--- /dev/null
+From ba933313b3330892df563fb70d1c4fa3b8dfb511 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 11 Oct 2018 22:45:49 +0100
+Subject: afs: Fix cell proc list
+
+[ Upstream commit 6b3944e42e2e554aa5a4be681ecd70dccd459114 ]
+
+Access to the list of cells by /proc/net/afs/cells has a couple of
+problems:
+
+ (1) It should be checking against SEQ_START_TOKEN for the keying the
+ header line.
+
+ (2) It's only holding the RCU read lock, so it can't just walk over the
+ list without following the proper RCU methods.
+
+Fix these by using an hlist instead of an ordinary list and using the
+appropriate accessor functions to follow it with RCU.
+
+Since the code that adds a cell to the list must also necessarily change,
+sort the list on insertion whilst we're at it.
+
+Fixes: 989782dcdc91 ("afs: Overhaul cell database management")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/cell.c | 17 +++++++++++++++--
+ fs/afs/dynroot.c | 2 +-
+ fs/afs/internal.h | 4 ++--
+ fs/afs/main.c | 2 +-
+ fs/afs/proc.c | 7 +++----
+ 5 files changed, 22 insertions(+), 10 deletions(-)
+
+diff --git a/fs/afs/cell.c b/fs/afs/cell.c
+index f3d0bef16d78..6127f0fcd62c 100644
+--- a/fs/afs/cell.c
++++ b/fs/afs/cell.c
+@@ -514,6 +514,8 @@ static int afs_alloc_anon_key(struct afs_cell *cell)
+ */
+ static int afs_activate_cell(struct afs_net *net, struct afs_cell *cell)
+ {
++ struct hlist_node **p;
++ struct afs_cell *pcell;
+ int ret;
+
+ if (!cell->anonymous_key) {
+@@ -534,7 +536,18 @@ static int afs_activate_cell(struct afs_net *net, struct afs_cell *cell)
+ return ret;
+
+ mutex_lock(&net->proc_cells_lock);
+- list_add_tail(&cell->proc_link, &net->proc_cells);
++ for (p = &net->proc_cells.first; *p; p = &(*p)->next) {
++ pcell = hlist_entry(*p, struct afs_cell, proc_link);
++ if (strcmp(cell->name, pcell->name) < 0)
++ break;
++ }
++
++ cell->proc_link.pprev = p;
++ cell->proc_link.next = *p;
++ rcu_assign_pointer(*p, &cell->proc_link.next);
++ if (cell->proc_link.next)
++ cell->proc_link.next->pprev = &cell->proc_link.next;
++
+ afs_dynroot_mkdir(net, cell);
+ mutex_unlock(&net->proc_cells_lock);
+ return 0;
+@@ -550,7 +563,7 @@ static void afs_deactivate_cell(struct afs_net *net, struct afs_cell *cell)
+ afs_proc_cell_remove(cell);
+
+ mutex_lock(&net->proc_cells_lock);
+- list_del_init(&cell->proc_link);
++ hlist_del_rcu(&cell->proc_link);
+ afs_dynroot_rmdir(net, cell);
+ mutex_unlock(&net->proc_cells_lock);
+
+diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
+index 174e843f0633..7de7223843cc 100644
+--- a/fs/afs/dynroot.c
++++ b/fs/afs/dynroot.c
+@@ -286,7 +286,7 @@ int afs_dynroot_populate(struct super_block *sb)
+ return -ERESTARTSYS;
+
+ net->dynroot_sb = sb;
+- list_for_each_entry(cell, &net->proc_cells, proc_link) {
++ hlist_for_each_entry(cell, &net->proc_cells, proc_link) {
+ ret = afs_dynroot_mkdir(net, cell);
+ if (ret < 0)
+ goto error;
+diff --git a/fs/afs/internal.h b/fs/afs/internal.h
+index 9778df135717..270d1caa27c6 100644
+--- a/fs/afs/internal.h
++++ b/fs/afs/internal.h
+@@ -241,7 +241,7 @@ struct afs_net {
+ seqlock_t cells_lock;
+
+ struct mutex proc_cells_lock;
+- struct list_head proc_cells;
++ struct hlist_head proc_cells;
+
+ /* Known servers. Theoretically each fileserver can only be in one
+ * cell, but in practice, people create aliases and subsets and there's
+@@ -319,7 +319,7 @@ struct afs_cell {
+ struct afs_net *net;
+ struct key *anonymous_key; /* anonymous user key for this cell */
+ struct work_struct manager; /* Manager for init/deinit/dns */
+- struct list_head proc_link; /* /proc cell list link */
++ struct hlist_node proc_link; /* /proc cell list link */
+ #ifdef CONFIG_AFS_FSCACHE
+ struct fscache_cookie *cache; /* caching cookie */
+ #endif
+diff --git a/fs/afs/main.c b/fs/afs/main.c
+index e84fe822a960..107427688edd 100644
+--- a/fs/afs/main.c
++++ b/fs/afs/main.c
+@@ -87,7 +87,7 @@ static int __net_init afs_net_init(struct net *net_ns)
+ timer_setup(&net->cells_timer, afs_cells_timer, 0);
+
+ mutex_init(&net->proc_cells_lock);
+- INIT_LIST_HEAD(&net->proc_cells);
++ INIT_HLIST_HEAD(&net->proc_cells);
+
+ seqlock_init(&net->fs_lock);
+ net->fs_servers = RB_ROOT;
+diff --git a/fs/afs/proc.c b/fs/afs/proc.c
+index 476dcbb79713..9101f62707af 100644
+--- a/fs/afs/proc.c
++++ b/fs/afs/proc.c
+@@ -33,9 +33,8 @@ static inline struct afs_net *afs_seq2net_single(struct seq_file *m)
+ static int afs_proc_cells_show(struct seq_file *m, void *v)
+ {
+ struct afs_cell *cell = list_entry(v, struct afs_cell, proc_link);
+- struct afs_net *net = afs_seq2net(m);
+
+- if (v == &net->proc_cells) {
++ if (v == SEQ_START_TOKEN) {
+ /* display header on line 1 */
+ seq_puts(m, "USE NAME\n");
+ return 0;
+@@ -50,12 +49,12 @@ static void *afs_proc_cells_start(struct seq_file *m, loff_t *_pos)
+ __acquires(rcu)
+ {
+ rcu_read_lock();
+- return seq_list_start_head(&afs_seq2net(m)->proc_cells, *_pos);
++ return seq_hlist_start_head_rcu(&afs_seq2net(m)->proc_cells, *_pos);
+ }
+
+ static void *afs_proc_cells_next(struct seq_file *m, void *v, loff_t *pos)
+ {
+- return seq_list_next(v, &afs_seq2net(m)->proc_cells, pos);
++ return seq_hlist_next_rcu(v, &afs_seq2net(m)->proc_cells, pos);
+ }
+
+ static void afs_proc_cells_stop(struct seq_file *m, void *v)
+--
+2.17.1
+
--- /dev/null
+From 3ec43dbd13f800f5240698cdc1c0a5cdd52ab800 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Date: Thu, 13 Sep 2018 16:48:08 +0100
+Subject: ARM: 8799/1: mm: fix pci_ioremap_io() offset check
+
+[ Upstream commit 3a58ac65e2d7969bcdf1b6acb70fa4d12a88e53e ]
+
+IO_SPACE_LIMIT is the ending address of the PCI IO space, i.e
+something like 0xfffff (and not 0x100000).
+
+Therefore, when offset = 0xf0000 is passed as argument, this function
+fails even though the offset + SZ_64K fits below the
+IO_SPACE_LIMIT. This makes the last chunk of 64 KB of the I/O space
+not usable as it cannot be mapped.
+
+This patch fixes that by substracing 1 to offset + SZ_64K, so that we
+compare the addrss of the last byte of the I/O space against
+IO_SPACE_LIMIT instead of the address of the first byte of what is
+after the I/O space.
+
+Fixes: c2794437091a4 ("ARM: Add fixed PCI i/o mapping")
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Acked-by: Nicolas Pitre <nico@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/ioremap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mm/ioremap.c b/arch/arm/mm/ioremap.c
+index fc91205ff46c..5bf9443cfbaa 100644
+--- a/arch/arm/mm/ioremap.c
++++ b/arch/arm/mm/ioremap.c
+@@ -473,7 +473,7 @@ void pci_ioremap_set_mem_type(int mem_type)
+
+ int pci_ioremap_io(unsigned int offset, phys_addr_t phys_addr)
+ {
+- BUG_ON(offset + SZ_64K > IO_SPACE_LIMIT);
++ BUG_ON(offset + SZ_64K - 1 > IO_SPACE_LIMIT);
+
+ return ioremap_page_range(PCI_IO_VIRT_BASE + offset,
+ PCI_IO_VIRT_BASE + offset + SZ_64K,
+--
+2.17.1
+
--- /dev/null
+From 4dc03765f20bb4b53a438470e28f3f20cee9b1ae Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Wed, 19 Sep 2018 17:14:01 -0700
+Subject: ARM: dts: BCM63xx: Fix incorrect interrupt specifiers
+
+[ Upstream commit 3ab97942d0213b6583a5408630a8cbbfbf54730f ]
+
+A number of our interrupts were incorrectly specified, fix both the PPI
+and SPI interrupts to be correct.
+
+Fixes: b5762cacc411 ("ARM: bcm63138: add NAND DT support")
+Fixes: 46d4bca0445a ("ARM: BCM63XX: add BCM63138 minimal Device Tree")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/bcm63138.dtsi | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm/boot/dts/bcm63138.dtsi b/arch/arm/boot/dts/bcm63138.dtsi
+index 43ee992ccdcf..6df61518776f 100644
+--- a/arch/arm/boot/dts/bcm63138.dtsi
++++ b/arch/arm/boot/dts/bcm63138.dtsi
+@@ -106,21 +106,23 @@
+ global_timer: timer@1e200 {
+ compatible = "arm,cortex-a9-global-timer";
+ reg = <0x1e200 0x20>;
+- interrupts = <GIC_PPI 11 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_PPI 11 IRQ_TYPE_EDGE_RISING>;
+ clocks = <&axi_clk>;
+ };
+
+ local_timer: local-timer@1e600 {
+ compatible = "arm,cortex-a9-twd-timer";
+ reg = <0x1e600 0x20>;
+- interrupts = <GIC_PPI 13 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_PPI 13 (GIC_CPU_MASK_SIMPLE(2) |
++ IRQ_TYPE_EDGE_RISING)>;
+ clocks = <&axi_clk>;
+ };
+
+ twd_watchdog: watchdog@1e620 {
+ compatible = "arm,cortex-a9-twd-wdt";
+ reg = <0x1e620 0x20>;
+- interrupts = <GIC_PPI 14 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_PPI 14 (GIC_CPU_MASK_SIMPLE(2) |
++ IRQ_TYPE_LEVEL_HIGH)>;
+ };
+
+ armpll: armpll {
+@@ -158,7 +160,7 @@
+ serial0: serial@600 {
+ compatible = "brcm,bcm6345-uart";
+ reg = <0x600 0x1b>;
+- interrupts = <GIC_SPI 32 0>;
++ interrupts = <GIC_SPI 32 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&periph_clk>;
+ clock-names = "periph";
+ status = "disabled";
+@@ -167,7 +169,7 @@
+ serial1: serial@620 {
+ compatible = "brcm,bcm6345-uart";
+ reg = <0x620 0x1b>;
+- interrupts = <GIC_SPI 33 0>;
++ interrupts = <GIC_SPI 33 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&periph_clk>;
+ clock-names = "periph";
+ status = "disabled";
+@@ -180,7 +182,7 @@
+ reg = <0x2000 0x600>, <0xf0 0x10>;
+ reg-names = "nand", "nand-int-base";
+ status = "disabled";
+- interrupts = <GIC_SPI 38 0>;
++ interrupts = <GIC_SPI 38 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "nand";
+ };
+
+--
+2.17.1
+
--- /dev/null
+From 974924b86affd52302d146355382e654d57311a5 Mon Sep 17 00:00:00 2001
+From: Sascha Hauer <s.hauer@pengutronix.de>
+Date: Wed, 12 Sep 2018 08:23:01 +0200
+Subject: ARM: dts: imx53-qsb: disable 1.2GHz OPP
+
+[ Upstream commit eea96566c189c77e5272585984eb2729881a2f1d ]
+
+The maximum CPU frequency for the i.MX53 QSB is 1GHz, so disable the
+1.2GHz OPP. This makes the board work again with configs that have
+cpufreq enabled like imx_v6_v7_defconfig on which the board stopped
+working with the addition of cpufreq-dt support.
+
+Fixes: 791f416608 ("ARM: dts: imx53: add cpufreq-dt support")
+
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx53-qsb-common.dtsi | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx53-qsb-common.dtsi b/arch/arm/boot/dts/imx53-qsb-common.dtsi
+index ef7658a78836..c1548adee789 100644
+--- a/arch/arm/boot/dts/imx53-qsb-common.dtsi
++++ b/arch/arm/boot/dts/imx53-qsb-common.dtsi
+@@ -123,6 +123,17 @@
+ };
+ };
+
++&cpu0 {
++ /* CPU rated to 1GHz, not 1.2GHz as per the default settings */
++ operating-points = <
++ /* kHz uV */
++ 166666 850000
++ 400000 900000
++ 800000 1050000
++ 1000000 1200000
++ >;
++};
++
+ &esdhc1 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_esdhc1>;
+--
+2.17.1
+
--- /dev/null
+From 08e617ee82d9d4f643c7967a9fab72e012316abc Mon Sep 17 00:00:00 2001
+From: Steve Capper <steve.capper@arm.com>
+Date: Fri, 21 Sep 2018 16:34:04 +0100
+Subject: arm64: hugetlb: Fix handling of young ptes
+
+[ Upstream commit 469ed9d823b7d240d6b9574f061ded7c3834c167 ]
+
+In the contiguous bit hugetlb break-before-make code we assume that all
+hugetlb pages are young.
+
+In fact, remove_migration_pte is able to place an old hugetlb pte so
+this assumption is not valid.
+
+This patch fixes the contiguous hugetlb scanning code to preserve young
+ptes.
+
+Fixes: d8bdcff28764 ("arm64: hugetlb: Add break-before-make logic for contiguous entries")
+Signed-off-by: Steve Capper <steve.capper@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/mm/hugetlbpage.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/mm/hugetlbpage.c b/arch/arm64/mm/hugetlbpage.c
+index 192b3ba07075..f85be2f8b140 100644
+--- a/arch/arm64/mm/hugetlbpage.c
++++ b/arch/arm64/mm/hugetlbpage.c
+@@ -117,11 +117,14 @@ static pte_t get_clear_flush(struct mm_struct *mm,
+
+ /*
+ * If HW_AFDBM is enabled, then the HW could turn on
+- * the dirty bit for any page in the set, so check
+- * them all. All hugetlb entries are already young.
++ * the dirty or accessed bit for any page in the set,
++ * so check them all.
+ */
+ if (pte_dirty(pte))
+ orig_pte = pte_mkdirty(orig_pte);
++
++ if (pte_young(pte))
++ orig_pte = pte_mkyoung(orig_pte);
+ }
+
+ if (valid) {
+@@ -340,10 +343,13 @@ int huge_ptep_set_access_flags(struct vm_area_struct *vma,
+ if (!pte_same(orig_pte, pte))
+ changed = 1;
+
+- /* Make sure we don't lose the dirty state */
++ /* Make sure we don't lose the dirty or young state */
+ if (pte_dirty(orig_pte))
+ pte = pte_mkdirty(pte);
+
++ if (pte_young(orig_pte))
++ pte = pte_mkyoung(pte);
++
+ hugeprot = pte_pgprot(pte);
+ for (i = 0; i < ncontig; i++, ptep++, addr += pgsize, pfn += dpfn)
+ set_pte_at(vma->vm_mm, addr, ptep, pfn_pte(pfn, hugeprot));
+--
+2.17.1
+
--- /dev/null
+From 17f1457c4748470f807bff0bd230dad4c919c953 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:50 -0700
+Subject: asix: Check for supported Wake-on-LAN modes
+
+[ Upstream commit c4ce446e33d7a0e978256ac6fea4c80e59d9de5f ]
+
+The driver currently silently accepts unsupported Wake-on-LAN modes
+(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user,
+which is confusing.
+
+Fixes: 2e55cc7210fe ("[PATCH] USB: usbnet (3/9) module for ASIX Ethernet adapters")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/asix_common.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
+index e95dd12edec4..023b8d0bf175 100644
+--- a/drivers/net/usb/asix_common.c
++++ b/drivers/net/usb/asix_common.c
+@@ -607,6 +607,9 @@ int asix_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo)
+ struct usbnet *dev = netdev_priv(net);
+ u8 opt = 0;
+
++ if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC))
++ return -EINVAL;
++
+ if (wolinfo->wolopts & WAKE_PHY)
+ opt |= AX_MONITOR_LINK;
+ if (wolinfo->wolopts & WAKE_MAGIC)
+--
+2.17.1
+
--- /dev/null
+From 3d947d7775f8e692eb83fc37507414792516573a Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:51 -0700
+Subject: ax88179_178a: Check for supported Wake-on-LAN modes
+
+[ Upstream commit 5ba6b4aa9a410c5e2c6417df52b5e2118ea9b467 ]
+
+The driver currently silently accepts unsupported Wake-on-LAN modes
+(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user,
+which is confusing.
+
+Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/ax88179_178a.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c
+index 9e8ad372f419..2207f7a7d1ff 100644
+--- a/drivers/net/usb/ax88179_178a.c
++++ b/drivers/net/usb/ax88179_178a.c
+@@ -566,6 +566,9 @@ ax88179_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo)
+ struct usbnet *dev = netdev_priv(net);
+ u8 opt = 0;
+
++ if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC))
++ return -EINVAL;
++
+ if (wolinfo->wolopts & WAKE_PHY)
+ opt |= AX_MONITOR_MODE_RWLC;
+ if (wolinfo->wolopts & WAKE_MAGIC)
+--
+2.17.1
+
--- /dev/null
+From 55cca91ed7ed5444150c34bcb2c93b13dcd0f3f9 Mon Sep 17 00:00:00 2001
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Wed, 3 Oct 2018 15:20:58 +0200
+Subject: be2net: don't flip hw_features when VXLANs are added/deleted
+
+[ Upstream commit 2d52527e80c2dc0c5f43f50adf183781262ec565 ]
+
+the be2net implementation of .ndo_tunnel_{add,del}() changes the value of
+NETIF_F_GSO_UDP_TUNNEL bit in 'features' and 'hw_features', but it forgets
+to call netdev_features_change(). Moreover, ethtool setting for that bit
+can potentially be reverted after a tunnel is added or removed.
+
+GSO already does software segmentation when 'hw_enc_features' is 0, even
+if VXLAN offload is turned on. In addition, commit 096de2f83ebc ("benet:
+stricter vxlan offloading check in be_features_check") avoids hardware
+segmentation of non-VXLAN tunneled packets, or VXLAN packets having wrong
+destination port. So, it's safe to avoid flipping the above feature on
+addition/deletion of VXLAN tunnels.
+
+Fixes: 630f4b70567f ("be2net: Export tunnel offloads only when a VxLAN tunnel is created")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/emulex/benet/be_main.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
+index 8f755009ff38..c8445a4135a9 100644
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -3915,8 +3915,6 @@ static int be_enable_vxlan_offloads(struct be_adapter *adapter)
+ netdev->hw_enc_features |= NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM |
+ NETIF_F_TSO | NETIF_F_TSO6 |
+ NETIF_F_GSO_UDP_TUNNEL;
+- netdev->hw_features |= NETIF_F_GSO_UDP_TUNNEL;
+- netdev->features |= NETIF_F_GSO_UDP_TUNNEL;
+
+ dev_info(dev, "Enabled VxLAN offloads for UDP port %d\n",
+ be16_to_cpu(port));
+@@ -3938,8 +3936,6 @@ static void be_disable_vxlan_offloads(struct be_adapter *adapter)
+ adapter->vxlan_port = 0;
+
+ netdev->hw_enc_features = 0;
+- netdev->hw_features &= ~(NETIF_F_GSO_UDP_TUNNEL);
+- netdev->features &= ~(NETIF_F_GSO_UDP_TUNNEL);
+ }
+
+ static void be_calculate_vf_res(struct be_adapter *adapter, u16 num_vfs,
+@@ -5232,6 +5228,7 @@ static void be_netdev_init(struct net_device *netdev)
+ struct be_adapter *adapter = netdev_priv(netdev);
+
+ netdev->hw_features |= NETIF_F_SG | NETIF_F_TSO | NETIF_F_TSO6 |
++ NETIF_F_GSO_UDP_TUNNEL |
+ NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM | NETIF_F_RXCSUM |
+ NETIF_F_HW_VLAN_CTAG_TX;
+ if ((be_if_cap_flags(adapter) & BE_IF_FLAGS_RSS))
+--
+2.17.1
+
--- /dev/null
+From 16be326ef3dfa52b62fdbd32627b6378d4e75ce1 Mon Sep 17 00:00:00 2001
+From: Matias Karhumaa <matias.karhumaa@gmail.com>
+Date: Wed, 26 Sep 2018 09:13:46 +0300
+Subject: Bluetooth: SMP: fix crash in unpairing
+
+[ Upstream commit cb28c306b93b71f2741ce1a5a66289db26715f4d ]
+
+In case unpair_device() was called through mgmt interface at the same time
+when pairing was in progress, Bluetooth kernel module crash was seen.
+
+[ 600.351225] general protection fault: 0000 [#1] SMP PTI
+[ 600.351235] CPU: 1 PID: 11096 Comm: btmgmt Tainted: G OE 4.19.0-rc1+ #1
+[ 600.351238] Hardware name: Dell Inc. Latitude E5440/08RCYC, BIOS A18 05/14/2017
+[ 600.351272] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth]
+[ 600.351276] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 <48> 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01
+[ 600.351279] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246
+[ 600.351282] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60
+[ 600.351285] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500
+[ 600.351287] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00
+[ 600.351290] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800
+[ 600.351292] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00
+[ 600.351295] FS: 00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000
+[ 600.351298] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 600.351300] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0
+[ 600.351302] Call Trace:
+[ 600.351325] smp_failure+0x4f/0x70 [bluetooth]
+[ 600.351345] smp_cancel_pairing+0x74/0x80 [bluetooth]
+[ 600.351370] unpair_device+0x1c1/0x330 [bluetooth]
+[ 600.351399] hci_sock_sendmsg+0x960/0x9f0 [bluetooth]
+[ 600.351409] ? apparmor_socket_sendmsg+0x1e/0x20
+[ 600.351417] sock_sendmsg+0x3e/0x50
+[ 600.351422] sock_write_iter+0x85/0xf0
+[ 600.351429] do_iter_readv_writev+0x12b/0x1b0
+[ 600.351434] do_iter_write+0x87/0x1a0
+[ 600.351439] vfs_writev+0x98/0x110
+[ 600.351443] ? ep_poll+0x16d/0x3d0
+[ 600.351447] ? ep_modify+0x73/0x170
+[ 600.351451] do_writev+0x61/0xf0
+[ 600.351455] ? do_writev+0x61/0xf0
+[ 600.351460] __x64_sys_writev+0x1c/0x20
+[ 600.351465] do_syscall_64+0x5a/0x110
+[ 600.351471] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 600.351474] RIP: 0033:0x7fb2bdb62fe0
+[ 600.351477] Code: 73 01 c3 48 8b 0d b8 6e 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 69 c7 2c 00 00 75 10 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 de 80 01 00 48 89 04 24
+[ 600.351479] RSP: 002b:00007ffe062cb8f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
+[ 600.351484] RAX: ffffffffffffffda RBX: 000000000255b3d0 RCX: 00007fb2bdb62fe0
+[ 600.351487] RDX: 0000000000000001 RSI: 00007ffe062cb920 RDI: 0000000000000004
+[ 600.351490] RBP: 00007ffe062cb920 R08: 000000000255bd80 R09: 0000000000000000
+[ 600.351494] R10: 0000000000000353 R11: 0000000000000246 R12: 0000000000000001
+[ 600.351497] R13: 00007ffe062cbbe0 R14: 0000000000000000 R15: 0000000000000000
+[ 600.351501] Modules linked in: algif_hash algif_skcipher af_alg cmac ipt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_nat_ipv4 xt_addrtype iptable_filter ip_tables xt_conntrack x_tables nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c br_netfilter bridge stp llc overlay arc4 nls_iso8859_1 dm_crypt intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp dell_laptop kvm_intel crct10dif_pclmul dell_smm_hwmon crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper intel_cstate intel_rapl_perf uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev media hid_multitouch input_leds joydev serio_raw dell_wmi snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic dell_smbios dcdbas sparse_keymap
+[ 600.351569] snd_hda_intel btusb snd_hda_codec btrtl btbcm btintel snd_hda_core bluetooth(OE) snd_hwdep snd_pcm iwlmvm ecdh_generic wmi_bmof dell_wmi_descriptor snd_seq_midi mac80211 snd_seq_midi_event lpc_ich iwlwifi snd_rawmidi snd_seq snd_seq_device snd_timer cfg80211 snd soundcore mei_me mei dell_rbtn dell_smo8800 mac_hid parport_pc ppdev lp parport autofs4 hid_generic usbhid hid i915 nouveau kvmgt vfio_mdev mdev vfio_iommu_type1 vfio kvm irqbypass i2c_algo_bit ttm drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi psmouse ahci sdhci_pci cqhci libahci fb_sys_fops sdhci drm e1000e video wmi
+[ 600.351637] ---[ end trace e49e9f1df09c94fb ]---
+[ 600.351664] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth]
+[ 600.351666] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 <48> 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01
+[ 600.351669] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246
+[ 600.351672] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60
+[ 600.351674] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500
+[ 600.351676] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00
+[ 600.351679] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800
+[ 600.351681] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00
+[ 600.351684] FS: 00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000
+[ 600.351686] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 600.351689] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0
+
+Crash happened because list_del_rcu() was called twice for smp->ltk. This
+was possible if unpair_device was called right after ltk was generated
+but before keys were distributed.
+
+In this commit smp_cancel_pairing was refactored to cancel pairing if it
+is in progress and otherwise just removes keys. Once keys are removed from
+rcu list, pointers to smp context's keys are set to NULL to make sure
+removed list items are not accessed later.
+
+This commit also adjusts the functionality of mgmt unpair_device() little
+bit. Previously pairing was canceled only if pairing was in state that
+keys were already generated. With this commit unpair_device() cancels
+pairing already in earlier states.
+
+Bug was found by fuzzing kernel SMP implementation using Synopsys
+Defensics.
+
+Reported-by: Pekka Oikarainen <pekka.oikarainen@synopsys.com>
+Signed-off-by: Matias Karhumaa <matias.karhumaa@gmail.com>
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c | 7 ++-----
+ net/bluetooth/smp.c | 29 +++++++++++++++++++++++++----
+ net/bluetooth/smp.h | 3 ++-
+ 3 files changed, 29 insertions(+), 10 deletions(-)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index 8a80d48d89c4..1b9984f653dd 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -2298,9 +2298,8 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
+ /* LE address type */
+ addr_type = le_addr_type(cp->addr.type);
+
+- hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type);
+-
+- err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type);
++ /* Abort any ongoing SMP pairing. Removes ltk and irk if they exist. */
++ err = smp_cancel_and_remove_pairing(hdev, &cp->addr.bdaddr, addr_type);
+ if (err < 0) {
+ err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
+ MGMT_STATUS_NOT_PAIRED, &rp,
+@@ -2314,8 +2313,6 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
+ goto done;
+ }
+
+- /* Abort any ongoing SMP pairing */
+- smp_cancel_pairing(conn);
+
+ /* Defer clearing up the connection parameters until closing to
+ * give a chance of keeping them if a repairing happens.
+diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
+index 3a7b0773536b..73f7211d0431 100644
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2422,30 +2422,51 @@ unlock:
+ return ret;
+ }
+
+-void smp_cancel_pairing(struct hci_conn *hcon)
++int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
++ u8 addr_type)
+ {
+- struct l2cap_conn *conn = hcon->l2cap_data;
++ struct hci_conn *hcon;
++ struct l2cap_conn *conn;
+ struct l2cap_chan *chan;
+ struct smp_chan *smp;
++ int err;
++
++ err = hci_remove_ltk(hdev, bdaddr, addr_type);
++ hci_remove_irk(hdev, bdaddr, addr_type);
++
++ hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
++ if (!hcon)
++ goto done;
+
++ conn = hcon->l2cap_data;
+ if (!conn)
+- return;
++ goto done;
+
+ chan = conn->smp;
+ if (!chan)
+- return;
++ goto done;
+
+ l2cap_chan_lock(chan);
+
+ smp = chan->data;
+ if (smp) {
++ /* Set keys to NULL to make sure smp_failure() does not try to
++ * remove and free already invalidated rcu list entries. */
++ smp->ltk = NULL;
++ smp->slave_ltk = NULL;
++ smp->remote_irk = NULL;
++
+ if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
+ smp_failure(conn, 0);
+ else
+ smp_failure(conn, SMP_UNSPECIFIED);
++ err = 0;
+ }
+
+ l2cap_chan_unlock(chan);
++
++done:
++ return err;
+ }
+
+ static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
+diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h
+index 0ff6247eaa6c..121edadd5f8d 100644
+--- a/net/bluetooth/smp.h
++++ b/net/bluetooth/smp.h
+@@ -181,7 +181,8 @@ enum smp_key_pref {
+ };
+
+ /* SMP Commands */
+-void smp_cancel_pairing(struct hci_conn *hcon);
++int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
++ u8 addr_type);
+ bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
+ enum smp_key_pref key_pref);
+ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level);
+--
+2.17.1
+
--- /dev/null
+From 3b4ef9999c4db110021ce06c296d9dd62e9b5c74 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 5 Sep 2018 18:52:22 +0300
+Subject: cfg80211: Address some corner cases in scan result channel updating
+
+[ Upstream commit 119f94a6fefcc76d47075b83d2b73d04c895df78 ]
+
+cfg80211_get_bss_channel() is used to update the RX channel based on the
+available frame payload information (channel number from DSSS Parameter
+Set element or HT Operation element). This is needed on 2.4 GHz channels
+where frames may be received on neighboring channels due to overlapping
+frequency range.
+
+This might of some use on the 5 GHz band in some corner cases, but
+things are more complex there since there is no n:1 or 1:n mapping
+between channel numbers and frequencies due to multiple different
+starting frequencies in different operating classes. This could result
+in ieee80211_channel_to_frequency() returning incorrect frequency and
+ieee80211_get_channel() returning incorrect channel information (or
+indication of no match). In the previous implementation, this could
+result in some scan results being dropped completely, e.g., for the 4.9
+GHz channels. That prevented connection to such BSSs.
+
+Fix this by using the driver-provided channel pointer if
+ieee80211_get_channel() does not find matching channel data for the
+channel number in the frame payload and if the scan is done with 5 MHz
+or 10 MHz channel bandwidth. While doing this, also add comments
+describing what the function is trying to achieve to make it easier to
+understand what happens here and why.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 58 ++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 49 insertions(+), 9 deletions(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index d36c3eb7b931..d0e7472dd9fd 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -1058,13 +1058,23 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev,
+ return NULL;
+ }
+
++/*
++ * Update RX channel information based on the available frame payload
++ * information. This is mainly for the 2.4 GHz band where frames can be received
++ * from neighboring channels and the Beacon frames use the DSSS Parameter Set
++ * element to indicate the current (transmitting) channel, but this might also
++ * be needed on other bands if RX frequency does not match with the actual
++ * operating channel of a BSS.
++ */
+ static struct ieee80211_channel *
+ cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen,
+- struct ieee80211_channel *channel)
++ struct ieee80211_channel *channel,
++ enum nl80211_bss_scan_width scan_width)
+ {
+ const u8 *tmp;
+ u32 freq;
+ int channel_number = -1;
++ struct ieee80211_channel *alt_channel;
+
+ tmp = cfg80211_find_ie(WLAN_EID_DS_PARAMS, ie, ielen);
+ if (tmp && tmp[1] == 1) {
+@@ -1078,16 +1088,45 @@ cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen,
+ }
+ }
+
+- if (channel_number < 0)
++ if (channel_number < 0) {
++ /* No channel information in frame payload */
+ return channel;
++ }
+
+ freq = ieee80211_channel_to_frequency(channel_number, channel->band);
+- channel = ieee80211_get_channel(wiphy, freq);
+- if (!channel)
+- return NULL;
+- if (channel->flags & IEEE80211_CHAN_DISABLED)
++ alt_channel = ieee80211_get_channel(wiphy, freq);
++ if (!alt_channel) {
++ if (channel->band == NL80211_BAND_2GHZ) {
++ /*
++ * Better not allow unexpected channels when that could
++ * be going beyond the 1-11 range (e.g., discovering
++ * BSS on channel 12 when radio is configured for
++ * channel 11.
++ */
++ return NULL;
++ }
++
++ /* No match for the payload channel number - ignore it */
++ return channel;
++ }
++
++ if (scan_width == NL80211_BSS_CHAN_WIDTH_10 ||
++ scan_width == NL80211_BSS_CHAN_WIDTH_5) {
++ /*
++ * Ignore channel number in 5 and 10 MHz channels where there
++ * may not be an n:1 or 1:n mapping between frequencies and
++ * channel numbers.
++ */
++ return channel;
++ }
++
++ /*
++ * Use the channel determined through the payload channel number
++ * instead of the RX channel reported by the driver.
++ */
++ if (alt_channel->flags & IEEE80211_CHAN_DISABLED)
+ return NULL;
+- return channel;
++ return alt_channel;
+ }
+
+ /* Returned bss is reference counted and must be cleaned up appropriately. */
+@@ -1112,7 +1151,8 @@ cfg80211_inform_bss_data(struct wiphy *wiphy,
+ (data->signal < 0 || data->signal > 100)))
+ return NULL;
+
+- channel = cfg80211_get_bss_channel(wiphy, ie, ielen, data->chan);
++ channel = cfg80211_get_bss_channel(wiphy, ie, ielen, data->chan,
++ data->scan_width);
+ if (!channel)
+ return NULL;
+
+@@ -1210,7 +1250,7 @@ cfg80211_inform_bss_frame_data(struct wiphy *wiphy,
+ return NULL;
+
+ channel = cfg80211_get_bss_channel(wiphy, mgmt->u.beacon.variable,
+- ielen, data->chan);
++ ielen, data->chan, data->scan_width);
+ if (!channel)
+ return NULL;
+
+--
+2.17.1
+
--- /dev/null
+From f9f762c85f7b74229abbd3dada0dee06bd641587 Mon Sep 17 00:00:00 2001
+From: Yu Zhao <yuzhao@google.com>
+Date: Thu, 27 Sep 2018 17:05:04 -0600
+Subject: cfg80211: fix use-after-free in reg_process_hint()
+
+[ Upstream commit 1db58529454742f67ebd96e3588315e880b72837 ]
+
+reg_process_hint_country_ie() can free regulatory_request and return
+REG_REQ_ALREADY_SET. We shouldn't use regulatory_request after it's
+called. KASAN error was observed when this happens.
+
+BUG: KASAN: use-after-free in reg_process_hint+0x839/0x8aa [cfg80211]
+Read of size 4 at addr ffff8800c430d434 by task kworker/1:3/89
+<snipped>
+Workqueue: events reg_todo [cfg80211]
+Call Trace:
+ dump_stack+0xc1/0x10c
+ ? _atomic_dec_and_lock+0x1ad/0x1ad
+ ? _raw_spin_lock_irqsave+0xa0/0xd2
+ print_address_description+0x86/0x26f
+ ? reg_process_hint+0x839/0x8aa [cfg80211]
+ kasan_report+0x241/0x29b
+ reg_process_hint+0x839/0x8aa [cfg80211]
+ reg_todo+0x204/0x5b9 [cfg80211]
+ process_one_work+0x55f/0x8d0
+ ? worker_detach_from_pool+0x1b5/0x1b5
+ ? _raw_spin_unlock_irq+0x65/0xdd
+ ? _raw_spin_unlock_irqrestore+0xf3/0xf3
+ worker_thread+0x5dd/0x841
+ ? kthread_parkme+0x1d/0x1d
+ kthread+0x270/0x285
+ ? pr_cont_work+0xe3/0xe3
+ ? rcu_read_unlock_sched_notrace+0xca/0xca
+ ret_from_fork+0x22/0x40
+
+Allocated by task 2718:
+ set_track+0x63/0xfa
+ __kmalloc+0x119/0x1ac
+ regulatory_hint_country_ie+0x38/0x329 [cfg80211]
+ __cfg80211_connect_result+0x854/0xadd [cfg80211]
+ cfg80211_rx_assoc_resp+0x3bc/0x4f0 [cfg80211]
+smsc95xx v1.0.6
+ ieee80211_sta_rx_queued_mgmt+0x1803/0x7ed5 [mac80211]
+ ieee80211_iface_work+0x411/0x696 [mac80211]
+ process_one_work+0x55f/0x8d0
+ worker_thread+0x5dd/0x841
+ kthread+0x270/0x285
+ ret_from_fork+0x22/0x40
+
+Freed by task 89:
+ set_track+0x63/0xfa
+ kasan_slab_free+0x6a/0x87
+ kfree+0xdc/0x470
+ reg_process_hint+0x31e/0x8aa [cfg80211]
+ reg_todo+0x204/0x5b9 [cfg80211]
+ process_one_work+0x55f/0x8d0
+ worker_thread+0x5dd/0x841
+ kthread+0x270/0x285
+ ret_from_fork+0x22/0x40
+<snipped>
+
+Signed-off-by: Yu Zhao <yuzhao@google.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/reg.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/wireless/reg.c b/net/wireless/reg.c
+index 765dedb12361..24cfa2776f50 100644
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -2661,11 +2661,12 @@ static void reg_process_hint(struct regulatory_request *reg_request)
+ {
+ struct wiphy *wiphy = NULL;
+ enum reg_request_treatment treatment;
++ enum nl80211_reg_initiator initiator = reg_request->initiator;
+
+ if (reg_request->wiphy_idx != WIPHY_IDX_INVALID)
+ wiphy = wiphy_idx_to_wiphy(reg_request->wiphy_idx);
+
+- switch (reg_request->initiator) {
++ switch (initiator) {
+ case NL80211_REGDOM_SET_BY_CORE:
+ treatment = reg_process_hint_core(reg_request);
+ break;
+@@ -2683,7 +2684,7 @@ static void reg_process_hint(struct regulatory_request *reg_request)
+ treatment = reg_process_hint_country_ie(wiphy, reg_request);
+ break;
+ default:
+- WARN(1, "invalid initiator %d\n", reg_request->initiator);
++ WARN(1, "invalid initiator %d\n", initiator);
+ goto out_free;
+ }
+
+@@ -2698,7 +2699,7 @@ static void reg_process_hint(struct regulatory_request *reg_request)
+ */
+ if (treatment == REG_REQ_ALREADY_SET && wiphy &&
+ wiphy->regulatory_flags & REGULATORY_STRICT_REG) {
+- wiphy_update_regulatory(wiphy, reg_request->initiator);
++ wiphy_update_regulatory(wiphy, initiator);
+ wiphy_all_share_dfs_chan_state(wiphy);
+ reg_check_channels();
+ }
+--
+2.17.1
+
--- /dev/null
+From 6d364d6ed5723a579bf88cd5082e00b183145665 Mon Sep 17 00:00:00 2001
+From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Date: Wed, 5 Sep 2018 08:06:12 +0300
+Subject: cfg80211: reg: Init wiphy_idx in regulatory_hint_core()
+
+[ Upstream commit 24f33e64fcd0d50a4b1a8e5b41bd0257aa66b0e8 ]
+
+Core regulatory hints didn't set wiphy_idx to WIPHY_IDX_INVALID. Since
+the regulatory request is zeroed, wiphy_idx was always implicitly set to
+0. This resulted in updating only phy #0.
+Fix that.
+
+Fixes: 806a9e39670b ("cfg80211: make regulatory_request use wiphy_idx instead of wiphy")
+Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+[add fixes tag]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/reg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/wireless/reg.c b/net/wireless/reg.c
+index 2f702adf2912..765dedb12361 100644
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -2867,6 +2867,7 @@ static int regulatory_hint_core(const char *alpha2)
+ request->alpha2[0] = alpha2[0];
+ request->alpha2[1] = alpha2[1];
+ request->initiator = NL80211_REGDOM_SET_BY_CORE;
++ request->wiphy_idx = WIPHY_IDX_INVALID;
+
+ queue_regulatory_request(request);
+
+--
+2.17.1
+
--- /dev/null
+From e1a230c72811a338ab874af2dd39e2379da23c36 Mon Sep 17 00:00:00 2001
+From: Anders Roxell <anders.roxell@linaro.org>
+Date: Fri, 27 Jul 2018 00:27:21 +0200
+Subject: clk: mvebu: armada-37xx-periph: Remove unused var num_parents
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 8927c27b32703e28041ae19bf25ea53461be83a1 ]
+
+When building armada-37xx-periph, num_parents isn't used in function
+clk_pm_cpu_get_parent:
+drivers/clk/mvebu/armada-37xx-periph.c: In function ‘clk_pm_cpu_get_parent’:
+drivers/clk/mvebu/armada-37xx-periph.c:419:6: warning: unused variable ‘num_parents’ [-Wunused-variable]
+ int num_parents = clk_hw_get_num_parents(hw);
+ ^~~~~~~~~~~
+Remove the declaration of num_parents to dispose the warning.
+
+Fixes: 616bf80d381d ("clk: mvebu: armada-37xx-periph: Fix wrong return value in get_parent")
+Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/mvebu/armada-37xx-periph.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/clk/mvebu/armada-37xx-periph.c b/drivers/clk/mvebu/armada-37xx-periph.c
+index 6f7637b19738..e764dfdea53f 100644
+--- a/drivers/clk/mvebu/armada-37xx-periph.c
++++ b/drivers/clk/mvebu/armada-37xx-periph.c
+@@ -419,7 +419,6 @@ static unsigned int armada_3700_pm_dvfs_get_cpu_parent(struct regmap *base)
+ static u8 clk_pm_cpu_get_parent(struct clk_hw *hw)
+ {
+ struct clk_pm_cpu *pm_cpu = to_clk_pm_cpu(hw);
+- int num_parents = clk_hw_get_num_parents(hw);
+ u32 val;
+
+ if (armada_3700_pm_dvfs_is_enabled(pm_cpu->nb_pm_base)) {
+--
+2.17.1
+
--- /dev/null
+From b4c281930217f6487e00ad6a690b8c6cd9fb70ac Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@mips.com>
+Date: Mon, 20 Aug 2018 15:36:17 -0700
+Subject: compiler.h: Allow arch-specific asm/compiler.h
+
+[ Upstream commit 04f264d3a8b0eb25d378127bd78c3c9a0261c828 ]
+
+We have a need to override the definition of
+barrier_before_unreachable() for MIPS, which means we either need to add
+architecture-specific code into linux/compiler-gcc.h or we need to allow
+the architecture to provide a header that can define the macro before
+the generic definition. The latter seems like the better approach.
+
+A straightforward approach to the per-arch header is to make use of
+asm-generic to provide a default empty header & adjust architectures
+which don't need anything specific to make use of that by adding the
+header to generic-y. Unfortunately this doesn't work so well due to
+commit 28128c61e08e ("kconfig.h: Include compiler types to avoid missed
+struct attributes") which caused linux/compiler_types.h to be included
+in the compilation of every C file via the -include linux/kconfig.h flag
+in c_flags.
+
+Because the -include flag is present for all C files we compile, we need
+the architecture-provided header to be present before any C files are
+compiled. If any C files can be compiled prior to the asm-generic header
+wrappers being generated then we hit a build failure due to missing
+header. Such cases do exist - one pointed out by the kbuild test robot
+is the compilation of arch/ia64/kernel/nr-irqs.c, which occurs as part
+of the archprepare target [1].
+
+This leaves us with a few options:
+
+ 1) Use generic-y & fix any build failures we find by enforcing
+ ordering such that the asm-generic target occurs before any C
+ compilation, such that linux/compiler_types.h can always include
+ the generated asm-generic wrapper which in turn includes the empty
+ asm-generic header. This would rely on us finding all the
+ problematic cases - I don't know for sure that the ia64 issue is
+ the only one.
+
+ 2) Add an actual empty header to each architecture, so that we don't
+ need the generated asm-generic wrapper. This seems messy.
+
+ 3) Give up & add #ifdef CONFIG_MIPS or similar to
+ linux/compiler_types.h. This seems messy too.
+
+ 4) Include the arch header only when it's actually needed, removing
+ the need for the asm-generic wrapper for all other architectures.
+
+This patch allows us to use approach 4, by including an asm/compiler.h
+header from linux/compiler_types.h after the inclusion of the
+compiler-specific linux/compiler-*.h header(s). We do this
+conditionally, only when CONFIG_HAVE_ARCH_COMPILER_H is selected, in
+order to avoid the need for asm-generic wrappers & the associated build
+ordering issue described above. The asm/compiler.h header is included
+after the generic linux/compiler-*.h header(s) for consistency with the
+way linux/compiler-intel.h & linux/compiler-clang.h are included after
+the linux/compiler-gcc.h header that they override.
+
+[1] https://lists.01.org/pipermail/kbuild-all/2018-August/051175.html
+
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Reviewed-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Patchwork: https://patchwork.linux-mips.org/patch/20269/
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-arch@vger.kernel.org
+Cc: linux-kbuild@vger.kernel.org
+Cc: linux-mips@linux-mips.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/Kconfig | 8 ++++++++
+ include/linux/compiler_types.h | 12 ++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/arch/Kconfig b/arch/Kconfig
+index f03b72644902..a18371a36e03 100644
+--- a/arch/Kconfig
++++ b/arch/Kconfig
+@@ -977,4 +977,12 @@ config REFCOUNT_FULL
+ against various use-after-free conditions that can be used in
+ security flaw exploits.
+
++config HAVE_ARCH_COMPILER_H
++ bool
++ help
++ An architecture can select this if it provides an
++ asm/compiler.h header that should be included after
++ linux/compiler-*.h in order to override macro definitions that those
++ headers generally provide.
++
+ source "kernel/gcov/Kconfig"
+diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
+index a8ba6b04152c..55e4be8b016b 100644
+--- a/include/linux/compiler_types.h
++++ b/include/linux/compiler_types.h
+@@ -78,6 +78,18 @@ extern void __chk_io_ptr(const volatile void __iomem *);
+ #include <linux/compiler-clang.h>
+ #endif
+
++/*
++ * Some architectures need to provide custom definitions of macros provided
++ * by linux/compiler-*.h, and can do so using asm/compiler.h. We include that
++ * conditionally rather than using an asm-generic wrapper in order to avoid
++ * build failures if any C compilation, which will include this file via an
++ * -include argument in c_flags, occurs prior to the asm-generic wrappers being
++ * generated.
++ */
++#ifdef CONFIG_HAVE_ARCH_COMPILER_H
++#include <asm/compiler.h>
++#endif
++
+ /*
+ * Generic compiler-dependent macros required for kernel
+ * build go below this comment. Actual compiler/compiler version
+--
+2.17.1
+
--- /dev/null
+From 1165edd92c6e62f10d0118f276fd6e22cd3b245f Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@linux-mips.org>
+Date: Tue, 2 Oct 2018 14:23:45 +0100
+Subject: declance: Fix continuation with the adapter identification message
+
+[ Upstream commit fe3a83af6a50199bf250fa331e94216912f79395 ]
+
+Fix a commit 4bcc595ccd80 ("printk: reinstate KERN_CONT for printing
+continuation lines") regression with the `declance' driver, which caused
+the adapter identification message to be split between two lines, e.g.:
+
+declance.c: v0.011 by Linux MIPS DECstation task force
+tc6: PMAD-AA
+, addr = 08:00:2b:1b:2a:6a, irq = 14
+tc6: registered as eth0.
+
+Address that properly, by printing identification with a single call,
+making the messages now look like:
+
+declance.c: v0.011 by Linux MIPS DECstation task force
+tc6: PMAD-AA, addr = 08:00:2b:1b:2a:6a, irq = 14
+tc6: registered as eth0.
+
+Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
+Fixes: 4bcc595ccd80 ("printk: reinstate KERN_CONT for printing continuation lines")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/declance.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/declance.c b/drivers/net/ethernet/amd/declance.c
+index 116997a8b593..00332a1ea84b 100644
+--- a/drivers/net/ethernet/amd/declance.c
++++ b/drivers/net/ethernet/amd/declance.c
+@@ -1031,6 +1031,7 @@ static int dec_lance_probe(struct device *bdev, const int type)
+ int i, ret;
+ unsigned long esar_base;
+ unsigned char *esar;
++ const char *desc;
+
+ if (dec_lance_debug && version_printed++ == 0)
+ printk(version);
+@@ -1216,19 +1217,20 @@ static int dec_lance_probe(struct device *bdev, const int type)
+ */
+ switch (type) {
+ case ASIC_LANCE:
+- printk("%s: IOASIC onboard LANCE", name);
++ desc = "IOASIC onboard LANCE";
+ break;
+ case PMAD_LANCE:
+- printk("%s: PMAD-AA", name);
++ desc = "PMAD-AA";
+ break;
+ case PMAX_LANCE:
+- printk("%s: PMAX onboard LANCE", name);
++ desc = "PMAX onboard LANCE";
+ break;
+ }
+ for (i = 0; i < 6; i++)
+ dev->dev_addr[i] = esar[i * 4];
+
+- printk(", addr = %pM, irq = %d\n", dev->dev_addr, dev->irq);
++ printk("%s: %s, addr = %pM, irq = %d\n",
++ name, desc, dev->dev_addr, dev->irq);
+
+ dev->netdev_ops = &lance_netdev_ops;
+ dev->watchdog_timeo = 5*HZ;
+--
+2.17.1
+
--- /dev/null
+From 95f6b03bc8afc1554b7c6662e4f9e18c40ad5633 Mon Sep 17 00:00:00 2001
+From: Shirish S <shirish.s@amd.com>
+Date: Mon, 24 Sep 2018 19:01:47 +0530
+Subject: drm/amd/display: Signal hw_done() after waiting for flip_done()
+
+[ Upstream commit 987bf116445db5d63a5c2ed94c4479687d9c9973 ]
+
+In amdgpu_dm_commit_tail(), wait until flip_done() is signaled before
+we signal hw_done().
+
+[Why]
+
+This is to temporarily address a paging error that occurs when a
+nonblocking commit contends with another commit, particularly in a
+mirrored display configuration where at least 2 CRTCs are updated.
+The error occurs in drm_atomic_helper_wait_for_flip_done(), when we
+attempt to access the contents of new_crtc_state->commit.
+
+Here's the sequence for a mirrored 2 display setup (irrelevant steps
+left out for clarity):
+
+**THREAD 1** | **THREAD 2**
+ |
+Initialize atomic state for flip |
+ |
+Queue worker |
+ ...
+
+ | Do work for flip
+ |
+ | Signal hw_done() on CRTC 1
+ | Signal hw_done() on CRTC 2
+ |
+ | Wait for flip_done() on CRTC 1
+
+ <---- **PREEMPTED BY THREAD 1**
+
+Initialize atomic state for cursor |
+update (1) |
+ |
+Do cursor update work on both CRTCs |
+ |
+Clear atomic state (2) |
+**DONE** |
+ ...
+ |
+ | Wait for flip_done() on CRTC 2
+ | *ERROR*
+ |
+
+The issue starts with (1). When the atomic state is initialized, the
+current CRTC states are duplicated to be the new_crtc_states, and
+referenced to be the old_crtc_states. (The new_crtc_states are to be
+filled with update data.)
+
+Some things to note:
+
+* Due to the mirrored configuration, the cursor updates on both CRTCs.
+
+* At this point, the pflip IRQ has already been handled, and flip_done
+ signaled on all CRTCs. The cursor commit can therefore continue.
+
+* The old_crtc_states used by the cursor update are the **same states**
+ as the new_crtc_states used by the flip worker.
+
+At (2), the old_crtc_state is freed (*), and the cursor commit
+completes. We then context switch back to the flip worker, where we
+attempt to access the new_crtc_state->commit object. This is
+problematic, as this state has already been freed.
+
+(*) Technically, 'state->crtcs[i].state' is freed, which was made to
+ reference old_crtc_state in drm_atomic_helper_swap_state()
+
+[How]
+
+By moving hw_done() after wait_for_flip_done(), we're guaranteed that
+the new_crtc_state (from the flip worker's perspective) still exists.
+This is because any other commit will be blocked, waiting for the
+hw_done() signal.
+
+Note that both the i915 and imx drivers have this sequence flipped
+already, masking this problem.
+
+Signed-off-by: Shirish S <shirish.s@amd.com>
+Signed-off-by: Leo Li <sunpeng.li@amd.com>
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index e484d0a94bdc..5b9cc3aeaa55 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -4494,12 +4494,18 @@ static void amdgpu_dm_atomic_commit_tail(struct drm_atomic_state *state)
+ }
+ spin_unlock_irqrestore(&adev->ddev->event_lock, flags);
+
+- /* Signal HW programming completion */
+- drm_atomic_helper_commit_hw_done(state);
+
+ if (wait_for_vblank)
+ drm_atomic_helper_wait_for_flip_done(dev, state);
+
++ /*
++ * FIXME:
++ * Delay hw_done() until flip_done() is signaled. This is to block
++ * another commit from freeing the CRTC state while we're still
++ * waiting on flip_done.
++ */
++ drm_atomic_helper_commit_hw_done(state);
++
+ drm_atomic_helper_cleanup_planes(dev, state);
+
+ /* Finally, drop a runtime PM reference for each newly disabled CRTC,
+--
+2.17.1
+
--- /dev/null
+From aa240e20785302f145fb5293ff51053d6da54d46 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Sun, 27 May 2018 22:42:55 +0100
+Subject: drm/i2c: tda9950: fix timeout counter check
+
+[ Upstream commit d98627d1360d55e3b28f702caca8b6342c4a4e45 ]
+
+Currently the check to see if the timeout has reached zero is incorrect
+and the check is instead checking if the timeout is non-zero and not
+zero, hence it will break out of the loop on the first iteration and
+the msleep is never executed. Fix this by breaking from the loop when
+timeout is zero.
+
+Detected by CoverityScan, CID#1469404 ("Logically Dead Code")
+
+Fixes: f0316f93897c ("drm/i2c: tda9950: add CEC driver")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i2c/tda9950.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i2c/tda9950.c b/drivers/gpu/drm/i2c/tda9950.c
+index 3f7396caad48..f2186409f0cf 100644
+--- a/drivers/gpu/drm/i2c/tda9950.c
++++ b/drivers/gpu/drm/i2c/tda9950.c
+@@ -307,7 +307,7 @@ static void tda9950_release(struct tda9950_priv *priv)
+ /* Wait up to .5s for it to signal non-busy */
+ do {
+ csr = tda9950_read(client, REG_CSR);
+- if (!(csr & CSR_BUSY) || --timeout)
++ if (!(csr & CSR_BUSY) || !--timeout)
+ break;
+ msleep(10);
+ } while (1);
+--
+2.17.1
+
--- /dev/null
+From b7f3d5ab67482c2901452a9484c0df2dcb7fb814 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Mon, 27 Aug 2018 14:28:50 +0200
+Subject: drm/i2c: tda9950: set MAX_RETRIES for errors only
+
+[ Upstream commit e0dccce1193f87597548d0db6ecc942fb92c04cd ]
+
+The CEC_TX_STATUS_MAX_RETRIES should be set for errors only to
+prevent the CEC framework from retrying the transmit. If the
+transmit was successful, then don't set this flag.
+
+Found by running 'cec-compliance -A' on a beaglebone box.
+
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i2c/tda9950.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i2c/tda9950.c b/drivers/gpu/drm/i2c/tda9950.c
+index f2186409f0cf..ccd355d0c123 100644
+--- a/drivers/gpu/drm/i2c/tda9950.c
++++ b/drivers/gpu/drm/i2c/tda9950.c
+@@ -188,7 +188,8 @@ static irqreturn_t tda9950_irq(int irq, void *data)
+ break;
+ }
+ /* TDA9950 executes all retries for us */
+- tx_status |= CEC_TX_STATUS_MAX_RETRIES;
++ if (tx_status != CEC_TX_STATUS_OK)
++ tx_status |= CEC_TX_STATUS_MAX_RETRIES;
+ cec_transmit_done(priv->adap, tx_status, arb_lost_cnt,
+ nack_cnt, 0, err_cnt);
+ break;
+--
+2.17.1
+
--- /dev/null
+From db465c454a3bd638c8d0948cfbcf31a4e7386d1f Mon Sep 17 00:00:00 2001
+From: Khazhismel Kumykov <khazhy@google.com>
+Date: Fri, 12 Oct 2018 21:34:40 -0700
+Subject: fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters()
+
+[ Upstream commit ac081c3be3fae6d0cc3e1862507fca3862d30b67 ]
+
+On non-preempt kernels this loop can take a long time (more than 50 ticks)
+processing through entries.
+
+Link: http://lkml.kernel.org/r/20181010172623.57033-1-khazhy@google.com
+Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
+Acked-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fat/fatent.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/fat/fatent.c b/fs/fat/fatent.c
+index 3aef8630a4b9..95d2c716e0da 100644
+--- a/fs/fat/fatent.c
++++ b/fs/fat/fatent.c
+@@ -681,6 +681,7 @@ int fat_count_free_clusters(struct super_block *sb)
+ if (ops->ent_get(&fatent) == FAT_ENT_FREE)
+ free++;
+ } while (fat_ent_next(sbi, &fatent));
++ cond_resched();
+ }
+ sbi->free_clusters = free;
+ sbi->free_clus_valid = 1;
+--
+2.17.1
+
--- /dev/null
+From c7114e561a8bf10018358868a4609084228902aa Mon Sep 17 00:00:00 2001
+From: Stephen Boyd <swboyd@chromium.org>
+Date: Mon, 8 Oct 2018 09:32:13 -0700
+Subject: gpio: Assign gpio_irq_chip::parents to non-stack pointer
+
+[ Upstream commit 3e779a2e7f909015f21428b66834127496110b6d ]
+
+gpiochip_set_cascaded_irqchip() is passed 'parent_irq' as an argument
+and then the address of that argument is assigned to the gpio chips
+gpio_irq_chip 'parents' pointer shortly thereafter. This can't ever
+work, because we've just assigned some stack address to a pointer that
+we plan to dereference later in gpiochip_irq_map(). I ran into this
+issue with the KASAN report below when gpiochip_irq_map() tried to setup
+the parent irq with a total junk pointer for the 'parents' array.
+
+BUG: KASAN: stack-out-of-bounds in gpiochip_irq_map+0x228/0x248
+Read of size 4 at addr ffffffc0dde472e0 by task swapper/0/1
+
+CPU: 7 PID: 1 Comm: swapper/0 Not tainted 4.14.72 #34
+Call trace:
+[<ffffff9008093638>] dump_backtrace+0x0/0x718
+[<ffffff9008093da4>] show_stack+0x20/0x2c
+[<ffffff90096b9224>] __dump_stack+0x20/0x28
+[<ffffff90096b91c8>] dump_stack+0x80/0xbc
+[<ffffff900845a350>] print_address_description+0x70/0x238
+[<ffffff900845a8e4>] kasan_report+0x1cc/0x260
+[<ffffff900845aa14>] __asan_report_load4_noabort+0x2c/0x38
+[<ffffff900897e098>] gpiochip_irq_map+0x228/0x248
+[<ffffff900820cc08>] irq_domain_associate+0x114/0x2ec
+[<ffffff900820d13c>] irq_create_mapping+0x120/0x234
+[<ffffff900820da78>] irq_create_fwspec_mapping+0x4c8/0x88c
+[<ffffff900820e2d8>] irq_create_of_mapping+0x180/0x210
+[<ffffff900917114c>] of_irq_get+0x138/0x198
+[<ffffff9008dc70ac>] spi_drv_probe+0x94/0x178
+[<ffffff9008ca5168>] driver_probe_device+0x51c/0x824
+[<ffffff9008ca6538>] __device_attach_driver+0x148/0x20c
+[<ffffff9008ca14cc>] bus_for_each_drv+0x120/0x188
+[<ffffff9008ca570c>] __device_attach+0x19c/0x2dc
+[<ffffff9008ca586c>] device_initial_probe+0x20/0x2c
+[<ffffff9008ca18bc>] bus_probe_device+0x80/0x154
+[<ffffff9008c9b9b4>] device_add+0x9b8/0xbdc
+[<ffffff9008dc7640>] spi_add_device+0x1b8/0x380
+[<ffffff9008dcbaf0>] spi_register_controller+0x111c/0x1378
+[<ffffff9008dd6b10>] spi_geni_probe+0x4dc/0x6f8
+[<ffffff9008cab058>] platform_drv_probe+0xdc/0x130
+[<ffffff9008ca5168>] driver_probe_device+0x51c/0x824
+[<ffffff9008ca59cc>] __driver_attach+0x100/0x194
+[<ffffff9008ca0ea8>] bus_for_each_dev+0x104/0x16c
+[<ffffff9008ca58c0>] driver_attach+0x48/0x54
+[<ffffff9008ca1edc>] bus_add_driver+0x274/0x498
+[<ffffff9008ca8448>] driver_register+0x1ac/0x230
+[<ffffff9008caaf6c>] __platform_driver_register+0xcc/0xdc
+[<ffffff9009c4b33c>] spi_geni_driver_init+0x1c/0x24
+[<ffffff9008084cb8>] do_one_initcall+0x240/0x3dc
+[<ffffff9009c017d0>] kernel_init_freeable+0x378/0x468
+[<ffffff90096e8240>] kernel_init+0x14/0x110
+[<ffffff9008086fcc>] ret_from_fork+0x10/0x18
+
+The buggy address belongs to the page:
+page:ffffffbf037791c0 count:0 mapcount:0 mapping: (null) index:0x0
+flags: 0x4000000000000000()
+raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
+raw: ffffffbf037791e0 ffffffbf037791e0 0000000000000000 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffffffc0dde47180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffffffc0dde47200: f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2
+>ffffffc0dde47280: f2 f2 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3
+ ^
+ ffffffc0dde47300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffffffc0dde47380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+Let's leave around one unsigned int in the gpio_irq_chip struct for the
+single parent irq case and repoint the 'parents' array at it. This way
+code is left mostly intact to setup parents and we waste an extra few
+bytes per structure of which there should be only a handful in a system.
+
+Cc: Evan Green <evgreen@chromium.org>
+Cc: Thierry Reding <treding@nvidia.com>
+Cc: Grygorii Strashko <grygorii.strashko@ti.com>
+Fixes: e0d897289813 ("gpio: Implement tighter IRQ chip integration")
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib.c | 3 ++-
+ include/linux/gpio/driver.h | 7 +++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
+index 06dce16e22bb..70f0dedca59f 100644
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -1675,7 +1675,8 @@ static void gpiochip_set_cascaded_irqchip(struct gpio_chip *gpiochip,
+ irq_set_chained_handler_and_data(parent_irq, parent_handler,
+ gpiochip);
+
+- gpiochip->irq.parents = &parent_irq;
++ gpiochip->irq.parent_irq = parent_irq;
++ gpiochip->irq.parents = &gpiochip->irq.parent_irq;
+ gpiochip->irq.num_parents = 1;
+ }
+
+diff --git a/include/linux/gpio/driver.h b/include/linux/gpio/driver.h
+index 5382b5183b7e..82a953ec5ef0 100644
+--- a/include/linux/gpio/driver.h
++++ b/include/linux/gpio/driver.h
+@@ -94,6 +94,13 @@ struct gpio_irq_chip {
+ */
+ unsigned int num_parents;
+
++ /**
++ * @parent_irq:
++ *
++ * For use by gpiochip_set_cascaded_irqchip()
++ */
++ unsigned int parent_irq;
++
+ /**
+ * @parents:
+ *
+--
+2.17.1
+
--- /dev/null
+From 6ae190bb198f0b85577668cff61b96a9a9f746c0 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 19 Sep 2018 20:52:45 +0200
+Subject: HID: i2c-hid: Remove RESEND_REPORT_DESCR quirk and its handling
+
+[ Upstream commit afbb1169ed5b58cfca017e368b53e019cf285853 ]
+
+Commit 52cf93e63ee6 ("HID: i2c-hid: Don't reset device upon system resume")
+removes the need for the RESEND_REPORT_DESCR quirk for Raydium devices, but
+kept it for the SIS device id 10FB touchscreens, as the author of that
+commit could not determine if the quirk is still necessary there.
+
+I've tested suspend/resume on a Toshiba Click Mini L9W-B which is the
+device for which this quirk was added in the first place and with the
+"Don't reset device upon system resume" fix the quirk is no longer
+necessary, so this commit removes it.
+
+Note even better I also had some other devices with SIS touchscreens which
+suspend/resume issues, where the RESEND_REPORT_DESCR quirk did not help.
+
+I've also tested these devices with the "Don't reset device upon system
+resume" fix and I'm happy to report that that fix also fixes touchscreen
+resume on the following devices:
+
+Asus T100HA
+Asus T200TA
+Peaq C1010
+
+Cc: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 1 -
+ drivers/hid/i2c-hid/i2c-hid.c | 18 +++---------------
+ 2 files changed, 3 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index eee6b79fb131..ae5b72269e27 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -974,7 +974,6 @@
+ #define USB_DEVICE_ID_SIS817_TOUCH 0x0817
+ #define USB_DEVICE_ID_SIS_TS 0x1013
+ #define USB_DEVICE_ID_SIS1030_TOUCH 0x1030
+-#define USB_DEVICE_ID_SIS10FB_TOUCH 0x10fb
+
+ #define USB_VENDOR_ID_SKYCABLE 0x1223
+ #define USB_DEVICE_ID_SKYCABLE_WIRELESS_PRESENTER 0x3F07
+diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
+index 37013b58098c..d17cf6e323b2 100644
+--- a/drivers/hid/i2c-hid/i2c-hid.c
++++ b/drivers/hid/i2c-hid/i2c-hid.c
+@@ -47,8 +47,7 @@
+ /* quirks to control the device */
+ #define I2C_HID_QUIRK_SET_PWR_WAKEUP_DEV BIT(0)
+ #define I2C_HID_QUIRK_NO_IRQ_AFTER_RESET BIT(1)
+-#define I2C_HID_QUIRK_RESEND_REPORT_DESCR BIT(2)
+-#define I2C_HID_QUIRK_NO_RUNTIME_PM BIT(3)
++#define I2C_HID_QUIRK_NO_RUNTIME_PM BIT(2)
+
+ /* flags */
+ #define I2C_HID_STARTED 0
+@@ -172,8 +171,6 @@ static const struct i2c_hid_quirks {
+ { I2C_VENDOR_ID_HANTICK, I2C_PRODUCT_ID_HANTICK_5288,
+ I2C_HID_QUIRK_NO_IRQ_AFTER_RESET |
+ I2C_HID_QUIRK_NO_RUNTIME_PM },
+- { USB_VENDOR_ID_SIS_TOUCH, USB_DEVICE_ID_SIS10FB_TOUCH,
+- I2C_HID_QUIRK_RESEND_REPORT_DESCR },
+ { 0, 0 }
+ };
+
+@@ -1241,22 +1238,13 @@ static int i2c_hid_resume(struct device *dev)
+
+ /* Instead of resetting device, simply powers the device on. This
+ * solves "incomplete reports" on Raydium devices 2386:3118 and
+- * 2386:4B33
++ * 2386:4B33 and fixes various SIS touchscreens no longer sending
++ * data after a suspend/resume.
+ */
+ ret = i2c_hid_set_power(client, I2C_HID_PWR_ON);
+ if (ret)
+ return ret;
+
+- /* Some devices need to re-send report descr cmd
+- * after resume, after this it will be back normal.
+- * otherwise it issues too many incomplete reports.
+- */
+- if (ihid->quirks & I2C_HID_QUIRK_RESEND_REPORT_DESCR) {
+- ret = i2c_hid_command(client, &hid_report_descr_cmd, NULL, 0);
+- if (ret)
+- return ret;
+- }
+-
+ if (hid->driver && hid->driver->reset_resume) {
+ ret = hid->driver->reset_resume(hid);
+ return ret;
+--
+2.17.1
+
--- /dev/null
+From 9bb7655ba9229d9eea58dadaa2f9e11da4b52b08 Mon Sep 17 00:00:00 2001
+From: Valentine Fatiev <Valentinef@mellanox.com>
+Date: Wed, 10 Oct 2018 09:56:25 +0300
+Subject: IB/mlx5: Unmap DMA addr from HCA before IOMMU
+
+[ Upstream commit dd9a403495704fc80fb9f399003013ef2be2ee23 ]
+
+The function that puts back the MR in cache also removes the DMA address
+from the HCA. Therefore we need to call this function before we remove
+the DMA mapping from MMU. Otherwise the HCA may access a memory that
+is no longer DMA mapped.
+
+Call trace:
+NMI: IOCK error (debug interrupt?) for reason 71 on CPU 0.
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.19.0-rc6+ #4
+Hardware name: HP ProLiant DL360p Gen8, BIOS P71 08/20/2012
+RIP: 0010:intel_idle+0x73/0x120
+Code: 80 5c 01 00 0f ae 38 0f ae f0 31 d2 65 48 8b 04 25 80 5c 01 00 48 89 d1 0f 60 02
+RSP: 0018:ffffffff9a403e38 EFLAGS: 00000046
+RAX: 0000000000000030 RBX: 0000000000000005 RCX: 0000000000000001
+RDX: 0000000000000000 RSI: ffffffff9a5790c0 RDI: 0000000000000000
+RBP: 0000000000000030 R08: 0000000000000000 R09: 0000000000007cf9
+R10: 000000000000030a R11: 0000000000000018 R12: 0000000000000000
+R13: ffffffff9a5792b8 R14: ffffffff9a5790c0 R15: 0000002b48471e4d
+FS: 0000000000000000(0000) GS:ffff9c6caf400000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f5737185000 CR3: 0000000590c0a002 CR4: 00000000000606f0
+Call Trace:
+ cpuidle_enter_state+0x7e/0x2e0
+ do_idle+0x1ed/0x290
+ cpu_startup_entry+0x6f/0x80
+ start_kernel+0x524/0x544
+ ? set_init_arg+0x55/0x55
+ secondary_startup_64+0xa4/0xb0
+DMAR: DRHD: handling fault status reg 2
+DMAR: [DMA Read] Request device [04:00.0] fault addr b34d2000 [fault reason 06] PTE Read access is not set
+DMAR: [DMA Read] Request device [01:00.2] fault addr bff8b000 [fault reason 06] PTE Read access is not set
+
+Fixes: f3f134f5260a ("RDMA/mlx5: Fix crash while accessing garbage pointer and freed memory")
+Signed-off-by: Valentine Fatiev <valentinef@mellanox.com>
+Reviewed-by: Moni Shoua <monis@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/mr.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c
+index 308456d28afb..73339fd47dd8 100644
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -544,6 +544,9 @@ void mlx5_mr_cache_free(struct mlx5_ib_dev *dev, struct mlx5_ib_mr *mr)
+ int shrink = 0;
+ int c;
+
++ if (!mr->allocated_from_cache)
++ return;
++
+ c = order2idx(dev, mr->order);
+ if (c < 0 || c >= MAX_MR_CACHE_ENTRIES) {
+ mlx5_ib_warn(dev, "order %d, cache index %d\n", mr->order, c);
+@@ -1647,18 +1650,19 @@ static void dereg_mr(struct mlx5_ib_dev *dev, struct mlx5_ib_mr *mr)
+ umem = NULL;
+ }
+ #endif
+-
+ clean_mr(dev, mr);
+
++ /*
++ * We should unregister the DMA address from the HCA before
++ * remove the DMA mapping.
++ */
++ mlx5_mr_cache_free(dev, mr);
+ if (umem) {
+ ib_umem_release(umem);
+ atomic_sub(npages, &dev->mdev->priv.reg_pages);
+ }
+-
+ if (!mr->allocated_from_cache)
+ kfree(mr);
+- else
+- mlx5_mr_cache_free(dev, mr);
+ }
+
+ int mlx5_ib_dereg_mr(struct ib_mr *ibmr)
+--
+2.17.1
+
--- /dev/null
+From 077120225a51d7a13a15cb3c312dce985bdbf593 Mon Sep 17 00:00:00 2001
+From: Liran Alon <liran.alon@oracle.com>
+Date: Fri, 14 Sep 2018 03:25:52 +0300
+Subject: KVM: nVMX: Do not expose MPX VMX controls when guest MPX disabled
+
+[ Upstream commit 5f76f6f5ff96587af5acd5930f7d9fea81e0d1a8 ]
+
+Before this commit, KVM exposes MPX VMX controls to L1 guest only based
+on if KVM and host processor supports MPX virtualization.
+However, these controls should be exposed to guest only in case guest
+vCPU supports MPX.
+
+Without this change, a L1 guest running with kernel which don't have
+commit 691bd4340bef ("kvm: vmx: allow host to access guest
+MSR_IA32_BNDCFGS") asserts in QEMU on the following:
+ qemu-kvm: error: failed to set MSR 0xd90 to 0x0
+ qemu-kvm: .../qemu-2.10.0/target/i386/kvm.c:1801 kvm_put_msrs:
+ Assertion 'ret == cpu->kvm_msr_buf->nmsrs failed'
+This is because L1 KVM kvm_init_msr_list() will see that
+vmx_mpx_supported() (As it only checks MPX VMX controls support) and
+therefore KVM_GET_MSR_INDEX_LIST IOCTL will include MSR_IA32_BNDCFGS.
+However, later when L1 will attempt to set this MSR via KVM_SET_MSRS
+IOCTL, it will fail because !guest_cpuid_has_mpx(vcpu).
+
+Therefore, fix the issue by exposing MPX VMX controls to L1 guest only
+when vCPU supports MPX.
+
+Fixes: 36be0b9deb23 ("KVM: x86: Add nested virtualization support for MPX")
+
+Reported-by: Eyal Moscovici <eyal.moscovici@oracle.com>
+Reviewed-by: Nikita Leshchenko <nikita.leshchenko@oracle.com>
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Signed-off-by: Liran Alon <liran.alon@oracle.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 32721ef9652d..ea691ddfc3aa 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -3395,9 +3395,6 @@ static void nested_vmx_setup_ctls_msrs(struct nested_vmx_msrs *msrs, bool apicv)
+ VM_EXIT_LOAD_IA32_EFER | VM_EXIT_SAVE_IA32_EFER |
+ VM_EXIT_SAVE_VMX_PREEMPTION_TIMER | VM_EXIT_ACK_INTR_ON_EXIT;
+
+- if (kvm_mpx_supported())
+- msrs->exit_ctls_high |= VM_EXIT_CLEAR_BNDCFGS;
+-
+ /* We support free control of debug control saving. */
+ msrs->exit_ctls_low &= ~VM_EXIT_SAVE_DEBUG_CONTROLS;
+
+@@ -3414,8 +3411,6 @@ static void nested_vmx_setup_ctls_msrs(struct nested_vmx_msrs *msrs, bool apicv)
+ VM_ENTRY_LOAD_IA32_PAT;
+ msrs->entry_ctls_high |=
+ (VM_ENTRY_ALWAYSON_WITHOUT_TRUE_MSR | VM_ENTRY_LOAD_IA32_EFER);
+- if (kvm_mpx_supported())
+- msrs->entry_ctls_high |= VM_ENTRY_LOAD_BNDCFGS;
+
+ /* We support free control of debug control loading. */
+ msrs->entry_ctls_low &= ~VM_ENTRY_LOAD_DEBUG_CONTROLS;
+@@ -10825,6 +10820,23 @@ static void nested_vmx_cr_fixed1_bits_update(struct kvm_vcpu *vcpu)
+ #undef cr4_fixed1_update
+ }
+
++static void nested_vmx_entry_exit_ctls_update(struct kvm_vcpu *vcpu)
++{
++ struct vcpu_vmx *vmx = to_vmx(vcpu);
++
++ if (kvm_mpx_supported()) {
++ bool mpx_enabled = guest_cpuid_has(vcpu, X86_FEATURE_MPX);
++
++ if (mpx_enabled) {
++ vmx->nested.msrs.entry_ctls_high |= VM_ENTRY_LOAD_BNDCFGS;
++ vmx->nested.msrs.exit_ctls_high |= VM_EXIT_CLEAR_BNDCFGS;
++ } else {
++ vmx->nested.msrs.entry_ctls_high &= ~VM_ENTRY_LOAD_BNDCFGS;
++ vmx->nested.msrs.exit_ctls_high &= ~VM_EXIT_CLEAR_BNDCFGS;
++ }
++ }
++}
++
+ static void vmx_cpuid_update(struct kvm_vcpu *vcpu)
+ {
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+@@ -10841,8 +10853,10 @@ static void vmx_cpuid_update(struct kvm_vcpu *vcpu)
+ to_vmx(vcpu)->msr_ia32_feature_control_valid_bits &=
+ ~FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX;
+
+- if (nested_vmx_allowed(vcpu))
++ if (nested_vmx_allowed(vcpu)) {
+ nested_vmx_cr_fixed1_bits_update(vcpu);
++ nested_vmx_entry_exit_ctls_update(vcpu);
++ }
+ }
+
+ static void vmx_set_supported_cpuid(u32 func, struct kvm_cpuid_entry2 *entry)
+--
+2.17.1
+
--- /dev/null
+From 54309f38e7ea44a8f76cb33100db2cade61004af Mon Sep 17 00:00:00 2001
+From: Liran Alon <liran.alon@oracle.com>
+Date: Fri, 14 Sep 2018 03:25:54 +0300
+Subject: KVM: nVMX: Fix emulation of VM_ENTRY_LOAD_BNDCFGS
+
+[ Upstream commit 62cf9bd8118c4009f02c477ef78c723f49e53e16 ]
+
+L2 IA32_BNDCFGS should be updated with vmcs12->guest_bndcfgs only
+when VM_ENTRY_LOAD_BNDCFGS is specified in vmcs12->vm_entry_controls.
+
+Otherwise, L2 IA32_BNDCFGS should be set to vmcs01->guest_bndcfgs which
+is L1 IA32_BNDCFGS.
+
+Reviewed-by: Nikita Leshchenko <nikita.leshchenko@oracle.com>
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Signed-off-by: Liran Alon <liran.alon@oracle.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 2e23fce5eb1f..9efe130ea2e6 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -819,6 +819,7 @@ struct nested_vmx {
+
+ /* to migrate it to L2 if VM_ENTRY_LOAD_DEBUG_CONTROLS is off */
+ u64 vmcs01_debugctl;
++ u64 vmcs01_guest_bndcfgs;
+
+ u16 vpid02;
+ u16 last_vpid;
+@@ -11567,8 +11568,13 @@ static void prepare_vmcs02_full(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
+
+ set_cr4_guest_host_mask(vmx);
+
+- if (kvm_mpx_supported())
+- vmcs_write64(GUEST_BNDCFGS, vmcs12->guest_bndcfgs);
++ if (kvm_mpx_supported()) {
++ if (vmx->nested.nested_run_pending &&
++ (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))
++ vmcs_write64(GUEST_BNDCFGS, vmcs12->guest_bndcfgs);
++ else
++ vmcs_write64(GUEST_BNDCFGS, vmx->nested.vmcs01_guest_bndcfgs);
++ }
+
+ if (enable_vpid) {
+ if (nested_cpu_has_vpid(vmcs12) && vmx->nested.vpid02)
+@@ -12082,6 +12088,9 @@ static int enter_vmx_non_root_mode(struct kvm_vcpu *vcpu)
+
+ if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
+ vmx->nested.vmcs01_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL);
++ if (kvm_mpx_supported() &&
++ !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))
++ vmx->nested.vmcs01_guest_bndcfgs = vmcs_read64(GUEST_BNDCFGS);
+
+ vmx_switch_vmcs(vcpu, &vmx->nested.vmcs02);
+ vmx_segment_cache_clear(vmx);
+--
+2.17.1
+
--- /dev/null
+From 74ba358e911284ff4b57612c6b6a7d2770e9e15b Mon Sep 17 00:00:00 2001
+From: Liran Alon <liran.alon@oracle.com>
+Date: Fri, 14 Sep 2018 03:25:53 +0300
+Subject: KVM: x86: Do not use kvm_x86_ops->mpx_supported() directly
+
+[ Upstream commit 503234b3fdcaa578395c07e393ea3e5d13958824 ]
+
+Commit a87036add092 ("KVM: x86: disable MPX if host did not enable
+MPX XSAVE features") introduced kvm_mpx_supported() to return true
+iff MPX is enabled in the host.
+
+However, that commit seems to have missed replacing some calls to
+kvm_x86_ops->mpx_supported() to kvm_mpx_supported().
+
+Complete original commit by replacing remaining calls to
+kvm_mpx_supported().
+
+Fixes: a87036add092 ("KVM: x86: disable MPX if host did not enable
+MPX XSAVE features")
+
+Suggested-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Liran Alon <liran.alon@oracle.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx.c | 2 +-
+ arch/x86/kvm/x86.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index ea691ddfc3aa..2e23fce5eb1f 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -11567,7 +11567,7 @@ static void prepare_vmcs02_full(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
+
+ set_cr4_guest_host_mask(vmx);
+
+- if (vmx_mpx_supported())
++ if (kvm_mpx_supported())
+ vmcs_write64(GUEST_BNDCFGS, vmcs12->guest_bndcfgs);
+
+ if (enable_vpid) {
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 97fcac34e007..3cd58a5eb449 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4625,7 +4625,7 @@ static void kvm_init_msr_list(void)
+ */
+ switch (msrs_to_save[i]) {
+ case MSR_IA32_BNDCFGS:
+- if (!kvm_x86_ops->mpx_supported())
++ if (!kvm_mpx_supported())
+ continue;
+ break;
+ case MSR_TSC_AUX:
+--
+2.17.1
+
--- /dev/null
+From 46ef64339f64c1a32566aebe22a929b41081353f Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 9 Oct 2018 18:35:29 +0200
+Subject: KVM: x86: support CONFIG_KVM_AMD=y with CONFIG_CRYPTO_DEV_CCP_DD=m
+
+[ Upstream commit 853c110982eaff0d99dace3f66f1ba58b5bfd9d5 ]
+
+SEV requires access to the AMD cryptographic device APIs, and this
+does not work when KVM is builtin and the crypto driver is a module.
+Actually the Kconfig conditions for CONFIG_KVM_AMD_SEV try to disable
+SEV in that case, but it does not work because the actual crypto
+calls are not culled, only sev_hardware_setup() is.
+
+This patch adds two CONFIG_KVM_AMD_SEV checks that gate all the remaining
+SEV code; it fixes this particular configuration, and drops 5 KiB of
+code when CONFIG_KVM_AMD_SEV=n.
+
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/svm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index ef772e5634d4..3e59a187fe30 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -436,14 +436,18 @@ static inline struct kvm_svm *to_kvm_svm(struct kvm *kvm)
+
+ static inline bool svm_sev_enabled(void)
+ {
+- return max_sev_asid;
++ return IS_ENABLED(CONFIG_KVM_AMD_SEV) ? max_sev_asid : 0;
+ }
+
+ static inline bool sev_guest(struct kvm *kvm)
+ {
++#ifdef CONFIG_KVM_AMD_SEV
+ struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;
+
+ return sev->active;
++#else
++ return false;
++#endif
+ }
+
+ static inline int sev_get_asid(struct kvm *kvm)
+--
+2.17.1
+
--- /dev/null
+From 374b9d3d7ea210a069f3b16d6dd1e6ef8139e288 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:52 -0700
+Subject: lan78xx: Check for supported Wake-on-LAN modes
+
+[ Upstream commit eb9ad088f96653a26b340f7c447c44cf023d5cdc ]
+
+The driver supports a fair amount of Wake-on-LAN modes, but is not
+checking that the user specified one that is supported.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Woojung Huh <Woojung.Huh@Microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/lan78xx.c | 17 ++++-------------
+ 1 file changed, 4 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index aeca484a75b8..2bb3a081ff10 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -1401,19 +1401,10 @@ static int lan78xx_set_wol(struct net_device *netdev,
+ if (ret < 0)
+ return ret;
+
+- pdata->wol = 0;
+- if (wol->wolopts & WAKE_UCAST)
+- pdata->wol |= WAKE_UCAST;
+- if (wol->wolopts & WAKE_MCAST)
+- pdata->wol |= WAKE_MCAST;
+- if (wol->wolopts & WAKE_BCAST)
+- pdata->wol |= WAKE_BCAST;
+- if (wol->wolopts & WAKE_MAGIC)
+- pdata->wol |= WAKE_MAGIC;
+- if (wol->wolopts & WAKE_PHY)
+- pdata->wol |= WAKE_PHY;
+- if (wol->wolopts & WAKE_ARP)
+- pdata->wol |= WAKE_ARP;
++ if (wol->wolopts & ~WAKE_ALL)
++ return -EINVAL;
++
++ pdata->wol = wol->wolopts;
+
+ device_set_wakeup_enable(&dev->udev->dev, (bool)wol->wolopts);
+
+--
+2.17.1
+
--- /dev/null
+From cf7690ba8a9184e3984187570655b588fedccad7 Mon Sep 17 00:00:00 2001
+From: Daniel Mack <daniel@zonque.org>
+Date: Mon, 8 Oct 2018 22:03:57 +0200
+Subject: libertas: call into generic suspend code before turning off power
+
+[ Upstream commit 4f666675cdff0b986195413215eb062b7da6586f ]
+
+When powering down a SDIO connected card during suspend, make sure to call
+into the generic lbs_suspend() function before pulling the plug. This will
+make sure the card is successfully deregistered from the system to avoid
+communication to the card starving out.
+
+Fixes: 7444a8092906 ("libertas: fix suspend and resume for SDIO connected cards")
+Signed-off-by: Daniel Mack <daniel@zonque.org>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Acked-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/libertas/if_sdio.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/libertas/if_sdio.c b/drivers/net/wireless/marvell/libertas/if_sdio.c
+index 43743c26c071..39bf85d0ade0 100644
+--- a/drivers/net/wireless/marvell/libertas/if_sdio.c
++++ b/drivers/net/wireless/marvell/libertas/if_sdio.c
+@@ -1317,6 +1317,10 @@ static int if_sdio_suspend(struct device *dev)
+ if (priv->wol_criteria == EHS_REMOVE_WAKEUP) {
+ dev_info(dev, "Suspend without wake params -- powering down card\n");
+ if (priv->fw_ready) {
++ ret = lbs_suspend(priv);
++ if (ret)
++ return ret;
++
+ priv->power_up_on_resume = true;
+ if_sdio_power_off(card);
+ }
+--
+2.17.1
+
--- /dev/null
+From cc4d452ee7e182a8fe9443512cc7ecd859b7643f Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Tue, 2 Oct 2018 14:48:49 -0700
+Subject: locking/ww_mutex: Fix runtime warning in the WW mutex selftest
+
+[ Upstream commit e4a02ed2aaf447fa849e3254bfdb3b9b01e1e520 ]
+
+If CONFIG_WW_MUTEX_SELFTEST=y is enabled, booting an image
+in an arm64 virtual machine results in the following
+traceback if 8 CPUs are enabled:
+
+ DEBUG_LOCKS_WARN_ON(__owner_task(owner) != current)
+ WARNING: CPU: 2 PID: 537 at kernel/locking/mutex.c:1033 __mutex_unlock_slowpath+0x1a8/0x2e0
+ ...
+ Call trace:
+ __mutex_unlock_slowpath()
+ ww_mutex_unlock()
+ test_cycle_work()
+ process_one_work()
+ worker_thread()
+ kthread()
+ ret_from_fork()
+
+If requesting b_mutex fails with -EDEADLK, the error variable
+is reassigned to the return value from calling ww_mutex_lock
+on a_mutex again. If this call fails, a_mutex is not locked.
+It is, however, unconditionally unlocked subsequently, causing
+the reported warning. Fix the problem by using two error variables.
+
+With this change, the selftest still fails as follows:
+
+ cyclic deadlock not resolved, ret[7/8] = -35
+
+However, the traceback is gone.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Cc: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Fixes: d1b42b800e5d0 ("locking/ww_mutex: Add kselftests for resolving ww_mutex cyclic deadlocks")
+Link: http://lkml.kernel.org/r/1538516929-9734-1-git-send-email-linux@roeck-us.net
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/locking/test-ww_mutex.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/locking/test-ww_mutex.c b/kernel/locking/test-ww_mutex.c
+index 0e4cd64ad2c0..654977862b06 100644
+--- a/kernel/locking/test-ww_mutex.c
++++ b/kernel/locking/test-ww_mutex.c
+@@ -260,7 +260,7 @@ static void test_cycle_work(struct work_struct *work)
+ {
+ struct test_cycle *cycle = container_of(work, typeof(*cycle), work);
+ struct ww_acquire_ctx ctx;
+- int err;
++ int err, erra = 0;
+
+ ww_acquire_init(&ctx, &ww_class);
+ ww_mutex_lock(&cycle->a_mutex, &ctx);
+@@ -270,17 +270,19 @@ static void test_cycle_work(struct work_struct *work)
+
+ err = ww_mutex_lock(cycle->b_mutex, &ctx);
+ if (err == -EDEADLK) {
++ err = 0;
+ ww_mutex_unlock(&cycle->a_mutex);
+ ww_mutex_lock_slow(cycle->b_mutex, &ctx);
+- err = ww_mutex_lock(&cycle->a_mutex, &ctx);
++ erra = ww_mutex_lock(&cycle->a_mutex, &ctx);
+ }
+
+ if (!err)
+ ww_mutex_unlock(cycle->b_mutex);
+- ww_mutex_unlock(&cycle->a_mutex);
++ if (!erra)
++ ww_mutex_unlock(&cycle->a_mutex);
+ ww_acquire_fini(&ctx);
+
+- cycle->result = err;
++ cycle->result = err ?: erra;
+ }
+
+ static int __test_cycle(unsigned int nthreads)
+--
+2.17.1
+
--- /dev/null
+From 97eca670125ceee04479a0db58655b2857bd87fc Mon Sep 17 00:00:00 2001
+From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Date: Wed, 5 Sep 2018 08:06:13 +0300
+Subject: mac80211: Always report TX status
+
+[ Upstream commit 8682250b3c1b75a45feb7452bc413d004cfe3778 ]
+
+If a frame is dropped for any reason, mac80211 wouldn't report the TX
+status back to user space.
+
+As the user space may rely on the TX_STATUS to kick its state
+machines, resends etc, it's better to just report this frame as not
+acked instead.
+
+Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/status.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/net/mac80211/status.c b/net/mac80211/status.c
+index 9a6d7208bf4f..001a869c059c 100644
+--- a/net/mac80211/status.c
++++ b/net/mac80211/status.c
+@@ -479,11 +479,6 @@ static void ieee80211_report_ack_skb(struct ieee80211_local *local,
+ if (!skb)
+ return;
+
+- if (dropped) {
+- dev_kfree_skb_any(skb);
+- return;
+- }
+-
+ if (info->flags & IEEE80211_TX_INTFL_NL80211_FRAME_TX) {
+ u64 cookie = IEEE80211_SKB_CB(skb)->ack.cookie;
+ struct ieee80211_sub_if_data *sdata;
+@@ -506,6 +501,8 @@ static void ieee80211_report_ack_skb(struct ieee80211_local *local,
+ }
+ rcu_read_unlock();
+
++ dev_kfree_skb_any(skb);
++ } else if (dropped) {
+ dev_kfree_skb_any(skb);
+ } else {
+ /* consumes skb */
+--
+2.17.1
+
--- /dev/null
+From 77905baab61a37ec9c20cc793e12d30983ccc5ed Mon Sep 17 00:00:00 2001
+From: Bob Copeland <me@bobcopeland.com>
+Date: Wed, 5 Sep 2018 06:22:59 -0400
+Subject: mac80211: fix pending queue hang due to TX_DROP
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 6eae4a6c2be387fec41b0d2782c4fffb57159498 ]
+
+In our environment running lots of mesh nodes, we are seeing the
+pending queue hang periodically, with the debugfs queues file showing
+lines such as:
+
+ 00: 0x00000000/348
+
+i.e. there are a large number of frames but no stop reason set.
+
+One way this could happen is if queue processing from the pending
+tasklet exited early without processing all frames, and without having
+some future event (incoming frame, stop reason flag, ...) to reschedule
+it.
+
+Exactly this can occur today if ieee80211_tx() returns false due to
+packet drops or power-save buffering in the tx handlers. In the
+past, this function would return true in such cases, and the change
+to false doesn't seem to be intentional. Fix this case by reverting
+to the previous behavior.
+
+Fixes: bb42f2d13ffc ("mac80211: Move reorder-sensitive TX handlers to after TXQ dequeue")
+Signed-off-by: Bob Copeland <bobcopeland@fb.com>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 9b3b069e418a..361f2f6cc839 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -1886,7 +1886,7 @@ static bool ieee80211_tx(struct ieee80211_sub_if_data *sdata,
+ sdata->vif.hw_queue[skb_get_queue_mapping(skb)];
+
+ if (invoke_tx_handlers_early(&tx))
+- return false;
++ return true;
+
+ if (ieee80211_queue_skb(local, sdata, tx.sta, tx.skb))
+ return true;
+--
+2.17.1
+
--- /dev/null
+From 181bef621c1620ee6483393b1782f4e0d48a4f7d Mon Sep 17 00:00:00 2001
+From: Yuan-Chi Pang <fu3mo6goo@gmail.com>
+Date: Thu, 6 Sep 2018 16:57:48 +0800
+Subject: mac80211: fix TX status reporting for ieee80211s
+
+[ Upstream commit c42055105785580563535e6d3143cad95c7ac7ee ]
+
+TX status reporting to ieee80211s is through ieee80211s_update_metric.
+There are two problems about ieee80211s_update_metric:
+
+1. The purpose is to estimate the fail probability
+to a specific link. No need to restrict to data frame.
+
+2. Current implementation does not work if wireless driver does not
+pass tx_status with skb.
+
+Fix this by removing ieee80211_is_data condition, passing
+ieee80211_tx_status directly to ieee80211s_update_metric, and
+putting it in both __ieee80211_tx_status and ieee80211_tx_status_ext.
+
+Signed-off-by: Yuan-Chi Pang <fu3mo6goo@gmail.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh.h | 3 ++-
+ net/mac80211/mesh_hwmp.c | 9 +++------
+ net/mac80211/status.c | 4 +++-
+ 3 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/net/mac80211/mesh.h b/net/mac80211/mesh.h
+index ee56f18cad3f..21526630bf65 100644
+--- a/net/mac80211/mesh.h
++++ b/net/mac80211/mesh.h
+@@ -217,7 +217,8 @@ void mesh_rmc_free(struct ieee80211_sub_if_data *sdata);
+ int mesh_rmc_init(struct ieee80211_sub_if_data *sdata);
+ void ieee80211s_init(void);
+ void ieee80211s_update_metric(struct ieee80211_local *local,
+- struct sta_info *sta, struct sk_buff *skb);
++ struct sta_info *sta,
++ struct ieee80211_tx_status *st);
+ void ieee80211_mesh_init_sdata(struct ieee80211_sub_if_data *sdata);
+ void ieee80211_mesh_teardown_sdata(struct ieee80211_sub_if_data *sdata);
+ int ieee80211_start_mesh(struct ieee80211_sub_if_data *sdata);
+diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
+index daf9db3c8f24..6950cd0bf594 100644
+--- a/net/mac80211/mesh_hwmp.c
++++ b/net/mac80211/mesh_hwmp.c
+@@ -295,15 +295,12 @@ int mesh_path_error_tx(struct ieee80211_sub_if_data *sdata,
+ }
+
+ void ieee80211s_update_metric(struct ieee80211_local *local,
+- struct sta_info *sta, struct sk_buff *skb)
++ struct sta_info *sta,
++ struct ieee80211_tx_status *st)
+ {
+- struct ieee80211_tx_info *txinfo = IEEE80211_SKB_CB(skb);
+- struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
++ struct ieee80211_tx_info *txinfo = st->info;
+ int failed;
+
+- if (!ieee80211_is_data(hdr->frame_control))
+- return;
+-
+ failed = !(txinfo->flags & IEEE80211_TX_STAT_ACK);
+
+ /* moving average, scaled to 100.
+diff --git a/net/mac80211/status.c b/net/mac80211/status.c
+index 001a869c059c..91d7c0cd1882 100644
+--- a/net/mac80211/status.c
++++ b/net/mac80211/status.c
+@@ -808,7 +808,7 @@ static void __ieee80211_tx_status(struct ieee80211_hw *hw,
+
+ rate_control_tx_status(local, sband, status);
+ if (ieee80211_vif_is_mesh(&sta->sdata->vif))
+- ieee80211s_update_metric(local, sta, skb);
++ ieee80211s_update_metric(local, sta, status);
+
+ if (!(info->flags & IEEE80211_TX_CTL_INJECTED) && acked)
+ ieee80211_frame_acked(sta, skb);
+@@ -969,6 +969,8 @@ void ieee80211_tx_status_ext(struct ieee80211_hw *hw,
+ }
+
+ rate_control_tx_status(local, sband, status);
++ if (ieee80211_vif_is_mesh(&sta->sdata->vif))
++ ieee80211s_update_metric(local, sta, status);
+ }
+
+ if (acked || noack_success) {
+--
+2.17.1
+
--- /dev/null
+From 7918dd72a1847fbf3b20fb0bf3f2d2e6f41f7bc2 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 5 Sep 2018 13:34:02 +0200
+Subject: mac80211: TDLS: fix skb queue/priority assignment
+
+[ Upstream commit cb59bc14e830028d2244861216df038165d7625d ]
+
+If the TDLS setup happens over a connection to an AP that
+doesn't have QoS, we nevertheless assign a non-zero TID
+(skb->priority) and queue mapping, which may confuse us or
+drivers later.
+
+Fix it by just assigning the special skb->priority and then
+using ieee80211_select_queue() just like other data frames
+would go through.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tdls.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
+index 5cd5e6e5834e..6c647f425e05 100644
+--- a/net/mac80211/tdls.c
++++ b/net/mac80211/tdls.c
+@@ -16,6 +16,7 @@
+ #include "ieee80211_i.h"
+ #include "driver-ops.h"
+ #include "rate.h"
++#include "wme.h"
+
+ /* give usermode some time for retries in setting up the TDLS session */
+ #define TDLS_PEER_SETUP_TIMEOUT (15 * HZ)
+@@ -1010,14 +1011,13 @@ ieee80211_tdls_prep_mgmt_packet(struct wiphy *wiphy, struct net_device *dev,
+ switch (action_code) {
+ case WLAN_TDLS_SETUP_REQUEST:
+ case WLAN_TDLS_SETUP_RESPONSE:
+- skb_set_queue_mapping(skb, IEEE80211_AC_BK);
+- skb->priority = 2;
++ skb->priority = 256 + 2;
+ break;
+ default:
+- skb_set_queue_mapping(skb, IEEE80211_AC_VI);
+- skb->priority = 5;
++ skb->priority = 256 + 5;
+ break;
+ }
++ skb_set_queue_mapping(skb, ieee80211_select_queue(sdata, skb));
+
+ /*
+ * Set the WLAN_TDLS_TEARDOWN flag to indicate a teardown in progress.
+--
+2.17.1
+
--- /dev/null
+From c7756d4519df646249634bd0e350de74318696fe Mon Sep 17 00:00:00 2001
+From: Martin Willi <martin@strongswan.org>
+Date: Tue, 25 Sep 2018 09:51:02 +0200
+Subject: mac80211_hwsim: do not omit multicast announce of first added radio
+
+[ Upstream commit 28ef8b49a338dc1844e86b7954cfffc7dfa2660a ]
+
+The allocation of hwsim radio identifiers uses a post-increment from 0,
+so the first radio has idx 0. This idx is explicitly excluded from
+multicast announcements ever since, but it is unclear why.
+
+Drop that idx check and announce the first radio as well. This makes
+userspace happy if it relies on these events.
+
+Signed-off-by: Martin Willi <martin@strongswan.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
+index cfd0c58aa02a..58dd217811c8 100644
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -2811,8 +2811,7 @@ static int mac80211_hwsim_new_radio(struct genl_info *info,
+ hwsim_radios_generation++;
+ spin_unlock_bh(&hwsim_radio_lock);
+
+- if (idx > 0)
+- hwsim_mcast_new_radio(idx, info, param);
++ hwsim_mcast_new_radio(idx, info, param);
+
+ return idx;
+
+--
+2.17.1
+
--- /dev/null
+From 2a085708ec8e7c5b2088cb68d6aaaa94d15fbb7e Mon Sep 17 00:00:00 2001
+From: Martin Willi <martin@strongswan.org>
+Date: Tue, 25 Sep 2018 09:41:13 +0200
+Subject: mac80211_hwsim: fix locking when iterating radios during ns exit
+
+[ Upstream commit 628980e5c8f038f730582c6ee50b7410741cd96e ]
+
+The cleanup of radios during namespace exit has recently been reworked
+to directly delete a radio while temporarily releasing the spinlock,
+fixing a race condition between the work-queue execution and namespace
+exits. However, the temporary unlock allows unsafe modifications on the
+iterated list, resulting in a potential crash when continuing the
+iteration of additional radios.
+
+Move radios about to destroy to a temporary list, and clean that up
+after releasing the spinlock once iteration is complete.
+
+Fixes: 8cfd36a0b53a ("mac80211_hwsim: fix use-after-free bug in hwsim_exit_net")
+Signed-off-by: Martin Willi <martin@strongswan.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
+index 80e2c8595c7c..6b90bef58293 100644
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -3523,6 +3523,7 @@ static __net_init int hwsim_init_net(struct net *net)
+ static void __net_exit hwsim_exit_net(struct net *net)
+ {
+ struct mac80211_hwsim_data *data, *tmp;
++ LIST_HEAD(list);
+
+ spin_lock_bh(&hwsim_radio_lock);
+ list_for_each_entry_safe(data, tmp, &hwsim_radios, list) {
+@@ -3533,17 +3534,19 @@ static void __net_exit hwsim_exit_net(struct net *net)
+ if (data->netgroup == hwsim_net_get_netgroup(&init_net))
+ continue;
+
+- list_del(&data->list);
++ list_move(&data->list, &list);
+ rhashtable_remove_fast(&hwsim_radios_rht, &data->rht,
+ hwsim_rht_params);
+ hwsim_radios_generation++;
+- spin_unlock_bh(&hwsim_radio_lock);
++ }
++ spin_unlock_bh(&hwsim_radio_lock);
++
++ list_for_each_entry_safe(data, tmp, &list, list) {
++ list_del(&data->list);
+ mac80211_hwsim_del_radio(data,
+ wiphy_name(data->hw->wiphy),
+ NULL);
+- spin_lock_bh(&hwsim_radio_lock);
+ }
+- spin_unlock_bh(&hwsim_radio_lock);
+
+ ida_simple_remove(&hwsim_netgroup_ida, hwsim_net_get_netgroup(net));
+ }
+--
+2.17.1
+
--- /dev/null
+From 3f6da2f8da72c7c1fd08c56ef98e9345e30cc604 Mon Sep 17 00:00:00 2001
+From: Martin Willi <martin@strongswan.org>
+Date: Tue, 25 Sep 2018 09:41:14 +0200
+Subject: mac80211_hwsim: fix race in radio destruction from netlink notifier
+
+[ Upstream commit f1c47eb61d52379de5747d02bb36be20d7a2d0d3 ]
+
+The asynchronous destruction from a work-queue of radios tagged with
+destroy-on-close may race with the owning namespace about to exit,
+resulting in potential use-after-free of that namespace.
+
+Instead of using a work-queue, move radios about to destroy to a
+temporary list, which can be worked on synchronously after releasing
+the lock. This should be safe to do from the netlink socket notifier,
+as the namespace is guaranteed to not get released.
+
+Signed-off-by: Martin Willi <martin@strongswan.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c | 22 +++++++++-------------
+ 1 file changed, 9 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
+index 6b90bef58293..cfd0c58aa02a 100644
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -519,7 +519,6 @@ struct mac80211_hwsim_data {
+ int channels, idx;
+ bool use_chanctx;
+ bool destroy_on_close;
+- struct work_struct destroy_work;
+ u32 portid;
+ char alpha2[2];
+ const struct ieee80211_regdomain *regd;
+@@ -3442,30 +3441,27 @@ static struct genl_family hwsim_genl_family __ro_after_init = {
+ .n_mcgrps = ARRAY_SIZE(hwsim_mcgrps),
+ };
+
+-static void destroy_radio(struct work_struct *work)
+-{
+- struct mac80211_hwsim_data *data =
+- container_of(work, struct mac80211_hwsim_data, destroy_work);
+-
+- hwsim_radios_generation++;
+- mac80211_hwsim_del_radio(data, wiphy_name(data->hw->wiphy), NULL);
+-}
+-
+ static void remove_user_radios(u32 portid)
+ {
+ struct mac80211_hwsim_data *entry, *tmp;
++ LIST_HEAD(list);
+
+ spin_lock_bh(&hwsim_radio_lock);
+ list_for_each_entry_safe(entry, tmp, &hwsim_radios, list) {
+ if (entry->destroy_on_close && entry->portid == portid) {
+- list_del(&entry->list);
++ list_move(&entry->list, &list);
+ rhashtable_remove_fast(&hwsim_radios_rht, &entry->rht,
+ hwsim_rht_params);
+- INIT_WORK(&entry->destroy_work, destroy_radio);
+- queue_work(hwsim_wq, &entry->destroy_work);
++ hwsim_radios_generation++;
+ }
+ }
+ spin_unlock_bh(&hwsim_radio_lock);
++
++ list_for_each_entry_safe(entry, tmp, &list, list) {
++ list_del(&entry->list);
++ mac80211_hwsim_del_radio(entry, wiphy_name(entry->hw->wiphy),
++ NULL);
++ }
+ }
+
+ static int mac80211_hwsim_netlink_notify(struct notifier_block *nb,
+--
+2.17.1
+
--- /dev/null
+From 147087b5e5383ce51d610bdc3bacac88a21bfcaf Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Fri, 5 Oct 2018 15:51:44 -0700
+Subject: mm/gup_benchmark: fix unsigned comparison to zero in
+ __gup_benchmark_ioctl
+
+[ Upstream commit 51896864579d5a3349740847083f4db5c6487164 ]
+
+get_user_pages_fast() will return negative value if no pages were pinned,
+then be converted to a unsigned, which is compared to zero, giving the
+wrong result.
+
+Link: http://lkml.kernel.org/r/20180921095015.26088-1-yuehaibing@huawei.com
+Fixes: 09e35a4a1ca8 ("mm/gup_benchmark: handle gup failures")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/gup_benchmark.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/mm/gup_benchmark.c b/mm/gup_benchmark.c
+index 6a473709e9b6..7405c9d89d65 100644
+--- a/mm/gup_benchmark.c
++++ b/mm/gup_benchmark.c
+@@ -19,7 +19,8 @@ static int __gup_benchmark_ioctl(unsigned int cmd,
+ struct gup_benchmark *gup)
+ {
+ ktime_t start_time, end_time;
+- unsigned long i, nr, nr_pages, addr, next;
++ unsigned long i, nr_pages, addr, next;
++ int nr;
+ struct page **pages;
+
+ nr_pages = gup->size / PAGE_SIZE;
+--
+2.17.1
+
--- /dev/null
+From 3385ea1c1468f6f7ac099e1e7fa9895c873e99f8 Mon Sep 17 00:00:00 2001
+From: Anshuman Khandual <anshuman.khandual@arm.com>
+Date: Fri, 5 Oct 2018 15:51:51 -0700
+Subject: mm/migrate.c: split only transparent huge pages when allocation fails
+
+[ Upstream commit e6112fc300702f96374f34368513d57795fc6d23 ]
+
+split_huge_page_to_list() fails on HugeTLB pages. I was experimenting
+with moving 32MB contig HugeTLB pages on arm64 (with a debug patch
+applied) and hit the following stack trace when the kernel crashed.
+
+[ 3732.462797] Call trace:
+[ 3732.462835] split_huge_page_to_list+0x3b0/0x858
+[ 3732.462913] migrate_pages+0x728/0xc20
+[ 3732.462999] soft_offline_page+0x448/0x8b0
+[ 3732.463097] __arm64_sys_madvise+0x724/0x850
+[ 3732.463197] el0_svc_handler+0x74/0x110
+[ 3732.463297] el0_svc+0x8/0xc
+[ 3732.463347] Code: d1000400 f90b0e60 f2fbd5a2 a94982a1 (f9000420)
+
+When unmap_and_move[_huge_page]() fails due to lack of memory, the
+splitting should happen only for transparent huge pages not for HugeTLB
+pages. PageTransHuge() returns true for both THP and HugeTLB pages.
+Hence the conditonal check should test PagesHuge() flag to make sure that
+given pages is not a HugeTLB one.
+
+Link: http://lkml.kernel.org/r/1537798495-4996-1-git-send-email-anshuman.khandual@arm.com
+Fixes: 94723aafb9 ("mm: unclutter THP migration")
+Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Zi Yan <zi.yan@cs.rutgers.edu>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/migrate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/migrate.c b/mm/migrate.c
+index 2a55289ee9f1..f49eb9589d73 100644
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -1415,7 +1415,7 @@ retry:
+ * we encounter them after the rest of the list
+ * is processed.
+ */
+- if (PageTransHuge(page)) {
++ if (PageTransHuge(page) && !PageHuge(page)) {
+ lock_page(page);
+ rc = split_huge_page_to_list(page, from);
+ unlock_page(page);
+--
+2.17.1
+
--- /dev/null
+From 06f4c19b6fa15dd6d09e2fecd4d122c9681cb277 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wang6495@umn.edu>
+Date: Fri, 5 Oct 2018 08:48:27 -0500
+Subject: net: cxgb3_main: fix a missing-check bug
+
+[ Upstream commit 2c05d88818ab6571816b93edce4d53703870d7ae ]
+
+In cxgb_extension_ioctl(), the command of the ioctl is firstly copied from
+the user-space buffer 'useraddr' to 'cmd' and checked through the
+switch statement. If the command is not as expected, an error code
+EOPNOTSUPP is returned. In the following execution, i.e., the cases of the
+switch statement, the whole buffer of 'useraddr' is copied again to a
+specific data structure, according to what kind of command is requested.
+However, after the second copy, there is no re-check on the newly-copied
+command. Given that the buffer 'useraddr' is in the user space, a malicious
+user can race to change the command between the two copies. By doing so,
+the attacker can supply malicious data to the kernel and cause undefined
+behavior.
+
+This patch adds a re-check in each case of the switch statement if there is
+a second copy in that case, to re-check whether the command obtained in the
+second copy is the same as the one in the first copy. If not, an error code
+EINVAL is returned.
+
+Signed-off-by: Wenwen Wang <wang6495@umn.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+index a19172dbe6be..c34ea385fe4a 100644
+--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+@@ -2159,6 +2159,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ return -EPERM;
+ if (copy_from_user(&t, useraddr, sizeof(t)))
+ return -EFAULT;
++ if (t.cmd != CHELSIO_SET_QSET_PARAMS)
++ return -EINVAL;
+ if (t.qset_idx >= SGE_QSETS)
+ return -EINVAL;
+ if (!in_range(t.intr_lat, 0, M_NEWTIMER) ||
+@@ -2258,6 +2260,9 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ if (copy_from_user(&t, useraddr, sizeof(t)))
+ return -EFAULT;
+
++ if (t.cmd != CHELSIO_GET_QSET_PARAMS)
++ return -EINVAL;
++
+ /* Display qsets for all ports when offload enabled */
+ if (test_bit(OFFLOAD_DEVMAP_BIT, &adapter->open_device_map)) {
+ q1 = 0;
+@@ -2303,6 +2308,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ return -EBUSY;
+ if (copy_from_user(&edata, useraddr, sizeof(edata)))
+ return -EFAULT;
++ if (edata.cmd != CHELSIO_SET_QSET_NUM)
++ return -EINVAL;
+ if (edata.val < 1 ||
+ (edata.val > 1 && !(adapter->flags & USING_MSIX)))
+ return -EINVAL;
+@@ -2343,6 +2350,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ return -EPERM;
+ if (copy_from_user(&t, useraddr, sizeof(t)))
+ return -EFAULT;
++ if (t.cmd != CHELSIO_LOAD_FW)
++ return -EINVAL;
+ /* Check t.len sanity ? */
+ fw_data = memdup_user(useraddr + sizeof(t), t.len);
+ if (IS_ERR(fw_data))
+@@ -2366,6 +2375,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ return -EBUSY;
+ if (copy_from_user(&m, useraddr, sizeof(m)))
+ return -EFAULT;
++ if (m.cmd != CHELSIO_SETMTUTAB)
++ return -EINVAL;
+ if (m.nmtus != NMTUS)
+ return -EINVAL;
+ if (m.mtus[0] < 81) /* accommodate SACK */
+@@ -2407,6 +2418,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ return -EBUSY;
+ if (copy_from_user(&m, useraddr, sizeof(m)))
+ return -EFAULT;
++ if (m.cmd != CHELSIO_SET_PM)
++ return -EINVAL;
+ if (!is_power_of_2(m.rx_pg_sz) ||
+ !is_power_of_2(m.tx_pg_sz))
+ return -EINVAL; /* not power of 2 */
+@@ -2440,6 +2453,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ return -EIO; /* need the memory controllers */
+ if (copy_from_user(&t, useraddr, sizeof(t)))
+ return -EFAULT;
++ if (t.cmd != CHELSIO_GET_MEM)
++ return -EINVAL;
+ if ((t.addr & 7) || (t.len & 7))
+ return -EINVAL;
+ if (t.mem_id == MEM_CM)
+@@ -2492,6 +2507,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ return -EAGAIN;
+ if (copy_from_user(&t, useraddr, sizeof(t)))
+ return -EFAULT;
++ if (t.cmd != CHELSIO_SET_TRACE_FILTER)
++ return -EINVAL;
+
+ tp = (const struct trace_params *)&t.sip;
+ if (t.config_tx)
+--
+2.17.1
+
--- /dev/null
+From 7c27ca83410fda7f819f51d398e6f96164d92e2c Mon Sep 17 00:00:00 2001
+From: Arthur Kiyanovski <akiyano@amazon.com>
+Date: Tue, 9 Oct 2018 11:21:29 +0300
+Subject: net: ena: fix NULL dereference due to untimely napi initialization
+
+[ Upstream commit 78a55d05def95144ca5fa9a64c49b2a0636a9866 ]
+
+napi poll functions should be initialized before running request_irq(),
+to handle a rare condition where there is a pending interrupt, causing
+the ISR to fire immediately while the poll function wasn't set yet,
+causing a NULL dereference.
+
+Fixes: 1738cd3ed342 ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)")
+Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+index 72dbdebf4b5d..000f0d42a710 100644
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -1580,8 +1580,6 @@ static int ena_up_complete(struct ena_adapter *adapter)
+ if (rc)
+ return rc;
+
+- ena_init_napi(adapter);
+-
+ ena_change_mtu(adapter->netdev, adapter->netdev->mtu);
+
+ ena_refill_all_rx_bufs(adapter);
+@@ -1735,6 +1733,13 @@ static int ena_up(struct ena_adapter *adapter)
+
+ ena_setup_io_intr(adapter);
+
++ /* napi poll functions should be initialized before running
++ * request_irq(), to handle a rare condition where there is a pending
++ * interrupt, causing the ISR to fire immediately while the poll
++ * function wasn't set yet, causing a null dereference
++ */
++ ena_init_napi(adapter);
++
+ rc = ena_request_io_irq(adapter);
+ if (rc)
+ goto err_req_irq;
+--
+2.17.1
+
--- /dev/null
+From 0d92fe3c01f9c83e24d3523f4ad15819f33bf96e Mon Sep 17 00:00:00 2001
+From: Arthur Kiyanovski <akiyano@amazon.com>
+Date: Tue, 9 Oct 2018 11:21:28 +0300
+Subject: net: ena: fix rare bug when failed restart/resume is followed by
+ driver removal
+
+[ Upstream commit d7703ddbd7c9cb1ab7c08e1b85b314ff8cea38e9 ]
+
+In a rare scenario when ena_device_restore() fails, followed by device
+remove, an FLR will not be issued. In this case, the device will keep
+sending asynchronous AENQ keep-alive events, even after driver removal,
+leading to memory corruption.
+
+Fixes: 8c5c7abdeb2d ("net: ena: add power management ops to the ENA driver")
+Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+index 7093b661c50e..72dbdebf4b5d 100644
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -2648,7 +2648,11 @@ err_disable_msix:
+ ena_free_mgmnt_irq(adapter);
+ ena_disable_msix(adapter);
+ err_device_destroy:
++ ena_com_abort_admin_commands(ena_dev);
++ ena_com_wait_for_abort_completion(ena_dev);
+ ena_com_admin_destroy(ena_dev);
++ ena_com_mmio_reg_read_request_destroy(ena_dev);
++ ena_com_dev_reset(ena_dev, ENA_REGS_RESET_DRIVER_INVALID_STATE);
+ err:
+ clear_bit(ENA_FLAG_DEVICE_RUNNING, &adapter->flags);
+ clear_bit(ENA_FLAG_ONGOING_RESET, &adapter->flags);
+--
+2.17.1
+
--- /dev/null
+From b403e97a2f22ca9eea82339db48666aa79fac1a5 Mon Sep 17 00:00:00 2001
+From: Arthur Kiyanovski <akiyano@amazon.com>
+Date: Tue, 9 Oct 2018 11:21:27 +0300
+Subject: net: ena: fix warning in rmmod caused by double iounmap
+
+[ Upstream commit d79c3888bde6581da7ff9f9d6f581900ecb5e632 ]
+
+Memory mapped with devm_ioremap is automatically freed when the driver
+is disconnected from the device. Therefore there is no need to
+explicitly call devm_iounmap.
+
+Fixes: 0857d92f71b6 ("net: ena: add missing unmap bars on device removal")
+Fixes: 411838e7b41c ("net: ena: fix rare kernel crash when bar memory remap fails")
+Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+index 1b01cd2820ba..7093b661c50e 100644
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -3128,15 +3128,8 @@ err_rss_init:
+
+ static void ena_release_bars(struct ena_com_dev *ena_dev, struct pci_dev *pdev)
+ {
+- int release_bars;
++ int release_bars = pci_select_bars(pdev, IORESOURCE_MEM) & ENA_BAR_MASK;
+
+- if (ena_dev->mem_bar)
+- devm_iounmap(&pdev->dev, ena_dev->mem_bar);
+-
+- if (ena_dev->reg_bar)
+- devm_iounmap(&pdev->dev, ena_dev->reg_bar);
+-
+- release_bars = pci_select_bars(pdev, IORESOURCE_MEM) & ENA_BAR_MASK;
+ pci_release_selected_regions(pdev, release_bars);
+ }
+
+--
+2.17.1
+
--- /dev/null
+From 3a1d2f9fc191162d894bc8931ddbd198533ded29 Mon Sep 17 00:00:00 2001
+From: Rickard x Andersson <rickaran@axis.com>
+Date: Tue, 2 Oct 2018 14:49:32 +0200
+Subject: net: fec: fix rare tx timeout
+
+[ Upstream commit 657ade07df72847f591ccdb36bd9b91ed0edbac3 ]
+
+During certain heavy network loads TX could time out
+with TX ring dump.
+TX is sometimes never restarted after reaching
+"tx_stop_threshold" because function "fec_enet_tx_queue"
+only tests the first queue.
+
+In addition the TX timeout callback function failed to
+recover because it also operated only on the first queue.
+
+Signed-off-by: Rickard x Andersson <rickaran@axis.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index c729665107f5..e10471ee0a8b 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -1157,7 +1157,7 @@ static void fec_enet_timeout_work(struct work_struct *work)
+ napi_disable(&fep->napi);
+ netif_tx_lock_bh(ndev);
+ fec_restart(ndev);
+- netif_wake_queue(ndev);
++ netif_tx_wake_all_queues(ndev);
+ netif_tx_unlock_bh(ndev);
+ napi_enable(&fep->napi);
+ }
+@@ -1272,7 +1272,7 @@ skb_done:
+
+ /* Since we have freed up a buffer, the ring is no longer full
+ */
+- if (netif_queue_stopped(ndev)) {
++ if (netif_tx_queue_stopped(nq)) {
+ entries_free = fec_enet_get_free_txdesc_num(txq);
+ if (entries_free >= txq->tx_wake_threshold)
+ netif_tx_wake_queue(nq);
+@@ -1745,7 +1745,7 @@ static void fec_enet_adjust_link(struct net_device *ndev)
+ napi_disable(&fep->napi);
+ netif_tx_lock_bh(ndev);
+ fec_restart(ndev);
+- netif_wake_queue(ndev);
++ netif_tx_wake_all_queues(ndev);
+ netif_tx_unlock_bh(ndev);
+ napi_enable(&fep->napi);
+ }
+@@ -2246,7 +2246,7 @@ static int fec_enet_set_pauseparam(struct net_device *ndev,
+ napi_disable(&fep->napi);
+ netif_tx_lock_bh(ndev);
+ fec_restart(ndev);
+- netif_wake_queue(ndev);
++ netif_tx_wake_all_queues(ndev);
+ netif_tx_unlock_bh(ndev);
+ napi_enable(&fep->napi);
+ }
+--
+2.17.1
+
--- /dev/null
+From 380bf7a3771724c5659aa55fe1e1b3259399083c Mon Sep 17 00:00:00 2001
+From: Michal Simek <michal.simek@xilinx.com>
+Date: Tue, 25 Sep 2018 08:32:50 +0200
+Subject: net: macb: Clean 64b dma addresses if they are not detected
+
+[ Upstream commit e1e5d8a9fe737d94ccc0ccbaf0c97f69a8f3e000 ]
+
+Clear ADDR64 dma bit in DMACFG register in case that HW_DMA_CAP_64B is
+not detected on 64bit system.
+The issue was observed when bootloader(u-boot) does not check macb
+feature at DCFG6 register (DAW64_OFFSET) and enabling 64bit dma support
+by default. Then macb driver is reading DMACFG register back and only
+adding 64bit dma configuration but not cleaning it out.
+
+Signed-off-by: Michal Simek <michal.simek@xilinx.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index dfa045f22ef1..db568232ff3e 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -2089,6 +2089,7 @@ static void macb_configure_dma(struct macb *bp)
+ else
+ dmacfg &= ~GEM_BIT(TXCOEN);
+
++ dmacfg &= ~GEM_BIT(ADDR64);
+ #ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT
+ if (bp->hw_dma_cap & HW_DMA_CAP_64B)
+ dmacfg |= GEM_BIT(ADDR64);
+--
+2.17.1
+
--- /dev/null
+From 5ecac9d041501fe8643de3bd9cd319566f8ffae2 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 24 Sep 2018 14:10:04 +0200
+Subject: netfilter: avoid erronous array bounds warning
+
+[ Upstream commit 421c119f558761556afca6a62ad183bc2d8659e0 ]
+
+Unfortunately some versions of gcc emit following warning:
+ $ make net/xfrm/xfrm_output.o
+ linux/compiler.h:252:20: warning: array subscript is above array bounds [-Warray-bounds]
+ hook_head = rcu_dereference(net->nf.hooks_arp[hook]);
+ ^~~~~~~~~~~~~~~~~~~~~
+xfrm_output_resume passes skb_dst(skb)->ops->family as its 'pf' arg so compiler
+can't know that we'll never access hooks_arp[].
+(NFPROTO_IPV4 or NFPROTO_IPV6 are only possible cases).
+
+Avoid this by adding an explicit WARN_ON_ONCE() check.
+
+This patch has no effect if the family is a compile-time constant as gcc
+will remove the switch() construct entirely.
+
+Reported-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/netfilter.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
+index dd2052f0efb7..11b7b8ab0696 100644
+--- a/include/linux/netfilter.h
++++ b/include/linux/netfilter.h
+@@ -215,6 +215,8 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
+ break;
+ case NFPROTO_ARP:
+ #ifdef CONFIG_NETFILTER_FAMILY_ARP
++ if (WARN_ON_ONCE(hook >= ARRAY_SIZE(net->nf.hooks_arp)))
++ break;
+ hook_head = rcu_dereference(net->nf.hooks_arp[hook]);
+ #endif
+ break;
+--
+2.17.1
+
--- /dev/null
+From 94752e613140794543069183ab63197ff5c215a0 Mon Sep 17 00:00:00 2001
+From: David Ahern <dsahern@gmail.com>
+Date: Mon, 17 Sep 2018 08:20:36 -0700
+Subject: netfilter: bridge: Don't sabotage nf_hook calls from an l3mdev
+
+[ Upstream commit a173f066c7cfc031acb8f541708041e009fc9812 ]
+
+For starters, the bridge netfilter code registers operations that
+are invoked any time nh_hook is called. Specifically, ip_sabotage_in
+watches for nested calls for NF_INET_PRE_ROUTING when a bridge is in
+the stack.
+
+Packet wise, the bridge netfilter hook runs first. br_nf_pre_routing
+allocates nf_bridge, sets in_prerouting to 1 and calls NF_HOOK for
+NF_INET_PRE_ROUTING. It's finish function, br_nf_pre_routing_finish,
+then resets in_prerouting flag to 0 and the packet continues up the
+stack. The packet eventually makes it to the VRF driver and it invokes
+nf_hook for NF_INET_PRE_ROUTING in case any rules have been added against
+the vrf device.
+
+Because of the registered operations the call to nf_hook causes
+ip_sabotage_in to be invoked. That function sees the nf_bridge on the
+skb and that in_prerouting is not set. Thinking it is an invalid nested
+call it steals (drops) the packet.
+
+Update ip_sabotage_in to recognize that the bridge or one of its upper
+devices (e.g., vlan) can be enslaved to a VRF (L3 master device) and
+allow the packet to go through the nf_hook a second time.
+
+Fixes: 73e20b761acf ("net: vrf: Add support for PREROUTING rules on vrf device")
+Reported-by: D'Souza, Nelson <ndsouza@ciena.com>
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_netfilter_hooks.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
+index 9b16eaf33819..58240cc185e7 100644
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -834,7 +834,8 @@ static unsigned int ip_sabotage_in(void *priv,
+ struct sk_buff *skb,
+ const struct nf_hook_state *state)
+ {
+- if (skb->nf_bridge && !skb->nf_bridge->in_prerouting) {
++ if (skb->nf_bridge && !skb->nf_bridge->in_prerouting &&
++ !netif_is_l3_master(skb->dev)) {
+ state->okfn(state->net, state->sk, skb);
+ return NF_STOLEN;
+ }
+--
+2.17.1
+
--- /dev/null
+From 8b79606d13423ac7c7a587c6b7c954f86b41b53a Mon Sep 17 00:00:00 2001
+From: zhong jiang <zhongjiang@huawei.com>
+Date: Wed, 19 Sep 2018 20:21:11 +0800
+Subject: netfilter: conntrack: get rid of double sizeof
+
+[ Upstream commit 346fa83d10934cf206e2fd0f514bf8ce186f08fe ]
+
+sizeof(sizeof()) is quite strange and does not seem to be what
+is wanted here.
+
+The issue is detected with the help of Coccinelle.
+
+Fixes: 39215846740a ("netfilter: conntrack: remove nlattr_size pointer from l4proto trackers")
+Signed-off-by: zhong jiang <zhongjiang@huawei.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_proto_tcp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
+index 8e67910185a0..1004fb5930de 100644
+--- a/net/netfilter/nf_conntrack_proto_tcp.c
++++ b/net/netfilter/nf_conntrack_proto_tcp.c
+@@ -1239,8 +1239,8 @@ static const struct nla_policy tcp_nla_policy[CTA_PROTOINFO_TCP_MAX+1] = {
+ #define TCP_NLATTR_SIZE ( \
+ NLA_ALIGN(NLA_HDRLEN + 1) + \
+ NLA_ALIGN(NLA_HDRLEN + 1) + \
+- NLA_ALIGN(NLA_HDRLEN + sizeof(sizeof(struct nf_ct_tcp_flags))) + \
+- NLA_ALIGN(NLA_HDRLEN + sizeof(sizeof(struct nf_ct_tcp_flags))))
++ NLA_ALIGN(NLA_HDRLEN + sizeof(struct nf_ct_tcp_flags)) + \
++ NLA_ALIGN(NLA_HDRLEN + sizeof(struct nf_ct_tcp_flags)))
+
+ static int nlattr_to_tcp(struct nlattr *cda[], struct nf_conn *ct)
+ {
+--
+2.17.1
+
--- /dev/null
+From 1b12c830f6556f7b0f4f093d7d6d52499ed74702 Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Thu, 30 Aug 2018 17:56:52 +0900
+Subject: netfilter: nft_set_rbtree: add missing rb_erase() in GC routine
+
+[ Upstream commit a13f814a67b12a2f29d1decf4b4f4e700658a517 ]
+
+The nft_set_gc_batch_check() checks whether gc buffer is full.
+If gc buffer is full, gc buffer is released by
+the nft_set_gc_batch_complete() internally.
+In case of rbtree, the rb_erase() should be called before calling the
+nft_set_gc_batch_complete(). therefore the rb_erase() should
+be called before calling the nft_set_gc_batch_check() too.
+
+test commands:
+ table ip filter {
+ set set1 {
+ type ipv4_addr; flags interval, timeout;
+ gc-interval 10s;
+ timeout 1s;
+ elements = {
+ 1-2,
+ 3-4,
+ 5-6,
+ ...
+ 10000-10001,
+ }
+ }
+ }
+ %nft -f test.nft
+
+splat looks like:
+[ 430.273885] kasan: GPF could be caused by NULL-ptr deref or user memory access
+[ 430.282158] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
+[ 430.283116] CPU: 1 PID: 190 Comm: kworker/1:2 Tainted: G B 4.18.0+ #7
+[ 430.283116] Workqueue: events_power_efficient nft_rbtree_gc [nf_tables_set]
+[ 430.313559] RIP: 0010:rb_next+0x81/0x130
+[ 430.313559] Code: 08 49 bd 00 00 00 00 00 fc ff df 48 bb 00 00 00 00 00 fc ff df 48 85 c0 75 05 eb 58 48 89 d4
+[ 430.313559] RSP: 0018:ffff88010cdb7680 EFLAGS: 00010207
+[ 430.313559] RAX: 0000000000b84854 RBX: dffffc0000000000 RCX: ffffffff83f01973
+[ 430.313559] RDX: 000000000017090c RSI: 0000000000000008 RDI: 0000000000b84864
+[ 430.313559] RBP: ffff8801060d4588 R08: fffffbfff09bc349 R09: fffffbfff09bc349
+[ 430.313559] R10: 0000000000000001 R11: fffffbfff09bc348 R12: ffff880100f081a8
+[ 430.313559] R13: dffffc0000000000 R14: ffff880100ff8688 R15: dffffc0000000000
+[ 430.313559] FS: 0000000000000000(0000) GS:ffff88011b400000(0000) knlGS:0000000000000000
+[ 430.313559] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 430.313559] CR2: 0000000001551008 CR3: 000000005dc16000 CR4: 00000000001006e0
+[ 430.313559] Call Trace:
+[ 430.313559] nft_rbtree_gc+0x112/0x5c0 [nf_tables_set]
+[ 430.313559] process_one_work+0xc13/0x1ec0
+[ 430.313559] ? _raw_spin_unlock_irq+0x29/0x40
+[ 430.313559] ? pwq_dec_nr_in_flight+0x3c0/0x3c0
+[ 430.313559] ? set_load_weight+0x270/0x270
+[ 430.313559] ? __switch_to_asm+0x34/0x70
+[ 430.313559] ? __switch_to_asm+0x40/0x70
+[ 430.313559] ? __switch_to_asm+0x34/0x70
+[ 430.313559] ? __switch_to_asm+0x34/0x70
+[ 430.313559] ? __switch_to_asm+0x40/0x70
+[ 430.313559] ? __switch_to_asm+0x34/0x70
+[ 430.313559] ? __switch_to_asm+0x40/0x70
+[ 430.313559] ? __switch_to_asm+0x34/0x70
+[ 430.313559] ? __switch_to_asm+0x34/0x70
+[ 430.313559] ? __switch_to_asm+0x40/0x70
+[ 430.313559] ? __switch_to_asm+0x34/0x70
+[ 430.313559] ? __schedule+0x6d3/0x1f50
+[ 430.313559] ? find_held_lock+0x39/0x1c0
+[ 430.313559] ? __sched_text_start+0x8/0x8
+[ 430.313559] ? cyc2ns_read_end+0x10/0x10
+[ 430.313559] ? save_trace+0x300/0x300
+[ 430.313559] ? sched_clock_local+0xd4/0x140
+[ 430.313559] ? find_held_lock+0x39/0x1c0
+[ 430.313559] ? worker_thread+0x353/0x1120
+[ 430.313559] ? worker_thread+0x353/0x1120
+[ 430.313559] ? lock_contended+0xe70/0xe70
+[ 430.313559] ? __lock_acquire+0x4500/0x4500
+[ 430.535635] ? do_raw_spin_unlock+0xa5/0x330
+[ 430.535635] ? do_raw_spin_trylock+0x101/0x1a0
+[ 430.535635] ? do_raw_spin_lock+0x1f0/0x1f0
+[ 430.535635] ? _raw_spin_lock_irq+0x10/0x70
+[ 430.535635] worker_thread+0x15d/0x1120
+[ ... ]
+
+Fixes: 8d8540c4f5e0 ("netfilter: nft_set_rbtree: add timeout support")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_rbtree.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
+index 9873d734b494..8ad78b82c8e2 100644
+--- a/net/netfilter/nft_set_rbtree.c
++++ b/net/netfilter/nft_set_rbtree.c
+@@ -355,12 +355,11 @@ cont:
+
+ static void nft_rbtree_gc(struct work_struct *work)
+ {
++ struct nft_rbtree_elem *rbe, *rbe_end = NULL, *rbe_prev = NULL;
+ struct nft_set_gc_batch *gcb = NULL;
+- struct rb_node *node, *prev = NULL;
+- struct nft_rbtree_elem *rbe;
+ struct nft_rbtree *priv;
++ struct rb_node *node;
+ struct nft_set *set;
+- int i;
+
+ priv = container_of(work, struct nft_rbtree, gc_work.work);
+ set = nft_set_container_of(priv);
+@@ -371,7 +370,7 @@ static void nft_rbtree_gc(struct work_struct *work)
+ rbe = rb_entry(node, struct nft_rbtree_elem, node);
+
+ if (nft_rbtree_interval_end(rbe)) {
+- prev = node;
++ rbe_end = rbe;
+ continue;
+ }
+ if (!nft_set_elem_expired(&rbe->ext))
+@@ -379,29 +378,30 @@ static void nft_rbtree_gc(struct work_struct *work)
+ if (nft_set_elem_mark_busy(&rbe->ext))
+ continue;
+
++ if (rbe_prev) {
++ rb_erase(&rbe_prev->node, &priv->root);
++ rbe_prev = NULL;
++ }
+ gcb = nft_set_gc_batch_check(set, gcb, GFP_ATOMIC);
+ if (!gcb)
+ break;
+
+ atomic_dec(&set->nelems);
+ nft_set_gc_batch_add(gcb, rbe);
++ rbe_prev = rbe;
+
+- if (prev) {
+- rbe = rb_entry(prev, struct nft_rbtree_elem, node);
++ if (rbe_end) {
+ atomic_dec(&set->nelems);
+- nft_set_gc_batch_add(gcb, rbe);
+- prev = NULL;
++ nft_set_gc_batch_add(gcb, rbe_end);
++ rb_erase(&rbe_end->node, &priv->root);
++ rbe_end = NULL;
+ }
+ node = rb_next(node);
+ if (!node)
+ break;
+ }
+- if (gcb) {
+- for (i = 0; i < gcb->head.cnt; i++) {
+- rbe = gcb->elems[i];
+- rb_erase(&rbe->node, &priv->root);
+- }
+- }
++ if (rbe_prev)
++ rb_erase(&rbe_prev->node, &priv->root);
+ write_seqcount_end(&priv->count);
+ write_unlock_bh(&priv->lock);
+
+--
+2.17.1
+
--- /dev/null
+From 46f76d7b0b7615ef6842e67ea319b82459091b38 Mon Sep 17 00:00:00 2001
+From: Masashi Honma <masashi.honma@gmail.com>
+Date: Tue, 25 Sep 2018 11:15:01 +0900
+Subject: nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds
+
+[ Upstream commit 1222a16014888ed9733c11e221730d4a8196222b ]
+
+Use array_index_nospec() to sanitize i with respect to speculation.
+
+Note that the user doesn't control i directly, but can make it out
+of bounds by not finding a threshold in the array.
+
+Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
+[add note about user control, as explained by Masashi]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 3b80cf012438..214f9ef79a64 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -10125,7 +10125,7 @@ static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
+ struct wireless_dev *wdev = dev->ieee80211_ptr;
+ s32 last, low, high;
+ u32 hyst;
+- int i, n;
++ int i, n, low_index;
+ int err;
+
+ /* RSSI reporting disabled? */
+@@ -10162,10 +10162,19 @@ static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
+ if (last < wdev->cqm_config->rssi_thresholds[i])
+ break;
+
+- low = i > 0 ?
+- (wdev->cqm_config->rssi_thresholds[i - 1] - hyst) : S32_MIN;
+- high = i < n ?
+- (wdev->cqm_config->rssi_thresholds[i] + hyst - 1) : S32_MAX;
++ low_index = i - 1;
++ if (low_index >= 0) {
++ low_index = array_index_nospec(low_index, n);
++ low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
++ } else {
++ low = S32_MIN;
++ }
++ if (i < n) {
++ i = array_index_nospec(i, n);
++ high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
++ } else {
++ high = S32_MAX;
++ }
+
+ return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
+ }
+--
+2.17.1
+
--- /dev/null
+From a338a8a0c919d2884bca1cbd142ce92e1102ed04 Mon Sep 17 00:00:00 2001
+From: Masashi Honma <masashi.honma@gmail.com>
+Date: Tue, 25 Sep 2018 11:15:00 +0900
+Subject: nl80211: Fix possible Spectre-v1 for NL80211_TXRATE_HT
+
+[ Upstream commit 30fe6d50eb088783c8729c7d930f65296b2b3fa7 ]
+
+Use array_index_nospec() to sanitize ridx with respect to speculation.
+
+Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 733ccf867972..3b80cf012438 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -3699,6 +3699,7 @@ static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
+ return false;
+
+ /* check availability */
++ ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
+ if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
+ mcs[ridx] |= rbit;
+ else
+--
+2.17.1
+
--- /dev/null
+From 848a092e0c111cc8c38ff857ae189041179953f6 Mon Sep 17 00:00:00 2001
+From: Larry Chen <lchen@suse.com>
+Date: Fri, 5 Oct 2018 15:51:37 -0700
+Subject: ocfs2: fix crash in ocfs2_duplicate_clusters_by_page()
+
+[ Upstream commit 69eb7765b9c6902444c89c54e7043242faf981e5 ]
+
+ocfs2_duplicate_clusters_by_page() may crash if one of the extent's pages
+is dirty. When a page has not been written back, it is still in dirty
+state. If ocfs2_duplicate_clusters_by_page() is called against the dirty
+page, the crash happens.
+
+To fix this bug, we can just unlock the page and wait until the page until
+its not dirty.
+
+The following is the backtrace:
+
+kernel BUG at /root/code/ocfs2/refcounttree.c:2961!
+[exception RIP: ocfs2_duplicate_clusters_by_page+822]
+__ocfs2_move_extent+0x80/0x450 [ocfs2]
+? __ocfs2_claim_clusters+0x130/0x250 [ocfs2]
+ocfs2_defrag_extent+0x5b8/0x5e0 [ocfs2]
+__ocfs2_move_extents_range+0x2a4/0x470 [ocfs2]
+ocfs2_move_extents+0x180/0x3b0 [ocfs2]
+? ocfs2_wait_for_recovery+0x13/0x70 [ocfs2]
+ocfs2_ioctl_move_extents+0x133/0x2d0 [ocfs2]
+ocfs2_ioctl+0x253/0x640 [ocfs2]
+do_vfs_ioctl+0x90/0x5f0
+SyS_ioctl+0x74/0x80
+do_syscall_64+0x74/0x140
+entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Once we find the page is dirty, we do not wait until it's clean, rather we
+use write_one_page() to write it back
+
+Link: http://lkml.kernel.org/r/20180829074740.9438-1-lchen@suse.com
+[lchen@suse.com: update comments]
+ Link: http://lkml.kernel.org/r/20180830075041.14879-1-lchen@suse.com
+[akpm@linux-foundation.org: coding-style fixes]
+Signed-off-by: Larry Chen <lchen@suse.com>
+Acked-by: Changwei Ge <ge.changwei@h3c.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/refcounttree.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ocfs2/refcounttree.c b/fs/ocfs2/refcounttree.c
+index 7869622af22a..7a5ee145c733 100644
+--- a/fs/ocfs2/refcounttree.c
++++ b/fs/ocfs2/refcounttree.c
+@@ -2946,6 +2946,7 @@ int ocfs2_duplicate_clusters_by_page(handle_t *handle,
+ if (map_end & (PAGE_SIZE - 1))
+ to = map_end & (PAGE_SIZE - 1);
+
++retry:
+ page = find_or_create_page(mapping, page_index, GFP_NOFS);
+ if (!page) {
+ ret = -ENOMEM;
+@@ -2954,11 +2955,18 @@ int ocfs2_duplicate_clusters_by_page(handle_t *handle,
+ }
+
+ /*
+- * In case PAGE_SIZE <= CLUSTER_SIZE, This page
+- * can't be dirtied before we CoW it out.
++ * In case PAGE_SIZE <= CLUSTER_SIZE, we do not expect a dirty
++ * page, so write it back.
+ */
+- if (PAGE_SIZE <= OCFS2_SB(sb)->s_clustersize)
+- BUG_ON(PageDirty(page));
++ if (PAGE_SIZE <= OCFS2_SB(sb)->s_clustersize) {
++ if (PageDirty(page)) {
++ /*
++ * write_on_page will unlock the page on return
++ */
++ ret = write_one_page(page);
++ goto retry;
++ }
++ }
+
+ if (!PageUptodate(page)) {
+ ret = block_read_full_page(page, ocfs2_get_block);
+--
+2.17.1
+
--- /dev/null
+From 4224db0c83daf2dc8387603258d1463101b68f1a Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Tue, 25 Sep 2018 17:58:35 +0200
+Subject: perf/core: Fix perf_pmu_unregister() locking
+
+[ Upstream commit a9f9772114c8b07ae75bcb3654bd017461248095 ]
+
+When we unregister a PMU, we fail to serialize the @pmu_idr properly.
+Fix that by doing the entire thing under pmu_lock.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Fixes: 2e80a82a49c4 ("perf: Dynamic pmu types")
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index ae22d93701db..b1ed5e99d9c6 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -9436,9 +9436,7 @@ static void free_pmu_context(struct pmu *pmu)
+ if (pmu->task_ctx_nr > perf_invalid_context)
+ return;
+
+- mutex_lock(&pmus_lock);
+ free_percpu(pmu->pmu_cpu_context);
+- mutex_unlock(&pmus_lock);
+ }
+
+ /*
+@@ -9694,12 +9692,8 @@ EXPORT_SYMBOL_GPL(perf_pmu_register);
+
+ void perf_pmu_unregister(struct pmu *pmu)
+ {
+- int remove_device;
+-
+ mutex_lock(&pmus_lock);
+- remove_device = pmu_bus_running;
+ list_del_rcu(&pmu->entry);
+- mutex_unlock(&pmus_lock);
+
+ /*
+ * We dereference the pmu list under both SRCU and regular RCU, so
+@@ -9711,13 +9705,14 @@ void perf_pmu_unregister(struct pmu *pmu)
+ free_percpu(pmu->pmu_disable_count);
+ if (pmu->type >= PERF_TYPE_MAX)
+ idr_remove(&pmu_idr, pmu->type);
+- if (remove_device) {
++ if (pmu_bus_running) {
+ if (pmu->nr_addr_filters)
+ device_remove_file(pmu->dev, &dev_attr_nr_addr_filters);
+ device_del(pmu->dev);
+ put_device(pmu->dev);
+ }
+ free_pmu_context(pmu);
++ mutex_unlock(&pmus_lock);
+ }
+ EXPORT_SYMBOL_GPL(perf_pmu_unregister);
+
+--
+2.17.1
+
--- /dev/null
+From 56d4b18c247cb4e0c4301c09ba7a192a1a22f689 Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Tue, 18 Sep 2018 16:08:02 -0300
+Subject: perf python: Use -Wno-redundant-decls to build with PYTHON=python3
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 05a2f54679861deb188750ba2a70187000b2c71f ]
+
+When building in ClearLinux using 'make PYTHON=python3' with gcc 8.2.1
+it fails with:
+
+ GEN /tmp/build/perf/python/perf.so
+ In file included from /usr/include/python3.7m/Python.h:126,
+ from /git/linux/tools/perf/util/python.c:2:
+ /usr/include/python3.7m/import.h:58:24: error: redundant redeclaration of ‘_PyImport_AddModuleObject’ [-Werror=redundant-decls]
+ PyAPI_FUNC(PyObject *) _PyImport_AddModuleObject(PyObject *, PyObject *);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~
+ /usr/include/python3.7m/import.h:47:24: note: previous declaration of ‘_PyImport_AddModuleObject’ was here
+ PyAPI_FUNC(PyObject *) _PyImport_AddModuleObject(PyObject *name,
+ ^~~~~~~~~~~~~~~~~~~~~~~~~
+ cc1: all warnings being treated as errors
+ error: command 'gcc' failed with exit status 1
+
+And indeed there is a redundant declaration in that Python.h file, one
+with parameter names and the other without, so just add
+-Wno-error=redundant-decls to the python setup instructions.
+
+Now perf builds with gcc in ClearLinux with the following Dockerfile:
+
+ # docker.io/acmel/linux-perf-tools-build-clearlinux:latest
+ FROM docker.io/clearlinux:latest
+ MAINTAINER Arnaldo Carvalho de Melo <acme@kernel.org>
+ RUN swupd update && \
+ swupd bundle-add sysadmin-basic-dev
+ RUN mkdir -m 777 -p /git /tmp/build/perf /tmp/build/objtool /tmp/build/linux && \
+ groupadd -r perfbuilder && \
+ useradd -m -r -g perfbuilder perfbuilder && \
+ chown -R perfbuilder.perfbuilder /tmp/build/ /git/
+ USER perfbuilder
+ COPY rx_and_build.sh /
+ ENV EXTRA_MAKE_ARGS=PYTHON=python3
+ ENTRYPOINT ["/rx_and_build.sh"]
+
+Now to figure out why the build fails with clang, that is present in the
+above container as detected by the rx_and_build.sh script:
+
+ clang version 6.0.1 (tags/RELEASE_601/final)
+ Target: x86_64-unknown-linux-gnu
+ Thread model: posix
+ InstalledDir: /usr/sbin
+ make: Entering directory '/git/linux/tools/perf'
+ BUILD: Doing 'make -j4' parallel build
+ HOSTCC /tmp/build/perf/fixdep.o
+ HOSTLD /tmp/build/perf/fixdep-in.o
+ LINK /tmp/build/perf/fixdep
+
+ Auto-detecting system features:
+ ... dwarf: [ OFF ]
+ ... dwarf_getlocations: [ OFF ]
+ ... glibc: [ OFF ]
+ ... gtk2: [ OFF ]
+ ... libaudit: [ OFF ]
+ ... libbfd: [ OFF ]
+ ... libelf: [ OFF ]
+ ... libnuma: [ OFF ]
+ ... numa_num_possible_cpus: [ OFF ]
+ ... libperl: [ OFF ]
+ ... libpython: [ OFF ]
+ ... libslang: [ OFF ]
+ ... libcrypto: [ OFF ]
+ ... libunwind: [ OFF ]
+ ... libdw-dwarf-unwind: [ OFF ]
+ ... zlib: [ OFF ]
+ ... lzma: [ OFF ]
+ ... get_cpuid: [ OFF ]
+ ... bpf: [ OFF ]
+
+ Makefile.config:331: *** No gnu/libc-version.h found, please install glibc-dev[el]. Stop.
+ make[1]: *** [Makefile.perf:206: sub-make] Error 2
+ make: *** [Makefile:70: all] Error 2
+ make: Leaving directory '/git/linux/tools/perf'
+
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Thiago Macieira <thiago.macieira@intel.com>
+Cc: Wang Nan <wangnan0@huawei.com>
+Link: https://lkml.kernel.org/n/tip-c3khb9ac86s00qxzjrueomme@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/setup.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/setup.py b/tools/perf/util/setup.py
+index 001be4f9d3b9..a5f9e236cc71 100644
+--- a/tools/perf/util/setup.py
++++ b/tools/perf/util/setup.py
+@@ -27,7 +27,7 @@ class install_lib(_install_lib):
+
+ cflags = getenv('CFLAGS', '').split()
+ # switch off several checks (need to be at the end of cflags list)
+-cflags += ['-fno-strict-aliasing', '-Wno-write-strings', '-Wno-unused-parameter' ]
++cflags += ['-fno-strict-aliasing', '-Wno-write-strings', '-Wno-unused-parameter', '-Wno-redundant-decls' ]
+ if cc != "clang":
+ cflags += ['-Wno-cast-function-type' ]
+
+--
+2.17.1
+
--- /dev/null
+From 5c6a4c6a36a78feed9790df6d74d47c030a2fab5 Mon Sep 17 00:00:00 2001
+From: Milian Wolff <milian.wolff@kdab.com>
+Date: Wed, 26 Sep 2018 15:52:06 +0200
+Subject: perf record: Use unmapped IP for inline callchain cursors
+
+[ Upstream commit 7a8a8fcf7b860e4b2d4edc787c844d41cad9dfcf ]
+
+Only use the mapped IP to find inline frames, but keep using the
+unmapped IP for the callchain cursor. This ensures we properly show the
+unmapped IP when displaying a frame we received via the
+dso__parse_addr_inlines API for a module which does not contain
+sufficient debug symbols to show the srcline.
+
+This is another follow-up to commit 19610184693c ("perf script: Show
+virtual addresses instead of offsets").
+
+Signed-off-by: Milian Wolff <milian.wolff@kdab.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Tested-by: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jin Yao <yao.jin@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Sandipan Das <sandipan@linux.ibm.com>
+Fixes: 19610184693c ("perf script: Show virtual addresses instead of offsets")
+Link: http://lkml.kernel.org/r/20180926135207.30263-2-milian.wolff@kdab.com
+Link: http://lkml.kernel.org/r/20181002073949.3297-1-milian.wolff@kdab.com
+[ Squashed a fix from Milian for a problem reported by Ravi, fixed up space damage ]
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/machine.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c
+index d49744dc46d7..b70cce40ca97 100644
+--- a/tools/perf/util/machine.c
++++ b/tools/perf/util/machine.c
+@@ -2246,7 +2246,8 @@ static int append_inlines(struct callchain_cursor *cursor,
+ if (!symbol_conf.inline_name || !map || !sym)
+ return ret;
+
+- addr = map__rip_2objdump(map, ip);
++ addr = map__map_ip(map, ip);
++ addr = map__rip_2objdump(map, addr);
+
+ inline_node = inlines__tree_find(&map->dso->inlined_nodes, addr);
+ if (!inline_node) {
+--
+2.17.1
+
--- /dev/null
+From ced2a94765495eebd6eadf84334a5c6188ced65f Mon Sep 17 00:00:00 2001
+From: Milian Wolff <milian.wolff@kdab.com>
+Date: Wed, 26 Sep 2018 15:52:05 +0200
+Subject: perf report: Don't try to map ip to invalid map
+
+[ Upstream commit ff4ce2885af8f9e8e99864d78dbeb4673f089c76 ]
+
+Fixes a crash when the report encounters an address that could not be
+associated with an mmaped region:
+
+ #0 0x00005555557bdc4a in callchain_srcline (ip=<error reading variable: Cannot access memory at address 0x38>, sym=0x0, map=0x0) at util/machine.c:2329
+ #1 unwind_entry (entry=entry@entry=0x7fffffff9180, arg=arg@entry=0x7ffff5642498) at util/machine.c:2329
+ #2 0x00005555558370af in entry (arg=0x7ffff5642498, cb=0x5555557bdb50 <unwind_entry>, thread=<optimized out>, ip=18446744073709551615) at util/unwind-libunwind-local.c:586
+ #3 get_entries (ui=ui@entry=0x7fffffff9620, cb=0x5555557bdb50 <unwind_entry>, arg=0x7ffff5642498, max_stack=<optimized out>) at util/unwind-libunwind-local.c:703
+ #4 0x0000555555837192 in _unwind__get_entries (cb=<optimized out>, arg=<optimized out>, thread=<optimized out>, data=<optimized out>, max_stack=<optimized out>) at util/unwind-libunwind-local.c:725
+ #5 0x00005555557c310f in thread__resolve_callchain_unwind (max_stack=127, sample=0x7fffffff9830, evsel=0x555555c7b3b0, cursor=0x7ffff5642498, thread=0x555555c7f6f0) at util/machine.c:2351
+ #6 thread__resolve_callchain (thread=0x555555c7f6f0, cursor=0x7ffff5642498, evsel=0x555555c7b3b0, sample=0x7fffffff9830, parent=0x7fffffff97b8, root_al=0x7fffffff9750, max_stack=127) at util/machine.c:2378
+ #7 0x00005555557ba4ee in sample__resolve_callchain (sample=<optimized out>, cursor=<optimized out>, parent=parent@entry=0x7fffffff97b8, evsel=<optimized out>, al=al@entry=0x7fffffff9750,
+ max_stack=<optimized out>) at util/callchain.c:1085
+
+Signed-off-by: Milian Wolff <milian.wolff@kdab.com>
+Tested-by: Sandipan Das <sandipan@linux.ibm.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Jin Yao <yao.jin@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Fixes: 2a9d5050dc84 ("perf script: Show correct offsets for DWARF-based unwinding")
+Link: http://lkml.kernel.org/r/20180926135207.30263-1-milian.wolff@kdab.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/machine.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c
+index 22dbb6612b41..d49744dc46d7 100644
+--- a/tools/perf/util/machine.c
++++ b/tools/perf/util/machine.c
+@@ -2272,7 +2272,7 @@ static int unwind_entry(struct unwind_entry *entry, void *arg)
+ {
+ struct callchain_cursor *cursor = arg;
+ const char *srcline = NULL;
+- u64 addr;
++ u64 addr = entry->ip;
+
+ if (symbol_conf.hide_unresolved && entry->sym == NULL)
+ return 0;
+@@ -2284,7 +2284,8 @@ static int unwind_entry(struct unwind_entry *entry, void *arg)
+ * Convert entry->ip from a virtual address to an offset in
+ * its corresponding binary.
+ */
+- addr = map__map_ip(entry->map, entry->ip);
++ if (entry->map)
++ addr = map__map_ip(entry->map, entry->ip);
+
+ srcline = callchain_srcline(entry->map, entry->sym, addr);
+ return callchain_cursor_append(cursor, entry->ip,
+--
+2.17.1
+
--- /dev/null
+From 88cbf472143b7483de671f7fa0a8dac73b8188e8 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@redhat.com>
+Date: Sun, 23 Sep 2018 18:13:43 +0200
+Subject: perf/ring_buffer: Prevent concurent ring buffer access
+
+[ Upstream commit cd6fb677ce7e460c25bdd66f689734102ec7d642 ]
+
+Some of the scheduling tracepoints allow the perf_tp_event
+code to write to ring buffer under different cpu than the
+code is running on.
+
+This results in corrupted ring buffer data demonstrated in
+following perf commands:
+
+ # perf record -e 'sched:sched_switch,sched:sched_wakeup' perf bench sched messaging
+ # Running 'sched/messaging' benchmark:
+ # 20 sender and receiver processes per group
+ # 10 groups == 400 processes run
+
+ Total time: 0.383 [sec]
+ [ perf record: Woken up 8 times to write data ]
+ 0x42b890 [0]: failed to process type: -1765585640
+ [ perf record: Captured and wrote 4.825 MB perf.data (29669 samples) ]
+
+ # perf report --stdio
+ 0x42b890 [0]: failed to process type: -1765585640
+
+The reason for the corruption are some of the scheduling tracepoints,
+that have __perf_task dfined and thus allow to store data to another
+cpu ring buffer:
+
+ sched_waking
+ sched_wakeup
+ sched_wakeup_new
+ sched_stat_wait
+ sched_stat_sleep
+ sched_stat_iowait
+ sched_stat_blocked
+
+The perf_tp_event function first store samples for current cpu
+related events defined for tracepoint:
+
+ hlist_for_each_entry_rcu(event, head, hlist_entry)
+ perf_swevent_event(event, count, &data, regs);
+
+And then iterates events of the 'task' and store the sample
+for any task's event that passes tracepoint checks:
+
+ ctx = rcu_dereference(task->perf_event_ctxp[perf_sw_context]);
+
+ list_for_each_entry_rcu(event, &ctx->event_list, event_entry) {
+ if (event->attr.type != PERF_TYPE_TRACEPOINT)
+ continue;
+ if (event->attr.config != entry->type)
+ continue;
+
+ perf_swevent_event(event, count, &data, regs);
+ }
+
+Above code can race with same code running on another cpu,
+ending up with 2 cpus trying to store under the same ring
+buffer, which is specifically not allowed.
+
+This patch prevents the problem, by allowing only events with the same
+current cpu to receive the event.
+
+NOTE: this requires the use of (per-task-)per-cpu buffers for this
+feature to work; perf-record does this.
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+[peterz: small edits to Changelog]
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andrew Vagin <avagin@openvz.org>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Fixes: e6dab5ffab59 ("perf/trace: Add ability to set a target task for events")
+Link: http://lkml.kernel.org/r/20180923161343.GB15054@krava
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index b1ed5e99d9c6..fc072b7f839d 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -8319,6 +8319,8 @@ void perf_tp_event(u16 event_type, u64 count, void *record, int entry_size,
+ goto unlock;
+
+ list_for_each_entry_rcu(event, &ctx->event_list, event_entry) {
++ if (event->cpu != smp_processor_id())
++ continue;
+ if (event->attr.type != PERF_TYPE_TRACEPOINT)
+ continue;
+ if (event->attr.config != entry->type)
+--
+2.17.1
+
--- /dev/null
+From bb9f5d8f1b9630066459cdb8e3cba9e2fd45862d Mon Sep 17 00:00:00 2001
+From: "Natarajan, Janakarajan" <Janakarajan.Natarajan@amd.com>
+Date: Thu, 27 Sep 2018 15:51:55 +0000
+Subject: perf/x86/amd/uncore: Set ThreadMask and SliceMask for L3 Cache perf
+ events
+
+[ Upstream commit d7cbbe49a9304520181fb8c9272d1327deec8453 ]
+
+In Family 17h, some L3 Cache Performance events require the ThreadMask
+and SliceMask to be set. For other events, these fields do not affect
+the count either way.
+
+Set ThreadMask and SliceMask to 0xFF and 0xF respectively.
+
+Signed-off-by: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: H . Peter Anvin <hpa@zytor.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Suravee <Suravee.Suthikulpanit@amd.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Link: http://lkml.kernel.org/r/Message-ID:
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/amd/uncore.c | 10 ++++++++++
+ arch/x86/include/asm/perf_event.h | 8 ++++++++
+ 2 files changed, 18 insertions(+)
+
+diff --git a/arch/x86/events/amd/uncore.c b/arch/x86/events/amd/uncore.c
+index 981ba5e8241b..8671de126eac 100644
+--- a/arch/x86/events/amd/uncore.c
++++ b/arch/x86/events/amd/uncore.c
+@@ -36,6 +36,7 @@
+
+ static int num_counters_llc;
+ static int num_counters_nb;
++static bool l3_mask;
+
+ static HLIST_HEAD(uncore_unused_list);
+
+@@ -209,6 +210,13 @@ static int amd_uncore_event_init(struct perf_event *event)
+ hwc->config = event->attr.config & AMD64_RAW_EVENT_MASK_NB;
+ hwc->idx = -1;
+
++ /*
++ * SliceMask and ThreadMask need to be set for certain L3 events in
++ * Family 17h. For other events, the two fields do not affect the count.
++ */
++ if (l3_mask)
++ hwc->config |= (AMD64_L3_SLICE_MASK | AMD64_L3_THREAD_MASK);
++
+ if (event->cpu < 0)
+ return -EINVAL;
+
+@@ -525,6 +533,7 @@ static int __init amd_uncore_init(void)
+ amd_llc_pmu.name = "amd_l3";
+ format_attr_event_df.show = &event_show_df;
+ format_attr_event_l3.show = &event_show_l3;
++ l3_mask = true;
+ } else {
+ num_counters_nb = NUM_COUNTERS_NB;
+ num_counters_llc = NUM_COUNTERS_L2;
+@@ -532,6 +541,7 @@ static int __init amd_uncore_init(void)
+ amd_llc_pmu.name = "amd_l2";
+ format_attr_event_df = format_attr_event;
+ format_attr_event_l3 = format_attr_event;
++ l3_mask = false;
+ }
+
+ amd_nb_pmu.attr_groups = amd_uncore_attr_groups_df;
+diff --git a/arch/x86/include/asm/perf_event.h b/arch/x86/include/asm/perf_event.h
+index 12f54082f4c8..78241b736f2a 100644
+--- a/arch/x86/include/asm/perf_event.h
++++ b/arch/x86/include/asm/perf_event.h
+@@ -46,6 +46,14 @@
+ #define INTEL_ARCH_EVENT_MASK \
+ (ARCH_PERFMON_EVENTSEL_UMASK | ARCH_PERFMON_EVENTSEL_EVENT)
+
++#define AMD64_L3_SLICE_SHIFT 48
++#define AMD64_L3_SLICE_MASK \
++ ((0xFULL) << AMD64_L3_SLICE_SHIFT)
++
++#define AMD64_L3_THREAD_SHIFT 56
++#define AMD64_L3_THREAD_MASK \
++ ((0xFFULL) << AMD64_L3_THREAD_SHIFT)
++
+ #define X86_RAW_EVENT_MASK \
+ (ARCH_PERFMON_EVENTSEL_EVENT | \
+ ARCH_PERFMON_EVENTSEL_UMASK | \
+--
+2.17.1
+
--- /dev/null
+From bd349695f940548bc3059f48667d577c614ad47b Mon Sep 17 00:00:00 2001
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Fri, 21 Sep 2018 07:07:06 -0700
+Subject: perf/x86/intel/uncore: Fix PCI BDF address of M3UPI on SKX
+
+[ Upstream commit 9d92cfeaf5215158d26d2991be7f7ff865cb98f3 ]
+
+The counters on M3UPI Link 0 and Link 3 don't count properly, and writing
+0 to these counters may causes system crash on some machines.
+
+The PCI BDF addresses of the M3UPI in the current code are incorrect.
+
+The correct addresses should be:
+
+ D18:F1 0x204D
+ D18:F2 0x204E
+ D18:F5 0x204D
+
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Fixes: cd34cd97b7b4 ("perf/x86/intel/uncore: Add Skylake server uncore support")
+Link: http://lkml.kernel.org/r/1537538826-55489-1-git-send-email-kan.liang@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/uncore_snbep.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
+index 53b981dcdb42..c07bee31abe8 100644
+--- a/arch/x86/events/intel/uncore_snbep.c
++++ b/arch/x86/events/intel/uncore_snbep.c
+@@ -3931,16 +3931,16 @@ static const struct pci_device_id skx_uncore_pci_ids[] = {
+ .driver_data = UNCORE_PCI_DEV_FULL_DATA(21, 5, SKX_PCI_UNCORE_M2PCIE, 3),
+ },
+ { /* M3UPI0 Link 0 */
+- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204C),
+- .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 0, SKX_PCI_UNCORE_M3UPI, 0),
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204D),
++ .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 1, SKX_PCI_UNCORE_M3UPI, 0),
+ },
+ { /* M3UPI0 Link 1 */
+- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204D),
+- .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 1, SKX_PCI_UNCORE_M3UPI, 1),
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204E),
++ .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 2, SKX_PCI_UNCORE_M3UPI, 1),
+ },
+ { /* M3UPI1 Link 2 */
+- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204C),
+- .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 4, SKX_PCI_UNCORE_M3UPI, 2),
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204D),
++ .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 5, SKX_PCI_UNCORE_M3UPI, 2),
+ },
+ { /* end: all zeroes */ }
+ };
+--
+2.17.1
+
--- /dev/null
+From a0106893e79275c4d0fe9e8b2ec1c5e1f15a1de5 Mon Sep 17 00:00:00 2001
+From: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
+Date: Mon, 10 Sep 2018 10:47:50 -0400
+Subject: perf/x86/intel/uncore: Use boot_cpu_data.phys_proc_id instead of
+ hardcorded physical package ID 0
+
+[ Upstream commit 6265adb9726098b7f4f7ca70bc51992b25fdd9d6 ]
+
+Physical package id 0 doesn't always exist, we should use
+boot_cpu_data.phys_proc_id here.
+
+Signed-off-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Masayoshi Mizuma <msys.mizuma@gmail.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Link: http://lkml.kernel.org/r/20180910144750.6782-1-msys.mizuma@gmail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/uncore_snbep.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
+index 51d7c117e3c7..53b981dcdb42 100644
+--- a/arch/x86/events/intel/uncore_snbep.c
++++ b/arch/x86/events/intel/uncore_snbep.c
+@@ -3061,7 +3061,7 @@ static struct event_constraint bdx_uncore_pcu_constraints[] = {
+
+ void bdx_uncore_cpu_init(void)
+ {
+- int pkg = topology_phys_to_logical_pkg(0);
++ int pkg = topology_phys_to_logical_pkg(boot_cpu_data.phys_proc_id);
+
+ if (bdx_uncore_cbox.num_boxes > boot_cpu_data.x86_max_cores)
+ bdx_uncore_cbox.num_boxes = boot_cpu_data.x86_max_cores;
+--
+2.17.1
+
--- /dev/null
+From b8964941d13b3c939cea2904587dd0722fb8286e Mon Sep 17 00:00:00 2001
+From: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Date: Fri, 28 Sep 2018 09:17:32 +0530
+Subject: powerpc/numa: Skip onlining a offline node in kdump path
+
+[ Upstream commit ac1788cc7da4ce54edcfd2e499afdb0a23d5c41d ]
+
+With commit 2ea626306810 ("powerpc/topology: Get topology for shared
+processors at boot"), kdump kernel on shared LPAR may crash.
+
+The necessary conditions are
+- Shared LPAR with at least 2 nodes having memory and CPUs.
+- Memory requirement for kdump kernel must be met by the first N-1
+ nodes where there are at least N nodes with memory and CPUs.
+
+Example numactl of such a machine.
+ $ numactl -H
+ available: 5 nodes (0,2,5-7)
+ node 0 cpus:
+ node 0 size: 0 MB
+ node 0 free: 0 MB
+ node 2 cpus:
+ node 2 size: 255 MB
+ node 2 free: 189 MB
+ node 5 cpus: 24 25 26 27 28 29 30 31
+ node 5 size: 4095 MB
+ node 5 free: 4024 MB
+ node 6 cpus: 0 1 2 3 4 5 6 7 16 17 18 19 20 21 22 23
+ node 6 size: 6353 MB
+ node 6 free: 5998 MB
+ node 7 cpus: 8 9 10 11 12 13 14 15 32 33 34 35 36 37 38 39
+ node 7 size: 7640 MB
+ node 7 free: 7164 MB
+ node distances:
+ node 0 2 5 6 7
+ 0: 10 40 40 40 40
+ 2: 40 10 40 40 40
+ 5: 40 40 10 40 40
+ 6: 40 40 40 10 20
+ 7: 40 40 40 20 10
+
+Steps to reproduce.
+1. Load / start kdump service.
+2. Trigger a kdump (for example : echo c > /proc/sysrq-trigger)
+
+When booting a kdump kernel with 2048M:
+
+ kexec: Starting switchover sequence.
+ I'm in purgatory
+ Using 1TB segments
+ hash-mmu: Initializing hash mmu with SLB
+ Linux version 4.19.0-rc5-master+ (srikar@linux-xxu6) (gcc version 4.8.5 (SUSE Linux)) #1 SMP Thu Sep 27 19:45:00 IST 2018
+ Found initrd at 0xc000000009e70000:0xc00000000ae554b4
+ Using pSeries machine description
+ -----------------------------------------------------
+ ppc64_pft_size = 0x1e
+ phys_mem_size = 0x88000000
+ dcache_bsize = 0x80
+ icache_bsize = 0x80
+ cpu_features = 0x000000ff8f5d91a7
+ possible = 0x0000fbffcf5fb1a7
+ always = 0x0000006f8b5c91a1
+ cpu_user_features = 0xdc0065c2 0xef000000
+ mmu_features = 0x7c006001
+ firmware_features = 0x00000007c45bfc57
+ htab_hash_mask = 0x7fffff
+ physical_start = 0x8000000
+ -----------------------------------------------------
+ numa: NODE_DATA [mem 0x87d5e300-0x87d67fff]
+ numa: NODE_DATA(0) on node 6
+ numa: NODE_DATA [mem 0x87d54600-0x87d5e2ff]
+ Top of RAM: 0x88000000, Total RAM: 0x88000000
+ Memory hole size: 0MB
+ Zone ranges:
+ DMA [mem 0x0000000000000000-0x0000000087ffffff]
+ DMA32 empty
+ Normal empty
+ Movable zone start for each node
+ Early memory node ranges
+ node 6: [mem 0x0000000000000000-0x0000000087ffffff]
+ Could not find start_pfn for node 0
+ Initmem setup node 0 [mem 0x0000000000000000-0x0000000000000000]
+ On node 0 totalpages: 0
+ Initmem setup node 6 [mem 0x0000000000000000-0x0000000087ffffff]
+ On node 6 totalpages: 34816
+
+ Unable to handle kernel paging request for data at address 0x00000060
+ Faulting instruction address: 0xc000000008703a54
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ LE SMP NR_CPUS=2048 NUMA pSeries
+ Modules linked in:
+ CPU: 11 PID: 1 Comm: swapper/11 Not tainted 4.19.0-rc5-master+ #1
+ NIP: c000000008703a54 LR: c000000008703a38 CTR: 0000000000000000
+ REGS: c00000000b673440 TRAP: 0380 Not tainted (4.19.0-rc5-master+)
+ MSR: 8000000002009033 <SF,VEC,EE,ME,IR,DR,RI,LE> CR: 24022022 XER: 20000002
+ CFAR: c0000000086fc238 IRQMASK: 0
+ GPR00: c000000008703a38 c00000000b6736c0 c000000009281900 0000000000000000
+ GPR04: 0000000000000000 0000000000000000 fffffffffffff001 c00000000b660080
+ GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000220
+ GPR12: 0000000000002200 c000000009e51400 0000000000000000 0000000000000008
+ GPR16: 0000000000000000 c000000008c152e8 c000000008c152a8 0000000000000000
+ GPR20: c000000009422fd8 c000000009412fd8 c000000009426040 0000000000000008
+ GPR24: 0000000000000000 0000000000000000 c000000009168bc8 c000000009168c78
+ GPR28: c00000000b126410 0000000000000000 c00000000916a0b8 c00000000b126400
+ NIP [c000000008703a54] bus_add_device+0x84/0x1e0
+ LR [c000000008703a38] bus_add_device+0x68/0x1e0
+ Call Trace:
+ [c00000000b6736c0] [c000000008703a38] bus_add_device+0x68/0x1e0 (unreliable)
+ [c00000000b673740] [c000000008700194] device_add+0x454/0x7c0
+ [c00000000b673800] [c00000000872e660] __register_one_node+0xb0/0x240
+ [c00000000b673860] [c00000000839a6bc] __try_online_node+0x12c/0x180
+ [c00000000b673900] [c00000000839b978] try_online_node+0x58/0x90
+ [c00000000b673930] [c0000000080846d8] find_and_online_cpu_nid+0x158/0x190
+ [c00000000b673a10] [c0000000080848a0] numa_update_cpu_topology+0x190/0x580
+ [c00000000b673c00] [c000000008d3f2e4] smp_cpus_done+0x94/0x108
+ [c00000000b673c70] [c000000008d5c00c] smp_init+0x174/0x19c
+ [c00000000b673d00] [c000000008d346b8] kernel_init_freeable+0x1e0/0x450
+ [c00000000b673dc0] [c0000000080102e8] kernel_init+0x28/0x160
+ [c00000000b673e30] [c00000000800b65c] ret_from_kernel_thread+0x5c/0x80
+ Instruction dump:
+ 60000000 60000000 e89e0020 7fe3fb78 4bff87d5 60000000 7c7d1b79 4082008c
+ e8bf0050 e93e0098 3b9f0010 2fa50000 <e8690060> 38630018 419e0114 7f84e378
+ ---[ end trace 593577668c2daa65 ]---
+
+However a regular kernel with 4096M (2048 gets reserved for crash
+kernel) boots properly.
+
+Unlike regular kernels, which mark all available nodes as online,
+kdump kernel only marks just enough nodes as online and marks the rest
+as offline at boot. However kdump kernel boots with all available
+CPUs. With Commit 2ea626306810 ("powerpc/topology: Get topology for
+shared processors at boot"), all CPUs are onlined on their respective
+nodes at boot time. try_online_node() tries to online the offline
+nodes but fails as all needed subsystems are not yet initialized.
+
+As part of fix, detect and skip early onlining of a offline node.
+
+Fixes: 2ea626306810 ("powerpc/topology: Get topology for shared processors at boot")
+Reported-by: Pavithra Prakash <pavrampu@in.ibm.com>
+Signed-off-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Tested-by: Hari Bathini <hbathini@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/mm/numa.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/mm/numa.c b/arch/powerpc/mm/numa.c
+index 59d07bd5374a..055b211b7126 100644
+--- a/arch/powerpc/mm/numa.c
++++ b/arch/powerpc/mm/numa.c
+@@ -1217,9 +1217,10 @@ int find_and_online_cpu_nid(int cpu)
+ * Need to ensure that NODE_DATA is initialized for a node from
+ * available memory (see memblock_alloc_try_nid). If unable to
+ * init the node, then default to nearest node that has memory
+- * installed.
++ * installed. Skip onlining a node if the subsystems are not
++ * yet initialized.
+ */
+- if (try_online_node(new_nid))
++ if (!topology_inited || try_online_node(new_nid))
+ new_nid = first_online_node;
+ #else
+ /*
+--
+2.17.1
+
--- /dev/null
+From e6e30abe00caec2f9b5f88827892c2d90ce291ab Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Wed, 26 Sep 2018 18:11:22 +0200
+Subject: pxa168fb: prepare the clock
+
+[ Upstream commit d85536cde91fcfed6fb8d983783bd2b92c843939 ]
+
+Add missing prepare/unprepare operations for fbi->clk,
+this fixes following kernel warning:
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 0 PID: 1 at drivers/clk/clk.c:874 clk_core_enable+0x2c/0x1b0
+ Enabling unprepared disp0_clk
+ Modules linked in:
+ CPU: 0 PID: 1 Comm: swapper Not tainted 4.18.0-rc8-00032-g02b43ddd4f21-dirty #25
+ Hardware name: Marvell MMP2 (Device Tree Support)
+ [<c010f7cc>] (unwind_backtrace) from [<c010cc6c>] (show_stack+0x10/0x14)
+ [<c010cc6c>] (show_stack) from [<c011dab4>] (__warn+0xd8/0xf0)
+ [<c011dab4>] (__warn) from [<c011db10>] (warn_slowpath_fmt+0x44/0x6c)
+ [<c011db10>] (warn_slowpath_fmt) from [<c043898c>] (clk_core_enable+0x2c/0x1b0)
+ [<c043898c>] (clk_core_enable) from [<c0439ec8>] (clk_core_enable_lock+0x18/0x2c)
+ [<c0439ec8>] (clk_core_enable_lock) from [<c0436698>] (pxa168fb_probe+0x464/0x6ac)
+ [<c0436698>] (pxa168fb_probe) from [<c04779a0>] (platform_drv_probe+0x48/0x94)
+ [<c04779a0>] (platform_drv_probe) from [<c0475bec>] (driver_probe_device+0x328/0x470)
+ [<c0475bec>] (driver_probe_device) from [<c0475de4>] (__driver_attach+0xb0/0x124)
+ [<c0475de4>] (__driver_attach) from [<c0473c38>] (bus_for_each_dev+0x64/0xa0)
+ [<c0473c38>] (bus_for_each_dev) from [<c0474ee0>] (bus_add_driver+0x1b8/0x230)
+ [<c0474ee0>] (bus_add_driver) from [<c0476a20>] (driver_register+0xac/0xf0)
+ [<c0476a20>] (driver_register) from [<c0102dd4>] (do_one_initcall+0xb8/0x1f0)
+ [<c0102dd4>] (do_one_initcall) from [<c0b010a0>] (kernel_init_freeable+0x294/0x2e0)
+ [<c0b010a0>] (kernel_init_freeable) from [<c07e9eb8>] (kernel_init+0x8/0x10c)
+ [<c07e9eb8>] (kernel_init) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
+ Exception stack(0xd008bfb0 to 0xd008bff8)
+ bfa0: 00000000 00000000 00000000 00000000
+ bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+ bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
+ ---[ end trace c0af40f9e2ed7cb4 ]---
+
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+[b.zolnierkie: enhance patch description a bit]
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/pxa168fb.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/video/fbdev/pxa168fb.c b/drivers/video/fbdev/pxa168fb.c
+index def3a501acd6..d059d04c63ac 100644
+--- a/drivers/video/fbdev/pxa168fb.c
++++ b/drivers/video/fbdev/pxa168fb.c
+@@ -712,7 +712,7 @@ static int pxa168fb_probe(struct platform_device *pdev)
+ /*
+ * enable controller clock
+ */
+- clk_enable(fbi->clk);
++ clk_prepare_enable(fbi->clk);
+
+ pxa168fb_set_par(info);
+
+@@ -767,7 +767,7 @@ static int pxa168fb_probe(struct platform_device *pdev)
+ failed_free_cmap:
+ fb_dealloc_cmap(&info->cmap);
+ failed_free_clk:
+- clk_disable(fbi->clk);
++ clk_disable_unprepare(fbi->clk);
+ failed_free_fbmem:
+ dma_free_coherent(fbi->dev, info->fix.smem_len,
+ info->screen_base, fbi->fb_start_dma);
+@@ -807,7 +807,7 @@ static int pxa168fb_remove(struct platform_device *pdev)
+ dma_free_wc(fbi->dev, PAGE_ALIGN(info->fix.smem_len),
+ info->screen_base, info->fix.smem_start);
+
+- clk_disable(fbi->clk);
++ clk_disable_unprepare(fbi->clk);
+
+ framebuffer_release(info);
+
+--
+2.17.1
+
--- /dev/null
+From 645db65051c2888847fcd489b7a7fb58283742af Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Mon, 24 Sep 2018 15:17:03 -0700
+Subject: qed: Avoid constant logical operation warning in qed_vf_pf_acquire
+
+[ Upstream commit 1c492a9d55ba99079210ed901dd8a5423f980487 ]
+
+Clang warns when a constant is used in a boolean context as it thinks a
+bitwise operation may have been intended.
+
+drivers/net/ethernet/qlogic/qed/qed_vf.c:415:27: warning: use of logical
+'&&' with constant operand [-Wconstant-logical-operand]
+ if (!p_iov->b_pre_fp_hsi &&
+ ^
+drivers/net/ethernet/qlogic/qed/qed_vf.c:415:27: note: use '&' for a
+bitwise operation
+ if (!p_iov->b_pre_fp_hsi &&
+ ^~
+ &
+drivers/net/ethernet/qlogic/qed/qed_vf.c:415:27: note: remove constant
+to silence this warning
+ if (!p_iov->b_pre_fp_hsi &&
+ ~^~
+1 warning generated.
+
+This has been here since commit 1fe614d10f45 ("qed: Relax VF firmware
+requirements") and I am not entirely sure why since 0 isn't a special
+case. Just remove the statement causing Clang to warn since it isn't
+required.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/126
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_vf.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_vf.c b/drivers/net/ethernet/qlogic/qed/qed_vf.c
+index ac3f54bbe9b9..c4766e4ac485 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_vf.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_vf.c
+@@ -413,7 +413,6 @@ static int qed_vf_pf_acquire(struct qed_hwfn *p_hwfn)
+ }
+
+ if (!p_iov->b_pre_fp_hsi &&
+- ETH_HSI_VER_MINOR &&
+ (resp->pfdev_info.minor_fp_hsi < ETH_HSI_VER_MINOR)) {
+ DP_INFO(p_hwfn,
+ "PF is using older fastpath HSI; %02x.%02x is configured\n",
+--
+2.17.1
+
--- /dev/null
+From 9d6309b5990a3df426d2b6613940f078a1f06bea Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Mon, 24 Sep 2018 14:42:12 -0700
+Subject: qed: Avoid implicit enum conversion in qed_iwarp_parse_rx_pkt
+
+[ Upstream commit 77f2d753819b7d50c16abfb778caf1fe075faed0 ]
+
+Clang warns when one enumerated type is implicitly converted to another.
+
+drivers/net/ethernet/qlogic/qed/qed_iwarp.c:1713:25: warning: implicit
+conversion from enumeration type 'enum tcp_ip_version' to different
+enumeration type 'enum qed_tcp_ip_version' [-Wenum-conversion]
+ cm_info->ip_version = TCP_IPV4;
+ ~ ^~~~~~~~
+drivers/net/ethernet/qlogic/qed/qed_iwarp.c:1733:25: warning: implicit
+conversion from enumeration type 'enum tcp_ip_version' to different
+enumeration type 'enum qed_tcp_ip_version' [-Wenum-conversion]
+ cm_info->ip_version = TCP_IPV6;
+ ~ ^~~~~~~~
+2 warnings generated.
+
+Use the appropriate values from the expected type, qed_tcp_ip_version:
+
+TCP_IPV4 = QED_TCP_IPV4 = 0
+TCP_IPV6 = QED_TCP_IPV6 = 1
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/125
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_iwarp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_iwarp.c b/drivers/net/ethernet/qlogic/qed/qed_iwarp.c
+index 90a2b53096e2..51bbb0e5b514 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_iwarp.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_iwarp.c
+@@ -1710,7 +1710,7 @@ qed_iwarp_parse_rx_pkt(struct qed_hwfn *p_hwfn,
+
+ cm_info->local_ip[0] = ntohl(iph->daddr);
+ cm_info->remote_ip[0] = ntohl(iph->saddr);
+- cm_info->ip_version = TCP_IPV4;
++ cm_info->ip_version = QED_TCP_IPV4;
+
+ ip_hlen = (iph->ihl) * sizeof(u32);
+ *payload_len = ntohs(iph->tot_len) - ip_hlen;
+@@ -1730,7 +1730,7 @@ qed_iwarp_parse_rx_pkt(struct qed_hwfn *p_hwfn,
+ cm_info->remote_ip[i] =
+ ntohl(ip6h->saddr.in6_u.u6_addr32[i]);
+ }
+- cm_info->ip_version = TCP_IPV6;
++ cm_info->ip_version = QED_TCP_IPV6;
+
+ ip_hlen = sizeof(*ip6h);
+ *payload_len = ntohs(ip6h->payload_len);
+--
+2.17.1
+
--- /dev/null
+From f856bf1c4332c8035dd56437bb4a298fef2794d4 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Mon, 24 Sep 2018 14:34:53 -0700
+Subject: qed: Avoid implicit enum conversion in qed_roce_mode_to_flavor
+
+[ Upstream commit d3a315795b4ce8b105a64a90699103121bde04a8 ]
+
+Clang warns when one enumerated type is implicitly converted to another.
+
+drivers/net/ethernet/qlogic/qed/qed_roce.c:153:12: warning: implicit
+conversion from enumeration type 'enum roce_mode' to different
+enumeration type 'enum roce_flavor' [-Wenum-conversion]
+ flavor = ROCE_V2_IPV6;
+ ~ ^~~~~~~~~~~~
+drivers/net/ethernet/qlogic/qed/qed_roce.c:156:12: warning: implicit
+conversion from enumeration type 'enum roce_mode' to different
+enumeration type 'enum roce_flavor' [-Wenum-conversion]
+ flavor = MAX_ROCE_MODE;
+ ~ ^~~~~~~~~~~~~
+2 warnings generated.
+
+Use the appropriate values from the expected type, roce_flavor:
+
+ROCE_V2_IPV6 = RROCE_IPV6 = 2
+MAX_ROCE_MODE = MAX_ROCE_FLAVOR = 3
+
+While we're add it, ditch the local variable flavor, we can just return
+the value directly from the switch statement.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/125
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_roce.c | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_roce.c b/drivers/net/ethernet/qlogic/qed/qed_roce.c
+index b5ce1581645f..79424e6f0976 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_roce.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_roce.c
+@@ -138,23 +138,16 @@ static void qed_rdma_copy_gids(struct qed_rdma_qp *qp, __le32 *src_gid,
+
+ static enum roce_flavor qed_roce_mode_to_flavor(enum roce_mode roce_mode)
+ {
+- enum roce_flavor flavor;
+-
+ switch (roce_mode) {
+ case ROCE_V1:
+- flavor = PLAIN_ROCE;
+- break;
++ return PLAIN_ROCE;
+ case ROCE_V2_IPV4:
+- flavor = RROCE_IPV4;
+- break;
++ return RROCE_IPV4;
+ case ROCE_V2_IPV6:
+- flavor = ROCE_V2_IPV6;
+- break;
++ return RROCE_IPV6;
+ default:
+- flavor = MAX_ROCE_MODE;
+- break;
++ return MAX_ROCE_FLAVOR;
+ }
+- return flavor;
+ }
+
+ void qed_roce_free_cid_pair(struct qed_hwfn *p_hwfn, u16 cid)
+--
+2.17.1
+
--- /dev/null
+From 42d254562e281a0a0efb7e79cbaa640ca13a2339 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Mon, 24 Sep 2018 13:53:34 -0700
+Subject: qed: Avoid implicit enum conversion in qed_set_tunn_cls_info
+
+[ Upstream commit a898fba32229efd5e6b6154f83fa86a7145156b9 ]
+
+Clang warns when one enumerated type is implicitly converted to another.
+
+drivers/net/ethernet/qlogic/qed/qed_sp_commands.c:163:25: warning:
+implicit conversion from enumeration type 'enum tunnel_clss' to
+different enumeration type 'enum qed_tunn_clss' [-Wenum-conversion]
+ p_tun->vxlan.tun_cls = type;
+ ~ ^~~~
+drivers/net/ethernet/qlogic/qed/qed_sp_commands.c:165:26: warning:
+implicit conversion from enumeration type 'enum tunnel_clss' to
+different enumeration type 'enum qed_tunn_clss' [-Wenum-conversion]
+ p_tun->l2_gre.tun_cls = type;
+ ~ ^~~~
+drivers/net/ethernet/qlogic/qed/qed_sp_commands.c:167:26: warning:
+implicit conversion from enumeration type 'enum tunnel_clss' to
+different enumeration type 'enum qed_tunn_clss' [-Wenum-conversion]
+ p_tun->ip_gre.tun_cls = type;
+ ~ ^~~~
+drivers/net/ethernet/qlogic/qed/qed_sp_commands.c:169:29: warning:
+implicit conversion from enumeration type 'enum tunnel_clss' to
+different enumeration type 'enum qed_tunn_clss' [-Wenum-conversion]
+ p_tun->l2_geneve.tun_cls = type;
+ ~ ^~~~
+drivers/net/ethernet/qlogic/qed/qed_sp_commands.c:171:29: warning:
+implicit conversion from enumeration type 'enum tunnel_clss' to
+different enumeration type 'enum qed_tunn_clss' [-Wenum-conversion]
+ p_tun->ip_geneve.tun_cls = type;
+ ~ ^~~~
+5 warnings generated.
+
+Avoid this by changing type to an int.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/125
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_sp_commands.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_sp_commands.c b/drivers/net/ethernet/qlogic/qed/qed_sp_commands.c
+index 8de644b4721e..77b6248ad3b9 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_sp_commands.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_sp_commands.c
+@@ -154,7 +154,7 @@ qed_set_pf_update_tunn_mode(struct qed_tunnel_info *p_tun,
+ static void qed_set_tunn_cls_info(struct qed_tunnel_info *p_tun,
+ struct qed_tunnel_info *p_src)
+ {
+- enum tunnel_clss type;
++ int type;
+
+ p_tun->b_update_rx_cls = p_src->b_update_rx_cls;
+ p_tun->b_update_tx_cls = p_src->b_update_tx_cls;
+--
+2.17.1
+
--- /dev/null
+From 793ed2b7f21d6ea12844eb5a5382c97f11895668 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Mon, 24 Sep 2018 14:05:27 -0700
+Subject: qed: Fix mask parameter in qed_vf_prep_tunn_req_tlv
+
+[ Upstream commit db803f36e56f23b5a2266807e190d1dc11554d54 ]
+
+Clang complains when one enumerated type is implicitly converted to
+another.
+
+drivers/net/ethernet/qlogic/qed/qed_vf.c:686:6: warning: implicit
+conversion from enumeration type 'enum qed_tunn_mode' to different
+enumeration type 'enum qed_tunn_clss' [-Wenum-conversion]
+ QED_MODE_L2GENEVE_TUNN,
+ ^~~~~~~~~~~~~~~~~~~~~~
+
+Update mask's parameter to expect qed_tunn_mode, which is what was
+intended.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/125
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_vf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_vf.c b/drivers/net/ethernet/qlogic/qed/qed_vf.c
+index be6ddde1a104..ac3f54bbe9b9 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_vf.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_vf.c
+@@ -572,7 +572,7 @@ free_p_iov:
+ static void
+ __qed_vf_prep_tunn_req_tlv(struct vfpf_update_tunn_param_tlv *p_req,
+ struct qed_tunn_update_type *p_src,
+- enum qed_tunn_clss mask, u8 *p_cls)
++ enum qed_tunn_mode mask, u8 *p_cls)
+ {
+ if (p_src->b_update_mode) {
+ p_req->tun_mode_update_mask |= BIT(mask);
+@@ -587,7 +587,7 @@ __qed_vf_prep_tunn_req_tlv(struct vfpf_update_tunn_param_tlv *p_req,
+ static void
+ qed_vf_prep_tunn_req_tlv(struct vfpf_update_tunn_param_tlv *p_req,
+ struct qed_tunn_update_type *p_src,
+- enum qed_tunn_clss mask,
++ enum qed_tunn_mode mask,
+ u8 *p_cls, struct qed_tunn_update_udp_port *p_port,
+ u8 *p_update_port, u16 *p_udp_port)
+ {
+--
+2.17.1
+
--- /dev/null
+From 53251f685e1284ad9143c35ab2451b17c4eb307b Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:54 -0700
+Subject: r8152: Check for supported Wake-on-LAN Modes
+
+[ Upstream commit f2750df1548bd8a2b060eb609fc43ca82811af4c ]
+
+The driver does not check for Wake-on-LAN modes specified by an user,
+but will conditionally set the device as wake-up enabled or not based on
+that, which could be a very confusing user experience.
+
+Fixes: 21ff2e8976b1 ("r8152: support WOL")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index 1b07bb5e110d..9a55d75f7f10 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -4503,6 +4503,9 @@ static int rtl8152_set_wol(struct net_device *dev, struct ethtool_wolinfo *wol)
+ if (!rtl_can_wakeup(tp))
+ return -EOPNOTSUPP;
+
++ if (wol->wolopts & ~WAKE_ANY)
++ return -EINVAL;
++
+ ret = usb_autopm_get_interface(tp->intf);
+ if (ret < 0)
+ goto out_set_wol;
+--
+2.17.1
+
--- /dev/null
+From b555b8cfdf5f6b91ed1c18b6c9d354e69987ff26 Mon Sep 17 00:00:00 2001
+From: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
+Date: Mon, 8 Oct 2018 09:17:11 -0700
+Subject: rds: RDS (tcp) hangs on sendto() to unresponding address
+
+[ Upstream commit 9a4890bd6d6325a1c88564a20ab310b2d56f6094 ]
+
+In rds_send_mprds_hash(), if the calculated hash value is non-zero and
+the MPRDS connections are not yet up, it will wait. But it should not
+wait if the send is non-blocking. In this case, it should just use the
+base c_path for sending the message.
+
+Signed-off-by: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rds/send.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/net/rds/send.c b/net/rds/send.c
+index 59f17a2335f4..0e54ca0f4e9e 100644
+--- a/net/rds/send.c
++++ b/net/rds/send.c
+@@ -1006,7 +1006,8 @@ static int rds_cmsg_send(struct rds_sock *rs, struct rds_message *rm,
+ return ret;
+ }
+
+-static int rds_send_mprds_hash(struct rds_sock *rs, struct rds_connection *conn)
++static int rds_send_mprds_hash(struct rds_sock *rs,
++ struct rds_connection *conn, int nonblock)
+ {
+ int hash;
+
+@@ -1022,10 +1023,16 @@ static int rds_send_mprds_hash(struct rds_sock *rs, struct rds_connection *conn)
+ * used. But if we are interrupted, we have to use the zero
+ * c_path in case the connection ends up being non-MP capable.
+ */
+- if (conn->c_npaths == 0)
++ if (conn->c_npaths == 0) {
++ /* Cannot wait for the connection be made, so just use
++ * the base c_path.
++ */
++ if (nonblock)
++ return 0;
+ if (wait_event_interruptible(conn->c_hs_waitq,
+ conn->c_npaths != 0))
+ hash = 0;
++ }
+ if (conn->c_npaths == 1)
+ hash = 0;
+ }
+@@ -1170,7 +1177,7 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
+ }
+
+ if (conn->c_trans->t_mp_capable)
+- cpath = &conn->c_path[rds_send_mprds_hash(rs, conn)];
++ cpath = &conn->c_path[rds_send_mprds_hash(rs, conn, nonblock)];
+ else
+ cpath = &conn->c_path[0];
+
+--
+2.17.1
+
--- /dev/null
+From b271987a84ea03d4c009066c91e19edab1ed542e Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Mon, 1 Oct 2018 21:42:37 -0700
+Subject: Revert "serial: 8250_dw: Fix runtime PM handling"
+
+[ Upstream commit beeeac43b6fae5f5eaf707b6fcc2bf1e09deb785 ]
+
+This reverts commit d76c74387e1c978b6c5524a146ab0f3f72206f98.
+
+While commit d76c74387e1c ("serial: 8250_dw: Fix runtime PM handling")
+fixes runtime PM handling when using kgdb, it introduces a traceback for
+everyone else.
+
+BUG: sleeping function called from invalid context at
+ /mnt/host/source/src/third_party/kernel/next/drivers/base/power/runtime.c:1034
+in_atomic(): 1, irqs_disabled(): 1, pid: 1, name: swapper/0
+7 locks held by swapper/0/1:
+ #0: 000000005ec5bc72 (&dev->mutex){....}, at: __driver_attach+0xb5/0x12b
+ #1: 000000005d5fa9e5 (&dev->mutex){....}, at: __device_attach+0x3e/0x15b
+ #2: 0000000047e93286 (serial_mutex){+.+.}, at: serial8250_register_8250_port+0x51/0x8bb
+ #3: 000000003b328f07 (port_mutex){+.+.}, at: uart_add_one_port+0xab/0x8b0
+ #4: 00000000fa313d4d (&port->mutex){+.+.}, at: uart_add_one_port+0xcc/0x8b0
+ #5: 00000000090983ca (console_lock){+.+.}, at: vprintk_emit+0xdb/0x217
+ #6: 00000000c743e583 (console_owner){-...}, at: console_unlock+0x211/0x60f
+irq event stamp: 735222
+__down_trylock_console_sem+0x4a/0x84
+console_unlock+0x338/0x60f
+__do_softirq+0x4a4/0x50d
+irq_exit+0x64/0xe2
+CPU: 2 PID: 1 Comm: swapper/0 Not tainted 4.19.0-rc5 #6
+Hardware name: Google Caroline/Caroline, BIOS Google_Caroline.7820.286.0 03/15/2017
+Call Trace:
+ dump_stack+0x7d/0xbd
+ ___might_sleep+0x238/0x259
+ __pm_runtime_resume+0x4e/0xa4
+ ? serial8250_rpm_get+0x2e/0x44
+ serial8250_console_write+0x44/0x301
+ ? lock_acquire+0x1b8/0x1fa
+ console_unlock+0x577/0x60f
+ vprintk_emit+0x1f0/0x217
+ printk+0x52/0x6e
+ register_console+0x43b/0x524
+ uart_add_one_port+0x672/0x8b0
+ ? set_io_from_upio+0x150/0x162
+ serial8250_register_8250_port+0x825/0x8bb
+ dw8250_probe+0x80c/0x8b0
+ ? dw8250_serial_inq+0x8e/0x8e
+ ? dw8250_check_lcr+0x108/0x108
+ ? dw8250_runtime_resume+0x5b/0x5b
+ ? dw8250_serial_outq+0xa1/0xa1
+ ? dw8250_remove+0x115/0x115
+ platform_drv_probe+0x76/0xc5
+ really_probe+0x1f1/0x3ee
+ ? driver_allows_async_probing+0x5d/0x5d
+ driver_probe_device+0xd6/0x112
+ ? driver_allows_async_probing+0x5d/0x5d
+ bus_for_each_drv+0xbe/0xe5
+ __device_attach+0xdd/0x15b
+ bus_probe_device+0x5a/0x10b
+ device_add+0x501/0x894
+ ? _raw_write_unlock+0x27/0x3a
+ platform_device_add+0x224/0x2b7
+ mfd_add_device+0x718/0x75b
+ ? __kmalloc+0x144/0x16a
+ ? mfd_add_devices+0x38/0xdb
+ mfd_add_devices+0x9b/0xdb
+ intel_lpss_probe+0x7d4/0x8ee
+ intel_lpss_pci_probe+0xac/0xd4
+ pci_device_probe+0x101/0x18e
+...
+
+Revert the offending patch until a more comprehensive solution
+is available.
+
+Cc: Tony Lindgren <tony@atomide.com>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Phil Edworthy <phil.edworthy@renesas.com>
+Fixes: d76c74387e1c ("serial: 8250_dw: Fix runtime PM handling")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_dw.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/tty/serial/8250/8250_dw.c b/drivers/tty/serial/8250/8250_dw.c
+index af842000188c..a25f6ea5c784 100644
+--- a/drivers/tty/serial/8250/8250_dw.c
++++ b/drivers/tty/serial/8250/8250_dw.c
+@@ -576,10 +576,6 @@ static int dw8250_probe(struct platform_device *pdev)
+ if (!data->skip_autocfg)
+ dw8250_setup_port(p);
+
+-#ifdef CONFIG_PM
+- uart.capabilities |= UART_CAP_RPM;
+-#endif
+-
+ /* If we have a valid fifosize, try hooking up DMA */
+ if (p->fifosize) {
+ data->dma.rxconf.src_maxburst = p->fifosize / 4;
+--
+2.17.1
+
--- /dev/null
+From 40b6f327d405e4c4f68f814e80136ac611d71802 Mon Sep 17 00:00:00 2001
+From: Atish Patra <atish.patra@wdc.com>
+Date: Tue, 11 Sep 2018 11:30:18 -0700
+Subject: RISCV: Fix end PFN for low memory
+
+[ Upstream commit ef1f2258748b675422ca0107e5bfb9ceeac675de ]
+
+Use memblock_end_of_DRAM which provides correct last low memory
+PFN. Without that, DMA32 region becomes empty resulting in zero
+pages being allocated for DMA32.
+
+This patch is based on earlier patch from palmer which never
+merged into 4.19. I just edited the commit text to make more
+sense.
+
+Signed-off-by: Atish Patra <atish.patra@wdc.com>
+Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/setup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/kernel/setup.c b/arch/riscv/kernel/setup.c
+index 0efa5b29d0a3..dcff272aee06 100644
+--- a/arch/riscv/kernel/setup.c
++++ b/arch/riscv/kernel/setup.c
+@@ -165,7 +165,7 @@ static void __init setup_bootmem(void)
+ BUG_ON(mem_size == 0);
+
+ set_max_mapnr(PFN_DOWN(mem_size));
+- max_low_pfn = pfn_base + PFN_DOWN(mem_size);
++ max_low_pfn = memblock_end_of_DRAM();
+
+ #ifdef CONFIG_BLK_DEV_INITRD
+ setup_initrd();
+--
+2.17.1
+
--- /dev/null
+From 3891146904c97a65c98aea31016d8ed71e808313 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Mon, 8 Oct 2018 15:46:05 +0100
+Subject: rxrpc: Carry call state out of locked section in
+ rxrpc_rotate_tx_window()
+
+[ Upstream commit dfe995224693798e554ab4770f6d8a096afc60cd ]
+
+Carry the call state out of the locked section in rxrpc_rotate_tx_window()
+rather than sampling it afterwards. This is only used to select tracepoint
+data, but could have changed by the time we do the tracepoint.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/input.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
+index 5e180a3c2d01..fe1cf206d12a 100644
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -278,23 +278,26 @@ static bool rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,
+ static bool rxrpc_end_tx_phase(struct rxrpc_call *call, bool reply_begun,
+ const char *abort_why)
+ {
++ unsigned int state;
+
+ ASSERT(test_bit(RXRPC_CALL_TX_LAST, &call->flags));
+
+ write_lock(&call->state_lock);
+
+- switch (call->state) {
++ state = call->state;
++ switch (state) {
+ case RXRPC_CALL_CLIENT_SEND_REQUEST:
+ case RXRPC_CALL_CLIENT_AWAIT_REPLY:
+ if (reply_begun)
+- call->state = RXRPC_CALL_CLIENT_RECV_REPLY;
++ call->state = state = RXRPC_CALL_CLIENT_RECV_REPLY;
+ else
+- call->state = RXRPC_CALL_CLIENT_AWAIT_REPLY;
++ call->state = state = RXRPC_CALL_CLIENT_AWAIT_REPLY;
+ break;
+
+ case RXRPC_CALL_SERVER_AWAIT_ACK:
+ __rxrpc_call_completed(call);
+ rxrpc_notify_socket(call);
++ state = call->state;
+ break;
+
+ default:
+@@ -302,11 +305,10 @@ static bool rxrpc_end_tx_phase(struct rxrpc_call *call, bool reply_begun,
+ }
+
+ write_unlock(&call->state_lock);
+- if (call->state == RXRPC_CALL_CLIENT_AWAIT_REPLY) {
++ if (state == RXRPC_CALL_CLIENT_AWAIT_REPLY)
+ trace_rxrpc_transmit(call, rxrpc_transmit_await_reply);
+- } else {
++ else
+ trace_rxrpc_transmit(call, rxrpc_transmit_end);
+- }
+ _leave(" = ok");
+ return true;
+
+--
+2.17.1
+
--- /dev/null
+From a12e32872c5a91ce2ab872c1bd376e6bc9d47a14 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Mon, 8 Oct 2018 15:46:01 +0100
+Subject: rxrpc: Don't check RXRPC_CALL_TX_LAST after calling
+ rxrpc_rotate_tx_window()
+
+[ Upstream commit c479d5f2c2e1ce609da08c075054440d97ddff52 ]
+
+We should only call the function to end a call's Tx phase if we rotated the
+marked-last packet out of the transmission buffer.
+
+Make rxrpc_rotate_tx_window() return an indication of whether it just
+rotated the packet marked as the last out of the transmit buffer, carrying
+the information out of the locked section in that function.
+
+We can then check the return value instead of examining RXRPC_CALL_TX_LAST.
+
+Fixes: 70790dbe3f66 ("rxrpc: Pass the last Tx packet marker in the annotation buffer")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/input.c | 35 +++++++++++++++++++----------------
+ 1 file changed, 19 insertions(+), 16 deletions(-)
+
+diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
+index 608d078a4981..5e180a3c2d01 100644
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -216,10 +216,11 @@ static void rxrpc_send_ping(struct rxrpc_call *call, struct sk_buff *skb,
+ /*
+ * Apply a hard ACK by advancing the Tx window.
+ */
+-static void rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,
++static bool rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,
+ struct rxrpc_ack_summary *summary)
+ {
+ struct sk_buff *skb, *list = NULL;
++ bool rot_last = false;
+ int ix;
+ u8 annotation;
+
+@@ -243,15 +244,17 @@ static void rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,
+ skb->next = list;
+ list = skb;
+
+- if (annotation & RXRPC_TX_ANNO_LAST)
++ if (annotation & RXRPC_TX_ANNO_LAST) {
+ set_bit(RXRPC_CALL_TX_LAST, &call->flags);
++ rot_last = true;
++ }
+ if ((annotation & RXRPC_TX_ANNO_MASK) != RXRPC_TX_ANNO_ACK)
+ summary->nr_rot_new_acks++;
+ }
+
+ spin_unlock(&call->lock);
+
+- trace_rxrpc_transmit(call, (test_bit(RXRPC_CALL_TX_LAST, &call->flags) ?
++ trace_rxrpc_transmit(call, (rot_last ?
+ rxrpc_transmit_rotate_last :
+ rxrpc_transmit_rotate));
+ wake_up(&call->waitq);
+@@ -262,6 +265,8 @@ static void rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,
+ skb->next = NULL;
+ rxrpc_free_skb(skb, rxrpc_skb_tx_freed);
+ }
++
++ return rot_last;
+ }
+
+ /*
+@@ -332,11 +337,11 @@ static bool rxrpc_receiving_reply(struct rxrpc_call *call)
+ trace_rxrpc_timer(call, rxrpc_timer_init_for_reply, now);
+ }
+
+- if (!test_bit(RXRPC_CALL_TX_LAST, &call->flags))
+- rxrpc_rotate_tx_window(call, top, &summary);
+ if (!test_bit(RXRPC_CALL_TX_LAST, &call->flags)) {
+- rxrpc_proto_abort("TXL", call, top);
+- return false;
++ if (!rxrpc_rotate_tx_window(call, top, &summary)) {
++ rxrpc_proto_abort("TXL", call, top);
++ return false;
++ }
+ }
+ if (!rxrpc_end_tx_phase(call, true, "ETD"))
+ return false;
+@@ -890,8 +895,12 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb,
+ if (nr_acks > call->tx_top - hard_ack)
+ return rxrpc_proto_abort("AKN", call, 0);
+
+- if (after(hard_ack, call->tx_hard_ack))
+- rxrpc_rotate_tx_window(call, hard_ack, &summary);
++ if (after(hard_ack, call->tx_hard_ack)) {
++ if (rxrpc_rotate_tx_window(call, hard_ack, &summary)) {
++ rxrpc_end_tx_phase(call, false, "ETA");
++ return;
++ }
++ }
+
+ if (nr_acks > 0) {
+ if (skb_copy_bits(skb, offset, buf.acks, nr_acks) < 0)
+@@ -900,11 +909,6 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb,
+ &summary);
+ }
+
+- if (test_bit(RXRPC_CALL_TX_LAST, &call->flags)) {
+- rxrpc_end_tx_phase(call, false, "ETA");
+- return;
+- }
+-
+ if (call->rxtx_annotations[call->tx_top & RXRPC_RXTX_BUFF_MASK] &
+ RXRPC_TX_ANNO_LAST &&
+ summary.nr_acks == call->tx_top - hard_ack &&
+@@ -926,8 +930,7 @@ static void rxrpc_input_ackall(struct rxrpc_call *call, struct sk_buff *skb)
+
+ _proto("Rx ACKALL %%%u", sp->hdr.serial);
+
+- rxrpc_rotate_tx_window(call, call->tx_top, &summary);
+- if (test_bit(RXRPC_CALL_TX_LAST, &call->flags))
++ if (rxrpc_rotate_tx_window(call, call->tx_top, &summary))
+ rxrpc_end_tx_phase(call, false, "ETL");
+ }
+
+--
+2.17.1
+
--- /dev/null
+From db3f3b9a9cc5d4534a4c27011b6f0ce8cbdac7f4 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 27 Sep 2018 15:13:08 +0100
+Subject: rxrpc: Fix checks as to whether we should set up a new call
+
+[ Upstream commit dc71db34e4f3c06b8277c8f3c2ff014610607a8c ]
+
+There's a check in rxrpc_data_ready() that's checking the CLIENT_INITIATED
+flag in the packet type field rather than in the packet flags field.
+
+Fix this by creating a pair of helper functions to check whether the packet
+is going to the client or to the server and use them generally.
+
+Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/ar-internal.h | 10 ++++++++++
+ net/rxrpc/conn_object.c | 2 +-
+ net/rxrpc/input.c | 12 ++++--------
+ 3 files changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
+index 707630ab4713..5069193d2cc1 100644
+--- a/net/rxrpc/ar-internal.h
++++ b/net/rxrpc/ar-internal.h
+@@ -462,6 +462,16 @@ struct rxrpc_connection {
+ u8 out_clientflag; /* RXRPC_CLIENT_INITIATED if we are client */
+ };
+
++static inline bool rxrpc_to_server(const struct rxrpc_skb_priv *sp)
++{
++ return sp->hdr.flags & RXRPC_CLIENT_INITIATED;
++}
++
++static inline bool rxrpc_to_client(const struct rxrpc_skb_priv *sp)
++{
++ return !rxrpc_to_server(sp);
++}
++
+ /*
+ * Flags in call->flags.
+ */
+diff --git a/net/rxrpc/conn_object.c b/net/rxrpc/conn_object.c
+index 4c77a78a252a..c37bf8e282b9 100644
+--- a/net/rxrpc/conn_object.c
++++ b/net/rxrpc/conn_object.c
+@@ -99,7 +99,7 @@ struct rxrpc_connection *rxrpc_find_connection_rcu(struct rxrpc_local *local,
+ k.epoch = sp->hdr.epoch;
+ k.cid = sp->hdr.cid & RXRPC_CIDMASK;
+
+- if (sp->hdr.flags & RXRPC_CLIENT_INITIATED) {
++ if (rxrpc_to_server(sp)) {
+ /* We need to look up service connections by the full protocol
+ * parameter set. We look up the peer first as an intermediate
+ * step and then the connection from the peer's tree.
+diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
+index 608d078a4981..338fbbf216a9 100644
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -1171,10 +1171,6 @@ void rxrpc_data_ready(struct sock *udp_sk)
+
+ trace_rxrpc_rx_packet(sp);
+
+- _net("Rx RxRPC %s ep=%x call=%x:%x",
+- sp->hdr.flags & RXRPC_CLIENT_INITIATED ? "ToServer" : "ToClient",
+- sp->hdr.epoch, sp->hdr.cid, sp->hdr.callNumber);
+-
+ if (sp->hdr.type >= RXRPC_N_PACKET_TYPES ||
+ !((RXRPC_SUPPORTED_PACKET_TYPES >> sp->hdr.type) & 1)) {
+ _proto("Rx Bad Packet Type %u", sp->hdr.type);
+@@ -1183,13 +1179,13 @@ void rxrpc_data_ready(struct sock *udp_sk)
+
+ switch (sp->hdr.type) {
+ case RXRPC_PACKET_TYPE_VERSION:
+- if (!(sp->hdr.flags & RXRPC_CLIENT_INITIATED))
++ if (rxrpc_to_client(sp))
+ goto discard;
+ rxrpc_post_packet_to_local(local, skb);
+ goto out;
+
+ case RXRPC_PACKET_TYPE_BUSY:
+- if (sp->hdr.flags & RXRPC_CLIENT_INITIATED)
++ if (rxrpc_to_server(sp))
+ goto discard;
+ /* Fall through */
+
+@@ -1269,7 +1265,7 @@ void rxrpc_data_ready(struct sock *udp_sk)
+ call = rcu_dereference(chan->call);
+
+ if (sp->hdr.callNumber > chan->call_id) {
+- if (!(sp->hdr.flags & RXRPC_CLIENT_INITIATED)) {
++ if (rxrpc_to_client(sp)) {
+ rcu_read_unlock();
+ goto reject_packet;
+ }
+@@ -1292,7 +1288,7 @@ void rxrpc_data_ready(struct sock *udp_sk)
+ }
+
+ if (!call || atomic_read(&call->usage) == 0) {
+- if (!(sp->hdr.type & RXRPC_CLIENT_INITIATED) ||
++ if (rxrpc_to_client(sp) ||
+ sp->hdr.callNumber == 0 ||
+ sp->hdr.type != RXRPC_PACKET_TYPE_DATA)
+ goto bad_message_unlock;
+--
+2.17.1
+
--- /dev/null
+From 74a2ae1657e6c0ec963fa50a7b7b02aa00dbf379 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Mon, 8 Oct 2018 15:46:17 +0100
+Subject: rxrpc: Fix connection-level abort handling
+
+[ Upstream commit 647530924f47c93db472ee3cf43b7ef1425581b6 ]
+
+Fix connection-level abort handling to cache the abort and error codes
+properly so that a new incoming call can be properly aborted if it races
+with the parent connection being aborted by another CPU.
+
+The abort_code and error parameters can then be dropped from
+rxrpc_abort_calls().
+
+Fixes: f5c17aaeb2ae ("rxrpc: Calls should only have one terminal state")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/ar-internal.h | 4 ++--
+ net/rxrpc/call_accept.c | 4 ++--
+ net/rxrpc/conn_event.c | 26 +++++++++++++++-----------
+ 3 files changed, 19 insertions(+), 15 deletions(-)
+
+diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
+index 707630ab4713..599d6c4e9444 100644
+--- a/net/rxrpc/ar-internal.h
++++ b/net/rxrpc/ar-internal.h
+@@ -449,8 +449,7 @@ struct rxrpc_connection {
+ spinlock_t state_lock; /* state-change lock */
+ enum rxrpc_conn_cache_state cache_state;
+ enum rxrpc_conn_proto_state state; /* current state of connection */
+- u32 local_abort; /* local abort code */
+- u32 remote_abort; /* remote abort code */
++ u32 abort_code; /* Abort code of connection abort */
+ int debug_id; /* debug ID for printks */
+ atomic_t serial; /* packet serial number counter */
+ unsigned int hi_serial; /* highest serial number received */
+@@ -460,6 +459,7 @@ struct rxrpc_connection {
+ u8 security_size; /* security header size */
+ u8 security_ix; /* security type */
+ u8 out_clientflag; /* RXRPC_CLIENT_INITIATED if we are client */
++ short error; /* Local error code */
+ };
+
+ /*
+diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c
+index 9d1e298b784c..0e378d73e856 100644
+--- a/net/rxrpc/call_accept.c
++++ b/net/rxrpc/call_accept.c
+@@ -422,11 +422,11 @@ found_service:
+
+ case RXRPC_CONN_REMOTELY_ABORTED:
+ rxrpc_set_call_completion(call, RXRPC_CALL_REMOTELY_ABORTED,
+- conn->remote_abort, -ECONNABORTED);
++ conn->abort_code, conn->error);
+ break;
+ case RXRPC_CONN_LOCALLY_ABORTED:
+ rxrpc_abort_call("CON", call, sp->hdr.seq,
+- conn->local_abort, -ECONNABORTED);
++ conn->abort_code, conn->error);
+ break;
+ default:
+ BUG();
+diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
+index 3fde001fcc39..5e7c8239e703 100644
+--- a/net/rxrpc/conn_event.c
++++ b/net/rxrpc/conn_event.c
+@@ -126,7 +126,7 @@ static void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn,
+
+ switch (chan->last_type) {
+ case RXRPC_PACKET_TYPE_ABORT:
+- _proto("Tx ABORT %%%u { %d } [re]", serial, conn->local_abort);
++ _proto("Tx ABORT %%%u { %d } [re]", serial, conn->abort_code);
+ break;
+ case RXRPC_PACKET_TYPE_ACK:
+ trace_rxrpc_tx_ack(NULL, serial, chan->last_seq, 0,
+@@ -148,13 +148,12 @@ static void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn,
+ * pass a connection-level abort onto all calls on that connection
+ */
+ static void rxrpc_abort_calls(struct rxrpc_connection *conn,
+- enum rxrpc_call_completion compl,
+- u32 abort_code, int error)
++ enum rxrpc_call_completion compl)
+ {
+ struct rxrpc_call *call;
+ int i;
+
+- _enter("{%d},%x", conn->debug_id, abort_code);
++ _enter("{%d},%x", conn->debug_id, conn->abort_code);
+
+ spin_lock(&conn->channel_lock);
+
+@@ -167,9 +166,11 @@ static void rxrpc_abort_calls(struct rxrpc_connection *conn,
+ trace_rxrpc_abort(call->debug_id,
+ "CON", call->cid,
+ call->call_id, 0,
+- abort_code, error);
++ conn->abort_code,
++ conn->error);
+ if (rxrpc_set_call_completion(call, compl,
+- abort_code, error))
++ conn->abort_code,
++ conn->error))
+ rxrpc_notify_socket(call);
+ }
+ }
+@@ -202,10 +203,12 @@ static int rxrpc_abort_connection(struct rxrpc_connection *conn,
+ return 0;
+ }
+
++ conn->error = error;
++ conn->abort_code = abort_code;
+ conn->state = RXRPC_CONN_LOCALLY_ABORTED;
+ spin_unlock_bh(&conn->state_lock);
+
+- rxrpc_abort_calls(conn, RXRPC_CALL_LOCALLY_ABORTED, abort_code, error);
++ rxrpc_abort_calls(conn, RXRPC_CALL_LOCALLY_ABORTED);
+
+ msg.msg_name = &conn->params.peer->srx.transport;
+ msg.msg_namelen = conn->params.peer->srx.transport_len;
+@@ -224,7 +227,7 @@ static int rxrpc_abort_connection(struct rxrpc_connection *conn,
+ whdr._rsvd = 0;
+ whdr.serviceId = htons(conn->service_id);
+
+- word = htonl(conn->local_abort);
++ word = htonl(conn->abort_code);
+
+ iov[0].iov_base = &whdr;
+ iov[0].iov_len = sizeof(whdr);
+@@ -235,7 +238,7 @@ static int rxrpc_abort_connection(struct rxrpc_connection *conn,
+
+ serial = atomic_inc_return(&conn->serial);
+ whdr.serial = htonl(serial);
+- _proto("Tx CONN ABORT %%%u { %d }", serial, conn->local_abort);
++ _proto("Tx CONN ABORT %%%u { %d }", serial, conn->abort_code);
+
+ ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
+ if (ret < 0) {
+@@ -308,9 +311,10 @@ static int rxrpc_process_event(struct rxrpc_connection *conn,
+ abort_code = ntohl(wtmp);
+ _proto("Rx ABORT %%%u { ac=%d }", sp->hdr.serial, abort_code);
+
++ conn->error = -ECONNABORTED;
++ conn->abort_code = abort_code;
+ conn->state = RXRPC_CONN_REMOTELY_ABORTED;
+- rxrpc_abort_calls(conn, RXRPC_CALL_REMOTELY_ABORTED,
+- abort_code, -ECONNABORTED);
++ rxrpc_abort_calls(conn, RXRPC_CALL_REMOTELY_ABORTED);
+ return -ECONNABORTED;
+
+ case RXRPC_PACKET_TYPE_CHALLENGE:
+--
+2.17.1
+
--- /dev/null
+From 7b5719cbb9abf88e7a2fb8a1da289989ae56b74e Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 27 Sep 2018 15:13:09 +0100
+Subject: rxrpc: Fix error distribution
+
+[ Upstream commit f334430316e7fd37c4821ebec627e27714bb5d76 ]
+
+Fix error distribution by immediately delivering the errors to all the
+affected calls rather than deferring them to a worker thread. The problem
+with the latter is that retries and things can happen in the meantime when we
+want to stop that sooner.
+
+To this end:
+
+ (1) Stop the error distributor from removing calls from the error_targets
+ list so that peer->lock isn't needed to synchronise against other adds
+ and removals.
+
+ (2) Require the peer's error_targets list to be accessed with RCU, thereby
+ avoiding the need to take peer->lock over distribution.
+
+ (3) Don't attempt to affect a call's state if it is already marked complete.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/rxrpc.h | 4 +---
+ net/rxrpc/ar-internal.h | 5 ----
+ net/rxrpc/call_object.c | 2 +-
+ net/rxrpc/conn_client.c | 4 ++--
+ net/rxrpc/conn_object.c | 2 +-
+ net/rxrpc/peer_event.c | 46 +++++++++---------------------------
+ net/rxrpc/peer_object.c | 17 -------------
+ 7 files changed, 16 insertions(+), 64 deletions(-)
+
+diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h
+index 4fff00e9da8a..0a774b64fc29 100644
+--- a/include/trace/events/rxrpc.h
++++ b/include/trace/events/rxrpc.h
+@@ -56,7 +56,6 @@ enum rxrpc_peer_trace {
+ rxrpc_peer_new,
+ rxrpc_peer_processing,
+ rxrpc_peer_put,
+- rxrpc_peer_queued_error,
+ };
+
+ enum rxrpc_conn_trace {
+@@ -257,8 +256,7 @@ enum rxrpc_tx_fail_trace {
+ EM(rxrpc_peer_got, "GOT") \
+ EM(rxrpc_peer_new, "NEW") \
+ EM(rxrpc_peer_processing, "PRO") \
+- EM(rxrpc_peer_put, "PUT") \
+- E_(rxrpc_peer_queued_error, "QER")
++ E_(rxrpc_peer_put, "PUT")
+
+ #define rxrpc_conn_traces \
+ EM(rxrpc_conn_got, "GOT") \
+diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
+index 5069193d2cc1..4718d08c0af1 100644
+--- a/net/rxrpc/ar-internal.h
++++ b/net/rxrpc/ar-internal.h
+@@ -293,7 +293,6 @@ struct rxrpc_peer {
+ struct hlist_node hash_link;
+ struct rxrpc_local *local;
+ struct hlist_head error_targets; /* targets for net error distribution */
+- struct work_struct error_distributor;
+ struct rb_root service_conns; /* Service connections */
+ struct list_head keepalive_link; /* Link in net->peer_keepalive[] */
+ time64_t last_tx_at; /* Last time packet sent here */
+@@ -304,8 +303,6 @@ struct rxrpc_peer {
+ unsigned int maxdata; /* data size (MTU - hdrsize) */
+ unsigned short hdrsize; /* header size (IP + UDP + RxRPC) */
+ int debug_id; /* debug ID for printks */
+- int error_report; /* Net (+0) or local (+1000000) to distribute */
+-#define RXRPC_LOCAL_ERROR_OFFSET 1000000
+ struct sockaddr_rxrpc srx; /* remote address */
+
+ /* calculated RTT cache */
+@@ -1039,7 +1036,6 @@ void rxrpc_send_keepalive(struct rxrpc_peer *);
+ * peer_event.c
+ */
+ void rxrpc_error_report(struct sock *);
+-void rxrpc_peer_error_distributor(struct work_struct *);
+ void rxrpc_peer_add_rtt(struct rxrpc_call *, enum rxrpc_rtt_rx_trace,
+ rxrpc_serial_t, rxrpc_serial_t, ktime_t, ktime_t);
+ void rxrpc_peer_keepalive_worker(struct work_struct *);
+@@ -1058,7 +1054,6 @@ void rxrpc_destroy_all_peers(struct rxrpc_net *);
+ struct rxrpc_peer *rxrpc_get_peer(struct rxrpc_peer *);
+ struct rxrpc_peer *rxrpc_get_peer_maybe(struct rxrpc_peer *);
+ void rxrpc_put_peer(struct rxrpc_peer *);
+-void __rxrpc_queue_peer_error(struct rxrpc_peer *);
+
+ /*
+ * proc.c
+diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c
+index f6734d8cb01a..ed69257203c2 100644
+--- a/net/rxrpc/call_object.c
++++ b/net/rxrpc/call_object.c
+@@ -400,7 +400,7 @@ void rxrpc_incoming_call(struct rxrpc_sock *rx,
+ rcu_assign_pointer(conn->channels[chan].call, call);
+
+ spin_lock(&conn->params.peer->lock);
+- hlist_add_head(&call->error_link, &conn->params.peer->error_targets);
++ hlist_add_head_rcu(&call->error_link, &conn->params.peer->error_targets);
+ spin_unlock(&conn->params.peer->lock);
+
+ _net("CALL incoming %d on CONN %d", call->debug_id, call->conn->debug_id);
+diff --git a/net/rxrpc/conn_client.c b/net/rxrpc/conn_client.c
+index 5736f643c516..0be19132202b 100644
+--- a/net/rxrpc/conn_client.c
++++ b/net/rxrpc/conn_client.c
+@@ -709,8 +709,8 @@ int rxrpc_connect_call(struct rxrpc_call *call,
+ }
+
+ spin_lock_bh(&call->conn->params.peer->lock);
+- hlist_add_head(&call->error_link,
+- &call->conn->params.peer->error_targets);
++ hlist_add_head_rcu(&call->error_link,
++ &call->conn->params.peer->error_targets);
+ spin_unlock_bh(&call->conn->params.peer->lock);
+
+ out:
+diff --git a/net/rxrpc/conn_object.c b/net/rxrpc/conn_object.c
+index c37bf8e282b9..e0d6d0fb7426 100644
+--- a/net/rxrpc/conn_object.c
++++ b/net/rxrpc/conn_object.c
+@@ -214,7 +214,7 @@ void rxrpc_disconnect_call(struct rxrpc_call *call)
+ call->peer->cong_cwnd = call->cong_cwnd;
+
+ spin_lock_bh(&conn->params.peer->lock);
+- hlist_del_init(&call->error_link);
++ hlist_del_rcu(&call->error_link);
+ spin_unlock_bh(&conn->params.peer->lock);
+
+ if (rxrpc_is_client_call(call))
+diff --git a/net/rxrpc/peer_event.c b/net/rxrpc/peer_event.c
+index 4f9da2f51c69..f3e6fc670da2 100644
+--- a/net/rxrpc/peer_event.c
++++ b/net/rxrpc/peer_event.c
+@@ -23,6 +23,8 @@
+ #include "ar-internal.h"
+
+ static void rxrpc_store_error(struct rxrpc_peer *, struct sock_exterr_skb *);
++static void rxrpc_distribute_error(struct rxrpc_peer *, int,
++ enum rxrpc_call_completion);
+
+ /*
+ * Find the peer associated with an ICMP packet.
+@@ -194,8 +196,6 @@ void rxrpc_error_report(struct sock *sk)
+ rcu_read_unlock();
+ rxrpc_free_skb(skb, rxrpc_skb_rx_freed);
+
+- /* The ref we obtained is passed off to the work item */
+- __rxrpc_queue_peer_error(peer);
+ _leave("");
+ }
+
+@@ -205,6 +205,7 @@ void rxrpc_error_report(struct sock *sk)
+ static void rxrpc_store_error(struct rxrpc_peer *peer,
+ struct sock_exterr_skb *serr)
+ {
++ enum rxrpc_call_completion compl = RXRPC_CALL_NETWORK_ERROR;
+ struct sock_extended_err *ee;
+ int err;
+
+@@ -255,7 +256,7 @@ static void rxrpc_store_error(struct rxrpc_peer *peer,
+ case SO_EE_ORIGIN_NONE:
+ case SO_EE_ORIGIN_LOCAL:
+ _proto("Rx Received local error { error=%d }", err);
+- err += RXRPC_LOCAL_ERROR_OFFSET;
++ compl = RXRPC_CALL_LOCAL_ERROR;
+ break;
+
+ case SO_EE_ORIGIN_ICMP6:
+@@ -264,48 +265,23 @@ static void rxrpc_store_error(struct rxrpc_peer *peer,
+ break;
+ }
+
+- peer->error_report = err;
++ rxrpc_distribute_error(peer, err, compl);
+ }
+
+ /*
+- * Distribute an error that occurred on a peer
++ * Distribute an error that occurred on a peer.
+ */
+-void rxrpc_peer_error_distributor(struct work_struct *work)
++static void rxrpc_distribute_error(struct rxrpc_peer *peer, int error,
++ enum rxrpc_call_completion compl)
+ {
+- struct rxrpc_peer *peer =
+- container_of(work, struct rxrpc_peer, error_distributor);
+ struct rxrpc_call *call;
+- enum rxrpc_call_completion compl;
+- int error;
+-
+- _enter("");
+-
+- error = READ_ONCE(peer->error_report);
+- if (error < RXRPC_LOCAL_ERROR_OFFSET) {
+- compl = RXRPC_CALL_NETWORK_ERROR;
+- } else {
+- compl = RXRPC_CALL_LOCAL_ERROR;
+- error -= RXRPC_LOCAL_ERROR_OFFSET;
+- }
+
+- _debug("ISSUE ERROR %s %d", rxrpc_call_completions[compl], error);
+-
+- spin_lock_bh(&peer->lock);
+-
+- while (!hlist_empty(&peer->error_targets)) {
+- call = hlist_entry(peer->error_targets.first,
+- struct rxrpc_call, error_link);
+- hlist_del_init(&call->error_link);
++ hlist_for_each_entry_rcu(call, &peer->error_targets, error_link) {
+ rxrpc_see_call(call);
+-
+- if (rxrpc_set_call_completion(call, compl, 0, -error))
++ if (call->state < RXRPC_CALL_COMPLETE &&
++ rxrpc_set_call_completion(call, compl, 0, -error))
+ rxrpc_notify_socket(call);
+ }
+-
+- spin_unlock_bh(&peer->lock);
+-
+- rxrpc_put_peer(peer);
+- _leave("");
+ }
+
+ /*
+diff --git a/net/rxrpc/peer_object.c b/net/rxrpc/peer_object.c
+index 24ec7cdcf332..ef4c2e8a35cc 100644
+--- a/net/rxrpc/peer_object.c
++++ b/net/rxrpc/peer_object.c
+@@ -222,8 +222,6 @@ struct rxrpc_peer *rxrpc_alloc_peer(struct rxrpc_local *local, gfp_t gfp)
+ atomic_set(&peer->usage, 1);
+ peer->local = local;
+ INIT_HLIST_HEAD(&peer->error_targets);
+- INIT_WORK(&peer->error_distributor,
+- &rxrpc_peer_error_distributor);
+ peer->service_conns = RB_ROOT;
+ seqlock_init(&peer->service_conn_lock);
+ spin_lock_init(&peer->lock);
+@@ -415,21 +413,6 @@ struct rxrpc_peer *rxrpc_get_peer_maybe(struct rxrpc_peer *peer)
+ return peer;
+ }
+
+-/*
+- * Queue a peer record. This passes the caller's ref to the workqueue.
+- */
+-void __rxrpc_queue_peer_error(struct rxrpc_peer *peer)
+-{
+- const void *here = __builtin_return_address(0);
+- int n;
+-
+- n = atomic_read(&peer->usage);
+- if (rxrpc_queue_work(&peer->error_distributor))
+- trace_rxrpc_peer(peer, rxrpc_peer_queued_error, n, here);
+- else
+- rxrpc_put_peer(peer);
+-}
+-
+ /*
+ * Discard a peer record.
+ */
+--
+2.17.1
+
--- /dev/null
+From 9dc3e2288fb483d44be72ceb8ec4997613b0d2ed Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 27 Sep 2018 15:13:08 +0100
+Subject: rxrpc: Fix RTT gathering
+
+[ Upstream commit b604dd9883f783a94020d772e4fe03160f455372 ]
+
+Fix RTT information gathering in AF_RXRPC by the following means:
+
+ (1) Enable Rx timestamping on the transport socket with SO_TIMESTAMPNS.
+
+ (2) If the sk_buff doesn't have a timestamp set when rxrpc_data_ready()
+ collects it, set it at that point.
+
+ (3) Allow ACKs to be requested on the last packet of a client call, but
+ not a service call. We need to be careful lest we undo:
+
+ bf7d620abf22c321208a4da4f435e7af52551a21
+ Author: David Howells <dhowells@redhat.com>
+ Date: Thu Oct 6 08:11:51 2016 +0100
+ rxrpc: Don't request an ACK on the last DATA packet of a call's Tx phase
+
+ but that only really applies to service calls that we're handling,
+ since the client side gets to send the final ACK (or not).
+
+ (4) When about to transmit an ACK or DATA packet, record the Tx timestamp
+ before only; don't update the timestamp afterwards.
+
+ (5) Switch the ordering between recording the serial and recording the
+ timestamp to always set the serial number first. The serial number
+ shouldn't be seen referenced by an ACK packet until we've transmitted
+ the packet bearing it - so in the Rx path, we don't need the timestamp
+ until we've checked the serial number.
+
+Fixes: cf1a6474f807 ("rxrpc: Add per-peer RTT tracker")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/input.c | 8 ++++++--
+ net/rxrpc/local_object.c | 9 +++++++++
+ net/rxrpc/output.c | 31 ++++++++++++++++++-------------
+ 3 files changed, 33 insertions(+), 15 deletions(-)
+
+diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
+index 338fbbf216a9..f6027c875876 100644
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -616,13 +616,14 @@ static void rxrpc_input_requested_ack(struct rxrpc_call *call,
+ if (!skb)
+ continue;
+
++ sent_at = skb->tstamp;
++ smp_rmb(); /* Read timestamp before serial. */
+ sp = rxrpc_skb(skb);
+ if (sp->hdr.serial != orig_serial)
+ continue;
+- smp_rmb();
+- sent_at = skb->tstamp;
+ goto found;
+ }
++
+ return;
+
+ found:
+@@ -1137,6 +1138,9 @@ void rxrpc_data_ready(struct sock *udp_sk)
+ return;
+ }
+
++ if (skb->tstamp == 0)
++ skb->tstamp = ktime_get_real();
++
+ rxrpc_new_skb(skb, rxrpc_skb_rx_received);
+
+ _net("recv skb %p", skb);
+diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c
+index b493e6b62740..5d89ea5c1976 100644
+--- a/net/rxrpc/local_object.c
++++ b/net/rxrpc/local_object.c
+@@ -173,6 +173,15 @@ static int rxrpc_open_socket(struct rxrpc_local *local, struct net *net)
+ _debug("setsockopt failed");
+ goto error;
+ }
++
++ /* We want receive timestamps. */
++ opt = 1;
++ ret = kernel_setsockopt(local->socket, SOL_SOCKET, SO_TIMESTAMPNS,
++ (char *)&opt, sizeof(opt));
++ if (ret < 0) {
++ _debug("setsockopt failed");
++ goto error;
++ }
+ break;
+
+ default:
+diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c
+index 4774c8f5634d..6ac21bb2071d 100644
+--- a/net/rxrpc/output.c
++++ b/net/rxrpc/output.c
+@@ -124,7 +124,6 @@ int rxrpc_send_ack_packet(struct rxrpc_call *call, bool ping,
+ struct kvec iov[2];
+ rxrpc_serial_t serial;
+ rxrpc_seq_t hard_ack, top;
+- ktime_t now;
+ size_t len, n;
+ int ret;
+ u8 reason;
+@@ -196,9 +195,7 @@ int rxrpc_send_ack_packet(struct rxrpc_call *call, bool ping,
+ /* We need to stick a time in before we send the packet in case
+ * the reply gets back before kernel_sendmsg() completes - but
+ * asking UDP to send the packet can take a relatively long
+- * time, so we update the time after, on the assumption that
+- * the packet transmission is more likely to happen towards the
+- * end of the kernel_sendmsg() call.
++ * time.
+ */
+ call->ping_time = ktime_get_real();
+ set_bit(RXRPC_CALL_PINGING, &call->flags);
+@@ -206,9 +203,6 @@ int rxrpc_send_ack_packet(struct rxrpc_call *call, bool ping,
+ }
+
+ ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
+- now = ktime_get_real();
+- if (ping)
+- call->ping_time = now;
+ conn->params.peer->last_tx_at = ktime_get_seconds();
+ if (ret < 0)
+ trace_rxrpc_tx_fail(call->debug_id, serial, ret,
+@@ -357,8 +351,14 @@ int rxrpc_send_data_packet(struct rxrpc_call *call, struct sk_buff *skb,
+
+ /* If our RTT cache needs working on, request an ACK. Also request
+ * ACKs if a DATA packet appears to have been lost.
++ *
++ * However, we mustn't request an ACK on the last reply packet of a
++ * service call, lest OpenAFS incorrectly send us an ACK with some
++ * soft-ACKs in it and then never follow up with a proper hard ACK.
+ */
+- if (!(sp->hdr.flags & RXRPC_LAST_PACKET) &&
++ if ((!(sp->hdr.flags & RXRPC_LAST_PACKET) ||
++ rxrpc_to_server(sp)
++ ) &&
+ (test_and_clear_bit(RXRPC_CALL_EV_ACK_LOST, &call->events) ||
+ retrans ||
+ call->cong_mode == RXRPC_CALL_SLOW_START ||
+@@ -384,6 +384,11 @@ int rxrpc_send_data_packet(struct rxrpc_call *call, struct sk_buff *skb,
+ goto send_fragmentable;
+
+ down_read(&conn->params.local->defrag_sem);
++
++ sp->hdr.serial = serial;
++ smp_wmb(); /* Set serial before timestamp */
++ skb->tstamp = ktime_get_real();
++
+ /* send the packet by UDP
+ * - returns -EMSGSIZE if UDP would have to fragment the packet
+ * to go out of the interface
+@@ -404,12 +409,8 @@ done:
+ trace_rxrpc_tx_data(call, sp->hdr.seq, serial, whdr.flags,
+ retrans, lost);
+ if (ret >= 0) {
+- ktime_t now = ktime_get_real();
+- skb->tstamp = now;
+- smp_wmb();
+- sp->hdr.serial = serial;
+ if (whdr.flags & RXRPC_REQUEST_ACK) {
+- call->peer->rtt_last_req = now;
++ call->peer->rtt_last_req = skb->tstamp;
+ trace_rxrpc_rtt_tx(call, rxrpc_rtt_tx_data, serial);
+ if (call->peer->rtt_usage > 1) {
+ unsigned long nowj = jiffies, ack_lost_at;
+@@ -448,6 +449,10 @@ send_fragmentable:
+
+ down_write(&conn->params.local->defrag_sem);
+
++ sp->hdr.serial = serial;
++ smp_wmb(); /* Set serial before timestamp */
++ skb->tstamp = ktime_get_real();
++
+ switch (conn->params.local->srx.transport.family) {
+ case AF_INET:
+ opt = IP_PMTUDISC_DONT;
+--
+2.17.1
+
--- /dev/null
+From 978b37f142675e7e5802e300159dd6d8dcfea381 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 27 Sep 2018 15:13:09 +0100
+Subject: rxrpc: Fix transport sockopts to get IPv4 errors on an IPv6 socket
+
+[ Upstream commit 37a675e768d7606fe8a53e0c459c9b53e121ac20 ]
+
+It seems that enabling IPV6_RECVERR on an IPv6 socket doesn't also turn on
+IP_RECVERR, so neither local errors nor ICMP-transported remote errors from
+IPv4 peer addresses are returned to the AF_RXRPC protocol.
+
+Make the sockopt setting code in rxrpc_open_socket() fall through from the
+AF_INET6 case to the AF_INET case to turn on all the AF_INET options too in
+the AF_INET6 case.
+
+Fixes: f2aeed3a591f ("rxrpc: Fix error reception on AF_INET6 sockets")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/local_object.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c
+index 5d89ea5c1976..386dc1f20c73 100644
+--- a/net/rxrpc/local_object.c
++++ b/net/rxrpc/local_object.c
+@@ -135,10 +135,10 @@ static int rxrpc_open_socket(struct rxrpc_local *local, struct net *net)
+ }
+
+ switch (local->srx.transport.family) {
+- case AF_INET:
+- /* we want to receive ICMP errors */
++ case AF_INET6:
++ /* we want to receive ICMPv6 errors */
+ opt = 1;
+- ret = kernel_setsockopt(local->socket, SOL_IP, IP_RECVERR,
++ ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_RECVERR,
+ (char *) &opt, sizeof(opt));
+ if (ret < 0) {
+ _debug("setsockopt failed");
+@@ -146,19 +146,22 @@ static int rxrpc_open_socket(struct rxrpc_local *local, struct net *net)
+ }
+
+ /* we want to set the don't fragment bit */
+- opt = IP_PMTUDISC_DO;
+- ret = kernel_setsockopt(local->socket, SOL_IP, IP_MTU_DISCOVER,
++ opt = IPV6_PMTUDISC_DO;
++ ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_MTU_DISCOVER,
+ (char *) &opt, sizeof(opt));
+ if (ret < 0) {
+ _debug("setsockopt failed");
+ goto error;
+ }
+- break;
+
+- case AF_INET6:
++ /* Fall through and set IPv4 options too otherwise we don't get
++ * errors from IPv4 packets sent through the IPv6 socket.
++ */
++
++ case AF_INET:
+ /* we want to receive ICMP errors */
+ opt = 1;
+- ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_RECVERR,
++ ret = kernel_setsockopt(local->socket, SOL_IP, IP_RECVERR,
+ (char *) &opt, sizeof(opt));
+ if (ret < 0) {
+ _debug("setsockopt failed");
+@@ -166,8 +169,8 @@ static int rxrpc_open_socket(struct rxrpc_local *local, struct net *net)
+ }
+
+ /* we want to set the don't fragment bit */
+- opt = IPV6_PMTUDISC_DO;
+- ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_MTU_DISCOVER,
++ opt = IP_PMTUDISC_DO;
++ ret = kernel_setsockopt(local->socket, SOL_IP, IP_MTU_DISCOVER,
+ (char *) &opt, sizeof(opt));
+ if (ret < 0) {
+ _debug("setsockopt failed");
+--
+2.17.1
+
--- /dev/null
+From f02d5459622c47fbf710a5b7c18ab79e9f265885 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Mon, 8 Oct 2018 15:46:11 +0100
+Subject: rxrpc: Only take the rwind and mtu values from latest ACK
+
+[ Upstream commit 298bc15b2079c324e82d0a6fda39c3d762af7282 ]
+
+Move the out-of-order and duplicate ACK packet check to before the call to
+rxrpc_input_ackinfo() so that the receive window size and MTU size are only
+checked in the latest ACK packet and don't regress.
+
+Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/input.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
+index fe1cf206d12a..b768b170f0e7 100644
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -861,6 +861,16 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb,
+ rxrpc_propose_ack_respond_to_ack);
+ }
+
++ /* Discard any out-of-order or duplicate ACKs. */
++ if (before_eq(sp->hdr.serial, call->acks_latest)) {
++ _debug("discard ACK %d <= %d",
++ sp->hdr.serial, call->acks_latest);
++ return;
++ }
++ call->acks_latest_ts = skb->tstamp;
++ call->acks_latest = sp->hdr.serial;
++
++ /* Parse rwind and mtu sizes if provided. */
+ ioffset = offset + nr_acks + 3;
+ if (skb->len >= ioffset + sizeof(buf.info)) {
+ if (skb_copy_bits(skb, ioffset, &buf.info, sizeof(buf.info)) < 0)
+@@ -882,15 +892,6 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb,
+ return;
+ }
+
+- /* Discard any out-of-order or duplicate ACKs. */
+- if (before_eq(sp->hdr.serial, call->acks_latest)) {
+- _debug("discard ACK %d <= %d",
+- sp->hdr.serial, call->acks_latest);
+- return;
+- }
+- call->acks_latest_ts = skb->tstamp;
+- call->acks_latest = sp->hdr.serial;
+-
+ if (before(hard_ack, call->tx_hard_ack) ||
+ after(hard_ack, call->tx_top))
+ return rxrpc_proto_abort("AKW", call, 0);
+--
+2.17.1
+
--- /dev/null
+From a984ee83596437d1b3cc2b4d9854cb7134f87dc4 Mon Sep 17 00:00:00 2001
+From: Nilesh Javali <nilesh.javali@cavium.com>
+Date: Thu, 27 Sep 2018 05:15:35 -0700
+Subject: scsi: qedi: Initialize the stats mutex lock
+
+[ Upstream commit 3cc5746e5ad7688e274e193fa71278d98aa52759 ]
+
+Fix kernel NULL pointer dereference,
+
+Call Trace:
+ [<ffffffff9b7658e6>] __mutex_lock_slowpath+0xa6/0x1d0
+ [<ffffffff9b764cef>] mutex_lock+0x1f/0x2f
+ [<ffffffffc061b5e1>] qedi_get_protocol_tlv_data+0x61/0x450 [qedi]
+ [<ffffffff9b1f9d8e>] ? map_vm_area+0x2e/0x40
+ [<ffffffff9b1fc370>] ? __vmalloc_node_range+0x170/0x280
+ [<ffffffffc0b81c3d>] ? qed_mfw_process_tlv_req+0x27d/0xbd0 [qed]
+ [<ffffffffc0b6461b>] qed_mfw_fill_tlv_data+0x4b/0xb0 [qed]
+ [<ffffffffc0b81c59>] qed_mfw_process_tlv_req+0x299/0xbd0 [qed]
+ [<ffffffff9b02a59e>] ? __switch_to+0xce/0x580
+ [<ffffffffc0b61e5b>] qed_slowpath_task+0x5b/0x80 [qed]
+
+Signed-off-by: Nilesh Javali <nilesh.javali@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedi/qedi_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/qedi/qedi_main.c b/drivers/scsi/qedi/qedi_main.c
+index 3e18a68c2b03..054e66d93ed6 100644
+--- a/drivers/scsi/qedi/qedi_main.c
++++ b/drivers/scsi/qedi/qedi_main.c
+@@ -2472,6 +2472,7 @@ static int __qedi_probe(struct pci_dev *pdev, int mode)
+ /* start qedi context */
+ spin_lock_init(&qedi->hba_lock);
+ spin_lock_init(&qedi->task_idx_lock);
++ mutex_init(&qedi->stats_lock);
+ }
+ qedi_ops->ll2->register_cb_ops(qedi->cdev, &qedi_ll2_cb_ops, qedi);
+ qedi_ops->ll2->start(qedi->cdev, ¶ms);
+--
+2.17.1
+
--- /dev/null
+From ba67fc8b8e4bf2a9e0077112d643bdec2faaae4f Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Thu, 11 Oct 2018 10:54:52 +0200
+Subject: selftests: rtnetlink.sh explicitly requires bash.
+
+[ Upstream commit 3c718e677c2b35b449992adc36ecce883c467e98 ]
+
+the script rtnetlink.sh requires a bash-only features (sleep with sub-second
+precision). This may cause random test failure if the default shell is not
+bash.
+Address the above explicitly requiring bash as the script interpreter.
+
+Fixes: 33b01b7b4f19 ("selftests: add rtnetlink test script")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/rtnetlink.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh
+index 0d7a44fa30af..8e509cbcb209 100755
+--- a/tools/testing/selftests/net/rtnetlink.sh
++++ b/tools/testing/selftests/net/rtnetlink.sh
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ #
+ # This test is for checking rtnetlink callpaths, and get as much coverage as possible.
+ #
+--
+2.17.1
+
--- /dev/null
+From aeb295a3525cfff808b0739fb8a490344509e7ed Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Thu, 11 Oct 2018 10:54:53 +0200
+Subject: selftests: udpgso_bench.sh explicitly requires bash
+
+[ Upstream commit 12a2ea962c06efb30764c47b140d2ec9d3cd7cb0 ]
+
+The udpgso_bench.sh script requires several bash-only features. This
+may cause random failures if the default shell is not bash.
+Address the above explicitly requiring bash as the script interpreter
+
+Fixes: 3a687bef148d ("selftests: udp gso benchmark")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/udpgso_bench.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/udpgso_bench.sh b/tools/testing/selftests/net/udpgso_bench.sh
+index 850767befa47..99e537ab5ad9 100755
+--- a/tools/testing/selftests/net/udpgso_bench.sh
++++ b/tools/testing/selftests/net/udpgso_bench.sh
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ # SPDX-License-Identifier: GPL-2.0
+ #
+ # Run a series of udpgso benchmarks
+--
+2.17.1
+
--- /dev/null
+xfrm-validate-address-prefix-lengths-in-the-xfrm-sel.patch
+xfrm6-call-kfree_skb-when-skb-is-toobig.patch
+xfrm-reset-transport-header-back-to-network-header-a.patch
+xfrm-reset-crypto_done-when-iterating-over-multiple-.patch
+mac80211-always-report-tx-status.patch
+cfg80211-reg-init-wiphy_idx-in-regulatory_hint_core.patch
+mac80211-fix-pending-queue-hang-due-to-tx_drop.patch
+cfg80211-address-some-corner-cases-in-scan-result-ch.patch
+mac80211-tdls-fix-skb-queue-priority-assignment.patch
+mac80211-fix-tx-status-reporting-for-ieee80211s.patch
+xfrm-fix-null-pointer-dereference-when-skb_dst_force.patch
+arm-8799-1-mm-fix-pci_ioremap_io-offset-check.patch
+xfrm-validate-template-mode.patch
+drm-i2c-tda9950-fix-timeout-counter-check.patch
+drm-i2c-tda9950-set-max_retries-for-errors-only.patch
+netfilter-bridge-don-t-sabotage-nf_hook-calls-from-a.patch
+netfilter-conntrack-get-rid-of-double-sizeof.patch
+arm64-hugetlb-fix-handling-of-young-ptes.patch
+arm-dts-bcm63xx-fix-incorrect-interrupt-specifiers.patch
+net-macb-clean-64b-dma-addresses-if-they-are-not-det.patch
+soc-fsl-qbman-qman-avoid-allocating-from-non-existin.patch
+soc-fsl-qe-fix-copy-paste-bug-in-ucc_get_tdm_sync_sh.patch
+nl80211-fix-possible-spectre-v1-for-nl80211_txrate_h.patch
+mac80211_hwsim-fix-locking-when-iterating-radios-dur.patch
+mac80211_hwsim-fix-race-in-radio-destruction-from-ne.patch
+mac80211_hwsim-do-not-omit-multicast-announce-of-fir.patch
+bluetooth-smp-fix-crash-in-unpairing.patch
+pxa168fb-prepare-the-clock.patch
+qed-avoid-implicit-enum-conversion-in-qed_set_tunn_c.patch
+qed-fix-mask-parameter-in-qed_vf_prep_tunn_req_tlv.patch
+qed-avoid-implicit-enum-conversion-in-qed_roce_mode_.patch
+qed-avoid-constant-logical-operation-warning-in-qed_.patch
+qed-avoid-implicit-enum-conversion-in-qed_iwarp_pars.patch
+nl80211-fix-possible-spectre-v1-for-cqm-rssi-thresho.patch
+scsi-qedi-initialize-the-stats-mutex-lock.patch
+rxrpc-fix-checks-as-to-whether-we-should-set-up-a-ne.patch
+rxrpc-fix-rtt-gathering.patch
+rxrpc-fix-transport-sockopts-to-get-ipv4-errors-on-a.patch
+rxrpc-fix-error-distribution.patch
+netfilter-nft_set_rbtree-add-missing-rb_erase-in-gc-.patch
+netfilter-avoid-erronous-array-bounds-warning.patch
+asix-check-for-supported-wake-on-lan-modes.patch
+ax88179_178a-check-for-supported-wake-on-lan-modes.patch
+lan78xx-check-for-supported-wake-on-lan-modes.patch
+sr9800-check-for-supported-wake-on-lan-modes.patch
+r8152-check-for-supported-wake-on-lan-modes.patch
+smsc75xx-check-for-wake-on-lan-modes.patch
+smsc95xx-check-for-wake-on-lan-modes.patch
+cfg80211-fix-use-after-free-in-reg_process_hint.patch
+kvm-nvmx-do-not-expose-mpx-vmx-controls-when-guest-m.patch
+kvm-x86-do-not-use-kvm_x86_ops-mpx_supported-directl.patch
+kvm-nvmx-fix-emulation-of-vm_entry_load_bndcfgs.patch
+perf-core-fix-perf_pmu_unregister-locking.patch
+perf-x86-intel-uncore-use-boot_cpu_data.phys_proc_id.patch
+perf-ring_buffer-prevent-concurent-ring-buffer-acces.patch
+perf-x86-intel-uncore-fix-pci-bdf-address-of-m3upi-o.patch
+perf-x86-amd-uncore-set-threadmask-and-slicemask-for.patch
+thunderbolt-do-not-handle-icm-events-after-domain-is.patch
+thunderbolt-initialize-after-iommus.patch
+net-fec-fix-rare-tx-timeout.patch
+declance-fix-continuation-with-the-adapter-identific.patch
+riscv-fix-end-pfn-for-low-memory.patch
+revert-serial-8250_dw-fix-runtime-pm-handling.patch
+locking-ww_mutex-fix-runtime-warning-in-the-ww-mutex.patch
+drm-amd-display-signal-hw_done-after-waiting-for-fli.patch
+be2net-don-t-flip-hw_features-when-vxlans-are-added-.patch
+powerpc-numa-skip-onlining-a-offline-node-in-kdump-p.patch
+net-cxgb3_main-fix-a-missing-check-bug.patch
+yam-fix-a-missing-check-bug.patch
+ocfs2-fix-crash-in-ocfs2_duplicate_clusters_by_page.patch
+mm-gup_benchmark-fix-unsigned-comparison-to-zero-in-.patch
+mm-migrate.c-split-only-transparent-huge-pages-when-.patch
+x86-paravirt-fix-some-warning-messages.patch
+clk-mvebu-armada-37xx-periph-remove-unused-var-num_p.patch
+libertas-call-into-generic-suspend-code-before-turni.patch
+perf-report-don-t-try-to-map-ip-to-invalid-map.patch
+tls-fix-improper-revert-in-zerocopy_from_iter.patch
+hid-i2c-hid-remove-resend_report_descr-quirk-and-its.patch
+compiler.h-allow-arch-specific-asm-compiler.h.patch
+arm-dts-imx53-qsb-disable-1.2ghz-opp.patch
+perf-python-use-wno-redundant-decls-to-build-with-py.patch
+perf-record-use-unmapped-ip-for-inline-callchain-cur.patch
+rxrpc-don-t-check-rxrpc_call_tx_last-after-calling-r.patch
+rxrpc-carry-call-state-out-of-locked-section-in-rxrp.patch
+rxrpc-only-take-the-rwind-and-mtu-values-from-latest.patch
+rxrpc-fix-connection-level-abort-handling.patch
+kvm-x86-support-config_kvm_amd-y-with-config_crypto_.patch
+net-ena-fix-warning-in-rmmod-caused-by-double-iounma.patch
+net-ena-fix-rare-bug-when-failed-restart-resume-is-f.patch
+net-ena-fix-null-dereference-due-to-untimely-napi-in.patch
+gpio-assign-gpio_irq_chip-parents-to-non-stack-point.patch
+ib-mlx5-unmap-dma-addr-from-hca-before-iommu.patch
+rds-rds-tcp-hangs-on-sendto-to-unresponding-address.patch
+selftests-rtnetlink.sh-explicitly-requires-bash.patch
+selftests-udpgso_bench.sh-explicitly-requires-bash.patch
+vmlinux.lds.h-fix-incomplete-.text.exit-discards.patch
+vmlinux.lds.h-fix-linker-warnings-about-orphan-.lpbx.patch
+afs-fix-cell-proc-list.patch
+fs-fat-fatent.c-add-cond_resched-to-fat_count_free_c.patch
--- /dev/null
+From d03fe1488bb708acd05fdcf045e023b36f08929a Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:55 -0700
+Subject: smsc75xx: Check for Wake-on-LAN modes
+
+[ Upstream commit 9c734b2769a73eea2e9e9767c0e0bf839ff23679 ]
+
+The driver does not check for Wake-on-LAN modes specified by an user,
+but will conditionally set the device as wake-up enabled or not based on
+that, which could be a very confusing user experience.
+
+Fixes: 6c636503260d ("smsc75xx: add wol magic packet support")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc75xx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
+index b64b1ee56d2d..ec287c9741e8 100644
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -731,6 +731,9 @@ static int smsc75xx_ethtool_set_wol(struct net_device *net,
+ struct smsc75xx_priv *pdata = (struct smsc75xx_priv *)(dev->data[0]);
+ int ret;
+
++ if (wolinfo->wolopts & ~SUPPORTED_WAKE)
++ return -EINVAL;
++
+ pdata->wolopts = wolinfo->wolopts & SUPPORTED_WAKE;
+
+ ret = device_set_wakeup_enable(&dev->udev->dev, pdata->wolopts);
+--
+2.17.1
+
--- /dev/null
+From 5a6422ae26d1803ed8ebabdc848cc8f56ab31376 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:56 -0700
+Subject: smsc95xx: Check for Wake-on-LAN modes
+
+[ Upstream commit c530c471ba37bdd9fe1c7185b01455c00ae606fb ]
+
+The driver does not check for Wake-on-LAN modes specified by an user,
+but will conditionally set the device as wake-up enabled or not based on
+that, which could be a very confusing user experience.
+
+Fixes: e0e474a83c18 ("smsc95xx: add wol magic packet support")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc95xx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
+index 06b4d290784d..262e7a3c23cb 100644
+--- a/drivers/net/usb/smsc95xx.c
++++ b/drivers/net/usb/smsc95xx.c
+@@ -774,6 +774,9 @@ static int smsc95xx_ethtool_set_wol(struct net_device *net,
+ struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]);
+ int ret;
+
++ if (wolinfo->wolopts & ~SUPPORTED_WAKE)
++ return -EINVAL;
++
+ pdata->wolopts = wolinfo->wolopts & SUPPORTED_WAKE;
+
+ ret = device_set_wakeup_enable(&dev->udev->dev, pdata->wolopts);
+--
+2.17.1
+
--- /dev/null
+From 36fa6bb69266ab902f868bd734ec86e5404fabc8 Mon Sep 17 00:00:00 2001
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Thu, 23 Aug 2018 23:36:00 +0200
+Subject: soc: fsl: qbman: qman: avoid allocating from non existing gen_pool
+
+[ Upstream commit 64e9e22e68512da8df3c9a7430f07621e48db3c2 ]
+
+If the qman driver didn't probe, calling qman_alloc_fqid_range,
+qman_alloc_pool_range or qman_alloc_cgrid_range (as done in dpaa_eth) will
+pass a NULL pointer to gen_pool_alloc, leading to a NULL pointer
+dereference.
+
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Reviewed-by: Roy Pledge <roy.pledge@nxp.com>
+Signed-off-by: Li Yang <leoyang.li@nxp.com>
+(cherry picked from commit f72487a2788aa70c3aee1d0ebd5470de9bac953a)
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/fsl/qbman/qman.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c
+index ecb22749df0b..8cc015183043 100644
+--- a/drivers/soc/fsl/qbman/qman.c
++++ b/drivers/soc/fsl/qbman/qman.c
+@@ -2729,6 +2729,9 @@ static int qman_alloc_range(struct gen_pool *p, u32 *result, u32 cnt)
+ {
+ unsigned long addr;
+
++ if (!p)
++ return -ENODEV;
++
+ addr = gen_pool_alloc(p, cnt);
+ if (!addr)
+ return -ENOMEM;
+--
+2.17.1
+
--- /dev/null
+From 9cb1f1caac07ad051a0d1aa13978c86683b68d9e Mon Sep 17 00:00:00 2001
+From: Zhao Qiang <qiang.zhao@nxp.com>
+Date: Thu, 1 Feb 2018 14:54:32 +0800
+Subject: soc: fsl: qe: Fix copy/paste bug in ucc_get_tdm_sync_shift()
+
+[ Upstream commit 96fc74333f84cfdf8d434c6c07254e215e2aad00 ]
+
+There is a copy and paste bug so we accidentally use the RX_ shift when
+we're in TX_ mode.
+
+Fixes: bb8b2062aff3 ("fsl/qe: setup clock source for TDM mode")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
+Signed-off-by: Li Yang <leoyang.li@nxp.com>
+(cherry picked from commit 3cb31b634052ed458922e0c8e2b4b093d7fb60b9)
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/fsl/qe/ucc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/fsl/qe/ucc.c b/drivers/soc/fsl/qe/ucc.c
+index c646d8713861..681f7d4b7724 100644
+--- a/drivers/soc/fsl/qe/ucc.c
++++ b/drivers/soc/fsl/qe/ucc.c
+@@ -626,7 +626,7 @@ static u32 ucc_get_tdm_sync_shift(enum comm_dir mode, u32 tdm_num)
+ {
+ u32 shift;
+
+- shift = (mode == COMM_DIR_RX) ? RX_SYNC_SHIFT_BASE : RX_SYNC_SHIFT_BASE;
++ shift = (mode == COMM_DIR_RX) ? RX_SYNC_SHIFT_BASE : TX_SYNC_SHIFT_BASE;
+ shift -= tdm_num * 2;
+
+ return shift;
+--
+2.17.1
+
--- /dev/null
+From 9ffe0a85b28cd0dc0469e6bc7781ec30ee8f9a63 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:53 -0700
+Subject: sr9800: Check for supported Wake-on-LAN modes
+
+[ Upstream commit c5cb93e994ffb43b7b3b1ff10b9f928f54574a36 ]
+
+The driver currently silently accepts unsupported Wake-on-LAN modes
+(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user,
+which is confusing.
+
+Fixes: 19a38d8e0aa3 ("USB2NET : SR9800 : One chip USB2.0 USB2NET SR9800 Device Driver Support")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/sr9800.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/sr9800.c b/drivers/net/usb/sr9800.c
+index 9277a0f228df..35f39f23d881 100644
+--- a/drivers/net/usb/sr9800.c
++++ b/drivers/net/usb/sr9800.c
+@@ -421,6 +421,9 @@ sr_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo)
+ struct usbnet *dev = netdev_priv(net);
+ u8 opt = 0;
+
++ if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC))
++ return -EINVAL;
++
+ if (wolinfo->wolopts & WAKE_PHY)
+ opt |= SR_MONITOR_LINK;
+ if (wolinfo->wolopts & WAKE_MAGIC)
+--
+2.17.1
+
--- /dev/null
+From 2216724064855cc351ecc235e65bc650800c3419 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Mon, 24 Sep 2018 13:20:44 +0300
+Subject: thunderbolt: Do not handle ICM events after domain is stopped
+
+[ Upstream commit 86da809dda64a63fc27e05a215475325c3aaae92 ]
+
+If there is a long chain of devices connected when the driver is loaded
+ICM sends device connected event for each and those are put to tb->wq
+for later processing. Now if the driver gets unloaded in the middle, so
+that the work queue is not yet empty it gets flushed by tb_domain_stop().
+However, by that time the root switch is already removed so the driver
+crashes when it tries to dereference it in ICM event handling callbacks.
+
+Fix this by checking whether the root switch is already removed. If it
+is we know that the domain is stopped and we should merely skip handling
+the event.
+
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thunderbolt/icm.c | 49 ++++++++++++++++-----------------------
+ 1 file changed, 20 insertions(+), 29 deletions(-)
+
+diff --git a/drivers/thunderbolt/icm.c b/drivers/thunderbolt/icm.c
+index 500911f16498..5bad9fdec5f8 100644
+--- a/drivers/thunderbolt/icm.c
++++ b/drivers/thunderbolt/icm.c
+@@ -653,14 +653,6 @@ icm_fr_xdomain_connected(struct tb *tb, const struct icm_pkg_header *hdr)
+ bool approved;
+ u64 route;
+
+- /*
+- * After NVM upgrade adding root switch device fails because we
+- * initiated reset. During that time ICM might still send
+- * XDomain connected message which we ignore here.
+- */
+- if (!tb->root_switch)
+- return;
+-
+ link = pkg->link_info & ICM_LINK_INFO_LINK_MASK;
+ depth = (pkg->link_info & ICM_LINK_INFO_DEPTH_MASK) >>
+ ICM_LINK_INFO_DEPTH_SHIFT;
+@@ -950,14 +942,6 @@ icm_tr_device_connected(struct tb *tb, const struct icm_pkg_header *hdr)
+ if (pkg->hdr.packet_id)
+ return;
+
+- /*
+- * After NVM upgrade adding root switch device fails because we
+- * initiated reset. During that time ICM might still send device
+- * connected message which we ignore here.
+- */
+- if (!tb->root_switch)
+- return;
+-
+ route = get_route(pkg->route_hi, pkg->route_lo);
+ authorized = pkg->link_info & ICM_LINK_INFO_APPROVED;
+ security_level = (pkg->hdr.flags & ICM_FLAGS_SLEVEL_MASK) >>
+@@ -1317,19 +1301,26 @@ static void icm_handle_notification(struct work_struct *work)
+
+ mutex_lock(&tb->lock);
+
+- switch (n->pkg->code) {
+- case ICM_EVENT_DEVICE_CONNECTED:
+- icm->device_connected(tb, n->pkg);
+- break;
+- case ICM_EVENT_DEVICE_DISCONNECTED:
+- icm->device_disconnected(tb, n->pkg);
+- break;
+- case ICM_EVENT_XDOMAIN_CONNECTED:
+- icm->xdomain_connected(tb, n->pkg);
+- break;
+- case ICM_EVENT_XDOMAIN_DISCONNECTED:
+- icm->xdomain_disconnected(tb, n->pkg);
+- break;
++ /*
++ * When the domain is stopped we flush its workqueue but before
++ * that the root switch is removed. In that case we should treat
++ * the queued events as being canceled.
++ */
++ if (tb->root_switch) {
++ switch (n->pkg->code) {
++ case ICM_EVENT_DEVICE_CONNECTED:
++ icm->device_connected(tb, n->pkg);
++ break;
++ case ICM_EVENT_DEVICE_DISCONNECTED:
++ icm->device_disconnected(tb, n->pkg);
++ break;
++ case ICM_EVENT_XDOMAIN_CONNECTED:
++ icm->xdomain_connected(tb, n->pkg);
++ break;
++ case ICM_EVENT_XDOMAIN_DISCONNECTED:
++ icm->xdomain_disconnected(tb, n->pkg);
++ break;
++ }
+ }
+
+ mutex_unlock(&tb->lock);
+--
+2.17.1
+
--- /dev/null
+From f9073340ff67a547089c99309d88cf221433a406 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Mon, 24 Sep 2018 13:20:45 +0300
+Subject: thunderbolt: Initialize after IOMMUs
+
+[ Upstream commit eafa717bc145963c944bb0a64d16add683861b35 ]
+
+If IOMMU is enabled and Thunderbolt driver is built into the kernel
+image, it will be probed before IOMMUs are attached to the PCI bus.
+Because of this DMA mappings the driver does will not go through IOMMU
+and start failing right after IOMMUs are enabled.
+
+For this reason move the Thunderbolt driver initialization happen at
+rootfs level.
+
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thunderbolt/nhi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/thunderbolt/nhi.c b/drivers/thunderbolt/nhi.c
+index f5a33e88e676..2d042150e41c 100644
+--- a/drivers/thunderbolt/nhi.c
++++ b/drivers/thunderbolt/nhi.c
+@@ -1147,5 +1147,5 @@ static void __exit nhi_unload(void)
+ tb_domain_exit();
+ }
+
+-fs_initcall(nhi_init);
++rootfs_initcall(nhi_init);
+ module_exit(nhi_unload);
+--
+2.17.1
+
--- /dev/null
+From f89553ae0cd0275e2154eb3b6222fb6bcd42c8f8 Mon Sep 17 00:00:00 2001
+From: Doron Roberts-Kedes <doronrk@fb.com>
+Date: Thu, 26 Jul 2018 07:59:36 -0700
+Subject: tls: Fix improper revert in zerocopy_from_iter
+
+[ Upstream commit 2da19ed3e4a87db16c0f69039da9f17a9596c350 ]
+
+The current code is problematic because the iov_iter is reverted and
+never advanced in the non-error case. This patch skips the revert in the
+non-error case. This patch also fixes the amount by which the iov_iter
+is reverted. Currently, iov_iter is reverted by size, which can be
+greater than the amount by which the iter was actually advanced.
+Instead, only revert by the amount that the iter was advanced.
+
+Fixes: 4718799817c5 ("tls: Fix zerocopy_from_iter iov handling")
+Signed-off-by: Doron Roberts-Kedes <doronrk@fb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_sw.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
+index 9fab8e5a4a5b..994ddc7ec9b1 100644
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -286,7 +286,7 @@ static int zerocopy_from_iter(struct sock *sk, struct iov_iter *from,
+ int length, int *pages_used,
+ unsigned int *size_used,
+ struct scatterlist *to, int to_max_pages,
+- bool charge, bool revert)
++ bool charge)
+ {
+ struct page *pages[MAX_SKB_FRAGS];
+
+@@ -335,10 +335,10 @@ static int zerocopy_from_iter(struct sock *sk, struct iov_iter *from,
+ }
+
+ out:
++ if (rc)
++ iov_iter_revert(from, size - *size_used);
+ *size_used = size;
+ *pages_used = num_elem;
+- if (revert)
+- iov_iter_revert(from, size);
+
+ return rc;
+ }
+@@ -440,7 +440,7 @@ alloc_encrypted:
+ &ctx->sg_plaintext_size,
+ ctx->sg_plaintext_data,
+ ARRAY_SIZE(ctx->sg_plaintext_data),
+- true, false);
++ true);
+ if (ret)
+ goto fallback_to_reg_send;
+
+@@ -453,8 +453,6 @@ alloc_encrypted:
+
+ copied -= try_to_copy;
+ fallback_to_reg_send:
+- iov_iter_revert(&msg->msg_iter,
+- ctx->sg_plaintext_size - orig_size);
+ trim_sg(sk, ctx->sg_plaintext_data,
+ &ctx->sg_plaintext_num_elem,
+ &ctx->sg_plaintext_size,
+@@ -828,7 +826,7 @@ int tls_sw_recvmsg(struct sock *sk,
+ err = zerocopy_from_iter(sk, &msg->msg_iter,
+ to_copy, &pages,
+ &chunk, &sgin[1],
+- MAX_SKB_FRAGS, false, true);
++ MAX_SKB_FRAGS, false);
+ if (err < 0)
+ goto fallback_to_reg_recv;
+
+--
+2.17.1
+
--- /dev/null
+From a3fb868ec9ff4c861505da05e0193a1ddb3ad4a7 Mon Sep 17 00:00:00 2001
+From: Peter Oberparleiter <oberpar@linux.ibm.com>
+Date: Thu, 13 Sep 2018 12:59:59 +0200
+Subject: vmlinux.lds.h: Fix incomplete .text.exit discards
+
+[ Upstream commit 8dcf86caa1e3daf4a6ccf38e97f4f752b411f829 ]
+
+Enabling CONFIG_GCOV_PROFILE_ALL=y causes linker errors on ARM:
+
+ `.text.exit' referenced in section `.ARM.exidx.text.exit':
+ defined in discarded section `.text.exit'
+
+ `.text.exit' referenced in section `.fini_array.00100':
+ defined in discarded section `.text.exit'
+
+And related errors on NDS32:
+
+ `.text.exit' referenced in section `.dtors.65435':
+ defined in discarded section `.text.exit'
+
+The gcov compiler flags cause certain compiler versions to generate
+additional destructor-related sections that are not yet handled by the
+linker script, resulting in references between discarded and
+non-discarded sections.
+
+Since destructors are not used in the Linux kernel, fix this by
+discarding these additional sections.
+
+Reported-by: Arnd Bergmann <arnd@arndb.de>
+Tested-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Reported-by: Greentime Hu <green.hu@gmail.com>
+Tested-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kernel/vmlinux.lds.h | 2 ++
+ include/asm-generic/vmlinux.lds.h | 4 ++--
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/kernel/vmlinux.lds.h b/arch/arm/kernel/vmlinux.lds.h
+index ae5fdff18406..8247bc15addc 100644
+--- a/arch/arm/kernel/vmlinux.lds.h
++++ b/arch/arm/kernel/vmlinux.lds.h
+@@ -49,6 +49,8 @@
+ #define ARM_DISCARD \
+ *(.ARM.exidx.exit.text) \
+ *(.ARM.extab.exit.text) \
++ *(.ARM.exidx.text.exit) \
++ *(.ARM.extab.text.exit) \
+ ARM_CPU_DISCARD(*(.ARM.exidx.cpuexit.text)) \
+ ARM_CPU_DISCARD(*(.ARM.extab.cpuexit.text)) \
+ ARM_EXIT_DISCARD(EXIT_TEXT) \
+diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
+index e373e2e10f6a..a11f86014352 100644
+--- a/include/asm-generic/vmlinux.lds.h
++++ b/include/asm-generic/vmlinux.lds.h
+@@ -617,8 +617,8 @@
+
+ #define EXIT_DATA \
+ *(.exit.data .exit.data.*) \
+- *(.fini_array) \
+- *(.dtors) \
++ *(.fini_array .fini_array.*) \
++ *(.dtors .dtors.*) \
+ MEM_DISCARD(exit.data*) \
+ MEM_DISCARD(exit.rodata*)
+
+--
+2.17.1
+
--- /dev/null
+From c1c778d6270a38579724d5d0f6cdcae786c197fa Mon Sep 17 00:00:00 2001
+From: Peter Oberparleiter <oberpar@linux.ibm.com>
+Date: Thu, 13 Sep 2018 13:00:00 +0200
+Subject: vmlinux.lds.h: Fix linker warnings about orphan .LPBX sections
+
+[ Upstream commit 52c8ee5bad8f33d02c567f6609f43d69303fc48d ]
+
+Enabling both CONFIG_LD_DEAD_CODE_DATA_ELIMINATION=y and
+CONFIG_GCOV_PROFILE_ALL=y results in linker warnings:
+
+ warning: orphan section `.data..LPBX1' being placed in
+ section `.data..LPBX1'.
+
+LD_DEAD_CODE_DATA_ELIMINATION adds compiler flag -fdata-sections. This
+option causes GCC to create separate data sections for data objects,
+including those generated by GCC internally for gcov profiling. The
+names of these objects start with a dot (.LPBX0, .LPBX1), resulting in
+section names starting with 'data..'.
+
+As section names starting with 'data..' are used for specific purposes
+in the Linux kernel, the linker script does not automatically include
+them in the output data section, resulting in the "orphan section"
+linker warnings.
+
+Fix this by specifically including sections named "data..LPBX*" in the
+data section.
+
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Tested-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Tested-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/asm-generic/vmlinux.lds.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
+index a11f86014352..83b930988e21 100644
+--- a/include/asm-generic/vmlinux.lds.h
++++ b/include/asm-generic/vmlinux.lds.h
+@@ -70,7 +70,7 @@
+ */
+ #ifdef CONFIG_LD_DEAD_CODE_DATA_ELIMINATION
+ #define TEXT_MAIN .text .text.[0-9a-zA-Z_]*
+-#define DATA_MAIN .data .data.[0-9a-zA-Z_]*
++#define DATA_MAIN .data .data.[0-9a-zA-Z_]* .data..LPBX*
+ #define SDATA_MAIN .sdata .sdata.[0-9a-zA-Z_]*
+ #define RODATA_MAIN .rodata .rodata.[0-9a-zA-Z_]*
+ #define BSS_MAIN .bss .bss.[0-9a-zA-Z_]*
+--
+2.17.1
+
--- /dev/null
+From 4d7e127edab2ccb47025356301ef4f8c4860c995 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 19 Sep 2018 13:35:53 +0300
+Subject: x86/paravirt: Fix some warning messages
+
+[ Upstream commit 571d0563c8881595f4ab027aef9ed1c55e3e7b7c ]
+
+The first argument to WARN_ONCE() is a condition.
+
+Fixes: 5800dc5c19f3 ("x86/paravirt: Fix spectre-v2 mitigations for paravirt guests")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Alok Kataria <akataria@vmware.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: virtualization@lists.linux-foundation.org
+Cc: kernel-janitors@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180919103553.GD9238@mwanda
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/paravirt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/paravirt.c b/arch/x86/kernel/paravirt.c
+index 930c88341e4e..1fbf38dde84c 100644
+--- a/arch/x86/kernel/paravirt.c
++++ b/arch/x86/kernel/paravirt.c
+@@ -90,7 +90,7 @@ unsigned paravirt_patch_call(void *insnbuf,
+
+ if (len < 5) {
+ #ifdef CONFIG_RETPOLINE
+- WARN_ONCE("Failing to patch indirect CALL in %ps\n", (void *)addr);
++ WARN_ONCE(1, "Failing to patch indirect CALL in %ps\n", (void *)addr);
+ #endif
+ return len; /* call too long for patch site */
+ }
+@@ -110,7 +110,7 @@ unsigned paravirt_patch_jmp(void *insnbuf, const void *target,
+
+ if (len < 5) {
+ #ifdef CONFIG_RETPOLINE
+- WARN_ONCE("Failing to patch indirect JMP in %ps\n", (void *)addr);
++ WARN_ONCE(1, "Failing to patch indirect JMP in %ps\n", (void *)addr);
+ #endif
+ return len; /* call too long for patch site */
+ }
+--
+2.17.1
+
--- /dev/null
+From d5edf03d92c7630f58a068213dc77b9d618cc6d9 Mon Sep 17 00:00:00 2001
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Tue, 11 Sep 2018 10:31:15 +0200
+Subject: xfrm: Fix NULL pointer dereference when skb_dst_force clears the
+ dst_entry.
+
+[ Upstream commit 9e1437937807b0122e8da1ca8765be2adca9aee6 ]
+
+Since commit 222d7dbd258d ("net: prevent dst uses after free")
+skb_dst_force() might clear the dst_entry attached to the skb.
+The xfrm code don't expect this to happen, so we crash with
+a NULL pointer dereference in this case. Fix it by checking
+skb_dst(skb) for NULL after skb_dst_force() and drop the packet
+in cast the dst_entry was cleared.
+
+Fixes: 222d7dbd258d ("net: prevent dst uses after free")
+Reported-by: Tobias Hommel <netdev-list@genoetigt.de>
+Reported-by: Kristian Evensen <kristian.evensen@gmail.com>
+Reported-by: Wolfgang Walter <linux@stwm.de>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_output.c | 4 ++++
+ net/xfrm/xfrm_policy.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
+index 89b178a78dc7..36d15a38ce5e 100644
+--- a/net/xfrm/xfrm_output.c
++++ b/net/xfrm/xfrm_output.c
+@@ -101,6 +101,10 @@ static int xfrm_output_one(struct sk_buff *skb, int err)
+ spin_unlock_bh(&x->lock);
+
+ skb_dst_force(skb);
++ if (!skb_dst(skb)) {
++ XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
++ goto error_nolock;
++ }
+
+ if (xfrm_offload(skb)) {
+ x->type_offload->encap(x, skb);
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index a94983e03a8b..526e6814ed4b 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -2551,6 +2551,10 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
+ }
+
+ skb_dst_force(skb);
++ if (!skb_dst(skb)) {
++ XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
++ return 0;
++ }
+
+ dst = xfrm_lookup(net, skb_dst(skb), &fl, NULL, XFRM_LOOKUP_QUEUE);
+ if (IS_ERR(dst)) {
+--
+2.17.1
+
--- /dev/null
+From da749d370a4e50bc67fda3c9bba4cb482e84d3e3 Mon Sep 17 00:00:00 2001
+From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Date: Mon, 3 Sep 2018 04:36:53 -0700
+Subject: xfrm: reset crypto_done when iterating over multiple input xfrms
+
+[ Upstream commit 782710e333a526780d65918d669cb96646983ba2 ]
+
+We only support one offloaded xfrm (we do not have devices that
+can handle more than one offload), so reset crypto_done in
+xfrm_input() when iterating over multiple transforms in xfrm_input,
+so that we can invoke the appropriate x->type->input for the
+non-offloaded transforms
+
+Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API")
+Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_input.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
+index 352abca2605f..86f5afbd0a0c 100644
+--- a/net/xfrm/xfrm_input.c
++++ b/net/xfrm/xfrm_input.c
+@@ -453,6 +453,7 @@ resume:
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
+ goto drop;
+ }
++ crypto_done = false;
+ } while (!err);
+
+ err = xfrm_rcv_cb(skb, family, x->type->proto, 0);
+--
+2.17.1
+
--- /dev/null
+From 265bd1eea89fd834337fdd188fb980e99a387949 Mon Sep 17 00:00:00 2001
+From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Date: Mon, 3 Sep 2018 04:36:52 -0700
+Subject: xfrm: reset transport header back to network header after all input
+ transforms ahave been applied
+
+[ Upstream commit bfc0698bebcb16d19ecfc89574ad4d696955e5d3 ]
+
+A policy may have been set up with multiple transforms (e.g., ESP
+and ipcomp). In this situation, the ingress IPsec processing
+iterates in xfrm_input() and applies each transform in turn,
+processing the nexthdr to find any additional xfrm that may apply.
+
+This patch resets the transport header back to network header
+only after the last transformation so that subsequent xfrms
+can find the correct transport header.
+
+Fixes: 7785bba299a8 ("esp: Add a software GRO codepath")
+Suggested-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/xfrm4_input.c | 1 +
+ net/ipv4/xfrm4_mode_transport.c | 4 +---
+ net/ipv6/xfrm6_input.c | 1 +
+ net/ipv6/xfrm6_mode_transport.c | 4 +---
+ 4 files changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
+index bcfc00e88756..f8de2482a529 100644
+--- a/net/ipv4/xfrm4_input.c
++++ b/net/ipv4/xfrm4_input.c
+@@ -67,6 +67,7 @@ int xfrm4_transport_finish(struct sk_buff *skb, int async)
+
+ if (xo && (xo->flags & XFRM_GRO)) {
+ skb_mac_header_rebuild(skb);
++ skb_reset_transport_header(skb);
+ return 0;
+ }
+
+diff --git a/net/ipv4/xfrm4_mode_transport.c b/net/ipv4/xfrm4_mode_transport.c
+index 3d36644890bb..1ad2c2c4e250 100644
+--- a/net/ipv4/xfrm4_mode_transport.c
++++ b/net/ipv4/xfrm4_mode_transport.c
+@@ -46,7 +46,6 @@ static int xfrm4_transport_output(struct xfrm_state *x, struct sk_buff *skb)
+ static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+ {
+ int ihl = skb->data - skb_transport_header(skb);
+- struct xfrm_offload *xo = xfrm_offload(skb);
+
+ if (skb->transport_header != skb->network_header) {
+ memmove(skb_transport_header(skb),
+@@ -54,8 +53,7 @@ static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+ skb->network_header = skb->transport_header;
+ }
+ ip_hdr(skb)->tot_len = htons(skb->len + ihl);
+- if (!xo || !(xo->flags & XFRM_GRO))
+- skb_reset_transport_header(skb);
++ skb_reset_transport_header(skb);
+ return 0;
+ }
+
+diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
+index 841f4a07438e..9ef490dddcea 100644
+--- a/net/ipv6/xfrm6_input.c
++++ b/net/ipv6/xfrm6_input.c
+@@ -59,6 +59,7 @@ int xfrm6_transport_finish(struct sk_buff *skb, int async)
+
+ if (xo && (xo->flags & XFRM_GRO)) {
+ skb_mac_header_rebuild(skb);
++ skb_reset_transport_header(skb);
+ return -1;
+ }
+
+diff --git a/net/ipv6/xfrm6_mode_transport.c b/net/ipv6/xfrm6_mode_transport.c
+index 9ad07a91708e..3c29da5defe6 100644
+--- a/net/ipv6/xfrm6_mode_transport.c
++++ b/net/ipv6/xfrm6_mode_transport.c
+@@ -51,7 +51,6 @@ static int xfrm6_transport_output(struct xfrm_state *x, struct sk_buff *skb)
+ static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+ {
+ int ihl = skb->data - skb_transport_header(skb);
+- struct xfrm_offload *xo = xfrm_offload(skb);
+
+ if (skb->transport_header != skb->network_header) {
+ memmove(skb_transport_header(skb),
+@@ -60,8 +59,7 @@ static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+ }
+ ipv6_hdr(skb)->payload_len = htons(skb->len + ihl -
+ sizeof(struct ipv6hdr));
+- if (!xo || !(xo->flags & XFRM_GRO))
+- skb_reset_transport_header(skb);
++ skb_reset_transport_header(skb);
+ return 0;
+ }
+
+--
+2.17.1
+
--- /dev/null
+From 35329ba614b877cc6f2b683e98deb7245933c486 Mon Sep 17 00:00:00 2001
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Wed, 1 Aug 2018 13:45:11 +0200
+Subject: xfrm: Validate address prefix lengths in the xfrm selector.
+
+[ Upstream commit 07bf7908950a8b14e81aa1807e3c667eab39287a ]
+
+We don't validate the address prefix lengths in the xfrm
+selector we got from userspace. This can lead to undefined
+behaviour in the address matching functions if the prefix
+is too big for the given address family. Fix this by checking
+the prefixes and refuse SA/policy insertation when a prefix
+is invalid.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Air Icy <icytxw@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 33878e6e0d0a..5151b3ebf068 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -151,10 +151,16 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
+ err = -EINVAL;
+ switch (p->family) {
+ case AF_INET:
++ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
++ goto out;
++
+ break;
+
+ case AF_INET6:
+ #if IS_ENABLED(CONFIG_IPV6)
++ if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128)
++ goto out;
++
+ break;
+ #else
+ err = -EAFNOSUPPORT;
+@@ -1359,10 +1365,16 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p)
+
+ switch (p->sel.family) {
+ case AF_INET:
++ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
++ return -EINVAL;
++
+ break;
+
+ case AF_INET6:
+ #if IS_ENABLED(CONFIG_IPV6)
++ if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128)
++ return -EINVAL;
++
+ break;
+ #else
+ return -EAFNOSUPPORT;
+--
+2.17.1
+
--- /dev/null
+From 072b574cce2e6928902e60b6e4fb0d7b4461b1b5 Mon Sep 17 00:00:00 2001
+From: Sean Tranchetti <stranche@codeaurora.org>
+Date: Wed, 19 Sep 2018 13:54:56 -0600
+Subject: xfrm: validate template mode
+
+[ Upstream commit 32bf94fb5c2ec4ec842152d0e5937cd4bb6738fa ]
+
+XFRM mode parameters passed as part of the user templates
+in the IP_XFRM_POLICY are never properly validated. Passing
+values other than valid XFRM modes can cause stack-out-of-bounds
+reads to occur later in the XFRM processing:
+
+[ 140.535608] ================================================================
+[ 140.543058] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x17e4/0x1cc4
+[ 140.550306] Read of size 4 at addr ffffffc0238a7a58 by task repro/5148
+[ 140.557369]
+[ 140.558927] Call trace:
+[ 140.558936] dump_backtrace+0x0/0x388
+[ 140.558940] show_stack+0x24/0x30
+[ 140.558946] __dump_stack+0x24/0x2c
+[ 140.558949] dump_stack+0x8c/0xd0
+[ 140.558956] print_address_description+0x74/0x234
+[ 140.558960] kasan_report+0x240/0x264
+[ 140.558963] __asan_report_load4_noabort+0x2c/0x38
+[ 140.558967] xfrm_state_find+0x17e4/0x1cc4
+[ 140.558971] xfrm_resolve_and_create_bundle+0x40c/0x1fb8
+[ 140.558975] xfrm_lookup+0x238/0x1444
+[ 140.558977] xfrm_lookup_route+0x48/0x11c
+[ 140.558984] ip_route_output_flow+0x88/0xc4
+[ 140.558991] raw_sendmsg+0xa74/0x266c
+[ 140.558996] inet_sendmsg+0x258/0x3b0
+[ 140.559002] sock_sendmsg+0xbc/0xec
+[ 140.559005] SyS_sendto+0x3a8/0x5a8
+[ 140.559008] el0_svc_naked+0x34/0x38
+[ 140.559009]
+[ 140.592245] page dumped because: kasan: bad access detected
+[ 140.597981] page_owner info is not active (free page?)
+[ 140.603267]
+[ 140.653503] ================================================================
+
+Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 5151b3ebf068..d0672c400c2f 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1455,6 +1455,9 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family)
+ (ut[i].family != prev_family))
+ return -EINVAL;
+
++ if (ut[i].mode >= XFRM_MODE_MAX)
++ return -EINVAL;
++
+ prev_family = ut[i].family;
+
+ switch (ut[i].family) {
+--
+2.17.1
+
--- /dev/null
+From 668f5d94b013c17dd9aaec3a1aa02fa69bb8aeb8 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Fri, 31 Aug 2018 08:38:49 -0300
+Subject: xfrm6: call kfree_skb when skb is toobig
+
+[ Upstream commit 215ab0f021c9fea3c18b75e7d522400ee6a49990 ]
+
+After commit d6990976af7c5d8f55903bfb4289b6fb030bf754 ("vti6: fix PMTU caching
+and reporting on xmit"), some too big skbs might be potentially passed down to
+__xfrm6_output, causing it to fail to transmit but not free the skb, causing a
+leak of skb, and consequentially a leak of dst references.
+
+After running pmtu.sh, that shows as failure to unregister devices in a namespace:
+
+[ 311.397671] unregister_netdevice: waiting for veth_b to become free. Usage count = 1
+
+The fix is to call kfree_skb in case of transmit failures.
+
+Fixes: dd767856a36e ("xfrm6: Don't call icmpv6_send on local error")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/xfrm6_output.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
+index 5959ce9620eb..6a74080005cf 100644
+--- a/net/ipv6/xfrm6_output.c
++++ b/net/ipv6/xfrm6_output.c
+@@ -170,9 +170,11 @@ static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
+
+ if (toobig && xfrm6_local_dontfrag(skb)) {
+ xfrm6_local_rxpmtu(skb, mtu);
++ kfree_skb(skb);
+ return -EMSGSIZE;
+ } else if (!skb->ignore_df && toobig && skb->sk) {
+ xfrm_local_error(skb, mtu);
++ kfree_skb(skb);
+ return -EMSGSIZE;
+ }
+
+--
+2.17.1
+
--- /dev/null
+From 3b65d00c0ca748f1121adc7668f576179b39d1c2 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wang6495@umn.edu>
+Date: Fri, 5 Oct 2018 10:59:36 -0500
+Subject: yam: fix a missing-check bug
+
+[ Upstream commit 0781168e23a2fc8dceb989f11fc5b39b3ccacc35 ]
+
+In yam_ioctl(), the concrete ioctl command is firstly copied from the
+user-space buffer 'ifr->ifr_data' to 'ioctl_cmd' and checked through the
+following switch statement. If the command is not as expected, an error
+code EINVAL is returned. In the following execution the buffer
+'ifr->ifr_data' is copied again in the cases of the switch statement to
+specific data structures according to what kind of ioctl command is
+requested. However, after the second copy, no re-check is enforced on the
+newly-copied command. Given that the buffer 'ifr->ifr_data' is in the user
+space, a malicious user can race to change the command between the two
+copies. This way, the attacker can inject inconsistent data and cause
+undefined behavior.
+
+This patch adds a re-check in each case of the switch statement if there is
+a second copy in that case, to re-check whether the command obtained in the
+second copy is the same as the one in the first copy. If not, an error code
+EINVAL will be returned.
+
+Signed-off-by: Wenwen Wang <wang6495@umn.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hamradio/yam.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/hamradio/yam.c b/drivers/net/hamradio/yam.c
+index 16ec7af6ab7b..ba9df430fca6 100644
+--- a/drivers/net/hamradio/yam.c
++++ b/drivers/net/hamradio/yam.c
+@@ -966,6 +966,8 @@ static int yam_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
+ sizeof(struct yamdrv_ioctl_mcs));
+ if (IS_ERR(ym))
+ return PTR_ERR(ym);
++ if (ym->cmd != SIOCYAMSMCS)
++ return -EINVAL;
+ if (ym->bitrate > YAM_MAXBITRATE) {
+ kfree(ym);
+ return -EINVAL;
+@@ -981,6 +983,8 @@ static int yam_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
+ if (copy_from_user(&yi, ifr->ifr_data, sizeof(struct yamdrv_ioctl_cfg)))
+ return -EFAULT;
+
++ if (yi.cmd != SIOCYAMSCFG)
++ return -EINVAL;
+ if ((yi.cfg.mask & YAM_IOBASE) && netif_running(dev))
+ return -EINVAL; /* Cannot change this parameter when up */
+ if ((yi.cfg.mask & YAM_IRQ) && netif_running(dev))
+--
+2.17.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
