--- /dev/null
+From 7a1646d922577b5b48c0d222e03831141664bb59 Mon Sep 17 00:00:00 2001
+From: Jack Stocker <jackstocker.93@gmail.com>
+Date: Thu, 15 Feb 2018 18:24:10 +0000
+Subject: Add delay-init quirk for Corsair K70 RGB keyboards
+
+From: Jack Stocker <jackstocker.93@gmail.com>
+
+commit 7a1646d922577b5b48c0d222e03831141664bb59 upstream.
+
+Following on from this patch: https://lkml.org/lkml/2017/11/3/516,
+Corsair K70 RGB keyboards also require the DELAY_INIT quirk to
+start correctly at boot.
+
+Device ids found here:
+usb 3-3: New USB device found, idVendor=1b1c, idProduct=1b13
+usb 3-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
+usb 3-3: Product: Corsair K70 RGB Gaming Keyboard
+
+Signed-off-by: Jack Stocker <jackstocker.93@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/quirks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -225,6 +225,9 @@ static const struct usb_device_id usb_qu
+ { USB_DEVICE(0x1a0a, 0x0200), .driver_info =
+ USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
+
++ /* Corsair K70 RGB */
++ { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT },
++
+ /* Corsair Strafe RGB */
+ { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT },
+
--- /dev/null
+From 5ee39a71fd89ab7240c5339d04161c44a8e03269 Mon Sep 17 00:00:00 2001
+From: Michael Weiser <michael.weiser@gmx.de>
+Date: Thu, 1 Feb 2018 23:13:38 +0100
+Subject: arm64: Disable unhandled signal log messages by default
+
+From: Michael Weiser <michael.weiser@gmx.de>
+
+commit 5ee39a71fd89ab7240c5339d04161c44a8e03269 upstream.
+
+aarch64 unhandled signal kernel messages are very verbose, suggesting
+them to be more of a debugging aid:
+
+sigsegv[33]: unhandled level 2 translation fault (11) at 0x00000000, esr
+0x92000046, in sigsegv[400000+71000]
+CPU: 1 PID: 33 Comm: sigsegv Tainted: G W 4.15.0-rc3+ #3
+Hardware name: linux,dummy-virt (DT)
+pstate: 60000000 (nZCv daif -PAN -UAO)
+pc : 0x4003f4
+lr : 0x4006bc
+sp : 0000fffffe94a060
+x29: 0000fffffe94a070 x28: 0000000000000000
+x27: 0000000000000000 x26: 0000000000000000
+x25: 0000000000000000 x24: 00000000004001b0
+x23: 0000000000486ac8 x22: 00000000004001c8
+x21: 0000000000000000 x20: 0000000000400be8
+x19: 0000000000400b30 x18: 0000000000484728
+x17: 000000000865ffc8 x16: 000000000000270f
+x15: 00000000000000b0 x14: 0000000000000002
+x13: 0000000000000001 x12: 0000000000000000
+x11: 0000000000000000 x10: 0008000020008008
+x9 : 000000000000000f x8 : ffffffffffffffff
+x7 : 0004000000000000 x6 : ffffffffffffffff
+x5 : 0000000000000000 x4 : 0000000000000000
+x3 : 00000000004003e4 x2 : 0000fffffe94a1e8
+x1 : 000000000000000a x0 : 0000000000000000
+
+Disable them by default, so they can be enabled using
+/proc/sys/debug/exception-trace.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/traps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/traps.c
++++ b/arch/arm64/kernel/traps.c
+@@ -50,7 +50,7 @@ static const char *handler[]= {
+ "Error"
+ };
+
+-int show_unhandled_signals = 1;
++int show_unhandled_signals = 0;
+
+ /*
+ * Dump out the contents of some kernel memory nicely...
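Review bot: `show_unhandled_signals` has no comment saying what it gates or how to turn it back on, and with the default now 0 that is the first thing an operator will need. A one-line comment above the definition would do, e.g. `/* Log unhandled user signals; off by default, enable via /proc/sys/debug/exception-trace */`. These messages are also a common way to spot repeatedly crashing services, so deployments that alert on them will need the sysctl set explicitly after this change.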
--- /dev/null
+From bee92d06157fc39d5d7836a061c7d41289a55797 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 2 Feb 2018 16:31:23 +0100
+Subject: cfg80211: fix cfg80211_beacon_dup
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit bee92d06157fc39d5d7836a061c7d41289a55797 upstream.
+
+gcc-8 warns about some obviously incorrect code:
+
+net/mac80211/cfg.c: In function 'cfg80211_beacon_dup':
+net/mac80211/cfg.c:2896:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
+
+From the context, I conclude that we want to copy from beacon into
+new_beacon, as we do in the rest of the function.
+
+Cc: stable@vger.kernel.org
+Fixes: 73da7d5bab79 ("mac80211: add channel switch command and beacon callbacks")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/cfg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -2792,7 +2792,7 @@ cfg80211_beacon_dup(struct cfg80211_beac
+ }
+ if (beacon->probe_resp_len) {
+ new_beacon->probe_resp_len = beacon->probe_resp_len;
+- beacon->probe_resp = pos;
++ new_beacon->probe_resp = pos;
+ memcpy(pos, beacon->probe_resp, beacon->probe_resp_len);
+ pos += beacon->probe_resp_len;
+ }
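Review bot: Nothing in this block writes through `beacon` any more, so the source parameter looks like a candidate for a `const` qualifier. With it, the original `beacon->probe_resp = pos;` would have been a compile error rather than a silent self-copy that left `new_beacon->probe_resp` unset. The signature is truncated in the hunk header and the function body starts and ends outside the hunk, so confirm no other statement assigns through `beacon` before changing it.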
--- /dev/null
+From 052c299080cd6859f82a8154a7a673fafabe644c Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 20 Dec 2017 13:29:58 -0500
+Subject: drm/amdgpu: add atpx quirk handling (v2)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 052c299080cd6859f82a8154a7a673fafabe644c upstream.
+
+Add quirks for handling PX/HG systems. In this case, add
+a quirk for a weston dGPU that only seems to properly power
+down using ATPX power control rather than HG (_PR3).
+
+v2: append a new weston XT
+
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Junwei Zhang <Jerry.Zhang@amd.com> (v2)
+Reviewed-and-Tested-by: Junwei Zhang <Jerry.Zhang@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Acked-by: Christian König <christian.koenig@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c | 57 ++++++++++++++++++++---
+ 1 file changed, 50 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c
+@@ -14,6 +14,16 @@
+
+ #include "amd_acpi.h"
+
++#define AMDGPU_PX_QUIRK_FORCE_ATPX (1 << 0)
++
++struct amdgpu_px_quirk {
++ u32 chip_vendor;
++ u32 chip_device;
++ u32 subsys_vendor;
++ u32 subsys_device;
++ u32 px_quirk_flags;
++};
++
+ struct amdgpu_atpx_functions {
+ bool px_params;
+ bool power_cntl;
+@@ -35,6 +45,7 @@ struct amdgpu_atpx {
+ static struct amdgpu_atpx_priv {
+ bool atpx_detected;
+ bool bridge_pm_usable;
++ unsigned int quirks;
+ /* handle for device - and atpx */
+ acpi_handle dhandle;
+ acpi_handle other_handle;
+@@ -205,13 +216,19 @@ static int amdgpu_atpx_validate(struct a
+
+ atpx->is_hybrid = false;
+ if (valid_bits & ATPX_MS_HYBRID_GFX_SUPPORTED) {
+- printk("ATPX Hybrid Graphics\n");
+- /*
+- * Disable legacy PM methods only when pcie port PM is usable,
+- * otherwise the device might fail to power off or power on.
+- */
+- atpx->functions.power_cntl = !amdgpu_atpx_priv.bridge_pm_usable;
+- atpx->is_hybrid = true;
++ if (amdgpu_atpx_priv.quirks & AMDGPU_PX_QUIRK_FORCE_ATPX) {
++ printk("ATPX Hybrid Graphics, forcing to ATPX\n");
++ atpx->functions.power_cntl = true;
++ atpx->is_hybrid = false;
++ } else {
++ printk("ATPX Hybrid Graphics\n");
++ /*
++ * Disable legacy PM methods only when pcie port PM is usable,
++ * otherwise the device might fail to power off or power on.
++ */
++ atpx->functions.power_cntl = !amdgpu_atpx_priv.bridge_pm_usable;
++ atpx->is_hybrid = true;
++ }
+ }
+
+ atpx->dgpu_req_power_for_displays = false;
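Review bot: The new `printk("ATPX Hybrid Graphics, forcing to ATPX\n")` has no log level, so it is emitted at the default level; `pr_info("ATPX Hybrid Graphics, forcing to ATPX\n");` would state the intent. The existing message in the else branch has the same gap. The `atpx->is_hybrid = false;` in the quirk branch repeats the assignment made just before the `if` and can be dropped. amdgpu_atpx_validate starts and ends outside the hunk.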
+@@ -547,6 +564,30 @@ static const struct vga_switcheroo_handl
+ .get_client_id = amdgpu_atpx_get_client_id,
+ };
+
++static const struct amdgpu_px_quirk amdgpu_px_quirk_list[] = {
++ /* HG _PR3 doesn't seem to work on this A+A weston board */
++ { 0x1002, 0x6900, 0x1002, 0x0124, AMDGPU_PX_QUIRK_FORCE_ATPX },
++ { 0x1002, 0x6900, 0x1028, 0x0812, AMDGPU_PX_QUIRK_FORCE_ATPX },
++ { 0, 0, 0, 0, 0 },
++};
++
++static void amdgpu_atpx_get_quirks(struct pci_dev *pdev)
++{
++ const struct amdgpu_px_quirk *p = amdgpu_px_quirk_list;
++
++ /* Apply PX quirks */
++ while (p && p->chip_device != 0) {
++ if (pdev->vendor == p->chip_vendor &&
++ pdev->device == p->chip_device &&
++ pdev->subsystem_vendor == p->subsys_vendor &&
++ pdev->subsystem_device == p->subsys_device) {
++ amdgpu_atpx_priv.quirks |= p->px_quirk_flags;
++ break;
++ }
++ ++p;
++ }
++}
++
+ /**
+ * amdgpu_atpx_detect - detect whether we have PX
+ *
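Review bot: In `amdgpu_atpx_get_quirks()` the `p &&` test can never be false, because `p` starts at a static array and is only incremented, and the loop's end condition relies on no real entry ever having `chip_device == 0`. Iterating by index, `for (i = 0; i < ARRAY_SIZE(amdgpu_px_quirk_list); i++)`, removes both the dead check and the need for the `{ 0, 0, 0, 0, 0 }` terminator. The flags are also OR-ed into the file-wide `amdgpu_atpx_priv.quirks` for every display device the detect loops visit, so a short comment saying the quirk applies system-wide once any one device matches would help.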
+@@ -570,6 +611,7 @@ static bool amdgpu_atpx_detect(void)
+
+ parent_pdev = pci_upstream_bridge(pdev);
+ d3_supported |= parent_pdev && parent_pdev->bridge_d3;
++ amdgpu_atpx_get_quirks(pdev);
+ }
+
+ while ((pdev = pci_get_class(PCI_CLASS_DISPLAY_OTHER << 8, pdev)) != NULL) {
+@@ -579,6 +621,7 @@ static bool amdgpu_atpx_detect(void)
+
+ parent_pdev = pci_upstream_bridge(pdev);
+ d3_supported |= parent_pdev && parent_pdev->bridge_d3;
++ amdgpu_atpx_get_quirks(pdev);
+ }
+
+ if (has_atpx && vga_count == 2) {
--- /dev/null
+From f2e5262f75ecb40a6e56554e156a292ab9e1d1b7 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Tue, 21 Nov 2017 12:10:57 -0500
+Subject: drm/amdgpu: Add dpm quirk for Jet PRO (v2)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit f2e5262f75ecb40a6e56554e156a292ab9e1d1b7 upstream.
+
+Fixes stability issues.
+
+v2: clamp sclk to 600 Mhz
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103370
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/si_dpm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/si_dpm.c
++++ b/drivers/gpu/drm/amd/amdgpu/si_dpm.c
+@@ -3507,6 +3507,11 @@ static void si_apply_state_adjust_rules(
+ max_sclk = 75000;
+ max_mclk = 80000;
+ }
++ if ((adev->pdev->revision == 0xC3) ||
++ (adev->pdev->device == 0x6665)) {
++ max_sclk = 60000;
++ max_mclk = 80000;
++ }
+ } else if (adev->asic_type == CHIP_OLAND) {
+ if ((adev->pdev->revision == 0xC7) ||
+ (adev->pdev->revision == 0x80) ||
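Review bot: The added block has no comment and works only by running after the preceding one, whose `max_sclk = 75000` it overrides; a reader cannot tell from the code which board it is for or that the order matters. A comment such as `/* Jet PRO: clamp sclk to 600 MHz (fdo#103370); must stay after the block above */` would record both. The `||` also means the clamp applies to any revision 0xC3 part and to any device 0x6665 regardless of revision, which may be wider than the subject suggests; if that is intended, say so in the comment. The enclosing function starts and ends outside the hunk.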
--- /dev/null
+From 6e59de2048eb375a9bfcd39461ef841cd2a78962 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Thu, 8 Feb 2018 17:46:01 +0800
+Subject: drm/amdgpu: add new device to use atpx quirk
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 6e59de2048eb375a9bfcd39461ef841cd2a78962 upstream.
+
+The affected system (0x0813) is pretty similar to another one (0x0812),
+it also needs to use ATPX power control.
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c
+@@ -568,6 +568,7 @@ static const struct amdgpu_px_quirk amdg
+ /* HG _PR3 doesn't seem to work on this A+A weston board */
+ { 0x1002, 0x6900, 0x1002, 0x0124, AMDGPU_PX_QUIRK_FORCE_ATPX },
+ { 0x1002, 0x6900, 0x1028, 0x0812, AMDGPU_PX_QUIRK_FORCE_ATPX },
++ { 0x1002, 0x6900, 0x1028, 0x0813, AMDGPU_PX_QUIRK_FORCE_ATPX },
+ { 0, 0, 0, 0, 0 },
+ };
+
--- /dev/null
+From 458d876eb869d5a88b53074c6c271b8b9adc0f07 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 22 Jan 2018 23:13:32 -0500
+Subject: drm/amdgpu: Avoid leaking PM domain on driver unbind (v2)
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 458d876eb869d5a88b53074c6c271b8b9adc0f07 upstream.
+
+We only support vga_switcheroo and runtime pm on PX/HG systems
+so forcing runpm to 1 doesn't do anything useful anyway.
+
+Only call vga_switcheroo_init_domain_pm_ops() for PX/HG so
+that the cleanup path is correct as well. This mirrors what
+radeon does as well.
+
+v2: rework the patch originally sent by Lukas (Alex)
+
+Acked-by: Lukas Wunner <lukas@wunner.de>
+Reported-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Lukas Wunner <lukas@wunner.de> (v1)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -1678,8 +1678,6 @@ int amdgpu_device_init(struct amdgpu_dev
+ * ignore it */
+ vga_client_register(adev->pdev, adev, NULL, amdgpu_vga_set_decode);
+
+- if (amdgpu_runtime_pm == 1)
+- runtime = true;
+ if (amdgpu_device_is_px(ddev))
+ runtime = true;
+ vga_switcheroo_register_client(adev->pdev, &amdgpu_switcheroo_ops, runtime);
--- /dev/null
+From 06998a756a3865817b87a129a7e5d5bb66dc1ec3 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Sun, 18 Feb 2018 16:53:59 +0800
+Subject: drm/edid: Add 6 bpc quirk for CPT panel in Asus UX303LA
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 06998a756a3865817b87a129a7e5d5bb66dc1ec3 upstream.
+
+Similar to commit e10aec652f31 ("drm/edid: Add 6 bpc quirk for display
+AEO model 0."), the EDID reports "DFP 1.x compliant TMDS" but it supports
+6 bpc instead of 8 bpc.
+
+Hence, use 6 bpc quirk for this panel.
+
+Fixes: 196f954e2509 ("drm/i915/dp: Revert "drm/i915/dp: fall back to 18 bpp when sink capability is unknown"")
+BugLink: https://bugs.launchpad.net/bugs/1749420
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Reviewed-by: Mario Kleiner <mario.kleiner.de@gmail.com>
+Cc: <stable@vger.kernel.org> # v4.8+
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180218085359.7817-1-kai.heng.feng@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_edid.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -107,6 +107,9 @@ static const struct edid_quirk {
+ /* AEO model 0 reports 8 bpc, but is a 6 bpc panel */
+ { "AEO", 0, EDID_QUIRK_FORCE_6BPC },
+
++ /* CPT panel of Asus UX303LA reports 8 bpc, but is a 6 bpc panel */
++ { "CPT", 0x17df, EDID_QUIRK_FORCE_6BPC },
++
+ /* Belinea 10 15 55 */
+ { "MAX", 1516, EDID_QUIRK_PREFER_LARGE_60 },
+ { "MAX", 0x77e, EDID_QUIRK_PREFER_LARGE_60 },
--- /dev/null
+From f027e0b3a774e10302207e91d304bbf99e3a8b36 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Wed, 14 Feb 2018 15:43:00 +0100
+Subject: iio: adis_lib: Initialize trigger before requesting interrupt
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+commit f027e0b3a774e10302207e91d304bbf99e3a8b36 upstream.
+
+The adis_probe_trigger() creates a new IIO trigger and requests an
+interrupt associated with the trigger. The interrupt uses the generic
+iio_trigger_generic_data_rdy_poll() function as its interrupt handler.
+
+Currently the driver initializes some fields of the trigger structure after
+the interrupt has been requested. But an interrupt can fire as soon as it
+has been requested. This opens up a race condition.
+
+iio_trigger_generic_data_rdy_poll() will access the trigger data structure
+and dereference the ops field. If the ops field is not yet initialized this
+will result in a NULL pointer deref.
+
+It is not expected that the device generates an interrupt at this point, so
+typically this issue did not surface unless e.g. due to a hardware
+misconfiguration (wrong interrupt number, wrong polarity, etc.).
+
+But some newer devices from the ADIS family start to generate periodic
+interrupts in their power-on reset configuration and unfortunately the
+interrupt can not be masked in the device. This makes the race condition
+much more visible and the following crash has been observed occasionally
+when booting a system using the ADIS16460.
+
+ Unable to handle kernel NULL pointer dereference at virtual address 00000008
+ pgd = c0004000
+ [00000008] *pgd=00000000
+ Internal error: Oops: 5 [#1] PREEMPT SMP ARM
+ Modules linked in:
+ CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.9.0-04126-gf9739f0-dirty #257
+ Hardware name: Xilinx Zynq Platform
+ task: ef04f640 task.stack: ef050000
+ PC is at iio_trigger_notify_done+0x30/0x68
+ LR is at iio_trigger_generic_data_rdy_poll+0x18/0x20
+ pc : [<c042d868>] lr : [<c042d924>] psr: 60000193
+ sp : ef051bb8 ip : 00000000 fp : ef106400
+ r10: c081d80a r9 : ef3bfa00 r8 : 00000087
+ r7 : ef051bec r6 : 00000000 r5 : ef3bfa00 r4 : ee92ab00
+ r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : ee97e400
+ Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment none
+ Control: 18c5387d Table: 0000404a DAC: 00000051
+ Process swapper/0 (pid: 1, stack limit = 0xef050210)
+ [<c042d868>] (iio_trigger_notify_done) from [<c0065b10>] (__handle_irq_event_percpu+0x88/0x118)
+ [<c0065b10>] (__handle_irq_event_percpu) from [<c0065bbc>] (handle_irq_event_percpu+0x1c/0x58)
+ [<c0065bbc>] (handle_irq_event_percpu) from [<c0065c30>] (handle_irq_event+0x38/0x5c)
+ [<c0065c30>] (handle_irq_event) from [<c0068e28>] (handle_level_irq+0xa4/0x130)
+ [<c0068e28>] (handle_level_irq) from [<c0064e74>] (generic_handle_irq+0x24/0x34)
+ [<c0064e74>] (generic_handle_irq) from [<c021ab7c>] (zynq_gpio_irqhandler+0xb8/0x13c)
+ [<c021ab7c>] (zynq_gpio_irqhandler) from [<c0064e74>] (generic_handle_irq+0x24/0x34)
+ [<c0064e74>] (generic_handle_irq) from [<c0065370>] (__handle_domain_irq+0x5c/0xb4)
+ [<c0065370>] (__handle_domain_irq) from [<c000940c>] (gic_handle_irq+0x48/0x8c)
+ [<c000940c>] (gic_handle_irq) from [<c0013e8c>] (__irq_svc+0x6c/0xa8)
+
+To fix this make sure that the trigger is fully initialized before
+requesting the interrupt.
+
+Fixes: ccd2b52f4ac6 ("staging:iio: Add common ADIS library")
+Reported-by: Robin Getz <Robin.Getz@analog.com>
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/imu/adis_trigger.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/imu/adis_trigger.c
++++ b/drivers/iio/imu/adis_trigger.c
+@@ -47,6 +47,10 @@ int adis_probe_trigger(struct adis *adis
+ if (adis->trig == NULL)
+ return -ENOMEM;
+
++ adis->trig->dev.parent = &adis->spi->dev;
++ adis->trig->ops = &adis_trigger_ops;
++ iio_trigger_set_drvdata(adis->trig, adis);
++
+ ret = request_irq(adis->spi->irq,
+ &iio_trigger_generic_data_rdy_poll,
+ IRQF_TRIGGER_RISING,
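Review bot: The three initialisation lines now have to stay ahead of `request_irq()`, but nothing in the code says so, and the old order looked just as natural. A comment above them, e.g. `/* Must be set before request_irq(): the IRQ can fire at once and the handler dereferences trig->ops */`, would keep a later cleanup from reintroducing the NULL dereference. adis_probe_trigger starts before this hunk and continues past it.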
+@@ -55,9 +59,6 @@ int adis_probe_trigger(struct adis *adis
+ if (ret)
+ goto error_free_trig;
+
+- adis->trig->dev.parent = &adis->spi->dev;
+- adis->trig->ops = &adis_trigger_ops;
+- iio_trigger_set_drvdata(adis->trig, adis);
+ ret = iio_trigger_register(adis->trig);
+
+ indio_dev->trig = iio_trigger_get(adis->trig);
--- /dev/null
+From 4cd140bda6494543f1c1b0ccceceaa44b676eef6 Mon Sep 17 00:00:00 2001
+From: Stefan Windfeldt-Prytz <stefan.windfeldt@axis.com>
+Date: Thu, 15 Feb 2018 15:02:53 +0100
+Subject: iio: buffer: check if a buffer has been set up when poll is called
+
+From: Stefan Windfeldt-Prytz <stefan.windfeldt@axis.com>
+
+commit 4cd140bda6494543f1c1b0ccceceaa44b676eef6 upstream.
+
+If no iio buffer has been set up and poll is called return 0.
+Without this check there will be a null pointer dereference when
+calling poll on a iio driver without an iio buffer.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefan Windfeldt-Prytz <stefan.windfeldt@axis.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/industrialio-buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/industrialio-buffer.c
++++ b/drivers/iio/industrialio-buffer.c
+@@ -174,7 +174,7 @@ unsigned int iio_buffer_poll(struct file
+ struct iio_dev *indio_dev = filp->private_data;
+ struct iio_buffer *rb = indio_dev->buffer;
+
+- if (!indio_dev->info)
++ if (!indio_dev->info || rb == NULL)
+ return 0;
+
+ poll_wait(filp, &rb->pollq, wait);
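Review bot: The guard mixes two NULL-test styles in one condition; `if (!indio_dev->info || !rb)` reads more evenly and matches the first operand. Since `poll()` is reachable from user space on an IIO character device, it is worth confirming that the other file operations that use `indio_dev->buffer` check it the same way; they are not visible in this hunk. iio_buffer_poll continues past the hunk.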
--- /dev/null
+From 21ec30c0ef5234fb1039cc7c7737d885bf875a9e Mon Sep 17 00:00:00 2001
+From: Shanker Donthineni <shankerd@codeaurora.org>
+Date: Wed, 31 Jan 2018 18:03:42 -0600
+Subject: irqchip/gic-v3: Use wmb() instead of smb_wmb() in gic_raise_softirq()
+
+From: Shanker Donthineni <shankerd@codeaurora.org>
+
+commit 21ec30c0ef5234fb1039cc7c7737d885bf875a9e upstream.
+
+A DMB instruction can be used to ensure the relative order of only
+memory accesses before and after the barrier. Since writes to system
+registers are not memory operations, barrier DMB is not sufficient
+for observability of memory accesses that occur before ICC_SGI1R_EL1
+writes.
+
+A DSB instruction ensures that no instructions that appear in program
+order after the DSB instruction, can execute until the DSB instruction
+has completed.
+
+Cc: stable@vger.kernel.org
+Acked-by: Will Deacon <will.deacon@arm.com>,
+Signed-off-by: Shanker Donthineni <shankerd@codeaurora.org>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-gic-v3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-gic-v3.c
++++ b/drivers/irqchip/irq-gic-v3.c
+@@ -616,7 +616,7 @@ static void gic_raise_softirq(const stru
+ * Ensure that stores to Normal memory are visible to the
+ * other CPUs before issuing the IPI.
+ */
+- smp_wmb();
++ wmb();
+
+ for_each_cpu(cpu, mask) {
+ unsigned long cluster_id = cpu_logical_map(cpu) & ~0xffUL;
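Review bot: The comment above the barrier still describes only the goal and would fit `smp_wmb()` equally well, so the reason for the stronger barrier is not recorded in the code. Extending it, e.g. `* The SGI is raised by a system register write, which DMB does not order; a DSB (wmb()) is required.`, would stop a later change from weakening it again. gic_raise_softirq starts and ends outside the hunk.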
--- /dev/null
+From 101110f6271ce956a049250c907bc960030577f8 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 21 Feb 2018 14:45:20 -0800
+Subject: Kbuild: always define endianess in kconfig.h
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 101110f6271ce956a049250c907bc960030577f8 upstream.
+
+Build testing with LTO found a couple of files that get compiled
+differently depending on whether asm/byteorder.h gets included early
+enough or not. In particular, include/asm-generic/qrwlock_types.h is
+affected by this, but there are probably others as well.
+
+The symptom is a series of LTO link time warnings, including these:
+
+ net/netlabel/netlabel_unlabeled.h:223: error: type of 'netlbl_unlhsh_add' does not match original declaration [-Werror=lto-type-mismatch]
+ int netlbl_unlhsh_add(struct net *net,
+ net/netlabel/netlabel_unlabeled.c:377: note: 'netlbl_unlhsh_add' was previously declared here
+
+ include/net/ipv6.h:360: error: type of 'ipv6_renew_options_kern' does not match original declaration [-Werror=lto-type-mismatch]
+ ipv6_renew_options_kern(struct sock *sk,
+ net/ipv6/exthdrs.c:1162: note: 'ipv6_renew_options_kern' was previously declared here
+
+ net/core/dev.c:761: note: 'dev_get_by_name_rcu' was previously declared here
+ struct net_device *dev_get_by_name_rcu(struct net *net, const char *name)
+ net/core/dev.c:761: note: code may be misoptimized unless -fno-strict-aliasing is used
+
+ drivers/gpu/drm/i915/i915_drv.h:3377: error: type of 'i915_gem_object_set_to_wc_domain' does not match original declaration [-Werror=lto-type-mismatch]
+ i915_gem_object_set_to_wc_domain(struct drm_i915_gem_object *obj, bool write);
+ drivers/gpu/drm/i915/i915_gem.c:3639: note: 'i915_gem_object_set_to_wc_domain' was previously declared here
+
+ include/linux/debugfs.h:92:9: error: type of 'debugfs_attr_read' does not match original declaration [-Werror=lto-type-mismatch]
+ ssize_t debugfs_attr_read(struct file *file, char __user *buf,
+ fs/debugfs/file.c:318: note: 'debugfs_attr_read' was previously declared here
+
+ include/linux/rwlock_api_smp.h:30: error: type of '_raw_read_unlock' does not match original declaration [-Werror=lto-type-mismatch]
+ void __lockfunc _raw_read_unlock(rwlock_t *lock) __releases(lock);
+ kernel/locking/spinlock.c:246:26: note: '_raw_read_unlock' was previously declared here
+
+ include/linux/fs.h:3308:5: error: type of 'simple_attr_open' does not match original declaration [-Werror=lto-type-mismatch]
+ int simple_attr_open(struct inode *inode, struct file *file,
+ fs/libfs.c:795: note: 'simple_attr_open' was previously declared here
+
+All of the above are caused by include/asm-generic/qrwlock_types.h
+failing to include asm/byteorder.h after commit e0d02285f16e
+("locking/qrwlock: Use 'struct qrwlock' instead of 'struct __qrwlock'")
+in linux-4.15.
+
+Similar bugs may or may not exist in older kernels as well, but there is
+no easy way to test those with link-time optimizations, and kernels
+before 4.14 are harder to fix because they don't have Babu's patch
+series
+
+We had similar issues with CONFIG_ symbols in the past and ended up
+always including the configuration headers through linux/kconfig.h. This
+works around the issue through that same file, defining either
+__BIG_ENDIAN or __LITTLE_ENDIAN depending on CONFIG_CPU_BIG_ENDIAN,
+which is now always set on all architectures since commit 4c97a0c8fee3
+("arch: define CPU_BIG_ENDIAN for all fixed big endian archs").
+
+Link: http://lkml.kernel.org/r/20180202154104.1522809-2-arnd@arndb.de
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Cc: Babu Moger <babu.moger@amd.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
+Cc: Nicolas Pitre <nico@linaro.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/kconfig.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/include/linux/kconfig.h
++++ b/include/linux/kconfig.h
+@@ -3,6 +3,12 @@
+
+ #include <generated/autoconf.h>
+
++#ifdef CONFIG_CPU_BIG_ENDIAN
++#define __BIG_ENDIAN 4321
++#else
++#define __LITTLE_ENDIAN 1234
++#endif
++
+ #define __ARG_PLACEHOLDER_1 0,
+ #define __take_second_arg(__ignored, val, ...) val
+
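Review bot: The new defines have no comment, and in a header that otherwise deals with CONFIG_ helpers they look out of place. Something like `/* Define endianness here so every file sees it, whether or not asm/byteorder.h was included */` would explain them. The literals 4321 and 1234 are presumably the same values the byteorder headers use; if they ever differ the compiler will report a macro redefinition, so a pointer to those headers in the comment would help keep them in sync.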
--- /dev/null
+From b2685bdacdaab065c172b97b55ab46c6be77a037 Mon Sep 17 00:00:00 2001
+From: Shigeru Yoshida <shigeru.yoshida@windriver.com>
+Date: Fri, 2 Feb 2018 13:51:39 +0800
+Subject: ohci-hcd: Fix race condition caused by ohci_urb_enqueue() and io_watchdog_func()
+
+From: Shigeru Yoshida <shigeru.yoshida@windriver.com>
+
+commit b2685bdacdaab065c172b97b55ab46c6be77a037 upstream.
+
+Running io_watchdog_func() while ohci_urb_enqueue() is running can
+cause a race condition where ohci->prev_frame_no is corrupted and the
+watchdog can mis-detect following error:
+
+ ohci-platform 664a0800.usb: frame counter not updating; disabled
+ ohci-platform 664a0800.usb: HC died; cleaning up
+
+Specifically, following scenario causes a race condition:
+
+ 1. ohci_urb_enqueue() calls spin_lock_irqsave(&ohci->lock, flags)
+ and enters the critical section
+ 2. ohci_urb_enqueue() calls timer_pending(&ohci->io_watchdog) and it
+ returns false
+ 3. ohci_urb_enqueue() sets ohci->prev_frame_no to a frame number
+ read by ohci_frame_no(ohci)
+ 4. ohci_urb_enqueue() schedules io_watchdog_func() with mod_timer()
+ 5. ohci_urb_enqueue() calls spin_unlock_irqrestore(&ohci->lock,
+ flags) and exits the critical section
+ 6. Later, ohci_urb_enqueue() is called
+ 7. ohci_urb_enqueue() calls spin_lock_irqsave(&ohci->lock, flags)
+ and enters the critical section
+ 8. The timer scheduled on step 4 expires and io_watchdog_func() runs
+ 9. io_watchdog_func() calls spin_lock_irqsave(&ohci->lock, flags)
+ and waits on it because ohci_urb_enqueue() is already in the
+ critical section on step 7
+ 10. ohci_urb_enqueue() calls timer_pending(&ohci->io_watchdog) and it
+ returns false
+ 11. ohci_urb_enqueue() sets ohci->prev_frame_no to new frame number
+ read by ohci_frame_no(ohci) because the frame number proceeded
+ between step 3 and 6
+ 12. ohci_urb_enqueue() schedules io_watchdog_func() with mod_timer()
+ 13. ohci_urb_enqueue() calls spin_unlock_irqrestore(&ohci->lock,
+ flags) and exits the critical section, then wake up
+ io_watchdog_func() which is waiting on step 9
+ 14. io_watchdog_func() enters the critical section
+ 15. io_watchdog_func() calls ohci_frame_no(ohci) and set frame_no
+ variable to the frame number
+ 16. io_watchdog_func() compares frame_no and ohci->prev_frame_no
+
+On step 16, because this call of io_watchdog_func() was scheduled on
+step 4, the frame number in ohci->prev_frame_no is expected to be the
+number set on step 3. However, ohci->prev_frame_no is overwritten on
+step 11. Because step 16 is executed soon after step 11, the frame
+number might not have advanced, so ohci->prev_frame_no equals
+frame_no.
+
+To address above scenario, this patch introduces a special sentinel
+value IO_WATCHDOG_OFF and set this value to ohci->prev_frame_no when
+the watchdog is not pending or running. When ohci_urb_enqueue()
+schedules the watchdog (step 4 and 12 above), it compares
+ohci->prev_frame_no to IO_WATCHDOG_OFF so that ohci->prev_frame_no is
+not overwritten while io_watchdog_func() is running.
+
+Signed-off-by: Shigeru Yoshida <Shigeru.Yoshida@windriver.com>
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/ohci-hcd.c | 10 +++++++---
+ drivers/usb/host/ohci-hub.c | 4 +++-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/host/ohci-hcd.c
++++ b/drivers/usb/host/ohci-hcd.c
+@@ -73,6 +73,7 @@ static const char hcd_name [] = "ohci_hc
+
+ #define STATECHANGE_DELAY msecs_to_jiffies(300)
+ #define IO_WATCHDOG_DELAY msecs_to_jiffies(275)
++#define IO_WATCHDOG_OFF 0xffffff00
+
+ #include "ohci.h"
+ #include "pci-quirks.h"
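Review bot: `IO_WATCHDOG_OFF` is an in-band sentinel stored in `ohci->prev_frame_no`, and the define does not say why 0xffffff00 can never be a real frame number. A comment such as `/* Sentinel for prev_frame_no: watchdog neither pending nor running; outside the range ohci_frame_no() returns */` would document the assumption. That range should be confirmed against ohci_frame_no(), which is not in this patch.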
+@@ -230,7 +231,7 @@ static int ohci_urb_enqueue (
+ }
+
+ /* Start up the I/O watchdog timer, if it's not running */
+- if (!timer_pending(&ohci->io_watchdog) &&
++ if (ohci->prev_frame_no == IO_WATCHDOG_OFF &&
+ list_empty(&ohci->eds_in_use) &&
+ !(ohci->flags & OHCI_QUIRK_QEMU)) {
+ ohci->prev_frame_no = ohci_frame_no(ohci);
+@@ -501,6 +502,7 @@ static int ohci_init (struct ohci_hcd *o
+
+ setup_timer(&ohci->io_watchdog, io_watchdog_func,
+ (unsigned long) ohci);
++ ohci->prev_frame_no = IO_WATCHDOG_OFF;
+
+ ohci->hcca = dma_alloc_coherent (hcd->self.controller,
+ sizeof(*ohci->hcca), &ohci->hcca_dma, GFP_KERNEL);
+@@ -730,7 +732,7 @@ static void io_watchdog_func(unsigned lo
+ u32 head;
+ struct ed *ed;
+ struct td *td, *td_start, *td_next;
+- unsigned frame_no;
++ unsigned frame_no, prev_frame_no = IO_WATCHDOG_OFF;
+ unsigned long flags;
+
+ spin_lock_irqsave(&ohci->lock, flags);
+@@ -835,7 +837,7 @@ static void io_watchdog_func(unsigned lo
+ }
+ }
+ if (!list_empty(&ohci->eds_in_use)) {
+- ohci->prev_frame_no = frame_no;
++ prev_frame_no = frame_no;
+ ohci->prev_wdh_cnt = ohci->wdh_cnt;
+ ohci->prev_donehead = ohci_readl(ohci,
+ &ohci->regs->donehead);
+@@ -845,6 +847,7 @@ static void io_watchdog_func(unsigned lo
+ }
+
+ done:
++ ohci->prev_frame_no = prev_frame_no;
+ spin_unlock_irqrestore(&ohci->lock, flags);
+ }
+
+@@ -973,6 +976,7 @@ static void ohci_stop (struct usb_hcd *h
+ if (quirk_nec(ohci))
+ flush_work(&ohci->nec_work);
+ del_timer_sync(&ohci->io_watchdog);
++ ohci->prev_frame_no = IO_WATCHDOG_OFF;
+
+ ohci_writel (ohci, OHCI_INTR_MIE, &ohci->regs->intrdisable);
+ ohci_usb_reset(ohci);
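Review bot: The new store to `ohci->prev_frame_no` here is made without `ohci->lock` as far as the hunk shows, and the same holds in the ohci-hub.c hunk, where it comes after `spin_unlock_irq (&ohci->lock)` in ohci_bus_suspend(). io_watchdog_func() writes the field under the lock, and per the commit description ohci_urb_enqueue() reads it under the lock; the fix depends on the field staying consistent with the timer state. If an enqueue can still run at these points, it could see a stale value or re-arm the timer before the field is reset to the sentinel. Either take the lock around the store or add a comment stating why no enqueue is possible here; both functions start and end outside their hunks.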
+--- a/drivers/usb/host/ohci-hub.c
++++ b/drivers/usb/host/ohci-hub.c
+@@ -310,8 +310,10 @@ static int ohci_bus_suspend (struct usb_
+ rc = ohci_rh_suspend (ohci, 0);
+ spin_unlock_irq (&ohci->lock);
+
+- if (rc == 0)
++ if (rc == 0) {
+ del_timer_sync(&ohci->io_watchdog);
++ ohci->prev_frame_no = IO_WATCHDOG_OFF;
++ }
+ return rc;
+ }
+
--- /dev/null
+From 7dcf688d4c78a18ba9538b2bf1b11dc7a43fe9be Mon Sep 17 00:00:00 2001
+From: Casey Leedom <leedom@chelsio.com>
+Date: Thu, 15 Feb 2018 20:03:18 +0530
+Subject: PCI/cxgb4: Extend T3 PCI quirk to T4+ devices
+
+From: Casey Leedom <leedom@chelsio.com>
+
+commit 7dcf688d4c78a18ba9538b2bf1b11dc7a43fe9be upstream.
+
+We've run into a problem where our device is attached
+to a Virtual Machine and the use of the new pci_set_vpd_size()
+API doesn't help. The VM kernel has been informed that
+the accesses are okay, but all of the actual VPD Capability
+Accesses are trapped down into the KVM Hypervisor where it
+goes ahead and imposes the silent denials.
+
+The right idea is to follow the kernel.org
+commit 1c7de2b4ff88 ("PCI: Enable access to non-standard VPD for
+Chelsio devices (cxgb3)") which Alexey Kardashevskiy authored
+to establish a PCI Quirk for our T3-based adapters. This commit
+extends that PCI Quirk to cover Chelsio T4 devices and later.
+
+The advantage of this approach is that the VPD Size gets set early
+in the Base OS/Hypervisor Boot and doesn't require that the cxgb4
+driver even be available in the Base OS/Hypervisor. Thus PF4 can
+be exported to a Virtual Machine and everything should work.
+
+Fixes: 67e658794ca1 ("cxgb4: Set VPD size so we can read both VPD structures")
+Cc: <stable@vger.kernel.org> # v4.9+
+Signed-off-by: Casey Leedom <leedom@chelsio.com>
+Signed-off-by: Arjun Vynipadath <arjun@chelsio.com>
+Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 10 --------
+ drivers/pci/quirks.c | 35 +++++++++++++++++------------
+ 2 files changed, 21 insertions(+), 24 deletions(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
+@@ -2596,7 +2596,6 @@ void t4_get_regs(struct adapter *adap, v
+ }
+
+ #define EEPROM_STAT_ADDR 0x7bfc
+-#define VPD_SIZE 0x800
+ #define VPD_BASE 0x400
+ #define VPD_BASE_OLD 0
+ #define VPD_LEN 1024
+@@ -2634,15 +2633,6 @@ int t4_get_raw_vpd_params(struct adapter
+ if (!vpd)
+ return -ENOMEM;
+
+- /* We have two VPD data structures stored in the adapter VPD area.
+- * By default, Linux calculates the size of the VPD area by traversing
+- * the first VPD area at offset 0x0, so we need to tell the OS what
+- * our real VPD size is.
+- */
+- ret = pci_set_vpd_size(adapter->pdev, VPD_SIZE);
+- if (ret < 0)
+- goto out;
+-
+ /* Card information normally starts at VPD_BASE but early cards had
+ * it at 0.
+ */
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -3369,22 +3369,29 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_IN
+
+ static void quirk_chelsio_extend_vpd(struct pci_dev *dev)
+ {
+- pci_set_vpd_size(dev, 8192);
++ int chip = (dev->device & 0xf000) >> 12;
++ int func = (dev->device & 0x0f00) >> 8;
++ int prod = (dev->device & 0x00ff) >> 0;
++
++ /*
++ * If this is a T3-based adapter, there's a 1KB VPD area at offset
++ * 0xc00 which contains the preferred VPD values. If this is a T4 or
++ * later based adapter, the special VPD is at offset 0x400 for the
++ * Physical Functions (the SR-IOV Virtual Functions have no VPD
++ * Capabilities). The PCI VPD Access core routines will normally
++ * compute the size of the VPD by parsing the VPD Data Structure at
++ * offset 0x000. This will result in silent failures when attempting
++ * to accesses these other VPD areas which are beyond those computed
++ * limits.
++ */
++ if (chip == 0x0 && prod >= 0x20)
++ pci_set_vpd_size(dev, 8192);
++ else if (chip >= 0x4 && func < 0x8)
++ pci_set_vpd_size(dev, 2048);
+ }
+
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x20, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x21, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x22, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x23, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x24, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x25, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x26, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x30, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x31, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x32, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x35, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x36, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x37, quirk_chelsio_extend_vpd);
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, PCI_ANY_ID,
++ quirk_chelsio_extend_vpd);
+
+ #ifdef CONFIG_ACPI
+ /*
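Review bot: The T3 branch in `quirk_chelsio_extend_vpd()` matches more device ids than the thirteen fixups it replaces: `chip == 0x0 && prod >= 0x20` accepts any low byte from 0x20 to 0xff and ignores the `func` nibble, whereas the removed list covered only 0x20-0x26, 0x30-0x32 and 0x35-0x37. With the fixup registered for `PCI_ANY_ID`, every Chelsio function reaches this code, so a device outside the old list would get the 8192-byte VPD size; whether such ids exist is not visible here. If they are not meant to match, tighten the test, for example `if (chip == 0x0 && func == 0x0 && prod >= 0x20 && prod <= 0x37)`. The three fields would also read better as `unsigned int`, since they are bit fields of `dev->device`.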
--- /dev/null
+From 971b42c038dc83e3327872d294fe7131bab152fc Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Thu, 22 Feb 2018 14:38:33 +0000
+Subject: PKCS#7: fix certificate chain verification
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 971b42c038dc83e3327872d294fe7131bab152fc upstream.
+
+When pkcs7_verify_sig_chain() is building the certificate chain for a
+SignerInfo using the certificates in the PKCS#7 message, it is passing
+the wrong arguments to public_key_verify_signature(). Consequently,
+when the next certificate is supposed to be used to verify the previous
+certificate, the next certificate is actually used to verify itself.
+
+An attacker can use this bug to create a bogus certificate chain that
+has no cryptographic relationship between the beginning and end.
+
+Fortunately I couldn't quite find a way to use this to bypass the
+overall signature verification, though it comes very close. Here's the
+reasoning: due to the bug, every certificate in the chain beyond the
+first actually has to be self-signed (where "self-signed" here refers to
+the actual key and signature; an attacker might still manipulate the
+certificate fields such that the self_signed flag doesn't actually get
+set, and thus the chain doesn't end immediately). But to pass trust
+validation (pkcs7_validate_trust()), either the SignerInfo or one of the
+certificates has to actually be signed by a trusted key. Since only
+self-signed certificates can be added to the chain, the only way for an
+attacker to introduce a trusted signature is to include a self-signed
+trusted certificate.
+
+But, when pkcs7_validate_trust_one() reaches that certificate, instead
+of trying to verify the signature on that certificate, it will actually
+look up the corresponding trusted key, which will succeed, and then try
+to verify the *previous* certificate, which will fail. Thus, disaster
+is narrowly averted (as far as I could tell).
+
+Fixes: 6c2dc5ae4ab7 ("X.509: Extract signature digest and make self-signed cert checks earlier")
+Cc: <stable@vger.kernel.org> # v4.7+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/asymmetric_keys/pkcs7_verify.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/crypto/asymmetric_keys/pkcs7_verify.c
++++ b/crypto/asymmetric_keys/pkcs7_verify.c
+@@ -261,7 +261,7 @@ static int pkcs7_verify_sig_chain(struct
+ sinfo->index);
+ return 0;
+ }
+- ret = public_key_verify_signature(p->pub, p->sig);
++ ret = public_key_verify_signature(p->pub, x509->sig);
+ if (ret < 0)
+ return ret;
+ x509->signer = p;
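Review bot: The corrected call `public_key_verify_signature(p->pub, x509->sig)` has no comment saying which certificate is the issuer and which is the subject, and the one-token difference from the buggy form (`p->sig`) is easy to reintroduce. A line above the call such as `/* p is the candidate issuer: its key must verify x509's signature, not its own */` would make the direction explicit. A regression test that feeds a chain whose later certificates verify only against themselves and expects rejection would keep the fix in place. `pkcs7_verify_sig_chain()` starts and ends outside this hunk.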
--- /dev/null
+From 3f802b162dbf4a558ff98986449eddc717826209 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Tue, 13 Feb 2018 12:18:41 +0200
+Subject: RDMA/uverbs: Protect from command mask overflow
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+commit 3f802b162dbf4a558ff98986449eddc717826209 upstream.
+
+The command number is not bounds checked against the command mask before it
+is shifted, resulting in an ubsan hit. This does not cause malfunction since
+the command number is eventually bounds checked, but we can make this ubsan
+clean by moving the bounds check to before the mask check.
+
+================================================================================
+UBSAN: Undefined behaviour in
+drivers/infiniband/core/uverbs_main.c:647:21
+shift exponent 207 is too large for 64-bit type 'long long unsigned int'
+CPU: 0 PID: 446 Comm: syz-executor3 Not tainted 4.15.0-rc2+ #61
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
+Call Trace:
+dump_stack+0xde/0x164
+? dma_virt_map_sg+0x22c/0x22c
+ubsan_epilogue+0xe/0x81
+__ubsan_handle_shift_out_of_bounds+0x293/0x2f7
+? debug_check_no_locks_freed+0x340/0x340
+? __ubsan_handle_load_invalid_value+0x19b/0x19b
+? lock_acquire+0x440/0x440
+? lock_acquire+0x19d/0x440
+? __might_fault+0xf4/0x240
+? ib_uverbs_write+0x68d/0xe20
+ib_uverbs_write+0x68d/0xe20
+? __lock_acquire+0xcf7/0x3940
+? uverbs_devnode+0x110/0x110
+? cyc2ns_read_end+0x10/0x10
+? sched_clock_cpu+0x18/0x200
+? sched_clock_cpu+0x18/0x200
+__vfs_write+0x10d/0x700
+? uverbs_devnode+0x110/0x110
+? kernel_read+0x170/0x170
+? __fget+0x35b/0x5d0
+? security_file_permission+0x93/0x260
+vfs_write+0x1b0/0x550
+SyS_write+0xc7/0x1a0
+? SyS_read+0x1a0/0x1a0
+? trace_hardirqs_on_thunk+0x1a/0x1c
+entry_SYSCALL_64_fastpath+0x18/0x85
+RIP: 0033:0x448e29
+RSP: 002b:00007f033f567c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00007f033f5686bc RCX: 0000000000448e29
+RDX: 0000000000000060 RSI: 0000000020001000 RDI: 0000000000000012
+RBP: 000000000070bea0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 00000000000056a0 R14: 00000000006e8740 R15: 0000000000000000
+================================================================================
+
+Cc: syzkaller <syzkaller@googlegroups.com>
+Cc: <stable@vger.kernel.org> # 4.5
+Fixes: 2dbd5186a39c ("IB/core: IB/core: Allow legacy verbs through extended interfaces")
+Reported-by: Noa Osherovich <noaos@mellanox.com>
+Reviewed-by: Matan Barak <matanb@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/uverbs_main.c | 27 ++++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 7 deletions(-)
+
+--- a/drivers/infiniband/core/uverbs_main.c
++++ b/drivers/infiniband/core/uverbs_main.c
+@@ -735,12 +735,21 @@ static int verify_command_mask(struct ib
+ return -1;
+ }
+
++static bool verify_command_idx(u32 command, bool extended)
++{
++ if (extended)
++ return command < ARRAY_SIZE(uverbs_ex_cmd_table);
++
++ return command < ARRAY_SIZE(uverbs_cmd_table);
++}
++
+ static ssize_t ib_uverbs_write(struct file *filp, const char __user *buf,
+ size_t count, loff_t *pos)
+ {
+ struct ib_uverbs_file *file = filp->private_data;
+ struct ib_device *ib_dev;
+ struct ib_uverbs_cmd_hdr hdr;
++ bool extended_command;
+ __u32 command;
+ __u32 flags;
+ int srcu_key;
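Review bot: `verify_command_idx()` bounds the command by the size of the handler tables, but the shift that UBSAN reported is on a 64-bit value, so the new check keeps that shift defined only while both tables have at most 64 entries. Nothing in the hunk enforces that; a compile-time guard in `ib_uverbs_write()` such as `BUILD_BUG_ON(ARRAY_SIZE(uverbs_cmd_table) > 64);`, and the same for `uverbs_ex_cmd_table`, would tie the two limits together. The body of `verify_command_mask()` is outside the hunk, so the exact shift expression should be confirmed there. A short comment on `verify_command_idx()` saying that it must run before any mask or table lookup would also help.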
+@@ -770,6 +779,15 @@ static ssize_t ib_uverbs_write(struct fi
+ }
+
+ command = hdr.command & IB_USER_VERBS_CMD_COMMAND_MASK;
++ flags = (hdr.command &
++ IB_USER_VERBS_CMD_FLAGS_MASK) >> IB_USER_VERBS_CMD_FLAGS_SHIFT;
++
++ extended_command = flags & IB_USER_VERBS_CMD_FLAG_EXTENDED;
++ if (!verify_command_idx(command, extended_command)) {
++ ret = -EINVAL;
++ goto out;
++ }
++
+ if (verify_command_mask(ib_dev, command)) {
+ ret = -EOPNOTSUPP;
+ goto out;
+@@ -781,12 +799,8 @@ static ssize_t ib_uverbs_write(struct fi
+ goto out;
+ }
+
+- flags = (hdr.command &
+- IB_USER_VERBS_CMD_FLAGS_MASK) >> IB_USER_VERBS_CMD_FLAGS_SHIFT;
+-
+ if (!flags) {
+- if (command >= ARRAY_SIZE(uverbs_cmd_table) ||
+- !uverbs_cmd_table[command]) {
++ if (!uverbs_cmd_table[command]) {
+ ret = -EINVAL;
+ goto out;
+ }
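Review bot: The lookups `uverbs_cmd_table[command]` here and `uverbs_ex_cmd_table[command]` in the next hunk no longer carry their own bounds check and rely on `verify_command_idx()` having checked against the same table. That helper selects the table by `flags & IB_USER_VERBS_CMD_FLAG_EXTENDED`, while this branch selects by `!flags`; the two agree only if the extended branch is entered solely when the extended bit is set, and that branch condition is outside the hunks. A comment at each lookup, for example `/* command was range-checked by verify_command_idx() above */`, would record the dependency so that a later change to either condition is reviewed against the other.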
+@@ -807,8 +821,7 @@ static ssize_t ib_uverbs_write(struct fi
+ struct ib_udata uhw;
+ size_t written_count = count;
+
+- if (command >= ARRAY_SIZE(uverbs_ex_cmd_table) ||
+- !uverbs_ex_cmd_table[command]) {
++ if (!uverbs_ex_cmd_table[command]) {
+ ret = -ENOSYS;
+ goto out;
+ }
--- /dev/null
+From 44eb5e12b845cc8a0634f21b70ef07d774eb4b25 Mon Sep 17 00:00:00 2001
+From: Bin Liu <b-liu@ti.com>
+Date: Tue, 20 Feb 2018 07:31:35 -0600
+Subject: Revert "usb: musb: host: don't start next rx urb if current one failed"
+
+From: Bin Liu <b-liu@ti.com>
+
+commit 44eb5e12b845cc8a0634f21b70ef07d774eb4b25 upstream.
+
+This reverts commit dbac5d07d13e330e6706813c9fde477140fb5d80.
+
+commit dbac5d07d13e ("usb: musb: host: don't start next rx urb if current one failed")
+along with commit b5801212229f ("usb: musb: host: clear rxcsr error bit if set")
+try to solve the issue described in [1], but the latter alone is
+sufficient, and the former causes the issue as in [2], so now revert it.
+
+[1] https://marc.info/?l=linux-usb&m=146173995117456&w=2
+[2] https://marc.info/?l=linux-usb&m=151689238420622&w=2
+
+Cc: stable@vger.kernel.org # v4.7+
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/musb/musb_host.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/usb/musb/musb_host.c
++++ b/drivers/usb/musb/musb_host.c
+@@ -418,13 +418,7 @@ static void musb_advance_schedule(struct
+ }
+ }
+
+- /*
+- * The pipe must be broken if current urb->status is set, so don't
+- * start next urb.
+- * TODO: to minimize the risk of regression, only check urb->status
+- * for RX, until we have a test case to understand the behavior of TX.
+- */
+- if ((!status || !is_in) && qh && qh->is_ready) {
++ if (qh != NULL && qh->is_ready) {
+ musb_dbg(musb, "... next ep%d %cX urb %p",
+ hw_ep->epnum, is_in ? 'R' : 'T', next_urb(qh));
+ musb_start_urb(musb, is_in, qh);
--- /dev/null
+From c39813652700f3df552b6557530f1e5f782dbe2f Mon Sep 17 00:00:00 2001
+From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Date: Tue, 23 Jan 2018 20:11:32 -0600
+Subject: scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info
+
+From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+
+commit c39813652700f3df552b6557530f1e5f782dbe2f upstream.
+
+The fcp_rsp_info structure as defined in the FC spec has an initial 3
+bytes reserved field. The ibmvfc driver mistakenly defined this field as
+4 bytes resulting in the rsp_code field being defined in what should be
+the start of the second reserved field and thus always being reported as
+zero by the driver.
+
+Ideally, we should wire ibmvfc up with libfc for the sake of code
+deduplication, and ease of maintaining standardized structures in a
+single place. However, for now simply fixup the definition in ibmvfc for
+backporting to distros on older kernels. Wiring up with libfc will be
+done in a followup patch.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ibmvscsi/ibmvfc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/ibmvscsi/ibmvfc.h
++++ b/drivers/scsi/ibmvscsi/ibmvfc.h
+@@ -367,7 +367,7 @@ enum ibmvfc_fcp_rsp_info_codes {
+ };
+
+ struct ibmvfc_fcp_rsp_info {
+- __be16 reserved;
++ u8 reserved[3];
+ u8 rsp_code;
+ u8 reserved2[4];
+ }__attribute__((packed, aligned (2)));
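Review bot: Nothing pins the layout of `struct ibmvfc_fcp_rsp_info` to the wire format, so a wrong width in a reserved field can again shift `rsp_code` without any build error. With this change `rsp_code` sits at offset 3 and the fields add up to 8 bytes; a check such as `BUILD_BUG_ON(offsetof(struct ibmvfc_fcp_rsp_info, rsp_code) != 3);` in the driver's init path would catch a future slip at build time. The description speaks of a 4-byte field while the removed line is `__be16 reserved;`, so the description may be worth rechecking against the old layout.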
netfilter-drop-outermost-socket-lock-in-getsockopt.patch
+xtensa-fix-high-memory-reserved-memory-collision.patch
+scsi-ibmvfc-fix-misdefined-reserved-field-in-ibmvfc_fcp_rsp_info.patch
+cfg80211-fix-cfg80211_beacon_dup.patch
+x.509-fix-bug_on-when-hash-algorithm-is-unsupported.patch
+pkcs-7-fix-certificate-chain-verification.patch
+rdma-uverbs-protect-from-command-mask-overflow.patch
+iio-buffer-check-if-a-buffer-has-been-set-up-when-poll-is-called.patch
+iio-adis_lib-initialize-trigger-before-requesting-interrupt.patch
+kbuild-always-define-endianess-in-kconfig.h.patch
+x86-oprofile-fix-bogus-gcc-8-warning-in-nmi_setup.patch
+irqchip-gic-v3-use-wmb-instead-of-smb_wmb-in-gic_raise_softirq.patch
+pci-cxgb4-extend-t3-pci-quirk-to-t4-devices.patch
+ohci-hcd-fix-race-condition-caused-by-ohci_urb_enqueue-and-io_watchdog_func.patch
+usb-ohci-proper-handling-of-ed_rm_list-to-handle-race-condition-between-usb_kill_urb-and-finish_unlinks.patch
+arm64-disable-unhandled-signal-log-messages-by-default.patch
+add-delay-init-quirk-for-corsair-k70-rgb-keyboards.patch
+drm-edid-add-6-bpc-quirk-for-cpt-panel-in-asus-ux303la.patch
+usb-dwc3-gadget-set-maxpacket-size-for-ep0-in.patch
+usb-ldusb-add-pids-for-new-cassy-devices-supported-by-this-driver.patch
+revert-usb-musb-host-don-t-start-next-rx-urb-if-current-one-failed.patch
+usb-gadget-f_fs-process-all-descriptors-during-bind.patch
+usb-renesas_usbhs-missed-the-running-flag-in-usb_dmac-with-rx-path.patch
+drm-amdgpu-add-dpm-quirk-for-jet-pro-v2.patch
+drm-amdgpu-add-atpx-quirk-handling-v2.patch
+drm-amdgpu-avoid-leaking-pm-domain-on-driver-unbind-v2.patch
+drm-amdgpu-add-new-device-to-use-atpx-quirk.patch
--- /dev/null
+From 6180026341e852a250e1f97ebdcf71684a3c81b9 Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Fri, 12 Jan 2018 18:18:05 -0800
+Subject: usb: dwc3: gadget: Set maxpacket size for ep0 IN
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+commit 6180026341e852a250e1f97ebdcf71684a3c81b9 upstream.
+
+There are 2 control endpoint structures for DWC3. However, the driver
+only updates the OUT direction control endpoint structure during
+ConnectDone event. DWC3 driver needs to update the endpoint max packet
+size for control IN endpoint as well. If the max packet size is not
+properly set, then the driver will incorrectly calculate the data
+transfer size and fail to send ZLP for HS/FS 3-stage control read
+transfer.
+
+The fix is simply to update the max packet size for the ep0 IN direction
+during ConnectDone event.
+
+Cc: stable@vger.kernel.org
+Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
+Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/gadget.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2528,6 +2528,8 @@ static void dwc3_gadget_conndone_interru
+ break;
+ }
+
++ dwc->eps[1]->endpoint.maxpacket = dwc->gadget.ep0->maxpacket;
++
+ /* Enable USB2 LPM Capability */
+
+ if ((dwc->revision > DWC3_REVISION_194A) &&
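Review bot: The new assignment uses the bare index `dwc->eps[1]` with no comment, so a reader has to know the endpoint array layout to see that this is the control IN endpoint named in the commit description. A line above it such as `/* eps[0] is ep0 OUT, eps[1] is ep0 IN; keep their maxpacket in step */` would say so, assuming that layout, which is not visible in the hunk. `dwc3_gadget_conndone_interrupt()` starts and ends outside this hunk.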
--- /dev/null
+From 6cf439e0d37463e42784271179c8a308fd7493c6 Mon Sep 17 00:00:00 2001
+From: Jack Pham <jackp@codeaurora.org>
+Date: Wed, 24 Jan 2018 00:11:53 -0800
+Subject: usb: gadget: f_fs: Process all descriptors during bind
+
+From: Jack Pham <jackp@codeaurora.org>
+
+commit 6cf439e0d37463e42784271179c8a308fd7493c6 upstream.
+
+During _ffs_func_bind(), the received descriptors are evaluated
+to prepare for binding with the gadget in order to allocate
+endpoints and optionally set up OS descriptors. However, the
+high- and super-speed descriptors are only parsed based on
+whether the gadget_is_dualspeed() and gadget_is_superspeed()
+calls are true, respectively.
+
+This is a problem in case a userspace program always provides
+all of the {full,high,super,OS} descriptors when configuring a
+function. Then, for example if a gadget device is not capable
+of SuperSpeed, the call to ffs_do_descs() for the SS descriptors
+is skipped, resulting in an incorrect offset calculation for
+the vla_ptr when moving on to the OS descriptors that follow.
+This causes ffs_do_os_descs() to fail as it is now looking at
+the SS descriptors' offset within the raw_descs buffer instead.
+
+_ffs_func_bind() should evaluate the descriptors unconditionally,
+so remove the checks for gadget speed.
+
+Fixes: f0175ab51993 ("usb: gadget: f_fs: OS descriptors support")
+Cc: stable@vger.kernel.org
+Co-Developed-by: Mayank Rana <mrana@codeaurora.org>
+Signed-off-by: Mayank Rana <mrana@codeaurora.org>
+Signed-off-by: Jack Pham <jackp@codeaurora.org>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_fs.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -2956,10 +2956,8 @@ static int _ffs_func_bind(struct usb_con
+ struct ffs_data *ffs = func->ffs;
+
+ const int full = !!func->ffs->fs_descs_count;
+- const int high = gadget_is_dualspeed(func->gadget) &&
+- func->ffs->hs_descs_count;
+- const int super = gadget_is_superspeed(func->gadget) &&
+- func->ffs->ss_descs_count;
++ const int high = !!func->ffs->hs_descs_count;
++ const int super = !!func->ffs->ss_descs_count;
+
+ int fs_len, hs_len, ss_len, ret, i;
+ struct ffs_ep *eps_ptr;
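Review bot: `high` and `super` now mean only that userspace supplied descriptors for that speed and no longer say anything about what the gadget can do, yet their names are unchanged and carry no comment. Any later use in `_ffs_func_bind()` that treats them as a capability, for example when choosing which descriptor sets to hand to the gadget, should be rechecked; the rest of the function is outside this hunk. A comment above the three flags such as `/* set per descriptor block present in raw_descs; every block is parsed so later offsets stay correct */` would record the new meaning. The new lines can also use the local `ffs` declared just above, `const int high = !!ffs->hs_descs_count;`.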
--- /dev/null
+From 52ad2bd8918158266fc88a05f95429b56b6a33c5 Mon Sep 17 00:00:00 2001
+From: Karsten Koop <kkoop@ld-didactic.de>
+Date: Fri, 9 Feb 2018 09:12:06 +0000
+Subject: usb: ldusb: add PIDs for new CASSY devices supported by this driver
+
+From: Karsten Koop <kkoop@ld-didactic.de>
+
+commit 52ad2bd8918158266fc88a05f95429b56b6a33c5 upstream.
+
+This patch adds support for new CASSY devices to the ldusb driver. The
+PIDs are also added to the ignore list in hid-quirks.
+
+Signed-off-by: Karsten Koop <kkoop@ld-didactic.de>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-core.c | 3 +++
+ drivers/hid/hid-ids.h | 3 +++
+ drivers/usb/misc/ldusb.c | 6 ++++++
+ 3 files changed, 12 insertions(+)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -2443,6 +2443,9 @@ static const struct hid_device_id hid_ig
+ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTIME) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYPH) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_POWERANALYSERCASSY) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MACHINETESTCASSY) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_JWM) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_DMMP) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_UMIP) },
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -608,6 +608,9 @@
+ #define USB_DEVICE_ID_LD_MICROCASSYTIME 0x1033
+ #define USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE 0x1035
+ #define USB_DEVICE_ID_LD_MICROCASSYPH 0x1038
++#define USB_DEVICE_ID_LD_POWERANALYSERCASSY 0x1040
++#define USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY 0x1042
++#define USB_DEVICE_ID_LD_MACHINETESTCASSY 0x1043
+ #define USB_DEVICE_ID_LD_JWM 0x1080
+ #define USB_DEVICE_ID_LD_DMMP 0x1081
+ #define USB_DEVICE_ID_LD_UMIP 0x1090
+--- a/drivers/usb/misc/ldusb.c
++++ b/drivers/usb/misc/ldusb.c
+@@ -46,6 +46,9 @@
+ #define USB_DEVICE_ID_LD_MICROCASSYTIME 0x1033 /* USB Product ID of Micro-CASSY Time (reserved) */
+ #define USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE 0x1035 /* USB Product ID of Micro-CASSY Temperature */
+ #define USB_DEVICE_ID_LD_MICROCASSYPH 0x1038 /* USB Product ID of Micro-CASSY pH */
++#define USB_DEVICE_ID_LD_POWERANALYSERCASSY 0x1040 /* USB Product ID of Power Analyser CASSY */
++#define USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY 0x1042 /* USB Product ID of Converter Controller CASSY */
++#define USB_DEVICE_ID_LD_MACHINETESTCASSY 0x1043 /* USB Product ID of Machine Test CASSY */
+ #define USB_DEVICE_ID_LD_JWM 0x1080 /* USB Product ID of Joule and Wattmeter */
+ #define USB_DEVICE_ID_LD_DMMP 0x1081 /* USB Product ID of Digital Multimeter P (reserved) */
+ #define USB_DEVICE_ID_LD_UMIP 0x1090 /* USB Product ID of UMI P */
+@@ -88,6 +91,9 @@ static const struct usb_device_id ld_usb
+ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTIME) },
+ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE) },
+ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYPH) },
++ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_POWERANALYSERCASSY) },
++ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY) },
++ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MACHINETESTCASSY) },
+ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_JWM) },
+ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_DMMP) },
+ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_UMIP) },
--- /dev/null
+From 46408ea558df13b110e0866b99624384a33bdeba Mon Sep 17 00:00:00 2001
+From: AMAN DEEP <aman.deep@samsung.com>
+Date: Thu, 8 Feb 2018 11:55:01 +0800
+Subject: usb: ohci: Proper handling of ed_rm_list to handle race condition between usb_kill_urb() and finish_unlinks()
+
+From: AMAN DEEP <aman.deep@samsung.com>
+
+commit 46408ea558df13b110e0866b99624384a33bdeba upstream.
+
+There is a race condition between finish_unlinks->finish_urb() function
+and usb_kill_urb() in ohci controller case. The finish_urb calls
+spin_unlock(&ohci->lock) before usb_hcd_giveback_urb() function call,
+then if during this time, usb_kill_urb is called for another endpoint,
+then new ed will be added to ed_rm_list at beginning for unlink, and
+ed_rm_list will point to newly added.
+
+When finish_urb() is completed in finish_unlinks() and ed->td_list
+becomes empty as in below code (in finish_unlinks() function):
+
+ if (list_empty(&ed->td_list)) {
+ *last = ed->ed_next;
+ ed->ed_next = NULL;
+ } else if (ohci->rh_state == OHCI_RH_RUNNING) {
+ *last = ed->ed_next;
+ ed->ed_next = NULL;
+ ed_schedule(ohci, ed);
+ }
+
+The *last = ed->ed_next will make ed_rm_list to point to ed->ed_next
+and previously added ed by usb_kill_urb will be left unreferenced by
+ed_rm_list. This causes usb_kill_urb() hang forever waiting for
+finish_unlink to remove added ed from ed_rm_list.
+
+The main reason for the hang in this race condition is the addition and removal
+of ed from ed_rm_list in the beginning during usb_kill_urb and later
+*last is modified in finish_unlinks().
+
+As suggested by Alan Stern, the solution for proper handling of
+ohci->ed_rm_list is to remove ed from the ed_rm_list before finishing
+any URBs. Then at the end, we can add ed back to the list if necessary.
+
+This properly handle the updated ohci->ed_rm_list in usb_kill_urb().
+
+Fixes: 977dcfdc6031 ("USB: OHCI: don't lose track of EDs when a controller dies")
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+CC: <stable@vger.kernel.org>
+Signed-off-by: Aman Deep <aman.deep@samsung.com>
+Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/ohci-q.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/host/ohci-q.c
++++ b/drivers/usb/host/ohci-q.c
+@@ -1018,6 +1018,8 @@ skip_ed:
+ * have modified this list. normally it's just prepending
+ * entries (which we'd ignore), but paranoia won't hurt.
+ */
++ *last = ed->ed_next;
++ ed->ed_next = NULL;
+ modified = 0;
+
+ /* unlink urbs as requested, but rescan the list after
+@@ -1076,21 +1078,22 @@ rescan_this:
+ goto rescan_this;
+
+ /*
+- * If no TDs are queued, take ED off the ed_rm_list.
++ * If no TDs are queued, ED is now idle.
+ * Otherwise, if the HC is running, reschedule.
+- * If not, leave it on the list for further dequeues.
++ * If the HC isn't running, add ED back to the
++ * start of the list for later processing.
+ */
+ if (list_empty(&ed->td_list)) {
+- *last = ed->ed_next;
+- ed->ed_next = NULL;
+ ed->state = ED_IDLE;
+ list_del(&ed->in_use_list);
+ } else if (ohci->rh_state == OHCI_RH_RUNNING) {
+- *last = ed->ed_next;
+- ed->ed_next = NULL;
+ ed_schedule(ohci, ed);
+ } else {
+- last = &ed->ed_next;
++ ed->ed_next = ohci->ed_rm_list;
++ ohci->ed_rm_list = ed;
++ /* Don't loop on the same ED */
++ if (last == &ohci->ed_rm_list)
++ last = &ed->ed_next;
+ }
+
+ if (modified)
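Review bot: The re-add path in the final `else` depends on an invariant that the one-line comment `/* Don't loop on the same ED */` does not explain. The ED is pushed at the head of `ohci->ed_rm_list`, so when `last` still points at the list head the next iteration would pick the same ED again, and when `last` points further down the ED lands behind the cursor; a comment saying both would help. Because the first hunk now takes the ED off the list before any URB is given back, it is also worth confirming that every path from that unlink to this `if` chain idles, reschedules or re-adds the ED. The loop body between the two hunks is not visible.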
--- /dev/null
+From 17aa31f13cad25daa19d3f923323f552e87bc874 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Mon, 5 Feb 2018 17:12:35 +0900
+Subject: usb: renesas_usbhs: missed the "running" flag in usb_dmac with rx path
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 17aa31f13cad25daa19d3f923323f552e87bc874 upstream.
+
+This fixes an issue that a gadget driver (usb_f_fs) is possible to
+stop rx transactions after the usb-dmac is used because the following
+functions missed to set/check the "running" flag.
+ - usbhsf_dma_prepare_pop_with_usb_dmac()
+ - usbhsf_dma_pop_done_with_usb_dmac()
+
+So, if next transaction uses pio, the usbhsf_prepare_pop() can not
+start the transaction because the "running" flag is 0.
+
+Fixes: 8355b2b3082d ("usb: renesas_usbhs: fix the behavior of some usbhs_pkt_handle")
+Cc: <stable@vger.kernel.org> # v3.19+
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/renesas_usbhs/fifo.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/renesas_usbhs/fifo.c
++++ b/drivers/usb/renesas_usbhs/fifo.c
+@@ -1001,6 +1001,10 @@ static int usbhsf_dma_prepare_pop_with_u
+ if ((uintptr_t)pkt->buf & (USBHS_USB_DMAC_XFER_SIZE - 1))
+ goto usbhsf_pio_prepare_pop;
+
++ /* return at this time if the pipe is running */
++ if (usbhs_pipe_is_running(pipe))
++ return 0;
++
+ usbhs_pipe_config_change_bfre(pipe, 1);
+
+ ret = usbhsf_fifo_select(pipe, fifo, 0);
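Review bot: No visible line sets the running flag on the DMA receive path: the hunks add a test in `usbhsf_dma_prepare_pop_with_usb_dmac()` and a clear, `usbhs_pipe_running(pipe, 0);`, in `usbhsf_dma_pop_done_with_usb_dmac()`. If the flag is set by code outside the hunks, the comment on the test should say where; if it is not, the early `return 0` never triggers on this path and the clear changes nothing. The comment `/* return at this time if the pipe is running */` also restates the code; something like `/* a transfer is already in flight on this pipe; do not reprogram the FIFO */` would give the reason, if that is the intent.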
+@@ -1191,6 +1195,7 @@ static int usbhsf_dma_pop_done_with_usb_
+ usbhsf_fifo_clear(pipe, fifo);
+ pkt->actual = usbhs_dma_calc_received_size(pkt, chan, rcv_len);
+
++ usbhs_pipe_running(pipe, 0);
+ usbhsf_dma_stop(pipe, fifo);
+ usbhsf_dma_unmap(pkt);
+ usbhsf_fifo_unselect(pipe, pipe->fifo);
--- /dev/null
+From 437499eea4291ae9621e8763a41df027c110a1ef Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Thu, 22 Feb 2018 14:38:33 +0000
+Subject: X.509: fix BUG_ON() when hash algorithm is unsupported
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 437499eea4291ae9621e8763a41df027c110a1ef upstream.
+
+The X.509 parser mishandles the case where the certificate's signature's
+hash algorithm is not available in the crypto API. In this case,
+x509_get_sig_params() doesn't allocate the cert->sig->digest buffer;
+this part seems to be intentional. However,
+public_key_verify_signature() is still called via
+x509_check_for_self_signed(), which triggers the 'BUG_ON(!sig->digest)'.
+
+Fix this by making public_key_verify_signature() return -ENOPKG if the
+hash buffer has not been allocated.
+
+Reproducer when all the CONFIG_CRYPTO_SHA512* options are disabled:
+
+ openssl req -new -sha512 -x509 -batch -nodes -outform der \
+ | keyctl padd asymmetric desc @s
+
+Fixes: 6c2dc5ae4ab7 ("X.509: Extract signature digest and make self-signed cert checks earlier")
+Reported-by: Paolo Valente <paolo.valente@linaro.org>
+Cc: Paolo Valente <paolo.valente@linaro.org>
+Cc: <stable@vger.kernel.org> # v4.7+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/asymmetric_keys/public_key.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/crypto/asymmetric_keys/public_key.c
++++ b/crypto/asymmetric_keys/public_key.c
+@@ -93,9 +93,11 @@ int public_key_verify_signature(const st
+
+ BUG_ON(!pkey);
+ BUG_ON(!sig);
+- BUG_ON(!sig->digest);
+ BUG_ON(!sig->s);
+
++ if (!sig->digest)
++ return -ENOPKG;
++
+ alg_name = sig->pkey_algo;
+ if (strcmp(sig->pkey_algo, "rsa") == 0) {
+ /* The data wangled by the RSA algorithm is typically padded
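Review bot: The new `if (!sig->digest)` return in public_key_verify_signature() carries no comment explaining why a NULL digest is a legitimate, reachable state while a NULL `pkey`, `sig` or `sig->s` still hits BUG_ON(). A short comment above the check would record that, for example `/* digest stays NULL when the signature's hash algorithm is unavailable; report it instead of BUG()ing */`. Because the function now returns where it used to panic, each caller has to treat -ENOPKG as "signature not verified" and never as success. The commit message names x509_check_for_self_signed() as one caller, but no caller is visible in this hunk, so that handling should be confirmed there. The function body continues outside the hunk.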
--- /dev/null
+From 85c615eb52222bc5fab6c7190d146bc59fac289e Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 20 Feb 2018 21:58:21 +0100
+Subject: x86/oprofile: Fix bogus GCC-8 warning in nmi_setup()
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 85c615eb52222bc5fab6c7190d146bc59fac289e upstream.
+
+GCC-8 shows a warning for the x86 oprofile code that copies per-CPU
+data from CPU 0 to all other CPUs, which when building a non-SMP
+kernel turns into a memcpy() with identical source and destination
+pointers:
+
+ arch/x86/oprofile/nmi_int.c: In function 'mux_clone':
+ arch/x86/oprofile/nmi_int.c:285:2: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
+ memcpy(per_cpu(cpu_msrs, cpu).multiplex,
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ per_cpu(cpu_msrs, 0).multiplex,
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ sizeof(struct op_msr) * model->num_virt_counters);
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ arch/x86/oprofile/nmi_int.c: In function 'nmi_setup':
+ arch/x86/oprofile/nmi_int.c:466:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
+ arch/x86/oprofile/nmi_int.c:470:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
+
+I have analyzed a number of such warnings now: some are valid and the
+GCC warning is welcome. Others turned out to be false-positives, and
+GCC was changed to not warn about those any more. This is a corner case
+that is a false-positive but the GCC developers feel it's better to keep
+warning about it.
+
+In this case, it seems best to work around it by telling GCC
+a little more clearly that this code path is never hit with
+an IS_ENABLED() configuration check.
+
+Cc:stable as we also want old kernels to build cleanly with GCC-8.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Cc: Jessica Yu <jeyu@kernel.org>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Martin Sebor <msebor@gcc.gnu.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Robert Richter <rric@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: oprofile-list@lists.sf.net
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/20180220205826.2008875-1-arnd@arndb.de
+Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84095
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/oprofile/nmi_int.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/oprofile/nmi_int.c
++++ b/arch/x86/oprofile/nmi_int.c
+@@ -472,7 +472,7 @@ static int nmi_setup(void)
+ goto fail;
+
+ for_each_possible_cpu(cpu) {
+- if (!cpu)
++ if (!IS_ENABLED(CONFIG_SMP) || !cpu)
+ continue;
+
+ memcpy(per_cpu(cpu_msrs, cpu).counters,
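Review bot: The added `!IS_ENABLED(CONFIG_SMP)` test in nmi_setup() looks redundant without the commit message, since `!cpu` already skips CPU 0, so a later cleanup could remove it and bring the GCC-8 build error back. A one-line comment above the condition would prevent that, for example `/* !SMP: make the self-copy below provably unreachable for GCC-8 -Wrestrict */`. The warning log in the commit message also lists mux_clone(), which this hunk does not touch. Presumably it is only reached from this loop after the `continue`, but that is not visible here and is worth confirming. nmi_setup() starts and ends outside the hunk.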
--- /dev/null
+From 6ac5a11dc674bc5016ea716e8082fff61f524dc1 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Tue, 13 Feb 2018 15:31:05 -0800
+Subject: xtensa: fix high memory/reserved memory collision
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+commit 6ac5a11dc674bc5016ea716e8082fff61f524dc1 upstream.
+
+Xtensa memory initialization code frees high memory pages without
+checking whether they are in the reserved memory regions or not. That
+results in invalid value of totalram_pages and duplicate page usage by
+CMA and highmem. It produces a bunch of BUGs at startup looking like
+this:
+
+BUG: Bad page state in process swapper pfn:70800
+page:be60c000 count:0 mapcount:-127 mapping: (null) index:0x1
+flags: 0x80000000()
+raw: 80000000 00000000 00000001 ffffff80 00000000 be60c014 be60c014 0000000a
+page dumped because: nonzero mapcount
+Modules linked in:
+CPU: 0 PID: 1 Comm: swapper Tainted: G B 4.16.0-rc1-00015-g7928b2cbe55b-dirty #23
+Stack:
+ bd839d33 00000000 00000018 ba97b64c a106578c bd839d70 be60c000 00000000
+ a1378054 bd86a000 00000003 ba97b64c a1066166 bd839da0 be60c000 ffe00000
+ a1066b58 bd839dc0 be504000 00000000 000002f4 bd838000 00000000 0000001e
+Call Trace:
+ [<a1065734>] bad_page+0xac/0xd0
+ [<a106578c>] free_pages_check_bad+0x34/0x4c
+ [<a1066166>] __free_pages_ok+0xae/0x14c
+ [<a1066b58>] __free_pages+0x30/0x64
+ [<a1365de5>] init_cma_reserved_pageblock+0x35/0x44
+ [<a13682dc>] cma_init_reserved_areas+0xf4/0x148
+ [<a10034b8>] do_one_initcall+0x80/0xf8
+ [<a1361c16>] kernel_init_freeable+0xda/0x13c
+ [<a125b59d>] kernel_init+0x9/0xd0
+ [<a1004304>] ret_from_kernel_thread+0xc/0x18
+
+Only free high memory pages that are not reserved.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/xtensa/mm/init.c | 70 +++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 63 insertions(+), 7 deletions(-)
+
+--- a/arch/xtensa/mm/init.c
++++ b/arch/xtensa/mm/init.c
+@@ -77,19 +77,75 @@ void __init zones_init(void)
+ free_area_init_node(0, zones_size, ARCH_PFN_OFFSET, NULL);
+ }
+
++#ifdef CONFIG_HIGHMEM
++static void __init free_area_high(unsigned long pfn, unsigned long end)
++{
++ for (; pfn < end; pfn++)
++ free_highmem_page(pfn_to_page(pfn));
++}
++
++static void __init free_highpages(void)
++{
++ unsigned long max_low = max_low_pfn;
++ struct memblock_region *mem, *res;
++
++ reset_all_zones_managed_pages();
++ /* set highmem page free */
++ for_each_memblock(memory, mem) {
++ unsigned long start = memblock_region_memory_base_pfn(mem);
++ unsigned long end = memblock_region_memory_end_pfn(mem);
++
++ /* Ignore complete lowmem entries */
++ if (end <= max_low)
++ continue;
++
++ if (memblock_is_nomap(mem))
++ continue;
++
++ /* Truncate partial highmem entries */
++ if (start < max_low)
++ start = max_low;
++
++ /* Find and exclude any reserved regions */
++ for_each_memblock(reserved, res) {
++ unsigned long res_start, res_end;
++
++ res_start = memblock_region_reserved_base_pfn(res);
++ res_end = memblock_region_reserved_end_pfn(res);
++
++ if (res_end < start)
++ continue;
++ if (res_start < start)
++ res_start = start;
++ if (res_start > end)
++ res_start = end;
++ if (res_end > end)
++ res_end = end;
++ if (res_start != start)
++ free_area_high(start, res_start);
++ start = res_end;
++ if (start == end)
++ break;
++ }
++
++ /* And now free anything which remains */
++ if (start < end)
++ free_area_high(start, end);
++ }
++}
++#else
++static void __init free_highpages(void)
++{
++}
++#endif
++
+ /*
+ * Initialize memory pages.
+ */
+
+ void __init mem_init(void)
+ {
+-#ifdef CONFIG_HIGHMEM
+- unsigned long tmp;
+-
+- reset_all_zones_managed_pages();
+- for (tmp = max_low_pfn; tmp < max_pfn; tmp++)
+- free_highmem_page(pfn_to_page(tmp));
+-#endif
++ free_highpages();
+
+ max_mapnr = max_pfn - ARCH_PFN_OFFSET;
+ high_memory = (void *)__va(max_low_pfn << PAGE_SHIFT);
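Review bot: The reserved-region sweep in the new free_highpages() is only correct if `for_each_memblock(reserved, res)` yields regions in ascending, non-overlapping order, and nothing in the code says so. `start` is advanced to `res_end` after each region, so a reserved region visited out of order would already have had its pages handed to free_highmem_page(), which is the duplicate page use this commit sets out to remove. memblock normally keeps its region arrays sorted and merged, so this is a documentation point rather than a bug. I would state the dependency at the inner loop, for example `/* relies on memblock.reserved being sorted by base and non-overlapping */`. Separately, `if (res_end < start)` lets a region that ends exactly at `start` fall through to the clamping code. That is harmless, but `<=` would express the intent more directly. mem_init() continues outside the hunk.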