--- /dev/null
+From bb82e0b4a7e96494f0c1004ce50cec3d7b5fb3d1 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 14 Dec 2017 13:31:16 +0100
+Subject: ACPI: APEI / ERST: Fix missing error handling in erst_reader()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit bb82e0b4a7e96494f0c1004ce50cec3d7b5fb3d1 upstream.
+
+The commit f6f828513290 ("pstore: pass allocated memory region back to
+caller") changed the check of the return value from erst_read() in
+erst_reader() in the following way:
+
+ if (len == -ENOENT)
+ goto skip;
+- else if (len < 0) {
+- rc = -1;
++ else if (len < sizeof(*rcd)) {
++ rc = -EIO;
+ goto out;
+
+This introduced another bug: since the comparison with sizeof() is
+cast to unsigned, a negative len value doesn't hit any longer.
+As a result, when an error is returned from erst_read(), the code
+falls through, and it may eventually lead to some weird thing like
+memory corruption.
+
+This patch adds the negative error value check more explicitly for
+addressing the issue.
+
+Fixes: f6f828513290 (pstore: pass allocated memory region back to caller)
+Tested-by: Jerry Tang <jtang@suse.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Acked-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/apei/erst.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/acpi/apei/erst.c
++++ b/drivers/acpi/apei/erst.c
+@@ -1020,7 +1020,7 @@ skip:
+ /* The record may be cleared by others, try read next record */
+ if (len == -ENOENT)
+ goto skip;
+- else if (len < sizeof(*rcd)) {
++ else if (len < 0 || len < sizeof(*rcd)) {
+ rc = -EIO;
+ goto out;
+ }
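Review bot: The second operand `len < sizeof(*rcd)` still compares a signed length with a `size_t`, so the check is only correct because `len < 0` is tested first and short-circuits. A comment such as `/* reject negative errno before the unsigned sizeof() comparison */` above the `else if`, or an explicit `(size_t)len < sizeof(*rcd)` on the second operand, would keep a later cleanup from dropping the first test as redundant. The declaration of `len` and the rest of erst_reader() are outside the hunk, so its signed type is assumed from the commit message.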
--- /dev/null
+From c1cfd9025cc394fd137a01159d74335c5ac978ce Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 14 Dec 2017 16:44:12 +0100
+Subject: ALSA: rawmidi: Avoid racy info ioctl via ctl device
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit c1cfd9025cc394fd137a01159d74335c5ac978ce upstream.
+
+The rawmidi also allows to obtaining the information via ioctl of ctl
+API. It means that user can issue an ioctl to the rawmidi device even
+when it's being removed as long as the control device is present.
+Although the code has some protection via the global register_mutex,
+its range is limited to the search of the corresponding rawmidi
+object, and the mutex is already unlocked at accessing the rawmidi
+object. This may lead to a use-after-free.
+
+For avoiding it, this patch widens the application of register_mutex
+to the whole snd_rawmidi_info_select() function. We have another
+mutex per rawmidi object, but this operation isn't very hot path, so
+it shouldn't matter from the performance POV.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/rawmidi.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/sound/core/rawmidi.c
++++ b/sound/core/rawmidi.c
+@@ -579,15 +579,14 @@ static int snd_rawmidi_info_user(struct
+ return 0;
+ }
+
+-int snd_rawmidi_info_select(struct snd_card *card, struct snd_rawmidi_info *info)
++static int __snd_rawmidi_info_select(struct snd_card *card,
++ struct snd_rawmidi_info *info)
+ {
+ struct snd_rawmidi *rmidi;
+ struct snd_rawmidi_str *pstr;
+ struct snd_rawmidi_substream *substream;
+
+- mutex_lock(®ister_mutex);
+ rmidi = snd_rawmidi_search(card, info->device);
+- mutex_unlock(®ister_mutex);
+ if (!rmidi)
+ return -ENXIO;
+ if (info->stream < 0 || info->stream > 1)
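Review bot: `__snd_rawmidi_info_select()` now depends on the caller holding `register_mutex`, but nothing in the new helper states or enforces that. Adding `lockdep_assert_held(&register_mutex);` as its first statement, with a short comment that the mutex must stay held while `rmidi` is dereferenced, would catch a future direct caller that reopens the use-after-free window this commit closes. The helper's body continues past the end of this hunk, and the locked wrapper is added in the following hunk.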
+@@ -603,6 +602,16 @@ int snd_rawmidi_info_select(struct snd_c
+ }
+ return -ENXIO;
+ }
++
++int snd_rawmidi_info_select(struct snd_card *card, struct snd_rawmidi_info *info)
++{
++ int ret;
++
++ mutex_lock(®ister_mutex);
++ ret = __snd_rawmidi_info_select(card, info);
++ mutex_unlock(®ister_mutex);
++ return ret;
++}
+ EXPORT_SYMBOL(snd_rawmidi_info_select);
+
+ static int snd_rawmidi_info_select_user(struct snd_card *card,
--- /dev/null
+From 5a15f289ee87eaf33f13f08a4909ec99d837ec5f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 18 Dec 2017 23:36:57 +0100
+Subject: ALSA: usb-audio: Fix the missing ctl name suffix at parsing SU
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 5a15f289ee87eaf33f13f08a4909ec99d837ec5f upstream.
+
+The commit 89b89d121ffc ("ALSA: usb-audio: Add check return value for
+usb_string()") added the check of the return value from
+snd_usb_copy_string_desc(), which is correct per se, but it introduced
+a regression. In the original code, either the "Clock Source",
+"Playback Source" or "Capture Source" suffix is added after the
+terminal string, while the commit changed it to add the suffix only
+when get_term_name() is failing. It ended up with an incorrect ctl
+name like "PCM" instead of "PCM Capture Source".
+
+Also, even the original code has a similar bug: when the ctl name is
+generated from snd_usb_copy_string_desc() for the given iSelector, it
+also doesn't put the suffix.
+
+This patch addresses these issues: the suffix is added always when no
+static mapping is found. Also the patch tries to put more comments
+and cleans up the if/else block for better readability in order to
+avoid the same pitfall again.
+
+Fixes: 89b89d121ffc ("ALSA: usb-audio: Add check return value for usb_string()")
+Reported-and-tested-by: Mauro Santos <registo.mailling@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -2101,20 +2101,25 @@ static int parse_audio_selector_unit(str
+ kctl->private_value = (unsigned long)namelist;
+ kctl->private_free = usb_mixer_selector_elem_free;
+
+- nameid = uac_selector_unit_iSelector(desc);
++ /* check the static mapping table at first */
+ len = check_mapped_name(map, kctl->id.name, sizeof(kctl->id.name));
+- if (len)
+- ;
+- else if (nameid)
+- len = snd_usb_copy_string_desc(state, nameid, kctl->id.name,
+- sizeof(kctl->id.name));
+- else
+- len = get_term_name(state, &state->oterm,
+- kctl->id.name, sizeof(kctl->id.name), 0);
+-
+ if (!len) {
+- strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
++ /* no mapping ? */
++ /* if iSelector is given, use it */
++ nameid = uac_selector_unit_iSelector(desc);
++ if (nameid)
++ len = snd_usb_copy_string_desc(state, nameid,
++ kctl->id.name,
++ sizeof(kctl->id.name));
++ /* ... or pick up the terminal name at next */
++ if (!len)
++ len = get_term_name(state, &state->oterm,
++ kctl->id.name, sizeof(kctl->id.name), 0);
++ /* ... or use the fixed string "USB" as the last resort */
++ if (!len)
++ strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
+
++ /* and add the proper suffix */
+ if (desc->bDescriptorSubtype == UAC2_CLOCK_SELECTOR)
+ append_ctl_name(kctl, " Clock Source");
+ else if ((state->oterm.type & 0xff00) == 0x0100)
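Review bot: The name copied from the device's string descriptor can fill `kctl->id.name`, in which case the suffix added by `append_ctl_name(kctl, " Clock Source")` and the branches after it may be cut short or dropped. `append_ctl_name()` is not visible in this hunk, so this is inferred from every copy above being bounded by `sizeof(kctl->id.name)`. Because the descriptor text comes from the attached device, consider reserving room for the longest suffix in the `snd_usb_copy_string_desc()` and `get_term_name()` calls, or documenting that truncation is accepted. The if/else chain continues outside the hunk.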
--- /dev/null
+From 9abffc6f2efe46c3564c04312e52e07622d40e51 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Thu, 30 Nov 2017 13:39:27 +0100
+Subject: crypto: mcryptd - protect the per-CPU queue with a lock
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+commit 9abffc6f2efe46c3564c04312e52e07622d40e51 upstream.
+
+mcryptd_enqueue_request() grabs the per-CPU queue struct and protects
+access to it with disabled preemption. Then it schedules a worker on the
+same CPU. The worker in mcryptd_queue_worker() guards access to the same
+per-CPU variable with disabled preemption.
+
+If we take CPU-hotplug into account then it is possible that between
+queue_work_on() and the actual invocation of the worker the CPU goes
+down and the worker will be scheduled on _another_ CPU. And here the
+preempt_disable() protection does not work anymore. The easiest thing is
+to add a spin_lock() to guard access to the list.
+
+Another detail: mcryptd_queue_worker() is not processing more than
+MCRYPTD_BATCH invocation in a row. If there are still items left, then
+it will invoke queue_work() to proceed with more later. *I* would
+suggest to simply drop that check because it does not use a system
+workqueue and the workqueue is already marked as "CPU_INTENSIVE". And if
+preemption is required then the scheduler should do it.
+However if queue_work() is used then the work item is marked as CPU
+unbound. That means it will try to run on the local CPU but it may run
+on another CPU as well. Especially with CONFIG_DEBUG_WQ_FORCE_RR_CPU=y.
+Again, the preempt_disable() won't work here but lock which was
+introduced will help.
+In order to keep work-item on the local CPU (and avoid RR) I changed it
+to queue_work_on().
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/mcryptd.c | 23 ++++++++++-------------
+ include/crypto/mcryptd.h | 1 +
+ 2 files changed, 11 insertions(+), 13 deletions(-)
+
+--- a/crypto/mcryptd.c
++++ b/crypto/mcryptd.c
+@@ -80,6 +80,7 @@ static int mcryptd_init_queue(struct mcr
+ pr_debug("cpu_queue #%d %p\n", cpu, queue->cpu_queue);
+ crypto_init_queue(&cpu_queue->queue, max_cpu_qlen);
+ INIT_WORK(&cpu_queue->work, mcryptd_queue_worker);
++ spin_lock_init(&cpu_queue->q_lock);
+ }
+ return 0;
+ }
+@@ -103,15 +104,16 @@ static int mcryptd_enqueue_request(struc
+ int cpu, err;
+ struct mcryptd_cpu_queue *cpu_queue;
+
+- cpu = get_cpu();
+- cpu_queue = this_cpu_ptr(queue->cpu_queue);
+- rctx->tag.cpu = cpu;
++ cpu_queue = raw_cpu_ptr(queue->cpu_queue);
++ spin_lock(&cpu_queue->q_lock);
++ cpu = smp_processor_id();
++ rctx->tag.cpu = smp_processor_id();
+
+ err = crypto_enqueue_request(&cpu_queue->queue, request);
+ pr_debug("enqueue request: cpu %d cpu_queue %p request %p\n",
+ cpu, cpu_queue, request);
++ spin_unlock(&cpu_queue->q_lock);
+ queue_work_on(cpu, kcrypto_wq, &cpu_queue->work);
+- put_cpu();
+
+ return err;
+ }
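Review bot: In mcryptd_enqueue_request() the queue pointer is taken with `raw_cpu_ptr()` before `spin_lock()` disables preemption, so the task can migrate in between and `smp_processor_id()` may then name a different CPU than the one that owns `cpu_queue`. The lock keeps the list consistent, but `rctx->tag.cpu` and the `queue_work_on(cpu, ...)` target can then disagree with the queue the request was put on; whether later code relies on `tag.cpu` matching the queue is not visible here. `smp_processor_id()` is also called twice, so `rctx->tag.cpu = cpu;` would at least keep the two values identical. This path takes plain `spin_lock()` while the worker uses `spin_lock_bh()`, so a comment stating which contexts may call the enqueue function would make that asymmetry reviewable.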
+@@ -164,16 +166,11 @@ static void mcryptd_queue_worker(struct
+ cpu_queue = container_of(work, struct mcryptd_cpu_queue, work);
+ i = 0;
+ while (i < MCRYPTD_BATCH || single_task_running()) {
+- /*
+- * preempt_disable/enable is used to prevent
+- * being preempted by mcryptd_enqueue_request()
+- */
+- local_bh_disable();
+- preempt_disable();
++
++ spin_lock_bh(&cpu_queue->q_lock);
+ backlog = crypto_get_backlog(&cpu_queue->queue);
+ req = crypto_dequeue_request(&cpu_queue->queue);
+- preempt_enable();
+- local_bh_enable();
++ spin_unlock_bh(&cpu_queue->q_lock);
+
+ if (!req) {
+ mcryptd_opportunistic_flush();
+@@ -188,7 +185,7 @@ static void mcryptd_queue_worker(struct
+ ++i;
+ }
+ if (cpu_queue->queue.qlen)
+- queue_work(kcrypto_wq, &cpu_queue->work);
++ queue_work_on(smp_processor_id(), kcrypto_wq, &cpu_queue->work);
+ }
+
+ void mcryptd_flusher(struct work_struct *__work)
+--- a/include/crypto/mcryptd.h
++++ b/include/crypto/mcryptd.h
+@@ -26,6 +26,7 @@ static inline struct mcryptd_ahash *__mc
+
+ struct mcryptd_cpu_queue {
+ struct crypto_queue queue;
++ spinlock_t q_lock;
+ struct work_struct work;
+ };
+
--- /dev/null
+From d73235d17ba63b53dc0e1051dbc10a1f1be91b71 Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Thu, 7 Dec 2017 00:30:08 -0800
+Subject: KVM: X86: Fix load RFLAGS w/o the fixed bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+commit d73235d17ba63b53dc0e1051dbc10a1f1be91b71 upstream.
+
+ *** Guest State ***
+ CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7
+ CR4: actual=0x0000000000002050, shadow=0x0000000000000000, gh_mask=ffffffffffffe871
+ CR3 = 0x00000000fffbc000
+ RSP = 0x0000000000000000 RIP = 0x0000000000000000
+ RFLAGS=0x00000000 DR7 = 0x0000000000000400
+ ^^^^^^^^^^
+
+The failed vmentry is triggered by the following testcase when ept=Y:
+
+ #include <unistd.h>
+ #include <sys/syscall.h>
+ #include <string.h>
+ #include <stdint.h>
+ #include <linux/kvm.h>
+ #include <fcntl.h>
+ #include <sys/ioctl.h>
+
+ long r[5];
+ int main()
+ {
+ r[2] = open("/dev/kvm", O_RDONLY);
+ r[3] = ioctl(r[2], KVM_CREATE_VM, 0);
+ r[4] = ioctl(r[3], KVM_CREATE_VCPU, 7);
+ struct kvm_regs regs = {
+ .rflags = 0,
+ };
+ ioctl(r[4], KVM_SET_REGS, ®s);
+ ioctl(r[4], KVM_RUN, 0);
+ }
+
+X86 RFLAGS bit 1 is fixed set, userspace can simply clearing bit 1
+of RFLAGS with KVM_SET_REGS ioctl which results in vmentry fails.
+This patch fixes it by oring X86_EFLAGS_FIXED during ioctl.
+
+Suggested-by: Jim Mattson <jmattson@google.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Quan Xu <quan.xu0@gmail.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Jim Mattson <jmattson@google.com>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6941,7 +6941,7 @@ int kvm_arch_vcpu_ioctl_set_regs(struct
+ #endif
+
+ kvm_rip_write(vcpu, regs->rip);
+- kvm_set_rflags(vcpu, regs->rflags);
++ kvm_set_rflags(vcpu, regs->rflags | X86_EFLAGS_FIXED);
+
+ vcpu->arch.exception.pending = false;
+
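Review bot: ORing in `X86_EFLAGS_FIXED` at the `kvm_set_rflags()` call repairs only the always-one bit; RFLAGS bits that the architecture reserves as zero are still taken unchanged from the userspace-supplied `regs->rflags`. Whether `kvm_set_rflags()` or a later check filters those is not visible in this hunk, so it is worth confirming that they cannot lead to the same failed VM entry. A short comment above the call, for example `/* userspace may clear the fixed bit; force it so VM entry checks pass */`, would record why the value is altered. kvm_arch_vcpu_ioctl_set_regs() starts and ends outside the hunk.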
--- /dev/null
+From fae1a3e775cca8c3a9e0eb34443b310871a15a92 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu, 21 Dec 2017 00:49:14 +0100
+Subject: kvm: x86: fix RSM when PCID is non-zero
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit fae1a3e775cca8c3a9e0eb34443b310871a15a92 upstream.
+
+rsm_load_state_64() and rsm_enter_protected_mode() load CR3, then
+CR4 & ~PCIDE, then CR0, then CR4.
+
+However, setting CR4.PCIDE fails if CR3[11:0] != 0. It's probably easier
+in the long run to replace rsm_enter_protected_mode() with an emulator
+callback that sets all the special registers (like KVM_SET_SREGS would
+do). For now, set the PCID field of CR3 only after CR4.PCIDE is 1.
+
+Reported-by: Laszlo Ersek <lersek@redhat.com>
+Tested-by: Laszlo Ersek <lersek@redhat.com>
+Fixes: 660a5d517aaab9187f93854425c4c63f4a09195c
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c | 32 +++++++++++++++++++++++++-------
+ 1 file changed, 25 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -2383,9 +2383,21 @@ static int rsm_load_seg_64(struct x86_em
+ }
+
+ static int rsm_enter_protected_mode(struct x86_emulate_ctxt *ctxt,
+- u64 cr0, u64 cr4)
++ u64 cr0, u64 cr3, u64 cr4)
+ {
+ int bad;
++ u64 pcid;
++
++ /* In order to later set CR4.PCIDE, CR3[11:0] must be zero. */
++ pcid = 0;
++ if (cr4 & X86_CR4_PCIDE) {
++ pcid = cr3 & 0xfff;
++ cr3 &= ~0xfff;
++ }
++
++ bad = ctxt->ops->set_cr(ctxt, 3, cr3);
++ if (bad)
++ return X86EMUL_UNHANDLEABLE;
+
+ /*
+ * First enable PAE, long mode needs it before CR0.PG = 1 is set.
+@@ -2404,6 +2416,12 @@ static int rsm_enter_protected_mode(stru
+ bad = ctxt->ops->set_cr(ctxt, 4, cr4);
+ if (bad)
+ return X86EMUL_UNHANDLEABLE;
++ if (pcid) {
++ bad = ctxt->ops->set_cr(ctxt, 3, cr3 | pcid);
++ if (bad)
++ return X86EMUL_UNHANDLEABLE;
++ }
++
+ }
+
+ return X86EMUL_CONTINUE;
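Review bot: The PCID handling uses the bare constant `0xfff` in `pcid = cr3 & 0xfff;` and `cr3 &= ~0xfff;` (previous hunk), and the second write `set_cr(ctxt, 3, cr3 | pcid)` in this hunk has no comment tying it back to that split. A named mask for CR3[11:0] and a one-line comment such as `/* CR4.PCIDE is set now, restore the PCID bits of CR3 */` above `if (pcid)` would make the required CR3, CR4, CR3 ordering explicit. The blank added line before the closing brace can be dropped. The control register values are read from the saved SMM state in the later hunks, so it is good that the CR3 write result is now checked; the same should hold for any further `set_cr()` call added to this sequence.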
+@@ -2414,11 +2432,11 @@ static int rsm_load_state_32(struct x86_
+ struct desc_struct desc;
+ struct desc_ptr dt;
+ u16 selector;
+- u32 val, cr0, cr4;
++ u32 val, cr0, cr3, cr4;
+ int i;
+
+ cr0 = GET_SMSTATE(u32, smbase, 0x7ffc);
+- ctxt->ops->set_cr(ctxt, 3, GET_SMSTATE(u32, smbase, 0x7ff8));
++ cr3 = GET_SMSTATE(u32, smbase, 0x7ff8);
+ ctxt->eflags = GET_SMSTATE(u32, smbase, 0x7ff4) | X86_EFLAGS_FIXED;
+ ctxt->_eip = GET_SMSTATE(u32, smbase, 0x7ff0);
+
+@@ -2460,14 +2478,14 @@ static int rsm_load_state_32(struct x86_
+
+ ctxt->ops->set_smbase(ctxt, GET_SMSTATE(u32, smbase, 0x7ef8));
+
+- return rsm_enter_protected_mode(ctxt, cr0, cr4);
++ return rsm_enter_protected_mode(ctxt, cr0, cr3, cr4);
+ }
+
+ static int rsm_load_state_64(struct x86_emulate_ctxt *ctxt, u64 smbase)
+ {
+ struct desc_struct desc;
+ struct desc_ptr dt;
+- u64 val, cr0, cr4;
++ u64 val, cr0, cr3, cr4;
+ u32 base3;
+ u16 selector;
+ int i, r;
+@@ -2484,7 +2502,7 @@ static int rsm_load_state_64(struct x86_
+ ctxt->ops->set_dr(ctxt, 7, (val & DR7_VOLATILE) | DR7_FIXED_1);
+
+ cr0 = GET_SMSTATE(u64, smbase, 0x7f58);
+- ctxt->ops->set_cr(ctxt, 3, GET_SMSTATE(u64, smbase, 0x7f50));
++ cr3 = GET_SMSTATE(u64, smbase, 0x7f50);
+ cr4 = GET_SMSTATE(u64, smbase, 0x7f48);
+ ctxt->ops->set_smbase(ctxt, GET_SMSTATE(u32, smbase, 0x7f00));
+ val = GET_SMSTATE(u64, smbase, 0x7ed0);
+@@ -2512,7 +2530,7 @@ static int rsm_load_state_64(struct x86_
+ dt.address = GET_SMSTATE(u64, smbase, 0x7e68);
+ ctxt->ops->set_gdt(ctxt, &dt);
+
+- r = rsm_enter_protected_mode(ctxt, cr0, cr4);
++ r = rsm_enter_protected_mode(ctxt, cr0, cr3, cr4);
+ if (r != X86EMUL_CONTINUE)
+ return r;
+
--- /dev/null
+From 15d8374874ded0bec37ef27f8301a6d54032c0e5 Mon Sep 17 00:00:00 2001
+From: Jon Hunter <jonathanh@nvidia.com>
+Date: Tue, 14 Nov 2017 14:43:27 +0000
+Subject: mfd: cros ec: spi: Don't send first message too soon
+
+From: Jon Hunter <jonathanh@nvidia.com>
+
+commit 15d8374874ded0bec37ef27f8301a6d54032c0e5 upstream.
+
+On the Tegra124 Nyan-Big chromebook the very first SPI message sent to
+the EC is failing.
+
+The Tegra SPI driver configures the SPI chip-selects to be active-high
+by default (and always has for many years). The EC SPI requires an
+active-low chip-select and so the Tegra chip-select is reconfigured to
+be active-low when the EC SPI driver calls spi_setup(). The problem is
+that if the first SPI message to the EC is sent too soon after
+reconfiguring the SPI chip-select, it fails.
+
+The EC SPI driver prevents back-to-back SPI messages being sent too
+soon by keeping track of the time the last transfer was sent via the
+variable 'last_transfer_ns'. To prevent the very first transfer being
+sent too soon, initialise the 'last_transfer_ns' variable after calling
+spi_setup() and before sending the first SPI message.
+
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Reviewed-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Acked-by: Benson Leung <bleung@chromium.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/cros_ec_spi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mfd/cros_ec_spi.c
++++ b/drivers/mfd/cros_ec_spi.c
+@@ -660,6 +660,7 @@ static int cros_ec_spi_probe(struct spi_
+ sizeof(struct ec_response_get_protocol_info);
+ ec_dev->dout_size = sizeof(struct ec_host_request);
+
++ ec_spi->last_transfer_ns = ktime_get_ns();
+
+ err = cros_ec_register(ec_dev);
+ if (err) {
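Review bot: The added `ec_spi->last_transfer_ns = ktime_get_ns();` carries no comment, and the reason for it exists only in the commit message. Something like `/* start the inter-message delay now so the first transfer is not sent right after the chip-select was reconfigured */` above the assignment would keep it from being removed later as a redundant initialisation. The `spi_setup()` call it depends on is outside this hunk, so the ordering relative to it cannot be checked from here.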
--- /dev/null
+From 0a423772de2f3d7b00899987884f62f63ae00dcb Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Sat, 11 Nov 2017 16:38:43 +0100
+Subject: mfd: twl4030-audio: Fix sibling-node lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 0a423772de2f3d7b00899987884f62f63ae00dcb upstream.
+
+A helper purported to look up a child node based on its name was using
+the wrong of-helper and ended up prematurely freeing the parent of-node
+while leaking any matching node.
+
+To make things worse, any matching node would not even necessarily be a
+child node as the whole device tree was searched depth-first starting at
+the parent.
+
+Fixes: 019a7e6b7b31 ("mfd: twl4030-audio: Add DT support")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/twl4030-audio.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/mfd/twl4030-audio.c
++++ b/drivers/mfd/twl4030-audio.c
+@@ -159,13 +159,18 @@ unsigned int twl4030_audio_get_mclk(void
+ EXPORT_SYMBOL_GPL(twl4030_audio_get_mclk);
+
+ static bool twl4030_audio_has_codec(struct twl4030_audio_data *pdata,
+- struct device_node *node)
++ struct device_node *parent)
+ {
++ struct device_node *node;
++
+ if (pdata && pdata->codec)
+ return true;
+
+- if (of_find_node_by_name(node, "codec"))
++ node = of_get_child_by_name(parent, "codec");
++ if (node) {
++ of_node_put(node);
+ return true;
++ }
+
+ return false;
+ }
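Review bot: `of_get_child_by_name(parent, "codec")` reports a match for any child with that name, including one whose `status` property marks it disabled. If a disabled `codec` node should not count as present, test `of_device_is_available(node)` before the `of_node_put(node)`; if it should count, a comment saying that only existence matters would settle the question. The same applies to the `vibra` lookup in the twl6040 patch further down.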
--- /dev/null
+From 85e9b13cbb130a3209f21bd7933933399c389ffe Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Sat, 11 Nov 2017 16:38:44 +0100
+Subject: mfd: twl6040: Fix child-node lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 85e9b13cbb130a3209f21bd7933933399c389ffe upstream.
+
+Fix child-node lookup during probe, which ended up searching the whole
+device tree depth-first starting at the parent rather than just matching
+on its children.
+
+To make things worse, the parent node was prematurely freed, while the
+child node was leaked.
+
+Note that the CONFIG_OF compile guard can be removed as
+of_get_child_by_name() provides a !CONFIG_OF implementation which always
+fails.
+
+Fixes: 37e13cecaa14 ("mfd: Add support for Device Tree to twl6040")
+Fixes: ca2cad6ae38e ("mfd: Fix twl6040 build failure")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/twl6040.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/mfd/twl6040.c
++++ b/drivers/mfd/twl6040.c
+@@ -97,12 +97,16 @@ static struct reg_sequence twl6040_patch
+ };
+
+
+-static bool twl6040_has_vibra(struct device_node *node)
++static bool twl6040_has_vibra(struct device_node *parent)
+ {
+-#ifdef CONFIG_OF
+- if (of_find_node_by_name(node, "vibra"))
++ struct device_node *node;
++
++ node = of_get_child_by_name(parent, "vibra");
++ if (node) {
++ of_node_put(node);
+ return true;
+-#endif
++ }
++
+ return false;
+ }
+
--- /dev/null
+From 4423c18e466afdfb02a36ee8b9f901d144b3c607 Mon Sep 17 00:00:00 2001
+From: Yelena Krivosheev <yelena@marvell.com>
+Date: Tue, 19 Dec 2017 17:59:45 +0100
+Subject: net: mvneta: clear interface link status on port disable
+
+From: Yelena Krivosheev <yelena@marvell.com>
+
+commit 4423c18e466afdfb02a36ee8b9f901d144b3c607 upstream.
+
+When port connect to PHY in polling mode (with poll interval 1 sec),
+port and phy link status must be synchronize in order don't loss link
+change event.
+
+[gregory.clement@free-electrons.com: add fixes tag]
+Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP network unit")
+Signed-off-by: Yelena Krivosheev <yelena@marvell.com>
+Tested-by: Dmitri Epshtein <dima@marvell.com>
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/marvell/mvneta.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -914,6 +914,10 @@ static void mvneta_port_disable(struct m
+ val &= ~MVNETA_GMAC0_PORT_ENABLE;
+ mvreg_write(pp, MVNETA_GMAC_CTRL_0, val);
+
++ pp->link = 0;
++ pp->duplex = -1;
++ pp->speed = 0;
++
+ udelay(200);
+ }
+
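Review bot: The cached link state is reset in mvneta_port_disable() with no comment and no visible locking. If the PHY polling callback can run concurrently and also writes `pp->link`, `pp->speed` and `pp->duplex` (not visible in this hunk), the three stores could interleave with it, so it is worth stating which lock or call ordering protects them. A comment such as `/* forget the cached link state so the next PHY poll reports a change */` would also explain why the fields are cleared here.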
--- /dev/null
+From bcf3f1752a622f1372d3252d0fea8855d89812e7 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Tue, 12 Dec 2017 21:52:26 +0100
+Subject: parisc: Hide Diva-built-in serial aux and graphics card
+
+From: Helge Deller <deller@gmx.de>
+
+commit bcf3f1752a622f1372d3252d0fea8855d89812e7 upstream.
+
+Diva GSP card has built-in serial AUX port and ATI graphic card which simply
+don't work and which both don't have external connectors. User Guides even
+mention that those devices shouldn't be used.
+So, prevent that Linux drivers try to enable those devices.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/parisc/lba_pci.c | 33 +++++++++++++++++++++++++++++++++
+ 1 file changed, 33 insertions(+)
+
+--- a/drivers/parisc/lba_pci.c
++++ b/drivers/parisc/lba_pci.c
+@@ -1654,3 +1654,36 @@ void lba_set_iregs(struct parisc_device
+ iounmap(base_addr);
+ }
+
++
++/*
++ * The design of the Diva management card in rp34x0 machines (rp3410, rp3440)
++ * seems rushed, so that many built-in components simply don't work.
++ * The following quirks disable the serial AUX port and the built-in ATI RV100
++ * Radeon 7000 graphics card which both don't have any external connectors and
++ * thus are useless, and even worse, e.g. the AUX port occupies ttyS0 and as
++ * such makes those machines the only PARISC machines on which we can't use
++ * ttyS0 as boot console.
++ */
++static void quirk_diva_ati_card(struct pci_dev *dev)
++{
++ if (dev->subsystem_vendor != PCI_VENDOR_ID_HP ||
++ dev->subsystem_device != 0x1292)
++ return;
++
++ dev_info(&dev->dev, "Hiding Diva built-in ATI card");
++ dev->device = 0;
++}
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RADEON_QY,
++ quirk_diva_ati_card);
++
++static void quirk_diva_aux_disable(struct pci_dev *dev)
++{
++ if (dev->subsystem_vendor != PCI_VENDOR_ID_HP ||
++ dev->subsystem_device != 0x1291)
++ return;
++
++ dev_info(&dev->dev, "Hiding Diva built-in AUX serial device");
++ dev->device = 0;
++}
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_DIVA_AUX,
++ quirk_diva_aux_disable);
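Review bot: Both `dev_info()` format strings, `"Hiding Diva built-in ATI card"` and `"Hiding Diva built-in AUX serial device"`, lack a trailing `\n`, so the message can run into the next log line. The subsystem device IDs `0x1292` and `0x1291` are bare constants; named defines or a comment next to each would say which Diva component they identify. The two quirk functions differ only in that ID and the message, so a shared helper taking both as arguments would remove the duplication.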
--- /dev/null
+From 5839ee7389e893a31e4e3c9cf17b50d14103c902 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Fri, 15 Dec 2017 03:07:18 +0100
+Subject: PCI / PM: Force devices to D0 in pci_pm_thaw_noirq()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit 5839ee7389e893a31e4e3c9cf17b50d14103c902 upstream.
+
+It is incorrect to call pci_restore_state() for devices in low-power
+states (D1-D3), as that involves the restoration of MSI setup which
+requires MMIO to be operational and that is only the case in D0.
+
+However, pci_pm_thaw_noirq() may do that if the driver's "freeze"
+callbacks put the device into a low-power state, so fix it by making
+it force devices into D0 via pci_set_power_state() instead of trying
+to "update" their power state which is pointless.
+
+Fixes: e60514bd4485 (PCI/PM: Restore the status of PCI devices across hibernation)
+Reported-by: Thomas Gleixner <tglx@linutronix.de>
+Reported-by: Maarten Lankhorst <dev@mblankhorst.nl>
+Tested-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Maarten Lankhorst <dev@mblankhorst.nl>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pci-driver.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/pci-driver.c
++++ b/drivers/pci/pci-driver.c
+@@ -944,7 +944,12 @@ static int pci_pm_thaw_noirq(struct devi
+ if (pci_has_legacy_pm_support(pci_dev))
+ return pci_legacy_resume_early(dev);
+
+- pci_update_current_state(pci_dev, PCI_D0);
++ /*
++ * pci_restore_state() requires the device to be in D0 (because of MSI
++ * restoration among other things), so force it into D0 in case the
++ * driver's "freeze" callbacks put it into a low-power state directly.
++ */
++ pci_set_power_state(pci_dev, PCI_D0);
+ pci_restore_state(pci_dev);
+
+ if (drv && drv->pm && drv->pm->thaw_noirq)
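Review bot: The return value of `pci_set_power_state(pci_dev, PCI_D0)` is ignored, so `pci_restore_state()` still runs when the transition to D0 did not happen, which is exactly the case the new comment describes as incorrect. Consider checking the result and at least logging a failure before restoring state; whether returning early is acceptable on the thaw path depends on code outside this hunk. pci_pm_thaw_noirq() begins and ends outside the hunk.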
--- /dev/null
+From d2b3c353595a855794f8b9df5b5bdbe8deb0c413 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Mon, 4 Dec 2017 12:11:02 +0300
+Subject: pinctrl: cherryview: Mask all interrupts on Intel_Strago based systems
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit d2b3c353595a855794f8b9df5b5bdbe8deb0c413 upstream.
+
+Guenter Roeck reported an interrupt storm on a prototype system which is
+based on Cyan Chromebook. The root cause turned out to be a incorrectly
+configured pin that triggers spurious interrupts. This will be fixed in
+coreboot but currently we need to prevent the interrupt storm from
+happening by masking all interrupts (but not GPEs) on those systems.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=197953
+Fixes: bcb48cca23ec ("pinctrl: cherryview: Do not mask all interrupts in probe")
+Reported-and-tested-by: Guenter Roeck <linux@roeck-us.net>
+Reported-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/intel/pinctrl-cherryview.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/pinctrl/intel/pinctrl-cherryview.c
++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c
+@@ -1466,6 +1466,22 @@ static int chv_gpio_probe(struct chv_pin
+ offset += range->npins;
+ }
+
++ /*
++ * The same set of machines in chv_no_valid_mask[] have incorrectly
++ * configured GPIOs that generate spurious interrupts so we use
++ * this same list to apply another quirk for them.
++ *
++ * See also https://bugzilla.kernel.org/show_bug.cgi?id=197953.
++ */
++ if (!need_valid_mask) {
++ /*
++ * Mask all interrupts the community is able to generate
++ * but leave the ones that can only generate GPEs unmasked.
++ */
++ chv_writel(GENMASK(31, pctrl->community->nirqs),
++ pctrl->regs + CHV_INTMASK);
++ }
++
+ /* Clear all interrupts */
+ chv_writel(0xffff, pctrl->regs + CHV_INTSTAT);
+
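Review bot: `GENMASK(31, pctrl->community->nirqs)` is only well defined while `nirqs` is at most 31; the per-community value is not visible here, so a guard or a comment stating that bound would help. The comment says interrupts are masked, yet the code sets the upper bits and clears the low `nirqs` bits of `CHV_INTMASK`, so the register polarity (presumably a cleared bit means masked) should be spelled out. Keying this quirk on `!need_valid_mask` also ties two unrelated workarounds to one flag; a separate, descriptively named condition would be easier to audit.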
--- /dev/null
+From f41d84dddc66b164ac16acf3f584c276146f1c48 Mon Sep 17 00:00:00 2001
+From: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
+Date: Tue, 12 Dec 2017 17:59:15 +0530
+Subject: powerpc/perf: Dereference BHRB entries safely
+
+From: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
+
+commit f41d84dddc66b164ac16acf3f584c276146f1c48 upstream.
+
+It's theoretically possible that branch instructions recorded in
+BHRB (Branch History Rolling Buffer) entries have already been
+unmapped before they are processed by the kernel. Hence, trying to
+dereference such memory location will result in a crash. eg:
+
+ Unable to handle kernel paging request for data at address 0xd000000019c41764
+ Faulting instruction address: 0xc000000000084a14
+ NIP [c000000000084a14] branch_target+0x4/0x70
+ LR [c0000000000eb828] record_and_restart+0x568/0x5c0
+ Call Trace:
+ [c0000000000eb3b4] record_and_restart+0xf4/0x5c0 (unreliable)
+ [c0000000000ec378] perf_event_interrupt+0x298/0x460
+ [c000000000027964] performance_monitor_exception+0x54/0x70
+ [c000000000009ba4] performance_monitor_common+0x114/0x120
+
+Fix it by deferefencing the addresses safely.
+
+Fixes: 691231846ceb ("powerpc/perf: Fix setting of "to" addresses for BHRB")
+Suggested-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
+Reviewed-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+[mpe: Use probe_kernel_read() which is clearer, tweak change log]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/perf/core-book3s.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/perf/core-book3s.c
++++ b/arch/powerpc/perf/core-book3s.c
+@@ -401,8 +401,12 @@ static __u64 power_pmu_bhrb_to(u64 addr)
+ int ret;
+ __u64 target;
+
+- if (is_kernel_addr(addr))
+- return branch_target((unsigned int *)addr);
++ if (is_kernel_addr(addr)) {
++ if (probe_kernel_read(&instr, (void *)addr, sizeof(instr)))
++ return 0;
++
++ return branch_target(&instr);
++ }
+
+ /* Userspace: need copy instruction here then translate it */
+ pagefault_disable();
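Review bot: `branch_target(&instr)` is now handed the address of a local copy rather than the original instruction address `addr`. If `branch_target()` resolves relative branches against the pointer it receives (its body is not visible here), the kernel-address path would return a target computed relative to the stack copy, which would be wrong and would pass a stack-derived value to whatever consumes the result. It is worth confirming that, and translating the result back relative to `addr` if so. The `return 0` on a failed `probe_kernel_read()` should also get a comment saying that 0 means the target is unknown. The declaration of `instr` and the rest of power_pmu_bhrb_to() are outside the hunk.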
--- /dev/null
+acpi-apei-erst-fix-missing-error-handling-in-erst_reader.patch
+crypto-mcryptd-protect-the-per-cpu-queue-with-a-lock.patch
+mfd-cros-ec-spi-don-t-send-first-message-too-soon.patch
+mfd-twl4030-audio-fix-sibling-node-lookup.patch
+mfd-twl6040-fix-child-node-lookup.patch
+alsa-rawmidi-avoid-racy-info-ioctl-via-ctl-device.patch
+alsa-usb-audio-fix-the-missing-ctl-name-suffix-at-parsing-su.patch
+pci-pm-force-devices-to-d0-in-pci_pm_thaw_noirq.patch
+parisc-hide-diva-built-in-serial-aux-and-graphics-card.patch
+spi-xilinx-detect-stall-with-unknown-commands.patch
+pinctrl-cherryview-mask-all-interrupts-on-intel_strago-based-systems.patch
+kvm-x86-fix-load-rflags-w-o-the-fixed-bit.patch
+kvm-x86-fix-rsm-when-pcid-is-non-zero.patch
+powerpc-perf-dereference-bhrb-entries-safely.patch
+net-mvneta-clear-interface-link-status-on-port-disable.patch
--- /dev/null
+From 5a1314fa697fc65cefaba64cd4699bfc3e6882a6 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ricardo.ribalda@gmail.com>
+Date: Tue, 21 Nov 2017 10:09:02 +0100
+Subject: spi: xilinx: Detect stall with Unknown commands
+
+From: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
+
+commit 5a1314fa697fc65cefaba64cd4699bfc3e6882a6 upstream.
+
+When the core is configured in C_SPI_MODE > 0, it integrates a
+lookup table that automatically configures the core in dual or quad mode
+based on the command (first byte on the tx fifo).
+
+Unfortunately, that list mode_?_memoy_*.mif does not contain all the
+supported commands by the flash.
+
+Since 4.14 spi-nor automatically tries to probe the flash using SFDP
+(command 0x5a), and that command is not part of the list_mode table.
+
+Whit the right combination of C_SPI_MODE and C_SPI_MEMORY this leads
+into a stall that can only be recovered with a soft rest.
+
+This patch detects this kind of stall and returns -EIO to the caller on
+those commands. spi-nor can handle this error properly:
+
+m25p80 spi0.0: Detected stall. Check C_SPI_MODE and C_SPI_MEMORY. 0x21 0x2404
+m25p80 spi0.0: SPI transfer failed: -5
+spi_master spi0: failed to transfer one message from queue
+m25p80 spi0.0: s25sl064p (8192 Kbytes)
+
+Signed-off-by: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-xilinx.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/spi/spi-xilinx.c
++++ b/drivers/spi/spi-xilinx.c
+@@ -271,6 +271,7 @@ static int xilinx_spi_txrx_bufs(struct s
+ while (remaining_words) {
+ int n_words, tx_words, rx_words;
+ u32 sr;
++ int stalled;
+
+ n_words = min(remaining_words, xspi->buffer_size);
+
+@@ -299,7 +300,17 @@ static int xilinx_spi_txrx_bufs(struct s
+
+ /* Read out all the data from the Rx FIFO */
+ rx_words = n_words;
++ stalled = 10;
+ while (rx_words) {
++ if (rx_words == n_words && !(stalled--) &&
++ !(sr & XSPI_SR_TX_EMPTY_MASK) &&
++ (sr & XSPI_SR_RX_EMPTY_MASK)) {
++ dev_err(&spi->dev,
++ "Detected stall. Check C_SPI_MODE and C_SPI_MEMORY\n");
++ xspi_init_hw(xspi);
++ return -EIO;
++ }
++
+ if ((sr & XSPI_SR_TX_EMPTY_MASK) && (rx_words > 1)) {
+ xilinx_spi_rx(xspi);
+ rx_words--;
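Review bot: The stall test `!(stalled--)` is true on exactly one pass, when the counter reaches zero; afterwards `stalled` goes negative and the check can never fire again. If `sr` does not show the stall pattern on that single pass, the read loop has no remaining bound, so the counter should saturate instead, for example `(stalled == 0 || --stalled == 0)` in place of `!(stalled--)`. The initial value `10` is a count of loop passes rather than a time, and would be clearer as a named constant with a comment saying how it was chosen. The loop body, including where `sr` is re-read, continues outside this hunk.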