--- /dev/null
+From fd2fa95416188a767a63979296fa3e169a9ef5ec Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Thu, 2 Aug 2018 16:08:52 -0400
+Subject: dm cache metadata: save in-core policy_hint_size to on-disk superblock
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit fd2fa95416188a767a63979296fa3e169a9ef5ec upstream.
+
+policy_hint_size starts as 0 during __write_initial_superblock(). It
+isn't until the policy is loaded that policy_hint_size is set in-core
+(cmd->policy_hint_size). But it never got recorded in the on-disk
+superblock because __commit_transaction() didn't deal with transfering
+the in-core cmd->policy_hint_size to the on-disk superblock.
+
+The in-core cmd->policy_hint_size gets initialized by metadata_open()'s
+__begin_transaction_flags() which re-reads all superblock fields.
+Because the superblock's policy_hint_size was never properly stored, when
+the cache was created, hints_array_available() would always return false
+when re-activating a previously created cache. This means
+__load_mappings() always considered the hints invalid and never made use
+of the hints (these hints served to optimize).
+
+Another detremental side-effect of this oversight is the cache_check
+utility would fail with: "invalid hint width: 0"
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-cache-metadata.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/dm-cache-metadata.c
++++ b/drivers/md/dm-cache-metadata.c
+@@ -363,7 +363,7 @@ static int __write_initial_superblock(st
+ disk_super->version = cpu_to_le32(cmd->version);
+ memset(disk_super->policy_name, 0, sizeof(disk_super->policy_name));
+ memset(disk_super->policy_version, 0, sizeof(disk_super->policy_version));
+- disk_super->policy_hint_size = 0;
++ disk_super->policy_hint_size = cpu_to_le32(0);
+
+ __copy_sm_root(cmd, disk_super);
+
+@@ -701,6 +701,7 @@ static int __commit_transaction(struct d
+ disk_super->policy_version[0] = cpu_to_le32(cmd->policy_version[0]);
+ disk_super->policy_version[1] = cpu_to_le32(cmd->policy_version[1]);
+ disk_super->policy_version[2] = cpu_to_le32(cmd->policy_version[2]);
++ disk_super->policy_hint_size = cpu_to_le32(cmd->policy_hint_size);
+
+ disk_super->read_hits = cpu_to_le32(cmd->stats.read_hits);
+ disk_super->read_misses = cpu_to_le32(cmd->stats.read_misses);
--- /dev/null
+From 5b1fe7bec8a8d0cc547a22e7ddc2bd59acd67de4 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Thu, 9 Aug 2018 12:38:28 +0200
+Subject: dm cache metadata: set dirty on all cache blocks after a crash
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 5b1fe7bec8a8d0cc547a22e7ddc2bd59acd67de4 upstream.
+
+Quoting Documentation/device-mapper/cache.txt:
+
+ The 'dirty' state for a cache block changes far too frequently for us
+ to keep updating it on the fly. So we treat it as a hint. In normal
+ operation it will be written when the dm device is suspended. If the
+ system crashes all cache blocks will be assumed dirty when restarted.
+
+This got broken in commit f177940a8091 ("dm cache metadata: switch to
+using the new cursor api for loading metadata") in 4.9, which removed
+the code that consulted cmd->clean_when_opened (CLEAN_SHUTDOWN on-disk
+flag) when loading cache blocks. This results in data corruption on an
+unclean shutdown with dirty cache blocks on the fast device. After the
+crash those blocks are considered clean and may get evicted from the
+cache at any time. This can be demonstrated by doing a lot of reads
+to trigger individual evictions, but uncache is more predictable:
+
+ ### Disable auto-activation in lvm.conf to be able to do uncache in
+ ### time (i.e. see uncache doing flushing) when the fix is applied.
+
+ # xfs_io -d -c 'pwrite -b 4M -S 0xaa 0 1G' /dev/vdb
+ # vgcreate vg_cache /dev/vdb /dev/vdc
+ # lvcreate -L 1G -n lv_slowdev vg_cache /dev/vdb
+ # lvcreate -L 512M -n lv_cachedev vg_cache /dev/vdc
+ # lvcreate -L 256M -n lv_metadev vg_cache /dev/vdc
+ # lvconvert --type cache-pool --cachemode writeback vg_cache/lv_cachedev --poolmetadata vg_cache/lv_metadev
+ # lvconvert --type cache vg_cache/lv_slowdev --cachepool vg_cache/lv_cachedev
+ # xfs_io -d -c 'pwrite -b 4M -S 0xbb 0 512M' /dev/mapper/vg_cache-lv_slowdev
+ # xfs_io -d -c 'pread -v 254M 512' /dev/mapper/vg_cache-lv_slowdev | head -n 2
+ 0fe00000: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
+ 0fe00010: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
+ # dmsetup status vg_cache-lv_slowdev
+ 0 2097152 cache 8 27/65536 128 8192/8192 1 100 0 0 0 8192 7065 2 metadata2 writeback 2 migration_threshold 2048 smq 0 rw -
+ ^^^^
+ 7065 * 64k = 441M yet to be written to the slow device
+ # echo b >/proc/sysrq-trigger
+
+ # vgchange -ay vg_cache
+ # xfs_io -d -c 'pread -v 254M 512' /dev/mapper/vg_cache-lv_slowdev | head -n 2
+ 0fe00000: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
+ 0fe00010: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
+ # lvconvert --uncache vg_cache/lv_slowdev
+ Flushing 0 blocks for cache vg_cache/lv_slowdev.
+ Logical volume "lv_cachedev" successfully removed
+ Logical volume vg_cache/lv_slowdev is not cached.
+ # xfs_io -d -c 'pread -v 254M 512' /dev/mapper/vg_cache-lv_slowdev | head -n 2
+ 0fe00000: aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa ................
+ 0fe00010: aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa ................
+
+This is the case with both v1 and v2 cache pool metatata formats.
+
+After applying this patch:
+
+ # vgchange -ay vg_cache
+ # xfs_io -d -c 'pread -v 254M 512' /dev/mapper/vg_cache-lv_slowdev | head -n 2
+ 0fe00000: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
+ 0fe00010: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
+ # lvconvert --uncache vg_cache/lv_slowdev
+ Flushing 3724 blocks for cache vg_cache/lv_slowdev.
+ ...
+ Flushing 71 blocks for cache vg_cache/lv_slowdev.
+ Logical volume "lv_cachedev" successfully removed
+ Logical volume vg_cache/lv_slowdev is not cached.
+ # xfs_io -d -c 'pread -v 254M 512' /dev/mapper/vg_cache-lv_slowdev | head -n 2
+ 0fe00000: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
+ 0fe00010: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
+
+Cc: stable@vger.kernel.org
+Fixes: f177940a8091 ("dm cache metadata: switch to using the new cursor api for loading metadata")
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-cache-metadata.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/dm-cache-metadata.c
++++ b/drivers/md/dm-cache-metadata.c
+@@ -1323,6 +1323,7 @@ static int __load_mapping_v1(struct dm_c
+
+ dm_oblock_t oblock;
+ unsigned flags;
++ bool dirty = true;
+
+ dm_array_cursor_get_value(mapping_cursor, (void **) &mapping_value_le);
+ memcpy(&mapping, mapping_value_le, sizeof(mapping));
+@@ -1333,8 +1334,10 @@ static int __load_mapping_v1(struct dm_c
+ dm_array_cursor_get_value(hint_cursor, (void **) &hint_value_le);
+ memcpy(&hint, hint_value_le, sizeof(hint));
+ }
++ if (cmd->clean_when_opened)
++ dirty = flags & M_DIRTY;
+
+- r = fn(context, oblock, to_cblock(cb), flags & M_DIRTY,
++ r = fn(context, oblock, to_cblock(cb), dirty,
+ le32_to_cpu(hint), hints_valid);
+ if (r) {
+ DMERR("policy couldn't load cache block %llu",
+@@ -1362,7 +1365,7 @@ static int __load_mapping_v2(struct dm_c
+
+ dm_oblock_t oblock;
+ unsigned flags;
+- bool dirty;
++ bool dirty = true;
+
+ dm_array_cursor_get_value(mapping_cursor, (void **) &mapping_value_le);
+ memcpy(&mapping, mapping_value_le, sizeof(mapping));
+@@ -1373,8 +1376,9 @@ static int __load_mapping_v2(struct dm_c
+ dm_array_cursor_get_value(hint_cursor, (void **) &hint_value_le);
+ memcpy(&hint, hint_value_le, sizeof(hint));
+ }
++ if (cmd->clean_when_opened)
++ dirty = dm_bitset_cursor_get_value(dirty_cursor);
+
+- dirty = dm_bitset_cursor_get_value(dirty_cursor);
+ r = fn(context, oblock, to_cblock(cb), dirty,
+ le32_to_cpu(hint), hints_valid);
+ if (r) {
--- /dev/null
+From bc9e9cf0401f18e33b78d4c8a518661b8346baf7 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Fri, 10 Aug 2018 11:23:56 -0400
+Subject: dm crypt: don't decrease device limits
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit bc9e9cf0401f18e33b78d4c8a518661b8346baf7 upstream.
+
+dm-crypt should only increase device limits, it should not decrease them.
+
+This fixes a bug where the user could creates a crypt device with 1024
+sector size on the top of scsi device that had 4096 logical block size.
+The limit 4096 would be lost and the user could incorrectly send
+1024-I/Os to the crypt device.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-crypt.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -3069,11 +3069,11 @@ static void crypt_io_hints(struct dm_tar
+ */
+ limits->max_segment_size = PAGE_SIZE;
+
+- if (cc->sector_size != (1 << SECTOR_SHIFT)) {
+- limits->logical_block_size = cc->sector_size;
+- limits->physical_block_size = cc->sector_size;
+- blk_limits_io_min(limits, cc->sector_size);
+- }
++ limits->logical_block_size =
++ max_t(unsigned short, limits->logical_block_size, cc->sector_size);
++ limits->physical_block_size =
++ max_t(unsigned, limits->physical_block_size, cc->sector_size);
++ limits->io_min = max_t(unsigned, limits->io_min, cc->sector_size);
+ }
+
+ static struct target_type crypt_target = {
--- /dev/null
+From c21b16392701543d61e366dca84e15fe7f0cf0cf Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 3 Jul 2018 20:13:25 +0200
+Subject: dm integrity: change 'suspending' variable from bool to int
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit c21b16392701543d61e366dca84e15fe7f0cf0cf upstream.
+
+Early alpha processors can't write a byte or short atomically - they
+read 8 bytes, modify the byte or two bytes in registers and write back
+8 bytes.
+
+The modification of the variable "suspending" may race with
+modification of the variable "failed". Fix this by changing
+"suspending" to an int.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-integrity.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/dm-integrity.c
++++ b/drivers/md/dm-integrity.c
+@@ -178,7 +178,7 @@ struct dm_integrity_c {
+ __u8 sectors_per_block;
+
+ unsigned char mode;
+- bool suspending;
++ int suspending;
+
+ int failed;
+
+@@ -2210,7 +2210,7 @@ static void dm_integrity_postsuspend(str
+
+ del_timer_sync(&ic->autocommit_timer);
+
+- ic->suspending = true;
++ WRITE_ONCE(ic->suspending, 1);
+
+ queue_work(ic->commit_wq, &ic->commit_work);
+ drain_workqueue(ic->commit_wq);
+@@ -2220,7 +2220,7 @@ static void dm_integrity_postsuspend(str
+ dm_integrity_flush_buffers(ic);
+ }
+
+- ic->suspending = false;
++ WRITE_ONCE(ic->suspending, 0);
+
+ BUG_ON(!RB_EMPTY_ROOT(&ic->in_progress));
+
--- /dev/null
+From 75294442d896f2767be34f75aca7cc2b0d01301f Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Thu, 2 Aug 2018 16:18:24 +0800
+Subject: dm thin: stop no_space_timeout worker when switching to write-mode
+
+From: Hou Tao <houtao1@huawei.com>
+
+commit 75294442d896f2767be34f75aca7cc2b0d01301f upstream.
+
+Now both check_for_space() and do_no_space_timeout() will read & write
+pool->pf.error_if_no_space. If these functions run concurrently, as
+shown in the following case, the default setting of "queue_if_no_space"
+can get lost.
+
+precondition:
+ * error_if_no_space = false (aka "queue_if_no_space")
+ * pool is in Out-of-Data-Space (OODS) mode
+ * no_space_timeout worker has been queued
+
+CPU 0: CPU 1:
+// delete a thin device
+process_delete_mesg()
+// check_for_space() invoked by commit()
+set_pool_mode(pool, PM_WRITE)
+ pool->pf.error_if_no_space = \
+ pt->requested_pf.error_if_no_space
+
+ // timeout, pool is still in OODS mode
+ do_no_space_timeout
+ // "queue_if_no_space" config is lost
+ pool->pf.error_if_no_space = true
+ pool->pf.mode = new_mode
+
+Fix it by stopping no_space_timeout worker when switching to write mode.
+
+Fixes: bcc696fac11f ("dm thin: stay in out-of-data-space mode once no_space_timeout expires")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-thin.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/md/dm-thin.c
++++ b/drivers/md/dm-thin.c
+@@ -2520,6 +2520,8 @@ static void set_pool_mode(struct pool *p
+ case PM_WRITE:
+ if (old_mode != new_mode)
+ notify_of_pool_mode_change(pool, "write");
++ if (old_mode == PM_OUT_OF_DATA_SPACE)
++ cancel_delayed_work_sync(&pool->no_space_timeout);
+ pool->out_of_data_space = false;
+ pool->pf.error_if_no_space = pt->requested_pf.error_if_no_space;
+ dm_pool_metadata_read_write(pool->pmd);
--- /dev/null
+From 1e1132ea21da6d7be92a72195204379c819cb70b Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Thu, 16 Aug 2018 12:23:19 -0400
+Subject: dm writecache: fix a crash due to reading past end of dirty_bitmap
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 1e1132ea21da6d7be92a72195204379c819cb70b upstream.
+
+wc->dirty_bitmap_size is in bytes so must multiply it by 8, not by
+BITS_PER_LONG, to get number of bitmap_bits.
+
+Fixes crash in find_next_bit() that was reported:
+https://bugzilla.kernel.org/show_bug.cgi?id=200819
+
+Reported-by: edo.rus@gmail.com
+Fixes: 48debafe4f2f ("dm: add writecache target")
+Cc: stable@vger.kernel.org # 4.18
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-writecache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-writecache.c
++++ b/drivers/md/dm-writecache.c
+@@ -457,7 +457,7 @@ static void ssd_commit_flushed(struct dm
+ COMPLETION_INITIALIZER_ONSTACK(endio.c),
+ ATOMIC_INIT(1),
+ };
+- unsigned bitmap_bits = wc->dirty_bitmap_size * BITS_PER_LONG;
++ unsigned bitmap_bits = wc->dirty_bitmap_size * 8;
+ unsigned i = 0;
+
+ while (1) {
--- /dev/null
+From 50229128727f7e11840ca1b2b501f880818d56b6 Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Tue, 5 Jun 2018 13:37:52 -0700
+Subject: Drivers: hv: vmbus: Fix the offer_in_progress in vmbus_process_offer()
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit 50229128727f7e11840ca1b2b501f880818d56b6 upstream.
+
+I didn't really hit a real bug, but just happened to spot the bug:
+we have decreased the counter at the beginning of vmbus_process_offer(),
+so we mustn't decrease it again.
+
+Fixes: 6f3d791f3006 ("Drivers: hv: vmbus: Fix rescind handling issues")
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Cc: stable@vger.kernel.org
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: K. Y. Srinivasan <kys@microsoft.com>
+Cc: Stable <stable@vger.kernel.org> # 4.14 and above
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/channel_mgmt.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/hv/channel_mgmt.c
++++ b/drivers/hv/channel_mgmt.c
+@@ -527,10 +527,8 @@ static void vmbus_process_offer(struct v
+ struct hv_device *dev
+ = newchannel->primary_channel->device_obj;
+
+- if (vmbus_add_channel_kobj(dev, newchannel)) {
+- atomic_dec(&vmbus_connection.offer_in_progress);
++ if (vmbus_add_channel_kobj(dev, newchannel))
+ goto err_free_chan;
+- }
+
+ if (channel->sc_creation_callback != NULL)
+ channel->sc_creation_callback(newchannel);
--- /dev/null
+From d3b26dd7cb0e3433bfd3c1d4dcf74c6039bb49fb Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Thu, 2 Aug 2018 03:08:23 +0000
+Subject: Drivers: hv: vmbus: Reset the channel callback in vmbus_onoffer_rescind()
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit d3b26dd7cb0e3433bfd3c1d4dcf74c6039bb49fb upstream.
+
+Before setting channel->rescind in vmbus_rescind_cleanup(), we should make
+sure the channel callback won't run any more, otherwise a high-level
+driver like pci_hyperv, which may be infinitely waiting for the host VSP's
+response and notices the channel has been rescinded, can't safely give
+up: e.g., in hv_pci_protocol_negotiation() -> wait_for_response(), it's
+unsafe to exit from wait_for_response() and proceed with the on-stack
+variable "comp_pkt" popped. The issue was originally spotted by
+Michael Kelley <mikelley@microsoft.com>.
+
+In vmbus_close_internal(), the patch also minimizes the range protected by
+disabling/enabling channel->callback_event: we don't really need that for
+the whole function.
+
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Cc: stable@vger.kernel.org
+Cc: K. Y. Srinivasan <kys@microsoft.com>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: Michael Kelley <mikelley@microsoft.com>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/channel.c | 40 ++++++++++++++++++++++++----------------
+ drivers/hv/channel_mgmt.c | 6 ++++++
+ include/linux/hyperv.h | 2 ++
+ 3 files changed, 32 insertions(+), 16 deletions(-)
+
+--- a/drivers/hv/channel.c
++++ b/drivers/hv/channel.c
+@@ -558,11 +558,8 @@ static void reset_channel_cb(void *arg)
+ channel->onchannel_callback = NULL;
+ }
+
+-static int vmbus_close_internal(struct vmbus_channel *channel)
++void vmbus_reset_channel_cb(struct vmbus_channel *channel)
+ {
+- struct vmbus_channel_close_channel *msg;
+- int ret;
+-
+ /*
+ * vmbus_on_event(), running in the per-channel tasklet, can race
+ * with vmbus_close_internal() in the case of SMP guest, e.g., when
+@@ -572,6 +569,29 @@ static int vmbus_close_internal(struct v
+ */
+ tasklet_disable(&channel->callback_event);
+
++ channel->sc_creation_callback = NULL;
++
++ /* Stop the callback asap */
++ if (channel->target_cpu != get_cpu()) {
++ put_cpu();
++ smp_call_function_single(channel->target_cpu, reset_channel_cb,
++ channel, true);
++ } else {
++ reset_channel_cb(channel);
++ put_cpu();
++ }
++
++ /* Re-enable tasklet for use on re-open */
++ tasklet_enable(&channel->callback_event);
++}
++
++static int vmbus_close_internal(struct vmbus_channel *channel)
++{
++ struct vmbus_channel_close_channel *msg;
++ int ret;
++
++ vmbus_reset_channel_cb(channel);
++
+ /*
+ * In case a device driver's probe() fails (e.g.,
+ * util_probe() -> vmbus_open() returns -ENOMEM) and the device is
+@@ -585,16 +605,6 @@ static int vmbus_close_internal(struct v
+ }
+
+ channel->state = CHANNEL_OPEN_STATE;
+- channel->sc_creation_callback = NULL;
+- /* Stop callback and cancel the timer asap */
+- if (channel->target_cpu != get_cpu()) {
+- put_cpu();
+- smp_call_function_single(channel->target_cpu, reset_channel_cb,
+- channel, true);
+- } else {
+- reset_channel_cb(channel);
+- put_cpu();
+- }
+
+ /* Send a closing message */
+
+@@ -639,8 +649,6 @@ static int vmbus_close_internal(struct v
+ get_order(channel->ringbuffer_pagecount * PAGE_SIZE));
+
+ out:
+- /* re-enable tasklet for use on re-open */
+- tasklet_enable(&channel->callback_event);
+ return ret;
+ }
+
+--- a/drivers/hv/channel_mgmt.c
++++ b/drivers/hv/channel_mgmt.c
+@@ -893,6 +893,12 @@ static void vmbus_onoffer_rescind(struct
+ }
+
+ /*
++ * Before setting channel->rescind in vmbus_rescind_cleanup(), we
++ * should make sure the channel callback is not running any more.
++ */
++ vmbus_reset_channel_cb(channel);
++
++ /*
+ * Now wait for offer handling to complete.
+ */
+ vmbus_rescind_cleanup(channel);
+--- a/include/linux/hyperv.h
++++ b/include/linux/hyperv.h
+@@ -1046,6 +1046,8 @@ extern int vmbus_establish_gpadl(struct
+ extern int vmbus_teardown_gpadl(struct vmbus_channel *channel,
+ u32 gpadl_handle);
+
++void vmbus_reset_channel_cb(struct vmbus_channel *channel);
++
+ extern int vmbus_recvpacket(struct vmbus_channel *channel,
+ void *buffer,
+ u32 bufferlen,
--- /dev/null
+From 45cd74cb5061781e793a098c420a7f548fdc9e7d Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 10 Jul 2018 17:15:38 +0200
+Subject: eventpoll.h: wrap casts in () properly
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 45cd74cb5061781e793a098c420a7f548fdc9e7d upstream.
+
+When importing the latest copy of the kernel headers into Bionic,
+Christpher and Elliott noticed that the eventpoll.h casts were not
+wrapped in (). As it is, clang complains about macros without
+surrounding (), so this makes it a pain for userspace tools.
+
+So fix it up by adding another () pair, and make them line up purty by
+using tabs.
+
+Fixes: 65aaf87b3aa2 ("add EPOLLNVAL, annotate EPOLL... and event_poll->event")
+Reported-by: Christopher Ferris <cferris@google.com>
+Reported-by: Elliott Hughes <enh@google.com>
+Cc: stable <stable@vger.kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/uapi/linux/eventpoll.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/include/uapi/linux/eventpoll.h
++++ b/include/uapi/linux/eventpoll.h
+@@ -42,7 +42,7 @@
+ #define EPOLLRDHUP (__force __poll_t)0x00002000
+
+ /* Set exclusive wakeup mode for the target file descriptor */
+-#define EPOLLEXCLUSIVE (__force __poll_t)(1U << 28)
++#define EPOLLEXCLUSIVE ((__force __poll_t)(1U << 28))
+
+ /*
+ * Request the handling of system wakeup events so as to prevent system suspends
+@@ -54,13 +54,13 @@
+ *
+ * Requires CAP_BLOCK_SUSPEND
+ */
+-#define EPOLLWAKEUP (__force __poll_t)(1U << 29)
++#define EPOLLWAKEUP ((__force __poll_t)(1U << 29))
+
+ /* Set the One Shot behaviour for the target file descriptor */
+-#define EPOLLONESHOT (__force __poll_t)(1U << 30)
++#define EPOLLONESHOT ((__force __poll_t)(1U << 30))
+
+ /* Set the Edge Triggered behaviour for the target file descriptor */
+-#define EPOLLET (__force __poll_t)(1U << 31)
++#define EPOLLET ((__force __poll_t)(1U << 31))
+
+ /*
+ * On x86-64 make the 64bit structure have the same alignment as the
--- /dev/null
+From 8a9dbb779fe882325b9a0238494a7afaff2eb444 Mon Sep 17 00:00:00 2001
+From: Chanwoo Choi <cw00.choi@samsung.com>
+Date: Thu, 14 Jun 2018 11:16:29 +0900
+Subject: extcon: Release locking when sending the notification of connector state
+
+From: Chanwoo Choi <cw00.choi@samsung.com>
+
+commit 8a9dbb779fe882325b9a0238494a7afaff2eb444 upstream.
+
+Previously, extcon used the spinlock before calling the notifier_call_chain
+to prevent the scheduled out of task and to prevent the notification delay.
+When spinlock is locked for sending the notification, deadlock issue
+occured on the side of extcon consumer device. To fix this issue,
+extcon consumer device should always use the work. it is always not
+reasonable to use work.
+
+To fix this issue on extcon consumer device, release locking when sending
+the notification of connector state.
+
+Fixes: ab11af049f88 ("extcon: Add the synchronization extcon APIs to support the notification")
+Cc: stable@vger.kernel.org
+Cc: Roger Quadros <rogerq@ti.com>
+Cc: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/extcon/extcon.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/extcon/extcon.c
++++ b/drivers/extcon/extcon.c
+@@ -433,8 +433,8 @@ int extcon_sync(struct extcon_dev *edev,
+ return index;
+
+ spin_lock_irqsave(&edev->lock, flags);
+-
+ state = !!(edev->state & BIT(index));
++ spin_unlock_irqrestore(&edev->lock, flags);
+
+ /*
+ * Call functions in a raw notifier chain for the specific one
+@@ -448,6 +448,7 @@ int extcon_sync(struct extcon_dev *edev,
+ */
+ raw_notifier_call_chain(&edev->nh_all, state, edev);
+
++ spin_lock_irqsave(&edev->lock, flags);
+ /* This could be in interrupt handler */
+ prop_buf = (char *)get_zeroed_page(GFP_ATOMIC);
+ if (!prop_buf) {
--- /dev/null
+From 5a4e33c1c53ae7d4425f7d94e60e4458a37b349e Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Mon, 25 Jun 2018 11:03:07 +0300
+Subject: iio: ad9523: Fix displayed phase
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+commit 5a4e33c1c53ae7d4425f7d94e60e4458a37b349e upstream.
+
+Fix the displayed phase for the ad9523 driver. Currently the most
+significant decimal place is dropped and all other digits are shifted one
+to the left. This is due to a multiplication by 10, which is not necessary,
+so remove it.
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Fixes: cd1678f9632 ("iio: frequency: New driver for AD9523 SPI Low Jitter Clock Generator")
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/frequency/ad9523.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/frequency/ad9523.c
++++ b/drivers/iio/frequency/ad9523.c
+@@ -642,7 +642,7 @@ static int ad9523_read_raw(struct iio_de
+ code = (AD9523_CLK_DIST_DIV_PHASE_REV(ret) * 3141592) /
+ AD9523_CLK_DIST_DIV_REV(ret);
+ *val = code / 1000000;
+- *val2 = (code % 1000000) * 10;
++ *val2 = code % 1000000;
+ return IIO_VAL_INT_PLUS_MICRO;
+ default:
+ return -EINVAL;
--- /dev/null
+From 9a5094ca29ea9b1da301b31fd377c0c0c4c23034 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Fri, 27 Jul 2018 09:42:45 +0300
+Subject: iio: ad9523: Fix return value for ad952x_store()
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+commit 9a5094ca29ea9b1da301b31fd377c0c0c4c23034 upstream.
+
+A sysfs write callback function needs to either return the number of
+consumed characters or an error.
+
+The ad952x_store() function currently returns 0 if the input value was "0",
+this will signal that no characters have been consumed and the function
+will be called repeatedly in a loop indefinitely. Fix this by returning
+number of supplied characters to indicate that the whole input string has
+been consumed.
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Fixes: cd1678f96329 ("iio: frequency: New driver for AD9523 SPI Low Jitter Clock Generator")
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/frequency/ad9523.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/frequency/ad9523.c
++++ b/drivers/iio/frequency/ad9523.c
+@@ -508,7 +508,7 @@ static ssize_t ad9523_store(struct devic
+ return ret;
+
+ if (!state)
+- return 0;
++ return len;
+
+ mutex_lock(&indio_dev->mlock);
+ switch ((u32)this_attr->address) {
--- /dev/null
+From c5b974bee9d2ceae4c441ae5a01e498c2674e100 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Sat, 7 Jul 2018 12:44:01 -0500
+Subject: iio: sca3000: Fix missing return in switch
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit c5b974bee9d2ceae4c441ae5a01e498c2674e100 upstream.
+
+The IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY case is missing a
+return and will fall through to the default case and errorenously
+return -EINVAL.
+
+Fix this by adding in missing *return ret*.
+
+Fixes: 626f971b5b07 ("staging:iio:accel:sca3000 Add write support to the low pass filter control")
+Reported-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/accel/sca3000.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/accel/sca3000.c
++++ b/drivers/iio/accel/sca3000.c
+@@ -797,6 +797,7 @@ static int sca3000_write_raw(struct iio_
+ mutex_lock(&st->lock);
+ ret = sca3000_write_3db_freq(st, val);
+ mutex_unlock(&st->lock);
++ return ret;
+ default:
+ return -EINVAL;
+ }
--- /dev/null
+From 6e9df95b76cad18f7b217bdad7bb8a26d63b8c47 Mon Sep 17 00:00:00 2001
+From: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
+Date: Fri, 20 Jul 2018 15:16:42 +0530
+Subject: livepatch: Validate module/old func name length
+
+From: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
+
+commit 6e9df95b76cad18f7b217bdad7bb8a26d63b8c47 upstream.
+
+livepatch module author can pass module name/old function name with more
+than the defined character limit. With obj->name length greater than
+MODULE_NAME_LEN, the livepatch module gets loaded but waits forever on
+the module specified by obj->name to be loaded. It also populates a /sys
+directory with an untruncated object name.
+
+In the case of funcs->old_name length greater then KSYM_NAME_LEN, it
+would not match against any of the symbol table entries. Instead loop
+through the symbol table comparing them against a nonexisting function,
+which can be avoided.
+
+The same issues apply, to misspelled/incorrect names. At least gatekeep
+the modules with over the limit string length, by checking for their
+length during livepatch module registration.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
+Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/livepatch/core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/kernel/livepatch/core.c
++++ b/kernel/livepatch/core.c
+@@ -678,6 +678,9 @@ static int klp_init_func(struct klp_obje
+ if (!func->old_name || !func->new_func)
+ return -EINVAL;
+
++ if (strlen(func->old_name) >= KSYM_NAME_LEN)
++ return -EINVAL;
++
+ INIT_LIST_HEAD(&func->stack_node);
+ func->patched = false;
+ func->transition = false;
+@@ -751,6 +754,9 @@ static int klp_init_object(struct klp_pa
+ if (!obj->funcs)
+ return -EINVAL;
+
++ if (klp_is_module(obj) && strlen(obj->name) >= MODULE_NAME_LEN)
++ return -EINVAL;
++
+ obj->patched = false;
+ obj->mod = NULL;
+
--- /dev/null
+From 6afebb70ee7a4bde106dc1a875e7ac7997248f84 Mon Sep 17 00:00:00 2001
+From: Rafael David Tinoco <rafael.tinoco@linaro.org>
+Date: Fri, 6 Jul 2018 14:28:33 -0300
+Subject: mfd: hi655x: Fix regmap area declared size for hi655x
+
+From: Rafael David Tinoco <rafael.tinoco@linaro.org>
+
+commit 6afebb70ee7a4bde106dc1a875e7ac7997248f84 upstream.
+
+Fixes https://bugs.linaro.org/show_bug.cgi?id=3903
+
+LTP Functional tests have caused a bad paging request when triggering
+the regmap_read_debugfs() logic of the device PMIC Hi6553 (reading
+regmap/f8000000.pmic/registers file during read_all test):
+
+Unable to handle kernel paging request at virtual address ffff0
+[ffff00000984e000] pgd=0000000077ffe803, pud=0000000077ffd803,0
+Internal error: Oops: 96000007 [#1] SMP
+...
+Hardware name: HiKey Development Board (DT)
+...
+Call trace:
+ regmap_mmio_read8+0x24/0x40
+ regmap_mmio_read+0x48/0x70
+ _regmap_bus_reg_read+0x38/0x48
+ _regmap_read+0x68/0x170
+ regmap_read+0x50/0x78
+ regmap_read_debugfs+0x1a0/0x308
+ regmap_map_read_file+0x48/0x58
+ full_proxy_read+0x68/0x98
+ __vfs_read+0x48/0x80
+ vfs_read+0x94/0x150
+ SyS_read+0x6c/0xd8
+ el0_svc_naked+0x30/0x34
+Code: aa1e03e0 d503201f f9400280 8b334000 (39400000)
+
+Investigations have showed that, when triggered by debugfs read()
+handler, the mmio regmap logic was reading a bigger (16k) register area
+than the one mapped by devm_ioremap_resource() during hi655x-pmic probe
+time (4k).
+
+This commit changes hi655x's max register, according to HW specs, to be
+the same as the one declared in the pmic device in hi6220's dts, fixing
+the issue.
+
+Cc: <stable@vger.kernel.org> #v4.9 #v4.14 #v4.16 #v4.17
+Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/hi655x-pmic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mfd/hi655x-pmic.c
++++ b/drivers/mfd/hi655x-pmic.c
+@@ -49,7 +49,7 @@ static struct regmap_config hi655x_regma
+ .reg_bits = 32,
+ .reg_stride = HI655X_STRIDE,
+ .val_bits = 8,
+- .max_register = HI655X_BUS_ADDR(0xFFF),
++ .max_register = HI655X_BUS_ADDR(0x400) - HI655X_STRIDE,
+ };
+
+ static struct resource pwrkey_resources[] = {
--- /dev/null
+From 0c66847793d1982d1083dc6f7adad60fa265ce9c Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@mellanox.com>
+Date: Wed, 1 Aug 2018 14:25:39 -0700
+Subject: overflow.h: Add arithmetic shift helper
+
+From: Jason Gunthorpe <jgg@mellanox.com>
+
+commit 0c66847793d1982d1083dc6f7adad60fa265ce9c upstream.
+
+Add shift_overflow() helper to assist driver authors in ensuring that
+shift operations don't cause overflows or other odd conditions.
+
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+[kees: tweaked comments and commit log, dropped unneeded assignment]
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/overflow.h | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+--- a/include/linux/overflow.h
++++ b/include/linux/overflow.h
+@@ -202,6 +202,37 @@
+
+ #endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */
+
++/** check_shl_overflow() - Calculate a left-shifted value and check overflow
++ *
++ * @a: Value to be shifted
++ * @s: How many bits left to shift
++ * @d: Pointer to where to store the result
++ *
++ * Computes *@d = (@a << @s)
++ *
++ * Returns true if '*d' cannot hold the result or when 'a << s' doesn't
++ * make sense. Example conditions:
++ * - 'a << s' causes bits to be lost when stored in *d.
++ * - 's' is garbage (e.g. negative) or so large that the result of
++ * 'a << s' is guaranteed to be 0.
++ * - 'a' is negative.
++ * - 'a << s' sets the sign bit, if any, in '*d'.
++ *
++ * '*d' will hold the results of the attempted shift, but is not
++ * considered "safe for use" if false is returned.
++ */
++#define check_shl_overflow(a, s, d) ({ \
++ typeof(a) _a = a; \
++ typeof(s) _s = s; \
++ typeof(d) _d = d; \
++ u64 _a_full = _a; \
++ unsigned int _to_shift = \
++ _s >= 0 && _s < 8 * sizeof(*d) ? _s : 0; \
++ *_d = (_a_full << _to_shift); \
++ (_to_shift != _s || *_d < 0 || _a < 0 || \
++ (*_d >> _to_shift) != _a); \
++})
++
+ /**
+ * array_size() - Calculate size of 2-dimensional array.
+ *
--- /dev/null
+From 67810693077afc1ebf9e1646af300436cb8103c2 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Tue, 17 Jul 2018 16:05:38 +0300
+Subject: ovl: fix wrong use of impure dir cache in ovl_iterate()
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 67810693077afc1ebf9e1646af300436cb8103c2 upstream.
+
+Only upper dir can be impure, but if we are in the middle of
+iterating a lower real dir, dir could be copied up and marked
+impure. We only want the impure cache if we started iterating
+a real upper dir to begin with.
+
+Aditya Kali reported that the following reproducer hits the
+WARN_ON(!cache->refcount) in ovl_get_cache():
+
+ docker run --rm drupal:8.5.4-fpm-alpine \
+ sh -c 'cd /var/www/html/vendor/symfony && \
+ chown -R www-data:www-data . && ls -l .'
+
+Reported-by: Aditya Kali <adityakali@google.com>
+Tested-by: Aditya Kali <adityakali@google.com>
+Fixes: 4edb83bb1041 ('ovl: constant d_ino for non-merge dirs')
+Cc: <stable@vger.kernel.org> # v4.14
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/readdir.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/fs/overlayfs/readdir.c
++++ b/fs/overlayfs/readdir.c
+@@ -668,6 +668,21 @@ static int ovl_fill_real(struct dir_cont
+ return orig_ctx->actor(orig_ctx, name, namelen, offset, ino, d_type);
+ }
+
++static bool ovl_is_impure_dir(struct file *file)
++{
++ struct ovl_dir_file *od = file->private_data;
++ struct inode *dir = d_inode(file->f_path.dentry);
++
++ /*
++ * Only upper dir can be impure, but if we are in the middle of
++ * iterating a lower real dir, dir could be copied up and marked
++ * impure. We only want the impure cache if we started iterating
++ * a real upper dir to begin with.
++ */
++ return od->is_upper && ovl_test_flag(OVL_IMPURE, dir);
++
++}
++
+ static int ovl_iterate_real(struct file *file, struct dir_context *ctx)
+ {
+ int err;
+@@ -696,7 +711,7 @@ static int ovl_iterate_real(struct file
+ rdt.parent_ino = stat.ino;
+ }
+
+- if (ovl_test_flag(OVL_IMPURE, d_inode(dir))) {
++ if (ovl_is_impure_dir(file)) {
+ rdt.cache = ovl_cache_get_impure(&file->f_path);
+ if (IS_ERR(rdt.cache))
+ return PTR_ERR(rdt.cache);
+@@ -727,7 +742,7 @@ static int ovl_iterate(struct file *file
+ */
+ if (ovl_xino_bits(dentry->d_sb) ||
+ (ovl_same_sb(dentry->d_sb) &&
+- (ovl_test_flag(OVL_IMPURE, d_inode(dentry)) ||
++ (ovl_is_impure_dir(file) ||
+ OVL_TYPE_MERGE(ovl_path_type(dentry->d_parent))))) {
+ return ovl_iterate_real(file, ctx);
+ }
--- /dev/null
+From d1c392c9e2a301f38998a353f467f76414e38725 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Wed, 5 Sep 2018 16:29:49 -0400
+Subject: printk/tracing: Do not trace printk_nmi_enter()
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit d1c392c9e2a301f38998a353f467f76414e38725 upstream.
+
+I hit the following splat in my tests:
+
+------------[ cut here ]------------
+IRQs not enabled as expected
+WARNING: CPU: 3 PID: 0 at kernel/time/tick-sched.c:982 tick_nohz_idle_enter+0x44/0x8c
+Modules linked in: ip6t_REJECT nf_reject_ipv6 ip6table_filter ip6_tables ipv6
+CPU: 3 PID: 0 Comm: swapper/3 Not tainted 4.19.0-rc2-test+ #2
+Hardware name: MSI MS-7823/CSM-H87M-G43 (MS-7823), BIOS V1.6 02/22/2014
+EIP: tick_nohz_idle_enter+0x44/0x8c
+Code: ec 05 00 00 00 75 26 83 b8 c0 05 00 00 00 75 1d 80 3d d0 36 3e c1 00
+75 14 68 94 63 12 c1 c6 05 d0 36 3e c1 01 e8 04 ee f8 ff <0f> 0b 58 fa bb a0
+e5 66 c1 e8 25 0f 04 00 64 03 1d 28 31 52 c1 8b
+EAX: 0000001c EBX: f26e7f8c ECX: 00000006 EDX: 00000007
+ESI: f26dd1c0 EDI: 00000000 EBP: f26e7f40 ESP: f26e7f38
+DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010296
+CR0: 80050033 CR2: 0813c6b0 CR3: 2f342000 CR4: 001406f0
+Call Trace:
+ do_idle+0x33/0x202
+ cpu_startup_entry+0x61/0x63
+ start_secondary+0x18e/0x1ed
+ startup_32_smp+0x164/0x168
+irq event stamp: 18773830
+hardirqs last enabled at (18773829): [<c040150c>] trace_hardirqs_on_thunk+0xc/0x10
+hardirqs last disabled at (18773830): [<c040151c>] trace_hardirqs_off_thunk+0xc/0x10
+softirqs last enabled at (18773824): [<c0ddaa6f>] __do_softirq+0x25f/0x2bf
+softirqs last disabled at (18773767): [<c0416bbe>] call_on_stack+0x45/0x4b
+---[ end trace b7c64aa79e17954a ]---
+
+After a bit of debugging, I found what was happening. This would trigger
+when performing "perf" with a high NMI interrupt rate, while enabling and
+disabling function tracer. Ftrace uses breakpoints to convert the nops at
+the start of functions to calls to the function trampolines. The breakpoint
+traps disable interrupts and this makes calls into lockdep via the
+trace_hardirqs_off_thunk in the entry.S code. What happens is the following:
+
+ do_idle {
+
+ [interrupts enabled]
+
+ <interrupt> [interrupts disabled]
+ TRACE_IRQS_OFF [lockdep says irqs off]
+ [...]
+ TRACE_IRQS_IRET
+ test if pt_regs say return to interrupts enabled [yes]
+ TRACE_IRQS_ON [lockdep says irqs are on]
+
+ <nmi>
+ nmi_enter() {
+ printk_nmi_enter() [traced by ftrace]
+ [ hit ftrace breakpoint ]
+ <breakpoint exception>
+ TRACE_IRQS_OFF [lockdep says irqs off]
+ [...]
+ TRACE_IRQS_IRET [return from breakpoint]
+ test if pt_regs say interrupts enabled [no]
+ [iret back to interrupt]
+ [iret back to code]
+
+ tick_nohz_idle_enter() {
+
+ lockdep_assert_irqs_enabled() [lockdep say no!]
+
+Although interrupts are indeed enabled, lockdep thinks it is not, and since
+we now do asserts via lockdep, it gives a false warning. The issue here is
+that printk_nmi_enter() is called before lockdep_off(), which disables
+lockdep (for this reason) in NMIs. By simply not allowing ftrace to see
+printk_nmi_enter() (via notrace annotation) we keep lockdep from getting
+confused.
+
+Cc: stable@vger.kernel.org
+Fixes: 42a0bb3f71383 ("printk/nmi: generic solution for safe printk in NMI")
+Acked-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Acked-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/printk/printk_safe.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/printk/printk_safe.c
++++ b/kernel/printk/printk_safe.c
+@@ -306,12 +306,12 @@ static __printf(1, 0) int vprintk_nmi(co
+ return printk_safe_log_store(s, fmt, args);
+ }
+
+-void printk_nmi_enter(void)
++void notrace printk_nmi_enter(void)
+ {
+ this_cpu_or(printk_context, PRINTK_NMI_CONTEXT_MASK);
+ }
+
+-void printk_nmi_exit(void)
++void notrace printk_nmi_exit(void)
+ {
+ this_cpu_and(printk_context, ~PRINTK_NMI_CONTEXT_MASK);
+ }
--- /dev/null
+From 5c8b84f410b3819d14cb1ebf32e4b3714b5a6e0b Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 4 Jul 2018 11:05:55 +0200
+Subject: rtc: omap: fix potential crash on power off
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 5c8b84f410b3819d14cb1ebf32e4b3714b5a6e0b upstream.
+
+Do not set the system power-off callback and omap power-off rtc pointer
+until we're done setting up our device to avoid leaving stale pointers
+around after a late probe error.
+
+Fixes: 97ea1906b3c2 ("rtc: omap: Support ext_wakeup configuration")
+Cc: stable <stable@vger.kernel.org> # 4.9
+Cc: Marcin Niestroj <m.niestroj@grinn-global.com>
+Cc: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Reviewed-by: Marcin Niestroj <m.niestroj@grinn-global.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/rtc/rtc-omap.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/rtc/rtc-omap.c
++++ b/drivers/rtc/rtc-omap.c
+@@ -861,13 +861,6 @@ static int omap_rtc_probe(struct platfor
+ goto err;
+ }
+
+- if (rtc->is_pmic_controller) {
+- if (!pm_power_off) {
+- omap_rtc_power_off_rtc = rtc;
+- pm_power_off = omap_rtc_power_off;
+- }
+- }
+-
+ /* Support ext_wakeup pinconf */
+ rtc_pinctrl_desc.name = dev_name(&pdev->dev);
+
+@@ -884,6 +877,13 @@ static int omap_rtc_probe(struct platfor
+
+ rtc_nvmem_register(rtc->rtc, &omap_rtc_nvmem_config);
+
++ if (rtc->is_pmic_controller) {
++ if (!pm_power_off) {
++ omap_rtc_power_off_rtc = rtc;
++ pm_power_off = omap_rtc_power_off;
++ }
++ }
++
+ return 0;
+
+ err_deregister_pinctrl:
--- /dev/null
+From 551757eb052986ec81cebcc6301cc1c4f8dca938 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 4 Jul 2018 11:05:56 +0200
+Subject: rtc: omap: fix resource leak in registration error path
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 551757eb052986ec81cebcc6301cc1c4f8dca938 upstream.
+
+Make sure to deregister the pin controller in case rtc registration
+fails.
+
+Fixes: 57072758623f ("rtc: omap: switch to rtc_register_device")
+Cc: stable <stable@vger.kernel.org> # 4.14
+Cc: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/rtc/rtc-omap.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/rtc/rtc-omap.c
++++ b/drivers/rtc/rtc-omap.c
+@@ -880,12 +880,14 @@ static int omap_rtc_probe(struct platfor
+
+ ret = rtc_register_device(rtc->rtc);
+ if (ret)
+- goto err;
++ goto err_deregister_pinctrl;
+
+ rtc_nvmem_register(rtc->rtc, &omap_rtc_nvmem_config);
+
+ return 0;
+
++err_deregister_pinctrl:
++ pinctrl_unregister(rtc->pctldev);
+ err:
+ clk_disable_unprepare(rtc->clk);
+ device_init_wakeup(&pdev->dev, false);
ib-srpt-fix-srpt_cm_req_recv-error-path-1-2.patch
ib-srpt-fix-srpt_cm_req_recv-error-path-2-2.patch
ib-srpt-support-hcas-with-more-than-two-ports.patch
+overflow.h-add-arithmetic-shift-helper.patch
rdma-mlx5-fix-shift-overflow-in-mlx5_ib_create_wq.patch
ib_srpt-fix-a-use-after-free-in-srpt_close_ch.patch
ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch
9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch
net-9p-client.c-version-pointer-uninitialized.patch
net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch
+dm-integrity-change-suspending-variable-from-bool-to-int.patch
+dm-thin-stop-no_space_timeout-worker-when-switching-to-write-mode.patch
+dm-cache-metadata-save-in-core-policy_hint_size-to-on-disk-superblock.patch
+dm-cache-metadata-set-dirty-on-all-cache-blocks-after-a-crash.patch
+dm-crypt-don-t-decrease-device-limits.patch
+dm-writecache-fix-a-crash-due-to-reading-past-end-of-dirty_bitmap.patch
+uart-fix-race-between-uart_put_char-and-uart_shutdown.patch
+drivers-hv-vmbus-fix-the-offer_in_progress-in-vmbus_process_offer.patch
+drivers-hv-vmbus-reset-the-channel-callback-in-vmbus_onoffer_rescind.patch
+iio-sca3000-fix-missing-return-in-switch.patch
+iio-ad9523-fix-displayed-phase.patch
+iio-ad9523-fix-return-value-for-ad952x_store.patch
+extcon-release-locking-when-sending-the-notification-of-connector-state.patch
+eventpoll.h-wrap-casts-in-properly.patch
+vmw_balloon-fix-inflation-of-64-bit-gfns.patch
+vmw_balloon-do-not-use-2mb-without-batching.patch
+vmw_balloon-vmci_doorbell_set-does-not-check-status.patch
+vmw_balloon-fix-vmci-use-when-balloon-built-into-kernel.patch
+rtc-omap-fix-resource-leak-in-registration-error-path.patch
+rtc-omap-fix-potential-crash-on-power-off.patch
+tracing-do-not-call-start-stop-functions-when-tracing_on-does-not-change.patch
+tracing-blktrace-fix-to-allow-setting-same-value.patch
+printk-tracing-do-not-trace-printk_nmi_enter.patch
+livepatch-validate-module-old-func-name-length.patch
+uprobes-use-synchronize_rcu-not-synchronize_sched.patch
+mfd-hi655x-fix-regmap-area-declared-size-for-hi655x.patch
+ovl-fix-wrong-use-of-impure-dir-cache-in-ovl_iterate.patch
--- /dev/null
+From 757d9140072054528b13bbe291583d9823cde195 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Thu, 16 Aug 2018 16:08:37 -0400
+Subject: tracing/blktrace: Fix to allow setting same value
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 757d9140072054528b13bbe291583d9823cde195 upstream.
+
+Masami Hiramatsu reported:
+
+ Current trace-enable attribute in sysfs returns an error
+ if user writes the same setting value as current one,
+ e.g.
+
+ # cat /sys/block/sda/trace/enable
+ 0
+ # echo 0 > /sys/block/sda/trace/enable
+ bash: echo: write error: Invalid argument
+ # echo 1 > /sys/block/sda/trace/enable
+ # echo 1 > /sys/block/sda/trace/enable
+ bash: echo: write error: Device or resource busy
+
+ But this is not a preferred behavior, it should ignore
+ if new setting is same as current one. This fixes the
+ problem as below.
+
+ # cat /sys/block/sda/trace/enable
+ 0
+ # echo 0 > /sys/block/sda/trace/enable
+ # echo 1 > /sys/block/sda/trace/enable
+ # echo 1 > /sys/block/sda/trace/enable
+
+Link: http://lkml.kernel.org/r/20180816103802.08678002@gandalf.local.home
+
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: linux-block@vger.kernel.org
+Cc: stable@vger.kernel.org
+Fixes: cd649b8bb830d ("blktrace: remove sysfs_blk_trace_enable_show/store()")
+Reported-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/blktrace.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/trace/blktrace.c
++++ b/kernel/trace/blktrace.c
+@@ -1841,6 +1841,10 @@ static ssize_t sysfs_blk_trace_attr_stor
+ mutex_lock(&q->blk_trace_mutex);
+
+ if (attr == &dev_attr_enable) {
++ if (!!value == !!q->blk_trace) {
++ ret = 0;
++ goto out_unlock_bdev;
++ }
+ if (value)
+ ret = blk_trace_setup_queue(q, bdev);
+ else
--- /dev/null
+From f143641bfef9a4a60c57af30de26c63057e7e695 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Wed, 1 Aug 2018 15:40:57 -0400
+Subject: tracing: Do not call start/stop() functions when tracing_on does not change
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit f143641bfef9a4a60c57af30de26c63057e7e695 upstream.
+
+Currently, when one echo's in 1 into tracing_on, the current tracer's
+"start()" function is executed, even if tracing_on was already one. This can
+lead to strange side effects. One being that if the hwlat tracer is enabled,
+and someone does "echo 1 > tracing_on" into tracing_on, the hwlat tracer's
+start() function is called again which will recreate another kernel thread,
+and make it unable to remove the old one.
+
+Link: http://lkml.kernel.org/r/1533120354-22923-1-git-send-email-erica.bugden@linutronix.de
+
+Cc: stable@vger.kernel.org
+Fixes: 2df8f8a6a897e ("tracing: Fix regression with irqsoff tracer and tracing_on file")
+Reported-by: Erica Bugden <erica.bugden@linutronix.de>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -7628,7 +7628,9 @@ rb_simple_write(struct file *filp, const
+
+ if (buffer) {
+ mutex_lock(&trace_types_lock);
+- if (val) {
++ if (!!val == tracer_tracing_is_on(tr)) {
++ val = 0; /* do nothing */
++ } else if (val) {
+ tracer_tracing_on(tr);
+ if (tr->current_trace->start)
+ tr->current_trace->start(tr);
--- /dev/null
+From a5ba1d95e46ecaea638ddd7cd144107c783acb5d Mon Sep 17 00:00:00 2001
+From: Tycho Andersen <tycho@tycho.ws>
+Date: Fri, 6 Jul 2018 10:24:57 -0600
+Subject: uart: fix race between uart_put_char() and uart_shutdown()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tycho Andersen <tycho@tycho.ws>
+
+commit a5ba1d95e46ecaea638ddd7cd144107c783acb5d upstream.
+
+We have reports of the following crash:
+
+ PID: 7 TASK: ffff88085c6d61c0 CPU: 1 COMMAND: "kworker/u25:0"
+ #0 [ffff88085c6db710] machine_kexec at ffffffff81046239
+ #1 [ffff88085c6db760] crash_kexec at ffffffff810fc248
+ #2 [ffff88085c6db830] oops_end at ffffffff81008ae7
+ #3 [ffff88085c6db860] no_context at ffffffff81050b8f
+ #4 [ffff88085c6db8b0] __bad_area_nosemaphore at ffffffff81050d75
+ #5 [ffff88085c6db900] bad_area_nosemaphore at ffffffff81050e83
+ #6 [ffff88085c6db910] __do_page_fault at ffffffff8105132e
+ #7 [ffff88085c6db9b0] do_page_fault at ffffffff8105152c
+ #8 [ffff88085c6db9c0] page_fault at ffffffff81a3f122
+ [exception RIP: uart_put_char+149]
+ RIP: ffffffff814b67b5 RSP: ffff88085c6dba78 RFLAGS: 00010006
+ RAX: 0000000000000292 RBX: ffffffff827c5120 RCX: 0000000000000081
+ RDX: 0000000000000000 RSI: 000000000000005f RDI: ffffffff827c5120
+ RBP: ffff88085c6dba98 R8: 000000000000012c R9: ffffffff822ea320
+ R10: ffff88085fe4db04 R11: 0000000000000001 R12: ffff881059f9c000
+ R13: 0000000000000001 R14: 000000000000005f R15: 0000000000000fba
+ ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
+ #9 [ffff88085c6dbaa0] tty_put_char at ffffffff81497544
+ #10 [ffff88085c6dbac0] do_output_char at ffffffff8149c91c
+ #11 [ffff88085c6dbae0] __process_echoes at ffffffff8149cb8b
+ #12 [ffff88085c6dbb30] commit_echoes at ffffffff8149cdc2
+ #13 [ffff88085c6dbb60] n_tty_receive_buf_fast at ffffffff8149e49b
+ #14 [ffff88085c6dbbc0] __receive_buf at ffffffff8149ef5a
+ #15 [ffff88085c6dbc20] n_tty_receive_buf_common at ffffffff8149f016
+ #16 [ffff88085c6dbca0] n_tty_receive_buf2 at ffffffff8149f194
+ #17 [ffff88085c6dbcb0] flush_to_ldisc at ffffffff814a238a
+ #18 [ffff88085c6dbd50] process_one_work at ffffffff81090be2
+ #19 [ffff88085c6dbe20] worker_thread at ffffffff81091b4d
+ #20 [ffff88085c6dbeb0] kthread at ffffffff81096384
+ #21 [ffff88085c6dbf50] ret_from_fork at ffffffff81a3d69f
+
+after slogging through some dissasembly:
+
+ffffffff814b6720 <uart_put_char>:
+ffffffff814b6720: 55 push %rbp
+ffffffff814b6721: 48 89 e5 mov %rsp,%rbp
+ffffffff814b6724: 48 83 ec 20 sub $0x20,%rsp
+ffffffff814b6728: 48 89 1c 24 mov %rbx,(%rsp)
+ffffffff814b672c: 4c 89 64 24 08 mov %r12,0x8(%rsp)
+ffffffff814b6731: 4c 89 6c 24 10 mov %r13,0x10(%rsp)
+ffffffff814b6736: 4c 89 74 24 18 mov %r14,0x18(%rsp)
+ffffffff814b673b: e8 b0 8e 58 00 callq ffffffff81a3f5f0 <mcount>
+ffffffff814b6740: 4c 8b a7 88 02 00 00 mov 0x288(%rdi),%r12
+ffffffff814b6747: 45 31 ed xor %r13d,%r13d
+ffffffff814b674a: 41 89 f6 mov %esi,%r14d
+ffffffff814b674d: 49 83 bc 24 70 01 00 cmpq $0x0,0x170(%r12)
+ffffffff814b6754: 00 00
+ffffffff814b6756: 49 8b 9c 24 80 01 00 mov 0x180(%r12),%rbx
+ffffffff814b675d: 00
+ffffffff814b675e: 74 2f je ffffffff814b678f <uart_put_char+0x6f>
+ffffffff814b6760: 48 89 df mov %rbx,%rdi
+ffffffff814b6763: e8 a8 67 58 00 callq ffffffff81a3cf10 <_raw_spin_lock_irqsave>
+ffffffff814b6768: 41 8b 8c 24 78 01 00 mov 0x178(%r12),%ecx
+ffffffff814b676f: 00
+ffffffff814b6770: 89 ca mov %ecx,%edx
+ffffffff814b6772: f7 d2 not %edx
+ffffffff814b6774: 41 03 94 24 7c 01 00 add 0x17c(%r12),%edx
+ffffffff814b677b: 00
+ffffffff814b677c: 81 e2 ff 0f 00 00 and $0xfff,%edx
+ffffffff814b6782: 75 23 jne ffffffff814b67a7 <uart_put_char+0x87>
+ffffffff814b6784: 48 89 c6 mov %rax,%rsi
+ffffffff814b6787: 48 89 df mov %rbx,%rdi
+ffffffff814b678a: e8 e1 64 58 00 callq ffffffff81a3cc70 <_raw_spin_unlock_irqrestore>
+ffffffff814b678f: 44 89 e8 mov %r13d,%eax
+ffffffff814b6792: 48 8b 1c 24 mov (%rsp),%rbx
+ffffffff814b6796: 4c 8b 64 24 08 mov 0x8(%rsp),%r12
+ffffffff814b679b: 4c 8b 6c 24 10 mov 0x10(%rsp),%r13
+ffffffff814b67a0: 4c 8b 74 24 18 mov 0x18(%rsp),%r14
+ffffffff814b67a5: c9 leaveq
+ffffffff814b67a6: c3 retq
+ffffffff814b67a7: 49 8b 94 24 70 01 00 mov 0x170(%r12),%rdx
+ffffffff814b67ae: 00
+ffffffff814b67af: 48 63 c9 movslq %ecx,%rcx
+ffffffff814b67b2: 41 b5 01 mov $0x1,%r13b
+ffffffff814b67b5: 44 88 34 0a mov %r14b,(%rdx,%rcx,1)
+ffffffff814b67b9: 41 8b 94 24 78 01 00 mov 0x178(%r12),%edx
+ffffffff814b67c0: 00
+ffffffff814b67c1: 83 c2 01 add $0x1,%edx
+ffffffff814b67c4: 81 e2 ff 0f 00 00 and $0xfff,%edx
+ffffffff814b67ca: 41 89 94 24 78 01 00 mov %edx,0x178(%r12)
+ffffffff814b67d1: 00
+ffffffff814b67d2: eb b0 jmp ffffffff814b6784 <uart_put_char+0x64>
+ffffffff814b67d4: 66 66 66 2e 0f 1f 84 data32 data32 nopw %cs:0x0(%rax,%rax,1)
+ffffffff814b67db: 00 00 00 00 00
+
+for our build, this is crashing at:
+
+ circ->buf[circ->head] = c;
+
+Looking in uart_port_startup(), it seems that circ->buf (state->xmit.buf)
+protected by the "per-port mutex", which based on uart_port_check() is
+state->port.mutex. Indeed, the lock acquired in uart_put_char() is
+uport->lock, i.e. not the same lock.
+
+Anyway, since the lock is not acquired, if uart_shutdown() is called, the
+last chunk of that function may release state->xmit.buf before its assigned
+to null, and cause the race above.
+
+To fix it, let's lock uport->lock when allocating/deallocating
+state->xmit.buf in addition to the per-port mutex.
+
+v2: switch to locking uport->lock on allocation/deallocation instead of
+ locking the per-port mutex in uart_put_char. Note that since
+ uport->lock is a spin lock, we have to switch the allocation to
+ GFP_ATOMIC.
+v3: move the allocation outside the lock, so we can switch back to
+ GFP_KERNEL
+
+Signed-off-by: Tycho Andersen <tycho@tycho.ws>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/serial_core.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -182,6 +182,7 @@ static int uart_port_startup(struct tty_
+ {
+ struct uart_port *uport = uart_port_check(state);
+ unsigned long page;
++ unsigned long flags = 0;
+ int retval = 0;
+
+ if (uport->type == PORT_UNKNOWN)
+@@ -196,15 +197,18 @@ static int uart_port_startup(struct tty_
+ * Initialise and allocate the transmit and temporary
+ * buffer.
+ */
+- if (!state->xmit.buf) {
+- /* This is protected by the per port mutex */
+- page = get_zeroed_page(GFP_KERNEL);
+- if (!page)
+- return -ENOMEM;
++ page = get_zeroed_page(GFP_KERNEL);
++ if (!page)
++ return -ENOMEM;
+
++ uart_port_lock(state, flags);
++ if (!state->xmit.buf) {
+ state->xmit.buf = (unsigned char *) page;
+ uart_circ_clear(&state->xmit);
++ } else {
++ free_page(page);
+ }
++ uart_port_unlock(uport, flags);
+
+ retval = uport->ops->startup(uport);
+ if (retval == 0) {
+@@ -263,6 +267,7 @@ static void uart_shutdown(struct tty_str
+ {
+ struct uart_port *uport = uart_port_check(state);
+ struct tty_port *port = &state->port;
++ unsigned long flags = 0;
+
+ /*
+ * Set the TTY IO error marker
+@@ -295,10 +300,12 @@ static void uart_shutdown(struct tty_str
+ /*
+ * Free the transmit buffer page.
+ */
++ uart_port_lock(state, flags);
+ if (state->xmit.buf) {
+ free_page((unsigned long)state->xmit.buf);
+ state->xmit.buf = NULL;
+ }
++ uart_port_unlock(uport, flags);
+ }
+
+ /**
--- /dev/null
+From 016f8ffc48cb01d1e7701649c728c5d2e737d295 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Thu, 9 Aug 2018 15:37:59 -0400
+Subject: uprobes: Use synchronize_rcu() not synchronize_sched()
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 016f8ffc48cb01d1e7701649c728c5d2e737d295 upstream.
+
+While debugging another bug, I was looking at all the synchronize*()
+functions being used in kernel/trace, and noticed that trace_uprobes was
+using synchronize_sched(), with a comment to synchronize with
+{u,ret}_probe_trace_func(). When looking at those functions, the data is
+protected with "rcu_read_lock()" and not with "rcu_read_lock_sched()". This
+is using the wrong synchronize_*() function.
+
+Link: http://lkml.kernel.org/r/20180809160553.469e1e32@gandalf.local.home
+
+Cc: stable@vger.kernel.org
+Fixes: 70ed91c6ec7f8 ("tracing/uprobes: Support ftrace_event_file base multibuffer")
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_uprobe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_uprobe.c
++++ b/kernel/trace/trace_uprobe.c
+@@ -952,7 +952,7 @@ probe_event_disable(struct trace_uprobe
+
+ list_del_rcu(&link->list);
+ /* synchronize with u{,ret}probe_trace_func */
+- synchronize_sched();
++ synchronize_rcu();
+ kfree(link);
+
+ if (!list_empty(&tu->tp.files))
--- /dev/null
+From 5081efd112560d3febb328e627176235b250d59d Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@vmware.com>
+Date: Tue, 19 Jun 2018 16:00:25 -0700
+Subject: vmw_balloon: do not use 2MB without batching
+
+From: Nadav Amit <namit@vmware.com>
+
+commit 5081efd112560d3febb328e627176235b250d59d upstream.
+
+If the hypervisor sets 2MB batching is on, while batching is cleared,
+the balloon code breaks. In this case the legacy mechanism is used with
+2MB page. The VM would report a 2MB page is ballooned, and the
+hypervisor would only take the first 4KB.
+
+While the hypervisor should not report such settings, make the code more
+robust by not enabling 2MB support without batching.
+
+Fixes: 365bd7ef7ec8e ("VMware balloon: Support 2m page ballooning.")
+Cc: stable@vger.kernel.org
+Reviewed-by: Xavier Deguillard <xdeguillard@vmware.com>
+Signed-off-by: Nadav Amit <nadav.amit@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/vmw_balloon.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/vmw_balloon.c
++++ b/drivers/misc/vmw_balloon.c
+@@ -341,7 +341,13 @@ static bool vmballoon_send_start(struct
+ success = false;
+ }
+
+- if (b->capabilities & VMW_BALLOON_BATCHED_2M_CMDS)
++ /*
++ * 2MB pages are only supported with batching. If batching is for some
++ * reason disabled, do not use 2MB pages, since otherwise the legacy
++ * mechanism is used with 2MB pages, causing a failure.
++ */
++ if ((b->capabilities & VMW_BALLOON_BATCHED_2M_CMDS) &&
++ (b->capabilities & VMW_BALLOON_BATCHED_CMDS))
+ b->supported_page_sizes = 2;
+ else
+ b->supported_page_sizes = 1;
--- /dev/null
+From 09755690c6b7c1eabdc4651eb3b276f8feb1e447 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@vmware.com>
+Date: Tue, 19 Jun 2018 16:00:24 -0700
+Subject: vmw_balloon: fix inflation of 64-bit GFNs
+
+From: Nadav Amit <namit@vmware.com>
+
+commit 09755690c6b7c1eabdc4651eb3b276f8feb1e447 upstream.
+
+When balloon batching is not supported by the hypervisor, the guest
+frame number (GFN) must fit in 32-bit. However, due to a bug, this check
+was mistakenly ignored. In practice, when total RAM is greater than
+16TB, the balloon does not work currently, making this bug unlikely to
+happen.
+
+Fixes: ef0f8f112984 ("VMware balloon: partially inline vmballoon_reserve_page.")
+Cc: stable@vger.kernel.org
+Reviewed-by: Xavier Deguillard <xdeguillard@vmware.com>
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/vmw_balloon.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/misc/vmw_balloon.c
++++ b/drivers/misc/vmw_balloon.c
+@@ -450,7 +450,7 @@ static int vmballoon_send_lock_page(stru
+
+ pfn32 = (u32)pfn;
+ if (pfn32 != pfn)
+- return -1;
++ return -EINVAL;
+
+ STATS_INC(b->stats.lock[false]);
+
+@@ -460,7 +460,7 @@ static int vmballoon_send_lock_page(stru
+
+ pr_debug("%s - ppn %lx, hv returns %ld\n", __func__, pfn, status);
+ STATS_INC(b->stats.lock_fail[false]);
+- return 1;
++ return -EIO;
+ }
+
+ static int vmballoon_send_batched_lock(struct vmballoon *b,
+@@ -597,11 +597,12 @@ static int vmballoon_lock_page(struct vm
+
+ locked = vmballoon_send_lock_page(b, page_to_pfn(page), &hv_status,
+ target);
+- if (locked > 0) {
++ if (locked) {
+ STATS_INC(b->stats.refused_alloc[false]);
+
+- if (hv_status == VMW_BALLOON_ERROR_RESET ||
+- hv_status == VMW_BALLOON_ERROR_PPN_NOTNEEDED) {
++ if (locked == -EIO &&
++ (hv_status == VMW_BALLOON_ERROR_RESET ||
++ hv_status == VMW_BALLOON_ERROR_PPN_NOTNEEDED)) {
+ vmballoon_free_page(page, false);
+ return -EIO;
+ }
+@@ -617,7 +618,7 @@ static int vmballoon_lock_page(struct vm
+ } else {
+ vmballoon_free_page(page, false);
+ }
+- return -EIO;
++ return locked;
+ }
+
+ /* track allocated page */
--- /dev/null
+From c3cc1b0fc27508da53fe955a3b23d03964410682 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@vmware.com>
+Date: Tue, 19 Jun 2018 16:00:27 -0700
+Subject: vmw_balloon: fix VMCI use when balloon built into kernel
+
+From: Nadav Amit <namit@vmware.com>
+
+commit c3cc1b0fc27508da53fe955a3b23d03964410682 upstream.
+
+Currently, when all modules, including VMCI and VMware balloon are built
+into the kernel, the initialization of the balloon happens before the
+VMCI is probed. As a result, the balloon fails to initialize the VMCI
+doorbell, which it uses to get asynchronous requests for balloon size
+changes.
+
+The problem can be seen in the logs, in the form of the following
+message:
+ "vmw_balloon: failed to initialize vmci doorbell"
+
+The driver would work correctly but slightly less efficiently, probing
+for requests periodically. This patch changes the balloon to be
+initialized using late_initcall() instead of module_init() to address
+this issue. It does not address a situation in which VMCI is built as a
+module and the balloon is built into the kernel.
+
+Fixes: 48e3d668b790 ("VMware balloon: Enable notification via VMCI")
+Cc: stable@vger.kernel.org
+Reviewed-by: Xavier Deguillard <xdeguillard@vmware.com>
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/vmw_balloon.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/vmw_balloon.c
++++ b/drivers/misc/vmw_balloon.c
+@@ -1297,7 +1297,14 @@ static int __init vmballoon_init(void)
+
+ return 0;
+ }
+-module_init(vmballoon_init);
++
++/*
++ * Using late_initcall() instead of module_init() allows the balloon to use the
++ * VMCI doorbell even when the balloon is built into the kernel. Otherwise the
++ * VMCI is probed only after the balloon is initialized. If the balloon is used
++ * as a module, late_initcall() is equivalent to module_init().
++ */
++late_initcall(vmballoon_init);
+
+ static void __exit vmballoon_exit(void)
+ {
--- /dev/null
+From ce664331b2487a5d244a51cbdd8cb54f866fbe5d Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@vmware.com>
+Date: Tue, 19 Jun 2018 16:00:26 -0700
+Subject: vmw_balloon: VMCI_DOORBELL_SET does not check status
+
+From: Nadav Amit <namit@vmware.com>
+
+commit ce664331b2487a5d244a51cbdd8cb54f866fbe5d upstream.
+
+When vmballoon_vmci_init() sets a doorbell using VMCI_DOORBELL_SET, for
+some reason it does not consider the status and looks at the result.
+However, the hypervisor does not update the result - it updates the
+status. This might cause VMCI doorbell not to be enabled, resulting in
+degraded performance.
+
+Fixes: 48e3d668b790 ("VMware balloon: Enable notification via VMCI")
+Cc: stable@vger.kernel.org
+Reviewed-by: Xavier Deguillard <xdeguillard@vmware.com>
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/vmw_balloon.c | 37 +++++++++++++++++++------------------
+ 1 file changed, 19 insertions(+), 18 deletions(-)
+
+--- a/drivers/misc/vmw_balloon.c
++++ b/drivers/misc/vmw_balloon.c
+@@ -1036,29 +1036,30 @@ static void vmballoon_vmci_cleanup(struc
+ */
+ static int vmballoon_vmci_init(struct vmballoon *b)
+ {
+- int error = 0;
++ unsigned long error, dummy;
+
+- if ((b->capabilities & VMW_BALLOON_SIGNALLED_WAKEUP_CMD) != 0) {
+- error = vmci_doorbell_create(&b->vmci_doorbell,
+- VMCI_FLAG_DELAYED_CB,
+- VMCI_PRIVILEGE_FLAG_RESTRICTED,
+- vmballoon_doorbell, b);
+-
+- if (error == VMCI_SUCCESS) {
+- VMWARE_BALLOON_CMD(VMCI_DOORBELL_SET,
+- b->vmci_doorbell.context,
+- b->vmci_doorbell.resource, error);
+- STATS_INC(b->stats.doorbell_set);
+- }
+- }
++ if ((b->capabilities & VMW_BALLOON_SIGNALLED_WAKEUP_CMD) == 0)
++ return 0;
+
+- if (error != 0) {
+- vmballoon_vmci_cleanup(b);
++ error = vmci_doorbell_create(&b->vmci_doorbell, VMCI_FLAG_DELAYED_CB,
++ VMCI_PRIVILEGE_FLAG_RESTRICTED,
++ vmballoon_doorbell, b);
+
+- return -EIO;
+- }
++ if (error != VMCI_SUCCESS)
++ goto fail;
++
++ error = VMWARE_BALLOON_CMD(VMCI_DOORBELL_SET, b->vmci_doorbell.context,
++ b->vmci_doorbell.resource, dummy);
++
++ STATS_INC(b->stats.doorbell_set);
++
++ if (error != VMW_BALLOON_SUCCESS)
++ goto fail;
+
+ return 0;
++fail:
++ vmballoon_vmci_cleanup(b);
++ return -EIO;
+ }
+
+ /*
projects / thirdparty / kernel / stable-queue.git / commitdiff
