--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 21 Apr 2017 13:48:08 +0200
+Subject: ACPI / PMIC: xpower: Fix power_table addresses
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+
+[ Upstream commit 2bde7c32b1db162692f05c6be066b5bcd3d9fdbe ]
+
+The power table addresses should be contiguous, but there was a hole
+where 0x34 was missing. On most devices this is not a problem as
+addresses above 0x34 are used for the BUC# convertors which are not
+used in the DSDTs I've access to but after the BUC# convertors
+there is a field named GPI1 in the DSTDs, which does get used in some
+cases and ended up turning BUC6 on and off due to the wrong addresses,
+resulting in turning the entire device off (or causing it to reboot).
+
+Removing the hole in the addresses fixes this, fixing one of my
+Bay Trail tablets turning off while booting the mainline kernel.
+
+While at it add comments with the field names used in the DSDTs to
+make it easier to compare the register and bits used at each address
+with the datasheet.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/pmic/intel_pmic_xpower.c | 50 +++++++++++++++++-----------------
+ 1 file changed, 25 insertions(+), 25 deletions(-)
+
+--- a/drivers/acpi/pmic/intel_pmic_xpower.c
++++ b/drivers/acpi/pmic/intel_pmic_xpower.c
+@@ -28,97 +28,97 @@ static struct pmic_table power_table[] =
+ .address = 0x00,
+ .reg = 0x13,
+ .bit = 0x05,
+- },
++ }, /* ALD1 */
+ {
+ .address = 0x04,
+ .reg = 0x13,
+ .bit = 0x06,
+- },
++ }, /* ALD2 */
+ {
+ .address = 0x08,
+ .reg = 0x13,
+ .bit = 0x07,
+- },
++ }, /* ALD3 */
+ {
+ .address = 0x0c,
+ .reg = 0x12,
+ .bit = 0x03,
+- },
++ }, /* DLD1 */
+ {
+ .address = 0x10,
+ .reg = 0x12,
+ .bit = 0x04,
+- },
++ }, /* DLD2 */
+ {
+ .address = 0x14,
+ .reg = 0x12,
+ .bit = 0x05,
+- },
++ }, /* DLD3 */
+ {
+ .address = 0x18,
+ .reg = 0x12,
+ .bit = 0x06,
+- },
++ }, /* DLD4 */
+ {
+ .address = 0x1c,
+ .reg = 0x12,
+ .bit = 0x00,
+- },
++ }, /* ELD1 */
+ {
+ .address = 0x20,
+ .reg = 0x12,
+ .bit = 0x01,
+- },
++ }, /* ELD2 */
+ {
+ .address = 0x24,
+ .reg = 0x12,
+ .bit = 0x02,
+- },
++ }, /* ELD3 */
+ {
+ .address = 0x28,
+ .reg = 0x13,
+ .bit = 0x02,
+- },
++ }, /* FLD1 */
+ {
+ .address = 0x2c,
+ .reg = 0x13,
+ .bit = 0x03,
+- },
++ }, /* FLD2 */
+ {
+ .address = 0x30,
+ .reg = 0x13,
+ .bit = 0x04,
+- },
++ }, /* FLD3 */
+ {
+- .address = 0x38,
++ .address = 0x34,
+ .reg = 0x10,
+ .bit = 0x03,
+- },
++ }, /* BUC1 */
+ {
+- .address = 0x3c,
++ .address = 0x38,
+ .reg = 0x10,
+ .bit = 0x06,
+- },
++ }, /* BUC2 */
+ {
+- .address = 0x40,
++ .address = 0x3c,
+ .reg = 0x10,
+ .bit = 0x05,
+- },
++ }, /* BUC3 */
+ {
+- .address = 0x44,
++ .address = 0x40,
+ .reg = 0x10,
+ .bit = 0x04,
+- },
++ }, /* BUC4 */
+ {
+- .address = 0x48,
++ .address = 0x44,
+ .reg = 0x10,
+ .bit = 0x01,
+- },
++ }, /* BUC5 */
+ {
+- .address = 0x4c,
++ .address = 0x48,
+ .reg = 0x10,
+ .bit = 0x00
+- },
++ }, /* BUC6 */
+ };
+
+ /* TMP0 - TMP5 are the same, all from GPADC */
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sun, 30 Apr 2017 22:54:16 +0200
+Subject: ACPI / power: Delay turning off unused power resources after suspend
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+
+[ Upstream commit 8ece1d83346bcc431090d59a2184276192189cdd ]
+
+Commit 660b1113e0f3 (ACPI / PM: Fix consistency check for power resources
+during resume) introduced a check for ACPI power resources which have
+been turned on by the BIOS during suspend and turns these back off again.
+
+This is causing problems on a Dell Venue Pro 11 7130 (i5-4300Y) it causes
+the following messages to show up in dmesg:
+
+[ 131.014605] ACPI: Waking up from system sleep state S3
+[ 131.150271] acpi LNXPOWER:07: Turning OFF
+[ 131.150323] acpi LNXPOWER:06: Turning OFF
+[ 131.150911] acpi LNXPOWER:00: Turning OFF
+[ 131.169014] ACPI : EC: interrupt unblocked
+[ 131.181811] xhci_hcd 0000:00:14.0: System wakeup disabled by ACPI
+[ 133.535728] pci_raw_set_power_state: 76 callbacks suppressed
+[ 133.535735] iwlwifi 0000:01:00.0: Refused to change power state,
+ currently in D3
+[ 133.597672] PM: noirq resume of devices complete after 2428.891 msecs
+
+Followed by a bunch of iwlwifi errors later on and the pcie device
+dropping from the bus (acpiphp thinks it has been unplugged).
+
+Disabling the turning off of unused power resources fixes this. Instead
+of adding a quirk for this system, this commit fixes this by moving the
+disabling of unused power resources to later in the resume sequence
+when the iwlwifi card has been moved out of D3 so the ref_count for
+its power resource no longer is 0.
+
+This new behavior seems to match the intend of the original commit which
+commit-msg says: "(... which means that no devices are going to need them
+any time soon) and we should turn them off".
+
+This also avoids power resources which we need when bringing devices out
+of D3 from getting bounced off and then back on again.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/power.c | 10 ++++++++++
+ drivers/acpi/sleep.c | 1 +
+ drivers/acpi/sleep.h | 1 +
+ 3 files changed, 12 insertions(+)
+
+--- a/drivers/acpi/power.c
++++ b/drivers/acpi/power.c
+@@ -864,6 +864,16 @@ void acpi_resume_power_resources(void)
+
+ mutex_unlock(&resource->resource_lock);
+ }
++
++ mutex_unlock(&power_resource_list_lock);
++}
++
++void acpi_turn_off_unused_power_resources(void)
++{
++ struct acpi_power_resource *resource;
++
++ mutex_lock(&power_resource_list_lock);
++
+ list_for_each_entry_reverse(resource, &acpi_power_resource_list, list_node) {
+ int result, state;
+
+--- a/drivers/acpi/sleep.c
++++ b/drivers/acpi/sleep.c
+@@ -474,6 +474,7 @@ static void acpi_pm_start(u32 acpi_state
+ */
+ static void acpi_pm_end(void)
+ {
++ acpi_turn_off_unused_power_resources();
+ acpi_scan_lock_release();
+ /*
+ * This is necessary in case acpi_pm_finish() is not called during a
+--- a/drivers/acpi/sleep.h
++++ b/drivers/acpi/sleep.h
+@@ -6,6 +6,7 @@ extern struct list_head acpi_wakeup_devi
+ extern struct mutex acpi_device_lock;
+
+ extern void acpi_resume_power_resources(void);
++extern void acpi_turn_off_unused_power_resources(void);
+
+ static inline acpi_status acpi_set_waking_vector(u32 wakeup_address)
+ {
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 12 Apr 2017 22:07:33 +0200
+Subject: ACPI/processor: Fix error handling in __acpi_processor_start()
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+
+[ Upstream commit a5cbdf693a60d5b86d4d21dfedd90f17754eb273 ]
+
+When acpi_install_notify_handler() fails the cooling device stays
+registered and the sysfs files created via acpi_pss_perf_init() are
+leaked and the function returns success.
+
+Undo acpi_pss_perf_init() and return a proper error code.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Sebastian Siewior <bigeasy@linutronix.de>
+Cc: Lai Jiangshan <jiangshanlai@gmail.com>
+Cc: linux-acpi@vger.kernel.org
+Cc: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Len Brown <lenb@kernel.org>
+Link: http://lkml.kernel.org/r/20170412201042.695499645@linutronix.de
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/processor_driver.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/acpi/processor_driver.c
++++ b/drivers/acpi/processor_driver.c
+@@ -251,6 +251,9 @@ static int __acpi_processor_start(struct
+ if (ACPI_SUCCESS(status))
+ return 0;
+
++ result = -ENODEV;
++ acpi_pss_perf_exit(pr, device);
++
+ err_power_exit:
+ acpi_processor_power_exit(pr);
+ return result;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 12 Apr 2017 22:07:34 +0200
+Subject: ACPI/processor: Replace racy task affinity logic
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+
+[ Upstream commit 8153f9ac43897f9f4786b30badc134fcc1a4fb11 ]
+
+acpi_processor_get_throttling() requires to invoke the getter function on
+the target CPU. This is achieved by temporarily setting the affinity of the
+calling user space thread to the requested CPU and reset it to the original
+affinity afterwards.
+
+That's racy vs. CPU hotplug and concurrent affinity settings for that
+thread resulting in code executing on the wrong CPU and overwriting the
+new affinity setting.
+
+acpi_processor_get_throttling() is invoked in two ways:
+
+1) The CPU online callback, which is already running on the target CPU and
+ obviously protected against hotplug and not affected by affinity
+ settings.
+
+2) The ACPI driver probe function, which is not protected against hotplug
+ during modprobe.
+
+Switch it over to work_on_cpu() and protect the probe function against CPU
+hotplug.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Sebastian Siewior <bigeasy@linutronix.de>
+Cc: Lai Jiangshan <jiangshanlai@gmail.com>
+Cc: linux-acpi@vger.kernel.org
+Cc: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Len Brown <lenb@kernel.org>
+Link: http://lkml.kernel.org/r/20170412201042.785920903@linutronix.de
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/processor_driver.c | 7 +++-
+ drivers/acpi/processor_throttling.c | 62 ++++++++++++++++++++----------------
+ 2 files changed, 42 insertions(+), 27 deletions(-)
+
+--- a/drivers/acpi/processor_driver.c
++++ b/drivers/acpi/processor_driver.c
+@@ -262,11 +262,16 @@ err_power_exit:
+ static int acpi_processor_start(struct device *dev)
+ {
+ struct acpi_device *device = ACPI_COMPANION(dev);
++ int ret;
+
+ if (!device)
+ return -ENODEV;
+
+- return __acpi_processor_start(device);
++ /* Protect against concurrent CPU hotplug operations */
++ get_online_cpus();
++ ret = __acpi_processor_start(device);
++ put_online_cpus();
++ return ret;
+ }
+
+ static int acpi_processor_stop(struct device *dev)
+--- a/drivers/acpi/processor_throttling.c
++++ b/drivers/acpi/processor_throttling.c
+@@ -62,8 +62,8 @@ struct acpi_processor_throttling_arg {
+ #define THROTTLING_POSTCHANGE (2)
+
+ static int acpi_processor_get_throttling(struct acpi_processor *pr);
+-int acpi_processor_set_throttling(struct acpi_processor *pr,
+- int state, bool force);
++static int __acpi_processor_set_throttling(struct acpi_processor *pr,
++ int state, bool force, bool direct);
+
+ static int acpi_processor_update_tsd_coord(void)
+ {
+@@ -891,7 +891,8 @@ static int acpi_processor_get_throttling
+ ACPI_DEBUG_PRINT((ACPI_DB_INFO,
+ "Invalid throttling state, reset\n"));
+ state = 0;
+- ret = acpi_processor_set_throttling(pr, state, true);
++ ret = __acpi_processor_set_throttling(pr, state, true,
++ true);
+ if (ret)
+ return ret;
+ }
+@@ -901,36 +902,31 @@ static int acpi_processor_get_throttling
+ return 0;
+ }
+
+-static int acpi_processor_get_throttling(struct acpi_processor *pr)
++static long __acpi_processor_get_throttling(void *data)
+ {
+- cpumask_var_t saved_mask;
+- int ret;
++ struct acpi_processor *pr = data;
++
++ return pr->throttling.acpi_processor_get_throttling(pr);
++}
+
++static int acpi_processor_get_throttling(struct acpi_processor *pr)
++{
+ if (!pr)
+ return -EINVAL;
+
+ if (!pr->flags.throttling)
+ return -ENODEV;
+
+- if (!alloc_cpumask_var(&saved_mask, GFP_KERNEL))
+- return -ENOMEM;
+-
+ /*
+- * Migrate task to the cpu pointed by pr.
++ * This is either called from the CPU hotplug callback of
++ * processor_driver or via the ACPI probe function. In the latter
++ * case the CPU is not guaranteed to be online. Both call sites are
++ * protected against CPU hotplug.
+ */
+- cpumask_copy(saved_mask, ¤t->cpus_allowed);
+- /* FIXME: use work_on_cpu() */
+- if (set_cpus_allowed_ptr(current, cpumask_of(pr->id))) {
+- /* Can't migrate to the target pr->id CPU. Exit */
+- free_cpumask_var(saved_mask);
++ if (!cpu_online(pr->id))
+ return -ENODEV;
+- }
+- ret = pr->throttling.acpi_processor_get_throttling(pr);
+- /* restore the previous state */
+- set_cpus_allowed_ptr(current, saved_mask);
+- free_cpumask_var(saved_mask);
+
+- return ret;
++ return work_on_cpu(pr->id, __acpi_processor_get_throttling, pr);
+ }
+
+ static int acpi_processor_get_fadt_info(struct acpi_processor *pr)
+@@ -1080,8 +1076,15 @@ static long acpi_processor_throttling_fn
+ arg->target_state, arg->force);
+ }
+
+-int acpi_processor_set_throttling(struct acpi_processor *pr,
+- int state, bool force)
++static int call_on_cpu(int cpu, long (*fn)(void *), void *arg, bool direct)
++{
++ if (direct)
++ return fn(arg);
++ return work_on_cpu(cpu, fn, arg);
++}
++
++static int __acpi_processor_set_throttling(struct acpi_processor *pr,
++ int state, bool force, bool direct)
+ {
+ int ret = 0;
+ unsigned int i;
+@@ -1130,7 +1133,8 @@ int acpi_processor_set_throttling(struct
+ arg.pr = pr;
+ arg.target_state = state;
+ arg.force = force;
+- ret = work_on_cpu(pr->id, acpi_processor_throttling_fn, &arg);
++ ret = call_on_cpu(pr->id, acpi_processor_throttling_fn, &arg,
++ direct);
+ } else {
+ /*
+ * When the T-state coordination is SW_ALL or HW_ALL,
+@@ -1163,8 +1167,8 @@ int acpi_processor_set_throttling(struct
+ arg.pr = match_pr;
+ arg.target_state = state;
+ arg.force = force;
+- ret = work_on_cpu(pr->id, acpi_processor_throttling_fn,
+- &arg);
++ ret = call_on_cpu(pr->id, acpi_processor_throttling_fn,
++ &arg, direct);
+ }
+ }
+ /*
+@@ -1182,6 +1186,12 @@ int acpi_processor_set_throttling(struct
+ return ret;
+ }
+
++int acpi_processor_set_throttling(struct acpi_processor *pr, int state,
++ bool force)
++{
++ return __acpi_processor_set_throttling(pr, state, force, false);
++}
++
+ int acpi_processor_get_throttling_info(struct acpi_processor *pr)
+ {
+ int result = 0;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Lv Zheng <lv.zheng@intel.com>
+Date: Wed, 26 Apr 2017 16:18:49 +0800
+Subject: ACPICA: iasl: Fix IORT SMMU GSI disassembling
+
+From: Lv Zheng <lv.zheng@intel.com>
+
+
+[ Upstream commit bb1e23e66e6237ff7a1824b37366540a89149c33 ]
+
+ACPICA commit 637b88de24a78c20478728d9d66632b06fcaa5bf
+
+If the IORT template is compiled and then iort.aml binary disassembled to
+iort.dsl, SMMUv1 node lists incorrect offset for SMMU_Nsg_cfg_irpt Interrupt:
+[0ECh 0236 8] SMMU_Nsg_irpt Interrupt : 0000000000000000
+[0ECh 0236 8] SMMU_Nsg_cfg_irpt Interrupt : 0000000000000000
+This is because iasl hasn't implemented SMMU GSI decoding yet.
+
+This patch fixes this issue by preparing structures for decoding IORT SMMU
+GSI. ACPICA BZ 1340, reported by Alexei Fedorov, fixed by Lv Zheng.
+
+Link: https://github.com/acpica/acpica/commit/637b88de
+Link: https://bugs.acpica.org/show_bug.cgi?id=1340
+Reported-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
+Signed-off-by: Lv Zheng <lv.zheng@intel.com>
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/acpi/actbl2.h | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/include/acpi/actbl2.h
++++ b/include/acpi/actbl2.h
+@@ -783,6 +783,15 @@ struct acpi_iort_smmu {
+ #define ACPI_IORT_SMMU_DVM_SUPPORTED (1)
+ #define ACPI_IORT_SMMU_COHERENT_WALK (1<<1)
+
++/* Global interrupt format */
++
++struct acpi_iort_smmu_gsi {
++ u32 nsg_irpt;
++ u32 nsg_irpt_flags;
++ u32 nsg_cfg_irpt;
++ u32 nsg_cfg_irpt_flags;
++};
++
+ struct acpi_iort_smmu_v3 {
+ u64 base_address; /* SMMUv3 base address */
+ u32 flags;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Mikhail Paulyshka <me@mixaill.tk>
+Date: Fri, 21 Apr 2017 08:52:42 +0200
+Subject: ALSA: hda - Fix headset microphone detection for ASUS N551 and N751
+
+From: Mikhail Paulyshka <me@mixaill.tk>
+
+
+[ Upstream commit fc7438b1eb12b6c93d7b7a62423779eb5dfc673c ]
+
+Headset microphone does not work out of the box on ASUS Nx51
+laptops. This patch fixes it.
+
+Patch tested on Asus N551 laptop. Asus N751 part is not tested, but
+according to [1] this laptop uses the same audiosystem.
+
+1. https://bugzilla.kernel.org/show_bug.cgi?id=117781
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195437
+Signed-off-by: Mikhail Paulyshka <me@mixaill.tk>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6780,6 +6780,7 @@ enum {
+ ALC668_FIXUP_DELL_DISABLE_AAMIX,
+ ALC668_FIXUP_DELL_XPS13,
+ ALC662_FIXUP_ASUS_Nx50,
++ ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE,
+ ALC668_FIXUP_ASUS_Nx51,
+ ALC891_FIXUP_HEADSET_MODE,
+ ALC891_FIXUP_DELL_MIC_NO_PRESENCE,
+@@ -7031,14 +7032,21 @@ static const struct hda_fixup alc662_fix
+ .chained = true,
+ .chain_id = ALC662_FIXUP_BASS_1A
+ },
++ [ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc_fixup_headset_mode_alc668,
++ .chain_id = ALC662_FIXUP_BASS_CHMAP
++ },
+ [ALC668_FIXUP_ASUS_Nx51] = {
+ .type = HDA_FIXUP_PINS,
+ .v.pins = (const struct hda_pintbl[]) {
+- {0x1a, 0x90170151}, /* bass speaker */
++ { 0x19, 0x03a1913d }, /* use as headphone mic, without its own jack detect */
++ { 0x1a, 0x90170151 }, /* bass speaker */
++ { 0x1b, 0x03a1113c }, /* use as headset mic, without its own jack detect */
+ {}
+ },
+ .chained = true,
+- .chain_id = ALC662_FIXUP_BASS_CHMAP,
++ .chain_id = ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE,
+ },
+ [ALC891_FIXUP_HEADSET_MODE] = {
+ .type = HDA_FIXUP_FUNC,
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Abel Vesa <abelvesa@linux.com>
+Date: Mon, 3 Apr 2017 23:58:54 +0100
+Subject: ARM: 8668/1: ftrace: Fix dynamic ftrace with DEBUG_RODATA and !FRAME_POINTER
+
+From: Abel Vesa <abelvesa@linux.com>
+
+
+[ Upstream commit 6f05d0761af612e04572ba4d65b4c0274a88444f ]
+
+The support for dynamic ftrace with CONFIG_DEBUG_RODATA involves
+overriding the weak arch_ftrace_update_code() with a variant which makes
+the kernel text writable around the patching.
+
+This override was however added under the CONFIG_OLD_MCOUNT ifdef, and
+CONFIG_OLD_MCOUNT is only enabled if frame pointers are enabled.
+
+This leads to non-functional dynamic ftrace (ftrace triggers a
+WARN_ON()) when CONFIG_DEBUG_RODATA is enabled and CONFIG_FRAME_POINTER
+is not.
+
+Move the override out of that ifdef and into the CONFIG_DYNAMIC_FTRACE
+ifdef where it belongs.
+
+Fixes: 80d6b0c2eed2a ("ARM: mm: allow text and rodata sections to be read-only")
+Suggested-by: Nicolai Stange <nicstange@gmail.com>
+Suggested-by: Rabin Vincent <rabin@rab.in>
+Signed-off-by: Abel Vesa <abelvesa@gmail.com>
+Acked-by: Rabin Vincent <rabin@rab.in>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/kernel/ftrace.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/arch/arm/kernel/ftrace.c
++++ b/arch/arm/kernel/ftrace.c
+@@ -29,11 +29,6 @@
+ #endif
+
+ #ifdef CONFIG_DYNAMIC_FTRACE
+-#ifdef CONFIG_OLD_MCOUNT
+-#define OLD_MCOUNT_ADDR ((unsigned long) mcount)
+-#define OLD_FTRACE_ADDR ((unsigned long) ftrace_caller_old)
+-
+-#define OLD_NOP 0xe1a00000 /* mov r0, r0 */
+
+ static int __ftrace_modify_code(void *data)
+ {
+@@ -51,6 +46,12 @@ void arch_ftrace_update_code(int command
+ stop_machine(__ftrace_modify_code, &command, NULL);
+ }
+
++#ifdef CONFIG_OLD_MCOUNT
++#define OLD_MCOUNT_ADDR ((unsigned long) mcount)
++#define OLD_FTRACE_ADDR ((unsigned long) ftrace_caller_old)
++
++#define OLD_NOP 0xe1a00000 /* mov r0, r0 */
++
+ static unsigned long ftrace_nop_replace(struct dyn_ftrace *rec)
+ {
+ return rec->arch.old_mcount ? OLD_NOP : NOP;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Kishon Vijay Abraham I <kishon@ti.com>
+Date: Mon, 27 Mar 2017 15:15:20 +0530
+Subject: ARM: DRA7: clockdomain: Change the CLKTRCTRL of CM_PCIE_CLKSTCTRL to SW_WKUP
+
+From: Kishon Vijay Abraham I <kishon@ti.com>
+
+
+[ Upstream commit 2c949ce38f4e81d7487f165fa3b8f77d74a2a6c4 ]
+
+The PCIe programming sequence in TRM suggests CLKSTCTRL of PCIe should be
+set to SW_WKUP. There are no issues when CLKSTCTRL is set to HW_AUTO in RC
+mode. However in EP mode, the host system is not able to access the
+MEMSPACE and setting the CLKSTCTRL to SW_WKUP fixes it.
+
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-omap2/clockdomains7xx_data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/mach-omap2/clockdomains7xx_data.c
++++ b/arch/arm/mach-omap2/clockdomains7xx_data.c
+@@ -524,7 +524,7 @@ static struct clockdomain pcie_7xx_clkdm
+ .dep_bit = DRA7XX_PCIE_STATDEP_SHIFT,
+ .wkdep_srcs = pcie_wkup_sleep_deps,
+ .sleepdep_srcs = pcie_wkup_sleep_deps,
+- .flags = CLKDM_CAN_HWSUP_SWSUP,
++ .flags = CLKDM_CAN_SWSUP,
+ };
+
+ static struct clockdomain atl_7xx_clkdm = {
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Joel Stanley <joel@jms.id.au>
+Date: Mon, 18 Dec 2017 23:27:03 +1030
+Subject: ARM: dts: aspeed-evb: Add unit name to memory node
+
+From: Joel Stanley <joel@jms.id.au>
+
+
+[ Upstream commit e40ed274489a5f516da120186578eb379b452ac6 ]
+
+Fixes a warning when building with W=1.
+
+All of the ASPEED device trees build without warnings now.
+
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/aspeed-ast2500-evb.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/aspeed-ast2500-evb.dts
++++ b/arch/arm/boot/dts/aspeed-ast2500-evb.dts
+@@ -15,7 +15,7 @@
+ bootargs = "console=ttyS4,115200 earlyprintk";
+ };
+
+- memory {
++ memory@80000000 {
+ reg = <0x80000000 0x20000000>;
+ };
+ };
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Date: Mon, 17 Apr 2017 10:04:07 -0500
+Subject: ASoC: Intel: Atom: update Thinkpad 10 quirk
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+
+[ Upstream commit beb5989a8c6c6867b4e873cca2a66d31f977368f ]
+
+There are multiple skews of the same Lenovo audio hardware
+based on the Realtek RT5670 codec.
+
+Manufacturer: LENOVO
+ Product Name: 20C1CTO1WW
+ Version: ThinkPad 10
+
+Manufacturer: LENOVO
+ Product Name: 20C3001VHH
+ Version: ThinkPad 10
+
+Manufacturer: LENOVO
+ Product Name: 20C10024GE
+ Version: ThinkPad Tablet B
+
+Manufacturer: LENOVO
+ Product Name: 20359
+ Version: Lenovo Miix 2 10
+
+For all these devices, the same quirk is used to force
+the machine driver to be based on RT5670 instead of RT5640
+as indicated by the BIOS.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=96691
+Tested-by: Nicole Faerber <nicole.faerber@dpin.de>
+Tested-by: Viacheslav Ostroukh <v.dev@ostroukh.me>
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/intel/atom/sst/sst_acpi.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/sound/soc/intel/atom/sst/sst_acpi.c
++++ b/sound/soc/intel/atom/sst/sst_acpi.c
+@@ -420,7 +420,21 @@ static const struct dmi_system_id byt_ta
+ .callback = byt_thinkpad10_quirk_cb,
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+- DMI_MATCH(DMI_PRODUCT_NAME, "20C3001VHH"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad 10"),
++ },
++ },
++ {
++ .callback = byt_thinkpad10_quirk_cb,
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad Tablet B"),
++ },
++ },
++ {
++ .callback = byt_thinkpad10_quirk_cb,
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Miix 2 10"),
+ },
+ },
+ { }
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 20 Apr 2017 13:17:02 +0300
+Subject: ASoC: Intel: Skylake: Uninitialized variable in probe_codec()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit e6a33532affd14c12688c0e9b2e773e8b2550f3b ]
+
+My static checker complains that if snd_hdac_bus_get_response() returns
+-EIO then "res" is uninitialized. Fix this by initializing it to -1 so
+that the error is handled correctly.
+
+Fixes: d8c2dab8381d ("ASoC: Intel: Add Skylake HDA audio driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/intel/skylake/skl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/intel/skylake/skl.c
++++ b/sound/soc/intel/skylake/skl.c
+@@ -457,7 +457,7 @@ static int probe_codec(struct hdac_ext_b
+ struct hdac_bus *bus = ebus_to_hbus(ebus);
+ unsigned int cmd = (addr << 28) | (AC_NODE_ROOT << 20) |
+ (AC_VERB_PARAMETERS << 8) | AC_PAR_VENDOR_ID;
+- unsigned int res;
++ unsigned int res = -1;
+
+ mutex_lock(&bus->cmd_mutex);
+ snd_hdac_bus_send_cmd(bus, cmd);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
+Date: Wed, 12 Apr 2017 23:19:37 +0530
+Subject: ath: Fix updating radar flags for coutry code India
+
+From: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
+
+
+[ Upstream commit c0c345d4cacc6a1f39d4856f37dcf6e34f51a5e4 ]
+
+As per latest regulatory update for India, channel 52, 56, 60, 64
+is no longer restricted to DFS. Enabling DFS/no infra flags in driver
+results in applying all DFS related restrictions (like doing CAC etc
+before this channel moves to 'available state') for these channels
+even though the country code is programmed as 'India' in he hardware,
+fix this by relaxing the frequency range while applying RADAR flags
+only if the country code is programmed to India. If the frequency range
+needs to modified based on different country code, ath_is_radar_freq
+can be extended/modified dynamically.
+
+Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/regd.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/wireless/ath/regd.c
++++ b/drivers/net/wireless/ath/regd.c
+@@ -254,8 +254,12 @@ bool ath_is_49ghz_allowed(u16 regdomain)
+ EXPORT_SYMBOL(ath_is_49ghz_allowed);
+
+ /* Frequency is one where radar detection is required */
+-static bool ath_is_radar_freq(u16 center_freq)
++static bool ath_is_radar_freq(u16 center_freq,
++ struct ath_regulatory *reg)
++
+ {
++ if (reg->country_code == CTRY_INDIA)
++ return (center_freq >= 5500 && center_freq <= 5700);
+ return (center_freq >= 5260 && center_freq <= 5700);
+ }
+
+@@ -306,7 +310,7 @@ __ath_reg_apply_beaconing_flags(struct w
+ enum nl80211_reg_initiator initiator,
+ struct ieee80211_channel *ch)
+ {
+- if (ath_is_radar_freq(ch->center_freq) ||
++ if (ath_is_radar_freq(ch->center_freq, reg) ||
+ (ch->flags & IEEE80211_CHAN_RADAR))
+ return;
+
+@@ -395,8 +399,9 @@ ath_reg_apply_ir_flags(struct wiphy *wip
+ }
+ }
+
+-/* Always apply Radar/DFS rules on freq range 5260 MHz - 5700 MHz */
+-static void ath_reg_apply_radar_flags(struct wiphy *wiphy)
++/* Always apply Radar/DFS rules on freq range 5500 MHz - 5700 MHz */
++static void ath_reg_apply_radar_flags(struct wiphy *wiphy,
++ struct ath_regulatory *reg)
+ {
+ struct ieee80211_supported_band *sband;
+ struct ieee80211_channel *ch;
+@@ -409,7 +414,7 @@ static void ath_reg_apply_radar_flags(st
+
+ for (i = 0; i < sband->n_channels; i++) {
+ ch = &sband->channels[i];
+- if (!ath_is_radar_freq(ch->center_freq))
++ if (!ath_is_radar_freq(ch->center_freq, reg))
+ continue;
+ /* We always enable radar detection/DFS on this
+ * frequency range. Additionally we also apply on
+@@ -505,7 +510,7 @@ void ath_reg_notifier_apply(struct wiphy
+ struct ath_common *common = container_of(reg, struct ath_common,
+ regulatory);
+ /* We always apply this */
+- ath_reg_apply_radar_flags(wiphy);
++ ath_reg_apply_radar_flags(wiphy, reg);
+
+ /*
+ * This would happen when we have sent a custom regulatory request
+@@ -653,7 +658,7 @@ ath_regd_init_wiphy(struct ath_regulator
+ }
+
+ wiphy_apply_custom_regulatory(wiphy, regd);
+- ath_reg_apply_radar_flags(wiphy);
++ ath_reg_apply_radar_flags(wiphy, reg);
+ ath_reg_apply_world_flags(wiphy, NL80211_REGDOM_SET_BY_DRIVER, reg);
+ return 0;
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Michael Mera <dev@michaelmera.com>
+Date: Mon, 24 Apr 2017 16:11:57 +0900
+Subject: ath10k: fix out of bounds access to local buffer
+
+From: Michael Mera <dev@michaelmera.com>
+
+
+[ Upstream commit a16703aaeaedec7a8bee5be5522c7c3e75478951 ]
+
+During write to debugfs file simulate_fw_crash, fixed-size local buffer
+'buf' is accessed and modified at index 'count-1', where 'count' is the
+size of the write (so potentially out of bounds).
+This patch fixes this problem.
+
+Signed-off-by: Michael Mera <dev@michaelmera.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/debug.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/debug.c
++++ b/drivers/net/wireless/ath/ath10k/debug.c
+@@ -624,17 +624,21 @@ static ssize_t ath10k_write_simulate_fw_
+ size_t count, loff_t *ppos)
+ {
+ struct ath10k *ar = file->private_data;
+- char buf[32];
++ char buf[32] = {0};
++ ssize_t rc;
+ int ret;
+
+- simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
++ /* filter partial writes and invalid commands */
++ if (*ppos != 0 || count >= sizeof(buf) || count == 0)
++ return -EINVAL;
+
+- /* make sure that buf is null terminated */
+- buf[sizeof(buf) - 1] = 0;
++ rc = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
++ if (rc < 0)
++ return rc;
+
+ /* drop the possible '\n' from the end */
+- if (buf[count - 1] == '\n')
+- buf[count - 1] = 0;
++ if (buf[*ppos - 1] == '\n')
++ buf[*ppos - 1] = '\0';
+
+ mutex_lock(&ar->conf_mutex);
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Balaji Pothunoori <bpothuno@qti.qualcomm.com>
+Date: Thu, 7 Dec 2017 16:58:04 +0200
+Subject: ath10k: handling qos at STA side based on AP WMM enable/disable
+
+From: Balaji Pothunoori <bpothuno@qti.qualcomm.com>
+
+
+[ Upstream commit 07ffb4497360ae8789f05555fec8171ee952304d ]
+
+Data packets are not sent by STA in case of STA joined to
+non QOS AP (WMM disabled AP). This is happening because of STA
+is sending data packets to firmware from host with qos enabled
+along with non qos queue value(TID = 16).
+Due to qos enabled, firmware is discarding the packet.
+
+This patch fixes this issue by updating the qos based on station
+WME capability field if WMM is disabled in AP.
+
+This patch is required by 10.4 family chipsets like
+QCA4019/QCA9888/QCA9884/QCA99X0.
+Firmware Versoin : 10.4-3.5.1-00018.
+
+For 10.2.4 family chipsets QCA988X/QCA9887 and QCA6174 this patch
+has no effect.
+
+Signed-off-by: Balaji Pothunoori <bpothuno@qti.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -2505,7 +2505,7 @@ static void ath10k_peer_assoc_h_qos(stru
+ }
+ break;
+ case WMI_VDEV_TYPE_STA:
+- if (vif->bss_conf.qos)
++ if (sta->wme)
+ arg->peer_flags |= arvif->ar->wmi.peer_flags->qos;
+ break;
+ case WMI_VDEV_TYPE_IBSS:
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 4 May 2017 15:05:26 +0200
+Subject: block/mq: Cure cpu hotplug lock inversion
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+
+[ Upstream commit eabe06595d62cfa9278e2cd012df614bc68a7042 ]
+
+By poking at /debug/sched_features I triggered the following splat:
+
+ [] ======================================================
+ [] WARNING: possible circular locking dependency detected
+ [] 4.11.0-00873-g964c8b7-dirty #694 Not tainted
+ [] ------------------------------------------------------
+ [] bash/2109 is trying to acquire lock:
+ [] (cpu_hotplug_lock.rw_sem){++++++}, at: [<ffffffff8120cb8b>] static_key_slow_dec+0x1b/0x50
+ []
+ [] but task is already holding lock:
+ [] (&sb->s_type->i_mutex_key#4){+++++.}, at: [<ffffffff81140216>] sched_feat_write+0x86/0x170
+ []
+ [] which lock already depends on the new lock.
+ []
+ []
+ [] the existing dependency chain (in reverse order) is:
+ []
+ [] -> #2 (&sb->s_type->i_mutex_key#4){+++++.}:
+ [] lock_acquire+0x100/0x210
+ [] down_write+0x28/0x60
+ [] start_creating+0x5e/0xf0
+ [] debugfs_create_dir+0x13/0x110
+ [] blk_mq_debugfs_register+0x21/0x70
+ [] blk_mq_register_dev+0x64/0xd0
+ [] blk_register_queue+0x6a/0x170
+ [] device_add_disk+0x22d/0x440
+ [] loop_add+0x1f3/0x280
+ [] loop_init+0x104/0x142
+ [] do_one_initcall+0x43/0x180
+ [] kernel_init_freeable+0x1de/0x266
+ [] kernel_init+0xe/0x100
+ [] ret_from_fork+0x31/0x40
+ []
+ [] -> #1 (all_q_mutex){+.+.+.}:
+ [] lock_acquire+0x100/0x210
+ [] __mutex_lock+0x6c/0x960
+ [] mutex_lock_nested+0x1b/0x20
+ [] blk_mq_init_allocated_queue+0x37c/0x4e0
+ [] blk_mq_init_queue+0x3a/0x60
+ [] loop_add+0xe5/0x280
+ [] loop_init+0x104/0x142
+ [] do_one_initcall+0x43/0x180
+ [] kernel_init_freeable+0x1de/0x266
+ [] kernel_init+0xe/0x100
+ [] ret_from_fork+0x31/0x40
+
+ [] *** DEADLOCK ***
+ []
+ [] 3 locks held by bash/2109:
+ [] #0: (sb_writers#11){.+.+.+}, at: [<ffffffff81292bcd>] vfs_write+0x17d/0x1a0
+ [] #1: (debugfs_srcu){......}, at: [<ffffffff8155a90d>] full_proxy_write+0x5d/0xd0
+ [] #2: (&sb->s_type->i_mutex_key#4){+++++.}, at: [<ffffffff81140216>] sched_feat_write+0x86/0x170
+ []
+ [] stack backtrace:
+ [] CPU: 9 PID: 2109 Comm: bash Not tainted 4.11.0-00873-g964c8b7-dirty #694
+ [] Hardware name: Intel Corporation S2600GZ/S2600GZ, BIOS SE5C600.86B.02.02.0002.122320131210 12/23/2013
+ [] Call Trace:
+
+ [] lock_acquire+0x100/0x210
+ [] get_online_cpus+0x2a/0x90
+ [] static_key_slow_dec+0x1b/0x50
+ [] static_key_disable+0x20/0x30
+ [] sched_feat_write+0x131/0x170
+ [] full_proxy_write+0x97/0xd0
+ [] __vfs_write+0x28/0x120
+ [] vfs_write+0xb5/0x1a0
+ [] SyS_write+0x49/0xa0
+ [] entry_SYSCALL_64_fastpath+0x23/0xc2
+
+This is because of the cpu hotplug lock rework. Break the chain at #1
+by reversing the lock acquisition order. This way i_mutex_key#4 no
+longer depends on cpu_hotplug_lock and things are good.
+
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-mq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -2014,15 +2014,15 @@ struct request_queue *blk_mq_init_alloca
+
+ blk_mq_init_cpu_queues(q, set->nr_hw_queues);
+
+- get_online_cpus();
+ mutex_lock(&all_q_mutex);
++ get_online_cpus();
+
+ list_add_tail(&q->all_q_node, &all_q_list);
+ blk_mq_add_queue_tag_set(set, q);
+ blk_mq_map_swqueue(q, cpu_online_mask);
+
+- mutex_unlock(&all_q_mutex);
+ put_online_cpus();
++ mutex_unlock(&all_q_mutex);
+
+ return q;
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Loic Poulain <loic.poulain@linaro.org>
+Date: Wed, 22 Nov 2017 15:03:17 +0100
+Subject: Bluetooth: btqcomsmd: Fix skb double free corruption
+
+From: Loic Poulain <loic.poulain@linaro.org>
+
+
+[ Upstream commit 67b8fbead4685b36d290a0ef91c6ddffc4920ec9 ]
+
+In case of hci send frame failure, skb is still owned
+by the caller (hci_core) and then should not be freed.
+
+This fixes crash on dragonboard-410c when sending SCO
+packet. skb is freed by both btqcomsmd and hci_core.
+
+Fixes: 1511cc750c3d ("Bluetooth: Introduce Qualcomm WCNSS SMD based HCI driver")
+Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btqcomsmd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/bluetooth/btqcomsmd.c
++++ b/drivers/bluetooth/btqcomsmd.c
+@@ -85,7 +85,8 @@ static int btqcomsmd_send(struct hci_dev
+ break;
+ }
+
+- kfree_skb(skb);
++ if (!ret)
++ kfree_skb(skb);
+
+ return ret;
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Dean Jenkins <Dean_Jenkins@mentor.com>
+Date: Fri, 28 Apr 2017 13:57:25 +0100
+Subject: Bluetooth: hci_ldisc: Add protocol check to hci_uart_dequeue()
+
+From: Dean Jenkins <Dean_Jenkins@mentor.com>
+
+
+[ Upstream commit 048e1bd3a27fbeb84ccdff52e165370c1339a193 ]
+
+Before attempting to dequeue a Data Link protocol encapsulated message,
+check that the Data Link protocol is still bound to the HCI UART driver.
+This makes the code consistent with the usage of the other proto
+function pointers.
+
+Therefore, add a check for HCI_UART_PROTO_READY into hci_uart_dequeue()
+and return NULL if the Data Link protocol is not bound.
+
+This is needed for robustness as there is a scheduling race condition.
+hci_uart_write_work() is scheduled to run via work queue hu->write_work
+from hci_uart_tx_wakeup(). Therefore, there is a delay between
+scheduling hci_uart_write_work() to run and hci_uart_dequeue() running
+whereby the Data Link protocol layer could become unbound during the
+scheduling delay. In this case, without the check, the call to the
+unbound Data Link protocol layer dequeue function can crash.
+
+It is noted that hci_uart_tty_close() has a
+"cancel_work_sync(&hu->write_work)" statement but this only reduces
+the window of the race condition because it is possible for a new
+work-item to be added to work queue hu->write_work after the call to
+cancel_work_sync(). For example, Data Link layer retransmissions can
+be added to the work queue after the cancel_work_sync() has finished.
+
+Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/hci_ldisc.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -113,10 +113,12 @@ static inline struct sk_buff *hci_uart_d
+ {
+ struct sk_buff *skb = hu->tx_skb;
+
+- if (!skb)
+- skb = hu->proto->dequeue(hu);
+- else
++ if (!skb) {
++ if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
++ skb = hu->proto->dequeue(hu);
++ } else {
+ hu->tx_skb = NULL;
++ }
+
+ return skb;
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Dean Jenkins <Dean_Jenkins@mentor.com>
+Date: Fri, 28 Apr 2017 13:57:26 +0100
+Subject: Bluetooth: hci_ldisc: Add protocol check to hci_uart_tx_wakeup()
+
+From: Dean Jenkins <Dean_Jenkins@mentor.com>
+
+
+[ Upstream commit 2d6f1da168e1d62c47f7d50135ac4cbd8411dcb1 ]
+
+Before attempting to schedule a work-item onto hu->write_work in
+hci_uart_tx_wakeup(), check that the Data Link protocol layer is
+still bound to the HCI UART driver.
+
+Failure to perform this protocol check causes a race condition between
+the work queue hu->write_work running hci_uart_write_work() and the
+Data Link protocol layer being unbound (closed) in hci_uart_tty_close().
+
+Note hci_uart_tty_close() does have a "cancel_work_sync(&hu->write_work)"
+but it is ineffective because it cannot prevent work-items being added
+to hu->write_work after cancel_work_sync() has run.
+
+Therefore, add a check for HCI_UART_PROTO_READY into hci_uart_tx_wakeup()
+which prevents scheduling of the work queue when HCI_UART_PROTO_READY
+is in the clear state. However, note a small race condition remains
+because the hci_uart_tx_wakeup() thread can run in parallel with the
+hci_uart_tty_close() thread so it is possible that a schedule of
+hu->write_work can occur when HCI_UART_PROTO_READY is cleared. A complete
+solution needs locking of the threads which is implemented in a future
+commit.
+
+Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/hci_ldisc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -125,6 +125,9 @@ static inline struct sk_buff *hci_uart_d
+
+ int hci_uart_tx_wakeup(struct hci_uart *hu)
+ {
++ if (!test_bit(HCI_UART_PROTO_READY, &hu->flags))
++ return 0;
++
+ if (test_and_set_bit(HCI_UART_SENDING, &hu->tx_state)) {
+ set_bit(HCI_UART_TX_WAKEUP, &hu->tx_state);
+ return 0;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Loic Poulain <loic.poulain@linaro.org>
+Date: Mon, 6 Nov 2017 12:16:56 +0100
+Subject: Bluetooth: hci_qca: Avoid setup failure on missing rampatch
+
+From: Loic Poulain <loic.poulain@linaro.org>
+
+
+[ Upstream commit ba8f3597900291a93604643017fff66a14546015 ]
+
+Assuming that the original code idea was to enable in-band sleeping
+only if the setup_rome method returns succes and run in 'standard'
+mode otherwise, we should not return setup_rome return value which
+makes qca_setup fail if no rampatch/nvm file found.
+
+This fixes BT issue on the dragonboard-820C p4 which includes the
+following QCA controller:
+hci0: Product:0x00000008
+hci0: Patch :0x00000111
+hci0: ROM :0x00000302
+hci0: SOC :0x00000044
+
+Since there is no rampatch for this controller revision, just make
+it work as is.
+
+Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/hci_qca.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -936,6 +936,9 @@ static int qca_setup(struct hci_uart *hu
+ if (!ret) {
+ set_bit(STATE_IN_BAND_SLEEP_ENABLED, &qca->flags);
+ qca_debugfs_init(hdev);
++ } else if (ret == -ENOENT) {
++ /* No patch/nvm-config found, run with original fw/config */
++ ret = 0;
+ }
+
+ /* Setup bdaddr */
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Scott Wood <swood@redhat.com>
+Date: Fri, 28 Apr 2017 19:17:41 -0500
+Subject: bnx2x: Align RX buffers
+
+From: Scott Wood <swood@redhat.com>
+
+
+[ Upstream commit 9b70de6d0266888b3743f03802502e43131043c8 ]
+
+The bnx2x driver is not providing proper alignment on the receive buffers it
+passes to build_skb(), causing skb_shared_info to be misaligned.
+skb_shared_info contains an atomic, and while PPC normally supports
+unaligned accesses, it does not support unaligned atomics.
+
+Aligning the size of rx buffers will ensure that page_frag_alloc() returns
+aligned addresses.
+
+This can be reproduced on PPC by setting the network MTU to 1450 (or other
+non-multiple-of-4) and then generating sufficient inbound network traffic
+(one or two large "wget"s usually does it), producing the following oops:
+
+Unable to handle kernel paging request for unaligned access at address 0xc00000ffc43af656
+Faulting instruction address: 0xc00000000080ef8c
+Oops: Kernel access of bad area, sig: 7 [#1]
+SMP NR_CPUS=2048
+NUMA
+PowerNV
+Modules linked in: vmx_crypto powernv_rng rng_core powernv_op_panel leds_powernv led_class nfsd ip_tables x_tables autofs4 xfs lpfc bnx2x mdio libcrc32c crc_t10dif crct10dif_generic crct10dif_common
+CPU: 104 PID: 0 Comm: swapper/104 Not tainted 4.11.0-rc8-00088-g4c761da #2
+task: c00000ffd4892400 task.stack: c00000ffd4920000
+NIP: c00000000080ef8c LR: c00000000080eee8 CTR: c0000000001f8320
+REGS: c00000ffffc33710 TRAP: 0600 Not tainted (4.11.0-rc8-00088-g4c761da)
+MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE>
+ CR: 24082042 XER: 00000000
+CFAR: c00000000080eea0 DAR: c00000ffc43af656 DSISR: 00000000 SOFTE: 1
+GPR00: c000000000907f64 c00000ffffc33990 c000000000dd3b00 c00000ffcaf22100
+GPR04: c00000ffcaf22e00 0000000000000000 0000000000000000 0000000000000000
+GPR08: 0000000000b80008 c00000ffc43af636 c00000ffc43af656 0000000000000000
+GPR12: c0000000001f6f00 c00000000fe1a000 000000000000049f 000000000000c51f
+GPR16: 00000000ffffef33 0000000000000000 0000000000008a43 0000000000000001
+GPR20: c00000ffc58a90c0 0000000000000000 000000000000dd86 0000000000000000
+GPR24: c000007fd0ed10c0 00000000ffffffff 0000000000000158 000000000000014a
+GPR28: c00000ffc43af010 c00000ffc9144000 c00000ffcaf22e00 c00000ffcaf22100
+NIP [c00000000080ef8c] __skb_clone+0xdc/0x140
+LR [c00000000080eee8] __skb_clone+0x38/0x140
+Call Trace:
+[c00000ffffc33990] [c00000000080fb74] skb_clone+0x74/0x110 (unreliable)
+[c00000ffffc339c0] [c000000000907f64] packet_rcv+0x144/0x510
+[c00000ffffc33a40] [c000000000827b64] __netif_receive_skb_core+0x5b4/0xd80
+[c00000ffffc33b00] [c00000000082b2bc] netif_receive_skb_internal+0x2c/0xc0
+[c00000ffffc33b40] [c00000000082c49c] napi_gro_receive+0x11c/0x260
+[c00000ffffc33b80] [d000000066483d68] bnx2x_poll+0xcf8/0x17b0 [bnx2x]
+[c00000ffffc33d00] [c00000000082babc] net_rx_action+0x31c/0x480
+[c00000ffffc33e10] [c0000000000d5a44] __do_softirq+0x164/0x3d0
+[c00000ffffc33f00] [c0000000000d60a8] irq_exit+0x108/0x120
+[c00000ffffc33f20] [c000000000015b98] __do_irq+0x98/0x200
+[c00000ffffc33f90] [c000000000027f14] call_do_irq+0x14/0x24
+[c00000ffd4923a90] [c000000000015d94] do_IRQ+0x94/0x110
+[c00000ffd4923ae0] [c000000000008d90] hardware_interrupt_common+0x150/0x160
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -2026,6 +2026,7 @@ static void bnx2x_set_rx_buf_size(struct
+ ETH_OVREHEAD +
+ mtu +
+ BNX2X_FW_RX_ALIGN_END;
++ fp->rx_buf_size = SKB_DATA_ALIGN(fp->rx_buf_size);
+ /* Note : rx_buf_size doesn't take into account NET_SKB_PAD */
+ if (fp->rx_buf_size + NET_SKB_PAD <= PAGE_SIZE)
+ fp->rx_frag_size = fp->rx_buf_size + NET_SKB_PAD;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Mahesh Bandewar <maheshb@google.com>
+Date: Tue, 11 Apr 2017 22:36:00 -0700
+Subject: bonding: handle link transition from FAIL to UP correctly
+
+From: Mahesh Bandewar <maheshb@google.com>
+
+
+[ Upstream commit fb9eb899a6dc663e4a2deed9af2ac28f507d0ffb ]
+
+When link transitions from LINK_FAIL to LINK_UP, the commit phase is
+not called. This leads to an erroneous state causing slave-link state to
+get stuck in "going down" state while its speed and duplex are perfectly
+fine. This issue is a side-effect of splitting link-set into propose and
+commit phases introduced by de77ecd4ef02 ("bonding: improve link-status
+update in mii-monitoring")
+
+This patch fixes these issues by calling commit phase whenever link
+state change is proposed.
+
+Fixes: de77ecd4ef02 ("bonding: improve link-status update in mii-monitoring")
+Signed-off-by: Mahesh Bandewar <maheshb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2067,6 +2067,7 @@ static int bond_miimon_inspect(struct bo
+ (bond->params.downdelay - slave->delay) *
+ bond->params.miimon,
+ slave->dev->name);
++ commit++;
+ continue;
+ }
+
+@@ -2104,7 +2105,7 @@ static int bond_miimon_inspect(struct bo
+ (bond->params.updelay - slave->delay) *
+ bond->params.miimon,
+ slave->dev->name);
+-
++ commit++;
+ continue;
+ }
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Adam Borowski <kilobyte@angband.pl>
+Date: Tue, 7 Mar 2017 23:34:44 +0100
+Subject: btrfs: fix a bogus warning when converting only data or metadata
+
+From: Adam Borowski <kilobyte@angband.pl>
+
+
+[ Upstream commit 14506127979a5a3d0c5d9b4cc76ce9d4ec23b717 ]
+
+If your filesystem has, eg, data:raid0 metadata:raid1, and you run "btrfs
+balance -dconvert=raid1", the meta.target field will be uninitialized.
+That's otherwise ok, as it's unused except for this warning.
+
+Thus, let's use the existing set of raid levels for the comparison.
+
+As a side effect, non-convert balances will now nag about data>metadata.
+
+Signed-off-by: Adam Borowski <kilobyte@angband.pl>
+Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -3765,6 +3765,7 @@ int btrfs_balance(struct btrfs_balance_c
+ struct btrfs_ioctl_balance_args *bargs)
+ {
+ struct btrfs_fs_info *fs_info = bctl->fs_info;
++ u64 meta_target, data_target;
+ u64 allowed;
+ int mixed = 0;
+ int ret;
+@@ -3861,11 +3862,16 @@ int btrfs_balance(struct btrfs_balance_c
+ }
+ } while (read_seqretry(&fs_info->profiles_lock, seq));
+
+- if (btrfs_get_num_tolerated_disk_barrier_failures(bctl->meta.target) <
+- btrfs_get_num_tolerated_disk_barrier_failures(bctl->data.target)) {
++ /* if we're not converting, the target field is uninitialized */
++ meta_target = (bctl->meta.flags & BTRFS_BALANCE_ARGS_CONVERT) ?
++ bctl->meta.target : fs_info->avail_metadata_alloc_bits;
++ data_target = (bctl->data.flags & BTRFS_BALANCE_ARGS_CONVERT) ?
++ bctl->data.target : fs_info->avail_data_alloc_bits;
++ if (btrfs_get_num_tolerated_disk_barrier_failures(meta_target) <
++ btrfs_get_num_tolerated_disk_barrier_failures(data_target)) {
+ btrfs_warn(fs_info,
+ "metadata profile 0x%llx has lower redundancy than data profile 0x%llx",
+- bctl->meta.target, bctl->data.target);
++ meta_target, data_target);
+ }
+
+ if (bctl->sys.flags & BTRFS_BALANCE_ARGS_CONVERT) {
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Filipe Manana <fdmanana@suse.com>
+Date: Mon, 3 Apr 2017 15:57:17 +0100
+Subject: Btrfs: fix extent map leak during fallocate error path
+
+From: Filipe Manana <fdmanana@suse.com>
+
+
+[ Upstream commit be2d253cc98244765323a7c94cc1ac5cd5a17072 ]
+
+If the call to btrfs_qgroup_reserve_data() failed, we were leaking an
+extent map structure. The failure can happen either due to an -ENOMEM
+condition or, when quotas are enabled, due to -EDQUOT for example.
+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/file.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -2817,8 +2817,10 @@ static long btrfs_fallocate(struct file
+ }
+ ret = btrfs_qgroup_reserve_data(inode, cur_offset,
+ last_byte - cur_offset);
+- if (ret < 0)
++ if (ret < 0) {
++ free_extent_map(em);
+ break;
++ }
+ } else {
+ /*
+ * Do not need to reserve unwritten extent for this
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Filipe Manana <fdmanana@suse.com>
+Date: Wed, 8 Mar 2017 16:43:49 +0000
+Subject: Btrfs: fix incorrect space accounting after failure to insert inline extent
+
+From: Filipe Manana <fdmanana@suse.com>
+
+
+[ Upstream commit 1c81ba237bcecad9bc885a1ddcf02d725ea38482 ]
+
+When using compression, if we fail to insert an inline extent we
+incorrectly end up attempting to free the reserved data space twice,
+once through extent_clear_unlock_delalloc(), because we pass it the
+flag EXTENT_DO_ACCOUNTING, and once through a direct call to
+btrfs_free_reserved_data_space_noquota(). This results in a trace
+like the following:
+
+[ 834.576240] ------------[ cut here ]------------
+[ 834.576825] WARNING: CPU: 2 PID: 486 at fs/btrfs/extent-tree.c:4316 btrfs_free_reserved_data_space_noquota+0x60/0x9f [btrfs]
+[ 834.579501] Modules linked in: btrfs crc32c_generic xor raid6_pq ppdev i2c_piix4 acpi_cpufreq psmouse tpm_tis parport_pc pcspkr serio_raw tpm_tis_core sg parport evdev i2c_core tpm button loop autofs4 ext4 crc16 jbd2 mbcache sr_mod cdrom sd_mod ata_generic virtio_scsi ata_piix virtio_pci libata virtio_ring virtio scsi_mod e1000 floppy [last unloaded: btrfs]
+[ 834.592116] CPU: 2 PID: 486 Comm: kworker/u32:4 Not tainted 4.10.0-rc8-btrfs-next-37+ #2
+[ 834.593316] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.1-0-gb3ef39f-prebuilt.qemu-project.org 04/01/2014
+[ 834.595273] Workqueue: btrfs-delalloc btrfs_delalloc_helper [btrfs]
+[ 834.596103] Call Trace:
+[ 834.596103] dump_stack+0x67/0x90
+[ 834.596103] __warn+0xc2/0xdd
+[ 834.596103] warn_slowpath_null+0x1d/0x1f
+[ 834.596103] btrfs_free_reserved_data_space_noquota+0x60/0x9f [btrfs]
+[ 834.596103] compress_file_range.constprop.42+0x2fa/0x3fc [btrfs]
+[ 834.596103] ? submit_compressed_extents+0x3a7/0x3a7 [btrfs]
+[ 834.596103] async_cow_start+0x32/0x4d [btrfs]
+[ 834.596103] btrfs_scrubparity_helper+0x187/0x3e7 [btrfs]
+[ 834.596103] btrfs_delalloc_helper+0xe/0x10 [btrfs]
+[ 834.596103] process_one_work+0x273/0x4e4
+[ 834.596103] worker_thread+0x1eb/0x2ca
+[ 834.596103] ? rescuer_thread+0x2b6/0x2b6
+[ 834.596103] kthread+0x100/0x108
+[ 834.596103] ? __list_del_entry+0x22/0x22
+[ 834.596103] ret_from_fork+0x2e/0x40
+[ 834.611656] ---[ end trace 719902fe6bdef08f ]---
+
+So fix this by not calling directly btrfs_free_reserved_data_space_noquota()
+if an error happened.
+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/inode.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -567,8 +567,10 @@ cont:
+ PAGE_SET_WRITEBACK |
+ page_error_op |
+ PAGE_END_WRITEBACK);
+- btrfs_free_reserved_data_space_noquota(inode, start,
+- end - start + 1);
++ if (ret == 0)
++ btrfs_free_reserved_data_space_noquota(inode,
++ start,
++ end - start + 1);
+ goto free_pages_out;
+ }
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Filipe Manana <fdmanana@suse.com>
+Date: Tue, 4 Apr 2017 20:31:00 +0100
+Subject: Btrfs: send, fix file hole not being preserved due to inline extent
+
+From: Filipe Manana <fdmanana@suse.com>
+
+
+[ Upstream commit e1cbfd7bf6dabdac561c75d08357571f44040a45 ]
+
+Normally we don't have inline extents followed by regular extents, but
+there's currently at least one harmless case where this happens. For
+example, when the page size is 4Kb and compression is enabled:
+
+ $ mkfs.btrfs -f /dev/sdb
+ $ mount -o compress /dev/sdb /mnt
+ $ xfs_io -f -c "pwrite -S 0xaa 0 4K" -c "fsync" /mnt/foobar
+ $ xfs_io -c "pwrite -S 0xbb 8K 4K" -c "fsync" /mnt/foobar
+
+In this case we get a compressed inline extent, representing 4Kb of
+data, followed by a hole extent and then a regular data extent. The
+inline extent was not expanded/converted to a regular extent exactly
+because it represents 4Kb of data. This does not cause any apparent
+problem (such as the issue solved by commit e1699d2d7bf6
+("btrfs: add missing memset while reading compressed inline extents"))
+except trigger an unexpected case in the incremental send code path
+that makes us issue an operation to write a hole when it's not needed,
+resulting in more writes at the receiver and wasting space at the
+receiver.
+
+So teach the incremental send code to deal with this particular case.
+
+The issue can be currently triggered by running fstests btrfs/137 with
+compression enabled (MOUNT_OPTIONS="-o compress" ./check btrfs/137).
+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/send.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -5156,13 +5156,19 @@ static int is_extent_unchanged(struct se
+ while (key.offset < ekey->offset + left_len) {
+ ei = btrfs_item_ptr(eb, slot, struct btrfs_file_extent_item);
+ right_type = btrfs_file_extent_type(eb, ei);
+- if (right_type != BTRFS_FILE_EXTENT_REG) {
++ if (right_type != BTRFS_FILE_EXTENT_REG &&
++ right_type != BTRFS_FILE_EXTENT_INLINE) {
+ ret = 0;
+ goto out;
+ }
+
+ right_disknr = btrfs_file_extent_disk_bytenr(eb, ei);
+- right_len = btrfs_file_extent_num_bytes(eb, ei);
++ if (right_type == BTRFS_FILE_EXTENT_INLINE) {
++ right_len = btrfs_file_extent_inline_len(eb, slot, ei);
++ right_len = PAGE_ALIGN(right_len);
++ } else {
++ right_len = btrfs_file_extent_num_bytes(eb, ei);
++ }
+ right_offset = btrfs_file_extent_offset(eb, ei);
+ right_gen = btrfs_file_extent_generation(eb, ei);
+
+@@ -5176,6 +5182,19 @@ static int is_extent_unchanged(struct se
+ goto out;
+ }
+
++ /*
++ * We just wanted to see if when we have an inline extent, what
++ * follows it is a regular extent (wanted to check the above
++ * condition for inline extents too). This should normally not
++ * happen but it's possible for example when we have an inline
++ * compressed extent representing data with a size matching
++ * the page size (currently the same as sector size).
++ */
++ if (right_type == BTRFS_FILE_EXTENT_INLINE) {
++ ret = 0;
++ goto out;
++ }
++
+ left_offset_fixed = left_offset;
+ if (key.offset < ekey->offset) {
+ /* Fix the right offset for 2a and 7. */
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 1 May 2017 21:43:43 +0300
+Subject: cifs: small underflow in cnvrtDosUnixTm()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit 564277eceeca01e02b1ef3e141cfb939184601b4 ]
+
+January is month 1. There is no zero-th month. If someone passes a
+zero month then it means we read from one space before the start of the
+total_days_of_prev_months[] array.
+
+We may as well also be strict about days as well.
+
+Fixes: 1bd5bbcb6531 ("[CIFS] Legacy time handling for Win9x and OS/2 part 1")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/netmisc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/cifs/netmisc.c
++++ b/fs/cifs/netmisc.c
+@@ -980,10 +980,10 @@ struct timespec cnvrtDosUnixTm(__le16 le
+ cifs_dbg(VFS, "illegal hours %d\n", st->Hours);
+ days = sd->Day;
+ month = sd->Month;
+- if ((days > 31) || (month > 12)) {
++ if (days < 1 || days > 31 || month < 1 || month > 12) {
+ cifs_dbg(VFS, "illegal date, month %d day: %d\n", month, days);
+- if (month > 12)
+- month = 12;
++ days = clamp(days, 1, 31);
++ month = clamp(month, 1, 12);
+ }
+ month -= 1;
+ days += total_days_of_prev_months[month];
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Tue, 5 Sep 2017 11:32:40 +0200
+Subject: clk: axi-clkgen: Correctly handle nocount bit in recalc_rate()
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+
+[ Upstream commit 063578dc5f407f67d149133818efabe457daafda ]
+
+If the nocount bit is set the divider is bypassed and the settings for the
+divider count should be ignored and a divider value of 1 should be assumed.
+Handle this correctly in the driver recalc_rate() callback.
+
+While the driver sets up the part so that the read back dividers values
+yield the correct result the power-on reset settings of the part might not
+reflect this and hence calling e.g. clk_get_rate() without prior calls to
+clk_set_rate() will yield the wrong result.
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/clk-axi-clkgen.c | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+--- a/drivers/clk/clk-axi-clkgen.c
++++ b/drivers/clk/clk-axi-clkgen.c
+@@ -40,6 +40,10 @@
+ #define MMCM_REG_FILTER1 0x4e
+ #define MMCM_REG_FILTER2 0x4f
+
++#define MMCM_CLKOUT_NOCOUNT BIT(6)
++
++#define MMCM_CLK_DIV_NOCOUNT BIT(12)
++
+ struct axi_clkgen {
+ void __iomem *base;
+ struct clk_hw clk_hw;
+@@ -315,12 +319,27 @@ static unsigned long axi_clkgen_recalc_r
+ unsigned int reg;
+ unsigned long long tmp;
+
+- axi_clkgen_mmcm_read(axi_clkgen, MMCM_REG_CLKOUT0_1, ®);
+- dout = (reg & 0x3f) + ((reg >> 6) & 0x3f);
++ axi_clkgen_mmcm_read(axi_clkgen, MMCM_REG_CLKOUT0_2, ®);
++ if (reg & MMCM_CLKOUT_NOCOUNT) {
++ dout = 1;
++ } else {
++ axi_clkgen_mmcm_read(axi_clkgen, MMCM_REG_CLKOUT0_1, ®);
++ dout = (reg & 0x3f) + ((reg >> 6) & 0x3f);
++ }
++
+ axi_clkgen_mmcm_read(axi_clkgen, MMCM_REG_CLK_DIV, ®);
+- d = (reg & 0x3f) + ((reg >> 6) & 0x3f);
+- axi_clkgen_mmcm_read(axi_clkgen, MMCM_REG_CLK_FB1, ®);
+- m = (reg & 0x3f) + ((reg >> 6) & 0x3f);
++ if (reg & MMCM_CLK_DIV_NOCOUNT)
++ d = 1;
++ else
++ d = (reg & 0x3f) + ((reg >> 6) & 0x3f);
++
++ axi_clkgen_mmcm_read(axi_clkgen, MMCM_REG_CLK_FB2, ®);
++ if (reg & MMCM_CLKOUT_NOCOUNT) {
++ m = 1;
++ } else {
++ axi_clkgen_mmcm_read(axi_clkgen, MMCM_REG_CLK_FB1, ®);
++ m = (reg & 0x3f) + ((reg >> 6) & 0x3f);
++ }
+
+ if (d == 0 || dout == 0)
+ return 0;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Stephen Boyd <sboyd@codeaurora.org>
+Date: Thu, 2 Nov 2017 00:36:09 -0700
+Subject: clk: Don't touch hardware when reparenting during registration
+
+From: Stephen Boyd <sboyd@codeaurora.org>
+
+
+[ Upstream commit f8f8f1d04494d3a6546bee3f0618c4dba31d7b72 ]
+
+The orphan clocks reparent operation shouldn't touch the hardware
+if clocks are enabled, otherwise it may get a chance to disable a
+newly registered critical clock which triggers the warning below.
+
+Assuming we have two clocks: A and B, B is the parent of A.
+Clock A has flag: CLK_OPS_PARENT_ENABLE
+Clock B has flag: CLK_IS_CRITICAL
+
+Step 1:
+Clock A is registered, then it becomes orphan.
+
+Step 2:
+Clock B is registered. Before clock B reach the critical clock enable
+operation, orphan A will find the newly registered parent B and do
+reparent operation, then parent B will be finally disabled in
+__clk_set_parent_after() due to CLK_OPS_PARENT_ENABLE flag as there's
+still no users of B which will then trigger the following warning.
+
+WARNING: CPU: 0 PID: 0 at drivers/clk/clk.c:597 clk_core_disable+0xb4/0xe0
+Modules linked in:
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.11.0-rc1-00056-gdff1f66-dirty #1373
+Hardware name: Generic DT based system
+Backtrace:
+[<c010c4bc>] (dump_backtrace) from [<c010c764>] (show_stack+0x18/0x1c)
+ r6:600000d3 r5:00000000 r4:c0e26358 r3:00000000
+[<c010c74c>] (show_stack) from [<c040599c>] (dump_stack+0xb4/0xe8)
+[<c04058e8>] (dump_stack) from [<c0125c94>] (__warn+0xd8/0x104)
+ r10:c0c21cd0 r9:c048aa78 r8:00000255 r7:00000009 r6:c0c1cd90 r5:00000000
+ r4:00000000 r3:c0e01d34
+[<c0125bbc>] (__warn) from [<c0125d74>] (warn_slowpath_null+0x28/0x30)
+ r9:00000000 r8:ef00bf80 r7:c165ac4c r6:ef00bf80 r5:ef00bf80 r4:ef00bf80
+[<c0125d4c>] (warn_slowpath_null) from [<c048aa78>] (clk_core_disable+0xb4/0xe0)
+[<c048a9c4>] (clk_core_disable) from [<c048be88>] (clk_core_disable_lock+0x20/0x2c)
+ r4:000000d3 r3:c0e0af00
+[<c048be68>] (clk_core_disable_lock) from [<c048c224>] (clk_core_disable_unprepare+0x14/0x28)
+ r5:00000000 r4:ef00bf80
+[<c048c210>] (clk_core_disable_unprepare) from [<c048c270>] (__clk_set_parent_after+0x38/0x54)
+ r4:ef00bd80 r3:000010a0
+[<c048c238>] (__clk_set_parent_after) from [<c048daa8>] (clk_register+0x4d0/0x648)
+ r6:ef00d500 r5:ef00bf80 r4:ef00bd80 r3:ef00bfd4
+[<c048d5d8>] (clk_register) from [<c048dc30>] (clk_hw_register+0x10/0x1c)
+ r9:00000000 r8:00000003 r7:00000000 r6:00000824 r5:00000001 r4:ef00d500
+[<c048dc20>] (clk_hw_register) from [<c048e698>] (_register_divider+0xcc/0x120)
+[<c048e5cc>] (_register_divider) from [<c048e730>] (clk_register_divider+0x44/0x54)
+ r10:00000004 r9:00000003 r8:00000001 r7:00000000 r6:00000003 r5:00000001
+ r4:f0810030
+[<c048e6ec>] (clk_register_divider) from [<c0d3ff58>] (imx7ulp_clocks_init+0x558/0xe98)
+ r7:c0e296f8 r6:c165c808 r5:00000000 r4:c165c808
+[<c0d3fa00>] (imx7ulp_clocks_init) from [<c0d24db0>] (of_clk_init+0x118/0x1e0)
+ r10:00000001 r9:c0e01f68 r8:00000000 r7:c0e01f60 r6:ef7f8974 r5:ef0035c0
+ r4:00000006
+[<c0d24c98>] (of_clk_init) from [<c0d04a50>] (time_init+0x2c/0x38)
+ r10:efffed40 r9:c0d61a48 r8:c0e78000 r7:c0e07900 r6:ffffffff r5:c0e78000
+ r4:00000000
+[<c0d04a24>] (time_init) from [<c0d00b8c>] (start_kernel+0x218/0x394)
+[<c0d00974>] (start_kernel) from [<6000807c>] (0x6000807c)
+ r10:00000000 r9:410fc075 r8:6000406a r7:c0e0c930 r6:c0d61a44 r5:c0e07918
+ r4:c0e78294
+
+We know that the clk isn't enabled with any sort of prepare_count
+here so we don't need to enable anything to prevent a race. And
+we're holding the prepare mutex so set_rate/set_parent can't race
+here either. Based on an earlier patch by Dong Aisheng.
+
+Fixes: fc8726a2c021 ("clk: core: support clocks which requires parents enable (part 2)")
+Cc: Michael Turquette <mturquette@baylibre.com>
+Cc: Shawn Guo <shawnguo@kernel.org>
+Reported-by: Dong Aisheng <aisheng.dong@nxp.com>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/clk.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/clk.c
++++ b/drivers/clk/clk.c
+@@ -2443,14 +2443,17 @@ static int __clk_core_init(struct clk_co
+ */
+ hlist_for_each_entry_safe(orphan, tmp2, &clk_orphan_list, child_node) {
+ struct clk_core *parent = __clk_init_parent(orphan);
++ unsigned long flags;
+
+ /*
+ * we could call __clk_set_parent, but that would result in a
+ * redundant call to the .set_rate op, if it exists
+ */
+ if (parent) {
+- __clk_set_parent_before(orphan, parent);
+- __clk_set_parent_after(orphan, parent, NULL);
++ /* update the clk tree topology */
++ flags = clk_enable_lock();
++ clk_reparent(orphan, parent);
++ clk_enable_unlock(flags);
+ __clk_recalc_accuracies(orphan);
+ __clk_recalc_rates(orphan, 0);
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Bharat Kumar Reddy Gooty <bharat.gooty@broadcom.com>
+Date: Mon, 20 Mar 2017 18:12:14 -0400
+Subject: clk: ns2: Correct SDIO bits
+
+From: Bharat Kumar Reddy Gooty <bharat.gooty@broadcom.com>
+
+
+[ Upstream commit 8973aa4aecac223548366ca81818309a0f0efa6d ]
+
+Corrected the bits for power and iso.
+
+Signed-off-by: Bharat Kumar Reddy Gooty <bharat.gooty@broadcom.com>
+Signed-off-by: Jon Mason <jon.mason@broadcom.com>
+Fixes: f7225a83 ("clk: ns2: add clock support for Broadcom Northstar 2 SoC")
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/bcm/clk-ns2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/bcm/clk-ns2.c
++++ b/drivers/clk/bcm/clk-ns2.c
+@@ -103,7 +103,7 @@ CLK_OF_DECLARE(ns2_genpll_src_clk, "brcm
+
+ static const struct iproc_pll_ctrl genpll_sw = {
+ .flags = IPROC_CLK_AON | IPROC_CLK_PLL_SPLIT_STAT_CTRL,
+- .aon = AON_VAL(0x0, 2, 9, 8),
++ .aon = AON_VAL(0x0, 1, 11, 10),
+ .reset = RESET_VAL(0x4, 2, 1),
+ .dig_filter = DF_VAL(0x0, 9, 3, 5, 4, 2, 3),
+ .ndiv_int = REG_VAL(0x8, 4, 10),
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Sergej Sawazki <sergej@taudac.com>
+Date: Tue, 25 Jul 2017 23:21:02 +0200
+Subject: clk: si5351: Rename internal plls to avoid name collisions
+
+From: Sergej Sawazki <sergej@taudac.com>
+
+
+[ Upstream commit cdba9a4fb0b53703959ac861e415816cb61aded4 ]
+
+This drivers probe fails due to a clock name collision if a clock named
+'plla' or 'pllb' is already registered when registering this drivers
+internal plls.
+
+Fix it by renaming internal plls to avoid name collisions.
+
+Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
+Cc: Rabeeh Khoury <rabeeh@solid-run.com>
+Signed-off-by: Sergej Sawazki <sergej@taudac.com>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/clk-si5351.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/clk-si5351.c
++++ b/drivers/clk/clk-si5351.c
+@@ -72,7 +72,7 @@ static const char * const si5351_input_n
+ "xtal", "clkin"
+ };
+ static const char * const si5351_pll_names[] = {
+- "plla", "pllb", "vxco"
++ "si5351_plla", "si5351_pllb", "si5351_vxco"
+ };
+ static const char * const si5351_msynth_names[] = {
+ "ms0", "ms1", "ms2", "ms3", "ms4", "ms5", "ms6", "ms7"
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Robert Walker <robert.walker@arm.com>
+Date: Mon, 18 Dec 2017 11:05:44 -0700
+Subject: coresight: Fix disabling of CoreSight TPIU
+
+From: Robert Walker <robert.walker@arm.com>
+
+
+[ Upstream commit 11595db8e17faaa05fadc25746c870e31276962f ]
+
+The CoreSight TPIU should be disabled when tracing to other sinks to allow
+them to operate at full bandwidth.
+
+This patch fixes tpiu_disable_hw() to correctly disable the TPIU by
+configuring the TPIU to stop on flush, initiating a manual flush, waiting
+for the flush to complete and then waits for the TPIU to indicate it has
+stopped.
+
+Signed-off-by: Robert Walker <robert.walker@arm.com>
+Tested-by: Mike Leach <mike.leach@linaro.org>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/coresight/coresight-tpiu.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/hwtracing/coresight/coresight-tpiu.c
++++ b/drivers/hwtracing/coresight/coresight-tpiu.c
+@@ -46,8 +46,11 @@
+ #define TPIU_ITATBCTR0 0xef8
+
+ /** register definition **/
++/* FFSR - 0x300 */
++#define FFSR_FT_STOPPED BIT(1)
+ /* FFCR - 0x304 */
+ #define FFCR_FON_MAN BIT(6)
++#define FFCR_STOP_FI BIT(12)
+
+ /**
+ * @base: memory mapped base address for this component.
+@@ -85,10 +88,14 @@ static void tpiu_disable_hw(struct tpiu_
+ {
+ CS_UNLOCK(drvdata->base);
+
+- /* Clear formatter controle reg. */
+- writel_relaxed(0x0, drvdata->base + TPIU_FFCR);
++ /* Clear formatter and stop on flush */
++ writel_relaxed(FFCR_STOP_FI, drvdata->base + TPIU_FFCR);
+ /* Generate manual flush */
+- writel_relaxed(FFCR_FON_MAN, drvdata->base + TPIU_FFCR);
++ writel_relaxed(FFCR_STOP_FI | FFCR_FON_MAN, drvdata->base + TPIU_FFCR);
++ /* Wait for flush to complete */
++ coresight_timeout(drvdata->base, TPIU_FFCR, FFCR_FON_MAN, 0);
++ /* Wait for formatter to stop */
++ coresight_timeout(drvdata->base, TPIU_FFSR, FFSR_FT_STOPPED, 1);
+
+ CS_LOCK(drvdata->base);
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 12 Apr 2017 22:07:36 +0200
+Subject: cpufreq/sh: Replace racy task affinity logic
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+
+[ Upstream commit 205dcc1ecbc566cbc20acf246e68de3b080b3ecf ]
+
+The target() callback must run on the affected cpu. This is achieved by
+temporarily setting the affinity of the calling thread to the requested CPU
+and reset it to the original affinity afterwards.
+
+That's racy vs. concurrent affinity settings for that thread resulting in
+code executing on the wrong CPU.
+
+Replace it by work_on_cpu(). All call pathes which invoke the callbacks are
+already protected against CPU hotplug.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Sebastian Siewior <bigeasy@linutronix.de>
+Cc: linux-pm@vger.kernel.org
+Cc: Lai Jiangshan <jiangshanlai@gmail.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Len Brown <lenb@kernel.org>
+Link: http://lkml.kernel.org/r/20170412201042.958216363@linutronix.de
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/sh-cpufreq.c | 45 +++++++++++++++++++++++++------------------
+ 1 file changed, 27 insertions(+), 18 deletions(-)
+
+--- a/drivers/cpufreq/sh-cpufreq.c
++++ b/drivers/cpufreq/sh-cpufreq.c
+@@ -30,54 +30,63 @@
+
+ static DEFINE_PER_CPU(struct clk, sh_cpuclk);
+
++struct cpufreq_target {
++ struct cpufreq_policy *policy;
++ unsigned int freq;
++};
++
+ static unsigned int sh_cpufreq_get(unsigned int cpu)
+ {
+ return (clk_get_rate(&per_cpu(sh_cpuclk, cpu)) + 500) / 1000;
+ }
+
+-/*
+- * Here we notify other drivers of the proposed change and the final change.
+- */
+-static int sh_cpufreq_target(struct cpufreq_policy *policy,
+- unsigned int target_freq,
+- unsigned int relation)
++static long __sh_cpufreq_target(void *arg)
+ {
+- unsigned int cpu = policy->cpu;
++ struct cpufreq_target *target = arg;
++ struct cpufreq_policy *policy = target->policy;
++ int cpu = policy->cpu;
+ struct clk *cpuclk = &per_cpu(sh_cpuclk, cpu);
+- cpumask_t cpus_allowed;
+ struct cpufreq_freqs freqs;
+ struct device *dev;
+ long freq;
+
+- cpus_allowed = current->cpus_allowed;
+- set_cpus_allowed_ptr(current, cpumask_of(cpu));
+-
+- BUG_ON(smp_processor_id() != cpu);
++ if (smp_processor_id() != cpu)
++ return -ENODEV;
+
+ dev = get_cpu_device(cpu);
+
+ /* Convert target_freq from kHz to Hz */
+- freq = clk_round_rate(cpuclk, target_freq * 1000);
++ freq = clk_round_rate(cpuclk, target->freq * 1000);
+
+ if (freq < (policy->min * 1000) || freq > (policy->max * 1000))
+ return -EINVAL;
+
+- dev_dbg(dev, "requested frequency %u Hz\n", target_freq * 1000);
++ dev_dbg(dev, "requested frequency %u Hz\n", target->freq * 1000);
+
+ freqs.old = sh_cpufreq_get(cpu);
+ freqs.new = (freq + 500) / 1000;
+ freqs.flags = 0;
+
+- cpufreq_freq_transition_begin(policy, &freqs);
+- set_cpus_allowed_ptr(current, &cpus_allowed);
++ cpufreq_freq_transition_begin(target->policy, &freqs);
+ clk_set_rate(cpuclk, freq);
+- cpufreq_freq_transition_end(policy, &freqs, 0);
++ cpufreq_freq_transition_end(target->policy, &freqs, 0);
+
+ dev_dbg(dev, "set frequency %lu Hz\n", freq);
+-
+ return 0;
+ }
+
++/*
++ * Here we notify other drivers of the proposed change and the final change.
++ */
++static int sh_cpufreq_target(struct cpufreq_policy *policy,
++ unsigned int target_freq,
++ unsigned int relation)
++{
++ struct cpufreq_target data = { .policy = policy, .freq = target_freq };
++
++ return work_on_cpu(policy->cpu, __sh_cpufreq_target, &data);
++}
++
+ static int sh_cpufreq_verify(struct cpufreq_policy *policy)
+ {
+ struct clk *cpuclk = &per_cpu(sh_cpuclk, policy->cpu);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 4 Dec 2017 15:49:48 +0100
+Subject: cros_ec: fix nul-termination for firmware build info
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+
+[ Upstream commit 50a0d71a5d20e1d3eff1d974fdc8559ad6d74892 ]
+
+As gcc-8 reports, we zero out the wrong byte:
+
+drivers/platform/chrome/cros_ec_sysfs.c: In function 'show_ec_version':
+drivers/platform/chrome/cros_ec_sysfs.c:190:12: error: array subscript 4294967295 is above array bounds of 'uint8_t[]' [-Werror=array-bounds]
+
+This changes the code back to what it did before changing to a
+zero-length array structure.
+
+Fixes: a841178445bb ("mfd: cros_ec: Use a zero-length array for command data")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Benson Leung <bleung@chromium.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/chrome/cros_ec_sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/platform/chrome/cros_ec_sysfs.c
++++ b/drivers/platform/chrome/cros_ec_sysfs.c
+@@ -187,7 +187,7 @@ static ssize_t show_ec_version(struct de
+ count += scnprintf(buf + count, PAGE_SIZE - count,
+ "Build info: EC error %d\n", msg->result);
+ else {
+- msg->data[sizeof(msg->data) - 1] = '\0';
++ msg->data[EC_HOST_PARAM_SIZE - 1] = '\0';
+ count += scnprintf(buf + count, PAGE_SIZE - count,
+ "Build info: %s\n", msg->data);
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: NeilBrown <neilb@suse.com>
+Date: Wed, 6 Sep 2017 09:43:28 +1000
+Subject: dm: ensure bio submission follows a depth-first tree walk
+
+From: NeilBrown <neilb@suse.com>
+
+
+[ Upstream commit 18a25da84354c6bb655320de6072c00eda6eb602 ]
+
+A dm device can, in general, represent a tree of targets, each of which
+handles a sub-range of the range of blocks handled by the parent.
+
+The bio sequencing managed by generic_make_request() requires that bios
+are generated and handled in a depth-first manner. Each call to a
+make_request_fn() may submit bios to a single member device, and may
+submit bios for a reduced region of the same device as the
+make_request_fn.
+
+In particular, any bios submitted to member devices must be expected to
+be processed in order, so a later one must never wait for an earlier
+one.
+
+This ordering is usually achieved by using bio_split() to reduce a bio
+to a size that can be completely handled by one target, and resubmitting
+the remainder to the originating device. bio_queue_split() shows the
+canonical approach.
+
+dm doesn't follow this approach, largely because it has needed to split
+bios since long before bio_split() was available. It currently can
+submit bios to separate targets within the one dm_make_request() call.
+Dependencies between these targets, as can happen with dm-snap, can
+cause deadlocks if either bios gets stuck behind the other in the queues
+managed by generic_make_request(). This requires the 'rescue'
+functionality provided by dm_offload_{start,end}.
+
+Some of this requirement can be removed by changing the order of bio
+submission to follow the canonical approach. That is, if dm finds that
+it needs to split a bio, the remainder should be sent to
+generic_make_request() rather than being handled immediately. This
+delays the handling until the first part is completely processed, so the
+deadlock problems do not occur.
+
+__split_and_process_bio() can be called both from dm_make_request() and
+from dm_wq_work(). When called from dm_wq_work() the current approach
+is perfectly satisfactory as each bio will be processed immediately.
+When called from dm_make_request(), current->bio_list will be non-NULL,
+and in this case it is best to create a separate "clone" bio for the
+remainder.
+
+When we use bio_clone_bioset() to split off the front part of a bio
+and chain the two together and submit the remainder to
+generic_make_request(), it is important that the newly allocated
+bio is used as the head to be processed immediately, and the original
+bio gets "bio_advance()"d and sent to generic_make_request() as the
+remainder. Otherwise, if the newly allocated bio is used as the
+remainder, and if it then needs to be split again, then the next
+bio_clone_bioset() call will be made while holding a reference a bio
+(result of the first clone) from the same bioset. This can potentially
+exhaust the bioset mempool and result in a memory allocation deadlock.
+
+Note that there is no race caused by reassigning cio.io->bio after already
+calling __map_bio(). This bio will only be dereferenced again after
+dec_pending() has found io->io_count to be zero, and this cannot happen
+before the dec_pending() call at the end of __split_and_process_bio().
+
+To provide the clone bio when splitting, we use q->bio_split. This
+was previously being freed by bio-based dm to avoid having excess
+rescuer threads. As bio_split bio sets no longer create rescuer
+threads, there is little cost and much gain from restoring the
+q->bio_split bio set.
+
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm.c | 33 ++++++++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -1320,8 +1320,29 @@ static void __split_and_process_bio(stru
+ } else {
+ ci.bio = bio;
+ ci.sector_count = bio_sectors(bio);
+- while (ci.sector_count && !error)
++ while (ci.sector_count && !error) {
+ error = __split_and_process_non_flush(&ci);
++ if (current->bio_list && ci.sector_count && !error) {
++ /*
++ * Remainder must be passed to generic_make_request()
++ * so that it gets handled *after* bios already submitted
++ * have been completely processed.
++ * We take a clone of the original to store in
++ * ci.io->bio to be used by end_io_acct() and
++ * for dec_pending to use for completion handling.
++ * As this path is not used for REQ_OP_ZONE_REPORT,
++ * the usage of io->bio in dm_remap_zone_report()
++ * won't be affected by this reassignment.
++ */
++ struct bio *b = bio_clone_bioset(bio, GFP_NOIO,
++ md->queue->bio_split);
++ ci.io->bio = b;
++ bio_advance(bio, (bio_sectors(bio) - ci.sector_count) << 9);
++ bio_chain(b, bio);
++ generic_make_request(bio);
++ break;
++ }
++ }
+ }
+
+ /* drop the extra reference count */
+@@ -1332,8 +1353,8 @@ static void __split_and_process_bio(stru
+ *---------------------------------------------------------------*/
+
+ /*
+- * The request function that just remaps the bio built up by
+- * dm_merge_bvec.
++ * The request function that remaps the bio to one target and
++ * splits off any remainder.
+ */
+ static blk_qc_t dm_make_request(struct request_queue *q, struct bio *bio)
+ {
+@@ -1854,12 +1875,6 @@ int dm_setup_md_queue(struct mapped_devi
+ case DM_TYPE_DAX_BIO_BASED:
+ dm_init_normal_md_queue(md);
+ blk_queue_make_request(md->queue, dm_make_request);
+- /*
+- * DM handles splitting bios as needed. Free the bio_split bioset
+- * since it won't be used (saves 1 process per bio-based DM device).
+- */
+- bioset_free(md->queue->bio_split);
+- md->queue->bio_split = NULL;
+
+ if (type == DM_TYPE_DAX_BIO_BASED)
+ queue_flag_set_unlocked(QUEUE_FLAG_DAX, md->queue);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Vignesh R <vigneshr@ti.com>
+Date: Tue, 19 Dec 2017 12:51:16 +0200
+Subject: dmaengine: ti-dma-crossbar: Fix event mapping for TPCC_EVT_MUX_60_63
+
+From: Vignesh R <vigneshr@ti.com>
+
+
+[ Upstream commit d087f15786021a9605b20f4c678312510be4cac1 ]
+
+Register layout of a typical TPCC_EVT_MUX_M_N register is such that the
+lowest numbered event is at the lowest byte address and highest numbered
+event at highest byte address. But TPCC_EVT_MUX_60_63 register layout is
+different, in that the lowest numbered event is at the highest address
+and highest numbered event is at the lowest address. Therefore, modify
+ti_am335x_xbar_write() to handle TPCC_EVT_MUX_60_63 register
+accordingly.
+
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/ti-dma-crossbar.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/dma/ti-dma-crossbar.c
++++ b/drivers/dma/ti-dma-crossbar.c
+@@ -54,7 +54,15 @@ struct ti_am335x_xbar_map {
+
+ static inline void ti_am335x_xbar_write(void __iomem *iomem, int event, u8 val)
+ {
+- writeb_relaxed(val, iomem + event);
++ /*
++ * TPCC_EVT_MUX_60_63 register layout is different than the
++ * rest, in the sense, that event 63 is mapped to lowest byte
++ * and event 60 is mapped to highest, handle it separately.
++ */
++ if (event >= 60 && event <= 63)
++ writeb_relaxed(val, iomem + (63 - event % 4));
++ else
++ writeb_relaxed(val, iomem + event);
+ }
+
+ static void ti_am335x_xbar_free(struct device *dev, void *route_data)
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Kedareswara rao Appana <appana.durga.rao@xilinx.com>
+Date: Thu, 7 Dec 2017 10:54:28 +0530
+Subject: dmaengine: zynqmp_dma: Fix race condition in the probe
+
+From: Kedareswara rao Appana <appana.durga.rao@xilinx.com>
+
+
+[ Upstream commit 5ba080aada5e739165e0f38d5cc3b04c82b323c8 ]
+
+Incase of interrupt property is not present,
+Driver is trying to free an invalid irq,
+This patch fixes it by adding a check before freeing the irq.
+
+Signed-off-by: Kedareswara rao Appana <appanad@xilinx.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/xilinx/zynqmp_dma.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/dma/xilinx/zynqmp_dma.c
++++ b/drivers/dma/xilinx/zynqmp_dma.c
+@@ -933,7 +933,8 @@ static void zynqmp_dma_chan_remove(struc
+ if (!chan)
+ return;
+
+- devm_free_irq(chan->zdev->dev, chan->irq, chan);
++ if (chan->irq)
++ devm_free_irq(chan->zdev->dev, chan->irq, chan);
+ tasklet_kill(&chan->tasklet);
+ list_del(&chan->common.device_node);
+ clk_disable_unprepare(chan->clk_apb);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Chunming Zhou <David1.Zhou@amd.com>
+Date: Mon, 24 Apr 2017 17:09:15 +0800
+Subject: drm/amdgpu: fix gpu reset crash
+
+From: Chunming Zhou <David1.Zhou@amd.com>
+
+
+[ Upstream commit 51687759be93fbc553f2727e86be25c38126ba93 ]
+
+[ 413.687439] BUG: unable to handle kernel NULL pointer dereference at 0000000000000548
+[ 413.687479] IP: [<ffffffff8109b175>] to_live_kthread+0x5/0x60
+[ 413.687507] PGD 1efd12067
+[ 413.687519] PUD 1efd11067
+[ 413.687531] PMD 0
+
+[ 413.687543] Oops: 0000 [#1] SMP
+[ 413.687557] Modules linked in: amdgpu(OE) ttm(OE) drm_kms_helper(E) drm(E) i2c_algo_bit(E) fb_sys_fops(E) syscopyarea(E) sysfillrect(E) sysimgblt(E) rpcsec_gss_krb5(E) nfsv4(E) nfs(E) fscache(E) snd_hda_codec_realtek(E) snd_hda_codec_generic(E) snd_hda_codec_hdmi(E) snd_hda_intel(E) eeepc_wmi(E) snd_hda_codec(E) asus_wmi(E) snd_hda_core(E) sparse_keymap(E) snd_hwdep(E) video(E) snd_pcm(E) snd_seq_midi(E) joydev(E) snd_seq_midi_event(E) snd_rawmidi(E) snd_seq(E) snd_seq_device(E) snd_timer(E) kvm(E) irqbypass(E) crct10dif_pclmul(E) snd(E) crc32_pclmul(E) ghash_clmulni_intel(E) soundcore(E) aesni_intel(E) aes_x86_64(E) lrw(E) gf128mul(E) glue_helper(E) ablk_helper(E) cryptd(E) shpchp(E) serio_raw(E) i2c_piix4(E) 8250_dw(E) i2c_designware_platform(E) i2c_designware_core(E) mac_hid(E) binfmt_misc(E)
+[ 413.687894] parport_pc(E) ppdev(E) lp(E) parport(E) nfsd(E) auth_rpcgss(E) nfs_acl(E) lockd(E) grace(E) sunrpc(E) autofs4(E) hid_generic(E) usbhid(E) hid(E) psmouse(E) ahci(E) r8169(E) mii(E) libahci(E) wmi(E)
+[ 413.687989] CPU: 13 PID: 1134 Comm: kworker/13:2 Tainted: G OE 4.9.0-custom #4
+[ 413.688019] Hardware name: System manufacturer System Product Name/PRIME B350-PLUS, BIOS 0606 04/06/2017
+[ 413.688089] Workqueue: events amd_sched_job_timedout [amdgpu]
+[ 413.688116] task: ffff88020f9657c0 task.stack: ffffc90001a88000
+[ 413.688139] RIP: 0010:[<ffffffff8109b175>] [<ffffffff8109b175>] to_live_kthread+0x5/0x60
+[ 413.688171] RSP: 0018:ffffc90001a8bd60 EFLAGS: 00010282
+[ 413.688191] RAX: ffff88020f0073f8 RBX: ffff88020f000000 RCX: 0000000000000000
+[ 413.688217] RDX: 0000000000000001 RSI: ffff88020f9670c0 RDI: 0000000000000000
+[ 413.688243] RBP: ffffc90001a8bd78 R08: 0000000000000000 R09: 0000000000001000
+[ 413.688269] R10: 0000006051b11a82 R11: 0000000000000001 R12: 0000000000000000
+[ 413.688295] R13: ffff88020f002770 R14: ffff88020f004838 R15: ffff8801b23c2c60
+[ 413.688321] FS: 0000000000000000(0000) GS:ffff88021ef40000(0000) knlGS:0000000000000000
+[ 413.688352] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 413.688373] CR2: 0000000000000548 CR3: 00000001efd0f000 CR4: 00000000003406e0
+[ 413.688399] Stack:
+[ 413.688407] ffffffff8109b304 ffff88020f000000 0000000000000070 ffffc90001a8bdf0
+[ 413.688439] ffffffffa05ce29d ffffffffa052feb7 ffffffffa07b5820 ffffc90001a8bda0
+[ 413.688470] ffffffff00000018 ffff8801bb88f060 0000000001a8bdb8 ffff88021ef59280
+[ 413.688502] Call Trace:
+[ 413.688514] [<ffffffff8109b304>] ? kthread_park+0x14/0x60
+[ 413.688555] [<ffffffffa05ce29d>] amdgpu_gpu_reset+0x7d/0x670 [amdgpu]
+[ 413.688589] [<ffffffffa052feb7>] ? drm_printk+0x97/0xa0 [drm]
+[ 413.688643] [<ffffffffa0698136>] amdgpu_job_timedout+0x46/0x50 [amdgpu]
+[ 413.688700] [<ffffffffa06969e7>] amd_sched_job_timedout+0x17/0x20 [amdgpu]
+[ 413.688727] [<ffffffff81095493>] process_one_work+0x153/0x3f0
+[ 413.688751] [<ffffffff81095c5b>] worker_thread+0x12b/0x4b0
+[ 413.688773] [<ffffffff8100392e>] ? do_syscall_64+0x6e/0x180
+[ 413.688795] [<ffffffff81095b30>] ? rescuer_thread+0x350/0x350
+[ 413.688818] [<ffffffff8100392e>] ? do_syscall_64+0x6e/0x180
+[ 413.688839] [<ffffffff8109b423>] kthread+0xd3/0xf0
+[ 413.688858] [<ffffffff8109b350>] ? kthread_park+0x60/0x60
+[ 413.688881] [<ffffffff817e1ee5>] ret_from_fork+0x25/0x30
+[ 413.688901] Code: 25 40 d3 00 00 48 8b 80 48 05 00 00 48 89 e5 5d 48 8b 40 c8 48 c1 e8 02 83 e0 01 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 8b b7 48 05 00 00 55 48 89 e5 48 85 f6 74 31 8b 97 f8 18 00
+[ 413.689045] RIP [<ffffffff8109b175>] to_live_kthread+0x5/0x60
+[ 413.689064] RSP <ffffc90001a8bd60>
+[ 413.689076] CR2: 0000000000000548
+[ 413.697985] ---[ end trace 0a314a64821f84e9 ]---
+
+The root cause is some ring doesn't have scheduler, like KIQ ring
+
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Chunming Zhou <David1.Zhou@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -2237,7 +2237,7 @@ int amdgpu_gpu_reset(struct amdgpu_devic
+ for (i = 0; i < AMDGPU_MAX_RINGS; ++i) {
+ struct amdgpu_ring *ring = adev->rings[i];
+
+- if (!ring)
++ if (!ring || !ring->sched.thread)
+ continue;
+ kthread_park(ring->sched.thread);
+ amd_sched_hw_job_reset(&ring->sched);
+@@ -2326,7 +2326,8 @@ retry:
+ }
+ for (i = 0; i < AMDGPU_MAX_RINGS; ++i) {
+ struct amdgpu_ring *ring = adev->rings[i];
+- if (!ring)
++
++ if (!ring || !ring->sched.thread)
+ continue;
+
+ amd_sched_job_recovery(&ring->sched);
+@@ -2335,7 +2336,7 @@ retry:
+ } else {
+ dev_err(adev->dev, "asic resume failed (%d).\n", r);
+ for (i = 0; i < AMDGPU_MAX_RINGS; ++i) {
+- if (adev->rings[i]) {
++ if (adev->rings[i] && adev->rings[i]->sched.thread) {
+ kthread_unpark(adev->rings[i]->sched.thread);
+ }
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Prakash Kamliya <pkamliya@codeaurora.org>
+Date: Mon, 4 Dec 2017 19:10:15 +0530
+Subject: drm/msm: fix leak in failed get_pages
+
+From: Prakash Kamliya <pkamliya@codeaurora.org>
+
+
+[ Upstream commit 62e3a3e342af3c313ab38603811ecdb1fcc79edb ]
+
+get_pages doesn't keep a reference of the pages allocated
+when it fails later in the code path. This can lead to
+a memory leak. Keep reference of the allocated pages so
+that it can be freed when msm_gem_free_object gets called
+later during cleanup.
+
+Signed-off-by: Prakash Kamliya <pkamliya@codeaurora.org>
+Signed-off-by: Sharat Masetty <smasetty@codeaurora.org>
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_gem.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_gem.c
++++ b/drivers/gpu/drm/msm/msm_gem.c
+@@ -91,14 +91,17 @@ static struct page **get_pages(struct dr
+ return p;
+ }
+
++ msm_obj->pages = p;
++
+ msm_obj->sgt = drm_prime_pages_to_sg(p, npages);
+ if (IS_ERR(msm_obj->sgt)) {
++ void *ptr = ERR_CAST(msm_obj->sgt);
++
+ dev_err(dev->dev, "failed to allocate sgt\n");
+- return ERR_CAST(msm_obj->sgt);
++ msm_obj->sgt = NULL;
++ return ptr;
+ }
+
+- msm_obj->pages = p;
+-
+ /* For non-cached buffers, ensure the new pages are clean
+ * because display controller, GPU, etc. are not coherent:
+ */
+@@ -121,7 +124,10 @@ static void put_pages(struct drm_gem_obj
+ if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED))
+ dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl,
+ msm_obj->sgt->nents, DMA_BIDIRECTIONAL);
+- sg_free_table(msm_obj->sgt);
++
++ if (msm_obj->sgt)
++ sg_free_table(msm_obj->sgt);
++
+ kfree(msm_obj->sgt);
+
+ if (use_pages(obj))
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Mario Kleiner <mario.kleiner.de@gmail.com>
+Date: Mon, 24 Apr 2017 01:59:34 +0200
+Subject: drm/nouveau/kms: Increase max retries in scanout position queries.
+
+From: Mario Kleiner <mario.kleiner.de@gmail.com>
+
+
+[ Upstream commit 60b95d709525e3ce1c51e1fc93175dcd1755d345 ]
+
+So far we only allowed for 1 retry and just failed the query
+- and thereby high precision vblank timestamping - if we did
+not get a reasonable result, as such a failure wasn't considered
+all too horrible. There are a few NVidia gpu models out there which
+may need a bit more than 1 retry to get a successful query result
+under some conditions.
+
+Since Linux 4.4 the update code for vblank counter and timestamp
+in drm_update_vblank_count() changed so that the implementation
+assumes that high precision vblank timestamping of a kms driver
+either consistently succeeds or consistently fails for a given
+video mode and encoder/connector combo. Iow. switching from success
+to fail or vice versa on a modeset or connector change is ok, but
+spurious temporary failure for a given setup can confuse the core
+code and potentially cause bad miscounting of vblanks and confusion
+or hangs in userspace clients which rely on vblank stuff, e.g.,
+desktop compositors.
+
+Therefore change the max retry count to a larger number - more than
+any gpu so far is known to need to succeed, but still low enough
+so that these queries which do also happen in vblank interrupt are
+still fast enough to be not disastrously long if something would
+go badly wrong with them.
+
+As such sporadic retries only happen seldom even on affected gpu's,
+this could mean a vblank irq could take a few dozen microseconds
+longer every few hours of uptime -- better than a desktop compositor
+randomly hanging every couple of hours or days of uptime in a hard
+to reproduce manner.
+
+Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_display.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_display.c
++++ b/drivers/gpu/drm/nouveau/nouveau_display.c
+@@ -106,7 +106,7 @@ nouveau_display_scanoutpos_head(struct d
+ };
+ struct nouveau_display *disp = nouveau_display(crtc->dev);
+ struct drm_vblank_crtc *vblank = &crtc->dev->vblank[drm_crtc_index(crtc)];
+- int ret, retry = 1;
++ int ret, retry = 20;
+
+ do {
+ ret = nvif_mthd(&disp->disp, 0, &args, sizeof(args));
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Fri, 29 Sep 2017 14:49:49 +0300
+Subject: drm/omap: DMM: Check for DMM readiness after successful transaction commit
+
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+
+
+[ Upstream commit b7ea6b286c4051e043f691781785e3c4672f014a ]
+
+Check the status of the DMM engine after it is reported that the
+transaction was completed as in rare cases the engine might not reached a
+working state.
+
+The wait_status() will print information in case the DMM is not reached the
+expected state and the dmm_txn_commit() will return with an error code to
+make sure that we are not continuing with a broken setup.
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/omapdrm/omap_dmm_tiler.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
++++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
+@@ -298,7 +298,12 @@ static int dmm_txn_commit(struct dmm_txn
+ msecs_to_jiffies(100))) {
+ dev_err(dmm->dev, "timed out waiting for done\n");
+ ret = -ETIMEDOUT;
++ goto cleanup;
+ }
++
++ /* Check the engine status before continue */
++ ret = wait_status(engine, DMM_PATSTATUS_READY |
++ DMM_PATSTATUS_VALID | DMM_PATSTATUS_DONE);
+ }
+
+ cleanup:
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Logan Gunthorpe <logang@deltatee.com>
+Date: Tue, 5 Dec 2017 16:30:51 -0700
+Subject: drm/tilcdc: ensure nonatomic iowrite64 is not used
+
+From: Logan Gunthorpe <logang@deltatee.com>
+
+
+[ Upstream commit 4e5ca2d930aa8714400aedf4bf1dc959cb04280f ]
+
+Add a check to ensure iowrite64 is only used if it is atomic.
+
+It was decided in [1] that the tilcdc driver should not be using an
+atomic operation (so it was left out of this patchset). However, it turns
+out that through the drm code, a nonatomic header is actually included:
+
+include/linux/io-64-nonatomic-lo-hi.h
+is included from include/drm/drm_os_linux.h:9:0,
+ from include/drm/drmP.h:74,
+ from include/drm/drm_modeset_helper.h:26,
+ from include/drm/drm_atomic_helper.h:33,
+ from drivers/gpu/drm/tilcdc/tilcdc_crtc.c:19:
+
+And thus, without this change, this patchset would inadvertantly
+change the behaviour of the tilcdc driver.
+
+[1] lkml.kernel.org/r/CAK8P3a2HhO_zCnsTzq7hmWSz5La5Thu19FWZpun16iMnyyNreQ@mail.gmail.com
+
+Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Cc: Jyri Sarha <jsarha@ti.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Cc: David Airlie <airlied@linux.ie>
+Signed-off-by: Jyri Sarha <jsarha@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/tilcdc/tilcdc_regs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/tilcdc/tilcdc_regs.h
++++ b/drivers/gpu/drm/tilcdc/tilcdc_regs.h
+@@ -124,7 +124,7 @@ static inline void tilcdc_write64(struct
+ struct tilcdc_drm_private *priv = dev->dev_private;
+ volatile void __iomem *addr = priv->mmio + reg;
+
+-#ifdef iowrite64
++#if defined(iowrite64) && !defined(iowrite64_is_nonatomic)
+ iowrite64(data, addr);
+ #else
+ __iowmb();
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Rask Ingemann Lambertsen <rask@formelder.dk>
+Date: Wed, 22 Feb 2017 20:41:02 +0100
+Subject: dt-bindings: mfd: axp20x: Add "xpowers,master-mode" property for AXP806 PMICs
+
+From: Rask Ingemann Lambertsen <rask@formelder.dk>
+
+
+[ Upstream commit 8461cf20d17e0090e9236b73d25b31be4f7fadc5 ]
+
+commit b101829a029a ("mfd: axp20x: Fix AXP806 access errors on cold boot")
+was intended to fix the case where a board uses an AXP806 in slave mode,
+but the boot loader leaves it in master mode for lack of AXP806 support.
+But now the driver breaks on boards where the PMIC is operating in master
+mode. To let the device tree describe which mode of operation is needed,
+this patch introduces a new property "xpowers,master-mode".
+
+Fixes: 204ae2963e10 ("mfd: axp20x: Add bindings for AXP806 PMIC")
+Signed-off-by: Rask Ingemann Lambertsen <rask@formelder.dk>
+Acked-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/mfd/axp20x.txt | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/Documentation/devicetree/bindings/mfd/axp20x.txt
++++ b/Documentation/devicetree/bindings/mfd/axp20x.txt
+@@ -28,6 +28,9 @@ Optional properties:
+ regulator to drive the OTG VBus, rather then as an input pin
+ which signals whether the board is driving OTG VBus or not.
+
++- x-powers,master-mode: Boolean (axp806 only). Set this when the PMIC is
++ wired for master mode. The default is slave mode.
++
+ - <input>-supply: a phandle to the regulator supply node. May be omitted if
+ inputs are unregulated, such as using the IPSOUT output
+ from the PMIC.
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Bernd Faust <berndfaust@gmail.com>
+Date: Thu, 16 Feb 2017 19:42:07 +0100
+Subject: e1000e: fix timing for 82579 Gigabit Ethernet controller
+
+From: Bernd Faust <berndfaust@gmail.com>
+
+
+[ Upstream commit 5313eeccd2d7f486be4e5c7560e3e2be239ec8f7 ]
+
+After an upgrade to Linux kernel v4.x the hardware timestamps of the
+82579 Gigabit Ethernet Controller are different than expected.
+The values that are being read are almost four times as big as before
+the kernel upgrade.
+
+The difference is that after the upgrade the driver sets the clock
+frequency to 25MHz, where before the upgrade it was set to 96MHz. Intel
+confirmed that the correct frequency for this network adapter is 96MHz.
+
+Signed-off-by: Bernd Faust <berndfaust@gmail.com>
+Acked-by: Sasha Neftin <sasha.neftin@intel.com>
+Acked-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -3528,6 +3528,12 @@ s32 e1000e_get_base_timinca(struct e1000
+
+ switch (hw->mac.type) {
+ case e1000_pch2lan:
++ /* Stable 96MHz frequency */
++ incperiod = INCPERIOD_96MHz;
++ incvalue = INCVALUE_96MHz;
++ shift = INCVALUE_SHIFT_96MHz;
++ adapter->cc.shift = shift + INCPERIOD_SHIFT_96MHz;
++ break;
+ case e1000_pch_lpt:
+ if (er32(TSYNCRXCTL) & E1000_TSYNCRXCTL_SYSCFI) {
+ /* Stable 96MHz frequency */
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: James Smart <jsmart2021@gmail.com>
+Date: Fri, 21 Apr 2017 16:04:56 -0700
+Subject: Fix driver usage of 128B WQEs when WQ_CREATE is V1.
+
+From: James Smart <jsmart2021@gmail.com>
+
+
+[ Upstream commit 3f247de750b8dd8f50a2c1390e2a1238790a9dff ]
+
+There are two versions of a structure for queue creation and setup that the
+driver shares with FW. The driver was only treating as version 0.
+
+Verify WQ_CREATE with 128B WQEs in V0 and V1.
+
+Code review of another bug showed the driver passing
+128B WQEs and 8 pages in WQ CREATE and V0.
+Code inspection/instrumentation showed that the driver
+uses V0 in WQ_CREATE and if the caller passes queue->entry_size
+128B, the driver sets the hdr_version to V1 so all is good.
+When I tested the V1 WQ_CREATE, the mailbox failed causing
+the driver to unload.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_sli.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -13696,6 +13696,9 @@ lpfc_wq_create(struct lpfc_hba *phba, st
+ case LPFC_Q_CREATE_VERSION_1:
+ bf_set(lpfc_mbx_wq_create_wqe_count, &wq_create->u.request_1,
+ wq->entry_count);
++ bf_set(lpfc_mbox_hdr_version, &shdr->request,
++ LPFC_Q_CREATE_VERSION_1);
++
+ switch (wq->entry_size) {
+ default:
+ case 64:
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: James Smart <jsmart2021@gmail.com>
+Date: Fri, 21 Apr 2017 16:05:05 -0700
+Subject: Fix Express lane queue creation.
+
+From: James Smart <jsmart2021@gmail.com>
+
+
+[ Upstream commit 7e04e21afa82ef024416f5413b5bdb66e0505bcd ]
+
+The older sli4 adapters only supported the 64 byte WQE entry size.
+The new adapter (fw) support both 64 and 128 byte WQE entry sizies.
+The Express lane WQ was not being created with the 128 byte WQE sizes
+when it was supported.
+
+Not having the right WQE size created for the express lane work queue
+caused the the firmware to overwrite the lun indentifier in the FCP header.
+
+This patch correctly creates the express lane work queue with the
+supported size.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_init.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/lpfc/lpfc_init.c
++++ b/drivers/scsi/lpfc/lpfc_init.c
+@@ -11312,6 +11312,7 @@ int
+ lpfc_fof_queue_create(struct lpfc_hba *phba)
+ {
+ struct lpfc_queue *qdesc;
++ uint32_t wqesize;
+
+ /* Create FOF EQ */
+ qdesc = lpfc_sli4_queue_alloc(phba, phba->sli4_hba.eq_esize,
+@@ -11332,8 +11333,11 @@ lpfc_fof_queue_create(struct lpfc_hba *p
+ phba->sli4_hba.oas_cq = qdesc;
+
+ /* Create OAS WQ */
+- qdesc = lpfc_sli4_queue_alloc(phba, phba->sli4_hba.wq_esize,
++ wqesize = (phba->fcp_embed_io) ?
++ LPFC_WQE128_SIZE : phba->sli4_hba.wq_esize;
++ qdesc = lpfc_sli4_queue_alloc(phba, wqesize,
+ phba->sli4_hba.wq_ecount);
++
+ if (!qdesc)
+ goto out_error;
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 15 Apr 2017 12:08:31 +0200
+Subject: genirq: Use irqd_get_trigger_type to compare the trigger type for shared IRQs
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+
+[ Upstream commit 382bd4de61827dbaaf5fb4fb7b1f4be4a86505e7 ]
+
+When requesting a shared irq with IRQF_TRIGGER_NONE then the irqaction
+flags get filled with the trigger type from the irq_data:
+
+ if (!(new->flags & IRQF_TRIGGER_MASK))
+ new->flags |= irqd_get_trigger_type(&desc->irq_data);
+
+On the first setup_irq() the trigger type in irq_data is NONE when the
+above code executes, then the irq is started up for the first time and
+then the actual trigger type gets established, but that's too late to fix
+up new->flags.
+
+When then a second user of the irq requests the irq with IRQF_TRIGGER_NONE
+its irqaction's triggertype gets set to the actual trigger type and the
+following check fails:
+
+ if (!((old->flags ^ new->flags) & IRQF_TRIGGER_MASK))
+
+Resulting in the request_irq failing with -EBUSY even though both
+users requested the irq with IRQF_SHARED | IRQF_TRIGGER_NONE
+
+Fix this by comparing the new irqaction's trigger type to the trigger type
+stored in the irq_data which correctly reflects the actual trigger type
+being used for the irq.
+
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Link: http://lkml.kernel.org/r/20170415100831.17073-1-hdegoede@redhat.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/irq/manage.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/irq/manage.c
++++ b/kernel/irq/manage.c
+@@ -1210,8 +1210,10 @@ __setup_irq(unsigned int irq, struct irq
+ * set the trigger type must match. Also all must
+ * agree on ONESHOT.
+ */
++ unsigned int oldtype = irqd_get_trigger_type(&desc->irq_data);
++
+ if (!((old->flags & new->flags) & IRQF_SHARED) ||
+- ((old->flags ^ new->flags) & IRQF_TRIGGER_MASK) ||
++ (oldtype != (new->flags & IRQF_TRIGGER_MASK)) ||
+ ((old->flags ^ new->flags) & IRQF_ONESHOT))
+ goto mismatch;
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Date: Mon, 24 Apr 2017 12:15:04 -0700
+Subject: gpio: gpio-wcove: fix GPIO IRQ status mask
+
+From: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+
+
+[ Upstream commit 881ebd229f4a5ea88f269c1225245e50db9ba303 ]
+
+According to Whiskey Cove PMIC spec, bit 7 of GPIOIRQ0_REG belongs to
+battery IO. So we should skip this bit when checking for GPIO IRQ pending
+status. Otherwise, wcove_gpio_irq_handler() might go into the infinite
+loop until IRQ "pending" status becomes 0. This patch fixes this issue.
+
+Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Acked-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-wcove.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpio/gpio-wcove.c
++++ b/drivers/gpio/gpio-wcove.c
+@@ -51,6 +51,8 @@
+ #define GROUP1_NR_IRQS 6
+ #define IRQ_MASK_BASE 0x4e19
+ #define IRQ_STATUS_BASE 0x4e0b
++#define GPIO_IRQ0_MASK GENMASK(6, 0)
++#define GPIO_IRQ1_MASK GENMASK(5, 0)
+ #define UPDATE_IRQ_TYPE BIT(0)
+ #define UPDATE_IRQ_MASK BIT(1)
+
+@@ -310,7 +312,7 @@ static irqreturn_t wcove_gpio_irq_handle
+ return IRQ_NONE;
+ }
+
+- pending = p[0] | (p[1] << 8);
++ pending = (p[0] & GPIO_IRQ0_MASK) | ((p[1] & GPIO_IRQ1_MASK) << 7);
+ if (!pending)
+ return IRQ_NONE;
+
+@@ -334,7 +336,7 @@ static irqreturn_t wcove_gpio_irq_handle
+ break;
+ }
+
+- pending = p[0] | (p[1] << 8);
++ pending = (p[0] & GPIO_IRQ0_MASK) | ((p[1] & GPIO_IRQ1_MASK) << 7);
+ }
+
+ return IRQ_HANDLED;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Date: Fri, 14 Apr 2017 10:29:25 -0700
+Subject: gpio: gpio-wcove: fix irq pending status bit width
+
+From: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+
+
+[ Upstream commit 7c2d176fe3f8dce632b948f79c7e89916ffe2c70 ]
+
+Whiskey cove PMIC has three GPIO banks with total number of 13 GPIO
+pins. But when checking for the pending status, for_each_set_bit() uses
+bit width of 7 and hence it only checks the status for first 7 GPIO pins
+missing to check/clear the status of rest of the GPIO pins. This patch
+fixes this issue.
+
+Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-wcove.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpio-wcove.c
++++ b/drivers/gpio/gpio-wcove.c
+@@ -318,7 +318,7 @@ static irqreturn_t wcove_gpio_irq_handle
+ while (pending) {
+ /* One iteration is for all pending bits */
+ for_each_set_bit(gpio, (const unsigned long *)&pending,
+- GROUP0_NR_IRQS) {
++ WCOVE_GPIO_NUM) {
+ offset = (gpio > GROUP0_NR_IRQS) ? 1 : 0;
+ mask = (offset == 1) ? BIT(gpio - GROUP0_NR_IRQS) :
+ BIT(gpio);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 21 Apr 2017 13:39:09 +0300
+Subject: HSI: ssi_protocol: double free in ssip_pn_xmit()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit 3026050179a3a9a6f5c892c414b5e36ecf092081 ]
+
+If skb_pad() fails then it frees skb and we don't need to free it again
+at the end of the function.
+
+Fixes: dc7bf5d7 ("HSI: Introduce driver for SSI Protocol")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hsi/clients/ssi_protocol.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/hsi/clients/ssi_protocol.c
++++ b/drivers/hsi/clients/ssi_protocol.c
+@@ -989,7 +989,7 @@ static int ssip_pn_xmit(struct sk_buff *
+ goto drop;
+ /* Pad to 32-bits - FIXME: Revisit*/
+ if ((skb->len & 3) && skb_pad(skb, 4 - (skb->len & 3)))
+- goto drop;
++ goto inc_dropped;
+
+ /*
+ * Modem sends Phonet messages over SSI with its own endianess...
+@@ -1041,8 +1041,9 @@ static int ssip_pn_xmit(struct sk_buff *
+ drop2:
+ hsi_free_msg(msg);
+ drop:
+- dev->stats.tx_dropped++;
+ dev_kfree_skb(skb);
++inc_dropped:
++ dev->stats.tx_dropped++;
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Edgar Cherkasov <echerkasov@dev.rtsoft.ru>
+Date: Tue, 4 Apr 2017 19:18:27 +0300
+Subject: i2c: i2c-scmi: add a MS HID
+
+From: Edgar Cherkasov <echerkasov@dev.rtsoft.ru>
+
+
+[ Upstream commit e058e7a4bc89104540a8a303682248614b5df6f1 ]
+
+Description of the problem:
+ - i2c-scmi driver contains only two identifiers "SMBUS01" and "SMBUSIBM";
+ - the fist HID (SMBUS01) is clearly defined in "SMBus Control Method
+ Interface Specification, version 1.0": "Each device must specify
+ 'SMBUS01' as its _HID and use a unique _UID value";
+ - unfortunately, BIOS vendors (like AMI) seem to ignore this requirement
+ and implement "SMB0001" HID instead of "SMBUS01";
+ - I speculate that they do this because only "SMB0001" is hard coded in
+ Windows SMBus driver produced by Microsoft.
+
+This leads to following situation:
+ - SMBus works out of box in Windows but not in Linux;
+ - board vendors are forced to add correct "SMBUS01" HID to BIOS to make
+ SMBus work in Linux. Moreover the same board vendors complain that
+ tools (3-rd party ASL compiler) do not like the "SMBUS01" identifier
+ and produce errors. So they need to constantly patch the compiler for
+ each new version of BIOS.
+
+As it is very unlikely that BIOS vendors implement a correct HID in
+future, I would propose to consider whether it is possible to work around
+the problem by adding MS HID to the Linux i2c-scmi driver.
+
+v2: move the definition of the new HID to the driver itself.
+
+Signed-off-by: Edgar Cherkasov <echerkasov@dev.rtsoft.ru>
+Signed-off-by: Michael Brunner <Michael.Brunner@kontron.com>
+Acked-by: Viktor Krasnov <vkrasnov@dev.rtsoft.ru>
+Reviewed-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-scmi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-scmi.c
++++ b/drivers/i2c/busses/i2c-scmi.c
+@@ -18,6 +18,9 @@
+ #define ACPI_SMBUS_HC_CLASS "smbus"
+ #define ACPI_SMBUS_HC_DEVICE_NAME "cmi"
+
++/* SMBUS HID definition as supported by Microsoft Windows */
++#define ACPI_SMBUS_MS_HID "SMB0001"
++
+ ACPI_MODULE_NAME("smbus_cmi");
+
+ struct smbus_methods_t {
+@@ -51,6 +54,7 @@ static const struct smbus_methods_t ibm_
+ static const struct acpi_device_id acpi_smbus_cmi_ids[] = {
+ {"SMBUS01", (kernel_ulong_t)&smbus_methods},
+ {ACPI_SMBUS_IBM_HID, (kernel_ulong_t)&ibm_smbus_methods},
++ {ACPI_SMBUS_MS_HID, (kernel_ulong_t)&smbus_methods},
+ {"", 0}
+ };
+ MODULE_DEVICE_TABLE(acpi, acpi_smbus_cmi_ids);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Sergei Trofimovich <slyfox@gentoo.org>
+Date: Mon, 1 May 2017 11:51:55 -0700
+Subject: ia64: fix module loading for gcc-5.4
+
+From: Sergei Trofimovich <slyfox@gentoo.org>
+
+
+[ Upstream commit a25fb8508c1b80dce742dbeaa4d75a1e9f2c5617 ]
+
+Starting from gcc-5.4+ gcc generates MLX instructions in more cases to
+refer local symbols:
+
+ https://gcc.gnu.org/PR60465
+
+That caused ia64 module loader to choke on such instructions:
+
+ fuse: invalid slot number 1 for IMM64
+
+The Linux kernel used to handle only case where relocation pointed to
+slot=2 instruction in the bundle. That limitation was fixed in linux by
+commit 9c184a073bfd ("[IA64] Fix 2.6 kernel for the new ia64 assembler")
+See
+
+ http://sources.redhat.com/bugzilla/show_bug.cgi?id=1433
+
+This change lifts the slot=2 restriction from the kernel module loader.
+
+Tested on 'fuse' and 'btrfs' kernel modules.
+
+Cc: Markus Elfring <elfring@users.sourceforge.net>
+Cc: H J Lu <hjl.tools@gmail.com>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Bug: https://bugs.gentoo.org/601014
+Tested-by: Émeric MASCHINO <emeric.maschino@gmail.com>
+Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/ia64/kernel/module.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/ia64/kernel/module.c
++++ b/arch/ia64/kernel/module.c
+@@ -153,7 +153,7 @@ slot (const struct insn *insn)
+ static int
+ apply_imm64 (struct module *mod, struct insn *insn, uint64_t val)
+ {
+- if (slot(insn) != 2) {
++ if (slot(insn) != 1 && slot(insn) != 2) {
+ printk(KERN_ERR "%s: invalid slot number %d for IMM64\n",
+ mod->name, slot(insn));
+ return 0;
+@@ -165,7 +165,7 @@ apply_imm64 (struct module *mod, struct
+ static int
+ apply_imm60 (struct module *mod, struct insn *insn, uint64_t val)
+ {
+- if (slot(insn) != 2) {
++ if (slot(insn) != 1 && slot(insn) != 2) {
+ printk(KERN_ERR "%s: invalid slot number %d for IMM60\n",
+ mod->name, slot(insn));
+ return 0;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Tadeusz Struk <tadeusz.struk@intel.com>
+Date: Fri, 28 Apr 2017 10:40:02 -0700
+Subject: IB/hfi1: Fix softlockup issue
+
+From: Tadeusz Struk <tadeusz.struk@intel.com>
+
+
+[ Upstream commit 22546b741af8355cd2e16739b6af4a8f17081839 ]
+
+Soft lockups can occur because the mad processing on different CPUs acquire
+the spin lock dc8051_lock:
+
+[534552.835870] [<ffffffffa026f993>] ? read_dev_port_cntr.isra.37+0x23/0x160 [hfi1]
+[534552.835880] [<ffffffffa02775af>] read_dev_cntr+0x4f/0x60 [hfi1]
+[534552.835893] [<ffffffffa028d7cd>] pma_get_opa_portstatus+0x64d/0x8c0 [hfi1]
+[534552.835904] [<ffffffffa0290e7d>] hfi1_process_mad+0x48d/0x18c0 [hfi1]
+[534552.835908] [<ffffffff811dc1f1>] ? __slab_free+0x81/0x2f0
+[534552.835936] [<ffffffffa024c34e>] ? ib_mad_recv_done+0x21e/0xa30 [ib_core]
+[534552.835939] [<ffffffff811dd153>] ? __kmalloc+0x1f3/0x240
+[534552.835947] [<ffffffffa024c3fb>] ib_mad_recv_done+0x2cb/0xa30 [ib_core]
+[534552.835955] [<ffffffffa0237c85>] __ib_process_cq+0x55/0xd0 [ib_core]
+[534552.835962] [<ffffffffa0237d70>] ib_cq_poll_work+0x20/0x60 [ib_core]
+[534552.835964] [<ffffffff810a7f3b>] process_one_work+0x17b/0x470
+[534552.835966] [<ffffffff810a8d76>] worker_thread+0x126/0x410
+[534552.835969] [<ffffffff810a8c50>] ? rescuer_thread+0x460/0x460
+[534552.835971] [<ffffffff810b052f>] kthread+0xcf/0xe0
+[534552.835974] [<ffffffff810b0460>] ? kthread_create_on_node+0x140/0x140
+[534552.835977] [<ffffffff81696418>] ret_from_fork+0x58/0x90
+[534552.835980] [<ffffffff810b0460>] ? kthread_create_on_node+0x140/0x140
+
+This issue is made worse when the 8051 is busy and the reads take longer.
+Fix by using a non-spinning lock procure.
+
+Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Reviewed-by: Mike Marciszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/hfi1/chip.c | 86 ++++++++++++++++++++++----------------
+ drivers/infiniband/hw/hfi1/hfi.h | 7 +--
+ drivers/infiniband/hw/hfi1/init.c | 2
+ 3 files changed, 57 insertions(+), 38 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/chip.c
++++ b/drivers/infiniband/hw/hfi1/chip.c
+@@ -6379,18 +6379,17 @@ static void lcb_shutdown(struct hfi1_dev
+ *
+ * The expectation is that the caller of this routine would have taken
+ * care of properly transitioning the link into the correct state.
++ * NOTE: the caller needs to acquire the dd->dc8051_lock lock
++ * before calling this function.
+ */
+-static void dc_shutdown(struct hfi1_devdata *dd)
++static void _dc_shutdown(struct hfi1_devdata *dd)
+ {
+- unsigned long flags;
++ lockdep_assert_held(&dd->dc8051_lock);
+
+- spin_lock_irqsave(&dd->dc8051_lock, flags);
+- if (dd->dc_shutdown) {
+- spin_unlock_irqrestore(&dd->dc8051_lock, flags);
++ if (dd->dc_shutdown)
+ return;
+- }
++
+ dd->dc_shutdown = 1;
+- spin_unlock_irqrestore(&dd->dc8051_lock, flags);
+ /* Shutdown the LCB */
+ lcb_shutdown(dd, 1);
+ /*
+@@ -6401,35 +6400,45 @@ static void dc_shutdown(struct hfi1_devd
+ write_csr(dd, DC_DC8051_CFG_RST, 0x1);
+ }
+
++static void dc_shutdown(struct hfi1_devdata *dd)
++{
++ mutex_lock(&dd->dc8051_lock);
++ _dc_shutdown(dd);
++ mutex_unlock(&dd->dc8051_lock);
++}
++
+ /*
+ * Calling this after the DC has been brought out of reset should not
+ * do any damage.
++ * NOTE: the caller needs to acquire the dd->dc8051_lock lock
++ * before calling this function.
+ */
+-static void dc_start(struct hfi1_devdata *dd)
++static void _dc_start(struct hfi1_devdata *dd)
+ {
+- unsigned long flags;
+- int ret;
++ lockdep_assert_held(&dd->dc8051_lock);
+
+- spin_lock_irqsave(&dd->dc8051_lock, flags);
+ if (!dd->dc_shutdown)
+- goto done;
+- spin_unlock_irqrestore(&dd->dc8051_lock, flags);
++ return;
++
+ /* Take the 8051 out of reset */
+ write_csr(dd, DC_DC8051_CFG_RST, 0ull);
+ /* Wait until 8051 is ready */
+- ret = wait_fm_ready(dd, TIMEOUT_8051_START);
+- if (ret) {
++ if (wait_fm_ready(dd, TIMEOUT_8051_START))
+ dd_dev_err(dd, "%s: timeout starting 8051 firmware\n",
+ __func__);
+- }
++
+ /* Take away reset for LCB and RX FPE (set in lcb_shutdown). */
+ write_csr(dd, DCC_CFG_RESET, 0x10);
+ /* lcb_shutdown() with abort=1 does not restore these */
+ write_csr(dd, DC_LCB_ERR_EN, dd->lcb_err_en);
+- spin_lock_irqsave(&dd->dc8051_lock, flags);
+ dd->dc_shutdown = 0;
+-done:
+- spin_unlock_irqrestore(&dd->dc8051_lock, flags);
++}
++
++static void dc_start(struct hfi1_devdata *dd)
++{
++ mutex_lock(&dd->dc8051_lock);
++ _dc_start(dd);
++ mutex_unlock(&dd->dc8051_lock);
+ }
+
+ /*
+@@ -8418,16 +8427,11 @@ static int do_8051_command(
+ {
+ u64 reg, completed;
+ int return_code;
+- unsigned long flags;
+ unsigned long timeout;
+
+ hfi1_cdbg(DC8051, "type %d, data 0x%012llx", type, in_data);
+
+- /*
+- * Alternative to holding the lock for a long time:
+- * - keep busy wait - have other users bounce off
+- */
+- spin_lock_irqsave(&dd->dc8051_lock, flags);
++ mutex_lock(&dd->dc8051_lock);
+
+ /* We can't send any commands to the 8051 if it's in reset */
+ if (dd->dc_shutdown) {
+@@ -8453,10 +8457,8 @@ static int do_8051_command(
+ return_code = -ENXIO;
+ goto fail;
+ }
+- spin_unlock_irqrestore(&dd->dc8051_lock, flags);
+- dc_shutdown(dd);
+- dc_start(dd);
+- spin_lock_irqsave(&dd->dc8051_lock, flags);
++ _dc_shutdown(dd);
++ _dc_start(dd);
+ }
+
+ /*
+@@ -8534,8 +8536,7 @@ static int do_8051_command(
+ write_csr(dd, DC_DC8051_CFG_HOST_CMD_0, 0);
+
+ fail:
+- spin_unlock_irqrestore(&dd->dc8051_lock, flags);
+-
++ mutex_unlock(&dd->dc8051_lock);
+ return return_code;
+ }
+
+@@ -11849,6 +11850,10 @@ static void free_cntrs(struct hfi1_devda
+ dd->scntrs = NULL;
+ kfree(dd->cntrnames);
+ dd->cntrnames = NULL;
++ if (dd->update_cntr_wq) {
++ destroy_workqueue(dd->update_cntr_wq);
++ dd->update_cntr_wq = NULL;
++ }
+ }
+
+ static u64 read_dev_port_cntr(struct hfi1_devdata *dd, struct cntr_entry *entry,
+@@ -12004,7 +12009,7 @@ u64 write_port_cntr(struct hfi1_pportdat
+ return write_dev_port_cntr(ppd->dd, entry, sval, ppd, vl, data);
+ }
+
+-static void update_synth_timer(unsigned long opaque)
++static void do_update_synth_timer(struct work_struct *work)
+ {
+ u64 cur_tx;
+ u64 cur_rx;
+@@ -12013,8 +12018,8 @@ static void update_synth_timer(unsigned
+ int i, j, vl;
+ struct hfi1_pportdata *ppd;
+ struct cntr_entry *entry;
+-
+- struct hfi1_devdata *dd = (struct hfi1_devdata *)opaque;
++ struct hfi1_devdata *dd = container_of(work, struct hfi1_devdata,
++ update_cntr_work);
+
+ /*
+ * Rather than keep beating on the CSRs pick a minimal set that we can
+@@ -12097,7 +12102,13 @@ static void update_synth_timer(unsigned
+ } else {
+ hfi1_cdbg(CNTR, "[%d] No update necessary", dd->unit);
+ }
++}
++
++static void update_synth_timer(unsigned long opaque)
++{
++ struct hfi1_devdata *dd = (struct hfi1_devdata *)opaque;
+
++ queue_work(dd->update_cntr_wq, &dd->update_cntr_work);
+ mod_timer(&dd->synth_stats_timer, jiffies + HZ * SYNTH_CNT_TIME);
+ }
+
+@@ -12333,6 +12344,13 @@ static int init_cntrs(struct hfi1_devdat
+ if (init_cpu_counters(dd))
+ goto bail;
+
++ dd->update_cntr_wq = alloc_ordered_workqueue("hfi1_update_cntr_%d",
++ WQ_MEM_RECLAIM, dd->unit);
++ if (!dd->update_cntr_wq)
++ goto bail;
++
++ INIT_WORK(&dd->update_cntr_work, do_update_synth_timer);
++
+ mod_timer(&dd->synth_stats_timer, jiffies + HZ * SYNTH_CNT_TIME);
+ return 0;
+ bail:
+--- a/drivers/infiniband/hw/hfi1/hfi.h
++++ b/drivers/infiniband/hw/hfi1/hfi.h
+@@ -475,7 +475,7 @@ struct rvt_sge_state;
+ #define HFI1_PART_ENFORCE_OUT 0x2
+
+ /* how often we check for synthetic counter wrap around */
+-#define SYNTH_CNT_TIME 2
++#define SYNTH_CNT_TIME 3
+
+ /* Counter flags */
+ #define CNTR_NORMAL 0x0 /* Normal counters, just read register */
+@@ -929,8 +929,9 @@ struct hfi1_devdata {
+ spinlock_t rcvctrl_lock; /* protect changes to RcvCtrl */
+ /* around rcd and (user ctxts) ctxt_cnt use (intr vs free) */
+ spinlock_t uctxt_lock; /* rcd and user context changes */
+- /* exclusive access to 8051 */
+- spinlock_t dc8051_lock;
++ struct mutex dc8051_lock; /* exclusive access to 8051 */
++ struct workqueue_struct *update_cntr_wq;
++ struct work_struct update_cntr_work;
+ /* exclusive access to 8051 memory */
+ spinlock_t dc8051_memlock;
+ int dc8051_timed_out; /* remember if the 8051 timed out */
+--- a/drivers/infiniband/hw/hfi1/init.c
++++ b/drivers/infiniband/hw/hfi1/init.c
+@@ -1078,11 +1078,11 @@ struct hfi1_devdata *hfi1_alloc_devdata(
+ spin_lock_init(&dd->uctxt_lock);
+ spin_lock_init(&dd->hfi1_diag_trans_lock);
+ spin_lock_init(&dd->sc_init_lock);
+- spin_lock_init(&dd->dc8051_lock);
+ spin_lock_init(&dd->dc8051_memlock);
+ seqlock_init(&dd->sc2vl_lock);
+ spin_lock_init(&dd->sde_map_lock);
+ spin_lock_init(&dd->pio_map_lock);
++ mutex_init(&dd->dc8051_lock);
+ init_waitqueue_head(&dd->event_queue);
+
+ dd->int_counter = alloc_percpu(u64);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Erez Shitrit <erezsh@mellanox.com>
+Date: Tue, 14 Nov 2017 14:51:53 +0200
+Subject: IB/ipoib: Avoid memory leak if the SA returns a different DGID
+
+From: Erez Shitrit <erezsh@mellanox.com>
+
+
+[ Upstream commit 439000892ee17a9c92f1e4297818790ef8bb4ced ]
+
+The ipoib path database is organized around DGIDs from the LLADDR, but the
+SA is free to return a different GID when asked for path. This causes a
+bug because the SA's modified DGID is copied into the database key, even
+though it is no longer the correct lookup key, causing a memory leak and
+other malfunctions.
+
+Ensure the database key does not change after the SA query completes.
+
+Demonstration of the bug is as follows
+ipoib wants to send to GID fe80:0000:0000:0000:0002:c903:00ef:5ee2, it
+creates new record in the DB with that gid as a key, and issues a new
+request to the SM.
+Now, the SM from some reason returns path-record with other SGID (for
+example, 2001:0000:0000:0000:0002:c903:00ef:5ee2 that contains the local
+subnet prefix) now ipoib will overwrite the current entry with the new
+one, and if new request to the original GID arrives ipoib will not find
+it in the DB (was overwritten) and will create new record that in its
+turn will also be overwritten by the response from the SM, and so on
+till the driver eats all the device memory.
+
+Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_main.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+@@ -799,6 +799,22 @@ static void path_rec_completion(int stat
+ spin_lock_irqsave(&priv->lock, flags);
+
+ if (!IS_ERR_OR_NULL(ah)) {
++ /*
++ * pathrec.dgid is used as the database key from the LLADDR,
++ * it must remain unchanged even if the SA returns a different
++ * GID to use in the AH.
++ */
++ if (memcmp(pathrec->dgid.raw, path->pathrec.dgid.raw,
++ sizeof(union ib_gid))) {
++ ipoib_dbg(
++ priv,
++ "%s got PathRec for gid %pI6 while asked for %pI6\n",
++ dev->name, pathrec->dgid.raw,
++ path->pathrec.dgid.raw);
++ memcpy(pathrec->dgid.raw, path->pathrec.dgid.raw,
++ sizeof(union ib_gid));
++ }
++
+ path->pathrec = *pathrec;
+
+ old_ah = path->ah;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Feras Daoud <ferasda@mellanox.com>
+Date: Sun, 19 Mar 2017 11:18:55 +0200
+Subject: IB/ipoib: Fix deadlock between ipoib_stop and mcast join flow
+
+From: Feras Daoud <ferasda@mellanox.com>
+
+
+[ Upstream commit 3e31a490e01a6e67cbe9f6e1df2f3ff0fbf48972 ]
+
+Before calling ipoib_stop, rtnl_lock should be taken, then
+the flow clears the IPOIB_FLAG_ADMIN_UP and IPOIB_FLAG_OPER_UP
+flags, and waits for mcast completion if IPOIB_MCAST_FLAG_BUSY
+is set.
+
+On the other hand, the flow of multicast join task initializes
+a mcast completion, sets the IPOIB_MCAST_FLAG_BUSY and calls
+ipoib_mcast_join. If IPOIB_FLAG_OPER_UP flag is not set, this
+call returns EINVAL without setting the mcast completion and
+leads to a deadlock.
+
+ ipoib_stop |
+ | |
+ clear_bit(IPOIB_FLAG_ADMIN_UP) |
+ | |
+ Context Switch |
+ | ipoib_mcast_join_task
+ | |
+ | spin_lock_irq(lock)
+ | |
+ | init_completion(mcast)
+ | |
+ | set_bit(IPOIB_MCAST_FLAG_BUSY)
+ | |
+ | Context Switch
+ | |
+ clear_bit(IPOIB_FLAG_OPER_UP) |
+ | |
+ spin_lock_irqsave(lock) |
+ | |
+ Context Switch |
+ | ipoib_mcast_join
+ | return (-EINVAL)
+ | |
+ | spin_unlock_irq(lock)
+ | |
+ | Context Switch
+ | |
+ ipoib_mcast_dev_flush |
+ wait_for_completion(mcast) |
+
+ipoib_stop will wait for mcast completion for ever, and will
+not release the rtnl_lock. As a result panic occurs with the
+following trace:
+
+ [13441.639268] Call Trace:
+ [13441.640150] [<ffffffff8168b579>] schedule+0x29/0x70
+ [13441.641038] [<ffffffff81688fc9>] schedule_timeout+0x239/0x2d0
+ [13441.641914] [<ffffffff810bc017>] ? complete+0x47/0x50
+ [13441.642765] [<ffffffff810a690d>] ? flush_workqueue_prep_pwqs+0x16d/0x200
+ [13441.643580] [<ffffffff8168b956>] wait_for_completion+0x116/0x170
+ [13441.644434] [<ffffffff810c4ec0>] ? wake_up_state+0x20/0x20
+ [13441.645293] [<ffffffffa05af170>] ipoib_mcast_dev_flush+0x150/0x190 [ib_ipoib]
+ [13441.646159] [<ffffffffa05ac967>] ipoib_ib_dev_down+0x37/0x60 [ib_ipoib]
+ [13441.647013] [<ffffffffa05a4805>] ipoib_stop+0x75/0x150 [ib_ipoib]
+
+Fixes: 08bc327629cb ("IB/ipoib: fix for rare multicast join race condition")
+Signed-off-by: Feras Daoud <ferasda@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_multicast.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
+@@ -487,6 +487,9 @@ static int ipoib_mcast_join(struct net_d
+ !test_bit(IPOIB_FLAG_OPER_UP, &priv->flags))
+ return -EINVAL;
+
++ init_completion(&mcast->done);
++ set_bit(IPOIB_MCAST_FLAG_BUSY, &mcast->flags);
++
+ ipoib_dbg_mcast(priv, "joining MGID %pI6\n", mcast->mcmember.mgid.raw);
+
+ rec.mgid = mcast->mcmember.mgid;
+@@ -645,8 +648,6 @@ void ipoib_mcast_join_task(struct work_s
+ if (mcast->backoff == 1 ||
+ time_after_eq(jiffies, mcast->delay_until)) {
+ /* Found the next unjoined group */
+- init_completion(&mcast->done);
+- set_bit(IPOIB_MCAST_FLAG_BUSY, &mcast->flags);
+ if (ipoib_mcast_join(dev, mcast)) {
+ spin_unlock_irq(&priv->lock);
+ return;
+@@ -666,11 +667,9 @@ out:
+ queue_delayed_work(priv->wq, &priv->mcast_task,
+ delay_until - jiffies);
+ }
+- if (mcast) {
+- init_completion(&mcast->done);
+- set_bit(IPOIB_MCAST_FLAG_BUSY, &mcast->flags);
++ if (mcast)
+ ipoib_mcast_join(dev, mcast);
+- }
++
+ spin_unlock_irq(&priv->lock);
+ }
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Feras Daoud <ferasda@mellanox.com>
+Date: Sun, 19 Mar 2017 11:18:54 +0200
+Subject: IB/ipoib: Update broadcast object if PKey value was changed in index 0
+
+From: Feras Daoud <ferasda@mellanox.com>
+
+
+[ Upstream commit 9a9b8112699d78e7f317019b37f377e90023f3ed ]
+
+Update the broadcast address in the priv->broadcast object when the
+Pkey value changes in index 0, otherwise the multicast GID value will
+keep the previous value of the PKey, and will not be updated.
+This leads to interface state down because the interface will keep the
+old PKey value.
+
+For example, in SR-IOV environment, if the PF changes the value of PKey
+index 0 for one of the VFs, then the VF receives PKey change event that
+triggers heavy flush. This flush calls update_parent_pkey that update the
+broadcast object and its relevant members. If in this case the multicast
+GID will not be updated, the interface state will be down.
+
+Fixes: c2904141696e ("IPoIB: Fix pkey change flow for virtualization environments")
+Signed-off-by: Feras Daoud <ferasda@mellanox.com>
+Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
+Reviewed-by: Alex Vesker <valex@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_ib.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+@@ -974,6 +974,19 @@ static inline int update_parent_pkey(str
+ */
+ priv->dev->broadcast[8] = priv->pkey >> 8;
+ priv->dev->broadcast[9] = priv->pkey & 0xff;
++
++ /*
++ * Update the broadcast address in the priv->broadcast object,
++ * in case it already exists, otherwise no one will do that.
++ */
++ if (priv->broadcast) {
++ spin_lock_irq(&priv->lock);
++ memcpy(priv->broadcast->mcmember.mgid.raw,
++ priv->dev->broadcast + 4,
++ sizeof(union ib_gid));
++ spin_unlock_irq(&priv->lock);
++ }
++
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Maor Gottlieb <maorg@mellanox.com>
+Date: Wed, 29 Mar 2017 06:03:01 +0300
+Subject: IB/mlx4: Change vma from shared to private
+
+From: Maor Gottlieb <maorg@mellanox.com>
+
+
+[ Upstream commit ca37a664a8e4e9988b220988ceb4d79e3316f195 ]
+
+Anonymous VMA (->vm_ops == NULL) cannot be shared, otherwise
+it would lead to SIGBUS.
+
+Remove the shared flags from the vma after we change it to be
+anonymous.
+
+This is easily reproduced by doing modprobe -r while running a
+user-space application such as raw_ethernet_bw.
+
+Fixes: ae184ddeca5db ('IB/mlx4_ib: Disassociate support')
+Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx4/main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/infiniband/hw/mlx4/main.c
++++ b/drivers/infiniband/hw/mlx4/main.c
+@@ -1182,6 +1182,8 @@ static void mlx4_ib_disassociate_ucontex
+ BUG_ON(1);
+ }
+
++ context->hw_bar_info[i].vma->vm_flags &=
++ ~(VM_SHARED | VM_MAYSHARE);
+ /* context going to be destroyed, should not access ops any more */
+ context->hw_bar_info[i].vma->vm_ops = NULL;
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Maor Gottlieb <maorg@mellanox.com>
+Date: Wed, 29 Mar 2017 06:03:00 +0300
+Subject: IB/mlx4: Take write semaphore when changing the vma struct
+
+From: Maor Gottlieb <maorg@mellanox.com>
+
+
+[ Upstream commit 22c3653d04bd0c67b75e99d85e0c0bdf83947df5 ]
+
+When the driver disassociate user context, it changes the vma to
+anonymous by setting the vm_ops to null and zap the vma ptes.
+
+In order to avoid race in the kernel, we need to take write lock
+before we change the vma entries.
+
+Fixes: ae184ddeca5db ('IB/mlx4_ib: Disassociate support')
+Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx4/main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx4/main.c
++++ b/drivers/infiniband/hw/mlx4/main.c
+@@ -1168,7 +1168,7 @@ static void mlx4_ib_disassociate_ucontex
+ /* need to protect from a race on closing the vma as part of
+ * mlx4_ib_vma_close().
+ */
+- down_read(&owning_mm->mmap_sem);
++ down_write(&owning_mm->mmap_sem);
+ for (i = 0; i < HW_BAR_COUNT; i++) {
+ vma = context->hw_bar_info[i].vma;
+ if (!vma)
+@@ -1186,7 +1186,7 @@ static void mlx4_ib_disassociate_ucontex
+ context->hw_bar_info[i].vma->vm_ops = NULL;
+ }
+
+- up_read(&owning_mm->mmap_sem);
++ up_write(&owning_mm->mmap_sem);
+ mmput(owning_mm);
+ put_task_struct(owning_process);
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Maor Gottlieb <maorg@mellanox.com>
+Date: Wed, 29 Mar 2017 06:03:03 +0300
+Subject: IB/mlx5: Change vma from shared to private
+
+From: Maor Gottlieb <maorg@mellanox.com>
+
+
+[ Upstream commit 1377661298d2820d675553d186c31b6f46c140d0 ]
+
+Anonymous VMA (->vm_ops == NULL) cannot be shared, otherwise
+it would lead to SIGBUS.
+
+Remove the shared flags from the vma after we change it to be
+anonymous.
+
+This is easily reproduced by doing modprobe -r while running a
+user-space application such as raw_ethernet_bw.
+
+Fixes: 7c2344c3bbf97 ('IB/mlx5: Implements disassociate_ucontext API')
+Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -1323,6 +1323,7 @@ static void mlx5_ib_disassociate_ucontex
+ /* context going to be destroyed, should
+ * not access ops any more.
+ */
++ vma->vm_flags &= ~(VM_SHARED | VM_MAYSHARE);
+ vma->vm_ops = NULL;
+ list_del(&vma_private->list);
+ kfree(vma_private);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Moni Shoua <monis@mellanox.com>
+Date: Thu, 20 Apr 2017 13:26:54 +0300
+Subject: IB/mlx5: Set correct SL in completion for RoCE
+
+From: Moni Shoua <monis@mellanox.com>
+
+
+[ Upstream commit 12f8fedef2ec94c783f929126b20440a01512c14 ]
+
+There is a difference when parsing a completion entry between Ethernet
+and IB ports. When link layer is Ethernet the bits describe the type of
+L3 header in the packet. In the case when link layer is Ethernet and VLAN
+header is present the value of SL is equal to the 3 UP bits in the VLAN
+header. If VLAN header is not present then the SL is undefined and consumer
+of the completion should check if IB_WC_WITH_VLAN is set.
+
+While that, this patch also fills the vlan_id field in the completion if
+present.
+
+Signed-off-by: Moni Shoua <monis@mellanox.com>
+Reviewed-by: Majd Dibbiny <majd@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx5/cq.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx5/cq.c
++++ b/drivers/infiniband/hw/mlx5/cq.c
+@@ -172,6 +172,8 @@ static void handle_responder(struct ib_w
+ struct mlx5_ib_srq *srq;
+ struct mlx5_ib_wq *wq;
+ u16 wqe_ctr;
++ u8 roce_packet_type;
++ bool vlan_present;
+ u8 g;
+
+ if (qp->ibqp.srq || qp->ibqp.xrcd) {
+@@ -223,7 +225,6 @@ static void handle_responder(struct ib_w
+ break;
+ }
+ wc->slid = be16_to_cpu(cqe->slid);
+- wc->sl = (be32_to_cpu(cqe->flags_rqpn) >> 24) & 0xf;
+ wc->src_qp = be32_to_cpu(cqe->flags_rqpn) & 0xffffff;
+ wc->dlid_path_bits = cqe->ml_path;
+ g = (be32_to_cpu(cqe->flags_rqpn) >> 28) & 3;
+@@ -237,10 +238,22 @@ static void handle_responder(struct ib_w
+ wc->pkey_index = 0;
+ }
+
+- if (ll != IB_LINK_LAYER_ETHERNET)
++ if (ll != IB_LINK_LAYER_ETHERNET) {
++ wc->sl = (be32_to_cpu(cqe->flags_rqpn) >> 24) & 0xf;
+ return;
++ }
++
++ vlan_present = cqe->l4_l3_hdr_type & 0x1;
++ roce_packet_type = (be32_to_cpu(cqe->flags_rqpn) >> 24) & 0x3;
++ if (vlan_present) {
++ wc->vlan_id = (be16_to_cpu(cqe->vlan_info)) & 0xfff;
++ wc->sl = (be16_to_cpu(cqe->vlan_info) >> 13) & 0x7;
++ wc->wc_flags |= IB_WC_WITH_VLAN;
++ } else {
++ wc->sl = 0;
++ }
+
+- switch (wc->sl & 0x3) {
++ switch (roce_packet_type) {
+ case MLX5_CQE_ROCE_L3_HEADER_TYPE_GRH:
+ wc->network_hdr_type = RDMA_NETWORK_IB;
+ break;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Maor Gottlieb <maorg@mellanox.com>
+Date: Wed, 29 Mar 2017 06:03:02 +0300
+Subject: IB/mlx5: Take write semaphore when changing the vma struct
+
+From: Maor Gottlieb <maorg@mellanox.com>
+
+
+[ Upstream commit ecc7d83be3243835c9396a1a2fb8ce95f205207b ]
+
+When the driver disassociate user context, it changes the vma to
+anonymous by setting the vm_ops to null and zap the vma ptes.
+
+In order to avoid race in the kernel, we need to take write lock
+before we change the vma entries.
+
+Fixes: 7c2344c3bbf97 ('IB/mlx5: Implements disassociate_ucontext API')
+Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -1313,7 +1313,7 @@ static void mlx5_ib_disassociate_ucontex
+ /* need to protect from a race on closing the vma as part of
+ * mlx5_ib_vma_close.
+ */
+- down_read(&owning_mm->mmap_sem);
++ down_write(&owning_mm->mmap_sem);
+ list_for_each_entry_safe(vma_private, n, &context->vma_private_list,
+ list) {
+ vma = vma_private->vma;
+@@ -1327,7 +1327,7 @@ static void mlx5_ib_disassociate_ucontex
+ list_del(&vma_private->list);
+ kfree(vma_private);
+ }
+- up_read(&owning_mm->mmap_sem);
++ up_write(&owning_mm->mmap_sem);
+ mmput(owning_mm);
+ put_task_struct(owning_process);
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 27 Apr 2017 12:14:20 +0300
+Subject: IB/rdmavt: restore IRQs on error path in rvt_create_ah()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit f0bb2d44ca26b7090dc7bade8877b77005f07dfc ]
+
+We need to call spin_unlock_irqrestore() instead of vanilla
+spin_unlock() on this error path.
+
+Fixes: 119a8e708d16 ("IB/rdmavt: Add AH to rdmavt")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Acked-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/sw/rdmavt/ah.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/sw/rdmavt/ah.c
++++ b/drivers/infiniband/sw/rdmavt/ah.c
+@@ -119,7 +119,7 @@ struct ib_ah *rvt_create_ah(struct ib_pd
+
+ spin_lock_irqsave(&dev->n_ahs_lock, flags);
+ if (dev->n_ahs_allocated == dev->dparms.props.max_ah) {
+- spin_unlock(&dev->n_ahs_lock);
++ spin_unlock_irqrestore(&dev->n_ahs_lock, flags);
+ kfree(ah);
+ return ERR_PTR(-ENOMEM);
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Johannes Thumshirn <jthumshirn@suse.de>
+Date: Thu, 6 Apr 2017 14:49:44 +0200
+Subject: IB/rxe: Don't clamp residual length to mtu
+
+From: Johannes Thumshirn <jthumshirn@suse.de>
+
+
+[ Upstream commit d52418502e288b5c7e9e2e6cf1de5f1d3d79d2e1 ]
+
+When reading a RDMA WRITE FIRST packet we copy the DMA length from the RDMA
+header into the qp->resp.resid variable for later use. Later in check_rkey()
+we clamp it to the MTU if the packet is an RDMA WRITE packet and has a
+residual length bigger than the MTU. Later in write_data_in() we subtract the
+payload of the packet from the residual length. If the packet happens to have a
+payload of exactly the MTU size we end up with a residual length of 0 despite
+the packet not being the last in the conversation. When the next packet in the
+conversation arrives, we don't have any residual length left and thus set the QP
+into an error state.
+
+This broke NVMe over Fabrics functionality over rdma_rxe.ko
+
+The patch was verified using the following test.
+
+ # echo eth0 > /sys/module/rdma_rxe/parameters/add
+ # nvme connect -t rdma -a 192.168.155.101 -s 1023 -n nvmf-test
+ # mkfs.xfs -fK /dev/nvme0n1
+ meta-data=/dev/nvme0n1 isize=256 agcount=4, agsize=65536 blks
+ = sectsz=4096 attr=2, projid32bit=1
+ = crc=0 finobt=0, sparse=0
+ data = bsize=4096 blocks=262144, imaxpct=25
+ = sunit=0 swidth=0 blks
+ naming =version 2 bsize=4096 ascii-ci=0 ftype=1
+ log =internal log bsize=4096 blocks=2560, version=2
+ = sectsz=4096 sunit=1 blks, lazy-count=1
+ realtime =none extsz=4096 blocks=0, rtextents=0
+ # mount /dev/nvme0n1 /tmp/
+ [ 148.923263] XFS (nvme0n1): Mounting V4 Filesystem
+ [ 148.961196] XFS (nvme0n1): Ending clean mount
+ # dd if=/dev/urandom of=test.bin bs=1M count=128
+ 128+0 records in
+ 128+0 records out
+ 134217728 bytes (134 MB, 128 MiB) copied, 0.437991 s, 306 MB/s
+ # sha256sum test.bin
+ cde42941f045efa8c4f0f157ab6f29741753cdd8d1cff93a6b03649d83c4129a test.bin
+ # cp test.bin /tmp/
+ sha256sum /tmp/test.bin
+ cde42941f045efa8c4f0f157ab6f29741753cdd8d1cff93a6b03649d83c4129a /tmp/test.bin
+
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+Cc: Hannes Reinecke <hare@suse.de>
+Cc: Sagi Grimberg <sagi@grimberg.me>
+Cc: Max Gurtovoy <maxg@mellanox.com>
+Acked-by: Moni Shoua <monis@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/sw/rxe/rxe_resp.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/infiniband/sw/rxe/rxe_resp.c
++++ b/drivers/infiniband/sw/rxe/rxe_resp.c
+@@ -471,8 +471,6 @@ static enum resp_states check_rkey(struc
+ state = RESPST_ERR_LENGTH;
+ goto err;
+ }
+-
+- qp->resp.resid = mtu;
+ } else {
+ if (pktlen != resid) {
+ state = RESPST_ERR_LENGTH;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Artemy Kovalyov <artemyko@mellanox.com>
+Date: Tue, 14 Nov 2017 14:51:59 +0200
+Subject: IB/umem: Fix use of npages/nmap fields
+
+From: Artemy Kovalyov <artemyko@mellanox.com>
+
+
+[ Upstream commit edf1a84fe37c51290e2c88154ecaf48dadff3d27 ]
+
+In ib_umem structure npages holds original number of sg entries, while
+nmap is number of DMA blocks returned by dma_map_sg.
+
+Fixes: c5d76f130b28 ('IB/core: Add umem function to read data from user-space')
+Signed-off-by: Artemy Kovalyov <artemyko@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/umem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -357,7 +357,7 @@ int ib_umem_copy_from(void *dst, struct
+ return -EINVAL;
+ }
+
+- ret = sg_pcopy_to_buffer(umem->sg_head.sgl, umem->nmap, dst, length,
++ ret = sg_pcopy_to_buffer(umem->sg_head.sgl, umem->npages, dst, length,
+ offset + ib_umem_offset(umem));
+
+ if (ret < 0)
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Brian King <brking@linux.vnet.ibm.com>
+Date: Wed, 19 Apr 2017 13:45:10 -0400
+Subject: ibmvnic: Disable irq prior to close
+
+From: Brian King <brking@linux.vnet.ibm.com>
+
+
+[ Upstream commit dd9c20fa07ba5cfb5a0ab3181d68530506610605 ]
+
+ Add some code to call disable_irq on all the vnic interface's irqs.
+ This fixes a crash observed when closing an active interface, as
+ seen in the oops below when we try to access a buffer in the interrupt
+ handler which we've already freed.
+
+ Unable to handle kernel paging request for data at address 0x00000001
+ Faulting instruction address: 0xd000000003886824
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ SMP NR_CPUS=2048 NUMA pSeries
+ Modules linked in: ibmvnic(OEN) rpadlpar_io(X) rpaphp(X) tcp_diag udp_diag inet_diag unix_diag af_packet_diag netlink_diag rpcsec_
+ Supported: No, Unsupported modules are loaded
+ CPU: 8 PID: 0 Comm: swapper/8 Tainted: G OE NX 4.4.49-92.11-default #1
+ task: c00000007f990110 ti: c0000000fffa0000 task.ti: c00000007f9b8000
+ NIP: d000000003886824 LR: d000000003886824 CTR: c0000000007eff60
+ REGS: c0000000fffa3a70 TRAP: 0300 Tainted: G OE NX (4.4.49-92.11-default)
+ MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 22008042 XER: 20000008
+ CFAR: c000000000008468 DAR: 0000000000000001 DSISR: 40000000 SOFTE: 0
+ GPR00: d000000003886824 c0000000fffa3cf0 d000000003894118 0000000000000000
+ GPR04: 0000000000000000 0000000000000000 c000000001249da0 0000000000000000
+ GPR08: 000000000000000e 0000000000000000 c0000000ccb00000 d000000003889180
+ GPR12: c0000000007eff60 c000000007af4c00 0000000000000001 c0000000010def30
+ GPR16: c00000007f9b8000 c000000000b98c30 c00000007f9b8080 c000000000bab858
+ GPR20: 0000000000000005 0000000000000000 c0000000ff5d7e80 c0000000f809f648
+ GPR24: c0000000ff5d7ec8 0000000000000000 0000000000000000 c0000000ccb001a0
+ GPR28: 000000000000000a c0000000f809f600 c0000000fd4cd900 c0000000f9cd5b00
+ NIP [d000000003886824] ibmvnic_interrupt_tx+0x114/0x380 [ibmvnic]
+ LR [d000000003886824] ibmvnic_interrupt_tx+0x114/0x380 [ibmvnic]
+ Call Trace:
+ [c0000000fffa3cf0] [d000000003886824] ibmvnic_interrupt_tx+0x114/0x380 [ibmvnic] (unreliable)
+ [c0000000fffa3dd0] [c000000000132940] __handle_irq_event_percpu+0x90/0x2e0
+ [c0000000fffa3e90] [c000000000132bcc] handle_irq_event_percpu+0x3c/0x90
+ [c0000000fffa3ed0] [c000000000132c88] handle_irq_event+0x68/0xc0
+ [c0000000fffa3f00] [c000000000137edc] handle_fasteoi_irq+0xec/0x250
+ [c0000000fffa3f30] [c000000000131b04] generic_handle_irq+0x54/0x80
+ [c0000000fffa3f60] [c000000000011190] __do_irq+0x80/0x1d0
+ [c0000000fffa3f90] [c0000000000248d8] call_do_irq+0x14/0x24
+ [c00000007f9bb9e0] [c000000000011380] do_IRQ+0xa0/0x120
+ [c00000007f9bba40] [c000000000002594] hardware_interrupt_common+0x114/0x180
+
+Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
+Signed-off-by: Nathan Fontenot <nfont@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -511,6 +511,23 @@ alloc_napi_failed:
+ return -ENOMEM;
+ }
+
++static void disable_sub_crqs(struct ibmvnic_adapter *adapter)
++{
++ int i;
++
++ if (adapter->tx_scrq) {
++ for (i = 0; i < adapter->req_tx_queues; i++)
++ if (adapter->tx_scrq[i])
++ disable_irq(adapter->tx_scrq[i]->irq);
++ }
++
++ if (adapter->rx_scrq) {
++ for (i = 0; i < adapter->req_rx_queues; i++)
++ if (adapter->rx_scrq[i])
++ disable_irq(adapter->rx_scrq[i]->irq);
++ }
++}
++
+ static int ibmvnic_close(struct net_device *netdev)
+ {
+ struct ibmvnic_adapter *adapter = netdev_priv(netdev);
+@@ -519,6 +536,7 @@ static int ibmvnic_close(struct net_devi
+ int i;
+
+ adapter->closing = true;
++ disable_sub_crqs(adapter);
+
+ for (i = 0; i < adapter->req_rx_queues; i++)
+ napi_disable(&adapter->napi[i]);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Wed, 19 Apr 2017 15:35:48 +0100
+Subject: iio: hid-sensor: fix return of -EINVAL on invalid values in ret or value
+
+From: Colin Ian King <colin.king@canonical.com>
+
+
+[ Upstream commit c894acc7bf400d039bf740420b22f0b71b7fb504 ]
+
+Ensure that when an invalid value in ret or value is found -EINVAL
+is returned. A previous commit broke the way the return error is
+being returned and instead caused the return code in ret to be
+re-assigned rather than be returned.
+
+Fixes: 5d9854eaea776 ("iio: hid-sensor: Store restore poll and hysteresis on S3")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/common/hid-sensors/hid-sensor-attributes.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/common/hid-sensors/hid-sensor-attributes.c
++++ b/drivers/iio/common/hid-sensors/hid-sensor-attributes.c
+@@ -215,7 +215,7 @@ int hid_sensor_write_samp_freq_value(str
+ ret = sensor_hub_set_feature(st->hsdev, st->poll.report_id,
+ st->poll.index, sizeof(value), &value);
+ if (ret < 0 || value < 0)
+- ret = -EINVAL;
++ return -EINVAL;
+
+ ret = sensor_hub_get_feature(st->hsdev,
+ st->poll.report_id,
+@@ -265,7 +265,7 @@ int hid_sensor_write_raw_hyst_value(stru
+ st->sensitivity.index, sizeof(value),
+ &value);
+ if (ret < 0 || value < 0)
+- ret = -EINVAL;
++ return -EINVAL;
+
+ ret = sensor_hub_get_feature(st->hsdev,
+ st->sensitivity.report_id,
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Shrirang Bagul <shrirang.bagul@canonical.com>
+Date: Wed, 19 Apr 2017 22:05:00 +0800
+Subject: iio: st_pressure: st_accel: Initialise sensor platform data properly
+
+From: Shrirang Bagul <shrirang.bagul@canonical.com>
+
+
+[ Upstream commit 7383d44b84c94aaca4bf695a6bd8a69f2295ef1a ]
+
+This patch fixes the sensor platform data initialisation for st_pressure
+and st_accel device drivers. Without this patch, the driver fails to
+register the sensors when the user removes and re-loads the driver.
+
+1. Unload the kernel modules for st_pressure
+$ sudo rmmod st_pressure_i2c
+$ sudo rmmod st_pressure
+
+2. Re-load the driver
+$ sudo insmod st_pressure
+$ sudo insmod st_pressure_i2c
+
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Acked-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/accel/st_accel_core.c | 7 ++++---
+ drivers/iio/pressure/st_pressure_core.c | 8 ++++----
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/iio/accel/st_accel_core.c
++++ b/drivers/iio/accel/st_accel_core.c
+@@ -827,6 +827,8 @@ static const struct iio_trigger_ops st_a
+ int st_accel_common_probe(struct iio_dev *indio_dev)
+ {
+ struct st_sensor_data *adata = iio_priv(indio_dev);
++ struct st_sensors_platform_data *pdata =
++ (struct st_sensors_platform_data *)adata->dev->platform_data;
+ int irq = adata->get_irq_data_ready(indio_dev);
+ int err;
+
+@@ -853,9 +855,8 @@ int st_accel_common_probe(struct iio_dev
+ &adata->sensor_settings->fs.fs_avl[0];
+ adata->odr = adata->sensor_settings->odr.odr_avl[0].hz;
+
+- if (!adata->dev->platform_data)
+- adata->dev->platform_data =
+- (struct st_sensors_platform_data *)&default_accel_pdata;
++ if (!pdata)
++ pdata = (struct st_sensors_platform_data *)&default_accel_pdata;
+
+ err = st_sensors_init_sensor(indio_dev, adata->dev->platform_data);
+ if (err < 0)
+--- a/drivers/iio/pressure/st_pressure_core.c
++++ b/drivers/iio/pressure/st_pressure_core.c
+@@ -638,6 +638,8 @@ static const struct iio_trigger_ops st_p
+ int st_press_common_probe(struct iio_dev *indio_dev)
+ {
+ struct st_sensor_data *press_data = iio_priv(indio_dev);
++ struct st_sensors_platform_data *pdata =
++ (struct st_sensors_platform_data *)press_data->dev->platform_data;
+ int irq = press_data->get_irq_data_ready(indio_dev);
+ int err;
+
+@@ -673,10 +675,8 @@ int st_press_common_probe(struct iio_dev
+ press_data->odr = press_data->sensor_settings->odr.odr_avl[0].hz;
+
+ /* Some devices don't support a data ready pin. */
+- if (!press_data->dev->platform_data &&
+- press_data->sensor_settings->drdy_irq.addr)
+- press_data->dev->platform_data =
+- (struct st_sensors_platform_data *)&default_press_pdata;
++ if (!pdata && press_data->sensor_settings->drdy_irq.addr)
++ pdata = (struct st_sensors_platform_data *)&default_press_pdata;
+
+ err = st_sensors_init_sensor(indio_dev, press_data->dev->platform_data);
+ if (err < 0)
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
+Date: Fri, 24 Mar 2017 15:55:17 -0400
+Subject: infiniband/uverbs: Fix integer overflows
+
+From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
+
+
+[ Upstream commit 4f7f4dcfff2c19debbcdbcc861c325610a15e0c5 ]
+
+The 'num_sge' variable is verfied to be smaller than the 'sge_count'
+variable; however, since both are user-controlled it's possible to cause
+an integer overflow for the kmalloc multiply on 32-bit platforms
+(num_sge and sge_count are both defined u32). By crafting an input that
+causes a smaller-than-expected allocation it's possible to write
+controlled data out-of-bounds.
+
+Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/uverbs_cmd.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -2491,9 +2491,13 @@ ssize_t ib_uverbs_destroy_qp(struct ib_u
+
+ static void *alloc_wr(size_t wr_size, __u32 num_sge)
+ {
++ if (num_sge >= (U32_MAX - ALIGN(wr_size, sizeof (struct ib_sge))) /
++ sizeof (struct ib_sge))
++ return NULL;
++
+ return kmalloc(ALIGN(wr_size, sizeof (struct ib_sge)) +
+ num_sge * sizeof (struct ib_sge), GFP_KERNEL);
+-};
++}
+
+ ssize_t ib_uverbs_post_send(struct ib_uverbs_file *file,
+ struct ib_device *ib_dev,
+@@ -2719,6 +2723,13 @@ static struct ib_recv_wr *ib_uverbs_unma
+ ret = -EINVAL;
+ goto err;
+ }
++
++ if (user_wr->num_sge >=
++ (U32_MAX - ALIGN(sizeof *next, sizeof (struct ib_sge))) /
++ sizeof (struct ib_sge)) {
++ ret = -EINVAL;
++ goto err;
++ }
+
+ next = kmalloc(ALIGN(sizeof *next, sizeof (struct ib_sge)) +
+ user_wr->num_sge * sizeof (struct ib_sge),
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 12 Dec 2016 15:32:57 -0800
+Subject: Input: ar1021_i2c - fix too long name in driver's device table
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+
+[ Upstream commit 95123fc43560d6f4a60e74f72836e63cd8848f76 ]
+
+The name field in structure i2c_device_id is 20 characters, and we expect
+it to be NULL-terminated, however we are trying to stuff it with 21 bytes
+and thus NULL-terminator is lost. This causes issues when one creates
+device with name "MICROCHIP_AR1021_I2C" as i2c core cuts off the last "C",
+and automatic module loading by alias does not work as result.
+
+The -I2C suffix in the device name is superfluous, we know what bus we are
+dealing with, so let's drop it. Also, no other driver uses capitals, and
+the manufacturer name is normally not included, except in very rare cases
+of incompatible name collisions.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116211
+Fixes: dd4cae8bf166 ("Input: Add Microchip AR1021 i2c touchscreen")
+Reviewed-By: Christian Gmeiner <christian.gmeiner@gmail.com>
+Tested-by: Martin Kepplinger <martin.kepplinger@ginzinger.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/ar1021_i2c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/ar1021_i2c.c
++++ b/drivers/input/touchscreen/ar1021_i2c.c
+@@ -152,7 +152,7 @@ static int __maybe_unused ar1021_i2c_res
+ static SIMPLE_DEV_PM_OPS(ar1021_i2c_pm, ar1021_i2c_suspend, ar1021_i2c_resume);
+
+ static const struct i2c_device_id ar1021_i2c_id[] = {
+- { "MICROCHIP_AR1021_I2C", 0 },
++ { "ar1021", 0 },
+ { },
+ };
+ MODULE_DEVICE_TABLE(i2c, ar1021_i2c_id);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Date: Fri, 28 Apr 2017 10:25:51 -0700
+Subject: Input: twl4030-pwrbutton - use correct device for irq request
+
+From: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+
+
+[ Upstream commit 3071e9dd6cd3f2290d770117330f2c8b2e9a97e4 ]
+
+The interrupt should be requested for the platform device
+and not for the input device.
+
+Fixes: 7f9ce649d267 ("Input: twl4030-pwrbutton - simplify driver using devm_*")
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/misc/twl4030-pwrbutton.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/misc/twl4030-pwrbutton.c
++++ b/drivers/input/misc/twl4030-pwrbutton.c
+@@ -70,7 +70,7 @@ static int twl4030_pwrbutton_probe(struc
+ pwr->phys = "twl4030_pwrbutton/input0";
+ pwr->dev.parent = &pdev->dev;
+
+- err = devm_request_threaded_irq(&pwr->dev, irq, NULL, powerbutton_irq,
++ err = devm_request_threaded_irq(&pdev->dev, irq, NULL, powerbutton_irq,
+ IRQF_TRIGGER_FALLING | IRQF_TRIGGER_RISING |
+ IRQF_ONESHOT,
+ "twl4030_pwrbutton", pwr);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Suman Anna <s-anna@ti.com>
+Date: Wed, 12 Apr 2017 00:21:26 -0500
+Subject: iommu/omap: Register driver before setting IOMMU ops
+
+From: Suman Anna <s-anna@ti.com>
+
+
+[ Upstream commit abaa7e5b054aae567861628b74dbc7fbf8ed79e8 ]
+
+Move the registration of the OMAP IOMMU platform driver before
+setting the IOMMU callbacks on the platform bus. This causes
+the IOMMU devices to be probed first before the .add_device()
+callback is invoked for all registered devices, and allows
+the iommu_group support to be added to the OMAP IOMMU driver.
+
+While at this, also check for the return status from bus_set_iommu.
+
+Signed-off-by: Suman Anna <s-anna@ti.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/omap-iommu.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+--- a/drivers/iommu/omap-iommu.c
++++ b/drivers/iommu/omap-iommu.c
+@@ -1299,6 +1299,7 @@ static int __init omap_iommu_init(void)
+ const unsigned long flags = SLAB_HWCACHE_ALIGN;
+ size_t align = 1 << 10; /* L2 pagetable alignement */
+ struct device_node *np;
++ int ret;
+
+ np = of_find_matching_node(NULL, omap_iommu_of_match);
+ if (!np)
+@@ -1312,11 +1313,25 @@ static int __init omap_iommu_init(void)
+ return -ENOMEM;
+ iopte_cachep = p;
+
+- bus_set_iommu(&platform_bus_type, &omap_iommu_ops);
+-
+ omap_iommu_debugfs_init();
+
+- return platform_driver_register(&omap_iommu_driver);
++ ret = platform_driver_register(&omap_iommu_driver);
++ if (ret) {
++ pr_err("%s: failed to register driver\n", __func__);
++ goto fail_driver;
++ }
++
++ ret = bus_set_iommu(&platform_bus_type, &omap_iommu_ops);
++ if (ret)
++ goto fail_bus;
++
++ return 0;
++
++fail_bus:
++ platform_driver_unregister(&omap_iommu_driver);
++fail_driver:
++ kmem_cache_destroy(iopte_cachep);
++ return ret;
+ }
+ subsys_initcall(omap_iommu_init);
+ /* must be ready before omap3isp is probed */
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Jerry Snitselaar <jsnitsel@redhat.com>
+Date: Wed, 20 Dec 2017 09:48:56 -0700
+Subject: iommu/vt-d: clean up pr_irq if request_threaded_irq fails
+
+From: Jerry Snitselaar <jsnitsel@redhat.com>
+
+
+[ Upstream commit 72d548113881dd32bf7f0b221d031e6586468437 ]
+
+It is unlikely request_threaded_irq will fail, but if it does for some
+reason we should clear iommu->pr_irq in the error path. Also
+intel_svm_finish_prq shouldn't try to clean up the page request
+interrupt if pr_irq is 0. Without these, if request_threaded_irq were
+to fail the following occurs:
+
+fail with no fixes:
+
+[ 0.683147] ------------[ cut here ]------------
+[ 0.683148] NULL pointer, cannot free irq
+[ 0.683158] WARNING: CPU: 1 PID: 1 at kernel/irq/irqdomain.c:1632 irq_domain_free_irqs+0x126/0x140
+[ 0.683160] Modules linked in:
+[ 0.683163] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2 #3
+[ 0.683165] Hardware name: /NUC7i3BNB, BIOS BNKBL357.86A.0036.2017.0105.1112 01/05/2017
+[ 0.683168] RIP: 0010:irq_domain_free_irqs+0x126/0x140
+[ 0.683169] RSP: 0000:ffffc90000037ce8 EFLAGS: 00010292
+[ 0.683171] RAX: 000000000000001d RBX: ffff880276283c00 RCX: ffffffff81c5e5e8
+[ 0.683172] RDX: 0000000000000001 RSI: 0000000000000096 RDI: 0000000000000246
+[ 0.683174] RBP: ffff880276283c00 R08: 0000000000000000 R09: 000000000000023c
+[ 0.683175] R10: 0000000000000007 R11: 0000000000000000 R12: 000000000000007a
+[ 0.683176] R13: 0000000000000001 R14: 0000000000000000 R15: 0000010010000000
+[ 0.683178] FS: 0000000000000000(0000) GS:ffff88027ec80000(0000) knlGS:0000000000000000
+[ 0.683180] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 0.683181] CR2: 0000000000000000 CR3: 0000000001c09001 CR4: 00000000003606e0
+[ 0.683182] Call Trace:
+[ 0.683189] intel_svm_finish_prq+0x3c/0x60
+[ 0.683191] free_dmar_iommu+0x1ac/0x1b0
+[ 0.683195] init_dmars+0xaaa/0xaea
+[ 0.683200] ? klist_next+0x19/0xc0
+[ 0.683203] ? pci_do_find_bus+0x50/0x50
+[ 0.683205] ? pci_get_dev_by_id+0x52/0x70
+[ 0.683208] intel_iommu_init+0x498/0x5c7
+[ 0.683211] pci_iommu_init+0x13/0x3c
+[ 0.683214] ? e820__memblock_setup+0x61/0x61
+[ 0.683217] do_one_initcall+0x4d/0x1a0
+[ 0.683220] kernel_init_freeable+0x186/0x20e
+[ 0.683222] ? set_debug_rodata+0x11/0x11
+[ 0.683225] ? rest_init+0xb0/0xb0
+[ 0.683226] kernel_init+0xa/0xff
+[ 0.683229] ret_from_fork+0x1f/0x30
+[ 0.683259] Code: 89 ee 44 89 e7 e8 3b e8 ff ff 5b 5d 44 89 e7 44 89 ee 41 5c 41 5d 41 5e e9 a8 84 ff ff 48 c7 c7 a8 71 a7 81 31 c0 e8 6a d3 f9 ff <0f> ff 5b 5d 41 5c 41 5d 41 5
+e c3 0f 1f 44 00 00 66 2e 0f 1f 84
+[ 0.683285] ---[ end trace f7650e42792627ca ]---
+
+with iommu->pr_irq = 0, but no check in intel_svm_finish_prq:
+
+[ 0.669561] ------------[ cut here ]------------
+[ 0.669563] Trying to free already-free IRQ 0
+[ 0.669573] WARNING: CPU: 3 PID: 1 at kernel/irq/manage.c:1546 __free_irq+0xa4/0x2c0
+[ 0.669574] Modules linked in:
+[ 0.669577] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2 #4
+[ 0.669579] Hardware name: /NUC7i3BNB, BIOS BNKBL357.86A.0036.2017.0105.1112 01/05/2017
+[ 0.669581] RIP: 0010:__free_irq+0xa4/0x2c0
+[ 0.669582] RSP: 0000:ffffc90000037cc0 EFLAGS: 00010082
+[ 0.669584] RAX: 0000000000000021 RBX: 0000000000000000 RCX: ffffffff81c5e5e8
+[ 0.669585] RDX: 0000000000000001 RSI: 0000000000000086 RDI: 0000000000000046
+[ 0.669587] RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000023c
+[ 0.669588] R10: 0000000000000007 R11: 0000000000000000 R12: ffff880276253960
+[ 0.669589] R13: ffff8802762538a4 R14: ffff880276253800 R15: ffff880276283600
+[ 0.669593] FS: 0000000000000000(0000) GS:ffff88027ed80000(0000) knlGS:0000000000000000
+[ 0.669594] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 0.669596] CR2: 0000000000000000 CR3: 0000000001c09001 CR4: 00000000003606e0
+[ 0.669602] Call Trace:
+[ 0.669616] free_irq+0x30/0x60
+[ 0.669620] intel_svm_finish_prq+0x34/0x60
+[ 0.669623] free_dmar_iommu+0x1ac/0x1b0
+[ 0.669627] init_dmars+0xaaa/0xaea
+[ 0.669631] ? klist_next+0x19/0xc0
+[ 0.669634] ? pci_do_find_bus+0x50/0x50
+[ 0.669637] ? pci_get_dev_by_id+0x52/0x70
+[ 0.669639] intel_iommu_init+0x498/0x5c7
+[ 0.669642] pci_iommu_init+0x13/0x3c
+[ 0.669645] ? e820__memblock_setup+0x61/0x61
+[ 0.669648] do_one_initcall+0x4d/0x1a0
+[ 0.669651] kernel_init_freeable+0x186/0x20e
+[ 0.669653] ? set_debug_rodata+0x11/0x11
+[ 0.669656] ? rest_init+0xb0/0xb0
+[ 0.669658] kernel_init+0xa/0xff
+[ 0.669661] ret_from_fork+0x1f/0x30
+[ 0.669662] Code: 7a 08 75 0e e9 c3 01 00 00 4c 39 7b 08 74 57 48 89 da 48 8b 5a 18 48 85 db 75 ee 89 ee 48 c7 c7 78 67 a7 81 31 c0 e8 4c 37 fa ff <0f> ff 48 8b 34 24 4c 89 ef e
+8 0e 4c 68 00 49 8b 46 40 48 8b 80
+[ 0.669688] ---[ end trace 58a470248700f2fc ]---
+
+Cc: Alex Williamson <alex.williamson@redhat.com>
+Cc: Joerg Roedel <joro@8bytes.org>
+Cc: Ashok Raj <ashok.raj@intel.com>
+Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
+Reviewed-by: Ashok Raj <ashok.raj@intel.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/intel-svm.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/iommu/intel-svm.c
++++ b/drivers/iommu/intel-svm.c
+@@ -127,6 +127,7 @@ int intel_svm_enable_prq(struct intel_io
+ pr_err("IOMMU: %s: Failed to request IRQ for page request queue\n",
+ iommu->name);
+ dmar_free_hwirq(irq);
++ iommu->pr_irq = 0;
+ goto err;
+ }
+ dmar_writeq(iommu->reg + DMAR_PQH_REG, 0ULL);
+@@ -142,9 +143,11 @@ int intel_svm_finish_prq(struct intel_io
+ dmar_writeq(iommu->reg + DMAR_PQT_REG, 0ULL);
+ dmar_writeq(iommu->reg + DMAR_PQA_REG, 0ULL);
+
+- free_irq(iommu->pr_irq, iommu);
+- dmar_free_hwirq(iommu->pr_irq);
+- iommu->pr_irq = 0;
++ if (iommu->pr_irq) {
++ free_irq(iommu->pr_irq, iommu);
++ dmar_free_hwirq(iommu->pr_irq);
++ iommu->pr_irq = 0;
++ }
+
+ free_pages((unsigned long)iommu->prq, PRQ_ORDER);
+ iommu->prq = NULL;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+Date: Tue, 19 Dec 2017 16:59:21 +0300
+Subject: ip6_vti: adjust vti mtu according to mtu of lower device
+
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+
+
+[ Upstream commit 53c81e95df1793933f87748d36070a721f6cb287 ]
+
+LTP/udp6_ipsec_vti tests fail when sending large UDP datagrams over
+ip6_vti that require fragmentation and the underlying device has an
+MTU smaller than 1500 plus some extra space for headers. This happens
+because ip6_vti, by default, sets MTU to ETH_DATA_LEN and not updating
+it depending on a destination address or link parameter. Further
+attempts to send UDP packets may succeed because pmtu gets updated on
+ICMPV6_PKT_TOOBIG in vti6_err().
+
+In case the lower device has larger MTU size, e.g. 9000, ip6_vti works
+but not using the possible maximum size, output packets have 1500 limit.
+
+The above cases require manual MTU setup after ip6_vti creation. However
+ip_vti already updates MTU based on lower device with ip_tunnel_bind_dev().
+
+Here is the example when the lower device MTU is set to 9000:
+
+ # ip a sh ltp_ns_veth2
+ ltp_ns_veth2@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 ...
+ inet 10.0.0.2/24 scope global ltp_ns_veth2
+ inet6 fd00::2/64 scope global
+
+ # ip li add vti6 type vti6 local fd00::2 remote fd00::1
+ # ip li show vti6
+ vti6@NONE: <POINTOPOINT,NOARP> mtu 1500 ...
+ link/tunnel6 fd00::2 peer fd00::1
+
+After the patch:
+ # ip li add vti6 type vti6 local fd00::2 remote fd00::1
+ # ip li show vti6
+ vti6@NONE: <POINTOPOINT,NOARP> mtu 8832 ...
+ link/tunnel6 fd00::2 peer fd00::1
+
+Reported-by: Petr Vorel <pvorel@suse.cz>
+Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_vti.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -625,6 +625,7 @@ static void vti6_link_config(struct ip6_
+ {
+ struct net_device *dev = t->dev;
+ struct __ip6_tnl_parm *p = &t->parms;
++ struct net_device *tdev = NULL;
+
+ memcpy(dev->dev_addr, &p->laddr, sizeof(struct in6_addr));
+ memcpy(dev->broadcast, &p->raddr, sizeof(struct in6_addr));
+@@ -637,6 +638,25 @@ static void vti6_link_config(struct ip6_
+ dev->flags |= IFF_POINTOPOINT;
+ else
+ dev->flags &= ~IFF_POINTOPOINT;
++
++ if (p->flags & IP6_TNL_F_CAP_XMIT) {
++ int strict = (ipv6_addr_type(&p->raddr) &
++ (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL));
++ struct rt6_info *rt = rt6_lookup(t->net,
++ &p->raddr, &p->laddr,
++ p->link, strict);
++
++ if (rt)
++ tdev = rt->dst.dev;
++ ip6_rt_put(rt);
++ }
++
++ if (!tdev && p->link)
++ tdev = __dev_get_by_index(t->net, p->link);
++
++ if (tdev)
++ dev->mtu = max_t(int, tdev->mtu - dev->hard_header_len,
++ IPV6_MIN_MTU);
+ }
+
+ /**
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Robert Lippert <roblip@gmail.com>
+Date: Thu, 20 Apr 2017 16:49:47 -0700
+Subject: ipmi/watchdog: fix wdog hang on panic waiting for ipmi response
+
+From: Robert Lippert <roblip@gmail.com>
+
+
+[ Upstream commit 2c1175c2e8e5487233cabde358a19577562ac83e ]
+
+Commit c49c097610fe ("ipmi: Don't call receive handler in the
+panic context") means that the panic_recv_free is not called during a
+panic and the atomic count does not drop to 0.
+
+Fix this by only expecting one decrement of the atomic variable
+which comes from panic_smi_free.
+
+Signed-off-by: Robert Lippert <rlippert@google.com>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/ipmi/ipmi_watchdog.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_watchdog.c
++++ b/drivers/char/ipmi/ipmi_watchdog.c
+@@ -515,7 +515,7 @@ static void panic_halt_ipmi_heartbeat(vo
+ msg.cmd = IPMI_WDOG_RESET_TIMER;
+ msg.data = NULL;
+ msg.data_len = 0;
+- atomic_add(2, &panic_done_count);
++ atomic_add(1, &panic_done_count);
+ rv = ipmi_request_supply_msgs(watchdog_user,
+ (struct ipmi_addr *) &addr,
+ 0,
+@@ -525,7 +525,7 @@ static void panic_halt_ipmi_heartbeat(vo
+ &panic_halt_heartbeat_recv_msg,
+ 1);
+ if (rv)
+- atomic_sub(2, &panic_done_count);
++ atomic_sub(1, &panic_done_count);
+ }
+
+ static struct ipmi_smi_msg panic_halt_smi_msg = {
+@@ -549,12 +549,12 @@ static void panic_halt_ipmi_set_timeout(
+ /* Wait for the messages to be free. */
+ while (atomic_read(&panic_done_count) != 0)
+ ipmi_poll_interface(watchdog_user);
+- atomic_add(2, &panic_done_count);
++ atomic_add(1, &panic_done_count);
+ rv = i_ipmi_set_timeout(&panic_halt_smi_msg,
+ &panic_halt_recv_msg,
+ &send_heartbeat_now);
+ if (rv) {
+- atomic_sub(2, &panic_done_count);
++ atomic_sub(1, &panic_done_count);
+ printk(KERN_WARNING PFX
+ "Unable to extend the watchdog timeout.");
+ } else {
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Thu, 20 Apr 2017 11:44:16 +0200
+Subject: ipvs: explicitly forbid ipv6 service/dest creation if ipv6 mod is disabled
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+
+[ Upstream commit 1442f6f7c1b77de1c508318164a527e240c24a4d ]
+
+When creating a new ipvs service, ipv6 addresses are always accepted
+if CONFIG_IP_VS_IPV6 is enabled. On dest creation the address family
+is not explicitly checked.
+
+This allows the user-space to configure ipvs services even if the
+system is booted with ipv6.disable=1. On specific configuration, ipvs
+can try to call ipv6 routing code at setup time, causing the kernel to
+oops due to fib6_rules_ops being NULL.
+
+This change addresses the issue adding a check for the ipv6
+module being enabled while validating ipv6 service operations and
+adding the same validation for dest operations.
+
+According to git history, this issue is apparently present since
+the introduction of ipv6 support, and the oops can be triggered
+since commit 09571c7ae30865ad ("IPVS: Add function to determine
+if IPv6 address is local")
+
+Fixes: 09571c7ae30865ad ("IPVS: Add function to determine if IPv6 address is local")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -3092,6 +3092,17 @@ nla_put_failure:
+ return skb->len;
+ }
+
++static bool ip_vs_is_af_valid(int af)
++{
++ if (af == AF_INET)
++ return true;
++#ifdef CONFIG_IP_VS_IPV6
++ if (af == AF_INET6 && ipv6_mod_enabled())
++ return true;
++#endif
++ return false;
++}
++
+ static int ip_vs_genl_parse_service(struct netns_ipvs *ipvs,
+ struct ip_vs_service_user_kern *usvc,
+ struct nlattr *nla, int full_entry,
+@@ -3118,11 +3129,7 @@ static int ip_vs_genl_parse_service(stru
+ memset(usvc, 0, sizeof(*usvc));
+
+ usvc->af = nla_get_u16(nla_af);
+-#ifdef CONFIG_IP_VS_IPV6
+- if (usvc->af != AF_INET && usvc->af != AF_INET6)
+-#else
+- if (usvc->af != AF_INET)
+-#endif
++ if (!ip_vs_is_af_valid(usvc->af))
+ return -EAFNOSUPPORT;
+
+ if (nla_fwmark) {
+@@ -3624,6 +3631,11 @@ static int ip_vs_genl_set_cmd(struct sk_
+ if (udest.af == 0)
+ udest.af = svc->af;
+
++ if (!ip_vs_is_af_valid(udest.af)) {
++ ret = -EAFNOSUPPORT;
++ goto out;
++ }
++
+ if (udest.af != svc->af && cmd != IPVS_CMD_DEL_DEST) {
+ /* The synchronization protocol is incompatible
+ * with mixed family services
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Paul Burton <paul.burton@imgtec.com>
+Date: Thu, 20 Apr 2017 10:07:34 +0100
+Subject: irqchip/mips-gic: Separate IPI reservation & usage tracking
+
+From: Paul Burton <paul.burton@imgtec.com>
+
+
+[ Upstream commit f8dcd9e81797ae24acc44c84f0eb3b9e6cee9791 ]
+
+Since commit 2af70a962070 ("irqchip/mips-gic: Add a IPI hierarchy
+domain") introduced the GIC IPI IRQ domain we have tracked both
+reservation of interrupts & their use with a single bitmap - ipi_resrv.
+If an interrupt is reserved for use as an IPI but not actually in use
+then the appropriate bit is set in ipi_resrv. If an interrupt is either
+not reserved for use as an IPI or has been allocated as one then the
+appropriate bit is clear in ipi_resrv.
+
+Unfortunately this means that checking whether a bit is set in ipi_resrv
+to prevent IPI interrupts being allocated for use with a device is
+broken, because if the interrupt has been allocated as an IPI first then
+its bit will be clear.
+
+Fix this by separating the tracking of IPI reservation & usage,
+introducing a separate ipi_available bitmap for the latter. This means
+that ipi_resrv will now always have bits set corresponding to all
+interrupts reserved for use as IPIs, whether or not they have been
+allocated yet, and therefore that checking it when allocating device
+interrupts works as expected.
+
+Fixes: 2af70a962070 ("irqchip/mips-gic: Add a IPI hierarchy domain")
+Signed-off-by: Paul Burton <paul.burton@imgtec.com>
+Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Cc: Jason Cooper <jason@lakedaemon.net>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Link: http://lkml.kernel.org/r/1492679256-14513-2-git-send-email-matt.redfearn@imgtec.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-mips-gic.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/irqchip/irq-mips-gic.c
++++ b/drivers/irqchip/irq-mips-gic.c
+@@ -55,6 +55,7 @@ static unsigned int gic_cpu_pin;
+ static unsigned int timer_cpu_pin;
+ static struct irq_chip gic_level_irq_controller, gic_edge_irq_controller;
+ DECLARE_BITMAP(ipi_resrv, GIC_MAX_INTRS);
++DECLARE_BITMAP(ipi_available, GIC_MAX_INTRS);
+
+ static void __gic_irq_dispatch(void);
+
+@@ -746,17 +747,17 @@ static int gic_irq_domain_alloc(struct i
+
+ return gic_setup_dev_chip(d, virq, spec->hwirq);
+ } else {
+- base_hwirq = find_first_bit(ipi_resrv, gic_shared_intrs);
++ base_hwirq = find_first_bit(ipi_available, gic_shared_intrs);
+ if (base_hwirq == gic_shared_intrs) {
+ return -ENOMEM;
+ }
+
+ /* check that we have enough space */
+ for (i = base_hwirq; i < nr_irqs; i++) {
+- if (!test_bit(i, ipi_resrv))
++ if (!test_bit(i, ipi_available))
+ return -EBUSY;
+ }
+- bitmap_clear(ipi_resrv, base_hwirq, nr_irqs);
++ bitmap_clear(ipi_available, base_hwirq, nr_irqs);
+
+ /* map the hwirq for each cpu consecutively */
+ i = 0;
+@@ -787,7 +788,7 @@ static int gic_irq_domain_alloc(struct i
+
+ return 0;
+ error:
+- bitmap_set(ipi_resrv, base_hwirq, nr_irqs);
++ bitmap_set(ipi_available, base_hwirq, nr_irqs);
+ return ret;
+ }
+
+@@ -802,7 +803,7 @@ void gic_irq_domain_free(struct irq_doma
+ return;
+
+ base_hwirq = GIC_HWIRQ_TO_SHARED(irqd_to_hwirq(data));
+- bitmap_set(ipi_resrv, base_hwirq, nr_irqs);
++ bitmap_set(ipi_available, base_hwirq, nr_irqs);
+ }
+
+ int gic_irq_domain_match(struct irq_domain *d, struct device_node *node,
+@@ -1066,6 +1067,7 @@ static void __init __gic_init(unsigned l
+ 2 * gic_vpes);
+ }
+
++ bitmap_copy(ipi_available, ipi_resrv, GIC_MAX_INTRS);
+ gic_basic_init();
+ }
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Bharat Potnuri <bharat@chelsio.com>
+Date: Tue, 28 Nov 2017 23:58:07 +0530
+Subject: iser-target: avoid reinitializing rdma contexts for isert commands
+
+From: Bharat Potnuri <bharat@chelsio.com>
+
+
+[ Upstream commit 66f53e6f5400578bae58db0c06d85a8820831f40 ]
+
+isert commands that failed during isert_rdma_rw_ctx_post() are queued to
+Queue-Full(QF) queue and are scheduled to be reposted during queue-full
+queue processing. During this reposting, the rdma contexts are initialised
+again in isert_rdma_rw_ctx_post(), which is leaking significant memory.
+
+unreferenced object 0xffff8830201d9640 (size 64):
+ comm "kworker/0:2", pid 195, jiffies 4295374851 (age 4528.436s)
+ hex dump (first 32 bytes):
+ 00 60 8b cb 2e 00 00 00 00 10 00 00 00 00 00 00 .`..............
+ 00 90 e3 cb 2e 00 00 00 00 10 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff8170711e>] kmemleak_alloc+0x4e/0xb0
+ [<ffffffff811f8ba5>] __kmalloc+0x125/0x2b0
+ [<ffffffffa046b24f>] rdma_rw_ctx_init+0x15f/0x6f0 [ib_core]
+ [<ffffffffa07ab644>] isert_rdma_rw_ctx_post+0xc4/0x3c0 [ib_isert]
+ [<ffffffffa07ad972>] isert_put_datain+0x112/0x1c0 [ib_isert]
+ [<ffffffffa07dddce>] lio_queue_data_in+0x2e/0x30 [iscsi_target_mod]
+ [<ffffffffa076c322>] target_qf_do_work+0x2b2/0x4b0 [target_core_mod]
+ [<ffffffff81080c3b>] process_one_work+0x1db/0x5d0
+ [<ffffffff8108107d>] worker_thread+0x4d/0x3e0
+ [<ffffffff81088667>] kthread+0x117/0x150
+ [<ffffffff81713fa7>] ret_from_fork+0x27/0x40
+ [<ffffffffffffffff>] 0xffffffffffffffff
+
+Here is patch to use the older rdma contexts while reposting
+the isert commands intead of reinitialising them.
+
+Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/isert/ib_isert.c | 7 +++++++
+ drivers/infiniband/ulp/isert/ib_isert.h | 1 +
+ 2 files changed, 8 insertions(+)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -2098,6 +2098,9 @@ isert_rdma_rw_ctx_post(struct isert_cmd
+ u32 rkey, offset;
+ int ret;
+
++ if (cmd->ctx_init_done)
++ goto rdma_ctx_post;
++
+ if (dir == DMA_FROM_DEVICE) {
+ addr = cmd->write_va;
+ rkey = cmd->write_stag;
+@@ -2125,11 +2128,15 @@ isert_rdma_rw_ctx_post(struct isert_cmd
+ se_cmd->t_data_sg, se_cmd->t_data_nents,
+ offset, addr, rkey, dir);
+ }
++
+ if (ret < 0) {
+ isert_err("Cmd: %p failed to prepare RDMA res\n", cmd);
+ return ret;
+ }
+
++ cmd->ctx_init_done = true;
++
++rdma_ctx_post:
+ ret = rdma_rw_ctx_post(&cmd->rw, conn->qp, port_num, cqe, chain_wr);
+ if (ret < 0)
+ isert_err("Cmd: %p failed to post RDMA res\n", cmd);
+--- a/drivers/infiniband/ulp/isert/ib_isert.h
++++ b/drivers/infiniband/ulp/isert/ib_isert.h
+@@ -124,6 +124,7 @@ struct isert_cmd {
+ struct rdma_rw_ctx rw;
+ struct work_struct comp_work;
+ struct scatterlist sg;
++ bool ctx_init_done;
+ };
+
+ static inline struct isert_cmd *tx_desc_to_cmd(struct iser_tx_desc *desc)
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Liad Kaufman <liad.kaufman@intel.com>
+Date: Sun, 19 Feb 2017 10:42:40 +0200
+Subject: iwlwifi: a000: fix memory offsets and lengths
+
+From: Liad Kaufman <liad.kaufman@intel.com>
+
+
+[ Upstream commit f4d1047914ea05e0f8393944da18f6ee5dad24c4 ]
+
+Memory offsets and lengths for A000 HW is different
+than currently specified.
+
+Fixes: e34d975e40ff ("iwlwifi: Add a000 HW family support")
+Signed-off-by: Liad Kaufman <liad.kaufman@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/iwl-a000.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-a000.c
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-a000.c
+@@ -65,12 +65,12 @@
+ #define IWL_A000_TX_POWER_VERSION 0xffff /* meaningless */
+
+ /* Memory offsets and lengths */
+-#define IWL_A000_DCCM_OFFSET 0x800000
+-#define IWL_A000_DCCM_LEN 0x18000
++#define IWL_A000_DCCM_OFFSET 0x800000 /* LMAC1 */
++#define IWL_A000_DCCM_LEN 0x10000 /* LMAC1 */
+ #define IWL_A000_DCCM2_OFFSET 0x880000
+ #define IWL_A000_DCCM2_LEN 0x8000
+ #define IWL_A000_SMEM_OFFSET 0x400000
+-#define IWL_A000_SMEM_LEN 0x68000
++#define IWL_A000_SMEM_LEN 0xD0000
+
+ #define IWL_A000_FW_PRE "iwlwifi-Qu-a0-jf-b0-"
+ #define IWL_A000_MODULE_FIRMWARE(api) \
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Mon, 13 Feb 2017 11:29:16 +0200
+Subject: iwlwifi: split the handler and the wake parts of the notification infra
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+
+[ Upstream commit 2220fb2960b72915e7fd9da640a4695dceff238c ]
+
+The notification infrastructure (iwl_notification_wait_*
+functions) allows to wait until a list of notifications
+will come up from the firmware and to run a special handler
+(notif_wait handler) when those are received.
+
+The operation mode notifies the notification infrastructure
+about any Rx being received by the mean of
+iwl_notification_wait_notify() which will do two things:
+1) call the notif_wait handler
+2) wakeup the thread that was waiting for the notification
+
+Typically, only after those two steps happened, the
+operation mode will run its own handler for the notification
+that was received from the firmware. This means that the
+thread that was waiting for that notification can be
+running before the operation mode's handler was called.
+
+When the operation mode's handler is ASYNC, things get even
+worse since the thread that was waiting for the
+notification isn't even guaranteed that the ASYNC callback
+was added to async_handlers_list before it starts to run.
+This means that even calling
+iwl_mvm_wait_for_async_handlers() can't guarantee that
+absolutely everything related to that notification has run.
+The following can happen:
+
+Thread sending the command Operation mode's Rx path
+-------------------------- ------------------------
+iwl_init_notification_wait()
+iwl_mvm_send_cmd()
+ iwl_mvm_rx_common()
+ iwl_notification_wait_notify()
+iwl_mvm_wait_for_async_handlers()
+// Possibly free some data
+// structure
+ list_add_tail(async_handlers_list);
+ schedule_work(async_handlers_wk);
+ // Access the freed structure
+
+Split the 'run notif_wait's handler' and the 'wake up the
+thread' parts to fix this. This allows the operation mode
+to do the following:
+
+Thread sending the command Operation mode's Rx path
+-------------------------- ------------------------
+iwl_init_notification_wait()
+iwl_mvm_send_cmd()
+ iwl_mvm_rx_common()
+ iwl_notification_wait()
+ // Will run the notif_wait's handler
+ list_add_tail(async_handlers_list);
+ schedule_work(async_handlers_wk);
+ iwl_notification_notify()
+iwl_mvm_wait_for_async_handlers()
+
+This way, the waiter is guaranteed that all the handlers
+have been run (if SYNC), or at least enqueued (if ASYNC)
+by the time it wakes up.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/iwl-notif-wait.c | 10 +++-----
+ drivers/net/wireless/intel/iwlwifi/iwl-notif-wait.h | 25 ++++++++++++++++----
+ 2 files changed, 24 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-notif-wait.c
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-notif-wait.c
+@@ -76,8 +76,8 @@ void iwl_notification_wait_init(struct i
+ }
+ IWL_EXPORT_SYMBOL(iwl_notification_wait_init);
+
+-void iwl_notification_wait_notify(struct iwl_notif_wait_data *notif_wait,
+- struct iwl_rx_packet *pkt)
++bool iwl_notification_wait(struct iwl_notif_wait_data *notif_wait,
++ struct iwl_rx_packet *pkt)
+ {
+ bool triggered = false;
+
+@@ -118,13 +118,11 @@ void iwl_notification_wait_notify(struct
+ }
+ }
+ spin_unlock(¬if_wait->notif_wait_lock);
+-
+ }
+
+- if (triggered)
+- wake_up_all(¬if_wait->notif_waitq);
++ return triggered;
+ }
+-IWL_EXPORT_SYMBOL(iwl_notification_wait_notify);
++IWL_EXPORT_SYMBOL(iwl_notification_wait);
+
+ void iwl_abort_notification_waits(struct iwl_notif_wait_data *notif_wait)
+ {
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-notif-wait.h
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-notif-wait.h
+@@ -6,7 +6,7 @@
+ * GPL LICENSE SUMMARY
+ *
+ * Copyright(c) 2007 - 2014 Intel Corporation. All rights reserved.
+- * Copyright(c) 2015 Intel Deutschland GmbH
++ * Copyright(c) 2015 - 2017 Intel Deutschland GmbH
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+@@ -32,6 +32,7 @@
+ * BSD LICENSE
+ *
+ * Copyright(c) 2005 - 2014 Intel Corporation. All rights reserved.
++ * Copyright(c) 2015 - 2017 Intel Deutschland GmbH
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+@@ -89,10 +90,10 @@ struct iwl_notif_wait_data {
+ *
+ * This structure is not used directly, to wait for a
+ * notification declare it on the stack, and call
+- * iwlagn_init_notification_wait() with appropriate
++ * iwl_init_notification_wait() with appropriate
+ * parameters. Then do whatever will cause the ucode
+ * to notify the driver, and to wait for that then
+- * call iwlagn_wait_notification().
++ * call iwl_wait_notification().
+ *
+ * Each notification is one-shot. If at some point we
+ * need to support multi-shot notifications (which
+@@ -114,10 +115,24 @@ struct iwl_notification_wait {
+
+ /* caller functions */
+ void iwl_notification_wait_init(struct iwl_notif_wait_data *notif_data);
+-void iwl_notification_wait_notify(struct iwl_notif_wait_data *notif_data,
+- struct iwl_rx_packet *pkt);
++bool iwl_notification_wait(struct iwl_notif_wait_data *notif_data,
++ struct iwl_rx_packet *pkt);
+ void iwl_abort_notification_waits(struct iwl_notif_wait_data *notif_data);
+
++static inline void
++iwl_notification_notify(struct iwl_notif_wait_data *notif_data)
++{
++ wake_up_all(¬if_data->notif_waitq);
++}
++
++static inline void
++iwl_notification_wait_notify(struct iwl_notif_wait_data *notif_data,
++ struct iwl_rx_packet *pkt)
++{
++ if (iwl_notification_wait(notif_data, pkt))
++ iwl_notification_notify(notif_data);
++}
++
+ /* user functions */
+ void __acquires(wait_entry)
+ iwl_init_notification_wait(struct iwl_notif_wait_data *notif_data,
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Emil Tantilov <emil.s.tantilov@intel.com>
+Date: Thu, 30 Mar 2017 20:49:02 -0700
+Subject: ixgbevf: fix size of queue stats length
+
+From: Emil Tantilov <emil.s.tantilov@intel.com>
+
+
+[ Upstream commit f87fc44770f54ff1b54d44ae9cec11f10efeca02 ]
+
+IXGBEVF_QUEUE_STATS_LEN is based on ixgebvf_stats, not ixgbe_stats.
+
+This change fixes a bug where ethtool -S displayed some empty fields.
+
+Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ixgbevf/ethtool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/ixgbevf/ethtool.c
++++ b/drivers/net/ethernet/intel/ixgbevf/ethtool.c
+@@ -80,7 +80,7 @@ static struct ixgbe_stats ixgbevf_gstrin
+ #define IXGBEVF_QUEUE_STATS_LEN ( \
+ (((struct ixgbevf_adapter *)netdev_priv(netdev))->num_tx_queues + \
+ ((struct ixgbevf_adapter *)netdev_priv(netdev))->num_rx_queues) * \
+- (sizeof(struct ixgbe_stats) / sizeof(u64)))
++ (sizeof(struct ixgbevf_stats) / sizeof(u64)))
+ #define IXGBEVF_GLOBAL_STATS_LEN ARRAY_SIZE(ixgbevf_gstrings_stats)
+
+ #define IXGBEVF_STATS_LEN (IXGBEVF_GLOBAL_STATS_LEN + IXGBEVF_QUEUE_STATS_LEN)
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Jan Kara <jack@suse.cz>
+Date: Sat, 29 Apr 2017 20:12:16 -0400
+Subject: jbd2: Fix lockdep splat with generic/270 test
+
+From: Jan Kara <jack@suse.cz>
+
+
+[ Upstream commit c52c47e4b4fbe4284602fc2ccbfc4a4d8dc05b49 ]
+
+I've hit a lockdep splat with generic/270 test complaining that:
+
+3216.fsstress.b/3533 is trying to acquire lock:
+ (jbd2_handle){++++..}, at: [<ffffffff813152e0>] jbd2_log_wait_commit+0x0/0x150
+
+but task is already holding lock:
+ (jbd2_handle){++++..}, at: [<ffffffff8130bd3b>] start_this_handle+0x35b/0x850
+
+The underlying problem is that jbd2_journal_force_commit_nested()
+(called from ext4_should_retry_alloc()) may get called while a
+transaction handle is started. In such case it takes care to not wait
+for commit of the running transaction (which would deadlock) but only
+for a commit of a transaction that is already committing (which is safe
+as that doesn't wait for any filesystem locks).
+
+In fact there are also other callers of jbd2_log_wait_commit() that take
+care to pass tid of a transaction that is already committing and for
+those cases, the lockdep instrumentation is too restrictive and leading
+to false positive reports. Fix the problem by calling
+jbd2_might_wait_for_commit() from jbd2_log_wait_commit() only if the
+transaction isn't already committing.
+
+Fixes: 1eaa566d368b214d99cbb973647c1b0b8102a9ae
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jbd2/journal.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -691,8 +691,21 @@ int jbd2_log_wait_commit(journal_t *jour
+ {
+ int err = 0;
+
+- jbd2_might_wait_for_commit(journal);
+ read_lock(&journal->j_state_lock);
++#ifdef CONFIG_PROVE_LOCKING
++ /*
++ * Some callers make sure transaction is already committing and in that
++ * case we cannot block on open handles anymore. So don't warn in that
++ * case.
++ */
++ if (tid_gt(tid, journal->j_commit_sequence) &&
++ (!journal->j_committing_transaction ||
++ journal->j_committing_transaction->t_tid != tid)) {
++ read_unlock(&journal->j_state_lock);
++ jbd2_might_wait_for_commit(journal);
++ read_lock(&journal->j_state_lock);
++ }
++#endif
+ #ifdef CONFIG_JBD2_DEBUG
+ if (!tid_geq(journal->j_commit_request, tid)) {
+ printk(KERN_ERR
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+Date: Fri, 24 Mar 2017 17:48:10 +1100
+Subject: KVM: PPC: Book3S PR: Exit KVM on failed mapping
+
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+
+
+[ Upstream commit bd9166ffe624000140fc6b606b256df01fc0d060 ]
+
+At the moment kvmppc_mmu_map_page() returns -1 if
+mmu_hash_ops.hpte_insert() fails for any reason so the page fault handler
+resumes the guest and it faults on the same address again.
+
+This adds distinction to kvmppc_mmu_map_page() to return -EIO if
+mmu_hash_ops.hpte_insert() failed for a reason other than full pteg.
+At the moment only pSeries_lpar_hpte_insert() returns -2 if
+plpar_pte_enter() failed with a code other than H_PTEG_FULL.
+Other mmu_hash_ops.hpte_insert() instances can only fail with
+-1 "full pteg".
+
+With this change, if PR KVM fails to update HPT, it can signal
+the userspace about this instead of returning to guest and having
+the very same page fault over and over again.
+
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kvm/book3s_64_mmu_host.c | 5 ++++-
+ arch/powerpc/kvm/book3s_pr.c | 6 +++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kvm/book3s_64_mmu_host.c
++++ b/arch/powerpc/kvm/book3s_64_mmu_host.c
+@@ -177,12 +177,15 @@ map_again:
+ ret = mmu_hash_ops.hpte_insert(hpteg, vpn, hpaddr, rflags, vflags,
+ hpsize, hpsize, MMU_SEGSIZE_256M);
+
+- if (ret < 0) {
++ if (ret == -1) {
+ /* If we couldn't map a primary PTE, try a secondary */
+ hash = ~hash;
+ vflags ^= HPTE_V_SECONDARY;
+ attempt++;
+ goto map_again;
++ } else if (ret < 0) {
++ r = -EIO;
++ goto out_unlock;
+ } else {
+ trace_kvm_book3s_64_mmu_map(rflags, hpteg,
+ vpn, hpaddr, orig_pte);
+--- a/arch/powerpc/kvm/book3s_pr.c
++++ b/arch/powerpc/kvm/book3s_pr.c
+@@ -627,7 +627,11 @@ int kvmppc_handle_pagefault(struct kvm_r
+ kvmppc_mmu_unmap_page(vcpu, &pte);
+ }
+ /* The guest's PTE is not mapped yet. Map on the host */
+- kvmppc_mmu_map_page(vcpu, &pte, iswrite);
++ if (kvmppc_mmu_map_page(vcpu, &pte, iswrite) == -EIO) {
++ /* Exit KVM if mapping failed */
++ run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
++ return RESUME_HOST;
++ }
+ if (data)
+ vcpu->stat.sp_storage++;
+ else if (vcpu->arch.mmu.is_dcbz32(vcpu) &&
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Pan Bian <bianpan2016@163.com>
+Date: Sun, 23 Apr 2017 21:19:38 +0800
+Subject: libertas: check return value of alloc_workqueue
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit dc3f89c38a8406554ffeffa370aad086a9c5e9de ]
+
+Function alloc_workqueue() will return a NULL pointer if there is no
+enough memory, and its return value should be validated before using.
+However, in function if_spi_probe(), its return value is not checked.
+This may result in a NULL dereference bug. This patch fixes the bug.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/marvell/libertas/if_spi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/marvell/libertas/if_spi.c
++++ b/drivers/net/wireless/marvell/libertas/if_spi.c
+@@ -1181,6 +1181,10 @@ static int if_spi_probe(struct spi_devic
+
+ /* Initialize interrupt handling stuff. */
+ card->workqueue = alloc_workqueue("libertas_spi", WQ_MEM_RECLAIM, 0);
++ if (!card->workqueue) {
++ err = -ENOMEM;
++ goto remove_card;
++ }
+ INIT_WORK(&card->packet_work, if_spi_host_to_card_worker);
+ INIT_WORK(&card->resume_work, if_spi_resume_worker);
+
+@@ -1209,6 +1213,7 @@ release_irq:
+ free_irq(spi->irq, card);
+ terminate_workqueue:
+ destroy_workqueue(card->workqueue);
++remove_card:
+ lbs_remove_card(priv); /* will call free_netdev */
+ free_card:
+ free_if_spi_card(card);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Wed, 26 Apr 2017 10:58:51 +0300
+Subject: mac80211: don't parse encrypted management frames in ieee80211_frame_acked
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+
+[ Upstream commit cf147085fdda044622973a12e4e06f1c753ab677 ]
+
+ieee80211_frame_acked is called when a frame is acked by
+the peer. In case this is a management frame, we check
+if this an SMPS frame, in which case we can update our
+antenna configuration.
+
+When we parse the management frame we look at the category
+in case it is an action frame. That byte sits after the IV
+in case the frame was encrypted. This means that if the
+frame was encrypted, we basically look at the IV instead
+of looking at the category. It is then theorically
+possible that we think that an SMPS action frame was acked
+where really we had another frame that was encrypted.
+
+Since the only management frame whose ack needs to be
+tracked is the SMPS action frame, and that frame is not
+a robust management frame, it will never be encrypted.
+The easiest way to fix this problem is then to not look
+at frames that were encrypted.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/status.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/mac80211/status.c
++++ b/net/mac80211/status.c
+@@ -200,6 +200,7 @@ static void ieee80211_frame_acked(struct
+ }
+
+ if (ieee80211_is_action(mgmt->frame_control) &&
++ !ieee80211_has_protected(mgmt->frame_control) &&
+ mgmt->u.action.category == WLAN_CATEGORY_HT &&
+ mgmt->u.action.u.ht_smps.action == WLAN_HT_ACTION_SMPS &&
+ ieee80211_sdata_running(sdata)) {
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
+Date: Thu, 27 Apr 2017 12:45:38 +0530
+Subject: mac80211: Fix possible sband related NULL pointer de-reference
+
+From: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
+
+
+[ Upstream commit 21a8e9dd52b64f0170bad208293ef8c30c3c1403 ]
+
+Existing API 'ieee80211_get_sdata_band' returns default 2 GHz band even
+if the channel context configuration is NULL. This crashes for chipsets
+which support 5 Ghz alone when it tries to access members of 'sband'.
+Channel context configuration can be NULL in multivif case and when
+channel switch is in progress (or) when it fails. Fix this by replacing
+the API 'ieee80211_get_sdata_band' with 'ieee80211_get_sband' which
+returns a NULL pointer for sband when the channel configuration is NULL.
+
+An example scenario is as below:
+
+In multivif mode (AP + STA) with drivers like ath10k, when we do a
+channel switch in the AP vif (which has a number of clients connected)
+and a STA vif which is connected to some other AP, when the channel
+switch in AP vif fails, while the STA vifs tries to connect to the
+other AP, there is a window where the channel context is NULL/invalid
+and this results in a crash while the clients connected to the AP vif
+tries to reconnect and this race is very similar to the one investigated
+by Michal in https://patchwork.kernel.org/patch/3788161/ and this does
+happens with hardware that supports 5Ghz alone after long hours of
+testing with continuous channel switch on the AP vif
+
+ieee80211 phy0: channel context reservation cannot be finalized because
+some interfaces aren't switching
+wlan0: failed to finalize CSA, disconnecting
+wlan0-1: deauthenticating from 8c:fd:f0:01:54:9c by local choice
+ (Reason: 3=DEAUTH_LEAVING)
+
+ WARNING: CPU: 1 PID: 19032 at net/mac80211/ieee80211_i.h:1013 sta_info_alloc+0x374/0x3fc [mac80211]
+ [<bf77272c>] (sta_info_alloc [mac80211])
+ [<bf78776c>] (ieee80211_add_station [mac80211]))
+ [<bf73cc50>] (nl80211_new_station [cfg80211])
+
+ Unable to handle kernel NULL pointer dereference at virtual
+ address 00000014
+ pgd = d5f4c000
+ Internal error: Oops: 17 [#1] PREEMPT SMP ARM
+ PC is at sta_info_alloc+0x380/0x3fc [mac80211]
+ LR is at sta_info_alloc+0x37c/0x3fc [mac80211]
+ [<bf772738>] (sta_info_alloc [mac80211])
+ [<bf78776c>] (ieee80211_add_station [mac80211])
+ [<bf73cc50>] (nl80211_new_station [cfg80211]))
+
+Cc: Michal Kazior <michal.kazior@tieto.com>
+Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/cfg.c | 30 +++++++++++++++++-------------
+ net/mac80211/ibss.c | 6 +++++-
+ net/mac80211/ieee80211_i.h | 36 +++++++++++++++++++++---------------
+ net/mac80211/mesh.c | 29 ++++++++++++++++++++---------
+ net/mac80211/mesh_plink.c | 37 ++++++++++++++++++++++++++-----------
+ net/mac80211/mlme.c | 14 ++++++++++++--
+ net/mac80211/rate.c | 4 +++-
+ net/mac80211/sta_info.c | 13 +++++++++----
+ net/mac80211/tdls.c | 29 +++++++++++++++++++----------
+ net/mac80211/tx.c | 5 ++++-
+ net/mac80211/util.c | 6 +++---
+ 11 files changed, 139 insertions(+), 70 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -620,10 +620,11 @@ void sta_set_rate_info_tx(struct sta_inf
+ int shift = ieee80211_vif_get_shift(&sta->sdata->vif);
+ u16 brate;
+
+- sband = sta->local->hw.wiphy->bands[
+- ieee80211_get_sdata_band(sta->sdata)];
+- brate = sband->bitrates[rate->idx].bitrate;
+- rinfo->legacy = DIV_ROUND_UP(brate, 1 << shift);
++ sband = ieee80211_get_sband(sta->sdata);
++ if (sband) {
++ brate = sband->bitrates[rate->idx].bitrate;
++ rinfo->legacy = DIV_ROUND_UP(brate, 1 << shift);
++ }
+ }
+ if (rate->flags & IEEE80211_TX_RC_40_MHZ_WIDTH)
+ rinfo->bw = RATE_INFO_BW_40;
+@@ -1218,10 +1219,11 @@ static int sta_apply_parameters(struct i
+ int ret = 0;
+ struct ieee80211_supported_band *sband;
+ struct ieee80211_sub_if_data *sdata = sta->sdata;
+- enum nl80211_band band = ieee80211_get_sdata_band(sdata);
+ u32 mask, set;
+
+- sband = local->hw.wiphy->bands[band];
++ sband = ieee80211_get_sband(sdata);
++ if (!sband)
++ return -EINVAL;
+
+ mask = params->sta_flags_mask;
+ set = params->sta_flags_set;
+@@ -1354,7 +1356,7 @@ static int sta_apply_parameters(struct i
+ ieee80211_parse_bitrates(&sdata->vif.bss_conf.chandef,
+ sband, params->supported_rates,
+ params->supported_rates_len,
+- &sta->sta.supp_rates[band]);
++ &sta->sta.supp_rates[sband->band]);
+ }
+
+ if (params->ht_capa)
+@@ -1370,8 +1372,8 @@ static int sta_apply_parameters(struct i
+ /* returned value is only needed for rc update, but the
+ * rc isn't initialized here yet, so ignore it
+ */
+- __ieee80211_vht_handle_opmode(sdata, sta,
+- params->opmode_notif, band);
++ __ieee80211_vht_handle_opmode(sdata, sta, params->opmode_notif,
++ sband->band);
+ }
+
+ if (params->support_p2p_ps >= 0)
+@@ -2017,13 +2019,15 @@ static int ieee80211_change_bss(struct w
+ struct bss_parameters *params)
+ {
+ struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+- enum nl80211_band band;
++ struct ieee80211_supported_band *sband;
+ u32 changed = 0;
+
+ if (!sdata_dereference(sdata->u.ap.beacon, sdata))
+ return -ENOENT;
+
+- band = ieee80211_get_sdata_band(sdata);
++ sband = ieee80211_get_sband(sdata);
++ if (!sband)
++ return -EINVAL;
+
+ if (params->use_cts_prot >= 0) {
+ sdata->vif.bss_conf.use_cts_prot = params->use_cts_prot;
+@@ -2036,7 +2040,7 @@ static int ieee80211_change_bss(struct w
+ }
+
+ if (!sdata->vif.bss_conf.use_short_slot &&
+- band == NL80211_BAND_5GHZ) {
++ sband->band == NL80211_BAND_5GHZ) {
+ sdata->vif.bss_conf.use_short_slot = true;
+ changed |= BSS_CHANGED_ERP_SLOT;
+ }
+@@ -2049,7 +2053,7 @@ static int ieee80211_change_bss(struct w
+
+ if (params->basic_rates) {
+ ieee80211_parse_bitrates(&sdata->vif.bss_conf.chandef,
+- wiphy->bands[band],
++ wiphy->bands[sband->band],
+ params->basic_rates,
+ params->basic_rates_len,
+ &sdata->vif.bss_conf.basic_rates);
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -994,7 +994,7 @@ static void ieee80211_update_sta_info(st
+ enum nl80211_band band = rx_status->band;
+ enum nl80211_bss_scan_width scan_width;
+ struct ieee80211_local *local = sdata->local;
+- struct ieee80211_supported_band *sband = local->hw.wiphy->bands[band];
++ struct ieee80211_supported_band *sband;
+ bool rates_updated = false;
+ u32 supp_rates = 0;
+
+@@ -1004,6 +1004,10 @@ static void ieee80211_update_sta_info(st
+ if (!ether_addr_equal(mgmt->bssid, sdata->u.ibss.bssid))
+ return;
+
++ sband = local->hw.wiphy->bands[band];
++ if (WARN_ON(!sband))
++ return;
++
+ rcu_read_lock();
+ sta = sta_info_get(sdata, mgmt->sa);
+
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -991,21 +991,6 @@ sdata_assert_lock(struct ieee80211_sub_i
+ lockdep_assert_held(&sdata->wdev.mtx);
+ }
+
+-static inline enum nl80211_band
+-ieee80211_get_sdata_band(struct ieee80211_sub_if_data *sdata)
+-{
+- enum nl80211_band band = NL80211_BAND_2GHZ;
+- struct ieee80211_chanctx_conf *chanctx_conf;
+-
+- rcu_read_lock();
+- chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+- if (!WARN_ON(!chanctx_conf))
+- band = chanctx_conf->def.chan->band;
+- rcu_read_unlock();
+-
+- return band;
+-}
+-
+ static inline int
+ ieee80211_chandef_get_shift(struct cfg80211_chan_def *chandef)
+ {
+@@ -1410,6 +1395,27 @@ IEEE80211_WDEV_TO_SUB_IF(struct wireless
+ return container_of(wdev, struct ieee80211_sub_if_data, wdev);
+ }
+
++static inline struct ieee80211_supported_band *
++ieee80211_get_sband(struct ieee80211_sub_if_data *sdata)
++{
++ struct ieee80211_local *local = sdata->local;
++ struct ieee80211_chanctx_conf *chanctx_conf;
++ enum nl80211_band band;
++
++ rcu_read_lock();
++ chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
++
++ if (WARN_ON(!chanctx_conf)) {
++ rcu_read_unlock();
++ return NULL;
++ }
++
++ band = chanctx_conf->def.chan->band;
++ rcu_read_unlock();
++
++ return local->hw.wiphy->bands[band];
++}
++
+ /* this struct represents 802.11n's RA/TID combination */
+ struct ieee80211_ra_tid {
+ u8 ra[ETH_ALEN];
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -63,6 +63,7 @@ bool mesh_matches_local(struct ieee80211
+ struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
+ u32 basic_rates = 0;
+ struct cfg80211_chan_def sta_chan_def;
++ struct ieee80211_supported_band *sband;
+
+ /*
+ * As support for each feature is added, check for matching
+@@ -83,7 +84,11 @@ bool mesh_matches_local(struct ieee80211
+ (ifmsh->mesh_auth_id == ie->mesh_config->meshconf_auth)))
+ return false;
+
+- ieee80211_sta_get_rates(sdata, ie, ieee80211_get_sdata_band(sdata),
++ sband = ieee80211_get_sband(sdata);
++ if (!sband)
++ return false;
++
++ ieee80211_sta_get_rates(sdata, ie, sband->band,
+ &basic_rates);
+
+ if (sdata->vif.bss_conf.basic_rates != basic_rates)
+@@ -399,12 +404,13 @@ static int mesh_add_ds_params_ie(struct
+ int mesh_add_ht_cap_ie(struct ieee80211_sub_if_data *sdata,
+ struct sk_buff *skb)
+ {
+- struct ieee80211_local *local = sdata->local;
+- enum nl80211_band band = ieee80211_get_sdata_band(sdata);
+ struct ieee80211_supported_band *sband;
+ u8 *pos;
+
+- sband = local->hw.wiphy->bands[band];
++ sband = ieee80211_get_sband(sdata);
++ if (!sband)
++ return -EINVAL;
++
+ if (!sband->ht_cap.ht_supported ||
+ sdata->vif.bss_conf.chandef.width == NL80211_CHAN_WIDTH_20_NOHT ||
+ sdata->vif.bss_conf.chandef.width == NL80211_CHAN_WIDTH_5 ||
+@@ -462,12 +468,13 @@ int mesh_add_ht_oper_ie(struct ieee80211
+ int mesh_add_vht_cap_ie(struct ieee80211_sub_if_data *sdata,
+ struct sk_buff *skb)
+ {
+- struct ieee80211_local *local = sdata->local;
+- enum nl80211_band band = ieee80211_get_sdata_band(sdata);
+ struct ieee80211_supported_band *sband;
+ u8 *pos;
+
+- sband = local->hw.wiphy->bands[band];
++ sband = ieee80211_get_sband(sdata);
++ if (!sband)
++ return -EINVAL;
++
+ if (!sband->vht_cap.vht_supported ||
+ sdata->vif.bss_conf.chandef.width == NL80211_CHAN_WIDTH_20_NOHT ||
+ sdata->vif.bss_conf.chandef.width == NL80211_CHAN_WIDTH_5 ||
+@@ -916,12 +923,16 @@ ieee80211_mesh_process_chnswitch(struct
+ struct cfg80211_csa_settings params;
+ struct ieee80211_csa_ie csa_ie;
+ struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
+- enum nl80211_band band = ieee80211_get_sdata_band(sdata);
++ struct ieee80211_supported_band *sband;
+ int err;
+ u32 sta_flags;
+
+ sdata_assert_lock(sdata);
+
++ sband = ieee80211_get_sband(sdata);
++ if (!sband)
++ return false;
++
+ sta_flags = IEEE80211_STA_DISABLE_VHT;
+ switch (sdata->vif.bss_conf.chandef.width) {
+ case NL80211_CHAN_WIDTH_20_NOHT:
+@@ -935,7 +946,7 @@ ieee80211_mesh_process_chnswitch(struct
+
+ memset(¶ms, 0, sizeof(params));
+ memset(&csa_ie, 0, sizeof(csa_ie));
+- err = ieee80211_parse_ch_switch_ie(sdata, elems, band,
++ err = ieee80211_parse_ch_switch_ie(sdata, elems, sband->band,
+ sta_flags, sdata->vif.addr,
+ &csa_ie);
+ if (err < 0)
+--- a/net/mac80211/mesh_plink.c
++++ b/net/mac80211/mesh_plink.c
+@@ -93,19 +93,23 @@ static inline void mesh_plink_fsm_restar
+ static u32 mesh_set_short_slot_time(struct ieee80211_sub_if_data *sdata)
+ {
+ struct ieee80211_local *local = sdata->local;
+- enum nl80211_band band = ieee80211_get_sdata_band(sdata);
+- struct ieee80211_supported_band *sband = local->hw.wiphy->bands[band];
++ struct ieee80211_supported_band *sband;
+ struct sta_info *sta;
+ u32 erp_rates = 0, changed = 0;
+ int i;
+ bool short_slot = false;
+
+- if (band == NL80211_BAND_5GHZ) {
++ sband = ieee80211_get_sband(sdata);
++ if (!sband)
++ return changed;
++
++ if (sband->band == NL80211_BAND_5GHZ) {
+ /* (IEEE 802.11-2012 19.4.5) */
+ short_slot = true;
+ goto out;
+- } else if (band != NL80211_BAND_2GHZ)
++ } else if (sband->band != NL80211_BAND_2GHZ) {
+ goto out;
++ }
+
+ for (i = 0; i < sband->n_bitrates; i++)
+ if (sband->bitrates[i].flags & IEEE80211_RATE_ERP_G)
+@@ -121,7 +125,7 @@ static u32 mesh_set_short_slot_time(stru
+ continue;
+
+ short_slot = false;
+- if (erp_rates & sta->sta.supp_rates[band])
++ if (erp_rates & sta->sta.supp_rates[sband->band])
+ short_slot = true;
+ else
+ break;
+@@ -247,7 +251,15 @@ static int mesh_plink_frame_tx(struct ie
+ mgmt->u.action.u.self_prot.action_code = action;
+
+ if (action != WLAN_SP_MESH_PEERING_CLOSE) {
+- enum nl80211_band band = ieee80211_get_sdata_band(sdata);
++ struct ieee80211_supported_band *sband;
++ enum nl80211_band band;
++
++ sband = ieee80211_get_sband(sdata);
++ if (!sband) {
++ err = -EINVAL;
++ goto free;
++ }
++ band = sband->band;
+
+ /* capability info */
+ pos = skb_put(skb, 2);
+@@ -393,13 +405,16 @@ static void mesh_sta_info_init(struct ie
+ struct ieee802_11_elems *elems, bool insert)
+ {
+ struct ieee80211_local *local = sdata->local;
+- enum nl80211_band band = ieee80211_get_sdata_band(sdata);
+ struct ieee80211_supported_band *sband;
+ u32 rates, basic_rates = 0, changed = 0;
+ enum ieee80211_sta_rx_bandwidth bw = sta->sta.bandwidth;
+
+- sband = local->hw.wiphy->bands[band];
+- rates = ieee80211_sta_get_rates(sdata, elems, band, &basic_rates);
++ sband = ieee80211_get_sband(sdata);
++ if (!sband)
++ return;
++
++ rates = ieee80211_sta_get_rates(sdata, elems, sband->band,
++ &basic_rates);
+
+ spin_lock_bh(&sta->mesh->plink_lock);
+ sta->rx_stats.last_rx = jiffies;
+@@ -410,9 +425,9 @@ static void mesh_sta_info_init(struct ie
+ goto out;
+ sta->mesh->processed_beacon = true;
+
+- if (sta->sta.supp_rates[band] != rates)
++ if (sta->sta.supp_rates[sband->band] != rates)
+ changed |= IEEE80211_RC_SUPP_RATES_CHANGED;
+- sta->sta.supp_rates[band] = rates;
++ sta->sta.supp_rates[sband->band] = rates;
+
+ if (ieee80211_ht_cap_ie_to_sta_ht_cap(sdata, sband,
+ elems->ht_cap_elem, sta))
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1851,11 +1851,16 @@ static u32 ieee80211_handle_bss_capabili
+ u16 capab, bool erp_valid, u8 erp)
+ {
+ struct ieee80211_bss_conf *bss_conf = &sdata->vif.bss_conf;
++ struct ieee80211_supported_band *sband;
+ u32 changed = 0;
+ bool use_protection;
+ bool use_short_preamble;
+ bool use_short_slot;
+
++ sband = ieee80211_get_sband(sdata);
++ if (!sband)
++ return changed;
++
+ if (erp_valid) {
+ use_protection = (erp & WLAN_ERP_USE_PROTECTION) != 0;
+ use_short_preamble = (erp & WLAN_ERP_BARKER_PREAMBLE) == 0;
+@@ -1865,7 +1870,7 @@ static u32 ieee80211_handle_bss_capabili
+ }
+
+ use_short_slot = !!(capab & WLAN_CAPABILITY_SHORT_SLOT_TIME);
+- if (ieee80211_get_sdata_band(sdata) == NL80211_BAND_5GHZ)
++ if (sband->band == NL80211_BAND_5GHZ)
+ use_short_slot = true;
+
+ if (use_protection != bss_conf->use_cts_prot) {
+@@ -2994,7 +2999,12 @@ static bool ieee80211_assoc_success(stru
+ goto out;
+ }
+
+- sband = local->hw.wiphy->bands[ieee80211_get_sdata_band(sdata)];
++ sband = ieee80211_get_sband(sdata);
++ if (!sband) {
++ mutex_unlock(&sdata->local->sta_mtx);
++ ret = false;
++ goto out;
++ }
+
+ /* Set up internal HT/VHT capabilities */
+ if (elems.ht_cap_elem && !(ifmgd->flags & IEEE80211_STA_DISABLE_HT))
+--- a/net/mac80211/rate.c
++++ b/net/mac80211/rate.c
+@@ -875,7 +875,9 @@ int rate_control_set_rates(struct ieee80
+ struct ieee80211_sta_rates *old;
+ struct ieee80211_supported_band *sband;
+
+- sband = hw->wiphy->bands[ieee80211_get_sdata_band(sta->sdata)];
++ sband = ieee80211_get_sband(sta->sdata);
++ if (!sband)
++ return -EINVAL;
+ rate_control_apply_mask_ratetbl(sta, sband, rates);
+ /*
+ * mac80211 guarantees that this function will not be called
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -395,10 +395,15 @@ struct sta_info *sta_info_alloc(struct i
+ sta->sta.smps_mode = IEEE80211_SMPS_OFF;
+ if (sdata->vif.type == NL80211_IFTYPE_AP ||
+ sdata->vif.type == NL80211_IFTYPE_AP_VLAN) {
+- struct ieee80211_supported_band *sband =
+- hw->wiphy->bands[ieee80211_get_sdata_band(sdata)];
+- u8 smps = (sband->ht_cap.cap & IEEE80211_HT_CAP_SM_PS) >>
+- IEEE80211_HT_CAP_SM_PS_SHIFT;
++ struct ieee80211_supported_band *sband;
++ u8 smps;
++
++ sband = ieee80211_get_sband(sdata);
++ if (!sband)
++ goto free_txq;
++
++ smps = (sband->ht_cap.cap & IEEE80211_HT_CAP_SM_PS) >>
++ IEEE80211_HT_CAP_SM_PS_SHIFT;
+ /*
+ * Assume that hostapd advertises our caps in the beacon and
+ * this is the known_smps_mode for a station that just assciated
+--- a/net/mac80211/tdls.c
++++ b/net/mac80211/tdls.c
+@@ -47,8 +47,7 @@ static void ieee80211_tdls_add_ext_capab
+ NL80211_FEATURE_TDLS_CHANNEL_SWITCH;
+ bool wider_band = ieee80211_hw_check(&local->hw, TDLS_WIDER_BW) &&
+ !ifmgd->tdls_wider_bw_prohibited;
+- enum nl80211_band band = ieee80211_get_sdata_band(sdata);
+- struct ieee80211_supported_band *sband = local->hw.wiphy->bands[band];
++ struct ieee80211_supported_band *sband = ieee80211_get_sband(sdata);
+ bool vht = sband && sband->vht_cap.vht_supported;
+ u8 *pos = (void *)skb_put(skb, 10);
+
+@@ -180,11 +179,14 @@ static void ieee80211_tdls_add_bss_coex_
+ static u16 ieee80211_get_tdls_sta_capab(struct ieee80211_sub_if_data *sdata,
+ u16 status_code)
+ {
++ struct ieee80211_supported_band *sband;
++
+ /* The capability will be 0 when sending a failure code */
+ if (status_code != 0)
+ return 0;
+
+- if (ieee80211_get_sdata_band(sdata) == NL80211_BAND_2GHZ) {
++ sband = ieee80211_get_sband(sdata);
++ if (sband && sband->band == NL80211_BAND_2GHZ) {
+ return WLAN_CAPABILITY_SHORT_SLOT_TIME |
+ WLAN_CAPABILITY_SHORT_PREAMBLE;
+ }
+@@ -358,17 +360,20 @@ ieee80211_tdls_add_setup_start_ies(struc
+ u8 action_code, bool initiator,
+ const u8 *extra_ies, size_t extra_ies_len)
+ {
+- enum nl80211_band band = ieee80211_get_sdata_band(sdata);
+- struct ieee80211_local *local = sdata->local;
+ struct ieee80211_supported_band *sband;
++ struct ieee80211_local *local = sdata->local;
+ struct ieee80211_sta_ht_cap ht_cap;
+ struct ieee80211_sta_vht_cap vht_cap;
+ struct sta_info *sta = NULL;
+ size_t offset = 0, noffset;
+ u8 *pos;
+
+- ieee80211_add_srates_ie(sdata, skb, false, band);
+- ieee80211_add_ext_srates_ie(sdata, skb, false, band);
++ sband = ieee80211_get_sband(sdata);
++ if (!sband)
++ return;
++
++ ieee80211_add_srates_ie(sdata, skb, false, sband->band);
++ ieee80211_add_ext_srates_ie(sdata, skb, false, sband->band);
+ ieee80211_tdls_add_supp_channels(sdata, skb);
+
+ /* add any custom IEs that go before Extended Capabilities */
+@@ -439,7 +444,6 @@ ieee80211_tdls_add_setup_start_ies(struc
+ * the same on all bands. The specification limits the setup to a
+ * single HT-cap, so use the current band for now.
+ */
+- sband = local->hw.wiphy->bands[band];
+ memcpy(&ht_cap, &sband->ht_cap, sizeof(ht_cap));
+
+ if ((action_code == WLAN_TDLS_SETUP_REQUEST ||
+@@ -545,9 +549,13 @@ ieee80211_tdls_add_setup_cfm_ies(struct
+ struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
+ size_t offset = 0, noffset;
+ struct sta_info *sta, *ap_sta;
+- enum nl80211_band band = ieee80211_get_sdata_band(sdata);
++ struct ieee80211_supported_band *sband;
+ u8 *pos;
+
++ sband = ieee80211_get_sband(sdata);
++ if (!sband)
++ return;
++
+ mutex_lock(&local->sta_mtx);
+
+ sta = sta_info_get(sdata, peer);
+@@ -612,7 +620,8 @@ ieee80211_tdls_add_setup_cfm_ies(struct
+ ieee80211_tdls_add_link_ie(sdata, skb, peer, initiator);
+
+ /* only include VHT-operation if not on the 2.4GHz band */
+- if (band != NL80211_BAND_2GHZ && sta->sta.vht_cap.vht_supported) {
++ if (sband->band != NL80211_BAND_2GHZ &&
++ sta->sta.vht_cap.vht_supported) {
+ /*
+ * if both peers support WIDER_BW, we can expand the chandef to
+ * a wider compatible one, up to 80MHz
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -4182,7 +4182,10 @@ struct sk_buff *ieee80211_beacon_get_tim
+ return bcn;
+
+ shift = ieee80211_vif_get_shift(vif);
+- sband = hw->wiphy->bands[ieee80211_get_sdata_band(vif_to_sdata(vif))];
++ sband = ieee80211_get_sband(vif_to_sdata(vif));
++ if (!sband)
++ return bcn;
++
+ ieee80211_tx_monitor(hw_to_local(hw), copy, sband, 1, shift, false);
+
+ return bcn;
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -1590,14 +1590,14 @@ u32 ieee80211_sta_get_rates(struct ieee8
+ size_t num_rates;
+ u32 supp_rates, rate_flags;
+ int i, j, shift;
++
+ sband = sdata->local->hw.wiphy->bands[band];
++ if (WARN_ON(!sband))
++ return 1;
+
+ rate_flags = ieee80211_chandef_rate_flags(&sdata->vif.bss_conf.chandef);
+ shift = ieee80211_vif_get_shift(&sdata->vif);
+
+- if (WARN_ON(!sband))
+- return 1;
+-
+ num_rates = sband->n_bitrates;
+ supp_rates = 0;
+ for (i = 0; i < elems->supp_rates_len +
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Shaohua Li <shli@fb.com>
+Date: Mon, 1 May 2017 12:15:07 -0700
+Subject: md/raid10: skip spare disk as 'first' disk
+
+From: Shaohua Li <shli@fb.com>
+
+
+[ Upstream commit b506335e5d2b4ec687dde392a3bdbf7601778f1d ]
+
+Commit 6f287ca(md/raid10: reset the 'first' at the end of loop) ignores
+a case in reshape, the first rdev could be a spare disk, which shouldn't
+be accounted as the first disk since it doesn't include the offset info.
+
+Fix: 6f287ca(md/raid10: reset the 'first' at the end of loop)
+Cc: Guoqing Jiang <gqjiang@suse.com>
+Cc: NeilBrown <neilb@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid10.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -4089,6 +4089,7 @@ static int raid10_start_reshape(struct m
+ diff = 0;
+ if (first || diff < min_offset_diff)
+ min_offset_diff = diff;
++ first = 0;
+ }
+ }
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Guoqing Jiang <gqjiang@suse.com>
+Date: Mon, 17 Apr 2017 17:11:05 +0800
+Subject: md/raid10: wait up frozen array in handle_write_completed
+
+From: Guoqing Jiang <gqjiang@suse.com>
+
+
+[ Upstream commit cf25ae78fc50010f66b9be945017796da34c434d ]
+
+Since nr_queued is changed, we need to call wake_up here
+if the array is already frozen and waiting for condition
+"nr_pending == nr_queued + extra" to be true.
+
+And commit 824e47daddbf ("RAID1: avoid unnecessary spin
+locks in I/O barrier code") which has already added the
+wake_up for raid1.
+
+Signed-off-by: Guoqing Jiang <gqjiang@suse.com>
+Reviewed-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid10.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -2704,6 +2704,11 @@ static void handle_write_completed(struc
+ list_add(&r10_bio->retry_list, &conf->bio_end_io_list);
+ conf->nr_queued++;
+ spin_unlock_irq(&conf->device_lock);
++ /*
++ * In case freeze_array() is waiting for condition
++ * nr_pending == nr_queued + extra to be true.
++ */
++ wake_up(&conf->wait_barrier);
+ md_wakeup_thread(conf->mddev->thread);
+ } else {
+ if (test_bit(R10BIO_WriteError,
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Thu, 21 Sep 2017 19:23:56 -0400
+Subject: media: bt8xx: Fix err 'bt878_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit 45392ff6881dbe56d41ef0b17c2e576065f8ffa1 ]
+
+This is odd to call 'pci_disable_device()' in an error path before a
+coresponding successful 'pci_enable_device()'.
+
+Return directly instead.
+
+Fixes: 77e0be12100a ("V4L/DVB (4176): Bug-fix: Fix memory overflow")
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/pci/bt8xx/bt878.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/media/pci/bt8xx/bt878.c
++++ b/drivers/media/pci/bt8xx/bt878.c
+@@ -422,8 +422,7 @@ static int bt878_probe(struct pci_dev *d
+ bt878_num);
+ if (bt878_num >= BT878_MAX) {
+ printk(KERN_ERR "bt878: Too many devices inserted\n");
+- result = -ENOMEM;
+- goto fail0;
++ return -ENOMEM;
+ }
+ if (pci_enable_device(dev))
+ return -EIO;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+Date: Mon, 20 Nov 2017 09:00:55 -0500
+Subject: media: c8sectpfe: fix potential NULL pointer dereference in c8sectpfe_timer_interrupt
+
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+
+
+[ Upstream commit baed3c4bc4c13de93e0dba0a26d601411ebcb389 ]
+
+_channel_ is being dereferenced before it is null checked, hence there is a
+potential null pointer dereference. Fix this by moving the pointer dereference
+after _channel_ has been null checked.
+
+This issue was detected with the help of Coccinelle.
+
+Fixes: c5f5d0f99794 ("[media] c8sectpfe: STiH407/10 Linux DVB demux support")
+
+Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
+Acked-by: Patrice Chotard <patrice.chotard@st.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
++++ b/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
+@@ -83,7 +83,7 @@ static void c8sectpfe_timer_interrupt(un
+ static void channel_swdemux_tsklet(unsigned long data)
+ {
+ struct channel_info *channel = (struct channel_info *)data;
+- struct c8sectpfei *fei = channel->fei;
++ struct c8sectpfei *fei;
+ unsigned long wp, rp;
+ int pos, num_packets, n, size;
+ u8 *buf;
+@@ -91,6 +91,8 @@ static void channel_swdemux_tsklet(unsig
+ if (unlikely(!channel || !channel->irec))
+ return;
+
++ fei = channel->fei;
++
+ wp = readl(channel->irec + DMA_PRDS_BUSWP_TP(0));
+ rp = readl(channel->irec + DMA_PRDS_BUSRP_TP(0));
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Jasmin J <jasmin@anw.at>
+Date: Fri, 17 Mar 2017 23:04:20 -0300
+Subject: [media] media/dvb-core: Race condition when writing to CAM
+
+From: Jasmin J <jasmin@anw.at>
+
+
+[ Upstream commit e7080d4471d805d921a9ea21b32f911a91e248cb ]
+
+It started with a sporadic message in syslog: "CAM tried to send a
+buffer larger than the ecount size" This message is not the fault
+itself, but a consecutive fault, after a read error from the CAM. This
+happens only on several CAMs, several hardware, and of course sporadic.
+
+It is a consecutive fault, if the last read from the CAM did fail. I
+guess this will not happen on all CAMs, but at least it did on mine.
+There was a write error to the CAM and during the re-initialization
+procedure, the CAM finished the last read, although it got a RS.
+
+The write error to the CAM happened because a race condition between HC
+write, checking DA and FR.
+
+This patch added an additional check for DA(RE), just after checking FR.
+It is important to read the CAMs status register again, to give the CAM
+the necessary time for a proper reaction to HC. Please note the
+description within the source code (patch below).
+
+[mchehab@s-opensource.com: make checkpatch happy]
+
+Signed-off-by: Jasmin jessich <jasmin@anw.at>
+Tested-by: Ralph Metzler <rjkm@metzlerbros.de>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-core/dvb_ca_en50221.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/drivers/media/dvb-core/dvb_ca_en50221.c
++++ b/drivers/media/dvb-core/dvb_ca_en50221.c
+@@ -779,6 +779,29 @@ static int dvb_ca_en50221_write_data(str
+ goto exit;
+ }
+
++ /*
++ * It may need some time for the CAM to settle down, or there might
++ * be a race condition between the CAM, writing HC and our last
++ * check for DA. This happens, if the CAM asserts DA, just after
++ * checking DA before we are setting HC. In this case it might be
++ * a bug in the CAM to keep the FR bit, the lower layer/HW
++ * communication requires a longer timeout or the CAM needs more
++ * time internally. But this happens in reality!
++ * We need to read the status from the HW again and do the same
++ * we did for the previous check for DA
++ */
++ status = ca->pub->read_cam_control(ca->pub, slot, CTRLIF_STATUS);
++ if (status < 0)
++ goto exit;
++
++ if (status & (STATUSREG_DA | STATUSREG_RE)) {
++ if (status & STATUSREG_DA)
++ dvb_ca_en50221_thread_wakeup(ca);
++
++ status = -EAGAIN;
++ goto exit;
++ }
++
+ /* send the amount of data */
+ if ((status = ca->pub->write_cam_control(ca->pub, slot, CTRLIF_SIZE_HIGH, bytes_write >> 8)) != 0)
+ goto exit;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Ron Economos <w6rz@comcast.net>
+Date: Mon, 11 Dec 2017 19:51:53 -0500
+Subject: media: [RESEND] media: dvb-frontends: Add delay to Si2168 restart
+
+From: Ron Economos <w6rz@comcast.net>
+
+
+[ Upstream commit 380a6c86457573aa42d27ae11e025eb25941a0b7 ]
+
+On faster CPUs a delay is required after the resume command and the restart command. Without the delay, the restart command often returns -EREMOTEIO and the Si2168 does not restart.
+
+Note that this patch fixes the same issue as https://patchwork.linuxtv.org/patch/44304/, but I believe my udelay() fix addresses the actual problem.
+
+Signed-off-by: Ron Economos <w6rz@comcast.net>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-frontends/si2168.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/dvb-frontends/si2168.c
++++ b/drivers/media/dvb-frontends/si2168.c
+@@ -14,6 +14,8 @@
+ * GNU General Public License for more details.
+ */
+
++#include <linux/delay.h>
++
+ #include "si2168_priv.h"
+
+ static const struct dvb_frontend_ops si2168_ops;
+@@ -378,6 +380,7 @@ static int si2168_init(struct dvb_fronte
+ if (ret)
+ goto err;
+
++ udelay(100);
+ memcpy(cmd.args, "\x85", 1);
+ cmd.wlen = 1;
+ cmd.rlen = 1;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Keerthy <j-keerthy@ti.com>
+Date: Thu, 10 Nov 2016 10:39:18 +0530
+Subject: mfd: palmas: Reset the POWERHOLD mux during power off
+
+From: Keerthy <j-keerthy@ti.com>
+
+
+[ Upstream commit 85fdaf8eb9bbec1f0f8a52fd5d85659d60738816 ]
+
+POWERHOLD signal has higher priority over the DEV_ON bit.
+So power off will not happen if the POWERHOLD is held high.
+Hence reset the MUX to GPIO_7 mode to release the POWERHOLD
+and the DEV_ON bit to take effect to power off the PMIC.
+
+PMIC Power off happens in dire situations like thermal shutdown
+so irrespective of the POWERHOLD setting go ahead and turn off
+the powerhold. Currently poweroff is broken on boards that have
+powerhold enabled. This fixes poweroff on those boards.
+
+Signed-off-by: Keerthy <j-keerthy@ti.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mfd/palmas.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/mfd/palmas.c
++++ b/drivers/mfd/palmas.c
+@@ -430,6 +430,20 @@ static void palmas_power_off(void)
+ {
+ unsigned int addr;
+ int ret, slave;
++ struct device_node *np = palmas_dev->dev->of_node;
++
++ if (of_property_read_bool(np, "ti,palmas-override-powerhold")) {
++ addr = PALMAS_BASE_TO_REG(PALMAS_PU_PD_OD_BASE,
++ PALMAS_PRIMARY_SECONDARY_PAD2);
++ slave = PALMAS_BASE_TO_SLAVE(PALMAS_PU_PD_OD_BASE);
++
++ ret = regmap_update_bits(palmas_dev->regmap[slave], addr,
++ PALMAS_PRIMARY_SECONDARY_PAD2_GPIO_7_MASK, 0);
++ if (ret)
++ dev_err(palmas_dev->dev,
++ "Unable to write PRIMARY_SECONDARY_PAD2 %d\n",
++ ret);
++ }
+
+ if (!palmas_dev)
+ return;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Johannes Weiner <hannes@cmpxchg.org>
+Date: Wed, 3 May 2017 14:51:54 -0700
+Subject: mm: fix check for reclaimable pages in PF_MEMALLOC reclaim throttling
+
+From: Johannes Weiner <hannes@cmpxchg.org>
+
+
+[ Upstream commit d450abd81b081d45adb12f303a07dd44b15eb1bc ]
+
+PF_MEMALLOC direct reclaimers get throttled on a node when the sum of
+all free pages in each zone fall below half the min watermark. During
+the summation, we want to exclude zones that don't have reclaimables.
+Checking the same pgdat over and over again doesn't make sense.
+
+Fixes: 599d0c954f91 ("mm, vmscan: move LRU lists to node")
+Link: http://lkml.kernel.org/r/20170228214007.5621-3-hannes@cmpxchg.org
+Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
+Acked-by: Hillf Danton <hillf.zj@alibaba-inc.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Jia He <hejianet@gmail.com>
+Cc: Mel Gorman <mgorman@suse.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/vmscan.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -2841,8 +2841,10 @@ static bool allow_direct_reclaim(pg_data
+
+ for (i = 0; i <= ZONE_NORMAL; i++) {
+ zone = &pgdat->node_zones[i];
+- if (!managed_zone(zone) ||
+- pgdat_reclaimable_pages(pgdat) == 0)
++ if (!managed_zone(zone))
++ continue;
++
++ if (!zone_reclaimable_pages(zone))
+ continue;
+
+ pfmemalloc_reserve += min_wmark_pages(zone);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Date: Wed, 3 May 2017 14:56:22 -0700
+Subject: mm: hwpoison: call shake_page() after try_to_unmap() for mlocked page
+
+From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+
+
+[ Upstream commit 286c469a988fbaf68e3a97ddf1e6c245c1446968 ]
+
+Memory error handler calls try_to_unmap() for error pages in various
+states. If the error page is a mlocked page, error handling could fail
+with "still referenced by 1 users" message. This is because the page is
+linked to and stays in lru cache after the following call chain.
+
+ try_to_unmap_one
+ page_remove_rmap
+ clear_page_mlock
+ putback_lru_page
+ lru_cache_add
+
+memory_failure() calls shake_page() to hanlde the similar issue, but
+current code doesn't cover because shake_page() is called only before
+try_to_unmap(). So this patches adds shake_page().
+
+Fixes: 23a003bfd23ea9ea0b7756b920e51f64b284b468 ("mm/madvise: pass return code of memory_failure() to userspace")
+Link: http://lkml.kernel.org/r/20170417055948.GM31394@yexl-desktop
+Link: http://lkml.kernel.org/r/1493197841-23986-3-git-send-email-n-horiguchi@ah.jp.nec.com
+Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Cc: Xiaolong Ye <xiaolong.ye@intel.com>
+Cc: Chen Gong <gong.chen@linux.intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memory-failure.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -921,6 +921,7 @@ static int hwpoison_user_mappings(struct
+ int ret;
+ int kill = 1, forcekill;
+ struct page *hpage = *hpagep;
++ bool mlocked = PageMlocked(hpage);
+
+ /*
+ * Here we are interested only in user-mapped pages, so skip any
+@@ -985,6 +986,13 @@ static int hwpoison_user_mappings(struct
+ pfn, page_mapcount(hpage));
+
+ /*
++ * try_to_unmap() might put mlocked page in lru cache, so call
++ * shake_page() again to ensure that it's flushed.
++ */
++ if (mlocked)
++ shake_page(hpage, 0);
++
++ /*
+ * Now that the dirty bit has been propagated to the
+ * struct page and all unmaps done we can decide if
+ * killing is needed or not. Only kill when the page
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: David Rientjes <rientjes@google.com>
+Date: Wed, 3 May 2017 14:53:02 -0700
+Subject: mm, vmstat: suppress pcp stats for unpopulated zones in zoneinfo
+
+From: David Rientjes <rientjes@google.com>
+
+
+[ Upstream commit 7dfb8bf3b9caef4049bee51d2c22e1c3a311d483 ]
+
+After "mm, vmstat: print non-populated zones in zoneinfo",
+/proc/zoneinfo will show unpopulated zones.
+
+The per-cpu pageset statistics are not relevant for unpopulated zones
+and can be potentially lengthy, so supress them when they are not
+interesting.
+
+Also moves lowmem reserve protection information above pcp stats since
+it is relevant for all zones per vm.lowmem_reserve_ratio.
+
+Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1703061400500.46428@chino.kir.corp.google.com
+Signed-off-by: David Rientjes <rientjes@google.com>
+Cc: Anshuman Khandual <khandual@linux.vnet.ibm.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/vmstat.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/mm/vmstat.c
++++ b/mm/vmstat.c
+@@ -1387,18 +1387,24 @@ static void zoneinfo_show_print(struct s
+ zone->present_pages,
+ zone->managed_pages);
+
+- for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
+- seq_printf(m, "\n %-12s %lu", vmstat_text[i],
+- zone_page_state(zone, i));
+-
+ seq_printf(m,
+ "\n protection: (%ld",
+ zone->lowmem_reserve[0]);
+ for (i = 1; i < ARRAY_SIZE(zone->lowmem_reserve); i++)
+ seq_printf(m, ", %ld", zone->lowmem_reserve[i]);
+- seq_printf(m,
+- ")"
+- "\n pagesets");
++ seq_putc(m, ')');
++
++ /* If unpopulated, no other information is useful */
++ if (!populated_zone(zone)) {
++ seq_putc(m, '\n');
++ return;
++ }
++
++ for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
++ seq_printf(m, "\n %-12s %lu", vmstat_text[i],
++ zone_page_state(zone, i));
++
++ seq_printf(m, "\n pagesets");
+ for_each_online_cpu(i) {
+ struct per_cpu_pageset *pageset;
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Daniel Drake <drake@endlessm.com>
+Date: Tue, 12 Dec 2017 10:49:02 +0000
+Subject: mmc: avoid removing non-removable hosts during suspend
+
+From: Daniel Drake <drake@endlessm.com>
+
+
+[ Upstream commit de8dcc3d2c0e08e5068ee1e26fc46415c15e3637 ]
+
+The Weibu F3C MiniPC has an onboard AP6255 module, presenting
+two SDIO functions on a single MMC host (Bluetooth/btsdio and
+WiFi/brcmfmac), and the mmc layer correctly detects this as
+non-removable.
+
+After suspend/resume, the wifi and bluetooth interfaces disappear
+and do not get probed again.
+
+The conditions here are:
+
+ 1. During suspend, we reach mmc_pm_notify()
+
+ 2. mmc_pm_notify() calls mmc_sdio_pre_suspend() to see if we can
+ suspend the SDIO host. However, mmc_sdio_pre_suspend() returns
+ -ENOSYS because btsdio_driver does not have a suspend method.
+
+ 3. mmc_pm_notify() proceeds to remove the card
+
+ 4. Upon resume, mmc_rescan() does nothing with this host, because of
+ the rescan_entered check which aims to only scan a non-removable
+ device a single time (i.e. during boot).
+
+Fix the loss of functionality by detecting that we are unable to
+suspend a non-removable host, so avoid the forced removal in that
+case. The comment above this function already indicates that this
+code was only intended for removable devices.
+
+Signed-off-by: Daniel Drake <drake@endlessm.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/core.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/mmc/core/core.c
++++ b/drivers/mmc/core/core.c
+@@ -2974,6 +2974,14 @@ static int mmc_pm_notify(struct notifier
+ if (!err)
+ break;
+
++ if (!mmc_card_is_removable(host)) {
++ dev_warn(mmc_dev(host),
++ "pre_suspend failed for non-removable host: "
++ "%d\n", err);
++ /* Avoid removing non-removable hosts */
++ break;
++ }
++
+ /* Calling bus_ops->remove() with a claimed host can deadlock */
+ host->bus_ops->remove(host);
+ mmc_claim_host(host);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 10 Apr 2017 16:54:17 +0300
+Subject: mmc: host: omap_hsmmc: checking for NULL instead of IS_ERR()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit ec5ab8933772c87f24ad62a4a602fe8949f423c2 ]
+
+devm_pinctrl_get() returns error pointers, it never returns NULL.
+
+Fixes: 455e5cd6f736 ("mmc: omap_hsmmc: Pin remux workaround to support SDIO interrupt on AM335x")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/omap_hsmmc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/omap_hsmmc.c
++++ b/drivers/mmc/host/omap_hsmmc.c
+@@ -1762,8 +1762,8 @@ static int omap_hsmmc_configure_wake_irq
+ */
+ if (host->pdata->controller_flags & OMAP_HSMMC_SWAKEUP_MISSING) {
+ struct pinctrl *p = devm_pinctrl_get(host->dev);
+- if (!p) {
+- ret = -ENODEV;
++ if (IS_ERR(p)) {
++ ret = PTR_ERR(p);
+ goto err_free_irq;
+ }
+ if (IS_ERR(pinctrl_lookup_state(p, PINCTRL_STATE_DEFAULT))) {
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: yangbo lu <yangbo.lu@nxp.com>
+Date: Thu, 20 Apr 2017 14:58:29 +0800
+Subject: mmc: sdhci-of-esdhc: limit SD clock for ls1012a/ls1046a
+
+From: yangbo lu <yangbo.lu@nxp.com>
+
+
+[ Upstream commit a627f025eb0534052ff451427c16750b3530634c ]
+
+The ls1046a datasheet specified that the max SD clock frequency
+for eSDHC SDR104/HS200 was 167MHz, and the ls1012a datasheet
+specified it's 125MHz for ls1012a. So this patch is to add the
+limitation.
+
+Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-of-esdhc.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-of-esdhc.c
++++ b/drivers/mmc/host/sdhci-of-esdhc.c
+@@ -432,6 +432,20 @@ static void esdhc_of_set_clock(struct sd
+ if (esdhc->vendor_ver < VENDOR_V_23)
+ pre_div = 2;
+
++ /*
++ * Limit SD clock to 167MHz for ls1046a according to its datasheet
++ */
++ if (clock > 167000000 &&
++ of_find_compatible_node(NULL, NULL, "fsl,ls1046a-esdhc"))
++ clock = 167000000;
++
++ /*
++ * Limit SD clock to 125MHz for ls1012a according to its datasheet
++ */
++ if (clock > 125000000 &&
++ of_find_compatible_node(NULL, NULL, "fsl,ls1012a-esdhc"))
++ clock = 125000000;
++
+ /* Workaround to reduce the clock frequency for p1010 esdhc */
+ if (of_find_compatible_node(NULL, NULL, "fsl,p1010-esdhc")) {
+ if (clock > 20000000)
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Pan Bian <bianpan2016@163.com>
+Date: Sun, 23 Apr 2017 15:00:23 +0800
+Subject: mt7601u: check return value of alloc_skb
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit 5fb01e91daf84ad1e50edfcf63116ecbe31e7ba7 ]
+
+Function alloc_skb() will return a NULL pointer if there is no enough
+memory. However, in function mt7601u_mcu_msg_alloc(), its return value
+is not validated before it is used. This patch fixes it.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Acked-by: Jakub Kicinski <kubakici@wp.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt7601u/mcu.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt7601u/mcu.c
++++ b/drivers/net/wireless/mediatek/mt7601u/mcu.c
+@@ -66,8 +66,10 @@ mt7601u_mcu_msg_alloc(struct mt7601u_dev
+ WARN_ON(len % 4); /* if length is not divisible by 4 we need to pad */
+
+ skb = alloc_skb(len + MT_DMA_HDR_LEN + 4, GFP_KERNEL);
+- skb_reserve(skb, MT_DMA_HDR_LEN);
+- memcpy(skb_put(skb, len), data, len);
++ if (skb) {
++ skb_reserve(skb, MT_DMA_HDR_LEN);
++ memcpy(skb_put(skb, len), data, len);
++ }
+
+ return skb;
+ }
+@@ -170,6 +172,8 @@ static int mt7601u_mcu_function_select(s
+ };
+
+ skb = mt7601u_mcu_msg_alloc(dev, &msg, sizeof(msg));
++ if (!skb)
++ return -ENOMEM;
+ return mt7601u_mcu_msg_send(dev, skb, CMD_FUN_SET_OP, func == 5);
+ }
+
+@@ -205,6 +209,8 @@ mt7601u_mcu_calibrate(struct mt7601u_dev
+ };
+
+ skb = mt7601u_mcu_msg_alloc(dev, &msg, sizeof(msg));
++ if (!skb)
++ return -ENOMEM;
+ return mt7601u_mcu_msg_send(dev, skb, CMD_CALIBRATION_OP, true);
+ }
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Ming Lei <ming.lei@redhat.com>
+Date: Thu, 27 Apr 2017 07:45:18 -0600
+Subject: mtip32xx: use runtime tag to initialize command header
+
+From: Ming Lei <ming.lei@redhat.com>
+
+
+[ Upstream commit a4e84aae8139aca9fbfbced1f45c51ca81b57488 ]
+
+mtip32xx supposes that 'request_idx' passed to .init_request()
+is tag of the request, and use that as request's tag to initialize
+command header.
+
+After MQ IO scheduler is in, request tag assigned isn't same with
+the request index anymore, so cause strange hardware failure on
+mtip32xx, even whole system panic is triggered.
+
+This patch fixes the issue by initializing command header via
+request's real tag.
+
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/mtip32xx/mtip32xx.c | 36 ++++++++++++++++++++++++------------
+ 1 file changed, 24 insertions(+), 12 deletions(-)
+
+--- a/drivers/block/mtip32xx/mtip32xx.c
++++ b/drivers/block/mtip32xx/mtip32xx.c
+@@ -169,6 +169,25 @@ static bool mtip_check_surprise_removal(
+ return false; /* device present */
+ }
+
++/* we have to use runtime tag to setup command header */
++static void mtip_init_cmd_header(struct request *rq)
++{
++ struct driver_data *dd = rq->q->queuedata;
++ struct mtip_cmd *cmd = blk_mq_rq_to_pdu(rq);
++ u32 host_cap_64 = readl(dd->mmio + HOST_CAP) & HOST_CAP_64;
++
++ /* Point the command headers at the command tables. */
++ cmd->command_header = dd->port->command_list +
++ (sizeof(struct mtip_cmd_hdr) * rq->tag);
++ cmd->command_header_dma = dd->port->command_list_dma +
++ (sizeof(struct mtip_cmd_hdr) * rq->tag);
++
++ if (host_cap_64)
++ cmd->command_header->ctbau = __force_bit2int cpu_to_le32((cmd->command_dma >> 16) >> 16);
++
++ cmd->command_header->ctba = __force_bit2int cpu_to_le32(cmd->command_dma & 0xFFFFFFFF);
++}
++
+ static struct mtip_cmd *mtip_get_int_command(struct driver_data *dd)
+ {
+ struct request *rq;
+@@ -180,6 +199,9 @@ static struct mtip_cmd *mtip_get_int_com
+ if (IS_ERR(rq))
+ return NULL;
+
++ /* Internal cmd isn't submitted via .queue_rq */
++ mtip_init_cmd_header(rq);
++
+ return blk_mq_rq_to_pdu(rq);
+ }
+
+@@ -3811,6 +3833,8 @@ static int mtip_queue_rq(struct blk_mq_h
+ struct request *rq = bd->rq;
+ int ret;
+
++ mtip_init_cmd_header(rq);
++
+ if (unlikely(mtip_check_unal_depth(hctx, rq)))
+ return BLK_MQ_RQ_QUEUE_BUSY;
+
+@@ -3842,7 +3866,6 @@ static int mtip_init_cmd(void *data, str
+ {
+ struct driver_data *dd = data;
+ struct mtip_cmd *cmd = blk_mq_rq_to_pdu(rq);
+- u32 host_cap_64 = readl(dd->mmio + HOST_CAP) & HOST_CAP_64;
+
+ /*
+ * For flush requests, request_idx starts at the end of the
+@@ -3859,17 +3882,6 @@ static int mtip_init_cmd(void *data, str
+
+ memset(cmd->command, 0, CMD_DMA_ALLOC_SZ);
+
+- /* Point the command headers at the command tables. */
+- cmd->command_header = dd->port->command_list +
+- (sizeof(struct mtip_cmd_hdr) * request_idx);
+- cmd->command_header_dma = dd->port->command_list_dma +
+- (sizeof(struct mtip_cmd_hdr) * request_idx);
+-
+- if (host_cap_64)
+- cmd->command_header->ctbau = __force_bit2int cpu_to_le32((cmd->command_dma >> 16) >> 16);
+-
+- cmd->command_header->ctba = __force_bit2int cpu_to_le32(cmd->command_dma & 0xFFFFFFFF);
+-
+ sg_init_table(cmd->sg, MTIP_MAX_SG);
+ return 0;
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Brian Norris <briannorris@chromium.org>
+Date: Fri, 14 Apr 2017 14:51:20 -0700
+Subject: mwifiex: don't leak 'chan_stats' on reset
+
+From: Brian Norris <briannorris@chromium.org>
+
+
+[ Upstream commit fb9e67bee3ab7111513130c516ffe378d885c0d0 ]
+
+'chan_stats' is (re)allocated in _mwifiex_fw_dpc() ->
+mwifiex_init_channel_scan_gap(), which is called whenever the device is
+initialized -- at probe or at reset.
+
+But we only free it in we completely unregister the adapter, meaning we
+leak a copy of it during every reset.
+
+Let's free it in the shutdown / removal paths instead (and in the
+error-handling path), to avoid the leak.
+
+Ideally, we can eventually unify much of mwifiex_shutdown_sw() and
+mwifiex_remove_card() (way too much copy-and-paste) to reduce the burden
+on bugfixes like this. But that's work for tomorrow.
+
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/marvell/mwifiex/main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/main.c
++++ b/drivers/net/wireless/marvell/mwifiex/main.c
+@@ -146,7 +146,6 @@ static int mwifiex_unregister(struct mwi
+
+ kfree(adapter->regd);
+
+- vfree(adapter->chan_stats);
+ kfree(adapter);
+ return 0;
+ }
+@@ -636,6 +635,7 @@ static void mwifiex_fw_dpc(const struct
+ goto done;
+
+ err_add_intf:
++ vfree(adapter->chan_stats);
+ wiphy_unregister(adapter->wiphy);
+ wiphy_free(adapter->wiphy);
+ err_init_fw:
+@@ -1429,6 +1429,7 @@ mwifiex_shutdown_sw(struct mwifiex_adapt
+ mwifiex_del_virtual_intf(adapter->wiphy, &priv->wdev);
+ rtnl_unlock();
+ }
++ vfree(adapter->chan_stats);
+
+ up(sem);
+ exit_sem_err:
+@@ -1729,6 +1730,7 @@ int mwifiex_remove_card(struct mwifiex_a
+ mwifiex_del_virtual_intf(adapter->wiphy, &priv->wdev);
+ rtnl_unlock();
+ }
++ vfree(adapter->chan_stats);
+
+ wiphy_unregister(adapter->wiphy);
+ wiphy_free(adapter->wiphy);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Tue, 7 Feb 2017 10:05:09 +0100
+Subject: net: ethernet: ucc_geth: fix MEM_PART_MURAM mode
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+
+[ Upstream commit 8b8642af15ed14b9a7a34d3401afbcc274533e13 ]
+
+Since commit 5093bb965a163 ("powerpc/QE: switch to the cpm_muram
+implementation"), muram area is not part of immrbar mapping anymore
+so immrbar_virt_to_phys() is not usable anymore.
+
+Fixes: 5093bb965a163 ("powerpc/QE: switch to the cpm_muram implementation")
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Acked-by: David S. Miller <davem@davemloft.net>
+Acked-by: Li Yang <pku.leo@gmail.com>
+Signed-off-by: Scott Wood <oss@buserror.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/ucc_geth.c | 8 +++-----
+ include/soc/fsl/qe/qe.h | 1 +
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/ucc_geth.c
++++ b/drivers/net/ethernet/freescale/ucc_geth.c
+@@ -2594,11 +2594,10 @@ static int ucc_geth_startup(struct ucc_g
+ } else if (ugeth->ug_info->uf_info.bd_mem_part ==
+ MEM_PART_MURAM) {
+ out_be32(&ugeth->p_send_q_mem_reg->sqqd[i].bd_ring_base,
+- (u32) immrbar_virt_to_phys(ugeth->
+- p_tx_bd_ring[i]));
++ (u32)qe_muram_dma(ugeth->p_tx_bd_ring[i]));
+ out_be32(&ugeth->p_send_q_mem_reg->sqqd[i].
+ last_bd_completed_address,
+- (u32) immrbar_virt_to_phys(endOfRing));
++ (u32)qe_muram_dma(endOfRing));
+ }
+ }
+
+@@ -2844,8 +2843,7 @@ static int ucc_geth_startup(struct ucc_g
+ } else if (ugeth->ug_info->uf_info.bd_mem_part ==
+ MEM_PART_MURAM) {
+ out_be32(&ugeth->p_rx_bd_qs_tbl[i].externalbdbaseptr,
+- (u32) immrbar_virt_to_phys(ugeth->
+- p_rx_bd_ring[i]));
++ (u32)qe_muram_dma(ugeth->p_rx_bd_ring[i]));
+ }
+ /* rest of fields handled by QE */
+ }
+--- a/include/soc/fsl/qe/qe.h
++++ b/include/soc/fsl/qe/qe.h
+@@ -243,6 +243,7 @@ static inline int qe_alive_during_sleep(
+ #define qe_muram_free cpm_muram_free
+ #define qe_muram_addr cpm_muram_addr
+ #define qe_muram_offset cpm_muram_offset
++#define qe_muram_dma cpm_muram_dma
+
+ #define qe_setbits32(_addr, _v) iowrite32be(ioread32be(_addr) | (_v), (_addr))
+ #define qe_clrbits32(_addr, _v) iowrite32be(ioread32be(_addr) & ~(_v), (_addr))
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Timmy Li <lixiaoping3@huawei.com>
+Date: Tue, 2 May 2017 10:46:52 +0800
+Subject: net: hns: fix ethtool_get_strings overflow in hns driver
+
+From: Timmy Li <lixiaoping3@huawei.com>
+
+
+[ Upstream commit 412b65d15a7f8a93794653968308fc100f2aa87c ]
+
+hns_get_sset_count() returns HNS_NET_STATS_CNT and the data space allocated
+is not enough for ethtool_get_strings(), which will cause random memory
+corruption.
+
+When SLAB and DEBUG_SLAB are both enabled, memory corruptions like the
+the following can be observed without this patch:
+[ 43.115200] Slab corruption (Not tainted): Acpi-ParseExt start=ffff801fb0b69030, len=80
+[ 43.115206] Redzone: 0x9f911029d006462/0x5f78745f31657070.
+[ 43.115208] Last user: [<5f7272655f746b70>](0x5f7272655f746b70)
+[ 43.115214] 010: 70 70 65 31 5f 74 78 5f 70 6b 74 00 6b 6b 6b 6b ppe1_tx_pkt.kkkk
+[ 43.115217] 030: 70 70 65 31 5f 74 78 5f 70 6b 74 5f 6f 6b 00 6b ppe1_tx_pkt_ok.k
+[ 43.115218] Next obj: start=ffff801fb0b69098, len=80
+[ 43.115220] Redzone: 0x706d655f6f666966/0x9f911029d74e35b.
+[ 43.115229] Last user: [<ffff0000084b11b0>](acpi_os_release_object+0x28/0x38)
+[ 43.115231] 000: 74 79 00 6b 6b 6b 6b 6b 70 70 65 31 5f 74 78 5f ty.kkkkkppe1_tx_
+[ 43.115232] 010: 70 6b 74 5f 65 72 72 5f 63 73 75 6d 5f 66 61 69 pkt_err_csum_fai
+
+Signed-off-by: Timmy Li <lixiaoping3@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c | 2 +-
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c | 2 +-
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c | 2 +-
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_xgmac.c | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c
+@@ -671,7 +671,7 @@ static void hns_gmac_get_strings(u32 str
+
+ static int hns_gmac_get_sset_count(int stringset)
+ {
+- if (stringset == ETH_SS_STATS)
++ if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS)
+ return ARRAY_SIZE(g_gmac_stats_string);
+
+ return 0;
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c
+@@ -422,7 +422,7 @@ void hns_ppe_update_stats(struct hns_ppe
+
+ int hns_ppe_get_sset_count(int stringset)
+ {
+- if (stringset == ETH_SS_STATS)
++ if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS)
+ return ETH_PPE_STATIC_NUM;
+ return 0;
+ }
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c
+@@ -798,7 +798,7 @@ void hns_rcb_get_stats(struct hnae_queue
+ */
+ int hns_rcb_get_ring_sset_count(int stringset)
+ {
+- if (stringset == ETH_SS_STATS)
++ if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS)
+ return HNS_RING_STATIC_REG_NUM;
+
+ return 0;
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_xgmac.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_xgmac.c
+@@ -776,7 +776,7 @@ static void hns_xgmac_get_strings(u32 st
+ */
+ static int hns_xgmac_get_sset_count(int stringset)
+ {
+- if (stringset == ETH_SS_STATS)
++ if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS)
+ return ARRAY_SIZE(g_xgmac_stats_string);
+
+ return 0;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: David Ahern <dsa@cumulusnetworks.com>
+Date: Wed, 12 Apr 2017 11:49:04 -0700
+Subject: net: ipv6: send unsolicited NA on admin up
+
+From: David Ahern <dsa@cumulusnetworks.com>
+
+
+[ Upstream commit 4a6e3c5def13c91adf2acc613837001f09af3baa ]
+
+ndisc_notify is the ipv6 equivalent to arp_notify. When arp_notify is
+set to 1, gratuitous arp requests are sent when the device is brought up.
+The same is expected when ndisc_notify is set to 1 (per ndisc_notify in
+Documentation/networking/ip-sysctl.txt). The NA is not sent on NETDEV_UP
+event; add it.
+
+Fixes: 5cb04436eef6 ("ipv6: add knob to send unsolicited ND on link-layer address change")
+Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ndisc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1723,6 +1723,8 @@ static int ndisc_netdev_event(struct not
+ case NETDEV_CHANGEADDR:
+ neigh_changeaddr(&nd_tbl, dev);
+ fib6_run_gc(0, net, false);
++ /* fallthrough */
++ case NETDEV_UP:
+ idev = in6_dev_get(dev);
+ if (!idev)
+ break;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Liping Zhang <zlpnobody@gmail.com>
+Date: Sat, 15 Apr 2017 19:27:42 +0800
+Subject: netfilter: nf_ct_helper: permit cthelpers with different names via nfnetlink
+
+From: Liping Zhang <zlpnobody@gmail.com>
+
+
+[ Upstream commit 66e5a6b18bd09d0431e97cd3c162e76c5c2aebba ]
+
+cthelpers added via nfnetlink may have the same tuple, i.e. except for
+the l3proto and l4proto, other fields are all zero. So even with the
+different names, we will also fail to add them:
+ # nfct helper add ssdp inet udp
+ # nfct helper add tftp inet udp
+ nfct v1.4.3: netlink error: File exists
+
+So in order to avoid unpredictable behaviour, we should:
+1. cthelpers can be selected by nft ct helper obj or xt_CT target, so
+report error if duplicated { name, l3proto, l4proto } tuple exist.
+2. cthelpers can be selected by nf_ct_tuple_src_mask_cmp when
+nf_ct_auto_assign_helper is enabled, so also report error if duplicated
+{ l3proto, l4proto, src-port } tuple exist.
+
+Also note, if the cthelper is added from userspace, then the src-port will
+always be zero, it's invalid for nf_ct_auto_assign_helper, so there's no
+need to check the second point listed above.
+
+Fixes: 893e093c786c ("netfilter: nf_ct_helper: bail out on duplicated helpers")
+Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_conntrack_helper.c | 26 +++++++++++++++++++++-----
+ 1 file changed, 21 insertions(+), 5 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_helper.c
++++ b/net/netfilter/nf_conntrack_helper.c
+@@ -379,17 +379,33 @@ int nf_conntrack_helper_register(struct
+ struct nf_conntrack_tuple_mask mask = { .src.u.all = htons(0xFFFF) };
+ unsigned int h = helper_hash(&me->tuple);
+ struct nf_conntrack_helper *cur;
+- int ret = 0;
++ int ret = 0, i;
+
+ BUG_ON(me->expect_policy == NULL);
+ BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES);
+ BUG_ON(strlen(me->name) > NF_CT_HELPER_NAME_LEN - 1);
+
+ mutex_lock(&nf_ct_helper_mutex);
+- hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) {
+- if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple, &mask)) {
+- ret = -EEXIST;
+- goto out;
++ for (i = 0; i < nf_ct_helper_hsize; i++) {
++ hlist_for_each_entry(cur, &nf_ct_helper_hash[i], hnode) {
++ if (!strcmp(cur->name, me->name) &&
++ (cur->tuple.src.l3num == NFPROTO_UNSPEC ||
++ cur->tuple.src.l3num == me->tuple.src.l3num) &&
++ cur->tuple.dst.protonum == me->tuple.dst.protonum) {
++ ret = -EEXIST;
++ goto out;
++ }
++ }
++ }
++
++ /* avoid unpredictable behaviour for auto_assign_helper */
++ if (!(me->flags & NF_CT_HELPER_F_USERSPACE)) {
++ hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) {
++ if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple,
++ &mask)) {
++ ret = -EEXIST;
++ goto out;
++ }
+ }
+ }
+ hlist_add_head_rcu(&me->hnode, &nf_ct_helper_hash[h]);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Liping Zhang <zlpnobody@gmail.com>
+Date: Sun, 23 Apr 2017 18:29:30 +0800
+Subject: netfilter: nft_dynset: continue to next expr if _OP_ADD succeeded
+
+From: Liping Zhang <zlpnobody@gmail.com>
+
+
+[ Upstream commit 277a292835c196894ef895d5e1fd6170bb916f55 ]
+
+Currently, after adding the following nft rules:
+ # nft add set x target1 { type ipv4_addr \; flags timeout \;}
+ # nft add rule x y set add ip daddr timeout 1d @target1 counter
+
+the counters will always be zero despite of the elements are added
+to the dynamic set "target1" or not, as we will break the nft expr
+traversal unconditionally:
+ # nft list ruleset
+ ...
+ set target1 {
+ ...
+ elements = { 8.8.8.8 expires 23h59m53s}
+ }
+ chain output {
+ ...
+ set add ip daddr timeout 1d @target1 counter packets 0 bytes 0
+ ^ ^
+ ...
+ }
+
+Since we add the elements to the set successfully, we should continue
+to the next expression.
+
+Additionally, if elements are added to "flow table" successfully, we
+will _always_ continue to the next expr, even if the operation is
+_OP_ADD. So it's better to keep them to be consistent.
+
+Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates")
+Reported-by: Robert White <rwhite@pobox.com>
+Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_dynset.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/nft_dynset.c
++++ b/net/netfilter/nft_dynset.c
+@@ -82,8 +82,7 @@ static void nft_dynset_eval(const struct
+ nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
+ timeout = priv->timeout ? : set->timeout;
+ *nft_set_ext_expiration(ext) = jiffies + timeout;
+- } else if (sexpr == NULL)
+- goto out;
++ }
+
+ if (sexpr != NULL)
+ sexpr->ops->eval(sexpr, regs, pkt);
+@@ -92,7 +91,7 @@ static void nft_dynset_eval(const struct
+ regs->verdict.code = NFT_BREAK;
+ return;
+ }
+-out:
++
+ if (!priv->invert)
+ regs->verdict.code = NFT_BREAK;
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 28 Apr 2017 15:57:56 +0300
+Subject: netfilter: x_tables: unlock on error in xt_find_table_lock()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit 7dde07e9c53617549d67dd3e1d791496d0d3868e ]
+
+According to my static checker we should unlock here before the return.
+That seems reasonable to me as well.
+
+Fixes" b9e69e127397 ("netfilter: xtables: don't hook tables by default")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/x_tables.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -1006,8 +1006,10 @@ struct xt_table *xt_find_table_lock(stru
+ list_for_each_entry(t, &init_net.xt.tables[af], list) {
+ if (strcmp(t->name, name))
+ continue;
+- if (!try_module_get(t->me))
++ if (!try_module_get(t->me)) {
++ mutex_unlock(&xt[af].mutex);
+ return NULL;
++ }
+
+ mutex_unlock(&xt[af].mutex);
+ if (t->table_init(net) != 0) {
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Gao Feng <fgao@ikuai8.com>
+Date: Fri, 14 Apr 2017 10:00:08 +0800
+Subject: netfilter: xt_CT: fix refcnt leak on error path
+
+From: Gao Feng <fgao@ikuai8.com>
+
+
+[ Upstream commit 470acf55a021713869b9bcc967268ac90c8a0fac ]
+
+There are two cases which causes refcnt leak.
+
+1. When nf_ct_timeout_ext_add failed in xt_ct_set_timeout, it should
+free the timeout refcnt.
+Now goto the err_put_timeout error handler instead of going ahead.
+
+2. When the time policy is not found, we should call module_put.
+Otherwise, the related cthelper module cannot be removed anymore.
+It is easy to reproduce by typing the following command:
+ # iptables -t raw -A OUTPUT -p tcp -j CT --helper ftp --timeout xxx
+
+Signed-off-by: Gao Feng <fgao@ikuai8.com>
+Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/xt_CT.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/xt_CT.c
++++ b/net/netfilter/xt_CT.c
+@@ -168,8 +168,10 @@ xt_ct_set_timeout(struct nf_conn *ct, co
+ goto err_put_timeout;
+ }
+ timeout_ext = nf_ct_timeout_ext_add(ct, timeout, GFP_ATOMIC);
+- if (timeout_ext == NULL)
++ if (!timeout_ext) {
+ ret = -ENOMEM;
++ goto err_put_timeout;
++ }
+
+ rcu_read_unlock();
+ return ret;
+@@ -201,6 +203,7 @@ static int xt_ct_tg_check(const struct x
+ struct xt_ct_target_info_v1 *info)
+ {
+ struct nf_conntrack_zone zone;
++ struct nf_conn_help *help;
+ struct nf_conn *ct;
+ int ret = -EOPNOTSUPP;
+
+@@ -249,7 +252,7 @@ static int xt_ct_tg_check(const struct x
+ if (info->timeout[0]) {
+ ret = xt_ct_set_timeout(ct, par, info->timeout);
+ if (ret < 0)
+- goto err3;
++ goto err4;
+ }
+ __set_bit(IPS_CONFIRMED_BIT, &ct->status);
+ nf_conntrack_get(&ct->ct_general);
+@@ -257,6 +260,10 @@ out:
+ info->ct = ct;
+ return 0;
+
++err4:
++ help = nfct_help(ct);
++ if (help)
++ module_put(help->helper->me);
+ err3:
+ nf_ct_tmpl_free(ct);
+ err2:
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Wed, 19 Apr 2017 13:53:49 -0700
+Subject: netvsc: Deal with rescinded channels correctly
+
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+
+
+[ Upstream commit 73e64fa4f417b22d8d5521999a631ced8e2d442e ]
+
+We will not be able to send packets over a channel that has been
+rescinded. Make necessary adjustments so we can properly cleanup
+even when the channel is rescinded. This issue can be trigerred
+in the NIC hot-remove path.
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/netvsc.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/net/hyperv/netvsc.c
++++ b/drivers/net/hyperv/netvsc.c
+@@ -151,6 +151,13 @@ static void netvsc_destroy_buf(struct hv
+ sizeof(struct nvsp_message),
+ (unsigned long)revoke_packet,
+ VM_PKT_DATA_INBAND, 0);
++ /* If the failure is because the channel is rescinded;
++ * ignore the failure since we cannot send on a rescinded
++ * channel. This would allow us to properly cleanup
++ * even when the channel is rescinded.
++ */
++ if (device->channel->rescind)
++ ret = 0;
+ /*
+ * If we failed here, we might as well return and
+ * have a leak rather than continue and a bugchk
+@@ -211,6 +218,15 @@ static void netvsc_destroy_buf(struct hv
+ sizeof(struct nvsp_message),
+ (unsigned long)revoke_packet,
+ VM_PKT_DATA_INBAND, 0);
++
++ /* If the failure is because the channel is rescinded;
++ * ignore the failure since we cannot send on a rescinded
++ * channel. This would allow us to properly cleanup
++ * even when the channel is rescinded.
++ */
++ if (device->channel->rescind)
++ ret = 0;
++
+ /* If we failed here, we might as well return and
+ * have a leak rather than continue and a bugchk
+ */
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: NeilBrown <neilb@suse.com>
+Date: Wed, 15 Mar 2017 12:40:44 +1100
+Subject: NFS: don't try to cross a mountpount when there isn't one there.
+
+From: NeilBrown <neilb@suse.com>
+
+
+[ Upstream commit 99bbf6ecc694dfe0b026e15359c5aa2a60b97a93 ]
+
+consider the sequence of commands:
+ mkdir -p /import/nfs /import/bind /import/etc
+ mount --bind / /import/bind
+ mount --make-private /import/bind
+ mount --bind /import/etc /import/bind/etc
+
+ exportfs -o rw,no_root_squash,crossmnt,async,no_subtree_check localhost:/
+ mount -o vers=4 localhost:/ /import/nfs
+ ls -l /import/nfs/etc
+
+You would not expect this to report a stale file handle.
+Yet it does.
+
+The manipulations under /import/bind cause the dentry for
+/etc to get the DCACHE_MOUNTED flag set, even though nothing
+is mounted on /etc. This causes nfsd to call
+nfsd_cross_mnt() even though there is no mountpoint. So an
+upcall to mountd for "/etc" is performed.
+
+The 'crossmnt' flag on the export of / causes mountd to
+report that /etc is exported as it is a descendant of /. It
+assumes the kernel wouldn't ask about something that wasn't
+a mountpoint. The filehandle returned identifies the
+filesystem and the inode number of /etc.
+
+When this filehandle is presented to rpc.mountd, via
+"nfsd.fh", the inode cannot be found associated with any
+name in /etc/exports, or with any mountpoint listed by
+getmntent(). So rpc.mountd says the filehandle doesn't
+exist. Hence ESTALE.
+
+This is fixed by teaching nfsd not to trust DCACHE_MOUNTED
+too much. It is just a hint, not a guarantee.
+Change nfsd_mountpoint() to return '1' for a certain mountpoint,
+'2' for a possible mountpoint, and 0 otherwise.
+
+Then change nfsd_crossmnt() to check if follow_down()
+actually found a mountpount and, if not, to avoid performing
+a lookup if the location is not known to certainly require
+an export-point.
+
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/vfs.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -94,6 +94,12 @@ nfsd_cross_mnt(struct svc_rqst *rqstp, s
+ err = follow_down(&path);
+ if (err < 0)
+ goto out;
++ if (path.mnt == exp->ex_path.mnt && path.dentry == dentry &&
++ nfsd_mountpoint(dentry, exp) == 2) {
++ /* This is only a mountpoint in some other namespace */
++ path_put(&path);
++ goto out;
++ }
+
+ exp2 = rqst_exp_get_by_name(rqstp, &path);
+ if (IS_ERR(exp2)) {
+@@ -167,16 +173,26 @@ static int nfsd_lookup_parent(struct svc
+ /*
+ * For nfsd purposes, we treat V4ROOT exports as though there was an
+ * export at *every* directory.
++ * We return:
++ * '1' if this dentry *must* be an export point,
++ * '2' if it might be, if there is really a mount here, and
++ * '0' if there is no chance of an export point here.
+ */
+ int nfsd_mountpoint(struct dentry *dentry, struct svc_export *exp)
+ {
+- if (d_mountpoint(dentry))
++ if (!d_inode(dentry))
++ return 0;
++ if (exp->ex_flags & NFSEXP_V4ROOT)
+ return 1;
+ if (nfsd4_is_junction(dentry))
+ return 1;
+- if (!(exp->ex_flags & NFSEXP_V4ROOT))
+- return 0;
+- return d_inode(dentry) != NULL;
++ if (d_mountpoint(dentry))
++ /*
++ * Might only be a mountpoint in a different namespace,
++ * but we need to check.
++ */
++ return 2;
++ return 0;
+ }
+
+ __be32
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Fri, 14 Apr 2017 12:29:54 -0400
+Subject: NFS: Fix missing pg_cleanup after nfs_pageio_cond_complete()
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+
+[ Upstream commit 43b7d964ed30dbca5c83c90cb010985b429ec4f9 ]
+
+Commit a7d42ddb3099727f58366fa006f850a219cce6c8 ("nfs: add mirroring
+support to pgio layer") moved pg_cleanup out of the path when there was
+non-sequental I/O that needed to be flushed. The result is that for
+layouts that have more than one layout segment per file, the pg_lseg is not
+cleared, so we can end up hitting the WARN_ON_ONCE(req_start >= seg_end) in
+pnfs_generic_pg_test since the pg_lseg will be pointing to that
+previously-flushed layout segment.
+
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Fixes: a7d42ddb3099 ("nfs: add mirroring support to pgio layer")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/pagelist.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/pagelist.c
++++ b/fs/nfs/pagelist.c
+@@ -1262,8 +1262,10 @@ void nfs_pageio_cond_complete(struct nfs
+ mirror = &desc->pg_mirrors[midx];
+ if (!list_empty(&mirror->pg_list)) {
+ prev = nfs_list_entry(mirror->pg_list.prev);
+- if (index != prev->wb_index + 1)
+- nfs_pageio_complete_mirror(desc, midx);
++ if (index != prev->wb_index + 1) {
++ nfs_pageio_complete(desc);
++ break;
++ }
+ }
+ }
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Tue, 19 Dec 2017 09:35:25 -0500
+Subject: nfsd4: permit layoutget of executable-only files
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+
+[ Upstream commit 66282ec1cf004c09083c29cb5e49019037937bbd ]
+
+Clients must be able to read a file in order to execute it, and for pNFS
+that means the client needs to be able to perform a LAYOUTGET on the file.
+
+This behavior for executable-only files was added for OPEN in commit
+a043226bc140 "nfsd4: permit read opens of executable-only files".
+
+This fixes up xfstests generic/126 on block/scsi layouts.
+
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4proc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1338,14 +1338,14 @@ nfsd4_layoutget(struct svc_rqst *rqstp,
+ const struct nfsd4_layout_ops *ops;
+ struct nfs4_layout_stateid *ls;
+ __be32 nfserr;
+- int accmode;
++ int accmode = NFSD_MAY_READ_IF_EXEC;
+
+ switch (lgp->lg_seg.iomode) {
+ case IOMODE_READ:
+- accmode = NFSD_MAY_READ;
++ accmode |= NFSD_MAY_READ;
+ break;
+ case IOMODE_RW:
+- accmode = NFSD_MAY_READ | NFSD_MAY_WRITE;
++ accmode |= NFSD_MAY_READ | NFSD_MAY_WRITE;
+ break;
+ default:
+ dprintk("%s: invalid iomode %d\n",
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: "H. Nikolaus Schaller" <hns@goldelico.com>
+Date: Tue, 28 Nov 2017 16:48:54 +0100
+Subject: omapdrm: panel: fix compatible vendor string for td028ttec1
+
+From: "H. Nikolaus Schaller" <hns@goldelico.com>
+
+
+[ Upstream commit c1b9d4c75cd549e08bd0596d7f9dcc20f7f6e8fa ]
+
+The vendor name was "toppoly" but other panels and the vendor list
+have defined it as "tpo". So let's fix it in driver and bindings.
+
+We keep the old definition in parallel to stay compatible with
+potential older DTB setup.
+
+Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/display/panel/toppoly,td028ttec1.txt | 30 ----------
+ Documentation/devicetree/bindings/display/panel/tpo,td028ttec1.txt | 30 ++++++++++
+ drivers/gpu/drm/omapdrm/displays/panel-tpo-td028ttec1.c | 3 +
+ drivers/video/fbdev/omap2/omapfb/displays/panel-tpo-td028ttec1.c | 3 +
+ 4 files changed, 36 insertions(+), 30 deletions(-)
+ rename Documentation/devicetree/bindings/display/panel/{toppoly,td028ttec1.txt => tpo,td028ttec1.txt} (84%)
+
+--- a/Documentation/devicetree/bindings/display/panel/toppoly,td028ttec1.txt
++++ /dev/null
+@@ -1,30 +0,0 @@
+-Toppoly TD028TTEC1 Panel
+-========================
+-
+-Required properties:
+-- compatible: "toppoly,td028ttec1"
+-
+-Optional properties:
+-- label: a symbolic name for the panel
+-
+-Required nodes:
+-- Video port for DPI input
+-
+-Example
+--------
+-
+-lcd-panel: td028ttec1@0 {
+- compatible = "toppoly,td028ttec1";
+- reg = <0>;
+- spi-max-frequency = <100000>;
+- spi-cpol;
+- spi-cpha;
+-
+- label = "lcd";
+- port {
+- lcd_in: endpoint {
+- remote-endpoint = <&dpi_out>;
+- };
+- };
+-};
+-
+--- /dev/null
++++ b/Documentation/devicetree/bindings/display/panel/tpo,td028ttec1.txt
+@@ -0,0 +1,30 @@
++Toppoly TD028TTEC1 Panel
++========================
++
++Required properties:
++- compatible: "tpo,td028ttec1"
++
++Optional properties:
++- label: a symbolic name for the panel
++
++Required nodes:
++- Video port for DPI input
++
++Example
++-------
++
++lcd-panel: td028ttec1@0 {
++ compatible = "tpo,td028ttec1";
++ reg = <0>;
++ spi-max-frequency = <100000>;
++ spi-cpol;
++ spi-cpha;
++
++ label = "lcd";
++ port {
++ lcd_in: endpoint {
++ remote-endpoint = <&dpi_out>;
++ };
++ };
++};
++
+--- a/drivers/gpu/drm/omapdrm/displays/panel-tpo-td028ttec1.c
++++ b/drivers/gpu/drm/omapdrm/displays/panel-tpo-td028ttec1.c
+@@ -456,6 +456,8 @@ static int td028ttec1_panel_remove(struc
+ }
+
+ static const struct of_device_id td028ttec1_of_match[] = {
++ { .compatible = "omapdss,tpo,td028ttec1", },
++ /* keep to not break older DTB */
+ { .compatible = "omapdss,toppoly,td028ttec1", },
+ {},
+ };
+@@ -475,6 +477,7 @@ static struct spi_driver td028ttec1_spi_
+
+ module_spi_driver(td028ttec1_spi_driver);
+
++MODULE_ALIAS("spi:tpo,td028ttec1");
+ MODULE_ALIAS("spi:toppoly,td028ttec1");
+ MODULE_AUTHOR("H. Nikolaus Schaller <hns@goldelico.com>");
+ MODULE_DESCRIPTION("Toppoly TD028TTEC1 panel driver");
+--- a/drivers/video/fbdev/omap2/omapfb/displays/panel-tpo-td028ttec1.c
++++ b/drivers/video/fbdev/omap2/omapfb/displays/panel-tpo-td028ttec1.c
+@@ -455,6 +455,8 @@ static int td028ttec1_panel_remove(struc
+ }
+
+ static const struct of_device_id td028ttec1_of_match[] = {
++ { .compatible = "omapdss,tpo,td028ttec1", },
++ /* keep to not break older DTB */
+ { .compatible = "omapdss,toppoly,td028ttec1", },
+ {},
+ };
+@@ -474,6 +476,7 @@ static struct spi_driver td028ttec1_spi_
+
+ module_spi_driver(td028ttec1_spi_driver);
+
++MODULE_ALIAS("spi:tpo,td028ttec1");
+ MODULE_ALIAS("spi:toppoly,td028ttec1");
+ MODULE_AUTHOR("H. Nikolaus Schaller <hns@goldelico.com>");
+ MODULE_DESCRIPTION("Toppoly TD028TTEC1 panel driver");
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Michal Hocko <mhocko@suse.com>
+Date: Wed, 3 May 2017 14:54:57 -0700
+Subject: oom: improve oom disable handling
+
+From: Michal Hocko <mhocko@suse.com>
+
+
+[ Upstream commit d75da004c708c9fca7b53f7da293a295522414d9 ]
+
+Tetsuo has reported that sysrq triggered OOM killer will print a
+misleading information when no tasks are selected:
+
+ sysrq: SysRq : Manual OOM execution
+ Out of memory: Kill process 4468 ((agetty)) score 0 or sacrifice child
+ Killed process 4468 ((agetty)) total-vm:43704kB, anon-rss:1760kB, file-rss:0kB, shmem-rss:0kB
+ sysrq: SysRq : Manual OOM execution
+ Out of memory: Kill process 4469 (systemd-cgroups) score 0 or sacrifice child
+ Killed process 4469 (systemd-cgroups) total-vm:10704kB, anon-rss:120kB, file-rss:0kB, shmem-rss:0kB
+ sysrq: SysRq : Manual OOM execution
+ sysrq: OOM request ignored because killer is disabled
+ sysrq: SysRq : Manual OOM execution
+ sysrq: OOM request ignored because killer is disabled
+ sysrq: SysRq : Manual OOM execution
+ sysrq: OOM request ignored because killer is disabled
+
+The real reason is that there are no eligible tasks for the OOM killer
+to select but since commit 7c5f64f84483 ("mm: oom: deduplicate victim
+selection code for memcg and global oom") the semantic of out_of_memory
+has changed without updating moom_callback.
+
+This patch updates moom_callback to tell that no task was eligible which
+is the case for both oom killer disabled and no eligible tasks. In
+order to help distinguish first case from the second add printk to both
+oom_killer_{enable,disable}. This information is useful on its own
+because it might help debugging potential memory allocation failures.
+
+Fixes: 7c5f64f84483 ("mm: oom: deduplicate victim selection code for memcg and global oom")
+Link: http://lkml.kernel.org/r/20170404134705.6361-1-mhocko@kernel.org
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/sysrq.c | 2 +-
+ mm/oom_kill.c | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/sysrq.c
++++ b/drivers/tty/sysrq.c
+@@ -375,7 +375,7 @@ static void moom_callback(struct work_st
+
+ mutex_lock(&oom_lock);
+ if (!out_of_memory(&oc))
+- pr_info("OOM request ignored because killer is disabled\n");
++ pr_info("OOM request ignored. No task eligible\n");
+ mutex_unlock(&oom_lock);
+ }
+
+--- a/mm/oom_kill.c
++++ b/mm/oom_kill.c
+@@ -706,6 +706,7 @@ void exit_oom_victim(void)
+ void oom_killer_enable(void)
+ {
+ oom_killer_disabled = false;
++ pr_info("OOM killer enabled.\n");
+ }
+
+ /**
+@@ -742,6 +743,7 @@ bool oom_killer_disable(signed long time
+ oom_killer_enable();
+ return false;
+ }
++ pr_info("OOM killer disabled.\n");
+
+ return true;
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Jarno Rajahalme <jarno@ovn.org>
+Date: Fri, 14 Apr 2017 14:26:38 -0700
+Subject: openvswitch: Delete conntrack entry clashing with an expectation.
+
+From: Jarno Rajahalme <jarno@ovn.org>
+
+
+[ Upstream commit cf5d70918877c6a6655dc1e92e2ebb661ce904fd ]
+
+Conntrack helpers do not check for a potentially clashing conntrack
+entry when creating a new expectation. Also, nf_conntrack_in() will
+check expectations (via init_conntrack()) only if a conntrack entry
+can not be found. The expectation for a packet which also matches an
+existing conntrack entry will not be removed by conntrack, and is
+currently handled inconsistently by OVS, as OVS expects the
+expectation to be removed when the connection tracking entry matching
+that expectation is confirmed.
+
+It should be noted that normally an IP stack would not allow reuse of
+a 5-tuple of an old (possibly lingering) connection for a new data
+connection, so this is somewhat unlikely corner case. However, it is
+possible that a misbehaving source could cause conntrack entries be
+created that could then interfere with new related connections.
+
+Fix this in the OVS module by deleting the clashing conntrack entry
+after an expectation has been matched. This causes the following
+nf_conntrack_in() call also find the expectation and remove it when
+creating the new conntrack entry, as well as the forthcoming reply
+direction packets to match the new related connection instead of the
+old clashing conntrack entry.
+
+Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action")
+Reported-by: Yang Song <yangsong@vmware.com>
+Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
+Acked-by: Joe Stringer <joe@ovn.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/conntrack.c | 30 +++++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
+
+--- a/net/openvswitch/conntrack.c
++++ b/net/openvswitch/conntrack.c
+@@ -396,10 +396,38 @@ ovs_ct_expect_find(struct net *net, cons
+ u16 proto, const struct sk_buff *skb)
+ {
+ struct nf_conntrack_tuple tuple;
++ struct nf_conntrack_expect *exp;
+
+ if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), proto, net, &tuple))
+ return NULL;
+- return __nf_ct_expect_find(net, zone, &tuple);
++
++ exp = __nf_ct_expect_find(net, zone, &tuple);
++ if (exp) {
++ struct nf_conntrack_tuple_hash *h;
++
++ /* Delete existing conntrack entry, if it clashes with the
++ * expectation. This can happen since conntrack ALGs do not
++ * check for clashes between (new) expectations and existing
++ * conntrack entries. nf_conntrack_in() will check the
++ * expectations only if a conntrack entry can not be found,
++ * which can lead to OVS finding the expectation (here) in the
++ * init direction, but which will not be removed by the
++ * nf_conntrack_in() call, if a matching conntrack entry is
++ * found instead. In this case all init direction packets
++ * would be reported as new related packets, while reply
++ * direction packets would be reported as un-related
++ * established packets.
++ */
++ h = nf_conntrack_find_get(net, zone, &tuple);
++ if (h) {
++ struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
++
++ nf_ct_delete(ct, 0, 0);
++ nf_conntrack_put(&ct->ct_general);
++ }
++ }
++
++ return exp;
+ }
+
+ /* This replicates logic from nf_conntrack_core.c that is not exported. */
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Martin Brandenburg <martin@omnibond.com>
+Date: Tue, 25 Apr 2017 15:38:07 -0400
+Subject: orangefs: do not wait for timeout if umounting
+
+From: Martin Brandenburg <martin@omnibond.com>
+
+
+[ Upstream commit b5a9d61eebdd0016ccb383b25a5c3d04977a6549 ]
+
+When the computer is turned off, all the processes are killed and then
+all the filesystems are umounted. OrangeFS should not wait for the
+userspace daemon to come back in that case.
+
+This only works for plain umount(2). To actually take advantage of this
+interactively, `umount -f' is needed; otherwise umount will issue a
+statfs first, which will wait for the userspace daemon to come back.
+
+Signed-off-by: Martin Brandenburg <martin@omnibond.com>
+Signed-off-by: Mike Marshall <hubcap@omnibond.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/orangefs/waitqueue.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/orangefs/waitqueue.c
++++ b/fs/orangefs/waitqueue.c
+@@ -124,7 +124,14 @@ retry_servicing:
+ gossip_debug(GOSSIP_WAIT_DEBUG,
+ "%s:client core is NOT in service.\n",
+ __func__);
+- timeout = op_timeout_secs * HZ;
++ /*
++ * Don't wait for the userspace component to return if
++ * the filesystem is being umounted anyway.
++ */
++ if (op->upcall.type == ORANGEFS_VFS_OP_FS_UMOUNT)
++ timeout = 0;
++ else
++ timeout = op_timeout_secs * HZ;
+ }
+ spin_unlock(&orangefs_request_list_lock);
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Kim Phillips <kim.phillips@arm.com>
+Date: Wed, 3 May 2017 13:14:02 +0100
+Subject: perf tests kmod-path: Don't fail if compressed modules aren't supported
+
+From: Kim Phillips <kim.phillips@arm.com>
+
+
+[ Upstream commit 805b151a1afd24414706a7f6ae275fbb9649be74 ]
+
+__kmod_path__parse() uses is_supported_compression() to determine and
+parse out compressed module file extensions. On systems without zlib,
+this test fails and __kmod_path__parse() continues to strcmp "ko" with
+"gz". Don't do this on those systems.
+
+Signed-off-by: Kim Phillips <kim.phillips@arm.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Fixes: 3c8a67f50a1e ("perf tools: Add kmod_path__parse function")
+Link: http://lkml.kernel.org/r/20170503131402.c66e314460026c80cd787b34@arm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/tests/kmod-path.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/tools/perf/tests/kmod-path.c
++++ b/tools/perf/tests/kmod-path.c
+@@ -61,6 +61,7 @@ int test__kmod_path__parse(int subtest _
+ M("/xxxx/xxxx/x-x.ko", PERF_RECORD_MISC_KERNEL, true);
+ M("/xxxx/xxxx/x-x.ko", PERF_RECORD_MISC_USER, false);
+
++#ifdef HAVE_ZLIB_SUPPORT
+ /* path alloc_name alloc_ext kmod comp name ext */
+ T("/xxxx/xxxx/x.ko.gz", true , true , true, true, "[x]", "gz");
+ T("/xxxx/xxxx/x.ko.gz", false , true , true, true, NULL , "gz");
+@@ -96,6 +97,7 @@ int test__kmod_path__parse(int subtest _
+ M("x.ko.gz", PERF_RECORD_MISC_CPUMODE_UNKNOWN, true);
+ M("x.ko.gz", PERF_RECORD_MISC_KERNEL, true);
+ M("x.ko.gz", PERF_RECORD_MISC_USER, false);
++#endif
+
+ /* path alloc_name alloc_ext kmod comp name ext */
+ T("[test_module]", true , true , true, false, "[test_module]", NULL);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Wed, 1 Mar 2017 10:32:57 -0800
+Subject: pinctrl: Really force states during suspend/resume
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+
+[ Upstream commit 981ed1bfbc6c4660b2ddaa8392893e20a6255048 ]
+
+In case a platform only defaults a "default" set of pins, but not a
+"sleep" set of pins, and this particular platform suspends and resumes
+in a way that the pin states are not preserved by the hardware, when we
+resume, we would call pinctrl_single_resume() -> pinctrl_force_default()
+-> pinctrl_select_state() and the first thing we do is check that the
+pins state is the same as before, and do nothing.
+
+In order to fix this, decouple the actual state change from
+pinctrl_select_state() and move it pinctrl_commit_state(), while keeping
+the p->state == state check in pinctrl_select_state() not to change the
+caller assumptions. pinctrl_force_sleep() and pinctrl_force_default()
+are updated to bypass the state check by calling pinctrl_commit_state().
+
+[Linus Walleij]
+The forced pin control states are currently only used in some pin
+controller drivers that grab their own reference to their own pins.
+This is equal to the pin control hogs: pins taken by pin control
+devices since there are no corresponding device in the Linux device
+hierarchy, such as memory controller lines or unused GPIO lines,
+or GPIO lines that are used orthogonally from the GPIO subsystem
+but pincontrol-wise managed as hogs (non-strict mode, allowing
+simultaneous use by GPIO and pin control). For this case forcing
+the state from the drivers' suspend()/resume() callbacks makes
+sense and should semantically match the name of the function.
+
+Fixes: 6e5e959dde0d ("pinctrl: API changes to support multiple states per device")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/core.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+--- a/drivers/pinctrl/core.c
++++ b/drivers/pinctrl/core.c
+@@ -992,19 +992,16 @@ struct pinctrl_state *pinctrl_lookup_sta
+ EXPORT_SYMBOL_GPL(pinctrl_lookup_state);
+
+ /**
+- * pinctrl_select_state() - select/activate/program a pinctrl state to HW
++ * pinctrl_commit_state() - select/activate/program a pinctrl state to HW
+ * @p: the pinctrl handle for the device that requests configuration
+ * @state: the state handle to select/activate/program
+ */
+-int pinctrl_select_state(struct pinctrl *p, struct pinctrl_state *state)
++static int pinctrl_commit_state(struct pinctrl *p, struct pinctrl_state *state)
+ {
+ struct pinctrl_setting *setting, *setting2;
+ struct pinctrl_state *old_state = p->state;
+ int ret;
+
+- if (p->state == state)
+- return 0;
+-
+ if (p->state) {
+ /*
+ * For each pinmux setting in the old state, forget SW's record
+@@ -1068,6 +1065,19 @@ unapply_new_state:
+
+ return ret;
+ }
++
++/**
++ * pinctrl_select_state() - select/activate/program a pinctrl state to HW
++ * @p: the pinctrl handle for the device that requests configuration
++ * @state: the state handle to select/activate/program
++ */
++int pinctrl_select_state(struct pinctrl *p, struct pinctrl_state *state)
++{
++ if (p->state == state)
++ return 0;
++
++ return pinctrl_commit_state(p, state);
++}
+ EXPORT_SYMBOL_GPL(pinctrl_select_state);
+
+ static void devm_pinctrl_release(struct device *dev, void *res)
+@@ -1236,7 +1246,7 @@ void pinctrl_unregister_map(struct pinct
+ int pinctrl_force_sleep(struct pinctrl_dev *pctldev)
+ {
+ if (!IS_ERR(pctldev->p) && !IS_ERR(pctldev->hog_sleep))
+- return pinctrl_select_state(pctldev->p, pctldev->hog_sleep);
++ return pinctrl_commit_state(pctldev->p, pctldev->hog_sleep);
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(pinctrl_force_sleep);
+@@ -1248,7 +1258,7 @@ EXPORT_SYMBOL_GPL(pinctrl_force_sleep);
+ int pinctrl_force_default(struct pinctrl_dev *pctldev)
+ {
+ if (!IS_ERR(pctldev->p) && !IS_ERR(pctldev->hog_default))
+- return pinctrl_select_state(pctldev->p, pctldev->hog_default);
++ return pinctrl_commit_state(pctldev->p, pctldev->hog_default);
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(pinctrl_force_default);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Brian Norris <briannorris@chromium.org>
+Date: Tue, 12 Dec 2017 09:43:43 -0800
+Subject: pinctrl: rockchip: enable clock when reading pin direction register
+
+From: Brian Norris <briannorris@chromium.org>
+
+
+[ Upstream commit 5c9d8c4f6b8168738a26bcf288516cc3a0886810 ]
+
+We generally leave the GPIO clock disabled, unless an interrupt is
+requested or we're accessing IO registers. We forgot to do this for the
+->get_direction() callback, which means we can sometimes [1] get
+incorrect results [2] from, e.g., /sys/kernel/debug/gpio.
+
+Enable the clock, so we get the right results!
+
+[1] Sometimes, because many systems have 1 or mor interrupt requested on
+each GPIO bank, so they always leave their clock on.
+
+[2] Incorrect, meaning the register returns 0, and so we interpret that
+as "input".
+
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinctrl-rockchip.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/pinctrl/pinctrl-rockchip.c
++++ b/drivers/pinctrl/pinctrl-rockchip.c
+@@ -1278,8 +1278,16 @@ static int rockchip_gpio_get_direction(s
+ {
+ struct rockchip_pin_bank *bank = gpiochip_get_data(chip);
+ u32 data;
++ int ret;
+
++ ret = clk_enable(bank->clk);
++ if (ret < 0) {
++ dev_err(bank->drvdata->dev,
++ "failed to enable clock for bank %s\n", bank->name);
++ return ret;
++ }
+ data = readl_relaxed(bank->reg_base + GPIO_SWPORT_DDR);
++ clk_disable(bank->clk);
+
+ return !(data & BIT(offset));
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Shawn Nematbakhsh <shawnn@chromium.org>
+Date: Fri, 8 Sep 2017 13:50:11 -0700
+Subject: platform/chrome: Use proper protocol transfer function
+
+From: Shawn Nematbakhsh <shawnn@chromium.org>
+
+
+[ Upstream commit d48b8c58c57f6edbe2965f0a5f62c5cf9593ca96 ]
+
+pkt_xfer should be used for protocol v3, and cmd_xfer otherwise. We had
+one instance of these functions correct, but not the second, fall-back
+case. We use the fall-back only when the first command returns an
+IN_PROGRESS status, which is only used on some EC firmwares where we
+don't want to constantly poll the bus, but instead back off and
+sleep/retry for a little while.
+
+Fixes: 2c7589af3c4d ("mfd: cros_ec: add proto v3 skeleton")
+Signed-off-by: Shawn Nematbakhsh <shawnn@chromium.org>
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Javier Martinez Canillas <javier@osg.samsung.com>
+Signed-off-by: Benson Leung <bleung@chromium.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/chrome/cros_ec_proto.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/platform/chrome/cros_ec_proto.c
++++ b/drivers/platform/chrome/cros_ec_proto.c
+@@ -60,12 +60,14 @@ static int send_command(struct cros_ec_d
+ struct cros_ec_command *msg)
+ {
+ int ret;
++ int (*xfer_fxn)(struct cros_ec_device *ec, struct cros_ec_command *msg);
+
+ if (ec_dev->proto_version > 2)
+- ret = ec_dev->pkt_xfer(ec_dev, msg);
++ xfer_fxn = ec_dev->pkt_xfer;
+ else
+- ret = ec_dev->cmd_xfer(ec_dev, msg);
++ xfer_fxn = ec_dev->cmd_xfer;
+
++ ret = (*xfer_fxn)(ec_dev, msg);
+ if (msg->result == EC_RES_IN_PROGRESS) {
+ int i;
+ struct cros_ec_command *status_msg;
+@@ -88,7 +90,7 @@ static int send_command(struct cros_ec_d
+ for (i = 0; i < EC_COMMAND_RETRIES; i++) {
+ usleep_range(10000, 11000);
+
+- ret = ec_dev->cmd_xfer(ec_dev, status_msg);
++ ret = (*xfer_fxn)(ec_dev, status_msg);
+ if (ret < 0)
+ break;
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Santeri Toivonen <santeri.toivonen@vatsul.com>
+Date: Tue, 4 Apr 2017 21:09:00 +0300
+Subject: platform/x86: asus-nb-wmi: Add wapf4 quirk for the X302UA
+
+From: Santeri Toivonen <santeri.toivonen@vatsul.com>
+
+
+[ Upstream commit f35823619db8bbaa2afea8705f239c3cecb9d22f ]
+
+Asus laptop X302UA starts up with Wi-Fi disabled,
+without a way to enable it. Set wapf=4 to fix the problem.
+
+Signed-off-by: Santeri Toivonen <santeri.toivonen@vatsul.com>
+Signed-off-by: Darren Hart (VMware) <dvhart@infradead.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/asus-nb-wmi.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/platform/x86/asus-nb-wmi.c
++++ b/drivers/platform/x86/asus-nb-wmi.c
+@@ -152,6 +152,15 @@ static const struct dmi_system_id asus_q
+ },
+ {
+ .callback = dmi_matched,
++ .ident = "ASUSTeK COMPUTER INC. X302UA",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "X302UA"),
++ },
++ .driver_data = &quirk_asus_wapf4,
++ },
++ {
++ .callback = dmi_matched,
+ .ident = "ASUSTeK COMPUTER INC. X401U",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Oleksij Rempel <linux@rempel-privat.de>
+Date: Fri, 28 Apr 2017 16:19:49 +0200
+Subject: platform/x86: asus-wmi: try to set als by default
+
+From: Oleksij Rempel <linux@rempel-privat.de>
+
+
+[ Upstream commit e9b615186805e2c18a0ac76aca62c1543ecfdbb8 ]
+
+some laptops, for example ASUS UX330UAK, have brocken als_get function
+but working als_set funktion. In this case, ALS will stay turned off.
+
+ Method (WMNB, 3, Serialized)
+ {
+ ...
+ If (Local0 == 0x53545344)
+ {
+ ...
+ If (IIA0 == 0x00050001)
+ {
+ If (!ALSP)
+ {
+ Return (0x02)
+ }
+
+ Local0 = (GALS & 0x10) <<<---- bug,
+ should be: (GALS () & 0x10)
+ If (Local0)
+ {
+ Return (0x00050001)
+ }
+ Else
+ {
+ Return (0x00050000)
+ }
+ }
+
+ .....
+ If (Local0 == 0x53564544)
+ {
+ ...
+ If (IIA0 == 0x00050001)
+ {
+ Return (ALSC (IIA1))
+ }
+
+ ......
+ Method (GALS, 0, NotSerialized)
+ {
+ Local0 = Zero
+ Local0 |= 0x20
+ If (ALAE)
+ {
+ Local0 |= 0x10
+ }
+
+ Local1 = 0x0A
+ Local1 <<= 0x08
+ Local0 |= Local1
+ Return (Local0)
+ }
+
+Since it works without problems on Windows I assume ASUS WMI driver for Win
+never trying to get ALS state, and instead it is setting it by default to ON.
+
+This patch will do the same. Turn ALS on by default.
+
+Signed-off-by: Oleksij Rempel <linux@rempel-privat.de>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/asus-nb-wmi.c | 13 +++++++++++++
+ drivers/platform/x86/asus-wmi.c | 12 ++++++++++++
+ drivers/platform/x86/asus-wmi.h | 1 +
+ 3 files changed, 26 insertions(+)
+
+--- a/drivers/platform/x86/asus-nb-wmi.c
++++ b/drivers/platform/x86/asus-nb-wmi.c
+@@ -120,6 +120,10 @@ static struct quirk_entry quirk_asus_x55
+ .xusb2pr = 0x01D9,
+ };
+
++static struct quirk_entry quirk_asus_ux330uak = {
++ .wmi_force_als_set = true,
++};
++
+ static int dmi_matched(const struct dmi_system_id *dmi)
+ {
+ quirks = dmi->driver_data;
+@@ -422,6 +426,15 @@ static const struct dmi_system_id asus_q
+ },
+ {
+ .callback = dmi_matched,
++ .ident = "ASUSTeK COMPUTER INC. UX330UAK",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "UX330UAK"),
++ },
++ .driver_data = &quirk_asus_ux330uak,
++ },
++ {
++ .callback = dmi_matched,
+ .ident = "ASUSTeK COMPUTER INC. X550LB",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+--- a/drivers/platform/x86/asus-wmi.c
++++ b/drivers/platform/x86/asus-wmi.c
+@@ -1109,6 +1109,15 @@ static void asus_wmi_set_xusb2pr(struct
+ }
+
+ /*
++ * Some devices dont support or have borcken get_als method
++ * but still support set method.
++ */
++static void asus_wmi_set_als(void)
++{
++ asus_wmi_set_devstate(ASUS_WMI_DEVID_ALS_ENABLE, 1, NULL);
++}
++
++/*
+ * Hwmon device
+ */
+ static int asus_hwmon_agfn_fan_speed_read(struct asus_wmi *asus, int fan,
+@@ -2120,6 +2129,9 @@ static int asus_wmi_add(struct platform_
+ goto fail_rfkill;
+ }
+
++ if (asus->driver->quirks->wmi_force_als_set)
++ asus_wmi_set_als();
++
+ /* Some Asus desktop boards export an acpi-video backlight interface,
+ stop this from showing up */
+ chassis_type = dmi_get_system_info(DMI_CHASSIS_TYPE);
+--- a/drivers/platform/x86/asus-wmi.h
++++ b/drivers/platform/x86/asus-wmi.h
+@@ -45,6 +45,7 @@ struct quirk_entry {
+ bool store_backlight_power;
+ bool wmi_backlight_power;
+ bool wmi_backlight_native;
++ bool wmi_force_als_set;
+ int wapf;
+ /*
+ * For machines with AMD graphic chips, it will send out WMI event
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Maarten Maathuis <madman2003@gmail.com>
+Date: Mon, 24 Apr 2017 23:35:21 +0200
+Subject: platform/x86: intel-vbtn: add volume up and down
+
+From: Maarten Maathuis <madman2003@gmail.com>
+
+
+[ Upstream commit 8d9e29972836b75eb74f533594999500a4c7cc19 ]
+
+Tested on HP Elite X2 1012 G1.
+Matches event report of Lenovo Helix 2
+(https://www.spinics.net/lists/ibm-acpi-devel/msg03982.html).
+
+Signed-off-by: Maarten Maathuis <madman2003@shikahr.net>
+[andy: fixed indentation of comments and massaged title of the change]
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/intel-vbtn.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/platform/x86/intel-vbtn.c
++++ b/drivers/platform/x86/intel-vbtn.c
+@@ -37,6 +37,10 @@ static const struct acpi_device_id intel
+ static const struct key_entry intel_vbtn_keymap[] = {
+ { KE_IGNORE, 0xC0, { KEY_POWER } }, /* power key press */
+ { KE_KEY, 0xC1, { KEY_POWER } }, /* power key release */
++ { KE_KEY, 0xC4, { KEY_VOLUMEUP } }, /* volume-up key press */
++ { KE_IGNORE, 0xC5, { KEY_VOLUMEUP } }, /* volume-up key release */
++ { KE_KEY, 0xC6, { KEY_VOLUMEDOWN } }, /* volume-down key press */
++ { KE_IGNORE, 0xC7, { KEY_VOLUMEDOWN } }, /* volume-down key release */
+ { KE_END },
+ };
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Mon, 1 May 2017 17:06:56 -0400
+Subject: pNFS: Fix a deadlock when coalescing writes and returning the layout
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+
+[ Upstream commit 61f454e30c18a28924e96be12592c0d5e24bcc81 ]
+
+Consider the following deadlock:
+
+Process P1 Process P2 Process P3
+========== ========== ==========
+ lock_page(page)
+
+ lseg = pnfs_update_layout(inode)
+
+lo = NFS_I(inode)->layout
+pnfs_error_mark_layout_for_return(lo)
+
+ lock_page(page)
+
+ lseg = pnfs_update_layout(inode)
+
+In this scenario,
+- P1 has declared the layout to be in error, but P2 holds a reference to
+ a layout segment on that inode, so the layoutreturn is deferred.
+- P2 is waiting for a page lock held by P3.
+- P3 is asking for a new layout segment, but is blocked waiting
+ for the layoutreturn.
+
+The fix is to ensure that pnfs_error_mark_layout_for_return() does
+not set the NFS_LAYOUT_RETURN flag, which blocks P3. Instead, we allow
+the latter to call LAYOUTGET so that it can make progress and unblock
+P2.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/pnfs.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1953,8 +1953,6 @@ void pnfs_error_mark_layout_for_return(s
+
+ spin_lock(&inode->i_lock);
+ pnfs_set_plh_return_info(lo, range.iomode, 0);
+- /* Block LAYOUTGET */
+- set_bit(NFS_LAYOUT_RETURN, &lo->plh_flags);
+ /*
+ * mark all matching lsegs so that we are sure to have no live
+ * segments at hand when sending layoutreturn. See pnfs_put_lseg()
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Tue, 25 Apr 2017 11:26:53 -0400
+Subject: pNFS: Fix use after free issues in pnfs_do_read()
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+
+[ Upstream commit 6aeafd05eca9bc8ab6b03d7e56d09ffd18190f44 ]
+
+The assumption should be that if the caller returns PNFS_ATTEMPTED, then hdr
+has been consumed, and so we should not be testing hdr->task.tk_status.
+If the caller returns PNFS_TRY_AGAIN, then we need to recoalesce and
+free hdr.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/pnfs.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -2308,10 +2308,20 @@ pnfs_do_read(struct nfs_pageio_descripto
+ enum pnfs_try_status trypnfs;
+
+ trypnfs = pnfs_try_to_read_data(hdr, call_ops, lseg);
+- if (trypnfs == PNFS_TRY_AGAIN)
+- pnfs_read_resend_pnfs(hdr);
+- if (trypnfs == PNFS_NOT_ATTEMPTED || hdr->task.tk_status)
++ switch (trypnfs) {
++ case PNFS_NOT_ATTEMPTED:
+ pnfs_read_through_mds(desc, hdr);
++ case PNFS_ATTEMPTED:
++ break;
++ case PNFS_TRY_AGAIN:
++ /* cleanup hdr and prepare to redo pnfs */
++ if (!test_and_set_bit(NFS_IOHDR_REDO, &hdr->flags)) {
++ struct nfs_pgio_mirror *mirror = nfs_pgio_current_mirror(desc);
++ list_splice_init(&hdr->pages, &mirror->pg_list);
++ mirror->pg_recoalesce = 1;
++ }
++ hdr->mds_ops->rpc_release(hdr);
++ }
+ }
+
+ static void pnfs_readhdr_free(struct nfs_pgio_header *hdr)
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 14 Apr 2017 18:52:33 +0200
+Subject: power: supply: bq24190_charger: Add disable-reset device-property
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+
+[ Upstream commit 6cf62a3b97e78ba41d31390e59a1ddc98a9e3622 ]
+
+Allow platform-code to disable the reset on probe and suspend/resume
+by setting a "disable-reset" boolean device property on the device.
+
+There are several reasons why the platform-code may want to disable
+the reset on probe and suspend/resume:
+
+1) Resetting the charger should never be necessary it should always have
+sane values programmed. If it is running with invalid values while we
+are not running (system turned off or suspended) there is a big problem
+as that may lead to overcharging the battery.
+
+2) The reset in suspend() is meant to put the charger back into default
+mode, but this is not necessary and not a good idea. If the charger has
+been programmed with a higher max charge_current / charge_voltage then
+putting it back in default-mode will reset those to the safe power-on
+defaults, leading to slower charging, or charging to a lower voltage
+(and thus not using the full capacity) while suspended which is
+undesirable. Reprogramming the max charge_current / charge_voltage
+after the reset will not help here as that will put the charger back
+in host mode and start the i2c watchdog if the host then does not do
+anything for 40s (iow if we're suspended for more then 40s) the watchdog
+expires resetting the device to default-mode, including resetting all
+the registers to there safe power-on defaults. So the only way to keep
+using custom charge settings while suspending is to keep the charger in
+its normal running state with the i2c watchdog disabled. This is fine
+as the charger will still automatically switch from constant current
+to constant voltage and stop charging when the battery is full.
+
+3) Besides never being necessary resetting the charger also causes
+problems on systems where the charge voltage limit is set higher then the
+reset value, if this is the case and the charger is reset while charging
+and the battery voltage is between the 2 voltages, then about half the
+time the charger gets confused and claims to be charging (REG08 contains
+0x64) but in reality the charger has decoupled itself from VBUS (Q1 off)
+and is drawing 0A from VBUS, leaving the system running from the battery.
+
+This last problem is happening on a GPD-win mini PC with a bq24292i
+charger chip combined with a max17047 fuel-gauge and a LiHV battery.
+I've checked and TI does not list any errata for the bq24292i which
+could explain this (there are no errata at all).
+
+Cc: Liam Breck <kernel@networkimprov.net>
+Cc: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Liam Breck <kernel@networkimprov.net>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/bq24190_charger.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/power/supply/bq24190_charger.c
++++ b/drivers/power/supply/bq24190_charger.c
+@@ -506,6 +506,9 @@ static int bq24190_register_reset(struct
+ int ret, limit = 100;
+ u8 v;
+
++ if (device_property_read_bool(bdi->dev, "disable-reset"))
++ return 0;
++
+ /* Reset the registers */
+ ret = bq24190_write_mask(bdi, BQ24190_REG_POC,
+ BQ24190_REG_POC_RESET_MASK,
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Liam Breck <kernel@networkimprov.net>
+Date: Tue, 11 Apr 2017 04:59:54 -0700
+Subject: power: supply: bq24190_charger: Limit over/under voltage fault logging
+
+From: Liam Breck <kernel@networkimprov.net>
+
+
+[ Upstream commit d63d07c6fc25182af6d3ab5b3b8737b0c1025ebd ]
+
+If the charger is unplugged before the battery is full we may
+see an over/under voltage fault. Ignore this rather then emitting
+a message or uevent.
+
+This fixes messages like these getting logged on charger unplug + replug:
+bq24190-charger 15-006b: Fault: boost 0, charge 1, battery 0, ntc 0
+bq24190-charger 15-006b: Fault: boost 0, charge 0, battery 0, ntc 0
+
+Cc: Tony Lindgren <tony@atomide.com>
+Cc: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Liam Breck <kernel@networkimprov.net>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/bq24190_charger.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/power/supply/bq24190_charger.c
++++ b/drivers/power/supply/bq24190_charger.c
+@@ -1184,8 +1184,13 @@ static irqreturn_t bq24190_irq_handler_t
+ }
+ } while (f_reg && ++i < 2);
+
++ /* ignore over/under voltage fault after disconnect */
++ if (f_reg == (1 << BQ24190_REG_F_CHRG_FAULT_SHIFT) &&
++ !(ss_reg & BQ24190_REG_SS_PG_STAT_MASK))
++ f_reg = 0;
++
+ if (f_reg != bdi->f_reg) {
+- dev_info(bdi->dev,
++ dev_warn(bdi->dev,
+ "Fault: boost %d, charge %d, battery %d, ntc %d\n",
+ !!(f_reg & BQ24190_REG_F_BOOST_FAULT_MASK),
+ !!(f_reg & BQ24190_REG_F_CHRG_FAULT_MASK),
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Pan Bian <bianpan2016@163.com>
+Date: Mon, 24 Apr 2017 16:22:08 +0800
+Subject: power: supply: isp1704: Fix unchecked return value of devm_kzalloc
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit 8b20839988f1ed5e534b270f3776709b640dc7e0 ]
+
+Function devm_kzalloc() will return a NULL pointer. However, in function
+isp1704_charger_probe(), the return value of devm_kzalloc() is directly
+used without validation. This may result in a bad memory access bug.
+
+Fixes: 34a109610e2a ("isp1704_charger: Add DT support")
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Reviewed-by: Pali Rohár <pali.rohar@gmail.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/isp1704_charger.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/power/supply/isp1704_charger.c
++++ b/drivers/power/supply/isp1704_charger.c
+@@ -418,6 +418,10 @@ static int isp1704_charger_probe(struct
+
+ pdata = devm_kzalloc(&pdev->dev,
+ sizeof(struct isp1704_charger_data), GFP_KERNEL);
++ if (!pdata) {
++ ret = -ENOMEM;
++ goto fail0;
++ }
+ pdata->enable_gpio = gpio;
+
+ dev_info(&pdev->dev, "init gpio %d\n", pdata->enable_gpio);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Michael Trimarchi <michael@amarulasolutions.com>
+Date: Tue, 25 Apr 2017 15:18:05 +0200
+Subject: power: supply: pda_power: move from timer to delayed_work
+
+From: Michael Trimarchi <michael@amarulasolutions.com>
+
+
+[ Upstream commit 633e8799ddc09431be2744c4a1efdbda13af2b0b ]
+
+This changed is needed to avoid locking problem during
+boot as shown:
+
+<5>[ 8.824096] Registering SWP/SWPB emulation handler
+<6>[ 8.977294] clock: disabling unused clocks to save power
+<3>[ 9.108154] BUG: sleeping function called from invalid context at kernel_albert/kernel/mutex.c:269
+<3>[ 9.122894] in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: swapper/0
+<4>[ 9.130249] 3 locks held by swapper/0/1:
+<4>[ 9.134613] #0: (&__lockdep_no_validate__){......}, at: [<c0342430>] __driver_attach+0x58/0xa8
+<4>[ 9.144500] #1: (&__lockdep_no_validate__){......}, at: [<c0342440>] __driver_attach+0x68/0xa8
+<4>[ 9.154357] #2: (&polling_timer){......}, at: [<c0053770>] run_timer_softirq+0x108/0x3ec
+<4>[ 9.163726] Backtrace:
+<4>[ 9.166473] [<c001269c>] (dump_backtrace+0x0/0x114) from [<c067e5f0>] (dump_stack+0x20/0x24)
+<4>[ 9.175811] r6:00203230 r5:0000010d r4:d782e000 r3:60000113
+<4>[ 9.182250] [<c067e5d0>] (dump_stack+0x0/0x24) from [<c007441c>] (__might_sleep+0x10c/0x128)
+<4>[ 9.191650] [<c0074310>] (__might_sleep+0x0/0x128) from [<c0688f60>] (mutex_lock_nested+0x34/0x36c)
+<4>[ 9.201660] r5:c02d5350 r4:d79a0c64
+<4>[ 9.205688] [<c0688f2c>] (mutex_lock_nested+0x0/0x36c) from [<c02d5350>] (regulator_set_current_limit+0x30/0x118)
+<4>[ 9.217071] [<c02d5320>] (regulator_set_current_limit+0x0/0x118) from [<c0435ce0>] (update_charger+0x84/0xc4)
+<4>[ 9.228027] r7:d782fb20 r6:00000101 r5:c1767e94 r4:00000000
+<4>[ 9.234436] [<c0435c5c>] (update_charger+0x0/0xc4) from [<c0435d40>] (psy_changed+0x20/0x48)
+<4>[ 9.243804] r5:d782e000 r4:c1767e94
+<4>[ 9.247802] [<c0435d20>] (psy_changed+0x0/0x48) from [<c0435dec>] (polling_timer_func+0x84/0xb8)
+<4>[ 9.257537] r4:c1767e94 r3:00000002
+<4>[ 9.261566] [<c0435d68>] (polling_timer_func+0x0/0xb8) from [<c00537e4>] (run_timer_softirq+0x17c/0x3ec)
+<4>[ 9.272033] r4:c1767eb0 r3:00000000
+<4>[ 9.276062] [<c0053668>] (run_timer_softirq+0x0/0x3ec) from [<c004b000>] (__do_softirq+0xf0/0x298)
+<4>[ 9.286010] [<c004af10>] (__do_softirq+0x0/0x298) from [<c004b650>] (irq_exit+0x98/0xa0)
+<4>[ 9.295013] [<c004b5b8>] (irq_exit+0x0/0xa0) from [<c000edbc>] (handle_IRQ+0x60/0xc0)
+<4>[ 9.303680] r4:c1194e98 r3:c00bc778
+<4>[ 9.307708] [<c000ed5c>] (handle_IRQ+0x0/0xc0) from [<c0008504>] (gic_handle_irq+0x34/0x68)
+<4>[ 9.316955] r8:000ac383 r7:d782fc3c r6:d782fc08 r5:c11936c4 r4:e0802100
+<4>[ 9.324310] r3:c026ba48
+<4>[ 9.327301] [<c00084d0>] (gic_handle_irq+0x0/0x68) from [<c068c2c0>] (__irq_svc+0x40/0x74)
+<4>[ 9.336456] Exception stack(0xd782fc08 to 0xd782fc50)
+<4>[ 9.342041] fc00: d6e30e6c ac383627 00000000 ac383417 ea19c000 ea200000
+<4>[ 9.351104] fc20: beffffff 00000667 000ac383 d6e30670 d6e3066c d782fc94 d782fbe8 d782fc50
+<4>[ 9.360168] fc40: c026ba48 c001d1f0 00000113 ffffffff
+
+Fixes: b2998049cfae ("[BATTERY] pda_power platform driver")
+Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com>
+Signed-off-by: Anthony Brandon <anthony@amarulasolutions.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/pda_power.c | 49 +++++++++++++++++++++------------------
+ 1 file changed, 27 insertions(+), 22 deletions(-)
+
+--- a/drivers/power/supply/pda_power.c
++++ b/drivers/power/supply/pda_power.c
+@@ -30,9 +30,9 @@ static inline unsigned int get_irq_flags
+ static struct device *dev;
+ static struct pda_power_pdata *pdata;
+ static struct resource *ac_irq, *usb_irq;
+-static struct timer_list charger_timer;
+-static struct timer_list supply_timer;
+-static struct timer_list polling_timer;
++static struct delayed_work charger_work;
++static struct delayed_work polling_work;
++static struct delayed_work supply_work;
+ static int polling;
+ static struct power_supply *pda_psy_ac, *pda_psy_usb;
+
+@@ -140,7 +140,7 @@ static void update_charger(void)
+ }
+ }
+
+-static void supply_timer_func(unsigned long unused)
++static void supply_work_func(struct work_struct *work)
+ {
+ if (ac_status == PDA_PSY_TO_CHANGE) {
+ ac_status = new_ac_status;
+@@ -161,11 +161,12 @@ static void psy_changed(void)
+ * Okay, charger set. Now wait a bit before notifying supplicants,
+ * charge power should stabilize.
+ */
+- mod_timer(&supply_timer,
+- jiffies + msecs_to_jiffies(pdata->wait_for_charger));
++ cancel_delayed_work(&supply_work);
++ schedule_delayed_work(&supply_work,
++ msecs_to_jiffies(pdata->wait_for_charger));
+ }
+
+-static void charger_timer_func(unsigned long unused)
++static void charger_work_func(struct work_struct *work)
+ {
+ update_status();
+ psy_changed();
+@@ -184,13 +185,14 @@ static irqreturn_t power_changed_isr(int
+ * Wait a bit before reading ac/usb line status and setting charger,
+ * because ac/usb status readings may lag from irq.
+ */
+- mod_timer(&charger_timer,
+- jiffies + msecs_to_jiffies(pdata->wait_for_status));
++ cancel_delayed_work(&charger_work);
++ schedule_delayed_work(&charger_work,
++ msecs_to_jiffies(pdata->wait_for_status));
+
+ return IRQ_HANDLED;
+ }
+
+-static void polling_timer_func(unsigned long unused)
++static void polling_work_func(struct work_struct *work)
+ {
+ int changed = 0;
+
+@@ -211,8 +213,9 @@ static void polling_timer_func(unsigned
+ if (changed)
+ psy_changed();
+
+- mod_timer(&polling_timer,
+- jiffies + msecs_to_jiffies(pdata->polling_interval));
++ cancel_delayed_work(&polling_work);
++ schedule_delayed_work(&polling_work,
++ msecs_to_jiffies(pdata->polling_interval));
+ }
+
+ #if IS_ENABLED(CONFIG_USB_PHY)
+@@ -250,8 +253,9 @@ static int otg_handle_notification(struc
+ * Wait a bit before reading ac/usb line status and setting charger,
+ * because ac/usb status readings may lag from irq.
+ */
+- mod_timer(&charger_timer,
+- jiffies + msecs_to_jiffies(pdata->wait_for_status));
++ cancel_delayed_work(&charger_work);
++ schedule_delayed_work(&charger_work,
++ msecs_to_jiffies(pdata->wait_for_status));
+
+ return NOTIFY_OK;
+ }
+@@ -300,8 +304,8 @@ static int pda_power_probe(struct platfo
+ if (!pdata->ac_max_uA)
+ pdata->ac_max_uA = 500000;
+
+- setup_timer(&charger_timer, charger_timer_func, 0);
+- setup_timer(&supply_timer, supply_timer_func, 0);
++ INIT_DELAYED_WORK(&charger_work, charger_work_func);
++ INIT_DELAYED_WORK(&supply_work, supply_work_func);
+
+ ac_irq = platform_get_resource_byname(pdev, IORESOURCE_IRQ, "ac");
+ usb_irq = platform_get_resource_byname(pdev, IORESOURCE_IRQ, "usb");
+@@ -385,9 +389,10 @@ static int pda_power_probe(struct platfo
+
+ if (polling) {
+ dev_dbg(dev, "will poll for status\n");
+- setup_timer(&polling_timer, polling_timer_func, 0);
+- mod_timer(&polling_timer,
+- jiffies + msecs_to_jiffies(pdata->polling_interval));
++ INIT_DELAYED_WORK(&polling_work, polling_work_func);
++ cancel_delayed_work(&polling_work);
++ schedule_delayed_work(&polling_work,
++ msecs_to_jiffies(pdata->polling_interval));
+ }
+
+ if (ac_irq || usb_irq)
+@@ -433,9 +438,9 @@ static int pda_power_remove(struct platf
+ free_irq(ac_irq->start, pda_psy_ac);
+
+ if (polling)
+- del_timer_sync(&polling_timer);
+- del_timer_sync(&charger_timer);
+- del_timer_sync(&supply_timer);
++ cancel_delayed_work_sync(&polling_work);
++ cancel_delayed_work_sync(&charger_work);
++ cancel_delayed_work_sync(&supply_work);
+
+ if (pdata->is_usb_online)
+ power_supply_unregister(pda_psy_usb);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Wed, 19 Apr 2017 12:27:38 +1000
+Subject: powerpc/64s: Remove SAO feature from Power9 DD1
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+
+[ Upstream commit ca80d5d0a8175c9be04cfbce24180b8f5e0a744b ]
+
+Power9 DD1 does not implement SAO. Although it's not widely used, its presence
+or absence is visible to user space via arch_validate_prot() so it's moderately
+important that we get the value right.
+
+Fixes: 7dccfbc325bb ("powerpc/book3s: Add a cpu table entry for different POWER9 revs")
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/cputable.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/include/asm/cputable.h
++++ b/arch/powerpc/include/asm/cputable.h
+@@ -474,7 +474,8 @@ enum {
+ CPU_FTR_ICSWX | CPU_FTR_CFAR | CPU_FTR_HVMODE | CPU_FTR_VMX_COPY | \
+ CPU_FTR_DBELL | CPU_FTR_HAS_PPR | CPU_FTR_DAWR | \
+ CPU_FTR_ARCH_207S | CPU_FTR_TM_COMP | CPU_FTR_ARCH_300)
+-#define CPU_FTRS_POWER9_DD1 (CPU_FTRS_POWER9 | CPU_FTR_POWER9_DD1)
++#define CPU_FTRS_POWER9_DD1 ((CPU_FTRS_POWER9 | CPU_FTR_POWER9_DD1) & \
++ (~CPU_FTR_SAO))
+ #define CPU_FTRS_CELL (CPU_FTR_USE_TB | CPU_FTR_LWSYNC | \
+ CPU_FTR_PPCAS_ARCH_V2 | CPU_FTR_CTRL | \
+ CPU_FTR_ALTIVEC_COMP | CPU_FTR_MMCRA | CPU_FTR_SMT | \
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Sahara <keun-o.park@darkmatter.ae>
+Date: Wed, 13 Dec 2017 09:10:48 +0400
+Subject: pty: cancel pty slave port buf's work in tty_release
+
+From: Sahara <keun-o.park@darkmatter.ae>
+
+
+[ Upstream commit 2b022ab7542df60021ab57854b3faaaf42552eaf ]
+
+In case that CONFIG_SLUB_DEBUG is on and pty is used, races between
+release_one_tty and flush_to_ldisc work threads may happen and lead
+to use-after-free condition on tty->link->port. Because SLUB_DEBUG
+is turned on, freed tty->link->port is filled with POISON_FREE value.
+So far without SLUB_DEBUG, port was filled with zero and flush_to_ldisc
+could return without a problem by checking if tty is NULL.
+
+CPU 0 CPU 1
+----- -----
+release_tty pty_write
+ cancel_work_sync(tty) to = tty->link
+ tty_kref_put(tty->link) tty_schedule_flip(to->port)
+ << workqueue >> ...
+ release_one_tty ...
+ pty_cleanup ...
+ kfree(tty->link->port) << workqueue >>
+ flush_to_ldisc
+ tty = READ_ONCE(port->itty)
+ tty is 0x6b6b6b6b6b6b6b6b
+ !!PANIC!! access tty->ldisc
+
+ Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b93
+ pgd = ffffffc0eb1c3000
+ [6b6b6b6b6b6b6b93] *pgd=0000000000000000, *pud=0000000000000000
+ ------------[ cut here ]------------
+ Kernel BUG at ffffff800851154c [verbose debug info unavailable]
+ Internal error: Oops - BUG: 96000004 [#1] PREEMPT SMP
+ CPU: 3 PID: 265 Comm: kworker/u8:9 Tainted: G W 3.18.31-g0a58eeb #1
+ Hardware name: Qualcomm Technologies, Inc. MSM 8996pro v1.1 + PMI8996 Carbide (DT)
+ Workqueue: events_unbound flush_to_ldisc
+ task: ffffffc0ed610ec0 ti: ffffffc0ed624000 task.ti: ffffffc0ed624000
+ PC is at ldsem_down_read_trylock+0x0/0x4c
+ LR is at tty_ldisc_ref+0x24/0x4c
+ pc : [<ffffff800851154c>] lr : [<ffffff800850f6c0>] pstate: 80400145
+ sp : ffffffc0ed627cd0
+ x29: ffffffc0ed627cd0 x28: 0000000000000000
+ x27: ffffff8009e05000 x26: ffffffc0d382cfa0
+ x25: 0000000000000000 x24: ffffff800a012f08
+ x23: 0000000000000000 x22: ffffffc0703fbc88
+ x21: 6b6b6b6b6b6b6b6b x20: 6b6b6b6b6b6b6b93
+ x19: 0000000000000000 x18: 0000000000000001
+ x17: 00e80000f80d6f53 x16: 0000000000000001
+ x15: 0000007f7d826fff x14: 00000000000000a0
+ x13: 0000000000000000 x12: 0000000000000109
+ x11: 0000000000000000 x10: 0000000000000000
+ x9 : ffffffc0ed624000 x8 : ffffffc0ed611580
+ x7 : 0000000000000000 x6 : ffffff800a42e000
+ x5 : 00000000000003fc x4 : 0000000003bd1201
+ x3 : 0000000000000001 x2 : 0000000000000001
+ x1 : ffffff800851004c x0 : 6b6b6b6b6b6b6b93
+
+Signed-off-by: Sahara <keun-o.park@darkmatter.ae>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/tty_io.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -1702,6 +1702,8 @@ static void release_tty(struct tty_struc
+ if (tty->link)
+ tty->link->port->itty = NULL;
+ tty_buffer_cancel_work(tty->port);
++ if (tty->link)
++ tty_buffer_cancel_work(tty->link->port);
+
+ tty_kref_put(tty->link);
+ tty_kref_put(tty);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 28 Apr 2017 15:56:09 +0300
+Subject: qed: Unlock on error in qed_vf_pf_acquire()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit 66117a9d9a8ca948680d6554769ef9e88f936954 ]
+
+My static checker complains that we're holding a mutex on this error
+path. Let's goto exit instead of returning directly.
+
+Fixes: b0bccb69eba3 ("qed: Change locking scheme for VF channel")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Yuval Mintz <Yuval.Mintz@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_vf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_vf.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_vf.c
+@@ -204,7 +204,7 @@ static int qed_vf_pf_acquire(struct qed_
+ /* send acquire request */
+ rc = qed_send_msg2pf(p_hwfn, &resp->hdr.status, sizeof(*resp));
+ if (rc)
+- return rc;
++ goto exit;
+
+ /* copy acquire response from buffer to p_hwfn */
+ memcpy(&p_iov->acquire_resp, resp, sizeof(p_iov->acquire_resp));
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Pan Bian <bianpan2016@163.com>
+Date: Sun, 23 Apr 2017 20:04:04 +0800
+Subject: qlcnic: fix unchecked return value
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit 91ec701a553cb3de470fd471c6fefe3ad1125455 ]
+
+Function pci_find_ext_capability() may return 0, which is an invalid
+address. In function qlcnic_sriov_virtid_fn(), its return value is used
+without validation. This may result in invalid memory access bugs. This
+patch fixes the bug.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
+@@ -128,6 +128,8 @@ static int qlcnic_sriov_virtid_fn(struct
+ return 0;
+
+ pos = pci_find_ext_capability(dev, PCI_EXT_CAP_ID_SRIOV);
++ if (!pos)
++ return 0;
+ pci_read_config_word(dev, pos + PCI_SRIOV_VF_OFFSET, &offset);
+ pci_read_config_word(dev, pos + PCI_SRIOV_VF_STRIDE, &stride);
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: "Bjørn Mork" <bjorn@mork.no>
+Date: Thu, 14 Dec 2017 19:55:50 +0100
+Subject: qmi_wwan: set FLAG_SEND_ZLP to avoid network initiated disconnect
+
+From: "Bjørn Mork" <bjorn@mork.no>
+
+
+[ Upstream commit 245d21190aec547c0de64f70c0e6de871c185a24 ]
+
+It has been reported that the dummy byte we add to avoid
+ZLPs can be forwarded by the modem to the PGW/GGSN, and that
+some operators will drop the connection if this happens.
+
+In theory, QMI devices are based on CDC ECM and should as such
+both support ZLPs and silently ignore the dummy byte. The latter
+assumption failed. Let's test out the first.
+
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -531,7 +531,7 @@ err:
+
+ static const struct driver_info qmi_wwan_info = {
+ .description = "WWAN/QMI device",
+- .flags = FLAG_WWAN,
++ .flags = FLAG_WWAN | FLAG_SEND_ZLP,
+ .bind = qmi_wwan_bind,
+ .unbind = qmi_wwan_unbind,
+ .manage_power = qmi_wwan_manage_power,
+@@ -540,7 +540,7 @@ static const struct driver_info qmi_wwan
+
+ static const struct driver_info qmi_wwan_info_quirk_dtr = {
+ .description = "WWAN/QMI device",
+- .flags = FLAG_WWAN,
++ .flags = FLAG_WWAN | FLAG_SEND_ZLP,
+ .bind = qmi_wwan_bind,
+ .unbind = qmi_wwan_unbind,
+ .manage_power = qmi_wwan_manage_power,
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Parav Pandit <parav@mellanox.com>
+Date: Tue, 14 Nov 2017 14:51:55 +0200
+Subject: RDMA/cma: Use correct size when writing netlink stats
+
+From: Parav Pandit <parav@mellanox.com>
+
+
+[ Upstream commit 7baaa49af3716fb31877c61f59b74d029ce15b75 ]
+
+The code was using the src size when formatting the dst. They are almost
+certainly the same value but it reads wrong.
+
+Fixes: ce117ffac2e9 ("RDMA/cma: Export AF_IB statistics")
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/cma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -4336,7 +4336,7 @@ static int cma_get_id_stats(struct sk_bu
+ RDMA_NL_RDMA_CM_ATTR_SRC_ADDR))
+ goto out;
+ if (ibnl_put_attr(skb, nlh,
+- rdma_addr_size(cma_src_addr(id_priv)),
++ rdma_addr_size(cma_dst_addr(id_priv)),
+ cma_dst_addr(id_priv),
+ RDMA_NL_RDMA_CM_ATTR_DST_ADDR))
+ goto out;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Wed, 29 Nov 2017 09:47:33 +0100
+Subject: RDMA/iwpm: Fix uninitialized error code in iwpm_send_mapinfo()
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+
+[ Upstream commit 302d6424e4a293a5761997e6c9fc3dfb1e4c355f ]
+
+With gcc-4.1.2:
+
+ drivers/infiniband/core/iwpm_util.c: In function ‘iwpm_send_mapinfo’:
+ drivers/infiniband/core/iwpm_util.c:647: warning: ‘ret’ may be used uninitialized in this function
+
+Indeed, if nl_client is not found in any of the scanned has buckets, ret
+will be used uninitialized.
+
+Preinitialize ret to -EINVAL to fix this.
+
+Fixes: 30dc5e63d6a5ad24 ("RDMA/core: Add support for iWARP Port Mapper user space service")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Reviewed-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/iwpm_util.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/core/iwpm_util.c
++++ b/drivers/infiniband/core/iwpm_util.c
+@@ -664,6 +664,7 @@ int iwpm_send_mapinfo(u8 nl_client, int
+ }
+ skb_num++;
+ spin_lock_irqsave(&iwpm_mapinfo_lock, flags);
++ ret = -EINVAL;
+ for (i = 0; i < IWPM_MAPINFO_HASH_SIZE; i++) {
+ hlist_for_each_entry(map_info, &iwpm_hash_bucket[i],
+ hlist_node) {
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Anton Vasilyev <vasilyev@ispras.ru>
+Date: Tue, 8 Aug 2017 18:56:37 +0300
+Subject: RDMA/ocrdma: Fix permissions for OCRDMA_RESET_STATS
+
+From: Anton Vasilyev <vasilyev@ispras.ru>
+
+
+[ Upstream commit 744820869166c8c78be891240cf5f66e8a333694 ]
+
+Debugfs file reset_stats is created with S_IRUSR permissions,
+but ocrdma_dbgfs_ops_read() doesn't support OCRDMA_RESET_STATS,
+whereas ocrdma_dbgfs_ops_write() supports only OCRDMA_RESET_STATS.
+
+The patch fixes misstype with permissions.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
+Acked-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/ocrdma/ocrdma_stats.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/ocrdma/ocrdma_stats.c
++++ b/drivers/infiniband/hw/ocrdma/ocrdma_stats.c
+@@ -836,7 +836,7 @@ void ocrdma_add_port_stats(struct ocrdma
+
+ dev->reset_stats.type = OCRDMA_RESET_STATS;
+ dev->reset_stats.dev = dev;
+- if (!debugfs_create_file("reset_stats", S_IRUSR, dev->dir,
++ if (!debugfs_create_file("reset_stats", 0200, dev->dir,
+ &dev->reset_stats, &ocrdma_dbg_ops))
+ goto err;
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Dong Aisheng <aisheng.dong@nxp.com>
+Date: Wed, 12 Apr 2017 09:58:47 +0800
+Subject: regulator: anatop: set default voltage selector for pcie
+
+From: Dong Aisheng <aisheng.dong@nxp.com>
+
+
+[ Upstream commit 9bf944548169f6153c3d3778cf983cb5db251a0e ]
+
+Set the initial voltage selector for vddpcie in case it's disabled
+by default.
+
+This fixes the below warning:
+20c8000.anatop:regulator-vddpcie: Failed to read a valid default voltage selector.
+anatop_regulator: probe of 20c8000.anatop:regulator-vddpcie failed with error -22
+
+Cc: Liam Girdwood <lgirdwood@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Shawn Guo <shawnguo@kernel.org>
+Cc: Sascha Hauer <kernel@pengutronix.de>
+Cc: Robin Gong <yibin.gong@nxp.com>
+Cc: Richard Zhu <hongxing.zhu@nxp.com>
+Signed-off-by: Richard Zhu <hongxing.zhu@nxp.com>
+Signed-off-by: Dong Aisheng <aisheng.dong@nxp.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/regulator/anatop-regulator.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/regulator/anatop-regulator.c
++++ b/drivers/regulator/anatop-regulator.c
+@@ -296,6 +296,11 @@ static int anatop_regulator_probe(struct
+ if (!sreg->sel && !strcmp(sreg->name, "vddpu"))
+ sreg->sel = 22;
+
++ /* set the default voltage of the pcie phy to be 1.100v */
++ if (!sreg->sel && rdesc->name &&
++ !strcmp(rdesc->name, "vddpcie"))
++ sreg->sel = 0x10;
++
+ if (!sreg->bypass && !sreg->sel) {
+ dev_err(&pdev->dev, "Failed to read a valid default voltage selector.\n");
+ return -EINVAL;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Pan Bian <bianpan2016@163.com>
+Date: Mon, 24 Apr 2017 08:40:28 +0800
+Subject: rndis_wlan: add return value validation
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit 9dc7efd3978aa67ae598129d2a3f240b390ce508 ]
+
+Function create_singlethread_workqueue() will return a NULL pointer if
+there is no enough memory, and its return value should be validated
+before using. However, in function rndis_wlan_bind(), its return value
+is not checked. This may cause NULL dereference bugs. This patch fixes
+it.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/rndis_wlan.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/rndis_wlan.c
++++ b/drivers/net/wireless/rndis_wlan.c
+@@ -3427,6 +3427,10 @@ static int rndis_wlan_bind(struct usbnet
+
+ /* because rndis_command() sleeps we need to use workqueue */
+ priv->workqueue = create_singlethread_workqueue("rndis_wlan");
++ if (!priv->workqueue) {
++ wiphy_free(wiphy);
++ return -ENOMEM;
++ }
+ INIT_WORK(&priv->work, rndis_wlan_worker);
+ INIT_DELAYED_WORK(&priv->dev_poller_work, rndis_device_poller);
+ INIT_DELAYED_WORK(&priv->scan_work, rndis_get_scan_results);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Date: Mon, 4 Dec 2017 14:58:33 +0100
+Subject: rtc: ac100: Fix multiple race conditions
+
+From: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+
+
+[ Upstream commit 994ec64c0a193940be7a6fd074668b9446d3b6c3 ]
+
+The probe function is not allowed to fail after registering the RTC because
+the following may happen:
+
+CPU0: CPU1:
+sys_load_module()
+ do_init_module()
+ do_one_initcall()
+ cmos_do_probe()
+ rtc_device_register()
+ __register_chrdev()
+ cdev->owner = struct module*
+ open("/dev/rtc0")
+ rtc_device_unregister()
+ module_put()
+ free_module()
+ module_free(mod->module_core)
+ /* struct module *module is now
+ freed */
+ chrdev_open()
+ spin_lock(cdev_lock)
+ cdev_get()
+ try_module_get()
+ module_is_live()
+ /* dereferences already
+ freed struct module* */
+
+Also, the interrupt handler: ac100_rtc_irq() is dereferencing chip->rtc but
+this may still be NULL when it is called, resulting in:
+Unable to handle kernel NULL pointer dereference at virtual address 00000194
+pgd = (ptrval)
+[00000194] *pgd=00000000
+Internal error: Oops: 5 [#1] SMP ARM
+Modules linked in:
+CPU: 0 PID: 72 Comm: irq/71-ac100-rt Not tainted 4.15.0-rc1-next-20171201-dirty #120
+Hardware name: Allwinner sun8i Family
+task: (ptrval) task.stack: (ptrval)
+PC is at mutex_lock+0x14/0x3c
+LR is at ac100_rtc_irq+0x38/0xc8
+pc : [<c06543a4>] lr : [<c04d9a2c>] psr: 60000053
+sp : ee9c9f28 ip : 00000000 fp : ee9adfdc
+r10: 00000000 r9 : c0a04c48 r8 : c015ed18
+r7 : ee9bd600 r6 : ee9c9f28 r5 : ee9af590 r4 : c0a04c48
+r3 : ef3cb3c0 r2 : 00000000 r1 : ee9af590 r0 : 00000194
+Flags: nZCv IRQs on FIQs off Mode SVC_32 ISA ARM Segment none
+Control: 10c5387d Table: 4000406a DAC: 00000051
+Process irq/71-ac100-rt (pid: 72, stack limit = 0x(ptrval))
+Stack: (0xee9c9f28 to 0xee9ca000)
+9f20: 00000000 7c2fd1be c015ed18 ee9adf40 ee9c0400 ee9c0400
+9f40: ee9adf40 c015ed34 ee9c8000 ee9adf64 ee9c0400 c015f040 ee9adf80 00000000
+9f60: c015ee24 7c2fd1be ee9adfc0 ee9adf80 00000000 ee9c8000 ee9adf40 c015eef4
+9f80: ef1eba34 c0138f14 ee9c8000 ee9adf80 c0138df4 00000000 00000000 00000000
+9fa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000
+9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+9fe0: 00000000 00000000 00000000 00000000 00000013 00000000 ffffffff ffffffff
+[<c06543a4>] (mutex_lock) from [<c04d9a2c>] (ac100_rtc_irq+0x38/0xc8)
+[<c04d9a2c>] (ac100_rtc_irq) from [<c015ed34>] (irq_thread_fn+0x1c/0x54)
+[<c015ed34>] (irq_thread_fn) from [<c015f040>] (irq_thread+0x14c/0x214)
+[<c015f040>] (irq_thread) from [<c0138f14>] (kthread+0x120/0x150)
+[<c0138f14>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
+
+Solve both issues by moving to
+devm_rtc_allocate_device()/rtc_register_device()
+
+Reported-by: Quentin Schulz <quentin.schulz@free-electrons.com>
+Tested-by: Quentin Schulz <quentin.schulz@free-electrons.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-ac100.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/drivers/rtc/rtc-ac100.c
++++ b/drivers/rtc/rtc-ac100.c
+@@ -567,6 +567,12 @@ static int ac100_rtc_probe(struct platfo
+ return chip->irq;
+ }
+
++ chip->rtc = devm_rtc_allocate_device(&pdev->dev);
++ if (IS_ERR(chip->rtc))
++ return PTR_ERR(chip->rtc);
++
++ chip->rtc->ops = &ac100_rtc_ops;
++
+ ret = devm_request_threaded_irq(&pdev->dev, chip->irq, NULL,
+ ac100_rtc_irq,
+ IRQF_SHARED | IRQF_ONESHOT,
+@@ -586,17 +592,16 @@ static int ac100_rtc_probe(struct platfo
+ /* clear counter alarm pending interrupts */
+ regmap_write(chip->regmap, AC100_ALM_INT_STA, AC100_ALM_INT_ENABLE);
+
+- chip->rtc = devm_rtc_device_register(&pdev->dev, "rtc-ac100",
+- &ac100_rtc_ops, THIS_MODULE);
+- if (IS_ERR(chip->rtc)) {
+- dev_err(&pdev->dev, "unable to register device\n");
+- return PTR_ERR(chip->rtc);
+- }
+-
+ ret = ac100_rtc_register_clks(chip);
+ if (ret)
+ return ret;
+
++ ret = rtc_register_device(chip->rtc);
++ if (ret) {
++ dev_err(&pdev->dev, "unable to register device\n");
++ return ret;
++ }
++
+ dev_info(&pdev->dev, "RTC enabled\n");
+
+ return 0;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 18 Mar 2017 14:45:49 +0100
+Subject: rtc: cmos: Do not assume irq 8 for rtc when there are no legacy irqs
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+
+[ Upstream commit a1e23a42f1bdc00e32fc4869caef12e4e6272f26 ]
+
+On some systems (e.g. Intel Bay Trail systems) the legacy PIC is not
+used, in this case virq 8 will be a random irq, rather then hw_irq 8
+from the PIC.
+
+Requesting virq 8 in this case will not help us to get alarm irqs and
+may cause problems for other drivers which actually do need virq 8,
+for example on an Asus Transformer T100TA this leads to:
+
+[ 28.745155] genirq: Flags mismatch irq 8. 00000088 (mmc0) vs. 00000080 (rtc0)
+<snip oops>
+[ 28.753700] mmc0: Failed to request IRQ 8: -16
+[ 28.975934] sdhci-acpi: probe of 80860F14:01 failed with error -16
+
+This commit fixes this by making the rtc-cmos driver continue
+without using an irq rather then claiming irq 8 when no irq is
+specified in the pnp-info and there are no legacy-irqs.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-cmos.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+--- a/drivers/rtc/rtc-cmos.c
++++ b/drivers/rtc/rtc-cmos.c
+@@ -41,6 +41,9 @@
+ #include <linux/pm.h>
+ #include <linux/of.h>
+ #include <linux/of_platform.h>
++#ifdef CONFIG_X86
++#include <asm/i8259.h>
++#endif
+
+ /* this is for "generic access to PC-style RTC" using CMOS_READ/CMOS_WRITE */
+ #include <linux/mc146818rtc.h>
+@@ -1117,17 +1120,23 @@ static int cmos_pnp_probe(struct pnp_dev
+ {
+ cmos_wake_setup(&pnp->dev);
+
+- if (pnp_port_start(pnp, 0) == 0x70 && !pnp_irq_valid(pnp, 0))
++ if (pnp_port_start(pnp, 0) == 0x70 && !pnp_irq_valid(pnp, 0)) {
++ unsigned int irq = 0;
++#ifdef CONFIG_X86
+ /* Some machines contain a PNP entry for the RTC, but
+ * don't define the IRQ. It should always be safe to
+- * hardcode it in these cases
++ * hardcode it on systems with a legacy PIC.
+ */
++ if (nr_legacy_irqs())
++ irq = 8;
++#endif
+ return cmos_do_probe(&pnp->dev,
+- pnp_get_resource(pnp, IORESOURCE_IO, 0), 8);
+- else
++ pnp_get_resource(pnp, IORESOURCE_IO, 0), irq);
++ } else {
+ return cmos_do_probe(&pnp->dev,
+ pnp_get_resource(pnp, IORESOURCE_IO, 0),
+ pnp_irq(pnp, 0));
++ }
+ }
+
+ static void cmos_pnp_remove(struct pnp_dev *pnp)
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Moritz Fischer <mdf@kernel.org>
+Date: Mon, 24 Apr 2017 15:05:11 -0700
+Subject: rtc: ds1374: wdt: Fix issue with timeout scaling from secs to wdt ticks
+
+From: Moritz Fischer <mdf@kernel.org>
+
+
+[ Upstream commit 453d0744f6c6ca3f9749b8c57c2e85b5b9f52514 ]
+
+The issue is that the internal counter that triggers the watchdog reset
+is actually running at 4096 Hz instead of 1Hz, therefore the value
+given by userland (in sec) needs to be multiplied by 4096 to get the
+correct behavior.
+
+Fixes: 920f91e50c5b ("drivers/rtc/rtc-ds1374.c: add watchdog support")
+Signed-off-by: Moritz Fischer <mdf@kernel.org>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-ds1374.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/rtc/rtc-ds1374.c
++++ b/drivers/rtc/rtc-ds1374.c
+@@ -527,6 +527,10 @@ static long ds1374_wdt_ioctl(struct file
+ if (get_user(new_margin, (int __user *)arg))
+ return -EFAULT;
+
++ /* the hardware's tick rate is 4096 Hz, so
++ * the counter value needs to be scaled accordingly
++ */
++ new_margin <<= 12;
+ if (new_margin < 1 || new_margin > 16777216)
+ return -EINVAL;
+
+@@ -535,7 +539,8 @@ static long ds1374_wdt_ioctl(struct file
+ ds1374_wdt_ping();
+ /* fallthrough */
+ case WDIOC_GETTIMEOUT:
+- return put_user(wdt_margin, (int __user *)arg);
++ /* when returning ... inverse is true */
++ return put_user((wdt_margin >> 12), (int __user *)arg);
+ case WDIOC_SETOPTIONS:
+ if (copy_from_user(&options, (int __user *)arg, sizeof(int)))
+ return -EFAULT;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Moritz Fischer <mdf@kernel.org>
+Date: Mon, 24 Apr 2017 15:05:12 -0700
+Subject: rtc: ds1374: wdt: Fix stop/start ioctl always returning -EINVAL
+
+From: Moritz Fischer <mdf@kernel.org>
+
+
+[ Upstream commit 538c08f4c89580fc644e2bc64e0a4b86c925da4e ]
+
+The WDIOC_SETOPTIONS case in the watchdog ioctl would alwayss falls
+through to the -EINVAL case. This is wrong since thew watchdog does
+actually get stopped or started correctly.
+
+Fixes: 920f91e50c5b ("drivers/rtc/rtc-ds1374.c: add watchdog support")
+Signed-off-by: Moritz Fischer <mdf@kernel.org>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-ds1374.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/rtc/rtc-ds1374.c
++++ b/drivers/rtc/rtc-ds1374.c
+@@ -548,14 +548,15 @@ static long ds1374_wdt_ioctl(struct file
+ if (options & WDIOS_DISABLECARD) {
+ pr_info("disable watchdog\n");
+ ds1374_wdt_disable();
++ return 0;
+ }
+
+ if (options & WDIOS_ENABLECARD) {
+ pr_info("enable watchdog\n");
+ ds1374_wdt_settimeout(wdt_margin);
+ ds1374_wdt_ping();
++ return 0;
+ }
+-
+ return -EINVAL;
+ }
+ return -ENOTTY;
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Tsang-Shian Lin <thlin@realtek.com>
+Date: Sat, 9 Dec 2017 11:37:10 -0600
+Subject: rtlwifi: rtl_pci: Fix the bug when inactiveps is enabled.
+
+From: Tsang-Shian Lin <thlin@realtek.com>
+
+
+[ Upstream commit b7573a0a27bfa8270dea9b145448f6884b7cacc1 ]
+
+Reset the driver current tx read/write index to zero when inactiveps
+nic out of sync with HW state. Wrong driver tx read/write index will
+cause Tx fail.
+
+Signed-off-by: Tsang-Shian Lin <thlin@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Cc: Yan-Hsuan Chuang <yhchuang@realtek.com>
+Cc: Birming Chiu <birming@realtek.com>
+Cc: Shaofu <shaofu@realtek.com>
+Cc: Steven Ting <steventing@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/pci.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -1572,7 +1572,14 @@ int rtl_pci_reset_trx_ring(struct ieee80
+ dev_kfree_skb_irq(skb);
+ ring->idx = (ring->idx + 1) % ring->entries;
+ }
++
++ if (rtlpriv->use_new_trx_flow) {
++ rtlpci->tx_ring[i].cur_tx_rp = 0;
++ rtlpci->tx_ring[i].cur_tx_wp = 0;
++ }
++
+ ring->idx = 0;
++ ring->entries = rtlpci->txringcount[i];
+ }
+ }
+ spin_unlock_irqrestore(&rtlpriv->locks.irq_th_lock, flags);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Sun, 2 Apr 2017 17:08:05 +1000
+Subject: scsi: mac_esp: Replace bogus memory barrier with spinlock
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+
+[ Upstream commit 4da2b1eb230ba4ad19b58984dc52e05b1073df5f ]
+
+Commit da244654c66e ("[SCSI] mac_esp: fix for quadras with two esp
+chips") added mac_scsi_esp_intr() to handle the IRQ lines from a pair of
+on-board ESP chips (a normal shared IRQ did not work).
+
+Proper mutual exclusion was missing from that patch. This patch fixes
+race conditions between comparison and assignment of esp_chips[]
+pointers.
+
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Reviewed-by: Michael Schmitz <schmitzmic@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mac_esp.c | 33 +++++++++++++++++++++++----------
+ 1 file changed, 23 insertions(+), 10 deletions(-)
+
+--- a/drivers/scsi/mac_esp.c
++++ b/drivers/scsi/mac_esp.c
+@@ -55,6 +55,7 @@ struct mac_esp_priv {
+ int error;
+ };
+ static struct esp *esp_chips[2];
++static DEFINE_SPINLOCK(esp_chips_lock);
+
+ #define MAC_ESP_GET_PRIV(esp) ((struct mac_esp_priv *) \
+ platform_get_drvdata((struct platform_device *) \
+@@ -562,15 +563,18 @@ static int esp_mac_probe(struct platform
+ }
+
+ host->irq = IRQ_MAC_SCSI;
+- esp_chips[dev->id] = esp;
+- mb();
+- if (esp_chips[!dev->id] == NULL) {
+- err = request_irq(host->irq, mac_scsi_esp_intr, 0, "ESP", NULL);
+- if (err < 0) {
+- esp_chips[dev->id] = NULL;
+- goto fail_free_priv;
+- }
++
++ /* The request_irq() call is intended to succeed for the first device
++ * and fail for the second device.
++ */
++ err = request_irq(host->irq, mac_scsi_esp_intr, 0, "ESP", NULL);
++ spin_lock(&esp_chips_lock);
++ if (err < 0 && esp_chips[!dev->id] == NULL) {
++ spin_unlock(&esp_chips_lock);
++ goto fail_free_priv;
+ }
++ esp_chips[dev->id] = esp;
++ spin_unlock(&esp_chips_lock);
+
+ err = scsi_esp_register(esp, &dev->dev);
+ if (err)
+@@ -579,8 +583,13 @@ static int esp_mac_probe(struct platform
+ return 0;
+
+ fail_free_irq:
+- if (esp_chips[!dev->id] == NULL)
++ spin_lock(&esp_chips_lock);
++ esp_chips[dev->id] = NULL;
++ if (esp_chips[!dev->id] == NULL) {
++ spin_unlock(&esp_chips_lock);
+ free_irq(host->irq, esp);
++ } else
++ spin_unlock(&esp_chips_lock);
+ fail_free_priv:
+ kfree(mep);
+ fail_free_command_block:
+@@ -599,9 +608,13 @@ static int esp_mac_remove(struct platfor
+
+ scsi_esp_unregister(esp);
+
++ spin_lock(&esp_chips_lock);
+ esp_chips[dev->id] = NULL;
+- if (!(esp_chips[0] || esp_chips[1]))
++ if (esp_chips[!dev->id] == NULL) {
++ spin_unlock(&esp_chips_lock);
+ free_irq(irq, NULL);
++ } else
++ spin_unlock(&esp_chips_lock);
+
+ kfree(mep);
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: David Gibson <david@gibson.dropbear.id.au>
+Date: Thu, 13 Apr 2017 12:13:00 +1000
+Subject: scsi: virtio_scsi: Always try to read VPD pages
+
+From: David Gibson <david@gibson.dropbear.id.au>
+
+
+[ Upstream commit 25d1d50e23275e141e3a3fe06c25a99f4c4bf4e0 ]
+
+Passed through SCSI targets may have transfer limits which come from the
+host SCSI controller or something on the host side other than the target
+itself.
+
+To make this work properly, the hypervisor can adjust the target's VPD
+information to advertise these limits. But for that to work, the guest
+has to look at the VPD pages, which we won't do by default if it is an
+SPC-2 device, even if it does actually support it.
+
+This adds a workaround to address this, forcing devices attached to a
+virtio-scsi controller to always check the VPD pages. This is modelled
+on a similar workaround for the storvsc (Hyper-V) SCSI controller,
+although that exists for slightly different reasons.
+
+A specific case which causes this is a volume from IBM's IPR RAID
+controller (which presents as an SPC-2 device, although it does support
+VPD) passed through with qemu's 'scsi-block' device.
+
+[mkp: fixed typo]
+
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/virtio_scsi.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/drivers/scsi/virtio_scsi.c
++++ b/drivers/scsi/virtio_scsi.c
+@@ -28,6 +28,7 @@
+ #include <scsi/scsi_device.h>
+ #include <scsi/scsi_cmnd.h>
+ #include <scsi/scsi_tcq.h>
++#include <scsi/scsi_devinfo.h>
+ #include <linux/seqlock.h>
+
+ #define VIRTIO_SCSI_MEMPOOL_SZ 64
+@@ -705,6 +706,28 @@ static int virtscsi_device_reset(struct
+ return virtscsi_tmf(vscsi, cmd);
+ }
+
++static int virtscsi_device_alloc(struct scsi_device *sdevice)
++{
++ /*
++ * Passed through SCSI targets (e.g. with qemu's 'scsi-block')
++ * may have transfer limits which come from the host SCSI
++ * controller or something on the host side other than the
++ * target itself.
++ *
++ * To make this work properly, the hypervisor can adjust the
++ * target's VPD information to advertise these limits. But
++ * for that to work, the guest has to look at the VPD pages,
++ * which we won't do by default if it is an SPC-2 device, even
++ * if it does actually support it.
++ *
++ * So, set the blist to always try to read the VPD pages.
++ */
++ sdevice->sdev_bflags = BLIST_TRY_VPD_PAGES;
++
++ return 0;
++}
++
++
+ /**
+ * virtscsi_change_queue_depth() - Change a virtscsi target's queue depth
+ * @sdev: Virtscsi target whose queue depth to change
+@@ -776,6 +799,7 @@ static struct scsi_host_template virtscs
+ .change_queue_depth = virtscsi_change_queue_depth,
+ .eh_abort_handler = virtscsi_abort,
+ .eh_device_reset_handler = virtscsi_device_reset,
++ .slave_alloc = virtscsi_device_alloc,
+
+ .can_queue = 1024,
+ .dma_boundary = UINT_MAX,
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Stefan Potyra <Stefan.Potyra@elektrobit.com>
+Date: Wed, 6 Dec 2017 16:46:12 +0100
+Subject: serial: 8250_dw: Disable clock on error
+
+From: Stefan Potyra <Stefan.Potyra@elektrobit.com>
+
+
+[ Upstream commit 8af016aa5a27c6a2505460eb4d83f1e70c38dc43 ]
+
+If there is no clock rate for uartclk defined, disable the previously
+enabled clock again.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Fixes: 23f5b3fdd04e serial: 8250_dw: only get the clock rate in one place
+Signed-off-by: Stefan Potyra <Stefan.Potyra@elektrobit.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_dw.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/8250/8250_dw.c
++++ b/drivers/tty/serial/8250/8250_dw.c
+@@ -464,7 +464,8 @@ static int dw8250_probe(struct platform_
+ /* If no clock rate is defined, fail. */
+ if (!p->uartclk) {
+ dev_err(dev, "clock rate not defined\n");
+- return -EINVAL;
++ err = -EINVAL;
++ goto err_clk;
+ }
+
+ data->pclk = devm_clk_get(dev, "apb_pclk");
staging-android-ashmem-fix-possible-deadlock-in-ashmem_ioctl.patch
revert-led-core-fix-brightness-setting-when-setting-delay_off-0.patch
led-core-clear-led_blink_sw-flag-in-led_blink_set.patch
+platform-x86-asus-nb-wmi-add-wapf4-quirk-for-the-x302ua.patch
+bonding-handle-link-transition-from-fail-to-up-correctly.patch
+regulator-anatop-set-default-voltage-selector-for-pcie.patch
+power-supply-bq24190_charger-limit-over-under-voltage-fault-logging.patch
+x86-i8259-export-legacy_pic-symbol.patch
+rtc-cmos-do-not-assume-irq-8-for-rtc-when-there-are-no-legacy-irqs.patch
+input-ar1021_i2c-fix-too-long-name-in-driver-s-device-table.patch
+time-change-posix-clocks-ops-interfaces-to-use-timespec64.patch
+acpi-processor-fix-error-handling-in-__acpi_processor_start.patch
+acpi-processor-replace-racy-task-affinity-logic.patch
+cpufreq-sh-replace-racy-task-affinity-logic.patch
+genirq-use-irqd_get_trigger_type-to-compare-the-trigger-type-for-shared-irqs.patch
+i2c-i2c-scmi-add-a-ms-hid.patch
+net-ipv6-send-unsolicited-na-on-admin-up.patch
+media-dvb-core-race-condition-when-writing-to-cam.patch
+btrfs-fix-a-bogus-warning-when-converting-only-data-or-metadata.patch
+asoc-intel-atom-update-thinkpad-10-quirk.patch
+tools-testing-nvdimm-fix-nfit_test-shutdown-crash.patch
+spi-dw-disable-clock-after-unregistering-the-host.patch
+powerpc-64s-remove-sao-feature-from-power9-dd1.patch
+ath-fix-updating-radar-flags-for-coutry-code-india.patch
+clk-ns2-correct-sdio-bits.patch
+iwlwifi-split-the-handler-and-the-wake-parts-of-the-notification-infra.patch
+iwlwifi-a000-fix-memory-offsets-and-lengths.patch
+scsi-virtio_scsi-always-try-to-read-vpd-pages.patch
+kvm-ppc-book3s-pr-exit-kvm-on-failed-mapping.patch
+mwifiex-don-t-leak-chan_stats-on-reset.patch
+x86-reboot-turn-off-kvm-when-halting-a-cpu.patch
+arm-8668-1-ftrace-fix-dynamic-ftrace-with-debug_rodata-and-frame_pointer.patch
+irqchip-mips-gic-separate-ipi-reservation-usage-tracking.patch
+iommu-omap-register-driver-before-setting-iommu-ops.patch
+md-raid10-wait-up-frozen-array-in-handle_write_completed.patch
+nfs-fix-missing-pg_cleanup-after-nfs_pageio_cond_complete.patch
+tcp-remove-poll-flakes-with-fastopen.patch
+e1000e-fix-timing-for-82579-gigabit-ethernet-controller.patch
+alsa-hda-fix-headset-microphone-detection-for-asus-n551-and-n751.patch
+ib-ipoib-fix-deadlock-between-ipoib_stop-and-mcast-join-flow.patch
+ib-ipoib-update-broadcast-object-if-pkey-value-was-changed-in-index-0.patch
+hsi-ssi_protocol-double-free-in-ssip_pn_xmit.patch
+ib-mlx4-take-write-semaphore-when-changing-the-vma-struct.patch
+ib-mlx4-change-vma-from-shared-to-private.patch
+ib-mlx5-take-write-semaphore-when-changing-the-vma-struct.patch
+ib-mlx5-change-vma-from-shared-to-private.patch
+ib-mlx5-set-correct-sl-in-completion-for-roce.patch
+asoc-intel-skylake-uninitialized-variable-in-probe_codec.patch
+ibmvnic-disable-irq-prior-to-close.patch
+netvsc-deal-with-rescinded-channels-correctly.patch
+fix-driver-usage-of-128b-wqes-when-wq_create-is-v1.patch
+fix-express-lane-queue-creation.patch
+gpio-gpio-wcove-fix-irq-pending-status-bit-width.patch
+netfilter-xt_ct-fix-refcnt-leak-on-error-path.patch
+openvswitch-delete-conntrack-entry-clashing-with-an-expectation.patch
+netfilter-nf_ct_helper-permit-cthelpers-with-different-names-via-nfnetlink.patch
+mmc-host-omap_hsmmc-checking-for-null-instead-of-is_err.patch
+tipc-check-return-value-of-nlmsg_new.patch
+wan-pc300too-abort-path-on-failure.patch
+qlcnic-fix-unchecked-return-value.patch
+netfilter-nft_dynset-continue-to-next-expr-if-_op_add-succeeded.patch
+platform-x86-intel-vbtn-add-volume-up-and-down.patch
+scsi-mac_esp-replace-bogus-memory-barrier-with-spinlock.patch
+infiniband-uverbs-fix-integer-overflows.patch
+pnfs-fix-use-after-free-issues-in-pnfs_do_read.patch
+xprtrdma-cancel-refresh-worker-during-buffer-shutdown.patch
+nfs-don-t-try-to-cross-a-mountpount-when-there-isn-t-one-there.patch
+iio-st_pressure-st_accel-initialise-sensor-platform-data-properly.patch
+mt7601u-check-return-value-of-alloc_skb.patch
+libertas-check-return-value-of-alloc_workqueue.patch
+rndis_wlan-add-return-value-validation.patch
+btrfs-fix-incorrect-space-accounting-after-failure-to-insert-inline-extent.patch
+btrfs-send-fix-file-hole-not-being-preserved-due-to-inline-extent.patch
+btrfs-fix-extent-map-leak-during-fallocate-error-path.patch
+orangefs-do-not-wait-for-timeout-if-umounting.patch
+mac80211-don-t-parse-encrypted-management-frames-in-ieee80211_frame_acked.patch
+acpica-iasl-fix-iort-smmu-gsi-disassembling.patch
+iio-hid-sensor-fix-return-of-einval-on-invalid-values-in-ret-or-value.patch
+dt-bindings-mfd-axp20x-add-xpowers-master-mode-property-for-axp806-pmics.patch
+mfd-palmas-reset-the-powerhold-mux-during-power-off.patch
+mtip32xx-use-runtime-tag-to-initialize-command-header.patch
+x86-kaslr-fix-kexec-kernel-boot-crash-when-kaslr-randomization-fails.patch
+gpio-gpio-wcove-fix-gpio-irq-status-mask.patch
+staging-unisys-visorhba-fix-s-par-to-boot-with-option-config_vmap_stack-set-to-y.patch
+staging-wilc1000-fix-unchecked-return-value.patch
+ipvs-explicitly-forbid-ipv6-service-dest-creation-if-ipv6-mod-is-disabled.patch
+mac80211-fix-possible-sband-related-null-pointer-de-reference.patch
+mmc-sdhci-of-esdhc-limit-sd-clock-for-ls1012a-ls1046a.patch
+netfilter-x_tables-unlock-on-error-in-xt_find_table_lock.patch
+arm-dra7-clockdomain-change-the-clktrctrl-of-cm_pcie_clkstctrl-to-sw_wkup.patch
+ib-rdmavt-restore-irqs-on-error-path-in-rvt_create_ah.patch
+ib-hfi1-fix-softlockup-issue.patch
+platform-x86-asus-wmi-try-to-set-als-by-default.patch
+ipmi-watchdog-fix-wdog-hang-on-panic-waiting-for-ipmi-response.patch
+acpi-pmic-xpower-fix-power_table-addresses.patch
+drm-amdgpu-fix-gpu-reset-crash.patch
+drm-nouveau-kms-increase-max-retries-in-scanout-position-queries.patch
+jbd2-fix-lockdep-splat-with-generic-270-test.patch
+ixgbevf-fix-size-of-queue-stats-length.patch
+net-ethernet-ucc_geth-fix-mem_part_muram-mode.patch
+soc-fsl-qe-round-brg_freq-to-1khz-granularity.patch
+bluetooth-hci_ldisc-add-protocol-check-to-hci_uart_dequeue.patch
+bluetooth-hci_ldisc-add-protocol-check-to-hci_uart_tx_wakeup.patch
+vxlan-correctly-handle-ipv6.disable-module-parameter.patch
+qed-unlock-on-error-in-qed_vf_pf_acquire.patch
+bnx2x-align-rx-buffers.patch
+power-supply-bq24190_charger-add-disable-reset-device-property.patch
+power-supply-isp1704-fix-unchecked-return-value-of-devm_kzalloc.patch
+power-supply-pda_power-move-from-timer-to-delayed_work.patch
+input-twl4030-pwrbutton-use-correct-device-for-irq-request.patch
+ib-rxe-don-t-clamp-residual-length-to-mtu.patch
+md-raid10-skip-spare-disk-as-first-disk.patch
+acpi-power-delay-turning-off-unused-power-resources-after-suspend.patch
+ia64-fix-module-loading-for-gcc-5.4.patch
+tcm_fileio-prevent-information-leak-for-short-reads.patch
+x86-xen-split-xen_smp_prepare_boot_cpu.patch
+video-fbdev-udlfb-fix-buffer-on-stack.patch
+sm501fb-don-t-return-zero-on-failure-path-in-sm501fb_start.patch
+pnfs-fix-a-deadlock-when-coalescing-writes-and-returning-the-layout.patch
+net-hns-fix-ethtool_get_strings-overflow-in-hns-driver.patch
+cifs-small-underflow-in-cnvrtdosunixtm.patch
+mm-fix-check-for-reclaimable-pages-in-pf_memalloc-reclaim-throttling.patch
+mm-vmstat-suppress-pcp-stats-for-unpopulated-zones-in-zoneinfo.patch
+oom-improve-oom-disable-handling.patch
+mm-hwpoison-call-shake_page-after-try_to_unmap-for-mlocked-page.patch
+rtc-ds1374-wdt-fix-issue-with-timeout-scaling-from-secs-to-wdt-ticks.patch
+rtc-ds1374-wdt-fix-stop-start-ioctl-always-returning-einval.patch
+ath10k-fix-out-of-bounds-access-to-local-buffer.patch
+perf-tests-kmod-path-don-t-fail-if-compressed-modules-aren-t-supported.patch
+block-mq-cure-cpu-hotplug-lock-inversion.patch
+bluetooth-hci_qca-avoid-setup-failure-on-missing-rampatch.patch
+bluetooth-btqcomsmd-fix-skb-double-free-corruption.patch
+media-c8sectpfe-fix-potential-null-pointer-dereference-in-c8sectpfe_timer_interrupt.patch
+drm-msm-fix-leak-in-failed-get_pages.patch
+dm-ensure-bio-submission-follows-a-depth-first-tree-walk.patch
+rdma-iwpm-fix-uninitialized-error-code-in-iwpm_send_mapinfo.patch
+rtlwifi-rtl_pci-fix-the-bug-when-inactiveps-is-enabled.patch
+media-bt8xx-fix-err-bt878_probe.patch
+ath10k-handling-qos-at-sta-side-based-on-ap-wmm-enable-disable.patch
+media-media-dvb-frontends-add-delay-to-si2168-restart.patch
+qmi_wwan-set-flag_send_zlp-to-avoid-network-initiated-disconnect.patch
+serial-8250_dw-disable-clock-on-error.patch
+cros_ec-fix-nul-termination-for-firmware-build-info.patch
+watchdog-fix-potential-kref-imbalance-when-opening-watchdog.patch
+platform-chrome-use-proper-protocol-transfer-function.patch
+dmaengine-zynqmp_dma-fix-race-condition-in-the-probe.patch
+drm-tilcdc-ensure-nonatomic-iowrite64-is-not-used.patch
+mmc-avoid-removing-non-removable-hosts-during-suspend.patch
+rtc-ac100-fix-multiple-race-conditions.patch
+ib-ipoib-avoid-memory-leak-if-the-sa-returns-a-different-dgid.patch
+rdma-cma-use-correct-size-when-writing-netlink-stats.patch
+ib-umem-fix-use-of-npages-nmap-fields.patch
+iser-target-avoid-reinitializing-rdma-contexts-for-isert-commands.patch
+vgacon-set-vga-struct-resource-types.patch
+omapdrm-panel-fix-compatible-vendor-string-for-td028ttec1.patch
+drm-omap-dmm-check-for-dmm-readiness-after-successful-transaction-commit.patch
+pty-cancel-pty-slave-port-buf-s-work-in-tty_release.patch
+coresight-fix-disabling-of-coresight-tpiu.patch
+pinctrl-really-force-states-during-suspend-resume.patch
+pinctrl-rockchip-enable-clock-when-reading-pin-direction-register.patch
+iommu-vt-d-clean-up-pr_irq-if-request_threaded_irq-fails.patch
+ip6_vti-adjust-vti-mtu-according-to-mtu-of-lower-device.patch
+rdma-ocrdma-fix-permissions-for-ocrdma_reset_stats.patch
+arm-dts-aspeed-evb-add-unit-name-to-memory-node.patch
+nfsd4-permit-layoutget-of-executable-only-files.patch
+clk-don-t-touch-hardware-when-reparenting-during-registration.patch
+clk-axi-clkgen-correctly-handle-nocount-bit-in-recalc_rate.patch
+clk-si5351-rename-internal-plls-to-avoid-name-collisions.patch
+dmaengine-ti-dma-crossbar-fix-event-mapping-for-tpcc_evt_mux_60_63.patch
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Tue, 2 May 2017 13:47:53 +0200
+Subject: sm501fb: don't return zero on failure path in sm501fb_start()
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+
+[ Upstream commit dc85e9a87420613b3129d5cc5ecd79c58351c546 ]
+
+If fbmem iomemory mapping failed, sm501fb_start() breaks off
+initialization, deallocates resources, but returns zero.
+As a result, double deallocation can happen in sm501fb_stop().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/sm501fb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/video/fbdev/sm501fb.c
++++ b/drivers/video/fbdev/sm501fb.c
+@@ -1600,6 +1600,7 @@ static int sm501fb_start(struct sm501fb_
+ info->fbmem = ioremap(res->start, resource_size(res));
+ if (info->fbmem == NULL) {
+ dev_err(dev, "cannot remap framebuffer\n");
++ ret = -ENXIO;
+ goto err_mem_res;
+ }
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Valentin Longchamp <valentin.longchamp@keymile.com>
+Date: Fri, 17 Feb 2017 11:29:45 +0100
+Subject: soc/fsl/qe: round brg_freq to 1kHz granularity
+
+From: Valentin Longchamp <valentin.longchamp@keymile.com>
+
+
+[ Upstream commit 2ccf80b7566cc035d903dd0ac5d7ebd25c2c1060 ]
+
+Because of integer computation rounding in u-boot (that sets the QE
+brg-frequency DTS prop), the clk value is 99999999 Hz even though it is
+100 MHz.
+
+When setting brg clks that are exact divisors of 100 MHz, this small
+differnce plays a role and can result in lower clks to be output (for
+instance 20 MHz - divide by 5 - results in 16.666 MHz - divide by 6).
+
+This patch fixes that by "forcing" the brg_clk to the nearest kHz when
+the difference is below 2 integer rounding errors (i.e. 4).
+
+Signed-off-by: Valentin Longchamp <valentin.longchamp@keymile.com>
+Signed-off-by: Scott Wood <oss@buserror.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/fsl/qe/qe.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/soc/fsl/qe/qe.c
++++ b/drivers/soc/fsl/qe/qe.c
+@@ -163,11 +163,15 @@ EXPORT_SYMBOL(qe_issue_cmd);
+ */
+ static unsigned int brg_clk = 0;
+
++#define CLK_GRAN (1000)
++#define CLK_GRAN_LIMIT (5)
++
+ unsigned int qe_get_brg_clk(void)
+ {
+ struct device_node *qe;
+ int size;
+ const u32 *prop;
++ unsigned int mod;
+
+ if (brg_clk)
+ return brg_clk;
+@@ -185,6 +189,15 @@ unsigned int qe_get_brg_clk(void)
+
+ of_node_put(qe);
+
++ /* round this if near to a multiple of CLK_GRAN */
++ mod = brg_clk % CLK_GRAN;
++ if (mod) {
++ if (mod < CLK_GRAN_LIMIT)
++ brg_clk -= mod;
++ else if (mod > (CLK_GRAN - CLK_GRAN_LIMIT))
++ brg_clk += CLK_GRAN - mod;
++ }
++
+ return brg_clk;
+ }
+ EXPORT_SYMBOL(qe_get_brg_clk);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Marek Vasut <marex@denx.de>
+Date: Tue, 18 Apr 2017 20:09:06 +0200
+Subject: spi: dw: Disable clock after unregistering the host
+
+From: Marek Vasut <marex@denx.de>
+
+
+[ Upstream commit 400c18e3dc86e04ef5afec9b86a8586ca629b9e9 ]
+
+The dw_mmio driver disables the block clock before unregistering
+the host. The code unregistering the host may access the SPI block
+registers. If register access happens with block clock disabled,
+this may lead to a bus hang. Disable the clock after unregistering
+the host to prevent such situation.
+
+This bug was observed on Altera Cyclone V SoC.
+
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Mark Brown <broonie@kernel.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-dw-mmio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-dw-mmio.c
++++ b/drivers/spi/spi-dw-mmio.c
+@@ -115,8 +115,8 @@ static int dw_spi_mmio_remove(struct pla
+ {
+ struct dw_spi_mmio *dwsmmio = platform_get_drvdata(pdev);
+
+- clk_disable_unprepare(dwsmmio->clk);
+ dw_spi_remove_host(&dwsmmio->dws);
++ clk_disable_unprepare(dwsmmio->clk);
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Sameer Wadgaonkar <sameer.wadgaonkar@unisys.com>
+Date: Tue, 18 Apr 2017 16:55:25 -0400
+Subject: staging: unisys: visorhba: fix s-Par to boot with option CONFIG_VMAP_STACK set to y
+
+From: Sameer Wadgaonkar <sameer.wadgaonkar@unisys.com>
+
+
+[ Upstream commit 3c2bf0bd08123f3497bd3e84bd9088c937b0cb40 ]
+
+The root issue is that we are not allowed to have items on the
+stack being passed to "DMA" like operations. In this case we have
+a vmcall and an inline completion of scsi command.
+
+This patch fixes the issue by moving the variables on stack in
+do_scsi_nolinuxstat() to heap memory.
+
+Signed-off-by: Sameer Wadgaonkar <sameer.wadgaonkar@unisys.com>
+Signed-off-by: David Kershner <david.kershner@unisys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/unisys/visorhba/visorhba_main.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/unisys/visorhba/visorhba_main.c
++++ b/drivers/staging/unisys/visorhba/visorhba_main.c
+@@ -842,7 +842,7 @@ static void
+ do_scsi_nolinuxstat(struct uiscmdrsp *cmdrsp, struct scsi_cmnd *scsicmd)
+ {
+ struct scsi_device *scsidev;
+- unsigned char buf[36];
++ unsigned char *buf;
+ struct scatterlist *sg;
+ unsigned int i;
+ char *this_page;
+@@ -857,6 +857,10 @@ do_scsi_nolinuxstat(struct uiscmdrsp *cm
+ if (cmdrsp->scsi.no_disk_result == 0)
+ return;
+
++ buf = kzalloc(sizeof(char) * 36, GFP_KERNEL);
++ if (!buf)
++ return;
++
+ /* Linux scsi code wants a device at Lun 0
+ * to issue report luns, but we don't want
+ * a disk there so we'll present a processor
+@@ -868,6 +872,7 @@ do_scsi_nolinuxstat(struct uiscmdrsp *cm
+ if (scsi_sg_count(scsicmd) == 0) {
+ memcpy(scsi_sglist(scsicmd), buf,
+ cmdrsp->scsi.bufflen);
++ kfree(buf);
+ return;
+ }
+
+@@ -879,6 +884,7 @@ do_scsi_nolinuxstat(struct uiscmdrsp *cm
+ memcpy(this_page, buf + bufind, sg[i].length);
+ kunmap_atomic(this_page_orig);
+ }
++ kfree(buf);
+ } else {
+ devdata = (struct visorhba_devdata *)scsidev->host->hostdata;
+ for_each_vdisk_match(vdisk, devdata, scsidev) {
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Pan Bian <bianpan2016@163.com>
+Date: Sun, 23 Apr 2017 19:53:58 +0800
+Subject: staging: wilc1000: fix unchecked return value
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit 9e96652756ad647b7bcc03cb99ffc9756d7b5f93 ]
+
+Function dev_alloc_skb() will return a NULL pointer if there is no
+enough memory. However, in function WILC_WFI_mon_xmit(), its return
+value is used without validation. This may result in a bad memory access
+bug. This patch fixes the bug.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/wilc1000/linux_mon.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/staging/wilc1000/linux_mon.c
++++ b/drivers/staging/wilc1000/linux_mon.c
+@@ -197,6 +197,8 @@ static netdev_tx_t WILC_WFI_mon_xmit(str
+
+ if (skb->data[0] == 0xc0 && (!(memcmp(broadcast, &skb->data[4], 6)))) {
+ skb2 = dev_alloc_skb(skb->len + sizeof(struct wilc_wfi_radiotap_cb_hdr));
++ if (!skb2)
++ return -ENOMEM;
+
+ memcpy(skb_put(skb2, skb->len), skb->data, skb->len);
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Dmitry Monakhov <dmonakhov@openvz.org>
+Date: Fri, 31 Mar 2017 19:53:35 +0400
+Subject: tcm_fileio: Prevent information leak for short reads
+
+From: Dmitry Monakhov <dmonakhov@openvz.org>
+
+
+[ Upstream commit f11b55d13563e9428c88c873f4f03a6bef11ec0a ]
+
+If we failed to read data from backing file (probably because some one
+truncate file under us), we must zerofill cmd's data, otherwise it will
+be returned as is. Most likely cmd's data are unitialized pages from
+page cache. This result in information leak.
+
+(Change BUG_ON into -EINVAL se_cmd failure - nab)
+
+testcase: https://github.com/dmonakhov/xfstests/commit/e11a1b7b907ca67b1be51a1594025600767366d5
+Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_file.c | 23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+--- a/drivers/target/target_core_file.c
++++ b/drivers/target/target_core_file.c
+@@ -276,12 +276,11 @@ static int fd_do_rw(struct se_cmd *cmd,
+ else
+ ret = vfs_iter_read(fd, &iter, &pos);
+
+- kfree(bvec);
+-
+ if (is_write) {
+ if (ret < 0 || ret != data_length) {
+ pr_err("%s() write returned %d\n", __func__, ret);
+- return (ret < 0 ? ret : -EINVAL);
++ if (ret >= 0)
++ ret = -EINVAL;
+ }
+ } else {
+ /*
+@@ -294,17 +293,29 @@ static int fd_do_rw(struct se_cmd *cmd,
+ pr_err("%s() returned %d, expecting %u for "
+ "S_ISBLK\n", __func__, ret,
+ data_length);
+- return (ret < 0 ? ret : -EINVAL);
++ if (ret >= 0)
++ ret = -EINVAL;
+ }
+ } else {
+ if (ret < 0) {
+ pr_err("%s() returned %d for non S_ISBLK\n",
+ __func__, ret);
+- return ret;
++ } else if (ret != data_length) {
++ /*
++ * Short read case:
++ * Probably some one truncate file under us.
++ * We must explicitly zero sg-pages to prevent
++ * expose uninizialized pages to userspace.
++ */
++ if (ret < data_length)
++ ret += iov_iter_zero(data_length - ret, &iter);
++ else
++ ret = -EINVAL;
+ }
+ }
+ }
+- return 1;
++ kfree(bvec);
++ return ret;
+ }
+
+ static sense_reason_t
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 18 Apr 2017 09:45:52 -0700
+Subject: tcp: remove poll() flakes with FastOpen
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 0f9fa831aecfc297b7b45d4f046759bcefcf87f0 ]
+
+When using TCP FastOpen for an active session, we send one wakeup event
+from tcp_finish_connect(), right before the data eventually contained in
+the received SYNACK is queued to sk->sk_receive_queue.
+
+This means that depending on machine load or luck, poll() users
+might receive POLLOUT events instead of POLLIN|POLLOUT
+
+To fix this, we need to move the call to sk->sk_state_change()
+after the (optional) call to tcp_rcv_fastopen_synack()
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5606,10 +5606,6 @@ void tcp_finish_connect(struct sock *sk,
+ else
+ tp->pred_flags = 0;
+
+- if (!sock_flag(sk, SOCK_DEAD)) {
+- sk->sk_state_change(sk);
+- sk_wake_async(sk, SOCK_WAKE_IO, POLL_OUT);
+- }
+ }
+
+ static bool tcp_rcv_fastopen_synack(struct sock *sk, struct sk_buff *synack,
+@@ -5678,6 +5674,7 @@ static int tcp_rcv_synsent_state_process
+ struct tcp_sock *tp = tcp_sk(sk);
+ struct tcp_fastopen_cookie foc = { .len = -1 };
+ int saved_clamp = tp->rx_opt.mss_clamp;
++ bool fastopen_fail;
+
+ tcp_parse_options(skb, &tp->rx_opt, 0, &foc);
+ if (tp->rx_opt.saw_tstamp && tp->rx_opt.rcv_tsecr)
+@@ -5781,10 +5778,15 @@ static int tcp_rcv_synsent_state_process
+
+ tcp_finish_connect(sk, skb);
+
+- if ((tp->syn_fastopen || tp->syn_data) &&
+- tcp_rcv_fastopen_synack(sk, skb, &foc))
+- return -1;
++ fastopen_fail = (tp->syn_fastopen || tp->syn_data) &&
++ tcp_rcv_fastopen_synack(sk, skb, &foc);
+
++ if (!sock_flag(sk, SOCK_DEAD)) {
++ sk->sk_state_change(sk);
++ sk_wake_async(sk, SOCK_WAKE_IO, POLL_OUT);
++ }
++ if (fastopen_fail)
++ return -1;
+ if (sk->sk_write_pending ||
+ icsk->icsk_accept_queue.rskq_defer_accept ||
+ icsk->icsk_ack.pingpong) {
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Deepa Dinamani <deepa.kernel@gmail.com>
+Date: Sun, 26 Mar 2017 12:04:13 -0700
+Subject: time: Change posix clocks ops interfaces to use timespec64
+
+From: Deepa Dinamani <deepa.kernel@gmail.com>
+
+
+[ Upstream commit d340266e19ddb70dbd608f9deedcfb35fdb9d419 ]
+
+struct timespec is not y2038 safe on 32 bit machines.
+
+The posix clocks apis use struct timespec directly and through struct
+itimerspec.
+
+Replace the posix clock interfaces to use struct timespec64 and struct
+itimerspec64 instead. Also fix up their implementations accordingly.
+
+Note that the clock_getres() interface has also been changed to use
+timespec64 even though this particular interface is not affected by the
+y2038 problem. This helps verification for internal kernel code for y2038
+readiness by getting rid of time_t/ timeval/ timespec.
+
+Signed-off-by: Deepa Dinamani <deepa.kernel@gmail.com>
+Cc: arnd@arndb.de
+Cc: y2038@lists.linaro.org
+Cc: netdev@vger.kernel.org
+Cc: Richard Cochran <richardcochran@gmail.com>
+Cc: john.stultz@linaro.org
+Link: http://lkml.kernel.org/r/1490555058-4603-3-git-send-email-deepa.kernel@gmail.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ptp/ptp_clock.c | 18 +++++++-----------
+ include/linux/posix-clock.h | 10 +++++-----
+ kernel/time/posix-clock.c | 34 ++++++++++++++++++++++++----------
+ 3 files changed, 36 insertions(+), 26 deletions(-)
+
+--- a/drivers/ptp/ptp_clock.c
++++ b/drivers/ptp/ptp_clock.c
+@@ -97,30 +97,26 @@ static s32 scaled_ppm_to_ppb(long ppm)
+
+ /* posix clock implementation */
+
+-static int ptp_clock_getres(struct posix_clock *pc, struct timespec *tp)
++static int ptp_clock_getres(struct posix_clock *pc, struct timespec64 *tp)
+ {
+ tp->tv_sec = 0;
+ tp->tv_nsec = 1;
+ return 0;
+ }
+
+-static int ptp_clock_settime(struct posix_clock *pc, const struct timespec *tp)
++static int ptp_clock_settime(struct posix_clock *pc, const struct timespec64 *tp)
+ {
+ struct ptp_clock *ptp = container_of(pc, struct ptp_clock, clock);
+- struct timespec64 ts = timespec_to_timespec64(*tp);
+
+- return ptp->info->settime64(ptp->info, &ts);
++ return ptp->info->settime64(ptp->info, tp);
+ }
+
+-static int ptp_clock_gettime(struct posix_clock *pc, struct timespec *tp)
++static int ptp_clock_gettime(struct posix_clock *pc, struct timespec64 *tp)
+ {
+ struct ptp_clock *ptp = container_of(pc, struct ptp_clock, clock);
+- struct timespec64 ts;
+ int err;
+
+- err = ptp->info->gettime64(ptp->info, &ts);
+- if (!err)
+- *tp = timespec64_to_timespec(ts);
++ err = ptp->info->gettime64(ptp->info, tp);
+ return err;
+ }
+
+@@ -133,7 +129,7 @@ static int ptp_clock_adjtime(struct posi
+ ops = ptp->info;
+
+ if (tx->modes & ADJ_SETOFFSET) {
+- struct timespec ts;
++ struct timespec64 ts;
+ ktime_t kt;
+ s64 delta;
+
+@@ -146,7 +142,7 @@ static int ptp_clock_adjtime(struct posi
+ if ((unsigned long) ts.tv_nsec >= NSEC_PER_SEC)
+ return -EINVAL;
+
+- kt = timespec_to_ktime(ts);
++ kt = timespec64_to_ktime(ts);
+ delta = ktime_to_ns(kt);
+ err = ops->adjtime(ops, delta);
+ } else if (tx->modes & ADJ_FREQUENCY) {
+--- a/include/linux/posix-clock.h
++++ b/include/linux/posix-clock.h
+@@ -59,23 +59,23 @@ struct posix_clock_operations {
+
+ int (*clock_adjtime)(struct posix_clock *pc, struct timex *tx);
+
+- int (*clock_gettime)(struct posix_clock *pc, struct timespec *ts);
++ int (*clock_gettime)(struct posix_clock *pc, struct timespec64 *ts);
+
+- int (*clock_getres) (struct posix_clock *pc, struct timespec *ts);
++ int (*clock_getres) (struct posix_clock *pc, struct timespec64 *ts);
+
+ int (*clock_settime)(struct posix_clock *pc,
+- const struct timespec *ts);
++ const struct timespec64 *ts);
+
+ int (*timer_create) (struct posix_clock *pc, struct k_itimer *kit);
+
+ int (*timer_delete) (struct posix_clock *pc, struct k_itimer *kit);
+
+ void (*timer_gettime)(struct posix_clock *pc,
+- struct k_itimer *kit, struct itimerspec *tsp);
++ struct k_itimer *kit, struct itimerspec64 *tsp);
+
+ int (*timer_settime)(struct posix_clock *pc,
+ struct k_itimer *kit, int flags,
+- struct itimerspec *tsp, struct itimerspec *old);
++ struct itimerspec64 *tsp, struct itimerspec64 *old);
+ /*
+ * Optional character device methods:
+ */
+--- a/kernel/time/posix-clock.c
++++ b/kernel/time/posix-clock.c
+@@ -300,14 +300,17 @@ out:
+ static int pc_clock_gettime(clockid_t id, struct timespec *ts)
+ {
+ struct posix_clock_desc cd;
++ struct timespec64 ts64;
+ int err;
+
+ err = get_clock_desc(id, &cd);
+ if (err)
+ return err;
+
+- if (cd.clk->ops.clock_gettime)
+- err = cd.clk->ops.clock_gettime(cd.clk, ts);
++ if (cd.clk->ops.clock_gettime) {
++ err = cd.clk->ops.clock_gettime(cd.clk, &ts64);
++ *ts = timespec64_to_timespec(ts64);
++ }
+ else
+ err = -EOPNOTSUPP;
+
+@@ -319,14 +322,17 @@ static int pc_clock_gettime(clockid_t id
+ static int pc_clock_getres(clockid_t id, struct timespec *ts)
+ {
+ struct posix_clock_desc cd;
++ struct timespec64 ts64;
+ int err;
+
+ err = get_clock_desc(id, &cd);
+ if (err)
+ return err;
+
+- if (cd.clk->ops.clock_getres)
+- err = cd.clk->ops.clock_getres(cd.clk, ts);
++ if (cd.clk->ops.clock_getres) {
++ err = cd.clk->ops.clock_getres(cd.clk, &ts64);
++ *ts = timespec64_to_timespec(ts64);
++ }
+ else
+ err = -EOPNOTSUPP;
+
+@@ -337,6 +343,7 @@ static int pc_clock_getres(clockid_t id,
+
+ static int pc_clock_settime(clockid_t id, const struct timespec *ts)
+ {
++ struct timespec64 ts64 = timespec_to_timespec64(*ts);
+ struct posix_clock_desc cd;
+ int err;
+
+@@ -350,7 +357,7 @@ static int pc_clock_settime(clockid_t id
+ }
+
+ if (cd.clk->ops.clock_settime)
+- err = cd.clk->ops.clock_settime(cd.clk, ts);
++ err = cd.clk->ops.clock_settime(cd.clk, &ts64);
+ else
+ err = -EOPNOTSUPP;
+ out:
+@@ -403,29 +410,36 @@ static void pc_timer_gettime(struct k_it
+ {
+ clockid_t id = kit->it_clock;
+ struct posix_clock_desc cd;
++ struct itimerspec64 ts64;
+
+ if (get_clock_desc(id, &cd))
+ return;
+
+- if (cd.clk->ops.timer_gettime)
+- cd.clk->ops.timer_gettime(cd.clk, kit, ts);
+-
++ if (cd.clk->ops.timer_gettime) {
++ cd.clk->ops.timer_gettime(cd.clk, kit, &ts64);
++ *ts = itimerspec64_to_itimerspec(&ts64);
++ }
+ put_clock_desc(&cd);
+ }
+
+ static int pc_timer_settime(struct k_itimer *kit, int flags,
+ struct itimerspec *ts, struct itimerspec *old)
+ {
++ struct itimerspec64 ts64 = itimerspec_to_itimerspec64(ts);
+ clockid_t id = kit->it_clock;
+ struct posix_clock_desc cd;
++ struct itimerspec64 old64;
+ int err;
+
+ err = get_clock_desc(id, &cd);
+ if (err)
+ return err;
+
+- if (cd.clk->ops.timer_settime)
+- err = cd.clk->ops.timer_settime(cd.clk, kit, flags, ts, old);
++ if (cd.clk->ops.timer_settime) {
++ err = cd.clk->ops.timer_settime(cd.clk, kit, flags, &ts64, &old64);
++ if (old)
++ *old = itimerspec64_to_itimerspec(&old64);
++ }
+ else
+ err = -EOPNOTSUPP;
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Pan Bian <bianpan2016@163.com>
+Date: Sun, 23 Apr 2017 15:09:19 +0800
+Subject: tipc: check return value of nlmsg_new
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit 78302fd405769c9a9379e9adda119d533dce2eed ]
+
+Function nlmsg_new() will return a NULL pointer if there is no enough
+memory, and its return value should be checked before it is used.
+However, in function tipc_nl_node_get_monitor(), the validation of the
+return value of function nlmsg_new() is missed. This patch fixes the
+bug.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/node.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/tipc/node.c
++++ b/net/tipc/node.c
+@@ -2094,6 +2094,8 @@ int tipc_nl_node_get_monitor(struct sk_b
+ int err;
+
+ msg.skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
++ if (!msg.skb)
++ return -ENOMEM;
+ msg.portid = info->snd_portid;
+ msg.seq = info->snd_seq;
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Thu, 13 Apr 2017 23:14:34 -0700
+Subject: tools/testing/nvdimm: fix nfit_test shutdown crash
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+
+[ Upstream commit 8b06b884cd98f7ec8b5028680b99fabfb7b3e192 ]
+
+Keep the nfit_test instances alive until after nfit_test_teardown(), as
+we may be doing resource lookups until the final un-registrations have
+completed. This fixes crashes of the form.
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
+ IP: __release_resource+0x12/0x90
+ Call Trace:
+ remove_resource+0x23/0x40
+ __wrap_remove_resource+0x29/0x30 [nfit_test_iomap]
+ acpi_nfit_remove_resource+0xe/0x10 [nfit]
+ devm_action_release+0xf/0x20
+ release_nodes+0x16d/0x2b0
+ devres_release_all+0x3c/0x60
+ device_release+0x21/0x90
+ kobject_release+0x6a/0x170
+ kobject_put+0x2f/0x60
+ put_device+0x17/0x20
+ platform_device_unregister+0x20/0x30
+ nfit_test_exit+0x36/0x960 [nfit_test]
+
+Reported-by: Linda Knippers <linda.knippers@hpe.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/nvdimm/test/nfit.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/tools/testing/nvdimm/test/nfit.c
++++ b/tools/testing/nvdimm/test/nfit.c
+@@ -1908,6 +1908,7 @@ static __init int nfit_test_init(void)
+ put_device(&pdev->dev);
+ goto err_register;
+ }
++ get_device(&pdev->dev);
+
+ rc = dma_coerce_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(64));
+ if (rc)
+@@ -1926,6 +1927,10 @@ static __init int nfit_test_init(void)
+ if (instances[i])
+ platform_device_unregister(&instances[i]->pdev);
+ nfit_test_teardown();
++ for (i = 0; i < NUM_NFITS; i++)
++ if (instances[i])
++ put_device(&instances[i]->pdev.dev);
++
+ return rc;
+ }
+
+@@ -1933,10 +1938,13 @@ static __exit void nfit_test_exit(void)
+ {
+ int i;
+
+- platform_driver_unregister(&nfit_test_driver);
+ for (i = 0; i < NUM_NFITS; i++)
+ platform_device_unregister(&instances[i]->pdev);
++ platform_driver_unregister(&nfit_test_driver);
+ nfit_test_teardown();
++
++ for (i = 0; i < NUM_NFITS; i++)
++ put_device(&instances[i]->pdev.dev);
+ class_destroy(nfit_test_dimm);
+ }
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Bjorn Helgaas <bhelgaas@google.com>
+Date: Fri, 1 Dec 2017 11:06:39 -0600
+Subject: vgacon: Set VGA struct resource types
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+
+[ Upstream commit c82084117f79bcae085e40da526253736a247120 ]
+
+Set the resource type when we reserve VGA-related I/O port resources.
+
+The resource code doesn't actually look at the type, so it inserts
+resources without a type in the tree correctly even without this change.
+But if we ever print a resource without a type, it looks like this:
+
+ vga+ [??? 0x000003c0-0x000003df flags 0x0]
+
+Setting the type means it will be printed correctly as:
+
+ vga+ [io 0x000003c0-0x000003df]
+
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/alpha/kernel/console.c | 1 +
+ drivers/video/console/vgacon.c | 34 ++++++++++++++++++++++++++--------
+ 2 files changed, 27 insertions(+), 8 deletions(-)
+
+--- a/arch/alpha/kernel/console.c
++++ b/arch/alpha/kernel/console.c
+@@ -20,6 +20,7 @@
+ struct pci_controller *pci_vga_hose;
+ static struct resource alpha_vga = {
+ .name = "alpha-vga+",
++ .flags = IORESOURCE_IO,
+ .start = 0x3C0,
+ .end = 0x3DF
+ };
+--- a/drivers/video/console/vgacon.c
++++ b/drivers/video/console/vgacon.c
+@@ -405,7 +405,10 @@ static const char *vgacon_startup(void)
+ vga_video_port_val = VGA_CRT_DM;
+ if ((screen_info.orig_video_ega_bx & 0xff) != 0x10) {
+ static struct resource ega_console_resource =
+- { .name = "ega", .start = 0x3B0, .end = 0x3BF };
++ { .name = "ega",
++ .flags = IORESOURCE_IO,
++ .start = 0x3B0,
++ .end = 0x3BF };
+ vga_video_type = VIDEO_TYPE_EGAM;
+ vga_vram_size = 0x8000;
+ display_desc = "EGA+";
+@@ -413,9 +416,15 @@ static const char *vgacon_startup(void)
+ &ega_console_resource);
+ } else {
+ static struct resource mda1_console_resource =
+- { .name = "mda", .start = 0x3B0, .end = 0x3BB };
++ { .name = "mda",
++ .flags = IORESOURCE_IO,
++ .start = 0x3B0,
++ .end = 0x3BB };
+ static struct resource mda2_console_resource =
+- { .name = "mda", .start = 0x3BF, .end = 0x3BF };
++ { .name = "mda",
++ .flags = IORESOURCE_IO,
++ .start = 0x3BF,
++ .end = 0x3BF };
+ vga_video_type = VIDEO_TYPE_MDA;
+ vga_vram_size = 0x2000;
+ display_desc = "*MDA";
+@@ -437,15 +446,21 @@ static const char *vgacon_startup(void)
+ vga_vram_size = 0x8000;
+
+ if (!screen_info.orig_video_isVGA) {
+- static struct resource ega_console_resource
+- = { .name = "ega", .start = 0x3C0, .end = 0x3DF };
++ static struct resource ega_console_resource =
++ { .name = "ega",
++ .flags = IORESOURCE_IO,
++ .start = 0x3C0,
++ .end = 0x3DF };
+ vga_video_type = VIDEO_TYPE_EGAC;
+ display_desc = "EGA";
+ request_resource(&ioport_resource,
+ &ega_console_resource);
+ } else {
+- static struct resource vga_console_resource
+- = { .name = "vga+", .start = 0x3C0, .end = 0x3DF };
++ static struct resource vga_console_resource =
++ { .name = "vga+",
++ .flags = IORESOURCE_IO,
++ .start = 0x3C0,
++ .end = 0x3DF };
+ vga_video_type = VIDEO_TYPE_VGAC;
+ display_desc = "VGA+";
+ request_resource(&ioport_resource,
+@@ -489,7 +504,10 @@ static const char *vgacon_startup(void)
+ }
+ } else {
+ static struct resource cga_console_resource =
+- { .name = "cga", .start = 0x3D4, .end = 0x3D5 };
++ { .name = "cga",
++ .flags = IORESOURCE_IO,
++ .start = 0x3D4,
++ .end = 0x3D5 };
+ vga_video_type = VIDEO_TYPE_CGA;
+ vga_vram_size = 0x2000;
+ display_desc = "*CGA";
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Maksim Salau <maksim.salau@gmail.com>
+Date: Tue, 2 May 2017 13:47:53 +0200
+Subject: video: fbdev: udlfb: Fix buffer on stack
+
+From: Maksim Salau <maksim.salau@gmail.com>
+
+
+[ Upstream commit 45f580c42e5c125d55dbd8099750a1998de3d917 ]
+
+Allocate buffers on HEAP instead of STACK for local array
+that is to be sent using usb_control_msg().
+
+Signed-off-by: Maksim Salau <maksim.salau@gmail.com>
+Cc: Bernie Thompson <bernie@plugable.com>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/udlfb.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/fbdev/udlfb.c
++++ b/drivers/video/fbdev/udlfb.c
+@@ -1487,15 +1487,25 @@ static struct device_attribute fb_device
+ static int dlfb_select_std_channel(struct dlfb_data *dev)
+ {
+ int ret;
+- u8 set_def_chn[] = { 0x57, 0xCD, 0xDC, 0xA7,
++ void *buf;
++ static const u8 set_def_chn[] = {
++ 0x57, 0xCD, 0xDC, 0xA7,
+ 0x1C, 0x88, 0x5E, 0x15,
+ 0x60, 0xFE, 0xC6, 0x97,
+ 0x16, 0x3D, 0x47, 0xF2 };
+
++ buf = kmemdup(set_def_chn, sizeof(set_def_chn), GFP_KERNEL);
++
++ if (!buf)
++ return -ENOMEM;
++
+ ret = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
+ NR_USB_REQUEST_CHANNEL,
+ (USB_DIR_OUT | USB_TYPE_VENDOR), 0, 0,
+- set_def_chn, sizeof(set_def_chn), USB_CTRL_SET_TIMEOUT);
++ buf, sizeof(set_def_chn), USB_CTRL_SET_TIMEOUT);
++
++ kfree(buf);
++
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Jiri Benc <jbenc@redhat.com>
+Date: Thu, 27 Apr 2017 21:24:35 +0200
+Subject: vxlan: correctly handle ipv6.disable module parameter
+
+From: Jiri Benc <jbenc@redhat.com>
+
+
+[ Upstream commit d074bf9600443403aa24fbc12c1f18eadc90f5aa ]
+
+When IPv6 is compiled but disabled at runtime, __vxlan_sock_add returns
+-EAFNOSUPPORT. For metadata based tunnels, this causes failure of the whole
+operation of bringing up the tunnel.
+
+Ignore failure of IPv6 socket creation for metadata based tunnels caused by
+IPv6 not being available.
+
+Fixes: b1be00a6c39f ("vxlan: support both IPv4 and IPv6 sockets in a single vxlan device")
+Signed-off-by: Jiri Benc <jbenc@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vxlan.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -2816,17 +2816,21 @@ static int __vxlan_sock_add(struct vxlan
+
+ static int vxlan_sock_add(struct vxlan_dev *vxlan)
+ {
+- bool ipv6 = vxlan->flags & VXLAN_F_IPV6;
+ bool metadata = vxlan->flags & VXLAN_F_COLLECT_METADATA;
++ bool ipv6 = vxlan->flags & VXLAN_F_IPV6 || metadata;
++ bool ipv4 = !ipv6 || metadata;
+ int ret = 0;
+
+ RCU_INIT_POINTER(vxlan->vn4_sock, NULL);
+ #if IS_ENABLED(CONFIG_IPV6)
+ RCU_INIT_POINTER(vxlan->vn6_sock, NULL);
+- if (ipv6 || metadata)
++ if (ipv6) {
+ ret = __vxlan_sock_add(vxlan, true);
++ if (ret < 0 && ret != -EAFNOSUPPORT)
++ ipv4 = false;
++ }
+ #endif
+- if (!ret && (!ipv6 || metadata))
++ if (ipv4)
+ ret = __vxlan_sock_add(vxlan, false);
+ if (ret < 0)
+ vxlan_sock_release(vxlan);
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Pan Bian <bianpan2016@163.com>
+Date: Sun, 23 Apr 2017 17:38:35 +0800
+Subject: wan: pc300too: abort path on failure
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit 2a39e7aa8a98f777f0732ca7125b6c9668791760 ]
+
+In function pc300_pci_init_one(), on the ioremap error path, function
+pc300_pci_remove_one() is called to free the allocated memory. However,
+the path is not terminated, and the freed memory will be used later,
+resulting in use-after-free bugs. This path fixes the bug.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wan/pc300too.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wan/pc300too.c
++++ b/drivers/net/wan/pc300too.c
+@@ -347,6 +347,7 @@ static int pc300_pci_init_one(struct pci
+ card->rambase == NULL) {
+ pr_err("ioremap() failed\n");
+ pc300_pci_remove_one(pdev);
++ return -ENOMEM;
+ }
+
+ /* PLX PCI 9050 workaround for local configuration register read bug */
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Mon, 25 Sep 2017 09:17:01 -0700
+Subject: watchdog: Fix potential kref imbalance when opening watchdog
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+
+[ Upstream commit 4bcd615fad6adddc68b058d498b30a9e0e0db77a ]
+
+If a watchdog driver's open function sets WDOG_HW_RUNNING with the
+expectation that the watchdog can not be stopped, but then stops the
+watchdog anyway in its stop function, kref_get() wil not be called in
+watchdog_open(). If the watchdog then stops on close, WDOG_HW_RUNNING
+will be cleared and kref_put() will be called, causing a kref imbalance.
+As result the character device data structure will be released, which in
+turn will cause the system to crash on the next call to watchdog_open().
+
+Fixes: ee142889e32f5 ("watchdog: Introduce WDOG_HW_RUNNING flag")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/watchdog/watchdog_dev.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/watchdog/watchdog_dev.c
++++ b/drivers/watchdog/watchdog_dev.c
+@@ -760,6 +760,7 @@ static int watchdog_open(struct inode *i
+ {
+ struct watchdog_core_data *wd_data;
+ struct watchdog_device *wdd;
++ bool hw_running;
+ int err;
+
+ /* Get the corresponding watchdog device */
+@@ -779,7 +780,8 @@ static int watchdog_open(struct inode *i
+ * If the /dev/watchdog device is open, we don't want the module
+ * to be unloaded.
+ */
+- if (!watchdog_hw_running(wdd) && !try_module_get(wdd->ops->owner)) {
++ hw_running = watchdog_hw_running(wdd);
++ if (!hw_running && !try_module_get(wdd->ops->owner)) {
+ err = -EBUSY;
+ goto out_clear;
+ }
+@@ -790,7 +792,7 @@ static int watchdog_open(struct inode *i
+
+ file->private_data = wd_data;
+
+- if (!watchdog_hw_running(wdd))
++ if (!hw_running)
+ kref_get(&wd_data->kref);
+
+ /* dev/watchdog is a virtual (and thus non-seekable) filesystem */
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 8 Apr 2017 19:54:20 +0200
+Subject: x86: i8259: export legacy_pic symbol
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+
+[ Upstream commit 7ee06cb2f840a96be46233181ed4557901a74385 ]
+
+The classic PC rtc-coms driver has a workaround for broken ACPI device
+nodes for it which lack an irq resource. This workaround used to
+unconditionally hardcode the irq to 8 in these cases.
+
+This was causing irq conflict problems on systems without a legacy-pic
+so a recent patch added an if (nr_legacy_irqs()) guard to the
+workaround to avoid this irq conflict.
+
+nr_legacy_irqs() uses the legacy_pic symbol under the hood causing
+an undefined symbol error if the rtc-cmos code is build as a module.
+
+This commit exports the legacy_pic symbol to fix this.
+
+Cc: rtc-linux@googlegroups.com
+Cc: alexandre.belloni@free-electrons.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/i8259.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kernel/i8259.c
++++ b/arch/x86/kernel/i8259.c
+@@ -418,6 +418,7 @@ struct legacy_pic default_legacy_pic = {
+ };
+
+ struct legacy_pic *legacy_pic = &default_legacy_pic;
++EXPORT_SYMBOL(legacy_pic);
+
+ static int __init i8259A_init_ops(void)
+ {
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Baoquan He <bhe@redhat.com>
+Date: Thu, 27 Apr 2017 15:42:20 +0800
+Subject: x86/KASLR: Fix kexec kernel boot crash when KASLR randomization fails
+
+From: Baoquan He <bhe@redhat.com>
+
+
+[ Upstream commit da63b6b20077469bd6bd96e07991ce145fc4fbc4 ]
+
+Dave found that a kdump kernel with KASLR enabled will reset to the BIOS
+immediately if physical randomization failed to find a new position for
+the kernel. A kernel with the 'nokaslr' option works in this case.
+
+The reason is that KASLR will install a new page table for the identity
+mapping, while it missed building it for the original kernel location
+if KASLR physical randomization fails.
+
+This only happens in the kexec/kdump kernel, because the identity mapping
+has been built for kexec/kdump in the 1st kernel for the whole memory by
+calling init_pgtable(). Here if physical randomizaiton fails, it won't build
+the identity mapping for the original area of the kernel but change to a
+new page table '_pgtable'. Then the kernel will triple fault immediately
+caused by no identity mappings.
+
+The normal kernel won't see this bug, because it comes here via startup_32()
+and CR3 will be set to _pgtable already. In startup_32() the identity
+mapping is built for the 0~4G area. In KASLR we just append to the existing
+area instead of entirely overwriting it for on-demand identity mapping
+building. So the identity mapping for the original area of kernel is still
+there.
+
+To fix it we just switch to the new identity mapping page table when physical
+KASLR succeeds. Otherwise we keep the old page table unchanged just like
+"nokaslr" does.
+
+Signed-off-by: Baoquan He <bhe@redhat.com>
+Signed-off-by: Dave Young <dyoung@redhat.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Dave Jiang <dave.jiang@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Garnier <thgarnie@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Yinghai Lu <yinghai@kernel.org>
+Link: http://lkml.kernel.org/r/1493278940-5885-1-git-send-email-bhe@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/boot/compressed/kaslr.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/boot/compressed/kaslr.c
++++ b/arch/x86/boot/compressed/kaslr.c
+@@ -460,10 +460,17 @@ void choose_random_location(unsigned lon
+ add_identity_map(random_addr, output_size);
+ *output = random_addr;
+ }
++
++ /*
++ * This loads the identity mapping page table.
++ * This should only be done if a new physical address
++ * is found for the kernel, otherwise we should keep
++ * the old page table to make it be like the "nokaslr"
++ * case.
++ */
++ finalize_identity_maps();
+ }
+
+- /* This actually loads the identity pagetable on x86_64. */
+- finalize_identity_maps();
+
+ /* Pick random virtual address starting from LOAD_PHYSICAL_ADDR. */
+ if (IS_ENABLED(CONFIG_X86_64))
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Tiantian Feng <fengtiantian@huawei.com>
+Date: Wed, 19 Apr 2017 18:18:39 +0200
+Subject: x86/reboot: Turn off KVM when halting a CPU
+
+From: Tiantian Feng <fengtiantian@huawei.com>
+
+
+[ Upstream commit fba4f472b33aa81ca1836f57d005455261e9126f ]
+
+A CPU in VMX root mode will ignore INIT signals and will fail to bring
+up the APs after reboot. Therefore, on a panic we disable VMX on all
+CPUs before rebooting or triggering kdump.
+
+Do this when halting the machine as well, in case a firmware-level reboot
+does not perform a cold reset for all processors. Without doing this,
+rebooting the host may hang.
+
+Signed-off-by: Tiantian Feng <fengtiantian@huawei.com>
+Signed-off-by: Xishi Qiu <qiuxishi@huawei.com>
+[ Rewritten commit message. ]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: kvm@vger.kernel.org
+Link: http://lkml.kernel.org/r/20170419161839.30550-1-pbonzini@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/smp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kernel/smp.c
++++ b/arch/x86/kernel/smp.c
+@@ -33,6 +33,7 @@
+ #include <asm/mce.h>
+ #include <asm/trace/irq_vectors.h>
+ #include <asm/kexec.h>
++#include <asm/virtext.h>
+
+ /*
+ * Some notes on x86 processor bugs affecting SMP operation:
+@@ -162,6 +163,7 @@ static int smp_stop_nmi_callback(unsigne
+ if (raw_smp_processor_id() == atomic_read(&stopping_cpu))
+ return NMI_HANDLED;
+
++ cpu_emergency_vmxoff();
+ stop_this_cpu(NULL);
+
+ return NMI_HANDLED;
+@@ -174,6 +176,7 @@ static int smp_stop_nmi_callback(unsigne
+ asmlinkage __visible void smp_reboot_interrupt(void)
+ {
+ ipi_entering_ack_irq();
++ cpu_emergency_vmxoff();
+ stop_this_cpu(NULL);
+ irq_exit();
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:40:24 CET 2018
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date: Tue, 14 Mar 2017 18:35:43 +0100
+Subject: x86/xen: split xen_smp_prepare_boot_cpu()
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+
+[ Upstream commit a2d1078a35f9a38ae888aa6147e4ca32666154a1 ]
+
+Split xen_smp_prepare_boot_cpu() into xen_pv_smp_prepare_boot_cpu() and
+xen_hvm_smp_prepare_boot_cpu() to support further splitting of smp.c.
+
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/xen/smp.c | 49 ++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 30 insertions(+), 19 deletions(-)
+
+--- a/arch/x86/xen/smp.c
++++ b/arch/x86/xen/smp.c
+@@ -299,35 +299,46 @@ static void __init xen_filter_cpu_maps(v
+
+ }
+
+-static void __init xen_smp_prepare_boot_cpu(void)
++static void __init xen_pv_smp_prepare_boot_cpu(void)
+ {
+ BUG_ON(smp_processor_id() != 0);
+ native_smp_prepare_boot_cpu();
+
+- if (xen_pv_domain()) {
+- if (!xen_feature(XENFEAT_writable_page_tables))
+- /* We've switched to the "real" per-cpu gdt, so make
+- * sure the old memory can be recycled. */
+- make_lowmem_page_readwrite(xen_initial_gdt);
++ if (!xen_feature(XENFEAT_writable_page_tables))
++ /* We've switched to the "real" per-cpu gdt, so make
++ * sure the old memory can be recycled. */
++ make_lowmem_page_readwrite(xen_initial_gdt);
+
+ #ifdef CONFIG_X86_32
+- /*
+- * Xen starts us with XEN_FLAT_RING1_DS, but linux code
+- * expects __USER_DS
+- */
+- loadsegment(ds, __USER_DS);
+- loadsegment(es, __USER_DS);
++ /*
++ * Xen starts us with XEN_FLAT_RING1_DS, but linux code
++ * expects __USER_DS
++ */
++ loadsegment(ds, __USER_DS);
++ loadsegment(es, __USER_DS);
+ #endif
+
+- xen_filter_cpu_maps();
+- xen_setup_vcpu_info_placement();
+- }
++ xen_filter_cpu_maps();
++ xen_setup_vcpu_info_placement();
++
++ /*
++ * The alternative logic (which patches the unlock/lock) runs before
++ * the smp bootup up code is activated. Hence we need to set this up
++ * the core kernel is being patched. Otherwise we will have only
++ * modules patched but not core code.
++ */
++ xen_init_spinlocks();
++}
++
++static void __init xen_hvm_smp_prepare_boot_cpu(void)
++{
++ BUG_ON(smp_processor_id() != 0);
++ native_smp_prepare_boot_cpu();
+
+ /*
+ * Setup vcpu_info for boot CPU.
+ */
+- if (xen_hvm_domain())
+- xen_vcpu_setup(0);
++ xen_vcpu_setup(0);
+
+ /*
+ * The alternative logic (which patches the unlock/lock) runs before
+@@ -733,7 +744,7 @@ static irqreturn_t xen_irq_work_interrup
+ }
+
+ static const struct smp_ops xen_smp_ops __initconst = {
+- .smp_prepare_boot_cpu = xen_smp_prepare_boot_cpu,
++ .smp_prepare_boot_cpu = xen_pv_smp_prepare_boot_cpu,
+ .smp_prepare_cpus = xen_smp_prepare_cpus,
+ .smp_cpus_done = xen_smp_cpus_done,
+
+@@ -772,5 +783,5 @@ void __init xen_hvm_smp_init(void)
+ smp_ops.cpu_die = xen_cpu_die;
+ smp_ops.send_call_func_ipi = xen_smp_send_call_function_ipi;
+ smp_ops.send_call_func_single_ipi = xen_smp_send_call_function_single_ipi;
+- smp_ops.smp_prepare_boot_cpu = xen_smp_prepare_boot_cpu;
++ smp_ops.smp_prepare_boot_cpu = xen_hvm_smp_prepare_boot_cpu;
+ }
--- /dev/null
+From foo@baz Thu Mar 22 14:40:23 CET 2018
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Tue, 11 Apr 2017 13:22:29 -0400
+Subject: xprtrdma: Cancel refresh worker during buffer shutdown
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+
+[ Upstream commit 9378b274e1eb6925db315e345f48850d2d5d9789 ]
+
+Trying to create MRs while the transport is being torn down can
+cause a crash.
+
+Fixes: e2ac236c0b65 ("xprtrdma: Allocate MRs on demand")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/xprtrdma/verbs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sunrpc/xprtrdma/verbs.c
++++ b/net/sunrpc/xprtrdma/verbs.c
+@@ -1054,6 +1054,7 @@ void
+ rpcrdma_buffer_destroy(struct rpcrdma_buffer *buf)
+ {
+ cancel_delayed_work_sync(&buf->rb_recovery_worker);
++ cancel_delayed_work_sync(&buf->rb_refresh_worker);
+
+ while (!list_empty(&buf->rb_recv_bufs)) {
+ struct rpcrdma_rep *rep;
projects / thirdparty / kernel / stable-queue.git / commitdiff
