--- /dev/null
+From b313b977120af56a48a787c761fead6d894d38be Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Thu, 24 Jan 2019 13:53:05 -0800
+Subject: apparmor: Fix aa_label_build() error handling for failed merges
+
+[ Upstream commit d6d478aee003e19ef90321176552a8ad2929a47f ]
+
+aa_label_merge() can return NULL for memory allocations failures
+make sure to handle and set the correct error in this case.
+
+Reported-by: Peng Hao <peng.hao2@zte.com.cn>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/apparmor/domain.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
+index dd754b7850a8..67bf8b7ee8a2 100644
+--- a/security/apparmor/domain.c
++++ b/security/apparmor/domain.c
+@@ -1260,7 +1260,10 @@ int aa_change_profile(const char *fqname, int flags)
+ aa_get_label(&profile->label));
+ if (IS_ERR_OR_NULL(new)) {
+ info = "failed to build target label";
+- error = PTR_ERR(new);
++ if (!new)
++ error = -ENOMEM;
++ else
++ error = PTR_ERR(new);
+ new = NULL;
+ perms.allow = 0;
+ goto audit;
+--
+2.19.1
+
--- /dev/null
+From 9014268a2bee326e787afbf7254c19c888ef8154 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Mon, 7 Jan 2019 09:52:43 -0800
+Subject: ARM: dts: omap4-droid4: Fix typo in cpcap IRQ flags
+
+[ Upstream commit ef4a55b9197a8f844ea0663138e902dcce3e2f36 ]
+
+We're now getting the following error:
+
+genirq: Setting trigger mode 1 for irq 230 failed
+(regmap_irq_set_type+0x0/0x15c)
+cpcap-usb-phy cpcap-usb-phy.0: could not get irq dp: -524
+
+Cc: Sebastian Reichel <sre@kernel.org>
+Reported-by: Pavel Machek <pavel@ucw.cz>
+Tested-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/motorola-cpcap-mapphone.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/motorola-cpcap-mapphone.dtsi b/arch/arm/boot/dts/motorola-cpcap-mapphone.dtsi
+index 4d61e5b1334a..bcced922b280 100644
+--- a/arch/arm/boot/dts/motorola-cpcap-mapphone.dtsi
++++ b/arch/arm/boot/dts/motorola-cpcap-mapphone.dtsi
+@@ -92,7 +92,7 @@
+ interrupts-extended = <
+ &cpcap 15 0 &cpcap 14 0 &cpcap 28 0 &cpcap 19 0
+ &cpcap 18 0 &cpcap 17 0 &cpcap 16 0 &cpcap 49 0
+- &cpcap 48 1
++ &cpcap 48 0
+ >;
+ interrupt-names =
+ "id_ground", "id_float", "se0conn", "vbusvld",
+--
+2.19.1
+
--- /dev/null
+From 007bfa823af7dc7bbc2684edc85c86a249ee9ecf Mon Sep 17 00:00:00 2001
+From: Peng Hao <peng.hao2@zte.com.cn>
+Date: Sat, 29 Dec 2018 13:10:06 +0800
+Subject: ARM: pxa: ssp: unneeded to free devm_ allocated data
+
+[ Upstream commit ba16adeb346387eb2d1ada69003588be96f098fa ]
+
+devm_ allocated data will be automatically freed. The free
+of devm_ allocated data is invalid.
+
+Fixes: 1c459de1e645 ("ARM: pxa: ssp: use devm_ functions")
+Signed-off-by: Peng Hao <peng.hao2@zte.com.cn>
+[title's prefix changed]
+Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/plat-pxa/ssp.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/arch/arm/plat-pxa/ssp.c b/arch/arm/plat-pxa/ssp.c
+index ba13f793fbce..b92673efffff 100644
+--- a/arch/arm/plat-pxa/ssp.c
++++ b/arch/arm/plat-pxa/ssp.c
+@@ -237,8 +237,6 @@ static int pxa_ssp_remove(struct platform_device *pdev)
+ if (ssp == NULL)
+ return -ENODEV;
+
+- iounmap(ssp->mmio_base);
+-
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ release_mem_region(res->start, resource_size(res));
+
+@@ -248,7 +246,6 @@ static int pxa_ssp_remove(struct platform_device *pdev)
+ list_del(&ssp->node);
+ mutex_unlock(&ssp_lock);
+
+- kfree(ssp);
+ return 0;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 2506a2b692f0236b340ab12ee08d12ab8097a82c Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Mon, 10 Dec 2018 13:56:33 +0000
+Subject: arm64: dts: add msm8996 compatible to gicv3
+
+[ Upstream commit 2a81efb0de0e33f2d2c83154af0bd3ce389b3269 ]
+
+Add compatible to gicv3 node to enable quirk required to restrict writing
+to GICR_WAKER register which is restricted on msm8996 SoC in Hypervisor.
+
+With this quirk MSM8996 can at least boot out of mainline, which can help
+community to work with boards based on MSM8996.
+
+Without this patch Qualcomm DB820c board reboots on mainline.
+
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Andy Gross <andy.gross@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/msm8996.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi b/arch/arm64/boot/dts/qcom/msm8996.dtsi
+index ab00be277c6f..6f372ec055dd 100644
+--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi
+@@ -359,7 +359,7 @@
+ };
+
+ intc: interrupt-controller@9bc0000 {
+- compatible = "arm,gic-v3";
++ compatible = "qcom,msm8996-gic-v3", "arm,gic-v3";
+ #interrupt-cells = <3>;
+ interrupt-controller;
+ #redistributor-regions = <1>;
+--
+2.19.1
+
--- /dev/null
+From f8126946e408ec88166b86d562e55dcd3cc2f5f9 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Thu, 10 Jan 2019 14:39:15 +0100
+Subject: arm64: dts: renesas: r8a7796: Enable DMA for SCIF2
+
+[ Upstream commit 97f26702bc95b5c3a72671d5c6675e4d6ee0a2f4 ]
+
+SCIF2 on R-Car M3-W can be used with both DMAC1 and DMAC2.
+
+Fixes: dbcae5ea4bd27409 ("arm64: dts: r8a7796: Enable SCIF DMA")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r8a7796.dtsi | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/renesas/r8a7796.dtsi b/arch/arm64/boot/dts/renesas/r8a7796.dtsi
+index 369092e17e34..016b84552a62 100644
+--- a/arch/arm64/boot/dts/renesas/r8a7796.dtsi
++++ b/arch/arm64/boot/dts/renesas/r8a7796.dtsi
+@@ -937,6 +937,9 @@
+ <&cpg CPG_CORE R8A7796_CLK_S3D1>,
+ <&scif_clk>;
+ clock-names = "fck", "brg_int", "scif_clk";
++ dmas = <&dmac1 0x13>, <&dmac1 0x12>,
++ <&dmac2 0x13>, <&dmac2 0x12>;
++ dma-names = "tx", "rx", "tx", "rx";
+ power-domains = <&sysc R8A7796_PD_ALWAYS_ON>;
+ resets = <&cpg 310>;
+ status = "disabled";
+--
+2.19.1
+
--- /dev/null
+From bfd0e83c0597c98c63de811ce686e1d33f53348c Mon Sep 17 00:00:00 2001
+From: James Morse <james.morse@arm.com>
+Date: Thu, 24 Jan 2019 16:32:55 +0000
+Subject: arm64: kprobe: Always blacklist the KVM world-switch code
+
+[ Upstream commit f2b3d8566d81deaca31f4e3163def0bea7746e11 ]
+
+On systems with VHE the kernel and KVM's world-switch code run at the
+same exception level. Code that is only used on a VHE system does not
+need to be annotated as __hyp_text as it can reside anywhere in the
+ kernel text.
+
+__hyp_text was also used to prevent kprobes from patching breakpoint
+instructions into this region, as this code runs at a different
+exception level. While this is no longer true with VHE, KVM still
+switches VBAR_EL1, meaning a kprobe's breakpoint executed in the
+world-switch code will cause a hyp-panic.
+
+Move the __hyp_text check in the kprobes blacklist so it applies on
+VHE systems too, to cover the common code and guest enter/exit
+assembly.
+
+Fixes: 888b3c8720e0 ("arm64: Treat all entry code as non-kprobe-able")
+Reviewed-by: Christoffer Dall <christoffer.dall@arm.com>
+Signed-off-by: James Morse <james.morse@arm.com>
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/probes/kprobes.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/kernel/probes/kprobes.c b/arch/arm64/kernel/probes/kprobes.c
+index 0417c929d21a..7d8c33279e9f 100644
+--- a/arch/arm64/kernel/probes/kprobes.c
++++ b/arch/arm64/kernel/probes/kprobes.c
+@@ -554,13 +554,13 @@ bool arch_within_kprobe_blacklist(unsigned long addr)
+ addr < (unsigned long)__entry_text_end) ||
+ (addr >= (unsigned long)__idmap_text_start &&
+ addr < (unsigned long)__idmap_text_end) ||
++ (addr >= (unsigned long)__hyp_text_start &&
++ addr < (unsigned long)__hyp_text_end) ||
+ !!search_exception_tables(addr))
+ return true;
+
+ if (!is_kernel_in_hyp_mode()) {
+- if ((addr >= (unsigned long)__hyp_text_start &&
+- addr < (unsigned long)__hyp_text_end) ||
+- (addr >= (unsigned long)__hyp_idmap_text_start &&
++ if ((addr >= (unsigned long)__hyp_idmap_text_start &&
+ addr < (unsigned long)__hyp_idmap_text_end))
+ return true;
+ }
+--
+2.19.1
+
--- /dev/null
+From a3dce3019c4ff044afcc775c163c6741d5c3d968 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Fri, 1 Feb 2019 14:21:26 -0800
+Subject: autofs: drop dentry reference only when it is never used
+
+[ Upstream commit 63ce5f552beb9bdb41546b3a26c4374758b21815 ]
+
+autofs_expire_run() calls dput(dentry) to drop the reference count of
+dentry. However, dentry is read via autofs_dentry_ino(dentry) after
+that. This may result in a use-free-bug. The patch drops the reference
+count of dentry only when it is never used.
+
+Link: http://lkml.kernel.org/r/154725122396.11260.16053424107144453867.stgit@pluto-themaw-net
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Ian Kent <raven@themaw.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/autofs4/expire.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/autofs4/expire.c b/fs/autofs4/expire.c
+index 57725d4a8c59..141f9bc213a3 100644
+--- a/fs/autofs4/expire.c
++++ b/fs/autofs4/expire.c
+@@ -567,7 +567,6 @@ int autofs4_expire_run(struct super_block *sb,
+ pkt.len = dentry->d_name.len;
+ memcpy(pkt.name, dentry->d_name.name, pkt.len);
+ pkt.name[pkt.len] = '\0';
+- dput(dentry);
+
+ if (copy_to_user(pkt_p, &pkt, sizeof(struct autofs_packet_expire)))
+ ret = -EFAULT;
+@@ -580,6 +579,8 @@ int autofs4_expire_run(struct super_block *sb,
+ complete_all(&ino->expire_complete);
+ spin_unlock(&sbi->fs_lock);
+
++ dput(dentry);
++
+ return ret;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 2deb8dbac3807eccfa7a65daae4bd9cb12ea367e Mon Sep 17 00:00:00 2001
+From: Ian Kent <raven@themaw.net>
+Date: Fri, 1 Feb 2019 14:21:29 -0800
+Subject: autofs: fix error return in autofs_fill_super()
+
+[ Upstream commit f585b283e3f025754c45bbe7533fc6e5c4643700 ]
+
+In autofs_fill_super() on error of get inode/make root dentry the return
+should be ENOMEM as this is the only failure case of the called
+functions.
+
+Link: http://lkml.kernel.org/r/154725123240.11260.796773942606871359.stgit@pluto-themaw-net
+Signed-off-by: Ian Kent <raven@themaw.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/autofs4/inode.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/autofs4/inode.c b/fs/autofs4/inode.c
+index 3c7e727612fa..e455388a939c 100644
+--- a/fs/autofs4/inode.c
++++ b/fs/autofs4/inode.c
+@@ -259,8 +259,10 @@ int autofs4_fill_super(struct super_block *s, void *data, int silent)
+ }
+ root_inode = autofs4_get_inode(s, S_IFDIR | 0755);
+ root = d_make_root(root_inode);
+- if (!root)
++ if (!root) {
++ ret = -ENOMEM;
+ goto fail_ino;
++ }
+ pipe = NULL;
+
+ root->d_fsdata = ino;
+--
+2.19.1
+
--- /dev/null
+From 04e8fb3035b73af49c804c80822dc8203e94d21d Mon Sep 17 00:00:00 2001
+From: Alexei Starovoitov <ast@kernel.org>
+Date: Wed, 30 Jan 2019 18:12:43 -0800
+Subject: bpf: fix lockdep false positive in percpu_freelist
+
+[ Upstream commit a89fac57b5d080771efd4d71feaae19877cf68f0 ]
+
+Lockdep warns about false positive:
+[ 12.492084] 00000000e6b28347 (&head->lock){+...}, at: pcpu_freelist_push+0x2a/0x40
+[ 12.492696] but this lock was taken by another, HARDIRQ-safe lock in the past:
+[ 12.493275] (&rq->lock){-.-.}
+[ 12.493276]
+[ 12.493276]
+[ 12.493276] and interrupts could create inverse lock ordering between them.
+[ 12.493276]
+[ 12.494435]
+[ 12.494435] other info that might help us debug this:
+[ 12.494979] Possible interrupt unsafe locking scenario:
+[ 12.494979]
+[ 12.495518] CPU0 CPU1
+[ 12.495879] ---- ----
+[ 12.496243] lock(&head->lock);
+[ 12.496502] local_irq_disable();
+[ 12.496969] lock(&rq->lock);
+[ 12.497431] lock(&head->lock);
+[ 12.497890] <Interrupt>
+[ 12.498104] lock(&rq->lock);
+[ 12.498368]
+[ 12.498368] *** DEADLOCK ***
+[ 12.498368]
+[ 12.498837] 1 lock held by dd/276:
+[ 12.499110] #0: 00000000c58cb2ee (rcu_read_lock){....}, at: trace_call_bpf+0x5e/0x240
+[ 12.499747]
+[ 12.499747] the shortest dependencies between 2nd lock and 1st lock:
+[ 12.500389] -> (&rq->lock){-.-.} {
+[ 12.500669] IN-HARDIRQ-W at:
+[ 12.500934] _raw_spin_lock+0x2f/0x40
+[ 12.501373] scheduler_tick+0x4c/0xf0
+[ 12.501812] update_process_times+0x40/0x50
+[ 12.502294] tick_periodic+0x27/0xb0
+[ 12.502723] tick_handle_periodic+0x1f/0x60
+[ 12.503203] timer_interrupt+0x11/0x20
+[ 12.503651] __handle_irq_event_percpu+0x43/0x2c0
+[ 12.504167] handle_irq_event_percpu+0x20/0x50
+[ 12.504674] handle_irq_event+0x37/0x60
+[ 12.505139] handle_level_irq+0xa7/0x120
+[ 12.505601] handle_irq+0xa1/0x150
+[ 12.506018] do_IRQ+0x77/0x140
+[ 12.506411] ret_from_intr+0x0/0x1d
+[ 12.506834] _raw_spin_unlock_irqrestore+0x53/0x60
+[ 12.507362] __setup_irq+0x481/0x730
+[ 12.507789] setup_irq+0x49/0x80
+[ 12.508195] hpet_time_init+0x21/0x32
+[ 12.508644] x86_late_time_init+0xb/0x16
+[ 12.509106] start_kernel+0x390/0x42a
+[ 12.509554] secondary_startup_64+0xa4/0xb0
+[ 12.510034] IN-SOFTIRQ-W at:
+[ 12.510305] _raw_spin_lock+0x2f/0x40
+[ 12.510772] try_to_wake_up+0x1c7/0x4e0
+[ 12.511220] swake_up_locked+0x20/0x40
+[ 12.511657] swake_up_one+0x1a/0x30
+[ 12.512070] rcu_process_callbacks+0xc5/0x650
+[ 12.512553] __do_softirq+0xe6/0x47b
+[ 12.512978] irq_exit+0xc3/0xd0
+[ 12.513372] smp_apic_timer_interrupt+0xa9/0x250
+[ 12.513876] apic_timer_interrupt+0xf/0x20
+[ 12.514343] default_idle+0x1c/0x170
+[ 12.514765] do_idle+0x199/0x240
+[ 12.515159] cpu_startup_entry+0x19/0x20
+[ 12.515614] start_kernel+0x422/0x42a
+[ 12.516045] secondary_startup_64+0xa4/0xb0
+[ 12.516521] INITIAL USE at:
+[ 12.516774] _raw_spin_lock_irqsave+0x38/0x50
+[ 12.517258] rq_attach_root+0x16/0xd0
+[ 12.517685] sched_init+0x2f2/0x3eb
+[ 12.518096] start_kernel+0x1fb/0x42a
+[ 12.518525] secondary_startup_64+0xa4/0xb0
+[ 12.518986] }
+[ 12.519132] ... key at: [<ffffffff82b7bc28>] __key.71384+0x0/0x8
+[ 12.519649] ... acquired at:
+[ 12.519892] pcpu_freelist_pop+0x7b/0xd0
+[ 12.520221] bpf_get_stackid+0x1d2/0x4d0
+[ 12.520563] ___bpf_prog_run+0x8b4/0x11a0
+[ 12.520887]
+[ 12.521008] -> (&head->lock){+...} {
+[ 12.521292] HARDIRQ-ON-W at:
+[ 12.521539] _raw_spin_lock+0x2f/0x40
+[ 12.521950] pcpu_freelist_push+0x2a/0x40
+[ 12.522396] bpf_get_stackid+0x494/0x4d0
+[ 12.522828] ___bpf_prog_run+0x8b4/0x11a0
+[ 12.523296] INITIAL USE at:
+[ 12.523537] _raw_spin_lock+0x2f/0x40
+[ 12.523944] pcpu_freelist_populate+0xc0/0x120
+[ 12.524417] htab_map_alloc+0x405/0x500
+[ 12.524835] __do_sys_bpf+0x1a3/0x1a90
+[ 12.525253] do_syscall_64+0x4a/0x180
+[ 12.525659] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 12.526167] }
+[ 12.526311] ... key at: [<ffffffff838f7668>] __key.13130+0x0/0x8
+[ 12.526812] ... acquired at:
+[ 12.527047] __lock_acquire+0x521/0x1350
+[ 12.527371] lock_acquire+0x98/0x190
+[ 12.527680] _raw_spin_lock+0x2f/0x40
+[ 12.527994] pcpu_freelist_push+0x2a/0x40
+[ 12.528325] bpf_get_stackid+0x494/0x4d0
+[ 12.528645] ___bpf_prog_run+0x8b4/0x11a0
+[ 12.528970]
+[ 12.529092]
+[ 12.529092] stack backtrace:
+[ 12.529444] CPU: 0 PID: 276 Comm: dd Not tainted 5.0.0-rc3-00018-g2fa53f892422 #475
+[ 12.530043] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
+[ 12.530750] Call Trace:
+[ 12.530948] dump_stack+0x5f/0x8b
+[ 12.531248] check_usage_backwards+0x10c/0x120
+[ 12.531598] ? ___bpf_prog_run+0x8b4/0x11a0
+[ 12.531935] ? mark_lock+0x382/0x560
+[ 12.532229] mark_lock+0x382/0x560
+[ 12.532496] ? print_shortest_lock_dependencies+0x180/0x180
+[ 12.532928] __lock_acquire+0x521/0x1350
+[ 12.533271] ? find_get_entry+0x17f/0x2e0
+[ 12.533586] ? find_get_entry+0x19c/0x2e0
+[ 12.533902] ? lock_acquire+0x98/0x190
+[ 12.534196] lock_acquire+0x98/0x190
+[ 12.534482] ? pcpu_freelist_push+0x2a/0x40
+[ 12.534810] _raw_spin_lock+0x2f/0x40
+[ 12.535099] ? pcpu_freelist_push+0x2a/0x40
+[ 12.535432] pcpu_freelist_push+0x2a/0x40
+[ 12.535750] bpf_get_stackid+0x494/0x4d0
+[ 12.536062] ___bpf_prog_run+0x8b4/0x11a0
+
+It has been explained that is a false positive here:
+https://lkml.org/lkml/2018/7/25/756
+Recap:
+- stackmap uses pcpu_freelist
+- The lock in pcpu_freelist is a percpu lock
+- stackmap is only used by tracing bpf_prog
+- A tracing bpf_prog cannot be run if another bpf_prog
+ has already been running (ensured by the percpu bpf_prog_active counter).
+
+Eric pointed out that this lockdep splats stops other
+legit lockdep splats in selftests/bpf/test_progs.c.
+
+Fix this by calling local_irq_save/restore for stackmap.
+
+Another false positive had also been worked around by calling
+local_irq_save in commit 89ad2fa3f043 ("bpf: fix lockdep splat").
+That commit added unnecessary irq_save/restore to fast path of
+bpf hash map. irqs are already disabled at that point, since htab
+is holding per bucket spin_lock with irqsave.
+
+Let's reduce overhead for htab by introducing __pcpu_freelist_push/pop
+function w/o irqsave and convert pcpu_freelist_push/pop to irqsave
+to be used elsewhere (right now only in stackmap).
+It stops lockdep false positive in stackmap with a bit of acceptable overhead.
+
+Fixes: 557c0c6e7df8 ("bpf: convert stackmap to pre-allocation")
+Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/hashtab.c | 4 ++--
+ kernel/bpf/percpu_freelist.c | 41 +++++++++++++++++++++++++-----------
+ kernel/bpf/percpu_freelist.h | 4 ++++
+ 3 files changed, 35 insertions(+), 14 deletions(-)
+
+diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
+index 3d0ecc273cc6..84237f640789 100644
+--- a/kernel/bpf/hashtab.c
++++ b/kernel/bpf/hashtab.c
+@@ -655,7 +655,7 @@ static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l)
+ }
+
+ if (htab_is_prealloc(htab)) {
+- pcpu_freelist_push(&htab->freelist, &l->fnode);
++ __pcpu_freelist_push(&htab->freelist, &l->fnode);
+ } else {
+ atomic_dec(&htab->count);
+ l->htab = htab;
+@@ -717,7 +717,7 @@ static struct htab_elem *alloc_htab_elem(struct bpf_htab *htab, void *key,
+ } else {
+ struct pcpu_freelist_node *l;
+
+- l = pcpu_freelist_pop(&htab->freelist);
++ l = __pcpu_freelist_pop(&htab->freelist);
+ if (!l)
+ return ERR_PTR(-E2BIG);
+ l_new = container_of(l, struct htab_elem, fnode);
+diff --git a/kernel/bpf/percpu_freelist.c b/kernel/bpf/percpu_freelist.c
+index 673fa6fe2d73..0c1b4ba9e90e 100644
+--- a/kernel/bpf/percpu_freelist.c
++++ b/kernel/bpf/percpu_freelist.c
+@@ -28,8 +28,8 @@ void pcpu_freelist_destroy(struct pcpu_freelist *s)
+ free_percpu(s->freelist);
+ }
+
+-static inline void __pcpu_freelist_push(struct pcpu_freelist_head *head,
+- struct pcpu_freelist_node *node)
++static inline void ___pcpu_freelist_push(struct pcpu_freelist_head *head,
++ struct pcpu_freelist_node *node)
+ {
+ raw_spin_lock(&head->lock);
+ node->next = head->first;
+@@ -37,12 +37,22 @@ static inline void __pcpu_freelist_push(struct pcpu_freelist_head *head,
+ raw_spin_unlock(&head->lock);
+ }
+
+-void pcpu_freelist_push(struct pcpu_freelist *s,
++void __pcpu_freelist_push(struct pcpu_freelist *s,
+ struct pcpu_freelist_node *node)
+ {
+ struct pcpu_freelist_head *head = this_cpu_ptr(s->freelist);
+
+- __pcpu_freelist_push(head, node);
++ ___pcpu_freelist_push(head, node);
++}
++
++void pcpu_freelist_push(struct pcpu_freelist *s,
++ struct pcpu_freelist_node *node)
++{
++ unsigned long flags;
++
++ local_irq_save(flags);
++ __pcpu_freelist_push(s, node);
++ local_irq_restore(flags);
+ }
+
+ void pcpu_freelist_populate(struct pcpu_freelist *s, void *buf, u32 elem_size,
+@@ -63,7 +73,7 @@ void pcpu_freelist_populate(struct pcpu_freelist *s, void *buf, u32 elem_size,
+ for_each_possible_cpu(cpu) {
+ again:
+ head = per_cpu_ptr(s->freelist, cpu);
+- __pcpu_freelist_push(head, buf);
++ ___pcpu_freelist_push(head, buf);
+ i++;
+ buf += elem_size;
+ if (i == nr_elems)
+@@ -74,14 +84,12 @@ void pcpu_freelist_populate(struct pcpu_freelist *s, void *buf, u32 elem_size,
+ local_irq_restore(flags);
+ }
+
+-struct pcpu_freelist_node *pcpu_freelist_pop(struct pcpu_freelist *s)
++struct pcpu_freelist_node *__pcpu_freelist_pop(struct pcpu_freelist *s)
+ {
+ struct pcpu_freelist_head *head;
+ struct pcpu_freelist_node *node;
+- unsigned long flags;
+ int orig_cpu, cpu;
+
+- local_irq_save(flags);
+ orig_cpu = cpu = raw_smp_processor_id();
+ while (1) {
+ head = per_cpu_ptr(s->freelist, cpu);
+@@ -89,16 +97,25 @@ struct pcpu_freelist_node *pcpu_freelist_pop(struct pcpu_freelist *s)
+ node = head->first;
+ if (node) {
+ head->first = node->next;
+- raw_spin_unlock_irqrestore(&head->lock, flags);
++ raw_spin_unlock(&head->lock);
+ return node;
+ }
+ raw_spin_unlock(&head->lock);
+ cpu = cpumask_next(cpu, cpu_possible_mask);
+ if (cpu >= nr_cpu_ids)
+ cpu = 0;
+- if (cpu == orig_cpu) {
+- local_irq_restore(flags);
++ if (cpu == orig_cpu)
+ return NULL;
+- }
+ }
+ }
++
++struct pcpu_freelist_node *pcpu_freelist_pop(struct pcpu_freelist *s)
++{
++ struct pcpu_freelist_node *ret;
++ unsigned long flags;
++
++ local_irq_save(flags);
++ ret = __pcpu_freelist_pop(s);
++ local_irq_restore(flags);
++ return ret;
++}
+diff --git a/kernel/bpf/percpu_freelist.h b/kernel/bpf/percpu_freelist.h
+index 3049aae8ea1e..c3960118e617 100644
+--- a/kernel/bpf/percpu_freelist.h
++++ b/kernel/bpf/percpu_freelist.h
+@@ -22,8 +22,12 @@ struct pcpu_freelist_node {
+ struct pcpu_freelist_node *next;
+ };
+
++/* pcpu_freelist_* do spin_lock_irqsave. */
+ void pcpu_freelist_push(struct pcpu_freelist *, struct pcpu_freelist_node *);
+ struct pcpu_freelist_node *pcpu_freelist_pop(struct pcpu_freelist *);
++/* __pcpu_freelist_* do spin_lock only. caller must disable irqs. */
++void __pcpu_freelist_push(struct pcpu_freelist *, struct pcpu_freelist_node *);
++struct pcpu_freelist_node *__pcpu_freelist_pop(struct pcpu_freelist *);
+ void pcpu_freelist_populate(struct pcpu_freelist *s, void *buf, u32 elem_size,
+ u32 nr_elems);
+ int pcpu_freelist_init(struct pcpu_freelist *);
+--
+2.19.1
+
--- /dev/null
+From 92899a144ba1b345c850c0f81ad72313a49d0233 Mon Sep 17 00:00:00 2001
+From: Martynas Pumputis <m@lambda.lt>
+Date: Thu, 31 Jan 2019 10:19:33 +0100
+Subject: bpf, selftests: fix handling of sparse CPU allocations
+
+[ Upstream commit 1bb54c4071f585ebef56ce8fdfe6026fa2cbcddd ]
+
+Previously, bpf_num_possible_cpus() had a bug when calculating a
+number of possible CPUs in the case of sparse CPU allocations, as
+it was considering only the first range or element of
+/sys/devices/system/cpu/possible.
+
+E.g. in the case of "0,2-3" (CPU 1 is not available), the function
+returned 1 instead of 3.
+
+This patch fixes the function by making it parse all CPU ranges and
+elements.
+
+Signed-off-by: Martynas Pumputis <m@lambda.lt>
+Acked-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/bpf_util.h | 30 +++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/bpf_util.h b/tools/testing/selftests/bpf/bpf_util.h
+index d0811b3d6a6f..4bf720364934 100644
+--- a/tools/testing/selftests/bpf/bpf_util.h
++++ b/tools/testing/selftests/bpf/bpf_util.h
+@@ -13,7 +13,7 @@ static inline unsigned int bpf_num_possible_cpus(void)
+ unsigned int start, end, possible_cpus = 0;
+ char buff[128];
+ FILE *fp;
+- int n;
++ int len, n, i, j = 0;
+
+ fp = fopen(fcpu, "r");
+ if (!fp) {
+@@ -21,17 +21,27 @@ static inline unsigned int bpf_num_possible_cpus(void)
+ exit(1);
+ }
+
+- while (fgets(buff, sizeof(buff), fp)) {
+- n = sscanf(buff, "%u-%u", &start, &end);
+- if (n == 0) {
+- printf("Failed to retrieve # possible CPUs!\n");
+- exit(1);
+- } else if (n == 1) {
+- end = start;
++ if (!fgets(buff, sizeof(buff), fp)) {
++ printf("Failed to read %s!\n", fcpu);
++ exit(1);
++ }
++
++ len = strlen(buff);
++ for (i = 0; i <= len; i++) {
++ if (buff[i] == ',' || buff[i] == '\0') {
++ buff[i] = '\0';
++ n = sscanf(&buff[j], "%u-%u", &start, &end);
++ if (n <= 0) {
++ printf("Failed to retrieve # possible CPUs!\n");
++ exit(1);
++ } else if (n == 1) {
++ end = start;
++ }
++ possible_cpus += end - start + 1;
++ j = i + 1;
+ }
+- possible_cpus = start == 0 ? end + 1 : 0;
+- break;
+ }
++
+ fclose(fp);
+
+ return possible_cpus;
+--
+2.19.1
+
--- /dev/null
+From cc9ef0372c607bf623d24b4d0a4559e112a02022 Mon Sep 17 00:00:00 2001
+From: Yafang Shao <laoar.shao@gmail.com>
+Date: Wed, 23 Jan 2019 12:37:19 +0800
+Subject: bpf: sock recvbuff must be limited by rmem_max in bpf_setsockopt()
+
+[ Upstream commit c9e4576743eeda8d24dedc164d65b78877f9a98c ]
+
+When sock recvbuff is set by bpf_setsockopt(), the value must by
+limited by rmem_max. It is the same with sendbuff.
+
+Fixes: 8c4b4c7e9ff0 ("bpf: Add setsockopt helper function to bpf")
+Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Acked-by: Lawrence Brakmo <brakmo@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 41ede90fc28f..61396648381e 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -3081,10 +3081,12 @@ BPF_CALL_5(bpf_setsockopt, struct bpf_sock_ops_kern *, bpf_sock,
+ /* Only some socketops are supported */
+ switch (optname) {
+ case SO_RCVBUF:
++ val = min_t(u32, val, sysctl_rmem_max);
+ sk->sk_userlocks |= SOCK_RCVBUF_LOCK;
+ sk->sk_rcvbuf = max_t(int, val * 2, SOCK_MIN_RCVBUF);
+ break;
+ case SO_SNDBUF:
++ val = min_t(u32, val, sysctl_wmem_max);
+ sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
+ sk->sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF);
+ break;
+--
+2.19.1
+
--- /dev/null
+From a6448b5df215044f3b9e62262cc587b1800a1fab Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Tue, 29 Jan 2019 12:46:16 +1000
+Subject: cifs: fix computation for MAX_SMB2_HDR_SIZE
+
+[ Upstream commit 58d15ed1203f4d858c339ea4d7dafa94bd2a56d3 ]
+
+The size of the fixed part of the create response is 88 bytes not 56.
+
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2pdu.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h
+index e52454059725..bad458a2b579 100644
+--- a/fs/cifs/smb2pdu.h
++++ b/fs/cifs/smb2pdu.h
+@@ -84,8 +84,8 @@
+
+ #define NUMBER_OF_SMB2_COMMANDS 0x0013
+
+-/* 4 len + 52 transform hdr + 64 hdr + 56 create rsp */
+-#define MAX_SMB2_HDR_SIZE 0x00b0
++/* 52 transform hdr + 64 hdr + 88 create rsp */
++#define MAX_SMB2_HDR_SIZE 204
+
+ #define SMB2_PROTO_NUMBER cpu_to_le32(0x424d53fe)
+ #define SMB2_TRANSFORM_PROTO_NUM cpu_to_le32(0x424d53fd)
+--
+2.19.1
+
--- /dev/null
+From 34be0ad923534510cdf480a450c9ff29fc52fc23 Mon Sep 17 00:00:00 2001
+From: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+Date: Wed, 23 Jan 2019 16:33:47 +0000
+Subject: dmaengine: at_xdmac: Fix wrongfull report of a channel as in use
+
+[ Upstream commit dc3f595b6617ebc0307e0ce151e8f2f2b2489b95 ]
+
+atchan->status variable is used to store two different information:
+ - pass channel interrupts status from interrupt handler to tasklet;
+ - channel information like whether it is cyclic or paused;
+
+This causes a bug when device_terminate_all() is called,
+(AT_XDMAC_CHAN_IS_CYCLIC cleared on atchan->status) and then a late End
+of Block interrupt arrives (AT_XDMAC_CIS_BIS), which sets bit 0 of
+atchan->status. Bit 0 is also used for AT_XDMAC_CHAN_IS_CYCLIC, so when
+a new descriptor for a cyclic transfer is created, the driver reports
+the channel as in use:
+
+if (test_and_set_bit(AT_XDMAC_CHAN_IS_CYCLIC, &atchan->status)) {
+ dev_err(chan2dev(chan), "channel currently used\n");
+ return NULL;
+}
+
+This patch fixes the bug by adding a different struct member to keep
+the interrupts status separated from the channel status bits.
+
+Fixes: e1f7c9eee707 ("dmaengine: at_xdmac: creation of the atmel eXtended DMA Controller driver")
+Signed-off-by: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/at_xdmac.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c
+index 94236ec9d410..4db2cd1c611d 100644
+--- a/drivers/dma/at_xdmac.c
++++ b/drivers/dma/at_xdmac.c
+@@ -203,6 +203,7 @@ struct at_xdmac_chan {
+ u32 save_cim;
+ u32 save_cnda;
+ u32 save_cndc;
++ u32 irq_status;
+ unsigned long status;
+ struct tasklet_struct tasklet;
+ struct dma_slave_config sconfig;
+@@ -1580,8 +1581,8 @@ static void at_xdmac_tasklet(unsigned long data)
+ struct at_xdmac_desc *desc;
+ u32 error_mask;
+
+- dev_dbg(chan2dev(&atchan->chan), "%s: status=0x%08lx\n",
+- __func__, atchan->status);
++ dev_dbg(chan2dev(&atchan->chan), "%s: status=0x%08x\n",
++ __func__, atchan->irq_status);
+
+ error_mask = AT_XDMAC_CIS_RBEIS
+ | AT_XDMAC_CIS_WBEIS
+@@ -1589,15 +1590,15 @@ static void at_xdmac_tasklet(unsigned long data)
+
+ if (at_xdmac_chan_is_cyclic(atchan)) {
+ at_xdmac_handle_cyclic(atchan);
+- } else if ((atchan->status & AT_XDMAC_CIS_LIS)
+- || (atchan->status & error_mask)) {
++ } else if ((atchan->irq_status & AT_XDMAC_CIS_LIS)
++ || (atchan->irq_status & error_mask)) {
+ struct dma_async_tx_descriptor *txd;
+
+- if (atchan->status & AT_XDMAC_CIS_RBEIS)
++ if (atchan->irq_status & AT_XDMAC_CIS_RBEIS)
+ dev_err(chan2dev(&atchan->chan), "read bus error!!!");
+- if (atchan->status & AT_XDMAC_CIS_WBEIS)
++ if (atchan->irq_status & AT_XDMAC_CIS_WBEIS)
+ dev_err(chan2dev(&atchan->chan), "write bus error!!!");
+- if (atchan->status & AT_XDMAC_CIS_ROIS)
++ if (atchan->irq_status & AT_XDMAC_CIS_ROIS)
+ dev_err(chan2dev(&atchan->chan), "request overflow error!!!");
+
+ spin_lock_bh(&atchan->lock);
+@@ -1652,7 +1653,7 @@ static irqreturn_t at_xdmac_interrupt(int irq, void *dev_id)
+ atchan = &atxdmac->chan[i];
+ chan_imr = at_xdmac_chan_read(atchan, AT_XDMAC_CIM);
+ chan_status = at_xdmac_chan_read(atchan, AT_XDMAC_CIS);
+- atchan->status = chan_status & chan_imr;
++ atchan->irq_status = chan_status & chan_imr;
+ dev_vdbg(atxdmac->dma.dev,
+ "%s: chan%d: imr=0x%x, status=0x%x\n",
+ __func__, i, chan_imr, chan_status);
+@@ -1666,7 +1667,7 @@ static irqreturn_t at_xdmac_interrupt(int irq, void *dev_id)
+ at_xdmac_chan_read(atchan, AT_XDMAC_CDA),
+ at_xdmac_chan_read(atchan, AT_XDMAC_CUBC));
+
+- if (atchan->status & (AT_XDMAC_CIS_RBEIS | AT_XDMAC_CIS_WBEIS))
++ if (atchan->irq_status & (AT_XDMAC_CIS_RBEIS | AT_XDMAC_CIS_WBEIS))
+ at_xdmac_write(atxdmac, AT_XDMAC_GD, atchan->mask);
+
+ tasklet_schedule(&atchan->tasklet);
+--
+2.19.1
+
--- /dev/null
+From fbec0fdd029f2edba24b9b413e72107d9adc1fc2 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Wed, 30 Jan 2019 21:48:44 +0200
+Subject: dmaengine: dmatest: Abort test in case of mapping error
+
+[ Upstream commit 6454368a804c4955ccd116236037536f81e5b1f1 ]
+
+In case of mapping error the DMA addresses are invalid and continuing
+will screw system memory or potentially something else.
+
+[ 222.480310] dmatest: dma0chan7-copy0: summary 1 tests, 3 failures 6 iops 349 KB/s (0)
+...
+[ 240.912725] check: Corrupted low memory at 00000000c7c75ac9 (2940 phys) = 5656000000000000
+[ 240.921998] check: Corrupted low memory at 000000005715a1cd (2948 phys) = 279f2aca5595ab2b
+[ 240.931280] check: Corrupted low memory at 000000002f4024c0 (2950 phys) = 5e5624f349e793cf
+...
+
+Abort any test if mapping failed.
+
+Fixes: 4076e755dbec ("dmatest: convert to dmaengine_unmap_data")
+Cc: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/dmatest.c | 28 ++++++++++++----------------
+ 1 file changed, 12 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/dma/dmatest.c b/drivers/dma/dmatest.c
+index 80cc2be6483c..e39336127741 100644
+--- a/drivers/dma/dmatest.c
++++ b/drivers/dma/dmatest.c
+@@ -626,11 +626,9 @@ static int dmatest_func(void *data)
+ srcs[i] = um->addr[i] + src_off;
+ ret = dma_mapping_error(dev->dev, um->addr[i]);
+ if (ret) {
+- dmaengine_unmap_put(um);
+ result("src mapping error", total_tests,
+ src_off, dst_off, len, ret);
+- failed_tests++;
+- continue;
++ goto error_unmap_continue;
+ }
+ um->to_cnt++;
+ }
+@@ -645,11 +643,9 @@ static int dmatest_func(void *data)
+ DMA_BIDIRECTIONAL);
+ ret = dma_mapping_error(dev->dev, dsts[i]);
+ if (ret) {
+- dmaengine_unmap_put(um);
+ result("dst mapping error", total_tests,
+ src_off, dst_off, len, ret);
+- failed_tests++;
+- continue;
++ goto error_unmap_continue;
+ }
+ um->bidi_cnt++;
+ }
+@@ -679,12 +675,10 @@ static int dmatest_func(void *data)
+ }
+
+ if (!tx) {
+- dmaengine_unmap_put(um);
+ result("prep error", total_tests, src_off,
+ dst_off, len, ret);
+ msleep(100);
+- failed_tests++;
+- continue;
++ goto error_unmap_continue;
+ }
+
+ done->done = false;
+@@ -693,12 +687,10 @@ static int dmatest_func(void *data)
+ cookie = tx->tx_submit(tx);
+
+ if (dma_submit_error(cookie)) {
+- dmaengine_unmap_put(um);
+ result("submit error", total_tests, src_off,
+ dst_off, len, ret);
+ msleep(100);
+- failed_tests++;
+- continue;
++ goto error_unmap_continue;
+ }
+ dma_async_issue_pending(chan);
+
+@@ -711,16 +703,14 @@ static int dmatest_func(void *data)
+ dmaengine_unmap_put(um);
+ result("test timed out", total_tests, src_off, dst_off,
+ len, 0);
+- failed_tests++;
+- continue;
++ goto error_unmap_continue;
+ } else if (status != DMA_COMPLETE) {
+ dmaengine_unmap_put(um);
+ result(status == DMA_ERROR ?
+ "completion error status" :
+ "completion busy status", total_tests, src_off,
+ dst_off, len, ret);
+- failed_tests++;
+- continue;
++ goto error_unmap_continue;
+ }
+
+ dmaengine_unmap_put(um);
+@@ -765,6 +755,12 @@ static int dmatest_func(void *data)
+ verbose_result("test passed", total_tests, src_off,
+ dst_off, len, 0);
+ }
++
++ continue;
++
++error_unmap_continue:
++ dmaengine_unmap_put(um);
++ failed_tests++;
+ }
+ ktime = ktime_sub(ktime_get(), ktime);
+ ktime = ktime_sub(ktime, comparetime);
+--
+2.19.1
+
--- /dev/null
+From a76e9eadd4c5cd796a574c8a0891418289e6a7b1 Mon Sep 17 00:00:00 2001
+From: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Date: Thu, 31 Jan 2019 14:25:50 +0100
+Subject: drm/sun4i: tcon: Prepare and enable TCON channel 0 clock at init
+
+[ Upstream commit b14e945bda8ae227d1bf2b1837c0c4a61721cd1a ]
+
+When initializing clocks, a reference to the TCON channel 0 clock is
+obtained. However, the clock is never prepared and enabled later.
+Switching from simplefb to DRM actually disables the clock (that was
+usually configured by U-Boot) because of that.
+
+On the V3s, this results in a hang when writing to some mixer registers
+when switching over to DRM from simplefb.
+
+Fix this by preparing and enabling the clock when initializing other
+clocks. Waiting for sun4i_tcon_channel_enable to enable the clock is
+apparently too late and results in the same mixer register access hang.
+
+Signed-off-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190131132550.26355-1-paul.kocialkowski@bootlin.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/sun4i/sun4i_tcon.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/sun4i/sun4i_tcon.c b/drivers/gpu/drm/sun4i/sun4i_tcon.c
+index 7b909d814d38..095bd6b4ae80 100644
+--- a/drivers/gpu/drm/sun4i/sun4i_tcon.c
++++ b/drivers/gpu/drm/sun4i/sun4i_tcon.c
+@@ -371,6 +371,7 @@ static int sun4i_tcon_init_clocks(struct device *dev,
+ dev_err(dev, "Couldn't get the TCON channel 0 clock\n");
+ return PTR_ERR(tcon->sclk0);
+ }
++ clk_prepare_enable(tcon->sclk0);
+
+ if (tcon->quirks->has_channel_1) {
+ tcon->sclk1 = devm_clk_get(dev, "tcon-ch1");
+@@ -385,6 +386,7 @@ static int sun4i_tcon_init_clocks(struct device *dev,
+
+ static void sun4i_tcon_free_clocks(struct sun4i_tcon *tcon)
+ {
++ clk_disable_unprepare(tcon->sclk0);
+ clk_disable_unprepare(tcon->clk);
+ }
+
+--
+2.19.1
+
--- /dev/null
+From ab8559e5e4001730001bfb28dd245e05538c10ae Mon Sep 17 00:00:00 2001
+From: Zhou Yanjie <zhouyanjie@cduestc.edu.cn>
+Date: Fri, 25 Jan 2019 02:22:15 +0800
+Subject: DTS: CI20: Fix bugs in ci20's device tree.
+
+[ Upstream commit 1ca1c87f91d9dc50d6a38e2177b2032996e7901c ]
+
+According to the Schematic, the hardware of ci20 leads to uart3,
+but not to uart2. Uart2 is miswritten in the original code.
+
+Signed-off-by: Zhou Yanjie <zhouyanjie@cduestc.edu.cn>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: linux-mips <linux-mips@vger.kernel.org>
+Cc: linux-kernel <linux-kernel@vger.kernel.org>
+Cc: devicetree@vger.kernel.org
+Cc: robh+dt@kernel.org
+Cc: ralf@linux-mips.org
+Cc: jhogan@kernel.org
+Cc: mark.rutland@arm.com
+Cc: malat@debian.org
+Cc: ezequiel@collabora.co.uk
+Cc: ulf.hansson@linaro.org
+Cc: syq <syq@debian.org>
+Cc: jiaxun.yang <jiaxun.yang@flygoat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/boot/dts/ingenic/ci20.dts | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/mips/boot/dts/ingenic/ci20.dts b/arch/mips/boot/dts/ingenic/ci20.dts
+index a4cc52214dbd..dad4aa0ebdd8 100644
+--- a/arch/mips/boot/dts/ingenic/ci20.dts
++++ b/arch/mips/boot/dts/ingenic/ci20.dts
+@@ -54,7 +54,7 @@
+ status = "okay";
+
+ pinctrl-names = "default";
+- pinctrl-0 = <&pins_uart2>;
++ pinctrl-0 = <&pins_uart3>;
+ };
+
+ &uart4 {
+@@ -174,9 +174,9 @@
+ bias-disable;
+ };
+
+- pins_uart2: uart2 {
+- function = "uart2";
+- groups = "uart2-data", "uart2-hwflow";
++ pins_uart3: uart3 {
++ function = "uart3";
++ groups = "uart3-data", "uart3-hwflow";
+ bias-disable;
+ };
+
+--
+2.19.1
+
--- /dev/null
+From af9439b63b3180137582898b362c56f8afe7a807 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Fri, 1 Feb 2019 14:21:23 -0800
+Subject: fs/drop_caches.c: avoid softlockups in drop_pagecache_sb()
+
+[ Upstream commit c27d82f52f75fc9d8d9d40d120d2a96fdeeada5e ]
+
+When superblock has lots of inodes without any pagecache (like is the
+case for /proc), drop_pagecache_sb() will iterate through all of them
+without dropping sb->s_inode_list_lock which can lead to softlockups
+(one of our customers hit this).
+
+Fix the problem by going to the slow path and doing cond_resched() in
+case the process needs rescheduling.
+
+Link: http://lkml.kernel.org/r/20190114085343.15011-1-jack@suse.cz
+Signed-off-by: Jan Kara <jack@suse.cz>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Al Viro <viro@ZenIV.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/drop_caches.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/drop_caches.c b/fs/drop_caches.c
+index 82377017130f..d31b6c72b476 100644
+--- a/fs/drop_caches.c
++++ b/fs/drop_caches.c
+@@ -21,8 +21,13 @@ static void drop_pagecache_sb(struct super_block *sb, void *unused)
+ spin_lock(&sb->s_inode_list_lock);
+ list_for_each_entry(inode, &sb->s_inodes, i_sb_list) {
+ spin_lock(&inode->i_lock);
++ /*
++ * We must skip inodes in unusual state. We may also skip
++ * inodes without pages but we deliberately won't in case
++ * we need to reschedule to avoid softlockups.
++ */
+ if ((inode->i_state & (I_FREEING|I_WILL_FREE|I_NEW)) ||
+- (inode->i_mapping->nrpages == 0)) {
++ (inode->i_mapping->nrpages == 0 && !need_resched())) {
+ spin_unlock(&inode->i_lock);
+ continue;
+ }
+@@ -30,6 +35,7 @@ static void drop_pagecache_sb(struct super_block *sb, void *unused)
+ spin_unlock(&inode->i_lock);
+ spin_unlock(&sb->s_inode_list_lock);
+
++ cond_resched();
+ invalidate_mapping_pages(inode->i_mapping, 0, -1);
+ iput(toput_inode);
+ toput_inode = inode;
+--
+2.19.1
+
--- /dev/null
+From 84fda75a12a7bb7c71b30436af1b7039e42e8651 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Mon, 21 Jan 2019 22:49:37 +0900
+Subject: fs: ratelimit __find_get_block_slow() failure message.
+
+[ Upstream commit 43636c804df0126da669c261fc820fb22f62bfc2 ]
+
+When something let __find_get_block_slow() hit all_mapped path, it calls
+printk() for 100+ times per a second. But there is no need to print same
+message with such high frequency; it is just asking for stall warning, or
+at least bloating log files.
+
+ [ 399.866302][T15342] __find_get_block_slow() failed. block=1, b_blocknr=8
+ [ 399.873324][T15342] b_state=0x00000029, b_size=512
+ [ 399.878403][T15342] device loop0 blocksize: 4096
+ [ 399.883296][T15342] __find_get_block_slow() failed. block=1, b_blocknr=8
+ [ 399.890400][T15342] b_state=0x00000029, b_size=512
+ [ 399.895595][T15342] device loop0 blocksize: 4096
+ [ 399.900556][T15342] __find_get_block_slow() failed. block=1, b_blocknr=8
+ [ 399.907471][T15342] b_state=0x00000029, b_size=512
+ [ 399.912506][T15342] device loop0 blocksize: 4096
+
+This patch reduces frequency to up to once per a second, in addition to
+concatenating three lines into one.
+
+ [ 399.866302][T15342] __find_get_block_slow() failed. block=1, b_blocknr=8, b_state=0x00000029, b_size=512, device loop0 blocksize: 4096
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/buffer.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/fs/buffer.c b/fs/buffer.c
+index b96f3b98a6ef..8086cc8ff0bc 100644
+--- a/fs/buffer.c
++++ b/fs/buffer.c
+@@ -208,6 +208,7 @@ __find_get_block_slow(struct block_device *bdev, sector_t block)
+ struct buffer_head *head;
+ struct page *page;
+ int all_mapped = 1;
++ static DEFINE_RATELIMIT_STATE(last_warned, HZ, 1);
+
+ index = block >> (PAGE_SHIFT - bd_inode->i_blkbits);
+ page = find_get_page_flags(bd_mapping, index, FGP_ACCESSED);
+@@ -235,15 +236,15 @@ __find_get_block_slow(struct block_device *bdev, sector_t block)
+ * file io on the block device and getblk. It gets dealt with
+ * elsewhere, don't buffer_error if we had some unmapped buffers
+ */
+- if (all_mapped) {
+- printk("__find_get_block_slow() failed. "
+- "block=%llu, b_blocknr=%llu\n",
+- (unsigned long long)block,
+- (unsigned long long)bh->b_blocknr);
+- printk("b_state=0x%08lx, b_size=%zu\n",
+- bh->b_state, bh->b_size);
+- printk("device %pg blocksize: %d\n", bdev,
+- 1 << bd_inode->i_blkbits);
++ ratelimit_set_flags(&last_warned, RATELIMIT_MSG_ON_RELEASE);
++ if (all_mapped && __ratelimit(&last_warned)) {
++ printk("__find_get_block_slow() failed. block=%llu, "
++ "b_blocknr=%llu, b_state=0x%08lx, b_size=%zu, "
++ "device %pg blocksize: %d\n",
++ (unsigned long long)block,
++ (unsigned long long)bh->b_blocknr,
++ bh->b_state, bh->b_size, bdev,
++ 1 << bd_inode->i_blkbits);
+ }
+ out_unlock:
+ spin_unlock(&bd_mapping->private_lock);
+--
+2.19.1
+
--- /dev/null
+From b8b03cc424494d481e15e7c567ee8a43565d3743 Mon Sep 17 00:00:00 2001
+From: Andrew Lunn <andrew@lunn.ch>
+Date: Sun, 27 Jan 2019 22:58:00 +0100
+Subject: gpio: vf610: Mask all GPIO interrupts
+
+[ Upstream commit 7ae710f9f8b2cf95297e7bbfe1c09789a7dc43d4 ]
+
+On SoC reset all GPIO interrupts are disable. However, if kexec is
+used to boot into a new kernel, the SoC does not experience a
+reset. Hence GPIO interrupts can be left enabled from the previous
+kernel. It is then possible for the interrupt to fire before an
+interrupt handler is registered, resulting in the kernel complaining
+of an "unexpected IRQ trap", the interrupt is never cleared, and so
+fires again, resulting in an interrupt storm.
+
+Disable all GPIO interrupts before registering the GPIO IRQ chip.
+
+Fixes: 7f2691a19627 ("gpio: vf610: add gpiolib/IRQ chip driver for Vybrid")
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Acked-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-vf610.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/gpio/gpio-vf610.c b/drivers/gpio/gpio-vf610.c
+index cbe9e06861de..1309b444720e 100644
+--- a/drivers/gpio/gpio-vf610.c
++++ b/drivers/gpio/gpio-vf610.c
+@@ -261,6 +261,7 @@ static int vf610_gpio_probe(struct platform_device *pdev)
+ struct vf610_gpio_port *port;
+ struct resource *iores;
+ struct gpio_chip *gc;
++ int i;
+ int ret;
+
+ port = devm_kzalloc(&pdev->dev, sizeof(*port), GFP_KERNEL);
+@@ -300,6 +301,10 @@ static int vf610_gpio_probe(struct platform_device *pdev)
+ if (ret < 0)
+ return ret;
+
++ /* Mask all GPIO interrupts */
++ for (i = 0; i < gc->ngpio; i++)
++ vf610_gpio_writel(0, port->base + PORT_PCR(i));
++
+ /* Clear the interrupt status register for all GPIO's */
+ vf610_gpio_writel(~0, port->base + PORT_ISFR);
+
+--
+2.19.1
+
--- /dev/null
+From 563399cbd5e22762a03c98208d1985a11f7f7014 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Thu, 10 Jan 2019 07:59:16 -0800
+Subject: i2c: omap: Use noirq system sleep pm ops to idle device for suspend
+
+[ Upstream commit c6e2bd956936d925748581e4d0294f10f1d92f2c ]
+
+We currently get the following error with pixcir_ts driver during a
+suspend resume cycle:
+
+omap_i2c 4802a000.i2c: controller timed out
+pixcir_ts 1-005c: pixcir_int_enable: can't read reg 0x34 : -110
+pixcir_ts 1-005c: Failed to disable interrupt generation: -110
+pixcir_ts 1-005c: Failed to stop
+dpm_run_callback(): pixcir_i2c_ts_resume+0x0/0x98
+[pixcir_i2c_ts] returns -110
+PM: Device 1-005c failed to resume: error -110
+
+And at least am437x based devices with pixcir_ts will fail to resume
+to a touchscreen that is configured as the wakeup-source in device
+tree for these devices.
+
+This is because pixcir_ts tries to reconfigure it's registers for
+noirq suspend which fails. This also leaves i2c-omap in enabled state
+for suspend.
+
+Let's fix the pixcir_ts issue and make sure i2c-omap is suspended by
+adding SET_NOIRQ_SYSTEM_SLEEP_PM_OPS.
+
+Let's also get rid of some ifdefs while at it and replace them with
+__maybe_unused as SET_RUNTIME_PM_OPS and SET_NOIRQ_SYSTEM_SLEEP_PM_OPS
+already deal with the various PM Kconfig options.
+
+Reported-by: Keerthy <j-keerthy@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Acked-by: Vignesh R <vigneshr@ti.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-omap.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-omap.c b/drivers/i2c/busses/i2c-omap.c
+index 23c2ea2baedc..12ba183693d6 100644
+--- a/drivers/i2c/busses/i2c-omap.c
++++ b/drivers/i2c/busses/i2c-omap.c
+@@ -1477,8 +1477,7 @@ static int omap_i2c_remove(struct platform_device *pdev)
+ return 0;
+ }
+
+-#ifdef CONFIG_PM
+-static int omap_i2c_runtime_suspend(struct device *dev)
++static int __maybe_unused omap_i2c_runtime_suspend(struct device *dev)
+ {
+ struct omap_i2c_dev *omap = dev_get_drvdata(dev);
+
+@@ -1504,7 +1503,7 @@ static int omap_i2c_runtime_suspend(struct device *dev)
+ return 0;
+ }
+
+-static int omap_i2c_runtime_resume(struct device *dev)
++static int __maybe_unused omap_i2c_runtime_resume(struct device *dev)
+ {
+ struct omap_i2c_dev *omap = dev_get_drvdata(dev);
+
+@@ -1519,20 +1518,18 @@ static int omap_i2c_runtime_resume(struct device *dev)
+ }
+
+ static const struct dev_pm_ops omap_i2c_pm_ops = {
++ SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend,
++ pm_runtime_force_resume)
+ SET_RUNTIME_PM_OPS(omap_i2c_runtime_suspend,
+ omap_i2c_runtime_resume, NULL)
+ };
+-#define OMAP_I2C_PM_OPS (&omap_i2c_pm_ops)
+-#else
+-#define OMAP_I2C_PM_OPS NULL
+-#endif /* CONFIG_PM */
+
+ static struct platform_driver omap_i2c_driver = {
+ .probe = omap_i2c_probe,
+ .remove = omap_i2c_remove,
+ .driver = {
+ .name = "omap_i2c",
+- .pm = OMAP_I2C_PM_OPS,
++ .pm = &omap_i2c_pm_ops,
+ .of_match_table = of_match_ptr(omap_i2c_of_match),
+ },
+ };
+--
+2.19.1
+
--- /dev/null
+From 2e54dbe4fc6375ce602f383b9a621e91b3e3105b Mon Sep 17 00:00:00 2001
+From: Brian Welty <brian.welty@intel.com>
+Date: Thu, 17 Jan 2019 12:41:32 -0800
+Subject: IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM
+
+[ Upstream commit 904bba211acc2112fdf866e5a2bc6cd9ecd0de1b ]
+
+The work completion length for a receiving a UD send with immediate is
+short by 4 bytes causing application using this opcode to fail.
+
+The UD receive logic incorrectly subtracts 4 bytes for immediate
+value. These bytes are already included in header length and are used to
+calculate header/payload split, so the result is these 4 bytes are
+subtracted twice, once when the header length subtracted from the overall
+length and once again in the UD opcode specific path.
+
+Remove the extra subtraction when handling the opcode.
+
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Brian Welty <brian.welty@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/ud.c | 1 -
+ drivers/infiniband/hw/qib/qib_ud.c | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/ud.c b/drivers/infiniband/hw/hfi1/ud.c
+index 37abd150fad3..74aff88c593d 100644
+--- a/drivers/infiniband/hw/hfi1/ud.c
++++ b/drivers/infiniband/hw/hfi1/ud.c
+@@ -954,7 +954,6 @@ void hfi1_ud_rcv(struct hfi1_packet *packet)
+ opcode == IB_OPCODE_UD_SEND_ONLY_WITH_IMMEDIATE) {
+ wc.ex.imm_data = ohdr->u.ud.imm_data;
+ wc.wc_flags = IB_WC_WITH_IMM;
+- tlen -= sizeof(u32);
+ } else if (opcode == IB_OPCODE_UD_SEND_ONLY) {
+ wc.ex.imm_data = 0;
+ wc.wc_flags = 0;
+diff --git a/drivers/infiniband/hw/qib/qib_ud.c b/drivers/infiniband/hw/qib/qib_ud.c
+index be4907453ac4..5ef144e4a4cb 100644
+--- a/drivers/infiniband/hw/qib/qib_ud.c
++++ b/drivers/infiniband/hw/qib/qib_ud.c
+@@ -515,7 +515,6 @@ void qib_ud_rcv(struct qib_ibport *ibp, struct ib_header *hdr,
+ opcode == IB_OPCODE_UD_SEND_ONLY_WITH_IMMEDIATE) {
+ wc.ex.imm_data = ohdr->u.ud.imm_data;
+ wc.wc_flags = IB_WC_WITH_IMM;
+- tlen -= sizeof(u32);
+ } else if (opcode == IB_OPCODE_UD_SEND_ONLY) {
+ wc.ex.imm_data = 0;
+ wc.wc_flags = 0;
+--
+2.19.1
+
--- /dev/null
+From e66fff0982b28eeec5a215798dddbdf521a9d30d Mon Sep 17 00:00:00 2001
+From: Jerry Snitselaar <jsnitsel@redhat.com>
+Date: Thu, 17 Jan 2019 12:29:02 -0700
+Subject: iommu/amd: Call free_iova_fast with pfn in map_sg
+
+[ Upstream commit 51d8838d66d3249508940d8f59b07701f2129723 ]
+
+In the error path of map_sg, free_iova_fast is being called with
+address instead of the pfn. This results in a bad value getting into
+the rcache, and can result in hitting a BUG_ON when
+iova_magazine_free_pfns is called.
+
+Cc: Joerg Roedel <joro@8bytes.org>
+Cc: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
+Fixes: 80187fd39dcb ("iommu/amd: Optimize map_sg and unmap_sg")
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd_iommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index 766103ea237e..ded13a6afa66 100644
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -2566,7 +2566,7 @@ static int map_sg(struct device *dev, struct scatterlist *sglist,
+ }
+
+ out_free_iova:
+- free_iova_fast(&dma_dom->iovad, address, npages);
++ free_iova_fast(&dma_dom->iovad, address >> PAGE_SHIFT, npages);
+
+ out_err:
+ return 0;
+--
+2.19.1
+
--- /dev/null
+From b6b8eb167b26efe99b3c0d7d29e4b8afcde4e76c Mon Sep 17 00:00:00 2001
+From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Date: Thu, 24 Jan 2019 04:16:45 +0000
+Subject: iommu/amd: Fix IOMMU page flush when detach device from a domain
+
+[ Upstream commit 9825bd94e3a2baae1f4874767ae3a7d4c049720e ]
+
+When a VM is terminated, the VFIO driver detaches all pass-through
+devices from VFIO domain by clearing domain id and page table root
+pointer from each device table entry (DTE), and then invalidates
+the DTE. Then, the VFIO driver unmap pages and invalidate IOMMU pages.
+
+Currently, the IOMMU driver keeps track of which IOMMU and how many
+devices are attached to the domain. When invalidate IOMMU pages,
+the driver checks if the IOMMU is still attached to the domain before
+issuing the invalidate page command.
+
+However, since VFIO has already detached all devices from the domain,
+the subsequent INVALIDATE_IOMMU_PAGES commands are being skipped as
+there is no IOMMU attached to the domain. This results in data
+corruption and could cause the PCI device to end up in indeterministic
+state.
+
+Fix this by invalidate IOMMU pages when detach a device, and
+before decrementing the per-domain device reference counts.
+
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Suggested-by: Joerg Roedel <joro@8bytes.org>
+Co-developed-by: Brijesh Singh <brijesh.singh@amd.com>
+Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
+Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Fixes: 6de8ad9b9ee0 ('x86/amd-iommu: Make iommu_flush_pages aware of multiple IOMMUs')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd_iommu.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index 0c0acf6fda87..78b97f31a1f2 100644
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -1919,6 +1919,7 @@ static void do_attach(struct iommu_dev_data *dev_data,
+
+ static void do_detach(struct iommu_dev_data *dev_data)
+ {
++ struct protection_domain *domain = dev_data->domain;
+ struct amd_iommu *iommu;
+ u16 alias;
+
+@@ -1934,10 +1935,6 @@ static void do_detach(struct iommu_dev_data *dev_data)
+ iommu = amd_iommu_rlookup_table[dev_data->devid];
+ alias = dev_data->alias;
+
+- /* decrease reference counters */
+- dev_data->domain->dev_iommu[iommu->index] -= 1;
+- dev_data->domain->dev_cnt -= 1;
+-
+ /* Update data structures */
+ dev_data->domain = NULL;
+ list_del(&dev_data->list);
+@@ -1947,6 +1944,16 @@ static void do_detach(struct iommu_dev_data *dev_data)
+
+ /* Flush the DTE entry */
+ device_flush_dte(dev_data);
++
++ /* Flush IOTLB */
++ domain_flush_tlb_pde(domain);
++
++ /* Wait for the flushes to finish */
++ domain_flush_complete(domain);
++
++ /* decrease reference counters - needs to happen after the flushes */
++ domain->dev_iommu[iommu->index] -= 1;
++ domain->dev_cnt -= 1;
+ }
+
+ /*
+--
+2.19.1
+
--- /dev/null
+From 74e7b2337254489fb1ca392cdaf0b08bd12c3f4a Mon Sep 17 00:00:00 2001
+From: Jerry Snitselaar <jsnitsel@redhat.com>
+Date: Sat, 19 Jan 2019 10:38:05 -0700
+Subject: iommu/amd: Unmap all mapped pages in error path of map_sg
+
+[ Upstream commit f1724c0883bb0ce93b8dcb94b53dcca3b75ac9a7 ]
+
+In the error path of map_sg there is an incorrect if condition
+for breaking out of the loop that searches the scatterlist
+for mapped pages to unmap. Instead of breaking out of the
+loop once all the pages that were mapped have been unmapped,
+it will break out of the loop after it has unmapped 1 page.
+Fix the condition, so it breaks out of the loop only after
+all the mapped pages have been unmapped.
+
+Fixes: 80187fd39dcb ("iommu/amd: Optimize map_sg and unmap_sg")
+Cc: Joerg Roedel <joro@8bytes.org>
+Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd_iommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index ded13a6afa66..0c0acf6fda87 100644
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -2560,7 +2560,7 @@ static int map_sg(struct device *dev, struct scatterlist *sglist,
+ bus_addr = address + s->dma_address + (j << PAGE_SHIFT);
+ iommu_unmap_page(domain, bus_addr, PAGE_SIZE);
+
+- if (--mapped_pages)
++ if (--mapped_pages == 0)
+ goto out_free_iova;
+ }
+ }
+--
+2.19.1
+
--- /dev/null
+From 190429edb34e6515939fb27f7c5decdeb7958c7f Mon Sep 17 00:00:00 2001
+From: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+Date: Thu, 10 Jan 2019 16:39:06 +0800
+Subject: ipvs: Fix signed integer overflow when setsockopt timeout
+
+[ Upstream commit 53ab60baa1ac4f20b080a22c13b77b6373922fd7 ]
+
+There is a UBSAN bug report as below:
+UBSAN: Undefined behaviour in net/netfilter/ipvs/ip_vs_ctl.c:2227:21
+signed integer overflow:
+-2147483647 * 1000 cannot be represented in type 'int'
+
+Reproduce program:
+ #include <stdio.h>
+ #include <sys/types.h>
+ #include <sys/socket.h>
+
+ #define IPPROTO_IP 0
+ #define IPPROTO_RAW 255
+
+ #define IP_VS_BASE_CTL (64+1024+64)
+ #define IP_VS_SO_SET_TIMEOUT (IP_VS_BASE_CTL+10)
+
+ /* The argument to IP_VS_SO_GET_TIMEOUT */
+ struct ipvs_timeout_t {
+ int tcp_timeout;
+ int tcp_fin_timeout;
+ int udp_timeout;
+ };
+
+ int main() {
+ int ret = -1;
+ int sockfd = -1;
+ struct ipvs_timeout_t to;
+
+ sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+ if (sockfd == -1) {
+ printf("socket init error\n");
+ return -1;
+ }
+
+ to.tcp_timeout = -2147483647;
+ to.tcp_fin_timeout = -2147483647;
+ to.udp_timeout = -2147483647;
+
+ ret = setsockopt(sockfd,
+ IPPROTO_IP,
+ IP_VS_SO_SET_TIMEOUT,
+ (char *)(&to),
+ sizeof(to));
+
+ printf("setsockopt return %d\n", ret);
+ return ret;
+ }
+
+Return -EINVAL if the timeout value is negative or max than 'INT_MAX / HZ'.
+
+Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 2f45c3ce77ef..dff4ead3d117 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2252,6 +2252,18 @@ static int ip_vs_set_timeout(struct netns_ipvs *ipvs, struct ip_vs_timeout_user
+ u->tcp_fin_timeout,
+ u->udp_timeout);
+
++#ifdef CONFIG_IP_VS_PROTO_TCP
++ if (u->tcp_timeout < 0 || u->tcp_timeout > (INT_MAX / HZ) ||
++ u->tcp_fin_timeout < 0 || u->tcp_fin_timeout > (INT_MAX / HZ)) {
++ return -EINVAL;
++ }
++#endif
++
++#ifdef CONFIG_IP_VS_PROTO_UDP
++ if (u->udp_timeout < 0 || u->udp_timeout > (INT_MAX / HZ))
++ return -EINVAL;
++#endif
++
+ #ifdef CONFIG_IP_VS_PROTO_TCP
+ if (u->tcp_timeout) {
+ pd = ip_vs_proto_data_get(ipvs, IPPROTO_TCP);
+--
+2.19.1
+
--- /dev/null
+From d95baba99498cb2cd90abafb6ecbb851f30ce09e Mon Sep 17 00:00:00 2001
+From: Zenghui Yu <yuzenghui@huawei.com>
+Date: Thu, 31 Jan 2019 11:19:43 +0000
+Subject: irqchip/gic-v3-its: Fix ITT_entry_size accessor
+
+[ Upstream commit 56841070ccc87b463ac037d2d1f2beb8e5e35f0c ]
+
+According to ARM IHI 0069C (ID070116), we should use GITS_TYPER's
+bits [7:4] as ITT_entry_size instead of [8:4]. Although this is
+pretty annoying, it only results in a potential over-allocation
+of memory, and nothing bad happens.
+
+Fixes: 3dfa576bfb45 ("irqchip/gic-v3-its: Add probing for VLPI properties")
+Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
+[maz: massaged subject and commit message]
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/irqchip/arm-gic-v3.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/irqchip/arm-gic-v3.h b/include/linux/irqchip/arm-gic-v3.h
+index bacb499c512c..845ff8c51564 100644
+--- a/include/linux/irqchip/arm-gic-v3.h
++++ b/include/linux/irqchip/arm-gic-v3.h
+@@ -306,7 +306,7 @@
+ #define GITS_TYPER_PLPIS (1UL << 0)
+ #define GITS_TYPER_VLPIS (1UL << 1)
+ #define GITS_TYPER_ITT_ENTRY_SIZE_SHIFT 4
+-#define GITS_TYPER_ITT_ENTRY_SIZE(r) ((((r) >> GITS_TYPER_ITT_ENTRY_SIZE_SHIFT) & 0x1f) + 1)
++#define GITS_TYPER_ITT_ENTRY_SIZE(r) ((((r) >> GITS_TYPER_ITT_ENTRY_SIZE_SHIFT) & 0xf) + 1)
+ #define GITS_TYPER_IDBITS_SHIFT 8
+ #define GITS_TYPER_DEVBITS_SHIFT 13
+ #define GITS_TYPER_DEVBITS(r) ((((r) >> GITS_TYPER_DEVBITS_SHIFT) & 0x1f) + 1)
+--
+2.19.1
+
--- /dev/null
+From 7402a10407b1d415e991ad828f406ec1c0b7065b Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Mon, 28 Jan 2019 16:59:35 +0100
+Subject: irqchip/mmp: Only touch the PJ4 IRQ & FIQ bits on enable/disable
+
+[ Upstream commit 2380a22b60ce6f995eac806e69c66e397b59d045 ]
+
+Resetting bit 4 disables the interrupt delivery to the "secure
+processor" core. This breaks the keyboard on a OLPC XO 1.75 laptop,
+where the firmware running on the "secure processor" bit-bangs the
+PS/2 protocol over the GPIO lines.
+
+It is not clear what the rest of the bits are and Marvell was unhelpful
+when asked for documentation. Aside from the SP bit, there are probably
+priority bits.
+
+Leaving the unknown bits as the firmware set them up seems to be a wiser
+course of action compared to just turning them off.
+
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+[maz: fixed-up subject and commit message]
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-mmp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-mmp.c b/drivers/irqchip/irq-mmp.c
+index 25f32e1d7764..3496b61a312a 100644
+--- a/drivers/irqchip/irq-mmp.c
++++ b/drivers/irqchip/irq-mmp.c
+@@ -34,6 +34,9 @@
+ #define SEL_INT_PENDING (1 << 6)
+ #define SEL_INT_NUM_MASK 0x3f
+
++#define MMP2_ICU_INT_ROUTE_PJ4_IRQ (1 << 5)
++#define MMP2_ICU_INT_ROUTE_PJ4_FIQ (1 << 6)
++
+ struct icu_chip_data {
+ int nr_irqs;
+ unsigned int virq_base;
+@@ -190,7 +193,8 @@ static const struct mmp_intc_conf mmp_conf = {
+ static const struct mmp_intc_conf mmp2_conf = {
+ .conf_enable = 0x20,
+ .conf_disable = 0x0,
+- .conf_mask = 0x7f,
++ .conf_mask = MMP2_ICU_INT_ROUTE_PJ4_IRQ |
++ MMP2_ICU_INT_ROUTE_PJ4_FIQ,
+ };
+
+ static void __exception_irq_entry mmp_handle_irq(struct pt_regs *regs)
+--
+2.19.1
+
--- /dev/null
+From b2026e357fcf69bba02e05efe6e122683c8429b5 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 1 Feb 2019 14:20:58 -0800
+Subject: lib/test_kmod.c: potential double free in error handling
+
+[ Upstream commit db7ddeab3ce5d64c9696e70d61f45ea9909cd196 ]
+
+There is a copy and paste bug so we set "config->test_driver" to NULL
+twice instead of setting "config->test_fs". Smatch complains that it
+leads to a double free:
+
+ lib/test_kmod.c:840 __kmod_config_init() warn: 'config->test_fs' double freed
+
+Link: http://lkml.kernel.org/r/20190121140011.GA14283@kadam
+Fixes: d9c6a72d6fa2 ("kmod: add test driver to stress test the module loader")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Luis Chamberlain <mcgrof@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/test_kmod.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/test_kmod.c b/lib/test_kmod.c
+index 7abb59ce6613..cf619795a182 100644
+--- a/lib/test_kmod.c
++++ b/lib/test_kmod.c
+@@ -632,7 +632,7 @@ static void __kmod_config_free(struct test_config *config)
+ config->test_driver = NULL;
+
+ kfree_const(config->test_fs);
+- config->test_driver = NULL;
++ config->test_fs = NULL;
+ }
+
+ static void kmod_config_free(struct kmod_test_device *test_dev)
+--
+2.19.1
+
--- /dev/null
+From e9bb0ec00df506e933b99927883d6846e9c7cf0d Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Tue, 15 Jan 2019 16:04:54 +0800
+Subject: MIPS: Loongson: Introduce and use loongson_llsc_mb()
+
+[ Upstream commit e02e07e3127d8aec1f4bcdfb2fc52a2d99b4859e ]
+
+On the Loongson-2G/2H/3A/3B there is a hardware flaw that ll/sc and
+lld/scd is very weak ordering. We should add sync instructions "before
+each ll/lld" and "at the branch-target between ll/sc" to workaround.
+Otherwise, this flaw will cause deadlock occasionally (e.g. when doing
+heavy load test with LTP).
+
+Below is the explaination of CPU designer:
+
+"For Loongson 3 family, when a memory access instruction (load, store,
+or prefetch)'s executing occurs between the execution of LL and SC, the
+success or failure of SC is not predictable. Although programmer would
+not insert memory access instructions between LL and SC, the memory
+instructions before LL in program-order, may dynamically executed
+between the execution of LL/SC, so a memory fence (SYNC) is needed
+before LL/LLD to avoid this situation.
+
+Since Loongson-3A R2 (3A2000), we have improved our hardware design to
+handle this case. But we later deduce a rarely circumstance that some
+speculatively executed memory instructions due to branch misprediction
+between LL/SC still fall into the above case, so a memory fence (SYNC)
+at branch-target (if its target is not between LL/SC) is needed for
+Loongson 3A1000, 3B1500, 3A2000 and 3A3000.
+
+Our processor is continually evolving and we aim to to remove all these
+workaround-SYNCs around LL/SC for new-come processor."
+
+Here is an example:
+
+Both cpu1 and cpu2 simutaneously run atomic_add by 1 on same atomic var,
+this bug cause both 'sc' run by two cpus (in atomic_add) succeed at same
+time('sc' return 1), and the variable is only *added by 1*, sometimes,
+which is wrong and unacceptable(it should be added by 2).
+
+Why disable fix-loongson3-llsc in compiler?
+Because compiler fix will cause problems in kernel's __ex_table section.
+
+This patch fix all the cases in kernel, but:
+
++. the fix at the end of futex_atomic_cmpxchg_inatomic is for branch-target
+of 'bne', there other cases which smp_mb__before_llsc() and smp_llsc_mb() fix
+the ll and branch-target coincidently such as atomic_sub_if_positive/
+cmpxchg/xchg, just like this one.
+
++. Loongson 3 does support CONFIG_EDAC_ATOMIC_SCRUB, so no need to touch
+edac.h
+
++. local_ops and cmpxchg_local should not be affected by this bug since
+only the owner can write.
+
++. mips_atomic_set for syscall.c is deprecated and rarely used, just let
+it go
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: Huang Pei <huangpei@loongson.cn>
+[paul.burton@mips.com:
+ - Simplify the addition of -mno-fix-loongson3-llsc to cflags, and add
+ a comment describing why it's there.
+ - Make loongson_llsc_mb() a no-op when
+ CONFIG_CPU_LOONGSON3_WORKAROUNDS=n, rather than a compiler memory
+ barrier.
+ - Add a comment describing the bug & how loongson_llsc_mb() helps
+ in asm/barrier.h.]
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: ambrosehua@gmail.com
+Cc: Steven J . Hill <Steven.Hill@cavium.com>
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Cc: Li Xuefeng <lixuefeng@loongson.cn>
+Cc: Xu Chenghua <xuchenghua@loongson.cn>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/Kconfig | 15 ++++++++++++++
+ arch/mips/include/asm/atomic.h | 6 ++++++
+ arch/mips/include/asm/barrier.h | 36 +++++++++++++++++++++++++++++++++
+ arch/mips/include/asm/bitops.h | 5 +++++
+ arch/mips/include/asm/futex.h | 3 +++
+ arch/mips/include/asm/pgtable.h | 2 ++
+ arch/mips/loongson64/Platform | 23 +++++++++++++++++++++
+ arch/mips/mm/tlbex.c | 10 +++++++++
+ 8 files changed, 100 insertions(+)
+
+diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
+index 8d4470f44b74..77877c56ffc1 100644
+--- a/arch/mips/Kconfig
++++ b/arch/mips/Kconfig
+@@ -1407,6 +1407,21 @@ config LOONGSON3_ENHANCEMENT
+ please say 'N' here. If you want a high-performance kernel to run on
+ new Loongson 3 machines only, please say 'Y' here.
+
++config CPU_LOONGSON3_WORKAROUNDS
++ bool "Old Loongson 3 LLSC Workarounds"
++ default y if SMP
++ depends on CPU_LOONGSON3
++ help
++ Loongson 3 processors have the llsc issues which require workarounds.
++ Without workarounds the system may hang unexpectedly.
++
++ Newer Loongson 3 will fix these issues and no workarounds are needed.
++ The workarounds have no significant side effect on them but may
++ decrease the performance of the system so this option should be
++ disabled unless the kernel is intended to be run on old systems.
++
++ If unsure, please say Y.
++
+ config CPU_LOONGSON2E
+ bool "Loongson 2E"
+ depends on SYS_HAS_CPU_LOONGSON2E
+diff --git a/arch/mips/include/asm/atomic.h b/arch/mips/include/asm/atomic.h
+index 0ab176bdb8e8..8ee17565bc78 100644
+--- a/arch/mips/include/asm/atomic.h
++++ b/arch/mips/include/asm/atomic.h
+@@ -47,6 +47,7 @@ static __inline__ void atomic_##op(int i, atomic_t * v) \
+ if (kernel_uses_llsc && R10000_LLSC_WAR) { \
+ int temp; \
+ \
++ loongson_llsc_mb(); \
+ __asm__ __volatile__( \
+ " .set arch=r4000 \n" \
+ "1: ll %0, %1 # atomic_" #op " \n" \
+@@ -86,6 +87,7 @@ static __inline__ int atomic_##op##_return_relaxed(int i, atomic_t * v) \
+ if (kernel_uses_llsc && R10000_LLSC_WAR) { \
+ int temp; \
+ \
++ loongson_llsc_mb(); \
+ __asm__ __volatile__( \
+ " .set arch=r4000 \n" \
+ "1: ll %1, %2 # atomic_" #op "_return \n" \
+@@ -134,6 +136,7 @@ static __inline__ int atomic_fetch_##op##_relaxed(int i, atomic_t * v) \
+ if (kernel_uses_llsc && R10000_LLSC_WAR) { \
+ int temp; \
+ \
++ loongson_llsc_mb(); \
+ __asm__ __volatile__( \
+ " .set arch=r4000 \n" \
+ "1: ll %1, %2 # atomic_fetch_" #op " \n" \
+@@ -389,6 +392,7 @@ static __inline__ void atomic64_##op(long i, atomic64_t * v) \
+ if (kernel_uses_llsc && R10000_LLSC_WAR) { \
+ long temp; \
+ \
++ loongson_llsc_mb(); \
+ __asm__ __volatile__( \
+ " .set arch=r4000 \n" \
+ "1: lld %0, %1 # atomic64_" #op " \n" \
+@@ -428,6 +432,7 @@ static __inline__ long atomic64_##op##_return_relaxed(long i, atomic64_t * v) \
+ if (kernel_uses_llsc && R10000_LLSC_WAR) { \
+ long temp; \
+ \
++ loongson_llsc_mb(); \
+ __asm__ __volatile__( \
+ " .set arch=r4000 \n" \
+ "1: lld %1, %2 # atomic64_" #op "_return\n" \
+@@ -477,6 +482,7 @@ static __inline__ long atomic64_fetch_##op##_relaxed(long i, atomic64_t * v) \
+ if (kernel_uses_llsc && R10000_LLSC_WAR) { \
+ long temp; \
+ \
++ loongson_llsc_mb(); \
+ __asm__ __volatile__( \
+ " .set arch=r4000 \n" \
+ "1: lld %1, %2 # atomic64_fetch_" #op "\n" \
+diff --git a/arch/mips/include/asm/barrier.h b/arch/mips/include/asm/barrier.h
+index a5eb1bb199a7..b7f6ac5e513c 100644
+--- a/arch/mips/include/asm/barrier.h
++++ b/arch/mips/include/asm/barrier.h
+@@ -222,6 +222,42 @@
+ #define __smp_mb__before_atomic() __smp_mb__before_llsc()
+ #define __smp_mb__after_atomic() smp_llsc_mb()
+
++/*
++ * Some Loongson 3 CPUs have a bug wherein execution of a memory access (load,
++ * store or pref) in between an ll & sc can cause the sc instruction to
++ * erroneously succeed, breaking atomicity. Whilst it's unusual to write code
++ * containing such sequences, this bug bites harder than we might otherwise
++ * expect due to reordering & speculation:
++ *
++ * 1) A memory access appearing prior to the ll in program order may actually
++ * be executed after the ll - this is the reordering case.
++ *
++ * In order to avoid this we need to place a memory barrier (ie. a sync
++ * instruction) prior to every ll instruction, in between it & any earlier
++ * memory access instructions. Many of these cases are already covered by
++ * smp_mb__before_llsc() but for the remaining cases, typically ones in
++ * which multiple CPUs may operate on a memory location but ordering is not
++ * usually guaranteed, we use loongson_llsc_mb() below.
++ *
++ * This reordering case is fixed by 3A R2 CPUs, ie. 3A2000 models and later.
++ *
++ * 2) If a conditional branch exists between an ll & sc with a target outside
++ * of the ll-sc loop, for example an exit upon value mismatch in cmpxchg()
++ * or similar, then misprediction of the branch may allow speculative
++ * execution of memory accesses from outside of the ll-sc loop.
++ *
++ * In order to avoid this we need a memory barrier (ie. a sync instruction)
++ * at each affected branch target, for which we also use loongson_llsc_mb()
++ * defined below.
++ *
++ * This case affects all current Loongson 3 CPUs.
++ */
++#ifdef CONFIG_CPU_LOONGSON3_WORKAROUNDS /* Loongson-3's LLSC workaround */
++#define loongson_llsc_mb() __asm__ __volatile__(__WEAK_LLSC_MB : : :"memory")
++#else
++#define loongson_llsc_mb() do { } while (0)
++#endif
++
+ #include <asm-generic/barrier.h>
+
+ #endif /* __ASM_BARRIER_H */
+diff --git a/arch/mips/include/asm/bitops.h b/arch/mips/include/asm/bitops.h
+index fa57cef12a46..38a162d11b7b 100644
+--- a/arch/mips/include/asm/bitops.h
++++ b/arch/mips/include/asm/bitops.h
+@@ -68,6 +68,7 @@ static inline void set_bit(unsigned long nr, volatile unsigned long *addr)
+ : "ir" (1UL << bit), GCC_OFF_SMALL_ASM() (*m));
+ #if defined(CONFIG_CPU_MIPSR2) || defined(CONFIG_CPU_MIPSR6)
+ } else if (kernel_uses_llsc && __builtin_constant_p(bit)) {
++ loongson_llsc_mb();
+ do {
+ __asm__ __volatile__(
+ " " __LL "%0, %1 # set_bit \n"
+@@ -78,6 +79,7 @@ static inline void set_bit(unsigned long nr, volatile unsigned long *addr)
+ } while (unlikely(!temp));
+ #endif /* CONFIG_CPU_MIPSR2 || CONFIG_CPU_MIPSR6 */
+ } else if (kernel_uses_llsc) {
++ loongson_llsc_mb();
+ do {
+ __asm__ __volatile__(
+ " .set "MIPS_ISA_ARCH_LEVEL" \n"
+@@ -120,6 +122,7 @@ static inline void clear_bit(unsigned long nr, volatile unsigned long *addr)
+ : "ir" (~(1UL << bit)));
+ #if defined(CONFIG_CPU_MIPSR2) || defined(CONFIG_CPU_MIPSR6)
+ } else if (kernel_uses_llsc && __builtin_constant_p(bit)) {
++ loongson_llsc_mb();
+ do {
+ __asm__ __volatile__(
+ " " __LL "%0, %1 # clear_bit \n"
+@@ -130,6 +133,7 @@ static inline void clear_bit(unsigned long nr, volatile unsigned long *addr)
+ } while (unlikely(!temp));
+ #endif /* CONFIG_CPU_MIPSR2 || CONFIG_CPU_MIPSR6 */
+ } else if (kernel_uses_llsc) {
++ loongson_llsc_mb();
+ do {
+ __asm__ __volatile__(
+ " .set "MIPS_ISA_ARCH_LEVEL" \n"
+@@ -188,6 +192,7 @@ static inline void change_bit(unsigned long nr, volatile unsigned long *addr)
+ unsigned long *m = ((unsigned long *) addr) + (nr >> SZLONG_LOG);
+ unsigned long temp;
+
++ loongson_llsc_mb();
+ do {
+ __asm__ __volatile__(
+ " .set "MIPS_ISA_ARCH_LEVEL" \n"
+diff --git a/arch/mips/include/asm/futex.h b/arch/mips/include/asm/futex.h
+index a9e61ea54ca9..0a62a91b592d 100644
+--- a/arch/mips/include/asm/futex.h
++++ b/arch/mips/include/asm/futex.h
+@@ -50,6 +50,7 @@
+ "i" (-EFAULT) \
+ : "memory"); \
+ } else if (cpu_has_llsc) { \
++ loongson_llsc_mb(); \
+ __asm__ __volatile__( \
+ " .set push \n" \
+ " .set noat \n" \
+@@ -162,6 +163,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
+ "i" (-EFAULT)
+ : "memory");
+ } else if (cpu_has_llsc) {
++ loongson_llsc_mb();
+ __asm__ __volatile__(
+ "# futex_atomic_cmpxchg_inatomic \n"
+ " .set push \n"
+@@ -190,6 +192,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
+ : GCC_OFF_SMALL_ASM() (*uaddr), "Jr" (oldval), "Jr" (newval),
+ "i" (-EFAULT)
+ : "memory");
++ loongson_llsc_mb();
+ } else
+ return -ENOSYS;
+
+diff --git a/arch/mips/include/asm/pgtable.h b/arch/mips/include/asm/pgtable.h
+index 9e9e94415d08..aab7b382a062 100644
+--- a/arch/mips/include/asm/pgtable.h
++++ b/arch/mips/include/asm/pgtable.h
+@@ -229,6 +229,7 @@ static inline void set_pte(pte_t *ptep, pte_t pteval)
+ : [buddy] "+m" (buddy->pte), [tmp] "=&r" (tmp)
+ : [global] "r" (page_global));
+ } else if (kernel_uses_llsc) {
++ loongson_llsc_mb();
+ __asm__ __volatile__ (
+ " .set "MIPS_ISA_ARCH_LEVEL" \n"
+ " .set push \n"
+@@ -244,6 +245,7 @@ static inline void set_pte(pte_t *ptep, pte_t pteval)
+ " .set mips0 \n"
+ : [buddy] "+m" (buddy->pte), [tmp] "=&r" (tmp)
+ : [global] "r" (page_global));
++ loongson_llsc_mb();
+ }
+ #else /* !CONFIG_SMP */
+ if (pte_none(*buddy))
+diff --git a/arch/mips/loongson64/Platform b/arch/mips/loongson64/Platform
+index 0fce4608aa88..c1a4d4dc4665 100644
+--- a/arch/mips/loongson64/Platform
++++ b/arch/mips/loongson64/Platform
+@@ -23,6 +23,29 @@ ifdef CONFIG_CPU_LOONGSON2F_WORKAROUNDS
+ endif
+
+ cflags-$(CONFIG_CPU_LOONGSON3) += -Wa,--trap
++
++#
++# Some versions of binutils, not currently mainline as of 2019/02/04, support
++# an -mfix-loongson3-llsc flag which emits a sync prior to each ll instruction
++# to work around a CPU bug (see loongson_llsc_mb() in asm/barrier.h for a
++# description).
++#
++# We disable this in order to prevent the assembler meddling with the
++# instruction that labels refer to, ie. if we label an ll instruction:
++#
++# 1: ll v0, 0(a0)
++#
++# ...then with the assembler fix applied the label may actually point at a sync
++# instruction inserted by the assembler, and if we were using the label in an
++# exception table the table would no longer contain the address of the ll
++# instruction.
++#
++# Avoid this by explicitly disabling that assembler behaviour. If upstream
++# binutils does not merge support for the flag then we can revisit & remove
++# this later - for now it ensures vendor toolchains don't cause problems.
++#
++cflags-$(CONFIG_CPU_LOONGSON3) += $(call as-option,-Wa$(comma)-mno-fix-loongson3-llsc,)
++
+ #
+ # binutils from v2.25 on and gcc starting from v4.9.0 treat -march=loongson3a
+ # as MIPS64 R2; older versions as just R1. This leaves the possibility open
+diff --git a/arch/mips/mm/tlbex.c b/arch/mips/mm/tlbex.c
+index 79b9f2ad3ff5..7da67a278129 100644
+--- a/arch/mips/mm/tlbex.c
++++ b/arch/mips/mm/tlbex.c
+@@ -935,6 +935,8 @@ build_get_pgd_vmalloc64(u32 **p, struct uasm_label **l, struct uasm_reloc **r,
+ * to mimic that here by taking a load/istream page
+ * fault.
+ */
++ if (IS_ENABLED(CONFIG_CPU_LOONGSON3_WORKAROUNDS))
++ uasm_i_sync(p, 0);
+ UASM_i_LA(p, ptr, (unsigned long)tlb_do_page_fault_0);
+ uasm_i_jr(p, ptr);
+
+@@ -1660,6 +1662,8 @@ static void
+ iPTE_LW(u32 **p, unsigned int pte, unsigned int ptr)
+ {
+ #ifdef CONFIG_SMP
++ if (IS_ENABLED(CONFIG_CPU_LOONGSON3_WORKAROUNDS))
++ uasm_i_sync(p, 0);
+ # ifdef CONFIG_PHYS_ADDR_T_64BIT
+ if (cpu_has_64bits)
+ uasm_i_lld(p, pte, 0, ptr);
+@@ -2277,6 +2281,8 @@ static void build_r4000_tlb_load_handler(void)
+ #endif
+
+ uasm_l_nopage_tlbl(&l, p);
++ if (IS_ENABLED(CONFIG_CPU_LOONGSON3_WORKAROUNDS))
++ uasm_i_sync(&p, 0);
+ build_restore_work_registers(&p);
+ #ifdef CONFIG_CPU_MICROMIPS
+ if ((unsigned long)tlb_do_page_fault_0 & 1) {
+@@ -2332,6 +2338,8 @@ static void build_r4000_tlb_store_handler(void)
+ #endif
+
+ uasm_l_nopage_tlbs(&l, p);
++ if (IS_ENABLED(CONFIG_CPU_LOONGSON3_WORKAROUNDS))
++ uasm_i_sync(&p, 0);
+ build_restore_work_registers(&p);
+ #ifdef CONFIG_CPU_MICROMIPS
+ if ((unsigned long)tlb_do_page_fault_1 & 1) {
+@@ -2388,6 +2396,8 @@ static void build_r4000_tlb_modify_handler(void)
+ #endif
+
+ uasm_l_nopage_tlbm(&l, p);
++ if (IS_ENABLED(CONFIG_CPU_LOONGSON3_WORKAROUNDS))
++ uasm_i_sync(&p, 0);
+ build_restore_work_registers(&p);
+ #ifdef CONFIG_CPU_MICROMIPS
+ if ((unsigned long)tlb_do_page_fault_1 & 1) {
+--
+2.19.1
+
--- /dev/null
+From 4ef228d3c1f5ba14bb04113ab244d531b37f58d1 Mon Sep 17 00:00:00 2001
+From: Jun-Ru Chang <jrjang@realtek.com>
+Date: Tue, 29 Jan 2019 11:56:07 +0800
+Subject: MIPS: Remove function size check in get_frame_info()
+
+[ Upstream commit 2b424cfc69728224fcb5fad138ea7260728e0901 ]
+
+Patch (b6c7a324df37b "MIPS: Fix get_frame_info() handling of
+microMIPS function size.") introduces additional function size
+check for microMIPS by only checking insn between ip and ip + func_size.
+However, func_size in get_frame_info() is always 0 if KALLSYMS is not
+enabled. This causes get_frame_info() to return immediately without
+calculating correct frame_size, which in turn causes "Can't analyze
+schedule() prologue" warning messages at boot time.
+
+This patch removes func_size check, and let the frame_size check run
+up to 128 insns for both MIPS and microMIPS.
+
+Signed-off-by: Jun-Ru Chang <jrjang@realtek.com>
+Signed-off-by: Tony Wu <tonywu@realtek.com>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Fixes: b6c7a324df37b ("MIPS: Fix get_frame_info() handling of microMIPS function size.")
+Cc: <ralf@linux-mips.org>
+Cc: <jhogan@kernel.org>
+Cc: <macro@mips.com>
+Cc: <yamada.masahiro@socionext.com>
+Cc: <peterz@infradead.org>
+Cc: <mingo@kernel.org>
+Cc: <linux-mips@vger.kernel.org>
+Cc: <linux-kernel@vger.kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/process.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
+index e8b166e9146a..ea563bfea0e1 100644
+--- a/arch/mips/kernel/process.c
++++ b/arch/mips/kernel/process.c
+@@ -370,7 +370,7 @@ static inline int is_sp_move_ins(union mips_instruction *ip, int *frame_size)
+ static int get_frame_info(struct mips_frame_info *info)
+ {
+ bool is_mmips = IS_ENABLED(CONFIG_CPU_MICROMIPS);
+- union mips_instruction insn, *ip, *ip_end;
++ union mips_instruction insn, *ip;
+ const unsigned int max_insns = 128;
+ unsigned int last_insn_size = 0;
+ unsigned int i;
+@@ -383,10 +383,9 @@ static int get_frame_info(struct mips_frame_info *info)
+ if (!ip)
+ goto err;
+
+- ip_end = (void *)ip + info->func_size;
+-
+- for (i = 0; i < max_insns && ip < ip_end; i++) {
++ for (i = 0; i < max_insns; i++) {
+ ip = (void *)ip + last_insn_size;
++
+ if (is_mmips && mm_insn_16bit(ip->halfword[0])) {
+ insn.word = ip->halfword[0] << 16;
+ last_insn_size = 2;
+--
+2.19.1
+
--- /dev/null
+From bf739eea4a46bfe613a9e7b4cbab3524dd9438f5 Mon Sep 17 00:00:00 2001
+From: Michal Hocko <mhocko@suse.com>
+Date: Fri, 1 Feb 2019 14:20:34 -0800
+Subject: mm, memory_hotplug: is_mem_section_removable do not pass the end of a
+ zone
+
+[ Upstream commit efad4e475c312456edb3c789d0996d12ed744c13 ]
+
+Patch series "mm, memory_hotplug: fix uninitialized pages fallouts", v2.
+
+Mikhail Zaslonko has posted fixes for the two bugs quite some time ago
+[1]. I have pushed back on those fixes because I believed that it is
+much better to plug the problem at the initialization time rather than
+play whack-a-mole all over the hotplug code and find all the places
+which expect the full memory section to be initialized.
+
+We have ended up with commit 2830bf6f05fb ("mm, memory_hotplug:
+initialize struct pages for the full memory section") merged and cause a
+regression [2][3]. The reason is that there might be memory layouts
+when two NUMA nodes share the same memory section so the merged fix is
+simply incorrect.
+
+In order to plug this hole we really have to be zone range aware in
+those handlers. I have split up the original patch into two. One is
+unchanged (patch 2) and I took a different approach for `removable'
+crash.
+
+[1] http://lkml.kernel.org/r/20181105150401.97287-2-zaslonko@linux.ibm.com
+[2] https://bugzilla.redhat.com/show_bug.cgi?id=1666948
+[3] http://lkml.kernel.org/r/20190125163938.GA20411@dhcp22.suse.cz
+
+This patch (of 2):
+
+Mikhail has reported the following VM_BUG_ON triggered when reading sysfs
+removable state of a memory block:
+
+ page:000003d08300c000 is uninitialized and poisoned
+ page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
+ Call Trace:
+ is_mem_section_removable+0xb4/0x190
+ show_mem_removable+0x9a/0xd8
+ dev_attr_show+0x34/0x70
+ sysfs_kf_seq_show+0xc8/0x148
+ seq_read+0x204/0x480
+ __vfs_read+0x32/0x178
+ vfs_read+0x82/0x138
+ ksys_read+0x5a/0xb0
+ system_call+0xdc/0x2d8
+ Last Breaking-Event-Address:
+ is_mem_section_removable+0xb4/0x190
+ Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+The reason is that the memory block spans the zone boundary and we are
+stumbling over an unitialized struct page. Fix this by enforcing zone
+range in is_mem_section_removable so that we never run away from a zone.
+
+Link: http://lkml.kernel.org/r/20190128144506.15603-2-mhocko@kernel.org
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Reported-by: Mikhail Zaslonko <zaslonko@linux.ibm.com>
+Debugged-by: Mikhail Zaslonko <zaslonko@linux.ibm.com>
+Tested-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
+Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/memory_hotplug.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
+index c7c74a927d6f..39db89f3df65 100644
+--- a/mm/memory_hotplug.c
++++ b/mm/memory_hotplug.c
+@@ -1256,7 +1256,8 @@ static struct page *next_active_pageblock(struct page *page)
+ bool is_mem_section_removable(unsigned long start_pfn, unsigned long nr_pages)
+ {
+ struct page *page = pfn_to_page(start_pfn);
+- struct page *end_page = page + nr_pages;
++ unsigned long end_pfn = min(start_pfn + nr_pages, zone_end_pfn(page_zone(page)));
++ struct page *end_page = pfn_to_page(end_pfn);
+
+ /* Check the starting page of each pageblock within the range */
+ for (; page < end_page; page = next_active_pageblock(page)) {
+--
+2.19.1
+
--- /dev/null
+From ba3b69567275674c25942444351abd74ffafcbf5 Mon Sep 17 00:00:00 2001
+From: Mikhail Zaslonko <zaslonko@linux.ibm.com>
+Date: Fri, 1 Feb 2019 14:20:38 -0800
+Subject: mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone
+
+[ Upstream commit 24feb47c5fa5b825efb0151f28906dfdad027e61 ]
+
+If memory end is not aligned with the sparse memory section boundary,
+the mapping of such a section is only partly initialized. This may lead
+to VM_BUG_ON due to uninitialized struct pages access from
+test_pages_in_a_zone() function triggered by memory_hotplug sysfs
+handlers.
+
+Here are the the panic examples:
+ CONFIG_DEBUG_VM_PGFLAGS=y
+ kernel parameter mem=2050M
+ --------------------------
+ page:000003d082008000 is uninitialized and poisoned
+ page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
+ Call Trace:
+ test_pages_in_a_zone+0xde/0x160
+ show_valid_zones+0x5c/0x190
+ dev_attr_show+0x34/0x70
+ sysfs_kf_seq_show+0xc8/0x148
+ seq_read+0x204/0x480
+ __vfs_read+0x32/0x178
+ vfs_read+0x82/0x138
+ ksys_read+0x5a/0xb0
+ system_call+0xdc/0x2d8
+ Last Breaking-Event-Address:
+ test_pages_in_a_zone+0xde/0x160
+ Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+Fix this by checking whether the pfn to check is within the zone.
+
+[mhocko@suse.com: separated this change from http://lkml.kernel.org/r/20181105150401.97287-2-zaslonko@linux.ibm.com]
+Link: http://lkml.kernel.org/r/20190128144506.15603-3-mhocko@kernel.org
+
+[mhocko@suse.com: separated this change from
+http://lkml.kernel.org/r/20181105150401.97287-2-zaslonko@linux.ibm.com]
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Mikhail Zaslonko <zaslonko@linux.ibm.com>
+Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Tested-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/memory_hotplug.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
+index 39db89f3df65..c9d3a49bd4e2 100644
+--- a/mm/memory_hotplug.c
++++ b/mm/memory_hotplug.c
+@@ -1297,6 +1297,9 @@ int test_pages_in_a_zone(unsigned long start_pfn, unsigned long end_pfn,
+ i++;
+ if (i == MAX_ORDER_NR_PAGES || pfn + i >= end_pfn)
+ continue;
++ /* Check if we got outside of the zone */
++ if (zone && !zone_spans_pfn(zone, pfn + i))
++ return 0;
+ page = pfn_to_page(pfn + i);
+ if (zone && page_zone(page) != zone)
+ return 0;
+--
+2.19.1
+
--- /dev/null
+From 260af20da2520755b14c15f3a35af9685d8e4fbd Mon Sep 17 00:00:00 2001
+From: Tomonori Sakita <tomonori.sakita@sord.co.jp>
+Date: Fri, 25 Jan 2019 11:02:22 +0900
+Subject: net: altera_tse: fix msgdma_tx_completion on non-zero fill_level case
+
+[ Upstream commit 6571ebce112a21ec9be68ef2f53b96fcd41fd81b ]
+
+If fill_level was not zero and status was not BUSY,
+result of "tx_prod - tx_cons - inuse" might be zero.
+Subtracting 1 unconditionally results invalid negative return value
+on this case.
+Make sure not to return an negative value.
+
+Signed-off-by: Tomonori Sakita <tomonori.sakita@sord.co.jp>
+Signed-off-by: Atsushi Nemoto <atsushi.nemoto@sord.co.jp>
+Reviewed-by: Dalon L Westergreen <dalon.westergreen@linux.intel.com>
+Acked-by: Thor Thayer <thor.thayer@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/altera/altera_msgdma.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/altera/altera_msgdma.c b/drivers/net/ethernet/altera/altera_msgdma.c
+index 0fb986ba3290..0ae723f75341 100644
+--- a/drivers/net/ethernet/altera/altera_msgdma.c
++++ b/drivers/net/ethernet/altera/altera_msgdma.c
+@@ -145,7 +145,8 @@ u32 msgdma_tx_completions(struct altera_tse_private *priv)
+ & 0xffff;
+
+ if (inuse) { /* Tx FIFO is not empty */
+- ready = priv->tx_prod - priv->tx_cons - inuse - 1;
++ ready = max_t(int,
++ priv->tx_prod - priv->tx_cons - inuse - 1, 0);
+ } else {
+ /* Check for buffered last packet */
+ status = csrrd32(priv->tx_dma_csr, msgdma_csroffs(status));
+--
+2.19.1
+
--- /dev/null
+From 9fa1c4740cb551021b6a956c0e28a0f4e5b22476 Mon Sep 17 00:00:00 2001
+From: Yonglong Liu <liuyonglong@huawei.com>
+Date: Sat, 26 Jan 2019 17:18:25 +0800
+Subject: net: hns: Fix for missing of_node_put() after of_parse_phandle()
+
+[ Upstream commit 263c6d75f9a544a3c2f8f6a26de4f4808d8f59cf ]
+
+In hns enet driver, we use of_parse_handle() to get hold of the
+device node related to "ae-handle" but we have missed to put
+the node reference using of_node_put() after we are done using
+the node. This patch fixes it.
+
+Note:
+This problem is stated in Link: https://lkml.org/lkml/2018/12/22/217
+
+Fixes: 48189d6aaf1e ("net: hns: enet specifies a reference to dsaf")
+Reported-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns/hns_enet.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
+index 86662a14208e..d30c28fba249 100644
+--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
+@@ -2532,6 +2532,8 @@ static int hns_nic_dev_probe(struct platform_device *pdev)
+ out_notify_fail:
+ (void)cancel_work_sync(&priv->service_task);
+ out_read_prop_fail:
++ /* safe for ACPI FW */
++ of_node_put(to_of_node(priv->fwnode));
+ free_netdev(ndev);
+ return ret;
+ }
+@@ -2561,6 +2563,9 @@ static int hns_nic_dev_remove(struct platform_device *pdev)
+ set_bit(NIC_STATE_REMOVING, &priv->state);
+ (void)cancel_work_sync(&priv->service_task);
+
++ /* safe for ACPI FW */
++ of_node_put(to_of_node(priv->fwnode));
++
+ free_netdev(ndev);
+ return 0;
+ }
+--
+2.19.1
+
--- /dev/null
+From d3a03ee9ca4458fce6ac817b719cd14b4f72ab33 Mon Sep 17 00:00:00 2001
+From: Yonglong Liu <liuyonglong@huawei.com>
+Date: Sat, 26 Jan 2019 17:18:27 +0800
+Subject: net: hns: Fix wrong read accesses via Clause 45 MDIO protocol
+
+[ Upstream commit cec8abba13e6a26729dfed41019720068eeeff2b ]
+
+When reading phy registers via Clause 45 MDIO protocol, after write
+address operation, the driver use another write address operation, so
+can not read the right value of any phy registers. This patch fixes it.
+
+Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns_mdio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns_mdio.c b/drivers/net/ethernet/hisilicon/hns_mdio.c
+index 017e08452d8c..baf5cc251f32 100644
+--- a/drivers/net/ethernet/hisilicon/hns_mdio.c
++++ b/drivers/net/ethernet/hisilicon/hns_mdio.c
+@@ -321,7 +321,7 @@ static int hns_mdio_read(struct mii_bus *bus, int phy_id, int regnum)
+ }
+
+ hns_mdio_cmd_write(mdio_dev, is_c45,
+- MDIO_C45_WRITE_ADDR, phy_id, devad);
++ MDIO_C45_READ, phy_id, devad);
+ }
+
+ /* Step 5: waitting for MDIO_COMMAND_REG 's mdio_start==0,*/
+--
+2.19.1
+
--- /dev/null
+From acb042ae446c11e5a779c769ace2884af4954ac7 Mon Sep 17 00:00:00 2001
+From: Yonglong Liu <liuyonglong@huawei.com>
+Date: Sat, 26 Jan 2019 17:18:26 +0800
+Subject: net: hns: Restart autoneg need return failed when autoneg off
+
+[ Upstream commit ed29ca8b9592562559c64d027fb5eb126e463e2c ]
+
+The hns driver of earlier devices, when autoneg off, restart autoneg
+will return -EINVAL, so make the hns driver for the latest devices
+do the same.
+
+Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns/hns_ethtool.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c b/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
+index c1e947bb852f..14df03f60e05 100644
+--- a/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
+@@ -1154,16 +1154,18 @@ static int hns_get_regs_len(struct net_device *net_dev)
+ */
+ static int hns_nic_nway_reset(struct net_device *netdev)
+ {
+- int ret = 0;
+ struct phy_device *phy = netdev->phydev;
+
+- if (netif_running(netdev)) {
+- /* if autoneg is disabled, don't restart auto-negotiation */
+- if (phy && phy->autoneg == AUTONEG_ENABLE)
+- ret = genphy_restart_aneg(phy);
+- }
++ if (!netif_running(netdev))
++ return 0;
+
+- return ret;
++ if (!phy)
++ return -EOPNOTSUPP;
++
++ if (phy->autoneg != AUTONEG_ENABLE)
++ return -EINVAL;
++
++ return genphy_restart_aneg(phy);
+ }
+
+ static u32
+--
+2.19.1
+
--- /dev/null
+From 29852fdab0b13b045fb2bdd3341c2244aada77f8 Mon Sep 17 00:00:00 2001
+From: Jose Abreu <jose.abreu@synopsys.com>
+Date: Wed, 30 Jan 2019 15:54:21 +0100
+Subject: net: stmmac: Disable EEE mode earlier in XMIT callback
+
+[ Upstream commit e2cd682deb231ba6f80524bb84e57e7138261149 ]
+
+In stmmac xmit callback we use a different flow for TSO packets but TSO
+xmit callback is not disabling the EEE mode.
+
+Fix this by disabling earlier the EEE mode, i.e. before calling the TSO
+xmit callback.
+
+Signed-off-by: Jose Abreu <joabreu@synopsys.com>
+Cc: Joao Pinto <jpinto@synopsys.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
+Cc: Alexandre Torgue <alexandre.torgue@st.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index b1454c63e675..0cc83e8417ef 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -3017,6 +3017,9 @@ static netdev_tx_t stmmac_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ tx_q = &priv->tx_queue[queue];
+
++ if (priv->tx_path_in_lpi_mode)
++ stmmac_disable_eee_mode(priv);
++
+ /* Manage oversized TCP frames for GMAC4 device */
+ if (skb_is_gso(skb) && priv->tso) {
+ if (skb_shinfo(skb)->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6)) {
+@@ -3044,9 +3047,6 @@ static netdev_tx_t stmmac_xmit(struct sk_buff *skb, struct net_device *dev)
+ return NETDEV_TX_BUSY;
+ }
+
+- if (priv->tx_path_in_lpi_mode)
+- stmmac_disable_eee_mode(priv);
+-
+ entry = tx_q->cur_tx;
+ first_entry = entry;
+
+--
+2.19.1
+
--- /dev/null
+From 45e42c81d7ba6aec4651719acf23ce1c814757ad Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Sat, 26 Jan 2019 22:48:57 +0300
+Subject: net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup()
+
+[ Upstream commit c69c29a1a0a8f68cd87e98ba4a5a79fb8ef2a58c ]
+
+If phy_power_on() fails in rk_gmac_powerup(), clocks are left enabled.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
+index 13133b30b575..01787344f6e5 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
+@@ -1284,8 +1284,10 @@ static int rk_gmac_powerup(struct rk_priv_data *bsp_priv)
+ }
+
+ ret = phy_power_on(bsp_priv, true);
+- if (ret)
++ if (ret) {
++ gmac_clk_enable(bsp_priv, false);
+ return ret;
++ }
+
+ pm_runtime_enable(dev);
+ pm_runtime_get_sync(dev);
+--
+2.19.1
+
--- /dev/null
+From 7c78264e27fc34f651a772880bb17e34e20e0cbc Mon Sep 17 00:00:00 2001
+From: Jose Abreu <jose.abreu@synopsys.com>
+Date: Wed, 30 Jan 2019 15:54:19 +0100
+Subject: net: stmmac: Fallback to Platform Data clock in Watchdog conversion
+
+[ Upstream commit 4ec5302fa906ec9d86597b236f62315bacdb9622 ]
+
+If we don't have DT then stmmac_clk will not be available. Let's add a
+new Platform Data field so that we can specify the refclk by this mean.
+
+This way we can still use the coalesce command in PCI based setups.
+
+Signed-off-by: Jose Abreu <joabreu@synopsys.com>
+Cc: Joao Pinto <jpinto@synopsys.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
+Cc: Alexandre Torgue <alexandre.torgue@st.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 14 ++++++++++----
+ include/linux/stmmac.h | 1 +
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+index c3c6335cbe9a..ecddd9948788 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+@@ -702,8 +702,11 @@ static u32 stmmac_usec2riwt(u32 usec, struct stmmac_priv *priv)
+ {
+ unsigned long clk = clk_get_rate(priv->plat->stmmac_clk);
+
+- if (!clk)
+- return 0;
++ if (!clk) {
++ clk = priv->plat->clk_ref_rate;
++ if (!clk)
++ return 0;
++ }
+
+ return (usec * (clk / 1000000)) / 256;
+ }
+@@ -712,8 +715,11 @@ static u32 stmmac_riwt2usec(u32 riwt, struct stmmac_priv *priv)
+ {
+ unsigned long clk = clk_get_rate(priv->plat->stmmac_clk);
+
+- if (!clk)
+- return 0;
++ if (!clk) {
++ clk = priv->plat->clk_ref_rate;
++ if (!clk)
++ return 0;
++ }
+
+ return (riwt * 256) / (clk / 1000000);
+ }
+diff --git a/include/linux/stmmac.h b/include/linux/stmmac.h
+index 32feac5bbd75..5844105a482b 100644
+--- a/include/linux/stmmac.h
++++ b/include/linux/stmmac.h
+@@ -183,6 +183,7 @@ struct plat_stmmacenet_data {
+ struct clk *pclk;
+ struct clk *clk_ptp_ref;
+ unsigned int clk_ptp_rate;
++ unsigned int clk_ref_rate;
+ struct reset_control *stmmac_rst;
+ struct stmmac_axi *axi;
+ int has_gmac4;
+--
+2.19.1
+
--- /dev/null
+From 4844ff34e23df9fef58eeab261709a1829b98e8a Mon Sep 17 00:00:00 2001
+From: Jose Abreu <jose.abreu@synopsys.com>
+Date: Wed, 30 Jan 2019 15:54:20 +0100
+Subject: net: stmmac: Send TSO packets always from Queue 0
+
+[ Upstream commit c5acdbee22a1b200dde07effd26fd1f649e9ab8a ]
+
+The number of TSO enabled channels in HW can be different than the
+number of total channels. There is no way to determined, at runtime, the
+number of TSO capable channels and its safe to assume that if TSO is
+enabled then at least channel 0 will be TSO capable.
+
+Lets always send TSO packets from Queue 0.
+
+Signed-off-by: Jose Abreu <joabreu@synopsys.com>
+Cc: Joao Pinto <jpinto@synopsys.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
+Cc: Alexandre Torgue <alexandre.torgue@st.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 0e66a5082140..b1454c63e675 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -3019,8 +3019,17 @@ static netdev_tx_t stmmac_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ /* Manage oversized TCP frames for GMAC4 device */
+ if (skb_is_gso(skb) && priv->tso) {
+- if (skb_shinfo(skb)->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))
++ if (skb_shinfo(skb)->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6)) {
++ /*
++ * There is no way to determine the number of TSO
++ * capable Queues. Let's use always the Queue 0
++ * because if TSO is supported then at least this
++ * one will be capable.
++ */
++ skb_set_queue_mapping(skb, 0);
++
+ return stmmac_tso_xmit(skb, dev);
++ }
+ }
+
+ if (unlikely(stmmac_tx_avail(priv, queue) < nfrags + 1)) {
+--
+2.19.1
+
--- /dev/null
+From 867e3944b355ca7f41768c8e91deb189726c378b Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 21 Jan 2019 21:54:36 +0100
+Subject: netfilter: ebtables: compat: un-break 32bit setsockopt when no rules
+ are present
+
+[ Upstream commit 2035f3ff8eaa29cfb5c8e2160b0f6e85eeb21a95 ]
+
+Unlike ip(6)tables ebtables only counts user-defined chains.
+
+The effect is that a 32bit ebtables binary on a 64bit kernel can do
+'ebtables -N FOO' only after adding at least one rule, else the request
+fails with -EINVAL.
+
+This is a similar fix as done in
+3f1e53abff84 ("netfilter: ebtables: don't attempt to allocate 0-sized compat array").
+
+Fixes: 7d7d7e02111e9 ("netfilter: compat: reject huge allocation requests")
+Reported-by: Francesco Ruggeri <fruggeri@arista.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/netfilter/ebtables.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 22e4c15a1fc3..53392ac58b38 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -2292,9 +2292,12 @@ static int compat_do_replace(struct net *net, void __user *user,
+
+ xt_compat_lock(NFPROTO_BRIDGE);
+
+- ret = xt_compat_init_offsets(NFPROTO_BRIDGE, tmp.nentries);
+- if (ret < 0)
+- goto out_unlock;
++ if (tmp.nentries) {
++ ret = xt_compat_init_offsets(NFPROTO_BRIDGE, tmp.nentries);
++ if (ret < 0)
++ goto out_unlock;
++ }
++
+ ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
+ if (ret < 0)
+ goto out_unlock;
+--
+2.19.1
+
--- /dev/null
+From d6aa7b3737aba8a016c37f7bbe47dcb5965984da Mon Sep 17 00:00:00 2001
+From: Martynas Pumputis <martynas@weave.works>
+Date: Tue, 29 Jan 2019 15:51:42 +0100
+Subject: netfilter: nf_nat: skip nat clash resolution for same-origin entries
+
+[ Upstream commit 4e35c1cb9460240e983a01745b5f29fe3a4d8e39 ]
+
+It is possible that two concurrent packets originating from the same
+socket of a connection-less protocol (e.g. UDP) can end up having
+different IP_CT_DIR_REPLY tuples which results in one of the packets
+being dropped.
+
+To illustrate this, consider the following simplified scenario:
+
+1. Packet A and B are sent at the same time from two different threads
+ by same UDP socket. No matching conntrack entry exists yet.
+ Both packets cause allocation of a new conntrack entry.
+2. get_unique_tuple gets called for A. No clashing entry found.
+ conntrack entry for A is added to main conntrack table.
+3. get_unique_tuple is called for B and will find that the reply
+ tuple of B is already taken by A.
+ It will allocate a new UDP source port for B to resolve the clash.
+4. conntrack entry for B cannot be added to main conntrack table
+ because its ORIGINAL direction is clashing with A and the REPLY
+ directions of A and B are not the same anymore due to UDP source
+ port reallocation done in step 3.
+
+This patch modifies nf_conntrack_tuple_taken so it doesn't consider
+colliding reply tuples if the IP_CT_DIR_ORIGINAL tuples are equal.
+
+[ Florian: simplify patch to not use .allow_clash setting
+ and always ignore identical flows ]
+
+Signed-off-by: Martynas Pumputis <martynas@weave.works>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_core.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index b793b55d1488..f07357ba9629 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -869,6 +869,22 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
+ }
+
+ if (nf_ct_key_equal(h, tuple, zone, net)) {
++ /* Tuple is taken already, so caller will need to find
++ * a new source port to use.
++ *
++ * Only exception:
++ * If the *original tuples* are identical, then both
++ * conntracks refer to the same flow.
++ * This is a rare situation, it can occur e.g. when
++ * more than one UDP packet is sent from same socket
++ * in different threads.
++ *
++ * Let nf_ct_resolve_clash() deal with this later.
++ */
++ if (nf_ct_tuple_equal(&ignored_conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
++ &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple))
++ continue;
++
+ NF_CT_STAT_INC_ATOMIC(net, found);
+ rcu_read_unlock();
+ return 1;
+--
+2.19.1
+
--- /dev/null
+From cd10c2d67b7de5808afb9a38dd3c6a7820f4d722 Mon Sep 17 00:00:00 2001
+From: Yao Liu <yotta.liu@ucloud.cn>
+Date: Mon, 28 Jan 2019 19:44:14 +0800
+Subject: nfs: Fix NULL pointer dereference of dev_name
+
+[ Upstream commit 80ff00172407e0aad4b10b94ef0816fc3e7813cb ]
+
+There is a NULL pointer dereference of dev_name in nfs_parse_devname()
+
+The oops looks something like:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+ ...
+ RIP: 0010:nfs_fs_mount+0x3b6/0xc20 [nfs]
+ ...
+ Call Trace:
+ ? ida_alloc_range+0x34b/0x3d0
+ ? nfs_clone_super+0x80/0x80 [nfs]
+ ? nfs_free_parsed_mount_data+0x60/0x60 [nfs]
+ mount_fs+0x52/0x170
+ ? __init_waitqueue_head+0x3b/0x50
+ vfs_kern_mount+0x6b/0x170
+ do_mount+0x216/0xdc0
+ ksys_mount+0x83/0xd0
+ __x64_sys_mount+0x25/0x30
+ do_syscall_64+0x65/0x220
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fix this by adding a NULL check on dev_name
+
+Signed-off-by: Yao Liu <yotta.liu@ucloud.cn>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/super.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index 3c4aeb83e1c4..77d8d03344c8 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1901,6 +1901,11 @@ static int nfs_parse_devname(const char *dev_name,
+ size_t len;
+ char *end;
+
++ if (unlikely(!dev_name || !*dev_name)) {
++ dfprintk(MOUNT, "NFS: device name not specified\n");
++ return -EINVAL;
++ }
++
+ /* Is the host name protected with square brakcets? */
+ if (*dev_name == '[') {
+ end = strchr(++dev_name, ']');
+--
+2.19.1
+
--- /dev/null
+From b6ae60a6b0ada3d2a5ff96f48e6ef03b95b0e4ca Mon Sep 17 00:00:00 2001
+From: Stephane Eranian <eranian@google.com>
+Date: Thu, 10 Jan 2019 17:17:16 -0800
+Subject: perf core: Fix perf_proc_update_handler() bug
+
+[ Upstream commit 1a51c5da5acc6c188c917ba572eebac5f8793432 ]
+
+The perf_proc_update_handler() handles /proc/sys/kernel/perf_event_max_sample_rate
+syctl variable. When the PMU IRQ handler timing monitoring is disabled, i.e,
+when /proc/sys/kernel/perf_cpu_time_max_percent is equal to 0 or 100,
+then no modification to sysctl_perf_event_sample_rate is allowed to prevent
+possible hang from wrong values.
+
+The problem is that the test to prevent modification is made after the
+sysctl variable is modified in perf_proc_update_handler().
+
+You get an error:
+
+ $ echo 10001 >/proc/sys/kernel/perf_event_max_sample_rate
+ echo: write error: invalid argument
+
+But the value is still modified causing all sorts of inconsistencies:
+
+ $ cat /proc/sys/kernel/perf_event_max_sample_rate
+ 10001
+
+This patch fixes the problem by moving the parsing of the value after
+the test.
+
+Committer testing:
+
+ # echo 100 > /proc/sys/kernel/perf_cpu_time_max_percent
+ # echo 10001 > /proc/sys/kernel/perf_event_max_sample_rate
+ -bash: echo: write error: Invalid argument
+ # cat /proc/sys/kernel/perf_event_max_sample_rate
+ 10001
+ #
+
+Signed-off-by: Stephane Eranian <eranian@google.com>
+Reviewed-by: Andi Kleen <ak@linux.intel.com>
+Reviewed-by: Jiri Olsa <jolsa@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/1547169436-6266-1-git-send-email-eranian@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 17d5d41464c6..92939b5397df 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -436,18 +436,18 @@ int perf_proc_update_handler(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp,
+ loff_t *ppos)
+ {
+- int ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+-
+- if (ret || !write)
+- return ret;
+-
++ int ret;
++ int perf_cpu = sysctl_perf_cpu_time_max_percent;
+ /*
+ * If throttling is disabled don't allow the write:
+ */
+- if (sysctl_perf_cpu_time_max_percent == 100 ||
+- sysctl_perf_cpu_time_max_percent == 0)
++ if (write && (perf_cpu == 100 || perf_cpu == 0))
+ return -EINVAL;
+
++ ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
++ if (ret || !write)
++ return ret;
++
+ max_samples_per_tick = DIV_ROUND_UP(sysctl_perf_event_sample_rate, HZ);
+ perf_sample_period_ns = NSEC_PER_SEC / sysctl_perf_event_sample_rate;
+ update_perf_cpu_limits();
+--
+2.19.1
+
--- /dev/null
+From 172ce23d8f1ad5066ce7d9a6710206021c62238d Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@redhat.com>
+Date: Mon, 28 Jan 2019 14:35:26 +0100
+Subject: perf symbols: Filter out hidden symbols from labels
+
+[ Upstream commit 59a17706915fe5ea6f711e1f92d4fb706bce07fe ]
+
+When perf is built with the annobin plugin (RHEL8 build) extra symbols
+are added to its binary:
+
+ # nm perf | grep annobin | head -10
+ 0000000000241100 t .annobin_annotate.c
+ 0000000000326490 t .annobin_annotate.c
+ 0000000000249255 t .annobin_annotate.c_end
+ 00000000003283a8 t .annobin_annotate.c_end
+ 00000000001bce18 t .annobin_annotate.c_end.hot
+ 00000000001bce18 t .annobin_annotate.c_end.hot
+ 00000000001bc3e2 t .annobin_annotate.c_end.unlikely
+ 00000000001bc400 t .annobin_annotate.c_end.unlikely
+ 00000000001bce18 t .annobin_annotate.c.hot
+ 00000000001bce18 t .annobin_annotate.c.hot
+ ...
+
+Those symbols have no use for report or annotation and should be
+skipped. Moreover they interfere with the DWARF unwind test on the PPC
+arch, where they are mixed with checked symbols and then the test fails:
+
+ # perf test dwarf -v
+ 59: Test dwarf unwind :
+ --- start ---
+ test child forked, pid 8515
+ unwind: .annobin_dwarf_unwind.c:ip = 0x10dba40dc (0x2740dc)
+ ...
+ got: .annobin_dwarf_unwind.c 0x10dba40dc, expecting test__arch_unwind_sample
+ unwind: failed with 'no error'
+
+The annobin symbols are defined as NOTYPE/LOCAL/HIDDEN:
+
+ # readelf -s ./perf | grep annobin | head -1
+ 40: 00000000001bce4f 0 NOTYPE LOCAL HIDDEN 13 .annobin_init.c
+
+They can still pass the check for the label symbol. Adding check for
+HIDDEN and INTERNAL (as suggested by Nick below) visibility and filter
+out such symbols.
+
+> Just to be awkward, if you are going to ignore STV_HIDDEN
+> symbols then you should probably also ignore STV_INTERNAL ones
+> as well... Annobin does not generate them, but you never know,
+> one day some other tool might create some.
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Michael Petlan <mpetlan@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Nick Clifton <nickc@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/20190128133526.GD15461@krava
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/symbol-elf.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c
+index 8ad4296de98b..3d39332b3a06 100644
+--- a/tools/perf/util/symbol-elf.c
++++ b/tools/perf/util/symbol-elf.c
+@@ -87,6 +87,11 @@ static inline uint8_t elf_sym__type(const GElf_Sym *sym)
+ return GELF_ST_TYPE(sym->st_info);
+ }
+
++static inline uint8_t elf_sym__visibility(const GElf_Sym *sym)
++{
++ return GELF_ST_VISIBILITY(sym->st_other);
++}
++
+ #ifndef STT_GNU_IFUNC
+ #define STT_GNU_IFUNC 10
+ #endif
+@@ -111,7 +116,9 @@ static inline int elf_sym__is_label(const GElf_Sym *sym)
+ return elf_sym__type(sym) == STT_NOTYPE &&
+ sym->st_name != 0 &&
+ sym->st_shndx != SHN_UNDEF &&
+- sym->st_shndx != SHN_ABS;
++ sym->st_shndx != SHN_ABS &&
++ elf_sym__visibility(sym) != STV_HIDDEN &&
++ elf_sym__visibility(sym) != STV_INTERNAL;
+ }
+
+ static bool elf_sym__is_a(GElf_Sym *sym, enum map_type type)
+--
+2.19.1
+
--- /dev/null
+From b8f9d25ecdec6e6774ef7056f80583f6c1468283 Mon Sep 17 00:00:00 2001
+From: Stephane Eranian <eranian@google.com>
+Date: Sat, 19 Jan 2019 00:12:39 -0800
+Subject: perf tools: Handle TOPOLOGY headers with no CPU
+
+[ Upstream commit 1497e804d1a6e2bd9107ddf64b0310449f4673eb ]
+
+This patch fixes an issue in cpumap.c when used with the TOPOLOGY
+header. In some configurations, some NUMA nodes may have no CPU (empty
+cpulist). Yet a cpumap map must be created otherwise perf abort with an
+error. This patch handles this case by creating a dummy map.
+
+ Before:
+
+ $ perf record -o - -e cycles noploop 2 | perf script -i -
+ 0x6e8 [0x6c]: failed to process type: 80
+
+ After:
+
+ $ perf record -o - -e cycles noploop 2 | perf script -i -
+ noploop for 2 seconds
+
+Signed-off-by: Stephane Eranian <eranian@google.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/1547885559-1657-1-git-send-email-eranian@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/cpumap.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/cpumap.c b/tools/perf/util/cpumap.c
+index 1ccbd3342069..383674f448fc 100644
+--- a/tools/perf/util/cpumap.c
++++ b/tools/perf/util/cpumap.c
+@@ -134,7 +134,12 @@ struct cpu_map *cpu_map__new(const char *cpu_list)
+ if (!cpu_list)
+ return cpu_map__read_all_cpu_map();
+
+- if (!isdigit(*cpu_list))
++ /*
++ * must handle the case of empty cpumap to cover
++ * TOPOLOGY header for NUMA nodes with no CPU
++ * ( e.g., because of CPU hotplug)
++ */
++ if (!isdigit(*cpu_list) && *cpu_list != '\0')
+ goto out;
+
+ while (isdigit(*cpu_list)) {
+@@ -181,8 +186,10 @@ struct cpu_map *cpu_map__new(const char *cpu_list)
+
+ if (nr_cpus > 0)
+ cpus = cpu_map__trim_new(nr_cpus, tmp_cpus);
+- else
++ else if (*cpu_list != '\0')
+ cpus = cpu_map__default_new();
++ else
++ cpus = cpu_map__dummy_new();
+ invalid:
+ free(tmp_cpus);
+ out:
+--
+2.19.1
+
--- /dev/null
+From 746a8aebb2312b4de8818fbf792712656103d98e Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Tue, 29 Jan 2019 15:12:34 +0100
+Subject: perf trace: Support multiple "vfs_getname" probes
+
+[ Upstream commit 6ab3bc240ade47a0f52bc16d97edd9accbe0024e ]
+
+With a suitably defined "probe:vfs_getname" probe, 'perf trace' can
+"beautify" its output, so syscalls like open() or openat() can print the
+"filename" argument instead of just its hex address, like:
+
+ $ perf trace -e open -- touch /dev/null
+ [...]
+ 0.590 ( 0.014 ms): touch/18063 open(filename: /dev/null, flags: CREAT|NOCTTY|NONBLOCK|WRONLY, mode: IRUGO|IWUGO) = 3
+ [...]
+
+The output without such beautifier looks like:
+
+ 0.529 ( 0.011 ms): touch/18075 open(filename: 0xc78cf288, flags: CREAT|NOCTTY|NONBLOCK|WRONLY, mode: IRUGO|IWUGO) = 3
+
+However, when the vfs_getname probe expands to multiple probes and it is
+not the first one that is hit, the beautifier fails, as following:
+
+ 0.326 ( 0.010 ms): touch/18072 open(filename: , flags: CREAT|NOCTTY|NONBLOCK|WRONLY, mode: IRUGO|IWUGO) = 3
+
+Fix it by hooking into all the expanded probes (inlines), now, for instance:
+
+ [root@quaco ~]# perf probe -l
+ probe:vfs_getname (on getname_flags:73@fs/namei.c with pathname)
+ probe:vfs_getname_1 (on getname_flags:73@fs/namei.c with pathname)
+ [root@quaco ~]# perf trace -e open* sleep 1
+ 0.010 ( 0.005 ms): sleep/5588 openat(dfd: CWD, filename: /etc/ld.so.cache, flags: RDONLY|CLOEXEC) = 3
+ 0.029 ( 0.006 ms): sleep/5588 openat(dfd: CWD, filename: /lib64/libc.so.6, flags: RDONLY|CLOEXEC) = 3
+ 0.194 ( 0.008 ms): sleep/5588 openat(dfd: CWD, filename: /usr/lib/locale/locale-archive, flags: RDONLY|CLOEXEC) = 3
+ [root@quaco ~]#
+
+Works, further verified with:
+
+ [root@quaco ~]# perf test vfs
+ 65: Use vfs_getname probe to get syscall args filenames : Ok
+ 66: Add vfs_getname probe to get syscall args filenames : Ok
+ 67: Check open filename arg using perf trace + vfs_getname: Ok
+ [root@quaco ~]#
+
+Reported-by: Michael Petlan <mpetlan@redhat.com>
+Tested-by: Michael Petlan <mpetlan@redhat.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lkml.kernel.org/n/tip-mv8kolk17xla1smvmp3qabv1@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-trace.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
+index 8e3c4ec00017..b224bf3f2b99 100644
+--- a/tools/perf/builtin-trace.c
++++ b/tools/perf/builtin-trace.c
+@@ -2109,19 +2109,30 @@ static size_t trace__fprintf_thread_summary(struct trace *trace, FILE *fp);
+
+ static bool perf_evlist__add_vfs_getname(struct perf_evlist *evlist)
+ {
+- struct perf_evsel *evsel = perf_evsel__newtp("probe", "vfs_getname");
++ bool found = false;
++ struct perf_evsel *evsel, *tmp;
++ struct parse_events_error err = { .idx = 0, };
++ int ret = parse_events(evlist, "probe:vfs_getname*", &err);
+
+- if (IS_ERR(evsel))
++ if (ret)
+ return false;
+
+- if (perf_evsel__field(evsel, "pathname") == NULL) {
++ evlist__for_each_entry_safe(evlist, evsel, tmp) {
++ if (!strstarts(perf_evsel__name(evsel), "probe:vfs_getname"))
++ continue;
++
++ if (perf_evsel__field(evsel, "pathname")) {
++ evsel->handler = trace__vfs_getname;
++ found = true;
++ continue;
++ }
++
++ list_del_init(&evsel->node);
++ evsel->evlist = NULL;
+ perf_evsel__delete(evsel);
+- return false;
+ }
+
+- evsel->handler = trace__vfs_getname;
+- perf_evlist__add(evlist, evsel);
+- return true;
++ return found;
+ }
+
+ static struct perf_evsel *perf_evsel__new_pgfault(u64 config)
+--
+2.19.1
+
--- /dev/null
+From 3d14d32ee8965a96065d906dd0a86ac84d0ea60a Mon Sep 17 00:00:00 2001
+From: Sinan Kaya <okaya@kernel.org>
+Date: Thu, 24 Jan 2019 19:31:01 +0000
+Subject: platform/x86: Fix unmet dependency warning for SAMSUNG_Q10
+
+[ Upstream commit 0ee4b5f801b73b83a9fb3921d725f2162fd4a2e5 ]
+
+Add BACKLIGHT_LCD_SUPPORT for SAMSUNG_Q10 to fix the
+warning: unmet direct dependencies detected for BACKLIGHT_CLASS_DEVICE.
+
+SAMSUNG_Q10 selects BACKLIGHT_CLASS_DEVICE but BACKLIGHT_CLASS_DEVICE
+depends on BACKLIGHT_LCD_SUPPORT.
+
+Copy BACKLIGHT_LCD_SUPPORT dependency into SAMSUNG_Q10 to fix:
+
+WARNING: unmet direct dependencies detected for BACKLIGHT_CLASS_DEVICE
+ Depends on [n]: HAS_IOMEM [=y] && BACKLIGHT_LCD_SUPPORT [=n]
+ Selected by [y]:
+ - SAMSUNG_Q10 [=y] && X86 [=y] && X86_PLATFORM_DEVICES [=y] && ACPI [=y]
+
+Signed-off-by: Sinan Kaya <okaya@kernel.org>
+Acked-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig
+index 80b87954f6dd..09035705d0a0 100644
+--- a/drivers/platform/x86/Kconfig
++++ b/drivers/platform/x86/Kconfig
+@@ -999,6 +999,7 @@ config INTEL_OAKTRAIL
+ config SAMSUNG_Q10
+ tristate "Samsung Q10 Extras"
+ depends on ACPI
++ depends on BACKLIGHT_LCD_SUPPORT
+ select BACKLIGHT_CLASS_DEVICE
+ ---help---
+ This driver provides support for backlight control on Samsung Q10
+--
+2.19.1
+
--- /dev/null
+From b4f157d010c2529555eb2d20e5c0a101c381357c Mon Sep 17 00:00:00 2001
+From: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+Date: Wed, 6 Feb 2019 14:43:44 -0800
+Subject: qed: Consider TX tcs while deriving the max num_queues for PF.
+
+[ Upstream commit fb1faab74ddef9ec2d841d54e5d0912a097b3abe ]
+
+Max supported queues is derived incorrectly in the case of multi-CoS.
+Need to consider TCs while calculating num_queues for PF.
+
+Signed-off-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+Signed-off-by: Ariel Elior <aelior@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_l2.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_l2.c b/drivers/net/ethernet/qlogic/qed/qed_l2.c
+index 4ffdde755db7..62cde3854a5c 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_l2.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_l2.c
+@@ -2170,7 +2170,7 @@ static int qed_fill_eth_dev_info(struct qed_dev *cdev,
+ u16 num_queues = 0;
+
+ /* Since the feature controls only queue-zones,
+- * make sure we have the contexts [rx, tx, xdp] to
++ * make sure we have the contexts [rx, xdp, tcs] to
+ * match.
+ */
+ for_each_hwfn(cdev, i) {
+@@ -2180,7 +2180,8 @@ static int qed_fill_eth_dev_info(struct qed_dev *cdev,
+ u16 cids;
+
+ cids = hwfn->pf_params.eth_pf_params.num_cons;
+- num_queues += min_t(u16, l2_queues, cids / 3);
++ cids /= (2 + info->num_tc);
++ num_queues += min_t(u16, l2_queues, cids);
+ }
+
+ /* queues might theoretically be >256, but interrupts'
+--
+2.19.1
+
--- /dev/null
+From 404ece56088d77cdcd4c2889750a83d2a71242bb Mon Sep 17 00:00:00 2001
+From: Manish Chopra <manishc@marvell.com>
+Date: Mon, 28 Jan 2019 10:05:04 -0800
+Subject: qed: Fix bug in tx promiscuous mode settings
+
+[ Upstream commit 9e71a15d8b5bbce25c637f7f8833cd3f45b65646 ]
+
+When running tx switched traffic between VNICs
+created via a bridge(to which VFs are added),
+adapter drops the unicast packets in tx flow due to
+VNIC's ucast mac being unknown to it. But VF interfaces
+being in promiscuous mode should have caused adapter
+to accept all the unknown ucast packets. Later, it
+was found that driver doesn't really configure tx
+promiscuous mode settings to accept all unknown unicast macs.
+
+This patch fixes tx promiscuous mode settings to accept all
+unknown/unmatched unicast macs and works out the scenario.
+
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Signed-off-by: Ariel Elior <aelior@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_l2.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_l2.c b/drivers/net/ethernet/qlogic/qed/qed_l2.c
+index 83c1c4fa102b..5191b575d57b 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_l2.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_l2.c
+@@ -607,6 +607,10 @@ qed_sp_update_accept_mode(struct qed_hwfn *p_hwfn,
+ (!!(accept_filter & QED_ACCEPT_MCAST_MATCHED) &&
+ !!(accept_filter & QED_ACCEPT_MCAST_UNMATCHED)));
+
++ SET_FIELD(state, ETH_VPORT_TX_MODE_UCAST_ACCEPT_ALL,
++ (!!(accept_filter & QED_ACCEPT_UCAST_MATCHED) &&
++ !!(accept_filter & QED_ACCEPT_UCAST_UNMATCHED)));
++
+ SET_FIELD(state, ETH_VPORT_TX_MODE_BCAST_ACCEPT_ALL,
+ !!(accept_filter & QED_ACCEPT_BCAST));
+
+@@ -2640,7 +2644,8 @@ static int qed_configure_filter_rx_mode(struct qed_dev *cdev,
+ if (type == QED_FILTER_RX_MODE_TYPE_PROMISC) {
+ accept_flags.rx_accept_filter |= QED_ACCEPT_UCAST_UNMATCHED |
+ QED_ACCEPT_MCAST_UNMATCHED;
+- accept_flags.tx_accept_filter |= QED_ACCEPT_MCAST_UNMATCHED;
++ accept_flags.tx_accept_filter |= QED_ACCEPT_UCAST_UNMATCHED |
++ QED_ACCEPT_MCAST_UNMATCHED;
+ } else if (type == QED_FILTER_RX_MODE_TYPE_MULTI_PROMISC) {
+ accept_flags.rx_accept_filter |= QED_ACCEPT_MCAST_UNMATCHED;
+ accept_flags.tx_accept_filter |= QED_ACCEPT_MCAST_UNMATCHED;
+--
+2.19.1
+
--- /dev/null
+From 5ff098a3aab35ed2c39d45eadadf51276b70438b Mon Sep 17 00:00:00 2001
+From: Manish Chopra <manishc@marvell.com>
+Date: Wed, 6 Feb 2019 14:43:42 -0800
+Subject: qed: Fix EQ full firmware assert.
+
+[ Upstream commit 660492bcf4a7561b5fdc13be0ae0b0c0a8c120be ]
+
+When slowpath messages are sent with high rate, the resulting
+events can lead to a FW assert in case they are not handled fast
+enough (Event Queue Full assert). Attempt to send queued slowpath
+messages only after the newly evacuated entries in the EQ ring
+are indicated to FW.
+
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Signed-off-by: Ariel Elior <aelior@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_sp.h | 1 +
+ drivers/net/ethernet/qlogic/qed/qed_spq.c | 15 +++++++--------
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_sp.h b/drivers/net/ethernet/qlogic/qed/qed_sp.h
+index 01a213d4ee9c..e7192f3babc2 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_sp.h
++++ b/drivers/net/ethernet/qlogic/qed/qed_sp.h
+@@ -380,6 +380,7 @@ void qed_consq_setup(struct qed_hwfn *p_hwfn);
+ * @param p_hwfn
+ */
+ void qed_consq_free(struct qed_hwfn *p_hwfn);
++int qed_spq_pend_post(struct qed_hwfn *p_hwfn);
+
+ /**
+ * @file
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_spq.c b/drivers/net/ethernet/qlogic/qed/qed_spq.c
+index 467755b6dd0b..01f8e2b5cb6c 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_spq.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_spq.c
+@@ -404,6 +404,11 @@ int qed_eq_completion(struct qed_hwfn *p_hwfn, void *cookie)
+
+ qed_eq_prod_update(p_hwfn, qed_chain_get_prod_idx(p_chain));
+
++ /* Attempt to post pending requests */
++ spin_lock_bh(&p_hwfn->p_spq->lock);
++ rc = qed_spq_pend_post(p_hwfn);
++ spin_unlock_bh(&p_hwfn->p_spq->lock);
++
+ return rc;
+ }
+
+@@ -747,7 +752,7 @@ static int qed_spq_post_list(struct qed_hwfn *p_hwfn,
+ return 0;
+ }
+
+-static int qed_spq_pend_post(struct qed_hwfn *p_hwfn)
++int qed_spq_pend_post(struct qed_hwfn *p_hwfn)
+ {
+ struct qed_spq *p_spq = p_hwfn->p_spq;
+ struct qed_spq_entry *p_ent = NULL;
+@@ -879,7 +884,6 @@ int qed_spq_completion(struct qed_hwfn *p_hwfn,
+ struct qed_spq_entry *p_ent = NULL;
+ struct qed_spq_entry *tmp;
+ struct qed_spq_entry *found = NULL;
+- int rc;
+
+ if (!p_hwfn)
+ return -EINVAL;
+@@ -937,12 +941,7 @@ int qed_spq_completion(struct qed_hwfn *p_hwfn,
+ */
+ qed_spq_return_entry(p_hwfn, found);
+
+- /* Attempt to post pending requests */
+- spin_lock_bh(&p_spq->lock);
+- rc = qed_spq_pend_post(p_hwfn);
+- spin_unlock_bh(&p_spq->lock);
+-
+- return rc;
++ return 0;
+ }
+
+ int qed_consq_alloc(struct qed_hwfn *p_hwfn)
+--
+2.19.1
+
--- /dev/null
+From 40af4e9572b399cd921743e75b10a6b47cb0de03 Mon Sep 17 00:00:00 2001
+From: Manish Chopra <manishc@marvell.com>
+Date: Mon, 28 Jan 2019 10:05:05 -0800
+Subject: qed: Fix LACP pdu drops for VFs
+
+[ Upstream commit ff9296966e5e00b0d0d00477b2365a178f0f06a3 ]
+
+VF is always configured to drop control frames
+(with reserved mac addresses) but to work LACP
+on the VFs, it would require LACP control frames
+to be forwarded or transmitted successfully.
+
+This patch fixes this in such a way that trusted VFs
+(marked through ndo_set_vf_trust) would be allowed to
+pass the control frames such as LACP pdus.
+
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Signed-off-by: Ariel Elior <aelior@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_l2.c | 5 +++++
+ drivers/net/ethernet/qlogic/qed/qed_l2.h | 3 +++
+ drivers/net/ethernet/qlogic/qed/qed_sriov.c | 10 ++++++++--
+ 3 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_l2.c b/drivers/net/ethernet/qlogic/qed/qed_l2.c
+index 5191b575d57b..4ffdde755db7 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_l2.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_l2.c
+@@ -747,6 +747,11 @@ int qed_sp_vport_update(struct qed_hwfn *p_hwfn,
+ return rc;
+ }
+
++ if (p_params->update_ctl_frame_check) {
++ p_cmn->ctl_frame_mac_check_en = p_params->mac_chk_en;
++ p_cmn->ctl_frame_ethtype_check_en = p_params->ethtype_chk_en;
++ }
++
+ /* Update mcast bins for VFs, PF doesn't use this functionality */
+ qed_sp_update_mcast_bin(p_hwfn, p_ramrod, p_params);
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_l2.h b/drivers/net/ethernet/qlogic/qed/qed_l2.h
+index 91d383f3a661..7c41142452a3 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_l2.h
++++ b/drivers/net/ethernet/qlogic/qed/qed_l2.h
+@@ -218,6 +218,9 @@ struct qed_sp_vport_update_params {
+ struct qed_rss_params *rss_params;
+ struct qed_filter_accept_flags accept_flags;
+ struct qed_sge_tpa_params *sge_tpa_params;
++ u8 update_ctl_frame_check;
++ u8 mac_chk_en;
++ u8 ethtype_chk_en;
+ };
+
+ int qed_sp_vport_update(struct qed_hwfn *p_hwfn,
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_sriov.c b/drivers/net/ethernet/qlogic/qed/qed_sriov.c
+index c6411158afd7..65a53d409e77 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_sriov.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.c
+@@ -1963,7 +1963,9 @@ static void qed_iov_vf_mbx_start_vport(struct qed_hwfn *p_hwfn,
+ params.vport_id = vf->vport_id;
+ params.max_buffers_per_cqe = start->max_buffers_per_cqe;
+ params.mtu = vf->mtu;
+- params.check_mac = true;
++
++ /* Non trusted VFs should enable control frame filtering */
++ params.check_mac = !vf->p_vf_info.is_trusted_configured;
+
+ rc = qed_sp_eth_vport_start(p_hwfn, ¶ms);
+ if (rc) {
+@@ -4910,6 +4912,9 @@ static void qed_iov_handle_trust_change(struct qed_hwfn *hwfn)
+ params.opaque_fid = vf->opaque_fid;
+ params.vport_id = vf->vport_id;
+
++ params.update_ctl_frame_check = 1;
++ params.mac_chk_en = !vf_info->is_trusted_configured;
++
+ if (vf_info->rx_accept_mode & mask) {
+ flags->update_rx_mode_config = 1;
+ flags->rx_accept_filter = vf_info->rx_accept_mode;
+@@ -4927,7 +4932,8 @@ static void qed_iov_handle_trust_change(struct qed_hwfn *hwfn)
+ }
+
+ if (flags->update_rx_mode_config ||
+- flags->update_tx_mode_config)
++ flags->update_tx_mode_config ||
++ params.update_ctl_frame_check)
+ qed_sp_vport_update(hwfn, ¶ms,
+ QED_SPQ_MODE_EBLOCK, NULL);
+ }
+--
+2.19.1
+
--- /dev/null
+From bbf10850adc75d4ac5694d7edce0f7b063f96923 Mon Sep 17 00:00:00 2001
+From: Manish Chopra <manishc@marvell.com>
+Date: Mon, 28 Jan 2019 10:05:08 -0800
+Subject: qed: Fix stack out of bounds bug
+
+[ Upstream commit ffb057f98928aa099b08e419bbe5afc26ec9f448 ]
+
+KASAN reported following bug in qed_init_qm_get_idx_from_flags
+due to inappropriate casting of "pq_flags". Fix the type of "pq_flags".
+
+[ 196.624707] BUG: KASAN: stack-out-of-bounds in qed_init_qm_get_idx_from_flags+0x1a4/0x1b8 [qed]
+[ 196.624712] Read of size 8 at addr ffff809b00bc7360 by task kworker/0:9/1712
+[ 196.624714]
+[ 196.624720] CPU: 0 PID: 1712 Comm: kworker/0:9 Not tainted 4.18.0-60.el8.aarch64+debug #1
+[ 196.624723] Hardware name: To be filled by O.E.M. Saber/Saber, BIOS 0ACKL024 09/26/2018
+[ 196.624733] Workqueue: events work_for_cpu_fn
+[ 196.624738] Call trace:
+[ 196.624742] dump_backtrace+0x0/0x2f8
+[ 196.624745] show_stack+0x24/0x30
+[ 196.624749] dump_stack+0xe0/0x11c
+[ 196.624755] print_address_description+0x68/0x260
+[ 196.624759] kasan_report+0x178/0x340
+[ 196.624762] __asan_report_load_n_noabort+0x38/0x48
+[ 196.624786] qed_init_qm_get_idx_from_flags+0x1a4/0x1b8 [qed]
+[ 196.624808] qed_init_qm_info+0xec0/0x2200 [qed]
+[ 196.624830] qed_resc_alloc+0x284/0x7e8 [qed]
+[ 196.624853] qed_slowpath_start+0x6cc/0x1ae8 [qed]
+[ 196.624864] __qede_probe.isra.10+0x1cc/0x12c0 [qede]
+[ 196.624874] qede_probe+0x78/0xf0 [qede]
+[ 196.624879] local_pci_probe+0xc4/0x180
+[ 196.624882] work_for_cpu_fn+0x54/0x98
+[ 196.624885] process_one_work+0x758/0x1900
+[ 196.624888] worker_thread+0x4e0/0xd18
+[ 196.624892] kthread+0x2c8/0x350
+[ 196.624897] ret_from_fork+0x10/0x18
+[ 196.624899]
+[ 196.624902] Allocated by task 2:
+[ 196.624906] kasan_kmalloc.part.1+0x40/0x108
+[ 196.624909] kasan_kmalloc+0xb4/0xc8
+[ 196.624913] kasan_slab_alloc+0x14/0x20
+[ 196.624916] kmem_cache_alloc_node+0x1dc/0x480
+[ 196.624921] copy_process.isra.1.part.2+0x1d8/0x4a98
+[ 196.624924] _do_fork+0x150/0xfa0
+[ 196.624926] kernel_thread+0x48/0x58
+[ 196.624930] kthreadd+0x3a4/0x5a0
+[ 196.624932] ret_from_fork+0x10/0x18
+[ 196.624934]
+[ 196.624937] Freed by task 0:
+[ 196.624938] (stack is not available)
+[ 196.624940]
+[ 196.624943] The buggy address belongs to the object at ffff809b00bc0000
+[ 196.624943] which belongs to the cache thread_stack of size 32768
+[ 196.624946] The buggy address is located 29536 bytes inside of
+[ 196.624946] 32768-byte region [ffff809b00bc0000, ffff809b00bc8000)
+[ 196.624948] The buggy address belongs to the page:
+[ 196.624952] page:ffff7fe026c02e00 count:1 mapcount:0 mapping:ffff809b4001c000 index:0x0 compound_mapcount: 0
+[ 196.624960] flags: 0xfffff8000008100(slab|head)
+[ 196.624967] raw: 0fffff8000008100 dead000000000100 dead000000000200 ffff809b4001c000
+[ 196.624970] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
+[ 196.624973] page dumped because: kasan: bad access detected
+[ 196.624974]
+[ 196.624976] Memory state around the buggy address:
+[ 196.624980] ffff809b00bc7200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 196.624983] ffff809b00bc7280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 196.624985] >ffff809b00bc7300: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2
+[ 196.624988] ^
+[ 196.624990] ffff809b00bc7380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 196.624993] ffff809b00bc7400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 196.624995] ==================================================================
+
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Signed-off-by: Ariel Elior <aelior@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_dev.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+index 16953c4ebd71..410528e7d927 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+@@ -435,19 +435,19 @@ static void qed_init_qm_pq(struct qed_hwfn *p_hwfn,
+
+ /* get pq index according to PQ_FLAGS */
+ static u16 *qed_init_qm_get_idx_from_flags(struct qed_hwfn *p_hwfn,
+- u32 pq_flags)
++ unsigned long pq_flags)
+ {
+ struct qed_qm_info *qm_info = &p_hwfn->qm_info;
+
+ /* Can't have multiple flags set here */
+- if (bitmap_weight((unsigned long *)&pq_flags,
++ if (bitmap_weight(&pq_flags,
+ sizeof(pq_flags) * BITS_PER_BYTE) > 1) {
+- DP_ERR(p_hwfn, "requested multiple pq flags 0x%x\n", pq_flags);
++ DP_ERR(p_hwfn, "requested multiple pq flags 0x%lx\n", pq_flags);
+ goto err;
+ }
+
+ if (!(qed_get_pq_flags(p_hwfn) & pq_flags)) {
+- DP_ERR(p_hwfn, "pq flag 0x%x is not set\n", pq_flags);
++ DP_ERR(p_hwfn, "pq flag 0x%lx is not set\n", pq_flags);
+ goto err;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From d58a01289d51dffc211e62ac31cc441681984a93 Mon Sep 17 00:00:00 2001
+From: Manish Chopra <manishc@marvell.com>
+Date: Mon, 28 Jan 2019 10:05:07 -0800
+Subject: qed: Fix system crash in ll2 xmit
+
+[ Upstream commit 7c81626a3c37e4ac320b8ad785694ba498f24794 ]
+
+Cache number of fragments in the skb locally as in case
+of linear skb (with zero fragments), tx completion
+(or freeing of skb) may happen before driver tries
+to get number of frgaments from the skb which could
+lead to stale access to an already freed skb.
+
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Signed-off-by: Ariel Elior <aelior@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_ll2.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_ll2.c b/drivers/net/ethernet/qlogic/qed/qed_ll2.c
+index cef619f0ce10..e82adea55ce9 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_ll2.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_ll2.c
+@@ -2299,19 +2299,24 @@ static int qed_ll2_start_xmit(struct qed_dev *cdev, struct sk_buff *skb)
+ {
+ struct qed_ll2_tx_pkt_info pkt;
+ const skb_frag_t *frag;
++ u8 flags = 0, nr_frags;
+ int rc = -EINVAL, i;
+ dma_addr_t mapping;
+ u16 vlan = 0;
+- u8 flags = 0;
+
+ if (unlikely(skb->ip_summed != CHECKSUM_NONE)) {
+ DP_INFO(cdev, "Cannot transmit a checksumed packet\n");
+ return -EINVAL;
+ }
+
+- if (1 + skb_shinfo(skb)->nr_frags > CORE_LL2_TX_MAX_BDS_PER_PACKET) {
++ /* Cache number of fragments from SKB since SKB may be freed by
++ * the completion routine after calling qed_ll2_prepare_tx_packet()
++ */
++ nr_frags = skb_shinfo(skb)->nr_frags;
++
++ if (1 + nr_frags > CORE_LL2_TX_MAX_BDS_PER_PACKET) {
+ DP_ERR(cdev, "Cannot transmit a packet with %d fragments\n",
+- 1 + skb_shinfo(skb)->nr_frags);
++ 1 + nr_frags);
+ return -EINVAL;
+ }
+
+@@ -2333,7 +2338,7 @@ static int qed_ll2_start_xmit(struct qed_dev *cdev, struct sk_buff *skb)
+ }
+
+ memset(&pkt, 0, sizeof(pkt));
+- pkt.num_of_bds = 1 + skb_shinfo(skb)->nr_frags;
++ pkt.num_of_bds = 1 + nr_frags;
+ pkt.vlan = vlan;
+ pkt.bd_flags = flags;
+ pkt.tx_dest = QED_LL2_TX_DEST_NW;
+@@ -2341,12 +2346,17 @@ static int qed_ll2_start_xmit(struct qed_dev *cdev, struct sk_buff *skb)
+ pkt.first_frag_len = skb->len;
+ pkt.cookie = skb;
+
++ /* qed_ll2_prepare_tx_packet() may actually send the packet if
++ * there are no fragments in the skb and subsequently the completion
++ * routine may run and free the SKB, so no dereferencing the SKB
++ * beyond this point unless skb has any fragments.
++ */
+ rc = qed_ll2_prepare_tx_packet(&cdev->hwfns[0], cdev->ll2->handle,
+ &pkt, 1);
+ if (rc)
+ goto err;
+
+- for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
++ for (i = 0; i < nr_frags; i++) {
+ frag = &skb_shinfo(skb)->frags[i];
+
+ mapping = skb_frag_dma_map(&cdev->pdev->dev, frag, 0,
+--
+2.19.1
+
--- /dev/null
+From 3146b2717fa22f7afccd3b47f4bd53aac243121b Mon Sep 17 00:00:00 2001
+From: Manish Chopra <manishc@marvell.com>
+Date: Mon, 28 Jan 2019 10:05:06 -0800
+Subject: qed: Fix VF probe failure while FLR
+
+[ Upstream commit 327852ec64205bb651be391a069784872098a3b2 ]
+
+VFs may hit VF-PF channel timeout while probing, as in some
+cases it was observed that VF FLR and VF "acquire" message
+transaction (i.e first message from VF to PF in VF's probe flow)
+could occur simultaneously which could lead VF to fail sending
+"acquire" message to PF as VF is marked disabled from HW perspective
+due to FLR, which will result into channel timeout and VF probe failure.
+
+In such cases, try retrying VF "acquire" message so that in later
+attempts it could be successful to pass message to PF after the VF
+FLR is completed and can be probed successfully.
+
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Signed-off-by: Ariel Elior <aelior@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_vf.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_vf.c b/drivers/net/ethernet/qlogic/qed/qed_vf.c
+index dd8ebf6d380f..3220086f99de 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_vf.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_vf.c
+@@ -261,6 +261,7 @@ static int qed_vf_pf_acquire(struct qed_hwfn *p_hwfn)
+ struct pfvf_acquire_resp_tlv *resp = &p_iov->pf2vf_reply->acquire_resp;
+ struct pf_vf_pfdev_info *pfdev_info = &resp->pfdev_info;
+ struct vf_pf_resc_request *p_resc;
++ u8 retry_cnt = VF_ACQUIRE_THRESH;
+ bool resources_acquired = false;
+ struct vfpf_acquire_tlv *req;
+ int rc = 0, attempts = 0;
+@@ -314,6 +315,15 @@ static int qed_vf_pf_acquire(struct qed_hwfn *p_hwfn)
+
+ /* send acquire request */
+ rc = qed_send_msg2pf(p_hwfn, &resp->hdr.status, sizeof(*resp));
++
++ /* Re-try acquire in case of vf-pf hw channel timeout */
++ if (retry_cnt && rc == -EBUSY) {
++ DP_VERBOSE(p_hwfn, QED_MSG_IOV,
++ "VF retrying to acquire due to VPC timeout\n");
++ retry_cnt--;
++ continue;
++ }
++
+ if (rc)
+ goto exit;
+
+--
+2.19.1
+
--- /dev/null
+From 3d975d404eb6f4cb5cb091e5e5893bb929373361 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 31 Jan 2019 13:57:58 +0100
+Subject: relay: check return of create_buf_file() properly
+
+[ Upstream commit 2c1cf00eeacb784781cf1c9896b8af001246d339 ]
+
+If create_buf_file() returns an error, don't try to reference it later
+as a valid dentry pointer.
+
+This problem was exposed when debugfs started to return errors instead
+of just NULL for some calls when they do not succeed properly.
+
+Also, the check for WARN_ON(dentry) was just wrong :)
+
+Reported-by: Kees Cook <keescook@chromium.org>
+Reported-and-tested-by: syzbot+16c3a70e1e9b29346c43@syzkaller.appspotmail.com
+Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: David Rientjes <rientjes@google.com>
+Fixes: ff9fb72bc077 ("debugfs: return error values, not NULL")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/relay.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/relay.c b/kernel/relay.c
+index 1537158c67b3..61d37e6da22d 100644
+--- a/kernel/relay.c
++++ b/kernel/relay.c
+@@ -427,6 +427,8 @@ static struct dentry *relay_create_buf_file(struct rchan *chan,
+ dentry = chan->cb->create_buf_file(tmpname, chan->parent,
+ S_IRUSR, buf,
+ &chan->is_global);
++ if (IS_ERR(dentry))
++ dentry = NULL;
+
+ kfree(tmpname);
+
+@@ -460,7 +462,7 @@ static struct rchan_buf *relay_open_buf(struct rchan *chan, unsigned int cpu)
+ dentry = chan->cb->create_buf_file(NULL, NULL,
+ S_IRUSR, buf,
+ &chan->is_global);
+- if (WARN_ON(dentry))
++ if (IS_ERR_OR_NULL(dentry))
+ goto free_buf;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From e93ece11820b33ceac06d17ac5b0d05c58b8d2d1 Mon Sep 17 00:00:00 2001
+From: Julian Wiedmann <jwi@linux.ibm.com>
+Date: Mon, 4 Feb 2019 17:40:07 +0100
+Subject: s390/qeth: fix use-after-free in error path
+
+[ Upstream commit afa0c5904ba16d59b0454f7ee4c807dae350f432 ]
+
+The error path in qeth_alloc_qdio_buffers() that takes care of
+cleaning up the Output Queues is buggy. It first frees the queue, but
+then calls qeth_clear_outq_buffers() with that very queue struct.
+
+Make the call to qeth_clear_outq_buffers() part of the free action
+(in the correct order), and while at it fix the naming of the helper.
+
+Fixes: 0da9581ddb0f ("qeth: exploit asynchronous delivery of storage blocks")
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/net/qeth_core_main.c | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c
+index 69ef5f4060ed..6566fceef38d 100644
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -2472,11 +2472,12 @@ static int qeth_init_qdio_out_buf(struct qeth_qdio_out_q *q, int bidx)
+ return rc;
+ }
+
+-static void qeth_free_qdio_out_buf(struct qeth_qdio_out_q *q)
++static void qeth_free_output_queue(struct qeth_qdio_out_q *q)
+ {
+ if (!q)
+ return;
+
++ qeth_clear_outq_buffers(q, 1);
+ qdio_free_buffers(q->qdio_bufs, QDIO_MAX_BUFFERS_PER_Q);
+ kfree(q);
+ }
+@@ -2549,10 +2550,8 @@ static int qeth_alloc_qdio_buffers(struct qeth_card *card)
+ card->qdio.out_qs[i]->bufs[j] = NULL;
+ }
+ out_freeoutq:
+- while (i > 0) {
+- qeth_free_qdio_out_buf(card->qdio.out_qs[--i]);
+- qeth_clear_outq_buffers(card->qdio.out_qs[i], 1);
+- }
++ while (i > 0)
++ qeth_free_output_queue(card->qdio.out_qs[--i]);
+ kfree(card->qdio.out_qs);
+ card->qdio.out_qs = NULL;
+ out_freepool:
+@@ -2585,10 +2584,8 @@ static void qeth_free_qdio_buffers(struct qeth_card *card)
+ qeth_free_buffer_pool(card);
+ /* free outbound qdio_qs */
+ if (card->qdio.out_qs) {
+- for (i = 0; i < card->qdio.no_out_queues; ++i) {
+- qeth_clear_outq_buffers(card->qdio.out_qs[i], 1);
+- qeth_free_qdio_out_buf(card->qdio.out_qs[i]);
+- }
++ for (i = 0; i < card->qdio.no_out_queues; i++)
++ qeth_free_output_queue(card->qdio.out_qs[i]);
+ kfree(card->qdio.out_qs);
+ card->qdio.out_qs = NULL;
+ }
+--
+2.19.1
+
--- /dev/null
+From 6a59723e7027eff315524d5e24020b76ac2a8033 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 24 Jan 2019 13:33:27 +0300
+Subject: scsi: 53c700: pass correct "dev" to dma_alloc_attrs()
+
+[ Upstream commit 8437fcf14deed67e5ad90b5e8abf62fb20f30881 ]
+
+The "hostdata->dev" pointer is NULL here. We set "hostdata->dev = dev;"
+later in the function and we also use "hostdata->dev" when we call
+dma_free_attrs() in NCR_700_release().
+
+This bug predates git version control.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/53c700.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/53c700.c b/drivers/scsi/53c700.c
+index 6be77b3aa8a5..ac79f2088b31 100644
+--- a/drivers/scsi/53c700.c
++++ b/drivers/scsi/53c700.c
+@@ -295,7 +295,7 @@ NCR_700_detect(struct scsi_host_template *tpnt,
+ if(tpnt->sdev_attrs == NULL)
+ tpnt->sdev_attrs = NCR_700_dev_attrs;
+
+- memory = dma_alloc_attrs(hostdata->dev, TOTAL_MEM_SIZE, &pScript,
++ memory = dma_alloc_attrs(dev, TOTAL_MEM_SIZE, &pScript,
+ GFP_KERNEL, DMA_ATTR_NON_CONSISTENT);
+ if(memory == NULL) {
+ printk(KERN_ERR "53c700: Failed to allocate memory for driver, detaching\n");
+--
+2.19.1
+
--- /dev/null
+From 0de1c7f4ab3a6edd27eeaad0581d50d0b7266af3 Mon Sep 17 00:00:00 2001
+From: Ming Lu <ming.lu@citrix.com>
+Date: Thu, 24 Jan 2019 13:25:42 +0800
+Subject: scsi: libfc: free skb when receiving invalid flogi resp
+
+[ Upstream commit 5d8fc4a9f0eec20b6c07895022a6bea3fb6dfb38 ]
+
+The issue to be fixed in this commit is when libfc found it received a
+invalid FLOGI response from FC switch, it would return without freeing the
+fc frame, which is just the skb data. This would cause memory leak if FC
+switch keeps sending invalid FLOGI responses.
+
+This fix is just to make it execute `fc_frame_free(fp)` before returning
+from function `fc_lport_flogi_resp`.
+
+Signed-off-by: Ming Lu <ming.lu@citrix.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libfc/fc_lport.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/libfc/fc_lport.c b/drivers/scsi/libfc/fc_lport.c
+index 2fd0ec651170..ca7967e390f1 100644
+--- a/drivers/scsi/libfc/fc_lport.c
++++ b/drivers/scsi/libfc/fc_lport.c
+@@ -1739,14 +1739,14 @@ void fc_lport_flogi_resp(struct fc_seq *sp, struct fc_frame *fp,
+ fc_frame_payload_op(fp) != ELS_LS_ACC) {
+ FC_LPORT_DBG(lport, "FLOGI not accepted or bad response\n");
+ fc_lport_error(lport, fp);
+- goto err;
++ goto out;
+ }
+
+ flp = fc_frame_payload_get(fp, sizeof(*flp));
+ if (!flp) {
+ FC_LPORT_DBG(lport, "FLOGI bad response\n");
+ fc_lport_error(lport, fp);
+- goto err;
++ goto out;
+ }
+
+ mfs = ntohs(flp->fl_csp.sp_bb_data) &
+@@ -1756,7 +1756,7 @@ void fc_lport_flogi_resp(struct fc_seq *sp, struct fc_frame *fp,
+ FC_LPORT_DBG(lport, "FLOGI bad mfs:%hu response, "
+ "lport->mfs:%hu\n", mfs, lport->mfs);
+ fc_lport_error(lport, fp);
+- goto err;
++ goto out;
+ }
+
+ if (mfs <= lport->mfs) {
+--
+2.19.1
+
--- /dev/null
+From 05f1df6195f97ecb244b41c400c36e2dff5c59aa Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 10 Jan 2019 12:38:02 +0000
+Subject: selftests: cpu-hotplug: fix case where CPUs offline > CPUs present
+
+[ Upstream commit 2b531b6137834a55857a337ac17510d6436b6fbb ]
+
+The cpu-hotplug test assumes that we can offline the maximum CPU as
+described by /sys/devices/system/cpu/offline. However, in the case
+where the number of CPUs exceeds like kernel configuration then
+the offline count can be greater than the present count and we end
+up trying to test the offlining of a CPU that is not available to
+offline. Fix this by testing the maximum present CPU instead.
+
+Also, the test currently offlines the CPU and does not online it,
+so fix this by onlining the CPU after the test.
+
+Fixes: d89dffa976bc ("fault-injection: add selftests for cpu and memory hotplug")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Shuah Khan <shuah@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/cpu-hotplug/cpu-on-off-test.sh | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh b/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh
+index f3a8933c1275..49ccd2293343 100755
+--- a/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh
++++ b/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh
+@@ -35,6 +35,10 @@ prerequisite()
+ exit 0
+ fi
+
++ present_cpus=`cat $SYSFS/devices/system/cpu/present`
++ present_max=${present_cpus##*-}
++ echo "present_cpus = $present_cpus present_max = $present_max"
++
+ echo -e "\t Cpus in online state: $online_cpus"
+
+ offline_cpus=`cat $SYSFS/devices/system/cpu/offline`
+@@ -149,6 +153,8 @@ online_cpus=0
+ online_max=0
+ offline_cpus=0
+ offline_max=0
++present_cpus=0
++present_max=0
+
+ while getopts e:ahp: opt; do
+ case $opt in
+@@ -188,9 +194,10 @@ if [ $allcpus -eq 0 ]; then
+ online_cpu_expect_success $online_max
+
+ if [[ $offline_cpus -gt 0 ]]; then
+- echo -e "\t offline to online to offline: cpu $offline_max"
+- online_cpu_expect_success $offline_max
+- offline_cpu_expect_success $offline_max
++ echo -e "\t offline to online to offline: cpu $present_max"
++ online_cpu_expect_success $present_max
++ offline_cpu_expect_success $present_max
++ online_cpu $present_max
+ fi
+ exit 0
+ else
+--
+2.19.1
+
--- /dev/null
+From 47bf7db1af95933abcb920057e637fb19acdd09a Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 29 Jan 2019 15:16:23 +0100
+Subject: selftests: netfilter: add simple masq/redirect test cases
+
+[ Upstream commit 98bfc3414bda335dbd7fec58bde6266f991801d7 ]
+
+Check basic nat/redirect/masquerade for ipv4 and ipv6.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/netfilter/Makefile | 2 +-
+ tools/testing/selftests/netfilter/nft_nat.sh | 762 +++++++++++++++++++
+ 2 files changed, 763 insertions(+), 1 deletion(-)
+ create mode 100755 tools/testing/selftests/netfilter/nft_nat.sh
+
+diff --git a/tools/testing/selftests/netfilter/Makefile b/tools/testing/selftests/netfilter/Makefile
+index 47ed6cef93fb..c9ff2b47bd1c 100644
+--- a/tools/testing/selftests/netfilter/Makefile
++++ b/tools/testing/selftests/netfilter/Makefile
+@@ -1,6 +1,6 @@
+ # SPDX-License-Identifier: GPL-2.0
+ # Makefile for netfilter selftests
+
+-TEST_PROGS := nft_trans_stress.sh
++TEST_PROGS := nft_trans_stress.sh nft_nat.sh
+
+ include ../lib.mk
+diff --git a/tools/testing/selftests/netfilter/nft_nat.sh b/tools/testing/selftests/netfilter/nft_nat.sh
+new file mode 100755
+index 000000000000..8ec76681605c
+--- /dev/null
++++ b/tools/testing/selftests/netfilter/nft_nat.sh
+@@ -0,0 +1,762 @@
++#!/bin/bash
++#
++# This test is for basic NAT functionality: snat, dnat, redirect, masquerade.
++#
++
++# Kselftest framework requirement - SKIP code is 4.
++ksft_skip=4
++ret=0
++
++nft --version > /dev/null 2>&1
++if [ $? -ne 0 ];then
++ echo "SKIP: Could not run test without nft tool"
++ exit $ksft_skip
++fi
++
++ip -Version > /dev/null 2>&1
++if [ $? -ne 0 ];then
++ echo "SKIP: Could not run test without ip tool"
++ exit $ksft_skip
++fi
++
++ip netns add ns0
++ip netns add ns1
++ip netns add ns2
++
++ip link add veth0 netns ns0 type veth peer name eth0 netns ns1
++ip link add veth1 netns ns0 type veth peer name eth0 netns ns2
++
++ip -net ns0 link set lo up
++ip -net ns0 link set veth0 up
++ip -net ns0 addr add 10.0.1.1/24 dev veth0
++ip -net ns0 addr add dead:1::1/64 dev veth0
++
++ip -net ns0 link set veth1 up
++ip -net ns0 addr add 10.0.2.1/24 dev veth1
++ip -net ns0 addr add dead:2::1/64 dev veth1
++
++for i in 1 2; do
++ ip -net ns$i link set lo up
++ ip -net ns$i link set eth0 up
++ ip -net ns$i addr add 10.0.$i.99/24 dev eth0
++ ip -net ns$i route add default via 10.0.$i.1
++ ip -net ns$i addr add dead:$i::99/64 dev eth0
++ ip -net ns$i route add default via dead:$i::1
++done
++
++bad_counter()
++{
++ local ns=$1
++ local counter=$2
++ local expect=$3
++
++ echo "ERROR: $counter counter in $ns has unexpected value (expected $expect)" 1>&2
++ ip netns exec $ns nft list counter inet filter $counter 1>&2
++}
++
++check_counters()
++{
++ ns=$1
++ local lret=0
++
++ cnt=$(ip netns exec $ns nft list counter inet filter ns0in | grep -q "packets 1 bytes 84")
++ if [ $? -ne 0 ]; then
++ bad_counter $ns ns0in "packets 1 bytes 84"
++ lret=1
++ fi
++ cnt=$(ip netns exec $ns nft list counter inet filter ns0out | grep -q "packets 1 bytes 84")
++ if [ $? -ne 0 ]; then
++ bad_counter $ns ns0out "packets 1 bytes 84"
++ lret=1
++ fi
++
++ expect="packets 1 bytes 104"
++ cnt=$(ip netns exec $ns nft list counter inet filter ns0in6 | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter $ns ns0in6 "$expect"
++ lret=1
++ fi
++ cnt=$(ip netns exec $ns nft list counter inet filter ns0out6 | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter $ns ns0out6 "$expect"
++ lret=1
++ fi
++
++ return $lret
++}
++
++check_ns0_counters()
++{
++ local ns=$1
++ local lret=0
++
++ cnt=$(ip netns exec ns0 nft list counter inet filter ns0in | grep -q "packets 0 bytes 0")
++ if [ $? -ne 0 ]; then
++ bad_counter ns0 ns0in "packets 0 bytes 0"
++ lret=1
++ fi
++
++ cnt=$(ip netns exec ns0 nft list counter inet filter ns0in6 | grep -q "packets 0 bytes 0")
++ if [ $? -ne 0 ]; then
++ bad_counter ns0 ns0in6 "packets 0 bytes 0"
++ lret=1
++ fi
++
++ cnt=$(ip netns exec ns0 nft list counter inet filter ns0out | grep -q "packets 0 bytes 0")
++ if [ $? -ne 0 ]; then
++ bad_counter ns0 ns0out "packets 0 bytes 0"
++ lret=1
++ fi
++ cnt=$(ip netns exec ns0 nft list counter inet filter ns0out6 | grep -q "packets 0 bytes 0")
++ if [ $? -ne 0 ]; then
++ bad_counter ns0 ns0out6 "packets 0 bytes 0"
++ lret=1
++ fi
++
++ for dir in "in" "out" ; do
++ expect="packets 1 bytes 84"
++ cnt=$(ip netns exec ns0 nft list counter inet filter ${ns}${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns0 $ns$dir "$expect"
++ lret=1
++ fi
++
++ expect="packets 1 bytes 104"
++ cnt=$(ip netns exec ns0 nft list counter inet filter ${ns}${dir}6 | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns0 $ns$dir6 "$expect"
++ lret=1
++ fi
++ done
++
++ return $lret
++}
++
++reset_counters()
++{
++ for i in 0 1 2;do
++ ip netns exec ns$i nft reset counters inet > /dev/null
++ done
++}
++
++test_local_dnat6()
++{
++ local lret=0
++ip netns exec ns0 nft -f - <<EOF
++table ip6 nat {
++ chain output {
++ type nat hook output priority 0; policy accept;
++ ip6 daddr dead:1::99 dnat to dead:2::99
++ }
++}
++EOF
++ if [ $? -ne 0 ]; then
++ echo "SKIP: Could not add add ip6 dnat hook"
++ return $ksft_skip
++ fi
++
++ # ping netns1, expect rewrite to netns2
++ ip netns exec ns0 ping -q -c 1 dead:1::99 > /dev/null
++ if [ $? -ne 0 ]; then
++ lret=1
++ echo "ERROR: ping6 failed"
++ return $lret
++ fi
++
++ expect="packets 0 bytes 0"
++ for dir in "in6" "out6" ; do
++ cnt=$(ip netns exec ns0 nft list counter inet filter ns1${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns0 ns1$dir "$expect"
++ lret=1
++ fi
++ done
++
++ expect="packets 1 bytes 104"
++ for dir in "in6" "out6" ; do
++ cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns0 ns2$dir "$expect"
++ lret=1
++ fi
++ done
++
++ # expect 0 count in ns1
++ expect="packets 0 bytes 0"
++ for dir in "in6" "out6" ; do
++ cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns1 ns0$dir "$expect"
++ lret=1
++ fi
++ done
++
++ # expect 1 packet in ns2
++ expect="packets 1 bytes 104"
++ for dir in "in6" "out6" ; do
++ cnt=$(ip netns exec ns2 nft list counter inet filter ns0${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns2 ns0$dir "$expect"
++ lret=1
++ fi
++ done
++
++ test $lret -eq 0 && echo "PASS: ipv6 ping to ns1 was NATted to ns2"
++ ip netns exec ns0 nft flush chain ip6 nat output
++
++ return $lret
++}
++
++test_local_dnat()
++{
++ local lret=0
++ip netns exec ns0 nft -f - <<EOF
++table ip nat {
++ chain output {
++ type nat hook output priority 0; policy accept;
++ ip daddr 10.0.1.99 dnat to 10.0.2.99
++ }
++}
++EOF
++ # ping netns1, expect rewrite to netns2
++ ip netns exec ns0 ping -q -c 1 10.0.1.99 > /dev/null
++ if [ $? -ne 0 ]; then
++ lret=1
++ echo "ERROR: ping failed"
++ return $lret
++ fi
++
++ expect="packets 0 bytes 0"
++ for dir in "in" "out" ; do
++ cnt=$(ip netns exec ns0 nft list counter inet filter ns1${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns0 ns1$dir "$expect"
++ lret=1
++ fi
++ done
++
++ expect="packets 1 bytes 84"
++ for dir in "in" "out" ; do
++ cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns0 ns2$dir "$expect"
++ lret=1
++ fi
++ done
++
++ # expect 0 count in ns1
++ expect="packets 0 bytes 0"
++ for dir in "in" "out" ; do
++ cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns1 ns0$dir "$expect"
++ lret=1
++ fi
++ done
++
++ # expect 1 packet in ns2
++ expect="packets 1 bytes 84"
++ for dir in "in" "out" ; do
++ cnt=$(ip netns exec ns2 nft list counter inet filter ns0${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns2 ns0$dir "$expect"
++ lret=1
++ fi
++ done
++
++ test $lret -eq 0 && echo "PASS: ping to ns1 was NATted to ns2"
++
++ ip netns exec ns0 nft flush chain ip nat output
++
++ reset_counters
++ ip netns exec ns0 ping -q -c 1 10.0.1.99 > /dev/null
++ if [ $? -ne 0 ]; then
++ lret=1
++ echo "ERROR: ping failed"
++ return $lret
++ fi
++
++ expect="packets 1 bytes 84"
++ for dir in "in" "out" ; do
++ cnt=$(ip netns exec ns0 nft list counter inet filter ns1${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns1 ns1$dir "$expect"
++ lret=1
++ fi
++ done
++ expect="packets 0 bytes 0"
++ for dir in "in" "out" ; do
++ cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns0 ns2$dir "$expect"
++ lret=1
++ fi
++ done
++
++ # expect 1 count in ns1
++ expect="packets 1 bytes 84"
++ for dir in "in" "out" ; do
++ cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns0 ns0$dir "$expect"
++ lret=1
++ fi
++ done
++
++ # expect 0 packet in ns2
++ expect="packets 0 bytes 0"
++ for dir in "in" "out" ; do
++ cnt=$(ip netns exec ns2 nft list counter inet filter ns0${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns2 ns2$dir "$expect"
++ lret=1
++ fi
++ done
++
++ test $lret -eq 0 && echo "PASS: ping to ns1 OK after nat output chain flush"
++
++ return $lret
++}
++
++
++test_masquerade6()
++{
++ local lret=0
++
++ ip netns exec ns0 sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
++
++ ip netns exec ns2 ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1
++ if [ $? -ne 0 ] ; then
++ echo "ERROR: cannot ping ns1 from ns2 via ipv6"
++ return 1
++ lret=1
++ fi
++
++ expect="packets 1 bytes 104"
++ for dir in "in6" "out6" ; do
++ cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns1 ns2$dir "$expect"
++ lret=1
++ fi
++
++ cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns2 ns1$dir "$expect"
++ lret=1
++ fi
++ done
++
++ reset_counters
++
++# add masquerading rule
++ip netns exec ns0 nft -f - <<EOF
++table ip6 nat {
++ chain postrouting {
++ type nat hook postrouting priority 0; policy accept;
++ meta oif veth0 masquerade
++ }
++}
++EOF
++ ip netns exec ns2 ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1
++ if [ $? -ne 0 ] ; then
++ echo "ERROR: cannot ping ns1 from ns2 with active ipv6 masquerading"
++ lret=1
++ fi
++
++ # ns1 should have seen packets from ns0, due to masquerade
++ expect="packets 1 bytes 104"
++ for dir in "in6" "out6" ; do
++
++ cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns1 ns0$dir "$expect"
++ lret=1
++ fi
++
++ cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns2 ns1$dir "$expect"
++ lret=1
++ fi
++ done
++
++ # ns1 should not have seen packets from ns2, due to masquerade
++ expect="packets 0 bytes 0"
++ for dir in "in6" "out6" ; do
++ cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns1 ns0$dir "$expect"
++ lret=1
++ fi
++
++ cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns2 ns1$dir "$expect"
++ lret=1
++ fi
++ done
++
++ ip netns exec ns0 nft flush chain ip6 nat postrouting
++ if [ $? -ne 0 ]; then
++ echo "ERROR: Could not flush ip6 nat postrouting" 1>&2
++ lret=1
++ fi
++
++ test $lret -eq 0 && echo "PASS: IPv6 masquerade for ns2"
++
++ return $lret
++}
++
++test_masquerade()
++{
++ local lret=0
++
++ ip netns exec ns0 sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null
++ ip netns exec ns0 sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
++
++ ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1
++ if [ $? -ne 0 ] ; then
++ echo "ERROR: canot ping ns1 from ns2"
++ lret=1
++ fi
++
++ expect="packets 1 bytes 84"
++ for dir in "in" "out" ; do
++ cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns1 ns2$dir "$expect"
++ lret=1
++ fi
++
++ cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns2 ns1$dir "$expect"
++ lret=1
++ fi
++ done
++
++ reset_counters
++
++# add masquerading rule
++ip netns exec ns0 nft -f - <<EOF
++table ip nat {
++ chain postrouting {
++ type nat hook postrouting priority 0; policy accept;
++ meta oif veth0 masquerade
++ }
++}
++EOF
++ ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1
++ if [ $? -ne 0 ] ; then
++ echo "ERROR: cannot ping ns1 from ns2 with active ip masquerading"
++ lret=1
++ fi
++
++ # ns1 should have seen packets from ns0, due to masquerade
++ expect="packets 1 bytes 84"
++ for dir in "in" "out" ; do
++ cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns1 ns0$dir "$expect"
++ lret=1
++ fi
++
++ cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns2 ns1$dir "$expect"
++ lret=1
++ fi
++ done
++
++ # ns1 should not have seen packets from ns2, due to masquerade
++ expect="packets 0 bytes 0"
++ for dir in "in" "out" ; do
++ cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns1 ns0$dir "$expect"
++ lret=1
++ fi
++
++ cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns2 ns1$dir "$expect"
++ lret=1
++ fi
++ done
++
++ ip netns exec ns0 nft flush chain ip nat postrouting
++ if [ $? -ne 0 ]; then
++ echo "ERROR: Could not flush nat postrouting" 1>&2
++ lret=1
++ fi
++
++ test $lret -eq 0 && echo "PASS: IP masquerade for ns2"
++
++ return $lret
++}
++
++test_redirect6()
++{
++ local lret=0
++
++ ip netns exec ns0 sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
++
++ ip netns exec ns2 ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1
++ if [ $? -ne 0 ] ; then
++ echo "ERROR: cannnot ping ns1 from ns2 via ipv6"
++ lret=1
++ fi
++
++ expect="packets 1 bytes 104"
++ for dir in "in6" "out6" ; do
++ cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns1 ns2$dir "$expect"
++ lret=1
++ fi
++
++ cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns2 ns1$dir "$expect"
++ lret=1
++ fi
++ done
++
++ reset_counters
++
++# add redirect rule
++ip netns exec ns0 nft -f - <<EOF
++table ip6 nat {
++ chain prerouting {
++ type nat hook prerouting priority 0; policy accept;
++ meta iif veth1 meta l4proto icmpv6 ip6 saddr dead:2::99 ip6 daddr dead:1::99 redirect
++ }
++}
++EOF
++ ip netns exec ns2 ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1
++ if [ $? -ne 0 ] ; then
++ echo "ERROR: cannot ping ns1 from ns2 with active ip6 redirect"
++ lret=1
++ fi
++
++ # ns1 should have seen no packets from ns2, due to redirection
++ expect="packets 0 bytes 0"
++ for dir in "in6" "out6" ; do
++ cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns1 ns0$dir "$expect"
++ lret=1
++ fi
++ done
++
++ # ns0 should have seen packets from ns2, due to masquerade
++ expect="packets 1 bytes 104"
++ for dir in "in6" "out6" ; do
++ cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns1 ns0$dir "$expect"
++ lret=1
++ fi
++ done
++
++ ip netns exec ns0 nft delete table ip6 nat
++ if [ $? -ne 0 ]; then
++ echo "ERROR: Could not delete ip6 nat table" 1>&2
++ lret=1
++ fi
++
++ test $lret -eq 0 && echo "PASS: IPv6 redirection for ns2"
++
++ return $lret
++}
++
++test_redirect()
++{
++ local lret=0
++
++ ip netns exec ns0 sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null
++ ip netns exec ns0 sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
++
++ ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1
++ if [ $? -ne 0 ] ; then
++ echo "ERROR: cannot ping ns1 from ns2"
++ lret=1
++ fi
++
++ expect="packets 1 bytes 84"
++ for dir in "in" "out" ; do
++ cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns1 ns2$dir "$expect"
++ lret=1
++ fi
++
++ cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns2 ns1$dir "$expect"
++ lret=1
++ fi
++ done
++
++ reset_counters
++
++# add redirect rule
++ip netns exec ns0 nft -f - <<EOF
++table ip nat {
++ chain prerouting {
++ type nat hook prerouting priority 0; policy accept;
++ meta iif veth1 ip protocol icmp ip saddr 10.0.2.99 ip daddr 10.0.1.99 redirect
++ }
++}
++EOF
++ ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1
++ if [ $? -ne 0 ] ; then
++ echo "ERROR: cannot ping ns1 from ns2 with active ip redirect"
++ lret=1
++ fi
++
++ # ns1 should have seen no packets from ns2, due to redirection
++ expect="packets 0 bytes 0"
++ for dir in "in" "out" ; do
++
++ cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns1 ns0$dir "$expect"
++ lret=1
++ fi
++ done
++
++ # ns0 should have seen packets from ns2, due to masquerade
++ expect="packets 1 bytes 84"
++ for dir in "in" "out" ; do
++ cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ bad_counter ns1 ns0$dir "$expect"
++ lret=1
++ fi
++ done
++
++ ip netns exec ns0 nft delete table ip nat
++ if [ $? -ne 0 ]; then
++ echo "ERROR: Could not delete nat table" 1>&2
++ lret=1
++ fi
++
++ test $lret -eq 0 && echo "PASS: IP redirection for ns2"
++
++ return $lret
++}
++
++
++# ip netns exec ns0 ping -c 1 -q 10.0.$i.99
++for i in 0 1 2; do
++ip netns exec ns$i nft -f - <<EOF
++table inet filter {
++ counter ns0in {}
++ counter ns1in {}
++ counter ns2in {}
++
++ counter ns0out {}
++ counter ns1out {}
++ counter ns2out {}
++
++ counter ns0in6 {}
++ counter ns1in6 {}
++ counter ns2in6 {}
++
++ counter ns0out6 {}
++ counter ns1out6 {}
++ counter ns2out6 {}
++
++ map nsincounter {
++ type ipv4_addr : counter
++ elements = { 10.0.1.1 : "ns0in",
++ 10.0.2.1 : "ns0in",
++ 10.0.1.99 : "ns1in",
++ 10.0.2.99 : "ns2in" }
++ }
++
++ map nsincounter6 {
++ type ipv6_addr : counter
++ elements = { dead:1::1 : "ns0in6",
++ dead:2::1 : "ns0in6",
++ dead:1::99 : "ns1in6",
++ dead:2::99 : "ns2in6" }
++ }
++
++ map nsoutcounter {
++ type ipv4_addr : counter
++ elements = { 10.0.1.1 : "ns0out",
++ 10.0.2.1 : "ns0out",
++ 10.0.1.99: "ns1out",
++ 10.0.2.99: "ns2out" }
++ }
++
++ map nsoutcounter6 {
++ type ipv6_addr : counter
++ elements = { dead:1::1 : "ns0out6",
++ dead:2::1 : "ns0out6",
++ dead:1::99 : "ns1out6",
++ dead:2::99 : "ns2out6" }
++ }
++
++ chain input {
++ type filter hook input priority 0; policy accept;
++ counter name ip saddr map @nsincounter
++ icmpv6 type { "echo-request", "echo-reply" } counter name ip6 saddr map @nsincounter6
++ }
++ chain output {
++ type filter hook output priority 0; policy accept;
++ counter name ip daddr map @nsoutcounter
++ icmpv6 type { "echo-request", "echo-reply" } counter name ip6 daddr map @nsoutcounter6
++ }
++}
++EOF
++done
++
++sleep 3
++# test basic connectivity
++for i in 1 2; do
++ ip netns exec ns0 ping -c 1 -q 10.0.$i.99 > /dev/null
++ if [ $? -ne 0 ];then
++ echo "ERROR: Could not reach other namespace(s)" 1>&2
++ ret=1
++ fi
++
++ ip netns exec ns0 ping -c 1 -q dead:$i::99 > /dev/null
++ if [ $? -ne 0 ];then
++ echo "ERROR: Could not reach other namespace(s) via ipv6" 1>&2
++ ret=1
++ fi
++ check_counters ns$i
++ if [ $? -ne 0 ]; then
++ ret=1
++ fi
++
++ check_ns0_counters ns$i
++ if [ $? -ne 0 ]; then
++ ret=1
++ fi
++ reset_counters
++done
++
++if [ $ret -eq 0 ];then
++ echo "PASS: netns routing/connectivity: ns0 can reach ns1 and ns2"
++fi
++
++reset_counters
++test_local_dnat
++test_local_dnat6
++
++reset_counters
++test_masquerade
++test_masquerade6
++
++reset_counters
++test_redirect
++test_redirect6
++
++for i in 0 1 2; do ip netns del ns$i;done
++
++exit $ret
+--
+2.19.1
+
--- /dev/null
+From ce6d5a94e386575f5dcc00da1024fb137c320813 Mon Sep 17 00:00:00 2001
+From: Naresh Kamboju <naresh.kamboju@linaro.org>
+Date: Tue, 29 Jan 2019 06:28:35 +0000
+Subject: selftests: netfilter: fix config fragment CONFIG_NF_TABLES_INET
+
+[ Upstream commit 952b72f89ae23b316da8c1021b18d0c388ad6cc4 ]
+
+In selftests the config fragment for netfilter was added as
+NF_TABLES_INET=y and this patch correct it as CONFIG_NF_TABLES_INET=y
+
+Signed-off-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/netfilter/config | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/netfilter/config b/tools/testing/selftests/netfilter/config
+index 1017313e41a8..59caa8f71cd8 100644
+--- a/tools/testing/selftests/netfilter/config
++++ b/tools/testing/selftests/netfilter/config
+@@ -1,2 +1,2 @@
+ CONFIG_NET_NS=y
+-NF_TABLES_INET=y
++CONFIG_NF_TABLES_INET=y
+--
+2.19.1
+
--- /dev/null
+From 7a035f514d7b5ed1c04239baea874f64e69bc74a Mon Sep 17 00:00:00 2001
+From: Fathi Boudra <fathi.boudra@linaro.org>
+Date: Wed, 16 Jan 2019 11:43:20 -0600
+Subject: selftests: timers: use LDLIBS instead of LDFLAGS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 7d4e591bc051d3382c45caaa2530969fb42ed23d ]
+
+posix_timers fails to build due to undefined reference errors:
+
+ aarch64-linaro-linux-gcc --sysroot=/build/tmp-rpb-glibc/sysroots/hikey
+ -O2 -pipe -g -feliminate-unused-debug-types -O3 -Wl,-no-as-needed -Wall
+ -DKTEST -Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -lrt -lpthread
+ posix_timers.c
+ -o /build/tmp-rpb-glibc/work/hikey-linaro-linux/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/timers/posix_timers
+ /tmp/cc1FTZzT.o: In function `check_timer_create':
+ /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/timers/posix_timers.c:157:
+ undefined reference to `timer_create'
+ /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/timers/posix_timers.c:170:
+ undefined reference to `timer_settime'
+ collect2: error: ld returned 1 exit status
+
+It's GNU Make and linker specific.
+
+The default Makefile rule looks like:
+
+$(CC) $(CFLAGS) $(LDFLAGS) $@ $^ $(LDLIBS)
+
+When linking is done by gcc itself, no issue, but when it needs to be passed
+to proper ld, only LDLIBS follows and then ld cannot know what libs to link
+with.
+
+More detail:
+https://www.gnu.org/software/make/manual/html_node/Implicit-Variables.html
+
+LDFLAGS
+Extra flags to give to compilers when they are supposed to invoke the linker,
+‘ld’, such as -L. Libraries (-lfoo) should be added to the LDLIBS variable
+instead.
+
+LDLIBS
+Library flags or names given to compilers when they are supposed to invoke the
+linker, ‘ld’. LOADLIBES is a deprecated (but still supported) alternative to
+LDLIBS. Non-library linker flags, such as -L, should go in the LDFLAGS
+variable.
+
+https://lkml.org/lkml/2010/2/10/362
+
+tools/perf: libraries must come after objects
+
+Link order matters, use LDLIBS instead of LDFLAGS to properly link against
+libpthread.
+
+Signed-off-by: Denys Dmytriyenko <denys@ti.com>
+Signed-off-by: Fathi Boudra <fathi.boudra@linaro.org>
+Signed-off-by: Shuah Khan <shuah@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/timers/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/timers/Makefile b/tools/testing/selftests/timers/Makefile
+index 3496680981f2..d937e45532d8 100644
+--- a/tools/testing/selftests/timers/Makefile
++++ b/tools/testing/selftests/timers/Makefile
+@@ -1,6 +1,6 @@
+ # SPDX-License-Identifier: GPL-2.0
+ CFLAGS += -O3 -Wl,-no-as-needed -Wall
+-LDFLAGS += -lrt -lpthread -lm
++LDLIBS += -lrt -lpthread -lm
+
+ # these are all "safe" tests that don't modify
+ # system time or require escalated privileges
+--
+2.19.1
+
exec-fix-mem-leak-in-kernel_read_file.patch
scsi-core-reset-host-byte-in-did_nexus_failure-case.patch
media-uvcvideo-fix-type-check-leading-to-overflow.patch
+vti4-fix-a-ipip-packet-processing-bug-in-ipcomp-virt.patch
+perf-core-fix-perf_proc_update_handler-bug.patch
+perf-tools-handle-topology-headers-with-no-cpu.patch
+ib-hfi1-qib-fix-wc.byte_len-calculation-for-ud_send_.patch
+iommu-amd-call-free_iova_fast-with-pfn-in-map_sg.patch
+iommu-amd-unmap-all-mapped-pages-in-error-path-of-ma.patch
+ipvs-fix-signed-integer-overflow-when-setsockopt-tim.patch
+iommu-amd-fix-iommu-page-flush-when-detach-device-fr.patch
+xtensa-smp-fix-ccount_timer_shutdown.patch
+selftests-cpu-hotplug-fix-case-where-cpus-offline-cp.patch
+xtensa-smp-fix-secondary-cpu-initialization.patch
+xtensa-smp_lx200_defconfig-fix-vectors-clash.patch
+xtensa-smp-mark-each-possible-cpu-as-present.patch
+xtensa-smp-limit-number-of-possible-cpus-by-nr_cpus.patch
+net-altera_tse-fix-msgdma_tx_completion-on-non-zero-.patch
+net-hns-fix-for-missing-of_node_put-after-of_parse_p.patch
+net-hns-restart-autoneg-need-return-failed-when-auto.patch
+net-hns-fix-wrong-read-accesses-via-clause-45-mdio-p.patch
+net-stmmac-dwmac-rk-fix-error-handling-in-rk_gmac_po.patch
+netfilter-ebtables-compat-un-break-32bit-setsockopt-.patch
+gpio-vf610-mask-all-gpio-interrupts.patch
+selftests-timers-use-ldlibs-instead-of-ldflags.patch
+nfs-fix-null-pointer-dereference-of-dev_name.patch
+qed-fix-bug-in-tx-promiscuous-mode-settings.patch
+qed-fix-lacp-pdu-drops-for-vfs.patch
+qed-fix-vf-probe-failure-while-flr.patch
+qed-fix-system-crash-in-ll2-xmit.patch
+qed-fix-stack-out-of-bounds-bug.patch
+scsi-libfc-free-skb-when-receiving-invalid-flogi-res.patch
+scsi-53c700-pass-correct-dev-to-dma_alloc_attrs.patch
+platform-x86-fix-unmet-dependency-warning-for-samsun.patch
+cifs-fix-computation-for-max_smb2_hdr_size.patch
+x86-microcode-amd-don-t-falsely-trick-the-late-loadi.patch
+arm64-kprobe-always-blacklist-the-kvm-world-switch-c.patch
+apparmor-fix-aa_label_build-error-handling-for-faile.patch
+x86-kexec-don-t-setup-efi-info-if-efi-runtime-is-not.patch
+x86_64-increase-stack-size-for-kasan_extra.patch
+mm-memory_hotplug-is_mem_section_removable-do-not-pa.patch
+mm-memory_hotplug-test_pages_in_a_zone-do-not-pass-t.patch
+lib-test_kmod.c-potential-double-free-in-error-handl.patch
+fs-drop_caches.c-avoid-softlockups-in-drop_pagecache.patch
+autofs-drop-dentry-reference-only-when-it-is-never-u.patch
+autofs-fix-error-return-in-autofs_fill_super.patch
+arm-dts-omap4-droid4-fix-typo-in-cpcap-irq-flags.patch
+arm64-dts-renesas-r8a7796-enable-dma-for-scif2.patch
+soc-fsl-qbman-avoid-race-in-clearing-qman-interrupt.patch
+bpf-sock-recvbuff-must-be-limited-by-rmem_max-in-bpf.patch
+arm-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch
+arm64-dts-add-msm8996-compatible-to-gicv3.patch
+dts-ci20-fix-bugs-in-ci20-s-device-tree.patch
+usb-phy-fix-link-errors.patch
+irqchip-mmp-only-touch-the-pj4-irq-fiq-bits-on-enabl.patch
+net-stmmac-fallback-to-platform-data-clock-in-watchd.patch
+net-stmmac-send-tso-packets-always-from-queue-0.patch
+net-stmmac-disable-eee-mode-earlier-in-xmit-callback.patch
+irqchip-gic-v3-its-fix-itt_entry_size-accessor.patch
+relay-check-return-of-create_buf_file-properly.patch
+bpf-selftests-fix-handling-of-sparse-cpu-allocations.patch
+bpf-fix-lockdep-false-positive-in-percpu_freelist.patch
+drm-sun4i-tcon-prepare-and-enable-tcon-channel-0-clo.patch
+dmaengine-at_xdmac-fix-wrongfull-report-of-a-channel.patch
+vsock-virtio-fix-kernel-panic-after-device-hot-unplu.patch
+vsock-virtio-reset-connected-sockets-on-device-remov.patch
+dmaengine-dmatest-abort-test-in-case-of-mapping-erro.patch
+selftests-netfilter-fix-config-fragment-config_nf_ta.patch
+selftests-netfilter-add-simple-masq-redirect-test-ca.patch
+netfilter-nf_nat-skip-nat-clash-resolution-for-same-.patch
+s390-qeth-fix-use-after-free-in-error-path.patch
+perf-symbols-filter-out-hidden-symbols-from-labels.patch
+perf-trace-support-multiple-vfs_getname-probes.patch
+mips-loongson-introduce-and-use-loongson_llsc_mb.patch
+mips-remove-function-size-check-in-get_frame_info.patch
+i2c-omap-use-noirq-system-sleep-pm-ops-to-idle-devic.patch
+fs-ratelimit-__find_get_block_slow-failure-message.patch
+qed-fix-eq-full-firmware-assert.patch
+qed-consider-tx-tcs-while-deriving-the-max-num_queue.patch
--- /dev/null
+From 9b42b4ed86c552e43ea9df0c596100318372f796 Mon Sep 17 00:00:00 2001
+From: Madalin Bucur <madalin.bucur@nxp.com>
+Date: Fri, 21 Dec 2018 16:41:42 +0200
+Subject: soc: fsl: qbman: avoid race in clearing QMan interrupt
+
+[ Upstream commit 89857a8a5c89a406b967ab2be7bd2ccdbe75e73d ]
+
+By clearing all interrupt sources, not only those that
+already occurred, the existing code may acknowledge by
+mistake interrupts that occurred after the code checks
+for them.
+
+Signed-off-by: Madalin Bucur <madalin.bucur@nxp.com>
+Signed-off-by: Roy Pledge <roy.pledge@nxp.com>
+Signed-off-by: Li Yang <leoyang.li@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/fsl/qbman/qman.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c
+index 4f27e95efcdd..90892a360c61 100644
+--- a/drivers/soc/fsl/qbman/qman.c
++++ b/drivers/soc/fsl/qbman/qman.c
+@@ -1048,18 +1048,19 @@ static void qm_mr_process_task(struct work_struct *work);
+ static irqreturn_t portal_isr(int irq, void *ptr)
+ {
+ struct qman_portal *p = ptr;
+-
+- u32 clear = QM_DQAVAIL_MASK | p->irq_sources;
+ u32 is = qm_in(&p->p, QM_REG_ISR) & p->irq_sources;
++ u32 clear = 0;
+
+ if (unlikely(!is))
+ return IRQ_NONE;
+
+ /* DQRR-handling if it's interrupt-driven */
+- if (is & QM_PIRQ_DQRI)
++ if (is & QM_PIRQ_DQRI) {
+ __poll_portal_fast(p, QMAN_POLL_LIMIT);
++ clear = QM_DQAVAIL_MASK | QM_PIRQ_DQRI;
++ }
+ /* Handling of anything else that's interrupt-driven */
+- clear |= __poll_portal_slow(p, is);
++ clear |= __poll_portal_slow(p, is) & QM_PIRQ_SLOW;
+ qm_out(&p->p, QM_REG_ISR, clear);
+ return IRQ_HANDLED;
+ }
+--
+2.19.1
+
--- /dev/null
+From 762b8a6efe299d244b865535c200b98d4ec790f1 Mon Sep 17 00:00:00 2001
+From: Anders Roxell <anders.roxell@linaro.org>
+Date: Tue, 22 Jan 2019 11:36:02 +0100
+Subject: usb: phy: fix link errors
+
+[ Upstream commit f2105d42597f4d10e431b195d69e96dccaf9b012 ]
+
+Fix link errors when CONFIG_FSL_USB2_OTG is enabled and USB_OTG_FSM is
+set to module then the following link error occurs.
+
+aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.o: in function `fsl_otg_ioctl':
+drivers/usb/phy/phy-fsl-usb.c:1083: undefined reference to `otg_statemachine'
+aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.c:1083:(.text+0x574): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `otg_statemachine'
+aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.o: in function `fsl_otg_start_srp':
+drivers/usb/phy/phy-fsl-usb.c:674: undefined reference to `otg_statemachine'
+aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.c:674:(.text+0x61c): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `otg_statemachine'
+aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.o: in function `fsl_otg_set_host':
+drivers/usb/phy/phy-fsl-usb.c:593: undefined reference to `otg_statemachine'
+aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.c:593:(.text+0x7a4): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `otg_statemachine'
+aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.o: in function `fsl_otg_start_hnp':
+drivers/usb/phy/phy-fsl-usb.c:695: undefined reference to `otg_statemachine'
+aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.c:695:(.text+0x858): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `otg_statemachine'
+aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.o: in function `a_wait_enum':
+drivers/usb/phy/phy-fsl-usb.c:274: undefined reference to `otg_statemachine'
+aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.c:274:(.text+0x16f0): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `otg_statemachine'
+aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.o:drivers/usb/phy/phy-fsl-usb.c:619: more undefined references to `otg_statemachine' follow
+aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.o: in function `fsl_otg_set_peripheral':
+drivers/usb/phy/phy-fsl-usb.c:619:(.text+0x1fa0): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `otg_statemachine'
+make[1]: *** [Makefile:1020: vmlinux] Error 1
+make[1]: Target 'Image' not remade because of errors.
+make: *** [Makefile:152: sub-make] Error 2
+make: Target 'Image' not remade because of errors.
+
+Rework so that FSL_USB2_OTG depends on that the USB_OTG_FSM is builtin.
+
+Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/phy/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/phy/Kconfig b/drivers/usb/phy/Kconfig
+index aff702c0eb9f..85a92d0813dd 100644
+--- a/drivers/usb/phy/Kconfig
++++ b/drivers/usb/phy/Kconfig
+@@ -21,7 +21,7 @@ config AB8500_USB
+
+ config FSL_USB2_OTG
+ bool "Freescale USB OTG Transceiver Driver"
+- depends on USB_EHCI_FSL && USB_FSL_USB2 && USB_OTG_FSM && PM
++ depends on USB_EHCI_FSL && USB_FSL_USB2 && USB_OTG_FSM=y && PM
+ depends on USB_GADGET || !USB_GADGET # if USB_GADGET=m, this can't be 'y'
+ select USB_PHY
+ help
+--
+2.19.1
+
--- /dev/null
+From eeaa42fe361525ca615ba1ed079aad97b493a8cc Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Fri, 1 Feb 2019 12:42:06 +0100
+Subject: vsock/virtio: fix kernel panic after device hot-unplug
+
+[ Upstream commit 22b5c0b63f32568e130fa2df4ba23efce3eb495b ]
+
+virtio_vsock_remove() invokes the vsock_core_exit() also if there
+are opened sockets for the AF_VSOCK protocol family. In this way
+the vsock "transport" pointer is set to NULL, triggering the
+kernel panic at the first socket activity.
+
+This patch move the vsock_core_init()/vsock_core_exit() in the
+virtio_vsock respectively in module_init and module_exit functions,
+that cannot be invoked until there are open sockets.
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1609699
+Reported-by: Yan Fu <yafu@redhat.com>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/virtio_transport.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c
+index fdb294441682..8cdf6ddec9b7 100644
+--- a/net/vmw_vsock/virtio_transport.c
++++ b/net/vmw_vsock/virtio_transport.c
+@@ -75,6 +75,9 @@ static u32 virtio_transport_get_local_cid(void)
+ {
+ struct virtio_vsock *vsock = virtio_vsock_get();
+
++ if (!vsock)
++ return VMADDR_CID_ANY;
++
+ return vsock->guest_cid;
+ }
+
+@@ -584,10 +587,6 @@ static int virtio_vsock_probe(struct virtio_device *vdev)
+
+ virtio_vsock_update_guest_cid(vsock);
+
+- ret = vsock_core_init(&virtio_transport.transport);
+- if (ret < 0)
+- goto out_vqs;
+-
+ vsock->rx_buf_nr = 0;
+ vsock->rx_buf_max_nr = 0;
+ atomic_set(&vsock->queued_replies, 0);
+@@ -618,8 +617,6 @@ static int virtio_vsock_probe(struct virtio_device *vdev)
+ mutex_unlock(&the_virtio_vsock_mutex);
+ return 0;
+
+-out_vqs:
+- vsock->vdev->config->del_vqs(vsock->vdev);
+ out:
+ kfree(vsock);
+ mutex_unlock(&the_virtio_vsock_mutex);
+@@ -669,7 +666,6 @@ static void virtio_vsock_remove(struct virtio_device *vdev)
+
+ mutex_lock(&the_virtio_vsock_mutex);
+ the_virtio_vsock = NULL;
+- vsock_core_exit();
+ mutex_unlock(&the_virtio_vsock_mutex);
+
+ vdev->config->del_vqs(vdev);
+@@ -702,14 +698,28 @@ static int __init virtio_vsock_init(void)
+ virtio_vsock_workqueue = alloc_workqueue("virtio_vsock", 0, 0);
+ if (!virtio_vsock_workqueue)
+ return -ENOMEM;
++
+ ret = register_virtio_driver(&virtio_vsock_driver);
+ if (ret)
+- destroy_workqueue(virtio_vsock_workqueue);
++ goto out_wq;
++
++ ret = vsock_core_init(&virtio_transport.transport);
++ if (ret)
++ goto out_vdr;
++
++ return 0;
++
++out_vdr:
++ unregister_virtio_driver(&virtio_vsock_driver);
++out_wq:
++ destroy_workqueue(virtio_vsock_workqueue);
+ return ret;
++
+ }
+
+ static void __exit virtio_vsock_exit(void)
+ {
++ vsock_core_exit();
+ unregister_virtio_driver(&virtio_vsock_driver);
+ destroy_workqueue(virtio_vsock_workqueue);
+ }
+--
+2.19.1
+
--- /dev/null
+From b166d2146a6d2156638735b0310d37b4696d647c Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Fri, 1 Feb 2019 12:42:07 +0100
+Subject: vsock/virtio: reset connected sockets on device removal
+
+[ Upstream commit 85965487abc540368393a15491e6e7fcd230039d ]
+
+When the virtio transport device disappear, we should reset all
+connected sockets in order to inform the users.
+
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/virtio_transport.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c
+index 8cdf6ddec9b7..2ff751eba037 100644
+--- a/net/vmw_vsock/virtio_transport.c
++++ b/net/vmw_vsock/virtio_transport.c
+@@ -634,6 +634,9 @@ static void virtio_vsock_remove(struct virtio_device *vdev)
+ flush_work(&vsock->event_work);
+ flush_work(&vsock->send_pkt_work);
+
++ /* Reset all connected sockets when the device disappear */
++ vsock_for_each_connected_socket(virtio_vsock_reset_sock);
++
+ vdev->config->reset(vdev);
+
+ mutex_lock(&vsock->rx_lock);
+--
+2.19.1
+
--- /dev/null
+From 605395756f8f982e8a893245970f9aa7e8829d25 Mon Sep 17 00:00:00 2001
+From: Su Yanjun <suyj.fnst@cn.fujitsu.com>
+Date: Sun, 6 Jan 2019 21:31:20 -0500
+Subject: vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel
+
+[ Upstream commit dd9ee3444014e8f28c0eefc9fffc9ac9c5248c12 ]
+
+Recently we run a network test over ipcomp virtual tunnel.We find that
+if a ipv4 packet needs fragment, then the peer can't receive
+it.
+
+We deep into the code and find that when packet need fragment the smaller
+fragment will be encapsulated by ipip not ipcomp. So when the ipip packet
+goes into xfrm, it's skb->dev is not properly set. The ipv4 reassembly code
+always set skb'dev to the last fragment's dev. After ipv4 defrag processing,
+when the kernel rp_filter parameter is set, the skb will be drop by -EXDEV
+error.
+
+This patch adds compatible support for the ipip process in ipcomp virtual tunnel.
+
+Signed-off-by: Su Yanjun <suyj.fnst@cn.fujitsu.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_vti.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 50 insertions(+)
+
+diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
+index 00d4371d4573..306603a7f351 100644
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -74,6 +74,33 @@ static int vti_input(struct sk_buff *skb, int nexthdr, __be32 spi,
+ return 0;
+ }
+
++static int vti_input_ipip(struct sk_buff *skb, int nexthdr, __be32 spi,
++ int encap_type)
++{
++ struct ip_tunnel *tunnel;
++ const struct iphdr *iph = ip_hdr(skb);
++ struct net *net = dev_net(skb->dev);
++ struct ip_tunnel_net *itn = net_generic(net, vti_net_id);
++
++ tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY,
++ iph->saddr, iph->daddr, 0);
++ if (tunnel) {
++ if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
++ goto drop;
++
++ XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = tunnel;
++
++ skb->dev = tunnel->dev;
++
++ return xfrm_input(skb, nexthdr, spi, encap_type);
++ }
++
++ return -EINVAL;
++drop:
++ kfree_skb(skb);
++ return 0;
++}
++
+ static int vti_rcv(struct sk_buff *skb)
+ {
+ XFRM_SPI_SKB_CB(skb)->family = AF_INET;
+@@ -82,6 +109,14 @@ static int vti_rcv(struct sk_buff *skb)
+ return vti_input(skb, ip_hdr(skb)->protocol, 0, 0);
+ }
+
++static int vti_rcv_ipip(struct sk_buff *skb)
++{
++ XFRM_SPI_SKB_CB(skb)->family = AF_INET;
++ XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
++
++ return vti_input_ipip(skb, ip_hdr(skb)->protocol, ip_hdr(skb)->saddr, 0);
++}
++
+ static int vti_rcv_cb(struct sk_buff *skb, int err)
+ {
+ unsigned short family;
+@@ -439,6 +474,12 @@ static struct xfrm4_protocol vti_ipcomp4_protocol __read_mostly = {
+ .priority = 100,
+ };
+
++static struct xfrm_tunnel ipip_handler __read_mostly = {
++ .handler = vti_rcv_ipip,
++ .err_handler = vti4_err,
++ .priority = 0,
++};
++
+ static int __net_init vti_init_net(struct net *net)
+ {
+ int err;
+@@ -607,6 +648,13 @@ static int __init vti_init(void)
+ if (err < 0)
+ goto xfrm_proto_comp_failed;
+
++ msg = "ipip tunnel";
++ err = xfrm4_tunnel_register(&ipip_handler, AF_INET);
++ if (err < 0) {
++ pr_info("%s: cant't register tunnel\n",__func__);
++ goto xfrm_tunnel_failed;
++ }
++
+ msg = "netlink interface";
+ err = rtnl_link_register(&vti_link_ops);
+ if (err < 0)
+@@ -616,6 +664,8 @@ static int __init vti_init(void)
+
+ rtnl_link_failed:
+ xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP);
++xfrm_tunnel_failed:
++ xfrm4_tunnel_deregister(&ipip_handler, AF_INET);
+ xfrm_proto_comp_failed:
+ xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH);
+ xfrm_proto_ah_failed:
+--
+2.19.1
+
--- /dev/null
+From 4a88f5292e8119e167d7d84b5ab9ffc31703498e Mon Sep 17 00:00:00 2001
+From: Kairui Song <kasong@redhat.com>
+Date: Fri, 18 Jan 2019 19:13:08 +0800
+Subject: x86/kexec: Don't setup EFI info if EFI runtime is not enabled
+
+[ Upstream commit 2aa958c99c7fd3162b089a1a56a34a0cdb778de1 ]
+
+Kexec-ing a kernel with "efi=noruntime" on the first kernel's command
+line causes the following null pointer dereference:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+ #PF error: [normal kernel read fault]
+ Call Trace:
+ efi_runtime_map_copy+0x28/0x30
+ bzImage64_load+0x688/0x872
+ arch_kexec_kernel_image_load+0x6d/0x70
+ kimage_file_alloc_init+0x13e/0x220
+ __x64_sys_kexec_file_load+0x144/0x290
+ do_syscall_64+0x55/0x1a0
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Just skip the EFI info setup if EFI runtime services are not enabled.
+
+ [ bp: Massage commit message. ]
+
+Suggested-by: Dave Young <dyoung@redhat.com>
+Signed-off-by: Kairui Song <kasong@redhat.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: Dave Young <dyoung@redhat.com>
+Cc: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: bhe@redhat.com
+Cc: David Howells <dhowells@redhat.com>
+Cc: erik.schmauss@intel.com
+Cc: fanc.fnst@cn.fujitsu.com
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: kexec@lists.infradead.org
+Cc: lenb@kernel.org
+Cc: linux-acpi@vger.kernel.org
+Cc: Philipp Rudo <prudo@linux.vnet.ibm.com>
+Cc: rafael.j.wysocki@intel.com
+Cc: robert.moore@intel.com
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: x86-ml <x86@kernel.org>
+Cc: Yannik Sembritzki <yannik@sembritzki.me>
+Link: https://lkml.kernel.org/r/20190118111310.29589-2-kasong@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/kexec-bzimage64.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
+index 928b0c6083c9..4d948d87f01c 100644
+--- a/arch/x86/kernel/kexec-bzimage64.c
++++ b/arch/x86/kernel/kexec-bzimage64.c
+@@ -167,6 +167,9 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
+ struct efi_info *current_ei = &boot_params.efi_info;
+ struct efi_info *ei = ¶ms->efi_info;
+
++ if (!efi_enabled(EFI_RUNTIME_SERVICES))
++ return 0;
++
+ if (!current_ei->efi_memmap_size)
+ return 0;
+
+--
+2.19.1
+
--- /dev/null
+From 6ce930acf72398d15404235278c91a1d52b3b2a5 Mon Sep 17 00:00:00 2001
+From: Thomas Lendacky <Thomas.Lendacky@amd.com>
+Date: Thu, 31 Jan 2019 14:33:06 +0000
+Subject: x86/microcode/amd: Don't falsely trick the late loading mechanism
+
+[ Upstream commit 912139cfbfa6a2bc1da052314d2c29338dae1f6a ]
+
+The load_microcode_amd() function searches for microcode patches and
+attempts to apply a microcode patch if it is of different level than the
+currently installed level.
+
+While the processor won't actually load a level that is less than
+what is already installed, the logic wrongly returns UCODE_NEW thus
+signaling to its caller reload_store() that a late loading should be
+attempted.
+
+If the file-system contains an older microcode revision than what is
+currently running, such a late microcode reload can result in these
+misleading messages:
+
+ x86/CPU: CPU features have changed after loading microcode, but might not take effect.
+ x86/CPU: Please consider either early loading through initrd/built-in or a potential BIOS update.
+
+These messages were issued on a system where SME/SEV are not
+enabled by the BIOS (MSR C001_0010[23] = 0b) because during boot,
+early_detect_mem_encrypt() is called and cleared the SME and SEV
+features in this case.
+
+However, after the wrong late load attempt, get_cpu_cap() is called and
+reloads the SME and SEV feature bits, resulting in the messages.
+
+Update the microcode level check to not attempt microcode loading if the
+current level is greater than(!) and not only equal to the current patch
+level.
+
+ [ bp: massage commit message. ]
+
+Fixes: 2613f36ed965 ("x86/microcode: Attempt late loading only when new microcode is present")
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/154894518427.9406.8246222496874202773.stgit@tlendack-t1.amdoffice.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/microcode/amd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
+index 9d33dbf2489e..d0a61d3e2fb9 100644
+--- a/arch/x86/kernel/cpu/microcode/amd.c
++++ b/arch/x86/kernel/cpu/microcode/amd.c
+@@ -707,7 +707,7 @@ load_microcode_amd(bool save, u8 family, const u8 *data, size_t size)
+ if (!p) {
+ return ret;
+ } else {
+- if (boot_cpu_data.microcode == p->patch_id)
++ if (boot_cpu_data.microcode >= p->patch_id)
+ return ret;
+
+ ret = UCODE_NEW;
+--
+2.19.1
+
--- /dev/null
+From 4672223b4e1d214a915cf132e3c146bcc04dd036 Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Fri, 1 Feb 2019 14:20:20 -0800
+Subject: x86_64: increase stack size for KASAN_EXTRA
+
+[ Upstream commit a8e911d13540487942d53137c156bd7707f66e5d ]
+
+If the kernel is configured with KASAN_EXTRA, the stack size is
+increasted significantly because this option sets "-fstack-reuse" to
+"none" in GCC [1]. As a result, it triggers stack overrun quite often
+with 32k stack size compiled using GCC 8. For example, this reproducer
+
+ https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/syscalls/madvise/madvise06.c
+
+triggers a "corrupted stack end detected inside scheduler" very reliably
+with CONFIG_SCHED_STACK_END_CHECK enabled.
+
+There are just too many functions that could have a large stack with
+KASAN_EXTRA due to large local variables that have been called over and
+over again without being able to reuse the stacks. Some noticiable ones
+are
+
+ size
+ 7648 shrink_page_list
+ 3584 xfs_rmap_convert
+ 3312 migrate_page_move_mapping
+ 3312 dev_ethtool
+ 3200 migrate_misplaced_transhuge_page
+ 3168 copy_process
+
+There are other 49 functions are over 2k in size while compiling kernel
+with "-Wframe-larger-than=" even with a related minimal config on this
+machine. Hence, it is too much work to change Makefiles for each object
+to compile without "-fsanitize-address-use-after-scope" individually.
+
+[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715#c23
+
+Although there is a patch in GCC 9 to help the situation, GCC 9 probably
+won't be released in a few months and then it probably take another
+6-month to 1-year for all major distros to include it as a default.
+Hence, the stack usage with KASAN_EXTRA can be revisited again in 2020
+when GCC 9 is everywhere. Until then, this patch will help users avoid
+stack overrun.
+
+This has already been fixed for arm64 for the same reason via
+6e8830674ea ("arm64: kasan: Increase stack size for KASAN_EXTRA").
+
+Link: http://lkml.kernel.org/r/20190109215209.2903-1-cai@lca.pw
+Signed-off-by: Qian Cai <cai@lca.pw>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/page_64_types.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/x86/include/asm/page_64_types.h b/arch/x86/include/asm/page_64_types.h
+index 74d531f6d518..50c8baaca4b0 100644
+--- a/arch/x86/include/asm/page_64_types.h
++++ b/arch/x86/include/asm/page_64_types.h
+@@ -7,7 +7,11 @@
+ #endif
+
+ #ifdef CONFIG_KASAN
++#ifdef CONFIG_KASAN_EXTRA
++#define KASAN_STACK_ORDER 2
++#else
+ #define KASAN_STACK_ORDER 1
++#endif
+ #else
+ #define KASAN_STACK_ORDER 0
+ #endif
+--
+2.19.1
+
--- /dev/null
+From f1fbcaadc017525888a1aa4c9dd4893c33cb6ff7 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Mon, 29 Jan 2018 09:09:41 -0800
+Subject: xtensa: SMP: fix ccount_timer_shutdown
+
+[ Upstream commit 4fe8713b873fc881284722ce4ac47995de7cf62c ]
+
+ccount_timer_shutdown is called from the atomic context in the
+secondary_start_kernel, resulting in the following BUG:
+
+BUG: sleeping function called from invalid context
+in_atomic(): 1, irqs_disabled(): 1, pid: 0, name: swapper/1
+Preemption disabled at:
+ secondary_start_kernel+0xa1/0x130
+Call Trace:
+ ___might_sleep+0xe7/0xfc
+ __might_sleep+0x41/0x44
+ synchronize_irq+0x24/0x64
+ disable_irq+0x11/0x14
+ ccount_timer_shutdown+0x12/0x20
+ clockevents_switch_state+0x82/0xb4
+ clockevents_exchange_device+0x54/0x60
+ tick_check_new_device+0x46/0x70
+ clockevents_register_device+0x8c/0xc8
+ clockevents_config_and_register+0x1d/0x2c
+ local_timer_setup+0x75/0x7c
+ secondary_start_kernel+0xb4/0x130
+ should_never_return+0x32/0x35
+
+Use disable_irq_nosync instead of disable_irq to avoid it.
+This is safe because the ccount timer IRQ is per-CPU, and once IRQ is
+masked the ISR will not be called.
+
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/xtensa/kernel/time.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/xtensa/kernel/time.c b/arch/xtensa/kernel/time.c
+index fd524a54d2ab..378186b5eb40 100644
+--- a/arch/xtensa/kernel/time.c
++++ b/arch/xtensa/kernel/time.c
+@@ -89,7 +89,7 @@ static int ccount_timer_shutdown(struct clock_event_device *evt)
+ container_of(evt, struct ccount_timer, evt);
+
+ if (timer->irq_enabled) {
+- disable_irq(evt->irq);
++ disable_irq_nosync(evt->irq);
+ timer->irq_enabled = 0;
+ }
+ return 0;
+--
+2.19.1
+
--- /dev/null
+From 4c044f596611bea6c9cc75f7956112737642fc67 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Fri, 21 Dec 2018 08:26:20 -0800
+Subject: xtensa: SMP: fix secondary CPU initialization
+
+[ Upstream commit 32a7726c4f4aadfabdb82440d84f88a5a2c8fe13 ]
+
+- add missing memory barriers to the secondary CPU synchronization spin
+ loops; add comment to the matching memory barrier in the boot_secondary
+ and __cpu_die functions;
+- use READ_ONCE/WRITE_ONCE to access cpu_start_id/cpu_start_ccount
+ instead of reading/writing them directly;
+- re-initialize cpu_running every time before starting secondary CPU to
+ flush possible previous CPU startup results.
+
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/xtensa/kernel/head.S | 5 ++++-
+ arch/xtensa/kernel/smp.c | 34 +++++++++++++++++++++-------------
+ 2 files changed, 25 insertions(+), 14 deletions(-)
+
+diff --git a/arch/xtensa/kernel/head.S b/arch/xtensa/kernel/head.S
+index 27c8e07ace43..29f445b410b3 100644
+--- a/arch/xtensa/kernel/head.S
++++ b/arch/xtensa/kernel/head.S
+@@ -281,12 +281,13 @@ should_never_return:
+
+ movi a2, cpu_start_ccount
+ 1:
++ memw
+ l32i a3, a2, 0
+ beqi a3, 0, 1b
+ movi a3, 0
+ s32i a3, a2, 0
+- memw
+ 1:
++ memw
+ l32i a3, a2, 0
+ beqi a3, 0, 1b
+ wsr a3, ccount
+@@ -323,11 +324,13 @@ ENTRY(cpu_restart)
+ rsr a0, prid
+ neg a2, a0
+ movi a3, cpu_start_id
++ memw
+ s32i a2, a3, 0
+ #if XCHAL_DCACHE_IS_WRITEBACK
+ dhwbi a3, 0
+ #endif
+ 1:
++ memw
+ l32i a2, a3, 0
+ dhi a3, 0
+ bne a2, a0, 1b
+diff --git a/arch/xtensa/kernel/smp.c b/arch/xtensa/kernel/smp.c
+index 932d64689bac..c9fc2c4f71b3 100644
+--- a/arch/xtensa/kernel/smp.c
++++ b/arch/xtensa/kernel/smp.c
+@@ -195,9 +195,11 @@ static int boot_secondary(unsigned int cpu, struct task_struct *ts)
+ int i;
+
+ #ifdef CONFIG_HOTPLUG_CPU
+- cpu_start_id = cpu;
+- system_flush_invalidate_dcache_range(
+- (unsigned long)&cpu_start_id, sizeof(cpu_start_id));
++ WRITE_ONCE(cpu_start_id, cpu);
++ /* Pairs with the third memw in the cpu_restart */
++ mb();
++ system_flush_invalidate_dcache_range((unsigned long)&cpu_start_id,
++ sizeof(cpu_start_id));
+ #endif
+ smp_call_function_single(0, mx_cpu_start, (void *)cpu, 1);
+
+@@ -206,18 +208,21 @@ static int boot_secondary(unsigned int cpu, struct task_struct *ts)
+ ccount = get_ccount();
+ while (!ccount);
+
+- cpu_start_ccount = ccount;
++ WRITE_ONCE(cpu_start_ccount, ccount);
+
+- while (time_before(jiffies, timeout)) {
++ do {
++ /*
++ * Pairs with the first two memws in the
++ * .Lboot_secondary.
++ */
+ mb();
+- if (!cpu_start_ccount)
+- break;
+- }
++ ccount = READ_ONCE(cpu_start_ccount);
++ } while (ccount && time_before(jiffies, timeout));
+
+- if (cpu_start_ccount) {
++ if (ccount) {
+ smp_call_function_single(0, mx_cpu_stop,
+- (void *)cpu, 1);
+- cpu_start_ccount = 0;
++ (void *)cpu, 1);
++ WRITE_ONCE(cpu_start_ccount, 0);
+ return -EIO;
+ }
+ }
+@@ -237,6 +242,7 @@ int __cpu_up(unsigned int cpu, struct task_struct *idle)
+ pr_debug("%s: Calling wakeup_secondary(cpu:%d, idle:%p, sp: %08lx)\n",
+ __func__, cpu, idle, start_info.stack);
+
++ init_completion(&cpu_running);
+ ret = boot_secondary(cpu, idle);
+ if (ret == 0) {
+ wait_for_completion_timeout(&cpu_running,
+@@ -298,8 +304,10 @@ void __cpu_die(unsigned int cpu)
+ unsigned long timeout = jiffies + msecs_to_jiffies(1000);
+ while (time_before(jiffies, timeout)) {
+ system_invalidate_dcache_range((unsigned long)&cpu_start_id,
+- sizeof(cpu_start_id));
+- if (cpu_start_id == -cpu) {
++ sizeof(cpu_start_id));
++ /* Pairs with the second memw in the cpu_restart */
++ mb();
++ if (READ_ONCE(cpu_start_id) == -cpu) {
+ platform_cpu_kill(cpu);
+ return;
+ }
+--
+2.19.1
+
--- /dev/null
+From c985481662afd310239c8a8a1a2dba28a551d194 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Sat, 26 Jan 2019 20:35:18 -0800
+Subject: xtensa: SMP: limit number of possible CPUs by NR_CPUS
+
+[ Upstream commit 25384ce5f9530def39421597b1457d9462df6455 ]
+
+This fixes the following warning at boot when the kernel is booted on a
+board with more CPU cores than was configured in NR_CPUS:
+
+ smp_init_cpus: Core Count = 8
+ smp_init_cpus: Core Id = 0
+ ------------[ cut here ]------------
+ WARNING: CPU: 0 PID: 0 at include/linux/cpumask.h:121 smp_init_cpus+0x54/0x74
+ Modules linked in:
+ CPU: 0 PID: 0 Comm: swapper Not tainted 5.0.0-rc3-00015-g1459333f88a0 #124
+ Call Trace:
+ __warn$part$3+0x6a/0x7c
+ warn_slowpath_null+0x35/0x3c
+ smp_init_cpus+0x54/0x74
+ setup_arch+0x1c0/0x1d0
+ start_kernel+0x44/0x310
+ _startup+0x107/0x107
+
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/xtensa/kernel/smp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/xtensa/kernel/smp.c b/arch/xtensa/kernel/smp.c
+index 80be6449c497..be1f280c322c 100644
+--- a/arch/xtensa/kernel/smp.c
++++ b/arch/xtensa/kernel/smp.c
+@@ -96,6 +96,11 @@ void __init smp_init_cpus(void)
+ pr_info("%s: Core Count = %d\n", __func__, ncpus);
+ pr_info("%s: Core Id = %d\n", __func__, core_id);
+
++ if (ncpus > NR_CPUS) {
++ ncpus = NR_CPUS;
++ pr_info("%s: limiting core count by %d\n", __func__, ncpus);
++ }
++
+ for (i = 0; i < ncpus; ++i)
+ set_cpu_possible(i, true);
+ }
+--
+2.19.1
+
--- /dev/null
+From b35a4e86ead2552d45c49a103eeddf0de4e7bda3 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Sat, 19 Jan 2019 00:26:48 -0800
+Subject: xtensa: SMP: mark each possible CPU as present
+
+[ Upstream commit 8b1c42cdd7181200dc1fff39dcb6ac1a3fac2c25 ]
+
+Otherwise it is impossible to enable CPUs after booting with 'maxcpus'
+parameter.
+
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/xtensa/kernel/smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/xtensa/kernel/smp.c b/arch/xtensa/kernel/smp.c
+index c9fc2c4f71b3..80be6449c497 100644
+--- a/arch/xtensa/kernel/smp.c
++++ b/arch/xtensa/kernel/smp.c
+@@ -83,7 +83,7 @@ void __init smp_prepare_cpus(unsigned int max_cpus)
+ {
+ unsigned i;
+
+- for (i = 0; i < max_cpus; ++i)
++ for_each_possible_cpu(i)
+ set_cpu_present(i, true);
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 96a631c53e5bde21abf23f28b9e6576aa1366d4d Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Thu, 24 Jan 2019 17:16:11 -0800
+Subject: xtensa: smp_lx200_defconfig: fix vectors clash
+
+[ Upstream commit 306b38305c0f86de7f17c5b091a95451dcc93d7d ]
+
+Secondary CPU reset vector overlaps part of the double exception handler
+code, resulting in weird crashes and hangups when running user code.
+Move exception vectors one page up so that they don't clash with the
+secondary CPU reset vector.
+
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/xtensa/configs/smp_lx200_defconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/xtensa/configs/smp_lx200_defconfig b/arch/xtensa/configs/smp_lx200_defconfig
+index 14e3ca353ac8..5035b86a2e49 100644
+--- a/arch/xtensa/configs/smp_lx200_defconfig
++++ b/arch/xtensa/configs/smp_lx200_defconfig
+@@ -34,6 +34,7 @@ CONFIG_SMP=y
+ CONFIG_HOTPLUG_CPU=y
+ # CONFIG_INITIALIZE_XTENSA_MMU_INSIDE_VMLINUX is not set
+ # CONFIG_PCI is not set
++CONFIG_VECTORS_OFFSET=0x00002000
+ CONFIG_XTENSA_PLATFORM_XTFPGA=y
+ CONFIG_CMDLINE_BOOL=y
+ CONFIG_CMDLINE="earlycon=uart8250,mmio32native,0xfd050020,115200n8 console=ttyS0,115200n8 ip=dhcp root=/dev/nfs rw debug memmap=96M@0"
+--
+2.19.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
