omar Sandoval <osandov@fb.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -2401,7 +2401,7 @@ blk_qc_t submit_bio(struct bio *bio)
+               unsigned int count;
+               if (unlikely(bio_op(bio) == REQ_OP_WRITE_SAME))
+-                      count = queue_logical_block_size(bio->bi_disk->queue);
++                      count = queue_logical_block_size(bio->bi_disk->queue) >> 9;
+               else
+                       count = bio_sectors(bio);
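Review bot: The bare `>> 9` added in submit_bio converts the logical block size from bytes to 512-byte sectors, but nothing at the site says so. A short comment above the assignment, such as `/* block size is in bytes; the vm counters are in 512-byte sectors */`, would keep the shift from being dropped again in a later cleanup. The rest of the function is outside the hunk.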
diff --git a/queue-4.15/block-kyber-fix-domain-token-leak-during-requeue.patch b/queue-4.15/block-kyber-fix-domain-token-leak-during-requeue.patch
new file mode 100644 (file)
index 0000000..49fc63d
--- /dev/null
@@ -0,0 +1,35 @@
+From ba989a01469d027861e55c8f1121edadef757797 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Fri, 23 Feb 2018 23:36:57 +0800
+Subject: block: kyber: fix domain token leak during requeue
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit ba989a01469d027861e55c8f1121edadef757797 upstream.
+
+When requeuing request, the domain token should have been freed
+before re-inserting the request to io scheduler. Otherwise, the
+assigned domain token will be leaked, and IO hang can be caused.
+
+Cc: Paolo Valente <paolo.valente@linaro.org>
+Cc: Omar Sandoval <osandov@fb.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/kyber-iosched.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/block/kyber-iosched.c
++++ b/block/kyber-iosched.c
+@@ -833,6 +833,7 @@ static struct elevator_type kyber_sched
+               .limit_depth = kyber_limit_depth,
+               .prepare_request = kyber_prepare_request,
+               .finish_request = kyber_finish_request,
++              .requeue_request = kyber_finish_request,
+               .completed_request = kyber_completed_request,
+               .dispatch_request = kyber_dispatch_request,
+               .has_work = kyber_has_work,
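Review bot: Wiring `.requeue_request` to `kyber_finish_request` means the same handler can run for one request on requeue and again on final completion, and the handler body is not visible in this hunk. It is worth confirming that it marks the domain token as released after clearing it, so a second call cannot clear a token that has since been handed to another request. A comment on the new line would record the intent: `/* requeue must drop the domain token, exactly as finish does */`.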
diff --git a/queue-4.15/block-pass-inclusive-lend-parameter-to-truncate_inode_pages_range.patch b/queue-4.15/block-pass-inclusive-lend-parameter-to-truncate_inode_pages_range.patch
new file mode 100644 (file)
index 0000000..42477b0
--- /dev/null
@@ -0,0 +1,37 @@
+From 0bd1ed4860d0f5f836aa8371797689a3779d1bf5 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Sat, 10 Feb 2018 08:46:17 +0800
+Subject: block: pass inclusive 'lend' parameter to truncate_inode_pages_range
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit 0bd1ed4860d0f5f836aa8371797689a3779d1bf5 upstream.
+
+The 'lend' parameter of truncate_inode_pages_range is required to be
+inclusive, so follow the rule.
+
+This patch fixes one memory corruption triggered by discard.
+
+Cc: <stable@vger.kernel.org>
+Cc: Dmitry Monakhov <dmonakhov@openvz.org>
+Fixes: 351499a172c0 ("block: Invalidate cache on discard v2")
+Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/ioctl.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/block/ioctl.c
++++ b/block/ioctl.c
+@@ -225,7 +225,7 @@ static int blk_ioctl_discard(struct bloc
+       if (start + len > i_size_read(bdev->bd_inode))
+               return -EINVAL;
+-      truncate_inode_pages_range(mapping, start, start + len);
++      truncate_inode_pages_range(mapping, start, start + len - 1);
+       return blkdev_issue_discard(bdev, start >> 9, len >> 9,
+                                   GFP_KERNEL, flags);
+ }
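Review bot: With the new `start + len - 1` argument in blk_ioctl_discard, a zero `len` gives `start - 1`, and for `start == 0` that is -1, which truncate_inode_pages_range treats as "to the end of the mapping". The size check just above also computes `start + len`, which can wrap if both are unsigned 64-bit values taken from the ioctl argument. Their declarations and any earlier guards are outside this hunk; if nothing there rejects these cases, add `if (!len || start + len < start) return -EINVAL;` before the size check.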
diff --git a/queue-4.15/btrfs-use-proper-endianness-accessors-for-super_copy.patch b/queue-4.15/btrfs-use-proper-endianness-accessors-for-super_copy.patch
new file mode 100644 (file)
index 0000000..b7ffb56
--- /dev/null
@@ -0,0 +1,101 @@
+From 3c181c12c431fe33b669410d663beb9cceefcd1b Mon Sep 17 00:00:00 2001
+From: Anand Jain <anand.jain@oracle.com>
+Date: Thu, 22 Feb 2018 21:58:42 +0800
+Subject: btrfs: use proper endianness accessors for super_copy
+
+From: Anand Jain <anand.jain@oracle.com>
+
+commit 3c181c12c431fe33b669410d663beb9cceefcd1b upstream.
+
+The fs_info::super_copy is a byte copy of the on-disk structure and all
+members must use the accessor macros/functions to obtain the right
+value.  This was missing in update_super_roots and in sysfs readers.
+
+Moving between opposite endianness hosts will report bogus numbers in
+sysfs, and mount may fail as the root will not be restored correctly. If
+the filesystem is always used on a same endian host, this will not be a
+problem.
+
+Fix this by using the btrfs_set_super...() functions to set
+fs_info::super_copy values, and for the sysfs, use the cached
+fs_info::nodesize/sectorsize values.
+
+CC: stable@vger.kernel.org
+Fixes: df93589a17378 ("btrfs: export more from FS_INFO to sysfs")
+Signed-off-by: Anand Jain <anand.jain@oracle.com>
+Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+[ update changelog ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/sysfs.c       |    8 +++-----
+ fs/btrfs/transaction.c |   20 ++++++++++++--------
+ 2 files changed, 15 insertions(+), 13 deletions(-)
+
+--- a/fs/btrfs/sysfs.c
++++ b/fs/btrfs/sysfs.c
+@@ -423,7 +423,7 @@ static ssize_t btrfs_nodesize_show(struc
+ {
+       struct btrfs_fs_info *fs_info = to_fs_info(kobj);
+-      return snprintf(buf, PAGE_SIZE, "%u\n", fs_info->super_copy->nodesize);
++      return snprintf(buf, PAGE_SIZE, "%u\n", fs_info->nodesize);
+ }
+ BTRFS_ATTR(, nodesize, btrfs_nodesize_show);
+@@ -433,8 +433,7 @@ static ssize_t btrfs_sectorsize_show(str
+ {
+       struct btrfs_fs_info *fs_info = to_fs_info(kobj);
+-      return snprintf(buf, PAGE_SIZE, "%u\n",
+-                      fs_info->super_copy->sectorsize);
++      return snprintf(buf, PAGE_SIZE, "%u\n", fs_info->sectorsize);
+ }
+ BTRFS_ATTR(, sectorsize, btrfs_sectorsize_show);
+@@ -444,8 +443,7 @@ static ssize_t btrfs_clone_alignment_sho
+ {
+       struct btrfs_fs_info *fs_info = to_fs_info(kobj);
+-      return snprintf(buf, PAGE_SIZE, "%u\n",
+-                      fs_info->super_copy->sectorsize);
++      return snprintf(buf, PAGE_SIZE, "%u\n", fs_info->sectorsize);
+ }
+ BTRFS_ATTR(, clone_alignment, btrfs_clone_alignment_show);
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -1723,19 +1723,23 @@ static void update_super_roots(struct bt
+       super = fs_info->super_copy;
++      /* update latest btrfs_super_block::chunk_root refs */
+       root_item = &fs_info->chunk_root->root_item;
+-      super->chunk_root = root_item->bytenr;
+-      super->chunk_root_generation = root_item->generation;
+-      super->chunk_root_level = root_item->level;
++      btrfs_set_super_chunk_root(super, root_item->bytenr);
++      btrfs_set_super_chunk_root_generation(super, root_item->generation);
++      btrfs_set_super_chunk_root_level(super, root_item->level);
++      /* update latest btrfs_super_block::root refs */
+       root_item = &fs_info->tree_root->root_item;
+-      super->root = root_item->bytenr;
+-      super->generation = root_item->generation;
+-      super->root_level = root_item->level;
++      btrfs_set_super_root(super, root_item->bytenr);
++      btrfs_set_super_generation(super, root_item->generation);
++      btrfs_set_super_root_level(super, root_item->level);
++
+       if (btrfs_test_opt(fs_info, SPACE_CACHE))
+-              super->cache_generation = root_item->generation;
++              btrfs_set_super_cache_generation(super, root_item->generation);
+       if (test_bit(BTRFS_FS_UPDATE_UUID_TREE_GEN, &fs_info->flags))
+-              super->uuid_tree_generation = root_item->generation;
++              btrfs_set_super_uuid_tree_generation(super,
++                                                   root_item->generation);
+ }
+ int btrfs_transaction_in_commit(struct btrfs_fs_info *info)
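Review bot: In update_super_roots the new setter calls take `root_item->bytenr`, `root_item->generation` and `root_item->level` as raw field reads. The struct definition is outside this hunk, but if `root_item` is itself in on-disk little-endian format, as `super_copy` is, the setter's CPU-to-LE conversion swaps the bytes a second time on big-endian hosts. The old direct assignment would then have been correct, while the sysfs change is independent of this. Either keep the plain assignments here or read through the matching stack accessors, e.g. `btrfs_set_super_chunk_root(super, btrfs_root_bytenr(root_item));`, and likewise for generation and level. Running sparse with endian checking over this file would settle which case applies.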
diff --git a/queue-4.15/cpufreq-s3c24xx-fix-broken-s3c_cpufreq_init.patch b/queue-4.15/cpufreq-s3c24xx-fix-broken-s3c_cpufreq_init.patch
new file mode 100644 (file)
index 0000000..e272508
--- /dev/null
@@ -0,0 +1,47 @@
+From 0373ca74831b0f93cd4cdbf7ad3aec3c33a479a5 Mon Sep 17 00:00:00 2001
+From: Viresh Kumar <viresh.kumar@linaro.org>
+Date: Fri, 23 Feb 2018 09:38:28 +0530
+Subject: cpufreq: s3c24xx: Fix broken s3c_cpufreq_init()
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+commit 0373ca74831b0f93cd4cdbf7ad3aec3c33a479a5 upstream.
+
+commit a307a1e6bc0d "cpufreq: s3c: use cpufreq_generic_init()"
+accidentally broke cpufreq on s3c2410 and s3c2412.
+
+These two platforms don't have a CPU frequency table and used to skip
+calling cpufreq_table_validate_and_show() for them.  But with the
+above commit, we started calling it unconditionally and that will
+eventually fail as the frequency table pointer is NULL.
+
+Fix this by calling cpufreq_table_validate_and_show() conditionally
+again.
+
+Fixes: a307a1e6bc0d "cpufreq: s3c: use cpufreq_generic_init()"
+Cc: 3.13+ <stable@vger.kernel.org> # v3.13+
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/s3c24xx-cpufreq.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/cpufreq/s3c24xx-cpufreq.c
++++ b/drivers/cpufreq/s3c24xx-cpufreq.c
+@@ -351,7 +351,13 @@ struct clk *s3c_cpufreq_clk_get(struct d
+ static int s3c_cpufreq_init(struct cpufreq_policy *policy)
+ {
+       policy->clk = clk_arm;
+-      return cpufreq_generic_init(policy, ftab, cpu_cur.info->latency);
++
++      policy->cpuinfo.transition_latency = cpu_cur.info->latency;
++
++      if (ftab)
++              return cpufreq_table_validate_and_show(policy, ftab);
++
++      return 0;
+ }
+ static int __init s3c_cpufreq_initclks(void)
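Review bot: s3c_cpufreq_init now returns 0 without validating a table when `ftab` is NULL, and the reason is recorded only in the commit message. A comment above the check, e.g. `/* s3c2410 and s3c2412 have no frequency table */`, would keep a later cleanup from making the call unconditional again, which is the regression this patch repairs.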
diff --git a/queue-4.15/dax-fix-vma_is_fsdax-helper.patch b/queue-4.15/dax-fix-vma_is_fsdax-helper.patch
new file mode 100644 (file)
index 0000000..71ac86c
--- /dev/null
@@ -0,0 +1,37 @@
+From 230f5a8969d8345fc9bbe3683f068246cf1be4b8 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Wed, 21 Feb 2018 17:08:01 -0800
+Subject: dax: fix vma_is_fsdax() helper
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit 230f5a8969d8345fc9bbe3683f068246cf1be4b8 upstream.
+
+Gerd reports that ->i_mode may contain other bits besides S_IFCHR. Use
+S_ISCHR() instead. Otherwise, get_user_pages_longterm() may fail on
+device-dax instances when those are meant to be explicitly allowed.
+
+Fixes: 2bb6d2837083 ("mm: introduce get_user_pages_longterm")
+Cc: <stable@vger.kernel.org>
+Reported-by: Gerd Rausch <gerd.rausch@oracle.com>
+Acked-by: Jane Chu <jane.chu@oracle.com>
+Reported-by: Haozhong Zhang <haozhong.zhang@intel.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/fs.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -3204,7 +3204,7 @@ static inline bool vma_is_fsdax(struct v
+       if (!vma_is_dax(vma))
+               return false;
+       inode = file_inode(vma->vm_file);
+-      if (inode->i_mode == S_IFCHR)
++      if (S_ISCHR(inode->i_mode))
+               return false; /* device-dax */
+       return true;
+ }
diff --git a/queue-4.15/direct-io-fix-sleep-in-atomic-due-to-sync-aio.patch b/queue-4.15/direct-io-fix-sleep-in-atomic-due-to-sync-aio.patch
new file mode 100644 (file)
index 0000000..4dd9ca7
--- /dev/null
@@ -0,0 +1,48 @@
+From d9c10e5b8863cfb6886d1640386455075c6e979d Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 26 Feb 2018 12:51:43 +0100
+Subject: direct-io: Fix sleep in atomic due to sync AIO
+
+From: Jan Kara <jack@suse.cz>
+
+commit d9c10e5b8863cfb6886d1640386455075c6e979d upstream.
+
+Commit e864f39569f4 "fs: add RWF_DSYNC aand RWF_SYNC" added additional
+way for direct IO to become synchronous and thus trigger fsync from the
+IO completion handler. Then commit 9830f4be159b "fs: Use RWF_* flags for
+AIO operations" allowed these flags to be set for AIO as well. However
+that commit forgot to update the condition checking whether the IO
+completion handling should be defered to a workqueue and thus AIO DIO
+with RWF_[D]SYNC set will call fsync() from IRQ context resulting in
+sleep in atomic.
+
+Fix the problem by checking directly iocb flags (the same way as it is
+done in dio_complete()) instead of checking all conditions that could
+lead to IO being synchronous.
+
+CC: Christoph Hellwig <hch@lst.de>
+CC: Goldwyn Rodrigues <rgoldwyn@suse.com>
+CC: stable@vger.kernel.org
+Reported-by: Mark Rutland <mark.rutland@arm.com>
+Tested-by: Mark Rutland <mark.rutland@arm.com>
+Fixes: 9830f4be159b29399d107bffb99e0132bc5aedd4
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/direct-io.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/direct-io.c
++++ b/fs/direct-io.c
+@@ -1252,8 +1252,7 @@ do_blockdev_direct_IO(struct kiocb *iocb
+        */
+       if (dio->is_async && iov_iter_rw(iter) == WRITE) {
+               retval = 0;
+-              if ((iocb->ki_filp->f_flags & O_DSYNC) ||
+-                  IS_SYNC(iocb->ki_filp->f_mapping->host))
++              if (iocb->ki_flags & IOCB_DSYNC)
+                       retval = dio_set_defer_completion(dio);
+               else if (!dio->inode->i_sb->s_dio_done_wq) {
+                       /*
diff --git a/queue-4.15/mmc-dw_mmc-avoid-accessing-registers-in-runtime-suspended-state.patch b/queue-4.15/mmc-dw_mmc-avoid-accessing-registers-in-runtime-suspended-state.patch
new file mode 100644 (file)
index 0000000..184cc43
--- /dev/null
@@ -0,0 +1,45 @@
+From 5b43df8b4c1a7f0c3fbf793c9566068e6b1e570c Mon Sep 17 00:00:00 2001
+From: Shawn Lin <shawn.lin@rock-chips.com>
+Date: Fri, 23 Feb 2018 16:47:25 +0800
+Subject: mmc: dw_mmc: Avoid accessing registers in runtime suspended state
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+commit 5b43df8b4c1a7f0c3fbf793c9566068e6b1e570c upstream.
+
+cat /sys/kernel/debug/mmc0/regs will hang up the system since
+it's in runtime suspended state, so the genpd and biu_clk is
+off. This patch fixes this problem by calling pm_runtime_get_sync
+to wake it up before reading the registers.
+
+Fixes: e9ed8835e990 ("mmc: dw_mmc: add runtime PM callback")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Reviewed-by: Jaehoon Chung <jh80.chung@samsung.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/dw_mmc.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/mmc/host/dw_mmc.c
++++ b/drivers/mmc/host/dw_mmc.c
+@@ -165,6 +165,8 @@ static int dw_mci_regs_show(struct seq_f
+ {
+       struct dw_mci *host = s->private;
++      pm_runtime_get_sync(host->dev);
++
+       seq_printf(s, "STATUS:\t0x%08x\n", mci_readl(host, STATUS));
+       seq_printf(s, "RINTSTS:\t0x%08x\n", mci_readl(host, RINTSTS));
+       seq_printf(s, "CMD:\t0x%08x\n", mci_readl(host, CMD));
+@@ -172,6 +174,8 @@ static int dw_mci_regs_show(struct seq_f
+       seq_printf(s, "INTMASK:\t0x%08x\n", mci_readl(host, INTMASK));
+       seq_printf(s, "CLKENA:\t0x%08x\n", mci_readl(host, CLKENA));
++      pm_runtime_put_autosuspend(host->dev);
++
+       return 0;
+ }
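Review bot: The return value of `pm_runtime_get_sync(host->dev)` at the top of dw_mci_regs_show() is discarded. If the resume fails, the `mci_readl()` calls below still touch a controller whose power domain and clock may be off, which is the hang the commit message describes. Check the result and bail out before the first register read; on failure the usage count taken by the get call has to be dropped again with `pm_runtime_put_noidle()`. Since this debugfs file can be read at any time, the error path is worth having rather than assuming resume always succeeds.

```c
	struct dw_mci *host = s->private;
	int ret;

	ret = pm_runtime_get_sync(host->dev);
	if (ret < 0) {
		/* get_sync raised the usage count even though resume failed */
		pm_runtime_put_noidle(host->dev);
		return ret;
	}

	/* … unchanged: seq_printf() register dump and pm_runtime_put_autosuspend() … */
```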
diff --git a/queue-4.15/mmc-dw_mmc-factor-out-dw_mci_init_slot_caps.patch b/queue-4.15/mmc-dw_mmc-factor-out-dw_mci_init_slot_caps.patch
new file mode 100644 (file)
index 0000000..141e521
--- /dev/null
@@ -0,0 +1,120 @@
+From a4faa4929ed3be15e2d500d2405f992f6dedc8eb Mon Sep 17 00:00:00 2001
+From: Shawn Lin <shawn.lin@rock-chips.com>
+Date: Sat, 24 Feb 2018 14:17:22 +0800
+Subject: mmc: dw_mmc: Factor out dw_mci_init_slot_caps
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+commit a4faa4929ed3be15e2d500d2405f992f6dedc8eb upstream.
+
+Factor out dw_mci_init_slot_caps to consolidate parsing
+all differents types of capabilities from host contrllers.
+No functional change intended.
+
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Fixes: 800d78bfccb3 ("mmc: dw_mmc: add support for implementation specific callbacks")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/dw_mmc.c |   73 +++++++++++++++++++++++++++-------------------
+ 1 file changed, 43 insertions(+), 30 deletions(-)
+
+--- a/drivers/mmc/host/dw_mmc.c
++++ b/drivers/mmc/host/dw_mmc.c
+@@ -2782,12 +2782,50 @@ static irqreturn_t dw_mci_interrupt(int
+       return IRQ_HANDLED;
+ }
++static int dw_mci_init_slot_caps(struct dw_mci_slot *slot)
++{
++      struct dw_mci *host = slot->host;
++      const struct dw_mci_drv_data *drv_data = host->drv_data;
++      struct mmc_host *mmc = slot->mmc;
++      int ctrl_id;
++
++      if (host->pdata->caps)
++              mmc->caps = host->pdata->caps;
++
++      /*
++       * Support MMC_CAP_ERASE by default.
++       * It needs to use trim/discard/erase commands.
++       */
++      mmc->caps |= MMC_CAP_ERASE;
++
++      if (host->pdata->pm_caps)
++              mmc->pm_caps = host->pdata->pm_caps;
++
++      if (host->dev->of_node) {
++              ctrl_id = of_alias_get_id(host->dev->of_node, "mshc");
++              if (ctrl_id < 0)
++                      ctrl_id = 0;
++      } else {
++              ctrl_id = to_platform_device(host->dev)->id;
++      }
++      if (drv_data && drv_data->caps)
++              mmc->caps |= drv_data->caps[ctrl_id];
++
++      if (host->pdata->caps2)
++              mmc->caps2 = host->pdata->caps2;
++
++      /* Process SDIO IRQs through the sdio_irq_work. */
++      if (mmc->caps & MMC_CAP_SDIO_IRQ)
++              mmc->caps2 |= MMC_CAP2_SDIO_IRQ_NOTHREAD;
++
++      return 0;
++}
++
+ static int dw_mci_init_slot(struct dw_mci *host)
+ {
+       struct mmc_host *mmc;
+       struct dw_mci_slot *slot;
+-      const struct dw_mci_drv_data *drv_data = host->drv_data;
+-      int ctrl_id, ret;
++      int ret;
+       u32 freq[2];
+       mmc = mmc_alloc_host(sizeof(struct dw_mci_slot), host->dev);
+@@ -2821,38 +2859,13 @@ static int dw_mci_init_slot(struct dw_mc
+       if (!mmc->ocr_avail)
+               mmc->ocr_avail = MMC_VDD_32_33 | MMC_VDD_33_34;
+-      if (host->pdata->caps)
+-              mmc->caps = host->pdata->caps;
+-
+-      /*
+-       * Support MMC_CAP_ERASE by default.
+-       * It needs to use trim/discard/erase commands.
+-       */
+-      mmc->caps |= MMC_CAP_ERASE;
+-
+-      if (host->pdata->pm_caps)
+-              mmc->pm_caps = host->pdata->pm_caps;
+-
+-      if (host->dev->of_node) {
+-              ctrl_id = of_alias_get_id(host->dev->of_node, "mshc");
+-              if (ctrl_id < 0)
+-                      ctrl_id = 0;
+-      } else {
+-              ctrl_id = to_platform_device(host->dev)->id;
+-      }
+-      if (drv_data && drv_data->caps)
+-              mmc->caps |= drv_data->caps[ctrl_id];
+-
+-      if (host->pdata->caps2)
+-              mmc->caps2 = host->pdata->caps2;
+-
+       ret = mmc_of_parse(mmc);
+       if (ret)
+               goto err_host_allocated;
+-      /* Process SDIO IRQs through the sdio_irq_work. */
+-      if (mmc->caps & MMC_CAP_SDIO_IRQ)
+-              mmc->caps2 |= MMC_CAP2_SDIO_IRQ_NOTHREAD;
++      ret = dw_mci_init_slot_caps(slot);
++      if (ret)
++              goto err_host_allocated;
+       /* Useful defaults if platform data is unset. */
+       if (host->use_dma == TRANS_MODE_IDMAC) {
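Review bot: Calling dw_mci_init_slot_caps() after `mmc_of_parse(mmc)` changes the order in which `mmc->caps` is built, although the description says no functional change is intended. The removed lines applied `mmc->caps = host->pdata->caps` and `mmc->caps2 = host->pdata->caps2` before the parse; they now run after it as plain assignments, so non-zero platform data would overwrite anything mmc_of_parse() stored in those fields (assuming it sets capability bits from the device tree, which this hunk does not show). If the call has to stay after the parse for the SDIO IRQ test, consider `mmc->caps |= host->pdata->caps;` and `mmc->caps2 |= host->pdata->caps2;`, or state in a comment above the call that platform data intentionally wins. dw_mci_init_slot() continues outside the hunk.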
diff --git a/queue-4.15/mmc-dw_mmc-fix-out-of-bounds-access-for-slot-s-caps.patch b/queue-4.15/mmc-dw_mmc-fix-out-of-bounds-access-for-slot-s-caps.patch
new file mode 100644 (file)
index 0000000..56861a1
--- /dev/null
@@ -0,0 +1,105 @@
+From 0d84b9e5631d923744767dc6608672df906dd092 Mon Sep 17 00:00:00 2001
+From: Shawn Lin <shawn.lin@rock-chips.com>
+Date: Sat, 24 Feb 2018 14:17:23 +0800
+Subject: mmc: dw_mmc: Fix out-of-bounds access for slot's caps
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+commit 0d84b9e5631d923744767dc6608672df906dd092 upstream.
+
+Add num_caps field for dw_mci_drv_data to validate the controller
+id from DT alias and non-DT ways.
+
+Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Fixes: 800d78bfccb3 ("mmc: dw_mmc: add support for implementation specific callbacks")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/dw_mmc-exynos.c   |    1 +
+ drivers/mmc/host/dw_mmc-k3.c       |    1 +
+ drivers/mmc/host/dw_mmc-rockchip.c |    1 +
+ drivers/mmc/host/dw_mmc-zx.c       |    1 +
+ drivers/mmc/host/dw_mmc.c          |    9 ++++++++-
+ drivers/mmc/host/dw_mmc.h          |    2 ++
+ 6 files changed, 14 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/dw_mmc-exynos.c
++++ b/drivers/mmc/host/dw_mmc-exynos.c
+@@ -487,6 +487,7 @@ static unsigned long exynos_dwmmc_caps[4
+ static const struct dw_mci_drv_data exynos_drv_data = {
+       .caps                   = exynos_dwmmc_caps,
++      .num_caps               = ARRAY_SIZE(exynos_dwmmc_caps),
+       .init                   = dw_mci_exynos_priv_init,
+       .set_ios                = dw_mci_exynos_set_ios,
+       .parse_dt               = dw_mci_exynos_parse_dt,
+--- a/drivers/mmc/host/dw_mmc-k3.c
++++ b/drivers/mmc/host/dw_mmc-k3.c
+@@ -210,6 +210,7 @@ static int dw_mci_hi6220_execute_tuning(
+ static const struct dw_mci_drv_data hi6220_data = {
+       .caps                   = dw_mci_hi6220_caps,
++      .num_caps               = ARRAY_SIZE(dw_mci_hi6220_caps),
+       .switch_voltage         = dw_mci_hi6220_switch_voltage,
+       .set_ios                = dw_mci_hi6220_set_ios,
+       .parse_dt               = dw_mci_hi6220_parse_dt,
+--- a/drivers/mmc/host/dw_mmc-rockchip.c
++++ b/drivers/mmc/host/dw_mmc-rockchip.c
+@@ -319,6 +319,7 @@ static const struct dw_mci_drv_data rk29
+ static const struct dw_mci_drv_data rk3288_drv_data = {
+       .caps                   = dw_mci_rk3288_dwmmc_caps,
++      .num_caps               = ARRAY_SIZE(dw_mci_rk3288_dwmmc_caps),
+       .set_ios                = dw_mci_rk3288_set_ios,
+       .execute_tuning         = dw_mci_rk3288_execute_tuning,
+       .parse_dt               = dw_mci_rk3288_parse_dt,
+--- a/drivers/mmc/host/dw_mmc-zx.c
++++ b/drivers/mmc/host/dw_mmc-zx.c
+@@ -195,6 +195,7 @@ static unsigned long zx_dwmmc_caps[3] =
+ static const struct dw_mci_drv_data zx_drv_data = {
+       .caps                   = zx_dwmmc_caps,
++      .num_caps               = ARRAY_SIZE(zx_dwmmc_caps),
+       .execute_tuning         = dw_mci_zx_execute_tuning,
+       .prepare_hs400_tuning   = dw_mci_zx_prepare_hs400_tuning,
+       .parse_dt               = dw_mci_zx_parse_dt,
+--- a/drivers/mmc/host/dw_mmc.c
++++ b/drivers/mmc/host/dw_mmc.c
+@@ -2808,8 +2808,15 @@ static int dw_mci_init_slot_caps(struct
+       } else {
+               ctrl_id = to_platform_device(host->dev)->id;
+       }
+-      if (drv_data && drv_data->caps)
++
++      if (drv_data && drv_data->caps) {
++              if (ctrl_id >= drv_data->num_caps) {
++                      dev_err(host->dev, "invalid controller id %d\n",
++                              ctrl_id);
++                      return -EINVAL;
++              }
+               mmc->caps |= drv_data->caps[ctrl_id];
++      }
+       if (host->pdata->caps2)
+               mmc->caps2 = host->pdata->caps2;
+--- a/drivers/mmc/host/dw_mmc.h
++++ b/drivers/mmc/host/dw_mmc.h
+@@ -543,6 +543,7 @@ struct dw_mci_slot {
+ /**
+  * dw_mci driver data - dw-mshc implementation specific driver data.
+  * @caps: mmc subsystem specified capabilities of the controller(s).
++ * @num_caps: number of capabilities specified by @caps.
+  * @init: early implementation specific initialization.
+  * @set_ios: handle bus specific extensions.
+  * @parse_dt: parse implementation specific device tree properties.
+@@ -554,6 +555,7 @@ struct dw_mci_slot {
+  */
+ struct dw_mci_drv_data {
+       unsigned long   *caps;
++      u32             num_caps;
+       int             (*init)(struct dw_mci *host);
+       void            (*set_ios)(struct dw_mci *host, struct mmc_ios *ios);
+       int             (*parse_dt)(struct dw_mci *host);
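Review bot: The new bound check `ctrl_id >= drv_data->num_caps` in dw_mci_init_slot_caps() compares an `int` with a `u32`, so a negative `ctrl_id` is rejected only because it is converted to a large unsigned value. The device-tree branch clamps negatives to 0, but the `to_platform_device(host->dev)->id` branch does not, so spell the lower bound out: `if (ctrl_id < 0 || ctrl_id >= drv_data->num_caps) {`. Any dw_mci_drv_data that sets `.caps` without `.num_caps` will now always fail with -EINVAL; this patch updates the exynos, hi6220, rk3288 and zx tables, and it is worth confirming that no other table sets `.caps`. The function body starts outside the hunk.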
diff --git a/queue-4.15/mmc-dw_mmc-k3-fix-out-of-bounds-access-through-dt-alias.patch b/queue-4.15/mmc-dw_mmc-k3-fix-out-of-bounds-access-through-dt-alias.patch
new file mode 100644 (file)
index 0000000..0af53d8
--- /dev/null
@@ -0,0 +1,37 @@
+From 325501d9360eb42c7c51e6daa0d733844c1e790b Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 23 Feb 2018 13:44:19 +0100
+Subject: mmc: dw_mmc-k3: Fix out-of-bounds access through DT alias
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit 325501d9360eb42c7c51e6daa0d733844c1e790b upstream.
+
+The hs_timing_cfg[] array is indexed using a value derived from the
+"mshcN" alias in DT, which may lead to an out-of-bounds access.
+
+Fix this by adding a range check.
+
+Fixes: 361c7fe9b02eee7e ("mmc: dw_mmc-k3: add sd support for hi3660")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Shawn Lin <shawn.lin@rock-chips.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/dw_mmc-k3.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mmc/host/dw_mmc-k3.c
++++ b/drivers/mmc/host/dw_mmc-k3.c
+@@ -135,6 +135,9 @@ static int dw_mci_hi6220_parse_dt(struct
+       if (priv->ctrl_id < 0)
+               priv->ctrl_id = 0;
++      if (priv->ctrl_id >= TIMING_MODE)
++              return -EINVAL;
++
+       host->priv = priv;
+       return 0;
+ }
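Review bot: The range check `if (priv->ctrl_id >= TIMING_MODE)` uses a named constant rather than the size of the array it protects, and the hunk does not show that `TIMING_MODE` is the dimension of `hs_timing_cfg[]` that `ctrl_id` indexes. Deriving the bound from the array, `if (priv->ctrl_id >= ARRAY_SIZE(hs_timing_cfg))`, keeps the check correct if the table is resized, provided ctrl_id indexes its first dimension. The failure is also silent; a `dev_err(host->dev, "invalid controller id %d\n", priv->ctrl_id);` before the return would tell the integrator which alias was rejected. dw_mci_hi6220_parse_dt() starts outside the hunk.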
diff --git a/queue-4.15/mmc-sdhci-pci-fix-s0i3-for-intel-byt-based-controllers.patch b/queue-4.15/mmc-sdhci-pci-fix-s0i3-for-intel-byt-based-controllers.patch
new file mode 100644 (file)
index 0000000..025f272
--- /dev/null
@@ -0,0 +1,92 @@
+From f8870ae6e2d6be75b1accc2db981169fdfbea7ab Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Wed, 14 Feb 2018 15:57:43 +0200
+Subject: mmc: sdhci-pci: Fix S0i3 for Intel BYT-based controllers
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit f8870ae6e2d6be75b1accc2db981169fdfbea7ab upstream.
+
+Tuning can leave the IP in an active state (Buffer Read Enable bit set)
+which prevents the entry to low power states (i.e. S0i3). Data reset will
+clear it.
+
+Generally tuning is followed by a data transfer which will anyway sort out
+the state, so it is rare that S0i3 is actually prevented.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-pci-core.c |   35 +++++++++++++++++++++++++++++++----
+ 1 file changed, 31 insertions(+), 4 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-pci-core.c
++++ b/drivers/mmc/host/sdhci-pci-core.c
+@@ -593,9 +593,36 @@ static void byt_read_dsm(struct sdhci_pc
+       slot->chip->rpm_retune = intel_host->d3_retune;
+ }
+-static int byt_emmc_probe_slot(struct sdhci_pci_slot *slot)
++static int intel_execute_tuning(struct mmc_host *mmc, u32 opcode)
++{
++      int err = sdhci_execute_tuning(mmc, opcode);
++      struct sdhci_host *host = mmc_priv(mmc);
++
++      if (err)
++              return err;
++
++      /*
++       * Tuning can leave the IP in an active state (Buffer Read Enable bit
++       * set) which prevents the entry to low power states (i.e. S0i3). Data
++       * reset will clear it.
++       */
++      sdhci_reset(host, SDHCI_RESET_DATA);
++
++      return 0;
++}
++
++static void byt_probe_slot(struct sdhci_pci_slot *slot)
+ {
++      struct mmc_host_ops *ops = &slot->host->mmc_host_ops;
++
+       byt_read_dsm(slot);
++
++      ops->execute_tuning = intel_execute_tuning;
++}
++
++static int byt_emmc_probe_slot(struct sdhci_pci_slot *slot)
++{
++      byt_probe_slot(slot);
+       slot->host->mmc->caps |= MMC_CAP_8_BIT_DATA | MMC_CAP_NONREMOVABLE |
+                                MMC_CAP_HW_RESET | MMC_CAP_1_8V_DDR |
+                                MMC_CAP_CMD_DURING_TFR |
+@@ -650,7 +677,7 @@ static int ni_byt_sdio_probe_slot(struct
+ {
+       int err;
+-      byt_read_dsm(slot);
++      byt_probe_slot(slot);
+       err = ni_set_max_freq(slot);
+       if (err)
+@@ -663,7 +690,7 @@ static int ni_byt_sdio_probe_slot(struct
+ static int byt_sdio_probe_slot(struct sdhci_pci_slot *slot)
+ {
+-      byt_read_dsm(slot);
++      byt_probe_slot(slot);
+       slot->host->mmc->caps |= MMC_CAP_POWER_OFF_CARD | MMC_CAP_NONREMOVABLE |
+                                MMC_CAP_WAIT_WHILE_BUSY;
+       return 0;
+@@ -671,7 +698,7 @@ static int byt_sdio_probe_slot(struct sd
+ static int byt_sd_probe_slot(struct sdhci_pci_slot *slot)
+ {
+-      byt_read_dsm(slot);
++      byt_probe_slot(slot);
+       slot->host->mmc->caps |= MMC_CAP_WAIT_WHILE_BUSY |
+                                MMC_CAP_AGGRESSIVE_PM | MMC_CAP_CD_WAKE;
+       slot->cd_idx = 0;
diff --git a/queue-4.15/parisc-fix-ordering-of-cache-and-tlb-flushes.patch b/queue-4.15/parisc-fix-ordering-of-cache-and-tlb-flushes.patch
new file mode 100644 (file)
index 0000000..ac57b2c
--- /dev/null
@@ -0,0 +1,214 @@
+From 0adb24e03a124b79130c9499731936b11ce2677d Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Tue, 27 Feb 2018 08:16:07 -0500
+Subject: parisc: Fix ordering of cache and TLB flushes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit 0adb24e03a124b79130c9499731936b11ce2677d upstream.
+
+The change to flush_kernel_vmap_range() wasn't sufficient to avoid the
+SMP stalls.  The problem is some drivers call these routines with
+interrupts disabled.  Interrupts need to be enabled for flush_tlb_all()
+and flush_cache_all() to work.  This version adds checks to ensure
+interrupts are not disabled before calling routines that need IPI
+interrupts.  When interrupts are disabled, we now drop into slower code.
+
+The attached change fixes the ordering of cache and TLB flushes in
+several cases.  When we flush the cache using the existing PTE/TLB
+entries, we need to flush the TLB after doing the cache flush.  We don't
+need to do this when we flush the entire instruction and data caches as
+these flushes don't use the existing TLB entries.  The same is true for
+tmpalias region flushes.
+
+The flush_kernel_vmap_range() and invalidate_kernel_vmap_range()
+routines have been updated.
+
+Secondly, we added a new purge_kernel_dcache_range_asm() routine to
+pacache.S and use it in invalidate_kernel_vmap_range().  Nominally,
+purges are faster than flushes as the cache lines don't have to be
+written back to memory.
+
+Hopefully, this is sufficient to resolve the remaining problems due to
+cache speculation.  So far, testing indicates that this is the case.  I
+did work up a patch using tmpalias flushes, but there is a performance
+hit because we need the physical address for each page, and we also need
+to sequence access to the tmpalias flush code.  This increases the
+probability of stalls.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Cc: stable@vger.kernel.org # 4.9+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/include/asm/cacheflush.h |    1 
+ arch/parisc/kernel/cache.c           |   57 +++++++++++++++++++----------------
+ arch/parisc/kernel/pacache.S         |   22 +++++++++++++
+ 3 files changed, 54 insertions(+), 26 deletions(-)
+
+--- a/arch/parisc/include/asm/cacheflush.h
++++ b/arch/parisc/include/asm/cacheflush.h
+@@ -26,6 +26,7 @@ void flush_user_icache_range_asm(unsigne
+ void flush_kernel_icache_range_asm(unsigned long, unsigned long);
+ void flush_user_dcache_range_asm(unsigned long, unsigned long);
+ void flush_kernel_dcache_range_asm(unsigned long, unsigned long);
++void purge_kernel_dcache_range_asm(unsigned long, unsigned long);
+ void flush_kernel_dcache_page_asm(void *);
+ void flush_kernel_icache_page(void *);
+--- a/arch/parisc/kernel/cache.c
++++ b/arch/parisc/kernel/cache.c
+@@ -465,10 +465,10 @@ EXPORT_SYMBOL(copy_user_page);
+ int __flush_tlb_range(unsigned long sid, unsigned long start,
+                     unsigned long end)
+ {
+-      unsigned long flags, size;
++      unsigned long flags;
+-      size = (end - start);
+-      if (size >= parisc_tlb_flush_threshold) {
++      if ((!IS_ENABLED(CONFIG_SMP) || !arch_irqs_disabled()) &&
++          end - start >= parisc_tlb_flush_threshold) {
+               flush_tlb_all();
+               return 1;
+       }
+@@ -539,13 +539,11 @@ void flush_cache_mm(struct mm_struct *mm
+       struct vm_area_struct *vma;
+       pgd_t *pgd;
+-      /* Flush the TLB to avoid speculation if coherency is required. */
+-      if (parisc_requires_coherency())
+-              flush_tlb_all();
+-
+       /* Flushing the whole cache on each cpu takes forever on
+          rp3440, etc.  So, avoid it if the mm isn't too big.  */
+-      if (mm_total_size(mm) >= parisc_cache_flush_threshold) {
++      if ((!IS_ENABLED(CONFIG_SMP) || !arch_irqs_disabled()) &&
++          mm_total_size(mm) >= parisc_cache_flush_threshold) {
++              flush_tlb_all();
+               flush_cache_all();
+               return;
+       }
+@@ -553,9 +551,9 @@ void flush_cache_mm(struct mm_struct *mm
+       if (mm->context == mfsp(3)) {
+               for (vma = mm->mmap; vma; vma = vma->vm_next) {
+                       flush_user_dcache_range_asm(vma->vm_start, vma->vm_end);
+-                      if ((vma->vm_flags & VM_EXEC) == 0)
+-                              continue;
+-                      flush_user_icache_range_asm(vma->vm_start, vma->vm_end);
++                      if (vma->vm_flags & VM_EXEC)
++                              flush_user_icache_range_asm(vma->vm_start, vma->vm_end);
++                      flush_tlb_range(vma, vma->vm_start, vma->vm_end);
+               }
+               return;
+       }
+@@ -581,14 +579,9 @@ void flush_cache_mm(struct mm_struct *mm
+ void flush_cache_range(struct vm_area_struct *vma,
+               unsigned long start, unsigned long end)
+ {
+-      BUG_ON(!vma->vm_mm->context);
+-
+-      /* Flush the TLB to avoid speculation if coherency is required. */
+-      if (parisc_requires_coherency())
++      if ((!IS_ENABLED(CONFIG_SMP) || !arch_irqs_disabled()) &&
++          end - start >= parisc_cache_flush_threshold) {
+               flush_tlb_range(vma, start, end);
+-
+-      if ((end - start) >= parisc_cache_flush_threshold
+-          || vma->vm_mm->context != mfsp(3)) {
+               flush_cache_all();
+               return;
+       }
+@@ -596,6 +589,7 @@ void flush_cache_range(struct vm_area_st
+       flush_user_dcache_range_asm(start, end);
+       if (vma->vm_flags & VM_EXEC)
+               flush_user_icache_range_asm(start, end);
++      flush_tlb_range(vma, start, end);
+ }
+ void
+@@ -604,8 +598,7 @@ flush_cache_page(struct vm_area_struct *
+       BUG_ON(!vma->vm_mm->context);
+       if (pfn_valid(pfn)) {
+-              if (parisc_requires_coherency())
+-                      flush_tlb_page(vma, vmaddr);
++              flush_tlb_page(vma, vmaddr);
+               __flush_cache_page(vma, vmaddr, PFN_PHYS(pfn));
+       }
+ }
+@@ -613,21 +606,33 @@ flush_cache_page(struct vm_area_struct *
+ void flush_kernel_vmap_range(void *vaddr, int size)
+ {
+       unsigned long start = (unsigned long)vaddr;
++      unsigned long end = start + size;
+-      if ((unsigned long)size > parisc_cache_flush_threshold)
++      if ((!IS_ENABLED(CONFIG_SMP) || !arch_irqs_disabled()) &&
++          (unsigned long)size >= parisc_cache_flush_threshold) {
++              flush_tlb_kernel_range(start, end);
+               flush_data_cache();
+-      else
+-              flush_kernel_dcache_range_asm(start, start + size);
++              return;
++      }
++
++      flush_kernel_dcache_range_asm(start, end);
++      flush_tlb_kernel_range(start, end);
+ }
+ EXPORT_SYMBOL(flush_kernel_vmap_range);
+ void invalidate_kernel_vmap_range(void *vaddr, int size)
+ {
+       unsigned long start = (unsigned long)vaddr;
++      unsigned long end = start + size;
+-      if ((unsigned long)size > parisc_cache_flush_threshold)
++      if ((!IS_ENABLED(CONFIG_SMP) || !arch_irqs_disabled()) &&
++          (unsigned long)size >= parisc_cache_flush_threshold) {
++              flush_tlb_kernel_range(start, end);
+               flush_data_cache();
+-      else
+-              flush_kernel_dcache_range_asm(start, start + size);
++              return;
++      }
++
++      purge_kernel_dcache_range_asm(start, end);
++      flush_tlb_kernel_range(start, end);
+ }
+ EXPORT_SYMBOL(invalidate_kernel_vmap_range);
+--- a/arch/parisc/kernel/pacache.S
++++ b/arch/parisc/kernel/pacache.S
+@@ -1110,6 +1110,28 @@ ENTRY_CFI(flush_kernel_dcache_range_asm)
+       .procend
+ ENDPROC_CFI(flush_kernel_dcache_range_asm)
++ENTRY_CFI(purge_kernel_dcache_range_asm)
++      .proc
++      .callinfo NO_CALLS
++      .entry
++
++      ldil            L%dcache_stride, %r1
++      ldw             R%dcache_stride(%r1), %r23
++      ldo             -1(%r23), %r21
++      ANDCM           %r26, %r21, %r26
++
++1:      cmpb,COND(<<),n       %r26, %r25,1b
++      pdc,m           %r23(%r26)
++
++      sync
++      syncdma
++      bv              %r0(%r2)
++      nop
++      .exit
++
++      .procend
++ENDPROC_CFI(purge_kernel_dcache_range_asm)
++
+ ENTRY_CFI(flush_user_icache_range_asm)
+       .proc
+       .callinfo NO_CALLS
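Review bot: In the flush_cache_range() part of this patch, removing `|| vma->vm_mm->context != mfsp(3)` means the `flush_user_dcache_range_asm(start, end)` and `flush_user_icache_range_asm(start, end)` path is now taken even when the vma belongs to a different address space than the one currently loaded. flush_cache_mm() in the same patch still guards its user-range flush with `if (mm->context == mfsp(3))`, so the two functions no longer agree. If the user-range routines operate on the current space (presumably, given that guard), the requested mapping is left unflushed and stale cache lines can remain. Restore the guard, `if (vma->vm_mm->context == mfsp(3)) {`, around the user-range flushes and choose a fallback for the other case that does not need IPIs when interrupts are disabled.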
diff --git a/queue-4.15/parisc-hide-virtual-kernel-memory-layout.patch b/queue-4.15/parisc-hide-virtual-kernel-memory-layout.patch
new file mode 100644 (file)
index 0000000..65003a0
--- /dev/null
@@ -0,0 +1,38 @@
+From fd8d0ca2563151204f3fe555dc8ca4bcfe8677a3 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Fri, 12 Jan 2018 22:57:15 +0100
+Subject: parisc: Hide virtual kernel memory layout
+
+From: Helge Deller <deller@gmx.de>
+
+commit fd8d0ca2563151204f3fe555dc8ca4bcfe8677a3 upstream.
+
+For security reasons do not expose the virtual kernel memory layout to
+userspace.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Suggested-by: Kees Cook <keescook@chromium.org>
+Cc: stable@vger.kernel.org # 4.15
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/mm/init.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/mm/init.c
++++ b/arch/parisc/mm/init.c
+@@ -629,7 +629,12 @@ void __init mem_init(void)
+ #endif
+       mem_init_print_info(NULL);
+-#ifdef CONFIG_DEBUG_KERNEL /* double-sanity-check paranoia */
++
++#if 0
++      /*
++       * Do not expose the virtual kernel memory layout to userspace.
++       * But keep code for debugging purposes.
++       */
+       printk("virtual kernel memory layout:\n"
+              "    vmalloc : 0x%px - 0x%px   (%4ld MB)\n"
+              "    memory  : 0x%px - 0x%px   (%4ld MB)\n"
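Review bot: Keeping the layout dump under `#if 0` in mem_init() leaves code that is never compiled, so it gets no build coverage and will drift as the surrounding symbols change. Because the format strings use `%px`, which prints raw addresses, re-enabling the block for debugging restores the exposure this patch removes. Say so in the comment, e.g. `/* %px prints raw kernel addresses: never enable in production builds */`, or delete the block and rely on the history. The rest of the printk() and the closing `#endif` are outside the hunk.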
diff --git a/queue-4.15/parisc-reduce-irq-overhead-when-run-in-qemu.patch b/queue-4.15/parisc-reduce-irq-overhead-when-run-in-qemu.patch
new file mode 100644 (file)
index 0000000..7786ace
--- /dev/null
@@ -0,0 +1,60 @@
+From 636a415bcc7f4fd020ece8fd5fc648c4cef19c34 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Mon, 12 Feb 2018 21:43:55 +0100
+Subject: parisc: Reduce irq overhead when run in qemu
+
+From: Helge Deller <deller@gmx.de>
+
+commit 636a415bcc7f4fd020ece8fd5fc648c4cef19c34 upstream.
+
+When run under QEMU, calling mfctl(16) creates some overhead because the
+qemu timer has to be scaled and moved into the register. This patch
+reduces the number of calls to mfctl(16) by moving the calls out of the
+loops.
+
+Additionally, increase the minimal time interval to 8000 cycles instead
+of 500 to compensate possible QEMU delays when delivering interrupts.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # 4.14+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/time.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/arch/parisc/kernel/time.c
++++ b/arch/parisc/kernel/time.c
+@@ -76,10 +76,10 @@ irqreturn_t __irq_entry timer_interrupt(
+       next_tick = cpuinfo->it_value;
+       /* Calculate how many ticks have elapsed. */
++      now = mfctl(16);
+       do {
+               ++ticks_elapsed;
+               next_tick += cpt;
+-              now = mfctl(16);
+       } while (next_tick - now > cpt);
+       /* Store (in CR16 cycles) up to when we are accounting right now. */
+@@ -103,16 +103,17 @@ irqreturn_t __irq_entry timer_interrupt(
+        * if one or the other wrapped. If "now" is "bigger" we'll end up
+        * with a very large unsigned number.
+        */
+-      while (next_tick - mfctl(16) > cpt)
++      now = mfctl(16);
++      while (next_tick - now > cpt)
+               next_tick += cpt;
+       /* Program the IT when to deliver the next interrupt.
+        * Only bottom 32-bits of next_tick are writable in CR16!
+        * Timer interrupt will be delivered at least a few hundred cycles
+-       * after the IT fires, so if we are too close (<= 500 cycles) to the
++       * after the IT fires, so if we are too close (<= 8000 cycles) to the
+        * next cycle, simply skip it.
+        */
+-      if (next_tick - mfctl(16) <= 500)
++      if (next_tick - now <= 8000)
+               next_tick += cpt;
+       mtctl(next_tick, 16);
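Review bot: The new `if (next_tick - now <= 8000)` threshold in timer_interrupt() applies on every machine, not only under QEMU, while the commit message motivates the larger value by QEMU interrupt delivery delays. The comment above it still says the interrupt arrives "at least a few hundred cycles" after the IT fires, which no longer explains the number; extend it, e.g. `* 8000 rather than 500 to tolerate delayed interrupt delivery under QEMU.` Both comparisons now also use the single `now` sampled before the catch-up loop, so the skip test no longer accounts for time spent inside that loop. That looks acceptable given the larger margin, but it deserves a word in the comment. The function starts outside the hunk.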
diff --git a/queue-4.15/parisc-use-cr16-interval-timers-unconditionally-on-qemu.patch b/queue-4.15/parisc-use-cr16-interval-timers-unconditionally-on-qemu.patch
new file mode 100644 (file)
index 0000000..be6236e
--- /dev/null
@@ -0,0 +1,43 @@
+From 5ffa8518851f1401817c15d2a7eecc0373c26ff9 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Fri, 12 Jan 2018 22:44:00 +0100
+Subject: parisc: Use cr16 interval timers unconditionally on qemu
+
+From: Helge Deller <deller@gmx.de>
+
+commit 5ffa8518851f1401817c15d2a7eecc0373c26ff9 upstream.
+
+When running on qemu we know that the (emulated) cr16 cpu-internal
+clocks are syncronized. So let's use them unconditionally on qemu.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # 4.14+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/include/asm/processor.h |    2 ++
+ arch/parisc/kernel/time.c           |    2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/include/asm/processor.h
++++ b/arch/parisc/include/asm/processor.h
+@@ -316,6 +316,8 @@ extern int _parisc_requires_coherency;
+ #define parisc_requires_coherency()   (0)
+ #endif
++extern int running_on_qemu;
++
+ #endif /* __ASSEMBLY__ */
+ #endif /* __ASM_PARISC_PROCESSOR_H */
+--- a/arch/parisc/kernel/time.c
++++ b/arch/parisc/kernel/time.c
+@@ -248,7 +248,7 @@ static int __init init_cr16_clocksource(
+        * different sockets, so mark them unstable and lower rating on
+        * multi-socket SMP systems.
+        */
+-      if (num_online_cpus() > 1) {
++      if (num_online_cpus() > 1 && !running_on_qemu) {
+               int cpu;
+               unsigned long cpu0_loc;
+               cpu0_loc = per_cpu(cpu_data, 0).cpu_loc;
index 80b2b2fce855594c7c86198b9484567422ddd2a5..6f2f35f849ae105a380ac2b0eb335fc0e2cbc1cd 100644 (file)
@@ -10,3 +10,29 @@ tpm-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
 tpm_i2c_infineon-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
 tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
 tpm_tis-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
+alsa-usb-audio-add-a-quirck-for-b-w-px-headphones.patch
+alsa-control-fix-memory-corruption-risk-in-snd_ctl_elem_read.patch
+alsa-x86-fix-missing-spinlock-and-mutex-initializations.patch
+alsa-hda-add-a-power_save-blacklist.patch
+alsa-hda-fix-pincfg-at-resume-on-lenovo-t470-dock.patch
+mmc-sdhci-pci-fix-s0i3-for-intel-byt-based-controllers.patch
+mmc-dw_mmc-k3-fix-out-of-bounds-access-through-dt-alias.patch
+mmc-dw_mmc-avoid-accessing-registers-in-runtime-suspended-state.patch
+mmc-dw_mmc-factor-out-dw_mci_init_slot_caps.patch
+mmc-dw_mmc-fix-out-of-bounds-access-for-slot-s-caps.patch
+timers-forward-timer-base-before-migrating-timers.patch
+parisc-use-cr16-interval-timers-unconditionally-on-qemu.patch
+parisc-reduce-irq-overhead-when-run-in-qemu.patch
+parisc-fix-ordering-of-cache-and-tlb-flushes.patch
+parisc-hide-virtual-kernel-memory-layout.patch
+btrfs-use-proper-endianness-accessors-for-super_copy.patch
+block-fix-the-count-of-pgpgout-for-write_same.patch
+block-kyber-fix-domain-token-leak-during-requeue.patch
+block-pass-inclusive-lend-parameter-to-truncate_inode_pages_range.patch
+vfio-disable-filesystem-dax-page-pinning.patch
+cpufreq-s3c24xx-fix-broken-s3c_cpufreq_init.patch
+dax-fix-vma_is_fsdax-helper.patch
+direct-io-fix-sleep-in-atomic-due-to-sync-aio.patch
+x86-xen-zero-msr_ia32_spec_ctrl-before-suspend.patch
+x86-platform-intel-mid-handle-intel-edison-reboot-correctly.patch
+x86-cpu_entry_area-sync-cpu_entry_area-to-initial_page_table.patch
diff --git a/queue-4.15/timers-forward-timer-base-before-migrating-timers.patch b/queue-4.15/timers-forward-timer-base-before-migrating-timers.patch
new file mode 100644 (file)
index 0000000..fe66851
--- /dev/null
@@ -0,0 +1,84 @@
+From c52232a49e203a65a6e1a670cd5262f59e9364a0 Mon Sep 17 00:00:00 2001
+From: Lingutla Chandrasekhar <clingutla@codeaurora.org>
+Date: Thu, 18 Jan 2018 17:20:22 +0530
+Subject: timers: Forward timer base before migrating timers
+
+From: Lingutla Chandrasekhar <clingutla@codeaurora.org>
+
+commit c52232a49e203a65a6e1a670cd5262f59e9364a0 upstream.
+
+On CPU hotunplug the enqueued timers of the unplugged CPU are migrated to a
+live CPU. This happens from the control thread which initiated the unplug.
+
+If the CPU on which the control thread runs came out from a longer idle
+period then the base clock of that CPU might be stale because the control
+thread runs prior to any event which forwards the clock.
+
+In such a case the timers from the unplugged CPU are queued on the live CPU
+based on the stale clock which can cause large delays due to increased
+granularity of the outer timer wheels which are far away from base:;clock.
+
+But there is a worse problem than that. The following sequence of events
+illustrates it:
+
+ - CPU0 timer1 is queued expires = 59969 and base->clk = 59131.
+
+   The timer is queued at wheel level 2, with resulting expiry time = 60032
+   (due to level granularity).
+
+ - CPU1 enters idle @60007, with next timer expiry @60020.
+
+ - CPU0 is hotplugged at @60009
+
+ - CPU1 exits idle and runs the control thread which migrates the
+   timers from CPU0
+
+   timer1 is now queued in level 0 for immediate handling in the next
+   softirq because the requested expiry time 59969 is before CPU1 base->clk
+   60007
+
+ - CPU1 runs code which forwards the base clock which succeeds because the
+   next expiring timer. which was collected at idle entry time is still set
+   to 60020.
+
+   So it forwards beyond 60007 and therefore misses to expire the migrated
+   timer1. That timer gets expired when the wheel wraps around again, which
+   takes between 63 and 630ms depending on the HZ setting.
+
+Address both problems by invoking forward_timer_base() for the control CPUs
+timer base. All other places, which might run into a similar problem
+(mod_timer()/add_timer_on()) already invoke forward_timer_base() to avoid
+that.
+
+[ tglx: Massaged comment and changelog ]
+
+Fixes: a683f390b93f ("timers: Forward the wheel clock whenever possible")
+Co-developed-by: Neeraj Upadhyay <neeraju@codeaurora.org>
+Signed-off-by: Neeraj Upadhyay <neeraju@codeaurora.org>
+Signed-off-by: Lingutla Chandrasekhar <clingutla@codeaurora.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Cc: linux-arm-msm@vger.kernel.org
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180118115022.6368-1-clingutla@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/timer.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -1886,6 +1886,12 @@ int timers_dead_cpu(unsigned int cpu)
+               raw_spin_lock_irq(&new_base->lock);
+               raw_spin_lock_nested(&old_base->lock, SINGLE_DEPTH_NESTING);
++              /*
++               * The current CPUs base clock might be stale. Update it
++               * before moving the timers over.
++               */
++              forward_timer_base(new_base);
++
+               BUG_ON(old_base->running_timer);
+               for (i = 0; i < WHEEL_SIZE; i++)
diff --git a/queue-4.15/vfio-disable-filesystem-dax-page-pinning.patch b/queue-4.15/vfio-disable-filesystem-dax-page-pinning.patch
new file mode 100644 (file)
index 0000000..788a29e
--- /dev/null
@@ -0,0 +1,80 @@
+From 94db151dc89262bfa82922c44e8320cea2334667 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Sun, 4 Feb 2018 10:34:02 -0800
+Subject: vfio: disable filesystem-dax page pinning
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit 94db151dc89262bfa82922c44e8320cea2334667 upstream.
+
+Filesystem-DAX is incompatible with 'longterm' page pinning. Without
+page cache indirection a DAX mapping maps filesystem blocks directly.
+This means that the filesystem must not modify a file's block map while
+any page in a mapping is pinned. In order to prevent the situation of
+userspace holding of filesystem operations indefinitely, disallow
+'longterm' Filesystem-DAX mappings.
+
+RDMA has the same conflict and the plan there is to add a 'with lease'
+mechanism to allow the kernel to notify userspace that the mapping is
+being torn down for block-map maintenance. Perhaps something similar can
+be put in place for vfio.
+
+Note that xfs and ext4 still report:
+
+   "DAX enabled. Warning: EXPERIMENTAL, use at your own risk"
+
+...at mount time, and resolving the dax-dma-vs-truncate problem is one
+of the last hurdles to remove that designation.
+
+Acked-by: Alex Williamson <alex.williamson@redhat.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: kvm@vger.kernel.org
+Cc: <stable@vger.kernel.org>
+Reported-by: Haozhong Zhang <haozhong.zhang@intel.com>
+Tested-by: Haozhong Zhang <haozhong.zhang@intel.com>
+Fixes: d475c6346a38 ("dax,ext2: replace XIP read and write with DAX I/O")
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vfio/vfio_iommu_type1.c |   18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -338,11 +338,12 @@ static int vaddr_get_pfn(struct mm_struc
+ {
+       struct page *page[1];
+       struct vm_area_struct *vma;
++      struct vm_area_struct *vmas[1];
+       int ret;
+       if (mm == current->mm) {
+-              ret = get_user_pages_fast(vaddr, 1, !!(prot & IOMMU_WRITE),
+-                                        page);
++              ret = get_user_pages_longterm(vaddr, 1, !!(prot & IOMMU_WRITE),
++                                            page, vmas);
+       } else {
+               unsigned int flags = 0;
+@@ -351,7 +352,18 @@ static int vaddr_get_pfn(struct mm_struc
+               down_read(&mm->mmap_sem);
+               ret = get_user_pages_remote(NULL, mm, vaddr, 1, flags, page,
+-                                          NULL, NULL);
++                                          vmas, NULL);
++              /*
++               * The lifetime of a vaddr_get_pfn() page pin is
++               * userspace-controlled. In the fs-dax case this could
++               * lead to indefinite stalls in filesystem operations.
++               * Disallow attempts to pin fs-dax pages via this
++               * interface.
++               */
++              if (ret > 0 && vma_is_fsdax(vmas[0])) {
++                      ret = -EOPNOTSUPP;
++                      put_page(page[0]);
++              }
+               up_read(&mm->mmap_sem);
+       }
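Review bot: In the `mm == current->mm` branch the new `get_user_pages_longterm()` call is made without `mmap_sem` held, while the remote branch takes `down_read(&mm->mmap_sem)` before its lookup. Unlike `get_user_pages_fast()`, the longterm variant wraps `get_user_pages()` and expects the caller to hold the semaphore. Its third parameter is also a `gup_flags` bitmask rather than a write boolean, so `!!(prot & IOMMU_WRITE)` is correct only because `FOLL_WRITE` happens to equal 1. Building the flags once and taking the semaphore around both branches removes both dependencies, as sketched below. `vaddr_get_pfn()` continues past the end of the hunk, so the fallback path after this block is not reviewed here.

```c
	unsigned int flags = 0;

	if (prot & IOMMU_WRITE)
		flags |= FOLL_WRITE;

	down_read(&mm->mmap_sem);
	if (mm == current->mm) {
		ret = get_user_pages_longterm(vaddr, 1, flags, page, vmas);
	} else {
		ret = get_user_pages_remote(NULL, mm, vaddr, 1, flags, page,
					    vmas, NULL);
		/* … unchanged: fs-dax check that drops the pin and sets -EOPNOTSUPP … */
	}
	up_read(&mm->mmap_sem);
```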
diff --git a/queue-4.15/x86-cpu_entry_area-sync-cpu_entry_area-to-initial_page_table.patch b/queue-4.15/x86-cpu_entry_area-sync-cpu_entry_area-to-initial_page_table.patch
new file mode 100644 (file)
index 0000000..9d0ff7a
--- /dev/null
@@ -0,0 +1,163 @@
+From 945fd17ab6bab8a4d05da6c3170519fbcfe62ddb Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 28 Feb 2018 21:14:26 +0100
+Subject: x86/cpu_entry_area: Sync cpu_entry_area to initial_page_table
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 945fd17ab6bab8a4d05da6c3170519fbcfe62ddb upstream.
+
+The separation of the cpu_entry_area from the fixmap missed the fact that
+on 32bit non-PAE kernels the cpu_entry_area mapping might not be covered in
+initial_page_table by the previous synchronizations.
+
+This results in suspend/resume failures because 32bit utilizes initial page
+table for resume. The absence of the cpu_entry_area mapping results in a
+triple fault, aka. insta reboot.
+
+With PAE enabled this works by chance because the PGD entry which covers
+the fixmap and other parts incindentally provides the cpu_entry_area
+mapping as well.
+
+Synchronize the initial page table after setting up the cpu entry
+area. Instead of adding yet another copy of the same code, move it to a
+function and invoke it from the various places.
+
+It needs to be investigated if the existing calls in setup_arch() and
+setup_per_cpu_areas() can be replaced by the later invocation from
+setup_cpu_entry_areas(), but that's beyond the scope of this fix.
+
+Fixes: 92a0f81d8957 ("x86/cpu_entry_area: Move it out of the fixmap")
+Reported-by: Woody Suwalski <terraluna977@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Woody Suwalski <terraluna977@gmail.com>
+Cc: William Grant <william.grant@canonical.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1802282137290.1392@nanos.tec.linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/pgtable_32.h |    1 +
+ arch/x86/include/asm/pgtable_64.h |    1 +
+ arch/x86/kernel/setup.c           |   17 +++++------------
+ arch/x86/kernel/setup_percpu.c    |   17 ++++-------------
+ arch/x86/mm/cpu_entry_area.c      |    6 ++++++
+ arch/x86/mm/init_32.c             |   15 +++++++++++++++
+ 6 files changed, 32 insertions(+), 25 deletions(-)
+
+--- a/arch/x86/include/asm/pgtable_32.h
++++ b/arch/x86/include/asm/pgtable_32.h
+@@ -32,6 +32,7 @@ extern pmd_t initial_pg_pmd[];
+ static inline void pgtable_cache_init(void) { }
+ static inline void check_pgt_cache(void) { }
+ void paging_init(void);
++void sync_initial_page_table(void);
+ /*
+  * Define this if things work differently on an i386 and an i486:
+--- a/arch/x86/include/asm/pgtable_64.h
++++ b/arch/x86/include/asm/pgtable_64.h
+@@ -28,6 +28,7 @@ extern pgd_t init_top_pgt[];
+ #define swapper_pg_dir init_top_pgt
+ extern void paging_init(void);
++static inline void sync_initial_page_table(void) { }
+ #define pte_ERROR(e)                                  \
+       pr_err("%s:%d: bad pte %p(%016lx)\n",           \
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1205,20 +1205,13 @@ void __init setup_arch(char **cmdline_p)
+       kasan_init();
+-#ifdef CONFIG_X86_32
+-      /* sync back kernel address range */
+-      clone_pgd_range(initial_page_table + KERNEL_PGD_BOUNDARY,
+-                      swapper_pg_dir     + KERNEL_PGD_BOUNDARY,
+-                      KERNEL_PGD_PTRS);
+-
+       /*
+-       * sync back low identity map too.  It is used for example
+-       * in the 32-bit EFI stub.
++       * Sync back kernel address range.
++       *
++       * FIXME: Can the later sync in setup_cpu_entry_areas() replace
++       * this call?
+        */
+-      clone_pgd_range(initial_page_table,
+-                      swapper_pg_dir     + KERNEL_PGD_BOUNDARY,
+-                      min(KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
+-#endif
++      sync_initial_page_table();
+       tboot_probe();
+--- a/arch/x86/kernel/setup_percpu.c
++++ b/arch/x86/kernel/setup_percpu.c
+@@ -287,24 +287,15 @@ void __init setup_per_cpu_areas(void)
+       /* Setup cpu initialized, callin, callout masks */
+       setup_cpu_local_masks();
+-#ifdef CONFIG_X86_32
+       /*
+        * Sync back kernel address range again.  We already did this in
+        * setup_arch(), but percpu data also needs to be available in
+        * the smpboot asm.  We can't reliably pick up percpu mappings
+        * using vmalloc_fault(), because exception dispatch needs
+        * percpu data.
++       *
++       * FIXME: Can the later sync in setup_cpu_entry_areas() replace
++       * this call?
+        */
+-      clone_pgd_range(initial_page_table + KERNEL_PGD_BOUNDARY,
+-                      swapper_pg_dir     + KERNEL_PGD_BOUNDARY,
+-                      KERNEL_PGD_PTRS);
+-
+-      /*
+-       * sync back low identity map too.  It is used for example
+-       * in the 32-bit EFI stub.
+-       */
+-      clone_pgd_range(initial_page_table,
+-                      swapper_pg_dir     + KERNEL_PGD_BOUNDARY,
+-                      min(KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
+-#endif
++      sync_initial_page_table();
+ }
+--- a/arch/x86/mm/cpu_entry_area.c
++++ b/arch/x86/mm/cpu_entry_area.c
+@@ -163,4 +163,10 @@ void __init setup_cpu_entry_areas(void)
+       for_each_possible_cpu(cpu)
+               setup_cpu_entry_area(cpu);
++
++      /*
++       * This is the last essential update to swapper_pgdir which needs
++       * to be synchronized to initial_page_table on 32bit.
++       */
++      sync_initial_page_table();
+ }
+--- a/arch/x86/mm/init_32.c
++++ b/arch/x86/mm/init_32.c
+@@ -453,6 +453,21 @@ static inline void permanent_kmaps_init(
+ }
+ #endif /* CONFIG_HIGHMEM */
++void __init sync_initial_page_table(void)
++{
++      clone_pgd_range(initial_page_table + KERNEL_PGD_BOUNDARY,
++                      swapper_pg_dir     + KERNEL_PGD_BOUNDARY,
++                      KERNEL_PGD_PTRS);
++
++      /*
++       * sync back low identity map too.  It is used for example
++       * in the 32-bit EFI stub.
++       */
++      clone_pgd_range(initial_page_table,
++                      swapper_pg_dir     + KERNEL_PGD_BOUNDARY,
++                      min(KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
++}
++
+ void __init native_pagetable_init(void)
+ {
+       unsigned long pfn, va;
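Review bot: `sync_initial_page_table()` in arch/x86/mm/init_32.c has no header comment, and its first `clone_pgd_range()` call lost the "sync back kernel address range" comment it carried at both old call sites. A short comment above the function would keep the reason next to the code, for example `/* Copy the kernel PGD range and the low identity map from swapper_pg_dir to initial_page_table, which 32-bit uses for resume. */`. The new comment in `setup_cpu_entry_areas()` also spells the symbol `swapper_pgdir` where the code uses `swapper_pg_dir`, so a grep for the real name misses it.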
diff --git a/queue-4.15/x86-platform-intel-mid-handle-intel-edison-reboot-correctly.patch b/queue-4.15/x86-platform-intel-mid-handle-intel-edison-reboot-correctly.patch
new file mode 100644 (file)
index 0000000..3fc39fa
--- /dev/null
@@ -0,0 +1,45 @@
+From 028091f82eefd5e84f81cef81a7673016ecbe78b Mon Sep 17 00:00:00 2001
+From: Sebastian Panceac <sebastian@resin.io>
+Date: Wed, 28 Feb 2018 11:40:49 +0200
+Subject: x86/platform/intel-mid: Handle Intel Edison reboot correctly
+
+From: Sebastian Panceac <sebastian@resin.io>
+
+commit 028091f82eefd5e84f81cef81a7673016ecbe78b upstream.
+
+When the Intel Edison module is powered with 3.3V, the reboot command makes
+the module stuck.  If the module is powered at a greater voltage, like 4.4V
+(as the Edison Mini Breakout board does), reboot works OK.
+
+The official Intel Edison BSP sends the IPCMSG_COLD_RESET message to the
+SCU by default. The IPCMSG_COLD_BOOT which is used by the upstream kernel
+is only sent when explicitely selected on the kernel command line.
+
+Use IPCMSG_COLD_RESET unconditionally which makes reboot work independent
+of the power supply voltage.
+
+[ tglx: Massaged changelog ]
+
+Fixes: bda7b072de99 ("x86/platform/intel-mid: Implement power off sequence")
+Signed-off-by: Sebastian Panceac <sebastian@resin.io>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1519810849-15131-1-git-send-email-sebastian@resin.io
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/platform/intel-mid/intel-mid.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/platform/intel-mid/intel-mid.c
++++ b/arch/x86/platform/intel-mid/intel-mid.c
+@@ -79,7 +79,7 @@ static void intel_mid_power_off(void)
+ static void intel_mid_reboot(void)
+ {
+-      intel_scu_ipc_simple_command(IPCMSG_COLD_BOOT, 0);
++      intel_scu_ipc_simple_command(IPCMSG_COLD_RESET, 0);
+ }
+ static unsigned long __init intel_mid_calibrate_tsc(void)
diff --git a/queue-4.15/x86-xen-zero-msr_ia32_spec_ctrl-before-suspend.patch b/queue-4.15/x86-xen-zero-msr_ia32_spec_ctrl-before-suspend.patch
new file mode 100644 (file)
index 0000000..65ebb63
--- /dev/null
@@ -0,0 +1,79 @@
+From 71c208dd54ab971036d83ff6d9837bae4976e623 Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Mon, 26 Feb 2018 15:08:18 +0100
+Subject: x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend
+
+From: Juergen Gross <jgross@suse.com>
+
+commit 71c208dd54ab971036d83ff6d9837bae4976e623 upstream.
+
+Older Xen versions (4.5 and before) might have problems migrating pv
+guests with MSR_IA32_SPEC_CTRL having a non-zero value. So before
+suspending zero that MSR and restore it after being resumed.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Cc: stable@vger.kernel.org
+Cc: xen-devel@lists.xenproject.org
+Cc: boris.ostrovsky@oracle.com
+Link: https://lkml.kernel.org/r/20180226140818.4849-1-jgross@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/xen/suspend.c |   16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/arch/x86/xen/suspend.c
++++ b/arch/x86/xen/suspend.c
+@@ -1,12 +1,15 @@
+ // SPDX-License-Identifier: GPL-2.0
+ #include <linux/types.h>
+ #include <linux/tick.h>
++#include <linux/percpu-defs.h>
+ #include <xen/xen.h>
+ #include <xen/interface/xen.h>
+ #include <xen/grant_table.h>
+ #include <xen/events.h>
++#include <asm/cpufeatures.h>
++#include <asm/msr-index.h>
+ #include <asm/xen/hypercall.h>
+ #include <asm/xen/page.h>
+ #include <asm/fixmap.h>
+@@ -15,6 +18,8 @@
+ #include "mmu.h"
+ #include "pmu.h"
++static DEFINE_PER_CPU(u64, spec_ctrl);
++
+ void xen_arch_pre_suspend(void)
+ {
+       xen_save_time_memory_area();
+@@ -35,6 +40,9 @@ void xen_arch_post_suspend(int cancelled
+ static void xen_vcpu_notify_restore(void *data)
+ {
++      if (xen_pv_domain() && boot_cpu_has(X86_FEATURE_SPEC_CTRL))
++              wrmsrl(MSR_IA32_SPEC_CTRL, this_cpu_read(spec_ctrl));
++
+       /* Boot processor notified via generic timekeeping_resume() */
+       if (smp_processor_id() == 0)
+               return;
+@@ -44,7 +52,15 @@ static void xen_vcpu_notify_restore(void
+ static void xen_vcpu_notify_suspend(void *data)
+ {
++      u64 tmp;
++
+       tick_suspend_local();
++
++      if (xen_pv_domain() && boot_cpu_has(X86_FEATURE_SPEC_CTRL)) {
++              rdmsrl(MSR_IA32_SPEC_CTRL, tmp);
++              this_cpu_write(spec_ctrl, tmp);
++              wrmsrl(MSR_IA32_SPEC_CTRL, 0);
++      }
+ }
+ void xen_arch_resume(void)
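Review bot: The block added to `xen_vcpu_notify_suspend()` clears `MSR_IA32_SPEC_CTRL` without a comment, so the reason and the consequence are recorded only in the changelog. I would add `/* Xen 4.5 and older may fail to migrate PV guests with a non-zero SPEC_CTRL; save and clear it, xen_vcpu_notify_restore() writes it back. */` above the `if`. The comment should also say that any speculation-control bits that were set stay cleared on that vCPU until the restore callback runs. If some resume path does not reach `xen_vcpu_notify_restore()` (for example a cancelled suspend, should that be handled separately outside this hunk), the bits would stay cleared; that should be checked against the callers, which are not visible here. `xen_vcpu_notify_restore()` continues beyond the hunk.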