3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 10 Apr 2018 12:32:57 +0000 (14:32 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 10 Apr 2018 12:32:57 +0000 (14:32 +0200)
added patches:
acpica-disassembler-abort-on-an-invalid-unknown-aml-opcode.patch
acpica-events-add-runtime-stub-support-for-event-apis.patch
af_key-fix-slab-out-of-bounds-in-pfkey_compile_policy.patch
arm-davinci-da8xx-create-dsp-device-only-when-assigned-memory.patch
arm-dts-imx6qdl-wandboard-fix-audio-channel-swap.patch
arm64-futex-fix-undefined-behaviour-with-futex_op_oparg_shift-usage.patch
async_tx-fix-dma_prep_fence-usage-in-do_async_gen_syndrome.patch
ata-libahci-properly-propagate-return-value-of-platform_get_irq.patch
ath5k-fix-memory-leak-on-buf-on-failed-eeprom-read.patch
bcache-segregate-flash-only-volume-write-streams.patch
bcache-stop-writeback-thread-after-detaching.patch
bio-integrity-do-not-allocate-integrity-context-for-bio-w-o-data.patch
block-fix-an-error-code-in-add_partition.patch
bluetooth-send-hci-set-event-mask-page-2-command-only-when-needed.patch
bna-avoid-reading-past-end-of-buffer.patch
bnx2x-allow-vfs-to-disable-txvlan-offload.patch
bonding-don-t-update-slave-link-until-ready-to-commit.patch
btrfs-fix-incorrect-error-return-ret-being-passed-to-mapping_set_error.patch
cifs-silence-lockdep-splat-in-cifs_relock_file.patch
cx25840-fix-unchecked-return-values.patch
drm-omap-fix-tiled-buffer-stride-calculations.patch
e1000e-fix-race-condition-around-skb_tstamp_tx.patch
e1000e-undo-e1000e_pm_freeze-if-__e1000_shutdown-fails.patch
edac-mv64x60-fix-an-error-handling-path.patch
ext4-fix-off-by-one-on-max-nr_pages-in-ext4_find_unwritten_pgoff.patch
fix-race-in-drivers-char-random.c-get_reg.patch
fix-serial-console-on-sni-rm400-machines.patch
hdlcdrv-fix-divide-by-zero-in-hdlcdrv_ioctl.patch
ib-srpt-fix-abort-handling.patch
iio-magnetometer-st_magn_spi-fix-spi_device_id-table.patch
ipsec-check-return-value-of-skb_to_sgvec-always.patch
ipv6-avoid-dad-failures-for-addresses-with-nodad.patch
kvm-nvmx-fix-handling-of-lmsw-instruction.patch
kvm-ppc-book3s-pr-check-copy_to-from_user-return-values.patch
kvm-svm-do-not-zero-out-segment-attributes-if-segment-is-unusable-or-not-present.patch
l2tp-fix-missing-print-session-offset-info.patch
leds-pca955x-correct-i2c-functionality.patch
libceph-null-deref-on-crush_decode-error-path.patch
lockd-fix-lockd-shutdown-race.patch
mac80211-bail-out-from-prep_connection-if-a-reconfig-is-ongoing.patch
mceusb-sporadic-rx-truncation-corruption-fix.patch
mips-kprobes-flush_insn_slot-should-flush-only-if-probe-initialised.patch
mips-mm-fixed-mappings-correct-initialisation.patch
misdn-fix-a-sleep-in-atomic-bug.patch
neighbour-update-neigh-timestamps-iff-update-is-effective.patch
net-emac-fix-reset-timeout-with-ar8035-phy.patch
net-ethernet-ti-cpsw-adjust-cpsw-fifos-depth-for-fullduplex-flow-control.patch
net-freescale-fix-potential-null-pointer-dereference.patch
net-llc-add-lock_sock-in-llc_ui_bind-to-avoid-a-race-condition.patch
net-mlx4-fix-the-check-in-attaching-steering-rules.patch
net-mlx4_en-avoid-adding-steering-rules-with-invalid-ring.patch
net-move-somaxconn-init-from-sysctl-code.patch
net-phy-avoid-genphy_aneg_done-for-phys-without-clause-22-support.patch
net-qca_spi-fix-alignment-issues-in-rx-path.patch
net-x25-fix-one-potential-use-after-free-issue.patch
netfilter-ctnetlink-fix-incorrect-nf_ct_put-during-hash-resize.patch
netxen_nic-set-rcode-to-the-return-status-from-the-call-to-netxen_issue_cmd.patch
nfsv4.1-reclaim_complete-must-handle-nfs4err_conn_not_bound_to_session.patch
ovl-filter-trusted-xattr-for-non-admin.patch
perf-core-correct-event-creation-with-perf_format_group.patch
perf-report-ensure-the-perf-dso-mapping-matches-what-libdw-sees.patch
perf-tests-decompress-kernel-module-before-objdump.patch
perf-trace-add-mmap-alias-for-s390.patch
pidns-disable-pid-allocation-if-pid_ns_prepare_proc-is-failed-in-alloc_pid.patch
powercap-fix-an-error-code-in-powercap_register_zone.patch
powerpc-don-t-clobber-tcr-when-setting-tcr.patch
powerpc-spufs-fix-coredump-of-spu-contexts.patch
qlcnic-fix-a-sleep-in-atomic-bug-in-qlcnic_82xx_hw_write_wx_2m-and-qlcnic_82xx_hw_read_wx_2m.patch
qlge-avoid-reading-past-end-of-buffer.patch
ray_cs-avoid-reading-past-end-of-buffer.patch
rtc-interface-validate-alarm-time-before-handling-rollover.patch
rxrpc-check-return-value-of-skb_to_sgvec-always.patch
s390-move-_text-symbol-to-address-higher-than-zero.patch
scsi-bnx2fc-fix-race-condition-in-bnx2fc_get_host_stats.patch
scsi-libiscsi-allow-sd_shutdown-on-bad-transport.patch
scsi-libsas-fix-error-when-getting-phy-events.patch
scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_events.patch
scsi-libsas-initialize-sas_phy-status-according-to-response-of-discover.patch
sctp-fix-recursive-locking-warning-in-sctp_do_peeloff.patch
selftests-powerpc-fix-tm-resched-dscr-test-with-some-compilers.patch
sh_eth-use-platform-device-for-printing-before-register_netdev.patch
signal-arm-document-conflicts-with-si_user-and-sigfpe.patch
signal-metag-document-a-conflict-with-si_user-with-sigfpe.patch
signal-powerpc-document-conflicts-with-si_user-and-sigfpe-and-sigtrap.patch
skbuff-return-emsgsize-in-skb_to_sgvec-to-prevent-overflow.patch
smb2-fix-share-type-handling.patch
sparc64-ldc-abort-during-vds-iso-boot.patch
staging-wlan-ng-prism2mgmt.c-fixed-a-double-endian-conversion-before-calling-hfa384x_drvr_setconfig16-also-fixes-relative-sparse-warning.patch
tags-honor-compiled_source-with-apart-output-directory.patch
tty-n_gsm-allow-adm-response-in-addition-to-ua-for-control-dlci.patch
usb-chipidea-properly-handle-host-or-gadget-initialization-failure.patch
usb-dwc3-keystone-check-return-value.patch
usb-ene_usb6250-fix-first-command-execution.patch
usb-ene_usb6250-fix-scsi-residue-overwriting.patch
vfb-fix-video-mode-and-line_length-being-set-when-loaded.patch
virtio_net-check-return-value-of-skb_to_sgvec-always.patch
virtio_net-check-return-value-of-skb_to_sgvec-in-one-more-location.patch
vmxnet3-ensure-that-adapter-is-in-proper-state-during-force_close.patch
vxlan-dont-migrate-permanent-fdb-entries-during-learn.patch
wl1251-check-return-from-call-to-wl1251_acx_arp_ip_filter.patch
x86-tsc-provide-tsc-unstable-boot-parameter.patch
xen-avoid-type-warning-in-xchg_xen_ulong.patch
xfrm-fix-state-migration-copy-replay-sequence-numbers.patch

104 files changed:
queue-3.18/acpica-disassembler-abort-on-an-invalid-unknown-aml-opcode.patch [new file with mode: 0644]
queue-3.18/acpica-events-add-runtime-stub-support-for-event-apis.patch [new file with mode: 0644]
queue-3.18/af_key-fix-slab-out-of-bounds-in-pfkey_compile_policy.patch [new file with mode: 0644]
queue-3.18/arm-davinci-da8xx-create-dsp-device-only-when-assigned-memory.patch [new file with mode: 0644]
queue-3.18/arm-dts-imx6qdl-wandboard-fix-audio-channel-swap.patch [new file with mode: 0644]
queue-3.18/arm64-futex-fix-undefined-behaviour-with-futex_op_oparg_shift-usage.patch [new file with mode: 0644]
queue-3.18/async_tx-fix-dma_prep_fence-usage-in-do_async_gen_syndrome.patch [new file with mode: 0644]
queue-3.18/ata-libahci-properly-propagate-return-value-of-platform_get_irq.patch [new file with mode: 0644]
queue-3.18/ath5k-fix-memory-leak-on-buf-on-failed-eeprom-read.patch [new file with mode: 0644]
queue-3.18/bcache-segregate-flash-only-volume-write-streams.patch [new file with mode: 0644]
queue-3.18/bcache-stop-writeback-thread-after-detaching.patch [new file with mode: 0644]
queue-3.18/bio-integrity-do-not-allocate-integrity-context-for-bio-w-o-data.patch [new file with mode: 0644]
queue-3.18/block-fix-an-error-code-in-add_partition.patch [new file with mode: 0644]
queue-3.18/bluetooth-send-hci-set-event-mask-page-2-command-only-when-needed.patch [new file with mode: 0644]
queue-3.18/bna-avoid-reading-past-end-of-buffer.patch [new file with mode: 0644]
queue-3.18/bnx2x-allow-vfs-to-disable-txvlan-offload.patch [new file with mode: 0644]
queue-3.18/bonding-don-t-update-slave-link-until-ready-to-commit.patch [new file with mode: 0644]
queue-3.18/btrfs-fix-incorrect-error-return-ret-being-passed-to-mapping_set_error.patch [new file with mode: 0644]
queue-3.18/cifs-silence-lockdep-splat-in-cifs_relock_file.patch [new file with mode: 0644]
queue-3.18/cx25840-fix-unchecked-return-values.patch [new file with mode: 0644]
queue-3.18/drm-omap-fix-tiled-buffer-stride-calculations.patch [new file with mode: 0644]
queue-3.18/e1000e-fix-race-condition-around-skb_tstamp_tx.patch [new file with mode: 0644]
queue-3.18/e1000e-undo-e1000e_pm_freeze-if-__e1000_shutdown-fails.patch [new file with mode: 0644]
queue-3.18/edac-mv64x60-fix-an-error-handling-path.patch [new file with mode: 0644]
queue-3.18/ext4-fix-off-by-one-on-max-nr_pages-in-ext4_find_unwritten_pgoff.patch [new file with mode: 0644]
queue-3.18/fix-race-in-drivers-char-random.c-get_reg.patch [new file with mode: 0644]
queue-3.18/fix-serial-console-on-sni-rm400-machines.patch [new file with mode: 0644]
queue-3.18/hdlcdrv-fix-divide-by-zero-in-hdlcdrv_ioctl.patch [new file with mode: 0644]
queue-3.18/ib-srpt-fix-abort-handling.patch [new file with mode: 0644]
queue-3.18/iio-magnetometer-st_magn_spi-fix-spi_device_id-table.patch [new file with mode: 0644]
queue-3.18/ipsec-check-return-value-of-skb_to_sgvec-always.patch [new file with mode: 0644]
queue-3.18/ipv6-avoid-dad-failures-for-addresses-with-nodad.patch [new file with mode: 0644]
queue-3.18/kvm-nvmx-fix-handling-of-lmsw-instruction.patch [new file with mode: 0644]
queue-3.18/kvm-ppc-book3s-pr-check-copy_to-from_user-return-values.patch [new file with mode: 0644]
queue-3.18/kvm-svm-do-not-zero-out-segment-attributes-if-segment-is-unusable-or-not-present.patch [new file with mode: 0644]
queue-3.18/l2tp-fix-missing-print-session-offset-info.patch [new file with mode: 0644]
queue-3.18/leds-pca955x-correct-i2c-functionality.patch [new file with mode: 0644]
queue-3.18/libceph-null-deref-on-crush_decode-error-path.patch [new file with mode: 0644]
queue-3.18/lockd-fix-lockd-shutdown-race.patch [new file with mode: 0644]
queue-3.18/mac80211-bail-out-from-prep_connection-if-a-reconfig-is-ongoing.patch [new file with mode: 0644]
queue-3.18/mceusb-sporadic-rx-truncation-corruption-fix.patch [new file with mode: 0644]
queue-3.18/mips-kprobes-flush_insn_slot-should-flush-only-if-probe-initialised.patch [new file with mode: 0644]
queue-3.18/mips-mm-fixed-mappings-correct-initialisation.patch [new file with mode: 0644]
queue-3.18/misdn-fix-a-sleep-in-atomic-bug.patch [new file with mode: 0644]
queue-3.18/neighbour-update-neigh-timestamps-iff-update-is-effective.patch [new file with mode: 0644]
queue-3.18/net-emac-fix-reset-timeout-with-ar8035-phy.patch [new file with mode: 0644]
queue-3.18/net-ethernet-ti-cpsw-adjust-cpsw-fifos-depth-for-fullduplex-flow-control.patch [new file with mode: 0644]
queue-3.18/net-freescale-fix-potential-null-pointer-dereference.patch [new file with mode: 0644]
queue-3.18/net-llc-add-lock_sock-in-llc_ui_bind-to-avoid-a-race-condition.patch [new file with mode: 0644]
queue-3.18/net-mlx4-fix-the-check-in-attaching-steering-rules.patch [new file with mode: 0644]
queue-3.18/net-mlx4_en-avoid-adding-steering-rules-with-invalid-ring.patch [new file with mode: 0644]
queue-3.18/net-move-somaxconn-init-from-sysctl-code.patch [new file with mode: 0644]
queue-3.18/net-phy-avoid-genphy_aneg_done-for-phys-without-clause-22-support.patch [new file with mode: 0644]
queue-3.18/net-qca_spi-fix-alignment-issues-in-rx-path.patch [new file with mode: 0644]
queue-3.18/net-x25-fix-one-potential-use-after-free-issue.patch [new file with mode: 0644]
queue-3.18/netfilter-ctnetlink-fix-incorrect-nf_ct_put-during-hash-resize.patch [new file with mode: 0644]
queue-3.18/netxen_nic-set-rcode-to-the-return-status-from-the-call-to-netxen_issue_cmd.patch [new file with mode: 0644]
queue-3.18/nfsv4.1-reclaim_complete-must-handle-nfs4err_conn_not_bound_to_session.patch [new file with mode: 0644]
queue-3.18/ovl-filter-trusted-xattr-for-non-admin.patch [new file with mode: 0644]
queue-3.18/perf-core-correct-event-creation-with-perf_format_group.patch [new file with mode: 0644]
queue-3.18/perf-report-ensure-the-perf-dso-mapping-matches-what-libdw-sees.patch [new file with mode: 0644]
queue-3.18/perf-tests-decompress-kernel-module-before-objdump.patch [new file with mode: 0644]
queue-3.18/perf-trace-add-mmap-alias-for-s390.patch [new file with mode: 0644]
queue-3.18/pidns-disable-pid-allocation-if-pid_ns_prepare_proc-is-failed-in-alloc_pid.patch [new file with mode: 0644]
queue-3.18/powercap-fix-an-error-code-in-powercap_register_zone.patch [new file with mode: 0644]
queue-3.18/powerpc-don-t-clobber-tcr-when-setting-tcr.patch [new file with mode: 0644]
queue-3.18/powerpc-spufs-fix-coredump-of-spu-contexts.patch [new file with mode: 0644]
queue-3.18/qlcnic-fix-a-sleep-in-atomic-bug-in-qlcnic_82xx_hw_write_wx_2m-and-qlcnic_82xx_hw_read_wx_2m.patch [new file with mode: 0644]
queue-3.18/qlge-avoid-reading-past-end-of-buffer.patch [new file with mode: 0644]
queue-3.18/ray_cs-avoid-reading-past-end-of-buffer.patch [new file with mode: 0644]
queue-3.18/rtc-interface-validate-alarm-time-before-handling-rollover.patch [new file with mode: 0644]
queue-3.18/rxrpc-check-return-value-of-skb_to_sgvec-always.patch [new file with mode: 0644]
queue-3.18/s390-move-_text-symbol-to-address-higher-than-zero.patch [new file with mode: 0644]
queue-3.18/scsi-bnx2fc-fix-race-condition-in-bnx2fc_get_host_stats.patch [new file with mode: 0644]
queue-3.18/scsi-libiscsi-allow-sd_shutdown-on-bad-transport.patch [new file with mode: 0644]
queue-3.18/scsi-libsas-fix-error-when-getting-phy-events.patch [new file with mode: 0644]
queue-3.18/scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_events.patch [new file with mode: 0644]
queue-3.18/scsi-libsas-initialize-sas_phy-status-according-to-response-of-discover.patch [new file with mode: 0644]
queue-3.18/sctp-fix-recursive-locking-warning-in-sctp_do_peeloff.patch [new file with mode: 0644]
queue-3.18/selftests-powerpc-fix-tm-resched-dscr-test-with-some-compilers.patch [new file with mode: 0644]
queue-3.18/series [new file with mode: 0644]
queue-3.18/sh_eth-use-platform-device-for-printing-before-register_netdev.patch [new file with mode: 0644]
queue-3.18/signal-arm-document-conflicts-with-si_user-and-sigfpe.patch [new file with mode: 0644]
queue-3.18/signal-metag-document-a-conflict-with-si_user-with-sigfpe.patch [new file with mode: 0644]
queue-3.18/signal-powerpc-document-conflicts-with-si_user-and-sigfpe-and-sigtrap.patch [new file with mode: 0644]
queue-3.18/skbuff-return-emsgsize-in-skb_to_sgvec-to-prevent-overflow.patch [new file with mode: 0644]
queue-3.18/smb2-fix-share-type-handling.patch [new file with mode: 0644]
queue-3.18/sparc64-ldc-abort-during-vds-iso-boot.patch [new file with mode: 0644]
queue-3.18/staging-wlan-ng-prism2mgmt.c-fixed-a-double-endian-conversion-before-calling-hfa384x_drvr_setconfig16-also-fixes-relative-sparse-warning.patch [new file with mode: 0644]
queue-3.18/tags-honor-compiled_source-with-apart-output-directory.patch [new file with mode: 0644]
queue-3.18/tty-n_gsm-allow-adm-response-in-addition-to-ua-for-control-dlci.patch [new file with mode: 0644]
queue-3.18/usb-chipidea-properly-handle-host-or-gadget-initialization-failure.patch [new file with mode: 0644]
queue-3.18/usb-dwc3-keystone-check-return-value.patch [new file with mode: 0644]
queue-3.18/usb-ene_usb6250-fix-first-command-execution.patch [new file with mode: 0644]
queue-3.18/usb-ene_usb6250-fix-scsi-residue-overwriting.patch [new file with mode: 0644]
queue-3.18/vfb-fix-video-mode-and-line_length-being-set-when-loaded.patch [new file with mode: 0644]
queue-3.18/virtio_net-check-return-value-of-skb_to_sgvec-always.patch [new file with mode: 0644]
queue-3.18/virtio_net-check-return-value-of-skb_to_sgvec-in-one-more-location.patch [new file with mode: 0644]
queue-3.18/vmxnet3-ensure-that-adapter-is-in-proper-state-during-force_close.patch [new file with mode: 0644]
queue-3.18/vxlan-dont-migrate-permanent-fdb-entries-during-learn.patch [new file with mode: 0644]
queue-3.18/wl1251-check-return-from-call-to-wl1251_acx_arp_ip_filter.patch [new file with mode: 0644]
queue-3.18/x86-tsc-provide-tsc-unstable-boot-parameter.patch [new file with mode: 0644]
queue-3.18/xen-avoid-type-warning-in-xchg_xen_ulong.patch [new file with mode: 0644]
queue-3.18/xfrm-fix-state-migration-copy-replay-sequence-numbers.patch [new file with mode: 0644]

diff --git a/queue-3.18/acpica-disassembler-abort-on-an-invalid-unknown-aml-opcode.patch b/queue-3.18/acpica-disassembler-abort-on-an-invalid-unknown-aml-opcode.patch
new file mode 100644 (file)
index 0000000..d106b8d
--- /dev/null
@@ -0,0 +1,67 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Bob Moore <robert.moore@intel.com>
+Date: Mon, 5 Jun 2017 16:40:34 +0800
+Subject: ACPICA: Disassembler: Abort on an invalid/unknown AML opcode
+
+From: Bob Moore <robert.moore@intel.com>
+
+
+[ Upstream commit 6f0527b77d9e0129dd8e50945b0d610ed943d6b2 ]
+
+ACPICA commit ed0389cb11a61e63c568ac1f67948fc6a7bd1aeb
+
+An invalid opcode indicates something seriously wrong with the
+input AML file. The AML parser is immediately confused and lost,
+causing the resulting parse tree to be ill-formed. The actual
+disassembly can then cause numerous unrelated errors and faults.
+
+This change aborts the disassembly upon discovery of such an
+opcode during the AML parse phase.
+
+Link: https://github.com/acpica/acpica/commit/ed0389cb
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Lv Zheng <lv.zheng@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpica/psobject.c |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/acpi/acpica/psobject.c
++++ b/drivers/acpi/acpica/psobject.c
+@@ -118,6 +118,9 @@ static acpi_status acpi_ps_get_aml_opcod
+                            (u32)(walk_state->aml_offset +
+                                  sizeof(struct acpi_table_header)));
++                      ACPI_ERROR((AE_INFO,
++                                  "Aborting disassembly, AML byte code is corrupt"));
++
+                       /* Dump the context surrounding the invalid opcode */
+                       acpi_ut_dump_buffer(((u8 *)walk_state->parser_state.
+@@ -126,6 +129,14 @@ static acpi_status acpi_ps_get_aml_opcod
+                                            sizeof(struct acpi_table_header) -
+                                            16));
+                       acpi_os_printf(" */\n");
++
++                      /*
++                       * Just abort the disassembly, cannot continue because the
++                       * parser is essentially lost. The disassembler can then
++                       * randomly fail because an ill-constructed parse tree
++                       * can result.
++                       */
++                      return_ACPI_STATUS(AE_AML_BAD_OPCODE);
+ #endif
+               }
+@@ -290,6 +301,9 @@ acpi_ps_create_op(struct acpi_walk_state
+       if (status == AE_CTRL_PARSE_CONTINUE) {
+               return_ACPI_STATUS(AE_CTRL_PARSE_CONTINUE);
+       }
++      if (ACPI_FAILURE(status)) {
++              return_ACPI_STATUS(status);
++      }
+       /* Create Op structure and append to parent's argument list */
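Review bot: The new `return_ACPI_STATUS(AE_AML_BAD_OPCODE);` in acpi_ps_get_aml_opcode sits directly above `#endif`, so the abort exists only in builds where the enclosing conditional, opened outside this hunk, is true. Other builds keep whatever handling follows that block for an invalid opcode. The comment above the return should say so, for example `/* Only compiled under the conditional above; other builds do not abort here */`, with the wording checked against the actual `#if` line. The unconditional `if (ACPI_FAILURE(status))` added in acpi_ps_create_op propagates every failure status from the preceding call, not only this new one, which looks intended but deserves a one-line comment. Both functions start and end outside the hunks shown.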
diff --git a/queue-3.18/acpica-events-add-runtime-stub-support-for-event-apis.patch b/queue-3.18/acpica-events-add-runtime-stub-support-for-event-apis.patch
new file mode 100644 (file)
index 0000000..b0718a7
--- /dev/null
@@ -0,0 +1,71 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Lv Zheng <lv.zheng@intel.com>
+Date: Mon, 5 Jun 2017 16:40:02 +0800
+Subject: ACPICA: Events: Add runtime stub support for event APIs
+
+From: Lv Zheng <lv.zheng@intel.com>
+
+
+[ Upstream commit 861ba6351c520328e94a78c923b415faa9116287 ]
+
+ACPICA commit 99bc3beca92c6574ea1d69de42e54f872e6373ce
+
+It is reported that on Linux, RTC driver complains wrong errors on
+hardware reduced platform:
+  [    4.085420] ACPI Warning: Could not enable fixed event - real_time_clock (4) (20160422/evxface-654)
+
+This patch fixes this by correctly adding runtime reduced hardware check.
+Reported by Chandan Tagore, fixed by Lv Zheng.
+
+Link: https://github.com/acpica/acpica/commit/99bc3bec
+Tested-by: Chandan Tagore <tagore.chandan@gmail.com>
+Signed-off-by: Lv Zheng <lv.zheng@intel.com>
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpica/evxfevnt.c |   18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/acpi/acpica/evxfevnt.c
++++ b/drivers/acpi/acpica/evxfevnt.c
+@@ -180,6 +180,12 @@ acpi_status acpi_enable_event(u32 event,
+       ACPI_FUNCTION_TRACE(acpi_enable_event);
++      /* If Hardware Reduced flag is set, there are no fixed events */
++
++      if (acpi_gbl_reduced_hardware) {
++              return_ACPI_STATUS(AE_OK);
++      }
++
+       /* Decode the Fixed Event */
+       if (event > ACPI_EVENT_MAX) {
+@@ -237,6 +243,12 @@ acpi_status acpi_disable_event(u32 event
+       ACPI_FUNCTION_TRACE(acpi_disable_event);
++      /* If Hardware Reduced flag is set, there are no fixed events */
++
++      if (acpi_gbl_reduced_hardware) {
++              return_ACPI_STATUS(AE_OK);
++      }
++
+       /* Decode the Fixed Event */
+       if (event > ACPI_EVENT_MAX) {
+@@ -290,6 +302,12 @@ acpi_status acpi_clear_event(u32 event)
+       ACPI_FUNCTION_TRACE(acpi_clear_event);
++      /* If Hardware Reduced flag is set, there are no fixed events */
++
++      if (acpi_gbl_reduced_hardware) {
++              return_ACPI_STATUS(AE_OK);
++      }
++
+       /* Decode the Fixed Event */
+       if (event > ACPI_EVENT_MAX) {
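Review bot: In acpi_enable_event, acpi_disable_event and acpi_clear_event the added `if (acpi_gbl_reduced_hardware)` return comes before the `event > ACPI_EVENT_MAX` range check, so on a hardware-reduced platform an out-of-range `event` gets AE_OK instead of the result of the range check. If argument validation should not depend on the platform, move the added block below the range check in all three functions. Returning AE_OK also tells the caller the event was enabled, disabled or cleared when nothing happened. If that is the intended stub contract, the comment could read `/* If Hardware Reduced flag is set, there are no fixed events; report success as a no-op */`. The three function bodies continue outside the hunks.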
diff --git a/queue-3.18/af_key-fix-slab-out-of-bounds-in-pfkey_compile_policy.patch b/queue-3.18/af_key-fix-slab-out-of-bounds-in-pfkey_compile_policy.patch
new file mode 100644 (file)
index 0000000..e478ba6
--- /dev/null
@@ -0,0 +1,36 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Fri, 5 May 2017 07:40:42 +0200
+Subject: af_key: Fix slab-out-of-bounds in pfkey_compile_policy.
+
+From: Steffen Klassert <steffen.klassert@secunet.com>
+
+
+[ Upstream commit d90c902449a7561f1b1d58ba5a0d11728ce8b0b2 ]
+
+The sadb_x_sec_len is stored in the unit 'byte divided by eight'.
+So we have to multiply this value by eight before we can do
+size checks. Otherwise we may get a slab-out-of-bounds when
+we memcpy the user sec_ctx.
+
+Fixes: df71837d502 ("[LSM-IPSec]: Security association restriction.")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/key/af_key.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -3301,7 +3301,7 @@ static struct xfrm_policy *pfkey_compile
+               p += pol->sadb_x_policy_len*8;
+               sec_ctx = (struct sadb_x_sec_ctx *)p;
+               if (len < pol->sadb_x_policy_len*8 +
+-                  sec_ctx->sadb_x_sec_len) {
++                  sec_ctx->sadb_x_sec_len*8) {
+                       *dir = -EINVAL;
+                       goto out;
+               }
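Review bot: The corrected bound in pfkey_compile_policy, `len < pol->sadb_x_policy_len*8 + sec_ctx->sadb_x_sec_len*8`, depends on both fields being counted in 8-byte units, and nothing at the check says so; a missed unit conversion is exactly what this patch repairs. I would add `/* sadb_x_policy_len and sadb_x_sec_len are in units of 8 bytes */` above the `if`. The check only bounds the declared extension size against `len`. The hunk does not show whether the context length used by the later copy is itself compared with `sadb_x_sec_len*8`, nor whether `len` was already verified to cover the sec_ctx header before `sec_ctx->sadb_x_sec_len` is read, so both are worth confirming in the surrounding code. The function starts and ends outside the hunk.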
diff --git a/queue-3.18/arm-davinci-da8xx-create-dsp-device-only-when-assigned-memory.patch b/queue-3.18/arm-davinci-da8xx-create-dsp-device-only-when-assigned-memory.patch
new file mode 100644 (file)
index 0000000..c3d0b84
--- /dev/null
@@ -0,0 +1,60 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Suman Anna <s-anna@ti.com>
+Date: Tue, 16 May 2017 17:13:45 -0500
+Subject: ARM: davinci: da8xx: Create DSP device only when assigned memory
+
+From: Suman Anna <s-anna@ti.com>
+
+
+[ Upstream commit f97f03578b997a8ec2b9bc4928f958a865137268 ]
+
+The DSP device on Davinci platforms does not have an MMU and requires
+specific DDR memory to boot. This memory is reserved using the rproc_mem
+kernel boot parameter and is assigned to the device on non-DT boots.
+The remoteproc core uses the DMA API and so will fall back to assigning
+random memory if this memory is not assigned to the device, but the DSP
+remote processor boot will not be successful in such cases. So, check
+that memory has been reserved and assigned to the device specifically
+before even creating the DSP device.
+
+Signed-off-by: Suman Anna <s-anna@ti.com>
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-davinci/devices-da8xx.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/arm/mach-davinci/devices-da8xx.c
++++ b/arch/arm/mach-davinci/devices-da8xx.c
+@@ -761,6 +761,8 @@ static struct platform_device da8xx_dsp
+       .resource       = da8xx_rproc_resources,
+ };
++static bool rproc_mem_inited __initdata;
++
+ #if IS_ENABLED(CONFIG_DA8XX_REMOTEPROC)
+ static phys_addr_t rproc_base __initdata;
+@@ -799,6 +801,8 @@ void __init da8xx_rproc_reserve_cma(void
+       ret = dma_declare_contiguous(&da8xx_dsp.dev, rproc_size, rproc_base, 0);
+       if (ret)
+               pr_err("%s: dma_declare_contiguous failed %d\n", __func__, ret);
++      else
++              rproc_mem_inited = true;
+ }
+ #else
+@@ -813,6 +817,12 @@ int __init da8xx_register_rproc(void)
+ {
+       int ret;
++      if (!rproc_mem_inited) {
++              pr_warn("%s: memory not reserved for DSP, not registering DSP device\n",
++                      __func__);
++              return -ENOMEM;
++      }
++
+       ret = platform_device_register(&da8xx_dsp);
+       if (ret)
+               pr_err("%s: can't register DSP device: %d\n", __func__, ret);
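Review bot: `rproc_mem_inited` is declared above `#if IS_ENABLED(CONFIG_DA8XX_REMOTEPROC)` but is only set in the `else` branch after `dma_declare_contiguous()` inside that conditional. If da8xx_register_rproc is compiled in both configurations (its position relative to `#else`/`#endif` is not visible in the hunk), a kernel built without the remoteproc driver would hit the new `pr_warn` and return -ENOMEM on every call. That case may deserve a quieter path or a different error code than a genuine reservation failure. A comment on the declaration would also help, for example `/* set once the DSP CMA region has been declared; checked before the device is registered */`.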
diff --git a/queue-3.18/arm-dts-imx6qdl-wandboard-fix-audio-channel-swap.patch b/queue-3.18/arm-dts-imx6qdl-wandboard-fix-audio-channel-swap.patch
new file mode 100644 (file)
index 0000000..6106779
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Fabio Estevam <fabio.estevam@nxp.com>
+Date: Sun, 14 May 2017 11:50:50 -0300
+Subject: ARM: dts: imx6qdl-wandboard: Fix audio channel swap
+
+From: Fabio Estevam <fabio.estevam@nxp.com>
+
+
+[ Upstream commit 79935915300c5eb88a0e94fa9148a7505c14a02a ]
+
+When running a stress playback/stop loop test on a mx6wandboard channel
+swaps can be noticed randomly.
+
+Increasing the SGTL5000 LRCLK pad strength to its maximum value fixes
+the issue, so add the 'lrclk-strength' property to avoid the audio
+channel swaps.
+
+Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/imx6qdl-wandboard.dtsi |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/boot/dts/imx6qdl-wandboard.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-wandboard.dtsi
+@@ -86,6 +86,7 @@
+               clocks = <&clks 201>;
+               VDDA-supply = <&reg_2p5v>;
+               VDDIO-supply = <&reg_3p3v>;
++              lrclk-strength = <3>;
+       };
+ };
diff --git a/queue-3.18/arm64-futex-fix-undefined-behaviour-with-futex_op_oparg_shift-usage.patch b/queue-3.18/arm64-futex-fix-undefined-behaviour-with-futex_op_oparg_shift-usage.patch
new file mode 100644 (file)
index 0000000..610b970
--- /dev/null
@@ -0,0 +1,83 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Will Deacon <will.deacon@arm.com>
+Date: Wed, 5 Apr 2017 11:14:05 +0100
+Subject: arm64: futex: Fix undefined behaviour with FUTEX_OP_OPARG_SHIFT usage
+
+From: Will Deacon <will.deacon@arm.com>
+
+
+[ Upstream commit 5f16a046f8e144c294ef98cd29d9458b5f8273e5 ]
+
+FUTEX_OP_OPARG_SHIFT instructs the futex code to treat the 12-bit oparg
+field as a shift value, potentially leading to a left shift value that
+is negative or with an absolute value that is significantly larger then
+the size of the type. UBSAN chokes with:
+
+================================================================================
+UBSAN: Undefined behaviour in ./arch/arm64/include/asm/futex.h:60:13
+shift exponent -1 is negative
+CPU: 1 PID: 1449 Comm: syz-executor0 Not tainted 4.11.0-rc4-00005-g977eb52-dirty #11
+Hardware name: linux,dummy-virt (DT)
+Call trace:
+[<ffff200008094778>] dump_backtrace+0x0/0x538 arch/arm64/kernel/traps.c:73
+[<ffff200008094cd0>] show_stack+0x20/0x30 arch/arm64/kernel/traps.c:228
+[<ffff200008c194a8>] __dump_stack lib/dump_stack.c:16 [inline]
+[<ffff200008c194a8>] dump_stack+0x120/0x188 lib/dump_stack.c:52
+[<ffff200008cc24b8>] ubsan_epilogue+0x18/0x98 lib/ubsan.c:164
+[<ffff200008cc3098>] __ubsan_handle_shift_out_of_bounds+0x250/0x294 lib/ubsan.c:421
+[<ffff20000832002c>] futex_atomic_op_inuser arch/arm64/include/asm/futex.h:60 [inline]
+[<ffff20000832002c>] futex_wake_op kernel/futex.c:1489 [inline]
+[<ffff20000832002c>] do_futex+0x137c/0x1740 kernel/futex.c:3231
+[<ffff200008320504>] SYSC_futex kernel/futex.c:3281 [inline]
+[<ffff200008320504>] SyS_futex+0x114/0x268 kernel/futex.c:3249
+[<ffff200008084770>] el0_svc_naked+0x24/0x28
+================================================================================
+syz-executor1 uses obsolete (PF_INET,SOCK_PACKET)
+sock: process `syz-executor0' is using obsolete setsockopt SO_BSDCOMPAT
+
+This patch attempts to fix some of this by:
+
+  * Making encoded_op an unsigned type, so we can shift it left even if
+    the top bit is set.
+
+  * Casting to signed prior to shifting right when extracting oparg
+    and cmparg
+
+  * Consider only the bottom 5 bits of oparg when using it as a left-shift
+    value.
+
+Whilst I think this catches all of the issues, I'd much prefer to remove
+this stuff, as I think it's unused and the bugs are copy-pasted between
+a bunch of architectures.
+
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/futex.h |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm64/include/asm/futex.h
++++ b/arch/arm64/include/asm/futex.h
+@@ -44,16 +44,16 @@
+       : "memory")
+ static inline int
+-futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
++futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr)
+ {
+       int op = (encoded_op >> 28) & 7;
+       int cmp = (encoded_op >> 24) & 15;
+-      int oparg = (encoded_op << 8) >> 20;
+-      int cmparg = (encoded_op << 20) >> 20;
++      int oparg = (int)(encoded_op << 8) >> 20;
++      int cmparg = (int)(encoded_op << 20) >> 20;
+       int oldval = 0, ret, tmp;
+       if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
+-              oparg = 1 << oparg;
++              oparg = 1U << (oparg & 0x1f);
+       if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+               return -EFAULT;
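Review bot: The open-coded sign extension in futex_atomic_op_inuser, `(int)(encoded_op << 8) >> 20` and `(int)(encoded_op << 20) >> 20`, is hard to read and leaves the 12-bit field layout undocumented. The `sign_extend32()` helper from <linux/bitops.h> states the intent directly: `int oparg = sign_extend32(encoded_op >> 12, 11);` and `int cmparg = sign_extend32(encoded_op, 11);`. Separately, `oparg & 0x1f` silently maps a negative or oversized shift count supplied by user space onto a valid one instead of rejecting it. A comment such as `/* shift count comes from user space: keep it within 0..31 */` would record that this is deliberate. The function body continues past the end of the hunk.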
diff --git a/queue-3.18/async_tx-fix-dma_prep_fence-usage-in-do_async_gen_syndrome.patch b/queue-3.18/async_tx-fix-dma_prep_fence-usage-in-do_async_gen_syndrome.patch
new file mode 100644 (file)
index 0000000..9907750
--- /dev/null
@@ -0,0 +1,54 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Anup Patel <anup.patel@broadcom.com>
+Date: Mon, 15 May 2017 10:34:53 +0530
+Subject: async_tx: Fix DMA_PREP_FENCE usage in do_async_gen_syndrome()
+
+From: Anup Patel <anup.patel@broadcom.com>
+
+
+[ Upstream commit baae03a0e2497f49704628fd0aaf993cf98e1b99 ]
+
+The DMA_PREP_FENCE is to be used when preparing Tx descriptor if output
+of Tx descriptor is to be used by next/dependent Tx descriptor.
+
+The DMA_PREP_FENSE will not be set correctly in do_async_gen_syndrome()
+when calling dma->device_prep_dma_pq() under following conditions:
+1. ASYNC_TX_FENCE not set in submit->flags
+2. DMA_PREP_FENCE not set in dma_flags
+3. src_cnt (= (disks - 2)) is greater than dma_maxpq(dma, dma_flags)
+
+This patch fixes DMA_PREP_FENCE usage in do_async_gen_syndrome() taking
+inspiration from do_async_xor() implementation.
+
+Signed-off-by: Anup Patel <anup.patel@broadcom.com>
+Reviewed-by: Ray Jui <ray.jui@broadcom.com>
+Reviewed-by: Scott Branden <scott.branden@broadcom.com>
+Acked-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/async_tx/async_pq.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/crypto/async_tx/async_pq.c
++++ b/crypto/async_tx/async_pq.c
+@@ -62,9 +62,6 @@ do_async_gen_syndrome(struct dma_chan *c
+       dma_addr_t dma_dest[2];
+       int src_off = 0;
+-      if (submit->flags & ASYNC_TX_FENCE)
+-              dma_flags |= DMA_PREP_FENCE;
+-
+       while (src_cnt > 0) {
+               submit->flags = flags_orig;
+               pq_src_cnt = min(src_cnt, dma_maxpq(dma, dma_flags));
+@@ -83,6 +80,8 @@ do_async_gen_syndrome(struct dma_chan *c
+                       if (cb_fn_orig)
+                               dma_flags |= DMA_PREP_INTERRUPT;
+               }
++              if (submit->flags & ASYNC_TX_FENCE)
++                      dma_flags |= DMA_PREP_FENCE;
+               /* Drivers force forward progress in case they can not provide
+                * a descriptor
diff --git a/queue-3.18/ata-libahci-properly-propagate-return-value-of-platform_get_irq.patch b/queue-3.18/ata-libahci-properly-propagate-return-value-of-platform_get_irq.patch
new file mode 100644 (file)
index 0000000..319ef60
--- /dev/null
@@ -0,0 +1,45 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Date: Tue, 16 May 2017 14:06:12 +0200
+Subject: ata: libahci: properly propagate return value of platform_get_irq()
+
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+
+
+[ Upstream commit c034640a32f8456018d9c8c83799ead683046b95 ]
+
+When platform_get_irq() fails, it returns an error code, which
+libahci_platform and replaces it by -EINVAL. This commit fixes that by
+propagating the error code. It fixes the situation where
+platform_get_irq() returns -EPROBE_DEFER because the interrupt
+controller is not available yet, and generally looks like the right
+thing to do.
+
+We pay attention to not show the "no irq" message when we are in an
+EPROBE_DEFER situation, because the driver probing will be retried
+later on, once the interrupt controller becomes available to provide
+the interrupt.
+
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libahci_platform.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/libahci_platform.c
++++ b/drivers/ata/libahci_platform.c
+@@ -419,8 +419,9 @@ int ahci_platform_init_host(struct platf
+       irq = platform_get_irq(pdev, 0);
+       if (irq <= 0) {
+-              dev_err(dev, "no irq\n");
+-              return -EINVAL;
++              if (irq != -EPROBE_DEFER)
++                      dev_err(dev, "no irq\n");
++              return irq;
+       }
+       /* prepare host */
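Review bot: The `irq <= 0` branch now ends in `return irq;`, so when platform_get_irq() yields 0 this function itself returns 0. Under the usual 0-on-success convention a caller would read that as a successful init although host setup was skipped. Map the zero case to an error while keeping the propagation of negative codes such as -EPROBE_DEFER, for example `return irq ? irq : -EINVAL;`. The body of ahci_platform_init_host() starts and ends outside this hunk, so how callers consume the return value is inferred rather than visible here.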
diff --git a/queue-3.18/ath5k-fix-memory-leak-on-buf-on-failed-eeprom-read.patch b/queue-3.18/ath5k-fix-memory-leak-on-buf-on-failed-eeprom-read.patch
new file mode 100644 (file)
index 0000000..91972e8
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Wed, 3 May 2017 15:26:00 +0100
+Subject: ath5k: fix memory leak on buf on failed eeprom read
+
+From: Colin Ian King <colin.king@canonical.com>
+
+
+[ Upstream commit 8fed6823e06e43ee9cf7c0ffecec2f9111ce6201 ]
+
+The AR5K_EEPROM_READ macro returns with -EIO if a read error
+occurs causing a memory leak on the allocated buffer buf. Fix
+this by explicitly calling ath5k_hw_nvram_read and exiting on
+the via the freebuf label that performs the necessary free'ing
+of buf when a read error occurs.
+
+Detected by CoverityScan, CID#1248782 ("Resource Leak")
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath5k/debug.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath5k/debug.c
++++ b/drivers/net/wireless/ath/ath5k/debug.c
+@@ -939,7 +939,10 @@ static int open_file_eeprom(struct inode
+       }
+       for (i = 0; i < eesize; ++i) {
+-              AR5K_EEPROM_READ(i, val);
++              if (!ath5k_hw_nvram_read(ah, i, &val)) {
++                      ret = -EIO;
++                      goto freebuf;
++              }
+               buf[i] = val;
+       }
diff --git a/queue-3.18/bcache-segregate-flash-only-volume-write-streams.patch b/queue-3.18/bcache-segregate-flash-only-volume-write-streams.patch
new file mode 100644 (file)
index 0000000..9b43b24
--- /dev/null
@@ -0,0 +1,83 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Tang Junhui <tang.junhui@zte.com.cn>
+Date: Mon, 8 Jan 2018 12:21:21 -0800
+Subject: bcache: segregate flash only volume write streams
+
+From: Tang Junhui <tang.junhui@zte.com.cn>
+
+
+[ Upstream commit 4eca1cb28d8b0574ca4f1f48e9331c5f852d43b9 ]
+
+In such scenario that there are some flash only volumes
+, and some cached devices, when many tasks request these devices in
+writeback mode, the write IOs may fall to the same bucket as bellow:
+| cached data | flash data | cached data | cached data| flash data|
+then after writeback of these cached devices, the bucket would
+be like bellow bucket:
+| free | flash data | free | free | flash data |
+
+So, there are many free space in this bucket, but since data of flash
+only volumes still exists, so this bucket cannot be reclaimable,
+which would cause waste of bucket space.
+
+In this patch, we segregate flash only volume write streams from
+cached devices, so data from flash only volumes and cached devices
+can store in different buckets.
+
+Compare to v1 patch, this patch do not add a additionally open bucket
+list, and it is try best to segregate flash only volume write streams
+from cached devices, sectors of flash only volumes may still be mixed
+with dirty sectors of cached device, but the number is very small.
+
+[mlyle: fixed commit log formatting, permissions, line endings]
+
+Signed-off-by: Tang Junhui <tang.junhui@zte.com.cn>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Signed-off-by: Michael Lyle <mlyle@lyle.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/alloc.c |   19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/md/bcache/alloc.c
++++ b/drivers/md/bcache/alloc.c
+@@ -514,15 +514,21 @@ struct open_bucket {
+ /*
+  * We keep multiple buckets open for writes, and try to segregate different
+- * write streams for better cache utilization: first we look for a bucket where
+- * the last write to it was sequential with the current write, and failing that
+- * we look for a bucket that was last used by the same task.
++ * write streams for better cache utilization: first we try to segregate flash
++ * only volume write streams from cached devices, secondly we look for a bucket
++ * where the last write to it was sequential with the current write, and
++ * failing that we look for a bucket that was last used by the same task.
+  *
+  * The ideas is if you've got multiple tasks pulling data into the cache at the
+  * same time, you'll get better cache utilization if you try to segregate their
+  * data and preserve locality.
+  *
+- * For example, say you've starting Firefox at the same time you're copying a
++ * For example, dirty sectors of flash only volume is not reclaimable, if their
++ * dirty sectors mixed with dirty sectors of cached device, such buckets will
++ * be marked as dirty and won't be reclaimed, though the dirty data of cached
++ * device have been written back to backend device.
++ *
++ * And say you've starting Firefox at the same time you're copying a
+  * bunch of files. Firefox will likely end up being fairly hot and stay in the
+  * cache awhile, but the data you copied might not be; if you wrote all that
+  * data to the same buckets it'd get invalidated at the same time.
+@@ -539,7 +545,10 @@ static struct open_bucket *pick_data_buc
+       struct open_bucket *ret, *ret_task = NULL;
+       list_for_each_entry_reverse(ret, &c->data_buckets, list)
+-              if (!bkey_cmp(&ret->key, search))
++              if (UUID_FLASH_ONLY(&c->uuids[KEY_INODE(&ret->key)]) !=
++                  UUID_FLASH_ONLY(&c->uuids[KEY_INODE(search)]))
++                      continue;
++              else if (!bkey_cmp(&ret->key, search))
+                       goto found;
+               else if (ret->last_write_point == write_point)
+                       ret_task = ret;
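Review bot: `c->uuids[KEY_INODE(&ret->key)]` and `c->uuids[KEY_INODE(search)]` index the uuid table with a field taken from a bkey, and nothing in this hunk bounds that value against the table size. The callers of pick_data_bucket() are outside the hunk, so the range may already be guaranteed. If it is not, the new comparison reads past the end of the array on every allocation. State the invariant in a comment above the loop, or guard the lookup before comparing the flags. As a smaller style point, the `else` in `continue; else if (!bkey_cmp(...))` is redundant after `continue`.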
diff --git a/queue-3.18/bcache-stop-writeback-thread-after-detaching.patch b/queue-3.18/bcache-stop-writeback-thread-after-detaching.patch
new file mode 100644 (file)
index 0000000..866ccf9
--- /dev/null
@@ -0,0 +1,52 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Tang Junhui <tang.junhui@zte.com.cn>
+Date: Mon, 8 Jan 2018 12:21:19 -0800
+Subject: bcache: stop writeback thread after detaching
+
+From: Tang Junhui <tang.junhui@zte.com.cn>
+
+
+[ Upstream commit 8d29c4426b9f8afaccf28de414fde8a722b35fdf ]
+
+Currently, when a cached device detaching from cache, writeback thread is
+not stopped, and writeback_rate_update work is not canceled. For example,
+after the following command:
+echo 1 >/sys/block/sdb/bcache/detach
+you can still see the writeback thread. Then you attach the device to the
+cache again, bcache will create another writeback thread, for example,
+after below command:
+echo  ba0fb5cd-658a-4533-9806-6ce166d883b9 > /sys/block/sdb/bcache/attach
+then you will see 2 writeback threads.
+This patch stops writeback thread and cancels writeback_rate_update work
+when cached device detaching from cache.
+
+Compare with patch v1, this v2 patch moves code down into the register
+lock for safety in case of any future changes as Coly and Mike suggested.
+
+[edit by mlyle: commit log spelling/formatting]
+
+Signed-off-by: Tang Junhui <tang.junhui@zte.com.cn>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Signed-off-by: Michael Lyle <mlyle@lyle.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/super.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -921,6 +921,12 @@ static void cached_dev_detach_finish(str
+       mutex_lock(&bch_register_lock);
++      cancel_delayed_work_sync(&dc->writeback_rate_update);
++      if (!IS_ERR_OR_NULL(dc->writeback_thread)) {
++              kthread_stop(dc->writeback_thread);
++              dc->writeback_thread = NULL;
++      }
++
+       memset(&dc->sb.set_uuid, 0, 16);
+       SET_BDEV_STATE(&dc->sb, BDEV_STATE_NONE);
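Review bot: `cancel_delayed_work_sync()` and `kthread_stop()` both block until the work item and the writeback thread have finished, and the added lines call them with bch_register_lock held. If the rate-update work or the writeback thread can ever acquire bch_register_lock, detach would deadlock here; their bodies are outside this hunk. Once that has been checked, record it above the added block, e.g. `/* blocking under bch_register_lock is safe: neither the rate-update work nor the writeback thread takes it */`. The commit message moves the code under the lock "for safety in case of any future changes", so the comment is what keeps a later change from breaking that assumption.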
diff --git a/queue-3.18/bio-integrity-do-not-allocate-integrity-context-for-bio-w-o-data.patch b/queue-3.18/bio-integrity-do-not-allocate-integrity-context-for-bio-w-o-data.patch
new file mode 100644 (file)
index 0000000..59282e7
--- /dev/null
@@ -0,0 +1,68 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Dmitry Monakhov <dmonakhov@openvz.org>
+Date: Wed, 10 May 2017 19:20:44 +0400
+Subject: bio-integrity: Do not allocate integrity context for bio w/o data
+
+From: Dmitry Monakhov <dmonakhov@openvz.org>
+
+
+[ Upstream commit 3116a23bb30272d74ea81baf5d0ee23f602dd15b ]
+
+If bio has no data, such as ones from blkdev_issue_flush(),
+then we have nothing to protect.
+
+This patch prevent bugon like follows:
+
+kfree_debugcheck: out of range ptr ac1fa1d106742a5ah
+kernel BUG at mm/slab.c:2773!
+invalid opcode: 0000 [#1] SMP
+Modules linked in: bcache
+CPU: 0 PID: 4428 Comm: xfs_io Tainted: G        W       4.11.0-rc4-ext4-00041-g2ef0043-dirty #43
+Hardware name: Virtuozzo KVM, BIOS seabios-1.7.5-11.vz7.4 04/01/2014
+task: ffff880137786440 task.stack: ffffc90000ba8000
+RIP: 0010:kfree_debugcheck+0x25/0x2a
+RSP: 0018:ffffc90000babde0 EFLAGS: 00010082
+RAX: 0000000000000034 RBX: ac1fa1d106742a5a RCX: 0000000000000007
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88013f3ccb40
+RBP: ffffc90000babde8 R08: 0000000000000000 R09: 0000000000000000
+R10: 00000000fcb76420 R11: 00000000725172ed R12: 0000000000000282
+R13: ffffffff8150e766 R14: ffff88013a145e00 R15: 0000000000000001
+FS:  00007fb09384bf40(0000) GS:ffff88013f200000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fd0172f9e40 CR3: 0000000137fa9000 CR4: 00000000000006f0
+Call Trace:
+ kfree+0xc8/0x1b3
+ bio_integrity_free+0xc3/0x16b
+ bio_free+0x25/0x66
+ bio_put+0x14/0x26
+ blkdev_issue_flush+0x7a/0x85
+ blkdev_fsync+0x35/0x42
+ vfs_fsync_range+0x8e/0x9f
+ vfs_fsync+0x1c/0x1e
+ do_fsync+0x31/0x4a
+ SyS_fsync+0x10/0x14
+ entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/bio-integrity.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/block/bio-integrity.c
++++ b/block/bio-integrity.c
+@@ -165,6 +165,9 @@ bool bio_integrity_enabled(struct bio *b
+       if (!bio_is_rw(bio))
+               return false;
++      if (!bio_sectors(bio))
++              return false;
++
+       /* Already protected? */
+       if (bio_integrity(bio))
+               return false;
diff --git a/queue-3.18/block-fix-an-error-code-in-add_partition.patch b/queue-3.18/block-fix-an-error-code-in-add_partition.patch
new file mode 100644 (file)
index 0000000..6621b5c
--- /dev/null
@@ -0,0 +1,36 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 23 May 2017 17:28:36 +0300
+Subject: block: fix an error code in add_partition()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit 7bd897cfce1eb373892d35d7f73201b0f9b221c4 ]
+
+We don't set an error code on this path.  It means that we return NULL
+instead of an error pointer and the caller does a NULL dereference.
+
+Fixes: 6d1d8050b4bc ("block, partition: add partition_meta_info to hd_struct")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/partition-generic.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/block/partition-generic.c
++++ b/block/partition-generic.c
+@@ -309,8 +309,10 @@ struct hd_struct *add_partition(struct g
+       if (info) {
+               struct partition_meta_info *pinfo = alloc_part_info(disk);
+-              if (!pinfo)
++              if (!pinfo) {
++                      err = -ENOMEM;
+                       goto out_free_stats;
++              }
+               memcpy(pinfo, info, sizeof(*info));
+               p->info = pinfo;
+       }
diff --git a/queue-3.18/bluetooth-send-hci-set-event-mask-page-2-command-only-when-needed.patch b/queue-3.18/bluetooth-send-hci-set-event-mask-page-2-command-only-when-needed.patch
new file mode 100644 (file)
index 0000000..d3f6f57
--- /dev/null
@@ -0,0 +1,122 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Marcel Holtmann <marcel@holtmann.org>
+Date: Fri, 9 Jun 2017 18:43:56 +0200
+Subject: Bluetooth: Send HCI Set Event Mask Page 2 command only when needed
+
+From: Marcel Holtmann <marcel@holtmann.org>
+
+
+[ Upstream commit 313f6888c8fbb1bc8b36c9012ce4e1de848df696 ]
+
+The Broadcom BCM20702 Bluetooth controller in ThinkPad-T530 devices
+report support for the Set Event Mask Page 2 command, but actually do
+return an error when trying to use it.
+
+  < HCI Command: Read Local Supported Commands (0x04|0x0002) plen 0
+  > HCI Event: Command Complete (0x0e) plen 68
+       Read Local Supported Commands (0x04|0x0002) ncmd 1
+         Status: Success (0x00)
+         Commands: 162 entries
+           ...
+           Set Event Mask Page 2 (Octet 22 - Bit 2)
+           ...
+
+  < HCI Command: Set Event Mask Page 2 (0x03|0x0063) plen 8
+         Mask: 0x0000000000000000
+  > HCI Event: Command Complete (0x0e) plen 4
+       Set Event Mask Page 2 (0x03|0x0063) ncmd 1
+         Status: Unknown HCI Command (0x01)
+
+Since these controllers do not support any feature that would require
+the event mask page 2 to be modified, it is safe to not send this
+command at all. The default value is all bits set to zero.
+
+T:  Bus=01 Lev=02 Prnt=02 Port=03 Cnt=03 Dev#=  9 Spd=12   MxCh= 0
+D:  Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
+P:  Vendor=0a5c ProdID=21e6 Rev= 1.12
+S:  Manufacturer=Broadcom Corp
+S:  Product=BCM20702A0
+S:  SerialNumber=F82FA8E8CFC0
+C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=  0mA
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
+E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
+E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
+E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
+E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
+E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
+I:  If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
+E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
+E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
+I:  If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
+E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
+E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
+I:  If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
+E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
+E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
+I:  If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
+E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
+E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
+I:  If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
+E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
+E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
+I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=btusb
+E:  Ad=84(I) Atr=02(Bulk) MxPS=  32 Ivl=0ms
+E:  Ad=04(O) Atr=02(Bulk) MxPS=  32 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)
+
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Reported-by: Sedat Dilek <sedat.dilek@gmail.com>
+Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
+Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_core.c |   17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -1635,6 +1635,7 @@ static void hci_set_event_mask_page_2(st
+ {
+       struct hci_dev *hdev = req->hdev;
+       u8 events[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
++      bool changed = false;
+       /* If Connectionless Slave Broadcast master role is supported
+        * enable all necessary events for it.
+@@ -1644,6 +1645,7 @@ static void hci_set_event_mask_page_2(st
+               events[1] |= 0x80;      /* Synchronization Train Complete */
+               events[2] |= 0x10;      /* Slave Page Response Timeout */
+               events[2] |= 0x20;      /* CSB Channel Map Change */
++              changed = true;
+       }
+       /* If Connectionless Slave Broadcast slave role is supported
+@@ -1654,13 +1656,24 @@ static void hci_set_event_mask_page_2(st
+               events[2] |= 0x02;      /* CSB Receive */
+               events[2] |= 0x04;      /* CSB Timeout */
+               events[2] |= 0x08;      /* Truncated Page Complete */
++              changed = true;
+       }
+       /* Enable Authenticated Payload Timeout Expired event if supported */
+-      if (lmp_ping_capable(hdev) || hdev->le_features[0] & HCI_LE_PING)
++      if (lmp_ping_capable(hdev) || hdev->le_features[0] & HCI_LE_PING) {
+               events[2] |= 0x80;
++              changed = true;
++      }
+-      hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2, sizeof(events), events);
++      /* Some Broadcom based controllers indicate support for Set Event
++       * Mask Page 2 command, but then actually do not support it. Since
++       * the default value is all bits set to zero, the command is only
++       * required if the event mask has to be changed. In case no change
++       * to the event mask is needed, skip this command.
++       */
++      if (changed)
++              hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2,
++                          sizeof(events), events);
+ }
+ static void hci_init3_req(struct hci_request *req, unsigned long opt)
diff --git a/queue-3.18/bna-avoid-reading-past-end-of-buffer.patch b/queue-3.18/bna-avoid-reading-past-end-of-buffer.patch
new file mode 100644 (file)
index 0000000..c242169
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 5 May 2017 15:25:32 -0700
+Subject: bna: Avoid reading past end of buffer
+
+From: Kees Cook <keescook@chromium.org>
+
+
+[ Upstream commit 9e4eb1ce472fbf7b007f23c88ec11c37265e401c ]
+
+Using memcpy() from a string that is shorter than the length copied means
+the destination buffer is being filled with arbitrary data from the kernel
+rodata segment. Instead, use strncpy() which will fill the trailing bytes
+with zeros.
+
+This was found with the future CONFIG_FORTIFY_SOURCE feature.
+
+Cc: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/brocade/bna/bfa_ioc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/brocade/bna/bfa_ioc.c
++++ b/drivers/net/ethernet/brocade/bna/bfa_ioc.c
+@@ -2856,7 +2856,7 @@ bfa_ioc_get_adapter_optrom_ver(struct bf
+ static void
+ bfa_ioc_get_adapter_manufacturer(struct bfa_ioc *ioc, char *manufacturer)
+ {
+-      memcpy(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN);
++      strncpy(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN);
+ }
+ static void
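Review bot: strncpy() zero-fills the tail only while BFA_MFG_NAME is shorter than BFA_ADAPTER_MFG_NAME_LEN. If the name ever reaches that length, `manufacturer` is left without a terminating NUL and later string reads of the field can run past it. Both macros are defined outside the hunk, so their current sizes cannot be confirmed from here. Assuming BFA_MFG_NAME is a string literal, a compile-time guard next to the copy enforces what the commit message assumes: `BUILD_BUG_ON(sizeof(BFA_MFG_NAME) > BFA_ADAPTER_MFG_NAME_LEN);`.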
diff --git a/queue-3.18/bnx2x-allow-vfs-to-disable-txvlan-offload.patch b/queue-3.18/bnx2x-allow-vfs-to-disable-txvlan-offload.patch
new file mode 100644 (file)
index 0000000..8ad0fd3
--- /dev/null
@@ -0,0 +1,57 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: "Mintz, Yuval" <Yuval.Mintz@cavium.com>
+Date: Fri, 9 Jun 2017 17:17:01 +0300
+Subject: bnx2x: Allow vfs to disable txvlan offload
+
+From: "Mintz, Yuval" <Yuval.Mintz@cavium.com>
+
+
+[ Upstream commit 92f85f05caa51d844af6ea14ffbc7a786446a644 ]
+
+VF clients are configured as enforced, meaning firmware is validating
+the correctness of their ethertype/vid during transmission.
+Once txvlan is disabled, VF would start getting SKBs for transmission
+here vlan is on the payload - but it'll pass the packet's ethertype
+instead of the vid, leading to firmware declaring it as malicious.
+
+Signed-off-by: Yuval Mintz <Yuval.Mintz@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c |   19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -3876,15 +3876,26 @@ netdev_tx_t bnx2x_start_xmit(struct sk_b
+               /* when transmitting in a vf, start bd must hold the ethertype
+                * for fw to enforce it
+                */
++              u16 vlan_tci = 0;
+ #ifndef BNX2X_STOP_ON_ERROR
+-              if (IS_VF(bp))
++              if (IS_VF(bp)) {
+ #endif
+-                      tx_start_bd->vlan_or_ethertype =
+-                              cpu_to_le16(ntohs(eth->h_proto));
++                      /* Still need to consider inband vlan for enforced */
++                      if (__vlan_get_tag(skb, &vlan_tci)) {
++                              tx_start_bd->vlan_or_ethertype =
++                                      cpu_to_le16(ntohs(eth->h_proto));
++                      } else {
++                              tx_start_bd->bd_flags.as_bitfield |=
++                                      (X_ETH_INBAND_VLAN <<
++                                       ETH_TX_BD_FLAGS_VLAN_MODE_SHIFT);
++                              tx_start_bd->vlan_or_ethertype =
++                                      cpu_to_le16(vlan_tci);
++                      }
+ #ifndef BNX2X_STOP_ON_ERROR
+-              else
++              } else {
+                       /* used by FW for packet accounting */
+                       tx_start_bd->vlan_or_ethertype = cpu_to_le16(pkt_prod);
++              }
+ #endif
+       }
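Review bot: `if (__vlan_get_tag(skb, &vlan_tci))` selects the ethertype branch when the helper returns non-zero, that is, when no in-band tag was found, which reads as the opposite of what the condition seems to test. Firmware treats a wrong value in this field as a malicious VF, so the sense of the test deserves to be explicit. Write it as `if (__vlan_get_tag(skb, &vlan_tci) != 0) {` with a comment such as `/* no in-band VLAN tag: firmware validates the ethertype */`. The new braces also straddle `#ifndef BNX2X_STOP_ON_ERROR`, so a short comment on the `#endif` lines naming the branch they close would help. bnx2x_start_xmit() starts and ends outside this hunk.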
diff --git a/queue-3.18/bonding-don-t-update-slave-link-until-ready-to-commit.patch b/queue-3.18/bonding-don-t-update-slave-link-until-ready-to-commit.patch
new file mode 100644 (file)
index 0000000..c02928b
--- /dev/null
@@ -0,0 +1,86 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Nithin Sujir <nsujir@tintri.com>
+Date: Wed, 24 May 2017 19:45:17 -0700
+Subject: bonding: Don't update slave->link until ready to commit
+
+From: Nithin Sujir <nsujir@tintri.com>
+
+
+[ Upstream commit 797a93647a48d6cb8a20641a86a71713a947f786 ]
+
+In the loadbalance arp monitoring scheme, when a slave link change is
+detected, the slave->link is immediately updated and slave_state_changed
+is set. Later down the function, the rtnl_lock is acquired and the
+changes are committed, updating the bond link state.
+
+However, the acquisition of the rtnl_lock can fail. The next time the
+monitor runs, since slave->link is already updated, it determines that
+link is unchanged. This results in the bond link state permanently out
+of sync with the slave link.
+
+This patch modifies bond_loadbalance_arp_mon() to handle link changes
+identical to bond_ab_arp_{inspect/commit}(). The new link state is
+maintained in slave->new_link until we're ready to commit at which point
+it's copied into slave->link.
+
+NOTE: miimon_{inspect/commit}() has a more complex state machine
+requiring the use of the bond_{propose,commit}_link_state() functions
+which maintains the intermediate state in slave->link_new_state. The arp
+monitors don't require that.
+
+Testing: This bug is very easy to reproduce with the following steps.
+1. In a loop, toggle a slave link of a bond slave interface.
+2. In a separate loop, do ifconfig up/down of an unrelated interface to
+create contention for rtnl_lock.
+Within a few iterations, the bond link goes out of sync with the slave
+link.
+
+Signed-off-by: Nithin Nayak Sujir <nsujir@tintri.com>
+Cc: Mahesh Bandewar <maheshb@google.com>
+Cc: Jay Vosburgh <jay.vosburgh@canonical.com>
+Acked-by: Mahesh Bandewar <maheshb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2425,11 +2425,13 @@ static void bond_loadbalance_arp_mon(str
+       bond_for_each_slave_rcu(bond, slave, iter) {
+               unsigned long trans_start = dev_trans_start(slave->dev);
++              slave->new_link = BOND_LINK_NOCHANGE;
++
+               if (slave->link != BOND_LINK_UP) {
+                       if (bond_time_in_interval(bond, trans_start, 1) &&
+                           bond_time_in_interval(bond, slave->last_rx, 1)) {
+-                              slave->link  = BOND_LINK_UP;
++                              slave->new_link = BOND_LINK_UP;
+                               slave_state_changed = 1;
+                               /* primary_slave has no meaning in round-robin
+@@ -2456,7 +2458,7 @@ static void bond_loadbalance_arp_mon(str
+                       if (!bond_time_in_interval(bond, trans_start, 2) ||
+                           !bond_time_in_interval(bond, slave->last_rx, 2)) {
+-                              slave->link  = BOND_LINK_DOWN;
++                              slave->new_link = BOND_LINK_DOWN;
+                               slave_state_changed = 1;
+                               if (slave->link_failure_count < UINT_MAX)
+@@ -2487,6 +2489,11 @@ static void bond_loadbalance_arp_mon(str
+               if (!rtnl_trylock())
+                       goto re_arm;
++              bond_for_each_slave(bond, slave, iter) {
++                      if (slave->new_link != BOND_LINK_NOCHANGE)
++                              slave->link = slave->new_link;
++              }
++
+               if (slave_state_changed) {
+                       bond_slave_state_change(bond);
+                       if (BOND_MODE(bond) == BOND_MODE_XOR)
diff --git a/queue-3.18/btrfs-fix-incorrect-error-return-ret-being-passed-to-mapping_set_error.patch b/queue-3.18/btrfs-fix-incorrect-error-return-ret-being-passed-to-mapping_set_error.patch
new file mode 100644 (file)
index 0000000..ee8b102
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Tue, 9 May 2017 18:14:01 +0100
+Subject: btrfs: fix incorrect error return ret being passed to mapping_set_error
+
+From: Colin Ian King <colin.king@canonical.com>
+
+
+[ Upstream commit bff5baf8aa37a97293725a16c03f49872249c07e ]
+
+The setting of return code ret should be based on the error code
+passed into function end_extent_writepage and not on ret. Thanks
+to Liu Bo for spotting this mistake in the original fix I submitted.
+
+Detected by CoverityScan, CID#1414312 ("Logically dead code")
+
+Fixes: 5dca6eea91653e ("Btrfs: mark mapping with error flag to report errors to userspace")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/extent_io.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -2438,7 +2438,7 @@ int end_extent_writepage(struct page *pa
+       if (!uptodate) {
+               ClearPageUptodate(page);
+               SetPageError(page);
+-              ret = ret < 0 ? ret : -EIO;
++              ret = err < 0 ? err : -EIO;
+               mapping_set_error(page->mapping, ret);
+       }
+       return 0;
diff --git a/queue-3.18/cifs-silence-lockdep-splat-in-cifs_relock_file.patch b/queue-3.18/cifs-silence-lockdep-splat-in-cifs_relock_file.patch
new file mode 100644 (file)
index 0000000..7ca74b0
--- /dev/null
@@ -0,0 +1,87 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Rabin Vincent <rabinv@axis.com>
+Date: Wed, 3 May 2017 17:17:21 +0200
+Subject: CIFS: silence lockdep splat in cifs_relock_file()
+
+From: Rabin Vincent <rabinv@axis.com>
+
+
+[ Upstream commit 560d388950ceda5e7c7cdef7f3d9a8ff297bbf9d ]
+
+cifs_relock_file() can perform a down_write() on the inode's lock_sem even
+though it was already performed in cifs_strict_readv().  Lockdep complains
+about this.  AFAICS, there is no problem here, and lockdep just needs to be
+told that this nesting is OK.
+
+ =============================================
+ [ INFO: possible recursive locking detected ]
+ 4.11.0+ #20 Not tainted
+ ---------------------------------------------
+ cat/701 is trying to acquire lock:
+  (&cifsi->lock_sem){++++.+}, at: cifs_reopen_file+0x7a7/0xc00
+
+ but task is already holding lock:
+  (&cifsi->lock_sem){++++.+}, at: cifs_strict_readv+0x177/0x310
+
+ other info that might help us debug this:
+  Possible unsafe locking scenario:
+
+        CPU0
+        ----
+   lock(&cifsi->lock_sem);
+   lock(&cifsi->lock_sem);
+
+  *** DEADLOCK ***
+
+  May be due to missing lock nesting notation
+
+ 1 lock held by cat/701:
+  #0:  (&cifsi->lock_sem){++++.+}, at: cifs_strict_readv+0x177/0x310
+
+ stack backtrace:
+ CPU: 0 PID: 701 Comm: cat Not tainted 4.11.0+ #20
+ Call Trace:
+  dump_stack+0x85/0xc2
+  __lock_acquire+0x17dd/0x2260
+  ? trace_hardirqs_on_thunk+0x1a/0x1c
+  ? preempt_schedule_irq+0x6b/0x80
+  lock_acquire+0xcc/0x260
+  ? lock_acquire+0xcc/0x260
+  ? cifs_reopen_file+0x7a7/0xc00
+  down_read+0x2d/0x70
+  ? cifs_reopen_file+0x7a7/0xc00
+  cifs_reopen_file+0x7a7/0xc00
+  ? printk+0x43/0x4b
+  cifs_readpage_worker+0x327/0x8a0
+  cifs_readpage+0x8c/0x2a0
+  generic_file_read_iter+0x692/0xd00
+  cifs_strict_readv+0x29f/0x310
+  generic_file_splice_read+0x11c/0x1c0
+  do_splice_to+0xa5/0xc0
+  splice_direct_to_actor+0xfa/0x350
+  ? generic_pipe_buf_nosteal+0x10/0x10
+  do_splice_direct+0xb5/0xe0
+  do_sendfile+0x278/0x3a0
+  SyS_sendfile64+0xc4/0xe0
+  entry_SYSCALL_64_fastpath+0x1f/0xbe
+
+Signed-off-by: Rabin Vincent <rabinv@axis.com>
+Acked-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/file.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -583,7 +583,7 @@ cifs_relock_file(struct cifsFileInfo *cf
+       struct cifs_tcon *tcon = tlink_tcon(cfile->tlink);
+       int rc = 0;
+-      down_read(&cinode->lock_sem);
++      down_read_nested(&cinode->lock_sem, SINGLE_DEPTH_NESTING);
+       if (cinode->can_cache_brlcks) {
+               /* can cache locks - no need to relock */
+               up_read(&cinode->lock_sem);
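Review bot: The `down_read_nested(&cinode->lock_sem, SINGLE_DEPTH_NESTING)` call in cifs_relock_file tells lockdep to accept the recursion but leaves the locking itself unchanged, so the safety argument needs to be written next to the call. With an rw_semaphore, a second read acquisition by the same task can block behind a writer that queued after the first, and the task then waits on itself. The description's "AFAICS, there is no problem here" does not say why that cannot happen on the cifs_strict_readv path. I would add a comment above the call, e.g. `/* nested: lock_sem may already be read-held by cifs_strict_readv(); safe because <reason> */` with the reason filled in, or confirm that no `down_write()` on `lock_sem` can run in between. The rest of cifs_relock_file is outside the hunk.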
diff --git a/queue-3.18/cx25840-fix-unchecked-return-values.patch b/queue-3.18/cx25840-fix-unchecked-return-values.patch
new file mode 100644 (file)
index 0000000..a0710cb
--- /dev/null
@@ -0,0 +1,83 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Pan Bian <bianpan2016@163.com>
+Date: Sun, 23 Apr 2017 10:06:36 -0300
+Subject: [media] cx25840: fix unchecked return values
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit 35378ce143071c2a6bad4b59a000e9b9f8f6ea67 ]
+
+In functions cx25840_initialize(), cx231xx_initialize(), and
+cx23885_initialize(), the return value of create_singlethread_workqueue()
+is used without validation. This may result in NULL dereference and cause
+kernel crash. This patch fixes it.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/cx25840/cx25840-core.c |   36 ++++++++++++++++++-------------
+ 1 file changed, 21 insertions(+), 15 deletions(-)
+
+--- a/drivers/media/i2c/cx25840/cx25840-core.c
++++ b/drivers/media/i2c/cx25840/cx25840-core.c
+@@ -420,11 +420,13 @@ static void cx25840_initialize(struct i2
+       INIT_WORK(&state->fw_work, cx25840_work_handler);
+       init_waitqueue_head(&state->fw_wait);
+       q = create_singlethread_workqueue("cx25840_fw");
+-      prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
+-      queue_work(q, &state->fw_work);
+-      schedule();
+-      finish_wait(&state->fw_wait, &wait);
+-      destroy_workqueue(q);
++      if (q) {
++              prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
++              queue_work(q, &state->fw_work);
++              schedule();
++              finish_wait(&state->fw_wait, &wait);
++              destroy_workqueue(q);
++      }
+       /* 6. */
+       cx25840_write(client, 0x115, 0x8c);
+@@ -631,11 +633,13 @@ static void cx23885_initialize(struct i2
+       INIT_WORK(&state->fw_work, cx25840_work_handler);
+       init_waitqueue_head(&state->fw_wait);
+       q = create_singlethread_workqueue("cx25840_fw");
+-      prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
+-      queue_work(q, &state->fw_work);
+-      schedule();
+-      finish_wait(&state->fw_wait, &wait);
+-      destroy_workqueue(q);
++      if (q) {
++              prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
++              queue_work(q, &state->fw_work);
++              schedule();
++              finish_wait(&state->fw_wait, &wait);
++              destroy_workqueue(q);
++      }
+       /* Call the cx23888 specific std setup func, we no longer rely on
+        * the generic cx24840 func.
+@@ -746,11 +750,13 @@ static void cx231xx_initialize(struct i2
+       INIT_WORK(&state->fw_work, cx25840_work_handler);
+       init_waitqueue_head(&state->fw_wait);
+       q = create_singlethread_workqueue("cx25840_fw");
+-      prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
+-      queue_work(q, &state->fw_work);
+-      schedule();
+-      finish_wait(&state->fw_wait, &wait);
+-      destroy_workqueue(q);
++      if (q) {
++              prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
++              queue_work(q, &state->fw_work);
++              schedule();
++              finish_wait(&state->fw_wait, &wait);
++              destroy_workqueue(q);
++      }
+       cx25840_std_setup(client);
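Review bot: When `create_singlethread_workqueue()` returns NULL, the new `if (q)` block in cx25840_initialize skips the firmware work silently and the function goes straight on to program the chip (`cx25840_write(client, 0x115, 0x8c)` follows directly); the same applies to the cx23885_initialize and cx231xx_initialize hunks. The NULL dereference is gone, but the device is then set up without the firmware load having been attempted, and nothing is logged. Since these functions return void, at least add an `else` branch that reports it, e.g. `else v4l_err(client, "cannot create firmware workqueue\n");` (or whichever logging helper the driver already uses). All three function bodies extend beyond their hunks.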
diff --git a/queue-3.18/drm-omap-fix-tiled-buffer-stride-calculations.patch b/queue-3.18/drm-omap-fix-tiled-buffer-stride-calculations.patch
new file mode 100644 (file)
index 0000000..5f2b80e
--- /dev/null
@@ -0,0 +1,45 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Date: Thu, 18 May 2017 11:51:51 +0300
+Subject: drm/omap: fix tiled buffer stride calculations
+
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+
+
+[ Upstream commit cc8dd7661ccc2d8dc88921da8e6cc7c2fcdb0341 ]
+
+omap_gem uses page alignment for buffer stride. The related calculations
+are a bit off, though, as byte stride of 4096 gets aligned to 8192,
+instead of 4096.
+
+This patch changes the code to use DIV_ROUND_UP(), which fixes those
+calculations and makes them more readable.
+
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/omapdrm/omap_gem.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/omapdrm/omap_gem.c
++++ b/drivers/gpu/drm/omapdrm/omap_gem.c
+@@ -158,7 +158,7 @@ static void evict_entry(struct drm_gem_o
+       size_t size = PAGE_SIZE * n;
+       loff_t off = mmap_offset(obj) +
+                       (entry->obj_pgoff << PAGE_SHIFT);
+-      const int m = 1 + ((omap_obj->width << fmt) / PAGE_SIZE);
++      const int m = DIV_ROUND_UP(omap_obj->width << fmt, PAGE_SIZE);
+       if (m > 1) {
+               int i;
+@@ -415,7 +415,7 @@ static int fault_2d(struct drm_gem_objec
+        * into account in some of the math, so figure out virtual stride
+        * in pages
+        */
+-      const int m = 1 + ((omap_obj->width << fmt) / PAGE_SIZE);
++      const int m = DIV_ROUND_UP(omap_obj->width << fmt, PAGE_SIZE);
+       /* We don't use vmf->pgoff since that has the fake offset: */
+       pgoff = ((unsigned long)vmf->virtual_address -
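Review bot: The old expression `1 + (... / PAGE_SIZE)` could never yield 0, whereas `DIV_ROUND_UP(omap_obj->width << fmt, PAGE_SIZE)` in evict_entry and fault_2d gives `m == 0` when `omap_obj->width << fmt` is 0. evict_entry only tests `m > 1`, but the uses of `m` in fault_2d lie outside the hunk, so it is worth confirming that a zero width cannot reach them or that a zero stride is handled there. The same expression now appears twice; a small helper, or a comment such as `/* virtual stride in pages, rounded up */` at the evict_entry site, would keep the two in step.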
diff --git a/queue-3.18/e1000e-fix-race-condition-around-skb_tstamp_tx.patch b/queue-3.18/e1000e-fix-race-condition-around-skb_tstamp_tx.patch
new file mode 100644 (file)
index 0000000..59fee76
--- /dev/null
@@ -0,0 +1,72 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Jacob Keller <jacob.e.keller@intel.com>
+Date: Wed, 3 May 2017 10:28:50 -0700
+Subject: e1000e: fix race condition around skb_tstamp_tx()
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+
+[ Upstream commit 5012863b7347866764c4a4e58b62fb05346b0d06 ]
+
+The e1000e driver and related hardware has a limitation on Tx PTP
+packets which requires we limit to timestamping a single packet at once.
+We do this by verifying that we never request a new Tx timestamp while
+we still have a tx_hwtstamp_skb pointer.
+
+Unfortunately the driver suffers from a race condition around this. The
+tx_hwtstamp_skb pointer is not set to NULL until after skb_tstamp_tx()
+is called. This function notifies the stack and applications of a new
+timestamp. Even a well behaved application that only sends a new request
+when the first one is finished might be woken up and possibly send
+a packet before we can free the timestamp in the driver again. The
+result is that we needlessly ignore some Tx timestamp requests in this
+corner case.
+
+Fix this by assigning the tx_hwtstamp_skb pointer prior to calling
+skb_tstamp_tx() and use a temporary pointer to hold the timestamped skb
+until that function finishes. This ensures that the application is not
+woken up until the driver is ready to begin timestamping a new packet.
+
+This ensures that well behaved applications do not accidentally race
+with condition to skip Tx timestamps. Obviously an application which
+sends multiple Tx timestamp requests at once will still only timestamp
+one packet at a time. Unfortunately there is nothing we can do about
+this.
+
+Reported-by: David Mirabito <davidm@metamako.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -1181,6 +1181,7 @@ static void e1000e_tx_hwtstamp_work(stru
+       struct e1000_hw *hw = &adapter->hw;
+       if (er32(TSYNCTXCTL) & E1000_TSYNCTXCTL_VALID) {
++              struct sk_buff *skb = adapter->tx_hwtstamp_skb;
+               struct skb_shared_hwtstamps shhwtstamps;
+               u64 txstmp;
+@@ -1189,9 +1190,14 @@ static void e1000e_tx_hwtstamp_work(stru
+               e1000e_systim_to_hwtstamp(adapter, &shhwtstamps, txstmp);
+-              skb_tstamp_tx(adapter->tx_hwtstamp_skb, &shhwtstamps);
+-              dev_kfree_skb_any(adapter->tx_hwtstamp_skb);
++              /* Clear the global tx_hwtstamp_skb pointer and force writes
++               * prior to notifying the stack of a Tx timestamp.
++               */
+               adapter->tx_hwtstamp_skb = NULL;
++              wmb(); /* force write prior to skb_tstamp_tx */
++
++              skb_tstamp_tx(skb, &shhwtstamps);
++              dev_kfree_skb_any(skb);
+       } else if (time_after(jiffies, adapter->tx_hwtstamp_start
+                             + adapter->tx_timeout_factor * HZ)) {
+               dev_kfree_skb_any(adapter->tx_hwtstamp_skb);
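Review bot: The `wmb()` added before `skb_tstamp_tx(skb, &shhwtstamps)` in e1000e_tx_hwtstamp_work has no visible counterpart on the side that reads `adapter->tx_hwtstamp_skb`, and its comment does not name one. A write barrier orders this CPU's stores, but it gives a guarantee to another CPU only when the reader uses a matching barrier or a primitive that implies one. The transmit-path check of `tx_hwtstamp_skb` is outside this hunk, so I cannot tell whether it does. The comment should identify the pairing, e.g. `/* pairs with the tx_hwtstamp_skb check in the xmit path */`, or the pointer handoff should use a primitive with defined ordering on both sides.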
diff --git a/queue-3.18/e1000e-undo-e1000e_pm_freeze-if-__e1000_shutdown-fails.patch b/queue-3.18/e1000e-undo-e1000e_pm_freeze-if-__e1000_shutdown-fails.patch
new file mode 100644 (file)
index 0000000..bc14a93
--- /dev/null
@@ -0,0 +1,91 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Wed, 31 May 2017 18:50:43 +0300
+Subject: e1000e: Undo e1000e_pm_freeze if __e1000_shutdown fails
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+
+[ Upstream commit 833521ebc65b1c3092e5c0d8a97092f98eec595d ]
+
+An error during suspend (e100e_pm_suspend),
+
+[  429.994338] ACPI : EC: event blocked
+[  429.994633] e1000e: EEE TX LPI TIMER: 00000011
+[  430.955451] pci_pm_suspend(): e1000e_pm_suspend+0x0/0x30 [e1000e] returns -2
+[  430.955454] dpm_run_callback(): pci_pm_suspend+0x0/0x140 returns -2
+[  430.955458] PM: Device 0000:00:19.0 failed to suspend async: error -2
+[  430.955581] PM: Some devices failed to suspend, or early wake event detected
+[  430.957709] ACPI : EC: event unblocked
+
+lead to complete failure:
+
+[  432.585002] ------------[ cut here ]------------
+[  432.585013] WARNING: CPU: 3 PID: 8372 at kernel/irq/manage.c:1478 __free_irq+0x9f/0x280
+[  432.585015] Trying to free already-free IRQ 20
+[  432.585016] Modules linked in: cdc_ncm usbnet x86_pkg_temp_thermal intel_powerclamp coretemp mii crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep lpc_ich snd_hda_core snd_pcm mei_me mei sdhci_pci sdhci i915 mmc_core e1000e ptp pps_core prime_numbers
+[  432.585042] CPU: 3 PID: 8372 Comm: kworker/u16:40 Tainted: G     U          4.10.0-rc8-CI-Patchwork_3870+ #1
+[  432.585044] Hardware name: LENOVO 2356GCG/2356GCG, BIOS G7ET31WW (1.13 ) 07/02/2012
+[  432.585050] Workqueue: events_unbound async_run_entry_fn
+[  432.585051] Call Trace:
+[  432.585058]  dump_stack+0x67/0x92
+[  432.585062]  __warn+0xc6/0xe0
+[  432.585065]  warn_slowpath_fmt+0x4a/0x50
+[  432.585070]  ? _raw_spin_lock_irqsave+0x49/0x60
+[  432.585072]  __free_irq+0x9f/0x280
+[  432.585075]  free_irq+0x34/0x80
+[  432.585089]  e1000_free_irq+0x65/0x70 [e1000e]
+[  432.585098]  e1000e_pm_freeze+0x7a/0xb0 [e1000e]
+[  432.585106]  e1000e_pm_suspend+0x21/0x30 [e1000e]
+[  432.585113]  pci_pm_suspend+0x71/0x140
+[  432.585118]  dpm_run_callback+0x6f/0x330
+[  432.585122]  ? pci_pm_freeze+0xe0/0xe0
+[  432.585125]  __device_suspend+0xea/0x330
+[  432.585128]  async_suspend+0x1a/0x90
+[  432.585132]  async_run_entry_fn+0x34/0x160
+[  432.585137]  process_one_work+0x1f4/0x6d0
+[  432.585140]  ? process_one_work+0x16e/0x6d0
+[  432.585143]  worker_thread+0x49/0x4a0
+[  432.585145]  kthread+0x107/0x140
+[  432.585148]  ? process_one_work+0x6d0/0x6d0
+[  432.585150]  ? kthread_create_on_node+0x40/0x40
+[  432.585154]  ret_from_fork+0x2e/0x40
+[  432.585156] ---[ end trace 6712df7f8c4b9124 ]---
+
+The unwind failures stems from commit 2800209994f8 ("e1000e: Refactor PM
+flows"), but it may be a later patch that introduced the non-recoverable
+behaviour.
+
+Fixes: 2800209994f8 ("e1000e: Refactor PM flows")
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99847
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -6363,12 +6363,17 @@ static int e1000e_pm_thaw(struct device
+ static int e1000e_pm_suspend(struct device *dev)
+ {
+       struct pci_dev *pdev = to_pci_dev(dev);
++      int rc;
+       e1000e_flush_lpic(pdev);
+       e1000e_pm_freeze(dev);
+-      return __e1000_shutdown(pdev, false);
++      rc = __e1000_shutdown(pdev, false);
++      if (rc)
++              e1000e_pm_thaw(dev);
++
++      return rc;
+ }
+ static int e1000e_pm_resume(struct device *dev)
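Review bot: The recovery call `e1000e_pm_thaw(dev)` in e1000e_pm_suspend discards its return value, although the hunk header shows it declared as `static int e1000e_pm_thaw(struct device`. If the thaw fails as well, the device stays frozen and the only thing reported upward is the `rc` from `__e1000_shutdown()`. I would log that case, e.g. `if (rc && e1000e_pm_thaw(dev)) dev_err(dev, "thaw after failed suspend failed\n");`, and add a one-line comment that the thaw undoes `e1000e_pm_freeze()`. `e1000e_flush_lpic()` is not undone, which may be fine but is worth stating.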
diff --git a/queue-3.18/edac-mv64x60-fix-an-error-handling-path.patch b/queue-3.18/edac-mv64x60-fix-an-error-handling-path.patch
new file mode 100644 (file)
index 0000000..65d1944
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 7 Jan 2018 21:54:00 +0100
+Subject: EDAC, mv64x60: Fix an error handling path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit 68fa24f9121c04ef146b5158f538c8b32f285be5 ]
+
+We should not call edac_mc_del_mc() if a corresponding call to
+edac_mc_add_mc() has not been performed yet.
+
+So here, we should go to err instead of err2 to branch at the right
+place of the error handling path.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20180107205400.14068-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/mv64x60_edac.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/edac/mv64x60_edac.c
++++ b/drivers/edac/mv64x60_edac.c
+@@ -763,7 +763,7 @@ static int mv64x60_mc_err_probe(struct p
+               /* Non-ECC RAM? */
+               printk(KERN_WARNING "%s: No ECC DIMMs discovered\n", __func__);
+               res = -ENODEV;
+-              goto err2;
++              goto err;
+       }
+       edac_dbg(3, "init mci\n");
diff --git a/queue-3.18/ext4-fix-off-by-one-on-max-nr_pages-in-ext4_find_unwritten_pgoff.patch b/queue-3.18/ext4-fix-off-by-one-on-max-nr_pages-in-ext4_find_unwritten_pgoff.patch
new file mode 100644 (file)
index 0000000..fa27fc4
--- /dev/null
@@ -0,0 +1,54 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Eryu Guan <eguan@redhat.com>
+Date: Wed, 24 May 2017 18:02:20 -0400
+Subject: ext4: fix off-by-one on max nr_pages in ext4_find_unwritten_pgoff()
+
+From: Eryu Guan <eguan@redhat.com>
+
+
+[ Upstream commit 624327f8794704c5066b11a52f9da6a09dce7f9a ]
+
+ext4_find_unwritten_pgoff() is used to search for offset of hole or
+data in page range [index, end] (both inclusive), and the max number
+of pages to search should be at least one, if end == index.
+Otherwise the only page is missed and no hole or data is found,
+which is not correct.
+
+When block size is smaller than page size, this can be demonstrated
+by preallocating a file with size smaller than page size and writing
+data to the last block. E.g. run this xfs_io command on a 1k block
+size ext4 on x86_64 host.
+
+  # xfs_io -fc "falloc 0 3k" -c "pwrite 2k 1k" \
+           -c "seek -d 0" /mnt/ext4/testfile
+  wrote 1024/1024 bytes at offset 2048
+  1 KiB, 1 ops; 0.0000 sec (42.459 MiB/sec and 43478.2609 ops/sec)
+  Whence  Result
+  DATA    EOF
+
+Data at offset 2k was missed, and lseek(2) returned ENXIO.
+
+This is unconvered by generic/285 subtest 07 and 08 on ppc64 host,
+where pagesize is 64k. Because a recent change to generic/285
+reduced the preallocated file size to smaller than 64k.
+
+Signed-off-by: Eryu Guan <eguan@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/file.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/file.c
++++ b/fs/ext4/file.c
+@@ -300,7 +300,7 @@ static int ext4_find_unwritten_pgoff(str
+               int i, num;
+               unsigned long nr_pages;
+-              num = min_t(pgoff_t, end - index, PAGEVEC_SIZE);
++              num = min_t(pgoff_t, end - index, PAGEVEC_SIZE - 1) + 1;
+               nr_pages = pagevec_lookup(&pvec, inode->i_mapping, index,
+                                         (pgoff_t)num);
+               if (nr_pages == 0)
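Review bot: The expression `min_t(pgoff_t, end - index, PAGEVEC_SIZE - 1) + 1` in ext4_find_unwritten_pgoff is correct only because `[index, end]` is inclusive, and nothing at the line says so. A comment such as `/* [index, end] is inclusive: look up between 1 and PAGEVEC_SIZE pages */` would keep the `- 1 ... + 1` from being simplified back into the off-by-one. `end - index` is computed in the unsigned `pgoff_t`, so the line also relies on `end >= index`; the loop condition that would guarantee this is outside the hunk.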
diff --git a/queue-3.18/fix-race-in-drivers-char-random.c-get_reg.patch b/queue-3.18/fix-race-in-drivers-char-random.c-get_reg.patch
new file mode 100644 (file)
index 0000000..bd6e931
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Michael Schmitz <schmitzmic@gmail.com>
+Date: Sun, 30 Apr 2017 19:49:21 +1200
+Subject: fix race in drivers/char/random.c:get_reg()
+
+From: Michael Schmitz <schmitzmic@gmail.com>
+
+
+[ Upstream commit 9dfa7bba35ac08a63565d58c454dccb7e1bb0a08 ]
+
+get_reg() can be reentered on architectures with prioritized interrupts
+(m68k in this case), causing f->reg_index to be incremented after the
+range check. Out of bounds memory access past the pt_regs struct results.
+This will go mostly undetected unless access is beyond end of memory.
+
+Prevent the race by disabling interrupts in get_reg().
+
+Tested on m68k (Atari Falcon, and ARAnyM emulator).
+
+Kudos to Geert Uytterhoeven for helping to trace this race.
+
+Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -863,12 +863,16 @@ static void add_interrupt_bench(cycles_t
+ static __u32 get_reg(struct fast_pool *f, struct pt_regs *regs)
+ {
+       __u32 *ptr = (__u32 *) regs;
++      unsigned long flags;
+       if (regs == NULL)
+               return 0;
++      local_irq_save(flags);
+       if (f->reg_idx >= sizeof(struct pt_regs) / sizeof(__u32))
+               f->reg_idx = 0;
+-      return *(ptr + f->reg_idx++);
++      ptr += f->reg_idx++;
++      local_irq_restore(flags);
++      return *ptr;
+ }
+ void add_interrupt_randomness(int irq, int irq_flags)
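Review bot: get_reg() sits on the interrupt path (the hunk context shows `add_interrupt_randomness` right next to it), and the fix makes the check-and-increment of `f->reg_idx` atomic by disabling interrupts around it on every call. The out-of-bounds read comes from range-checking one value of `f->reg_idx` and dereferencing with another, so an alternative is to snapshot the index into a local, check the local, and index with that same local. A re-entrant call can then at worst repeat or skip a register, never step past `struct pt_regs`, and the irq save/restore leaves the hot path. The sketch below assumes `reg_idx` is an unsigned integer field, which its declaration (outside the hunk) should confirm.

```c
static __u32 get_reg(struct fast_pool *f, struct pt_regs *regs)
{
	__u32 *ptr = (__u32 *) regs;
	unsigned int idx;

	/* … unchanged: NULL check on regs … */

	/* Check and use one snapshot, so the index that is dereferenced
	 * is always the one that was range-checked.
	 */
	idx = ACCESS_ONCE(f->reg_idx);
	if (idx >= sizeof(struct pt_regs) / sizeof(__u32))
		idx = 0;
	ptr += idx++;
	ACCESS_ONCE(f->reg_idx) = idx;
	return *ptr;
}
```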
diff --git a/queue-3.18/fix-serial-console-on-sni-rm400-machines.patch b/queue-3.18/fix-serial-console-on-sni-rm400-machines.patch
new file mode 100644 (file)
index 0000000..83a776c
--- /dev/null
@@ -0,0 +1,51 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Date: Wed, 31 May 2017 22:21:03 +0200
+Subject: Fix serial console on SNI RM400 machines
+
+From: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+
+
+[ Upstream commit e279e6d98e0cf2c2fe008b3c29042b92f0e17b1d ]
+
+sccnxp driver doesn't get the correct uart clock rate, if CONFIG_HAVE_CLOCK
+is disabled. Correct usage of clk API to make it work with/without it.
+
+Fixes: 90efa75f7ab0 (serial: sccnxp: Using CLK API for getting UART clock)
+
+Suggested-by: Russell King - ARM Linux <linux@armlinux.org.uk>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/sccnxp.c |   15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/drivers/tty/serial/sccnxp.c
++++ b/drivers/tty/serial/sccnxp.c
+@@ -884,14 +884,19 @@ static int sccnxp_probe(struct platform_
+       clk = devm_clk_get(&pdev->dev, NULL);
+       if (IS_ERR(clk)) {
+-              if (PTR_ERR(clk) == -EPROBE_DEFER) {
+-                      ret = -EPROBE_DEFER;
++              ret = PTR_ERR(clk);
++              if (ret == -EPROBE_DEFER)
+                       goto err_out;
+-              }
++              uartclk = 0;
++      } else {
++              clk_prepare_enable(clk);
++              uartclk = clk_get_rate(clk);
++      }
++
++      if (!uartclk) {
+               dev_notice(&pdev->dev, "Using default clock frequency\n");
+               uartclk = s->chip->freq_std;
+-      } else
+-              uartclk = clk_get_rate(clk);
++      }
+       /* Check input frequency */
+       if ((uartclk < s->chip->freq_min) || (uartclk > s->chip->freq_max)) {
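Review bot: The new `clk_prepare_enable(clk);` in sccnxp_probe ignores its return value, so a clock that fails to enable is still queried with `clk_get_rate()` and the probe carries on. Check it, `ret = clk_prepare_enable(clk); if (ret) goto err_out;`, and make sure the later error paths and the remove path call `clk_disable_unprepare()`; those are outside the hunk, and nothing in it shows a matching disable. On the non-deferred `IS_ERR(clk)` path `ret` is also left holding `PTR_ERR(clk)` while the probe continues with the default frequency, so the code after the hunk must assign `ret` again before it can be returned as success.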
diff --git a/queue-3.18/hdlcdrv-fix-divide-by-zero-in-hdlcdrv_ioctl.patch b/queue-3.18/hdlcdrv-fix-divide-by-zero-in-hdlcdrv_ioctl.patch
new file mode 100644 (file)
index 0000000..18fff36
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Firo Yang <firogm@gmail.com>
+Date: Fri, 26 May 2017 22:37:38 +0800
+Subject: hdlcdrv: Fix divide by zero in hdlcdrv_ioctl
+
+From: Firo Yang <firogm@gmail.com>
+
+
+[ Upstream commit fb3ce90b7d7761b6f7f28f0ff5c456ef6b5229a1 ]
+
+syszkaller fuzzer triggered a divide by zero, when set calibration
+through ioctl().
+
+To fix it, test 'bitrate' if it is negative or 0, just return -EINVAL.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Firo Yang <firogm@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hamradio/hdlcdrv.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/hamradio/hdlcdrv.c
++++ b/drivers/net/hamradio/hdlcdrv.c
+@@ -571,6 +571,8 @@ static int hdlcdrv_ioctl(struct net_devi
+       case HDLCDRVCTL_CALIBRATE:
+               if(!capable(CAP_SYS_RAWIO))
+                       return -EPERM;
++              if (s->par.bitrate <= 0)
++                      return -EINVAL;
+               if (bi.data.calibrate > INT_MAX / s->par.bitrate)
+                       return -EINVAL;
+               s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
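Review bot: The HDLCDRVCTL_CALIBRATE case in hdlcdrv_ioctl now rejects a non-positive `s->par.bitrate`, but the caller-supplied `bi.data.calibrate` is still bounded only from above. If that field is signed (its declaration is outside the hunk), a negative value passes `bi.data.calibrate > INT_MAX / s->par.bitrate`, and `bi.data.calibrate * s->par.bitrate` can then overflow in the negative direction, which is undefined for signed integers. Bounding it on both sides closes that: `if (bi.data.calibrate < 0 || bi.data.calibrate > INT_MAX / s->par.bitrate) return -EINVAL;`. The rest of the switch is outside the hunk.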
diff --git a/queue-3.18/ib-srpt-fix-abort-handling.patch b/queue-3.18/ib-srpt-fix-abort-handling.patch
new file mode 100644 (file)
index 0000000..b98ef17
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+Date: Thu, 4 May 2017 15:50:53 -0700
+Subject: IB/srpt: Fix abort handling
+
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+
+
+[ Upstream commit 55d694275f41a1c0eef4ef49044ff29bc3999490 ]
+
+Let the target core check the CMD_T_ABORTED flag instead of the SRP
+target driver. Hence remove the transport_check_aborted_status()
+call. Since state == SRPT_STATE_CMD_RSP_SENT is something that really
+should not happen, do not try to recover if srpt_queue_response() is
+called for an I/O context that is in that state. This patch is a bug
+fix because the srpt_abort_cmd() call is misplaced - if that function
+is called from srpt_queue_response() it should either be called
+before the command state is changed or after the response has been
+sent.
+
+Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Cc: Doug Ledford <dledford@redhat.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Andy Grover <agrover@redhat.com>
+Cc: David Disseldorp <ddiss@suse.de>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c |    6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -2986,12 +2986,8 @@ static void srpt_queue_response(struct s
+       }
+       spin_unlock_irqrestore(&ioctx->spinlock, flags);
+-      if (unlikely(transport_check_aborted_status(&ioctx->cmd, false)
+-                   || WARN_ON_ONCE(state == SRPT_STATE_CMD_RSP_SENT))) {
+-              atomic_inc(&ch->req_lim_delta);
+-              srpt_abort_cmd(ioctx);
++      if (unlikely(WARN_ON_ONCE(state == SRPT_STATE_CMD_RSP_SENT)))
+               return;
+-      }
+       dir = ioctx->cmd.data_direction;
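Review bot: In srpt_queue_response the new test `if (unlikely(WARN_ON_ONCE(state == SRPT_STATE_CMD_RSP_SENT)))` wraps `WARN_ON_ONCE()` in `unlikely()`, which is redundant because the WARN macros already evaluate to an unlikely-annotated condition; `if (WARN_ON_ONCE(state == SRPT_STATE_CMD_RSP_SENT))` reads better. The early return also no longer does `atomic_inc(&ch->req_lim_delta)`, so on this should-not-happen path the request-limit credit is not given back. If that is intended, a comment such as `/* response already sent: nothing to undo */` above the return would record it. The function body continues outside the hunk.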
diff --git a/queue-3.18/iio-magnetometer-st_magn_spi-fix-spi_device_id-table.patch b/queue-3.18/iio-magnetometer-st_magn_spi-fix-spi_device_id-table.patch
new file mode 100644 (file)
index 0000000..cdc323e
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>
+Date: Tue, 6 Jun 2017 22:51:24 +0200
+Subject: iio: magnetometer: st_magn_spi: fix spi_device_id table
+
+From: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>
+
+
+[ Upstream commit c83761ff0aac954aa368c623bb0f0d1a3214e834 ]
+
+Remove LSM303DLHC, LSM303DLM from st_magn_id_table since LSM303DL series
+does not support spi interface
+
+Fixes: 872e79add756 (iio: magn: Add STMicroelectronics magn driver)
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@st.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/magnetometer/st_magn_spi.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/iio/magnetometer/st_magn_spi.c
++++ b/drivers/iio/magnetometer/st_magn_spi.c
+@@ -49,8 +49,6 @@ static int st_magn_spi_remove(struct spi
+ }
+ static const struct spi_device_id st_magn_id_table[] = {
+-      { LSM303DLHC_MAGN_DEV_NAME },
+-      { LSM303DLM_MAGN_DEV_NAME },
+       { LIS3MDL_MAGN_DEV_NAME },
+       {},
+ };
diff --git a/queue-3.18/ipsec-check-return-value-of-skb_to_sgvec-always.patch b/queue-3.18/ipsec-check-return-value-of-skb_to_sgvec-always.patch
new file mode 100644 (file)
index 0000000..e0b04b0
--- /dev/null
@@ -0,0 +1,128 @@
+From 3f29770723fe498a5c5f57c3a31a996ebdde03e1 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sun, 4 Jun 2017 04:16:23 +0200
+Subject: ipsec: check return value of skb_to_sgvec always
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+commit 3f29770723fe498a5c5f57c3a31a996ebdde03e1 upstream.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[nc: Adjust context due to lack of 000ae7b2690e2 and fca11ebde3f0]
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ah4.c  |    8 ++++++--
+ net/ipv4/esp4.c |   12 ++++++++----
+ net/ipv6/ah6.c  |    8 ++++++--
+ net/ipv6/esp6.c |   12 ++++++++----
+ 4 files changed, 28 insertions(+), 12 deletions(-)
+
+--- a/net/ipv4/ah4.c
++++ b/net/ipv4/ah4.c
+@@ -220,7 +220,9 @@ static int ah_output(struct xfrm_state *
+       ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low);
+       sg_init_table(sg, nfrags + sglists);
+-      skb_to_sgvec_nomark(skb, sg, 0, skb->len);
++      err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
++      if (unlikely(err < 0))
++              goto out_free;
+       if (x->props.flags & XFRM_STATE_ESN) {
+               /* Attach seqhi sg right after packet payload */
+@@ -391,7 +393,9 @@ static int ah_input(struct xfrm_state *x
+       skb_push(skb, ihl);
+       sg_init_table(sg, nfrags + sglists);
+-      skb_to_sgvec_nomark(skb, sg, 0, skb->len);
++      err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
++      if (unlikely(err < 0))
++              goto out_free;
+       if (x->props.flags & XFRM_STATE_ESN) {
+               /* Attach seqhi sg right after packet payload */
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -239,9 +239,11 @@ static int esp_output(struct xfrm_state
+       esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low);
+       sg_init_table(sg, nfrags);
+-      skb_to_sgvec(skb, sg,
+-                   esph->enc_data + crypto_aead_ivsize(aead) - skb->data,
+-                   clen + alen);
++      err = skb_to_sgvec(skb, sg,
++                         esph->enc_data + crypto_aead_ivsize(aead) - skb->data,
++                         clen + alen);
++      if (unlikely(err < 0))
++              goto error;
+       if ((x->props.flags & XFRM_STATE_ESN)) {
+               sg_init_table(asg, 3);
+@@ -426,7 +428,9 @@ static int esp_input(struct xfrm_state *
+       iv = esph->enc_data;
+       sg_init_table(sg, nfrags);
+-      skb_to_sgvec(skb, sg, sizeof(*esph) + crypto_aead_ivsize(aead), elen);
++      err = skb_to_sgvec(skb, sg, sizeof(*esph) + crypto_aead_ivsize(aead), elen);
++      if (unlikely(err < 0))
++              goto out;
+       if ((x->props.flags & XFRM_STATE_ESN)) {
+               sg_init_table(asg, 3);
+--- a/net/ipv6/ah6.c
++++ b/net/ipv6/ah6.c
+@@ -423,7 +423,9 @@ static int ah6_output(struct xfrm_state
+       ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low);
+       sg_init_table(sg, nfrags + sglists);
+-      skb_to_sgvec_nomark(skb, sg, 0, skb->len);
++      err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
++      if (unlikely(err < 0))
++              goto out_free;
+       if (x->props.flags & XFRM_STATE_ESN) {
+               /* Attach seqhi sg right after packet payload */
+@@ -601,7 +603,9 @@ static int ah6_input(struct xfrm_state *
+       ip6h->hop_limit   = 0;
+       sg_init_table(sg, nfrags + sglists);
+-      skb_to_sgvec_nomark(skb, sg, 0, skb->len);
++      err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
++      if (unlikely(err < 0))
++              goto out_free;
+       if (x->props.flags & XFRM_STATE_ESN) {
+               /* Attach seqhi sg right after packet payload */
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -231,9 +231,11 @@ static int esp6_output(struct xfrm_state
+       esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low);
+       sg_init_table(sg, nfrags);
+-      skb_to_sgvec(skb, sg,
+-                   esph->enc_data + crypto_aead_ivsize(aead) - skb->data,
+-                   clen + alen);
++      err = skb_to_sgvec(skb, sg,
++                         esph->enc_data + crypto_aead_ivsize(aead) - skb->data,
++                         clen + alen);
++      if (unlikely(err < 0))
++              goto error;
+       if ((x->props.flags & XFRM_STATE_ESN)) {
+               sg_init_table(asg, 3);
+@@ -381,7 +383,9 @@ static int esp6_input(struct xfrm_state
+       iv = esph->enc_data;
+       sg_init_table(sg, nfrags);
+-      skb_to_sgvec(skb, sg, sizeof(*esph) + crypto_aead_ivsize(aead), elen);
++      ret = skb_to_sgvec(skb, sg, sizeof(*esph) + crypto_aead_ivsize(aead), elen);
++      if (unlikely(ret < 0))
++              goto out;
+       if ((x->props.flags & XFRM_STATE_ESN)) {
+               sg_init_table(asg, 3);
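Review bot: The new failure branches in esp_input() and esp6_input() jump to `out`, and those in esp_output() and esp6_output() jump to `error`, whereas the AH functions jump to `out_free`. If the scratch buffer that backs `sg` is already allocated at these points, those labels may return without freeing it. The allocation and the labels are outside the hunks, so this needs checking against the full functions. If the buffer is live here, route these branches to a label that frees it, as the AH paths do with `out_free`. A leak on an error path that packet processing can reach is a resource-exhaustion risk, so it is worth closing together with the return-value check.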
diff --git a/queue-3.18/ipv6-avoid-dad-failures-for-addresses-with-nodad.patch b/queue-3.18/ipv6-avoid-dad-failures-for-addresses-with-nodad.patch
new file mode 100644 (file)
index 0000000..5cb06e2
--- /dev/null
@@ -0,0 +1,45 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Mahesh Bandewar <maheshb@google.com>
+Date: Fri, 12 May 2017 17:03:39 -0700
+Subject: ipv6: avoid dad-failures for addresses with NODAD
+
+From: Mahesh Bandewar <maheshb@google.com>
+
+
+[ Upstream commit 66eb9f86e50547ec2a8ff7a75997066a74ef584b ]
+
+Every address gets added with TENTATIVE flag even for the addresses with
+IFA_F_NODAD flag and dad-work is scheduled for them. During this DAD process
+we realize it's an address with NODAD and complete the process without
+sending any probe. However the TENTATIVE flags stays on the
+address for sometime enough to cause misinterpretation when we receive a NS.
+While processing NS, if the address has TENTATIVE flag, we mark it DADFAILED
+and endup with an address that was originally configured as NODAD with
+DADFAILED.
+
+We can't avoid scheduling dad_work for addresses with NODAD but we can
+avoid adding TENTATIVE flag to avoid this racy situation.
+
+Signed-off-by: Mahesh Bandewar <maheshb@google.com>
+Acked-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -863,7 +863,10 @@ ipv6_add_addr(struct inet6_dev *idev, co
+       INIT_HLIST_NODE(&ifa->addr_lst);
+       ifa->scope = scope;
+       ifa->prefix_len = pfxlen;
+-      ifa->flags = flags | IFA_F_TENTATIVE;
++      ifa->flags = flags;
++      /* No need to add the TENTATIVE flag for addresses with NODAD */
++      if (!(flags & IFA_F_NODAD))
++              ifa->flags |= IFA_F_TENTATIVE;
+       ifa->valid_lft = valid_lft;
+       ifa->prefered_lft = prefered_lft;
+       ifa->cstamp = ifa->tstamp = jiffies;
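Review bot: The added comment above `if (!(flags & IFA_F_NODAD))` says what the code does but not why, and the reason is the non-obvious part. Per the description, a NODAD address left TENTATIVE can be marked DADFAILED when an NS arrives before dad-work clears the flag. I would word it as `/* NODAD addresses never probe; leaving TENTATIVE set lets a received NS mark them DADFAILED */`. The new code also only stops adding the flag, so a caller that passes IFA_F_TENTATIVE together with IFA_F_NODAD in `flags` still gets a tentative address; whether any caller does so cannot be seen from this hunk.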
diff --git a/queue-3.18/kvm-nvmx-fix-handling-of-lmsw-instruction.patch b/queue-3.18/kvm-nvmx-fix-handling-of-lmsw-instruction.patch
new file mode 100644 (file)
index 0000000..5b41674
--- /dev/null
@@ -0,0 +1,58 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: "Jan H. Schönherr" <jschoenh@amazon.de>
+Date: Sat, 20 May 2017 13:22:56 +0200
+Subject: KVM: nVMX: Fix handling of lmsw instruction
+
+From: "Jan H. Schönherr" <jschoenh@amazon.de>
+
+
+[ Upstream commit e1d39b17e044e8ae819827810d87d809ba5f58c0 ]
+
+The decision whether or not to exit from L2 to L1 on an lmsw instruction is
+based on bogus values: instead of using the information encoded within the
+exit qualification, it uses the data also used for the mov-to-cr
+instruction, which boils down to using whatever is in %eax at that point.
+
+Use the correct values instead.
+
+Without this fix, an L1 may not get notified when a 32-bit Linux L2
+switches its secondary CPUs to protected mode; the L1 is only notified on
+the next modification of CR0. This short time window poses a problem, when
+there is some other reason to exit to L1 in between. Then, L2 will be
+resumed in real mode and chaos ensues.
+
+Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
+Reviewed-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6935,11 +6935,13 @@ static bool nested_vmx_exit_handled_cr(s
+ {
+       unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
+       int cr = exit_qualification & 15;
+-      int reg = (exit_qualification >> 8) & 15;
+-      unsigned long val = kvm_register_readl(vcpu, reg);
++      int reg;
++      unsigned long val;
+       switch ((exit_qualification >> 4) & 3) {
+       case 0: /* mov to cr */
++              reg = (exit_qualification >> 8) & 15;
++              val = kvm_register_readl(vcpu, reg);
+               switch (cr) {
+               case 0:
+                       if (vmcs12->cr0_guest_host_mask &
+@@ -6994,6 +6996,7 @@ static bool nested_vmx_exit_handled_cr(s
+                * lmsw can change bits 1..3 of cr0, and only set bit 0 of
+                * cr0. Other attempted changes are ignored, with no exit.
+                */
++              val = (exit_qualification >> LMSW_SOURCE_DATA_SHIFT) & 0x0f;
+               if (vmcs12->cr0_guest_host_mask & 0xe &
+                   (val ^ vmcs12->cr0_read_shadow))
+                       return 1;
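Review bot: `val` and `reg` are no longer initialised at declaration in nested_vmx_exit_handled_cr(), so every switch arm that reads them must assign them first. The hunks show that for `case 0` and for the lmsw arm, but the remaining arms are outside the hunks and should be checked for a leftover read of `val`. The lmsw line also masks with a bare `0x0f`; a short comment such as `/* lmsw can only affect CR0 bits 0..3 (PE, MP, EM, TS) */` would tie the mask to the reasoning in the block comment above it.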
diff --git a/queue-3.18/kvm-ppc-book3s-pr-check-copy_to-from_user-return-values.patch b/queue-3.18/kvm-ppc-book3s-pr-check-copy_to-from_user-return-values.patch
new file mode 100644 (file)
index 0000000..aa567e5
--- /dev/null
@@ -0,0 +1,138 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Thu, 11 May 2017 11:33:30 +1000
+Subject: KVM: PPC: Book3S PR: Check copy_to/from_user return values
+
+From: Paul Mackerras <paulus@ozlabs.org>
+
+
+[ Upstream commit 67325e988faea735d663799b6d152b5f4254093c ]
+
+The PR KVM implementation of the PAPR HPT hypercalls (H_ENTER etc.)
+access an image of the HPT in userspace memory using copy_from_user
+and copy_to_user.  Recently, the declarations of those functions were
+annotated to indicate that the return value must be checked.  Since
+this code doesn't currently check the return value, this causes
+compile warnings like the ones shown below, and since on PPC the
+default is to compile arch/powerpc with -Werror, this causes the
+build to fail.
+
+To fix this, we check the return values, and if non-zero, fail the
+hypercall being processed with a H_FUNCTION error return value.
+There is really no good error return value to use since PAPR didn't
+envisage the possibility that the hypervisor may not be able to access
+the guest's HPT, and H_FUNCTION (function not supported) seems as
+good as any.
+
+The typical compile warnings look like this:
+
+  CC      arch/powerpc/kvm/book3s_pr_papr.o
+/home/paulus/kernel/kvm/arch/powerpc/kvm/book3s_pr_papr.c: In function â€˜kvmppc_h_pr_enter’:
+/home/paulus/kernel/kvm/arch/powerpc/kvm/book3s_pr_papr.c:53:2: error: ignoring return value of â€˜copy_from_user’, declared with attribute warn_unused_result [-Werror=unused-result]
+  copy_from_user(pteg, (void __user *)pteg_addr, sizeof(pteg));
+  ^
+/home/paulus/kernel/kvm/arch/powerpc/kvm/book3s_pr_papr.c:74:2: error: ignoring return value of â€˜copy_to_user’, declared with attribute warn_unused_result [-Werror=unused-result]
+  copy_to_user((void __user *)pteg_addr, hpte, HPTE_SIZE);
+  ^
+
+... etc.
+
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kvm/book3s_pr_papr.c |   34 ++++++++++++++++++++++++++--------
+ 1 file changed, 26 insertions(+), 8 deletions(-)
+
+--- a/arch/powerpc/kvm/book3s_pr_papr.c
++++ b/arch/powerpc/kvm/book3s_pr_papr.c
+@@ -50,7 +50,9 @@ static int kvmppc_h_pr_enter(struct kvm_
+       pteg_addr = get_pteg_addr(vcpu, pte_index);
+       mutex_lock(&vcpu->kvm->arch.hpt_mutex);
+-      copy_from_user(pteg, (void __user *)pteg_addr, sizeof(pteg));
++      ret = H_FUNCTION;
++      if (copy_from_user(pteg, (void __user *)pteg_addr, sizeof(pteg)))
++              goto done;
+       hpte = pteg;
+       ret = H_PTEG_FULL;
+@@ -71,7 +73,9 @@ static int kvmppc_h_pr_enter(struct kvm_
+       hpte[0] = cpu_to_be64(kvmppc_get_gpr(vcpu, 6));
+       hpte[1] = cpu_to_be64(kvmppc_get_gpr(vcpu, 7));
+       pteg_addr += i * HPTE_SIZE;
+-      copy_to_user((void __user *)pteg_addr, hpte, HPTE_SIZE);
++      ret = H_FUNCTION;
++      if (copy_to_user((void __user *)pteg_addr, hpte, HPTE_SIZE))
++              goto done;
+       kvmppc_set_gpr(vcpu, 4, pte_index | i);
+       ret = H_SUCCESS;
+@@ -93,7 +97,9 @@ static int kvmppc_h_pr_remove(struct kvm
+       pteg = get_pteg_addr(vcpu, pte_index);
+       mutex_lock(&vcpu->kvm->arch.hpt_mutex);
+-      copy_from_user(pte, (void __user *)pteg, sizeof(pte));
++      ret = H_FUNCTION;
++      if (copy_from_user(pte, (void __user *)pteg, sizeof(pte)))
++              goto done;
+       pte[0] = be64_to_cpu((__force __be64)pte[0]);
+       pte[1] = be64_to_cpu((__force __be64)pte[1]);
+@@ -103,7 +109,9 @@ static int kvmppc_h_pr_remove(struct kvm
+           ((flags & H_ANDCOND) && (pte[0] & avpn) != 0))
+               goto done;
+-      copy_to_user((void __user *)pteg, &v, sizeof(v));
++      ret = H_FUNCTION;
++      if (copy_to_user((void __user *)pteg, &v, sizeof(v)))
++              goto done;
+       rb = compute_tlbie_rb(pte[0], pte[1], pte_index);
+       vcpu->arch.mmu.tlbie(vcpu, rb, rb & 1 ? true : false);
+@@ -171,7 +179,10 @@ static int kvmppc_h_pr_bulk_remove(struc
+               }
+               pteg = get_pteg_addr(vcpu, tsh & H_BULK_REMOVE_PTEX);
+-              copy_from_user(pte, (void __user *)pteg, sizeof(pte));
++              if (copy_from_user(pte, (void __user *)pteg, sizeof(pte))) {
++                      ret = H_FUNCTION;
++                      break;
++              }
+               pte[0] = be64_to_cpu((__force __be64)pte[0]);
+               pte[1] = be64_to_cpu((__force __be64)pte[1]);
+@@ -184,7 +195,10 @@ static int kvmppc_h_pr_bulk_remove(struc
+                       tsh |= H_BULK_REMOVE_NOT_FOUND;
+               } else {
+                       /* Splat the pteg in (userland) hpt */
+-                      copy_to_user((void __user *)pteg, &v, sizeof(v));
++                      if (copy_to_user((void __user *)pteg, &v, sizeof(v))) {
++                              ret = H_FUNCTION;
++                              break;
++                      }
+                       rb = compute_tlbie_rb(pte[0], pte[1],
+                                             tsh & H_BULK_REMOVE_PTEX);
+@@ -211,7 +225,9 @@ static int kvmppc_h_pr_protect(struct kv
+       pteg = get_pteg_addr(vcpu, pte_index);
+       mutex_lock(&vcpu->kvm->arch.hpt_mutex);
+-      copy_from_user(pte, (void __user *)pteg, sizeof(pte));
++      ret = H_FUNCTION;
++      if (copy_from_user(pte, (void __user *)pteg, sizeof(pte)))
++              goto done;
+       pte[0] = be64_to_cpu((__force __be64)pte[0]);
+       pte[1] = be64_to_cpu((__force __be64)pte[1]);
+@@ -234,7 +250,9 @@ static int kvmppc_h_pr_protect(struct kv
+       vcpu->arch.mmu.tlbie(vcpu, rb, rb & 1 ? true : false);
+       pte[0] = (__force u64)cpu_to_be64(pte[0]);
+       pte[1] = (__force u64)cpu_to_be64(pte[1]);
+-      copy_to_user((void __user *)pteg, pte, sizeof(pte));
++      ret = H_FUNCTION;
++      if (copy_to_user((void __user *)pteg, pte, sizeof(pte)))
++              goto done;
+       ret = H_SUCCESS;
+  done:
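Review bot: Four of the five functions pre-load `ret = H_FUNCTION;` before the copy and rely on a later assignment to overwrite it, while kvmppc_h_pr_bulk_remove() sets it inside the failure branch. The second form is safer, because with the first any `goto done` between the copy and the next `ret = ...` silently inherits H_FUNCTION. In kvmppc_h_pr_remove() the assignment that should follow the second check is outside the hunk, so it is worth confirming there. I would write each check as `if (copy_from_user(pte, (void __user *)pteg, sizeof(pte))) { ret = H_FUNCTION; goto done; }`. A one-line comment would also help, noting that a failed copy_from_user() would otherwise leave the local `pte`/`pteg` buffer with unintended contents that are then parsed and written back, since the description presents the change as a build fix only.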
diff --git a/queue-3.18/kvm-svm-do-not-zero-out-segment-attributes-if-segment-is-unusable-or-not-present.patch b/queue-3.18/kvm-svm-do-not-zero-out-segment-attributes-if-segment-is-unusable-or-not-present.patch
new file mode 100644 (file)
index 0000000..2f6a8a3
--- /dev/null
@@ -0,0 +1,89 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Roman Pen <roman.penyaev@profitbricks.com>
+Date: Thu, 1 Jun 2017 10:55:03 +0200
+Subject: KVM: SVM: do not zero out segment attributes if segment is unusable or not present
+
+From: Roman Pen <roman.penyaev@profitbricks.com>
+
+
+[ Upstream commit d9c1b5431d5f0e07575db785a022bce91051ac1d ]
+
+This is a fix for the problem [1], where VMCB.CPL was set to 0 and interrupt
+was taken on userspace stack.  The root cause lies in the specific AMD CPU
+behaviour which manifests itself as unusable segment attributes on SYSRET.
+The corresponding work around for the kernel is the following:
+
+61f01dd941ba ("x86_64, asm: Work around AMD SYSRET SS descriptor attribute issue")
+
+In other turn virtualization side treated unusable segment incorrectly and
+restored CPL from SS attributes, which were zeroed out few lines above.
+
+In current patch it is assured only that P bit is cleared in VMCB.save state
+and segment attributes are not zeroed out if segment is not presented or is
+unusable, therefore CPL can be safely restored from DPL field.
+
+This is only one part of the fix, since QEMU side should be fixed accordingly
+not to zero out attributes on its side.  Corresponding patch will follow.
+
+[1] Message id: CAJrWOzD6Xq==b-zYCDdFLgSRMPM-NkNuTSDFEtX=7MreT45i7Q@mail.gmail.com
+
+Signed-off-by: Roman Pen <roman.penyaev@profitbricks.com>
+Signed-off-by: Mikhail Sennikovskii <mikhail.sennikovskii@profitbricks.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim KrÄmář <rkrcmar@redhat.com>
+Cc: kvm@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm.c |   24 +++++++++++-------------
+ 1 file changed, 11 insertions(+), 13 deletions(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -1467,6 +1467,7 @@ static void svm_get_segment(struct kvm_v
+                */
+               if (var->unusable)
+                       var->db = 0;
++              /* This is symmetric with svm_set_segment() */
+               var->dpl = to_svm(vcpu)->vmcb->save.cpl;
+               break;
+       }
+@@ -1611,18 +1612,14 @@ static void svm_set_segment(struct kvm_v
+       s->base = var->base;
+       s->limit = var->limit;
+       s->selector = var->selector;
+-      if (var->unusable)
+-              s->attrib = 0;
+-      else {
+-              s->attrib = (var->type & SVM_SELECTOR_TYPE_MASK);
+-              s->attrib |= (var->s & 1) << SVM_SELECTOR_S_SHIFT;
+-              s->attrib |= (var->dpl & 3) << SVM_SELECTOR_DPL_SHIFT;
+-              s->attrib |= (var->present & 1) << SVM_SELECTOR_P_SHIFT;
+-              s->attrib |= (var->avl & 1) << SVM_SELECTOR_AVL_SHIFT;
+-              s->attrib |= (var->l & 1) << SVM_SELECTOR_L_SHIFT;
+-              s->attrib |= (var->db & 1) << SVM_SELECTOR_DB_SHIFT;
+-              s->attrib |= (var->g & 1) << SVM_SELECTOR_G_SHIFT;
+-      }
++      s->attrib = (var->type & SVM_SELECTOR_TYPE_MASK);
++      s->attrib |= (var->s & 1) << SVM_SELECTOR_S_SHIFT;
++      s->attrib |= (var->dpl & 3) << SVM_SELECTOR_DPL_SHIFT;
++      s->attrib |= ((var->present & 1) && !var->unusable) << SVM_SELECTOR_P_SHIFT;
++      s->attrib |= (var->avl & 1) << SVM_SELECTOR_AVL_SHIFT;
++      s->attrib |= (var->l & 1) << SVM_SELECTOR_L_SHIFT;
++      s->attrib |= (var->db & 1) << SVM_SELECTOR_DB_SHIFT;
++      s->attrib |= (var->g & 1) << SVM_SELECTOR_G_SHIFT;
+       /*
+        * This is always accurate, except if SYSRET returned to a segment
+@@ -1631,7 +1628,8 @@ static void svm_set_segment(struct kvm_v
+        * would entail passing the CPL to userspace and back.
+        */
+       if (seg == VCPU_SREG_SS)
+-              svm->vmcb->save.cpl = (s->attrib >> SVM_SELECTOR_DPL_SHIFT) & 3;
++              /* This is symmetric with svm_get_segment() */
++              svm->vmcb->save.cpl = (var->dpl & 3);
+       mark_dirty(svm->vmcb, VMCB_SEG);
+ }
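Review bot: In svm_set_segment() the new comment sits between the unbraced `if (seg == VCPU_SREG_SS)` and its only statement, which is easy to misread and fragile if a second statement is ever added; move the comment above the `if` or brace the body. The block comment directly above it ("This is always accurate, except if SYSRET returned to a segment ...") was written for the old derivation of CPL from `s->attrib` and looks stale now that CPL comes from `var->dpl`, so it should be updated in the same change. Because `var` is supplied by the caller, CPL now follows `var->dpl` even for an unusable segment. The expectation that callers pass a meaningful DPL in that case deserves a sentence in that comment.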
diff --git a/queue-3.18/l2tp-fix-missing-print-session-offset-info.patch b/queue-3.18/l2tp-fix-missing-print-session-offset-info.patch
new file mode 100644 (file)
index 0000000..c4aaa4d
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Fri, 22 Dec 2017 15:10:17 +0100
+Subject: l2tp: fix missing print session offset info
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+
+[ Upstream commit 820da5357572715c6235ba3b3daa2d5b43a1198f ]
+
+Report offset parameter in L2TP_CMD_SESSION_GET command if
+it has been configured by userspace
+
+Fixes: 309795f4bec ("l2tp: Add netlink control API for L2TP")
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_netlink.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/l2tp/l2tp_netlink.c
++++ b/net/l2tp/l2tp_netlink.c
+@@ -633,6 +633,8 @@ static int l2tp_nl_session_send(struct s
+       if ((session->ifname[0] &&
+            nla_put_string(skb, L2TP_ATTR_IFNAME, session->ifname)) ||
++          (session->offset &&
++           nla_put_u16(skb, L2TP_ATTR_OFFSET, session->offset)) ||
+           (session->cookie_len &&
+            nla_put(skb, L2TP_ATTR_COOKIE, session->cookie_len,
+                    &session->cookie[0])) ||
diff --git a/queue-3.18/leds-pca955x-correct-i2c-functionality.patch b/queue-3.18/leds-pca955x-correct-i2c-functionality.patch
new file mode 100644 (file)
index 0000000..195e8d5
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Tin Huynh <tnhuynh@apm.com>
+Date: Mon, 22 May 2017 16:19:20 +0700
+Subject: leds: pca955x: Correct I2C Functionality
+
+From: Tin Huynh <tnhuynh@apm.com>
+
+
+[ Upstream commit aace34c0bb8ea3c8bdcec865b6a4be4db0a68e33 ]
+
+The driver checks an incorrect flag of functionality of adapter.
+When a driver requires i2c_smbus_read_byte_data and
+i2c_smbus_write_byte_data, it should check I2C_FUNC_SMBUS_BYTE_DATA
+instead I2C_FUNC_I2C.
+This patch fixes the problem.
+
+Signed-off-by: Tin Huynh <tnhuynh@apm.com>
+Signed-off-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/leds/leds-pca955x.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/leds/leds-pca955x.c
++++ b/drivers/leds/leds-pca955x.c
+@@ -281,7 +281,7 @@ static int pca955x_probe(struct i2c_clie
+                       "slave address 0x%02x\n",
+                       id->name, chip->bits, client->addr);
+-      if (!i2c_check_functionality(adapter, I2C_FUNC_I2C))
++      if (!i2c_check_functionality(adapter, I2C_FUNC_SMBUS_BYTE_DATA))
+               return -EIO;
+       if (pdata) {
diff --git a/queue-3.18/libceph-null-deref-on-crush_decode-error-path.patch b/queue-3.18/libceph-null-deref-on-crush_decode-error-path.patch
new file mode 100644 (file)
index 0000000..b13f2d8
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 23 May 2017 17:25:10 +0300
+Subject: libceph: NULL deref on crush_decode() error path
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit 293dffaad8d500e1a5336eeb90d544cf40d4fbd8 ]
+
+If there is not enough space then ceph_decode_32_safe() does a goto bad.
+We need to return an error code in that situation.  The current code
+returns ERR_PTR(0) which is NULL.  The callers are not expecting that
+and it results in a NULL dereference.
+
+Fixes: f24e9980eb86 ("ceph: OSD client")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/osdmap.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -270,6 +270,7 @@ static struct crush_map *crush_decode(vo
+               u32 yes;
+               struct crush_rule *r;
++              err = -EINVAL;
+               ceph_decode_32_safe(p, end, yes, bad);
+               if (!yes) {
+                       dout("crush_decode NO rule %d off %x %p to %p\n",
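Review bot: The new `err = -EINVAL;` has no comment, and its placement inside the loop only makes sense once one knows that ceph_decode_32_safe() jumps to `bad` without touching `err`. I would add `/* ceph_decode_32_safe() jumps to bad without setting err */` above it. The same pattern may exist elsewhere in crush_decode(): any bounds-checked decode that runs after `err` was last set to 0 by a successful call would again return ERR_PTR(0). Those call sites are outside this hunk and need checking against the full function.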
diff --git a/queue-3.18/lockd-fix-lockd-shutdown-race.patch b/queue-3.18/lockd-fix-lockd-shutdown-race.patch
new file mode 100644 (file)
index 0000000..9b77c76
--- /dev/null
@@ -0,0 +1,59 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Tue, 28 Mar 2017 21:25:08 -0400
+Subject: lockd: fix lockd shutdown race
+
+From: "J. Bruce Fields" <bfields@redhat.com>
+
+
+[ Upstream commit efda760fe95ea15291853c8fa9235c32d319cd98 ]
+
+As reported by David Jeffery: "a signal was sent to lockd while lockd
+was shutting down from a request to stop nfs.  The signal causes lockd
+to call restart_grace() which puts the lockd_net structure on the grace
+list.  If this signal is received at the wrong time, it will occur after
+lockd_down_net() has called locks_end_grace() but before
+lockd_down_net() stops the lockd thread.  This leads to lockd putting
+the lockd_net structure back on the grace list, then exiting without
+anything removing it from the list."
+
+So, perform the final locks_end_grace() from the the lockd thread; this
+ensures it's serialized with respect to restart_grace().
+
+Reported-by: David Jeffery <djeffery@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/lockd/svc.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/lockd/svc.c
++++ b/fs/lockd/svc.c
+@@ -129,6 +129,8 @@ lockd(void *vrqstp)
+ {
+       int             err = 0;
+       struct svc_rqst *rqstp = vrqstp;
++      struct net *net = &init_net;
++      struct lockd_net *ln = net_generic(net, lockd_net_id);
+       /* try_to_freeze() is called from svc_recv() */
+       set_freezable();
+@@ -173,6 +175,8 @@ lockd(void *vrqstp)
+       if (nlmsvc_ops)
+               nlmsvc_invalidate_all();
+       nlm_shutdown_hosts();
++      cancel_delayed_work_sync(&ln->grace_period_end);
++      locks_end_grace(&ln->lockd_manager);
+       return 0;
+ }
+@@ -267,8 +271,6 @@ static void lockd_down_net(struct svc_se
+       if (ln->nlmsvc_users) {
+               if (--ln->nlmsvc_users == 0) {
+                       nlm_shutdown_hosts_net(net);
+-                      cancel_delayed_work_sync(&ln->grace_period_end);
+-                      locks_end_grace(&ln->lockd_manager);
+                       svc_shutdown_net(serv, net);
+                       dprintk("lockd_down_net: per-net data destroyed; net=%p\n", net);
+               }
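Review bot: The calls removed from lockd_down_net() acted on the `ln` of the namespace being shut down, but the replacement in lockd() takes `ln` from `&init_net` only. For any other network namespace, nothing visible here now cancels `grace_period_end` or ends the grace period when its last user goes away. If lockd can serve more than one namespace in this tree, the delayed work could still fire after that namespace's per-net data is torn down. Either keep `cancel_delayed_work_sync(&ln->grace_period_end);` and `locks_end_grace(&ln->lockd_manager);` in lockd_down_net() for namespaces other than init_net, or state in a comment why only init_net needs them. The bodies of both functions extend beyond the hunks.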
diff --git a/queue-3.18/mac80211-bail-out-from-prep_connection-if-a-reconfig-is-ongoing.patch b/queue-3.18/mac80211-bail-out-from-prep_connection-if-a-reconfig-is-ongoing.patch
new file mode 100644 (file)
index 0000000..3e95bef
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Luca Coelho <luciano.coelho@intel.com>
+Date: Tue, 2 May 2017 17:56:21 +0300
+Subject: mac80211: bail out from prep_connection() if a reconfig is ongoing
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+
+[ Upstream commit f8860ce836f2d502b07ef99559707fe55d90f5bc ]
+
+If ieee80211_hw_restart() is called during authentication, the
+authentication process will continue, causing the driver to be called
+in a wrong state.  This ultimately causes an oops in the iwlwifi
+driver (at least).
+
+This fixes bugzilla 195299 partly.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195299
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/mlme.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -3995,6 +3995,10 @@ static int ieee80211_prep_connection(str
+       if (WARN_ON(!ifmgd->auth_data && !ifmgd->assoc_data))
+               return -EINVAL;
++      /* If a reconfig is happening, bail out */
++      if (local->in_reconfig)
++              return -EBUSY;
++
+       if (assoc) {
+               rcu_read_lock();
+               have_sta = sta_info_get(sdata, cbss->bssid);
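Review bot: The new `local->in_reconfig` test in ieee80211_prep_connection() is a single read with no locking visible in the hunk, so a restart that begins just after the check would still overlap with the rest of the function. Whether a lock held by the callers serialises this against ieee80211_hw_restart() cannot be seen here and should be confirmed. The comment `/* If a reconfig is happening, bail out */` restates the code; `/* the driver must not be called for a new connection while a HW restart is being reconfigured */` would record the reason given in the description.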
diff --git a/queue-3.18/mceusb-sporadic-rx-truncation-corruption-fix.patch b/queue-3.18/mceusb-sporadic-rx-truncation-corruption-fix.patch
new file mode 100644 (file)
index 0000000..e397110
--- /dev/null
@@ -0,0 +1,50 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: A Sun <as1033x@comcast.net>
+Date: Sun, 26 Mar 2017 15:33:07 -0300
+Subject: [media] mceusb: sporadic RX truncation corruption fix
+
+From: A Sun <as1033x@comcast.net>
+
+
+[ Upstream commit 8e175b22e8640bf3a58e071af54190b909e4a944 ]
+
+Intermittent RX truncation and loss of IR received data. This resulted
+in receive stream synchronization errors where driver attempted to
+incorrectly parse IR data (eg 0x90 below) as command response.
+
+[ 3969.139898] mceusb 1-1.2:1.0: processed IR data
+[ 3969.151315] mceusb 1-1.2:1.0: rx data: 00 90 (length=2)
+[ 3969.151321] mceusb 1-1.2:1.0: Unknown command 0x00 0x90
+[ 3969.151336] mceusb 1-1.2:1.0: rx data: 98 0a 8d 0a 8e 0a 8e 0a 8e 0a 8e 0a 9a 0a 8e 0a 0b 3a 8e 00 80 41 59 00 00 (length=25)
+[ 3969.151341] mceusb 1-1.2:1.0: Raw IR data, 24 pulse/space samples
+[ 3969.151348] mceusb 1-1.2:1.0: Storing space with duration 500000
+
+Bug trigger appears to be normal, but heavy, IR receiver use.
+
+Signed-off-by: A Sun <as1033x@comcast.net>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/rc/mceusb.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/rc/mceusb.c
++++ b/drivers/media/rc/mceusb.c
+@@ -1370,8 +1370,13 @@ static int mceusb_dev_probe(struct usb_i
+               goto rc_dev_fail;
+       /* wire up inbound data handler */
+-      usb_fill_int_urb(ir->urb_in, dev, pipe, ir->buf_in, maxp,
+-                              mceusb_dev_recv, ir, ep_in->bInterval);
++      if (usb_endpoint_xfer_int(ep_in))
++              usb_fill_int_urb(ir->urb_in, dev, pipe, ir->buf_in, maxp,
++                               mceusb_dev_recv, ir, ep_in->bInterval);
++      else
++              usb_fill_bulk_urb(ir->urb_in, dev, pipe, ir->buf_in, maxp,
++                                mceusb_dev_recv, ir);
++
+       ir->urb_in->transfer_dma = ir->dma_in;
+       ir->urb_in->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
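Review bot: The `else` arm in mceusb_dev_probe() treats every endpoint that is not an interrupt endpoint as bulk, and the endpoint type comes from the device's descriptors. If `ep_in` could be of another transfer type, `usb_fill_bulk_urb()` would build a URB that does not match the descriptor. How `ep_in` is selected is outside the hunk, so either confirm it is restricted to interrupt and bulk IN endpoints, or make the second arm explicit with `else if (usb_endpoint_xfer_bulk(ep_in))` and fail the probe otherwise. A comment such as `/* fill the URB to match the endpoint type the device reports */` would also explain the branch, since the description lists only the symptom.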
diff --git a/queue-3.18/mips-kprobes-flush_insn_slot-should-flush-only-if-probe-initialised.patch b/queue-3.18/mips-kprobes-flush_insn_slot-should-flush-only-if-probe-initialised.patch
new file mode 100644 (file)
index 0000000..e3f66a2
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+Date: Thu, 8 Jun 2017 15:20:32 +0200
+Subject: MIPS: kprobes: flush_insn_slot should flush only if probe initialised
+
+From: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+
+
+[ Upstream commit 698b851073ddf5a894910d63ca04605e0473414e ]
+
+When ftrace is used with kprobes, it is possible for a kprobe to contain
+an invalid location (ie. only initialised to 0 and not to a specific
+location in the code). Trying to perform a cache flush on such location
+leads to a crash r4k_flush_icache_range().
+
+Fixes: c1bf207d6ee1 ("MIPS: kprobe: Add support.")
+Signed-off-by: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16296/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/include/asm/kprobes.h |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/include/asm/kprobes.h
++++ b/arch/mips/include/asm/kprobes.h
+@@ -40,7 +40,8 @@ typedef union mips_instruction kprobe_op
+ #define flush_insn_slot(p)                                            \
+ do {                                                                  \
+-      flush_icache_range((unsigned long)p->addr,                      \
++      if (p->addr)                                                    \
++              flush_icache_range((unsigned long)p->addr,              \
+                          (unsigned long)p->addr +                     \
+                          (MAX_INSN_SIZE * sizeof(kprobe_opcode_t)));  \
+ } while (0)
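Review bot: The macro argument `p` is expanded three times without parentheses in `flush_insn_slot`, including in the new `if (p->addr)` guard, so an argument that is an expression rather than a plain identifier would bind incorrectly or be evaluated more than once. Writing the guard as `if ((p)->addr)` and using `(p)->addr` in the two range operands keeps the test and the flush looking at the same object. A short comment such as `/* addr stays 0 when the kprobe was never given a code location (seen with ftrace) */` would record why the guard exists.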
diff --git a/queue-3.18/mips-mm-fixed-mappings-correct-initialisation.patch b/queue-3.18/mips-mm-fixed-mappings-correct-initialisation.patch
new file mode 100644 (file)
index 0000000..124c223
--- /dev/null
@@ -0,0 +1,50 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+Date: Tue, 11 Apr 2017 09:00:34 +0200
+Subject: MIPS: mm: fixed mappings: correct initialisation
+
+From: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+
+
+[ Upstream commit 71eb989ab5a110df8bcbb9609bacde73feacbedd ]
+
+fixrange_init operates at PMD-granularity and expects the addresses to
+be PMD-size aligned, but currently that might not be the case for
+PKMAP_BASE unless it is defined properly, so ensure a correct alignment
+is used before passing the address to fixrange_init.
+
+fixed mappings: only align the start address that is passed to
+fixrange_init rather than the value before adding the size, as we may
+end up with uninitialised upper part of the range.
+
+Signed-off-by: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/15948/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/mm/pgtable-32.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/mips/mm/pgtable-32.c
++++ b/arch/mips/mm/pgtable-32.c
+@@ -51,15 +51,15 @@ void __init pagetable_init(void)
+       /*
+        * Fixed mappings:
+        */
+-      vaddr = __fix_to_virt(__end_of_fixed_addresses - 1) & PMD_MASK;
+-      fixrange_init(vaddr, vaddr + FIXADDR_SIZE, pgd_base);
++      vaddr = __fix_to_virt(__end_of_fixed_addresses - 1);
++      fixrange_init(vaddr & PMD_MASK, vaddr + FIXADDR_SIZE, pgd_base);
+ #ifdef CONFIG_HIGHMEM
+       /*
+        * Permanent kmaps:
+        */
+       vaddr = PKMAP_BASE;
+-      fixrange_init(vaddr, vaddr + PAGE_SIZE*LAST_PKMAP, pgd_base);
++      fixrange_init(vaddr & PMD_MASK, vaddr + PAGE_SIZE*LAST_PKMAP, pgd_base);
+       pgd = swapper_pg_dir + __pgd_offset(vaddr);
+       pud = pud_offset(pgd, vaddr);
diff --git a/queue-3.18/misdn-fix-a-sleep-in-atomic-bug.patch b/queue-3.18/misdn-fix-a-sleep-in-atomic-bug.patch
new file mode 100644 (file)
index 0000000..716b10f
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Jia-Ju Bai <baijiaju1990@163.com>
+Date: Wed, 31 May 2017 15:08:25 +0800
+Subject: mISDN: Fix a sleep-in-atomic bug
+
+From: Jia-Ju Bai <baijiaju1990@163.com>
+
+
+[ Upstream commit 93818da5eed63fbc17b64080406ea53b86b23309 ]
+
+The driver may sleep under a read spin lock, and the function call path is:
+send_socklist (acquire the lock by read_lock)
+  skb_copy(GFP_KERNEL) --> may sleep
+
+To fix it, the "GFP_KERNEL" is replaced with "GFP_ATOMIC".
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/isdn/mISDN/stack.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/isdn/mISDN/stack.c
++++ b/drivers/isdn/mISDN/stack.c
+@@ -72,7 +72,7 @@ send_socklist(struct mISDN_sock_list *sl
+               if (sk->sk_state != MISDN_BOUND)
+                       continue;
+               if (!cskb)
+-                      cskb = skb_copy(skb, GFP_KERNEL);
++                      cskb = skb_copy(skb, GFP_ATOMIC);
+               if (!cskb) {
+                       printk(KERN_WARNING "%s no skb\n", __func__);
+                       break;
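Review bot: With `GFP_ATOMIC` the `skb_copy()` in `send_socklist` cannot sleep to reclaim memory, so it will fail more readily under memory pressure. Its failure branch logs with an unthrottled `printk(KERN_WARNING ...)` on every occurrence. Consider `printk_ratelimited(KERN_WARNING "%s no skb\n", __func__);` so that repeated allocation failures cannot flood the kernel log. The `break` also means the remaining bound sockets in the list never see this frame, which deserves a comment like `/* out of memory: give up on the remaining listeners for this frame */`. The body of `send_socklist` starts and ends outside the hunk.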
diff --git a/queue-3.18/neighbour-update-neigh-timestamps-iff-update-is-effective.patch b/queue-3.18/neighbour-update-neigh-timestamps-iff-update-is-effective.patch
new file mode 100644 (file)
index 0000000..a78499f
--- /dev/null
@@ -0,0 +1,95 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Ihar Hrachyshka <ihrachys@redhat.com>
+Date: Tue, 16 May 2017 08:44:24 -0700
+Subject: neighbour: update neigh timestamps iff update is effective
+
+From: Ihar Hrachyshka <ihrachys@redhat.com>
+
+
+[ Upstream commit 77d7123342dcf6442341b67816321d71da8b2b16 ]
+
+It's a common practice to send gratuitous ARPs after moving an
+IP address to another device to speed up healing of a service. To
+fulfill service availability constraints, the timing of network peers
+updating their caches to point to a new location of an IP address can be
+particularly important.
+
+Sometimes neigh_update calls won't touch neither lladdr nor state, for
+example if an update arrives in locktime interval. The neigh->updated
+value is tested by the protocol specific neigh code, which in turn
+will influence whether NEIGH_UPDATE_F_OVERRIDE gets set in the
+call to neigh_update() or not. As a result, we may effectively ignore
+the update request, bailing out of touching the neigh entry, except that
+we still bump its timestamps inside neigh_update.
+
+This may be a problem for updates arriving in quick succession. For
+example, consider the following scenario:
+
+A service is moved to another device with its IP address. The new device
+sends three gratuitous ARP requests into the network with ~1 seconds
+interval between them. Just before the first request arrives to one of
+network peer nodes, its neigh entry for the IP address transitions from
+STALE to DELAY.  This transition, among other things, updates
+neigh->updated. Once the kernel receives the first gratuitous ARP, it
+ignores it because its arrival time is inside the locktime interval. The
+kernel still bumps neigh->updated. Then the second gratuitous ARP
+request arrives, and it's also ignored because it's still in the (new)
+locktime interval. Same happens for the third request. The node
+eventually heals itself (after delay_first_probe_time seconds since the
+initial transition to DELAY state), but it just wasted some time and
+require a new ARP request/reply round trip. This unfortunate behaviour
+both puts more load on the network, as well as reduces service
+availability.
+
+This patch changes neigh_update so that it bumps neigh->updated (as well
+as neigh->confirmed) only once we are sure that either lladdr or entry
+state will change). In the scenario described above, it means that the
+second gratuitous ARP request will actually update the entry lladdr.
+
+Ideally, we would update the neigh entry on the very first gratuitous
+ARP request. The locktime mechanism is designed to ignore ARP updates in
+a short timeframe after a previous ARP update was honoured by the kernel
+layer. This would require tracking timestamps for state transitions
+separately from timestamps when actual updates are received. This would
+probably involve changes in neighbour struct. Therefore, the patch
+doesn't tackle the issue of the first gratuitous APR ignored, leaving
+it for a follow-up.
+
+Signed-off-by: Ihar Hrachyshka <ihrachys@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/neighbour.c |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -1147,10 +1147,6 @@ int neigh_update(struct neighbour *neigh
+               lladdr = neigh->ha;
+       }
+-      if (new & NUD_CONNECTED)
+-              neigh->confirmed = jiffies;
+-      neigh->updated = jiffies;
+-
+       /* If entry was valid and address is not changed,
+          do not change entry state, if new one is STALE.
+        */
+@@ -1174,6 +1170,16 @@ int neigh_update(struct neighbour *neigh
+               }
+       }
++      /* Update timestamps only once we know we will make a change to the
++       * neighbour entry. Otherwise we risk to move the locktime window with
++       * noop updates and ignore relevant ARP updates.
++       */
++      if (new != old || lladdr != neigh->ha) {
++              if (new & NUD_CONNECTED)
++                      neigh->confirmed = jiffies;
++              neigh->updated = jiffies;
++      }
++
+       if (new != old) {
+               neigh_del_timer(neigh);
+               if (new & NUD_IN_TIMER)
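Review bot: The new test `lladdr != neigh->ha` compares pointers, not address bytes, so it is only correct because earlier code in `neigh_update` rewrites `lladdr` to `neigh->ha` when the entry's address is being kept (the `lladdr = neigh->ha;` context line in the first hunk is one such place; the others are outside the hunk). The added comment should state that dependency, for example `/* lladdr points at neigh->ha when the address is unchanged, so a pointer compare is enough */`. The locktime window is what decides whether an unsolicited ARP update is honoured or ignored, so a later change to that normalisation would silently restore the timestamp bumping this patch removes. The body of `neigh_update` starts and ends outside both hunks.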
diff --git a/queue-3.18/net-emac-fix-reset-timeout-with-ar8035-phy.patch b/queue-3.18/net-emac-fix-reset-timeout-with-ar8035-phy.patch
new file mode 100644 (file)
index 0000000..db2cd11
--- /dev/null
@@ -0,0 +1,119 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Christian Lamparter <chunkeey@googlemail.com>
+Date: Wed, 7 Jun 2017 15:51:15 +0200
+Subject: net: emac: fix reset timeout with AR8035 phy
+
+From: Christian Lamparter <chunkeey@googlemail.com>
+
+
+[ Upstream commit 19d90ece81da802207a9b91ce95a29fbdc40626e ]
+
+This patch fixes a problem where the AR8035 PHY can't be
+detected on an Cisco Meraki MR24, if the ethernet cable is
+not connected on boot.
+
+Russell Senior provided steps to reproduce the issue:
+|Disconnect ethernet cable, apply power, wait until device has booted,
+|plug in ethernet, check for interfaces, no eth0 is listed.
+|
+|This appears to be a problem during probing of the AR8035 Phy chip.
+|When ethernet has no link, the phy detection fails, and eth0 is not
+|created. Plugging ethernet later has no effect, because there is no
+|interface as far as the kernel is concerned. The relevant part of
+|the boot log looks like this:
+|this is the failing case:
+|
+|[    0.876611] /plb/opb/emac-rgmii@ef601500: input 0 in RGMII mode
+|[    0.882532] /plb/opb/ethernet@ef600c00: reset timeout
+|[    0.888546] /plb/opb/ethernet@ef600c00: can't find PHY!
+|and the succeeding case:
+|
+|[    0.876672] /plb/opb/emac-rgmii@ef601500: input 0 in RGMII mode
+|[    0.883952] eth0: EMAC-0 /plb/opb/ethernet@ef600c00, MAC 00:01:..
+|[    0.890822] eth0: found Atheros 8035 Gigabit Ethernet PHY (0x01)
+
+Based on the comment and the commit message of
+commit 23fbb5a87c56 ("emac: Fix EMAC soft reset on 460EX/GT").
+This is because the AR8035 PHY doesn't provide the TX Clock,
+if the ethernet cable is not attached. This causes the reset
+to timeout and the PHY detection code in emac_init_phy() is
+unable to detect the AR8035 PHY. As a result, the emac driver
+bails out early and the user left with no ethernet.
+
+In order to stay compatible with existing configurations, the driver
+tries the current reset approach at first. Only if the first attempt
+timed out, it does perform one more retry with the clock temporarily
+switched to the internal source for just the duration of the reset.
+
+LEDE-Bug: #687 <https://bugs.lede-project.org/index.php?do=details&task_id=687>
+
+Cc: Chris Blake <chrisrblake93@gmail.com>
+Reported-by: Russell Senior <russell@personaltelco.net>
+Fixes: 23fbb5a87c56e98 ("emac: Fix EMAC soft reset on 460EX/GT")
+Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/emac/core.c |   26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/ibm/emac/core.c
++++ b/drivers/net/ethernet/ibm/emac/core.c
+@@ -349,6 +349,7 @@ static int emac_reset(struct emac_instan
+ {
+       struct emac_regs __iomem *p = dev->emacp;
+       int n = 20;
++      bool __maybe_unused try_internal_clock = false;
+       DBG(dev, "reset" NL);
+@@ -361,6 +362,7 @@ static int emac_reset(struct emac_instan
+       }
+ #ifdef CONFIG_PPC_DCR_NATIVE
++do_retry:
+       /*
+        * PPC460EX/GT Embedded Processor Advanced User's Manual
+        * section 28.10.1 Mode Register 0 (EMACx_MR0) states:
+@@ -368,10 +370,19 @@ static int emac_reset(struct emac_instan
+        * of the EMAC. If none is present, select the internal clock
+        * (SDR0_ETH_CFG[EMACx_PHY_CLK] = 1).
+        * After a soft reset, select the external clock.
++       *
++       * The AR8035-A PHY Meraki MR24 does not provide a TX Clk if the
++       * ethernet cable is not attached. This causes the reset to timeout
++       * and the PHY detection code in emac_init_phy() is unable to
++       * communicate and detect the AR8035-A PHY. As a result, the emac
++       * driver bails out early and the user has no ethernet.
++       * In order to stay compatible with existing configurations, the
++       * driver will temporarily switch to the internal clock, after
++       * the first reset fails.
+        */
+       if (emac_has_feature(dev, EMAC_FTR_460EX_PHY_CLK_FIX)) {
+-              if (dev->phy_address == 0xffffffff &&
+-                  dev->phy_map == 0xffffffff) {
++              if (try_internal_clock || (dev->phy_address == 0xffffffff &&
++                                         dev->phy_map == 0xffffffff)) {
+                       /* No PHY: select internal loop clock before reset */
+                       dcri_clrset(SDR0, SDR0_ETH_CFG,
+                                   0, SDR0_ETH_CFG_ECS << dev->cell_index);
+@@ -389,8 +400,15 @@ static int emac_reset(struct emac_instan
+ #ifdef CONFIG_PPC_DCR_NATIVE
+       if (emac_has_feature(dev, EMAC_FTR_460EX_PHY_CLK_FIX)) {
+-              if (dev->phy_address == 0xffffffff &&
+-                  dev->phy_map == 0xffffffff) {
++              if (!n && !try_internal_clock) {
++                      /* first attempt has timed out. */
++                      n = 20;
++                      try_internal_clock = true;
++                      goto do_retry;
++              }
++
++              if (try_internal_clock || (dev->phy_address == 0xffffffff &&
++                                         dev->phy_map == 0xffffffff)) {
+                       /* No PHY: restore external clock source after reset */
+                       dcri_clrset(SDR0, SDR0_ETH_CFG,
+                                   SDR0_ETH_CFG_ECS << dev->cell_index, 0);
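Review bot: The retry in `emac_reset` falls back to the internal clock silently, and it does so for any reset timeout on a device with `EMAC_FTR_460EX_PHY_CLK_FIX`, not only for the unplugged-cable AR8035 case the new comment describes. A debug line just before `goto do_retry`, for example `DBG(dev, "reset timeout, retrying with internal clock" NL);`, would make the fallback visible when a board's reset fails for some other reason. The literal `n = 20` repeats the value from the declaration, and a named constant would keep the two attempts in step. The body of `emac_reset` continues outside the hunks shown.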
diff --git a/queue-3.18/net-ethernet-ti-cpsw-adjust-cpsw-fifos-depth-for-fullduplex-flow-control.patch b/queue-3.18/net-ethernet-ti-cpsw-adjust-cpsw-fifos-depth-for-fullduplex-flow-control.patch
new file mode 100644 (file)
index 0000000..548d82a
--- /dev/null
@@ -0,0 +1,68 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Grygorii Strashko <grygorii.strashko@ti.com>
+Date: Mon, 8 May 2017 14:21:21 -0500
+Subject: net: ethernet: ti: cpsw: adjust cpsw fifos depth for fullduplex flow control
+
+From: Grygorii Strashko <grygorii.strashko@ti.com>
+
+
+[ Upstream commit 48f5bccc60675f8426a6159935e8636a1fd89f56 ]
+
+When users set flow control using ethtool the bits are set properly in the
+CPGMAC_SL MACCONTROL register, but the FIFO depth in the respective Port n
+Maximum FIFO Blocks (Pn_MAX_BLKS) registers remains set to the minimum size
+reset value. When receive flow control is enabled on a port, the port's
+associated FIFO block allocation must be adjusted. The port RX allocation
+must increase to accommodate the flow control runout. The TRM recommends
+numbers of 5 or 6.
+
+Hence, apply required Port FIFO configuration to
+Pn_MAX_BLKS.Pn_TX_MAX_BLKS=0xF and Pn_MAX_BLKS.Pn_RX_MAX_BLKS=0x5 during
+interface initialization.
+
+Cc: Schuyler Patton <spatton@ti.com>
+Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ti/cpsw.c |   16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/net/ethernet/ti/cpsw.c
++++ b/drivers/net/ethernet/ti/cpsw.c
+@@ -293,6 +293,10 @@ struct cpsw_ss_regs {
+ /* Bit definitions for the CPSW1_TS_SEQ_LTYPE register */
+ #define CPSW_V1_SEQ_ID_OFS_SHIFT      16
++#define CPSW_MAX_BLKS_TX              15
++#define CPSW_MAX_BLKS_TX_SHIFT                4
++#define CPSW_MAX_BLKS_RX              5
++
+ struct cpsw_host_regs {
+       u32     max_blks;
+       u32     blk_cnt;
+@@ -1120,11 +1124,23 @@ static void cpsw_slave_open(struct cpsw_
+       switch (priv->version) {
+       case CPSW_VERSION_1:
+               slave_write(slave, TX_PRIORITY_MAPPING, CPSW1_TX_PRI_MAP);
++              /* Increase RX FIFO size to 5 for supporting fullduplex
++               * flow control mode
++               */
++              slave_write(slave,
++                          (CPSW_MAX_BLKS_TX << CPSW_MAX_BLKS_TX_SHIFT) |
++                          CPSW_MAX_BLKS_RX, CPSW1_MAX_BLKS);
+               break;
+       case CPSW_VERSION_2:
+       case CPSW_VERSION_3:
+       case CPSW_VERSION_4:
+               slave_write(slave, TX_PRIORITY_MAPPING, CPSW2_TX_PRI_MAP);
++              /* Increase RX FIFO size to 5 for supporting fullduplex
++               * flow control mode
++               */
++              slave_write(slave,
++                          (CPSW_MAX_BLKS_TX << CPSW_MAX_BLKS_TX_SHIFT) |
++                          CPSW_MAX_BLKS_RX, CPSW2_MAX_BLKS);
+               break;
+       }
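Review bot: Both added comments in `cpsw_slave_open` say only `Increase RX FIFO size to 5`, but the value written also sets the TX field to `CPSW_MAX_BLKS_TX` (15), so the comment describes half of the register write. Something like `/* Pn_MAX_BLKS: TX = 15, RX = 5 blocks; the larger RX allocation covers flow-control runout */` would match what the code does. The three new defines also sit directly under `/* Bit definitions for the CPSW1_TS_SEQ_LTYPE register */`, which misattributes them, so they need their own heading comment naming the Pn_MAX_BLKS register. The identical expression in both switch arms could be folded into one macro so that the two versions cannot drift apart.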
diff --git a/queue-3.18/net-freescale-fix-potential-null-pointer-dereference.patch b/queue-3.18/net-freescale-fix-potential-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..90069cb
--- /dev/null
@@ -0,0 +1,47 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+Date: Tue, 30 May 2017 17:38:43 -0500
+Subject: net: freescale: fix potential null pointer dereference
+
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+
+
+[ Upstream commit 06d2d6431bc8d41ef5ffd8bd4b52cea9f72aed22 ]
+
+Add NULL check before dereferencing pointer _id_ in order to avoid
+a potential NULL pointer dereference.
+
+Addresses-Coverity-ID: 1397995
+Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/fsl_pq_mdio.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/fsl_pq_mdio.c
++++ b/drivers/net/ethernet/freescale/fsl_pq_mdio.c
+@@ -370,7 +370,7 @@ static int fsl_pq_mdio_probe(struct plat
+ {
+       const struct of_device_id *id =
+               of_match_device(fsl_pq_mdio_match, &pdev->dev);
+-      const struct fsl_pq_mdio_data *data = id->data;
++      const struct fsl_pq_mdio_data *data;
+       struct device_node *np = pdev->dev.of_node;
+       struct resource res;
+       struct device_node *tbi;
+@@ -378,6 +378,13 @@ static int fsl_pq_mdio_probe(struct plat
+       struct mii_bus *new_bus;
+       int err;
++      if (!id) {
++              dev_err(&pdev->dev, "Failed to match device\n");
++              return -ENODEV;
++      }
++
++      data = id->data;
++
+       dev_dbg(&pdev->dev, "found %s compatible node\n", id->compatible);
+       new_bus = mdiobus_alloc_size(sizeof(*priv));
diff --git a/queue-3.18/net-llc-add-lock_sock-in-llc_ui_bind-to-avoid-a-race-condition.patch b/queue-3.18/net-llc-add-lock_sock-in-llc_ui_bind-to-avoid-a-race-condition.patch
new file mode 100644 (file)
index 0000000..fe29cef
--- /dev/null
@@ -0,0 +1,51 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: linzhang <xiaolou4617@gmail.com>
+Date: Thu, 25 May 2017 14:07:18 +0800
+Subject: net: llc: add lock_sock in llc_ui_bind to avoid a race condition
+
+From: linzhang <xiaolou4617@gmail.com>
+
+
+[ Upstream commit 0908cf4dfef35fc6ac12329007052ebe93ff1081 ]
+
+There is a race condition in llc_ui_bind if two or more processes/threads
+try to bind a same socket.
+
+If more processes/threads bind a same socket success that will lead to
+two problems, one is this action is not what we expected, another is
+will lead to kernel in unstable status or oops(in my simple test case,
+cause llc2.ko can't unload).
+
+The current code is test SOCK_ZAPPED bit to avoid a process to
+bind a same socket twice but that is can't avoid more processes/threads
+try to bind a same socket at the same time.
+
+So, add lock_sock in llc_ui_bind like others, such as llc_ui_connect.
+
+Signed-off-by: Lin Zhang <xiaolou4617@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/llc/af_llc.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -309,6 +309,8 @@ static int llc_ui_bind(struct socket *so
+       int rc = -EINVAL;
+       dprintk("%s: binding %02X\n", __func__, addr->sllc_sap);
++
++      lock_sock(sk);
+       if (unlikely(!sock_flag(sk, SOCK_ZAPPED) || addrlen != sizeof(*addr)))
+               goto out;
+       rc = -EAFNOSUPPORT;
+@@ -380,6 +382,7 @@ static int llc_ui_bind(struct socket *so
+ out_put:
+       llc_sap_put(sap);
+ out:
++      release_sock(sk);
+       return rc;
+ }
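Review bot: The `dprintk` on the context line just above the new `lock_sock(sk)` reads `addr->sllc_sap` before the `addrlen != sizeof(*addr)` check that follows it, so where `dprintk` is enabled it may log a byte the caller never supplied. Moving the `dprintk` below the length check would tie the log line to validated input. Separately, the code between the two hunks is not visible here, so it should be confirmed that every exit from `llc_ui_bind` goes through the `out:` label. A direct `return` in that stretch would now leave the socket locked.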
diff --git a/queue-3.18/net-mlx4-fix-the-check-in-attaching-steering-rules.patch b/queue-3.18/net-mlx4-fix-the-check-in-attaching-steering-rules.patch
new file mode 100644 (file)
index 0000000..b39e498
--- /dev/null
@@ -0,0 +1,123 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Talat Batheesh <talatb@mellanox.com>
+Date: Sun, 4 Jun 2017 14:30:07 +0300
+Subject: net/mlx4: Fix the check in attaching steering rules
+
+From: Talat Batheesh <talatb@mellanox.com>
+
+
+[ Upstream commit 6dc06c08bef1c746ff8da33dab677cfbacdcad32 ]
+
+Our previous patch (cited below) introduced a regression
+for RAW Eth QPs.
+
+Fix it by checking if the QP number provided by user-space
+exists, hence allowing steering rules to be added for valid
+QPs only.
+
+Fixes: 89c557687a32 ("net/mlx4_en: Avoid adding steering rules with invalid ring")
+Reported-by: Or Gerlitz <gerlitz.or@gmail.com>
+Signed-off-by: Talat Batheesh <talatb@mellanox.com>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Acked-by: Or Gerlitz <ogerlitz@mellanox.com>
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_ethtool.c |    5 -----
+ drivers/net/ethernet/mellanox/mlx4/mcg.c        |   15 +++++++++++----
+ drivers/net/ethernet/mellanox/mlx4/qp.c         |   13 +++++++++++++
+ include/linux/mlx4/qp.h                         |    1 +
+ 4 files changed, 25 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+@@ -946,11 +946,6 @@ static int mlx4_en_flow_replace(struct n
+               qpn = priv->drop_qp.qpn;
+       else if (cmd->fs.ring_cookie & EN_ETHTOOL_QP_ATTACH) {
+               qpn = cmd->fs.ring_cookie & (EN_ETHTOOL_QP_ATTACH - 1);
+-              if (qpn < priv->rss_map.base_qpn ||
+-                  qpn >= priv->rss_map.base_qpn + priv->rx_ring_num) {
+-                      en_warn(priv, "rxnfc: QP (0x%x) doesn't exist\n", qpn);
+-                      return -EINVAL;
+-              }
+       } else {
+               if (cmd->fs.ring_cookie >= priv->rx_ring_num) {
+                       en_warn(priv, "rxnfc: RX ring (%llu) doesn't exist\n",
+--- a/drivers/net/ethernet/mellanox/mlx4/mcg.c
++++ b/drivers/net/ethernet/mellanox/mlx4/mcg.c
+@@ -35,6 +35,7 @@
+ #include <linux/etherdevice.h>
+ #include <linux/mlx4/cmd.h>
++#include <linux/mlx4/qp.h>
+ #include <linux/export.h>
+ #include "mlx4.h"
+@@ -985,16 +986,21 @@ int mlx4_flow_attach(struct mlx4_dev *de
+       if (IS_ERR(mailbox))
+               return PTR_ERR(mailbox);
++      if (!mlx4_qp_lookup(dev, rule->qpn)) {
++              mlx4_err_rule(dev, "QP doesn't exist\n", rule);
++              ret = -EINVAL;
++              goto out;
++      }
++
+       trans_rule_ctrl_to_hw(rule, mailbox->buf);
+       size += sizeof(struct mlx4_net_trans_rule_hw_ctrl);
+       list_for_each_entry(cur, &rule->list, list) {
+               ret = parse_trans_rule(dev, cur, mailbox->buf + size);
+-              if (ret < 0) {
+-                      mlx4_free_cmd_mailbox(dev, mailbox);
+-                      return ret;
+-              }
++              if (ret < 0)
++                      goto out;
++
+               size += ret;
+       }
+@@ -1006,6 +1012,7 @@ int mlx4_flow_attach(struct mlx4_dev *de
+       else if (ret)
+               mlx4_err_rule(dev, "Fail to register network rule\n", rule);
++out:
+       mlx4_free_cmd_mailbox(dev, mailbox);
+       return ret;
+--- a/drivers/net/ethernet/mellanox/mlx4/qp.c
++++ b/drivers/net/ethernet/mellanox/mlx4/qp.c
+@@ -358,6 +358,19 @@ static void mlx4_qp_free_icm(struct mlx4
+               __mlx4_qp_free_icm(dev, qpn);
+ }
++struct mlx4_qp *mlx4_qp_lookup(struct mlx4_dev *dev, u32 qpn)
++{
++      struct mlx4_qp_table *qp_table = &mlx4_priv(dev)->qp_table;
++      struct mlx4_qp *qp;
++
++      spin_lock(&qp_table->lock);
++
++      qp = __mlx4_qp_lookup(dev, qpn);
++
++      spin_unlock(&qp_table->lock);
++      return qp;
++}
++
+ int mlx4_qp_alloc(struct mlx4_dev *dev, int qpn, struct mlx4_qp *qp, gfp_t gfp)
+ {
+       struct mlx4_priv *priv = mlx4_priv(dev);
+--- a/include/linux/mlx4/qp.h
++++ b/include/linux/mlx4/qp.h
+@@ -437,6 +437,7 @@ struct mlx4_update_qp_params {
+       u32     flags;
+ };
++struct mlx4_qp *mlx4_qp_lookup(struct mlx4_dev *dev, u32 qpn);
+ int mlx4_update_qp(struct mlx4_dev *dev, u32 qpn,
+                  enum mlx4_update_qp_attr attr,
+                  struct mlx4_update_qp_params *params);
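Review bot: `mlx4_qp_lookup` drops `qp_table->lock` before returning the pointer, so the result is only a point-in-time existence test. Nothing in these hunks prevents the QP from being destroyed between the check in `mlx4_flow_attach` and the rule being registered, and no caller can safely dereference the returned pointer. The function is exported through `include/linux/mlx4/qp.h` without documentation, so the contract should be stated at the definition, e.g. `/* Returns non-NULL if qpn is currently allocated; the pointer is not reference-counted and must not be dereferenced. */`. It is also worth confirming that plain `spin_lock` is the right variant: if `qp_table->lock` is taken from interrupt context elsewhere in the driver (not visible here), this path would need the irq-disabling form. Since the description says the QP number comes from user space, these points bear directly on input validation.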
diff --git a/queue-3.18/net-mlx4_en-avoid-adding-steering-rules-with-invalid-ring.patch b/queue-3.18/net-mlx4_en-avoid-adding-steering-rules-with-invalid-ring.patch
new file mode 100644 (file)
index 0000000..cec6837
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Talat Batheesh <talatb@mellanox.com>
+Date: Tue, 9 May 2017 14:45:23 +0300
+Subject: net/mlx4_en: Avoid adding steering rules with invalid ring
+
+From: Talat Batheesh <talatb@mellanox.com>
+
+
+[ Upstream commit 89c557687a32c294e9d25670a96e9287c09f2d5f ]
+
+Inserting steering rules with illegal ring is an invalid operation,
+block it.
+
+Fixes: 820672812f82 ('net/mlx4_en: Manage flow steering rules with ethtool')
+Signed-off-by: Talat Batheesh <talatb@mellanox.com>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_ethtool.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+@@ -946,6 +946,11 @@ static int mlx4_en_flow_replace(struct n
+               qpn = priv->drop_qp.qpn;
+       else if (cmd->fs.ring_cookie & EN_ETHTOOL_QP_ATTACH) {
+               qpn = cmd->fs.ring_cookie & (EN_ETHTOOL_QP_ATTACH - 1);
++              if (qpn < priv->rss_map.base_qpn ||
++                  qpn >= priv->rss_map.base_qpn + priv->rx_ring_num) {
++                      en_warn(priv, "rxnfc: QP (0x%x) doesn't exist\n", qpn);
++                      return -EINVAL;
++              }
+       } else {
+               if (cmd->fs.ring_cookie >= priv->rx_ring_num) {
+                       en_warn(priv, "rxnfc: RX ring (%llu) doesn't exist\n",
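Review bot: The added range check in `mlx4_en_flow_replace` accepts only QP numbers in `[rss_map.base_qpn, rss_map.base_qpn + rx_ring_num)`. According to `net-mlx4-fix-the-check-in-attaching-steering-rules.patch` in this same queue, that rejects valid RAW Eth QPs. That follow-up removes exactly these five lines and validates through `mlx4_qp_lookup` instead, so the two patches need to be carried together and applied in upstream order. Taking this one alone would leave the regression in the tree. The body of `mlx4_en_flow_replace` starts and ends outside the hunk.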
diff --git a/queue-3.18/net-move-somaxconn-init-from-sysctl-code.patch b/queue-3.18/net-move-somaxconn-init-from-sysctl-code.patch
new file mode 100644 (file)
index 0000000..1605d74
--- /dev/null
@@ -0,0 +1,69 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Roman Kapl <roman.kapl@sysgo.com>
+Date: Wed, 24 May 2017 10:22:22 +0200
+Subject: net: move somaxconn init from sysctl code
+
+From: Roman Kapl <roman.kapl@sysgo.com>
+
+
+[ Upstream commit 7c3f1875c66fbc19762760097cabc91849ea0bbb ]
+
+The default value for somaxconn is set in sysctl_core_net_init(), but this
+function is not called when kernel is configured without CONFIG_SYSCTL.
+
+This results in the kernel not being able to accept TCP connections,
+because the backlog has zero size. Usually, the user ends up with:
+"TCP: request_sock_TCP: Possible SYN flooding on port 7. Dropping request.  Check SNMP counters."
+If SYN cookies are not enabled the connection is rejected.
+
+Before ef547f2ac16 (tcp: remove max_qlen_log), the effects were less
+severe, because the backlog was always at least eight slots long.
+
+Signed-off-by: Roman Kapl <roman.kapl@sysgo.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/net_namespace.c   |   19 +++++++++++++++++++
+ net/core/sysctl_net_core.c |    2 --
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+--- a/net/core/net_namespace.c
++++ b/net/core/net_namespace.c
+@@ -188,6 +188,25 @@ out_undo:
+       goto out;
+ }
++static int __net_init net_defaults_init_net(struct net *net)
++{
++      net->core.sysctl_somaxconn = SOMAXCONN;
++      return 0;
++}
++
++static struct pernet_operations net_defaults_ops = {
++      .init = net_defaults_init_net,
++};
++
++static __init int net_defaults_init(void)
++{
++      if (register_pernet_subsys(&net_defaults_ops))
++              panic("Cannot initialize net default settings");
++
++      return 0;
++}
++
++core_initcall(net_defaults_init);
+ #ifdef CONFIG_NET_NS
+ static struct kmem_cache *net_cachep;
+--- a/net/core/sysctl_net_core.c
++++ b/net/core/sysctl_net_core.c
+@@ -395,8 +395,6 @@ static __net_init int sysctl_core_net_in
+ {
+       struct ctl_table *tbl;
+-      net->core.sysctl_somaxconn = SOMAXCONN;
+-
+       tbl = netns_core_table;
+       if (!net_eq(net, &init_net)) {
+               tbl = kmemdup(tbl, sizeof(netns_core_table), GFP_KERNEL);
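Review bot: `net_defaults_init_net` carries no comment explaining why the default is set here rather than next to the sysctl table, and that reason is the whole point of the change. A comment such as `/* Set outside the sysctl code so the default also applies when CONFIG_SYSCTL is off; otherwise listeners get a zero-length backlog. */` would keep a later cleanup from moving the assignment back into `sysctl_core_net_init`. The `panic()` message could also name the failing call, e.g. `panic("net_defaults_init: register_pernet_subsys failed")`, so that a boot failure points at this initcall.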
diff --git a/queue-3.18/net-phy-avoid-genphy_aneg_done-for-phys-without-clause-22-support.patch b/queue-3.18/net-phy-avoid-genphy_aneg_done-for-phys-without-clause-22-support.patch
new file mode 100644 (file)
index 0000000..cacc8ae
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Mon, 5 Jun 2017 12:22:55 +0100
+Subject: net: phy: avoid genphy_aneg_done() for PHYs without clause 22 support
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+
+[ Upstream commit 41408ad519f7a2a1c5229e61f2a97f4df1b61adc ]
+
+Avoid calling genphy_aneg_done() for PHYs that do not implement the
+Clause 22 register set.
+
+Clause 45 PHYs may implement the Clause 22 register set along with the
+Clause 22 extension MMD.  Hence, we can't simply block access to the
+Clause 22 functions based on the PHY being a Clause 45 PHY.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/phy.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/phy/phy.c
++++ b/drivers/net/phy/phy.c
+@@ -123,6 +123,12 @@ static inline int phy_aneg_done(struct p
+       if (phydev->drv->aneg_done)
+               return phydev->drv->aneg_done(phydev);
++      /* Avoid genphy_aneg_done() if the Clause 45 PHY does not
++       * implement Clause 22 registers
++       */
++      if (phydev->is_c45 && !(phydev->c45_ids.devices_in_package & BIT(0)))
++              return -EINVAL;
++
+       return genphy_aneg_done(phydev);
+ }
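Review bot: The new guard in `phy_aneg_done()` tests `devices_in_package & BIT(0)` with a bare bit number, so a reader has to know the Clause 45 devices-in-package layout to see that bit 0 stands for the Clause 22 register set. A named constant would carry that meaning, for example `#define PHY_C45_HAS_C22_REGS BIT(0)` (name illustrative) used as `!(phydev->c45_ids.devices_in_package & PHY_C45_HAS_C22_REGS)`. Callers also now receive `-EINVAL` from a path that previously always reached `genphy_aneg_done()`. The callers are outside the hunk, so it is worth confirming that they treat a negative return as an error rather than as "done".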
diff --git a/queue-3.18/net-qca_spi-fix-alignment-issues-in-rx-path.patch b/queue-3.18/net-qca_spi-fix-alignment-issues-in-rx-path.patch
new file mode 100644 (file)
index 0000000..2e9e5a8
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Tue, 9 May 2017 15:40:38 +0200
+Subject: net: qca_spi: Fix alignment issues in rx path
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+
+[ Upstream commit 8d66c30b12ed3cb533696dea8b9a9eadd5da426a ]
+
+The qca_spi driver causes alignment issues on ARM devices.
+So fix this by using netdev_alloc_skb_ip_align().
+
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qualcomm/qca_spi.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/qualcomm/qca_spi.c
++++ b/drivers/net/ethernet/qualcomm/qca_spi.c
+@@ -297,8 +297,9 @@ qcaspi_receive(struct qcaspi *qca)
+       /* Allocate rx SKB if we don't have one available. */
+       if (!qca->rx_skb) {
+-              qca->rx_skb = netdev_alloc_skb(net_dev,
+-                                             net_dev->mtu + VLAN_ETH_HLEN);
++              qca->rx_skb = netdev_alloc_skb_ip_align(net_dev,
++                                                      net_dev->mtu +
++                                                      VLAN_ETH_HLEN);
+               if (!qca->rx_skb) {
+                       netdev_dbg(net_dev, "out of RX resources\n");
+                       qca->stats.out_of_mem++;
+@@ -378,7 +379,7 @@ qcaspi_receive(struct qcaspi *qca)
+                                       qca->rx_skb, qca->rx_skb->dev);
+                               qca->rx_skb->ip_summed = CHECKSUM_UNNECESSARY;
+                               netif_rx_ni(qca->rx_skb);
+-                              qca->rx_skb = netdev_alloc_skb(net_dev,
++                              qca->rx_skb = netdev_alloc_skb_ip_align(net_dev,
+                                       net_dev->mtu + VLAN_ETH_HLEN);
+                               if (!qca->rx_skb) {
+                                       netdev_dbg(net_dev, "out of RX resources\n");
+@@ -760,7 +761,8 @@ qcaspi_netdev_init(struct net_device *de
+       if (!qca->rx_buffer)
+               return -ENOBUFS;
+-      qca->rx_skb = netdev_alloc_skb(dev, qca->net_dev->mtu + VLAN_ETH_HLEN);
++      qca->rx_skb = netdev_alloc_skb_ip_align(dev, qca->net_dev->mtu +
++                                              VLAN_ETH_HLEN);
+       if (!qca->rx_skb) {
+               kfree(qca->rx_buffer);
+               netdev_info(qca->net_dev, "Failed to allocate RX sk_buff.\n");
diff --git a/queue-3.18/net-x25-fix-one-potential-use-after-free-issue.patch b/queue-3.18/net-x25-fix-one-potential-use-after-free-issue.patch
new file mode 100644 (file)
index 0000000..8dc67cb
--- /dev/null
@@ -0,0 +1,109 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: linzhang <xiaolou4617@gmail.com>
+Date: Wed, 17 May 2017 12:05:07 +0800
+Subject: net: x25: fix one potential use-after-free issue
+
+From: linzhang <xiaolou4617@gmail.com>
+
+
+[ Upstream commit 64df6d525fcff1630098db9238bfd2b3e092d5c1 ]
+
+The function x25_init is not properly unregister related resources
+on error handler.It is will result in kernel oops if x25_init init
+failed, so add properly unregister call on error handler.
+
+Also, i adjust the coding style and make x25_register_sysctl properly
+return failure.
+
+Signed-off-by: linzhang <xiaolou4617@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/x25.h        |    4 ++--
+ net/x25/af_x25.c         |   24 ++++++++++++++++--------
+ net/x25/sysctl_net_x25.c |    5 ++++-
+ 3 files changed, 22 insertions(+), 11 deletions(-)
+
+--- a/include/net/x25.h
++++ b/include/net/x25.h
+@@ -298,10 +298,10 @@ void x25_check_rbuf(struct sock *);
+ /* sysctl_net_x25.c */
+ #ifdef CONFIG_SYSCTL
+-void x25_register_sysctl(void);
++int x25_register_sysctl(void);
+ void x25_unregister_sysctl(void);
+ #else
+-static inline void x25_register_sysctl(void) {};
++static inline int x25_register_sysctl(void) { return 0; };
+ static inline void x25_unregister_sysctl(void) {};
+ #endif /* CONFIG_SYSCTL */
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -1796,32 +1796,40 @@ void x25_kill_by_neigh(struct x25_neigh
+ static int __init x25_init(void)
+ {
+-      int rc = proto_register(&x25_proto, 0);
++      int rc;
+-      if (rc != 0)
++      rc = proto_register(&x25_proto, 0);
++      if (rc)
+               goto out;
+       rc = sock_register(&x25_family_ops);
+-      if (rc != 0)
++      if (rc)
+               goto out_proto;
+       dev_add_pack(&x25_packet_type);
+       rc = register_netdevice_notifier(&x25_dev_notifier);
+-      if (rc != 0)
++      if (rc)
+               goto out_sock;
+-      pr_info("Linux Version 0.2\n");
++      rc = x25_register_sysctl();
++      if (rc)
++              goto out_dev;
+-      x25_register_sysctl();
+       rc = x25_proc_init();
+-      if (rc != 0)
+-              goto out_dev;
++      if (rc)
++              goto out_sysctl;
++
++      pr_info("Linux Version 0.2\n");
++
+ out:
+       return rc;
++out_sysctl:
++      x25_unregister_sysctl();
+ out_dev:
+       unregister_netdevice_notifier(&x25_dev_notifier);
+ out_sock:
++      dev_remove_pack(&x25_packet_type);
+       sock_unregister(AF_X25);
+ out_proto:
+       proto_unregister(&x25_proto);
+--- a/net/x25/sysctl_net_x25.c
++++ b/net/x25/sysctl_net_x25.c
+@@ -73,9 +73,12 @@ static struct ctl_table x25_table[] = {
+       { 0, },
+ };
+-void __init x25_register_sysctl(void)
++int __init x25_register_sysctl(void)
+ {
+       x25_table_header = register_net_sysctl(&init_net, "net/x25", x25_table);
++      if (!x25_table_header)
++              return -ENOMEM;
++      return 0;
+ }
+ void x25_unregister_sysctl(void)
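Review bot: In the `x25_init()` unwind path the `out_sock:` label now runs `dev_remove_pack()` before `sock_unregister()`, so it undoes two registrations while its name suggests one. A one-line comment keeps the unwind order checkable against the setup order, e.g. `/* undo dev_add_pack() and sock_register(), in reverse order */` directly under `out_sock:`. The `!CONFIG_SYSCTL` stub in `x25.h` also keeps a stray `;` after the function body (`{ return 0; };`), which is an empty file-scope declaration and can be dropped. The tail of `x25_init()` after `proto_unregister()` is outside the hunk.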
diff --git a/queue-3.18/netfilter-ctnetlink-fix-incorrect-nf_ct_put-during-hash-resize.patch b/queue-3.18/netfilter-ctnetlink-fix-incorrect-nf_ct_put-during-hash-resize.patch
new file mode 100644 (file)
index 0000000..dbc3401
--- /dev/null
@@ -0,0 +1,60 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Liping Zhang <zlpnobody@gmail.com>
+Date: Sun, 21 May 2017 07:22:49 +0800
+Subject: netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize
+
+From: Liping Zhang <zlpnobody@gmail.com>
+
+
+[ Upstream commit fefa92679dbe0c613e62b6c27235dcfbe9640ad1 ]
+
+If nf_conntrack_htable_size was adjusted by the user during the ct
+dump operation, we may invoke nf_ct_put twice for the same ct, i.e.
+the "last" ct. This will cause the ct will be freed but still linked
+in hash buckets.
+
+It's very easy to reproduce the problem by the following commands:
+  # while : ; do
+  echo $RANDOM > /proc/sys/net/netfilter/nf_conntrack_buckets
+  done
+  # while : ; do
+  conntrack -L
+  done
+  # iperf -s 127.0.0.1 &
+  # iperf -c 127.0.0.1 -P 60 -t 36000
+
+After a while, the system will hang like this:
+  NMI watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [bash:20184]
+  NMI watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [iperf:20382]
+  ...
+
+So at last if we find cb->args[1] is equal to "last", this means hash
+resize happened, then we can set cb->args[1] to 0 to fix the above
+issue.
+
+Fixes: d205dc40798d ("[NETFILTER]: ctnetlink: fix deadlock in table dumping")
+Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_conntrack_netlink.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -828,8 +828,13 @@ restart:
+       }
+ out:
+       local_bh_enable();
+-      if (last)
++      if (last) {
++              /* nf ct hash resize happened, now clear the leftover. */
++              if ((struct nf_conn *)cb->args[1] == last)
++                      cb->args[1] = 0;
++
+               nf_ct_put(last);
++      }
+       return skb->len;
+ }
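Review bot: The comment added in the `out:` path says only that a resize happened and does not say why clearing `cb->args[1]` matters, which is the substance of the fix. Going by the commit text, `cb->args[1]` still being equal to `last` means this pass saved no new resume entry, so leaving the pointer in place would let the reference dropped by `nf_ct_put(last)` be dropped a second time later. I would spell that out, e.g. `/* args[1] still points at last: nothing new was saved, so forget the pointer before the put to avoid a second nf_ct_put() on it */`. The dump function starts outside the hunk, so the place where `args[1]` is released again is not visible here and that reading should be confirmed there.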
diff --git a/queue-3.18/netxen_nic-set-rcode-to-the-return-status-from-the-call-to-netxen_issue_cmd.patch b/queue-3.18/netxen_nic-set-rcode-to-the-return-status-from-the-call-to-netxen_issue_cmd.patch
new file mode 100644 (file)
index 0000000..6c6764e
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Tue, 9 May 2017 17:19:42 +0100
+Subject: netxen_nic: set rcode to the return status from the call to netxen_issue_cmd
+
+From: Colin Ian King <colin.king@canonical.com>
+
+
+[ Upstream commit 0fe20fafd1791f993806d417048213ec57b81045 ]
+
+Currently rcode is being initialized to NX_RCODE_SUCCESS and later it
+is checked to see if it is not NX_RCODE_SUCCESS which is never true. It
+appears that there is an unintentional missing assignment of rcode from
+the return of the call to netxen_issue_cmd() that was dropped in
+an earlier fix, so add it in.
+
+Detected by CoverityScan, CID#401900 ("Logically dead code")
+
+Fixes: 2dcd5d95ad6b2 ("netxen_nic: fix cdrp race condition")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c
++++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c
+@@ -247,7 +247,7 @@ nx_fw_cmd_set_mtu(struct netxen_adapter
+       cmd.req.arg3 = 0;
+       if (recv_ctx->state == NX_HOST_CTX_STATE_ACTIVE)
+-              netxen_issue_cmd(adapter, &cmd);
++              rcode = netxen_issue_cmd(adapter, &cmd);
+       if (rcode != NX_RCODE_SUCCESS)
+               return -EIO;
diff --git a/queue-3.18/nfsv4.1-reclaim_complete-must-handle-nfs4err_conn_not_bound_to_session.patch b/queue-3.18/nfsv4.1-reclaim_complete-must-handle-nfs4err_conn_not_bound_to_session.patch
new file mode 100644 (file)
index 0000000..9183167
--- /dev/null
@@ -0,0 +1,84 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Thu, 4 May 2017 13:44:04 -0400
+Subject: NFSv4.1: RECLAIM_COMPLETE must handle NFS4ERR_CONN_NOT_BOUND_TO_SESSION
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+
+[ Upstream commit 0048fdd06614a4ea088f9fcad11511956b795698 ]
+
+If the server returns NFS4ERR_CONN_NOT_BOUND_TO_SESSION because we
+are trunking, then RECLAIM_COMPLETE must handle that by calling
+nfs4_schedule_session_recovery() and then retrying.
+
+Reported-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Tested-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c  |    7 ++++++-
+ fs/nfs/nfs4state.c |   10 +++++++---
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -7429,6 +7429,12 @@ static int nfs41_reclaim_complete_handle
+               /* fall through */
+       case -NFS4ERR_RETRY_UNCACHED_REP:
+               return -EAGAIN;
++      case -NFS4ERR_BADSESSION:
++      case -NFS4ERR_DEADSESSION:
++      case -NFS4ERR_CONN_NOT_BOUND_TO_SESSION:
++              nfs4_schedule_session_recovery(clp->cl_session,
++                              task->tk_status);
++              break;
+       default:
+               nfs4_schedule_lease_recovery(clp);
+       }
+@@ -7507,7 +7513,6 @@ static int nfs41_proc_reclaim_complete(s
+       if (status == 0)
+               status = task->tk_status;
+       rpc_put_task(task);
+-      return 0;
+ out:
+       dprintk("<-- %s status=%d\n", __func__, status);
+       return status;
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -1563,13 +1563,14 @@ static void nfs4_state_start_reclaim_reb
+       nfs4_state_mark_reclaim_helper(clp, nfs4_state_mark_reclaim_reboot);
+ }
+-static void nfs4_reclaim_complete(struct nfs_client *clp,
++static int nfs4_reclaim_complete(struct nfs_client *clp,
+                                const struct nfs4_state_recovery_ops *ops,
+                                struct rpc_cred *cred)
+ {
+       /* Notify the server we're done reclaiming our state */
+       if (ops->reclaim_complete)
+-              (void)ops->reclaim_complete(clp, cred);
++              return ops->reclaim_complete(clp, cred);
++      return 0;
+ }
+ static void nfs4_clear_reclaim_server(struct nfs_server *server)
+@@ -1616,13 +1617,16 @@ static void nfs4_state_end_reclaim_reboo
+ {
+       const struct nfs4_state_recovery_ops *ops;
+       struct rpc_cred *cred;
++      int err;
+       if (!nfs4_state_clear_reclaim_reboot(clp))
+               return;
+       ops = clp->cl_mvops->reboot_recovery_ops;
+       cred = nfs4_get_clid_cred(clp);
+-      nfs4_reclaim_complete(clp, ops, cred);
++      err = nfs4_reclaim_complete(clp, ops, cred);
+       put_rpccred(cred);
++      if (err == -NFS4ERR_CONN_NOT_BOUND_TO_SESSION)
++              set_bit(NFS4CLNT_RECLAIM_REBOOT, &clp->cl_state);
+ }
+ static void nfs_delegation_clear_all(struct nfs_client *clp)
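Review bot: In `nfs4_state_end_reclaim_reboot()` only `-NFS4ERR_CONN_NOT_BOUND_TO_SESSION` re-arms `NFS4CLNT_RECLAIM_REBOOT`, while the error handler in `nfs4proc.c` now schedules session recovery for `-NFS4ERR_BADSESSION` and `-NFS4ERR_DEADSESSION` as well. Every other value that `nfs4_reclaim_complete()` returns after the change from `void` to `int` is still dropped silently. If the two session errors are retried through another path, a comment at the check would say so, e.g. `/* BADSESSION/DEADSESSION are retried after session reset; only an unbound connection needs the reclaim flag set again */`. That reading is inferred and should be confirmed against the state manager, which is outside the hunks.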
diff --git a/queue-3.18/ovl-filter-trusted-xattr-for-non-admin.patch b/queue-3.18/ovl-filter-trusted-xattr-for-non-admin.patch
new file mode 100644 (file)
index 0000000..e12cfb5
--- /dev/null
@@ -0,0 +1,51 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Mon, 29 May 2017 15:15:27 +0200
+Subject: ovl: filter trusted xattr for non-admin
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+
+[ Upstream commit a082c6f680da298cf075886ff032f32ccb7c5e1a ]
+
+Filesystems filter out extended attributes in the "trusted." domain for
+unprivlieged callers.
+
+Overlay calls underlying filesystem's method with elevated privs, so need
+to do the filtering in overlayfs too.
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/overlayfs/inode.c |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -258,6 +258,16 @@ ssize_t ovl_getxattr(struct dentry *dent
+       return vfs_getxattr(realpath.dentry, name, value, size);
+ }
++static bool ovl_can_list(const char *s)
++{
++      /* List all non-trusted xatts */
++      if (strncmp(s, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) != 0)
++              return true;
++
++      /* Never list trusted.overlay, list other trusted for superuser only */
++      return !ovl_is_private_xattr(s) && capable(CAP_SYS_ADMIN);
++}
++
+ ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size)
+ {
+       struct path realpath;
+@@ -282,7 +292,7 @@ ssize_t ovl_listxattr(struct dentry *den
+                       return -EIO;
+               len -= slen;
+-              if (ovl_is_private_xattr(s)) {
++              if (!ovl_can_list(s)) {
+                       res -= slen;
+                       memmove(s, s + slen, len);
+               } else {
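Review bot: `ovl_can_list()` runs `capable(CAP_SYS_ADMIN)` once for every `trusted.*` name in the list. As far as I know `capable()` is the audited form of the check, so an unprivileged `listxattr` on a file with several trusted attributes may leave one denial record per name. The answer cannot change during one call, so `ovl_listxattr()` could cache it the first time it is needed and pass it down, or use a non-auditing capability check if this tree offers a suitable one. The helper's comment should also say that the underlying filesystem is called with elevated privileges, which is why the filtering cannot be left to it, and `xatts` there is a typo for `xattrs`. The loop in `ovl_listxattr()` starts and ends outside the hunk.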
diff --git a/queue-3.18/perf-core-correct-event-creation-with-perf_format_group.patch b/queue-3.18/perf-core-correct-event-creation-with-perf_format_group.patch
new file mode 100644 (file)
index 0000000..54bb68d
--- /dev/null
@@ -0,0 +1,85 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Tue, 30 May 2017 11:45:12 +0200
+Subject: perf/core: Correct event creation with PERF_FORMAT_GROUP
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+
+[ Upstream commit ba5213ae6b88fb170c4771fef6553f759c7d8cdd ]
+
+Andi was asking about PERF_FORMAT_GROUP vs inherited events, which led
+to the discovery of a bug from commit:
+
+  3dab77fb1bf8 ("perf: Rework/fix the whole read vs group stuff")
+
+ -       PERF_SAMPLE_GROUP                       = 1U << 4,
+ +       PERF_SAMPLE_READ                        = 1U << 4,
+
+ -       if (attr->inherit && (attr->sample_type & PERF_SAMPLE_GROUP))
+ +       if (attr->inherit && (attr->read_format & PERF_FORMAT_GROUP))
+
+is a clear fail :/
+
+While this changes user visible behaviour; it was previously possible
+to create an inherited event with PERF_SAMPLE_READ; this is deemed
+acceptible because its results were always incorrect.
+
+Reported-by: Andi Kleen <ak@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vince@deater.net>
+Fixes:  3dab77fb1bf8 ("perf: Rework/fix the whole read vs group stuff")
+Link: http://lkml.kernel.org/r/20170530094512.dy2nljns2uq7qa3j@hirez.programming.kicks-ass.net
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/events/core.c |   15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -4861,9 +4861,6 @@ static void perf_output_read_one(struct
+       __output_copy(handle, values, n * sizeof(u64));
+ }
+-/*
+- * XXX PERF_FORMAT_GROUP vs inherited events seems difficult.
+- */
+ static void perf_output_read_group(struct perf_output_handle *handle,
+                           struct perf_event *event,
+                           u64 enabled, u64 running)
+@@ -4908,6 +4905,13 @@ static void perf_output_read_group(struc
+ #define PERF_FORMAT_TOTAL_TIMES (PERF_FORMAT_TOTAL_TIME_ENABLED|\
+                                PERF_FORMAT_TOTAL_TIME_RUNNING)
++/*
++ * XXX PERF_SAMPLE_READ vs inherited events seems difficult.
++ *
++ * The problem is that its both hard and excessively expensive to iterate the
++ * child list, not to mention that its impossible to IPI the children running
++ * on another CPU, from interrupt/NMI context.
++ */
+ static void perf_output_read(struct perf_output_handle *handle,
+                            struct perf_event *event)
+ {
+@@ -7194,9 +7198,10 @@ perf_event_alloc(struct perf_event_attr
+       local64_set(&hwc->period_left, hwc->sample_period);
+       /*
+-       * we currently do not support PERF_FORMAT_GROUP on inherited events
++       * We currently do not support PERF_SAMPLE_READ on inherited events.
++       * See perf_output_read().
+        */
+-      if (attr->inherit && (attr->read_format & PERF_FORMAT_GROUP))
++      if (attr->inherit && (attr->sample_type & PERF_SAMPLE_READ))
+               goto err_ns;
+       pmu = perf_init_event(event);
diff --git a/queue-3.18/perf-report-ensure-the-perf-dso-mapping-matches-what-libdw-sees.patch b/queue-3.18/perf-report-ensure-the-perf-dso-mapping-matches-what-libdw-sees.patch
new file mode 100644 (file)
index 0000000..95dac70
--- /dev/null
@@ -0,0 +1,68 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Milian Wolff <milian.wolff@kdab.com>
+Date: Fri, 2 Jun 2017 16:37:52 +0200
+Subject: perf report: Ensure the perf DSO mapping matches what libdw sees
+
+From: Milian Wolff <milian.wolff@kdab.com>
+
+
+[ Upstream commit 2538b9e2450ae255337c04356e9e0f8cb9ec48d9 ]
+
+In some situations the libdw unwinder stopped working properly.  I.e.
+with libunwind we see:
+
+~~~~~
+heaptrack_gui  2228 135073.400112:     641314 cycles:
+                   e8ed _dl_fixup (/usr/lib/ld-2.25.so)
+                  15f06 _dl_runtime_resolve_sse_vex (/usr/lib/ld-2.25.so)
+                  ed94c KDynamicJobTracker::KDynamicJobTracker (/home/milian/projects/compiled/kf5/lib64/libKF5KIOWidgets.so.5.35.0)
+                  608f3 _GLOBAL__sub_I_kdynamicjobtracker.cpp (/home/milian/projects/compiled/kf5/lib64/libKF5KIOWidgets.so.5.35.0)
+                   f199 call_init.part.0 (/usr/lib/ld-2.25.so)
+                   f2a5 _dl_init (/usr/lib/ld-2.25.so)
+                    db9 _dl_start_user (/usr/lib/ld-2.25.so)
+~~~~~
+
+But with libdw and without this patch this sample is not properly
+unwound:
+
+~~~~~
+heaptrack_gui  2228 135073.400112:     641314 cycles:
+                   e8ed _dl_fixup (/usr/lib/ld-2.25.so)
+                  15f06 _dl_runtime_resolve_sse_vex (/usr/lib/ld-2.25.so)
+                  ed94c KDynamicJobTracker::KDynamicJobTracker (/home/milian/projects/compiled/kf5/lib64/libKF5KIOWidgets.so.5.35.0)
+~~~~~
+
+Debug output showed me that libdw found a module for the last frame
+address, but it thinks it belongs to /usr/lib/ld-2.25.so. This patch
+double-checks what libdw sees and what perf knows. If the mappings
+mismatch, we now report the elf known to perf. This fixes the situation
+above, and the libdw unwinder produces the same stack as libunwind.
+
+Signed-off-by: Milian Wolff <milian.wolff@kdab.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lkml.kernel.org/r/20170602143753.16907-1-milian.wolff@kdab.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/unwind-libdw.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/tools/perf/util/unwind-libdw.c
++++ b/tools/perf/util/unwind-libdw.c
+@@ -37,6 +37,14 @@ static int __report_module(struct addr_l
+               return 0;
+       mod = dwfl_addrmodule(ui->dwfl, ip);
++      if (mod) {
++              Dwarf_Addr s;
++
++              dwfl_module_info(mod, NULL, &s, NULL, NULL, NULL, NULL, NULL);
++              if (s != al->map->start)
++                      mod = 0;
++      }
++
+       if (!mod)
+               mod = dwfl_report_elf(ui->dwfl, dso->short_name,
+                                     dso->long_name, -1, al->map->start,
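Review bot: The added block in `__report_module()` resets the module handle with `mod = 0;`, although `mod` is a pointer and the next statement tests it with `if (!mod)`; `mod = NULL;` reads better. The local `s` would be clearer as `start`, since it is only compared with `al->map->start`. A short comment such as `/* libdw's module does not match perf's map: report perf's ELF instead */` would record why a module that was found is discarded. The function starts and ends outside the hunk.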
diff --git a/queue-3.18/perf-tests-decompress-kernel-module-before-objdump.patch b/queue-3.18/perf-tests-decompress-kernel-module-before-objdump.patch
new file mode 100644 (file)
index 0000000..1a5c16e
--- /dev/null
@@ -0,0 +1,67 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Namhyung Kim <namhyung@kernel.org>
+Date: Thu, 8 Jun 2017 16:31:07 +0900
+Subject: perf tests: Decompress kernel module before objdump
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+
+[ Upstream commit 94df1040b1e6aacd8dec0ba3c61d7e77cd695f26 ]
+
+If a kernel modules is compressed, it should be decompressed before
+running objdump to parse binary data correctly.  This fixes a failure of
+object code reading test for me.
+
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Wang Nan <wangnan0@huawei.com>
+Cc: kernel-team@lge.com
+Link: http://lkml.kernel.org/r/20170608073109.30699-8-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/tests/code-reading.c |   20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/tests/code-reading.c
++++ b/tools/perf/tests/code-reading.c
+@@ -141,6 +141,8 @@ static int read_object_code(u64 addr, si
+       unsigned char buf2[BUFSZ];
+       size_t ret_len;
+       u64 objdump_addr;
++      const char *objdump_name;
++      char decomp_name[KMOD_DECOMP_LEN];
+       int ret;
+       pr_debug("Reading object code for memory address: %#"PRIx64"\n", addr);
+@@ -202,9 +204,25 @@ static int read_object_code(u64 addr, si
+               state->done[state->done_cnt++] = al.map->start;
+       }
++      objdump_name = al.map->dso->long_name;
++      if (dso__needs_decompress(al.map->dso)) {
++              if (dso__decompress_kmodule_path(al.map->dso, objdump_name,
++                                               decomp_name,
++                                               sizeof(decomp_name)) < 0) {
++                      pr_debug("decompression failed\n");
++                      return -1;
++              }
++
++              objdump_name = decomp_name;
++      }
++
+       /* Read the object code using objdump */
+       objdump_addr = map__rip_2objdump(al.map, al.addr);
+-      ret = read_via_objdump(al.map->dso->long_name, objdump_addr, buf2, len);
++      ret = read_via_objdump(objdump_name, objdump_addr, buf2, len);
++
++      if (dso__needs_decompress(al.map->dso))
++              unlink(objdump_name);
++
+       if (ret > 0) {
+               /*
+                * The kernel maps are inaccurate - assume objdump is right in
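Review bot: In `read_object_code()` the cleanup `unlink(objdump_name)` is guarded by a second call to `dso__needs_decompress(al.map->dso)` rather than by the fact that a temporary file was actually created. If the two calls ever disagreed, `objdump_name` would still be `al.map->dso->long_name` and the original module file would be the one removed. Keying the cleanup on the pointer rules that out: `if (objdump_name == decomp_name)` followed by `unlink(decomp_name);`. The function body continues outside the hunk.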
diff --git a/queue-3.18/perf-trace-add-mmap-alias-for-s390.patch b/queue-3.18/perf-trace-add-mmap-alias-for-s390.patch
new file mode 100644 (file)
index 0000000..d7ffa6e
--- /dev/null
@@ -0,0 +1,52 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Wed, 31 May 2017 13:35:57 +0200
+Subject: perf trace: Add mmap alias for s390
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+
+[ Upstream commit 54265664c15a68905d8d67d19205e9a767636434 ]
+
+The s390 architecture maps sys_mmap (nr 90) into sys_old_mmap.  For this
+reason perf trace can't find the proper syscall event to get args format
+from and displays it wrongly as 'continued'.
+
+To fix that fill the "alias" field with "old_mmap" for trace's mmap record
+to get the correct translation.
+
+Before:
+     0.042 ( 0.011 ms): vest/43052 fstat(statbuf: 0x3ffff89fd90                ) = 0
+     0.042 ( 0.028 ms): vest/43052  ... [continued]: mmap()) = 0x3fffd6e2000
+     0.072 ( 0.025 ms): vest/43052 read(buf: 0x3fffd6e2000, count: 4096        ) = 6
+
+After:
+     0.045 ( 0.011 ms): fstat(statbuf: 0x3ffff8a0930                           ) = 0
+     0.057 ( 0.018 ms): mmap(arg: 0x3ffff8a0858                                ) = 0x3fffd14a000
+     0.076 ( 0.025 ms): read(buf: 0x3fffd14a000, count: 4096                   ) = 6
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Link: http://lkml.kernel.org/r/20170531113557.19175-1-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/builtin-trace.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/tools/perf/builtin-trace.c
++++ b/tools/perf/builtin-trace.c
+@@ -1020,6 +1020,10 @@ static struct syscall_fmt {
+       { .name     = "mlockall",   .errmsg = true,
+         .arg_scnprintf = { [0] = SCA_HEX, /* addr */ }, },
+       { .name     = "mmap",       .hexret = true,
++/* The standard mmap maps to old_mmap on s390x */
++#if defined(__s390x__)
++      .alias = "old_mmap",
++#endif
+         .arg_scnprintf = { [0] = SCA_HEX,       /* addr */
+                            [2] = SCA_MMAP_PROT, /* prot */
+                            [3] = SCA_MMAP_FLAGS, /* flags */
diff --git a/queue-3.18/pidns-disable-pid-allocation-if-pid_ns_prepare_proc-is-failed-in-alloc_pid.patch b/queue-3.18/pidns-disable-pid-allocation-if-pid_ns_prepare_proc-is-failed-in-alloc_pid.patch
new file mode 100644 (file)
index 0000000..2f02d86
--- /dev/null
@@ -0,0 +1,68 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+Date: Mon, 8 May 2017 15:56:34 -0700
+Subject: pidns: disable pid allocation if pid_ns_prepare_proc() is failed in alloc_pid()
+
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+
+
+[ Upstream commit 8896c23d2ef803f1883fea73117a435925c2b4c4 ]
+
+alloc_pidmap() advances pid_namespace::last_pid.  When first pid
+allocation fails, then next created process will have pid 2 and
+pid_ns_prepare_proc() won't be called.  So, pid_namespace::proc_mnt will
+never be initialized (not to mention that there won't be a child
+reaper).
+
+I saw crash stack of such case on kernel 3.10:
+
+    BUG: unable to handle kernel NULL pointer dereference at (null)
+    IP: proc_flush_task+0x8f/0x1b0
+    Call Trace:
+        release_task+0x3f/0x490
+        wait_consider_task.part.10+0x7ff/0xb00
+        do_wait+0x11f/0x280
+        SyS_wait4+0x7d/0x110
+
+We may fix this by restore of last_pid in 0 or by prohibiting of futher
+allocations.  Since there was a similar issue in Oleg Nesterov's commit
+314a8ad0f18a ("pidns: fix free_pid() to handle the first fork failure").
+and it was fixed via prohibiting allocation, let's follow this way, and
+do the same.
+
+Link: http://lkml.kernel.org/r/149201021004.4863.6762095011554287922.stgit@localhost.localdomain
+Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
+Cc: Andrei Vagin <avagin@virtuozzo.com>
+Cc: Andreas Gruenbacher <agruenba@redhat.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Paul Moore <paul@paul-moore.com>
+Cc: Eric Biederman <ebiederm@xmission.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Serge Hallyn <serge@hallyn.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/pid.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/pid.c
++++ b/kernel/pid.c
+@@ -316,8 +316,10 @@ struct pid *alloc_pid(struct pid_namespa
+       }
+       if (unlikely(is_child_reaper(pid))) {
+-              if (pid_ns_prepare_proc(ns))
++              if (pid_ns_prepare_proc(ns)) {
++                      disable_pid_allocation(ns);
+                       goto out_free;
++              }
+       }
+       get_pid_ns(ns);
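Review bot: The new `disable_pid_allocation(ns)` call in `alloc_pid()` carries no comment, and without the commit message it is not obvious why a failed `pid_ns_prepare_proc()` has to shut the namespace down. A short comment keeps the reasoning next to the code, e.g. `/* the first pid is already consumed: a later fork would get pid 2 with no reaper and no proc_mnt, so forbid further allocations */`. The error value of `pid_ns_prepare_proc()` is also discarded here; whether the caller could report it depends on code outside the hunk.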
diff --git a/queue-3.18/powercap-fix-an-error-code-in-powercap_register_zone.patch b/queue-3.18/powercap-fix-an-error-code-in-powercap_register_zone.patch
new file mode 100644 (file)
index 0000000..201205d
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 10 May 2017 22:40:06 +0300
+Subject: PowerCap: Fix an error code in powercap_register_zone()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit 216c4e9db4c9d1d2a382b42880442dc632cd47d9 ]
+
+In the current code we accidentally return the successful result from
+idr_alloc() instead of a negative error pointer.  The caller is looking
+for an error pointer and so it treats the returned value as a valid
+pointer.
+
+This one might be a bit serious because if it lets people get around the
+kernel's protection for remapping NULL.  I'm not sure.
+
+Fixes: 75d2364ea0ca (PowerCap: Add class driver)
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/powercap/powercap_sys.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/powercap/powercap_sys.c
++++ b/drivers/powercap/powercap_sys.c
+@@ -538,6 +538,7 @@ struct powercap_zone *powercap_register_
+       power_zone->id = result;
+       idr_init(&power_zone->idr);
++      result = -ENOMEM;
+       power_zone->name = kstrdup(name, GFP_KERNEL);
+       if (!power_zone->name)
+               goto err_name_alloc;
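Review bot: The added `result = -ENOMEM;` in powercap_register_zone() has no comment saying which failure paths rely on it, and it sits above the kstrdup() call rather than in the branch that tests it. Up to this line `result` holds the id returned by idr_alloc() (it was just stored in `power_zone->id`), so the assignment changes the variable's meaning for everything that follows. A comment would record that: `/* result held the idr id until here; default to -ENOMEM for the allocation failures below */`. The function continues past the hunk, so any later `goto err_*` that does not set `result` itself presumably depends on this default and should be checked against the full function.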
diff --git a/queue-3.18/powerpc-don-t-clobber-tcr-when-setting-tcr.patch b/queue-3.18/powerpc-don-t-clobber-tcr-when-setting-tcr.patch
new file mode 100644 (file)
index 0000000..6222849
--- /dev/null
@@ -0,0 +1,50 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Ivan Mikhaylov <ivan@de.ibm.com>
+Date: Fri, 19 May 2017 18:47:05 +0300
+Subject: powerpc/[booke|4xx]: Don't clobber TCR[WP] when setting TCR[DIE]
+
+From: Ivan Mikhaylov <ivan@de.ibm.com>
+
+
+[ Upstream commit 6e2f03e292ef46eed2b31b0a344a91d514f9cd81 ]
+
+Prevent a kernel panic caused by unintentionally clearing TCR watchdog
+bits. At this point in the kernel boot, the watchdog may have already
+been enabled by u-boot. The original code's attempt to write to the TCR
+register results in an inadvertent clearing of the watchdog
+configuration bits, causing the 476 to reset.
+
+Signed-off-by: Ivan Mikhaylov <ivan@de.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/time.c |   14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/kernel/time.c
++++ b/arch/powerpc/kernel/time.c
+@@ -646,12 +646,20 @@ static int __init get_freq(char *name, i
+ static void start_cpu_decrementer(void)
+ {
+ #if defined(CONFIG_BOOKE) || defined(CONFIG_40x)
++      unsigned int tcr;
++
+       /* Clear any pending timer interrupts */
+       mtspr(SPRN_TSR, TSR_ENW | TSR_WIS | TSR_DIS | TSR_FIS);
+-      /* Enable decrementer interrupt */
+-      mtspr(SPRN_TCR, TCR_DIE);
+-#endif /* defined(CONFIG_BOOKE) || defined(CONFIG_40x) */
++      tcr = mfspr(SPRN_TCR);
++      /*
++       * The watchdog may have already been enabled by u-boot. So leave
++       * TRC[WP] (Watchdog Period) alone.
++       */
++      tcr &= TCR_WP_MASK;     /* Clear all bits except for TCR[WP] */
++      tcr |= TCR_DIE;         /* Enable decrementer */
++      mtspr(SPRN_TCR, tcr);
++#endif
+ }
+ void __init generic_calibrate_decr(void)
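Review bot: The new block comment in start_cpu_decrementer() names the field `TRC[WP]`, while the code and the subject line use TCR[WP]; the line should read `* TCR[WP] (Watchdog Period) alone.`. The mask `tcr &= TCR_WP_MASK;` keeps only the period field, so every other TCR bit the boot loader may have set is still cleared by the final `mtspr(SPRN_TCR, tcr)`. If that is the intent, the comment should say so explicitly, because the description speaks of preserving the watchdog configuration bits in general.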
diff --git a/queue-3.18/powerpc-spufs-fix-coredump-of-spu-contexts.patch b/queue-3.18/powerpc-spufs-fix-coredump-of-spu-contexts.patch
new file mode 100644 (file)
index 0000000..9a22496
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Mon, 29 May 2017 20:26:07 +1000
+Subject: powerpc/spufs: Fix coredump of SPU contexts
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+
+[ Upstream commit 99acc9bede06bbb2662aafff51f5b9e529fa845e ]
+
+If a process dumps core while it has SPU contexts active then we have
+code to also dump information about the SPU contexts.
+
+Unfortunately it's been broken for 3 1/2 years, and we didn't notice. In
+commit 7b1f4020d0d1 ("spufs: get rid of dump_emit() wrappers") the nread
+variable was removed and rc used instead. That means when the loop exits
+successfully, rc has the number of bytes read, but it's then used as the
+return value for the function, which should return 0 on success.
+
+So fix it by setting rc = 0 before returning in the success case.
+
+Fixes: 7b1f4020d0d1 ("spufs: get rid of dump_emit() wrappers")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Acked-by: Jeremy Kerr <jk@ozlabs.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/cell/spufs/coredump.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/powerpc/platforms/cell/spufs/coredump.c
++++ b/arch/powerpc/platforms/cell/spufs/coredump.c
+@@ -174,6 +174,8 @@ static int spufs_arch_write_note(struct
+       if (!dump_skip(cprm,
+                      roundup(cprm->written - total + sz, 4) - cprm->written))
+               goto Eio;
++
++      rc = 0;
+ out:
+       free_page((unsigned long)buf);
+       return rc;
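Review bot: The added `rc = 0;` before `out:` in spufs_arch_write_note() corrects the return value but leaves `rc` serving as both a byte count and a status, which per the description is how the regression went unnoticed. A short comment at the assignment would record the contract: `/* rc still holds the last read length; callers expect 0 on success */`. The loop that assigns `rc` and the `Eio` label are outside the hunk, so whether a separate length variable would be cleaner cannot be judged from here.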
diff --git a/queue-3.18/qlcnic-fix-a-sleep-in-atomic-bug-in-qlcnic_82xx_hw_write_wx_2m-and-qlcnic_82xx_hw_read_wx_2m.patch b/queue-3.18/qlcnic-fix-a-sleep-in-atomic-bug-in-qlcnic_82xx_hw_write_wx_2m-and-qlcnic_82xx_hw_read_wx_2m.patch
new file mode 100644 (file)
index 0000000..c63080b
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Jia-Ju Bai <baijiaju1990@163.com>
+Date: Thu, 1 Jun 2017 16:18:10 +0800
+Subject: qlcnic: Fix a sleep-in-atomic bug in qlcnic_82xx_hw_write_wx_2M and qlcnic_82xx_hw_read_wx_2M
+
+From: Jia-Ju Bai <baijiaju1990@163.com>
+
+
+[ Upstream commit 5ea6d691aac6c93b790f0905e3460d44cc4c449b ]
+
+The driver may sleep under a write spin lock, and the function
+call path is:
+qlcnic_82xx_hw_write_wx_2M (acquire the lock by write_lock_irqsave)
+  crb_win_lock
+    qlcnic_pcie_sem_lock
+      usleep_range
+qlcnic_82xx_hw_read_wx_2M (acquire the lock by write_lock_irqsave)
+  crb_win_lock
+    qlcnic_pcie_sem_lock
+      usleep_range
+
+To fix it, the usleep_range is replaced with udelay.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c
+@@ -341,7 +341,7 @@ qlcnic_pcie_sem_lock(struct qlcnic_adapt
+                       }
+                       return -EIO;
+               }
+-              usleep_range(1000, 1500);
++              udelay(1200);
+       }
+       if (id_reg)
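Review bot: `udelay(1200)` in qlcnic_pcie_sem_lock() busy-waits 1.2 ms on every retry while, per the description, the callers hold `write_lock_irqsave`, so interrupts on that CPU stay disabled for the whole retry loop. The loop bound is outside the hunk and should be checked for the worst-case stall. Nothing at the call site explains why a sleeping delay is not allowed, so a later cleanup could reintroduce `usleep_range`. Add `/* callers hold a write spinlock with IRQs off: must not sleep */` above the delay.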
diff --git a/queue-3.18/qlge-avoid-reading-past-end-of-buffer.patch b/queue-3.18/qlge-avoid-reading-past-end-of-buffer.patch
new file mode 100644 (file)
index 0000000..295bed0
--- /dev/null
@@ -0,0 +1,46 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 5 May 2017 15:34:34 -0700
+Subject: qlge: Avoid reading past end of buffer
+
+From: Kees Cook <keescook@chromium.org>
+
+
+[ Upstream commit df5303a8aa9a0a6934f4cea7427f1edf771f21c2 ]
+
+Using memcpy() from a string that is shorter than the length copied means
+the destination buffer is being filled with arbitrary data from the kernel
+rodata segment. Instead, use strncpy() which will fill the trailing bytes
+with zeros.
+
+This was found with the future CONFIG_FORTIFY_SOURCE feature.
+
+Cc: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qlge/qlge_dbg.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c
++++ b/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c
+@@ -765,7 +765,7 @@ int ql_core_dump(struct ql_adapter *qdev
+               sizeof(struct mpi_coredump_global_header);
+       mpi_coredump->mpi_global_header.imageSize =
+               sizeof(struct ql_mpi_coredump);
+-      memcpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump",
++      strncpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump",
+               sizeof(mpi_coredump->mpi_global_header.idString));
+       /* Get generic NIC reg dump */
+@@ -1255,7 +1255,7 @@ static void ql_gen_reg_dump(struct ql_ad
+               sizeof(struct mpi_coredump_global_header);
+       mpi_coredump->mpi_global_header.imageSize =
+               sizeof(struct ql_reg_dump);
+-      memcpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump",
++      strncpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump",
+               sizeof(mpi_coredump->mpi_global_header.idString));
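Review bot: `strncpy()` bounded by `sizeof(...idString)`, in ql_core_dump() and again in ql_gen_reg_dump(), leaves idString without a terminating NUL if the field is 12 bytes or smaller, because "MPI Coredump" is 12 characters long. The field's declaration is not in either hunk, so its size cannot be confirmed here. If idString is a fixed-width tag in the dump header rather than a C string, that is acceptable, but it should be stated next to the copy: `/* idString is a fixed-width, NUL-padded tag, not a C string */`. Any consumer that prints it would then need a bounded format.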
diff --git a/queue-3.18/ray_cs-avoid-reading-past-end-of-buffer.patch b/queue-3.18/ray_cs-avoid-reading-past-end-of-buffer.patch
new file mode 100644 (file)
index 0000000..900d2aa
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 5 May 2017 15:38:41 -0700
+Subject: ray_cs: Avoid reading past end of buffer
+
+From: Kees Cook <keescook@chromium.org>
+
+
+[ Upstream commit e48d661eb13f2f83861428f001c567fdb3f317e8 ]
+
+Using memcpy() from a buffer that is shorter than the length copied means
+the destination buffer is being filled with arbitrary data from the kernel
+rodata segment. In this case, the source was made longer, since it did not
+match the destination structure size. Additionally removes a needless cast.
+
+This was found with the future CONFIG_FORTIFY_SOURCE feature.
+
+Cc: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ray_cs.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ray_cs.c
++++ b/drivers/net/wireless/ray_cs.c
+@@ -247,7 +247,10 @@ static const UCHAR b4_default_startup_pa
+       0x04, 0x08,             /* Noise gain, limit offset */
+       0x28, 0x28,             /* det rssi, med busy offsets */
+       7,                      /* det sync thresh */
+-      0, 2, 2                 /* test mode, min, max */
++      0, 2, 2,                /* test mode, min, max */
++      0,                      /* rx/tx delay */
++      0, 0, 0, 0, 0, 0,       /* current BSS id */
++      0                       /* hop set */
+ };
+ /*===========================================================================*/
+@@ -598,7 +601,7 @@ static void init_startup_params(ray_dev_
+        *    a_beacon_period = hops    a_beacon_period = KuS
+        *//* 64ms = 010000 */
+       if (local->fw_ver == 0x55) {
+-              memcpy((UCHAR *) &local->sparm.b4, b4_default_startup_parms,
++              memcpy(&local->sparm.b4, b4_default_startup_parms,
+                      sizeof(struct b4_startup_params));
+               /* Translate sane kus input values to old build 4/5 format */
+               /* i = hop time in uS truncated to 3 bytes */
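Review bot: The first hunk fixes the over-read by hand-counting initialisers in `b4_default_startup_parms`, but nothing ties the array length to the `sizeof(struct b4_startup_params)` that init_startup_params() passes to memcpy(). A later change to the struct would silently bring the out-of-bounds read back. A compile-time check next to the copy would pin the two together: `BUILD_BUG_ON(sizeof(b4_default_startup_parms) != sizeof(struct b4_startup_params));`. The array declaration starts outside the hunk, so this assumes it is declared as an array whose size `sizeof` can see.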
diff --git a/queue-3.18/rtc-interface-validate-alarm-time-before-handling-rollover.patch b/queue-3.18/rtc-interface-validate-alarm-time-before-handling-rollover.patch
new file mode 100644 (file)
index 0000000..f464345
--- /dev/null
@@ -0,0 +1,71 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+Date: Fri, 19 May 2017 22:18:55 +0530
+Subject: rtc: interface: Validate alarm-time before handling rollover
+
+From: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+
+
+[ Upstream commit da96aea0ed177105cb13ee83b328f6c61e061d3f ]
+
+In function __rtc_read_alarm() its possible for an alarm time-stamp to
+be invalid even after replacing missing components with current
+time-stamp. The condition 'alarm->time.tm_year < 70' will trigger this
+case and will cause the call to 'rtc_tm_to_time64(&alarm->time)'
+return a negative value for variable t_alm.
+
+While handling alarm rollover this negative t_alm (assumed to seconds
+offset from '1970-01-01 00:00:00') is converted back to rtc_time via
+rtc_time64_to_tm() which results in this error log with seemingly
+garbage values:
+
+"rtc rtc0: invalid alarm value: -2-1--1041528741
+2005511117:71582844:32"
+
+This error was generated when the rtc driver (rtc-opal in this case)
+returned an alarm time-stamp of '00-00-00 00:00:00' to indicate that
+the alarm is disabled. Though I have submitted a separate fix for the
+rtc-opal driver, this issue may potentially impact other
+existing/future rtc drivers.
+
+To fix this issue the patch validates the alarm time-stamp just after
+filling up the missing datetime components and if rtc_valid_tm() still
+reports it to be invalid then bails out of the function without
+handling the rollover.
+
+Reported-by: Steve Best <sbest@redhat.com>
+Signed-off-by: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/interface.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/rtc/interface.c
++++ b/drivers/rtc/interface.c
+@@ -249,6 +249,13 @@ int __rtc_read_alarm(struct rtc_device *
+                       missing = year;
+       }
++      /* Can't proceed if alarm is still invalid after replacing
++       * missing fields.
++       */
++      err = rtc_valid_tm(&alarm->time);
++      if (err)
++              goto done;
++
+       /* with luck, no rollover is needed */
+       rtc_tm_to_time(&now, &t_now);
+       rtc_tm_to_time(&alarm->time, &t_alm);
+@@ -300,9 +307,9 @@ int __rtc_read_alarm(struct rtc_device *
+               dev_warn(&rtc->dev, "alarm rollover not handled\n");
+       }
+-done:
+       err = rtc_valid_tm(&alarm->time);
++done:
+       if (err) {
+               dev_warn(&rtc->dev, "invalid alarm value: %d-%d-%d %d:%d:%d\n",
+                       alarm->time.tm_year + 1900, alarm->time.tm_mon + 1,
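Review bot: Moving `done:` below the final `rtc_valid_tm()` call in __rtc_read_alarm() means every `goto done` now reports whatever `err` already holds instead of re-validating `alarm->time`. For the jump added in the first hunk `err` has just been set, but jumps elsewhere in the function are outside these hunks and now depend on `err` being meaningful when they fire. A comment on the label would make that contract visible: `/* err must already hold the rtc_valid_tm() result for alarm->time when jumping here */`. The body of the function between the two hunks should be checked for a path that reaches `done` with a stale `err`.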
diff --git a/queue-3.18/rxrpc-check-return-value-of-skb_to_sgvec-always.patch b/queue-3.18/rxrpc-check-return-value-of-skb_to_sgvec-always.patch
new file mode 100644 (file)
index 0000000..292c8c8
--- /dev/null
@@ -0,0 +1,84 @@
+From 89a5ea99662505d2d61f2a3030a6896c2cb3cdb0 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sun, 4 Jun 2017 04:16:24 +0200
+Subject: rxrpc: check return value of skb_to_sgvec always
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+commit 89a5ea99662505d2d61f2a3030a6896c2cb3cdb0 upstream.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Acked-by: David Howells <dhowells@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[natechancellor: backport to 3.18]
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/rxkad.c |   21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+--- a/net/rxrpc/rxkad.c
++++ b/net/rxrpc/rxkad.c
+@@ -209,7 +209,7 @@ static int rxkad_secure_packet_encrypt(c
+       struct sk_buff *trailer;
+       unsigned int len;
+       u16 check;
+-      int nsg;
++      int nsg, err;
+       sp = rxrpc_skb(skb);
+@@ -240,7 +240,9 @@ static int rxkad_secure_packet_encrypt(c
+       len &= ~(call->conn->size_align - 1);
+       sg_init_table(sg, nsg);
+-      skb_to_sgvec(skb, sg, 0, len);
++      err = skb_to_sgvec(skb, sg, 0, len);
++      if (unlikely(err < 0))
++              return err;
+       crypto_blkcipher_encrypt_iv(&desc, sg, sg, len);
+       _leave(" = 0");
+@@ -336,7 +338,7 @@ static int rxkad_verify_packet_auth(cons
+       struct sk_buff *trailer;
+       u32 data_size, buf;
+       u16 check;
+-      int nsg;
++      int nsg, ret;
+       _enter("");
+@@ -348,7 +350,9 @@ static int rxkad_verify_packet_auth(cons
+               goto nomem;
+       sg_init_table(sg, nsg);
+-      skb_to_sgvec(skb, sg, 0, 8);
++      ret = skb_to_sgvec(skb, sg, 0, 8);
++      if (unlikely(ret < 0))
++              return ret;
+       /* start the decryption afresh */
+       memset(&iv, 0, sizeof(iv));
+@@ -411,7 +415,7 @@ static int rxkad_verify_packet_encrypt(c
+       struct sk_buff *trailer;
+       u32 data_size, buf;
+       u16 check;
+-      int nsg;
++      int nsg, ret;
+       _enter(",{%d}", skb->len);
+@@ -430,7 +434,12 @@ static int rxkad_verify_packet_encrypt(c
+       }
+       sg_init_table(sg, nsg);
+-      skb_to_sgvec(skb, sg, 0, skb->len);
++      ret = skb_to_sgvec(skb, sg, 0, skb->len);
++      if (unlikely(ret < 0)) {
++              if (sg != _sg)
++                      kfree(sg);
++              return ret;
++      }
+       /* decrypt from the session key */
+       token = call->conn->key->payload.data;
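Review bot: The new early `return err;` in rxkad_secure_packet_encrypt() leaves the function without the `_leave()` trace that the normal exit emits (`_leave(" = 0")` is visible just below), so a failed skb_to_sgvec() does not show up in the trace output. Assuming `_leave` takes format arguments the way `_enter` does in the last hunk, `_leave(" = %d", err);` before the return would fix that, and likewise for the two verify functions. The result is also named `err` in the first function and `ret` in rxkad_verify_packet_auth() and rxkad_verify_packet_encrypt(); one name would read better. The commit body gives no reason for the change, and the checks only take effect if skb_to_sgvec() can return a negative value in this tree, which is not visible in these hunks.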
diff --git a/queue-3.18/s390-move-_text-symbol-to-address-higher-than-zero.patch b/queue-3.18/s390-move-_text-symbol-to-address-higher-than-zero.patch
new file mode 100644 (file)
index 0000000..b9ec7b2
--- /dev/null
@@ -0,0 +1,58 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Thu, 4 May 2017 09:42:22 +0200
+Subject: s390: move _text symbol to address higher than zero
+
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+
+[ Upstream commit d04a4c76f71dd5335f8e499b59617382d84e2b8d ]
+
+The perf tool assumes that kernel symbols are never present at address
+zero. In fact it assumes if functions that map symbols to addresses
+return zero, that the symbol was not found.
+
+Given that s390's _text symbol historically is located at address zero
+this yields at least a couple of false errors and warnings in one of
+perf's test cases about not present symbols ("perf test 1").
+
+To fix this simply move the _text symbol to address 0x200, just behind
+the initial psw and channel program located at the beginning of the
+kernel image. This is now hard coded within the linker script.
+
+I tried a nicer solution which moves the initial psw and channel
+program into an own section. However that would move the symbols
+within the "real" head.text section to different addresses, since the
+".org" statements within head.S are relative to the head.text
+section. If there is a new section in front, everything else will be
+moved. Alternatively I could have adjusted all ".org" statements. But
+this current solution seems to be the easiest one, since nobody really
+cares where the _text symbol is actually located.
+
+Reported-by: Zvonko Kosic <zkosic@linux.vnet.ibm.com>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/vmlinux.lds.S |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/kernel/vmlinux.lds.S
++++ b/arch/s390/kernel/vmlinux.lds.S
+@@ -28,8 +28,14 @@ SECTIONS
+ {
+       . = 0x00000000;
+       .text : {
+-      _text = .;              /* Text and read-only data */
++              /* Text and read-only data */
+               HEAD_TEXT
++              /*
++               * E.g. perf doesn't like symbols starting at address zero,
++               * therefore skip the initial PSW and channel program located
++               * at address zero and let _text start at 0x200.
++               */
++      _text = 0x200;
+               TEXT_TEXT
+               SCHED_TEXT
+               LOCK_TEXT
diff --git a/queue-3.18/scsi-bnx2fc-fix-race-condition-in-bnx2fc_get_host_stats.patch b/queue-3.18/scsi-bnx2fc-fix-race-condition-in-bnx2fc_get_host_stats.patch
new file mode 100644 (file)
index 0000000..12924be
--- /dev/null
@@ -0,0 +1,101 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Maurizio Lombardi <mlombard@redhat.com>
+Date: Wed, 24 May 2017 14:09:44 +0200
+Subject: scsi: bnx2fc: fix race condition in bnx2fc_get_host_stats()
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+
+[ Upstream commit c2dd893a3b0772d1c680e109b9d5715d7f73022b ]
+
+If multiple tasks attempt to read the stats, it may happen that the
+start_req_done completion is re-initialized while still being used by
+another task, causing a list corruption.
+
+This patch fixes the bug by adding a mutex to serialize the calls to
+bnx2fc_get_host_stats().
+
+WARNING: at lib/list_debug.c:48 list_del+0x6e/0xa0() (Not tainted)
+Hardware name: PowerEdge R820
+list_del corruption. prev->next should be ffff882035627d90, but was ffff884069541588
+
+Pid: 40267, comm: perl Not tainted 2.6.32-642.3.1.el6.x86_64 #1
+Call Trace:
+ [<ffffffff8107c691>] ? warn_slowpath_common+0x91/0xe0
+ [<ffffffff8107c796>] ? warn_slowpath_fmt+0x46/0x60
+ [<ffffffff812ad16e>] ? list_del+0x6e/0xa0
+ [<ffffffff81547eed>] ? wait_for_common+0x14d/0x180
+ [<ffffffff8106c4a0>] ? default_wake_function+0x0/0x20
+ [<ffffffff81547fd3>] ? wait_for_completion_timeout+0x13/0x20
+ [<ffffffffa05410b1>] ? bnx2fc_get_host_stats+0xa1/0x280 [bnx2fc]
+ [<ffffffffa04cf630>] ? fc_stat_show+0x90/0xc0 [scsi_transport_fc]
+ [<ffffffffa04cf8b6>] ? show_fcstat_tx_frames+0x16/0x20 [scsi_transport_fc]
+ [<ffffffff8137c647>] ? dev_attr_show+0x27/0x50
+ [<ffffffff8113b9be>] ? __get_free_pages+0xe/0x50
+ [<ffffffff812170e1>] ? sysfs_read_file+0x111/0x200
+ [<ffffffff8119a305>] ? vfs_read+0xb5/0x1a0
+ [<ffffffff8119b0b6>] ? fget_light_pos+0x16/0x50
+ [<ffffffff8119a651>] ? sys_read+0x51/0xb0
+ [<ffffffff810ee1fe>] ? __audit_syscall_exit+0x25e/0x290
+ [<ffffffff8100b0d2>] ? system_call_fastpath+0x16/0x1b
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Acked-by: Chad Dupuis <chad.dupuis@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/bnx2fc/bnx2fc.h      |    1 +
+ drivers/scsi/bnx2fc/bnx2fc_fcoe.c |   10 ++++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/bnx2fc/bnx2fc.h
++++ b/drivers/scsi/bnx2fc/bnx2fc.h
+@@ -191,6 +191,7 @@ struct bnx2fc_hba {
+       struct bnx2fc_cmd_mgr *cmd_mgr;
+       spinlock_t hba_lock;
+       struct mutex hba_mutex;
++      struct mutex hba_stats_mutex;
+       unsigned long adapter_state;
+               #define ADAPTER_STATE_UP                0
+               #define ADAPTER_STATE_GOING_DOWN        1
+--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
++++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
+@@ -641,15 +641,17 @@ static struct fc_host_statistics *bnx2fc
+       if (!fw_stats)
+               return NULL;
++      mutex_lock(&hba->hba_stats_mutex);
++
+       bnx2fc_stats = fc_get_host_stats(shost);
+       init_completion(&hba->stat_req_done);
+       if (bnx2fc_send_stat_req(hba))
+-              return bnx2fc_stats;
++              goto unlock_stats_mutex;
+       rc = wait_for_completion_timeout(&hba->stat_req_done, (2 * HZ));
+       if (!rc) {
+               BNX2FC_HBA_DBG(lport, "FW stat req timed out\n");
+-              return bnx2fc_stats;
++              goto unlock_stats_mutex;
+       }
+       BNX2FC_STATS(hba, rx_stat2, fc_crc_cnt);
+       bnx2fc_stats->invalid_crc_count += hba->bfw_stats.fc_crc_cnt;
+@@ -671,6 +673,9 @@ static struct fc_host_statistics *bnx2fc
+       memcpy(&hba->prev_stats, hba->stats_buffer,
+              sizeof(struct fcoe_statistics_params));
++
++unlock_stats_mutex:
++      mutex_unlock(&hba->hba_stats_mutex);
+       return bnx2fc_stats;
+ }
+@@ -1303,6 +1308,7 @@ static struct bnx2fc_hba *bnx2fc_hba_cre
+       }
+       spin_lock_init(&hba->hba_lock);
+       mutex_init(&hba->hba_mutex);
++      mutex_init(&hba->hba_stats_mutex);
+       hba->cnic = cnic;
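Review bot: `mutex_lock(&hba->hba_stats_mutex)` in bnx2fc_get_host_stats() is uninterruptible and is held across `wait_for_completion_timeout(&hba->stat_req_done, (2 * HZ))`. With unresponsive firmware, each queued reader therefore waits up to two seconds for every reader ahead of it, and the call trace in the description shows this path is reached from a sysfs read. That is a reasonable price for removing the list corruption, but the new field in struct bnx2fc_hba should say what it guards: `struct mutex hba_stats_mutex; /* serializes bnx2fc_get_host_stats(): stat_req_done, bfw_stats, prev_stats */`. Whether a completion arriving after a timeout can still race with the next caller's `init_completion()` depends on code outside these hunks.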
diff --git a/queue-3.18/scsi-libiscsi-allow-sd_shutdown-on-bad-transport.patch b/queue-3.18/scsi-libiscsi-allow-sd_shutdown-on-bad-transport.patch
new file mode 100644 (file)
index 0000000..89dd0a8
--- /dev/null
@@ -0,0 +1,104 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Rafael David Tinoco <rafael.tinoco@canonical.com>
+Date: Thu, 7 Dec 2017 19:59:13 -0200
+Subject: scsi: libiscsi: Allow sd_shutdown on bad transport
+
+From: Rafael David Tinoco <rafael.tinoco@canonical.com>
+
+
+[ Upstream commit d754941225a7dbc61f6dd2173fa9498049f9a7ee ]
+
+If, for any reason, userland shuts down iscsi transport interfaces
+before proper logouts - like when logging in to LUNs manually, without
+logging out on server shutdown, or when automated scripts can't
+umount/logout from logged LUNs - kernel will hang forever on its
+sd_sync_cache() logic, after issuing the SYNCHRONIZE_CACHE cmd to all
+still existent paths.
+
+PID: 1 TASK: ffff8801a69b8000 CPU: 1 COMMAND: "systemd-shutdow"
+ #0 [ffff8801a69c3a30] __schedule at ffffffff8183e9ee
+ #1 [ffff8801a69c3a80] schedule at ffffffff8183f0d5
+ #2 [ffff8801a69c3a98] schedule_timeout at ffffffff81842199
+ #3 [ffff8801a69c3b40] io_schedule_timeout at ffffffff8183e604
+ #4 [ffff8801a69c3b70] wait_for_completion_io_timeout at ffffffff8183fc6c
+ #5 [ffff8801a69c3bd0] blk_execute_rq at ffffffff813cfe10
+ #6 [ffff8801a69c3c88] scsi_execute at ffffffff815c3fc7
+ #7 [ffff8801a69c3cc8] scsi_execute_req_flags at ffffffff815c60fe
+ #8 [ffff8801a69c3d30] sd_sync_cache at ffffffff815d37d7
+ #9 [ffff8801a69c3da8] sd_shutdown at ffffffff815d3c3c
+
+This happens because iscsi_eh_cmd_timed_out(), the transport layer
+timeout helper, would tell the queue timeout function (scsi_times_out)
+to reset the request timer over and over, until the session state is
+back to logged in state. Unfortunately, during server shutdown, this
+might never happen again.
+
+Other option would be "not to handle" the issue in the transport
+layer. That would trigger the error handler logic, which would also need
+the session state to be logged in again.
+
+Best option, for such case, is to tell upper layers that the command was
+handled during the transport layer error handler helper, marking it as
+DID_NO_CONNECT, which will allow completion and inform about the
+problem.
+
+After the session was marked as ISCSI_STATE_FAILED, due to the first
+timeout during the server shutdown phase, all subsequent cmds will fail
+to be queued, allowing upper logic to fail faster.
+
+Signed-off-by: Rafael David Tinoco <rafael.tinoco@canonical.com>
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/libiscsi.c |   24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -1695,6 +1695,15 @@ int iscsi_queuecommand(struct Scsi_Host
+                */
+               switch (session->state) {
+               case ISCSI_STATE_FAILED:
++                      /*
++                       * cmds should fail during shutdown, if the session
++                       * state is bad, allowing completion to happen
++                       */
++                      if (unlikely(system_state != SYSTEM_RUNNING)) {
++                              reason = FAILURE_SESSION_FAILED;
++                              sc->result = DID_NO_CONNECT << 16;
++                              break;
++                      }
+               case ISCSI_STATE_IN_RECOVERY:
+                       reason = FAILURE_SESSION_IN_RECOVERY;
+                       sc->result = DID_IMM_RETRY << 16;
+@@ -1999,6 +2008,19 @@ static enum blk_eh_timer_return iscsi_eh
+       if (session->state != ISCSI_STATE_LOGGED_IN) {
+               /*
++               * During shutdown, if session is prematurely disconnected,
++               * recovery won't happen and there will be hung cmds. Not
++               * handling cmds would trigger EH, also bad in this case.
++               * Instead, handle cmd, allow completion to happen and let
++               * upper layer to deal with the result.
++               */
++              if (unlikely(system_state != SYSTEM_RUNNING)) {
++                      sc->result = DID_NO_CONNECT << 16;
++                      ISCSI_DBG_EH(session, "sc on shutdown, handled\n");
++                      rc = BLK_EH_HANDLED;
++                      goto done;
++              }
++              /*
+                * We are probably in the middle of iscsi recovery so let
+                * that complete and handle the error.
+                */
+@@ -2102,7 +2124,7 @@ done:
+               task->last_timeout = jiffies;
+       spin_unlock(&session->frwd_lock);
+       ISCSI_DBG_EH(session, "return %s\n", rc == BLK_EH_RESET_TIMER ?
+-                   "timer reset" : "nh");
++                   "timer reset" : "shutdown or nh");
+       return rc;
+ }
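Review bot: Both new checks test `system_state != SYSTEM_RUNNING`, which is also true while the system is still booting, whereas the added comments in iscsi_queuecommand() and the timeout handler describe shutdown only. If only halt, power-off and restart are meant, `if (unlikely(system_state > SYSTEM_RUNNING))` would express that, assuming the enum ordering in this tree; otherwise the comments should say "outside the running state". In iscsi_queuecommand() the ISCSI_STATE_FAILED case now has a body and still drops into ISCSI_STATE_IN_RECOVERY when the system is running, so it needs a `/* fall through */` marker before the next `case`. The final debug string `"shutdown or nh"` no longer distinguishes the two outcomes.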
diff --git a/queue-3.18/scsi-libsas-fix-error-when-getting-phy-events.patch b/queue-3.18/scsi-libsas-fix-error-when-getting-phy-events.patch
new file mode 100644 (file)
index 0000000..446a5e5
--- /dev/null
@@ -0,0 +1,51 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Jason Yan <yanaijie@huawei.com>
+Date: Thu, 4 Jan 2018 21:04:32 +0800
+Subject: scsi: libsas: fix error when getting phy events
+
+From: Jason Yan <yanaijie@huawei.com>
+
+
+[ Upstream commit 2b23d9509fd7174b362482cf5f3b5f9a2265bc33 ]
+
+The intend purpose here was to goto out if smp_execute_task() returned
+error. Obviously something got screwed up. We will never get these link
+error statistics below:
+
+~:/sys/class/sas_phy/phy-1:0:12 # cat invalid_dword_count
+0
+~:/sys/class/sas_phy/phy-1:0:12 # cat running_disparity_error_count
+0
+~:/sys/class/sas_phy/phy-1:0:12 # cat loss_of_dword_sync_count
+0
+~:/sys/class/sas_phy/phy-1:0:12 # cat phy_reset_problem_count
+0
+
+Obviously we should goto error handler if smp_execute_task() returns
+non-zero.
+
+Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
+Signed-off-by: Jason Yan <yanaijie@huawei.com>
+CC: John Garry <john.garry@huawei.com>
+CC: chenqilin <chenqilin2@huawei.com>
+CC: chenxiang <chenxiang66@hisilicon.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/libsas/sas_expander.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -675,7 +675,7 @@ int sas_smp_get_phy_events(struct sas_ph
+       res = smp_execute_task(dev, req, RPEL_REQ_SIZE,
+                                   resp, RPEL_RESP_SIZE);
+-      if (!res)
++      if (res)
+               goto out;
+       phy->invalid_dword_count = scsi_to_u32(&resp[12]);
diff --git a/queue-3.18/scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_events.patch b/queue-3.18/scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_events.patch
new file mode 100644 (file)
index 0000000..41e273d
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Jason Yan <yanaijie@huawei.com>
+Date: Thu, 4 Jan 2018 21:04:31 +0800
+Subject: scsi: libsas: fix memory leak in sas_smp_get_phy_events()
+
+From: Jason Yan <yanaijie@huawei.com>
+
+
+[ Upstream commit 4a491b1ab11ca0556d2fda1ff1301e862a2d44c4 ]
+
+We've got a memory leak with the following producer:
+
+while true;
+do cat /sys/class/sas_phy/phy-1:0:12/invalid_dword_count >/dev/null;
+done
+
+The buffer req is allocated and not freed after we return. Fix it.
+
+Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
+Signed-off-by: Jason Yan <yanaijie@huawei.com>
+CC: John Garry <john.garry@huawei.com>
+CC: chenqilin <chenqilin2@huawei.com>
+CC: chenxiang <chenxiang66@hisilicon.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/libsas/sas_expander.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -684,6 +684,7 @@ int sas_smp_get_phy_events(struct sas_ph
+       phy->phy_reset_problem_count = scsi_to_u32(&resp[24]);
+  out:
++      kfree(req);
+       kfree(resp);
+       return res;
diff --git a/queue-3.18/scsi-libsas-initialize-sas_phy-status-according-to-response-of-discover.patch b/queue-3.18/scsi-libsas-initialize-sas_phy-status-according-to-response-of-discover.patch
new file mode 100644 (file)
index 0000000..719f803
--- /dev/null
@@ -0,0 +1,44 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: chenxiang <chenxiang66@hisilicon.com>
+Date: Thu, 4 Jan 2018 21:04:33 +0800
+Subject: scsi: libsas: initialize sas_phy status according to response of DISCOVER
+
+From: chenxiang <chenxiang66@hisilicon.com>
+
+
+[ Upstream commit affc67788fe5dfffad5cda3d461db5cf2b2ff2b0 ]
+
+The status of SAS PHY is in sas_phy->enabled. There is an issue that the
+status of a remote SAS PHY may be initialized incorrectly: if disable
+remote SAS PHY through sysfs interface (such as echo 0 >
+/sys/class/sas_phy/phy-1:0:0/enable), then reboot the system, and we
+will find the status of remote SAS PHY which is disabled before is
+1 (cat /sys/class/sas_phy/phy-1:0:0/enable). But actually the status of
+remote SAS PHY is disabled and the device attached is not found.
+
+In SAS protocol, NEGOTIATED LOGICAL LINK RATE field of DISCOVER response
+is 0x1 when remote SAS PHY is disabled. So initialize sas_phy->enabled
+according to the value of NEGOTIATED LOGICAL LINK RATE field.
+
+Signed-off-by: chenxiang <chenxiang66@hisilicon.com>
+Reviewed-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Jason Yan <yanaijie@huawei.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/libsas/sas_expander.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -282,6 +282,7 @@ static void sas_set_ex_phy(struct domain
+       phy->phy->minimum_linkrate = dr->pmin_linkrate;
+       phy->phy->maximum_linkrate = dr->pmax_linkrate;
+       phy->phy->negotiated_linkrate = phy->linkrate;
++      phy->phy->enabled = (phy->linkrate != SAS_PHY_DISABLED);
+  skip:
+       if (new_phy)
diff --git a/queue-3.18/sctp-fix-recursive-locking-warning-in-sctp_do_peeloff.patch b/queue-3.18/sctp-fix-recursive-locking-warning-in-sctp_do_peeloff.patch
new file mode 100644 (file)
index 0000000..c89f1cb
--- /dev/null
@@ -0,0 +1,74 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sat, 10 Jun 2017 14:56:56 +0800
+Subject: sctp: fix recursive locking warning in sctp_do_peeloff
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 6dfe4b97e08ec3d1a593fdaca099f0ef0a3a19e6 ]
+
+Dmitry got the following recursive locking report while running syzkaller
+fuzzer, the Call Trace:
+ __dump_stack lib/dump_stack.c:16 [inline]
+ dump_stack+0x2ee/0x3ef lib/dump_stack.c:52
+ print_deadlock_bug kernel/locking/lockdep.c:1729 [inline]
+ check_deadlock kernel/locking/lockdep.c:1773 [inline]
+ validate_chain kernel/locking/lockdep.c:2251 [inline]
+ __lock_acquire+0xef2/0x3430 kernel/locking/lockdep.c:3340
+ lock_acquire+0x2a1/0x630 kernel/locking/lockdep.c:3755
+ lock_sock_nested+0xcb/0x120 net/core/sock.c:2536
+ lock_sock include/net/sock.h:1460 [inline]
+ sctp_close+0xcd/0x9d0 net/sctp/socket.c:1497
+ inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425
+ inet6_release+0x50/0x70 net/ipv6/af_inet6.c:432
+ sock_release+0x8d/0x1e0 net/socket.c:597
+ __sock_create+0x38b/0x870 net/socket.c:1226
+ sock_create+0x7f/0xa0 net/socket.c:1237
+ sctp_do_peeloff+0x1a2/0x440 net/sctp/socket.c:4879
+ sctp_getsockopt_peeloff net/sctp/socket.c:4914 [inline]
+ sctp_getsockopt+0x111a/0x67e0 net/sctp/socket.c:6628
+ sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2690
+ SYSC_getsockopt net/socket.c:1817 [inline]
+ SyS_getsockopt+0x240/0x380 net/socket.c:1799
+ entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+This warning is caused by the lock held by sctp_getsockopt() is on one
+socket, while the other lock that sctp_close() is getting later is on
+the newly created (which failed) socket during peeloff operation.
+
+This patch is to avoid this warning by use lock_sock with subclass
+SINGLE_DEPTH_NESTING as Wang Cong and Marcelo's suggestion.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Suggested-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Suggested-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1513,7 +1513,7 @@ static void sctp_close(struct sock *sk,
+       pr_debug("%s: sk:%p, timeout:%ld\n", __func__, sk, timeout);
+-      lock_sock(sk);
++      lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
+       sk->sk_shutdown = SHUTDOWN_MASK;
+       sk->sk_state = SCTP_SS_CLOSING;
+@@ -1564,7 +1564,7 @@ static void sctp_close(struct sock *sk,
+        * held and that should be grabbed before socket lock.
+        */
+       spin_lock_bh(&net->sctp.addr_wq_lock);
+-      bh_lock_sock(sk);
++      bh_lock_sock_nested(sk);
+       /* Hold the sock, since sk_common_release() will put sock_put()
+        * and we have just a little more cleanup.
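Review bot: The switch to `lock_sock_nested(sk, SINGLE_DEPTH_NESTING)` in sctp_close() carries no comment, and the annotation applies to every close, not only the failed-peeloff path the changelog describes. Lockdep will therefore stop reporting any same-class nesting that passes through this function, including a real one. A short comment above the call would record why that is acceptable, for example `/* sk is never the socket a peeloff caller already holds; the subclass only tells lockdep the two locks differ */`, if that invariant holds. The same applies to `bh_lock_sock_nested(sk)` in the second hunk. Both hunks show only part of sctp_close().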
diff --git a/queue-3.18/selftests-powerpc-fix-tm-resched-dscr-test-with-some-compilers.patch b/queue-3.18/selftests-powerpc-fix-tm-resched-dscr-test-with-some-compilers.patch
new file mode 100644 (file)
index 0000000..1079b5c
--- /dev/null
@@ -0,0 +1,50 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Fri, 19 May 2017 11:29:04 +1000
+Subject: selftests/powerpc: Fix TM resched DSCR test with some compilers
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+
+[ Upstream commit fe06fe860250a4f01d0eaf70a2563b1997174a74 ]
+
+The tm-resched-dscr test has started failing sometimes, depending on
+what compiler it's built with, eg:
+
+  test: tm_resched_dscr
+  Check DSCR TM context switch: tm-resched-dscr: tm-resched-dscr.c:76: test_body: Assertion `rv' failed.
+  !! child died by signal 6
+
+When it fails we see that the compiler doesn't initialise rv to 1 before
+entering the inline asm block. Although that's counter intuitive, it
+is allowed because we tell the compiler that the inline asm will write
+to rv (using "=r"), meaning the original value is irrelevant.
+
+Marking it as a read/write parameter would presumably work, but it seems
+simpler to fix it by setting the initial value of rv in the inline asm.
+
+Fixes: 96d016108640 ("powerpc: Correct DSCR during TM context switch")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Acked-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/powerpc/tm/tm-resched-dscr.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/powerpc/tm/tm-resched-dscr.c
++++ b/tools/testing/selftests/powerpc/tm/tm-resched-dscr.c
+@@ -45,12 +45,12 @@ int test_body(void)
+       printf("Check DSCR TM context switch: ");
+       fflush(stdout);
+       for (;;) {
+-              rv = 1;
+               asm __volatile__ (
+                       /* set a known value into the DSCR */
+                       "ld      3, %[dscr1];"
+                       "mtspr   %[sprn_dscr], 3;"
++                      "li      %[rv], 1;"
+                       /* start and suspend a transaction */
+                       TBEGIN
+                       "beq     1f;"
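Review bot: The added `li %[rv], 1;` writes the output operand before the asm block has finished using its other operands, and the changelog says rv is declared with plain `=r`. Without the early-clobber modifier the compiler may place rv in a register that also holds an input or the address of a memory operand used later in the block. The constraint list is outside this hunk, so this cannot be confirmed here. If it is still `=r`, I would change it to `[rv] "=&r" (rv)`.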
diff --git a/queue-3.18/series b/queue-3.18/series
new file mode 100644 (file)
index 0000000..134e53b
--- /dev/null
@@ -0,0 +1,103 @@
+nfsv4.1-reclaim_complete-must-handle-nfs4err_conn_not_bound_to_session.patch
+ib-srpt-fix-abort-handling.patch
+af_key-fix-slab-out-of-bounds-in-pfkey_compile_policy.patch
+mac80211-bail-out-from-prep_connection-if-a-reconfig-is-ongoing.patch
+bna-avoid-reading-past-end-of-buffer.patch
+qlge-avoid-reading-past-end-of-buffer.patch
+net-ethernet-ti-cpsw-adjust-cpsw-fifos-depth-for-fullduplex-flow-control.patch
+lockd-fix-lockd-shutdown-race.patch
+pidns-disable-pid-allocation-if-pid_ns_prepare_proc-is-failed-in-alloc_pid.patch
+s390-move-_text-symbol-to-address-higher-than-zero.patch
+net-mlx4_en-avoid-adding-steering-rules-with-invalid-ring.patch
+cifs-silence-lockdep-splat-in-cifs_relock_file.patch
+net-qca_spi-fix-alignment-issues-in-rx-path.patch
+netxen_nic-set-rcode-to-the-return-status-from-the-call-to-netxen_issue_cmd.patch
+kvm-ppc-book3s-pr-check-copy_to-from_user-return-values.patch
+vmxnet3-ensure-that-adapter-is-in-proper-state-during-force_close.patch
+smb2-fix-share-type-handling.patch
+powercap-fix-an-error-code-in-powercap_register_zone.patch
+staging-wlan-ng-prism2mgmt.c-fixed-a-double-endian-conversion-before-calling-hfa384x_drvr_setconfig16-also-fixes-relative-sparse-warning.patch
+x86-tsc-provide-tsc-unstable-boot-parameter.patch
+arm-dts-imx6qdl-wandboard-fix-audio-channel-swap.patch
+ipv6-avoid-dad-failures-for-addresses-with-nodad.patch
+async_tx-fix-dma_prep_fence-usage-in-do_async_gen_syndrome.patch
+usb-dwc3-keystone-check-return-value.patch
+btrfs-fix-incorrect-error-return-ret-being-passed-to-mapping_set_error.patch
+ata-libahci-properly-propagate-return-value-of-platform_get_irq.patch
+neighbour-update-neigh-timestamps-iff-update-is-effective.patch
+usb-chipidea-properly-handle-host-or-gadget-initialization-failure.patch
+usb-ene_usb6250-fix-first-command-execution.patch
+net-x25-fix-one-potential-use-after-free-issue.patch
+usb-ene_usb6250-fix-scsi-residue-overwriting.patch
+sh_eth-use-platform-device-for-printing-before-register_netdev.patch
+ath5k-fix-memory-leak-on-buf-on-failed-eeprom-read.patch
+selftests-powerpc-fix-tm-resched-dscr-test-with-some-compilers.patch
+xfrm-fix-state-migration-copy-replay-sequence-numbers.patch
+arm-davinci-da8xx-create-dsp-device-only-when-assigned-memory.patch
+ray_cs-avoid-reading-past-end-of-buffer.patch
+leds-pca955x-correct-i2c-functionality.patch
+block-fix-an-error-code-in-add_partition.patch
+libceph-null-deref-on-crush_decode-error-path.patch
+netfilter-ctnetlink-fix-incorrect-nf_ct_put-during-hash-resize.patch
+scsi-bnx2fc-fix-race-condition-in-bnx2fc_get_host_stats.patch
+fix-race-in-drivers-char-random.c-get_reg.patch
+ext4-fix-off-by-one-on-max-nr_pages-in-ext4_find_unwritten_pgoff.patch
+net-move-somaxconn-init-from-sysctl-code.patch
+bonding-don-t-update-slave-link-until-ready-to-commit.patch
+kvm-nvmx-fix-handling-of-lmsw-instruction.patch
+net-llc-add-lock_sock-in-llc_ui_bind-to-avoid-a-race-condition.patch
+l2tp-fix-missing-print-session-offset-info.patch
+scsi-libiscsi-allow-sd_shutdown-on-bad-transport.patch
+vfb-fix-video-mode-and-line_length-being-set-when-loaded.patch
+wl1251-check-return-from-call-to-wl1251_acx_arp_ip_filter.patch
+hdlcdrv-fix-divide-by-zero-in-hdlcdrv_ioctl.patch
+ovl-filter-trusted-xattr-for-non-admin.patch
+powerpc-don-t-clobber-tcr-when-setting-tcr.patch
+arm64-futex-fix-undefined-behaviour-with-futex_op_oparg_shift-usage.patch
+rtc-interface-validate-alarm-time-before-handling-rollover.patch
+net-freescale-fix-potential-null-pointer-dereference.patch
+kvm-svm-do-not-zero-out-segment-attributes-if-segment-is-unusable-or-not-present.patch
+powerpc-spufs-fix-coredump-of-spu-contexts.patch
+perf-trace-add-mmap-alias-for-s390.patch
+qlcnic-fix-a-sleep-in-atomic-bug-in-qlcnic_82xx_hw_write_wx_2m-and-qlcnic_82xx_hw_read_wx_2m.patch
+misdn-fix-a-sleep-in-atomic-bug.patch
+drm-omap-fix-tiled-buffer-stride-calculations.patch
+fix-serial-console-on-sni-rm400-machines.patch
+bio-integrity-do-not-allocate-integrity-context-for-bio-w-o-data.patch
+skbuff-return-emsgsize-in-skb_to_sgvec-to-prevent-overflow.patch
+net-mlx4-fix-the-check-in-attaching-steering-rules.patch
+perf-report-ensure-the-perf-dso-mapping-matches-what-libdw-sees.patch
+tags-honor-compiled_source-with-apart-output-directory.patch
+e1000e-fix-race-condition-around-skb_tstamp_tx.patch
+cx25840-fix-unchecked-return-values.patch
+mceusb-sporadic-rx-truncation-corruption-fix.patch
+net-phy-avoid-genphy_aneg_done-for-phys-without-clause-22-support.patch
+e1000e-undo-e1000e_pm_freeze-if-__e1000_shutdown-fails.patch
+perf-core-correct-event-creation-with-perf_format_group.patch
+mips-mm-fixed-mappings-correct-initialisation.patch
+mips-kprobes-flush_insn_slot-should-flush-only-if-probe-initialised.patch
+net-emac-fix-reset-timeout-with-ar8035-phy.patch
+perf-tests-decompress-kernel-module-before-objdump.patch
+xen-avoid-type-warning-in-xchg_xen_ulong.patch
+bnx2x-allow-vfs-to-disable-txvlan-offload.patch
+sctp-fix-recursive-locking-warning-in-sctp_do_peeloff.patch
+sparc64-ldc-abort-during-vds-iso-boot.patch
+iio-magnetometer-st_magn_spi-fix-spi_device_id-table.patch
+bluetooth-send-hci-set-event-mask-page-2-command-only-when-needed.patch
+acpica-events-add-runtime-stub-support-for-event-apis.patch
+acpica-disassembler-abort-on-an-invalid-unknown-aml-opcode.patch
+vxlan-dont-migrate-permanent-fdb-entries-during-learn.patch
+bcache-stop-writeback-thread-after-detaching.patch
+bcache-segregate-flash-only-volume-write-streams.patch
+scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_events.patch
+scsi-libsas-fix-error-when-getting-phy-events.patch
+scsi-libsas-initialize-sas_phy-status-according-to-response-of-discover.patch
+tty-n_gsm-allow-adm-response-in-addition-to-ua-for-control-dlci.patch
+edac-mv64x60-fix-an-error-handling-path.patch
+signal-metag-document-a-conflict-with-si_user-with-sigfpe.patch
+signal-powerpc-document-conflicts-with-si_user-and-sigfpe-and-sigtrap.patch
+signal-arm-document-conflicts-with-si_user-and-sigfpe.patch
+ipsec-check-return-value-of-skb_to_sgvec-always.patch
+rxrpc-check-return-value-of-skb_to_sgvec-always.patch
+virtio_net-check-return-value-of-skb_to_sgvec-always.patch
+virtio_net-check-return-value-of-skb_to_sgvec-in-one-more-location.patch
diff --git a/queue-3.18/sh_eth-use-platform-device-for-printing-before-register_netdev.patch b/queue-3.18/sh_eth-use-platform-device-for-printing-before-register_netdev.patch
new file mode 100644 (file)
index 0000000..9a87b0a
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Thu, 18 May 2017 15:01:34 +0200
+Subject: sh_eth: Use platform device for printing before register_netdev()
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+
+[ Upstream commit 5f5c5449acad0cd3322e53e1ac68c044483b0aa5 ]
+
+The MDIO initialization failure message is printed using the network
+device, before it has been registered, leading to:
+
+     (null): failed to initialise MDIO
+
+Use the platform device instead to fix this:
+
+    sh-eth ee700000.ethernet: failed to initialise MDIO
+
+Fixes: daacf03f0bbfefee ("sh_eth: Register MDIO bus before registering the network device")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/renesas/sh_eth.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -2933,7 +2933,7 @@ static int sh_eth_drv_probe(struct platf
+       /* MDIO bus init */
+       ret = sh_mdio_init(mdp, pd);
+       if (ret) {
+-              dev_err(&ndev->dev, "failed to initialise MDIO\n");
++              dev_err(&pdev->dev, "failed to initialise MDIO\n");
+               goto out_release;
+       }
diff --git a/queue-3.18/signal-arm-document-conflicts-with-si_user-and-sigfpe.patch b/queue-3.18/signal-arm-document-conflicts-with-si_user-and-sigfpe.patch
new file mode 100644 (file)
index 0000000..b57e9c9
--- /dev/null
@@ -0,0 +1,70 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Thu, 17 Aug 2017 17:07:46 -0500
+Subject: signal/arm: Document conflicts with SI_USER and SIGFPE
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+
+[ Upstream commit 7771c66457004977b616bab785209f49d164f527 ]
+
+Setting si_code to 0 results in a userspace seeing an si_code of 0.
+This is the same si_code as SI_USER.  Posix and common sense requires
+that SI_USER not be a signal specific si_code.  As such this use of 0
+for the si_code is a pretty horribly broken ABI.
+
+Further use of si_code == 0 guaranteed that copy_siginfo_to_user saw a
+value of __SI_KILL and now sees a value of SIL_KILL with the result
+that uid and pid fields are copied and which might copying the si_addr
+field by accident but certainly not by design.  Making this a very
+flakey implementation.
+
+Utilizing FPE_FIXME, siginfo_layout will now return SIL_FAULT and the
+appropriate fields will be reliably copied.
+
+Possible ABI fixes includee:
+- Send the signal without siginfo
+- Don't generate a signal
+- Possibly assign and use an appropriate si_code
+- Don't handle cases which can't happen
+
+Cc: Russell King <rmk@flint.arm.linux.org.uk>
+Cc: linux-arm-kernel@lists.infradead.org
+Ref: 451436b7bbb2 ("[ARM] Add support code for ARM hardware vector floating point")
+History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/include/uapi/asm/siginfo.h |   13 +++++++++++++
+ arch/arm/vfp/vfpmodule.c            |    2 +-
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+ create mode 100644 arch/arm/include/uapi/asm/siginfo.h
+
+--- /dev/null
++++ b/arch/arm/include/uapi/asm/siginfo.h
+@@ -0,0 +1,13 @@
++#ifndef __ASM_SIGINFO_H
++#define __ASM_SIGINFO_H
++
++#include <asm-generic/siginfo.h>
++
++/*
++ * SIGFPE si_codes
++ */
++#ifdef __KERNEL__
++#define FPE_FIXME     0       /* Broken dup of SI_USER */
++#endif /* __KERNEL__ */
++
++#endif
+--- a/arch/arm/vfp/vfpmodule.c
++++ b/arch/arm/vfp/vfpmodule.c
+@@ -261,7 +261,7 @@ static void vfp_raise_exceptions(u32 exc
+       if (exceptions == VFP_EXCEPTION_ERROR) {
+               vfp_panic("unhandled bounce", inst);
+-              vfp_raise_sigfpe(0, regs);
++              vfp_raise_sigfpe(FPE_FIXME, regs);
+               return;
+       }
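Review bot: This patch creates arch/arm/include/uapi/asm/siginfo.h, but the diffstat shows no Kbuild change, so it is worth checking how the 3.18 arm tree provided asm/siginfo.h before. If the tree still lists it with a `generic-y += siginfo.h` entry, the generated wrapper may be found ahead of the new header. `FPE_FIXME` would then be undeclared at the `vfp_raise_sigfpe(FPE_FIXME, regs)` call. Nothing in the hunk shows which header vfpmodule.c ends up including, so a build of that file on this branch would settle it.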
diff --git a/queue-3.18/signal-metag-document-a-conflict-with-si_user-with-sigfpe.patch b/queue-3.18/signal-metag-document-a-conflict-with-si_user-with-sigfpe.patch
new file mode 100644 (file)
index 0000000..61cb0d6
--- /dev/null
@@ -0,0 +1,66 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Tue, 1 Aug 2017 10:37:40 -0500
+Subject: signal/metag: Document a conflict with SI_USER with SIGFPE
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+
+[ Upstream commit b80328be53c215346b153769267b38f531d89b4f ]
+
+Setting si_code to 0 results in a userspace seeing an si_code of 0.
+This is the same si_code as SI_USER.  Posix and common sense requires
+that SI_USER not be a signal specific si_code.  As such this use of 0
+for the si_code is a pretty horribly broken ABI.
+
+Further use of si_code == 0 guaranteed that copy_siginfo_to_user saw a
+value of __SI_KILL and now sees a value of SIL_KILL with the result
+hat uid and pid fields are copied and which might copying the si_addr
+field by accident but certainly not by design.  Making this a very
+flakey implementation.
+
+Utilizing FPE_FIXME siginfo_layout will now return SIL_FAULT and the
+appropriate fields will reliably be copied.
+
+Possible ABI fixes includee:
+  - Send the signal without siginfo
+  - Don't generate a signal
+  - Possibly assign and use an appropriate si_code
+  - Don't handle cases which can't happen
+
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: linux-metag@vger.kernel.org
+Ref: ac919f0883e5 ("metag: Traps")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/metag/include/uapi/asm/siginfo.h |    7 +++++++
+ arch/metag/kernel/traps.c             |    2 +-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/arch/metag/include/uapi/asm/siginfo.h
++++ b/arch/metag/include/uapi/asm/siginfo.h
+@@ -5,4 +5,11 @@
+ #include <asm-generic/siginfo.h>
++/*
++ * SIGFPE si_codes
++ */
++#ifdef __KERNEL__
++#define FPE_FIXME      0       /* Broken dup of SI_USER */
++#endif /* __KERNEL__ */
++
+ #endif
+--- a/arch/metag/kernel/traps.c
++++ b/arch/metag/kernel/traps.c
+@@ -732,7 +732,7 @@ TBIRES fpe_handler(TBIRES State, int Sig
+       else if (error_state & TXSTAT_FPE_INEXACT_BIT)
+               info.si_code = FPE_FLTRES;
+       else
+-              info.si_code = 0;
++              info.si_code = FPE_FIXME;
+       info.si_errno = 0;
+       info.si_addr = (__force void __user *)regs->ctx.CurrPC;
+       force_sig_info(SIGFPE, &info, current);
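Review bot: `FPE_FIXME` is still 0, so userspace keeps receiving a SIGFPE whose si_code equals SI_USER, and the one-line comment `/* Broken dup of SI_USER */` does not say that. The changelog's effect depends on siginfo_layout(), which this patch does not touch and which may not exist in a 3.18 tree, so here the change reads as a rename only. I would spell that out at the define, e.g. `/* Value 0 collides with SI_USER, so a handler cannot tell this from kill(); placeholder until a real si_code is assigned */`. The same terse comment is used for the arm define and for `FPE_FIXME`/`TRAP_FIXME` in the powerpc patch.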
diff --git a/queue-3.18/signal-powerpc-document-conflicts-with-si_user-and-sigfpe-and-sigtrap.patch b/queue-3.18/signal-powerpc-document-conflicts-with-si_user-and-sigfpe-and-sigtrap.patch
new file mode 100644 (file)
index 0000000..4741e32
--- /dev/null
@@ -0,0 +1,114 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Sat, 19 Aug 2017 15:26:01 -0500
+Subject: signal/powerpc: Document conflicts with SI_USER and SIGFPE and SIGTRAP
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+
+[ Upstream commit cf4674c46c66e45f238f8f7e81af2a444b970c0a ]
+
+Setting si_code to 0 results in a userspace seeing an si_code of 0.
+This is the same si_code as SI_USER.  Posix and common sense requires
+that SI_USER not be a signal specific si_code.  As such this use of 0
+for the si_code is a pretty horribly broken ABI.
+
+Further use of si_code == 0 guaranteed that copy_siginfo_to_user saw a
+value of __SI_KILL and now sees a value of SIL_KILL with the result
+that uid and pid fields are copied and which might copying the si_addr
+field by accident but certainly not by design.  Making this a very
+flakey implementation.
+
+Utilizing FPE_FIXME and TRAP_FIXME, siginfo_layout() will now return
+SIL_FAULT and the appropriate fields will be reliably copied.
+
+Possible ABI fixes includee:
+- Send the signal without siginfo
+- Don't generate a signal
+- Possibly assign and use an appropriate si_code
+- Don't handle cases which can't happen
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Kumar Gala <kumar.gala@freescale.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc:  linuxppc-dev@lists.ozlabs.org
+Ref: 9bad068c24d7 ("[PATCH] ppc32: support for e500 and 85xx")
+Ref: 0ed70f6105ef ("PPC32: Provide proper siginfo information on various exceptions.")
+History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/uapi/asm/siginfo.h |   15 +++++++++++++++
+ arch/powerpc/kernel/traps.c             |   10 +++++-----
+ 2 files changed, 20 insertions(+), 5 deletions(-)
+
+--- a/arch/powerpc/include/uapi/asm/siginfo.h
++++ b/arch/powerpc/include/uapi/asm/siginfo.h
+@@ -17,4 +17,19 @@
+ #undef NSIGTRAP
+ #define NSIGTRAP      4
++/*
++ * SIGFPE si_codes
++ */
++#ifdef __KERNEL__
++#define FPE_FIXME     0       /* Broken dup of SI_USER */
++#endif /* __KERNEL__ */
++
++/*
++ * SIGTRAP si_codes
++ */
++#ifdef __KERNEL__
++#define TRAP_FIXME    0       /* Broken dup of SI_USER */
++#endif /* __KERNEL__ */
++
++
+ #endif        /* _ASM_POWERPC_SIGINFO_H */
+--- a/arch/powerpc/kernel/traps.c
++++ b/arch/powerpc/kernel/traps.c
+@@ -769,7 +769,7 @@ void unknown_exception(struct pt_regs *r
+       printk("Bad trap at PC: %lx, SR: %lx, vector=%lx\n",
+              regs->nip, regs->msr, regs->trap);
+-      _exception(SIGTRAP, regs, 0, 0);
++      _exception(SIGTRAP, regs, TRAP_FIXME, 0);
+       exception_exit(prev_state);
+ }
+@@ -791,7 +791,7 @@ bail:
+ void RunModeException(struct pt_regs *regs)
+ {
+-      _exception(SIGTRAP, regs, 0, 0);
++      _exception(SIGTRAP, regs, TRAP_FIXME, 0);
+ }
+ void __kprobes single_step_exception(struct pt_regs *regs)
+@@ -826,7 +826,7 @@ static void emulate_single_step(struct p
+ static inline int __parse_fpscr(unsigned long fpscr)
+ {
+-      int ret = 0;
++      int ret = FPE_FIXME;
+       /* Invalid operation */
+       if ((fpscr & FPSCR_VE) && (fpscr & FPSCR_VX))
+@@ -1742,7 +1742,7 @@ void SPEFloatingPointException(struct pt
+       extern int do_spe_mathemu(struct pt_regs *regs);
+       unsigned long spefscr;
+       int fpexc_mode;
+-      int code = 0;
++      int code = FPE_FIXME;
+       int err;
+       flush_spe_to_thread(current);
+@@ -1811,7 +1811,7 @@ void SPEFloatingPointRoundException(stru
+               printk(KERN_ERR "unrecognized spe instruction "
+                      "in %s at %lx\n", current->comm, regs->nip);
+       } else {
+-              _exception(SIGFPE, regs, 0, regs->nip);
++              _exception(SIGFPE, regs, FPE_FIXME, regs->nip);
+               return;
+       }
+ }
diff --git a/queue-3.18/skbuff-return-emsgsize-in-skb_to_sgvec-to-prevent-overflow.patch b/queue-3.18/skbuff-return-emsgsize-in-skb_to_sgvec-to-prevent-overflow.patch
new file mode 100644 (file)
index 0000000..5845243
--- /dev/null
@@ -0,0 +1,183 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sun, 4 Jun 2017 04:16:22 +0200
+Subject: skbuff: return -EMSGSIZE in skb_to_sgvec to prevent overflow
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+
+[ Upstream commit 48a1df65334b74bd7531f932cca5928932abf769 ]
+
+This is a defense-in-depth measure in response to bugs like
+4d6fa57b4dab ("macsec: avoid heap overflow in skb_to_sgvec"). There's
+not only a potential overflow of sglist items, but also a stack overflow
+potential, so we fix this by limiting the amount of recursion this function
+is allowed to do. Not actually providing a bounded base case is a future
+disaster that we can easily avoid here.
+
+As a small matter of house keeping, we take this opportunity to move the
+documentation comment over the actual function the documentation is for.
+
+While this could be implemented by using an explicit stack of skbuffs,
+when implementing this, the function complexity increased considerably,
+and I don't think such complexity and bloat is actually worth it. So,
+instead I built this and tested it on x86, x86_64, ARM, ARM64, and MIPS,
+and measured the stack usage there. I also reverted the recent MIPS
+changes that give it a separate IRQ stack, so that I could experience
+some worst-case situations. I found that limiting it to 24 layers deep
+yielded a good stack usage with room for safety, as well as being much
+deeper than any driver actually ever creates.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: David Howells <dhowells@redhat.com>
+Cc: Sabrina Dubroca <sd@queasysnail.net>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/skbuff.h |    8 +++---
+ net/core/skbuff.c      |   65 +++++++++++++++++++++++++++++++------------------
+ 2 files changed, 46 insertions(+), 27 deletions(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -845,10 +845,10 @@ struct sk_buff *skb_realloc_headroom(str
+                                    unsigned int headroom);
+ struct sk_buff *skb_copy_expand(const struct sk_buff *skb, int newheadroom,
+                               int newtailroom, gfp_t priority);
+-int skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg,
+-                      int offset, int len);
+-int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset,
+-               int len);
++int __must_check skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg,
++                                   int offset, int len);
++int __must_check skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg,
++                            int offset, int len);
+ int skb_cow_data(struct sk_buff *skb, int tailbits, struct sk_buff **trailer);
+ int skb_pad(struct sk_buff *skb, int pad);
+ #define dev_kfree_skb(a)      consume_skb(a)
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3285,24 +3285,18 @@ void __init skb_init(void)
+                                               NULL);
+ }
+-/**
+- *    skb_to_sgvec - Fill a scatter-gather list from a socket buffer
+- *    @skb: Socket buffer containing the buffers to be mapped
+- *    @sg: The scatter-gather list to map into
+- *    @offset: The offset into the buffer's contents to start mapping
+- *    @len: Length of buffer space to be mapped
+- *
+- *    Fill the specified scatter-gather list with mappings/pointers into a
+- *    region of the buffer space attached to a socket buffer.
+- */
+ static int
+-__skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
++__skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len,
++             unsigned int recursion_level)
+ {
+       int start = skb_headlen(skb);
+       int i, copy = start - offset;
+       struct sk_buff *frag_iter;
+       int elt = 0;
++      if (unlikely(recursion_level >= 24))
++              return -EMSGSIZE;
++
+       if (copy > 0) {
+               if (copy > len)
+                       copy = len;
+@@ -3321,6 +3315,8 @@ __skb_to_sgvec(struct sk_buff *skb, stru
+               end = start + skb_frag_size(&skb_shinfo(skb)->frags[i]);
+               if ((copy = end - offset) > 0) {
+                       skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
++                      if (unlikely(elt && sg_is_last(&sg[elt - 1])))
++                              return -EMSGSIZE;
+                       if (copy > len)
+                               copy = len;
+@@ -3335,16 +3331,22 @@ __skb_to_sgvec(struct sk_buff *skb, stru
+       }
+       skb_walk_frags(skb, frag_iter) {
+-              int end;
++              int end, ret;
+               WARN_ON(start > offset + len);
+               end = start + frag_iter->len;
+               if ((copy = end - offset) > 0) {
++                      if (unlikely(elt && sg_is_last(&sg[elt - 1])))
++                              return -EMSGSIZE;
++
+                       if (copy > len)
+                               copy = len;
+-                      elt += __skb_to_sgvec(frag_iter, sg+elt, offset - start,
+-                                            copy);
++                      ret = __skb_to_sgvec(frag_iter, sg+elt, offset - start,
++                                            copy, recursion_level + 1);
++                      if (unlikely(ret < 0))
++                              return ret;
++                      elt += ret;
+                       if ((len -= copy) == 0)
+                               return elt;
+                       offset += copy;
+@@ -3355,6 +3357,31 @@ __skb_to_sgvec(struct sk_buff *skb, stru
+       return elt;
+ }
++/**
++ *    skb_to_sgvec - Fill a scatter-gather list from a socket buffer
++ *    @skb: Socket buffer containing the buffers to be mapped
++ *    @sg: The scatter-gather list to map into
++ *    @offset: The offset into the buffer's contents to start mapping
++ *    @len: Length of buffer space to be mapped
++ *
++ *    Fill the specified scatter-gather list with mappings/pointers into a
++ *    region of the buffer space attached to a socket buffer. Returns either
++ *    the number of scatterlist items used, or -EMSGSIZE if the contents
++ *    could not fit.
++ */
++int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
++{
++      int nsg = __skb_to_sgvec(skb, sg, offset, len, 0);
++
++      if (nsg <= 0)
++              return nsg;
++
++      sg_mark_end(&sg[nsg - 1]);
++
++      return nsg;
++}
++EXPORT_SYMBOL_GPL(skb_to_sgvec);
++
+ /* As compared with skb_to_sgvec, skb_to_sgvec_nomark only map skb to given
+  * sglist without mark the sg which contain last skb data as the end.
+  * So the caller can mannipulate sg list as will when padding new data after
+@@ -3377,19 +3404,11 @@ __skb_to_sgvec(struct sk_buff *skb, stru
+ int skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg,
+                       int offset, int len)
+ {
+-      return __skb_to_sgvec(skb, sg, offset, len);
++      return __skb_to_sgvec(skb, sg, offset, len, 0);
+ }
+ EXPORT_SYMBOL_GPL(skb_to_sgvec_nomark);
+-int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
+-{
+-      int nsg = __skb_to_sgvec(skb, sg, offset, len);
+-      sg_mark_end(&sg[nsg - 1]);
+-
+-      return nsg;
+-}
+-EXPORT_SYMBOL_GPL(skb_to_sgvec);
+ /**
+  *    skb_cow_data - Check that a socket buffer's data buffers are writable
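Review bot: The new overflow checks `sg_is_last(&sg[elt - 1])` only fire if the caller's table already carries an end marker on its last entry, and neither the relocated kernel-doc nor the skb_to_sgvec_nomark comment says so. A caller that passes an array without that marker gets no bound from this change. I would add a line to the skb_to_sgvec kernel-doc such as `@sg must have been set up with sg_init_table(); the -EMSGSIZE check relies on its end marker`. Separately, the depth limit `24` would read better as a named constant with the stack-usage reasoning from the changelog beside it. The body of __skb_to_sgvec is only partly visible in these hunks.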
diff --git a/queue-3.18/smb2-fix-share-type-handling.patch b/queue-3.18/smb2-fix-share-type-handling.patch
new file mode 100644 (file)
index 0000000..9d07276
--- /dev/null
@@ -0,0 +1,57 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Fri, 12 May 2017 17:59:32 +0200
+Subject: SMB2: Fix share type handling
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit cd1230070ae1c12fd34cf6a557bfa81bf9311009 ]
+
+In fs/cifs/smb2pdu.h, we have:
+#define SMB2_SHARE_TYPE_DISK    0x01
+#define SMB2_SHARE_TYPE_PIPE    0x02
+#define SMB2_SHARE_TYPE_PRINT   0x03
+
+Knowing that, with the current code, the SMB2_SHARE_TYPE_PRINT case can
+never trigger and printer share would be interpreted as disk share.
+
+So, test the ShareType value for equality instead.
+
+Fixes: faaf946a7d5b ("CIFS: Add tree connect/disconnect capability for SMB2")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2pdu.c |   14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -921,15 +921,19 @@ SMB2_tcon(const unsigned int xid, struct
+               goto tcon_exit;
+       }
+-      if (rsp->ShareType & SMB2_SHARE_TYPE_DISK)
++      switch (rsp->ShareType) {
++      case SMB2_SHARE_TYPE_DISK:
+               cifs_dbg(FYI, "connection to disk share\n");
+-      else if (rsp->ShareType & SMB2_SHARE_TYPE_PIPE) {
++              break;
++      case SMB2_SHARE_TYPE_PIPE:
+               tcon->ipc = true;
+               cifs_dbg(FYI, "connection to pipe share\n");
+-      } else if (rsp->ShareType & SMB2_SHARE_TYPE_PRINT) {
+-              tcon->print = true;
++              break;
++      case SMB2_SHARE_TYPE_PRINT:
++              tcon->ipc = true;
+               cifs_dbg(FYI, "connection to printer\n");
+-      } else {
++              break;
++      default:
+               cifs_dbg(VFS, "unknown share type %d\n", rsp->ShareType);
+               rc = -EOPNOTSUPP;
+               goto tcon_error_exit;
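Review bot: The new `case SMB2_SHARE_TYPE_PRINT:` sets `tcon->ipc = true;` where the removed branch set `tcon->print = true;`, and the commit message only describes replacing the bit test with an equality test. If the flag change is not intended, the line should stay `tcon->print = true;`; if it is intended, the description should say why a printer share is now marked as IPC. `rsp->ShareType` is taken from the server's response, so rejecting anything unrecognised in `default:` is the right shape. SMB2_tcon's body starts and ends outside the hunk.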
diff --git a/queue-3.18/sparc64-ldc-abort-during-vds-iso-boot.patch b/queue-3.18/sparc64-ldc-abort-during-vds-iso-boot.patch
new file mode 100644 (file)
index 0000000..1879c72
--- /dev/null
@@ -0,0 +1,58 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Jag Raman <jag.raman@oracle.com>
+Date: Fri, 9 Jun 2017 12:29:31 -0400
+Subject: sparc64: ldc abort during vds iso boot
+
+From: Jag Raman <jag.raman@oracle.com>
+
+
+[ Upstream commit 6c95483b768c62f8ee933ae08a1bdbcb78b5410f ]
+
+Orabug: 20902628
+
+When an ldc control-only packet is received during data exchange in
+read_nonraw(), a new rx head is calculated but the rx queue head is not
+actually advanced (rx_set_head() is not called) and a branch is taken to
+'no_data' at which point two things can happen depending on the value
+of the newly calculated rx head and the current rx tail:
+
+- If the rx queue is determined to be not empty, then the wrong packet
+  is picked up.
+
+- If the rx queue is determined to be empty, then a read error (EAGAIN)
+  is eventually returned since it is falsely assumed that more data was
+  expected.
+
+The fix is to update the rx head and return in case of a control only
+packet during data exchange.
+
+Signed-off-by: Jagannathan Raman <jag.raman@oracle.com>
+Reviewed-by: Aaron Young <aaron.young@oracle.com>
+Reviewed-by: Alexandre Chartre <alexandre.chartre@oracle.com>
+Reviewed-by: Bijan Mottahedeh <bijan.mottahedeh@oracle.com>
+Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/kernel/ldc.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/sparc/kernel/ldc.c
++++ b/arch/sparc/kernel/ldc.c
+@@ -1693,9 +1693,14 @@ static int read_nonraw(struct ldc_channe
+               lp->rcv_nxt = p->seqid;
++              /*
++               * If this is a control-only packet, there is nothing
++               * else to do but advance the rx queue since the packet
++               * was already processed above.
++               */
+               if (!(p->type & LDC_DATA)) {
+                       new = rx_advance(lp, new);
+-                      goto no_data;
++                      break;
+               }
+               if (p->stype & (LDC_ACK | LDC_NACK)) {
+                       err = data_ack_nack(lp, p);
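Review bot: The added comment says the rx queue is advanced, but the visible lines only update the local `new` and then leave the loop with `break`; the commit message names the missing `rx_set_head()` call as the actual bug. The code reached after the loop is outside the hunk, so it is worth confirming in the 3.18 tree that this path writes `new` back with `rx_set_head()`. The comment could say so directly, for example by ending with `the head is committed after the loop`. read_nonraw's loop starts and ends outside the hunk.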
diff --git a/queue-3.18/staging-wlan-ng-prism2mgmt.c-fixed-a-double-endian-conversion-before-calling-hfa384x_drvr_setconfig16-also-fixes-relative-sparse-warning.patch b/queue-3.18/staging-wlan-ng-prism2mgmt.c-fixed-a-double-endian-conversion-before-calling-hfa384x_drvr_setconfig16-also-fixes-relative-sparse-warning.patch
new file mode 100644 (file)
index 0000000..9d80d3b
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Andrea della Porta <sfaragnaus@gmail.com>
+Date: Sat, 29 Apr 2017 07:30:23 +0100
+Subject: staging: wlan-ng: prism2mgmt.c: fixed a double endian conversion before calling hfa384x_drvr_setconfig16, also fixes relative sparse warning
+
+From: Andrea della Porta <sfaragnaus@gmail.com>
+
+
+[ Upstream commit dea20579a69ab68cdca6adf79bb7c0c162eb9b72 ]
+
+staging: wlan-ng: prism2mgmt.c: This patches fixes a double endian conversion.
+cpu_to_le16() was called twice first in prism2mgmt_scan and again inside
+hfa384x_drvr_setconfig16() for the same variable, hence it was swapped
+twice. Incidentally, it also fixed the following sparse warning:
+
+drivers/staging/wlan-ng/prism2mgmt.c:173:30: warning: incorrect type in assignment (different base types)
+drivers/staging/wlan-ng/prism2mgmt.c:173:30:    expected unsigned short [unsigned] [usertype] word
+drivers/staging/wlan-ng/prism2mgmt.c:173:30:    got restricted __le16 [usertype] <noident>
+
+Unfortunately, only compile tested.
+
+Signed-off-by: Andrea della Porta <sfaragnaus@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/wlan-ng/prism2mgmt.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/wlan-ng/prism2mgmt.c
++++ b/drivers/staging/wlan-ng/prism2mgmt.c
+@@ -169,7 +169,7 @@ int prism2mgmt_scan(wlandevice_t *wlande
+                                    hw->ident_sta_fw.variant) >
+           HFA384x_FIRMWARE_VERSION(1, 5, 0)) {
+               if (msg->scantype.data != P80211ENUM_scantype_active)
+-                      word = cpu_to_le16(msg->maxchanneltime.data);
++                      word = msg->maxchanneltime.data;
+               else
+                       word = 0;
diff --git a/queue-3.18/tags-honor-compiled_source-with-apart-output-directory.patch b/queue-3.18/tags-honor-compiled_source-with-apart-output-directory.patch
new file mode 100644 (file)
index 0000000..9326e72
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Robert Jarzmik <robert.jarzmik@free.fr>
+Date: Mon, 5 Jun 2017 13:59:15 +0200
+Subject: tags: honor COMPILED_SOURCE with apart output directory
+
+From: Robert Jarzmik <robert.jarzmik@free.fr>
+
+
+[ Upstream commit cbf52a3e6a8a92beec6e0c70abf4111cd8f8faf7 ]
+
+When the kernel is compiled with an "O=" argument, the object files are
+not in the source tree, but in the build tree.
+
+This patch fixes O= build by looking for object files in the build tree.
+
+Fixes: 923e02ecf3f8 ("scripts/tags.sh: Support compiled source")
+Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/tags.sh |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/scripts/tags.sh
++++ b/scripts/tags.sh
+@@ -106,6 +106,7 @@ all_compiled_sources()
+               case "$i" in
+                       *.[cS])
+                               j=${i/\.[cS]/\.o}
++                              j="${j#$tree}"
+                               if [ -e $j ]; then
+                                       echo $i
+                               fi
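Review bot: In the added `j="${j#$tree}"` the inner `$tree` is unquoted, so the shell treats its value as a pattern rather than a literal prefix, and a tree path containing `*`, `?` or `[` would strip the wrong amount. Quoting the inner expansion makes the match literal: `j="${j#"$tree"}"`. The `[ -e $j ]` and `echo $i` context lines are also unquoted and would split on whitespace in a path, but that predates this change. all_compiled_sources continues outside the hunk.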
diff --git a/queue-3.18/tty-n_gsm-allow-adm-response-in-addition-to-ua-for-control-dlci.patch b/queue-3.18/tty-n_gsm-allow-adm-response-in-addition-to-ua-for-control-dlci.patch
new file mode 100644 (file)
index 0000000..8810ba6
--- /dev/null
@@ -0,0 +1,119 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Tony Lindgren <tony@atomide.com>
+Date: Wed, 3 Jan 2018 10:18:03 -0800
+Subject: tty: n_gsm: Allow ADM response in addition to UA for control dlci
+
+From: Tony Lindgren <tony@atomide.com>
+
+
+[ Upstream commit ea3d8465ab9b3e01be329ac5195970a84bef76c5 ]
+
+Some devices have the control dlci stay in ADM mode instead of the UA
+mode. This can seen at least on droid 4 when trying to open the ts
+27.010 mux port. Enabling n_gsm debug mode shows the control dlci
+always respond with DM to SABM instead of UA:
+
+# modprobe n_gsm debug=0xff
+# ldattach -d GSM0710 /dev/ttyS0 &
+gsmld_output: 00000000: f9 03 3f 01 1c f9
+--> 0) C: SABM(P)
+gsmld_receive: 00000000: f9 03 1f 01 36 f9
+<-- 0) C: DM(P)
+...
+$ minicom -D /dev/gsmtty1
+minicom: cannot open /dev/gsmtty1: No error information
+$ strace minicom -D /dev/gsmtty1
+...
+open("/dev/gsmtty1", O_RDWR|O_NOCTTY|O_NONBLOCK|O_LARGEFILE) = -1 EL2HLT
+
+Note that this is different issue from other n_gsm -EL2HLT issues such
+as timeouts when the control dlci does not respond at all.
+
+The ADM mode seems to be a quite common according to "RF Wireless World"
+article "GSM Issue-UE sends SABM and gets a DM response instead of
+UA response":
+
+  This issue is most commonly observed in GSM networks where in UE sends
+  SABM and expects network to send UA response but it ends up receiving
+  DM response from the network. SABM stands for Set asynchronous balanced
+  mode, UA stands for Unnumbered Acknowledge and DA stands for
+  Disconnected Mode.
+
+  An RLP entity can be in one of two modes:
+  - Asynchronous Balanced Mode (ABM)
+  - Asynchronous Disconnected Mode (ADM)
+
+Currently Linux kernel closes the control dlci after several retries
+in gsm_dlci_t1() on DM. This causes n_gsm /dev/gsmtty ports to produce
+error code -EL2HLT when trying to open them as the closing of control
+dlci has already set gsm->dead.
+
+Let's fix the issue by allowing control dlci stay in ADM mode after the
+retries so the /dev/gsmtty ports can be opened and used. It seems that
+it might take several attempts to get any response from the control
+dlci, so it's best to allow ADM mode only after the SABM retries are
+done.
+
+Note that for droid 4 additional patches are needed to mux the ttyS0
+pins and to toggle RTS gpio_149 to wake up the mdm6600 modem are also
+needed to use n_gsm. And the mdm6600 modem needs to be powered on.
+
+Cc: linux-serial@vger.kernel.org
+Cc: Alan Cox <alan@llwyncelyn.cymru>
+Cc: Jiri Prchal <jiri.prchal@aksignal.cz>
+Cc: Jiri Slaby <jslaby@suse.cz>
+Cc: Marcel Partap <mpartap@gmx.net>
+Cc: Michael Scott <michael.scott@linaro.org>
+Cc: Peter Hurley <peter@hurleysoftware.com>
+Cc: Russ Gorby <russ.gorby@intel.com>
+Cc: Sascha Hauer <s.hauer@pengutronix.de>
+Cc: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/n_gsm.c |   17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -1467,6 +1467,10 @@ static void gsm_dlci_open(struct gsm_dlc
+  *    in which case an opening port goes back to closed and a closing port
+  *    is simply put into closed state (any further frames from the other
+  *    end will get a DM response)
++ *
++ *    Some control dlci can stay in ADM mode with other dlci working just
++ *    fine. In that case we can just keep the control dlci open after the
++ *    DLCI_OPENING retries time out.
+  */
+ static void gsm_dlci_t1(unsigned long data)
+@@ -1480,8 +1484,15 @@ static void gsm_dlci_t1(unsigned long da
+               if (dlci->retries) {
+                       gsm_command(dlci->gsm, dlci->addr, SABM|PF);
+                       mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100);
+-              } else
++              } else if (!dlci->addr && gsm->control == (DM | PF)) {
++                      if (debug & 8)
++                              pr_info("DLCI %d opening in ADM mode.\n",
++                                      dlci->addr);
++                      gsm_dlci_open(dlci);
++              } else {
+                       gsm_dlci_close(dlci);
++              }
++
+               break;
+       case DLCI_CLOSING:
+               dlci->retries--;
+@@ -1499,8 +1510,8 @@ static void gsm_dlci_t1(unsigned long da
+  *    @dlci: DLCI to open
+  *
+  *    Commence opening a DLCI from the Linux side. We issue SABM messages
+- *    to the modem which should then reply with a UA, at which point we
+- *    will move into open state. Opening is done asynchronously with retry
++ *    to the modem which should then reply with a UA or ADM, at which point
++ *    we will move into open state. Opening is done asynchronously with retry
+  *    running off timers and the responses.
+  */
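Review bot: The new branch in gsm_dlci_t1() decides to open the control DLCI from `gsm->control == (DM | PF)`, which looks like per-mux receive state rather than something recorded for this DLCI's SABM exchange. If that field simply holds the control byte of the last frame parsed, a DM|PF that arrived for another reason when the retries run out would also open DLCI 0; this is an inference, since the receive path is outside the hunks. A comment on the condition stating what guarantees the value belongs to the SABM exchange would help. In the kernel-doc change, "reply with a UA or ADM" should read "UA or DM", since ADM is the mode and DM the response, and the `pr_info` prints `dlci->addr`, which is always 0 in this branch.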
diff --git a/queue-3.18/usb-chipidea-properly-handle-host-or-gadget-initialization-failure.patch b/queue-3.18/usb-chipidea-properly-handle-host-or-gadget-initialization-failure.patch
new file mode 100644 (file)
index 0000000..3b550fe
--- /dev/null
@@ -0,0 +1,94 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Jisheng Zhang <jszhang@marvell.com>
+Date: Wed, 26 Apr 2017 16:59:34 +0800
+Subject: usb: chipidea: properly handle host or gadget initialization failure
+
+From: Jisheng Zhang <jszhang@marvell.com>
+
+
+[ Upstream commit c4a0bbbdb7f6e3c37fa6deb3ef28c5ed99da6175 ]
+
+If ci_hdrc_host_init() or ci_hdrc_gadget_init() returns error and the
+error != -ENXIO, as Peter pointed out, "it stands for initialization
+for host or gadget has failed", so we'd better return failure rather
+continue.
+
+And before destroying the otg, i.e ci_hdrc_otg_destroy(ci), we should
+also check ci->roles[CI_ROLE_GADGET].
+
+Signed-off-by: Jisheng Zhang <jszhang@marvell.com>
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/chipidea/core.c |   29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/chipidea/core.c
++++ b/drivers/usb/chipidea/core.c
+@@ -553,7 +553,7 @@ static inline void ci_role_destroy(struc
+ {
+       ci_hdrc_gadget_destroy(ci);
+       ci_hdrc_host_destroy(ci);
+-      if (ci->is_otg)
++      if (ci->is_otg && ci->roles[CI_ROLE_GADGET])
+               ci_hdrc_otg_destroy(ci);
+ }
+@@ -653,20 +653,28 @@ static int ci_hdrc_probe(struct platform
+       /* initialize role(s) before the interrupt is requested */
+       if (dr_mode == USB_DR_MODE_OTG || dr_mode == USB_DR_MODE_HOST) {
+               ret = ci_hdrc_host_init(ci);
+-              if (ret)
+-                      dev_info(dev, "doesn't support host\n");
++              if (ret) {
++                      if (ret == -ENXIO)
++                              dev_info(dev, "doesn't support host\n");
++                      else
++                              goto deinit_phy;
++              }
+       }
+       if (dr_mode == USB_DR_MODE_OTG || dr_mode == USB_DR_MODE_PERIPHERAL) {
+               ret = ci_hdrc_gadget_init(ci);
+-              if (ret)
+-                      dev_info(dev, "doesn't support gadget\n");
++              if (ret) {
++                      if (ret == -ENXIO)
++                              dev_info(dev, "doesn't support gadget\n");
++                      else
++                              goto deinit_host;
++              }
+       }
+       if (!ci->roles[CI_ROLE_HOST] && !ci->roles[CI_ROLE_GADGET]) {
+               dev_err(dev, "no supported roles\n");
+               ret = -ENODEV;
+-              goto deinit_phy;
++              goto deinit_gadget;
+       }
+       if (ci->is_otg && ci->roles[CI_ROLE_GADGET]) {
+@@ -676,7 +684,7 @@ static int ci_hdrc_probe(struct platform
+               ret = ci_hdrc_otg_init(ci);
+               if (ret) {
+                       dev_err(dev, "init otg fails, ret = %d\n", ret);
+-                      goto stop;
++                      goto deinit_gadget;
+               }
+       }
+@@ -727,7 +735,12 @@ static int ci_hdrc_probe(struct platform
+       free_irq(ci->irq, ci);
+ stop:
+-      ci_role_destroy(ci);
++      if (ci->is_otg && ci->roles[CI_ROLE_GADGET])
++              ci_hdrc_otg_destroy(ci);
++deinit_gadget:
++      ci_hdrc_gadget_destroy(ci);
++deinit_host:
++      ci_hdrc_host_destroy(ci);
+ deinit_phy:
+       usb_phy_shutdown(ci->transceiver);
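Review bot: The `no supported roles` path now jumps to `deinit_gadget`, so `ci_hdrc_gadget_destroy()` and `ci_hdrc_host_destroy()` run with both `ci->roles[]` slots empty, and `deinit_host` is likewise reached after a gadget init that failed. That is safe only if both destroy helpers return early for a role that was never set up; their bodies are outside the hunk, and since this is a 3.18 backport they are worth checking in this tree. The `stop:` label also open-codes the otg condition that `ci_role_destroy()` already carries, in a different order (otg first). A one-line comment at `stop:` saying the unwind is the reverse of the init order would keep the two from drifting apart.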
diff --git a/queue-3.18/usb-dwc3-keystone-check-return-value.patch b/queue-3.18/usb-dwc3-keystone-check-return-value.patch
new file mode 100644 (file)
index 0000000..1598d7d
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Pan Bian <bianpan2016@163.com>
+Date: Sun, 23 Apr 2017 13:55:13 +0800
+Subject: usb: dwc3: keystone: check return value
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit 018047a1dba7636e1f7fdae2cc290a528991d648 ]
+
+Function devm_clk_get() returns an ERR_PTR when it fails. However, in
+function kdwc3_probe(), its return value is not checked, which may
+result in a bad memory access bug. This patch fixes the bug.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/dwc3-keystone.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/dwc3/dwc3-keystone.c
++++ b/drivers/usb/dwc3/dwc3-keystone.c
+@@ -117,6 +117,10 @@ static int kdwc3_probe(struct platform_d
+       dev->dma_mask = &kdwc3_dma_mask;
+       kdwc->clk = devm_clk_get(kdwc->dev, "usb");
++      if (IS_ERR(kdwc->clk)) {
++              dev_err(kdwc->dev, "unable to get usb clock\n");
++              return PTR_ERR(kdwc->clk);
++      }
+       error = clk_prepare_enable(kdwc->clk);
+       if (error < 0) {
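Review bot: `devm_clk_get()` can return `-EPROBE_DEFER`, and the added block logs that with `dev_err` as if it were a hard failure, which would put an error line in the log on every deferred probe. Guarding the message avoids that: `if (PTR_ERR(kdwc->clk) != -EPROBE_DEFER) dev_err(kdwc->dev, "unable to get usb clock\n");`. The direct `return` is correct only if nothing acquired earlier in kdwc3_probe needs unwinding, which the hunk does not show.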
diff --git a/queue-3.18/usb-ene_usb6250-fix-first-command-execution.patch b/queue-3.18/usb-ene_usb6250-fix-first-command-execution.patch
new file mode 100644 (file)
index 0000000..d83929e
--- /dev/null
@@ -0,0 +1,65 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 16 May 2017 11:47:42 -0400
+Subject: USB: ene_usb6250: fix first command execution
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+
+[ Upstream commit 4b309f1c4972c8f09e03ac64fc63510dbf5591a4 ]
+
+In the ene_usb6250 sub-driver for usb-storage, the ene_transport()
+routine is supposed to initialize the driver before executing the
+current command, if the initialization has not already been performed.
+However, a bug in the routine causes it to skip the command after
+doing the initialization.  Also, the routine does not return an
+appropriate error code if either the initialization or the command
+fails.
+
+As a result of the first bug, the first command (a SCSI INQUIRY) is
+not carried out.  The results can be seen in the system log, in the
+form of a warning message and empty or garbage INQUIRY data:
+
+Apr 18 22:40:08 notebook2 kernel: scsi host6: scsi scan: INQUIRY result too short (5), using 36
+Apr 18 22:40:08 notebook2 kernel: scsi 6:0:0:0: Direct-Access                                    PQ: 0 ANSI: 0
+
+This patch fixes both errors.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-and-tested-by: Andreas Hartmann <andihartmann@01019freenet.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/storage/ene_ub6250.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/storage/ene_ub6250.c
++++ b/drivers/usb/storage/ene_ub6250.c
+@@ -2303,21 +2303,22 @@ static int ms_scsi_irp(struct us_data *u
+ static int ene_transport(struct scsi_cmnd *srb, struct us_data *us)
+ {
+-      int result = 0;
++      int result = USB_STOR_XFER_GOOD;
+       struct ene_ub6250_info *info = (struct ene_ub6250_info *)(us->extra);
+       /*US_DEBUG(usb_stor_show_command(us, srb)); */
+       scsi_set_resid(srb, 0);
+-      if (unlikely(!(info->SD_Status.Ready || info->MS_Status.Ready))) {
++      if (unlikely(!(info->SD_Status.Ready || info->MS_Status.Ready)))
+               result = ene_init(us);
+-      } else {
++      if (result == USB_STOR_XFER_GOOD) {
++              result = USB_STOR_TRANSPORT_ERROR;
+               if (info->SD_Status.Ready)
+                       result = sd_scsi_irp(us, srb);
+               if (info->MS_Status.Ready)
+                       result = ms_scsi_irp(us, srb);
+       }
+-      return 0;
++      return result;
+ }
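Review bot: `result` is seeded with and compared against `USB_STOR_XFER_GOOD`, but the same variable is then set to `USB_STOR_TRANSPORT_ERROR` and returned as the transport status, so two status families are mixed in one variable. As far as I can tell this works only because both GOOD constants have the same value; if `ene_init()` returns transport codes (its body is outside the hunk), `int result = USB_STOR_TRANSPORT_GOOD;` and `if (result == USB_STOR_TRANSPORT_GOOD) {` say what is meant. When both `SD_Status.Ready` and `MS_Status.Ready` are set, the second call still overwrites the first result, which this patch leaves unchanged.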
diff --git a/queue-3.18/usb-ene_usb6250-fix-scsi-residue-overwriting.patch b/queue-3.18/usb-ene_usb6250-fix-scsi-residue-overwriting.patch
new file mode 100644 (file)
index 0000000..2d301a8
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 16 May 2017 11:47:52 -0400
+Subject: USB: ene_usb6250: fix SCSI residue overwriting
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+
+[ Upstream commit aa18c4b6e0e39bfb00af48734ec24bc189ac9909 ]
+
+In the ene_usb6250 sub-driver for usb-storage, the SCSI residue is not
+reported correctly.  The residue is initialized to 0, but this value
+is overwritten whenever the driver sends firmware to the card reader
+before performing the current command.  As a result, a valid READ or
+WRITE operation appears to have failed, causing the SCSI core to retry
+the command multiple times and eventually fail.
+
+This patch fixes the problem by resetting the SCSI residue to 0 after
+sending firmware to the device.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-and-tested-by: Andreas Hartmann <andihartmann@01019freenet.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/storage/ene_ub6250.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/storage/ene_ub6250.c
++++ b/drivers/usb/storage/ene_ub6250.c
+@@ -1950,6 +1950,8 @@ static int ene_load_bincode(struct us_da
+       bcb->CDB[0] = 0xEF;
+       result = ene_send_scsi_cmd(us, FDIR_WRITE, buf, 0);
++      if (us->srb != NULL)
++              scsi_set_resid(us->srb, 0);
+       info->BIN_FLAG = flag;
+       kfree(buf);
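Review bot: The two added lines carry no comment, and without the commit message it is not obvious why a firmware-load helper touches the residue of the current command. A comment above the `if` such as `/* the firmware transfer above clobbered the residue of the command in flight */` would keep the lines from being removed later as dead code. The residue is cleared whatever `result` is; how `result` is handled after `kfree(buf)` is outside the hunk, so whether a failed load should leave the residue alone cannot be judged from here.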
diff --git a/queue-3.18/vfb-fix-video-mode-and-line_length-being-set-when-loaded.patch b/queue-3.18/vfb-fix-video-mode-and-line_length-being-set-when-loaded.patch
new file mode 100644 (file)
index 0000000..6a0ee23
--- /dev/null
@@ -0,0 +1,105 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: "Pieter \\\"PoroCYon\\\" Sluys" <pcy@national.shitposting.agency>
+Date: Thu, 4 Jan 2018 16:53:50 +0100
+Subject: vfb: fix video mode and line_length being set when loaded
+
+From: "Pieter \\\"PoroCYon\\\" Sluys" <pcy@national.shitposting.agency>
+
+
+[ Upstream commit 7b9faf5df0ac495a1a3d7cdb64921c179f9008ac ]
+
+Currently, when loading the vfb module, the newly created fbdev
+has a line_length of 0, and its video mode would be PSEUDOCOLOR
+regardless of color depth. (The former could be worked around by
+calling the FBIOPUT_VSCREENINFO ioctl with having the FBACTIVIATE_FORCE
+flag set.) This patch automatically sets the line_length correctly,
+and the video mode is derived from the bit depth now as well.
+
+Thanks to Geert Uytterhoeven for confirming the bug and helping me with
+the patch.
+
+Output of `fbset -i' before the patch:
+mode "1366x768-60"
+    # D: 72.432 MHz, H: 47.403 kHz, V: 60.004 Hz
+    geometry 1366 768 1366 768 32
+    timings 13806 120 10 14 3 32 5
+    rgba 8/0,8/8,8/16,8/24
+endmode
+
+Frame buffer device information:
+    Name        : Virtual FB
+    Address     : 0xffffaa1405d85000
+    Size        : 4196352
+    Type        : PACKED PIXELS
+    Visual      : PSEUDOCOLOR
+    XPanStep    : 1
+    YPanStep    : 1
+    YWrapStep   : 1
+    LineLength  : 0                    <-- note this
+    Accelerator : No
+
+After:
+mode "1366x768-60"
+    # D: 72.432 MHz, H: 47.403 kHz, V: 60.004 Hz
+    geometry 1366 768 1366 768 32
+    timings 13806 120 10 14 3 32 5
+    rgba 8/0,8/8,8/16,8/24
+endmode
+
+Frame buffer device information:
+    Name        : Virtual FB
+    Address     : 0xffffaa1405d85000
+    Size        : 4196352
+    Type        : PACKED PIXELS
+    Visual      : TRUECOLOR
+    XPanStep    : 1
+    YPanStep    : 1
+    YWrapStep   : 1
+    LineLength  : 5464
+    Accelerator : No
+
+Signed-off-by: "Pieter \"PoroCYon\" Sluys" <pcy@national.shitposting.agency>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+[b.zolnierkie: minor fixups]
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/vfb.c |   17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/drivers/video/fbdev/vfb.c
++++ b/drivers/video/fbdev/vfb.c
+@@ -284,8 +284,23 @@ static int vfb_check_var(struct fb_var_s
+  */
+ static int vfb_set_par(struct fb_info *info)
+ {
++      switch (info->var.bits_per_pixel) {
++      case 1:
++              info->fix.visual = FB_VISUAL_MONO01;
++              break;
++      case 8:
++              info->fix.visual = FB_VISUAL_PSEUDOCOLOR;
++              break;
++      case 16:
++      case 24:
++      case 32:
++              info->fix.visual = FB_VISUAL_TRUECOLOR;
++              break;
++      }
++
+       info->fix.line_length = get_line_length(info->var.xres_virtual,
+                                               info->var.bits_per_pixel);
++
+       return 0;
+ }
+@@ -526,6 +541,8 @@ static int vfb_probe(struct platform_dev
+               goto err2;
+       platform_set_drvdata(dev, info);
++      vfb_set_par(info);
++
+       fb_info(info, "Virtual frame buffer device, using %ldK of video memory\n",
+               videomemorysize >> 10);
+       return 0;
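Review bot: The new `switch (info->var.bits_per_pixel)` in vfb_set_par() has no `default:`, so any depth other than 1, 8, 16, 24 or 32 silently leaves `info->fix.visual` at its previous value. Whether vfb_check_var() limits the depth to those values is outside the hunk; an explicit `default:` with a comment naming that guarantee, or a fallback visual, would make the intent clear. In vfb_probe() the added `vfb_set_par(info);` comes after `platform_set_drvdata()`, and if the framebuffer is already registered at that point (not visible here) user space could briefly read the old `line_length` of 0.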
diff --git a/queue-3.18/virtio_net-check-return-value-of-skb_to_sgvec-always.patch b/queue-3.18/virtio_net-check-return-value-of-skb_to_sgvec-always.patch
new file mode 100644 (file)
index 0000000..e8065d9
--- /dev/null
@@ -0,0 +1,50 @@
+From e2fcad58fd230f635a74e4e983c6f4ea893642d2 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sun, 4 Jun 2017 04:16:26 +0200
+Subject: virtio_net: check return value of skb_to_sgvec always
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+commit e2fcad58fd230f635a74e4e983c6f4ea893642d2 upstream.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[natechancellor: backport to 3.18]
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/virtio_net.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -854,7 +854,7 @@ static int xmit_skb(struct send_queue *s
+       struct skb_vnet_hdr *hdr;
+       const unsigned char *dest = ((struct ethhdr *)skb->data)->h_dest;
+       struct virtnet_info *vi = sq->vq->vdev->priv;
+-      unsigned num_sg;
++      int num_sg;
+       unsigned hdr_len;
+       bool can_push;
+@@ -906,11 +906,16 @@ static int xmit_skb(struct send_queue *s
+       if (can_push) {
+               __skb_push(skb, hdr_len);
+               num_sg = skb_to_sgvec(skb, sq->sg, 0, skb->len);
++              if (unlikely(num_sg < 0))
++                      return num_sg;
+               /* Pull header back to avoid skew in tx bytes calculations. */
+               __skb_pull(skb, hdr_len);
+       } else {
+               sg_set_buf(sq->sg, hdr, hdr_len);
+-              num_sg = skb_to_sgvec(skb, sq->sg + 1, 0, skb->len) + 1;
++              num_sg = skb_to_sgvec(skb, sq->sg + 1, 0, skb->len);
++              if (unlikely(num_sg < 0))
++                      return num_sg;
++              num_sg++;
+       }
+       return virtqueue_add_outbuf(sq->vq, sq->sg, num_sg, skb, GFP_ATOMIC);
+ }
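Review bot: In the `can_push` branch the added `return num_sg;` leaves xmit_skb() after `__skb_push(skb, hdr_len)` but before the matching `__skb_pull()`, so on the error path the skb goes back to the caller with the virtio header still pushed. That is harmless only if the caller just drops and frees the skb on a negative return, which is outside the hunk. Moving `__skb_pull(skb, hdr_len);` above the `if (unlikely(num_sg < 0))` check is cheap and removes that dependency. The change of `num_sg` from `unsigned` to `int` is what makes the check work at all and deserves a word in the declaration's vicinity, e.g. `/* may hold a negative errno from skb_to_sgvec() */`.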
diff --git a/queue-3.18/virtio_net-check-return-value-of-skb_to_sgvec-in-one-more-location.patch b/queue-3.18/virtio_net-check-return-value-of-skb_to_sgvec-in-one-more-location.patch
new file mode 100644 (file)
index 0000000..9fd7c18
--- /dev/null
@@ -0,0 +1,44 @@
+From natechancellor@gmail.com  Tue Apr 10 14:13:23 2018
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Mon,  9 Apr 2018 18:21:44 -0700
+Subject: virtio_net: check return value of skb_to_sgvec in one more location
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org
+Cc: Nathan Chancellor <natechancellor@gmail.com>, "Jason A . Donenfeld" <Jason@zx2c4.com>, Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>, "Michael S. Tsirkin" <mst@redhat.com>, Jason Wang <jasowang@redhat.com>, "David S . Miller" <davem@davemloft.net>
+Message-ID: <20180410012150.6573-4-natechancellor@gmail.com>
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+Kernels that do not have f6b10209b90d ("virtio-net: switch to use
+build_skb() for small buffer") will have an extra call to skb_to_sgvec
+that is not handled by e2fcad58fd23 ("virtio_net: check return value of
+skb_to_sgvec always"). Since the former does not appear to be stable
+material, just fix the call up directly.
+
+Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+Cc: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: David S. Miller <davem@davemloft.net>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/virtio_net.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -551,7 +551,12 @@ static int add_recvbuf_small(struct rece
+       hdr = skb_vnet_hdr(skb);
+       sg_init_table(rq->sg, MAX_SKB_FRAGS + 2);
+       sg_set_buf(rq->sg, &hdr->hdr, sizeof hdr->hdr);
+-      skb_to_sgvec(skb, rq->sg + 1, 0, skb->len);
++
++      err = skb_to_sgvec(skb, rq->sg + 1, 0, skb->len);
++      if (unlikely(err < 0)) {
++              dev_kfree_skb(skb);
++              return err;
++      }
+       err = virtqueue_add_inbuf(rq->vq, rq->sg, 2, skb, gfp);
+       if (err < 0)
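Review bot: The new check in add_recvbuf_small() uses the return of `skb_to_sgvec()` only to detect failure, while the next line still passes a literal `2` as the entry count to `virtqueue_add_inbuf()`. On success the return value is the number of scatterlist entries filled, so the literal is right only while the skb maps to exactly one entry. A comment stating that assumption, or passing `err + 1`, would tie the count to what was actually mapped. The function continues outside the hunk.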
diff --git a/queue-3.18/vmxnet3-ensure-that-adapter-is-in-proper-state-during-force_close.patch b/queue-3.18/vmxnet3-ensure-that-adapter-is-in-proper-state-during-force_close.patch
new file mode 100644 (file)
index 0000000..4d3dcf1
--- /dev/null
@@ -0,0 +1,50 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Neil Horman <nhorman@tuxdriver.com>
+Date: Fri, 12 May 2017 12:00:01 -0400
+Subject: vmxnet3: ensure that adapter is in proper state during force_close
+
+From: Neil Horman <nhorman@tuxdriver.com>
+
+
+[ Upstream commit 1c4d5f51a812a82de97beee24f48ed05c65ebda5 ]
+
+There are several paths in vmxnet3, where settings changes cause the
+adapter to be brought down and back up (vmxnet3_set_ringparam among
+them).  Should part of the reset operation fail, these paths call
+vmxnet3_force_close, which enables all napi instances prior to calling
+dev_close (with the expectation that vmxnet3_close will then properly
+disable them again).  However, vmxnet3_force_close neglects to clear
+VMXNET3_STATE_BIT_QUIESCED prior to calling dev_close.  As a result
+vmxnet3_quiesce_dev (called from vmxnet3_close), returns early, and
+leaves all the napi instances in a enabled state while the device itself
+is closed.  If a device in this state is activated again, napi_enable
+will be called on already enabled napi_instances, leading to a BUG halt.
+
+The fix is to simply enausre that the QUIESCED bit is cleared in
+vmxnet3_force_close to allow quesence to be completed properly on close.
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+CC: Shrikrishna Khare <skhare@vmware.com>
+CC: "VMware, Inc." <pv-drivers@vmware.com>
+CC: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vmxnet3/vmxnet3_drv.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/vmxnet3/vmxnet3_drv.c
++++ b/drivers/net/vmxnet3/vmxnet3_drv.c
+@@ -2648,6 +2648,11 @@ vmxnet3_force_close(struct vmxnet3_adapt
+       /* we need to enable NAPI, otherwise dev_close will deadlock */
+       for (i = 0; i < adapter->num_rx_queues; i++)
+               napi_enable(&adapter->rx_queue[i].napi);
++      /*
++       * Need to clear the quiesce bit to ensure that vmxnet3_close
++       * can quiesce the device properly
++       */
++      clear_bit(VMXNET3_STATE_BIT_QUIESCED, &adapter->state);
+       dev_close(adapter->netdev);
+ }
diff --git a/queue-3.18/vxlan-dont-migrate-permanent-fdb-entries-during-learn.patch b/queue-3.18/vxlan-dont-migrate-permanent-fdb-entries-during-learn.patch
new file mode 100644 (file)
index 0000000..a0b6dfe
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Roopa Prabhu <roopa@cumulusnetworks.com>
+Date: Sun, 11 Jun 2017 16:32:50 -0700
+Subject: vxlan: dont migrate permanent fdb entries during learn
+
+From: Roopa Prabhu <roopa@cumulusnetworks.com>
+
+
+[ Upstream commit e0090a9e979de5202c7d16c635dea2f005221073 ]
+
+This patch fixes vxlan_snoop to not move permanent fdb entries
+on learn events. This is consistent with the bridge fdb
+handling of permanent entries.
+
+Fixes: 26a41ae60438 ("vxlan: only migrate dynamic FDB entries")
+Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vxlan.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -985,7 +985,7 @@ static bool vxlan_snoop(struct net_devic
+                       return false;
+               /* Don't migrate static entries, drop packets */
+-              if (f->state & NUD_NOARP)
++              if (f->state & (NUD_PERMANENT | NUD_NOARP))
+                       return true;
+               if (net_ratelimit())
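Review bot: The comment above the changed test in vxlan_snoop still says only "static entries", while the mask now also covers NUD_PERMANENT; I would update it to `/* Don't migrate static or permanent entries, drop packets */` so comment and condition agree. The `return true` path also sits before the `net_ratelimit()` message visible below it, so a frame that would have moved a pinned entry is dropped without any trace. A rate-limited debug message or a drop counter at this point would let an operator see address conflicts or spoofed source MACs aimed at permanent entries. The function starts and ends outside this hunk, so whether the caller already accounts for the drop cannot be confirmed from here.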
diff --git a/queue-3.18/wl1251-check-return-from-call-to-wl1251_acx_arp_ip_filter.patch b/queue-3.18/wl1251-check-return-from-call-to-wl1251_acx_arp_ip_filter.patch
new file mode 100644 (file)
index 0000000..b29d9e6
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Tue, 26 Dec 2017 17:33:18 +0000
+Subject: wl1251: check return from call to wl1251_acx_arp_ip_filter
+
+From: Colin Ian King <colin.king@canonical.com>
+
+
+[ Upstream commit ac1181c60822292176ab96912208ec9f9819faf8 ]
+
+Currently the less than zero error check on ret is incorrect
+as it is checking a far earlier ret assignment rather than the
+return from the call to wl1251_acx_arp_ip_filter. Fix this by
+adding in the missing assginment.
+
+Detected by CoverityScan, CID#1164835 ("Logically dead code")
+
+Fixes: 204cc5c44fb6 ("wl1251: implement hardware ARP filtering")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ti/wl1251/main.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ti/wl1251/main.c
++++ b/drivers/net/wireless/ti/wl1251/main.c
+@@ -1200,8 +1200,7 @@ static void wl1251_op_bss_info_changed(s
+               WARN_ON(wl->bss_type != BSS_TYPE_STA_BSS);
+               enable = bss_conf->arp_addr_cnt == 1 && bss_conf->assoc;
+-              wl1251_acx_arp_ip_filter(wl, enable, addr);
+-
++              ret = wl1251_acx_arp_ip_filter(wl, enable, addr);
+               if (ret < 0)
+                       goto out_sleep;
+       }
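Review bot: A failed wl1251_acx_arp_ip_filter() now jumps to `out_sleep`, but the hunk header shows wl1251_op_bss_info_changed as `static void`, so the error code is dropped and hardware ARP filtering can stay unconfigured with nothing in the log. I would report it before leaving, for example `if (ret < 0) { wl1251_warning("arp ip filter setup failed: %d", ret); goto out_sleep; }`. The early exit presumably also skips any later `changed` handling in the function; that part lies outside the hunk, so it is worth checking that skipping it on an ARP-filter error is intended.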
diff --git a/queue-3.18/x86-tsc-provide-tsc-unstable-boot-parameter.patch b/queue-3.18/x86-tsc-provide-tsc-unstable-boot-parameter.patch
new file mode 100644 (file)
index 0000000..3248152
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 13 Apr 2017 14:56:44 +0200
+Subject: x86/tsc: Provide 'tsc=unstable' boot parameter
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+
+[ Upstream commit 8309f86cd41e8714526867177facf7a316d9be53 ]
+
+Since the clocksource watchdog will only detect broken TSC after the
+fact, all TSC based clocks will likely have observed non-continuous
+values before/when switching away from TSC.
+
+Therefore only thing to fully avoid random clock movement when your
+BIOS randomly mucks with TSC values from SMI handlers is reporting the
+TSC as unstable at boot.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/tsc.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kernel/tsc.c
++++ b/arch/x86/kernel/tsc.c
+@@ -356,6 +356,8 @@ static int __init tsc_setup(char *str)
+               tsc_clocksource_reliable = 1;
+       if (!strncmp(str, "noirqtime", 9))
+               no_sched_irq_time = 1;
++      if (!strcmp(str, "unstable"))
++              mark_tsc_unstable("boot parameter");
+       return 1;
+ }
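Review bot: The new `unstable` option is matched with `strcmp`, while the `noirqtime` test two lines above uses a length-limited `strncmp`, so the options in tsc_setup now follow two different matching rules. The exact match is the stricter choice, but a short comment such as `/* exact match: "unstable" takes no suffix */` would show the difference is deliberate. The diffstat lists only arch/x86/kernel/tsc.c, so this patch does not describe the parameter in the kernel-parameters documentation. An entry belongs with it, saying that `tsc=unstable` marks the TSC unstable at boot for firmware that alters TSC values from SMI handlers. tsc_setup starts above the hunk, so the handling of the remaining options is not visible here.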
diff --git a/queue-3.18/xen-avoid-type-warning-in-xchg_xen_ulong.patch b/queue-3.18/xen-avoid-type-warning-in-xchg_xen_ulong.patch
new file mode 100644 (file)
index 0000000..6a9891a
--- /dev/null
@@ -0,0 +1,43 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 8 Jun 2017 10:53:10 +0200
+Subject: xen: avoid type warning in xchg_xen_ulong
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+
+[ Upstream commit 9cc91f212111cdcbefa02dcdb7dd443f224bf52c ]
+
+The improved type-checking version of container_of() triggers a warning for
+xchg_xen_ulong, pointing out that 'xen_ulong_t' is unsigned, but atomic64_t
+contains a signed value:
+
+drivers/xen/events/events_2l.c: In function 'evtchn_2l_handle_events':
+drivers/xen/events/events_2l.c:187:1020: error: call to '__compiletime_assert_187' declared with attribute error: pointer type mismatch in container_of()
+
+This adds a cast to work around the warning.
+
+Cc: Ian Abbott <abbotti@mev.co.uk>
+Fixes: 85323a991d40 ("xen: arm: mandate EABI and use generic atomic operations.")
+Fixes: daa2ac80834d ("kernel.h: handle pointers to arrays better in container_of()")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Acked-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/include/asm/xen/events.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/include/asm/xen/events.h
++++ b/arch/arm/include/asm/xen/events.h
+@@ -16,7 +16,7 @@ static inline int xen_irqs_disabled(stru
+       return raw_irqs_disabled_flags(regs->ARM_cpsr);
+ }
+-#define xchg_xen_ulong(ptr, val) atomic64_xchg(container_of((ptr),    \
++#define xchg_xen_ulong(ptr, val) atomic64_xchg(container_of((long long*)(ptr),\
+                                                           atomic64_t, \
+                                                           counter), (val))
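Review bot: The `(long long*)(ptr)` cast in xchg_xen_ulong satisfies the container_of() type check for every argument, not only for xen_ulong_t, so a caller passing a pointer to a narrower or unrelated type would now compile cleanly and atomic64_xchg would act on the wrong width. A comment on the macro recording why the cast exists, e.g. `/* xen_ulong_t is unsigned, atomic64_t.counter is signed; cast only to satisfy container_of() */`, would keep the next reader from relying on it more widely. A compile-time size check of `*(ptr)` against `xen_ulong_t` would restore the protection the cast removes. Kernel style also writes the cast as `(long long *)(ptr)`.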
diff --git a/queue-3.18/xfrm-fix-state-migration-copy-replay-sequence-numbers.patch b/queue-3.18/xfrm-fix-state-migration-copy-replay-sequence-numbers.patch
new file mode 100644 (file)
index 0000000..3a48b0a
--- /dev/null
@@ -0,0 +1,56 @@
+From foo@baz Tue Apr 10 13:58:07 CEST 2018
+From: Antony Antony <antony@phenome.org>
+Date: Fri, 19 May 2017 12:47:00 +0200
+Subject: xfrm: fix state migration copy replay sequence numbers
+
+From: Antony Antony <antony@phenome.org>
+
+
+[ Upstream commit a486cd23661c9387fb076c3f6ae8b2aa9d20d54a ]
+
+During xfrm migration copy replay and preplay sequence numbers
+from the previous state.
+
+Here is a tcpdump output showing the problem.
+10.0.10.46 is running vanilla kernel, is the IKE/IPsec responder.
+After the migration it sent wrong sequence number, reset to 1.
+The migration is from 10.0.0.52 to 10.0.0.53.
+
+IP 10.0.0.52.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7cf), length 136
+IP 10.0.10.46.4500 > 10.0.0.52.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x7cf), length 136
+IP 10.0.0.52.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d0), length 136
+IP 10.0.10.46.4500 > 10.0.0.52.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x7d0), length 136
+
+IP 10.0.0.53.4500 > 10.0.10.46.4500: NONESP-encap: isakmp: child_sa  inf2[I]
+IP 10.0.10.46.4500 > 10.0.0.53.4500: NONESP-encap: isakmp: child_sa  inf2[R]
+IP 10.0.0.53.4500 > 10.0.10.46.4500: NONESP-encap: isakmp: child_sa  inf2[I]
+IP 10.0.10.46.4500 > 10.0.0.53.4500: NONESP-encap: isakmp: child_sa  inf2[R]
+
+IP 10.0.0.53.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d1), length 136
+
+NOTE: next sequence is wrong 0x1
+
+IP 10.0.10.46.4500 > 10.0.0.53.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x1), length 136
+IP 10.0.0.53.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d2), length 136
+IP 10.0.10.46.4500 > 10.0.0.53.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x2), length 136
+
+Signed-off-by: Antony Antony <antony@phenome.org>
+Reviewed-by: Richard Guy Briggs <rgb@tricolour.ca>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_state.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -1208,6 +1208,8 @@ static struct xfrm_state *xfrm_state_clo
+       x->curlft.add_time = orig->curlft.add_time;
+       x->km.state = orig->km.state;
+       x->km.seq = orig->km.seq;
++      x->replay = orig->replay;
++      x->preplay = orig->preplay;
+       return x;