--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 21 Apr 2017 13:48:08 +0200
+Subject: ACPI / PMIC: xpower: Fix power_table addresses
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+
+[ Upstream commit 2bde7c32b1db162692f05c6be066b5bcd3d9fdbe ]
+
+The power table addresses should be contiguous, but there was a hole
+where 0x34 was missing. On most devices this is not a problem as
+addresses above 0x34 are used for the BUC# convertors which are not
+used in the DSDTs I've access to but after the BUC# convertors
+there is a field named GPI1 in the DSTDs, which does get used in some
+cases and ended up turning BUC6 on and off due to the wrong addresses,
+resulting in turning the entire device off (or causing it to reboot).
+
+Removing the hole in the addresses fixes this, fixing one of my
+Bay Trail tablets turning off while booting the mainline kernel.
+
+While at it add comments with the field names used in the DSDTs to
+make it easier to compare the register and bits used at each address
+with the datasheet.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/pmic/intel_pmic_xpower.c | 50 +++++++++++++++++-----------------
+ 1 file changed, 25 insertions(+), 25 deletions(-)
+
+--- a/drivers/acpi/pmic/intel_pmic_xpower.c
++++ b/drivers/acpi/pmic/intel_pmic_xpower.c
+@@ -28,97 +28,97 @@ static struct pmic_table power_table[] =
+ .address = 0x00,
+ .reg = 0x13,
+ .bit = 0x05,
+- },
++ }, /* ALD1 */
+ {
+ .address = 0x04,
+ .reg = 0x13,
+ .bit = 0x06,
+- },
++ }, /* ALD2 */
+ {
+ .address = 0x08,
+ .reg = 0x13,
+ .bit = 0x07,
+- },
++ }, /* ALD3 */
+ {
+ .address = 0x0c,
+ .reg = 0x12,
+ .bit = 0x03,
+- },
++ }, /* DLD1 */
+ {
+ .address = 0x10,
+ .reg = 0x12,
+ .bit = 0x04,
+- },
++ }, /* DLD2 */
+ {
+ .address = 0x14,
+ .reg = 0x12,
+ .bit = 0x05,
+- },
++ }, /* DLD3 */
+ {
+ .address = 0x18,
+ .reg = 0x12,
+ .bit = 0x06,
+- },
++ }, /* DLD4 */
+ {
+ .address = 0x1c,
+ .reg = 0x12,
+ .bit = 0x00,
+- },
++ }, /* ELD1 */
+ {
+ .address = 0x20,
+ .reg = 0x12,
+ .bit = 0x01,
+- },
++ }, /* ELD2 */
+ {
+ .address = 0x24,
+ .reg = 0x12,
+ .bit = 0x02,
+- },
++ }, /* ELD3 */
+ {
+ .address = 0x28,
+ .reg = 0x13,
+ .bit = 0x02,
+- },
++ }, /* FLD1 */
+ {
+ .address = 0x2c,
+ .reg = 0x13,
+ .bit = 0x03,
+- },
++ }, /* FLD2 */
+ {
+ .address = 0x30,
+ .reg = 0x13,
+ .bit = 0x04,
+- },
++ }, /* FLD3 */
+ {
+- .address = 0x38,
++ .address = 0x34,
+ .reg = 0x10,
+ .bit = 0x03,
+- },
++ }, /* BUC1 */
+ {
+- .address = 0x3c,
++ .address = 0x38,
+ .reg = 0x10,
+ .bit = 0x06,
+- },
++ }, /* BUC2 */
+ {
+- .address = 0x40,
++ .address = 0x3c,
+ .reg = 0x10,
+ .bit = 0x05,
+- },
++ }, /* BUC3 */
+ {
+- .address = 0x44,
++ .address = 0x40,
+ .reg = 0x10,
+ .bit = 0x04,
+- },
++ }, /* BUC4 */
+ {
+- .address = 0x48,
++ .address = 0x44,
+ .reg = 0x10,
+ .bit = 0x01,
+- },
++ }, /* BUC5 */
+ {
+- .address = 0x4c,
++ .address = 0x48,
+ .reg = 0x10,
+ .bit = 0x00
+- },
++ }, /* BUC6 */
+ };
+
+ /* TMP0 - TMP5 are the same, all from GPADC */
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 12 Apr 2017 22:07:33 +0200
+Subject: ACPI/processor: Fix error handling in __acpi_processor_start()
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+
+[ Upstream commit a5cbdf693a60d5b86d4d21dfedd90f17754eb273 ]
+
+When acpi_install_notify_handler() fails the cooling device stays
+registered and the sysfs files created via acpi_pss_perf_init() are
+leaked and the function returns success.
+
+Undo acpi_pss_perf_init() and return a proper error code.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Sebastian Siewior <bigeasy@linutronix.de>
+Cc: Lai Jiangshan <jiangshanlai@gmail.com>
+Cc: linux-acpi@vger.kernel.org
+Cc: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Len Brown <lenb@kernel.org>
+Link: http://lkml.kernel.org/r/20170412201042.695499645@linutronix.de
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/processor_driver.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/acpi/processor_driver.c
++++ b/drivers/acpi/processor_driver.c
+@@ -259,6 +259,9 @@ static int __acpi_processor_start(struct
+ if (ACPI_SUCCESS(status))
+ return 0;
+
++ result = -ENODEV;
++ acpi_pss_perf_exit(pr, device);
++
+ err_power_exit:
+ acpi_processor_power_exit(pr);
+ return result;
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 12 Apr 2017 22:07:34 +0200
+Subject: ACPI/processor: Replace racy task affinity logic
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+
+[ Upstream commit 8153f9ac43897f9f4786b30badc134fcc1a4fb11 ]
+
+acpi_processor_get_throttling() requires to invoke the getter function on
+the target CPU. This is achieved by temporarily setting the affinity of the
+calling user space thread to the requested CPU and reset it to the original
+affinity afterwards.
+
+That's racy vs. CPU hotplug and concurrent affinity settings for that
+thread resulting in code executing on the wrong CPU and overwriting the
+new affinity setting.
+
+acpi_processor_get_throttling() is invoked in two ways:
+
+1) The CPU online callback, which is already running on the target CPU and
+ obviously protected against hotplug and not affected by affinity
+ settings.
+
+2) The ACPI driver probe function, which is not protected against hotplug
+ during modprobe.
+
+Switch it over to work_on_cpu() and protect the probe function against CPU
+hotplug.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Sebastian Siewior <bigeasy@linutronix.de>
+Cc: Lai Jiangshan <jiangshanlai@gmail.com>
+Cc: linux-acpi@vger.kernel.org
+Cc: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Len Brown <lenb@kernel.org>
+Link: http://lkml.kernel.org/r/20170412201042.785920903@linutronix.de
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/processor_driver.c | 7 +++-
+ drivers/acpi/processor_throttling.c | 62 ++++++++++++++++++++----------------
+ 2 files changed, 42 insertions(+), 27 deletions(-)
+
+--- a/drivers/acpi/processor_driver.c
++++ b/drivers/acpi/processor_driver.c
+@@ -270,11 +270,16 @@ err_power_exit:
+ static int acpi_processor_start(struct device *dev)
+ {
+ struct acpi_device *device = ACPI_COMPANION(dev);
++ int ret;
+
+ if (!device)
+ return -ENODEV;
+
+- return __acpi_processor_start(device);
++ /* Protect against concurrent CPU hotplug operations */
++ get_online_cpus();
++ ret = __acpi_processor_start(device);
++ put_online_cpus();
++ return ret;
+ }
+
+ static int acpi_processor_stop(struct device *dev)
+--- a/drivers/acpi/processor_throttling.c
++++ b/drivers/acpi/processor_throttling.c
+@@ -62,8 +62,8 @@ struct acpi_processor_throttling_arg {
+ #define THROTTLING_POSTCHANGE (2)
+
+ static int acpi_processor_get_throttling(struct acpi_processor *pr);
+-int acpi_processor_set_throttling(struct acpi_processor *pr,
+- int state, bool force);
++static int __acpi_processor_set_throttling(struct acpi_processor *pr,
++ int state, bool force, bool direct);
+
+ static int acpi_processor_update_tsd_coord(void)
+ {
+@@ -891,7 +891,8 @@ static int acpi_processor_get_throttling
+ ACPI_DEBUG_PRINT((ACPI_DB_INFO,
+ "Invalid throttling state, reset\n"));
+ state = 0;
+- ret = acpi_processor_set_throttling(pr, state, true);
++ ret = __acpi_processor_set_throttling(pr, state, true,
++ true);
+ if (ret)
+ return ret;
+ }
+@@ -901,36 +902,31 @@ static int acpi_processor_get_throttling
+ return 0;
+ }
+
+-static int acpi_processor_get_throttling(struct acpi_processor *pr)
++static long __acpi_processor_get_throttling(void *data)
+ {
+- cpumask_var_t saved_mask;
+- int ret;
++ struct acpi_processor *pr = data;
++
++ return pr->throttling.acpi_processor_get_throttling(pr);
++}
+
++static int acpi_processor_get_throttling(struct acpi_processor *pr)
++{
+ if (!pr)
+ return -EINVAL;
+
+ if (!pr->flags.throttling)
+ return -ENODEV;
+
+- if (!alloc_cpumask_var(&saved_mask, GFP_KERNEL))
+- return -ENOMEM;
+-
+ /*
+- * Migrate task to the cpu pointed by pr.
++ * This is either called from the CPU hotplug callback of
++ * processor_driver or via the ACPI probe function. In the latter
++ * case the CPU is not guaranteed to be online. Both call sites are
++ * protected against CPU hotplug.
+ */
+- cpumask_copy(saved_mask, ¤t->cpus_allowed);
+- /* FIXME: use work_on_cpu() */
+- if (set_cpus_allowed_ptr(current, cpumask_of(pr->id))) {
+- /* Can't migrate to the target pr->id CPU. Exit */
+- free_cpumask_var(saved_mask);
++ if (!cpu_online(pr->id))
+ return -ENODEV;
+- }
+- ret = pr->throttling.acpi_processor_get_throttling(pr);
+- /* restore the previous state */
+- set_cpus_allowed_ptr(current, saved_mask);
+- free_cpumask_var(saved_mask);
+
+- return ret;
++ return work_on_cpu(pr->id, __acpi_processor_get_throttling, pr);
+ }
+
+ static int acpi_processor_get_fadt_info(struct acpi_processor *pr)
+@@ -1080,8 +1076,15 @@ static long acpi_processor_throttling_fn
+ arg->target_state, arg->force);
+ }
+
+-int acpi_processor_set_throttling(struct acpi_processor *pr,
+- int state, bool force)
++static int call_on_cpu(int cpu, long (*fn)(void *), void *arg, bool direct)
++{
++ if (direct)
++ return fn(arg);
++ return work_on_cpu(cpu, fn, arg);
++}
++
++static int __acpi_processor_set_throttling(struct acpi_processor *pr,
++ int state, bool force, bool direct)
+ {
+ int ret = 0;
+ unsigned int i;
+@@ -1130,7 +1133,8 @@ int acpi_processor_set_throttling(struct
+ arg.pr = pr;
+ arg.target_state = state;
+ arg.force = force;
+- ret = work_on_cpu(pr->id, acpi_processor_throttling_fn, &arg);
++ ret = call_on_cpu(pr->id, acpi_processor_throttling_fn, &arg,
++ direct);
+ } else {
+ /*
+ * When the T-state coordination is SW_ALL or HW_ALL,
+@@ -1163,8 +1167,8 @@ int acpi_processor_set_throttling(struct
+ arg.pr = match_pr;
+ arg.target_state = state;
+ arg.force = force;
+- ret = work_on_cpu(pr->id, acpi_processor_throttling_fn,
+- &arg);
++ ret = call_on_cpu(pr->id, acpi_processor_throttling_fn,
++ &arg, direct);
+ }
+ }
+ /*
+@@ -1182,6 +1186,12 @@ int acpi_processor_set_throttling(struct
+ return ret;
+ }
+
++int acpi_processor_set_throttling(struct acpi_processor *pr, int state,
++ bool force)
++{
++ return __acpi_processor_set_throttling(pr, state, force, false);
++}
++
+ int acpi_processor_get_throttling_info(struct acpi_processor *pr)
+ {
+ int result = 0;
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Mikhail Paulyshka <me@mixaill.tk>
+Date: Fri, 21 Apr 2017 08:52:42 +0200
+Subject: ALSA: hda - Fix headset microphone detection for ASUS N551 and N751
+
+From: Mikhail Paulyshka <me@mixaill.tk>
+
+
+[ Upstream commit fc7438b1eb12b6c93d7b7a62423779eb5dfc673c ]
+
+Headset microphone does not work out of the box on ASUS Nx51
+laptops. This patch fixes it.
+
+Patch tested on Asus N551 laptop. Asus N751 part is not tested, but
+according to [1] this laptop uses the same audiosystem.
+
+1. https://bugzilla.kernel.org/show_bug.cgi?id=117781
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195437
+Signed-off-by: Mikhail Paulyshka <me@mixaill.tk>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6717,6 +6717,7 @@ enum {
+ ALC668_FIXUP_DELL_DISABLE_AAMIX,
+ ALC668_FIXUP_DELL_XPS13,
+ ALC662_FIXUP_ASUS_Nx50,
++ ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE,
+ ALC668_FIXUP_ASUS_Nx51,
+ };
+
+@@ -6964,14 +6965,21 @@ static const struct hda_fixup alc662_fix
+ .chained = true,
+ .chain_id = ALC662_FIXUP_BASS_1A
+ },
++ [ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc_fixup_headset_mode_alc668,
++ .chain_id = ALC662_FIXUP_BASS_CHMAP
++ },
+ [ALC668_FIXUP_ASUS_Nx51] = {
+ .type = HDA_FIXUP_PINS,
+ .v.pins = (const struct hda_pintbl[]) {
+- {0x1a, 0x90170151}, /* bass speaker */
++ { 0x19, 0x03a1913d }, /* use as headphone mic, without its own jack detect */
++ { 0x1a, 0x90170151 }, /* bass speaker */
++ { 0x1b, 0x03a1113c }, /* use as headset mic, without its own jack detect */
+ {}
+ },
+ .chained = true,
+- .chain_id = ALC662_FIXUP_BASS_CHMAP,
++ .chain_id = ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE,
+ },
+ };
+
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Abel Vesa <abelvesa@linux.com>
+Date: Mon, 3 Apr 2017 23:58:54 +0100
+Subject: ARM: 8668/1: ftrace: Fix dynamic ftrace with DEBUG_RODATA and !FRAME_POINTER
+
+From: Abel Vesa <abelvesa@linux.com>
+
+
+[ Upstream commit 6f05d0761af612e04572ba4d65b4c0274a88444f ]
+
+The support for dynamic ftrace with CONFIG_DEBUG_RODATA involves
+overriding the weak arch_ftrace_update_code() with a variant which makes
+the kernel text writable around the patching.
+
+This override was however added under the CONFIG_OLD_MCOUNT ifdef, and
+CONFIG_OLD_MCOUNT is only enabled if frame pointers are enabled.
+
+This leads to non-functional dynamic ftrace (ftrace triggers a
+WARN_ON()) when CONFIG_DEBUG_RODATA is enabled and CONFIG_FRAME_POINTER
+is not.
+
+Move the override out of that ifdef and into the CONFIG_DYNAMIC_FTRACE
+ifdef where it belongs.
+
+Fixes: 80d6b0c2eed2a ("ARM: mm: allow text and rodata sections to be read-only")
+Suggested-by: Nicolai Stange <nicstange@gmail.com>
+Suggested-by: Rabin Vincent <rabin@rab.in>
+Signed-off-by: Abel Vesa <abelvesa@gmail.com>
+Acked-by: Rabin Vincent <rabin@rab.in>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/kernel/ftrace.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/arch/arm/kernel/ftrace.c
++++ b/arch/arm/kernel/ftrace.c
+@@ -29,11 +29,6 @@
+ #endif
+
+ #ifdef CONFIG_DYNAMIC_FTRACE
+-#ifdef CONFIG_OLD_MCOUNT
+-#define OLD_MCOUNT_ADDR ((unsigned long) mcount)
+-#define OLD_FTRACE_ADDR ((unsigned long) ftrace_caller_old)
+-
+-#define OLD_NOP 0xe1a00000 /* mov r0, r0 */
+
+ static int __ftrace_modify_code(void *data)
+ {
+@@ -51,6 +46,12 @@ void arch_ftrace_update_code(int command
+ stop_machine(__ftrace_modify_code, &command, NULL);
+ }
+
++#ifdef CONFIG_OLD_MCOUNT
++#define OLD_MCOUNT_ADDR ((unsigned long) mcount)
++#define OLD_FTRACE_ADDR ((unsigned long) ftrace_caller_old)
++
++#define OLD_NOP 0xe1a00000 /* mov r0, r0 */
++
+ static unsigned long ftrace_nop_replace(struct dyn_ftrace *rec)
+ {
+ return rec->arch.old_mcount ? OLD_NOP : NOP;
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Kishon Vijay Abraham I <kishon@ti.com>
+Date: Mon, 27 Mar 2017 15:15:20 +0530
+Subject: ARM: DRA7: clockdomain: Change the CLKTRCTRL of CM_PCIE_CLKSTCTRL to SW_WKUP
+
+From: Kishon Vijay Abraham I <kishon@ti.com>
+
+
+[ Upstream commit 2c949ce38f4e81d7487f165fa3b8f77d74a2a6c4 ]
+
+The PCIe programming sequence in TRM suggests CLKSTCTRL of PCIe should be
+set to SW_WKUP. There are no issues when CLKSTCTRL is set to HW_AUTO in RC
+mode. However in EP mode, the host system is not able to access the
+MEMSPACE and setting the CLKSTCTRL to SW_WKUP fixes it.
+
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-omap2/clockdomains7xx_data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/mach-omap2/clockdomains7xx_data.c
++++ b/arch/arm/mach-omap2/clockdomains7xx_data.c
+@@ -524,7 +524,7 @@ static struct clockdomain pcie_7xx_clkdm
+ .dep_bit = DRA7XX_PCIE_STATDEP_SHIFT,
+ .wkdep_srcs = pcie_wkup_sleep_deps,
+ .sleepdep_srcs = pcie_wkup_sleep_deps,
+- .flags = CLKDM_CAN_HWSUP_SWSUP,
++ .flags = CLKDM_CAN_SWSUP,
+ };
+
+ static struct clockdomain atl_7xx_clkdm = {
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 20 Apr 2017 13:17:02 +0300
+Subject: ASoC: Intel: Skylake: Uninitialized variable in probe_codec()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit e6a33532affd14c12688c0e9b2e773e8b2550f3b ]
+
+My static checker complains that if snd_hdac_bus_get_response() returns
+-EIO then "res" is uninitialized. Fix this by initializing it to -1 so
+that the error is handled correctly.
+
+Fixes: d8c2dab8381d ("ASoC: Intel: Add Skylake HDA audio driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/intel/skylake/skl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/intel/skylake/skl.c
++++ b/sound/soc/intel/skylake/skl.c
+@@ -280,7 +280,7 @@ static int probe_codec(struct hdac_ext_b
+ struct hdac_bus *bus = ebus_to_hbus(ebus);
+ unsigned int cmd = (addr << 28) | (AC_NODE_ROOT << 20) |
+ (AC_VERB_PARAMETERS << 8) | AC_PAR_VENDOR_ID;
+- unsigned int res;
++ unsigned int res = -1;
+
+ mutex_lock(&bus->cmd_mutex);
+ snd_hdac_bus_send_cmd(bus, cmd);
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
+Date: Wed, 12 Apr 2017 23:19:37 +0530
+Subject: ath: Fix updating radar flags for coutry code India
+
+From: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
+
+
+[ Upstream commit c0c345d4cacc6a1f39d4856f37dcf6e34f51a5e4 ]
+
+As per latest regulatory update for India, channel 52, 56, 60, 64
+is no longer restricted to DFS. Enabling DFS/no infra flags in driver
+results in applying all DFS related restrictions (like doing CAC etc
+before this channel moves to 'available state') for these channels
+even though the country code is programmed as 'India' in he hardware,
+fix this by relaxing the frequency range while applying RADAR flags
+only if the country code is programmed to India. If the frequency range
+needs to modified based on different country code, ath_is_radar_freq
+can be extended/modified dynamically.
+
+Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/regd.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/wireless/ath/regd.c
++++ b/drivers/net/wireless/ath/regd.c
+@@ -254,8 +254,12 @@ bool ath_is_49ghz_allowed(u16 regdomain)
+ EXPORT_SYMBOL(ath_is_49ghz_allowed);
+
+ /* Frequency is one where radar detection is required */
+-static bool ath_is_radar_freq(u16 center_freq)
++static bool ath_is_radar_freq(u16 center_freq,
++ struct ath_regulatory *reg)
++
+ {
++ if (reg->country_code == CTRY_INDIA)
++ return (center_freq >= 5500 && center_freq <= 5700);
+ return (center_freq >= 5260 && center_freq <= 5700);
+ }
+
+@@ -306,7 +310,7 @@ __ath_reg_apply_beaconing_flags(struct w
+ enum nl80211_reg_initiator initiator,
+ struct ieee80211_channel *ch)
+ {
+- if (ath_is_radar_freq(ch->center_freq) ||
++ if (ath_is_radar_freq(ch->center_freq, reg) ||
+ (ch->flags & IEEE80211_CHAN_RADAR))
+ return;
+
+@@ -395,8 +399,9 @@ ath_reg_apply_ir_flags(struct wiphy *wip
+ }
+ }
+
+-/* Always apply Radar/DFS rules on freq range 5260 MHz - 5700 MHz */
+-static void ath_reg_apply_radar_flags(struct wiphy *wiphy)
++/* Always apply Radar/DFS rules on freq range 5500 MHz - 5700 MHz */
++static void ath_reg_apply_radar_flags(struct wiphy *wiphy,
++ struct ath_regulatory *reg)
+ {
+ struct ieee80211_supported_band *sband;
+ struct ieee80211_channel *ch;
+@@ -409,7 +414,7 @@ static void ath_reg_apply_radar_flags(st
+
+ for (i = 0; i < sband->n_channels; i++) {
+ ch = &sband->channels[i];
+- if (!ath_is_radar_freq(ch->center_freq))
++ if (!ath_is_radar_freq(ch->center_freq, reg))
+ continue;
+ /* We always enable radar detection/DFS on this
+ * frequency range. Additionally we also apply on
+@@ -505,7 +510,7 @@ void ath_reg_notifier_apply(struct wiphy
+ struct ath_common *common = container_of(reg, struct ath_common,
+ regulatory);
+ /* We always apply this */
+- ath_reg_apply_radar_flags(wiphy);
++ ath_reg_apply_radar_flags(wiphy, reg);
+
+ /*
+ * This would happen when we have sent a custom regulatory request
+@@ -653,7 +658,7 @@ ath_regd_init_wiphy(struct ath_regulator
+ }
+
+ wiphy_apply_custom_regulatory(wiphy, regd);
+- ath_reg_apply_radar_flags(wiphy);
++ ath_reg_apply_radar_flags(wiphy, reg);
+ ath_reg_apply_world_flags(wiphy, NL80211_REGDOM_SET_BY_DRIVER, reg);
+ return 0;
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Loic Poulain <loic.poulain@linaro.org>
+Date: Mon, 6 Nov 2017 12:16:56 +0100
+Subject: Bluetooth: hci_qca: Avoid setup failure on missing rampatch
+
+From: Loic Poulain <loic.poulain@linaro.org>
+
+
+[ Upstream commit ba8f3597900291a93604643017fff66a14546015 ]
+
+Assuming that the original code idea was to enable in-band sleeping
+only if the setup_rome method returns succes and run in 'standard'
+mode otherwise, we should not return setup_rome return value which
+makes qca_setup fail if no rampatch/nvm file found.
+
+This fixes BT issue on the dragonboard-820C p4 which includes the
+following QCA controller:
+hci0: Product:0x00000008
+hci0: Patch :0x00000111
+hci0: ROM :0x00000302
+hci0: SOC :0x00000044
+
+Since there is no rampatch for this controller revision, just make
+it work as is.
+
+Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/hci_qca.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -936,6 +936,9 @@ static int qca_setup(struct hci_uart *hu
+ if (!ret) {
+ set_bit(STATE_IN_BAND_SLEEP_ENABLED, &qca->flags);
+ qca_debugfs_init(hdev);
++ } else if (ret == -ENOENT) {
++ /* No patch/nvm-config found, run with original fw/config */
++ ret = 0;
+ }
+
+ /* Setup bdaddr */
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Scott Wood <swood@redhat.com>
+Date: Fri, 28 Apr 2017 19:17:41 -0500
+Subject: bnx2x: Align RX buffers
+
+From: Scott Wood <swood@redhat.com>
+
+
+[ Upstream commit 9b70de6d0266888b3743f03802502e43131043c8 ]
+
+The bnx2x driver is not providing proper alignment on the receive buffers it
+passes to build_skb(), causing skb_shared_info to be misaligned.
+skb_shared_info contains an atomic, and while PPC normally supports
+unaligned accesses, it does not support unaligned atomics.
+
+Aligning the size of rx buffers will ensure that page_frag_alloc() returns
+aligned addresses.
+
+This can be reproduced on PPC by setting the network MTU to 1450 (or other
+non-multiple-of-4) and then generating sufficient inbound network traffic
+(one or two large "wget"s usually does it), producing the following oops:
+
+Unable to handle kernel paging request for unaligned access at address 0xc00000ffc43af656
+Faulting instruction address: 0xc00000000080ef8c
+Oops: Kernel access of bad area, sig: 7 [#1]
+SMP NR_CPUS=2048
+NUMA
+PowerNV
+Modules linked in: vmx_crypto powernv_rng rng_core powernv_op_panel leds_powernv led_class nfsd ip_tables x_tables autofs4 xfs lpfc bnx2x mdio libcrc32c crc_t10dif crct10dif_generic crct10dif_common
+CPU: 104 PID: 0 Comm: swapper/104 Not tainted 4.11.0-rc8-00088-g4c761da #2
+task: c00000ffd4892400 task.stack: c00000ffd4920000
+NIP: c00000000080ef8c LR: c00000000080eee8 CTR: c0000000001f8320
+REGS: c00000ffffc33710 TRAP: 0600 Not tainted (4.11.0-rc8-00088-g4c761da)
+MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE>
+ CR: 24082042 XER: 00000000
+CFAR: c00000000080eea0 DAR: c00000ffc43af656 DSISR: 00000000 SOFTE: 1
+GPR00: c000000000907f64 c00000ffffc33990 c000000000dd3b00 c00000ffcaf22100
+GPR04: c00000ffcaf22e00 0000000000000000 0000000000000000 0000000000000000
+GPR08: 0000000000b80008 c00000ffc43af636 c00000ffc43af656 0000000000000000
+GPR12: c0000000001f6f00 c00000000fe1a000 000000000000049f 000000000000c51f
+GPR16: 00000000ffffef33 0000000000000000 0000000000008a43 0000000000000001
+GPR20: c00000ffc58a90c0 0000000000000000 000000000000dd86 0000000000000000
+GPR24: c000007fd0ed10c0 00000000ffffffff 0000000000000158 000000000000014a
+GPR28: c00000ffc43af010 c00000ffc9144000 c00000ffcaf22e00 c00000ffcaf22100
+NIP [c00000000080ef8c] __skb_clone+0xdc/0x140
+LR [c00000000080eee8] __skb_clone+0x38/0x140
+Call Trace:
+[c00000ffffc33990] [c00000000080fb74] skb_clone+0x74/0x110 (unreliable)
+[c00000ffffc339c0] [c000000000907f64] packet_rcv+0x144/0x510
+[c00000ffffc33a40] [c000000000827b64] __netif_receive_skb_core+0x5b4/0xd80
+[c00000ffffc33b00] [c00000000082b2bc] netif_receive_skb_internal+0x2c/0xc0
+[c00000ffffc33b40] [c00000000082c49c] napi_gro_receive+0x11c/0x260
+[c00000ffffc33b80] [d000000066483d68] bnx2x_poll+0xcf8/0x17b0 [bnx2x]
+[c00000ffffc33d00] [c00000000082babc] net_rx_action+0x31c/0x480
+[c00000ffffc33e10] [c0000000000d5a44] __do_softirq+0x164/0x3d0
+[c00000ffffc33f00] [c0000000000d60a8] irq_exit+0x108/0x120
+[c00000ffffc33f20] [c000000000015b98] __do_irq+0x98/0x200
+[c00000ffffc33f90] [c000000000027f14] call_do_irq+0x14/0x24
+[c00000ffd4923a90] [c000000000015d94] do_IRQ+0x94/0x110
+[c00000ffd4923ae0] [c000000000008d90] hardware_interrupt_common+0x150/0x160
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -2044,6 +2044,7 @@ static void bnx2x_set_rx_buf_size(struct
+ ETH_OVREHEAD +
+ mtu +
+ BNX2X_FW_RX_ALIGN_END;
++ fp->rx_buf_size = SKB_DATA_ALIGN(fp->rx_buf_size);
+ /* Note : rx_buf_size doesn't take into account NET_SKB_PAD */
+ if (fp->rx_buf_size + NET_SKB_PAD <= PAGE_SIZE)
+ fp->rx_frag_size = fp->rx_buf_size + NET_SKB_PAD;
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Filipe Manana <fdmanana@suse.com>
+Date: Tue, 4 Apr 2017 20:31:00 +0100
+Subject: Btrfs: send, fix file hole not being preserved due to inline extent
+
+From: Filipe Manana <fdmanana@suse.com>
+
+
+[ Upstream commit e1cbfd7bf6dabdac561c75d08357571f44040a45 ]
+
+Normally we don't have inline extents followed by regular extents, but
+there's currently at least one harmless case where this happens. For
+example, when the page size is 4Kb and compression is enabled:
+
+ $ mkfs.btrfs -f /dev/sdb
+ $ mount -o compress /dev/sdb /mnt
+ $ xfs_io -f -c "pwrite -S 0xaa 0 4K" -c "fsync" /mnt/foobar
+ $ xfs_io -c "pwrite -S 0xbb 8K 4K" -c "fsync" /mnt/foobar
+
+In this case we get a compressed inline extent, representing 4Kb of
+data, followed by a hole extent and then a regular data extent. The
+inline extent was not expanded/converted to a regular extent exactly
+because it represents 4Kb of data. This does not cause any apparent
+problem (such as the issue solved by commit e1699d2d7bf6
+("btrfs: add missing memset while reading compressed inline extents"))
+except trigger an unexpected case in the incremental send code path
+that makes us issue an operation to write a hole when it's not needed,
+resulting in more writes at the receiver and wasting space at the
+receiver.
+
+So teach the incremental send code to deal with this particular case.
+
+The issue can be currently triggered by running fstests btrfs/137 with
+compression enabled (MOUNT_OPTIONS="-o compress" ./check btrfs/137).
+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/send.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -5008,13 +5008,19 @@ static int is_extent_unchanged(struct se
+ while (key.offset < ekey->offset + left_len) {
+ ei = btrfs_item_ptr(eb, slot, struct btrfs_file_extent_item);
+ right_type = btrfs_file_extent_type(eb, ei);
+- if (right_type != BTRFS_FILE_EXTENT_REG) {
++ if (right_type != BTRFS_FILE_EXTENT_REG &&
++ right_type != BTRFS_FILE_EXTENT_INLINE) {
+ ret = 0;
+ goto out;
+ }
+
+ right_disknr = btrfs_file_extent_disk_bytenr(eb, ei);
+- right_len = btrfs_file_extent_num_bytes(eb, ei);
++ if (right_type == BTRFS_FILE_EXTENT_INLINE) {
++ right_len = btrfs_file_extent_inline_len(eb, slot, ei);
++ right_len = PAGE_ALIGN(right_len);
++ } else {
++ right_len = btrfs_file_extent_num_bytes(eb, ei);
++ }
+ right_offset = btrfs_file_extent_offset(eb, ei);
+ right_gen = btrfs_file_extent_generation(eb, ei);
+
+@@ -5028,6 +5034,19 @@ static int is_extent_unchanged(struct se
+ goto out;
+ }
+
++ /*
++ * We just wanted to see if when we have an inline extent, what
++ * follows it is a regular extent (wanted to check the above
++ * condition for inline extents too). This should normally not
++ * happen but it's possible for example when we have an inline
++ * compressed extent representing data with a size matching
++ * the page size (currently the same as sector size).
++ */
++ if (right_type == BTRFS_FILE_EXTENT_INLINE) {
++ ret = 0;
++ goto out;
++ }
++
+ left_offset_fixed = left_offset;
+ if (key.offset < ekey->offset) {
+ /* Fix the right offset for 2a and 7. */
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 1 May 2017 21:43:43 +0300
+Subject: cifs: small underflow in cnvrtDosUnixTm()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit 564277eceeca01e02b1ef3e141cfb939184601b4 ]
+
+January is month 1. There is no zero-th month. If someone passes a
+zero month then it means we read from one space before the start of the
+total_days_of_prev_months[] array.
+
+We may as well also be strict about days as well.
+
+Fixes: 1bd5bbcb6531 ("[CIFS] Legacy time handling for Win9x and OS/2 part 1")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/netmisc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/cifs/netmisc.c
++++ b/fs/cifs/netmisc.c
+@@ -980,10 +980,10 @@ struct timespec cnvrtDosUnixTm(__le16 le
+ cifs_dbg(VFS, "illegal hours %d\n", st->Hours);
+ days = sd->Day;
+ month = sd->Month;
+- if ((days > 31) || (month > 12)) {
++ if (days < 1 || days > 31 || month < 1 || month > 12) {
+ cifs_dbg(VFS, "illegal date, month %d day: %d\n", month, days);
+- if (month > 12)
+- month = 12;
++ days = clamp(days, 1, 31);
++ month = clamp(month, 1, 12);
+ }
+ month -= 1;
+ days += total_days_of_prev_months[month];
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Bharat Kumar Reddy Gooty <bharat.gooty@broadcom.com>
+Date: Mon, 20 Mar 2017 18:12:14 -0400
+Subject: clk: ns2: Correct SDIO bits
+
+From: Bharat Kumar Reddy Gooty <bharat.gooty@broadcom.com>
+
+
+[ Upstream commit 8973aa4aecac223548366ca81818309a0f0efa6d ]
+
+Corrected the bits for power and iso.
+
+Signed-off-by: Bharat Kumar Reddy Gooty <bharat.gooty@broadcom.com>
+Signed-off-by: Jon Mason <jon.mason@broadcom.com>
+Fixes: f7225a83 ("clk: ns2: add clock support for Broadcom Northstar 2 SoC")
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/bcm/clk-ns2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/bcm/clk-ns2.c
++++ b/drivers/clk/bcm/clk-ns2.c
+@@ -103,7 +103,7 @@ CLK_OF_DECLARE(ns2_genpll_src_clk, "brcm
+
+ static const struct iproc_pll_ctrl genpll_sw = {
+ .flags = IPROC_CLK_AON | IPROC_CLK_PLL_SPLIT_STAT_CTRL,
+- .aon = AON_VAL(0x0, 2, 9, 8),
++ .aon = AON_VAL(0x0, 1, 11, 10),
+ .reset = RESET_VAL(0x4, 2, 1),
+ .dig_filter = DF_VAL(0x0, 9, 3, 5, 4, 2, 3),
+ .ndiv_int = REG_VAL(0x8, 4, 10),
--- /dev/null
+From foo@baz Thu Mar 22 14:57:33 CET 2018
+From: Sergej Sawazki <sergej@taudac.com>
+Date: Tue, 25 Jul 2017 23:21:02 +0200
+Subject: clk: si5351: Rename internal plls to avoid name collisions
+
+From: Sergej Sawazki <sergej@taudac.com>
+
+
+[ Upstream commit cdba9a4fb0b53703959ac861e415816cb61aded4 ]
+
+This drivers probe fails due to a clock name collision if a clock named
+'plla' or 'pllb' is already registered when registering this drivers
+internal plls.
+
+Fix it by renaming internal plls to avoid name collisions.
+
+Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
+Cc: Rabeeh Khoury <rabeeh@solid-run.com>
+Signed-off-by: Sergej Sawazki <sergej@taudac.com>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/clk-si5351.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/clk-si5351.c
++++ b/drivers/clk/clk-si5351.c
+@@ -72,7 +72,7 @@ static const char * const si5351_input_n
+ "xtal", "clkin"
+ };
+ static const char * const si5351_pll_names[] = {
+- "plla", "pllb", "vxco"
++ "si5351_plla", "si5351_pllb", "si5351_vxco"
+ };
+ static const char * const si5351_msynth_names[] = {
+ "ms0", "ms1", "ms2", "ms3", "ms4", "ms5", "ms6", "ms7"
--- /dev/null
+From foo@baz Thu Mar 22 14:57:33 CET 2018
+From: Robert Walker <robert.walker@arm.com>
+Date: Mon, 18 Dec 2017 11:05:44 -0700
+Subject: coresight: Fix disabling of CoreSight TPIU
+
+From: Robert Walker <robert.walker@arm.com>
+
+
+[ Upstream commit 11595db8e17faaa05fadc25746c870e31276962f ]
+
+The CoreSight TPIU should be disabled when tracing to other sinks to allow
+them to operate at full bandwidth.
+
+This patch fixes tpiu_disable_hw() to correctly disable the TPIU by
+configuring the TPIU to stop on flush, initiating a manual flush, waiting
+for the flush to complete and then waits for the TPIU to indicate it has
+stopped.
+
+Signed-off-by: Robert Walker <robert.walker@arm.com>
+Tested-by: Mike Leach <mike.leach@linaro.org>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/coresight/coresight-tpiu.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/hwtracing/coresight/coresight-tpiu.c
++++ b/drivers/hwtracing/coresight/coresight-tpiu.c
+@@ -45,8 +45,11 @@
+ #define TPIU_ITATBCTR0 0xef8
+
+ /** register definition **/
++/* FFSR - 0x300 */
++#define FFSR_FT_STOPPED BIT(1)
+ /* FFCR - 0x304 */
+ #define FFCR_FON_MAN BIT(6)
++#define FFCR_STOP_FI BIT(12)
+
+ /**
+ * @base: memory mapped base address for this component.
+@@ -85,10 +88,14 @@ static void tpiu_disable_hw(struct tpiu_
+ {
+ CS_UNLOCK(drvdata->base);
+
+- /* Clear formatter controle reg. */
+- writel_relaxed(0x0, drvdata->base + TPIU_FFCR);
++ /* Clear formatter and stop on flush */
++ writel_relaxed(FFCR_STOP_FI, drvdata->base + TPIU_FFCR);
+ /* Generate manual flush */
+- writel_relaxed(FFCR_FON_MAN, drvdata->base + TPIU_FFCR);
++ writel_relaxed(FFCR_STOP_FI | FFCR_FON_MAN, drvdata->base + TPIU_FFCR);
++ /* Wait for flush to complete */
++ coresight_timeout(drvdata->base, TPIU_FFCR, FFCR_FON_MAN, 0);
++ /* Wait for formatter to stop */
++ coresight_timeout(drvdata->base, TPIU_FFSR, FFSR_FT_STOPPED, 1);
+
+ CS_LOCK(drvdata->base);
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 12 Apr 2017 22:07:36 +0200
+Subject: cpufreq/sh: Replace racy task affinity logic
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+
+[ Upstream commit 205dcc1ecbc566cbc20acf246e68de3b080b3ecf ]
+
+The target() callback must run on the affected cpu. This is achieved by
+temporarily setting the affinity of the calling thread to the requested CPU
+and reset it to the original affinity afterwards.
+
+That's racy vs. concurrent affinity settings for that thread resulting in
+code executing on the wrong CPU.
+
+Replace it by work_on_cpu(). All call pathes which invoke the callbacks are
+already protected against CPU hotplug.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Sebastian Siewior <bigeasy@linutronix.de>
+Cc: linux-pm@vger.kernel.org
+Cc: Lai Jiangshan <jiangshanlai@gmail.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Len Brown <lenb@kernel.org>
+Link: http://lkml.kernel.org/r/20170412201042.958216363@linutronix.de
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/sh-cpufreq.c | 45 +++++++++++++++++++++++++------------------
+ 1 file changed, 27 insertions(+), 18 deletions(-)
+
+--- a/drivers/cpufreq/sh-cpufreq.c
++++ b/drivers/cpufreq/sh-cpufreq.c
+@@ -30,54 +30,63 @@
+
+ static DEFINE_PER_CPU(struct clk, sh_cpuclk);
+
++struct cpufreq_target {
++ struct cpufreq_policy *policy;
++ unsigned int freq;
++};
++
+ static unsigned int sh_cpufreq_get(unsigned int cpu)
+ {
+ return (clk_get_rate(&per_cpu(sh_cpuclk, cpu)) + 500) / 1000;
+ }
+
+-/*
+- * Here we notify other drivers of the proposed change and the final change.
+- */
+-static int sh_cpufreq_target(struct cpufreq_policy *policy,
+- unsigned int target_freq,
+- unsigned int relation)
++static long __sh_cpufreq_target(void *arg)
+ {
+- unsigned int cpu = policy->cpu;
++ struct cpufreq_target *target = arg;
++ struct cpufreq_policy *policy = target->policy;
++ int cpu = policy->cpu;
+ struct clk *cpuclk = &per_cpu(sh_cpuclk, cpu);
+- cpumask_t cpus_allowed;
+ struct cpufreq_freqs freqs;
+ struct device *dev;
+ long freq;
+
+- cpus_allowed = current->cpus_allowed;
+- set_cpus_allowed_ptr(current, cpumask_of(cpu));
+-
+- BUG_ON(smp_processor_id() != cpu);
++ if (smp_processor_id() != cpu)
++ return -ENODEV;
+
+ dev = get_cpu_device(cpu);
+
+ /* Convert target_freq from kHz to Hz */
+- freq = clk_round_rate(cpuclk, target_freq * 1000);
++ freq = clk_round_rate(cpuclk, target->freq * 1000);
+
+ if (freq < (policy->min * 1000) || freq > (policy->max * 1000))
+ return -EINVAL;
+
+- dev_dbg(dev, "requested frequency %u Hz\n", target_freq * 1000);
++ dev_dbg(dev, "requested frequency %u Hz\n", target->freq * 1000);
+
+ freqs.old = sh_cpufreq_get(cpu);
+ freqs.new = (freq + 500) / 1000;
+ freqs.flags = 0;
+
+- cpufreq_freq_transition_begin(policy, &freqs);
+- set_cpus_allowed_ptr(current, &cpus_allowed);
++ cpufreq_freq_transition_begin(target->policy, &freqs);
+ clk_set_rate(cpuclk, freq);
+- cpufreq_freq_transition_end(policy, &freqs, 0);
++ cpufreq_freq_transition_end(target->policy, &freqs, 0);
+
+ dev_dbg(dev, "set frequency %lu Hz\n", freq);
+-
+ return 0;
+ }
+
++/*
++ * Here we notify other drivers of the proposed change and the final change.
++ */
++static int sh_cpufreq_target(struct cpufreq_policy *policy,
++ unsigned int target_freq,
++ unsigned int relation)
++{
++ struct cpufreq_target data = { .policy = policy, .freq = target_freq };
++
++ return work_on_cpu(policy->cpu, __sh_cpufreq_target, &data);
++}
++
+ static int sh_cpufreq_verify(struct cpufreq_policy *policy)
+ {
+ struct clk *cpuclk = &per_cpu(sh_cpuclk, policy->cpu);
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 4 Dec 2017 15:49:48 +0100
+Subject: cros_ec: fix nul-termination for firmware build info
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+
+[ Upstream commit 50a0d71a5d20e1d3eff1d974fdc8559ad6d74892 ]
+
+As gcc-8 reports, we zero out the wrong byte:
+
+drivers/platform/chrome/cros_ec_sysfs.c: In function 'show_ec_version':
+drivers/platform/chrome/cros_ec_sysfs.c:190:12: error: array subscript 4294967295 is above array bounds of 'uint8_t[]' [-Werror=array-bounds]
+
+This changes the code back to what it did before changing to a
+zero-length array structure.
+
+Fixes: a841178445bb ("mfd: cros_ec: Use a zero-length array for command data")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Benson Leung <bleung@chromium.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/chrome/cros_ec_sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/platform/chrome/cros_ec_sysfs.c
++++ b/drivers/platform/chrome/cros_ec_sysfs.c
+@@ -187,7 +187,7 @@ static ssize_t show_ec_version(struct de
+ count += scnprintf(buf + count, PAGE_SIZE - count,
+ "Build info: EC error %d\n", msg->result);
+ else {
+- msg->data[sizeof(msg->data) - 1] = '\0';
++ msg->data[EC_HOST_PARAM_SIZE - 1] = '\0';
+ count += scnprintf(buf + count, PAGE_SIZE - count,
+ "Build info: %s\n", msg->data);
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:57:33 CET 2018
+From: Vignesh R <vigneshr@ti.com>
+Date: Tue, 19 Dec 2017 12:51:16 +0200
+Subject: dmaengine: ti-dma-crossbar: Fix event mapping for TPCC_EVT_MUX_60_63
+
+From: Vignesh R <vigneshr@ti.com>
+
+
+[ Upstream commit d087f15786021a9605b20f4c678312510be4cac1 ]
+
+Register layout of a typical TPCC_EVT_MUX_M_N register is such that the
+lowest numbered event is at the lowest byte address and highest numbered
+event at highest byte address. But TPCC_EVT_MUX_60_63 register layout is
+different, in that the lowest numbered event is at the highest address
+and highest numbered event is at the lowest address. Therefore, modify
+ti_am335x_xbar_write() to handle TPCC_EVT_MUX_60_63 register
+accordingly.
+
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/ti-dma-crossbar.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/dma/ti-dma-crossbar.c
++++ b/drivers/dma/ti-dma-crossbar.c
+@@ -51,7 +51,15 @@ struct ti_am335x_xbar_map {
+
+ static inline void ti_am335x_xbar_write(void __iomem *iomem, int event, u8 val)
+ {
+- writeb_relaxed(val, iomem + event);
++ /*
++ * TPCC_EVT_MUX_60_63 register layout is different than the
++ * rest, in the sense, that event 63 is mapped to lowest byte
++ * and event 60 is mapped to highest, handle it separately.
++ */
++ if (event >= 60 && event <= 63)
++ writeb_relaxed(val, iomem + (63 - event % 4));
++ else
++ writeb_relaxed(val, iomem + event);
+ }
+
+ static void ti_am335x_xbar_free(struct device *dev, void *route_data)
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Prakash Kamliya <pkamliya@codeaurora.org>
+Date: Mon, 4 Dec 2017 19:10:15 +0530
+Subject: drm/msm: fix leak in failed get_pages
+
+From: Prakash Kamliya <pkamliya@codeaurora.org>
+
+
+[ Upstream commit 62e3a3e342af3c313ab38603811ecdb1fcc79edb ]
+
+get_pages doesn't keep a reference of the pages allocated
+when it fails later in the code path. This can lead to
+a memory leak. Keep reference of the allocated pages so
+that it can be freed when msm_gem_free_object gets called
+later during cleanup.
+
+Signed-off-by: Prakash Kamliya <pkamliya@codeaurora.org>
+Signed-off-by: Sharat Masetty <smasetty@codeaurora.org>
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_gem.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_gem.c
++++ b/drivers/gpu/drm/msm/msm_gem.c
+@@ -89,14 +89,17 @@ static struct page **get_pages(struct dr
+ return p;
+ }
+
++ msm_obj->pages = p;
++
+ msm_obj->sgt = drm_prime_pages_to_sg(p, npages);
+ if (IS_ERR(msm_obj->sgt)) {
++ void *ptr = ERR_CAST(msm_obj->sgt);
++
+ dev_err(dev->dev, "failed to allocate sgt\n");
+- return ERR_CAST(msm_obj->sgt);
++ msm_obj->sgt = NULL;
++ return ptr;
+ }
+
+- msm_obj->pages = p;
+-
+ /* For non-cached buffers, ensure the new pages are clean
+ * because display controller, GPU, etc. are not coherent:
+ */
+@@ -119,7 +122,10 @@ static void put_pages(struct drm_gem_obj
+ if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED))
+ dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl,
+ msm_obj->sgt->nents, DMA_BIDIRECTIONAL);
+- sg_free_table(msm_obj->sgt);
++
++ if (msm_obj->sgt)
++ sg_free_table(msm_obj->sgt);
++
+ kfree(msm_obj->sgt);
+
+ if (use_pages(obj))
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Mario Kleiner <mario.kleiner.de@gmail.com>
+Date: Mon, 24 Apr 2017 01:59:34 +0200
+Subject: drm/nouveau/kms: Increase max retries in scanout position queries.
+
+From: Mario Kleiner <mario.kleiner.de@gmail.com>
+
+
+[ Upstream commit 60b95d709525e3ce1c51e1fc93175dcd1755d345 ]
+
+So far we only allowed for 1 retry and just failed the query
+- and thereby high precision vblank timestamping - if we did
+not get a reasonable result, as such a failure wasn't considered
+all too horrible. There are a few NVidia gpu models out there which
+may need a bit more than 1 retry to get a successful query result
+under some conditions.
+
+Since Linux 4.4 the update code for vblank counter and timestamp
+in drm_update_vblank_count() changed so that the implementation
+assumes that high precision vblank timestamping of a kms driver
+either consistently succeeds or consistently fails for a given
+video mode and encoder/connector combo. Iow. switching from success
+to fail or vice versa on a modeset or connector change is ok, but
+spurious temporary failure for a given setup can confuse the core
+code and potentially cause bad miscounting of vblanks and confusion
+or hangs in userspace clients which rely on vblank stuff, e.g.,
+desktop compositors.
+
+Therefore change the max retry count to a larger number - more than
+any gpu so far is known to need to succeed, but still low enough
+so that these queries which do also happen in vblank interrupt are
+still fast enough to be not disastrously long if something would
+go badly wrong with them.
+
+As such sporadic retries only happen seldom even on affected gpu's,
+this could mean a vblank irq could take a few dozen microseconds
+longer every few hours of uptime -- better than a desktop compositor
+randomly hanging every couple of hours or days of uptime in a hard
+to reproduce manner.
+
+Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_display.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_display.c
++++ b/drivers/gpu/drm/nouveau/nouveau_display.c
+@@ -104,7 +104,7 @@ nouveau_display_scanoutpos_head(struct d
+ };
+ struct nouveau_display *disp = nouveau_display(crtc->dev);
+ struct drm_vblank_crtc *vblank = &crtc->dev->vblank[drm_crtc_index(crtc)];
+- int ret, retry = 1;
++ int ret, retry = 20;
+
+ do {
+ ret = nvif_mthd(&disp->disp, 0, &args, sizeof(args));
--- /dev/null
+From foo@baz Thu Mar 22 14:57:33 CET 2018
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Fri, 29 Sep 2017 14:49:49 +0300
+Subject: drm/omap: DMM: Check for DMM readiness after successful transaction commit
+
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+
+
+[ Upstream commit b7ea6b286c4051e043f691781785e3c4672f014a ]
+
+Check the status of the DMM engine after it is reported that the
+transaction was completed as in rare cases the engine might not reached a
+working state.
+
+The wait_status() will print information in case the DMM is not reached the
+expected state and the dmm_txn_commit() will return with an error code to
+make sure that we are not continuing with a broken setup.
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/omapdrm/omap_dmm_tiler.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
++++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
+@@ -288,7 +288,12 @@ static int dmm_txn_commit(struct dmm_txn
+ msecs_to_jiffies(100))) {
+ dev_err(dmm->dev, "timed out waiting for done\n");
+ ret = -ETIMEDOUT;
++ goto cleanup;
+ }
++
++ /* Check the engine status before continue */
++ ret = wait_status(engine, DMM_PATSTATUS_READY |
++ DMM_PATSTATUS_VALID | DMM_PATSTATUS_DONE);
+ }
+
+ cleanup:
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Bernd Faust <berndfaust@gmail.com>
+Date: Thu, 16 Feb 2017 19:42:07 +0100
+Subject: e1000e: fix timing for 82579 Gigabit Ethernet controller
+
+From: Bernd Faust <berndfaust@gmail.com>
+
+
+[ Upstream commit 5313eeccd2d7f486be4e5c7560e3e2be239ec8f7 ]
+
+After an upgrade to Linux kernel v4.x the hardware timestamps of the
+82579 Gigabit Ethernet Controller are different than expected.
+The values that are being read are almost four times as big as before
+the kernel upgrade.
+
+The difference is that after the upgrade the driver sets the clock
+frequency to 25MHz, where before the upgrade it was set to 96MHz. Intel
+confirmed that the correct frequency for this network adapter is 96MHz.
+
+Signed-off-by: Bernd Faust <berndfaust@gmail.com>
+Acked-by: Sasha Neftin <sasha.neftin@intel.com>
+Acked-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -3526,6 +3526,12 @@ s32 e1000e_get_base_timinca(struct e1000
+
+ switch (hw->mac.type) {
+ case e1000_pch2lan:
++ /* Stable 96MHz frequency */
++ incperiod = INCPERIOD_96MHz;
++ incvalue = INCVALUE_96MHz;
++ shift = INCVALUE_SHIFT_96MHz;
++ adapter->cc.shift = shift + INCPERIOD_SHIFT_96MHz;
++ break;
+ case e1000_pch_lpt:
+ if (er32(TSYNCRXCTL) & E1000_TSYNCRXCTL_SYSCFI) {
+ /* Stable 96MHz frequency */
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: James Smart <jsmart2021@gmail.com>
+Date: Fri, 21 Apr 2017 16:04:56 -0700
+Subject: Fix driver usage of 128B WQEs when WQ_CREATE is V1.
+
+From: James Smart <jsmart2021@gmail.com>
+
+
+[ Upstream commit 3f247de750b8dd8f50a2c1390e2a1238790a9dff ]
+
+There are two versions of a structure for queue creation and setup that the
+driver shares with FW. The driver was only treating as version 0.
+
+Verify WQ_CREATE with 128B WQEs in V0 and V1.
+
+Code review of another bug showed the driver passing
+128B WQEs and 8 pages in WQ CREATE and V0.
+Code inspection/instrumentation showed that the driver
+uses V0 in WQ_CREATE and if the caller passes queue->entry_size
+128B, the driver sets the hdr_version to V1 so all is good.
+When I tested the V1 WQ_CREATE, the mailbox failed causing
+the driver to unload.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_sli.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -13493,6 +13493,9 @@ lpfc_wq_create(struct lpfc_hba *phba, st
+ case LPFC_Q_CREATE_VERSION_1:
+ bf_set(lpfc_mbx_wq_create_wqe_count, &wq_create->u.request_1,
+ wq->entry_count);
++ bf_set(lpfc_mbox_hdr_version, &shdr->request,
++ LPFC_Q_CREATE_VERSION_1);
++
+ switch (wq->entry_size) {
+ default:
+ case 64:
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 15 Apr 2017 12:08:31 +0200
+Subject: genirq: Use irqd_get_trigger_type to compare the trigger type for shared IRQs
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+
+[ Upstream commit 382bd4de61827dbaaf5fb4fb7b1f4be4a86505e7 ]
+
+When requesting a shared irq with IRQF_TRIGGER_NONE then the irqaction
+flags get filled with the trigger type from the irq_data:
+
+ if (!(new->flags & IRQF_TRIGGER_MASK))
+ new->flags |= irqd_get_trigger_type(&desc->irq_data);
+
+On the first setup_irq() the trigger type in irq_data is NONE when the
+above code executes, then the irq is started up for the first time and
+then the actual trigger type gets established, but that's too late to fix
+up new->flags.
+
+When then a second user of the irq requests the irq with IRQF_TRIGGER_NONE
+its irqaction's triggertype gets set to the actual trigger type and the
+following check fails:
+
+ if (!((old->flags ^ new->flags) & IRQF_TRIGGER_MASK))
+
+Resulting in the request_irq failing with -EBUSY even though both
+users requested the irq with IRQF_SHARED | IRQF_TRIGGER_NONE
+
+Fix this by comparing the new irqaction's trigger type to the trigger type
+stored in the irq_data which correctly reflects the actual trigger type
+being used for the irq.
+
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Link: http://lkml.kernel.org/r/20170415100831.17073-1-hdegoede@redhat.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/irq/manage.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/irq/manage.c
++++ b/kernel/irq/manage.c
+@@ -1189,8 +1189,10 @@ __setup_irq(unsigned int irq, struct irq
+ * set the trigger type must match. Also all must
+ * agree on ONESHOT.
+ */
++ unsigned int oldtype = irqd_get_trigger_type(&desc->irq_data);
++
+ if (!((old->flags & new->flags) & IRQF_SHARED) ||
+- ((old->flags ^ new->flags) & IRQF_TRIGGER_MASK) ||
++ (oldtype != (new->flags & IRQF_TRIGGER_MASK)) ||
+ ((old->flags ^ new->flags) & IRQF_ONESHOT))
+ goto mismatch;
+
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 21 Apr 2017 13:39:09 +0300
+Subject: HSI: ssi_protocol: double free in ssip_pn_xmit()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit 3026050179a3a9a6f5c892c414b5e36ecf092081 ]
+
+If skb_pad() fails then it frees skb and we don't need to free it again
+at the end of the function.
+
+Fixes: dc7bf5d7 ("HSI: Introduce driver for SSI Protocol")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hsi/clients/ssi_protocol.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/hsi/clients/ssi_protocol.c
++++ b/drivers/hsi/clients/ssi_protocol.c
+@@ -976,7 +976,7 @@ static int ssip_pn_xmit(struct sk_buff *
+ goto drop;
+ /* Pad to 32-bits - FIXME: Revisit*/
+ if ((skb->len & 3) && skb_pad(skb, 4 - (skb->len & 3)))
+- goto drop;
++ goto inc_dropped;
+
+ /*
+ * Modem sends Phonet messages over SSI with its own endianess...
+@@ -1028,8 +1028,9 @@ static int ssip_pn_xmit(struct sk_buff *
+ drop2:
+ hsi_free_msg(msg);
+ drop:
+- dev->stats.tx_dropped++;
+ dev_kfree_skb(skb);
++inc_dropped:
++ dev->stats.tx_dropped++;
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Edgar Cherkasov <echerkasov@dev.rtsoft.ru>
+Date: Tue, 4 Apr 2017 19:18:27 +0300
+Subject: i2c: i2c-scmi: add a MS HID
+
+From: Edgar Cherkasov <echerkasov@dev.rtsoft.ru>
+
+
+[ Upstream commit e058e7a4bc89104540a8a303682248614b5df6f1 ]
+
+Description of the problem:
+ - i2c-scmi driver contains only two identifiers "SMBUS01" and "SMBUSIBM";
+ - the fist HID (SMBUS01) is clearly defined in "SMBus Control Method
+ Interface Specification, version 1.0": "Each device must specify
+ 'SMBUS01' as its _HID and use a unique _UID value";
+ - unfortunately, BIOS vendors (like AMI) seem to ignore this requirement
+ and implement "SMB0001" HID instead of "SMBUS01";
+ - I speculate that they do this because only "SMB0001" is hard coded in
+ Windows SMBus driver produced by Microsoft.
+
+This leads to following situation:
+ - SMBus works out of box in Windows but not in Linux;
+ - board vendors are forced to add correct "SMBUS01" HID to BIOS to make
+ SMBus work in Linux. Moreover the same board vendors complain that
+ tools (3-rd party ASL compiler) do not like the "SMBUS01" identifier
+ and produce errors. So they need to constantly patch the compiler for
+ each new version of BIOS.
+
+As it is very unlikely that BIOS vendors implement a correct HID in
+future, I would propose to consider whether it is possible to work around
+the problem by adding MS HID to the Linux i2c-scmi driver.
+
+v2: move the definition of the new HID to the driver itself.
+
+Signed-off-by: Edgar Cherkasov <echerkasov@dev.rtsoft.ru>
+Signed-off-by: Michael Brunner <Michael.Brunner@kontron.com>
+Acked-by: Viktor Krasnov <vkrasnov@dev.rtsoft.ru>
+Reviewed-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-scmi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-scmi.c
++++ b/drivers/i2c/busses/i2c-scmi.c
+@@ -18,6 +18,9 @@
+ #define ACPI_SMBUS_HC_CLASS "smbus"
+ #define ACPI_SMBUS_HC_DEVICE_NAME "cmi"
+
++/* SMBUS HID definition as supported by Microsoft Windows */
++#define ACPI_SMBUS_MS_HID "SMB0001"
++
+ ACPI_MODULE_NAME("smbus_cmi");
+
+ struct smbus_methods_t {
+@@ -51,6 +54,7 @@ static const struct smbus_methods_t ibm_
+ static const struct acpi_device_id acpi_smbus_cmi_ids[] = {
+ {"SMBUS01", (kernel_ulong_t)&smbus_methods},
+ {ACPI_SMBUS_IBM_HID, (kernel_ulong_t)&ibm_smbus_methods},
++ {ACPI_SMBUS_MS_HID, (kernel_ulong_t)&smbus_methods},
+ {"", 0}
+ };
+ MODULE_DEVICE_TABLE(acpi, acpi_smbus_cmi_ids);
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Sergei Trofimovich <slyfox@gentoo.org>
+Date: Mon, 1 May 2017 11:51:55 -0700
+Subject: ia64: fix module loading for gcc-5.4
+
+From: Sergei Trofimovich <slyfox@gentoo.org>
+
+
+[ Upstream commit a25fb8508c1b80dce742dbeaa4d75a1e9f2c5617 ]
+
+Starting from gcc-5.4+ gcc generates MLX instructions in more cases to
+refer local symbols:
+
+ https://gcc.gnu.org/PR60465
+
+That caused ia64 module loader to choke on such instructions:
+
+ fuse: invalid slot number 1 for IMM64
+
+The Linux kernel used to handle only case where relocation pointed to
+slot=2 instruction in the bundle. That limitation was fixed in linux by
+commit 9c184a073bfd ("[IA64] Fix 2.6 kernel for the new ia64 assembler")
+See
+
+ http://sources.redhat.com/bugzilla/show_bug.cgi?id=1433
+
+This change lifts the slot=2 restriction from the kernel module loader.
+
+Tested on 'fuse' and 'btrfs' kernel modules.
+
+Cc: Markus Elfring <elfring@users.sourceforge.net>
+Cc: H J Lu <hjl.tools@gmail.com>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Bug: https://bugs.gentoo.org/601014
+Tested-by: Émeric MASCHINO <emeric.maschino@gmail.com>
+Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/ia64/kernel/module.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/ia64/kernel/module.c
++++ b/arch/ia64/kernel/module.c
+@@ -153,7 +153,7 @@ slot (const struct insn *insn)
+ static int
+ apply_imm64 (struct module *mod, struct insn *insn, uint64_t val)
+ {
+- if (slot(insn) != 2) {
++ if (slot(insn) != 1 && slot(insn) != 2) {
+ printk(KERN_ERR "%s: invalid slot number %d for IMM64\n",
+ mod->name, slot(insn));
+ return 0;
+@@ -165,7 +165,7 @@ apply_imm64 (struct module *mod, struct
+ static int
+ apply_imm60 (struct module *mod, struct insn *insn, uint64_t val)
+ {
+- if (slot(insn) != 2) {
++ if (slot(insn) != 1 && slot(insn) != 2) {
+ printk(KERN_ERR "%s: invalid slot number %d for IMM60\n",
+ mod->name, slot(insn));
+ return 0;
--- /dev/null
+From foo@baz Thu Mar 22 14:57:33 CET 2018
+From: Erez Shitrit <erezsh@mellanox.com>
+Date: Tue, 14 Nov 2017 14:51:53 +0200
+Subject: IB/ipoib: Avoid memory leak if the SA returns a different DGID
+
+From: Erez Shitrit <erezsh@mellanox.com>
+
+
+[ Upstream commit 439000892ee17a9c92f1e4297818790ef8bb4ced ]
+
+The ipoib path database is organized around DGIDs from the LLADDR, but the
+SA is free to return a different GID when asked for path. This causes a
+bug because the SA's modified DGID is copied into the database key, even
+though it is no longer the correct lookup key, causing a memory leak and
+other malfunctions.
+
+Ensure the database key does not change after the SA query completes.
+
+Demonstration of the bug is as follows
+ipoib wants to send to GID fe80:0000:0000:0000:0002:c903:00ef:5ee2, it
+creates new record in the DB with that gid as a key, and issues a new
+request to the SM.
+Now, the SM from some reason returns path-record with other SGID (for
+example, 2001:0000:0000:0000:0002:c903:00ef:5ee2 that contains the local
+subnet prefix) now ipoib will overwrite the current entry with the new
+one, and if new request to the original GID arrives ipoib will not find
+it in the DB (was overwritten) and will create new record that in its
+turn will also be overwritten by the response from the SM, and so on
+till the driver eats all the device memory.
+
+Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_main.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+@@ -724,6 +724,22 @@ static void path_rec_completion(int stat
+ spin_lock_irqsave(&priv->lock, flags);
+
+ if (!IS_ERR_OR_NULL(ah)) {
++ /*
++ * pathrec.dgid is used as the database key from the LLADDR,
++ * it must remain unchanged even if the SA returns a different
++ * GID to use in the AH.
++ */
++ if (memcmp(pathrec->dgid.raw, path->pathrec.dgid.raw,
++ sizeof(union ib_gid))) {
++ ipoib_dbg(
++ priv,
++ "%s got PathRec for gid %pI6 while asked for %pI6\n",
++ dev->name, pathrec->dgid.raw,
++ path->pathrec.dgid.raw);
++ memcpy(pathrec->dgid.raw, path->pathrec.dgid.raw,
++ sizeof(union ib_gid));
++ }
++
+ path->pathrec = *pathrec;
+
+ old_ah = path->ah;
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Feras Daoud <ferasda@mellanox.com>
+Date: Sun, 19 Mar 2017 11:18:55 +0200
+Subject: IB/ipoib: Fix deadlock between ipoib_stop and mcast join flow
+
+From: Feras Daoud <ferasda@mellanox.com>
+
+
+[ Upstream commit 3e31a490e01a6e67cbe9f6e1df2f3ff0fbf48972 ]
+
+Before calling ipoib_stop, rtnl_lock should be taken, then
+the flow clears the IPOIB_FLAG_ADMIN_UP and IPOIB_FLAG_OPER_UP
+flags, and waits for mcast completion if IPOIB_MCAST_FLAG_BUSY
+is set.
+
+On the other hand, the flow of multicast join task initializes
+a mcast completion, sets the IPOIB_MCAST_FLAG_BUSY and calls
+ipoib_mcast_join. If IPOIB_FLAG_OPER_UP flag is not set, this
+call returns EINVAL without setting the mcast completion and
+leads to a deadlock.
+
+ ipoib_stop |
+ | |
+ clear_bit(IPOIB_FLAG_ADMIN_UP) |
+ | |
+ Context Switch |
+ | ipoib_mcast_join_task
+ | |
+ | spin_lock_irq(lock)
+ | |
+ | init_completion(mcast)
+ | |
+ | set_bit(IPOIB_MCAST_FLAG_BUSY)
+ | |
+ | Context Switch
+ | |
+ clear_bit(IPOIB_FLAG_OPER_UP) |
+ | |
+ spin_lock_irqsave(lock) |
+ | |
+ Context Switch |
+ | ipoib_mcast_join
+ | return (-EINVAL)
+ | |
+ | spin_unlock_irq(lock)
+ | |
+ | Context Switch
+ | |
+ ipoib_mcast_dev_flush |
+ wait_for_completion(mcast) |
+
+ipoib_stop will wait for mcast completion for ever, and will
+not release the rtnl_lock. As a result panic occurs with the
+following trace:
+
+ [13441.639268] Call Trace:
+ [13441.640150] [<ffffffff8168b579>] schedule+0x29/0x70
+ [13441.641038] [<ffffffff81688fc9>] schedule_timeout+0x239/0x2d0
+ [13441.641914] [<ffffffff810bc017>] ? complete+0x47/0x50
+ [13441.642765] [<ffffffff810a690d>] ? flush_workqueue_prep_pwqs+0x16d/0x200
+ [13441.643580] [<ffffffff8168b956>] wait_for_completion+0x116/0x170
+ [13441.644434] [<ffffffff810c4ec0>] ? wake_up_state+0x20/0x20
+ [13441.645293] [<ffffffffa05af170>] ipoib_mcast_dev_flush+0x150/0x190 [ib_ipoib]
+ [13441.646159] [<ffffffffa05ac967>] ipoib_ib_dev_down+0x37/0x60 [ib_ipoib]
+ [13441.647013] [<ffffffffa05a4805>] ipoib_stop+0x75/0x150 [ib_ipoib]
+
+Fixes: 08bc327629cb ("IB/ipoib: fix for rare multicast join race condition")
+Signed-off-by: Feras Daoud <ferasda@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_multicast.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
+@@ -473,6 +473,9 @@ static int ipoib_mcast_join(struct net_d
+ !test_bit(IPOIB_FLAG_OPER_UP, &priv->flags))
+ return -EINVAL;
+
++ init_completion(&mcast->done);
++ set_bit(IPOIB_MCAST_FLAG_BUSY, &mcast->flags);
++
+ ipoib_dbg_mcast(priv, "joining MGID %pI6\n", mcast->mcmember.mgid.raw);
+
+ rec.mgid = mcast->mcmember.mgid;
+@@ -631,8 +634,6 @@ void ipoib_mcast_join_task(struct work_s
+ if (mcast->backoff == 1 ||
+ time_after_eq(jiffies, mcast->delay_until)) {
+ /* Found the next unjoined group */
+- init_completion(&mcast->done);
+- set_bit(IPOIB_MCAST_FLAG_BUSY, &mcast->flags);
+ if (ipoib_mcast_join(dev, mcast)) {
+ spin_unlock_irq(&priv->lock);
+ return;
+@@ -652,11 +653,9 @@ out:
+ queue_delayed_work(priv->wq, &priv->mcast_task,
+ delay_until - jiffies);
+ }
+- if (mcast) {
+- init_completion(&mcast->done);
+- set_bit(IPOIB_MCAST_FLAG_BUSY, &mcast->flags);
++ if (mcast)
+ ipoib_mcast_join(dev, mcast);
+- }
++
+ spin_unlock_irq(&priv->lock);
+ }
+
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Feras Daoud <ferasda@mellanox.com>
+Date: Sun, 19 Mar 2017 11:18:54 +0200
+Subject: IB/ipoib: Update broadcast object if PKey value was changed in index 0
+
+From: Feras Daoud <ferasda@mellanox.com>
+
+
+[ Upstream commit 9a9b8112699d78e7f317019b37f377e90023f3ed ]
+
+Update the broadcast address in the priv->broadcast object when the
+Pkey value changes in index 0, otherwise the multicast GID value will
+keep the previous value of the PKey, and will not be updated.
+This leads to interface state down because the interface will keep the
+old PKey value.
+
+For example, in SR-IOV environment, if the PF changes the value of PKey
+index 0 for one of the VFs, then the VF receives PKey change event that
+triggers heavy flush. This flush calls update_parent_pkey that update the
+broadcast object and its relevant members. If in this case the multicast
+GID will not be updated, the interface state will be down.
+
+Fixes: c2904141696e ("IPoIB: Fix pkey change flow for virtualization environments")
+Signed-off-by: Feras Daoud <ferasda@mellanox.com>
+Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
+Reviewed-by: Alex Vesker <valex@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_ib.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+@@ -945,6 +945,19 @@ static inline int update_parent_pkey(str
+ */
+ priv->dev->broadcast[8] = priv->pkey >> 8;
+ priv->dev->broadcast[9] = priv->pkey & 0xff;
++
++ /*
++ * Update the broadcast address in the priv->broadcast object,
++ * in case it already exists, otherwise no one will do that.
++ */
++ if (priv->broadcast) {
++ spin_lock_irq(&priv->lock);
++ memcpy(priv->broadcast->mcmember.mgid.raw,
++ priv->dev->broadcast + 4,
++ sizeof(union ib_gid));
++ spin_unlock_irq(&priv->lock);
++ }
++
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Maor Gottlieb <maorg@mellanox.com>
+Date: Wed, 29 Mar 2017 06:03:01 +0300
+Subject: IB/mlx4: Change vma from shared to private
+
+From: Maor Gottlieb <maorg@mellanox.com>
+
+
+[ Upstream commit ca37a664a8e4e9988b220988ceb4d79e3316f195 ]
+
+Anonymous VMA (->vm_ops == NULL) cannot be shared, otherwise
+it would lead to SIGBUS.
+
+Remove the shared flags from the vma after we change it to be
+anonymous.
+
+This is easily reproduced by doing modprobe -r while running a
+user-space application such as raw_ethernet_bw.
+
+Fixes: ae184ddeca5db ('IB/mlx4_ib: Disassociate support')
+Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx4/main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/infiniband/hw/mlx4/main.c
++++ b/drivers/infiniband/hw/mlx4/main.c
+@@ -1055,6 +1055,8 @@ static void mlx4_ib_disassociate_ucontex
+ BUG_ON(1);
+ }
+
++ context->hw_bar_info[i].vma->vm_flags &=
++ ~(VM_SHARED | VM_MAYSHARE);
+ /* context going to be destroyed, should not access ops any more */
+ context->hw_bar_info[i].vma->vm_ops = NULL;
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Maor Gottlieb <maorg@mellanox.com>
+Date: Wed, 29 Mar 2017 06:03:00 +0300
+Subject: IB/mlx4: Take write semaphore when changing the vma struct
+
+From: Maor Gottlieb <maorg@mellanox.com>
+
+
+[ Upstream commit 22c3653d04bd0c67b75e99d85e0c0bdf83947df5 ]
+
+When the driver disassociate user context, it changes the vma to
+anonymous by setting the vm_ops to null and zap the vma ptes.
+
+In order to avoid race in the kernel, we need to take write lock
+before we change the vma entries.
+
+Fixes: ae184ddeca5db ('IB/mlx4_ib: Disassociate support')
+Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx4/main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx4/main.c
++++ b/drivers/infiniband/hw/mlx4/main.c
+@@ -1041,7 +1041,7 @@ static void mlx4_ib_disassociate_ucontex
+ /* need to protect from a race on closing the vma as part of
+ * mlx4_ib_vma_close().
+ */
+- down_read(&owning_mm->mmap_sem);
++ down_write(&owning_mm->mmap_sem);
+ for (i = 0; i < HW_BAR_COUNT; i++) {
+ vma = context->hw_bar_info[i].vma;
+ if (!vma)
+@@ -1059,7 +1059,7 @@ static void mlx4_ib_disassociate_ucontex
+ context->hw_bar_info[i].vma->vm_ops = NULL;
+ }
+
+- up_read(&owning_mm->mmap_sem);
++ up_write(&owning_mm->mmap_sem);
+ mmput(owning_mm);
+ put_task_struct(owning_process);
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:57:33 CET 2018
+From: Artemy Kovalyov <artemyko@mellanox.com>
+Date: Tue, 14 Nov 2017 14:51:59 +0200
+Subject: IB/umem: Fix use of npages/nmap fields
+
+From: Artemy Kovalyov <artemyko@mellanox.com>
+
+
+[ Upstream commit edf1a84fe37c51290e2c88154ecaf48dadff3d27 ]
+
+In ib_umem structure npages holds original number of sg entries, while
+nmap is number of DMA blocks returned by dma_map_sg.
+
+Fixes: c5d76f130b28 ('IB/core: Add umem function to read data from user-space')
+Signed-off-by: Artemy Kovalyov <artemyko@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/umem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -354,7 +354,7 @@ int ib_umem_copy_from(void *dst, struct
+ return -EINVAL;
+ }
+
+- ret = sg_pcopy_to_buffer(umem->sg_head.sgl, umem->nmap, dst, length,
++ ret = sg_pcopy_to_buffer(umem->sg_head.sgl, umem->npages, dst, length,
+ offset + ib_umem_offset(umem));
+
+ if (ret < 0)
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Shrirang Bagul <shrirang.bagul@canonical.com>
+Date: Wed, 19 Apr 2017 22:05:00 +0800
+Subject: iio: st_pressure: st_accel: Initialise sensor platform data properly
+
+From: Shrirang Bagul <shrirang.bagul@canonical.com>
+
+
+[ Upstream commit 7383d44b84c94aaca4bf695a6bd8a69f2295ef1a ]
+
+This patch fixes the sensor platform data initialisation for st_pressure
+and st_accel device drivers. Without this patch, the driver fails to
+register the sensors when the user removes and re-loads the driver.
+
+1. Unload the kernel modules for st_pressure
+$ sudo rmmod st_pressure_i2c
+$ sudo rmmod st_pressure
+
+2. Re-load the driver
+$ sudo insmod st_pressure
+$ sudo insmod st_pressure_i2c
+
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Acked-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/accel/st_accel_core.c | 7 ++++---
+ drivers/iio/pressure/st_pressure_core.c | 8 ++++----
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/iio/accel/st_accel_core.c
++++ b/drivers/iio/accel/st_accel_core.c
+@@ -628,6 +628,8 @@ static const struct iio_trigger_ops st_a
+ int st_accel_common_probe(struct iio_dev *indio_dev)
+ {
+ struct st_sensor_data *adata = iio_priv(indio_dev);
++ struct st_sensors_platform_data *pdata =
++ (struct st_sensors_platform_data *)adata->dev->platform_data;
+ int irq = adata->get_irq_data_ready(indio_dev);
+ int err;
+
+@@ -652,9 +654,8 @@ int st_accel_common_probe(struct iio_dev
+ &adata->sensor_settings->fs.fs_avl[0];
+ adata->odr = adata->sensor_settings->odr.odr_avl[0].hz;
+
+- if (!adata->dev->platform_data)
+- adata->dev->platform_data =
+- (struct st_sensors_platform_data *)&default_accel_pdata;
++ if (!pdata)
++ pdata = (struct st_sensors_platform_data *)&default_accel_pdata;
+
+ err = st_sensors_init_sensor(indio_dev, adata->dev->platform_data);
+ if (err < 0)
+--- a/drivers/iio/pressure/st_pressure_core.c
++++ b/drivers/iio/pressure/st_pressure_core.c
+@@ -436,6 +436,8 @@ static const struct iio_trigger_ops st_p
+ int st_press_common_probe(struct iio_dev *indio_dev)
+ {
+ struct st_sensor_data *press_data = iio_priv(indio_dev);
++ struct st_sensors_platform_data *pdata =
++ (struct st_sensors_platform_data *)press_data->dev->platform_data;
+ int irq = press_data->get_irq_data_ready(indio_dev);
+ int err;
+
+@@ -464,10 +466,8 @@ int st_press_common_probe(struct iio_dev
+ press_data->odr = press_data->sensor_settings->odr.odr_avl[0].hz;
+
+ /* Some devices don't support a data ready pin. */
+- if (!press_data->dev->platform_data &&
+- press_data->sensor_settings->drdy_irq.addr)
+- press_data->dev->platform_data =
+- (struct st_sensors_platform_data *)&default_press_pdata;
++ if (!pdata && press_data->sensor_settings->drdy_irq.addr)
++ pdata = (struct st_sensors_platform_data *)&default_press_pdata;
+
+ err = st_sensors_init_sensor(indio_dev, press_data->dev->platform_data);
+ if (err < 0)
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
+Date: Fri, 24 Mar 2017 15:55:17 -0400
+Subject: infiniband/uverbs: Fix integer overflows
+
+From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
+
+
+[ Upstream commit 4f7f4dcfff2c19debbcdbcc861c325610a15e0c5 ]
+
+The 'num_sge' variable is verfied to be smaller than the 'sge_count'
+variable; however, since both are user-controlled it's possible to cause
+an integer overflow for the kmalloc multiply on 32-bit platforms
+(num_sge and sge_count are both defined u32). By crafting an input that
+causes a smaller-than-expected allocation it's possible to write
+controlled data out-of-bounds.
+
+Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/uverbs_cmd.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -2436,9 +2436,13 @@ ssize_t ib_uverbs_destroy_qp(struct ib_u
+
+ static void *alloc_wr(size_t wr_size, __u32 num_sge)
+ {
++ if (num_sge >= (U32_MAX - ALIGN(wr_size, sizeof (struct ib_sge))) /
++ sizeof (struct ib_sge))
++ return NULL;
++
+ return kmalloc(ALIGN(wr_size, sizeof (struct ib_sge)) +
+ num_sge * sizeof (struct ib_sge), GFP_KERNEL);
+-};
++}
+
+ ssize_t ib_uverbs_post_send(struct ib_uverbs_file *file,
+ struct ib_device *ib_dev,
+@@ -2664,6 +2668,13 @@ static struct ib_recv_wr *ib_uverbs_unma
+ ret = -EINVAL;
+ goto err;
+ }
++
++ if (user_wr->num_sge >=
++ (U32_MAX - ALIGN(sizeof *next, sizeof (struct ib_sge))) /
++ sizeof (struct ib_sge)) {
++ ret = -EINVAL;
++ goto err;
++ }
+
+ next = kmalloc(ALIGN(sizeof *next, sizeof (struct ib_sge)) +
+ user_wr->num_sge * sizeof (struct ib_sge),
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 12 Dec 2016 15:32:57 -0800
+Subject: Input: ar1021_i2c - fix too long name in driver's device table
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+
+[ Upstream commit 95123fc43560d6f4a60e74f72836e63cd8848f76 ]
+
+The name field in structure i2c_device_id is 20 characters, and we expect
+it to be NULL-terminated, however we are trying to stuff it with 21 bytes
+and thus NULL-terminator is lost. This causes issues when one creates
+device with name "MICROCHIP_AR1021_I2C" as i2c core cuts off the last "C",
+and automatic module loading by alias does not work as result.
+
+The -I2C suffix in the device name is superfluous, we know what bus we are
+dealing with, so let's drop it. Also, no other driver uses capitals, and
+the manufacturer name is normally not included, except in very rare cases
+of incompatible name collisions.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116211
+Fixes: dd4cae8bf166 ("Input: Add Microchip AR1021 i2c touchscreen")
+Reviewed-By: Christian Gmeiner <christian.gmeiner@gmail.com>
+Tested-by: Martin Kepplinger <martin.kepplinger@ginzinger.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/ar1021_i2c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/ar1021_i2c.c
++++ b/drivers/input/touchscreen/ar1021_i2c.c
+@@ -152,7 +152,7 @@ static int __maybe_unused ar1021_i2c_res
+ static SIMPLE_DEV_PM_OPS(ar1021_i2c_pm, ar1021_i2c_suspend, ar1021_i2c_resume);
+
+ static const struct i2c_device_id ar1021_i2c_id[] = {
+- { "MICROCHIP_AR1021_I2C", 0 },
++ { "ar1021", 0 },
+ { },
+ };
+ MODULE_DEVICE_TABLE(i2c, ar1021_i2c_id);
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Date: Fri, 28 Apr 2017 10:25:51 -0700
+Subject: Input: twl4030-pwrbutton - use correct device for irq request
+
+From: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+
+
+[ Upstream commit 3071e9dd6cd3f2290d770117330f2c8b2e9a97e4 ]
+
+The interrupt should be requested for the platform device
+and not for the input device.
+
+Fixes: 7f9ce649d267 ("Input: twl4030-pwrbutton - simplify driver using devm_*")
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/misc/twl4030-pwrbutton.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/misc/twl4030-pwrbutton.c
++++ b/drivers/input/misc/twl4030-pwrbutton.c
+@@ -70,7 +70,7 @@ static int twl4030_pwrbutton_probe(struc
+ pwr->phys = "twl4030_pwrbutton/input0";
+ pwr->dev.parent = &pdev->dev;
+
+- err = devm_request_threaded_irq(&pwr->dev, irq, NULL, powerbutton_irq,
++ err = devm_request_threaded_irq(&pdev->dev, irq, NULL, powerbutton_irq,
+ IRQF_TRIGGER_FALLING | IRQF_TRIGGER_RISING |
+ IRQF_ONESHOT,
+ "twl4030_pwrbutton", pwr);
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Suman Anna <s-anna@ti.com>
+Date: Wed, 12 Apr 2017 00:21:26 -0500
+Subject: iommu/omap: Register driver before setting IOMMU ops
+
+From: Suman Anna <s-anna@ti.com>
+
+
+[ Upstream commit abaa7e5b054aae567861628b74dbc7fbf8ed79e8 ]
+
+Move the registration of the OMAP IOMMU platform driver before
+setting the IOMMU callbacks on the platform bus. This causes
+the IOMMU devices to be probed first before the .add_device()
+callback is invoked for all registered devices, and allows
+the iommu_group support to be added to the OMAP IOMMU driver.
+
+While at this, also check for the return status from bus_set_iommu.
+
+Signed-off-by: Suman Anna <s-anna@ti.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/omap-iommu.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+--- a/drivers/iommu/omap-iommu.c
++++ b/drivers/iommu/omap-iommu.c
+@@ -1295,6 +1295,7 @@ static int __init omap_iommu_init(void)
+ const unsigned long flags = SLAB_HWCACHE_ALIGN;
+ size_t align = 1 << 10; /* L2 pagetable alignement */
+ struct device_node *np;
++ int ret;
+
+ np = of_find_matching_node(NULL, omap_iommu_of_match);
+ if (!np)
+@@ -1308,11 +1309,25 @@ static int __init omap_iommu_init(void)
+ return -ENOMEM;
+ iopte_cachep = p;
+
+- bus_set_iommu(&platform_bus_type, &omap_iommu_ops);
+-
+ omap_iommu_debugfs_init();
+
+- return platform_driver_register(&omap_iommu_driver);
++ ret = platform_driver_register(&omap_iommu_driver);
++ if (ret) {
++ pr_err("%s: failed to register driver\n", __func__);
++ goto fail_driver;
++ }
++
++ ret = bus_set_iommu(&platform_bus_type, &omap_iommu_ops);
++ if (ret)
++ goto fail_bus;
++
++ return 0;
++
++fail_bus:
++ platform_driver_unregister(&omap_iommu_driver);
++fail_driver:
++ kmem_cache_destroy(iopte_cachep);
++ return ret;
+ }
+ subsys_initcall(omap_iommu_init);
+ /* must be ready before omap3isp is probed */
--- /dev/null
+From foo@baz Thu Mar 22 14:57:33 CET 2018
+From: Jerry Snitselaar <jsnitsel@redhat.com>
+Date: Wed, 20 Dec 2017 09:48:56 -0700
+Subject: iommu/vt-d: clean up pr_irq if request_threaded_irq fails
+
+From: Jerry Snitselaar <jsnitsel@redhat.com>
+
+
+[ Upstream commit 72d548113881dd32bf7f0b221d031e6586468437 ]
+
+It is unlikely request_threaded_irq will fail, but if it does for some
+reason we should clear iommu->pr_irq in the error path. Also
+intel_svm_finish_prq shouldn't try to clean up the page request
+interrupt if pr_irq is 0. Without these, if request_threaded_irq were
+to fail the following occurs:
+
+fail with no fixes:
+
+[ 0.683147] ------------[ cut here ]------------
+[ 0.683148] NULL pointer, cannot free irq
+[ 0.683158] WARNING: CPU: 1 PID: 1 at kernel/irq/irqdomain.c:1632 irq_domain_free_irqs+0x126/0x140
+[ 0.683160] Modules linked in:
+[ 0.683163] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2 #3
+[ 0.683165] Hardware name: /NUC7i3BNB, BIOS BNKBL357.86A.0036.2017.0105.1112 01/05/2017
+[ 0.683168] RIP: 0010:irq_domain_free_irqs+0x126/0x140
+[ 0.683169] RSP: 0000:ffffc90000037ce8 EFLAGS: 00010292
+[ 0.683171] RAX: 000000000000001d RBX: ffff880276283c00 RCX: ffffffff81c5e5e8
+[ 0.683172] RDX: 0000000000000001 RSI: 0000000000000096 RDI: 0000000000000246
+[ 0.683174] RBP: ffff880276283c00 R08: 0000000000000000 R09: 000000000000023c
+[ 0.683175] R10: 0000000000000007 R11: 0000000000000000 R12: 000000000000007a
+[ 0.683176] R13: 0000000000000001 R14: 0000000000000000 R15: 0000010010000000
+[ 0.683178] FS: 0000000000000000(0000) GS:ffff88027ec80000(0000) knlGS:0000000000000000
+[ 0.683180] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 0.683181] CR2: 0000000000000000 CR3: 0000000001c09001 CR4: 00000000003606e0
+[ 0.683182] Call Trace:
+[ 0.683189] intel_svm_finish_prq+0x3c/0x60
+[ 0.683191] free_dmar_iommu+0x1ac/0x1b0
+[ 0.683195] init_dmars+0xaaa/0xaea
+[ 0.683200] ? klist_next+0x19/0xc0
+[ 0.683203] ? pci_do_find_bus+0x50/0x50
+[ 0.683205] ? pci_get_dev_by_id+0x52/0x70
+[ 0.683208] intel_iommu_init+0x498/0x5c7
+[ 0.683211] pci_iommu_init+0x13/0x3c
+[ 0.683214] ? e820__memblock_setup+0x61/0x61
+[ 0.683217] do_one_initcall+0x4d/0x1a0
+[ 0.683220] kernel_init_freeable+0x186/0x20e
+[ 0.683222] ? set_debug_rodata+0x11/0x11
+[ 0.683225] ? rest_init+0xb0/0xb0
+[ 0.683226] kernel_init+0xa/0xff
+[ 0.683229] ret_from_fork+0x1f/0x30
+[ 0.683259] Code: 89 ee 44 89 e7 e8 3b e8 ff ff 5b 5d 44 89 e7 44 89 ee 41 5c 41 5d 41 5e e9 a8 84 ff ff 48 c7 c7 a8 71 a7 81 31 c0 e8 6a d3 f9 ff <0f> ff 5b 5d 41 5c 41 5d 41 5
+e c3 0f 1f 44 00 00 66 2e 0f 1f 84
+[ 0.683285] ---[ end trace f7650e42792627ca ]---
+
+with iommu->pr_irq = 0, but no check in intel_svm_finish_prq:
+
+[ 0.669561] ------------[ cut here ]------------
+[ 0.669563] Trying to free already-free IRQ 0
+[ 0.669573] WARNING: CPU: 3 PID: 1 at kernel/irq/manage.c:1546 __free_irq+0xa4/0x2c0
+[ 0.669574] Modules linked in:
+[ 0.669577] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2 #4
+[ 0.669579] Hardware name: /NUC7i3BNB, BIOS BNKBL357.86A.0036.2017.0105.1112 01/05/2017
+[ 0.669581] RIP: 0010:__free_irq+0xa4/0x2c0
+[ 0.669582] RSP: 0000:ffffc90000037cc0 EFLAGS: 00010082
+[ 0.669584] RAX: 0000000000000021 RBX: 0000000000000000 RCX: ffffffff81c5e5e8
+[ 0.669585] RDX: 0000000000000001 RSI: 0000000000000086 RDI: 0000000000000046
+[ 0.669587] RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000023c
+[ 0.669588] R10: 0000000000000007 R11: 0000000000000000 R12: ffff880276253960
+[ 0.669589] R13: ffff8802762538a4 R14: ffff880276253800 R15: ffff880276283600
+[ 0.669593] FS: 0000000000000000(0000) GS:ffff88027ed80000(0000) knlGS:0000000000000000
+[ 0.669594] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 0.669596] CR2: 0000000000000000 CR3: 0000000001c09001 CR4: 00000000003606e0
+[ 0.669602] Call Trace:
+[ 0.669616] free_irq+0x30/0x60
+[ 0.669620] intel_svm_finish_prq+0x34/0x60
+[ 0.669623] free_dmar_iommu+0x1ac/0x1b0
+[ 0.669627] init_dmars+0xaaa/0xaea
+[ 0.669631] ? klist_next+0x19/0xc0
+[ 0.669634] ? pci_do_find_bus+0x50/0x50
+[ 0.669637] ? pci_get_dev_by_id+0x52/0x70
+[ 0.669639] intel_iommu_init+0x498/0x5c7
+[ 0.669642] pci_iommu_init+0x13/0x3c
+[ 0.669645] ? e820__memblock_setup+0x61/0x61
+[ 0.669648] do_one_initcall+0x4d/0x1a0
+[ 0.669651] kernel_init_freeable+0x186/0x20e
+[ 0.669653] ? set_debug_rodata+0x11/0x11
+[ 0.669656] ? rest_init+0xb0/0xb0
+[ 0.669658] kernel_init+0xa/0xff
+[ 0.669661] ret_from_fork+0x1f/0x30
+[ 0.669662] Code: 7a 08 75 0e e9 c3 01 00 00 4c 39 7b 08 74 57 48 89 da 48 8b 5a 18 48 85 db 75 ee 89 ee 48 c7 c7 78 67 a7 81 31 c0 e8 4c 37 fa ff <0f> ff 48 8b 34 24 4c 89 ef e
+8 0e 4c 68 00 49 8b 46 40 48 8b 80
+[ 0.669688] ---[ end trace 58a470248700f2fc ]---
+
+Cc: Alex Williamson <alex.williamson@redhat.com>
+Cc: Joerg Roedel <joro@8bytes.org>
+Cc: Ashok Raj <ashok.raj@intel.com>
+Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
+Reviewed-by: Ashok Raj <ashok.raj@intel.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/intel-svm.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/iommu/intel-svm.c
++++ b/drivers/iommu/intel-svm.c
+@@ -127,6 +127,7 @@ int intel_svm_enable_prq(struct intel_io
+ pr_err("IOMMU: %s: Failed to request IRQ for page request queue\n",
+ iommu->name);
+ dmar_free_hwirq(irq);
++ iommu->pr_irq = 0;
+ goto err;
+ }
+ dmar_writeq(iommu->reg + DMAR_PQH_REG, 0ULL);
+@@ -142,9 +143,11 @@ int intel_svm_finish_prq(struct intel_io
+ dmar_writeq(iommu->reg + DMAR_PQT_REG, 0ULL);
+ dmar_writeq(iommu->reg + DMAR_PQA_REG, 0ULL);
+
+- free_irq(iommu->pr_irq, iommu);
+- dmar_free_hwirq(iommu->pr_irq);
+- iommu->pr_irq = 0;
++ if (iommu->pr_irq) {
++ free_irq(iommu->pr_irq, iommu);
++ dmar_free_hwirq(iommu->pr_irq);
++ iommu->pr_irq = 0;
++ }
+
+ free_pages((unsigned long)iommu->prq, PRQ_ORDER);
+ iommu->prq = NULL;
--- /dev/null
+From foo@baz Thu Mar 22 14:57:33 CET 2018
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+Date: Tue, 19 Dec 2017 16:59:21 +0300
+Subject: ip6_vti: adjust vti mtu according to mtu of lower device
+
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+
+
+[ Upstream commit 53c81e95df1793933f87748d36070a721f6cb287 ]
+
+LTP/udp6_ipsec_vti tests fail when sending large UDP datagrams over
+ip6_vti that require fragmentation and the underlying device has an
+MTU smaller than 1500 plus some extra space for headers. This happens
+because ip6_vti, by default, sets MTU to ETH_DATA_LEN and not updating
+it depending on a destination address or link parameter. Further
+attempts to send UDP packets may succeed because pmtu gets updated on
+ICMPV6_PKT_TOOBIG in vti6_err().
+
+In case the lower device has larger MTU size, e.g. 9000, ip6_vti works
+but not using the possible maximum size, output packets have 1500 limit.
+
+The above cases require manual MTU setup after ip6_vti creation. However
+ip_vti already updates MTU based on lower device with ip_tunnel_bind_dev().
+
+Here is the example when the lower device MTU is set to 9000:
+
+ # ip a sh ltp_ns_veth2
+ ltp_ns_veth2@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 ...
+ inet 10.0.0.2/24 scope global ltp_ns_veth2
+ inet6 fd00::2/64 scope global
+
+ # ip li add vti6 type vti6 local fd00::2 remote fd00::1
+ # ip li show vti6
+ vti6@NONE: <POINTOPOINT,NOARP> mtu 1500 ...
+ link/tunnel6 fd00::2 peer fd00::1
+
+After the patch:
+ # ip li add vti6 type vti6 local fd00::2 remote fd00::1
+ # ip li show vti6
+ vti6@NONE: <POINTOPOINT,NOARP> mtu 8832 ...
+ link/tunnel6 fd00::2 peer fd00::1
+
+Reported-by: Petr Vorel <pvorel@suse.cz>
+Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_vti.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -614,6 +614,7 @@ static void vti6_link_config(struct ip6_
+ {
+ struct net_device *dev = t->dev;
+ struct __ip6_tnl_parm *p = &t->parms;
++ struct net_device *tdev = NULL;
+
+ memcpy(dev->dev_addr, &p->laddr, sizeof(struct in6_addr));
+ memcpy(dev->broadcast, &p->raddr, sizeof(struct in6_addr));
+@@ -626,6 +627,25 @@ static void vti6_link_config(struct ip6_
+ dev->flags |= IFF_POINTOPOINT;
+ else
+ dev->flags &= ~IFF_POINTOPOINT;
++
++ if (p->flags & IP6_TNL_F_CAP_XMIT) {
++ int strict = (ipv6_addr_type(&p->raddr) &
++ (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL));
++ struct rt6_info *rt = rt6_lookup(t->net,
++ &p->raddr, &p->laddr,
++ p->link, strict);
++
++ if (rt)
++ tdev = rt->dst.dev;
++ ip6_rt_put(rt);
++ }
++
++ if (!tdev && p->link)
++ tdev = __dev_get_by_index(t->net, p->link);
++
++ if (tdev)
++ dev->mtu = max_t(int, tdev->mtu - dev->hard_header_len,
++ IPV6_MIN_MTU);
+ }
+
+ /**
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Robert Lippert <roblip@gmail.com>
+Date: Thu, 20 Apr 2017 16:49:47 -0700
+Subject: ipmi/watchdog: fix wdog hang on panic waiting for ipmi response
+
+From: Robert Lippert <roblip@gmail.com>
+
+
+[ Upstream commit 2c1175c2e8e5487233cabde358a19577562ac83e ]
+
+Commit c49c097610fe ("ipmi: Don't call receive handler in the
+panic context") means that the panic_recv_free is not called during a
+panic and the atomic count does not drop to 0.
+
+Fix this by only expecting one decrement of the atomic variable
+which comes from panic_smi_free.
+
+Signed-off-by: Robert Lippert <rlippert@google.com>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/ipmi/ipmi_watchdog.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_watchdog.c
++++ b/drivers/char/ipmi/ipmi_watchdog.c
+@@ -515,7 +515,7 @@ static void panic_halt_ipmi_heartbeat(vo
+ msg.cmd = IPMI_WDOG_RESET_TIMER;
+ msg.data = NULL;
+ msg.data_len = 0;
+- atomic_add(2, &panic_done_count);
++ atomic_add(1, &panic_done_count);
+ rv = ipmi_request_supply_msgs(watchdog_user,
+ (struct ipmi_addr *) &addr,
+ 0,
+@@ -525,7 +525,7 @@ static void panic_halt_ipmi_heartbeat(vo
+ &panic_halt_heartbeat_recv_msg,
+ 1);
+ if (rv)
+- atomic_sub(2, &panic_done_count);
++ atomic_sub(1, &panic_done_count);
+ }
+
+ static struct ipmi_smi_msg panic_halt_smi_msg = {
+@@ -549,12 +549,12 @@ static void panic_halt_ipmi_set_timeout(
+ /* Wait for the messages to be free. */
+ while (atomic_read(&panic_done_count) != 0)
+ ipmi_poll_interface(watchdog_user);
+- atomic_add(2, &panic_done_count);
++ atomic_add(1, &panic_done_count);
+ rv = i_ipmi_set_timeout(&panic_halt_smi_msg,
+ &panic_halt_recv_msg,
+ &send_heartbeat_now);
+ if (rv) {
+- atomic_sub(2, &panic_done_count);
++ atomic_sub(1, &panic_done_count);
+ printk(KERN_WARNING PFX
+ "Unable to extend the watchdog timeout.");
+ } else {
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+Date: Fri, 24 Mar 2017 17:48:10 +1100
+Subject: KVM: PPC: Book3S PR: Exit KVM on failed mapping
+
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+
+
+[ Upstream commit bd9166ffe624000140fc6b606b256df01fc0d060 ]
+
+At the moment kvmppc_mmu_map_page() returns -1 if
+mmu_hash_ops.hpte_insert() fails for any reason so the page fault handler
+resumes the guest and it faults on the same address again.
+
+This adds distinction to kvmppc_mmu_map_page() to return -EIO if
+mmu_hash_ops.hpte_insert() failed for a reason other than full pteg.
+At the moment only pSeries_lpar_hpte_insert() returns -2 if
+plpar_pte_enter() failed with a code other than H_PTEG_FULL.
+Other mmu_hash_ops.hpte_insert() instances can only fail with
+-1 "full pteg".
+
+With this change, if PR KVM fails to update HPT, it can signal
+the userspace about this instead of returning to guest and having
+the very same page fault over and over again.
+
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kvm/book3s_64_mmu_host.c | 5 ++++-
+ arch/powerpc/kvm/book3s_pr.c | 6 +++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kvm/book3s_64_mmu_host.c
++++ b/arch/powerpc/kvm/book3s_64_mmu_host.c
+@@ -177,12 +177,15 @@ map_again:
+ ret = ppc_md.hpte_insert(hpteg, vpn, hpaddr, rflags, vflags,
+ hpsize, hpsize, MMU_SEGSIZE_256M);
+
+- if (ret < 0) {
++ if (ret == -1) {
+ /* If we couldn't map a primary PTE, try a secondary */
+ hash = ~hash;
+ vflags ^= HPTE_V_SECONDARY;
+ attempt++;
+ goto map_again;
++ } else if (ret < 0) {
++ r = -EIO;
++ goto out_unlock;
+ } else {
+ trace_kvm_book3s_64_mmu_map(rflags, hpteg,
+ vpn, hpaddr, orig_pte);
+--- a/arch/powerpc/kvm/book3s_pr.c
++++ b/arch/powerpc/kvm/book3s_pr.c
+@@ -625,7 +625,11 @@ int kvmppc_handle_pagefault(struct kvm_r
+ kvmppc_mmu_unmap_page(vcpu, &pte);
+ }
+ /* The guest's PTE is not mapped yet. Map on the host */
+- kvmppc_mmu_map_page(vcpu, &pte, iswrite);
++ if (kvmppc_mmu_map_page(vcpu, &pte, iswrite) == -EIO) {
++ /* Exit KVM if mapping failed */
++ run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
++ return RESUME_HOST;
++ }
+ if (data)
+ vcpu->stat.sp_storage++;
+ else if (vcpu->arch.mmu.is_dcbz32(vcpu) &&
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Wed, 26 Apr 2017 10:58:51 +0300
+Subject: mac80211: don't parse encrypted management frames in ieee80211_frame_acked
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+
+[ Upstream commit cf147085fdda044622973a12e4e06f1c753ab677 ]
+
+ieee80211_frame_acked is called when a frame is acked by
+the peer. In case this is a management frame, we check
+if this an SMPS frame, in which case we can update our
+antenna configuration.
+
+When we parse the management frame we look at the category
+in case it is an action frame. That byte sits after the IV
+in case the frame was encrypted. This means that if the
+frame was encrypted, we basically look at the IV instead
+of looking at the category. It is then theorically
+possible that we think that an SMPS action frame was acked
+where really we had another frame that was encrypted.
+
+Since the only management frame whose ack needs to be
+tracked is the SMPS action frame, and that frame is not
+a robust management frame, it will never be encrypted.
+The easiest way to fix this problem is then to not look
+at frames that were encrypted.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/status.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/mac80211/status.c
++++ b/net/mac80211/status.c
+@@ -194,6 +194,7 @@ static void ieee80211_frame_acked(struct
+ }
+
+ if (ieee80211_is_action(mgmt->frame_control) &&
++ !ieee80211_has_protected(mgmt->frame_control) &&
+ mgmt->u.action.category == WLAN_CATEGORY_HT &&
+ mgmt->u.action.u.ht_smps.action == WLAN_HT_ACTION_SMPS &&
+ ieee80211_sdata_running(sdata)) {
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Shaohua Li <shli@fb.com>
+Date: Mon, 1 May 2017 12:15:07 -0700
+Subject: md/raid10: skip spare disk as 'first' disk
+
+From: Shaohua Li <shli@fb.com>
+
+
+[ Upstream commit b506335e5d2b4ec687dde392a3bdbf7601778f1d ]
+
+Commit 6f287ca(md/raid10: reset the 'first' at the end of loop) ignores
+a case in reshape, the first rdev could be a spare disk, which shouldn't
+be accounted as the first disk since it doesn't include the offset info.
+
+Fix: 6f287ca(md/raid10: reset the 'first' at the end of loop)
+Cc: Guoqing Jiang <gqjiang@suse.com>
+Cc: NeilBrown <neilb@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid10.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -4044,6 +4044,7 @@ static int raid10_start_reshape(struct m
+ diff = 0;
+ if (first || diff < min_offset_diff)
+ min_offset_diff = diff;
++ first = 0;
+ }
+ }
+
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Guoqing Jiang <gqjiang@suse.com>
+Date: Mon, 17 Apr 2017 17:11:05 +0800
+Subject: md/raid10: wait up frozen array in handle_write_completed
+
+From: Guoqing Jiang <gqjiang@suse.com>
+
+
+[ Upstream commit cf25ae78fc50010f66b9be945017796da34c434d ]
+
+Since nr_queued is changed, we need to call wake_up here
+if the array is already frozen and waiting for condition
+"nr_pending == nr_queued + extra" to be true.
+
+And commit 824e47daddbf ("RAID1: avoid unnecessary spin
+locks in I/O barrier code") which has already added the
+wake_up for raid1.
+
+Signed-off-by: Guoqing Jiang <gqjiang@suse.com>
+Reviewed-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid10.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -2698,6 +2698,11 @@ static void handle_write_completed(struc
+ list_add(&r10_bio->retry_list, &conf->bio_end_io_list);
+ conf->nr_queued++;
+ spin_unlock_irq(&conf->device_lock);
++ /*
++ * In case freeze_array() is waiting for condition
++ * nr_pending == nr_queued + extra to be true.
++ */
++ wake_up(&conf->wait_barrier);
+ md_wakeup_thread(conf->mddev->thread);
+ } else {
+ if (test_bit(R10BIO_WriteError,
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Thu, 21 Sep 2017 19:23:56 -0400
+Subject: media: bt8xx: Fix err 'bt878_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit 45392ff6881dbe56d41ef0b17c2e576065f8ffa1 ]
+
+This is odd to call 'pci_disable_device()' in an error path before a
+coresponding successful 'pci_enable_device()'.
+
+Return directly instead.
+
+Fixes: 77e0be12100a ("V4L/DVB (4176): Bug-fix: Fix memory overflow")
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/pci/bt8xx/bt878.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/media/pci/bt8xx/bt878.c
++++ b/drivers/media/pci/bt8xx/bt878.c
+@@ -422,8 +422,7 @@ static int bt878_probe(struct pci_dev *d
+ bt878_num);
+ if (bt878_num >= BT878_MAX) {
+ printk(KERN_ERR "bt878: Too many devices inserted\n");
+- result = -ENOMEM;
+- goto fail0;
++ return -ENOMEM;
+ }
+ if (pci_enable_device(dev))
+ return -EIO;
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+Date: Mon, 20 Nov 2017 09:00:55 -0500
+Subject: media: c8sectpfe: fix potential NULL pointer dereference in c8sectpfe_timer_interrupt
+
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+
+
+[ Upstream commit baed3c4bc4c13de93e0dba0a26d601411ebcb389 ]
+
+_channel_ is being dereferenced before it is null checked, hence there is a
+potential null pointer dereference. Fix this by moving the pointer dereference
+after _channel_ has been null checked.
+
+This issue was detected with the help of Coccinelle.
+
+Fixes: c5f5d0f99794 ("[media] c8sectpfe: STiH407/10 Linux DVB demux support")
+
+Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
+Acked-by: Patrice Chotard <patrice.chotard@st.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
++++ b/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
+@@ -83,7 +83,7 @@ static void c8sectpfe_timer_interrupt(un
+ static void channel_swdemux_tsklet(unsigned long data)
+ {
+ struct channel_info *channel = (struct channel_info *)data;
+- struct c8sectpfei *fei = channel->fei;
++ struct c8sectpfei *fei;
+ unsigned long wp, rp;
+ int pos, num_packets, n, size;
+ u8 *buf;
+@@ -91,6 +91,8 @@ static void channel_swdemux_tsklet(unsig
+ if (unlikely(!channel || !channel->irec))
+ return;
+
++ fei = channel->fei;
++
+ wp = readl(channel->irec + DMA_PRDS_BUSWP_TP(0));
+ rp = readl(channel->irec + DMA_PRDS_BUSRP_TP(0));
+
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Jasmin J <jasmin@anw.at>
+Date: Fri, 17 Mar 2017 23:04:20 -0300
+Subject: [media] media/dvb-core: Race condition when writing to CAM
+
+From: Jasmin J <jasmin@anw.at>
+
+
+[ Upstream commit e7080d4471d805d921a9ea21b32f911a91e248cb ]
+
+It started with a sporadic message in syslog: "CAM tried to send a
+buffer larger than the ecount size" This message is not the fault
+itself, but a consecutive fault, after a read error from the CAM. This
+happens only on several CAMs, several hardware, and of course sporadic.
+
+It is a consecutive fault, if the last read from the CAM did fail. I
+guess this will not happen on all CAMs, but at least it did on mine.
+There was a write error to the CAM and during the re-initialization
+procedure, the CAM finished the last read, although it got a RS.
+
+The write error to the CAM happened because a race condition between HC
+write, checking DA and FR.
+
+This patch added an additional check for DA(RE), just after checking FR.
+It is important to read the CAMs status register again, to give the CAM
+the necessary time for a proper reaction to HC. Please note the
+description within the source code (patch below).
+
+[mchehab@s-opensource.com: make checkpatch happy]
+
+Signed-off-by: Jasmin jessich <jasmin@anw.at>
+Tested-by: Ralph Metzler <rjkm@metzlerbros.de>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-core/dvb_ca_en50221.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/drivers/media/dvb-core/dvb_ca_en50221.c
++++ b/drivers/media/dvb-core/dvb_ca_en50221.c
+@@ -750,6 +750,29 @@ static int dvb_ca_en50221_write_data(str
+ goto exit;
+ }
+
++ /*
++ * It may need some time for the CAM to settle down, or there might
++ * be a race condition between the CAM, writing HC and our last
++ * check for DA. This happens, if the CAM asserts DA, just after
++ * checking DA before we are setting HC. In this case it might be
++ * a bug in the CAM to keep the FR bit, the lower layer/HW
++ * communication requires a longer timeout or the CAM needs more
++ * time internally. But this happens in reality!
++ * We need to read the status from the HW again and do the same
++ * we did for the previous check for DA
++ */
++ status = ca->pub->read_cam_control(ca->pub, slot, CTRLIF_STATUS);
++ if (status < 0)
++ goto exit;
++
++ if (status & (STATUSREG_DA | STATUSREG_RE)) {
++ if (status & STATUSREG_DA)
++ dvb_ca_en50221_thread_wakeup(ca);
++
++ status = -EAGAIN;
++ goto exit;
++ }
++
+ /* send the amount of data */
+ if ((status = ca->pub->write_cam_control(ca->pub, slot, CTRLIF_SIZE_HIGH, bytes_write >> 8)) != 0)
+ goto exit;
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Ron Economos <w6rz@comcast.net>
+Date: Mon, 11 Dec 2017 19:51:53 -0500
+Subject: media: [RESEND] media: dvb-frontends: Add delay to Si2168 restart
+
+From: Ron Economos <w6rz@comcast.net>
+
+
+[ Upstream commit 380a6c86457573aa42d27ae11e025eb25941a0b7 ]
+
+On faster CPUs a delay is required after the resume command and the restart command. Without the delay, the restart command often returns -EREMOTEIO and the Si2168 does not restart.
+
+Note that this patch fixes the same issue as https://patchwork.linuxtv.org/patch/44304/, but I believe my udelay() fix addresses the actual problem.
+
+Signed-off-by: Ron Economos <w6rz@comcast.net>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-frontends/si2168.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/dvb-frontends/si2168.c
++++ b/drivers/media/dvb-frontends/si2168.c
+@@ -14,6 +14,8 @@
+ * GNU General Public License for more details.
+ */
+
++#include <linux/delay.h>
++
+ #include "si2168_priv.h"
+
+ static const struct dvb_frontend_ops si2168_ops;
+@@ -420,6 +422,7 @@ static int si2168_init(struct dvb_fronte
+ if (ret)
+ goto err;
+
++ udelay(100);
+ memcpy(cmd.args, "\x85", 1);
+ cmd.wlen = 1;
+ cmd.rlen = 1;
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Keerthy <j-keerthy@ti.com>
+Date: Thu, 10 Nov 2016 10:39:18 +0530
+Subject: mfd: palmas: Reset the POWERHOLD mux during power off
+
+From: Keerthy <j-keerthy@ti.com>
+
+
+[ Upstream commit 85fdaf8eb9bbec1f0f8a52fd5d85659d60738816 ]
+
+POWERHOLD signal has higher priority over the DEV_ON bit.
+So power off will not happen if the POWERHOLD is held high.
+Hence reset the MUX to GPIO_7 mode to release the POWERHOLD
+and the DEV_ON bit to take effect to power off the PMIC.
+
+PMIC Power off happens in dire situations like thermal shutdown
+so irrespective of the POWERHOLD setting go ahead and turn off
+the powerhold. Currently poweroff is broken on boards that have
+powerhold enabled. This fixes poweroff on those boards.
+
+Signed-off-by: Keerthy <j-keerthy@ti.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mfd/palmas.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/mfd/palmas.c
++++ b/drivers/mfd/palmas.c
+@@ -430,6 +430,20 @@ static void palmas_power_off(void)
+ {
+ unsigned int addr;
+ int ret, slave;
++ struct device_node *np = palmas_dev->dev->of_node;
++
++ if (of_property_read_bool(np, "ti,palmas-override-powerhold")) {
++ addr = PALMAS_BASE_TO_REG(PALMAS_PU_PD_OD_BASE,
++ PALMAS_PRIMARY_SECONDARY_PAD2);
++ slave = PALMAS_BASE_TO_SLAVE(PALMAS_PU_PD_OD_BASE);
++
++ ret = regmap_update_bits(palmas_dev->regmap[slave], addr,
++ PALMAS_PRIMARY_SECONDARY_PAD2_GPIO_7_MASK, 0);
++ if (ret)
++ dev_err(palmas_dev->dev,
++ "Unable to write PRIMARY_SECONDARY_PAD2 %d\n",
++ ret);
++ }
+
+ if (!palmas_dev)
+ return;
--- /dev/null
+From foo@baz Thu Mar 22 14:57:33 CET 2018
+From: Daniel Drake <drake@endlessm.com>
+Date: Tue, 12 Dec 2017 10:49:02 +0000
+Subject: mmc: avoid removing non-removable hosts during suspend
+
+From: Daniel Drake <drake@endlessm.com>
+
+
+[ Upstream commit de8dcc3d2c0e08e5068ee1e26fc46415c15e3637 ]
+
+The Weibu F3C MiniPC has an onboard AP6255 module, presenting
+two SDIO functions on a single MMC host (Bluetooth/btsdio and
+WiFi/brcmfmac), and the mmc layer correctly detects this as
+non-removable.
+
+After suspend/resume, the wifi and bluetooth interfaces disappear
+and do not get probed again.
+
+The conditions here are:
+
+ 1. During suspend, we reach mmc_pm_notify()
+
+ 2. mmc_pm_notify() calls mmc_sdio_pre_suspend() to see if we can
+ suspend the SDIO host. However, mmc_sdio_pre_suspend() returns
+ -ENOSYS because btsdio_driver does not have a suspend method.
+
+ 3. mmc_pm_notify() proceeds to remove the card
+
+ 4. Upon resume, mmc_rescan() does nothing with this host, because of
+ the rescan_entered check which aims to only scan a non-removable
+ device a single time (i.e. during boot).
+
+Fix the loss of functionality by detecting that we are unable to
+suspend a non-removable host, so avoid the forced removal in that
+case. The comment above this function already indicates that this
+code was only intended for removable devices.
+
+Signed-off-by: Daniel Drake <drake@endlessm.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/core.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/mmc/core/core.c
++++ b/drivers/mmc/core/core.c
+@@ -2791,6 +2791,14 @@ int mmc_pm_notify(struct notifier_block
+ if (!err)
+ break;
+
++ if (!mmc_card_is_removable(host)) {
++ dev_warn(mmc_dev(host),
++ "pre_suspend failed for non-removable host: "
++ "%d\n", err);
++ /* Avoid removing non-removable hosts */
++ break;
++ }
++
+ /* Calling bus_ops->remove() with a claimed host can deadlock */
+ host->bus_ops->remove(host);
+ mmc_claim_host(host);
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 10 Apr 2017 16:54:17 +0300
+Subject: mmc: host: omap_hsmmc: checking for NULL instead of IS_ERR()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit ec5ab8933772c87f24ad62a4a602fe8949f423c2 ]
+
+devm_pinctrl_get() returns error pointers, it never returns NULL.
+
+Fixes: 455e5cd6f736 ("mmc: omap_hsmmc: Pin remux workaround to support SDIO interrupt on AM335x")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/omap_hsmmc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/omap_hsmmc.c
++++ b/drivers/mmc/host/omap_hsmmc.c
+@@ -1776,8 +1776,8 @@ static int omap_hsmmc_configure_wake_irq
+ */
+ if (host->pdata->controller_flags & OMAP_HSMMC_SWAKEUP_MISSING) {
+ struct pinctrl *p = devm_pinctrl_get(host->dev);
+- if (!p) {
+- ret = -ENODEV;
++ if (IS_ERR(p)) {
++ ret = PTR_ERR(p);
+ goto err_free_irq;
+ }
+ if (IS_ERR(pinctrl_lookup_state(p, PINCTRL_STATE_DEFAULT))) {
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: yangbo lu <yangbo.lu@nxp.com>
+Date: Thu, 20 Apr 2017 14:58:29 +0800
+Subject: mmc: sdhci-of-esdhc: limit SD clock for ls1012a/ls1046a
+
+From: yangbo lu <yangbo.lu@nxp.com>
+
+
+[ Upstream commit a627f025eb0534052ff451427c16750b3530634c ]
+
+The ls1046a datasheet specified that the max SD clock frequency
+for eSDHC SDR104/HS200 was 167MHz, and the ls1012a datasheet
+specified it's 125MHz for ls1012a. So this patch is to add the
+limitation.
+
+Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-of-esdhc.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-of-esdhc.c
++++ b/drivers/mmc/host/sdhci-of-esdhc.c
+@@ -418,6 +418,20 @@ static void esdhc_of_set_clock(struct sd
+ if (esdhc->vendor_ver < VENDOR_V_23)
+ pre_div = 2;
+
++ /*
++ * Limit SD clock to 167MHz for ls1046a according to its datasheet
++ */
++ if (clock > 167000000 &&
++ of_find_compatible_node(NULL, NULL, "fsl,ls1046a-esdhc"))
++ clock = 167000000;
++
++ /*
++ * Limit SD clock to 125MHz for ls1012a according to its datasheet
++ */
++ if (clock > 125000000 &&
++ of_find_compatible_node(NULL, NULL, "fsl,ls1012a-esdhc"))
++ clock = 125000000;
++
+ /* Workaround to reduce the clock frequency for p1010 esdhc */
+ if (of_find_compatible_node(NULL, NULL, "fsl,p1010-esdhc")) {
+ if (clock > 20000000)
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Pan Bian <bianpan2016@163.com>
+Date: Sun, 23 Apr 2017 15:00:23 +0800
+Subject: mt7601u: check return value of alloc_skb
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit 5fb01e91daf84ad1e50edfcf63116ecbe31e7ba7 ]
+
+Function alloc_skb() will return a NULL pointer if there is no enough
+memory. However, in function mt7601u_mcu_msg_alloc(), its return value
+is not validated before it is used. This patch fixes it.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Acked-by: Jakub Kicinski <kubakici@wp.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt7601u/mcu.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt7601u/mcu.c
++++ b/drivers/net/wireless/mediatek/mt7601u/mcu.c
+@@ -66,8 +66,10 @@ mt7601u_mcu_msg_alloc(struct mt7601u_dev
+ WARN_ON(len % 4); /* if length is not divisible by 4 we need to pad */
+
+ skb = alloc_skb(len + MT_DMA_HDR_LEN + 4, GFP_KERNEL);
+- skb_reserve(skb, MT_DMA_HDR_LEN);
+- memcpy(skb_put(skb, len), data, len);
++ if (skb) {
++ skb_reserve(skb, MT_DMA_HDR_LEN);
++ memcpy(skb_put(skb, len), data, len);
++ }
+
+ return skb;
+ }
+@@ -170,6 +172,8 @@ static int mt7601u_mcu_function_select(s
+ };
+
+ skb = mt7601u_mcu_msg_alloc(dev, &msg, sizeof(msg));
++ if (!skb)
++ return -ENOMEM;
+ return mt7601u_mcu_msg_send(dev, skb, CMD_FUN_SET_OP, func == 5);
+ }
+
+@@ -205,6 +209,8 @@ mt7601u_mcu_calibrate(struct mt7601u_dev
+ };
+
+ skb = mt7601u_mcu_msg_alloc(dev, &msg, sizeof(msg));
++ if (!skb)
++ return -ENOMEM;
+ return mt7601u_mcu_msg_send(dev, skb, CMD_CALIBRATION_OP, true);
+ }
+
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Ming Lei <ming.lei@redhat.com>
+Date: Thu, 27 Apr 2017 07:45:18 -0600
+Subject: mtip32xx: use runtime tag to initialize command header
+
+From: Ming Lei <ming.lei@redhat.com>
+
+
+[ Upstream commit a4e84aae8139aca9fbfbced1f45c51ca81b57488 ]
+
+mtip32xx supposes that 'request_idx' passed to .init_request()
+is tag of the request, and use that as request's tag to initialize
+command header.
+
+After MQ IO scheduler is in, request tag assigned isn't same with
+the request index anymore, so cause strange hardware failure on
+mtip32xx, even whole system panic is triggered.
+
+This patch fixes the issue by initializing command header via
+request's real tag.
+
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/mtip32xx/mtip32xx.c | 36 ++++++++++++++++++++++++------------
+ 1 file changed, 24 insertions(+), 12 deletions(-)
+
+--- a/drivers/block/mtip32xx/mtip32xx.c
++++ b/drivers/block/mtip32xx/mtip32xx.c
+@@ -169,6 +169,25 @@ static bool mtip_check_surprise_removal(
+ return false; /* device present */
+ }
+
++/* we have to use runtime tag to setup command header */
++static void mtip_init_cmd_header(struct request *rq)
++{
++ struct driver_data *dd = rq->q->queuedata;
++ struct mtip_cmd *cmd = blk_mq_rq_to_pdu(rq);
++ u32 host_cap_64 = readl(dd->mmio + HOST_CAP) & HOST_CAP_64;
++
++ /* Point the command headers at the command tables. */
++ cmd->command_header = dd->port->command_list +
++ (sizeof(struct mtip_cmd_hdr) * rq->tag);
++ cmd->command_header_dma = dd->port->command_list_dma +
++ (sizeof(struct mtip_cmd_hdr) * rq->tag);
++
++ if (host_cap_64)
++ cmd->command_header->ctbau = __force_bit2int cpu_to_le32((cmd->command_dma >> 16) >> 16);
++
++ cmd->command_header->ctba = __force_bit2int cpu_to_le32(cmd->command_dma & 0xFFFFFFFF);
++}
++
+ static struct mtip_cmd *mtip_get_int_command(struct driver_data *dd)
+ {
+ struct request *rq;
+@@ -180,6 +199,9 @@ static struct mtip_cmd *mtip_get_int_com
+ if (IS_ERR(rq))
+ return NULL;
+
++ /* Internal cmd isn't submitted via .queue_rq */
++ mtip_init_cmd_header(rq);
++
+ return blk_mq_rq_to_pdu(rq);
+ }
+
+@@ -3818,6 +3840,8 @@ static int mtip_queue_rq(struct blk_mq_h
+ struct request *rq = bd->rq;
+ int ret;
+
++ mtip_init_cmd_header(rq);
++
+ if (unlikely(mtip_check_unal_depth(hctx, rq)))
+ return BLK_MQ_RQ_QUEUE_BUSY;
+
+@@ -3849,7 +3873,6 @@ static int mtip_init_cmd(void *data, str
+ {
+ struct driver_data *dd = data;
+ struct mtip_cmd *cmd = blk_mq_rq_to_pdu(rq);
+- u32 host_cap_64 = readl(dd->mmio + HOST_CAP) & HOST_CAP_64;
+
+ /*
+ * For flush requests, request_idx starts at the end of the
+@@ -3866,17 +3889,6 @@ static int mtip_init_cmd(void *data, str
+
+ memset(cmd->command, 0, CMD_DMA_ALLOC_SZ);
+
+- /* Point the command headers at the command tables. */
+- cmd->command_header = dd->port->command_list +
+- (sizeof(struct mtip_cmd_hdr) * request_idx);
+- cmd->command_header_dma = dd->port->command_list_dma +
+- (sizeof(struct mtip_cmd_hdr) * request_idx);
+-
+- if (host_cap_64)
+- cmd->command_header->ctbau = __force_bit2int cpu_to_le32((cmd->command_dma >> 16) >> 16);
+-
+- cmd->command_header->ctba = __force_bit2int cpu_to_le32(cmd->command_dma & 0xFFFFFFFF);
+-
+ sg_init_table(cmd->sg, MTIP_MAX_SG);
+ return 0;
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Timmy Li <lixiaoping3@huawei.com>
+Date: Tue, 2 May 2017 10:46:52 +0800
+Subject: net: hns: fix ethtool_get_strings overflow in hns driver
+
+From: Timmy Li <lixiaoping3@huawei.com>
+
+
+[ Upstream commit 412b65d15a7f8a93794653968308fc100f2aa87c ]
+
+hns_get_sset_count() returns HNS_NET_STATS_CNT and the data space allocated
+is not enough for ethtool_get_strings(), which will cause random memory
+corruption.
+
+When SLAB and DEBUG_SLAB are both enabled, memory corruptions like the
+the following can be observed without this patch:
+[ 43.115200] Slab corruption (Not tainted): Acpi-ParseExt start=ffff801fb0b69030, len=80
+[ 43.115206] Redzone: 0x9f911029d006462/0x5f78745f31657070.
+[ 43.115208] Last user: [<5f7272655f746b70>](0x5f7272655f746b70)
+[ 43.115214] 010: 70 70 65 31 5f 74 78 5f 70 6b 74 00 6b 6b 6b 6b ppe1_tx_pkt.kkkk
+[ 43.115217] 030: 70 70 65 31 5f 74 78 5f 70 6b 74 5f 6f 6b 00 6b ppe1_tx_pkt_ok.k
+[ 43.115218] Next obj: start=ffff801fb0b69098, len=80
+[ 43.115220] Redzone: 0x706d655f6f666966/0x9f911029d74e35b.
+[ 43.115229] Last user: [<ffff0000084b11b0>](acpi_os_release_object+0x28/0x38)
+[ 43.115231] 000: 74 79 00 6b 6b 6b 6b 6b 70 70 65 31 5f 74 78 5f ty.kkkkkppe1_tx_
+[ 43.115232] 010: 70 6b 74 5f 65 72 72 5f 63 73 75 6d 5f 66 61 69 pkt_err_csum_fai
+
+Signed-off-by: Timmy Li <lixiaoping3@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c | 2 +-
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c | 2 +-
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c | 2 +-
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_xgmac.c | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c
+@@ -648,7 +648,7 @@ static void hns_gmac_get_strings(u32 str
+
+ static int hns_gmac_get_sset_count(int stringset)
+ {
+- if (stringset == ETH_SS_STATS)
++ if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS)
+ return ARRAY_SIZE(g_gmac_stats_string);
+
+ return 0;
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c
+@@ -384,7 +384,7 @@ void hns_ppe_update_stats(struct hns_ppe
+
+ int hns_ppe_get_sset_count(int stringset)
+ {
+- if (stringset == ETH_SS_STATS)
++ if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS)
+ return ETH_PPE_STATIC_NUM;
+ return 0;
+ }
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c
+@@ -807,7 +807,7 @@ void hns_rcb_get_stats(struct hnae_queue
+ */
+ int hns_rcb_get_ring_sset_count(int stringset)
+ {
+- if (stringset == ETH_SS_STATS)
++ if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS)
+ return HNS_RING_STATIC_REG_NUM;
+
+ return 0;
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_xgmac.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_xgmac.c
+@@ -776,7 +776,7 @@ static void hns_xgmac_get_strings(u32 st
+ */
+ static int hns_xgmac_get_sset_count(int stringset)
+ {
+- if (stringset == ETH_SS_STATS)
++ if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS)
+ return ARRAY_SIZE(g_xgmac_stats_string);
+
+ return 0;
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: David Ahern <dsa@cumulusnetworks.com>
+Date: Wed, 12 Apr 2017 11:49:04 -0700
+Subject: net: ipv6: send unsolicited NA on admin up
+
+From: David Ahern <dsa@cumulusnetworks.com>
+
+
+[ Upstream commit 4a6e3c5def13c91adf2acc613837001f09af3baa ]
+
+ndisc_notify is the ipv6 equivalent to arp_notify. When arp_notify is
+set to 1, gratuitous arp requests are sent when the device is brought up.
+The same is expected when ndisc_notify is set to 1 (per ndisc_notify in
+Documentation/networking/ip-sysctl.txt). The NA is not sent on NETDEV_UP
+event; add it.
+
+Fixes: 5cb04436eef6 ("ipv6: add knob to send unsolicited ND on link-layer address change")
+Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ndisc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1686,6 +1686,8 @@ static int ndisc_netdev_event(struct not
+ case NETDEV_CHANGEADDR:
+ neigh_changeaddr(&nd_tbl, dev);
+ fib6_run_gc(0, net, false);
++ /* fallthrough */
++ case NETDEV_UP:
+ idev = in6_dev_get(dev);
+ if (!idev)
+ break;
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Gao Feng <fgao@ikuai8.com>
+Date: Fri, 14 Apr 2017 10:00:08 +0800
+Subject: netfilter: xt_CT: fix refcnt leak on error path
+
+From: Gao Feng <fgao@ikuai8.com>
+
+
+[ Upstream commit 470acf55a021713869b9bcc967268ac90c8a0fac ]
+
+There are two cases which causes refcnt leak.
+
+1. When nf_ct_timeout_ext_add failed in xt_ct_set_timeout, it should
+free the timeout refcnt.
+Now goto the err_put_timeout error handler instead of going ahead.
+
+2. When the time policy is not found, we should call module_put.
+Otherwise, the related cthelper module cannot be removed anymore.
+It is easy to reproduce by typing the following command:
+ # iptables -t raw -A OUTPUT -p tcp -j CT --helper ftp --timeout xxx
+
+Signed-off-by: Gao Feng <fgao@ikuai8.com>
+Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/xt_CT.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/xt_CT.c
++++ b/net/netfilter/xt_CT.c
+@@ -168,8 +168,10 @@ xt_ct_set_timeout(struct nf_conn *ct, co
+ goto err_put_timeout;
+ }
+ timeout_ext = nf_ct_timeout_ext_add(ct, timeout, GFP_ATOMIC);
+- if (timeout_ext == NULL)
++ if (!timeout_ext) {
+ ret = -ENOMEM;
++ goto err_put_timeout;
++ }
+
+ rcu_read_unlock();
+ return ret;
+@@ -201,6 +203,7 @@ static int xt_ct_tg_check(const struct x
+ struct xt_ct_target_info_v1 *info)
+ {
+ struct nf_conntrack_zone zone;
++ struct nf_conn_help *help;
+ struct nf_conn *ct;
+ int ret = -EOPNOTSUPP;
+
+@@ -249,7 +252,7 @@ static int xt_ct_tg_check(const struct x
+ if (info->timeout[0]) {
+ ret = xt_ct_set_timeout(ct, par, info->timeout);
+ if (ret < 0)
+- goto err3;
++ goto err4;
+ }
+ __set_bit(IPS_CONFIRMED_BIT, &ct->status);
+ nf_conntrack_get(&ct->ct_general);
+@@ -257,6 +260,10 @@ out:
+ info->ct = ct;
+ return 0;
+
++err4:
++ help = nfct_help(ct);
++ if (help)
++ module_put(help->helper->me);
+ err3:
+ nf_ct_tmpl_free(ct);
+ err2:
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: NeilBrown <neilb@suse.com>
+Date: Wed, 15 Mar 2017 12:40:44 +1100
+Subject: NFS: don't try to cross a mountpount when there isn't one there.
+
+From: NeilBrown <neilb@suse.com>
+
+
+[ Upstream commit 99bbf6ecc694dfe0b026e15359c5aa2a60b97a93 ]
+
+consider the sequence of commands:
+ mkdir -p /import/nfs /import/bind /import/etc
+ mount --bind / /import/bind
+ mount --make-private /import/bind
+ mount --bind /import/etc /import/bind/etc
+
+ exportfs -o rw,no_root_squash,crossmnt,async,no_subtree_check localhost:/
+ mount -o vers=4 localhost:/ /import/nfs
+ ls -l /import/nfs/etc
+
+You would not expect this to report a stale file handle.
+Yet it does.
+
+The manipulations under /import/bind cause the dentry for
+/etc to get the DCACHE_MOUNTED flag set, even though nothing
+is mounted on /etc. This causes nfsd to call
+nfsd_cross_mnt() even though there is no mountpoint. So an
+upcall to mountd for "/etc" is performed.
+
+The 'crossmnt' flag on the export of / causes mountd to
+report that /etc is exported as it is a descendant of /. It
+assumes the kernel wouldn't ask about something that wasn't
+a mountpoint. The filehandle returned identifies the
+filesystem and the inode number of /etc.
+
+When this filehandle is presented to rpc.mountd, via
+"nfsd.fh", the inode cannot be found associated with any
+name in /etc/exports, or with any mountpoint listed by
+getmntent(). So rpc.mountd says the filehandle doesn't
+exist. Hence ESTALE.
+
+This is fixed by teaching nfsd not to trust DCACHE_MOUNTED
+too much. It is just a hint, not a guarantee.
+Change nfsd_mountpoint() to return '1' for a certain mountpoint,
+'2' for a possible mountpoint, and 0 otherwise.
+
+Then change nfsd_crossmnt() to check if follow_down()
+actually found a mountpount and, if not, to avoid performing
+a lookup if the location is not known to certainly require
+an export-point.
+
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/vfs.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -92,6 +92,12 @@ nfsd_cross_mnt(struct svc_rqst *rqstp, s
+ err = follow_down(&path);
+ if (err < 0)
+ goto out;
++ if (path.mnt == exp->ex_path.mnt && path.dentry == dentry &&
++ nfsd_mountpoint(dentry, exp) == 2) {
++ /* This is only a mountpoint in some other namespace */
++ path_put(&path);
++ goto out;
++ }
+
+ exp2 = rqst_exp_get_by_name(rqstp, &path);
+ if (IS_ERR(exp2)) {
+@@ -165,16 +171,26 @@ static int nfsd_lookup_parent(struct svc
+ /*
+ * For nfsd purposes, we treat V4ROOT exports as though there was an
+ * export at *every* directory.
++ * We return:
++ * '1' if this dentry *must* be an export point,
++ * '2' if it might be, if there is really a mount here, and
++ * '0' if there is no chance of an export point here.
+ */
+ int nfsd_mountpoint(struct dentry *dentry, struct svc_export *exp)
+ {
+- if (d_mountpoint(dentry))
++ if (!d_inode(dentry))
++ return 0;
++ if (exp->ex_flags & NFSEXP_V4ROOT)
+ return 1;
+ if (nfsd4_is_junction(dentry))
+ return 1;
+- if (!(exp->ex_flags & NFSEXP_V4ROOT))
+- return 0;
+- return d_inode(dentry) != NULL;
++ if (d_mountpoint(dentry))
++ /*
++ * Might only be a mountpoint in a different namespace,
++ * but we need to check.
++ */
++ return 2;
++ return 0;
+ }
+
+ __be32
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Fri, 14 Apr 2017 12:29:54 -0400
+Subject: NFS: Fix missing pg_cleanup after nfs_pageio_cond_complete()
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+
+[ Upstream commit 43b7d964ed30dbca5c83c90cb010985b429ec4f9 ]
+
+Commit a7d42ddb3099727f58366fa006f850a219cce6c8 ("nfs: add mirroring
+support to pgio layer") moved pg_cleanup out of the path when there was
+non-sequental I/O that needed to be flushed. The result is that for
+layouts that have more than one layout segment per file, the pg_lseg is not
+cleared, so we can end up hitting the WARN_ON_ONCE(req_start >= seg_end) in
+pnfs_generic_pg_test since the pg_lseg will be pointing to that
+previously-flushed layout segment.
+
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Fixes: a7d42ddb3099 ("nfs: add mirroring support to pgio layer")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/pagelist.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/pagelist.c
++++ b/fs/nfs/pagelist.c
+@@ -1273,8 +1273,10 @@ void nfs_pageio_cond_complete(struct nfs
+ mirror = &desc->pg_mirrors[midx];
+ if (!list_empty(&mirror->pg_list)) {
+ prev = nfs_list_entry(mirror->pg_list.prev);
+- if (index != prev->wb_index + 1)
+- nfs_pageio_complete_mirror(desc, midx);
++ if (index != prev->wb_index + 1) {
++ nfs_pageio_complete(desc);
++ break;
++ }
+ }
+ }
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:57:33 CET 2018
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Tue, 19 Dec 2017 09:35:25 -0500
+Subject: nfsd4: permit layoutget of executable-only files
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+
+[ Upstream commit 66282ec1cf004c09083c29cb5e49019037937bbd ]
+
+Clients must be able to read a file in order to execute it, and for pNFS
+that means the client needs to be able to perform a LAYOUTGET on the file.
+
+This behavior for executable-only files was added for OPEN in commit
+a043226bc140 "nfsd4: permit read opens of executable-only files".
+
+This fixes up xfstests generic/126 on block/scsi layouts.
+
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4proc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1245,14 +1245,14 @@ nfsd4_layoutget(struct svc_rqst *rqstp,
+ const struct nfsd4_layout_ops *ops;
+ struct nfs4_layout_stateid *ls;
+ __be32 nfserr;
+- int accmode;
++ int accmode = NFSD_MAY_READ_IF_EXEC;
+
+ switch (lgp->lg_seg.iomode) {
+ case IOMODE_READ:
+- accmode = NFSD_MAY_READ;
++ accmode |= NFSD_MAY_READ;
+ break;
+ case IOMODE_RW:
+- accmode = NFSD_MAY_READ | NFSD_MAY_WRITE;
++ accmode |= NFSD_MAY_READ | NFSD_MAY_WRITE;
+ break;
+ default:
+ dprintk("%s: invalid iomode %d\n",
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Jarno Rajahalme <jarno@ovn.org>
+Date: Fri, 14 Apr 2017 14:26:38 -0700
+Subject: openvswitch: Delete conntrack entry clashing with an expectation.
+
+From: Jarno Rajahalme <jarno@ovn.org>
+
+
+[ Upstream commit cf5d70918877c6a6655dc1e92e2ebb661ce904fd ]
+
+Conntrack helpers do not check for a potentially clashing conntrack
+entry when creating a new expectation. Also, nf_conntrack_in() will
+check expectations (via init_conntrack()) only if a conntrack entry
+can not be found. The expectation for a packet which also matches an
+existing conntrack entry will not be removed by conntrack, and is
+currently handled inconsistently by OVS, as OVS expects the
+expectation to be removed when the connection tracking entry matching
+that expectation is confirmed.
+
+It should be noted that normally an IP stack would not allow reuse of
+a 5-tuple of an old (possibly lingering) connection for a new data
+connection, so this is somewhat unlikely corner case. However, it is
+possible that a misbehaving source could cause conntrack entries be
+created that could then interfere with new related connections.
+
+Fix this in the OVS module by deleting the clashing conntrack entry
+after an expectation has been matched. This causes the following
+nf_conntrack_in() call also find the expectation and remove it when
+creating the new conntrack entry, as well as the forthcoming reply
+direction packets to match the new related connection instead of the
+old clashing conntrack entry.
+
+Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action")
+Reported-by: Yang Song <yangsong@vmware.com>
+Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
+Acked-by: Joe Stringer <joe@ovn.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/conntrack.c | 30 +++++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
+
+--- a/net/openvswitch/conntrack.c
++++ b/net/openvswitch/conntrack.c
+@@ -361,10 +361,38 @@ ovs_ct_expect_find(struct net *net, cons
+ u16 proto, const struct sk_buff *skb)
+ {
+ struct nf_conntrack_tuple tuple;
++ struct nf_conntrack_expect *exp;
+
+ if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), proto, net, &tuple))
+ return NULL;
+- return __nf_ct_expect_find(net, zone, &tuple);
++
++ exp = __nf_ct_expect_find(net, zone, &tuple);
++ if (exp) {
++ struct nf_conntrack_tuple_hash *h;
++
++ /* Delete existing conntrack entry, if it clashes with the
++ * expectation. This can happen since conntrack ALGs do not
++ * check for clashes between (new) expectations and existing
++ * conntrack entries. nf_conntrack_in() will check the
++ * expectations only if a conntrack entry can not be found,
++ * which can lead to OVS finding the expectation (here) in the
++ * init direction, but which will not be removed by the
++ * nf_conntrack_in() call, if a matching conntrack entry is
++ * found instead. In this case all init direction packets
++ * would be reported as new related packets, while reply
++ * direction packets would be reported as un-related
++ * established packets.
++ */
++ h = nf_conntrack_find_get(net, zone, &tuple);
++ if (h) {
++ struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
++
++ nf_ct_delete(ct, 0, 0);
++ nf_conntrack_put(&ct->ct_general);
++ }
++ }
++
++ return exp;
+ }
+
+ /* Determine whether skb->nfct is equal to the result of conntrack lookup. */
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Kim Phillips <kim.phillips@arm.com>
+Date: Wed, 3 May 2017 13:14:02 +0100
+Subject: perf tests kmod-path: Don't fail if compressed modules aren't supported
+
+From: Kim Phillips <kim.phillips@arm.com>
+
+
+[ Upstream commit 805b151a1afd24414706a7f6ae275fbb9649be74 ]
+
+__kmod_path__parse() uses is_supported_compression() to determine and
+parse out compressed module file extensions. On systems without zlib,
+this test fails and __kmod_path__parse() continues to strcmp "ko" with
+"gz". Don't do this on those systems.
+
+Signed-off-by: Kim Phillips <kim.phillips@arm.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Fixes: 3c8a67f50a1e ("perf tools: Add kmod_path__parse function")
+Link: http://lkml.kernel.org/r/20170503131402.c66e314460026c80cd787b34@arm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/tests/kmod-path.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/tools/perf/tests/kmod-path.c
++++ b/tools/perf/tests/kmod-path.c
+@@ -60,6 +60,7 @@ int test__kmod_path__parse(void)
+ M("/xxxx/xxxx/x-x.ko", PERF_RECORD_MISC_KERNEL, true);
+ M("/xxxx/xxxx/x-x.ko", PERF_RECORD_MISC_USER, false);
+
++#ifdef HAVE_ZLIB_SUPPORT
+ /* path alloc_name alloc_ext kmod comp name ext */
+ T("/xxxx/xxxx/x.ko.gz", true , true , true, true, "[x]", "gz");
+ T("/xxxx/xxxx/x.ko.gz", false , true , true, true, NULL , "gz");
+@@ -95,6 +96,7 @@ int test__kmod_path__parse(void)
+ M("x.ko.gz", PERF_RECORD_MISC_CPUMODE_UNKNOWN, true);
+ M("x.ko.gz", PERF_RECORD_MISC_KERNEL, true);
+ M("x.ko.gz", PERF_RECORD_MISC_USER, false);
++#endif
+
+ /* path alloc_name alloc_ext kmod comp name ext */
+ T("[test_module]", true , true , true, false, "[test_module]", NULL);
--- /dev/null
+From foo@baz Thu Mar 22 14:57:33 CET 2018
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Wed, 1 Mar 2017 10:32:57 -0800
+Subject: pinctrl: Really force states during suspend/resume
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+
+[ Upstream commit 981ed1bfbc6c4660b2ddaa8392893e20a6255048 ]
+
+In case a platform only defaults a "default" set of pins, but not a
+"sleep" set of pins, and this particular platform suspends and resumes
+in a way that the pin states are not preserved by the hardware, when we
+resume, we would call pinctrl_single_resume() -> pinctrl_force_default()
+-> pinctrl_select_state() and the first thing we do is check that the
+pins state is the same as before, and do nothing.
+
+In order to fix this, decouple the actual state change from
+pinctrl_select_state() and move it pinctrl_commit_state(), while keeping
+the p->state == state check in pinctrl_select_state() not to change the
+caller assumptions. pinctrl_force_sleep() and pinctrl_force_default()
+are updated to bypass the state check by calling pinctrl_commit_state().
+
+[Linus Walleij]
+The forced pin control states are currently only used in some pin
+controller drivers that grab their own reference to their own pins.
+This is equal to the pin control hogs: pins taken by pin control
+devices since there are no corresponding device in the Linux device
+hierarchy, such as memory controller lines or unused GPIO lines,
+or GPIO lines that are used orthogonally from the GPIO subsystem
+but pincontrol-wise managed as hogs (non-strict mode, allowing
+simultaneous use by GPIO and pin control). For this case forcing
+the state from the drivers' suspend()/resume() callbacks makes
+sense and should semantically match the name of the function.
+
+Fixes: 6e5e959dde0d ("pinctrl: API changes to support multiple states per device")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/core.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+--- a/drivers/pinctrl/core.c
++++ b/drivers/pinctrl/core.c
+@@ -979,19 +979,16 @@ struct pinctrl_state *pinctrl_lookup_sta
+ EXPORT_SYMBOL_GPL(pinctrl_lookup_state);
+
+ /**
+- * pinctrl_select_state() - select/activate/program a pinctrl state to HW
++ * pinctrl_commit_state() - select/activate/program a pinctrl state to HW
+ * @p: the pinctrl handle for the device that requests configuration
+ * @state: the state handle to select/activate/program
+ */
+-int pinctrl_select_state(struct pinctrl *p, struct pinctrl_state *state)
++static int pinctrl_commit_state(struct pinctrl *p, struct pinctrl_state *state)
+ {
+ struct pinctrl_setting *setting, *setting2;
+ struct pinctrl_state *old_state = p->state;
+ int ret;
+
+- if (p->state == state)
+- return 0;
+-
+ if (p->state) {
+ /*
+ * For each pinmux setting in the old state, forget SW's record
+@@ -1055,6 +1052,19 @@ unapply_new_state:
+
+ return ret;
+ }
++
++/**
++ * pinctrl_select_state() - select/activate/program a pinctrl state to HW
++ * @p: the pinctrl handle for the device that requests configuration
++ * @state: the state handle to select/activate/program
++ */
++int pinctrl_select_state(struct pinctrl *p, struct pinctrl_state *state)
++{
++ if (p->state == state)
++ return 0;
++
++ return pinctrl_commit_state(p, state);
++}
+ EXPORT_SYMBOL_GPL(pinctrl_select_state);
+
+ static void devm_pinctrl_release(struct device *dev, void *res)
+@@ -1223,7 +1233,7 @@ void pinctrl_unregister_map(struct pinct
+ int pinctrl_force_sleep(struct pinctrl_dev *pctldev)
+ {
+ if (!IS_ERR(pctldev->p) && !IS_ERR(pctldev->hog_sleep))
+- return pinctrl_select_state(pctldev->p, pctldev->hog_sleep);
++ return pinctrl_commit_state(pctldev->p, pctldev->hog_sleep);
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(pinctrl_force_sleep);
+@@ -1235,7 +1245,7 @@ EXPORT_SYMBOL_GPL(pinctrl_force_sleep);
+ int pinctrl_force_default(struct pinctrl_dev *pctldev)
+ {
+ if (!IS_ERR(pctldev->p) && !IS_ERR(pctldev->hog_default))
+- return pinctrl_select_state(pctldev->p, pctldev->hog_default);
++ return pinctrl_commit_state(pctldev->p, pctldev->hog_default);
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(pinctrl_force_default);
--- /dev/null
+From foo@baz Thu Mar 22 14:57:33 CET 2018
+From: Shawn Nematbakhsh <shawnn@chromium.org>
+Date: Fri, 8 Sep 2017 13:50:11 -0700
+Subject: platform/chrome: Use proper protocol transfer function
+
+From: Shawn Nematbakhsh <shawnn@chromium.org>
+
+
+[ Upstream commit d48b8c58c57f6edbe2965f0a5f62c5cf9593ca96 ]
+
+pkt_xfer should be used for protocol v3, and cmd_xfer otherwise. We had
+one instance of these functions correct, but not the second, fall-back
+case. We use the fall-back only when the first command returns an
+IN_PROGRESS status, which is only used on some EC firmwares where we
+don't want to constantly poll the bus, but instead back off and
+sleep/retry for a little while.
+
+Fixes: 2c7589af3c4d ("mfd: cros_ec: add proto v3 skeleton")
+Signed-off-by: Shawn Nematbakhsh <shawnn@chromium.org>
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Javier Martinez Canillas <javier@osg.samsung.com>
+Signed-off-by: Benson Leung <bleung@chromium.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/chrome/cros_ec_proto.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/platform/chrome/cros_ec_proto.c
++++ b/drivers/platform/chrome/cros_ec_proto.c
+@@ -59,12 +59,14 @@ static int send_command(struct cros_ec_d
+ struct cros_ec_command *msg)
+ {
+ int ret;
++ int (*xfer_fxn)(struct cros_ec_device *ec, struct cros_ec_command *msg);
+
+ if (ec_dev->proto_version > 2)
+- ret = ec_dev->pkt_xfer(ec_dev, msg);
++ xfer_fxn = ec_dev->pkt_xfer;
+ else
+- ret = ec_dev->cmd_xfer(ec_dev, msg);
++ xfer_fxn = ec_dev->cmd_xfer;
+
++ ret = (*xfer_fxn)(ec_dev, msg);
+ if (msg->result == EC_RES_IN_PROGRESS) {
+ int i;
+ struct cros_ec_command *status_msg;
+@@ -87,7 +89,7 @@ static int send_command(struct cros_ec_d
+ for (i = 0; i < EC_COMMAND_RETRIES; i++) {
+ usleep_range(10000, 11000);
+
+- ret = ec_dev->cmd_xfer(ec_dev, status_msg);
++ ret = (*xfer_fxn)(ec_dev, status_msg);
+ if (ret < 0)
+ break;
+
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Santeri Toivonen <santeri.toivonen@vatsul.com>
+Date: Tue, 4 Apr 2017 21:09:00 +0300
+Subject: platform/x86: asus-nb-wmi: Add wapf4 quirk for the X302UA
+
+From: Santeri Toivonen <santeri.toivonen@vatsul.com>
+
+
+[ Upstream commit f35823619db8bbaa2afea8705f239c3cecb9d22f ]
+
+Asus laptop X302UA starts up with Wi-Fi disabled,
+without a way to enable it. Set wapf=4 to fix the problem.
+
+Signed-off-by: Santeri Toivonen <santeri.toivonen@vatsul.com>
+Signed-off-by: Darren Hart (VMware) <dvhart@infradead.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/asus-nb-wmi.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/platform/x86/asus-nb-wmi.c
++++ b/drivers/platform/x86/asus-nb-wmi.c
+@@ -101,6 +101,15 @@ static const struct dmi_system_id asus_q
+ },
+ {
+ .callback = dmi_matched,
++ .ident = "ASUSTeK COMPUTER INC. X302UA",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "X302UA"),
++ },
++ .driver_data = &quirk_asus_wapf4,
++ },
++ {
++ .callback = dmi_matched,
+ .ident = "ASUSTeK COMPUTER INC. X401U",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Michael Trimarchi <michael@amarulasolutions.com>
+Date: Tue, 25 Apr 2017 15:18:05 +0200
+Subject: power: supply: pda_power: move from timer to delayed_work
+
+From: Michael Trimarchi <michael@amarulasolutions.com>
+
+
+[ Upstream commit 633e8799ddc09431be2744c4a1efdbda13af2b0b ]
+
+This changed is needed to avoid locking problem during
+boot as shown:
+
+<5>[ 8.824096] Registering SWP/SWPB emulation handler
+<6>[ 8.977294] clock: disabling unused clocks to save power
+<3>[ 9.108154] BUG: sleeping function called from invalid context at kernel_albert/kernel/mutex.c:269
+<3>[ 9.122894] in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: swapper/0
+<4>[ 9.130249] 3 locks held by swapper/0/1:
+<4>[ 9.134613] #0: (&__lockdep_no_validate__){......}, at: [<c0342430>] __driver_attach+0x58/0xa8
+<4>[ 9.144500] #1: (&__lockdep_no_validate__){......}, at: [<c0342440>] __driver_attach+0x68/0xa8
+<4>[ 9.154357] #2: (&polling_timer){......}, at: [<c0053770>] run_timer_softirq+0x108/0x3ec
+<4>[ 9.163726] Backtrace:
+<4>[ 9.166473] [<c001269c>] (dump_backtrace+0x0/0x114) from [<c067e5f0>] (dump_stack+0x20/0x24)
+<4>[ 9.175811] r6:00203230 r5:0000010d r4:d782e000 r3:60000113
+<4>[ 9.182250] [<c067e5d0>] (dump_stack+0x0/0x24) from [<c007441c>] (__might_sleep+0x10c/0x128)
+<4>[ 9.191650] [<c0074310>] (__might_sleep+0x0/0x128) from [<c0688f60>] (mutex_lock_nested+0x34/0x36c)
+<4>[ 9.201660] r5:c02d5350 r4:d79a0c64
+<4>[ 9.205688] [<c0688f2c>] (mutex_lock_nested+0x0/0x36c) from [<c02d5350>] (regulator_set_current_limit+0x30/0x118)
+<4>[ 9.217071] [<c02d5320>] (regulator_set_current_limit+0x0/0x118) from [<c0435ce0>] (update_charger+0x84/0xc4)
+<4>[ 9.228027] r7:d782fb20 r6:00000101 r5:c1767e94 r4:00000000
+<4>[ 9.234436] [<c0435c5c>] (update_charger+0x0/0xc4) from [<c0435d40>] (psy_changed+0x20/0x48)
+<4>[ 9.243804] r5:d782e000 r4:c1767e94
+<4>[ 9.247802] [<c0435d20>] (psy_changed+0x0/0x48) from [<c0435dec>] (polling_timer_func+0x84/0xb8)
+<4>[ 9.257537] r4:c1767e94 r3:00000002
+<4>[ 9.261566] [<c0435d68>] (polling_timer_func+0x0/0xb8) from [<c00537e4>] (run_timer_softirq+0x17c/0x3ec)
+<4>[ 9.272033] r4:c1767eb0 r3:00000000
+<4>[ 9.276062] [<c0053668>] (run_timer_softirq+0x0/0x3ec) from [<c004b000>] (__do_softirq+0xf0/0x298)
+<4>[ 9.286010] [<c004af10>] (__do_softirq+0x0/0x298) from [<c004b650>] (irq_exit+0x98/0xa0)
+<4>[ 9.295013] [<c004b5b8>] (irq_exit+0x0/0xa0) from [<c000edbc>] (handle_IRQ+0x60/0xc0)
+<4>[ 9.303680] r4:c1194e98 r3:c00bc778
+<4>[ 9.307708] [<c000ed5c>] (handle_IRQ+0x0/0xc0) from [<c0008504>] (gic_handle_irq+0x34/0x68)
+<4>[ 9.316955] r8:000ac383 r7:d782fc3c r6:d782fc08 r5:c11936c4 r4:e0802100
+<4>[ 9.324310] r3:c026ba48
+<4>[ 9.327301] [<c00084d0>] (gic_handle_irq+0x0/0x68) from [<c068c2c0>] (__irq_svc+0x40/0x74)
+<4>[ 9.336456] Exception stack(0xd782fc08 to 0xd782fc50)
+<4>[ 9.342041] fc00: d6e30e6c ac383627 00000000 ac383417 ea19c000 ea200000
+<4>[ 9.351104] fc20: beffffff 00000667 000ac383 d6e30670 d6e3066c d782fc94 d782fbe8 d782fc50
+<4>[ 9.360168] fc40: c026ba48 c001d1f0 00000113 ffffffff
+
+Fixes: b2998049cfae ("[BATTERY] pda_power platform driver")
+Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com>
+Signed-off-by: Anthony Brandon <anthony@amarulasolutions.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/pda_power.c | 49 +++++++++++++++++++++++++---------------------
+ 1 file changed, 27 insertions(+), 22 deletions(-)
+
+--- a/drivers/power/pda_power.c
++++ b/drivers/power/pda_power.c
+@@ -30,9 +30,9 @@ static inline unsigned int get_irq_flags
+ static struct device *dev;
+ static struct pda_power_pdata *pdata;
+ static struct resource *ac_irq, *usb_irq;
+-static struct timer_list charger_timer;
+-static struct timer_list supply_timer;
+-static struct timer_list polling_timer;
++static struct delayed_work charger_work;
++static struct delayed_work polling_work;
++static struct delayed_work supply_work;
+ static int polling;
+ static struct power_supply *pda_psy_ac, *pda_psy_usb;
+
+@@ -140,7 +140,7 @@ static void update_charger(void)
+ }
+ }
+
+-static void supply_timer_func(unsigned long unused)
++static void supply_work_func(struct work_struct *work)
+ {
+ if (ac_status == PDA_PSY_TO_CHANGE) {
+ ac_status = new_ac_status;
+@@ -161,11 +161,12 @@ static void psy_changed(void)
+ * Okay, charger set. Now wait a bit before notifying supplicants,
+ * charge power should stabilize.
+ */
+- mod_timer(&supply_timer,
+- jiffies + msecs_to_jiffies(pdata->wait_for_charger));
++ cancel_delayed_work(&supply_work);
++ schedule_delayed_work(&supply_work,
++ msecs_to_jiffies(pdata->wait_for_charger));
+ }
+
+-static void charger_timer_func(unsigned long unused)
++static void charger_work_func(struct work_struct *work)
+ {
+ update_status();
+ psy_changed();
+@@ -184,13 +185,14 @@ static irqreturn_t power_changed_isr(int
+ * Wait a bit before reading ac/usb line status and setting charger,
+ * because ac/usb status readings may lag from irq.
+ */
+- mod_timer(&charger_timer,
+- jiffies + msecs_to_jiffies(pdata->wait_for_status));
++ cancel_delayed_work(&charger_work);
++ schedule_delayed_work(&charger_work,
++ msecs_to_jiffies(pdata->wait_for_status));
+
+ return IRQ_HANDLED;
+ }
+
+-static void polling_timer_func(unsigned long unused)
++static void polling_work_func(struct work_struct *work)
+ {
+ int changed = 0;
+
+@@ -211,8 +213,9 @@ static void polling_timer_func(unsigned
+ if (changed)
+ psy_changed();
+
+- mod_timer(&polling_timer,
+- jiffies + msecs_to_jiffies(pdata->polling_interval));
++ cancel_delayed_work(&polling_work);
++ schedule_delayed_work(&polling_work,
++ msecs_to_jiffies(pdata->polling_interval));
+ }
+
+ #if IS_ENABLED(CONFIG_USB_PHY)
+@@ -250,8 +253,9 @@ static int otg_handle_notification(struc
+ * Wait a bit before reading ac/usb line status and setting charger,
+ * because ac/usb status readings may lag from irq.
+ */
+- mod_timer(&charger_timer,
+- jiffies + msecs_to_jiffies(pdata->wait_for_status));
++ cancel_delayed_work(&charger_work);
++ schedule_delayed_work(&charger_work,
++ msecs_to_jiffies(pdata->wait_for_status));
+
+ return NOTIFY_OK;
+ }
+@@ -300,8 +304,8 @@ static int pda_power_probe(struct platfo
+ if (!pdata->ac_max_uA)
+ pdata->ac_max_uA = 500000;
+
+- setup_timer(&charger_timer, charger_timer_func, 0);
+- setup_timer(&supply_timer, supply_timer_func, 0);
++ INIT_DELAYED_WORK(&charger_work, charger_work_func);
++ INIT_DELAYED_WORK(&supply_work, supply_work_func);
+
+ ac_irq = platform_get_resource_byname(pdev, IORESOURCE_IRQ, "ac");
+ usb_irq = platform_get_resource_byname(pdev, IORESOURCE_IRQ, "usb");
+@@ -385,9 +389,10 @@ static int pda_power_probe(struct platfo
+
+ if (polling) {
+ dev_dbg(dev, "will poll for status\n");
+- setup_timer(&polling_timer, polling_timer_func, 0);
+- mod_timer(&polling_timer,
+- jiffies + msecs_to_jiffies(pdata->polling_interval));
++ INIT_DELAYED_WORK(&polling_work, polling_work_func);
++ cancel_delayed_work(&polling_work);
++ schedule_delayed_work(&polling_work,
++ msecs_to_jiffies(pdata->polling_interval));
+ }
+
+ if (ac_irq || usb_irq)
+@@ -433,9 +438,9 @@ static int pda_power_remove(struct platf
+ free_irq(ac_irq->start, pda_psy_ac);
+
+ if (polling)
+- del_timer_sync(&polling_timer);
+- del_timer_sync(&charger_timer);
+- del_timer_sync(&supply_timer);
++ cancel_delayed_work_sync(&polling_work);
++ cancel_delayed_work_sync(&charger_work);
++ cancel_delayed_work_sync(&supply_work);
+
+ if (pdata->is_usb_online)
+ power_supply_unregister(pda_psy_usb);
--- /dev/null
+From foo@baz Thu Mar 22 14:57:33 CET 2018
+From: Sahara <keun-o.park@darkmatter.ae>
+Date: Wed, 13 Dec 2017 09:10:48 +0400
+Subject: pty: cancel pty slave port buf's work in tty_release
+
+From: Sahara <keun-o.park@darkmatter.ae>
+
+
+[ Upstream commit 2b022ab7542df60021ab57854b3faaaf42552eaf ]
+
+In case that CONFIG_SLUB_DEBUG is on and pty is used, races between
+release_one_tty and flush_to_ldisc work threads may happen and lead
+to use-after-free condition on tty->link->port. Because SLUB_DEBUG
+is turned on, freed tty->link->port is filled with POISON_FREE value.
+So far without SLUB_DEBUG, port was filled with zero and flush_to_ldisc
+could return without a problem by checking if tty is NULL.
+
+CPU 0 CPU 1
+----- -----
+release_tty pty_write
+ cancel_work_sync(tty) to = tty->link
+ tty_kref_put(tty->link) tty_schedule_flip(to->port)
+ << workqueue >> ...
+ release_one_tty ...
+ pty_cleanup ...
+ kfree(tty->link->port) << workqueue >>
+ flush_to_ldisc
+ tty = READ_ONCE(port->itty)
+ tty is 0x6b6b6b6b6b6b6b6b
+ !!PANIC!! access tty->ldisc
+
+ Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b93
+ pgd = ffffffc0eb1c3000
+ [6b6b6b6b6b6b6b93] *pgd=0000000000000000, *pud=0000000000000000
+ ------------[ cut here ]------------
+ Kernel BUG at ffffff800851154c [verbose debug info unavailable]
+ Internal error: Oops - BUG: 96000004 [#1] PREEMPT SMP
+ CPU: 3 PID: 265 Comm: kworker/u8:9 Tainted: G W 3.18.31-g0a58eeb #1
+ Hardware name: Qualcomm Technologies, Inc. MSM 8996pro v1.1 + PMI8996 Carbide (DT)
+ Workqueue: events_unbound flush_to_ldisc
+ task: ffffffc0ed610ec0 ti: ffffffc0ed624000 task.ti: ffffffc0ed624000
+ PC is at ldsem_down_read_trylock+0x0/0x4c
+ LR is at tty_ldisc_ref+0x24/0x4c
+ pc : [<ffffff800851154c>] lr : [<ffffff800850f6c0>] pstate: 80400145
+ sp : ffffffc0ed627cd0
+ x29: ffffffc0ed627cd0 x28: 0000000000000000
+ x27: ffffff8009e05000 x26: ffffffc0d382cfa0
+ x25: 0000000000000000 x24: ffffff800a012f08
+ x23: 0000000000000000 x22: ffffffc0703fbc88
+ x21: 6b6b6b6b6b6b6b6b x20: 6b6b6b6b6b6b6b93
+ x19: 0000000000000000 x18: 0000000000000001
+ x17: 00e80000f80d6f53 x16: 0000000000000001
+ x15: 0000007f7d826fff x14: 00000000000000a0
+ x13: 0000000000000000 x12: 0000000000000109
+ x11: 0000000000000000 x10: 0000000000000000
+ x9 : ffffffc0ed624000 x8 : ffffffc0ed611580
+ x7 : 0000000000000000 x6 : ffffff800a42e000
+ x5 : 00000000000003fc x4 : 0000000003bd1201
+ x3 : 0000000000000001 x2 : 0000000000000001
+ x1 : ffffff800851004c x0 : 6b6b6b6b6b6b6b93
+
+Signed-off-by: Sahara <keun-o.park@darkmatter.ae>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/tty_io.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -1694,6 +1694,8 @@ static void release_tty(struct tty_struc
+ if (tty->link)
+ tty->link->port->itty = NULL;
+ tty_buffer_cancel_work(tty->port);
++ if (tty->link)
++ tty_buffer_cancel_work(tty->link->port);
+
+ tty_kref_put(tty->link);
+ tty_kref_put(tty);
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Pan Bian <bianpan2016@163.com>
+Date: Sun, 23 Apr 2017 20:04:04 +0800
+Subject: qlcnic: fix unchecked return value
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit 91ec701a553cb3de470fd471c6fefe3ad1125455 ]
+
+Function pci_find_ext_capability() may return 0, which is an invalid
+address. In function qlcnic_sriov_virtid_fn(), its return value is used
+without validation. This may result in invalid memory access bugs. This
+patch fixes the bug.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
+@@ -127,6 +127,8 @@ static int qlcnic_sriov_virtid_fn(struct
+ return 0;
+
+ pos = pci_find_ext_capability(dev, PCI_EXT_CAP_ID_SRIOV);
++ if (!pos)
++ return 0;
+ pci_read_config_word(dev, pos + PCI_SRIOV_VF_OFFSET, &offset);
+ pci_read_config_word(dev, pos + PCI_SRIOV_VF_STRIDE, &stride);
+
--- /dev/null
+From foo@baz Thu Mar 22 14:57:33 CET 2018
+From: Parav Pandit <parav@mellanox.com>
+Date: Tue, 14 Nov 2017 14:51:55 +0200
+Subject: RDMA/cma: Use correct size when writing netlink stats
+
+From: Parav Pandit <parav@mellanox.com>
+
+
+[ Upstream commit 7baaa49af3716fb31877c61f59b74d029ce15b75 ]
+
+The code was using the src size when formatting the dst. They are almost
+certainly the same value but it reads wrong.
+
+Fixes: ce117ffac2e9 ("RDMA/cma: Export AF_IB statistics")
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/cma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -4007,7 +4007,7 @@ static int cma_get_id_stats(struct sk_bu
+ RDMA_NL_RDMA_CM_ATTR_SRC_ADDR))
+ goto out;
+ if (ibnl_put_attr(skb, nlh,
+- rdma_addr_size(cma_src_addr(id_priv)),
++ rdma_addr_size(cma_dst_addr(id_priv)),
+ cma_dst_addr(id_priv),
+ RDMA_NL_RDMA_CM_ATTR_DST_ADDR))
+ goto out;
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Wed, 29 Nov 2017 09:47:33 +0100
+Subject: RDMA/iwpm: Fix uninitialized error code in iwpm_send_mapinfo()
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+
+[ Upstream commit 302d6424e4a293a5761997e6c9fc3dfb1e4c355f ]
+
+With gcc-4.1.2:
+
+ drivers/infiniband/core/iwpm_util.c: In function ‘iwpm_send_mapinfo’:
+ drivers/infiniband/core/iwpm_util.c:647: warning: ‘ret’ may be used uninitialized in this function
+
+Indeed, if nl_client is not found in any of the scanned has buckets, ret
+will be used uninitialized.
+
+Preinitialize ret to -EINVAL to fix this.
+
+Fixes: 30dc5e63d6a5ad24 ("RDMA/core: Add support for iWARP Port Mapper user space service")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Reviewed-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/iwpm_util.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/core/iwpm_util.c
++++ b/drivers/infiniband/core/iwpm_util.c
+@@ -663,6 +663,7 @@ int iwpm_send_mapinfo(u8 nl_client, int
+ }
+ skb_num++;
+ spin_lock_irqsave(&iwpm_mapinfo_lock, flags);
++ ret = -EINVAL;
+ for (i = 0; i < IWPM_MAPINFO_HASH_SIZE; i++) {
+ hlist_for_each_entry(map_info, &iwpm_hash_bucket[i],
+ hlist_node) {
--- /dev/null
+From foo@baz Thu Mar 22 14:57:33 CET 2018
+From: Anton Vasilyev <vasilyev@ispras.ru>
+Date: Tue, 8 Aug 2017 18:56:37 +0300
+Subject: RDMA/ocrdma: Fix permissions for OCRDMA_RESET_STATS
+
+From: Anton Vasilyev <vasilyev@ispras.ru>
+
+
+[ Upstream commit 744820869166c8c78be891240cf5f66e8a333694 ]
+
+Debugfs file reset_stats is created with S_IRUSR permissions,
+but ocrdma_dbgfs_ops_read() doesn't support OCRDMA_RESET_STATS,
+whereas ocrdma_dbgfs_ops_write() supports only OCRDMA_RESET_STATS.
+
+The patch fixes misstype with permissions.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
+Acked-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/ocrdma/ocrdma_stats.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/ocrdma/ocrdma_stats.c
++++ b/drivers/infiniband/hw/ocrdma/ocrdma_stats.c
+@@ -834,7 +834,7 @@ void ocrdma_add_port_stats(struct ocrdma
+
+ dev->reset_stats.type = OCRDMA_RESET_STATS;
+ dev->reset_stats.dev = dev;
+- if (!debugfs_create_file("reset_stats", S_IRUSR, dev->dir,
++ if (!debugfs_create_file("reset_stats", 0200, dev->dir,
+ &dev->reset_stats, &ocrdma_dbg_ops))
+ goto err;
+
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Dong Aisheng <aisheng.dong@nxp.com>
+Date: Wed, 12 Apr 2017 09:58:47 +0800
+Subject: regulator: anatop: set default voltage selector for pcie
+
+From: Dong Aisheng <aisheng.dong@nxp.com>
+
+
+[ Upstream commit 9bf944548169f6153c3d3778cf983cb5db251a0e ]
+
+Set the initial voltage selector for vddpcie in case it's disabled
+by default.
+
+This fixes the below warning:
+20c8000.anatop:regulator-vddpcie: Failed to read a valid default voltage selector.
+anatop_regulator: probe of 20c8000.anatop:regulator-vddpcie failed with error -22
+
+Cc: Liam Girdwood <lgirdwood@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Shawn Guo <shawnguo@kernel.org>
+Cc: Sascha Hauer <kernel@pengutronix.de>
+Cc: Robin Gong <yibin.gong@nxp.com>
+Cc: Richard Zhu <hongxing.zhu@nxp.com>
+Signed-off-by: Richard Zhu <hongxing.zhu@nxp.com>
+Signed-off-by: Dong Aisheng <aisheng.dong@nxp.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/regulator/anatop-regulator.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/regulator/anatop-regulator.c
++++ b/drivers/regulator/anatop-regulator.c
+@@ -296,6 +296,11 @@ static int anatop_regulator_probe(struct
+ if (!sreg->sel && !strcmp(sreg->name, "vddpu"))
+ sreg->sel = 22;
+
++ /* set the default voltage of the pcie phy to be 1.100v */
++ if (!sreg->sel && rdesc->name &&
++ !strcmp(rdesc->name, "vddpcie"))
++ sreg->sel = 0x10;
++
+ if (!sreg->bypass && !sreg->sel) {
+ dev_err(&pdev->dev, "Failed to read a valid default voltage selector.\n");
+ return -EINVAL;
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Pan Bian <bianpan2016@163.com>
+Date: Mon, 24 Apr 2017 08:40:28 +0800
+Subject: rndis_wlan: add return value validation
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit 9dc7efd3978aa67ae598129d2a3f240b390ce508 ]
+
+Function create_singlethread_workqueue() will return a NULL pointer if
+there is no enough memory, and its return value should be validated
+before using. However, in function rndis_wlan_bind(), its return value
+is not checked. This may cause NULL dereference bugs. This patch fixes
+it.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/rndis_wlan.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/rndis_wlan.c
++++ b/drivers/net/wireless/rndis_wlan.c
+@@ -3425,6 +3425,10 @@ static int rndis_wlan_bind(struct usbnet
+
+ /* because rndis_command() sleeps we need to use workqueue */
+ priv->workqueue = create_singlethread_workqueue("rndis_wlan");
++ if (!priv->workqueue) {
++ wiphy_free(wiphy);
++ return -ENOMEM;
++ }
+ INIT_WORK(&priv->work, rndis_wlan_worker);
+ INIT_DELAYED_WORK(&priv->dev_poller_work, rndis_device_poller);
+ INIT_DELAYED_WORK(&priv->scan_work, rndis_get_scan_results);
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 18 Mar 2017 14:45:49 +0100
+Subject: rtc: cmos: Do not assume irq 8 for rtc when there are no legacy irqs
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+
+[ Upstream commit a1e23a42f1bdc00e32fc4869caef12e4e6272f26 ]
+
+On some systems (e.g. Intel Bay Trail systems) the legacy PIC is not
+used, in this case virq 8 will be a random irq, rather then hw_irq 8
+from the PIC.
+
+Requesting virq 8 in this case will not help us to get alarm irqs and
+may cause problems for other drivers which actually do need virq 8,
+for example on an Asus Transformer T100TA this leads to:
+
+[ 28.745155] genirq: Flags mismatch irq 8. 00000088 (mmc0) vs. 00000080 (rtc0)
+<snip oops>
+[ 28.753700] mmc0: Failed to request IRQ 8: -16
+[ 28.975934] sdhci-acpi: probe of 80860F14:01 failed with error -16
+
+This commit fixes this by making the rtc-cmos driver continue
+without using an irq rather then claiming irq 8 when no irq is
+specified in the pnp-info and there are no legacy-irqs.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-cmos.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+--- a/drivers/rtc/rtc-cmos.c
++++ b/drivers/rtc/rtc-cmos.c
+@@ -41,6 +41,9 @@
+ #include <linux/pm.h>
+ #include <linux/of.h>
+ #include <linux/of_platform.h>
++#ifdef CONFIG_X86
++#include <asm/i8259.h>
++#endif
+
+ /* this is for "generic access to PC-style RTC" using CMOS_READ/CMOS_WRITE */
+ #include <asm-generic/rtc.h>
+@@ -1058,17 +1061,23 @@ static int cmos_pnp_probe(struct pnp_dev
+ {
+ cmos_wake_setup(&pnp->dev);
+
+- if (pnp_port_start(pnp, 0) == 0x70 && !pnp_irq_valid(pnp, 0))
++ if (pnp_port_start(pnp, 0) == 0x70 && !pnp_irq_valid(pnp, 0)) {
++ unsigned int irq = 0;
++#ifdef CONFIG_X86
+ /* Some machines contain a PNP entry for the RTC, but
+ * don't define the IRQ. It should always be safe to
+- * hardcode it in these cases
++ * hardcode it on systems with a legacy PIC.
+ */
++ if (nr_legacy_irqs())
++ irq = 8;
++#endif
+ return cmos_do_probe(&pnp->dev,
+- pnp_get_resource(pnp, IORESOURCE_IO, 0), 8);
+- else
++ pnp_get_resource(pnp, IORESOURCE_IO, 0), irq);
++ } else {
+ return cmos_do_probe(&pnp->dev,
+ pnp_get_resource(pnp, IORESOURCE_IO, 0),
+ pnp_irq(pnp, 0));
++ }
+ }
+
+ static void __exit cmos_pnp_remove(struct pnp_dev *pnp)
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Moritz Fischer <mdf@kernel.org>
+Date: Mon, 24 Apr 2017 15:05:11 -0700
+Subject: rtc: ds1374: wdt: Fix issue with timeout scaling from secs to wdt ticks
+
+From: Moritz Fischer <mdf@kernel.org>
+
+
+[ Upstream commit 453d0744f6c6ca3f9749b8c57c2e85b5b9f52514 ]
+
+The issue is that the internal counter that triggers the watchdog reset
+is actually running at 4096 Hz instead of 1Hz, therefore the value
+given by userland (in sec) needs to be multiplied by 4096 to get the
+correct behavior.
+
+Fixes: 920f91e50c5b ("drivers/rtc/rtc-ds1374.c: add watchdog support")
+Signed-off-by: Moritz Fischer <mdf@kernel.org>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-ds1374.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/rtc/rtc-ds1374.c
++++ b/drivers/rtc/rtc-ds1374.c
+@@ -527,6 +527,10 @@ static long ds1374_wdt_ioctl(struct file
+ if (get_user(new_margin, (int __user *)arg))
+ return -EFAULT;
+
++ /* the hardware's tick rate is 4096 Hz, so
++ * the counter value needs to be scaled accordingly
++ */
++ new_margin <<= 12;
+ if (new_margin < 1 || new_margin > 16777216)
+ return -EINVAL;
+
+@@ -535,7 +539,8 @@ static long ds1374_wdt_ioctl(struct file
+ ds1374_wdt_ping();
+ /* fallthrough */
+ case WDIOC_GETTIMEOUT:
+- return put_user(wdt_margin, (int __user *)arg);
++ /* when returning ... inverse is true */
++ return put_user((wdt_margin >> 12), (int __user *)arg);
+ case WDIOC_SETOPTIONS:
+ if (copy_from_user(&options, (int __user *)arg, sizeof(int)))
+ return -EFAULT;
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Moritz Fischer <mdf@kernel.org>
+Date: Mon, 24 Apr 2017 15:05:12 -0700
+Subject: rtc: ds1374: wdt: Fix stop/start ioctl always returning -EINVAL
+
+From: Moritz Fischer <mdf@kernel.org>
+
+
+[ Upstream commit 538c08f4c89580fc644e2bc64e0a4b86c925da4e ]
+
+The WDIOC_SETOPTIONS case in the watchdog ioctl would alwayss falls
+through to the -EINVAL case. This is wrong since thew watchdog does
+actually get stopped or started correctly.
+
+Fixes: 920f91e50c5b ("drivers/rtc/rtc-ds1374.c: add watchdog support")
+Signed-off-by: Moritz Fischer <mdf@kernel.org>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-ds1374.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/rtc/rtc-ds1374.c
++++ b/drivers/rtc/rtc-ds1374.c
+@@ -548,14 +548,15 @@ static long ds1374_wdt_ioctl(struct file
+ if (options & WDIOS_DISABLECARD) {
+ pr_info("disable watchdog\n");
+ ds1374_wdt_disable();
++ return 0;
+ }
+
+ if (options & WDIOS_ENABLECARD) {
+ pr_info("enable watchdog\n");
+ ds1374_wdt_settimeout(wdt_margin);
+ ds1374_wdt_ping();
++ return 0;
+ }
+-
+ return -EINVAL;
+ }
+ return -ENOTTY;
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Tsang-Shian Lin <thlin@realtek.com>
+Date: Sat, 9 Dec 2017 11:37:10 -0600
+Subject: rtlwifi: rtl_pci: Fix the bug when inactiveps is enabled.
+
+From: Tsang-Shian Lin <thlin@realtek.com>
+
+
+[ Upstream commit b7573a0a27bfa8270dea9b145448f6884b7cacc1 ]
+
+Reset the driver current tx read/write index to zero when inactiveps
+nic out of sync with HW state. Wrong driver tx read/write index will
+cause Tx fail.
+
+Signed-off-by: Tsang-Shian Lin <thlin@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Cc: Yan-Hsuan Chuang <yhchuang@realtek.com>
+Cc: Birming Chiu <birming@realtek.com>
+Cc: Shaofu <shaofu@realtek.com>
+Cc: Steven Ting <steventing@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/pci.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -1572,7 +1572,14 @@ int rtl_pci_reset_trx_ring(struct ieee80
+ dev_kfree_skb_irq(skb);
+ ring->idx = (ring->idx + 1) % ring->entries;
+ }
++
++ if (rtlpriv->use_new_trx_flow) {
++ rtlpci->tx_ring[i].cur_tx_rp = 0;
++ rtlpci->tx_ring[i].cur_tx_wp = 0;
++ }
++
+ ring->idx = 0;
++ ring->entries = rtlpci->txringcount[i];
+ }
+ }
+ spin_unlock_irqrestore(&rtlpriv->locks.irq_th_lock, flags);
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Sun, 2 Apr 2017 17:08:05 +1000
+Subject: scsi: mac_esp: Replace bogus memory barrier with spinlock
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+
+[ Upstream commit 4da2b1eb230ba4ad19b58984dc52e05b1073df5f ]
+
+Commit da244654c66e ("[SCSI] mac_esp: fix for quadras with two esp
+chips") added mac_scsi_esp_intr() to handle the IRQ lines from a pair of
+on-board ESP chips (a normal shared IRQ did not work).
+
+Proper mutual exclusion was missing from that patch. This patch fixes
+race conditions between comparison and assignment of esp_chips[]
+pointers.
+
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Reviewed-by: Michael Schmitz <schmitzmic@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mac_esp.c | 33 +++++++++++++++++++++++----------
+ 1 file changed, 23 insertions(+), 10 deletions(-)
+
+--- a/drivers/scsi/mac_esp.c
++++ b/drivers/scsi/mac_esp.c
+@@ -55,6 +55,7 @@ struct mac_esp_priv {
+ int error;
+ };
+ static struct esp *esp_chips[2];
++static DEFINE_SPINLOCK(esp_chips_lock);
+
+ #define MAC_ESP_GET_PRIV(esp) ((struct mac_esp_priv *) \
+ platform_get_drvdata((struct platform_device *) \
+@@ -562,15 +563,18 @@ static int esp_mac_probe(struct platform
+ }
+
+ host->irq = IRQ_MAC_SCSI;
+- esp_chips[dev->id] = esp;
+- mb();
+- if (esp_chips[!dev->id] == NULL) {
+- err = request_irq(host->irq, mac_scsi_esp_intr, 0, "ESP", NULL);
+- if (err < 0) {
+- esp_chips[dev->id] = NULL;
+- goto fail_free_priv;
+- }
++
++ /* The request_irq() call is intended to succeed for the first device
++ * and fail for the second device.
++ */
++ err = request_irq(host->irq, mac_scsi_esp_intr, 0, "ESP", NULL);
++ spin_lock(&esp_chips_lock);
++ if (err < 0 && esp_chips[!dev->id] == NULL) {
++ spin_unlock(&esp_chips_lock);
++ goto fail_free_priv;
+ }
++ esp_chips[dev->id] = esp;
++ spin_unlock(&esp_chips_lock);
+
+ err = scsi_esp_register(esp, &dev->dev);
+ if (err)
+@@ -579,8 +583,13 @@ static int esp_mac_probe(struct platform
+ return 0;
+
+ fail_free_irq:
+- if (esp_chips[!dev->id] == NULL)
++ spin_lock(&esp_chips_lock);
++ esp_chips[dev->id] = NULL;
++ if (esp_chips[!dev->id] == NULL) {
++ spin_unlock(&esp_chips_lock);
+ free_irq(host->irq, esp);
++ } else
++ spin_unlock(&esp_chips_lock);
+ fail_free_priv:
+ kfree(mep);
+ fail_free_command_block:
+@@ -599,9 +608,13 @@ static int esp_mac_remove(struct platfor
+
+ scsi_esp_unregister(esp);
+
++ spin_lock(&esp_chips_lock);
+ esp_chips[dev->id] = NULL;
+- if (!(esp_chips[0] || esp_chips[1]))
++ if (esp_chips[!dev->id] == NULL) {
++ spin_unlock(&esp_chips_lock);
+ free_irq(irq, NULL);
++ } else
++ spin_unlock(&esp_chips_lock);
+
+ kfree(mep);
+
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: David Gibson <david@gibson.dropbear.id.au>
+Date: Thu, 13 Apr 2017 12:13:00 +1000
+Subject: scsi: virtio_scsi: Always try to read VPD pages
+
+From: David Gibson <david@gibson.dropbear.id.au>
+
+
+[ Upstream commit 25d1d50e23275e141e3a3fe06c25a99f4c4bf4e0 ]
+
+Passed through SCSI targets may have transfer limits which come from the
+host SCSI controller or something on the host side other than the target
+itself.
+
+To make this work properly, the hypervisor can adjust the target's VPD
+information to advertise these limits. But for that to work, the guest
+has to look at the VPD pages, which we won't do by default if it is an
+SPC-2 device, even if it does actually support it.
+
+This adds a workaround to address this, forcing devices attached to a
+virtio-scsi controller to always check the VPD pages. This is modelled
+on a similar workaround for the storvsc (Hyper-V) SCSI controller,
+although that exists for slightly different reasons.
+
+A specific case which causes this is a volume from IBM's IPR RAID
+controller (which presents as an SPC-2 device, although it does support
+VPD) passed through with qemu's 'scsi-block' device.
+
+[mkp: fixed typo]
+
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/virtio_scsi.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/drivers/scsi/virtio_scsi.c
++++ b/drivers/scsi/virtio_scsi.c
+@@ -28,6 +28,7 @@
+ #include <scsi/scsi_device.h>
+ #include <scsi/scsi_cmnd.h>
+ #include <scsi/scsi_tcq.h>
++#include <scsi/scsi_devinfo.h>
+ #include <linux/seqlock.h>
+
+ #define VIRTIO_SCSI_MEMPOOL_SZ 64
+@@ -704,6 +705,28 @@ static int virtscsi_device_reset(struct
+ return virtscsi_tmf(vscsi, cmd);
+ }
+
++static int virtscsi_device_alloc(struct scsi_device *sdevice)
++{
++ /*
++ * Passed through SCSI targets (e.g. with qemu's 'scsi-block')
++ * may have transfer limits which come from the host SCSI
++ * controller or something on the host side other than the
++ * target itself.
++ *
++ * To make this work properly, the hypervisor can adjust the
++ * target's VPD information to advertise these limits. But
++ * for that to work, the guest has to look at the VPD pages,
++ * which we won't do by default if it is an SPC-2 device, even
++ * if it does actually support it.
++ *
++ * So, set the blist to always try to read the VPD pages.
++ */
++ sdevice->sdev_bflags = BLIST_TRY_VPD_PAGES;
++
++ return 0;
++}
++
++
+ /**
+ * virtscsi_change_queue_depth() - Change a virtscsi target's queue depth
+ * @sdev: Virtscsi target whose queue depth to change
+@@ -775,6 +798,7 @@ static struct scsi_host_template virtscs
+ .change_queue_depth = virtscsi_change_queue_depth,
+ .eh_abort_handler = virtscsi_abort,
+ .eh_device_reset_handler = virtscsi_device_reset,
++ .slave_alloc = virtscsi_device_alloc,
+
+ .can_queue = 1024,
+ .dma_boundary = UINT_MAX,
smb3-validate-negotiate-request-must-always-be-signed.patch
cifs-enable-encryption-during-session-setup-phase.patch
staging-android-ashmem-fix-possible-deadlock-in-ashmem_ioctl.patch
+platform-x86-asus-nb-wmi-add-wapf4-quirk-for-the-x302ua.patch
+regulator-anatop-set-default-voltage-selector-for-pcie.patch
+x86-i8259-export-legacy_pic-symbol.patch
+rtc-cmos-do-not-assume-irq-8-for-rtc-when-there-are-no-legacy-irqs.patch
+input-ar1021_i2c-fix-too-long-name-in-driver-s-device-table.patch
+time-change-posix-clocks-ops-interfaces-to-use-timespec64.patch
+acpi-processor-fix-error-handling-in-__acpi_processor_start.patch
+acpi-processor-replace-racy-task-affinity-logic.patch
+cpufreq-sh-replace-racy-task-affinity-logic.patch
+genirq-use-irqd_get_trigger_type-to-compare-the-trigger-type-for-shared-irqs.patch
+i2c-i2c-scmi-add-a-ms-hid.patch
+net-ipv6-send-unsolicited-na-on-admin-up.patch
+media-dvb-core-race-condition-when-writing-to-cam.patch
+spi-dw-disable-clock-after-unregistering-the-host.patch
+ath-fix-updating-radar-flags-for-coutry-code-india.patch
+clk-ns2-correct-sdio-bits.patch
+scsi-virtio_scsi-always-try-to-read-vpd-pages.patch
+kvm-ppc-book3s-pr-exit-kvm-on-failed-mapping.patch
+arm-8668-1-ftrace-fix-dynamic-ftrace-with-debug_rodata-and-frame_pointer.patch
+iommu-omap-register-driver-before-setting-iommu-ops.patch
+md-raid10-wait-up-frozen-array-in-handle_write_completed.patch
+nfs-fix-missing-pg_cleanup-after-nfs_pageio_cond_complete.patch
+tcp-remove-poll-flakes-with-fastopen.patch
+e1000e-fix-timing-for-82579-gigabit-ethernet-controller.patch
+alsa-hda-fix-headset-microphone-detection-for-asus-n551-and-n751.patch
+ib-ipoib-fix-deadlock-between-ipoib_stop-and-mcast-join-flow.patch
+ib-ipoib-update-broadcast-object-if-pkey-value-was-changed-in-index-0.patch
+hsi-ssi_protocol-double-free-in-ssip_pn_xmit.patch
+ib-mlx4-take-write-semaphore-when-changing-the-vma-struct.patch
+ib-mlx4-change-vma-from-shared-to-private.patch
+asoc-intel-skylake-uninitialized-variable-in-probe_codec.patch
+fix-driver-usage-of-128b-wqes-when-wq_create-is-v1.patch
+netfilter-xt_ct-fix-refcnt-leak-on-error-path.patch
+openvswitch-delete-conntrack-entry-clashing-with-an-expectation.patch
+mmc-host-omap_hsmmc-checking-for-null-instead-of-is_err.patch
+wan-pc300too-abort-path-on-failure.patch
+qlcnic-fix-unchecked-return-value.patch
+scsi-mac_esp-replace-bogus-memory-barrier-with-spinlock.patch
+infiniband-uverbs-fix-integer-overflows.patch
+nfs-don-t-try-to-cross-a-mountpount-when-there-isn-t-one-there.patch
+iio-st_pressure-st_accel-initialise-sensor-platform-data-properly.patch
+mt7601u-check-return-value-of-alloc_skb.patch
+rndis_wlan-add-return-value-validation.patch
+btrfs-send-fix-file-hole-not-being-preserved-due-to-inline-extent.patch
+mac80211-don-t-parse-encrypted-management-frames-in-ieee80211_frame_acked.patch
+mfd-palmas-reset-the-powerhold-mux-during-power-off.patch
+mtip32xx-use-runtime-tag-to-initialize-command-header.patch
+staging-unisys-visorhba-fix-s-par-to-boot-with-option-config_vmap_stack-set-to-y.patch
+staging-wilc1000-fix-unchecked-return-value.patch
+mmc-sdhci-of-esdhc-limit-sd-clock-for-ls1012a-ls1046a.patch
+arm-dra7-clockdomain-change-the-clktrctrl-of-cm_pcie_clkstctrl-to-sw_wkup.patch
+ipmi-watchdog-fix-wdog-hang-on-panic-waiting-for-ipmi-response.patch
+acpi-pmic-xpower-fix-power_table-addresses.patch
+drm-nouveau-kms-increase-max-retries-in-scanout-position-queries.patch
+bnx2x-align-rx-buffers.patch
+power-supply-pda_power-move-from-timer-to-delayed_work.patch
+input-twl4030-pwrbutton-use-correct-device-for-irq-request.patch
+md-raid10-skip-spare-disk-as-first-disk.patch
+ia64-fix-module-loading-for-gcc-5.4.patch
+tcm_fileio-prevent-information-leak-for-short-reads.patch
+video-fbdev-udlfb-fix-buffer-on-stack.patch
+sm501fb-don-t-return-zero-on-failure-path-in-sm501fb_start.patch
+net-hns-fix-ethtool_get_strings-overflow-in-hns-driver.patch
+cifs-small-underflow-in-cnvrtdosunixtm.patch
+rtc-ds1374-wdt-fix-issue-with-timeout-scaling-from-secs-to-wdt-ticks.patch
+rtc-ds1374-wdt-fix-stop-start-ioctl-always-returning-einval.patch
+perf-tests-kmod-path-don-t-fail-if-compressed-modules-aren-t-supported.patch
+bluetooth-hci_qca-avoid-setup-failure-on-missing-rampatch.patch
+media-c8sectpfe-fix-potential-null-pointer-dereference-in-c8sectpfe_timer_interrupt.patch
+drm-msm-fix-leak-in-failed-get_pages.patch
+rdma-iwpm-fix-uninitialized-error-code-in-iwpm_send_mapinfo.patch
+rtlwifi-rtl_pci-fix-the-bug-when-inactiveps-is-enabled.patch
+media-bt8xx-fix-err-bt878_probe.patch
+media-media-dvb-frontends-add-delay-to-si2168-restart.patch
+cros_ec-fix-nul-termination-for-firmware-build-info.patch
+platform-chrome-use-proper-protocol-transfer-function.patch
+mmc-avoid-removing-non-removable-hosts-during-suspend.patch
+ib-ipoib-avoid-memory-leak-if-the-sa-returns-a-different-dgid.patch
+rdma-cma-use-correct-size-when-writing-netlink-stats.patch
+ib-umem-fix-use-of-npages-nmap-fields.patch
+vgacon-set-vga-struct-resource-types.patch
+drm-omap-dmm-check-for-dmm-readiness-after-successful-transaction-commit.patch
+pty-cancel-pty-slave-port-buf-s-work-in-tty_release.patch
+coresight-fix-disabling-of-coresight-tpiu.patch
+pinctrl-really-force-states-during-suspend-resume.patch
+iommu-vt-d-clean-up-pr_irq-if-request_threaded_irq-fails.patch
+ip6_vti-adjust-vti-mtu-according-to-mtu-of-lower-device.patch
+rdma-ocrdma-fix-permissions-for-ocrdma_reset_stats.patch
+nfsd4-permit-layoutget-of-executable-only-files.patch
+clk-si5351-rename-internal-plls-to-avoid-name-collisions.patch
+dmaengine-ti-dma-crossbar-fix-event-mapping-for-tpcc_evt_mux_60_63.patch
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Tue, 2 May 2017 13:47:53 +0200
+Subject: sm501fb: don't return zero on failure path in sm501fb_start()
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+
+[ Upstream commit dc85e9a87420613b3129d5cc5ecd79c58351c546 ]
+
+If fbmem iomemory mapping failed, sm501fb_start() breaks off
+initialization, deallocates resources, but returns zero.
+As a result, double deallocation can happen in sm501fb_stop().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/sm501fb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/video/fbdev/sm501fb.c
++++ b/drivers/video/fbdev/sm501fb.c
+@@ -1600,6 +1600,7 @@ static int sm501fb_start(struct sm501fb_
+ info->fbmem = ioremap(res->start, resource_size(res));
+ if (info->fbmem == NULL) {
+ dev_err(dev, "cannot remap framebuffer\n");
++ ret = -ENXIO;
+ goto err_mem_res;
+ }
+
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Marek Vasut <marex@denx.de>
+Date: Tue, 18 Apr 2017 20:09:06 +0200
+Subject: spi: dw: Disable clock after unregistering the host
+
+From: Marek Vasut <marex@denx.de>
+
+
+[ Upstream commit 400c18e3dc86e04ef5afec9b86a8586ca629b9e9 ]
+
+The dw_mmio driver disables the block clock before unregistering
+the host. The code unregistering the host may access the SPI block
+registers. If register access happens with block clock disabled,
+this may lead to a bus hang. Disable the clock after unregistering
+the host to prevent such situation.
+
+This bug was observed on Altera Cyclone V SoC.
+
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Mark Brown <broonie@kernel.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-dw-mmio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-dw-mmio.c
++++ b/drivers/spi/spi-dw-mmio.c
+@@ -120,8 +120,8 @@ static int dw_spi_mmio_remove(struct pla
+ {
+ struct dw_spi_mmio *dwsmmio = platform_get_drvdata(pdev);
+
+- clk_disable_unprepare(dwsmmio->clk);
+ dw_spi_remove_host(&dwsmmio->dws);
++ clk_disable_unprepare(dwsmmio->clk);
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Sameer Wadgaonkar <sameer.wadgaonkar@unisys.com>
+Date: Tue, 18 Apr 2017 16:55:25 -0400
+Subject: staging: unisys: visorhba: fix s-Par to boot with option CONFIG_VMAP_STACK set to y
+
+From: Sameer Wadgaonkar <sameer.wadgaonkar@unisys.com>
+
+
+[ Upstream commit 3c2bf0bd08123f3497bd3e84bd9088c937b0cb40 ]
+
+The root issue is that we are not allowed to have items on the
+stack being passed to "DMA" like operations. In this case we have
+a vmcall and an inline completion of scsi command.
+
+This patch fixes the issue by moving the variables on stack in
+do_scsi_nolinuxstat() to heap memory.
+
+Signed-off-by: Sameer Wadgaonkar <sameer.wadgaonkar@unisys.com>
+Signed-off-by: David Kershner <david.kershner@unisys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/unisys/visorhba/visorhba_main.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/unisys/visorhba/visorhba_main.c
++++ b/drivers/staging/unisys/visorhba/visorhba_main.c
+@@ -792,7 +792,7 @@ static void
+ do_scsi_nolinuxstat(struct uiscmdrsp *cmdrsp, struct scsi_cmnd *scsicmd)
+ {
+ struct scsi_device *scsidev;
+- unsigned char buf[36];
++ unsigned char *buf;
+ struct scatterlist *sg;
+ unsigned int i;
+ char *this_page;
+@@ -807,6 +807,10 @@ do_scsi_nolinuxstat(struct uiscmdrsp *cm
+ if (cmdrsp->scsi.no_disk_result == 0)
+ return;
+
++ buf = kzalloc(sizeof(char) * 36, GFP_KERNEL);
++ if (!buf)
++ return;
++
+ /* Linux scsi code wants a device at Lun 0
+ * to issue report luns, but we don't want
+ * a disk there so we'll present a processor
+@@ -820,6 +824,7 @@ do_scsi_nolinuxstat(struct uiscmdrsp *cm
+ if (scsi_sg_count(scsicmd) == 0) {
+ memcpy(scsi_sglist(scsicmd), buf,
+ cmdrsp->scsi.bufflen);
++ kfree(buf);
+ return;
+ }
+
+@@ -831,6 +836,7 @@ do_scsi_nolinuxstat(struct uiscmdrsp *cm
+ memcpy(this_page, buf + bufind, sg[i].length);
+ kunmap_atomic(this_page_orig);
+ }
++ kfree(buf);
+ } else {
+ devdata = (struct visorhba_devdata *)scsidev->host->hostdata;
+ for_each_vdisk_match(vdisk, devdata, scsidev) {
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Pan Bian <bianpan2016@163.com>
+Date: Sun, 23 Apr 2017 19:53:58 +0800
+Subject: staging: wilc1000: fix unchecked return value
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit 9e96652756ad647b7bcc03cb99ffc9756d7b5f93 ]
+
+Function dev_alloc_skb() will return a NULL pointer if there is no
+enough memory. However, in function WILC_WFI_mon_xmit(), its return
+value is used without validation. This may result in a bad memory access
+bug. This patch fixes the bug.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/wilc1000/linux_mon.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/staging/wilc1000/linux_mon.c
++++ b/drivers/staging/wilc1000/linux_mon.c
+@@ -251,6 +251,8 @@ static netdev_tx_t WILC_WFI_mon_xmit(str
+
+ if (skb->data[0] == 0xc0 && (!(memcmp(broadcast, &skb->data[4], 6)))) {
+ skb2 = dev_alloc_skb(skb->len + sizeof(struct wilc_wfi_radiotap_cb_hdr));
++ if (!skb2)
++ return -ENOMEM;
+
+ memcpy(skb_put(skb2, skb->len), skb->data, skb->len);
+
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Dmitry Monakhov <dmonakhov@openvz.org>
+Date: Fri, 31 Mar 2017 19:53:35 +0400
+Subject: tcm_fileio: Prevent information leak for short reads
+
+From: Dmitry Monakhov <dmonakhov@openvz.org>
+
+
+[ Upstream commit f11b55d13563e9428c88c873f4f03a6bef11ec0a ]
+
+If we failed to read data from backing file (probably because some one
+truncate file under us), we must zerofill cmd's data, otherwise it will
+be returned as is. Most likely cmd's data are unitialized pages from
+page cache. This result in information leak.
+
+(Change BUG_ON into -EINVAL se_cmd failure - nab)
+
+testcase: https://github.com/dmonakhov/xfstests/commit/e11a1b7b907ca67b1be51a1594025600767366d5
+Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_file.c | 23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+--- a/drivers/target/target_core_file.c
++++ b/drivers/target/target_core_file.c
+@@ -276,12 +276,11 @@ static int fd_do_rw(struct se_cmd *cmd,
+ else
+ ret = vfs_iter_read(fd, &iter, &pos);
+
+- kfree(bvec);
+-
+ if (is_write) {
+ if (ret < 0 || ret != data_length) {
+ pr_err("%s() write returned %d\n", __func__, ret);
+- return (ret < 0 ? ret : -EINVAL);
++ if (ret >= 0)
++ ret = -EINVAL;
+ }
+ } else {
+ /*
+@@ -294,17 +293,29 @@ static int fd_do_rw(struct se_cmd *cmd,
+ pr_err("%s() returned %d, expecting %u for "
+ "S_ISBLK\n", __func__, ret,
+ data_length);
+- return (ret < 0 ? ret : -EINVAL);
++ if (ret >= 0)
++ ret = -EINVAL;
+ }
+ } else {
+ if (ret < 0) {
+ pr_err("%s() returned %d for non S_ISBLK\n",
+ __func__, ret);
+- return ret;
++ } else if (ret != data_length) {
++ /*
++ * Short read case:
++ * Probably some one truncate file under us.
++ * We must explicitly zero sg-pages to prevent
++ * expose uninizialized pages to userspace.
++ */
++ if (ret < data_length)
++ ret += iov_iter_zero(data_length - ret, &iter);
++ else
++ ret = -EINVAL;
+ }
+ }
+ }
+- return 1;
++ kfree(bvec);
++ return ret;
+ }
+
+ static sense_reason_t
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 18 Apr 2017 09:45:52 -0700
+Subject: tcp: remove poll() flakes with FastOpen
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 0f9fa831aecfc297b7b45d4f046759bcefcf87f0 ]
+
+When using TCP FastOpen for an active session, we send one wakeup event
+from tcp_finish_connect(), right before the data eventually contained in
+the received SYNACK is queued to sk->sk_receive_queue.
+
+This means that depending on machine load or luck, poll() users
+might receive POLLOUT events instead of POLLIN|POLLOUT
+
+To fix this, we need to move the call to sk->sk_state_change()
+after the (optional) call to tcp_rcv_fastopen_synack()
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5464,10 +5464,6 @@ void tcp_finish_connect(struct sock *sk,
+ else
+ tp->pred_flags = 0;
+
+- if (!sock_flag(sk, SOCK_DEAD)) {
+- sk->sk_state_change(sk);
+- sk_wake_async(sk, SOCK_WAKE_IO, POLL_OUT);
+- }
+ }
+
+ static bool tcp_rcv_fastopen_synack(struct sock *sk, struct sk_buff *synack,
+@@ -5531,6 +5527,7 @@ static int tcp_rcv_synsent_state_process
+ struct tcp_sock *tp = tcp_sk(sk);
+ struct tcp_fastopen_cookie foc = { .len = -1 };
+ int saved_clamp = tp->rx_opt.mss_clamp;
++ bool fastopen_fail;
+
+ tcp_parse_options(skb, &tp->rx_opt, 0, &foc);
+ if (tp->rx_opt.saw_tstamp && tp->rx_opt.rcv_tsecr)
+@@ -5633,10 +5630,15 @@ static int tcp_rcv_synsent_state_process
+
+ tcp_finish_connect(sk, skb);
+
+- if ((tp->syn_fastopen || tp->syn_data) &&
+- tcp_rcv_fastopen_synack(sk, skb, &foc))
+- return -1;
++ fastopen_fail = (tp->syn_fastopen || tp->syn_data) &&
++ tcp_rcv_fastopen_synack(sk, skb, &foc);
+
++ if (!sock_flag(sk, SOCK_DEAD)) {
++ sk->sk_state_change(sk);
++ sk_wake_async(sk, SOCK_WAKE_IO, POLL_OUT);
++ }
++ if (fastopen_fail)
++ return -1;
+ if (sk->sk_write_pending ||
+ icsk->icsk_accept_queue.rskq_defer_accept ||
+ icsk->icsk_ack.pingpong) {
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Deepa Dinamani <deepa.kernel@gmail.com>
+Date: Sun, 26 Mar 2017 12:04:13 -0700
+Subject: time: Change posix clocks ops interfaces to use timespec64
+
+From: Deepa Dinamani <deepa.kernel@gmail.com>
+
+
+[ Upstream commit d340266e19ddb70dbd608f9deedcfb35fdb9d419 ]
+
+struct timespec is not y2038 safe on 32 bit machines.
+
+The posix clocks apis use struct timespec directly and through struct
+itimerspec.
+
+Replace the posix clock interfaces to use struct timespec64 and struct
+itimerspec64 instead. Also fix up their implementations accordingly.
+
+Note that the clock_getres() interface has also been changed to use
+timespec64 even though this particular interface is not affected by the
+y2038 problem. This helps verification for internal kernel code for y2038
+readiness by getting rid of time_t/ timeval/ timespec.
+
+Signed-off-by: Deepa Dinamani <deepa.kernel@gmail.com>
+Cc: arnd@arndb.de
+Cc: y2038@lists.linaro.org
+Cc: netdev@vger.kernel.org
+Cc: Richard Cochran <richardcochran@gmail.com>
+Cc: john.stultz@linaro.org
+Link: http://lkml.kernel.org/r/1490555058-4603-3-git-send-email-deepa.kernel@gmail.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ptp/ptp_clock.c | 18 +++++++-----------
+ include/linux/posix-clock.h | 10 +++++-----
+ kernel/time/posix-clock.c | 34 ++++++++++++++++++++++++----------
+ 3 files changed, 36 insertions(+), 26 deletions(-)
+
+--- a/drivers/ptp/ptp_clock.c
++++ b/drivers/ptp/ptp_clock.c
+@@ -97,30 +97,26 @@ static s32 scaled_ppm_to_ppb(long ppm)
+
+ /* posix clock implementation */
+
+-static int ptp_clock_getres(struct posix_clock *pc, struct timespec *tp)
++static int ptp_clock_getres(struct posix_clock *pc, struct timespec64 *tp)
+ {
+ tp->tv_sec = 0;
+ tp->tv_nsec = 1;
+ return 0;
+ }
+
+-static int ptp_clock_settime(struct posix_clock *pc, const struct timespec *tp)
++static int ptp_clock_settime(struct posix_clock *pc, const struct timespec64 *tp)
+ {
+ struct ptp_clock *ptp = container_of(pc, struct ptp_clock, clock);
+- struct timespec64 ts = timespec_to_timespec64(*tp);
+
+- return ptp->info->settime64(ptp->info, &ts);
++ return ptp->info->settime64(ptp->info, tp);
+ }
+
+-static int ptp_clock_gettime(struct posix_clock *pc, struct timespec *tp)
++static int ptp_clock_gettime(struct posix_clock *pc, struct timespec64 *tp)
+ {
+ struct ptp_clock *ptp = container_of(pc, struct ptp_clock, clock);
+- struct timespec64 ts;
+ int err;
+
+- err = ptp->info->gettime64(ptp->info, &ts);
+- if (!err)
+- *tp = timespec64_to_timespec(ts);
++ err = ptp->info->gettime64(ptp->info, tp);
+ return err;
+ }
+
+@@ -133,7 +129,7 @@ static int ptp_clock_adjtime(struct posi
+ ops = ptp->info;
+
+ if (tx->modes & ADJ_SETOFFSET) {
+- struct timespec ts;
++ struct timespec64 ts;
+ ktime_t kt;
+ s64 delta;
+
+@@ -146,7 +142,7 @@ static int ptp_clock_adjtime(struct posi
+ if ((unsigned long) ts.tv_nsec >= NSEC_PER_SEC)
+ return -EINVAL;
+
+- kt = timespec_to_ktime(ts);
++ kt = timespec64_to_ktime(ts);
+ delta = ktime_to_ns(kt);
+ err = ops->adjtime(ops, delta);
+ } else if (tx->modes & ADJ_FREQUENCY) {
+--- a/include/linux/posix-clock.h
++++ b/include/linux/posix-clock.h
+@@ -59,23 +59,23 @@ struct posix_clock_operations {
+
+ int (*clock_adjtime)(struct posix_clock *pc, struct timex *tx);
+
+- int (*clock_gettime)(struct posix_clock *pc, struct timespec *ts);
++ int (*clock_gettime)(struct posix_clock *pc, struct timespec64 *ts);
+
+- int (*clock_getres) (struct posix_clock *pc, struct timespec *ts);
++ int (*clock_getres) (struct posix_clock *pc, struct timespec64 *ts);
+
+ int (*clock_settime)(struct posix_clock *pc,
+- const struct timespec *ts);
++ const struct timespec64 *ts);
+
+ int (*timer_create) (struct posix_clock *pc, struct k_itimer *kit);
+
+ int (*timer_delete) (struct posix_clock *pc, struct k_itimer *kit);
+
+ void (*timer_gettime)(struct posix_clock *pc,
+- struct k_itimer *kit, struct itimerspec *tsp);
++ struct k_itimer *kit, struct itimerspec64 *tsp);
+
+ int (*timer_settime)(struct posix_clock *pc,
+ struct k_itimer *kit, int flags,
+- struct itimerspec *tsp, struct itimerspec *old);
++ struct itimerspec64 *tsp, struct itimerspec64 *old);
+ /*
+ * Optional character device methods:
+ */
+--- a/kernel/time/posix-clock.c
++++ b/kernel/time/posix-clock.c
+@@ -300,14 +300,17 @@ out:
+ static int pc_clock_gettime(clockid_t id, struct timespec *ts)
+ {
+ struct posix_clock_desc cd;
++ struct timespec64 ts64;
+ int err;
+
+ err = get_clock_desc(id, &cd);
+ if (err)
+ return err;
+
+- if (cd.clk->ops.clock_gettime)
+- err = cd.clk->ops.clock_gettime(cd.clk, ts);
++ if (cd.clk->ops.clock_gettime) {
++ err = cd.clk->ops.clock_gettime(cd.clk, &ts64);
++ *ts = timespec64_to_timespec(ts64);
++ }
+ else
+ err = -EOPNOTSUPP;
+
+@@ -319,14 +322,17 @@ static int pc_clock_gettime(clockid_t id
+ static int pc_clock_getres(clockid_t id, struct timespec *ts)
+ {
+ struct posix_clock_desc cd;
++ struct timespec64 ts64;
+ int err;
+
+ err = get_clock_desc(id, &cd);
+ if (err)
+ return err;
+
+- if (cd.clk->ops.clock_getres)
+- err = cd.clk->ops.clock_getres(cd.clk, ts);
++ if (cd.clk->ops.clock_getres) {
++ err = cd.clk->ops.clock_getres(cd.clk, &ts64);
++ *ts = timespec64_to_timespec(ts64);
++ }
+ else
+ err = -EOPNOTSUPP;
+
+@@ -337,6 +343,7 @@ static int pc_clock_getres(clockid_t id,
+
+ static int pc_clock_settime(clockid_t id, const struct timespec *ts)
+ {
++ struct timespec64 ts64 = timespec_to_timespec64(*ts);
+ struct posix_clock_desc cd;
+ int err;
+
+@@ -350,7 +357,7 @@ static int pc_clock_settime(clockid_t id
+ }
+
+ if (cd.clk->ops.clock_settime)
+- err = cd.clk->ops.clock_settime(cd.clk, ts);
++ err = cd.clk->ops.clock_settime(cd.clk, &ts64);
+ else
+ err = -EOPNOTSUPP;
+ out:
+@@ -403,29 +410,36 @@ static void pc_timer_gettime(struct k_it
+ {
+ clockid_t id = kit->it_clock;
+ struct posix_clock_desc cd;
++ struct itimerspec64 ts64;
+
+ if (get_clock_desc(id, &cd))
+ return;
+
+- if (cd.clk->ops.timer_gettime)
+- cd.clk->ops.timer_gettime(cd.clk, kit, ts);
+-
++ if (cd.clk->ops.timer_gettime) {
++ cd.clk->ops.timer_gettime(cd.clk, kit, &ts64);
++ *ts = itimerspec64_to_itimerspec(&ts64);
++ }
+ put_clock_desc(&cd);
+ }
+
+ static int pc_timer_settime(struct k_itimer *kit, int flags,
+ struct itimerspec *ts, struct itimerspec *old)
+ {
++ struct itimerspec64 ts64 = itimerspec_to_itimerspec64(ts);
+ clockid_t id = kit->it_clock;
+ struct posix_clock_desc cd;
++ struct itimerspec64 old64;
+ int err;
+
+ err = get_clock_desc(id, &cd);
+ if (err)
+ return err;
+
+- if (cd.clk->ops.timer_settime)
+- err = cd.clk->ops.timer_settime(cd.clk, kit, flags, ts, old);
++ if (cd.clk->ops.timer_settime) {
++ err = cd.clk->ops.timer_settime(cd.clk, kit, flags, &ts64, &old64);
++ if (old)
++ *old = itimerspec64_to_itimerspec(&old64);
++ }
+ else
+ err = -EOPNOTSUPP;
+
--- /dev/null
+From foo@baz Thu Mar 22 14:57:33 CET 2018
+From: Bjorn Helgaas <bhelgaas@google.com>
+Date: Fri, 1 Dec 2017 11:06:39 -0600
+Subject: vgacon: Set VGA struct resource types
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+
+[ Upstream commit c82084117f79bcae085e40da526253736a247120 ]
+
+Set the resource type when we reserve VGA-related I/O port resources.
+
+The resource code doesn't actually look at the type, so it inserts
+resources without a type in the tree correctly even without this change.
+But if we ever print a resource without a type, it looks like this:
+
+ vga+ [??? 0x000003c0-0x000003df flags 0x0]
+
+Setting the type means it will be printed correctly as:
+
+ vga+ [io 0x000003c0-0x000003df]
+
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/alpha/kernel/console.c | 1 +
+ drivers/video/console/vgacon.c | 34 ++++++++++++++++++++++++++--------
+ 2 files changed, 27 insertions(+), 8 deletions(-)
+
+--- a/arch/alpha/kernel/console.c
++++ b/arch/alpha/kernel/console.c
+@@ -20,6 +20,7 @@
+ struct pci_controller *pci_vga_hose;
+ static struct resource alpha_vga = {
+ .name = "alpha-vga+",
++ .flags = IORESOURCE_IO,
+ .start = 0x3C0,
+ .end = 0x3DF
+ };
+--- a/drivers/video/console/vgacon.c
++++ b/drivers/video/console/vgacon.c
+@@ -409,7 +409,10 @@ static const char *vgacon_startup(void)
+ vga_video_port_val = VGA_CRT_DM;
+ if ((screen_info.orig_video_ega_bx & 0xff) != 0x10) {
+ static struct resource ega_console_resource =
+- { .name = "ega", .start = 0x3B0, .end = 0x3BF };
++ { .name = "ega",
++ .flags = IORESOURCE_IO,
++ .start = 0x3B0,
++ .end = 0x3BF };
+ vga_video_type = VIDEO_TYPE_EGAM;
+ vga_vram_size = 0x8000;
+ display_desc = "EGA+";
+@@ -417,9 +420,15 @@ static const char *vgacon_startup(void)
+ &ega_console_resource);
+ } else {
+ static struct resource mda1_console_resource =
+- { .name = "mda", .start = 0x3B0, .end = 0x3BB };
++ { .name = "mda",
++ .flags = IORESOURCE_IO,
++ .start = 0x3B0,
++ .end = 0x3BB };
+ static struct resource mda2_console_resource =
+- { .name = "mda", .start = 0x3BF, .end = 0x3BF };
++ { .name = "mda",
++ .flags = IORESOURCE_IO,
++ .start = 0x3BF,
++ .end = 0x3BF };
+ vga_video_type = VIDEO_TYPE_MDA;
+ vga_vram_size = 0x2000;
+ display_desc = "*MDA";
+@@ -441,15 +450,21 @@ static const char *vgacon_startup(void)
+ vga_vram_size = 0x8000;
+
+ if (!screen_info.orig_video_isVGA) {
+- static struct resource ega_console_resource
+- = { .name = "ega", .start = 0x3C0, .end = 0x3DF };
++ static struct resource ega_console_resource =
++ { .name = "ega",
++ .flags = IORESOURCE_IO,
++ .start = 0x3C0,
++ .end = 0x3DF };
+ vga_video_type = VIDEO_TYPE_EGAC;
+ display_desc = "EGA";
+ request_resource(&ioport_resource,
+ &ega_console_resource);
+ } else {
+- static struct resource vga_console_resource
+- = { .name = "vga+", .start = 0x3C0, .end = 0x3DF };
++ static struct resource vga_console_resource =
++ { .name = "vga+",
++ .flags = IORESOURCE_IO,
++ .start = 0x3C0,
++ .end = 0x3DF };
+ vga_video_type = VIDEO_TYPE_VGAC;
+ display_desc = "VGA+";
+ request_resource(&ioport_resource,
+@@ -493,7 +508,10 @@ static const char *vgacon_startup(void)
+ }
+ } else {
+ static struct resource cga_console_resource =
+- { .name = "cga", .start = 0x3D4, .end = 0x3D5 };
++ { .name = "cga",
++ .flags = IORESOURCE_IO,
++ .start = 0x3D4,
++ .end = 0x3D5 };
+ vga_video_type = VIDEO_TYPE_CGA;
+ vga_vram_size = 0x2000;
+ display_desc = "*CGA";
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Maksim Salau <maksim.salau@gmail.com>
+Date: Tue, 2 May 2017 13:47:53 +0200
+Subject: video: fbdev: udlfb: Fix buffer on stack
+
+From: Maksim Salau <maksim.salau@gmail.com>
+
+
+[ Upstream commit 45f580c42e5c125d55dbd8099750a1998de3d917 ]
+
+Allocate buffers on HEAP instead of STACK for local array
+that is to be sent using usb_control_msg().
+
+Signed-off-by: Maksim Salau <maksim.salau@gmail.com>
+Cc: Bernie Thompson <bernie@plugable.com>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/udlfb.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/fbdev/udlfb.c
++++ b/drivers/video/fbdev/udlfb.c
+@@ -1487,15 +1487,25 @@ static struct device_attribute fb_device
+ static int dlfb_select_std_channel(struct dlfb_data *dev)
+ {
+ int ret;
+- u8 set_def_chn[] = { 0x57, 0xCD, 0xDC, 0xA7,
++ void *buf;
++ static const u8 set_def_chn[] = {
++ 0x57, 0xCD, 0xDC, 0xA7,
+ 0x1C, 0x88, 0x5E, 0x15,
+ 0x60, 0xFE, 0xC6, 0x97,
+ 0x16, 0x3D, 0x47, 0xF2 };
+
++ buf = kmemdup(set_def_chn, sizeof(set_def_chn), GFP_KERNEL);
++
++ if (!buf)
++ return -ENOMEM;
++
+ ret = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
+ NR_USB_REQUEST_CHANNEL,
+ (USB_DIR_OUT | USB_TYPE_VENDOR), 0, 0,
+- set_def_chn, sizeof(set_def_chn), USB_CTRL_SET_TIMEOUT);
++ buf, sizeof(set_def_chn), USB_CTRL_SET_TIMEOUT);
++
++ kfree(buf);
++
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Pan Bian <bianpan2016@163.com>
+Date: Sun, 23 Apr 2017 17:38:35 +0800
+Subject: wan: pc300too: abort path on failure
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit 2a39e7aa8a98f777f0732ca7125b6c9668791760 ]
+
+In function pc300_pci_init_one(), on the ioremap error path, function
+pc300_pci_remove_one() is called to free the allocated memory. However,
+the path is not terminated, and the freed memory will be used later,
+resulting in use-after-free bugs. This path fixes the bug.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wan/pc300too.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wan/pc300too.c
++++ b/drivers/net/wan/pc300too.c
+@@ -347,6 +347,7 @@ static int pc300_pci_init_one(struct pci
+ card->rambase == NULL) {
+ pr_err("ioremap() failed\n");
+ pc300_pci_remove_one(pdev);
++ return -ENOMEM;
+ }
+
+ /* PLX PCI 9050 workaround for local configuration register read bug */
--- /dev/null
+From foo@baz Thu Mar 22 14:57:32 CET 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 8 Apr 2017 19:54:20 +0200
+Subject: x86: i8259: export legacy_pic symbol
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+
+[ Upstream commit 7ee06cb2f840a96be46233181ed4557901a74385 ]
+
+The classic PC rtc-coms driver has a workaround for broken ACPI device
+nodes for it which lack an irq resource. This workaround used to
+unconditionally hardcode the irq to 8 in these cases.
+
+This was causing irq conflict problems on systems without a legacy-pic
+so a recent patch added an if (nr_legacy_irqs()) guard to the
+workaround to avoid this irq conflict.
+
+nr_legacy_irqs() uses the legacy_pic symbol under the hood causing
+an undefined symbol error if the rtc-cmos code is build as a module.
+
+This commit exports the legacy_pic symbol to fix this.
+
+Cc: rtc-linux@googlegroups.com
+Cc: alexandre.belloni@free-electrons.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/i8259.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kernel/i8259.c
++++ b/arch/x86/kernel/i8259.c
+@@ -418,6 +418,7 @@ struct legacy_pic default_legacy_pic = {
+ };
+
+ struct legacy_pic *legacy_pic = &default_legacy_pic;
++EXPORT_SYMBOL(legacy_pic);
+
+ static int __init i8259A_init_ops(void)
+ {
projects / thirdparty / kernel / stable-queue.git / commitdiff
