--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Chen Yu <yu.c.chen@intel.com>
+Date: Tue, 10 Apr 2018 23:07:51 +0800
+Subject: ACPI / PM: Blacklist Low Power S0 Idle _DSM for ThinkPad X1 Tablet(2016)
+
+From: Chen Yu <yu.c.chen@intel.com>
+
+[ Upstream commit 855c1c2fce8bdbd796cba1d1456ca8f0e876c2f1 ]
+
+ThinkPad X1 Tablet(2016) is reported to have issues with
+the Low Power S0 Idle _DSM interface and since this machine
+model generally can do ACPI S3 just fine, and user would
+like to use S3 as default sleep model, add a blacklist
+entry to disable that interface for ThinkPad X1 Tablet(2016).
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=199057
+Reported-and-tested-by: Robin Lee <robinlee.sysu@gmail.com>
+Signed-off-by: Chen Yu <yu.c.chen@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/sleep.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/acpi/sleep.c
++++ b/drivers/acpi/sleep.c
+@@ -364,6 +364,19 @@ static const struct dmi_system_id acpisl
+ DMI_MATCH(DMI_PRODUCT_NAME, "XPS 13 9360"),
+ },
+ },
++ /*
++ * ThinkPad X1 Tablet(2016) cannot do suspend-to-idle using
++ * the Low Power S0 Idle firmware interface (see
++ * https://bugzilla.kernel.org/show_bug.cgi?id=199057).
++ */
++ {
++ .callback = init_no_lps0,
++ .ident = "ThinkPad X1 Tablet(2016)",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "20GGA00L00"),
++ },
++ },
+ {},
+ };
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Thu, 19 Apr 2018 13:08:37 +0300
+Subject: ACPI / scan: Initialize watchdog before PNP
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+[ Upstream commit cc6a0e315a68e5db85bea347b0c5b0fe4a9a5904 ]
+
+At least on one Dell system the PNP motherboard resources device
+includes resources used by WDAT table. Since PNP gets initialized before
+WDAT it results following error and no watchdog:
+
+ platform wdat_wdt: failed to claim resource 3: [io 0x046a-0x046c]
+ ACPI: watchdog: Device creation failed: -16
+
+Now, the PNP system driver is already accustomed with the situation that
+it cannot reserve all those motherboard resources because drivers using
+those might have reserved them already. In addition putting WDAT table
+resources under motherboard resources device makes sense in general.
+
+Fix this by initializing WDAT right before PNP. This allows WDAT to
+reserve all its resources and still keeps PNP system driver happy.
+
+Reported-by: Shubhrata.Priyadarsh@dell.com
+Reported-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Acked-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/scan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -2150,10 +2150,10 @@ int __init acpi_scan_init(void)
+ acpi_cmos_rtc_init();
+ acpi_container_init();
+ acpi_memory_hotplug_init();
++ acpi_watchdog_init();
+ acpi_pnp_init();
+ acpi_int340x_thermal_init();
+ acpi_amba_init();
+- acpi_watchdog_init();
+ acpi_init_lpit();
+
+ acpi_scan_add_handler(&generic_device_handler);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Mon, 23 Apr 2018 14:16:03 +0300
+Subject: ACPI / watchdog: Prefer iTCO_wdt on Lenovo Z50-70
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+[ Upstream commit a0a37862a4e1844793d39aca9ccb8fecbdcb8659 ]
+
+WDAT table on Lenovo Z50-70 is using RTC SRAM (ports 0x70 and 0x71) to
+store state of the timer. This conflicts with Linux RTC driver
+(rtc-cmos.c) who fails to reserve those ports for itself preventing RTC
+from functioning. In addition the WDAT table seems not to be fully
+functional because it does not reset the system when the watchdog times
+out.
+
+On this system iTCO_wdt works just fine so we simply prefer to use it
+instead of WDAT. This makes RTC working again and also results working
+watchdog via iTCO_wdt.
+
+Reported-by: Peter Milley <pbmilley@gmail.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=199033
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpi_watchdog.c | 59 +++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 49 insertions(+), 10 deletions(-)
+
+--- a/drivers/acpi/acpi_watchdog.c
++++ b/drivers/acpi/acpi_watchdog.c
+@@ -12,23 +12,64 @@
+ #define pr_fmt(fmt) "ACPI: watchdog: " fmt
+
+ #include <linux/acpi.h>
++#include <linux/dmi.h>
+ #include <linux/ioport.h>
+ #include <linux/platform_device.h>
+
+ #include "internal.h"
+
++static const struct dmi_system_id acpi_watchdog_skip[] = {
++ {
++ /*
++ * On Lenovo Z50-70 there are two issues with the WDAT
++ * table. First some of the instructions use RTC SRAM
++ * to store persistent information. This does not work well
++ * with Linux RTC driver. Second, more important thing is
++ * that the instructions do not actually reset the system.
++ *
++ * On this particular system iTCO_wdt seems to work just
++ * fine so we prefer that over WDAT for now.
++ *
++ * See also https://bugzilla.kernel.org/show_bug.cgi?id=199033.
++ */
++ .ident = "Lenovo Z50-70",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "20354"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Z50-70"),
++ },
++ },
++ {}
++};
++
++static const struct acpi_table_wdat *acpi_watchdog_get_wdat(void)
++{
++ const struct acpi_table_wdat *wdat = NULL;
++ acpi_status status;
++
++ if (acpi_disabled)
++ return NULL;
++
++ if (dmi_check_system(acpi_watchdog_skip))
++ return NULL;
++
++ status = acpi_get_table(ACPI_SIG_WDAT, 0,
++ (struct acpi_table_header **)&wdat);
++ if (ACPI_FAILURE(status)) {
++ /* It is fine if there is no WDAT */
++ return NULL;
++ }
++
++ return wdat;
++}
++
+ /**
+ * Returns true if this system should prefer ACPI based watchdog instead of
+ * the native one (which are typically the same hardware).
+ */
+ bool acpi_has_watchdog(void)
+ {
+- struct acpi_table_header hdr;
+-
+- if (acpi_disabled)
+- return false;
+-
+- return ACPI_SUCCESS(acpi_get_table_header(ACPI_SIG_WDAT, 0, &hdr));
++ return !!acpi_watchdog_get_wdat();
+ }
+ EXPORT_SYMBOL_GPL(acpi_has_watchdog);
+
+@@ -41,12 +82,10 @@ void __init acpi_watchdog_init(void)
+ struct platform_device *pdev;
+ struct resource *resources;
+ size_t nresources = 0;
+- acpi_status status;
+ int i;
+
+- status = acpi_get_table(ACPI_SIG_WDAT, 0,
+- (struct acpi_table_header **)&wdat);
+- if (ACPI_FAILURE(status)) {
++ wdat = acpi_watchdog_get_wdat();
++ if (!wdat) {
+ /* It is fine if there is no WDAT */
+ return;
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 9 May 2018 22:03:18 +0100
+Subject: afs: Fix address list parsing
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 01fd79e6de74a447c5657913a335d9ce6508cdb1 ]
+
+The parsing of port specifiers in the address list obtained from the DNS
+resolution upcall doesn't work as in4_pton() and in6_pton() will fail on
+encountering an unexpected delimiter (in this case, the '+' marking the
+port number). However, in*_pton() can't be given multiple specifiers.
+
+Fix this by finding the delimiter in advance and not relying on in*_pton()
+to find the end of the address for us.
+
+Fixes: 8b2a464ced77 ("afs: Add an address list concept")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/addr_list.c | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+--- a/fs/afs/addr_list.c
++++ b/fs/afs/addr_list.c
+@@ -121,7 +121,7 @@ struct afs_addr_list *afs_parse_text_add
+ p = text;
+ do {
+ struct sockaddr_rxrpc *srx = &alist->addrs[alist->nr_addrs];
+- char tdelim = delim;
++ const char *q, *stop;
+
+ if (*p == delim) {
+ p++;
+@@ -130,28 +130,33 @@ struct afs_addr_list *afs_parse_text_add
+
+ if (*p == '[') {
+ p++;
+- tdelim = ']';
++ q = memchr(p, ']', end - p);
++ } else {
++ for (q = p; q < end; q++)
++ if (*q == '+' || *q == delim)
++ break;
+ }
+
+- if (in4_pton(p, end - p,
++ if (in4_pton(p, q - p,
+ (u8 *)&srx->transport.sin6.sin6_addr.s6_addr32[3],
+- tdelim, &p)) {
++ -1, &stop)) {
+ srx->transport.sin6.sin6_addr.s6_addr32[0] = 0;
+ srx->transport.sin6.sin6_addr.s6_addr32[1] = 0;
+ srx->transport.sin6.sin6_addr.s6_addr32[2] = htonl(0xffff);
+- } else if (in6_pton(p, end - p,
++ } else if (in6_pton(p, q - p,
+ srx->transport.sin6.sin6_addr.s6_addr,
+- tdelim, &p)) {
++ -1, &stop)) {
+ /* Nothing to do */
+ } else {
+ goto bad_address;
+ }
+
+- if (tdelim == ']') {
+- if (p == end || *p != ']')
+- goto bad_address;
++ if (stop != q)
++ goto bad_address;
++
++ p = q;
++ if (q < end && *q == ']')
+ p++;
+- }
+
+ if (p < end) {
+ if (*p == '+') {
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Marc Dionne <marc.dionne@auristor.com>
+Date: Fri, 11 May 2018 21:35:06 -0300
+Subject: afs: Fix afs_find_server search loop
+
+From: Marc Dionne <marc.dionne@auristor.com>
+
+[ Upstream commit f9c1bba3d392843f046d2ee27b4dfcec989d8a4b ]
+
+The code that looks up servers by addresses makes the assumption
+that the list of addresses for a server is sorted. It exits the
+loop if it finds that the target address is larger than the
+current candidate. As the list is not currently sorted, this
+can lead to a failure to find a matching server, which can cause
+callbacks from that server to be ignored.
+
+Remove the early exit case so that the complete list is searched.
+
+Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation")
+Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/server.c | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+--- a/fs/afs/server.c
++++ b/fs/afs/server.c
+@@ -66,12 +66,6 @@ struct afs_server *afs_find_server(struc
+ sizeof(struct in6_addr));
+ if (diff == 0)
+ goto found;
+- if (diff < 0) {
+- // TODO: Sort the list
+- //if (i == alist->nr_ipv4)
+- // goto not_found;
+- break;
+- }
+ }
+ }
+ } else {
+@@ -85,17 +79,10 @@ struct afs_server *afs_find_server(struc
+ (u32)b->sin6_addr.s6_addr32[3]);
+ if (diff == 0)
+ goto found;
+- if (diff < 0) {
+- // TODO: Sort the list
+- //if (i == 0)
+- // goto not_found;
+- break;
+- }
+ }
+ }
+ }
+
+- //not_found:
+ server = NULL;
+ found:
+ if (server && !atomic_inc_not_zero(&server->usage))
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 10 May 2018 08:43:04 +0100
+Subject: afs: Fix refcounting in callback registration
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit d4a96bec7a7362834ef5c31d7b2cc9bf36eb0570 ]
+
+The refcounting on afs_cb_interest struct objects in
+afs_register_server_cb_interest() is wrong as it uses the server list
+entry's call back interest pointer without regard for the fact that it
+might be replaced at any time and the object thrown away.
+
+Fix this by:
+
+ (1) Put a lock on the afs_server_list struct that can be used to
+ mediate access to the callback interest pointers in the servers array.
+
+ (2) Keep a ref on the callback interest that we get from the entry.
+
+ (3) Dropping the old reference held by vnode->cb_interest if we replace
+ the pointer.
+
+Fixes: c435ee34551e ("afs: Overhaul the callback handling")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/callback.c | 56 ++++++++++++++++++++++++++++++++++++---------------
+ fs/afs/internal.h | 7 ++++--
+ fs/afs/rotate.c | 4 +--
+ fs/afs/server_list.c | 7 ++++--
+ 4 files changed, 52 insertions(+), 22 deletions(-)
+
+--- a/fs/afs/callback.c
++++ b/fs/afs/callback.c
+@@ -23,36 +23,55 @@
+ /*
+ * Set up an interest-in-callbacks record for a volume on a server and
+ * register it with the server.
+- * - Called with volume->server_sem held.
++ * - Called with vnode->io_lock held.
+ */
+ int afs_register_server_cb_interest(struct afs_vnode *vnode,
+- struct afs_server_entry *entry)
++ struct afs_server_list *slist,
++ unsigned int index)
+ {
+- struct afs_cb_interest *cbi = entry->cb_interest, *vcbi, *new, *x;
++ struct afs_server_entry *entry = &slist->servers[index];
++ struct afs_cb_interest *cbi, *vcbi, *new, *old;
+ struct afs_server *server = entry->server;
+
+ again:
++ if (vnode->cb_interest &&
++ likely(vnode->cb_interest == entry->cb_interest))
++ return 0;
++
++ read_lock(&slist->lock);
++ cbi = afs_get_cb_interest(entry->cb_interest);
++ read_unlock(&slist->lock);
++
+ vcbi = vnode->cb_interest;
+ if (vcbi) {
+- if (vcbi == cbi)
++ if (vcbi == cbi) {
++ afs_put_cb_interest(afs_v2net(vnode), cbi);
+ return 0;
++ }
+
++ /* Use a new interest in the server list for the same server
++ * rather than an old one that's still attached to a vnode.
++ */
+ if (cbi && vcbi->server == cbi->server) {
+ write_seqlock(&vnode->cb_lock);
+- vnode->cb_interest = afs_get_cb_interest(cbi);
++ old = vnode->cb_interest;
++ vnode->cb_interest = cbi;
+ write_sequnlock(&vnode->cb_lock);
+- afs_put_cb_interest(afs_v2net(vnode), cbi);
++ afs_put_cb_interest(afs_v2net(vnode), old);
+ return 0;
+ }
+
++ /* Re-use the one attached to the vnode. */
+ if (!cbi && vcbi->server == server) {
+- afs_get_cb_interest(vcbi);
+- x = cmpxchg(&entry->cb_interest, cbi, vcbi);
+- if (x != cbi) {
+- cbi = x;
+- afs_put_cb_interest(afs_v2net(vnode), vcbi);
++ write_lock(&slist->lock);
++ if (entry->cb_interest) {
++ write_unlock(&slist->lock);
++ afs_put_cb_interest(afs_v2net(vnode), cbi);
+ goto again;
+ }
++
++ entry->cb_interest = cbi;
++ write_unlock(&slist->lock);
+ return 0;
+ }
+ }
+@@ -72,13 +91,16 @@ again:
+ list_add_tail(&new->cb_link, &server->cb_interests);
+ write_unlock(&server->cb_break_lock);
+
+- x = cmpxchg(&entry->cb_interest, cbi, new);
+- if (x == cbi) {
++ write_lock(&slist->lock);
++ if (!entry->cb_interest) {
++ entry->cb_interest = afs_get_cb_interest(new);
+ cbi = new;
++ new = NULL;
+ } else {
+- cbi = x;
+- afs_put_cb_interest(afs_v2net(vnode), new);
++ cbi = afs_get_cb_interest(entry->cb_interest);
+ }
++ write_unlock(&slist->lock);
++ afs_put_cb_interest(afs_v2net(vnode), new);
+ }
+
+ ASSERT(cbi);
+@@ -88,11 +110,13 @@ again:
+ */
+ write_seqlock(&vnode->cb_lock);
+
+- vnode->cb_interest = afs_get_cb_interest(cbi);
++ old = vnode->cb_interest;
++ vnode->cb_interest = cbi;
+ vnode->cb_s_break = cbi->server->cb_s_break;
+ clear_bit(AFS_VNODE_CB_PROMISED, &vnode->flags);
+
+ write_sequnlock(&vnode->cb_lock);
++ afs_put_cb_interest(afs_v2net(vnode), old);
+ return 0;
+ }
+
+--- a/fs/afs/internal.h
++++ b/fs/afs/internal.h
+@@ -399,6 +399,7 @@ struct afs_server_list {
+ unsigned short index; /* Server currently in use */
+ unsigned short vnovol_mask; /* Servers to be skipped due to VNOVOL */
+ unsigned int seq; /* Set to ->servers_seq when installed */
++ rwlock_t lock;
+ struct afs_server_entry servers[];
+ };
+
+@@ -605,13 +606,15 @@ extern void afs_init_callback_state(stru
+ extern void afs_break_callback(struct afs_vnode *);
+ extern void afs_break_callbacks(struct afs_server *, size_t,struct afs_callback[]);
+
+-extern int afs_register_server_cb_interest(struct afs_vnode *, struct afs_server_entry *);
++extern int afs_register_server_cb_interest(struct afs_vnode *,
++ struct afs_server_list *, unsigned int);
+ extern void afs_put_cb_interest(struct afs_net *, struct afs_cb_interest *);
+ extern void afs_clear_callback_interests(struct afs_net *, struct afs_server_list *);
+
+ static inline struct afs_cb_interest *afs_get_cb_interest(struct afs_cb_interest *cbi)
+ {
+- refcount_inc(&cbi->usage);
++ if (cbi)
++ refcount_inc(&cbi->usage);
+ return cbi;
+ }
+
+--- a/fs/afs/rotate.c
++++ b/fs/afs/rotate.c
+@@ -350,8 +350,8 @@ use_server:
+ * break request before we've finished decoding the reply and
+ * installing the vnode.
+ */
+- fc->ac.error = afs_register_server_cb_interest(
+- vnode, &fc->server_list->servers[fc->index]);
++ fc->ac.error = afs_register_server_cb_interest(vnode, fc->server_list,
++ fc->index);
+ if (fc->ac.error < 0)
+ goto failed;
+
+--- a/fs/afs/server_list.c
++++ b/fs/afs/server_list.c
+@@ -49,6 +49,7 @@ struct afs_server_list *afs_alloc_server
+ goto error;
+
+ refcount_set(&slist->usage, 1);
++ rwlock_init(&slist->lock);
+
+ /* Make sure a records exists for each server in the list. */
+ for (i = 0; i < vldb->nr_servers; i++) {
+@@ -64,9 +65,11 @@ struct afs_server_list *afs_alloc_server
+ goto error_2;
+ }
+
+- /* Insertion-sort by server pointer */
++ /* Insertion-sort by UUID */
+ for (j = 0; j < slist->nr_servers; j++)
+- if (slist->servers[j].server >= server)
++ if (memcmp(&slist->servers[j].server->uuid,
++ &server->uuid,
++ sizeof(server->uuid)) >= 0)
+ break;
+ if (j < slist->nr_servers) {
+ if (slist->servers[j].server == server) {
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 18 Apr 2018 09:38:34 +0100
+Subject: afs: Fix server record deletion
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 660625922b3d9fcb376e5870299bc5c1086e1d32 ]
+
+AFS server records get removed from the net->fs_servers tree when
+they're deleted, but not from the net->fs_addresses{4,6} lists, which
+can lead to an oops in afs_find_server() when a server record has been
+removed, for instance during rmmod.
+
+Fix this by deleting the record from the by-address lists before posting
+it for RCU destruction.
+
+The reason this hasn't been noticed before is that the fileserver keeps
+probing the local cache manager, thereby keeping the service record
+alive, so the oops would only happen when a fileserver eventually gets
+bored and stops pinging or if the module gets rmmod'd and a call comes
+in from the fileserver during the window between the server records
+being destroyed and the socket being closed.
+
+The oops looks something like:
+
+ BUG: unable to handle kernel NULL pointer dereference at 000000000000001c
+ ...
+ Workqueue: kafsd afs_process_async_call [kafs]
+ RIP: 0010:afs_find_server+0x271/0x36f [kafs]
+ ...
+ Call Trace:
+ afs_deliver_cb_init_call_back_state3+0x1f2/0x21f [kafs]
+ afs_deliver_to_call+0x1ee/0x5e8 [kafs]
+ afs_process_async_call+0x5b/0xd0 [kafs]
+ process_one_work+0x2c2/0x504
+ worker_thread+0x1d4/0x2ac
+ kthread+0x11f/0x127
+ ret_from_fork+0x24/0x30
+
+Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/server.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/afs/server.c
++++ b/fs/afs/server.c
+@@ -426,8 +426,15 @@ static void afs_gc_servers(struct afs_ne
+ }
+ write_sequnlock(&net->fs_lock);
+
+- if (deleted)
++ if (deleted) {
++ write_seqlock(&net->fs_addr_lock);
++ if (!hlist_unhashed(&server->addr4_link))
++ hlist_del_rcu(&server->addr4_link);
++ if (!hlist_unhashed(&server->addr6_link))
++ hlist_del_rcu(&server->addr6_link);
++ write_sequnlock(&net->fs_addr_lock);
+ afs_destroy_server(net, server);
++ }
+ }
+ }
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 10 May 2018 14:22:38 +0100
+Subject: afs: Fix server rotation's handling of fileserver probe failure
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit ec5a3b4b507efca903d848518dcf2ebf7b04b466 ]
+
+The server rotation algorithm just gives up if it fails to probe a
+fileserver. Fix this by rotating to the next fileserver instead.
+
+Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/rotate.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/fs/afs/rotate.c
++++ b/fs/afs/rotate.c
+@@ -369,8 +369,16 @@ use_server:
+ if (!test_bit(AFS_SERVER_FL_PROBED, &server->flags)) {
+ fc->ac.alist = afs_get_addrlist(alist);
+
+- if (!afs_probe_fileserver(fc))
+- goto failed;
++ if (!afs_probe_fileserver(fc)) {
++ switch (fc->ac.error) {
++ case -ENOMEM:
++ case -ERESTARTSYS:
++ case -EINTR:
++ goto failed;
++ default:
++ goto next_server;
++ }
++ }
+ }
+
+ if (!fc->ac.alist)
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: David Howells <dhowells@redhat.com>
+Date: Fri, 11 May 2018 23:21:35 +0100
+Subject: afs: Fix the handling of CB.InitCallBackState3 to find the server by UUID
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 001ab5a67ee5d191c64aebf4b4ef8c7a0dcfd2bc ]
+
+Fix the handling of the CB.InitCallBackState3 service call to find the
+record of a server that we're using by looking it up by the UUID passed as
+the parameter rather than by its address (of which it might have many, and
+which may change).
+
+Fixes: c35eccb1f614 ("[AFS]: Implement the CB.InitCallBackState3 operation.")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/cmservice.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/afs/cmservice.c
++++ b/fs/afs/cmservice.c
+@@ -341,7 +341,6 @@ static int afs_deliver_cb_init_call_back
+ */
+ static int afs_deliver_cb_init_call_back_state3(struct afs_call *call)
+ {
+- struct sockaddr_rxrpc srx;
+ struct afs_server *server;
+ struct afs_uuid *r;
+ unsigned loop;
+@@ -398,8 +397,9 @@ static int afs_deliver_cb_init_call_back
+
+ /* we'll need the file server record as that tells us which set of
+ * vnodes to operate upon */
+- rxrpc_kernel_get_peer(call->net->socket, call->rxcall, &srx);
+- server = afs_find_server(call->net, &srx);
++ rcu_read_lock();
++ server = afs_find_server_by_uuid(call->net, call->request);
++ rcu_read_unlock();
+ if (!server)
+ return -ENOTCONN;
+ call->cm_server = server;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 10 May 2018 23:10:40 +0100
+Subject: afs: Fix the non-encryption of calls
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 4776cab43fd3111618112737a257dc3ef368eddd ]
+
+Some AFS servers refuse to accept unencrypted traffic, so can't be accessed
+with kAFS. Set the AF_RXRPC security level to encrypt client calls to deal
+with this.
+
+Note that incoming service calls are set by the remote client and so aren't
+affected by this.
+
+This requires an AF_RXRPC patch to pass the value set by setsockopt to calls
+begun by the kernel.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/rxrpc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/afs/rxrpc.c
++++ b/fs/afs/rxrpc.c
+@@ -41,6 +41,7 @@ int afs_open_socket(struct afs_net *net)
+ {
+ struct sockaddr_rxrpc srx;
+ struct socket *socket;
++ unsigned int min_level;
+ int ret;
+
+ _enter("");
+@@ -60,6 +61,12 @@ int afs_open_socket(struct afs_net *net)
+ srx.transport.sin6.sin6_family = AF_INET6;
+ srx.transport.sin6.sin6_port = htons(AFS_CM_PORT);
+
++ min_level = RXRPC_SECURITY_ENCRYPT;
++ ret = kernel_setsockopt(socket, SOL_RXRPC, RXRPC_MIN_SECURITY_LEVEL,
++ (void *)&min_level, sizeof(min_level));
++ if (ret < 0)
++ goto error_2;
++
+ ret = kernel_bind(socket, (struct sockaddr *) &srx, sizeof(srx));
+ if (ret == -EADDRINUSE) {
+ srx.transport.sin6.sin6_port = 0;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: David Howells <dhowells@redhat.com>
+Date: Fri, 11 May 2018 22:55:59 +0100
+Subject: afs: Fix VNOVOL handling in address rotation
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 3d9fa91161387ee629e7a07c47934d119910c8ae ]
+
+If a volume location record lists multiple file servers for a volume, then
+it's possible that due to a misconfiguration or a changing configuration
+that one of the file servers doesn't know about it yet and will abort
+VNOVOL. Currently, the rotation algorithm will stop with EREMOTEIO.
+
+Fix this by moving on to try the next server if VNOVOL is returned. Once
+all the servers have been tried and the record rechecked, the algorithm
+will stop with EREMOTEIO or ENOMEDIUM.
+
+Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation")
+Reported-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/rotate.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/afs/rotate.c
++++ b/fs/afs/rotate.c
+@@ -179,7 +179,7 @@ bool afs_select_fileserver(struct afs_fs
+ */
+ if (fc->flags & AFS_FS_CURSOR_VNOVOL) {
+ fc->ac.error = -EREMOTEIO;
+- goto failed;
++ goto next_server;
+ }
+
+ write_lock(&vnode->volume->servers_lock);
+@@ -201,7 +201,7 @@ bool afs_select_fileserver(struct afs_fs
+ */
+ if (vnode->volume->servers == fc->server_list) {
+ fc->ac.error = -EREMOTEIO;
+- goto failed;
++ goto next_server;
+ }
+
+ /* Try again */
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Mathieu Malaterre <malat@debian.org>
+Date: Sat, 5 May 2018 21:54:05 +0200
+Subject: agp: uninorth: make two functions static
+
+From: Mathieu Malaterre <malat@debian.org>
+
+[ Upstream commit dec60f3a9b7251f2657d743d96ba9a83dca02351 ]
+
+Both ‘uninorth_remove_memory’ and ‘null_cache_flush’ can be made
+static. So make them.
+
+Silence the following gcc warning (W=1):
+
+ drivers/char/agp/uninorth-agp.c:198:5: warning: no previous prototype for ‘uninorth_remove_memory’ [-Wmissing-prototypes]
+
+and
+
+ drivers/char/agp/uninorth-agp.c:473:6: warning: no previous prototype for ‘null_cache_flush’ [-Wmissing-prototypes]
+
+Signed-off-by: Mathieu Malaterre <malat@debian.org>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/agp/uninorth-agp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/agp/uninorth-agp.c
++++ b/drivers/char/agp/uninorth-agp.c
+@@ -195,7 +195,7 @@ static int uninorth_insert_memory(struct
+ return 0;
+ }
+
+-int uninorth_remove_memory(struct agp_memory *mem, off_t pg_start, int type)
++static int uninorth_remove_memory(struct agp_memory *mem, off_t pg_start, int type)
+ {
+ size_t i;
+ u32 *gp;
+@@ -470,7 +470,7 @@ static int uninorth_free_gatt_table(stru
+ return 0;
+ }
+
+-void null_cache_flush(void)
++static void null_cache_flush(void)
+ {
+ mb();
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: "Łukasz Stelmach" <l.stelmach@samsung.com>
+Date: Tue, 3 Apr 2018 09:04:57 +0100
+Subject: ARM: 8753/1: decompressor: add a missing parameter to the addruart macro
+
+From: "Łukasz Stelmach" <l.stelmach@samsung.com>
+
+[ Upstream commit e07e3c33b9c0b5751ade624f44325c9bf2487ea6 ]
+
+In commit 639da5ee374b ("ARM: add an extra temp register to the low
+level debugging addruart macro") an additional temporary register was
+added to the addruart macro, but the decompressor code wasn't updated.
+
+Fixes: 639da5ee374b ("ARM: add an extra temp register to the low level debugging addruart macro")
+Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/compressed/head.S | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/arch/arm/boot/compressed/head.S
++++ b/arch/arm/boot/compressed/head.S
+@@ -29,19 +29,19 @@
+ #if defined(CONFIG_DEBUG_ICEDCC)
+
+ #if defined(CONFIG_CPU_V6) || defined(CONFIG_CPU_V6K) || defined(CONFIG_CPU_V7)
+- .macro loadsp, rb, tmp
++ .macro loadsp, rb, tmp1, tmp2
+ .endm
+ .macro writeb, ch, rb
+ mcr p14, 0, \ch, c0, c5, 0
+ .endm
+ #elif defined(CONFIG_CPU_XSCALE)
+- .macro loadsp, rb, tmp
++ .macro loadsp, rb, tmp1, tmp2
+ .endm
+ .macro writeb, ch, rb
+ mcr p14, 0, \ch, c8, c0, 0
+ .endm
+ #else
+- .macro loadsp, rb, tmp
++ .macro loadsp, rb, tmp1, tmp2
+ .endm
+ .macro writeb, ch, rb
+ mcr p14, 0, \ch, c1, c0, 0
+@@ -57,7 +57,7 @@
+ .endm
+
+ #if defined(CONFIG_ARCH_SA1100)
+- .macro loadsp, rb, tmp
++ .macro loadsp, rb, tmp1, tmp2
+ mov \rb, #0x80000000 @ physical base address
+ #ifdef CONFIG_DEBUG_LL_SER3
+ add \rb, \rb, #0x00050000 @ Ser3
+@@ -66,8 +66,8 @@
+ #endif
+ .endm
+ #else
+- .macro loadsp, rb, tmp
+- addruart \rb, \tmp
++ .macro loadsp, rb, tmp1, tmp2
++ addruart \rb, \tmp1, \tmp2
+ .endm
+ #endif
+ #endif
+@@ -1297,7 +1297,7 @@ phex: adr r3, phexbuf
+ b 1b
+
+ @ puts corrupts {r0, r1, r2, r3}
+-puts: loadsp r3, r1
++puts: loadsp r3, r2, r1
+ 1: ldrb r2, [r0], #1
+ teq r2, #0
+ moveq pc, lr
+@@ -1314,8 +1314,8 @@ puts: loadsp r3, r1
+ @ putc corrupts {r0, r1, r2, r3}
+ putc:
+ mov r2, r0
++ loadsp r3, r1, r0
+ mov r0, #0
+- loadsp r3, r1
+ b 2b
+
+ @ memdump corrupts {r0, r1, r2, r3, r10, r11, r12, lr}
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: "Łukasz Stelmach" <l.stelmach@samsung.com>
+Date: Wed, 4 Apr 2018 08:46:58 +0100
+Subject: ARM: 8758/1: decompressor: restore r1 and r2 just before jumping to the kernel
+
+From: "Łukasz Stelmach" <l.stelmach@samsung.com>
+
+[ Upstream commit f2ae9de019e4e2807d812ec4fe1df7c34788a0a0 ]
+
+The hypervisor setup before __enter_kernel destroys the value
+sotred in r1. The value needs to be restored just before the jump.
+
+Fixes: 6b52f7bdb888 ("ARM: hyp-stub: Use r1 for the soft-restart address")
+Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/compressed/head.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/compressed/head.S
++++ b/arch/arm/boot/compressed/head.S
+@@ -561,8 +561,6 @@ not_relocated: mov r0, #0
+ bl decompress_kernel
+ bl cache_clean_flush
+ bl cache_off
+- mov r1, r7 @ restore architecture number
+- mov r2, r8 @ restore atags pointer
+
+ #ifdef CONFIG_ARM_VIRT_EXT
+ mrs r0, spsr @ Get saved CPU boot mode
+@@ -1365,6 +1363,8 @@ __hyp_reentry_vectors:
+
+ __enter_kernel:
+ mov r0, #0 @ must be 0
++ mov r1, r7 @ restore architecture number
++ mov r2, r8 @ restore atags pointer
+ ARM( mov pc, r4 ) @ call kernel
+ M_CLASS( add r4, r4, #1 ) @ enter in Thumb mode for M class
+ THUMB( bx r4 ) @ entry point is always ARM for A/R classes
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Sekhar Nori <nsekhar@ti.com>
+Date: Tue, 24 Apr 2018 20:05:03 +0530
+Subject: ARM: davinci: board-da830-evm: fix GPIO lookup for MMC/SD
+
+From: Sekhar Nori <nsekhar@ti.com>
+
+[ Upstream commit 51e9f12163223546bd3aa9f7af6817931f980da8 ]
+
+The GPIO chip is called davinci_gpio.0 in legacy mode. Fix it, so that
+mmc can correctly lookup the wp and cp gpios. Also fix the GPIO numbers
+as they are not offsets within a bank.
+
+Note that it is the gpio-davinci driver that sets the gpiochip label to
+davinci_gpio.0.
+
+Fixes: b5e1438cf98a ("ARM: davinci: da830-evm: use gpio descriptor for mmc pins")
+Reported-by: David Lechner <david@lechnology.com>
+Reviewed-by: David Lechner <david@lechnology.com>
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-davinci/board-da830-evm.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mach-davinci/board-da830-evm.c
++++ b/arch/arm/mach-davinci/board-da830-evm.c
+@@ -205,12 +205,17 @@ static const short da830_evm_mmc_sd_pins
+ -1
+ };
+
++#define DA830_MMCSD_WP_PIN GPIO_TO_PIN(2, 1)
++#define DA830_MMCSD_CD_PIN GPIO_TO_PIN(2, 2)
++
+ static struct gpiod_lookup_table mmc_gpios_table = {
+ .dev_id = "da830-mmc.0",
+ .table = {
+ /* gpio chip 1 contains gpio range 32-63 */
+- GPIO_LOOKUP("davinci_gpio.1", 2, "cd", GPIO_ACTIVE_LOW),
+- GPIO_LOOKUP("davinci_gpio.1", 1, "wp", GPIO_ACTIVE_LOW),
++ GPIO_LOOKUP("davinci_gpio.0", DA830_MMCSD_CD_PIN, "cd",
++ GPIO_ACTIVE_LOW),
++ GPIO_LOOKUP("davinci_gpio.0", DA830_MMCSD_WP_PIN, "wp",
++ GPIO_ACTIVE_LOW),
+ },
+ };
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Sekhar Nori <nsekhar@ti.com>
+Date: Tue, 24 Apr 2018 20:05:04 +0530
+Subject: ARM: davinci: board-da850-evm: fix GPIO lookup for MMC/SD
+
+From: Sekhar Nori <nsekhar@ti.com>
+
+[ Upstream commit 67c6b6ff221f807180aea6dd597246f87e1dd98a ]
+
+The GPIO chip is called davinci_gpio.0 in legacy mode. Fix it, so that
+mmc can correctly lookup the wp and cp gpios. Also fix the GPIO numbers
+as they are not offsets within a bank.
+
+Note that it is the gpio-davinci driver that sets the gpiochip label to
+davinci_gpio.0.
+
+Fixes: bdf0e8364fd3 ("ARM: davinci: da850-evm: use gpio descriptor for mmc pins")
+Reviewed-by: David Lechner <david@lechnology.com>
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-davinci/board-da850-evm.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mach-davinci/board-da850-evm.c
++++ b/arch/arm/mach-davinci/board-da850-evm.c
+@@ -763,12 +763,17 @@ static const short da850_evm_mcasp_pins[
+ -1
+ };
+
++#define DA850_MMCSD_CD_PIN GPIO_TO_PIN(4, 0)
++#define DA850_MMCSD_WP_PIN GPIO_TO_PIN(4, 1)
++
+ static struct gpiod_lookup_table mmc_gpios_table = {
+ .dev_id = "da830-mmc.0",
+ .table = {
+ /* gpio chip 2 contains gpio range 64-95 */
+- GPIO_LOOKUP("davinci_gpio.2", 0, "cd", GPIO_ACTIVE_LOW),
+- GPIO_LOOKUP("davinci_gpio.2", 1, "wp", GPIO_ACTIVE_LOW),
++ GPIO_LOOKUP("davinci_gpio.0", DA850_MMCSD_CD_PIN, "cd",
++ GPIO_ACTIVE_LOW),
++ GPIO_LOOKUP("davinci_gpio.0", DA850_MMCSD_WP_PIN, "wp",
++ GPIO_ACTIVE_LOW),
+ },
+ };
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Sekhar Nori <nsekhar@ti.com>
+Date: Wed, 25 Apr 2018 14:53:23 +0530
+Subject: ARM: davinci: board-dm355-evm: fix broken networking
+
+From: Sekhar Nori <nsekhar@ti.com>
+
+[ Upstream commit 5c054de228dd6d97bf8e38962bd118953b66e5a0 ]
+
+Since commit 09f3756bb9a8 ("dm9000: Return an ERR_PTR() in all
+error conditions of dm9000_parse_dt()"), passing either non-NULL
+platform data or device-tree for dm9000 driver to probe is
+mandatory.
+
+DM335 board was using none, so networking failed to initialize.
+Fix it by passing non-NULL (but empty) platform data.
+
+Fixes: 09f3756bb9a8 ("dm9000: Return an ERR_PTR() in all error conditions of dm9000_parse_dt()")
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-davinci/board-dm355-evm.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/arm/mach-davinci/board-dm355-evm.c
++++ b/arch/arm/mach-davinci/board-dm355-evm.c
+@@ -19,6 +19,7 @@
+ #include <linux/gpio.h>
+ #include <linux/gpio/machine.h>
+ #include <linux/clk.h>
++#include <linux/dm9000.h>
+ #include <linux/videodev2.h>
+ #include <media/i2c/tvp514x.h>
+ #include <linux/spi/spi.h>
+@@ -179,11 +180,16 @@ static struct resource dm355evm_dm9000_r
+ },
+ };
+
++static struct dm9000_plat_data dm335evm_dm9000_platdata;
++
+ static struct platform_device dm355evm_dm9000 = {
+ .name = "dm9000",
+ .id = -1,
+ .resource = dm355evm_dm9000_rsrc,
+ .num_resources = ARRAY_SIZE(dm355evm_dm9000_rsrc),
++ .dev = {
++ .platform_data = &dm335evm_dm9000_platdata,
++ },
+ };
+
+ static struct tvp514x_platform_data tvp5146_pdata = {
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Sekhar Nori <nsekhar@ti.com>
+Date: Fri, 11 May 2018 20:51:35 +0530
+Subject: ARM: davinci: board-dm646x-evm: pass correct I2C adapter id for VPIF
+
+From: Sekhar Nori <nsekhar@ti.com>
+
+[ Upstream commit 7d46899d57f8b61eb28701d9a4043b71e3392c26 ]
+
+commit a16cb91ad9c4 ("[media] media: vpif: use a configurable
+i2c_adapter_id for vpif display") removed hardcoded I2C adaptor
+setting in VPIF driver, but missed updating platform data passed
+from DM646x board.
+
+Fix it.
+
+Fixes: a16cb91ad9c4 ("[media] media: vpif: use a configurable i2c_adapter_id for vpif display")
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-davinci/board-dm646x-evm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm/mach-davinci/board-dm646x-evm.c
++++ b/arch/arm/mach-davinci/board-dm646x-evm.c
+@@ -534,6 +534,7 @@ static struct vpif_display_config dm646x
+ .set_clock = set_vpif_clock,
+ .subdevinfo = dm646x_vpif_subdev,
+ .subdev_count = ARRAY_SIZE(dm646x_vpif_subdev),
++ .i2c_adapter_id = 1,
+ .chan_config[0] = {
+ .outputs = dm6467_ch0_outputs,
+ .output_count = ARRAY_SIZE(dm6467_ch0_outputs),
+@@ -676,6 +677,7 @@ static struct vpif_capture_config dm646x
+ .setup_input_channel_mode = setup_vpif_input_channel_mode,
+ .subdev_info = vpif_capture_sdev_info,
+ .subdev_count = ARRAY_SIZE(vpif_capture_sdev_info),
++ .i2c_adapter_id = 1,
+ .chan_config[0] = {
+ .inputs = dm6467_ch0_inputs,
+ .input_count = ARRAY_SIZE(dm6467_ch0_inputs),
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Sekhar Nori <nsekhar@ti.com>
+Date: Fri, 11 May 2018 20:51:36 +0530
+Subject: ARM: davinci: board-dm646x-evm: set VPIF capture card name
+
+From: Sekhar Nori <nsekhar@ti.com>
+
+[ Upstream commit bb7298a7e87cf3430eb62be8746e5d7a07ca9d7c ]
+
+VPIF capture driver expects card name to be set since it
+uses it without checking for NULL. The commit which
+introduced VPIF display and capture support added card
+name only for display, not for capture.
+
+Set it in platform data to probe driver successfully.
+
+While at it, also fix the display card name to something more
+appropriate.
+
+Fixes: 85609c1ccda6 ("DaVinci: DM646x - platform changes for vpif capture and display drivers")
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-davinci/board-dm646x-evm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/mach-davinci/board-dm646x-evm.c
++++ b/arch/arm/mach-davinci/board-dm646x-evm.c
+@@ -539,7 +539,7 @@ static struct vpif_display_config dm646x
+ .outputs = dm6467_ch0_outputs,
+ .output_count = ARRAY_SIZE(dm6467_ch0_outputs),
+ },
+- .card_name = "DM646x EVM",
++ .card_name = "DM646x EVM Video Display",
+ };
+
+ /**
+@@ -698,6 +698,7 @@ static struct vpif_capture_config dm646x
+ .fid_pol = 0,
+ },
+ },
++ .card_name = "DM646x EVM Video Capture",
+ };
+
+ static void __init evm_init_video(void)
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Sekhar Nori <nsekhar@ti.com>
+Date: Tue, 24 Apr 2018 20:05:06 +0530
+Subject: ARM: davinci: board-omapl138-hawk: fix GPIO numbers for MMC/SD lookup
+
+From: Sekhar Nori <nsekhar@ti.com>
+
+[ Upstream commit d45622c0eaa5992a1a2248cbe93e1ff7a2da7be4 ]
+
+commit c4dc56be7e26 ("ARM: davinci: fix the GPIO lookup for omapl138-hawk")
+fixed the GPIO chip name for look-up of MMC/SD CD and WP pins, but forgot
+to change the GPIO numbers passed.
+
+The GPIO numbers are not offsets from within a 32 GPIO bank. Fix the
+GPIO numbers as well as remove the misleading comment.
+
+Fixes: c4dc56be7e26 ("ARM: davinci: fix the GPIO lookup for omapl138-hawk")
+Reviewed-by: David Lechner <david@lechnology.com>
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-davinci/board-omapl138-hawk.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/arch/arm/mach-davinci/board-omapl138-hawk.c
++++ b/arch/arm/mach-davinci/board-omapl138-hawk.c
+@@ -123,12 +123,16 @@ static const short hawk_mmcsd0_pins[] =
+ -1
+ };
+
++#define DA850_HAWK_MMCSD_CD_PIN GPIO_TO_PIN(3, 12)
++#define DA850_HAWK_MMCSD_WP_PIN GPIO_TO_PIN(3, 13)
++
+ static struct gpiod_lookup_table mmc_gpios_table = {
+ .dev_id = "da830-mmc.0",
+ .table = {
+- /* CD: gpio3_12: gpio60: chip 1 contains gpio range 32-63*/
+- GPIO_LOOKUP("davinci_gpio.0", 28, "cd", GPIO_ACTIVE_LOW),
+- GPIO_LOOKUP("davinci_gpio.0", 29, "wp", GPIO_ACTIVE_LOW),
++ GPIO_LOOKUP("davinci_gpio.0", DA850_HAWK_MMCSD_CD_PIN, "cd",
++ GPIO_ACTIVE_LOW),
++ GPIO_LOOKUP("davinci_gpio.0", DA850_HAWK_MMCSD_WP_PIN, "wp",
++ GPIO_ACTIVE_LOW),
+ },
+ };
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Sekhar Nori <nsekhar@ti.com>
+Date: Fri, 11 May 2018 20:51:34 +0530
+Subject: ARM: davinci: dm646x: fix timer interrupt generation
+
+From: Sekhar Nori <nsekhar@ti.com>
+
+[ Upstream commit 73d4337ed9ceddef4b2f0e226634d5f985aa2d1c ]
+
+commit b38434145b34 ("ARM: davinci: irqs: Correct McASP1 TX interrupt
+definition for DM646x") inadvertently removed priority setting for
+timer0_12 (bottom half of timer0). This timer is used as clockevent.
+
+When INTPRIn register setting for an interrupt is left at 0, it is
+mapped to FIQ by the AINTC causing the timer interrupt to not get
+generated.
+
+Fix it by including an entry for timer0_12 in interrupt priority map
+array. While at it, move the clockevent comment to the right place.
+
+Fixes: b38434145b34 ("ARM: davinci: irqs: Correct McASP1 TX interrupt definition for DM646x")
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-davinci/dm646x.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/mach-davinci/dm646x.c
++++ b/arch/arm/mach-davinci/dm646x.c
+@@ -495,7 +495,8 @@ static u8 dm646x_default_priorities[DAVI
+ [IRQ_DM646X_MCASP0TXINT] = 7,
+ [IRQ_DM646X_MCASP0RXINT] = 7,
+ [IRQ_DM646X_RESERVED_3] = 7,
+- [IRQ_DM646X_MCASP1TXINT] = 7, /* clockevent */
++ [IRQ_DM646X_MCASP1TXINT] = 7,
++ [IRQ_TINT0_TINT12] = 7, /* clockevent */
+ [IRQ_TINT0_TINT34] = 7, /* clocksource */
+ [IRQ_TINT1_TINT12] = 7, /* DSP timer */
+ [IRQ_TINT1_TINT34] = 7, /* system tick */
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Sekhar Nori <nsekhar@ti.com>
+Date: Wed, 18 Apr 2018 15:02:46 +0530
+Subject: ARM: davinci: fix GPIO lookup for I2C
+
+From: Sekhar Nori <nsekhar@ti.com>
+
+[ Upstream commit 9411ac07cd764be34bbd7ff09125a6b7b9175d4c ]
+
+The GPIO chip is called davinci_gpio.0 in legacy mode. Fix it, so that
+I2C can correctly lookup the recovery gpios.
+
+Note that it is the gpio-davinci driver that sets the gpiochip label to
+davinci_gpio.0.
+
+Also, the I2C device uses an id of 1 on DM644x and DM355.
+
+While at it, convert to using GPIO_TO_PIN() for referring to GPIO pin
+numbers, like it is done in rest of the board support files.
+
+Fixes: e53537653791 ("i2c/ARM: davinci: Deep refactoring of I2C recovery")
+Reviewed-by: David Lechner <david@lechnology.com>
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-davinci/board-dm355-evm.c | 9 ++++++---
+ arch/arm/mach-davinci/board-dm644x-evm.c | 10 +++++++---
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+--- a/arch/arm/mach-davinci/board-dm355-evm.c
++++ b/arch/arm/mach-davinci/board-dm355-evm.c
+@@ -110,12 +110,15 @@ static struct platform_device davinci_na
+ },
+ };
+
++#define DM355_I2C_SDA_PIN GPIO_TO_PIN(0, 15)
++#define DM355_I2C_SCL_PIN GPIO_TO_PIN(0, 14)
++
+ static struct gpiod_lookup_table i2c_recovery_gpiod_table = {
+- .dev_id = "i2c_davinci",
++ .dev_id = "i2c_davinci.1",
+ .table = {
+- GPIO_LOOKUP("davinci_gpio", 15, "sda",
++ GPIO_LOOKUP("davinci_gpio.0", DM355_I2C_SDA_PIN, "sda",
+ GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN),
+- GPIO_LOOKUP("davinci_gpio", 14, "scl",
++ GPIO_LOOKUP("davinci_gpio.0", DM355_I2C_SCL_PIN, "scl",
+ GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN),
+ },
+ };
+--- a/arch/arm/mach-davinci/board-dm644x-evm.c
++++ b/arch/arm/mach-davinci/board-dm644x-evm.c
+@@ -17,6 +17,7 @@
+ #include <linux/i2c.h>
+ #include <linux/platform_data/pcf857x.h>
+ #include <linux/platform_data/at24.h>
++#include <linux/platform_data/gpio-davinci.h>
+ #include <linux/mtd/mtd.h>
+ #include <linux/mtd/rawnand.h>
+ #include <linux/mtd/partitions.h>
+@@ -596,12 +597,15 @@ static struct i2c_board_info __initdata
+ },
+ };
+
++#define DM644X_I2C_SDA_PIN GPIO_TO_PIN(2, 12)
++#define DM644X_I2C_SCL_PIN GPIO_TO_PIN(2, 11)
++
+ static struct gpiod_lookup_table i2c_recovery_gpiod_table = {
+- .dev_id = "i2c_davinci",
++ .dev_id = "i2c_davinci.1",
+ .table = {
+- GPIO_LOOKUP("davinci_gpio", 44, "sda",
++ GPIO_LOOKUP("davinci_gpio.0", DM644X_I2C_SDA_PIN, "sda",
+ GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN),
+- GPIO_LOOKUP("davinci_gpio", 43, "scl",
++ GPIO_LOOKUP("davinci_gpio.0", DM644X_I2C_SCL_PIN, "scl",
+ GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN),
+ },
+ };
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Graeme Smecher <gsmecher@threespeedlogic.com>
+Date: Wed, 2 May 2018 17:32:36 -0700
+Subject: ARM: dts: correct missing "compatible" entry for ti81xx SoCs
+
+From: Graeme Smecher <gsmecher@threespeedlogic.com>
+
+[ Upstream commit 647efef69de483f1dd7944ede31b4cae16acb124 ]
+
+The missing "compatible" entries are needed by drivers/clk/ti/clkctrl.c,
+and without them the structures initialized in drivers/clk/ti/clk-814x.c
+are not passed to configuration code. The result is a "not found from
+clkctrl data" error message, although boot proceeds anyway.
+
+The reason why the compatible is not found is because the board specific
+files override the SoC compatible without including it. This did not
+cause any issues until with the clkctrl nodes got introduced.
+
+Very lightly tested on a (lurching) AM3874 design that's in the middle
+of a kernel upgrade from TI's abandoned 2.6.37 tree.
+
+Also tested on j5eco-evm and hp-t410 to verify the clkctrl clocks are
+found.
+
+Fixes: bb30465b5902 ("ARM: dts: dm814x: add clkctrl nodes")
+Fixes: 80a06c0d8357 ("ARM: dts: dm816x: add clkctrl nodes")
+Signed-off-by: Graeme Smecher <gsmecher@threespeedlogic.com>
+[tony: updated to fix for 8168-evm, updated comments]
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/dm8148-evm.dts | 2 +-
+ arch/arm/boot/dts/dm8148-t410.dts | 2 +-
+ arch/arm/boot/dts/dm8168-evm.dts | 2 +-
+ arch/arm/boot/dts/dra62x-j5eco-evm.dts | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/boot/dts/dm8148-evm.dts
++++ b/arch/arm/boot/dts/dm8148-evm.dts
+@@ -10,7 +10,7 @@
+
+ / {
+ model = "DM8148 EVM";
+- compatible = "ti,dm8148-evm", "ti,dm8148";
++ compatible = "ti,dm8148-evm", "ti,dm8148", "ti,dm814";
+
+ memory@80000000 {
+ device_type = "memory";
+--- a/arch/arm/boot/dts/dm8148-t410.dts
++++ b/arch/arm/boot/dts/dm8148-t410.dts
+@@ -9,7 +9,7 @@
+
+ / {
+ model = "HP t410 Smart Zero Client";
+- compatible = "hp,t410", "ti,dm8148";
++ compatible = "hp,t410", "ti,dm8148", "ti,dm814";
+
+ memory@80000000 {
+ device_type = "memory";
+--- a/arch/arm/boot/dts/dm8168-evm.dts
++++ b/arch/arm/boot/dts/dm8168-evm.dts
+@@ -10,7 +10,7 @@
+
+ / {
+ model = "DM8168 EVM";
+- compatible = "ti,dm8168-evm", "ti,dm8168";
++ compatible = "ti,dm8168-evm", "ti,dm8168", "ti,dm816";
+
+ memory@80000000 {
+ device_type = "memory";
+--- a/arch/arm/boot/dts/dra62x-j5eco-evm.dts
++++ b/arch/arm/boot/dts/dra62x-j5eco-evm.dts
+@@ -10,7 +10,7 @@
+
+ / {
+ model = "DRA62x J5 Eco EVM";
+- compatible = "ti,dra62x-j5eco-evm", "ti,dra62x", "ti,dm8148";
++ compatible = "ti,dra62x-j5eco-evm", "ti,dra62x", "ti,dm8148", "ti,dm814";
+
+ memory@80000000 {
+ device_type = "memory";
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: "Clément Péron" <peron.clem@gmail.com>
+Date: Thu, 3 May 2018 17:32:07 +0200
+Subject: ARM: dts: cygnus: fix irq type for arm global timer
+
+From: "Clément Péron" <peron.clem@gmail.com>
+
+[ Upstream commit 675c7215aacf54242b2e8bc64bab698abbe764db ]
+
+As per ARM documentation
+PPI(0) ID27 - global timer interrupt is rising-edge sensitive.
+
+set IRQ triggering type to IRQ_TYPE_EDGE_RISING for ARM Global timers.
+
+Fixes: c9ad7bc5fe3 ("ARM: dts: Enable Broadcom Cygnus SoC")
+Signed-off-by: Clément Péron <peron.clem@gmail.com>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/bcm-cygnus.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/bcm-cygnus.dtsi
++++ b/arch/arm/boot/dts/bcm-cygnus.dtsi
+@@ -69,7 +69,7 @@
+ timer@20200 {
+ compatible = "arm,cortex-a9-global-timer";
+ reg = <0x20200 0x100>;
+- interrupts = <GIC_PPI 11 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_PPI 11 IRQ_TYPE_EDGE_RISING>;
+ clocks = <&periph_clk>;
+ };
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Sekhar Nori <nsekhar@ti.com>
+Date: Tue, 17 Apr 2018 18:06:00 +0530
+Subject: ARM: dts: da850: fix W=1 warnings with pinmux node
+
+From: Sekhar Nori <nsekhar@ti.com>
+
+[ Upstream commit 94a82284ad4711b7f9fd78981fdc7a1cb645030b ]
+
+Remove unused #address-cells and #size-cells from pinmux
+node. This fixes W=1 warnings of the type:
+
+arch/arm/boot/dts/da850-lcdk.dtb: Warning (avoid_unnecessary_addr_size): /soc@1c00000/pinmux@14120: unnecessary #address-cells/#size-cells without "ranges" or child "reg" property
+
+Tested on DA850 LCDK by checking output of:
+
+/sys/kernel/debug/pinctrl/1c14120.pinmux-pinctrl-single/pins
+
+before and after the change.
+
+Reviewed-by: David Lechner <david@lechnology.com>
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/da850.dtsi | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/arch/arm/boot/dts/da850.dtsi
++++ b/arch/arm/boot/dts/da850.dtsi
+@@ -46,8 +46,6 @@
+ pmx_core: pinmux@14120 {
+ compatible = "pinctrl-single";
+ reg = <0x14120 0x50>;
+- #address-cells = <1>;
+- #size-cells = <0>;
+ #pinctrl-cells = <2>;
+ pinctrl-single,bit-per-mux;
+ pinctrl-single,register-width = <32>;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Tony Lindgren <tony@atomide.com>
+Date: Mon, 16 Apr 2018 10:01:04 -0700
+Subject: ARM: dts: Fix cm2 and prm sizes for omap4
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit bc8a3ef1940c9a6dfa316b31e063fdd4fbab0add ]
+
+The size of these modules is 0x2000, not 0x3000. The extra 0x1000
+after 0x2000 is for the interconnect target agent which is a separate
+device.
+
+Fixes: 7415b0b4c645 ("ARM: dts: omap4: add minimal l4 bus layout with
+control module support")
+Cc: Tero Kristo <t-kristo@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/omap4.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/boot/dts/omap4.dtsi
++++ b/arch/arm/boot/dts/omap4.dtsi
+@@ -163,10 +163,10 @@
+
+ cm2: cm2@8000 {
+ compatible = "ti,omap4-cm2", "simple-bus";
+- reg = <0x8000 0x3000>;
++ reg = <0x8000 0x2000>;
+ #address-cells = <1>;
+ #size-cells = <1>;
+- ranges = <0 0x8000 0x3000>;
++ ranges = <0 0x8000 0x2000>;
+
+ cm2_clocks: clocks {
+ #address-cells = <1>;
+@@ -250,11 +250,11 @@
+
+ prm: prm@6000 {
+ compatible = "ti,omap4-prm";
+- reg = <0x6000 0x3000>;
++ reg = <0x6000 0x2000>;
+ interrupts = <GIC_SPI 11 IRQ_TYPE_LEVEL_HIGH>;
+ #address-cells = <1>;
+ #size-cells = <1>;
+- ranges = <0 0x6000 0x3000>;
++ ranges = <0 0x6000 0x2000>;
+
+ prm_clocks: clocks {
+ #address-cells = <1>;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+Date: Mon, 7 May 2018 16:53:09 +0300
+Subject: ARM: dts: imx51-zii-rdu1: fix touchscreen bindings
+
+From: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+
+[ Upstream commit 6d3299aef7df7225ecff653feedafb5d1646998b ]
+
+This fixes errors in RDU1 device tree that cause touch screens not
+working.
+
+Fixes: ceef0396f367 ("ARM: dts: imx: add ZII RDU1 board")
+Signed-off-by: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/imx51-zii-rdu1.dts | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/arm/boot/dts/imx51-zii-rdu1.dts
++++ b/arch/arm/boot/dts/imx51-zii-rdu1.dts
+@@ -518,7 +518,7 @@
+ };
+
+ touchscreen@20 {
+- compatible = "syna,rmi4_i2c";
++ compatible = "syna,rmi4-i2c";
+ reg = <0x20>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_ts>;
+@@ -536,8 +536,8 @@
+
+ rmi4-f11@11 {
+ reg = <0x11>;
+- touch-inverted-y;
+- touch-swapped-x-y;
++ touchscreen-inverted-y;
++ touchscreen-swapped-x-y;
+ syna,sensor-type = <1>;
+ };
+ };
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Adam Ford <aford173@gmail.com>
+Date: Tue, 1 May 2018 08:58:53 -0500
+Subject: ARM: dts: logicpd-som-lv: Fix Audio Mute
+
+From: Adam Ford <aford173@gmail.com>
+
+[ Upstream commit 95e59fc3c3fa3187a07a75f40b21637deb4bd12d ]
+
+The Audio has worked, but the mute pin has a weak pulldown which alows
+some of the audio signal to pass very quietly. This patch fixes
+that so the mute pin is actively driven high for mute or low for normal
+operation.
+
+Fixes: ab8dd3aed011 ("ARM: DTS: Add minimal Support for Logic
+PD DM3730 SOM-LV")
+
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/logicpd-som-lv.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm/boot/dts/logicpd-som-lv.dtsi
++++ b/arch/arm/boot/dts/logicpd-som-lv.dtsi
+@@ -82,6 +82,7 @@
+ twl_audio: audio {
+ compatible = "ti,twl4030-audio";
+ codec {
++ ti,hs_extmute_gpio = <&gpio2 25 GPIO_ACTIVE_HIGH>;
+ };
+ };
+ };
+@@ -195,6 +196,7 @@
+ pinctrl-single,pins = <
+ OMAP3_CORE1_IOPAD(0x21ba, PIN_INPUT | MUX_MODE0) /* i2c1_scl.i2c1_scl */
+ OMAP3_CORE1_IOPAD(0x21bc, PIN_INPUT | MUX_MODE0) /* i2c1_sda.i2c1_sda */
++ OMAP3_CORE1_IOPAD(0x20ba, PIN_OUTPUT | MUX_MODE4) /* gpmc_ncs6.gpio_57 */
+ >;
+ };
+ };
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Adam Ford <aford173@gmail.com>
+Date: Mon, 30 Apr 2018 18:24:34 -0500
+Subject: ARM: dts: logicpd-som-lv: Fix WL127x Startup Issues
+
+From: Adam Ford <aford173@gmail.com>
+
+[ Upstream commit 189822cbcbf3ea37c26a15612d8f922c440bc0e0 ]
+
+The VAUX3 rail from the PMIC powers a clock driver which clocks
+the WL127x. This corrects a bug which did not correctly associate
+the vin-supply with the proper power rail.
+
+This also fixes a typo in the pinmuxing to properly configure the
+interrupt pin.
+
+Fixes: ab8dd3aed011 ("ARM: DTS: Add minimal Support for Logic PD
+DM3730 SOM-LV")
+
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/logicpd-som-lv.dtsi | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/logicpd-som-lv.dtsi
++++ b/arch/arm/boot/dts/logicpd-som-lv.dtsi
+@@ -26,7 +26,7 @@
+ gpio = <&gpio1 3 0>; /* gpio_3 */
+ startup-delay-us = <70000>;
+ enable-active-high;
+- vin-supply = <&vmmc2>;
++ vin-supply = <&vaux3>;
+ };
+
+ /* HS USB Host PHY on PORT 1 */
+@@ -209,7 +209,7 @@
+ };
+ wl127x_gpio: pinmux_wl127x_gpio_pin {
+ pinctrl-single,pins = <
+- OMAP3_WKUP_IOPAD(0x2a0c, PIN_INPUT | MUX_MODE4) /* sys_boot0.gpio_2 */
++ OMAP3_WKUP_IOPAD(0x2a0a, PIN_INPUT | MUX_MODE4) /* sys_boot0.gpio_2 */
+ OMAP3_WKUP_IOPAD(0x2a0c, PIN_OUTPUT | MUX_MODE4) /* sys_boot1.gpio_3 */
+ >;
+ };
+@@ -244,6 +244,11 @@
+ #include "twl4030.dtsi"
+ #include "twl4030_omap3.dtsi"
+
++&vaux3 {
++ regulator-min-microvolt = <2800000>;
++ regulator-max-microvolt = <2800000>;
++};
++
+ &twl {
+ twl_power: power {
+ compatible = "ti,twl4030-power-idle-osc-off", "ti,twl4030-power-idle";
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Fri, 13 Apr 2018 00:22:47 +0100
+Subject: ARM: fix kill( ,SIGFPE) breakage
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit 92d44a42af81e850a038c38278ff4f434b2871df ]
+
+Commit 7771c6645700 ("signal/arm: Document conflicts with SI_USER and
+SIGFPE") broke the siginfo structure for userspace triggered signals,
+causing the strace testsuite to regress. Fix this by eliminating
+the FPE_FIXME definition (which is at the root of the breakage) and
+use FPE_FLTINV instead for the case where the hardware appears to be
+reporting nonsense.
+
+Fixes: 7771c6645700 ("signal/arm: Document conflicts with SI_USER and SIGFPE")
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/include/uapi/asm/siginfo.h | 13 -------------
+ arch/arm/vfp/vfpmodule.c | 2 +-
+ 2 files changed, 1 insertion(+), 14 deletions(-)
+ delete mode 100644 arch/arm/include/uapi/asm/siginfo.h
+
+--- a/arch/arm/include/uapi/asm/siginfo.h
++++ /dev/null
+@@ -1,13 +0,0 @@
+-#ifndef __ASM_SIGINFO_H
+-#define __ASM_SIGINFO_H
+-
+-#include <asm-generic/siginfo.h>
+-
+-/*
+- * SIGFPE si_codes
+- */
+-#ifdef __KERNEL__
+-#define FPE_FIXME 0 /* Broken dup of SI_USER */
+-#endif /* __KERNEL__ */
+-
+-#endif
+--- a/arch/arm/vfp/vfpmodule.c
++++ b/arch/arm/vfp/vfpmodule.c
+@@ -257,7 +257,7 @@ static void vfp_raise_exceptions(u32 exc
+
+ if (exceptions == VFP_EXCEPTION_ERROR) {
+ vfp_panic("unhandled bounce", inst);
+- vfp_raise_sigfpe(FPE_FIXME, regs);
++ vfp_raise_sigfpe(FPE_FLTINV, regs);
+ return;
+ }
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Wed, 11 Apr 2018 18:24:01 +0100
+Subject: ARM: kexec: fix kdump register saving on panic()
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit 2d7b3c64431245c95b05a441669c074da10db943 ]
+
+When a panic() occurs, the kexec code uses smp_send_stop() to stop
+the other CPUs, but this results in the CPU register state not being
+saved, and gdb is unable to inspect the state of other CPUs.
+
+Commit 0ee59413c967 ("x86/panic: replace smp_send_stop() with kdump
+friendly version in panic path") addressed the issue on x86, but
+ignored other architectures. Address the issue on ARM by splitting
+out the crash stop implementation to crash_smp_send_stop() and
+adding the necessary protection.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/kernel/machine_kexec.c | 34 ++++++++++++++++++++++------------
+ 1 file changed, 22 insertions(+), 12 deletions(-)
+
+--- a/arch/arm/kernel/machine_kexec.c
++++ b/arch/arm/kernel/machine_kexec.c
+@@ -95,6 +95,27 @@ void machine_crash_nonpanic_core(void *u
+ cpu_relax();
+ }
+
++void crash_smp_send_stop(void)
++{
++ static int cpus_stopped;
++ unsigned long msecs;
++
++ if (cpus_stopped)
++ return;
++
++ atomic_set(&waiting_for_crash_ipi, num_online_cpus() - 1);
++ smp_call_function(machine_crash_nonpanic_core, NULL, false);
++ msecs = 1000; /* Wait at most a second for the other cpus to stop */
++ while ((atomic_read(&waiting_for_crash_ipi) > 0) && msecs) {
++ mdelay(1);
++ msecs--;
++ }
++ if (atomic_read(&waiting_for_crash_ipi) > 0)
++ pr_warn("Non-crashing CPUs did not react to IPI\n");
++
++ cpus_stopped = 1;
++}
++
+ static void machine_kexec_mask_interrupts(void)
+ {
+ unsigned int i;
+@@ -120,19 +141,8 @@ static void machine_kexec_mask_interrupt
+
+ void machine_crash_shutdown(struct pt_regs *regs)
+ {
+- unsigned long msecs;
+-
+ local_irq_disable();
+-
+- atomic_set(&waiting_for_crash_ipi, num_online_cpus() - 1);
+- smp_call_function(machine_crash_nonpanic_core, NULL, false);
+- msecs = 1000; /* Wait at most a second for the other cpus to stop */
+- while ((atomic_read(&waiting_for_crash_ipi) > 0) && msecs) {
+- mdelay(1);
+- msecs--;
+- }
+- if (atomic_read(&waiting_for_crash_ipi) > 0)
+- pr_warn("Non-crashing CPUs did not react to IPI\n");
++ crash_smp_send_stop();
+
+ crash_save_cpu(regs, smp_processor_id());
+ machine_kexec_mask_interrupts();
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Thu, 10 May 2018 14:24:20 +0100
+Subject: ARM: keystone: fix platform_domain_notifier array overrun
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit 9954b80b8c0e8abc98e17bba0fccd9876211ceaa ]
+
+platform_domain_notifier contains a variable sized array, which the
+pm_clk_notify() notifier treats as a NULL terminated array:
+
+ for (con_id = clknb->con_ids; *con_id; con_id++)
+ pm_clk_add(dev, *con_id);
+
+Omitting the initialiser for con_ids means that the array is zero
+sized, and there is no NULL terminator. This leads to pm_clk_notify()
+overrunning into what ever structure follows, which may not be NULL.
+This leads to an oops:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000008c
+pgd = c0003000
+[0000008c] *pgd=80000800004003c, *pmd=00000000c
+Internal error: Oops: 206 [#1] PREEMPT SMP ARM
+Modules linked in:c
+CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.16.0+ #9
+Hardware name: Keystone
+PC is at strlen+0x0/0x34
+LR is at kstrdup+0x18/0x54
+pc : [<c0623340>] lr : [<c0111d6c>] psr: 20000013
+sp : eec73dc0 ip : eed780c0 fp : 00000001
+r10: 00000000 r9 : 00000000 r8 : eed71e10
+r7 : 0000008c r6 : 0000008c r5 : 014000c0 r4 : c03a6ff4
+r3 : c09445d0 r2 : 00000000 r1 : 014000c0 r0 : 0000008c
+Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
+Control: 30c5387d Table: 00003000 DAC: fffffffd
+Process swapper/0 (pid: 1, stack limit = 0xeec72210)
+Stack: (0xeec73dc0 to 0xeec74000)
+...
+[<c0623340>] (strlen) from [<c0111d6c>] (kstrdup+0x18/0x54)
+[<c0111d6c>] (kstrdup) from [<c03a6ff4>] (__pm_clk_add+0x58/0x120)
+[<c03a6ff4>] (__pm_clk_add) from [<c03a731c>] (pm_clk_notify+0x64/0xa8)
+[<c03a731c>] (pm_clk_notify) from [<c004614c>] (notifier_call_chain+0x44/0x84)
+[<c004614c>] (notifier_call_chain) from [<c0046320>] (__blocking_notifier_call_chain+0x48/0x60)
+[<c0046320>] (__blocking_notifier_call_chain) from [<c0046350>] (blocking_notifier_call_chain+0x18/0x20)
+[<c0046350>] (blocking_notifier_call_chain) from [<c0390234>] (device_add+0x36c/0x534)
+[<c0390234>] (device_add) from [<c047fc00>] (of_platform_device_create_pdata+0x70/0xa4)
+[<c047fc00>] (of_platform_device_create_pdata) from [<c047fea0>] (of_platform_bus_create+0xf0/0x1ec)
+[<c047fea0>] (of_platform_bus_create) from [<c047fff8>] (of_platform_populate+0x5c/0xac)
+[<c047fff8>] (of_platform_populate) from [<c08b1f04>] (of_platform_default_populate_init+0x8c/0xa8)
+[<c08b1f04>] (of_platform_default_populate_init) from [<c000a78c>] (do_one_initcall+0x3c/0x164)
+[<c000a78c>] (do_one_initcall) from [<c087bd9c>] (kernel_init_freeable+0x10c/0x1d0)
+[<c087bd9c>] (kernel_init_freeable) from [<c0628db0>] (kernel_init+0x8/0xf0)
+[<c0628db0>] (kernel_init) from [<c00090d8>] (ret_from_fork+0x14/0x3c)
+Exception stack(0xeec73fb0 to 0xeec73ff8)
+3fa0: 00000000 00000000 00000000 00000000
+3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+Code: e3520000 1afffff7 e12fff1e c0801730 (e5d02000)
+---[ end trace cafa8f148e262e80 ]---
+
+Fix this by adding the necessary initialiser.
+
+Fixes: fc20ffe1213b ("ARM: keystone: add PM domain support for clock management")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Acked-by: Santosh Shilimkar <ssantosh@kernel.org>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-keystone/pm_domain.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/mach-keystone/pm_domain.c
++++ b/arch/arm/mach-keystone/pm_domain.c
+@@ -29,6 +29,7 @@ static struct dev_pm_domain keystone_pm_
+
+ static struct pm_clk_notifier_block platform_domain_notifier = {
+ .pm_domain = &keystone_pm_domain,
++ .con_ids = { NULL },
+ };
+
+ static const struct of_device_id of_keystone_table[] = {
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Date: Wed, 2 May 2018 20:32:03 +0200
+Subject: ARM: OMAP1: ams-delta: fix deferred_fiq handler
+
+From: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+
+[ Upstream commit baf64250b4a513bf4ac226fd938692dc1836f4f6 ]
+
+The deferred_fiq handler used to limit hardware operations to IRQ
+unmask only, relying on gpio-omap assigned handler performing the ACKs.
+Since commit 80ac93c27441 ("gpio: omap: Fix lost edge interrupts") this
+is no longer the case as handle_edge_irq() has been replaced with
+handle_simmple_irq() which doesn't touch the hardware.
+
+Add single ACK operation per each active IRQ pin to the handler. While
+being at it, move unmask operation out of irq_counter loop so it is
+also called only once for each active IRQ pin.
+
+Fixes: 80ac93c27441 ("gpio: omap: Fix lost edge interrupts")
+Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-omap1/ams-delta-fiq.c | 26 ++++++++++++++------------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+--- a/arch/arm/mach-omap1/ams-delta-fiq.c
++++ b/arch/arm/mach-omap1/ams-delta-fiq.c
+@@ -58,22 +58,24 @@ static irqreturn_t deferred_fiq(int irq,
+ irq_num = gpio_to_irq(gpio);
+ fiq_count = fiq_buffer[FIQ_CNT_INT_00 + gpio];
+
+- while (irq_counter[gpio] < fiq_count) {
+- if (gpio != AMS_DELTA_GPIO_PIN_KEYBRD_CLK) {
+- struct irq_data *d = irq_get_irq_data(irq_num);
++ if (irq_counter[gpio] < fiq_count &&
++ gpio != AMS_DELTA_GPIO_PIN_KEYBRD_CLK) {
++ struct irq_data *d = irq_get_irq_data(irq_num);
+
+- /*
+- * It looks like handle_edge_irq() that
+- * OMAP GPIO edge interrupts default to,
+- * expects interrupt already unmasked.
+- */
+- if (irq_chip && irq_chip->irq_unmask)
++ /*
++ * handle_simple_irq() that OMAP GPIO edge
++ * interrupts default to since commit 80ac93c27441
++ * requires interrupt already acked and unmasked.
++ */
++ if (irq_chip) {
++ if (irq_chip->irq_ack)
++ irq_chip->irq_ack(d);
++ if (irq_chip->irq_unmask)
+ irq_chip->irq_unmask(d);
+ }
+- generic_handle_irq(irq_num);
+-
+- irq_counter[gpio]++;
+ }
++ for (; irq_counter[gpio] < fiq_count; irq_counter[gpio]++)
++ generic_handle_irq(irq_num);
+ }
+ return IRQ_HANDLED;
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Tero Kristo <t-kristo@ti.com>
+Date: Fri, 9 Mar 2018 11:50:20 +0200
+Subject: ARM: OMAP2+: powerdomain: use raw_smp_processor_id() for trace
+
+From: Tero Kristo <t-kristo@ti.com>
+
+[ Upstream commit 33e9572483031a79ad0a4468064675144d9269ec ]
+
+smp_processor_id() checks preemption if CONFIG_DEBUG_PREEMPT is enabled,
+causing a warning dump during boot:
+
+[ 5.042377] BUG: using smp_processor_id() in preemptible [00000000] code: swapper/0/1
+[ 5.050281] caller is pwrdm_set_next_pwrst+0x48/0x88
+[ 5.055330] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.14.24-g57341df0b4 #1
+
+Use the raw_smp_processor_id() for the trace instead, this value does
+not need to be perfectly correct. The alternative of disabling preempt
+is too heavy weight operation to be applied in PM hot path for just
+tracing purposes.
+
+Signed-off-by: Tero Kristo <t-kristo@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-omap2/powerdomain.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mach-omap2/powerdomain.c
++++ b/arch/arm/mach-omap2/powerdomain.c
+@@ -188,7 +188,7 @@ static int _pwrdm_state_switch(struct po
+ ((prev & OMAP_POWERSTATE_MASK) << 0));
+ trace_power_domain_target_rcuidle(pwrdm->name,
+ trace_state,
+- smp_processor_id());
++ raw_smp_processor_id());
+ }
+ break;
+ default:
+@@ -518,7 +518,7 @@ int pwrdm_set_next_pwrst(struct powerdom
+ if (arch_pwrdm && arch_pwrdm->pwrdm_set_next_pwrst) {
+ /* Trace the pwrdm desired target state */
+ trace_power_domain_target_rcuidle(pwrdm->name, pwrst,
+- smp_processor_id());
++ raw_smp_processor_id());
+ /* Program the pwrdm desired target state */
+ ret = arch_pwrdm->pwrdm_set_next_pwrst(pwrdm, pwrst);
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Mon, 16 Apr 2018 13:21:54 +0100
+Subject: ARM: replace unnecessary perl with sed and the shell $(( )) operator
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit 6cea14f55474ec71f1098228e0ae5dd2a8f22c0a ]
+
+You can build a kernel in a cross compiling environment that doesn't
+have perl in the $PATH. Commit 429f7a062e3b broke that for 32 bit
+ARM. Fix it.
+
+As reported by Stephen Rothwell, it appears that the symbols can be
+either part of the BSS section or absolute symbols depending on the
+binutils version. When they're an absolute symbol, the $(( ))
+operator errors out and the build fails. Fix this as well.
+
+Fixes: 429f7a062e3b ("ARM: decompressor: fix BSS size calculation")
+Reported-by: Rob Landley <rob@landley.net>
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Acked-by: Rob Landley <rob@landley.net>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/compressed/Makefile | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/arch/arm/boot/compressed/Makefile
++++ b/arch/arm/boot/compressed/Makefile
+@@ -117,11 +117,9 @@ ccflags-y := -fpic -mno-single-pic-base
+ asflags-y := -DZIMAGE
+
+ # Supply kernel BSS size to the decompressor via a linker symbol.
+-KBSS_SZ = $(shell $(CROSS_COMPILE)nm $(obj)/../../../../vmlinux | \
+- perl -e 'while (<>) { \
+- $$bss_start=hex($$1) if /^([[:xdigit:]]+) B __bss_start$$/; \
+- $$bss_end=hex($$1) if /^([[:xdigit:]]+) B __bss_stop$$/; \
+- }; printf "%d\n", $$bss_end - $$bss_start;')
++KBSS_SZ = $(shell echo $$(($$($(CROSS_COMPILE)nm $(obj)/../../../../vmlinux | \
++ sed -n -e 's/^\([^ ]*\) [AB] __bss_start$$/-0x\1/p' \
++ -e 's/^\([^ ]*\) [AB] __bss_stop$$/+0x\1/p') )) )
+ LDFLAGS_vmlinux = --defsym _kernel_bss_size=$(KBSS_SZ)
+ # Supply ZRELADDR to the decompressor via a linker symbol.
+ ifneq ($(CONFIG_AUTO_ZRELADDR),y)
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: David Gilhooley <dgilhooley@nvidia.com>
+Date: Tue, 8 May 2018 15:49:42 -0700
+Subject: arm64: Add MIDR encoding for NVIDIA CPUs
+
+From: David Gilhooley <dgilhooley@nvidia.com>
+
+[ Upstream commit 1b06bd8dd95f7a19ab33fdf0f477c94950822ab3 ]
+
+This patch adds the MIDR encodings for NVIDIA as well as
+the Denver and Carmel CPUs used in Tegra SoCs.
+
+Signed-off-by: David Gilhooley <dgilhooley@nvidia.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/cputype.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/arm64/include/asm/cputype.h
++++ b/arch/arm64/include/asm/cputype.h
+@@ -75,6 +75,7 @@
+ #define ARM_CPU_IMP_CAVIUM 0x43
+ #define ARM_CPU_IMP_BRCM 0x42
+ #define ARM_CPU_IMP_QCOM 0x51
++#define ARM_CPU_IMP_NVIDIA 0x4E
+
+ #define ARM_CPU_PART_AEM_V8 0xD0F
+ #define ARM_CPU_PART_FOUNDATION 0xD00
+@@ -98,6 +99,9 @@
+ #define QCOM_CPU_PART_FALKOR 0xC00
+ #define QCOM_CPU_PART_KRYO 0x200
+
++#define NVIDIA_CPU_PART_DENVER 0x003
++#define NVIDIA_CPU_PART_CARMEL 0x004
++
+ #define MIDR_CORTEX_A53 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A53)
+ #define MIDR_CORTEX_A57 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A57)
+ #define MIDR_CORTEX_A72 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A72)
+@@ -112,6 +116,8 @@
+ #define MIDR_QCOM_FALKOR_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_FALKOR_V1)
+ #define MIDR_QCOM_FALKOR MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_FALKOR)
+ #define MIDR_QCOM_KRYO MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO)
++#define MIDR_NVIDIA_DENVER MIDR_CPU_MODEL(ARM_CPU_IMP_NVIDIA, NVIDIA_CPU_PART_DENVER)
++#define MIDR_NVIDIA_CARMEL MIDR_CPU_MODEL(ARM_CPU_IMP_NVIDIA, NVIDIA_CPU_PART_CARMEL)
+
+ #ifndef __ASSEMBLY__
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Srinath Mannam <srinath.mannam@broadcom.com>
+Date: Wed, 18 Apr 2018 14:11:29 +0530
+Subject: arm64: dts: correct SATA addresses for Stingray
+
+From: Srinath Mannam <srinath.mannam@broadcom.com>
+
+[ Upstream commit 4555a5021fe88fc4f19ff53d1e58b410cf30a49a ]
+
+Correct all SATA ahci and phy controller register
+addresses and interrupt lines to proper values.
+
+Fixes: 344a2e514182 ("arm64: dts: Add SATA DT nodes for Stingray SoC")
+
+Signed-off-by: Srinath Mannam <srinath.mannam@broadcom.com>
+Reviewed-by: Ray Jui <ray.jui@broadcom.com>
+Reviewed-by: Scott Branden <scott.branden@broadcom.com>
+Reviewed-by: Andrew Gospodarek <andrew.gospodarek@broadcom.com>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/broadcom/stingray/stingray-sata.dtsi | 80 +++++++--------
+ 1 file changed, 40 insertions(+), 40 deletions(-)
+
+--- a/arch/arm64/boot/dts/broadcom/stingray/stingray-sata.dtsi
++++ b/arch/arm64/boot/dts/broadcom/stingray/stingray-sata.dtsi
+@@ -36,11 +36,11 @@
+ #size-cells = <1>;
+ ranges = <0x0 0x0 0x67d00000 0x00800000>;
+
+- sata0: ahci@210000 {
++ sata0: ahci@0 {
+ compatible = "brcm,iproc-ahci", "generic-ahci";
+- reg = <0x00210000 0x1000>;
++ reg = <0x00000000 0x1000>;
+ reg-names = "ahci";
+- interrupts = <GIC_SPI 339 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_SPI 321 IRQ_TYPE_LEVEL_HIGH>;
+ #address-cells = <1>;
+ #size-cells = <0>;
+ status = "disabled";
+@@ -52,9 +52,9 @@
+ };
+ };
+
+- sata_phy0: sata_phy@212100 {
++ sata_phy0: sata_phy@2100 {
+ compatible = "brcm,iproc-sr-sata-phy";
+- reg = <0x00212100 0x1000>;
++ reg = <0x00002100 0x1000>;
+ reg-names = "phy";
+ #address-cells = <1>;
+ #size-cells = <0>;
+@@ -66,11 +66,11 @@
+ };
+ };
+
+- sata1: ahci@310000 {
++ sata1: ahci@10000 {
+ compatible = "brcm,iproc-ahci", "generic-ahci";
+- reg = <0x00310000 0x1000>;
++ reg = <0x00010000 0x1000>;
+ reg-names = "ahci";
+- interrupts = <GIC_SPI 347 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_SPI 323 IRQ_TYPE_LEVEL_HIGH>;
+ #address-cells = <1>;
+ #size-cells = <0>;
+ status = "disabled";
+@@ -82,9 +82,9 @@
+ };
+ };
+
+- sata_phy1: sata_phy@312100 {
++ sata_phy1: sata_phy@12100 {
+ compatible = "brcm,iproc-sr-sata-phy";
+- reg = <0x00312100 0x1000>;
++ reg = <0x00012100 0x1000>;
+ reg-names = "phy";
+ #address-cells = <1>;
+ #size-cells = <0>;
+@@ -96,11 +96,11 @@
+ };
+ };
+
+- sata2: ahci@120000 {
++ sata2: ahci@20000 {
+ compatible = "brcm,iproc-ahci", "generic-ahci";
+- reg = <0x00120000 0x1000>;
++ reg = <0x00020000 0x1000>;
+ reg-names = "ahci";
+- interrupts = <GIC_SPI 333 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_SPI 325 IRQ_TYPE_LEVEL_HIGH>;
+ #address-cells = <1>;
+ #size-cells = <0>;
+ status = "disabled";
+@@ -112,9 +112,9 @@
+ };
+ };
+
+- sata_phy2: sata_phy@122100 {
++ sata_phy2: sata_phy@22100 {
+ compatible = "brcm,iproc-sr-sata-phy";
+- reg = <0x00122100 0x1000>;
++ reg = <0x00022100 0x1000>;
+ reg-names = "phy";
+ #address-cells = <1>;
+ #size-cells = <0>;
+@@ -126,11 +126,11 @@
+ };
+ };
+
+- sata3: ahci@130000 {
++ sata3: ahci@30000 {
+ compatible = "brcm,iproc-ahci", "generic-ahci";
+- reg = <0x00130000 0x1000>;
++ reg = <0x00030000 0x1000>;
+ reg-names = "ahci";
+- interrupts = <GIC_SPI 335 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_SPI 327 IRQ_TYPE_LEVEL_HIGH>;
+ #address-cells = <1>;
+ #size-cells = <0>;
+ status = "disabled";
+@@ -142,9 +142,9 @@
+ };
+ };
+
+- sata_phy3: sata_phy@132100 {
++ sata_phy3: sata_phy@32100 {
+ compatible = "brcm,iproc-sr-sata-phy";
+- reg = <0x00132100 0x1000>;
++ reg = <0x00032100 0x1000>;
+ reg-names = "phy";
+ #address-cells = <1>;
+ #size-cells = <0>;
+@@ -156,11 +156,11 @@
+ };
+ };
+
+- sata4: ahci@330000 {
++ sata4: ahci@100000 {
+ compatible = "brcm,iproc-ahci", "generic-ahci";
+- reg = <0x00330000 0x1000>;
++ reg = <0x00100000 0x1000>;
+ reg-names = "ahci";
+- interrupts = <GIC_SPI 351 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_SPI 329 IRQ_TYPE_LEVEL_HIGH>;
+ #address-cells = <1>;
+ #size-cells = <0>;
+ status = "disabled";
+@@ -172,9 +172,9 @@
+ };
+ };
+
+- sata_phy4: sata_phy@332100 {
++ sata_phy4: sata_phy@102100 {
+ compatible = "brcm,iproc-sr-sata-phy";
+- reg = <0x00332100 0x1000>;
++ reg = <0x00102100 0x1000>;
+ reg-names = "phy";
+ #address-cells = <1>;
+ #size-cells = <0>;
+@@ -186,11 +186,11 @@
+ };
+ };
+
+- sata5: ahci@400000 {
++ sata5: ahci@110000 {
+ compatible = "brcm,iproc-ahci", "generic-ahci";
+- reg = <0x00400000 0x1000>;
++ reg = <0x00110000 0x1000>;
+ reg-names = "ahci";
+- interrupts = <GIC_SPI 353 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_SPI 331 IRQ_TYPE_LEVEL_HIGH>;
+ #address-cells = <1>;
+ #size-cells = <0>;
+ status = "disabled";
+@@ -202,9 +202,9 @@
+ };
+ };
+
+- sata_phy5: sata_phy@402100 {
++ sata_phy5: sata_phy@112100 {
+ compatible = "brcm,iproc-sr-sata-phy";
+- reg = <0x00402100 0x1000>;
++ reg = <0x00112100 0x1000>;
+ reg-names = "phy";
+ #address-cells = <1>;
+ #size-cells = <0>;
+@@ -216,11 +216,11 @@
+ };
+ };
+
+- sata6: ahci@410000 {
++ sata6: ahci@120000 {
+ compatible = "brcm,iproc-ahci", "generic-ahci";
+- reg = <0x00410000 0x1000>;
++ reg = <0x00120000 0x1000>;
+ reg-names = "ahci";
+- interrupts = <GIC_SPI 355 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_SPI 333 IRQ_TYPE_LEVEL_HIGH>;
+ #address-cells = <1>;
+ #size-cells = <0>;
+ status = "disabled";
+@@ -232,9 +232,9 @@
+ };
+ };
+
+- sata_phy6: sata_phy@412100 {
++ sata_phy6: sata_phy@122100 {
+ compatible = "brcm,iproc-sr-sata-phy";
+- reg = <0x00412100 0x1000>;
++ reg = <0x00122100 0x1000>;
+ reg-names = "phy";
+ #address-cells = <1>;
+ #size-cells = <0>;
+@@ -246,11 +246,11 @@
+ };
+ };
+
+- sata7: ahci@420000 {
++ sata7: ahci@130000 {
+ compatible = "brcm,iproc-ahci", "generic-ahci";
+- reg = <0x00420000 0x1000>;
++ reg = <0x00130000 0x1000>;
+ reg-names = "ahci";
+- interrupts = <GIC_SPI 357 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_SPI 335 IRQ_TYPE_LEVEL_HIGH>;
+ #address-cells = <1>;
+ #size-cells = <0>;
+ status = "disabled";
+@@ -262,9 +262,9 @@
+ };
+ };
+
+- sata_phy7: sata_phy@422100 {
++ sata_phy7: sata_phy@132100 {
+ compatible = "brcm,iproc-sr-sata-phy";
+- reg = <0x00422100 0x1000>;
++ reg = <0x00132100 0x1000>;
+ reg-names = "phy";
+ #address-cells = <1>;
+ #size-cells = <0>;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Mon, 26 Mar 2018 23:17:45 +0200
+Subject: ARM64: dts: meson-gx-p23x-q20x: enable the USB controller
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit 972cd12a027256061c19c164021f2a771e860438 ]
+
+All S905D (GXL) and S912 (GXM) reference boards (namely these are
+P230, P231, Q200 and Q201) provide USB connectors.
+This enables the USB controller on these boards to make the USB ports
+actually usable.
+
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/amlogic/meson-gx-p23x-q20x.dtsi | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/arm64/boot/dts/amlogic/meson-gx-p23x-q20x.dtsi
++++ b/arch/arm64/boot/dts/amlogic/meson-gx-p23x-q20x.dtsi
+@@ -248,3 +248,7 @@
+ pinctrl-0 = <&uart_ao_a_pins>;
+ pinctrl-names = "default";
+ };
++
++&usb0 {
++ status = "okay";
++};
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Mon, 26 Mar 2018 23:17:42 +0200
+Subject: ARM64: dts: meson-gxl: add USB host support
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit 8aec5fc1d4d881fe446addb94309efb39d4e5b23 ]
+
+This adds USB host support to the Meson GXL SoC. A dwc3 controller is
+used for host-mode, while a dwc2 controller (not added in this patch
+because I could not get it working) is used for device-mode only.
+
+The dwc3 controller's internal roothub has two USB2 ports enabled but no
+USB3 port. Each of the ports is supplied by a separate PHY. The USB pins
+are connected to the SoC's USBHOST_A and USBOTG_B pins.
+Due to the way the roothub works internally the USB PHYs are left
+enabled. When the dwc3 controller is disabled the PHY is never powered on
+so it does not draw any extra power. However, when the dwc3 host
+controller is enabled then all PHYs also have to be enabled, otherwise
+USB devices will not be detected (regardless of whether they are plugged
+into an enabled port or not). This means that only the dwc3 controller
+has to be enabled on boards with USB support (instead of requiring all
+boards to enable the PHYs additionally with the chance of forgetting to
+enable one and breaking all other ports with that as well).
+
+This also adds the USB3 PHY which currently only does some basic
+initialization. That however is required because without it high-speed
+devices (like USB thumb drives) do not work on some devices (probably
+because the bootloader does not configure the USB3 PHY registers).
+
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/amlogic/meson-gxl.dtsi | 61 +++++++++++++++++++++++++++++
+ 1 file changed, 61 insertions(+)
+
+--- a/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi
++++ b/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi
+@@ -57,6 +57,67 @@
+ no-map;
+ };
+ };
++
++ soc {
++ usb0: usb@c9000000 {
++ status = "disabled";
++ compatible = "amlogic,meson-gxl-dwc3";
++ #address-cells = <2>;
++ #size-cells = <2>;
++ ranges;
++
++ clocks = <&clkc CLKID_USB>;
++ clock-names = "usb_general";
++ resets = <&reset RESET_USB_OTG>;
++ reset-names = "usb_otg";
++
++ dwc3: dwc3@c9000000 {
++ compatible = "snps,dwc3";
++ reg = <0x0 0xc9000000 0x0 0x100000>;
++ interrupts = <GIC_SPI 30 IRQ_TYPE_LEVEL_HIGH>;
++ dr_mode = "host";
++ maximum-speed = "high-speed";
++ snps,dis_u2_susphy_quirk;
++ phys = <&usb3_phy>, <&usb2_phy0>, <&usb2_phy1>;
++ };
++ };
++ };
++};
++
++&apb {
++ usb2_phy0: phy@78000 {
++ compatible = "amlogic,meson-gxl-usb2-phy";
++ #phy-cells = <0>;
++ reg = <0x0 0x78000 0x0 0x20>;
++ clocks = <&clkc CLKID_USB>;
++ clock-names = "phy";
++ resets = <&reset RESET_USB_OTG>;
++ reset-names = "phy";
++ status = "okay";
++ };
++
++ usb2_phy1: phy@78020 {
++ compatible = "amlogic,meson-gxl-usb2-phy";
++ #phy-cells = <0>;
++ reg = <0x0 0x78020 0x0 0x20>;
++ clocks = <&clkc CLKID_USB>;
++ clock-names = "phy";
++ resets = <&reset RESET_USB_OTG>;
++ reset-names = "phy";
++ status = "okay";
++ };
++
++ usb3_phy: phy@78080 {
++ compatible = "amlogic,meson-gxl-usb3-phy";
++ #phy-cells = <0>;
++ reg = <0x0 0x78080 0x0 0x20>;
++ interrupts = <GIC_SPI 16 IRQ_TYPE_LEVEL_HIGH>;
++ clocks = <&clkc CLKID_USB>, <&clkc_AO CLKID_AO_CEC_32K>;
++ clock-names = "phy", "peripheral";
++ resets = <&reset RESET_USB_OTG>, <&reset RESET_USB_OTG>;
++ reset-names = "phy", "peripheral";
++ status = "okay";
++ };
+ };
+
+ ðmac {
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Mon, 26 Mar 2018 23:17:47 +0200
+Subject: ARM64: dts: meson-gxl-nexbox-a95x: enable the USB controller
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit 55ef32249bb647c6b64adcf943918d302a0020a7 ]
+
+The Nexbox A95X provides two USB ports. Enable the SoC's USB controller
+on this board to make these USB ports usable.
+
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/amlogic/meson-gxl-s905x-nexbox-a95x.dts | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-nexbox-a95x.dts
++++ b/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-nexbox-a95x.dts
+@@ -251,3 +251,7 @@
+ pinctrl-0 = <&uart_ao_a_pins>;
+ pinctrl-names = "default";
+ };
++
++&usb0 {
++ status = "okay";
++};
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Mon, 26 Mar 2018 23:17:46 +0200
+Subject: ARM64: dts: meson-gxl-s905x-libretech-cc: enable the USB controller
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit b83687f359d9b4128073f06ab7a06489eb04aa7c ]
+
+The LibreTech CC ("Le Potato") board provides four USB connectors.
+These are provided by a hub which is connected to the SoC's USB
+controller.
+Enable the SoC's USB controller to make the USB ports usable. Also turn
+on the HDMI_5V regulator when powering on the PHY because (even though
+it's not shown in the schematics) HDMI_5V also supplies the USB VBUS.
+
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/amlogic/meson-gxl-s905x-libretech-cc.dts | 12 +++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-libretech-cc.dts
++++ b/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-libretech-cc.dts
+@@ -271,3 +271,15 @@
+ pinctrl-0 = <&uart_ao_a_pins>;
+ pinctrl-names = "default";
+ };
++
++&usb0 {
++ status = "okay";
++};
++
++&usb2_phy0 {
++ /*
++ * even though the schematics don't show it:
++ * HDMI_5V is also used as supply for the USB VBUS.
++ */
++ phy-supply = <&hdmi_5v>;
++};
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Mon, 26 Mar 2018 23:17:44 +0200
+Subject: ARM64: dts: meson-gxl-s905x-p212: enable the USB controller
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit b9f07cb4f41fccbe7616482015d28e6e26aec3a3 ]
+
+All boards based on the P212 reference design (the P212 reference board
+itself and the Khadas VIM) have USB connectors (in case of the Khadas
+VIM the first port is exposed through the USB Type-C connector, the
+second port is connected to a 4-port USB hub).
+This enables the USB controller on these boards to make the USB ports
+actually usable.
+
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/amlogic/meson-gxl-s905x-p212.dtsi | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-p212.dtsi
++++ b/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-p212.dtsi
+@@ -185,3 +185,7 @@
+ pinctrl-0 = <&uart_ao_a_pins>;
+ pinctrl-names = "default";
+ };
++
++&usb0 {
++ status = "okay";
++};
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Mon, 26 Mar 2018 23:17:43 +0200
+Subject: ARM64: dts: meson-gxm: add GXM specific USB host configuration
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit 458baa95c86406c81c6ebac0a98d1689075a3ec4 ]
+
+The USB configuration on GXM is slightly different than on GXL. The dwc3
+controller's internal hub has three USB2 ports (instead of 2 on GXL)
+along with a dedicated USB2 PHY for this port. However, it seems that
+there are no pins on GXM which would allow connecting the third port to
+a physical USB port.
+Passing the third PHY is required though, because without it none of the
+other USB ports is working (this seems to be a limitation of how the
+internal USB hub works, if one PHY is disabled then no USB port works).
+
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/amlogic/meson-gxm.dtsi | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/arch/arm64/boot/dts/amlogic/meson-gxm.dtsi
++++ b/arch/arm64/boot/dts/amlogic/meson-gxm.dtsi
+@@ -117,6 +117,19 @@
+ };
+ };
+
++&apb {
++ usb2_phy2: phy@78040 {
++ compatible = "amlogic,meson-gxl-usb2-phy";
++ #phy-cells = <0>;
++ reg = <0x0 0x78040 0x0 0x20>;
++ clocks = <&clkc CLKID_USB>;
++ clock-names = "phy";
++ resets = <&reset RESET_USB_OTG>;
++ reset-names = "phy";
++ status = "okay";
++ };
++};
++
+ &clkc_AO {
+ compatible = "amlogic,meson-gxm-aoclkc", "amlogic,meson-gx-aoclkc";
+ };
+@@ -137,3 +150,7 @@
+ &hdmi_tx {
+ compatible = "amlogic,meson-gxm-dw-hdmi", "amlogic,meson-gx-dw-hdmi";
+ };
++
++&dwc3 {
++ phys = <&usb3_phy>, <&usb2_phy0>, <&usb2_phy1>, <&usb2_phy2>;
++};
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Mon, 26 Mar 2018 23:17:48 +0200
+Subject: ARM64: dts: meson-gxm-khadas-vim2: enable the USB controller
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit 4b7b0d7b25538d2ad421a1041267d5208d3425bc ]
+
+The Khadas VIM2 board connects the dwc3 controller to an internal 4-port
+USB hub which. Two of these ports are accessible directly soldered to
+the board, while the other two are accessible through the 40-pin "GPIO"
+header.
+
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/amlogic/meson-gxm-khadas-vim2.dts | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/arm64/boot/dts/amlogic/meson-gxm-khadas-vim2.dts
++++ b/arch/arm64/boot/dts/amlogic/meson-gxm-khadas-vim2.dts
+@@ -413,3 +413,7 @@
+ status = "okay";
+ vref-supply = <&vddio_ao18>;
+ };
++
++&usb0 {
++ status = "okay";
++};
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Thu, 12 Apr 2018 11:31:31 +0900
+Subject: arm64: dts: uniphier: fix input delay value for legacy mode of eMMC
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+[ Upstream commit f4e5200fc0d7dad75c688e7ccc0652481a916df5 ]
+
+The property of the legacy mode for the eMMC PHY turned out to
+be wrong. Some eMMC devices are unstable due to the set-up/hold
+timing violation. Correct the delay value.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/socionext/uniphier-ld11.dtsi | 2 +-
+ arch/arm64/boot/dts/socionext/uniphier-ld20.dtsi | 2 +-
+ arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/boot/dts/socionext/uniphier-ld11.dtsi
++++ b/arch/arm64/boot/dts/socionext/uniphier-ld11.dtsi
+@@ -330,7 +330,7 @@
+ mmc-ddr-1_8v;
+ mmc-hs200-1_8v;
+ mmc-pwrseq = <&emmc_pwrseq>;
+- cdns,phy-input-delay-legacy = <4>;
++ cdns,phy-input-delay-legacy = <9>;
+ cdns,phy-input-delay-mmc-highspeed = <2>;
+ cdns,phy-input-delay-mmc-ddr = <3>;
+ cdns,phy-dll-delay-sdclk = <21>;
+--- a/arch/arm64/boot/dts/socionext/uniphier-ld20.dtsi
++++ b/arch/arm64/boot/dts/socionext/uniphier-ld20.dtsi
+@@ -435,7 +435,7 @@
+ mmc-ddr-1_8v;
+ mmc-hs200-1_8v;
+ mmc-pwrseq = <&emmc_pwrseq>;
+- cdns,phy-input-delay-legacy = <4>;
++ cdns,phy-input-delay-legacy = <9>;
+ cdns,phy-input-delay-mmc-highspeed = <2>;
+ cdns,phy-input-delay-mmc-ddr = <3>;
+ cdns,phy-dll-delay-sdclk = <21>;
+--- a/arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi
++++ b/arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi
+@@ -336,7 +336,7 @@
+ mmc-ddr-1_8v;
+ mmc-hs200-1_8v;
+ mmc-pwrseq = <&emmc_pwrseq>;
+- cdns,phy-input-delay-legacy = <4>;
++ cdns,phy-input-delay-legacy = <9>;
+ cdns,phy-input-delay-mmc-highspeed = <2>;
+ cdns,phy-input-delay-mmc-ddr = <3>;
+ cdns,phy-dll-delay-sdclk = <21>;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Wed, 25 Apr 2018 17:13:40 +0100
+Subject: arm64: fix possible spectre-v1 in ptrace_hbp_get_event()
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit 19791a7ca674fb3009bb068260e852a2f05b605c ]
+
+It's possible for userspace to control idx. Sanitize idx when using it
+as an array index.
+
+Found by smatch.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/ptrace.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -25,6 +25,7 @@
+ #include <linux/sched/signal.h>
+ #include <linux/sched/task_stack.h>
+ #include <linux/mm.h>
++#include <linux/nospec.h>
+ #include <linux/smp.h>
+ #include <linux/ptrace.h>
+ #include <linux/user.h>
+@@ -249,15 +250,20 @@ static struct perf_event *ptrace_hbp_get
+
+ switch (note_type) {
+ case NT_ARM_HW_BREAK:
+- if (idx < ARM_MAX_BRP)
+- bp = tsk->thread.debug.hbp_break[idx];
++ if (idx >= ARM_MAX_BRP)
++ goto out;
++ idx = array_index_nospec(idx, ARM_MAX_BRP);
++ bp = tsk->thread.debug.hbp_break[idx];
+ break;
+ case NT_ARM_HW_WATCH:
+- if (idx < ARM_MAX_WRP)
+- bp = tsk->thread.debug.hbp_watch[idx];
++ if (idx >= ARM_MAX_WRP)
++ goto out;
++ idx = array_index_nospec(idx, ARM_MAX_WRP);
++ bp = tsk->thread.debug.hbp_watch[idx];
+ break;
+ }
+
++out:
+ return bp;
+ }
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Mon, 16 Apr 2018 14:44:41 +0100
+Subject: arm64: kasan: avoid pfn_to_nid() before page array is initialized
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit 800cb2e553d44541b83aa3ec45d9839385fe8ab6 ]
+
+In arm64's kasan_init(), we use pfn_to_nid() to find the NUMA node a
+span of memory is in, hoping to allocate shadow from the same NUMA node.
+However, at this point, the page array has not been initialized, and
+thus this is bogus.
+
+Since commit:
+
+ f165b378bbdf6c8a ("mm: uninitialized struct page poisoning sanity")
+
+... accessing fields of the page array results in a boot time Oops(),
+highlighting this problem:
+
+[ 0.000000] Unable to handle kernel paging request at virtual address dfff200000000000
+[ 0.000000] Mem abort info:
+[ 0.000000] ESR = 0x96000004
+[ 0.000000] Exception class = DABT (current EL), IL = 32 bits
+[ 0.000000] SET = 0, FnV = 0
+[ 0.000000] EA = 0, S1PTW = 0
+[ 0.000000] Data abort info:
+[ 0.000000] ISV = 0, ISS = 0x00000004
+[ 0.000000] CM = 0, WnR = 0
+[ 0.000000] [dfff200000000000] address between user and kernel address ranges
+[ 0.000000] Internal error: Oops: 96000004 [#1] PREEMPT SMP
+[ 0.000000] Modules linked in:
+[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.16.0-07317-gf165b378bbdf #42
+[ 0.000000] Hardware name: ARM Juno development board (r1) (DT)
+[ 0.000000] pstate: 80000085 (Nzcv daIf -PAN -UAO)
+[ 0.000000] pc : __asan_load8+0x8c/0xa8
+[ 0.000000] lr : __dump_page+0x3c/0x3b8
+[ 0.000000] sp : ffff2000099b7ca0
+[ 0.000000] x29: ffff2000099b7ca0 x28: ffff20000a1762c0
+[ 0.000000] x27: ffff7e0000000000 x26: ffff2000099dd000
+[ 0.000000] x25: ffff200009a3f960 x24: ffff200008f9c38c
+[ 0.000000] x23: ffff20000a9d3000 x22: ffff200009735430
+[ 0.000000] x21: fffffffffffffffe x20: ffff7e0001e50420
+[ 0.000000] x19: ffff7e0001e50400 x18: 0000000000001840
+[ 0.000000] x17: ffffffffffff8270 x16: 0000000000001840
+[ 0.000000] x15: 0000000000001920 x14: 0000000000000004
+[ 0.000000] x13: 0000000000000000 x12: 0000000000000800
+[ 0.000000] x11: 1ffff0012d0f89ff x10: ffff10012d0f89ff
+[ 0.000000] x9 : 0000000000000000 x8 : ffff8009687c5000
+[ 0.000000] x7 : 0000000000000000 x6 : ffff10000f282000
+[ 0.000000] x5 : 0000000000000040 x4 : fffffffffffffffe
+[ 0.000000] x3 : 0000000000000000 x2 : dfff200000000000
+[ 0.000000] x1 : 0000000000000005 x0 : 0000000000000000
+[ 0.000000] Process swapper (pid: 0, stack limit = 0x (ptrval))
+[ 0.000000] Call trace:
+[ 0.000000] __asan_load8+0x8c/0xa8
+[ 0.000000] __dump_page+0x3c/0x3b8
+[ 0.000000] dump_page+0xc/0x18
+[ 0.000000] kasan_init+0x2e8/0x5a8
+[ 0.000000] setup_arch+0x294/0x71c
+[ 0.000000] start_kernel+0xdc/0x500
+[ 0.000000] Code: aa0403e0 9400063c 17ffffee d343fc00 (38e26800)
+[ 0.000000] ---[ end trace 67064f0e9c0cc338 ]---
+[ 0.000000] Kernel panic - not syncing: Attempted to kill the idle task!
+[ 0.000000] ---[ end Kernel panic - not syncing: Attempted to kill the idle task! ]---
+
+Let's fix this by using early_pfn_to_nid(), as other architectures do in
+their kasan init code. Note that early_pfn_to_nid acquires the nid from
+the memblock array, which we iterate over in kasan_init(), so this
+should be fine.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Fixes: 39d114ddc6822302 ("arm64: add KASAN support")
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/mm/kasan_init.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/mm/kasan_init.c
++++ b/arch/arm64/mm/kasan_init.c
+@@ -204,7 +204,7 @@ void __init kasan_init(void)
+ clear_pgds(KASAN_SHADOW_START, KASAN_SHADOW_END);
+
+ kasan_map_populate(kimg_shadow_start, kimg_shadow_end,
+- pfn_to_nid(virt_to_pfn(lm_alias(_text))));
++ early_pfn_to_nid(virt_to_pfn(lm_alias(_text))));
+
+ kasan_populate_zero_shadow((void *)KASAN_SHADOW_START,
+ (void *)mod_shadow_start);
+@@ -224,7 +224,7 @@ void __init kasan_init(void)
+
+ kasan_map_populate((unsigned long)kasan_mem_to_shadow(start),
+ (unsigned long)kasan_mem_to_shadow(end),
+- pfn_to_nid(virt_to_pfn(start)));
++ early_pfn_to_nid(virt_to_pfn(start)));
+ }
+
+ /*
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Tue, 3 Apr 2018 11:22:51 +0100
+Subject: arm64: only advance singlestep for user instruction traps
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit 9478f1927e6ef9ef5e1ad761af1c98aa8e40b7f5 ]
+
+Our arm64_skip_faulting_instruction() helper advances the userspace
+singlestep state machine, but this is also called by the kernel BRK
+handler, as used for WARN*().
+
+Thus, if we happen to hit a WARN*() while the user singlestep state
+machine is in the active-no-pending state, we'll advance to the
+active-pending state without having executed a user instruction, and
+will take a step exception earlier than expected when we return to
+userspace.
+
+Let's fix this by only advancing the state machine when skipping a user
+instruction.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Andrey Konovalov <andreyknvl@google.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/traps.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/traps.c
++++ b/arch/arm64/kernel/traps.c
+@@ -243,7 +243,8 @@ void arm64_skip_faulting_instruction(str
+ * If we were single stepping, we want to get the step exception after
+ * we return from the trap.
+ */
+- user_fastforward_single_step(current);
++ if (user_mode(regs))
++ user_fastforward_single_step(current);
+ }
+
+ static LIST_HEAD(undef_hook);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Tue, 24 Apr 2018 13:11:22 +0100
+Subject: arm64: ptrace: remove addr_limit manipulation
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit 59275a0c037ed6fabd6354730f1e3104264ab719 ]
+
+We transiently switch to KERNEL_DS in compat_ptrace_gethbpregs() and
+compat_ptrace_sethbpregs(), but in either case this is pointless as we
+don't perform any uaccess during this window.
+
+let's rip out the redundant addr_limit manipulation.
+
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/ptrace.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -1458,9 +1458,7 @@ static int compat_ptrace_gethbpregs(stru
+ {
+ int ret;
+ u32 kdata;
+- mm_segment_t old_fs = get_fs();
+
+- set_fs(KERNEL_DS);
+ /* Watchpoint */
+ if (num < 0) {
+ ret = compat_ptrace_hbp_get(NT_ARM_HW_WATCH, tsk, num, &kdata);
+@@ -1471,7 +1469,6 @@ static int compat_ptrace_gethbpregs(stru
+ } else {
+ ret = compat_ptrace_hbp_get(NT_ARM_HW_BREAK, tsk, num, &kdata);
+ }
+- set_fs(old_fs);
+
+ if (!ret)
+ ret = put_user(kdata, data);
+@@ -1484,7 +1481,6 @@ static int compat_ptrace_sethbpregs(stru
+ {
+ int ret;
+ u32 kdata = 0;
+- mm_segment_t old_fs = get_fs();
+
+ if (num == 0)
+ return 0;
+@@ -1493,12 +1489,10 @@ static int compat_ptrace_sethbpregs(stru
+ if (ret)
+ return ret;
+
+- set_fs(KERNEL_DS);
+ if (num < 0)
+ ret = compat_ptrace_hbp_set(NT_ARM_HW_WATCH, tsk, num, &kdata);
+ else
+ ret = compat_ptrace_hbp_set(NT_ARM_HW_BREAK, tsk, num, &kdata);
+- set_fs(old_fs);
+
+ return ret;
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Bhadram Varka <vbhadram@nvidia.com>
+Date: Wed, 2 May 2018 20:44:40 +0530
+Subject: arm64: tegra: Make BCM89610 PHY interrupt as active low
+
+From: Bhadram Varka <vbhadram@nvidia.com>
+
+[ Upstream commit 9df50ba76ac1485b844beffa1f3f5d9659d9cdaf ]
+
+Need to configure PHY interrupt as active low for P3310 Tegra186
+platform otherwise it results in spurious interrupts.
+
+This issue wasn't seen before because the generic PHY driver without
+interrupt support was used.
+
+Signed-off-by: Bhadram Varka <vbhadram@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/nvidia/tegra186-p3310.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/nvidia/tegra186-p3310.dtsi
++++ b/arch/arm64/boot/dts/nvidia/tegra186-p3310.dtsi
+@@ -46,7 +46,7 @@
+ compatible = "ethernet-phy-ieee802.3-c22";
+ reg = <0x0>;
+ interrupt-parent = <&gpio>;
+- interrupts = <TEGRA_MAIN_GPIO(M, 5) IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <TEGRA_MAIN_GPIO(M, 5) IRQ_TYPE_LEVEL_LOW>;
+ };
+ };
+ };
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Date: Mon, 2 Apr 2018 12:06:14 -0500
+Subject: ASoC: Intel: atom: fix ACPI/PCI Kconfig
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+[ Upstream commit 90619eb1dc4f19357fef5e9c13c6c9beead0fd80 ]
+
+The split between ACPI and PCI platforms generated issues with randconfig:
+
+with SND_SST_ATOM_HIFI2_PLATFORM_PCI=y and
+SND_SST_ATOM_HIFI2_PLATFORM=m, we get this module link failure:
+
+ERROR: "sst_context_init"
+[sound/soc/intel/atom/sst/snd-intel-sst-acpi.ko] undefined!
+
+ERROR: "sst_context_cleanup"
+[sound/soc/intel/atom/sst/snd-intel-sst-acpi.ko] undefined!
+
+ERROR: "sst_alloc_drv_context"
+[sound/soc/intel/atom/sst/snd-intel-sst-acpi.ko] undefined!
+
+ERROR: "intel_sst_pm" [sound/soc/intel/atom/sst/snd-intel-sst-acpi.ko]
+undefined!
+
+ERROR: "sst_configure_runtime_pm"
+[sound/soc/intel/atom/sst/snd-intel-sst-acpi.ko] undefined!
+
+To keep things simple, let's expose two configs for
+SND_SST_ATOM_HIFI2_PLATFORM_PCI and SND_SST_ATOM_HIFI2_PLATFORM_ACPI,
+which select a common SND_SST_ATOM_HIFI2_PLATFORM option. To avoid
+breaking existing solutions with the semantics change,
+SND_SST_ATOM_HIFI2_PLATFORM_ACPI uses "default ACPI" so that "make
+oldnoconfig" and "make olddefconfig" still work as expected.
+
+Also remove mentions of Medfield while we are at it since it was
+removed recently.
+
+Reported-by: Arnd Bergmann <arnd@arndb.de>
+Fixes: 4772c16ede52 ("ASoC: Intel: Kconfig: Simplify-clarify ACPI/PCI
+dependencies")
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-By: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/intel/Kconfig | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+--- a/sound/soc/intel/Kconfig
++++ b/sound/soc/intel/Kconfig
+@@ -72,24 +72,28 @@ config SND_SOC_INTEL_BAYTRAIL
+ for Baytrail Chromebooks but this option is now deprecated and is
+ not recommended, use SND_SST_ATOM_HIFI2_PLATFORM instead.
+
++config SND_SST_ATOM_HIFI2_PLATFORM
++ tristate
++ select SND_SOC_COMPRESS
++
+ config SND_SST_ATOM_HIFI2_PLATFORM_PCI
+- tristate "PCI HiFi2 (Medfield, Merrifield) Platforms"
++ tristate "PCI HiFi2 (Merrifield) Platforms"
+ depends on X86 && PCI
+ select SND_SST_IPC_PCI
+- select SND_SOC_COMPRESS
++ select SND_SST_ATOM_HIFI2_PLATFORM
+ help
+- If you have a Intel Medfield or Merrifield/Edison platform, then
++ If you have a Intel Merrifield/Edison platform, then
+ enable this option by saying Y or m. Distros will typically not
+- enable this option: Medfield devices are not available to
+- developers and while Merrifield/Edison can run a mainline kernel with
+- limited functionality it will require a firmware file which
+- is not in the standard firmware tree
++ enable this option: while Merrifield/Edison can run a mainline
++ kernel with limited functionality it will require a firmware file
++ which is not in the standard firmware tree
+
+-config SND_SST_ATOM_HIFI2_PLATFORM
++config SND_SST_ATOM_HIFI2_PLATFORM_ACPI
+ tristate "ACPI HiFi2 (Baytrail, Cherrytrail) Platforms"
++ default ACPI
+ depends on X86 && ACPI
+ select SND_SST_IPC_ACPI
+- select SND_SOC_COMPRESS
++ select SND_SST_ATOM_HIFI2_PLATFORM
+ select SND_SOC_ACPI_INTEL_MATCH
+ select IOSF_MBI
+ help
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Wed, 18 Apr 2018 18:46:37 +0100
+Subject: ASoC: msm8916-wcd-analog: use threaded context for mbhc events
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit a8419a0cd98ddf628a9e38a92110af7cc650dde7 ]
+
+As snd_soc_jack_report() can sleep, move handling of mbhc events to a
+thread context rather than in interrupt context.
+
+Fixes: de66b3455023 ('ASoC: codecs: msm8916-wcd-analog: add MBHC support')
+Reported-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/msm8916-wcd-analog.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/sound/soc/codecs/msm8916-wcd-analog.c
++++ b/sound/soc/codecs/msm8916-wcd-analog.c
+@@ -1185,7 +1185,8 @@ static int pm8916_wcd_analog_spmi_probe(
+ return irq;
+ }
+
+- ret = devm_request_irq(dev, irq, pm8916_mbhc_switch_irq_handler,
++ ret = devm_request_threaded_irq(dev, irq, NULL,
++ pm8916_mbhc_switch_irq_handler,
+ IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING |
+ IRQF_ONESHOT,
+ "mbhc switch irq", priv);
+@@ -1199,7 +1200,8 @@ static int pm8916_wcd_analog_spmi_probe(
+ return irq;
+ }
+
+- ret = devm_request_irq(dev, irq, mbhc_btn_press_irq_handler,
++ ret = devm_request_threaded_irq(dev, irq, NULL,
++ mbhc_btn_press_irq_handler,
+ IRQF_TRIGGER_RISING |
+ IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
+ "mbhc btn press irq", priv);
+@@ -1212,7 +1214,8 @@ static int pm8916_wcd_analog_spmi_probe(
+ return irq;
+ }
+
+- ret = devm_request_irq(dev, irq, mbhc_btn_release_irq_handler,
++ ret = devm_request_threaded_irq(dev, irq, NULL,
++ mbhc_btn_release_irq_handler,
+ IRQF_TRIGGER_RISING |
+ IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
+ "mbhc btn release irq", priv);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: "oder_chiou@realtek.com" <oder_chiou@realtek.com>
+Date: Fri, 30 Mar 2018 15:41:55 +0800
+Subject: ASoC: rt5514: Add the missing register in the readable table
+
+From: "oder_chiou@realtek.com" <oder_chiou@realtek.com>
+
+[ Upstream commit 5ef5ac8de125fe6b4b23293bee026ca7ea1529b9 ]
+
+The patch adds the missing register in the readable table.
+
+Signed-off-by: Oder Chiou <oder_chiou@realtek.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/rt5514.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/soc/codecs/rt5514.c
++++ b/sound/soc/codecs/rt5514.c
+@@ -89,6 +89,7 @@ static const struct reg_default rt5514_r
+ {RT5514_PLL3_CALIB_CTRL5, 0x40220012},
+ {RT5514_DELAY_BUF_CTRL1, 0x7fff006a},
+ {RT5514_DELAY_BUF_CTRL3, 0x00000000},
++ {RT5514_ASRC_IN_CTRL1, 0x00000003},
+ {RT5514_DOWNFILTER0_CTRL1, 0x00020c2f},
+ {RT5514_DOWNFILTER0_CTRL2, 0x00020c2f},
+ {RT5514_DOWNFILTER0_CTRL3, 0x10000362},
+@@ -181,6 +182,7 @@ static bool rt5514_readable_register(str
+ case RT5514_PLL3_CALIB_CTRL5:
+ case RT5514_DELAY_BUF_CTRL1:
+ case RT5514_DELAY_BUF_CTRL3:
++ case RT5514_ASRC_IN_CTRL1:
+ case RT5514_DOWNFILTER0_CTRL1:
+ case RT5514_DOWNFILTER0_CTRL2:
+ case RT5514_DOWNFILTER0_CTRL3:
+@@ -238,6 +240,7 @@ static bool rt5514_i2c_readable_register
+ case RT5514_DSP_MAPPING | RT5514_PLL3_CALIB_CTRL5:
+ case RT5514_DSP_MAPPING | RT5514_DELAY_BUF_CTRL1:
+ case RT5514_DSP_MAPPING | RT5514_DELAY_BUF_CTRL3:
++ case RT5514_DSP_MAPPING | RT5514_ASRC_IN_CTRL1:
+ case RT5514_DSP_MAPPING | RT5514_DOWNFILTER0_CTRL1:
+ case RT5514_DSP_MAPPING | RT5514_DOWNFILTER0_CTRL2:
+ case RT5514_DSP_MAPPING | RT5514_DOWNFILTER0_CTRL3:
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Liam Girdwood <liam.r.girdwood@linux.intel.com>
+Date: Tue, 27 Mar 2018 14:30:44 +0100
+Subject: ASoC: topology: Check widget kcontrols before deref.
+
+From: Liam Girdwood <liam.r.girdwood@linux.intel.com>
+
+[ Upstream commit 05bdcf12905533b8628627b6634608cd3b57c607 ]
+
+Validate the topology input before we dereference the pointer.
+
+Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/soc-topology.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -510,7 +510,7 @@ static void remove_widget(struct snd_soc
+ */
+ if (dobj->widget.kcontrol_type == SND_SOC_TPLG_TYPE_ENUM) {
+ /* enumerated widget mixer */
+- for (i = 0; i < w->num_kcontrols; i++) {
++ for (i = 0; w->kcontrols != NULL && i < w->num_kcontrols; i++) {
+ struct snd_kcontrol *kcontrol = w->kcontrols[i];
+ struct soc_enum *se =
+ (struct soc_enum *)kcontrol->private_value;
+@@ -528,7 +528,7 @@ static void remove_widget(struct snd_soc
+ kfree(w->kcontrol_news);
+ } else {
+ /* volume mixer or bytes controls */
+- for (i = 0; i < w->num_kcontrols; i++) {
++ for (i = 0; w->kcontrols != NULL && i < w->num_kcontrols; i++) {
+ struct snd_kcontrol *kcontrol = w->kcontrols[i];
+
+ if (dobj->widget.kcontrol_type
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Yan Wang <yan.wang@linux.intel.com>
+Date: Mon, 26 Mar 2018 16:48:00 +0100
+Subject: ASoC: topology: Fix bugs of freeing soc topology
+
+From: Yan Wang <yan.wang@linux.intel.com>
+
+[ Upstream commit feb12f0cd8d7b1e8df2e6fce19fc9a026a468cc2 ]
+
+In snd_soc_tplg_component_remove(), it should compare index and
+not dobj->index with SND_SOC_TPLG_INDEX_ALL for removing all
+topology objects.
+
+Signed-off-by: Yan Wang <yan.wang@linux.intel.com>
+Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/soc-topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -2571,7 +2571,7 @@ int snd_soc_tplg_component_remove(struct
+
+ /* match index */
+ if (dobj->index != index &&
+- dobj->index != SND_SOC_TPLG_INDEX_ALL)
++ index != SND_SOC_TPLG_INDEX_ALL)
+ continue;
+
+ switch (dobj->type) {
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Evan Wang <xswang@marvell.com>
+Date: Fri, 13 Apr 2018 12:32:31 +0800
+Subject: ata: ahci: mvebu: override ahci_stop_engine for mvebu AHCI
+
+From: Evan Wang <xswang@marvell.com>
+
+[ Upstream commit daa2e3bdbb0b3e691cf20a042350817310cb8cb5 ]
+
+There is an issue(Errata Ref#226) that the SATA can not be
+detected via SATA Port-MultiPlayer(PMP) with following
+error log:
+ ata1.15: PMP product ID mismatch
+ ata1.15: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
+ ata1.15: Port Multiplier vendor mismatch '0x1b4b'!='0x0'
+ ata1.15: PMP revalidation failed (errno=-19)
+
+After debugging, the reason is found that the value Port-x
+FIS-based Switching Control(PxFBS@0x40) become wrong.
+According to design, the bits[11:8, 0] of register PxFBS
+are cleared when Port Command and Status (0x18) bit[0]
+changes its value from 1 to 0, i.e. falling edge of Port
+Command and Status bit[0] sends PULSE that resets PxFBS
+bits[11:8; 0].
+So it needs a mvebu SATA WA to save the port PxFBS register
+before PxCMD ST write and restore it afterwards.
+
+This patch implements the WA in a separate function of
+ahci_mvebu_stop_engine to override ahci_stop_gngine.
+
+Signed-off-by: Evan Wang <xswang@marvell.com>
+Cc: Ofer Heifetz <oferh@marvell.com>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/ahci_mvebu.c | 56 +++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 56 insertions(+)
+
+--- a/drivers/ata/ahci_mvebu.c
++++ b/drivers/ata/ahci_mvebu.c
+@@ -62,6 +62,60 @@ static void ahci_mvebu_regret_option(str
+ writel(0x80, hpriv->mmio + AHCI_VENDOR_SPECIFIC_0_DATA);
+ }
+
++/**
++ * ahci_mvebu_stop_engine
++ *
++ * @ap: Target ata port
++ *
++ * Errata Ref#226 - SATA Disk HOT swap issue when connected through
++ * Port Multiplier in FIS-based Switching mode.
++ *
++ * To avoid the issue, according to design, the bits[11:8, 0] of
++ * register PxFBS are cleared when Port Command and Status (0x18) bit[0]
++ * changes its value from 1 to 0, i.e. falling edge of Port
++ * Command and Status bit[0] sends PULSE that resets PxFBS
++ * bits[11:8; 0].
++ *
++ * This function is used to override function of "ahci_stop_engine"
++ * from libahci.c by adding the mvebu work around(WA) to save PxFBS
++ * value before the PxCMD ST write of 0, then restore PxFBS value.
++ *
++ * Return: 0 on success; Error code otherwise.
++ */
++int ahci_mvebu_stop_engine(struct ata_port *ap)
++{
++ void __iomem *port_mmio = ahci_port_base(ap);
++ u32 tmp, port_fbs;
++
++ tmp = readl(port_mmio + PORT_CMD);
++
++ /* check if the HBA is idle */
++ if ((tmp & (PORT_CMD_START | PORT_CMD_LIST_ON)) == 0)
++ return 0;
++
++ /* save the port PxFBS register for later restore */
++ port_fbs = readl(port_mmio + PORT_FBS);
++
++ /* setting HBA to idle */
++ tmp &= ~PORT_CMD_START;
++ writel(tmp, port_mmio + PORT_CMD);
++
++ /*
++ * bit #15 PxCMD signal doesn't clear PxFBS,
++ * restore the PxFBS register right after clearing the PxCMD ST,
++ * no need to wait for the PxCMD bit #15.
++ */
++ writel(port_fbs, port_mmio + PORT_FBS);
++
++ /* wait for engine to stop. This could be as long as 500 msec */
++ tmp = ata_wait_register(ap, port_mmio + PORT_CMD,
++ PORT_CMD_LIST_ON, PORT_CMD_LIST_ON, 1, 500);
++ if (tmp & PORT_CMD_LIST_ON)
++ return -EIO;
++
++ return 0;
++}
++
+ #ifdef CONFIG_PM_SLEEP
+ static int ahci_mvebu_suspend(struct platform_device *pdev, pm_message_t state)
+ {
+@@ -112,6 +166,8 @@ static int ahci_mvebu_probe(struct platf
+ if (rc)
+ return rc;
+
++ hpriv->stop_engine = ahci_mvebu_stop_engine;
++
+ if (of_device_is_compatible(pdev->dev.of_node,
+ "marvell,armada-380-ahci")) {
+ dram = mv_mbus_dram_info();
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Omar Sandoval <osandov@fb.com>
+Date: Thu, 26 Apr 2018 00:21:59 -0700
+Subject: blk-mq: fix sysfs inflight counter
+
+From: Omar Sandoval <osandov@fb.com>
+
+[ Upstream commit bf0ddaba65ddbb2715af97041da8e7a45b2d8628 ]
+
+When the blk-mq inflight implementation was added, /proc/diskstats was
+converted to use it, but /sys/block/$dev/inflight was not. Fix it by
+adding another helper to count in-flight requests by data direction.
+
+Fixes: f299b7c7a9de ("blk-mq: provide internal in-flight variant")
+Signed-off-by: Omar Sandoval <osandov@fb.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-mq.c | 19 +++++++++++++++++++
+ block/blk-mq.h | 4 +++-
+ block/genhd.c | 12 ++++++++++++
+ block/partition-generic.c | 10 ++++++----
+ include/linux/genhd.h | 4 +++-
+ 5 files changed, 43 insertions(+), 6 deletions(-)
+
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -118,6 +118,25 @@ void blk_mq_in_flight(struct request_que
+ blk_mq_queue_tag_busy_iter(q, blk_mq_check_inflight, &mi);
+ }
+
++static void blk_mq_check_inflight_rw(struct blk_mq_hw_ctx *hctx,
++ struct request *rq, void *priv,
++ bool reserved)
++{
++ struct mq_inflight *mi = priv;
++
++ if (rq->part == mi->part)
++ mi->inflight[rq_data_dir(rq)]++;
++}
++
++void blk_mq_in_flight_rw(struct request_queue *q, struct hd_struct *part,
++ unsigned int inflight[2])
++{
++ struct mq_inflight mi = { .part = part, .inflight = inflight, };
++
++ inflight[0] = inflight[1] = 0;
++ blk_mq_queue_tag_busy_iter(q, blk_mq_check_inflight_rw, &mi);
++}
++
+ void blk_freeze_queue_start(struct request_queue *q)
+ {
+ int freeze_depth;
+--- a/block/blk-mq.h
++++ b/block/blk-mq.h
+@@ -185,7 +185,9 @@ static inline bool blk_mq_hw_queue_mappe
+ }
+
+ void blk_mq_in_flight(struct request_queue *q, struct hd_struct *part,
+- unsigned int inflight[2]);
++ unsigned int inflight[2]);
++void blk_mq_in_flight_rw(struct request_queue *q, struct hd_struct *part,
++ unsigned int inflight[2]);
+
+ static inline void blk_mq_put_dispatch_budget(struct blk_mq_hw_ctx *hctx)
+ {
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -82,6 +82,18 @@ void part_in_flight(struct request_queue
+ }
+ }
+
++void part_in_flight_rw(struct request_queue *q, struct hd_struct *part,
++ unsigned int inflight[2])
++{
++ if (q->mq_ops) {
++ blk_mq_in_flight_rw(q, part, inflight);
++ return;
++ }
++
++ inflight[0] = atomic_read(&part->in_flight[0]);
++ inflight[1] = atomic_read(&part->in_flight[1]);
++}
++
+ struct hd_struct *__disk_get_part(struct gendisk *disk, int partno)
+ {
+ struct disk_part_tbl *ptbl = rcu_dereference(disk->part_tbl);
+--- a/block/partition-generic.c
++++ b/block/partition-generic.c
+@@ -145,13 +145,15 @@ ssize_t part_stat_show(struct device *de
+ jiffies_to_msecs(part_stat_read(p, time_in_queue)));
+ }
+
+-ssize_t part_inflight_show(struct device *dev,
+- struct device_attribute *attr, char *buf)
++ssize_t part_inflight_show(struct device *dev, struct device_attribute *attr,
++ char *buf)
+ {
+ struct hd_struct *p = dev_to_part(dev);
++ struct request_queue *q = part_to_disk(p)->queue;
++ unsigned int inflight[2];
+
+- return sprintf(buf, "%8u %8u\n", atomic_read(&p->in_flight[0]),
+- atomic_read(&p->in_flight[1]));
++ part_in_flight_rw(q, p, inflight);
++ return sprintf(buf, "%8u %8u\n", inflight[0], inflight[1]);
+ }
+
+ #ifdef CONFIG_FAIL_MAKE_REQUEST
+--- a/include/linux/genhd.h
++++ b/include/linux/genhd.h
+@@ -368,7 +368,9 @@ static inline void free_part_stats(struc
+ part_stat_add(cpu, gendiskp, field, -subnd)
+
+ void part_in_flight(struct request_queue *q, struct hd_struct *part,
+- unsigned int inflight[2]);
++ unsigned int inflight[2]);
++void part_in_flight_rw(struct request_queue *q, struct hd_struct *part,
++ unsigned int inflight[2]);
+ void part_dec_in_flight(struct request_queue *q, struct hd_struct *part,
+ int rw);
+ void part_inc_in_flight(struct request_queue *q, struct hd_struct *part,
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Jiang Biao <jiang.biao2@zte.com.cn>
+Date: Wed, 18 Apr 2018 08:37:18 -0600
+Subject: blkcg: don't hold blkcg lock when deactivating policy
+
+From: Jiang Biao <jiang.biao2@zte.com.cn>
+
+[ Upstream commit 946b81da114b8ba5c74bb01e57c0c6eca2bdc801 ]
+
+As described in the comment of blkcg_activate_policy(),
+*Update of each blkg is protected by both queue and blkcg locks so
+that holding either lock and testing blkcg_policy_enabled() is
+always enough for dereferencing policy data.*
+with queue lock held, there is no need to hold blkcg lock in
+blkcg_deactivate_policy(). Similar case is in
+blkcg_activate_policy(), which has removed holding of blkcg lock in
+commit 4c55f4f9ad3001ac1fefdd8d8ca7641d18558e23.
+
+Signed-off-by: Jiang Biao <jiang.biao2@zte.com.cn>
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+CC: Tejun Heo <tj@kernel.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-cgroup.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/block/blk-cgroup.c
++++ b/block/blk-cgroup.c
+@@ -1367,17 +1367,12 @@ void blkcg_deactivate_policy(struct requ
+ __clear_bit(pol->plid, q->blkcg_pols);
+
+ list_for_each_entry(blkg, &q->blkg_list, q_node) {
+- /* grab blkcg lock too while removing @pd from @blkg */
+- spin_lock(&blkg->blkcg->lock);
+-
+ if (blkg->pd[pol->plid]) {
+ if (pol->pd_offline_fn)
+ pol->pd_offline_fn(blkg->pd[pol->plid]);
+ pol->pd_free_fn(blkg->pd[pol->plid]);
+ blkg->pd[pol->plid] = NULL;
+ }
+-
+- spin_unlock(&blkg->blkcg->lock);
+ }
+
+ spin_unlock_irq(q->queue_lock);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Jiang Biao <jiang.biao2@zte.com.cn>
+Date: Thu, 19 Apr 2018 12:06:09 +0800
+Subject: blkcg: init root blkcg_gq under lock
+
+From: Jiang Biao <jiang.biao2@zte.com.cn>
+
+[ Upstream commit 901932a3f9b2b80352896be946c6d577c0a9652c ]
+
+The initializing of q->root_blkg is currently outside of queue lock
+and rcu, so the blkg may be destroied before the initializing, which
+may cause dangling/null references. On the other side, the destroys
+of blkg are protected by queue lock or rcu. Put the initializing
+inside the queue lock and rcu to make it safer.
+
+Signed-off-by: Jiang Biao <jiang.biao2@zte.com.cn>
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+CC: Tejun Heo <tj@kernel.org>
+CC: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-cgroup.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/block/blk-cgroup.c
++++ b/block/blk-cgroup.c
+@@ -1142,18 +1142,16 @@ int blkcg_init_queue(struct request_queu
+ rcu_read_lock();
+ spin_lock_irq(q->queue_lock);
+ blkg = blkg_create(&blkcg_root, q, new_blkg);
++ if (IS_ERR(blkg))
++ goto err_unlock;
++ q->root_blkg = blkg;
++ q->root_rl.blkg = blkg;
+ spin_unlock_irq(q->queue_lock);
+ rcu_read_unlock();
+
+ if (preloaded)
+ radix_tree_preload_end();
+
+- if (IS_ERR(blkg))
+- return PTR_ERR(blkg);
+-
+- q->root_blkg = blkg;
+- q->root_rl.blkg = blkg;
+-
+ ret = blk_throtl_init(q);
+ if (ret) {
+ spin_lock_irq(q->queue_lock);
+@@ -1161,6 +1159,13 @@ int blkcg_init_queue(struct request_queu
+ spin_unlock_irq(q->queue_lock);
+ }
+ return ret;
++
++err_unlock:
++ spin_unlock_irq(q->queue_lock);
++ rcu_read_unlock();
++ if (preloaded)
++ radix_tree_preload_end();
++ return PTR_ERR(blkg);
+ }
+
+ /**
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Thu, 3 May 2018 17:04:59 +0100
+Subject: bpf: fix possible spectre-v1 in find_and_alloc_map()
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit 9ef09e35e521bf0df5325cc9cffa726a8f5f3c1b ]
+
+It's possible for userspace to control attr->map_type. Sanitize it when
+using it as an array index to prevent an out-of-bounds value being used
+under speculation.
+
+Found by smatch.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: netdev@vger.kernel.org
+Acked-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/syscall.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -26,6 +26,7 @@
+ #include <linux/cred.h>
+ #include <linux/timekeeping.h>
+ #include <linux/ctype.h>
++#include <linux/nospec.h>
+
+ #define IS_FD_ARRAY(map) ((map)->map_type == BPF_MAP_TYPE_PROG_ARRAY || \
+ (map)->map_type == BPF_MAP_TYPE_PERF_EVENT_ARRAY || \
+@@ -102,12 +103,14 @@ const struct bpf_map_ops bpf_map_offload
+ static struct bpf_map *find_and_alloc_map(union bpf_attr *attr)
+ {
+ const struct bpf_map_ops *ops;
++ u32 type = attr->map_type;
+ struct bpf_map *map;
+ int err;
+
+- if (attr->map_type >= ARRAY_SIZE(bpf_map_types))
++ if (type >= ARRAY_SIZE(bpf_map_types))
+ return ERR_PTR(-EINVAL);
+- ops = bpf_map_types[attr->map_type];
++ type = array_index_nospec(type, ARRAY_SIZE(bpf_map_types));
++ ops = bpf_map_types[type];
+ if (!ops)
+ return ERR_PTR(-EINVAL);
+
+@@ -122,7 +125,7 @@ static struct bpf_map *find_and_alloc_ma
+ if (IS_ERR(map))
+ return map;
+ map->ops = ops;
+- map->map_type = attr->map_type;
++ map->map_type = type;
+ return map;
+ }
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: John Fastabend <john.fastabend@gmail.com>
+Date: Wed, 25 Apr 2018 15:08:53 -0700
+Subject: bpf: fix uninitialized variable in bpf tools
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit 815425567dea6c54494e85050631d6bdda907c5d ]
+
+Here the variable cont is used as the saved_pointer for a call to
+strtok_r(). It is safe to use the value uninitialized in this
+context however and the later reference is only ever used if
+the strtok_r is successful. But, 'gcc-5' at least doesn't have all
+this knowledge so initialize cont to NULL. Additionally, do the
+natural NULL check before accessing just for completness.
+
+The warning is the following:
+
+./bpf/tools/bpf/bpf_dbg.c: In function ‘cmd_load’:
+./bpf/tools/bpf/bpf_dbg.c:1077:13: warning: ‘cont’ may be used uninitialized in this function [-Wmaybe-uninitialized]
+ } else if (matches(subcmd, "pcap") == 0) {
+
+Fixes: fd981e3c321a "filter: bpf_dbg: add minimal bpf debugger"
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/bpf/bpf_dbg.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/tools/bpf/bpf_dbg.c
++++ b/tools/bpf/bpf_dbg.c
+@@ -1063,7 +1063,7 @@ static int cmd_load_pcap(char *file)
+
+ static int cmd_load(char *arg)
+ {
+- char *subcmd, *cont, *tmp = strdup(arg);
++ char *subcmd, *cont = NULL, *tmp = strdup(arg);
+ int ret = CMD_OK;
+
+ subcmd = strtok_r(tmp, " ", &cont);
+@@ -1073,7 +1073,10 @@ static int cmd_load(char *arg)
+ bpf_reset();
+ bpf_reset_breakpoints();
+
+- ret = cmd_load_bpf(cont);
++ if (!cont)
++ ret = CMD_ERR;
++ else
++ ret = cmd_load_bpf(cont);
+ } else if (matches(subcmd, "pcap") == 0) {
+ ret = cmd_load_pcap(cont);
+ } else {
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Fri, 4 May 2018 02:13:57 +0200
+Subject: bpf: use array_index_nospec in find_prog_type
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit d0f1a451e33d9ca834422622da30aa68daade56b ]
+
+Commit 9ef09e35e521 ("bpf: fix possible spectre-v1 in find_and_alloc_map()")
+converted find_and_alloc_map() over to use array_index_nospec() to sanitize
+map type that user space passes on map creation, and this patch does an
+analogous conversion for progs in find_prog_type() as it's also passed from
+user space when loading progs as attr->prog_type.
+
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/syscall.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -872,11 +872,17 @@ static const struct bpf_prog_ops * const
+
+ static int find_prog_type(enum bpf_prog_type type, struct bpf_prog *prog)
+ {
+- if (type >= ARRAY_SIZE(bpf_prog_types) || !bpf_prog_types[type])
++ const struct bpf_prog_ops *ops;
++
++ if (type >= ARRAY_SIZE(bpf_prog_types))
++ return -EINVAL;
++ type = array_index_nospec(type, ARRAY_SIZE(bpf_prog_types));
++ ops = bpf_prog_types[type];
++ if (!ops)
+ return -EINVAL;
+
+ if (!bpf_prog_is_dev_bound(prog->aux))
+- prog->aux->ops = bpf_prog_types[type];
++ prog->aux->ops = ops;
+ else
+ prog->aux->ops = &bpf_offload_prog_ops;
+ prog->type = type;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Gianluca Borello <g.borello@gmail.com>
+Date: Wed, 25 Apr 2018 05:42:16 +0000
+Subject: bpf, x64: fix JIT emission for dead code
+
+From: Gianluca Borello <g.borello@gmail.com>
+
+[ Upstream commit 1612a981b76688c598dc944bbfbe29a2b33e3973 ]
+
+Commit 2a5418a13fcf ("bpf: improve dead code sanitizing") replaced dead
+code with a series of ja-1 instructions, for safety. That made JIT
+compilation much more complex for some BPF programs. One instance of such
+programs is, for example:
+
+bool flag = false
+...
+/* A bunch of other code */
+...
+if (flag)
+ do_something()
+
+In some cases llvm is not able to remove at compile time the code for
+do_something(), so the generated BPF program ends up with a large amount
+of dead instructions. In one specific real life example, there are two
+series of ~500 and ~1000 dead instructions in the program. When the
+verifier replaces them with a series of ja-1 instructions, it causes an
+interesting behavior at JIT time.
+
+During the first pass, since all the instructions are estimated at 64
+bytes, the ja-1 instructions end up being translated as 5 bytes JMP
+instructions (0xE9), since the jump offsets become increasingly large (>
+127) as each instruction gets discovered to be 5 bytes instead of the
+estimated 64.
+
+Starting from the second pass, the first N instructions of the ja-1
+sequence get translated into 2 bytes JMPs (0xEB) because the jump offsets
+become <= 127 this time. In particular, N is defined as roughly 127 / (5
+- 2) ~= 42. So, each further pass will make the subsequent N JMP
+instructions shrink from 5 to 2 bytes, making the image shrink every time.
+This means that in order to have the entire program converge, there need
+to be, in the real example above, at least ~1000 / 42 ~= 24 passes just
+for translating the dead code. If we add this number to the passes needed
+to translate the other non dead code, it brings such program to 40+
+passes, and JIT doesn't complete. Ultimately the userspace loader fails
+because such BPF program was supposed to be part of a prog array owner
+being JITed.
+
+While it is certainly possible to try to refactor such programs to help
+the compiler remove dead code, the behavior is not really intuitive and it
+puts further burden on the BPF developer who is not expecting such
+behavior. To make things worse, such programs are working just fine in all
+the kernel releases prior to the ja-1 fix.
+
+A possible approach to mitigate this behavior consists into noticing that
+for ja-1 instructions we don't really need to rely on the estimated size
+of the previous and current instructions, we know that a -1 BPF jump
+offset can be safely translated into a 0xEB instruction with a jump offset
+of -2.
+
+Such fix brings the BPF program in the previous example to complete again
+in ~9 passes.
+
+Fixes: 2a5418a13fcf ("bpf: improve dead code sanitizing")
+Signed-off-by: Gianluca Borello <g.borello@gmail.com>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/net/bpf_jit_comp.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -992,7 +992,17 @@ emit_cond_jmp: /* convert BPF opcode to
+ break;
+
+ case BPF_JMP | BPF_JA:
+- jmp_offset = addrs[i + insn->off] - addrs[i];
++ if (insn->off == -1)
++ /* -1 jmp instructions will always jump
++ * backwards two bytes. Explicitly handling
++ * this case avoids wasting too many passes
++ * when there are long sequences of replaced
++ * dead code.
++ */
++ jmp_offset = -2;
++ else
++ jmp_offset = addrs[i + insn->off] - addrs[i];
++
+ if (!jmp_offset)
+ /* optimize out nop jumps */
+ break;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Wed, 2 May 2018 20:12:22 +0200
+Subject: bpf, x64: fix memleak when not converging after image
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 3aab8884c9eb99189a3569ac4e6b205371c9ac0b ]
+
+While reviewing x64 JIT code, I noticed that we leak the prior allocated
+JIT image in the case where proglen != oldproglen during the JIT passes.
+Prior to the commit e0ee9c12157d ("x86: bpf_jit: fix two bugs in eBPF JIT
+compiler") we would just break out of the loop, and using the image as the
+JITed prog since it could only shrink in size anyway. After e0ee9c12157d,
+we would bail out to out_addrs label where we free addrs and jit_data but
+not the image coming from bpf_jit_binary_alloc().
+
+Fixes: e0ee9c12157d ("x86: bpf_jit: fix two bugs in eBPF JIT compiler")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/net/bpf_jit_comp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -1201,6 +1201,7 @@ skip_init_addrs:
+ for (pass = 0; pass < 20 || image; pass++) {
+ proglen = do_jit(prog, addrs, image, oldproglen, &ctx);
+ if (proglen <= 0) {
++out_image:
+ image = NULL;
+ if (header)
+ bpf_jit_binary_free(header);
+@@ -1211,8 +1212,7 @@ skip_init_addrs:
+ if (proglen != oldproglen) {
+ pr_err("bpf_jit: proglen=%d != oldproglen=%d\n",
+ proglen, oldproglen);
+- prog = orig_prog;
+- goto out_addrs;
++ goto out_image;
+ }
+ break;
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Wed, 2 May 2018 20:12:23 +0200
+Subject: bpf, x64: fix memleak when not converging on calls
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 39f56ca945af86112753646316c4c92dcd4acd82 ]
+
+The JIT logic in jit_subprogs() is as follows: for all subprogs we
+allocate a bpf_prog_alloc(), populate it (prog->is_func = 1 here),
+and pass it to bpf_int_jit_compile(). If a failure occurred during
+JIT and prog->jited is not set, then we bail out from attempting to
+JIT the whole program, and punt to the interpreter instead. In case
+JITing went successful, we fixup BPF call offsets and do another
+pass to bpf_int_jit_compile() (extra_pass is true at that point) to
+complete JITing calls. Given that requires to pass JIT context around
+addrs and jit_data from x86 JIT are freed in the extra_pass in
+bpf_int_jit_compile() when calls are involved (if not, they can
+be freed immediately). However, if in the original pass, the JIT
+image didn't converge then we leak addrs and jit_data since image
+itself is NULL, the prog->is_func is set and extra_pass is false
+in that case, meaning both will become unreachable and are never
+cleaned up, therefore we need to free as well on !image. Only x64
+JIT is affected.
+
+Fixes: 1c2a088a6626 ("bpf: x64: add JIT support for multi-function programs")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/net/bpf_jit_comp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -1249,7 +1249,7 @@ out_image:
+ prog = orig_prog;
+ }
+
+- if (!prog->is_func || extra_pass) {
++ if (!image || !prog->is_func || extra_pass) {
+ out_addrs:
+ kfree(addrs);
+ kfree(jit_data);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Jakob Unterwurzacher <jakob.unterwurzacher@theobroma-systems.com>
+Date: Wed, 18 Apr 2018 16:10:03 +0200
+Subject: can: dev: increase bus-off message severity
+
+From: Jakob Unterwurzacher <jakob.unterwurzacher@theobroma-systems.com>
+
+[ Upstream commit 71c23a821c6bcacba71a094efe49ee689605906b ]
+
+bus-off is usually caused by hardware malfunction or configuration error
+(baud rate mismatch) and causes a complete loss of communication.
+
+Increase the "bus-off" message's severity from netdev_dbg() to
+netdev_info() to make it visible to the user.
+
+A can interface going into bus-off is similar in severity to ethernet's
+"Link is Down" message, which is also printed at info level.
+
+It is debatable whether the the "restarted" message should also be
+changed to netdev_info() to make the interface state changes
+comprehensible from the kernel log. I have chosen to keep the
+"restarted" message at dbg for now as the "bus-off" message should be
+enough for the user to notice and investigate the problem.
+
+Signed-off-by: Jakob Unterwurzacher <jakob.unterwurzacher@theobroma-systems.com>
+Cc: linux-can@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -605,7 +605,7 @@ void can_bus_off(struct net_device *dev)
+ {
+ struct can_priv *priv = netdev_priv(dev);
+
+- netdev_dbg(dev, "bus-off\n");
++ netdev_info(dev, "bus-off\n");
+
+ netif_carrier_off(dev);
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Long Li <longli@microsoft.com>
+Date: Wed, 25 Apr 2018 11:30:04 -0700
+Subject: cifs: Allocate validate negotiation request through kmalloc
+
+From: Long Li <longli@microsoft.com>
+
+[ Upstream commit 2796d303e3c5ec213c578ed3a66872205c126eb8 ]
+
+The data buffer allocated on the stack can't be DMA'ed, ib_dma_map_page will
+return an invalid DMA address for a buffer on stack. Even worse, this
+incorrect address can't be detected by ib_dma_mapping_error. Sending data
+from this address to hardware will not fail, but the remote peer will get
+junk data.
+
+Fix this by allocating the request on the heap in smb3_validate_negotiate.
+
+Changes in v2:
+Removed duplicated code on freeing buffers on function exit.
+(Thanks to Parav Pandit <parav@mellanox.com>)
+Fixed typo in the patch title.
+
+Changes in v3:
+Added "Fixes" to the patch.
+Changed several sizeof() to use *pointer in place of struct.
+
+Changes in v4:
+Added detailed comments on the failure through RDMA.
+Allocate request buffer using GPF_NOFS.
+Fixed possible memory leak.
+
+Changes in v5:
+Removed variable ret for checking return value.
+Changed to use pneg_inbuf->Dialects[0] to calculate unused space in pneg_inbuf.
+
+Fixes: ff1c038addc4 ("Check SMB3 dialects against downgrade attacks")
+Signed-off-by: Long Li <longli@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Reviewed-by: Tom Talpey <ttalpey@microsoft.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2pdu.c | 68 ++++++++++++++++++++++++++++++------------------------
+ 1 file changed, 38 insertions(+), 30 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -621,8 +621,8 @@ neg_exit:
+
+ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
+ {
+- int rc = 0;
+- struct validate_negotiate_info_req vneg_inbuf;
++ int rc;
++ struct validate_negotiate_info_req *pneg_inbuf;
+ struct validate_negotiate_info_rsp *pneg_rsp = NULL;
+ u32 rsplen;
+ u32 inbuflen; /* max of 4 dialects */
+@@ -656,63 +656,69 @@ int smb3_validate_negotiate(const unsign
+ if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_NULL)
+ cifs_dbg(VFS, "Unexpected null user (anonymous) auth flag sent by server\n");
+
+- vneg_inbuf.Capabilities =
++ pneg_inbuf = kmalloc(sizeof(*pneg_inbuf), GFP_NOFS);
++ if (!pneg_inbuf)
++ return -ENOMEM;
++
++ pneg_inbuf->Capabilities =
+ cpu_to_le32(tcon->ses->server->vals->req_capabilities);
+- memcpy(vneg_inbuf.Guid, tcon->ses->server->client_guid,
++ memcpy(pneg_inbuf->Guid, tcon->ses->server->client_guid,
+ SMB2_CLIENT_GUID_SIZE);
+
+ if (tcon->ses->sign)
+- vneg_inbuf.SecurityMode =
++ pneg_inbuf->SecurityMode =
+ cpu_to_le16(SMB2_NEGOTIATE_SIGNING_REQUIRED);
+ else if (global_secflags & CIFSSEC_MAY_SIGN)
+- vneg_inbuf.SecurityMode =
++ pneg_inbuf->SecurityMode =
+ cpu_to_le16(SMB2_NEGOTIATE_SIGNING_ENABLED);
+ else
+- vneg_inbuf.SecurityMode = 0;
++ pneg_inbuf->SecurityMode = 0;
+
+
+ if (strcmp(tcon->ses->server->vals->version_string,
+ SMB3ANY_VERSION_STRING) == 0) {
+- vneg_inbuf.Dialects[0] = cpu_to_le16(SMB30_PROT_ID);
+- vneg_inbuf.Dialects[1] = cpu_to_le16(SMB302_PROT_ID);
+- vneg_inbuf.DialectCount = cpu_to_le16(2);
++ pneg_inbuf->Dialects[0] = cpu_to_le16(SMB30_PROT_ID);
++ pneg_inbuf->Dialects[1] = cpu_to_le16(SMB302_PROT_ID);
++ pneg_inbuf->DialectCount = cpu_to_le16(2);
+ /* structure is big enough for 3 dialects, sending only 2 */
+- inbuflen = sizeof(struct validate_negotiate_info_req) - 2;
++ inbuflen = sizeof(*pneg_inbuf) -
++ sizeof(pneg_inbuf->Dialects[0]);
+ } else if (strcmp(tcon->ses->server->vals->version_string,
+ SMBDEFAULT_VERSION_STRING) == 0) {
+- vneg_inbuf.Dialects[0] = cpu_to_le16(SMB21_PROT_ID);
+- vneg_inbuf.Dialects[1] = cpu_to_le16(SMB30_PROT_ID);
+- vneg_inbuf.Dialects[2] = cpu_to_le16(SMB302_PROT_ID);
+- vneg_inbuf.DialectCount = cpu_to_le16(3);
++ pneg_inbuf->Dialects[0] = cpu_to_le16(SMB21_PROT_ID);
++ pneg_inbuf->Dialects[1] = cpu_to_le16(SMB30_PROT_ID);
++ pneg_inbuf->Dialects[2] = cpu_to_le16(SMB302_PROT_ID);
++ pneg_inbuf->DialectCount = cpu_to_le16(3);
+ /* structure is big enough for 3 dialects */
+- inbuflen = sizeof(struct validate_negotiate_info_req);
++ inbuflen = sizeof(*pneg_inbuf);
+ } else {
+ /* otherwise specific dialect was requested */
+- vneg_inbuf.Dialects[0] =
++ pneg_inbuf->Dialects[0] =
+ cpu_to_le16(tcon->ses->server->vals->protocol_id);
+- vneg_inbuf.DialectCount = cpu_to_le16(1);
++ pneg_inbuf->DialectCount = cpu_to_le16(1);
+ /* structure is big enough for 3 dialects, sending only 1 */
+- inbuflen = sizeof(struct validate_negotiate_info_req) - 4;
++ inbuflen = sizeof(*pneg_inbuf) -
++ sizeof(pneg_inbuf->Dialects[0]) * 2;
+ }
+
+ rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID,
+ FSCTL_VALIDATE_NEGOTIATE_INFO, true /* is_fsctl */,
+- (char *)&vneg_inbuf, sizeof(struct validate_negotiate_info_req),
+- (char **)&pneg_rsp, &rsplen);
++ (char *)pneg_inbuf, inbuflen, (char **)&pneg_rsp, &rsplen);
+
+ if (rc != 0) {
+ cifs_dbg(VFS, "validate protocol negotiate failed: %d\n", rc);
+- return -EIO;
++ rc = -EIO;
++ goto out_free_inbuf;
+ }
+
+- if (rsplen != sizeof(struct validate_negotiate_info_rsp)) {
++ rc = -EIO;
++ if (rsplen != sizeof(*pneg_rsp)) {
+ cifs_dbg(VFS, "invalid protocol negotiate response size: %d\n",
+ rsplen);
+
+ /* relax check since Mac returns max bufsize allowed on ioctl */
+- if ((rsplen > CIFSMaxBufSize)
+- || (rsplen < sizeof(struct validate_negotiate_info_rsp)))
+- goto err_rsp_free;
++ if (rsplen > CIFSMaxBufSize || rsplen < sizeof(*pneg_rsp))
++ goto out_free_rsp;
+ }
+
+ /* check validate negotiate info response matches what we got earlier */
+@@ -729,15 +735,17 @@ int smb3_validate_negotiate(const unsign
+ goto vneg_out;
+
+ /* validate negotiate successful */
++ rc = 0;
+ cifs_dbg(FYI, "validate negotiate info successful\n");
+- kfree(pneg_rsp);
+- return 0;
++ goto out_free_rsp;
+
+ vneg_out:
+ cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n");
+-err_rsp_free:
++out_free_rsp:
+ kfree(pneg_rsp);
+- return -EIO;
++out_free_inbuf:
++ kfree(pneg_inbuf);
++ return rc;
+ }
+
+ enum securityEnum
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Steve French <smfrench@gmail.com>
+Date: Sun, 22 Apr 2018 10:24:19 -0500
+Subject: CIFS: set *resp_buf_type to NO_BUFFER on error
+
+From: Steve French <smfrench@gmail.com>
+
+[ Upstream commit 117e3b7fed552eba96ae0b3b92312fe8c5b0bfdd ]
+
+Dan Carpenter had pointed this out a while ago, but the code around
+this had changed so wasn't causing any problems since that field
+was not used in this error path.
+
+Still, it is cleaner to always initialize this field, so changing
+the error path to set it.
+
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+CC: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/transport.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/transport.c
++++ b/fs/cifs/transport.c
+@@ -833,8 +833,11 @@ SendReceive2(const unsigned int xid, str
+ if (n_vec + 1 > CIFS_MAX_IOV_SIZE) {
+ new_iov = kmalloc(sizeof(struct kvec) * (n_vec + 1),
+ GFP_KERNEL);
+- if (!new_iov)
++ if (!new_iov) {
++ /* otherwise cifs_send_recv below sets resp_buf_type */
++ *resp_buf_type = CIFS_NO_BUFFER;
+ return -ENOMEM;
++ }
+ } else
+ new_iov = s_iov;
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Paulo Alcantara <palcantara@suse.de>
+Date: Fri, 4 May 2018 11:25:26 -0300
+Subject: cifs: smb2ops: Fix listxattr() when there are no EAs
+
+From: Paulo Alcantara <palcantara@suse.de>
+
+[ Upstream commit ae2cd7fb478b8da707906ee1706ae1379968a8f9 ]
+
+As per listxattr(2):
+
+ On success, a nonnegative number is returned indicating the size
+ of the extended attribute name list. On failure, -1 is returned
+ and errno is set appropriately.
+
+In SMB1, when the server returns an empty EA list through a listxattr(),
+it will correctly return 0 as there are no EAs for the given file.
+
+However, in SMB2+, it returns -ENODATA in listxattr() which is wrong since
+the request and response were sent successfully, although there's no actual
+EA for the given file.
+
+This patch fixes listxattr() for SMB2+ by returning 0 in cifs_listxattr()
+when the server returns an empty list of EAs.
+
+Signed-off-by: Paulo Alcantara <palcantara@suse.de>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2ops.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -589,9 +589,15 @@ smb2_query_eas(const unsigned int xid, s
+
+ SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid);
+
++ /*
++ * If ea_name is NULL (listxattr) and there are no EAs, return 0 as it's
++ * not an error. Otherwise, the specified ea_name was not found.
++ */
+ if (!rc)
+ rc = move_smb2_ea_to_cifs(ea_data, buf_size, smb2_data,
+ SMB2_MAX_EA_BUF, ea_name);
++ else if (!ea_name && rc == -ENODATA)
++ rc = 0;
+
+ kfree(smb2_data);
+ return rc;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Greg Thelen <gthelen@google.com>
+Date: Thu, 26 Apr 2018 11:19:33 -0700
+Subject: cifs: smbd: depend on INFINIBAND_ADDR_TRANS
+
+From: Greg Thelen <gthelen@google.com>
+
+[ Upstream commit 3c6b03d18df657d677808d7090b4d03bc6026efd ]
+
+CIFS_SMB_DIRECT code depends on INFINIBAND_ADDR_TRANS provided symbols.
+So declare the kconfig dependency. This is necessary to allow for
+enabling INFINIBAND without INFINIBAND_ADDR_TRANS.
+
+Signed-off-by: Greg Thelen <gthelen@google.com>
+Cc: Tarick Bedeir <tarick@google.com>
+Reviewed-by: Long Li <longli@microsoft.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/Kconfig
++++ b/fs/cifs/Kconfig
+@@ -198,7 +198,7 @@ config CIFS_SMB311
+
+ config CIFS_SMB_DIRECT
+ bool "SMB Direct support (Experimental)"
+- depends on CIFS=m && INFINIBAND || CIFS=y && INFINIBAND=y
++ depends on CIFS=m && INFINIBAND && INFINIBAND_ADDR_TRANS || CIFS=y && INFINIBAND=y && INFINIBAND_ADDR_TRANS=y
+ help
+ Enables SMB Direct experimental support for SMB 3.0, 3.02 and 3.1.1.
+ SMB Direct allows transferring SMB packets over RDMA. If unsure,
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Mon, 9 Apr 2018 15:59:20 +0200
+Subject: clk: honor CLK_MUX_ROUND_CLOSEST in generic clk mux
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit 4ad69b80e886a845f56ce0a3d10211208693d92b ]
+
+CLK_MUX_ROUND_CLOSEST is part of the clk_mux documentation but clk_mux
+directly calls __clk_mux_determine_rate(), which overrides the flag.
+As result, if clk_mux is instantiated with CLK_MUX_ROUND_CLOSEST, the
+flag will be ignored and the clock rounded down.
+
+To solve this, this patch expose clk_mux_determine_rate_flags() in the
+clk-provider API and uses it in the determine_rate() callback of clk_mux.
+
+Fixes: 15a02c1f6dd7 ("clk: Add __clk_mux_determine_rate_closest")
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/clk-mux.c | 10 +++++++++-
+ drivers/clk/clk.c | 7 ++++---
+ include/linux/clk-provider.h | 3 +++
+ 3 files changed, 16 insertions(+), 4 deletions(-)
+
+--- a/drivers/clk/clk-mux.c
++++ b/drivers/clk/clk-mux.c
+@@ -101,10 +101,18 @@ static int clk_mux_set_parent(struct clk
+ return 0;
+ }
+
++static int clk_mux_determine_rate(struct clk_hw *hw,
++ struct clk_rate_request *req)
++{
++ struct clk_mux *mux = to_clk_mux(hw);
++
++ return clk_mux_determine_rate_flags(hw, req, mux->flags);
++}
++
+ const struct clk_ops clk_mux_ops = {
+ .get_parent = clk_mux_get_parent,
+ .set_parent = clk_mux_set_parent,
+- .determine_rate = __clk_mux_determine_rate,
++ .determine_rate = clk_mux_determine_rate,
+ };
+ EXPORT_SYMBOL_GPL(clk_mux_ops);
+
+--- a/drivers/clk/clk.c
++++ b/drivers/clk/clk.c
+@@ -426,9 +426,9 @@ static bool mux_is_better_rate(unsigned
+ return now <= rate && now > best;
+ }
+
+-static int
+-clk_mux_determine_rate_flags(struct clk_hw *hw, struct clk_rate_request *req,
+- unsigned long flags)
++int clk_mux_determine_rate_flags(struct clk_hw *hw,
++ struct clk_rate_request *req,
++ unsigned long flags)
+ {
+ struct clk_core *core = hw->core, *parent, *best_parent = NULL;
+ int i, num_parents, ret;
+@@ -488,6 +488,7 @@ out:
+
+ return 0;
+ }
++EXPORT_SYMBOL_GPL(clk_mux_determine_rate_flags);
+
+ struct clk *__clk_lookup(const char *name)
+ {
+--- a/include/linux/clk-provider.h
++++ b/include/linux/clk-provider.h
+@@ -755,6 +755,9 @@ int __clk_mux_determine_rate(struct clk_
+ int __clk_determine_rate(struct clk_hw *core, struct clk_rate_request *req);
+ int __clk_mux_determine_rate_closest(struct clk_hw *hw,
+ struct clk_rate_request *req);
++int clk_mux_determine_rate_flags(struct clk_hw *hw,
++ struct clk_rate_request *req,
++ unsigned long flags);
+ void clk_hw_reparent(struct clk_hw *hw, struct clk_hw *new_parent);
+ void clk_hw_set_rate_range(struct clk_hw *hw, unsigned long min_rate,
+ unsigned long max_rate);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Stefan Agner <stefan@agner.ch>
+Date: Wed, 18 Apr 2018 14:49:08 +0200
+Subject: clk: imx6ull: use OSC clock during AXI rate change
+
+From: Stefan Agner <stefan@agner.ch>
+
+[ Upstream commit 2e5be528ab0182ad4b42b9feea3b80f85f37179b ]
+
+On i.MX6 ULL using PLL3 seems to cause a freeze when setting
+the parent to IMX6UL_CLK_PLL3_USB_OTG. This only seems to appear
+since commit 6f9575e55632 ("clk: imx: Add CLK_IS_CRITICAL flag
+for busy divider and busy mux"), probably because the clock is
+now forced to be on.
+
+Fixes: 6f9575e55632("clk: imx: Add CLK_IS_CRITICAL flag for busy divider and busy mux")
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/imx/clk-imx6ul.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/imx/clk-imx6ul.c
++++ b/drivers/clk/imx/clk-imx6ul.c
+@@ -461,7 +461,7 @@ static void __init imx6ul_clocks_init(st
+ clk_set_rate(clks[IMX6UL_CLK_AHB], 99000000);
+
+ /* Change periph_pre clock to pll2_bus to adjust AXI rate to 264MHz */
+- clk_set_parent(clks[IMX6UL_CLK_PERIPH_CLK2_SEL], clks[IMX6UL_CLK_PLL3_USB_OTG]);
++ clk_set_parent(clks[IMX6UL_CLK_PERIPH_CLK2_SEL], clks[IMX6UL_CLK_OSC]);
+ clk_set_parent(clks[IMX6UL_CLK_PERIPH], clks[IMX6UL_CLK_PERIPH_CLK2]);
+ clk_set_parent(clks[IMX6UL_CLK_PERIPH_PRE], clks[IMX6UL_CLK_PLL2_BUS]);
+ clk_set_parent(clks[IMX6UL_CLK_PERIPH], clks[IMX6UL_CLK_PERIPH_PRE]);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Anson Huang <Anson.Huang@nxp.com>
+Date: Wed, 28 Mar 2018 11:22:37 +0800
+Subject: clocksource/drivers/imx-tpm: Correct some registers operation flow
+
+From: Anson Huang <Anson.Huang@nxp.com>
+
+[ Upstream commit 506a7be93ff773d5d4cf75a59f342865605b4910 ]
+
+According to i.MX7ULP reference manual, TPM_SC_CPWMS can ONLY be written when
+counter is disabled, TPM_SC_TOF is write-1-clear, TPM_C0SC_CHF is also
+write-1-clear, correct these registers initialization flow;
+
+Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clocksource/timer-imx-tpm.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/clocksource/timer-imx-tpm.c
++++ b/drivers/clocksource/timer-imx-tpm.c
+@@ -20,6 +20,7 @@
+ #define TPM_SC 0x10
+ #define TPM_SC_CMOD_INC_PER_CNT (0x1 << 3)
+ #define TPM_SC_CMOD_DIV_DEFAULT 0x3
++#define TPM_SC_TOF_MASK (0x1 << 7)
+ #define TPM_CNT 0x14
+ #define TPM_MOD 0x18
+ #define TPM_STATUS 0x1c
+@@ -29,6 +30,7 @@
+ #define TPM_C0SC_MODE_SHIFT 2
+ #define TPM_C0SC_MODE_MASK 0x3c
+ #define TPM_C0SC_MODE_SW_COMPARE 0x4
++#define TPM_C0SC_CHF_MASK (0x1 << 7)
+ #define TPM_C0V 0x24
+
+ static void __iomem *timer_base;
+@@ -205,9 +207,13 @@ static int __init tpm_timer_init(struct
+ * 4) Channel0 disabled
+ * 5) DMA transfers disabled
+ */
++ /* make sure counter is disabled */
+ writel(0, timer_base + TPM_SC);
++ /* TOF is W1C */
++ writel(TPM_SC_TOF_MASK, timer_base + TPM_SC);
+ writel(0, timer_base + TPM_CNT);
+- writel(0, timer_base + TPM_C0SC);
++ /* CHF is W1C */
++ writel(TPM_C0SC_CHF_MASK, timer_base + TPM_C0SC);
+
+ /* increase per cnt, div 8 by default */
+ writel(TPM_SC_CMOD_INC_PER_CNT | TPM_SC_CMOD_DIV_DEFAULT,
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Markus Mayer <mmayer@broadcom.com>
+Date: Wed, 18 Apr 2018 08:56:42 -0700
+Subject: cpufreq: brcmstb-avs-cpufreq: remove development debug support
+
+From: Markus Mayer <mmayer@broadcom.com>
+
+[ Upstream commit ee53a65dc766384aaf1a26e3c43dd13456170b69 ]
+
+This debug code was helpful while developing the driver, but it isn't
+being used for anything anymore.
+
+Signed-off-by: Markus Mayer <mmayer@broadcom.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/Kconfig.arm | 10 -
+ drivers/cpufreq/brcmstb-avs-cpufreq.c | 323 ----------------------------------
+ 2 files changed, 1 insertion(+), 332 deletions(-)
+
+--- a/drivers/cpufreq/Kconfig.arm
++++ b/drivers/cpufreq/Kconfig.arm
+@@ -70,16 +70,6 @@ config ARM_BRCMSTB_AVS_CPUFREQ
+
+ Say Y, if you have a Broadcom SoC with AVS support for DFS or DVFS.
+
+-config ARM_BRCMSTB_AVS_CPUFREQ_DEBUG
+- bool "Broadcom STB AVS CPUfreq driver sysfs debug capability"
+- depends on ARM_BRCMSTB_AVS_CPUFREQ
+- help
+- Enabling this option turns on debug support via sysfs under
+- /sys/kernel/debug/brcmstb-avs-cpufreq. It is possible to read all and
+- write some AVS mailbox registers through sysfs entries.
+-
+- If in doubt, say N.
+-
+ config ARM_EXYNOS5440_CPUFREQ
+ tristate "SAMSUNG EXYNOS5440"
+ depends on SOC_EXYNOS5440
+--- a/drivers/cpufreq/brcmstb-avs-cpufreq.c
++++ b/drivers/cpufreq/brcmstb-avs-cpufreq.c
+@@ -49,13 +49,6 @@
+ #include <linux/platform_device.h>
+ #include <linux/semaphore.h>
+
+-#ifdef CONFIG_ARM_BRCMSTB_AVS_CPUFREQ_DEBUG
+-#include <linux/ctype.h>
+-#include <linux/debugfs.h>
+-#include <linux/slab.h>
+-#include <linux/uaccess.h>
+-#endif
+-
+ /* Max number of arguments AVS calls take */
+ #define AVS_MAX_CMD_ARGS 4
+ /*
+@@ -182,88 +175,11 @@ struct private_data {
+ void __iomem *base;
+ void __iomem *avs_intr_base;
+ struct device *dev;
+-#ifdef CONFIG_ARM_BRCMSTB_AVS_CPUFREQ_DEBUG
+- struct dentry *debugfs;
+-#endif
+ struct completion done;
+ struct semaphore sem;
+ struct pmap pmap;
+ };
+
+-#ifdef CONFIG_ARM_BRCMSTB_AVS_CPUFREQ_DEBUG
+-
+-enum debugfs_format {
+- DEBUGFS_NORMAL,
+- DEBUGFS_FLOAT,
+- DEBUGFS_REV,
+-};
+-
+-struct debugfs_data {
+- struct debugfs_entry *entry;
+- struct private_data *priv;
+-};
+-
+-struct debugfs_entry {
+- char *name;
+- u32 offset;
+- fmode_t mode;
+- enum debugfs_format format;
+-};
+-
+-#define DEBUGFS_ENTRY(name, mode, format) { \
+- #name, AVS_MBOX_##name, mode, format \
+-}
+-
+-/*
+- * These are used for debugfs only. Otherwise we use AVS_MBOX_PARAM() directly.
+- */
+-#define AVS_MBOX_PARAM1 AVS_MBOX_PARAM(0)
+-#define AVS_MBOX_PARAM2 AVS_MBOX_PARAM(1)
+-#define AVS_MBOX_PARAM3 AVS_MBOX_PARAM(2)
+-#define AVS_MBOX_PARAM4 AVS_MBOX_PARAM(3)
+-
+-/*
+- * This table stores the name, access permissions and offset for each hardware
+- * register and is used to generate debugfs entries.
+- */
+-static struct debugfs_entry debugfs_entries[] = {
+- DEBUGFS_ENTRY(COMMAND, S_IWUSR, DEBUGFS_NORMAL),
+- DEBUGFS_ENTRY(STATUS, S_IWUSR, DEBUGFS_NORMAL),
+- DEBUGFS_ENTRY(VOLTAGE0, 0, DEBUGFS_FLOAT),
+- DEBUGFS_ENTRY(TEMP0, 0, DEBUGFS_FLOAT),
+- DEBUGFS_ENTRY(PV0, 0, DEBUGFS_FLOAT),
+- DEBUGFS_ENTRY(MV0, 0, DEBUGFS_FLOAT),
+- DEBUGFS_ENTRY(PARAM1, S_IWUSR, DEBUGFS_NORMAL),
+- DEBUGFS_ENTRY(PARAM2, S_IWUSR, DEBUGFS_NORMAL),
+- DEBUGFS_ENTRY(PARAM3, S_IWUSR, DEBUGFS_NORMAL),
+- DEBUGFS_ENTRY(PARAM4, S_IWUSR, DEBUGFS_NORMAL),
+- DEBUGFS_ENTRY(REVISION, 0, DEBUGFS_REV),
+- DEBUGFS_ENTRY(PSTATE, 0, DEBUGFS_NORMAL),
+- DEBUGFS_ENTRY(HEARTBEAT, 0, DEBUGFS_NORMAL),
+- DEBUGFS_ENTRY(MAGIC, S_IWUSR, DEBUGFS_NORMAL),
+- DEBUGFS_ENTRY(SIGMA_HVT, 0, DEBUGFS_NORMAL),
+- DEBUGFS_ENTRY(SIGMA_SVT, 0, DEBUGFS_NORMAL),
+- DEBUGFS_ENTRY(VOLTAGE1, 0, DEBUGFS_FLOAT),
+- DEBUGFS_ENTRY(TEMP1, 0, DEBUGFS_FLOAT),
+- DEBUGFS_ENTRY(PV1, 0, DEBUGFS_FLOAT),
+- DEBUGFS_ENTRY(MV1, 0, DEBUGFS_FLOAT),
+- DEBUGFS_ENTRY(FREQUENCY, 0, DEBUGFS_NORMAL),
+-};
+-
+-static int brcm_avs_target_index(struct cpufreq_policy *, unsigned int);
+-
+-static char *__strtolower(char *s)
+-{
+- char *p;
+-
+- for (p = s; *p; p++)
+- *p = tolower(*p);
+-
+- return s;
+-}
+-
+-#endif /* CONFIG_ARM_BRCMSTB_AVS_CPUFREQ_DEBUG */
+-
+ static void __iomem *__map_region(const char *name)
+ {
+ struct device_node *np;
+@@ -516,238 +432,6 @@ brcm_avs_get_freq_table(struct device *d
+ return table;
+ }
+
+-#ifdef CONFIG_ARM_BRCMSTB_AVS_CPUFREQ_DEBUG
+-
+-#define MANT(x) (unsigned int)(abs((x)) / 1000)
+-#define FRAC(x) (unsigned int)(abs((x)) - abs((x)) / 1000 * 1000)
+-
+-static int brcm_avs_debug_show(struct seq_file *s, void *data)
+-{
+- struct debugfs_data *dbgfs = s->private;
+- void __iomem *base;
+- u32 val, offset;
+-
+- if (!dbgfs) {
+- seq_puts(s, "No device pointer\n");
+- return 0;
+- }
+-
+- base = dbgfs->priv->base;
+- offset = dbgfs->entry->offset;
+- val = readl(base + offset);
+- switch (dbgfs->entry->format) {
+- case DEBUGFS_NORMAL:
+- seq_printf(s, "%u\n", val);
+- break;
+- case DEBUGFS_FLOAT:
+- seq_printf(s, "%d.%03d\n", MANT(val), FRAC(val));
+- break;
+- case DEBUGFS_REV:
+- seq_printf(s, "%c.%c.%c.%c\n", (val >> 24 & 0xff),
+- (val >> 16 & 0xff), (val >> 8 & 0xff),
+- val & 0xff);
+- break;
+- }
+- seq_printf(s, "0x%08x\n", val);
+-
+- return 0;
+-}
+-
+-#undef MANT
+-#undef FRAC
+-
+-static ssize_t brcm_avs_seq_write(struct file *file, const char __user *buf,
+- size_t size, loff_t *ppos)
+-{
+- struct seq_file *s = file->private_data;
+- struct debugfs_data *dbgfs = s->private;
+- struct private_data *priv = dbgfs->priv;
+- void __iomem *base, *avs_intr_base;
+- bool use_issue_command = false;
+- unsigned long val, offset;
+- char str[128];
+- int ret;
+- char *str_ptr = str;
+-
+- if (size >= sizeof(str))
+- return -E2BIG;
+-
+- memset(str, 0, sizeof(str));
+- ret = copy_from_user(str, buf, size);
+- if (ret)
+- return ret;
+-
+- base = priv->base;
+- avs_intr_base = priv->avs_intr_base;
+- offset = dbgfs->entry->offset;
+- /*
+- * Special case writing to "command" entry only: if the string starts
+- * with a 'c', we use the driver's __issue_avs_command() function.
+- * Otherwise, we perform a raw write. This should allow testing of raw
+- * access as well as using the higher level function. (Raw access
+- * doesn't clear the firmware return status after issuing the command.)
+- */
+- if (str_ptr[0] == 'c' && offset == AVS_MBOX_COMMAND) {
+- use_issue_command = true;
+- str_ptr++;
+- }
+- if (kstrtoul(str_ptr, 0, &val) != 0)
+- return -EINVAL;
+-
+- /*
+- * Setting the P-state is a special case. We need to update the CPU
+- * frequency we report.
+- */
+- if (val == AVS_CMD_SET_PSTATE) {
+- struct cpufreq_policy *policy;
+- unsigned int pstate;
+-
+- policy = cpufreq_cpu_get(smp_processor_id());
+- /* Read back the P-state we are about to set */
+- pstate = readl(base + AVS_MBOX_PARAM(0));
+- if (use_issue_command) {
+- ret = brcm_avs_target_index(policy, pstate);
+- return ret ? ret : size;
+- }
+- policy->cur = policy->freq_table[pstate].frequency;
+- }
+-
+- if (use_issue_command) {
+- ret = __issue_avs_command(priv, val, false, NULL);
+- } else {
+- /* Locking here is not perfect, but is only for debug. */
+- ret = down_interruptible(&priv->sem);
+- if (ret)
+- return ret;
+-
+- writel(val, base + offset);
+- /* We have to wake up the firmware to process a command. */
+- if (offset == AVS_MBOX_COMMAND)
+- writel(AVS_CPU_L2_INT_MASK,
+- avs_intr_base + AVS_CPU_L2_SET0);
+- up(&priv->sem);
+- }
+-
+- return ret ? ret : size;
+-}
+-
+-static struct debugfs_entry *__find_debugfs_entry(const char *name)
+-{
+- int i;
+-
+- for (i = 0; i < ARRAY_SIZE(debugfs_entries); i++)
+- if (strcasecmp(debugfs_entries[i].name, name) == 0)
+- return &debugfs_entries[i];
+-
+- return NULL;
+-}
+-
+-static int brcm_avs_debug_open(struct inode *inode, struct file *file)
+-{
+- struct debugfs_data *data;
+- fmode_t fmode;
+- int ret;
+-
+- /*
+- * seq_open(), which is called by single_open(), clears "write" access.
+- * We need write access to some files, so we preserve our access mode
+- * and restore it.
+- */
+- fmode = file->f_mode;
+- /*
+- * Check access permissions even for root. We don't want to be writing
+- * to read-only registers. Access for regular users has already been
+- * checked by the VFS layer.
+- */
+- if ((fmode & FMODE_WRITER) && !(inode->i_mode & S_IWUSR))
+- return -EACCES;
+-
+- data = kmalloc(sizeof(*data), GFP_KERNEL);
+- if (!data)
+- return -ENOMEM;
+- /*
+- * We use the same file system operations for all our debug files. To
+- * produce specific output, we look up the file name upon opening a
+- * debugfs entry and map it to a memory offset. This offset is then used
+- * in the generic "show" function to read a specific register.
+- */
+- data->entry = __find_debugfs_entry(file->f_path.dentry->d_iname);
+- data->priv = inode->i_private;
+-
+- ret = single_open(file, brcm_avs_debug_show, data);
+- if (ret)
+- kfree(data);
+- file->f_mode = fmode;
+-
+- return ret;
+-}
+-
+-static int brcm_avs_debug_release(struct inode *inode, struct file *file)
+-{
+- struct seq_file *seq_priv = file->private_data;
+- struct debugfs_data *data = seq_priv->private;
+-
+- kfree(data);
+- return single_release(inode, file);
+-}
+-
+-static const struct file_operations brcm_avs_debug_ops = {
+- .open = brcm_avs_debug_open,
+- .read = seq_read,
+- .write = brcm_avs_seq_write,
+- .llseek = seq_lseek,
+- .release = brcm_avs_debug_release,
+-};
+-
+-static void brcm_avs_cpufreq_debug_init(struct platform_device *pdev)
+-{
+- struct private_data *priv = platform_get_drvdata(pdev);
+- struct dentry *dir;
+- int i;
+-
+- if (!priv)
+- return;
+-
+- dir = debugfs_create_dir(BRCM_AVS_CPUFREQ_NAME, NULL);
+- if (IS_ERR_OR_NULL(dir))
+- return;
+- priv->debugfs = dir;
+-
+- for (i = 0; i < ARRAY_SIZE(debugfs_entries); i++) {
+- /*
+- * The DEBUGFS_ENTRY macro generates uppercase strings. We
+- * convert them to lowercase before creating the debugfs
+- * entries.
+- */
+- char *entry = __strtolower(debugfs_entries[i].name);
+- fmode_t mode = debugfs_entries[i].mode;
+-
+- if (!debugfs_create_file(entry, S_IFREG | S_IRUGO | mode,
+- dir, priv, &brcm_avs_debug_ops)) {
+- priv->debugfs = NULL;
+- debugfs_remove_recursive(dir);
+- break;
+- }
+- }
+-}
+-
+-static void brcm_avs_cpufreq_debug_exit(struct platform_device *pdev)
+-{
+- struct private_data *priv = platform_get_drvdata(pdev);
+-
+- if (priv && priv->debugfs) {
+- debugfs_remove_recursive(priv->debugfs);
+- priv->debugfs = NULL;
+- }
+-}
+-
+-#else
+-
+-static void brcm_avs_cpufreq_debug_init(struct platform_device *pdev) {}
+-static void brcm_avs_cpufreq_debug_exit(struct platform_device *pdev) {}
+-
+-#endif /* CONFIG_ARM_BRCMSTB_AVS_CPUFREQ_DEBUG */
+-
+ /*
+ * To ensure the right firmware is running we need to
+ * - check the MAGIC matches what we expect
+@@ -1020,11 +704,8 @@ static int brcm_avs_cpufreq_probe(struct
+ return ret;
+
+ brcm_avs_driver.driver_data = pdev;
+- ret = cpufreq_register_driver(&brcm_avs_driver);
+- if (!ret)
+- brcm_avs_cpufreq_debug_init(pdev);
+
+- return ret;
++ return cpufreq_register_driver(&brcm_avs_driver);
+ }
+
+ static int brcm_avs_cpufreq_remove(struct platform_device *pdev)
+@@ -1036,8 +717,6 @@ static int brcm_avs_cpufreq_remove(struc
+ if (ret)
+ return ret;
+
+- brcm_avs_cpufreq_debug_exit(pdev);
+-
+ priv = platform_get_drvdata(pdev);
+ iounmap(priv->base);
+ iounmap(priv->avs_intr_base);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Ganesh Goudar <ganeshgr@chelsio.com>
+Date: Wed, 9 May 2018 19:00:35 +0530
+Subject: cxgb4: copy mbox log size to PF0-3 adap instances
+
+From: Ganesh Goudar <ganeshgr@chelsio.com>
+
+[ Upstream commit aca06eafd09f48ca4d97f3c0b2a12c8d631116f0 ]
+
+copy mbox size to adapter instances of PF0-3 to avoid
+mbox log overflow. This fixes the possible protection
+fault.
+
+Fixes: baf5086840ab ("cxgb4: restructure VF mgmt code")
+Signed-off-by: Casey Leedom <leedom@chelsio.com>
+Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+@@ -5191,6 +5191,7 @@ static int init_one(struct pci_dev *pdev
+ }
+ spin_lock_init(&adapter->mbox_lock);
+ INIT_LIST_HEAD(&adapter->mlist.list);
++ adapter->mbox_log->size = T4_OS_LOG_MBOX_CMDS;
+ pci_set_drvdata(pdev, adapter);
+
+ if (func != ent->driver_data) {
+@@ -5225,8 +5226,6 @@ static int init_one(struct pci_dev *pdev
+ goto out_free_adapter;
+ }
+
+- adapter->mbox_log->size = T4_OS_LOG_MBOX_CMDS;
+-
+ /* PCI device has been enabled */
+ adapter->flags |= DEV_ENABLED;
+ memset(adapter->chan_map, 0xff, sizeof(adapter->chan_map));
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Lukasz Majewski <lukma@denx.de>
+Date: Wed, 4 Apr 2018 09:52:04 +0200
+Subject: doc: Add vendor prefix for Kieback & Peter GmbH
+
+From: Lukasz Majewski <lukma@denx.de>
+
+[ Upstream commit 99bf8f27f3f94d2a37291354b8dc83f13728f75f ]
+
+The 'kiebackpeter' entry has been added to vendor-prefixes.txt to indicate
+products from Kieback & Peter GmbH.
+
+Signed-off-by: Lukasz Majewski <lukma@denx.de>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/vendor-prefixes.txt | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/Documentation/devicetree/bindings/vendor-prefixes.txt
++++ b/Documentation/devicetree/bindings/vendor-prefixes.txt
+@@ -181,6 +181,7 @@ karo Ka-Ro electronics GmbH
+ keithkoep Keith & Koep GmbH
+ keymile Keymile GmbH
+ khadas Khadas
++kiebackpeter Kieback & Peter GmbH
+ kinetic Kinetic Technologies
+ kingnovel Kingnovel Technology Co., Ltd.
+ kosagi Sutajio Ko-Usagi PTE Ltd.
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Mathieu Malaterre <malat@debian.org>
+Date: Sat, 5 May 2018 22:00:37 +0200
+Subject: driver core: add __printf verification to __ata_ehi_pushv_desc
+
+From: Mathieu Malaterre <malat@debian.org>
+
+[ Upstream commit 0d74d872c3f8b9cb3d096fb932a063b43b37f188 ]
+
+__printf is useful to verify format and arguments. Remove the following
+warning (with W=1):
+
+ drivers/ata/libata-eh.c:183:10: warning: function might be possible candidate for ‘gnu_printf’ format attribute [-Wsuggest-attribute=format]
+
+Signed-off-by: Mathieu Malaterre <malat@debian.org>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-eh.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -175,8 +175,8 @@ static void ata_eh_handle_port_resume(st
+ { }
+ #endif /* CONFIG_PM */
+
+-static void __ata_ehi_pushv_desc(struct ata_eh_info *ehi, const char *fmt,
+- va_list args)
++static __printf(2, 0) void __ata_ehi_pushv_desc(struct ata_eh_info *ehi,
++ const char *fmt, va_list args)
+ {
+ ehi->desc_len += vscnprintf(ehi->desc + ehi->desc_len,
+ ATA_EH_DESC_LEN - ehi->desc_len,
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+Date: Mon, 30 Apr 2018 10:04:42 -0400
+Subject: drm/amdgpu: Switch to interruptable wait to recover from ring hang.
+
+From: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+
+[ Upstream commit e6a5b9f9aee145c2f2c24431d84edfbb0d49eea5 ]
+
+v2:
+Use dma_fence_wait instead of dma_fence_wait_timeout(...,MAX_SCHEDULE_TIMEOUT)
+Avoid printing error message for ERESTARTSYS
+
+Originally-by: David Panariti <David.Panariti@amd.com>
+Signed-off-by: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c
+@@ -419,9 +419,11 @@ int amdgpu_ctx_wait_prev_fence(struct am
+
+ if (other) {
+ signed long r;
+- r = dma_fence_wait_timeout(other, false, MAX_SCHEDULE_TIMEOUT);
++ r = dma_fence_wait(other, true);
+ if (r < 0) {
+- DRM_ERROR("Error (%ld) waiting for fence!\n", r);
++ if (r != -ERESTARTSYS)
++ DRM_ERROR("Error (%ld) waiting for fence!\n", r);
++
+ return r;
+ }
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Andres Rodriguez <andres.rodriguez@amd.com>
+Date: Tue, 10 Apr 2018 17:32:33 -0400
+Subject: drm/amdkfd: fix clock counter retrieval for node without GPU
+
+From: Andres Rodriguez <andres.rodriguez@amd.com>
+
+[ Upstream commit 1cf6cc74bbeb85bb87c3ca3f3df97a283c3aa737 ]
+
+Currently if a user requests clock counters for a node without a GPU
+resource we will always return EINVAL.
+
+Instead if no GPU resource is attached, fill the gpu_clock_counter
+argument with zeroes so that we may proceed and return valid CPU
+counters.
+
+Signed-off-by: Andres Rodriguez <andres.rodriguez@amd.com>
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Reviewed-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+@@ -748,12 +748,13 @@ static int kfd_ioctl_get_clock_counters(
+ struct timespec64 time;
+
+ dev = kfd_device_by_id(args->gpu_id);
+- if (dev == NULL)
+- return -EINVAL;
+-
+- /* Reading GPU clock counter from KGD */
+- args->gpu_clock_counter =
+- dev->kfd2kgd->get_gpu_clock_counter(dev->kgd);
++ if (dev)
++ /* Reading GPU clock counter from KGD */
++ args->gpu_clock_counter =
++ dev->kfd2kgd->get_gpu_clock_counter(dev->kgd);
++ else
++ /* Node without GPU resource */
++ args->gpu_clock_counter = 0;
+
+ /* No access to rdtsc. Using raw monotonic time */
+ getrawmonotonic64(&time);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 16 May 2018 17:00:26 +0300
+Subject: drm/dumb-buffers: Integer overflow in drm_mode_create_ioctl()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 2b6207291b7b277a5df9d1aab44b56815a292dba ]
+
+There is a comment here which says that DIV_ROUND_UP() and that's where
+the problem comes from. Say you pick:
+
+ args->bpp = UINT_MAX - 7;
+ args->width = 4;
+ args->height = 1;
+
+The integer overflow in DIV_ROUND_UP() means "cpp" is UINT_MAX / 8 and
+because of how we picked args->width that means cpp < UINT_MAX / 4.
+
+I've fixed it by preventing the integer overflow in DIV_ROUND_UP(). I
+removed the check for !cpp because it's not possible after this change.
+I also changed all the 0xffffffffU references to U32_MAX.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180516140026.GA19340@mwanda
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_dumb_buffers.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/drm_dumb_buffers.c
++++ b/drivers/gpu/drm/drm_dumb_buffers.c
+@@ -65,12 +65,13 @@ int drm_mode_create_dumb_ioctl(struct dr
+ return -EINVAL;
+
+ /* overflow checks for 32bit size calculations */
+- /* NOTE: DIV_ROUND_UP() can overflow */
++ if (args->bpp > U32_MAX - 8)
++ return -EINVAL;
+ cpp = DIV_ROUND_UP(args->bpp, 8);
+- if (!cpp || cpp > 0xffffffffU / args->width)
++ if (cpp > U32_MAX / args->width)
+ return -EINVAL;
+ stride = cpp * args->width;
+- if (args->height > 0xffffffffU / stride)
++ if (args->height > U32_MAX / stride)
+ return -EINVAL;
+
+ /* test for wrap-around */
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Tobias Jakobi <tjakobi@math.uni-bielefeld.de>
+Date: Fri, 2 Feb 2018 16:11:23 +0100
+Subject: drm/exynos: mixer: avoid Oops in vp_video_buffer()
+
+From: Tobias Jakobi <tjakobi@math.uni-bielefeld.de>
+
+[ Upstream commit 0ccc1c8f0282e237a0bd6dca7cdac4ed5e318ee7 ]
+
+If an interlaced video mode is selected, a IOMMU pagefault is
+triggered by vp_video_buffer().
+
+Fix the most apparent bugs:
+- pitch value for chroma plane
+- divide by two of height and vpos of source and destination
+
+Signed-off-by: Tobias Jakobi <tjakobi@math.uni-bielefeld.de>
+[ a.hajda: Halved also destination height and vpos, updated commit message ]
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/exynos/exynos_mixer.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/exynos/exynos_mixer.c
++++ b/drivers/gpu/drm/exynos/exynos_mixer.c
+@@ -485,7 +485,7 @@ static void vp_video_buffer(struct mixer
+ chroma_addr[1] = chroma_addr[0] + 0x40;
+ } else {
+ luma_addr[1] = luma_addr[0] + fb->pitches[0];
+- chroma_addr[1] = chroma_addr[0] + fb->pitches[0];
++ chroma_addr[1] = chroma_addr[0] + fb->pitches[1];
+ }
+ } else {
+ luma_addr[1] = 0;
+@@ -508,21 +508,23 @@ static void vp_video_buffer(struct mixer
+ vp_reg_write(ctx, VP_IMG_SIZE_Y, VP_IMG_HSIZE(fb->pitches[0]) |
+ VP_IMG_VSIZE(fb->height));
+ /* chroma plane for NV12/NV21 is half the height of the luma plane */
+- vp_reg_write(ctx, VP_IMG_SIZE_C, VP_IMG_HSIZE(fb->pitches[0]) |
++ vp_reg_write(ctx, VP_IMG_SIZE_C, VP_IMG_HSIZE(fb->pitches[1]) |
+ VP_IMG_VSIZE(fb->height / 2));
+
+ vp_reg_write(ctx, VP_SRC_WIDTH, state->src.w);
+- vp_reg_write(ctx, VP_SRC_HEIGHT, state->src.h);
+ vp_reg_write(ctx, VP_SRC_H_POSITION,
+ VP_SRC_H_POSITION_VAL(state->src.x));
+- vp_reg_write(ctx, VP_SRC_V_POSITION, state->src.y);
+-
+ vp_reg_write(ctx, VP_DST_WIDTH, state->crtc.w);
+ vp_reg_write(ctx, VP_DST_H_POSITION, state->crtc.x);
++
+ if (test_bit(MXR_BIT_INTERLACE, &ctx->flags)) {
++ vp_reg_write(ctx, VP_SRC_HEIGHT, state->src.h / 2);
++ vp_reg_write(ctx, VP_SRC_V_POSITION, state->src.y / 2);
+ vp_reg_write(ctx, VP_DST_HEIGHT, state->crtc.h / 2);
+ vp_reg_write(ctx, VP_DST_V_POSITION, state->crtc.y / 2);
+ } else {
++ vp_reg_write(ctx, VP_SRC_HEIGHT, state->src.h);
++ vp_reg_write(ctx, VP_SRC_V_POSITION, state->src.y);
+ vp_reg_write(ctx, VP_DST_HEIGHT, state->crtc.h);
+ vp_reg_write(ctx, VP_DST_V_POSITION, state->crtc.y);
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Andrzej Hajda <a.hajda@samsung.com>
+Date: Fri, 2 Feb 2018 16:11:22 +0100
+Subject: drm/exynos/mixer: fix synchronization check in interlaced mode
+
+From: Andrzej Hajda <a.hajda@samsung.com>
+
+[ Upstream commit 2eced8e917b060587fc8ed46df41c364957a5050 ]
+
+In case of interlace mode video processor registers and mixer config
+register must be check to ensure internal state is in sync with shadow
+registers.
+This patch fixes page-faults in interlaced mode.
+
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/exynos/exynos_mixer.c | 10 ++++++++++
+ drivers/gpu/drm/exynos/regs-mixer.h | 1 +
+ 2 files changed, 11 insertions(+)
+
+--- a/drivers/gpu/drm/exynos/exynos_mixer.c
++++ b/drivers/gpu/drm/exynos/exynos_mixer.c
+@@ -494,6 +494,7 @@ static void vp_video_buffer(struct mixer
+
+ spin_lock_irqsave(&ctx->reg_slock, flags);
+
++ vp_reg_write(ctx, VP_SHADOW_UPDATE, 1);
+ /* interlace or progressive scan mode */
+ val = (test_bit(MXR_BIT_INTERLACE, &ctx->flags) ? ~0 : 0);
+ vp_reg_writemask(ctx, VP_MODE, val, VP_MODE_LINE_SKIP);
+@@ -711,6 +712,15 @@ static irqreturn_t mixer_irq_handler(int
+
+ /* interlace scan need to check shadow register */
+ if (test_bit(MXR_BIT_INTERLACE, &ctx->flags)) {
++ if (test_bit(MXR_BIT_VP_ENABLED, &ctx->flags) &&
++ vp_reg_read(ctx, VP_SHADOW_UPDATE))
++ goto out;
++
++ base = mixer_reg_read(ctx, MXR_CFG);
++ shadow = mixer_reg_read(ctx, MXR_CFG_S);
++ if (base != shadow)
++ goto out;
++
+ base = mixer_reg_read(ctx, MXR_GRAPHIC_BASE(0));
+ shadow = mixer_reg_read(ctx, MXR_GRAPHIC_BASE_S(0));
+ if (base != shadow)
+--- a/drivers/gpu/drm/exynos/regs-mixer.h
++++ b/drivers/gpu/drm/exynos/regs-mixer.h
+@@ -47,6 +47,7 @@
+ #define MXR_MO 0x0304
+ #define MXR_RESOLUTION 0x0310
+
++#define MXR_CFG_S 0x2004
+ #define MXR_GRAPHIC0_BASE_S 0x2024
+ #define MXR_GRAPHIC1_BASE_S 0x2044
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Emil Velikov <emil.velikov@collabora.com>
+Date: Wed, 28 Mar 2018 17:22:16 +0100
+Subject: drm/msm: don't deref error pointer in the msm_fbdev_create error path
+
+From: Emil Velikov <emil.velikov@collabora.com>
+
+[ Upstream commit 789d4c300e10eb2096ee83c3497118e67ccc951e ]
+
+Currently the error pointer returned by msm_alloc_stolen_fb gets passed
+to drm_framebuffer_remove. The latter handles only NULL pointers, thus
+a nasty crash will occur.
+
+Drop the unnecessary fail label and the associated checks - both err and
+fb will be set at this stage.
+
+Cc: Rob Clark <robdclark@gmail.com>
+Cc: linux-arm-msm@vger.kernel.org
+Cc: dri-devel@lists.freedesktop.org
+Cc: freedreno@lists.freedesktop.org
+Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_fbdev.c | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_fbdev.c
++++ b/drivers/gpu/drm/msm/msm_fbdev.c
+@@ -92,8 +92,7 @@ static int msm_fbdev_create(struct drm_f
+
+ if (IS_ERR(fb)) {
+ dev_err(dev->dev, "failed to allocate fb\n");
+- ret = PTR_ERR(fb);
+- goto fail;
++ return PTR_ERR(fb);
+ }
+
+ bo = msm_framebuffer_bo(fb, 0);
+@@ -151,13 +150,7 @@ static int msm_fbdev_create(struct drm_f
+
+ fail_unlock:
+ mutex_unlock(&dev->struct_mutex);
+-fail:
+-
+- if (ret) {
+- if (fb)
+- drm_framebuffer_remove(fb);
+- }
+-
++ drm_framebuffer_remove(fb);
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Stefan Agner <stefan@agner.ch>
+Date: Mon, 19 Mar 2018 22:26:32 +0100
+Subject: drm/msm/dsi: use correct enum in dsi_get_cmd_fmt
+
+From: Stefan Agner <stefan@agner.ch>
+
+[ Upstream commit a4af89286f8fc382459308764ea05935dc477cdc ]
+
+The function dsi_get_cmd_fmt returns enum dsi_cmd_dst_format,
+use the correct enum value also for MIPI_DSI_FMT_RGB666/_PACKED.
+
+This has been discovered using clang:
+ drivers/gpu/drm/msm/dsi/dsi_host.c:743:35: warning: implicit conversion
+ from enumeration type 'enum dsi_vid_dst_format' to different
+ enumeration type 'enum dsi_cmd_dst_format' [-Wenum-conversion]
+ case MIPI_DSI_FMT_RGB666: return VID_DST_FORMAT_RGB666;
+ ~~~~~~ ^~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Reviewed-by: Archit Taneja <architt@codeaurora.org>
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
+@@ -740,7 +740,7 @@ static inline enum dsi_cmd_dst_format ds
+ switch (mipi_fmt) {
+ case MIPI_DSI_FMT_RGB888: return CMD_DST_FORMAT_RGB888;
+ case MIPI_DSI_FMT_RGB666_PACKED:
+- case MIPI_DSI_FMT_RGB666: return VID_DST_FORMAT_RGB666;
++ case MIPI_DSI_FMT_RGB666: return CMD_DST_FORMAT_RGB666;
+ case MIPI_DSI_FMT_RGB565: return CMD_DST_FORMAT_RGB565;
+ default: return CMD_DST_FORMAT_RGB888;
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Tue, 3 Apr 2018 23:38:45 +0100
+Subject: drm/msm: Fix possible null dereference on failure of get_pages()
+
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+
+[ Upstream commit 3976626ea3d2011f8fd3f3a47070a8b792018253 ]
+
+Commit 62e3a3e342af changed get_pages() to initialise
+msm_gem_object::pages before trying to initialise msm_gem_object::sgt,
+so that put_pages() would properly clean up pages in the failure
+case.
+
+However, this means that put_pages() now needs to check that
+msm_gem_object::sgt is not null before trying to clean it up, and
+this check was only applied to part of the cleanup code. Move
+it all into the conditional block. (Strictly speaking we don't
+need to make the kfree() conditional, but since we can't avoid
+checking for null ourselves we may as well do so.)
+
+Fixes: 62e3a3e342af ("drm/msm: fix leak in failed get_pages")
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Reviewed-by: Jordan Crouse <jcrouse@codeaurora.org>
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_gem.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_gem.c
++++ b/drivers/gpu/drm/msm/msm_gem.c
+@@ -132,17 +132,19 @@ static void put_pages(struct drm_gem_obj
+ struct msm_gem_object *msm_obj = to_msm_bo(obj);
+
+ if (msm_obj->pages) {
+- /* For non-cached buffers, ensure the new pages are clean
+- * because display controller, GPU, etc. are not coherent:
+- */
+- if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED))
+- dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl,
+- msm_obj->sgt->nents, DMA_BIDIRECTIONAL);
++ if (msm_obj->sgt) {
++ /* For non-cached buffers, ensure the new
++ * pages are clean because display controller,
++ * GPU, etc. are not coherent:
++ */
++ if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED))
++ dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl,
++ msm_obj->sgt->nents,
++ DMA_BIDIRECTIONAL);
+
+- if (msm_obj->sgt)
+ sg_free_table(msm_obj->sgt);
+-
+- kfree(msm_obj->sgt);
++ kfree(msm_obj->sgt);
++ }
+
+ if (use_pages(obj))
+ drm_gem_put_pages(obj, msm_obj->pages, true, false);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Date: Wed, 2 May 2018 12:11:56 +0300
+Subject: drm/omap: check return value from soc_device_match
+
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+
+[ Upstream commit 4d6cb5e2fee52af17001e92950f0894304706ee4 ]
+
+soc_device_match() can return NULL, so add a check and fail if
+soc_device_match() fails.
+
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180502091159.7071-2-tomi.valkeinen@ti.com
+Reviewed-by: Benoit Parrot <bparrot@ti.com>
+Reviewed-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/omapdrm/dss/hdmi4_core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/omapdrm/dss/hdmi4_core.c
++++ b/drivers/gpu/drm/omapdrm/dss/hdmi4_core.c
+@@ -922,8 +922,13 @@ int hdmi4_core_init(struct platform_devi
+ {
+ const struct hdmi4_features *features;
+ struct resource *res;
++ const struct soc_device_attribute *soc;
+
+- features = soc_device_match(hdmi4_soc_devices)->data;
++ soc = soc_device_match(hdmi4_soc_devices);
++ if (!soc)
++ return -ENODEV;
++
++ features = soc->data;
+ core->cts_swmode = features->cts_swmode;
+ core->audio_use_mclk = features->audio_use_mclk;
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Date: Thu, 29 Mar 2018 13:40:37 +0300
+Subject: drm/omap: fix possible NULL ref issue in tiler_reserve_2d
+
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+
+[ Upstream commit 6a0f0c55619f0b82a677cab72e77c3444a5eee58 ]
+
+tiler_reserve_2d allocates memory but does not check if it got the
+memory. Add the check and return ENOMEM on failure.
+
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180329104038.29154-2-tomi.valkeinen@ti.com
+Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/omapdrm/omap_dmm_tiler.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
++++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
+@@ -401,12 +401,16 @@ int tiler_unpin(struct tiler_block *bloc
+ struct tiler_block *tiler_reserve_2d(enum tiler_fmt fmt, uint16_t w,
+ uint16_t h, uint16_t align)
+ {
+- struct tiler_block *block = kzalloc(sizeof(*block), GFP_KERNEL);
++ struct tiler_block *block;
+ u32 min_align = 128;
+ int ret;
+ unsigned long flags;
+ u32 slot_bytes;
+
++ block = kzalloc(sizeof(*block), GFP_KERNEL);
++ if (!block)
++ return ERR_PTR(-ENOMEM);
++
+ BUG_ON(!validfmt(fmt));
+
+ /* convert width/height to slots */
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Date: Thu, 29 Mar 2018 13:40:36 +0300
+Subject: drm/omap: fix uninitialized ret variable
+
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+
+[ Upstream commit 77eeac24b10fc84d3ffd5b11a897dff88dde244d ]
+
+audio_config function for both HDMI4 and HDMI5 return uninitialized
+value as the error code if the display is not currently enabled. For
+some reason this has not caused any issues.
+
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180329104038.29154-1-tomi.valkeinen@ti.com
+Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/omapdrm/dss/hdmi4.c | 2 +-
+ drivers/gpu/drm/omapdrm/dss/hdmi5.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/omapdrm/dss/hdmi4.c
++++ b/drivers/gpu/drm/omapdrm/dss/hdmi4.c
+@@ -665,7 +665,7 @@ static int hdmi_audio_config(struct devi
+ struct omap_dss_audio *dss_audio)
+ {
+ struct omap_hdmi *hd = dev_get_drvdata(dev);
+- int ret;
++ int ret = 0;
+
+ mutex_lock(&hd->lock);
+
+--- a/drivers/gpu/drm/omapdrm/dss/hdmi5.c
++++ b/drivers/gpu/drm/omapdrm/dss/hdmi5.c
+@@ -660,7 +660,7 @@ static int hdmi_audio_config(struct devi
+ struct omap_dss_audio *dss_audio)
+ {
+ struct omap_hdmi *hd = dev_get_drvdata(dev);
+- int ret;
++ int ret = 0;
+
+ mutex_lock(&hd->lock);
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Date: Wed, 2 May 2018 12:11:59 +0300
+Subject: drm/omap: handle alloc failures in omap_connector
+
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+
+[ Upstream commit 47aaaec818dfd1009d1358974a2931f05dd57203 ]
+
+Handle memory allocation failures in omap_connector to avoid NULL
+derefs.
+
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180502091159.7071-5-tomi.valkeinen@ti.com
+Reviewed-by: Benoit Parrot <bparrot@ti.com>
+Reviewed-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/omapdrm/omap_connector.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/gpu/drm/omapdrm/omap_connector.c
++++ b/drivers/gpu/drm/omapdrm/omap_connector.c
+@@ -121,6 +121,9 @@ static int omap_connector_get_modes(stru
+ if (dssdrv->read_edid) {
+ void *edid = kzalloc(MAX_EDID, GFP_KERNEL);
+
++ if (!edid)
++ return 0;
++
+ if ((dssdrv->read_edid(dssdev, edid, MAX_EDID) > 0) &&
+ drm_edid_is_valid(edid)) {
+ drm_mode_connector_update_edid_property(
+@@ -139,6 +142,9 @@ static int omap_connector_get_modes(stru
+ struct drm_display_mode *mode = drm_mode_create(dev);
+ struct videomode vm = {0};
+
++ if (!mode)
++ return 0;
++
+ dssdrv->get_timings(dssdev, &vm);
+
+ drm_display_mode_from_videomode(&vm, mode);
+@@ -200,6 +206,10 @@ static int omap_connector_mode_valid(str
+ if (!r) {
+ /* check if vrefresh is still valid */
+ new_mode = drm_mode_duplicate(dev, mode);
++
++ if (!new_mode)
++ return MODE_BAD;
++
+ new_mode->clock = vm.pixelclock / 1000;
+ new_mode->vrefresh = 0;
+ if (mode->vrefresh == drm_mode_vrefresh(new_mode))
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 18 Apr 2018 17:29:37 +0300
+Subject: drm/omap: silence unititialized variable warning
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 4a9fbfcab19d3f71ad2bf0bcb653c4ee84e69c7f ]
+
+Smatch complains that "area_free" could be used without being
+initialized. This code is several years old and premusably works fine
+so this can't be a very serious bug. But it's easy enough to silence
+the warning. If "area_free" is false at the end of the function then
+we return -ENOMEM.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180418142937.GA13828@mwanda
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/omapdrm/tcm-sita.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/omapdrm/tcm-sita.c
++++ b/drivers/gpu/drm/omapdrm/tcm-sita.c
+@@ -90,7 +90,7 @@ static int l2r_t2b(uint16_t w, uint16_t
+ {
+ int i;
+ unsigned long index;
+- bool area_free;
++ bool area_free = false;
+ unsigned long slots_per_band = PAGE_SIZE / slot_bytes;
+ unsigned long bit_offset = (offset > 0) ? offset / slot_bytes : 0;
+ unsigned long curr_bit = bit_offset;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Eric Anholt <eric@anholt.net>
+Date: Fri, 9 Mar 2018 15:32:56 -0800
+Subject: drm/vc4: Fix oops dereferencing DPI's connector since panel_bridge.
+
+From: Eric Anholt <eric@anholt.net>
+
+[ Upstream commit 164c2416dd40770aba5814f93da835e8a9f7196d ]
+
+In the cleanup, I didn't notice that we needed to dereference the
+connector for the bus_format. Fix the regression by looking up the
+first (and only) connector attached to us, and assume that its
+bus_format is what we want. Some day it would be good to have that
+part of display_info attached to the bridge, instead.
+
+v2: Fix stray whitespace change
+
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Fixes: 7b1298e05310 ("drm/vc4: Switch DPI to using the panel-bridge helper.")
+Link: https://patchwork.freedesktop.org/patch/msgid/20180309233256.1667-1-eric@anholt.net
+Reviewed-by: Sean Paul <seanpaul@chromium.org>
+Reviewed-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/vc4/vc4_dpi.c | 25 ++++++++++++++++++++++---
+ 1 file changed, 22 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/vc4/vc4_dpi.c
++++ b/drivers/gpu/drm/vc4/vc4_dpi.c
+@@ -96,7 +96,6 @@ struct vc4_dpi {
+ struct platform_device *pdev;
+
+ struct drm_encoder *encoder;
+- struct drm_connector *connector;
+
+ void __iomem *regs;
+
+@@ -164,14 +163,31 @@ static void vc4_dpi_encoder_disable(stru
+
+ static void vc4_dpi_encoder_enable(struct drm_encoder *encoder)
+ {
++ struct drm_device *dev = encoder->dev;
+ struct drm_display_mode *mode = &encoder->crtc->mode;
+ struct vc4_dpi_encoder *vc4_encoder = to_vc4_dpi_encoder(encoder);
+ struct vc4_dpi *dpi = vc4_encoder->dpi;
++ struct drm_connector_list_iter conn_iter;
++ struct drm_connector *connector = NULL, *connector_scan;
+ u32 dpi_c = DPI_ENABLE | DPI_OUTPUT_ENABLE_MODE;
+ int ret;
+
+- if (dpi->connector->display_info.num_bus_formats) {
+- u32 bus_format = dpi->connector->display_info.bus_formats[0];
++ /* Look up the connector attached to DPI so we can get the
++ * bus_format. Ideally the bridge would tell us the
++ * bus_format we want, but it doesn't yet, so assume that it's
++ * uniform throughout the bridge chain.
++ */
++ drm_connector_list_iter_begin(dev, &conn_iter);
++ drm_for_each_connector_iter(connector_scan, &conn_iter) {
++ if (connector_scan->encoder == encoder) {
++ connector = connector_scan;
++ break;
++ }
++ }
++ drm_connector_list_iter_end(&conn_iter);
++
++ if (connector && connector->display_info.num_bus_formats) {
++ u32 bus_format = connector->display_info.bus_formats[0];
+
+ switch (bus_format) {
+ case MEDIA_BUS_FMT_RGB888_1X24:
+@@ -199,6 +215,9 @@ static void vc4_dpi_encoder_enable(struc
+ DRM_ERROR("Unknown media bus format %d\n", bus_format);
+ break;
+ }
++ } else {
++ /* Default to 24bit if no connector found. */
++ dpi_c |= VC4_SET_FIELD(DPI_FORMAT_24BIT_888_RGB, DPI_FORMAT);
+ }
+
+ if (mode->flags & DRM_MODE_FLAG_NHSYNC)
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Jacopo Mondi <jacopo+renesas@jmondi.org>
+Date: Mon, 16 Apr 2018 15:56:08 +0200
+Subject: dt-bindings: dmaengine: rcar-dmac: document R8A77965 support
+
+From: Jacopo Mondi <jacopo+renesas@jmondi.org>
+
+[ Upstream commit b89bc283286b105e50aab9ab35992c0237ac77d8 ]
+
+Add documentation for r8a77965 compatible string to rcar-dmac device
+tree bindings documentation.
+
+Signed-off-by: Jacopo Mondi <jacopo+renesas@jmondi.org>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/dma/renesas,rcar-dmac.txt | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/Documentation/devicetree/bindings/dma/renesas,rcar-dmac.txt
++++ b/Documentation/devicetree/bindings/dma/renesas,rcar-dmac.txt
+@@ -25,6 +25,7 @@ Required Properties:
+ - "renesas,dmac-r8a7794" (R-Car E2)
+ - "renesas,dmac-r8a7795" (R-Car H3)
+ - "renesas,dmac-r8a7796" (R-Car M3-W)
++ - "renesas,dmac-r8a77965" (R-Car M3-N)
+ - "renesas,dmac-r8a77970" (R-Car V3M)
+
+ - reg: base address and length of the registers block for the DMAC
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Mon, 23 Apr 2018 09:32:40 +0200
+Subject: dt-bindings: meson-uart: DT fix s/clocks-names/clock-names/
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 34df2466b48dfe258e14fe2a7bc4641416575ade ]
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/serial/amlogic,meson-uart.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/serial/amlogic,meson-uart.txt
++++ b/Documentation/devicetree/bindings/serial/amlogic,meson-uart.txt
+@@ -21,7 +21,7 @@ Required properties:
+ - interrupts : identifier to the device interrupt
+ - clocks : a list of phandle + clock-specifier pairs, one for each
+ entry in clock names.
+-- clocks-names :
++- clock-names :
+ * "xtal" for external xtal clock identifier
+ * "pclk" for the bus core clock, either the clk81 clock or the gate clock
+ * "baud" for the source of the baudrate generator, can be either the xtal
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Mon, 23 Apr 2018 09:35:16 +0200
+Subject: dt-bindings: mvebu-uart: DT fix s/interrupts-names/interrupt-names/
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 17a16542b88e753cc3bd54cf30b74df3d547421e ]
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/serial/mvebu-uart.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/serial/mvebu-uart.txt
++++ b/Documentation/devicetree/bindings/serial/mvebu-uart.txt
+@@ -24,7 +24,7 @@ Required properties:
+ - Must contain two elements for the extended variant of the IP
+ (marvell,armada-3700-uart-ext): "uart-tx" and "uart-rx",
+ respectively the UART TX interrupt and the UART RX interrupt. A
+- corresponding interrupts-names property must be defined.
++ corresponding interrupt-names property must be defined.
+ - For backward compatibility reasons, a single element interrupts
+ property is also supported for the standard variant of the IP,
+ containing only the UART sum interrupt. This form is deprecated
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Jacopo Mondi <jacopo+renesas@jmondi.org>
+Date: Mon, 16 Apr 2018 15:55:17 +0200
+Subject: dt-bindings: net: ravb: Add support for r8a77965 SoC
+
+From: Jacopo Mondi <jacopo+renesas@jmondi.org>
+
+[ Upstream commit 1a862488729a6ea9cfd285d2c90f8738949ae7d2 ]
+
+Add documentation for r8a77965 compatible string to renesas ravb device
+tree bindings documentation.
+
+Signed-off-by: Jacopo Mondi <jacopo+renesas@jmondi.org>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Acked-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/net/renesas,ravb.txt | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/Documentation/devicetree/bindings/net/renesas,ravb.txt
++++ b/Documentation/devicetree/bindings/net/renesas,ravb.txt
+@@ -17,6 +17,7 @@ Required properties:
+
+ - "renesas,etheravb-r8a7795" for the R8A7795 SoC.
+ - "renesas,etheravb-r8a7796" for the R8A7796 SoC.
++ - "renesas,etheravb-r8a77965" for the R8A77965 SoC.
+ - "renesas,etheravb-r8a77970" for the R8A77970 SoC.
+ - "renesas,etheravb-r8a77980" for the R8A77980 SoC.
+ - "renesas,etheravb-r8a77995" for the R8A77995 SoC.
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Wed, 25 Apr 2018 09:49:38 +0200
+Subject: dt-bindings: panel: lvds: Fix path to display timing bindings
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit f130307054a59ca21d2396f386be77ebd2e8ca96 ]
+
+Fixes: 14da3ed8dd08c581 ("devicetree/bindings: display: Document common
+panel properties")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/display/panel/panel-common.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/display/panel/panel-common.txt
++++ b/Documentation/devicetree/bindings/display/panel/panel-common.txt
+@@ -38,7 +38,7 @@ Display Timings
+ require specific display timings. The panel-timing subnode expresses those
+ timings as specified in the timing subnode section of the display timing
+ bindings defined in
+- Documentation/devicetree/bindings/display/display-timing.txt.
++ Documentation/devicetree/bindings/display/panel/display-timing.txt.
+
+
+ Connectivity
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Matheus Castello <matheus@castello.eng.br>
+Date: Wed, 11 Apr 2018 01:17:03 -0400
+Subject: dt-bindings: pinctrl: sunxi: Fix reference to driver
+
+From: Matheus Castello <matheus@castello.eng.br>
+
+[ Upstream commit b614e905a0bc8fc5d4fa72665ac26ae00c874a4e ]
+
+Bindings describe hardware, not drivers.
+Use reference to hardware Allwinner A1X Pin Controller instead driver.
+
+Signed-off-by: Matheus Castello <matheus@castello.eng.br>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/pinctrl/allwinner,sunxi-pinctrl.txt | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/Documentation/devicetree/bindings/pinctrl/allwinner,sunxi-pinctrl.txt
++++ b/Documentation/devicetree/bindings/pinctrl/allwinner,sunxi-pinctrl.txt
+@@ -55,9 +55,9 @@ pins it needs, and how they should be co
+ configuration, drive strength and pullups. If one of these options is
+ not set, its actual value will be unspecified.
+
+-This driver supports the generic pin multiplexing and configuration
+-bindings. For details on each properties, you can refer to
+-./pinctrl-bindings.txt.
++Allwinner A1X Pin Controller supports the generic pin multiplexing and
++configuration bindings. For details on each properties, you can refer to
++ ./pinctrl-bindings.txt.
+
+ Required sub-node properties:
+ - pins
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Jacopo Mondi <jacopo+renesas@jmondi.org>
+Date: Mon, 16 Apr 2018 15:55:28 +0200
+Subject: dt-bindings: serial: sh-sci: Add support for r8a77965 (H)SCIF
+
+From: Jacopo Mondi <jacopo+renesas@jmondi.org>
+
+[ Upstream commit 7de5b7e5f6a67c285b86d1478e8e150929c93482 ]
+
+Add documentation for r8a77965 compatible string to Renesas sci-serial
+device tree bindings documentation.
+
+Signed-off-by: Jacopo Mondi <jacopo+renesas@jmondi.org>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/serial/renesas,sci-serial.txt | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/Documentation/devicetree/bindings/serial/renesas,sci-serial.txt
++++ b/Documentation/devicetree/bindings/serial/renesas,sci-serial.txt
+@@ -41,6 +41,8 @@ Required properties:
+ - "renesas,hscif-r8a7795" for R8A7795 (R-Car H3) HSCIF compatible UART.
+ - "renesas,scif-r8a7796" for R8A7796 (R-Car M3-W) SCIF compatible UART.
+ - "renesas,hscif-r8a7796" for R8A7796 (R-Car M3-W) HSCIF compatible UART.
++ - "renesas,scif-r8a77965" for R8A77965 (R-Car M3-N) SCIF compatible UART.
++ - "renesas,hscif-r8a77965" for R8A77965 (R-Car M3-N) HSCIF compatible UART.
+ - "renesas,scif-r8a77970" for R8A77970 (R-Car V3M) SCIF compatible UART.
+ - "renesas,hscif-r8a77970" for R8A77970 (R-Car V3M) HSCIF compatible UART.
+ - "renesas,scif-r8a77995" for R8A77995 (R-Car D3) SCIF compatible UART.
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Wed, 28 Mar 2018 23:41:52 +0000
+Subject: eCryptfs: don't pass up plaintext names when using filename encryption
+
+From: Tyler Hicks <tyhicks@canonical.com>
+
+[ Upstream commit e86281e700cca8a773f9a572fa406adf2784ba5c ]
+
+Both ecryptfs_filldir() and ecryptfs_readlink_lower() use
+ecryptfs_decode_and_decrypt_filename() to translate lower filenames to
+upper filenames. The function correctly passes up lower filenames,
+unchanged, when filename encryption isn't in use. However, it was also
+passing up lower filenames when the filename wasn't encrypted or
+when decryption failed. Since 88ae4ab9802e, eCryptfs refuses to lookup
+lower plaintext names when filename encryption is enabled so this
+resulted in a situation where userspace would see lower plaintext
+filenames in calls to getdents(2) but then not be able to lookup those
+filenames.
+
+An example of this can be seen when enabling filename encryption on an
+eCryptfs mount at the root directory of an Ext4 filesystem:
+
+$ ls -1i /lower
+12 ECRYPTFS_FNEK_ENCRYPTED.FWYZD8TcW.5FV-TKTEYOHsheiHX9a-w.NURCCYIMjI8pn5BDB9-h3fXwrE--
+11 lost+found
+$ ls -1i /upper
+ls: cannot access '/upper/lost+found': No such file or directory
+ ? lost+found
+12 test
+
+With this change, the lower lost+found dentry is ignored:
+
+$ ls -1i /lower
+12 ECRYPTFS_FNEK_ENCRYPTED.FWYZD8TcW.5FV-TKTEYOHsheiHX9a-w.NURCCYIMjI8pn5BDB9-h3fXwrE--
+11 lost+found
+$ ls -1i /upper
+12 test
+
+Additionally, some potentially noisy error/info messages in the related
+code paths are turned into debug messages so that the logs can't be
+easily filled.
+
+Fixes: 88ae4ab9802e ("ecryptfs_lookup(): try either only encrypted or plaintext name")
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ecryptfs/crypto.c | 41 ++++++++++++++++++++++++++++-------------
+ fs/ecryptfs/file.c | 21 ++++++++++++++++-----
+ 2 files changed, 44 insertions(+), 18 deletions(-)
+
+--- a/fs/ecryptfs/crypto.c
++++ b/fs/ecryptfs/crypto.c
+@@ -1997,6 +1997,16 @@ out:
+ return rc;
+ }
+
++static bool is_dot_dotdot(const char *name, size_t name_size)
++{
++ if (name_size == 1 && name[0] == '.')
++ return true;
++ else if (name_size == 2 && name[0] == '.' && name[1] == '.')
++ return true;
++
++ return false;
++}
++
+ /**
+ * ecryptfs_decode_and_decrypt_filename - converts the encoded cipher text name to decoded plaintext
+ * @plaintext_name: The plaintext name
+@@ -2021,13 +2031,21 @@ int ecryptfs_decode_and_decrypt_filename
+ size_t packet_size;
+ int rc = 0;
+
+- if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)
+- && !(mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
+- && (name_size > ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE)
+- && (strncmp(name, ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX,
+- ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE) == 0)) {
+- const char *orig_name = name;
+- size_t orig_name_size = name_size;
++ if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) &&
++ !(mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)) {
++ if (is_dot_dotdot(name, name_size)) {
++ rc = ecryptfs_copy_filename(plaintext_name,
++ plaintext_name_size,
++ name, name_size);
++ goto out;
++ }
++
++ if (name_size <= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE ||
++ strncmp(name, ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX,
++ ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE)) {
++ rc = -EINVAL;
++ goto out;
++ }
+
+ name += ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
+ name_size -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
+@@ -2047,12 +2065,9 @@ int ecryptfs_decode_and_decrypt_filename
+ decoded_name,
+ decoded_name_size);
+ if (rc) {
+- printk(KERN_INFO "%s: Could not parse tag 70 packet "
+- "from filename; copying through filename "
+- "as-is\n", __func__);
+- rc = ecryptfs_copy_filename(plaintext_name,
+- plaintext_name_size,
+- orig_name, orig_name_size);
++ ecryptfs_printk(KERN_DEBUG,
++ "%s: Could not parse tag 70 packet from filename\n",
++ __func__);
+ goto out_free;
+ }
+ } else {
+--- a/fs/ecryptfs/file.c
++++ b/fs/ecryptfs/file.c
+@@ -82,17 +82,28 @@ ecryptfs_filldir(struct dir_context *ctx
+ buf->sb, lower_name,
+ lower_namelen);
+ if (rc) {
+- printk(KERN_ERR "%s: Error attempting to decode and decrypt "
+- "filename [%s]; rc = [%d]\n", __func__, lower_name,
+- rc);
+- goto out;
++ if (rc != -EINVAL) {
++ ecryptfs_printk(KERN_DEBUG,
++ "%s: Error attempting to decode and decrypt filename [%s]; rc = [%d]\n",
++ __func__, lower_name, rc);
++ return rc;
++ }
++
++ /* Mask -EINVAL errors as these are most likely due a plaintext
++ * filename present in the lower filesystem despite filename
++ * encryption being enabled. One unavoidable example would be
++ * the "lost+found" dentry in the root directory of an Ext4
++ * filesystem.
++ */
++ return 0;
+ }
++
+ buf->caller->pos = buf->ctx.pos;
+ rc = !dir_emit(buf->caller, name, name_size, ino, d_type);
+ kfree(name);
+ if (!rc)
+ buf->entries_written++;
+-out:
++
+ return rc;
+ }
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Fri, 18 May 2018 16:08:41 +0200
+Subject: efi/libstub/arm64: Handle randomized TEXT_OFFSET
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit 4f74d72aa7067e75af92fbab077e6d7d0210be66 ]
+
+When CONFIG_RANDOMIZE_TEXT_OFFSET=y, TEXT_OFFSET is an arbitrary
+multiple of PAGE_SIZE in the interval [0, 2MB).
+
+The EFI stub does not account for the potential misalignment of
+TEXT_OFFSET relative to EFI_KIMG_ALIGN, and produces a randomized
+physical offset which is always a round multiple of EFI_KIMG_ALIGN.
+This may result in statically allocated objects whose alignment exceeds
+PAGE_SIZE to appear misaligned in memory. This has been observed to
+result in spurious stack overflow reports and failure to make use of
+the IRQ stacks, and theoretically could result in a number of other
+issues.
+
+We can OR in the low bits of TEXT_OFFSET to ensure that we have the
+necessary offset (and hence preserve the misalignment of TEXT_OFFSET
+relative to EFI_KIMG_ALIGN), so let's do that.
+
+Reported-by: Kim Phillips <kim.phillips@arm.com>
+Tested-by: Kim Phillips <kim.phillips@arm.com>
+[ardb: clarify comment and commit log, drop unneeded parens]
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Fixes: 6f26b3671184c36d ("arm64: kaslr: increase randomization granularity")
+Link: http://lkml.kernel.org/r/20180518140841.9731-2-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/efi/libstub/arm64-stub.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/firmware/efi/libstub/arm64-stub.c
++++ b/drivers/firmware/efi/libstub/arm64-stub.c
+@@ -98,6 +98,16 @@ efi_status_t handle_kernel_image(efi_sys
+ (phys_seed >> 32) & mask : TEXT_OFFSET;
+
+ /*
++ * With CONFIG_RANDOMIZE_TEXT_OFFSET=y, TEXT_OFFSET may not
++ * be a multiple of EFI_KIMG_ALIGN, and we must ensure that
++ * we preserve the misalignment of 'offset' relative to
++ * EFI_KIMG_ALIGN so that statically allocated objects whose
++ * alignment exceeds PAGE_SIZE appear correctly aligned in
++ * memory.
++ */
++ offset |= TEXT_OFFSET % EFI_KIMG_ALIGN;
++
++ /*
+ * If KASLR is enabled, and we have some randomness available,
+ * locate the kernel at a randomized offset in physical memory.
+ */
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Thu, 5 Apr 2018 16:18:03 +0300
+Subject: fsnotify: fix ignore mask logic in send_to_group()
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+[ Upstream commit 92183a42898dc400b89da35685d1814ac6acd3d8 ]
+
+The ignore mask logic in send_to_group() does not match the logic
+in fanotify_should_send_event(). In the latter, a vfsmount mark ignore
+mask precedes an inode mark mask and in the former, it does not.
+
+That difference may cause events to be sent to fanotify backend for no
+reason. Fix the logic in send_to_group() to match that of
+fanotify_should_send_event().
+
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/notify/fsnotify.c | 25 +++++++++++--------------
+ 1 file changed, 11 insertions(+), 14 deletions(-)
+
+--- a/fs/notify/fsnotify.c
++++ b/fs/notify/fsnotify.c
+@@ -192,8 +192,9 @@ static int send_to_group(struct inode *t
+ struct fsnotify_iter_info *iter_info)
+ {
+ struct fsnotify_group *group = NULL;
+- __u32 inode_test_mask = 0;
+- __u32 vfsmount_test_mask = 0;
++ __u32 test_mask = (mask & ~FS_EVENT_ON_CHILD);
++ __u32 marks_mask = 0;
++ __u32 marks_ignored_mask = 0;
+
+ if (unlikely(!inode_mark && !vfsmount_mark)) {
+ BUG();
+@@ -213,29 +214,25 @@ static int send_to_group(struct inode *t
+ /* does the inode mark tell us to do something? */
+ if (inode_mark) {
+ group = inode_mark->group;
+- inode_test_mask = (mask & ~FS_EVENT_ON_CHILD);
+- inode_test_mask &= inode_mark->mask;
+- inode_test_mask &= ~inode_mark->ignored_mask;
++ marks_mask |= inode_mark->mask;
++ marks_ignored_mask |= inode_mark->ignored_mask;
+ }
+
+ /* does the vfsmount_mark tell us to do something? */
+ if (vfsmount_mark) {
+- vfsmount_test_mask = (mask & ~FS_EVENT_ON_CHILD);
+ group = vfsmount_mark->group;
+- vfsmount_test_mask &= vfsmount_mark->mask;
+- vfsmount_test_mask &= ~vfsmount_mark->ignored_mask;
+- if (inode_mark)
+- vfsmount_test_mask &= ~inode_mark->ignored_mask;
++ marks_mask |= vfsmount_mark->mask;
++ marks_ignored_mask |= vfsmount_mark->ignored_mask;
+ }
+
+ pr_debug("%s: group=%p to_tell=%p mask=%x inode_mark=%p"
+- " inode_test_mask=%x vfsmount_mark=%p vfsmount_test_mask=%x"
++ " vfsmount_mark=%p marks_mask=%x marks_ignored_mask=%x"
+ " data=%p data_is=%d cookie=%d\n",
+- __func__, group, to_tell, mask, inode_mark,
+- inode_test_mask, vfsmount_mark, vfsmount_test_mask, data,
++ __func__, group, to_tell, mask, inode_mark, vfsmount_mark,
++ marks_mask, marks_ignored_mask, data,
+ data_is, cookie);
+
+- if (!inode_test_mask && !vfsmount_test_mask)
++ if (!(test_mask & marks_mask & ~marks_ignored_mask))
+ return 0;
+
+ return group->ops->handle_event(group, to_tell, inode_mark,
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Fri, 13 Apr 2018 14:06:10 +0900
+Subject: gcc-plugins: fix build condition of SANCOV plugin
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+[ Upstream commit 642ef99be932c4071274b28eaf3d3d85bbb6e78c ]
+
+Since commit d677a4d60193 ("Makefile: support flag
+-fsanitizer-coverage=trace-cmp"), you miss to build the SANCOV
+plugin under some circumstances.
+
+ CONFIG_KCOV=y
+ CONFIG_KCOV_ENABLE_COMPARISONS=y
+ Your compiler does not support -fsanitize-coverage=trace-pc
+ Your compiler does not support -fsanitize-coverage=trace-cmp
+
+Under this condition, $(CFLAGS_KCOV) is not empty but contains a
+space, so the following ifeq-conditional is false.
+
+ ifeq ($(CFLAGS_KCOV),)
+
+Then, scripts/Makefile.gcc-plugins misses to add sancov_plugin.so to
+gcc-plugin-y while the SANCOV plugin is necessary as an alternative
+means.
+
+Fixes: d677a4d60193 ("Makefile: support flag -fsanitizer-coverage=trace-cmp")
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/Makefile.gcc-plugins | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/Makefile.gcc-plugins
++++ b/scripts/Makefile.gcc-plugins
+@@ -14,7 +14,7 @@ ifdef CONFIG_GCC_PLUGINS
+ endif
+
+ ifdef CONFIG_GCC_PLUGIN_SANCOV
+- ifeq ($(CFLAGS_KCOV),)
++ ifeq ($(strip $(CFLAGS_KCOV)),)
+ # It is needed because of the gcc-plugin.sh and gcc version checks.
+ gcc-plugin-$(CONFIG_GCC_PLUGIN_SANCOV) += sancov_plugin.so
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 6 Apr 2018 16:28:22 +0200
+Subject: hexagon: add memset_io() helper
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit a57ab96ef9dde231d4d46edba4d5f73720edc16a ]
+
+We already have memcpy_toio(), but not memset_io(), so let's
+add the obvious version to allow building an allmodconfig kernel
+without errors like
+
+drivers/gpu/drm/ttm/ttm_bo_util.c: In function 'ttm_bo_move_memcpy':
+drivers/gpu/drm/ttm/ttm_bo_util.c:390:3: error: implicit declaration of function 'memset_io' [-Werror=implicit-function-declaration]
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Richard Kuo <rkuo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/hexagon/include/asm/io.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/hexagon/include/asm/io.h
++++ b/arch/hexagon/include/asm/io.h
+@@ -216,6 +216,12 @@ static inline void memcpy_toio(volatile
+ memcpy((void *) dst, src, count);
+ }
+
++static inline void memset_io(volatile void __iomem *addr, int value,
++ size_t size)
++{
++ memset((void __force *)addr, value, size);
++}
++
+ #define PCI_IO_ADDR (volatile void __iomem *)
+
+ /*
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 6 Apr 2018 16:28:23 +0200
+Subject: hexagon: export csum_partial_copy_nocheck
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 330e261c35dfb969c48f996dbbc8b334b5ee8d9d ]
+
+This is needed to link ipv6 as a loadable module, which in turn happens
+in allmodconfig.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Richard Kuo <rkuo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/hexagon/lib/checksum.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/hexagon/lib/checksum.c
++++ b/arch/hexagon/lib/checksum.c
+@@ -199,3 +199,4 @@ csum_partial_copy_nocheck(const void *sr
+ memcpy(dst, src, len);
+ return csum_partial(dst, len, sum);
+ }
++EXPORT_SYMBOL(csum_partial_copy_nocheck);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Thu, 3 May 2018 11:32:33 +0200
+Subject: HID: i2c-hid: Add RESEND_REPORT_DESCR quirk for Toshiba Click Mini L9W-B
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 070b9637dd8fa85c3ba7ecc60fe57fa4da9c2d1d ]
+
+The 0457:10fb touchscreen found on the Toshiba Click Mini L9W-B needs
+to have a report-decriptors command send to it on resume in order for
+the touchscreen to start generating events again on resume.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/i2c-hid/i2c-hid.c | 2 ++
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -966,6 +966,7 @@
+ #define USB_DEVICE_ID_SIS817_TOUCH 0x0817
+ #define USB_DEVICE_ID_SIS_TS 0x1013
+ #define USB_DEVICE_ID_SIS1030_TOUCH 0x1030
++#define USB_DEVICE_ID_SIS10FB_TOUCH 0x10fb
+
+ #define USB_VENDOR_ID_SKYCABLE 0x1223
+ #define USB_DEVICE_ID_SKYCABLE_WIRELESS_PRESENTER 0x3F07
+--- a/drivers/hid/i2c-hid/i2c-hid.c
++++ b/drivers/hid/i2c-hid/i2c-hid.c
+@@ -174,6 +174,8 @@ static const struct i2c_hid_quirks {
+ I2C_HID_QUIRK_NO_IRQ_AFTER_RESET },
+ { I2C_VENDOR_ID_RAYD, I2C_PRODUCT_ID_RAYD_3118,
+ I2C_HID_QUIRK_RESEND_REPORT_DESCR },
++ { USB_VENDOR_ID_SIS_TOUCH, USB_DEVICE_ID_SIS10FB_TOUCH,
++ I2C_HID_QUIRK_RESEND_REPORT_DESCR },
+ { 0, 0 }
+ };
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Date: Fri, 30 Mar 2018 16:56:10 +0530
+Subject: HID: intel-ish-hid: use put_device() instead of kfree()
+
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+
+[ Upstream commit a4eb490a41a0da3b1275fc7427084cf9ae2c3c1c ]
+
+Never directly free @dev after calling device_register(), even
+if it returned an error. Always use put_device() to give up the
+reference initialized.
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/intel-ish-hid/ishtp/bus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/intel-ish-hid/ishtp/bus.c
++++ b/drivers/hid/intel-ish-hid/ishtp/bus.c
+@@ -418,7 +418,7 @@ static struct ishtp_cl_device *ishtp_bus
+ list_del(&device->device_link);
+ spin_unlock_irqrestore(&dev->device_list_lock, flags);
+ dev_err(dev->devc, "Failed to register ISHTP client device\n");
+- kfree(device);
++ put_device(&device->dev);
+ return NULL;
+ }
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: pgzh <peter.ganzhorn@gmail.com>
+Date: Thu, 12 Apr 2018 19:36:47 +0200
+Subject: HID: lenovo: Add support for IBM/Lenovo Scrollpoint mice
+
+From: pgzh <peter.ganzhorn@gmail.com>
+
+[ Upstream commit a230cd52b8a2be39cd6e9a13b3e62af57f21372a ]
+
+The IBM/Lenovo Scrollpoint mice feature a trackpoint-like stick instead of a
+scrolling wheel capable of 2-D (vertical+horizontal) scrolling. hid-generic
+does only expose 1-D (vertical) scrolling functionality for these mice. This
+patch adds support for horizontal scrolling for the IBM/Lenovo Scrollpoint mice
+to hid-lenovo.
+
+[jkosina@suse.cz: remove change versioning from git changelog]
+Signed-off-by: Peter Ganzhorn <peter.ganzhorn@gmail.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Peter De Wachter <pdewacht@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/Kconfig | 7 ++++---
+ drivers/hid/hid-ids.h | 8 ++++++++
+ drivers/hid/hid-lenovo.c | 36 ++++++++++++++++++++++++++++++++++++
+ 3 files changed, 48 insertions(+), 3 deletions(-)
+
+--- a/drivers/hid/Kconfig
++++ b/drivers/hid/Kconfig
+@@ -448,10 +448,11 @@ config HID_LENOVO
+ select NEW_LEDS
+ select LEDS_CLASS
+ ---help---
+- Support for Lenovo devices that are not fully compliant with HID standard.
++ Support for IBM/Lenovo devices that are not fully compliant with HID standard.
+
+- Say Y if you want support for the non-compliant features of the Lenovo
+- Thinkpad standalone keyboards, e.g:
++ Say Y if you want support for horizontal scrolling of the IBM/Lenovo
++ Scrollpoint mice or the non-compliant features of the Lenovo Thinkpad
++ standalone keyboards, e.g:
+ - ThinkPad USB Keyboard with TrackPoint (supports extra LEDs and trackpoint
+ configuration)
+ - ThinkPad Compact Bluetooth Keyboard with TrackPoint (supports Fn keys)
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -546,6 +546,13 @@
+ #define USB_VENDOR_ID_HUION 0x256c
+ #define USB_DEVICE_ID_HUION_TABLET 0x006e
+
++#define USB_VENDOR_ID_IBM 0x04b3
++#define USB_DEVICE_ID_IBM_SCROLLPOINT_III 0x3100
++#define USB_DEVICE_ID_IBM_SCROLLPOINT_PRO 0x3103
++#define USB_DEVICE_ID_IBM_SCROLLPOINT_OPTICAL 0x3105
++#define USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL 0x3108
++#define USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL_PRO 0x3109
++
+ #define USB_VENDOR_ID_IDEACOM 0x1cb6
+ #define USB_DEVICE_ID_IDEACOM_IDC6650 0x6650
+ #define USB_DEVICE_ID_IDEACOM_IDC6651 0x6651
+@@ -678,6 +685,7 @@
+ #define USB_DEVICE_ID_LENOVO_TPKBD 0x6009
+ #define USB_DEVICE_ID_LENOVO_CUSBKBD 0x6047
+ #define USB_DEVICE_ID_LENOVO_CBTKBD 0x6048
++#define USB_DEVICE_ID_LENOVO_SCROLLPOINT_OPTICAL 0x6049
+ #define USB_DEVICE_ID_LENOVO_TPPRODOCK 0x6067
+ #define USB_DEVICE_ID_LENOVO_X1_COVER 0x6085
+ #define USB_DEVICE_ID_LENOVO_X1_TAB 0x60a3
+--- a/drivers/hid/hid-lenovo.c
++++ b/drivers/hid/hid-lenovo.c
+@@ -6,6 +6,17 @@
+ *
+ * Copyright (c) 2012 Bernhard Seibold
+ * Copyright (c) 2014 Jamie Lentin <jm@lentin.co.uk>
++ *
++ * Linux IBM/Lenovo Scrollpoint mouse driver:
++ * - IBM Scrollpoint III
++ * - IBM Scrollpoint Pro
++ * - IBM Scrollpoint Optical
++ * - IBM Scrollpoint Optical 800dpi
++ * - IBM Scrollpoint Optical 800dpi Pro
++ * - Lenovo Scrollpoint Optical
++ *
++ * Copyright (c) 2012 Peter De Wachter <pdewacht@gmail.com>
++ * Copyright (c) 2018 Peter Ganzhorn <peter.ganzhorn@gmail.com>
+ */
+
+ /*
+@@ -160,6 +171,17 @@ static int lenovo_input_mapping_cptkbd(s
+ return 0;
+ }
+
++static int lenovo_input_mapping_scrollpoint(struct hid_device *hdev,
++ struct hid_input *hi, struct hid_field *field,
++ struct hid_usage *usage, unsigned long **bit, int *max)
++{
++ if (usage->hid == HID_GD_Z) {
++ hid_map_usage(hi, usage, bit, max, EV_REL, REL_HWHEEL);
++ return 1;
++ }
++ return 0;
++}
++
+ static int lenovo_input_mapping(struct hid_device *hdev,
+ struct hid_input *hi, struct hid_field *field,
+ struct hid_usage *usage, unsigned long **bit, int *max)
+@@ -172,6 +194,14 @@ static int lenovo_input_mapping(struct h
+ case USB_DEVICE_ID_LENOVO_CBTKBD:
+ return lenovo_input_mapping_cptkbd(hdev, hi, field,
+ usage, bit, max);
++ case USB_DEVICE_ID_IBM_SCROLLPOINT_III:
++ case USB_DEVICE_ID_IBM_SCROLLPOINT_PRO:
++ case USB_DEVICE_ID_IBM_SCROLLPOINT_OPTICAL:
++ case USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL:
++ case USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL_PRO:
++ case USB_DEVICE_ID_LENOVO_SCROLLPOINT_OPTICAL:
++ return lenovo_input_mapping_scrollpoint(hdev, hi, field,
++ usage, bit, max);
+ default:
+ return 0;
+ }
+@@ -883,6 +913,12 @@ static const struct hid_device_id lenovo
+ { HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_CUSBKBD) },
+ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_CBTKBD) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_TPPRODOCK) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_IBM, USB_DEVICE_ID_IBM_SCROLLPOINT_III) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_IBM, USB_DEVICE_ID_IBM_SCROLLPOINT_PRO) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_IBM, USB_DEVICE_ID_IBM_SCROLLPOINT_OPTICAL) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_IBM, USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_IBM, USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL_PRO) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_SCROLLPOINT_OPTICAL) },
+ { }
+ };
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Date: Tue, 24 Apr 2018 13:33:03 +0530
+Subject: HID: wacom: Release device resource data obtained by devres_alloc()
+
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+
+[ Upstream commit 097b8f62dd793e08f1732fc74dbb64596c7fbff9 ]
+
+Free device resource data, if __wacom_devm_sysfs_create_group
+is not successful.
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/wacom_sys.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -1213,8 +1213,10 @@ static int __wacom_devm_sysfs_create_gro
+ devres->root = root;
+
+ error = sysfs_create_group(devres->root, group);
+- if (error)
++ if (error) {
++ devres_free(devres);
+ return error;
++ }
+
+ devres_add(&wacom->hdev->dev, devres);
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Peter Rosin <peda@axentia.se>
+Date: Wed, 9 May 2018 21:46:30 +0200
+Subject: i2c: pmcmsp: fix error return from master_xfer
+
+From: Peter Rosin <peda@axentia.se>
+
+[ Upstream commit 12d9bbc5a7f347eaa65ff2a9d34995cadc05eb1b ]
+
+Returning -1 (-EPERM) is not appropriate here, go with -EIO.
+
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Fixes: 1b144df1d7d6 ("i2c: New PMC MSP71xx TWI bus driver")
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-pmcmsp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-pmcmsp.c
++++ b/drivers/i2c/busses/i2c-pmcmsp.c
+@@ -564,7 +564,7 @@ static int pmcmsptwi_master_xfer(struct
+ * TODO: We could potentially loop and retry in the case
+ * of MSP_TWI_XFER_TIMEOUT.
+ */
+- return -1;
++ return -EIO;
+ }
+
+ return num;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Peter Rosin <peda@axentia.se>
+Date: Wed, 9 May 2018 21:46:29 +0200
+Subject: i2c: pmcmsp: return message count on master_xfer success
+
+From: Peter Rosin <peda@axentia.se>
+
+[ Upstream commit de9a8634f1cb4560a35696d472cc7f1383d9b866 ]
+
+Returning zero is wrong in this case.
+
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Fixes: 1b144df1d7d6 ("i2c: New PMC MSP71xx TWI bus driver")
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-pmcmsp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-pmcmsp.c
++++ b/drivers/i2c/busses/i2c-pmcmsp.c
+@@ -567,7 +567,7 @@ static int pmcmsptwi_master_xfer(struct
+ return -1;
+ }
+
+- return 0;
++ return num;
+ }
+
+ static u32 pmcmsptwi_i2c_func(struct i2c_adapter *adapter)
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Baolin Wang <baolin.wang@linaro.org>
+Date: Mon, 9 Apr 2018 14:40:55 +0800
+Subject: i2c: sprd: Fix the i2c count issue
+
+From: Baolin Wang <baolin.wang@linaro.org>
+
+[ Upstream commit 2a010461207cc96bee5ab81748325dec1972976f ]
+
+We found the I2C controller count register is unreliable sometimes,
+that will cause I2C to lose data. Thus we can read the data count
+from 'i2c_dev->count' instead of the I2C controller count register.
+
+Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-sprd.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-sprd.c
++++ b/drivers/i2c/busses/i2c-sprd.c
+@@ -368,13 +368,12 @@ static irqreturn_t sprd_i2c_isr_thread(i
+ struct sprd_i2c *i2c_dev = dev_id;
+ struct i2c_msg *msg = i2c_dev->msg;
+ bool ack = !(readl(i2c_dev->base + I2C_STATUS) & I2C_RX_ACK);
+- u32 i2c_count = readl(i2c_dev->base + I2C_COUNT);
+ u32 i2c_tran;
+
+ if (msg->flags & I2C_M_RD)
+ i2c_tran = i2c_dev->count >= I2C_FIFO_FULL_THLD;
+ else
+- i2c_tran = i2c_count;
++ i2c_tran = i2c_dev->count;
+
+ /*
+ * If we got one ACK from slave when writing data, and we did not
+@@ -412,14 +411,13 @@ static irqreturn_t sprd_i2c_isr(int irq,
+ {
+ struct sprd_i2c *i2c_dev = dev_id;
+ struct i2c_msg *msg = i2c_dev->msg;
+- u32 i2c_count = readl(i2c_dev->base + I2C_COUNT);
+ bool ack = !(readl(i2c_dev->base + I2C_STATUS) & I2C_RX_ACK);
+ u32 i2c_tran;
+
+ if (msg->flags & I2C_M_RD)
+ i2c_tran = i2c_dev->count >= I2C_FIFO_FULL_THLD;
+ else
+- i2c_tran = i2c_count;
++ i2c_tran = i2c_dev->count;
+
+ /*
+ * If we did not get one ACK from slave when writing data, then we
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Baolin Wang <baolin.wang@linaro.org>
+Date: Mon, 9 Apr 2018 14:40:54 +0800
+Subject: i2c: sprd: Prevent i2c accesses after suspend is called
+
+From: Baolin Wang <baolin.wang@linaro.org>
+
+[ Upstream commit da33aa03fa34c918faf2c371ebda0dd961d7ccb2 ]
+
+Add one flag to indicate if the i2c controller has been in suspend state,
+which can prevent i2c accesses after i2c controller is suspended following
+system suspend.
+
+Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-sprd.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-sprd.c
++++ b/drivers/i2c/busses/i2c-sprd.c
+@@ -86,6 +86,7 @@ struct sprd_i2c {
+ u32 count;
+ int irq;
+ int err;
++ bool is_suspended;
+ };
+
+ static void sprd_i2c_set_count(struct sprd_i2c *i2c_dev, u32 count)
+@@ -283,6 +284,9 @@ static int sprd_i2c_master_xfer(struct i
+ struct sprd_i2c *i2c_dev = i2c_adap->algo_data;
+ int im, ret;
+
++ if (i2c_dev->is_suspended)
++ return -EBUSY;
++
+ ret = pm_runtime_get_sync(i2c_dev->dev);
+ if (ret < 0)
+ return ret;
+@@ -586,11 +590,23 @@ static int sprd_i2c_remove(struct platfo
+
+ static int __maybe_unused sprd_i2c_suspend_noirq(struct device *pdev)
+ {
++ struct sprd_i2c *i2c_dev = dev_get_drvdata(pdev);
++
++ i2c_lock_adapter(&i2c_dev->adap);
++ i2c_dev->is_suspended = true;
++ i2c_unlock_adapter(&i2c_dev->adap);
++
+ return pm_runtime_force_suspend(pdev);
+ }
+
+ static int __maybe_unused sprd_i2c_resume_noirq(struct device *pdev)
+ {
++ struct sprd_i2c *i2c_dev = dev_get_drvdata(pdev);
++
++ i2c_lock_adapter(&i2c_dev->adap);
++ i2c_dev->is_suspended = false;
++ i2c_unlock_adapter(&i2c_dev->adap);
++
+ return pm_runtime_force_resume(pdev);
+ }
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Peter Rosin <peda@axentia.se>
+Date: Wed, 9 May 2018 21:47:48 +0200
+Subject: i2c: viperboard: return message count on master_xfer success
+
+From: Peter Rosin <peda@axentia.se>
+
+[ Upstream commit 35cd67a0caf767aba472452865dcb4471fcce2b1 ]
+
+Returning zero is wrong in this case.
+
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Fixes: 174a13aa8669 ("i2c: Add viperboard i2c master driver")
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-viperboard.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-viperboard.c
++++ b/drivers/i2c/busses/i2c-viperboard.c
+@@ -337,7 +337,7 @@ static int vprbrd_i2c_xfer(struct i2c_ad
+ }
+ mutex_unlock(&vb->lock);
+ }
+- return 0;
++ return num;
+ error:
+ mutex_unlock(&vb->lock);
+ return error;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: "Håkon Bugge" <haakon.bugge@oracle.com>
+Date: Wed, 18 Apr 2018 16:24:50 +0200
+Subject: IB/core: Make ib_mad_client_id atomic
+
+From: "Håkon Bugge" <haakon.bugge@oracle.com>
+
+[ Upstream commit db82476f37413eaeff5f836a9d8b022d6544accf ]
+
+Currently, the kernel protects access to the agent ID allocator on a per
+port basis using a spinlock, so it is impossible for two apps/threads on
+the same port to get the same TID, but it is entirely possible for two
+threads on different ports to end up with the same TID.
+
+As this can be confusing (regardless of it being legal according to the
+IB Spec 1.3, C13-18.1.1, in section 13.4.6.4 - TransactionID usage),
+and as the rdma-core user space API for /dev/umad devices implies unique
+TIDs even across ports, make the TID an atomic type so that no two
+allocations, regardless of port number, will be the same.
+
+Signed-off-by: Håkon Bugge <haakon.bugge@oracle.com>
+Reviewed-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Reviewed-by: Zhu Yanjun <yanjun.zhu@oracle.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/mad.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/core/mad.c
++++ b/drivers/infiniband/core/mad.c
+@@ -59,7 +59,7 @@ module_param_named(recv_queue_size, mad_
+ MODULE_PARM_DESC(recv_queue_size, "Size of receive queue in number of work requests");
+
+ static struct list_head ib_mad_port_list;
+-static u32 ib_mad_client_id = 0;
++static atomic_t ib_mad_client_id = ATOMIC_INIT(0);
+
+ /* Port list lock */
+ static DEFINE_SPINLOCK(ib_mad_port_list_lock);
+@@ -377,7 +377,7 @@ struct ib_mad_agent *ib_register_mad_age
+ }
+
+ spin_lock_irqsave(&port_priv->reg_lock, flags);
+- mad_agent_priv->agent.hi_tid = ++ib_mad_client_id;
++ mad_agent_priv->agent.hi_tid = atomic_inc_return(&ib_mad_client_id);
+
+ /*
+ * Make sure MAD registration (if supplied)
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Sebastian Sanchez <sebastian.sanchez@intel.com>
+Date: Tue, 1 May 2018 05:36:13 -0700
+Subject: IB/hfi1: Fix memory leak in exception path in get_irq_affinity()
+
+From: Sebastian Sanchez <sebastian.sanchez@intel.com>
+
+[ Upstream commit 59482a14918b282ca2a98f38c69da5ebeb1107d2 ]
+
+When IRQ affinity is set and the interrupt type is unknown, a cpu
+mask allocated within the function is never freed. Fix this memory
+leak by allocating memory within the scope where it is used.
+
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Sebastian Sanchez <sebastian.sanchez@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/hfi1/affinity.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/affinity.c
++++ b/drivers/infiniband/hw/hfi1/affinity.c
+@@ -412,7 +412,6 @@ static void hfi1_cleanup_sdma_notifier(s
+ static int get_irq_affinity(struct hfi1_devdata *dd,
+ struct hfi1_msix_entry *msix)
+ {
+- int ret;
+ cpumask_var_t diff;
+ struct hfi1_affinity_node *entry;
+ struct cpu_mask_set *set = NULL;
+@@ -424,10 +423,6 @@ static int get_irq_affinity(struct hfi1_
+ extra[0] = '\0';
+ cpumask_clear(&msix->mask);
+
+- ret = zalloc_cpumask_var(&diff, GFP_KERNEL);
+- if (!ret)
+- return -ENOMEM;
+-
+ entry = node_affinity_lookup(dd->node);
+
+ switch (msix->type) {
+@@ -458,6 +453,9 @@ static int get_irq_affinity(struct hfi1_
+ * finds its CPU here.
+ */
+ if (cpu == -1 && set) {
++ if (!zalloc_cpumask_var(&diff, GFP_KERNEL))
++ return -ENOMEM;
++
+ if (cpumask_equal(&set->mask, &set->used)) {
+ /*
+ * We've used up all the CPUs, bump up the generation
+@@ -469,6 +467,8 @@ static int get_irq_affinity(struct hfi1_
+ cpumask_andnot(diff, &set->mask, &set->used);
+ cpu = cpumask_first(diff);
+ cpumask_set_cpu(cpu, &set->used);
++
++ free_cpumask_var(diff);
+ }
+
+ cpumask_set_cpu(cpu, &msix->mask);
+@@ -482,7 +482,6 @@ static int get_irq_affinity(struct hfi1_
+ hfi1_setup_sdma_notifier(msix);
+ }
+
+- free_cpumask_var(diff);
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Sebastian Sanchez <sebastian.sanchez@intel.com>
+Date: Tue, 1 May 2018 05:36:06 -0700
+Subject: IB/{hfi1, rdmavt}: Fix memory leak in hfi1_alloc_devdata() upon failure
+
+From: Sebastian Sanchez <sebastian.sanchez@intel.com>
+
+[ Upstream commit e9777ad4399c26c70318c4945f94efac2ed95391 ]
+
+When allocating device data, if there's an allocation failure, the
+already allocated memory won't be freed such as per-cpu counters.
+
+Fix memory leaks in exception path by creating a common reentrant
+clean up function hfi1_clean_devdata() to be used at driver unload
+time and device data allocation failure.
+
+To accomplish this, free_platform_config() and clean_up_i2c() are
+changed to be reentrant to remove dependencies when they are called
+in different order. This helps avoid NULL pointer dereferences
+introduced by this patch if those two functions weren't reentrant.
+
+In addition, set dd->int_counter, dd->rcv_limit,
+dd->send_schedule and dd->tx_opstats to NULL after they're freed in
+hfi1_clean_devdata(), so that hfi1_clean_devdata() is fully reentrant.
+
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Sebastian Sanchez <sebastian.sanchez@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/hfi1/init.c | 37 ++++++++++++++++++++++++----------
+ drivers/infiniband/hw/hfi1/platform.c | 1
+ drivers/infiniband/hw/hfi1/qsfp.c | 2 +
+ 3 files changed, 30 insertions(+), 10 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/init.c
++++ b/drivers/infiniband/hw/hfi1/init.c
+@@ -1209,30 +1209,49 @@ static void finalize_asic_data(struct hf
+ kfree(ad);
+ }
+
+-static void __hfi1_free_devdata(struct kobject *kobj)
++/**
++ * hfi1_clean_devdata - cleans up per-unit data structure
++ * @dd: pointer to a valid devdata structure
++ *
++ * It cleans up all data structures set up by
++ * by hfi1_alloc_devdata().
++ */
++static void hfi1_clean_devdata(struct hfi1_devdata *dd)
+ {
+- struct hfi1_devdata *dd =
+- container_of(kobj, struct hfi1_devdata, kobj);
+ struct hfi1_asic_data *ad;
+ unsigned long flags;
+
+ spin_lock_irqsave(&hfi1_devs_lock, flags);
+- idr_remove(&hfi1_unit_table, dd->unit);
+- list_del(&dd->list);
++ if (!list_empty(&dd->list)) {
++ idr_remove(&hfi1_unit_table, dd->unit);
++ list_del_init(&dd->list);
++ }
+ ad = release_asic_data(dd);
+ spin_unlock_irqrestore(&hfi1_devs_lock, flags);
+- if (ad)
+- finalize_asic_data(dd, ad);
++
++ finalize_asic_data(dd, ad);
+ free_platform_config(dd);
+ rcu_barrier(); /* wait for rcu callbacks to complete */
+ free_percpu(dd->int_counter);
+ free_percpu(dd->rcv_limit);
+ free_percpu(dd->send_schedule);
+ free_percpu(dd->tx_opstats);
++ dd->int_counter = NULL;
++ dd->rcv_limit = NULL;
++ dd->send_schedule = NULL;
++ dd->tx_opstats = NULL;
+ sdma_clean(dd, dd->num_sdma);
+ rvt_dealloc_device(&dd->verbs_dev.rdi);
+ }
+
++static void __hfi1_free_devdata(struct kobject *kobj)
++{
++ struct hfi1_devdata *dd =
++ container_of(kobj, struct hfi1_devdata, kobj);
++
++ hfi1_clean_devdata(dd);
++}
++
+ static struct kobj_type hfi1_devdata_type = {
+ .release = __hfi1_free_devdata,
+ };
+@@ -1333,9 +1352,7 @@ struct hfi1_devdata *hfi1_alloc_devdata(
+ return dd;
+
+ bail:
+- if (!list_empty(&dd->list))
+- list_del_init(&dd->list);
+- rvt_dealloc_device(&dd->verbs_dev.rdi);
++ hfi1_clean_devdata(dd);
+ return ERR_PTR(ret);
+ }
+
+--- a/drivers/infiniband/hw/hfi1/platform.c
++++ b/drivers/infiniband/hw/hfi1/platform.c
+@@ -199,6 +199,7 @@ void free_platform_config(struct hfi1_de
+ {
+ /* Release memory allocated for eprom or fallback file read. */
+ kfree(dd->platform_config.data);
++ dd->platform_config.data = NULL;
+ }
+
+ void get_port_type(struct hfi1_pportdata *ppd)
+--- a/drivers/infiniband/hw/hfi1/qsfp.c
++++ b/drivers/infiniband/hw/hfi1/qsfp.c
+@@ -204,6 +204,8 @@ static void clean_i2c_bus(struct hfi1_i2
+
+ void clean_up_i2c(struct hfi1_devdata *dd, struct hfi1_asic_data *ad)
+ {
++ if (!ad)
++ return;
+ clean_i2c_bus(ad->i2c_bus0);
+ ad->i2c_bus0 = NULL;
+ clean_i2c_bus(ad->i2c_bus1);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: "Michael J. Ruhl" <michael.j.ruhl@intel.com>
+Date: Tue, 1 May 2018 05:35:43 -0700
+Subject: IB/hfi1 Use correct type for num_user_context
+
+From: "Michael J. Ruhl" <michael.j.ruhl@intel.com>
+
+[ Upstream commit 5da9e742be44d9b7c68b1bf6e1aaf46a1aa7a52b ]
+
+The module parameter num_user_context is defined as 'int' and
+defaults to -1. The module_param_named() says that it is uint.
+
+Correct module_param_named() type information and update the modinfo
+text to reflect the default value.
+
+Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/hfi1/init.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/init.c
++++ b/drivers/infiniband/hw/hfi1/init.c
+@@ -88,9 +88,9 @@
+ * pio buffers per ctxt, etc.) Zero means use one user context per CPU.
+ */
+ int num_user_contexts = -1;
+-module_param_named(num_user_contexts, num_user_contexts, uint, S_IRUGO);
++module_param_named(num_user_contexts, num_user_contexts, int, 0444);
+ MODULE_PARM_DESC(
+- num_user_contexts, "Set max number of user contexts to use");
++ num_user_contexts, "Set max number of user contexts to use (default: -1 will use the real (non-HT) CPU count)");
+
+ uint krcvqs[RXE_NUM_DATA_VL];
+ int krcvqsset;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Greg Thelen <gthelen@google.com>
+Date: Thu, 26 Apr 2018 11:19:35 -0700
+Subject: IB: make INFINIBAND_ADDR_TRANS configurable
+
+From: Greg Thelen <gthelen@google.com>
+
+[ Upstream commit f7cb7b85be55a4906b4b4b30596db1043dae6335 ]
+
+Allow INFINIBAND without INFINIBAND_ADDR_TRANS because fuzzing has been
+finding fair number of CM bugs. So provide option to disable it.
+
+Signed-off-by: Greg Thelen <gthelen@google.com>
+Cc: Tarick Bedeir <tarick@google.com>
+Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/Kconfig | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/Kconfig
++++ b/drivers/infiniband/Kconfig
+@@ -62,9 +62,12 @@ config INFINIBAND_ON_DEMAND_PAGING
+ pages on demand instead.
+
+ config INFINIBAND_ADDR_TRANS
+- bool
++ bool "RDMA/CM"
+ depends on INFINIBAND
+ default y
++ ---help---
++ Support for RDMA communication manager (CM).
++ This allows for a generic connection abstraction over RDMA.
+
+ config INFINIBAND_ADDR_TRANS_CONFIGFS
+ bool
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Wed, 2 May 2018 13:04:25 +0300
+Subject: IB/mlx4: Fix integer overflow when calculating optimal MTT size
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+[ Upstream commit b03bcde962606d2ee59a4e9dd470db9ad53c5418 ]
+
+When the kernel was compiled using the UBSAN option,
+we saw the following stack trace:
+
+[ 1184.827917] UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx4/mr.c:349:27
+[ 1184.828114] signed integer overflow:
+[ 1184.828247] -2147483648 - 1 cannot be represented in type 'int'
+
+The problem was caused by calling round_up in procedure
+mlx4_ib_umem_calc_optimal_mtt_size (on line 349, as noted in the stack
+trace) with the second parameter (1 << block_shift) (which is an int).
+The second parameter should have been (1ULL << block_shift) (which
+is an unsigned long long).
+
+(1 << block_shift) is treated by the compiler as an int (because 1 is
+an integer).
+
+Now, local variable block_shift is initialized to 31.
+If block_shift is 31, 1 << block_shift is 1 << 31 = 0x80000000=-214748368.
+This is the most negative int value.
+
+Inside the round_up macro, there is a cast applied to ((1 << 31) - 1).
+However, this cast is applied AFTER ((1 << 31) - 1) is calculated.
+Since (1 << 31) is treated as an int, we get the negative overflow
+identified by UBSAN in the process of calculating ((1 << 31) - 1).
+
+The fix is to change (1 << block_shift) to (1ULL << block_shift) on
+line 349.
+
+Fixes: 9901abf58368 ("IB/mlx4: Use optimal numbers of MTT entries")
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx4/mr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx4/mr.c
++++ b/drivers/infiniband/hw/mlx4/mr.c
+@@ -346,7 +346,7 @@ int mlx4_ib_umem_calc_optimal_mtt_size(s
+ /* Add to the first block the misalignment that it suffers from. */
+ total_len += (first_block_start & ((1ULL << block_shift) - 1ULL));
+ last_block_end = current_block_start + current_block_len;
+- last_block_aligned_end = round_up(last_block_end, 1 << block_shift);
++ last_block_aligned_end = round_up(last_block_end, 1ULL << block_shift);
+ total_len += (last_block_aligned_end - last_block_end);
+
+ if (total_len & ((1ULL << block_shift) - 1ULL))
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Jianchao Wang <jianchao.w.wang@oracle.com>
+Date: Thu, 26 Apr 2018 11:52:39 +0800
+Subject: IB/rxe: add RXE_START_MASK for rxe_opcode IB_OPCODE_RC_SEND_ONLY_INV
+
+From: Jianchao Wang <jianchao.w.wang@oracle.com>
+
+[ Upstream commit 2da36d44a9d54a2c6e1f8da1f7ccc26b0bc6cfec ]
+
+w/o RXE_START_MASK, the last_psn of IB_OPCODE_RC_SEND_ONLY_INV
+will not be updated in update_wqe_psn, and the corresponding
+wqe will not be acked in rxe_completer due to its last_psn is
+zero. Finally, the other wqe will also not be able to be acked,
+because the wqe of IB_OPCODE_RC_SEND_ONLY_INV with last_psn 0
+is still there. This causes large amount of io timeout when
+nvmeof is over rxe.
+
+Add RXE_START_MASK for IB_OPCODE_RC_SEND_ONLY_INV to fix this.
+
+Signed-off-by: Jianchao Wang <jianchao.w.wang@oracle.com>
+Reviewed-by: Zhu Yanjun <yanjun.zhu@oracle.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/sw/rxe/rxe_opcode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/sw/rxe/rxe_opcode.c
++++ b/drivers/infiniband/sw/rxe/rxe_opcode.c
+@@ -390,7 +390,7 @@ struct rxe_opcode_info rxe_opcode[RXE_NU
+ .name = "IB_OPCODE_RC_SEND_ONLY_INV",
+ .mask = RXE_IETH_MASK | RXE_PAYLOAD_MASK | RXE_REQ_MASK
+ | RXE_COMP_MASK | RXE_RWR_MASK | RXE_SEND_MASK
+- | RXE_END_MASK,
++ | RXE_END_MASK | RXE_START_MASK,
+ .length = RXE_BTH_BYTES + RXE_IETH_BYTES,
+ .offset = {
+ [RXE_BTH] = 0,
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Zhu Yanjun <yanjun.zhu@oracle.com>
+Date: Thu, 26 Apr 2018 00:41:10 -0400
+Subject: IB/rxe: avoid double kfree_skb
+
+From: Zhu Yanjun <yanjun.zhu@oracle.com>
+
+[ Upstream commit 9fd4350ba8953804f05215999e11a6cfb7b41f2b ]
+
+When skb is sent, it will pass the following functions in soft roce.
+
+rxe_send [rdma_rxe]
+ ip_local_out
+ __ip_local_out
+ ip_output
+ ip_finish_output
+ ip_finish_output2
+ dev_queue_xmit
+ __dev_queue_xmit
+ dev_hard_start_xmit
+
+In the above functions, if error occurs in the above functions or
+iptables rules drop skb after ip_local_out, kfree_skb will be called.
+So it is not necessary to call kfree_skb in soft roce module again.
+Or else crash will occur.
+
+The steps to reproduce:
+
+ server client
+ --------- ---------
+ |1.1.1.1|<----rxe-channel--->|1.1.1.2|
+ --------- ---------
+
+On server: rping -s -a 1.1.1.1 -v -C 10000 -S 512
+On client: rping -c -a 1.1.1.1 -v -C 10000 -S 512
+
+The kernel configs CONFIG_DEBUG_KMEMLEAK and
+CONFIG_DEBUG_OBJECTS are enabled on both server and client.
+
+When rping runs, run the following command in server:
+
+iptables -I OUTPUT -p udp --dport 4791 -j DROP
+
+Without this patch, crash will occur.
+
+CC: Srinivas Eeda <srinivas.eeda@oracle.com>
+CC: Junxiao Bi <junxiao.bi@oracle.com>
+Signed-off-by: Zhu Yanjun <yanjun.zhu@oracle.com>
+Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/sw/rxe/rxe_req.c | 1 -
+ drivers/infiniband/sw/rxe/rxe_resp.c | 6 +-----
+ 2 files changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/infiniband/sw/rxe/rxe_req.c
++++ b/drivers/infiniband/sw/rxe/rxe_req.c
+@@ -728,7 +728,6 @@ next_wqe:
+ rollback_state(wqe, qp, &rollback_wqe, rollback_psn);
+
+ if (ret == -EAGAIN) {
+- kfree_skb(skb);
+ rxe_run_task(&qp->req.task, 1);
+ goto exit;
+ }
+--- a/drivers/infiniband/sw/rxe/rxe_resp.c
++++ b/drivers/infiniband/sw/rxe/rxe_resp.c
+@@ -742,7 +742,6 @@ static enum resp_states read_reply(struc
+ err = rxe_xmit_packet(rxe, qp, &ack_pkt, skb);
+ if (err) {
+ pr_err("Failed sending RDMA reply.\n");
+- kfree_skb(skb);
+ return RESPST_ERR_RNR;
+ }
+
+@@ -954,10 +953,8 @@ static int send_ack(struct rxe_qp *qp, s
+ }
+
+ err = rxe_xmit_packet(rxe, qp, &ack_pkt, skb);
+- if (err) {
++ if (err)
+ pr_err_ratelimited("Failed sending ack\n");
+- kfree_skb(skb);
+- }
+
+ err1:
+ return err;
+@@ -1150,7 +1147,6 @@ static enum resp_states duplicate_reques
+ if (rc) {
+ pr_err("Failed resending result. This flow is not handled - skb ignored\n");
+ rxe_drop_ref(qp);
+- kfree_skb(skb_copy);
+ rc = RESPST_CLEANUP;
+ goto out;
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Matan Barak <matanb@mellanox.com>
+Date: Tue, 24 Apr 2018 08:15:20 +0000
+Subject: IB/uverbs: Fix validating mandatory attributes
+
+From: Matan Barak <matanb@mellanox.com>
+
+[ Upstream commit f604db645a66b7ba4f21c426fe73253928dada41 ]
+
+Previously, if a method contained mandatory attributes in a namespace
+that wasn't given by the user, these attributes weren't validated.
+Fixing this by iterating over all specification namespaces.
+
+Fixes: fac9658cabb9 ("IB/core: Add new ioctl interface")
+Signed-off-by: Matan Barak <matanb@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/uverbs_ioctl.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/infiniband/core/uverbs_ioctl.c
++++ b/drivers/infiniband/core/uverbs_ioctl.c
+@@ -191,6 +191,15 @@ static int uverbs_validate_kernel_mandat
+ return -EINVAL;
+ }
+
++ for (; i < method_spec->num_buckets; i++) {
++ struct uverbs_attr_spec_hash *attr_spec_bucket =
++ method_spec->attr_buckets[i];
++
++ if (!bitmap_empty(attr_spec_bucket->mandatory_attrs_bitmask,
++ attr_spec_bucket->num_attrs))
++ return -EINVAL;
++ }
++
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Greg Thelen <gthelen@google.com>
+Date: Thu, 26 Apr 2018 11:19:34 -0700
+Subject: ib_srp: depend on INFINIBAND_ADDR_TRANS
+
+From: Greg Thelen <gthelen@google.com>
+
+[ Upstream commit 5a3bc8a4abbd2d553430218d3a320400dce811b7 ]
+
+INFINIBAND_SRP code depends on INFINIBAND_ADDR_TRANS provided symbols.
+So declare the kconfig dependency. This is necessary to allow for
+enabling INFINIBAND without INFINIBAND_ADDR_TRANS.
+
+Signed-off-by: Greg Thelen <gthelen@google.com>
+Cc: Tarick Bedeir <tarick@google.com>
+Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/srp/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/ulp/srp/Kconfig
++++ b/drivers/infiniband/ulp/srp/Kconfig
+@@ -1,6 +1,6 @@
+ config INFINIBAND_SRP
+ tristate "InfiniBand SCSI RDMA Protocol"
+- depends on SCSI
++ depends on SCSI && INFINIBAND_ADDR_TRANS
+ select SCSI_SRP_ATTRS
+ ---help---
+ Support for the SCSI RDMA Protocol over InfiniBand. This
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Greg Thelen <gthelen@google.com>
+Date: Thu, 26 Apr 2018 11:19:32 -0700
+Subject: ib_srpt: depend on INFINIBAND_ADDR_TRANS
+
+From: Greg Thelen <gthelen@google.com>
+
+[ Upstream commit 346a47b65d10e450778ec0d21e4a9409f25daaa8 ]
+
+INFINIBAND_SRPT code depends on INFINIBAND_ADDR_TRANS provided symbols.
+So declare the kconfig dependency. This is necessary to allow for
+enabling INFINIBAND without INFINIBAND_ADDR_TRANS.
+
+Signed-off-by: Greg Thelen <gthelen@google.com>
+Cc: Tarick Bedeir <tarick@google.com>
+Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/srpt/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/ulp/srpt/Kconfig
++++ b/drivers/infiniband/ulp/srpt/Kconfig
+@@ -1,6 +1,6 @@
+ config INFINIBAND_SRPT
+ tristate "InfiniBand SCSI RDMA Protocol target support"
+- depends on INFINIBAND && TARGET_CORE
++ depends on INFINIBAND && INFINIBAND_ADDR_TRANS && TARGET_CORE
+ ---help---
+
+ Support for the SCSI RDMA Protocol (SRP) Target driver. The
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Nathan Fontenot <nfont@linux.vnet.ibm.com>
+Date: Wed, 11 Apr 2018 10:09:38 -0500
+Subject: ibmvnic: Do not notify peers on parameter change resets
+
+From: Nathan Fontenot <nfont@linux.vnet.ibm.com>
+
+[ Upstream commit ebc701b796a67a5785399dcbc83d90e3b5f1e02f ]
+
+When attempting to change the driver parameters, such as the MTU
+value or number of queues, do not call netdev_notify_peers().
+Doing so will deadlock on the rtnl_lock.
+
+Signed-off-by: Nathan Fontenot <nfont@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1711,7 +1711,8 @@ static int do_reset(struct ibmvnic_adapt
+ for (i = 0; i < adapter->req_rx_queues; i++)
+ napi_schedule(&adapter->napi[i]);
+
+- if (adapter->reset_reason != VNIC_RESET_FAILOVER)
++ if (adapter->reset_reason != VNIC_RESET_FAILOVER &&
++ adapter->reset_reason != VNIC_RESET_CHANGE_PARAM)
+ netdev_notify_peers(netdev);
+
+ netif_carrier_on(netdev);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Date: Fri, 30 Mar 2018 17:06:52 -0700
+Subject: igb: Fix the transmission mode of queue 0 for Qav mode
+
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+
+[ Upstream commit 2707df9773cd2cb8b0f35b8592431b301da9d352 ]
+
+When Qav mode is enabled, queue 0 should be kept on Stream Reservation
+mode. From the i210 datasheet, section 8.12.19:
+
+"Note: Queue0 QueueMode must be set to 1b when TransmitMode is set to
+Qav." ("QueueMode 1b" represents the Stream Reservation mode)
+
+The solution is to give queue 0 the all the credits it might need, so
+it has priority over queue 1.
+
+A situation where this can happen is when cbs is "installed" only on
+queue 1, leaving queue 0 alone. For example:
+
+$ tc qdisc replace dev enp2s0 handle 100: parent root mqprio num_tc 3 \
+ map 2 2 1 0 2 2 2 2 2 2 2 2 2 2 2 2 queues 1@0 1@1 2@2 hw 0
+
+$ tc qdisc replace dev enp2s0 parent 100:2 cbs locredit -1470 \
+ hicredit 30 sendslope -980000 idleslope 20000 offload 1
+
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -1698,7 +1698,22 @@ static void igb_configure_cbs(struct igb
+ WARN_ON(hw->mac.type != e1000_i210);
+ WARN_ON(queue < 0 || queue > 1);
+
+- if (enable) {
++ if (enable || queue == 0) {
++ /* i210 does not allow the queue 0 to be in the Strict
++ * Priority mode while the Qav mode is enabled, so,
++ * instead of disabling strict priority mode, we give
++ * queue 0 the maximum of credits possible.
++ *
++ * See section 8.12.19 of the i210 datasheet, "Note:
++ * Queue0 QueueMode must be set to 1b when
++ * TransmitMode is set to Qav."
++ */
++ if (queue == 0 && !enable) {
++ /* max "linkspeed" idleslope in kbps */
++ idleslope = 1000000;
++ hicredit = ETH_FRAME_LEN;
++ }
++
+ set_tx_desc_fetch_prio(hw, queue, TX_QUEUE_PRIO_HIGH);
+ set_queue_mode(hw, queue, QUEUE_MODE_STREAM_RESERVATION);
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Jeffrey Hugo <jhugo@codeaurora.org>
+Date: Fri, 11 May 2018 16:01:42 -0700
+Subject: init: fix false positives in W+X checking
+
+From: Jeffrey Hugo <jhugo@codeaurora.org>
+
+[ Upstream commit ae646f0b9ca135b87bc73ff606ef996c3029780a ]
+
+load_module() creates W+X mappings via __vmalloc_node_range() (from
+layout_and_allocate()->move_module()->module_alloc()) by using
+PAGE_KERNEL_EXEC. These mappings are later cleaned up via
+"call_rcu_sched(&freeinit->rcu, do_free_init)" from do_init_module().
+
+This is a problem because call_rcu_sched() queues work, which can be run
+after debug_checkwx() is run, resulting in a race condition. If hit,
+the race results in a nasty splat about insecure W+X mappings, which
+results in a poor user experience as these are not the mappings that
+debug_checkwx() is intended to catch.
+
+This issue is observed on multiple arm64 platforms, and has been
+artificially triggered on an x86 platform.
+
+Address the race by flushing the queued work before running the
+arch-defined mark_rodata_ro() which then calls debug_checkwx().
+
+Link: http://lkml.kernel.org/r/1525103946-29526-1-git-send-email-jhugo@codeaurora.org
+Fixes: e1a58320a38d ("x86/mm: Warn on W^X mappings")
+Signed-off-by: Jeffrey Hugo <jhugo@codeaurora.org>
+Reported-by: Timur Tabi <timur@codeaurora.org>
+Reported-by: Jan Glauber <jan.glauber@caviumnetworks.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Acked-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Acked-by: Laura Abbott <labbott@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Stephen Smalley <sds@tycho.nsa.gov>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ init/main.c | 7 +++++++
+ kernel/module.c | 5 +++++
+ 2 files changed, 12 insertions(+)
+
+--- a/init/main.c
++++ b/init/main.c
+@@ -981,6 +981,13 @@ __setup("rodata=", set_debug_rodata);
+ static void mark_readonly(void)
+ {
+ if (rodata_enabled) {
++ /*
++ * load_module() results in W+X mappings, which are cleaned up
++ * with call_rcu_sched(). Let's make sure that queued work is
++ * flushed so that we don't hit false positives looking for
++ * insecure pages which are W+X.
++ */
++ rcu_barrier_sched();
+ mark_rodata_ro();
+ rodata_test();
+ } else
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -3521,6 +3521,11 @@ static noinline int do_init_module(struc
+ * walking this with preempt disabled. In all the failure paths, we
+ * call synchronize_sched(), but we don't want to slow down the success
+ * path, so use actual RCU here.
++ * Note that module_alloc() on most architectures creates W+X page
++ * mappings which won't be cleaned up until do_free_init() runs. Any
++ * code such as mark_rodata_ro() which depends on those mappings to
++ * be cleaned up needs to sync with the queued work - ie
++ * rcu_barrier_sched()
+ */
+ call_rcu_sched(&freeinit->rcu, do_free_init);
+ mutex_unlock(&module_mutex);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Nick Dyer <nick@shmanahar.org>
+Date: Tue, 1 May 2018 11:40:18 -0700
+Subject: Input: atmel_mxt_ts - fix the firmware update
+
+From: Nick Dyer <nick@shmanahar.org>
+
+[ Upstream commit 068bdb67ef74df0ad1627b7247a163e3e252ac11 ]
+
+The automatic update mechanism will trigger an update if the
+info block CRCs are different between maxtouch configuration
+file (maxtouch.cfg) and chip.
+
+The driver compared the CRCs without retrieving the chip CRC,
+resulting always in a failure and firmware flashing action
+triggered. Fix this issue by retrieving the chip info block
+CRC before the check.
+
+Note that this solution has the benefit that by reading the
+information block and the object table into a contiguous region
+of memory, we can verify the checksum at probe time. This means
+we make sure that we are indeed talking to a chip that supports
+object protocol correctly.
+
+Using this patch on a kevin chromebook, the touchscreen and
+touchpad drivers are able to match the CRC:
+
+ atmel_mxt_ts 3-004b: Family: 164 Variant: 14 Firmware V2.3.AA Objects: 40
+ atmel_mxt_ts 5-004a: Family: 164 Variant: 17 Firmware V2.0.AA Objects: 31
+ atmel_mxt_ts 3-004b: Resetting device
+ atmel_mxt_ts 5-004a: Resetting device
+ atmel_mxt_ts 3-004b: Config CRC 0x573E89: OK
+ atmel_mxt_ts 3-004b: Touchscreen size X4095Y2729
+ input: Atmel maXTouch Touchscreen as /devices/platform/ff130000.i2c/i2c-3/3-004b/input/input5
+ atmel_mxt_ts 5-004a: Config CRC 0x0AF6BA: OK
+ atmel_mxt_ts 5-004a: Touchscreen size X1920Y1080
+ input: Atmel maXTouch Touchpad as /devices/platform/ff140000.i2c/i2c-5/5-004a/input/input6
+
+Signed-off-by: Nick Dyer <nick.dyer@shmanahar.org>
+Acked-by: Benson Leung <bleung@chromium.org>
+[Ezequiel: minor patch massage]
+Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com>
+Tested-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/atmel_mxt_ts.c | 186 ++++++++++++++++++-------------
+ 1 file changed, 110 insertions(+), 76 deletions(-)
+
+--- a/drivers/input/touchscreen/atmel_mxt_ts.c
++++ b/drivers/input/touchscreen/atmel_mxt_ts.c
+@@ -275,7 +275,8 @@ struct mxt_data {
+ char phys[64]; /* device physical location */
+ const struct mxt_platform_data *pdata;
+ struct mxt_object *object_table;
+- struct mxt_info info;
++ struct mxt_info *info;
++ void *raw_info_block;
+ unsigned int irq;
+ unsigned int max_x;
+ unsigned int max_y;
+@@ -450,12 +451,13 @@ static int mxt_lookup_bootloader_address
+ {
+ u8 appmode = data->client->addr;
+ u8 bootloader;
++ u8 family_id = data->info ? data->info->family_id : 0;
+
+ switch (appmode) {
+ case 0x4a:
+ case 0x4b:
+ /* Chips after 1664S use different scheme */
+- if (retry || data->info.family_id >= 0xa2) {
++ if (retry || family_id >= 0xa2) {
+ bootloader = appmode - 0x24;
+ break;
+ }
+@@ -682,7 +684,7 @@ mxt_get_object(struct mxt_data *data, u8
+ struct mxt_object *object;
+ int i;
+
+- for (i = 0; i < data->info.object_num; i++) {
++ for (i = 0; i < data->info->object_num; i++) {
+ object = data->object_table + i;
+ if (object->type == type)
+ return object;
+@@ -1453,12 +1455,12 @@ static int mxt_update_cfg(struct mxt_dat
+ data_pos += offset;
+ }
+
+- if (cfg_info.family_id != data->info.family_id) {
++ if (cfg_info.family_id != data->info->family_id) {
+ dev_err(dev, "Family ID mismatch!\n");
+ return -EINVAL;
+ }
+
+- if (cfg_info.variant_id != data->info.variant_id) {
++ if (cfg_info.variant_id != data->info->variant_id) {
+ dev_err(dev, "Variant ID mismatch!\n");
+ return -EINVAL;
+ }
+@@ -1503,7 +1505,7 @@ static int mxt_update_cfg(struct mxt_dat
+
+ /* Malloc memory to store configuration */
+ cfg_start_ofs = MXT_OBJECT_START +
+- data->info.object_num * sizeof(struct mxt_object) +
++ data->info->object_num * sizeof(struct mxt_object) +
+ MXT_INFO_CHECKSUM_SIZE;
+ config_mem_size = data->mem_size - cfg_start_ofs;
+ config_mem = kzalloc(config_mem_size, GFP_KERNEL);
+@@ -1554,20 +1556,6 @@ release_mem:
+ return ret;
+ }
+
+-static int mxt_get_info(struct mxt_data *data)
+-{
+- struct i2c_client *client = data->client;
+- struct mxt_info *info = &data->info;
+- int error;
+-
+- /* Read 7-byte info block starting at address 0 */
+- error = __mxt_read_reg(client, 0, sizeof(*info), info);
+- if (error)
+- return error;
+-
+- return 0;
+-}
+-
+ static void mxt_free_input_device(struct mxt_data *data)
+ {
+ if (data->input_dev) {
+@@ -1582,9 +1570,10 @@ static void mxt_free_object_table(struct
+ video_unregister_device(&data->dbg.vdev);
+ v4l2_device_unregister(&data->dbg.v4l2);
+ #endif
+-
+- kfree(data->object_table);
+ data->object_table = NULL;
++ data->info = NULL;
++ kfree(data->raw_info_block);
++ data->raw_info_block = NULL;
+ kfree(data->msg_buf);
+ data->msg_buf = NULL;
+ data->T5_address = 0;
+@@ -1600,34 +1589,18 @@ static void mxt_free_object_table(struct
+ data->max_reportid = 0;
+ }
+
+-static int mxt_get_object_table(struct mxt_data *data)
++static int mxt_parse_object_table(struct mxt_data *data,
++ struct mxt_object *object_table)
+ {
+ struct i2c_client *client = data->client;
+- size_t table_size;
+- struct mxt_object *object_table;
+- int error;
+ int i;
+ u8 reportid;
+ u16 end_address;
+
+- table_size = data->info.object_num * sizeof(struct mxt_object);
+- object_table = kzalloc(table_size, GFP_KERNEL);
+- if (!object_table) {
+- dev_err(&data->client->dev, "Failed to allocate memory\n");
+- return -ENOMEM;
+- }
+-
+- error = __mxt_read_reg(client, MXT_OBJECT_START, table_size,
+- object_table);
+- if (error) {
+- kfree(object_table);
+- return error;
+- }
+-
+ /* Valid Report IDs start counting from 1 */
+ reportid = 1;
+ data->mem_size = 0;
+- for (i = 0; i < data->info.object_num; i++) {
++ for (i = 0; i < data->info->object_num; i++) {
+ struct mxt_object *object = object_table + i;
+ u8 min_id, max_id;
+
+@@ -1651,8 +1624,8 @@ static int mxt_get_object_table(struct m
+
+ switch (object->type) {
+ case MXT_GEN_MESSAGE_T5:
+- if (data->info.family_id == 0x80 &&
+- data->info.version < 0x20) {
++ if (data->info->family_id == 0x80 &&
++ data->info->version < 0x20) {
+ /*
+ * On mXT224 firmware versions prior to V2.0
+ * read and discard unused CRC byte otherwise
+@@ -1707,24 +1680,102 @@ static int mxt_get_object_table(struct m
+ /* If T44 exists, T5 position has to be directly after */
+ if (data->T44_address && (data->T5_address != data->T44_address + 1)) {
+ dev_err(&client->dev, "Invalid T44 position\n");
+- error = -EINVAL;
+- goto free_object_table;
++ return -EINVAL;
+ }
+
+ data->msg_buf = kcalloc(data->max_reportid,
+ data->T5_msg_size, GFP_KERNEL);
+- if (!data->msg_buf) {
+- dev_err(&client->dev, "Failed to allocate message buffer\n");
++ if (!data->msg_buf)
++ return -ENOMEM;
++
++ return 0;
++}
++
++static int mxt_read_info_block(struct mxt_data *data)
++{
++ struct i2c_client *client = data->client;
++ int error;
++ size_t size;
++ void *id_buf, *buf;
++ uint8_t num_objects;
++ u32 calculated_crc;
++ u8 *crc_ptr;
++
++ /* If info block already allocated, free it */
++ if (data->raw_info_block)
++ mxt_free_object_table(data);
++
++ /* Read 7-byte ID information block starting at address 0 */
++ size = sizeof(struct mxt_info);
++ id_buf = kzalloc(size, GFP_KERNEL);
++ if (!id_buf)
++ return -ENOMEM;
++
++ error = __mxt_read_reg(client, 0, size, id_buf);
++ if (error)
++ goto err_free_mem;
++
++ /* Resize buffer to give space for rest of info block */
++ num_objects = ((struct mxt_info *)id_buf)->object_num;
++ size += (num_objects * sizeof(struct mxt_object))
++ + MXT_INFO_CHECKSUM_SIZE;
++
++ buf = krealloc(id_buf, size, GFP_KERNEL);
++ if (!buf) {
+ error = -ENOMEM;
+- goto free_object_table;
++ goto err_free_mem;
++ }
++ id_buf = buf;
++
++ /* Read rest of info block */
++ error = __mxt_read_reg(client, MXT_OBJECT_START,
++ size - MXT_OBJECT_START,
++ id_buf + MXT_OBJECT_START);
++ if (error)
++ goto err_free_mem;
++
++ /* Extract & calculate checksum */
++ crc_ptr = id_buf + size - MXT_INFO_CHECKSUM_SIZE;
++ data->info_crc = crc_ptr[0] | (crc_ptr[1] << 8) | (crc_ptr[2] << 16);
++
++ calculated_crc = mxt_calculate_crc(id_buf, 0,
++ size - MXT_INFO_CHECKSUM_SIZE);
++
++ /*
++ * CRC mismatch can be caused by data corruption due to I2C comms
++ * issue or else device is not using Object Based Protocol (eg i2c-hid)
++ */
++ if ((data->info_crc == 0) || (data->info_crc != calculated_crc)) {
++ dev_err(&client->dev,
++ "Info Block CRC error calculated=0x%06X read=0x%06X\n",
++ calculated_crc, data->info_crc);
++ error = -EIO;
++ goto err_free_mem;
++ }
++
++ data->raw_info_block = id_buf;
++ data->info = (struct mxt_info *)id_buf;
++
++ dev_info(&client->dev,
++ "Family: %u Variant: %u Firmware V%u.%u.%02X Objects: %u\n",
++ data->info->family_id, data->info->variant_id,
++ data->info->version >> 4, data->info->version & 0xf,
++ data->info->build, data->info->object_num);
++
++ /* Parse object table information */
++ error = mxt_parse_object_table(data, id_buf + MXT_OBJECT_START);
++ if (error) {
++ dev_err(&client->dev, "Error %d parsing object table\n", error);
++ mxt_free_object_table(data);
++ goto err_free_mem;
+ }
+
+- data->object_table = object_table;
++ data->object_table = (struct mxt_object *)(id_buf + MXT_OBJECT_START);
+
+ return 0;
+
+-free_object_table:
+- mxt_free_object_table(data);
++err_free_mem:
++ kfree(id_buf);
+ return error;
+ }
+
+@@ -2039,7 +2090,7 @@ static int mxt_initialize(struct mxt_dat
+ int error;
+
+ while (1) {
+- error = mxt_get_info(data);
++ error = mxt_read_info_block(data);
+ if (!error)
+ break;
+
+@@ -2070,16 +2121,9 @@ static int mxt_initialize(struct mxt_dat
+ msleep(MXT_FW_RESET_TIME);
+ }
+
+- /* Get object table information */
+- error = mxt_get_object_table(data);
+- if (error) {
+- dev_err(&client->dev, "Error %d reading object table\n", error);
+- return error;
+- }
+-
+ error = mxt_acquire_irq(data);
+ if (error)
+- goto err_free_object_table;
++ return error;
+
+ error = request_firmware_nowait(THIS_MODULE, true, MXT_CFG_NAME,
+ &client->dev, GFP_KERNEL, data,
+@@ -2087,14 +2131,10 @@ static int mxt_initialize(struct mxt_dat
+ if (error) {
+ dev_err(&client->dev, "Failed to invoke firmware loader: %d\n",
+ error);
+- goto err_free_object_table;
++ return error;
+ }
+
+ return 0;
+-
+-err_free_object_table:
+- mxt_free_object_table(data);
+- return error;
+ }
+
+ static int mxt_set_t7_power_cfg(struct mxt_data *data, u8 sleep)
+@@ -2155,7 +2195,7 @@ recheck:
+ static u16 mxt_get_debug_value(struct mxt_data *data, unsigned int x,
+ unsigned int y)
+ {
+- struct mxt_info *info = &data->info;
++ struct mxt_info *info = data->info;
+ struct mxt_dbg *dbg = &data->dbg;
+ unsigned int ofs, page;
+ unsigned int col = 0;
+@@ -2483,7 +2523,7 @@ static const struct video_device mxt_vid
+
+ static void mxt_debug_init(struct mxt_data *data)
+ {
+- struct mxt_info *info = &data->info;
++ struct mxt_info *info = data->info;
+ struct mxt_dbg *dbg = &data->dbg;
+ struct mxt_object *object;
+ int error;
+@@ -2569,7 +2609,6 @@ static int mxt_configure_objects(struct
+ const struct firmware *cfg)
+ {
+ struct device *dev = &data->client->dev;
+- struct mxt_info *info = &data->info;
+ int error;
+
+ error = mxt_init_t7_power_cfg(data);
+@@ -2594,11 +2633,6 @@ static int mxt_configure_objects(struct
+
+ mxt_debug_init(data);
+
+- dev_info(dev,
+- "Family: %u Variant: %u Firmware V%u.%u.%02X Objects: %u\n",
+- info->family_id, info->variant_id, info->version >> 4,
+- info->version & 0xf, info->build, info->object_num);
+-
+ return 0;
+ }
+
+@@ -2607,7 +2641,7 @@ static ssize_t mxt_fw_version_show(struc
+ struct device_attribute *attr, char *buf)
+ {
+ struct mxt_data *data = dev_get_drvdata(dev);
+- struct mxt_info *info = &data->info;
++ struct mxt_info *info = data->info;
+ return scnprintf(buf, PAGE_SIZE, "%u.%u.%02X\n",
+ info->version >> 4, info->version & 0xf, info->build);
+ }
+@@ -2617,7 +2651,7 @@ static ssize_t mxt_hw_version_show(struc
+ struct device_attribute *attr, char *buf)
+ {
+ struct mxt_data *data = dev_get_drvdata(dev);
+- struct mxt_info *info = &data->info;
++ struct mxt_info *info = data->info;
+ return scnprintf(buf, PAGE_SIZE, "%u.%u\n",
+ info->family_id, info->variant_id);
+ }
+@@ -2656,7 +2690,7 @@ static ssize_t mxt_object_show(struct de
+ return -ENOMEM;
+
+ error = 0;
+- for (i = 0; i < data->info.object_num; i++) {
++ for (i = 0; i < data->info->object_num; i++) {
+ object = data->object_table + i;
+
+ if (!mxt_object_readable(object->type))
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Fri, 6 Apr 2018 15:36:11 -0700
+Subject: Input: synaptics-rmi4 - fix an unchecked out of memory error path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 839c42273617787318da7baf6151d553108f5e17 ]
+
+When extending the rmi_spi buffers, we must check that no out of memory
+error occurs, otherwise we may access data above the currently allocated
+memory.
+
+Propagate the error code returned by 'rmi_spi_manage_pools()' instead.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Andrew Duggan <aduggan@synaptics.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/rmi4/rmi_spi.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/rmi4/rmi_spi.c
++++ b/drivers/input/rmi4/rmi_spi.c
+@@ -147,8 +147,11 @@ static int rmi_spi_xfer(struct rmi_spi_x
+ if (len > RMI_SPI_XFER_SIZE_LIMIT)
+ return -EINVAL;
+
+- if (rmi_spi->xfer_buf_size < len)
+- rmi_spi_manage_pools(rmi_spi, len);
++ if (rmi_spi->xfer_buf_size < len) {
++ ret = rmi_spi_manage_pools(rmi_spi, len);
++ if (ret < 0)
++ return ret;
++ }
+
+ if (addr == 0)
+ /*
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Changbin Du <changbin.du@intel.com>
+Date: Fri, 20 Apr 2018 13:29:55 +0800
+Subject: iommu/vt-d: fix shift-out-of-bounds in bug checking
+
+From: Changbin Du <changbin.du@intel.com>
+
+[ Upstream commit 0dfc0c792d691f8056f38b5c30789f504be0e467 ]
+
+It allows to flush more than 4GB of device TLBs. So the mask should be
+64bit wide. UBSAN captured this fault as below.
+
+[ 3.760024] ================================================================================
+[ 3.768440] UBSAN: Undefined behaviour in drivers/iommu/dmar.c:1348:3
+[ 3.774864] shift exponent 64 is too large for 32-bit type 'int'
+[ 3.780853] CPU: 2 PID: 0 Comm: swapper/2 Tainted: G U 4.17.0-rc1+ #89
+[ 3.788661] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.2.8 01/26/2016
+[ 3.796034] Call Trace:
+[ 3.798472] <IRQ>
+[ 3.800479] dump_stack+0x90/0xfb
+[ 3.803787] ubsan_epilogue+0x9/0x40
+[ 3.807353] __ubsan_handle_shift_out_of_bounds+0x10e/0x170
+[ 3.812916] ? qi_flush_dev_iotlb+0x124/0x180
+[ 3.817261] qi_flush_dev_iotlb+0x124/0x180
+[ 3.821437] iommu_flush_dev_iotlb+0x94/0xf0
+[ 3.825698] iommu_flush_iova+0x10b/0x1c0
+[ 3.829699] ? fq_ring_free+0x1d0/0x1d0
+[ 3.833527] iova_domain_flush+0x25/0x40
+[ 3.837448] fq_flush_timeout+0x55/0x160
+[ 3.841368] ? fq_ring_free+0x1d0/0x1d0
+[ 3.845200] ? fq_ring_free+0x1d0/0x1d0
+[ 3.849034] call_timer_fn+0xbe/0x310
+[ 3.852696] ? fq_ring_free+0x1d0/0x1d0
+[ 3.856530] run_timer_softirq+0x223/0x6e0
+[ 3.860625] ? sched_clock+0x5/0x10
+[ 3.864108] ? sched_clock+0x5/0x10
+[ 3.867594] __do_softirq+0x1b5/0x6f5
+[ 3.871250] irq_exit+0xd4/0x130
+[ 3.874470] smp_apic_timer_interrupt+0xb8/0x2f0
+[ 3.879075] apic_timer_interrupt+0xf/0x20
+[ 3.883159] </IRQ>
+[ 3.885255] RIP: 0010:poll_idle+0x60/0xe7
+[ 3.889252] RSP: 0018:ffffb1b201943e30 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
+[ 3.896802] RAX: 0000000080200000 RBX: 000000000000008e RCX: 000000000000001f
+[ 3.903918] RDX: 0000000000000000 RSI: 000000002819aa06 RDI: 0000000000000000
+[ 3.911031] RBP: ffff9e93c6b33280 R08: 00000010f717d567 R09: 000000000010d205
+[ 3.918146] R10: ffffb1b201943df8 R11: 0000000000000001 R12: 00000000e01b169d
+[ 3.925260] R13: 0000000000000000 R14: ffffffffb12aa400 R15: 0000000000000000
+[ 3.932382] cpuidle_enter_state+0xb4/0x470
+[ 3.936558] do_idle+0x222/0x310
+[ 3.939779] cpu_startup_entry+0x78/0x90
+[ 3.943693] start_secondary+0x205/0x2e0
+[ 3.947607] secondary_startup_64+0xa5/0xb0
+[ 3.951783] ================================================================================
+
+Signed-off-by: Changbin Du <changbin.du@intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/dmar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/dmar.c
++++ b/drivers/iommu/dmar.c
+@@ -1345,7 +1345,7 @@ void qi_flush_dev_iotlb(struct intel_iom
+ struct qi_desc desc;
+
+ if (mask) {
+- BUG_ON(addr & ((1 << (VTD_PAGE_SHIFT + mask)) - 1));
++ BUG_ON(addr & ((1ULL << (VTD_PAGE_SHIFT + mask)) - 1));
+ addr |= (1ULL << (VTD_PAGE_SHIFT + mask - 1)) - 1;
+ desc.high = QI_DEV_IOTLB_ADDR(addr) | QI_DEV_IOTLB_SIZE;
+ } else
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Jagannathan Raman <jag.raman@oracle.com>
+Date: Tue, 6 Mar 2018 17:39:41 -0500
+Subject: iommu/vt-d: Fix usage of force parameter in intel_ir_reconfigure_irte()
+
+From: Jagannathan Raman <jag.raman@oracle.com>
+
+[ Upstream commit aa7528fe3576d11f4a10237178a723a1f080a547 ]
+
+It was noticed that the IRTE configured for guest OS kernel
+was over-written while the guest was running. As a result,
+vt-d Posted Interrupts configured for the guest are not being
+delivered directly, and instead bounces off the host. Every
+interrupt delivery takes a VM Exit.
+
+It was noticed that the following stack is doing the over-write:
+[ 147.463177] modify_irte+0x171/0x1f0
+[ 147.463405] intel_ir_set_affinity+0x5c/0x80
+[ 147.463641] msi_domain_set_affinity+0x32/0x90
+[ 147.463881] irq_do_set_affinity+0x37/0xd0
+[ 147.464125] irq_set_affinity_locked+0x9d/0xb0
+[ 147.464374] __irq_set_affinity+0x42/0x70
+[ 147.464627] write_irq_affinity.isra.5+0xe1/0x110
+[ 147.464895] proc_reg_write+0x38/0x70
+[ 147.465150] __vfs_write+0x36/0x180
+[ 147.465408] ? handle_mm_fault+0xdf/0x200
+[ 147.465671] ? _cond_resched+0x15/0x30
+[ 147.465936] vfs_write+0xad/0x1a0
+[ 147.466204] SyS_write+0x52/0xc0
+[ 147.466472] do_syscall_64+0x74/0x1a0
+[ 147.466744] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+reversing the sense of force check in intel_ir_reconfigure_irte()
+restores proper posted interrupt functionality
+
+Signed-off-by: Jagannathan Raman <jag.raman@oracle.com>
+Fixes: d491bdff888e ('iommu/vt-d: Reevaluate vector configuration on activate()')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/intel_irq_remapping.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/intel_irq_remapping.c
++++ b/drivers/iommu/intel_irq_remapping.c
+@@ -1136,7 +1136,7 @@ static void intel_ir_reconfigure_irte(st
+ irte->dest_id = IRTE_DEST(cfg->dest_apicid);
+
+ /* Update the hardware only if the interrupt is in remapped mode. */
+- if (!force || ir_data->irq_2_iommu.mode == IRQ_REMAPPING)
++ if (force || ir_data->irq_2_iommu.mode == IRQ_REMAPPING)
+ modify_irte(&ir_data->irq_2_iommu, irte);
+ }
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Chengguang Xu <cgxu519@gmx.com>
+Date: Sat, 14 Apr 2018 20:16:06 +0800
+Subject: isofs: fix potential memory leak in mount option parsing
+
+From: Chengguang Xu <cgxu519@gmx.com>
+
+[ Upstream commit 4f34a5130a471f32f2fe7750769ab4057dc3eaa0 ]
+
+When specifying string type mount option (e.g., iocharset)
+several times in a mount, current option parsing may
+cause memory leak. Hence, call kfree for previous one
+in this case. Meanwhile, check memory allocation result
+for it.
+
+Signed-off-by: Chengguang Xu <cgxu519@gmx.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/isofs/inode.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/isofs/inode.c
++++ b/fs/isofs/inode.c
+@@ -394,7 +394,10 @@ static int parse_options(char *options,
+ break;
+ #ifdef CONFIG_JOLIET
+ case Opt_iocharset:
++ kfree(popt->iocharset);
+ popt->iocharset = match_strdup(&args[0]);
++ if (!popt->iocharset)
++ return 0;
+ break;
+ #endif
+ case Opt_map_a:
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Wed, 9 May 2018 14:58:48 +0100
+Subject: ixgbe: fix memory leak on ipsec allocation
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit c89ebb968f04c71e16e86c91caeacb045dc8f908 ]
+
+The error clean up path kfree's adapter->ipsec and should be
+instead kfree'ing ipsec. Fix this. Also, the err1 error exit path
+does not need to kfree ipsec because this failure path was for
+the failed allocation of ipsec.
+
+Detected by CoverityScan, CID#146424 ("Resource Leak")
+
+Fixes: 63a67fe229ea ("ixgbe: add ipsec offload add and remove SA")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-by: Shannon Nelson <shannon.nelson@oracle.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
+@@ -918,8 +918,8 @@ err2:
+ kfree(ipsec->ip_tbl);
+ kfree(ipsec->rx_tbl);
+ kfree(ipsec->tx_tbl);
++ kfree(ipsec);
+ err1:
+- kfree(adapter->ipsec);
+ netdev_err(adapter->netdev, "Unable to allocate memory for SA tables");
+ }
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Emil Tantilov <emil.s.tantilov@intel.com>
+Date: Thu, 19 Apr 2018 17:06:57 -0700
+Subject: ixgbe: return error on unsupported SFP module when resetting
+
+From: Emil Tantilov <emil.s.tantilov@intel.com>
+
+[ Upstream commit bbb2707623f3ccc48695da2433f06d7c38193451 ]
+
+Add check for unsupported module and return the error code.
+This fixes a Coverity hit due to unused return status from setup_sfp.
+
+Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
+@@ -3427,6 +3427,9 @@ static s32 ixgbe_reset_hw_X550em(struct
+ hw->phy.sfp_setup_needed = false;
+ }
+
++ if (status == IXGBE_ERR_SFP_NOT_SUPPORTED)
++ return status;
++
+ /* Reset PHY */
+ if (!hw->phy.reset_disable && hw->phy.ops.reset)
+ hw->phy.ops.reset(hw);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Dave Young <dyoung@redhat.com>
+Date: Fri, 20 Apr 2018 14:56:10 -0700
+Subject: kexec_file: do not add extra alignment to efi memmap
+
+From: Dave Young <dyoung@redhat.com>
+
+[ Upstream commit a841aa83dff0af75c88aa846ba610a8af4c5ee21 ]
+
+Chun-Yi reported a kernel warning message below:
+
+ WARNING: CPU: 0 PID: 0 at ../mm/early_ioremap.c:182 early_iounmap+0x4f/0x12c()
+ early_iounmap(ffffffffff200180, 00000118) [0] size not consistent 00000120
+
+The problem is x86 kexec_file_load adds extra alignment to the efi
+memmap: in bzImage64_load():
+
+ efi_map_sz = efi_get_runtime_map_size();
+ efi_map_sz = ALIGN(efi_map_sz, 16);
+
+And __efi_memmap_init maps with the size including the alignment bytes
+but efi_memmap_unmap use nr_maps * desc_size which does not include the
+extra bytes.
+
+The alignment in kexec code is only needed for the kexec buffer internal
+use Actually kexec should pass exact size of the efi memmap to 2nd
+kernel.
+
+Link: http://lkml.kernel.org/r/20180417083600.GA1972@dhcp-128-65.nay.redhat.com
+Signed-off-by: Dave Young <dyoung@redhat.com>
+Reported-by: joeyli <jlee@suse.com>
+Tested-by: Randy Wright <rwright@hpe.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/kexec-bzimage64.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/kexec-bzimage64.c
++++ b/arch/x86/kernel/kexec-bzimage64.c
+@@ -398,11 +398,10 @@ static void *bzImage64_load(struct kimag
+ * little bit simple
+ */
+ efi_map_sz = efi_get_runtime_map_size();
+- efi_map_sz = ALIGN(efi_map_sz, 16);
+ params_cmdline_sz = sizeof(struct boot_params) + cmdline_len +
+ MAX_ELFCOREHDR_STR_LEN;
+ params_cmdline_sz = ALIGN(params_cmdline_sz, 16);
+- kbuf.bufsz = params_cmdline_sz + efi_map_sz +
++ kbuf.bufsz = params_cmdline_sz + ALIGN(efi_map_sz, 16) +
+ sizeof(struct setup_data) +
+ sizeof(struct efi_setup_data);
+
+@@ -410,7 +409,7 @@ static void *bzImage64_load(struct kimag
+ if (!params)
+ return ERR_PTR(-ENOMEM);
+ efi_map_offset = params_cmdline_sz;
+- efi_setup_data_offset = efi_map_offset + efi_map_sz;
++ efi_setup_data_offset = efi_map_offset + ALIGN(efi_map_sz, 16);
+
+ /* Copy setup header onto bootparams. Documentation/x86/boot.txt */
+ setup_header_size = 0x0202 + kernel[0x0201] - setup_hdr_offset;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Wed, 9 May 2018 21:58:15 +0900
+Subject: kprobes/x86: Prohibit probing on exception masking instructions
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit ee6a7354a3629f9b65bc18dbe393503e9440d6f5 ]
+
+Since MOV SS and POP SS instructions will delay the exceptions until the
+next instruction is executed, single-stepping on it by kprobes must be
+prohibited.
+
+However, kprobes usually executes those instructions directly on trampoline
+buffer (a.k.a. kprobe-booster), except for the kprobes which has
+post_handler. Thus if kprobe user probes MOV SS with post_handler, it will
+do single-stepping on the MOV SS.
+
+This means it is safe that if it is used via ftrace or perf/bpf since those
+don't use the post_handler.
+
+Anyway, since the stack switching is a rare case, it is safer just
+rejecting kprobes on such instructions.
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
+Cc: Francis Deslauriers <francis.deslauriers@efficios.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: "H . Peter Anvin" <hpa@zytor.com>
+Cc: Yonghong Song <yhs@fb.com>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: "David S . Miller" <davem@davemloft.net>
+Link: https://lkml.kernel.org/r/152587069574.17316.3311695234863248641.stgit@devbox
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/insn.h | 18 ++++++++++++++++++
+ arch/x86/kernel/kprobes/core.c | 4 ++++
+ 2 files changed, 22 insertions(+)
+
+--- a/arch/x86/include/asm/insn.h
++++ b/arch/x86/include/asm/insn.h
+@@ -208,4 +208,22 @@ static inline int insn_offset_immediate(
+ return insn_offset_displacement(insn) + insn->displacement.nbytes;
+ }
+
++#define POP_SS_OPCODE 0x1f
++#define MOV_SREG_OPCODE 0x8e
++
++/*
++ * Intel SDM Vol.3A 6.8.3 states;
++ * "Any single-step trap that would be delivered following the MOV to SS
++ * instruction or POP to SS instruction (because EFLAGS.TF is 1) is
++ * suppressed."
++ * This function returns true if @insn is MOV SS or POP SS. On these
++ * instructions, single stepping is suppressed.
++ */
++static inline int insn_masking_exception(struct insn *insn)
++{
++ return insn->opcode.bytes[0] == POP_SS_OPCODE ||
++ (insn->opcode.bytes[0] == MOV_SREG_OPCODE &&
++ X86_MODRM_REG(insn->modrm.bytes[0]) == 2);
++}
++
+ #endif /* _ASM_X86_INSN_H */
+--- a/arch/x86/kernel/kprobes/core.c
++++ b/arch/x86/kernel/kprobes/core.c
+@@ -370,6 +370,10 @@ int __copy_instruction(u8 *dest, u8 *src
+ if (insn->opcode.bytes[0] == BREAKPOINT_INSTRUCTION)
+ return 0;
+
++ /* We should not singlestep on the exception masking instructions */
++ if (insn_masking_exception(insn))
++ return 0;
++
+ #ifdef CONFIG_X86_64
+ /* Only x86_64 has RIP relative instructions */
+ if (insn_rip_relative(insn)) {
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Tue, 1 May 2018 18:14:45 +0200
+Subject: kthread, sched/wait: Fix kthread_parkme() completion issue
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 85f1abe0019fcb3ea10df7029056cf42702283a8 ]
+
+Even with the wait-loop fixed, there is a further issue with
+kthread_parkme(). Upon hotplug, when we do takedown_cpu(),
+smpboot_park_threads() can return before all those threads are in fact
+blocked, due to the placement of the complete() in __kthread_parkme().
+
+When that happens, sched_cpu_dying() -> migrate_tasks() can end up
+migrating such a still runnable task onto another CPU.
+
+Normally the task will have hit schedule() and gone to sleep by the
+time we do kthread_unpark(), which will then do __kthread_bind() to
+re-bind the task to the correct CPU.
+
+However, when we loose the initial TASK_PARKED store to the concurrent
+wakeup issue described previously, do the complete(), get migrated, it
+is possible to either:
+
+ - observe kthread_unpark()'s clearing of SHOULD_PARK and terminate
+ the park and set TASK_RUNNING, or
+
+ - __kthread_bind()'s wait_task_inactive() to observe the competing
+ TASK_RUNNING store.
+
+Either way the WARN() in __kthread_bind() will trigger and fail to
+correctly set the CPU affinity.
+
+Fix this by only issuing the complete() when the kthread has scheduled
+out. This does away with all the icky 'still running' nonsense.
+
+The alternative is to promote TASK_PARKED to a special state, this
+guarantees wait_task_inactive() cannot observe a 'stale' TASK_RUNNING
+and we'll end up doing the right thing, but this preserves the whole
+icky business of potentially migating the still runnable thing.
+
+Reported-by: Gaurav Kohli <gkohli@codeaurora.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/kthread.h | 1 +
+ kernel/kthread.c | 43 +++++++++++++++++++------------------------
+ kernel/sched/core.c | 32 +++++++++++++++++++++-----------
+ 3 files changed, 41 insertions(+), 35 deletions(-)
+
+--- a/include/linux/kthread.h
++++ b/include/linux/kthread.h
+@@ -62,6 +62,7 @@ void *kthread_probe_data(struct task_str
+ int kthread_park(struct task_struct *k);
+ void kthread_unpark(struct task_struct *k);
+ void kthread_parkme(void);
++void kthread_park_complete(struct task_struct *k);
+
+ int kthreadd(void *unused);
+ extern struct task_struct *kthreadd_task;
+--- a/kernel/kthread.c
++++ b/kernel/kthread.c
+@@ -55,7 +55,6 @@ enum KTHREAD_BITS {
+ KTHREAD_IS_PER_CPU = 0,
+ KTHREAD_SHOULD_STOP,
+ KTHREAD_SHOULD_PARK,
+- KTHREAD_IS_PARKED,
+ };
+
+ static inline void set_kthread_struct(void *kthread)
+@@ -181,11 +180,8 @@ static void __kthread_parkme(struct kthr
+ set_current_state(TASK_PARKED);
+ if (!test_bit(KTHREAD_SHOULD_PARK, &self->flags))
+ break;
+- if (!test_and_set_bit(KTHREAD_IS_PARKED, &self->flags))
+- complete(&self->parked);
+ schedule();
+ }
+- clear_bit(KTHREAD_IS_PARKED, &self->flags);
+ __set_current_state(TASK_RUNNING);
+ }
+
+@@ -195,6 +191,11 @@ void kthread_parkme(void)
+ }
+ EXPORT_SYMBOL_GPL(kthread_parkme);
+
++void kthread_park_complete(struct task_struct *k)
++{
++ complete(&to_kthread(k)->parked);
++}
++
+ static int kthread(void *_create)
+ {
+ /* Copy data: it's on kthread's stack */
+@@ -451,22 +452,15 @@ void kthread_unpark(struct task_struct *
+ {
+ struct kthread *kthread = to_kthread(k);
+
+- clear_bit(KTHREAD_SHOULD_PARK, &kthread->flags);
+ /*
+- * We clear the IS_PARKED bit here as we don't wait
+- * until the task has left the park code. So if we'd
+- * park before that happens we'd see the IS_PARKED bit
+- * which might be about to be cleared.
++ * Newly created kthread was parked when the CPU was offline.
++ * The binding was lost and we need to set it again.
+ */
+- if (test_and_clear_bit(KTHREAD_IS_PARKED, &kthread->flags)) {
+- /*
+- * Newly created kthread was parked when the CPU was offline.
+- * The binding was lost and we need to set it again.
+- */
+- if (test_bit(KTHREAD_IS_PER_CPU, &kthread->flags))
+- __kthread_bind(k, kthread->cpu, TASK_PARKED);
+- wake_up_state(k, TASK_PARKED);
+- }
++ if (test_bit(KTHREAD_IS_PER_CPU, &kthread->flags))
++ __kthread_bind(k, kthread->cpu, TASK_PARKED);
++
++ clear_bit(KTHREAD_SHOULD_PARK, &kthread->flags);
++ wake_up_state(k, TASK_PARKED);
+ }
+ EXPORT_SYMBOL_GPL(kthread_unpark);
+
+@@ -489,12 +483,13 @@ int kthread_park(struct task_struct *k)
+ if (WARN_ON(k->flags & PF_EXITING))
+ return -ENOSYS;
+
+- if (!test_bit(KTHREAD_IS_PARKED, &kthread->flags)) {
+- set_bit(KTHREAD_SHOULD_PARK, &kthread->flags);
+- if (k != current) {
+- wake_up_process(k);
+- wait_for_completion(&kthread->parked);
+- }
++ if (WARN_ON_ONCE(test_bit(KTHREAD_SHOULD_PARK, &kthread->flags)))
++ return -EBUSY;
++
++ set_bit(KTHREAD_SHOULD_PARK, &kthread->flags);
++ if (k != current) {
++ wake_up_process(k);
++ wait_for_completion(&kthread->parked);
+ }
+
+ return 0;
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -30,6 +30,8 @@
+ #include <linux/syscalls.h>
+ #include <linux/sched/isolation.h>
+
++#include <linux/kthread.h>
++
+ #include <asm/switch_to.h>
+ #include <asm/tlb.h>
+ #ifdef CONFIG_PARAVIRT
+@@ -2733,20 +2735,28 @@ static struct rq *finish_task_switch(str
+ membarrier_mm_sync_core_before_usermode(mm);
+ mmdrop(mm);
+ }
+- if (unlikely(prev_state == TASK_DEAD)) {
+- if (prev->sched_class->task_dead)
+- prev->sched_class->task_dead(prev);
++ if (unlikely(prev_state & (TASK_DEAD|TASK_PARKED))) {
++ switch (prev_state) {
++ case TASK_DEAD:
++ if (prev->sched_class->task_dead)
++ prev->sched_class->task_dead(prev);
++
++ /*
++ * Remove function-return probe instances associated with this
++ * task and put them back on the free list.
++ */
++ kprobe_flush_task(prev);
+
+- /*
+- * Remove function-return probe instances associated with this
+- * task and put them back on the free list.
+- */
+- kprobe_flush_task(prev);
++ /* Task is done with its stack. */
++ put_task_stack(prev);
+
+- /* Task is done with its stack. */
+- put_task_stack(prev);
++ put_task_struct(prev);
++ break;
+
+- put_task_struct(prev);
++ case TASK_PARKED:
++ kthread_park_complete(prev);
++ break;
++ }
+ }
+
+ tick_nohz_task_switch();
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Mon, 30 Apr 2018 14:50:22 +0200
+Subject: kthread, sched/wait: Fix kthread_parkme() wait-loop
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 741a76b350897604c48fb12beff1c9b77724dc96 ]
+
+Gaurav reported a problem with __kthread_parkme() where a concurrent
+try_to_wake_up() could result in competing stores to ->state which,
+when the TASK_PARKED store got lost bad things would happen.
+
+The comment near set_current_state() actually mentions this competing
+store, but only mentions the case against TASK_RUNNING. This same
+store, with different timing, can happen against a subsequent !RUNNING
+store.
+
+This normally is not a problem, because as per that same comment, the
+!RUNNING state store is inside a condition based wait-loop:
+
+ for (;;) {
+ set_current_state(TASK_UNINTERRUPTIBLE);
+ if (!need_sleep)
+ break;
+ schedule();
+ }
+ __set_current_state(TASK_RUNNING);
+
+If we loose the (first) TASK_UNINTERRUPTIBLE store to a previous
+(concurrent) wakeup, the schedule() will NO-OP and we'll go around the
+loop once more.
+
+The problem here is that the TASK_PARKED store is not inside the
+KTHREAD_SHOULD_PARK condition wait-loop.
+
+There is a genuine issue with sleeps that do not have a condition;
+this is addressed in a subsequent patch.
+
+Reported-by: Gaurav Kohli <gkohli@codeaurora.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kthread.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/kernel/kthread.c
++++ b/kernel/kthread.c
+@@ -177,12 +177,13 @@ void *kthread_probe_data(struct task_str
+
+ static void __kthread_parkme(struct kthread *self)
+ {
+- __set_current_state(TASK_PARKED);
+- while (test_bit(KTHREAD_SHOULD_PARK, &self->flags)) {
++ for (;;) {
++ set_current_state(TASK_PARKED);
++ if (!test_bit(KTHREAD_SHOULD_PARK, &self->flags))
++ break;
+ if (!test_and_set_bit(KTHREAD_IS_PARKED, &self->flags))
+ complete(&self->parked);
+ schedule();
+- __set_current_state(TASK_PARKED);
+ }
+ clear_bit(KTHREAD_IS_PARKED, &self->flags);
+ __set_current_state(TASK_RUNNING);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Junaid Shahid <junaids@google.com>
+Date: Thu, 26 Apr 2018 13:09:50 -0700
+Subject: kvm: apic: Flush TLB after APIC mode/address change if VPIDs are in use
+
+From: Junaid Shahid <junaids@google.com>
+
+[ Upstream commit a468f2dbf921d02f5107378501693137a812999b ]
+
+Currently, KVM flushes the TLB after a change to the APIC access page
+address or the APIC mode when EPT mode is enabled. However, even in
+shadow paging mode, a TLB flush is needed if VPIDs are being used, as
+specified in the Intel SDM Section 29.4.5.
+
+So replace vmx_flush_tlb_ept_only() with vmx_flush_tlb(), which will
+flush if either EPT or VPIDs are in use.
+
+Signed-off-by: Junaid Shahid <junaids@google.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx.c | 14 ++++----------
+ 1 file changed, 4 insertions(+), 10 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -4272,12 +4272,6 @@ static void vmx_flush_tlb(struct kvm_vcp
+ __vmx_flush_tlb(vcpu, to_vmx(vcpu)->vpid, invalidate_gpa);
+ }
+
+-static void vmx_flush_tlb_ept_only(struct kvm_vcpu *vcpu)
+-{
+- if (enable_ept)
+- vmx_flush_tlb(vcpu, true);
+-}
+-
+ static void vmx_decache_cr0_guest_bits(struct kvm_vcpu *vcpu)
+ {
+ ulong cr0_guest_owned_bits = vcpu->arch.cr0_guest_owned_bits;
+@@ -9030,7 +9024,7 @@ static void vmx_set_virtual_x2apic_mode(
+ } else {
+ sec_exec_control &= ~SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE;
+ sec_exec_control |= SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES;
+- vmx_flush_tlb_ept_only(vcpu);
++ vmx_flush_tlb(vcpu, true);
+ }
+ vmcs_write32(SECONDARY_VM_EXEC_CONTROL, sec_exec_control);
+
+@@ -9058,7 +9052,7 @@ static void vmx_set_apic_access_page_add
+ !nested_cpu_has2(get_vmcs12(&vmx->vcpu),
+ SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES)) {
+ vmcs_write64(APIC_ACCESS_ADDR, hpa);
+- vmx_flush_tlb_ept_only(vcpu);
++ vmx_flush_tlb(vcpu, true);
+ }
+ }
+
+@@ -10950,7 +10944,7 @@ static int prepare_vmcs02(struct kvm_vcp
+ }
+ } else if (nested_cpu_has2(vmcs12,
+ SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES)) {
+- vmx_flush_tlb_ept_only(vcpu);
++ vmx_flush_tlb(vcpu, true);
+ }
+
+ /*
+@@ -11777,7 +11771,7 @@ static void nested_vmx_vmexit(struct kvm
+ } else if (!nested_cpu_has_ept(vmcs12) &&
+ nested_cpu_has2(vmcs12,
+ SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES)) {
+- vmx_flush_tlb_ept_only(vcpu);
++ vmx_flush_tlb(vcpu, true);
+ }
+
+ /* This is needed for same reason as it was needed in prepare_vmcs02 */
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Wed, 25 Apr 2018 17:13:42 +0100
+Subject: KVM: arm/arm64: vgic: fix possible spectre-v1 in vgic_mmio_read_apr()
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit 5e1ca5e23b167987d5b6d8b08f2d5b7dd2d13f49 ]
+
+It's possible for userspace to control n. Sanitize n when using it as an
+array index.
+
+Note that while it appears that n must be bound to the interval [0,3]
+due to the way it is extracted from addr, we cannot guarantee that
+compiler transformations (and/or future refactoring) will ensure this is
+the case, and given this is a slow path it's better to always perform
+the masking.
+
+Found by smatch.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Acked-by: Christoffer Dall <christoffer.dall@arm.com>
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Cc: kvmarm@lists.cs.columbia.edu
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/arm/vgic/vgic-mmio-v2.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/virt/kvm/arm/vgic/vgic-mmio-v2.c
++++ b/virt/kvm/arm/vgic/vgic-mmio-v2.c
+@@ -14,6 +14,8 @@
+ #include <linux/irqchip/arm-gic.h>
+ #include <linux/kvm.h>
+ #include <linux/kvm_host.h>
++#include <linux/nospec.h>
++
+ #include <kvm/iodev.h>
+ #include <kvm/arm_vgic.h>
+
+@@ -324,6 +326,9 @@ static unsigned long vgic_mmio_read_apr(
+
+ if (n > vgic_v3_max_apr_idx(vcpu))
+ return 0;
++
++ n = array_index_nospec(n, 4);
++
+ /* GICv3 only uses ICH_AP1Rn for memory mapped (GICv2) guests */
+ return vgicv3->vgic_ap1r[n];
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Andre Przywara <andre.przywara@arm.com>
+Date: Tue, 17 Apr 2018 11:23:49 +0100
+Subject: KVM: arm/arm64: vgic: Kick new VCPU on interrupt migration
+
+From: Andre Przywara <andre.przywara@arm.com>
+
+[ Upstream commit bf9a41377d14f565764022470e14aae72559589a ]
+
+When vgic_prune_ap_list() finds an interrupt that needs to be migrated
+to a new VCPU, we should notify this VCPU of the pending interrupt,
+since it requires immediate action.
+Kick this VCPU once we have added the new IRQ to the list, but only
+after dropping the locks.
+
+Reported-by: Stefano Stabellini <sstabellini@kernel.org>
+Reviewed-by: Christoffer Dall <christoffer.dall@arm.com>
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/arm/vgic/vgic.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/virt/kvm/arm/vgic/vgic.c
++++ b/virt/kvm/arm/vgic/vgic.c
+@@ -599,6 +599,7 @@ retry:
+
+ list_for_each_entry_safe(irq, tmp, &vgic_cpu->ap_list_head, ap_list) {
+ struct kvm_vcpu *target_vcpu, *vcpuA, *vcpuB;
++ bool target_vcpu_needs_kick = false;
+
+ spin_lock(&irq->irq_lock);
+
+@@ -669,11 +670,18 @@ retry:
+ list_del(&irq->ap_list);
+ irq->vcpu = target_vcpu;
+ list_add_tail(&irq->ap_list, &new_cpu->ap_list_head);
++ target_vcpu_needs_kick = true;
+ }
+
+ spin_unlock(&irq->irq_lock);
+ spin_unlock(&vcpuB->arch.vgic_cpu.ap_list_lock);
+ spin_unlock_irqrestore(&vcpuA->arch.vgic_cpu.ap_list_lock, flags);
++
++ if (target_vcpu_needs_kick) {
++ kvm_make_request(KVM_REQ_IRQ_PENDING, target_vcpu);
++ kvm_vcpu_kick(target_vcpu);
++ }
++
+ goto retry;
+ }
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Wanpeng Li <wanpengli@tencent.com>
+Date: Thu, 26 Apr 2018 17:55:03 -0700
+Subject: KVM: Extend MAX_IRQ_ROUTES to 4096 for all archs
+
+From: Wanpeng Li <wanpengli@tencent.com>
+
+[ Upstream commit ddc9cfb79c1096a0855839631c091aa7e9602052 ]
+
+Our virtual machines make use of device assignment by configuring
+12 NVMe disks for high I/O performance. Each NVMe device has 129
+MSI-X Table entries:
+Capabilities: [50] MSI-X: Enable+ Count=129 Masked-Vector table: BAR=0 offset=00002000
+The windows virtual machines fail to boot since they will map the number of
+MSI-table entries that the NVMe hardware reported to the bus to msi routing
+table, this will exceed the 1024. This patch extends MAX_IRQ_ROUTES to 4096
+for all archs, in the future this might be extended again if needed.
+
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim KrÄmář <rkrcmar@redhat.com>
+Cc: Cornelia Huck <cohuck@redhat.com>
+Cc: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
+Signed-off-by: Tonny Lu <tonnylu@tencent.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/kvm_host.h | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -1045,13 +1045,7 @@ static inline int mmu_notifier_retry(str
+
+ #ifdef CONFIG_HAVE_KVM_IRQ_ROUTING
+
+-#ifdef CONFIG_S390
+-#define KVM_MAX_IRQ_ROUTES 4096 //FIXME: we can have more than that...
+-#elif defined(CONFIG_ARM64)
+-#define KVM_MAX_IRQ_ROUTES 4096
+-#else
+-#define KVM_MAX_IRQ_ROUTES 1024
+-#endif
++#define KVM_MAX_IRQ_ROUTES 4096 /* might need extension/rework in the future */
+
+ bool kvm_arch_can_set_irq_routing(struct kvm *kvm);
+ int kvm_set_irq_routing(struct kvm *kvm,
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: hu huajun <huhuajun@linux.alibaba.com>
+Date: Wed, 11 Apr 2018 15:16:40 +0800
+Subject: KVM: X86: fix incorrect reference of trace_kvm_pi_irte_update
+
+From: hu huajun <huhuajun@linux.alibaba.com>
+
+[ Upstream commit 2698d82e519413c6ad287e6f14b29e0373ed37f8 ]
+
+In arch/x86/kvm/trace.h, this function is declared as host_irq the
+first input, and vcpu_id the second, instead of otherwise.
+
+Signed-off-by: hu huajun <huhuajun@linux.alibaba.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm.c | 5 ++---
+ arch/x86/kvm/vmx.c | 2 +-
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -5142,9 +5142,8 @@ static int svm_update_pi_irte(struct kvm
+ }
+
+ if (!ret && svm) {
+- trace_kvm_pi_irte_update(svm->vcpu.vcpu_id,
+- host_irq, e->gsi,
+- vcpu_info.vector,
++ trace_kvm_pi_irte_update(host_irq, svm->vcpu.vcpu_id,
++ e->gsi, vcpu_info.vector,
+ vcpu_info.pi_desc_addr, set);
+ }
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -12237,7 +12237,7 @@ static int vmx_update_pi_irte(struct kvm
+ vcpu_info.pi_desc_addr = __pa(vcpu_to_pi_desc(vcpu));
+ vcpu_info.vector = irq.vector;
+
+- trace_kvm_pi_irte_update(vcpu->vcpu_id, host_irq, e->gsi,
++ trace_kvm_pi_irte_update(host_irq, vcpu->vcpu_id, e->gsi,
+ vcpu_info.vector, vcpu_info.pi_desc_addr, set);
+
+ if (set)
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Wanpeng Li <wanpengli@tencent.com>
+Date: Sat, 5 May 2018 04:02:32 -0700
+Subject: KVM: X86: Lower the default timer frequency limit to 200us
+
+From: Wanpeng Li <wanpengli@tencent.com>
+
+[ Upstream commit 4c27625b7a67eb9006963ed2bcf8e53b259b43af ]
+
+Anthoine reported:
+ The period used by Windows change over time but it can be 1
+ milliseconds or less. I saw the limit_periodic_timer_frequency
+ print so 500 microseconds is sometimes reached.
+
+As suggested by Paolo, lower the default timer frequency limit to a
+smaller interval of 200 us (5000 Hz) to leave some headroom. This
+is required due to Windows 10 changing the scheduler tick limit
+from 1024 Hz to 2048 Hz.
+
+Reported-by: Anthoine Bourgeois <anthoine.bourgeois@blade-group.com>
+Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Anthoine Bourgeois <anthoine.bourgeois@blade-group.com>
+Cc: Darren Kenny <darren.kenny@oracle.com>
+Cc: Jan Kiszka <jan.kiszka@web.de>
+Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -112,7 +112,7 @@ module_param(ignore_msrs, bool, S_IRUGO
+ static bool __read_mostly report_ignored_msrs = true;
+ module_param(report_ignored_msrs, bool, S_IRUGO | S_IWUSR);
+
+-unsigned int min_timer_period_us = 500;
++unsigned int min_timer_period_us = 200;
+ module_param(min_timer_period_us, uint, S_IRUGO | S_IWUSR);
+
+ static bool __read_mostly kvmclock_periodic_sync = true;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Fri, 13 Apr 2018 11:38:35 +0200
+Subject: kvm: x86: move MSR_IA32_TSC handling to x86.c
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+[ Upstream commit dd259935e4eec844dc3e5b8a7cd951cd658b4fb6 ]
+
+This is not specific to Intel/AMD anymore. The TSC offset is available
+in vcpu->arch.tsc_offset.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm.c | 9 ---------
+ arch/x86/kvm/vmx.c | 20 --------------------
+ arch/x86/kvm/x86.c | 6 ++++++
+ 3 files changed, 6 insertions(+), 29 deletions(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3915,12 +3915,6 @@ static int svm_get_msr(struct kvm_vcpu *
+ struct vcpu_svm *svm = to_svm(vcpu);
+
+ switch (msr_info->index) {
+- case MSR_IA32_TSC: {
+- msr_info->data = svm->vmcb->control.tsc_offset +
+- kvm_scale_tsc(vcpu, rdtsc());
+-
+- break;
+- }
+ case MSR_STAR:
+ msr_info->data = svm->vmcb->save.star;
+ break;
+@@ -4080,9 +4074,6 @@ static int svm_set_msr(struct kvm_vcpu *
+ svm->vmcb->save.g_pat = data;
+ mark_dirty(svm->vmcb, VMCB_NPT);
+ break;
+- case MSR_IA32_TSC:
+- kvm_write_tsc(vcpu, msr);
+- break;
+ case MSR_IA32_SPEC_CTRL:
+ if (!msr->host_initiated &&
+ !guest_cpuid_has(vcpu, X86_FEATURE_AMD_IBRS))
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2650,20 +2650,6 @@ static u64 vmx_read_l1_tsc_offset(struct
+ }
+
+ /*
+- * reads and returns guest's timestamp counter "register"
+- * guest_tsc = (host_tsc * tsc multiplier) >> 48 + tsc_offset
+- * -- Intel TSC Scaling for Virtualization White Paper, sec 1.3
+- */
+-static u64 guest_read_tsc(struct kvm_vcpu *vcpu)
+-{
+- u64 host_tsc, tsc_offset;
+-
+- host_tsc = rdtsc();
+- tsc_offset = vmcs_read64(TSC_OFFSET);
+- return kvm_scale_tsc(vcpu, host_tsc) + tsc_offset;
+-}
+-
+-/*
+ * writes 'offset' into guest's timestamp counter offset register
+ */
+ static void vmx_write_tsc_offset(struct kvm_vcpu *vcpu, u64 offset)
+@@ -3283,9 +3269,6 @@ static int vmx_get_msr(struct kvm_vcpu *
+ #endif
+ case MSR_EFER:
+ return kvm_get_msr_common(vcpu, msr_info);
+- case MSR_IA32_TSC:
+- msr_info->data = guest_read_tsc(vcpu);
+- break;
+ case MSR_IA32_SPEC_CTRL:
+ if (!msr_info->host_initiated &&
+ !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL))
+@@ -3403,9 +3386,6 @@ static int vmx_set_msr(struct kvm_vcpu *
+ return 1;
+ vmcs_write64(GUEST_BNDCFGS, data);
+ break;
+- case MSR_IA32_TSC:
+- kvm_write_tsc(vcpu, msr_info);
+- break;
+ case MSR_IA32_SPEC_CTRL:
+ if (!msr_info->host_initiated &&
+ !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL))
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2333,6 +2333,9 @@ int kvm_set_msr_common(struct kvm_vcpu *
+ return 1;
+ vcpu->arch.smbase = data;
+ break;
++ case MSR_IA32_TSC:
++ kvm_write_tsc(vcpu, msr_info);
++ break;
+ case MSR_SMI_COUNT:
+ if (!msr_info->host_initiated)
+ return 1;
+@@ -2572,6 +2575,9 @@ int kvm_get_msr_common(struct kvm_vcpu *
+ case MSR_IA32_UCODE_REV:
+ msr_info->data = vcpu->arch.microcode_version;
+ break;
++ case MSR_IA32_TSC:
++ msr_info->data = kvm_scale_tsc(vcpu, rdtsc()) + vcpu->arch.tsc_offset;
++ break;
+ case MSR_MTRRcap:
+ case 0x200 ... 0x2ff:
+ return kvm_mtrr_get_msr(vcpu, msr_info->index, &msr_info->data);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Raghuram Chary J <raghuramchary.jallipalli@microchip.com>
+Date: Wed, 11 Apr 2018 20:36:36 +0530
+Subject: lan78xx: PHY DSP registers initialization to address EEE link drop issues with long cables
+
+From: Raghuram Chary J <raghuramchary.jallipalli@microchip.com>
+
+[ Upstream commit 1c2734b31d72316e3faaad88c0c9c46fa92a4b20 ]
+
+The patch is to configure DSP registers of PHY device
+to handle Gbe-EEE failures with >40m cable length.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Signed-off-by: Raghuram Chary J <raghuramchary.jallipalli@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/microchip.c | 178 ++++++++++++++++++++++++++++++++++++++++++-
+ include/linux/microchipphy.h | 8 +
+ 2 files changed, 185 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/phy/microchip.c
++++ b/drivers/net/phy/microchip.c
+@@ -20,6 +20,7 @@
+ #include <linux/ethtool.h>
+ #include <linux/phy.h>
+ #include <linux/microchipphy.h>
++#include <linux/delay.h>
+
+ #define DRIVER_AUTHOR "WOOJUNG HUH <woojung.huh@microchip.com>"
+ #define DRIVER_DESC "Microchip LAN88XX PHY driver"
+@@ -30,6 +31,16 @@ struct lan88xx_priv {
+ __u32 wolopts;
+ };
+
++static int lan88xx_read_page(struct phy_device *phydev)
++{
++ return __phy_read(phydev, LAN88XX_EXT_PAGE_ACCESS);
++}
++
++static int lan88xx_write_page(struct phy_device *phydev, int page)
++{
++ return __phy_write(phydev, LAN88XX_EXT_PAGE_ACCESS, page);
++}
++
+ static int lan88xx_phy_config_intr(struct phy_device *phydev)
+ {
+ int rc;
+@@ -66,6 +77,150 @@ static int lan88xx_suspend(struct phy_de
+ return 0;
+ }
+
++static int lan88xx_TR_reg_set(struct phy_device *phydev, u16 regaddr,
++ u32 data)
++{
++ int val, save_page, ret = 0;
++ u16 buf;
++
++ /* Save current page */
++ save_page = phy_save_page(phydev);
++ if (save_page < 0) {
++ pr_warn("Failed to get current page\n");
++ goto err;
++ }
++
++ /* Switch to TR page */
++ lan88xx_write_page(phydev, LAN88XX_EXT_PAGE_ACCESS_TR);
++
++ ret = __phy_write(phydev, LAN88XX_EXT_PAGE_TR_LOW_DATA,
++ (data & 0xFFFF));
++ if (ret < 0) {
++ pr_warn("Failed to write TR low data\n");
++ goto err;
++ }
++
++ ret = __phy_write(phydev, LAN88XX_EXT_PAGE_TR_HIGH_DATA,
++ (data & 0x00FF0000) >> 16);
++ if (ret < 0) {
++ pr_warn("Failed to write TR high data\n");
++ goto err;
++ }
++
++ /* Config control bits [15:13] of register */
++ buf = (regaddr & ~(0x3 << 13));/* Clr [14:13] to write data in reg */
++ buf |= 0x8000; /* Set [15] to Packet transmit */
++
++ ret = __phy_write(phydev, LAN88XX_EXT_PAGE_TR_CR, buf);
++ if (ret < 0) {
++ pr_warn("Failed to write data in reg\n");
++ goto err;
++ }
++
++ usleep_range(1000, 2000);/* Wait for Data to be written */
++ val = __phy_read(phydev, LAN88XX_EXT_PAGE_TR_CR);
++ if (!(val & 0x8000))
++ pr_warn("TR Register[0x%X] configuration failed\n", regaddr);
++err:
++ return phy_restore_page(phydev, save_page, ret);
++}
++
++static void lan88xx_config_TR_regs(struct phy_device *phydev)
++{
++ int err;
++
++ /* Get access to Channel 0x1, Node 0xF , Register 0x01.
++ * Write 24-bit value 0x12B00A to register. Setting MrvlTrFix1000Kf,
++ * MrvlTrFix1000Kp, MasterEnableTR bits.
++ */
++ err = lan88xx_TR_reg_set(phydev, 0x0F82, 0x12B00A);
++ if (err < 0)
++ pr_warn("Failed to Set Register[0x0F82]\n");
++
++ /* Get access to Channel b'10, Node b'1101, Register 0x06.
++ * Write 24-bit value 0xD2C46F to register. Setting SSTrKf1000Slv,
++ * SSTrKp1000Mas bits.
++ */
++ err = lan88xx_TR_reg_set(phydev, 0x168C, 0xD2C46F);
++ if (err < 0)
++ pr_warn("Failed to Set Register[0x168C]\n");
++
++ /* Get access to Channel b'10, Node b'1111, Register 0x11.
++ * Write 24-bit value 0x620 to register. Setting rem_upd_done_thresh
++ * bits
++ */
++ err = lan88xx_TR_reg_set(phydev, 0x17A2, 0x620);
++ if (err < 0)
++ pr_warn("Failed to Set Register[0x17A2]\n");
++
++ /* Get access to Channel b'10, Node b'1101, Register 0x10.
++ * Write 24-bit value 0xEEFFDD to register. Setting
++ * eee_TrKp1Long_1000, eee_TrKp2Long_1000, eee_TrKp3Long_1000,
++ * eee_TrKp1Short_1000,eee_TrKp2Short_1000, eee_TrKp3Short_1000 bits.
++ */
++ err = lan88xx_TR_reg_set(phydev, 0x16A0, 0xEEFFDD);
++ if (err < 0)
++ pr_warn("Failed to Set Register[0x16A0]\n");
++
++ /* Get access to Channel b'10, Node b'1101, Register 0x13.
++ * Write 24-bit value 0x071448 to register. Setting
++ * slv_lpi_tr_tmr_val1, slv_lpi_tr_tmr_val2 bits.
++ */
++ err = lan88xx_TR_reg_set(phydev, 0x16A6, 0x071448);
++ if (err < 0)
++ pr_warn("Failed to Set Register[0x16A6]\n");
++
++ /* Get access to Channel b'10, Node b'1101, Register 0x12.
++ * Write 24-bit value 0x13132F to register. Setting
++ * slv_sigdet_timer_val1, slv_sigdet_timer_val2 bits.
++ */
++ err = lan88xx_TR_reg_set(phydev, 0x16A4, 0x13132F);
++ if (err < 0)
++ pr_warn("Failed to Set Register[0x16A4]\n");
++
++ /* Get access to Channel b'10, Node b'1101, Register 0x14.
++ * Write 24-bit value 0x0 to register. Setting eee_3level_delay,
++ * eee_TrKf_freeze_delay bits.
++ */
++ err = lan88xx_TR_reg_set(phydev, 0x16A8, 0x0);
++ if (err < 0)
++ pr_warn("Failed to Set Register[0x16A8]\n");
++
++ /* Get access to Channel b'01, Node b'1111, Register 0x34.
++ * Write 24-bit value 0x91B06C to register. Setting
++ * FastMseSearchThreshLong1000, FastMseSearchThreshShort1000,
++ * FastMseSearchUpdGain1000 bits.
++ */
++ err = lan88xx_TR_reg_set(phydev, 0x0FE8, 0x91B06C);
++ if (err < 0)
++ pr_warn("Failed to Set Register[0x0FE8]\n");
++
++ /* Get access to Channel b'01, Node b'1111, Register 0x3E.
++ * Write 24-bit value 0xC0A028 to register. Setting
++ * FastMseKp2ThreshLong1000, FastMseKp2ThreshShort1000,
++ * FastMseKp2UpdGain1000, FastMseKp2ExitEn1000 bits.
++ */
++ err = lan88xx_TR_reg_set(phydev, 0x0FFC, 0xC0A028);
++ if (err < 0)
++ pr_warn("Failed to Set Register[0x0FFC]\n");
++
++ /* Get access to Channel b'01, Node b'1111, Register 0x35.
++ * Write 24-bit value 0x041600 to register. Setting
++ * FastMseSearchPhShNum1000, FastMseSearchClksPerPh1000,
++ * FastMsePhChangeDelay1000 bits.
++ */
++ err = lan88xx_TR_reg_set(phydev, 0x0FEA, 0x041600);
++ if (err < 0)
++ pr_warn("Failed to Set Register[0x0FEA]\n");
++
++ /* Get access to Channel b'10, Node b'1101, Register 0x03.
++ * Write 24-bit value 0x000004 to register. Setting TrFreeze bits.
++ */
++ err = lan88xx_TR_reg_set(phydev, 0x1686, 0x000004);
++ if (err < 0)
++ pr_warn("Failed to Set Register[0x1686]\n");
++}
++
+ static int lan88xx_probe(struct phy_device *phydev)
+ {
+ struct device *dev = &phydev->mdio.dev;
+@@ -132,6 +287,25 @@ static void lan88xx_set_mdix(struct phy_
+ phy_write(phydev, LAN88XX_EXT_PAGE_ACCESS, LAN88XX_EXT_PAGE_SPACE_0);
+ }
+
++static int lan88xx_config_init(struct phy_device *phydev)
++{
++ int val;
++
++ genphy_config_init(phydev);
++ /*Zerodetect delay enable */
++ val = phy_read_mmd(phydev, MDIO_MMD_PCS,
++ PHY_ARDENNES_MMD_DEV_3_PHY_CFG);
++ val |= PHY_ARDENNES_MMD_DEV_3_PHY_CFG_ZD_DLY_EN_;
++
++ phy_write_mmd(phydev, MDIO_MMD_PCS, PHY_ARDENNES_MMD_DEV_3_PHY_CFG,
++ val);
++
++ /* Config DSP registers */
++ lan88xx_config_TR_regs(phydev);
++
++ return 0;
++}
++
+ static int lan88xx_config_aneg(struct phy_device *phydev)
+ {
+ lan88xx_set_mdix(phydev);
+@@ -151,7 +325,7 @@ static struct phy_driver microchip_phy_d
+ .probe = lan88xx_probe,
+ .remove = lan88xx_remove,
+
+- .config_init = genphy_config_init,
++ .config_init = lan88xx_config_init,
+ .config_aneg = lan88xx_config_aneg,
+
+ .ack_interrupt = lan88xx_phy_ack_interrupt,
+@@ -160,6 +334,8 @@ static struct phy_driver microchip_phy_d
+ .suspend = lan88xx_suspend,
+ .resume = genphy_resume,
+ .set_wol = lan88xx_set_wol,
++ .read_page = lan88xx_read_page,
++ .write_page = lan88xx_write_page,
+ } };
+
+ module_phy_driver(microchip_phy_driver);
+--- a/include/linux/microchipphy.h
++++ b/include/linux/microchipphy.h
+@@ -70,4 +70,12 @@
+ #define LAN88XX_MMD3_CHIP_ID (32877)
+ #define LAN88XX_MMD3_CHIP_REV (32878)
+
++/* DSP registers */
++#define PHY_ARDENNES_MMD_DEV_3_PHY_CFG (0x806A)
++#define PHY_ARDENNES_MMD_DEV_3_PHY_CFG_ZD_DLY_EN_ (0x2000)
++#define LAN88XX_EXT_PAGE_ACCESS_TR (0x52B5)
++#define LAN88XX_EXT_PAGE_TR_CR 16
++#define LAN88XX_EXT_PAGE_TR_LOW_DATA 17
++#define LAN88XX_EXT_PAGE_TR_HIGH_DATA 18
++
+ #endif /* _MICROCHIPPHY_H */
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Yury Norov <ynorov@caviumnetworks.com>
+Date: Fri, 11 May 2018 16:01:39 -0700
+Subject: lib/find_bit_benchmark.c: avoid soft lockup in test_find_first_bit()
+
+From: Yury Norov <ynorov@caviumnetworks.com>
+
+[ Upstream commit 4ba281d5bd9907355e6b79fb72049c9ed50cc670 ]
+
+test_find_first_bit() is intentionally sub-optimal, and may cause soft
+lockup due to long time of run on some systems. So decrease length of
+bitmap to traverse to avoid lockup.
+
+With the change below, time of test execution doesn't exceed 0.2 seconds
+on my testing system.
+
+Link: http://lkml.kernel.org/r/20180420171949.15710-1-ynorov@caviumnetworks.com
+Fixes: 4441fca0a27f5 ("lib: test module for find_*_bit() functions")
+Signed-off-by: Yury Norov <ynorov@caviumnetworks.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Reported-by: Fengguang Wu <fengguang.wu@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/find_bit_benchmark.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/lib/find_bit_benchmark.c
++++ b/lib/find_bit_benchmark.c
+@@ -132,7 +132,12 @@ static int __init find_bit_test(void)
+ test_find_next_bit(bitmap, BITMAP_LEN);
+ test_find_next_zero_bit(bitmap, BITMAP_LEN);
+ test_find_last_bit(bitmap, BITMAP_LEN);
+- test_find_first_bit(bitmap, BITMAP_LEN);
++
++ /*
++ * test_find_first_bit() may take some time, so
++ * traverse only part of bitmap to avoid soft lockup.
++ */
++ test_find_first_bit(bitmap, BITMAP_LEN / 10);
+ test_find_next_and_bit(bitmap, bitmap2, BITMAP_LEN);
+
+ pr_err("\nStart testing find_bit() with sparse bitmap\n");
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Evan Wang <xswang@marvell.com>
+Date: Fri, 13 Apr 2018 12:32:30 +0800
+Subject: libahci: Allow drivers to override stop_engine
+
+From: Evan Wang <xswang@marvell.com>
+
+[ Upstream commit fa89f53bd7288d6aa7a982841119e7123faf5a53 ]
+
+Marvell armada37xx, armada7k and armada8k share the same
+AHCI sata controller IP, and currently there is an issue
+(Errata Ref#226)that the SATA can not be detected via SATA
+Port-MultiPlayer(PMP). After debugging, the reason is
+found that the value of Port-x FIS-based Switching Control
+(PxFBS@0x40) became wrong.
+According to design, the bits[11:8, 0] of register PxFBS
+are cleared when Port Command and Status (0x18) bit[0]
+changes its value from 1 to 0, i.e. falling edge of Port
+Command and Status bit[0] sends PULSE that resets PxFBS
+bits[11:8; 0].
+So it needs save the port PxFBS register before PxCMD
+ST write and restore the port PxFBS register afterwards
+in ahci_stop_engine().
+
+This commit allows drivers to override ahci_stop_engine
+behavior for use by the Marvell AHCI driver(and potentially
+other drivers in the future).
+
+Signed-off-by: Evan Wang <xswang@marvell.com>
+Cc: Ofer Heifetz <oferh@marvell.com>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/ahci.c | 6 +++---
+ drivers/ata/ahci.h | 7 +++++++
+ drivers/ata/ahci_qoriq.c | 2 +-
+ drivers/ata/ahci_xgene.c | 4 ++--
+ drivers/ata/libahci.c | 20 ++++++++++++--------
+ drivers/ata/sata_highbank.c | 2 +-
+ 6 files changed, 26 insertions(+), 15 deletions(-)
+
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -699,7 +699,7 @@ static int ahci_vt8251_hardreset(struct
+
+ DPRINTK("ENTER\n");
+
+- ahci_stop_engine(ap);
++ hpriv->stop_engine(ap);
+
+ rc = sata_link_hardreset(link, sata_ehc_deb_timing(&link->eh_context),
+ deadline, &online, NULL);
+@@ -725,7 +725,7 @@ static int ahci_p5wdh_hardreset(struct a
+ bool online;
+ int rc;
+
+- ahci_stop_engine(ap);
++ hpriv->stop_engine(ap);
+
+ /* clear D2H reception area to properly wait for D2H FIS */
+ ata_tf_init(link->device, &tf);
+@@ -789,7 +789,7 @@ static int ahci_avn_hardreset(struct ata
+
+ DPRINTK("ENTER\n");
+
+- ahci_stop_engine(ap);
++ hpriv->stop_engine(ap);
+
+ for (i = 0; i < 2; i++) {
+ u16 val;
+--- a/drivers/ata/ahci.h
++++ b/drivers/ata/ahci.h
+@@ -365,6 +365,13 @@ struct ahci_host_priv {
+ * be overridden anytime before the host is activated.
+ */
+ void (*start_engine)(struct ata_port *ap);
++ /*
++ * Optional ahci_stop_engine override, if not set this gets set to the
++ * default ahci_stop_engine during ahci_save_initial_config, this can
++ * be overridden anytime before the host is activated.
++ */
++ int (*stop_engine)(struct ata_port *ap);
++
+ irqreturn_t (*irq_handler)(int irq, void *dev_instance);
+
+ /* only required for per-port MSI(-X) support */
+--- a/drivers/ata/ahci_qoriq.c
++++ b/drivers/ata/ahci_qoriq.c
+@@ -96,7 +96,7 @@ static int ahci_qoriq_hardreset(struct a
+
+ DPRINTK("ENTER\n");
+
+- ahci_stop_engine(ap);
++ hpriv->stop_engine(ap);
+
+ /*
+ * There is a errata on ls1021a Rev1.0 and Rev2.0 which is:
+--- a/drivers/ata/ahci_xgene.c
++++ b/drivers/ata/ahci_xgene.c
+@@ -165,7 +165,7 @@ static int xgene_ahci_restart_engine(str
+ PORT_CMD_ISSUE, 0x0, 1, 100))
+ return -EBUSY;
+
+- ahci_stop_engine(ap);
++ hpriv->stop_engine(ap);
+ ahci_start_fis_rx(ap);
+
+ /*
+@@ -421,7 +421,7 @@ static int xgene_ahci_hardreset(struct a
+ portrxfis_saved = readl(port_mmio + PORT_FIS_ADDR);
+ portrxfishi_saved = readl(port_mmio + PORT_FIS_ADDR_HI);
+
+- ahci_stop_engine(ap);
++ hpriv->stop_engine(ap);
+
+ rc = xgene_ahci_do_hardreset(link, deadline, &online);
+
+--- a/drivers/ata/libahci.c
++++ b/drivers/ata/libahci.c
+@@ -560,6 +560,9 @@ void ahci_save_initial_config(struct dev
+ if (!hpriv->start_engine)
+ hpriv->start_engine = ahci_start_engine;
+
++ if (!hpriv->stop_engine)
++ hpriv->stop_engine = ahci_stop_engine;
++
+ if (!hpriv->irq_handler)
+ hpriv->irq_handler = ahci_single_level_irq_intr;
+ }
+@@ -897,9 +900,10 @@ static void ahci_start_port(struct ata_p
+ static int ahci_deinit_port(struct ata_port *ap, const char **emsg)
+ {
+ int rc;
++ struct ahci_host_priv *hpriv = ap->host->private_data;
+
+ /* disable DMA */
+- rc = ahci_stop_engine(ap);
++ rc = hpriv->stop_engine(ap);
+ if (rc) {
+ *emsg = "failed to stop engine";
+ return rc;
+@@ -1310,7 +1314,7 @@ int ahci_kick_engine(struct ata_port *ap
+ int busy, rc;
+
+ /* stop engine */
+- rc = ahci_stop_engine(ap);
++ rc = hpriv->stop_engine(ap);
+ if (rc)
+ goto out_restart;
+
+@@ -1549,7 +1553,7 @@ int ahci_do_hardreset(struct ata_link *l
+
+ DPRINTK("ENTER\n");
+
+- ahci_stop_engine(ap);
++ hpriv->stop_engine(ap);
+
+ /* clear D2H reception area to properly wait for D2H FIS */
+ ata_tf_init(link->device, &tf);
+@@ -2075,14 +2079,14 @@ void ahci_error_handler(struct ata_port
+
+ if (!(ap->pflags & ATA_PFLAG_FROZEN)) {
+ /* restart engine */
+- ahci_stop_engine(ap);
++ hpriv->stop_engine(ap);
+ hpriv->start_engine(ap);
+ }
+
+ sata_pmp_error_handler(ap);
+
+ if (!ata_dev_enabled(ap->link.device))
+- ahci_stop_engine(ap);
++ hpriv->stop_engine(ap);
+ }
+ EXPORT_SYMBOL_GPL(ahci_error_handler);
+
+@@ -2129,7 +2133,7 @@ static void ahci_set_aggressive_devslp(s
+ return;
+
+ /* set DITO, MDAT, DETO and enable DevSlp, need to stop engine first */
+- rc = ahci_stop_engine(ap);
++ rc = hpriv->stop_engine(ap);
+ if (rc)
+ return;
+
+@@ -2189,7 +2193,7 @@ static void ahci_enable_fbs(struct ata_p
+ return;
+ }
+
+- rc = ahci_stop_engine(ap);
++ rc = hpriv->stop_engine(ap);
+ if (rc)
+ return;
+
+@@ -2222,7 +2226,7 @@ static void ahci_disable_fbs(struct ata_
+ return;
+ }
+
+- rc = ahci_stop_engine(ap);
++ rc = hpriv->stop_engine(ap);
+ if (rc)
+ return;
+
+--- a/drivers/ata/sata_highbank.c
++++ b/drivers/ata/sata_highbank.c
+@@ -410,7 +410,7 @@ static int ahci_highbank_hardreset(struc
+ int rc;
+ int retry = 100;
+
+- ahci_stop_engine(ap);
++ hpriv->stop_engine(ap);
+
+ /* clear D2H reception area to properly wait for D2H FIS */
+ ata_tf_init(link->device, &tf);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Mon, 5 Feb 2018 19:32:18 +0200
+Subject: <linux/stringhash.h>: fix end_name_hash() for 64bit long
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+[ Upstream commit 19b9ad67310ed2f685062a00aec602bec33835f0 ]
+
+The comment claims that this helper will try not to loose bits, but for
+64bit long it looses the high bits before hashing 64bit long into 32bit
+int. Use the helper hash_long() to do the right thing for 64bit long.
+For 32bit long, there is no change.
+
+All the callers of end_name_hash() either assign the result to
+qstr->hash, which is u32 or return the result as an int value (e.g.
+full_name_hash()). Change the helper return type to int to conform to
+its users.
+
+[ It took me a while to apply this, because my initial reaction to it
+ was - incorrectly - that it could make for slower code.
+
+ After having looked more at it, I take back all my complaints about
+ the patch, Amir was right and I was mis-reading things or just being
+ stupid.
+
+ I also don't worry too much about the possible performance impact of
+ this on 64-bit, since most architectures that actually care about
+ performance end up not using this very much (the dcache code is the
+ most performance-critical, but the word-at-a-time case uses its own
+ hashing anyway).
+
+ So this ends up being mostly used for filesystems that do their own
+ degraded hashing (usually because they want a case-insensitive
+ comparison function).
+
+ A _tiny_ worry remains, in that not everybody uses DCACHE_WORD_ACCESS,
+ and then this potentially makes things more expensive on 64-bit
+ architectures with slow or lacking multipliers even for the normal
+ case.
+
+ That said, realistically the only such architecture I can think of is
+ PA-RISC. Nobody really cares about performance on that, it's more of a
+ "look ma, I've got warts^W an odd machine" platform.
+
+ So the patch is fine, and all my initial worries were just misplaced
+ from not looking at this properly. - Linus ]
+
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/stringhash.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/stringhash.h
++++ b/include/linux/stringhash.h
+@@ -50,9 +50,9 @@ partial_name_hash(unsigned long c, unsig
+ * losing bits). This also has the property (wanted by the dcache)
+ * that the msbits make a good hash table index.
+ */
+-static inline unsigned long end_name_hash(unsigned long hash)
++static inline unsigned int end_name_hash(unsigned long hash)
+ {
+- return __hash_32((unsigned int)hash);
++ return hash_long(hash, 32);
+ }
+
+ /*
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Petr Mladek <pmladek@suse.com>
+Date: Mon, 16 Apr 2018 13:36:47 +0200
+Subject: livepatch: Allow to call a custom callback when freeing shadow variables
+
+From: Petr Mladek <pmladek@suse.com>
+
+[ Upstream commit 3b2c77d000fe9f7d02e9e726e00dccf9f92b256f ]
+
+We might need to do some actions before the shadow variable is freed.
+For example, we might need to remove it from a list or free some data
+that it points to.
+
+This is already possible now. The user can get the shadow variable
+by klp_shadow_get(), do the necessary actions, and then call
+klp_shadow_free().
+
+This patch allows to do it a more elegant way. The user could implement
+the needed actions in a callback that is passed to klp_shadow_free()
+as a parameter. The callback usually does reverse operations to
+the constructor callback that can be called by klp_shadow_*alloc().
+
+It is especially useful for klp_shadow_free_all(). There we need to do
+these extra actions for each found shadow variable with the given ID.
+
+Note that the memory used by the shadow variable itself is still released
+later by rcu callback. It is needed to protect internal structures that
+keep all shadow variables. But the destructor is called immediately.
+The shadow variable must not be access anyway after klp_shadow_free()
+is called. The user is responsible to protect this any suitable way.
+
+Be aware that the destructor is called under klp_shadow_lock. It is
+the same as for the contructor in klp_shadow_alloc().
+
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Acked-by: Miroslav Benes <mbenes@suse.cz>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/livepatch/shadow-vars.txt | 10 +++++++---
+ include/linux/livepatch.h | 5 +++--
+ kernel/livepatch/shadow.c | 26 ++++++++++++++++++--------
+ samples/livepatch/livepatch-shadow-fix1.c | 25 +++++++++++++++----------
+ samples/livepatch/livepatch-shadow-fix2.c | 27 ++++++++++++++++-----------
+ 5 files changed, 59 insertions(+), 34 deletions(-)
+
+--- a/Documentation/livepatch/shadow-vars.txt
++++ b/Documentation/livepatch/shadow-vars.txt
+@@ -65,11 +65,15 @@ to do actions that can be done only once
+
+ * klp_shadow_free() - detach and free a <obj, id> shadow variable
+ - find and remove a <obj, id> reference from global hashtable
+- - if found, free shadow variable
++ - if found
++ - call destructor function if defined
++ - free shadow variable
+
+ * klp_shadow_free_all() - detach and free all <*, id> shadow variables
+ - find and remove any <*, id> references from global hashtable
+- - if found, free shadow variable
++ - if found
++ - call destructor function if defined
++ - free shadow variable
+
+
+ 2. Use cases
+@@ -136,7 +140,7 @@ variable:
+
+ void sta_info_free(struct ieee80211_local *local, struct sta_info *sta)
+ {
+- klp_shadow_free(sta, PS_LOCK);
++ klp_shadow_free(sta, PS_LOCK, NULL);
+ kfree(sta);
+ ...
+
+--- a/include/linux/livepatch.h
++++ b/include/linux/livepatch.h
+@@ -189,6 +189,7 @@ static inline bool klp_have_reliable_sta
+ typedef int (*klp_shadow_ctor_t)(void *obj,
+ void *shadow_data,
+ void *ctor_data);
++typedef void (*klp_shadow_dtor_t)(void *obj, void *shadow_data);
+
+ void *klp_shadow_get(void *obj, unsigned long id);
+ void *klp_shadow_alloc(void *obj, unsigned long id,
+@@ -197,8 +198,8 @@ void *klp_shadow_alloc(void *obj, unsign
+ void *klp_shadow_get_or_alloc(void *obj, unsigned long id,
+ size_t size, gfp_t gfp_flags,
+ klp_shadow_ctor_t ctor, void *ctor_data);
+-void klp_shadow_free(void *obj, unsigned long id);
+-void klp_shadow_free_all(unsigned long id);
++void klp_shadow_free(void *obj, unsigned long id, klp_shadow_dtor_t dtor);
++void klp_shadow_free_all(unsigned long id, klp_shadow_dtor_t dtor);
+
+ #else /* !CONFIG_LIVEPATCH */
+
+--- a/kernel/livepatch/shadow.c
++++ b/kernel/livepatch/shadow.c
+@@ -243,15 +243,26 @@ void *klp_shadow_get_or_alloc(void *obj,
+ }
+ EXPORT_SYMBOL_GPL(klp_shadow_get_or_alloc);
+
++static void klp_shadow_free_struct(struct klp_shadow *shadow,
++ klp_shadow_dtor_t dtor)
++{
++ hash_del_rcu(&shadow->node);
++ if (dtor)
++ dtor(shadow->obj, shadow->data);
++ kfree_rcu(shadow, rcu_head);
++}
++
+ /**
+ * klp_shadow_free() - detach and free a <obj, id> shadow variable
+ * @obj: pointer to parent object
+ * @id: data identifier
++ * @dtor: custom callback that can be used to unregister the variable
++ * and/or free data that the shadow variable points to (optional)
+ *
+ * This function releases the memory for this <obj, id> shadow variable
+ * instance, callers should stop referencing it accordingly.
+ */
+-void klp_shadow_free(void *obj, unsigned long id)
++void klp_shadow_free(void *obj, unsigned long id, klp_shadow_dtor_t dtor)
+ {
+ struct klp_shadow *shadow;
+ unsigned long flags;
+@@ -263,8 +274,7 @@ void klp_shadow_free(void *obj, unsigned
+ (unsigned long)obj) {
+
+ if (klp_shadow_match(shadow, obj, id)) {
+- hash_del_rcu(&shadow->node);
+- kfree_rcu(shadow, rcu_head);
++ klp_shadow_free_struct(shadow, dtor);
+ break;
+ }
+ }
+@@ -276,11 +286,13 @@ EXPORT_SYMBOL_GPL(klp_shadow_free);
+ /**
+ * klp_shadow_free_all() - detach and free all <*, id> shadow variables
+ * @id: data identifier
++ * @dtor: custom callback that can be used to unregister the variable
++ * and/or free data that the shadow variable points to (optional)
+ *
+ * This function releases the memory for all <*, id> shadow variable
+ * instances, callers should stop referencing them accordingly.
+ */
+-void klp_shadow_free_all(unsigned long id)
++void klp_shadow_free_all(unsigned long id, klp_shadow_dtor_t dtor)
+ {
+ struct klp_shadow *shadow;
+ unsigned long flags;
+@@ -290,10 +302,8 @@ void klp_shadow_free_all(unsigned long i
+
+ /* Delete all <*, id> from hash */
+ hash_for_each(klp_shadow_hash, i, shadow, node) {
+- if (klp_shadow_match(shadow, shadow->obj, id)) {
+- hash_del_rcu(&shadow->node);
+- kfree_rcu(shadow, rcu_head);
+- }
++ if (klp_shadow_match(shadow, shadow->obj, id))
++ klp_shadow_free_struct(shadow, dtor);
+ }
+
+ spin_unlock_irqrestore(&klp_shadow_lock, flags);
+--- a/samples/livepatch/livepatch-shadow-fix1.c
++++ b/samples/livepatch/livepatch-shadow-fix1.c
+@@ -98,9 +98,19 @@ struct dummy *livepatch_fix1_dummy_alloc
+ return d;
+ }
+
++static void livepatch_fix1_dummy_leak_dtor(void *obj, void *shadow_data)
++{
++ void *d = obj;
++ void **shadow_leak = shadow_data;
++
++ kfree(*shadow_leak);
++ pr_info("%s: dummy @ %p, prevented leak @ %p\n",
++ __func__, d, *shadow_leak);
++}
++
+ void livepatch_fix1_dummy_free(struct dummy *d)
+ {
+- void **shadow_leak, *leak;
++ void **shadow_leak;
+
+ /*
+ * Patch: fetch the saved SV_LEAK shadow variable, detach and
+@@ -109,15 +119,10 @@ void livepatch_fix1_dummy_free(struct du
+ * was loaded.)
+ */
+ shadow_leak = klp_shadow_get(d, SV_LEAK);
+- if (shadow_leak) {
+- leak = *shadow_leak;
+- klp_shadow_free(d, SV_LEAK);
+- kfree(leak);
+- pr_info("%s: dummy @ %p, prevented leak @ %p\n",
+- __func__, d, leak);
+- } else {
++ if (shadow_leak)
++ klp_shadow_free(d, SV_LEAK, livepatch_fix1_dummy_leak_dtor);
++ else
+ pr_info("%s: dummy @ %p leaked!\n", __func__, d);
+- }
+
+ kfree(d);
+ }
+@@ -163,7 +168,7 @@ static int livepatch_shadow_fix1_init(vo
+ static void livepatch_shadow_fix1_exit(void)
+ {
+ /* Cleanup any existing SV_LEAK shadow variables */
+- klp_shadow_free_all(SV_LEAK);
++ klp_shadow_free_all(SV_LEAK, livepatch_fix1_dummy_leak_dtor);
+
+ WARN_ON(klp_unregister_patch(&patch));
+ }
+--- a/samples/livepatch/livepatch-shadow-fix2.c
++++ b/samples/livepatch/livepatch-shadow-fix2.c
+@@ -68,22 +68,27 @@ bool livepatch_fix2_dummy_check(struct d
+ return time_after(jiffies, d->jiffies_expire);
+ }
+
++static void livepatch_fix2_dummy_leak_dtor(void *obj, void *shadow_data)
++{
++ void *d = obj;
++ void **shadow_leak = shadow_data;
++
++ kfree(*shadow_leak);
++ pr_info("%s: dummy @ %p, prevented leak @ %p\n",
++ __func__, d, *shadow_leak);
++}
++
+ void livepatch_fix2_dummy_free(struct dummy *d)
+ {
+- void **shadow_leak, *leak;
++ void **shadow_leak;
+ int *shadow_count;
+
+ /* Patch: copy the memory leak patch from the fix1 module. */
+ shadow_leak = klp_shadow_get(d, SV_LEAK);
+- if (shadow_leak) {
+- leak = *shadow_leak;
+- klp_shadow_free(d, SV_LEAK);
+- kfree(leak);
+- pr_info("%s: dummy @ %p, prevented leak @ %p\n",
+- __func__, d, leak);
+- } else {
++ if (shadow_leak)
++ klp_shadow_free(d, SV_LEAK, livepatch_fix2_dummy_leak_dtor);
++ else
+ pr_info("%s: dummy @ %p leaked!\n", __func__, d);
+- }
+
+ /*
+ * Patch: fetch the SV_COUNTER shadow variable and display
+@@ -93,7 +98,7 @@ void livepatch_fix2_dummy_free(struct du
+ if (shadow_count) {
+ pr_info("%s: dummy @ %p, check counter = %d\n",
+ __func__, d, *shadow_count);
+- klp_shadow_free(d, SV_COUNTER);
++ klp_shadow_free(d, SV_COUNTER, NULL);
+ }
+
+ kfree(d);
+@@ -140,7 +145,7 @@ static int livepatch_shadow_fix2_init(vo
+ static void livepatch_shadow_fix2_exit(void)
+ {
+ /* Cleanup any existing SV_COUNTER shadow variables */
+- klp_shadow_free_all(SV_COUNTER);
++ klp_shadow_free_all(SV_COUNTER, NULL);
+
+ WARN_ON(klp_unregister_patch(&patch));
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Petr Mladek <pmladek@suse.com>
+Date: Mon, 16 Apr 2018 13:36:46 +0200
+Subject: livepatch: Initialize shadow variables safely by a custom callback
+
+From: Petr Mladek <pmladek@suse.com>
+
+[ Upstream commit e91c2518a5d22a07642f35d85f39001ad379dae4 ]
+
+The existing API allows to pass a sample data to initialize the shadow
+data. It works well when the data are position independent. But it fails
+miserably when we need to set a pointer to the shadow structure itself.
+
+Unfortunately, we might need to initialize the pointer surprisingly
+often because of struct list_head. It is even worse because the list
+might be hidden in other common structures, for example, struct mutex,
+struct wait_queue_head.
+
+For example, this was needed to fix races in ALSA sequencer. It required
+to add mutex into struct snd_seq_client. See commit b3defb791b26ea06
+("ALSA: seq: Make ioctls race-free") and commit d15d662e89fc667b9
+("ALSA: seq: Fix racy pool initializations")
+
+This patch makes the API more safe. A custom constructor function and data
+are passed to klp_shadow_*alloc() functions instead of the sample data.
+
+Note that ctor_data are no longer a template for shadow->data. It might
+point to any data that might be necessary when the constructor is called.
+
+Also note that the constructor is called under klp_shadow_lock. It is
+an internal spin_lock that synchronizes alloc() vs. get() operations,
+see klp_shadow_get_or_alloc(). On one hand, this adds a risk of ABBA
+deadlocks. On the other hand, it allows to do some operations safely.
+For example, we could add the new structure into an existing list.
+This must be done only once when the structure is allocated.
+
+Reported-by: Nicolai Stange <nstange@suse.de>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Acked-by: Miroslav Benes <mbenes@suse.cz>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/livepatch/shadow-vars.txt | 31 +++++++----
+ include/linux/livepatch.h | 14 +++--
+ kernel/livepatch/shadow.c | 84 +++++++++++++++++++-----------
+ samples/livepatch/livepatch-shadow-fix1.c | 18 ++++++
+ samples/livepatch/livepatch-shadow-fix2.c | 6 --
+ 5 files changed, 105 insertions(+), 48 deletions(-)
+
+--- a/Documentation/livepatch/shadow-vars.txt
++++ b/Documentation/livepatch/shadow-vars.txt
+@@ -34,9 +34,13 @@ meta-data and shadow-data:
+ - data[] - storage for shadow data
+
+ It is important to note that the klp_shadow_alloc() and
+-klp_shadow_get_or_alloc() calls, described below, store a *copy* of the
+-data that the functions are provided. Callers should provide whatever
+-mutual exclusion is required of the shadow data.
++klp_shadow_get_or_alloc() are zeroing the variable by default.
++They also allow to call a custom constructor function when a non-zero
++value is needed. Callers should provide whatever mutual exclusion
++is required.
++
++Note that the constructor is called under klp_shadow_lock spinlock. It allows
++to do actions that can be done only once when a new variable is allocated.
+
+ * klp_shadow_get() - retrieve a shadow variable data pointer
+ - search hashtable for <obj, id> pair
+@@ -47,7 +51,7 @@ mutual exclusion is required of the shad
+ - WARN and return NULL
+ - if <obj, id> doesn't already exist
+ - allocate a new shadow variable
+- - copy data into the new shadow variable
++ - initialize the variable using a custom constructor and data when provided
+ - add <obj, id> to the global hashtable
+
+ * klp_shadow_get_or_alloc() - get existing or alloc a new shadow variable
+@@ -56,7 +60,7 @@ mutual exclusion is required of the shad
+ - return existing shadow variable
+ - if <obj, id> doesn't already exist
+ - allocate a new shadow variable
+- - copy data into the new shadow variable
++ - initialize the variable using a custom constructor and data when provided
+ - add <obj, id> pair to the global hashtable
+
+ * klp_shadow_free() - detach and free a <obj, id> shadow variable
+@@ -107,7 +111,8 @@ struct sta_info *sta_info_alloc(struct i
+ sta = kzalloc(sizeof(*sta) + hw->sta_data_size, gfp);
+
+ /* Attach a corresponding shadow variable, then initialize it */
+- ps_lock = klp_shadow_alloc(sta, PS_LOCK, NULL, sizeof(*ps_lock), gfp);
++ ps_lock = klp_shadow_alloc(sta, PS_LOCK, sizeof(*ps_lock), gfp,
++ NULL, NULL);
+ if (!ps_lock)
+ goto shadow_fail;
+ spin_lock_init(ps_lock);
+@@ -148,16 +153,24 @@ shadow variables to parents already in-f
+ For commit 1d147bfa6429, a good spot to allocate a shadow spinlock is
+ inside ieee80211_sta_ps_deliver_wakeup():
+
++int ps_lock_shadow_ctor(void *obj, void *shadow_data, void *ctor_data)
++{
++ spinlock_t *lock = shadow_data;
++
++ spin_lock_init(lock);
++ return 0;
++}
++
+ #define PS_LOCK 1
+ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
+ {
+- DEFINE_SPINLOCK(ps_lock_fallback);
+ spinlock_t *ps_lock;
+
+ /* sync with ieee80211_tx_h_unicast_ps_buf */
+ ps_lock = klp_shadow_get_or_alloc(sta, PS_LOCK,
+- &ps_lock_fallback, sizeof(ps_lock_fallback),
+- GFP_ATOMIC);
++ sizeof(*ps_lock), GFP_ATOMIC,
++ ps_lock_shadow_ctor, NULL);
++
+ if (ps_lock)
+ spin_lock(ps_lock);
+ ...
+--- a/include/linux/livepatch.h
++++ b/include/linux/livepatch.h
+@@ -186,11 +186,17 @@ static inline bool klp_have_reliable_sta
+ IS_ENABLED(CONFIG_HAVE_RELIABLE_STACKTRACE);
+ }
+
++typedef int (*klp_shadow_ctor_t)(void *obj,
++ void *shadow_data,
++ void *ctor_data);
++
+ void *klp_shadow_get(void *obj, unsigned long id);
+-void *klp_shadow_alloc(void *obj, unsigned long id, void *data,
+- size_t size, gfp_t gfp_flags);
+-void *klp_shadow_get_or_alloc(void *obj, unsigned long id, void *data,
+- size_t size, gfp_t gfp_flags);
++void *klp_shadow_alloc(void *obj, unsigned long id,
++ size_t size, gfp_t gfp_flags,
++ klp_shadow_ctor_t ctor, void *ctor_data);
++void *klp_shadow_get_or_alloc(void *obj, unsigned long id,
++ size_t size, gfp_t gfp_flags,
++ klp_shadow_ctor_t ctor, void *ctor_data);
+ void klp_shadow_free(void *obj, unsigned long id);
+ void klp_shadow_free_all(unsigned long id);
+
+--- a/kernel/livepatch/shadow.c
++++ b/kernel/livepatch/shadow.c
+@@ -113,8 +113,10 @@ void *klp_shadow_get(void *obj, unsigned
+ }
+ EXPORT_SYMBOL_GPL(klp_shadow_get);
+
+-static void *__klp_shadow_get_or_alloc(void *obj, unsigned long id, void *data,
+- size_t size, gfp_t gfp_flags, bool warn_on_exist)
++static void *__klp_shadow_get_or_alloc(void *obj, unsigned long id,
++ size_t size, gfp_t gfp_flags,
++ klp_shadow_ctor_t ctor, void *ctor_data,
++ bool warn_on_exist)
+ {
+ struct klp_shadow *new_shadow;
+ void *shadow_data;
+@@ -125,18 +127,15 @@ static void *__klp_shadow_get_or_alloc(v
+ if (shadow_data)
+ goto exists;
+
+- /* Allocate a new shadow variable for use inside the lock below */
++ /*
++ * Allocate a new shadow variable. Fill it with zeroes by default.
++ * More complex setting can be done by @ctor function. But it is
++ * called only when the buffer is really used (under klp_shadow_lock).
++ */
+ new_shadow = kzalloc(size + sizeof(*new_shadow), gfp_flags);
+ if (!new_shadow)
+ return NULL;
+
+- new_shadow->obj = obj;
+- new_shadow->id = id;
+-
+- /* Initialize the shadow variable if data provided */
+- if (data)
+- memcpy(new_shadow->data, data, size);
+-
+ /* Look for <obj, id> again under the lock */
+ spin_lock_irqsave(&klp_shadow_lock, flags);
+ shadow_data = klp_shadow_get(obj, id);
+@@ -150,6 +149,22 @@ static void *__klp_shadow_get_or_alloc(v
+ goto exists;
+ }
+
++ new_shadow->obj = obj;
++ new_shadow->id = id;
++
++ if (ctor) {
++ int err;
++
++ err = ctor(obj, new_shadow->data, ctor_data);
++ if (err) {
++ spin_unlock_irqrestore(&klp_shadow_lock, flags);
++ kfree(new_shadow);
++ pr_err("Failed to construct shadow variable <%p, %lx> (%d)\n",
++ obj, id, err);
++ return NULL;
++ }
++ }
++
+ /* No <obj, id> found, so attach the newly allocated one */
+ hash_add_rcu(klp_shadow_hash, &new_shadow->node,
+ (unsigned long)new_shadow->obj);
+@@ -170,26 +185,32 @@ exists:
+ * klp_shadow_alloc() - allocate and add a new shadow variable
+ * @obj: pointer to parent object
+ * @id: data identifier
+- * @data: pointer to data to attach to parent
+ * @size: size of attached data
+ * @gfp_flags: GFP mask for allocation
++ * @ctor: custom constructor to initialize the shadow data (optional)
++ * @ctor_data: pointer to any data needed by @ctor (optional)
+ *
+- * Allocates @size bytes for new shadow variable data using @gfp_flags
+- * and copies @size bytes from @data into the new shadow variable's own
+- * data space. If @data is NULL, @size bytes are still allocated, but
+- * no copy is performed. The new shadow variable is then added to the
+- * global hashtable.
+- *
+- * If an existing <obj, id> shadow variable can be found, this routine
+- * will issue a WARN, exit early and return NULL.
++ * Allocates @size bytes for new shadow variable data using @gfp_flags.
++ * The data are zeroed by default. They are further initialized by @ctor
++ * function if it is not NULL. The new shadow variable is then added
++ * to the global hashtable.
++ *
++ * If an existing <obj, id> shadow variable can be found, this routine will
++ * issue a WARN, exit early and return NULL.
++ *
++ * This function guarantees that the constructor function is called only when
++ * the variable did not exist before. The cost is that @ctor is called
++ * in atomic context under a spin lock.
+ *
+ * Return: the shadow variable data element, NULL on duplicate or
+ * failure.
+ */
+-void *klp_shadow_alloc(void *obj, unsigned long id, void *data,
+- size_t size, gfp_t gfp_flags)
++void *klp_shadow_alloc(void *obj, unsigned long id,
++ size_t size, gfp_t gfp_flags,
++ klp_shadow_ctor_t ctor, void *ctor_data)
+ {
+- return __klp_shadow_get_or_alloc(obj, id, data, size, gfp_flags, true);
++ return __klp_shadow_get_or_alloc(obj, id, size, gfp_flags,
++ ctor, ctor_data, true);
+ }
+ EXPORT_SYMBOL_GPL(klp_shadow_alloc);
+
+@@ -197,25 +218,28 @@ EXPORT_SYMBOL_GPL(klp_shadow_alloc);
+ * klp_shadow_get_or_alloc() - get existing or allocate a new shadow variable
+ * @obj: pointer to parent object
+ * @id: data identifier
+- * @data: pointer to data to attach to parent
+ * @size: size of attached data
+ * @gfp_flags: GFP mask for allocation
++ * @ctor: custom constructor to initialize the shadow data (optional)
++ * @ctor_data: pointer to any data needed by @ctor (optional)
+ *
+ * Returns a pointer to existing shadow data if an <obj, id> shadow
+ * variable is already present. Otherwise, it creates a new shadow
+ * variable like klp_shadow_alloc().
+ *
+- * This function guarantees that only one shadow variable exists with
+- * the given @id for the given @obj. It also guarantees that the shadow
+- * variable will be initialized by the given @data only when it did not
+- * exist before.
++ * This function guarantees that only one shadow variable exists with the given
++ * @id for the given @obj. It also guarantees that the constructor function
++ * will be called only when the variable did not exist before. The cost is
++ * that @ctor is called in atomic context under a spin lock.
+ *
+ * Return: the shadow variable data element, NULL on failure.
+ */
+-void *klp_shadow_get_or_alloc(void *obj, unsigned long id, void *data,
+- size_t size, gfp_t gfp_flags)
++void *klp_shadow_get_or_alloc(void *obj, unsigned long id,
++ size_t size, gfp_t gfp_flags,
++ klp_shadow_ctor_t ctor, void *ctor_data)
+ {
+- return __klp_shadow_get_or_alloc(obj, id, data, size, gfp_flags, false);
++ return __klp_shadow_get_or_alloc(obj, id, size, gfp_flags,
++ ctor, ctor_data, false);
+ }
+ EXPORT_SYMBOL_GPL(klp_shadow_get_or_alloc);
+
+--- a/samples/livepatch/livepatch-shadow-fix1.c
++++ b/samples/livepatch/livepatch-shadow-fix1.c
+@@ -56,6 +56,21 @@ struct dummy {
+ unsigned long jiffies_expire;
+ };
+
++/*
++ * The constructor makes more sense together with klp_shadow_get_or_alloc().
++ * In this example, it would be safe to assign the pointer also to the shadow
++ * variable returned by klp_shadow_alloc(). But we wanted to show the more
++ * complicated use of the API.
++ */
++static int shadow_leak_ctor(void *obj, void *shadow_data, void *ctor_data)
++{
++ void **shadow_leak = shadow_data;
++ void *leak = ctor_data;
++
++ *shadow_leak = leak;
++ return 0;
++}
++
+ struct dummy *livepatch_fix1_dummy_alloc(void)
+ {
+ struct dummy *d;
+@@ -74,7 +89,8 @@ struct dummy *livepatch_fix1_dummy_alloc
+ * pointer to handle resource release.
+ */
+ leak = kzalloc(sizeof(int), GFP_KERNEL);
+- klp_shadow_alloc(d, SV_LEAK, &leak, sizeof(leak), GFP_KERNEL);
++ klp_shadow_alloc(d, SV_LEAK, sizeof(leak), GFP_KERNEL,
++ shadow_leak_ctor, leak);
+
+ pr_info("%s: dummy @ %p, expires @ %lx\n",
+ __func__, d, d->jiffies_expire);
+--- a/samples/livepatch/livepatch-shadow-fix2.c
++++ b/samples/livepatch/livepatch-shadow-fix2.c
+@@ -53,17 +53,15 @@ struct dummy {
+ bool livepatch_fix2_dummy_check(struct dummy *d, unsigned long jiffies)
+ {
+ int *shadow_count;
+- int count;
+
+ /*
+ * Patch: handle in-flight dummy structures, if they do not
+ * already have a SV_COUNTER shadow variable, then attach a
+ * new one.
+ */
+- count = 0;
+ shadow_count = klp_shadow_get_or_alloc(d, SV_COUNTER,
+- &count, sizeof(count),
+- GFP_NOWAIT);
++ sizeof(*shadow_count), GFP_NOWAIT,
++ NULL, NULL);
+ if (shadow_count)
+ *shadow_count += 1;
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Waiman Long <longman@redhat.com>
+Date: Tue, 15 May 2018 17:49:51 -0400
+Subject: locking/percpu-rwsem: Annotate rwsem ownership transfer by setting RWSEM_OWNER_UNKNOWN
+
+From: Waiman Long <longman@redhat.com>
+
+[ Upstream commit 5a817641f68a6399a5fac8b7d2da67a73698ffed ]
+
+The filesystem freezing code needs to transfer ownership of a rwsem
+embedded in a percpu-rwsem from the task that does the freezing to
+another one that does the thawing by calling percpu_rwsem_release()
+after freezing and percpu_rwsem_acquire() before thawing.
+
+However, the new rwsem debug code runs afoul with this scheme by warning
+that the task that releases the rwsem isn't the one that acquires it,
+as reported by Amir Goldstein:
+
+ DEBUG_LOCKS_WARN_ON(sem->owner != get_current())
+ WARNING: CPU: 1 PID: 1401 at /home/amir/build/src/linux/kernel/locking/rwsem.c:133 up_write+0x59/0x79
+
+ Call Trace:
+ percpu_up_write+0x1f/0x28
+ thaw_super_locked+0xdf/0x120
+ do_vfs_ioctl+0x270/0x5f1
+ ksys_ioctl+0x52/0x71
+ __x64_sys_ioctl+0x16/0x19
+ do_syscall_64+0x5d/0x167
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+To work properly with the rwsem debug code, we need to annotate that the
+rwsem ownership is unknown during the tranfer period until a brave soul
+comes forward to acquire the ownership. During that period, optimistic
+spinning will be disabled.
+
+Reported-by: Amir Goldstein <amir73il@gmail.com>
+Tested-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Waiman Long <longman@redhat.com>
+Acked-by: Peter Zijlstra <peterz@infradead.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Cc: Theodore Y. Ts'o <tytso@mit.edu>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: linux-fsdevel@vger.kernel.org
+Link: http://lkml.kernel.org/r/1526420991-21213-3-git-send-email-longman@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/percpu-rwsem.h | 6 +++++-
+ include/linux/rwsem.h | 6 ++++++
+ kernel/locking/rwsem-xadd.c | 2 ++
+ 3 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/include/linux/percpu-rwsem.h
++++ b/include/linux/percpu-rwsem.h
+@@ -133,7 +133,7 @@ static inline void percpu_rwsem_release(
+ lock_release(&sem->rw_sem.dep_map, 1, ip);
+ #ifdef CONFIG_RWSEM_SPIN_ON_OWNER
+ if (!read)
+- sem->rw_sem.owner = NULL;
++ sem->rw_sem.owner = RWSEM_OWNER_UNKNOWN;
+ #endif
+ }
+
+@@ -141,6 +141,10 @@ static inline void percpu_rwsem_acquire(
+ bool read, unsigned long ip)
+ {
+ lock_acquire(&sem->rw_sem.dep_map, 0, 1, read, 1, NULL, ip);
++#ifdef CONFIG_RWSEM_SPIN_ON_OWNER
++ if (!read)
++ sem->rw_sem.owner = current;
++#endif
+ }
+
+ #endif
+--- a/include/linux/rwsem.h
++++ b/include/linux/rwsem.h
+@@ -44,6 +44,12 @@ struct rw_semaphore {
+ #endif
+ };
+
++/*
++ * Setting bit 0 of the owner field with other non-zero bits will indicate
++ * that the rwsem is writer-owned with an unknown owner.
++ */
++#define RWSEM_OWNER_UNKNOWN ((struct task_struct *)-1L)
++
+ extern struct rw_semaphore *rwsem_down_read_failed(struct rw_semaphore *sem);
+ extern struct rw_semaphore *rwsem_down_read_failed_killable(struct rw_semaphore *sem);
+ extern struct rw_semaphore *rwsem_down_write_failed(struct rw_semaphore *sem);
+--- a/kernel/locking/rwsem-xadd.c
++++ b/kernel/locking/rwsem-xadd.c
+@@ -352,6 +352,8 @@ static inline bool rwsem_can_spin_on_own
+ struct task_struct *owner;
+ bool ret = true;
+
++ BUILD_BUG_ON(!rwsem_has_anonymous_owner(RWSEM_OWNER_UNKNOWN));
++
+ if (need_resched())
+ return false;
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Waiman Long <longman@redhat.com>
+Date: Tue, 15 May 2018 17:49:50 -0400
+Subject: locking/rwsem: Add a new RWSEM_ANONYMOUSLY_OWNED flag
+
+From: Waiman Long <longman@redhat.com>
+
+[ Upstream commit d7d760efad70c7a030725499bf9f342f04af24dd ]
+
+There are use cases where a rwsem can be acquired by one task, but
+released by another task. In thess cases, optimistic spinning may need
+to be disabled. One example will be the filesystem freeze/thaw code
+where the task that freezes the filesystem will acquire a write lock
+on a rwsem and then un-owns it before returning to userspace. Later on,
+another task will come along, acquire the ownership, thaw the filesystem
+and release the rwsem.
+
+Bit 0 of the owner field was used to designate that it is a reader
+owned rwsem. It is now repurposed to mean that the owner of the rwsem
+is not known. If only bit 0 is set, the rwsem is reader owned. If bit
+0 and other bits are set, it is writer owned with an unknown owner.
+One such value for the latter case is (-1L). So we can set owner to 1 for
+reader-owned, -1 for writer-owned. The owner is unknown in both cases.
+
+To handle transfer of rwsem ownership, the higher level code should
+set the owner field to -1 to indicate a write-locked rwsem with unknown
+owner. Optimistic spinning will be disabled in this case.
+
+Once the higher level code figures who the new owner is, it can then
+set the owner field accordingly.
+
+Tested-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Waiman Long <longman@redhat.com>
+Acked-by: Peter Zijlstra <peterz@infradead.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Cc: Theodore Y. Ts'o <tytso@mit.edu>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: linux-fsdevel@vger.kernel.org
+Link: http://lkml.kernel.org/r/1526420991-21213-2-git-send-email-longman@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/locking/rwsem-xadd.c | 17 +++++++----------
+ kernel/locking/rwsem.c | 2 --
+ kernel/locking/rwsem.h | 30 +++++++++++++++++++++---------
+ 3 files changed, 28 insertions(+), 21 deletions(-)
+
+--- a/kernel/locking/rwsem-xadd.c
++++ b/kernel/locking/rwsem-xadd.c
+@@ -357,11 +357,8 @@ static inline bool rwsem_can_spin_on_own
+
+ rcu_read_lock();
+ owner = READ_ONCE(sem->owner);
+- if (!rwsem_owner_is_writer(owner)) {
+- /*
+- * Don't spin if the rwsem is readers owned.
+- */
+- ret = !rwsem_owner_is_reader(owner);
++ if (!owner || !is_rwsem_owner_spinnable(owner)) {
++ ret = !owner; /* !owner is spinnable */
+ goto done;
+ }
+
+@@ -382,11 +379,11 @@ static noinline bool rwsem_spin_on_owner
+ {
+ struct task_struct *owner = READ_ONCE(sem->owner);
+
+- if (!rwsem_owner_is_writer(owner))
+- goto out;
++ if (!is_rwsem_owner_spinnable(owner))
++ return false;
+
+ rcu_read_lock();
+- while (sem->owner == owner) {
++ while (owner && (READ_ONCE(sem->owner) == owner)) {
+ /*
+ * Ensure we emit the owner->on_cpu, dereference _after_
+ * checking sem->owner still matches owner, if that fails,
+@@ -408,12 +405,12 @@ static noinline bool rwsem_spin_on_owner
+ cpu_relax();
+ }
+ rcu_read_unlock();
+-out:
++
+ /*
+ * If there is a new owner or the owner is not set, we continue
+ * spinning.
+ */
+- return !rwsem_owner_is_reader(READ_ONCE(sem->owner));
++ return is_rwsem_owner_spinnable(READ_ONCE(sem->owner));
+ }
+
+ static bool rwsem_optimistic_spin(struct rw_semaphore *sem)
+--- a/kernel/locking/rwsem.c
++++ b/kernel/locking/rwsem.c
+@@ -217,5 +217,3 @@ void up_read_non_owner(struct rw_semapho
+ EXPORT_SYMBOL(up_read_non_owner);
+
+ #endif
+-
+-
+--- a/kernel/locking/rwsem.h
++++ b/kernel/locking/rwsem.h
+@@ -1,20 +1,24 @@
+ /* SPDX-License-Identifier: GPL-2.0 */
+ /*
+ * The owner field of the rw_semaphore structure will be set to
+- * RWSEM_READ_OWNED when a reader grabs the lock. A writer will clear
++ * RWSEM_READER_OWNED when a reader grabs the lock. A writer will clear
+ * the owner field when it unlocks. A reader, on the other hand, will
+ * not touch the owner field when it unlocks.
+ *
+- * In essence, the owner field now has the following 3 states:
++ * In essence, the owner field now has the following 4 states:
+ * 1) 0
+ * - lock is free or the owner hasn't set the field yet
+ * 2) RWSEM_READER_OWNED
+ * - lock is currently or previously owned by readers (lock is free
+ * or not set by owner yet)
+- * 3) Other non-zero value
+- * - a writer owns the lock
++ * 3) RWSEM_ANONYMOUSLY_OWNED bit set with some other bits set as well
++ * - lock is owned by an anonymous writer, so spinning on the lock
++ * owner should be disabled.
++ * 4) Other non-zero value
++ * - a writer owns the lock and other writers can spin on the lock owner.
+ */
+-#define RWSEM_READER_OWNED ((struct task_struct *)1UL)
++#define RWSEM_ANONYMOUSLY_OWNED (1UL << 0)
++#define RWSEM_READER_OWNED ((struct task_struct *)RWSEM_ANONYMOUSLY_OWNED)
+
+ #ifdef CONFIG_RWSEM_SPIN_ON_OWNER
+ /*
+@@ -45,14 +49,22 @@ static inline void rwsem_set_reader_owne
+ WRITE_ONCE(sem->owner, RWSEM_READER_OWNED);
+ }
+
+-static inline bool rwsem_owner_is_writer(struct task_struct *owner)
++/*
++ * Return true if the a rwsem waiter can spin on the rwsem's owner
++ * and steal the lock, i.e. the lock is not anonymously owned.
++ * N.B. !owner is considered spinnable.
++ */
++static inline bool is_rwsem_owner_spinnable(struct task_struct *owner)
+ {
+- return owner && owner != RWSEM_READER_OWNED;
++ return !((unsigned long)owner & RWSEM_ANONYMOUSLY_OWNED);
+ }
+
+-static inline bool rwsem_owner_is_reader(struct task_struct *owner)
++/*
++ * Return true if rwsem is owned by an anonymous writer or readers.
++ */
++static inline bool rwsem_has_anonymous_owner(struct task_struct *owner)
+ {
+- return owner == RWSEM_READER_OWNED;
++ return (unsigned long)owner & RWSEM_ANONYMOUSLY_OWNED;
+ }
+ #else
+ static inline void rwsem_set_owner(struct rw_semaphore *sem)
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Ilan Peer <ilan.peer@intel.com>
+Date: Fri, 20 Apr 2018 13:49:20 +0300
+Subject: mac80211: Adjust SAE authentication timeout
+
+From: Ilan Peer <ilan.peer@intel.com>
+
+[ Upstream commit 407879b690ba3a6bf29be896d02dad63463bd1c0 ]
+
+The IEEE P802.11-REVmd D1.0 specification updated the SAE authentication
+timeout to be 2000 milliseconds (see dot11RSNASAERetransPeriod). Update
+the SAE timeout setting accordingly.
+
+While at it, reduce some code duplication in the timeout configuration.
+
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/mlme.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -35,6 +35,7 @@
+ #define IEEE80211_AUTH_TIMEOUT (HZ / 5)
+ #define IEEE80211_AUTH_TIMEOUT_LONG (HZ / 2)
+ #define IEEE80211_AUTH_TIMEOUT_SHORT (HZ / 10)
++#define IEEE80211_AUTH_TIMEOUT_SAE (HZ * 2)
+ #define IEEE80211_AUTH_MAX_TRIES 3
+ #define IEEE80211_AUTH_WAIT_ASSOC (HZ * 5)
+ #define IEEE80211_ASSOC_TIMEOUT (HZ / 5)
+@@ -3788,16 +3789,19 @@ static int ieee80211_auth(struct ieee802
+ tx_flags);
+
+ if (tx_flags == 0) {
+- auth_data->timeout = jiffies + IEEE80211_AUTH_TIMEOUT;
+- auth_data->timeout_started = true;
+- run_again(sdata, auth_data->timeout);
++ if (auth_data->algorithm == WLAN_AUTH_SAE)
++ auth_data->timeout = jiffies +
++ IEEE80211_AUTH_TIMEOUT_SAE;
++ else
++ auth_data->timeout = jiffies + IEEE80211_AUTH_TIMEOUT;
+ } else {
+ auth_data->timeout =
+ round_jiffies_up(jiffies + IEEE80211_AUTH_TIMEOUT_LONG);
+- auth_data->timeout_started = true;
+- run_again(sdata, auth_data->timeout);
+ }
+
++ auth_data->timeout_started = true;
++ run_again(sdata, auth_data->timeout);
++
+ return 0;
+ }
+
+@@ -3868,8 +3872,15 @@ void ieee80211_sta_work(struct ieee80211
+ ifmgd->status_received = false;
+ if (ifmgd->auth_data && ieee80211_is_auth(fc)) {
+ if (status_acked) {
+- ifmgd->auth_data->timeout =
+- jiffies + IEEE80211_AUTH_TIMEOUT_SHORT;
++ if (ifmgd->auth_data->algorithm ==
++ WLAN_AUTH_SAE)
++ ifmgd->auth_data->timeout =
++ jiffies +
++ IEEE80211_AUTH_TIMEOUT_SAE;
++ else
++ ifmgd->auth_data->timeout =
++ jiffies +
++ IEEE80211_AUTH_TIMEOUT_SHORT;
+ run_again(sdata, ifmgd->auth_data->timeout);
+ } else {
+ ifmgd->auth_data->timeout = jiffies - 1;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Sara Sharon <sara.sharon@intel.com>
+Date: Fri, 20 Apr 2018 13:49:19 +0300
+Subject: mac80211: use timeout from the AddBA response instead of the request
+
+From: Sara Sharon <sara.sharon@intel.com>
+
+[ Upstream commit 914eac248d876f9c00cd1792ffec3d182c863f13 ]
+
+2016 spec, section 10.24.2 specifies that the block ack
+timeout in the ADD BA request is advisory.
+
+That means we should check the value in the response and
+act upon it (same as buffer size).
+
+Signed-off-by: Sara Sharon <sara.sharon@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/agg-tx.c | 4 ++++
+ net/mac80211/tx.c | 3 ++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/agg-tx.c
++++ b/net/mac80211/agg-tx.c
+@@ -8,6 +8,7 @@
+ * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
+ * Copyright 2007-2010, Intel Corporation
+ * Copyright(c) 2015-2017 Intel Deutschland GmbH
++ * Copyright (C) 2018 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+@@ -970,6 +971,9 @@ void ieee80211_process_addba_resp(struct
+
+ sta->ampdu_mlme.addba_req_num[tid] = 0;
+
++ tid_tx->timeout =
++ le16_to_cpu(mgmt->u.action.u.addba_resp.timeout);
++
+ if (tid_tx->timeout) {
+ mod_timer(&tid_tx->session_timer,
+ TU_TO_EXP_TIME(tid_tx->timeout));
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -4,6 +4,7 @@
+ * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz>
+ * Copyright 2007 Johannes Berg <johannes@sipsolutions.net>
+ * Copyright 2013-2014 Intel Mobile Communications GmbH
++ * Copyright (C) 2018 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+@@ -1138,7 +1139,7 @@ static bool ieee80211_tx_prep_agg(struct
+ }
+
+ /* reset session timer */
+- if (reset_agg_timer && tid_tx->timeout)
++ if (reset_agg_timer)
+ tid_tx->last_tx = jiffies;
+
+ return queued;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Matt Redfearn <matt.redfearn@mips.com>
+Date: Fri, 13 Apr 2018 09:50:44 +0100
+Subject: MIPS: dts: Boston: Fix PCI bus dtc warnings:
+
+From: Matt Redfearn <matt.redfearn@mips.com>
+
+[ Upstream commit 2c2bf522ed8cbfaac666f7dc65cfd38de2b89f0f ]
+
+dtc recently (v1.4.4-8-g756ffc4f52f6) added PCI bus checks. Fix the
+warnings now emitted:
+
+arch/mips/boot/dts/img/boston.dtb: Warning (pci_bridge): /pci@10000000: missing bus-range for PCI bridge
+arch/mips/boot/dts/img/boston.dtb: Warning (pci_bridge): /pci@12000000: missing bus-range for PCI bridge
+arch/mips/boot/dts/img/boston.dtb: Warning (pci_bridge): /pci@14000000: missing bus-range for PCI bridge
+
+Signed-off-by: Matt Redfearn <matt.redfearn@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Paul Burton <paul.burton@mips.com>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: linux-mips@linux-mips.org
+Cc: devicetree@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/19070/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/boot/dts/img/boston.dts | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/mips/boot/dts/img/boston.dts
++++ b/arch/mips/boot/dts/img/boston.dts
+@@ -51,6 +51,8 @@
+ ranges = <0x02000000 0 0x40000000
+ 0x40000000 0 0x40000000>;
+
++ bus-range = <0x00 0xff>;
++
+ interrupt-map-mask = <0 0 0 7>;
+ interrupt-map = <0 0 0 1 &pci0_intc 1>,
+ <0 0 0 2 &pci0_intc 2>,
+@@ -79,6 +81,8 @@
+ ranges = <0x02000000 0 0x20000000
+ 0x20000000 0 0x20000000>;
+
++ bus-range = <0x00 0xff>;
++
+ interrupt-map-mask = <0 0 0 7>;
+ interrupt-map = <0 0 0 1 &pci1_intc 1>,
+ <0 0 0 2 &pci1_intc 2>,
+@@ -107,6 +111,8 @@
+ ranges = <0x02000000 0 0x16000000
+ 0x16000000 0 0x100000>;
+
++ bus-range = <0x00 0xff>;
++
+ interrupt-map-mask = <0 0 0 7>;
+ interrupt-map = <0 0 0 1 &pci2_intc 1>,
+ <0 0 0 2 &pci2_intc 2>,
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Sinan Kaya <okaya@codeaurora.org>
+Date: Thu, 12 Apr 2018 22:30:44 -0400
+Subject: MIPS: io: Add barrier after register read in readX()
+
+From: Sinan Kaya <okaya@codeaurora.org>
+
+[ Upstream commit a1cc7034e33d12dc17d13fbcd7d597d552889097 ]
+
+While a barrier is present in the writeX() functions before the register
+write, a similar barrier is missing in the readX() functions after the
+register read. This could allow memory accesses following readX() to
+observe stale data.
+
+Signed-off-by: Sinan Kaya <okaya@codeaurora.org>
+Reported-by: Arnd Bergmann <arnd@arndb.de>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Paul Burton <paul.burton@mips.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/19069/
+[jhogan@kernel.org: Tidy commit message]
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/include/asm/io.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/mips/include/asm/io.h
++++ b/arch/mips/include/asm/io.h
+@@ -377,6 +377,8 @@ static inline type pfx##read##bwlq(const
+ BUG(); \
+ } \
+ \
++ /* prevent prefetching of coherent DMA data prematurely */ \
++ rmb(); \
+ return pfx##ioswab##bwlq(__mem, __val); \
+ }
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Sinan Kaya <okaya@codeaurora.org>
+Date: Tue, 3 Apr 2018 08:55:03 -0400
+Subject: MIPS: io: Prevent compiler reordering writeX()
+
+From: Sinan Kaya <okaya@codeaurora.org>
+
+[ Upstream commit f6b7aeee8f167409195fbf1364d02988fecad1d0 ]
+
+writeX() has strong ordering semantics with respect to memory updates.
+In the absence of a write barrier or a compiler barrier, the compiler
+can reorder register and memory update instructions. This breaks the
+writeX() API.
+
+Signed-off-by: Sinan Kaya <okaya@codeaurora.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Paul Burton <paul.burton@mips.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/18997/
+[jhogan@kernel.org: Tidy commit message]
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/include/asm/io.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/include/asm/io.h
++++ b/arch/mips/include/asm/io.h
+@@ -307,7 +307,7 @@ static inline void iounmap(const volatil
+ #if defined(CONFIG_CPU_CAVIUM_OCTEON) || defined(CONFIG_LOONGSON3_ENHANCEMENT)
+ #define war_io_reorder_wmb() wmb()
+ #else
+-#define war_io_reorder_wmb() do { } while (0)
++#define war_io_reorder_wmb() barrier()
+ #endif
+
+ #define __BUILD_MEMORY_SINGLE(pfx, bwlq, type, irq) \
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Minchan Kim <minchan@kernel.org>
+Date: Fri, 20 Apr 2018 14:56:17 -0700
+Subject: mm: memcg: add __GFP_NOWARN in __memcg_schedule_kmem_cache_create()
+
+From: Minchan Kim <minchan@kernel.org>
+
+[ Upstream commit c892fd82cc0632d425ae011a4dd75eb59e9f84ee ]
+
+If there is heavy memory pressure, page allocation with __GFP_NOWAIT
+fails easily although it's order-0 request. I got below warning 9 times
+for normal boot.
+
+ <snip >: page allocation failure: order:0, mode:0x2200000(GFP_NOWAIT|__GFP_NOTRACK)
+ .. snip ..
+ Call trace:
+ dump_backtrace+0x0/0x4
+ dump_stack+0xa4/0xc0
+ warn_alloc+0xd4/0x15c
+ __alloc_pages_nodemask+0xf88/0x10fc
+ alloc_slab_page+0x40/0x18c
+ new_slab+0x2b8/0x2e0
+ ___slab_alloc+0x25c/0x464
+ __kmalloc+0x394/0x498
+ memcg_kmem_get_cache+0x114/0x2b8
+ kmem_cache_alloc+0x98/0x3e8
+ mmap_region+0x3bc/0x8c0
+ do_mmap+0x40c/0x43c
+ vm_mmap_pgoff+0x15c/0x1e4
+ sys_mmap+0xb0/0xc8
+ el0_svc_naked+0x24/0x28
+ Mem-Info:
+ active_anon:17124 inactive_anon:193 isolated_anon:0
+ active_file:7898 inactive_file:712955 isolated_file:55
+ unevictable:0 dirty:27 writeback:18 unstable:0
+ slab_reclaimable:12250 slab_unreclaimable:23334
+ mapped:19310 shmem:212 pagetables:816 bounce:0
+ free:36561 free_pcp:1205 free_cma:35615
+ Node 0 active_anon:68496kB inactive_anon:772kB active_file:31592kB inactive_file:2851820kB unevictable:0kB isolated(anon):0kB isolated(file):220kB mapped:77240kB dirty:108kB writeback:72kB shmem:848kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no
+ DMA free:142188kB min:3056kB low:3820kB high:4584kB active_anon:10052kB inactive_anon:12kB active_file:312kB inactive_file:1412620kB unevictable:0kB writepending:0kB present:1781412kB managed:1604728kB mlocked:0kB slab_reclaimable:3592kB slab_unreclaimable:876kB kernel_stack:400kB pagetables:52kB bounce:0kB free_pcp:1436kB local_pcp:124kB free_cma:142492kB
+ lowmem_reserve[]: 0 1842 1842
+ Normal free:4056kB min:4172kB low:5212kB high:6252kB active_anon:58376kB inactive_anon:760kB active_file:31348kB inactive_file:1439040kB unevictable:0kB writepending:180kB present:2000636kB managed:1923688kB mlocked:0kB slab_reclaimable:45408kB slab_unreclaimable:92460kB kernel_stack:9680kB pagetables:3212kB bounce:0kB free_pcp:3392kB local_pcp:688kB free_cma:0kB
+ lowmem_reserve[]: 0 0 0
+ DMA: 0*4kB 0*8kB 1*16kB (C) 0*32kB 0*64kB 0*128kB 1*256kB (C) 1*512kB (C) 0*1024kB 1*2048kB (C) 34*4096kB (C) = 142096kB
+ Normal: 228*4kB (UMEH) 172*8kB (UMH) 23*16kB (UH) 24*32kB (H) 5*64kB (H) 1*128kB (H) 0*256kB 0*512kB 0*1024kB 0*2048kB 0*4096kB = 3872kB
+ 721350 total pagecache pages
+ 0 pages in swap cache
+ Swap cache stats: add 0, delete 0, find 0/0
+ Free swap = 0kB
+ Total swap = 0kB
+ 945512 pages RAM
+ 0 pages HighMem/MovableOnly
+ 63408 pages reserved
+ 51200 pages cma reserved
+
+__memcg_schedule_kmem_cache_create() tries to create a shadow slab cache
+and the worker allocation failure is not really critical because we will
+retry on the next kmem charge. We might miss some charges but that
+shouldn't be critical. The excessive allocation failure report is not
+very helpful.
+
+[mhocko@kernel.org: changelog update]
+Link: http://lkml.kernel.org/r/20180418022912.248417-1-minchan@kernel.org
+Signed-off-by: Minchan Kim <minchan@kernel.org>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Matthew Wilcox <willy@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memcontrol.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -2192,7 +2192,7 @@ static void __memcg_schedule_kmem_cache_
+ {
+ struct memcg_kmem_cache_create_work *cw;
+
+- cw = kmalloc(sizeof(*cw), GFP_NOWAIT);
++ cw = kmalloc(sizeof(*cw), GFP_NOWAIT | __GFP_NOWARN);
+ if (!cw)
+ return;
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Huang Ying <ying.huang@intel.com>
+Date: Fri, 20 Apr 2018 14:55:38 -0700
+Subject: mm, pagemap: fix swap offset value for PMD migration entry
+
+From: Huang Ying <ying.huang@intel.com>
+
+[ Upstream commit 88c28f2469151b031f8cea9b28ed5be1b74a4172 ]
+
+The swap offset reported by /proc/<pid>/pagemap may be not correct for
+PMD migration entries. If addr passed into pagemap_pmd_range() isn't
+aligned with PMD start address, the swap offset reported doesn't
+reflect this. And in the loop to report information of each sub-page,
+the swap offset isn't increased accordingly as that for PFN.
+
+This may happen after opening /proc/<pid>/pagemap and seeking to a page
+whose address doesn't align with a PMD start address. I have verified
+this with a simple test program.
+
+BTW: migration swap entries have PFN information, do we need to restrict
+whether to show them?
+
+[akpm@linux-foundation.org: fix typo, per Huang, Ying]
+Link: http://lkml.kernel.org/r/20180408033737.10897-1-ying.huang@intel.com
+Signed-off-by: "Huang, Ying" <ying.huang@intel.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Cc: Andrei Vagin <avagin@openvz.org>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: "Jerome Glisse" <jglisse@redhat.com>
+Cc: Daniel Colascione <dancol@google.com>
+Cc: Zi Yan <zi.yan@cs.rutgers.edu>
+Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/task_mmu.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -1329,9 +1329,11 @@ static int pagemap_pmd_range(pmd_t *pmdp
+ #ifdef CONFIG_ARCH_ENABLE_THP_MIGRATION
+ else if (is_swap_pmd(pmd)) {
+ swp_entry_t entry = pmd_to_swp_entry(pmd);
++ unsigned long offset = swp_offset(entry);
+
++ offset += (addr & ~PMD_MASK) >> PAGE_SHIFT;
+ frame = swp_type(entry) |
+- (swp_offset(entry) << MAX_SWAPFILES_SHIFT);
++ (offset << MAX_SWAPFILES_SHIFT);
+ flags |= PM_SWAP;
+ if (pmd_swp_soft_dirty(pmd))
+ flags |= PM_SOFT_DIRTY;
+@@ -1351,6 +1353,8 @@ static int pagemap_pmd_range(pmd_t *pmdp
+ break;
+ if (pm->show_pfn && (flags & PM_PRESENT))
+ frame++;
++ else if (flags & PM_SWAP)
++ frame += (1 << MAX_SWAPFILES_SHIFT);
+ }
+ spin_unlock(ptl);
+ return err;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 10 May 2018 19:20:54 +0100
+Subject: mtd: Fix comparison in map_word_andequal()
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+[ Upstream commit ea739a287f4f16d6250bea779a1026ead79695f2 ]
+
+Commit 9e343e87d2c4 ("mtd: cfi: convert inline functions to macros")
+changed map_word_andequal() into a macro, but also changed the right
+hand side of the comparison from val3 to val2. Change it back to use
+val3 on the right hand side.
+
+Thankfully this did not cause a regression because all callers
+currently pass the same argument for val2 and val3.
+
+Fixes: 9e343e87d2c4 ("mtd: cfi: convert inline functions to macros")
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/mtd/map.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/mtd/map.h
++++ b/include/linux/mtd/map.h
+@@ -312,7 +312,7 @@ void map_destroy(struct mtd_info *mtd);
+ ({ \
+ int i, ret = 1; \
+ for (i = 0; i < map_words(map); i++) { \
+- if (((val1).x[i] & (val2).x[i]) != (val2).x[i]) { \
++ if (((val1).x[i] & (val2).x[i]) != (val3).x[i]) { \
+ ret = 0; \
+ break; \
+ } \
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Ladislav Michl <ladis@linux-mips.org>
+Date: Wed, 2 May 2018 12:41:32 +0200
+Subject: mtd: onenand: omap2: Disable DMA for HIGHMEM buffers
+
+From: Ladislav Michl <ladis@linux-mips.org>
+
+[ Upstream commit 6732cfd4cac514b556f36b518670af91c8bdf19a ]
+
+dma_map_single does not work for vmalloc-ed buffers,
+so disable DMA in this case.
+
+Signed-off-by: Ladislav Michl <ladis@linux-mips.org>
+Reported-by: "H. Nikolaus Schaller" <hns@goldelico.com>
+Tested-by: "H. Nikolaus Schaller" <hns@goldelico.com>
+Reviewed-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/onenand/omap2.c | 105 +++++++++++++++-----------------------------
+ 1 file changed, 38 insertions(+), 67 deletions(-)
+
+--- a/drivers/mtd/onenand/omap2.c
++++ b/drivers/mtd/onenand/omap2.c
+@@ -377,56 +377,42 @@ static int omap2_onenand_read_bufferram(
+ {
+ struct omap2_onenand *c = container_of(mtd, struct omap2_onenand, mtd);
+ struct onenand_chip *this = mtd->priv;
+- dma_addr_t dma_src, dma_dst;
+- int bram_offset;
++ struct device *dev = &c->pdev->dev;
+ void *buf = (void *)buffer;
++ dma_addr_t dma_src, dma_dst;
++ int bram_offset, err;
+ size_t xtra;
+- int ret;
+
+ bram_offset = omap2_onenand_bufferram_offset(mtd, area) + area + offset;
+- if (bram_offset & 3 || (size_t)buf & 3 || count < 384)
+- goto out_copy;
+-
+- /* panic_write() may be in an interrupt context */
+- if (in_interrupt() || oops_in_progress)
++ /*
++ * If the buffer address is not DMA-able, len is not long enough to make
++ * DMA transfers profitable or panic_write() may be in an interrupt
++ * context fallback to PIO mode.
++ */
++ if (!virt_addr_valid(buf) || bram_offset & 3 || (size_t)buf & 3 ||
++ count < 384 || in_interrupt() || oops_in_progress )
+ goto out_copy;
+
+- if (buf >= high_memory) {
+- struct page *p1;
+-
+- if (((size_t)buf & PAGE_MASK) !=
+- ((size_t)(buf + count - 1) & PAGE_MASK))
+- goto out_copy;
+- p1 = vmalloc_to_page(buf);
+- if (!p1)
+- goto out_copy;
+- buf = page_address(p1) + ((size_t)buf & ~PAGE_MASK);
+- }
+-
+ xtra = count & 3;
+ if (xtra) {
+ count -= xtra;
+ memcpy(buf + count, this->base + bram_offset + count, xtra);
+ }
+
++ dma_dst = dma_map_single(dev, buf, count, DMA_FROM_DEVICE);
+ dma_src = c->phys_base + bram_offset;
+- dma_dst = dma_map_single(&c->pdev->dev, buf, count, DMA_FROM_DEVICE);
+- if (dma_mapping_error(&c->pdev->dev, dma_dst)) {
+- dev_err(&c->pdev->dev,
+- "Couldn't DMA map a %d byte buffer\n",
+- count);
+- goto out_copy;
+- }
+
+- ret = omap2_onenand_dma_transfer(c, dma_src, dma_dst, count);
+- dma_unmap_single(&c->pdev->dev, dma_dst, count, DMA_FROM_DEVICE);
+-
+- if (ret) {
+- dev_err(&c->pdev->dev, "timeout waiting for DMA\n");
++ if (dma_mapping_error(dev, dma_dst)) {
++ dev_err(dev, "Couldn't DMA map a %d byte buffer\n", count);
+ goto out_copy;
+ }
+
+- return 0;
++ err = omap2_onenand_dma_transfer(c, dma_src, dma_dst, count);
++ dma_unmap_single(dev, dma_dst, count, DMA_FROM_DEVICE);
++ if (!err)
++ return 0;
++
++ dev_err(dev, "timeout waiting for DMA\n");
+
+ out_copy:
+ memcpy(buf, this->base + bram_offset, count);
+@@ -439,49 +425,34 @@ static int omap2_onenand_write_bufferram
+ {
+ struct omap2_onenand *c = container_of(mtd, struct omap2_onenand, mtd);
+ struct onenand_chip *this = mtd->priv;
+- dma_addr_t dma_src, dma_dst;
+- int bram_offset;
++ struct device *dev = &c->pdev->dev;
+ void *buf = (void *)buffer;
+- int ret;
++ dma_addr_t dma_src, dma_dst;
++ int bram_offset, err;
+
+ bram_offset = omap2_onenand_bufferram_offset(mtd, area) + area + offset;
+- if (bram_offset & 3 || (size_t)buf & 3 || count < 384)
+- goto out_copy;
+-
+- /* panic_write() may be in an interrupt context */
+- if (in_interrupt() || oops_in_progress)
++ /*
++ * If the buffer address is not DMA-able, len is not long enough to make
++ * DMA transfers profitable or panic_write() may be in an interrupt
++ * context fallback to PIO mode.
++ */
++ if (!virt_addr_valid(buf) || bram_offset & 3 || (size_t)buf & 3 ||
++ count < 384 || in_interrupt() || oops_in_progress )
+ goto out_copy;
+
+- if (buf >= high_memory) {
+- struct page *p1;
+-
+- if (((size_t)buf & PAGE_MASK) !=
+- ((size_t)(buf + count - 1) & PAGE_MASK))
+- goto out_copy;
+- p1 = vmalloc_to_page(buf);
+- if (!p1)
+- goto out_copy;
+- buf = page_address(p1) + ((size_t)buf & ~PAGE_MASK);
+- }
+-
+- dma_src = dma_map_single(&c->pdev->dev, buf, count, DMA_TO_DEVICE);
++ dma_src = dma_map_single(dev, buf, count, DMA_TO_DEVICE);
+ dma_dst = c->phys_base + bram_offset;
+- if (dma_mapping_error(&c->pdev->dev, dma_src)) {
+- dev_err(&c->pdev->dev,
+- "Couldn't DMA map a %d byte buffer\n",
+- count);
+- return -1;
+- }
+-
+- ret = omap2_onenand_dma_transfer(c, dma_src, dma_dst, count);
+- dma_unmap_single(&c->pdev->dev, dma_src, count, DMA_TO_DEVICE);
+-
+- if (ret) {
+- dev_err(&c->pdev->dev, "timeout waiting for DMA\n");
++ if (dma_mapping_error(dev, dma_src)) {
++ dev_err(dev, "Couldn't DMA map a %d byte buffer\n", count);
+ goto out_copy;
+ }
+
+- return 0;
++ err = omap2_onenand_dma_transfer(c, dma_src, dma_dst, count);
++ dma_unmap_page(dev, dma_src, count, DMA_TO_DEVICE);
++ if (!err)
++ return 0;
++
++ dev_err(dev, "timeout waiting for DMA\n");
+
+ out_copy:
+ memcpy(this->base + bram_offset, buf, count);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Mon, 14 May 2018 12:49:37 +0200
+Subject: mtd: rawnand: Fix return type of __DIVIDE() when called with 32-bit
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit 9f825e74d761c13b0cfaa5f65344d64ff970e252 ]
+
+The __DIVIDE() macro checks whether it is called with a 32-bit or 64-bit
+dividend, to select the appropriate divide-and-round-up routine.
+As the check uses the ternary operator, the result will always be
+promoted to a type that can hold both results, i.e. unsigned long long.
+
+When using this result in a division on a 32-bit system, this may lead
+to link errors like:
+
+ ERROR: "__udivdi3" [drivers/mtd/nand/raw/nand.ko] undefined!
+
+Fix this by casting the result of the division to the type of the
+dividend.
+
+Fixes: 8878b126df769831 ("mtd: nand: add ->exec_op() implementation")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/mtd/rawnand.h | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/include/linux/mtd/rawnand.h
++++ b/include/linux/mtd/rawnand.h
+@@ -824,12 +824,18 @@ struct nand_op_instr {
+ * tBERS (during an erase) which all of them are u64 values that cannot be
+ * divided by usual kernel macros and must be handled with the special
+ * DIV_ROUND_UP_ULL() macro.
++ *
++ * Cast to type of dividend is needed here to guarantee that the result won't
++ * be an unsigned long long when the dividend is an unsigned long (or smaller),
++ * which is what the compiler does when it sees ternary operator with 2
++ * different return types (picks the largest type to make sure there's no
++ * loss).
+ */
+-#define __DIVIDE(dividend, divisor) ({ \
+- sizeof(dividend) == sizeof(u32) ? \
+- DIV_ROUND_UP(dividend, divisor) : \
+- DIV_ROUND_UP_ULL(dividend, divisor); \
+- })
++#define __DIVIDE(dividend, divisor) ({ \
++ (__typeof__(dividend))(sizeof(dividend) <= sizeof(unsigned long) ? \
++ DIV_ROUND_UP(dividend, divisor) : \
++ DIV_ROUND_UP_ULL(dividend, divisor)); \
++ })
+ #define PSEC_TO_NSEC(x) __DIVIDE(x, 1000)
+ #define PSEC_TO_MSEC(x) __DIVIDE(x, 1000000000)
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Igor Russkikh <igor.russkikh@aquantia.com>
+Date: Mon, 7 May 2018 16:10:38 +0300
+Subject: net: aquantia: driver should correctly declare vlan_features bits
+
+From: Igor Russkikh <igor.russkikh@aquantia.com>
+
+[ Upstream commit 8c61ab7f111a2b29d051348b9cb9a39804ebf1f8 ]
+
+In particular, not reporting SG forced skbs to be linear for vlan
+interfaces over atlantic NIC.
+
+With this fix it is possible to enable SG feature on device and
+therefore optimize performance.
+
+Reported-by: Ma Yuying <yuma@redhat.com>
+Signed-off-by: Igor Russkikh <igor.russkikh@aquantia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
+@@ -246,6 +246,8 @@ void aq_nic_ndev_init(struct aq_nic_s *s
+
+ self->ndev->hw_features |= aq_hw_caps->hw_features;
+ self->ndev->features = aq_hw_caps->hw_features;
++ self->ndev->vlan_features |= NETIF_F_HW_CSUM | NETIF_F_RXCSUM |
++ NETIF_F_RXHASH | NETIF_F_SG | NETIF_F_LRO;
+ self->ndev->priv_flags = aq_hw_caps->hw_priv_flags;
+ self->ndev->priv_flags |= IFF_LIVE_ADDR_CHANGE;
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Igor Russkikh <igor.russkikh@aquantia.com>
+Date: Mon, 7 May 2018 16:10:39 +0300
+Subject: net: aquantia: Limit number of vectors to actually allocated irqs
+
+From: Igor Russkikh <igor.russkikh@aquantia.com>
+
+[ Upstream commit a09bd81b5413d1b4d705c6c5303b5d311069da22 ]
+
+Driver should use pci_alloc_irq_vectors return value to correct number
+of allocated vectors and napi instances. Otherwise it'll panic later
+in pci_irq_vector.
+
+Driver also should allow more than one MSI vectors to be allocated.
+
+Error return path from pci_alloc_irq_vectors is also fixed to revert
+resources in a correct sequence when error happens.
+
+Reported-by: Long, Nicholas <nicholas.a.long@baesystems.com>
+Fixes: 23ee07a ("net: aquantia: Cleanup pci functions module")
+Signed-off-by: Igor Russkikh <igor.russkikh@aquantia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 1
+ drivers/net/ethernet/aquantia/atlantic/aq_nic.h | 1
+ drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c | 20 +++++++++----------
+ 3 files changed, 12 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
+@@ -95,6 +95,7 @@ void aq_nic_cfg_start(struct aq_nic_s *s
+ /*rss rings */
+ cfg->vecs = min(cfg->aq_hw_caps->vecs, AQ_CFG_VECS_DEF);
+ cfg->vecs = min(cfg->vecs, num_online_cpus());
++ cfg->vecs = min(cfg->vecs, self->irqvecs);
+ /* cfg->vecs should be power of 2 for RSS */
+ if (cfg->vecs >= 8U)
+ cfg->vecs = 8U;
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.h
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.h
+@@ -80,6 +80,7 @@ struct aq_nic_s {
+
+ struct pci_dev *pdev;
+ unsigned int msix_entry_mask;
++ u32 irqvecs;
+ };
+
+ static inline struct device *aq_nic_get_dev(struct aq_nic_s *self)
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c
+@@ -267,16 +267,16 @@ static int aq_pci_probe(struct pci_dev *
+ numvecs = min(numvecs, num_online_cpus());
+ /*enable interrupts */
+ #if !AQ_CFG_FORCE_LEGACY_INT
+- err = pci_alloc_irq_vectors(self->pdev, numvecs, numvecs,
+- PCI_IRQ_MSIX);
+-
+- if (err < 0) {
+- err = pci_alloc_irq_vectors(self->pdev, 1, 1,
+- PCI_IRQ_MSI | PCI_IRQ_LEGACY);
+- if (err < 0)
+- goto err_hwinit;
++ numvecs = pci_alloc_irq_vectors(self->pdev, 1, numvecs,
++ PCI_IRQ_MSIX | PCI_IRQ_MSI |
++ PCI_IRQ_LEGACY);
++
++ if (numvecs < 0) {
++ err = numvecs;
++ goto err_hwinit;
+ }
+ #endif
++ self->irqvecs = numvecs;
+
+ /* net device init */
+ aq_nic_cfg_start(self);
+@@ -298,9 +298,9 @@ err_free_aq_hw:
+ kfree(self->aq_hw);
+ err_ioremap:
+ free_netdev(ndev);
+-err_pci_func:
+- pci_release_regions(pdev);
+ err_ndev:
++ pci_release_regions(pdev);
++err_pci_func:
+ pci_disable_device(pdev);
+ return err;
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Mon, 23 Apr 2018 15:51:38 -0700
+Subject: net: ethtool: Add missing kernel doc for FEC parameters
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit d805c5209350ae725e3a1ee0204ba27d9e75ce3e ]
+
+While adding support for ethtool::get_fecparam and set_fecparam, kernel
+doc for these functions was missed, add those.
+
+Fixes: 1a5f3da20bd9 ("net: ethtool: add support for forward error correction modes")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Acked-by: Roopa Prabhu <roopa@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/ethtool.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/linux/ethtool.h
++++ b/include/linux/ethtool.h
+@@ -310,6 +310,8 @@ bool ethtool_convert_link_mode_to_legacy
+ * fields should be ignored (use %__ETHTOOL_LINK_MODE_MASK_NBITS
+ * instead of the latter), any change to them will be overwritten
+ * by kernel. Returns a negative error code or zero.
++ * @get_fecparam: Get the network device Forward Error Correction parameters.
++ * @set_fecparam: Set the network device Forward Error Correction parameters.
+ *
+ * All operations are optional (i.e. the function pointer may be set
+ * to %NULL) and callers must take this into account. Callers must
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: dann frazier <dann.frazier@canonical.com>
+Date: Wed, 18 Apr 2018 21:55:41 -0600
+Subject: net: hns: Avoid action name truncation
+
+From: dann frazier <dann.frazier@canonical.com>
+
+[ Upstream commit f4ea89110df237da6fbcaab76af431e85f07d904 ]
+
+When longer interface names are used, the action names exposed in
+/proc/interrupts and /proc/irq/* maybe truncated. For example, when
+using the predictable name algorithm in systemd on a HiSilicon D05,
+I see:
+
+ ubuntu@d05-3:~$ grep enahisic2i0-tx /proc/interrupts | sed 's/.* //'
+ enahisic2i0-tx0
+ enahisic2i0-tx1
+ [...]
+ enahisic2i0-tx8
+ enahisic2i0-tx9
+ enahisic2i0-tx1
+ enahisic2i0-tx1
+ enahisic2i0-tx1
+ enahisic2i0-tx1
+ enahisic2i0-tx1
+ enahisic2i0-tx1
+
+Increase the max ring name length to allow for an interface name
+of IFNAMSIZE. After this change, I now see:
+
+ $ grep enahisic2i0-tx /proc/interrupts | sed 's/.* //'
+ enahisic2i0-tx0
+ enahisic2i0-tx1
+ enahisic2i0-tx2
+ [...]
+ enahisic2i0-tx8
+ enahisic2i0-tx9
+ enahisic2i0-tx10
+ enahisic2i0-tx11
+ enahisic2i0-tx12
+ enahisic2i0-tx13
+ enahisic2i0-tx14
+ enahisic2i0-tx15
+
+Signed-off-by: dann frazier <dann.frazier@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns/hnae.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns/hnae.h
++++ b/drivers/net/ethernet/hisilicon/hns/hnae.h
+@@ -87,7 +87,7 @@ do { \
+
+ #define HNAE_AE_REGISTER 0x1
+
+-#define RCB_RING_NAME_LEN 16
++#define RCB_RING_NAME_LEN (IFNAMSIZ + 4)
+
+ #define HNAE_LOWEST_LATENCY_COAL_PARAM 30
+ #define HNAE_LOW_LATENCY_COAL_PARAM 80
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Date: Wed, 25 Apr 2018 20:21:16 +0200
+Subject: net: mvpp2: Fix clk error path in mvpp2_probe
+
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+
+[ Upstream commit 45f972adb7f4db2d7f02af728ccd104113336074 ]
+
+When clk_prepare_enable fails for the axi_clk, the mg_clk isn't properly
+cleaned up. Add another jump label to handle that case, and make sure we
+jump to it in the later error cases.
+
+Fixes: 4792ea04bcd0 ("net: mvpp2: Fix clock resource by adding an optional bus clock")
+Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Acked-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mvpp2.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvpp2.c
++++ b/drivers/net/ethernet/marvell/mvpp2.c
+@@ -8332,12 +8332,12 @@ static int mvpp2_probe(struct platform_d
+ if (IS_ERR(priv->axi_clk)) {
+ err = PTR_ERR(priv->axi_clk);
+ if (err == -EPROBE_DEFER)
+- goto err_gop_clk;
++ goto err_mg_clk;
+ priv->axi_clk = NULL;
+ } else {
+ err = clk_prepare_enable(priv->axi_clk);
+ if (err < 0)
+- goto err_gop_clk;
++ goto err_mg_clk;
+ }
+
+ /* Get system's tclk rate */
+@@ -8351,7 +8351,7 @@ static int mvpp2_probe(struct platform_d
+ if (priv->hw_version == MVPP22) {
+ err = dma_set_mask(&pdev->dev, MVPP2_DESC_DMA_MASK);
+ if (err)
+- goto err_mg_clk;
++ goto err_axi_clk;
+ /* Sadly, the BM pools all share the same register to
+ * store the high 32 bits of their address. So they
+ * must all have the same high 32 bits, which forces
+@@ -8359,14 +8359,14 @@ static int mvpp2_probe(struct platform_d
+ */
+ err = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32));
+ if (err)
+- goto err_mg_clk;
++ goto err_axi_clk;
+ }
+
+ /* Initialize network controller */
+ err = mvpp2_init(pdev, priv);
+ if (err < 0) {
+ dev_err(&pdev->dev, "failed to initialize controller\n");
+- goto err_mg_clk;
++ goto err_axi_clk;
+ }
+
+ /* Initialize ports */
+@@ -8379,7 +8379,7 @@ static int mvpp2_probe(struct platform_d
+ if (priv->port_count == 0) {
+ dev_err(&pdev->dev, "no ports enabled\n");
+ err = -ENODEV;
+- goto err_mg_clk;
++ goto err_axi_clk;
+ }
+
+ /* Statistics must be gathered regularly because some of them (like
+@@ -8407,8 +8407,9 @@ err_port_probe:
+ mvpp2_port_remove(priv->port_list[i]);
+ i++;
+ }
+-err_mg_clk:
++err_axi_clk:
+ clk_disable_unprepare(priv->axi_clk);
++err_mg_clk:
+ if (priv->hw_version == MVPP22)
+ clk_disable_unprepare(priv->mg_clk);
+ err_gop_clk:
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Bhadram Varka <vbhadram@nvidia.com>
+Date: Wed, 2 May 2018 20:43:58 +0530
+Subject: net: phy: broadcom: add support for BCM89610 PHY
+
+From: Bhadram Varka <vbhadram@nvidia.com>
+
+[ Upstream commit 23b8392201e0681b76630c4cea68e1a2e1821ec6 ]
+
+It adds support for BCM89610 (Single-Port 10/100/1000BASE-T)
+transceiver which is used in P3310 Tegra186 platform.
+
+Signed-off-by: Bhadram Varka <vbhadram@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/broadcom.c | 10 ++++++++++
+ include/linux/brcmphy.h | 1 +
+ 2 files changed, 11 insertions(+)
+
+--- a/drivers/net/phy/broadcom.c
++++ b/drivers/net/phy/broadcom.c
+@@ -720,6 +720,15 @@ static struct phy_driver broadcom_driver
+ .get_strings = bcm_phy_get_strings,
+ .get_stats = bcm53xx_phy_get_stats,
+ .probe = bcm53xx_phy_probe,
++}, {
++ .phy_id = PHY_ID_BCM89610,
++ .phy_id_mask = 0xfffffff0,
++ .name = "Broadcom BCM89610",
++ .features = PHY_GBIT_FEATURES,
++ .flags = PHY_HAS_INTERRUPT,
++ .config_init = bcm54xx_config_init,
++ .ack_interrupt = bcm_phy_ack_intr,
++ .config_intr = bcm_phy_config_intr,
+ } };
+
+ module_phy_driver(broadcom_drivers);
+@@ -741,6 +750,7 @@ static struct mdio_device_id __maybe_unu
+ { PHY_ID_BCMAC131, 0xfffffff0 },
+ { PHY_ID_BCM5241, 0xfffffff0 },
+ { PHY_ID_BCM5395, 0xfffffff0 },
++ { PHY_ID_BCM89610, 0xfffffff0 },
+ { }
+ };
+
+--- a/include/linux/brcmphy.h
++++ b/include/linux/brcmphy.h
+@@ -25,6 +25,7 @@
+ #define PHY_ID_BCM54612E 0x03625e60
+ #define PHY_ID_BCM54616S 0x03625d10
+ #define PHY_ID_BCM57780 0x03625d90
++#define PHY_ID_BCM89610 0x03625cd0
+
+ #define PHY_ID_BCM7250 0xae025280
+ #define PHY_ID_BCM7260 0xae025190
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Jingju Hou <Jingju.Hou@synaptics.com>
+Date: Mon, 23 Apr 2018 15:22:49 +0800
+Subject: net: phy: marvell: clear wol event before setting it
+
+From: Jingju Hou <Jingju.Hou@synaptics.com>
+
+[ Upstream commit b6a930fa88083b41d26ddf1cab95cbd740936c22 ]
+
+If WOL event happened once, the LED[2] interrupt pin will not be
+cleared unless we read the CSISR register. If interrupts are in use,
+the normal interrupt handling will clear the WOL event. Let's clear the
+WOL event before enabling it if !phy_interrupt_is_valid().
+
+Signed-off-by: Jingju Hou <Jingju.Hou@synaptics.com>
+Signed-off-by: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/marvell.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/net/phy/marvell.c
++++ b/drivers/net/phy/marvell.c
+@@ -1377,6 +1377,15 @@ static int m88e1318_set_wol(struct phy_d
+ if (err < 0)
+ goto error;
+
++ /* If WOL event happened once, the LED[2] interrupt pin
++ * will not be cleared unless we reading the interrupt status
++ * register. If interrupts are in use, the normal interrupt
++ * handling will clear the WOL event. Clear the WOL event
++ * before enabling it if !phy_interrupt_is_valid()
++ */
++ if (!phy_interrupt_is_valid(phydev))
++ phy_read(phydev, MII_M1011_IEVENT);
++
+ /* Enable the WOL interrupt */
+ err = __phy_modify(phydev, MII_88E1318S_PHY_CSIER, 0,
+ MII_88E1318S_PHY_CSIER_WOL_EIE);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Roman Mashak <mrv@mojatatu.com>
+Date: Fri, 11 May 2018 10:55:09 -0400
+Subject: net sched actions: fix invalid pointer dereferencing if skbedit flags missing
+
+From: Roman Mashak <mrv@mojatatu.com>
+
+[ Upstream commit af5d01842fe1fbfb9f5e1c1d957ba02ab6f4569a ]
+
+When application fails to pass flags in netlink TLV for a new skbedit action,
+the kernel results in the following oops:
+
+[ 8.307732] BUG: unable to handle kernel paging request at 0000000000021130
+[ 8.309167] PGD 80000000193d1067 P4D 80000000193d1067 PUD 180e0067 PMD 0
+[ 8.310595] Oops: 0000 [#1] SMP PTI
+[ 8.311334] Modules linked in: kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper serio_raw
+[ 8.314190] CPU: 1 PID: 397 Comm: tc Not tainted 4.17.0-rc3+ #357
+[ 8.315252] RIP: 0010:__tcf_idr_release+0x33/0x140
+[ 8.316203] RSP: 0018:ffffa0718038f840 EFLAGS: 00010246
+[ 8.317123] RAX: 0000000000000001 RBX: 0000000000021100 RCX: 0000000000000000
+[ 8.319831] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000021100
+[ 8.321181] RBP: 0000000000000000 R08: 000000000004adf8 R09: 0000000000000122
+[ 8.322645] R10: 0000000000000000 R11: ffffffff9e5b01ed R12: 0000000000000000
+[ 8.324157] R13: ffffffff9e0d3cc0 R14: 0000000000000000 R15: 0000000000000000
+[ 8.325590] FS: 00007f591292e700(0000) GS:ffff8fcf5bc40000(0000) knlGS:0000000000000000
+[ 8.327001] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 8.327987] CR2: 0000000000021130 CR3: 00000000180e6004 CR4: 00000000001606a0
+[ 8.329289] Call Trace:
+[ 8.329735] tcf_skbedit_init+0xa7/0xb0
+[ 8.330423] tcf_action_init_1+0x362/0x410
+[ 8.331139] ? try_to_wake_up+0x44/0x430
+[ 8.331817] tcf_action_init+0x103/0x190
+[ 8.332511] tc_ctl_action+0x11a/0x220
+[ 8.333174] rtnetlink_rcv_msg+0x23d/0x2e0
+[ 8.333902] ? _cond_resched+0x16/0x40
+[ 8.334569] ? __kmalloc_node_track_caller+0x5b/0x2c0
+[ 8.335440] ? rtnl_calcit.isra.31+0xf0/0xf0
+[ 8.336178] netlink_rcv_skb+0xdb/0x110
+[ 8.336855] netlink_unicast+0x167/0x220
+[ 8.337550] netlink_sendmsg+0x2a7/0x390
+[ 8.338258] sock_sendmsg+0x30/0x40
+[ 8.338865] ___sys_sendmsg+0x2c5/0x2e0
+[ 8.339531] ? pagecache_get_page+0x27/0x210
+[ 8.340271] ? filemap_fault+0xa2/0x630
+[ 8.340943] ? page_add_file_rmap+0x108/0x200
+[ 8.341732] ? alloc_set_pte+0x2aa/0x530
+[ 8.342573] ? finish_fault+0x4e/0x70
+[ 8.343332] ? __handle_mm_fault+0xbc1/0x10d0
+[ 8.344337] ? __sys_sendmsg+0x53/0x80
+[ 8.345040] __sys_sendmsg+0x53/0x80
+[ 8.345678] do_syscall_64+0x4f/0x100
+[ 8.346339] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 8.347206] RIP: 0033:0x7f591191da67
+[ 8.347831] RSP: 002b:00007fff745abd48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+[ 8.349179] RAX: ffffffffffffffda RBX: 00007fff745abe70 RCX: 00007f591191da67
+[ 8.350431] RDX: 0000000000000000 RSI: 00007fff745abdc0 RDI: 0000000000000003
+[ 8.351659] RBP: 000000005af35251 R08: 0000000000000001 R09: 0000000000000000
+[ 8.352922] R10: 00000000000005f1 R11: 0000000000000246 R12: 0000000000000000
+[ 8.354183] R13: 00007fff745afed0 R14: 0000000000000001 R15: 00000000006767c0
+[ 8.355400] Code: 41 89 d4 53 89 f5 48 89 fb e8 aa 20 fd ff 85 c0 0f 84 ed 00
+00 00 48 85 db 0f 84 cf 00 00 00 40 84 ed 0f 85 cd 00 00 00 45 84 e4 <8b> 53 30
+74 0d 85 d2 b8 ff ff ff ff 0f 8f b3 00 00 00 8b 43 2c
+[ 8.358699] RIP: __tcf_idr_release+0x33/0x140 RSP: ffffa0718038f840
+[ 8.359770] CR2: 0000000000021130
+[ 8.360438] ---[ end trace 60c66be45dfc14f0 ]---
+
+The caller calls action's ->init() and passes pointer to "struct tc_action *a",
+which later may be initialized to point at the existing action, otherwise
+"struct tc_action *a" is still invalid, and therefore dereferencing it is an
+error as happens in tcf_idr_release, where refcnt is decremented.
+
+So in case of missing flags tcf_idr_release must be called only for
+existing actions.
+
+v2:
+ - prepare patch for net tree
+
+Fixes: 5e1567aeb7fe ("net sched: skbedit action fix late binding")
+Signed-off-by: Roman Mashak <mrv@mojatatu.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_skbedit.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sched/act_skbedit.c
++++ b/net/sched/act_skbedit.c
+@@ -121,7 +121,8 @@ static int tcf_skbedit_init(struct net *
+ return 0;
+
+ if (!flags) {
+- tcf_idr_release(*a, bind);
++ if (exists)
++ tcf_idr_release(*a, bind);
+ return -EINVAL;
+ }
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Wed, 18 Apr 2018 23:35:34 +0900
+Subject: netfilter: nf_tables: fix out-of-bounds in nft_chain_commit_update
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit d71efb599ad42ef1e564c652d8084252bdc85edf ]
+
+When chain name is changed, nft_chain_commit_update is called.
+In the nft_chain_commit_update, trans->ctx.chain->name has old chain name
+and nft_trans_chain_name(trans) has new chain name.
+If new chain name is longer than old chain name, KASAN warns
+slab-out-of-bounds.
+
+[ 175.015012] BUG: KASAN: slab-out-of-bounds in strcpy+0x9e/0xb0
+[ 175.022735] Write of size 1 at addr ffff880114e022da by task iptables-compat/1458
+
+[ 175.031353] CPU: 0 PID: 1458 Comm: iptables-compat Not tainted 4.16.0-rc7+ #146
+[ 175.031353] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
+[ 175.031353] Call Trace:
+[ 175.031353] dump_stack+0x68/0xa0
+[ 175.031353] print_address_description+0xd0/0x260
+[ 175.031353] ? strcpy+0x9e/0xb0
+[ 175.031353] kasan_report+0x234/0x350
+[ 175.031353] __asan_report_store1_noabort+0x1c/0x20
+[ 175.031353] strcpy+0x9e/0xb0
+[ 175.031353] nf_tables_commit+0x1ccc/0x2990
+[ 175.031353] nfnetlink_rcv+0x141e/0x16c0
+[ 175.031353] ? nfnetlink_net_init+0x150/0x150
+[ 175.031353] ? lock_acquire+0x370/0x370
+[ 175.031353] ? lock_acquire+0x370/0x370
+[ 175.031353] netlink_unicast+0x444/0x640
+[ 175.031353] ? netlink_attachskb+0x700/0x700
+[ 175.031353] ? _copy_from_iter_full+0x180/0x740
+[ 175.031353] ? kasan_check_write+0x14/0x20
+[ 175.031353] ? _copy_from_user+0x9b/0xd0
+[ 175.031353] netlink_sendmsg+0x845/0xc70
+[ ... ]
+
+Steps to reproduce:
+ iptables-compat -N 1
+ iptables-compat -E 1 aaaaaaaaa
+
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -5741,7 +5741,7 @@ static void nft_chain_commit_update(stru
+ struct nft_base_chain *basechain;
+
+ if (nft_trans_chain_name(trans))
+- strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
++ swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
+
+ if (!nft_is_base_chain(trans->ctx.chain))
+ return;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 18 Apr 2018 12:23:39 +0200
+Subject: netfilter: nf_tables: NAT chain and extensions require NF_TABLES
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 39f2ff0816e5421476c2bc538b68b4bb0708a78e ]
+
+Move these options inside the scope of the 'if' NF_TABLES and
+NF_TABLES_IPV6 dependencies. This patch fixes:
+
+ net/ipv6/netfilter/nft_chain_nat_ipv6.o: In function `nft_nat_do_chain':
+>> net/ipv6/netfilter/nft_chain_nat_ipv6.c:37: undefined reference to `nft_do_chain'
+ net/ipv6/netfilter/nft_chain_nat_ipv6.o: In function `nft_chain_nat_ipv6_exit':
+>> net/ipv6/netfilter/nft_chain_nat_ipv6.c:94: undefined reference to `nft_unregister_chain_type'
+ net/ipv6/netfilter/nft_chain_nat_ipv6.o: In function `nft_chain_nat_ipv6_init':
+>> net/ipv6/netfilter/nft_chain_nat_ipv6.c:87: undefined reference to `nft_register_chain_type'
+
+that happens with:
+
+CONFIG_NF_TABLES=m
+CONFIG_NFT_CHAIN_NAT_IPV6=y
+
+Fixes: 02c7b25e5f54 ("netfilter: nf_tables: build-in filter chain type")
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/netfilter/Kconfig | 55 ++++++++++++++++++++++-----------------------
+ 1 file changed, 28 insertions(+), 27 deletions(-)
+
+--- a/net/ipv6/netfilter/Kconfig
++++ b/net/ipv6/netfilter/Kconfig
+@@ -48,6 +48,34 @@ config NFT_CHAIN_ROUTE_IPV6
+ fields such as the source, destination, flowlabel, hop-limit and
+ the packet mark.
+
++if NF_NAT_IPV6
++
++config NFT_CHAIN_NAT_IPV6
++ tristate "IPv6 nf_tables nat chain support"
++ help
++ This option enables the "nat" chain for IPv6 in nf_tables. This
++ chain type is used to perform Network Address Translation (NAT)
++ packet transformations such as the source, destination address and
++ source and destination ports.
++
++config NFT_MASQ_IPV6
++ tristate "IPv6 masquerade support for nf_tables"
++ depends on NFT_MASQ
++ select NF_NAT_MASQUERADE_IPV6
++ help
++ This is the expression that provides IPv4 masquerading support for
++ nf_tables.
++
++config NFT_REDIR_IPV6
++ tristate "IPv6 redirect support for nf_tables"
++ depends on NFT_REDIR
++ select NF_NAT_REDIRECT
++ help
++ This is the expression that provides IPv4 redirect support for
++ nf_tables.
++
++endif # NF_NAT_IPV6
++
+ config NFT_REJECT_IPV6
+ select NF_REJECT_IPV6
+ default NFT_REJECT
+@@ -107,39 +135,12 @@ config NF_NAT_IPV6
+
+ if NF_NAT_IPV6
+
+-config NFT_CHAIN_NAT_IPV6
+- depends on NF_TABLES_IPV6
+- tristate "IPv6 nf_tables nat chain support"
+- help
+- This option enables the "nat" chain for IPv6 in nf_tables. This
+- chain type is used to perform Network Address Translation (NAT)
+- packet transformations such as the source, destination address and
+- source and destination ports.
+-
+ config NF_NAT_MASQUERADE_IPV6
+ tristate "IPv6 masquerade support"
+ help
+ This is the kernel functionality to provide NAT in the masquerade
+ flavour (automatic source address selection) for IPv6.
+
+-config NFT_MASQ_IPV6
+- tristate "IPv6 masquerade support for nf_tables"
+- depends on NF_TABLES_IPV6
+- depends on NFT_MASQ
+- select NF_NAT_MASQUERADE_IPV6
+- help
+- This is the expression that provides IPv4 masquerading support for
+- nf_tables.
+-
+-config NFT_REDIR_IPV6
+- tristate "IPv6 redirect support for nf_tables"
+- depends on NF_TABLES_IPV6
+- depends on NFT_REDIR
+- select NF_NAT_REDIRECT
+- help
+- This is the expression that provides IPv4 redirect support for
+- nf_tables.
+-
+ endif # NF_NAT_IPV6
+
+ config IP6_NF_IPTABLES
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+Date: Wed, 25 Apr 2018 11:21:08 -0700
+Subject: nfp: don't depend on eth_tbl being available
+
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+
+[ Upstream commit c55ca688ed99a9cb79367aee2ed2ff6cb80fc039 ]
+
+For very very old generation of the management FW Ethernet port
+information table may theoretically not be available. This in
+turn will cause the nfp_port structures to not be allocated.
+
+Make sure we don't crash the kernel when there is no eth_tbl:
+
+RIP: 0010:nfp_net_pci_probe+0xf2/0xb40 [nfp]
+...
+Call Trace:
+ nfp_pci_probe+0x6de/0xab0 [nfp]
+ local_pci_probe+0x47/0xa0
+ work_for_cpu_fn+0x1a/0x30
+ process_one_work+0x1de/0x3e0
+
+Found while working with broken/development version of management FW.
+
+Fixes: a5950182c00e ("nfp: map mac_stats and vf_cfg BARs")
+Fixes: 93da7d9660ee ("nfp: provide nfp_port to of nfp_net_get_mac_addr()")
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/flower/main.c | 2 -
+ drivers/net/ethernet/netronome/nfp/nfp_app_nic.c | 2 -
+ drivers/net/ethernet/netronome/nfp/nfp_main.h | 4 ++
+ drivers/net/ethernet/netronome/nfp/nfp_net_main.c | 31 ++++++++++++----------
+ 4 files changed, 23 insertions(+), 16 deletions(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/flower/main.c
++++ b/drivers/net/ethernet/netronome/nfp/flower/main.c
+@@ -358,7 +358,7 @@ nfp_flower_spawn_phy_reprs(struct nfp_ap
+ }
+
+ SET_NETDEV_DEV(repr, &priv->nn->pdev->dev);
+- nfp_net_get_mac_addr(app->pf, port);
++ nfp_net_get_mac_addr(app->pf, repr, port);
+
+ cmsg_port_id = nfp_flower_cmsg_phys_port(phys_port);
+ err = nfp_repr_init(app, repr,
+--- a/drivers/net/ethernet/netronome/nfp/nfp_app_nic.c
++++ b/drivers/net/ethernet/netronome/nfp/nfp_app_nic.c
+@@ -69,7 +69,7 @@ int nfp_app_nic_vnic_alloc(struct nfp_ap
+ if (err)
+ return err < 0 ? err : 0;
+
+- nfp_net_get_mac_addr(app->pf, nn->port);
++ nfp_net_get_mac_addr(app->pf, nn->dp.netdev, nn->port);
+
+ return 0;
+ }
+--- a/drivers/net/ethernet/netronome/nfp/nfp_main.h
++++ b/drivers/net/ethernet/netronome/nfp/nfp_main.h
+@@ -171,7 +171,9 @@ void nfp_net_pci_remove(struct nfp_pf *p
+ int nfp_hwmon_register(struct nfp_pf *pf);
+ void nfp_hwmon_unregister(struct nfp_pf *pf);
+
+-void nfp_net_get_mac_addr(struct nfp_pf *pf, struct nfp_port *port);
++void
++nfp_net_get_mac_addr(struct nfp_pf *pf, struct net_device *netdev,
++ struct nfp_port *port);
+
+ bool nfp_ctrl_tx(struct nfp_net *nn, struct sk_buff *skb);
+
+--- a/drivers/net/ethernet/netronome/nfp/nfp_net_main.c
++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_main.c
+@@ -67,23 +67,26 @@
+ /**
+ * nfp_net_get_mac_addr() - Get the MAC address.
+ * @pf: NFP PF handle
++ * @netdev: net_device to set MAC address on
+ * @port: NFP port structure
+ *
+ * First try to get the MAC address from NSP ETH table. If that
+ * fails generate a random address.
+ */
+-void nfp_net_get_mac_addr(struct nfp_pf *pf, struct nfp_port *port)
++void
++nfp_net_get_mac_addr(struct nfp_pf *pf, struct net_device *netdev,
++ struct nfp_port *port)
+ {
+ struct nfp_eth_table_port *eth_port;
+
+ eth_port = __nfp_port_get_eth_port(port);
+ if (!eth_port) {
+- eth_hw_addr_random(port->netdev);
++ eth_hw_addr_random(netdev);
+ return;
+ }
+
+- ether_addr_copy(port->netdev->dev_addr, eth_port->mac_addr);
+- ether_addr_copy(port->netdev->perm_addr, eth_port->mac_addr);
++ ether_addr_copy(netdev->dev_addr, eth_port->mac_addr);
++ ether_addr_copy(netdev->perm_addr, eth_port->mac_addr);
+ }
+
+ static struct nfp_eth_table_port *
+@@ -511,16 +514,18 @@ static int nfp_net_pci_map_mem(struct nf
+ return PTR_ERR(mem);
+ }
+
+- min_size = NFP_MAC_STATS_SIZE * (pf->eth_tbl->max_index + 1);
+- pf->mac_stats_mem = nfp_rtsym_map(pf->rtbl, "_mac_stats",
+- "net.macstats", min_size,
+- &pf->mac_stats_bar);
+- if (IS_ERR(pf->mac_stats_mem)) {
+- if (PTR_ERR(pf->mac_stats_mem) != -ENOENT) {
+- err = PTR_ERR(pf->mac_stats_mem);
+- goto err_unmap_ctrl;
++ if (pf->eth_tbl) {
++ min_size = NFP_MAC_STATS_SIZE * (pf->eth_tbl->max_index + 1);
++ pf->mac_stats_mem = nfp_rtsym_map(pf->rtbl, "_mac_stats",
++ "net.macstats", min_size,
++ &pf->mac_stats_bar);
++ if (IS_ERR(pf->mac_stats_mem)) {
++ if (PTR_ERR(pf->mac_stats_mem) != -ENOENT) {
++ err = PTR_ERR(pf->mac_stats_mem);
++ goto err_unmap_ctrl;
++ }
++ pf->mac_stats_mem = NULL;
+ }
+- pf->mac_stats_mem = NULL;
+ }
+
+ pf->vf_cfg_mem = nfp_net_pf_map_rtsym(pf, "net.vfcfg",
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
+Date: Wed, 11 Apr 2018 16:47:38 -0700
+Subject: nfp: flower: split and limit cmsg skb lists
+
+From: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
+
+[ Upstream commit cf2cbadc20f5651c3dde9f5ac2ee52fb43aa4ddd ]
+
+Introduce a second skb list for handling control messages and limit the
+number of allowed messages. Some control messages are considered more
+crucial than others, resulting in the need for a second skb list. By
+splitting the list into a separate high and low priority list we can
+ensure that messages on the high list get added to the head of the list
+that gets processed, this however has no functional impact. Previously
+there was no limit on the number of messages allowed on the queue, this
+could result in the queue growing boundlessly and eventually the host
+running out of memory.
+
+Fixes: b985f870a5f0 ("nfp: process control messages in workqueue in flower app")
+Signed-off-by: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
+Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Reviewed-by: Simon Horman <simon.horman@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/flower/cmsg.c | 38 ++++++++++++++++++++---
+ drivers/net/ethernet/netronome/nfp/flower/cmsg.h | 2 +
+ drivers/net/ethernet/netronome/nfp/flower/main.c | 6 ++-
+ drivers/net/ethernet/netronome/nfp/flower/main.h | 8 +++-
+ 4 files changed, 46 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/flower/cmsg.c
++++ b/drivers/net/ethernet/netronome/nfp/flower/cmsg.c
+@@ -242,18 +242,49 @@ out:
+
+ void nfp_flower_cmsg_process_rx(struct work_struct *work)
+ {
++ struct sk_buff_head cmsg_joined;
+ struct nfp_flower_priv *priv;
+ struct sk_buff *skb;
+
+ priv = container_of(work, struct nfp_flower_priv, cmsg_work);
++ skb_queue_head_init(&cmsg_joined);
+
+- while ((skb = skb_dequeue(&priv->cmsg_skbs)))
++ spin_lock_bh(&priv->cmsg_skbs_high.lock);
++ skb_queue_splice_tail_init(&priv->cmsg_skbs_high, &cmsg_joined);
++ spin_unlock_bh(&priv->cmsg_skbs_high.lock);
++
++ spin_lock_bh(&priv->cmsg_skbs_low.lock);
++ skb_queue_splice_tail_init(&priv->cmsg_skbs_low, &cmsg_joined);
++ spin_unlock_bh(&priv->cmsg_skbs_low.lock);
++
++ while ((skb = __skb_dequeue(&cmsg_joined)))
+ nfp_flower_cmsg_process_one_rx(priv->app, skb);
+ }
+
+-void nfp_flower_cmsg_rx(struct nfp_app *app, struct sk_buff *skb)
++static void
++nfp_flower_queue_ctl_msg(struct nfp_app *app, struct sk_buff *skb, int type)
+ {
+ struct nfp_flower_priv *priv = app->priv;
++ struct sk_buff_head *skb_head;
++
++ if (type == NFP_FLOWER_CMSG_TYPE_PORT_REIFY ||
++ type == NFP_FLOWER_CMSG_TYPE_PORT_MOD)
++ skb_head = &priv->cmsg_skbs_high;
++ else
++ skb_head = &priv->cmsg_skbs_low;
++
++ if (skb_queue_len(skb_head) >= NFP_FLOWER_WORKQ_MAX_SKBS) {
++ nfp_flower_cmsg_warn(app, "Dropping queued control messages\n");
++ dev_kfree_skb_any(skb);
++ return;
++ }
++
++ skb_queue_tail(skb_head, skb);
++ schedule_work(&priv->cmsg_work);
++}
++
++void nfp_flower_cmsg_rx(struct nfp_app *app, struct sk_buff *skb)
++{
+ struct nfp_flower_cmsg_hdr *cmsg_hdr;
+
+ cmsg_hdr = nfp_flower_cmsg_get_hdr(skb);
+@@ -270,7 +301,6 @@ void nfp_flower_cmsg_rx(struct nfp_app *
+ nfp_flower_rx_flow_stats(app, skb);
+ dev_consume_skb_any(skb);
+ } else {
+- skb_queue_tail(&priv->cmsg_skbs, skb);
+- schedule_work(&priv->cmsg_work);
++ nfp_flower_queue_ctl_msg(app, skb, cmsg_hdr->type);
+ }
+ }
+--- a/drivers/net/ethernet/netronome/nfp/flower/cmsg.h
++++ b/drivers/net/ethernet/netronome/nfp/flower/cmsg.h
+@@ -98,6 +98,8 @@
+ #define NFP_FL_IPV4_TUNNEL_TYPE GENMASK(7, 4)
+ #define NFP_FL_IPV4_PRE_TUN_INDEX GENMASK(2, 0)
+
++#define NFP_FLOWER_WORKQ_MAX_SKBS 30000
++
+ #define nfp_flower_cmsg_warn(app, fmt, args...) \
+ do { \
+ if (net_ratelimit()) \
+--- a/drivers/net/ethernet/netronome/nfp/flower/main.c
++++ b/drivers/net/ethernet/netronome/nfp/flower/main.c
+@@ -517,7 +517,8 @@ static int nfp_flower_init(struct nfp_ap
+
+ app->priv = app_priv;
+ app_priv->app = app;
+- skb_queue_head_init(&app_priv->cmsg_skbs);
++ skb_queue_head_init(&app_priv->cmsg_skbs_high);
++ skb_queue_head_init(&app_priv->cmsg_skbs_low);
+ INIT_WORK(&app_priv->cmsg_work, nfp_flower_cmsg_process_rx);
+ init_waitqueue_head(&app_priv->reify_wait_queue);
+
+@@ -544,7 +545,8 @@ static void nfp_flower_clean(struct nfp_
+ {
+ struct nfp_flower_priv *app_priv = app->priv;
+
+- skb_queue_purge(&app_priv->cmsg_skbs);
++ skb_queue_purge(&app_priv->cmsg_skbs_high);
++ skb_queue_purge(&app_priv->cmsg_skbs_low);
+ flush_work(&app_priv->cmsg_work);
+
+ nfp_flower_metadata_cleanup(app);
+--- a/drivers/net/ethernet/netronome/nfp/flower/main.h
++++ b/drivers/net/ethernet/netronome/nfp/flower/main.h
+@@ -89,7 +89,10 @@ struct nfp_fl_stats_id {
+ * @mask_table: Hash table used to store masks
+ * @flow_table: Hash table used to store flower rules
+ * @cmsg_work: Workqueue for control messages processing
+- * @cmsg_skbs: List of skbs for control message processing
++ * @cmsg_skbs_high: List of higher priority skbs for control message
++ * processing
++ * @cmsg_skbs_low: List of lower priority skbs for control message
++ * processing
+ * @nfp_mac_off_list: List of MAC addresses to offload
+ * @nfp_mac_index_list: List of unique 8-bit indexes for non NFP netdevs
+ * @nfp_ipv4_off_list: List of IPv4 addresses to offload
+@@ -117,7 +120,8 @@ struct nfp_flower_priv {
+ DECLARE_HASHTABLE(mask_table, NFP_FLOWER_MASK_HASH_BITS);
+ DECLARE_HASHTABLE(flow_table, NFP_FLOWER_HASH_BITS);
+ struct work_struct cmsg_work;
+- struct sk_buff_head cmsg_skbs;
++ struct sk_buff_head cmsg_skbs_high;
++ struct sk_buff_head cmsg_skbs_low;
+ struct list_head nfp_mac_off_list;
+ struct list_head nfp_mac_index_list;
+ struct list_head nfp_ipv4_off_list;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+Date: Wed, 11 Apr 2018 16:47:35 -0700
+Subject: nfp: ignore signals when communicating with management FW
+
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+
+[ Upstream commit 5496295aefe86995e41398b0f76de601308fc3f5 ]
+
+We currently allow signals to interrupt the wait for management FW
+commands. Exiting the wait should not cause trouble, the FW will
+just finish executing the command in the background and new commands
+will wait for the old one to finish.
+
+However, this may not be what users expect (Ctrl-C not actually stopping
+the command). Moreover some systems routinely request link information
+with signals pending (Ubuntu 14.04 runs a landscape-sysinfo python tool
+from MOTD) worrying users with errors like these:
+
+nfp 0000:04:00.0: nfp_nsp: Error -512 waiting for code 0x0007 to start
+nfp 0000:04:00.0: nfp: reading port table failed -512
+
+Make the wait for management FW responses non-interruptible.
+
+Fixes: 1a64821c6af7 ("nfp: add support for service processor access")
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/nfpcore/nfp_nsp.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_nsp.c
++++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_nsp.c
+@@ -281,8 +281,7 @@ nfp_nsp_wait_reg(struct nfp_cpp *cpp, u6
+ if ((*reg & mask) == val)
+ return 0;
+
+- if (msleep_interruptible(25))
+- return -ERESTARTSYS;
++ msleep(25);
+
+ if (time_after(start_time, wait_until))
+ return -ETIMEDOUT;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Greg Thelen <gthelen@google.com>
+Date: Thu, 26 Apr 2018 11:19:30 -0700
+Subject: nvme: depend on INFINIBAND_ADDR_TRANS
+
+From: Greg Thelen <gthelen@google.com>
+
+[ Upstream commit 3af7a156bdc356946098e13180be66b6420619bf ]
+
+NVME_RDMA code depends on INFINIBAND_ADDR_TRANS provided symbols. So
+declare the kconfig dependency. This is necessary to allow for enabling
+INFINIBAND without INFINIBAND_ADDR_TRANS.
+
+Signed-off-by: Greg Thelen <gthelen@google.com>
+Cc: Tarick Bedeir <tarick@google.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/Kconfig
++++ b/drivers/nvme/host/Kconfig
+@@ -27,7 +27,7 @@ config NVME_FABRICS
+
+ config NVME_RDMA
+ tristate "NVM Express over Fabrics RDMA host driver"
+- depends on INFINIBAND && BLOCK
++ depends on INFINIBAND && INFINIBAND_ADDR_TRANS && BLOCK
+ select NVME_CORE
+ select NVME_FABRICS
+ select SG_POOL
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Chengguang Xu <cgxu519@gmx.com>
+Date: Sat, 14 Apr 2018 20:06:19 +0800
+Subject: nvme: fix potential memory leak in option parsing
+
+From: Chengguang Xu <cgxu519@gmx.com>
+
+[ Upstream commit 59a2f3f00fd744dbad22593f47552037d3154ca6 ]
+
+When specifying same string type option several times,
+current option parsing may cause memory leak. Hence,
+call kfree for previous one in this case.
+
+Signed-off-by: Chengguang Xu <cgxu519@gmx.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/fabrics.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/nvme/host/fabrics.c
++++ b/drivers/nvme/host/fabrics.c
+@@ -668,6 +668,7 @@ static int nvmf_parse_options(struct nvm
+ ret = -ENOMEM;
+ goto out;
+ }
++ kfree(opts->transport);
+ opts->transport = p;
+ break;
+ case NVMF_OPT_NQN:
+@@ -676,6 +677,7 @@ static int nvmf_parse_options(struct nvm
+ ret = -ENOMEM;
+ goto out;
+ }
++ kfree(opts->subsysnqn);
+ opts->subsysnqn = p;
+ nqnlen = strlen(opts->subsysnqn);
+ if (nqnlen >= NVMF_NQN_SIZE) {
+@@ -698,6 +700,7 @@ static int nvmf_parse_options(struct nvm
+ ret = -ENOMEM;
+ goto out;
+ }
++ kfree(opts->traddr);
+ opts->traddr = p;
+ break;
+ case NVMF_OPT_TRSVCID:
+@@ -706,6 +709,7 @@ static int nvmf_parse_options(struct nvm
+ ret = -ENOMEM;
+ goto out;
+ }
++ kfree(opts->trsvcid);
+ opts->trsvcid = p;
+ break;
+ case NVMF_OPT_QUEUE_SIZE:
+@@ -792,6 +796,7 @@ static int nvmf_parse_options(struct nvm
+ ret = -EINVAL;
+ goto out;
+ }
++ nvmf_host_put(opts->host);
+ opts->host = nvmf_host_add(p);
+ kfree(p);
+ if (!opts->host) {
+@@ -817,6 +822,7 @@ static int nvmf_parse_options(struct nvm
+ ret = -ENOMEM;
+ goto out;
+ }
++ kfree(opts->host_traddr);
+ opts->host_traddr = p;
+ break;
+ case NVMF_OPT_HOST_ID:
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Jianchao Wang <jianchao.w.wang@oracle.com>
+Date: Fri, 4 May 2018 16:01:57 +0800
+Subject: nvme: fix use-after-free in nvme_free_ns_head
+
+From: Jianchao Wang <jianchao.w.wang@oracle.com>
+
+[ Upstream commit 12d9f07022dcde261ad16e9a11f45096dc68b03c ]
+
+Currently only nvme_ctrl will take a reference counter of
+nvme_subsystem, nvme_ns_head also needs it. Otherwise
+nvme_free_ns_head will access the nvme_subsystem.ns_ida
+which has been freed by __nvme_release_subsystem after all the
+reference of nvme_subsystem have been released by nvme_free_ctrl.
+This could cause memory corruption.
+
+ BUG: KASAN: use-after-free in radix_tree_next_chunk+0x9f/0x4b0
+ Read of size 8 at addr ffff88036494d2e8 by task fio/1815
+
+ CPU: 1 PID: 1815 Comm: fio Kdump: loaded Tainted: G W 4.17.0-rc1+ #18
+ Hardware name: LENOVO 10MLS0E339/3106, BIOS M1AKT22A 06/27/2017
+ Call Trace:
+ dump_stack+0x91/0xeb
+ print_address_description+0x6b/0x290
+ kasan_report+0x261/0x360
+ radix_tree_next_chunk+0x9f/0x4b0
+ ida_remove+0x8b/0x180
+ ida_simple_remove+0x26/0x40
+ nvme_free_ns_head+0x58/0xc0
+ __blkdev_put+0x30a/0x3a0
+ blkdev_close+0x44/0x50
+ __fput+0x184/0x380
+ task_work_run+0xaf/0xe0
+ do_exit+0x501/0x1440
+ do_group_exit+0x89/0x140
+ __x64_sys_exit_group+0x28/0x30
+ do_syscall_64+0x72/0x230
+
+Signed-off-by: Jianchao Wang <jianchao.w.wang@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -99,6 +99,7 @@ static struct class *nvme_subsys_class;
+
+ static void nvme_ns_remove(struct nvme_ns *ns);
+ static int nvme_revalidate_disk(struct gendisk *disk);
++static void nvme_put_subsystem(struct nvme_subsystem *subsys);
+
+ static __le32 nvme_get_log_dw10(u8 lid, size_t size)
+ {
+@@ -353,6 +354,7 @@ static void nvme_free_ns_head(struct kre
+ ida_simple_remove(&head->subsys->ns_ida, head->instance);
+ list_del_init(&head->entry);
+ cleanup_srcu_struct(&head->srcu);
++ nvme_put_subsystem(head->subsys);
+ kfree(head);
+ }
+
+@@ -2843,6 +2845,9 @@ static struct nvme_ns_head *nvme_alloc_n
+ goto out_cleanup_srcu;
+
+ list_add_tail(&head->entry, &ctrl->subsys->nsheads);
++
++ kref_get(&ctrl->subsys->ref);
++
+ return head;
+ out_cleanup_srcu:
+ cleanup_srcu_struct(&head->srcu);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Keith Busch <keith.busch@intel.com>
+Date: Thu, 26 Apr 2018 14:24:29 -0600
+Subject: nvme/multipath: Disable runtime writable enabling parameter
+
+From: Keith Busch <keith.busch@intel.com>
+
+[ Upstream commit 5cadde8019a6a80550fdde92d5a3327565974eab ]
+
+We can't allow the user to change multipath settings at runtime, as this
+will create naming conflicts due to the different naming schemes used
+for each mode.
+
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/multipath.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -15,7 +15,7 @@
+ #include "nvme.h"
+
+ static bool multipath = true;
+-module_param(multipath, bool, 0644);
++module_param(multipath, bool, 0444);
+ MODULE_PARM_DESC(multipath,
+ "turn on native support for multiple controllers per subsystem");
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Keith Busch <keith.busch@intel.com>
+Date: Thu, 26 Apr 2018 14:22:41 -0600
+Subject: nvme/multipath: Fix multipath disabled naming collisions
+
+From: Keith Busch <keith.busch@intel.com>
+
+[ Upstream commit a785dbccd95c37606c720580714f5a7a8b3255f1 ]
+
+When CONFIG_NVME_MULTIPATH is set, but we're not using nvme to multipath,
+namespaces with multiple paths were not creating unique names due to
+reusing the same instance number from the namespace's head.
+
+This patch fixes this by falling back to the non-multipath naming method
+when the parameter disabled using multipath.
+
+Reported-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/core.c | 26 +-------------------------
+ drivers/nvme/host/multipath.c | 22 ++++++++++++++++++++++
+ drivers/nvme/host/nvme.h | 12 ++++++++++++
+ 3 files changed, 35 insertions(+), 25 deletions(-)
+
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -2979,31 +2979,7 @@ static void nvme_alloc_ns(struct nvme_ct
+ if (nvme_init_ns_head(ns, nsid, id))
+ goto out_free_id;
+ nvme_setup_streams_ns(ctrl, ns);
+-
+-#ifdef CONFIG_NVME_MULTIPATH
+- /*
+- * If multipathing is enabled we need to always use the subsystem
+- * instance number for numbering our devices to avoid conflicts
+- * between subsystems that have multiple controllers and thus use
+- * the multipath-aware subsystem node and those that have a single
+- * controller and use the controller node directly.
+- */
+- if (ns->head->disk) {
+- sprintf(disk_name, "nvme%dc%dn%d", ctrl->subsys->instance,
+- ctrl->cntlid, ns->head->instance);
+- flags = GENHD_FL_HIDDEN;
+- } else {
+- sprintf(disk_name, "nvme%dn%d", ctrl->subsys->instance,
+- ns->head->instance);
+- }
+-#else
+- /*
+- * But without the multipath code enabled, multiple controller per
+- * subsystems are visible as devices and thus we cannot use the
+- * subsystem instance.
+- */
+- sprintf(disk_name, "nvme%dn%d", ctrl->instance, ns->head->instance);
+-#endif
++ nvme_set_disk_name(disk_name, ns, ctrl, &flags);
+
+ if ((ctrl->quirks & NVME_QUIRK_LIGHTNVM) && id->vs[0] == 0x1) {
+ if (nvme_nvm_register(ns, disk_name, node)) {
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -19,6 +19,28 @@ module_param(multipath, bool, 0444);
+ MODULE_PARM_DESC(multipath,
+ "turn on native support for multiple controllers per subsystem");
+
++/*
++ * If multipathing is enabled we need to always use the subsystem instance
++ * number for numbering our devices to avoid conflicts between subsystems that
++ * have multiple controllers and thus use the multipath-aware subsystem node
++ * and those that have a single controller and use the controller node
++ * directly.
++ */
++void nvme_set_disk_name(char *disk_name, struct nvme_ns *ns,
++ struct nvme_ctrl *ctrl, int *flags)
++{
++ if (!multipath) {
++ sprintf(disk_name, "nvme%dn%d", ctrl->instance, ns->head->instance);
++ } else if (ns->head->disk) {
++ sprintf(disk_name, "nvme%dc%dn%d", ctrl->subsys->instance,
++ ctrl->cntlid, ns->head->instance);
++ *flags = GENHD_FL_HIDDEN;
++ } else {
++ sprintf(disk_name, "nvme%dn%d", ctrl->subsys->instance,
++ ns->head->instance);
++ }
++}
++
+ void nvme_failover_req(struct request *req)
+ {
+ struct nvme_ns *ns = req->q->queuedata;
+--- a/drivers/nvme/host/nvme.h
++++ b/drivers/nvme/host/nvme.h
+@@ -411,6 +411,8 @@ extern const struct attribute_group nvme
+ extern const struct block_device_operations nvme_ns_head_ops;
+
+ #ifdef CONFIG_NVME_MULTIPATH
++void nvme_set_disk_name(char *disk_name, struct nvme_ns *ns,
++ struct nvme_ctrl *ctrl, int *flags);
+ void nvme_failover_req(struct request *req);
+ bool nvme_req_needs_failover(struct request *req, blk_status_t error);
+ void nvme_kick_requeue_lists(struct nvme_ctrl *ctrl);
+@@ -436,6 +438,16 @@ static inline void nvme_mpath_check_last
+ }
+
+ #else
++/*
++ * Without the multipath code enabled, multiple controller per subsystems are
++ * visible as devices and thus we cannot use the subsystem instance.
++ */
++static inline void nvme_set_disk_name(char *disk_name, struct nvme_ns *ns,
++ struct nvme_ctrl *ctrl, int *flags)
++{
++ sprintf(disk_name, "nvme%dn%d", ctrl->instance, ns->head->instance);
++}
++
+ static inline void nvme_failover_req(struct request *req)
+ {
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Keith Busch <keith.busch@intel.com>
+Date: Tue, 17 Apr 2018 14:42:44 -0600
+Subject: nvme: Set integrity flag for user passthrough commands
+
+From: Keith Busch <keith.busch@intel.com>
+
+[ Upstream commit f31a21103c03bb62846409fdc60cc9faf2398cfb ]
+
+If the command a separate metadata buffer attached, the request needs
+to have the integrity flag set so the driver knows to map it.
+
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -767,6 +767,7 @@ static int nvme_submit_user_cmd(struct r
+ ret = PTR_ERR(meta);
+ goto out_unmap;
+ }
++ req->cmd_flags |= REQ_INTEGRITY;
+ }
+ }
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Greg Thelen <gthelen@google.com>
+Date: Thu, 26 Apr 2018 11:19:31 -0700
+Subject: nvmet-rdma: depend on INFINIBAND_ADDR_TRANS
+
+From: Greg Thelen <gthelen@google.com>
+
+[ Upstream commit d6fc6a22fc7d3df987666725496ed5dd2dd30f23 ]
+
+NVME_TARGET_RDMA code depends on INFINIBAND_ADDR_TRANS provided symbols.
+So declare the kconfig dependency. This is necessary to allow for
+enabling INFINIBAND without INFINIBAND_ADDR_TRANS.
+
+Signed-off-by: Greg Thelen <gthelen@google.com>
+Cc: Tarick Bedeir <tarick@google.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/target/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/target/Kconfig
++++ b/drivers/nvme/target/Kconfig
+@@ -27,7 +27,7 @@ config NVME_TARGET_LOOP
+
+ config NVME_TARGET_RDMA
+ tristate "NVMe over Fabrics RDMA target support"
+- depends on INFINIBAND
++ depends on INFINIBAND && INFINIBAND_ADDR_TRANS
+ depends on NVME_TARGET
+ select SGL_ALLOC
+ help
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Ingo Molnar <mingo@kernel.org>
+Date: Mon, 14 May 2018 10:15:54 +0200
+Subject: objtool, kprobes/x86: Sync the latest <asm/insn.h> header with tools/objtool/arch/x86/include/asm/insn.h
+
+From: Ingo Molnar <mingo@kernel.org>
+
+[ Upstream commit 4fe875e4bd3cae85ae6f6eaf77f63fabe613b66e ]
+
+The following commit:
+
+ ee6a7354a362: kprobes/x86: Prohibit probing on exception masking instructions
+
+Modified <asm/insn.h>, adding the insn_masking_exception() function.
+
+Sync the tooling version of the header to it, to fix this warning:
+
+ Warning: synced file at 'tools/objtool/arch/x86/include/asm/insn.h' differs from latest kernel version at 'arch/x86/include/asm/insn.h'
+
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
+Cc: Francis Deslauriers <francis.deslauriers@efficios.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: "H . Peter Anvin" <hpa@zytor.com>
+Cc: Yonghong Song <yhs@fb.com>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: "David S . Miller" <davem@davemloft.net>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/objtool/arch/x86/include/asm/insn.h | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/tools/objtool/arch/x86/include/asm/insn.h
++++ b/tools/objtool/arch/x86/include/asm/insn.h
+@@ -208,4 +208,22 @@ static inline int insn_offset_immediate(
+ return insn_offset_displacement(insn) + insn->displacement.nbytes;
+ }
+
++#define POP_SS_OPCODE 0x1f
++#define MOV_SREG_OPCODE 0x8e
++
++/*
++ * Intel SDM Vol.3A 6.8.3 states;
++ * "Any single-step trap that would be delivered following the MOV to SS
++ * instruction or POP to SS instruction (because EFLAGS.TF is 1) is
++ * suppressed."
++ * This function returns true if @insn is MOV SS or POP SS. On these
++ * instructions, single stepping is suppressed.
++ */
++static inline int insn_masking_exception(struct insn *insn)
++{
++ return insn->opcode.bytes[0] == POP_SS_OPCODE ||
++ (insn->opcode.bytes[0] == MOV_SREG_OPCODE &&
++ X86_MODRM_REG(insn->modrm.bytes[0]) == 2);
++}
++
+ #endif /* _ASM_X86_INSN_H */
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Ashish Samant <ashish.samant@oracle.com>
+Date: Fri, 11 May 2018 16:02:07 -0700
+Subject: ocfs2: take inode cluster lock before moving reflinked inode from orphan dir
+
+From: Ashish Samant <ashish.samant@oracle.com>
+
+[ Upstream commit e4383029201470523c3ffe339bd7d57e9b4a7d65 ]
+
+While reflinking an inode, we create a new inode in orphan directory,
+then take EX lock on it, reflink the original inode to orphan inode and
+release EX lock. Once the lock is released another node could request
+it in EX mode from ocfs2_recover_orphans() which causes downconvert of
+the lock, on this node, to NL mode.
+
+Later we attempt to initialize security acl for the orphan inode and
+move it to the reflink destination. However, while doing this we dont
+take EX lock on the inode. This could potentially cause problems
+because we could be starting transaction, accessing journal and
+modifying metadata of the inode while holding NL lock and with another
+node holding EX lock on the inode.
+
+Fix this by taking orphan inode cluster lock in EX mode before
+initializing security and moving orphan inode to reflink destination.
+Use the __tracker variant while taking inode lock to avoid recursive
+locking in the ocfs2_init_security_and_acl() call chain.
+
+Link: http://lkml.kernel.org/r/1523475107-7639-1-git-send-email-ashish.samant@oracle.com
+Signed-off-by: Ashish Samant <ashish.samant@oracle.com>
+Reviewed-by: Joseph Qi <jiangqi903@gmail.com>
+Reviewed-by: Junxiao Bi <junxiao.bi@oracle.com>
+Acked-by: Jun Piao <piaojun@huawei.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Changwei Ge <ge.changwei@h3c.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/refcounttree.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/refcounttree.c
++++ b/fs/ocfs2/refcounttree.c
+@@ -4250,10 +4250,11 @@ out:
+ static int ocfs2_reflink(struct dentry *old_dentry, struct inode *dir,
+ struct dentry *new_dentry, bool preserve)
+ {
+- int error;
++ int error, had_lock;
+ struct inode *inode = d_inode(old_dentry);
+ struct buffer_head *old_bh = NULL;
+ struct inode *new_orphan_inode = NULL;
++ struct ocfs2_lock_holder oh;
+
+ if (!ocfs2_refcount_tree(OCFS2_SB(inode->i_sb)))
+ return -EOPNOTSUPP;
+@@ -4295,6 +4296,14 @@ static int ocfs2_reflink(struct dentry *
+ goto out;
+ }
+
++ had_lock = ocfs2_inode_lock_tracker(new_orphan_inode, NULL, 1,
++ &oh);
++ if (had_lock < 0) {
++ error = had_lock;
++ mlog_errno(error);
++ goto out;
++ }
++
+ /* If the security isn't preserved, we need to re-initialize them. */
+ if (!preserve) {
+ error = ocfs2_init_security_and_acl(dir, new_orphan_inode,
+@@ -4302,14 +4311,15 @@ static int ocfs2_reflink(struct dentry *
+ if (error)
+ mlog_errno(error);
+ }
+-out:
+ if (!error) {
+ error = ocfs2_mv_orphaned_inode_to_new(dir, new_orphan_inode,
+ new_dentry);
+ if (error)
+ mlog_errno(error);
+ }
++ ocfs2_inode_unlock_tracker(new_orphan_inode, 1, &oh, had_lock);
+
++out:
+ if (new_orphan_inode) {
+ /*
+ * We need to open_unlock the inode no matter whether we
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Helge Deller <deller@gmx.de>
+Date: Fri, 20 Apr 2018 23:19:17 +0200
+Subject: parisc: drivers.c: Fix section mismatches
+
+From: Helge Deller <deller@gmx.de>
+
+[ Upstream commit b819439fea305a0bfd6ca23a7994fd1a8847c0d8 ]
+
+Fix two section mismatches in drivers.c:
+1) Section mismatch in reference from the function alloc_tree_node() to
+ the function .init.text:create_tree_node().
+2) Section mismatch in reference from the function walk_native_bus() to
+ the function .init.text:alloc_pa_dev().
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/drivers.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/parisc/kernel/drivers.c
++++ b/arch/parisc/kernel/drivers.c
+@@ -448,7 +448,8 @@ static int match_by_id(struct device * d
+ * Checks all the children of @parent for a matching @id. If none
+ * found, it allocates a new device and returns it.
+ */
+-static struct parisc_device * alloc_tree_node(struct device *parent, char id)
++static struct parisc_device * __init alloc_tree_node(
++ struct device *parent, char id)
+ {
+ struct match_id_data d = {
+ .id = id,
+@@ -825,8 +826,8 @@ void walk_lower_bus(struct parisc_device
+ * devices which are not physically connected (such as extra serial &
+ * keyboard ports). This problem is not yet solved.
+ */
+-static void walk_native_bus(unsigned long io_io_low, unsigned long io_io_high,
+- struct device *parent)
++static void __init walk_native_bus(unsigned long io_io_low,
++ unsigned long io_io_high, struct device *parent)
+ {
+ int i, devices_found = 0;
+ unsigned long hpa = io_io_low;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Helge Deller <deller@gmx.de>
+Date: Fri, 18 May 2018 16:12:12 +0200
+Subject: parisc: Move setup_profiling_timer() out of init section
+
+From: Helge Deller <deller@gmx.de>
+
+[ Upstream commit 01f56832cfb6fcc204e7203f46841b6185ebd574 ]
+
+No other architecture has setup_profiling_timer() in the init section,
+thus on parisc we face this section mismatch warning:
+ Reference from the function devm_device_add_group() to the function .init.text:setup_profiling_timer()
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/smp.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/parisc/kernel/smp.c
++++ b/arch/parisc/kernel/smp.c
+@@ -423,8 +423,7 @@ int __cpu_up(unsigned int cpu, struct ta
+ }
+
+ #ifdef CONFIG_PROC_FS
+-int __init
+-setup_profiling_timer(unsigned int multiplier)
++int setup_profiling_timer(unsigned int multiplier)
+ {
+ return -EINVAL;
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Baolin Wang <baolin.wang@linaro.org>
+Date: Thu, 19 Apr 2018 14:51:03 +0800
+Subject: parisc: time: Convert read_persistent_clock() to read_persistent_clock64()
+
+From: Baolin Wang <baolin.wang@linaro.org>
+
+[ Upstream commit f76cdd00ef0e39d880139b074e3b247594dff95a ]
+
+The read_persistent_clock() uses a timespec, which is not year 2038 safe
+on 32bit systems. On parisc architecture, we have implemented generic
+RTC drivers that can be used to compensate the system suspend time, but
+the RTC time can not represent the nanosecond resolution, so this patch
+just converts to read_persistent_clock64() with timespec64.
+
+Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/time.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/parisc/kernel/time.c
++++ b/arch/parisc/kernel/time.c
+@@ -205,7 +205,7 @@ static int __init rtc_init(void)
+ device_initcall(rtc_init);
+ #endif
+
+-void read_persistent_clock(struct timespec *ts)
++void read_persistent_clock64(struct timespec64 *ts)
+ {
+ static struct pdc_tod tod_data;
+ if (pdc_tod_read(&tod_data) == 0) {
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Loic Poulain <loic.poulain@linaro.org>
+Date: Tue, 3 Apr 2018 11:19:01 +0200
+Subject: PCI: kirin: Fix reset gpio name
+
+From: Loic Poulain <loic.poulain@linaro.org>
+
+[ Upstream commit 5db8f8d1099bd93a64a80b609dbcce887327ffc8 ]
+
+As documented in the devicetree bindings (pci/kirin-pcie.txt) and the
+reset gpio name must be 'reset-gpios'. However, current driver
+erroneously looks for a 'reset-gpio' resource which makes the driver
+probe fail. Fix it.
+
+Fixes: fc5165db245a ("PCI: kirin: Add HiSilicon Kirin SoC PCIe controller driver")
+Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
+[lorenzo.pieralisi@arm.com: updated the commit log]
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Acked-by: Xiaowei Song <songxiaowei@hisilicon.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/dwc/pcie-kirin.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/dwc/pcie-kirin.c
++++ b/drivers/pci/dwc/pcie-kirin.c
+@@ -487,7 +487,7 @@ static int kirin_pcie_probe(struct platf
+ return ret;
+
+ kirin_pcie->gpio_id_reset = of_get_named_gpio(dev->of_node,
+- "reset-gpio", 0);
++ "reset-gpios", 0);
+ if (kirin_pcie->gpio_id_reset < 0)
+ return -ENODEV;
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Leo Yan <leo.yan@linaro.org>
+Date: Thu, 10 May 2018 12:01:59 +0800
+Subject: perf cs-etm: Support unknown_thread in cs_etm_auxtrace
+
+From: Leo Yan <leo.yan@linaro.org>
+
+[ Upstream commit 46d53620044f7b574c0f3216f8b4f2ce3559ce31 ]
+
+CoreSight doesn't allocate thread structure for unknown_thread in ETM
+auxtrace, so unknown_thread is NULL pointer. If the perf data doesn't
+contain valid tid and then cs_etm__mem_access() uses unknown_thread
+instead as thread handler, this results in a segmentation fault when
+thread__find_addr_map() accesses the thread handler.
+
+This commit creates a new thread data which is used by unknown_thread, so
+CoreSight tracing can roll back to use unknown_thread if perf data
+doesn't include valid thread info. This commit also releases thread
+data for initialization failure case and for normal auxtrace free flow.
+
+Signed-off-by: Leo Yan <leo.yan@linaro.org>
+Acked-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: linux-arm-kernel@lists.infradead.org
+Link: http://lkml.kernel.org/r/1525924920-4381-1-git-send-email-leo.yan@linaro.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/cs-etm.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+--- a/tools/perf/util/cs-etm.c
++++ b/tools/perf/util/cs-etm.c
+@@ -212,6 +212,7 @@ static void cs_etm__free(struct perf_ses
+ for (i = 0; i < aux->num_cpu; i++)
+ zfree(&aux->metadata[i]);
+
++ thread__zput(aux->unknown_thread);
+ zfree(&aux->metadata);
+ zfree(&aux);
+ }
+@@ -980,6 +981,23 @@ int cs_etm__process_auxtrace_info(union
+ etm->auxtrace.free = cs_etm__free;
+ session->auxtrace = &etm->auxtrace;
+
++ etm->unknown_thread = thread__new(999999999, 999999999);
++ if (!etm->unknown_thread)
++ goto err_free_queues;
++
++ /*
++ * Initialize list node so that at thread__zput() we can avoid
++ * segmentation fault at list_del_init().
++ */
++ INIT_LIST_HEAD(&etm->unknown_thread->node);
++
++ err = thread__set_comm(etm->unknown_thread, "unknown", 0);
++ if (err)
++ goto err_delete_thread;
++
++ if (thread__init_map_groups(etm->unknown_thread, etm->machine))
++ goto err_delete_thread;
++
+ if (dump_trace) {
+ cs_etm__print_auxtrace_info(auxtrace_info->priv, num_cpu);
+ return 0;
+@@ -994,16 +1012,18 @@ int cs_etm__process_auxtrace_info(union
+
+ err = cs_etm__synth_events(etm, session);
+ if (err)
+- goto err_free_queues;
++ goto err_delete_thread;
+
+ err = auxtrace_queues__process_index(&etm->queues, session);
+ if (err)
+- goto err_free_queues;
++ goto err_delete_thread;
+
+ etm->data_queued = etm->queues.populated;
+
+ return 0;
+
++err_delete_thread:
++ thread__zput(etm->unknown_thread);
+ err_free_queues:
+ auxtrace_queues__free(&etm->queues);
+ session->auxtrace = NULL;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Tue, 24 Apr 2018 11:20:10 -0700
+Subject: perf pmu: Fix core PMU alias list for X86 platform
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit 292c34c10249c64a70def442f0d977bf9d466ed7 ]
+
+When counting uncore event with alias, core event is mistakenly
+involved, for example:
+
+ perf stat --no-merge -e "unc_m_cas_count.all" -C0 sleep 1
+
+ Performance counter stats for 'CPU(s) 0':
+
+ 0 unc_m_cas_count.all [uncore_imc_4]
+ 0 unc_m_cas_count.all [uncore_imc_2]
+ 0 unc_m_cas_count.all [uncore_imc_0]
+ 153,640 unc_m_cas_count.all [cpu]
+ 0 unc_m_cas_count.all [uncore_imc_5]
+ 25,026 unc_m_cas_count.all [uncore_imc_3]
+ 0 unc_m_cas_count.all [uncore_imc_1]
+
+ 1.001447890 seconds time elapsed
+
+The reason is that current implementation doesn't check PMU name of a
+event when adding its alias into the alias list for core PMU. The
+uncore event aliases are mistakenly added.
+
+This bug was introduced in:
+ commit 14b22ae028de ("perf pmu: Add helper function is_pmu_core to
+ detect PMU CORE devices")
+
+Checking the PMU name for all PMUs on X86 and other architectures except
+ARM.
+There is no behavior change for ARM.
+
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Agustin Vega-Frias <agustinv@codeaurora.org>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Ganapatrao Kulkarni <ganapatrao.kulkarni@cavium.com>
+Cc: Jin Yao <yao.jin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Shaokun Zhang <zhangshaokun@hisilicon.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Fixes: 14b22ae028de ("perf pmu: Add helper function is_pmu_core to detect PMU CORE devices")
+Link: http://lkml.kernel.org/r/1524594014-79243-1-git-send-email-kan.liang@linux.intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/pmu.c | 20 +++++++-------------
+ 1 file changed, 7 insertions(+), 13 deletions(-)
+
+--- a/tools/perf/util/pmu.c
++++ b/tools/perf/util/pmu.c
+@@ -539,9 +539,10 @@ static bool pmu_is_uncore(const char *na
+
+ /*
+ * PMU CORE devices have different name other than cpu in sysfs on some
+- * platforms. looking for possible sysfs files to identify as core device.
++ * platforms.
++ * Looking for possible sysfs files to identify the arm core device.
+ */
+-static int is_pmu_core(const char *name)
++static int is_arm_pmu_core(const char *name)
+ {
+ struct stat st;
+ char path[PATH_MAX];
+@@ -550,12 +551,6 @@ static int is_pmu_core(const char *name)
+ if (!sysfs)
+ return 0;
+
+- /* Look for cpu sysfs (x86 and others) */
+- scnprintf(path, PATH_MAX, "%s/bus/event_source/devices/cpu", sysfs);
+- if ((stat(path, &st) == 0) &&
+- (strncmp(name, "cpu", strlen("cpu")) == 0))
+- return 1;
+-
+ /* Look for cpu sysfs (specific to arm) */
+ scnprintf(path, PATH_MAX, "%s/bus/event_source/devices/%s/cpus",
+ sysfs, name);
+@@ -651,6 +646,7 @@ static void pmu_add_cpu_aliases(struct l
+ struct pmu_events_map *map;
+ struct pmu_event *pe;
+ const char *name = pmu->name;
++ const char *pname;
+
+ map = perf_pmu__find_map(pmu);
+ if (!map)
+@@ -669,11 +665,9 @@ static void pmu_add_cpu_aliases(struct l
+ break;
+ }
+
+- if (!is_pmu_core(name)) {
+- /* check for uncore devices */
+- if (pe->pmu == NULL)
+- continue;
+- if (strncmp(pe->pmu, name, strlen(pe->pmu)))
++ if (!is_arm_pmu_core(name)) {
++ pname = pe->pmu ? pe->pmu : "cpu";
++ if (strncmp(pname, name, strlen(pname)))
+ continue;
+ }
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Thu, 12 Apr 2018 14:58:24 -0300
+Subject: perf report: Fix switching to another perf.data file
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 7b366142a50ad79e48de8e67c5b3e8cfb9fa82dd ]
+
+In the TUI the 's' hotkey can be used to switch to another perf.data
+file in the current directory, but that got broken in Fixes:
+b01141f4f59c ("perf annotate: Initialize the priv are in symbol__new()"),
+that would show this once another file was chosen:
+
+ ┌─Fatal Error─────────────────────────────────────┐
+ │Annotation needs to be init before symbol__init()│
+ │ │
+ │ │
+ │Press any key... │
+ └─────────────────────────────────────────────────┘
+
+Fix it by just silently bailing out if symbol__annotation_init() was already
+called, just like is done with symbol__init(), i.e. they are done just once at
+session start, not when switching to a new perf.data file.
+
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Jin Yao <yao.jin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Martin Liška <mliska@suse.cz>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
+Cc: Thomas Richter <tmricht@linux.vnet.ibm.com>
+Cc: Wang Nan <wangnan0@huawei.com>
+Fixes: b01141f4f59c ("perf annotate: Initialize the priv are in symbol__new()")
+Link: https://lkml.kernel.org/n/tip-ogppdtpzfax7y1h6gjdv5s6u@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/symbol.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/tools/perf/util/symbol.c
++++ b/tools/perf/util/symbol.c
+@@ -2094,16 +2094,14 @@ static bool symbol__read_kptr_restrict(v
+
+ int symbol__annotation_init(void)
+ {
++ if (symbol_conf.init_annotation)
++ return 0;
++
+ if (symbol_conf.initialized) {
+ pr_err("Annotation needs to be init before symbol__init()\n");
+ return -1;
+ }
+
+- if (symbol_conf.init_annotation) {
+- pr_warning("Annotation being initialized multiple times\n");
+- return 0;
+- }
+-
+ symbol_conf.priv_size += sizeof(struct annotation);
+ symbol_conf.init_annotation = true;
+ return 0;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Wed, 25 Apr 2018 14:57:17 -0400
+Subject: perf/x86/intel: Don't enable freeze-on-smi for PerfMon V1
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit 4e949e9b9d1e3edcdab3b54656c5851bd9e49c67 ]
+
+The SMM freeze feature was introduced since PerfMon V2. But the current
+code unconditionally enables the feature for all platforms. It can
+generate #GP exception, if the related FREEZE_WHILE_SMM bit is set for
+the machine with PerfMon V1.
+
+To disable the feature for PerfMon V1, perf needs to
+- Remove the freeze_on_smi sysfs entry by moving intel_pmu_attrs to
+ intel_pmu, which is only applied to PerfMon V2 and later.
+- Check the PerfMon version before flipping the SMM bit when starting CPU
+
+Fixes: 6089327f5424 ("perf/x86: Add sysfs entry to freeze counters on SMI")
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: ak@linux.intel.com
+Cc: eranian@google.com
+Cc: acme@redhat.com
+Link: https://lkml.kernel.org/r/1524682637-63219-1-git-send-email-kan.liang@linux.intel.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/core.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -3331,7 +3331,8 @@ static void intel_pmu_cpu_starting(int c
+
+ cpuc->lbr_sel = NULL;
+
+- flip_smm_bit(&x86_pmu.attr_freeze_on_smi);
++ if (x86_pmu.version > 1)
++ flip_smm_bit(&x86_pmu.attr_freeze_on_smi);
+
+ if (!cpuc->shared_regs)
+ return;
+@@ -3494,6 +3495,8 @@ static __initconst const struct x86_pmu
+ .cpu_dying = intel_pmu_cpu_dying,
+ };
+
++static struct attribute *intel_pmu_attrs[];
++
+ static __initconst const struct x86_pmu intel_pmu = {
+ .name = "Intel",
+ .handle_irq = intel_pmu_handle_irq,
+@@ -3524,6 +3527,8 @@ static __initconst const struct x86_pmu
+ .format_attrs = intel_arch3_formats_attr,
+ .events_sysfs_show = intel_event_sysfs_show,
+
++ .attrs = intel_pmu_attrs,
++
+ .cpu_prepare = intel_pmu_cpu_prepare,
+ .cpu_starting = intel_pmu_cpu_starting,
+ .cpu_dying = intel_pmu_cpu_dying,
+@@ -3902,8 +3907,6 @@ __init int intel_pmu_init(void)
+
+ x86_pmu.max_pebs_events = min_t(unsigned, MAX_PEBS_EVENTS, x86_pmu.num_counters);
+
+-
+- x86_pmu.attrs = intel_pmu_attrs;
+ /*
+ * Quirk: v2 perfmon does not report fixed-purpose events, so
+ * assume at least 3 events, when not running in a hypervisor:
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Wed, 25 Apr 2018 13:32:11 +0300
+Subject: pinctrl: cherryview: Associate IRQ descriptors to irqdomain
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+[ Upstream commit 83b9dc11312f48a561594a895672abb6cb2a2250 ]
+
+When we dropped the custom Linux GPIO translation it resulted that the
+IRQ numbers changed slightly as well. Normally this would be fine
+because everyone is expected to use controller relative GPIO numbers and
+ACPI GpioIo/GpioInt resources. However, there is a certain set of
+Intel_Strago based Chromebooks where i8042 keyboard controller IRQ
+number is hardcoded be 182 (this is corrected with newer coreboot but
+the older ones still have the hardcoded Linux IRQ number). Because of
+this hardcoded IRQ number keyboard on those systems accidentally broke
+again.
+
+Fix this by iteratively associating IRQ descriptors to the chip irqdomain
+so that there are no gaps on those systems. Other systems are not
+affected.
+
+Fixes: 03c4749dd6c7 ("gpio / ACPI: Drop unnecessary ACPI GPIO to Linux GPIO translation")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=199463
+Reported-by: Sultan Alsawaf <sultanxda@gmail.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/intel/pinctrl-cherryview.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/pinctrl/intel/pinctrl-cherryview.c
++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c
+@@ -1622,22 +1622,30 @@ static int chv_gpio_probe(struct chv_pin
+
+ if (!need_valid_mask) {
+ irq_base = devm_irq_alloc_descs(pctrl->dev, -1, 0,
+- chip->ngpio, NUMA_NO_NODE);
++ community->npins, NUMA_NO_NODE);
+ if (irq_base < 0) {
+ dev_err(pctrl->dev, "Failed to allocate IRQ numbers\n");
+ return irq_base;
+ }
+- } else {
+- irq_base = 0;
+ }
+
+- ret = gpiochip_irqchip_add(chip, &chv_gpio_irqchip, irq_base,
++ ret = gpiochip_irqchip_add(chip, &chv_gpio_irqchip, 0,
+ handle_bad_irq, IRQ_TYPE_NONE);
+ if (ret) {
+ dev_err(pctrl->dev, "failed to add IRQ chip\n");
+ return ret;
+ }
+
++ if (!need_valid_mask) {
++ for (i = 0; i < community->ngpio_ranges; i++) {
++ range = &community->gpio_ranges[i];
++
++ irq_domain_associate_many(chip->irq.domain, irq_base,
++ range->base, range->npins);
++ irq_base += range->npins;
++ }
++ }
++
+ gpiochip_set_chained_irqchip(chip, &chv_gpio_irqchip, irq,
+ chv_gpio_irq_handler);
+ return 0;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Yixun Lan <yixun.lan@amlogic.com>
+Date: Tue, 17 Apr 2018 17:08:24 +0000
+Subject: pinctrl: meson-axg: fix the range of aobus bank
+
+From: Yixun Lan <yixun.lan@amlogic.com>
+
+[ Upstream commit b84e54616a946f24eeeca8762cb70a9074b045e7 ]
+
+The GPIOAO bank is range from GPIOAO_0 to GPIOAO_13.
+
+Fixes: 83c566806a68 ("pinctrl: meson-axg: Add new pinctrl driver for Meson AXG SoC")
+Reported-by: Xingyu Chen <xingyu.chen@amlogic.com>
+Signed-off-by: Yixun Lan <yixun.lan@amlogic.com>
+Acked-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/meson/pinctrl-meson-axg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/meson/pinctrl-meson-axg.c
++++ b/drivers/pinctrl/meson/pinctrl-meson-axg.c
+@@ -898,7 +898,7 @@ static struct meson_bank meson_axg_perip
+
+ static struct meson_bank meson_axg_aobus_banks[] = {
+ /* name first last irq pullen pull dir out in */
+- BANK("AO", GPIOAO_0, GPIOAO_9, 0, 13, 0, 16, 0, 0, 0, 0, 0, 16, 1, 0),
++ BANK("AO", GPIOAO_0, GPIOAO_13, 0, 13, 0, 16, 0, 0, 0, 0, 0, 16, 1, 0),
+ };
+
+ static struct meson_pmx_bank meson_axg_periphs_pmx_banks[] = {
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Darren Hart <dvhart@infradead.org>
+Date: Sat, 12 May 2018 12:10:07 -0700
+Subject: platform/x86: DELL_WMI use depends on instead of select for DELL_SMBIOS
+
+From: Darren Hart <dvhart@infradead.org>
+
+[ Upstream commit 54940fa60ad3728c592f62dadb558165495a6938 ]
+
+If DELL_WMI "select"s DELL_SMBIOS, the DELL_SMBIOS dependencies are
+ignored and it is still possible to end up with unmet direct
+dependencies.
+
+Change the select to a depends on.
+
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Darren Hart (VMware) <dvhart@infradead.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/Kconfig
++++ b/drivers/platform/x86/Kconfig
+@@ -168,8 +168,8 @@ config DELL_WMI
+ depends on DMI
+ depends on INPUT
+ depends on ACPI_VIDEO || ACPI_VIDEO = n
++ depends on DELL_SMBIOS
+ select DELL_WMI_DESCRIPTOR
+- select DELL_SMBIOS
+ select INPUT_SPARSEKMAP
+ ---help---
+ Say Y here if you want to support WMI-based hotkeys on Dell laptops.
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Date: Thu, 18 Jan 2018 00:33:36 +0530
+Subject: powerpc/64s: Default l1d_size to 64K in RFI fallback flush
+
+From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+
+[ Upstream commit 9dfbf78e4114fcaf4ef61c49885c3ab5bad40d0b ]
+
+If there is no d-cache-size property in the device tree, l1d_size could
+be zero. We don't actually expect that to happen, it's only been seen
+on mambo (simulator) in some configurations.
+
+A zero-size l1d_size leads to the loop in the asm wrapping around to
+2^64-1, and then walking off the end of the fallback area and
+eventually causing a page fault which is fatal.
+
+Just default to 64K which is correct on some CPUs, and sane enough to
+not cause a crash on others.
+
+Fixes: aa8a5e0062ac9 ('powerpc/64s: Add support for RFI flush of L1-D cache')
+Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+[mpe: Rewrite comment and change log]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/setup_64.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/arch/powerpc/kernel/setup_64.c
++++ b/arch/powerpc/kernel/setup_64.c
+@@ -864,6 +864,17 @@ static void init_fallback_flush(void)
+ int cpu;
+
+ l1d_size = ppc64_caches.l1d.size;
++
++ /*
++ * If there is no d-cache-size property in the device tree, l1d_size
++ * could be zero. That leads to the loop in the asm wrapping around to
++ * 2^64-1, and then walking off the end of the fallback area and
++ * eventually causing a page fault which is fatal. Just default to
++ * something vaguely sane.
++ */
++ if (!l1d_size)
++ l1d_size = (64 * 1024);
++
+ limit = min(ppc64_bolted_size(), ppc64_rma_size);
+
+ /*
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+Date: Thu, 26 Apr 2018 15:33:19 +0300
+Subject: powerpc/kvm/booke: Fix altivec related build break
+
+From: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+
+[ Upstream commit b2d7ecbe355698010a6b7a15eb179e09eb3d6a34 ]
+
+Add missing "altivec unavailable" interrupt injection helper
+thus fixing the linker error below:
+
+ arch/powerpc/kvm/emulate_loadstore.o: In function `kvmppc_check_altivec_disabled':
+ arch/powerpc/kvm/emulate_loadstore.c: undefined reference to `.kvmppc_core_queue_vec_unavail'
+
+Fixes: 09f984961c137c4b ("KVM: PPC: Book3S: Add MMIO emulation for VMX instructions")
+Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kvm/booke.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/powerpc/kvm/booke.c
++++ b/arch/powerpc/kvm/booke.c
+@@ -305,6 +305,13 @@ void kvmppc_core_queue_fpunavail(struct
+ kvmppc_booke_queue_irqprio(vcpu, BOOKE_IRQPRIO_FP_UNAVAIL);
+ }
+
++#ifdef CONFIG_ALTIVEC
++void kvmppc_core_queue_vec_unavail(struct kvm_vcpu *vcpu)
++{
++ kvmppc_booke_queue_irqprio(vcpu, BOOKE_IRQPRIO_ALTIVEC_UNAVAIL);
++}
++#endif
++
+ void kvmppc_core_queue_dec(struct kvm_vcpu *vcpu)
+ {
+ kvmppc_booke_queue_irqprio(vcpu, BOOKE_IRQPRIO_DECREMENTER);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Balbir Singh <bsingharora@gmail.com>
+Date: Fri, 6 Apr 2018 15:24:24 +1000
+Subject: powerpc/powernv/memtrace: Let the arch hotunplug code flush cache
+
+From: Balbir Singh <bsingharora@gmail.com>
+
+[ Upstream commit 7fd6641de28fe9b5bce0c38d2adee0a72a72619e ]
+
+Don't do this via custom code, instead now that we have support in the
+arch hotplug/hotunplug code, rely on those routines to do the right
+thing.
+
+The existing flush doesn't work because it uses ppc64_caches.l1d.size
+instead of ppc64_caches.l1d.line_size.
+
+Fixes: 9d5171a8f248 ("powerpc/powernv: Enable removal of memory for in memory tracing")
+Signed-off-by: Balbir Singh <bsingharora@gmail.com>
+Reviewed-by: Rashmica Gupta <rashmica.g@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/powernv/memtrace.c | 17 -----------------
+ 1 file changed, 17 deletions(-)
+
+--- a/arch/powerpc/platforms/powernv/memtrace.c
++++ b/arch/powerpc/platforms/powernv/memtrace.c
+@@ -82,19 +82,6 @@ static const struct file_operations memt
+ .open = simple_open,
+ };
+
+-static void flush_memory_region(u64 base, u64 size)
+-{
+- unsigned long line_size = ppc64_caches.l1d.size;
+- u64 end = base + size;
+- u64 addr;
+-
+- base = round_down(base, line_size);
+- end = round_up(end, line_size);
+-
+- for (addr = base; addr < end; addr += line_size)
+- asm volatile("dcbf 0,%0" : "=r" (addr) :: "memory");
+-}
+-
+ static int check_memblock_online(struct memory_block *mem, void *arg)
+ {
+ if (mem->state != MEM_ONLINE)
+@@ -132,10 +119,6 @@ static bool memtrace_offline_pages(u32 n
+ walk_memory_range(start_pfn, end_pfn, (void *)MEM_OFFLINE,
+ change_memblock_state);
+
+- /* RCU grace period? */
+- flush_memory_region((u64)__va(start_pfn << PAGE_SHIFT),
+- nr_pages << PAGE_SHIFT);
+-
+ lock_device_hotplug();
+ remove_memory(nid, start_pfn << PAGE_SHIFT, nr_pages << PAGE_SHIFT);
+ unlock_device_hotplug();
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Tue, 8 May 2018 14:59:56 +1000
+Subject: powerpc/pseries: Fix CONFIG_NUMA=n build
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit 6c0a8f6b5a45ac892a763b6299bd3c5324fc5e02 ]
+
+The build is failing with CONFIG_NUMA=n and some compiler versions:
+
+ arch/powerpc/platforms/pseries/hotplug-cpu.o: In function `dlpar_online_cpu':
+ hotplug-cpu.c:(.text+0x12c): undefined reference to `timed_topology_update'
+ arch/powerpc/platforms/pseries/hotplug-cpu.o: In function `dlpar_cpu_remove':
+ hotplug-cpu.c:(.text+0x400): undefined reference to `timed_topology_update'
+
+Fix it by moving the empty version of timed_topology_update() into the
+existing #ifdef block, which has the right guard of SPLPAR && NUMA.
+
+Fixes: cee5405da402 ("powerpc/hotplug: Improve responsiveness of hotplug change")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/topology.h | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/arch/powerpc/include/asm/topology.h
++++ b/arch/powerpc/include/asm/topology.h
+@@ -91,6 +91,7 @@ extern int start_topology_update(void);
+ extern int stop_topology_update(void);
+ extern int prrn_is_enabled(void);
+ extern int find_and_online_cpu_nid(int cpu);
++extern int timed_topology_update(int nsecs);
+ #else
+ static inline int start_topology_update(void)
+ {
+@@ -108,16 +109,12 @@ static inline int find_and_online_cpu_ni
+ {
+ return 0;
+ }
++static inline int timed_topology_update(int nsecs)
++{
++ return 0;
++}
+ #endif /* CONFIG_NUMA && CONFIG_PPC_SPLPAR */
+
+-#if defined(CONFIG_HOTPLUG_CPU) || defined(CONFIG_NEED_MULTIPLE_NODES)
+-#if defined(CONFIG_PPC_SPLPAR)
+-extern int timed_topology_update(int nsecs);
+-#else
+-#define timed_topology_update(nsecs)
+-#endif /* CONFIG_PPC_SPLPAR */
+-#endif /* CONFIG_HOTPLUG_CPU || CONFIG_NEED_MULTIPLE_NODES */
+-
+ #include <asm-generic/topology.h>
+
+ #ifdef CONFIG_SMP
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+Date: Fri, 4 May 2018 18:44:25 +0530
+Subject: powerpc/trace/syscalls: Update syscall name matching logic to account for ppc_ prefix
+
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+
+[ Upstream commit edf6a2dfe3889daf97e7c164891a87832169e3e4 ]
+
+Some syscall entry functions on powerpc are prefixed with
+ppc_/ppc32_/ppc64_ rather than the usual sys_/__se_sys prefix. fork(),
+clone(), swapcontext() are some examples of syscalls with such entry
+points. We need to match against these names when initializing ftrace
+syscall tracing.
+
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/ftrace.h | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/include/asm/ftrace.h
++++ b/arch/powerpc/include/asm/ftrace.h
+@@ -69,13 +69,30 @@ struct dyn_arch_ftrace {
+ #endif
+
+ #if defined(CONFIG_FTRACE_SYSCALLS) && !defined(__ASSEMBLY__)
+-#ifdef PPC64_ELF_ABI_v1
++/*
++ * Some syscall entry functions on powerpc start with "ppc_" (fork and clone,
++ * for instance) or ppc32_/ppc64_. We should also match the sys_ variant with
++ * those.
++ */
+ #define ARCH_HAS_SYSCALL_MATCH_SYM_NAME
++#ifdef PPC64_ELF_ABI_v1
+ static inline bool arch_syscall_match_sym_name(const char *sym, const char *name)
+ {
+ /* We need to skip past the initial dot, and the __se_sys alias */
+ return !strcmp(sym + 1, name) ||
+- (!strncmp(sym, ".__se_sys", 9) && !strcmp(sym + 6, name));
++ (!strncmp(sym, ".__se_sys", 9) && !strcmp(sym + 6, name)) ||
++ (!strncmp(sym, ".ppc_", 5) && !strcmp(sym + 5, name + 4)) ||
++ (!strncmp(sym, ".ppc32_", 7) && !strcmp(sym + 7, name + 4)) ||
++ (!strncmp(sym, ".ppc64_", 7) && !strcmp(sym + 7, name + 4));
++}
++#else
++static inline bool arch_syscall_match_sym_name(const char *sym, const char *name)
++{
++ return !strcmp(sym, name) ||
++ (!strncmp(sym, "__se_sys", 8) && !strcmp(sym + 5, name)) ||
++ (!strncmp(sym, "ppc_", 4) && !strcmp(sym + 4, name + 4)) ||
++ (!strncmp(sym, "ppc32_", 6) && !strcmp(sym + 6, name + 4)) ||
++ (!strncmp(sym, "ppc64_", 6) && !strcmp(sym + 6, name + 4));
+ }
+ #endif
+ #endif /* CONFIG_FTRACE_SYSCALLS && !__ASSEMBLY__ */
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+Date: Fri, 4 May 2018 18:44:24 +0530
+Subject: powerpc/trace/syscalls: Update syscall name matching logic
+
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+
+[ Upstream commit 0b7758aaf6543b9a10c8671db559e9d374a3fd95 ]
+
+On powerpc64 ABIv1, we are enabling syscall tracing for only ~20
+syscalls. This is due to commit e145242ea0df6 ("syscalls/core,
+syscalls/x86: Clean up syscall stub naming convention") which has
+changed the syscall entry wrapper prefix from "SyS" to "__se_sys".
+
+Update the logic for ABIv1 to not just skip the initial dot, but also
+the "__se_sys" prefix.
+
+Fixes: commit e145242ea0df6 ("syscalls/core, syscalls/x86: Clean up syscall stub naming convention")
+Reported-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/ftrace.h | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/arch/powerpc/include/asm/ftrace.h
++++ b/arch/powerpc/include/asm/ftrace.h
+@@ -73,13 +73,9 @@ struct dyn_arch_ftrace {
+ #define ARCH_HAS_SYSCALL_MATCH_SYM_NAME
+ static inline bool arch_syscall_match_sym_name(const char *sym, const char *name)
+ {
+- /*
+- * Compare the symbol name with the system call name. Skip the .sys or .SyS
+- * prefix from the symbol name and the sys prefix from the system call name and
+- * just match the rest. This is only needed on ppc64 since symbol names on
+- * 32bit do not start with a period so the generic function will work.
+- */
+- return !strcmp(sym + 4, name + 3);
++ /* We need to skip past the initial dot, and the __se_sys alias */
++ return !strcmp(sym + 1, name) ||
++ (!strncmp(sym, ".__se_sys", 9) && !strcmp(sym + 6, name));
+ }
+ #endif
+ #endif /* CONFIG_FTRACE_SYSCALLS && !__ASSEMBLY__ */
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Alexey Dobriyan <adobriyan@gmail.com>
+Date: Fri, 20 Apr 2018 14:56:06 -0700
+Subject: proc: fix /proc/loadavg regression
+
+From: Alexey Dobriyan <adobriyan@gmail.com>
+
+[ Upstream commit 9a1015b32faa7cebfe19663c886b0cfe90be1d49 ]
+
+Commit 95846ecf9dac ("pid: replace pid bitmap implementation with IDR
+API") changed last field of /proc/loadavg (last pid allocated) to be off
+by one:
+
+ # unshare -p -f --mount-proc cat /proc/loadavg
+ 0.00 0.00 0.00 1/60 2 <===
+
+It should be 1 after first fork into pid namespace.
+
+This is formally a regression but given how useless this field is I
+don't think anyone is affected.
+
+Bug was found by /proc testsuite!
+
+Link: http://lkml.kernel.org/r/20180413175408.GA27246@avx2
+Fixes: 95846ecf9dac508 ("pid: replace pid bitmap implementation with IDR API")
+Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Cc: Gargi Sharma <gs051095@gmail.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/cell/spufs/sched.c | 2 +-
+ fs/proc/loadavg.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/platforms/cell/spufs/sched.c
++++ b/arch/powerpc/platforms/cell/spufs/sched.c
+@@ -1093,7 +1093,7 @@ static int show_spu_loadavg(struct seq_f
+ LOAD_INT(c), LOAD_FRAC(c),
+ count_active_contexts(),
+ atomic_read(&nr_spu_contexts),
+- idr_get_cursor(&task_active_pid_ns(current)->idr));
++ idr_get_cursor(&task_active_pid_ns(current)->idr) - 1);
+ return 0;
+ }
+
+--- a/fs/proc/loadavg.c
++++ b/fs/proc/loadavg.c
+@@ -24,7 +24,7 @@ static int loadavg_proc_show(struct seq_
+ LOAD_INT(avnrun[1]), LOAD_FRAC(avnrun[1]),
+ LOAD_INT(avnrun[2]), LOAD_FRAC(avnrun[2]),
+ nr_running(), nr_threads,
+- idr_get_cursor(&task_active_pid_ns(current)->idr));
++ idr_get_cursor(&task_active_pid_ns(current)->idr) - 1);
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Laura Abbott <labbott@redhat.com>
+Date: Fri, 11 May 2018 16:01:57 -0700
+Subject: proc/kcore: don't bounds check against address 0
+
+From: Laura Abbott <labbott@redhat.com>
+
+[ Upstream commit 3955333df9a50e8783d115613a397ae55d905080 ]
+
+The existing kcore code checks for bad addresses against __va(0) with
+the assumption that this is the lowest address on the system. This may
+not hold true on some systems (e.g. arm64) and produce overflows and
+crashes. Switch to using other functions to validate the address range.
+
+It's currently only seen on arm64 and it's not clear if anyone wants to
+use that particular combination on a stable release. So this is not
+urgent for stable.
+
+Link: http://lkml.kernel.org/r/20180501201143.15121-1-labbott@redhat.com
+Signed-off-by: Laura Abbott <labbott@redhat.com>
+Tested-by: Dave Anderson <anderson@redhat.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Andi Kleen <andi@firstfloor.org>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>a
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/kcore.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+--- a/fs/proc/kcore.c
++++ b/fs/proc/kcore.c
+@@ -209,25 +209,34 @@ kclist_add_private(unsigned long pfn, un
+ {
+ struct list_head *head = (struct list_head *)arg;
+ struct kcore_list *ent;
++ struct page *p;
++
++ if (!pfn_valid(pfn))
++ return 1;
++
++ p = pfn_to_page(pfn);
++ if (!memmap_valid_within(pfn, p, page_zone(p)))
++ return 1;
+
+ ent = kmalloc(sizeof(*ent), GFP_KERNEL);
+ if (!ent)
+ return -ENOMEM;
+- ent->addr = (unsigned long)__va((pfn << PAGE_SHIFT));
++ ent->addr = (unsigned long)page_to_virt(p);
+ ent->size = nr_pages << PAGE_SHIFT;
+
+- /* Sanity check: Can happen in 32bit arch...maybe */
+- if (ent->addr < (unsigned long) __va(0))
++ if (!virt_addr_valid(ent->addr))
+ goto free_out;
+
+ /* cut not-mapped area. ....from ppc-32 code. */
+ if (ULONG_MAX - ent->addr < ent->size)
+ ent->size = ULONG_MAX - ent->addr;
+
+- /* cut when vmalloc() area is higher than direct-map area */
+- if (VMALLOC_START > (unsigned long)__va(0)) {
+- if (ent->addr > VMALLOC_START)
+- goto free_out;
++ /*
++ * We've already checked virt_addr_valid so we know this address
++ * is a valid pointer, therefore we can check against it to determine
++ * if we need to trim
++ */
++ if (VMALLOC_START > ent->addr) {
+ if (VMALLOC_START - ent->addr < ent->size)
+ ent->size = VMALLOC_START - ent->addr;
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Alexey Dobriyan <adobriyan@gmail.com>
+Date: Fri, 20 Apr 2018 14:56:03 -0700
+Subject: proc: revalidate kernel thread inodes to root:root
+
+From: Alexey Dobriyan <adobriyan@gmail.com>
+
+[ Upstream commit 2e0ad552f5f8cd0fda02bc45fcd2b89821c62fd1 ]
+
+task_dump_owner() has the following code:
+
+ mm = task->mm;
+ if (mm) {
+ if (get_dumpable(mm) != SUID_DUMP_USER) {
+ uid = ...
+ }
+ }
+
+Check for ->mm is buggy -- kernel thread might be borrowing mm
+and inode will go to some random uid:gid pair.
+
+Link: http://lkml.kernel.org/r/20180412220109.GA20978@avx2
+Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/base.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -1693,6 +1693,12 @@ void task_dump_owner(struct task_struct
+ kuid_t uid;
+ kgid_t gid;
+
++ if (unlikely(task->flags & PF_KTHREAD)) {
++ *ruid = GLOBAL_ROOT_UID;
++ *rgid = GLOBAL_ROOT_GID;
++ return;
++ }
++
+ /* Default to the tasks effective ownership */
+ rcu_read_lock();
+ cred = __task_cred(task);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Michal Kalderon <Michal.Kalderon@cavium.com>
+Date: Tue, 8 May 2018 21:29:18 +0300
+Subject: qed: Fix l2 initializations over iWARP personality
+
+From: Michal Kalderon <Michal.Kalderon@cavium.com>
+
+[ Upstream commit af6858ee423a309d93054c361c61099b8eb12bbf ]
+
+If qede driver was loaded on a device configured for iWARP
+the l2 mutex wouldn't be allocated, and some l2 related
+resources wouldn't be freed.
+
+fixes: c851a9dc4359 ("qed: Introduce iWARP personality")
+Signed-off-by: Michal Kalderon <Michal.Kalderon@cavium.com>
+Signed-off-by: Sudarsana Kalluru <Sudarsana.Kalluru@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_l2.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_l2.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_l2.c
+@@ -115,8 +115,7 @@ int qed_l2_alloc(struct qed_hwfn *p_hwfn
+
+ void qed_l2_setup(struct qed_hwfn *p_hwfn)
+ {
+- if (p_hwfn->hw_info.personality != QED_PCI_ETH &&
+- p_hwfn->hw_info.personality != QED_PCI_ETH_ROCE)
++ if (!QED_IS_L2_PERSONALITY(p_hwfn))
+ return;
+
+ mutex_init(&p_hwfn->p_l2_info->lock);
+@@ -126,8 +125,7 @@ void qed_l2_free(struct qed_hwfn *p_hwfn
+ {
+ u32 i;
+
+- if (p_hwfn->hw_info.personality != QED_PCI_ETH &&
+- p_hwfn->hw_info.personality != QED_PCI_ETH_ROCE)
++ if (!QED_IS_L2_PERSONALITY(p_hwfn))
+ return;
+
+ if (!p_hwfn->p_l2_info)
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Michal Kalderon <Michal.Kalderon@cavium.com>
+Date: Tue, 8 May 2018 21:29:19 +0300
+Subject: qede: Fix gfp flags sent to rdma event node allocation
+
+From: Michal Kalderon <Michal.Kalderon@cavium.com>
+
+[ Upstream commit 090477e4acb31c5dd674940c7c01d4f16bd1ac41 ]
+
+A previous commit 4609adc27175 ("qede: Fix qedr link update")
+added a flow that could allocate rdma event objects from an
+interrupt path (link notification). Therefore the kzalloc call
+should be done with GFP_ATOMIC.
+
+fixes: 4609adc27175 ("qede: Fix qedr link update")
+Signed-off-by: Michal Kalderon <Michal.Kalderon@cavium.com>
+Signed-off-by: Sudarsana Kalluru <Sudarsana.Kalluru@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede_rdma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/qede/qede_rdma.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_rdma.c
+@@ -238,7 +238,7 @@ qede_rdma_get_free_event_node(struct qed
+ }
+
+ if (!found) {
+- event_node = kzalloc(sizeof(*event_node), GFP_KERNEL);
++ event_node = kzalloc(sizeof(*event_node), GFP_ATOMIC);
+ if (!event_node) {
+ DP_NOTICE(edev,
+ "qedr: Could not allocate memory for rdma work\n");
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Parav Pandit <parav@mellanox.com>
+Date: Wed, 2 May 2018 13:18:59 +0300
+Subject: RDMA/cma: Do not query GID during QP state transition to RTR
+
+From: Parav Pandit <parav@mellanox.com>
+
+[ Upstream commit 9aa169213d1166d30ae357a44abbeae93459339d ]
+
+When commit [1] was added, SGID was queried to derive the SMAC address.
+Then, later on during a refactor [2], SMAC was no longer needed. However,
+the now useless GID query remained. Then during additional code changes
+later on, the GID query was being done in such a way that it caused iWARP
+queries to start breaking. Remove the useless GID query and resolve the
+iWARP breakage at the same time.
+
+This is discussed in [3].
+
+[1] commit dd5f03beb4f7 ("IB/core: Ethernet L2 attributes in verbs/cm structures")
+[2] commit 5c266b2304fb ("IB/cm: Remove the usage of smac and vid of qp_attr and cm_av")
+[3] https://www.spinics.net/lists/linux-rdma/msg63951.html
+
+Suggested-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/cma.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -901,7 +901,6 @@ static int cma_modify_qp_rtr(struct rdma
+ {
+ struct ib_qp_attr qp_attr;
+ int qp_attr_mask, ret;
+- union ib_gid sgid;
+
+ mutex_lock(&id_priv->qp_mutex);
+ if (!id_priv->id.qp) {
+@@ -924,12 +923,6 @@ static int cma_modify_qp_rtr(struct rdma
+ if (ret)
+ goto out;
+
+- ret = ib_query_gid(id_priv->id.device, id_priv->id.port_num,
+- rdma_ah_read_grh(&qp_attr.ah_attr)->sgid_index,
+- &sgid, NULL);
+- if (ret)
+- goto out;
+-
+ BUG_ON(id_priv->cma_dev->device != id_priv->id.device);
+
+ if (conn_param)
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Parav Pandit <parav@mellanox.com>
+Date: Tue, 24 Apr 2018 20:13:45 +0300
+Subject: RDMA/cma: Fix use after destroy access to net namespace for IPoIB
+
+From: Parav Pandit <parav@mellanox.com>
+
+[ Upstream commit 2918c1a900252b4a0c730715ec205437c7daf79d ]
+
+There are few issues with validation of netdevice and listen id lookup
+for IB (IPoIB) while processing incoming CM request as below.
+
+1. While performing lookup of bind_list in cma_ps_find(), net namespace
+of the netdevice can get deleted in cma_exit_net(), resulting in use
+after free access of idr and/or net namespace structures.
+This lookup occurs from the workqueue context (and not userspace
+context where net namespace is always valid).
+
+ CPU0 CPU1
+ ==== ====
+
+ bind_list = cma_ps_find();
+ move netdevice to new namespace
+ delete net namespace
+ cma_exit_net()
+ idr_destroy(idr);
+
+ [..]
+ cma_find_listener(bind_list, ..);
+
+2. While netdevice is validated for IP address in given net namespace,
+netdevice's net namespace and/or ifindex can change in
+cma_get_net_dev() and cma_match_net_dev().
+
+Above issues are overcome by using rcu lock along with netdevice
+UP/DOWN state as described below.
+When a net namespace is getting deleted, netdevice is closed and
+shutdown before moving it back to init_net namespace.
+change_net_namespace() synchronizes with any existing use of netdevice
+before changing the netdev properties such as net or ifindex.
+Once netdevice IFF_UP flags is cleared, such fields are not guaranteed
+to be valid.
+Therefore, rcu lock along with netdevice state check ensures that,
+while route lookup and cm_id lookup is in progress, netdevice of
+interest won't migrate to any other net namespace.
+This ensures that associated net namespace of netdevice won't get
+deleted while rcu lock is held for netdevice which is in IFF_UP state.
+
+Fixes: fa20105e09e9 ("IB/cma: Add support for network namespaces")
+Fixes: 4be74b42a6d0 ("IB/cma: Separate port allocation to network namespaces")
+Fixes: f887f2ac87c2 ("IB/cma: Validate routing of incoming requests")
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/cma.c | 53 ++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 43 insertions(+), 10 deletions(-)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -420,6 +420,8 @@ struct cma_hdr {
+ #define CMA_VERSION 0x00
+
+ struct cma_req_info {
++ struct sockaddr_storage listen_addr_storage;
++ struct sockaddr_storage src_addr_storage;
+ struct ib_device *device;
+ int port;
+ union ib_gid local_gid;
+@@ -1373,11 +1375,11 @@ static bool validate_net_dev(struct net_
+ }
+
+ static struct net_device *cma_get_net_dev(struct ib_cm_event *ib_event,
+- const struct cma_req_info *req)
++ struct cma_req_info *req)
+ {
+- struct sockaddr_storage listen_addr_storage, src_addr_storage;
+- struct sockaddr *listen_addr = (struct sockaddr *)&listen_addr_storage,
+- *src_addr = (struct sockaddr *)&src_addr_storage;
++ struct sockaddr *listen_addr =
++ (struct sockaddr *)&req->listen_addr_storage;
++ struct sockaddr *src_addr = (struct sockaddr *)&req->src_addr_storage;
+ struct net_device *net_dev;
+ const union ib_gid *gid = req->has_gid ? &req->local_gid : NULL;
+ int err;
+@@ -1392,11 +1394,6 @@ static struct net_device *cma_get_net_de
+ if (!net_dev)
+ return ERR_PTR(-ENODEV);
+
+- if (!validate_net_dev(net_dev, listen_addr, src_addr)) {
+- dev_put(net_dev);
+- return ERR_PTR(-EHOSTUNREACH);
+- }
+-
+ return net_dev;
+ }
+
+@@ -1532,15 +1529,51 @@ static struct rdma_id_private *cma_id_fr
+ }
+ }
+
++ /*
++ * Net namespace might be getting deleted while route lookup,
++ * cm_id lookup is in progress. Therefore, perform netdevice
++ * validation, cm_id lookup under rcu lock.
++ * RCU lock along with netdevice state check, synchronizes with
++ * netdevice migrating to different net namespace and also avoids
++ * case where net namespace doesn't get deleted while lookup is in
++ * progress.
++ * If the device state is not IFF_UP, its properties such as ifindex
++ * and nd_net cannot be trusted to remain valid without rcu lock.
++ * net/core/dev.c change_net_namespace() ensures to synchronize with
++ * ongoing operations on net device after device is closed using
++ * synchronize_net().
++ */
++ rcu_read_lock();
++ if (*net_dev) {
++ /*
++ * If netdevice is down, it is likely that it is administratively
++ * down or it might be migrating to different namespace.
++ * In that case avoid further processing, as the net namespace
++ * or ifindex may change.
++ */
++ if (((*net_dev)->flags & IFF_UP) == 0) {
++ id_priv = ERR_PTR(-EHOSTUNREACH);
++ goto err;
++ }
++
++ if (!validate_net_dev(*net_dev,
++ (struct sockaddr *)&req.listen_addr_storage,
++ (struct sockaddr *)&req.src_addr_storage)) {
++ id_priv = ERR_PTR(-EHOSTUNREACH);
++ goto err;
++ }
++ }
++
+ bind_list = cma_ps_find(*net_dev ? dev_net(*net_dev) : &init_net,
+ rdma_ps_from_service_id(req.service_id),
+ cma_port_from_service_id(req.service_id));
+ id_priv = cma_find_listener(bind_list, cm_id, ib_event, &req, *net_dev);
++err:
++ rcu_read_unlock();
+ if (IS_ERR(id_priv) && *net_dev) {
+ dev_put(*net_dev);
+ *net_dev = NULL;
+ }
+-
+ return id_priv;
+ }
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: oulijun <oulijun@huawei.com>
+Date: Thu, 26 Apr 2018 14:46:15 +0800
+Subject: RDMA/hns: Bugfix for init hem table
+
+From: oulijun <oulijun@huawei.com>
+
+[ Upstream commit 215a8c09e5e2aa6ae1fbcef87f8f27d65d5d1ca4 ]
+
+During init hem table, type should be used instead of
+table->type which is finally initializaed with type.
+
+Signed-off-by: Lijun Ou <oulijun@huawei.com>
+Signed-off-by: Yixian Liu <liuyixian@huawei.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hem.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/hw/hns/hns_roce_hem.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hem.c
+@@ -912,7 +912,7 @@ int hns_roce_init_hem_table(struct hns_r
+ obj_per_chunk = buf_chunk_size / obj_size;
+ num_hem = (nobj + obj_per_chunk - 1) / obj_per_chunk;
+ bt_chunk_num = bt_chunk_size / 8;
+- if (table->type >= HEM_TYPE_MTT)
++ if (type >= HEM_TYPE_MTT)
+ num_bt_l0 = bt_chunk_num;
+
+ table->hem = kcalloc(num_hem, sizeof(*table->hem),
+@@ -920,7 +920,7 @@ int hns_roce_init_hem_table(struct hns_r
+ if (!table->hem)
+ goto err_kcalloc_hem_buf;
+
+- if (check_whether_bt_num_3(table->type, hop_num)) {
++ if (check_whether_bt_num_3(type, hop_num)) {
+ unsigned long num_bt_l1;
+
+ num_bt_l1 = (num_hem + bt_chunk_num - 1) /
+@@ -939,8 +939,8 @@ int hns_roce_init_hem_table(struct hns_r
+ goto err_kcalloc_l1_dma;
+ }
+
+- if (check_whether_bt_num_2(table->type, hop_num) ||
+- check_whether_bt_num_3(table->type, hop_num)) {
++ if (check_whether_bt_num_2(type, hop_num) ||
++ check_whether_bt_num_3(type, hop_num)) {
+ table->bt_l0 = kcalloc(num_bt_l0, sizeof(*table->bt_l0),
+ GFP_KERNEL);
+ if (!table->bt_l0)
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: oulijun <oulijun@huawei.com>
+Date: Thu, 26 Apr 2018 14:46:17 +0800
+Subject: RDMA/hns: Fix the qp context state diagram
+
+From: oulijun <oulijun@huawei.com>
+
+[ Upstream commit 6e1a70943cecdca9bb13b601b1a9772a7bdcc2c3 ]
+
+According to RoCE protocol, it is possible to
+transition from error to error state for modifying
+qp in hip08. This patch fix it.
+
+Signed-off-by: Lijun Ou <oulijun@huawei.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -3166,7 +3166,8 @@ static int hns_roce_v2_modify_qp(struct
+ (cur_state == IB_QPS_RTR && new_state == IB_QPS_ERR) ||
+ (cur_state == IB_QPS_RTS && new_state == IB_QPS_ERR) ||
+ (cur_state == IB_QPS_SQD && new_state == IB_QPS_ERR) ||
+- (cur_state == IB_QPS_SQE && new_state == IB_QPS_ERR)) {
++ (cur_state == IB_QPS_SQE && new_state == IB_QPS_ERR) ||
++ (cur_state == IB_QPS_ERR && new_state == IB_QPS_ERR)) {
+ /* Nothing */
+ ;
+ } else {
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: oulijun <oulijun@huawei.com>
+Date: Thu, 26 Apr 2018 14:46:16 +0800
+Subject: RDMA/hns: Intercept illegal RDMA operation when use inline data
+
+From: oulijun <oulijun@huawei.com>
+
+[ Upstream commit 328d405b3d4c8dd1f06bfd77f498e23281ae348c ]
+
+RDMA read operation is not supported inline data. If user cofigures
+issue a RDMA read and use inline data, it will happen a hardware
+error.
+
+Signed-off-by: Lijun Ou <oulijun@huawei.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -71,6 +71,11 @@ static int set_rwqe_data_seg(struct ib_q
+ return -EINVAL;
+ }
+
++ if (wr->opcode == IB_WR_RDMA_READ) {
++ dev_err(hr_dev->dev, "Not support inline data!\n");
++ return -EINVAL;
++ }
++
+ for (i = 0; i < wr->num_sge; i++) {
+ memcpy(wqe, ((void *)wr->sg_list[i].addr),
+ wr->sg_list[i].length);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: oulijun <oulijun@huawei.com>
+Date: Thu, 26 Apr 2018 14:46:23 +0800
+Subject: RDMA/hns: Submit bad wr
+
+From: oulijun <oulijun@huawei.com>
+
+[ Upstream commit 137ae3208416278aabef3b71e0ea1052940ca362 ]
+
+When generated bad work reqeust, it needs to
+report to user. This patch mainly fixes it.
+
+Signed-off-by: Lijun Ou <oulijun@huawei.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -153,7 +153,7 @@ static int hns_roce_v2_post_send(struct
+ ibqp->qp_type != IB_QPT_GSI &&
+ ibqp->qp_type != IB_QPT_UD)) {
+ dev_err(dev, "Not supported QP(0x%x)type!\n", ibqp->qp_type);
+- *bad_wr = NULL;
++ *bad_wr = wr;
+ return -EOPNOTSUPP;
+ }
+
+@@ -461,6 +461,7 @@ static int hns_roce_v2_post_send(struct
+ } else {
+ dev_err(dev, "Illegal qp_type(0x%x)\n", ibqp->qp_type);
+ spin_unlock_irqrestore(&qp->sq.lock, flags);
++ *bad_wr = wr;
+ return -EOPNOTSUPP;
+ }
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Wed, 25 Apr 2018 17:24:04 +0100
+Subject: RDMA/iwpm: fix memory leak on map_info
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit f96416cea7bce9afe619c15e87fced70f93f9098 ]
+
+In the cases where iwpm_hash_bucket is NULL and where function
+get_mapinfo_hash_bucket returns NULL then the map_info is never added
+to hash_bucket_head and hence there is a leak of map_info. Fix this
+by nullifying hash_bucket_head and if that is null we know that
+that map_info was not added to hash_bucket_head and hence map_info
+should be free'd.
+
+Detected by CoverityScan, CID#1222481 ("Resource Leak")
+
+Fixes: 30dc5e63d6a5 ("RDMA/core: Add support for iWARP Port Mapper user space service")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/iwpm_util.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/iwpm_util.c
++++ b/drivers/infiniband/core/iwpm_util.c
+@@ -114,7 +114,7 @@ int iwpm_create_mapinfo(struct sockaddr_
+ struct sockaddr_storage *mapped_sockaddr,
+ u8 nl_client)
+ {
+- struct hlist_head *hash_bucket_head;
++ struct hlist_head *hash_bucket_head = NULL;
+ struct iwpm_mapping_info *map_info;
+ unsigned long flags;
+ int ret = -EINVAL;
+@@ -142,6 +142,9 @@ int iwpm_create_mapinfo(struct sockaddr_
+ }
+ }
+ spin_unlock_irqrestore(&iwpm_mapinfo_lock, flags);
++
++ if (!hash_bucket_head)
++ kfree(map_info);
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Mon, 23 Apr 2018 17:01:56 +0300
+Subject: RDMA/mlx5: Properly check return value of mlx5_get_uars_page
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+[ Upstream commit 444261ca6ff201fa03de97a5041237e67a9d8d31 ]
+
+Starting from commit 72f36be06138 ("net/mlx5: Fix mlx5_get_uars_page to
+return error code") the mlx5_get_uars_page() call returns error in case
+of failure, but it was mistakenly overlooked in the merge commit.
+
+Fixes: e7996a9a77fc ("Merge tag v4.15 of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6.git")
+Reported-by: Alaa Hleihel <alaa@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -4833,9 +4833,7 @@ static void mlx5_ib_stage_cong_debugfs_c
+ static int mlx5_ib_stage_uar_init(struct mlx5_ib_dev *dev)
+ {
+ dev->mdev->priv.uar = mlx5_get_uars_page(dev->mdev);
+- if (!dev->mdev->priv.uar)
+- return -ENOMEM;
+- return 0;
++ return PTR_ERR_OR_ZERO(dev->mdev->priv.uar);
+ }
+
+ static void mlx5_ib_stage_uar_cleanup(struct mlx5_ib_dev *dev)
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Dag Moxnes <dag.moxnes@oracle.com>
+Date: Wed, 25 Apr 2018 13:22:01 +0200
+Subject: rds: ib: Fix missing call to rds_ib_dev_put in rds_ib_setup_qp
+
+From: Dag Moxnes <dag.moxnes@oracle.com>
+
+[ Upstream commit 91a825290ca4eae88603bc811bf74a45f94a3f46 ]
+
+The function rds_ib_setup_qp is calling rds_ib_get_client_data and
+should correspondingly call rds_ib_dev_put. This call was lost in
+the non-error path with the introduction of error handling done in
+commit 3b12f73a5c29 ("rds: ib: add error handle")
+
+Signed-off-by: Dag Moxnes <dag.moxnes@oracle.com>
+Reviewed-by: Håkon Bugge <haakon.bugge@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/ib_cm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/rds/ib_cm.c
++++ b/net/rds/ib_cm.c
+@@ -547,7 +547,7 @@ static int rds_ib_setup_qp(struct rds_co
+ rdsdebug("conn %p pd %p cq %p %p\n", conn, ic->i_pd,
+ ic->i_send_cq, ic->i_recv_cq);
+
+- return ret;
++ goto out;
+
+ sends_out:
+ vfree(ic->i_sends);
+@@ -572,6 +572,7 @@ send_cq_out:
+ ic->i_send_cq = NULL;
+ rds_ibdev_out:
+ rds_ib_remove_conn(rds_ibdev, conn);
++out:
+ rds_ib_dev_put(rds_ibdev);
+
+ return ret;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Tobias Jordan <Tobias.Jordan@elektrobit.com>
+Date: Thu, 15 Feb 2018 16:12:55 +0100
+Subject: remoteproc: qcom: Fix potential device node leaks
+
+From: Tobias Jordan <Tobias.Jordan@elektrobit.com>
+
+[ Upstream commit 278d744c46fd4f1925aec77752d18a0e4a9cbec3 ]
+
+Add missing of_node_put()s at two places for device nodes returned by
+of_parse_phandle().
+
+Fixes: 051fb70fd4ea ("remoteproc: qcom: Driver for the self-authenticating
+ Hexagon v5")
+Signed-off-by: Tobias Jordan <Tobias.Jordan@elektrobit.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/remoteproc/qcom_q6v5_pil.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/remoteproc/qcom_q6v5_pil.c
++++ b/drivers/remoteproc/qcom_q6v5_pil.c
+@@ -1088,6 +1088,7 @@ static int q6v5_alloc_memory_region(stru
+ dev_err(qproc->dev, "unable to resolve mba region\n");
+ return ret;
+ }
++ of_node_put(node);
+
+ qproc->mba_phys = r.start;
+ qproc->mba_size = resource_size(&r);
+@@ -1105,6 +1106,7 @@ static int q6v5_alloc_memory_region(stru
+ dev_err(qproc->dev, "unable to resolve mpss region\n");
+ return ret;
+ }
++ of_node_put(node);
+
+ qproc->mpss_phys = qproc->mpss_reloc = r.start;
+ qproc->mpss_size = resource_size(&r);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Thu, 12 Apr 2018 11:16:10 +0900
+Subject: reset: uniphier: fix USB clock line for LD20
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+[ Upstream commit e6914365fd280fce303a89b8a8d4529af5a2e0f9 ]
+
+For LD20, the bit 5 of the offset 0x200c turned out to be a USB3
+reset. The hardware document says it is the GIO reset despite LD20
+has no GIO bus, confusingly.
+
+Also, fix confusing comments for PXs3.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/reset/reset-uniphier.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/reset/reset-uniphier.c
++++ b/drivers/reset/reset-uniphier.c
+@@ -107,7 +107,7 @@ static const struct uniphier_reset_data
+ UNIPHIER_RESETX(4, 0x200c, 2), /* eMMC */
+ UNIPHIER_RESETX(6, 0x200c, 6), /* Ether */
+ UNIPHIER_RESETX(8, 0x200c, 8), /* STDMAC (HSC) */
+- UNIPHIER_RESETX(12, 0x200c, 5), /* GIO (PCIe, USB3) */
++ UNIPHIER_RESETX(14, 0x200c, 5), /* USB30 */
+ UNIPHIER_RESETX(16, 0x200c, 12), /* USB30-PHY0 */
+ UNIPHIER_RESETX(17, 0x200c, 13), /* USB30-PHY1 */
+ UNIPHIER_RESETX(18, 0x200c, 14), /* USB30-PHY2 */
+@@ -122,8 +122,8 @@ static const struct uniphier_reset_data
+ UNIPHIER_RESETX(2, 0x200c, 0), /* NAND */
+ UNIPHIER_RESETX(4, 0x200c, 2), /* eMMC */
+ UNIPHIER_RESETX(8, 0x200c, 12), /* STDMAC */
+- UNIPHIER_RESETX(12, 0x200c, 4), /* USB30 link (GIO0) */
+- UNIPHIER_RESETX(13, 0x200c, 5), /* USB31 link (GIO1) */
++ UNIPHIER_RESETX(12, 0x200c, 4), /* USB30 link */
++ UNIPHIER_RESETX(13, 0x200c, 5), /* USB31 link */
+ UNIPHIER_RESETX(16, 0x200c, 16), /* USB30-PHY0 */
+ UNIPHIER_RESETX(17, 0x200c, 18), /* USB30-PHY1 */
+ UNIPHIER_RESETX(18, 0x200c, 20), /* USB30-PHY2 */
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Aurelien Jarno <aurelien@aurel32.net>
+Date: Wed, 21 Mar 2018 22:26:31 +0100
+Subject: RISC-V: build vdso-dummy.o with -no-pie
+
+From: Aurelien Jarno <aurelien@aurel32.net>
+
+[ Upstream commit 85602bea297fc4e5223adbf7006dcce9aa694f17 ]
+
+Debian toolcahin defaults to PIE, and I guess that will also be the case
+of most distributions. This causes the following build failure:
+
+ AS arch/riscv/kernel/vdso/getcpu.o
+ AS arch/riscv/kernel/vdso/flush_icache.o
+ VDSOLD arch/riscv/kernel/vdso/vdso.so.dbg
+ OBJCOPY arch/riscv/kernel/vdso/vdso.so
+ AS arch/riscv/kernel/vdso/vdso.o
+ VDSOLD arch/riscv/kernel/vdso/vdso-dummy.o
+ LD arch/riscv/kernel/vdso/vdso-syms.o
+riscv64-linux-gnu-ld: attempted static link of dynamic object `arch/riscv/kernel/vdso/vdso-dummy.o'
+make[2]: *** [arch/riscv/kernel/vdso/Makefile:43: arch/riscv/kernel/vdso/vdso-syms.o] Error 1
+make[1]: *** [scripts/Makefile.build:575: arch/riscv/kernel/vdso] Error 2
+make: *** [Makefile:1018: arch/riscv/kernel] Error 2
+
+While the root Makefile correctly passes "-fno-PIE" to build individual
+object files, the RISC-V kernel also builds vdso-dummy.o as an
+executable, which is therefore linked as PIE. Fix that by updating this
+specific link rule to also include "-no-pie".
+
+Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
+Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/vdso/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/riscv/kernel/vdso/Makefile
++++ b/arch/riscv/kernel/vdso/Makefile
+@@ -52,7 +52,7 @@ $(obj)/%.so: $(obj)/%.so.dbg FORCE
+ # Add -lgcc so rv32 gets static muldi3 and lshrdi3 definitions.
+ # Make sure only to export the intended __vdso_xxx symbol offsets.
+ quiet_cmd_vdsold = VDSOLD $@
+- cmd_vdsold = $(CC) $(KCFLAGS) -nostdlib $(SYSCFLAGS_$(@F)) \
++ cmd_vdsold = $(CC) $(KCFLAGS) $(call cc-option, -no-pie) -nostdlib $(SYSCFLAGS_$(@F)) \
+ -Wl,-T,$(filter-out FORCE,$^) -o $@.tmp -lgcc && \
+ $(CROSS_COMPILE)objcopy \
+ $(patsubst %, -G __vdso_%, $(vdso-syms)) $@.tmp $@
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Christoph Hellwig <hch@lst.de>
+Date: Mon, 16 Apr 2018 14:53:51 +0200
+Subject: riscv: select DMA_DIRECT_OPS instead of redefining it
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 86e11757d8b28d8266065beaa9d391d49426797b ]
+
+DMA_DIRECT_OPS is defined in lib/Kconfig, so don't duplicate it in
+arch/riscv/Kconfig.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/Kconfig | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/arch/riscv/Kconfig
++++ b/arch/riscv/Kconfig
+@@ -11,6 +11,7 @@ config RISCV
+ select ARCH_WANT_FRAME_POINTERS
+ select CLONE_BACKWARDS
+ select COMMON_CLK
++ select DMA_DIRECT_OPS
+ select GENERIC_CLOCKEVENTS
+ select GENERIC_CPU_DEVICES
+ select GENERIC_IRQ_SHOW
+@@ -88,9 +89,6 @@ config PGTABLE_LEVELS
+ config HAVE_KPROBES
+ def_bool n
+
+-config DMA_DIRECT_OPS
+- def_bool y
+-
+ menu "Platform type"
+
+ choice
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Ramon Fried <rfried@codeaurora.org>
+Date: Fri, 23 Mar 2018 00:09:12 -0400
+Subject: rpmsg: added MODULE_ALIAS for rpmsg_char
+
+From: Ramon Fried <rfried@codeaurora.org>
+
+[ Upstream commit 93dd4e73c0d9cc32f835d76a54257020b0bfc75a ]
+
+Added "rpmsg:rpmsg_chrdev" MODULE_ALIAS to autoload
+rpmg_chrdev module automatically.
+
+Signed-off-by: Ramon Fried <rfried@codeaurora.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rpmsg/rpmsg_char.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/rpmsg/rpmsg_char.c
++++ b/drivers/rpmsg/rpmsg_char.c
+@@ -581,4 +581,6 @@ static void rpmsg_chrdev_exit(void)
+ unregister_chrdev_region(rpmsg_major, RPMSG_DEV_MAX);
+ }
+ module_exit(rpmsg_chrdev_exit);
++
++MODULE_ALIAS("rpmsg:rpmsg_chrdev");
+ MODULE_LICENSE("GPL v2");
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 10 May 2018 23:26:00 +0100
+Subject: rxrpc: Fix error reception on AF_INET6 sockets
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit f2aeed3a591ff29a82495eeaa92ac4780bad7487 ]
+
+AF_RXRPC tries to turn on IP_RECVERR and IP_MTU_DISCOVER on the UDP socket
+it just opened for communications with the outside world, regardless of the
+type of socket. Unfortunately, this doesn't work with an AF_INET6 socket.
+
+Fix this by turning on IPV6_RECVERR and IPV6_MTU_DISCOVER instead if the
+socket is of the AF_INET6 family.
+
+Without this, kAFS server and address rotation doesn't work correctly
+because the algorithm doesn't detect received network errors.
+
+Fixes: 75b54cb57ca3 ("rxrpc: Add IPv6 support")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/local_object.c | 57 ++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 42 insertions(+), 15 deletions(-)
+
+--- a/net/rxrpc/local_object.c
++++ b/net/rxrpc/local_object.c
+@@ -133,22 +133,49 @@ static int rxrpc_open_socket(struct rxrp
+ }
+ }
+
+- /* we want to receive ICMP errors */
+- opt = 1;
+- ret = kernel_setsockopt(local->socket, SOL_IP, IP_RECVERR,
+- (char *) &opt, sizeof(opt));
+- if (ret < 0) {
+- _debug("setsockopt failed");
+- goto error;
+- }
++ switch (local->srx.transport.family) {
++ case AF_INET:
++ /* we want to receive ICMP errors */
++ opt = 1;
++ ret = kernel_setsockopt(local->socket, SOL_IP, IP_RECVERR,
++ (char *) &opt, sizeof(opt));
++ if (ret < 0) {
++ _debug("setsockopt failed");
++ goto error;
++ }
++
++ /* we want to set the don't fragment bit */
++ opt = IP_PMTUDISC_DO;
++ ret = kernel_setsockopt(local->socket, SOL_IP, IP_MTU_DISCOVER,
++ (char *) &opt, sizeof(opt));
++ if (ret < 0) {
++ _debug("setsockopt failed");
++ goto error;
++ }
++ break;
++
++ case AF_INET6:
++ /* we want to receive ICMP errors */
++ opt = 1;
++ ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_RECVERR,
++ (char *) &opt, sizeof(opt));
++ if (ret < 0) {
++ _debug("setsockopt failed");
++ goto error;
++ }
++
++ /* we want to set the don't fragment bit */
++ opt = IPV6_PMTUDISC_DO;
++ ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_MTU_DISCOVER,
++ (char *) &opt, sizeof(opt));
++ if (ret < 0) {
++ _debug("setsockopt failed");
++ goto error;
++ }
++ break;
+
+- /* we want to set the don't fragment bit */
+- opt = IP_PMTUDISC_DO;
+- ret = kernel_setsockopt(local->socket, SOL_IP, IP_MTU_DISCOVER,
+- (char *) &opt, sizeof(opt));
+- if (ret < 0) {
+- _debug("setsockopt failed");
+- goto error;
++ default:
++ BUG();
+ }
+
+ /* set the socket up */
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 10 May 2018 23:26:00 +0100
+Subject: rxrpc: Fix missing start of call timeout
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit c54e43d752c7187595c8c62a231e0b0d53c7fded ]
+
+The expect_rx_by call timeout is supposed to be set when a call is started
+to indicate that we need to receive a packet by that point. This is
+currently put back every time we receive a packet, but it isn't started
+when we first send a packet. Without this, the call may wait forever if
+the server doesn't deign to reply.
+
+Fix this by setting the timeout upon a successful UDP sendmsg call for the
+first DATA packet. The timeout is initiated only for initial transmission
+and not for subsequent retries as we don't want the retry mechanism to
+extend the timeout indefinitely.
+
+Fixes: a158bdd3247b ("rxrpc: Fix call timeouts")
+Reported-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/ar-internal.h | 1 +
+ net/rxrpc/input.c | 2 +-
+ net/rxrpc/output.c | 11 +++++++++++
+ net/rxrpc/sendmsg.c | 10 ++++++++++
+ 4 files changed, 23 insertions(+), 1 deletion(-)
+
+--- a/net/rxrpc/ar-internal.h
++++ b/net/rxrpc/ar-internal.h
+@@ -464,6 +464,7 @@ enum rxrpc_call_flag {
+ RXRPC_CALL_SEND_PING, /* A ping will need to be sent */
+ RXRPC_CALL_PINGING, /* Ping in process */
+ RXRPC_CALL_RETRANS_TIMEOUT, /* Retransmission due to timeout occurred */
++ RXRPC_CALL_BEGAN_RX_TIMER, /* We began the expect_rx_by timer */
+ };
+
+ /*
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -971,7 +971,7 @@ static void rxrpc_input_call_packet(stru
+ if (timo) {
+ unsigned long now = jiffies, expect_rx_by;
+
+- expect_rx_by = jiffies + timo;
++ expect_rx_by = now + timo;
+ WRITE_ONCE(call->expect_rx_by, expect_rx_by);
+ rxrpc_reduce_call_timer(call, expect_rx_by, now,
+ rxrpc_timer_set_for_normal);
+--- a/net/rxrpc/output.c
++++ b/net/rxrpc/output.c
+@@ -407,6 +407,17 @@ done:
+ rxrpc_timer_set_for_lost_ack);
+ }
+ }
++
++ if (sp->hdr.seq == 1 &&
++ !test_and_set_bit(RXRPC_CALL_BEGAN_RX_TIMER,
++ &call->flags)) {
++ unsigned long nowj = jiffies, expect_rx_by;
++
++ expect_rx_by = nowj + call->next_rx_timo;
++ WRITE_ONCE(call->expect_rx_by, expect_rx_by);
++ rxrpc_reduce_call_timer(call, expect_rx_by, nowj,
++ rxrpc_timer_set_for_normal);
++ }
+ }
+
+ rxrpc_set_keepalive(call);
+--- a/net/rxrpc/sendmsg.c
++++ b/net/rxrpc/sendmsg.c
+@@ -223,6 +223,15 @@ static void rxrpc_queue_packet(struct rx
+
+ ret = rxrpc_send_data_packet(call, skb, false);
+ if (ret < 0) {
++ switch (ret) {
++ case -ENETUNREACH:
++ case -EHOSTUNREACH:
++ case -ECONNREFUSED:
++ rxrpc_set_call_completion(call,
++ RXRPC_CALL_LOCAL_ERROR,
++ 0, ret);
++ goto out;
++ }
+ _debug("need instant resend %d", ret);
+ rxrpc_instant_resend(call, ix);
+ } else {
+@@ -241,6 +250,7 @@ static void rxrpc_queue_packet(struct rx
+ rxrpc_timer_set_for_send);
+ }
+
++out:
+ rxrpc_free_skb(skb, rxrpc_skb_tx_freed);
+ _leave("");
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 10 May 2018 23:26:01 +0100
+Subject: rxrpc: Fix the min security level for kernel calls
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 93864fc3ffcc4bf70e96cfb5cc6e941630419ad0 ]
+
+Fix the kernel call initiation to set the minimum security level for kernel
+initiated calls (such as from kAFS) from the sockopt value.
+
+Fixes: 19ffa01c9c45 ("rxrpc: Use structs to hold connection params and protocol info")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/af_rxrpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/rxrpc/af_rxrpc.c
++++ b/net/rxrpc/af_rxrpc.c
+@@ -310,7 +310,7 @@ struct rxrpc_call *rxrpc_kernel_begin_ca
+ memset(&cp, 0, sizeof(cp));
+ cp.local = rx->local;
+ cp.key = key;
+- cp.security_level = 0;
++ cp.security_level = rx->min_sec_level;
+ cp.exclusive = false;
+ cp.upgrade = upgrade;
+ cp.service_id = srx->srx_service;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Thu, 19 Apr 2018 12:52:09 +0200
+Subject: s390/qeth: fix MAC address update sequence
+
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+
+[ Upstream commit bcacfcbc82b4235d280ed9b067aa4567f4a0c756 ]
+
+When changing the MAC address on a L2 qeth device, current code first
+unregisters the old address, then registers the new one.
+If HW rejects the new address (or the IO fails), the device ends up with
+no operable address at all.
+
+Re-order the code flow so that the old address only gets dropped if the
+new address was registered successfully. While at it, add logic to catch
+some corner-cases.
+
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_l2_main.c | 55 ++++++++++++++++++++++------------------
+ 1 file changed, 31 insertions(+), 24 deletions(-)
+
+--- a/drivers/s390/net/qeth_l2_main.c
++++ b/drivers/s390/net/qeth_l2_main.c
+@@ -122,13 +122,10 @@ static int qeth_l2_send_setmac(struct qe
+ QETH_CARD_TEXT(card, 2, "L2Setmac");
+ rc = qeth_l2_send_setdelmac(card, mac, IPA_CMD_SETVMAC);
+ if (rc == 0) {
+- card->info.mac_bits |= QETH_LAYER2_MAC_REGISTERED;
+- ether_addr_copy(card->dev->dev_addr, mac);
+ dev_info(&card->gdev->dev,
+- "MAC address %pM successfully registered on device %s\n",
+- card->dev->dev_addr, card->dev->name);
++ "MAC address %pM successfully registered on device %s\n",
++ mac, card->dev->name);
+ } else {
+- card->info.mac_bits &= ~QETH_LAYER2_MAC_REGISTERED;
+ switch (rc) {
+ case -EEXIST:
+ dev_warn(&card->gdev->dev,
+@@ -143,19 +140,6 @@ static int qeth_l2_send_setmac(struct qe
+ return rc;
+ }
+
+-static int qeth_l2_send_delmac(struct qeth_card *card, __u8 *mac)
+-{
+- int rc;
+-
+- QETH_CARD_TEXT(card, 2, "L2Delmac");
+- if (!(card->info.mac_bits & QETH_LAYER2_MAC_REGISTERED))
+- return 0;
+- rc = qeth_l2_send_setdelmac(card, mac, IPA_CMD_DELVMAC);
+- if (rc == 0)
+- card->info.mac_bits &= ~QETH_LAYER2_MAC_REGISTERED;
+- return rc;
+-}
+-
+ static int qeth_l2_write_mac(struct qeth_card *card, u8 *mac)
+ {
+ enum qeth_ipa_cmds cmd = is_multicast_ether_addr_64bits(mac) ?
+@@ -522,6 +506,7 @@ static int qeth_l2_set_mac_address(struc
+ {
+ struct sockaddr *addr = p;
+ struct qeth_card *card = dev->ml_priv;
++ u8 old_addr[ETH_ALEN];
+ int rc = 0;
+
+ QETH_CARD_TEXT(card, 3, "setmac");
+@@ -533,14 +518,35 @@ static int qeth_l2_set_mac_address(struc
+ return -EOPNOTSUPP;
+ }
+ QETH_CARD_HEX(card, 3, addr->sa_data, ETH_ALEN);
++ if (!is_valid_ether_addr(addr->sa_data))
++ return -EADDRNOTAVAIL;
++
+ if (qeth_wait_for_threads(card, QETH_RECOVER_THREAD)) {
+ QETH_CARD_TEXT(card, 3, "setmcREC");
+ return -ERESTARTSYS;
+ }
+- rc = qeth_l2_send_delmac(card, &card->dev->dev_addr[0]);
+- if (!rc || (rc == -ENOENT))
+- rc = qeth_l2_send_setmac(card, addr->sa_data);
+- return rc ? -EINVAL : 0;
++
++ if (!qeth_card_hw_is_reachable(card)) {
++ ether_addr_copy(dev->dev_addr, addr->sa_data);
++ return 0;
++ }
++
++ /* don't register the same address twice */
++ if (ether_addr_equal_64bits(dev->dev_addr, addr->sa_data) &&
++ (card->info.mac_bits & QETH_LAYER2_MAC_REGISTERED))
++ return 0;
++
++ /* add the new address, switch over, drop the old */
++ rc = qeth_l2_send_setmac(card, addr->sa_data);
++ if (rc)
++ return rc;
++ ether_addr_copy(old_addr, dev->dev_addr);
++ ether_addr_copy(dev->dev_addr, addr->sa_data);
++
++ if (card->info.mac_bits & QETH_LAYER2_MAC_REGISTERED)
++ qeth_l2_remove_mac(card, old_addr);
++ card->info.mac_bits |= QETH_LAYER2_MAC_REGISTERED;
++ return 0;
+ }
+
+ static void qeth_promisc_to_bridge(struct qeth_card *card)
+@@ -1067,8 +1073,9 @@ static int __qeth_l2_set_online(struct c
+ goto out_remove;
+ }
+
+- if (card->info.type != QETH_CARD_TYPE_OSN)
+- qeth_l2_send_setmac(card, &card->dev->dev_addr[0]);
++ if (card->info.type != QETH_CARD_TYPE_OSN &&
++ !qeth_l2_send_setmac(card, card->dev->dev_addr))
++ card->info.mac_bits |= QETH_LAYER2_MAC_REGISTERED;
+
+ if (qeth_is_diagass_supported(card, QETH_DIAGS_CMD_TRAP)) {
+ if (card->info.hwtrap &&
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Thu, 19 Apr 2018 12:52:10 +0200
+Subject: s390/qeth: fix request-side race during cmd IO timeout
+
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+
+[ Upstream commit db71bbbd11a4d314f0fa3fbf3369b71cf33ce33c ]
+
+Submitting a cmd IO request (usually on the WRITE device, but for IDX
+also on the READ device) is currently done with ccw_device_start()
+and a manual timeout in the caller.
+On timeout, the caller cleans up the related resources (eg. IO buffer).
+But 1) the IO might still be active and utilize those resources, and
+ 2) when the IO completes, qeth_irq() will attempt to clean up the
+ same resources again.
+
+Instead of introducing additional resource locking, switch to
+ccw_device_start_timeout() to ensure IO termination after timeout, and
+let the IRQ handler alone deal with cleaning up after a request.
+
+This also removes a stray write->irq_pending reset from
+clear_ipacmd_list(). The routine doesn't terminate any pending IO on
+the WRITE device, so this should be handled properly via IO timeout
+in the IRQ handler.
+
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_core_main.c | 51 +++++++++++++++++++-------------------
+ drivers/s390/net/qeth_core_mpc.h | 12 ++++++++
+ drivers/s390/net/qeth_l2_main.c | 4 +-
+ 3 files changed, 40 insertions(+), 27 deletions(-)
+
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -706,7 +706,6 @@ void qeth_clear_ipacmd_list(struct qeth_
+ qeth_put_reply(reply);
+ }
+ spin_unlock_irqrestore(&card->lock, flags);
+- atomic_set(&card->write.irq_pending, 0);
+ }
+ EXPORT_SYMBOL_GPL(qeth_clear_ipacmd_list);
+
+@@ -1101,14 +1100,9 @@ static void qeth_irq(struct ccw_device *
+ {
+ int rc;
+ int cstat, dstat;
++ struct qeth_cmd_buffer *iob = NULL;
+ struct qeth_channel *channel;
+ struct qeth_card *card;
+- struct qeth_cmd_buffer *iob;
+-
+- if (__qeth_check_irb_error(cdev, intparm, irb))
+- return;
+- cstat = irb->scsw.cmd.cstat;
+- dstat = irb->scsw.cmd.dstat;
+
+ card = CARD_FROM_CDEV(cdev);
+ if (!card)
+@@ -1126,6 +1120,19 @@ static void qeth_irq(struct ccw_device *
+ channel = &card->data;
+ QETH_CARD_TEXT(card, 5, "data");
+ }
++
++ if (qeth_intparm_is_iob(intparm))
++ iob = (struct qeth_cmd_buffer *) __va((addr_t)intparm);
++
++ if (__qeth_check_irb_error(cdev, intparm, irb)) {
++ /* IO was terminated, free its resources. */
++ if (iob)
++ qeth_release_buffer(iob->channel, iob);
++ atomic_set(&channel->irq_pending, 0);
++ wake_up(&card->wait_q);
++ return;
++ }
++
+ atomic_set(&channel->irq_pending, 0);
+
+ if (irb->scsw.cmd.fctl & (SCSW_FCTL_CLEAR_FUNC))
+@@ -1149,6 +1156,10 @@ static void qeth_irq(struct ccw_device *
+ /* we don't have to handle this further */
+ intparm = 0;
+ }
++
++ cstat = irb->scsw.cmd.cstat;
++ dstat = irb->scsw.cmd.dstat;
++
+ if ((dstat & DEV_STAT_UNIT_EXCEP) ||
+ (dstat & DEV_STAT_UNIT_CHECK) ||
+ (cstat)) {
+@@ -1187,11 +1198,8 @@ static void qeth_irq(struct ccw_device *
+ channel->state == CH_STATE_UP)
+ __qeth_issue_next_read(card);
+
+- if (intparm) {
+- iob = (struct qeth_cmd_buffer *) __va((addr_t)intparm);
+- if (iob->callback)
+- iob->callback(iob->channel, iob);
+- }
++ if (iob && iob->callback)
++ iob->callback(iob->channel, iob);
+
+ out:
+ wake_up(&card->wait_q);
+@@ -1862,8 +1870,8 @@ static int qeth_idx_activate_get_answer(
+ atomic_cmpxchg(&channel->irq_pending, 0, 1) == 0);
+ QETH_DBF_TEXT(SETUP, 6, "noirqpnd");
+ spin_lock_irqsave(get_ccwdev_lock(channel->ccwdev), flags);
+- rc = ccw_device_start(channel->ccwdev,
+- &channel->ccw, (addr_t) iob, 0, 0);
++ rc = ccw_device_start_timeout(channel->ccwdev, &channel->ccw,
++ (addr_t) iob, 0, 0, QETH_TIMEOUT);
+ spin_unlock_irqrestore(get_ccwdev_lock(channel->ccwdev), flags);
+
+ if (rc) {
+@@ -1880,7 +1888,6 @@ static int qeth_idx_activate_get_answer(
+ if (channel->state != CH_STATE_UP) {
+ rc = -ETIME;
+ QETH_DBF_TEXT_(SETUP, 2, "3err%d", rc);
+- qeth_clear_cmd_buffers(channel);
+ } else
+ rc = 0;
+ return rc;
+@@ -1934,8 +1941,8 @@ static int qeth_idx_activate_channel(str
+ atomic_cmpxchg(&channel->irq_pending, 0, 1) == 0);
+ QETH_DBF_TEXT(SETUP, 6, "noirqpnd");
+ spin_lock_irqsave(get_ccwdev_lock(channel->ccwdev), flags);
+- rc = ccw_device_start(channel->ccwdev,
+- &channel->ccw, (addr_t) iob, 0, 0);
++ rc = ccw_device_start_timeout(channel->ccwdev, &channel->ccw,
++ (addr_t) iob, 0, 0, QETH_TIMEOUT);
+ spin_unlock_irqrestore(get_ccwdev_lock(channel->ccwdev), flags);
+
+ if (rc) {
+@@ -1956,7 +1963,6 @@ static int qeth_idx_activate_channel(str
+ QETH_DBF_MESSAGE(2, "%s IDX activate timed out\n",
+ dev_name(&channel->ccwdev->dev));
+ QETH_DBF_TEXT_(SETUP, 2, "2err%d", -ETIME);
+- qeth_clear_cmd_buffers(channel);
+ return -ETIME;
+ }
+ return qeth_idx_activate_get_answer(channel, idx_reply_cb);
+@@ -2158,8 +2164,8 @@ int qeth_send_control_data(struct qeth_c
+
+ QETH_CARD_TEXT(card, 6, "noirqpnd");
+ spin_lock_irqsave(get_ccwdev_lock(card->write.ccwdev), flags);
+- rc = ccw_device_start(card->write.ccwdev, &card->write.ccw,
+- (addr_t) iob, 0, 0);
++ rc = ccw_device_start_timeout(CARD_WDEV(card), &card->write.ccw,
++ (addr_t) iob, 0, 0, event_timeout);
+ spin_unlock_irqrestore(get_ccwdev_lock(card->write.ccwdev), flags);
+ if (rc) {
+ QETH_DBF_MESSAGE(2, "%s qeth_send_control_data: "
+@@ -2191,8 +2197,6 @@ int qeth_send_control_data(struct qeth_c
+ }
+ }
+
+- if (reply->rc == -EIO)
+- goto error;
+ rc = reply->rc;
+ qeth_put_reply(reply);
+ return rc;
+@@ -2203,9 +2207,6 @@ time_err:
+ list_del_init(&reply->list);
+ spin_unlock_irqrestore(&reply->card->lock, flags);
+ atomic_inc(&reply->received);
+-error:
+- atomic_set(&card->write.irq_pending, 0);
+- qeth_release_buffer(iob->channel, iob);
+ rc = reply->rc;
+ qeth_put_reply(reply);
+ return rc;
+--- a/drivers/s390/net/qeth_core_mpc.h
++++ b/drivers/s390/net/qeth_core_mpc.h
+@@ -35,6 +35,18 @@ extern unsigned char IPA_PDU_HEADER[];
+ #define QETH_HALT_CHANNEL_PARM -11
+ #define QETH_RCD_PARM -12
+
++static inline bool qeth_intparm_is_iob(unsigned long intparm)
++{
++ switch (intparm) {
++ case QETH_CLEAR_CHANNEL_PARM:
++ case QETH_HALT_CHANNEL_PARM:
++ case QETH_RCD_PARM:
++ case 0:
++ return false;
++ }
++ return true;
++}
++
+ /*****************************************************************************/
+ /* IP Assist related definitions */
+ /*****************************************************************************/
+--- a/drivers/s390/net/qeth_l2_main.c
++++ b/drivers/s390/net/qeth_l2_main.c
+@@ -1346,8 +1346,8 @@ static int qeth_osn_send_control_data(st
+ qeth_prepare_control_data(card, len, iob);
+ QETH_CARD_TEXT(card, 6, "osnoirqp");
+ spin_lock_irqsave(get_ccwdev_lock(card->write.ccwdev), flags);
+- rc = ccw_device_start(card->write.ccwdev, &card->write.ccw,
+- (addr_t) iob, 0, 0);
++ rc = ccw_device_start_timeout(CARD_WDEV(card), &card->write.ccw,
++ (addr_t) iob, 0, 0, QETH_IPA_TIMEOUT);
+ spin_unlock_irqrestore(get_ccwdev_lock(card->write.ccwdev), flags);
+ if (rc) {
+ QETH_DBF_MESSAGE(2, "qeth_osn_send_control_data: "
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Thu, 19 Apr 2018 12:52:11 +0200
+Subject: s390/qeth: use Read device to query hypervisor for MAC
+
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+
+[ Upstream commit b7493e91c11a757cf0f8ab26989642ee4bb2c642 ]
+
+For z/VM NICs, qeth needs to consider which of the three CCW devices in
+an MPC group it uses for requesting a managed MAC address.
+
+On the Base device, the hypervisor returns a default MAC which is
+pre-assigned when creating the NIC (this MAC is also returned by the
+READ MAC primitive). Querying any other device results in the allocation
+of an additional MAC address.
+
+For consistency with READ MAC and to avoid using up more addresses than
+necessary, it is preferable to use the NIC's default MAC. So switch the
+the diag26c over to using a NIC's Read device, which should always be
+identical to the Base device.
+
+Fixes: ec61bd2fd2a2 ("s390/qeth: use diag26c to get MAC address on L2")
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_core_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -4839,7 +4839,7 @@ int qeth_vm_request_mac(struct qeth_card
+ goto out;
+ }
+
+- ccw_device_get_id(CARD_DDEV(card), &id);
++ ccw_device_get_id(CARD_RDEV(card), &id);
+ request->resp_buf_len = sizeof(*response);
+ request->resp_version = DIAG26C_VERSION2;
+ request->op_code = DIAG26C_GET_MAC;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Date: Tue, 3 Apr 2018 11:08:52 +0200
+Subject: s390/smsgiucv: disable SMSG on module unload
+
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+
+[ Upstream commit 760dd0eeaec1689430243ead14e5a429613d8c52 ]
+
+The module exit function of the smsgiucv module uses the incorrect CP
+command to disable SMSG messages. The correct command is "SET SMSG OFF".
+Use it.
+
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/smsgiucv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/s390/net/smsgiucv.c
++++ b/drivers/s390/net/smsgiucv.c
+@@ -176,7 +176,7 @@ static struct device_driver smsg_driver
+
+ static void __exit smsg_exit(void)
+ {
+- cpcmd("SET SMSG IUCV", NULL, 0, NULL);
++ cpcmd("SET SMSG OFF", NULL, 0, NULL);
+ device_unregister(smsg_dev);
+ iucv_unregister(&smsg_handler, 1);
+ driver_unregister(&smsg_driver);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Mon, 30 Apr 2018 14:51:01 +0200
+Subject: sched/core: Introduce set_special_state()
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit b5bf9a90bbebffba888c9144c5a8a10317b04064 ]
+
+Gaurav reported a perceived problem with TASK_PARKED, which turned out
+to be a broken wait-loop pattern in __kthread_parkme(), but the
+reported issue can (and does) in fact happen for states that do not do
+condition based sleeps.
+
+When the 'current->state = TASK_RUNNING' store of a previous
+(concurrent) try_to_wake_up() collides with the setting of a 'special'
+sleep state, we can loose the sleep state.
+
+Normal condition based wait-loops are immune to this problem, but for
+sleep states that are not condition based are subject to this problem.
+
+There already is a fix for TASK_DEAD. Abstract that and also apply it
+to TASK_STOPPED and TASK_TRACED, both of which are also without
+condition based wait-loop.
+
+Reported-by: Gaurav Kohli <gkohli@codeaurora.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/sched.h | 50 ++++++++++++++++++++++++++++++++++++++-----
+ include/linux/sched/signal.h | 2 -
+ kernel/sched/core.c | 17 --------------
+ kernel/signal.c | 17 ++++++++++++--
+ 4 files changed, 62 insertions(+), 24 deletions(-)
+
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -113,17 +113,36 @@ struct task_group;
+
+ #ifdef CONFIG_DEBUG_ATOMIC_SLEEP
+
++/*
++ * Special states are those that do not use the normal wait-loop pattern. See
++ * the comment with set_special_state().
++ */
++#define is_special_task_state(state) \
++ ((state) & (__TASK_STOPPED | __TASK_TRACED | TASK_DEAD))
++
+ #define __set_current_state(state_value) \
+ do { \
++ WARN_ON_ONCE(is_special_task_state(state_value));\
+ current->task_state_change = _THIS_IP_; \
+ current->state = (state_value); \
+ } while (0)
++
+ #define set_current_state(state_value) \
+ do { \
++ WARN_ON_ONCE(is_special_task_state(state_value));\
+ current->task_state_change = _THIS_IP_; \
+ smp_store_mb(current->state, (state_value)); \
+ } while (0)
+
++#define set_special_state(state_value) \
++ do { \
++ unsigned long flags; /* may shadow */ \
++ WARN_ON_ONCE(!is_special_task_state(state_value)); \
++ raw_spin_lock_irqsave(¤t->pi_lock, flags); \
++ current->task_state_change = _THIS_IP_; \
++ current->state = (state_value); \
++ raw_spin_unlock_irqrestore(¤t->pi_lock, flags); \
++ } while (0)
+ #else
+ /*
+ * set_current_state() includes a barrier so that the write of current->state
+@@ -145,8 +164,8 @@ struct task_group;
+ *
+ * The above is typically ordered against the wakeup, which does:
+ *
+- * need_sleep = false;
+- * wake_up_state(p, TASK_UNINTERRUPTIBLE);
++ * need_sleep = false;
++ * wake_up_state(p, TASK_UNINTERRUPTIBLE);
+ *
+ * Where wake_up_state() (and all other wakeup primitives) imply enough
+ * barriers to order the store of the variable against wakeup.
+@@ -155,12 +174,33 @@ struct task_group;
+ * once it observes the TASK_UNINTERRUPTIBLE store the waking CPU can issue a
+ * TASK_RUNNING store which can collide with __set_current_state(TASK_RUNNING).
+ *
+- * This is obviously fine, since they both store the exact same value.
++ * However, with slightly different timing the wakeup TASK_RUNNING store can
++ * also collide with the TASK_UNINTERRUPTIBLE store. Loosing that store is not
++ * a problem either because that will result in one extra go around the loop
++ * and our @cond test will save the day.
+ *
+ * Also see the comments of try_to_wake_up().
+ */
+-#define __set_current_state(state_value) do { current->state = (state_value); } while (0)
+-#define set_current_state(state_value) smp_store_mb(current->state, (state_value))
++#define __set_current_state(state_value) \
++ current->state = (state_value)
++
++#define set_current_state(state_value) \
++ smp_store_mb(current->state, (state_value))
++
++/*
++ * set_special_state() should be used for those states when the blocking task
++ * can not use the regular condition based wait-loop. In that case we must
++ * serialize against wakeups such that any possible in-flight TASK_RUNNING stores
++ * will not collide with our state change.
++ */
++#define set_special_state(state_value) \
++ do { \
++ unsigned long flags; /* may shadow */ \
++ raw_spin_lock_irqsave(¤t->pi_lock, flags); \
++ current->state = (state_value); \
++ raw_spin_unlock_irqrestore(¤t->pi_lock, flags); \
++ } while (0)
++
+ #endif
+
+ /* Task command name length: */
+--- a/include/linux/sched/signal.h
++++ b/include/linux/sched/signal.h
+@@ -280,7 +280,7 @@ static inline void kernel_signal_stop(vo
+ {
+ spin_lock_irq(¤t->sighand->siglock);
+ if (current->jobctl & JOBCTL_STOP_DEQUEUED)
+- __set_current_state(TASK_STOPPED);
++ set_special_state(TASK_STOPPED);
+ spin_unlock_irq(¤t->sighand->siglock);
+
+ schedule();
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -3459,23 +3459,8 @@ static void __sched notrace __schedule(b
+
+ void __noreturn do_task_dead(void)
+ {
+- /*
+- * The setting of TASK_RUNNING by try_to_wake_up() may be delayed
+- * when the following two conditions become true.
+- * - There is race condition of mmap_sem (It is acquired by
+- * exit_mm()), and
+- * - SMI occurs before setting TASK_RUNINNG.
+- * (or hypervisor of virtual machine switches to other guest)
+- * As a result, we may become TASK_RUNNING after becoming TASK_DEAD
+- *
+- * To avoid it, we have to wait for releasing tsk->pi_lock which
+- * is held by try_to_wake_up()
+- */
+- raw_spin_lock_irq(¤t->pi_lock);
+- raw_spin_unlock_irq(¤t->pi_lock);
+-
+ /* Causes final put_task_struct in finish_task_switch(): */
+- __set_current_state(TASK_DEAD);
++ set_special_state(TASK_DEAD);
+
+ /* Tell freezer to ignore us: */
+ current->flags |= PF_NOFREEZE;
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1961,14 +1961,27 @@ static void ptrace_stop(int exit_code, i
+ return;
+ }
+
++ set_special_state(TASK_TRACED);
++
+ /*
+ * We're committing to trapping. TRACED should be visible before
+ * TRAPPING is cleared; otherwise, the tracer might fail do_wait().
+ * Also, transition to TRACED and updates to ->jobctl should be
+ * atomic with respect to siglock and should be done after the arch
+ * hook as siglock is released and regrabbed across it.
++ *
++ * TRACER TRACEE
++ *
++ * ptrace_attach()
++ * [L] wait_on_bit(JOBCTL_TRAPPING) [S] set_special_state(TRACED)
++ * do_wait()
++ * set_current_state() smp_wmb();
++ * ptrace_do_wait()
++ * wait_task_stopped()
++ * task_stopped_code()
++ * [L] task_is_traced() [S] task_clear_jobctl_trapping();
+ */
+- set_current_state(TASK_TRACED);
++ smp_wmb();
+
+ current->last_siginfo = info;
+ current->exit_code = exit_code;
+@@ -2176,7 +2189,7 @@ static bool do_signal_stop(int signr)
+ if (task_participate_group_stop(current))
+ notify = CLD_STOPPED;
+
+- __set_current_state(TASK_STOPPED);
++ set_special_state(TASK_STOPPED);
+ spin_unlock_irq(¤t->sighand->siglock);
+
+ /*
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Mathieu Malaterre <malat@debian.org>
+Date: Wed, 16 May 2018 22:09:02 +0200
+Subject: sched/deadline: Make the grub_reclaim() function static
+
+From: Mathieu Malaterre <malat@debian.org>
+
+[ Upstream commit 3febfc8a219a036633b57a34c6678e21b6a0580d ]
+
+Since the grub_reclaim() function can be made static, make it so.
+
+Silences the following GCC warning (W=1):
+
+ kernel/sched/deadline.c:1120:5: warning: no previous prototype for ‘grub_reclaim’ [-Wmissing-prototypes]
+
+Signed-off-by: Mathieu Malaterre <malat@debian.org>
+Acked-by: Peter Zijlstra <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20180516200902.959-1-malat@debian.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/deadline.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -1121,7 +1121,7 @@ extern bool sched_rt_bandwidth_account(s
+ * should be larger than 2^(64 - 20 - 8), which is more than 64 seconds.
+ * So, overflow is not an issue here.
+ */
+-u64 grub_reclaim(u64 delta, struct rq *rq, struct sched_dl_entity *dl_se)
++static u64 grub_reclaim(u64 delta, struct rq *rq, struct sched_dl_entity *dl_se)
+ {
+ u64 u_inact = rq->dl.this_bw - rq->dl.running_bw; /* Utot - Uact */
+ u64 u_act;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Mathieu Malaterre <malat@debian.org>
+Date: Wed, 16 May 2018 21:53:47 +0200
+Subject: sched/debug: Move the print_rt_rq() and print_dl_rq() declarations to kernel/sched/sched.h
+
+From: Mathieu Malaterre <malat@debian.org>
+
+[ Upstream commit f6a3463063f42d9fb2c78f386437a822e0ad1792 ]
+
+In the following commit:
+
+ 6b55c9654fcc ("sched/debug: Move print_cfs_rq() declaration to kernel/sched/sched.h")
+
+the print_cfs_rq() prototype was added to <kernel/sched/sched.h>,
+right next to the prototypes for print_cfs_stats(), print_rt_stats()
+and print_dl_stats().
+
+Finish this previous commit and also move related prototypes for
+print_rt_rq() and print_dl_rq().
+
+Remove existing extern declarations now that they not needed anymore.
+
+Silences the following GCC warning, triggered by W=1:
+
+ kernel/sched/debug.c:573:6: warning: no previous prototype for ‘print_rt_rq’ [-Wmissing-prototypes]
+ kernel/sched/debug.c:603:6: warning: no previous prototype for ‘print_dl_rq’ [-Wmissing-prototypes]
+
+Signed-off-by: Mathieu Malaterre <malat@debian.org>
+Acked-by: Peter Zijlstra <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20180516195348.30426-1-malat@debian.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/deadline.c | 2 --
+ kernel/sched/rt.c | 2 --
+ kernel/sched/sched.h | 5 +++--
+ 3 files changed, 3 insertions(+), 6 deletions(-)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -2723,8 +2723,6 @@ bool dl_cpu_busy(unsigned int cpu)
+ #endif
+
+ #ifdef CONFIG_SCHED_DEBUG
+-extern void print_dl_rq(struct seq_file *m, int cpu, struct dl_rq *dl_rq);
+-
+ void print_dl_stats(struct seq_file *m, int cpu)
+ {
+ print_dl_rq(m, cpu, &cpu_rq(cpu)->dl);
+--- a/kernel/sched/rt.c
++++ b/kernel/sched/rt.c
+@@ -2691,8 +2691,6 @@ int sched_rr_handler(struct ctl_table *t
+ }
+
+ #ifdef CONFIG_SCHED_DEBUG
+-extern void print_rt_rq(struct seq_file *m, int cpu, struct rt_rq *rt_rq);
+-
+ void print_rt_stats(struct seq_file *m, int cpu)
+ {
+ rt_rq_iter_t iter;
+--- a/kernel/sched/sched.h
++++ b/kernel/sched/sched.h
+@@ -1986,8 +1986,9 @@ extern bool sched_debug_enabled;
+ extern void print_cfs_stats(struct seq_file *m, int cpu);
+ extern void print_rt_stats(struct seq_file *m, int cpu);
+ extern void print_dl_stats(struct seq_file *m, int cpu);
+-extern void
+-print_cfs_rq(struct seq_file *m, int cpu, struct cfs_rq *cfs_rq);
++extern void print_cfs_rq(struct seq_file *m, int cpu, struct cfs_rq *cfs_rq);
++extern void print_rt_rq(struct seq_file *m, int cpu, struct rt_rq *rt_rq);
++extern void print_dl_rq(struct seq_file *m, int cpu, struct dl_rq *dl_rq);
+ #ifdef CONFIG_NUMA_BALANCING
+ extern void
+ show_numa_stats(struct task_struct *p, struct seq_file *m);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 20 Apr 2018 10:57:16 +0100
+Subject: scsi: isci: Fix infinite loop in while loop
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 4bc83b3f272fe8f36450f9c003df49cf07ffe5fd ]
+
+In the case when the phy_mask is bitwise anded with the phy_index bit is
+zero the continue statement currently jumps to the next iteration of the
+while loop and phy_index is never actually incremented, potentially
+causing an infinite loop if phy_index is less than SCI_MAX_PHS. Fix this
+by turning the while loop into a for loop.
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/isci/port_config.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/scsi/isci/port_config.c
++++ b/drivers/scsi/isci/port_config.c
+@@ -291,7 +291,7 @@ sci_mpc_agent_validate_phy_configuration
+ * Note: We have not moved the current phy_index so we will actually
+ * compare the startting phy with itself.
+ * This is expected and required to add the phy to the port. */
+- while (phy_index < SCI_MAX_PHYS) {
++ for (; phy_index < SCI_MAX_PHYS; phy_index++) {
+ if ((phy_mask & (1 << phy_index)) == 0)
+ continue;
+ sci_phy_get_sas_address(&ihost->phys[phy_index],
+@@ -311,7 +311,6 @@ sci_mpc_agent_validate_phy_configuration
+ &ihost->phys[phy_index]);
+
+ assigned_phy_mask |= (1 << phy_index);
+- phy_index++;
+ }
+
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Chris Leech <cleech@redhat.com>
+Date: Mon, 9 Apr 2018 15:15:28 -0700
+Subject: scsi: iscsi: respond to netlink with unicast when appropriate
+
+From: Chris Leech <cleech@redhat.com>
+
+[ Upstream commit af17092810a887178195276255b7b31f8fbe7dbe ]
+
+Instead of always multicasting responses, send a unicast netlink message
+directed at the correct pid. This will be needed if we ever want to
+support multiple userspace processes interacting with the kernel over
+iSCSI netlink simultaneously. Limitations can currently be seen if you
+attempt to run multiple iscsistart commands in parallel.
+
+We've fixed up the userspace issues in iscsistart that prevented
+multiple instances from running, so now attempts to speed up booting by
+bringing up multiple iscsi sessions at once in the initramfs are just
+running into misrouted responses that this fixes.
+
+Signed-off-by: Chris Leech <cleech@redhat.com>
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/scsi_transport_iscsi.c | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -2322,6 +2322,12 @@ iscsi_multicast_skb(struct sk_buff *skb,
+ return nlmsg_multicast(nls, skb, 0, group, gfp);
+ }
+
++static int
++iscsi_unicast_skb(struct sk_buff *skb, u32 portid)
++{
++ return nlmsg_unicast(nls, skb, portid);
++}
++
+ int iscsi_recv_pdu(struct iscsi_cls_conn *conn, struct iscsi_hdr *hdr,
+ char *data, uint32_t data_size)
+ {
+@@ -2524,14 +2530,11 @@ void iscsi_ping_comp_event(uint32_t host
+ EXPORT_SYMBOL_GPL(iscsi_ping_comp_event);
+
+ static int
+-iscsi_if_send_reply(uint32_t group, int seq, int type, int done, int multi,
+- void *payload, int size)
++iscsi_if_send_reply(u32 portid, int type, void *payload, int size)
+ {
+ struct sk_buff *skb;
+ struct nlmsghdr *nlh;
+ int len = nlmsg_total_size(size);
+- int flags = multi ? NLM_F_MULTI : 0;
+- int t = done ? NLMSG_DONE : type;
+
+ skb = alloc_skb(len, GFP_ATOMIC);
+ if (!skb) {
+@@ -2539,10 +2542,9 @@ iscsi_if_send_reply(uint32_t group, int
+ return -ENOMEM;
+ }
+
+- nlh = __nlmsg_put(skb, 0, 0, t, (len - sizeof(*nlh)), 0);
+- nlh->nlmsg_flags = flags;
++ nlh = __nlmsg_put(skb, 0, 0, type, (len - sizeof(*nlh)), 0);
+ memcpy(nlmsg_data(nlh), payload, size);
+- return iscsi_multicast_skb(skb, group, GFP_ATOMIC);
++ return iscsi_unicast_skb(skb, portid);
+ }
+
+ static int
+@@ -3470,6 +3472,7 @@ static int
+ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group)
+ {
+ int err = 0;
++ u32 portid;
+ struct iscsi_uevent *ev = nlmsg_data(nlh);
+ struct iscsi_transport *transport = NULL;
+ struct iscsi_internal *priv;
+@@ -3490,10 +3493,12 @@ iscsi_if_recv_msg(struct sk_buff *skb, s
+ if (!try_module_get(transport->owner))
+ return -EINVAL;
+
++ portid = NETLINK_CB(skb).portid;
++
+ switch (nlh->nlmsg_type) {
+ case ISCSI_UEVENT_CREATE_SESSION:
+ err = iscsi_if_create_session(priv, ep, ev,
+- NETLINK_CB(skb).portid,
++ portid,
+ ev->u.c_session.initial_cmdsn,
+ ev->u.c_session.cmds_max,
+ ev->u.c_session.queue_depth);
+@@ -3506,7 +3511,7 @@ iscsi_if_recv_msg(struct sk_buff *skb, s
+ }
+
+ err = iscsi_if_create_session(priv, ep, ev,
+- NETLINK_CB(skb).portid,
++ portid,
+ ev->u.c_bound_session.initial_cmdsn,
+ ev->u.c_bound_session.cmds_max,
+ ev->u.c_bound_session.queue_depth);
+@@ -3664,6 +3669,8 @@ iscsi_if_recv_msg(struct sk_buff *skb, s
+ static void
+ iscsi_if_rx(struct sk_buff *skb)
+ {
++ u32 portid = NETLINK_CB(skb).portid;
++
+ mutex_lock(&rx_queue_mutex);
+ while (skb->len >= NLMSG_HDRLEN) {
+ int err;
+@@ -3699,8 +3706,8 @@ iscsi_if_rx(struct sk_buff *skb)
+ break;
+ if (ev->type == ISCSI_UEVENT_GET_CHAP && !err)
+ break;
+- err = iscsi_if_send_reply(group, nlh->nlmsg_seq,
+- nlh->nlmsg_type, 0, 0, ev, sizeof(*ev));
++ err = iscsi_if_send_reply(portid, nlh->nlmsg_type,
++ ev, sizeof(*ev));
+ } while (err < 0 && err != -ECONNREFUSED && err != -ESRCH);
+ skb_pull(skb, rlen);
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Vinson Lee <vlee@freedesktop.org>
+Date: Wed, 21 Mar 2018 21:04:12 +0000
+Subject: scsi: megaraid_sas: Do not log an error if FW successfully initializes.
+
+From: Vinson Lee <vlee@freedesktop.org>
+
+[ Upstream commit fb1633d56b0025233ed3dc49b44544748d509d9d ]
+
+Fixes: 2d2c2331673c ("scsi: megaraid_sas: modified few prints in OCR and IOC INIT path")
+Signed-off-by: Vinson Lee <vlee@freedesktop.org>
+Acked-by: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/megaraid/megaraid_sas_fusion.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
+@@ -1124,12 +1124,12 @@ megasas_ioc_init_fusion(struct megasas_i
+ goto fail_fw_init;
+ }
+
+- ret = 0;
++ return 0;
+
+ fail_fw_init:
+ dev_err(&instance->pdev->dev,
+- "Init cmd return status %s for SCSI host %d\n",
+- ret ? "FAILED" : "SUCCESS", instance->host->host_no);
++ "Init cmd return status FAILED for SCSI host %d\n",
++ instance->host->host_no);
+
+ return ret;
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Long Li <longli@microsoft.com>
+Date: Thu, 22 Mar 2018 14:47:18 -0700
+Subject: scsi: storvsc: Set up correct queue depth values for IDE devices
+
+From: Long Li <longli@microsoft.com>
+
+[ Upstream commit f286299c1d0ba5e2ca0377610307b370fe178767 ]
+
+Unlike SCSI and FC, we don't use multiple channels for IDE. Also fix
+the calculation for sub-channels.
+
+Signed-off-by: Long Li <longli@microsoft.com>
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/storvsc_drv.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -1722,11 +1722,14 @@ static int storvsc_probe(struct hv_devic
+ max_targets = STORVSC_MAX_TARGETS;
+ max_channels = STORVSC_MAX_CHANNELS;
+ /*
+- * On Windows8 and above, we support sub-channels for storage.
++ * On Windows8 and above, we support sub-channels for storage
++ * on SCSI and FC controllers.
+ * The number of sub-channels offerred is based on the number of
+ * VCPUs in the guest.
+ */
+- max_sub_channels = (num_cpus / storvsc_vcpus_per_sub_channel);
++ if (!dev_is_ide)
++ max_sub_channels =
++ (num_cpus - 1) / storvsc_vcpus_per_sub_channel;
+ }
+
+ scsi_driver.can_queue = (max_outstanding_req_per_channel *
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Ming Lei <ming.lei@redhat.com>
+Date: Mon, 16 Apr 2018 17:48:41 +0800
+Subject: scsi: target: fix crash with iscsi target and dvd
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 8e1ceafe50ec4d1bcfae154dd70e7cb6946a6177 ]
+
+When the current page can't be added to bio, one new bio should be
+created for adding this page again, instead of ignoring this page.
+
+This patch fixes kernel crash with iscsi target and dvd, as reported by
+Wakko.
+
+Cc: Wakko Warner <wakko@animx.eu.org>
+Cc: Bart Van Assche <Bart.VanAssche@wdc.com>
+Cc: target-devel@vger.kernel.org
+Cc: linux-scsi@vger.kernel.org
+Cc: "Nicholas A. Bellinger" <nab@linux-iscsi.org>
+Cc: Christoph Hellwig <hch@lst.de>
+Fixes: 84c8590646d5b35804 ("target: avoid accessing .bi_vcnt directly")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_pscsi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/target/target_core_pscsi.c
++++ b/drivers/target/target_core_pscsi.c
+@@ -890,6 +890,7 @@ pscsi_map_sg(struct se_cmd *cmd, struct
+ bytes = min(bytes, data_len);
+
+ if (!bio) {
++new_bio:
+ nr_vecs = min_t(int, BIO_MAX_PAGES, nr_pages);
+ nr_pages -= nr_vecs;
+ /*
+@@ -931,6 +932,7 @@ pscsi_map_sg(struct se_cmd *cmd, struct
+ * be allocated with pscsi_get_bio() above.
+ */
+ bio = NULL;
++ goto new_bio;
+ }
+
+ data_len -= bytes;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Jim Gill <jgill@vmware.com>
+Date: Fri, 20 Apr 2018 19:04:47 -0700
+Subject: scsi: vmw-pvscsi: return DID_BUS_BUSY for adapter-initated aborts
+
+From: Jim Gill <jgill@vmware.com>
+
+[ Upstream commit f4b024271ae3e9786e5d6f1c05b01b57a74e1d6d ]
+
+The vmw_pvscsi driver returns DID_ABORT for commands aborted internally
+by the adapter, leading to the filesystem going read-only. Change the
+result to DID_BUS_BUSY, causing the kernel to retry the command.
+
+Signed-off-by: Jim Gill <jgill@vmware.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/vmw_pvscsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/vmw_pvscsi.c
++++ b/drivers/scsi/vmw_pvscsi.c
+@@ -609,7 +609,7 @@ static void pvscsi_complete_request(stru
+ break;
+
+ case BTSTAT_ABORTQUEUE:
+- cmd->result = (DID_ABORT << 16);
++ cmd->result = (DID_BUS_BUSY << 16);
+ break;
+
+ case BTSTAT_SCSIPARITY:
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Thu, 5 Apr 2018 18:29:12 +0900
+Subject: selftests: ftrace: Add a testcase for multiple actions on trigger
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit 25aa50e0ca397a5e5d4d6fcecefa8107877d1dd0 ]
+
+Add a testcase for multiple actions with different
+parameters on an event trigger, which has been fixed
+by commit 192c283e93bd ("tracing: Add action comparisons
+ when testing matching hist triggers").
+
+Link: http://lkml.kernel.org/r/152292055227.15769.6327959816123227152.stgit@devbox
+
+Reviewed-by: Tom Zanussi <tom.zanussi@linux.intel.com>
+Tested-by: Tom Zanussi <tom.zanussi@linux.intel.com>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-multi-actions-accept.tc | 44 ++++++++++
+ 1 file changed, 44 insertions(+)
+ create mode 100644 tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-multi-actions-accept.tc
+
+--- /dev/null
++++ b/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-multi-actions-accept.tc
+@@ -0,0 +1,44 @@
++#!/bin/sh
++# description: event trigger - test multiple actions on hist trigger
++
++
++do_reset() {
++ reset_trigger
++ echo > set_event
++ clear_trace
++}
++
++fail() { #msg
++ do_reset
++ echo $1
++ exit_fail
++}
++
++if [ ! -f set_event ]; then
++ echo "event tracing is not supported"
++ exit_unsupported
++fi
++
++if [ ! -f synthetic_events ]; then
++ echo "synthetic event is not supported"
++ exit_unsupported
++fi
++
++clear_synthetic_events
++reset_tracer
++do_reset
++
++echo "Test multiple actions on hist trigger"
++echo 'wakeup_latency u64 lat; pid_t pid' >> synthetic_events
++TRIGGER1=events/sched/sched_wakeup/trigger
++TRIGGER2=events/sched/sched_switch/trigger
++
++echo 'hist:keys=pid:ts0=common_timestamp.usecs if comm=="cyclictest"' > $TRIGGER1
++echo 'hist:keys=next_pid:wakeup_lat=common_timestamp.usecs-$ts0 if next_comm=="cyclictest"' >> $TRIGGER2
++echo 'hist:keys=next_pid:onmatch(sched.sched_wakeup).wakeup_latency(sched.sched_switch.$wakeup_lat,next_pid) if next_comm=="cyclictest"' >> $TRIGGER2
++echo 'hist:keys=next_pid:onmatch(sched.sched_wakeup).wakeup_latency(sched.sched_switch.$wakeup_lat,prev_pid) if next_comm=="cyclictest"' >> $TRIGGER2
++echo 'hist:keys=next_pid if next_comm=="cyclictest"' >> $TRIGGER2
++
++do_reset
++
++exit 0
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Rich Felker <dalias@libc.org>
+Date: Sat, 5 May 2018 16:40:23 -0400
+Subject: sh: fix build failure for J2 cpu with SMP disabled
+
+From: Rich Felker <dalias@libc.org>
+
+[ Upstream commit 6cb465972c4eb6741b3094a58a65e527fc63c100 ]
+
+The sh asm/smp.h defines a fallback hard_smp_processor_id macro for
+the !SMP case, but linux/smp.h never includes asm/smp.h in the !SMP
+case.
+
+Signed-off-by: Rich Felker <dalias@libc.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sh/kernel/cpu/sh2/probe.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/sh/kernel/cpu/sh2/probe.c
++++ b/arch/sh/kernel/cpu/sh2/probe.c
+@@ -43,7 +43,11 @@ void __ref cpu_probe(void)
+ #endif
+
+ #if defined(CONFIG_CPU_J2)
++#if defined(CONFIG_SMP)
+ unsigned cpu = hard_smp_processor_id();
++#else
++ unsigned cpu = 0;
++#endif
+ if (cpu == 0) of_scan_flat_dt(scan_cache, NULL);
+ if (j2_ccr_base) __raw_writel(0x80000303, j2_ccr_base + 4*cpu);
+ if (cpu != 0) return;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Rob Herring <robh@kernel.org>
+Date: Fri, 11 May 2018 08:45:59 -0500
+Subject: sh: switch to NO_BOOTMEM
+
+From: Rob Herring <robh@kernel.org>
+
+[ Upstream commit ac21fc2dcb405cf250ad3f1228f64f64930d9211 ]
+
+Commit 0fa1c579349f ("of/fdt: use memblock_virt_alloc for early alloc")
+inadvertently switched the DT unflattening allocations from memblock to
+bootmem which doesn't work because the unflattening happens before
+bootmem is initialized. Swapping the order of bootmem init and
+unflattening could also fix this, but removing bootmem is desired. So
+enable NO_BOOTMEM on SH like other architectures have done.
+
+Fixes: 0fa1c579349f ("of/fdt: use memblock_virt_alloc for early alloc")
+Reported-by: Rich Felker <dalias@libc.org>
+Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Rich Felker <dalias@libc.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sh/Kconfig | 1
+ arch/sh/kernel/setup.c | 1
+ arch/sh/mm/init.c | 68 ++++---------------------------------------------
+ arch/sh/mm/numa.c | 19 -------------
+ 4 files changed, 7 insertions(+), 82 deletions(-)
+
+--- a/arch/sh/Kconfig
++++ b/arch/sh/Kconfig
+@@ -9,6 +9,7 @@ config SUPERH
+ select HAVE_IDE if HAS_IOPORT_MAP
+ select HAVE_MEMBLOCK
+ select HAVE_MEMBLOCK_NODE_MAP
++ select NO_BOOTMEM
+ select ARCH_DISCARD_MEMBLOCK
+ select HAVE_OPROFILE
+ select HAVE_GENERIC_DMA_COHERENT
+--- a/arch/sh/kernel/setup.c
++++ b/arch/sh/kernel/setup.c
+@@ -11,7 +11,6 @@
+ #include <linux/ioport.h>
+ #include <linux/init.h>
+ #include <linux/initrd.h>
+-#include <linux/bootmem.h>
+ #include <linux/console.h>
+ #include <linux/root_dev.h>
+ #include <linux/utsname.h>
+--- a/arch/sh/mm/init.c
++++ b/arch/sh/mm/init.c
+@@ -211,59 +211,15 @@ void __init allocate_pgdat(unsigned int
+
+ NODE_DATA(nid) = __va(phys);
+ memset(NODE_DATA(nid), 0, sizeof(struct pglist_data));
+-
+- NODE_DATA(nid)->bdata = &bootmem_node_data[nid];
+ #endif
+
+ NODE_DATA(nid)->node_start_pfn = start_pfn;
+ NODE_DATA(nid)->node_spanned_pages = end_pfn - start_pfn;
+ }
+
+-static void __init bootmem_init_one_node(unsigned int nid)
+-{
+- unsigned long total_pages, paddr;
+- unsigned long end_pfn;
+- struct pglist_data *p;
+-
+- p = NODE_DATA(nid);
+-
+- /* Nothing to do.. */
+- if (!p->node_spanned_pages)
+- return;
+-
+- end_pfn = pgdat_end_pfn(p);
+-
+- total_pages = bootmem_bootmap_pages(p->node_spanned_pages);
+-
+- paddr = memblock_alloc(total_pages << PAGE_SHIFT, PAGE_SIZE);
+- if (!paddr)
+- panic("Can't allocate bootmap for nid[%d]\n", nid);
+-
+- init_bootmem_node(p, paddr >> PAGE_SHIFT, p->node_start_pfn, end_pfn);
+-
+- free_bootmem_with_active_regions(nid, end_pfn);
+-
+- /*
+- * XXX Handle initial reservations for the system memory node
+- * only for the moment, we'll refactor this later for handling
+- * reservations in other nodes.
+- */
+- if (nid == 0) {
+- struct memblock_region *reg;
+-
+- /* Reserve the sections we're already using. */
+- for_each_memblock(reserved, reg) {
+- reserve_bootmem(reg->base, reg->size, BOOTMEM_DEFAULT);
+- }
+- }
+-
+- sparse_memory_present_with_active_regions(nid);
+-}
+-
+ static void __init do_init_bootmem(void)
+ {
+ struct memblock_region *reg;
+- int i;
+
+ /* Add active regions with valid PFNs. */
+ for_each_memblock(memory, reg) {
+@@ -279,9 +235,12 @@ static void __init do_init_bootmem(void)
+
+ plat_mem_setup();
+
+- for_each_online_node(i)
+- bootmem_init_one_node(i);
++ for_each_memblock(memory, reg) {
++ int nid = memblock_get_region_node(reg);
+
++ memory_present(nid, memblock_region_memory_base_pfn(reg),
++ memblock_region_memory_end_pfn(reg));
++ }
+ sparse_init();
+ }
+
+@@ -322,7 +281,6 @@ void __init paging_init(void)
+ {
+ unsigned long max_zone_pfns[MAX_NR_ZONES];
+ unsigned long vaddr, end;
+- int nid;
+
+ sh_mv.mv_mem_init();
+
+@@ -377,21 +335,7 @@ void __init paging_init(void)
+ kmap_coherent_init();
+
+ memset(max_zone_pfns, 0, sizeof(max_zone_pfns));
+-
+- for_each_online_node(nid) {
+- pg_data_t *pgdat = NODE_DATA(nid);
+- unsigned long low, start_pfn;
+-
+- start_pfn = pgdat->bdata->node_min_pfn;
+- low = pgdat->bdata->node_low_pfn;
+-
+- if (max_zone_pfns[ZONE_NORMAL] < low)
+- max_zone_pfns[ZONE_NORMAL] = low;
+-
+- printk("Node %u: start_pfn = 0x%lx, low = 0x%lx\n",
+- nid, start_pfn, low);
+- }
+-
++ max_zone_pfns[ZONE_NORMAL] = max_low_pfn;
+ free_area_init_nodes(max_zone_pfns);
+ }
+
+--- a/arch/sh/mm/numa.c
++++ b/arch/sh/mm/numa.c
+@@ -8,7 +8,6 @@
+ * for more details.
+ */
+ #include <linux/module.h>
+-#include <linux/bootmem.h>
+ #include <linux/memblock.h>
+ #include <linux/mm.h>
+ #include <linux/numa.h>
+@@ -26,9 +25,7 @@ EXPORT_SYMBOL_GPL(node_data);
+ */
+ void __init setup_bootmem_node(int nid, unsigned long start, unsigned long end)
+ {
+- unsigned long bootmap_pages;
+ unsigned long start_pfn, end_pfn;
+- unsigned long bootmem_paddr;
+
+ /* Don't allow bogus node assignment */
+ BUG_ON(nid >= MAX_NUMNODES || nid <= 0);
+@@ -48,25 +45,9 @@ void __init setup_bootmem_node(int nid,
+ SMP_CACHE_BYTES, end));
+ memset(NODE_DATA(nid), 0, sizeof(struct pglist_data));
+
+- NODE_DATA(nid)->bdata = &bootmem_node_data[nid];
+ NODE_DATA(nid)->node_start_pfn = start_pfn;
+ NODE_DATA(nid)->node_spanned_pages = end_pfn - start_pfn;
+
+- /* Node-local bootmap */
+- bootmap_pages = bootmem_bootmap_pages(end_pfn - start_pfn);
+- bootmem_paddr = memblock_alloc_base(bootmap_pages << PAGE_SHIFT,
+- PAGE_SIZE, end);
+- init_bootmem_node(NODE_DATA(nid), bootmem_paddr >> PAGE_SHIFT,
+- start_pfn, end_pfn);
+-
+- free_bootmem_with_active_regions(nid, end_pfn);
+-
+- /* Reserve the pgdat and bootmap space with the bootmem allocator */
+- reserve_bootmem_node(NODE_DATA(nid), start_pfn << PAGE_SHIFT,
+- sizeof(struct pglist_data), BOOTMEM_DEFAULT);
+- reserve_bootmem_node(NODE_DATA(nid), bootmem_paddr,
+- bootmap_pages << PAGE_SHIFT, BOOTMEM_DEFAULT);
+-
+ /* It's up */
+ node_set_online(nid);
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Stefan Raspl <stefan.raspl@linux.ibm.com>
+Date: Thu, 3 May 2018 17:57:39 +0200
+Subject: smc: fix sendpage() call
+
+From: Stefan Raspl <stefan.raspl@linux.ibm.com>
+
+[ Upstream commit bda27ff5c4526f80a7620a94ecfe8dca153e3696 ]
+
+The sendpage() call grabs the sock lock before calling the default
+implementation - which tries to grab it once again.
+
+Signed-off-by: Stefan Raspl <raspl@linux.ibm.com>
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com><
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/smc/af_smc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -1313,8 +1313,11 @@ static ssize_t smc_sendpage(struct socke
+
+ smc = smc_sk(sk);
+ lock_sock(sk);
+- if (sk->sk_state != SMC_ACTIVE)
++ if (sk->sk_state != SMC_ACTIVE) {
++ release_sock(sk);
+ goto out;
++ }
++ release_sock(sk);
+ if (smc->use_fallback)
+ rc = kernel_sendpage(smc->clcsock, page, offset,
+ size, flags);
+@@ -1322,7 +1325,6 @@ static ssize_t smc_sendpage(struct socke
+ rc = sock_no_sendpage(sock, page, offset, size, flags);
+
+ out:
+- release_sock(sk);
+ return rc;
+ }
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Sun, 1 Apr 2018 09:42:25 -0700
+Subject: soc: bcm: raspberrypi-power: Fix use of __packed
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 0a12e80ce4230434c2ed66ad0d65af0b7ccecea8 ]
+
+Commit a09cd356586d ("ARM: bcm2835: add rpi power domain driver")
+attempted to annotate the structure rpi_power_domain_packet with
+__packed but introduced a typo and made it named __packet instead. Just
+drop the annotation since the structure is naturally aligned already.
+
+Fixes: a09cd356586d ("ARM: bcm2835: add rpi power domain driver")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/bcm/raspberrypi-power.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/soc/bcm/raspberrypi-power.c
++++ b/drivers/soc/bcm/raspberrypi-power.c
+@@ -45,7 +45,7 @@ struct rpi_power_domains {
+ struct rpi_power_domain_packet {
+ u32 domain;
+ u32 on;
+-} __packet;
++};
+
+ /*
+ * Asks the firmware to enable or disable power on a specific power
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Sun, 8 Apr 2018 11:05:15 +0200
+Subject: soc: bcm2835: Make !RASPBERRYPI_FIRMWARE dummies return failure
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit 144345a4a8c3b497a3f60d3af9d6071a37660186 ]
+
+If CONFIG_RASPBERRYPI_FIRMWARE=n:
+
+ drivers/gpio/gpio-raspberrypi-exp.c: In function ‘rpi_exp_gpio_get_polarity’:
+ drivers/gpio/gpio-raspberrypi-exp.c:71: warning: ‘get.polarity’ is used uninitialized in this function
+ drivers/gpio/gpio-raspberrypi-exp.c: In function ‘rpi_exp_gpio_get_direction’:
+ drivers/gpio/gpio-raspberrypi-exp.c:150: warning: ‘get.direction’ is used uninitialized in this function
+
+The dummy firmware interface functions return 0, which means success,
+causing subsequent code to make use of the never initialized output
+parameter.
+
+Fix this by making the dummy functions return an error code (-ENOSYS)
+instead.
+
+Note that this assumes the firmware always fills in the requested data
+in the CONFIG_RASPBERRYPI_FIRMWARE=y case.
+
+Fixes: d45f1a563b92dac7 ("staging: vc04_services: fix up rpi firmware functions")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/soc/bcm2835/raspberrypi-firmware.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/soc/bcm2835/raspberrypi-firmware.h
++++ b/include/soc/bcm2835/raspberrypi-firmware.h
+@@ -125,13 +125,13 @@ struct rpi_firmware *rpi_firmware_get(st
+ static inline int rpi_firmware_property(struct rpi_firmware *fw, u32 tag,
+ void *data, size_t len)
+ {
+- return 0;
++ return -ENOSYS;
+ }
+
+ static inline int rpi_firmware_property_list(struct rpi_firmware *fw,
+ void *data, size_t tag_size)
+ {
+- return 0;
++ return -ENOSYS;
+ }
+
+ static inline struct rpi_firmware *rpi_firmware_get(struct device_node *firmware_node)
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Rob Herring <robh@kernel.org>
+Date: Thu, 3 May 2018 13:09:44 -0500
+Subject: spi: bcm2835aux: ensure interrupts are enabled for shared handler
+
+From: Rob Herring <robh@kernel.org>
+
+[ Upstream commit bc519d9574618e47a0c788000fb78da95e18d953 ]
+
+The BCM2835 AUX SPI has a shared interrupt line (with AUX UART).
+Downstream fixes this with an AUX irqchip to demux the IRQ sources and a
+DT change which breaks compatibility with older kernels. The AUX irqchip
+was already rejected for upstream[1] and the DT change would break
+working systems if the DTB is updated to a newer one. The latter issue
+was brought to my attention by Alex Graf.
+
+The root cause however is a bug in the shared handler. Shared handlers
+must check that interrupts are actually enabled before servicing the
+interrupt. Add a check that the TXEMPTY or IDLE interrupts are enabled.
+
+[1] https://patchwork.kernel.org/patch/9781221/
+
+Cc: Alexander Graf <agraf@suse.de>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Eric Anholt <eric@anholt.net>
+Cc: Stefan Wahren <stefan.wahren@i2se.com>
+Cc: Florian Fainelli <f.fainelli@gmail.com>
+Cc: Ray Jui <rjui@broadcom.com>
+Cc: Scott Branden <sbranden@broadcom.com>
+Cc: bcm-kernel-feedback-list@broadcom.com
+Cc: linux-spi@vger.kernel.org
+Cc: linux-rpi-kernel@lists.infradead.org
+Cc: linux-arm-kernel@lists.infradead.org
+Signed-off-by: Rob Herring <robh@kernel.org>
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-bcm2835aux.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/spi/spi-bcm2835aux.c
++++ b/drivers/spi/spi-bcm2835aux.c
+@@ -184,6 +184,11 @@ static irqreturn_t bcm2835aux_spi_interr
+ struct bcm2835aux_spi *bs = spi_master_get_devdata(master);
+ irqreturn_t ret = IRQ_NONE;
+
++ /* IRQ may be shared, so return if our interrupts are disabled */
++ if (!(bcm2835aux_rd(bs, BCM2835_AUX_SPI_CNTL1) &
++ (BCM2835_AUX_SPI_CNTL1_TXEMPTY | BCM2835_AUX_SPI_CNTL1_IDLE)))
++ return ret;
++
+ /* check if we have data to read */
+ while (bs->rx_len &&
+ (!(bcm2835aux_rd(bs, BCM2835_AUX_SPI_STAT) &
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: sxauwsk <sxauwsk@163.com>
+Date: Tue, 17 Apr 2018 04:01:27 +0800
+Subject: spi: cadence: Add usleep_range() for cdns_spi_fill_tx_fifo()
+
+From: sxauwsk <sxauwsk@163.com>
+
+[ Upstream commit 49530e6411789c1b9ea3ebc58e520c19d1c3752f ]
+
+In case of xspi work in busy condition, may send bytes failed.
+once something wrong, spi controller did't work any more
+
+My test found this situation appear in both of read/write process.
+so when TX FIFO is full, add one byte delay before send data;
+
+Signed-off-by: sxauwsk <sxauwsk@163.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-cadence.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/spi/spi-cadence.c
++++ b/drivers/spi/spi-cadence.c
+@@ -313,6 +313,14 @@ static void cdns_spi_fill_tx_fifo(struct
+
+ while ((trans_cnt < CDNS_SPI_FIFO_DEPTH) &&
+ (xspi->tx_bytes > 0)) {
++
++ /* When xspi in busy condition, bytes may send failed,
++ * then spi control did't work thoroughly, add one byte delay
++ */
++ if (cdns_spi_read(xspi, CDNS_SPI_ISR) &
++ CDNS_SPI_IXR_TXFULL)
++ usleep_range(10, 20);
++
+ if (xspi->txbuf)
+ cdns_spi_write(xspi, CDNS_SPI_TXD, *xspi->txbuf++);
+ else
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
+Date: Fri, 13 Apr 2018 15:44:16 +0300
+Subject: spi: sh-msiof: Fix bit field overflow writes to TSCR/RSCR
+
+From: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
+
+[ Upstream commit 10b4640833e95eeacaef8060bc1b35e636df3218 ]
+
+The change fixes a bit field overflow which allows to write to higher
+bits while calculating SPI transfer clock and setting BRPS and BRDV
+bit fields, the problem is reproduced if 'parent_rate' to 'spi_hz'
+ratio is greater than 1024, for instance
+
+ p->min_div = 2,
+ MSO rate = 33333333,
+ SPI device rate = 10000
+
+results in
+
+ k = 5, i.e. BRDV = 0b100 or 1/32 prescaler output,
+ BRPS = 105,
+ TSCR value = 0x6804, thus MSSEL and MSIMM bit fields are non-zero.
+
+Fixes: 65d5665bb260 ("spi: sh-msiof: Update calculation of frequency dividing")
+Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-sh-msiof.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/spi/spi-sh-msiof.c
++++ b/drivers/spi/spi-sh-msiof.c
+@@ -283,6 +283,7 @@ static void sh_msiof_spi_set_clk_regs(st
+ }
+
+ k = min_t(int, k, ARRAY_SIZE(sh_msiof_spi_div_table) - 1);
++ brps = min_t(int, brps, 32);
+
+ scr = sh_msiof_spi_div_table[k].brdv | SCR_BRPS(brps);
+ sh_msiof_write(p, TSCR, scr);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Fri, 20 Apr 2018 11:50:05 +0200
+Subject: stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 0b26351b910fb8fe6a056f8a1bbccabe50c0e19f ]
+
+Matt reported the following deadlock:
+
+CPU0 CPU1
+
+schedule(.prev=migrate/0) <fault>
+ pick_next_task() ...
+ idle_balance() migrate_swap()
+ active_balance() stop_two_cpus()
+ spin_lock(stopper0->lock)
+ spin_lock(stopper1->lock)
+ ttwu(migrate/0)
+ smp_cond_load_acquire() -- waits for schedule()
+ stop_one_cpu(1)
+ spin_lock(stopper1->lock) -- waits for stopper lock
+
+Fix this deadlock by taking the wakeups out from under stopper->lock.
+This allows the active_balance() to queue the stop work and finish the
+context switch, which in turn allows the wakeup from migrate_swap() to
+observe the context and complete the wakeup.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reported-by: Matt Fleming <matt@codeblueprint.co.uk>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Mike Galbraith <umgwanakikbuti@gmail.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20180420095005.GH4064@hirez.programming.kicks-ass.net
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/stop_machine.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/kernel/stop_machine.c
++++ b/kernel/stop_machine.c
+@@ -21,6 +21,7 @@
+ #include <linux/smpboot.h>
+ #include <linux/atomic.h>
+ #include <linux/nmi.h>
++#include <linux/sched/wake_q.h>
+
+ /*
+ * Structure to determine completion condition and record errors. May
+@@ -65,27 +66,31 @@ static void cpu_stop_signal_done(struct
+ }
+
+ static void __cpu_stop_queue_work(struct cpu_stopper *stopper,
+- struct cpu_stop_work *work)
++ struct cpu_stop_work *work,
++ struct wake_q_head *wakeq)
+ {
+ list_add_tail(&work->list, &stopper->works);
+- wake_up_process(stopper->thread);
++ wake_q_add(wakeq, stopper->thread);
+ }
+
+ /* queue @work to @stopper. if offline, @work is completed immediately */
+ static bool cpu_stop_queue_work(unsigned int cpu, struct cpu_stop_work *work)
+ {
+ struct cpu_stopper *stopper = &per_cpu(cpu_stopper, cpu);
++ DEFINE_WAKE_Q(wakeq);
+ unsigned long flags;
+ bool enabled;
+
+ spin_lock_irqsave(&stopper->lock, flags);
+ enabled = stopper->enabled;
+ if (enabled)
+- __cpu_stop_queue_work(stopper, work);
++ __cpu_stop_queue_work(stopper, work, &wakeq);
+ else if (work->done)
+ cpu_stop_signal_done(work->done);
+ spin_unlock_irqrestore(&stopper->lock, flags);
+
++ wake_up_q(&wakeq);
++
+ return enabled;
+ }
+
+@@ -229,6 +234,7 @@ static int cpu_stop_queue_two_works(int
+ {
+ struct cpu_stopper *stopper1 = per_cpu_ptr(&cpu_stopper, cpu1);
+ struct cpu_stopper *stopper2 = per_cpu_ptr(&cpu_stopper, cpu2);
++ DEFINE_WAKE_Q(wakeq);
+ int err;
+ retry:
+ spin_lock_irq(&stopper1->lock);
+@@ -252,8 +258,8 @@ retry:
+ goto unlock;
+
+ err = 0;
+- __cpu_stop_queue_work(stopper1, work1);
+- __cpu_stop_queue_work(stopper2, work2);
++ __cpu_stop_queue_work(stopper1, work1, &wakeq);
++ __cpu_stop_queue_work(stopper2, work2, &wakeq);
+ unlock:
+ spin_unlock(&stopper2->lock);
+ spin_unlock_irq(&stopper1->lock);
+@@ -263,6 +269,9 @@ unlock:
+ cpu_relax();
+ goto retry;
+ }
++
++ wake_up_q(&wakeq);
++
+ return err;
+ }
+ /**
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Etienne Carriere <etienne.carriere@linaro.org>
+Date: Sun, 29 Apr 2018 14:22:29 +0200
+Subject: tee: check shm references are consistent in offset/size
+
+From: Etienne Carriere <etienne.carriere@linaro.org>
+
+[ Upstream commit ab9d3db5b320a052452b9cd035599ee3c84bbee9 ]
+
+This change prevents userland from referencing TEE shared memory
+outside the area initially allocated by its owner. Prior this change an
+application could not reference or access memory it did not own but
+it could reference memory not explicitly allocated by owner but still
+allocated to the owner due to the memory allocation granule.
+
+Reported-by: Alexandre Jutras <alexandre.jutras@nxp.com>
+Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tee/tee_core.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/tee/tee_core.c
++++ b/drivers/tee/tee_core.c
+@@ -238,6 +238,17 @@ static int params_from_user(struct tee_c
+ if (IS_ERR(shm))
+ return PTR_ERR(shm);
+
++ /*
++ * Ensure offset + size does not overflow offset
++ * and does not overflow the size of the referred
++ * shared memory object.
++ */
++ if ((ip.a + ip.b) < ip.a ||
++ (ip.a + ip.b) > shm->size) {
++ tee_shm_put(shm);
++ return -EINVAL;
++ }
++
+ params[n].u.memref.shm_offs = ip.a;
+ params[n].u.memref.size = ip.b;
+ params[n].u.memref.shm = shm;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sun, 22 Apr 2018 19:56:17 +0200
+Subject: thermal: int3403_thermal: Fix NULL pointer deref on module load / probe
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 13b86f50eaaddaea4bdd2fe476fd12e6a0951add ]
+
+Starting with kernel 4.17 thermal_cooling_device_register() will call the
+get_max_state() op during register.
+
+Since we deref priv->priv in int3403_get_max_state() this means we must
+set priv->priv before calling thermal_cooling_device_register().
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/int340x_thermal/int3403_thermal.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/thermal/int340x_thermal/int3403_thermal.c
++++ b/drivers/thermal/int340x_thermal/int3403_thermal.c
+@@ -194,6 +194,7 @@ static int int3403_cdev_add(struct int34
+ return -EFAULT;
+ }
+
++ priv->priv = obj;
+ obj->max_state = p->package.count - 1;
+ obj->cdev =
+ thermal_cooling_device_register(acpi_device_bid(priv->adev),
+@@ -201,8 +202,6 @@ static int int3403_cdev_add(struct int34
+ if (IS_ERR(obj->cdev))
+ result = PTR_ERR(obj->cdev);
+
+- priv->priv = obj;
+-
+ kfree(buf.pointer);
+ /* TODO: add ACPI notification support */
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Ying Xue <ying.xue@windriver.com>
+Date: Tue, 8 May 2018 21:44:06 +0800
+Subject: tipc: eliminate KMSAN uninit-value in strcmp complaint
+
+From: Ying Xue <ying.xue@windriver.com>
+
+[ Upstream commit 94f6a80c0c11828cb7b3d79294459dd8d761ca89 ]
+
+When we get link properties through netlink interface with
+tipc_nl_node_get_link(), we don't validate TIPC_NLA_LINK_NAME
+attribute at all, instead we directly use it. As a consequence,
+KMSAN detected the TIPC_NLA_LINK_NAME attribute was an uninitialized
+value, and then posted the following complaint:
+
+==================================================================
+BUG: KMSAN: uninit-value in strcmp+0xf7/0x160 lib/string.c:329
+CPU: 1 PID: 4527 Comm: syz-executor655 Not tainted 4.16.0+ #87
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
+ strcmp+0xf7/0x160 lib/string.c:329
+ tipc_nl_node_get_link+0x220/0x6f0 net/tipc/node.c:1881
+ genl_family_rcv_msg net/netlink/genetlink.c:599 [inline]
+ genl_rcv_msg+0x1686/0x1810 net/netlink/genetlink.c:624
+ netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2447
+ genl_rcv+0x63/0x80 net/netlink/genetlink.c:635
+ netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
+ netlink_unicast+0x166b/0x1740 net/netlink/af_netlink.c:1337
+ netlink_sendmsg+0x1048/0x1310 net/netlink/af_netlink.c:1900
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
+ __sys_sendmsg net/socket.c:2080 [inline]
+ SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
+ SyS_sendmsg+0x54/0x80 net/socket.c:2087
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x445589
+RSP: 002b:00007fb7ee66cdb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00000000006dac24 RCX: 0000000000445589
+RDX: 0000000000000000 RSI: 0000000020023000 RDI: 0000000000000003
+RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007fffa2bf3f3f R14: 00007fb7ee66d9c0 R15: 0000000000000001
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
+ kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
+ slab_post_alloc_hook mm/slab.h:445 [inline]
+ slab_alloc_node mm/slub.c:2737 [inline]
+ __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
+ __kmalloc_reserve net/core/skbuff.c:138 [inline]
+ __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
+ alloc_skb include/linux/skbuff.h:984 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1183 [inline]
+ netlink_sendmsg+0x9a6/0x1310 net/netlink/af_netlink.c:1875
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
+ __sys_sendmsg net/socket.c:2080 [inline]
+ SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
+ SyS_sendmsg+0x54/0x80 net/socket.c:2087
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+==================================================================
+
+To quiet the complaint, TIPC_NLA_LINK_NAME attribute has been
+validated in tipc_nl_node_get_link() before it's used.
+
+Reported-by: syzbot+df0257c92ffd4fcc58cd@syzkaller.appspotmail.com
+Signed-off-by: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/node.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/net/tipc/node.c
++++ b/net/tipc/node.c
+@@ -1863,6 +1863,7 @@ out:
+ int tipc_nl_node_get_link(struct sk_buff *skb, struct genl_info *info)
+ {
+ struct net *net = genl_info_net(info);
++ struct nlattr *attrs[TIPC_NLA_LINK_MAX + 1];
+ struct tipc_nl_msg msg;
+ char *name;
+ int err;
+@@ -1870,9 +1871,19 @@ int tipc_nl_node_get_link(struct sk_buff
+ msg.portid = info->snd_portid;
+ msg.seq = info->snd_seq;
+
+- if (!info->attrs[TIPC_NLA_LINK_NAME])
++ if (!info->attrs[TIPC_NLA_LINK])
+ return -EINVAL;
+- name = nla_data(info->attrs[TIPC_NLA_LINK_NAME]);
++
++ err = nla_parse_nested(attrs, TIPC_NLA_LINK_MAX,
++ info->attrs[TIPC_NLA_LINK],
++ tipc_nl_link_policy, info->extack);
++ if (err)
++ return err;
++
++ if (!attrs[TIPC_NLA_LINK_NAME])
++ return -EINVAL;
++
++ name = nla_data(attrs[TIPC_NLA_LINK_NAME]);
+
+ msg.skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
+ if (!msg.skb)
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Jon Maloy <jon.maloy@ericsson.com>
+Date: Wed, 25 Apr 2018 18:29:25 +0200
+Subject: tipc: fix bug in function tipc_nl_node_dump_monitor
+
+From: Jon Maloy <jon.maloy@ericsson.com>
+
+[ Upstream commit 7dbc73e6124ce4d0cfbdd6166de388e9367c47ad ]
+
+Commit 36a50a989ee8 ("tipc: fix infinite loop when dumping link monitor
+summary") intended to fix a problem with user tool looping when max
+number of bearers are enabled.
+
+Unfortunately, the wrong version of the commit was posted, so the
+problem was not solved at all.
+
+This commit adds the missing part.
+
+Fixes: 36a50a989ee8 ("tipc: fix infinite loop when dumping link monitor summary")
+Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/node.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/tipc/node.c
++++ b/net/tipc/node.c
+@@ -2157,7 +2157,7 @@ int tipc_nl_node_dump_monitor(struct sk_
+
+ rtnl_lock();
+ for (bearer_id = prev_bearer; bearer_id < MAX_BEARERS; bearer_id++) {
+- err = __tipc_nl_add_monitor(net, &msg, prev_bearer);
++ err = __tipc_nl_add_monitor(net, &msg, bearer_id);
+ if (err)
+ break;
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+Date: Tue, 17 Apr 2018 21:58:27 +0200
+Subject: tipc: fix infinite loop when dumping link monitor summary
+
+From: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+
+[ Upstream commit 36a50a989ee8267588de520b8704b85f045a3220 ]
+
+When configuring the number of used bearers to MAX_BEARER and issuing
+command "tipc link monitor summary", the command enters infinite loop
+in user space.
+
+This issue happens because function tipc_nl_node_dump_monitor() returns
+the wrong 'prev_bearer' value when all potential monitors have been
+scanned.
+
+The correct behavior is to always try to scan all monitors until either
+the netlink message is full, in which case we return the bearer identity
+of the affected monitor, or we continue through the whole bearer array
+until we can return MAX_BEARERS. This solution also caters for the case
+where there may be gaps in the bearer array.
+
+Signed-off-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/monitor.c | 2 +-
+ net/tipc/node.c | 11 ++++-------
+ 2 files changed, 5 insertions(+), 8 deletions(-)
+
+--- a/net/tipc/monitor.c
++++ b/net/tipc/monitor.c
+@@ -777,7 +777,7 @@ int __tipc_nl_add_monitor(struct net *ne
+
+ ret = tipc_bearer_get_name(net, bearer_name, bearer_id);
+ if (ret || !mon)
+- return -EINVAL;
++ return 0;
+
+ hdr = genlmsg_put(msg->skb, msg->portid, msg->seq, &tipc_genl_family,
+ NLM_F_MULTI, TIPC_NL_MON_GET);
+--- a/net/tipc/node.c
++++ b/net/tipc/node.c
+@@ -2145,8 +2145,8 @@ int tipc_nl_node_dump_monitor(struct sk_
+ struct net *net = sock_net(skb->sk);
+ u32 prev_bearer = cb->args[0];
+ struct tipc_nl_msg msg;
++ int bearer_id;
+ int err;
+- int i;
+
+ if (prev_bearer == MAX_BEARERS)
+ return 0;
+@@ -2156,16 +2156,13 @@ int tipc_nl_node_dump_monitor(struct sk_
+ msg.seq = cb->nlh->nlmsg_seq;
+
+ rtnl_lock();
+- for (i = prev_bearer; i < MAX_BEARERS; i++) {
+- prev_bearer = i;
++ for (bearer_id = prev_bearer; bearer_id < MAX_BEARERS; bearer_id++) {
+ err = __tipc_nl_add_monitor(net, &msg, prev_bearer);
+ if (err)
+- goto out;
++ break;
+ }
+-
+-out:
+ rtnl_unlock();
+- cb->args[0] = prev_bearer;
++ cb->args[0] = bearer_id;
+
+ return skb->len;
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Wed, 9 May 2018 21:58:45 +0900
+Subject: uprobes/x86: Prohibit probing on MOV SS instruction
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit 13ebe18c94f5b0665c01ae7fad2717ae959f4212 ]
+
+Since MOV SS and POP SS instructions will delay the exceptions until the
+next instruction is executed, single-stepping on it by uprobes must be
+prohibited.
+
+uprobe already rejects probing on POP SS (0x1f), but allows probing on MOV
+SS (0x8e and reg == 2). This checks the target instruction and if it is
+MOV SS or POP SS, returns -ENOTSUPP to reject probing.
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
+Cc: Francis Deslauriers <francis.deslauriers@efficios.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: "H . Peter Anvin" <hpa@zytor.com>
+Cc: Yonghong Song <yhs@fb.com>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: "David S . Miller" <davem@davemloft.net>
+Link: https://lkml.kernel.org/r/152587072544.17316.5950935243917346341.stgit@devbox
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/uprobes.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/x86/kernel/uprobes.c
++++ b/arch/x86/kernel/uprobes.c
+@@ -299,6 +299,10 @@ static int uprobe_init_insn(struct arch_
+ if (is_prefix_bad(insn))
+ return -ENOTSUPP;
+
++ /* We should not singlestep on the exception masking instructions */
++ if (insn_masking_exception(insn))
++ return -ENOTSUPP;
++
+ if (x86_64)
+ good_insns = good_insns_64;
+ else
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: "Daniel Glöckner" <dg@emlix.com>
+Date: Mon, 14 May 2018 09:40:05 -0500
+Subject: usb: musb: fix remote wakeup racing with suspend
+
+From: "Daniel Glöckner" <dg@emlix.com>
+
+[ Upstream commit ebc3dd688cd988754a304147753b13e58de1b5a1 ]
+
+It has been observed that writing 0xF2 to the power register while it
+reads as 0xF4 results in the register having the value 0xF0, i.e. clearing
+RESUME and setting SUSPENDM in one go does not work. It might also violate
+the USB spec to transition directly from resume to suspend, especially
+when not taking T_DRSMDN into account. But this is what happens when a
+remote wakeup occurs between SetPortFeature USB_PORT_FEAT_SUSPEND on the
+root hub and musb_bus_suspend being called.
+
+This commit returns -EBUSY when musb_bus_suspend is called while remote
+wakeup is signalled and thus avoids to reset the RESUME bit. Ignoring
+this error when musb_port_suspend is called from musb_hub_control is ok.
+
+Signed-off-by: Daniel Glöckner <dg@emlix.com>
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/musb/musb_host.c | 5 ++++-
+ drivers/usb/musb/musb_host.h | 7 +++++--
+ drivers/usb/musb/musb_virthub.c | 25 +++++++++++++++----------
+ 3 files changed, 24 insertions(+), 13 deletions(-)
+
+--- a/drivers/usb/musb/musb_host.c
++++ b/drivers/usb/musb/musb_host.c
+@@ -2530,8 +2530,11 @@ static int musb_bus_suspend(struct usb_h
+ {
+ struct musb *musb = hcd_to_musb(hcd);
+ u8 devctl;
++ int ret;
+
+- musb_port_suspend(musb, true);
++ ret = musb_port_suspend(musb, true);
++ if (ret)
++ return ret;
+
+ if (!is_host_active(musb))
+ return 0;
+--- a/drivers/usb/musb/musb_host.h
++++ b/drivers/usb/musb/musb_host.h
+@@ -67,7 +67,7 @@ extern void musb_host_rx(struct musb *,
+ extern void musb_root_disconnect(struct musb *musb);
+ extern void musb_host_resume_root_hub(struct musb *musb);
+ extern void musb_host_poke_root_hub(struct musb *musb);
+-extern void musb_port_suspend(struct musb *musb, bool do_suspend);
++extern int musb_port_suspend(struct musb *musb, bool do_suspend);
+ extern void musb_port_reset(struct musb *musb, bool do_reset);
+ extern void musb_host_finish_resume(struct work_struct *work);
+ #else
+@@ -99,7 +99,10 @@ static inline void musb_root_disconnect(
+ static inline void musb_host_resume_root_hub(struct musb *musb) {}
+ static inline void musb_host_poll_rh_status(struct musb *musb) {}
+ static inline void musb_host_poke_root_hub(struct musb *musb) {}
+-static inline void musb_port_suspend(struct musb *musb, bool do_suspend) {}
++static inline int musb_port_suspend(struct musb *musb, bool do_suspend)
++{
++ return 0;
++}
+ static inline void musb_port_reset(struct musb *musb, bool do_reset) {}
+ static inline void musb_host_finish_resume(struct work_struct *work) {}
+ #endif
+--- a/drivers/usb/musb/musb_virthub.c
++++ b/drivers/usb/musb/musb_virthub.c
+@@ -48,14 +48,14 @@ void musb_host_finish_resume(struct work
+ spin_unlock_irqrestore(&musb->lock, flags);
+ }
+
+-void musb_port_suspend(struct musb *musb, bool do_suspend)
++int musb_port_suspend(struct musb *musb, bool do_suspend)
+ {
+ struct usb_otg *otg = musb->xceiv->otg;
+ u8 power;
+ void __iomem *mbase = musb->mregs;
+
+ if (!is_host_active(musb))
+- return;
++ return 0;
+
+ /* NOTE: this doesn't necessarily put PHY into low power mode,
+ * turning off its clock; that's a function of PHY integration and
+@@ -66,16 +66,20 @@ void musb_port_suspend(struct musb *musb
+ if (do_suspend) {
+ int retries = 10000;
+
+- power &= ~MUSB_POWER_RESUME;
+- power |= MUSB_POWER_SUSPENDM;
+- musb_writeb(mbase, MUSB_POWER, power);
++ if (power & MUSB_POWER_RESUME)
++ return -EBUSY;
++
++ if (!(power & MUSB_POWER_SUSPENDM)) {
++ power |= MUSB_POWER_SUSPENDM;
++ musb_writeb(mbase, MUSB_POWER, power);
+
+- /* Needed for OPT A tests */
+- power = musb_readb(mbase, MUSB_POWER);
+- while (power & MUSB_POWER_SUSPENDM) {
++ /* Needed for OPT A tests */
+ power = musb_readb(mbase, MUSB_POWER);
+- if (retries-- < 1)
+- break;
++ while (power & MUSB_POWER_SUSPENDM) {
++ power = musb_readb(mbase, MUSB_POWER);
++ if (retries-- < 1)
++ break;
++ }
+ }
+
+ musb_dbg(musb, "Root port suspended, power %02x", power);
+@@ -111,6 +115,7 @@ void musb_port_suspend(struct musb *musb
+ schedule_delayed_work(&musb->finish_resume_work,
+ msecs_to_jiffies(USB_RESUME_TIMEOUT));
+ }
++ return 0;
+ }
+
+ void musb_port_reset(struct musb *musb, bool do_reset)
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Date: Wed, 25 Apr 2018 17:22:09 +0300
+Subject: usb: typec: tps6598x: handle block reads separately with plain-I2C adapters
+
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+
+[ Upstream commit 1a2f474d328f292ee706414824ec4ca690cdf5ba ]
+
+If the I2C adapter that the PD controller is attached to
+does not support SMBus protocol, the driver needs to handle
+block reads separately. The first byte returned in block
+read protocol will show the total number of bytes. It needs
+to be stripped away.
+
+This is handled separately in the driver only because right
+now we have no way of requesting the used protocol with
+regmap-i2c. This is in practice a workaround for what is
+really a problem in regmap-i2c. The other option would have
+been to register custom regmap, or not use regmap at all,
+however, since the solution is very simple, I choose to use
+it in this case for convenience. It is easy to remove once
+we figure out how to handle this kind of cases in
+regmap-i2c.
+
+Fixes: 0a4c005bd171 ("usb: typec: driver for TI TPS6598x USB Power Delivery controllers")
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tps6598x.c | 47 +++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 39 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/typec/tps6598x.c
++++ b/drivers/usb/typec/tps6598x.c
+@@ -73,6 +73,7 @@ struct tps6598x {
+ struct device *dev;
+ struct regmap *regmap;
+ struct mutex lock; /* device lock */
++ u8 i2c_protocol:1;
+
+ struct typec_port *port;
+ struct typec_partner *partner;
+@@ -80,19 +81,39 @@ struct tps6598x {
+ struct typec_capability typec_cap;
+ };
+
++static int
++tps6598x_block_read(struct tps6598x *tps, u8 reg, void *val, size_t len)
++{
++ u8 data[len + 1];
++ int ret;
++
++ if (!tps->i2c_protocol)
++ return regmap_raw_read(tps->regmap, reg, val, len);
++
++ ret = regmap_raw_read(tps->regmap, reg, data, sizeof(data));
++ if (ret)
++ return ret;
++
++ if (data[0] < len)
++ return -EIO;
++
++ memcpy(val, &data[1], len);
++ return 0;
++}
++
+ static inline int tps6598x_read16(struct tps6598x *tps, u8 reg, u16 *val)
+ {
+- return regmap_raw_read(tps->regmap, reg, val, sizeof(u16));
++ return tps6598x_block_read(tps, reg, val, sizeof(u16));
+ }
+
+ static inline int tps6598x_read32(struct tps6598x *tps, u8 reg, u32 *val)
+ {
+- return regmap_raw_read(tps->regmap, reg, val, sizeof(u32));
++ return tps6598x_block_read(tps, reg, val, sizeof(u32));
+ }
+
+ static inline int tps6598x_read64(struct tps6598x *tps, u8 reg, u64 *val)
+ {
+- return regmap_raw_read(tps->regmap, reg, val, sizeof(u64));
++ return tps6598x_block_read(tps, reg, val, sizeof(u64));
+ }
+
+ static inline int tps6598x_write16(struct tps6598x *tps, u8 reg, u16 val)
+@@ -121,8 +142,8 @@ static int tps6598x_read_partner_identit
+ struct tps6598x_rx_identity_reg id;
+ int ret;
+
+- ret = regmap_raw_read(tps->regmap, TPS_REG_RX_IDENTITY_SOP,
+- &id, sizeof(id));
++ ret = tps6598x_block_read(tps, TPS_REG_RX_IDENTITY_SOP,
++ &id, sizeof(id));
+ if (ret)
+ return ret;
+
+@@ -223,13 +244,13 @@ static int tps6598x_exec_cmd(struct tps6
+ } while (val);
+
+ if (out_len) {
+- ret = regmap_raw_read(tps->regmap, TPS_REG_DATA1,
+- out_data, out_len);
++ ret = tps6598x_block_read(tps, TPS_REG_DATA1,
++ out_data, out_len);
+ if (ret)
+ return ret;
+ val = out_data[0];
+ } else {
+- ret = regmap_read(tps->regmap, TPS_REG_DATA1, &val);
++ ret = tps6598x_block_read(tps, TPS_REG_DATA1, &val, sizeof(u8));
+ if (ret)
+ return ret;
+ }
+@@ -384,6 +405,16 @@ static int tps6598x_probe(struct i2c_cli
+ if (!vid)
+ return -ENODEV;
+
++ /*
++ * Checking can the adapter handle SMBus protocol. If it can not, the
++ * driver needs to take care of block reads separately.
++ *
++ * FIXME: Testing with I2C_FUNC_I2C. regmap-i2c uses I2C protocol
++ * unconditionally if the adapter has I2C_FUNC_I2C set.
++ */
++ if (i2c_check_functionality(client->adapter, I2C_FUNC_I2C))
++ tps->i2c_protocol = true;
++
+ ret = tps6598x_read32(tps, TPS_REG_STATUS, &status);
+ if (ret < 0)
+ return ret;
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Tobias Regnery <tobias.regnery@gmail.com>
+Date: Tue, 10 Apr 2018 10:38:06 +0200
+Subject: usb: typec: ucsi: fix tracepoint related build error
+
+From: Tobias Regnery <tobias.regnery@gmail.com>
+
+[ Upstream commit 2f860691c2d2e3af1404ffeb2d22dd5c3dbca811 ]
+
+There is the following build error with CONFIG_TYPEC_UCSI=m, CONFIG_FTRACE=y
+and CONFIG_TRACING=n:
+
+ERROR: "__tracepoint_ucsi_command" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined!
+ERROR: "__tracepoint_ucsi_register_port" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined!
+ERROR: "__tracepoint_ucsi_notify" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined!
+ERROR: "__tracepoint_ucsi_reset_ppm" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined!
+ERROR: "__tracepoint_ucsi_run_command" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined!
+ERROR: "__tracepoint_ucsi_ack" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined!
+ERROR: "__tracepoint_ucsi_connector_change" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined!
+
+This compination is quite hard to create because CONFIG_TRACING gets selected
+only in rare cases without CONFIG_FTRACE.
+
+The build failure is caused by conditionally compiling trace.c depending on
+the wrong option CONFIG_FTRACE. Change this to depend on CONFIG_TRACING like
+other users of tracepoints do.
+
+Fixes: c1b0bc2dabfa ("usb: typec: Add support for UCSI interface")
+Signed-off-by: Tobias Regnery <tobias.regnery@gmail.com>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/ucsi/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/ucsi/Makefile
++++ b/drivers/usb/typec/ucsi/Makefile
+@@ -5,6 +5,6 @@ obj-$(CONFIG_TYPEC_UCSI) += typec_ucsi.o
+
+ typec_ucsi-y := ucsi.o
+
+-typec_ucsi-$(CONFIG_FTRACE) += trace.o
++typec_ucsi-$(CONFIG_TRACING) += trace.o
+
+ obj-$(CONFIG_UCSI_ACPI) += ucsi_acpi.o
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: David Howells <dhowells@redhat.com>
+Date: Fri, 20 Apr 2018 13:35:02 +0100
+Subject: vfs: Undo an overly zealous MS_RDONLY -> SB_RDONLY conversion
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit a9e5b73288cf1595ac2e05cf1acd1924ceea05fa ]
+
+In do_mount() when the MS_* flags are being converted to MNT_* flags,
+MS_RDONLY got accidentally convered to SB_RDONLY.
+
+Undo this change.
+
+Fixes: e462ec50cb5f ("VFS: Differentiate mount flags (MS_*) from internal superblock flags")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/namespace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -2810,7 +2810,7 @@ long do_mount(const char *dev_name, cons
+ mnt_flags |= MNT_NODIRATIME;
+ if (flags & MS_STRICTATIME)
+ mnt_flags &= ~(MNT_RELATIME | MNT_NOATIME);
+- if (flags & SB_RDONLY)
++ if (flags & MS_RDONLY)
+ mnt_flags |= MNT_READONLY;
+
+ /* The default atime for remount is preservation */
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Thu, 26 Apr 2018 19:39:09 +0200
+Subject: vti6: Change minimum MTU to IPV4_MIN_MTU, vti6 can carry IPv4 too
+
+From: Stefano Brivio <sbrivio@redhat.com>
+
+[ Upstream commit b4331a681822b420511b3258f1c3db35001fde48 ]
+
+A vti6 interface can carry IPv4 as well, so it makes no sense to
+enforce a minimum MTU of IPV6_MIN_MTU.
+
+If the user sets an MTU below IPV6_MIN_MTU, IPv6 will be
+disabled on the interface, courtesy of addrconf_notify().
+
+Reported-by: Xin Long <lucien.xin@gmail.com>
+Fixes: b96f9afee4eb ("ipv4/6: use core net MTU range checking")
+Fixes: c6741fbed6dc ("vti6: Properly adjust vti6 MTU from MTU of lower device")
+Fixes: 53c81e95df17 ("ip6_vti: adjust vti mtu according to mtu of lower device")
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_vti.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -669,7 +669,7 @@ static void vti6_link_config(struct ip6_
+ else
+ mtu = ETH_DATA_LEN - LL_MAX_HEADER - sizeof(struct ipv6hdr);
+
+- dev->mtu = max_t(int, mtu, IPV6_MIN_MTU);
++ dev->mtu = max_t(int, mtu, IPV4_MIN_MTU);
+ }
+
+ /**
+@@ -881,7 +881,7 @@ static void vti6_dev_setup(struct net_de
+ dev->priv_destructor = vti6_dev_free;
+
+ dev->type = ARPHRD_TUNNEL6;
+- dev->min_mtu = IPV6_MIN_MTU;
++ dev->min_mtu = IPV4_MIN_MTU;
+ dev->max_mtu = IP_MAX_MTU - sizeof(struct ipv6hdr);
+ dev->flags |= IFF_NOARP;
+ dev->addr_len = sizeof(struct in6_addr);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Krish Sadhukhan <krish.sadhukhan@oracle.com>
+Date: Wed, 11 Apr 2018 01:10:16 -0400
+Subject: x86: Add check for APIC access address for vmentry of L2 guests
+
+From: Krish Sadhukhan <krish.sadhukhan@oracle.com>
+
+[ Upstream commit f0f4cf5b306620282db0c59ff963012e1973e025 ]
+
+According to the sub-section titled 'VM-Execution Control Fields' in the
+section titled 'Basic VM-Entry Checks' in Intel SDM vol. 3C, the following
+vmentry check must be enforced:
+
+ If the 'virtualize APIC-accesses' VM-execution control is 1, the
+ APIC-access address must satisfy the following checks:
+
+ - Bits 11:0 of the address must be 0.
+ - The address should not set any bits beyond the processor's
+ physical-address width.
+
+This patch adds the necessary check to conform to this rule. If the check
+fails, we cause the L2 VMENTRY to fail which is what the associated unit
+test (following patch) expects.
+
+Reviewed-by: Mihai Carabas <mihai.carabas@oracle.com>
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Reviewed-by: Wanpeng Li <wanpengli@tencent.com>
+Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -10338,6 +10338,16 @@ static inline bool nested_vmx_prepare_ms
+ return true;
+ }
+
++static int nested_vmx_check_apic_access_controls(struct kvm_vcpu *vcpu,
++ struct vmcs12 *vmcs12)
++{
++ if (nested_cpu_has2(vmcs12, SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES) &&
++ !page_address_valid(vcpu, vmcs12->apic_access_addr))
++ return -EINVAL;
++ else
++ return 0;
++}
++
+ static int nested_vmx_check_apicv_controls(struct kvm_vcpu *vcpu,
+ struct vmcs12 *vmcs12)
+ {
+@@ -11006,6 +11016,9 @@ static int check_vmentry_prereqs(struct
+ if (nested_vmx_check_msr_bitmap_controls(vcpu, vmcs12))
+ return VMXERR_ENTRY_INVALID_CONTROL_FIELD;
+
++ if (nested_vmx_check_apic_access_controls(vcpu, vmcs12))
++ return VMXERR_ENTRY_INVALID_CONTROL_FIELD;
++
+ if (nested_vmx_check_tpr_shadow_controls(vcpu, vmcs12))
+ return VMXERR_ENTRY_INVALID_CONTROL_FIELD;
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: "jacek.tomaka@poczta.fm" <jacek.tomaka@poczta.fm>
+Date: Tue, 24 Apr 2018 00:14:25 +0800
+Subject: x86/cpu/intel: Add missing TLB cpuid values
+
+From: "jacek.tomaka@poczta.fm" <jacek.tomaka@poczta.fm>
+
+[ Upstream commit b837913fc2d9061bf9b8c0dd6bf2d24e2f98b84a ]
+
+Make kernel print the correct number of TLB entries on Intel Xeon Phi 7210
+(and others)
+
+Before:
+[ 0.320005] Last level dTLB entries: 4KB 0, 2MB 0, 4MB 0, 1GB 0
+After:
+[ 0.320005] Last level dTLB entries: 4KB 256, 2MB 128, 4MB 128, 1GB 16
+
+The entries do exist in the official Intel SMD but the type column there is
+incorrect (states "Cache" where it should read "TLB"), but the entries for
+the values 0x6B, 0x6C and 0x6D are correctly described as 'Data TLB'.
+
+Signed-off-by: Jacek Tomaka <jacek.tomaka@poczta.fm>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/20180423161425.24366-1-jacekt@dugeo.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/intel.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kernel/cpu/intel.c
++++ b/arch/x86/kernel/cpu/intel.c
+@@ -751,6 +751,9 @@ static const struct _tlb_table intel_tlb
+ { 0x5d, TLB_DATA_4K_4M, 256, " TLB_DATA 4 KByte and 4 MByte pages" },
+ { 0x61, TLB_INST_4K, 48, " TLB_INST 4 KByte pages, full associative" },
+ { 0x63, TLB_DATA_1G, 4, " TLB_DATA 1 GByte pages, 4-way set associative" },
++ { 0x6b, TLB_DATA_4K, 256, " TLB_DATA 4 KByte pages, 8-way associative" },
++ { 0x6c, TLB_DATA_2M_4M, 128, " TLB_DATA 2 MByte or 4 MByte pages, 8-way associative" },
++ { 0x6d, TLB_DATA_1G, 16, " TLB_DATA 1 GByte pages, fully associative" },
+ { 0x76, TLB_INST_2M_4M, 8, " TLB_INST 2-MByte or 4-MByte pages, fully associative" },
+ { 0xb0, TLB_INST_4K, 128, " TLB_INST 4 KByte pages, 4-way set associative" },
+ { 0xb1, TLB_INST_2M_4M, 4, " TLB_INST 2M pages, 4-way, 8 entries or 4M pages, 4-way entries" },
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Marian Rotariu <mrotariu@bitdefender.com>
+Date: Mon, 30 Apr 2018 12:23:01 +0300
+Subject: x86: Delay skip of emulated hypercall instruction
+
+From: Marian Rotariu <mrotariu@bitdefender.com>
+
+[ Upstream commit 6356ee0c9602004e0a3b4b2dad68ee2ee9385b17 ]
+
+The IP increment should be done after the hypercall emulation, after
+calling the various handlers. In this way, these handlers can accurately
+identify the the IP of the VMCALL if they need it.
+
+This patch keeps the same functionality for the Hyper-V handler which does
+not use the return code of the standard kvm_skip_emulated_instruction()
+call.
+
+Signed-off-by: Marian Rotariu <mrotariu@bitdefender.com>
+[Hyper-V hypercalls also need kvm_skip_emulated_instruction() - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/hyperv.c | 2 +-
+ arch/x86/kvm/x86.c | 19 +++++++++++--------
+ 2 files changed, 12 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/kvm/hyperv.c
++++ b/arch/x86/kvm/hyperv.c
+@@ -1223,7 +1223,7 @@ static int kvm_hv_hypercall_complete_use
+ struct kvm_run *run = vcpu->run;
+
+ kvm_hv_hypercall_set_result(vcpu, run->hyperv.u.hcall.result);
+- return 1;
++ return kvm_skip_emulated_instruction(vcpu);
+ }
+
+ int kvm_hv_hypercall(struct kvm_vcpu *vcpu)
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6553,12 +6553,13 @@ void kvm_vcpu_deactivate_apicv(struct kv
+ int kvm_emulate_hypercall(struct kvm_vcpu *vcpu)
+ {
+ unsigned long nr, a0, a1, a2, a3, ret;
+- int op_64_bit, r;
++ int op_64_bit;
+
+- r = kvm_skip_emulated_instruction(vcpu);
+-
+- if (kvm_hv_hypercall_enabled(vcpu->kvm))
+- return kvm_hv_hypercall(vcpu);
++ if (kvm_hv_hypercall_enabled(vcpu->kvm)) {
++ if (!kvm_hv_hypercall(vcpu))
++ return 0;
++ goto out;
++ }
+
+ nr = kvm_register_read(vcpu, VCPU_REGS_RAX);
+ a0 = kvm_register_read(vcpu, VCPU_REGS_RBX);
+@@ -6579,7 +6580,7 @@ int kvm_emulate_hypercall(struct kvm_vcp
+
+ if (kvm_x86_ops->get_cpl(vcpu) != 0) {
+ ret = -KVM_EPERM;
+- goto out;
++ goto out_error;
+ }
+
+ switch (nr) {
+@@ -6599,12 +6600,14 @@ int kvm_emulate_hypercall(struct kvm_vcp
+ ret = -KVM_ENOSYS;
+ break;
+ }
+-out:
++out_error:
+ if (!op_64_bit)
+ ret = (u32)ret;
+ kvm_register_write(vcpu, VCPU_REGS_RAX, ret);
++
++out:
+ ++vcpu->stat.hypercalls;
+- return r;
++ return kvm_skip_emulated_instruction(vcpu);
+ }
+ EXPORT_SYMBOL_GPL(kvm_emulate_hypercall);
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: KarimAllah Ahmed <karahmed@amazon.de>
+Date: Sat, 14 Apr 2018 05:10:52 +0200
+Subject: X86/KVM: Properly update 'tsc_offset' to represent the running guest
+
+From: KarimAllah Ahmed <karahmed@amazon.de>
+
+[ Upstream commit e79f245ddec17bbd89d73cd0169dba4be46c9b55 ]
+
+Update 'tsc_offset' on vmentry/vmexit of L2 guests to ensure that it always
+captures the TSC_OFFSET of the running guest whether it is the L1 or L2
+guest.
+
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: kvm@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: KarimAllah Ahmed <karahmed@amazon.de>
+[AMD changes, fix update_ia32_tsc_adjust_msr. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/kvm_host.h | 1
+ arch/x86/kvm/svm.c | 17 +++++++++++-
+ arch/x86/kvm/vmx.c | 54 +++++++++++++++++++++++++---------------
+ arch/x86/kvm/x86.c | 6 ++--
+ 4 files changed, 56 insertions(+), 22 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1019,6 +1019,7 @@ struct kvm_x86_ops {
+
+ bool (*has_wbinvd_exit)(void);
+
++ u64 (*read_l1_tsc_offset)(struct kvm_vcpu *vcpu);
+ void (*write_tsc_offset)(struct kvm_vcpu *vcpu, u64 offset);
+
+ void (*get_exit_info)(struct kvm_vcpu *vcpu, u64 *info1, u64 *info2);
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -1313,12 +1313,23 @@ static void init_sys_seg(struct vmcb_seg
+ seg->base = 0;
+ }
+
++static u64 svm_read_l1_tsc_offset(struct kvm_vcpu *vcpu)
++{
++ struct vcpu_svm *svm = to_svm(vcpu);
++
++ if (is_guest_mode(vcpu))
++ return svm->nested.hsave->control.tsc_offset;
++
++ return vcpu->arch.tsc_offset;
++}
++
+ static void svm_write_tsc_offset(struct kvm_vcpu *vcpu, u64 offset)
+ {
+ struct vcpu_svm *svm = to_svm(vcpu);
+ u64 g_tsc_offset = 0;
+
+ if (is_guest_mode(vcpu)) {
++ /* Write L1's TSC offset. */
+ g_tsc_offset = svm->vmcb->control.tsc_offset -
+ svm->nested.hsave->control.tsc_offset;
+ svm->nested.hsave->control.tsc_offset = offset;
+@@ -3188,6 +3199,7 @@ static int nested_svm_vmexit(struct vcpu
+ /* Restore the original control entries */
+ copy_vmcb_control_area(vmcb, hsave);
+
++ svm->vcpu.arch.tsc_offset = svm->vmcb->control.tsc_offset;
+ kvm_clear_exception_queue(&svm->vcpu);
+ kvm_clear_interrupt_queue(&svm->vcpu);
+
+@@ -3348,10 +3360,12 @@ static void enter_svm_guest_mode(struct
+ /* We don't want to see VMMCALLs from a nested guest */
+ clr_intercept(svm, INTERCEPT_VMMCALL);
+
++ svm->vcpu.arch.tsc_offset += nested_vmcb->control.tsc_offset;
++ svm->vmcb->control.tsc_offset = svm->vcpu.arch.tsc_offset;
++
+ svm->vmcb->control.virt_ext = nested_vmcb->control.virt_ext;
+ svm->vmcb->control.int_vector = nested_vmcb->control.int_vector;
+ svm->vmcb->control.int_state = nested_vmcb->control.int_state;
+- svm->vmcb->control.tsc_offset += nested_vmcb->control.tsc_offset;
+ svm->vmcb->control.event_inj = nested_vmcb->control.event_inj;
+ svm->vmcb->control.event_inj_err = nested_vmcb->control.event_inj_err;
+
+@@ -6966,6 +6980,7 @@ static struct kvm_x86_ops svm_x86_ops __
+
+ .has_wbinvd_exit = svm_has_wbinvd_exit,
+
++ .read_l1_tsc_offset = svm_read_l1_tsc_offset,
+ .write_tsc_offset = svm_write_tsc_offset,
+
+ .set_tdp_cr3 = set_tdp_cr3,
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2638,6 +2638,17 @@ static void setup_msrs(struct vcpu_vmx *
+ vmx_update_msr_bitmap(&vmx->vcpu);
+ }
+
++static u64 vmx_read_l1_tsc_offset(struct kvm_vcpu *vcpu)
++{
++ struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
++
++ if (is_guest_mode(vcpu) &&
++ (vmcs12->cpu_based_vm_exec_control & CPU_BASED_USE_TSC_OFFSETING))
++ return vcpu->arch.tsc_offset - vmcs12->tsc_offset;
++
++ return vcpu->arch.tsc_offset;
++}
++
+ /*
+ * reads and returns guest's timestamp counter "register"
+ * guest_tsc = (host_tsc * tsc multiplier) >> 48 + tsc_offset
+@@ -10916,11 +10927,8 @@ static int prepare_vmcs02(struct kvm_vcp
+ vmcs_write64(GUEST_IA32_PAT, vmx->vcpu.arch.pat);
+ }
+
+- if (vmcs12->cpu_based_vm_exec_control & CPU_BASED_USE_TSC_OFFSETING)
+- vmcs_write64(TSC_OFFSET,
+- vcpu->arch.tsc_offset + vmcs12->tsc_offset);
+- else
+- vmcs_write64(TSC_OFFSET, vcpu->arch.tsc_offset);
++ vmcs_write64(TSC_OFFSET, vcpu->arch.tsc_offset);
++
+ if (kvm_has_tsc_control)
+ decache_tsc_multiplier(vmx);
+
+@@ -11137,6 +11145,7 @@ static int enter_vmx_non_root_mode(struc
+ struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
+ u32 msr_entry_idx;
+ u32 exit_qual;
++ int r;
+
+ enter_guest_mode(vcpu);
+
+@@ -11146,26 +11155,21 @@ static int enter_vmx_non_root_mode(struc
+ vmx_switch_vmcs(vcpu, &vmx->nested.vmcs02);
+ vmx_segment_cache_clear(vmx);
+
+- if (prepare_vmcs02(vcpu, vmcs12, from_vmentry, &exit_qual)) {
+- leave_guest_mode(vcpu);
+- vmx_switch_vmcs(vcpu, &vmx->vmcs01);
+- nested_vmx_entry_failure(vcpu, vmcs12,
+- EXIT_REASON_INVALID_STATE, exit_qual);
+- return 1;
+- }
++ if (vmcs12->cpu_based_vm_exec_control & CPU_BASED_USE_TSC_OFFSETING)
++ vcpu->arch.tsc_offset += vmcs12->tsc_offset;
++
++ r = EXIT_REASON_INVALID_STATE;
++ if (prepare_vmcs02(vcpu, vmcs12, from_vmentry, &exit_qual))
++ goto fail;
+
+ nested_get_vmcs12_pages(vcpu, vmcs12);
+
++ r = EXIT_REASON_MSR_LOAD_FAIL;
+ msr_entry_idx = nested_vmx_load_msr(vcpu,
+ vmcs12->vm_entry_msr_load_addr,
+ vmcs12->vm_entry_msr_load_count);
+- if (msr_entry_idx) {
+- leave_guest_mode(vcpu);
+- vmx_switch_vmcs(vcpu, &vmx->vmcs01);
+- nested_vmx_entry_failure(vcpu, vmcs12,
+- EXIT_REASON_MSR_LOAD_FAIL, msr_entry_idx);
+- return 1;
+- }
++ if (msr_entry_idx)
++ goto fail;
+
+ /*
+ * Note no nested_vmx_succeed or nested_vmx_fail here. At this point
+@@ -11174,6 +11178,14 @@ static int enter_vmx_non_root_mode(struc
+ * the success flag) when L2 exits (see nested_vmx_vmexit()).
+ */
+ return 0;
++
++fail:
++ if (vmcs12->cpu_based_vm_exec_control & CPU_BASED_USE_TSC_OFFSETING)
++ vcpu->arch.tsc_offset -= vmcs12->tsc_offset;
++ leave_guest_mode(vcpu);
++ vmx_switch_vmcs(vcpu, &vmx->vmcs01);
++ nested_vmx_entry_failure(vcpu, vmcs12, r, exit_qual);
++ return 1;
+ }
+
+ /*
+@@ -11745,6 +11757,9 @@ static void nested_vmx_vmexit(struct kvm
+
+ leave_guest_mode(vcpu);
+
++ if (vmcs12->cpu_based_vm_exec_control & CPU_BASED_USE_TSC_OFFSETING)
++ vcpu->arch.tsc_offset -= vmcs12->tsc_offset;
++
+ if (likely(!vmx->fail)) {
+ if (exit_reason == -1)
+ sync_vmcs12(vcpu, vmcs12);
+@@ -12423,6 +12438,7 @@ static struct kvm_x86_ops vmx_x86_ops __
+
+ .has_wbinvd_exit = cpu_has_vmx_wbinvd_exit,
+
++ .read_l1_tsc_offset = vmx_read_l1_tsc_offset,
+ .write_tsc_offset = vmx_write_tsc_offset,
+
+ .set_tdp_cr3 = vmx_set_cr3,
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1459,7 +1459,7 @@ static void kvm_track_tsc_matching(struc
+
+ static void update_ia32_tsc_adjust_msr(struct kvm_vcpu *vcpu, s64 offset)
+ {
+- u64 curr_offset = vcpu->arch.tsc_offset;
++ u64 curr_offset = kvm_x86_ops->read_l1_tsc_offset(vcpu);
+ vcpu->arch.ia32_tsc_adjust_msr += offset - curr_offset;
+ }
+
+@@ -1501,7 +1501,9 @@ static u64 kvm_compute_tsc_offset(struct
+
+ u64 kvm_read_l1_tsc(struct kvm_vcpu *vcpu, u64 host_tsc)
+ {
+- return vcpu->arch.tsc_offset + kvm_scale_tsc(vcpu, host_tsc);
++ u64 tsc_offset = kvm_x86_ops->read_l1_tsc_offset(vcpu);
++
++ return tsc_offset + kvm_scale_tsc(vcpu, host_tsc);
+ }
+ EXPORT_SYMBOL_GPL(kvm_read_l1_tsc);
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Ingo Molnar <mingo@kernel.org>
+Date: Mon, 14 May 2018 10:59:08 +0200
+Subject: x86/mpx/selftests: Adjust the self-test to fresh distros that export the MPX ABI
+
+From: Ingo Molnar <mingo@kernel.org>
+
+[ Upstream commit 73bb4d6cd192b8629c5125aaada9892d9fc986b6 ]
+
+Fix this warning:
+
+ mpx-mini-test.c:422:0: warning: "SEGV_BNDERR" redefined
+
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: akpm@linux-foundation.org
+Cc: dave.hansen@intel.com
+Cc: linux-mm@kvack.org
+Cc: linuxram@us.ibm.com
+Cc: mpe@ellerman.id.au
+Cc: shakeelb@google.com
+Cc: shuah@kernel.org
+Link: http://lkml.kernel.org/r/20180514085908.GA12798@gmail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/x86/mpx-mini-test.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/x86/mpx-mini-test.c
++++ b/tools/testing/selftests/x86/mpx-mini-test.c
+@@ -368,6 +368,11 @@ static int expected_bnd_index = -1;
+ uint64_t shadow_plb[NR_MPX_BOUNDS_REGISTERS][2]; /* shadow MPX bound registers */
+ unsigned long shadow_map[NR_MPX_BOUNDS_REGISTERS];
+
++/* Failed address bound checks: */
++#ifndef SEGV_BNDERR
++# define SEGV_BNDERR 3
++#endif
++
+ /*
+ * The kernel is supposed to provide some information about the bounds
+ * exception in the siginfo. It should match what we have in the bounds
+@@ -419,8 +424,6 @@ void handler(int signum, siginfo_t *si,
+ br_count++;
+ dprintf1("#BR 0x%jx (total seen: %d)\n", status, br_count);
+
+-#define SEGV_BNDERR 3 /* failed address bound checks */
+-
+ dprintf2("Saw a #BR! status 0x%jx at %016lx br_reason: %jx\n",
+ status, ip, br_reason);
+ dprintf2("si_signo: %d\n", si->si_signo);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Wed, 9 May 2018 10:13:56 -0700
+Subject: x86/pkeys/selftests: Add a test for pkey 0
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+[ Upstream commit 3488a600d90bcaf061b104dbcfbdc8d99b398312 ]
+
+Protection key 0 is the default key for all memory and will
+not normally come back from pkey_alloc(). But, you might
+still want pass it to mprotect_pkey().
+
+This check ensures that you can use pkey 0.
+
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Michael Ellermen <mpe@ellerman.id.au>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ram Pai <linuxram@us.ibm.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/20180509171356.9E40B254@viggo.jf.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/x86/protection_keys.c | 30 ++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+--- a/tools/testing/selftests/x86/protection_keys.c
++++ b/tools/testing/selftests/x86/protection_keys.c
+@@ -1184,6 +1184,35 @@ void test_pkey_alloc_exhaust(int *ptr, u
+ }
+ }
+
++/*
++ * pkey 0 is special. It is allocated by default, so you do not
++ * have to call pkey_alloc() to use it first. Make sure that it
++ * is usable.
++ */
++void test_mprotect_with_pkey_0(int *ptr, u16 pkey)
++{
++ long size;
++ int prot;
++
++ assert(pkey_last_malloc_record);
++ size = pkey_last_malloc_record->size;
++ /*
++ * This is a bit of a hack. But mprotect() requires
++ * huge-page-aligned sizes when operating on hugetlbfs.
++ * So, make sure that we use something that's a multiple
++ * of a huge page when we can.
++ */
++ if (size >= HPAGE_SIZE)
++ size = HPAGE_SIZE;
++ prot = pkey_last_malloc_record->prot;
++
++ /* Use pkey 0 */
++ mprotect_pkey(ptr, size, prot, 0);
++
++ /* Make sure that we can set it back to the original pkey. */
++ mprotect_pkey(ptr, size, prot, pkey);
++}
++
+ void test_ptrace_of_child(int *ptr, u16 pkey)
+ {
+ __attribute__((__unused__)) int peek_result;
+@@ -1378,6 +1407,7 @@ void (*pkey_tests[])(int *ptr, u16 pkey)
+ test_kernel_gup_write_to_write_disabled_region,
+ test_executing_on_unreadable_memory,
+ test_implicit_mprotect_exec_only_memory,
++ test_mprotect_with_pkey_0,
+ test_ptrace_of_child,
+ test_pkey_syscalls_on_non_allocated_pkey,
+ test_pkey_syscalls_bad_args,
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Wed, 9 May 2018 10:13:48 -0700
+Subject: x86/pkeys/selftests: Add PROT_EXEC test
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+[ Upstream commit 6af17cf89e99b64cf1f660bf848755442ab2f047 ]
+
+Under the covers, implement executable-only memory with
+protection keys when userspace calls mprotect(PROT_EXEC).
+
+But, we did not have a selftest for that. Now we do.
+
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Michael Ellermen <mpe@ellerman.id.au>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ram Pai <linuxram@us.ibm.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/20180509171348.9EEE4BEF@viggo.jf.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/x86/protection_keys.c | 44 ++++++++++++++++++++++++++
+ 1 file changed, 44 insertions(+)
+
+--- a/tools/testing/selftests/x86/protection_keys.c
++++ b/tools/testing/selftests/x86/protection_keys.c
+@@ -1303,6 +1303,49 @@ void test_executing_on_unreadable_memory
+ expected_pk_fault(pkey);
+ }
+
++void test_implicit_mprotect_exec_only_memory(int *ptr, u16 pkey)
++{
++ void *p1;
++ int scratch;
++ int ptr_contents;
++ int ret;
++
++ dprintf1("%s() start\n", __func__);
++
++ p1 = get_pointer_to_instructions();
++ lots_o_noops_around_write(&scratch);
++ ptr_contents = read_ptr(p1);
++ dprintf2("ptr (%p) contents@%d: %x\n", p1, __LINE__, ptr_contents);
++
++ /* Use a *normal* mprotect(), not mprotect_pkey(): */
++ ret = mprotect(p1, PAGE_SIZE, PROT_EXEC);
++ pkey_assert(!ret);
++
++ dprintf2("pkru: %x\n", rdpkru());
++
++ /* Make sure this is an *instruction* fault */
++ madvise(p1, PAGE_SIZE, MADV_DONTNEED);
++ lots_o_noops_around_write(&scratch);
++ do_not_expect_pk_fault("executing on PROT_EXEC memory");
++ ptr_contents = read_ptr(p1);
++ dprintf2("ptr (%p) contents@%d: %x\n", p1, __LINE__, ptr_contents);
++ expected_pk_fault(UNKNOWN_PKEY);
++
++ /*
++ * Put the memory back to non-PROT_EXEC. Should clear the
++ * exec-only pkey off the VMA and allow it to be readable
++ * again. Go to PROT_NONE first to check for a kernel bug
++ * that did not clear the pkey when doing PROT_NONE.
++ */
++ ret = mprotect(p1, PAGE_SIZE, PROT_NONE);
++ pkey_assert(!ret);
++
++ ret = mprotect(p1, PAGE_SIZE, PROT_READ|PROT_EXEC);
++ pkey_assert(!ret);
++ ptr_contents = read_ptr(p1);
++ do_not_expect_pk_fault("plain read on recently PROT_EXEC area");
++}
++
+ void test_mprotect_pkey_on_unsupported_cpu(int *ptr, u16 pkey)
+ {
+ int size = PAGE_SIZE;
+@@ -1327,6 +1370,7 @@ void (*pkey_tests[])(int *ptr, u16 pkey)
+ test_kernel_gup_of_access_disabled_region,
+ test_kernel_gup_write_to_write_disabled_region,
+ test_executing_on_unreadable_memory,
++ test_implicit_mprotect_exec_only_memory,
+ test_ptrace_of_child,
+ test_pkey_syscalls_on_non_allocated_pkey,
+ test_pkey_syscalls_bad_args,
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Ingo Molnar <mingo@kernel.org>
+Date: Mon, 14 May 2018 10:56:23 +0200
+Subject: x86/pkeys/selftests: Adjust the self-test to fresh distros that export the pkeys ABI
+
+From: Ingo Molnar <mingo@kernel.org>
+
+[ Upstream commit 0fb96620dce351608aa82eed5942e2f58b07beda ]
+
+Ubuntu 18.04 started exporting pkeys details in header files, resulting
+in build failures and warnings in the pkeys self-tests:
+
+ protection_keys.c:232:0: warning: "SEGV_BNDERR" redefined
+ protection_keys.c:387:5: error: conflicting types for ‘pkey_get’
+ protection_keys.c:409:5: error: conflicting types for ‘pkey_set’
+ ...
+
+Fix these namespace conflicts and double definitions, plus also
+clean up the ABI definitions to make it all a bit more readable ...
+
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: akpm@linux-foundation.org
+Cc: dave.hansen@intel.com
+Cc: linux-mm@kvack.org
+Cc: linuxram@us.ibm.com
+Cc: mpe@ellerman.id.au
+Cc: shakeelb@google.com
+Cc: shuah@kernel.org
+Link: http://lkml.kernel.org/r/20180514085623.GB7094@gmail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/x86/protection_keys.c | 67 +++++++++++++++-----------
+ 1 file changed, 41 insertions(+), 26 deletions(-)
+
+--- a/tools/testing/selftests/x86/protection_keys.c
++++ b/tools/testing/selftests/x86/protection_keys.c
+@@ -191,26 +191,30 @@ void lots_o_noops_around_write(int *writ
+ #ifdef __i386__
+
+ #ifndef SYS_mprotect_key
+-# define SYS_mprotect_key 380
++# define SYS_mprotect_key 380
+ #endif
++
+ #ifndef SYS_pkey_alloc
+-# define SYS_pkey_alloc 381
+-# define SYS_pkey_free 382
++# define SYS_pkey_alloc 381
++# define SYS_pkey_free 382
+ #endif
+-#define REG_IP_IDX REG_EIP
+-#define si_pkey_offset 0x14
++
++#define REG_IP_IDX REG_EIP
++#define si_pkey_offset 0x14
+
+ #else
+
+ #ifndef SYS_mprotect_key
+-# define SYS_mprotect_key 329
++# define SYS_mprotect_key 329
+ #endif
++
+ #ifndef SYS_pkey_alloc
+-# define SYS_pkey_alloc 330
+-# define SYS_pkey_free 331
++# define SYS_pkey_alloc 330
++# define SYS_pkey_free 331
+ #endif
+-#define REG_IP_IDX REG_RIP
+-#define si_pkey_offset 0x20
++
++#define REG_IP_IDX REG_RIP
++#define si_pkey_offset 0x20
+
+ #endif
+
+@@ -225,8 +229,14 @@ void dump_mem(void *dumpme, int len_byte
+ }
+ }
+
+-#define SEGV_BNDERR 3 /* failed address bound checks */
+-#define SEGV_PKUERR 4
++/* Failed address bound checks: */
++#ifndef SEGV_BNDERR
++# define SEGV_BNDERR 3
++#endif
++
++#ifndef SEGV_PKUERR
++# define SEGV_PKUERR 4
++#endif
+
+ static char *si_code_str(int si_code)
+ {
+@@ -393,10 +403,15 @@ pid_t fork_lazy_child(void)
+ return forkret;
+ }
+
+-#define PKEY_DISABLE_ACCESS 0x1
+-#define PKEY_DISABLE_WRITE 0x2
++#ifndef PKEY_DISABLE_ACCESS
++# define PKEY_DISABLE_ACCESS 0x1
++#endif
++
++#ifndef PKEY_DISABLE_WRITE
++# define PKEY_DISABLE_WRITE 0x2
++#endif
+
+-u32 pkey_get(int pkey, unsigned long flags)
++static u32 hw_pkey_get(int pkey, unsigned long flags)
+ {
+ u32 mask = (PKEY_DISABLE_ACCESS|PKEY_DISABLE_WRITE);
+ u32 pkru = __rdpkru();
+@@ -418,7 +433,7 @@ u32 pkey_get(int pkey, unsigned long fla
+ return masked_pkru;
+ }
+
+-int pkey_set(int pkey, unsigned long rights, unsigned long flags)
++static int hw_pkey_set(int pkey, unsigned long rights, unsigned long flags)
+ {
+ u32 mask = (PKEY_DISABLE_ACCESS|PKEY_DISABLE_WRITE);
+ u32 old_pkru = __rdpkru();
+@@ -452,15 +467,15 @@ void pkey_disable_set(int pkey, int flag
+ pkey, flags);
+ pkey_assert(flags & (PKEY_DISABLE_ACCESS | PKEY_DISABLE_WRITE));
+
+- pkey_rights = pkey_get(pkey, syscall_flags);
++ pkey_rights = hw_pkey_get(pkey, syscall_flags);
+
+- dprintf1("%s(%d) pkey_get(%d): %x\n", __func__,
++ dprintf1("%s(%d) hw_pkey_get(%d): %x\n", __func__,
+ pkey, pkey, pkey_rights);
+ pkey_assert(pkey_rights >= 0);
+
+ pkey_rights |= flags;
+
+- ret = pkey_set(pkey, pkey_rights, syscall_flags);
++ ret = hw_pkey_set(pkey, pkey_rights, syscall_flags);
+ assert(!ret);
+ /*pkru and flags have the same format */
+ shadow_pkru |= flags << (pkey * 2);
+@@ -468,8 +483,8 @@ void pkey_disable_set(int pkey, int flag
+
+ pkey_assert(ret >= 0);
+
+- pkey_rights = pkey_get(pkey, syscall_flags);
+- dprintf1("%s(%d) pkey_get(%d): %x\n", __func__,
++ pkey_rights = hw_pkey_get(pkey, syscall_flags);
++ dprintf1("%s(%d) hw_pkey_get(%d): %x\n", __func__,
+ pkey, pkey, pkey_rights);
+
+ dprintf1("%s(%d) pkru: 0x%x\n", __func__, pkey, rdpkru());
+@@ -483,24 +498,24 @@ void pkey_disable_clear(int pkey, int fl
+ {
+ unsigned long syscall_flags = 0;
+ int ret;
+- int pkey_rights = pkey_get(pkey, syscall_flags);
++ int pkey_rights = hw_pkey_get(pkey, syscall_flags);
+ u32 orig_pkru = rdpkru();
+
+ pkey_assert(flags & (PKEY_DISABLE_ACCESS | PKEY_DISABLE_WRITE));
+
+- dprintf1("%s(%d) pkey_get(%d): %x\n", __func__,
++ dprintf1("%s(%d) hw_pkey_get(%d): %x\n", __func__,
+ pkey, pkey, pkey_rights);
+ pkey_assert(pkey_rights >= 0);
+
+ pkey_rights |= flags;
+
+- ret = pkey_set(pkey, pkey_rights, 0);
++ ret = hw_pkey_set(pkey, pkey_rights, 0);
+ /* pkru and flags have the same format */
+ shadow_pkru &= ~(flags << (pkey * 2));
+ pkey_assert(ret >= 0);
+
+- pkey_rights = pkey_get(pkey, syscall_flags);
+- dprintf1("%s(%d) pkey_get(%d): %x\n", __func__,
++ pkey_rights = hw_pkey_get(pkey, syscall_flags);
++ dprintf1("%s(%d) hw_pkey_get(%d): %x\n", __func__,
+ pkey, pkey, pkey_rights);
+
+ dprintf1("%s(%d) pkru: 0x%x\n", __func__, pkey, rdpkru());
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Wed, 9 May 2018 10:13:46 -0700
+Subject: x86/pkeys/selftests: Allow faults on unknown keys
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+[ Upstream commit 7e7fd67ca39335a49619729821efb7cbdd674eb0 ]
+
+The exec-only pkey is allocated inside the kernel and userspace
+is not told what it is. So, allow PK faults to occur that have
+an unknown key.
+
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Michael Ellermen <mpe@ellerman.id.au>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ram Pai <linuxram@us.ibm.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/20180509171345.7FC7DA00@viggo.jf.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/x86/protection_keys.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/x86/protection_keys.c
++++ b/tools/testing/selftests/x86/protection_keys.c
+@@ -921,13 +921,21 @@ void *malloc_pkey(long size, int prot, u
+ }
+
+ int last_pkru_faults;
++#define UNKNOWN_PKEY -2
+ void expected_pk_fault(int pkey)
+ {
+ dprintf2("%s(): last_pkru_faults: %d pkru_faults: %d\n",
+ __func__, last_pkru_faults, pkru_faults);
+ dprintf2("%s(%d): last_si_pkey: %d\n", __func__, pkey, last_si_pkey);
+ pkey_assert(last_pkru_faults + 1 == pkru_faults);
+- pkey_assert(last_si_pkey == pkey);
++
++ /*
++ * For exec-only memory, we do not know the pkey in
++ * advance, so skip this check.
++ */
++ if (pkey != UNKNOWN_PKEY)
++ pkey_assert(last_si_pkey == pkey);
++
+ /*
+ * The signal handler shold have cleared out PKRU to let the
+ * test program continue. We now have to restore it.
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Wed, 9 May 2018 10:13:44 -0700
+Subject: x86/pkeys/selftests: Avoid printf-in-signal deadlocks
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+[ Upstream commit caf9eb6b4c82fc6cbd03697052ff22d97b0c377b ]
+
+printf() and friends are unusable in signal handlers. They deadlock.
+The pkey selftest does not do any normal printing in signal handlers,
+only extra debugging. So, just print the format string so we get
+*some* output when debugging.
+
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Michael Ellermen <mpe@ellerman.id.au>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ram Pai <linuxram@us.ibm.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/20180509171344.C53FD2F3@viggo.jf.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/x86/pkey-helpers.h | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+--- a/tools/testing/selftests/x86/pkey-helpers.h
++++ b/tools/testing/selftests/x86/pkey-helpers.h
+@@ -26,30 +26,26 @@ static inline void sigsafe_printf(const
+ {
+ va_list ap;
+
+- va_start(ap, format);
+ if (!dprint_in_signal) {
++ va_start(ap, format);
+ vprintf(format, ap);
++ va_end(ap);
+ } else {
+ int ret;
+- int len = vsnprintf(dprint_in_signal_buffer,
+- DPRINT_IN_SIGNAL_BUF_SIZE,
+- format, ap);
+ /*
+- * len is amount that would have been printed,
+- * but actual write is truncated at BUF_SIZE.
++ * No printf() functions are signal-safe.
++ * They deadlock easily. Write the format
++ * string to get some output, even if
++ * incomplete.
+ */
+- if (len > DPRINT_IN_SIGNAL_BUF_SIZE)
+- len = DPRINT_IN_SIGNAL_BUF_SIZE;
+- ret = write(1, dprint_in_signal_buffer, len);
++ ret = write(1, format, strlen(format));
+ if (ret < 0)
+- abort();
++ exit(1);
+ }
+- va_end(ap);
+ }
+ #define dprintf_level(level, args...) do { \
+ if (level <= DEBUG_LEVEL) \
+ sigsafe_printf(args); \
+- fflush(NULL); \
+ } while (0)
+ #define dprintf0(args...) dprintf_level(0, args)
+ #define dprintf1(args...) dprintf_level(1, args)
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Wed, 9 May 2018 10:13:47 -0700
+Subject: x86/pkeys/selftests: Factor out "instruction page"
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+[ Upstream commit 3fcd2b2d928904cbf30b01e2c5e4f1dd2f9ab262 ]
+
+We currently have an execute-only test, but it is for
+the explicit mprotect_pkey() interface. We will soon
+add a test for the implicit mprotect(PROT_EXEC)
+enterface. We need this code in both tests.
+
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Michael Ellermen <mpe@ellerman.id.au>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ram Pai <linuxram@us.ibm.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/20180509171347.C64AB733@viggo.jf.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/x86/protection_keys.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/selftests/x86/protection_keys.c
++++ b/tools/testing/selftests/x86/protection_keys.c
+@@ -1253,12 +1253,9 @@ void test_ptrace_of_child(int *ptr, u16
+ free(plain_ptr_unaligned);
+ }
+
+-void test_executing_on_unreadable_memory(int *ptr, u16 pkey)
++void *get_pointer_to_instructions(void)
+ {
+ void *p1;
+- int scratch;
+- int ptr_contents;
+- int ret;
+
+ p1 = ALIGN_PTR_UP(&lots_o_noops_around_write, PAGE_SIZE);
+ dprintf3("&lots_o_noops: %p\n", &lots_o_noops_around_write);
+@@ -1268,7 +1265,23 @@ void test_executing_on_unreadable_memory
+ /* Point 'p1' at the *second* page of the function: */
+ p1 += PAGE_SIZE;
+
++ /*
++ * Try to ensure we fault this in on next touch to ensure
++ * we get an instruction fault as opposed to a data one
++ */
+ madvise(p1, PAGE_SIZE, MADV_DONTNEED);
++
++ return p1;
++}
++
++void test_executing_on_unreadable_memory(int *ptr, u16 pkey)
++{
++ void *p1;
++ int scratch;
++ int ptr_contents;
++ int ret;
++
++ p1 = get_pointer_to_instructions();
+ lots_o_noops_around_write(&scratch);
+ ptr_contents = read_ptr(p1);
+ dprintf2("ptr (%p) contents@%d: %x\n", p1, __LINE__, ptr_contents);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Wed, 9 May 2018 10:13:50 -0700
+Subject: x86/pkeys/selftests: Fix pkey exhaustion test off-by-one
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+[ Upstream commit f50b4878329ab61d8e05796f655adeb6f5fb57c6 ]
+
+In our "exhaust all pkeys" test, we make sure that there
+is the expected number available. Turns out that the
+test did not cover the execute-only key, but discussed
+it anyway. It did *not* discuss the test-allocated
+key.
+
+Now that we have a test for the mprotect(PROT_EXEC) case,
+this off-by-one issue showed itself. Correct the off-by-
+one and add the explanation for the case we missed.
+
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Michael Ellermen <mpe@ellerman.id.au>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ram Pai <linuxram@us.ibm.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/20180509171350.E1656B95@viggo.jf.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/x86/protection_keys.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/tools/testing/selftests/x86/protection_keys.c
++++ b/tools/testing/selftests/x86/protection_keys.c
+@@ -1163,12 +1163,15 @@ void test_pkey_alloc_exhaust(int *ptr, u
+ pkey_assert(i < NR_PKEYS*2);
+
+ /*
+- * There are 16 pkeys supported in hardware. One is taken
+- * up for the default (0) and another can be taken up by
+- * an execute-only mapping. Ensure that we can allocate
+- * at least 14 (16-2).
++ * There are 16 pkeys supported in hardware. Three are
++ * allocated by the time we get here:
++ * 1. The default key (0)
++ * 2. One possibly consumed by an execute-only mapping.
++ * 3. One allocated by the test code and passed in via
++ * 'pkey' to this function.
++ * Ensure that we can allocate at least another 13 (16-3).
+ */
+- pkey_assert(i >= NR_PKEYS-2);
++ pkey_assert(i >= NR_PKEYS-3);
+
+ for (i = 0; i < nr_allocated_pkeys; i++) {
+ err = sys_pkey_free(allocated_pkeys[i]);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Wed, 9 May 2018 10:13:52 -0700
+Subject: x86/pkeys/selftests: Fix pointer math
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+[ Upstream commit 3d64f4ed15c3c53dba4c514bf59c334464dee373 ]
+
+We dump out the entire area of the siginfo where the si_pkey_ptr is
+supposed to be. But, we do some math on the poitner, which is a u32.
+We intended to do byte math, not u32 math on the pointer.
+
+Cast it over to a u8* so it works.
+
+Also, move this block of code to below th si_code check. It doesn't
+hurt anything, but the si_pkey field is gibberish for other signal
+types.
+
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Michael Ellermen <mpe@ellerman.id.au>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ram Pai <linuxram@us.ibm.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/20180509171352.9BE09819@viggo.jf.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/x86/protection_keys.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/tools/testing/selftests/x86/protection_keys.c
++++ b/tools/testing/selftests/x86/protection_keys.c
+@@ -303,13 +303,6 @@ void signal_handler(int signum, siginfo_
+ dump_mem(pkru_ptr - 128, 256);
+ pkey_assert(*pkru_ptr);
+
+- si_pkey_ptr = (u32 *)(((u8 *)si) + si_pkey_offset);
+- dprintf1("si_pkey_ptr: %p\n", si_pkey_ptr);
+- dump_mem(si_pkey_ptr - 8, 24);
+- siginfo_pkey = *si_pkey_ptr;
+- pkey_assert(siginfo_pkey < NR_PKEYS);
+- last_si_pkey = siginfo_pkey;
+-
+ if ((si->si_code == SEGV_MAPERR) ||
+ (si->si_code == SEGV_ACCERR) ||
+ (si->si_code == SEGV_BNDERR)) {
+@@ -317,6 +310,13 @@ void signal_handler(int signum, siginfo_
+ exit(4);
+ }
+
++ si_pkey_ptr = (u32 *)(((u8 *)si) + si_pkey_offset);
++ dprintf1("si_pkey_ptr: %p\n", si_pkey_ptr);
++ dump_mem((u8 *)si_pkey_ptr - 8, 24);
++ siginfo_pkey = *si_pkey_ptr;
++ pkey_assert(siginfo_pkey < NR_PKEYS);
++ last_si_pkey = siginfo_pkey;
++
+ dprintf1("signal pkru from xsave: %08x\n", *pkru_ptr);
+ /* need __rdpkru() version so we do not do shadow_pkru checking */
+ dprintf1("signal pkru from pkru: %08x\n", __rdpkru());
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Wed, 9 May 2018 10:13:38 -0700
+Subject: x86/pkeys/selftests: Give better unexpected fault error messages
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+[ Upstream commit 55556b0b2016806b2e16a20b62d143383983a34a ]
+
+do_not_expect_pk_fault() is a helper that we call when we do not expect
+a PK fault to have occurred. But, it is a function, which means that
+it obscures the line numbers from pkey_assert(). It also gives no
+details.
+
+Replace it with an implementation that gives nice line numbers and
+also lets callers pass in a more descriptive message about what
+happened that caused the unexpected fault.
+
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Michael Ellermen <mpe@ellerman.id.au>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ram Pai <linuxram@us.ibm.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/20180509171338.55D13B64@viggo.jf.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/x86/protection_keys.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/tools/testing/selftests/x86/protection_keys.c
++++ b/tools/testing/selftests/x86/protection_keys.c
+@@ -954,10 +954,11 @@ void expected_pk_fault(int pkey)
+ last_si_pkey = -1;
+ }
+
+-void do_not_expect_pk_fault(void)
+-{
+- pkey_assert(last_pkru_faults == pkru_faults);
+-}
++#define do_not_expect_pk_fault(msg) do { \
++ if (last_pkru_faults != pkru_faults) \
++ dprintf0("unexpected PK fault: %s\n", msg); \
++ pkey_assert(last_pkru_faults == pkru_faults); \
++} while (0)
+
+ int test_fds[10] = { -1 };
+ int nr_test_fds;
+@@ -1243,7 +1244,7 @@ void test_ptrace_of_child(int *ptr, u16
+ pkey_assert(ret != -1);
+ /* Now access from the current task, and expect NO exception: */
+ peek_result = read_ptr(plain_ptr);
+- do_not_expect_pk_fault();
++ do_not_expect_pk_fault("read plain pointer after ptrace");
+
+ ret = ptrace(PTRACE_DETACH, child_pid, ignored, 0);
+ pkey_assert(ret != -1);
+@@ -1287,7 +1288,7 @@ void test_executing_on_unreadable_memory
+ */
+ madvise(p1, PAGE_SIZE, MADV_DONTNEED);
+ lots_o_noops_around_write(&scratch);
+- do_not_expect_pk_fault();
++ do_not_expect_pk_fault("executing on PROT_EXEC memory");
+ ptr_contents = read_ptr(p1);
+ dprintf2("ptr (%p) contents@%d: %x\n", p1, __LINE__, ptr_contents);
+ expected_pk_fault(pkey);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Wed, 9 May 2018 10:13:42 -0700
+Subject: x86/pkeys/selftests: Remove dead debugging code, fix dprint_in_signal
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+[ Upstream commit a50093d60464dd51d1ae0c2267b0abe9e1de77f3 ]
+
+There is some noisy debug code at the end of the signal handler. It was
+disabled by an early, unconditional "return". However, that return also
+hid a dprint_in_signal=0, which kept dprint_in_signal=1 and effectively
+locked us into permanent dprint_in_signal=1 behavior.
+
+Remove the return and the dead code, fixing dprint_in_signal.
+
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Michael Ellermen <mpe@ellerman.id.au>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ram Pai <linuxram@us.ibm.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/20180509171342.846B9B2E@viggo.jf.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/x86/protection_keys.c | 16 ----------------
+ 1 file changed, 16 deletions(-)
+
+--- a/tools/testing/selftests/x86/protection_keys.c
++++ b/tools/testing/selftests/x86/protection_keys.c
+@@ -325,22 +325,6 @@ void signal_handler(int signum, siginfo_
+ dprintf1("WARNING: set PRKU=0 to allow faulting instruction to continue\n");
+ pkru_faults++;
+ dprintf1("<<<<==================================================\n");
+- return;
+- if (trapno == 14) {
+- fprintf(stderr,
+- "ERROR: In signal handler, page fault, trapno = %d, ip = %016lx\n",
+- trapno, ip);
+- fprintf(stderr, "si_addr %p\n", si->si_addr);
+- fprintf(stderr, "REG_ERR: %lx\n",
+- (unsigned long)uctxt->uc_mcontext.gregs[REG_ERR]);
+- exit(1);
+- } else {
+- fprintf(stderr, "unexpected trap %d! at 0x%lx\n", trapno, ip);
+- fprintf(stderr, "si_addr %p\n", si->si_addr);
+- fprintf(stderr, "REG_ERR: %lx\n",
+- (unsigned long)uctxt->uc_mcontext.gregs[REG_ERR]);
+- exit(2);
+- }
+ dprint_in_signal = 0;
+ }
+
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Wed, 9 May 2018 10:13:54 -0700
+Subject: x86/pkeys/selftests: Save off 'prot' for allocations
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+[ Upstream commit acb25d761d6f2f64e785ccefc71e54f244f1eda4 ]
+
+This makes it possible to to tell what 'prot' a given allocation
+is supposed to have. That way, if we want to change just the
+pkey, we know what 'prot' to pass to mprotect_pkey().
+
+Also, keep a record of the most recent allocation so the tests
+can easily find it.
+
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Michael Ellermen <mpe@ellerman.id.au>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ram Pai <linuxram@us.ibm.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/20180509171354.AA23E228@viggo.jf.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/x86/protection_keys.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/tools/testing/selftests/x86/protection_keys.c
++++ b/tools/testing/selftests/x86/protection_keys.c
+@@ -677,10 +677,12 @@ int mprotect_pkey(void *ptr, size_t size
+ struct pkey_malloc_record {
+ void *ptr;
+ long size;
++ int prot;
+ };
+ struct pkey_malloc_record *pkey_malloc_records;
++struct pkey_malloc_record *pkey_last_malloc_record;
+ long nr_pkey_malloc_records;
+-void record_pkey_malloc(void *ptr, long size)
++void record_pkey_malloc(void *ptr, long size, int prot)
+ {
+ long i;
+ struct pkey_malloc_record *rec = NULL;
+@@ -712,6 +714,8 @@ void record_pkey_malloc(void *ptr, long
+ (int)(rec - pkey_malloc_records), rec, ptr, size);
+ rec->ptr = ptr;
+ rec->size = size;
++ rec->prot = prot;
++ pkey_last_malloc_record = rec;
+ nr_pkey_malloc_records++;
+ }
+
+@@ -756,7 +760,7 @@ void *malloc_pkey_with_mprotect(long siz
+ pkey_assert(ptr != (void *)-1);
+ ret = mprotect_pkey((void *)ptr, PAGE_SIZE, prot, pkey);
+ pkey_assert(!ret);
+- record_pkey_malloc(ptr, size);
++ record_pkey_malloc(ptr, size, prot);
+ rdpkru();
+
+ dprintf1("%s() for pkey %d @ %p\n", __func__, pkey, ptr);
+@@ -777,7 +781,7 @@ void *malloc_pkey_anon_huge(long size, i
+ size = ALIGN_UP(size, HPAGE_SIZE * 2);
+ ptr = mmap(NULL, size, PROT_NONE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
+ pkey_assert(ptr != (void *)-1);
+- record_pkey_malloc(ptr, size);
++ record_pkey_malloc(ptr, size, prot);
+ mprotect_pkey(ptr, size, prot, pkey);
+
+ dprintf1("unaligned ptr: %p\n", ptr);
+@@ -850,7 +854,7 @@ void *malloc_pkey_hugetlb(long size, int
+ pkey_assert(ptr != (void *)-1);
+ mprotect_pkey(ptr, size, prot, pkey);
+
+- record_pkey_malloc(ptr, size);
++ record_pkey_malloc(ptr, size, prot);
+
+ dprintf1("mmap()'d hugetlbfs for pkey %d @ %p\n", pkey, ptr);
+ return ptr;
+@@ -872,7 +876,7 @@ void *malloc_pkey_mmap_dax(long size, in
+
+ mprotect_pkey(ptr, size, prot, pkey);
+
+- record_pkey_malloc(ptr, size);
++ record_pkey_malloc(ptr, size, prot);
+
+ dprintf1("mmap()'d for pkey %d @ %p\n", pkey, ptr);
+ close(fd);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Wed, 9 May 2018 10:13:40 -0700
+Subject: x86/pkeys/selftests: Stop using assert()
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+[ Upstream commit 86b9eea230edf4c67d4d4a70fba9b74505867a25 ]
+
+If we use assert(), the program "crashes". That can be scary to users,
+so stop doing it. Just exit with a >0 exit code instead.
+
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Michael Ellermen <mpe@ellerman.id.au>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ram Pai <linuxram@us.ibm.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/20180509171340.E63EF7DA@viggo.jf.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/x86/protection_keys.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/selftests/x86/protection_keys.c
++++ b/tools/testing/selftests/x86/protection_keys.c
+@@ -72,10 +72,9 @@ extern void abort_hooks(void);
+ test_nr, iteration_nr); \
+ dprintf0("errno at assert: %d", errno); \
+ abort_hooks(); \
+- assert(condition); \
++ exit(__LINE__); \
+ } \
+ } while (0)
+-#define raw_assert(cond) assert(cond)
+
+ void cat_into_file(char *str, char *file)
+ {
+@@ -87,12 +86,17 @@ void cat_into_file(char *str, char *file
+ * these need to be raw because they are called under
+ * pkey_assert()
+ */
+- raw_assert(fd >= 0);
++ if (fd < 0) {
++ fprintf(stderr, "error opening '%s'\n", str);
++ perror("error: ");
++ exit(__LINE__);
++ }
++
+ ret = write(fd, str, strlen(str));
+ if (ret != strlen(str)) {
+ perror("write to file failed");
+ fprintf(stderr, "filename: '%s' str: '%s'\n", file, str);
+- raw_assert(0);
++ exit(__LINE__);
+ }
+ close(fd);
+ }
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Andy Lutomirski <luto@kernel.org>
+Date: Tue, 8 May 2018 10:28:35 -0700
+Subject: x86/selftests: Add mov_to_ss test
+
+From: Andy Lutomirski <luto@kernel.org>
+
+[ Upstream commit 59c2a7226fc5130032021c99f05ad5c0a56551cd ]
+
+This exercises a nasty corner case of the x86 ISA.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/67e08b69817171da8026e0eb3af0214b06b4d74f.1525800455.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/x86/Makefile | 2
+ tools/testing/selftests/x86/mov_ss_trap.c | 285 ++++++++++++++++++++++++++++++
+ 2 files changed, 286 insertions(+), 1 deletion(-)
+ create mode 100644 tools/testing/selftests/x86/mov_ss_trap.c
+
+--- a/tools/testing/selftests/x86/Makefile
++++ b/tools/testing/selftests/x86/Makefile
+@@ -11,7 +11,7 @@ CAN_BUILD_X86_64 := $(shell ./check_cc.s
+
+ TARGETS_C_BOTHBITS := single_step_syscall sysret_ss_attrs syscall_nt test_mremap_vdso \
+ check_initial_reg_state sigreturn iopl mpx-mini-test ioperm \
+- protection_keys test_vdso test_vsyscall
++ protection_keys test_vdso test_vsyscall mov_ss_trap
+ TARGETS_C_32BIT_ONLY := entry_from_vm86 syscall_arg_fault test_syscall_vdso unwind_vdso \
+ test_FCMOV test_FCOMI test_FISTTP \
+ vdso_restorer
+--- /dev/null
++++ b/tools/testing/selftests/x86/mov_ss_trap.c
+@@ -0,0 +1,285 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++/*
++ * mov_ss_trap.c: Exercise the bizarre side effects of a watchpoint on MOV SS
++ *
++ * This does MOV SS from a watchpointed address followed by various
++ * types of kernel entries. A MOV SS that hits a watchpoint will queue
++ * up a #DB trap but will not actually deliver that trap. The trap
++ * will be delivered after the next instruction instead. The CPU's logic
++ * seems to be:
++ *
++ * - Any fault: drop the pending #DB trap.
++ * - INT $N, INT3, INTO, SYSCALL, SYSENTER: enter the kernel and then
++ * deliver #DB.
++ * - ICEBP: enter the kernel but do not deliver the watchpoint trap
++ * - breakpoint: only one #DB is delivered (phew!)
++ *
++ * There are plenty of ways for a kernel to handle this incorrectly. This
++ * test tries to exercise all the cases.
++ *
++ * This should mostly cover CVE-2018-1087 and CVE-2018-8897.
++ */
++#define _GNU_SOURCE
++
++#include <stdlib.h>
++#include <sys/ptrace.h>
++#include <sys/types.h>
++#include <sys/wait.h>
++#include <sys/user.h>
++#include <sys/syscall.h>
++#include <unistd.h>
++#include <errno.h>
++#include <stddef.h>
++#include <stdio.h>
++#include <err.h>
++#include <string.h>
++#include <setjmp.h>
++#include <sys/prctl.h>
++
++#define X86_EFLAGS_RF (1UL << 16)
++
++#if __x86_64__
++# define REG_IP REG_RIP
++#else
++# define REG_IP REG_EIP
++#endif
++
++unsigned short ss;
++extern unsigned char breakpoint_insn[];
++sigjmp_buf jmpbuf;
++static unsigned char altstack_data[SIGSTKSZ];
++
++static void enable_watchpoint(void)
++{
++ pid_t parent = getpid();
++ int status;
++
++ pid_t child = fork();
++ if (child < 0)
++ err(1, "fork");
++
++ if (child) {
++ if (waitpid(child, &status, 0) != child)
++ err(1, "waitpid for child");
++ } else {
++ unsigned long dr0, dr1, dr7;
++
++ dr0 = (unsigned long)&ss;
++ dr1 = (unsigned long)breakpoint_insn;
++ dr7 = ((1UL << 1) | /* G0 */
++ (3UL << 16) | /* RW0 = read or write */
++ (1UL << 18) | /* LEN0 = 2 bytes */
++ (1UL << 3)); /* G1, RW1 = insn */
++
++ if (ptrace(PTRACE_ATTACH, parent, NULL, NULL) != 0)
++ err(1, "PTRACE_ATTACH");
++
++ if (waitpid(parent, &status, 0) != parent)
++ err(1, "waitpid for child");
++
++ if (ptrace(PTRACE_POKEUSER, parent, (void *)offsetof(struct user, u_debugreg[0]), dr0) != 0)
++ err(1, "PTRACE_POKEUSER DR0");
++
++ if (ptrace(PTRACE_POKEUSER, parent, (void *)offsetof(struct user, u_debugreg[1]), dr1) != 0)
++ err(1, "PTRACE_POKEUSER DR1");
++
++ if (ptrace(PTRACE_POKEUSER, parent, (void *)offsetof(struct user, u_debugreg[7]), dr7) != 0)
++ err(1, "PTRACE_POKEUSER DR7");
++
++ printf("\tDR0 = %lx, DR1 = %lx, DR7 = %lx\n", dr0, dr1, dr7);
++
++ if (ptrace(PTRACE_DETACH, parent, NULL, NULL) != 0)
++ err(1, "PTRACE_DETACH");
++
++ exit(0);
++ }
++}
++
++static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *),
++ int flags)
++{
++ struct sigaction sa;
++ memset(&sa, 0, sizeof(sa));
++ sa.sa_sigaction = handler;
++ sa.sa_flags = SA_SIGINFO | flags;
++ sigemptyset(&sa.sa_mask);
++ if (sigaction(sig, &sa, 0))
++ err(1, "sigaction");
++}
++
++static char const * const signames[] = {
++ [SIGSEGV] = "SIGSEGV",
++ [SIGBUS] = "SIBGUS",
++ [SIGTRAP] = "SIGTRAP",
++ [SIGILL] = "SIGILL",
++};
++
++static void sigtrap(int sig, siginfo_t *si, void *ctx_void)
++{
++ ucontext_t *ctx = ctx_void;
++
++ printf("\tGot SIGTRAP with RIP=%lx, EFLAGS.RF=%d\n",
++ (unsigned long)ctx->uc_mcontext.gregs[REG_IP],
++ !!(ctx->uc_mcontext.gregs[REG_EFL] & X86_EFLAGS_RF));
++}
++
++static void handle_and_return(int sig, siginfo_t *si, void *ctx_void)
++{
++ ucontext_t *ctx = ctx_void;
++
++ printf("\tGot %s with RIP=%lx\n", signames[sig],
++ (unsigned long)ctx->uc_mcontext.gregs[REG_IP]);
++}
++
++static void handle_and_longjmp(int sig, siginfo_t *si, void *ctx_void)
++{
++ ucontext_t *ctx = ctx_void;
++
++ printf("\tGot %s with RIP=%lx\n", signames[sig],
++ (unsigned long)ctx->uc_mcontext.gregs[REG_IP]);
++
++ siglongjmp(jmpbuf, 1);
++}
++
++int main()
++{
++ unsigned long nr;
++
++ asm volatile ("mov %%ss, %[ss]" : [ss] "=m" (ss));
++ printf("\tSS = 0x%hx, &SS = 0x%p\n", ss, &ss);
++
++ if (prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0) == 0)
++ printf("\tPR_SET_PTRACER_ANY succeeded\n");
++
++ printf("\tSet up a watchpoint\n");
++ sethandler(SIGTRAP, sigtrap, 0);
++ enable_watchpoint();
++
++ printf("[RUN]\tRead from watched memory (should get SIGTRAP)\n");
++ asm volatile ("mov %[ss], %[tmp]" : [tmp] "=r" (nr) : [ss] "m" (ss));
++
++ printf("[RUN]\tMOV SS; INT3\n");
++ asm volatile ("mov %[ss], %%ss; int3" :: [ss] "m" (ss));
++
++ printf("[RUN]\tMOV SS; INT 3\n");
++ asm volatile ("mov %[ss], %%ss; .byte 0xcd, 0x3" :: [ss] "m" (ss));
++
++ printf("[RUN]\tMOV SS; CS CS INT3\n");
++ asm volatile ("mov %[ss], %%ss; .byte 0x2e, 0x2e; int3" :: [ss] "m" (ss));
++
++ printf("[RUN]\tMOV SS; CSx14 INT3\n");
++ asm volatile ("mov %[ss], %%ss; .fill 14,1,0x2e; int3" :: [ss] "m" (ss));
++
++ printf("[RUN]\tMOV SS; INT 4\n");
++ sethandler(SIGSEGV, handle_and_return, SA_RESETHAND);
++ asm volatile ("mov %[ss], %%ss; int $4" :: [ss] "m" (ss));
++
++#ifdef __i386__
++ printf("[RUN]\tMOV SS; INTO\n");
++ sethandler(SIGSEGV, handle_and_return, SA_RESETHAND);
++ nr = -1;
++ asm volatile ("add $1, %[tmp]; mov %[ss], %%ss; into"
++ : [tmp] "+r" (nr) : [ss] "m" (ss));
++#endif
++
++ if (sigsetjmp(jmpbuf, 1) == 0) {
++ printf("[RUN]\tMOV SS; ICEBP\n");
++
++ /* Some emulators (e.g. QEMU TCG) don't emulate ICEBP. */
++ sethandler(SIGILL, handle_and_longjmp, SA_RESETHAND);
++
++ asm volatile ("mov %[ss], %%ss; .byte 0xf1" :: [ss] "m" (ss));
++ }
++
++ if (sigsetjmp(jmpbuf, 1) == 0) {
++ printf("[RUN]\tMOV SS; CLI\n");
++ sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND);
++ asm volatile ("mov %[ss], %%ss; cli" :: [ss] "m" (ss));
++ }
++
++ if (sigsetjmp(jmpbuf, 1) == 0) {
++ printf("[RUN]\tMOV SS; #PF\n");
++ sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND);
++ asm volatile ("mov %[ss], %%ss; mov (-1), %[tmp]"
++ : [tmp] "=r" (nr) : [ss] "m" (ss));
++ }
++
++ /*
++ * INT $1: if #DB has DPL=3 and there isn't special handling,
++ * then the kernel will die.
++ */
++ if (sigsetjmp(jmpbuf, 1) == 0) {
++ printf("[RUN]\tMOV SS; INT 1\n");
++ sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND);
++ asm volatile ("mov %[ss], %%ss; int $1" :: [ss] "m" (ss));
++ }
++
++#ifdef __x86_64__
++ /*
++ * In principle, we should test 32-bit SYSCALL as well, but
++ * the calling convention is so unpredictable that it's
++ * not obviously worth the effort.
++ */
++ if (sigsetjmp(jmpbuf, 1) == 0) {
++ printf("[RUN]\tMOV SS; SYSCALL\n");
++ sethandler(SIGILL, handle_and_longjmp, SA_RESETHAND);
++ nr = SYS_getpid;
++ /*
++ * Toggle the high bit of RSP to make it noncanonical to
++ * strengthen this test on non-SMAP systems.
++ */
++ asm volatile ("btc $63, %%rsp\n\t"
++ "mov %[ss], %%ss; syscall\n\t"
++ "btc $63, %%rsp"
++ : "+a" (nr) : [ss] "m" (ss)
++ : "rcx"
++#ifdef __x86_64__
++ , "r11"
++#endif
++ );
++ }
++#endif
++
++ printf("[RUN]\tMOV SS; breakpointed NOP\n");
++ asm volatile ("mov %[ss], %%ss; breakpoint_insn: nop" :: [ss] "m" (ss));
++
++ /*
++ * Invoking SYSENTER directly breaks all the rules. Just handle
++ * the SIGSEGV.
++ */
++ if (sigsetjmp(jmpbuf, 1) == 0) {
++ printf("[RUN]\tMOV SS; SYSENTER\n");
++ stack_t stack = {
++ .ss_sp = altstack_data,
++ .ss_size = SIGSTKSZ,
++ };
++ if (sigaltstack(&stack, NULL) != 0)
++ err(1, "sigaltstack");
++ sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND | SA_ONSTACK);
++ nr = SYS_getpid;
++ asm volatile ("mov %[ss], %%ss; SYSENTER" : "+a" (nr)
++ : [ss] "m" (ss) : "flags", "rcx"
++#ifdef __x86_64__
++ , "r11"
++#endif
++ );
++
++ /* We're unreachable here. SYSENTER forgets RIP. */
++ }
++
++ if (sigsetjmp(jmpbuf, 1) == 0) {
++ printf("[RUN]\tMOV SS; INT $0x80\n");
++ sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND);
++ nr = 20; /* compat getpid */
++ asm volatile ("mov %[ss], %%ss; int $0x80"
++ : "+a" (nr) : [ss] "m" (ss)
++ : "flags"
++#ifdef __x86_64__
++ , "r8", "r9", "r10", "r11"
++#endif
++ );
++ }
++
++ printf("[OK]\tI aten't dead\n");
++ return 0;
++}
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: "van der Linden, Frank" <fllinden@amazon.com>
+Date: Fri, 4 May 2018 16:11:00 -0400
+Subject: x86/xen: Reset VCPU0 info pointer after shared_info remap
+
+From: "van der Linden, Frank" <fllinden@amazon.com>
+
+[ Upstream commit d1ecfa9d1f402366b1776fbf84e635678a51414f ]
+
+This patch fixes crashes during boot for HVM guests on older (pre HVM
+vector callback) Xen versions. Without this, current kernels will always
+fail to boot on those Xen versions.
+
+Sample stack trace:
+
+ BUG: unable to handle kernel paging request at ffffffffff200000
+ IP: __xen_evtchn_do_upcall+0x1e/0x80
+ PGD 1e0e067 P4D 1e0e067 PUD 1e10067 PMD 235c067 PTE 0
+ Oops: 0002 [#1] SMP PTI
+ Modules linked in:
+ CPU: 0 PID: 512 Comm: kworker/u2:0 Not tainted 4.14.33-52.13.amzn1.x86_64 #1
+ Hardware name: Xen HVM domU, BIOS 3.4.3.amazon 11/11/2016
+ task: ffff88002531d700 task.stack: ffffc90000480000
+ RIP: 0010:__xen_evtchn_do_upcall+0x1e/0x80
+ RSP: 0000:ffff880025403ef0 EFLAGS: 00010046
+ RAX: ffffffff813cc760 RBX: ffffffffff200000 RCX: ffffc90000483ef0
+ RDX: ffff880020540a00 RSI: ffff880023c78000 RDI: 000000000000001c
+ RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+ R13: ffff880025403f5c R14: 0000000000000000 R15: 0000000000000000
+ FS: 0000000000000000(0000) GS:ffff880025400000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: ffffffffff200000 CR3: 0000000001e0a000 CR4: 00000000000006f0
+ Call Trace:
+ <IRQ>
+ do_hvm_evtchn_intr+0xa/0x10
+ __handle_irq_event_percpu+0x43/0x1a0
+ handle_irq_event_percpu+0x20/0x50
+ handle_irq_event+0x39/0x60
+ handle_fasteoi_irq+0x80/0x140
+ handle_irq+0xaf/0x120
+ do_IRQ+0x41/0xd0
+ common_interrupt+0x7d/0x7d
+ </IRQ>
+
+During boot, the HYPERVISOR_shared_info page gets remapped to make it work
+with KASLR. This means that any pointer derived from it needs to be
+adjusted.
+
+The only value that this applies to is the vcpu_info pointer for VCPU 0.
+For PV and HVM with the callback vector feature, this gets done via the
+smp_ops prepare_boot_cpu callback. Older Xen versions do not support the
+HVM callback vector, so there is no Xen-specific smp_ops set up in that
+scenario. So, the vcpu_info pointer for VCPU 0 never gets set to the proper
+value, and the first reference of it will be bad. Fix this by resetting it
+immediately after the remap.
+
+Signed-off-by: Frank van der Linden <fllinden@amazon.com>
+Reviewed-by: Eduardo Valentin <eduval@amazon.com>
+Reviewed-by: Alakesh Haloi <alakeshh@amazon.com>
+Reviewed-by: Vallish Vaidyeshwara <vallish@amazon.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: xen-devel@lists.xenproject.org
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/xen/enlighten_hvm.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/arch/x86/xen/enlighten_hvm.c
++++ b/arch/x86/xen/enlighten_hvm.c
+@@ -65,6 +65,19 @@ static void __init xen_hvm_init_mem_mapp
+ {
+ early_memunmap(HYPERVISOR_shared_info, PAGE_SIZE);
+ HYPERVISOR_shared_info = __va(PFN_PHYS(shared_info_pfn));
++
++ /*
++ * The virtual address of the shared_info page has changed, so
++ * the vcpu_info pointer for VCPU 0 is now stale.
++ *
++ * The prepare_boot_cpu callback will re-initialize it via
++ * xen_vcpu_setup, but we can't rely on that to be called for
++ * old Xen versions (xen_have_vector_callback == 0).
++ *
++ * It is, in any case, bad to have a stale vcpu_info pointer
++ * so reset it now.
++ */
++ xen_vcpu_info_reset(0);
+ }
+
+ static void __init init_hvm_pv_info(void)
--- /dev/null
+From foo@baz Sun Jun 17 12:07:33 CEST 2018
+From: Simon Gaiser <simon@invisiblethingslab.com>
+Date: Thu, 15 Mar 2018 04:08:03 +0100
+Subject: xen: xenbus_dev_frontend: Really return response string
+
+From: Simon Gaiser <simon@invisiblethingslab.com>
+
+[ Upstream commit ebf04f331fa15a966262341a7dc6b1a0efd633e4 ]
+
+xenbus_command_reply() did not actually copy the response string and
+leaked stack content instead.
+
+Fixes: 9a6161fe73bd ("xen: return xenstore command failures via response instead of rc")
+Signed-off-by: Simon Gaiser <simon@invisiblethingslab.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/xenbus/xenbus_dev_frontend.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
++++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
+@@ -403,7 +403,7 @@ static int xenbus_command_reply(struct x
+ {
+ struct {
+ struct xsd_sockmsg hdr;
+- const char body[16];
++ char body[16];
+ } msg;
+ int rc;
+
+@@ -412,6 +412,7 @@ static int xenbus_command_reply(struct x
+ msg.hdr.len = strlen(reply) + 1;
+ if (msg.hdr.len > sizeof(msg.body))
+ return -E2BIG;
++ memcpy(&msg.body, reply, msg.hdr.len);
+
+ mutex_lock(&u->reply_mutex);
+ rc = queue_reply(&u->read_buffers, &msg, sizeof(msg.hdr) + msg.hdr.len);
--- /dev/null
+From foo@baz Sun Jun 17 12:07:34 CEST 2018
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Tue, 1 May 2018 11:37:14 -0400
+Subject: xprtrdma: Fix list corruption / DMAR errors during MR recovery
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 054f155721d7af1f343ed52bea246626d8450ca8 ]
+
+The ro_release_mr methods check whether mr->mr_list is empty.
+Therefore, be sure to always use list_del_init when removing an MR
+linked into a list using that field. Otherwise, when recovering from
+transport failures or device removal, list corruption can result, or
+MRs can get mapped or unmapped an odd number of times, resulting in
+IOMMU-related failures.
+
+In general this fix is appropriate back to v4.8. However, code
+changes since then make it impossible to apply this patch directly
+to stable kernels. The fix would have to be applied by hand or
+reworked for kernels earlier than v4.16.
+
+Backport guidance -- there are several cases:
+- When creating an MR, initialize mr_list so that using list_empty
+ on an as-yet-unused MR is safe.
+- When an MR is being handled by the remote invalidation path,
+ ensure that mr_list is reinitialized when it is removed from
+ rl_registered.
+- When an MR is being handled by rpcrdma_destroy_mrs, it is removed
+ from mr_all, but it may still be on an rl_registered list. In
+ that case, the MR needs to be removed from that list before being
+ released.
+- Other cases are covered by using list_del_init in rpcrdma_mr_pop.
+
+Fixes: 9d6b04097882 ('xprtrdma: Place registered MWs on a ... ')
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/xprtrdma/fmr_ops.c | 5 +----
+ net/sunrpc/xprtrdma/frwr_ops.c | 9 +++------
+ net/sunrpc/xprtrdma/verbs.c | 5 +++++
+ net/sunrpc/xprtrdma/xprt_rdma.h | 2 +-
+ 4 files changed, 10 insertions(+), 11 deletions(-)
+
+--- a/net/sunrpc/xprtrdma/fmr_ops.c
++++ b/net/sunrpc/xprtrdma/fmr_ops.c
+@@ -72,6 +72,7 @@ fmr_op_init_mr(struct rpcrdma_ia *ia, st
+ if (IS_ERR(mr->fmr.fm_mr))
+ goto out_fmr_err;
+
++ INIT_LIST_HEAD(&mr->mr_list);
+ return 0;
+
+ out_fmr_err:
+@@ -102,10 +103,6 @@ fmr_op_release_mr(struct rpcrdma_mr *mr)
+ LIST_HEAD(unmap_list);
+ int rc;
+
+- /* Ensure MW is not on any rl_registered list */
+- if (!list_empty(&mr->mr_list))
+- list_del(&mr->mr_list);
+-
+ kfree(mr->fmr.fm_physaddrs);
+ kfree(mr->mr_sg);
+
+--- a/net/sunrpc/xprtrdma/frwr_ops.c
++++ b/net/sunrpc/xprtrdma/frwr_ops.c
+@@ -110,6 +110,7 @@ frwr_op_init_mr(struct rpcrdma_ia *ia, s
+ if (!mr->mr_sg)
+ goto out_list_err;
+
++ INIT_LIST_HEAD(&mr->mr_list);
+ sg_init_table(mr->mr_sg, depth);
+ init_completion(&frwr->fr_linv_done);
+ return 0;
+@@ -133,10 +134,6 @@ frwr_op_release_mr(struct rpcrdma_mr *mr
+ {
+ int rc;
+
+- /* Ensure MR is not on any rl_registered list */
+- if (!list_empty(&mr->mr_list))
+- list_del(&mr->mr_list);
+-
+ rc = ib_dereg_mr(mr->frwr.fr_mr);
+ if (rc)
+ pr_err("rpcrdma: final ib_dereg_mr for %p returned %i\n",
+@@ -195,7 +192,7 @@ frwr_op_recover_mr(struct rpcrdma_mr *mr
+ return;
+
+ out_release:
+- pr_err("rpcrdma: FRWR reset failed %d, %p release\n", rc, mr);
++ pr_err("rpcrdma: FRWR reset failed %d, %p released\n", rc, mr);
+ r_xprt->rx_stats.mrs_orphaned++;
+
+ spin_lock(&r_xprt->rx_buf.rb_mrlock);
+@@ -458,7 +455,7 @@ frwr_op_reminv(struct rpcrdma_rep *rep,
+
+ list_for_each_entry(mr, mrs, mr_list)
+ if (mr->mr_handle == rep->rr_inv_rkey) {
+- list_del(&mr->mr_list);
++ list_del_init(&mr->mr_list);
+ trace_xprtrdma_remoteinv(mr);
+ mr->frwr.fr_state = FRWR_IS_INVALID;
+ rpcrdma_mr_unmap_and_put(mr);
+--- a/net/sunrpc/xprtrdma/verbs.c
++++ b/net/sunrpc/xprtrdma/verbs.c
+@@ -1244,6 +1244,11 @@ rpcrdma_mrs_destroy(struct rpcrdma_buffe
+ list_del(&mr->mr_all);
+
+ spin_unlock(&buf->rb_mrlock);
++
++ /* Ensure MW is not on any rl_registered list */
++ if (!list_empty(&mr->mr_list))
++ list_del(&mr->mr_list);
++
+ ia->ri_ops->ro_release_mr(mr);
+ count++;
+ spin_lock(&buf->rb_mrlock);
+--- a/net/sunrpc/xprtrdma/xprt_rdma.h
++++ b/net/sunrpc/xprtrdma/xprt_rdma.h
+@@ -381,7 +381,7 @@ rpcrdma_mr_pop(struct list_head *list)
+ struct rpcrdma_mr *mr;
+
+ mr = list_first_entry(list, struct rpcrdma_mr, mr_list);
+- list_del(&mr->mr_list);
++ list_del_init(&mr->mr_list);
+ return mr;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
