autosel patches for 4.4
authorSasha Levin <sashal@kernel.org>
Mon, 11 Mar 2019 19:14:11 +0000 (15:14 -0400)
committerSasha Levin <sashal@kernel.org>
Mon, 11 Mar 2019 19:14:11 +0000 (15:14 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
34 files changed:
queue-4.4/arm-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch [new file with mode: 0644]
queue-4.4/autofs-drop-dentry-reference-only-when-it-is-never-u.patch [new file with mode: 0644]
queue-4.4/autofs-fix-error-return-in-autofs_fill_super.patch [new file with mode: 0644]
queue-4.4/cifs-fix-computation-for-max_smb2_hdr_size.patch [new file with mode: 0644]
queue-4.4/dmaengine-at_xdmac-fix-wrongfull-report-of-a-channel.patch [new file with mode: 0644]
queue-4.4/dmaengine-dmatest-abort-test-in-case-of-mapping-erro.patch [new file with mode: 0644]
queue-4.4/fs-drop_caches.c-avoid-softlockups-in-drop_pagecache.patch [new file with mode: 0644]
queue-4.4/gpio-vf610-mask-all-gpio-interrupts.patch [new file with mode: 0644]
queue-4.4/ib-hfi1-qib-fix-wc.byte_len-calculation-for-ud_send_.patch [new file with mode: 0644]
queue-4.4/iommu-amd-fix-iommu-page-flush-when-detach-device-fr.patch [new file with mode: 0644]
queue-4.4/ipvs-fix-signed-integer-overflow-when-setsockopt-tim.patch [new file with mode: 0644]
queue-4.4/irqchip-mmp-only-touch-the-pj4-irq-fiq-bits-on-enabl.patch [new file with mode: 0644]
queue-4.4/mips-remove-function-size-check-in-get_frame_info.patch [new file with mode: 0644]
queue-4.4/mm-memory_hotplug-is_mem_section_removable-do-not-pa.patch [new file with mode: 0644]
queue-4.4/mm-memory_hotplug-test_pages_in_a_zone-do-not-pass-t.patch [new file with mode: 0644]
queue-4.4/net-altera_tse-fix-msgdma_tx_completion-on-non-zero-.patch [new file with mode: 0644]
queue-4.4/net-hns-fix-wrong-read-accesses-via-clause-45-mdio-p.patch [new file with mode: 0644]
queue-4.4/net-stmmac-dwmac-rk-fix-error-handling-in-rk_gmac_po.patch [new file with mode: 0644]
queue-4.4/nfs-fix-null-pointer-dereference-of-dev_name.patch [new file with mode: 0644]
queue-4.4/perf-symbols-filter-out-hidden-symbols-from-labels.patch [new file with mode: 0644]
queue-4.4/perf-tools-handle-topology-headers-with-no-cpu.patch [new file with mode: 0644]
queue-4.4/perf-trace-support-multiple-vfs_getname-probes.patch [new file with mode: 0644]
queue-4.4/platform-x86-fix-unmet-dependency-warning-for-samsun.patch [new file with mode: 0644]
queue-4.4/s390-qeth-fix-use-after-free-in-error-path.patch [new file with mode: 0644]
queue-4.4/scsi-libfc-free-skb-when-receiving-invalid-flogi-res.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/vti4-fix-a-ipip-packet-processing-bug-in-ipcomp-virt.patch [new file with mode: 0644]
queue-4.4/x86-kexec-don-t-setup-efi-info-if-efi-runtime-is-not.patch [new file with mode: 0644]
queue-4.4/x86_64-increase-stack-size-for-kasan_extra.patch [new file with mode: 0644]
queue-4.4/xtensa-smp-fix-ccount_timer_shutdown.patch [new file with mode: 0644]
queue-4.4/xtensa-smp-fix-secondary-cpu-initialization.patch [new file with mode: 0644]
queue-4.4/xtensa-smp-limit-number-of-possible-cpus-by-nr_cpus.patch [new file with mode: 0644]
queue-4.4/xtensa-smp-mark-each-possible-cpu-as-present.patch [new file with mode: 0644]
queue-4.4/xtensa-smp_lx200_defconfig-fix-vectors-clash.patch [new file with mode: 0644]

diff --git a/queue-4.4/arm-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch b/queue-4.4/arm-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch
new file mode 100644 (file)
index 0000000..402cb47
--- /dev/null
@@ -0,0 +1,43 @@
+From d0ba80d77e6359d4b3f5bf2f7285db474650b4ce Mon Sep 17 00:00:00 2001
+From: Peng Hao <peng.hao2@zte.com.cn>
+Date: Sat, 29 Dec 2018 13:10:06 +0800
+Subject: ARM: pxa: ssp: unneeded to free devm_ allocated data
+
+[ Upstream commit ba16adeb346387eb2d1ada69003588be96f098fa ]
+
+devm_ allocated data will be automatically freed. The free
+of devm_ allocated data is invalid.
+
+Fixes: 1c459de1e645 ("ARM: pxa: ssp: use devm_ functions")
+Signed-off-by: Peng Hao <peng.hao2@zte.com.cn>
+[title's prefix changed]
+Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/plat-pxa/ssp.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/arch/arm/plat-pxa/ssp.c b/arch/arm/plat-pxa/ssp.c
+index daa1a65f2eb7..6748827c2ec8 100644
+--- a/arch/arm/plat-pxa/ssp.c
++++ b/arch/arm/plat-pxa/ssp.c
+@@ -238,8 +238,6 @@ static int pxa_ssp_remove(struct platform_device *pdev)
+       if (ssp == NULL)
+               return -ENODEV;
+-      iounmap(ssp->mmio_base);
+-
+       res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+       release_mem_region(res->start, resource_size(res));
+@@ -249,7 +247,6 @@ static int pxa_ssp_remove(struct platform_device *pdev)
+       list_del(&ssp->node);
+       mutex_unlock(&ssp_lock);
+-      kfree(ssp);
+       return 0;
+ }
+-- 
+2.19.1
+
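Review bot: `pxa_ssp_remove()` still calls `release_mem_region(res->start, resource_size(res));` on the context lines just below the removed `iounmap()`, and it dereferences `res` from `platform_get_resource()` without a NULL check. The commit named in the Fixes tag converted this driver to devm_ functions; if the memory region is also requested through a devm_ call (not visible in these hunks), this manual release is the same kind of invalid free that the patch removes for `iounmap()` and `kfree()`, and the two lines should be dropped as well. If the region is not devm-managed, a guard such as `if (res) release_mem_region(res->start, resource_size(res));` would avoid the unchecked dereference. The function starts outside the first hunk, so the probe-side allocation calls need to be confirmed against the full file.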
diff --git a/queue-4.4/autofs-drop-dentry-reference-only-when-it-is-never-u.patch b/queue-4.4/autofs-drop-dentry-reference-only-when-it-is-never-u.patch
new file mode 100644 (file)
index 0000000..706fe05
--- /dev/null
@@ -0,0 +1,46 @@
+From baefe25c3c47559cfca0782102ccc0029decf850 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Fri, 1 Feb 2019 14:21:26 -0800
+Subject: autofs: drop dentry reference only when it is never used
+
+[ Upstream commit 63ce5f552beb9bdb41546b3a26c4374758b21815 ]
+
+autofs_expire_run() calls dput(dentry) to drop the reference count of
+dentry.  However, dentry is read via autofs_dentry_ino(dentry) after
+that.  This may result in a use-free-bug.  The patch drops the reference
+count of dentry only when it is never used.
+
+Link: http://lkml.kernel.org/r/154725122396.11260.16053424107144453867.stgit@pluto-themaw-net
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Ian Kent <raven@themaw.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/autofs4/expire.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/autofs4/expire.c b/fs/autofs4/expire.c
+index 7a5a598a2d94..0d8b9c4f27f2 100644
+--- a/fs/autofs4/expire.c
++++ b/fs/autofs4/expire.c
+@@ -560,7 +560,6 @@ int autofs4_expire_run(struct super_block *sb,
+       pkt.len = dentry->d_name.len;
+       memcpy(pkt.name, dentry->d_name.name, pkt.len);
+       pkt.name[pkt.len] = '\0';
+-      dput(dentry);
+       if ( copy_to_user(pkt_p, &pkt, sizeof(struct autofs_packet_expire)) )
+               ret = -EFAULT;
+@@ -573,6 +572,8 @@ int autofs4_expire_run(struct super_block *sb,
+       complete_all(&ino->expire_complete);
+       spin_unlock(&sbi->fs_lock);
++      dput(dentry);
++
+       return ret;
+ }
+-- 
+2.19.1
+
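Review bot: The relocated `dput(dentry);` at the end of `autofs4_expire_run()` carries no comment explaining why it has to be the last statement before `return ret;`, so a later cleanup could move it back up and reintroduce the use-after-free. The commit message says `dentry` is still read through `autofs_dentry_ino(dentry)` after the old `dput()` position, and `ino->expire_complete` is used just above the new one. I would add `/* ino is reached through dentry: keep the reference until expire_complete has been signalled */` directly above the new `dput(dentry);`. The function body starts outside the hunk, so any earlier return paths that also need the `dput()` cannot be checked from here.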
diff --git a/queue-4.4/autofs-fix-error-return-in-autofs_fill_super.patch b/queue-4.4/autofs-fix-error-return-in-autofs_fill_super.patch
new file mode 100644 (file)
index 0000000..a18cbae
--- /dev/null
@@ -0,0 +1,39 @@
+From 773dfaca9936fa6ae0298f244bffb1c3c7448314 Mon Sep 17 00:00:00 2001
+From: Ian Kent <raven@themaw.net>
+Date: Fri, 1 Feb 2019 14:21:29 -0800
+Subject: autofs: fix error return in autofs_fill_super()
+
+[ Upstream commit f585b283e3f025754c45bbe7533fc6e5c4643700 ]
+
+In autofs_fill_super() on error of get inode/make root dentry the return
+should be ENOMEM as this is the only failure case of the called
+functions.
+
+Link: http://lkml.kernel.org/r/154725123240.11260.796773942606871359.stgit@pluto-themaw-net
+Signed-off-by: Ian Kent <raven@themaw.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/autofs4/inode.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/autofs4/inode.c b/fs/autofs4/inode.c
+index 1132fe71b312..0fd472d67029 100644
+--- a/fs/autofs4/inode.c
++++ b/fs/autofs4/inode.c
+@@ -255,8 +255,10 @@ int autofs4_fill_super(struct super_block *s, void *data, int silent)
+       }
+       root_inode = autofs4_get_inode(s, S_IFDIR | 0755);
+       root = d_make_root(root_inode);
+-      if (!root)
++      if (!root) {
++              ret = -ENOMEM;
+               goto fail_ino;
++      }
+       pipe = NULL;
+       root->d_fsdata = ino;
+-- 
+2.19.1
+
diff --git a/queue-4.4/cifs-fix-computation-for-max_smb2_hdr_size.patch b/queue-4.4/cifs-fix-computation-for-max_smb2_hdr_size.patch
new file mode 100644 (file)
index 0000000..dc4b3a5
--- /dev/null
@@ -0,0 +1,35 @@
+From 31fe3bc744857c762f5467a13bbff165afa9a6d4 Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Tue, 29 Jan 2019 12:46:16 +1000
+Subject: cifs: fix computation for MAX_SMB2_HDR_SIZE
+
+[ Upstream commit 58d15ed1203f4d858c339ea4d7dafa94bd2a56d3 ]
+
+The size of the fixed part of the create response is 88 bytes not 56.
+
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2pdu.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h
+index aacb15bd56fe..f087158c5555 100644
+--- a/fs/cifs/smb2pdu.h
++++ b/fs/cifs/smb2pdu.h
+@@ -82,8 +82,8 @@
+ #define NUMBER_OF_SMB2_COMMANDS       0x0013
+-/* 4 len + 52 transform hdr + 64 hdr + 56 create rsp */
+-#define MAX_SMB2_HDR_SIZE 0x00b0
++/* 52 transform hdr + 64 hdr + 88 create rsp */
++#define MAX_SMB2_HDR_SIZE 204
+ #define SMB2_PROTO_NUMBER cpu_to_le32(0x424d53fe)
+-- 
+2.19.1
+
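Review bot: `#define MAX_SMB2_HDR_SIZE 204` is a bare decimal whose only link to the protocol field sizes is the comment above it, while the neighbouring constants in this header are written in hex. Writing it as `#define MAX_SMB2_HDR_SIZE (52 + 64 + 88)` lets the compiler do the sum and keeps the value from drifting away from the comment on the next change. This constant presumably bounds header buffers elsewhere in the client (its users are not visible here), so a value that is too small should be easy to spot at a glance.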
diff --git a/queue-4.4/dmaengine-at_xdmac-fix-wrongfull-report-of-a-channel.patch b/queue-4.4/dmaengine-at_xdmac-fix-wrongfull-report-of-a-channel.patch
new file mode 100644 (file)
index 0000000..0ed80e1
--- /dev/null
@@ -0,0 +1,100 @@
+From 6ee0b2d89a3e17e4f545ca6515f62b5f81870090 Mon Sep 17 00:00:00 2001
+From: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+Date: Wed, 23 Jan 2019 16:33:47 +0000
+Subject: dmaengine: at_xdmac: Fix wrongfull report of a channel as in use
+
+[ Upstream commit dc3f595b6617ebc0307e0ce151e8f2f2b2489b95 ]
+
+atchan->status variable is used to store two different information:
+ - pass channel interrupts status from interrupt handler to tasklet;
+ - channel information like whether it is cyclic or paused;
+
+This causes a bug when device_terminate_all() is called,
+(AT_XDMAC_CHAN_IS_CYCLIC cleared on atchan->status) and then a late End
+of Block interrupt arrives (AT_XDMAC_CIS_BIS), which sets bit 0 of
+atchan->status. Bit 0 is also used for AT_XDMAC_CHAN_IS_CYCLIC, so when
+a new descriptor for a cyclic transfer is created, the driver reports
+the channel as in use:
+
+if (test_and_set_bit(AT_XDMAC_CHAN_IS_CYCLIC, &atchan->status)) {
+       dev_err(chan2dev(chan), "channel currently used\n");
+       return NULL;
+}
+
+This patch fixes the bug by adding a different struct member to keep
+the interrupts status separated from the channel status bits.
+
+Fixes: e1f7c9eee707 ("dmaengine: at_xdmac: creation of the atmel eXtended DMA Controller driver")
+Signed-off-by: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/at_xdmac.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c
+index 82a7c89caae2..af24c5bf32d6 100644
+--- a/drivers/dma/at_xdmac.c
++++ b/drivers/dma/at_xdmac.c
+@@ -203,6 +203,7 @@ struct at_xdmac_chan {
+       u32                             save_cim;
+       u32                             save_cnda;
+       u32                             save_cndc;
++      u32                             irq_status;
+       unsigned long                   status;
+       struct tasklet_struct           tasklet;
+       struct dma_slave_config         sconfig;
+@@ -1582,8 +1583,8 @@ static void at_xdmac_tasklet(unsigned long data)
+       struct at_xdmac_desc    *desc;
+       u32                     error_mask;
+-      dev_dbg(chan2dev(&atchan->chan), "%s: status=0x%08lx\n",
+-               __func__, atchan->status);
++      dev_dbg(chan2dev(&atchan->chan), "%s: status=0x%08x\n",
++              __func__, atchan->irq_status);
+       error_mask = AT_XDMAC_CIS_RBEIS
+                    | AT_XDMAC_CIS_WBEIS
+@@ -1591,15 +1592,15 @@ static void at_xdmac_tasklet(unsigned long data)
+       if (at_xdmac_chan_is_cyclic(atchan)) {
+               at_xdmac_handle_cyclic(atchan);
+-      } else if ((atchan->status & AT_XDMAC_CIS_LIS)
+-                 || (atchan->status & error_mask)) {
++      } else if ((atchan->irq_status & AT_XDMAC_CIS_LIS)
++                 || (atchan->irq_status & error_mask)) {
+               struct dma_async_tx_descriptor  *txd;
+-              if (atchan->status & AT_XDMAC_CIS_RBEIS)
++              if (atchan->irq_status & AT_XDMAC_CIS_RBEIS)
+                       dev_err(chan2dev(&atchan->chan), "read bus error!!!");
+-              if (atchan->status & AT_XDMAC_CIS_WBEIS)
++              if (atchan->irq_status & AT_XDMAC_CIS_WBEIS)
+                       dev_err(chan2dev(&atchan->chan), "write bus error!!!");
+-              if (atchan->status & AT_XDMAC_CIS_ROIS)
++              if (atchan->irq_status & AT_XDMAC_CIS_ROIS)
+                       dev_err(chan2dev(&atchan->chan), "request overflow error!!!");
+               spin_lock_bh(&atchan->lock);
+@@ -1654,7 +1655,7 @@ static irqreturn_t at_xdmac_interrupt(int irq, void *dev_id)
+                       atchan = &atxdmac->chan[i];
+                       chan_imr = at_xdmac_chan_read(atchan, AT_XDMAC_CIM);
+                       chan_status = at_xdmac_chan_read(atchan, AT_XDMAC_CIS);
+-                      atchan->status = chan_status & chan_imr;
++                      atchan->irq_status = chan_status & chan_imr;
+                       dev_vdbg(atxdmac->dma.dev,
+                                "%s: chan%d: imr=0x%x, status=0x%x\n",
+                                __func__, i, chan_imr, chan_status);
+@@ -1668,7 +1669,7 @@ static irqreturn_t at_xdmac_interrupt(int irq, void *dev_id)
+                                at_xdmac_chan_read(atchan, AT_XDMAC_CDA),
+                                at_xdmac_chan_read(atchan, AT_XDMAC_CUBC));
+-                      if (atchan->status & (AT_XDMAC_CIS_RBEIS | AT_XDMAC_CIS_WBEIS))
++                      if (atchan->irq_status & (AT_XDMAC_CIS_RBEIS | AT_XDMAC_CIS_WBEIS))
+                               at_xdmac_write(atxdmac, AT_XDMAC_GD, atchan->mask);
+                       tasklet_schedule(&atchan->tasklet);
+-- 
+2.19.1
+
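Review bot: `atchan->irq_status = chan_status & chan_imr;` in `at_xdmac_interrupt()` overwrites the new field on every interrupt, while `at_xdmac_tasklet()` reads it several times with no snapshot and no lock visible around those reads. If another interrupt for the same channel arrives before or while the tasklet runs, error bits such as `AT_XDMAC_CIS_RBEIS` from the earlier one can be lost, or the tasklet can see different values between its checks. Taking one copy at the top of the tasklet, `u32 irq_status = READ_ONCE(atchan->irq_status);`, and testing that copy would make the checks consistent; whether the handler should accumulate with `|=` depends on code outside these hunks. The new struct member would also benefit from a short comment such as `/* masked CIS bits latched by the IRQ handler for the tasklet */`.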
diff --git a/queue-4.4/dmaengine-dmatest-abort-test-in-case-of-mapping-erro.patch b/queue-4.4/dmaengine-dmatest-abort-test-in-case-of-mapping-erro.patch
new file mode 100644 (file)
index 0000000..e1ed832
--- /dev/null
@@ -0,0 +1,121 @@
+From 7caea3afe8d8d99ff3fed6e9f4131460b690b025 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Wed, 30 Jan 2019 21:48:44 +0200
+Subject: dmaengine: dmatest: Abort test in case of mapping error
+
+[ Upstream commit 6454368a804c4955ccd116236037536f81e5b1f1 ]
+
+In case of mapping error the DMA addresses are invalid and continuing
+will screw system memory or potentially something else.
+
+[  222.480310] dmatest: dma0chan7-copy0: summary 1 tests, 3 failures 6 iops 349 KB/s (0)
+...
+[  240.912725] check: Corrupted low memory at 00000000c7c75ac9 (2940 phys) = 5656000000000000
+[  240.921998] check: Corrupted low memory at 000000005715a1cd (2948 phys) = 279f2aca5595ab2b
+[  240.931280] check: Corrupted low memory at 000000002f4024c0 (2950 phys) = 5e5624f349e793cf
+...
+
+Abort any test if mapping failed.
+
+Fixes: 4076e755dbec ("dmatest: convert to dmaengine_unmap_data")
+Cc: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/dmatest.c | 28 ++++++++++++----------------
+ 1 file changed, 12 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/dma/dmatest.c b/drivers/dma/dmatest.c
+index 6796eb1a8a4c..884aecebb249 100644
+--- a/drivers/dma/dmatest.c
++++ b/drivers/dma/dmatest.c
+@@ -563,11 +563,9 @@ static int dmatest_func(void *data)
+                       srcs[i] = um->addr[i] + src_off;
+                       ret = dma_mapping_error(dev->dev, um->addr[i]);
+                       if (ret) {
+-                              dmaengine_unmap_put(um);
+                               result("src mapping error", total_tests,
+                                      src_off, dst_off, len, ret);
+-                              failed_tests++;
+-                              continue;
++                              goto error_unmap_continue;
+                       }
+                       um->to_cnt++;
+               }
+@@ -582,11 +580,9 @@ static int dmatest_func(void *data)
+                                              DMA_BIDIRECTIONAL);
+                       ret = dma_mapping_error(dev->dev, dsts[i]);
+                       if (ret) {
+-                              dmaengine_unmap_put(um);
+                               result("dst mapping error", total_tests,
+                                      src_off, dst_off, len, ret);
+-                              failed_tests++;
+-                              continue;
++                              goto error_unmap_continue;
+                       }
+                       um->bidi_cnt++;
+               }
+@@ -611,12 +607,10 @@ static int dmatest_func(void *data)
+               }
+               if (!tx) {
+-                      dmaengine_unmap_put(um);
+                       result("prep error", total_tests, src_off,
+                              dst_off, len, ret);
+                       msleep(100);
+-                      failed_tests++;
+-                      continue;
++                      goto error_unmap_continue;
+               }
+               done->done = false;
+@@ -625,12 +619,10 @@ static int dmatest_func(void *data)
+               cookie = tx->tx_submit(tx);
+               if (dma_submit_error(cookie)) {
+-                      dmaengine_unmap_put(um);
+                       result("submit error", total_tests, src_off,
+                              dst_off, len, ret);
+                       msleep(100);
+-                      failed_tests++;
+-                      continue;
++                      goto error_unmap_continue;
+               }
+               dma_async_issue_pending(chan);
+@@ -643,16 +635,14 @@ static int dmatest_func(void *data)
+                       dmaengine_unmap_put(um);
+                       result("test timed out", total_tests, src_off, dst_off,
+                              len, 0);
+-                      failed_tests++;
+-                      continue;
++                      goto error_unmap_continue;
+               } else if (status != DMA_COMPLETE) {
+                       dmaengine_unmap_put(um);
+                       result(status == DMA_ERROR ?
+                              "completion error status" :
+                              "completion busy status", total_tests, src_off,
+                              dst_off, len, ret);
+-                      failed_tests++;
+-                      continue;
++                      goto error_unmap_continue;
+               }
+               dmaengine_unmap_put(um);
+@@ -691,6 +681,12 @@ static int dmatest_func(void *data)
+                       verbose_result("test passed", total_tests, src_off,
+                                      dst_off, len, 0);
+               }
++
++              continue;
++
++error_unmap_continue:
++              dmaengine_unmap_put(um);
++              failed_tests++;
+       }
+       runtime = ktime_us_delta(ktime_get(), ktime);
+-- 
+2.19.1
+
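Review bot: In the `@@ -643,16 +635,14 @@` hunk, the timed-out branch and the `status != DMA_COMPLETE` branch each keep their `dmaengine_unmap_put(um);` context line and then jump to `error_unmap_continue`, where `dmaengine_unmap_put(um);` is called again, so as shown these two paths drop the unmap reference twice. A double put on a reference-counted unmap object can release it early and leave later accesses pointing at freed or already unmapped memory. The other four error paths had their local `dmaengine_unmap_put(um);` removed; the same should be done here, deleting the two remaining calls so that the label is the single release point. `dmatest_func()` starts and ends outside these hunks, so where `um` is acquired should be confirmed against the full 4.4 source.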
diff --git a/queue-4.4/fs-drop_caches.c-avoid-softlockups-in-drop_pagecache.patch b/queue-4.4/fs-drop_caches.c-avoid-softlockups-in-drop_pagecache.patch
new file mode 100644 (file)
index 0000000..051a9f0
--- /dev/null
@@ -0,0 +1,57 @@
+From 7199a084b3fdb6d98f52130f4eaf9f3f7985fdd2 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Fri, 1 Feb 2019 14:21:23 -0800
+Subject: fs/drop_caches.c: avoid softlockups in drop_pagecache_sb()
+
+[ Upstream commit c27d82f52f75fc9d8d9d40d120d2a96fdeeada5e ]
+
+When superblock has lots of inodes without any pagecache (like is the
+case for /proc), drop_pagecache_sb() will iterate through all of them
+without dropping sb->s_inode_list_lock which can lead to softlockups
+(one of our customers hit this).
+
+Fix the problem by going to the slow path and doing cond_resched() in
+case the process needs rescheduling.
+
+Link: http://lkml.kernel.org/r/20190114085343.15011-1-jack@suse.cz
+Signed-off-by: Jan Kara <jack@suse.cz>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Al Viro <viro@ZenIV.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/drop_caches.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/drop_caches.c b/fs/drop_caches.c
+index d72d52b90433..280460fef066 100644
+--- a/fs/drop_caches.c
++++ b/fs/drop_caches.c
+@@ -20,8 +20,13 @@ static void drop_pagecache_sb(struct super_block *sb, void *unused)
+       spin_lock(&sb->s_inode_list_lock);
+       list_for_each_entry(inode, &sb->s_inodes, i_sb_list) {
+               spin_lock(&inode->i_lock);
++              /*
++               * We must skip inodes in unusual state. We may also skip
++               * inodes without pages but we deliberately won't in case
++               * we need to reschedule to avoid softlockups.
++               */
+               if ((inode->i_state & (I_FREEING|I_WILL_FREE|I_NEW)) ||
+-                  (inode->i_mapping->nrpages == 0)) {
++                  (inode->i_mapping->nrpages == 0 && !need_resched())) {
+                       spin_unlock(&inode->i_lock);
+                       continue;
+               }
+@@ -29,6 +34,7 @@ static void drop_pagecache_sb(struct super_block *sb, void *unused)
+               spin_unlock(&inode->i_lock);
+               spin_unlock(&sb->s_inode_list_lock);
++              cond_resched();
+               invalidate_mapping_pages(inode->i_mapping, 0, -1);
+               iput(toput_inode);
+               toput_inode = inode;
+-- 
+2.19.1
+
diff --git a/queue-4.4/gpio-vf610-mask-all-gpio-interrupts.patch b/queue-4.4/gpio-vf610-mask-all-gpio-interrupts.patch
new file mode 100644 (file)
index 0000000..419efd4
--- /dev/null
@@ -0,0 +1,52 @@
+From b284e294b9c2f78c4fbdf8878eb8664979f9f5f1 Mon Sep 17 00:00:00 2001
+From: Andrew Lunn <andrew@lunn.ch>
+Date: Sun, 27 Jan 2019 22:58:00 +0100
+Subject: gpio: vf610: Mask all GPIO interrupts
+
+[ Upstream commit 7ae710f9f8b2cf95297e7bbfe1c09789a7dc43d4 ]
+
+On SoC reset all GPIO interrupts are disable. However, if kexec is
+used to boot into a new kernel, the SoC does not experience a
+reset. Hence GPIO interrupts can be left enabled from the previous
+kernel. It is then possible for the interrupt to fire before an
+interrupt handler is registered, resulting in the kernel complaining
+of an "unexpected IRQ trap", the interrupt is never cleared, and so
+fires again, resulting in an interrupt storm.
+
+Disable all GPIO interrupts before registering the GPIO IRQ chip.
+
+Fixes: 7f2691a19627 ("gpio: vf610: add gpiolib/IRQ chip driver for Vybrid")
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Acked-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-vf610.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/gpio/gpio-vf610.c b/drivers/gpio/gpio-vf610.c
+index 87b950cec6ec..db95c4b99a74 100644
+--- a/drivers/gpio/gpio-vf610.c
++++ b/drivers/gpio/gpio-vf610.c
+@@ -227,6 +227,7 @@ static int vf610_gpio_probe(struct platform_device *pdev)
+       struct vf610_gpio_port *port;
+       struct resource *iores;
+       struct gpio_chip *gc;
++      int i;
+       int ret;
+       port = devm_kzalloc(&pdev->dev, sizeof(*port), GFP_KERNEL);
+@@ -265,6 +266,10 @@ static int vf610_gpio_probe(struct platform_device *pdev)
+       if (ret < 0)
+               return ret;
++      /* Mask all GPIO interrupts */
++      for (i = 0; i < gc->ngpio; i++)
++              vf610_gpio_writel(0, port->base + PORT_PCR(i));
++
+       /* Clear the interrupt status register for all GPIO's */
+       vf610_gpio_writel(~0, port->base + PORT_ISFR);
+-- 
+2.19.1
+
diff --git a/queue-4.4/ib-hfi1-qib-fix-wc.byte_len-calculation-for-ud_send_.patch b/queue-4.4/ib-hfi1-qib-fix-wc.byte_len-calculation-for-ud_send_.patch
new file mode 100644 (file)
index 0000000..3ab69b4
--- /dev/null
@@ -0,0 +1,57 @@
+From e3a2df6cfc85b1156274ebe4640917fec3bd0417 Mon Sep 17 00:00:00 2001
+From: Brian Welty <brian.welty@intel.com>
+Date: Thu, 17 Jan 2019 12:41:32 -0800
+Subject: IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM
+
+[ Upstream commit 904bba211acc2112fdf866e5a2bc6cd9ecd0de1b ]
+
+The work completion length for a receiving a UD send with immediate is
+short by 4 bytes causing application using this opcode to fail.
+
+The UD receive logic incorrectly subtracts 4 bytes for immediate
+value. These bytes are already included in header length and are used to
+calculate header/payload split, so the result is these 4 bytes are
+subtracted twice, once when the header length subtracted from the overall
+length and once again in the UD opcode specific path.
+
+Remove the extra subtraction when handling the opcode.
+
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Brian Welty <brian.welty@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/qib/qib_ud.c | 1 -
+ drivers/staging/rdma/hfi1/ud.c     | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/qib/qib_ud.c b/drivers/infiniband/hw/qib/qib_ud.c
+index 59193f67ea78..56bd59bc08b5 100644
+--- a/drivers/infiniband/hw/qib/qib_ud.c
++++ b/drivers/infiniband/hw/qib/qib_ud.c
+@@ -515,7 +515,6 @@ void qib_ud_rcv(struct qib_ibport *ibp, struct qib_ib_header *hdr,
+           opcode == IB_OPCODE_UD_SEND_ONLY_WITH_IMMEDIATE) {
+               wc.ex.imm_data = ohdr->u.ud.imm_data;
+               wc.wc_flags = IB_WC_WITH_IMM;
+-              tlen -= sizeof(u32);
+       } else if (opcode == IB_OPCODE_UD_SEND_ONLY) {
+               wc.ex.imm_data = 0;
+               wc.wc_flags = 0;
+diff --git a/drivers/staging/rdma/hfi1/ud.c b/drivers/staging/rdma/hfi1/ud.c
+index 5a9c784bec04..a88e37444be0 100644
+--- a/drivers/staging/rdma/hfi1/ud.c
++++ b/drivers/staging/rdma/hfi1/ud.c
+@@ -793,7 +793,6 @@ void hfi1_ud_rcv(struct hfi1_packet *packet)
+           opcode == IB_OPCODE_UD_SEND_ONLY_WITH_IMMEDIATE) {
+               wc.ex.imm_data = ohdr->u.ud.imm_data;
+               wc.wc_flags = IB_WC_WITH_IMM;
+-              tlen -= sizeof(u32);
+       } else if (opcode == IB_OPCODE_UD_SEND_ONLY) {
+               wc.ex.imm_data = 0;
+               wc.wc_flags = 0;
+-- 
+2.19.1
+
diff --git a/queue-4.4/iommu-amd-fix-iommu-page-flush-when-detach-device-fr.patch b/queue-4.4/iommu-amd-fix-iommu-page-flush-when-detach-device-fr.patch
new file mode 100644 (file)
index 0000000..65ff4c6
--- /dev/null
@@ -0,0 +1,81 @@
+From 9c3f293ec55c14bf779d3988235a16462c56e122 Mon Sep 17 00:00:00 2001
+From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Date: Thu, 24 Jan 2019 04:16:45 +0000
+Subject: iommu/amd: Fix IOMMU page flush when detach device from a domain
+
+[ Upstream commit 9825bd94e3a2baae1f4874767ae3a7d4c049720e ]
+
+When a VM is terminated, the VFIO driver detaches all pass-through
+devices from VFIO domain by clearing domain id and page table root
+pointer from each device table entry (DTE), and then invalidates
+the DTE. Then, the VFIO driver unmap pages and invalidate IOMMU pages.
+
+Currently, the IOMMU driver keeps track of which IOMMU and how many
+devices are attached to the domain. When invalidate IOMMU pages,
+the driver checks if the IOMMU is still attached to the domain before
+issuing the invalidate page command.
+
+However, since VFIO has already detached all devices from the domain,
+the subsequent INVALIDATE_IOMMU_PAGES commands are being skipped as
+there is no IOMMU attached to the domain. This results in data
+corruption and could cause the PCI device to end up in indeterministic
+state.
+
+Fix this by invalidate IOMMU pages when detach a device, and
+before decrementing the per-domain device reference counts.
+
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Suggested-by: Joerg Roedel <joro@8bytes.org>
+Co-developed-by: Brijesh Singh <brijesh.singh@amd.com>
+Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
+Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Fixes: 6de8ad9b9ee0 ('x86/amd-iommu: Make iommu_flush_pages aware of multiple IOMMUs')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd_iommu.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index 52c36394dba5..0ad8b7c78a43 100644
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -1982,6 +1982,7 @@ static void do_attach(struct iommu_dev_data *dev_data,
+ static void do_detach(struct iommu_dev_data *dev_data)
+ {
++      struct protection_domain *domain = dev_data->domain;
+       struct amd_iommu *iommu;
+       u16 alias;
+@@ -1997,10 +1998,6 @@ static void do_detach(struct iommu_dev_data *dev_data)
+       iommu = amd_iommu_rlookup_table[dev_data->devid];
+       alias = dev_data->alias;
+-      /* decrease reference counters */
+-      dev_data->domain->dev_iommu[iommu->index] -= 1;
+-      dev_data->domain->dev_cnt                 -= 1;
+-
+       /* Update data structures */
+       dev_data->domain = NULL;
+       list_del(&dev_data->list);
+@@ -2010,6 +2007,16 @@ static void do_detach(struct iommu_dev_data *dev_data)
+       /* Flush the DTE entry */
+       device_flush_dte(dev_data);
++
++      /* Flush IOTLB */
++      domain_flush_tlb_pde(domain);
++
++      /* Wait for the flushes to finish */
++      domain_flush_complete(domain);
++
++      /* decrease reference counters - needs to happen after the flushes */
++      domain->dev_iommu[iommu->index] -= 1;
++      domain->dev_cnt                 -= 1;
+ }
+ /*
+-- 
+2.19.1
+
diff --git a/queue-4.4/ipvs-fix-signed-integer-overflow-when-setsockopt-tim.patch b/queue-4.4/ipvs-fix-signed-integer-overflow-when-setsockopt-tim.patch
new file mode 100644 (file)
index 0000000..7d213a6
--- /dev/null
@@ -0,0 +1,91 @@
+From 8ec2305bb0e0b598e7b20e680f3ee55286e7ecd2 Mon Sep 17 00:00:00 2001
+From: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+Date: Thu, 10 Jan 2019 16:39:06 +0800
+Subject: ipvs: Fix signed integer overflow when setsockopt timeout
+
+[ Upstream commit 53ab60baa1ac4f20b080a22c13b77b6373922fd7 ]
+
+There is a UBSAN bug report as below:
+UBSAN: Undefined behaviour in net/netfilter/ipvs/ip_vs_ctl.c:2227:21
+signed integer overflow:
+-2147483647 * 1000 cannot be represented in type 'int'
+
+Reproduce program:
+       #include <stdio.h>
+       #include <sys/types.h>
+       #include <sys/socket.h>
+
+       #define IPPROTO_IP 0
+       #define IPPROTO_RAW 255
+
+       #define IP_VS_BASE_CTL          (64+1024+64)
+       #define IP_VS_SO_SET_TIMEOUT    (IP_VS_BASE_CTL+10)
+
+       /* The argument to IP_VS_SO_GET_TIMEOUT */
+       struct ipvs_timeout_t {
+               int tcp_timeout;
+               int tcp_fin_timeout;
+               int udp_timeout;
+       };
+
+       int main() {
+               int ret = -1;
+               int sockfd = -1;
+               struct ipvs_timeout_t to;
+
+               sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+               if (sockfd == -1) {
+                       printf("socket init error\n");
+                       return -1;
+               }
+
+               to.tcp_timeout = -2147483647;
+               to.tcp_fin_timeout = -2147483647;
+               to.udp_timeout = -2147483647;
+
+               ret = setsockopt(sockfd,
+                                IPPROTO_IP,
+                                IP_VS_SO_SET_TIMEOUT,
+                                (char *)(&to),
+                                sizeof(to));
+
+               printf("setsockopt return %d\n", ret);
+               return ret;
+       }
+
+Return -EINVAL if the timeout value is negative or max than 'INT_MAX / HZ'.
+
+Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 3167ec76903a..56c62b65923f 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2217,6 +2217,18 @@ static int ip_vs_set_timeout(struct netns_ipvs *ipvs, struct ip_vs_timeout_user
+                 u->tcp_fin_timeout,
+                 u->udp_timeout);
++#ifdef CONFIG_IP_VS_PROTO_TCP
++      if (u->tcp_timeout < 0 || u->tcp_timeout > (INT_MAX / HZ) ||
++          u->tcp_fin_timeout < 0 || u->tcp_fin_timeout > (INT_MAX / HZ)) {
++              return -EINVAL;
++      }
++#endif
++
++#ifdef CONFIG_IP_VS_PROTO_UDP
++      if (u->udp_timeout < 0 || u->udp_timeout > (INT_MAX / HZ))
++              return -EINVAL;
++#endif
++
+ #ifdef CONFIG_IP_VS_PROTO_TCP
+       if (u->tcp_timeout) {
+               pd = ip_vs_proto_data_get(ipvs, IPPROTO_TCP);
+-- 
+2.19.1
+
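Review bot: The added range checks in ip_vs_set_timeout() use the bound `INT_MAX / HZ` without a comment saying why, although these three values come straight from a setsockopt() caller. The UBSAN report in the commit message points to a signed multiplication, presumably the scaling by HZ further down, which is outside this hunk. I would add `/* timeouts are user-supplied seconds and are scaled by HZ below; reject anything whose product would not fit in an int */` above the first `#ifdef`. The TCP check also wraps a single `return -EINVAL;` in braces while the UDP check next to it does not; dropping the braces keeps the two consistent.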
diff --git a/queue-4.4/irqchip-mmp-only-touch-the-pj4-irq-fiq-bits-on-enabl.patch b/queue-4.4/irqchip-mmp-only-touch-the-pj4-irq-fiq-bits-on-enabl.patch
new file mode 100644 (file)
index 0000000..db5e153
--- /dev/null
@@ -0,0 +1,55 @@
+From 7d5d23ca00fb8354f93c8ae2cc8854323ef626bb Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Mon, 28 Jan 2019 16:59:35 +0100
+Subject: irqchip/mmp: Only touch the PJ4 IRQ & FIQ bits on enable/disable
+
+[ Upstream commit 2380a22b60ce6f995eac806e69c66e397b59d045 ]
+
+Resetting bit 4 disables the interrupt delivery to the "secure
+processor" core. This breaks the keyboard on a OLPC XO 1.75 laptop,
+where the firmware running on the "secure processor" bit-bangs the
+PS/2 protocol over the GPIO lines.
+
+It is not clear what the rest of the bits are and Marvell was unhelpful
+when asked for documentation. Aside from the SP bit, there are probably
+priority bits.
+
+Leaving the unknown bits as the firmware set them up seems to be a wiser
+course of action compared to just turning them off.
+
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+[maz: fixed-up subject and commit message]
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-mmp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-mmp.c b/drivers/irqchip/irq-mmp.c
+index 013fc9659a84..2fe2bcb63a71 100644
+--- a/drivers/irqchip/irq-mmp.c
++++ b/drivers/irqchip/irq-mmp.c
+@@ -34,6 +34,9 @@
+ #define SEL_INT_PENDING               (1 << 6)
+ #define SEL_INT_NUM_MASK      0x3f
++#define MMP2_ICU_INT_ROUTE_PJ4_IRQ    (1 << 5)
++#define MMP2_ICU_INT_ROUTE_PJ4_FIQ    (1 << 6)
++
+ struct icu_chip_data {
+       int                     nr_irqs;
+       unsigned int            virq_base;
+@@ -190,7 +193,8 @@ static struct mmp_intc_conf mmp_conf = {
+ static struct mmp_intc_conf mmp2_conf = {
+       .conf_enable    = 0x20,
+       .conf_disable   = 0x0,
+-      .conf_mask      = 0x7f,
++      .conf_mask      = MMP2_ICU_INT_ROUTE_PJ4_IRQ |
++                        MMP2_ICU_INT_ROUTE_PJ4_FIQ,
+ };
+ static void __exception_irq_entry mmp_handle_irq(struct pt_regs *regs)
+-- 
+2.19.1
+
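Review bot: In `mmp2_conf` the mask is now spelled with the new `MMP2_ICU_INT_ROUTE_PJ4_IRQ` / `MMP2_ICU_INT_ROUTE_PJ4_FIQ` names, but `.conf_enable = 0x20` just above it stays a bare literal. That literal is the same bit as `MMP2_ICU_INT_ROUTE_PJ4_IRQ` (1 << 5), so writing `.conf_enable = MMP2_ICU_INT_ROUTE_PJ4_IRQ,` would make it obvious that enable only sets a bit inside the mask. A short comment on the two defines, such as `/* routing bits only; the remaining bits are left as firmware configured them */`, would record the reason given in the commit message.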
diff --git a/queue-4.4/mips-remove-function-size-check-in-get_frame_info.patch b/queue-4.4/mips-remove-function-size-check-in-get_frame_info.patch
new file mode 100644 (file)
index 0000000..816a202
--- /dev/null
@@ -0,0 +1,64 @@
+From 6e9b2517b306c477922026c071c600c39b8df923 Mon Sep 17 00:00:00 2001
+From: Jun-Ru Chang <jrjang@realtek.com>
+Date: Tue, 29 Jan 2019 11:56:07 +0800
+Subject: MIPS: Remove function size check in get_frame_info()
+
+[ Upstream commit 2b424cfc69728224fcb5fad138ea7260728e0901 ]
+
+Patch (b6c7a324df37b "MIPS: Fix get_frame_info() handling of
+microMIPS function size.") introduces additional function size
+check for microMIPS by only checking insn between ip and ip + func_size.
+However, func_size in get_frame_info() is always 0 if KALLSYMS is not
+enabled. This causes get_frame_info() to return immediately without
+calculating correct frame_size, which in turn causes "Can't analyze
+schedule() prologue" warning messages at boot time.
+
+This patch removes func_size check, and let the frame_size check run
+up to 128 insns for both MIPS and microMIPS.
+
+Signed-off-by: Jun-Ru Chang <jrjang@realtek.com>
+Signed-off-by: Tony Wu <tonywu@realtek.com>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Fixes: b6c7a324df37b ("MIPS: Fix get_frame_info() handling of microMIPS function size.")
+Cc: <ralf@linux-mips.org>
+Cc: <jhogan@kernel.org>
+Cc: <macro@mips.com>
+Cc: <yamada.masahiro@socionext.com>
+Cc: <peterz@infradead.org>
+Cc: <mingo@kernel.org>
+Cc: <linux-mips@vger.kernel.org>
+Cc: <linux-kernel@vger.kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/process.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
+index ebd8a715fe38..e6102775892d 100644
+--- a/arch/mips/kernel/process.c
++++ b/arch/mips/kernel/process.c
+@@ -339,7 +339,7 @@ static inline int is_sp_move_ins(union mips_instruction *ip)
+ static int get_frame_info(struct mips_frame_info *info)
+ {
+       bool is_mmips = IS_ENABLED(CONFIG_CPU_MICROMIPS);
+-      union mips_instruction insn, *ip, *ip_end;
++      union mips_instruction insn, *ip;
+       const unsigned int max_insns = 128;
+       unsigned int last_insn_size = 0;
+       unsigned int i;
+@@ -351,10 +351,9 @@ static int get_frame_info(struct mips_frame_info *info)
+       if (!ip)
+               goto err;
+-      ip_end = (void *)ip + info->func_size;
+-
+-      for (i = 0; i < max_insns && ip < ip_end; i++) {
++      for (i = 0; i < max_insns; i++) {
+               ip = (void *)ip + last_insn_size;
++
+               if (is_mmips && mm_insn_16bit(ip->halfword[0])) {
+                       insn.halfword[0] = 0;
+                       insn.halfword[1] = ip->halfword[0];
+-- 
+2.19.1
+
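Review bot: With the `ip < ip_end` bound removed, the loop in get_frame_info() scans up to `max_insns` instructions even when `info->func_size` is known, so for a short function it can walk into whatever code follows and take a stack adjustment from there. The commit message describes only the `func_size == 0` case (no KALLSYMS) as broken, so the bound could be kept for the non-zero case: `ip_end = info->func_size ? (void *)ip + info->func_size : NULL;` with the loop condition `i < max_insns && (!ip_end || ip < ip_end)`. The rest of the loop body is outside the hunk, so an earlier exit that already stops the scan cannot be ruled out from here.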
diff --git a/queue-4.4/mm-memory_hotplug-is_mem_section_removable-do-not-pa.patch b/queue-4.4/mm-memory_hotplug-is_mem_section_removable-do-not-pa.patch
new file mode 100644 (file)
index 0000000..b74f669
--- /dev/null
@@ -0,0 +1,90 @@
+From e6ee702b4560633744a47f45900713f1367cb959 Mon Sep 17 00:00:00 2001
+From: Michal Hocko <mhocko@suse.com>
+Date: Fri, 1 Feb 2019 14:20:34 -0800
+Subject: mm, memory_hotplug: is_mem_section_removable do not pass the end of a
+ zone
+
+[ Upstream commit efad4e475c312456edb3c789d0996d12ed744c13 ]
+
+Patch series "mm, memory_hotplug: fix uninitialized pages fallouts", v2.
+
+Mikhail Zaslonko has posted fixes for the two bugs quite some time ago
+[1].  I have pushed back on those fixes because I believed that it is
+much better to plug the problem at the initialization time rather than
+play whack-a-mole all over the hotplug code and find all the places
+which expect the full memory section to be initialized.
+
+We have ended up with commit 2830bf6f05fb ("mm, memory_hotplug:
+initialize struct pages for the full memory section") merged and cause a
+regression [2][3].  The reason is that there might be memory layouts
+when two NUMA nodes share the same memory section so the merged fix is
+simply incorrect.
+
+In order to plug this hole we really have to be zone range aware in
+those handlers.  I have split up the original patch into two.  One is
+unchanged (patch 2) and I took a different approach for `removable'
+crash.
+
+[1] http://lkml.kernel.org/r/20181105150401.97287-2-zaslonko@linux.ibm.com
+[2] https://bugzilla.redhat.com/show_bug.cgi?id=1666948
+[3] http://lkml.kernel.org/r/20190125163938.GA20411@dhcp22.suse.cz
+
+This patch (of 2):
+
+Mikhail has reported the following VM_BUG_ON triggered when reading sysfs
+removable state of a memory block:
+
+ page:000003d08300c000 is uninitialized and poisoned
+ page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
+ Call Trace:
+   is_mem_section_removable+0xb4/0x190
+   show_mem_removable+0x9a/0xd8
+   dev_attr_show+0x34/0x70
+   sysfs_kf_seq_show+0xc8/0x148
+   seq_read+0x204/0x480
+   __vfs_read+0x32/0x178
+   vfs_read+0x82/0x138
+   ksys_read+0x5a/0xb0
+   system_call+0xdc/0x2d8
+ Last Breaking-Event-Address:
+   is_mem_section_removable+0xb4/0x190
+ Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+The reason is that the memory block spans the zone boundary and we are
+stumbling over an unitialized struct page.  Fix this by enforcing zone
+range in is_mem_section_removable so that we never run away from a zone.
+
+Link: http://lkml.kernel.org/r/20190128144506.15603-2-mhocko@kernel.org
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Reported-by: Mikhail Zaslonko <zaslonko@linux.ibm.com>
+Debugged-by: Mikhail Zaslonko <zaslonko@linux.ibm.com>
+Tested-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
+Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/memory_hotplug.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
+index 0addef5f8aa3..153acbf5f83d 100644
+--- a/mm/memory_hotplug.c
++++ b/mm/memory_hotplug.c
+@@ -1358,7 +1358,8 @@ static struct page *next_active_pageblock(struct page *page)
+ int is_mem_section_removable(unsigned long start_pfn, unsigned long nr_pages)
+ {
+       struct page *page = pfn_to_page(start_pfn);
+-      struct page *end_page = page + nr_pages;
++      unsigned long end_pfn = min(start_pfn + nr_pages, zone_end_pfn(page_zone(page)));
++      struct page *end_page = pfn_to_page(end_pfn);
+       /* Check the starting page of each pageblock within the range */
+       for (; page < end_page; page = next_active_pageblock(page)) {
+-- 
+2.19.1
+
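Review bot: The clamp in is_mem_section_removable() calls `page_zone(page)` on the struct page for `start_pfn`, so it silently assumes that the first page of the block is initialized and that its zone is the one to stay inside; nothing in the hunk states this. A comment above the new line would document it, for example `/* stay within the zone of start_pfn: struct pages past the zone end may be uninitialized */`. `pfn_to_page(end_pfn)` can now name the page one past the zone end; it is only compared against in the visible loop condition, and that is worth saying in the same comment so nobody dereferences `end_page` later. The new declaration is also longer than 80 columns and could be split after the comma.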
diff --git a/queue-4.4/mm-memory_hotplug-test_pages_in_a_zone-do-not-pass-t.patch b/queue-4.4/mm-memory_hotplug-test_pages_in_a_zone-do-not-pass-t.patch
new file mode 100644 (file)
index 0000000..5ec1ddf
--- /dev/null
@@ -0,0 +1,73 @@
+From 4c24e5201755042e82eb412bfee188aabb7c78c8 Mon Sep 17 00:00:00 2001
+From: Mikhail Zaslonko <zaslonko@linux.ibm.com>
+Date: Fri, 1 Feb 2019 14:20:38 -0800
+Subject: mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone
+
+[ Upstream commit 24feb47c5fa5b825efb0151f28906dfdad027e61 ]
+
+If memory end is not aligned with the sparse memory section boundary,
+the mapping of such a section is only partly initialized.  This may lead
+to VM_BUG_ON due to uninitialized struct pages access from
+test_pages_in_a_zone() function triggered by memory_hotplug sysfs
+handlers.
+
+Here are the the panic examples:
+ CONFIG_DEBUG_VM_PGFLAGS=y
+ kernel parameter mem=2050M
+ --------------------------
+ page:000003d082008000 is uninitialized and poisoned
+ page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
+ Call Trace:
+   test_pages_in_a_zone+0xde/0x160
+   show_valid_zones+0x5c/0x190
+   dev_attr_show+0x34/0x70
+   sysfs_kf_seq_show+0xc8/0x148
+   seq_read+0x204/0x480
+   __vfs_read+0x32/0x178
+   vfs_read+0x82/0x138
+   ksys_read+0x5a/0xb0
+   system_call+0xdc/0x2d8
+ Last Breaking-Event-Address:
+   test_pages_in_a_zone+0xde/0x160
+ Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+Fix this by checking whether the pfn to check is within the zone.
+
+[mhocko@suse.com: separated this change from http://lkml.kernel.org/r/20181105150401.97287-2-zaslonko@linux.ibm.com]
+Link: http://lkml.kernel.org/r/20190128144506.15603-3-mhocko@kernel.org
+
+[mhocko@suse.com: separated this change from
+http://lkml.kernel.org/r/20181105150401.97287-2-zaslonko@linux.ibm.com]
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Mikhail Zaslonko <zaslonko@linux.ibm.com>
+Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Tested-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/memory_hotplug.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
+index 153acbf5f83d..804cbfe9132d 100644
+--- a/mm/memory_hotplug.c
++++ b/mm/memory_hotplug.c
+@@ -1399,6 +1399,9 @@ int test_pages_in_a_zone(unsigned long start_pfn, unsigned long end_pfn,
+                               i++;
+                       if (i == MAX_ORDER_NR_PAGES)
+                               continue;
++                      /* Check if we got outside of the zone */
++                      if (zone && !zone_spans_pfn(zone, pfn + i))
++                              return 0;
+                       page = pfn_to_page(pfn + i);
+                       if (zone && page_zone(page) != zone)
+                               return 0;
+-- 
+2.19.1
+
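Review bot: The new guard in test_pages_in_a_zone() is conditional on `zone` being non-NULL, so the first page the loop examines still reaches `pfn_to_page()` and `page_zone()` without any range check. `zone` appears to be assigned only after that first lookup, but the assignment is outside this hunk, so this is inferred. If the first pfn is guaranteed valid by the caller or by the validity loop above, the comment should say so, e.g. `/* zone is set from the first valid page; every later pfn must stay inside it */`. The function starts and ends outside the hunk.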
diff --git a/queue-4.4/net-altera_tse-fix-msgdma_tx_completion-on-non-zero-.patch b/queue-4.4/net-altera_tse-fix-msgdma_tx_completion-on-non-zero-.patch
new file mode 100644 (file)
index 0000000..d572fd4
--- /dev/null
@@ -0,0 +1,40 @@
+From 1b419fbd0f68ef74841a9cb61b8dee5b2e1994a7 Mon Sep 17 00:00:00 2001
+From: Tomonori Sakita <tomonori.sakita@sord.co.jp>
+Date: Fri, 25 Jan 2019 11:02:22 +0900
+Subject: net: altera_tse: fix msgdma_tx_completion on non-zero fill_level case
+
+[ Upstream commit 6571ebce112a21ec9be68ef2f53b96fcd41fd81b ]
+
+If fill_level was not zero and status was not BUSY,
+result of "tx_prod - tx_cons - inuse" might be zero.
+Subtracting 1 unconditionally results invalid negative return value
+on this case.
+Make sure not to return an negative value.
+
+Signed-off-by: Tomonori Sakita <tomonori.sakita@sord.co.jp>
+Signed-off-by: Atsushi Nemoto <atsushi.nemoto@sord.co.jp>
+Reviewed-by: Dalon L Westergreen <dalon.westergreen@linux.intel.com>
+Acked-by: Thor Thayer <thor.thayer@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/altera/altera_msgdma.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/altera/altera_msgdma.c b/drivers/net/ethernet/altera/altera_msgdma.c
+index 0fb986ba3290..0ae723f75341 100644
+--- a/drivers/net/ethernet/altera/altera_msgdma.c
++++ b/drivers/net/ethernet/altera/altera_msgdma.c
+@@ -145,7 +145,8 @@ u32 msgdma_tx_completions(struct altera_tse_private *priv)
+                       & 0xffff;
+       if (inuse) { /* Tx FIFO is not empty */
+-              ready = priv->tx_prod - priv->tx_cons - inuse - 1;
++              ready = max_t(int,
++                            priv->tx_prod - priv->tx_cons - inuse - 1, 0);
+       } else {
+               /* Check for buffered last packet */
+               status = csrrd32(priv->tx_dma_csr, msgdma_csroffs(status));
+-- 
+2.19.1
+
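Review bot: The clamp in msgdma_tx_completions() works by converting `priv->tx_prod - priv->tx_cons - inuse - 1` to `int` through `max_t(int, ...)`, which only detects the underflow if a wrapped unsigned result reads back as a negative int. The field types are not visible in this hunk and the function returns `u32`, so this reliance deserves a comment such as `/* difference may wrap below zero when the FIFO holds everything outstanding; clamp to 0 */`. Testing `priv->tx_prod - priv->tx_cons > inuse` before subtracting would avoid the signed reinterpretation altogether.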
diff --git a/queue-4.4/net-hns-fix-wrong-read-accesses-via-clause-45-mdio-p.patch b/queue-4.4/net-hns-fix-wrong-read-accesses-via-clause-45-mdio-p.patch
new file mode 100644 (file)
index 0000000..5a1da6b
--- /dev/null
@@ -0,0 +1,35 @@
+From 10994799d4fe63e3b45d596bebc2c1df6965e42c Mon Sep 17 00:00:00 2001
+From: Yonglong Liu <liuyonglong@huawei.com>
+Date: Sat, 26 Jan 2019 17:18:27 +0800
+Subject: net: hns: Fix wrong read accesses via Clause 45 MDIO protocol
+
+[ Upstream commit cec8abba13e6a26729dfed41019720068eeeff2b ]
+
+When reading phy registers via Clause 45 MDIO protocol, after write
+address operation, the driver use another write address operation, so
+can not read the right value of any phy registers. This patch fixes it.
+
+Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns_mdio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns_mdio.c b/drivers/net/ethernet/hisilicon/hns_mdio.c
+index 37491c85bc42..6ff13c559e52 100644
+--- a/drivers/net/ethernet/hisilicon/hns_mdio.c
++++ b/drivers/net/ethernet/hisilicon/hns_mdio.c
+@@ -319,7 +319,7 @@ static int hns_mdio_read(struct mii_bus *bus, int phy_id, int regnum)
+               }
+               hns_mdio_cmd_write(mdio_dev, is_c45,
+-                                 MDIO_C45_WRITE_ADDR, phy_id, devad);
++                                 MDIO_C45_READ, phy_id, devad);
+       }
+       /* Step 5: waitting for MDIO_COMMAND_REG 's mdio_start==0,*/
+-- 
+2.19.1
+
diff --git a/queue-4.4/net-stmmac-dwmac-rk-fix-error-handling-in-rk_gmac_po.patch b/queue-4.4/net-stmmac-dwmac-rk-fix-error-handling-in-rk_gmac_po.patch
new file mode 100644 (file)
index 0000000..299876f
--- /dev/null
@@ -0,0 +1,37 @@
+From c19e9e10f5fe7c8c9f6f48757471ffb3941eeea5 Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Sat, 26 Jan 2019 22:48:57 +0300
+Subject: net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup()
+
+[ Upstream commit c69c29a1a0a8f68cd87e98ba4a5a79fb8ef2a58c ]
+
+If phy_power_on() fails in rk_gmac_powerup(), clocks are left enabled.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
+index 0cd3ecff768b..398b08e07149 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
+@@ -535,8 +535,10 @@ static int rk_gmac_init(struct platform_device *pdev, void *priv)
+       int ret;
+       ret = phy_power_on(bsp_priv, true);
+-      if (ret)
++      if (ret) {
++              gmac_clk_enable(bsp_priv, false);
+               return ret;
++      }
+       ret = gmac_clk_enable(bsp_priv, true);
+       if (ret)
+-- 
+2.19.1
+
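Review bot: In this tree the visible context calls `phy_power_on(bsp_priv, true)` before `gmac_clk_enable(bsp_priv, true)`, so the added `gmac_clk_enable(bsp_priv, false);` on the phy_power_on() failure path disables clocks that have not been enabled yet. Unless gmac_clk_enable() tracks its own state (not visible here), that is an unbalanced disable, and at best it is a no-op that fixes nothing. The commit message describes rk_gmac_powerup() with the opposite call order, while the hunk header names rk_gmac_init(). With this ordering the cleanup belongs on the later branch instead: drop the added call and, where `gmac_clk_enable(bsp_priv, true)` fails, call `phy_power_on(bsp_priv, false);` before returning. That branch's body is outside the hunk.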
diff --git a/queue-4.4/nfs-fix-null-pointer-dereference-of-dev_name.patch b/queue-4.4/nfs-fix-null-pointer-dereference-of-dev_name.patch
new file mode 100644 (file)
index 0000000..1b83e1e
--- /dev/null
@@ -0,0 +1,56 @@
+From 48aff3e8e33a6b8dcf6b585070bdd5a12e915851 Mon Sep 17 00:00:00 2001
+From: Yao Liu <yotta.liu@ucloud.cn>
+Date: Mon, 28 Jan 2019 19:44:14 +0800
+Subject: nfs: Fix NULL pointer dereference of dev_name
+
+[ Upstream commit 80ff00172407e0aad4b10b94ef0816fc3e7813cb ]
+
+There is a NULL pointer dereference of dev_name in nfs_parse_devname()
+
+The oops looks something like:
+
+  BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+  ...
+  RIP: 0010:nfs_fs_mount+0x3b6/0xc20 [nfs]
+  ...
+  Call Trace:
+   ? ida_alloc_range+0x34b/0x3d0
+   ? nfs_clone_super+0x80/0x80 [nfs]
+   ? nfs_free_parsed_mount_data+0x60/0x60 [nfs]
+   mount_fs+0x52/0x170
+   ? __init_waitqueue_head+0x3b/0x50
+   vfs_kern_mount+0x6b/0x170
+   do_mount+0x216/0xdc0
+   ksys_mount+0x83/0xd0
+   __x64_sys_mount+0x25/0x30
+   do_syscall_64+0x65/0x220
+   entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fix this by adding a NULL check on dev_name
+
+Signed-off-by: Yao Liu <yotta.liu@ucloud.cn>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/super.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index 412fcfbc50e2..9b42139a479b 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1877,6 +1877,11 @@ static int nfs_parse_devname(const char *dev_name,
+       size_t len;
+       char *end;
++      if (unlikely(!dev_name || !*dev_name)) {
++              dfprintk(MOUNT, "NFS: device name not specified\n");
++              return -EINVAL;
++      }
++
+       /* Is the host name protected with square brakcets? */
+       if (*dev_name == '[') {
+               end = strchr(++dev_name, ']');
+-- 
+2.19.1
+
diff --git a/queue-4.4/perf-symbols-filter-out-hidden-symbols-from-labels.patch b/queue-4.4/perf-symbols-filter-out-hidden-symbols-from-labels.patch
new file mode 100644 (file)
index 0000000..a266b10
--- /dev/null
@@ -0,0 +1,94 @@
+From 53be15f10c4778730bb0199657cb51aa0324e43b Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@redhat.com>
+Date: Mon, 28 Jan 2019 14:35:26 +0100
+Subject: perf symbols: Filter out hidden symbols from labels
+
+[ Upstream commit 59a17706915fe5ea6f711e1f92d4fb706bce07fe ]
+
+When perf is built with the annobin plugin (RHEL8 build) extra symbols
+are added to its binary:
+
+  # nm perf | grep annobin | head -10
+  0000000000241100 t .annobin_annotate.c
+  0000000000326490 t .annobin_annotate.c
+  0000000000249255 t .annobin_annotate.c_end
+  00000000003283a8 t .annobin_annotate.c_end
+  00000000001bce18 t .annobin_annotate.c_end.hot
+  00000000001bce18 t .annobin_annotate.c_end.hot
+  00000000001bc3e2 t .annobin_annotate.c_end.unlikely
+  00000000001bc400 t .annobin_annotate.c_end.unlikely
+  00000000001bce18 t .annobin_annotate.c.hot
+  00000000001bce18 t .annobin_annotate.c.hot
+  ...
+
+Those symbols have no use for report or annotation and should be
+skipped.  Moreover they interfere with the DWARF unwind test on the PPC
+arch, where they are mixed with checked symbols and then the test fails:
+
+  # perf test dwarf -v
+  59: Test dwarf unwind                                     :
+  --- start ---
+  test child forked, pid 8515
+  unwind: .annobin_dwarf_unwind.c:ip = 0x10dba40dc (0x2740dc)
+  ...
+  got: .annobin_dwarf_unwind.c 0x10dba40dc, expecting test__arch_unwind_sample
+  unwind: failed with 'no error'
+
+The annobin symbols are defined as NOTYPE/LOCAL/HIDDEN:
+
+  # readelf -s ./perf | grep annobin | head -1
+    40: 00000000001bce4f     0 NOTYPE  LOCAL  HIDDEN    13 .annobin_init.c
+
+They can still pass the check for the label symbol. Adding check for
+HIDDEN and INTERNAL (as suggested by Nick below) visibility and filter
+out such symbols.
+
+>   Just to be awkward, if you are going to ignore STV_HIDDEN
+>   symbols then you should probably also ignore STV_INTERNAL ones
+>   as well...  Annobin does not generate them, but you never know,
+>   one day some other tool might create some.
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Michael Petlan <mpetlan@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Nick Clifton <nickc@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/20190128133526.GD15461@krava
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/symbol-elf.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c
+index 7c97ecaeae48..2070c02de3af 100644
+--- a/tools/perf/util/symbol-elf.c
++++ b/tools/perf/util/symbol-elf.c
+@@ -74,6 +74,11 @@ static inline uint8_t elf_sym__type(const GElf_Sym *sym)
+       return GELF_ST_TYPE(sym->st_info);
+ }
++static inline uint8_t elf_sym__visibility(const GElf_Sym *sym)
++{
++      return GELF_ST_VISIBILITY(sym->st_other);
++}
++
+ #ifndef STT_GNU_IFUNC
+ #define STT_GNU_IFUNC 10
+ #endif
+@@ -98,7 +103,9 @@ static inline int elf_sym__is_label(const GElf_Sym *sym)
+       return elf_sym__type(sym) == STT_NOTYPE &&
+               sym->st_name != 0 &&
+               sym->st_shndx != SHN_UNDEF &&
+-              sym->st_shndx != SHN_ABS;
++              sym->st_shndx != SHN_ABS &&
++              elf_sym__visibility(sym) != STV_HIDDEN &&
++              elf_sym__visibility(sym) != STV_INTERNAL;
+ }
+ static bool elf_sym__is_a(GElf_Sym *sym, enum map_type type)
+-- 
+2.19.1
+
diff --git a/queue-4.4/perf-tools-handle-topology-headers-with-no-cpu.patch b/queue-4.4/perf-tools-handle-topology-headers-with-no-cpu.patch
new file mode 100644 (file)
index 0000000..ca9bd6e
--- /dev/null
@@ -0,0 +1,67 @@
+From 00bca002797d0a110230da37655c168667e4e3ec Mon Sep 17 00:00:00 2001
+From: Stephane Eranian <eranian@google.com>
+Date: Sat, 19 Jan 2019 00:12:39 -0800
+Subject: perf tools: Handle TOPOLOGY headers with no CPU
+
+[ Upstream commit 1497e804d1a6e2bd9107ddf64b0310449f4673eb ]
+
+This patch fixes an issue in cpumap.c when used with the TOPOLOGY
+header. In some configurations, some NUMA nodes may have no CPU (empty
+cpulist). Yet a cpumap map must be created otherwise perf abort with an
+error. This patch handles this case by creating a dummy map.
+
+  Before:
+
+  $ perf record -o - -e cycles noploop 2 | perf script -i -
+  0x6e8 [0x6c]: failed to process type: 80
+
+  After:
+
+  $ perf record -o - -e cycles noploop 2 | perf script -i -
+  noploop for 2 seconds
+
+Signed-off-by: Stephane Eranian <eranian@google.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/1547885559-1657-1-git-send-email-eranian@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/cpumap.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/cpumap.c b/tools/perf/util/cpumap.c
+index 10af1e7524fb..f1aae86f7f6c 100644
+--- a/tools/perf/util/cpumap.c
++++ b/tools/perf/util/cpumap.c
+@@ -124,7 +124,12 @@ struct cpu_map *cpu_map__new(const char *cpu_list)
+       if (!cpu_list)
+               return cpu_map__read_all_cpu_map();
+-      if (!isdigit(*cpu_list))
++      /*
++       * must handle the case of empty cpumap to cover
++       * TOPOLOGY header for NUMA nodes with no CPU
++       * ( e.g., because of CPU hotplug)
++       */
++      if (!isdigit(*cpu_list) && *cpu_list != '\0')
+               goto out;
+       while (isdigit(*cpu_list)) {
+@@ -171,8 +176,10 @@ struct cpu_map *cpu_map__new(const char *cpu_list)
+       if (nr_cpus > 0)
+               cpus = cpu_map__trim_new(nr_cpus, tmp_cpus);
+-      else
++      else if (*cpu_list != '\0')
+               cpus = cpu_map__default_new();
++      else
++              cpus = cpu_map__dummy_new();
+ invalid:
+       free(tmp_cpus);
+ out:
+-- 
+2.19.1
+
diff --git a/queue-4.4/perf-trace-support-multiple-vfs_getname-probes.patch b/queue-4.4/perf-trace-support-multiple-vfs_getname-probes.patch
new file mode 100644 (file)
index 0000000..d703a2f
--- /dev/null
@@ -0,0 +1,101 @@
+From 2c5947ff54f89f7b46d25d6d73476037af4a9256 Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Tue, 29 Jan 2019 15:12:34 +0100
+Subject: perf trace: Support multiple "vfs_getname" probes
+
+[ Upstream commit 6ab3bc240ade47a0f52bc16d97edd9accbe0024e ]
+
+With a suitably defined "probe:vfs_getname" probe, 'perf trace' can
+"beautify" its output, so syscalls like open() or openat() can print the
+"filename" argument instead of just its hex address, like:
+
+  $ perf trace -e open -- touch /dev/null
+  [...]
+       0.590 ( 0.014 ms): touch/18063 open(filename: /dev/null, flags: CREAT|NOCTTY|NONBLOCK|WRONLY, mode: IRUGO|IWUGO) = 3
+  [...]
+
+The output without such beautifier looks like:
+
+     0.529 ( 0.011 ms): touch/18075 open(filename: 0xc78cf288, flags: CREAT|NOCTTY|NONBLOCK|WRONLY, mode: IRUGO|IWUGO) = 3
+
+However, when the vfs_getname probe expands to multiple probes and it is
+not the first one that is hit, the beautifier fails, as following:
+
+     0.326 ( 0.010 ms): touch/18072 open(filename: , flags: CREAT|NOCTTY|NONBLOCK|WRONLY, mode: IRUGO|IWUGO) = 3
+
+Fix it by hooking into all the expanded probes (inlines), now, for instance:
+
+  [root@quaco ~]# perf probe -l
+    probe:vfs_getname    (on getname_flags:73@fs/namei.c with pathname)
+    probe:vfs_getname_1  (on getname_flags:73@fs/namei.c with pathname)
+  [root@quaco ~]# perf trace -e open* sleep 1
+       0.010 ( 0.005 ms): sleep/5588 openat(dfd: CWD, filename: /etc/ld.so.cache, flags: RDONLY|CLOEXEC)   = 3
+       0.029 ( 0.006 ms): sleep/5588 openat(dfd: CWD, filename: /lib64/libc.so.6, flags: RDONLY|CLOEXEC)   = 3
+       0.194 ( 0.008 ms): sleep/5588 openat(dfd: CWD, filename: /usr/lib/locale/locale-archive, flags: RDONLY|CLOEXEC) = 3
+  [root@quaco ~]#
+
+Works, further verified with:
+
+  [root@quaco ~]# perf test vfs
+  65: Use vfs_getname probe to get syscall args filenames   : Ok
+  66: Add vfs_getname probe to get syscall args filenames   : Ok
+  67: Check open filename arg using perf trace + vfs_getname: Ok
+  [root@quaco ~]#
+
+Reported-by: Michael Petlan <mpetlan@redhat.com>
+Tested-by: Michael Petlan <mpetlan@redhat.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lkml.kernel.org/n/tip-mv8kolk17xla1smvmp3qabv1@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-trace.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
+index da8afc121118..039517c61c75 100644
+--- a/tools/perf/builtin-trace.c
++++ b/tools/perf/builtin-trace.c
+@@ -2403,19 +2403,30 @@ static size_t trace__fprintf_thread_summary(struct trace *trace, FILE *fp);
+ static bool perf_evlist__add_vfs_getname(struct perf_evlist *evlist)
+ {
+-      struct perf_evsel *evsel = perf_evsel__newtp("probe", "vfs_getname");
++      bool found = false;
++      struct perf_evsel *evsel, *tmp;
++      struct parse_events_error err = { .idx = 0, };
++      int ret = parse_events(evlist, "probe:vfs_getname*", &err);
+-      if (IS_ERR(evsel))
++      if (ret)
+               return false;
+-      if (perf_evsel__field(evsel, "pathname") == NULL) {
++      evlist__for_each_entry_safe(evlist, evsel, tmp) {
++              if (!strstarts(perf_evsel__name(evsel), "probe:vfs_getname"))
++                      continue;
++
++              if (perf_evsel__field(evsel, "pathname")) {
++                      evsel->handler = trace__vfs_getname;
++                      found = true;
++                      continue;
++              }
++
++              list_del_init(&evsel->node);
++              evsel->evlist = NULL;
+               perf_evsel__delete(evsel);
+-              return false;
+       }
+-      evsel->handler = trace__vfs_getname;
+-      perf_evlist__add(evlist, evsel);
+-      return true;
++      return found;
+ }
+ static int perf_evlist__add_pgfault(struct perf_evlist *evlist,
+-- 
+2.19.1
+
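Review bot: The rewritten perf_evlist__add_vfs_getname() depends on `evlist__for_each_entry_safe()`, `strstarts()` and a `parse_events()` that takes a `struct parse_events_error *`, none of which this patch adds. For a 4.4 backport it should be confirmed that tools/perf in that tree provides all three with these names and argument orders, since otherwise the queue will not build. On the `if (ret) return false;` path, `err` is dropped without being inspected or released. If parse_events() fills it with allocated message strings on failure, they leak, so that should be checked against the 4.4 definition of the struct.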
diff --git a/queue-4.4/platform-x86-fix-unmet-dependency-warning-for-samsun.patch b/queue-4.4/platform-x86-fix-unmet-dependency-warning-for-samsun.patch
new file mode 100644 (file)
index 0000000..da421f1
--- /dev/null
@@ -0,0 +1,43 @@
+From f95077deb31e0ba0934ef8332ce623dfb307ddb7 Mon Sep 17 00:00:00 2001
+From: Sinan Kaya <okaya@kernel.org>
+Date: Thu, 24 Jan 2019 19:31:01 +0000
+Subject: platform/x86: Fix unmet dependency warning for SAMSUNG_Q10
+
+[ Upstream commit 0ee4b5f801b73b83a9fb3921d725f2162fd4a2e5 ]
+
+Add BACKLIGHT_LCD_SUPPORT for SAMSUNG_Q10 to fix the
+warning: unmet direct dependencies detected for BACKLIGHT_CLASS_DEVICE.
+
+SAMSUNG_Q10 selects BACKLIGHT_CLASS_DEVICE but BACKLIGHT_CLASS_DEVICE
+depends on BACKLIGHT_LCD_SUPPORT.
+
+Copy BACKLIGHT_LCD_SUPPORT dependency into SAMSUNG_Q10 to fix:
+
+WARNING: unmet direct dependencies detected for BACKLIGHT_CLASS_DEVICE
+  Depends on [n]: HAS_IOMEM [=y] && BACKLIGHT_LCD_SUPPORT [=n]
+  Selected by [y]:
+  - SAMSUNG_Q10 [=y] && X86 [=y] && X86_PLATFORM_DEVICES [=y] && ACPI [=y]
+
+Signed-off-by: Sinan Kaya <okaya@kernel.org>
+Acked-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig
+index 988ebe9a6b90..953974b5a9a9 100644
+--- a/drivers/platform/x86/Kconfig
++++ b/drivers/platform/x86/Kconfig
+@@ -881,6 +881,7 @@ config INTEL_OAKTRAIL
+ config SAMSUNG_Q10
+       tristate "Samsung Q10 Extras"
+       depends on ACPI
++      depends on BACKLIGHT_LCD_SUPPORT
+       select BACKLIGHT_CLASS_DEVICE
+       ---help---
+         This driver provides support for backlight control on Samsung Q10
+-- 
+2.19.1
+
diff --git a/queue-4.4/s390-qeth-fix-use-after-free-in-error-path.patch b/queue-4.4/s390-qeth-fix-use-after-free-in-error-path.patch
new file mode 100644 (file)
index 0000000..b15c432
--- /dev/null
@@ -0,0 +1,70 @@
+From 7a52d6ee03c768885b211035c04a1de160575705 Mon Sep 17 00:00:00 2001
+From: Julian Wiedmann <jwi@linux.ibm.com>
+Date: Mon, 4 Feb 2019 17:40:07 +0100
+Subject: s390/qeth: fix use-after-free in error path
+
+[ Upstream commit afa0c5904ba16d59b0454f7ee4c807dae350f432 ]
+
+The error path in qeth_alloc_qdio_buffers() that takes care of
+cleaning up the Output Queues is buggy. It first frees the queue, but
+then calls qeth_clear_outq_buffers() with that very queue struct.
+
+Make the call to qeth_clear_outq_buffers() part of the free action
+(in the correct order), and while at it fix the naming of the helper.
+
+Fixes: 0da9581ddb0f ("qeth: exploit asynchronous delivery of storage blocks")
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/net/qeth_core_main.c | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c
+index 533bd2467910..b40604d0126f 100644
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -2452,11 +2452,12 @@ static int qeth_init_qdio_out_buf(struct qeth_qdio_out_q *q, int bidx)
+       return rc;
+ }
+-static void qeth_free_qdio_out_buf(struct qeth_qdio_out_q *q)
++static void qeth_free_output_queue(struct qeth_qdio_out_q *q)
+ {
+       if (!q)
+               return;
++      qeth_clear_outq_buffers(q, 1);
+       qdio_free_buffers(q->qdio_bufs, QDIO_MAX_BUFFERS_PER_Q);
+       kfree(q);
+ }
+@@ -2529,10 +2530,8 @@ static int qeth_alloc_qdio_buffers(struct qeth_card *card)
+               card->qdio.out_qs[i]->bufs[j] = NULL;
+       }
+ out_freeoutq:
+-      while (i > 0) {
+-              qeth_free_qdio_out_buf(card->qdio.out_qs[--i]);
+-              qeth_clear_outq_buffers(card->qdio.out_qs[i], 1);
+-      }
++      while (i > 0)
++              qeth_free_output_queue(card->qdio.out_qs[--i]);
+       kfree(card->qdio.out_qs);
+       card->qdio.out_qs = NULL;
+ out_freepool:
+@@ -2565,10 +2564,8 @@ static void qeth_free_qdio_buffers(struct qeth_card *card)
+       qeth_free_buffer_pool(card);
+       /* free outbound qdio_qs */
+       if (card->qdio.out_qs) {
+-              for (i = 0; i < card->qdio.no_out_queues; ++i) {
+-                      qeth_clear_outq_buffers(card->qdio.out_qs[i], 1);
+-                      qeth_free_qdio_out_buf(card->qdio.out_qs[i]);
+-              }
++              for (i = 0; i < card->qdio.no_out_queues; i++)
++                      qeth_free_output_queue(card->qdio.out_qs[i]);
+               kfree(card->qdio.out_qs);
+               card->qdio.out_qs = NULL;
+       }
+-- 
+2.19.1
+
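Review bot: qeth_free_output_queue() is correct only because qeth_clear_outq_buffers(q, 1) runs before qdio_free_buffers() and kfree(q), and nothing in the helper records that ordering constraint. A one-line comment above the call, such as `/* must run before q is freed: qeth_clear_outq_buffers() uses q */`, would keep a later cleanup from reintroducing the use-after-free this patch removes. In the out_freeoutq loop the index is pre-decremented, so whether the queue at index i on entry is also released depends on the allocation loop. That loop lies outside these hunks and is worth checking against the 4.4 tree.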
diff --git a/queue-4.4/scsi-libfc-free-skb-when-receiving-invalid-flogi-res.patch b/queue-4.4/scsi-libfc-free-skb-when-receiving-invalid-flogi-res.patch
new file mode 100644 (file)
index 0000000..baf7f41
--- /dev/null
@@ -0,0 +1,56 @@
+From d9173cb303b1d2a59d161abeabea5771acb60304 Mon Sep 17 00:00:00 2001
+From: Ming Lu <ming.lu@citrix.com>
+Date: Thu, 24 Jan 2019 13:25:42 +0800
+Subject: scsi: libfc: free skb when receiving invalid flogi resp
+
+[ Upstream commit 5d8fc4a9f0eec20b6c07895022a6bea3fb6dfb38 ]
+
+The issue to be fixed in this commit is when libfc found it received a
+invalid FLOGI response from FC switch, it would return without freeing the
+fc frame, which is just the skb data. This would cause memory leak if FC
+switch keeps sending invalid FLOGI responses.
+
+This fix is just to make it execute `fc_frame_free(fp)` before returning
+from function `fc_lport_flogi_resp`.
+
+Signed-off-by: Ming Lu <ming.lu@citrix.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libfc/fc_lport.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/libfc/fc_lport.c b/drivers/scsi/libfc/fc_lport.c
+index e01a29863c38..867fc036d6ef 100644
+--- a/drivers/scsi/libfc/fc_lport.c
++++ b/drivers/scsi/libfc/fc_lport.c
+@@ -1739,14 +1739,14 @@ void fc_lport_flogi_resp(struct fc_seq *sp, struct fc_frame *fp,
+           fc_frame_payload_op(fp) != ELS_LS_ACC) {
+               FC_LPORT_DBG(lport, "FLOGI not accepted or bad response\n");
+               fc_lport_error(lport, fp);
+-              goto err;
++              goto out;
+       }
+       flp = fc_frame_payload_get(fp, sizeof(*flp));
+       if (!flp) {
+               FC_LPORT_DBG(lport, "FLOGI bad response\n");
+               fc_lport_error(lport, fp);
+-              goto err;
++              goto out;
+       }
+       mfs = ntohs(flp->fl_csp.sp_bb_data) &
+@@ -1756,7 +1756,7 @@ void fc_lport_flogi_resp(struct fc_seq *sp, struct fc_frame *fp,
+               FC_LPORT_DBG(lport, "FLOGI bad mfs:%hu response, "
+                            "lport->mfs:%hu\n", mfs, lport->mfs);
+               fc_lport_error(lport, fp);
+-              goto err;
++              goto out;
+       }
+       if (mfs <= lport->mfs) {
+-- 
+2.19.1
+
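Review bot: All three changed branches pass fp to fc_lport_error(lport, fp) and then jump to `out`, where according to the commit message the frame is freed, so the change is only safe if fc_lport_error() keeps no reference to fp. That function and both labels lie outside these hunks, so this should be confirmed against the 4.4 source rather than assumed. Once verified, a short comment at the first branch, for example `/* fp is freed at out; fc_lport_error() must not retain it */`, would document who owns the frame on the error paths.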
index 6a8c2930850ced9bfd61e49b07507bd61bce47ed..efa02f6c2b6d73caa929afe0f81e774db882826b 100644 (file)
@@ -78,3 +78,36 @@ netlabel-fix-out-of-bounds-memory-accesses.patch
 net-dsa-mv88e6xxx-fix-u64-statistics.patch
 ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch
 media-uvcvideo-fix-type-check-leading-to-overflow.patch
+vti4-fix-a-ipip-packet-processing-bug-in-ipcomp-virt.patch
+perf-tools-handle-topology-headers-with-no-cpu.patch
+ib-hfi1-qib-fix-wc.byte_len-calculation-for-ud_send_.patch
+ipvs-fix-signed-integer-overflow-when-setsockopt-tim.patch
+iommu-amd-fix-iommu-page-flush-when-detach-device-fr.patch
+xtensa-smp-fix-ccount_timer_shutdown.patch
+xtensa-smp-fix-secondary-cpu-initialization.patch
+xtensa-smp_lx200_defconfig-fix-vectors-clash.patch
+xtensa-smp-mark-each-possible-cpu-as-present.patch
+xtensa-smp-limit-number-of-possible-cpus-by-nr_cpus.patch
+net-altera_tse-fix-msgdma_tx_completion-on-non-zero-.patch
+net-hns-fix-wrong-read-accesses-via-clause-45-mdio-p.patch
+net-stmmac-dwmac-rk-fix-error-handling-in-rk_gmac_po.patch
+gpio-vf610-mask-all-gpio-interrupts.patch
+nfs-fix-null-pointer-dereference-of-dev_name.patch
+scsi-libfc-free-skb-when-receiving-invalid-flogi-res.patch
+platform-x86-fix-unmet-dependency-warning-for-samsun.patch
+cifs-fix-computation-for-max_smb2_hdr_size.patch
+x86-kexec-don-t-setup-efi-info-if-efi-runtime-is-not.patch
+x86_64-increase-stack-size-for-kasan_extra.patch
+mm-memory_hotplug-is_mem_section_removable-do-not-pa.patch
+mm-memory_hotplug-test_pages_in_a_zone-do-not-pass-t.patch
+fs-drop_caches.c-avoid-softlockups-in-drop_pagecache.patch
+autofs-drop-dentry-reference-only-when-it-is-never-u.patch
+autofs-fix-error-return-in-autofs_fill_super.patch
+arm-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch
+irqchip-mmp-only-touch-the-pj4-irq-fiq-bits-on-enabl.patch
+dmaengine-at_xdmac-fix-wrongfull-report-of-a-channel.patch
+dmaengine-dmatest-abort-test-in-case-of-mapping-erro.patch
+s390-qeth-fix-use-after-free-in-error-path.patch
+perf-symbols-filter-out-hidden-symbols-from-labels.patch
+perf-trace-support-multiple-vfs_getname-probes.patch
+mips-remove-function-size-check-in-get_frame_info.patch
diff --git a/queue-4.4/vti4-fix-a-ipip-packet-processing-bug-in-ipcomp-virt.patch b/queue-4.4/vti4-fix-a-ipip-packet-processing-bug-in-ipcomp-virt.patch
new file mode 100644 (file)
index 0000000..6abd156
--- /dev/null
@@ -0,0 +1,119 @@
+From 182a40a7c83ce759eca4b56c46ade449f74b9eb2 Mon Sep 17 00:00:00 2001
+From: Su Yanjun <suyj.fnst@cn.fujitsu.com>
+Date: Sun, 6 Jan 2019 21:31:20 -0500
+Subject: vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel
+
+[ Upstream commit dd9ee3444014e8f28c0eefc9fffc9ac9c5248c12 ]
+
+Recently we run a network test over ipcomp virtual tunnel.We find that
+if a ipv4 packet needs fragment, then the peer can't receive
+it.
+
+We deep into the code and find that when packet need fragment the smaller
+fragment will be encapsulated by ipip not ipcomp. So when the ipip packet
+goes into xfrm, it's skb->dev is not properly set. The ipv4 reassembly code
+always set skb'dev to the last fragment's dev. After ipv4 defrag processing,
+when the kernel rp_filter parameter is set, the skb will be drop by -EXDEV
+error.
+
+This patch adds compatible support for the ipip process in ipcomp virtual tunnel.
+
+Signed-off-by: Su Yanjun <suyj.fnst@cn.fujitsu.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_vti.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 50 insertions(+)
+
+diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
+index 4b7c81f88abf..fcf327ebd134 100644
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -75,6 +75,33 @@ static int vti_input(struct sk_buff *skb, int nexthdr, __be32 spi,
+       return 0;
+ }
++static int vti_input_ipip(struct sk_buff *skb, int nexthdr, __be32 spi,
++                   int encap_type)
++{
++      struct ip_tunnel *tunnel;
++      const struct iphdr *iph = ip_hdr(skb);
++      struct net *net = dev_net(skb->dev);
++      struct ip_tunnel_net *itn = net_generic(net, vti_net_id);
++
++      tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY,
++                                iph->saddr, iph->daddr, 0);
++      if (tunnel) {
++              if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
++                      goto drop;
++
++              XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = tunnel;
++
++              skb->dev = tunnel->dev;
++
++              return xfrm_input(skb, nexthdr, spi, encap_type);
++      }
++
++      return -EINVAL;
++drop:
++      kfree_skb(skb);
++      return 0;
++}
++
+ static int vti_rcv(struct sk_buff *skb)
+ {
+       XFRM_SPI_SKB_CB(skb)->family = AF_INET;
+@@ -83,6 +110,14 @@ static int vti_rcv(struct sk_buff *skb)
+       return vti_input(skb, ip_hdr(skb)->protocol, 0, 0);
+ }
++static int vti_rcv_ipip(struct sk_buff *skb)
++{
++      XFRM_SPI_SKB_CB(skb)->family = AF_INET;
++      XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
++
++      return vti_input_ipip(skb, ip_hdr(skb)->protocol, ip_hdr(skb)->saddr, 0);
++}
++
+ static int vti_rcv_cb(struct sk_buff *skb, int err)
+ {
+       unsigned short family;
+@@ -409,6 +444,12 @@ static struct xfrm4_protocol vti_ipcomp4_protocol __read_mostly = {
+       .priority       =       100,
+ };
++static struct xfrm_tunnel ipip_handler __read_mostly = {
++      .handler        =       vti_rcv_ipip,
++      .err_handler    =       vti4_err,
++      .priority       =       0,
++};
++
+ static int __net_init vti_init_net(struct net *net)
+ {
+       int err;
+@@ -592,6 +633,13 @@ static int __init vti_init(void)
+       if (err < 0)
+               goto xfrm_proto_comp_failed;
++      msg = "ipip tunnel";
++      err = xfrm4_tunnel_register(&ipip_handler, AF_INET);
++      if (err < 0) {
++              pr_info("%s: cant't register tunnel\n",__func__);
++              goto xfrm_tunnel_failed;
++      }
++
+       msg = "netlink interface";
+       err = rtnl_link_register(&vti_link_ops);
+       if (err < 0)
+@@ -601,6 +649,8 @@ static int __init vti_init(void)
+ rtnl_link_failed:
+       xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP);
++xfrm_tunnel_failed:
++      xfrm4_tunnel_deregister(&ipip_handler, AF_INET);
+ xfrm_proto_comp_failed:
+       xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH);
+ xfrm_proto_ah_failed:
+-- 
+2.19.1
+
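Review bot: The unwind labels added to vti_init() are in the wrong order: a failure of xfrm4_tunnel_register() jumps to `xfrm_tunnel_failed`, which deregisters ipip_handler although it was never registered, and skips the deregistration of vti_ipcomp4_protocol, which was. The two cleanup calls should be swapped, so that `rtnl_link_failed:` is followed by `xfrm4_tunnel_deregister(&ipip_handler, AF_INET);` and `xfrm_tunnel_failed:` by `xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP);`. None of the hunks adds a matching xfrm4_tunnel_deregister() to the module exit path, so the handler presumably stays registered after unload; vti_fini() is outside the hunks and should be checked. The new log string also has a typo (`cant't`) and lacks a space before `__func__`.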
diff --git a/queue-4.4/x86-kexec-don-t-setup-efi-info-if-efi-runtime-is-not.patch b/queue-4.4/x86-kexec-don-t-setup-efi-info-if-efi-runtime-is-not.patch
new file mode 100644 (file)
index 0000000..0a907ad
--- /dev/null
@@ -0,0 +1,70 @@
+From 7723102b76ee6c60a2bd50eab3c68e0f40479a44 Mon Sep 17 00:00:00 2001
+From: Kairui Song <kasong@redhat.com>
+Date: Fri, 18 Jan 2019 19:13:08 +0800
+Subject: x86/kexec: Don't setup EFI info if EFI runtime is not enabled
+
+[ Upstream commit 2aa958c99c7fd3162b089a1a56a34a0cdb778de1 ]
+
+Kexec-ing a kernel with "efi=noruntime" on the first kernel's command
+line causes the following null pointer dereference:
+
+  BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+  #PF error: [normal kernel read fault]
+  Call Trace:
+   efi_runtime_map_copy+0x28/0x30
+   bzImage64_load+0x688/0x872
+   arch_kexec_kernel_image_load+0x6d/0x70
+   kimage_file_alloc_init+0x13e/0x220
+   __x64_sys_kexec_file_load+0x144/0x290
+   do_syscall_64+0x55/0x1a0
+   entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Just skip the EFI info setup if EFI runtime services are not enabled.
+
+ [ bp: Massage commit message. ]
+
+Suggested-by: Dave Young <dyoung@redhat.com>
+Signed-off-by: Kairui Song <kasong@redhat.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: Dave Young <dyoung@redhat.com>
+Cc: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: bhe@redhat.com
+Cc: David Howells <dhowells@redhat.com>
+Cc: erik.schmauss@intel.com
+Cc: fanc.fnst@cn.fujitsu.com
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: kexec@lists.infradead.org
+Cc: lenb@kernel.org
+Cc: linux-acpi@vger.kernel.org
+Cc: Philipp Rudo <prudo@linux.vnet.ibm.com>
+Cc: rafael.j.wysocki@intel.com
+Cc: robert.moore@intel.com
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: x86-ml <x86@kernel.org>
+Cc: Yannik Sembritzki <yannik@sembritzki.me>
+Link: https://lkml.kernel.org/r/20190118111310.29589-2-kasong@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/kexec-bzimage64.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
+index 0f8a6bbaaa44..0bf17576dd2a 100644
+--- a/arch/x86/kernel/kexec-bzimage64.c
++++ b/arch/x86/kernel/kexec-bzimage64.c
+@@ -168,6 +168,9 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
+       struct efi_info *current_ei = &boot_params.efi_info;
+       struct efi_info *ei = &params->efi_info;
++      if (!efi_enabled(EFI_RUNTIME_SERVICES))
++              return 0;
++
+       if (!current_ei->efi_memmap_size)
+               return 0;
+-- 
+2.19.1
+
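Review bot: The guard added at the top of setup_efi_state() returns 0 with no explanation, and the reason for it exists only in the commit message. A comment above it would keep that reason with the code, for example `/* without EFI runtime services efi_runtime_map_copy() dereferences NULL (efi=noruntime) */`. The same return value 0 is used by the efi_memmap_size check that follows, so a caller cannot tell "EFI info set up" from "skipped". The rest of the function and its callers are outside the hunk, so it is not visible here whether that distinction matters.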
diff --git a/queue-4.4/x86_64-increase-stack-size-for-kasan_extra.patch b/queue-4.4/x86_64-increase-stack-size-for-kasan_extra.patch
new file mode 100644 (file)
index 0000000..7dd3ab8
--- /dev/null
@@ -0,0 +1,82 @@
+From a718030c59b48e22a044ec5fbdd3db0bb3a4d941 Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Fri, 1 Feb 2019 14:20:20 -0800
+Subject: x86_64: increase stack size for KASAN_EXTRA
+
+[ Upstream commit a8e911d13540487942d53137c156bd7707f66e5d ]
+
+If the kernel is configured with KASAN_EXTRA, the stack size is
+increasted significantly because this option sets "-fstack-reuse" to
+"none" in GCC [1].  As a result, it triggers stack overrun quite often
+with 32k stack size compiled using GCC 8.  For example, this reproducer
+
+  https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/syscalls/madvise/madvise06.c
+
+triggers a "corrupted stack end detected inside scheduler" very reliably
+with CONFIG_SCHED_STACK_END_CHECK enabled.
+
+There are just too many functions that could have a large stack with
+KASAN_EXTRA due to large local variables that have been called over and
+over again without being able to reuse the stacks.  Some noticiable ones
+are
+
+  size
+  7648 shrink_page_list
+  3584 xfs_rmap_convert
+  3312 migrate_page_move_mapping
+  3312 dev_ethtool
+  3200 migrate_misplaced_transhuge_page
+  3168 copy_process
+
+There are other 49 functions are over 2k in size while compiling kernel
+with "-Wframe-larger-than=" even with a related minimal config on this
+machine.  Hence, it is too much work to change Makefiles for each object
+to compile without "-fsanitize-address-use-after-scope" individually.
+
+[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715#c23
+
+Although there is a patch in GCC 9 to help the situation, GCC 9 probably
+won't be released in a few months and then it probably take another
+6-month to 1-year for all major distros to include it as a default.
+Hence, the stack usage with KASAN_EXTRA can be revisited again in 2020
+when GCC 9 is everywhere.  Until then, this patch will help users avoid
+stack overrun.
+
+This has already been fixed for arm64 for the same reason via
+6e8830674ea ("arm64: kasan: Increase stack size for KASAN_EXTRA").
+
+Link: http://lkml.kernel.org/r/20190109215209.2903-1-cai@lca.pw
+Signed-off-by: Qian Cai <cai@lca.pw>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/page_64_types.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/x86/include/asm/page_64_types.h b/arch/x86/include/asm/page_64_types.h
+index 4928cf0d5af0..fb1251946b45 100644
+--- a/arch/x86/include/asm/page_64_types.h
++++ b/arch/x86/include/asm/page_64_types.h
+@@ -2,7 +2,11 @@
+ #define _ASM_X86_PAGE_64_DEFS_H
+ #ifdef CONFIG_KASAN
++#ifdef CONFIG_KASAN_EXTRA
++#define KASAN_STACK_ORDER 2
++#else
+ #define KASAN_STACK_ORDER 1
++#endif
+ #else
+ #define KASAN_STACK_ORDER 0
+ #endif
+-- 
+2.19.1
+
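Review bot: The new `#ifdef CONFIG_KASAN_EXTRA` branch only has an effect if the 4.4 tree defines that Kconfig symbol, and nothing in this patch adds it. KASAN_EXTRA appears to be a later addition than 4.4; if so, the branch is never taken in this queue and KASAN_STACK_ORDER stays at 1, making the backport a no-op. Please confirm the symbol exists in the target tree's KASAN Kconfig before queuing, or drop the patch from the 4.4 series.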
diff --git a/queue-4.4/xtensa-smp-fix-ccount_timer_shutdown.patch b/queue-4.4/xtensa-smp-fix-ccount_timer_shutdown.patch
new file mode 100644 (file)
index 0000000..bcb3d07
--- /dev/null
@@ -0,0 +1,55 @@
+From 04ea0be0a3ed8372dbc41be1b5f119a38792801d Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Mon, 29 Jan 2018 09:09:41 -0800
+Subject: xtensa: SMP: fix ccount_timer_shutdown
+
+[ Upstream commit 4fe8713b873fc881284722ce4ac47995de7cf62c ]
+
+ccount_timer_shutdown is called from the atomic context in the
+secondary_start_kernel, resulting in the following BUG:
+
+BUG: sleeping function called from invalid context
+in_atomic(): 1, irqs_disabled(): 1, pid: 0, name: swapper/1
+Preemption disabled at:
+  secondary_start_kernel+0xa1/0x130
+Call Trace:
+  ___might_sleep+0xe7/0xfc
+  __might_sleep+0x41/0x44
+  synchronize_irq+0x24/0x64
+  disable_irq+0x11/0x14
+  ccount_timer_shutdown+0x12/0x20
+  clockevents_switch_state+0x82/0xb4
+  clockevents_exchange_device+0x54/0x60
+  tick_check_new_device+0x46/0x70
+  clockevents_register_device+0x8c/0xc8
+  clockevents_config_and_register+0x1d/0x2c
+  local_timer_setup+0x75/0x7c
+  secondary_start_kernel+0xb4/0x130
+  should_never_return+0x32/0x35
+
+Use disable_irq_nosync instead of disable_irq to avoid it.
+This is safe because the ccount timer IRQ is per-CPU, and once IRQ is
+masked the ISR will not be called.
+
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/xtensa/kernel/time.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/xtensa/kernel/time.c b/arch/xtensa/kernel/time.c
+index b9ad9feadc2d..a992cb6a47db 100644
+--- a/arch/xtensa/kernel/time.c
++++ b/arch/xtensa/kernel/time.c
+@@ -87,7 +87,7 @@ static int ccount_timer_shutdown(struct clock_event_device *evt)
+               container_of(evt, struct ccount_timer, evt);
+       if (timer->irq_enabled) {
+-              disable_irq(evt->irq);
++              disable_irq_nosync(evt->irq);
+               timer->irq_enabled = 0;
+       }
+       return 0;
+-- 
+2.19.1
+
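Review bot: The switch to disable_irq_nosync() in ccount_timer_shutdown() relies on two facts that are stated only in the commit message: the function can be called in atomic context, and the ccount timer IRQ is per-CPU, so there is no handler on another CPU to wait for. A comment at the call, such as `/* may run in atomic context; the IRQ is per-CPU, so no need to synchronize */`, would stop a later change from restoring disable_irq() and the sleeping-in-atomic BUG with it. The function starts outside the hunk.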
diff --git a/queue-4.4/xtensa-smp-fix-secondary-cpu-initialization.patch b/queue-4.4/xtensa-smp-fix-secondary-cpu-initialization.patch
new file mode 100644 (file)
index 0000000..08cf6bf
--- /dev/null
@@ -0,0 +1,128 @@
+From 98b38d2cd82d185a179365f284a493a848628893 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Fri, 21 Dec 2018 08:26:20 -0800
+Subject: xtensa: SMP: fix secondary CPU initialization
+
+[ Upstream commit 32a7726c4f4aadfabdb82440d84f88a5a2c8fe13 ]
+
+- add missing memory barriers to the secondary CPU synchronization spin
+  loops; add comment to the matching memory barrier in the boot_secondary
+  and __cpu_die functions;
+- use READ_ONCE/WRITE_ONCE to access cpu_start_id/cpu_start_ccount
+  instead of reading/writing them directly;
+- re-initialize cpu_running every time before starting secondary CPU to
+  flush possible previous CPU startup results.
+
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/xtensa/kernel/head.S |  5 ++++-
+ arch/xtensa/kernel/smp.c  | 34 +++++++++++++++++++++-------------
+ 2 files changed, 25 insertions(+), 14 deletions(-)
+
+diff --git a/arch/xtensa/kernel/head.S b/arch/xtensa/kernel/head.S
+index c7b3bedbfffe..e3823b4f9d08 100644
+--- a/arch/xtensa/kernel/head.S
++++ b/arch/xtensa/kernel/head.S
+@@ -286,12 +286,13 @@ should_never_return:
+       movi    a2, cpu_start_ccount
+ 1:
++      memw
+       l32i    a3, a2, 0
+       beqi    a3, 0, 1b
+       movi    a3, 0
+       s32i    a3, a2, 0
+-      memw
+ 1:
++      memw
+       l32i    a3, a2, 0
+       beqi    a3, 0, 1b
+       wsr     a3, ccount
+@@ -328,11 +329,13 @@ ENTRY(cpu_restart)
+       rsr     a0, prid
+       neg     a2, a0
+       movi    a3, cpu_start_id
++      memw
+       s32i    a2, a3, 0
+ #if XCHAL_DCACHE_IS_WRITEBACK
+       dhwbi   a3, 0
+ #endif
+ 1:
++      memw
+       l32i    a2, a3, 0
+       dhi     a3, 0
+       bne     a2, a0, 1b
+diff --git a/arch/xtensa/kernel/smp.c b/arch/xtensa/kernel/smp.c
+index 4d02e38514f5..545144d1431d 100644
+--- a/arch/xtensa/kernel/smp.c
++++ b/arch/xtensa/kernel/smp.c
+@@ -192,9 +192,11 @@ static int boot_secondary(unsigned int cpu, struct task_struct *ts)
+       int i;
+ #ifdef CONFIG_HOTPLUG_CPU
+-      cpu_start_id = cpu;
+-      system_flush_invalidate_dcache_range(
+-                      (unsigned long)&cpu_start_id, sizeof(cpu_start_id));
++      WRITE_ONCE(cpu_start_id, cpu);
++      /* Pairs with the third memw in the cpu_restart */
++      mb();
++      system_flush_invalidate_dcache_range((unsigned long)&cpu_start_id,
++                                           sizeof(cpu_start_id));
+ #endif
+       smp_call_function_single(0, mx_cpu_start, (void *)cpu, 1);
+@@ -203,18 +205,21 @@ static int boot_secondary(unsigned int cpu, struct task_struct *ts)
+                       ccount = get_ccount();
+               while (!ccount);
+-              cpu_start_ccount = ccount;
++              WRITE_ONCE(cpu_start_ccount, ccount);
+-              while (time_before(jiffies, timeout)) {
++              do {
++                      /*
++                       * Pairs with the first two memws in the
++                       * .Lboot_secondary.
++                       */
+                       mb();
+-                      if (!cpu_start_ccount)
+-                              break;
+-              }
++                      ccount = READ_ONCE(cpu_start_ccount);
++              } while (ccount && time_before(jiffies, timeout));
+-              if (cpu_start_ccount) {
++              if (ccount) {
+                       smp_call_function_single(0, mx_cpu_stop,
+-                                      (void *)cpu, 1);
+-                      cpu_start_ccount = 0;
++                                               (void *)cpu, 1);
++                      WRITE_ONCE(cpu_start_ccount, 0);
+                       return -EIO;
+               }
+       }
+@@ -234,6 +239,7 @@ int __cpu_up(unsigned int cpu, struct task_struct *idle)
+       pr_debug("%s: Calling wakeup_secondary(cpu:%d, idle:%p, sp: %08lx)\n",
+                       __func__, cpu, idle, start_info.stack);
++      init_completion(&cpu_running);
+       ret = boot_secondary(cpu, idle);
+       if (ret == 0) {
+               wait_for_completion_timeout(&cpu_running,
+@@ -295,8 +301,10 @@ void __cpu_die(unsigned int cpu)
+       unsigned long timeout = jiffies + msecs_to_jiffies(1000);
+       while (time_before(jiffies, timeout)) {
+               system_invalidate_dcache_range((unsigned long)&cpu_start_id,
+-                              sizeof(cpu_start_id));
+-              if (cpu_start_id == -cpu) {
++                                             sizeof(cpu_start_id));
++              /* Pairs with the second memw in the cpu_restart */
++              mb();
++              if (READ_ONCE(cpu_start_id) == -cpu) {
+                       platform_cpu_kill(cpu);
+                       return;
+               }
+-- 
+2.19.1
+
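Review bot: The barrier comments added in smp.c identify their partners by position (`the third memw in the cpu_restart`, `the first two memws in the .Lboot_secondary`, `the second memw in the cpu_restart`), which goes stale silently as soon as a memw is added or removed in head.S. The head.S hunks add their memw instructions without any comment, so the pairing is documented on one side only. I would comment each added memw in head.S with the variable it orders and the C-side partner, for example `memw /* orders cpu_start_ccount accesses; pairs with mb() in boot_secondary() */`, and name the variable rather than the ordinal in the smp.c comments. boot_secondary(), __cpu_up() and __cpu_die() all start or end outside their hunks.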
diff --git a/queue-4.4/xtensa-smp-limit-number-of-possible-cpus-by-nr_cpus.patch b/queue-4.4/xtensa-smp-limit-number-of-possible-cpus-by-nr_cpus.patch
new file mode 100644 (file)
index 0000000..6923bb7
--- /dev/null
@@ -0,0 +1,49 @@
+From cd7c9b84490abf6f7e1040a7cb6b17f2b60b18b4 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Sat, 26 Jan 2019 20:35:18 -0800
+Subject: xtensa: SMP: limit number of possible CPUs by NR_CPUS
+
+[ Upstream commit 25384ce5f9530def39421597b1457d9462df6455 ]
+
+This fixes the following warning at boot when the kernel is booted on a
+board with more CPU cores than was configured in NR_CPUS:
+
+  smp_init_cpus: Core Count = 8
+  smp_init_cpus: Core Id = 0
+  ------------[ cut here ]------------
+  WARNING: CPU: 0 PID: 0 at include/linux/cpumask.h:121 smp_init_cpus+0x54/0x74
+  Modules linked in:
+  CPU: 0 PID: 0 Comm: swapper Not tainted 5.0.0-rc3-00015-g1459333f88a0 #124
+  Call Trace:
+    __warn$part$3+0x6a/0x7c
+    warn_slowpath_null+0x35/0x3c
+    smp_init_cpus+0x54/0x74
+    setup_arch+0x1c0/0x1d0
+    start_kernel+0x44/0x310
+    _startup+0x107/0x107
+
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/xtensa/kernel/smp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/xtensa/kernel/smp.c b/arch/xtensa/kernel/smp.c
+index 0e34c1ed4aa8..54bb8e0473a0 100644
+--- a/arch/xtensa/kernel/smp.c
++++ b/arch/xtensa/kernel/smp.c
+@@ -93,6 +93,11 @@ void __init smp_init_cpus(void)
+       pr_info("%s: Core Count = %d\n", __func__, ncpus);
+       pr_info("%s: Core Id = %d\n", __func__, core_id);
++      if (ncpus > NR_CPUS) {
++              ncpus = NR_CPUS;
++              pr_info("%s: limiting core count by %d\n", __func__, ncpus);
++      }
++
+       for (i = 0; i < ncpus; ++i)
+               set_cpu_possible(i, true);
+ }
+-- 
+2.19.1
+
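Review bot: The message added in smp_init_cpus() says `limiting core count by %d`, which reads as if the count were reduced by that amount, whereas the code clamps it to NR_CPUS. Since it reports that cores present on the board will not be used, a warning-level message such as `pr_warn("%s: limiting core count to %d\n", __func__, ncpus);` would be clearer. The function starts outside the hunk.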
diff --git a/queue-4.4/xtensa-smp-mark-each-possible-cpu-as-present.patch b/queue-4.4/xtensa-smp-mark-each-possible-cpu-as-present.patch
new file mode 100644 (file)
index 0000000..835d0e9
--- /dev/null
@@ -0,0 +1,32 @@
+From 4ddd1118c527ed190f71dc19440545dd8e9438dc Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Sat, 19 Jan 2019 00:26:48 -0800
+Subject: xtensa: SMP: mark each possible CPU as present
+
+[ Upstream commit 8b1c42cdd7181200dc1fff39dcb6ac1a3fac2c25 ]
+
+Otherwise it is impossible to enable CPUs after booting with 'maxcpus'
+parameter.
+
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/xtensa/kernel/smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/xtensa/kernel/smp.c b/arch/xtensa/kernel/smp.c
+index 545144d1431d..0e34c1ed4aa8 100644
+--- a/arch/xtensa/kernel/smp.c
++++ b/arch/xtensa/kernel/smp.c
+@@ -80,7 +80,7 @@ void __init smp_prepare_cpus(unsigned int max_cpus)
+ {
+       unsigned i;
+-      for (i = 0; i < max_cpus; ++i)
++      for_each_possible_cpu(i)
+               set_cpu_present(i, true);
+ }
+-- 
+2.19.1
+
diff --git a/queue-4.4/xtensa-smp_lx200_defconfig-fix-vectors-clash.patch b/queue-4.4/xtensa-smp_lx200_defconfig-fix-vectors-clash.patch
new file mode 100644 (file)
index 0000000..5517136
--- /dev/null
@@ -0,0 +1,33 @@
+From b20e832c65b5febf24bb3ae84f5dbe219376a4b7 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Thu, 24 Jan 2019 17:16:11 -0800
+Subject: xtensa: smp_lx200_defconfig: fix vectors clash
+
+[ Upstream commit 306b38305c0f86de7f17c5b091a95451dcc93d7d ]
+
+Secondary CPU reset vector overlaps part of the double exception handler
+code, resulting in weird crashes and hangups when running user code.
+Move exception vectors one page up so that they don't clash with the
+secondary CPU reset vector.
+
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/xtensa/configs/smp_lx200_defconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/xtensa/configs/smp_lx200_defconfig b/arch/xtensa/configs/smp_lx200_defconfig
+index 22eeacba37cc..199e05f85e89 100644
+--- a/arch/xtensa/configs/smp_lx200_defconfig
++++ b/arch/xtensa/configs/smp_lx200_defconfig
+@@ -35,6 +35,7 @@ CONFIG_SMP=y
+ CONFIG_HOTPLUG_CPU=y
+ # CONFIG_INITIALIZE_XTENSA_MMU_INSIDE_VMLINUX is not set
+ # CONFIG_PCI is not set
++CONFIG_VECTORS_OFFSET=0x00002000
+ CONFIG_XTENSA_PLATFORM_XTFPGA=y
+ CONFIG_CMDLINE_BOOL=y
+ CONFIG_CMDLINE="earlycon=uart8250,mmio32,0xfd050020,115200n8 console=ttyS0,115200n8 ip=dhcp root=/dev/nfs rw debug"
+-- 
+2.19.1
+