--- /dev/null
+From foo@baz Thu Jul 5 20:15:13 CEST 2018
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 16 May 2018 21:25:46 +0100
+Subject: afs: Fix directory permissions check
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 378831e4daec75fbba6d3612bcf3b4dd00ddbf08 ]
+
+Doing faccessat("/afs/some/directory", 0) triggers a BUG in the permissions
+check code.
+
+Fix this by just removing the BUG section. If no permissions are asked
+for, just return okay if the file exists.
+
+Also:
+
+ (1) Split up the directory check so that it has separate if-statements
+ rather than if-else-if (e.g. checking for MAY_EXEC shouldn't skip the
+ check for MAY_READ and MAY_WRITE).
+
+ (2) Check for MAY_CHDIR as MAY_EXEC.
+
+Without the main fix, the following BUG may occur:
+
+ kernel BUG at fs/afs/security.c:386!
+ invalid opcode: 0000 [#1] SMP PTI
+ ...
+ RIP: 0010:afs_permission+0x19d/0x1a0 [kafs]
+ ...
+ Call Trace:
+ ? inode_permission+0xbe/0x180
+ ? do_faccessat+0xdc/0x270
+ ? do_syscall_64+0x60/0x1f0
+ ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 00d3b7a4533e ("[AFS]: Add security support.")
+Reported-by: Jonathan Billings <jsbillings@jsbillings.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/security.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/fs/afs/security.c
++++ b/fs/afs/security.c
+@@ -323,18 +323,14 @@ int afs_permission(struct inode *inode,
+ mask, access, S_ISDIR(inode->i_mode) ? "dir" : "file");
+
+ if (S_ISDIR(inode->i_mode)) {
+- if (mask & MAY_EXEC) {
++ if (mask & (MAY_EXEC | MAY_READ | MAY_CHDIR)) {
+ if (!(access & AFS_ACE_LOOKUP))
+ goto permission_denied;
+- } else if (mask & MAY_READ) {
+- if (!(access & AFS_ACE_LOOKUP))
+- goto permission_denied;
+- } else if (mask & MAY_WRITE) {
++ }
++ if (mask & MAY_WRITE) {
+ if (!(access & (AFS_ACE_DELETE | /* rmdir, unlink, rename from */
+ AFS_ACE_INSERT))) /* create, mkdir, symlink, rename to */
+ goto permission_denied;
+- } else {
+- BUG();
+ }
+ } else {
+ if (!(access & AFS_ACE_LOOKUP))
--- /dev/null
+From df07101e1c4a29e820df02f9989a066988b160e6 Mon Sep 17 00:00:00 2001
+From: Sean Nyekjaer <sean.nyekjaer@prevas.dk>
+Date: Tue, 22 May 2018 19:45:09 +0200
+Subject: ARM: dts: imx6q: Use correct SDMA script for SPI5 core
+
+From: Sean Nyekjaer <sean.nyekjaer@prevas.dk>
+
+commit df07101e1c4a29e820df02f9989a066988b160e6 upstream.
+
+According to the reference manual the shp_2_mcu / mcu_2_shp
+scripts must be used for devices connected through the SPBA.
+
+This fixes an issue we saw with DMA transfers.
+Sometimes the SPI controller RX FIFO was not empty after a DMA
+transfer and the driver got stuck in the next PIO transfer when
+it read one word more than expected.
+
+commit dd4b487b32a35 ("ARM: dts: imx6: Use correct SDMA script
+for SPI cores") is fixing the same issue but only for SPI1 - 4.
+
+Fixes: 677940258dd8e ("ARM: dts: imx6q: enable dma for ecspi5")
+Signed-off-by: Sean Nyekjaer <sean.nyekjaer@prevas.dk>
+Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/imx6q.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/imx6q.dtsi
++++ b/arch/arm/boot/dts/imx6q.dtsi
+@@ -96,7 +96,7 @@
+ clocks = <&clks IMX6Q_CLK_ECSPI5>,
+ <&clks IMX6Q_CLK_ECSPI5>;
+ clock-names = "ipg", "per";
+- dmas = <&sdma 11 7 1>, <&sdma 12 7 2>;
++ dmas = <&sdma 11 8 1>, <&sdma 12 8 2>;
+ dma-names = "rx", "tx";
+ status = "disabled";
+ };
--- /dev/null
+From foo@baz Thu Jul 5 20:15:13 CEST 2018
+From: Ivan Bornyakov <brnkv.i1@gmail.com>
+Date: Fri, 25 May 2018 20:49:52 +0300
+Subject: atm: zatm: fix memcmp casting
+
+From: Ivan Bornyakov <brnkv.i1@gmail.com>
+
+[ Upstream commit f9c6442a8f0b1dde9e755eb4ff6fa22bcce4eabc ]
+
+memcmp() returns int, but eprom_try_esi() cast it to unsigned char. One
+can lose significant bits and get 0 from non-0 value returned by the
+memcmp().
+
+Signed-off-by: Ivan Bornyakov <brnkv.i1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/atm/zatm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/atm/zatm.c
++++ b/drivers/atm/zatm.c
+@@ -1151,8 +1151,8 @@ static void eprom_get_byte(struct zatm_d
+ }
+
+
+-static unsigned char eprom_try_esi(struct atm_dev *dev, unsigned short cmd,
+- int offset, int swap)
++static int eprom_try_esi(struct atm_dev *dev, unsigned short cmd, int offset,
++ int swap)
+ {
+ unsigned char buf[ZEPROM_SIZE];
+ struct zatm_dev *zatm_dev;
--- /dev/null
+From foo@baz Thu Jul 5 20:15:13 CEST 2018
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Wed, 30 May 2018 19:43:53 -0700
+Subject: fs: clear writeback errors in inode_init_always
+
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+
+[ Upstream commit 829bc787c1a0403e4d886296dd4d90c5f9c1744a ]
+
+In inode_init_always(), we clear the inode mapping flags, which clears
+any retained error (AS_EIO, AS_ENOSPC) bits. Unfortunately, we do not
+also clear wb_err, which means that old mapping errors can leak through
+to new inodes.
+
+This is crucial for the XFS inode allocation path because we recycle old
+in-core inodes and we do not want error state from an old file to leak
+into the new file. This bug was discovered by running generic/036 and
+generic/047 in a loop and noticing that the EIOs generated by the
+collision of direct and buffered writes in generic/036 would survive the
+remount between 036 and 047, and get reported to the fsyncs (on
+different files!) in generic/047.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/inode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -177,6 +177,7 @@ int inode_init_always(struct super_block
+ mapping->a_ops = &empty_aops;
+ mapping->host = inode;
+ mapping->flags = 0;
++ mapping->wb_err = 0;
+ atomic_set(&mapping->i_mmap_writable, 0);
+ mapping_set_gfp_mask(mapping, GFP_HIGHUSER_MOVABLE);
+ mapping->private_data = NULL;
--- /dev/null
+From foo@baz Thu Jul 5 20:15:13 CEST 2018
+From: Julian Anastasov <ja@ssi.bg>
+Date: Sat, 19 May 2018 18:22:35 +0300
+Subject: ipvs: fix buffer overflow with sync daemon and service
+
+From: Julian Anastasov <ja@ssi.bg>
+
+[ Upstream commit 52f96757905bbf0edef47f3ee6c7c784e7f8ff8a ]
+
+syzkaller reports for buffer overflow for interface name
+when starting sync daemons [1]
+
+What we do is that we copy user structure into larger stack
+buffer but later we search NUL past the stack buffer.
+The same happens for sched_name when adding/editing virtual server.
+
+We are restricted by IP_VS_SCHEDNAME_MAXLEN and IP_VS_IFNAME_MAXLEN
+being used as size in include/uapi/linux/ip_vs.h, so they
+include the space for NUL.
+
+As using strlcpy is wrong for unsafe source, replace it with
+strscpy and add checks to return EINVAL if source string is not
+NUL-terminated. The incomplete strlcpy fix comes from 2.6.13.
+
+For the netlink interface reduce the len parameter for
+IPVS_DAEMON_ATTR_MCAST_IFN and IPVS_SVC_ATTR_SCHED_NAME,
+so that we get proper EINVAL.
+
+[1]
+kernel BUG at lib/string.c:1052!
+invalid opcode: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+Modules linked in:
+CPU: 1 PID: 373 Comm: syz-executor936 Not tainted 4.17.0-rc4+ #45
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051
+RSP: 0018:ffff8801c976f800 EFLAGS: 00010282
+RAX: 0000000000000022 RBX: 0000000000000040 RCX: 0000000000000000
+RDX: 0000000000000022 RSI: ffffffff8160f6f1 RDI: ffffed00392edef6
+RBP: ffff8801c976f800 R08: ffff8801cf4c62c0 R09: ffffed003b5e4fb0
+R10: ffffed003b5e4fb0 R11: ffff8801daf27d87 R12: ffff8801c976fa20
+R13: ffff8801c976fae4 R14: ffff8801c976fae0 R15: 000000000000048b
+FS: 00007fd99f75e700(0000) GS:ffff8801daf00000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000200001c0 CR3: 00000001d6843000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ strlen include/linux/string.h:270 [inline]
+ strlcpy include/linux/string.h:293 [inline]
+ do_ip_vs_set_ctl+0x31c/0x1d00 net/netfilter/ipvs/ip_vs_ctl.c:2388
+ nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
+ nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115
+ ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253
+ udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2487
+ ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917
+ tcp_setsockopt+0x93/0xe0 net/ipv4/tcp.c:3057
+ sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3046
+ __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
+ __do_sys_setsockopt net/socket.c:1914 [inline]
+ __se_sys_setsockopt net/socket.c:1911 [inline]
+ __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
+ do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x447369
+RSP: 002b:00007fd99f75dda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 00000000006e39e4 RCX: 0000000000447369
+RDX: 000000000000048b RSI: 0000000000000000 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000000000018 R09: 0000000000000000
+R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000006e39e0
+R13: 75a1ff93f0896195 R14: 6f745f3168746576 R15: 0000000000000001
+Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 d2 8f 48 fa eb
+de 55 48 89 fe 48 c7 c7 60 65 64 88 48 89 e5 e8 91 dd f3 f9 <0f> 0b 90 90
+90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56
+RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801c976f800
+
+Reported-and-tested-by: syzbot+aac887f77319868646df@syzkaller.appspotmail.com
+Fixes: e4ff67513096 ("ipvs: add sync_maxlen parameter for the sync daemon")
+Fixes: 4da62fc70d7c ("[IPVS]: Fix for overflows")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2384,8 +2384,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cm
+ struct ipvs_sync_daemon_cfg cfg;
+
+ memset(&cfg, 0, sizeof(cfg));
+- strlcpy(cfg.mcast_ifn, dm->mcast_ifn,
+- sizeof(cfg.mcast_ifn));
++ ret = -EINVAL;
++ if (strscpy(cfg.mcast_ifn, dm->mcast_ifn,
++ sizeof(cfg.mcast_ifn)) <= 0)
++ goto out_dec;
+ cfg.syncid = dm->syncid;
+ ret = start_sync_thread(ipvs, &cfg, dm->state);
+ } else {
+@@ -2423,12 +2425,19 @@ do_ip_vs_set_ctl(struct sock *sk, int cm
+ }
+ }
+
++ if ((cmd == IP_VS_SO_SET_ADD || cmd == IP_VS_SO_SET_EDIT) &&
++ strnlen(usvc.sched_name, IP_VS_SCHEDNAME_MAXLEN) ==
++ IP_VS_SCHEDNAME_MAXLEN) {
++ ret = -EINVAL;
++ goto out_unlock;
++ }
++
+ /* Check for valid protocol: TCP or UDP or SCTP, even for fwmark!=0 */
+ if (usvc.protocol != IPPROTO_TCP && usvc.protocol != IPPROTO_UDP &&
+ usvc.protocol != IPPROTO_SCTP) {
+- pr_err("set_ctl: invalid protocol: %d %pI4:%d %s\n",
++ pr_err("set_ctl: invalid protocol: %d %pI4:%d\n",
+ usvc.protocol, &usvc.addr.ip,
+- ntohs(usvc.port), usvc.sched_name);
++ ntohs(usvc.port));
+ ret = -EFAULT;
+ goto out_unlock;
+ }
+@@ -2850,7 +2859,7 @@ static const struct nla_policy ip_vs_cmd
+ static const struct nla_policy ip_vs_daemon_policy[IPVS_DAEMON_ATTR_MAX + 1] = {
+ [IPVS_DAEMON_ATTR_STATE] = { .type = NLA_U32 },
+ [IPVS_DAEMON_ATTR_MCAST_IFN] = { .type = NLA_NUL_STRING,
+- .len = IP_VS_IFNAME_MAXLEN },
++ .len = IP_VS_IFNAME_MAXLEN - 1 },
+ [IPVS_DAEMON_ATTR_SYNC_ID] = { .type = NLA_U32 },
+ [IPVS_DAEMON_ATTR_SYNC_MAXLEN] = { .type = NLA_U16 },
+ [IPVS_DAEMON_ATTR_MCAST_GROUP] = { .type = NLA_U32 },
+@@ -2868,7 +2877,7 @@ static const struct nla_policy ip_vs_svc
+ [IPVS_SVC_ATTR_PORT] = { .type = NLA_U16 },
+ [IPVS_SVC_ATTR_FWMARK] = { .type = NLA_U32 },
+ [IPVS_SVC_ATTR_SCHED_NAME] = { .type = NLA_NUL_STRING,
+- .len = IP_VS_SCHEDNAME_MAXLEN },
++ .len = IP_VS_SCHEDNAME_MAXLEN - 1 },
+ [IPVS_SVC_ATTR_PE_NAME] = { .type = NLA_NUL_STRING,
+ .len = IP_VS_PENAME_MAXLEN },
+ [IPVS_SVC_ATTR_FLAGS] = { .type = NLA_BINARY,
--- /dev/null
+From foo@baz Thu Jul 5 20:15:13 CEST 2018
+From: Hao Wei Tee <angelsl@in04.sg>
+Date: Tue, 29 May 2018 10:25:17 +0300
+Subject: iwlwifi: pcie: compare with number of IRQs requested for, not number of CPUs
+
+From: Hao Wei Tee <angelsl@in04.sg>
+
+[ Upstream commit ab1068d6866e28bf6427ceaea681a381e5870a4a ]
+
+When there are 16 or more logical CPUs, we request for
+`IWL_MAX_RX_HW_QUEUES` (16) IRQs only as we limit to that number of
+IRQs, but later on we compare the number of IRQs returned to
+nr_online_cpus+2 instead of max_irqs, the latter being what we
+actually asked for. This ends up setting num_rx_queues to 17 which
+causes lots of out-of-bounds array accesses later on.
+
+Compare to max_irqs instead, and also add an assertion in case
+num_rx_queues > IWM_MAX_RX_HW_QUEUES.
+
+This fixes https://bugzilla.kernel.org/show_bug.cgi?id=199551
+
+Fixes: 2e5d4a8f61dc ("iwlwifi: pcie: Add new configuration to enable MSIX")
+Signed-off-by: Hao Wei Tee <angelsl@in04.sg>
+Tested-by: Sara Sharon <sara.sharon@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -1499,14 +1499,13 @@ static void iwl_pcie_set_interrupt_capa(
+ struct iwl_trans *trans)
+ {
+ struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
+- int max_irqs, num_irqs, i, ret, nr_online_cpus;
++ int max_irqs, num_irqs, i, ret;
+ u16 pci_cmd;
+
+ if (!trans->cfg->mq_rx_supported)
+ goto enable_msi;
+
+- nr_online_cpus = num_online_cpus();
+- max_irqs = min_t(u32, nr_online_cpus + 2, IWL_MAX_RX_HW_QUEUES);
++ max_irqs = min_t(u32, num_online_cpus() + 2, IWL_MAX_RX_HW_QUEUES);
+ for (i = 0; i < max_irqs; i++)
+ trans_pcie->msix_entries[i].entry = i;
+
+@@ -1532,16 +1531,17 @@ static void iwl_pcie_set_interrupt_capa(
+ * Two interrupts less: non rx causes shared with FBQ and RSS.
+ * More than two interrupts: we will use fewer RSS queues.
+ */
+- if (num_irqs <= nr_online_cpus) {
++ if (num_irqs <= max_irqs - 2) {
+ trans_pcie->trans->num_rx_queues = num_irqs + 1;
+ trans_pcie->shared_vec_mask = IWL_SHARED_IRQ_NON_RX |
+ IWL_SHARED_IRQ_FIRST_RSS;
+- } else if (num_irqs == nr_online_cpus + 1) {
++ } else if (num_irqs == max_irqs - 1) {
+ trans_pcie->trans->num_rx_queues = num_irqs;
+ trans_pcie->shared_vec_mask = IWL_SHARED_IRQ_NON_RX;
+ } else {
+ trans_pcie->trans->num_rx_queues = num_irqs - 1;
+ }
++ WARN_ON(trans_pcie->trans->num_rx_queues > IWL_MAX_RX_HW_QUEUES);
+
+ trans_pcie->alloc_vecs = num_irqs;
+ trans_pcie->msix_enabled = true;
--- /dev/null
+From e9893e6fa932f42c90c4ac5849fa9aa0f0f00a34 Mon Sep 17 00:00:00 2001
+From: Abhishek Sahu <absahu@codeaurora.org>
+Date: Wed, 13 Jun 2018 14:32:36 +0530
+Subject: mtd: rawnand: fix return value check for bad block status
+
+From: Abhishek Sahu <absahu@codeaurora.org>
+
+commit e9893e6fa932f42c90c4ac5849fa9aa0f0f00a34 upstream.
+
+Positive return value from read_oob() is making false BAD
+blocks. For some of the NAND controllers, OOB bytes will be
+protected with ECC and read_oob() will return number of bitflips.
+If there is any bitflip in ECC protected OOB bytes for BAD block
+status page, then that block is getting treated as BAD.
+
+Fixes: c120e75e0e7d ("mtd: nand: use read_oob() instead of cmdfunc() for bad block check")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Abhishek Sahu <absahu@codeaurora.org>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+[backported to 4.14.y]
+Signed-off-by: Abhishek Sahu <absahu@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/nand_base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/nand_base.c
++++ b/drivers/mtd/nand/nand_base.c
+@@ -440,7 +440,7 @@ static int nand_block_bad(struct mtd_inf
+
+ for (; page < page_end; page++) {
+ res = chip->ecc.read_oob(mtd, chip, page);
+- if (res)
++ if (res < 0)
+ return res;
+
+ bad = chip->oob_poi[chip->badblockpos];
--- /dev/null
+From foo@baz Thu Jul 5 20:15:13 CEST 2018
+From: "Damien Thébault" <damien.thebault@vitec.com>
+Date: Thu, 31 May 2018 07:04:01 +0000
+Subject: net: dsa: b53: Add BCM5389 support
+
+From: "Damien Thébault" <damien.thebault@vitec.com>
+
+[ Upstream commit a95691bc54af1ac4b12c354f91e9cabf1cb068df ]
+
+This patch adds support for the BCM5389 switch connected through MDIO.
+
+Signed-off-by: Damien Thébault <damien.thebault@vitec.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/net/dsa/b53.txt | 1 +
+ drivers/net/dsa/b53/b53_common.c | 13 +++++++++++++
+ drivers/net/dsa/b53/b53_mdio.c | 5 ++++-
+ drivers/net/dsa/b53/b53_priv.h | 1 +
+ 4 files changed, 19 insertions(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/net/dsa/b53.txt
++++ b/Documentation/devicetree/bindings/net/dsa/b53.txt
+@@ -10,6 +10,7 @@ Required properties:
+ "brcm,bcm53128"
+ "brcm,bcm5365"
+ "brcm,bcm5395"
++ "brcm,bcm5389"
+ "brcm,bcm5397"
+ "brcm,bcm5398"
+
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1550,6 +1550,18 @@ static const struct b53_chip_data b53_sw
+ .duplex_reg = B53_DUPLEX_STAT_FE,
+ },
+ {
++ .chip_id = BCM5389_DEVICE_ID,
++ .dev_name = "BCM5389",
++ .vlans = 4096,
++ .enabled_ports = 0x1f,
++ .arl_entries = 4,
++ .cpu_port = B53_CPU_PORT,
++ .vta_regs = B53_VTA_REGS,
++ .duplex_reg = B53_DUPLEX_STAT_GE,
++ .jumbo_pm_reg = B53_JUMBO_PORT_MASK,
++ .jumbo_size_reg = B53_JUMBO_MAX_SIZE,
++ },
++ {
+ .chip_id = BCM5395_DEVICE_ID,
+ .dev_name = "BCM5395",
+ .vlans = 4096,
+@@ -1872,6 +1884,7 @@ int b53_switch_detect(struct b53_device
+ else
+ dev->chip_id = BCM5365_DEVICE_ID;
+ break;
++ case BCM5389_DEVICE_ID:
+ case BCM5395_DEVICE_ID:
+ case BCM5397_DEVICE_ID:
+ case BCM5398_DEVICE_ID:
+--- a/drivers/net/dsa/b53/b53_mdio.c
++++ b/drivers/net/dsa/b53/b53_mdio.c
+@@ -285,6 +285,7 @@ static const struct b53_io_ops b53_mdio_
+ #define B53_BRCM_OUI_1 0x0143bc00
+ #define B53_BRCM_OUI_2 0x03625c00
+ #define B53_BRCM_OUI_3 0x00406000
++#define B53_BRCM_OUI_4 0x01410c00
+
+ static int b53_mdio_probe(struct mdio_device *mdiodev)
+ {
+@@ -311,7 +312,8 @@ static int b53_mdio_probe(struct mdio_de
+ */
+ if ((phy_id & 0xfffffc00) != B53_BRCM_OUI_1 &&
+ (phy_id & 0xfffffc00) != B53_BRCM_OUI_2 &&
+- (phy_id & 0xfffffc00) != B53_BRCM_OUI_3) {
++ (phy_id & 0xfffffc00) != B53_BRCM_OUI_3 &&
++ (phy_id & 0xfffffc00) != B53_BRCM_OUI_4) {
+ dev_err(&mdiodev->dev, "Unsupported device: 0x%08x\n", phy_id);
+ return -ENODEV;
+ }
+@@ -360,6 +362,7 @@ static const struct of_device_id b53_of_
+ { .compatible = "brcm,bcm53125" },
+ { .compatible = "brcm,bcm53128" },
+ { .compatible = "brcm,bcm5365" },
++ { .compatible = "brcm,bcm5389" },
+ { .compatible = "brcm,bcm5395" },
+ { .compatible = "brcm,bcm5397" },
+ { .compatible = "brcm,bcm5398" },
+--- a/drivers/net/dsa/b53/b53_priv.h
++++ b/drivers/net/dsa/b53/b53_priv.h
+@@ -48,6 +48,7 @@ struct b53_io_ops {
+ enum {
+ BCM5325_DEVICE_ID = 0x25,
+ BCM5365_DEVICE_ID = 0x65,
++ BCM5389_DEVICE_ID = 0x89,
+ BCM5395_DEVICE_ID = 0x95,
+ BCM5397_DEVICE_ID = 0x97,
+ BCM5398_DEVICE_ID = 0x98,
--- /dev/null
+From foo@baz Thu Jul 5 20:15:13 CEST 2018
+From: Josh Hill <josh@joshuajhill.com>
+Date: Sun, 27 May 2018 20:10:41 -0400
+Subject: net: qmi_wwan: Add Netgear Aircard 779S
+
+From: Josh Hill <josh@joshuajhill.com>
+
+[ Upstream commit 2415f3bd059fe050eb98aedf93664d000ceb4e92 ]
+
+Add support for Netgear Aircard 779S
+
+Signed-off-by: Josh Hill <josh@joshuajhill.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1103,6 +1103,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x05c6, 0x920d, 5)},
+ {QMI_QUIRK_SET_DTR(0x05c6, 0x9625, 4)}, /* YUGA CLM920-NC5 */
+ {QMI_FIXED_INTF(0x0846, 0x68a2, 8)},
++ {QMI_FIXED_INTF(0x0846, 0x68d3, 8)}, /* Netgear Aircard 779S */
+ {QMI_FIXED_INTF(0x12d1, 0x140c, 1)}, /* Huawei E173 */
+ {QMI_FIXED_INTF(0x12d1, 0x14ac, 1)}, /* Huawei E1820 */
+ {QMI_FIXED_INTF(0x1435, 0xd181, 3)}, /* Wistron NeWeb D18Q1 */
--- /dev/null
+From foo@baz Thu Jul 5 20:15:13 CEST 2018
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Wed, 30 May 2018 13:03:51 +1000
+Subject: net/sonic: Use dma_mapping_error()
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit 26de0b76d9ba3200f09c6cb9d9618bda338be5f7 ]
+
+With CONFIG_DMA_API_DEBUG=y, calling sonic_open() produces the
+message, "DMA-API: device driver failed to check map error".
+Add the missing dma_mapping_error() call.
+
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Acked-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/natsemi/sonic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/natsemi/sonic.c
++++ b/drivers/net/ethernet/natsemi/sonic.c
+@@ -71,7 +71,7 @@ static int sonic_open(struct net_device
+ for (i = 0; i < SONIC_NUM_RRS; i++) {
+ dma_addr_t laddr = dma_map_single(lp->device, skb_put(lp->rx_skb[i], SONIC_RBSIZE),
+ SONIC_RBSIZE, DMA_FROM_DEVICE);
+- if (!laddr) {
++ if (dma_mapping_error(lp->device, laddr)) {
+ while(i > 0) { /* free any that were mapped successfully */
+ i--;
+ dma_unmap_single(lp->device, lp->rx_laddr[i], SONIC_RBSIZE, DMA_FROM_DEVICE);
--- /dev/null
+From foo@baz Thu Jul 5 20:15:13 CEST 2018
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Fri, 27 Apr 2018 10:45:31 +0200
+Subject: netfilter: ebtables: handle string from userspace with care
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 94c752f99954797da583a84c4907ff19e92550a4 ]
+
+strlcpy() can't be safely used on a user-space provided string,
+as it can try to read beyond the buffer's end, if the latter is
+not NULL terminated.
+
+Leveraging the above, syzbot has been able to trigger the following
+splat:
+
+BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300
+[inline]
+BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user
+net/bridge/netfilter/ebtables.c:1957 [inline]
+BUG: KASAN: stack-out-of-bounds in ebt_size_mwt
+net/bridge/netfilter/ebtables.c:2059 [inline]
+BUG: KASAN: stack-out-of-bounds in size_entry_mwt
+net/bridge/netfilter/ebtables.c:2155 [inline]
+BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0
+net/bridge/netfilter/ebtables.c:2194
+Write of size 33 at addr ffff8801b0abf888 by task syz-executor0/4504
+
+CPU: 0 PID: 4504 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #40
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1b9/0x294 lib/dump_stack.c:113
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
+ memcpy+0x37/0x50 mm/kasan/kasan.c:303
+ strlcpy include/linux/string.h:300 [inline]
+ compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline]
+ ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline]
+ size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline]
+ compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194
+ compat_do_replace+0x483/0x900 net/bridge/netfilter/ebtables.c:2285
+ compat_do_ebt_set_ctl+0x2ac/0x324 net/bridge/netfilter/ebtables.c:2367
+ compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
+ compat_nf_setsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:156
+ compat_ip_setsockopt+0xff/0x140 net/ipv4/ip_sockglue.c:1279
+ inet_csk_compat_setsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1041
+ compat_tcp_setsockopt+0x49/0x80 net/ipv4/tcp.c:2901
+ compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:3050
+ __compat_sys_setsockopt+0x1ab/0x7c0 net/compat.c:403
+ __do_compat_sys_setsockopt net/compat.c:416 [inline]
+ __se_compat_sys_setsockopt net/compat.c:413 [inline]
+ __ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:413
+ do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
+ do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
+ entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
+RIP: 0023:0xf7fb3cb9
+RSP: 002b:00000000fff0c26c EFLAGS: 00000282 ORIG_RAX: 000000000000016e
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
+RDX: 0000000000000080 RSI: 0000000020000300 RDI: 00000000000005f4
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+The buggy address belongs to the page:
+page:ffffea0006c2afc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
+flags: 0x2fffc0000000000()
+raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
+raw: 0000000000000000 ffffea0006c20101 0000000000000000 0000000000000000
+page dumped because: kasan: bad access detected
+
+Fix the issue replacing the unsafe function with strscpy() and
+taking care of possible errors.
+
+Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
+Reported-and-tested-by: syzbot+4e42a04e0bc33cb6c087@syzkaller.appspotmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/netfilter/ebtables.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1950,7 +1950,8 @@ static int compat_mtw_from_user(struct c
+ int off, pad = 0;
+ unsigned int size_kern, match_size = mwt->match_size;
+
+- strlcpy(name, mwt->u.name, sizeof(name));
++ if (strscpy(name, mwt->u.name, sizeof(name)) < 0)
++ return -EINVAL;
+
+ if (state->buf_kern_start)
+ dst = state->buf_kern_start + state->buf_kern_offset;
--- /dev/null
+From foo@baz Thu Jul 5 20:15:13 CEST 2018
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 16 May 2018 22:58:33 +0200
+Subject: netfilter: nft_limit: fix packet ratelimiting
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 3e0f64b7dd3149f75e8652ff1df56cffeedc8fc1 ]
+
+Credit calculations for the packet ratelimiting are not correct, as per
+the applied ratelimit of 25/second and burst 8, a total of 33 packets
+should have been accepted. This is true in iptables(33) but not in
+nftables (~65). For packet ratelimiting, use:
+
+ div_u64(limit->nsecs, limit->rate) * limit->burst;
+
+to calculate credit, just like in iptables' xt_limit does.
+
+Moreover, use default burst in iptables, users are expecting similar
+behaviour.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_limit.c | 38 ++++++++++++++++++++++++--------------
+ 1 file changed, 24 insertions(+), 14 deletions(-)
+
+--- a/net/netfilter/nft_limit.c
++++ b/net/netfilter/nft_limit.c
+@@ -51,10 +51,13 @@ static inline bool nft_limit_eval(struct
+ return !limit->invert;
+ }
+
++/* Use same default as in iptables. */
++#define NFT_LIMIT_PKT_BURST_DEFAULT 5
++
+ static int nft_limit_init(struct nft_limit *limit,
+- const struct nlattr * const tb[])
++ const struct nlattr * const tb[], bool pkts)
+ {
+- u64 unit;
++ u64 unit, tokens;
+
+ if (tb[NFTA_LIMIT_RATE] == NULL ||
+ tb[NFTA_LIMIT_UNIT] == NULL)
+@@ -68,18 +71,25 @@ static int nft_limit_init(struct nft_lim
+
+ if (tb[NFTA_LIMIT_BURST])
+ limit->burst = ntohl(nla_get_be32(tb[NFTA_LIMIT_BURST]));
+- else
+- limit->burst = 0;
++
++ if (pkts && limit->burst == 0)
++ limit->burst = NFT_LIMIT_PKT_BURST_DEFAULT;
+
+ if (limit->rate + limit->burst < limit->rate)
+ return -EOVERFLOW;
+
+- /* The token bucket size limits the number of tokens can be
+- * accumulated. tokens_max specifies the bucket size.
+- * tokens_max = unit * (rate + burst) / rate.
+- */
+- limit->tokens = div_u64(limit->nsecs * (limit->rate + limit->burst),
+- limit->rate);
++ if (pkts) {
++ tokens = div_u64(limit->nsecs, limit->rate) * limit->burst;
++ } else {
++ /* The token bucket size limits the number of tokens can be
++ * accumulated. tokens_max specifies the bucket size.
++ * tokens_max = unit * (rate + burst) / rate.
++ */
++ tokens = div_u64(limit->nsecs * (limit->rate + limit->burst),
++ limit->rate);
++ }
++
++ limit->tokens = tokens;
+ limit->tokens_max = limit->tokens;
+
+ if (tb[NFTA_LIMIT_FLAGS]) {
+@@ -144,7 +154,7 @@ static int nft_limit_pkts_init(const str
+ struct nft_limit_pkts *priv = nft_expr_priv(expr);
+ int err;
+
+- err = nft_limit_init(&priv->limit, tb);
++ err = nft_limit_init(&priv->limit, tb, true);
+ if (err < 0)
+ return err;
+
+@@ -185,7 +195,7 @@ static int nft_limit_bytes_init(const st
+ {
+ struct nft_limit *priv = nft_expr_priv(expr);
+
+- return nft_limit_init(priv, tb);
++ return nft_limit_init(priv, tb, false);
+ }
+
+ static int nft_limit_bytes_dump(struct sk_buff *skb,
+@@ -246,7 +256,7 @@ static int nft_limit_obj_pkts_init(const
+ struct nft_limit_pkts *priv = nft_obj_data(obj);
+ int err;
+
+- err = nft_limit_init(&priv->limit, tb);
++ err = nft_limit_init(&priv->limit, tb, true);
+ if (err < 0)
+ return err;
+
+@@ -289,7 +299,7 @@ static int nft_limit_obj_bytes_init(cons
+ {
+ struct nft_limit *priv = nft_obj_data(obj);
+
+- return nft_limit_init(priv, tb);
++ return nft_limit_init(priv, tb, false);
+ }
+
+ static int nft_limit_obj_bytes_dump(struct sk_buff *skb,
--- /dev/null
+From foo@baz Thu Jul 5 20:15:13 CEST 2018
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Fri, 11 May 2018 19:21:42 +0800
+Subject: perf bpf: Fix NULL return handling in bpf__prepare_load()
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit ab4e32ff5aa797eaea551dbb67946e2fcb56cc7e ]
+
+bpf_object__open()/bpf_object__open_buffer can return error pointer or
+NULL, check the return values with IS_ERR_OR_NULL() in bpf__prepare_load
+and bpf__prepare_load_buffer
+
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: netdev@vger.kernel.org
+Link: https://lkml.kernel.org/n/tip-psf4xwc09n62al2cb9s33v9h@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/bpf-loader.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/tools/perf/util/bpf-loader.c
++++ b/tools/perf/util/bpf-loader.c
+@@ -66,7 +66,7 @@ bpf__prepare_load_buffer(void *obj_buf,
+ }
+
+ obj = bpf_object__open_buffer(obj_buf, obj_buf_sz, name);
+- if (IS_ERR(obj)) {
++ if (IS_ERR_OR_NULL(obj)) {
+ pr_debug("bpf: failed to load buffer\n");
+ return ERR_PTR(-EINVAL);
+ }
+@@ -102,14 +102,14 @@ struct bpf_object *bpf__prepare_load(con
+ pr_debug("bpf: successfull builtin compilation\n");
+ obj = bpf_object__open_buffer(obj_buf, obj_buf_sz, filename);
+
+- if (!IS_ERR(obj) && llvm_param.dump_obj)
++ if (!IS_ERR_OR_NULL(obj) && llvm_param.dump_obj)
+ llvm__dump_obj(filename, obj_buf, obj_buf_sz);
+
+ free(obj_buf);
+ } else
+ obj = bpf_object__open(filename);
+
+- if (IS_ERR(obj)) {
++ if (IS_ERR_OR_NULL(obj)) {
+ pr_debug("bpf: failed to load %s\n", filename);
+ return obj;
+ }
--- /dev/null
+From foo@baz Thu Jul 5 20:15:13 CEST 2018
+From: Thomas Richter <tmricht@linux.ibm.com>
+Date: Mon, 28 May 2018 09:36:57 +0200
+Subject: perf test: "Session topology" dumps core on s390
+
+From: Thomas Richter <tmricht@linux.ibm.com>
+
+[ Upstream commit d121109100bda84bbbb199dab97f9d56432ab235 ]
+
+The "perf test Session topology" entry fails with core dump on s390. The root
+cause is a NULL pointer dereference in function check_cpu_topology() line 76
+(or line 82 without -v).
+
+The session->header.env.cpu variable is NULL because on s390 function
+process_cpu_topology() returns with error:
+
+ socket_id number is too big.
+ You may need to upgrade the perf tool.
+
+and releases the env.cpu variable via zfree() and sets it to NULL.
+
+Here is the gdb output:
+(gdb) n
+76 pr_debug("CPU %d, core %d, socket %d\n", i,
+(gdb) n
+
+Program received signal SIGSEGV, Segmentation fault.
+0x00000000010f4d9e in check_cpu_topology (path=0x3ffffffd6c8
+ "/tmp/perf-test-J6CHMa", map=0x14a1740) at tests/topology.c:76
+76 pr_debug("CPU %d, core %d, socket %d\n", i,
+(gdb)
+
+Make sure the env.cpu variable is not used when its NULL.
+Test for NULL pointer and return TEST_SKIP if so.
+
+Output before:
+
+ [root@p23lp27 perf]# ./perf test -F 39
+ 39: Session topology :Segmentation fault (core dumped)
+ [root@p23lp27 perf]#
+
+Output after:
+
+ [root@p23lp27 perf]# ./perf test -vF 39
+ 39: Session topology :
+ --- start ---
+ templ file: /tmp/perf-test-Ajx59D
+ socket_id number is too big.You may need to upgrade the perf tool.
+ ---- end ----
+ Session topology: Skip
+ [root@p23lp27 perf]#
+
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Link: http://lkml.kernel.org/r/20180528073657.11743-1-tmricht@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/tests/topology.c | 30 ++++++++++++++++++++++++------
+ 1 file changed, 24 insertions(+), 6 deletions(-)
+
+--- a/tools/perf/tests/topology.c
++++ b/tools/perf/tests/topology.c
+@@ -66,6 +66,27 @@ static int check_cpu_topology(char *path
+ session = perf_session__new(&file, false, NULL);
+ TEST_ASSERT_VAL("can't get session", session);
+
++ /* On platforms with large numbers of CPUs process_cpu_topology()
++ * might issue an error while reading the perf.data file section
++ * HEADER_CPU_TOPOLOGY and the cpu_topology_map pointed to by member
++ * cpu is a NULL pointer.
++ * Example: On s390
++ * CPU 0 is on core_id 0 and physical_package_id 6
++ * CPU 1 is on core_id 1 and physical_package_id 3
++ *
++ * Core_id and physical_package_id are platform and architecture
++ * dependend and might have higher numbers than the CPU id.
++ * This actually depends on the configuration.
++ *
++ * In this case process_cpu_topology() prints error message:
++ * "socket_id number is too big. You may need to upgrade the
++ * perf tool."
++ *
++ * This is the reason why this test might be skipped.
++ */
++ if (!session->header.env.cpu)
++ return TEST_SKIP;
++
+ for (i = 0; i < session->header.env.nr_cpus_avail; i++) {
+ if (!cpu_map__has(map, i))
+ continue;
+@@ -91,7 +112,7 @@ int test__session_topology(struct test *
+ {
+ char path[PATH_MAX];
+ struct cpu_map *map;
+- int ret = -1;
++ int ret = TEST_FAIL;
+
+ TEST_ASSERT_VAL("can't get templ file", !get_temp(path));
+
+@@ -106,12 +127,9 @@ int test__session_topology(struct test *
+ goto free_path;
+ }
+
+- if (check_cpu_topology(path, map))
+- goto free_map;
+- ret = 0;
+-
+-free_map:
++ ret = check_cpu_topology(path, map);
+ cpu_map__put(map);
++
+ free_path:
+ unlink(path);
+ return ret;
--- /dev/null
+From foo@baz Thu Jul 5 20:15:13 CEST 2018
+From: "João Paulo Rechi Vita" <jprvita@gmail.com>
+Date: Tue, 22 May 2018 14:30:15 -0700
+Subject: platform/x86: asus-wmi: Fix NULL pointer dereference
+
+From: "João Paulo Rechi Vita" <jprvita@gmail.com>
+
+[ Upstream commit 32ffd6e8d1f6cef94bedca15dfcdebdeb590499d ]
+
+Do not perform the rfkill cleanup routine when
+(asus->driver->wlan_ctrl_by_user && ashs_present()) is true, since
+nothing is registered with the rfkill subsystem in that case. Doing so
+leads to the following kernel NULL pointer dereference:
+
+ BUG: unable to handle kernel NULL pointer dereference at (null)
+ IP: [<ffffffff816c7348>] __mutex_lock_slowpath+0x98/0x120
+ PGD 1a3aa8067
+ PUD 1a3b3d067
+ PMD 0
+
+ Oops: 0002 [#1] PREEMPT SMP
+ Modules linked in: bnep ccm binfmt_misc uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core hid_a4tech videodev x86_pkg_temp_thermal intel_powerclamp coretemp ath3k btusb btrtl btintel bluetooth kvm_intel snd_hda_codec_hdmi kvm snd_hda_codec_realtek snd_hda_codec_generic irqbypass crc32c_intel arc4 i915 snd_hda_intel snd_hda_codec ath9k ath9k_common ath9k_hw ath i2c_algo_bit snd_hwdep mac80211 ghash_clmulni_intel snd_hda_core snd_pcm snd_timer cfg80211 ehci_pci xhci_pci drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm xhci_hcd ehci_hcd asus_nb_wmi(-) asus_wmi sparse_keymap r8169 rfkill mxm_wmi serio_raw snd mii mei_me lpc_ich i2c_i801 video soundcore mei i2c_smbus wmi i2c_core mfd_core
+ CPU: 3 PID: 3275 Comm: modprobe Not tainted 4.9.34-gentoo #34
+ Hardware name: ASUSTeK COMPUTER INC. K56CM/K56CM, BIOS K56CM.206 08/21/2012
+ task: ffff8801a639ba00 task.stack: ffffc900014cc000
+ RIP: 0010:[<ffffffff816c7348>] [<ffffffff816c7348>] __mutex_lock_slowpath+0x98/0x120
+ RSP: 0018:ffffc900014cfce0 EFLAGS: 00010282
+ RAX: 0000000000000000 RBX: ffff8801a54315b0 RCX: 00000000c0000100
+ RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff8801a54315b4
+ RBP: ffffc900014cfd30 R08: 0000000000000000 R09: 0000000000000002
+ R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801a54315b4
+ R13: ffff8801a639ba00 R14: 00000000ffffffff R15: ffff8801a54315b8
+ FS: 00007faa254fb700(0000) GS:ffff8801aef80000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000000 CR3: 00000001a3b1b000 CR4: 00000000001406e0
+ Stack:
+ ffff8801a54315b8 0000000000000000 ffffffff814733ae ffffc900014cfd28
+ ffffffff8146a28c ffff8801a54315b0 0000000000000000 ffff8801a54315b0
+ ffff8801a66f3820 0000000000000000 ffffc900014cfd48 ffffffff816c73e7
+ Call Trace:
+ [<ffffffff814733ae>] ? acpi_ut_release_mutex+0x5d/0x61
+ [<ffffffff8146a28c>] ? acpi_ns_get_node+0x49/0x52
+ [<ffffffff816c73e7>] mutex_lock+0x17/0x30
+ [<ffffffffa00a3bb4>] asus_rfkill_hotplug+0x24/0x1a0 [asus_wmi]
+ [<ffffffffa00a4421>] asus_wmi_rfkill_exit+0x61/0x150 [asus_wmi]
+ [<ffffffffa00a49f1>] asus_wmi_remove+0x61/0xb0 [asus_wmi]
+ [<ffffffff814a5128>] platform_drv_remove+0x28/0x40
+ [<ffffffff814a2901>] __device_release_driver+0xa1/0x160
+ [<ffffffff814a29e3>] device_release_driver+0x23/0x30
+ [<ffffffff814a1ffd>] bus_remove_device+0xfd/0x170
+ [<ffffffff8149e5a9>] device_del+0x139/0x270
+ [<ffffffff814a5028>] platform_device_del+0x28/0x90
+ [<ffffffff814a50a2>] platform_device_unregister+0x12/0x30
+ [<ffffffffa00a4209>] asus_wmi_unregister_driver+0x19/0x30 [asus_wmi]
+ [<ffffffffa00da0ea>] asus_nb_wmi_exit+0x10/0xf26 [asus_nb_wmi]
+ [<ffffffff8110c692>] SyS_delete_module+0x192/0x270
+ [<ffffffff810022b2>] ? exit_to_usermode_loop+0x92/0xa0
+ [<ffffffff816ca560>] entry_SYSCALL_64_fastpath+0x13/0x94
+ Code: e8 5e 30 00 00 8b 03 83 f8 01 0f 84 93 00 00 00 48 8b 43 10 4c 8d 7b 08 48 89 63 10 41 be ff ff ff ff 4c 89 3c 24 48 89 44 24 08 <48> 89 20 4c 89 6c 24 10 eb 1d 4c 89 e7 49 c7 45 08 02 00 00 00
+ RIP [<ffffffff816c7348>] __mutex_lock_slowpath+0x98/0x120
+ RSP <ffffc900014cfce0>
+ CR2: 0000000000000000
+ ---[ end trace 8d484233fa7cb512 ]---
+ note: modprobe[3275] exited with preempt_count 2
+
+https://bugzilla.kernel.org/show_bug.cgi?id=196467
+
+Reported-by: red.f0xyz@gmail.com
+Signed-off-by: João Paulo Rechi Vita <jprvita@endlessm.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/asus-wmi.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+--- a/drivers/platform/x86/asus-wmi.c
++++ b/drivers/platform/x86/asus-wmi.c
+@@ -161,6 +161,16 @@ MODULE_LICENSE("GPL");
+
+ static const char * const ashs_ids[] = { "ATK4001", "ATK4002", NULL };
+
++static bool ashs_present(void)
++{
++ int i = 0;
++ while (ashs_ids[i]) {
++ if (acpi_dev_found(ashs_ids[i++]))
++ return true;
++ }
++ return false;
++}
++
+ struct bios_args {
+ u32 arg0;
+ u32 arg1;
+@@ -962,6 +972,9 @@ static int asus_new_rfkill(struct asus_w
+
+ static void asus_wmi_rfkill_exit(struct asus_wmi *asus)
+ {
++ if (asus->driver->wlan_ctrl_by_user && ashs_present())
++ return;
++
+ asus_unregister_rfkill_notifier(asus, "\\_SB.PCI0.P0P5");
+ asus_unregister_rfkill_notifier(asus, "\\_SB.PCI0.P0P6");
+ asus_unregister_rfkill_notifier(asus, "\\_SB.PCI0.P0P7");
+@@ -2058,16 +2071,6 @@ static int asus_wmi_fan_init(struct asus
+ return 0;
+ }
+
+-static bool ashs_present(void)
+-{
+- int i = 0;
+- while (ashs_ids[i]) {
+- if (acpi_dev_found(ashs_ids[i++]))
+- return true;
+- }
+- return false;
+-}
+-
+ /*
+ * WMI Driver
+ */
--- /dev/null
+From foo@baz Thu Jul 5 20:15:13 CEST 2018
+From: Sebastian Ott <sebott@linux.ibm.com>
+Date: Tue, 15 May 2018 14:05:13 +0200
+Subject: s390/dasd: use blk_mq_rq_from_pdu for per request data
+
+From: Sebastian Ott <sebott@linux.ibm.com>
+
+[ Upstream commit f0f59a2fab8e52b9d582b39da39f22230ca80aee ]
+
+Dasd uses completion_data from struct request to store per request
+private data - this is problematic since this member is part of a
+union which is also used by IO schedulers.
+Let the block layer maintain space for per request data behind each
+struct request.
+
+Fixes crashes on block layer timeouts like this one:
+
+Unable to handle kernel pointer dereference in virtual kernel address space
+Failing address: 0000000000000000 TEID: 0000000000000483
+Fault in home space mode while using kernel ASCE.
+AS:0000000001308007 R3:00000000fffc8007 S:00000000fffcc000 P:000000000000013d
+Oops: 0004 ilc:2 [#1] PREEMPT SMP
+Modules linked in: [...]
+CPU: 0 PID: 1480 Comm: kworker/0:2H Not tainted 4.17.0-rc4-00046-gaa3bcd43b5af #203
+Hardware name: IBM 3906 M02 702 (LPAR)
+Workqueue: kblockd blk_mq_timeout_work
+Krnl PSW : 0000000067ac406b 00000000b6960308 (do_raw_spin_trylock+0x30/0x78)
+ R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
+Krnl GPRS: 0000000000000c00 0000000000000000 0000000000000000 0000000000000001
+ 0000000000b9d3c8 0000000000000000 0000000000000001 00000000cf9639d8
+ 0000000000000000 0700000000000000 0000000000000000 000000000099f09e
+ 0000000000000000 000000000076e9d0 000000006247bb08 000000006247bae0
+Krnl Code: 00000000001c159c: b90400c2 lgr %r12,%r2
+ 00000000001c15a0: a7180000 lhi %r1,0
+ #00000000001c15a4: 583003a4 l %r3,932
+ >00000000001c15a8: ba132000 cs %r1,%r3,0(%r2)
+ 00000000001c15ac: a7180001 lhi %r1,1
+ 00000000001c15b0: a784000b brc 8,1c15c6
+ 00000000001c15b4: c0e5004e72aa brasl %r14,b8fb08
+ 00000000001c15ba: 1812 lr %r1,%r2
+Call Trace:
+([<0700000000000000>] 0x700000000000000)
+ [<0000000000b9d3d2>] _raw_spin_lock_irqsave+0x7a/0xb8
+ [<000000000099f09e>] dasd_times_out+0x46/0x278
+ [<000000000076ea6e>] blk_mq_terminate_expired+0x9e/0x108
+ [<000000000077497a>] bt_for_each+0x102/0x130
+ [<0000000000774e54>] blk_mq_queue_tag_busy_iter+0x74/0xd8
+ [<000000000076fea0>] blk_mq_timeout_work+0x260/0x320
+ [<0000000000169dd4>] process_one_work+0x3bc/0x708
+ [<000000000016a382>] worker_thread+0x262/0x408
+ [<00000000001723a8>] kthread+0x160/0x178
+ [<0000000000b9e73a>] kernel_thread_starter+0x6/0xc
+ [<0000000000b9e734>] kernel_thread_starter+0x0/0xc
+INFO: lockdep is turned off.
+Last Breaking-Event-Address:
+ [<0000000000b9d3cc>] _raw_spin_lock_irqsave+0x74/0xb8
+
+Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+Signed-off-by: Sebastian Ott <sebott@linux.ibm.com>
+Reviewed-by: Stefan Haberland <sth@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/block/dasd.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/s390/block/dasd.c
++++ b/drivers/s390/block/dasd.c
+@@ -3049,7 +3049,8 @@ static blk_status_t do_dasd_request(stru
+ cqr->callback_data = req;
+ cqr->status = DASD_CQR_FILLED;
+ cqr->dq = dq;
+- req->completion_data = cqr;
++ *((struct dasd_ccw_req **) blk_mq_rq_to_pdu(req)) = cqr;
++
+ blk_mq_start_request(req);
+ spin_lock(&block->queue_lock);
+ list_add_tail(&cqr->blocklist, &block->ccw_queue);
+@@ -3073,12 +3074,13 @@ out:
+ */
+ enum blk_eh_timer_return dasd_times_out(struct request *req, bool reserved)
+ {
+- struct dasd_ccw_req *cqr = req->completion_data;
+ struct dasd_block *block = req->q->queuedata;
+ struct dasd_device *device;
++ struct dasd_ccw_req *cqr;
+ unsigned long flags;
+ int rc = 0;
+
++ cqr = *((struct dasd_ccw_req **) blk_mq_rq_to_pdu(req));
+ if (!cqr)
+ return BLK_EH_NOT_HANDLED;
+
+@@ -3184,6 +3186,7 @@ static int dasd_alloc_queue(struct dasd_
+ int rc;
+
+ block->tag_set.ops = &dasd_mq_ops;
++ block->tag_set.cmd_size = sizeof(struct dasd_ccw_req *);
+ block->tag_set.nr_hw_queues = DASD_NR_HW_QUEUES;
+ block->tag_set.queue_depth = DASD_MAX_LCU_DEV * DASD_REQ_PER_DEV;
+ block->tag_set.flags = BLK_MQ_F_SHOULD_MERGE;
--- /dev/null
+From foo@baz Thu Jul 5 20:15:13 CEST 2018
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Tue, 25 Jul 2017 18:58:21 +0200
+Subject: sched/core: Fix rules for running on online && !active CPUs
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 175f0e25abeaa2218d431141ce19cf1de70fa82d ]
+
+As already enforced by the WARN() in __set_cpus_allowed_ptr(), the rules
+for running on an online && !active CPU are stricter than just being a
+kthread, you need to be a per-cpu kthread.
+
+If you're not strictly per-CPU, you have better CPUs to run on and
+don't need the partially booted one to get your work done.
+
+The exception is to allow smpboot threads to bootstrap the CPU itself
+and get kernel 'services' initialized before we allow userspace on it.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 955dbdf4ce87 ("sched: Allow migrating kthreads into online but inactive CPUs")
+Link: http://lkml.kernel.org/r/20170725165821.cejhb7v2s3kecems@hirez.programming.kicks-ass.net
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/core.c | 42 ++++++++++++++++++++++++++++++------------
+ 1 file changed, 30 insertions(+), 12 deletions(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -894,6 +894,33 @@ void check_preempt_curr(struct rq *rq, s
+ }
+
+ #ifdef CONFIG_SMP
++
++static inline bool is_per_cpu_kthread(struct task_struct *p)
++{
++ if (!(p->flags & PF_KTHREAD))
++ return false;
++
++ if (p->nr_cpus_allowed != 1)
++ return false;
++
++ return true;
++}
++
++/*
++ * Per-CPU kthreads are allowed to run on !actie && online CPUs, see
++ * __set_cpus_allowed_ptr() and select_fallback_rq().
++ */
++static inline bool is_cpu_allowed(struct task_struct *p, int cpu)
++{
++ if (!cpumask_test_cpu(cpu, &p->cpus_allowed))
++ return false;
++
++ if (is_per_cpu_kthread(p))
++ return cpu_online(cpu);
++
++ return cpu_active(cpu);
++}
++
+ /*
+ * This is how migration works:
+ *
+@@ -951,16 +978,8 @@ struct migration_arg {
+ static struct rq *__migrate_task(struct rq *rq, struct rq_flags *rf,
+ struct task_struct *p, int dest_cpu)
+ {
+- if (p->flags & PF_KTHREAD) {
+- if (unlikely(!cpu_online(dest_cpu)))
+- return rq;
+- } else {
+- if (unlikely(!cpu_active(dest_cpu)))
+- return rq;
+- }
+-
+ /* Affinity changed (again). */
+- if (!cpumask_test_cpu(dest_cpu, &p->cpus_allowed))
++ if (!is_cpu_allowed(p, dest_cpu))
+ return rq;
+
+ update_rq_clock(rq);
+@@ -1489,10 +1508,9 @@ static int select_fallback_rq(int cpu, s
+ for (;;) {
+ /* Any allowed, online CPU? */
+ for_each_cpu(dest_cpu, &p->cpus_allowed) {
+- if (!(p->flags & PF_KTHREAD) && !cpu_active(dest_cpu))
+- continue;
+- if (!cpu_online(dest_cpu))
++ if (!is_cpu_allowed(p, dest_cpu))
+ continue;
++
+ goto out;
+ }
+
--- /dev/null
+From foo@baz Thu Jul 5 20:15:13 CEST 2018
+From: Paul Burton <paul.burton@mips.com>
+Date: Sat, 26 May 2018 08:46:47 -0700
+Subject: sched/core: Require cpu_active() in select_task_rq(), for user tasks
+
+From: Paul Burton <paul.burton@mips.com>
+
+[ Upstream commit 7af443ee1697607541c6346c87385adab2214743 ]
+
+select_task_rq() is used in a few paths to select the CPU upon which a
+thread should be run - for example it is used by try_to_wake_up() & by
+fork or exec balancing. As-is it allows use of any online CPU that is
+present in the task's cpus_allowed mask.
+
+This presents a problem because there is a period whilst CPUs are
+brought online where a CPU is marked online, but is not yet fully
+initialized - ie. the period where CPUHP_AP_ONLINE_IDLE <= state <
+CPUHP_ONLINE. Usually we don't run any user tasks during this window,
+but there are corner cases where this can happen. An example observed
+is:
+
+ - Some user task A, running on CPU X, forks to create task B.
+
+ - sched_fork() calls __set_task_cpu() with cpu=X, setting task B's
+ task_struct::cpu field to X.
+
+ - CPU X is offlined.
+
+ - Task A, currently somewhere between the __set_task_cpu() in
+ copy_process() and the call to wake_up_new_task(), is migrated to
+ CPU Y by migrate_tasks() when CPU X is offlined.
+
+ - CPU X is onlined, but still in the CPUHP_AP_ONLINE_IDLE state. The
+ scheduler is now active on CPU X, but there are no user tasks on
+ the runqueue.
+
+ - Task A runs on CPU Y & reaches wake_up_new_task(). This calls
+ select_task_rq() with cpu=X, taken from task B's task_struct,
+ and select_task_rq() allows CPU X to be returned.
+
+ - Task A enqueues task B on CPU X's runqueue, via activate_task() &
+ enqueue_task().
+
+ - CPU X now has a user task on its runqueue before it has reached the
+ CPUHP_ONLINE state.
+
+In most cases, the user tasks that schedule on the newly onlined CPU
+have no idea that anything went wrong, but one case observed to be
+problematic is if the task goes on to invoke the sched_setaffinity
+syscall. The newly onlined CPU reaches the CPUHP_AP_ONLINE_IDLE state
+before the CPU that brought it online calls stop_machine_unpark(). This
+means that for a portion of the window of time between
+CPUHP_AP_ONLINE_IDLE & CPUHP_ONLINE the newly onlined CPU's struct
+cpu_stopper has its enabled field set to false. If a user thread is
+executed on the CPU during this window and it invokes sched_setaffinity
+with a CPU mask that does not include the CPU it's running on, then when
+__set_cpus_allowed_ptr() calls stop_one_cpu() intending to invoke
+migration_cpu_stop() and perform the actual migration away from the CPU
+it will simply return -ENOENT rather than calling migration_cpu_stop().
+We then return from the sched_setaffinity syscall back to the user task
+that is now running on a CPU which it just asked not to run on, and
+which is not present in its cpus_allowed mask.
+
+This patch resolves the problem by having select_task_rq() enforce that
+user tasks run on CPUs that are active - the same requirement that
+select_fallback_rq() already enforces. This should ensure that newly
+onlined CPUs reach the CPUHP_AP_ACTIVE state before being able to
+schedule user tasks, and also implies that bringup_wait_for_ap() will
+have called stop_machine_unpark() which resolves the sched_setaffinity
+issue above.
+
+I haven't yet investigated them, but it may be of interest to review
+whether any of the actions performed by hotplug states between
+CPUHP_AP_ONLINE_IDLE & CPUHP_AP_ACTIVE could have similar unintended
+effects on user tasks that might schedule before they are reached, which
+might widen the scope of the problem from just affecting the behaviour
+of sched_setaffinity.
+
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20180526154648.11635-2-paul.burton@mips.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/core.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -1573,8 +1573,7 @@ int select_task_rq(struct task_struct *p
+ * [ this allows ->select_task() to simply return task_cpu(p) and
+ * not worry about this generic constraint ]
+ */
+- if (unlikely(!cpumask_test_cpu(cpu, &p->cpus_allowed) ||
+- !cpu_online(cpu)))
++ if (unlikely(!is_cpu_allowed(p, cpu)))
+ cpu = select_fallback_rq(task_cpu(p), p);
+
+ return cpu;
netfilter-don-t-set-f_iface-on-ipv6-fib-lookups.patch
netfilter-ip6t_rpfilter-provide-input-interface-for-route-lookup.patch
netfilter-nf_tables-use-warn_on_once-instead-of-bug_on-in-nft_do_chain.patch
+arm-dts-imx6q-use-correct-sdma-script-for-spi5-core.patch
+mtd-rawnand-fix-return-value-check-for-bad-block-status.patch
+xfrm6-avoid-potential-infinite-loop-in-_decode_session6.patch
+afs-fix-directory-permissions-check.patch
+netfilter-ebtables-handle-string-from-userspace-with-care.patch
+s390-dasd-use-blk_mq_rq_from_pdu-for-per-request-data.patch
+netfilter-nft_limit-fix-packet-ratelimiting.patch
+ipvs-fix-buffer-overflow-with-sync-daemon-and-service.patch
+iwlwifi-pcie-compare-with-number-of-irqs-requested-for-not-number-of-cpus.patch
+atm-zatm-fix-memcmp-casting.patch
+net-qmi_wwan-add-netgear-aircard-779s.patch
+perf-test-session-topology-dumps-core-on-s390.patch
+perf-bpf-fix-null-return-handling-in-bpf__prepare_load.patch
+fs-clear-writeback-errors-in-inode_init_always.patch
+sched-core-fix-rules-for-running-on-online-active-cpus.patch
+sched-core-require-cpu_active-in-select_task_rq-for-user-tasks.patch
+platform-x86-asus-wmi-fix-null-pointer-dereference.patch
+net-sonic-use-dma_mapping_error.patch
+net-dsa-b53-add-bcm5389-support.patch
--- /dev/null
+From foo@baz Thu Jul 5 20:15:13 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 12 May 2018 02:49:30 -0700
+Subject: xfrm6: avoid potential infinite loop in _decode_session6()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d9f92772e8ec388d070752ee8f187ef8fa18621f ]
+
+syzbot found a way to trigger an infinitie loop by overflowing
+@offset variable that has been forced to use u16 for some very
+obscure reason in the past.
+
+We probably want to look at NEXTHDR_FRAGMENT handling which looks
+wrong, in a separate patch.
+
+In net-next, we shall try to use skb_header_pointer() instead of
+pskb_may_pull().
+
+watchdog: BUG: soft lockup - CPU#1 stuck for 134s! [syz-executor738:4553]
+Modules linked in:
+irq event stamp: 13885653
+hardirqs last enabled at (13885652): [<ffffffff878009d5>] restore_regs_and_return_to_kernel+0x0/0x2b
+hardirqs last disabled at (13885653): [<ffffffff87800905>] interrupt_entry+0xb5/0xf0 arch/x86/entry/entry_64.S:625
+softirqs last enabled at (13614028): [<ffffffff84df0809>] tun_napi_alloc_frags drivers/net/tun.c:1478 [inline]
+softirqs last enabled at (13614028): [<ffffffff84df0809>] tun_get_user+0x1dd9/0x4290 drivers/net/tun.c:1825
+softirqs last disabled at (13614032): [<ffffffff84df1b6f>] tun_get_user+0x313f/0x4290 drivers/net/tun.c:1942
+CPU: 1 PID: 4553 Comm: syz-executor738 Not tainted 4.17.0-rc3+ #40
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:check_kcov_mode kernel/kcov.c:67 [inline]
+RIP: 0010:__sanitizer_cov_trace_pc+0x20/0x50 kernel/kcov.c:101
+RSP: 0018:ffff8801d8cfe250 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
+RAX: ffff8801d88a8080 RBX: ffff8801d7389e40 RCX: 0000000000000006
+RDX: 0000000000000000 RSI: ffffffff868da4ad RDI: ffff8801c8a53277
+RBP: ffff8801d8cfe250 R08: ffff8801d88a8080 R09: ffff8801d8cfe3e8
+R10: ffffed003b19fc87 R11: ffff8801d8cfe43f R12: ffff8801c8a5327f
+R13: 0000000000000000 R14: ffff8801c8a4e5fe R15: ffff8801d8cfe3e8
+FS: 0000000000d88940(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffff600400 CR3: 00000001acab3000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ _decode_session6+0xc1d/0x14f0 net/ipv6/xfrm6_policy.c:150
+ __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:2368
+ xfrm_decode_session_reverse include/net/xfrm.h:1213 [inline]
+ icmpv6_route_lookup+0x395/0x6e0 net/ipv6/icmp.c:372
+ icmp6_send+0x1982/0x2da0 net/ipv6/icmp.c:551
+ icmpv6_send+0x17a/0x300 net/ipv6/ip6_icmp.c:43
+ ip6_input_finish+0x14e1/0x1a30 net/ipv6/ip6_input.c:305
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ip6_input+0xe1/0x5e0 net/ipv6/ip6_input.c:327
+ dst_input include/net/dst.h:450 [inline]
+ ip6_rcv_finish+0x29c/0xa10 net/ipv6/ip6_input.c:71
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ipv6_rcv+0xeb8/0x2040 net/ipv6/ip6_input.c:208
+ __netif_receive_skb_core+0x2468/0x3650 net/core/dev.c:4646
+ __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4711
+ netif_receive_skb_internal+0x126/0x7b0 net/core/dev.c:4785
+ napi_frags_finish net/core/dev.c:5226 [inline]
+ napi_gro_frags+0x631/0xc40 net/core/dev.c:5299
+ tun_get_user+0x3168/0x4290 drivers/net/tun.c:1951
+ tun_chr_write_iter+0xb9/0x154 drivers/net/tun.c:1996
+ call_write_iter include/linux/fs.h:1784 [inline]
+ do_iter_readv_writev+0x859/0xa50 fs/read_write.c:680
+ do_iter_write+0x185/0x5f0 fs/read_write.c:959
+ vfs_writev+0x1c7/0x330 fs/read_write.c:1004
+ do_writev+0x112/0x2f0 fs/read_write.c:1039
+ __do_sys_writev fs/read_write.c:1112 [inline]
+ __se_sys_writev fs/read_write.c:1109 [inline]
+ __x64_sys_writev+0x75/0xb0 fs/read_write.c:1109
+ do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Reported-by: syzbot+0053c8...@syzkaller.appspotmail.com
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/xfrm6_policy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/xfrm6_policy.c
++++ b/net/ipv6/xfrm6_policy.c
+@@ -123,7 +123,7 @@ _decode_session6(struct sk_buff *skb, st
+ struct flowi6 *fl6 = &fl->u.ip6;
+ int onlyproto = 0;
+ const struct ipv6hdr *hdr = ipv6_hdr(skb);
+- u16 offset = sizeof(*hdr);
++ u32 offset = sizeof(*hdr);
+ struct ipv6_opt_hdr *exthdr;
+ const unsigned char *nh = skb_network_header(skb);
+ u16 nhoff = IP6CB(skb)->nhoff;
projects / thirdparty / kernel / stable-queue.git / commitdiff
