--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Tue, 3 Jan 2017 13:22:34 +0200
+Subject: ARM: OMAP1: DMA: Correct the number of logical channels
+
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+
+
+[ Upstream commit 657279778af54f35e54b07b6687918f254a2992c ]
+
+OMAP1510, OMAP5910 and OMAP310 have only 9 logical channels.
+OMAP1610, OMAP5912, OMAP1710, OMAP730, and OMAP850 have 16 logical channels
+available.
+
+The wired 17 for the lch_count must have been used to cover the 16 + 1
+dedicated LCD channel, in reality we can only use 9 or 16 channels.
+
+The d->chan_count is not used by the omap-dma stack, so we can skip the
+setup. chan_count was configured to the number of logical channels and not
+the actual number of physical channels anyways.
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Acked-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-omap1/dma.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/arch/arm/mach-omap1/dma.c
++++ b/arch/arm/mach-omap1/dma.c
+@@ -31,7 +31,6 @@
+ #include "soc.h"
+
+ #define OMAP1_DMA_BASE (0xfffed800)
+-#define OMAP1_LOGICAL_DMA_CH_COUNT 17
+
+ static u32 enable_1510_mode;
+
+@@ -311,8 +310,6 @@ static int __init omap1_system_dma_init(
+ goto exit_iounmap;
+ }
+
+- d->lch_count = OMAP1_LOGICAL_DMA_CH_COUNT;
+-
+ /* Valid attributes for omap1 plus processors */
+ if (cpu_is_omap15xx())
+ d->dev_caps = ENABLE_1510_MODE;
+@@ -329,13 +326,14 @@ static int __init omap1_system_dma_init(
+ d->dev_caps |= CLEAR_CSR_ON_READ;
+ d->dev_caps |= IS_WORD_16;
+
+- if (cpu_is_omap15xx())
+- d->chan_count = 9;
+- else if (cpu_is_omap16xx() || cpu_is_omap7xx()) {
+- if (!(d->dev_caps & ENABLE_1510_MODE))
+- d->chan_count = 16;
++ /* available logical channels */
++ if (cpu_is_omap15xx()) {
++ d->lch_count = 9;
++ } else {
++ if (d->dev_caps & ENABLE_1510_MODE)
++ d->lch_count = 9;
+ else
+- d->chan_count = 9;
++ d->lch_count = 16;
+ }
+
+ p = dma_plat_info;
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Iago Abal <mail@iagoabal.eu>
+Date: Wed, 11 Jan 2017 14:00:21 +0100
+Subject: dmaengine: pl330: fix double lock
+
+From: Iago Abal <mail@iagoabal.eu>
+
+
+[ Upstream commit 91539eb1fda2d530d3b268eef542c5414e54bf1a ]
+
+The static bug finder EBA (http://www.iagoabal.eu/eba/) reported the
+following double-lock bug:
+
+ Double lock:
+ 1. spin_lock_irqsave(pch->lock, flags) at pl330_free_chan_resources:2236;
+ 2. call to function `pl330_release_channel' immediately after;
+ 3. call to function `dma_pl330_rqcb' in line 1753;
+ 4. spin_lock_irqsave(pch->lock, flags) at dma_pl330_rqcb:1505.
+
+I have fixed it as suggested by Marek Szyprowski.
+
+First, I have replaced `pch->lock' with `pl330->lock' in functions
+`pl330_alloc_chan_resources' and `pl330_free_chan_resources'. This avoids
+the double-lock by acquiring a different lock than `dma_pl330_rqcb'.
+
+NOTE that, as a result, `pl330_free_chan_resources' executes
+`list_splice_tail_init' on `pch->work_list' under lock `pl330->lock',
+whereas in the rest of the code `pch->work_list' is protected by
+`pch->lock'. I don't know if this may cause race conditions. Similarly
+`pch->cyclic' is written by `pl330_alloc_chan_resources' under
+`pl330->lock' but read by `pl330_tx_submit' under `pch->lock'.
+
+Second, I have removed locking from `pl330_request_channel' and
+`pl330_release_channel' functions. Function `pl330_request_channel' is
+only called from `pl330_alloc_chan_resources', so the lock is already
+held. Function `pl330_release_channel' is called from
+`pl330_free_chan_resources', which already holds the lock, and from
+`pl330_del'. Function `pl330_del' is called in an error path of
+`pl330_probe' and at the end of `pl330_remove', but I assume that there
+cannot be concurrent accesses to the protected data at those points.
+
+Signed-off-by: Iago Abal <mail@iagoabal.eu>
+Reviewed-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/pl330.c | 19 ++++++-------------
+ 1 file changed, 6 insertions(+), 13 deletions(-)
+
+--- a/drivers/dma/pl330.c
++++ b/drivers/dma/pl330.c
+@@ -1657,7 +1657,6 @@ static bool _chan_ns(const struct pl330_
+ static struct pl330_thread *pl330_request_channel(struct pl330_dmac *pl330)
+ {
+ struct pl330_thread *thrd = NULL;
+- unsigned long flags;
+ int chans, i;
+
+ if (pl330->state == DYING)
+@@ -1665,8 +1664,6 @@ static struct pl330_thread *pl330_reques
+
+ chans = pl330->pcfg.num_chan;
+
+- spin_lock_irqsave(&pl330->lock, flags);
+-
+ for (i = 0; i < chans; i++) {
+ thrd = &pl330->channels[i];
+ if ((thrd->free) && (!_manager_ns(thrd) ||
+@@ -1684,8 +1681,6 @@ static struct pl330_thread *pl330_reques
+ thrd = NULL;
+ }
+
+- spin_unlock_irqrestore(&pl330->lock, flags);
+-
+ return thrd;
+ }
+
+@@ -1703,7 +1698,6 @@ static inline void _free_event(struct pl
+ static void pl330_release_channel(struct pl330_thread *thrd)
+ {
+ struct pl330_dmac *pl330;
+- unsigned long flags;
+
+ if (!thrd || thrd->free)
+ return;
+@@ -1715,10 +1709,8 @@ static void pl330_release_channel(struct
+
+ pl330 = thrd->dmac;
+
+- spin_lock_irqsave(&pl330->lock, flags);
+ _free_event(thrd, thrd->ev);
+ thrd->free = true;
+- spin_unlock_irqrestore(&pl330->lock, flags);
+ }
+
+ /* Initialize the structure for PL330 configuration, that can be used
+@@ -2085,20 +2077,20 @@ static int pl330_alloc_chan_resources(st
+ struct pl330_dmac *pl330 = pch->dmac;
+ unsigned long flags;
+
+- spin_lock_irqsave(&pch->lock, flags);
++ spin_lock_irqsave(&pl330->lock, flags);
+
+ dma_cookie_init(chan);
+ pch->cyclic = false;
+
+ pch->thread = pl330_request_channel(pl330);
+ if (!pch->thread) {
+- spin_unlock_irqrestore(&pch->lock, flags);
++ spin_unlock_irqrestore(&pl330->lock, flags);
+ return -ENOMEM;
+ }
+
+ tasklet_init(&pch->task, pl330_tasklet, (unsigned long) pch);
+
+- spin_unlock_irqrestore(&pch->lock, flags);
++ spin_unlock_irqrestore(&pl330->lock, flags);
+
+ return 1;
+ }
+@@ -2201,12 +2193,13 @@ static int pl330_pause(struct dma_chan *
+ static void pl330_free_chan_resources(struct dma_chan *chan)
+ {
+ struct dma_pl330_chan *pch = to_pchan(chan);
++ struct pl330_dmac *pl330 = pch->dmac;
+ unsigned long flags;
+
+ tasklet_kill(&pch->task);
+
+ pm_runtime_get_sync(pch->dmac->ddma.dev);
+- spin_lock_irqsave(&pch->lock, flags);
++ spin_lock_irqsave(&pl330->lock, flags);
+
+ pl330_release_channel(pch->thread);
+ pch->thread = NULL;
+@@ -2214,7 +2207,7 @@ static void pl330_free_chan_resources(st
+ if (pch->cyclic)
+ list_splice_tail_init(&pch->work_list, &pch->dmac->desc_pool);
+
+- spin_unlock_irqrestore(&pch->lock, flags);
++ spin_unlock_irqrestore(&pl330->lock, flags);
+ pm_runtime_mark_last_busy(pch->dmac->ddma.dev);
+ pm_runtime_put_autosuspend(pch->dmac->ddma.dev);
+ }
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Andrzej Hajda <a.hajda@samsung.com>
+Date: Tue, 17 Jan 2017 15:15:20 +0100
+Subject: drm/exynos/decon5433: set STANDALONE_UPDATE_F on output enablement
+
+From: Andrzej Hajda <a.hajda@samsung.com>
+
+
+[ Upstream commit 11d8bcef7a0399e1d2519f207fd575fc404306b4 ]
+
+DECON_TV requires STANDALONE_UPDATE after output enabling, otherwise it does
+not start. This change is neutral for DECON.
+
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/exynos/exynos5433_drm_decon.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/exynos/exynos5433_drm_decon.c
++++ b/drivers/gpu/drm/exynos/exynos5433_drm_decon.c
+@@ -180,6 +180,8 @@ static void decon_commit(struct exynos_d
+
+ /* enable output and display signal */
+ decon_set_bits(ctx, DECON_VIDCON0, VIDCON0_ENVID | VIDCON0_ENVID_F, ~0);
++
++ decon_set_bits(ctx, DECON_UPDATE, STANDALONE_UPDATE_F, ~0);
+ }
+
+ static void decon_win_set_pixfmt(struct decon_context *ctx, unsigned int win,
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+Date: Mon, 16 Oct 2017 12:40:29 -0500
+Subject: EDAC, sb_edac: Fix missing break in switch
+
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+
+
+[ Upstream commit a8e9b186f153a44690ad0363a56716e7077ad28c ]
+
+Add missing break statement in order to prevent the code from falling
+through.
+
+Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
+Cc: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20171016174029.GA19757@embeddedor.com
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/sb_edac.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/edac/sb_edac.c
++++ b/drivers/edac/sb_edac.c
+@@ -1773,6 +1773,7 @@ static int ibridge_mci_bind_devs(struct
+ break;
+ case PCI_DEVICE_ID_INTEL_IBRIDGE_IMC_HA0_TA:
+ pvt->pci_ta = pdev;
++ break;
+ case PCI_DEVICE_ID_INTEL_IBRIDGE_IMC_HA0_RAS:
+ pvt->pci_ras = pdev;
+ break;
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Boshi Wang <wangboshi@huawei.com>
+Date: Fri, 20 Oct 2017 16:01:03 +0800
+Subject: ima: fix hash algorithm initialization
+
+From: Boshi Wang <wangboshi@huawei.com>
+
+
+[ Upstream commit ebe7c0a7be92bbd34c6ff5b55810546a0ee05bee ]
+
+The hash_setup function always sets the hash_setup_done flag, even
+when the hash algorithm is invalid. This prevents the default hash
+algorithm defined as CONFIG_IMA_DEFAULT_HASH from being used.
+
+This patch sets hash_setup_done flag only for valid hash algorithms.
+
+Fixes: e7a2ad7eb6f4 "ima: enable support for larger default filedata hash algorithms"
+Signed-off-by: Boshi Wang <wangboshi@huawei.com>
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/integrity/ima/ima_main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/security/integrity/ima/ima_main.c
++++ b/security/integrity/ima/ima_main.c
+@@ -52,6 +52,8 @@ static int __init hash_setup(char *str)
+ ima_hash_algo = HASH_ALGO_SHA1;
+ else if (strncmp(str, "md5", 3) == 0)
+ ima_hash_algo = HASH_ALGO_MD5;
++ else
++ return 1;
+ goto out;
+ }
+
+@@ -61,6 +63,8 @@ static int __init hash_setup(char *str)
+ break;
+ }
+ }
++ if (i == HASH_ALGO__LAST)
++ return 1;
+ out:
+ hash_setup_done = 1;
+ return 1;
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Tue, 19 Sep 2017 19:01:40 +0900
+Subject: kprobes/x86: Disable preemption in ftrace-based jprobes
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+
+[ Upstream commit 5bb4fc2d8641219732eb2bb654206775a4219aca ]
+
+Disable preemption in ftrace-based jprobe handlers as
+described in Documentation/kprobes.txt:
+
+ "Probe handlers are run with preemption disabled."
+
+This will fix jprobes behavior when CONFIG_PREEMPT=y.
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Alexei Starovoitov <ast@fb.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Ananth N Mavinakayanahalli <ananth@linux.vnet.ibm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Paul E . McKenney <paulmck@linux.vnet.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/150581530024.32348.9863783558598926771.stgit@devbox
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/kprobes/ftrace.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/kernel/kprobes/ftrace.c
++++ b/arch/x86/kernel/kprobes/ftrace.c
+@@ -26,7 +26,7 @@
+ #include "common.h"
+
+ static nokprobe_inline
+-int __skip_singlestep(struct kprobe *p, struct pt_regs *regs,
++void __skip_singlestep(struct kprobe *p, struct pt_regs *regs,
+ struct kprobe_ctlblk *kcb, unsigned long orig_ip)
+ {
+ /*
+@@ -41,20 +41,21 @@ int __skip_singlestep(struct kprobe *p,
+ __this_cpu_write(current_kprobe, NULL);
+ if (orig_ip)
+ regs->ip = orig_ip;
+- return 1;
+ }
+
+ int skip_singlestep(struct kprobe *p, struct pt_regs *regs,
+ struct kprobe_ctlblk *kcb)
+ {
+- if (kprobe_ftrace(p))
+- return __skip_singlestep(p, regs, kcb, 0);
+- else
+- return 0;
++ if (kprobe_ftrace(p)) {
++ __skip_singlestep(p, regs, kcb, 0);
++ preempt_enable_no_resched();
++ return 1;
++ }
++ return 0;
+ }
+ NOKPROBE_SYMBOL(skip_singlestep);
+
+-/* Ftrace callback handler for kprobes */
++/* Ftrace callback handler for kprobes -- called under preepmt disabed */
+ void kprobe_ftrace_handler(unsigned long ip, unsigned long parent_ip,
+ struct ftrace_ops *ops, struct pt_regs *regs)
+ {
+@@ -77,13 +78,17 @@ void kprobe_ftrace_handler(unsigned long
+ /* Kprobe handler expects regs->ip = ip + 1 as breakpoint hit */
+ regs->ip = ip + sizeof(kprobe_opcode_t);
+
++ /* To emulate trap based kprobes, preempt_disable here */
++ preempt_disable();
+ __this_cpu_write(current_kprobe, p);
+ kcb->kprobe_status = KPROBE_HIT_ACTIVE;
+- if (!p->pre_handler || !p->pre_handler(p, regs))
++ if (!p->pre_handler || !p->pre_handler(p, regs)) {
+ __skip_singlestep(p, regs, kcb, orig_ip);
++ preempt_enable_no_resched();
++ }
+ /*
+ * If pre_handler returns !0, it sets regs->ip and
+- * resets current kprobe.
++ * resets current kprobe, and keep preempt count +1.
+ */
+ }
+ end:
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Christoffer Dall <christoffer.dall@linaro.org>
+Date: Mon, 9 Jan 2017 12:18:56 +0100
+Subject: KVM: arm/arm64: Fix occasional warning from the timer work function
+
+From: Christoffer Dall <christoffer.dall@linaro.org>
+
+
+[ Upstream commit 63e41226afc3f7a044b70325566fa86ac3142538 ]
+
+When a VCPU blocks (WFI) and has programmed the vtimer, we program a
+soft timer to expire in the future to wake up the vcpu thread when
+appropriate. Because such as wake up involves a vcpu kick, and the
+timer expire function can get called from interrupt context, and the
+kick may sleep, we have to schedule the kick in the work function.
+
+The work function currently has a warning that gets raised if it turns
+out that the timer shouldn't fire when it's run, which was added because
+the idea was that in that case the work should never have been cancelled.
+
+However, it turns out that this whole thing is racy and we can get
+spurious warnings. The problem is that we clear the armed flag in the
+work function, which may run in parallel with the
+kvm_timer_unschedule->timer_disarm() call. This results in a possible
+situation where the timer_disarm() call does not call
+cancel_work_sync(), which effectively synchronizes the completion of the
+work function with running the VCPU. As a result, the VCPU thread
+proceeds before the work function completees, causing changes to the
+timer state such that kvm_timer_should_fire(vcpu) returns false in the
+work function.
+
+All we do in the work function is to kick the VCPU, and an occasional
+rare extra kick never harmed anyone. Since the race above is extremely
+rare, we don't bother checking if the race happens but simply remove the
+check and the clearing of the armed flag from the work function.
+
+Reported-by: Matthias Brugger <mbrugger@suse.com>
+Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/arm/arch_timer.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/virt/kvm/arm/arch_timer.c
++++ b/virt/kvm/arm/arch_timer.c
+@@ -84,9 +84,6 @@ static void kvm_timer_inject_irq_work(st
+ struct kvm_vcpu *vcpu;
+
+ vcpu = container_of(work, struct kvm_vcpu, arch.timer_cpu.expired);
+- vcpu->arch.timer_cpu.armed = false;
+-
+- WARN_ON(!kvm_timer_should_fire(vcpu));
+
+ /*
+ * If the vcpu is blocked we want to wake it up so that it will see
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 8 Feb 2017 14:30:53 -0800
+Subject: mm: avoid returning VM_FAULT_RETRY from ->page_mkwrite handlers
+
+From: Jan Kara <jack@suse.cz>
+
+
+[ Upstream commit 0911d0041c22922228ca52a977d7b0b0159fee4b ]
+
+Some ->page_mkwrite handlers may return VM_FAULT_RETRY as its return
+code (GFS2 or Lustre can definitely do this). However VM_FAULT_RETRY
+from ->page_mkwrite is completely unhandled by the mm code and results
+in locking and writeably mapping the page which definitely is not what
+the caller wanted.
+
+Fix Lustre and block_page_mkwrite_ret() used by other filesystems
+(notably GFS2) to return VM_FAULT_NOPAGE instead which results in
+bailing out from the fault code, the CPU then retries the access, and we
+fault again effectively doing what the handler wanted.
+
+Link: http://lkml.kernel.org/r/20170203150729.15863-1-jack@suse.cz
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+Reviewed-by: Jinshan Xiong <jinshan.xiong@intel.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/lustre/lustre/llite/llite_mmap.c | 4 +---
+ include/linux/buffer_head.h | 4 +---
+ 2 files changed, 2 insertions(+), 6 deletions(-)
+
+--- a/drivers/staging/lustre/lustre/llite/llite_mmap.c
++++ b/drivers/staging/lustre/lustre/llite/llite_mmap.c
+@@ -402,15 +402,13 @@ static int ll_page_mkwrite(struct vm_are
+ result = VM_FAULT_LOCKED;
+ break;
+ case -ENODATA:
++ case -EAGAIN:
+ case -EFAULT:
+ result = VM_FAULT_NOPAGE;
+ break;
+ case -ENOMEM:
+ result = VM_FAULT_OOM;
+ break;
+- case -EAGAIN:
+- result = VM_FAULT_RETRY;
+- break;
+ default:
+ result = VM_FAULT_SIGBUS;
+ break;
+--- a/include/linux/buffer_head.h
++++ b/include/linux/buffer_head.h
+@@ -234,12 +234,10 @@ static inline int block_page_mkwrite_ret
+ {
+ if (err == 0)
+ return VM_FAULT_LOCKED;
+- if (err == -EFAULT)
++ if (err == -EFAULT || err == -EAGAIN)
+ return VM_FAULT_NOPAGE;
+ if (err == -ENOMEM)
+ return VM_FAULT_OOM;
+- if (err == -EAGAIN)
+- return VM_FAULT_RETRY;
+ /* -ENOSPC, -EDQUOT, -EIO ... */
+ return VM_FAULT_SIGBUS;
+ }
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
+Date: Mon, 9 Jan 2017 20:57:48 +0700
+Subject: net/appletalk: Fix kernel memory disclosure
+
+From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
+
+
+[ Upstream commit ce7e40c432ba84da104438f6799d460a4cad41bc ]
+
+ipddp_route structs contain alignment padding so kernel heap memory
+is leaked when they are copied to user space in
+ipddp_ioctl(SIOCFINDIPDDPRT). Change kmalloc() to kzalloc() to clear
+that memory.
+
+Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/appletalk/ipddp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/appletalk/ipddp.c
++++ b/drivers/net/appletalk/ipddp.c
+@@ -191,7 +191,7 @@ static netdev_tx_t ipddp_xmit(struct sk_
+ */
+ static int ipddp_create(struct ipddp_route *new_rt)
+ {
+- struct ipddp_route *rt = kmalloc(sizeof(*rt), GFP_KERNEL);
++ struct ipddp_route *rt = kzalloc(sizeof(*rt), GFP_KERNEL);
+
+ if (rt == NULL)
+ return -ENOMEM;
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Rui Sousa <rui.sousa@nxp.com>
+Date: Mon, 13 Feb 2017 10:01:25 +0800
+Subject: net: fec: fix multicast filtering hardware setup
+
+From: Rui Sousa <rui.sousa@nxp.com>
+
+
+[ Upstream commit 01f8902bcf3ff124d0aeb88a774180ebcec20ace ]
+
+Fix hardware setup of multicast address hash:
+- Never clear the hardware hash (to avoid packet loss)
+- Construct the hash register values in software and then write once
+to hardware
+
+Signed-off-by: Rui Sousa <rui.sousa@nxp.com>
+Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 23 +++++++++--------------
+ 1 file changed, 9 insertions(+), 14 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -2968,6 +2968,7 @@ static void set_multicast_list(struct ne
+ struct netdev_hw_addr *ha;
+ unsigned int i, bit, data, crc, tmp;
+ unsigned char hash;
++ unsigned int hash_high = 0, hash_low = 0;
+
+ if (ndev->flags & IFF_PROMISC) {
+ tmp = readl(fep->hwp + FEC_R_CNTRL);
+@@ -2990,11 +2991,7 @@ static void set_multicast_list(struct ne
+ return;
+ }
+
+- /* Clear filter and add the addresses in hash register
+- */
+- writel(0, fep->hwp + FEC_GRP_HASH_TABLE_HIGH);
+- writel(0, fep->hwp + FEC_GRP_HASH_TABLE_LOW);
+-
++ /* Add the addresses in hash register */
+ netdev_for_each_mc_addr(ha, ndev) {
+ /* calculate crc32 value of mac address */
+ crc = 0xffffffff;
+@@ -3012,16 +3009,14 @@ static void set_multicast_list(struct ne
+ */
+ hash = (crc >> (32 - HASH_BITS)) & 0x3f;
+
+- if (hash > 31) {
+- tmp = readl(fep->hwp + FEC_GRP_HASH_TABLE_HIGH);
+- tmp |= 1 << (hash - 32);
+- writel(tmp, fep->hwp + FEC_GRP_HASH_TABLE_HIGH);
+- } else {
+- tmp = readl(fep->hwp + FEC_GRP_HASH_TABLE_LOW);
+- tmp |= 1 << hash;
+- writel(tmp, fep->hwp + FEC_GRP_HASH_TABLE_LOW);
+- }
++ if (hash > 31)
++ hash_high |= 1 << (hash - 32);
++ else
++ hash_low |= 1 << hash;
+ }
++
++ writel(hash_high, fep->hwp + FEC_GRP_HASH_TABLE_HIGH);
++ writel(hash_low, fep->hwp + FEC_GRP_HASH_TABLE_LOW);
+ }
+
+ /* Set a MAC change in hardware. */
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 20 Jan 2017 13:01:57 +0000
+Subject: net: sctp: fix array overrun read on sctp_timer_tbl
+
+From: Colin Ian King <colin.king@canonical.com>
+
+
+[ Upstream commit 0e73fc9a56f22f2eec4d2b2910c649f7af67b74d ]
+
+The comparison on the timeout can lead to an array overrun
+read on sctp_timer_tbl because of an off-by-one error. Fix
+this by using < instead of <= and also compare to the array
+size rather than SCTP_EVENT_TIMEOUT_MAX.
+
+Fixes CoverityScan CID#1397639 ("Out-of-bounds read")
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/debug.c
++++ b/net/sctp/debug.c
+@@ -166,7 +166,7 @@ static const char *const sctp_timer_tbl[
+ /* Lookup timer debug name. */
+ const char *sctp_tname(const sctp_subtype_t id)
+ {
+- if (id.timeout <= SCTP_EVENT_TIMEOUT_MAX)
++ if (id.timeout < ARRAY_SIZE(sctp_timer_tbl))
+ return sctp_timer_tbl[id.timeout];
+ return "unknown_timer";
+ }
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Tue, 3 Jan 2017 16:34:49 -0800
+Subject: net: systemport: Pad packet before inserting TSB
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+
+[ Upstream commit 38e5a85562a6cd911fc26d951d576551a688574c ]
+
+Inserting the TSB means adding an extra 8 bytes in front the of packet
+that is going to be used as metadata information by the TDMA engine, but
+stripped off, so it does not really help with the packet padding.
+
+For some odd packet sizes that fall below the 60 bytes payload (e.g: ARP)
+we can end-up padding them after the TSB insertion, thus making them 64
+bytes, but with the TDMA stripping off the first 8 bytes, they could
+still be smaller than 64 bytes which is required to ingress the switch.
+
+Fix this by swapping the padding and TSB insertion, guaranteeing that
+the packets have the right sizes.
+
+Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -1045,15 +1045,6 @@ static netdev_tx_t bcm_sysport_xmit(stru
+ goto out;
+ }
+
+- /* Insert TSB and checksum infos */
+- if (priv->tsb_en) {
+- skb = bcm_sysport_insert_tsb(skb, dev);
+- if (!skb) {
+- ret = NETDEV_TX_OK;
+- goto out;
+- }
+- }
+-
+ /* The Ethernet switch we are interfaced with needs packets to be at
+ * least 64 bytes (including FCS) otherwise they will be discarded when
+ * they enter the switch port logic. When Broadcom tags are enabled, we
+@@ -1066,6 +1057,15 @@ static netdev_tx_t bcm_sysport_xmit(stru
+ goto out;
+ }
+
++ /* Insert TSB and checksum infos */
++ if (priv->tsb_en) {
++ skb = bcm_sysport_insert_tsb(skb, dev);
++ if (!skb) {
++ ret = NETDEV_TX_OK;
++ goto out;
++ }
++ }
++
+ skb_len = skb->len;
+
+ mapping = dma_map_single(kdev, skb->data, skb_len, DMA_TO_DEVICE);
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Tue, 3 Jan 2017 16:34:48 -0800
+Subject: net: systemport: Utilize skb_put_padto()
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+
+[ Upstream commit bb7da333d0a9f3bddc08f84187b7579a3f68fd24 ]
+
+Since we need to pad our packets, utilize skb_put_padto() which
+increases skb->len by how much we need to pad, allowing us to eliminate
+the test on skb->len right below.
+
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -1061,13 +1061,12 @@ static netdev_tx_t bcm_sysport_xmit(stru
+ * (including FCS and tag) because the length verification is done after
+ * the Broadcom tag is stripped off the ingress packet.
+ */
+- if (skb_padto(skb, ETH_ZLEN + ENET_BRCM_TAG_LEN)) {
++ if (skb_put_padto(skb, ETH_ZLEN + ENET_BRCM_TAG_LEN)) {
+ ret = NETDEV_TX_OK;
+ goto out;
+ }
+
+- skb_len = skb->len < ETH_ZLEN + ENET_BRCM_TAG_LEN ?
+- ETH_ZLEN + ENET_BRCM_TAG_LEN : skb->len;
++ skb_len = skb->len;
+
+ mapping = dma_map_single(kdev, skb->data, skb_len, DMA_TO_DEVICE);
+ if (dma_mapping_error(kdev, mapping)) {
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Thu, 5 Jan 2017 10:20:16 -0500
+Subject: nfs: Don't take a reference on fl->fl_file for LOCK operation
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+
+[ Upstream commit 4b09ec4b14a168bf2c687e1f598140c3c11e9222 ]
+
+I have reports of a crash that look like __fput() was called twice for
+a NFSv4.0 file. It seems possible that the state manager could try to
+reclaim a lock and take a reference on the fl->fl_file at the same time the
+file is being released if, during the close(), a signal interrupts the wait
+for outstanding IO while removing locks which then skips the removal
+of that lock.
+
+Since 83bfff23e9ed ("nfs4: have do_vfs_lock take an inode pointer") has
+removed the need to traverse fl->fl_file->f_inode in nfs4_lock_done(),
+taking that reference is no longer necessary.
+
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -38,7 +38,6 @@
+ #include <linux/mm.h>
+ #include <linux/delay.h>
+ #include <linux/errno.h>
+-#include <linux/file.h>
+ #include <linux/string.h>
+ #include <linux/ratelimit.h>
+ #include <linux/printk.h>
+@@ -5738,7 +5737,6 @@ static struct nfs4_lockdata *nfs4_alloc_
+ p->server = server;
+ atomic_inc(&lsp->ls_count);
+ p->ctx = get_nfs_open_context(ctx);
+- get_file(fl->fl_file);
+ memcpy(&p->fl, fl, sizeof(p->fl));
+ return p;
+ out_free_seqid:
+@@ -5851,7 +5849,6 @@ static void nfs4_lock_release(void *call
+ nfs_free_seqid(data->arg.lock_seqid);
+ nfs4_put_lock_state(data->lsp);
+ put_nfs_open_context(data->ctx);
+- fput(data->fl.fl_file);
+ kfree(data);
+ dprintk("%s: done!\n", __func__);
+ }
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Fri, 13 Jan 2017 13:31:32 -0500
+Subject: NFSv4: Fix client recovery when server reboots multiple times
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+
+[ Upstream commit c6180a6237174f481dc856ed6e890d8196b6f0fb ]
+
+If the server reboots multiple times, the client should rely on the
+server to tell it that it cannot reclaim state as per section 9.6.3.4
+in RFC7530 and section 8.4.2.1 in RFC5661.
+Currently, the client is being to conservative, and is assuming that
+if the server reboots while state recovery is in progress, then it must
+ignore state that was not recovered before the reboot.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4state.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -1680,7 +1680,6 @@ static int nfs4_recovery_handle_error(st
+ break;
+ case -NFS4ERR_STALE_CLIENTID:
+ set_bit(NFS4CLNT_LEASE_EXPIRED, &clp->cl_state);
+- nfs4_state_clear_reclaim_reboot(clp);
+ nfs4_state_start_reclaim_reboot(clp);
+ break;
+ case -NFS4ERR_EXPIRED:
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Thomas Richter <tmricht@linux.vnet.ibm.com>
+Date: Wed, 13 Sep 2017 10:12:09 +0200
+Subject: perf test attr: Fix ignored test case result
+
+From: Thomas Richter <tmricht@linux.vnet.ibm.com>
+
+
+[ Upstream commit 22905582f6dd4bbd0c370fe5732c607452010c04 ]
+
+Command perf test -v 16 (Setup struct perf_event_attr test) always
+reports success even if the test case fails. It works correctly if you
+also specify -F (for don't fork).
+
+ root@s35lp76 perf]# ./perf test -v 16
+ 15: Setup struct perf_event_attr :
+ --- start ---
+ running './tests/attr/test-record-no-delay'
+ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 0.002 MB /tmp/tmp4E1h7R/perf.data
+ (1 samples) ]
+ expected task=0, got 1
+ expected precise_ip=0, got 3
+ expected wakeup_events=1, got 0
+ FAILED './tests/attr/test-record-no-delay' - match failure
+ test child finished with 0
+ ---- end ----
+ Setup struct perf_event_attr: Ok
+
+The reason for the wrong error reporting is the return value of the
+system() library call. It is called in run_dir() file tests/attr.c and
+returns the exit status, in above case 0xff00.
+
+This value is given as parameter to the exit() function which can only
+handle values 0-0xff.
+
+The child process terminates with exit value of 0 and the parent does
+not detect any error.
+
+This patch corrects the error reporting and prints the correct test
+result.
+
+Signed-off-by: Thomas-Mich Richter <tmricht@linux.vnet.ibm.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Thomas-Mich Richter <tmricht@linux.vnet.ibm.com>
+LPU-Reference: 20170913081209.39570-2-tmricht@linux.vnet.ibm.com
+Link: http://lkml.kernel.org/n/tip-rdube6rfcjsr1nzue72c7lqn@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/tests/attr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/tests/attr.c
++++ b/tools/perf/tests/attr.c
+@@ -150,7 +150,7 @@ static int run_dir(const char *d, const
+ snprintf(cmd, 3*PATH_MAX, PYTHON " %s/attr.py -d %s/attr/ -p %s %.*s",
+ d, d, perf, vcnt, v);
+
+- return system(cmd);
++ return system(cmd) ? TEST_FAIL : TEST_OK;
+ }
+
+ int test__attr(void)
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
+Date: Thu, 12 Jan 2017 13:21:06 +0100
+Subject: ravb: Remove Rx overflow log messages
+
+From: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
+
+
+[ Upstream commit 18a3ed59d09cf81a6447aadf6931bf0c9ffec5e0 ]
+
+Remove Rx overflow log messages as in an environment where logging results
+in network traffic logging may cause further overflows.
+
+Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
+Signed-off-by: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
+[simon: reworked changelog]
+Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
+Acked-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -831,14 +831,10 @@ static int ravb_poll(struct napi_struct
+ /* Receive error message handling */
+ priv->rx_over_errors = priv->stats[RAVB_BE].rx_over_errors;
+ priv->rx_over_errors += priv->stats[RAVB_NC].rx_over_errors;
+- if (priv->rx_over_errors != ndev->stats.rx_over_errors) {
++ if (priv->rx_over_errors != ndev->stats.rx_over_errors)
+ ndev->stats.rx_over_errors = priv->rx_over_errors;
+- netif_err(priv, rx_err, ndev, "Receive Descriptor Empty\n");
+- }
+- if (priv->rx_fifo_errors != ndev->stats.rx_fifo_errors) {
++ if (priv->rx_fifo_errors != ndev->stats.rx_fifo_errors)
+ ndev->stats.rx_fifo_errors = priv->rx_fifo_errors;
+- netif_err(priv, rx_err, ndev, "Receive FIFO Overflow\n");
+- }
+ out:
+ return budget - quota;
+ }
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Mon, 30 Oct 2017 14:38:58 +0100
+Subject: s390/pci: do not require AIS facility
+
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+
+
+[ Upstream commit 48070c73058be6de9c0d754d441ed7092dfc8f12 ]
+
+As of today QEMU does not provide the AIS facility to its guest. This
+prevents Linux guests from using PCI devices as the ais facility is
+checked during init. As this is just a performance optimization, we can
+move the ais check into the code where we need it (calling the SIC
+instruction). This is used at initialization and on interrupt. Both
+places do not require any serialization, so we can simply skip the
+instruction.
+
+Since we will now get all interrupts, we can also avoid the 2nd scan.
+As we can have multiple interrupts in parallel we might trigger spurious
+irqs more often for the non-AIS case but the core code can handle that.
+
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Reviewed-by: Pierre Morel <pmorel@linux.vnet.ibm.com>
+Reviewed-by: Halil Pasic <pasic@linux.vnet.ibm.com>
+Acked-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/pci_insn.h | 2 +-
+ arch/s390/pci/pci.c | 5 +++--
+ arch/s390/pci/pci_insn.c | 6 +++++-
+ 3 files changed, 9 insertions(+), 4 deletions(-)
+
+--- a/arch/s390/include/asm/pci_insn.h
++++ b/arch/s390/include/asm/pci_insn.h
+@@ -81,6 +81,6 @@ int zpci_refresh_trans(u64 fn, u64 addr,
+ int zpci_load(u64 *data, u64 req, u64 offset);
+ int zpci_store(u64 data, u64 req, u64 offset);
+ int zpci_store_block(const u64 *data, u64 req, u64 offset);
+-void zpci_set_irq_ctrl(u16 ctl, char *unused, u8 isc);
++int zpci_set_irq_ctrl(u16 ctl, char *unused, u8 isc);
+
+ #endif
+--- a/arch/s390/pci/pci.c
++++ b/arch/s390/pci/pci.c
+@@ -359,7 +359,8 @@ static void zpci_irq_handler(struct airq
+ /* End of second scan with interrupts on. */
+ break;
+ /* First scan complete, reenable interrupts. */
+- zpci_set_irq_ctrl(SIC_IRQ_MODE_SINGLE, NULL, PCI_ISC);
++ if (zpci_set_irq_ctrl(SIC_IRQ_MODE_SINGLE, NULL, PCI_ISC))
++ break;
+ si = 0;
+ continue;
+ }
+@@ -921,7 +922,7 @@ static int __init pci_base_init(void)
+ if (!s390_pci_probe)
+ return 0;
+
+- if (!test_facility(69) || !test_facility(71) || !test_facility(72))
++ if (!test_facility(69) || !test_facility(71))
+ return 0;
+
+ rc = zpci_debug_init();
+--- a/arch/s390/pci/pci_insn.c
++++ b/arch/s390/pci/pci_insn.c
+@@ -7,6 +7,7 @@
+ #include <linux/export.h>
+ #include <linux/errno.h>
+ #include <linux/delay.h>
++#include <asm/facility.h>
+ #include <asm/pci_insn.h>
+ #include <asm/pci_debug.h>
+ #include <asm/processor.h>
+@@ -91,11 +92,14 @@ int zpci_refresh_trans(u64 fn, u64 addr,
+ }
+
+ /* Set Interruption Controls */
+-void zpci_set_irq_ctrl(u16 ctl, char *unused, u8 isc)
++int zpci_set_irq_ctrl(u16 ctl, char *unused, u8 isc)
+ {
++ if (!test_facility(72))
++ return -EIO;
+ asm volatile (
+ " .insn rsy,0xeb00000000d1,%[ctl],%[isc],%[u]\n"
+ : : [ctl] "d" (ctl), [isc] "d" (isc << 27), [u] "Q" (*unused));
++ return 0;
+ }
+
+ /* PCI Load */
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Andy Lutomirski <luto@kernel.org>
+Date: Sat, 4 Nov 2017 04:19:52 -0700
+Subject: selftests/x86/ldt_get: Add a few additional tests for limits
+
+From: Andy Lutomirski <luto@kernel.org>
+
+
+[ Upstream commit fec8f5ae1715a01c72ad52cb2ecd8aacaf142302 ]
+
+We weren't testing the .limit and .limit_in_pages fields very well.
+Add more tests.
+
+This addition seems to trigger the "bits 16:19 are undefined" issue
+that was fixed in an earlier patch. I think that, at least on my
+CPU, the high nibble of the limit ends in LAR bits 16:19.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bpetkov@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/5601c15ea9b3113d288953fd2838b18bedf6bc67.1509794321.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/x86/ldt_gdt.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/x86/ldt_gdt.c
++++ b/tools/testing/selftests/x86/ldt_gdt.c
+@@ -351,9 +351,24 @@ static void do_simple_tests(void)
+ install_invalid(&desc, false);
+
+ desc.seg_not_present = 0;
+- desc.read_exec_only = 0;
+ desc.seg_32bit = 1;
++ desc.read_exec_only = 0;
++ desc.limit = 0xfffff;
++
+ install_valid(&desc, AR_DPL3 | AR_TYPE_RWDATA | AR_S | AR_P | AR_DB);
++
++ desc.limit_in_pages = 1;
++
++ install_valid(&desc, AR_DPL3 | AR_TYPE_RWDATA | AR_S | AR_P | AR_DB | AR_G);
++ desc.read_exec_only = 1;
++ install_valid(&desc, AR_DPL3 | AR_TYPE_RODATA | AR_S | AR_P | AR_DB | AR_G);
++ desc.contents = 1;
++ desc.read_exec_only = 0;
++ install_valid(&desc, AR_DPL3 | AR_TYPE_RWDATA_EXPDOWN | AR_S | AR_P | AR_DB | AR_G);
++ desc.read_exec_only = 1;
++ install_valid(&desc, AR_DPL3 | AR_TYPE_RODATA_EXPDOWN | AR_S | AR_P | AR_DB | AR_G);
++
++ desc.limit = 0;
+ install_invalid(&desc, true);
+ }
+
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Aaron Sierra <asierra@xes-inc.com>
+Date: Wed, 4 Oct 2017 10:01:28 -0500
+Subject: serial: 8250: Preserve DLD[7:4] for PORT_XR17V35X
+
+From: Aaron Sierra <asierra@xes-inc.com>
+
+
+[ Upstream commit 0ab84da2e076948c49d36197ee7d254125c53eab ]
+
+The upper four bits of the XR17V35x fractional divisor register (DLD)
+control general chip function (RS-485 direction pin polarity, multidrop
+mode, XON/XOFF parity check, and fast IR mode). Don't allow these bits
+to be clobbered when setting the baudrate.
+
+Signed-off-by: Aaron Sierra <asierra@xes-inc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_port.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -2223,8 +2223,11 @@ static void serial8250_set_divisor(struc
+ serial_dl_write(up, quot);
+
+ /* XR17V35x UARTs have an extra fractional divisor register (DLD) */
+- if (up->port.type == PORT_XR17V35X)
++ if (up->port.type == PORT_XR17V35X) {
++ /* Preserve bits not related to baudrate; DLD[7:4]. */
++ quot_frac |= serial_port_in(port, 0x2) & 0xf0;
+ serial_port_out(port, 0x2, quot_frac);
++ }
+ }
+
+ static unsigned int
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Lukas Wunner <lukas@wunner.de>
+Date: Sat, 28 Oct 2017 11:35:49 +0200
+Subject: serial: 8250_fintek: Fix rs485 disablement on invalid ioctl()
+
+From: Lukas Wunner <lukas@wunner.de>
+
+
+[ Upstream commit 3236a965486ba0c6043cf2c7b51943d8b382ae29 ]
+
+This driver's ->rs485_config callback checks if SER_RS485_RTS_ON_SEND
+and SER_RS485_RTS_AFTER_SEND have the same value. If they do, it means
+the user has passed in invalid data with the TIOCSRS485 ioctl()
+since RTS must have a different polarity when sending and when not
+sending. In this case, rs485 mode is not enabled (the RS485_URA bit
+is not set in the RS485 Enable Register) and this is supposed to be
+signaled back to the user by clearing the SER_RS485_ENABLED bit in
+struct serial_rs485 ... except a missing tilde character is preventing
+that from happening.
+
+Fixes: 28e3fb6c4dce ("serial: Add support for Fintek F81216A LPC to 4 UART")
+Cc: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
+Cc: "Ji-Ze Hong (Peter Hong)" <hpeter@gmail.com>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_fintek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/8250/8250_fintek.c
++++ b/drivers/tty/serial/8250/8250_fintek.c
+@@ -117,7 +117,7 @@ static int fintek_8250_rs485_config(stru
+
+ if ((!!(rs485->flags & SER_RS485_RTS_ON_SEND)) ==
+ (!!(rs485->flags & SER_RS485_RTS_AFTER_SEND)))
+- rs485->flags &= SER_RS485_ENABLED;
++ rs485->flags &= ~SER_RS485_ENABLED;
+ else
+ config |= RS485_URA;
+
usb-quirks-add-no-lpm-quirk-for-ky-688-usb-3.1-type-c-hub.patch
serial-8250_pci-add-amazon-pci-serial-device-id.patch
s390-runtime-instrumentation-simplify-task-exit-handling.patch
+usb-serial-option-add-quectel-bg96-id.patch
+ima-fix-hash-algorithm-initialization.patch
+s390-pci-do-not-require-ais-facility.patch
+selftests-x86-ldt_get-add-a-few-additional-tests-for-limits.patch
+serial-8250_fintek-fix-rs485-disablement-on-invalid-ioctl.patch
+spi-sh-msiof-fix-dma-transfer-size-check.patch
+usb-dwc2-fix-udc-state-tracking.patch
+usb-dwc2-error-out-of-dwc2_hsotg_ep_disable-if-we-re-in-host-mode.patch
+usb-phy-tahvo-fix-error-handling-in-tahvo_usb_probe.patch
+serial-8250-preserve-dld-for-port_xr17v35x.patch
+x86-entry-use-syscall_define-macros-for-sys_modify_ldt.patch
+edac-sb_edac-fix-missing-break-in-switch.patch
+sysrq-fix-show-regs-call-trace-on-arm.patch
+usbip-tools-install-all-headers-needed-for-libusbip-development.patch
+perf-test-attr-fix-ignored-test-case-result.patch
+kprobes-x86-disable-preemption-in-ftrace-based-jprobes.patch
+net-systemport-utilize-skb_put_padto.patch
+net-systemport-pad-packet-before-inserting-tsb.patch
+arm-omap1-dma-correct-the-number-of-logical-channels.patch
+vti6-fix-device-register-to-report-ifla_info_kind.patch
+net-appletalk-fix-kernel-memory-disclosure.patch
+ravb-remove-rx-overflow-log-messages.patch
+nfs-don-t-take-a-reference-on-fl-fl_file-for-lock-operation.patch
+kvm-arm-arm64-fix-occasional-warning-from-the-timer-work-function.patch
+nfsv4-fix-client-recovery-when-server-reboots-multiple-times.patch
+drm-exynos-decon5433-set-standalone_update_f-on-output-enablement.patch
+net-sctp-fix-array-overrun-read-on-sctp_timer_tbl.patch
+tipc-fix-cleanup-at-module-unload.patch
+dmaengine-pl330-fix-double-lock.patch
+tcp-correct-memory-barrier-usage-in-tcp_check_space.patch
+mm-avoid-returning-vm_fault_retry-from-page_mkwrite-handlers.patch
+xen-netfront-improve-error-handling-during-initialization.patch
+net-fec-fix-multicast-filtering-hardware-setup.patch
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Hiromitsu Yamasaki <hiromitsu.yamasaki.ym@renesas.com>
+Date: Thu, 2 Nov 2017 10:32:36 +0100
+Subject: spi: sh-msiof: Fix DMA transfer size check
+
+From: Hiromitsu Yamasaki <hiromitsu.yamasaki.ym@renesas.com>
+
+
+[ Upstream commit 36735783fdb599c94b9c86824583df367c65900b ]
+
+DMA supports 32-bit words only,
+even if BITLEN1 of SITMDR2 register is 16bit.
+
+Fixes: b0d0ce8b6b91 ("spi: sh-msiof: Add DMA support")
+Signed-off-by: Hiromitsu Yamasaki <hiromitsu.yamasaki.ym@renesas.com>
+Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
+Acked-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Acked-by: Dirk Behme <dirk.behme@de.bosch.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-sh-msiof.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-sh-msiof.c
++++ b/drivers/spi/spi-sh-msiof.c
+@@ -863,7 +863,7 @@ static int sh_msiof_transfer_one(struct
+ break;
+ copy32 = copy_bswap32;
+ } else if (bits <= 16) {
+- if (l & 1)
++ if (l & 3)
+ break;
+ copy32 = copy_wswap32;
+ } else {
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Jibin Xu <jibin.xu@windriver.com>
+Date: Sun, 10 Sep 2017 20:11:42 -0700
+Subject: sysrq : fix Show Regs call trace on ARM
+
+From: Jibin Xu <jibin.xu@windriver.com>
+
+
+[ Upstream commit b00bebbc301c8e1f74f230dc82282e56b7e7a6db ]
+
+When kernel configuration SMP,PREEMPT and DEBUG_PREEMPT are enabled,
+echo 1 >/proc/sys/kernel/sysrq
+echo p >/proc/sysrq-trigger
+kernel will print call trace as below:
+
+sysrq: SysRq : Show Regs
+BUG: using __this_cpu_read() in preemptible [00000000] code: sh/435
+caller is __this_cpu_preempt_check+0x18/0x20
+Call trace:
+[<ffffff8008088e80>] dump_backtrace+0x0/0x1d0
+[<ffffff8008089074>] show_stack+0x24/0x30
+[<ffffff8008447970>] dump_stack+0x90/0xb0
+[<ffffff8008463950>] check_preemption_disabled+0x100/0x108
+[<ffffff8008463998>] __this_cpu_preempt_check+0x18/0x20
+[<ffffff80084c9194>] sysrq_handle_showregs+0x1c/0x40
+[<ffffff80084c9c7c>] __handle_sysrq+0x12c/0x1a0
+[<ffffff80084ca140>] write_sysrq_trigger+0x60/0x70
+[<ffffff8008251e00>] proc_reg_write+0x90/0xd0
+[<ffffff80081f1788>] __vfs_write+0x48/0x90
+[<ffffff80081f241c>] vfs_write+0xa4/0x190
+[<ffffff80081f3354>] SyS_write+0x54/0xb0
+[<ffffff80080833f0>] el0_svc_naked+0x24/0x28
+
+This can be seen on a common board like an r-pi3.
+This happens because when echo p >/proc/sysrq-trigger,
+get_irq_regs() is called outside of IRQ context,
+if preemption is enabled in this situation,kernel will
+print the call trace. Since many prior discussions on
+the mailing lists have made it clear that get_irq_regs
+either just returns NULL or stale data when used outside
+of IRQ context,we simply avoid calling it outside of
+IRQ context.
+
+Signed-off-by: Jibin Xu <jibin.xu@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/sysrq.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/sysrq.c
++++ b/drivers/tty/sysrq.c
+@@ -237,8 +237,10 @@ static void sysrq_handle_showallcpus(int
+ * architecture has no support for it:
+ */
+ if (!trigger_all_cpu_backtrace()) {
+- struct pt_regs *regs = get_irq_regs();
++ struct pt_regs *regs = NULL;
+
++ if (in_irq())
++ regs = get_irq_regs();
+ if (regs) {
+ pr_info("CPU%d:\n", smp_processor_id());
+ show_regs(regs);
+@@ -257,7 +259,10 @@ static struct sysrq_key_op sysrq_showall
+
+ static void sysrq_handle_showregs(int key)
+ {
+- struct pt_regs *regs = get_irq_regs();
++ struct pt_regs *regs = NULL;
++
++ if (in_irq())
++ regs = get_irq_regs();
+ if (regs)
+ show_regs(regs);
+ perf_event_print_debug();
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Jason Baron <jbaron@akamai.com>
+Date: Tue, 24 Jan 2017 21:49:41 -0500
+Subject: tcp: correct memory barrier usage in tcp_check_space()
+
+From: Jason Baron <jbaron@akamai.com>
+
+
+[ Upstream commit 56d806222ace4c3aeae516cd7a855340fb2839d8 ]
+
+sock_reset_flag() maps to __clear_bit() not the atomic version clear_bit().
+Thus, we need smp_mb(), smp_mb__after_atomic() is not sufficient.
+
+Fixes: 3c7151275c0c ("tcp: add memory barriers to write space paths")
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Jason Baron <jbaron@akamai.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -4942,7 +4942,7 @@ static void tcp_check_space(struct sock
+ if (sock_flag(sk, SOCK_QUEUE_SHRUNK)) {
+ sock_reset_flag(sk, SOCK_QUEUE_SHRUNK);
+ /* pairs with tcp_poll() */
+- smp_mb__after_atomic();
++ smp_mb();
+ if (sk->sk_socket &&
+ test_bit(SOCK_NOSPACE, &sk->sk_socket->flags))
+ tcp_new_space(sk);
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>
+Date: Tue, 24 Jan 2017 13:00:48 +0100
+Subject: tipc: fix cleanup at module unload
+
+From: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>
+
+
+[ Upstream commit 35e22e49a5d6a741ebe7f2dd280b2052c3003ef7 ]
+
+In tipc_server_stop(), we iterate over the connections with limiting
+factor as server's idr_in_use. We ignore the fact that this variable
+is decremented in tipc_close_conn(), leading to premature exit.
+
+In this commit, we iterate until the we have no connections left.
+
+Acked-by: Ying Xue <ying.xue@windriver.com>
+Acked-by: Jon Maloy <jon.maloy@ericsson.com>
+Tested-by: John Thompson <thompa.atl@gmail.com>
+Signed-off-by: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/server.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/tipc/server.c
++++ b/net/tipc/server.c
+@@ -618,14 +618,12 @@ int tipc_server_start(struct tipc_server
+ void tipc_server_stop(struct tipc_server *s)
+ {
+ struct tipc_conn *con;
+- int total = 0;
+ int id;
+
+ spin_lock_bh(&s->idr_lock);
+- for (id = 0; total < s->idr_in_use; id++) {
++ for (id = 0; s->idr_in_use; id++) {
+ con = idr_find(&s->conn_idr, id);
+ if (con) {
+- total++;
+ spin_unlock_bh(&s->idr_lock);
+ tipc_close_conn(con);
+ spin_lock_bh(&s->idr_lock);
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: John Stultz <john.stultz@linaro.org>
+Date: Mon, 23 Oct 2017 14:32:49 -0700
+Subject: usb: dwc2: Error out of dwc2_hsotg_ep_disable() if we're in host mode
+
+From: John Stultz <john.stultz@linaro.org>
+
+
+[ Upstream commit 9b481092c2a31a6b630aff9c28f0145bf6683787 ]
+
+We've found that while in host mode, using Android, if one runs
+the command:
+ stop adbd
+
+The existing usb devices being utilized in host mode are disconnected.
+This is most visible with usb networking devices.
+
+This seems to be due to adbd closing the file:
+ /dev/usb-ffs/adb/ep0
+Which calls ffs_ep0_release() and the following backtrace:
+
+[<ffffff800875a430>] dwc2_hsotg_ep_disable+0x148/0x150
+[<ffffff800875a498>] dwc2_hsotg_udc_stop+0x60/0x110
+[<ffffff8008787950>] usb_gadget_remove_driver+0x58/0x78
+[<ffffff80087879e4>] usb_gadget_unregister_driver+0x74/0xe8
+[<ffffff80087850c0>] unregister_gadget+0x28/0x58
+[<ffffff800878511c>] unregister_gadget_item+0x2c/0x40
+[<ffffff8008790ea8>] ffs_data_clear+0xe8/0xf8
+[<ffffff8008790ed8>] ffs_data_reset+0x20/0x58
+[<ffffff8008793218>] ffs_data_closed+0x98/0xe8
+[<ffffff80087932d8>] ffs_ep0_release+0x20/0x30
+
+Then when dwc2_hsotg_ep_disable() is called, we call
+kill_all_requests() which causes a bunch of the following
+messages:
+
+dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode
+dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode
+dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode
+dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode
+dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode
+dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode
+dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode
+dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode
+init: Service 'adbd' (pid 1915) killed by signal 9
+init: Sending signal 9 to service 'adbd' (pid 1915) process group...
+init: Successfully killed process cgroup uid 0 pid 1915 in 0ms
+init: processing action (init.svc.adbd=stopped) from (/init.usb.configfs.rc:15)
+dwc2 f72c0000.usb: dwc2_hc_chhltd_intr_dma: Channel 8 - ChHltd set, but reason is unknown
+dwc2 f72c0000.usb: hcint 0x00000002, intsts 0x04200029
+dwc2 f72c0000.usb: dwc2_hc_chhltd_intr_dma: Channel 12 - ChHltd set, but reason is unknown
+dwc2 f72c0000.usb: hcint 0x00000002, intsts 0x04200029
+dwc2 f72c0000.usb: dwc2_hc_chhltd_intr_dma: Channel 15 - ChHltd set, but reason is unknown
+dwc2 f72c0000.usb: hcint 0x00000002, intsts 0x04200029
+dwc2 f72c0000.usb: dwc2_hc_chhltd_intr_dma: Channel 3 - ChHltd set, but reason is unknown
+dwc2 f72c0000.usb: hcint 0x00000002, intsts 0x04200029
+dwc2 f72c0000.usb: dwc2_hc_chhltd_intr_dma: Channel 4 - ChHltd set, but reason is unknown
+dwc2 f72c0000.usb: hcint 0x00000002, intsts 0x04200029
+dwc2 f72c0000.usb: dwc2_update_urb_state_abn(): trimming xfer length
+
+And the usb devices connected are basically hung at this point.
+
+It seems like if we're in host mode, we probably shouldn't run
+the dwc2_hostg_ep_disable logic, so this patch returns an error
+in that case.
+
+With this patch (along with the previous patch in this set), we avoid
+the mismatched interrupts and connected usb devices continue to function.
+
+I'm not sure if some other solution would be better here, but this seems
+to work, so I wanted to send it out for input on what the right approach
+should be.
+
+Cc: Wei Xu <xuwei5@hisilicon.com>
+Cc: Guodong Xu <guodong.xu@linaro.org>
+Cc: Amit Pundir <amit.pundir@linaro.org>
+Cc: YongQin Liu <yongqin.liu@linaro.org>
+Cc: John Youn <johnyoun@synopsys.com>
+Cc: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+Cc: Douglas Anderson <dianders@chromium.org>
+Cc: Chen Yu <chenyu56@huawei.com>
+Cc: Felipe Balbi <felipe.balbi@linux.intel.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: linux-usb@vger.kernel.org
+Acked-by: Minas Harutyunyan <hminas@synopsys.com>
+Tested-by: Minas Harutyunyan <hminas@synopsys.com>
+Reported-by: YongQin Liu <yongqin.liu@linaro.org>
+Signed-off-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc2/gadget.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/dwc2/gadget.c
++++ b/drivers/usb/dwc2/gadget.c
+@@ -2834,6 +2834,11 @@ static int dwc2_hsotg_ep_disable(struct
+ return -EINVAL;
+ }
+
++ if (hsotg->op_state != OTG_STATE_B_PERIPHERAL) {
++ dev_err(hsotg->dev, "%s: called in host mode?\n", __func__);
++ return -EINVAL;
++ }
++
+ epctrl_reg = dir_in ? DIEPCTL(index) : DOEPCTL(index);
+
+ spin_lock_irqsave(&hsotg->lock, flags);
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: John Stultz <john.stultz@linaro.org>
+Date: Mon, 23 Oct 2017 14:32:50 -0700
+Subject: usb: dwc2: Fix UDC state tracking
+
+From: John Stultz <john.stultz@linaro.org>
+
+
+[ Upstream commit ce2b21a4e5ce042c0a42c9db8fa9e0f849427d5e ]
+
+It has been noticed that the dwc2 udc state reporting doesn't
+seem to work (at least on HiKey boards). Where after the initial
+setup, the sysfs /sys/class/udc/f72c0000.usb/state file would
+report "configured" no matter the state of the OTG port.
+
+This patch adds a call so that we report to the UDC layer when
+the gadget device is disconnected.
+
+This patch does depend on the previous patch ("usb: dwc2:
+Improve gadget state disconnection handling") in this patch set
+in order to properly work.
+
+Cc: Wei Xu <xuwei5@hisilicon.com>
+Cc: Guodong Xu <guodong.xu@linaro.org>
+Cc: Amit Pundir <amit.pundir@linaro.org>
+Cc: YongQin Liu <yongqin.liu@linaro.org>
+Cc: John Youn <johnyoun@synopsys.com>
+Cc: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+Cc: Douglas Anderson <dianders@chromium.org>
+Cc: Chen Yu <chenyu56@huawei.com>
+Cc: Felipe Balbi <felipe.balbi@linux.intel.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: linux-usb@vger.kernel.org
+Acked-by: Minas Harutyunyan <hminas@synopsys.com>
+Tested-by: Minas Harutyunyan <hminas@synopsys.com>
+Reported-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc2/gadget.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/dwc2/gadget.c
++++ b/drivers/usb/dwc2/gadget.c
+@@ -2206,6 +2206,8 @@ void dwc2_hsotg_disconnect(struct dwc2_h
+
+ call_gadget(hsotg, disconnect);
+ hsotg->lx_state = DWC2_L3;
++
++ usb_gadget_set_state(&hsotg->gadget, USB_STATE_NOTATTACHED);
+ }
+
+ /**
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Sat, 21 Oct 2017 01:02:07 +0300
+Subject: usb: phy: tahvo: fix error handling in tahvo_usb_probe()
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+
+[ Upstream commit ce035409bfa892a2fabb89720b542e1b335c3426 ]
+
+If devm_extcon_dev_allocate() fails, we should disable clk before return.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Fixes: 860d2686fda7 ("usb: phy: tahvo: Use devm_extcon_dev_[allocate|register]() and replace deprecated API")
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/phy/phy-tahvo.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/phy/phy-tahvo.c
++++ b/drivers/usb/phy/phy-tahvo.c
+@@ -368,7 +368,8 @@ static int tahvo_usb_probe(struct platfo
+ tu->extcon = devm_extcon_dev_allocate(&pdev->dev, tahvo_cable);
+ if (IS_ERR(tu->extcon)) {
+ dev_err(&pdev->dev, "failed to allocate memory for extcon\n");
+- return -ENOMEM;
++ ret = PTR_ERR(tu->extcon);
++ goto err_disable_clk;
+ }
+
+ ret = devm_extcon_dev_register(&pdev->dev, tu->extcon);
--- /dev/null
+From c654b21ede93845863597de9ad774fd30db5f2ab Mon Sep 17 00:00:00 2001
+From: Sebastian Sjoholm <ssjoholm@mac.com>
+Date: Mon, 20 Nov 2017 19:29:32 +0100
+Subject: USB: serial: option: add Quectel BG96 id
+
+From: Sebastian Sjoholm <ssjoholm@mac.com>
+
+commit c654b21ede93845863597de9ad774fd30db5f2ab upstream.
+
+Quectel BG96 is an Qualcomm MDM9206 based IoT modem, supporting both
+CAT-M and NB-IoT. Tested hardware is BG96 mounted on Quectel
+development board (EVB). The USB id is added to option.c to allow
+DIAG,GPS,AT and modem communication with the BG96.
+
+Signed-off-by: Sebastian Sjoholm <ssjoholm@mac.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -241,6 +241,7 @@ static void option_instat_callback(struc
+ /* These Quectel products use Quectel's vendor ID */
+ #define QUECTEL_PRODUCT_EC21 0x0121
+ #define QUECTEL_PRODUCT_EC25 0x0125
++#define QUECTEL_PRODUCT_BG96 0x0296
+
+ #define CMOTECH_VENDOR_ID 0x16d8
+ #define CMOTECH_PRODUCT_6001 0x6001
+@@ -1185,6 +1186,8 @@ static const struct usb_device_id option
+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+ { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC25),
+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
++ { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_BG96),
++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) },
+ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) },
+ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6003),
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun, 1 Oct 2017 02:18:37 +0100
+Subject: usbip: tools: Install all headers needed for libusbip development
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+
+[ Upstream commit c15562c0dcb2c7f26e891923b784cf1926b8c833 ]
+
+usbip_host_driver.h now depends on several additional headers, which
+need to be installed along with it.
+
+Fixes: 021aed845303 ("staging: usbip: userspace: migrate usbip_host_driver ...")
+Fixes: 3391ba0e2792 ("usbip: tools: Extract generic code to be shared with ...")
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/usb/usbip/Makefile.am | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/tools/usb/usbip/Makefile.am
++++ b/tools/usb/usbip/Makefile.am
+@@ -1,6 +1,7 @@
+ SUBDIRS := libsrc src
+ includedir = @includedir@/usbip
+ include_HEADERS := $(addprefix libsrc/, \
+- usbip_common.h vhci_driver.h usbip_host_driver.h)
++ usbip_common.h vhci_driver.h usbip_host_driver.h \
++ list.h sysfs_utils.h usbip_host_common.h)
+
+ dist_man_MANS := $(addprefix doc/, usbip.8 usbipd.8)
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: David Forster <dforster@brocade.com>
+Date: Fri, 6 Jan 2017 10:27:59 +0000
+Subject: vti6: fix device register to report IFLA_INFO_KIND
+
+From: David Forster <dforster@brocade.com>
+
+
+[ Upstream commit 93e246f783e6bd1bc64fdfbfe68b18161f69b28e ]
+
+vti6 interface is registered before the rtnl_link_ops block
+is attached. As a result the resulting RTM_NEWLINK is missing
+IFLA_INFO_KIND. Re-order attachment of rtnl_link_ops block to fix.
+
+Signed-off-by: Dave Forster <dforster@brocade.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_vti.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -189,12 +189,12 @@ static int vti6_tnl_create2(struct net_d
+ struct vti6_net *ip6n = net_generic(net, vti6_net_id);
+ int err;
+
++ dev->rtnl_link_ops = &vti6_link_ops;
+ err = register_netdevice(dev);
+ if (err < 0)
+ goto out;
+
+ strcpy(t->parms.name, dev->name);
+- dev->rtnl_link_ops = &vti6_link_ops;
+
+ dev_hold(dev);
+ vti6_tnl_link(ip6n, t);
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Wed, 18 Oct 2017 10:21:07 -0700
+Subject: x86/entry: Use SYSCALL_DEFINE() macros for sys_modify_ldt()
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+
+[ Upstream commit da20ab35180780e4a6eadc804544f1fa967f3567 ]
+
+We do not have tracepoints for sys_modify_ldt() because we define
+it directly instead of using the normal SYSCALL_DEFINEx() macros.
+
+However, there is a reason sys_modify_ldt() does not use the macros:
+it has an 'int' return type instead of 'unsigned long'. This is
+a bug, but it's a bug cemented in the ABI.
+
+What does this mean? If we return -EINVAL from a function that
+returns 'int', we have 0x00000000ffffffea in %rax. But, if we
+return -EINVAL from a function returning 'unsigned long', we end
+up with 0xffffffffffffffea in %rax, which is wrong.
+
+To work around this and maintain the 'int' behavior while using
+the SYSCALL_DEFINEx() macros, so we add a cast to 'unsigned int'
+in both implementations of sys_modify_ldt().
+
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Andy Lutomirski <luto@kernel.org>
+Reviewed-by: Brian Gerst <brgerst@gmail.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20171018172107.1A79C532@viggo.jf.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/syscalls.h | 2 +-
+ arch/x86/kernel/ldt.c | 16 +++++++++++++---
+ arch/x86/um/ldt.c | 7 +++++--
+ 3 files changed, 19 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/include/asm/syscalls.h
++++ b/arch/x86/include/asm/syscalls.h
+@@ -21,7 +21,7 @@ asmlinkage long sys_ioperm(unsigned long
+ asmlinkage long sys_iopl(unsigned int);
+
+ /* kernel/ldt.c */
+-asmlinkage int sys_modify_ldt(int, void __user *, unsigned long);
++asmlinkage long sys_modify_ldt(int, void __user *, unsigned long);
+
+ /* kernel/signal.c */
+ asmlinkage long sys_rt_sigreturn(void);
+--- a/arch/x86/kernel/ldt.c
++++ b/arch/x86/kernel/ldt.c
+@@ -12,6 +12,7 @@
+ #include <linux/string.h>
+ #include <linux/mm.h>
+ #include <linux/smp.h>
++#include <linux/syscalls.h>
+ #include <linux/slab.h>
+ #include <linux/vmalloc.h>
+ #include <linux/uaccess.h>
+@@ -271,8 +272,8 @@ out:
+ return error;
+ }
+
+-asmlinkage int sys_modify_ldt(int func, void __user *ptr,
+- unsigned long bytecount)
++SYSCALL_DEFINE3(modify_ldt, int , func , void __user * , ptr ,
++ unsigned long , bytecount)
+ {
+ int ret = -ENOSYS;
+
+@@ -290,5 +291,14 @@ asmlinkage int sys_modify_ldt(int func,
+ ret = write_ldt(ptr, bytecount, 0);
+ break;
+ }
+- return ret;
++ /*
++ * The SYSCALL_DEFINE() macros give us an 'unsigned long'
++ * return type, but tht ABI for sys_modify_ldt() expects
++ * 'int'. This cast gives us an int-sized value in %rax
++ * for the return code. The 'unsigned' is necessary so
++ * the compiler does not try to sign-extend the negative
++ * return codes into the high half of the register when
++ * taking the value from int->long.
++ */
++ return (unsigned int)ret;
+ }
+--- a/arch/x86/um/ldt.c
++++ b/arch/x86/um/ldt.c
+@@ -6,6 +6,7 @@
+ #include <linux/mm.h>
+ #include <linux/sched.h>
+ #include <linux/slab.h>
++#include <linux/syscalls.h>
+ #include <linux/uaccess.h>
+ #include <asm/unistd.h>
+ #include <os.h>
+@@ -369,7 +370,9 @@ void free_ldt(struct mm_context *mm)
+ mm->arch.ldt.entry_count = 0;
+ }
+
+-int sys_modify_ldt(int func, void __user *ptr, unsigned long bytecount)
++SYSCALL_DEFINE3(modify_ldt, int , func , void __user * , ptr ,
++ unsigned long , bytecount)
+ {
+- return do_modify_ldt_skas(func, ptr, bytecount);
++ /* See non-um modify_ldt() for why we do this cast */
++ return (unsigned int)do_modify_ldt_skas(func, ptr, bytecount);
+ }
--- /dev/null
+From foo@baz Wed Dec 6 16:43:17 CET 2017
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+Date: Wed, 8 Feb 2017 10:57:37 +0000
+Subject: xen-netfront: Improve error handling during initialization
+
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+
+
+[ Upstream commit e2e004acc7cbe3c531e752a270a74e95cde3ea48 ]
+
+This fixes a crash when running out of grant refs when creating many
+queues across many netdevs.
+
+* If creating queues fails (i.e. there are no grant refs available),
+call xenbus_dev_fatal() to ensure that the xenbus device is set to the
+closed state.
+* If no queues are created, don't call xennet_disconnect_backend as
+netdev->real_num_tx_queues will not have been set correctly.
+* If setup_netfront() fails, ensure that all the queues created are
+cleaned up, not just those that have been set up.
+* If any queues were set up and an error occurs, call
+xennet_destroy_queues() to clean up the napi context.
+* If any fatal error occurs, unregister and destroy the netdev to avoid
+leaving around a half setup network device.
+
+Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netfront.c | 29 +++++++++++------------------
+ 1 file changed, 11 insertions(+), 18 deletions(-)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -1840,27 +1840,19 @@ static int talk_to_netback(struct xenbus
+ xennet_destroy_queues(info);
+
+ err = xennet_create_queues(info, &num_queues);
+- if (err < 0)
+- goto destroy_ring;
++ if (err < 0) {
++ xenbus_dev_fatal(dev, err, "creating queues");
++ kfree(info->queues);
++ info->queues = NULL;
++ goto out;
++ }
+
+ /* Create shared ring, alloc event channel -- for each queue */
+ for (i = 0; i < num_queues; ++i) {
+ queue = &info->queues[i];
+ err = setup_netfront(dev, queue, feature_split_evtchn);
+- if (err) {
+- /* setup_netfront() will tidy up the current
+- * queue on error, but we need to clean up
+- * those already allocated.
+- */
+- if (i > 0) {
+- rtnl_lock();
+- netif_set_real_num_tx_queues(info->netdev, i);
+- rtnl_unlock();
+- goto destroy_ring;
+- } else {
+- goto out;
+- }
+- }
++ if (err)
++ goto destroy_ring;
+ }
+
+ again:
+@@ -1950,9 +1942,10 @@ abort_transaction_no_dev_fatal:
+ xenbus_transaction_end(xbt, 1);
+ destroy_ring:
+ xennet_disconnect_backend(info);
+- kfree(info->queues);
+- info->queues = NULL;
++ xennet_destroy_queues(info);
+ out:
++ unregister_netdev(info->netdev);
++ xennet_free_netdev(info->netdev);
+ return err;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
