4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 11 Dec 2017 21:52:01 +0000 (22:52 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 11 Dec 2017 21:52:01 +0000 (22:52 +0100)
added patches:
alsa-hda-realtek-new-codec-support-for-alc257.patch
alsa-pcm-prevent-uaf-in-snd_pcm_info.patch
alsa-seq-remove-spurious-warn_on-at-timer-check.patch
alsa-usb-audio-add-check-return-value-for-usb_string.patch
alsa-usb-audio-fix-out-of-bound-error.patch
arm-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch
arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch
arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch
arm64-sw-pan-point-saved-ttbr0-at-the-zero-page-when-switching-to-init_mm.patch
arm64-sw-pan-update-saved-ttbr0-value-on-enter_lazy_tlb.patch
asn.1-check-for-error-from-asn1_op_end__act-actions.patch
asn.1-fix-out-of-bounds-read-when-parsing-indefinite-length-item.patch
brcmfmac-change-driver-unbind-order-of-the-sdio-function-devices.patch
btrfs-fix-missing-error-return-in-btrfs_drop_snapshot.patch
btrfs-handle-errors-while-updating-refcounts-in-update_ref_for_cow.patch
bus-arm-cci-fix-use-of-smp_processor_id-in-preemptible-context.patch
bus-arm-ccn-check-memory-allocation-failure.patch
bus-arm-ccn-fix-module-unloading-error-removing-state-147-which-has-instances-left.patch
bus-arm-ccn-fix-use-of-smp_processor_id-in-preemptible-context.patch
drivers-hv-vmbus-fix-a-rescind-issue.patch
drm-bridge-analogix-dp-fix-runtime-pm-state-in-get_modes-callback.patch
drm-exynos-gem-drop-noncontig-flag-for-buffers-allocated-without-iommu.patch
drm-i915-fix-vblank-timestamp-frame-counter-jumps-on-gen2.patch
drm-safely-free-connectors-from-connector_iter.patch
efi-esrt-use-memunmap-instead-of-kfree-to-free-the-remapping.patch
efi-move-some-sysfs-files-to-be-read-only-by-root.patch
firmware-cleanup-firmware_in_kernel-message.patch
firmware-vpd-destroy-vpd-sections-in-remove-function.patch
firmware-vpd-fix-platform-driver-and-device-registration-unregistration.patch
firmware-vpd-tie-firmware-kobject-to-device-lifetime.patch
hv-kvp-avoid-reading-past-allocated-blocks-from-kvp-file.patch
ib-core-avoid-unnecessary-return-value-check.patch
ib-core-only-enforce-security-for-infiniband.patch
iio-adc-cpcap-fix-incorrect-validation.patch
iio-adc-meson-saradc-fix-the-bit_idx-of-the-adc_en-clock.patch
iio-adc-meson-saradc-initialize-the-bandgap-correctly-on-older-socs.patch
iio-adc-meson-saradc-meson8-and-meson8b-do-not-have-reg11-and-reg13.patch
iio-health-max30102-temperature-should-be-in-milli-celsius.patch
iio-stm32-fix-adc-trigger-link-error.patch
iommu-vt-d-fix-scatterlist-offset-handling.patch
isa-prevent-null-dereference-in-isa_bus-driver-callbacks.patch
iwlwifi-add-new-cards-for-9260-and-22000-series.patch
iwlwifi-mvm-don-t-use-transmit-queue-hang-detection-when-it-is-not-possible.patch
iwlwifi-mvm-enable-rx-offloading-with-tkip-and-wep.patch
iwlwifi-mvm-fix-packet-injection.patch
iwlwifi-mvm-flush-queue-before-deleting-roc.patch
iwlwifi-mvm-mark-mic-stripped-mpdus.patch
kdb-fix-handling-of-kallsyms_symbol_next-return-value.patch
keys-add-missing-permission-check-for-request_key-destination.patch
keys-reject-null-restriction-string-when-type-is-specified.patch
kvm-arm-arm64-fix-broken-gich_elrsr-big-endian-conversion.patch
kvm-arm-arm64-vgic-irqfd-fix-msi-entry-allocation.patch
kvm-arm-arm64-vgic-its-check-result-of-allocation-before-use.patch
kvm-arm-arm64-vgic-preserve-the-revious-read-from-the-pending-table.patch
kvm-s390-fix-skey-emulation-permission-check.patch
kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch
kvm-x86-fix-apic-page-invalidation.patch
md-r5cache-move-mddev_lock-out-of-r5c_journal_mode_set.patch
media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch
media-rc-partial-revert-of-media-rc-per-protocol-repeat-period.patch
media-rc-sir_ir-detect-presence-of-port.patch
pinctrl-armada-37xx-fix-direction_output-callback-behavior.patch
powerpc-64s-initialize-isav3-mmu-registers-before-setting-partition-table.patch
revert-arm-dts-imx53-add-srtc-node.patch
revert-powerpc-do-not-call-ppc_md.panic-in-fadump-panic-notifier.patch
s390-always-save-and-restore-all-registers-on-context-switch.patch
s390-fix-compat-system-call-table.patch
s390-mm-fix-off-by-one-bug-in-5-level-page-table-handling.patch
scsi-dma-mapping-always-provide-dma_get_cache_alignment.patch
scsi-libsas-align-sata_device-s-rps_resp-on-a-cacheline.patch
scsi-use-dma_get_cache_alignment-as-minimum-dma-alignment.patch
smp-hotplug-move-step-cpuhp_ap_smpcfd_dying-to-the-correct-place.patch
virtio-release-virtio-index-when-fail-to-device_register.patch
x.509-fix-comparisons-of-pkey_algo.patch
x.509-reject-invalid-bit-string-for-subjectpublickey.patch
x86-idt-load-idt-early-in-start_secondary.patch
x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch

78 files changed:
queue-4.14/alsa-hda-realtek-new-codec-support-for-alc257.patch [new file with mode: 0644]
queue-4.14/alsa-pcm-prevent-uaf-in-snd_pcm_info.patch [new file with mode: 0644]
queue-4.14/alsa-seq-remove-spurious-warn_on-at-timer-check.patch [new file with mode: 0644]
queue-4.14/alsa-usb-audio-add-check-return-value-for-usb_string.patch [new file with mode: 0644]
queue-4.14/alsa-usb-audio-fix-out-of-bound-error.patch [new file with mode: 0644]
queue-4.14/arm-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch [new file with mode: 0644]
queue-4.14/arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch [new file with mode: 0644]
queue-4.14/arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch [new file with mode: 0644]
queue-4.14/arm64-sw-pan-point-saved-ttbr0-at-the-zero-page-when-switching-to-init_mm.patch [new file with mode: 0644]
queue-4.14/arm64-sw-pan-update-saved-ttbr0-value-on-enter_lazy_tlb.patch [new file with mode: 0644]
queue-4.14/asn.1-check-for-error-from-asn1_op_end__act-actions.patch [new file with mode: 0644]
queue-4.14/asn.1-fix-out-of-bounds-read-when-parsing-indefinite-length-item.patch [new file with mode: 0644]
queue-4.14/brcmfmac-change-driver-unbind-order-of-the-sdio-function-devices.patch [new file with mode: 0644]
queue-4.14/btrfs-fix-missing-error-return-in-btrfs_drop_snapshot.patch [new file with mode: 0644]
queue-4.14/btrfs-handle-errors-while-updating-refcounts-in-update_ref_for_cow.patch [new file with mode: 0644]
queue-4.14/bus-arm-cci-fix-use-of-smp_processor_id-in-preemptible-context.patch [new file with mode: 0644]
queue-4.14/bus-arm-ccn-check-memory-allocation-failure.patch [new file with mode: 0644]
queue-4.14/bus-arm-ccn-fix-module-unloading-error-removing-state-147-which-has-instances-left.patch [new file with mode: 0644]
queue-4.14/bus-arm-ccn-fix-use-of-smp_processor_id-in-preemptible-context.patch [new file with mode: 0644]
queue-4.14/drivers-hv-vmbus-fix-a-rescind-issue.patch [new file with mode: 0644]
queue-4.14/drm-bridge-analogix-dp-fix-runtime-pm-state-in-get_modes-callback.patch [new file with mode: 0644]
queue-4.14/drm-exynos-gem-drop-noncontig-flag-for-buffers-allocated-without-iommu.patch [new file with mode: 0644]
queue-4.14/drm-i915-fix-vblank-timestamp-frame-counter-jumps-on-gen2.patch [new file with mode: 0644]
queue-4.14/drm-safely-free-connectors-from-connector_iter.patch [new file with mode: 0644]
queue-4.14/efi-esrt-use-memunmap-instead-of-kfree-to-free-the-remapping.patch [new file with mode: 0644]
queue-4.14/efi-move-some-sysfs-files-to-be-read-only-by-root.patch [new file with mode: 0644]
queue-4.14/firmware-cleanup-firmware_in_kernel-message.patch [new file with mode: 0644]
queue-4.14/firmware-vpd-destroy-vpd-sections-in-remove-function.patch [new file with mode: 0644]
queue-4.14/firmware-vpd-fix-platform-driver-and-device-registration-unregistration.patch [new file with mode: 0644]
queue-4.14/firmware-vpd-tie-firmware-kobject-to-device-lifetime.patch [new file with mode: 0644]
queue-4.14/hv-kvp-avoid-reading-past-allocated-blocks-from-kvp-file.patch [new file with mode: 0644]
queue-4.14/ib-core-avoid-unnecessary-return-value-check.patch [new file with mode: 0644]
queue-4.14/ib-core-only-enforce-security-for-infiniband.patch [new file with mode: 0644]
queue-4.14/iio-adc-cpcap-fix-incorrect-validation.patch [new file with mode: 0644]
queue-4.14/iio-adc-meson-saradc-fix-the-bit_idx-of-the-adc_en-clock.patch [new file with mode: 0644]
queue-4.14/iio-adc-meson-saradc-initialize-the-bandgap-correctly-on-older-socs.patch [new file with mode: 0644]
queue-4.14/iio-adc-meson-saradc-meson8-and-meson8b-do-not-have-reg11-and-reg13.patch [new file with mode: 0644]
queue-4.14/iio-health-max30102-temperature-should-be-in-milli-celsius.patch [new file with mode: 0644]
queue-4.14/iio-stm32-fix-adc-trigger-link-error.patch [new file with mode: 0644]
queue-4.14/iommu-vt-d-fix-scatterlist-offset-handling.patch [new file with mode: 0644]
queue-4.14/isa-prevent-null-dereference-in-isa_bus-driver-callbacks.patch [new file with mode: 0644]
queue-4.14/iwlwifi-add-new-cards-for-9260-and-22000-series.patch [new file with mode: 0644]
queue-4.14/iwlwifi-mvm-don-t-use-transmit-queue-hang-detection-when-it-is-not-possible.patch [new file with mode: 0644]
queue-4.14/iwlwifi-mvm-enable-rx-offloading-with-tkip-and-wep.patch [new file with mode: 0644]
queue-4.14/iwlwifi-mvm-fix-packet-injection.patch [new file with mode: 0644]
queue-4.14/iwlwifi-mvm-flush-queue-before-deleting-roc.patch [new file with mode: 0644]
queue-4.14/iwlwifi-mvm-mark-mic-stripped-mpdus.patch [new file with mode: 0644]
queue-4.14/kdb-fix-handling-of-kallsyms_symbol_next-return-value.patch [new file with mode: 0644]
queue-4.14/keys-add-missing-permission-check-for-request_key-destination.patch [new file with mode: 0644]
queue-4.14/keys-reject-null-restriction-string-when-type-is-specified.patch [new file with mode: 0644]
queue-4.14/kvm-arm-arm64-fix-broken-gich_elrsr-big-endian-conversion.patch [new file with mode: 0644]
queue-4.14/kvm-arm-arm64-vgic-irqfd-fix-msi-entry-allocation.patch [new file with mode: 0644]
queue-4.14/kvm-arm-arm64-vgic-its-check-result-of-allocation-before-use.patch [new file with mode: 0644]
queue-4.14/kvm-arm-arm64-vgic-preserve-the-revious-read-from-the-pending-table.patch [new file with mode: 0644]
queue-4.14/kvm-s390-fix-skey-emulation-permission-check.patch [new file with mode: 0644]
queue-4.14/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch [new file with mode: 0644]
queue-4.14/kvm-x86-fix-apic-page-invalidation.patch [new file with mode: 0644]
queue-4.14/md-r5cache-move-mddev_lock-out-of-r5c_journal_mode_set.patch [new file with mode: 0644]
queue-4.14/media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch [new file with mode: 0644]
queue-4.14/media-rc-partial-revert-of-media-rc-per-protocol-repeat-period.patch [new file with mode: 0644]
queue-4.14/media-rc-sir_ir-detect-presence-of-port.patch [new file with mode: 0644]
queue-4.14/pinctrl-armada-37xx-fix-direction_output-callback-behavior.patch [new file with mode: 0644]
queue-4.14/powerpc-64s-initialize-isav3-mmu-registers-before-setting-partition-table.patch [new file with mode: 0644]
queue-4.14/revert-arm-dts-imx53-add-srtc-node.patch [new file with mode: 0644]
queue-4.14/revert-powerpc-do-not-call-ppc_md.panic-in-fadump-panic-notifier.patch [new file with mode: 0644]
queue-4.14/s390-always-save-and-restore-all-registers-on-context-switch.patch [new file with mode: 0644]
queue-4.14/s390-fix-compat-system-call-table.patch [new file with mode: 0644]
queue-4.14/s390-mm-fix-off-by-one-bug-in-5-level-page-table-handling.patch [new file with mode: 0644]
queue-4.14/scsi-dma-mapping-always-provide-dma_get_cache_alignment.patch [new file with mode: 0644]
queue-4.14/scsi-libsas-align-sata_device-s-rps_resp-on-a-cacheline.patch [new file with mode: 0644]
queue-4.14/scsi-use-dma_get_cache_alignment-as-minimum-dma-alignment.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/smp-hotplug-move-step-cpuhp_ap_smpcfd_dying-to-the-correct-place.patch [new file with mode: 0644]
queue-4.14/virtio-release-virtio-index-when-fail-to-device_register.patch [new file with mode: 0644]
queue-4.14/x.509-fix-comparisons-of-pkey_algo.patch [new file with mode: 0644]
queue-4.14/x.509-reject-invalid-bit-string-for-subjectpublickey.patch [new file with mode: 0644]
queue-4.14/x86-idt-load-idt-early-in-start_secondary.patch [new file with mode: 0644]
queue-4.14/x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch [new file with mode: 0644]

diff --git a/queue-4.14/alsa-hda-realtek-new-codec-support-for-alc257.patch b/queue-4.14/alsa-hda-realtek-new-codec-support-for-alc257.patch
new file mode 100644 (file)
index 0000000..5fd38f7
--- /dev/null
@@ -0,0 +1,67 @@
+From f429e7e494afaded76e62c6f98211a635aa03098 Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Tue, 5 Dec 2017 15:38:24 +0800
+Subject: ALSA: hda/realtek - New codec support for ALC257
+
+From: Kailang Yang <kailang@realtek.com>
+
+commit f429e7e494afaded76e62c6f98211a635aa03098 upstream.
+
+Add new support for ALC257 codec.
+
+[ It's supposed to be almost equivalent with other ALC25x variants,
+  just adding another type and id -- tiwai ]
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -330,6 +330,7 @@ static void alc_fill_eapd_coef(struct hd
+       case 0x10ec0236:
+       case 0x10ec0255:
+       case 0x10ec0256:
++      case 0x10ec0257:
+       case 0x10ec0282:
+       case 0x10ec0283:
+       case 0x10ec0286:
+@@ -2749,6 +2750,7 @@ enum {
+       ALC269_TYPE_ALC298,
+       ALC269_TYPE_ALC255,
+       ALC269_TYPE_ALC256,
++      ALC269_TYPE_ALC257,
+       ALC269_TYPE_ALC215,
+       ALC269_TYPE_ALC225,
+       ALC269_TYPE_ALC294,
+@@ -2782,6 +2784,7 @@ static int alc269_parse_auto_config(stru
+       case ALC269_TYPE_ALC298:
+       case ALC269_TYPE_ALC255:
+       case ALC269_TYPE_ALC256:
++      case ALC269_TYPE_ALC257:
+       case ALC269_TYPE_ALC215:
+       case ALC269_TYPE_ALC225:
+       case ALC269_TYPE_ALC294:
+@@ -6839,6 +6842,10 @@ static int patch_alc269(struct hda_codec
+               spec->gen.mixer_nid = 0; /* ALC256 does not have any loopback mixer path */
+               alc_update_coef_idx(codec, 0x36, 1 << 13, 1 << 5); /* Switch pcbeep path to Line in path*/
+               break;
++      case 0x10ec0257:
++              spec->codec_variant = ALC269_TYPE_ALC257;
++              spec->gen.mixer_nid = 0;
++              break;
+       case 0x10ec0215:
+       case 0x10ec0285:
+       case 0x10ec0289:
+@@ -7886,6 +7893,7 @@ static const struct hda_device_id snd_hd
+       HDA_CODEC_ENTRY(0x10ec0236, "ALC236", patch_alc269),
+       HDA_CODEC_ENTRY(0x10ec0255, "ALC255", patch_alc269),
+       HDA_CODEC_ENTRY(0x10ec0256, "ALC256", patch_alc269),
++      HDA_CODEC_ENTRY(0x10ec0257, "ALC257", patch_alc269),
+       HDA_CODEC_ENTRY(0x10ec0260, "ALC260", patch_alc260),
+       HDA_CODEC_ENTRY(0x10ec0262, "ALC262", patch_alc262),
+       HDA_CODEC_ENTRY(0x10ec0267, "ALC267", patch_alc268),
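Review bot: The new `case 0x10ec0257:` in patch_alc269 clears `spec->gen.mixer_nid` without saying why, while the ALC256 case directly above it documents the same assignment with `/* ALC256 does not have any loopback mixer path */`. Since the commit message only says ALC257 is "supposed to be almost equivalent" to the other ALC25x variants, the absence of a loopback mixer path is an assumption worth recording: `spec->gen.mixer_nid = 0; /* assumed: no loopback mixer path, as on ALC256 */`. Unlike the ALC256 case, no alc_update_coef_idx() pcbeep-path change is made for ALC257; if that is deliberate, a one-line comment would stop it being read as an omission. patch_alc269 starts and ends outside this hunk.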
diff --git a/queue-4.14/alsa-pcm-prevent-uaf-in-snd_pcm_info.patch b/queue-4.14/alsa-pcm-prevent-uaf-in-snd_pcm_info.patch
new file mode 100644 (file)
index 0000000..cbfccd6
--- /dev/null
@@ -0,0 +1,37 @@
+From 362bca57f5d78220f8b5907b875961af9436e229 Mon Sep 17 00:00:00 2001
+From: Robb Glasser <rglasser@google.com>
+Date: Tue, 5 Dec 2017 09:16:55 -0800
+Subject: ALSA: pcm: prevent UAF in snd_pcm_info
+
+From: Robb Glasser <rglasser@google.com>
+
+commit 362bca57f5d78220f8b5907b875961af9436e229 upstream.
+
+When the device descriptor is closed, the `substream->runtime` pointer
+is freed. But another thread may be in the ioctl handler, case
+SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which
+calls snd_pcm_info() which accesses the now freed `substream->runtime`.
+
+Note: this fixes CVE-2017-0861
+
+Signed-off-by: Robb Glasser <rglasser@google.com>
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/pcm.c
++++ b/sound/core/pcm.c
+@@ -153,7 +153,9 @@ static int snd_pcm_control_ioctl(struct
+                               err = -ENXIO;
+                               goto _error;
+                       }
++                      mutex_lock(&pcm->open_mutex);
+                       err = snd_pcm_info_user(substream, info);
++                      mutex_unlock(&pcm->open_mutex);
+               _error:
+                       mutex_unlock(&register_mutex);
+                       return err;
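Review bot: The added `mutex_lock(&pcm->open_mutex)` appears to be taken while register_mutex is already held (the `_error:` path just below releases it), and nothing in the hunk records why open_mutex is the lock that keeps `substream->runtime` alive, so a later reader cannot tell it is a lifetime guard rather than an ordering artefact. A comment on the lock line would do: `/* open_mutex keeps substream->runtime from being freed by a concurrent close while snd_pcm_info_user() runs */`. The nesting register_mutex -> open_mutex is now fixed by this site and must agree with every other place that takes both; that cannot be verified from the hunk alone. The enclosing snd_pcm_control_ioctl() starts outside the hunk.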
diff --git a/queue-4.14/alsa-seq-remove-spurious-warn_on-at-timer-check.patch b/queue-4.14/alsa-seq-remove-spurious-warn_on-at-timer-check.patch
new file mode 100644 (file)
index 0000000..88b0551
--- /dev/null
@@ -0,0 +1,35 @@
+From 43a3542870328601be02fcc9d27b09db467336ef Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 30 Nov 2017 10:08:28 +0100
+Subject: ALSA: seq: Remove spurious WARN_ON() at timer check
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 43a3542870328601be02fcc9d27b09db467336ef upstream.
+
+The use of snd_BUG_ON() in ALSA sequencer timer may lead to a spurious
+WARN_ON() when a slave timer is deployed as its backend and a
+corresponding master timer stops meanwhile.  The symptom was triggered
+by syzkaller spontaneously.
+
+Since the NULL timer is valid there, rip off snd_BUG_ON().
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_timer.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/seq/seq_timer.c
++++ b/sound/core/seq/seq_timer.c
+@@ -355,7 +355,7 @@ static int initialize_timer(struct snd_s
+       unsigned long freq;
+       t = tmr->timeri->timer;
+-      if (snd_BUG_ON(!t))
++      if (!t)
+               return -EINVAL;
+       freq = tmr->preferred_resolution;
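Review bot: The changed line `if (!t)` now turns a NULL backend timer into a plain -EINVAL, and without the commit message a reader will be tempted to put a WARN back, because a NULL timer looks like a bug. The reason it is a legitimate state belongs next to the check: `if (!t) /* slave timer whose master stopped meanwhile; valid, just unusable */`. initialize_timer() continues outside the hunk.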
diff --git a/queue-4.14/alsa-usb-audio-add-check-return-value-for-usb_string.patch b/queue-4.14/alsa-usb-audio-add-check-return-value-for-usb_string.patch
new file mode 100644 (file)
index 0000000..2ed3122
--- /dev/null
@@ -0,0 +1,42 @@
+From 89b89d121ffcf8d9546633b98ded9d18b8f75891 Mon Sep 17 00:00:00 2001
+From: Jaejoong Kim <climbbb.kim@gmail.com>
+Date: Mon, 4 Dec 2017 15:31:49 +0900
+Subject: ALSA: usb-audio: Add check return value for usb_string()
+
+From: Jaejoong Kim <climbbb.kim@gmail.com>
+
+commit 89b89d121ffcf8d9546633b98ded9d18b8f75891 upstream.
+
+snd_usb_copy_string_desc() returns zero if usb_string() fails.
+In case of failure, we need to check the snd_usb_copy_string_desc()'s
+return value and add an exception case
+
+Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -2178,13 +2178,14 @@ static int parse_audio_selector_unit(str
+       if (len)
+               ;
+       else if (nameid)
+-              snd_usb_copy_string_desc(state, nameid, kctl->id.name,
++              len = snd_usb_copy_string_desc(state, nameid, kctl->id.name,
+                                        sizeof(kctl->id.name));
+-      else {
++      else
+               len = get_term_name(state, &state->oterm,
+                                   kctl->id.name, sizeof(kctl->id.name), 0);
+-              if (!len)
+-                      strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
++
++      if (!len) {
++              strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
+               if (desc->bDescriptorSubtype == UAC2_CLOCK_SELECTOR)
+                       append_ctl_name(kctl, " Clock Source");
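Review bot: The rewritten chain on the new side still uses the empty-statement form `if (len) ;` / `else if (nameid)` to mean "only look up a name when we don't have one yet", which is easy to misread now that the `if (!len)` fallback has been hoisted out of the else branch. The same logic reads more directly by replacing `if (len) ;` / `else if (nameid)` with `if (!len && nameid)`, and the bare `else` with `else if (!len)`, leaving the hoisted fallback block as it is. The `if (!len) {` block opened at the end of the hunk closes outside it, and parse_audio_selector_unit() starts outside the hunk as well.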
diff --git a/queue-4.14/alsa-usb-audio-fix-out-of-bound-error.patch b/queue-4.14/alsa-usb-audio-fix-out-of-bound-error.patch
new file mode 100644 (file)
index 0000000..05204fa
--- /dev/null
@@ -0,0 +1,95 @@
+From 251552a2b0d454badc8f486e6d79100970c744b0 Mon Sep 17 00:00:00 2001
+From: Jaejoong Kim <climbbb.kim@gmail.com>
+Date: Mon, 4 Dec 2017 15:31:48 +0900
+Subject: ALSA: usb-audio: Fix out-of-bound error
+
+From: Jaejoong Kim <climbbb.kim@gmail.com>
+
+commit 251552a2b0d454badc8f486e6d79100970c744b0 upstream.
+
+The snd_usb_copy_string_desc() retrieves the usb string corresponding to
+the index number through the usb_string(). The problem is that the
+usb_string() returns the length of the string (>= 0) when successful, but
+it can also return a negative value about the error case or status of
+usb_control_msg().
+
+If iClockSource is '0' as shown below, usb_string() will returns -EINVAL.
+This will result in '0' being inserted into buf[-22], and the following
+KASAN out-of-bound error message will be output.
+
+AudioControl Interface Descriptor:
+  bLength                 8
+  bDescriptorType        36
+  bDescriptorSubtype     10 (CLOCK_SOURCE)
+  bClockID                1
+  bmAttributes         0x07 Internal programmable Clock (synced to SOF)
+  bmControls           0x07
+  Clock Frequency Control (read/write)
+  Clock Validity Control (read-only)
+  bAssocTerminal          0
+  iClockSource            0
+
+To fix it, check usb_string()'return value and bail out.
+
+==================================================================
+BUG: KASAN: stack-out-of-bounds in parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
+Write of size 1 at addr ffff88007e66735a by task systemd-udevd/18376
+
+CPU: 0 PID: 18376 Comm: systemd-udevd Not tainted 4.13.0+ #3
+Hardware name: LG Electronics                   15N540-RFLGL/White Tip Mountain, BIOS 15N5
+Call Trace:
+dump_stack+0x63/0x8d
+print_address_description+0x70/0x290
+? parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
+kasan_report+0x265/0x350
+__asan_store1+0x4a/0x50
+parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
+? save_stack+0xb5/0xd0
+? save_stack_trace+0x1b/0x20
+? save_stack+0x46/0xd0
+? kasan_kmalloc+0xad/0xe0
+? kmem_cache_alloc_trace+0xff/0x230
+? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
+? usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
+? usb_probe_interface+0x1f5/0x440
+? driver_probe_device+0x3ed/0x660
+? build_feature_ctl+0xb10/0xb10 [snd_usb_audio]
+? save_stack_trace+0x1b/0x20
+? init_object+0x69/0xa0
+? snd_usb_find_csint_desc+0xa8/0xf0 [snd_usb_audio]
+snd_usb_mixer_controls+0x1dc/0x370 [snd_usb_audio]
+? build_audio_procunit+0x890/0x890 [snd_usb_audio]
+? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
+? kmem_cache_alloc_trace+0xff/0x230
+? usb_ifnum_to_if+0xbd/0xf0
+snd_usb_create_mixer+0x25b/0x4b0 [snd_usb_audio]
+? snd_usb_create_stream+0x255/0x2c0 [snd_usb_audio]
+usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
+? snd_usb_autosuspend.part.7+0x30/0x30 [snd_usb_audio]
+? __pm_runtime_idle+0x90/0x90
+? kernfs_activate+0xa6/0xc0
+? usb_match_one_id_intf+0xdc/0x130
+? __pm_runtime_set_status+0x2d4/0x450
+usb_probe_interface+0x1f5/0x440
+
+Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -204,6 +204,10 @@ static int snd_usb_copy_string_desc(stru
+                                   int index, char *buf, int maxlen)
+ {
+       int len = usb_string(state->chip->dev, index, buf, maxlen - 1);
++
++      if (len < 0)
++              return 0;
++
+       buf[len] = 0;
+       return len;
+ }
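Review bot: On the new early-return path `if (len < 0) return 0;` in snd_usb_copy_string_desc() the caller's buffer is left untouched, so the contract is now "buf is a valid string only when the return value is non-zero"; the companion patch alsa-usb-audio-add-check-return-value-for-usb_string.patch in this same commit fixes the one caller that ignored the return value, but future callers can easily miss that. Writing `buf[0] = 0;` before the `return 0;` (or at least a comment `/* on error buf is not written; callers must check the returned length */`) makes the function safe either way. The existing `buf[len] = 0` also relies on usb_string() never returning more than maxlen - 2 for a request of maxlen - 1 bytes, and on maxlen being at least 1; both are presumably true for the current callers but are not checked here.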
diff --git a/queue-4.14/arm-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch b/queue-4.14/arm-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch
new file mode 100644 (file)
index 0000000..df3af55
--- /dev/null
@@ -0,0 +1,40 @@
+From 5553b142be11e794ebc0805950b2e8313f93d718 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Thu, 16 Nov 2017 17:58:21 +0000
+Subject: arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 5553b142be11e794ebc0805950b2e8313f93d718 upstream.
+
+VTTBR_BADDR_MASK is used to sanity check the size and alignment of the
+VTTBR address. It seems to currently be off by one, thereby only
+allowing up to 39-bit addresses (instead of 40-bit) and also
+insufficiently checking the alignment. This patch fixes it.
+
+This patch is the 32bit pendent of Kristina's arm64 fix, and
+she deserves the actual kudos for pinpointing that one.
+
+Fixes: f7ed45be3ba52 ("KVM: ARM: World-switch implementation")
+Reported-by: Kristina Martsenko <kristina.martsenko@arm.com>
+Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/include/asm/kvm_arm.h |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/arm/include/asm/kvm_arm.h
++++ b/arch/arm/include/asm/kvm_arm.h
+@@ -161,8 +161,7 @@
+ #else
+ #define VTTBR_X               (5 - KVM_T0SZ)
+ #endif
+-#define VTTBR_BADDR_SHIFT (VTTBR_X - 1)
+-#define VTTBR_BADDR_MASK  (((_AC(1, ULL) << (40 - VTTBR_X)) - 1) << VTTBR_BADDR_SHIFT)
++#define VTTBR_BADDR_MASK  (((_AC(1, ULL) << (40 - VTTBR_X)) - 1) << VTTBR_X)
+ #define VTTBR_VMID_SHIFT  _AC(48, ULL)
+ #define VTTBR_VMID_MASK(size) (_AT(u64, (1 << size) - 1) << VTTBR_VMID_SHIFT)
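Review bot: The corrected `VTTBR_BADDR_MASK` on the new side now encodes two requirements at once — the base address must fit in 40 bits and its low VTTBR_X bits must be zero — but the header still carries no comment saying so, which is how the original off-by-one went unnoticed. A short comment above the define would help: `/* VTTBR base address: bits [VTTBR_X, 39]; low VTTBR_X bits must be zero (alignment) */`. The same applies to queue-4.14/arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch, where the range is [VTTBR_X, PHYS_MASK_SHIFT - 1]. Both patches also drop VTTBR_BADDR_SHIFT entirely; the diffstat shows no other file touched, so I assume the 4.14 tree has no remaining users, but that is worth confirming before the backport lands.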
diff --git a/queue-4.14/arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch b/queue-4.14/arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch
new file mode 100644 (file)
index 0000000..a5da4d5
--- /dev/null
@@ -0,0 +1,95 @@
+From 071b6d4a5d343046f253a5a8835d477d93992002 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Tue, 5 Dec 2017 14:56:42 +0000
+Subject: arm64: fpsimd: Prevent registers leaking from dead tasks
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit 071b6d4a5d343046f253a5a8835d477d93992002 upstream.
+
+Currently, loading of a task's fpsimd state into the CPU registers
+is skipped if that task's state is already present in the registers
+of that CPU.
+
+However, the code relies on the struct fpsimd_state * (and by
+extension struct task_struct *) to unambiguously identify a task.
+
+There is a particular case in which this doesn't work reliably:
+when a task exits, its task_struct may be recycled to describe a
+new task.
+
+Consider the following scenario:
+
+ 1) Task P loads its fpsimd state onto cpu C.
+        per_cpu(fpsimd_last_state, C) := P;
+        P->thread.fpsimd_state.cpu := C;
+
+ 2) Task X is scheduled onto C and loads its fpsimd state on C.
+        per_cpu(fpsimd_last_state, C) := X;
+        X->thread.fpsimd_state.cpu := C;
+
+ 3) X exits, causing X's task_struct to be freed.
+
+ 4) P forks a new child T, which obtains X's recycled task_struct.
+       T == X.
+       T->thread.fpsimd_state.cpu == C (inherited from P).
+
+ 5) T is scheduled on C.
+       T's fpsimd state is not loaded, because
+       per_cpu(fpsimd_last_state, C) == T (== X) &&
+       T->thread.fpsimd_state.cpu == C.
+
+        (This is the check performed by fpsimd_thread_switch().)
+
+So, T gets X's registers because the last registers loaded onto C
+were those of X, in (2).
+
+This patch fixes the problem by ensuring that the sched-in check
+fails in (5): fpsimd_flush_task_state(T) is called when T is
+forked, so that T->thread.fpsimd_state.cpu == C cannot be true.
+This relies on the fact that T is not schedulable until after
+copy_thread() completes.
+
+Once T's fpsimd state has been loaded on some CPU C there may still
+be other cpus D for which per_cpu(fpsimd_last_state, D) ==
+&X->thread.fpsimd_state.  But D is necessarily != C in this case,
+and the check in (5) must fail.
+
+An alternative fix would be to do refcounting on task_struct.  This
+would result in each CPU holding a reference to the last task whose
+fpsimd state was loaded there.  It's not clear whether this is
+preferable, and it involves higher overhead than the fix proposed
+in this patch.  It would also move all the task_struct freeing
+work into the context switch critical section, or otherwise some
+deferred cleanup mechanism would need to be introduced, neither of
+which seems obviously justified.
+
+Fixes: 005f78cd8849 ("arm64: defer reloading a task's FPSIMD state to userland resume")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+[will: word-smithed the comment so it makes more sense]
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/process.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/arch/arm64/kernel/process.c
++++ b/arch/arm64/kernel/process.c
+@@ -258,6 +258,15 @@ int copy_thread(unsigned long clone_flag
+       memset(&p->thread.cpu_context, 0, sizeof(struct cpu_context));
++      /*
++       * In case p was allocated the same task_struct pointer as some
++       * other recently-exited task, make sure p is disassociated from
++       * any cpu that may have run that now-exited task recently.
++       * Otherwise we could erroneously skip reloading the FPSIMD
++       * registers for p.
++       */
++      fpsimd_flush_task_state(p);
++
+       if (likely(!(p->flags & PF_KTHREAD))) {
+               *childregs = *current_pt_regs();
+               childregs->regs[0] = 0;
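Review bot: The added block comment explains what the `fpsimd_flush_task_state(p)` call prevents, but not the invariant the fix depends on: the commit message notes that it only works because p is not schedulable until copy_thread() completes, and that ordering is what a future refactor could silently break. Adding one sentence to the comment, e.g. `This must run before p becomes schedulable, i.e. before copy_thread() returns.`, keeps the constraint next to the code. copy_thread() starts and ends outside the hunk.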
diff --git a/queue-4.14/arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch b/queue-4.14/arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch
new file mode 100644 (file)
index 0000000..ed911ea
--- /dev/null
@@ -0,0 +1,53 @@
+From 26aa7b3b1c0fb3f1a6176a0c1847204ef4355693 Mon Sep 17 00:00:00 2001
+From: Kristina Martsenko <kristina.martsenko@arm.com>
+Date: Thu, 16 Nov 2017 17:58:20 +0000
+Subject: arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one
+
+From: Kristina Martsenko <kristina.martsenko@arm.com>
+
+commit 26aa7b3b1c0fb3f1a6176a0c1847204ef4355693 upstream.
+
+VTTBR_BADDR_MASK is used to sanity check the size and alignment of the
+VTTBR address. It seems to currently be off by one, thereby only
+allowing up to 47-bit addresses (instead of 48-bit) and also
+insufficiently checking the alignment. This patch fixes it.
+
+As an example, with 4k pages, before this patch we have:
+
+  PHYS_MASK_SHIFT = 48
+  VTTBR_X = 37 - 24 = 13
+  VTTBR_BADDR_SHIFT = 13 - 1 = 12
+  VTTBR_BADDR_MASK = ((1 << 35) - 1) << 12 = 0x00007ffffffff000
+
+Which is wrong, because the mask doesn't allow bit 47 of the VTTBR
+address to be set, and only requires the address to be 12-bit (4k)
+aligned, while it actually needs to be 13-bit (8k) aligned because we
+concatenate two 4k tables.
+
+With this patch, the mask becomes 0x0000ffffffffe000, which is what we
+want.
+
+Fixes: 0369f6a34b9f ("arm64: KVM: EL2 register definitions")
+Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/kvm_arm.h |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/arm64/include/asm/kvm_arm.h
++++ b/arch/arm64/include/asm/kvm_arm.h
+@@ -170,8 +170,7 @@
+ #define VTCR_EL2_FLAGS                        (VTCR_EL2_COMMON_BITS | VTCR_EL2_TGRAN_FLAGS)
+ #define VTTBR_X                               (VTTBR_X_TGRAN_MAGIC - VTCR_EL2_T0SZ_IPA)
+-#define VTTBR_BADDR_SHIFT (VTTBR_X - 1)
+-#define VTTBR_BADDR_MASK  (((UL(1) << (PHYS_MASK_SHIFT - VTTBR_X)) - 1) << VTTBR_BADDR_SHIFT)
++#define VTTBR_BADDR_MASK  (((UL(1) << (PHYS_MASK_SHIFT - VTTBR_X)) - 1) << VTTBR_X)
+ #define VTTBR_VMID_SHIFT  (UL(48))
+ #define VTTBR_VMID_MASK(size) (_AT(u64, (1 << size) - 1) << VTTBR_VMID_SHIFT)
diff --git a/queue-4.14/arm64-sw-pan-point-saved-ttbr0-at-the-zero-page-when-switching-to-init_mm.patch b/queue-4.14/arm64-sw-pan-point-saved-ttbr0-at-the-zero-page-when-switching-to-init_mm.patch
new file mode 100644 (file)
index 0000000..25e1ac3
--- /dev/null
@@ -0,0 +1,91 @@
+From 0adbdfde8cfc9415aeed2a4955d2d17b3bd9bf13 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Wed, 6 Dec 2017 10:42:10 +0000
+Subject: arm64: SW PAN: Point saved ttbr0 at the zero page when switching to init_mm
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit 0adbdfde8cfc9415aeed2a4955d2d17b3bd9bf13 upstream.
+
+update_saved_ttbr0 mandates that mm->pgd is not swapper, since swapper
+contains kernel mappings and should never be installed into ttbr0. However,
+this means that callers must avoid passing the init_mm to update_saved_ttbr0
+which in turn can cause the saved ttbr0 value to be out-of-date in the context
+of the idle thread. For example, EFI runtime services may leave the saved ttbr0
+pointing at the EFI page table, and kernel threads may end up with stale
+references to freed page tables.
+
+This patch changes update_saved_ttbr0 so that the init_mm points the saved
+ttbr0 value to the empty zero page, which always exists and never contains
+valid translations. EFI and switch can then call into update_saved_ttbr0
+unconditionally.
+
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Vinayak Menon <vinmenon@codeaurora.org>
+Fixes: 39bc88e5e38e9b21 ("arm64: Disable TTBR0_EL1 during normal kernel execution")
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Reviewed-by: Mark Rutland <mark.rutland@arm.com>
+Reported-by: Vinayak Menon <vinmenon@codeaurora.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/efi.h         |    4 +---
+ arch/arm64/include/asm/mmu_context.h |   22 +++++++++++++---------
+ 2 files changed, 14 insertions(+), 12 deletions(-)
+
+--- a/arch/arm64/include/asm/efi.h
++++ b/arch/arm64/include/asm/efi.h
+@@ -132,11 +132,9 @@ static inline void efi_set_pgd(struct mm
+                        * Defer the switch to the current thread's TTBR0_EL1
+                        * until uaccess_enable(). Restore the current
+                        * thread's saved ttbr0 corresponding to its active_mm
+-                       * (if different from init_mm).
+                        */
+                       cpu_set_reserved_ttbr0();
+-                      if (current->active_mm != &init_mm)
+-                              update_saved_ttbr0(current, current->active_mm);
++                      update_saved_ttbr0(current, current->active_mm);
+               }
+       }
+ }
+--- a/arch/arm64/include/asm/mmu_context.h
++++ b/arch/arm64/include/asm/mmu_context.h
+@@ -174,11 +174,17 @@ enter_lazy_tlb(struct mm_struct *mm, str
+ static inline void update_saved_ttbr0(struct task_struct *tsk,
+                                     struct mm_struct *mm)
+ {
+-      if (system_uses_ttbr0_pan()) {
+-              BUG_ON(mm->pgd == swapper_pg_dir);
+-              task_thread_info(tsk)->ttbr0 =
+-                      virt_to_phys(mm->pgd) | ASID(mm) << 48;
+-      }
++      u64 ttbr;
++
++      if (!system_uses_ttbr0_pan())
++              return;
++
++      if (mm == &init_mm)
++              ttbr = __pa_symbol(empty_zero_page);
++      else
++              ttbr = virt_to_phys(mm->pgd) | ASID(mm) << 48;
++
++      task_thread_info(tsk)->ttbr0 = ttbr;
+ }
+ #else
+ static inline void update_saved_ttbr0(struct task_struct *tsk,
+@@ -214,11 +220,9 @@ switch_mm(struct mm_struct *prev, struct
+        * Update the saved TTBR0_EL1 of the scheduled-in task as the previous
+        * value may have not been initialised yet (activate_mm caller) or the
+        * ASID has changed since the last run (following the context switch
+-       * of another thread of the same process). Avoid setting the reserved
+-       * TTBR0_EL1 to swapper_pg_dir (init_mm; e.g. via idle_task_exit).
++       * of another thread of the same process).
+        */
+-      if (next != &init_mm)
+-              update_saved_ttbr0(tsk, next);
++      update_saved_ttbr0(tsk, next);
+ }
+ #define deactivate_mm(tsk,mm) do { } while (0)
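Review bot: The `BUG_ON(mm->pgd == swapper_pg_dir)` dropped from update_saved_ttbr0 is not replaced by anything in the new else branch, so the invariant that swapper_pg_dir is never installed into ttbr0 is now checked only against the literal `&init_mm` pointer; if any other mm ever carries the swapper pgd, it would be written into thread_info->ttbr0 silently. Keeping the guard on the branch that actually uses the pgd costs nothing: `else { BUG_ON(mm->pgd == swapper_pg_dir); ttbr = virt_to_phys(mm->pgd) | ASID(mm) << 48; }`. The zero-page value is also stored without any ASID bits, which is presumably intentional (reserved ASID 0) and deserves a comment such as `/* init_mm has no user mappings: park ttbr0 on the zero page (ASID 0) so no freed pgd can be installed */`. Both callers shown here, efi_set_pgd and switch_mm, start outside the hunk.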
diff --git a/queue-4.14/arm64-sw-pan-update-saved-ttbr0-value-on-enter_lazy_tlb.patch b/queue-4.14/arm64-sw-pan-update-saved-ttbr0-value-on-enter_lazy_tlb.patch
new file mode 100644 (file)
index 0000000..ca85811
--- /dev/null
@@ -0,0 +1,74 @@
+From d96cc49bff5a7735576cc6f6f111f875d101cec8 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Wed, 6 Dec 2017 10:51:12 +0000
+Subject: arm64: SW PAN: Update saved ttbr0 value on enter_lazy_tlb
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit d96cc49bff5a7735576cc6f6f111f875d101cec8 upstream.
+
+enter_lazy_tlb is called when a kernel thread rides on the back of
+another mm, due to a context switch or an explicit call to unuse_mm
+where a call to switch_mm is elided.
+
+In these cases, it's important to keep the saved ttbr value up to date
+with the active mm, otherwise we can end up with a stale value which
+points to a potentially freed page table.
+
+This patch implements enter_lazy_tlb for arm64, so that the saved ttbr0
+is kept up-to-date with the active mm for kernel threads.
+
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Vinayak Menon <vinmenon@codeaurora.org>
+Fixes: 39bc88e5e38e9b21 ("arm64: Disable TTBR0_EL1 during normal kernel execution")
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Reviewed-by: Mark Rutland <mark.rutland@arm.com>
+Reported-by: Vinayak Menon <vinmenon@codeaurora.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/mmu_context.h |   24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+--- a/arch/arm64/include/asm/mmu_context.h
++++ b/arch/arm64/include/asm/mmu_context.h
+@@ -156,20 +156,6 @@ void check_and_switch_context(struct mm_
+ #define init_new_context(tsk,mm)      ({ atomic64_set(&(mm)->context.id, 0); 0; })
+-/*
+- * This is called when "tsk" is about to enter lazy TLB mode.
+- *
+- * mm:  describes the currently active mm context
+- * tsk: task which is entering lazy tlb
+- * cpu: cpu number which is entering lazy tlb
+- *
+- * tsk->mm will be NULL
+- */
+-static inline void
+-enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
+-{
+-}
+-
+ #ifdef CONFIG_ARM64_SW_TTBR0_PAN
+ static inline void update_saved_ttbr0(struct task_struct *tsk,
+                                     struct mm_struct *mm)
+@@ -193,6 +179,16 @@ static inline void update_saved_ttbr0(st
+ }
+ #endif
++static inline void
++enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
++{
++      /*
++       * We don't actually care about the ttbr0 mapping, so point it at the
++       * zero page.
++       */
++      update_saved_ttbr0(tsk, &init_mm);
++}
++
+ static inline void __switch_mm(struct mm_struct *next)
+ {
+       unsigned int cpu = smp_processor_id();
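Review bot: The new enter_lazy_tlb ignores its `mm` argument and always records `&init_mm`, which is only safe because update_saved_ttbr0 maps init_mm to the zero page instead of tripping the old `BUG_ON(mm->pgd == swapper_pg_dir)` — that behaviour comes from the sibling patch in this series, not from this hunk, so this patch must be applied after it or every switch to a kernel thread would hit the BUG_ON. The block comment that documented the hook's contract (tsk->mm is NULL, mm is the mm being ridden on) was deleted with the old stub and not carried over. The replacement comment could state both the contract and why mm is unused, e.g. `/* tsk is a kernel thread riding on mm; it never needs that mm's ttbr0, so park the saved value on the zero page rather than track a pgd that may later be freed. */`. The `__switch_mm` definition that follows is cut at the hunk edge.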
diff --git a/queue-4.14/asn.1-check-for-error-from-asn1_op_end__act-actions.patch b/queue-4.14/asn.1-check-for-error-from-asn1_op_end__act-actions.patch
new file mode 100644 (file)
index 0000000..39e6ee9
--- /dev/null
@@ -0,0 +1,46 @@
+From 81a7be2cd69b412ab6aeacfe5ebf1bb6e5bce955 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 8 Dec 2017 15:13:27 +0000
+Subject: ASN.1: check for error from ASN1_OP_END__ACT actions
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 81a7be2cd69b412ab6aeacfe5ebf1bb6e5bce955 upstream.
+
+asn1_ber_decoder() was ignoring errors from actions associated with the
+opcodes ASN1_OP_END_SEQ_ACT, ASN1_OP_END_SET_ACT,
+ASN1_OP_END_SEQ_OF_ACT, and ASN1_OP_END_SET_OF_ACT.  In practice, this
+meant the pkcs7_note_signed_info() action (since that was the only user
+of those opcodes).  Fix it by checking for the error, just like the
+decoder does for actions associated with the other opcodes.
+
+This bug allowed users to leak slab memory by repeatedly trying to add a
+specially crafted "pkcs7_test" key (requires CONFIG_PKCS7_TEST_KEY).
+
+In theory, this bug could also be used to bypass module signature
+verification, by providing a PKCS#7 message that is misparsed such that
+a signature's ->authattrs do not contain its ->msgdigest.  But it
+doesn't seem practical in normal cases, due to restrictions on the
+format of the ->authattrs.
+
+Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/asn1_decoder.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/lib/asn1_decoder.c
++++ b/lib/asn1_decoder.c
+@@ -439,6 +439,8 @@ next_op:
+                       else
+                               act = machine[pc + 1];
+                       ret = actions[act](context, hdr, 0, data + tdp, len);
++                      if (ret < 0)
++                              return ret;
+               }
+               pc += asn1_op_lengths[op];
+               goto next_op;
diff --git a/queue-4.14/asn.1-fix-out-of-bounds-read-when-parsing-indefinite-length-item.patch b/queue-4.14/asn.1-fix-out-of-bounds-read-when-parsing-indefinite-length-item.patch
new file mode 100644 (file)
index 0000000..c442ed0
--- /dev/null
@@ -0,0 +1,136 @@
+From e0058f3a874ebb48b25be7ff79bc3b4e59929f90 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 8 Dec 2017 15:13:27 +0000
+Subject: ASN.1: fix out-of-bounds read when parsing indefinite length item
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit e0058f3a874ebb48b25be7ff79bc3b4e59929f90 upstream.
+
+In asn1_ber_decoder(), indefinitely-sized ASN.1 items were being passed
+to the action functions before their lengths had been computed, using
+the bogus length of 0x80 (ASN1_INDEFINITE_LENGTH).  This resulted in
+reading data past the end of the input buffer, when given a specially
+crafted message.
+
+Fix it by rearranging the code so that the indefinite length is resolved
+before the action is called.
+
+This bug was originally found by fuzzing the X.509 parser in userspace
+using libFuzzer from the LLVM project.
+
+KASAN report (cleaned up slightly):
+
+    BUG: KASAN: slab-out-of-bounds in memcpy ./include/linux/string.h:341 [inline]
+    BUG: KASAN: slab-out-of-bounds in x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366
+    Read of size 128 at addr ffff880035dd9eaf by task keyctl/195
+
+    CPU: 1 PID: 195 Comm: keyctl Not tainted 4.14.0-09238-g1d3b78bbc6e9 #26
+    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
+    Call Trace:
+     __dump_stack lib/dump_stack.c:17 [inline]
+     dump_stack+0xd1/0x175 lib/dump_stack.c:53
+     print_address_description+0x78/0x260 mm/kasan/report.c:252
+     kasan_report_error mm/kasan/report.c:351 [inline]
+     kasan_report+0x23f/0x350 mm/kasan/report.c:409
+     memcpy+0x1f/0x50 mm/kasan/kasan.c:302
+     memcpy ./include/linux/string.h:341 [inline]
+     x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366
+     asn1_ber_decoder+0xb4a/0x1fd0 lib/asn1_decoder.c:447
+     x509_cert_parse+0x1c7/0x620 crypto/asymmetric_keys/x509_cert_parser.c:89
+     x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
+     asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
+     key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
+     SYSC_add_key security/keys/keyctl.c:122 [inline]
+     SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
+     entry_SYSCALL_64_fastpath+0x1f/0x96
+
+    Allocated by task 195:
+     __do_kmalloc_node mm/slab.c:3675 [inline]
+     __kmalloc_node+0x47/0x60 mm/slab.c:3682
+     kvmalloc ./include/linux/mm.h:540 [inline]
+     SYSC_add_key security/keys/keyctl.c:104 [inline]
+     SyS_add_key+0x19e/0x290 security/keys/keyctl.c:62
+     entry_SYSCALL_64_fastpath+0x1f/0x96
+
+Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
+Reported-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/asn1_decoder.c |   47 ++++++++++++++++++++++++++---------------------
+ 1 file changed, 26 insertions(+), 21 deletions(-)
+
+--- a/lib/asn1_decoder.c
++++ b/lib/asn1_decoder.c
+@@ -313,42 +313,47 @@ next_op:
+       /* Decide how to handle the operation */
+       switch (op) {
+-      case ASN1_OP_MATCH_ANY_ACT:
+-      case ASN1_OP_MATCH_ANY_ACT_OR_SKIP:
+-      case ASN1_OP_COND_MATCH_ANY_ACT:
+-      case ASN1_OP_COND_MATCH_ANY_ACT_OR_SKIP:
+-              ret = actions[machine[pc + 1]](context, hdr, tag, data + dp, len);
+-              if (ret < 0)
+-                      return ret;
+-              goto skip_data;
+-
+-      case ASN1_OP_MATCH_ACT:
+-      case ASN1_OP_MATCH_ACT_OR_SKIP:
+-      case ASN1_OP_COND_MATCH_ACT_OR_SKIP:
+-              ret = actions[machine[pc + 2]](context, hdr, tag, data + dp, len);
+-              if (ret < 0)
+-                      return ret;
+-              goto skip_data;
+-
+       case ASN1_OP_MATCH:
+       case ASN1_OP_MATCH_OR_SKIP:
++      case ASN1_OP_MATCH_ACT:
++      case ASN1_OP_MATCH_ACT_OR_SKIP:
+       case ASN1_OP_MATCH_ANY:
+       case ASN1_OP_MATCH_ANY_OR_SKIP:
++      case ASN1_OP_MATCH_ANY_ACT:
++      case ASN1_OP_MATCH_ANY_ACT_OR_SKIP:
+       case ASN1_OP_COND_MATCH_OR_SKIP:
++      case ASN1_OP_COND_MATCH_ACT_OR_SKIP:
+       case ASN1_OP_COND_MATCH_ANY:
+       case ASN1_OP_COND_MATCH_ANY_OR_SKIP:
+-      skip_data:
++      case ASN1_OP_COND_MATCH_ANY_ACT:
++      case ASN1_OP_COND_MATCH_ANY_ACT_OR_SKIP:
++
+               if (!(flags & FLAG_CONS)) {
+                       if (flags & FLAG_INDEFINITE_LENGTH) {
++                              size_t tmp = dp;
++
+                               ret = asn1_find_indefinite_length(
+-                                      data, datalen, &dp, &len, &errmsg);
++                                      data, datalen, &tmp, &len, &errmsg);
+                               if (ret < 0)
+                                       goto error;
+-                      } else {
+-                              dp += len;
+                       }
+                       pr_debug("- LEAF: %zu\n", len);
+               }
++
++              if (op & ASN1_OP_MATCH__ACT) {
++                      unsigned char act;
++
++                      if (op & ASN1_OP_MATCH__ANY)
++                              act = machine[pc + 1];
++                      else
++                              act = machine[pc + 2];
++                      ret = actions[act](context, hdr, tag, data + dp, len);
++                      if (ret < 0)
++                              return ret;
++              }
++
++              if (!(flags & FLAG_CONS))
++                      dp += len;
+               pc += asn1_op_lengths[op];
+               goto next_op;
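Review bot: The position written to `tmp` by asn1_find_indefinite_length is computed and then discarded, and `dp += len` at the end of the case is relied on to land at the same place; that is only equivalent if the helper (outside the hunk) reports `len` as exactly the distance it walked, end-of-contents octets included, which I cannot confirm from here. If that is the case, the action at `ret = actions[act](context, hdr, tag, data + dp, len);` also receives the two trailing EOC bytes as part of the item, which callers such as x509_fabricate_name in the KASAN trace must tolerate. Either reuse the returned position, `if (flags & FLAG_INDEFINITE_LENGTH) dp = tmp; else dp += len;`, or document the invariant above the call: `/* len spans the whole item including its EOC octets, so dp + len == tmp */`. The asn1_ber_decoder body continues on both sides of the hunk.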
diff --git a/queue-4.14/brcmfmac-change-driver-unbind-order-of-the-sdio-function-devices.patch b/queue-4.14/brcmfmac-change-driver-unbind-order-of-the-sdio-function-devices.patch
new file mode 100644 (file)
index 0000000..4881a35
--- /dev/null
@@ -0,0 +1,41 @@
+From 5c3de777bdaf48bd0cfb43097c0d0fb85056cab7 Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Sat, 25 Nov 2017 21:39:25 +0100
+Subject: brcmfmac: change driver unbind order of the sdio function devices
+
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+
+commit 5c3de777bdaf48bd0cfb43097c0d0fb85056cab7 upstream.
+
+In the function brcmf_sdio_firmware_callback() the driver is
+unbound from the sdio function devices in the error path.
+However, the order in which it is done resulted in a use-after-free
+issue (see brcmf_ops_sdio_remove() in bcmsdh.c). Hence change
+the order and first unbind sdio function #2 device and then
+unbind sdio function #1 device.
+
+Fixes: 7a51461fc2da ("brcmfmac: unbind all devices upon failure in firmware callback")
+Reported-by: Stefan Wahren <stefan.wahren@i2se.com>
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -4096,8 +4096,8 @@ release:
+       sdio_release_host(sdiodev->func[1]);
+ fail:
+       brcmf_dbg(TRACE, "failed: dev=%s, err=%d\n", dev_name(dev), err);
+-      device_release_driver(dev);
+       device_release_driver(&sdiodev->func[2]->dev);
++      device_release_driver(dev);
+ }
+ struct brcmf_sdio *brcmf_sdio_probe(struct brcmf_sdio_dev *sdiodev)
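Review bot: The fix is purely an ordering constraint between two adjacent calls, and nothing in the code stops the next cleanup from swapping them back; the reason belongs in a comment on the first call. From the message, releasing `dev` (apparently function #1's device) tears down sdiodev, after which `sdiodev->func[2]` is a freed pointer, so something like `/* func[2] must go first: releasing dev (func[1]) frees sdiodev */` above `device_release_driver(&sdiodev->func[2]->dev);` would pin the order. The brcmf_sdio_firmware_callback function itself starts outside the hunk.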
diff --git a/queue-4.14/btrfs-fix-missing-error-return-in-btrfs_drop_snapshot.patch b/queue-4.14/btrfs-fix-missing-error-return-in-btrfs_drop_snapshot.patch
new file mode 100644 (file)
index 0000000..e74a8bf
--- /dev/null
@@ -0,0 +1,32 @@
+From e19182c0fff451e3744c1107d98f072e7ca377a0 Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Mon, 4 Dec 2017 13:11:45 -0500
+Subject: btrfs: fix missing error return in btrfs_drop_snapshot
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+commit e19182c0fff451e3744c1107d98f072e7ca377a0 upstream.
+
+If btrfs_del_root fails in btrfs_drop_snapshot, we'll pick up the
+error but then return 0 anyway due to mixing err and ret.
+
+Fixes: 79787eaab4612 ("btrfs: replace many BUG_ONs with proper error handling")
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/extent-tree.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -9283,6 +9283,7 @@ int btrfs_drop_snapshot(struct btrfs_roo
+       ret = btrfs_del_root(trans, fs_info, &root->root_key);
+       if (ret) {
+               btrfs_abort_transaction(trans, ret);
++              err = ret;
+               goto out_end_trans;
+       }
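Review bot: The root cause — btrfs_drop_snapshot tracking two return variables, `err` and `ret`, where a `goto out_end_trans` that sets only `ret` is silently reported as success — is left in place, so the same mistake can recur on any other exit path that touches `ret` only. The one-line fix is correct for this site, but the function (which starts and ends outside the hunk) would be safer if the transaction-abort exits were funnelled through a single variable, or at least if the `out_end_trans` label carried a comment such as `/* callers of this label must have set err, not just ret */`.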
diff --git a/queue-4.14/btrfs-handle-errors-while-updating-refcounts-in-update_ref_for_cow.patch b/queue-4.14/btrfs-handle-errors-while-updating-refcounts-in-update_ref_for_cow.patch
new file mode 100644 (file)
index 0000000..554c68b
--- /dev/null
@@ -0,0 +1,77 @@
+From 692826b2738101549f032a761a9191636e83be4e Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Tue, 21 Nov 2017 13:58:49 -0500
+Subject: btrfs: handle errors while updating refcounts in update_ref_for_cow
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+commit 692826b2738101549f032a761a9191636e83be4e upstream.
+
+Since commit fb235dc06fa (btrfs: qgroup: Move half of the qgroup
+accounting time out of commit trans) the assumption that
+btrfs_add_delayed_{data,tree}_ref can only return 0 or -ENOMEM has
+been false.  The qgroup operations call into btrfs_search_slot
+and friends and can now return the full spectrum of error codes.
+
+Fortunately, the fix here is easy since update_ref_for_cow failing
+is already handled so we just need to bail early with the error
+code.
+
+Fixes: fb235dc06fa (btrfs: qgroup: Move half of the qgroup accounting ...)
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Reviewed-by: Edmund Nadolski <enadolski@suse.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/ctree.c |   18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -1032,14 +1032,17 @@ static noinline int update_ref_for_cow(s
+                    root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) &&
+                   !(flags & BTRFS_BLOCK_FLAG_FULL_BACKREF)) {
+                       ret = btrfs_inc_ref(trans, root, buf, 1);
+-                      BUG_ON(ret); /* -ENOMEM */
++                      if (ret)
++                              return ret;
+                       if (root->root_key.objectid ==
+                           BTRFS_TREE_RELOC_OBJECTID) {
+                               ret = btrfs_dec_ref(trans, root, buf, 0);
+-                              BUG_ON(ret); /* -ENOMEM */
++                              if (ret)
++                                      return ret;
+                               ret = btrfs_inc_ref(trans, root, cow, 1);
+-                              BUG_ON(ret); /* -ENOMEM */
++                              if (ret)
++                                      return ret;
+                       }
+                       new_flags |= BTRFS_BLOCK_FLAG_FULL_BACKREF;
+               } else {
+@@ -1049,7 +1052,8 @@ static noinline int update_ref_for_cow(s
+                               ret = btrfs_inc_ref(trans, root, cow, 1);
+                       else
+                               ret = btrfs_inc_ref(trans, root, cow, 0);
+-                      BUG_ON(ret); /* -ENOMEM */
++                      if (ret)
++                              return ret;
+               }
+               if (new_flags != 0) {
+                       int level = btrfs_header_level(buf);
+@@ -1068,9 +1072,11 @@ static noinline int update_ref_for_cow(s
+                               ret = btrfs_inc_ref(trans, root, cow, 1);
+                       else
+                               ret = btrfs_inc_ref(trans, root, cow, 0);
+-                      BUG_ON(ret); /* -ENOMEM */
++                      if (ret)
++                              return ret;
+                       ret = btrfs_dec_ref(trans, root, buf, 1);
+-                      BUG_ON(ret); /* -ENOMEM */
++                      if (ret)
++                              return ret;
+               }
+               clean_tree_block(fs_info, buf);
+               *last_ref = 1;
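Review bot: Each new early `return ret` can leave the reference counts half-updated — for example `btrfs_inc_ref(trans, root, buf, 1)` succeeding and the following `btrfs_dec_ref(trans, root, buf, 0)` failing — and nothing in the hunk aborts the transaction or undoes the first step. The commit message says failure of update_ref_for_cow is already handled by the caller, which is outside the hunk, so that assumption should be written down at the first return: `/* a failure here leaves refs partially updated; the caller must abort the transaction */`. The function starts and ends outside the hunk.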
diff --git a/queue-4.14/bus-arm-cci-fix-use-of-smp_processor_id-in-preemptible-context.patch b/queue-4.14/bus-arm-cci-fix-use-of-smp_processor_id-in-preemptible-context.patch
new file mode 100644 (file)
index 0000000..2ea77e4
--- /dev/null
@@ -0,0 +1,48 @@
+From 4608af8aa53e7f3922ddee695d023b7bcd5cb35b Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Tue, 3 Oct 2017 18:14:13 +0100
+Subject: bus: arm-cci: Fix use of smp_processor_id() in preemptible context
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 4608af8aa53e7f3922ddee695d023b7bcd5cb35b upstream.
+
+The ARM CCI driver seem to be using smp_processor_id() in a
+preemptible context, which is likely to make a DEBUG_PREMPT
+kernel scream at boot time.
+
+Turn this into a get_cpu()/put_cpu() that extends over the CPU
+hotplug registration, making sure that we don't race against
+a CPU down operation.
+
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Pawel Moll <pawel.moll@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bus/arm-cci.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/bus/arm-cci.c
++++ b/drivers/bus/arm-cci.c
+@@ -1755,14 +1755,17 @@ static int cci_pmu_probe(struct platform
+       raw_spin_lock_init(&cci_pmu->hw_events.pmu_lock);
+       mutex_init(&cci_pmu->reserve_mutex);
+       atomic_set(&cci_pmu->active_events, 0);
+-      cpumask_set_cpu(smp_processor_id(), &cci_pmu->cpus);
++      cpumask_set_cpu(get_cpu(), &cci_pmu->cpus);
+       ret = cci_pmu_init(cci_pmu, pdev);
+-      if (ret)
++      if (ret) {
++              put_cpu();
+               return ret;
++      }
+       cpuhp_state_add_instance_nocalls(CPUHP_AP_PERF_ARM_CCI_ONLINE,
+                                        &cci_pmu->node);
++      put_cpu();
+       pr_info("ARM %s PMU driver probed", cci_pmu->model->name);
+       return 0;
+ }
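Review bot: The return value of `cpuhp_state_add_instance_nocalls(CPUHP_AP_PERF_ARM_CCI_ONLINE, &cci_pmu->node)` is still ignored, so if registering the hotplug instance fails the probe reports success with a PMU that will never be migrated off a CPU being taken down — the very race the get_cpu()/put_cpu() window is meant to close. The call now sits inside that window, so the natural shape is `ret = cpuhp_state_add_instance_nocalls(...); put_cpu(); if (ret) return ret;`, though whether cci_pmu_init needs unwinding on that path depends on code outside the hunk. The cci_pmu_probe function starts outside the hunk.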
diff --git a/queue-4.14/bus-arm-ccn-check-memory-allocation-failure.patch b/queue-4.14/bus-arm-ccn-check-memory-allocation-failure.patch
new file mode 100644 (file)
index 0000000..d49ec18
--- /dev/null
@@ -0,0 +1,43 @@
+From 24771179c5c138f0ea3ef88b7972979f62f2d5db Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 27 Aug 2017 11:06:50 +0100
+Subject: bus: arm-ccn: Check memory allocation failure
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 24771179c5c138f0ea3ef88b7972979f62f2d5db upstream.
+
+Check memory allocation failures and return -ENOMEM in such cases
+
+This avoids a potential NULL pointer dereference.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Scott Branden <scott.branden@broadcom.com>
+Signed-off-by: Pawel Moll <pawel.moll@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bus/arm-ccn.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/bus/arm-ccn.c
++++ b/drivers/bus/arm-ccn.c
+@@ -1271,6 +1271,10 @@ static int arm_ccn_pmu_init(struct arm_c
+               int len = snprintf(NULL, 0, "ccn_%d", ccn->dt.id);
+               name = devm_kzalloc(ccn->dev, len + 1, GFP_KERNEL);
++              if (!name) {
++                      err = -ENOMEM;
++                      goto error_choose_name;
++              }
+               snprintf(name, len + 1, "ccn_%d", ccn->dt.id);
+       }
+@@ -1318,6 +1322,7 @@ static int arm_ccn_pmu_init(struct arm_c
+ error_pmu_register:
+ error_set_affinity:
++error_choose_name:
+       ida_simple_remove(&arm_ccn_pmu_ida, ccn->dt.id);
+       for (i = 0; i < ccn->num_xps; i++)
+               writel(0, ccn->xp[i].base + CCN_XP_DT_CONTROL);
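Review bot: The added NULL check is correct, but the two-step size-then-format pattern it guards (`snprintf(NULL, 0, ...)`, `devm_kzalloc(len + 1)`, `snprintf(name, len + 1, ...)`) exists only to size the buffer by hand; `name = devm_kasprintf(ccn->dev, GFP_KERNEL, "ccn_%d", ccn->dt.id);` followed by the same `if (!name) { err = -ENOMEM; goto error_choose_name; }` does the allocation, sizing and formatting in one call and leaves a single failure point. The `error_choose_name` label is placed correctly after the ida allocation since `ida_simple_remove` runs on that path. The arm_ccn_pmu_init function starts outside the hunk.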
diff --git a/queue-4.14/bus-arm-ccn-fix-module-unloading-error-removing-state-147-which-has-instances-left.patch b/queue-4.14/bus-arm-ccn-fix-module-unloading-error-removing-state-147-which-has-instances-left.patch
new file mode 100644 (file)
index 0000000..4248195
--- /dev/null
@@ -0,0 +1,92 @@
+From b69f63ebf553504739cc8534cbed31bd530c6f0b Mon Sep 17 00:00:00 2001
+From: Kim Phillips <kim.phillips@arm.com>
+Date: Wed, 11 Oct 2017 22:33:24 +0100
+Subject: bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left.
+
+From: Kim Phillips <kim.phillips@arm.com>
+
+commit b69f63ebf553504739cc8534cbed31bd530c6f0b upstream.
+
+Unregistering the driver before calling cpuhp_remove_multi_state() removes
+any remaining hotplug cpu instances so __cpuhp_remove_state_cpuslocked()
+doesn't emit this warning:
+
+[  268.748362] Error: Removing state 147 which has instances left.
+[  268.748373] ------------[ cut here ]------------
+[  268.748386] WARNING: CPU: 2 PID: 5476 at kernel/cpu.c:1734 __cpuhp_remove_state_cpuslocked+0x454/0x4f0
+[  268.748389] Modules linked in: arm_ccn(-) [last unloaded: arm_ccn]
+[  268.748403] CPU: 2 PID: 5476 Comm: rmmod Tainted: G        W       4.14.0-rc4+ #3
+[  268.748406] Hardware name: AMD Seattle/Seattle, BIOS 10:18:39 Dec  8 2016
+[  268.748410] task: ffff8001a18ca000 task.stack: ffff80019c120000
+[  268.748416] PC is at __cpuhp_remove_state_cpuslocked+0x454/0x4f0
+[  268.748421] LR is at __cpuhp_remove_state_cpuslocked+0x448/0x4f0
+[  268.748425] pc : [<ffff2000081729ec>] lr : [<ffff2000081729e0>] pstate: 60000145
+[  268.748427] sp : ffff80019c127d30
+[  268.748430] x29: ffff80019c127d30 x28: ffff8001a18ca000
+[  268.748437] x27: ffff20000c2cb000 x26: 1fffe4000042d490
+[  268.748443] x25: ffff20000216a480 x24: 0000000000000000
+[  268.748449] x23: ffff20000b08e000 x22: 0000000000000001
+[  268.748455] x21: 0000000000000093 x20: 00000000000016f8
+[  268.748460] x19: ffff20000c2cbb80 x18: 0000ffffb5fe7c58
+[  268.748466] x17: 00000000004402d0 x16: 1fffe40001864f01
+[  268.748472] x15: ffff20000c4bf8b0 x14: 0000000000000000
+[  268.748477] x13: 0000000000007032 x12: ffff20000829ae48
+[  268.748483] x11: ffff20000c4bf000 x10: 0000000000000004
+[  268.748488] x9 : 0000000000006fbc x8 : ffff20000c318a40
+[  268.748494] x7 : 0000000000000000 x6 : ffff040001864f02
+[  268.748500] x5 : 0000000000000000 x4 : 0000000000000000
+[  268.748505] x3 : 0000000000000007 x2 : dfff200000000000
+[  268.748510] x1 : 000000000000ad3d x0 : 00000000000001f0
+[  268.748516] Call trace:
+[  268.748521] Exception stack(0xffff80019c127bf0 to 0xffff80019c127d30)
+[  268.748526] 7be0:                                   00000000000001f0 000000000000ad3d
+[  268.748531] 7c00: dfff200000000000 0000000000000007 0000000000000000 0000000000000000
+[  268.748535] 7c20: ffff040001864f02 0000000000000000 ffff20000c318a40 0000000000006fbc
+[  268.748539] 7c40: 0000000000000004 ffff20000c4bf000 ffff20000829ae48 0000000000007032
+[  268.748544] 7c60: 0000000000000000 ffff20000c4bf8b0 1fffe40001864f01 00000000004402d0
+[  268.748548] 7c80: 0000ffffb5fe7c58 ffff20000c2cbb80 00000000000016f8 0000000000000093
+[  268.748553] 7ca0: 0000000000000001 ffff20000b08e000 0000000000000000 ffff20000216a480
+[  268.748557] 7cc0: 1fffe4000042d490 ffff20000c2cb000 ffff8001a18ca000 ffff80019c127d30
+[  268.748562] 7ce0: ffff2000081729e0 ffff80019c127d30 ffff2000081729ec 0000000060000145
+[  268.748566] 7d00: 00000000000001f0 0000000000000000 0001000000000000 0000000000000000
+[  268.748569] 7d20: ffff80019c127d30 ffff2000081729ec
+[  268.748575] [<ffff2000081729ec>] __cpuhp_remove_state_cpuslocked+0x454/0x4f0
+[  268.748580] [<ffff200008172adc>] __cpuhp_remove_state+0x54/0x80
+[  268.748597] [<ffff20000215dd84>] arm_ccn_exit+0x2c/0x70 [arm_ccn]
+[  268.748604] [<ffff20000834cfbc>] SyS_delete_module+0x5a4/0x708
+[  268.748607] Exception stack(0xffff80019c127ec0 to 0xffff80019c128000)
+[  268.748612] 7ec0: 0000000019bb7258 0000000000000800 ba64d0fb3d26a800 00000000000000da
+[  268.748616] 7ee0: 0000ffffb6144e28 0000ffffcd95b409 fefefefefefefeff 7f7f7f7f7f7f7f7f
+[  268.748621] 7f00: 000000000000006a 1999999999999999 0000ffffb6179000 0000000000bbcc6d
+[  268.748625] 7f20: 0000ffffb6176b98 0000ffffcd95c2d0 0000ffffb5fe7b58 0000ffffb6163000
+[  268.748630] 7f40: 0000ffffb60ad3e0 00000000004402d0 0000ffffb5fe7c58 0000000019bb71f0
+[  268.748634] 7f60: 0000ffffcd95c740 0000000000000000 0000000019bb71f0 0000000000416700
+[  268.748639] 7f80: 0000000000000000 00000000004402e8 0000000019bb6010 0000ffffcd95c748
+[  268.748643] 7fa0: 0000000000000000 0000ffffcd95c460 00000000004113a8 0000ffffcd95c460
+[  268.748648] 7fc0: 0000ffffb60ad3e8 0000000080000000 0000000019bb7258 000000000000006a
+[  268.748652] 7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+[  268.748657] [<ffff200008084f9c>] __sys_trace_return+0x0/0x4
+[  268.748661] ---[ end trace a996d358dcaa7f9c ]---
+
+Fixes: 8df038725ad5 ("bus/arm-ccn: Use cpu-hp's multi instance support instead custom list")
+Signed-off-by: Kim Phillips <kim.phillips@arm.com>
+Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Pawel Moll <pawel.moll@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bus/arm-ccn.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/bus/arm-ccn.c
++++ b/drivers/bus/arm-ccn.c
+@@ -1587,8 +1587,8 @@ static int __init arm_ccn_init(void)
+ static void __exit arm_ccn_exit(void)
+ {
+-      cpuhp_remove_multi_state(CPUHP_AP_PERF_ARM_CCN_ONLINE);
+       platform_driver_unregister(&arm_ccn_driver);
++      cpuhp_remove_multi_state(CPUHP_AP_PERF_ARM_CCN_ONLINE);
+ }
+ module_init(arm_ccn_init);
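Review bot: The fix depends solely on the order of two calls in arm_ccn_exit, and the hunk gives a future reader no hint that swapping them back reintroduces the "Removing state 147 which has instances left" warning. A one-line comment on the first call would pin it: `/* unregister first: driver remove() drops the per-device cpuhp instances */`. Whether remove() is in fact what removes the instances is inferred from the commit message rather than visible here, so wording it as "see arm_ccn_remove" may be safer.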
diff --git a/queue-4.14/bus-arm-ccn-fix-use-of-smp_processor_id-in-preemptible-context.patch b/queue-4.14/bus-arm-ccn-fix-use-of-smp_processor_id-in-preemptible-context.patch
new file mode 100644 (file)
index 0000000..364f882
--- /dev/null
@@ -0,0 +1,65 @@
+From b18c2b9487d8e797fc0a757e57ac3645348c5fba Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Tue, 3 Oct 2017 18:14:12 +0100
+Subject: bus: arm-ccn: Fix use of smp_processor_id() in preemptible context
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit b18c2b9487d8e797fc0a757e57ac3645348c5fba upstream.
+
+Booting a DEBUG_PREEMPT enabled kernel on a CCN-based system
+results in the following splat:
+
+[...]
+arm-ccn e8000000.ccn: No access to interrupts, using timer.
+BUG: using smp_processor_id() in preemptible [00000000] code: swapper/0/1
+caller is debug_smp_processor_id+0x1c/0x28
+CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.13.0 #6111
+Hardware name: AMD Seattle/Seattle, BIOS 17:08:23 Jun 26 2017
+Call trace:
+[<ffff000008089e78>] dump_backtrace+0x0/0x278
+[<ffff00000808a22c>] show_stack+0x24/0x30
+[<ffff000008bc3bc4>] dump_stack+0x8c/0xb0
+[<ffff00000852b534>] check_preemption_disabled+0xfc/0x100
+[<ffff00000852b554>] debug_smp_processor_id+0x1c/0x28
+[<ffff000008551bd8>] arm_ccn_probe+0x358/0x4f0
+[...]
+
+as we use smp_processor_id() in the wrong context.
+
+Turn this into a get_cpu()/put_cpu() that extends over the CPU hotplug
+registration, making sure that we don't race against a CPU down operation.
+
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Pawel Moll <pawel.moll@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bus/arm-ccn.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/bus/arm-ccn.c
++++ b/drivers/bus/arm-ccn.c
+@@ -1301,7 +1301,7 @@ static int arm_ccn_pmu_init(struct arm_c
+       }
+       /* Pick one CPU which we will use to collect data from CCN... */
+-      cpumask_set_cpu(smp_processor_id(), &ccn->dt.cpu);
++      cpumask_set_cpu(get_cpu(), &ccn->dt.cpu);
+       /* Also make sure that the overflow interrupt is handled by this CPU */
+       if (ccn->irq) {
+@@ -1318,10 +1318,12 @@ static int arm_ccn_pmu_init(struct arm_c
+       cpuhp_state_add_instance_nocalls(CPUHP_AP_PERF_ARM_CCN_ONLINE,
+                                        &ccn->dt.node);
++      put_cpu();
+       return 0;
+ error_pmu_register:
+ error_set_affinity:
++      put_cpu();
+ error_choose_name:
+       ida_simple_remove(&arm_ccn_pmu_ida, ccn->dt.id);
+       for (i = 0; i < ccn->num_xps; i++)
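Review bot: The get_cpu() added at the cpumask_set_cpu() call keeps preemption disabled until the put_cpu() calls, and the error_pmu_register label in this hunk suggests perf_pmu_register() sits inside that window; perf_pmu_register() takes a mutex and allocates, so if it is in the window this trades the smp_processor_id() splat for a sleeping-in-atomic one on DEBUG_ATOMIC_SLEEP kernels (most of arm_ccn_pmu_init() is outside the hunk, so confirm against the full function). A narrower guard pins the CPU choice without holding preemption off across registration: take cpus_read_lock() around the window and pick `cpumask_set_cpu(cpumask_any(cpu_online_mask), &ccn->dt.cpu);`, releasing with cpus_read_unlock() on both the success path and the error_set_affinity/error_pmu_register path, exactly where the two put_cpu() calls are now. Whichever form is kept, a comment on the acquire line naming the labels that balance it would help, since the pairing is not visible from either site.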
diff --git a/queue-4.14/drivers-hv-vmbus-fix-a-rescind-issue.patch b/queue-4.14/drivers-hv-vmbus-fix-a-rescind-issue.patch
new file mode 100644 (file)
index 0000000..551d724
--- /dev/null
@@ -0,0 +1,117 @@
+From 7fa32e5ec28b1609abc0b797b58267f725fc3964 Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Tue, 14 Nov 2017 06:53:33 -0700
+Subject: Drivers: hv: vmbus: Fix a rescind issue
+
+From: K. Y. Srinivasan <kys@microsoft.com>
+
+commit 7fa32e5ec28b1609abc0b797b58267f725fc3964 upstream.
+
+The current rescind processing code will not correctly handle
+the case where the host immediately rescinds a channel that has
+been offerred. In this case, we could be blocked in the open call and
+since the channel is rescinded, the host will not respond and we could
+be blocked forever in the vmbus open call.i Fix this problem.
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/channel.c      |   10 ++++++++--
+ drivers/hv/channel_mgmt.c |    7 ++++---
+ include/linux/hyperv.h    |    1 +
+ 3 files changed, 13 insertions(+), 5 deletions(-)
+
+--- a/drivers/hv/channel.c
++++ b/drivers/hv/channel.c
+@@ -640,22 +640,28 @@ void vmbus_close(struct vmbus_channel *c
+                */
+               return;
+       }
+-      mutex_lock(&vmbus_connection.channel_mutex);
+       /*
+        * Close all the sub-channels first and then close the
+        * primary channel.
+        */
+       list_for_each_safe(cur, tmp, &channel->sc_list) {
+               cur_channel = list_entry(cur, struct vmbus_channel, sc_list);
+-              vmbus_close_internal(cur_channel);
+               if (cur_channel->rescind) {
++                      wait_for_completion(&cur_channel->rescind_event);
++                      mutex_lock(&vmbus_connection.channel_mutex);
++                      vmbus_close_internal(cur_channel);
+                       hv_process_channel_removal(
+                                          cur_channel->offermsg.child_relid);
++              } else {
++                      mutex_lock(&vmbus_connection.channel_mutex);
++                      vmbus_close_internal(cur_channel);
+               }
++              mutex_unlock(&vmbus_connection.channel_mutex);
+       }
+       /*
+        * Now close the primary.
+        */
++      mutex_lock(&vmbus_connection.channel_mutex);
+       vmbus_close_internal(channel);
+       mutex_unlock(&vmbus_connection.channel_mutex);
+ }
+--- a/drivers/hv/channel_mgmt.c
++++ b/drivers/hv/channel_mgmt.c
+@@ -333,6 +333,7 @@ static struct vmbus_channel *alloc_chann
+               return NULL;
+       spin_lock_init(&channel->lock);
++      init_completion(&channel->rescind_event);
+       INIT_LIST_HEAD(&channel->sc_list);
+       INIT_LIST_HEAD(&channel->percpu_list);
+@@ -883,6 +884,7 @@ static void vmbus_onoffer_rescind(struct
+       /*
+        * Now wait for offer handling to complete.
+        */
++      vmbus_rescind_cleanup(channel);
+       while (READ_ONCE(channel->probe_done) == false) {
+               /*
+                * We wait here until any channel offer is currently
+@@ -898,7 +900,6 @@ static void vmbus_onoffer_rescind(struct
+       if (channel->device_obj) {
+               if (channel->chn_rescind_callback) {
+                       channel->chn_rescind_callback(channel);
+-                      vmbus_rescind_cleanup(channel);
+                       return;
+               }
+               /*
+@@ -907,7 +908,6 @@ static void vmbus_onoffer_rescind(struct
+                */
+               dev = get_device(&channel->device_obj->device);
+               if (dev) {
+-                      vmbus_rescind_cleanup(channel);
+                       vmbus_device_unregister(channel->device_obj);
+                       put_device(dev);
+               }
+@@ -921,13 +921,14 @@ static void vmbus_onoffer_rescind(struct
+                * 2. Then close the primary channel.
+                */
+               mutex_lock(&vmbus_connection.channel_mutex);
+-              vmbus_rescind_cleanup(channel);
+               if (channel->state == CHANNEL_OPEN_STATE) {
+                       /*
+                        * The channel is currently not open;
+                        * it is safe for us to cleanup the channel.
+                        */
+                       hv_process_channel_removal(rescind->child_relid);
++              } else {
++                      complete(&channel->rescind_event);
+               }
+               mutex_unlock(&vmbus_connection.channel_mutex);
+       }
+--- a/include/linux/hyperv.h
++++ b/include/linux/hyperv.h
+@@ -708,6 +708,7 @@ struct vmbus_channel {
+       u8 monitor_bit;
+       bool rescind; /* got rescind msg */
++      struct completion rescind_event;
+       u32 ringbuffer_gpadlhandle;
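Review bot: In vmbus_close() the channel_mutex no longer covers the list_for_each_safe() walk of channel->sc_list (the lock is now taken only inside the loop body and dropped at the end of each iteration), so the traversal and the unlocked read of cur_channel->rescind race with the rescind path changed in the same patch; if hv_process_channel_removal() unlinks and frees the sub-channel under that mutex, as its use on the rescind side suggests, the tmp pointer saved at the top of an iteration can be stale by the next one (the start of vmbus_close() is outside the hunk). The completion protocol is also asymmetric and undocumented: complete(&channel->rescind_event) is only signalled in the sub-channel branch when the channel is open, and vmbus_close() only waits on it for entries still on sc_list, so a reader needs to know why the primary channel never waits. A note on the new field in hyperv.h, `/* signalled by vmbus_onoffer_rescind() for an open sub-channel; vmbus_close() waits on it */`, would capture that contract. The wait_for_completion() is uninterruptible and unbounded, so any future change that stops the rescind path from completing the event hangs the closing caller.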
diff --git a/queue-4.14/drm-bridge-analogix-dp-fix-runtime-pm-state-in-get_modes-callback.patch b/queue-4.14/drm-bridge-analogix-dp-fix-runtime-pm-state-in-get_modes-callback.patch
new file mode 100644 (file)
index 0000000..43f1c0f
--- /dev/null
@@ -0,0 +1,80 @@
+From 510353a63796d467b41237ab4f136136f68c297d Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Tue, 21 Nov 2017 08:49:36 +0100
+Subject: drm/bridge: analogix dp: Fix runtime PM state in get_modes() callback
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+commit 510353a63796d467b41237ab4f136136f68c297d upstream.
+
+get_modes() callback might be called asynchronously from the DRM core and
+it is not synchronized with bridge_enable(), which sets proper runtime PM
+state of the main DP device. Fix this by calling pm_runtime_get_sync()
+before calling drm_get_edid(), which in turn calls drm_dp_i2c_xfer() and
+analogix_dp_transfer() to ensure that main DP device is runtime active
+when doing any access to its registers.
+
+This fixes the following kernel issue on Samsung Exynos5250 Snow board:
+Unhandled fault: imprecise external abort (0x406) at 0x00000000
+pgd = c0004000
+[00000000] *pgd=00000000
+Internal error: : 406 [#1] PREEMPT SMP ARM
+Modules linked in:
+CPU: 0 PID: 62 Comm: kworker/0:2 Not tainted 4.13.0-rc2-00364-g4a97a3da420b #3357
+Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
+Workqueue: events output_poll_execute
+task: edc14800 task.stack: edcb2000
+PC is at analogix_dp_transfer+0x15c/0x2fc
+LR is at analogix_dp_transfer+0x134/0x2fc
+pc : [<c0468538>]    lr : [<c0468510>]    psr: 60000013
+sp : edcb3be8  ip : 0000002a  fp : 00000001
+r10: 00000000  r9 : edcb3cd8  r8 : edcb3c40
+r7 : 00000000  r6 : edd3b380  r5 : edd3b010  r4 : 00000064
+r3 : 00000000  r2 : f0ad3000  r1 : edcb3c40  r0 : edd3b010
+Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
+Control: 10c5387d  Table: 4000406a  DAC: 00000051
+Process kworker/0:2 (pid: 62, stack limit = 0xedcb2210)
+Stack: (0xedcb3be8 to 0xedcb4000)
+[<c0468538>] (analogix_dp_transfer) from [<c0424ba4>] (drm_dp_i2c_do_msg+0x8c/0x2b4)
+[<c0424ba4>] (drm_dp_i2c_do_msg) from [<c0424e64>] (drm_dp_i2c_xfer+0x98/0x214)
+[<c0424e64>] (drm_dp_i2c_xfer) from [<c057b2d8>] (__i2c_transfer+0x140/0x29c)
+[<c057b2d8>] (__i2c_transfer) from [<c057b4a4>] (i2c_transfer+0x70/0xe4)
+[<c057b4a4>] (i2c_transfer) from [<c0441de4>] (drm_do_probe_ddc_edid+0xb4/0x114)
+[<c0441de4>] (drm_do_probe_ddc_edid) from [<c0441e5c>] (drm_probe_ddc+0x18/0x28)
+[<c0441e5c>] (drm_probe_ddc) from [<c0445728>] (drm_get_edid+0x124/0x2d4)
+[<c0445728>] (drm_get_edid) from [<c0465ea0>] (analogix_dp_get_modes+0x90/0x114)
+[<c0465ea0>] (analogix_dp_get_modes) from [<c0425e8c>] (drm_helper_probe_single_connector_modes+0x198/0x68c)
+[<c0425e8c>] (drm_helper_probe_single_connector_modes) from [<c04325d4>] (drm_setup_crtcs+0x1b4/0xd18)
+[<c04325d4>] (drm_setup_crtcs) from [<c04344a8>] (drm_fb_helper_hotplug_event+0x94/0xd0)
+[<c04344a8>] (drm_fb_helper_hotplug_event) from [<c0425a50>] (drm_kms_helper_hotplug_event+0x24/0x28)
+[<c0425a50>] (drm_kms_helper_hotplug_event) from [<c04263ec>] (output_poll_execute+0x6c/0x174)
+[<c04263ec>] (output_poll_execute) from [<c0136f18>] (process_one_work+0x188/0x3fc)
+[<c0136f18>] (process_one_work) from [<c01371f4>] (worker_thread+0x30/0x4b8)
+[<c01371f4>] (worker_thread) from [<c013daf8>] (kthread+0x128/0x164)
+[<c013daf8>] (kthread) from [<c0108510>] (ret_from_fork+0x14/0x24)
+Code: 0a000002 ea000009 e2544001 0a00004a (e59537c8)
+---[ end trace cddc7919c79f7878 ]---
+
+Reported-by: Misha Komarovskiy <zombah@gmail.com>
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Signed-off-by: Archit Taneja <architt@codeaurora.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20171121074936.22520-1-m.szyprowski@samsung.com
+
+---
+ drivers/gpu/drm/bridge/analogix/analogix_dp_core.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c
++++ b/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c
+@@ -946,7 +946,9 @@ static int analogix_dp_get_modes(struct
+                       return 0;
+               }
++              pm_runtime_get_sync(dp->dev);
+               edid = drm_get_edid(connector, &dp->aux.ddc);
++              pm_runtime_put(dp->dev);
+               if (edid) {
+                       drm_mode_connector_update_edid_property(&dp->connector,
+                                                               edid);
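Review bot: The return value of pm_runtime_get_sync(dp->dev) is not checked before drm_get_edid() runs, so on a failed resume the AUX transfer still hits a device that may be powered down, which is the external abort this patch is meant to avoid; the usage counter is incremented even on failure, so an early exit still needs a put. A minimal form is `ret = pm_runtime_get_sync(dp->dev); if (ret < 0) { pm_runtime_put_noidle(dp->dev); return 0; }` ahead of the drm_get_edid() call, keeping the existing pm_runtime_put() on the success path and matching the `return 0;` convention visible at the top of the hunk. analogix_dp_get_modes() begins and ends outside the hunk, so whether a suitable local is already declared cannot be seen here.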
diff --git a/queue-4.14/drm-exynos-gem-drop-noncontig-flag-for-buffers-allocated-without-iommu.patch b/queue-4.14/drm-exynos-gem-drop-noncontig-flag-for-buffers-allocated-without-iommu.patch
new file mode 100644 (file)
index 0000000..4d232aa
--- /dev/null
@@ -0,0 +1,42 @@
+From 120a264f9c2782682027d931d83dcbd22e01da80 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Wed, 22 Nov 2017 14:14:47 +0100
+Subject: drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+commit 120a264f9c2782682027d931d83dcbd22e01da80 upstream.
+
+When no IOMMU is available, all GEM buffers allocated by Exynos DRM driver
+are contiguous, because of the underlying dma_alloc_attrs() function
+provides only such buffers. In such case it makes no sense to keep
+BO_NONCONTIG flag for the allocated GEM buffers. This allows to avoid
+failures for buffer contiguity checks in the subsequent operations on GEM
+objects.
+
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/exynos/exynos_drm_gem.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/gpu/drm/exynos/exynos_drm_gem.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_gem.c
+@@ -247,6 +247,15 @@ struct exynos_drm_gem *exynos_drm_gem_cr
+       if (IS_ERR(exynos_gem))
+               return exynos_gem;
++      if (!is_drm_iommu_supported(dev) && (flags & EXYNOS_BO_NONCONTIG)) {
++              /*
++               * when no IOMMU is available, all allocated buffers are
++               * contiguous anyway, so drop EXYNOS_BO_NONCONTIG flag
++               */
++              flags &= ~EXYNOS_BO_NONCONTIG;
++              DRM_WARN("Non-contiguous allocation is not supported without IOMMU, falling back to contiguous buffer\n");
++      }
++
+       /* set memory type and cache attribute from user side. */
+       exynos_gem->flags = flags;
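Review bot: The DRM_WARN() emitted when EXYNOS_BO_NONCONTIG is dropped fires on every allocation carrying the flag, and the comment on the following line says flags come from user side, so any process that can open the DRM node can repeat the request and flood the kernel log. Since the message describes a static platform property (no IOMMU), `DRM_WARN_ONCE(...)` with the same text informs the user without handing userspace a log-spam lever. The fallback itself is sound; the block comment could add that the flag is cleared before being stored into exynos_gem->flags so later contiguity checks see the effective allocation type rather than the requested one. exynos_drm_gem_create() continues outside the hunk.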
diff --git a/queue-4.14/drm-i915-fix-vblank-timestamp-frame-counter-jumps-on-gen2.patch b/queue-4.14/drm-i915-fix-vblank-timestamp-frame-counter-jumps-on-gen2.patch
new file mode 100644 (file)
index 0000000..411b2f6
--- /dev/null
@@ -0,0 +1,150 @@
+From a87e55f89f0b0dc541d89248a8445635936a3858 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Wed, 29 Nov 2017 17:37:30 +0200
+Subject: drm/i915: Fix vblank timestamp/frame counter jumps on gen2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit a87e55f89f0b0dc541d89248a8445635936a3858 upstream.
+
+Previously I was under the impression that the scanline counter
+reads 0 when the pipe is off. Turns out that's not correct, and
+instead the scanline counter simply stops when the pipe stops, and
+it retains it's last value until the pipe starts up again, at which
+point the scanline counter jumps to vblank start.
+
+These jumps can cause the timestamp to jump backwards by one frame.
+Since we use the timestamps to guesstimage also the frame counter
+value on gen2, that would cause the frame counter to also jump
+backwards, which leads to a massice difference from the previous value.
+The end result is that flips/vblank events don't appear to complete as
+they're stuck waiting for the frame counter to catch up to that massive
+difference.
+
+Fix the problem properly by actually making sure the scanline counter
+has started to move before we assume that it's safe to enable vblank
+processing.
+
+v2: Less pointless duplication in the code (Chris)
+
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Chris Wilson <chris@chris-wilson.co.uk>
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Fixes: b7792d8b54cc ("drm/i915: Wait for pipe to start before sampling vblank timestamps on gen2")
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20171129153732.3612-1-ville.syrjala@linux.intel.com
+(cherry picked from commit 8fedd64dabc86d0f31a0d1e152be3aa23c323553)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_display.c |   53 +++++++++++++++++++++++------------
+ 1 file changed, 36 insertions(+), 17 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -1000,7 +1000,8 @@ enum transcoder intel_pipe_to_cpu_transc
+       return crtc->config->cpu_transcoder;
+ }
+-static bool pipe_dsl_stopped(struct drm_i915_private *dev_priv, enum pipe pipe)
++static bool pipe_scanline_is_moving(struct drm_i915_private *dev_priv,
++                                  enum pipe pipe)
+ {
+       i915_reg_t reg = PIPEDSL(pipe);
+       u32 line1, line2;
+@@ -1015,7 +1016,28 @@ static bool pipe_dsl_stopped(struct drm_
+       msleep(5);
+       line2 = I915_READ(reg) & line_mask;
+-      return line1 == line2;
++      return line1 != line2;
++}
++
++static void wait_for_pipe_scanline_moving(struct intel_crtc *crtc, bool state)
++{
++      struct drm_i915_private *dev_priv = to_i915(crtc->base.dev);
++      enum pipe pipe = crtc->pipe;
++
++      /* Wait for the display line to settle/start moving */
++      if (wait_for(pipe_scanline_is_moving(dev_priv, pipe) == state, 100))
++              DRM_ERROR("pipe %c scanline %s wait timed out\n",
++                        pipe_name(pipe), onoff(state));
++}
++
++static void intel_wait_for_pipe_scanline_stopped(struct intel_crtc *crtc)
++{
++      wait_for_pipe_scanline_moving(crtc, false);
++}
++
++static void intel_wait_for_pipe_scanline_moving(struct intel_crtc *crtc)
++{
++      wait_for_pipe_scanline_moving(crtc, true);
+ }
+ /*
+@@ -1038,7 +1060,6 @@ static void intel_wait_for_pipe_off(stru
+ {
+       struct drm_i915_private *dev_priv = to_i915(crtc->base.dev);
+       enum transcoder cpu_transcoder = crtc->config->cpu_transcoder;
+-      enum pipe pipe = crtc->pipe;
+       if (INTEL_GEN(dev_priv) >= 4) {
+               i915_reg_t reg = PIPECONF(cpu_transcoder);
+@@ -1049,9 +1070,7 @@ static void intel_wait_for_pipe_off(stru
+                                           100))
+                       WARN(1, "pipe_off wait timed out\n");
+       } else {
+-              /* Wait for the display line to settle */
+-              if (wait_for(pipe_dsl_stopped(dev_priv, pipe), 100))
+-                      WARN(1, "pipe_off wait timed out\n");
++              intel_wait_for_pipe_scanline_stopped(crtc);
+       }
+ }
+@@ -1944,15 +1963,14 @@ static void intel_enable_pipe(struct int
+       POSTING_READ(reg);
+       /*
+-       * Until the pipe starts DSL will read as 0, which would cause
+-       * an apparent vblank timestamp jump, which messes up also the
+-       * frame count when it's derived from the timestamps. So let's
+-       * wait for the pipe to start properly before we call
+-       * drm_crtc_vblank_on()
+-       */
+-      if (dev->max_vblank_count == 0 &&
+-          wait_for(intel_get_crtc_scanline(crtc) != crtc->scanline_offset, 50))
+-              DRM_ERROR("pipe %c didn't start\n", pipe_name(pipe));
++       * Until the pipe starts PIPEDSL reads will return a stale value,
++       * which causes an apparent vblank timestamp jump when PIPEDSL
++       * resets to its proper value. That also messes up the frame count
++       * when it's derived from the timestamps. So let's wait for the
++       * pipe to start properly before we call drm_crtc_vblank_on()
++       */
++      if (dev->max_vblank_count == 0)
++              intel_wait_for_pipe_scanline_moving(crtc);
+ }
+ /**
+@@ -14682,6 +14700,8 @@ void i830_enable_pipe(struct drm_i915_pr
+ void i830_disable_pipe(struct drm_i915_private *dev_priv, enum pipe pipe)
+ {
++      struct intel_crtc *crtc = intel_get_crtc_for_pipe(dev_priv, pipe);
++
+       DRM_DEBUG_KMS("disabling pipe %c due to force quirk\n",
+                     pipe_name(pipe));
+@@ -14691,8 +14711,7 @@ void i830_disable_pipe(struct drm_i915_p
+       I915_WRITE(PIPECONF(pipe), 0);
+       POSTING_READ(PIPECONF(pipe));
+-      if (wait_for(pipe_dsl_stopped(dev_priv, pipe), 100))
+-              DRM_ERROR("pipe %c off wait timed out\n", pipe_name(pipe));
++      intel_wait_for_pipe_scanline_stopped(crtc);
+       I915_WRITE(DPLL(pipe), DPLL_VGA_MODE_DIS);
+       POSTING_READ(DPLL(pipe));
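Review bot: The new helpers wait_for_pipe_scanline_moving(), intel_wait_for_pipe_scanline_stopped() and intel_wait_for_pipe_scanline_moving() carry no comment, and the bool `state` parameter is only understandable by reading pipe_scanline_is_moving(); a header such as `/* Poll PIPEDSL until the scanline is (state == true) or is not (state == false) advancing; each sample spans msleep(5), overall timeout 100 ms. */` on wait_for_pipe_scanline_moving() would make the two wrappers self-explanatory. In i830_disable_pipe() the crtc from intel_get_crtc_for_pipe() is passed straight into intel_wait_for_pipe_scanline_stopped(), which dereferences crtc->base.dev; if this quirk path can run before the crtc for that pipe exists the lookup result needs a check, which cannot be confirmed from the hunk. The replaced error strings ("pipe_off wait timed out", "pipe %c off wait timed out") collapse into the shared "pipe %c scanline %s wait timed out" text, which anyone matching logs should know about.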
diff --git a/queue-4.14/drm-safely-free-connectors-from-connector_iter.patch b/queue-4.14/drm-safely-free-connectors-from-connector_iter.patch
new file mode 100644 (file)
index 0000000..a37de51
--- /dev/null
@@ -0,0 +1,140 @@
+From a703c55004e1c5076d57e43771b3e11117796ea0 Mon Sep 17 00:00:00 2001
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Mon, 4 Dec 2017 21:48:18 +0100
+Subject: drm: safely free connectors from connector_iter
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+commit a703c55004e1c5076d57e43771b3e11117796ea0 upstream.
+
+In
+
+commit 613051dac40da1751ab269572766d3348d45a197
+Author: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date:   Wed Dec 14 00:08:06 2016 +0100
+
+    drm: locking&new iterators for connector_list
+
+we've went to extreme lengths to make sure connector iterations works
+in any context, without introducing any additional locking context.
+This worked, except for a small fumble in the implementation:
+
+When we actually race with a concurrent connector unplug event, and
+our temporary connector reference turns out to be the final one, then
+everything breaks: We call the connector release function from
+whatever context we happen to be in, which can be an irq/atomic
+context. And connector freeing grabs all kinds of locks and stuff.
+
+Fix this by creating a specially safe put function for connetor_iter,
+which (in this rare case) punts the cleanup to a worker.
+
+Reported-by: Ben Widawsky <ben@bwidawsk.net>
+Cc: Ben Widawsky <ben@bwidawsk.net>
+Fixes: 613051dac40d ("drm: locking&new iterators for connector_list")
+Cc: Dave Airlie <airlied@gmail.com>
+Cc: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Sean Paul <seanpaul@chromium.org>
+Reviewed-by: Dave Airlie <airlied@gmail.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20171204204818.24745-1-daniel.vetter@ffwll.ch
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_connector.c   |   28 ++++++++++++++++++++++++++--
+ drivers/gpu/drm/drm_mode_config.c |    2 ++
+ include/drm/drm_connector.h       |    8 ++++++++
+ 3 files changed, 36 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/drm_connector.c
++++ b/drivers/gpu/drm/drm_connector.c
+@@ -152,6 +152,16 @@ static void drm_connector_free(struct kr
+       connector->funcs->destroy(connector);
+ }
++static void drm_connector_free_work_fn(struct work_struct *work)
++{
++      struct drm_connector *connector =
++              container_of(work, struct drm_connector, free_work);
++      struct drm_device *dev = connector->dev;
++
++      drm_mode_object_unregister(dev, &connector->base);
++      connector->funcs->destroy(connector);
++}
++
+ /**
+  * drm_connector_init - Init a preallocated connector
+  * @dev: DRM device
+@@ -181,6 +191,8 @@ int drm_connector_init(struct drm_device
+       if (ret)
+               return ret;
++      INIT_WORK(&connector->free_work, drm_connector_free_work_fn);
++
+       connector->base.properties = &connector->properties;
+       connector->dev = dev;
+       connector->funcs = funcs;
+@@ -525,6 +537,18 @@ void drm_connector_list_iter_begin(struc
+ }
+ EXPORT_SYMBOL(drm_connector_list_iter_begin);
++/*
++ * Extra-safe connector put function that works in any context. Should only be
++ * used from the connector_iter functions, where we never really expect to
++ * actually release the connector when dropping our final reference.
++ */
++static void
++drm_connector_put_safe(struct drm_connector *conn)
++{
++      if (refcount_dec_and_test(&conn->base.refcount.refcount))
++              schedule_work(&conn->free_work);
++}
++
+ /**
+  * drm_connector_list_iter_next - return next connector
+  * @iter: connectr_list iterator
+@@ -557,7 +581,7 @@ drm_connector_list_iter_next(struct drm_
+       spin_unlock_irqrestore(&config->connector_list_lock, flags);
+       if (old_conn)
+-              drm_connector_put(old_conn);
++              drm_connector_put_safe(old_conn);
+       return iter->conn;
+ }
+@@ -576,7 +600,7 @@ void drm_connector_list_iter_end(struct
+ {
+       iter->dev = NULL;
+       if (iter->conn)
+-              drm_connector_put(iter->conn);
++              drm_connector_put_safe(iter->conn);
+       lock_release(&connector_list_iter_dep_map, 0, _RET_IP_);
+ }
+ EXPORT_SYMBOL(drm_connector_list_iter_end);
+--- a/drivers/gpu/drm/drm_mode_config.c
++++ b/drivers/gpu/drm/drm_mode_config.c
+@@ -428,6 +428,8 @@ void drm_mode_config_cleanup(struct drm_
+               drm_connector_put(connector);
+       }
+       drm_connector_list_iter_end(&conn_iter);
++      /* connector_iter drops references in a work item. */
++      flush_scheduled_work();
+       if (WARN_ON(!list_empty(&dev->mode_config.connector_list))) {
+               drm_connector_list_iter_begin(dev, &conn_iter);
+               drm_for_each_connector_iter(connector, &conn_iter)
+--- a/include/drm/drm_connector.h
++++ b/include/drm/drm_connector.h
+@@ -905,6 +905,14 @@ struct drm_connector {
+       uint8_t num_h_tile, num_v_tile;
+       uint8_t tile_h_loc, tile_v_loc;
+       uint16_t tile_h_size, tile_v_size;
++
++      /**
++       * @free_work:
++       *
++       * Work used only by &drm_connector_iter to be able to clean up a
++       * connector from any context.
++       */
++      struct work_struct free_work;
+ };
+ #define obj_to_connector(x) container_of(x, struct drm_connector, base)
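Review bot: drm_connector_free_work_fn() appears to duplicate the body of drm_connector_free() (only the latter's trailing funcs->destroy() call is visible at the top of the hunk), so the two release paths can silently diverge; routing both through one static helper keeps a future teardown step from being added to only one of them. drm_connector_put_safe() also reaches through the kref into `conn->base.refcount.refcount` with refcount_dec_and_test(); the same effect is available without bypassing the kref API by giving `kref_put(&conn->base.refcount, ...)` a release callback that only does schedule_work(&connector->free_work). The comment on drm_connector_put_safe() says the final release is not normally expected but not that the deferred destroy means the connector can outlive the iterator until the work has run; a sentence to that effect, plus a remark next to flush_scheduled_work() in drm_mode_config_cleanup() that it is what makes the following list_empty() WARN_ON meaningful, would document the dependency between the two hunks.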
diff --git a/queue-4.14/efi-esrt-use-memunmap-instead-of-kfree-to-free-the-remapping.patch b/queue-4.14/efi-esrt-use-memunmap-instead-of-kfree-to-free-the-remapping.patch
new file mode 100644 (file)
index 0000000..a2384b6
--- /dev/null
@@ -0,0 +1,38 @@
+From 89c5a2d34bda58319e3075e8e7dd727ea25a435c Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Wed, 6 Dec 2017 09:50:09 +0000
+Subject: efi/esrt: Use memunmap() instead of kfree() to free the remapping
+
+From: Pan Bian <bianpan2016@163.com>
+
+commit 89c5a2d34bda58319e3075e8e7dd727ea25a435c upstream.
+
+The remapping result of memremap() should be freed with memunmap(), not kfree().
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20171206095010.24170-3-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/efi/esrt.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/firmware/efi/esrt.c
++++ b/drivers/firmware/efi/esrt.c
+@@ -428,7 +428,7 @@ err_remove_group:
+ err_remove_esrt:
+       kobject_put(esrt_kobj);
+ err:
+-      kfree(esrt);
++      memunmap(esrt);
+       esrt = NULL;
+       return error;
+ }
diff --git a/queue-4.14/efi-move-some-sysfs-files-to-be-read-only-by-root.patch b/queue-4.14/efi-move-some-sysfs-files-to-be-read-only-by-root.patch
new file mode 100644 (file)
index 0000000..161f219
--- /dev/null
@@ -0,0 +1,131 @@
+From af97a77bc01ce49a466f9d4c0125479e2e2230b6 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 6 Dec 2017 09:50:08 +0000
+Subject: efi: Move some sysfs files to be read-only by root
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit af97a77bc01ce49a466f9d4c0125479e2e2230b6 upstream.
+
+Thanks to the scripts/leaking_addresses.pl script, it was found that
+some EFI values should not be readable by non-root users.
+
+So make them root-only, and to do that, add a __ATTR_RO_MODE() macro to
+make this easier, and use it in other places at the same time.
+
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Tested-by: Dave Young <dyoung@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20171206095010.24170-2-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/efi/efi.c         |    3 +--
+ drivers/firmware/efi/esrt.c        |   15 ++++++---------
+ drivers/firmware/efi/runtime-map.c |   10 +++++-----
+ include/linux/sysfs.h              |    6 ++++++
+ 4 files changed, 18 insertions(+), 16 deletions(-)
+
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -143,8 +143,7 @@ static ssize_t systab_show(struct kobjec
+       return str - buf;
+ }
+-static struct kobj_attribute efi_attr_systab =
+-                      __ATTR(systab, 0400, systab_show, NULL);
++static struct kobj_attribute efi_attr_systab = __ATTR_RO_MODE(systab, 0400);
+ #define EFI_FIELD(var) efi.var
+--- a/drivers/firmware/efi/esrt.c
++++ b/drivers/firmware/efi/esrt.c
+@@ -106,7 +106,7 @@ static const struct sysfs_ops esre_attr_
+ };
+ /* Generic ESRT Entry ("ESRE") support. */
+-static ssize_t esre_fw_class_show(struct esre_entry *entry, char *buf)
++static ssize_t fw_class_show(struct esre_entry *entry, char *buf)
+ {
+       char *str = buf;
+@@ -117,18 +117,16 @@ static ssize_t esre_fw_class_show(struct
+       return str - buf;
+ }
+-static struct esre_attribute esre_fw_class = __ATTR(fw_class, 0400,
+-      esre_fw_class_show, NULL);
++static struct esre_attribute esre_fw_class = __ATTR_RO_MODE(fw_class, 0400);
+ #define esre_attr_decl(name, size, fmt) \
+-static ssize_t esre_##name##_show(struct esre_entry *entry, char *buf) \
++static ssize_t name##_show(struct esre_entry *entry, char *buf) \
+ { \
+       return sprintf(buf, fmt "\n", \
+                      le##size##_to_cpu(entry->esre.esre1->name)); \
+ } \
+ \
+-static struct esre_attribute esre_##name = __ATTR(name, 0400, \
+-      esre_##name##_show, NULL)
++static struct esre_attribute esre_##name = __ATTR_RO_MODE(name, 0400)
+ esre_attr_decl(fw_type, 32, "%u");
+ esre_attr_decl(fw_version, 32, "%u");
+@@ -193,14 +191,13 @@ static int esre_create_sysfs_entry(void
+ /* support for displaying ESRT fields at the top level */
+ #define esrt_attr_decl(name, size, fmt) \
+-static ssize_t esrt_##name##_show(struct kobject *kobj, \
++static ssize_t name##_show(struct kobject *kobj, \
+                                 struct kobj_attribute *attr, char *buf)\
+ { \
+       return sprintf(buf, fmt "\n", le##size##_to_cpu(esrt->name)); \
+ } \
+ \
+-static struct kobj_attribute esrt_##name = __ATTR(name, 0400, \
+-      esrt_##name##_show, NULL)
++static struct kobj_attribute esrt_##name = __ATTR_RO_MODE(name, 0400)
+ esrt_attr_decl(fw_resource_count, 32, "%u");
+ esrt_attr_decl(fw_resource_count_max, 32, "%u");
+--- a/drivers/firmware/efi/runtime-map.c
++++ b/drivers/firmware/efi/runtime-map.c
+@@ -63,11 +63,11 @@ static ssize_t map_attr_show(struct kobj
+       return map_attr->show(entry, buf);
+ }
+-static struct map_attribute map_type_attr = __ATTR_RO(type);
+-static struct map_attribute map_phys_addr_attr   = __ATTR_RO(phys_addr);
+-static struct map_attribute map_virt_addr_attr  = __ATTR_RO(virt_addr);
+-static struct map_attribute map_num_pages_attr  = __ATTR_RO(num_pages);
+-static struct map_attribute map_attribute_attr  = __ATTR_RO(attribute);
++static struct map_attribute map_type_attr = __ATTR_RO_MODE(type, 0400);
++static struct map_attribute map_phys_addr_attr = __ATTR_RO_MODE(phys_addr, 0400);
++static struct map_attribute map_virt_addr_attr = __ATTR_RO_MODE(virt_addr, 0400);
++static struct map_attribute map_num_pages_attr = __ATTR_RO_MODE(num_pages, 0400);
++static struct map_attribute map_attribute_attr = __ATTR_RO_MODE(attribute, 0400);
+ /*
+  * These are default attributes that are added for every memmap entry.
+--- a/include/linux/sysfs.h
++++ b/include/linux/sysfs.h
+@@ -117,6 +117,12 @@ struct attribute_group {
+       .show   = _name##_show,                                         \
+ }
++#define __ATTR_RO_MODE(_name, _mode) {                                        \
++      .attr   = { .name = __stringify(_name),                         \
++                  .mode = VERIFY_OCTAL_PERMISSIONS(_mode) },          \
++      .show   = _name##_show,                                         \
++}
++
+ #define __ATTR_WO(_name) {                                            \
+       .attr   = { .name = __stringify(_name), .mode = S_IWUSR },      \
+       .store  = _name##_store,                                        \
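Review bot: The new __ATTR_RO_MODE() macro in sysfs.h is undocumented and, unlike __ATTR_RO(), accepts any _mode; VERIFY_OCTAL_PERMISSIONS() rejects group/other write bits but not S_IWUSR, so a caller passing 0600 would get an attribute that advertises write permission with no .store handler wired up. A comment above it, `/* Read-only attribute with an explicit mode; _mode must not contain write bits since no .store is set. */`, states the contract the neighbouring macros leave implicit. Of the four files touched only runtime-map.c actually tightens permissions (__ATTR_RO, i.e. 0444, to 0400); efi.c and esrt.c were already 0400 and are converted for uniformity, which is worth noting when assessing the user-visible impact of this backport.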
diff --git a/queue-4.14/firmware-cleanup-firmware_in_kernel-message.patch b/queue-4.14/firmware-cleanup-firmware_in_kernel-message.patch
new file mode 100644 (file)
index 0000000..f246ddc
--- /dev/null
@@ -0,0 +1,65 @@
+From 0946b2fb38fdb6585a5ac3ca84ac73924f645952 Mon Sep 17 00:00:00 2001
+From: "Robin H. Johnson" <robbat2@gentoo.org>
+Date: Thu, 16 Nov 2017 14:36:12 -0800
+Subject: firmware: cleanup FIRMWARE_IN_KERNEL message
+
+From: Robin H. Johnson <robbat2@gentoo.org>
+
+commit 0946b2fb38fdb6585a5ac3ca84ac73924f645952 upstream.
+
+The help for FIRMWARE_IN_KERNEL still references the firmware_install
+command that was recently removed by commit 5620a0d1aacd ("firmware:
+delete in-kernel firmware").
+
+Clean up the message to direct the user to their distribution's
+linux-firmware package, and remove any reference to firmware being
+included in the kernel source tree.
+
+Fixes: 5620a0d1aacd ("firmware: delete in-kernel firmware").
+Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/Kconfig |   25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+--- a/drivers/base/Kconfig
++++ b/drivers/base/Kconfig
+@@ -91,22 +91,23 @@ config FIRMWARE_IN_KERNEL
+       depends on FW_LOADER
+       default y
+       help
+-        The kernel source tree includes a number of firmware 'blobs'
+-        that are used by various drivers. The recommended way to
+-        use these is to run "make firmware_install", which, after
+-        converting ihex files to binary, copies all of the needed
+-        binary files in firmware/ to /lib/firmware/ on your system so
+-        that they can be loaded by userspace helpers on request.
++        Various drivers in the kernel source tree may require firmware,
++        which is generally available in your distribution's linux-firmware
++        package.
++
++        The linux-firmware package should install firmware into
++        /lib/firmware/ on your system, so they can be loaded by userspace
++        helpers on request.
+         Enabling this option will build each required firmware blob
+-        into the kernel directly, where request_firmware() will find
+-        them without having to call out to userspace. This may be
+-        useful if your root file system requires a device that uses
+-        such firmware and do not wish to use an initrd.
++        specified by EXTRA_FIRMWARE into the kernel directly, where
++        request_firmware() will find them without having to call out to
++        userspace. This may be useful if your root file system requires a
++        device that uses such firmware and you do not wish to use an
++        initrd.
+         This single option controls the inclusion of firmware for
+-        every driver that uses request_firmware() and ships its
+-        firmware in the kernel source tree, which avoids a
++        every driver that uses request_firmware(), which avoids a
+         proliferation of 'Include firmware for xxx device' options.
+         Say 'N' and let firmware be loaded from userspace.
diff --git a/queue-4.14/firmware-vpd-destroy-vpd-sections-in-remove-function.patch b/queue-4.14/firmware-vpd-destroy-vpd-sections-in-remove-function.patch
new file mode 100644 (file)
index 0000000..e2fae54
--- /dev/null
@@ -0,0 +1,52 @@
+From 811d7e0215fb738fb9a9f0bcb1276516ad161ed1 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Wed, 15 Nov 2017 13:00:43 -0800
+Subject: firmware: vpd: Destroy vpd sections in remove function
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 811d7e0215fb738fb9a9f0bcb1276516ad161ed1 upstream.
+
+vpd sections are initialized during probe and thus should be destroyed
+in the remove function.
+
+Fixes: 049a59db34eb ("firmware: Google VPD sysfs driver")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/google/vpd.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/firmware/google/vpd.c
++++ b/drivers/firmware/google/vpd.c
+@@ -298,8 +298,17 @@ static int vpd_probe(struct platform_dev
+       return vpd_sections_init(entry.cbmem_addr);
+ }
++static int vpd_remove(struct platform_device *pdev)
++{
++      vpd_section_destroy(&ro_vpd);
++      vpd_section_destroy(&rw_vpd);
++
++      return 0;
++}
++
+ static struct platform_driver vpd_driver = {
+       .probe = vpd_probe,
++      .remove = vpd_remove,
+       .driver = {
+               .name = "vpd",
+       },
+@@ -324,8 +333,6 @@ static int __init vpd_platform_init(void
+ static void __exit vpd_platform_exit(void)
+ {
+-      vpd_section_destroy(&ro_vpd);
+-      vpd_section_destroy(&rw_vpd);
+       kobject_put(vpd_kobj);
+ }
diff --git a/queue-4.14/firmware-vpd-fix-platform-driver-and-device-registration-unregistration.patch b/queue-4.14/firmware-vpd-fix-platform-driver-and-device-registration-unregistration.patch
new file mode 100644 (file)
index 0000000..0c14a8c
--- /dev/null
@@ -0,0 +1,61 @@
+From 0631fb8b027f5968c2f5031f0b3ff7be3e4bebcc Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Wed, 15 Nov 2017 13:00:45 -0800
+Subject: firmware: vpd: Fix platform driver and device registration/unregistration
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 0631fb8b027f5968c2f5031f0b3ff7be3e4bebcc upstream.
+
+The driver exit function needs to unregister both platform device and
+driver. Also, during registration, register driver first and perform
+error checks.
+
+Fixes: 049a59db34eb ("firmware: Google VPD sysfs driver")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/google/vpd.c |   20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/drivers/firmware/google/vpd.c
++++ b/drivers/firmware/google/vpd.c
+@@ -326,21 +326,29 @@ static struct platform_driver vpd_driver
+       },
+ };
++static struct platform_device *vpd_pdev;
++
+ static int __init vpd_platform_init(void)
+ {
+-      struct platform_device *pdev;
+-
+-      pdev = platform_device_register_simple("vpd", -1, NULL, 0);
+-      if (IS_ERR(pdev))
+-              return PTR_ERR(pdev);
++      int ret;
+-      platform_driver_register(&vpd_driver);
++      ret = platform_driver_register(&vpd_driver);
++      if (ret)
++              return ret;
++
++      vpd_pdev = platform_device_register_simple("vpd", -1, NULL, 0);
++      if (IS_ERR(vpd_pdev)) {
++              platform_driver_unregister(&vpd_driver);
++              return PTR_ERR(vpd_pdev);
++      }
+       return 0;
+ }
+ static void __exit vpd_platform_exit(void)
+ {
++      platform_device_unregister(vpd_pdev);
++      platform_driver_unregister(&vpd_driver);
+ }
+ module_init(vpd_platform_init);
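Review bot: vpd_platform_init only reports a failure to register the device (the IS_ERR check after platform_device_register_simple); whatever error vpd_probe itself returns is not propagated by platform_device_register_simple, so the module still loads successfully with no device bound and nothing under /sys/firmware. If that is the intended behaviour it deserves a comment on the registration line, e.g. `/* probe errors are not propagated here: a failed vpd_probe leaves the module loaded but unbound */`. Since vpd_pdev is now a file-scope static read by vpd_platform_exit, a one-line comment on its declaration (`/* device created in init, torn down in exit */`) would also make the ownership explicit.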
diff --git a/queue-4.14/firmware-vpd-tie-firmware-kobject-to-device-lifetime.patch b/queue-4.14/firmware-vpd-tie-firmware-kobject-to-device-lifetime.patch
new file mode 100644 (file)
index 0000000..90d795d
--- /dev/null
@@ -0,0 +1,71 @@
+From e4b28b3c3a405b251fa25db58abe1512814a680a Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Wed, 15 Nov 2017 13:00:44 -0800
+Subject: firmware: vpd: Tie firmware kobject to device lifetime
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit e4b28b3c3a405b251fa25db58abe1512814a680a upstream.
+
+It doesn't make sense to have /sys/firmware/vpd if the device is not
+instantiated, so tie its lifetime to the device.
+
+Fixes: 049a59db34eb ("firmware: Google VPD sysfs driver")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/google/vpd.c |   19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+--- a/drivers/firmware/google/vpd.c
++++ b/drivers/firmware/google/vpd.c
+@@ -295,7 +295,17 @@ static int vpd_probe(struct platform_dev
+       if (ret)
+               return ret;
+-      return vpd_sections_init(entry.cbmem_addr);
++      vpd_kobj = kobject_create_and_add("vpd", firmware_kobj);
++      if (!vpd_kobj)
++              return -ENOMEM;
++
++      ret = vpd_sections_init(entry.cbmem_addr);
++      if (ret) {
++              kobject_put(vpd_kobj);
++              return ret;
++      }
++
++      return 0;
+ }
+ static int vpd_remove(struct platform_device *pdev)
+@@ -303,6 +313,8 @@ static int vpd_remove(struct platform_de
+       vpd_section_destroy(&ro_vpd);
+       vpd_section_destroy(&rw_vpd);
++      kobject_put(vpd_kobj);
++
+       return 0;
+ }
+@@ -322,10 +334,6 @@ static int __init vpd_platform_init(void
+       if (IS_ERR(pdev))
+               return PTR_ERR(pdev);
+-      vpd_kobj = kobject_create_and_add("vpd", firmware_kobj);
+-      if (!vpd_kobj)
+-              return -ENOMEM;
+-
+       platform_driver_register(&vpd_driver);
+       return 0;
+@@ -333,7 +341,6 @@ static int __init vpd_platform_init(void
+ static void __exit vpd_platform_exit(void)
+ {
+-      kobject_put(vpd_kobj);
+ }
+ module_init(vpd_platform_init);
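Review bot: vpd_remove leaves the file-scope vpd_kobj pointing at the released kobject after kobject_put, and the probe error path that puts the kobject after a failed vpd_sections_init does the same; because probe can run again after an unbind/rebind, clear the pointer after each put: `kobject_put(vpd_kobj); vpd_kobj = NULL;` in both places. Whether vpd_sections_init cleans up a partially initialised section on failure is not visible here; if it does not, that probe error path would also need the matching vpd_section_destroy calls before returning. vpd_remove's body starts outside the hunk.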
diff --git a/queue-4.14/hv-kvp-avoid-reading-past-allocated-blocks-from-kvp-file.patch b/queue-4.14/hv-kvp-avoid-reading-past-allocated-blocks-from-kvp-file.patch
new file mode 100644 (file)
index 0000000..d80277d
--- /dev/null
@@ -0,0 +1,140 @@
+From 297d6b6e56c2977fc504c61bbeeaa21296923f89 Mon Sep 17 00:00:00 2001
+From: Paul Meyer <Paul.Meyer@microsoft.com>
+Date: Tue, 14 Nov 2017 13:06:47 -0700
+Subject: hv: kvp: Avoid reading past allocated blocks from KVP file
+
+From: Paul Meyer <Paul.Meyer@microsoft.com>
+
+commit 297d6b6e56c2977fc504c61bbeeaa21296923f89 upstream.
+
+While reading in more than one block (50) of KVP records, the allocation
+goes per block, but the reads used the total number of allocated records
+(without resetting the pointer/stream). This causes the records buffer to
+overrun when the refresh reads more than one block over the previous
+capacity (e.g. reading more than 100 KVP records whereas the in-memory
+database was empty before).
+
+Fix this by reading the correct number of KVP records from file each time.
+
+Signed-off-by: Paul Meyer <Paul.Meyer@microsoft.com>
+Signed-off-by: Long Li <longli@microsoft.com>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/hv/hv_kvp_daemon.c |   70 +++++++++--------------------------------------
+ 1 file changed, 14 insertions(+), 56 deletions(-)
+
+--- a/tools/hv/hv_kvp_daemon.c
++++ b/tools/hv/hv_kvp_daemon.c
+@@ -193,11 +193,14 @@ static void kvp_update_mem_state(int poo
+       for (;;) {
+               readp = &record[records_read];
+               records_read += fread(readp, sizeof(struct kvp_record),
+-                                      ENTRIES_PER_BLOCK * num_blocks,
+-                                      filep);
++                              ENTRIES_PER_BLOCK * num_blocks - records_read,
++                              filep);
+               if (ferror(filep)) {
+-                      syslog(LOG_ERR, "Failed to read file, pool: %d", pool);
++                      syslog(LOG_ERR,
++                              "Failed to read file, pool: %d; error: %d %s",
++                               pool, errno, strerror(errno));
++                      kvp_release_lock(pool);
+                       exit(EXIT_FAILURE);
+               }
+@@ -210,6 +213,7 @@ static void kvp_update_mem_state(int poo
+                       if (record == NULL) {
+                               syslog(LOG_ERR, "malloc failed");
++                              kvp_release_lock(pool);
+                               exit(EXIT_FAILURE);
+                       }
+                       continue;
+@@ -224,15 +228,11 @@ static void kvp_update_mem_state(int poo
+       fclose(filep);
+       kvp_release_lock(pool);
+ }
++
+ static int kvp_file_init(void)
+ {
+       int  fd;
+-      FILE *filep;
+-      size_t records_read;
+       char *fname;
+-      struct kvp_record *record;
+-      struct kvp_record *readp;
+-      int num_blocks;
+       int i;
+       int alloc_unit = sizeof(struct kvp_record) * ENTRIES_PER_BLOCK;
+@@ -246,61 +246,19 @@ static int kvp_file_init(void)
+       for (i = 0; i < KVP_POOL_COUNT; i++) {
+               fname = kvp_file_info[i].fname;
+-              records_read = 0;
+-              num_blocks = 1;
+               sprintf(fname, "%s/.kvp_pool_%d", KVP_CONFIG_LOC, i);
+               fd = open(fname, O_RDWR | O_CREAT | O_CLOEXEC, 0644 /* rw-r--r-- */);
+               if (fd == -1)
+                       return 1;
+-
+-              filep = fopen(fname, "re");
+-              if (!filep) {
+-                      close(fd);
+-                      return 1;
+-              }
+-
+-              record = malloc(alloc_unit * num_blocks);
+-              if (record == NULL) {
+-                      fclose(filep);
+-                      close(fd);
+-                      return 1;
+-              }
+-              for (;;) {
+-                      readp = &record[records_read];
+-                      records_read += fread(readp, sizeof(struct kvp_record),
+-                                      ENTRIES_PER_BLOCK,
+-                                      filep);
+-
+-                      if (ferror(filep)) {
+-                              syslog(LOG_ERR, "Failed to read file, pool: %d",
+-                                     i);
+-                              exit(EXIT_FAILURE);
+-                      }
+-
+-                      if (!feof(filep)) {
+-                              /*
+-                               * We have more data to read.
+-                               */
+-                              num_blocks++;
+-                              record = realloc(record, alloc_unit *
+-                                              num_blocks);
+-                              if (record == NULL) {
+-                                      fclose(filep);
+-                                      close(fd);
+-                                      return 1;
+-                              }
+-                              continue;
+-                      }
+-                      break;
+-              }
+               kvp_file_info[i].fd = fd;
+-              kvp_file_info[i].num_blocks = num_blocks;
+-              kvp_file_info[i].records = record;
+-              kvp_file_info[i].num_records = records_read;
+-              fclose(filep);
+-
++              kvp_file_info[i].num_blocks = 1;
++              kvp_file_info[i].records = malloc(alloc_unit);
++              if (kvp_file_info[i].records == NULL)
++                      return 1;
++              kvp_file_info[i].num_records = 0;
++              kvp_update_mem_state(i);
+       }
+       return 0;
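Review bot: kvp_file_init now calls kvp_update_mem_state(i) for the initial load, and that helper terminates the process with exit(EXIT_FAILURE) on a read or malloc failure, whereas every other failure in kvp_file_init returns 1 to its caller, so the init path no longer has a single error-handling convention. Either give kvp_update_mem_state a return value that kvp_file_init can turn into `return 1`, or document the behaviour at the call site, e.g. `/* exits the daemon on I/O or allocation failure */`. The malloc-failure return in the loop also no longer closes fd as the removed code did; fd has been stored in kvp_file_info[i].fd, so it is not lost, but the caller's cleanup on a 1 return is not visible here. kvp_update_mem_state starts outside the hunk, so its locking around the new early exits could not be checked from this view.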
diff --git a/queue-4.14/ib-core-avoid-unnecessary-return-value-check.patch b/queue-4.14/ib-core-avoid-unnecessary-return-value-check.patch
new file mode 100644 (file)
index 0000000..3d2a5e2
--- /dev/null
@@ -0,0 +1,49 @@
+From 2e4c85c6edc80fa532b2c7e1eb3597ef4d4bbb8f Mon Sep 17 00:00:00 2001
+From: Parav Pandit <parav@mellanox.com>
+Date: Thu, 2 Nov 2017 15:22:27 +0200
+Subject: IB/core: Avoid unnecessary return value check
+
+From: Parav Pandit <parav@mellanox.com>
+
+commit 2e4c85c6edc80fa532b2c7e1eb3597ef4d4bbb8f upstream.
+
+Since there is nothing done with non zero return value, such check is
+avoided.
+
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/security.c |   15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+--- a/drivers/infiniband/core/security.c
++++ b/drivers/infiniband/core/security.c
+@@ -697,20 +697,13 @@ void ib_mad_agent_security_cleanup(struc
+ int ib_mad_enforce_security(struct ib_mad_agent_private *map, u16 pkey_index)
+ {
+-      int ret;
+-
+       if (map->agent.qp->qp_type == IB_QPT_SMI && !map->agent.smp_allowed)
+               return -EACCES;
+-      ret = ib_security_pkey_access(map->agent.device,
+-                                    map->agent.port_num,
+-                                    pkey_index,
+-                                    map->agent.security);
+-
+-      if (ret)
+-              return ret;
+-
+-      return 0;
++      return ib_security_pkey_access(map->agent.device,
++                                     map->agent.port_num,
++                                     pkey_index,
++                                     map->agent.security);
+ }
+ #endif /* CONFIG_SECURITY_INFINIBAND */
diff --git a/queue-4.14/ib-core-only-enforce-security-for-infiniband.patch b/queue-4.14/ib-core-only-enforce-security-for-infiniband.patch
new file mode 100644 (file)
index 0000000..1182527
--- /dev/null
@@ -0,0 +1,172 @@
+From 315d160c5a4e034a576a13aa21e7235d5c9ec609 Mon Sep 17 00:00:00 2001
+From: Daniel Jurgens <danielj@mellanox.com>
+Date: Wed, 29 Nov 2017 20:10:39 +0200
+Subject: IB/core: Only enforce security for InfiniBand
+
+From: Daniel Jurgens <danielj@mellanox.com>
+
+commit 315d160c5a4e034a576a13aa21e7235d5c9ec609 upstream.
+
+For now the only LSM security enforcement mechanism available is
+specific to InfiniBand. Bypass enforcement for non-IB link types.
+
+This fixes a regression where modify_qp fails for iWARP because
+querying the PKEY returns -EINVAL.
+
+Cc: Paul Moore <paul@paul-moore.com>
+Cc: Don Dutile <ddutile@redhat.com>
+Reported-by: Potnuri Bharat Teja <bharat@chelsio.com>
+Fixes: d291f1a65232("IB/core: Enforce PKey security on QPs")
+Fixes: 47a2b338fe63("IB/core: Enforce security on management datagrams")
+Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
+Reviewed-by: Parav Pandit <parav@mellanox.com>
+Tested-by: Potnuri Bharat Teja <bharat@chelsio.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/security.c |   50 ++++++++++++++++++++++++++++++++++---
+ 1 file changed, 46 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/core/security.c
++++ b/drivers/infiniband/core/security.c
+@@ -417,8 +417,17 @@ void ib_close_shared_qp_security(struct
+ int ib_create_qp_security(struct ib_qp *qp, struct ib_device *dev)
+ {
++      u8 i = rdma_start_port(dev);
++      bool is_ib = false;
+       int ret;
++      while (i <= rdma_end_port(dev) && !is_ib)
++              is_ib = rdma_protocol_ib(dev, i++);
++
++      /* If this isn't an IB device don't create the security context */
++      if (!is_ib)
++              return 0;
++
+       qp->qp_sec = kzalloc(sizeof(*qp->qp_sec), GFP_KERNEL);
+       if (!qp->qp_sec)
+               return -ENOMEM;
+@@ -441,6 +450,10 @@ EXPORT_SYMBOL(ib_create_qp_security);
+ void ib_destroy_qp_security_begin(struct ib_qp_security *sec)
+ {
++      /* Return if not IB */
++      if (!sec)
++              return;
++
+       mutex_lock(&sec->mutex);
+       /* Remove the QP from the lists so it won't get added to
+@@ -470,6 +483,10 @@ void ib_destroy_qp_security_abort(struct
+       int ret;
+       int i;
++      /* Return if not IB */
++      if (!sec)
++              return;
++
+       /* If a concurrent cache update is in progress this
+        * QP security could be marked for an error state
+        * transition.  Wait for this to complete.
+@@ -505,6 +522,10 @@ void ib_destroy_qp_security_end(struct i
+ {
+       int i;
++      /* Return if not IB */
++      if (!sec)
++              return;
++
+       /* If a concurrent cache update is occurring we must
+        * wait until this QP security structure is processed
+        * in the QP to error flow before destroying it because
+@@ -557,7 +578,7 @@ int ib_security_modify_qp(struct ib_qp *
+ {
+       int ret = 0;
+       struct ib_ports_pkeys *tmp_pps;
+-      struct ib_ports_pkeys *new_pps;
++      struct ib_ports_pkeys *new_pps = NULL;
+       struct ib_qp *real_qp = qp->real_qp;
+       bool special_qp = (real_qp->qp_type == IB_QPT_SMI ||
+                          real_qp->qp_type == IB_QPT_GSI ||
+@@ -565,18 +586,27 @@ int ib_security_modify_qp(struct ib_qp *
+       bool pps_change = ((qp_attr_mask & (IB_QP_PKEY_INDEX | IB_QP_PORT)) ||
+                          (qp_attr_mask & IB_QP_ALT_PATH));
++      WARN_ONCE((qp_attr_mask & IB_QP_PORT &&
++                 rdma_protocol_ib(real_qp->device, qp_attr->port_num) &&
++                 !real_qp->qp_sec),
++                 "%s: QP security is not initialized for IB QP: %d\n",
++                 __func__, real_qp->qp_num);
++
+       /* The port/pkey settings are maintained only for the real QP. Open
+        * handles on the real QP will be in the shared_qp_list. When
+        * enforcing security on the real QP all the shared QPs will be
+        * checked as well.
+        */
+-      if (pps_change && !special_qp) {
++      if (pps_change && !special_qp && real_qp->qp_sec) {
+               mutex_lock(&real_qp->qp_sec->mutex);
+               new_pps = get_new_pps(real_qp,
+                                     qp_attr,
+                                     qp_attr_mask);
+-
++              if (!new_pps) {
++                      mutex_unlock(&real_qp->qp_sec->mutex);
++                      return -ENOMEM;
++              }
+               /* Add this QP to the lists for the new port
+                * and pkey settings before checking for permission
+                * in case there is a concurrent cache update
+@@ -600,7 +630,7 @@ int ib_security_modify_qp(struct ib_qp *
+                                                qp_attr_mask,
+                                                udata);
+-      if (pps_change && !special_qp) {
++      if (new_pps) {
+               /* Clean up the lists and free the appropriate
+                * ports_pkeys structure.
+                */
+@@ -631,6 +661,9 @@ int ib_security_pkey_access(struct ib_de
+       u16 pkey;
+       int ret;
++      if (!rdma_protocol_ib(dev, port_num))
++              return 0;
++
+       ret = ib_get_cached_pkey(dev, port_num, pkey_index, &pkey);
+       if (ret)
+               return ret;
+@@ -665,6 +698,9 @@ int ib_mad_agent_security_setup(struct i
+ {
+       int ret;
++      if (!rdma_protocol_ib(agent->device, agent->port_num))
++              return 0;
++
+       ret = security_ib_alloc_security(&agent->security);
+       if (ret)
+               return ret;
+@@ -690,6 +726,9 @@ int ib_mad_agent_security_setup(struct i
+ void ib_mad_agent_security_cleanup(struct ib_mad_agent *agent)
+ {
++      if (!rdma_protocol_ib(agent->device, agent->port_num))
++              return;
++
+       security_ib_free_security(agent->security);
+       if (agent->lsm_nb_reg)
+               unregister_lsm_notifier(&agent->lsm_nb);
+@@ -697,6 +736,9 @@ void ib_mad_agent_security_cleanup(struc
+ int ib_mad_enforce_security(struct ib_mad_agent_private *map, u16 pkey_index)
+ {
++      if (!rdma_protocol_ib(map->agent.device, map->agent.port_num))
++              return 0;
++
+       if (map->agent.qp->qp_type == IB_QPT_SMI && !map->agent.smp_allowed)
+               return -EACCES;
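Review bot: The new `&& real_qp->qp_sec` condition in ib_security_modify_qp makes pkey enforcement fail open whenever qp_sec is NULL, and the WARN_ONCE above it only fires when IB_QP_PORT is in qp_attr_mask, so the invariant that makes this safe — ib_create_qp_security returns -ENOMEM rather than leaving qp_sec NULL on an IB device, and skips allocation only for non-IB devices — should be stated at the check: `/* qp_sec is NULL only for non-IB devices; ib_create_qp_security fails rather than leaving an IB QP without one */`. The same invariant is what the NULL returns added to the three ib_destroy_qp_security_* functions rely on, so the comment belongs with the modify_qp check that is the enforcement point. Separately, the port scan in ib_create_qp_security advances a `u8 i` with `i++` inside the loop; if rdma_end_port() could ever be 255 the counter would wrap and the loop would not terminate, so a wider loop variable or an explicit break would be more robust even though real port counts are small. ib_security_modify_qp and ib_mad_enforce_security both extend beyond the hunk.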
diff --git a/queue-4.14/iio-adc-cpcap-fix-incorrect-validation.patch b/queue-4.14/iio-adc-cpcap-fix-incorrect-validation.patch
new file mode 100644 (file)
index 0000000..23442d7
--- /dev/null
@@ -0,0 +1,37 @@
+From 81b039ec36a41a5451e1e36f05bb055eceab1dc8 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Mon, 13 Nov 2017 00:01:20 +0800
+Subject: iio: adc: cpcap: fix incorrect validation
+
+From: Pan Bian <bianpan2016@163.com>
+
+commit 81b039ec36a41a5451e1e36f05bb055eceab1dc8 upstream.
+
+Function platform_get_irq_byname() returns a negative error code on
+failure, and a zero or positive number on success. However, in function
+cpcap_adc_probe(), positive IRQ numbers are also taken as error cases.
+Use "if (ddata->irq < 0)" instead of "if (!ddata->irq)" to validate the
+return value of platform_get_irq_byname().
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Fixes: 25ec249632d50 ("iio: adc: cpcap: Add minimal support for CPCAP PMIC ADC")
+Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/cpcap-adc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/cpcap-adc.c
++++ b/drivers/iio/adc/cpcap-adc.c
+@@ -1012,7 +1012,7 @@ static int cpcap_adc_probe(struct platfo
+       platform_set_drvdata(pdev, indio_dev);
+       ddata->irq = platform_get_irq_byname(pdev, "adcdone");
+-      if (!ddata->irq)
++      if (ddata->irq < 0)
+               return -ENODEV;
+       error = devm_request_threaded_irq(&pdev->dev, ddata->irq, NULL,
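Review bot: Returning the fixed -ENODEV discards the error that platform_get_irq_byname() actually reported; it can return -EPROBE_DEFER when the interrupt provider is not yet available, and mapping that to -ENODEV turns a deferrable probe into a permanent failure. `return ddata->irq;` after the `< 0` check preserves the real reason. cpcap_adc_probe starts and ends outside the hunk.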
diff --git a/queue-4.14/iio-adc-meson-saradc-fix-the-bit_idx-of-the-adc_en-clock.patch b/queue-4.14/iio-adc-meson-saradc-fix-the-bit_idx-of-the-adc_en-clock.patch
new file mode 100644 (file)
index 0000000..27e5771
--- /dev/null
@@ -0,0 +1,40 @@
+From 7a6b0420d2fe4ce59437bd318826fe468f0d71ae Mon Sep 17 00:00:00 2001
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Tue, 31 Oct 2017 21:01:43 +0100
+Subject: iio: adc: meson-saradc: fix the bit_idx of the adc_en clock
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+commit 7a6b0420d2fe4ce59437bd318826fe468f0d71ae upstream.
+
+Meson8 and Meson8b SoCs use the the SAR ADC gate clock provided by the
+MESON_SAR_ADC_REG3 register within the SAR ADC register area.
+According to the datasheet (and the existing MESON_SAR_ADC_REG3_CLK_EN
+definition) the gate is on bit 30.
+The fls() function returns the last set bit, which is "bit index + 1"
+(fls(MESON_SAR_ADC_REG3_CLK_EN) returns 31). Fix this by switching to
+__ffs() which returns the first set bit, which is bit 30 in our case.
+
+This off by one error results in the ADC not being usable on devices
+where the bootloader did not enable the clock.
+
+Fixes: 3adbf3427330 ("iio: adc: add a driver for the SAR ADC found in Amlogic Meson SoCs")
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/meson_saradc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/meson_saradc.c
++++ b/drivers/iio/adc/meson_saradc.c
+@@ -600,7 +600,7 @@ static int meson_sar_adc_clk_init(struct
+       init.num_parents = 1;
+       priv->clk_gate.reg = base + MESON_SAR_ADC_REG3;
+-      priv->clk_gate.bit_idx = fls(MESON_SAR_ADC_REG3_CLK_EN);
++      priv->clk_gate.bit_idx = __ffs(MESON_SAR_ADC_REG3_CLK_EN);
+       priv->clk_gate.hw.init = &init;
+       priv->adc_clk = devm_clk_register(&indio_dev->dev, &priv->clk_gate.hw);
diff --git a/queue-4.14/iio-adc-meson-saradc-initialize-the-bandgap-correctly-on-older-socs.patch b/queue-4.14/iio-adc-meson-saradc-initialize-the-bandgap-correctly-on-older-socs.patch
new file mode 100644 (file)
index 0000000..e97d1a9
--- /dev/null
@@ -0,0 +1,127 @@
+From d85eed9f576369bc90322659de96b7dbea1f9a57 Mon Sep 17 00:00:00 2001
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Tue, 31 Oct 2017 21:01:44 +0100
+Subject: iio: adc: meson-saradc: initialize the bandgap correctly on older SoCs
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+commit d85eed9f576369bc90322659de96b7dbea1f9a57 upstream.
+
+Meson8 and Meson8b do not have the MESON_SAR_ADC_REG11 register. The
+bandgap setting for these SoCs is configured in the
+MESON_SAR_ADC_DELTA_10 register instead.
+Make the driver aware of this difference and use the correct bandgap
+register depending on the SoC.
+This has worked fine on Meson8 and Meson8b because the bootloader is
+already initializing the bandgap setting.
+
+Fixes: 6c76ed31cd05 ("iio: adc: meson-saradc: add Meson8b SoC compatibility")
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/meson_saradc.c |   33 ++++++++++++++++++++++++++-------
+ 1 file changed, 26 insertions(+), 7 deletions(-)
+
+--- a/drivers/iio/adc/meson_saradc.c
++++ b/drivers/iio/adc/meson_saradc.c
+@@ -221,6 +221,7 @@ enum meson_sar_adc_chan7_mux_sel {
+ struct meson_sar_adc_data {
+       bool                                    has_bl30_integration;
++      u32                                     bandgap_reg;
+       unsigned int                            resolution;
+       const char                              *name;
+ };
+@@ -685,6 +686,20 @@ static int meson_sar_adc_init(struct iio
+       return 0;
+ }
++static void meson_sar_adc_set_bandgap(struct iio_dev *indio_dev, bool on_off)
++{
++      struct meson_sar_adc_priv *priv = iio_priv(indio_dev);
++      u32 enable_mask;
++
++      if (priv->data->bandgap_reg == MESON_SAR_ADC_REG11)
++              enable_mask = MESON_SAR_ADC_REG11_BANDGAP_EN;
++      else
++              enable_mask = MESON_SAR_ADC_DELTA_10_TS_VBG_EN;
++
++      regmap_update_bits(priv->regmap, priv->data->bandgap_reg, enable_mask,
++                         on_off ? enable_mask : 0);
++}
++
+ static int meson_sar_adc_hw_enable(struct iio_dev *indio_dev)
+ {
+       struct meson_sar_adc_priv *priv = iio_priv(indio_dev);
+@@ -717,9 +732,9 @@ static int meson_sar_adc_hw_enable(struc
+       regval = FIELD_PREP(MESON_SAR_ADC_REG0_FIFO_CNT_IRQ_MASK, 1);
+       regmap_update_bits(priv->regmap, MESON_SAR_ADC_REG0,
+                          MESON_SAR_ADC_REG0_FIFO_CNT_IRQ_MASK, regval);
+-      regmap_update_bits(priv->regmap, MESON_SAR_ADC_REG11,
+-                         MESON_SAR_ADC_REG11_BANDGAP_EN,
+-                         MESON_SAR_ADC_REG11_BANDGAP_EN);
++
++      meson_sar_adc_set_bandgap(indio_dev, true);
++
+       regmap_update_bits(priv->regmap, MESON_SAR_ADC_REG3,
+                          MESON_SAR_ADC_REG3_ADC_EN,
+                          MESON_SAR_ADC_REG3_ADC_EN);
+@@ -739,8 +754,7 @@ static int meson_sar_adc_hw_enable(struc
+ err_adc_clk:
+       regmap_update_bits(priv->regmap, MESON_SAR_ADC_REG3,
+                          MESON_SAR_ADC_REG3_ADC_EN, 0);
+-      regmap_update_bits(priv->regmap, MESON_SAR_ADC_REG11,
+-                         MESON_SAR_ADC_REG11_BANDGAP_EN, 0);
++      meson_sar_adc_set_bandgap(indio_dev, false);
+       clk_disable_unprepare(priv->sana_clk);
+ err_sana_clk:
+       clk_disable_unprepare(priv->core_clk);
+@@ -765,8 +779,8 @@ static int meson_sar_adc_hw_disable(stru
+       regmap_update_bits(priv->regmap, MESON_SAR_ADC_REG3,
+                          MESON_SAR_ADC_REG3_ADC_EN, 0);
+-      regmap_update_bits(priv->regmap, MESON_SAR_ADC_REG11,
+-                         MESON_SAR_ADC_REG11_BANDGAP_EN, 0);
++
++      meson_sar_adc_set_bandgap(indio_dev, false);
+       clk_disable_unprepare(priv->sana_clk);
+       clk_disable_unprepare(priv->core_clk);
+@@ -845,30 +859,35 @@ static const struct iio_info meson_sar_a
+ static const struct meson_sar_adc_data meson_sar_adc_meson8_data = {
+       .has_bl30_integration = false,
++      .bandgap_reg = MESON_SAR_ADC_DELTA_10,
+       .resolution = 10,
+       .name = "meson-meson8-saradc",
+ };
+ static const struct meson_sar_adc_data meson_sar_adc_meson8b_data = {
+       .has_bl30_integration = false,
++      .bandgap_reg = MESON_SAR_ADC_DELTA_10,
+       .resolution = 10,
+       .name = "meson-meson8b-saradc",
+ };
+ static const struct meson_sar_adc_data meson_sar_adc_gxbb_data = {
+       .has_bl30_integration = true,
++      .bandgap_reg = MESON_SAR_ADC_REG11,
+       .resolution = 10,
+       .name = "meson-gxbb-saradc",
+ };
+ static const struct meson_sar_adc_data meson_sar_adc_gxl_data = {
+       .has_bl30_integration = true,
++      .bandgap_reg = MESON_SAR_ADC_REG11,
+       .resolution = 12,
+       .name = "meson-gxl-saradc",
+ };
+ static const struct meson_sar_adc_data meson_sar_adc_gxm_data = {
+       .has_bl30_integration = true,
++      .bandgap_reg = MESON_SAR_ADC_REG11,
+       .resolution = 12,
+       .name = "meson-gxm-saradc",
+ };
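Review bot: meson_sar_adc_set_bandgap treats every bandgap_reg other than MESON_SAR_ADC_REG11 as the DELTA_10 layout, so a future meson_sar_adc_data that leaves .bandgap_reg zero-initialised would silently write the DELTA_10 mask to register 0. Making the second case explicit and refusing anything else avoids that: `else if (priv->data->bandgap_reg == MESON_SAR_ADC_DELTA_10) enable_mask = MESON_SAR_ADC_DELTA_10_TS_VBG_EN; else return;`. The ignored regmap_update_bits() return matches the existing callers in meson_sar_adc_hw_enable, so that is consistent rather than a new defect. A short comment on the new field, `/* register holding the bandgap enable bit; selects the mask in meson_sar_adc_set_bandgap */`, would also tie the struct change to its use.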
diff --git a/queue-4.14/iio-adc-meson-saradc-meson8-and-meson8b-do-not-have-reg11-and-reg13.patch b/queue-4.14/iio-adc-meson-saradc-meson8-and-meson8b-do-not-have-reg11-and-reg13.patch
new file mode 100644 (file)
index 0000000..2a8003a
--- /dev/null
@@ -0,0 +1,104 @@
+From 96748823c483c6eed8321f78bd128dd33f09c55c Mon Sep 17 00:00:00 2001
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Tue, 31 Oct 2017 21:01:45 +0100
+Subject: iio: adc: meson-saradc: Meson8 and Meson8b do not have REG11 and REG13
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+commit 96748823c483c6eed8321f78bd128dd33f09c55c upstream.
+
+The Meson GXBB and newer SoCs have a few more registers than the older
+Meson8 and Meson8b SoCs.
+Use a separate regmap config to limit the older SoCs to the DELTA_10
+register.
+
+Fixes: 6c76ed31cd05 ("iio: adc: meson-saradc: add Meson8b SoC compatibility")
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/meson_saradc.c |   17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/adc/meson_saradc.c
++++ b/drivers/iio/adc/meson_saradc.c
+@@ -224,6 +224,7 @@ struct meson_sar_adc_data {
+       u32                                     bandgap_reg;
+       unsigned int                            resolution;
+       const char                              *name;
++      const struct regmap_config              *regmap_config;
+ };
+ struct meson_sar_adc_priv {
+@@ -243,13 +244,20 @@ struct meson_sar_adc_priv {
+       int                                     calibscale;
+ };
+-static const struct regmap_config meson_sar_adc_regmap_config = {
++static const struct regmap_config meson_sar_adc_regmap_config_gxbb = {
+       .reg_bits = 8,
+       .val_bits = 32,
+       .reg_stride = 4,
+       .max_register = MESON_SAR_ADC_REG13,
+ };
++static const struct regmap_config meson_sar_adc_regmap_config_meson8 = {
++      .reg_bits = 8,
++      .val_bits = 32,
++      .reg_stride = 4,
++      .max_register = MESON_SAR_ADC_DELTA_10,
++};
++
+ static unsigned int meson_sar_adc_get_fifo_count(struct iio_dev *indio_dev)
+ {
+       struct meson_sar_adc_priv *priv = iio_priv(indio_dev);
+@@ -860,6 +868,7 @@ static const struct iio_info meson_sar_a
+ static const struct meson_sar_adc_data meson_sar_adc_meson8_data = {
+       .has_bl30_integration = false,
+       .bandgap_reg = MESON_SAR_ADC_DELTA_10,
++      .regmap_config = &meson_sar_adc_regmap_config_meson8,
+       .resolution = 10,
+       .name = "meson-meson8-saradc",
+ };
+@@ -867,6 +876,7 @@ static const struct meson_sar_adc_data m
+ static const struct meson_sar_adc_data meson_sar_adc_meson8b_data = {
+       .has_bl30_integration = false,
+       .bandgap_reg = MESON_SAR_ADC_DELTA_10,
++      .regmap_config = &meson_sar_adc_regmap_config_meson8,
+       .resolution = 10,
+       .name = "meson-meson8b-saradc",
+ };
+@@ -874,6 +884,7 @@ static const struct meson_sar_adc_data m
+ static const struct meson_sar_adc_data meson_sar_adc_gxbb_data = {
+       .has_bl30_integration = true,
+       .bandgap_reg = MESON_SAR_ADC_REG11,
++      .regmap_config = &meson_sar_adc_regmap_config_gxbb,
+       .resolution = 10,
+       .name = "meson-gxbb-saradc",
+ };
+@@ -881,6 +892,7 @@ static const struct meson_sar_adc_data m
+ static const struct meson_sar_adc_data meson_sar_adc_gxl_data = {
+       .has_bl30_integration = true,
+       .bandgap_reg = MESON_SAR_ADC_REG11,
++      .regmap_config = &meson_sar_adc_regmap_config_gxbb,
+       .resolution = 12,
+       .name = "meson-gxl-saradc",
+ };
+@@ -888,6 +900,7 @@ static const struct meson_sar_adc_data m
+ static const struct meson_sar_adc_data meson_sar_adc_gxm_data = {
+       .has_bl30_integration = true,
+       .bandgap_reg = MESON_SAR_ADC_REG11,
++      .regmap_config = &meson_sar_adc_regmap_config_gxbb,
+       .resolution = 12,
+       .name = "meson-gxm-saradc",
+ };
+@@ -965,7 +978,7 @@ static int meson_sar_adc_probe(struct pl
+               return ret;
+       priv->regmap = devm_regmap_init_mmio(&pdev->dev, base,
+-                                           &meson_sar_adc_regmap_config);
++                                           priv->data->regmap_config);
+       if (IS_ERR(priv->regmap))
+               return PTR_ERR(priv->regmap);
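Review bot: `priv->data->regmap_config` is handed straight to devm_regmap_init_mmio() in meson_sar_adc_probe with no NULL check, so the new member is effectively mandatory for every `meson_sar_adc_data` instance, yet nothing in the struct says so; all five instances in this patch set it, but a future SoC entry that omits it would pass NULL into regmap. A comment on the member in the first hunk would make the contract visible: `const struct regmap_config *regmap_config; /* required: probe passes it unchecked to devm_regmap_init_mmio() */`. Alternatively a one-line guard in probe, `if (!priv->data->regmap_config) return -EINVAL;`, would fail loudly instead. meson_sar_adc_probe's body starts and ends outside the hunk.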
diff --git a/queue-4.14/iio-health-max30102-temperature-should-be-in-milli-celsius.patch b/queue-4.14/iio-health-max30102-temperature-should-be-in-milli-celsius.patch
new file mode 100644 (file)
index 0000000..b1c27a3
--- /dev/null
@@ -0,0 +1,35 @@
+From ad44a9f804c1591ba2a2ec0ac8d916a515d2790c Mon Sep 17 00:00:00 2001
+From: Peter Meerwald-Stadler <pmeerw@pmeerw.net>
+Date: Fri, 27 Oct 2017 21:45:31 +0200
+Subject: iio: health: max30102: Temperature should be in milli Celsius
+
+From: Peter Meerwald-Stadler <pmeerw@pmeerw.net>
+
+commit ad44a9f804c1591ba2a2ec0ac8d916a515d2790c upstream.
+
+As per ABI temperature should be in milli Celsius after scaling,
+not Celsius
+
+Note on stable cc.  This driver is breaking the standard IIO
+ABI. (JC)
+
+Signed-off-by: Peter Meerwald-Stadler <pmeerw@pmeerw.net>
+Acked-by: Matt Ranostay <matt.ranostay@konsulko.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/health/max30102.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/health/max30102.c
++++ b/drivers/iio/health/max30102.c
+@@ -371,7 +371,7 @@ static int max30102_read_raw(struct iio_
+               mutex_unlock(&indio_dev->mlock);
+               break;
+       case IIO_CHAN_INFO_SCALE:
+-              *val = 1;  /* 0.0625 */
++              *val = 1000;  /* 62.5 */
+               *val2 = 16;
+               ret = IIO_VAL_FRACTIONAL;
+               break;
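Review bot: The replacement comment `/* 62.5 */` on the `*val = 1000;` line drops the unit, so a reader has to work out that 1000/16 is the per-LSB step in milli-degrees Celsius that the IIO ABI expects. Suggest `*val = 1000;  /* 1000/16 = 62.5 mC per LSB; IIO temp ABI is milli Celsius */` so the fix and its reason are on the same line. max30102_read_raw starts and ends outside the hunk.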
diff --git a/queue-4.14/iio-stm32-fix-adc-trigger-link-error.patch b/queue-4.14/iio-stm32-fix-adc-trigger-link-error.patch
new file mode 100644 (file)
index 0000000..cb931b9
--- /dev/null
@@ -0,0 +1,56 @@
+From 6d745ee8b5e81f3a33791e3c854fbbfd6f3e585e Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 6 Sep 2017 14:56:50 +0200
+Subject: iio: stm32: fix adc/trigger link error
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 6d745ee8b5e81f3a33791e3c854fbbfd6f3e585e upstream.
+
+The ADC driver can trigger on either the timer or the lptim
+trigger, but it only uses a Kconfig 'select' statement
+to ensure that the first of the two is present. When the lptim
+trigger is enabled as a loadable module, and the adc driver
+is built-in, we now get a link error:
+
+drivers/iio/adc/stm32-adc.o: In function `stm32_adc_get_trig_extsel':
+stm32-adc.c:(.text+0x4e0): undefined reference to `is_stm32_lptim_trigger'
+
+We could use a second 'select' statement and always have both
+trigger drivers enabled when the adc driver is, but it seems that
+the lptimer trigger was intentionally left optional, so it seems
+better to keep it that way.
+
+This adds a hack to use 'IS_REACHABLE()' rather than 'IS_ENABLED()',
+which avoids the link error, but instead leads to the lptimer trigger
+not being used in the broken configuration. I've added a runtime
+warning for this case to help users figure out what they did wrong
+if this should ever be done by accident.
+
+Fixes: f0b638a7f6db ("iio: adc: stm32: add support for lptimer triggers")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/iio/timer/stm32-lptim-trigger.h |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/include/linux/iio/timer/stm32-lptim-trigger.h
++++ b/include/linux/iio/timer/stm32-lptim-trigger.h
+@@ -16,11 +16,14 @@
+ #define LPTIM2_OUT    "lptim2_out"
+ #define LPTIM3_OUT    "lptim3_out"
+-#if IS_ENABLED(CONFIG_IIO_STM32_LPTIMER_TRIGGER)
++#if IS_REACHABLE(CONFIG_IIO_STM32_LPTIMER_TRIGGER)
+ bool is_stm32_lptim_trigger(struct iio_trigger *trig);
+ #else
+ static inline bool is_stm32_lptim_trigger(struct iio_trigger *trig)
+ {
++#if IS_ENABLED(CONFIG_IIO_STM32_LPTIMER_TRIGGER)
++      pr_warn_once("stm32 lptim_trigger not linked in\n");
++#endif
+       return false;
+ }
+ #endif
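Review bot: The fallback `is_stm32_lptim_trigger()` stub now calls `pr_warn_once()`, but the hunk adds no `#include <linux/printk.h>`, so the header is only self-contained if every includer happens to pull printk.h in first; adding the include at the top of the header (outside this hunk) removes that dependency on include order. Since the stub is `static inline`, the once-only latch inside `pr_warn_once()` is presumably per translation unit, so the warning may appear once per file that inlines the stub rather than once per boot; a comment such as `/* static inline: the once-latch is per including TU */` would keep the next reader from treating repeated warnings as a bug.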
diff --git a/queue-4.14/iommu-vt-d-fix-scatterlist-offset-handling.patch b/queue-4.14/iommu-vt-d-fix-scatterlist-offset-handling.patch
new file mode 100644 (file)
index 0000000..b083672
--- /dev/null
@@ -0,0 +1,86 @@
+From 29a90b70893817e2f2bb3cea40a29f5308e21b21 Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Thu, 28 Sep 2017 15:14:01 +0100
+Subject: iommu/vt-d: Fix scatterlist offset handling
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+commit 29a90b70893817e2f2bb3cea40a29f5308e21b21 upstream.
+
+The intel-iommu DMA ops fail to correctly handle scatterlists where
+sg->offset is greater than PAGE_SIZE - the IOVA allocation is computed
+appropriately based on the page-aligned portion of the offset, but the
+mapping is set up relative to sg->page, which means it fails to actually
+cover the whole buffer (and in the worst case doesn't cover it at all):
+
+    (sg->dma_address + sg->dma_len) ----+
+    sg->dma_address ---------+          |
+    iov_pfn------+           |          |
+                 |           |          |
+                 v           v          v
+iova:   a        b        c        d        e        f
+        |--------|--------|--------|--------|--------|
+                          <...calculated....>
+                 [_____mapped______]
+pfn:    0        1        2        3        4        5
+        |--------|--------|--------|--------|--------|
+                 ^           ^          ^
+                 |           |          |
+    sg->page ----+           |          |
+    sg->offset --------------+          |
+    (sg->offset + sg->length) ----------+
+
+As a result, the caller ends up overrunning the mapping into whatever
+lies beyond, which usually goes badly:
+
+[  429.645492] DMAR: DRHD: handling fault status reg 2
+[  429.650847] DMAR: [DMA Write] Request device [02:00.4] fault addr f2682000 ...
+
+Whilst this is a fairly rare occurrence, it can happen from the result
+of intermediate scatterlist processing such as scatterwalk_ffwd() in the
+crypto layer. Whilst that particular site could be fixed up, it still
+seems worthwhile to bring intel-iommu in line with other DMA API
+implementations in handling this robustly.
+
+To that end, fix the intel_map_sg() path to line up the mapping
+correctly (in units of MM pages rather than VT-d pages to match the
+aligned_nrpages() calculation) regardless of the offset, and use
+sg_phys() consistently for clarity.
+
+Reported-by: Harsh Jain <Harsh@chelsio.com>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Reviewed by: Ashok Raj <ashok.raj@intel.com>
+Tested by: Jacob Pan <jacob.jun.pan@intel.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/intel-iommu.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -2254,10 +2254,12 @@ static int __domain_mapping(struct dmar_
+               uint64_t tmp;
+               if (!sg_res) {
++                      unsigned int pgoff = sg->offset & ~PAGE_MASK;
++
+                       sg_res = aligned_nrpages(sg->offset, sg->length);
+-                      sg->dma_address = ((dma_addr_t)iov_pfn << VTD_PAGE_SHIFT) + sg->offset;
++                      sg->dma_address = ((dma_addr_t)iov_pfn << VTD_PAGE_SHIFT) + pgoff;
+                       sg->dma_length = sg->length;
+-                      pteval = page_to_phys(sg_page(sg)) | prot;
++                      pteval = (sg_phys(sg) - pgoff) | prot;
+                       phys_pfn = pteval >> VTD_PAGE_SHIFT;
+               }
+@@ -3790,7 +3792,7 @@ static int intel_nontranslate_map_sg(str
+       for_each_sg(sglist, sg, nelems, i) {
+               BUG_ON(!sg_page(sg));
+-              sg->dma_address = page_to_phys(sg_page(sg)) + sg->offset;
++              sg->dma_address = sg_phys(sg);
+               sg->dma_length = sg->length;
+       }
+       return nelems;
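Review bot: In __domain_mapping the new `pgoff` is masked with `~PAGE_MASK` (MM page) on one line while `sg->dma_address` on the next is built from `iov_pfn << VTD_PAGE_SHIFT` (VT-d page); the commit message explains this is deliberate so the mapping lines up with the aligned_nrpages() accounting, but the code itself carries no hint and two page sizes on adjacent lines will look like a mistake to the next reader. Suggest above the `pgoff` declaration: `/* MM-page offset, matching aligned_nrpages(); the PTE base below is sg_phys() rounded down by the same amount */`. This presumably relies on VTD_PAGE_SIZE dividing PAGE_SIZE so that the rounded-down base is still VT-d aligned — worth stating in that comment if so. __domain_mapping's body starts and ends outside the hunk.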
diff --git a/queue-4.14/isa-prevent-null-dereference-in-isa_bus-driver-callbacks.patch b/queue-4.14/isa-prevent-null-dereference-in-isa_bus-driver-callbacks.patch
new file mode 100644 (file)
index 0000000..455d4c7
--- /dev/null
@@ -0,0 +1,76 @@
+From 5a244727f428a06634f22bb890e78024ab0c89f3 Mon Sep 17 00:00:00 2001
+From: William Breathitt Gray <vilhelm.gray@gmail.com>
+Date: Wed, 8 Nov 2017 10:23:11 -0500
+Subject: isa: Prevent NULL dereference in isa_bus driver callbacks
+
+From: William Breathitt Gray <vilhelm.gray@gmail.com>
+
+commit 5a244727f428a06634f22bb890e78024ab0c89f3 upstream.
+
+The isa_driver structure for an isa_bus device is stored in the device
+platform_data member of the respective device structure. This
+platform_data member may be reset to NULL if isa_driver match callback
+for the device fails, indicating a device unsupported by the ISA driver.
+
+This patch fixes a possible NULL pointer dereference if one of the
+isa_driver callbacks to attempted for an unsupported device. This error
+should not occur in practice since ISA devices are typically manually
+configured and loaded by the users, but we may as well prevent this
+error from popping up for the 0day testers.
+
+Fixes: a5117ba7da37 ("[PATCH] Driver model: add ISA bus")
+Signed-off-by: William Breathitt Gray <vilhelm.gray@gmail.com>
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/isa.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/base/isa.c
++++ b/drivers/base/isa.c
+@@ -39,7 +39,7 @@ static int isa_bus_probe(struct device *
+ {
+       struct isa_driver *isa_driver = dev->platform_data;
+-      if (isa_driver->probe)
++      if (isa_driver && isa_driver->probe)
+               return isa_driver->probe(dev, to_isa_dev(dev)->id);
+       return 0;
+@@ -49,7 +49,7 @@ static int isa_bus_remove(struct device
+ {
+       struct isa_driver *isa_driver = dev->platform_data;
+-      if (isa_driver->remove)
++      if (isa_driver && isa_driver->remove)
+               return isa_driver->remove(dev, to_isa_dev(dev)->id);
+       return 0;
+@@ -59,7 +59,7 @@ static void isa_bus_shutdown(struct devi
+ {
+       struct isa_driver *isa_driver = dev->platform_data;
+-      if (isa_driver->shutdown)
++      if (isa_driver && isa_driver->shutdown)
+               isa_driver->shutdown(dev, to_isa_dev(dev)->id);
+ }
+@@ -67,7 +67,7 @@ static int isa_bus_suspend(struct device
+ {
+       struct isa_driver *isa_driver = dev->platform_data;
+-      if (isa_driver->suspend)
++      if (isa_driver && isa_driver->suspend)
+               return isa_driver->suspend(dev, to_isa_dev(dev)->id, state);
+       return 0;
+@@ -77,7 +77,7 @@ static int isa_bus_resume(struct device
+ {
+       struct isa_driver *isa_driver = dev->platform_data;
+-      if (isa_driver->resume)
++      if (isa_driver && isa_driver->resume)
+               return isa_driver->resume(dev, to_isa_dev(dev)->id);
+       return 0;
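Review bot: The `isa_driver && isa_driver->...` guards added in isa_bus_probe, isa_bus_remove, isa_bus_shutdown, isa_bus_suspend and isa_bus_resume silently turn an unsupported device into a no-op, but nothing in the code records why `dev->platform_data` can be NULL here; the reason is only in the commit description. A comment at the first site, isa_bus_probe, would anchor it: `/* platform_data is cleared when the driver's match callback rejects the device */`. The same pattern is repeated five times; for a stable backport that repetition is acceptable, but one comment explaining the NULL case is still warranted.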
diff --git a/queue-4.14/iwlwifi-add-new-cards-for-9260-and-22000-series.patch b/queue-4.14/iwlwifi-add-new-cards-for-9260-and-22000-series.patch
new file mode 100644 (file)
index 0000000..7a14445
--- /dev/null
@@ -0,0 +1,37 @@
+From 567deca8e72df3ceb6c07c63f8541a4928f64d3b Mon Sep 17 00:00:00 2001
+From: Ihab Zhaika <ihab.zhaika@intel.com>
+Date: Thu, 16 Nov 2017 09:29:19 +0200
+Subject: iwlwifi: add new cards for 9260 and 22000 series
+
+From: Ihab Zhaika <ihab.zhaika@intel.com>
+
+commit 567deca8e72df3ceb6c07c63f8541a4928f64d3b upstream.
+
+add 1 PCI ID for 9260 series and 1 for 22000 series.
+
+Signed-off-by: Ihab Zhaika <ihab.zhaika@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/drv.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -551,6 +551,7 @@ static const struct pci_device_id iwl_hw
+       {IWL_PCI_DEVICE(0x271B, 0x0014, iwl9160_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x271B, 0x0210, iwl9160_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x271B, 0x0214, iwl9260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x271C, 0x0214, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x2720, 0x0034, iwl9560_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x2720, 0x0038, iwl9560_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x2720, 0x003C, iwl9560_2ac_cfg)},
+@@ -662,6 +663,7 @@ static const struct pci_device_id iwl_hw
+       {IWL_PCI_DEVICE(0x2720, 0x0310, iwla000_2ac_cfg_hr_cdb)},
+       {IWL_PCI_DEVICE(0x40C0, 0x0000, iwla000_2ax_cfg_hr)},
+       {IWL_PCI_DEVICE(0x40C0, 0x0A10, iwla000_2ax_cfg_hr)},
++      {IWL_PCI_DEVICE(0xA0F0, 0x0000, iwla000_2ax_cfg_hr)},
+ #endif /* CONFIG_IWLMVM */
diff --git a/queue-4.14/iwlwifi-mvm-don-t-use-transmit-queue-hang-detection-when-it-is-not-possible.patch b/queue-4.14/iwlwifi-mvm-don-t-use-transmit-queue-hang-detection-when-it-is-not-possible.patch
new file mode 100644 (file)
index 0000000..b72d3b5
--- /dev/null
@@ -0,0 +1,58 @@
+From 0b9832b712d6767d6c7b01965fd788d1ca84fc92 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Mon, 13 Nov 2017 09:50:47 +0200
+Subject: iwlwifi: mvm: don't use transmit queue hang detection when it is not possible
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 0b9832b712d6767d6c7b01965fd788d1ca84fc92 upstream.
+
+When we act as an AP, new firmware versions handle
+internally the power saving clients and the driver doesn't
+know that the peers went to sleep. It is, hence, possible
+that a peer goes to sleep for a long time and stop pulling
+frames. This will cause its transmit queue to hang which is
+a condition that triggers the recovery flow in the driver.
+
+While this client is certainly buggy (it should have pulled
+the frame based on the TIM IE in the beacon), we can't blow
+up because of a buggy client.
+
+Change the current implementation to not enable the
+transmit queue hang detection on queues that serve peers
+when we act as an AP / GO.
+
+We can still enable this mechanism using the debug
+configuration which can come in handy when we want to
+debug why the client doesn't wake up.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/utils.c |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/utils.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/utils.c
+@@ -1143,9 +1143,18 @@ unsigned int iwl_mvm_get_wd_timeout(stru
+       unsigned int default_timeout =
+               cmd_q ? IWL_DEF_WD_TIMEOUT : mvm->cfg->base_params->wd_timeout;
+-      if (!iwl_fw_dbg_trigger_enabled(mvm->fw, FW_DBG_TRIGGER_TXQ_TIMERS))
++      if (!iwl_fw_dbg_trigger_enabled(mvm->fw, FW_DBG_TRIGGER_TXQ_TIMERS)) {
++              /*
++               * We can't know when the station is asleep or awake, so we
++               * must disable the queue hang detection.
++               */
++              if (fw_has_capa(&mvm->fw->ucode_capa,
++                              IWL_UCODE_TLV_CAPA_STA_PM_NOTIF) &&
++                  vif && vif->type == NL80211_IFTYPE_AP)
++                      return IWL_WATCHDOG_DISABLED;
+               return iwlmvm_mod_params.tfd_q_hang_detect ?
+                       default_timeout : IWL_WATCHDOG_DISABLED;
++      }
+       trigger = iwl_fw_dbg_get_trigger(mvm->fw, FW_DBG_TRIGGER_TXQ_TIMERS);
+       txq_timer = (void *)trigger->data;
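Review bot: The new early return in iwl_mvm_get_wd_timeout keys only on `vif->type == NL80211_IFTYPE_AP`, so hang detection is disabled for every queue attached to an AP/GO vif, not only the queues that serve a peer station as the description says; if that widening is intended, the comment should say so rather than leaving the reader to reconcile the two. Suggest replacing the three-line comment with one that names the condition and the scope: `/* With STA_PM_NOTIF the firmware tracks client power save and the driver cannot tell a sleeping peer from a stuck queue, so disable hang detection for all queues of an AP vif. */`. The return also bypasses the `tfd_q_hang_detect` module parameter on this path, which reads as intended given the description but is worth a word in the same comment. The function's body continues past the hunk.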
diff --git a/queue-4.14/iwlwifi-mvm-enable-rx-offloading-with-tkip-and-wep.patch b/queue-4.14/iwlwifi-mvm-enable-rx-offloading-with-tkip-and-wep.patch
new file mode 100644 (file)
index 0000000..be0f471
--- /dev/null
@@ -0,0 +1,77 @@
+From 9d0fc5a50a0548f8e5d61243e5e5f26d5c405aef Mon Sep 17 00:00:00 2001
+From: David Spinadel <david.spinadel@intel.com>
+Date: Mon, 21 Nov 2016 17:01:25 +0200
+Subject: iwlwifi: mvm: enable RX offloading with TKIP and WEP
+
+From: David Spinadel <david.spinadel@intel.com>
+
+commit 9d0fc5a50a0548f8e5d61243e5e5f26d5c405aef upstream.
+
+Set the flag that indicates that ICV was stripped on if
+this option was enabled in the HW.
+
+[this is needed for the 9000-series HW to work properly]
+Signed-off-by: David Spinadel <david.spinadel@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/iwl-trans.h |    4 +++-
+ drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c  |   12 +++++++++---
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-trans.h
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-trans.h
+@@ -117,6 +117,7 @@
+ #define FH_RSCSR_FRAME_INVALID                0x55550000
+ #define FH_RSCSR_FRAME_ALIGN          0x40
+ #define FH_RSCSR_RPA_EN                       BIT(25)
++#define FH_RSCSR_RADA_EN              BIT(26)
+ #define FH_RSCSR_RXQ_POS              16
+ #define FH_RSCSR_RXQ_MASK             0x3F0000
+@@ -128,7 +129,8 @@ struct iwl_rx_packet {
+        * 31:    flag flush RB request
+        * 30:    flag ignore TC (terminal counter) request
+        * 29:    flag fast IRQ request
+-       * 28-26: Reserved
++       * 28-27: Reserved
++       * 26:    RADA enabled
+        * 25:    Offload enabled
+        * 24:    RPF enabled
+        * 23:    RSS enabled
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+@@ -232,8 +232,8 @@ static void iwl_mvm_get_signal_strength(
+ static int iwl_mvm_rx_crypto(struct iwl_mvm *mvm, struct ieee80211_hdr *hdr,
+                            struct ieee80211_rx_status *stats,
+-                           struct iwl_rx_mpdu_desc *desc, int queue,
+-                           u8 *crypt_len)
++                           struct iwl_rx_mpdu_desc *desc, u32 pkt_flags,
++                           int queue, u8 *crypt_len)
+ {
+       u16 status = le16_to_cpu(desc->status);
+@@ -272,6 +272,10 @@ static int iwl_mvm_rx_crypto(struct iwl_
+               if ((status & IWL_RX_MPDU_STATUS_SEC_MASK) ==
+                               IWL_RX_MPDU_STATUS_SEC_WEP)
+                       *crypt_len = IEEE80211_WEP_IV_LEN;
++
++              if (pkt_flags & FH_RSCSR_RADA_EN)
++                      stats->flag |= RX_FLAG_ICV_STRIPPED;
++
+               return 0;
+       case IWL_RX_MPDU_STATUS_SEC_EXT_ENC:
+               if (!(status & IWL_RX_MPDU_STATUS_MIC_OK))
+@@ -812,7 +816,9 @@ void iwl_mvm_rx_mpdu_mq(struct iwl_mvm *
+       rx_status = IEEE80211_SKB_RXCB(skb);
+-      if (iwl_mvm_rx_crypto(mvm, hdr, rx_status, desc, queue, &crypt_len)) {
++      if (iwl_mvm_rx_crypto(mvm, hdr, rx_status, desc,
++                            le32_to_cpu(pkt->len_n_flags), queue,
++                            &crypt_len)) {
+               kfree_skb(skb);
+               return;
+       }
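Review bot: In iwl_mvm_rx_crypto the WEP/TKIP path now sets `RX_FLAG_ICV_STRIPPED` purely from the `FH_RSCSR_RADA_EN` packet flag; that flag tells mac80211 to skip its own ICV check, which is only sound if the hardware verified the ICV before stripping it, and the hunk shows no per-frame status gate on this path (whether one precedes the hunk inside the same `case` is not visible). A comment would pin the assumption for the next reader: `/* RADA offload verified and stripped the ICV; mac80211 must not check it again */`. If the status word carries a per-frame result for this case, gating the flag on it, as the EXT_ENC case below does with `IWL_RX_MPDU_STATUS_MIC_OK`, would be the stronger guard. iwl_mvm_rx_crypto's body starts and ends outside the hunk.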
diff --git a/queue-4.14/iwlwifi-mvm-fix-packet-injection.patch b/queue-4.14/iwlwifi-mvm-fix-packet-injection.patch
new file mode 100644 (file)
index 0000000..4217401
--- /dev/null
@@ -0,0 +1,202 @@
+From b13f43a48571f0cd0fda271b5046b65f1f268db5 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Sun, 19 Nov 2017 10:35:14 +0200
+Subject: iwlwifi: mvm: fix packet injection
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit b13f43a48571f0cd0fda271b5046b65f1f268db5 upstream.
+
+We need to have a station and a queue for the monitor
+interface to be able to inject traffic. We used to have
+this traffic routed to the auxiliary queue, but this queue
+isn't scheduled for the station we had linked to the
+monitor vif.
+
+Allocate a new queue, link it to the monitor vif's station
+and make that queue use the BE fifo.
+
+This fixes https://bugzilla.kernel.org/show_bug.cgi?id=196715
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/fw/api/txq.h   |    4 +
+ drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c |    2 
+ drivers/net/wireless/intel/iwlwifi/mvm/mvm.h      |    1 
+ drivers/net/wireless/intel/iwlwifi/mvm/ops.c      |    1 
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.c      |   53 ++++++++++++++++------
+ drivers/net/wireless/intel/iwlwifi/mvm/tx.c       |    3 -
+ 6 files changed, 49 insertions(+), 15 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/fw/api/txq.h
++++ b/drivers/net/wireless/intel/iwlwifi/fw/api/txq.h
+@@ -68,6 +68,9 @@
+  * @IWL_MVM_DQA_CMD_QUEUE: a queue reserved for sending HCMDs to the FW
+  * @IWL_MVM_DQA_AUX_QUEUE: a queue reserved for aux frames
+  * @IWL_MVM_DQA_P2P_DEVICE_QUEUE: a queue reserved for P2P device frames
++ * @IWL_MVM_DQA_INJECT_MONITOR_QUEUE: a queue reserved for injection using
++ *    monitor mode. Note this queue is the same as the queue for P2P device
++ *    but we can't have active monitor mode along with P2P device anyway.
+  * @IWL_MVM_DQA_GCAST_QUEUE: a queue reserved for P2P GO/SoftAP GCAST frames
+  * @IWL_MVM_DQA_BSS_CLIENT_QUEUE: a queue reserved for BSS activity, to ensure
+  *    that we are never left without the possibility to connect to an AP.
+@@ -87,6 +90,7 @@ enum iwl_mvm_dqa_txq {
+       IWL_MVM_DQA_CMD_QUEUE = 0,
+       IWL_MVM_DQA_AUX_QUEUE = 1,
+       IWL_MVM_DQA_P2P_DEVICE_QUEUE = 2,
++      IWL_MVM_DQA_INJECT_MONITOR_QUEUE = 2,
+       IWL_MVM_DQA_GCAST_QUEUE = 3,
+       IWL_MVM_DQA_BSS_CLIENT_QUEUE = 4,
+       IWL_MVM_DQA_MIN_MGMT_QUEUE = 5,
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c
+@@ -787,7 +787,7 @@ static int iwl_mvm_mac_ctxt_cmd_listener
+                                        u32 action)
+ {
+       struct iwl_mac_ctx_cmd cmd = {};
+-      u32 tfd_queue_msk = 0;
++      u32 tfd_queue_msk = BIT(mvm->snif_queue);
+       int ret;
+       WARN_ON(vif->type != NL80211_IFTYPE_MONITOR);
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+@@ -954,6 +954,7 @@ struct iwl_mvm {
+       /* Tx queues */
+       u16 aux_queue;
++      u16 snif_queue;
+       u16 probe_queue;
+       u16 p2p_dev_queue;
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+@@ -622,6 +622,7 @@ iwl_op_mode_mvm_start(struct iwl_trans *
+       mvm->fw_restart = iwlwifi_mod_params.fw_restart ? -1 : 0;
+       mvm->aux_queue = IWL_MVM_DQA_AUX_QUEUE;
++      mvm->snif_queue = IWL_MVM_DQA_INJECT_MONITOR_QUEUE;
+       mvm->probe_queue = IWL_MVM_DQA_AP_PROBE_RESP_QUEUE;
+       mvm->p2p_dev_queue = IWL_MVM_DQA_P2P_DEVICE_QUEUE;
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -1700,29 +1700,29 @@ void iwl_mvm_dealloc_int_sta(struct iwl_
+       sta->sta_id = IWL_MVM_INVALID_STA;
+ }
+-static void iwl_mvm_enable_aux_queue(struct iwl_mvm *mvm)
++static void iwl_mvm_enable_aux_snif_queue(struct iwl_mvm *mvm, u16 *queue,
++                                        u8 sta_id, u8 fifo)
+ {
+       unsigned int wdg_timeout = iwlmvm_mod_params.tfd_q_hang_detect ?
+                                       mvm->cfg->base_params->wd_timeout :
+                                       IWL_WATCHDOG_DISABLED;
+       if (iwl_mvm_has_new_tx_api(mvm)) {
+-              int queue = iwl_mvm_tvqm_enable_txq(mvm, mvm->aux_queue,
+-                                                  mvm->aux_sta.sta_id,
+-                                                  IWL_MAX_TID_COUNT,
+-                                                  wdg_timeout);
+-              mvm->aux_queue = queue;
++              int tvqm_queue =
++                      iwl_mvm_tvqm_enable_txq(mvm, *queue, sta_id,
++                                              IWL_MAX_TID_COUNT,
++                                              wdg_timeout);
++              *queue = tvqm_queue;
+       } else {
+               struct iwl_trans_txq_scd_cfg cfg = {
+-                      .fifo = IWL_MVM_TX_FIFO_MCAST,
+-                      .sta_id = mvm->aux_sta.sta_id,
++                      .fifo = fifo,
++                      .sta_id = sta_id,
+                       .tid = IWL_MAX_TID_COUNT,
+                       .aggregate = false,
+                       .frame_limit = IWL_FRAME_LIMIT,
+               };
+-              iwl_mvm_enable_txq(mvm, mvm->aux_queue, mvm->aux_queue, 0, &cfg,
+-                                 wdg_timeout);
++              iwl_mvm_enable_txq(mvm, *queue, *queue, 0, &cfg, wdg_timeout);
+       }
+ }
+@@ -1741,7 +1741,9 @@ int iwl_mvm_add_aux_sta(struct iwl_mvm *
+       /* Map Aux queue to fifo - needs to happen before adding Aux station */
+       if (!iwl_mvm_has_new_tx_api(mvm))
+-              iwl_mvm_enable_aux_queue(mvm);
++              iwl_mvm_enable_aux_snif_queue(mvm, &mvm->aux_queue,
++                                            mvm->aux_sta.sta_id,
++                                            IWL_MVM_TX_FIFO_MCAST);
+       ret = iwl_mvm_add_int_sta_common(mvm, &mvm->aux_sta, NULL,
+                                        MAC_INDEX_AUX, 0);
+@@ -1755,7 +1757,9 @@ int iwl_mvm_add_aux_sta(struct iwl_mvm *
+        * to firmware so enable queue here - after the station was added
+        */
+       if (iwl_mvm_has_new_tx_api(mvm))
+-              iwl_mvm_enable_aux_queue(mvm);
++              iwl_mvm_enable_aux_snif_queue(mvm, &mvm->aux_queue,
++                                            mvm->aux_sta.sta_id,
++                                            IWL_MVM_TX_FIFO_MCAST);
+       return 0;
+ }
+@@ -1763,10 +1767,31 @@ int iwl_mvm_add_aux_sta(struct iwl_mvm *
+ int iwl_mvm_add_snif_sta(struct iwl_mvm *mvm, struct ieee80211_vif *vif)
+ {
+       struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif);
++      int ret;
+       lockdep_assert_held(&mvm->mutex);
+-      return iwl_mvm_add_int_sta_common(mvm, &mvm->snif_sta, vif->addr,
++
++      /* Map snif queue to fifo - must happen before adding snif station */
++      if (!iwl_mvm_has_new_tx_api(mvm))
++              iwl_mvm_enable_aux_snif_queue(mvm, &mvm->snif_queue,
++                                            mvm->snif_sta.sta_id,
++                                            IWL_MVM_TX_FIFO_BE);
++
++      ret = iwl_mvm_add_int_sta_common(mvm, &mvm->snif_sta, vif->addr,
+                                        mvmvif->id, 0);
++      if (ret)
++              return ret;
++
++      /*
++       * For 22000 firmware and on we cannot add queue to a station unknown
++       * to firmware so enable queue here - after the station was added
++       */
++      if (iwl_mvm_has_new_tx_api(mvm))
++              iwl_mvm_enable_aux_snif_queue(mvm, &mvm->snif_queue,
++                                            mvm->snif_sta.sta_id,
++                                            IWL_MVM_TX_FIFO_BE);
++
++      return 0;
+ }
+ int iwl_mvm_rm_snif_sta(struct iwl_mvm *mvm, struct ieee80211_vif *vif)
+@@ -1775,6 +1800,8 @@ int iwl_mvm_rm_snif_sta(struct iwl_mvm *
+       lockdep_assert_held(&mvm->mutex);
++      iwl_mvm_disable_txq(mvm, mvm->snif_queue, mvm->snif_queue,
++                          IWL_MAX_TID_COUNT, 0);
+       ret = iwl_mvm_rm_sta_common(mvm, mvm->snif_sta.sta_id);
+       if (ret)
+               IWL_WARN(mvm, "Failed sending remove station\n");
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+@@ -657,7 +657,8 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mv
+                       if (ap_sta_id != IWL_MVM_INVALID_STA)
+                               sta_id = ap_sta_id;
+               } else if (info.control.vif->type == NL80211_IFTYPE_MONITOR) {
+-                      queue = mvm->aux_queue;
++                      queue = mvm->snif_queue;
++                      sta_id = mvm->snif_sta.sta_id;
+               }
+       }
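Review bot: In iwl_mvm_add_snif_sta the legacy-API path enables the sniffer queue before `iwl_mvm_add_int_sta_common()`, but the `if (ret) return ret;` that follows leaves that queue enabled when the station add fails; the matching `iwl_mvm_disable_txq()` lives only in iwl_mvm_rm_snif_sta, which a caller that saw the add fail may never reach. Undoing the queue mapping on the error path keeps add and remove symmetric. Separately, `IWL_MVM_DQA_INJECT_MONITOR_QUEUE = 2` aliases `IWL_MVM_DQA_P2P_DEVICE_QUEUE`; the kernel-doc states the two modes cannot be active together, but nothing in the hunks enforces it, so that comment is the only guard against both users sharing queue 2.
```c
	ret = iwl_mvm_add_int_sta_common(mvm, &mvm->snif_sta, vif->addr,
					 mvmvif->id, 0);
	if (ret) {
		/* undo the queue mapping done above for the legacy TX API */
		if (!iwl_mvm_has_new_tx_api(mvm))
			iwl_mvm_disable_txq(mvm, mvm->snif_queue, mvm->snif_queue,
					    IWL_MAX_TID_COUNT, 0);
		return ret;
	}
	/* … unchanged: new-TX-API queue enable and return 0 … */
```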
diff --git a/queue-4.14/iwlwifi-mvm-flush-queue-before-deleting-roc.patch b/queue-4.14/iwlwifi-mvm-flush-queue-before-deleting-roc.patch
new file mode 100644 (file)
index 0000000..8764fae
--- /dev/null
@@ -0,0 +1,83 @@
+From 6c2d49fdc5d947c5fe89935bd52e69f10000f4cb Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 13 Nov 2017 17:26:09 +0100
+Subject: iwlwifi: mvm: flush queue before deleting ROC
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 6c2d49fdc5d947c5fe89935bd52e69f10000f4cb upstream.
+
+Before deleting a time event (remain-on-channel instance), flush
+the queue so that frames cannot get stuck on it. We already flush
+the AUX STA queues, but a separate station is used for the P2P
+Device queue.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mvm.h        |    2 +
+ drivers/net/wireless/intel/iwlwifi/mvm/time-event.c |   24 ++++++++++++++++++--
+ 2 files changed, 24 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+@@ -1042,6 +1042,7 @@ struct iwl_mvm {
+  * @IWL_MVM_STATUS_ROC_AUX_RUNNING: AUX remain-on-channel is running
+  * @IWL_MVM_STATUS_D3_RECONFIG: D3 reconfiguration is being done
+  * @IWL_MVM_STATUS_FIRMWARE_RUNNING: firmware is running
++ * @IWL_MVM_STATUS_NEED_FLUSH_P2P: need to flush P2P bcast STA
+  */
+ enum iwl_mvm_status {
+       IWL_MVM_STATUS_HW_RFKILL,
+@@ -1053,6 +1054,7 @@ enum iwl_mvm_status {
+       IWL_MVM_STATUS_ROC_AUX_RUNNING,
+       IWL_MVM_STATUS_D3_RECONFIG,
+       IWL_MVM_STATUS_FIRMWARE_RUNNING,
++      IWL_MVM_STATUS_NEED_FLUSH_P2P,
+ };
+ /* Keep track of completed init configuration */
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
+@@ -132,6 +132,24 @@ void iwl_mvm_roc_done_wk(struct work_str
+        * executed, and a new time event means a new command.
+        */
+       iwl_mvm_flush_sta(mvm, &mvm->aux_sta, true, CMD_ASYNC);
++
++      /* Do the same for the P2P device queue (STA) */
++      if (test_and_clear_bit(IWL_MVM_STATUS_NEED_FLUSH_P2P, &mvm->status)) {
++              struct iwl_mvm_vif *mvmvif;
++
++              /*
++               * NB: access to this pointer would be racy, but the flush bit
++               * can only be set when we had a P2P-Device VIF, and we have a
++               * flush of this work in iwl_mvm_prepare_mac_removal() so it's
++               * not really racy.
++               */
++
++              if (!WARN_ON(!mvm->p2p_device_vif)) {
++                      mvmvif = iwl_mvm_vif_from_mac80211(mvm->p2p_device_vif);
++                      iwl_mvm_flush_sta(mvm, &mvmvif->bcast_sta, true,
++                                        CMD_ASYNC);
++              }
++      }
+ }
+ static void iwl_mvm_roc_finished(struct iwl_mvm *mvm)
+@@ -855,10 +873,12 @@ void iwl_mvm_stop_roc(struct iwl_mvm *mv
+       mvmvif = iwl_mvm_vif_from_mac80211(te_data->vif);
+-      if (te_data->vif->type == NL80211_IFTYPE_P2P_DEVICE)
++      if (te_data->vif->type == NL80211_IFTYPE_P2P_DEVICE) {
+               iwl_mvm_remove_time_event(mvm, mvmvif, te_data);
+-      else
++              set_bit(IWL_MVM_STATUS_NEED_FLUSH_P2P, &mvm->status);
++      } else {
+               iwl_mvm_remove_aux_roc_te(mvm, mvmvif, te_data);
++      }
+       iwl_mvm_roc_finished(mvm);
+ }
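Review bot: The new IWL_MVM_STATUS_NEED_FLUSH_P2P kerneldoc line says only `need to flush P2P bcast STA`; since the bit is set in iwl_mvm_stop_roc and consumed with test_and_clear_bit() in iwl_mvm_roc_done_wk, the header comment should name that producer/consumer pair so the next reader does not have to find it in time-event.c. Suggested text: ` * @IWL_MVM_STATUS_NEED_FLUSH_P2P: P2P-Device bcast STA queue must be flushed by the ROC-done work (set by iwl_mvm_stop_roc)`. The flush of the P2P bcast station is issued with CMD_ASYNC like the AUX flush above it, so the ordering guarantee relied on here presumably comes from the work flush in iwl_mvm_prepare_mac_removal() that the in-code comment cites, which is outside this hunk.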
diff --git a/queue-4.14/iwlwifi-mvm-mark-mic-stripped-mpdus.patch b/queue-4.14/iwlwifi-mvm-mark-mic-stripped-mpdus.patch
new file mode 100644 (file)
index 0000000..3e56822
--- /dev/null
@@ -0,0 +1,32 @@
+From bf19037074e770aad74b3b90f37b8b98db3f3748 Mon Sep 17 00:00:00 2001
+From: Sara Sharon <sara.sharon@intel.com>
+Date: Mon, 8 Feb 2016 23:30:47 +0200
+Subject: iwlwifi: mvm: mark MIC stripped MPDUs
+
+From: Sara Sharon <sara.sharon@intel.com>
+
+commit bf19037074e770aad74b3b90f37b8b98db3f3748 upstream.
+
+When RADA is active, the hardware decrypts the packets and strips off
+the MIC as it is useless after decryption. Indicate that to mac80211.
+
+[this is needed for the 9000-series HW to work properly]
+Signed-off-by: Sara Sharon <sara.sharon@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+@@ -253,6 +253,8 @@ static int iwl_mvm_rx_crypto(struct iwl_
+                       return -1;
+               stats->flag |= RX_FLAG_DECRYPTED;
++              if (pkt_flags & FH_RSCSR_RADA_EN)
++                      stats->flag |= RX_FLAG_MIC_STRIPPED;
+               *crypt_len = IEEE80211_CCMP_HDR_LEN;
+               return 0;
+       case IWL_RX_MPDU_STATUS_SEC_TKIP:
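Review bot: RX_FLAG_MIC_STRIPPED is set only on the CCMP path here (the branch that sets `*crypt_len = IEEE80211_CCMP_HDR_LEN`); the IWL_RX_MPDU_STATUS_SEC_TKIP case that starts on the hunk's last line, and any GCMP case outside the hunk, get no equivalent marking. If the hardware also strips the MIC for those ciphers when RADA is active, mac80211 would be told the MIC is still present and the frame length accounting would be off, so either add the same two lines there or document why it is CCMP-specific with a comment such as `/* RADA strips the MIC only for CCMP; other ciphers keep it */`. `pkt_flags` is not declared within the hunk, so I assume it is a parameter or local of iwl_mvm_rx_crypto() that already carries the FH_RSCSR_* bits.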
diff --git a/queue-4.14/kdb-fix-handling-of-kallsyms_symbol_next-return-value.patch b/queue-4.14/kdb-fix-handling-of-kallsyms_symbol_next-return-value.patch
new file mode 100644 (file)
index 0000000..3f6e264
--- /dev/null
@@ -0,0 +1,36 @@
+From c07d35338081d107e57cf37572d8cc931a8e32e2 Mon Sep 17 00:00:00 2001
+From: Daniel Thompson <daniel.thompson@linaro.org>
+Date: Mon, 2 Mar 2015 14:13:36 +0000
+Subject: kdb: Fix handling of kallsyms_symbol_next() return value
+
+From: Daniel Thompson <daniel.thompson@linaro.org>
+
+commit c07d35338081d107e57cf37572d8cc931a8e32e2 upstream.
+
+kallsyms_symbol_next() returns a boolean (true on success). Currently
+kdb_read() tests the return value with an inequality that
+unconditionally evaluates to true.
+
+This is fixed in the obvious way and, since the conditional branch is
+supposed to be unreachable, we also add a WARN_ON().
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/debug/kdb/kdb_io.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/debug/kdb/kdb_io.c
++++ b/kernel/debug/kdb/kdb_io.c
+@@ -350,7 +350,7 @@ poll_again:
+                       }
+                       kdb_printf("\n");
+                       for (i = 0; i < count; i++) {
+-                              if (kallsyms_symbol_next(p_tmp, i) < 0)
++                              if (WARN_ON(!kallsyms_symbol_next(p_tmp, i)))
+                                       break;
+                               kdb_printf("%s ", p_tmp);
+                               *(p_tmp + len) = '\0';
diff --git a/queue-4.14/keys-add-missing-permission-check-for-request_key-destination.patch b/queue-4.14/keys-add-missing-permission-check-for-request_key-destination.patch
new file mode 100644 (file)
index 0000000..c54895a
--- /dev/null
@@ -0,0 +1,159 @@
+From 4dca6ea1d9432052afb06baf2e3ae78188a4410b Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 8 Dec 2017 15:13:27 +0000
+Subject: KEYS: add missing permission check for request_key() destination
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 4dca6ea1d9432052afb06baf2e3ae78188a4410b upstream.
+
+When the request_key() syscall is not passed a destination keyring, it
+links the requested key (if constructed) into the "default" request-key
+keyring.  This should require Write permission to the keyring.  However,
+there is actually no permission check.
+
+This can be abused to add keys to any keyring to which only Search
+permission is granted.  This is because Search permission allows joining
+the keyring.  keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_SESSION_KEYRING)
+then will set the default request-key keyring to the session keyring.
+Then, request_key() can be used to add keys to the keyring.
+
+Both negatively and positively instantiated keys can be added using this
+method.  Adding negative keys is trivial.  Adding a positive key is a
+bit trickier.  It requires that either /sbin/request-key positively
+instantiates the key, or that another thread adds the key to the process
+keyring at just the right time, such that request_key() misses it
+initially but then finds it in construct_alloc_key().
+
+Fix this bug by checking for Write permission to the keyring in
+construct_get_dest_keyring() when the default keyring is being used.
+
+We don't do the permission check for non-default keyrings because that
+was already done by the earlier call to lookup_user_key().  Also,
+request_key_and_link() is currently passed a 'struct key *' rather than
+a key_ref_t, so the "possessed" bit is unavailable.
+
+We also don't do the permission check for the "requestor keyring", to
+continue to support the use case described by commit 8bbf4976b59f
+("KEYS: Alter use of key instantiation link-to-keyring argument") where
+/sbin/request-key recursively calls request_key() to add keys to the
+original requestor's destination keyring.  (I don't know of any users
+who actually do that, though...)
+
+Fixes: 3e30148c3d52 ("[PATCH] Keys: Make request-key create an authorisation key")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/keys/request_key.c |   46 +++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 37 insertions(+), 9 deletions(-)
+
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -251,11 +251,12 @@ static int construct_key(struct key *key
+  * The keyring selected is returned with an extra reference upon it which the
+  * caller must release.
+  */
+-static void construct_get_dest_keyring(struct key **_dest_keyring)
++static int construct_get_dest_keyring(struct key **_dest_keyring)
+ {
+       struct request_key_auth *rka;
+       const struct cred *cred = current_cred();
+       struct key *dest_keyring = *_dest_keyring, *authkey;
++      int ret;
+       kenter("%p", dest_keyring);
+@@ -264,6 +265,8 @@ static void construct_get_dest_keyring(s
+               /* the caller supplied one */
+               key_get(dest_keyring);
+       } else {
++              bool do_perm_check = true;
++
+               /* use a default keyring; falling through the cases until we
+                * find one that we actually have */
+               switch (cred->jit_keyring) {
+@@ -278,8 +281,10 @@ static void construct_get_dest_keyring(s
+                                       dest_keyring =
+                                               key_get(rka->dest_keyring);
+                               up_read(&authkey->sem);
+-                              if (dest_keyring)
++                              if (dest_keyring) {
++                                      do_perm_check = false;
+                                       break;
++                              }
+                       }
+               case KEY_REQKEY_DEFL_THREAD_KEYRING:
+@@ -314,11 +319,29 @@ static void construct_get_dest_keyring(s
+               default:
+                       BUG();
+               }
++
++              /*
++               * Require Write permission on the keyring.  This is essential
++               * because the default keyring may be the session keyring, and
++               * joining a keyring only requires Search permission.
++               *
++               * However, this check is skipped for the "requestor keyring" so
++               * that /sbin/request-key can itself use request_key() to add
++               * keys to the original requestor's destination keyring.
++               */
++              if (dest_keyring && do_perm_check) {
++                      ret = key_permission(make_key_ref(dest_keyring, 1),
++                                           KEY_NEED_WRITE);
++                      if (ret) {
++                              key_put(dest_keyring);
++                              return ret;
++                      }
++              }
+       }
+       *_dest_keyring = dest_keyring;
+       kleave(" [dk %d]", key_serial(dest_keyring));
+-      return;
++      return 0;
+ }
+ /*
+@@ -444,11 +467,15 @@ static struct key *construct_key_and_lin
+       if (ctx->index_key.type == &key_type_keyring)
+               return ERR_PTR(-EPERM);
+-      user = key_user_lookup(current_fsuid());
+-      if (!user)
+-              return ERR_PTR(-ENOMEM);
++      ret = construct_get_dest_keyring(&dest_keyring);
++      if (ret)
++              goto error;
+-      construct_get_dest_keyring(&dest_keyring);
++      user = key_user_lookup(current_fsuid());
++      if (!user) {
++              ret = -ENOMEM;
++              goto error_put_dest_keyring;
++      }
+       ret = construct_alloc_key(ctx, dest_keyring, flags, user, &key);
+       key_user_put(user);
+@@ -463,7 +490,7 @@ static struct key *construct_key_and_lin
+       } else if (ret == -EINPROGRESS) {
+               ret = 0;
+       } else {
+-              goto couldnt_alloc_key;
++              goto error_put_dest_keyring;
+       }
+       key_put(dest_keyring);
+@@ -473,8 +500,9 @@ static struct key *construct_key_and_lin
+ construction_failed:
+       key_negate_and_link(key, key_negative_timeout, NULL, NULL);
+       key_put(key);
+-couldnt_alloc_key:
++error_put_dest_keyring:
+       key_put(dest_keyring);
++error:
+       kleave(" = %d", ret);
+       return ERR_PTR(ret);
+ }
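Review bot: construct_get_dest_keyring() now returns an int and drops its keyring reference on failure, but the kerneldoc above it (still saying only that the keyring is returned with an extra reference the caller must release) was not updated; add ` * Returns 0 on success, in which case *_dest_keyring holds a reference the caller must drop, or a negative error code (no reference held) if the default keyring denies Write.` The permission check passes `make_key_ref(dest_keyring, 1)`, i.e. it always asserts possession, which the commit message explains is because the possessed bit is unavailable here; a short comment on that line (`/* possession assumed: request_key_and_link() passes a struct key *, not a key_ref_t */`) would keep that reasoning with the code. The reorder in construct_key_and_link() (get the destination keyring before key_user_lookup) is consistent with the new error labels, and error_put_dest_keyring still runs on every failure path after the keyring is acquired.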
diff --git a/queue-4.14/keys-reject-null-restriction-string-when-type-is-specified.patch b/queue-4.14/keys-reject-null-restriction-string-when-type-is-specified.patch
new file mode 100644 (file)
index 0000000..d728090
--- /dev/null
@@ -0,0 +1,89 @@
+From 18026d866801d0c52e5550210563222bd6c7191d Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 8 Dec 2017 15:13:29 +0000
+Subject: KEYS: reject NULL restriction string when type is specified
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 18026d866801d0c52e5550210563222bd6c7191d upstream.
+
+keyctl_restrict_keyring() allows through a NULL restriction when the
+"type" is non-NULL, which causes a NULL pointer dereference in
+asymmetric_lookup_restriction() when it calls strcmp() on the
+restriction string.
+
+But no key types actually use a "NULL restriction" to mean anything, so
+update keyctl_restrict_keyring() to reject it with EINVAL.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Fixes: 97d3aa0f3134 ("KEYS: Add a lookup_restriction function for the asymmetric key type")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/keys/keyctl.c |   24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -1588,9 +1588,8 @@ error_keyring:
+  * The caller must have Setattr permission to change keyring restrictions.
+  *
+  * The requested type name may be a NULL pointer to reject all attempts
+- * to link to the keyring. If _type is non-NULL, _restriction can be
+- * NULL or a pointer to a string describing the restriction. If _type is
+- * NULL, _restriction must also be NULL.
++ * to link to the keyring.  In this case, _restriction must also be NULL.
++ * Otherwise, both _type and _restriction must be non-NULL.
+  *
+  * Returns 0 if successful.
+  */
+@@ -1598,7 +1597,6 @@ long keyctl_restrict_keyring(key_serial_
+                            const char __user *_restriction)
+ {
+       key_ref_t key_ref;
+-      bool link_reject = !_type;
+       char type[32];
+       char *restriction = NULL;
+       long ret;
+@@ -1607,31 +1605,29 @@ long keyctl_restrict_keyring(key_serial_
+       if (IS_ERR(key_ref))
+               return PTR_ERR(key_ref);
++      ret = -EINVAL;
+       if (_type) {
++              if (!_restriction)
++                      goto error;
++
+               ret = key_get_type_from_user(type, _type, sizeof(type));
+               if (ret < 0)
+                       goto error;
+-      }
+-
+-      if (_restriction) {
+-              if (!_type) {
+-                      ret = -EINVAL;
+-                      goto error;
+-              }
+               restriction = strndup_user(_restriction, PAGE_SIZE);
+               if (IS_ERR(restriction)) {
+                       ret = PTR_ERR(restriction);
+                       goto error;
+               }
++      } else {
++              if (_restriction)
++                      goto error;
+       }
+-      ret = keyring_restrict(key_ref, link_reject ? NULL : type, restriction);
++      ret = keyring_restrict(key_ref, _type ? type : NULL, restriction);
+       kfree(restriction);
+-
+ error:
+       key_ref_put(key_ref);
+-
+       return ret;
+ }
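Review bot: The `} else {` / `if (_restriction)` / `goto error;` block at the end of the argument validation can be flattened to `} else if (_restriction) {` followed by `goto error;` without changing behaviour, which also makes the symmetry with the `if (!_restriction) goto error;` check in the _type branch easier to see. `ret = -EINVAL` is set once before the branch and later overwritten by key_get_type_from_user() or PTR_ERR(restriction), so both goto error paths in the validation correctly report EINVAL; a one-line comment such as `/* _type and _restriction must be both NULL or both non-NULL */` above `ret = -EINVAL;` would document the invariant the updated kerneldoc describes.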
diff --git a/queue-4.14/kvm-arm-arm64-fix-broken-gich_elrsr-big-endian-conversion.patch b/queue-4.14/kvm-arm-arm64-fix-broken-gich_elrsr-big-endian-conversion.patch
new file mode 100644 (file)
index 0000000..32b8c6a
--- /dev/null
@@ -0,0 +1,37 @@
+From fc396e066318c0a02208c1d3f0b62950a7714999 Mon Sep 17 00:00:00 2001
+From: Christoffer Dall <christoffer.dall@linaro.org>
+Date: Sun, 3 Dec 2017 23:54:41 +0100
+Subject: KVM: arm/arm64: Fix broken GICH_ELRSR big endian conversion
+
+From: Christoffer Dall <christoffer.dall@linaro.org>
+
+commit fc396e066318c0a02208c1d3f0b62950a7714999 upstream.
+
+We are incorrectly rearranging 32-bit words inside a 64-bit typed value
+for big endian systems, which would result in never marking a virtual
+interrupt as inactive on big endian systems (assuming 32 or fewer LRs on
+the hardware).  Fix this by not doing any word order manipulation for
+the typed values.
+
+Acked-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/arm/hyp/vgic-v2-sr.c |    4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/virt/kvm/arm/hyp/vgic-v2-sr.c
++++ b/virt/kvm/arm/hyp/vgic-v2-sr.c
+@@ -34,11 +34,7 @@ static void __hyp_text save_elrsr(struct
+       else
+               elrsr1 = 0;
+-#ifdef CONFIG_CPU_BIG_ENDIAN
+-      cpu_if->vgic_elrsr = ((u64)elrsr0 << 32) | elrsr1;
+-#else
+       cpu_if->vgic_elrsr = ((u64)elrsr1 << 32) | elrsr0;
+-#endif
+ }
+ static void __hyp_text save_lrs(struct kvm_vcpu *vcpu, void __iomem *base)
diff --git a/queue-4.14/kvm-arm-arm64-vgic-irqfd-fix-msi-entry-allocation.patch b/queue-4.14/kvm-arm-arm64-vgic-irqfd-fix-msi-entry-allocation.patch
new file mode 100644 (file)
index 0000000..6427cd1
--- /dev/null
@@ -0,0 +1,36 @@
+From 150009e2c70cc3c6e97f00e7595055765d32fb85 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Thu, 16 Nov 2017 17:58:15 +0000
+Subject: KVM: arm/arm64: vgic-irqfd: Fix MSI entry allocation
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 150009e2c70cc3c6e97f00e7595055765d32fb85 upstream.
+
+Using the size of the structure we're allocating is a good idea
+and avoids any surprise... In this case, we're happilly confusing
+kvm_kernel_irq_routing_entry and kvm_irq_routing_entry...
+
+Fixes: 95b110ab9a09 ("KVM: arm/arm64: Enable irqchip routing")
+Reported-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/arm/vgic/vgic-irqfd.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/virt/kvm/arm/vgic/vgic-irqfd.c
++++ b/virt/kvm/arm/vgic/vgic-irqfd.c
+@@ -112,8 +112,7 @@ int kvm_vgic_setup_default_irq_routing(s
+       u32 nr = dist->nr_spis;
+       int i, ret;
+-      entries = kcalloc(nr, sizeof(struct kvm_kernel_irq_routing_entry),
+-                        GFP_KERNEL);
++      entries = kcalloc(nr, sizeof(*entries), GFP_KERNEL);
+       if (!entries)
+               return -ENOMEM;
diff --git a/queue-4.14/kvm-arm-arm64-vgic-its-check-result-of-allocation-before-use.patch b/queue-4.14/kvm-arm-arm64-vgic-its-check-result-of-allocation-before-use.patch
new file mode 100644 (file)
index 0000000..8953354
--- /dev/null
@@ -0,0 +1,33 @@
+From 686f294f2f1ae40705283dd413ca1e4c14f20f93 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Thu, 16 Nov 2017 17:58:18 +0000
+Subject: KVM: arm/arm64: vgic-its: Check result of allocation before use
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 686f294f2f1ae40705283dd413ca1e4c14f20f93 upstream.
+
+We miss a test against NULL after allocation.
+
+Fixes: 6d03a68f8054 ("KVM: arm64: vgic-its: Turn device_id validation into generic ID validation")
+Reported-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Acked-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/arm/vgic/vgic-its.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/virt/kvm/arm/vgic/vgic-its.c
++++ b/virt/kvm/arm/vgic/vgic-its.c
+@@ -775,6 +775,8 @@ static int vgic_its_alloc_collection(str
+               return E_ITS_MAPC_COLLECTION_OOR;
+       collection = kzalloc(sizeof(*collection), GFP_KERNEL);
++      if (!collection)
++              return -ENOMEM;
+       collection->collection_id = coll_id;
+       collection->target_addr = COLLECTION_NOT_MAPPED;
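Review bot: The new `return -ENOMEM;` mixes a negative errno with the ITS command error code E_ITS_MAPC_COLLECTION_OOR that the same function returns two lines above, so callers of vgic_its_alloc_collection() must be able to tell the two conventions apart; I cannot see the callers in this hunk, but if they only test for non-zero this is fine, whereas if they decode the value as an ITS error the -ENOMEM would be misreported. Worth a comment on the return, e.g. `/* negative errno, unlike the E_ITS_* codes above */`, or a check that the caller propagates it unchanged.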
diff --git a/queue-4.14/kvm-arm-arm64-vgic-preserve-the-revious-read-from-the-pending-table.patch b/queue-4.14/kvm-arm-arm64-vgic-preserve-the-revious-read-from-the-pending-table.patch
new file mode 100644 (file)
index 0000000..48036c4
--- /dev/null
@@ -0,0 +1,44 @@
+From ddb4b0102cb9cdd2398d98b3e1e024e08a2f4239 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Thu, 16 Nov 2017 17:58:16 +0000
+Subject: KVM: arm/arm64: vgic: Preserve the revious read from the pending table
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit ddb4b0102cb9cdd2398d98b3e1e024e08a2f4239 upstream.
+
+The current pending table parsing code assumes that we keep the
+previous read of the pending bits, but keep that variable in
+the current block, making sure it is discarded on each loop.
+
+We end-up using whatever is on the stack. Who knows, it might
+just be the right thing...
+
+Fixes: 280771252c1ba ("KVM: arm64: vgic-v3: KVM_DEV_ARM_VGIC_SAVE_PENDING_TABLES")
+Reported-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/arm/vgic/vgic-v3.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/virt/kvm/arm/vgic/vgic-v3.c
++++ b/virt/kvm/arm/vgic/vgic-v3.c
+@@ -324,13 +324,13 @@ int vgic_v3_save_pending_tables(struct k
+       int last_byte_offset = -1;
+       struct vgic_irq *irq;
+       int ret;
++      u8 val;
+       list_for_each_entry(irq, &dist->lpi_list_head, lpi_list) {
+               int byte_offset, bit_nr;
+               struct kvm_vcpu *vcpu;
+               gpa_t pendbase, ptr;
+               bool stored;
+-              u8 val;
+               vcpu = irq->target_vcpu;
+               if (!vcpu)
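Review bot: `u8 val;` is now in function scope so it survives across iterations, but it is still uninitialised at its declaration; the first read of it is presumably guarded by `last_byte_offset = -1` (visible at the top of the hunk) forcing a fresh read on the first iteration, but that logic is outside the hunk. Initialising it, `u8 val = 0;`, costs nothing and removes the dependence on that guard, and a comment `/* carried across iterations: holds the last byte read from the pending table */` would document why it was hoisted.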
diff --git a/queue-4.14/kvm-s390-fix-skey-emulation-permission-check.patch b/queue-4.14/kvm-s390-fix-skey-emulation-permission-check.patch
new file mode 100644 (file)
index 0000000..00b1bd9
--- /dev/null
@@ -0,0 +1,74 @@
+From ca76ec9ca871e67d8cd0b6caba24aca3d3ac4546 Mon Sep 17 00:00:00 2001
+From: Janosch Frank <frankja@linux.vnet.ibm.com>
+Date: Mon, 4 Dec 2017 12:19:11 +0100
+Subject: KVM: s390: Fix skey emulation permission check
+
+From: Janosch Frank <frankja@linux.vnet.ibm.com>
+
+commit ca76ec9ca871e67d8cd0b6caba24aca3d3ac4546 upstream.
+
+All skey functions call skey_check_enable at their start, which checks
+if we are in the PSTATE and injects a privileged operation exception
+if we are.
+
+Unfortunately they continue processing afterwards and perform the
+operation anyhow as skey_check_enable does not deliver an error if the
+exception injection was successful.
+
+Let's move the PSTATE check into the skey functions and exit them on
+such an occasion, also we now do not enable skey handling anymore in
+such a case.
+
+Signed-off-by: Janosch Frank <frankja@linux.vnet.ibm.com>
+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Fixes: a7e19ab ("KVM: s390: handle missing storage-key facility")
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/priv.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/kvm/priv.c
++++ b/arch/s390/kvm/priv.c
+@@ -235,8 +235,6 @@ static int try_handle_skey(struct kvm_vc
+               VCPU_EVENT(vcpu, 4, "%s", "retrying storage key operation");
+               return -EAGAIN;
+       }
+-      if (vcpu->arch.sie_block->gpsw.mask & PSW_MASK_PSTATE)
+-              return kvm_s390_inject_program_int(vcpu, PGM_PRIVILEGED_OP);
+       return 0;
+ }
+@@ -247,6 +245,9 @@ static int handle_iske(struct kvm_vcpu *
+       int reg1, reg2;
+       int rc;
++      if (vcpu->arch.sie_block->gpsw.mask & PSW_MASK_PSTATE)
++              return kvm_s390_inject_program_int(vcpu, PGM_PRIVILEGED_OP);
++
+       rc = try_handle_skey(vcpu);
+       if (rc)
+               return rc != -EAGAIN ? rc : 0;
+@@ -276,6 +277,9 @@ static int handle_rrbe(struct kvm_vcpu *
+       int reg1, reg2;
+       int rc;
++      if (vcpu->arch.sie_block->gpsw.mask & PSW_MASK_PSTATE)
++              return kvm_s390_inject_program_int(vcpu, PGM_PRIVILEGED_OP);
++
+       rc = try_handle_skey(vcpu);
+       if (rc)
+               return rc != -EAGAIN ? rc : 0;
+@@ -311,6 +315,9 @@ static int handle_sske(struct kvm_vcpu *
+       int reg1, reg2;
+       int rc;
++      if (vcpu->arch.sie_block->gpsw.mask & PSW_MASK_PSTATE)
++              return kvm_s390_inject_program_int(vcpu, PGM_PRIVILEGED_OP);
++
+       rc = try_handle_skey(vcpu);
+       if (rc)
+               return rc != -EAGAIN ? rc : 0;
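Review bot: The same three-line PSTATE check is now duplicated at the top of handle_iske(), handle_rrbe() and handle_sske(); a small static helper, or keeping the check in try_handle_skey() but returning a distinct value the callers propagate, would avoid three copies drifting apart. The reordering is otherwise correct: the check now runs before try_handle_skey(), so the -EAGAIN retry path and the enabling of skey handling are no longer reached from problem state. Any other storage-key handler outside this hunk that previously relied on the check inside try_handle_skey() would now be missing it, so it is worth confirming there are none.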
diff --git a/queue-4.14/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch b/queue-4.14/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch
new file mode 100644 (file)
index 0000000..3d640a6
--- /dev/null
@@ -0,0 +1,50 @@
+From d59d51f088014f25c2562de59b9abff4f42a7468 Mon Sep 17 00:00:00 2001
+From: Andrew Honig <ahonig@google.com>
+Date: Fri, 1 Dec 2017 10:21:09 -0800
+Subject: KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrew Honig <ahonig@google.com>
+
+commit d59d51f088014f25c2562de59b9abff4f42a7468 upstream.
+
+This fixes CVE-2017-1000407.
+
+KVM allows guests to directly access I/O port 0x80 on Intel hosts.  If
+the guest floods this port with writes it generates exceptions and
+instability in the host kernel, leading to a crash.  With this change
+guest writes to port 0x80 on Intel will behave the same as they
+currently behave on AMD systems.
+
+Prevent the flooding by removing the code that sets port 0x80 as a
+passthrough port.  This is essentially the same as upstream patch
+99f85a28a78e96d28907fe036e1671a218fee597, except that patch was
+for AMD chipsets and this patch is for Intel.
+
+Signed-off-by: Andrew Honig <ahonig@google.com>
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Fixes: fdef3ad1b386 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs")
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c |    5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6750,12 +6750,7 @@ static __init int hardware_setup(void)
+       memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE);
+       memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE);
+-      /*
+-       * Allow direct access to the PC debug port (it is often used for I/O
+-       * delays, but the vmexits simply slow things down).
+-       */
+       memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);
+-      clear_bit(0x80, vmx_io_bitmap_a);
+       memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
diff --git a/queue-4.14/kvm-x86-fix-apic-page-invalidation.patch b/queue-4.14/kvm-x86-fix-apic-page-invalidation.patch
new file mode 100644 (file)
index 0000000..7e289e7
--- /dev/null
@@ -0,0 +1,91 @@
+From b1394e745b9453dcb5b0671c205b770e87dedb87 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+Date: Thu, 30 Nov 2017 19:05:45 +0100
+Subject: KVM: x86: fix APIC page invalidation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Radim Krčmář <rkrcmar@redhat.com>
+
+commit b1394e745b9453dcb5b0671c205b770e87dedb87 upstream.
+
+Implementation of the unpinned APIC page didn't update the VMCS address
+cache when invalidation was done through range mmu notifiers.
+This became a problem when the page notifier was removed.
+
+Re-introduce the arch-specific helper and call it from ...range_start.
+
+Reported-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Fixes: 38b9917350cb ("kvm: vmx: Implement set_apic_access_page_addr")
+Fixes: 369ea8242c0f ("mm/rmap: update to new mmu_notifier semantic v2")
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
+Tested-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Tested-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/kvm_host.h |    3 +++
+ arch/x86/kvm/x86.c              |   14 ++++++++++++++
+ virt/kvm/kvm_main.c             |    8 ++++++++
+ 3 files changed, 25 insertions(+)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1426,4 +1426,7 @@ static inline int kvm_cpu_get_apicid(int
+ #endif
+ }
++void kvm_arch_mmu_notifier_invalidate_range(struct kvm *kvm,
++              unsigned long start, unsigned long end);
++
+ #endif /* _ASM_X86_KVM_HOST_H */
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6745,6 +6745,20 @@ static void kvm_vcpu_flush_tlb(struct kv
+       kvm_x86_ops->tlb_flush(vcpu);
+ }
++void kvm_arch_mmu_notifier_invalidate_range(struct kvm *kvm,
++              unsigned long start, unsigned long end)
++{
++      unsigned long apic_address;
++
++      /*
++       * The physical address of apic access page is stored in the VMCS.
++       * Update it when it becomes invalid.
++       */
++      apic_address = gfn_to_hva(kvm, APIC_DEFAULT_PHYS_BASE >> PAGE_SHIFT);
++      if (start <= apic_address && apic_address < end)
++              kvm_make_all_cpus_request(kvm, KVM_REQ_APIC_PAGE_RELOAD);
++}
++
+ void kvm_vcpu_reload_apic_access_page(struct kvm_vcpu *vcpu)
+ {
+       struct page *page = NULL;
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -136,6 +136,11 @@ static void kvm_uevent_notify_change(uns
+ static unsigned long long kvm_createvm_count;
+ static unsigned long long kvm_active_vms;
++__weak void kvm_arch_mmu_notifier_invalidate_range(struct kvm *kvm,
++              unsigned long start, unsigned long end)
++{
++}
++
+ bool kvm_is_reserved_pfn(kvm_pfn_t pfn)
+ {
+       if (pfn_valid(pfn))
+@@ -361,6 +366,9 @@ static void kvm_mmu_notifier_invalidate_
+               kvm_flush_remote_tlbs(kvm);
+       spin_unlock(&kvm->mmu_lock);
++
++      kvm_arch_mmu_notifier_invalidate_range(kvm, start, end);
++
+       srcu_read_unlock(&kvm->srcu, idx);
+ }
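Review bot: kvm_arch_mmu_notifier_invalidate_range() compares the hva returned by gfn_to_hva() against the invalidated range without checking it for an error value; if the APIC base gfn is not covered by a memslot, gfn_to_hva() returns an error-encoded hva and the comparison is performed on that. Guarding with `if (kvm_is_error_hva(apic_address)) return;` before the range test makes the intent explicit. The call in kvm_main.c is placed after `spin_unlock(&kvm->mmu_lock)` but still inside the srcu read side, which is what a memslot lookup needs; a comment there (`/* must run under srcu: walks memslots */`) would document that ordering constraint.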
diff --git a/queue-4.14/md-r5cache-move-mddev_lock-out-of-r5c_journal_mode_set.patch b/queue-4.14/md-r5cache-move-mddev_lock-out-of-r5c_journal_mode_set.patch
new file mode 100644 (file)
index 0000000..34b9c84
--- /dev/null
@@ -0,0 +1,81 @@
+From ff35f58e8f8eb520367879a0ccc6f2ec4b62b17b Mon Sep 17 00:00:00 2001
+From: Song Liu <songliubraving@fb.com>
+Date: Sun, 19 Nov 2017 22:17:00 -0800
+Subject: md/r5cache: move mddev_lock() out of r5c_journal_mode_set()
+
+From: Song Liu <songliubraving@fb.com>
+
+commit ff35f58e8f8eb520367879a0ccc6f2ec4b62b17b upstream.
+
+r5c_journal_mode_set() is called by r5c_journal_mode_store() and
+raid_ctr() in dm-raid. We don't need mddev_lock() when calling from
+raid_ctr(). This patch fixes this by moves the mddev_lock() to
+r5c_journal_mode_store().
+
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid5-cache.c |   22 +++++++++-------------
+ 1 file changed, 9 insertions(+), 13 deletions(-)
+
+--- a/drivers/md/raid5-cache.c
++++ b/drivers/md/raid5-cache.c
+@@ -2571,31 +2571,22 @@ static ssize_t r5c_journal_mode_show(str
+ int r5c_journal_mode_set(struct mddev *mddev, int mode)
+ {
+       struct r5conf *conf;
+-      int err;
+       if (mode < R5C_JOURNAL_MODE_WRITE_THROUGH ||
+           mode > R5C_JOURNAL_MODE_WRITE_BACK)
+               return -EINVAL;
+-      err = mddev_lock(mddev);
+-      if (err)
+-              return err;
+       conf = mddev->private;
+-      if (!conf || !conf->log) {
+-              mddev_unlock(mddev);
++      if (!conf || !conf->log)
+               return -ENODEV;
+-      }
+       if (raid5_calc_degraded(conf) > 0 &&
+-          mode == R5C_JOURNAL_MODE_WRITE_BACK) {
+-              mddev_unlock(mddev);
++          mode == R5C_JOURNAL_MODE_WRITE_BACK)
+               return -EINVAL;
+-      }
+       mddev_suspend(mddev);
+       conf->log->r5c_journal_mode = mode;
+       mddev_resume(mddev);
+-      mddev_unlock(mddev);
+       pr_debug("md/raid:%s: setting r5c cache mode to %d: %s\n",
+                mdname(mddev), mode, r5c_journal_mode_str[mode]);
+@@ -2608,6 +2599,7 @@ static ssize_t r5c_journal_mode_store(st
+ {
+       int mode = ARRAY_SIZE(r5c_journal_mode_str);
+       size_t len = length;
++      int ret;
+       if (len < 2)
+               return -EINVAL;
+@@ -2619,8 +2611,12 @@ static ssize_t r5c_journal_mode_store(st
+               if (strlen(r5c_journal_mode_str[mode]) == len &&
+                   !strncmp(page, r5c_journal_mode_str[mode], len))
+                       break;
+-
+-      return r5c_journal_mode_set(mddev, mode) ?: length;
++      ret = mddev_lock(mddev);
++      if (ret)
++              return ret;
++      ret = r5c_journal_mode_set(mddev, mode);
++      mddev_unlock(mddev);
++      return ret ?: length;
+ }
+ struct md_sysfs_entry
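Review bot: r5c_journal_mode_set() now reads `mddev->private` and `conf->log` and calls mddev_suspend()/mddev_resume() without taking mddev_lock(), so the locking contract has moved to the callers but nothing at the definition says so. Add a comment above the function at the top of the first hunk: `/* Caller must hold mddev_lock() (sysfs path) or otherwise guarantee the array is not being reconfigured concurrently (dm-raid's raid_ctr() calls this before the array is live). */`. The sysfs path in r5c_journal_mode_store() at the bottom of the patch takes and drops the lock correctly around the call; the raid_ctr() side is outside this patch, so its safety can only be inferred from the description. r5c_journal_mode_store()'s signature lies just above its hunk.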
diff --git a/queue-4.14/media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch b/queue-4.14/media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch
new file mode 100644 (file)
index 0000000..dfd239a
--- /dev/null
@@ -0,0 +1,43 @@
+From 6d33377f2abbf9f0e561b116dd468d1c3ff36a6a Mon Sep 17 00:00:00 2001
+From: Laurent Caumont <lcaumont2@gmail.com>
+Date: Sat, 11 Nov 2017 12:44:46 -0500
+Subject: media: dvb: i2c transfers over usb cannot be done from stack
+
+From: Laurent Caumont <lcaumont2@gmail.com>
+
+commit 6d33377f2abbf9f0e561b116dd468d1c3ff36a6a upstream.
+
+Signed-off-by: Laurent Caumont <lcaumont2@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/dibusb-common.c |   16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/dibusb-common.c
++++ b/drivers/media/usb/dvb-usb/dibusb-common.c
+@@ -223,8 +223,20 @@ EXPORT_SYMBOL(dibusb_i2c_algo);
+ int dibusb_read_eeprom_byte(struct dvb_usb_device *d, u8 offs, u8 *val)
+ {
+-      u8 wbuf[1] = { offs };
+-      return dibusb_i2c_msg(d, 0x50, wbuf, 1, val, 1);
++      u8 *buf;
++      int rc;
++
++      buf = kmalloc(2, GFP_KERNEL);
++      if (!buf)
++              return -ENOMEM;
++
++      buf[0] = offs;
++
++      rc = dibusb_i2c_msg(d, 0x50, &buf[0], 1, &buf[1], 1);
++      *val = buf[1];
++      kfree(buf);
++
++      return rc;
+ }
+ EXPORT_SYMBOL(dibusb_read_eeprom_byte);
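Review bot: `*val = buf[1];` runs even when dibusb_i2c_msg() fails, so a failed transfer now hands the caller an uninitialized kmalloc() byte where the old code left `*val` untouched. Guard the copy on success, `if (!rc) *val = buf[1];`, or allocate with kzalloc() so the value is at least deterministic on error. dibusb_i2c_msg() is not visible here, so whether it leaves the read buffer unwritten on failure is inferred from its `rc` return.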
diff --git a/queue-4.14/media-rc-partial-revert-of-media-rc-per-protocol-repeat-period.patch b/queue-4.14/media-rc-partial-revert-of-media-rc-per-protocol-repeat-period.patch
new file mode 100644 (file)
index 0000000..078995e
--- /dev/null
@@ -0,0 +1,93 @@
+From 67f0f15ad5c47490e19f2526f8f9cea97c5ce1a6 Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Sun, 19 Nov 2017 16:57:27 -0500
+Subject: media: rc: partial revert of "media: rc: per-protocol repeat period"
+
+From: Sean Young <sean@mess.org>
+
+commit 67f0f15ad5c47490e19f2526f8f9cea97c5ce1a6 upstream.
+
+Since commit d57ea877af38 ("media: rc: per-protocol repeat period"), most
+IR protocols have a lower keyup timeout. This causes problems on the
+ite-cir, which has default IR timeout of 200ms.
+
+Since the IR decoders read the trailing space, with a IR timeout of 200ms,
+the last keydown will have at least a delay of 200ms. This is more than
+the protocol timeout of e.g. rc-6 (which is 164ms). As a result the last
+IR will be interpreted as a new keydown event, and we get two keypresses.
+
+Revert the protocol timeout to 250ms, except for cec which needs a timeout
+of 550ms.
+
+Fixes: d57ea877af38 ("media: rc: per-protocol repeat period")
+
+Reported-by: Matthias Reichl <hias@horus.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Tested-by: Matthias Reichl <hias@horus.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/rc/rc-main.c |   32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+--- a/drivers/media/rc/rc-main.c
++++ b/drivers/media/rc/rc-main.c
+@@ -38,41 +38,41 @@ static const struct {
+       [RC_PROTO_UNKNOWN] = { .name = "unknown", .repeat_period = 250 },
+       [RC_PROTO_OTHER] = { .name = "other", .repeat_period = 250 },
+       [RC_PROTO_RC5] = { .name = "rc-5",
+-              .scancode_bits = 0x1f7f, .repeat_period = 164 },
++              .scancode_bits = 0x1f7f, .repeat_period = 250 },
+       [RC_PROTO_RC5X_20] = { .name = "rc-5x-20",
+-              .scancode_bits = 0x1f7f3f, .repeat_period = 164 },
++              .scancode_bits = 0x1f7f3f, .repeat_period = 250 },
+       [RC_PROTO_RC5_SZ] = { .name = "rc-5-sz",
+-              .scancode_bits = 0x2fff, .repeat_period = 164 },
++              .scancode_bits = 0x2fff, .repeat_period = 250 },
+       [RC_PROTO_JVC] = { .name = "jvc",
+               .scancode_bits = 0xffff, .repeat_period = 250 },
+       [RC_PROTO_SONY12] = { .name = "sony-12",
+-              .scancode_bits = 0x1f007f, .repeat_period = 100 },
++              .scancode_bits = 0x1f007f, .repeat_period = 250 },
+       [RC_PROTO_SONY15] = { .name = "sony-15",
+-              .scancode_bits = 0xff007f, .repeat_period = 100 },
++              .scancode_bits = 0xff007f, .repeat_period = 250 },
+       [RC_PROTO_SONY20] = { .name = "sony-20",
+-              .scancode_bits = 0x1fff7f, .repeat_period = 100 },
++              .scancode_bits = 0x1fff7f, .repeat_period = 250 },
+       [RC_PROTO_NEC] = { .name = "nec",
+-              .scancode_bits = 0xffff, .repeat_period = 160 },
++              .scancode_bits = 0xffff, .repeat_period = 250 },
+       [RC_PROTO_NECX] = { .name = "nec-x",
+-              .scancode_bits = 0xffffff, .repeat_period = 160 },
++              .scancode_bits = 0xffffff, .repeat_period = 250 },
+       [RC_PROTO_NEC32] = { .name = "nec-32",
+-              .scancode_bits = 0xffffffff, .repeat_period = 160 },
++              .scancode_bits = 0xffffffff, .repeat_period = 250 },
+       [RC_PROTO_SANYO] = { .name = "sanyo",
+               .scancode_bits = 0x1fffff, .repeat_period = 250 },
+       [RC_PROTO_MCIR2_KBD] = { .name = "mcir2-kbd",
+-              .scancode_bits = 0xffff, .repeat_period = 150 },
++              .scancode_bits = 0xffff, .repeat_period = 250 },
+       [RC_PROTO_MCIR2_MSE] = { .name = "mcir2-mse",
+-              .scancode_bits = 0x1fffff, .repeat_period = 150 },
++              .scancode_bits = 0x1fffff, .repeat_period = 250 },
+       [RC_PROTO_RC6_0] = { .name = "rc-6-0",
+-              .scancode_bits = 0xffff, .repeat_period = 164 },
++              .scancode_bits = 0xffff, .repeat_period = 250 },
+       [RC_PROTO_RC6_6A_20] = { .name = "rc-6-6a-20",
+-              .scancode_bits = 0xfffff, .repeat_period = 164 },
++              .scancode_bits = 0xfffff, .repeat_period = 250 },
+       [RC_PROTO_RC6_6A_24] = { .name = "rc-6-6a-24",
+-              .scancode_bits = 0xffffff, .repeat_period = 164 },
++              .scancode_bits = 0xffffff, .repeat_period = 250 },
+       [RC_PROTO_RC6_6A_32] = { .name = "rc-6-6a-32",
+-              .scancode_bits = 0xffffffff, .repeat_period = 164 },
++              .scancode_bits = 0xffffffff, .repeat_period = 250 },
+       [RC_PROTO_RC6_MCE] = { .name = "rc-6-mce",
+-              .scancode_bits = 0xffff7fff, .repeat_period = 164 },
++              .scancode_bits = 0xffff7fff, .repeat_period = 250 },
+       [RC_PROTO_SHARP] = { .name = "sharp",
+               .scancode_bits = 0x1fff, .repeat_period = 250 },
+       [RC_PROTO_XMP] = { .name = "xmp", .repeat_period = 250 },
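Review bot: The table now repeats the literal 250 for every IR protocol without recording why the per-protocol periods were raised, which invites a future change back to the protocol-derived values that produced the ite-cir double keypress. Add a short comment above the table (its `static const struct {` header is just outside the hunk), e.g. `/* repeat_period is deliberately 250 ms for all IR protocols: receivers such as ite-cir have a 200 ms IR timeout, so a shorter period makes the trailing space look like a new keydown. */`. A named constant for the shared value would also make the exceptions (cec, not in this hunk) stand out.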
diff --git a/queue-4.14/media-rc-sir_ir-detect-presence-of-port.patch b/queue-4.14/media-rc-sir_ir-detect-presence-of-port.patch
new file mode 100644 (file)
index 0000000..e2075b3
--- /dev/null
@@ -0,0 +1,119 @@
+From 30b4e122d71cbec2944a5f8b558b88936ee42f10 Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Wed, 8 Nov 2017 16:19:45 -0500
+Subject: media: rc: sir_ir: detect presence of port
+
+From: Sean Young <sean@mess.org>
+
+commit 30b4e122d71cbec2944a5f8b558b88936ee42f10 upstream.
+
+Without this test, sir_ir clumsy claims resources for a device which
+does not exist.
+
+The 0-day kernel test robot reports the following errors (in a loop):
+       sir_ir sir_ir.0: Trapped in interrupt
+       genirq: Flags mismatch irq 4. 00000000 (ttyS0) vs. 00000000 (sir_ir)
+
+When sir_ir is loaded with the default io and irq, the following happens:
+ - sir_ir claims irq 4
+ - user space opens /dev/ttyS0
+ - in serial8250_do_startup(), some setup is done for ttyS0, which causes
+   irq 4 to fire (in THRE test)
+ - sir_ir does not realise it was not for it, and spins until the "trapped
+   in interrupt"
+ - now serial driver calls setup_irq() and fails and we get the
+   "Flags mismatch" error.
+
+There is no port present at 0x3e8 so simply check for the presence of a
+port, as suggested by Linus.
+
+Reported-by: kbuild test robot <fengguang.wu@intel.com>
+Tested-by: Fengguang Wu <fengguang.wu@intel.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/rc/sir_ir.c |   40 ++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 36 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/rc/sir_ir.c
++++ b/drivers/media/rc/sir_ir.c
+@@ -57,7 +57,7 @@ static void add_read_queue(int flag, uns
+ static irqreturn_t sir_interrupt(int irq, void *dev_id);
+ static void send_space(unsigned long len);
+ static void send_pulse(unsigned long len);
+-static void init_hardware(void);
++static int init_hardware(void);
+ static void drop_hardware(void);
+ /* Initialisation */
+@@ -263,11 +263,36 @@ static void send_pulse(unsigned long len
+       }
+ }
+-static void init_hardware(void)
++static int init_hardware(void)
+ {
++      u8 scratch, scratch2, scratch3;
+       unsigned long flags;
+       spin_lock_irqsave(&hardware_lock, flags);
++
++      /*
++       * This is a simple port existence test, borrowed from the autoconfig
++       * function in drivers/tty/serial/8250/8250_port.c
++       */
++      scratch = sinp(UART_IER);
++      soutp(UART_IER, 0);
++#ifdef __i386__
++      outb(0xff, 0x080);
++#endif
++      scratch2 = sinp(UART_IER) & 0x0f;
++      soutp(UART_IER, 0x0f);
++#ifdef __i386__
++      outb(0x00, 0x080);
++#endif
++      scratch3 = sinp(UART_IER) & 0x0f;
++      soutp(UART_IER, scratch);
++      if (scratch2 != 0 || scratch3 != 0x0f) {
++              /* we fail, there's nothing here */
++              spin_unlock_irqrestore(&hardware_lock, flags);
++              pr_err("port existence test failed, cannot continue\n");
++              return -ENODEV;
++      }
++
+       /* reset UART */
+       outb(0, io + UART_MCR);
+       outb(0, io + UART_IER);
+@@ -285,6 +310,8 @@ static void init_hardware(void)
+       /* turn on UART */
+       outb(UART_MCR_DTR | UART_MCR_RTS | UART_MCR_OUT2, io + UART_MCR);
+       spin_unlock_irqrestore(&hardware_lock, flags);
++
++      return 0;
+ }
+ static void drop_hardware(void)
+@@ -334,14 +361,19 @@ static int sir_ir_probe(struct platform_
+               pr_err("IRQ %d already in use.\n", irq);
+               return retval;
+       }
++
++      retval = init_hardware();
++      if (retval) {
++              del_timer_sync(&timerlist);
++              return retval;
++      }
++
+       pr_info("I/O port 0x%.4x, IRQ %d.\n", io, irq);
+       retval = devm_rc_register_device(&sir_ir_dev->dev, rcdev);
+       if (retval < 0)
+               return retval;
+-      init_hardware();
+-
+       return 0;
+ }
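Review bot: In sir_ir_probe(), init_hardware() now runs before devm_rc_register_device(), but the existing `if (retval < 0) return retval;` after registration calls neither drop_hardware() nor del_timer_sync(), so a registration failure leaves the UART enabled with interrupts on and the timer armed, unlike the new init_hardware() failure path a few lines above. Mirror that path: `if (retval < 0) { drop_hardware(); del_timer_sync(&timerlist); return retval; }`. The IRQ appears to be devm-managed (the "already in use" branch returns without freeing it), so it is presumably released on probe failure; confirm. The `outb(..., 0x080)` writes in init_hardware() would also benefit from a one-line comment that they are the customary i386 I/O-port delay, since the borrowed 8250 code does not explain them either. sir_ir_probe() starts outside the hunk.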
diff --git a/queue-4.14/pinctrl-armada-37xx-fix-direction_output-callback-behavior.patch b/queue-4.14/pinctrl-armada-37xx-fix-direction_output-callback-behavior.patch
new file mode 100644 (file)
index 0000000..7300d0b
--- /dev/null
@@ -0,0 +1,53 @@
+From 6702abb3bf2394f250af0ee04070227bb5dda788 Mon Sep 17 00:00:00 2001
+From: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Date: Tue, 14 Nov 2017 17:51:50 +0100
+Subject: pinctrl: armada-37xx: Fix direction_output() callback behavior
+
+From: Gregory CLEMENT <gregory.clement@free-electrons.com>
+
+commit 6702abb3bf2394f250af0ee04070227bb5dda788 upstream.
+
+The direction_output callback of the gpio_chip structure is supposed to
+set the output direction but also to set the value of the gpio. For the
+armada-37xx driver this callback acted as the gpio_set_direction callback
+for the pinctrl.
+
+This patch fixes the behavior of the direction_output callback by also
+applying the value received as parameter.
+
+Fixes: 5715092a458c ("pinctrl: armada-37xx: Add gpio support")
+Reported-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/mvebu/pinctrl-armada-37xx.c |   13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
++++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
+@@ -408,12 +408,21 @@ static int armada_37xx_gpio_direction_ou
+ {
+       struct armada_37xx_pinctrl *info = gpiochip_get_data(chip);
+       unsigned int reg = OUTPUT_EN;
+-      unsigned int mask;
++      unsigned int mask, val, ret;
+       armada_37xx_update_reg(&reg, offset);
+       mask = BIT(offset);
+-      return regmap_update_bits(info->regmap, reg, mask, mask);
++      ret = regmap_update_bits(info->regmap, reg, mask, mask);
++
++      if (ret)
++              return ret;
++
++      reg = OUTPUT_VAL;
++      val = value ? mask : 0;
++      regmap_update_bits(info->regmap, reg, mask, val);
++
++      return 0;
+ }
+ static int armada_37xx_gpio_get(struct gpio_chip *chip, unsigned int offset)
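Review bot: `ret` is declared `unsigned int` on the `unsigned int mask, val, ret;` line but holds the negative errno returned by regmap_update_bits(), so `if (ret) return ret;` passes the error back through an unsigned round-trip; declare it `int ret;` on its own line. The second regmap_update_bits() call discards its result while the first is checked; `return regmap_update_bits(info->regmap, reg, mask, val);` keeps the two consistent and reports a failed value write. Writing OUTPUT_EN before OUTPUT_VAL may also briefly drive the previously latched level before the requested one; if the hardware permits, setting the value first would avoid that glitch — to be confirmed against the register documentation. The function's signature line lies just above the hunk.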
diff --git a/queue-4.14/powerpc-64s-initialize-isav3-mmu-registers-before-setting-partition-table.patch b/queue-4.14/powerpc-64s-initialize-isav3-mmu-registers-before-setting-partition-table.patch
new file mode 100644 (file)
index 0000000..e6483e8
--- /dev/null
@@ -0,0 +1,58 @@
+From 371b80447ff33ddac392c189cf884a5a3e18faeb Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Wed, 6 Dec 2017 18:21:14 +1000
+Subject: powerpc/64s: Initialize ISAv3 MMU registers before setting partition table
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit 371b80447ff33ddac392c189cf884a5a3e18faeb upstream.
+
+kexec can leave MMU registers set when booting into a new kernel,
+the PIDR (Process Identification Register) in particular. The boot
+sequence does not zero PIDR, so it only gets set when CPUs first
+switch to a userspace processes (until then it's running a kernel
+thread with effective PID = 0).
+
+This leaves a window where a process table entry and page tables are
+set up due to user processes running on other CPUs, that happen to
+match with a stale PID. The CPU with that PID may cause speculative
+accesses that address quadrant 0 (aka userspace addresses), which will
+result in cached translations and PWC (Page Walk Cache) for that
+process, on a CPU which is not in the mm_cpumask and so they will not
+be invalidated properly.
+
+The most common result is the kernel hanging in infinite page fault
+loops soon after kexec (usually in schedule_tail, which is usually the
+first non-speculative quadrant 0 access to a new PID) due to a stale
+PWC. However being a stale translation error, it could result in
+anything up to security and data corruption problems.
+
+Fix this by zeroing out PIDR at boot and kexec.
+
+Fixes: 7e381c0ff618 ("powerpc/mm/radix: Add mmu context handling callback for radix")
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/cpu_setup_power.S |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/powerpc/kernel/cpu_setup_power.S
++++ b/arch/powerpc/kernel/cpu_setup_power.S
+@@ -102,6 +102,7 @@ _GLOBAL(__setup_cpu_power9)
+       li      r0,0
+       mtspr   SPRN_PSSCR,r0
+       mtspr   SPRN_LPID,r0
++      mtspr   SPRN_PID,r0
+       mfspr   r3,SPRN_LPCR
+       LOAD_REG_IMMEDIATE(r4, LPCR_PECEDH | LPCR_PECE_HVEE | LPCR_HVICE  | LPCR_HEIC)
+       or      r3, r3, r4
+@@ -126,6 +127,7 @@ _GLOBAL(__restore_cpu_power9)
+       li      r0,0
+       mtspr   SPRN_PSSCR,r0
+       mtspr   SPRN_LPID,r0
++      mtspr   SPRN_PID,r0
+       mfspr   r3,SPRN_LPCR
+       LOAD_REG_IMMEDIATE(r4, LPCR_PECEDH | LPCR_PECE_HVEE | LPCR_HVICE | LPCR_HEIC)
+       or      r3, r3, r4
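Review bot: The added `mtspr SPRN_PID,r0` carries no comment explaining why PIDR must be cleared, and the same sequence now appears in both __setup_cpu_power9 and __restore_cpu_power9, so the rationale from the commit message is lost at the point of use. Annotate each added line in the file's comment syntax, e.g. `mtspr SPRN_PID,r0 /* clear stale PIDR left by kexec; a matching live PID would cache translations on a CPU outside mm_cpumask */`. Both routines continue outside the hunks.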
diff --git a/queue-4.14/revert-arm-dts-imx53-add-srtc-node.patch b/queue-4.14/revert-arm-dts-imx53-add-srtc-node.patch
new file mode 100644 (file)
index 0000000..5e692a4
--- /dev/null
@@ -0,0 +1,42 @@
+From e501506d3ea00eefa64463ebd9e5c13ee70990bd Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <fabio.estevam@nxp.com>
+Date: Wed, 15 Nov 2017 10:03:53 -0200
+Subject: Revert "ARM: dts: imx53: add srtc node"
+
+From: Fabio Estevam <fabio.estevam@nxp.com>
+
+commit e501506d3ea00eefa64463ebd9e5c13ee70990bd upstream.
+
+This reverts commit 5b725054147deaf966b3919e10a86c6bfe946a18.
+
+The rtc block on i.MX53 is a completely different hardware than the
+one found on i.MX25.
+
+Reported-by: Noel Vellemans <Noel.Vellemans@visionbms.com>
+Suggested-by: Juergen Borleis <jbe@pengutronix.de>
+Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/imx53.dtsi |    9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/arch/arm/boot/dts/imx53.dtsi
++++ b/arch/arm/boot/dts/imx53.dtsi
+@@ -433,15 +433,6 @@
+                               clock-names = "ipg", "per";
+                       };
+-                      srtc: srtc@53fa4000 {
+-                              compatible = "fsl,imx53-rtc", "fsl,imx25-rtc";
+-                              reg = <0x53fa4000 0x4000>;
+-                              interrupts = <24>;
+-                              interrupt-parent = <&tzic>;
+-                              clocks = <&clks IMX5_CLK_SRTC_GATE>;
+-                              clock-names = "ipg";
+-                      };
+-
+                       iomuxc: iomuxc@53fa8000 {
+                               compatible = "fsl,imx53-iomuxc";
+                               reg = <0x53fa8000 0x4000>;
diff --git a/queue-4.14/revert-powerpc-do-not-call-ppc_md.panic-in-fadump-panic-notifier.patch b/queue-4.14/revert-powerpc-do-not-call-ppc_md.panic-in-fadump-panic-notifier.patch
new file mode 100644 (file)
index 0000000..fdc6226
--- /dev/null
@@ -0,0 +1,180 @@
+From ab9dbf771ff9b6b7e814e759213ed01d7f0de320 Mon Sep 17 00:00:00 2001
+From: David Gibson <david@gibson.dropbear.id.au>
+Date: Mon, 4 Dec 2017 16:27:25 +1100
+Subject: Revert "powerpc: Do not call ppc_md.panic in fadump panic notifier"
+
+From: David Gibson <david@gibson.dropbear.id.au>
+
+commit ab9dbf771ff9b6b7e814e759213ed01d7f0de320 upstream.
+
+This reverts commit a3b2cb30f252b21a6f962e0dd107c8b897ca65e4.
+
+That commit tried to fix problems with panic on powerpc in certain
+circumstances, where some output from the generic panic code was being
+dropped.
+
+Unfortunately, it breaks things worse in other circumstances. In
+particular when running a PAPR guest, it will now attempt to reboot
+instead of informing the hypervisor (KVM or PowerVM) that the guest
+has crashed. The crash notification is important to some
+virtualization management layers.
+
+Revert it for now until we can come up with a better solution.
+
+Fixes: a3b2cb30f252 ("powerpc: Do not call ppc_md.panic in fadump panic notifier")
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+[mpe: Tweak change log a bit]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/machdep.h     |    1 +
+ arch/powerpc/include/asm/setup.h       |    1 +
+ arch/powerpc/kernel/fadump.c           |   22 ----------------------
+ arch/powerpc/kernel/setup-common.c     |   27 +++++++++++++++++++++++++++
+ arch/powerpc/platforms/ps3/setup.c     |   15 +++++++++++++++
+ arch/powerpc/platforms/pseries/setup.c |    1 +
+ 6 files changed, 45 insertions(+), 22 deletions(-)
+
+--- a/arch/powerpc/include/asm/machdep.h
++++ b/arch/powerpc/include/asm/machdep.h
+@@ -76,6 +76,7 @@ struct machdep_calls {
+       void __noreturn (*restart)(char *cmd);
+       void __noreturn (*halt)(void);
++      void            (*panic)(char *str);
+       void            (*cpu_die)(void);
+       long            (*time_init)(void); /* Optional, may be NULL */
+--- a/arch/powerpc/include/asm/setup.h
++++ b/arch/powerpc/include/asm/setup.h
+@@ -24,6 +24,7 @@ extern void reloc_got2(unsigned long);
+ void check_for_initrd(void);
+ void initmem_init(void);
++void setup_panic(void);
+ #define ARCH_PANIC_TIMEOUT 180
+ #ifdef CONFIG_PPC_PSERIES
+--- a/arch/powerpc/kernel/fadump.c
++++ b/arch/powerpc/kernel/fadump.c
+@@ -1453,25 +1453,6 @@ static void fadump_init_files(void)
+       return;
+ }
+-static int fadump_panic_event(struct notifier_block *this,
+-                            unsigned long event, void *ptr)
+-{
+-      /*
+-       * If firmware-assisted dump has been registered then trigger
+-       * firmware-assisted dump and let firmware handle everything
+-       * else. If this returns, then fadump was not registered, so
+-       * go through the rest of the panic path.
+-       */
+-      crash_fadump(NULL, ptr);
+-
+-      return NOTIFY_DONE;
+-}
+-
+-static struct notifier_block fadump_panic_block = {
+-      .notifier_call = fadump_panic_event,
+-      .priority = INT_MIN /* may not return; must be done last */
+-};
+-
+ /*
+  * Prepare for firmware-assisted dump.
+  */
+@@ -1504,9 +1485,6 @@ int __init setup_fadump(void)
+               init_fadump_mem_struct(&fdm, fw_dump.reserve_dump_area_start);
+       fadump_init_files();
+-      atomic_notifier_chain_register(&panic_notifier_list,
+-                                      &fadump_panic_block);
+-
+       return 1;
+ }
+ subsys_initcall(setup_fadump);
+--- a/arch/powerpc/kernel/setup-common.c
++++ b/arch/powerpc/kernel/setup-common.c
+@@ -704,6 +704,30 @@ int check_legacy_ioport(unsigned long ba
+ }
+ EXPORT_SYMBOL(check_legacy_ioport);
++static int ppc_panic_event(struct notifier_block *this,
++                             unsigned long event, void *ptr)
++{
++      /*
++       * If firmware-assisted dump has been registered then trigger
++       * firmware-assisted dump and let firmware handle everything else.
++       */
++      crash_fadump(NULL, ptr);
++      ppc_md.panic(ptr);  /* May not return */
++      return NOTIFY_DONE;
++}
++
++static struct notifier_block ppc_panic_block = {
++      .notifier_call = ppc_panic_event,
++      .priority = INT_MIN /* may not return; must be done last */
++};
++
++void __init setup_panic(void)
++{
++      if (!ppc_md.panic)
++              return;
++      atomic_notifier_chain_register(&panic_notifier_list, &ppc_panic_block);
++}
++
+ #ifdef CONFIG_CHECK_CACHE_COHERENCY
+ /*
+  * For platforms that have configurable cache-coherency.  This function
+@@ -848,6 +872,9 @@ void __init setup_arch(char **cmdline_p)
+       /* Probe the machine type, establish ppc_md. */
+       probe_machine();
++      /* Setup panic notifier if requested by the platform. */
++      setup_panic();
++
+       /*
+        * Configure ppc_md.power_save (ppc32 only, 64-bit machines do
+        * it from their respective probe() function.
+--- a/arch/powerpc/platforms/ps3/setup.c
++++ b/arch/powerpc/platforms/ps3/setup.c
+@@ -104,6 +104,20 @@ static void __noreturn ps3_halt(void)
+       ps3_sys_manager_halt(); /* never returns */
+ }
++static void ps3_panic(char *str)
++{
++      DBG("%s:%d %s\n", __func__, __LINE__, str);
++
++      smp_send_stop();
++      printk("\n");
++      printk("   System does not reboot automatically.\n");
++      printk("   Please press POWER button.\n");
++      printk("\n");
++
++      while(1)
++              lv1_pause(1);
++}
++
+ #if defined(CONFIG_FB_PS3) || defined(CONFIG_FB_PS3_MODULE) || \
+     defined(CONFIG_PS3_FLASH) || defined(CONFIG_PS3_FLASH_MODULE)
+ static void __init prealloc(struct ps3_prealloc *p)
+@@ -255,6 +269,7 @@ define_machine(ps3) {
+       .probe                          = ps3_probe,
+       .setup_arch                     = ps3_setup_arch,
+       .init_IRQ                       = ps3_init_IRQ,
++      .panic                          = ps3_panic,
+       .get_boot_time                  = ps3_get_boot_time,
+       .set_dabr                       = ps3_set_dabr,
+       .calibrate_decr                 = ps3_calibrate_decr,
+--- a/arch/powerpc/platforms/pseries/setup.c
++++ b/arch/powerpc/platforms/pseries/setup.c
+@@ -726,6 +726,7 @@ define_machine(pseries) {
+       .pcibios_fixup          = pSeries_final_fixup,
+       .restart                = rtas_restart,
+       .halt                   = rtas_halt,
++      .panic                  = rtas_os_term,
+       .get_boot_time          = rtas_get_boot_time,
+       .get_rtc_time           = rtas_get_rtc_time,
+       .set_rtc_time           = rtas_set_rtc_time,
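Review bot: The printk() calls re-added in ps3_panic() carry no log level, so the "press POWER button" instructions emitted at panic time are printed at the default level and can be filtered by console_loglevel, while the DBG() line above them is a debug-only trace. Since the machine then spins in `lv1_pause(1)` forever, these should be `pr_emerg("   System does not reboot automatically.\n");` and `pr_emerg("   Please press POWER button.\n");` (the bare newlines likewise). This is code reinstated by the revert, so it is a follow-up rather than a blocker for the stable backport.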
diff --git a/queue-4.14/s390-always-save-and-restore-all-registers-on-context-switch.patch b/queue-4.14/s390-always-save-and-restore-all-registers-on-context-switch.patch
new file mode 100644 (file)
index 0000000..3d5152e
--- /dev/null
@@ -0,0 +1,65 @@
+From fbbd7f1a51965b50dd12924841da0d478f3da71b Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Mon, 20 Nov 2017 12:38:44 +0100
+Subject: s390: always save and restore all registers on context switch
+
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+commit fbbd7f1a51965b50dd12924841da0d478f3da71b upstream.
+
+The switch_to() macro has an optimization to avoid saving and
+restoring register contents that aren't needed for kernel threads.
+
+There is however the possibility that a kernel thread execve's a user
+space program. In such a case the execve'd process can partially see
+the contents of the previous process, which shouldn't be allowed.
+
+To avoid this, simply always save and restore register contents on
+context switch.
+
+Fixes: fdb6d070effba ("switch_to: dont restore/save access & fpu regs for kernel threads")
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/include/asm/switch_to.h |   27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+--- a/arch/s390/include/asm/switch_to.h
++++ b/arch/s390/include/asm/switch_to.h
+@@ -30,21 +30,20 @@ static inline void restore_access_regs(u
+       asm volatile("lam 0,15,%0" : : "Q" (*(acrstype *)acrs));
+ }
+-#define switch_to(prev,next,last) do {                                        \
+-      if (prev->mm) {                                                 \
+-              save_fpu_regs();                                        \
+-              save_access_regs(&prev->thread.acrs[0]);                \
+-              save_ri_cb(prev->thread.ri_cb);                         \
+-              save_gs_cb(prev->thread.gs_cb);                         \
+-      }                                                               \
++#define switch_to(prev, next, last) do {                              \
++      /* save_fpu_regs() sets the CIF_FPU flag, which enforces        \
++       * a restore of the floating point / vector registers as        \
++       * soon as the next task returns to user space                  \
++       */                                                             \
++      save_fpu_regs();                                                \
++      save_access_regs(&prev->thread.acrs[0]);                        \
++      save_ri_cb(prev->thread.ri_cb);                                 \
++      save_gs_cb(prev->thread.gs_cb);                                 \
+       update_cr_regs(next);                                           \
+-      if (next->mm) {                                                 \
+-              set_cpu_flag(CIF_FPU);                                  \
+-              restore_access_regs(&next->thread.acrs[0]);             \
+-              restore_ri_cb(next->thread.ri_cb, prev->thread.ri_cb);  \
+-              restore_gs_cb(next->thread.gs_cb);                      \
+-      }                                                               \
+-      prev = __switch_to(prev,next);                                  \
++      restore_access_regs(&next->thread.acrs[0]);                     \
++      restore_ri_cb(next->thread.ri_cb, prev->thread.ri_cb);          \
++      restore_gs_cb(next->thread.gs_cb);                              \
++      prev = __switch_to(prev, next);                                 \
+ } while (0)
+ #endif /* __ASM_SWITCH_TO_H */
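Review bot: The new comment inside switch_to() explains only the CIF_FPU side effect of save_fpu_regs(); nothing records why the `if (prev->mm)` / `if (next->mm)` kernel-thread shortcut was dropped, so a later optimization pass could reintroduce it. Add above the macro: `/* Always save and restore, also for kernel threads: a kernel thread may execve() a user space program, which must not see the previous task's register contents. */`. Separately, the `last` parameter is still unused and `prev`/`next` are expanded unparenthesized; both are pre-existing, not introduced here.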
diff --git a/queue-4.14/s390-fix-compat-system-call-table.patch b/queue-4.14/s390-fix-compat-system-call-table.patch
new file mode 100644 (file)
index 0000000..8c0c8ee
--- /dev/null
@@ -0,0 +1,39 @@
+From e779498df587dd2189b30fe5b9245aefab870eb8 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Wed, 6 Dec 2017 16:11:27 +0100
+Subject: s390: fix compat system call table
+
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+commit e779498df587dd2189b30fe5b9245aefab870eb8 upstream.
+
+When wiring up the socket system calls the compat entries were
+incorrectly set. Not all of them point to the corresponding compat
+wrapper functions, which clear the upper 33 bits of user space
+pointers, like it is required.
+
+Fixes: 977108f89c989 ("s390: wire up separate socketcalls system calls")
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kernel/syscalls.S |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/s390/kernel/syscalls.S
++++ b/arch/s390/kernel/syscalls.S
+@@ -370,10 +370,10 @@ SYSCALL(sys_recvmmsg,compat_sys_recvmmsg
+ SYSCALL(sys_sendmmsg,compat_sys_sendmmsg)
+ SYSCALL(sys_socket,sys_socket)
+ SYSCALL(sys_socketpair,compat_sys_socketpair)         /* 360 */
+-SYSCALL(sys_bind,sys_bind)
+-SYSCALL(sys_connect,sys_connect)
++SYSCALL(sys_bind,compat_sys_bind)
++SYSCALL(sys_connect,compat_sys_connect)
+ SYSCALL(sys_listen,sys_listen)
+-SYSCALL(sys_accept4,sys_accept4)
++SYSCALL(sys_accept4,compat_sys_accept4)
+ SYSCALL(sys_getsockopt,compat_sys_getsockopt)         /* 365 */
+ SYSCALL(sys_setsockopt,compat_sys_setsockopt)
+ SYSCALL(sys_getsockname,compat_sys_getsockname)
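Review bot: sys_listen is left pointing at the native entry while its neighbours now switch to compat wrappers, and nothing in the table records why, so a later audit is likely to "fix" it again. Since listen() takes only two integer arguments there are no user-space pointers whose upper 33 bits need clearing, so the native entry is correct; a trailing comment such as `SYSCALL(sys_listen,sys_listen)  /* int args only, no compat wrapper needed */` would preserve that reasoning. The same applies to the sys_socket entry a few lines up, which also takes only ints.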
diff --git a/queue-4.14/s390-mm-fix-off-by-one-bug-in-5-level-page-table-handling.patch b/queue-4.14/s390-mm-fix-off-by-one-bug-in-5-level-page-table-handling.patch
new file mode 100644 (file)
index 0000000..99ea006
--- /dev/null
@@ -0,0 +1,44 @@
+From 8d306f53b63099fec2d56300149e400d181ba4f5 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Mon, 4 Dec 2017 09:42:45 +0100
+Subject: s390/mm: fix off-by-one bug in 5-level page table handling
+
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+commit 8d306f53b63099fec2d56300149e400d181ba4f5 upstream.
+
+Martin Cermak reported that setting a uprobe doesn't work. Reason for
+this is that the common uprobes code tries to get an unmapped area at
+the last possible page within an address space.
+
+This broke with commit 1aea9b3f9210 ("s390/mm: implement 5 level pages
+tables") which introduced an off-by-one bug which prevents to map
+anything at the last possible page within an address space.
+
+The check with the off-by-one bug however can be removed since with
+commit 8ab867cb0806 ("s390/mm: fix BUG_ON in crst_table_upgrade") the
+necessary check is done at both call sites.
+
+Reported-by: Martin Cermak <mcermak@redhat.com>
+Bisected-by: Thomas Richter <tmricht@linux.vnet.ibm.com>
+Fixes: 1aea9b3f9210 ("s390/mm: implement 5 level pages tables")
+Reviewed-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/mm/pgalloc.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/arch/s390/mm/pgalloc.c
++++ b/arch/s390/mm/pgalloc.c
+@@ -85,8 +85,6 @@ int crst_table_upgrade(struct mm_struct
+       /* upgrade should only happen from 3 to 4, 3 to 5, or 4 to 5 levels */
+       VM_BUG_ON(mm->context.asce_limit < _REGION2_SIZE);
+-      if (end >= TASK_SIZE_MAX)
+-              return -ENOMEM;
+       rc = 0;
+       notify = 0;
+       while (mm->context.asce_limit < end) {
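Review bot: Dropping the `end >= TASK_SIZE_MAX` check leaves crst_table_upgrade() with no local guard, so correctness now rests entirely on the two call sites the commit message cites, and nothing in the function itself records that invariant. A one-line note beside the remaining VM_BUG_ON, e.g. `/* callers have already validated end against TASK_SIZE_MAX */`, or a debug-only `VM_BUG_ON(end > TASK_SIZE_MAX);`, would keep the precondition visible to any future caller. The body of crst_table_upgrade() starts and ends outside this hunk.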
diff --git a/queue-4.14/scsi-dma-mapping-always-provide-dma_get_cache_alignment.patch b/queue-4.14/scsi-dma-mapping-always-provide-dma_get_cache_alignment.patch
new file mode 100644 (file)
index 0000000..4c973fd
--- /dev/null
@@ -0,0 +1,39 @@
+From 860dd4424f344400b491b212ee4acb3a358ba9d9 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Tue, 21 Nov 2017 14:23:37 +0100
+Subject: scsi: dma-mapping: always provide dma_get_cache_alignment
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 860dd4424f344400b491b212ee4acb3a358ba9d9 upstream.
+
+Provide the dummy version of dma_get_cache_alignment that always returns
+1 even if CONFIG_HAS_DMA is not set, so that drivers and subsystems can
+use it without ifdefs.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/dma-mapping.h |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/include/linux/dma-mapping.h
++++ b/include/linux/dma-mapping.h
+@@ -697,7 +697,6 @@ static inline void *dma_zalloc_coherent(
+       return ret;
+ }
+-#ifdef CONFIG_HAS_DMA
+ static inline int dma_get_cache_alignment(void)
+ {
+ #ifdef ARCH_DMA_MINALIGN
+@@ -705,7 +704,6 @@ static inline int dma_get_cache_alignmen
+ #endif
+       return 1;
+ }
+-#endif
+ /* flags for the coherent memory api */
+ #define DMA_MEMORY_EXCLUSIVE          0x01
diff --git a/queue-4.14/scsi-libsas-align-sata_device-s-rps_resp-on-a-cacheline.patch b/queue-4.14/scsi-libsas-align-sata_device-s-rps_resp-on-a-cacheline.patch
new file mode 100644 (file)
index 0000000..bb978b6
--- /dev/null
@@ -0,0 +1,45 @@
+From c2e8fbf908afd81ad502b567a6639598f92c9b9d Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Tue, 21 Nov 2017 14:23:39 +0100
+Subject: scsi: libsas: align sata_device's rps_resp on a cacheline
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit c2e8fbf908afd81ad502b567a6639598f92c9b9d upstream.
+
+The rps_resp buffer in ata_device is a DMA target, but it isn't
+explicitly cacheline aligned. Due to this, adjacent fields can be
+overwritten with stale data from memory on non-coherent architectures.
+As a result, the kernel is sometimes unable to communicate with an SATA
+device behind a SAS expander.
+
+Fix this by ensuring that the rps_resp buffer is cacheline aligned.
+
+This issue is similar to that fixed by Commit 84bda12af31f93 ("libata:
+align ap->sector_buf") and Commit 4ee34ea3a12396f35b26 ("libata: Align
+ata_device's id on a cacheline").
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/scsi/libsas.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/scsi/libsas.h
++++ b/include/scsi/libsas.h
+@@ -165,11 +165,11 @@ struct expander_device {
+ struct sata_device {
+       unsigned int class;
+-      struct smp_resp        rps_resp; /* report_phy_sata_resp */
+       u8     port_no;        /* port number, if this is a PM (Port) */
+       struct ata_port *ap;
+       struct ata_host ata_host;
++      struct smp_resp rps_resp ____cacheline_aligned; /* report_phy_sata_resp */
+       u8     fis[ATA_RESP_FIS_SIZE];
+ };
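Review bot: `____cacheline_aligned` on rps_resp only aligns its start; unless sizeof(struct smp_resp) is a multiple of the cacheline size, the tail of rps_resp still shares a line with the following `fis` array, so the stale-data overwrite the commit describes can still reach `fis`, or corrupt the end of rps_resp if the CPU writes `fis` while a DMA into rps_resp is in flight. If that matters on non-coherent platforms, `fis` should carry the same annotation or rps_resp should be the last member of the struct. I can't tell from this hunk whether `fis` is itself a DMA target, so this may be a non-issue; a comment stating the assumption would help either way.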
diff --git a/queue-4.14/scsi-use-dma_get_cache_alignment-as-minimum-dma-alignment.patch b/queue-4.14/scsi-use-dma_get_cache_alignment-as-minimum-dma-alignment.patch
new file mode 100644 (file)
index 0000000..ac5dc08
--- /dev/null
@@ -0,0 +1,46 @@
+From 90addc6b3c9cda0146fbd62a08e234c2b224a80c Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Tue, 21 Nov 2017 14:23:38 +0100
+Subject: scsi: use dma_get_cache_alignment() as minimum DMA alignment
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit 90addc6b3c9cda0146fbd62a08e234c2b224a80c upstream.
+
+In non-coherent DMA mode, kernel uses cache flushing operations to
+maintain I/O coherency, so scsi's block queue should be aligned to the
+value returned by dma_get_cache_alignment().  Otherwise, If a DMA buffer
+and a kernel structure share a same cache line, and if the kernel
+structure has dirty data, cache_invalidate (no writeback) will cause
+data corruption.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+[hch: rebased and updated the comment and changelog]
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_lib.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -2126,11 +2126,13 @@ void __scsi_init_queue(struct Scsi_Host
+               q->limits.cluster = 0;
+       /*
+-       * set a reasonable default alignment on word boundaries: the
+-       * host and device may alter it using
+-       * blk_queue_update_dma_alignment() later.
++       * Set a reasonable default alignment:  The larger of 32-byte (dword),
++       * which is a common minimum for HBAs, and the minimum DMA alignment,
++       * which is set by the platform.
++       *
++       * Devices that require a bigger alignment can increase it later.
+        */
+-      blk_queue_dma_alignment(q, 0x03);
++      blk_queue_dma_alignment(q, max(4, dma_get_cache_alignment()) - 1);
+ }
+ EXPORT_SYMBOL_GPL(__scsi_init_queue);
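Review bot: The new comment says "32-byte (dword)" but the code passes `max(4, …)`, a 4-byte minimum; a dword is 32 bits, not 32 bytes, so the text overstates the value eightfold. Suggest `* Set a reasonable default alignment: the larger of 4 bytes (a 32-bit dword),`. It is also worth saying in the comment that blk_queue_dma_alignment() takes a mask, which is why `- 1` is applied; the expression is only correct while dma_get_cache_alignment() returns a power of two, which holds for the ARCH_DMA_MINALIGN/1 definition in the dma-mapping patch of this series.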
index 4aa526e2fc76970956b8642bade0c7440126ceba..bfe1922f91cecbdc39c10911c4610a7872adb147 100644 (file)
@@ -17,3 +17,80 @@ can-ems_usb-cancel-urb-on-epipe-and-eproto.patch
 can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch
 can-usb_8dev-cancel-urb-on-epipe-and-eproto.patch
 can-peak-pcie_fd-fix-potential-bug-in-restarting-tx-queue.patch
+virtio-release-virtio-index-when-fail-to-device_register.patch
+iio-stm32-fix-adc-trigger-link-error.patch
+iio-health-max30102-temperature-should-be-in-milli-celsius.patch
+iio-adc-cpcap-fix-incorrect-validation.patch
+iio-adc-meson-saradc-fix-the-bit_idx-of-the-adc_en-clock.patch
+iio-adc-meson-saradc-initialize-the-bandgap-correctly-on-older-socs.patch
+iio-adc-meson-saradc-meson8-and-meson8b-do-not-have-reg11-and-reg13.patch
+pinctrl-armada-37xx-fix-direction_output-callback-behavior.patch
+drivers-hv-vmbus-fix-a-rescind-issue.patch
+hv-kvp-avoid-reading-past-allocated-blocks-from-kvp-file.patch
+firmware-cleanup-firmware_in_kernel-message.patch
+firmware-vpd-destroy-vpd-sections-in-remove-function.patch
+firmware-vpd-tie-firmware-kobject-to-device-lifetime.patch
+firmware-vpd-fix-platform-driver-and-device-registration-unregistration.patch
+isa-prevent-null-dereference-in-isa_bus-driver-callbacks.patch
+scsi-dma-mapping-always-provide-dma_get_cache_alignment.patch
+scsi-use-dma_get_cache_alignment-as-minimum-dma-alignment.patch
+scsi-libsas-align-sata_device-s-rps_resp-on-a-cacheline.patch
+efi-move-some-sysfs-files-to-be-read-only-by-root.patch
+efi-esrt-use-memunmap-instead-of-kfree-to-free-the-remapping.patch
+asn.1-fix-out-of-bounds-read-when-parsing-indefinite-length-item.patch
+asn.1-check-for-error-from-asn1_op_end__act-actions.patch
+keys-add-missing-permission-check-for-request_key-destination.patch
+keys-reject-null-restriction-string-when-type-is-specified.patch
+x.509-reject-invalid-bit-string-for-subjectpublickey.patch
+x.509-fix-comparisons-of-pkey_algo.patch
+x86-idt-load-idt-early-in-start_secondary.patch
+x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch
+kvm-x86-fix-apic-page-invalidation.patch
+btrfs-fix-missing-error-return-in-btrfs_drop_snapshot.patch
+btrfs-handle-errors-while-updating-refcounts-in-update_ref_for_cow.patch
+alsa-hda-realtek-new-codec-support-for-alc257.patch
+alsa-pcm-prevent-uaf-in-snd_pcm_info.patch
+alsa-seq-remove-spurious-warn_on-at-timer-check.patch
+alsa-usb-audio-fix-out-of-bound-error.patch
+alsa-usb-audio-add-check-return-value-for-usb_string.patch
+iommu-vt-d-fix-scatterlist-offset-handling.patch
+smp-hotplug-move-step-cpuhp_ap_smpcfd_dying-to-the-correct-place.patch
+s390-always-save-and-restore-all-registers-on-context-switch.patch
+s390-mm-fix-off-by-one-bug-in-5-level-page-table-handling.patch
+s390-fix-compat-system-call-table.patch
+kvm-s390-fix-skey-emulation-permission-check.patch
+revert-powerpc-do-not-call-ppc_md.panic-in-fadump-panic-notifier.patch
+powerpc-64s-initialize-isav3-mmu-registers-before-setting-partition-table.patch
+iwlwifi-mvm-mark-mic-stripped-mpdus.patch
+iwlwifi-mvm-don-t-use-transmit-queue-hang-detection-when-it-is-not-possible.patch
+iwlwifi-mvm-flush-queue-before-deleting-roc.patch
+iwlwifi-add-new-cards-for-9260-and-22000-series.patch
+iwlwifi-mvm-fix-packet-injection.patch
+iwlwifi-mvm-enable-rx-offloading-with-tkip-and-wep.patch
+brcmfmac-change-driver-unbind-order-of-the-sdio-function-devices.patch
+kdb-fix-handling-of-kallsyms_symbol_next-return-value.patch
+md-r5cache-move-mddev_lock-out-of-r5c_journal_mode_set.patch
+drm-bridge-analogix-dp-fix-runtime-pm-state-in-get_modes-callback.patch
+drm-exynos-gem-drop-noncontig-flag-for-buffers-allocated-without-iommu.patch
+drm-i915-fix-vblank-timestamp-frame-counter-jumps-on-gen2.patch
+drm-safely-free-connectors-from-connector_iter.patch
+media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch
+media-rc-sir_ir-detect-presence-of-port.patch
+media-rc-partial-revert-of-media-rc-per-protocol-repeat-period.patch
+arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch
+arm-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch
+kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch
+kvm-arm-arm64-fix-broken-gich_elrsr-big-endian-conversion.patch
+kvm-arm-arm64-vgic-irqfd-fix-msi-entry-allocation.patch
+kvm-arm-arm64-vgic-preserve-the-revious-read-from-the-pending-table.patch
+kvm-arm-arm64-vgic-its-check-result-of-allocation-before-use.patch
+arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch
+arm64-sw-pan-point-saved-ttbr0-at-the-zero-page-when-switching-to-init_mm.patch
+arm64-sw-pan-update-saved-ttbr0-value-on-enter_lazy_tlb.patch
+revert-arm-dts-imx53-add-srtc-node.patch
+bus-arm-cci-fix-use-of-smp_processor_id-in-preemptible-context.patch
+bus-arm-ccn-check-memory-allocation-failure.patch
+bus-arm-ccn-fix-use-of-smp_processor_id-in-preemptible-context.patch
+bus-arm-ccn-fix-module-unloading-error-removing-state-147-which-has-instances-left.patch
+ib-core-avoid-unnecessary-return-value-check.patch
+ib-core-only-enforce-security-for-infiniband.patch
diff --git a/queue-4.14/smp-hotplug-move-step-cpuhp_ap_smpcfd_dying-to-the-correct-place.patch b/queue-4.14/smp-hotplug-move-step-cpuhp_ap_smpcfd_dying-to-the-correct-place.patch
new file mode 100644 (file)
index 0000000..0b8b298
--- /dev/null
@@ -0,0 +1,60 @@
+From 46febd37f9c758b05cd25feae8512f22584742fe Mon Sep 17 00:00:00 2001
+From: Lai Jiangshan <jiangshanlai@gmail.com>
+Date: Tue, 28 Nov 2017 21:19:53 +0800
+Subject: smp/hotplug: Move step CPUHP_AP_SMPCFD_DYING to the correct place
+
+From: Lai Jiangshan <jiangshanlai@gmail.com>
+
+commit 46febd37f9c758b05cd25feae8512f22584742fe upstream.
+
+Commit 31487f8328f2 ("smp/cfd: Convert core to hotplug state machine")
+accidently put this step on the wrong place. The step should be at the
+cpuhp_ap_states[] rather than the cpuhp_bp_states[].
+
+grep smpcfd /sys/devices/system/cpu/hotplug/states
+ 40: smpcfd:prepare
+129: smpcfd:dying
+
+"smpcfd:dying" was missing before.
+So was the invocation of the function smpcfd_dying_cpu().
+
+Fixes: 31487f8328f2 ("smp/cfd: Convert core to hotplug state machine")
+Signed-off-by: Lai Jiangshan <jiangshanlai@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Link: https://lkml.kernel.org/r/20171128131954.81229-1-jiangshanlai@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cpu.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -1289,11 +1289,6 @@ static struct cpuhp_step cpuhp_bp_states
+               .teardown.single        = NULL,
+               .cant_stop              = true,
+       },
+-      [CPUHP_AP_SMPCFD_DYING] = {
+-              .name                   = "smpcfd:dying",
+-              .startup.single         = NULL,
+-              .teardown.single        = smpcfd_dying_cpu,
+-      },
+       /*
+        * Handled on controll processor until the plugged processor manages
+        * this itself.
+@@ -1335,6 +1330,11 @@ static struct cpuhp_step cpuhp_ap_states
+               .startup.single         = NULL,
+               .teardown.single        = rcutree_dying_cpu,
+       },
++      [CPUHP_AP_SMPCFD_DYING] = {
++              .name                   = "smpcfd:dying",
++              .startup.single         = NULL,
++              .teardown.single        = smpcfd_dying_cpu,
++      },
+       /* Entry state on starting. Interrupts enabled from here on. Transient
+        * state for synchronsization */
+       [CPUHP_AP_ONLINE] = {
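Review bot: Moving the `[CPUHP_AP_SMPCFD_DYING]` initializer into cpuhp_ap_states[] is the actual fix, but its textual position after the rcutree_dying_cpu entry is cosmetic: both arrays are designated-initialized, so the teardown order is fixed by the enum in include/linux/cpuhotplug.h, not by where the entry is written here. A short comment on the entry, e.g. `/* AP table: smpcfd_dying_cpu() must run on the dying CPU itself */`, would explain why it belongs in this array rather than cpuhp_bp_states[] and prevent it drifting back.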
diff --git a/queue-4.14/virtio-release-virtio-index-when-fail-to-device_register.patch b/queue-4.14/virtio-release-virtio-index-when-fail-to-device_register.patch
new file mode 100644 (file)
index 0000000..e3d90e7
--- /dev/null
@@ -0,0 +1,31 @@
+From e60ea67bb60459b95a50a156296041a13e0e380e Mon Sep 17 00:00:00 2001
+From: weiping zhang <zwp10758@gmail.com>
+Date: Wed, 29 Nov 2017 09:23:01 +0800
+Subject: virtio: release virtio index when fail to device_register
+
+From: weiping zhang <zwp10758@gmail.com>
+
+commit e60ea67bb60459b95a50a156296041a13e0e380e upstream.
+
+index can be reused by other virtio device.
+
+Signed-off-by: weiping zhang <zhangweiping@didichuxing.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virtio/virtio.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/virtio/virtio.c
++++ b/drivers/virtio/virtio.c
+@@ -333,6 +333,8 @@ int register_virtio_device(struct virtio
+       /* device_register() causes the bus infrastructure to look for a
+        * matching driver. */
+       err = device_register(&dev->dev);
++      if (err)
++              ida_simple_remove(&virtio_index_ida, dev->index);
+ out:
+       if (err)
+               virtio_add_status(dev, VIRTIO_CONFIG_S_FAILED);
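Review bot: The new `if (err)` directly before `out:` is followed by another `if (err)` at the label, which reads as a merge candidate; it is presumably correct only because earlier `goto out` paths have not yet allocated the index (I can't see the start of register_virtio_device() in this hunk). A comment such as `/* only the device_register() failure path owns the index at this point */` would stop a later cleanup from folding the two checks into the `out:` block and double-freeing or leaking the ida entry. register_virtio_device() begins outside the hunk.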
diff --git a/queue-4.14/x.509-fix-comparisons-of-pkey_algo.patch b/queue-4.14/x.509-fix-comparisons-of-pkey_algo.patch
new file mode 100644 (file)
index 0000000..25ff65f
--- /dev/null
@@ -0,0 +1,48 @@
+From 54c1fb39fe0495f846539ab765925b008f86801c Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 8 Dec 2017 15:13:29 +0000
+Subject: X.509: fix comparisons of ->pkey_algo
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 54c1fb39fe0495f846539ab765925b008f86801c upstream.
+
+->pkey_algo used to be an enum, but was changed to a string by commit
+4e8ae72a75aa ("X.509: Make algo identifiers text instead of enum").  But
+two comparisons were not updated.  Fix them to use strcmp().
+
+This bug broke signature verification in certain configurations,
+depending on whether the string constants were deduplicated or not.
+
+Fixes: 4e8ae72a75aa ("X.509: Make algo identifiers text instead of enum")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/asymmetric_keys/pkcs7_verify.c    |    2 +-
+ crypto/asymmetric_keys/x509_public_key.c |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/crypto/asymmetric_keys/pkcs7_verify.c
++++ b/crypto/asymmetric_keys/pkcs7_verify.c
+@@ -150,7 +150,7 @@ static int pkcs7_find_key(struct pkcs7_m
+               pr_devel("Sig %u: Found cert serial match X.509[%u]\n",
+                        sinfo->index, certix);
+-              if (x509->pub->pkey_algo != sinfo->sig->pkey_algo) {
++              if (strcmp(x509->pub->pkey_algo, sinfo->sig->pkey_algo) != 0) {
+                       pr_warn("Sig %u: X.509 algo and PKCS#7 sig algo don't match\n",
+                               sinfo->index);
+                       continue;
+--- a/crypto/asymmetric_keys/x509_public_key.c
++++ b/crypto/asymmetric_keys/x509_public_key.c
+@@ -135,7 +135,7 @@ int x509_check_for_self_signed(struct x5
+       }
+       ret = -EKEYREJECTED;
+-      if (cert->pub->pkey_algo != cert->sig->pkey_algo)
++      if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0)
+               goto out;
+       ret = public_key_verify_signature(cert->pub, cert->sig);
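Review bot: strcmp() dereferences both operands, so the new comparisons in pkcs7_find_key() and x509_check_for_self_signed() now require x509->pub->pkey_algo and sinfo->sig->pkey_algo (resp. cert->sig->pkey_algo) to be non-NULL, whereas the old pointer compare tolerated a NULL on either side. The x509_cert_parser.c hunk in this series shows pub->pkey_algo being set to a literal, but I can't see from here whether sig->pkey_algo is always populated for every parsed certificate or signed-info; if an unrecognised algorithm can leave it NULL, a guard like `if (!sinfo->sig->pkey_algo || strcmp(...) != 0)` is needed. The same point applies to the x509_public_key.c hunk of this patch, so one audit covers both.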
diff --git a/queue-4.14/x.509-reject-invalid-bit-string-for-subjectpublickey.patch b/queue-4.14/x.509-reject-invalid-bit-string-for-subjectpublickey.patch
new file mode 100644 (file)
index 0000000..0dff618
--- /dev/null
@@ -0,0 +1,68 @@
+From 0f30cbea005bd3077bd98cd29277d7fc2699c1da Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 8 Dec 2017 15:13:27 +0000
+Subject: X.509: reject invalid BIT STRING for subjectPublicKey
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 0f30cbea005bd3077bd98cd29277d7fc2699c1da upstream.
+
+Adding a specially crafted X.509 certificate whose subjectPublicKey
+ASN.1 value is zero-length caused x509_extract_key_data() to set the
+public key size to SIZE_MAX, as it subtracted the nonexistent BIT STRING
+metadata byte.  Then, x509_cert_parse() called kmemdup() with that bogus
+size, triggering the WARN_ON_ONCE() in kmalloc_slab().
+
+This appears to be harmless, but it still must be fixed since WARNs are
+never supposed to be user-triggerable.
+
+Fix it by updating x509_cert_parse() to validate that the value has a
+BIT STRING metadata byte, and that the byte is 0 which indicates that
+the number of bits in the bitstring is a multiple of 8.
+
+It would be nice to handle the metadata byte in asn1_ber_decoder()
+instead.  But that would be tricky because in the general case a BIT
+STRING could be implicitly tagged, and/or could legitimately have a
+length that is not a whole number of bytes.
+
+Here was the WARN (cleaned up slightly):
+
+    WARNING: CPU: 1 PID: 202 at mm/slab_common.c:971 kmalloc_slab+0x5d/0x70 mm/slab_common.c:971
+    Modules linked in:
+    CPU: 1 PID: 202 Comm: keyctl Tainted: G    B            4.14.0-09238-g1d3b78bbc6e9 #26
+    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
+    task: ffff880033014180 task.stack: ffff8800305c8000
+    Call Trace:
+     __do_kmalloc mm/slab.c:3706 [inline]
+     __kmalloc_track_caller+0x22/0x2e0 mm/slab.c:3726
+     kmemdup+0x17/0x40 mm/util.c:118
+     kmemdup include/linux/string.h:414 [inline]
+     x509_cert_parse+0x2cb/0x620 crypto/asymmetric_keys/x509_cert_parser.c:106
+     x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
+     asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
+     key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
+     SYSC_add_key security/keys/keyctl.c:122 [inline]
+     SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
+     entry_SYSCALL_64_fastpath+0x1f/0x96
+
+Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/asymmetric_keys/x509_cert_parser.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/crypto/asymmetric_keys/x509_cert_parser.c
++++ b/crypto/asymmetric_keys/x509_cert_parser.c
+@@ -409,6 +409,8 @@ int x509_extract_key_data(void *context,
+       ctx->cert->pub->pkey_algo = "rsa";
+       /* Discard the BIT STRING metadata */
++      if (vlen < 1 || *(const u8 *)value != 0)
++              return -EBADMSG;
+       ctx->key = value + 1;
+       ctx->key_size = vlen - 1;
+       return 0;
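Review bot: The `/* Discard the BIT STRING metadata */` comment now heads a validation, not just a skip, and does not say what the byte must be or why. Suggest `/* The BIT STRING's leading byte is its unused-bit count; require 0 so the key is a whole number of bytes, then skip it */`. Worth stating too that this check covers only the x509_extract_key_data() path, so any other consumer of a BIT STRING value from asn1_ber_decoder() still needs its own check, as the commit message acknowledges.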
diff --git a/queue-4.14/x86-idt-load-idt-early-in-start_secondary.patch b/queue-4.14/x86-idt-load-idt-early-in-start_secondary.patch
new file mode 100644 (file)
index 0000000..95497e4
--- /dev/null
@@ -0,0 +1,46 @@
+From 55d2d0ad2fb4325f615d1950486fbc5e6fba1769 Mon Sep 17 00:00:00 2001
+From: Chunyu Hu <chuhu@redhat.com>
+Date: Mon, 27 Nov 2017 22:21:39 +0800
+Subject: x86/idt: Load idt early in start_secondary
+
+From: Chunyu Hu <chuhu@redhat.com>
+
+commit 55d2d0ad2fb4325f615d1950486fbc5e6fba1769 upstream.
+
+On a secondary, idt is first loaded in cpu_init() with load_current_idt(),
+i.e. no exceptions can be handled before that point.
+
+The conversion of WARN() to use UD requires the IDT being loaded earlier as
+any warning between start_secondary() and load_curren_idt() in cpu_init()
+will result in an unhandled @UD exception and therefore fail the bringup of
+the CPU.
+
+Install the IDT handlers right in start_secondary() before calling cpu_init().
+
+[ tglx: Massaged changelog ]
+
+Fixes: 9a93848fe787 ("x86/debug: Implement __WARN() using UD0")
+Signed-off-by: Chunyu Hu <chuhu@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: peterz@infradead.org
+Cc: bp@alien8.de
+Cc: rostedt@goodmis.org
+Cc: luto@kernel.org
+Link: https://lkml.kernel.org/r/1511792499-4073-1-git-send-email-chuhu@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/smpboot.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/smpboot.c
++++ b/arch/x86/kernel/smpboot.c
+@@ -239,7 +239,7 @@ static void notrace start_secondary(void
+       load_cr3(swapper_pg_dir);
+       __flush_tlb_all();
+ #endif
+-
++      load_current_idt();
+       cpu_init();
+       x86_cpuinit.early_percpu_clock_init();
+       preempt_disable();
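Review bot: `load_current_idt()` is added without a comment, and cpu_init() loads the IDT again shortly afterwards, so the new line looks redundant and is at risk of being removed by a later cleanup. Suggest `/* Load the IDT now so a WARN() (UD) raised before cpu_init() is handled instead of killing the bringup */`. start_secondary() continues outside the hunk.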
diff --git a/queue-4.14/x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch b/queue-4.14/x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch
new file mode 100644 (file)
index 0000000..a58dee0
--- /dev/null
@@ -0,0 +1,40 @@
+From ddec3bdee05b06f1dda20ded003c3e10e4184cab Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Fri, 1 Dec 2017 15:08:12 +0100
+Subject: x86/PCI: Make broadcom_postcore_init() check acpi_disabled
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit ddec3bdee05b06f1dda20ded003c3e10e4184cab upstream.
+
+acpi_os_get_root_pointer() may return a valid address even if acpi_disabled
+is set, but the host bridge information from the ACPI tables is not going
+to be used in that case and the Broadcom host bridge initialization should
+not be skipped then, So make broadcom_postcore_init() check acpi_disabled
+too to avoid this issue.
+
+Fixes: 6361d72b04d1 (x86/PCI: read Broadcom CNB20LE host bridge info before PCI scan)
+Reported-by: Dave Hansen <dave.hansen@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Bjorn Helgaas <bhelgaas@google.com>
+Cc: Linux PCI <linux-pci@vger.kernel.org>
+Link: https://lkml.kernel.org/r/3186627.pxZj1QbYNg@aspire.rjw.lan
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/pci/broadcom_bus.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/pci/broadcom_bus.c
++++ b/arch/x86/pci/broadcom_bus.c
+@@ -97,7 +97,7 @@ static int __init broadcom_postcore_init
+        * We should get host bridge information from ACPI unless the BIOS
+        * doesn't support it.
+        */
+-      if (acpi_os_get_root_pointer())
++      if (!acpi_disabled && acpi_os_get_root_pointer())
+               return 0;
+ #endif