--- /dev/null
+From e2ca3163b40c1741c8e6334708e31c0066a15f20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Nov 2018 09:43:52 -0800
+Subject: ACPICA: Use %d for signed int print formatting instead of %u
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit f8ddf49b420112e28bdd23d7ad52d7991a0ccbe3 ]
+
+Fix warnings found using static analysis with cppcheck, use %d printf
+format specifier for signed ints rather than %u
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/acpi/tools/acpidump/apmain.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/power/acpi/tools/acpidump/apmain.c b/tools/power/acpi/tools/acpidump/apmain.c
+index 7ff46be908f0b..d426fec3b1d34 100644
+--- a/tools/power/acpi/tools/acpidump/apmain.c
++++ b/tools/power/acpi/tools/acpidump/apmain.c
+@@ -139,7 +139,7 @@ static int ap_insert_action(char *argument, u32 to_be_done)
+
+ current_action++;
+ if (current_action > AP_MAX_ACTIONS) {
+- fprintf(stderr, "Too many table options (max %u)\n",
++ fprintf(stderr, "Too many table options (max %d)\n",
+ AP_MAX_ACTIONS);
+ return (-1);
+ }
+--
+2.20.1
+
--- /dev/null
+From 7652edc6b434fc65c872e08ec3e815f3ee24648b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Oct 2018 12:33:02 +0200
+Subject: ALSA: i2c/cs8427: Fix int to char conversion
+
+From: Philipp Klocke <philipp97kl@gmail.com>
+
+[ Upstream commit eb7ebfa3c1989aa8e59d5e68ab3cddd7df1bfb27 ]
+
+Compiling with clang yields the following warning:
+
+sound/i2c/cs8427.c:140:31: warning: implicit conversion from 'int'
+to 'char' changes value from 160 to -96 [-Wconstant-conversion]
+ data[0] = CS8427_REG_AUTOINC | CS8427_REG_CORU_DATABUF;
+ ~ ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~
+
+Because CS8427_REG_AUTOINC is defined as 128, it is too big for a
+char field.
+So change data from char to unsigned char, that it can hold the value.
+
+This patch does not change the generated code.
+
+Signed-off-by: Philipp Klocke <philipp97kl@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/i2c/cs8427.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/i2c/cs8427.c b/sound/i2c/cs8427.c
+index 7e21621e492a4..7fd1b40008838 100644
+--- a/sound/i2c/cs8427.c
++++ b/sound/i2c/cs8427.c
+@@ -118,7 +118,7 @@ static int snd_cs8427_send_corudata(struct snd_i2c_device *device,
+ struct cs8427 *chip = device->private_data;
+ char *hw_data = udata ?
+ chip->playback.hw_udata : chip->playback.hw_status;
+- char data[32];
++ unsigned char data[32];
+ int err, idx;
+
+ if (!memcmp(hw_data, ndata, count))
+--
+2.20.1
+
--- /dev/null
+From 6c6ca20437cfdecdf8ed794ea85bda81cb9f7156 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Oct 2018 14:25:22 +0900
+Subject: ALSA: isight: fix leak of reference to firewire unit in error path of
+ .probe callback
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+[ Upstream commit 51e68fb0929c29e47e9074ca3e99ffd6021a1c5a ]
+
+In some error paths, reference count of firewire unit is not decreased.
+This commit fixes the bug.
+
+Fixes: 5b14ec25a79b('ALSA: firewire: release reference count of firewire unit in .remove callback of bus driver')
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/firewire/isight.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/sound/firewire/isight.c b/sound/firewire/isight.c
+index 48d6dca471c6b..6c8daf5b391ff 100644
+--- a/sound/firewire/isight.c
++++ b/sound/firewire/isight.c
+@@ -639,7 +639,7 @@ static int isight_probe(struct fw_unit *unit,
+ if (!isight->audio_base) {
+ dev_err(&unit->device, "audio unit base not found\n");
+ err = -ENXIO;
+- goto err_unit;
++ goto error;
+ }
+ fw_iso_resources_init(&isight->resources, unit);
+
+@@ -668,12 +668,12 @@ static int isight_probe(struct fw_unit *unit,
+ dev_set_drvdata(&unit->device, isight);
+
+ return 0;
+-
+-err_unit:
+- fw_unit_put(isight->unit);
+- mutex_destroy(&isight->mutex);
+ error:
+ snd_card_free(card);
++
++ mutex_destroy(&isight->mutex);
++ fw_unit_put(isight->unit);
++
+ return err;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From ff0f6a9fc017fa2172069bc4154c5cf4b0a5b8c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Oct 2018 12:20:46 -0700
+Subject: amiflop: clean up on errors during setup
+
+From: Omar Sandoval <osandov@fb.com>
+
+[ Upstream commit 53d0f8dbde89cf6c862c7a62e00c6123e02cba41 ]
+
+The error handling in fd_probe_drives() doesn't clean up at all. Fix it
+up in preparation for converting to blk-mq. While we're here, get rid of
+the commented out amiga_floppy_remove().
+
+Signed-off-by: Omar Sandoval <osandov@fb.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/amiflop.c | 84 ++++++++++++++++++++---------------------
+ 1 file changed, 40 insertions(+), 44 deletions(-)
+
+diff --git a/drivers/block/amiflop.c b/drivers/block/amiflop.c
+index 5fd50a2841682..db4354fb2a0d3 100644
+--- a/drivers/block/amiflop.c
++++ b/drivers/block/amiflop.c
+@@ -1699,11 +1699,41 @@ static const struct block_device_operations floppy_fops = {
+ .check_events = amiga_check_events,
+ };
+
++static struct gendisk *fd_alloc_disk(int drive)
++{
++ struct gendisk *disk;
++
++ disk = alloc_disk(1);
++ if (!disk)
++ goto out;
++
++ disk->queue = blk_init_queue(do_fd_request, &amiflop_lock);
++ if (IS_ERR(disk->queue)) {
++ disk->queue = NULL;
++ goto out_put_disk;
++ }
++
++ unit[drive].trackbuf = kmalloc(FLOPPY_MAX_SECTORS * 512, GFP_KERNEL);
++ if (!unit[drive].trackbuf)
++ goto out_cleanup_queue;
++
++ return disk;
++
++out_cleanup_queue:
++ blk_cleanup_queue(disk->queue);
++ disk->queue = NULL;
++out_put_disk:
++ put_disk(disk);
++out:
++ unit[drive].type->code = FD_NODRIVE;
++ return NULL;
++}
++
+ static int __init fd_probe_drives(void)
+ {
+ int drive,drives,nomem;
+
+- printk(KERN_INFO "FD: probing units\nfound ");
++ pr_info("FD: probing units\nfound");
+ drives=0;
+ nomem=0;
+ for(drive=0;drive<FD_MAX_UNITS;drive++) {
+@@ -1711,27 +1741,17 @@ static int __init fd_probe_drives(void)
+ fd_probe(drive);
+ if (unit[drive].type->code == FD_NODRIVE)
+ continue;
+- disk = alloc_disk(1);
++
++ disk = fd_alloc_disk(drive);
+ if (!disk) {
+- unit[drive].type->code = FD_NODRIVE;
++ pr_cont(" no mem for fd%d", drive);
++ nomem = 1;
+ continue;
+ }
+ unit[drive].gendisk = disk;
+-
+- disk->queue = blk_init_queue(do_fd_request, &amiflop_lock);
+- if (!disk->queue) {
+- unit[drive].type->code = FD_NODRIVE;
+- continue;
+- }
+-
+ drives++;
+- if ((unit[drive].trackbuf = kmalloc(FLOPPY_MAX_SECTORS * 512, GFP_KERNEL)) == NULL) {
+- printk("no mem for ");
+- unit[drive].type = &drive_types[num_dr_types - 1]; /* FD_NODRIVE */
+- drives--;
+- nomem = 1;
+- }
+- printk("fd%d ",drive);
++
++ pr_cont(" fd%d",drive);
+ disk->major = FLOPPY_MAJOR;
+ disk->first_minor = drive;
+ disk->fops = &floppy_fops;
+@@ -1742,11 +1762,11 @@ static int __init fd_probe_drives(void)
+ }
+ if ((drives > 0) || (nomem == 0)) {
+ if (drives == 0)
+- printk("no drives");
+- printk("\n");
++ pr_cont(" no drives");
++ pr_cont("\n");
+ return drives;
+ }
+- printk("\n");
++ pr_cont("\n");
+ return -ENOMEM;
+ }
+
+@@ -1837,30 +1857,6 @@ static int __init amiga_floppy_probe(struct platform_device *pdev)
+ return ret;
+ }
+
+-#if 0 /* not safe to unload */
+-static int __exit amiga_floppy_remove(struct platform_device *pdev)
+-{
+- int i;
+-
+- for( i = 0; i < FD_MAX_UNITS; i++) {
+- if (unit[i].type->code != FD_NODRIVE) {
+- struct request_queue *q = unit[i].gendisk->queue;
+- del_gendisk(unit[i].gendisk);
+- put_disk(unit[i].gendisk);
+- kfree(unit[i].trackbuf);
+- if (q)
+- blk_cleanup_queue(q);
+- }
+- }
+- blk_unregister_region(MKDEV(FLOPPY_MAJOR, 0), 256);
+- free_irq(IRQ_AMIGA_CIAA_TB, NULL);
+- free_irq(IRQ_AMIGA_DSKBLK, NULL);
+- custom.dmacon = DMAF_DISK; /* disable DMA */
+- amiga_chip_free(raw_buf);
+- unregister_blkdev(FLOPPY_MAJOR, "fd");
+-}
+-#endif
+-
+ static struct platform_driver amiga_floppy_driver = {
+ .driver = {
+ .name = "amiga-floppy",
+--
+2.20.1
+
--- /dev/null
+From 2b5a38d40b0e56016add6d77a2aa0d0986df852d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 16:37:10 -0700
+Subject: arm64: makefile fix build of .i file in external module case
+
+From: Victor Kamensky <kamensky@cisco.com>
+
+[ Upstream commit 98356eb0ae499c63e78073ccedd9a5fc5c563288 ]
+
+After 'a66649dab350 arm64: fix vdso-offsets.h dependency' if
+one will try to build .i file in case of external kernel module,
+build fails complaining that prepare0 target is missing. This
+issue came up with SystemTap when it tries to build variety
+of .i files for its own generated kernel modules trying to
+figure given kernel features/capabilities.
+
+The issue is that prepare0 is defined in top level Makefile
+only if KBUILD_EXTMOD is not defined. .i file rule depends
+on prepare and in case KBUILD_EXTMOD defined top level Makefile
+contains empty rule for prepare. But after mentioned commit
+arch/arm64/Makefile would introduce dependency on prepare0
+through its own prepare target.
+
+Fix it to put proper ifdef KBUILD_EXTMOD around code introduced
+by mentioned commit. It matches what top level Makefile does.
+
+Acked-by: Kevin Brodsky <kevin.brodsky@arm.com>
+Signed-off-by: Victor Kamensky <kamensky@cisco.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/Makefile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
+index ee94597773fab..8d469aa5fc987 100644
+--- a/arch/arm64/Makefile
++++ b/arch/arm64/Makefile
+@@ -134,6 +134,7 @@ archclean:
+ $(Q)$(MAKE) $(clean)=$(boot)
+ $(Q)$(MAKE) $(clean)=$(boot)/dts
+
++ifeq ($(KBUILD_EXTMOD),)
+ # We need to generate vdso-offsets.h before compiling certain files in kernel/.
+ # In order to do that, we should use the archprepare target, but we can't since
+ # asm-offsets.h is included in some files used to generate vdso-offsets.h, and
+@@ -143,6 +144,7 @@ archclean:
+ prepare: vdso_prepare
+ vdso_prepare: prepare0
+ $(Q)$(MAKE) $(build)=arch/arm64/kernel/vdso include/generated/vdso-offsets.h
++endif
+
+ define archhelp
+ echo '* Image.gz - Compressed kernel image (arch/$(ARCH)/boot/Image.gz)'
+--
+2.20.1
+
--- /dev/null
+From 29f6aebeb619e9fad5cef118f8732c2bf10b5c02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 12:47:29 +0200
+Subject: ASoC: tegra_sgtl5000: fix device_node refcounting
+
+From: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+
+[ Upstream commit a85227da2dcc291b762c8482a505bc7d0d2d4b07 ]
+
+Similar to the following:
+
+commit 4321723648b0 ("ASoC: tegra_alc5632: fix device_node refcounting")
+
+commit 7c5dfd549617 ("ASoC: tegra: fix device_node refcounting")
+
+Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Acked-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/tegra/tegra_sgtl5000.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/tegra/tegra_sgtl5000.c b/sound/soc/tegra/tegra_sgtl5000.c
+index 1e76869dd4880..863e04809a6b8 100644
+--- a/sound/soc/tegra/tegra_sgtl5000.c
++++ b/sound/soc/tegra/tegra_sgtl5000.c
+@@ -152,14 +152,14 @@ static int tegra_sgtl5000_driver_probe(struct platform_device *pdev)
+ dev_err(&pdev->dev,
+ "Property 'nvidia,i2s-controller' missing/invalid\n");
+ ret = -EINVAL;
+- goto err;
++ goto err_put_codec_of_node;
+ }
+
+ tegra_sgtl5000_dai.platform_of_node = tegra_sgtl5000_dai.cpu_of_node;
+
+ ret = tegra_asoc_utils_init(&machine->util_data, &pdev->dev);
+ if (ret)
+- goto err;
++ goto err_put_cpu_of_node;
+
+ ret = snd_soc_register_card(card);
+ if (ret) {
+@@ -172,6 +172,13 @@ static int tegra_sgtl5000_driver_probe(struct platform_device *pdev)
+
+ err_fini_utils:
+ tegra_asoc_utils_fini(&machine->util_data);
++err_put_cpu_of_node:
++ of_node_put(tegra_sgtl5000_dai.cpu_of_node);
++ tegra_sgtl5000_dai.cpu_of_node = NULL;
++ tegra_sgtl5000_dai.platform_of_node = NULL;
++err_put_codec_of_node:
++ of_node_put(tegra_sgtl5000_dai.codec_of_node);
++ tegra_sgtl5000_dai.codec_of_node = NULL;
+ err:
+ return ret;
+ }
+@@ -186,6 +193,12 @@ static int tegra_sgtl5000_driver_remove(struct platform_device *pdev)
+
+ tegra_asoc_utils_fini(&machine->util_data);
+
++ of_node_put(tegra_sgtl5000_dai.cpu_of_node);
++ tegra_sgtl5000_dai.cpu_of_node = NULL;
++ tegra_sgtl5000_dai.platform_of_node = NULL;
++ of_node_put(tegra_sgtl5000_dai.codec_of_node);
++ tegra_sgtl5000_dai.codec_of_node = NULL;
++
+ return ret;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From e390a4630b75a30915c6e97895f09861b6d141a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Oct 2018 15:55:26 +0800
+Subject: ath10k: allocate small size dma memory in ath10k_pci_diag_write_mem
+
+From: Carl Huang <cjhuang@codeaurora.org>
+
+[ Upstream commit 0738b4998c6d1caf9ca2447b946709a7278c70f1 ]
+
+ath10k_pci_diag_write_mem may allocate big size of the dma memory
+based on the parameter nbytes. Take firmware diag download as
+example, the biggest size is about 500K. In some systems, the
+allocation is likely to fail because it can't acquire such a large
+contiguous dma memory.
+
+The fix is to allocate a small size dma memory. In the loop,
+driver copies the data to the allocated dma memory and writes to
+the destination until all the data is written.
+
+Tested with QCA6174 PCI with
+firmware-6.bin_WLAN.RM.4.4.1-00119-QCARMSWP-1, this also affects
+QCA9377 PCI.
+
+Signed-off-by: Carl Huang <cjhuang@codeaurora.org>
+Reviewed-by: Brian Norris <briannorris@chomium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/pci.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c
+index b7bac14d1487b..d84a362a084ac 100644
+--- a/drivers/net/wireless/ath/ath10k/pci.c
++++ b/drivers/net/wireless/ath/ath10k/pci.c
+@@ -1039,10 +1039,9 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address,
+ struct ath10k_pci *ar_pci = ath10k_pci_priv(ar);
+ int ret = 0;
+ u32 *buf;
+- unsigned int completed_nbytes, orig_nbytes, remaining_bytes;
++ unsigned int completed_nbytes, alloc_nbytes, remaining_bytes;
+ struct ath10k_ce_pipe *ce_diag;
+ void *data_buf = NULL;
+- u32 ce_data; /* Host buffer address in CE space */
+ dma_addr_t ce_data_base = 0;
+ int i;
+
+@@ -1056,9 +1055,10 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address,
+ * 1) 4-byte alignment
+ * 2) Buffer in DMA-able space
+ */
+- orig_nbytes = nbytes;
++ alloc_nbytes = min_t(unsigned int, nbytes, DIAG_TRANSFER_LIMIT);
++
+ data_buf = (unsigned char *)dma_alloc_coherent(ar->dev,
+- orig_nbytes,
++ alloc_nbytes,
+ &ce_data_base,
+ GFP_ATOMIC);
+ if (!data_buf) {
+@@ -1066,9 +1066,6 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address,
+ goto done;
+ }
+
+- /* Copy caller's data to allocated DMA buf */
+- memcpy(data_buf, data, orig_nbytes);
+-
+ /*
+ * The address supplied by the caller is in the
+ * Target CPU virtual address space.
+@@ -1081,12 +1078,14 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address,
+ */
+ address = ath10k_pci_targ_cpu_to_ce_addr(ar, address);
+
+- remaining_bytes = orig_nbytes;
+- ce_data = ce_data_base;
++ remaining_bytes = nbytes;
+ while (remaining_bytes) {
+ /* FIXME: check cast */
+ nbytes = min_t(int, remaining_bytes, DIAG_TRANSFER_LIMIT);
+
++ /* Copy caller's data to allocated DMA buf */
++ memcpy(data_buf, data, nbytes);
++
+ /* Set up to receive directly into Target(!) address */
+ ret = __ath10k_ce_rx_post_buf(ce_diag, &address, address);
+ if (ret != 0)
+@@ -1096,7 +1095,7 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address,
+ * Request CE to send caller-supplied data that
+ * was copied to bounce buffer to Target(!) address.
+ */
+- ret = ath10k_ce_send_nolock(ce_diag, NULL, (u32)ce_data,
++ ret = ath10k_ce_send_nolock(ce_diag, NULL, ce_data_base,
+ nbytes, 0, 0);
+ if (ret != 0)
+ goto done;
+@@ -1137,12 +1136,12 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address,
+
+ remaining_bytes -= nbytes;
+ address += nbytes;
+- ce_data += nbytes;
++ data += nbytes;
+ }
+
+ done:
+ if (data_buf) {
+- dma_free_coherent(ar->dev, orig_nbytes, data_buf,
++ dma_free_coherent(ar->dev, alloc_nbytes, data_buf,
+ ce_data_base);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 7946aa41fe9b76f805b7071cd3c38a5ea65dae47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Oct 2018 11:04:19 -0700
+Subject: atm: zatm: Fix empty body Clang warnings
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit 64b9d16e2d02ca6e5dc8fcd30cfd52b0ecaaa8f4 ]
+
+Clang warns:
+
+drivers/atm/zatm.c:513:7: error: while loop has empty body
+[-Werror,-Wempty-body]
+ zwait;
+ ^
+drivers/atm/zatm.c:513:7: note: put the semicolon on a separate line to
+silence this warning
+
+Get rid of this warning by using an empty do-while loop. While we're at
+it, add parentheses to make it clear that this is a function-like macro.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/42
+Suggested-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/zatm.c | 42 +++++++++++++++++++++---------------------
+ 1 file changed, 21 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/atm/zatm.c b/drivers/atm/zatm.c
+index a0b88f1489905..e23e2672a1d6b 100644
+--- a/drivers/atm/zatm.c
++++ b/drivers/atm/zatm.c
+@@ -126,7 +126,7 @@ static unsigned long dummy[2] = {0,0};
+ #define zin_n(r) inl(zatm_dev->base+r*4)
+ #define zin(r) inl(zatm_dev->base+uPD98401_##r*4)
+ #define zout(v,r) outl(v,zatm_dev->base+uPD98401_##r*4)
+-#define zwait while (zin(CMR) & uPD98401_BUSY)
++#define zwait() do {} while (zin(CMR) & uPD98401_BUSY)
+
+ /* RX0, RX1, TX0, TX1 */
+ static const int mbx_entries[NR_MBX] = { 1024,1024,1024,1024 };
+@@ -140,7 +140,7 @@ static const int mbx_esize[NR_MBX] = { 16,16,4,4 }; /* entry size in bytes */
+
+ static void zpokel(struct zatm_dev *zatm_dev,u32 value,u32 addr)
+ {
+- zwait;
++ zwait();
+ zout(value,CER);
+ zout(uPD98401_IND_ACC | uPD98401_IA_BALL |
+ (uPD98401_IA_TGT_CM << uPD98401_IA_TGT_SHIFT) | addr,CMR);
+@@ -149,10 +149,10 @@ static void zpokel(struct zatm_dev *zatm_dev,u32 value,u32 addr)
+
+ static u32 zpeekl(struct zatm_dev *zatm_dev,u32 addr)
+ {
+- zwait;
++ zwait();
+ zout(uPD98401_IND_ACC | uPD98401_IA_BALL | uPD98401_IA_RW |
+ (uPD98401_IA_TGT_CM << uPD98401_IA_TGT_SHIFT) | addr,CMR);
+- zwait;
++ zwait();
+ return zin(CER);
+ }
+
+@@ -241,7 +241,7 @@ static void refill_pool(struct atm_dev *dev,int pool)
+ }
+ if (first) {
+ spin_lock_irqsave(&zatm_dev->lock, flags);
+- zwait;
++ zwait();
+ zout(virt_to_bus(first),CER);
+ zout(uPD98401_ADD_BAT | (pool << uPD98401_POOL_SHIFT) | count,
+ CMR);
+@@ -508,9 +508,9 @@ static int open_rx_first(struct atm_vcc *vcc)
+ }
+ if (zatm_vcc->pool < 0) return -EMSGSIZE;
+ spin_lock_irqsave(&zatm_dev->lock, flags);
+- zwait;
++ zwait();
+ zout(uPD98401_OPEN_CHAN,CMR);
+- zwait;
++ zwait();
+ DPRINTK("0x%x 0x%x\n",zin(CMR),zin(CER));
+ chan = (zin(CMR) & uPD98401_CHAN_ADDR) >> uPD98401_CHAN_ADDR_SHIFT;
+ spin_unlock_irqrestore(&zatm_dev->lock, flags);
+@@ -571,21 +571,21 @@ static void close_rx(struct atm_vcc *vcc)
+ pos = vcc->vci >> 1;
+ shift = (1-(vcc->vci & 1)) << 4;
+ zpokel(zatm_dev,zpeekl(zatm_dev,pos) & ~(0xffff << shift),pos);
+- zwait;
++ zwait();
+ zout(uPD98401_NOP,CMR);
+- zwait;
++ zwait();
+ zout(uPD98401_NOP,CMR);
+ spin_unlock_irqrestore(&zatm_dev->lock, flags);
+ }
+ spin_lock_irqsave(&zatm_dev->lock, flags);
+- zwait;
++ zwait();
+ zout(uPD98401_DEACT_CHAN | uPD98401_CHAN_RT | (zatm_vcc->rx_chan <<
+ uPD98401_CHAN_ADDR_SHIFT),CMR);
+- zwait;
++ zwait();
+ udelay(10); /* why oh why ... ? */
+ zout(uPD98401_CLOSE_CHAN | uPD98401_CHAN_RT | (zatm_vcc->rx_chan <<
+ uPD98401_CHAN_ADDR_SHIFT),CMR);
+- zwait;
++ zwait();
+ if (!(zin(CMR) & uPD98401_CHAN_ADDR))
+ printk(KERN_CRIT DEV_LABEL "(itf %d): can't close RX channel "
+ "%d\n",vcc->dev->number,zatm_vcc->rx_chan);
+@@ -699,7 +699,7 @@ printk("NONONONOO!!!!\n");
+ skb_queue_tail(&zatm_vcc->tx_queue,skb);
+ DPRINTK("QRP=0x%08lx\n",zpeekl(zatm_dev,zatm_vcc->tx_chan*VC_SIZE/4+
+ uPD98401_TXVC_QRP));
+- zwait;
++ zwait();
+ zout(uPD98401_TX_READY | (zatm_vcc->tx_chan <<
+ uPD98401_CHAN_ADDR_SHIFT),CMR);
+ spin_unlock_irqrestore(&zatm_dev->lock, flags);
+@@ -891,12 +891,12 @@ static void close_tx(struct atm_vcc *vcc)
+ }
+ spin_lock_irqsave(&zatm_dev->lock, flags);
+ #if 0
+- zwait;
++ zwait();
+ zout(uPD98401_DEACT_CHAN | (chan << uPD98401_CHAN_ADDR_SHIFT),CMR);
+ #endif
+- zwait;
++ zwait();
+ zout(uPD98401_CLOSE_CHAN | (chan << uPD98401_CHAN_ADDR_SHIFT),CMR);
+- zwait;
++ zwait();
+ if (!(zin(CMR) & uPD98401_CHAN_ADDR))
+ printk(KERN_CRIT DEV_LABEL "(itf %d): can't close TX channel "
+ "%d\n",vcc->dev->number,chan);
+@@ -926,9 +926,9 @@ static int open_tx_first(struct atm_vcc *vcc)
+ zatm_vcc->tx_chan = 0;
+ if (vcc->qos.txtp.traffic_class == ATM_NONE) return 0;
+ spin_lock_irqsave(&zatm_dev->lock, flags);
+- zwait;
++ zwait();
+ zout(uPD98401_OPEN_CHAN,CMR);
+- zwait;
++ zwait();
+ DPRINTK("0x%x 0x%x\n",zin(CMR),zin(CER));
+ chan = (zin(CMR) & uPD98401_CHAN_ADDR) >> uPD98401_CHAN_ADDR_SHIFT;
+ spin_unlock_irqrestore(&zatm_dev->lock, flags);
+@@ -1559,7 +1559,7 @@ static void zatm_phy_put(struct atm_dev *dev,unsigned char value,
+ struct zatm_dev *zatm_dev;
+
+ zatm_dev = ZATM_DEV(dev);
+- zwait;
++ zwait();
+ zout(value,CER);
+ zout(uPD98401_IND_ACC | uPD98401_IA_B0 |
+ (uPD98401_IA_TGT_PHY << uPD98401_IA_TGT_SHIFT) | addr,CMR);
+@@ -1571,10 +1571,10 @@ static unsigned char zatm_phy_get(struct atm_dev *dev,unsigned long addr)
+ struct zatm_dev *zatm_dev;
+
+ zatm_dev = ZATM_DEV(dev);
+- zwait;
++ zwait();
+ zout(uPD98401_IND_ACC | uPD98401_IA_B0 | uPD98401_IA_RW |
+ (uPD98401_IA_TGT_PHY << uPD98401_IA_TGT_SHIFT) | addr,CMR);
+- zwait;
++ zwait();
+ return zin(CER) & 0xff;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From c8ef44a825d2f8d4e02d1d9f16082ff1defeaf15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Oct 2018 16:22:57 -0400
+Subject: audit: print empty EXECVE args
+
+From: Richard Guy Briggs <rgb@redhat.com>
+
+[ Upstream commit ea956d8be91edc702a98b7fe1f9463e7ca8c42ab ]
+
+Empty executable arguments were being skipped when printing out the list
+of arguments in an EXECVE record, making it appear they were somehow
+lost. Include empty arguments as an itemized empty string.
+
+Reproducer:
+ autrace /bin/ls "" "/etc"
+ ausearch --start recent -m execve -i | grep EXECVE
+ type=EXECVE msg=audit(10/03/2018 13:04:03.208:1391) : argc=3 a0=/bin/ls a2=/etc
+
+With fix:
+ type=EXECVE msg=audit(10/03/2018 21:51:38.290:194) : argc=3 a0=/bin/ls a1= a2=/etc
+ type=EXECVE msg=audit(1538617898.290:194): argc=3 a0="/bin/ls" a1="" a2="/etc"
+
+Passes audit-testsuite. GH issue tracker at
+https://github.com/linux-audit/audit-kernel/issues/99
+
+Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
+[PM: cleaned up the commit metadata]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/auditsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/auditsc.c b/kernel/auditsc.c
+index c2aaf539728fb..854e90be1a023 100644
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -1096,7 +1096,7 @@ static void audit_log_execve_info(struct audit_context *context,
+ }
+
+ /* write as much as we can to the audit log */
+- if (len_buf > 0) {
++ if (len_buf >= 0) {
+ /* NOTE: some magic numbers here - basically if we
+ * can't fit a reasonable amount of data into the
+ * existing audit buffer, flush it and start with
+--
+2.20.1
+
--- /dev/null
+From d07534613ef6da56263db1b36f624127c8f0731c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Oct 2018 19:21:39 +0300
+Subject: brcmsmac: AP mode: update beacon when TIM changes
+
+From: Ali MJ Al-Nasrawy <alimjalnasrawy@gmail.com>
+
+[ Upstream commit 2258ee58baa554609a3cc3996276e4276f537b6d ]
+
+Beacons are not updated to reflect TIM changes. This is not compliant with
+power-saving client stations as the beacons do not have valid TIM and can
+cause the network to stall at random occasions and to have highly variable
+latencies.
+Fix it by updating beacon templates on mac80211 set_tim callback.
+
+Addresses an issue described in:
+https://marc.info/?i=20180911163534.21312d08%20()%20manjaro
+
+Signed-off-by: Ali MJ Al-Nasrawy <alimjalnasrawy@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../broadcom/brcm80211/brcmsmac/mac80211_if.c | 26 +++++++++++++++++++
+ .../broadcom/brcm80211/brcmsmac/main.h | 1 +
+ 2 files changed, 27 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+index 7c2a9a9bc372c..a620b2f6c7c4c 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+@@ -502,6 +502,7 @@ brcms_ops_add_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
+ }
+
+ spin_lock_bh(&wl->lock);
++ wl->wlc->vif = vif;
+ wl->mute_tx = false;
+ brcms_c_mute(wl->wlc, false);
+ if (vif->type == NL80211_IFTYPE_STATION)
+@@ -519,6 +520,11 @@ brcms_ops_add_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
+ static void
+ brcms_ops_remove_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
+ {
++ struct brcms_info *wl = hw->priv;
++
++ spin_lock_bh(&wl->lock);
++ wl->wlc->vif = NULL;
++ spin_unlock_bh(&wl->lock);
+ }
+
+ static int brcms_ops_config(struct ieee80211_hw *hw, u32 changed)
+@@ -937,6 +943,25 @@ static void brcms_ops_set_tsf(struct ieee80211_hw *hw,
+ spin_unlock_bh(&wl->lock);
+ }
+
++static int brcms_ops_beacon_set_tim(struct ieee80211_hw *hw,
++ struct ieee80211_sta *sta, bool set)
++{
++ struct brcms_info *wl = hw->priv;
++ struct sk_buff *beacon = NULL;
++ u16 tim_offset = 0;
++
++ spin_lock_bh(&wl->lock);
++ if (wl->wlc->vif)
++ beacon = ieee80211_beacon_get_tim(hw, wl->wlc->vif,
++ &tim_offset, NULL);
++ if (beacon)
++ brcms_c_set_new_beacon(wl->wlc, beacon, tim_offset,
++ wl->wlc->vif->bss_conf.dtim_period);
++ spin_unlock_bh(&wl->lock);
++
++ return 0;
++}
++
+ static const struct ieee80211_ops brcms_ops = {
+ .tx = brcms_ops_tx,
+ .start = brcms_ops_start,
+@@ -955,6 +980,7 @@ static const struct ieee80211_ops brcms_ops = {
+ .flush = brcms_ops_flush,
+ .get_tsf = brcms_ops_get_tsf,
+ .set_tsf = brcms_ops_set_tsf,
++ .set_tim = brcms_ops_beacon_set_tim,
+ };
+
+ void brcms_dpc(unsigned long data)
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.h b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.h
+index c4d135cff04ad..9f76b880814e8 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.h
+@@ -563,6 +563,7 @@ struct brcms_c_info {
+
+ struct wiphy *wiphy;
+ struct scb pri_scb;
++ struct ieee80211_vif *vif;
+
+ struct sk_buff *beacon;
+ u16 beacon_tim_offset;
+--
+2.20.1
+
--- /dev/null
+From a5c81924dc8ac3d95261c70cb2c67a39acd43bd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Oct 2018 19:12:35 +0300
+Subject: brcmsmac: never log "tid x is not agg'able" by default
+
+From: Ali MJ Al-Nasrawy <alimjalnasrawy@gmail.com>
+
+[ Upstream commit 96fca788e5788b7ea3b0050eb35a343637e0a465 ]
+
+This message greatly spams the log under heavy Tx of frames with BK access
+class which is especially true when operating as AP. It is also not informative
+as the "agg'ablity" of TIDs are set once and never change.
+Fix this by logging only in debug mode.
+
+Signed-off-by: Ali MJ Al-Nasrawy <alimjalnasrawy@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+index a620b2f6c7c4c..b820e80d4b4c2 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+@@ -846,8 +846,8 @@ brcms_ops_ampdu_action(struct ieee80211_hw *hw,
+ status = brcms_c_aggregatable(wl->wlc, tid);
+ spin_unlock_bh(&wl->lock);
+ if (!status) {
+- brcms_err(wl->wlc->hw->d11core,
+- "START: tid %d is not agg\'able\n", tid);
++ brcms_dbg_ht(wl->wlc->hw->d11core,
++ "START: tid %d is not agg\'able\n", tid);
+ return -EINVAL;
+ }
+ ieee80211_start_tx_ba_cb_irqsafe(vif, sta->addr, tid);
+--
+2.20.1
+
--- /dev/null
+From df37243bc0d7ac6e907e233e76e74c04e33a8e95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Sep 2018 11:35:10 +0300
+Subject: btrfs: handle error of get_old_root
+
+From: Nikolay Borisov <nborisov@suse.com>
+
+[ Upstream commit 315bed43fea532650933e7bba316a7601d439edf ]
+
+In btrfs_search_old_slot get_old_root is always used with the assumption
+it cannot fail. However, this is not true in rare circumstance it can
+fail and return null. This will lead to null point dereference when the
+header is read. Fix this by checking the return value and properly
+handling NULL by setting ret to -EIO and returning gracefully.
+
+Coverity-id: 1087503
+Signed-off-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: Lu Fengqi <lufq.fnst@cn.fujitsu.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ctree.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
+index 3df434eb14743..3faccbf35e9f4 100644
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -2973,6 +2973,10 @@ int btrfs_search_old_slot(struct btrfs_root *root, struct btrfs_key *key,
+
+ again:
+ b = get_old_root(root, time_seq);
++ if (!b) {
++ ret = -EIO;
++ goto done;
++ }
+ level = btrfs_header_level(b);
+ p->locks[level] = BTRFS_READ_LOCK;
+
+--
+2.20.1
+
--- /dev/null
+From ef03fc3baae696318d18f457fa40cb7840b06743 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Sep 2018 09:10:29 +0800
+Subject: ceph: fix dentry leak in ceph_readdir_prepopulate
+
+From: Yan, Zheng <zyan@redhat.com>
+
+[ Upstream commit c58f450bd61511d897efc2ea472c69630635b557 ]
+
+Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/inode.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
+index 7fcddaaca8a5d..049cff197d2a1 100644
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -1630,7 +1630,6 @@ int ceph_readdir_prepopulate(struct ceph_mds_request *req,
+ if (IS_ERR(realdn)) {
+ err = PTR_ERR(realdn);
+ d_drop(dn);
+- dn = NULL;
+ goto next_item;
+ }
+ dn = realdn;
+--
+2.20.1
+
--- /dev/null
+From cb6c9ef62f3dc548292f501b4b739c5af27d9b3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Sep 2018 14:01:44 +0200
+Subject: clk: mmp2: fix the clock id for sdh2_clk and sdh3_clk
+
+From: Lubomir Rintel <lkundrak@v3.sk>
+
+[ Upstream commit 4917fb90eec7c26dac1497ada3bd4a325f670fcc ]
+
+A typo that makes it impossible to get the correct clocks for
+MMP2_CLK_SDH2 and MMP2_CLK_SDH3.
+
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+Fixes: 1ec770d92a62 ("clk: mmp: add mmp2 DT support for clock driver")
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/mmp/clk-of-mmp2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/mmp/clk-of-mmp2.c b/drivers/clk/mmp/clk-of-mmp2.c
+index 9adaf48aea231..061a9f10218b3 100644
+--- a/drivers/clk/mmp/clk-of-mmp2.c
++++ b/drivers/clk/mmp/clk-of-mmp2.c
+@@ -227,8 +227,8 @@ static struct mmp_param_gate_clk apmu_gate_clks[] = {
+ /* The gate clocks has mux parent. */
+ {MMP2_CLK_SDH0, "sdh0_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH0, 0x1b, 0x1b, 0x0, 0, &sdh_lock},
+ {MMP2_CLK_SDH1, "sdh1_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH1, 0x1b, 0x1b, 0x0, 0, &sdh_lock},
+- {MMP2_CLK_SDH1, "sdh2_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH2, 0x1b, 0x1b, 0x0, 0, &sdh_lock},
+- {MMP2_CLK_SDH1, "sdh3_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH3, 0x1b, 0x1b, 0x0, 0, &sdh_lock},
++ {MMP2_CLK_SDH2, "sdh2_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH2, 0x1b, 0x1b, 0x0, 0, &sdh_lock},
++ {MMP2_CLK_SDH3, "sdh3_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH3, 0x1b, 0x1b, 0x0, 0, &sdh_lock},
+ {MMP2_CLK_DISP0, "disp0_clk", "disp0_div", CLK_SET_RATE_PARENT, APMU_DISP0, 0x1b, 0x1b, 0x0, 0, &disp0_lock},
+ {MMP2_CLK_DISP0_SPHY, "disp0_sphy_clk", "disp0_sphy_div", CLK_SET_RATE_PARENT, APMU_DISP0, 0x1024, 0x1024, 0x0, 0, &disp0_lock},
+ {MMP2_CLK_DISP1, "disp1_clk", "disp1_div", CLK_SET_RATE_PARENT, APMU_DISP1, 0x1b, 0x1b, 0x0, 0, &disp1_lock},
+--
+2.20.1
+
--- /dev/null
+From 4a72f03dbc2ca6d8a85c6b54709b05dcd09df97f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Nov 2018 14:18:22 -0600
+Subject: dlm: don't leak kernel pointer to userspace
+
+From: Tycho Andersen <tycho@tycho.ws>
+
+[ Upstream commit 9de30f3f7f4d31037cfbb7c787e1089c1944b3a7 ]
+
+In copy_result_to_user(), we first create a struct dlm_lock_result, which
+contains a struct dlm_lksb, the last member of which is a pointer to the
+lvb. Unfortunately, we copy the entire struct dlm_lksb to the result
+struct, which is then copied to userspace at the end of the function,
+leaking the contents of sb_lvbptr, which is a valid kernel pointer in some
+cases (indeed, later in the same function the data it points to is copied
+to userspace).
+
+It is an error to leak kernel pointers to userspace, as it undermines KASLR
+protections (see e.g. 65eea8edc31 ("floppy: Do not copy a kernel pointer to
+user memory in FDGETPRM ioctl") for another example of this).
+
+Signed-off-by: Tycho Andersen <tycho@tycho.ws>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/user.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/dlm/user.c b/fs/dlm/user.c
+index 9ac65914ab5b0..57f2aacec97f5 100644
+--- a/fs/dlm/user.c
++++ b/fs/dlm/user.c
+@@ -700,7 +700,7 @@ static int copy_result_to_user(struct dlm_user_args *ua, int compat,
+ result.version[0] = DLM_DEVICE_VERSION_MAJOR;
+ result.version[1] = DLM_DEVICE_VERSION_MINOR;
+ result.version[2] = DLM_DEVICE_VERSION_PATCH;
+- memcpy(&result.lksb, &ua->lksb, sizeof(struct dlm_lksb));
++ memcpy(&result.lksb, &ua->lksb, offsetof(struct dlm_lksb, sb_lvbptr));
+ result.user_lksb = ua->user_lksb;
+
+ /* FIXME: dlm1 provides for the user's bastparam/addr to not be updated
+--
+2.20.1
+
--- /dev/null
+From 985604531597ab9837b804c06887dc3704a65892 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Nov 2018 14:18:20 -0600
+Subject: dlm: fix invalid free
+
+From: Tycho Andersen <tycho@tycho.ws>
+
+[ Upstream commit d968b4e240cfe39d39d80483bac8bca8716fd93c ]
+
+dlm_config_nodes() does not allocate nodes on failure, so we should not
+free() nodes when it fails.
+
+Signed-off-by: Tycho Andersen <tycho@tycho.ws>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/member.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/dlm/member.c b/fs/dlm/member.c
+index 9c47f1c14a8ba..a47ae99f7bcbc 100644
+--- a/fs/dlm/member.c
++++ b/fs/dlm/member.c
+@@ -683,7 +683,7 @@ int dlm_ls_start(struct dlm_ls *ls)
+
+ error = dlm_config_nodes(ls->ls_name, &nodes, &count);
+ if (error < 0)
+- goto fail;
++ goto fail_rv;
+
+ spin_lock(&ls->ls_recover_lock);
+
+@@ -715,8 +715,9 @@ int dlm_ls_start(struct dlm_ls *ls)
+ return 0;
+
+ fail:
+- kfree(rv);
+ kfree(nodes);
++ fail_rv:
++ kfree(rv);
+ return error;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From e57e5961a8ee5ef4a2e010df933474a8d0e920aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jul 2018 18:15:16 +0800
+Subject: f2fs: fix to spread clear_cold_data()
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit 2baf07818549c8bb8d7b3437e889b86eab56d38e ]
+
+We need to drop PG_checked flag on page as well when we clear PG_uptodate
+flag, in order to avoid treating the page as GCing one later.
+
+Signed-off-by: Weichao Guo <guoweichao@huawei.com>
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/data.c | 8 +++++++-
+ fs/f2fs/dir.c | 1 +
+ fs/f2fs/segment.c | 4 +++-
+ 3 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
+index 9041805096e0c..0206c8c20784c 100644
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -1201,6 +1201,7 @@ int do_write_data_page(struct f2fs_io_info *fio)
+ /* This page is already truncated */
+ if (fio->old_blkaddr == NULL_ADDR) {
+ ClearPageUptodate(page);
++ clear_cold_data(page);
+ goto out_writepage;
+ }
+
+@@ -1337,8 +1338,10 @@ static int f2fs_write_data_page(struct page *page,
+ clear_cold_data(page);
+ out:
+ inode_dec_dirty_pages(inode);
+- if (err)
++ if (err) {
+ ClearPageUptodate(page);
++ clear_cold_data(page);
++ }
+
+ if (wbc->for_reclaim) {
+ f2fs_submit_merged_bio_cond(sbi, NULL, page, 0, DATA, WRITE);
+@@ -1821,6 +1824,8 @@ void f2fs_invalidate_page(struct page *page, unsigned int offset,
+ inode_dec_dirty_pages(inode);
+ }
+
++ clear_cold_data(page);
++
+ /* This is atomic written page, keep Private */
+ if (IS_ATOMIC_WRITTEN_PAGE(page))
+ return;
+@@ -1839,6 +1844,7 @@ int f2fs_release_page(struct page *page, gfp_t wait)
+ if (IS_ATOMIC_WRITTEN_PAGE(page))
+ return 0;
+
++ clear_cold_data(page);
+ set_page_private(page, 0);
+ ClearPagePrivate(page);
+ return 1;
+diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
+index af719d93507e8..b414892be08b7 100644
+--- a/fs/f2fs/dir.c
++++ b/fs/f2fs/dir.c
+@@ -772,6 +772,7 @@ void f2fs_delete_entry(struct f2fs_dir_entry *dentry, struct page *page,
+ clear_page_dirty_for_io(page);
+ ClearPagePrivate(page);
+ ClearPageUptodate(page);
++ clear_cold_data(page);
+ inode_dec_dirty_pages(dir);
+ }
+ f2fs_put_page(page, 1);
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index 1d5a352138109..c4c84af1ec17a 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -227,8 +227,10 @@ static int __revoke_inmem_pages(struct inode *inode,
+ }
+ next:
+ /* we don't need to invalidate this in the sccessful status */
+- if (drop || recover)
++ if (drop || recover) {
+ ClearPageUptodate(page);
++ clear_cold_data(page);
++ }
+ set_page_private(page, 0);
+ ClearPagePrivate(page);
+ f2fs_put_page(page, 1);
+--
+2.20.1
+
--- /dev/null
+From a964c5c0201e8b2b32e171c15b39ef3eed020abc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:06:35 -0700
+Subject: fs/hfs/extent.c: fix array out of bounds read of array extent
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 6c9a3f843a29d6894dfc40df338b91dbd78f0ae3 ]
+
+Currently extent and index i are both being incremented causing an array
+out of bounds read on extent[i]. Fix this by removing the extraneous
+increment of extent.
+
+Ernesto said:
+
+: This is only triggered when deleting a file with a resource fork. I
+: may be wrong because the documentation isn't clear, but I don't think
+: you can create those under linux. So I guess nobody was testing them.
+:
+: > A disk space leak, perhaps?
+:
+: That's what it looks like in general. hfs_free_extents() won't do
+: anything if the block count doesn't add up, and the error will be
+: ignored. Now, if the block count randomly does add up, we could see
+: some corruption.
+
+Detected by CoverityScan, CID#711541 ("Out of bounds read")
+
+Link: http://lkml.kernel.org/r/20180831140538.31566-1-colin.king@canonical.com
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Ernesto A. Fernndez <ernesto.mnd.fernandez@gmail.com>
+Cc: David Howells <dhowells@redhat.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
+Cc: Vyacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/extent.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfs/extent.c b/fs/hfs/extent.c
+index 16819d2a978b4..cbe4fca96378a 100644
+--- a/fs/hfs/extent.c
++++ b/fs/hfs/extent.c
+@@ -304,7 +304,7 @@ int hfs_free_fork(struct super_block *sb, struct hfs_cat_file *file, int type)
+ return 0;
+
+ blocks = 0;
+- for (i = 0; i < 3; extent++, i++)
++ for (i = 0; i < 3; i++)
+ blocks += be16_to_cpu(extent[i].count);
+
+ res = hfs_free_extents(sb, extent, blocks, blocks);
+--
+2.20.1
+
--- /dev/null
+From 8d4342e6348471b9bb8f82b6d21b4ac894b8e880 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Oct 2018 15:02:52 -0700
+Subject: fs/ocfs2/dlm/dlmdebug.c: fix a sleep-in-atomic-context bug in
+ dlm_print_one_mle()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 999865764f5f128896402572b439269acb471022 ]
+
+The kernel module may sleep with holding a spinlock.
+
+The function call paths (from bottom to top) in Linux-4.16 are:
+
+[FUNC] get_zeroed_page(GFP_NOFS)
+fs/ocfs2/dlm/dlmdebug.c, 332: get_zeroed_page in dlm_print_one_mle
+fs/ocfs2/dlm/dlmmaster.c, 240: dlm_print_one_mle in __dlm_put_mle
+fs/ocfs2/dlm/dlmmaster.c, 255: __dlm_put_mle in dlm_put_mle
+fs/ocfs2/dlm/dlmmaster.c, 254: spin_lock in dlm_put_ml
+
+[FUNC] get_zeroed_page(GFP_NOFS)
+fs/ocfs2/dlm/dlmdebug.c, 332: get_zeroed_page in dlm_print_one_mle
+fs/ocfs2/dlm/dlmmaster.c, 240: dlm_print_one_mle in __dlm_put_mle
+fs/ocfs2/dlm/dlmmaster.c, 222: __dlm_put_mle in dlm_put_mle_inuse
+fs/ocfs2/dlm/dlmmaster.c, 219: spin_lock in dlm_put_mle_inuse
+
+To fix this bug, GFP_NOFS is replaced with GFP_ATOMIC.
+
+This bug is found by my static analysis tool DSAC.
+
+Link: http://lkml.kernel.org/r/20180901112528.27025-1-baijiaju1990@gmail.com
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Changwei Ge <ge.changwei@h3c.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/dlm/dlmdebug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ocfs2/dlm/dlmdebug.c b/fs/ocfs2/dlm/dlmdebug.c
+index e7b760deefaee..32d60f69db24c 100644
+--- a/fs/ocfs2/dlm/dlmdebug.c
++++ b/fs/ocfs2/dlm/dlmdebug.c
+@@ -329,7 +329,7 @@ void dlm_print_one_mle(struct dlm_master_list_entry *mle)
+ {
+ char *buf;
+
+- buf = (char *) get_zeroed_page(GFP_NOFS);
++ buf = (char *) get_zeroed_page(GFP_ATOMIC);
+ if (buf) {
+ dump_mle(mle, buf, PAGE_SIZE - 1);
+ free_page((unsigned long)buf);
+--
+2.20.1
+
--- /dev/null
+From 861ac6f2be4ad446b542c9f174a406a930f1b7bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Sep 2018 15:30:25 +0100
+Subject: gfs2: Fix marking bitmaps non-full
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit ec23df2b0cf3e1620f5db77972b7fb735f267eff ]
+
+Reservations in gfs can span multiple gfs2_bitmaps (but they won't span
+multiple resource groups). When removing a reservation, we want to
+clear the GBF_FULL flags of all involved gfs2_bitmaps, not just that of
+the first bitmap.
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Reviewed-by: Steven Whitehouse <swhiteho@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/rgrp.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c
+index f77a38755aea6..0a80f66365492 100644
+--- a/fs/gfs2/rgrp.c
++++ b/fs/gfs2/rgrp.c
+@@ -630,7 +630,10 @@ static void __rs_deltree(struct gfs2_blkreserv *rs)
+ RB_CLEAR_NODE(&rs->rs_node);
+
+ if (rs->rs_free) {
+- struct gfs2_bitmap *bi = rbm_bi(&rs->rs_rbm);
++ u64 last_block = gfs2_rbm_to_block(&rs->rs_rbm) +
++ rs->rs_free - 1;
++ struct gfs2_rbm last_rbm = { .rgd = rs->rs_rbm.rgd, };
++ struct gfs2_bitmap *start, *last;
+
+ /* return reserved blocks to the rgrp */
+ BUG_ON(rs->rs_rbm.rgd->rd_reserved < rs->rs_free);
+@@ -641,7 +644,13 @@ static void __rs_deltree(struct gfs2_blkreserv *rs)
+ it will force the number to be recalculated later. */
+ rgd->rd_extfail_pt += rs->rs_free;
+ rs->rs_free = 0;
+- clear_bit(GBF_FULL, &bi->bi_flags);
++ if (gfs2_rbm_from_block(&last_rbm, last_block))
++ return;
++ start = rbm_bi(&rs->rs_rbm);
++ last = rbm_bi(&last_rbm);
++ do
++ clear_bit(GBF_FULL, &start->bi_flags);
++ while (start++ != last);
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From d93da0a71756aefcb31c8072b586c713ed2397fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Oct 2018 10:04:45 -0600
+Subject: gsmi: Fix bug in append_to_eventlog sysfs handler
+
+From: Duncan Laurie <dlaurie@chromium.org>
+
+[ Upstream commit 655603de68469adaff16842ac17a5aec9c9ce89b ]
+
+The sysfs handler should return the number of bytes consumed, which in the
+case of a successful write is the entire buffer. Also fix a bug where
+param.data_len was being set to (count - (2 * sizeof(u32))) instead of just
+(count - sizeof(u32)). The latter is correct because we skip over the
+leading u32 which is our param.type, but we were also incorrectly
+subtracting sizeof(u32) on the line where we were actually setting
+param.data_len:
+
+ param.data_len = count - sizeof(u32);
+
+This meant that for our example event.kernel_software_watchdog with total
+length 10 bytes, param.data_len was just 2 prior to this change.
+
+To test, successfully append an event to the log with gsmi sysfs.
+This sample event is for a "Kernel Software Watchdog"
+
+> xxd -g 1 event.kernel_software_watchdog
+0000000: 01 00 00 00 ad de 06 00 00 00
+
+> cat event.kernel_software_watchdog > /sys/firmware/gsmi/append_to_eventlog
+
+> mosys eventlog list | tail -1
+14 | 2012-06-25 10:14:14 | Kernl Event | Software Watchdog
+
+Signed-off-by: Duncan Laurie <dlaurie@chromium.org>
+Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
+Reviewed-by: Stefan Reinauer <reinauer@chromium.org>
+Signed-off-by: Furquan Shaikh <furquan@google.com>
+Tested-by: Furquan Shaikh <furquan@chromium.org>
+Reviewed-by: Aaron Durbin <adurbin@chromium.org>
+Reviewed-by: Justin TerAvest <teravest@chromium.org>
+[zwisler: updated changelog for 2nd bug fix and upstream]
+Signed-off-by: Ross Zwisler <zwisler@google.com>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/google/gsmi.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/firmware/google/gsmi.c b/drivers/firmware/google/gsmi.c
+index c463871609764..98cdfc2ee0dff 100644
+--- a/drivers/firmware/google/gsmi.c
++++ b/drivers/firmware/google/gsmi.c
+@@ -480,11 +480,10 @@ static ssize_t eventlog_write(struct file *filp, struct kobject *kobj,
+ if (count < sizeof(u32))
+ return -EINVAL;
+ param.type = *(u32 *)buf;
+- count -= sizeof(u32);
+ buf += sizeof(u32);
+
+ /* The remaining buffer is the data payload */
+- if (count > gsmi_dev.data_buf->length)
++ if ((count - sizeof(u32)) > gsmi_dev.data_buf->length)
+ return -EINVAL;
+ param.data_len = count - sizeof(u32);
+
+@@ -504,7 +503,7 @@ static ssize_t eventlog_write(struct file *filp, struct kobject *kobj,
+
+ spin_unlock_irqrestore(&gsmi_dev.lock, flags);
+
+- return rc;
++ return (rc == 0) ? count : rc;
+
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 92574cac0ea464ffbf00b9ffa882805434496efd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:06:11 -0700
+Subject: hfs: fix BUG on bnode parent update
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+
+[ Upstream commit ef75bcc5763d130451a99825f247d301088b790b ]
+
+hfs_brec_update_parent() may hit BUG_ON() if the first record of both a
+leaf node and its parent are changed, and if this forces the parent to
+be split. It is not possible for this to happen on a valid hfs
+filesystem because the index nodes have fixed length keys.
+
+For reasons I ignore, the hfs module does have support for a number of
+hfsplus features. A corrupt btree header may report variable length
+keys and trigger this BUG, so it's better to fix it.
+
+Link: http://lkml.kernel.org/r/cf9b02d57f806217a2b1bf5db8c3e39730d8f603.1535682463.git.ernesto.mnd.fernandez@gmail.com
+Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Christoph Hellwig <hch@infradead.org>
+Cc: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/brec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c
+index 2e713673df42f..85dab71bee74f 100644
+--- a/fs/hfs/brec.c
++++ b/fs/hfs/brec.c
+@@ -444,6 +444,7 @@ static int hfs_brec_update_parent(struct hfs_find_data *fd)
+ /* restore search_key */
+ hfs_bnode_read_key(node, fd->search_key, 14);
+ }
++ new_node = NULL;
+ }
+
+ if (!rec && node->parent)
+--
+2.20.1
+
--- /dev/null
+From 36621185f26b8184dfd33c0a1f6049b5f1c6e02b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:06:24 -0700
+Subject: hfs: fix return value of hfs_get_block()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+
+[ Upstream commit 1267a07be5ebbff2d2739290f3d043ae137c15b4 ]
+
+Direct writes to empty inodes fail with EIO. The generic direct-io code
+is in part to blame (a patch has been submitted as "direct-io: allow
+direct writes to empty inodes"), but hfs is worse affected than the other
+filesystems because the fallback to buffered I/O doesn't happen.
+
+The problem is the return value of hfs_get_block() when called with
+!create. Change it to be more consistent with the other modules.
+
+Link: http://lkml.kernel.org/r/4538ab8c35ea37338490525f0f24cbc37227528c.1539195310.git.ernesto.mnd.fernandez@gmail.com
+Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+Reviewed-by: Vyacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/extent.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfs/extent.c b/fs/hfs/extent.c
+index 1bd1afefe2538..16819d2a978b4 100644
+--- a/fs/hfs/extent.c
++++ b/fs/hfs/extent.c
+@@ -345,7 +345,9 @@ int hfs_get_block(struct inode *inode, sector_t block,
+ ablock = (u32)block / HFS_SB(sb)->fs_div;
+
+ if (block >= HFS_I(inode)->fs_blocks) {
+- if (block > HFS_I(inode)->fs_blocks || !create)
++ if (!create)
++ return 0;
++ if (block > HFS_I(inode)->fs_blocks)
+ return -EIO;
+ if (ablock >= HFS_I(inode)->alloc_blocks) {
+ res = hfs_extend_file(inode);
+--
+2.20.1
+
--- /dev/null
+From 740923c7596692ef2369ee73ac1d416d4030e8bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:06:17 -0700
+Subject: hfs: prevent btree data loss on ENOSPC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+
+[ Upstream commit 54640c7502e5ed41fbf4eedd499e85f9acc9698f ]
+
+Inserting a new record in a btree may require splitting several of its
+nodes. If we hit ENOSPC halfway through, the new nodes will be left
+orphaned and their records will be lost. This could mean lost inodes or
+extents.
+
+Henceforth, check the available disk space before making any changes.
+This still leaves the potential problem of corruption on ENOMEM.
+
+There is no need to reserve space before deleting a catalog record, as we
+do for hfsplus. This difference is because hfs index nodes have fixed
+length keys.
+
+Link: http://lkml.kernel.org/r/ab5fc8a7d5ffccfd5f27b1cf2cb4ceb6c110da74.1536269131.git.ernesto.mnd.fernandez@gmail.com
+Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/btree.c | 41 +++++++++++++++++++++++++----------------
+ fs/hfs/btree.h | 1 +
+ fs/hfs/catalog.c | 16 ++++++++++++++++
+ fs/hfs/extent.c | 4 ++++
+ 4 files changed, 46 insertions(+), 16 deletions(-)
+
+diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c
+index 320f4372f1720..77eff447d3014 100644
+--- a/fs/hfs/btree.c
++++ b/fs/hfs/btree.c
+@@ -219,25 +219,17 @@ static struct hfs_bnode *hfs_bmap_new_bmap(struct hfs_bnode *prev, u32 idx)
+ return node;
+ }
+
+-struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
++/* Make sure @tree has enough space for the @rsvd_nodes */
++int hfs_bmap_reserve(struct hfs_btree *tree, int rsvd_nodes)
+ {
+- struct hfs_bnode *node, *next_node;
+- struct page **pagep;
+- u32 nidx, idx;
+- unsigned off;
+- u16 off16;
+- u16 len;
+- u8 *data, byte, m;
+- int i;
+-
+- while (!tree->free_nodes) {
+- struct inode *inode = tree->inode;
+- u32 count;
+- int res;
++ struct inode *inode = tree->inode;
++ u32 count;
++ int res;
+
++ while (tree->free_nodes < rsvd_nodes) {
+ res = hfs_extend_file(inode);
+ if (res)
+- return ERR_PTR(res);
++ return res;
+ HFS_I(inode)->phys_size = inode->i_size =
+ (loff_t)HFS_I(inode)->alloc_blocks *
+ HFS_SB(tree->sb)->alloc_blksz;
+@@ -245,9 +237,26 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
+ tree->sb->s_blocksize_bits;
+ inode_set_bytes(inode, inode->i_size);
+ count = inode->i_size >> tree->node_size_shift;
+- tree->free_nodes = count - tree->node_count;
++ tree->free_nodes += count - tree->node_count;
+ tree->node_count = count;
+ }
++ return 0;
++}
++
++struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
++{
++ struct hfs_bnode *node, *next_node;
++ struct page **pagep;
++ u32 nidx, idx;
++ unsigned off;
++ u16 off16;
++ u16 len;
++ u8 *data, byte, m;
++ int i, res;
++
++ res = hfs_bmap_reserve(tree, 1);
++ if (res)
++ return ERR_PTR(res);
+
+ nidx = 0;
+ node = hfs_bnode_find(tree, nidx);
+diff --git a/fs/hfs/btree.h b/fs/hfs/btree.h
+index f6bd266d70b55..2715f416b5a80 100644
+--- a/fs/hfs/btree.h
++++ b/fs/hfs/btree.h
+@@ -81,6 +81,7 @@ struct hfs_find_data {
+ extern struct hfs_btree *hfs_btree_open(struct super_block *, u32, btree_keycmp);
+ extern void hfs_btree_close(struct hfs_btree *);
+ extern void hfs_btree_write(struct hfs_btree *);
++extern int hfs_bmap_reserve(struct hfs_btree *, int);
+ extern struct hfs_bnode * hfs_bmap_alloc(struct hfs_btree *);
+ extern void hfs_bmap_free(struct hfs_bnode *node);
+
+diff --git a/fs/hfs/catalog.c b/fs/hfs/catalog.c
+index 8a66405b0f8b5..d365bf0b8c77d 100644
+--- a/fs/hfs/catalog.c
++++ b/fs/hfs/catalog.c
+@@ -97,6 +97,14 @@ int hfs_cat_create(u32 cnid, struct inode *dir, const struct qstr *str, struct i
+ if (err)
+ return err;
+
++ /*
++ * Fail early and avoid ENOSPC during the btree operations. We may
++ * have to split the root node at most once.
++ */
++ err = hfs_bmap_reserve(fd.tree, 2 * fd.tree->depth);
++ if (err)
++ goto err2;
++
+ hfs_cat_build_key(sb, fd.search_key, cnid, NULL);
+ entry_size = hfs_cat_build_thread(sb, &entry, S_ISDIR(inode->i_mode) ?
+ HFS_CDR_THD : HFS_CDR_FTH,
+@@ -295,6 +303,14 @@ int hfs_cat_move(u32 cnid, struct inode *src_dir, const struct qstr *src_name,
+ return err;
+ dst_fd = src_fd;
+
++ /*
++ * Fail early and avoid ENOSPC during the btree operations. We may
++ * have to split the root node at most once.
++ */
++ err = hfs_bmap_reserve(src_fd.tree, 2 * src_fd.tree->depth);
++ if (err)
++ goto out;
++
+ /* find the old dir entry and read the data */
+ hfs_cat_build_key(sb, src_fd.search_key, src_dir->i_ino, src_name);
+ err = hfs_brec_find(&src_fd);
+diff --git a/fs/hfs/extent.c b/fs/hfs/extent.c
+index e33a0d36a93eb..1bd1afefe2538 100644
+--- a/fs/hfs/extent.c
++++ b/fs/hfs/extent.c
+@@ -117,6 +117,10 @@ static int __hfs_ext_write_extent(struct inode *inode, struct hfs_find_data *fd)
+ if (HFS_I(inode)->flags & HFS_FLG_EXT_NEW) {
+ if (res != -ENOENT)
+ return res;
++ /* Fail early and avoid ENOSPC during the btree operation */
++ res = hfs_bmap_reserve(fd->tree, fd->tree->depth + 1);
++ if (res)
++ return res;
+ hfs_brec_insert(fd, HFS_I(inode)->cached_extents, sizeof(hfs_extent_rec));
+ HFS_I(inode)->flags &= ~(HFS_FLG_EXT_DIRTY|HFS_FLG_EXT_NEW);
+ } else {
+--
+2.20.1
+
--- /dev/null
+From 696f9bd11d11e7134a2a49adf9cb9f47947d42ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:06:31 -0700
+Subject: hfs: update timestamp on truncate()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+
+[ Upstream commit 8cd3cb5061730af085a3f9890a3352f162b4e20c ]
+
+The vfs takes care of updating mtime on ftruncate(), but on truncate() it
+must be done by the module.
+
+Link: http://lkml.kernel.org/r/e1611eda2985b672ed2d8677350b4ad8c2d07e8a.1539316825.git.ernesto.mnd.fernandez@gmail.com
+Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+Reviewed-by: Vyacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/inode.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
+index f776acf2378a1..de0d6d4c46b68 100644
+--- a/fs/hfs/inode.c
++++ b/fs/hfs/inode.c
+@@ -641,6 +641,8 @@ int hfs_inode_setattr(struct dentry *dentry, struct iattr * attr)
+
+ truncate_setsize(inode, attr->ia_size);
+ hfs_file_truncate(inode);
++ inode->i_atime = inode->i_mtime = inode->i_ctime =
++ current_time(inode);
+ }
+
+ setattr_copy(inode, attr);
+--
+2.20.1
+
--- /dev/null
+From 072242322dc2850c00a4653b25eaa8c7ac82bd0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:06:04 -0700
+Subject: hfsplus: fix BUG on bnode parent update
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+
+[ Upstream commit 19a9d0f1acf75e8be8cfba19c1a34e941846fa2b ]
+
+Creating, renaming or deleting a file may hit BUG_ON() if the first
+record of both a leaf node and its parent are changed, and if this
+forces the parent to be split. This bug is triggered by xfstests
+generic/027, somewhat rarely; here is a more reliable reproducer:
+
+ truncate -s 50M fs.iso
+ mkfs.hfsplus fs.iso
+ mount fs.iso /mnt
+ i=1000
+ while [ $i -le 2400 ]; do
+ touch /mnt/$i &>/dev/null
+ ((++i))
+ done
+ i=2400
+ while [ $i -ge 1000 ]; do
+ mv /mnt/$i /mnt/$(perl -e "print $i x61") &>/dev/null
+ ((--i))
+ done
+
+The issue is that a newly created bnode is being put twice. Reset
+new_node to NULL in hfs_brec_update_parent() before reaching goto again.
+
+Link: http://lkml.kernel.org/r/5ee1db09b60373a15890f6a7c835d00e76bf601d.1535682461.git.ernesto.mnd.fernandez@gmail.com
+Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+Cc: Christoph Hellwig <hch@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/brec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/hfsplus/brec.c b/fs/hfsplus/brec.c
+index 1002a0c08319b..20ce698251ad1 100644
+--- a/fs/hfsplus/brec.c
++++ b/fs/hfsplus/brec.c
+@@ -447,6 +447,7 @@ static int hfs_brec_update_parent(struct hfs_find_data *fd)
+ /* restore search_key */
+ hfs_bnode_read_key(node, fd->search_key, 14);
+ }
++ new_node = NULL;
+ }
+
+ if (!rec && node->parent)
+--
+2.20.1
+
--- /dev/null
+From a3f75f5e4096ac86e4b2e2eb91e9b8a15078b408 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:06:21 -0700
+Subject: hfsplus: fix return value of hfsplus_get_block()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+
+[ Upstream commit 839c3a6a5e1fbc8542d581911b35b2cb5cd29304 ]
+
+Direct writes to empty inodes fail with EIO. The generic direct-io code
+is in part to blame (a patch has been submitted as "direct-io: allow
+direct writes to empty inodes"), but hfsplus is worse affected than the
+other filesystems because the fallback to buffered I/O doesn't happen.
+
+The problem is the return value of hfsplus_get_block() when called with
+!create. Change it to be more consistent with the other modules.
+
+Link: http://lkml.kernel.org/r/2cd1301404ec7cf1e39c8f11a01a4302f1460ad6.1539195310.git.ernesto.mnd.fernandez@gmail.com
+Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+Reviewed-by: Vyacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/extents.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/extents.c b/fs/hfsplus/extents.c
+index ce0b8f8374081..d93c051559cb8 100644
+--- a/fs/hfsplus/extents.c
++++ b/fs/hfsplus/extents.c
+@@ -236,7 +236,9 @@ int hfsplus_get_block(struct inode *inode, sector_t iblock,
+ ablock = iblock >> sbi->fs_shift;
+
+ if (iblock >= hip->fs_blocks) {
+- if (iblock > hip->fs_blocks || !create)
++ if (!create)
++ return 0;
++ if (iblock > hip->fs_blocks)
+ return -EIO;
+ if (ablock >= hip->alloc_blocks) {
+ res = hfsplus_file_extend(inode, false);
+--
+2.20.1
+
--- /dev/null
+From 17d319d4836ac0d161a923366ef2674c2e7c34b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:06:14 -0700
+Subject: hfsplus: prevent btree data loss on ENOSPC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+
+[ Upstream commit d92915c35bfaf763d78bf1d5ac7f183420e3bd99 ]
+
+Inserting or deleting a record in a btree may require splitting several of
+its nodes. If we hit ENOSPC halfway through, the new nodes will be left
+orphaned and their records will be lost. This could mean lost inodes,
+extents or xattrs.
+
+Henceforth, check the available disk space before making any changes.
+This still leaves the potential problem of corruption on ENOMEM.
+
+The patch can be tested with xfstests generic/027.
+
+Link: http://lkml.kernel.org/r/4596eef22fbda137b4ffa0272d92f0da15364421.1536269129.git.ernesto.mnd.fernandez@gmail.com
+Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/attributes.c | 10 ++++++++++
+ fs/hfsplus/btree.c | 44 ++++++++++++++++++++++++++---------------
+ fs/hfsplus/catalog.c | 24 ++++++++++++++++++++++
+ fs/hfsplus/extents.c | 4 ++++
+ fs/hfsplus/hfsplus_fs.h | 2 ++
+ 5 files changed, 68 insertions(+), 16 deletions(-)
+
+diff --git a/fs/hfsplus/attributes.c b/fs/hfsplus/attributes.c
+index e5b221de7de63..d7455ea702878 100644
+--- a/fs/hfsplus/attributes.c
++++ b/fs/hfsplus/attributes.c
+@@ -216,6 +216,11 @@ int hfsplus_create_attr(struct inode *inode,
+ if (err)
+ goto failed_init_create_attr;
+
++ /* Fail early and avoid ENOSPC during the btree operation */
++ err = hfs_bmap_reserve(fd.tree, fd.tree->depth + 1);
++ if (err)
++ goto failed_create_attr;
++
+ if (name) {
+ err = hfsplus_attr_build_key(sb, fd.search_key,
+ inode->i_ino, name);
+@@ -312,6 +317,11 @@ int hfsplus_delete_attr(struct inode *inode, const char *name)
+ if (err)
+ return err;
+
++ /* Fail early and avoid ENOSPC during the btree operation */
++ err = hfs_bmap_reserve(fd.tree, fd.tree->depth);
++ if (err)
++ goto out;
++
+ if (name) {
+ err = hfsplus_attr_build_key(sb, fd.search_key,
+ inode->i_ino, name);
+diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
+index 8d2256454efe6..7e96b4c294f7a 100644
+--- a/fs/hfsplus/btree.c
++++ b/fs/hfsplus/btree.c
+@@ -341,26 +341,21 @@ static struct hfs_bnode *hfs_bmap_new_bmap(struct hfs_bnode *prev, u32 idx)
+ return node;
+ }
+
+-struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
++/* Make sure @tree has enough space for the @rsvd_nodes */
++int hfs_bmap_reserve(struct hfs_btree *tree, int rsvd_nodes)
+ {
+- struct hfs_bnode *node, *next_node;
+- struct page **pagep;
+- u32 nidx, idx;
+- unsigned off;
+- u16 off16;
+- u16 len;
+- u8 *data, byte, m;
+- int i;
++ struct inode *inode = tree->inode;
++ struct hfsplus_inode_info *hip = HFSPLUS_I(inode);
++ u32 count;
++ int res;
+
+- while (!tree->free_nodes) {
+- struct inode *inode = tree->inode;
+- struct hfsplus_inode_info *hip = HFSPLUS_I(inode);
+- u32 count;
+- int res;
++ if (rsvd_nodes <= 0)
++ return 0;
+
++ while (tree->free_nodes < rsvd_nodes) {
+ res = hfsplus_file_extend(inode, hfs_bnode_need_zeroout(tree));
+ if (res)
+- return ERR_PTR(res);
++ return res;
+ hip->phys_size = inode->i_size =
+ (loff_t)hip->alloc_blocks <<
+ HFSPLUS_SB(tree->sb)->alloc_blksz_shift;
+@@ -368,9 +363,26 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
+ hip->alloc_blocks << HFSPLUS_SB(tree->sb)->fs_shift;
+ inode_set_bytes(inode, inode->i_size);
+ count = inode->i_size >> tree->node_size_shift;
+- tree->free_nodes = count - tree->node_count;
++ tree->free_nodes += count - tree->node_count;
+ tree->node_count = count;
+ }
++ return 0;
++}
++
++struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
++{
++ struct hfs_bnode *node, *next_node;
++ struct page **pagep;
++ u32 nidx, idx;
++ unsigned off;
++ u16 off16;
++ u16 len;
++ u8 *data, byte, m;
++ int i, res;
++
++ res = hfs_bmap_reserve(tree, 1);
++ if (res)
++ return ERR_PTR(res);
+
+ nidx = 0;
+ node = hfs_bnode_find(tree, nidx);
+diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c
+index a5e00f7a4c143..947da72e72a30 100644
+--- a/fs/hfsplus/catalog.c
++++ b/fs/hfsplus/catalog.c
+@@ -264,6 +264,14 @@ int hfsplus_create_cat(u32 cnid, struct inode *dir,
+ if (err)
+ return err;
+
++ /*
++ * Fail early and avoid ENOSPC during the btree operations. We may
++ * have to split the root node at most once.
++ */
++ err = hfs_bmap_reserve(fd.tree, 2 * fd.tree->depth);
++ if (err)
++ goto err2;
++
+ hfsplus_cat_build_key_with_cnid(sb, fd.search_key, cnid);
+ entry_size = hfsplus_fill_cat_thread(sb, &entry,
+ S_ISDIR(inode->i_mode) ?
+@@ -332,6 +340,14 @@ int hfsplus_delete_cat(u32 cnid, struct inode *dir, const struct qstr *str)
+ if (err)
+ return err;
+
++ /*
++ * Fail early and avoid ENOSPC during the btree operations. We may
++ * have to split the root node at most once.
++ */
++ err = hfs_bmap_reserve(fd.tree, 2 * (int)fd.tree->depth - 2);
++ if (err)
++ goto out;
++
+ if (!str) {
+ int len;
+
+@@ -432,6 +448,14 @@ int hfsplus_rename_cat(u32 cnid,
+ return err;
+ dst_fd = src_fd;
+
++ /*
++ * Fail early and avoid ENOSPC during the btree operations. We may
++ * have to split the root node at most twice.
++ */
++ err = hfs_bmap_reserve(src_fd.tree, 4 * (int)src_fd.tree->depth - 1);
++ if (err)
++ goto out;
++
+ /* find the old dir entry and read the data */
+ err = hfsplus_cat_build_key(sb, src_fd.search_key,
+ src_dir->i_ino, src_name);
+diff --git a/fs/hfsplus/extents.c b/fs/hfsplus/extents.c
+index feca524ce2a5c..ce0b8f8374081 100644
+--- a/fs/hfsplus/extents.c
++++ b/fs/hfsplus/extents.c
+@@ -99,6 +99,10 @@ static int __hfsplus_ext_write_extent(struct inode *inode,
+ if (hip->extent_state & HFSPLUS_EXT_NEW) {
+ if (res != -ENOENT)
+ return res;
++ /* Fail early and avoid ENOSPC during the btree operation */
++ res = hfs_bmap_reserve(fd->tree, fd->tree->depth + 1);
++ if (res)
++ return res;
+ hfs_brec_insert(fd, hip->cached_extents,
+ sizeof(hfsplus_extent_rec));
+ hip->extent_state &= ~(HFSPLUS_EXT_DIRTY | HFSPLUS_EXT_NEW);
+diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h
+index a3f03b2474637..35cd703c66045 100644
+--- a/fs/hfsplus/hfsplus_fs.h
++++ b/fs/hfsplus/hfsplus_fs.h
+@@ -311,6 +311,7 @@ static inline unsigned short hfsplus_min_io_size(struct super_block *sb)
+ #define hfs_btree_open hfsplus_btree_open
+ #define hfs_btree_close hfsplus_btree_close
+ #define hfs_btree_write hfsplus_btree_write
++#define hfs_bmap_reserve hfsplus_bmap_reserve
+ #define hfs_bmap_alloc hfsplus_bmap_alloc
+ #define hfs_bmap_free hfsplus_bmap_free
+ #define hfs_bnode_read hfsplus_bnode_read
+@@ -395,6 +396,7 @@ u32 hfsplus_calc_btree_clump_size(u32 block_size, u32 node_size, u64 sectors,
+ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id);
+ void hfs_btree_close(struct hfs_btree *tree);
+ int hfs_btree_write(struct hfs_btree *tree);
++int hfs_bmap_reserve(struct hfs_btree *tree, int rsvd_nodes);
+ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree);
+ void hfs_bmap_free(struct hfs_bnode *node);
+
+--
+2.20.1
+
--- /dev/null
+From 0422dd32c4d90ba87f5e282cbef6d7c4e9cc1e70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:06:27 -0700
+Subject: hfsplus: update timestamps on truncate()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+
+[ Upstream commit dc8844aada735890a6de109bef327f5df36a982e ]
+
+The vfs takes care of updating ctime and mtime on ftruncate(), but on
+truncate() it must be done by the module.
+
+This patch can be tested with xfstests generic/313.
+
+Link: http://lkml.kernel.org/r/9beb0913eea37288599e8e1b7cec8768fb52d1b8.1539316825.git.ernesto.mnd.fernandez@gmail.com
+Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+Reviewed-by: Vyacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/inode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/hfsplus/inode.c b/fs/hfsplus/inode.c
+index 2e796f8302ffa..cfd380e2743d1 100644
+--- a/fs/hfsplus/inode.c
++++ b/fs/hfsplus/inode.c
+@@ -260,6 +260,7 @@ static int hfsplus_setattr(struct dentry *dentry, struct iattr *attr)
+ }
+ truncate_setsize(inode, attr->ia_size);
+ hfsplus_file_truncate(inode);
++ inode->i_mtime = inode->i_ctime = current_time(inode);
+ }
+
+ setattr_copy(inode, attr);
+--
+2.20.1
+
--- /dev/null
+From 1cb0007ae0f0e87df7a561d60088cb0ad0d71d88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Oct 2018 13:13:39 +0200
+Subject: igb: shorten maximum PHC timecounter update interval
+
+From: Miroslav Lichvar <mlichvar@redhat.com>
+
+[ Upstream commit 094bf4d0e9657f6ea1ee3d7e07ce3970796949ce ]
+
+The timecounter needs to be updated at least once per ~550 seconds in
+order to avoid a 40-bit SYSTIM timestamp to be misinterpreted as an old
+timestamp.
+
+Since commit 500462a9d ("timers: Switch to a non-cascading wheel"),
+scheduling of delayed work seems to be less accurate and a requested
+delay of 540 seconds may actually be longer than 550 seconds. Shorten
+the delay to 480 seconds to be sure the timecounter is updated in time.
+
+This fixes an issue with HW timestamps on 82580/I350/I354 being off by
+~1100 seconds for few seconds every ~9 minutes.
+
+Cc: Jacob Keller <jacob.e.keller@intel.com>
+Cc: Richard Cochran <richardcochran@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_ptp.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_ptp.c b/drivers/net/ethernet/intel/igb/igb_ptp.c
+index 9eb9b68f8935e..ae1f963b60923 100644
+--- a/drivers/net/ethernet/intel/igb/igb_ptp.c
++++ b/drivers/net/ethernet/intel/igb/igb_ptp.c
+@@ -65,9 +65,15 @@
+ *
+ * The 40 bit 82580 SYSTIM overflows every
+ * 2^40 * 10^-9 / 60 = 18.3 minutes.
++ *
++ * SYSTIM is converted to real time using a timecounter. As
++ * timecounter_cyc2time() allows old timestamps, the timecounter
++ * needs to be updated at least once per half of the SYSTIM interval.
++ * Scheduling of delayed work is not very accurate, so we aim for 8
++ * minutes to be sure the actual interval is shorter than 9.16 minutes.
+ */
+
+-#define IGB_SYSTIM_OVERFLOW_PERIOD (HZ * 60 * 9)
++#define IGB_SYSTIM_OVERFLOW_PERIOD (HZ * 60 * 8)
+ #define IGB_PTP_TX_TIMEOUT (HZ * 15)
+ #define INCPERIOD_82576 BIT(E1000_TIMINCA_16NS_SHIFT)
+ #define INCVALUE_82576_MASK GENMASK(E1000_TIMINCA_16NS_SHIFT - 1, 0)
+--
+2.20.1
+
--- /dev/null
+From ae5f561b447cbd94594eb41bf53431614cd7e496 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Oct 2018 16:59:51 -0400
+Subject: kprobes, x86/ptrace.h: Make regs_get_kernel_stack_nth() not fault on
+ bad stack
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+[ Upstream commit c2712b858187f5bcd7b042fe4daa3ba3a12635c0 ]
+
+Andy had some concerns about using regs_get_kernel_stack_nth() in a new
+function regs_get_kernel_argument() as if there's any error in the stack
+code, it could cause a bad memory access. To be on the safe side, call
+probe_kernel_read() on the stack address to be extra careful in accessing
+the memory. A helper function, regs_get_kernel_stack_nth_addr(), was added
+to just return the stack address (or NULL if not on the stack), that will be
+used to find the address (and could be used by other functions) and read the
+address with kernel_probe_read().
+
+Requested-by: Andy Lutomirski <luto@amacapital.net>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20181017165951.09119177@gandalf.local.home
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/ptrace.h | 42 +++++++++++++++++++++++++++++------
+ 1 file changed, 35 insertions(+), 7 deletions(-)
+
+diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h
+index ea78a8438a8af..fb489cd848faa 100644
+--- a/arch/x86/include/asm/ptrace.h
++++ b/arch/x86/include/asm/ptrace.h
+@@ -199,24 +199,52 @@ static inline int regs_within_kernel_stack(struct pt_regs *regs,
+ (kernel_stack_pointer(regs) & ~(THREAD_SIZE - 1)));
+ }
+
++/**
++ * regs_get_kernel_stack_nth_addr() - get the address of the Nth entry on stack
++ * @regs: pt_regs which contains kernel stack pointer.
++ * @n: stack entry number.
++ *
++ * regs_get_kernel_stack_nth() returns the address of the @n th entry of the
++ * kernel stack which is specified by @regs. If the @n th entry is NOT in
++ * the kernel stack, this returns NULL.
++ */
++static inline unsigned long *regs_get_kernel_stack_nth_addr(struct pt_regs *regs, unsigned int n)
++{
++ unsigned long *addr = (unsigned long *)kernel_stack_pointer(regs);
++
++ addr += n;
++ if (regs_within_kernel_stack(regs, (unsigned long)addr))
++ return addr;
++ else
++ return NULL;
++}
++
++/* To avoid include hell, we can't include uaccess.h */
++extern long probe_kernel_read(void *dst, const void *src, size_t size);
++
+ /**
+ * regs_get_kernel_stack_nth() - get Nth entry of the stack
+ * @regs: pt_regs which contains kernel stack pointer.
+ * @n: stack entry number.
+ *
+ * regs_get_kernel_stack_nth() returns @n th entry of the kernel stack which
+- * is specified by @regs. If the @n th entry is NOT in the kernel stack,
++ * is specified by @regs. If the @n th entry is NOT in the kernel stack
+ * this returns 0.
+ */
+ static inline unsigned long regs_get_kernel_stack_nth(struct pt_regs *regs,
+ unsigned int n)
+ {
+- unsigned long *addr = (unsigned long *)kernel_stack_pointer(regs);
+- addr += n;
+- if (regs_within_kernel_stack(regs, (unsigned long)addr))
+- return *addr;
+- else
+- return 0;
++ unsigned long *addr;
++ unsigned long val;
++ long ret;
++
++ addr = regs_get_kernel_stack_nth_addr(regs, n);
++ if (addr) {
++ ret = probe_kernel_read(&val, addr, sizeof(val));
++ if (!ret)
++ return val;
++ }
++ return 0;
+ }
+
+ #define arch_has_single_step() (1)
+--
+2.20.1
+
--- /dev/null
+From 566c97233809f67e717e141463a255f5315cbeb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Oct 2018 19:40:43 +0200
+Subject: KVM/x86: Fix invvpid and invept register operand size in 64-bit mode
+
+From: Uros Bizjak <ubizjak@gmail.com>
+
+[ Upstream commit 5ebb272b2ea7e02911a03a893f8d922d49f9bb4a ]
+
+Register operand size of invvpid and invept instruction in 64-bit mode
+has always 64 bits. Adjust inline function argument type to reflect
+correct size.
+
+Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 4c0d6d0d6337f..f76caa03f4f80 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -1547,7 +1547,7 @@ static int __find_msr_index(struct vcpu_vmx *vmx, u32 msr)
+ return -1;
+ }
+
+-static inline void __invvpid(int ext, u16 vpid, gva_t gva)
++static inline void __invvpid(unsigned long ext, u16 vpid, gva_t gva)
+ {
+ struct {
+ u64 vpid : 16;
+@@ -1561,7 +1561,7 @@ static inline void __invvpid(int ext, u16 vpid, gva_t gva)
+ : : "a"(&operand), "c"(ext) : "cc", "memory");
+ }
+
+-static inline void __invept(int ext, u64 eptp, gpa_t gpa)
++static inline void __invept(unsigned long ext, u64 eptp, gpa_t gpa)
+ {
+ struct {
+ u64 eptp, gpa;
+--
+2.20.1
+
--- /dev/null
+From 8a38f10b6a37677bb46ce95efddf9d3bd59ca92a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:05:07 -0700
+Subject: linux/bitmap.h: fix type of nbits in bitmap_shift_right()
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+[ Upstream commit d9873969fa8725dc6a5a21ab788c057fd8719751 ]
+
+Most other bitmap API, including the OOL version __bitmap_shift_right,
+take unsigned nbits. This was accidentally left out from 2fbad29917c98.
+
+Link: http://lkml.kernel.org/r/20180818131623.8755-5-linux@rasmusvillemoes.dk
+Fixes: 2fbad29917c98 ("lib: bitmap: change bitmap_shift_right to take unsigned parameters")
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Reported-by: Yury Norov <ynorov@caviumnetworks.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Cc: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bitmap.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/bitmap.h b/include/linux/bitmap.h
+index dc56304ac829f..dec03c0dbc214 100644
+--- a/include/linux/bitmap.h
++++ b/include/linux/bitmap.h
+@@ -321,7 +321,7 @@ static __always_inline int bitmap_weight(const unsigned long *src, unsigned int
+ }
+
+ static inline void bitmap_shift_right(unsigned long *dst, const unsigned long *src,
+- unsigned int shift, int nbits)
++ unsigned int shift, unsigned int nbits)
+ {
+ if (small_const_nbits(nbits))
+ *dst = (*src & BITMAP_LAST_WORD_MASK(nbits)) >> shift;
+--
+2.20.1
+
--- /dev/null
+From 94646d697b833330f67bfdcdc1ba525c49f72e6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:04:59 -0700
+Subject: linux/bitmap.h: handle constant zero-size bitmaps correctly
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+[ Upstream commit 7275b097851a5e2e0dd4da039c7e96b59ac5314e ]
+
+The static inlines in bitmap.h do not handle a compile-time constant
+nbits==0 correctly (they dereference the passed src or dst pointers,
+despite only 0 words being valid to access). I had the 0-day buildbot
+chew on a patch [1] that would cause build failures for such cases without
+complaining, suggesting that we don't have any such users currently, at
+least for the 70 .config/arch combinations that was built. Should any
+turn up, make sure they use the out-of-line versions, which do handle
+nbits==0 correctly.
+
+This is of course not the most efficient, but it's much less churn than
+teaching all the static inlines an "if (zero_const_nbits())", and since we
+don't have any current instances, this doesn't affect existing code at
+all.
+
+[1] lkml.kernel.org/r/20180815085539.27485-1-linux@rasmusvillemoes.dk
+
+Link: http://lkml.kernel.org/r/20180818131623.8755-3-linux@rasmusvillemoes.dk
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Cc: Yury Norov <ynorov@caviumnetworks.com>
+Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Cc: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bitmap.h | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/bitmap.h b/include/linux/bitmap.h
+index 3b77588a93602..dc56304ac829f 100644
+--- a/include/linux/bitmap.h
++++ b/include/linux/bitmap.h
+@@ -185,8 +185,13 @@ extern int bitmap_print_to_pagebuf(bool list, char *buf,
+ #define BITMAP_FIRST_WORD_MASK(start) (~0UL << ((start) & (BITS_PER_LONG - 1)))
+ #define BITMAP_LAST_WORD_MASK(nbits) (~0UL >> (-(nbits) & (BITS_PER_LONG - 1)))
+
++/*
++ * The static inlines below do not handle constant nbits==0 correctly,
++ * so make such users (should any ever turn up) call the out-of-line
++ * versions.
++ */
+ #define small_const_nbits(nbits) \
+- (__builtin_constant_p(nbits) && (nbits) <= BITS_PER_LONG)
++ (__builtin_constant_p(nbits) && (nbits) <= BITS_PER_LONG && (nbits) > 0)
+
+ static inline void bitmap_zero(unsigned long *dst, unsigned int nbits)
+ {
+--
+2.20.1
+
--- /dev/null
+From 67fabc780e1c98b1b7381b578c51c4d1da70d735 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Sep 2018 14:44:25 +0200
+Subject: m68k: fix command-line parsing when passed from u-boot
+
+From: Angelo Dureghello <angelo@sysam.it>
+
+[ Upstream commit 381fdd62c38344a771aed06adaf14aae65c47454 ]
+
+This patch fixes command_line array zero-terminated
+one byte over the end of the array, causing boot to hang.
+
+Signed-off-by: Angelo Dureghello <angelo@sysam.it>
+Signed-off-by: Greg Ungerer <gerg@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/kernel/uboot.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/m68k/kernel/uboot.c b/arch/m68k/kernel/uboot.c
+index b3536a82a2620..e002084af1012 100644
+--- a/arch/m68k/kernel/uboot.c
++++ b/arch/m68k/kernel/uboot.c
+@@ -103,5 +103,5 @@ __init void process_uboot_commandline(char *commandp, int size)
+ }
+
+ parse_uboot_commandline(commandp, len);
+- commandp[size - 1] = 0;
++ commandp[len - 1] = 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From f8809c622b9ae17458f5d86c06d58290ae00bf4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Oct 2018 11:18:49 +1100
+Subject: macintosh/windfarm_smu_sat: Fix debug output
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+[ Upstream commit fc0c8b36d379a046525eacb9c3323ca635283757 ]
+
+There's some antiquated debug output that's trying
+to do a hand-made hexdump and turning into horrible
+1-byte-per-line output these days.
+
+Use print_hex_dump() instead
+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/macintosh/windfarm_smu_sat.c | 25 +++++++------------------
+ 1 file changed, 7 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/macintosh/windfarm_smu_sat.c b/drivers/macintosh/windfarm_smu_sat.c
+index ad6223e883404..3d310dd60a0be 100644
+--- a/drivers/macintosh/windfarm_smu_sat.c
++++ b/drivers/macintosh/windfarm_smu_sat.c
+@@ -22,14 +22,6 @@
+
+ #define VERSION "1.0"
+
+-#define DEBUG
+-
+-#ifdef DEBUG
+-#define DBG(args...) printk(args)
+-#else
+-#define DBG(args...) do { } while(0)
+-#endif
+-
+ /* If the cache is older than 800ms we'll refetch it */
+ #define MAX_AGE msecs_to_jiffies(800)
+
+@@ -106,13 +98,10 @@ struct smu_sdbp_header *smu_sat_get_sdb_partition(unsigned int sat_id, int id,
+ buf[i+2] = data[3];
+ buf[i+3] = data[2];
+ }
+-#ifdef DEBUG
+- DBG(KERN_DEBUG "sat %d partition %x:", sat_id, id);
+- for (i = 0; i < len; ++i)
+- DBG(" %x", buf[i]);
+- DBG("\n");
+-#endif
+
++ printk(KERN_DEBUG "sat %d partition %x:", sat_id, id);
++ print_hex_dump(KERN_DEBUG, " ", DUMP_PREFIX_OFFSET,
++ 16, 1, buf, len, false);
+ if (size)
+ *size = len;
+ return (struct smu_sdbp_header *) buf;
+@@ -132,13 +121,13 @@ static int wf_sat_read_cache(struct wf_sat *sat)
+ if (err < 0)
+ return err;
+ sat->last_read = jiffies;
++
+ #ifdef LOTSA_DEBUG
+ {
+ int i;
+- DBG(KERN_DEBUG "wf_sat_get: data is");
+- for (i = 0; i < 16; ++i)
+- DBG(" %.2x", sat->cache[i]);
+- DBG("\n");
++ printk(KERN_DEBUG "wf_sat_get: data is");
++ print_hex_dump(KERN_DEBUG, " ", DUMP_PREFIX_OFFSET,
++ 16, 1, sat->cache, 16, false);
+ }
+ #endif
+ return 0;
+--
+2.20.1
+
--- /dev/null
+From 57302dd2ff63b5dfe58a4efafccd4d078738181b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Oct 2018 09:33:10 +0100
+Subject: macsec: let the administrator set UP state even if lowerdev is down
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 07bddef9839378bd6f95b393cf24c420529b4ef1 ]
+
+Currently, the kernel doesn't let the administrator set a macsec device
+up unless its lower device is currently up. This is inconsistent, as a
+macsec device that is up won't automatically go down when its lower
+device goes down.
+
+Now that linkstate propagation works, there's really no reason for this
+limitation, so let's remove it.
+
+Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
+Reported-by: Radu Rendec <radu.rendec@gmail.com>
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macsec.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index d2a3825376be5..a48ed0873cc72 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -2798,9 +2798,6 @@ static int macsec_dev_open(struct net_device *dev)
+ struct net_device *real_dev = macsec->real_dev;
+ int err;
+
+- if (!(real_dev->flags & IFF_UP))
+- return -ENETDOWN;
+-
+ err = dev_uc_add(real_dev, dev->dev_addr);
+ if (err < 0)
+ return err;
+--
+2.20.1
+
--- /dev/null
+From 91d100e38c91965e6750c2ccfcba9cc40a1e60c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Oct 2018 09:33:09 +0100
+Subject: macsec: update operstate when lower device changes
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit e6ac075882b2afcdf2d5ab328ce4ab42a1eb9593 ]
+
+Like all other virtual devices (macvlan, vlan), the operstate of a
+macsec device should match the state of its lower device. This is done
+by calling netif_stacked_transfer_operstate from its netdevice notifier.
+
+We also need to call netif_stacked_transfer_operstate when a new macsec
+device is created, so that its operstate is set properly. This is only
+relevant when we try to bring the device up directly when we create it.
+
+Radu Rendec proposed a similar patch, inspired from the 802.1q driver,
+that included changing the administrative state of the macsec device,
+instead of just the operstate. This version is similar to what the
+macvlan driver does, and updates only the operstate.
+
+Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
+Reported-by: Radu Rendec <radu.rendec@gmail.com>
+Reported-by: Patrick Talbert <ptalbert@redhat.com>
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macsec.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index da10104be16cf..d2a3825376be5 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -3275,6 +3275,9 @@ static int macsec_newlink(struct net *net, struct net_device *dev,
+ if (err < 0)
+ goto del_dev;
+
++ netif_stacked_transfer_operstate(real_dev, dev);
++ linkwatch_fire_event(dev);
++
+ macsec_generation++;
+
+ return 0;
+@@ -3446,6 +3449,20 @@ static int macsec_notify(struct notifier_block *this, unsigned long event,
+ return NOTIFY_DONE;
+
+ switch (event) {
++ case NETDEV_DOWN:
++ case NETDEV_UP:
++ case NETDEV_CHANGE: {
++ struct macsec_dev *m, *n;
++ struct macsec_rxh_data *rxd;
++
++ rxd = macsec_data_rtnl(real_dev);
++ list_for_each_entry_safe(m, n, &rxd->secys, secys) {
++ struct net_device *dev = m->secy.netdev;
++
++ netif_stacked_transfer_operstate(real_dev, dev);
++ }
++ break;
++ }
+ case NETDEV_UNREGISTER: {
+ struct macsec_dev *m, *n;
+ struct macsec_rxh_data *rxd;
+--
+2.20.1
+
--- /dev/null
+From 8a816f3ea7b3455ebad48bd02f6ae91877c72cd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Aug 2018 19:52:44 +0530
+Subject: mfd: arizona: Correct calling of runtime_put_sync
+
+From: Sapthagiri Baratam <sapthagiri.baratam@cirrus.com>
+
+[ Upstream commit 6b269a41a4520f7eb639e61a45ebbb9c9267d5e0 ]
+
+Don't call runtime_put_sync when clk32k_ref is ARIZONA_32KZ_MCLK2
+as there is no corresponding runtime_get_sync call.
+
+MCLK1 is not in the AoD power domain so if it is used as 32kHz clock
+source we need to hold a runtime PM reference to keep the device from
+going into low power mode.
+
+Fixes: cdd8da8cc66b ("mfd: arizona: Add gating of external MCLKn clocks")
+Signed-off-by: Sapthagiri Baratam <sapthagiri.baratam@cirrus.com>
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/arizona-core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mfd/arizona-core.c b/drivers/mfd/arizona-core.c
+index 0556a9749dbe0..1f0c2b594654e 100644
+--- a/drivers/mfd/arizona-core.c
++++ b/drivers/mfd/arizona-core.c
+@@ -52,8 +52,10 @@ int arizona_clk32k_enable(struct arizona *arizona)
+ if (ret != 0)
+ goto err_ref;
+ ret = clk_prepare_enable(arizona->mclk[ARIZONA_MCLK1]);
+- if (ret != 0)
+- goto err_pm;
++ if (ret != 0) {
++ pm_runtime_put_sync(arizona->dev);
++ goto err_ref;
++ }
+ break;
+ case ARIZONA_32KZ_MCLK2:
+ ret = clk_prepare_enable(arizona->mclk[ARIZONA_MCLK2]);
+@@ -67,8 +69,6 @@ int arizona_clk32k_enable(struct arizona *arizona)
+ ARIZONA_CLK_32K_ENA);
+ }
+
+-err_pm:
+- pm_runtime_put_sync(arizona->dev);
+ err_ref:
+ if (ret != 0)
+ arizona->clk32k_ref--;
+--
+2.20.1
+
--- /dev/null
+From ee72bd7891200888d77e6b98f518ddac833b65bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Sep 2018 13:54:07 +0200
+Subject: mfd: max8997: Enale irq-wakeup unconditionally
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+[ Upstream commit efddff27c886e729a7f84a7205bd84d7d4af7336 ]
+
+IRQ wake up support for MAX8997 driver was initially configured by
+respective property in pdata. However, after the driver conversion to
+device-tree, setting it was left as 'todo'. Nowadays most of other PMIC MFD
+drivers initialized from device-tree assume that they can be an irq wakeup
+source, so enable it also for MAX8997. This fixes support for wakeup from
+MAX8997 RTC alarm.
+
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/max8997.c | 8 +-------
+ include/linux/mfd/max8997.h | 1 -
+ 2 files changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/drivers/mfd/max8997.c b/drivers/mfd/max8997.c
+index 2d6e2c3927862..4a2fc59d59016 100644
+--- a/drivers/mfd/max8997.c
++++ b/drivers/mfd/max8997.c
+@@ -155,12 +155,6 @@ static struct max8997_platform_data *max8997_i2c_parse_dt_pdata(
+
+ pd->ono = irq_of_parse_and_map(dev->of_node, 1);
+
+- /*
+- * ToDo: the 'wakeup' member in the platform data is more of a linux
+- * specfic information. Hence, there is no binding for that yet and
+- * not parsed here.
+- */
+-
+ return pd;
+ }
+
+@@ -248,7 +242,7 @@ static int max8997_i2c_probe(struct i2c_client *i2c,
+ */
+
+ /* MAX8997 has a power button input. */
+- device_init_wakeup(max8997->dev, pdata->wakeup);
++ device_init_wakeup(max8997->dev, true);
+
+ return ret;
+
+diff --git a/include/linux/mfd/max8997.h b/include/linux/mfd/max8997.h
+index cf815577bd686..3ae1fe743bc34 100644
+--- a/include/linux/mfd/max8997.h
++++ b/include/linux/mfd/max8997.h
+@@ -178,7 +178,6 @@ struct max8997_led_platform_data {
+ struct max8997_platform_data {
+ /* IRQ */
+ int ono;
+- int wakeup;
+
+ /* ---- PMIC ---- */
+ struct max8997_regulator_data *regulators;
+--
+2.20.1
+
--- /dev/null
+From 63fcd757b1b5d05a4fb9347a5ada859a3bc322fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Aug 2018 17:02:40 -0300
+Subject: mfd: mc13xxx-core: Fix PMIC shutdown when reading ADC values
+
+From: Fabio Estevam <fabio.estevam@nxp.com>
+
+[ Upstream commit 55143439b7b501882bea9d95a54adfe00ffc79a3 ]
+
+When trying to read any MC13892 ADC channel on a imx51-babbage board:
+
+The MC13892 PMIC shutdowns completely.
+
+After debugging this issue and comparing the MC13892 and MC13783
+initializations done in the vendor kernel, it was noticed that the
+CHRGRAWDIV bit of the ADC0 register was not being set.
+
+This bit is set by default after power on, but the driver was
+clearing it.
+
+After setting this bit it is possible to read the ADC values correctly.
+
+Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
+Tested-by: Chris Healy <cphealy@gmail.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/mc13xxx-core.c | 3 ++-
+ include/linux/mfd/mc13xxx.h | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/mc13xxx-core.c b/drivers/mfd/mc13xxx-core.c
+index 6c16f170529f5..75d52034f89da 100644
+--- a/drivers/mfd/mc13xxx-core.c
++++ b/drivers/mfd/mc13xxx-core.c
+@@ -278,7 +278,8 @@ int mc13xxx_adc_do_conversion(struct mc13xxx *mc13xxx, unsigned int mode,
+ if (ret)
+ goto out;
+
+- adc0 = MC13XXX_ADC0_ADINC1 | MC13XXX_ADC0_ADINC2;
++ adc0 = MC13XXX_ADC0_ADINC1 | MC13XXX_ADC0_ADINC2 |
++ MC13XXX_ADC0_CHRGRAWDIV;
+ adc1 = MC13XXX_ADC1_ADEN | MC13XXX_ADC1_ADTRIGIGN | MC13XXX_ADC1_ASC;
+
+ if (channel > 7)
+diff --git a/include/linux/mfd/mc13xxx.h b/include/linux/mfd/mc13xxx.h
+index 638222e43e489..93011c61aafd2 100644
+--- a/include/linux/mfd/mc13xxx.h
++++ b/include/linux/mfd/mc13xxx.h
+@@ -247,6 +247,7 @@ struct mc13xxx_platform_data {
+ #define MC13XXX_ADC0_TSMOD0 (1 << 12)
+ #define MC13XXX_ADC0_TSMOD1 (1 << 13)
+ #define MC13XXX_ADC0_TSMOD2 (1 << 14)
++#define MC13XXX_ADC0_CHRGRAWDIV (1 << 15)
+ #define MC13XXX_ADC0_ADINC1 (1 << 16)
+ #define MC13XXX_ADC0_ADINC2 (1 << 17)
+
+--
+2.20.1
+
--- /dev/null
+From ee49698b283de968622355c24aaae7940e95779a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Oct 2018 18:38:28 -0500
+Subject: misc: mic: fix a DMA pool free failure
+
+From: Wenwen Wang <wang6495@umn.edu>
+
+[ Upstream commit 6b995f4eec34745f6cb20d66d5277611f0b3c3fa ]
+
+In _scif_prog_signal(), the boolean variable 'x100' is used to indicate
+whether the MIC Coprocessor is X100. If 'x100' is true, the status
+descriptor will be used to write the value to the destination. Otherwise, a
+DMA pool will be allocated for this purpose. Specifically, if the DMA pool
+is allocated successfully, two memory addresses will be returned. One is
+for the CPU and the other is for the device to access the DMA pool. The
+former is stored to the variable 'status' and the latter is stored to the
+variable 'src'. After the allocation, the address in 'src' is saved to
+'status->src_dma_addr', which is actually in the DMA pool, and 'src' is
+then modified.
+
+Later on, if an error occurs, the execution flow will transfer to the label
+'dma_fail', which will check 'x100' and free up the allocated DMA pool if
+'x100' is false. The point here is that 'status->src_dma_addr' is used for
+freeing up the DMA pool. As mentioned before, 'status->src_dma_addr' is in
+the DMA pool. And thus, the device is able to modify this data. This can
+potentially cause failures when freeing up the DMA pool because of the
+modified device address.
+
+This patch avoids the above issue by using the variable 'src' (with
+necessary calculation) to free up the DMA pool.
+
+Signed-off-by: Wenwen Wang <wang6495@umn.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/mic/scif/scif_fence.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/misc/mic/scif/scif_fence.c b/drivers/misc/mic/scif/scif_fence.c
+index cac3bcc308a7e..7bb929f05d852 100644
+--- a/drivers/misc/mic/scif/scif_fence.c
++++ b/drivers/misc/mic/scif/scif_fence.c
+@@ -272,7 +272,7 @@ static int _scif_prog_signal(scif_epd_t epd, dma_addr_t dst, u64 val)
+ dma_fail:
+ if (!x100)
+ dma_pool_free(ep->remote_dev->signal_pool, status,
+- status->src_dma_addr);
++ src - offsetof(struct scif_status, val));
+ alloc_fail:
+ return err;
+ }
+--
+2.20.1
+
--- /dev/null
+From 10035449294e8f7834c1d2bf86cb00e16e988592 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Oct 2018 11:00:30 -0700
+Subject: mISDN: Fix type of switch control variable in ctrl_teimanager
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit aeb5e02aca91522733eb1db595ac607d30c87767 ]
+
+Clang warns (trimmed for brevity):
+
+drivers/isdn/mISDN/tei.c:1193:7: warning: overflow converting case value
+to switch condition type (2147764552 to 18446744071562348872) [-Wswitch]
+ case IMHOLD_L1:
+ ^
+drivers/isdn/mISDN/tei.c:1187:7: warning: overflow converting case value
+to switch condition type (2147764550 to 18446744071562348870) [-Wswitch]
+ case IMCLEAR_L2:
+ ^
+2 warnings generated.
+
+The root cause is that the _IOC macro can generate really large numbers,
+which don't find into type int. My research into how GCC and Clang are
+handling this at a low level didn't prove fruitful and surveying the
+kernel tree shows that aside from here and a few places in the scsi
+subsystem, everything that uses _IOC is at least of type 'unsigned int'.
+Make that change here because as nothing in this function cares about
+the signedness of the variable and it removes ambiguity, which is never
+good when dealing with compilers.
+
+While we're here, remove the unnecessary local variable ret (just return
+-EINVAL and 0 directly).
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/67
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/mISDN/tei.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/isdn/mISDN/tei.c b/drivers/isdn/mISDN/tei.c
+index 592f597d89518..8261afbbafb05 100644
+--- a/drivers/isdn/mISDN/tei.c
++++ b/drivers/isdn/mISDN/tei.c
+@@ -1180,8 +1180,7 @@ static int
+ ctrl_teimanager(struct manager *mgr, void *arg)
+ {
+ /* currently we only have one option */
+- int *val = (int *)arg;
+- int ret = 0;
++ unsigned int *val = (unsigned int *)arg;
+
+ switch (val[0]) {
+ case IMCLEAR_L2:
+@@ -1197,9 +1196,9 @@ ctrl_teimanager(struct manager *mgr, void *arg)
+ test_and_clear_bit(OPTION_L1_HOLD, &mgr->options);
+ break;
+ default:
+- ret = -EINVAL;
++ return -EINVAL;
+ }
+- return ret;
++ return 0;
+ }
+
+ /* This function does create a L2 for fixed TEI in NT Mode */
+--
+2.20.1
+
--- /dev/null
+From f6835ab9034e37be557587b78ec6d7dc53406123 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Apr 2019 12:07:17 +0800
+Subject: mm/memory_hotplug: Do not unlock when fails to take the
+ device_hotplug_lock
+
+From: zhong jiang <zhongjiang@huawei.com>
+
+[ Upstream commit d2ab99403ee00d8014e651728a4702ea1ae5e52c ]
+
+When adding the memory by probing memory block in sysfs interface, there is an
+obvious issue that we will unlock the device_hotplug_lock when fails to takes it.
+
+That issue was introduced in Commit 8df1d0e4a265
+("mm/memory_hotplug: make add_memory() take the device_hotplug_lock")
+
+We should drop out in time when fails to take the device_hotplug_lock.
+
+Fixes: 8df1d0e4a265 ("mm/memory_hotplug: make add_memory() take the device_hotplug_lock")
+Reported-by: Yang yingliang <yangyingliang@huawei.com>
+Signed-off-by: zhong jiang <zhongjiang@huawei.com>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/memory.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/base/memory.c b/drivers/base/memory.c
+index 9f96f1b43c15f..6a3694a4843f8 100644
+--- a/drivers/base/memory.c
++++ b/drivers/base/memory.c
+@@ -502,7 +502,7 @@ memory_probe_store(struct device *dev, struct device_attribute *attr,
+
+ ret = lock_device_hotplug_sysfs();
+ if (ret)
+- goto out;
++ return ret;
+
+ nid = memory_add_physaddr_to_nid(phys_addr);
+ ret = __add_memory(nid, phys_addr,
+--
+2.20.1
+
--- /dev/null
+From 9c196251d942b0555d572d60eb79b4a90fa980aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:10:24 -0700
+Subject: mm/memory_hotplug: make add_memory() take the device_hotplug_lock
+
+From: David Hildenbrand <david@redhat.com>
+
+[ Upstream commit 8df1d0e4a265f25dc1e7e7624ccdbcb4a6630c89 ]
+
+add_memory() currently does not take the device_hotplug_lock, however
+is aleady called under the lock from
+ arch/powerpc/platforms/pseries/hotplug-memory.c
+ drivers/acpi/acpi_memhotplug.c
+to synchronize against CPU hot-remove and similar.
+
+In general, we should hold the device_hotplug_lock when adding memory to
+synchronize against online/offline request (e.g. from user space) - which
+already resulted in lock inversions due to device_lock() and
+mem_hotplug_lock - see 30467e0b3be ("mm, hotplug: fix concurrent memory
+hot-add deadlock"). add_memory()/add_memory_resource() will create memory
+block devices, so this really feels like the right thing to do.
+
+Holding the device_hotplug_lock makes sure that a memory block device
+can really only be accessed (e.g. via .online/.state) from user space,
+once the memory has been fully added to the system.
+
+The lock is not held yet in
+ drivers/xen/balloon.c
+ arch/powerpc/platforms/powernv/memtrace.c
+ drivers/s390/char/sclp_cmd.c
+ drivers/hv/hv_balloon.c
+So, let's either use the locked variants or take the lock.
+
+Don't export add_memory_resource(), as it once was exported to be used by
+XEN, which is never built as a module. If somebody requires it, we also
+have to export a locked variant (as device_hotplug_lock is never
+exported).
+
+Link: http://lkml.kernel.org/r/20180925091457.28651-3-david@redhat.com
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Pavel Tatashin <pavel.tatashin@microsoft.com>
+Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Rashmica Gupta <rashmica.g@gmail.com>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Len Brown <lenb@kernel.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Nathan Fontenot <nfont@linux.vnet.ibm.com>
+Cc: John Allen <jallen@linux.vnet.ibm.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Mathieu Malaterre <malat@debian.org>
+Cc: Pavel Tatashin <pavel.tatashin@microsoft.com>
+Cc: YASUAKI ISHIMATSU <yasu.isimatu@gmail.com>
+Cc: Balbir Singh <bsingharora@gmail.com>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Kate Stewart <kstewart@linuxfoundation.org>
+Cc: "K. Y. Srinivasan" <kys@microsoft.com>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Michael Neuling <mikey@neuling.org>
+Cc: Philippe Ombredanne <pombredanne@nexb.com>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../platforms/pseries/hotplug-memory.c | 2 +-
+ drivers/acpi/acpi_memhotplug.c | 2 +-
+ drivers/base/memory.c | 9 ++++++--
+ drivers/xen/balloon.c | 3 +++
+ include/linux/memory_hotplug.h | 1 +
+ mm/memory_hotplug.c | 22 ++++++++++++++++---
+ 6 files changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/arch/powerpc/platforms/pseries/hotplug-memory.c b/arch/powerpc/platforms/pseries/hotplug-memory.c
+index c0a0947f43bbb..656bbbd731d03 100644
+--- a/arch/powerpc/platforms/pseries/hotplug-memory.c
++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c
+@@ -616,7 +616,7 @@ static int dlpar_add_lmb(struct of_drconf_cell *lmb)
+ nid = memory_add_physaddr_to_nid(lmb->base_addr);
+
+ /* Add the memory */
+- rc = add_memory(nid, lmb->base_addr, block_sz);
++ rc = __add_memory(nid, lmb->base_addr, block_sz);
+ if (rc) {
+ dlpar_remove_device_tree_lmb(lmb);
+ dlpar_release_drc(lmb->drc_index);
+diff --git a/drivers/acpi/acpi_memhotplug.c b/drivers/acpi/acpi_memhotplug.c
+index 6b0d3ef7309cb..2ccfbb61ca899 100644
+--- a/drivers/acpi/acpi_memhotplug.c
++++ b/drivers/acpi/acpi_memhotplug.c
+@@ -228,7 +228,7 @@ static int acpi_memory_enable_device(struct acpi_memory_device *mem_device)
+ if (node < 0)
+ node = memory_add_physaddr_to_nid(info->start_addr);
+
+- result = add_memory(node, info->start_addr, info->length);
++ result = __add_memory(node, info->start_addr, info->length);
+
+ /*
+ * If the memory block has been used by the kernel, add_memory()
+diff --git a/drivers/base/memory.c b/drivers/base/memory.c
+index c5cdd190b7816..9f96f1b43c15f 100644
+--- a/drivers/base/memory.c
++++ b/drivers/base/memory.c
+@@ -500,15 +500,20 @@ memory_probe_store(struct device *dev, struct device_attribute *attr,
+ if (phys_addr & ((pages_per_block << PAGE_SHIFT) - 1))
+ return -EINVAL;
+
++ ret = lock_device_hotplug_sysfs();
++ if (ret)
++ goto out;
++
+ nid = memory_add_physaddr_to_nid(phys_addr);
+- ret = add_memory(nid, phys_addr,
+- MIN_MEMORY_BLOCK_SIZE * sections_per_block);
++ ret = __add_memory(nid, phys_addr,
++ MIN_MEMORY_BLOCK_SIZE * sections_per_block);
+
+ if (ret)
+ goto out;
+
+ ret = count;
+ out:
++ unlock_device_hotplug();
+ return ret;
+ }
+
+diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
+index 6af117af97804..731cf54f75c65 100644
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -358,7 +358,10 @@ static enum bp_state reserve_additional_memory(void)
+ * callers drop the mutex before trying again.
+ */
+ mutex_unlock(&balloon_mutex);
++ /* add_memory_resource() requires the device_hotplug lock */
++ lock_device_hotplug();
+ rc = add_memory_resource(nid, resource, memhp_auto_online);
++ unlock_device_hotplug();
+ mutex_lock(&balloon_mutex);
+
+ if (rc) {
+diff --git a/include/linux/memory_hotplug.h b/include/linux/memory_hotplug.h
+index 134a2f69c21ab..9469eef300952 100644
+--- a/include/linux/memory_hotplug.h
++++ b/include/linux/memory_hotplug.h
+@@ -272,6 +272,7 @@ static inline void remove_memory(int nid, u64 start, u64 size) {}
+
+ extern int walk_memory_range(unsigned long start_pfn, unsigned long end_pfn,
+ void *arg, int (*func)(struct memory_block *, void *));
++extern int __add_memory(int nid, u64 start, u64 size);
+ extern int add_memory(int nid, u64 start, u64 size);
+ extern int add_memory_resource(int nid, struct resource *resource, bool online);
+ extern int zone_for_memory(int nid, u64 start, u64 size, int zone_default,
+diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
+index b4c8d7b9ab820..449999657c0bb 100644
+--- a/mm/memory_hotplug.c
++++ b/mm/memory_hotplug.c
+@@ -1340,7 +1340,12 @@ static int online_memory_block(struct memory_block *mem, void *arg)
+ return memory_block_change_state(mem, MEM_ONLINE, MEM_OFFLINE);
+ }
+
+-/* we are OK calling __meminit stuff here - we have CONFIG_MEMORY_HOTPLUG */
++/*
++ * NOTE: The caller must call lock_device_hotplug() to serialize hotplug
++ * and online/offline operations (triggered e.g. by sysfs).
++ *
++ * we are OK calling __meminit stuff here - we have CONFIG_MEMORY_HOTPLUG
++ */
+ int __ref add_memory_resource(int nid, struct resource *res, bool online)
+ {
+ u64 start, size;
+@@ -1418,9 +1423,9 @@ int __ref add_memory_resource(int nid, struct resource *res, bool online)
+ mem_hotplug_done();
+ return ret;
+ }
+-EXPORT_SYMBOL_GPL(add_memory_resource);
+
+-int __ref add_memory(int nid, u64 start, u64 size)
++/* requires device_hotplug_lock, see add_memory_resource() */
++int __ref __add_memory(int nid, u64 start, u64 size)
+ {
+ struct resource *res;
+ int ret;
+@@ -1434,6 +1439,17 @@ int __ref add_memory(int nid, u64 start, u64 size)
+ release_memory_resource(res);
+ return ret;
+ }
++
++int add_memory(int nid, u64 start, u64 size)
++{
++ int rc;
++
++ lock_device_hotplug();
++ rc = __add_memory(nid, start, size);
++ unlock_device_hotplug();
++
++ return rc;
++}
+ EXPORT_SYMBOL_GPL(add_memory);
+
+ #ifdef CONFIG_MEMORY_HOTREMOVE
+--
+2.20.1
+
--- /dev/null
+From e08dbf2302939c517b97f5c5c0e282e8df94a5b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Oct 2018 15:09:45 -0700
+Subject: mm/page-writeback.c: fix range_cyclic writeback vs writepages
+ deadlock
+
+From: Dave Chinner <dchinner@redhat.com>
+
+[ Upstream commit 64081362e8ff4587b4554087f3cfc73d3e0a4cd7 ]
+
+We've recently seen a workload on XFS filesystems with a repeatable
+deadlock between background writeback and a multi-process application
+doing concurrent writes and fsyncs to a small range of a file.
+
+range_cyclic
+writeback Process 1 Process 2
+
+xfs_vm_writepages
+ write_cache_pages
+ writeback_index = 2
+ cycled = 0
+ ....
+ find page 2 dirty
+ lock Page 2
+ ->writepage
+ page 2 writeback
+ page 2 clean
+ page 2 added to bio
+ no more pages
+ write()
+ locks page 1
+ dirties page 1
+ locks page 2
+ dirties page 1
+ fsync()
+ ....
+ xfs_vm_writepages
+ write_cache_pages
+ start index 0
+ find page 1 towrite
+ lock Page 1
+ ->writepage
+ page 1 writeback
+ page 1 clean
+ page 1 added to bio
+ find page 2 towrite
+ lock Page 2
+ page 2 is writeback
+ <blocks>
+ write()
+ locks page 1
+ dirties page 1
+ fsync()
+ ....
+ xfs_vm_writepages
+ write_cache_pages
+ start index 0
+
+ !done && !cycled
+ sets index to 0, restarts lookup
+ find page 1 dirty
+ find page 1 towrite
+ lock Page 1
+ page 1 is writeback
+ <blocks>
+
+ lock Page 1
+ <blocks>
+
+DEADLOCK because:
+
+ - process 1 needs page 2 writeback to complete to make
+ enough progress to issue IO pending for page 1
+ - writeback needs page 1 writeback to complete so process 2
+ can progress and unlock the page it is blocked on, then it
+ can issue the IO pending for page 2
+ - process 2 can't make progress until process 1 issues IO
+ for page 1
+
+The underlying cause of the problem here is that range_cyclic writeback is
+processing pages in descending index order as we hold higher index pages
+in a structure controlled from above write_cache_pages(). The
+write_cache_pages() caller needs to be able to submit these pages for IO
+before write_cache_pages restarts writeback at mapping index 0 to avoid
+wcp inverting the page lock/writeback wait order.
+
+generic_writepages() is not susceptible to this bug as it has no private
+context held across write_cache_pages() - filesystems using this
+infrastructure always submit pages in ->writepage immediately and so there
+is no problem with range_cyclic going back to mapping index 0.
+
+However:
+ mpage_writepages() has a private bio context,
+ exofs_writepages() has page_collect
+ fuse_writepages() has fuse_fill_wb_data
+ nfs_writepages() has nfs_pageio_descriptor
+ xfs_vm_writepages() has xfs_writepage_ctx
+
+All of these ->writepages implementations can hold pages under writeback
+in their private structures until write_cache_pages() returns, and hence
+they are all susceptible to this deadlock.
+
+Also worth noting is that ext4 has it's own bastardised version of
+write_cache_pages() and so it /may/ have an equivalent deadlock. I looked
+at the code long enough to understand that it has a similar retry loop for
+range_cyclic writeback reaching the end of the file and then promptly ran
+away before my eyes bled too much. I'll leave it for the ext4 developers
+to determine if their code is actually has this deadlock and how to fix it
+if it has.
+
+There's a few ways I can see avoid this deadlock. There's probably more,
+but these are the first I've though of:
+
+1. get rid of range_cyclic altogether
+
+2. range_cyclic always stops at EOF, and we start again from
+writeback index 0 on the next call into write_cache_pages()
+
+2a. wcp also returns EAGAIN to ->writepages implementations to
+indicate range cyclic has hit EOF. writepages implementations can
+then flush the current context and call wpc again to continue. i.e.
+lift the retry into the ->writepages implementation
+
+3. range_cyclic uses trylock_page() rather than lock_page(), and it
+skips pages it can't lock without blocking. It will already do this
+for pages under writeback, so this seems like a no-brainer
+
+3a. all non-WB_SYNC_ALL writeback uses trylock_page() to avoid
+blocking as per pages under writeback.
+
+I don't think #1 is an option - range_cyclic prevents frequently
+dirtied lower file offset from starving background writeback of
+rarely touched higher file offsets.
+
+#2 is simple, and I don't think it will have any impact on
+performance as going back to the start of the file implies an
+immediate seek. We'll have exactly the same number of seeks if we
+switch writeback to another inode, and then come back to this one
+later and restart from index 0.
+
+#2a is pretty much "status quo without the deadlock". Moving the
+retry loop up into the wcp caller means we can issue IO on the
+pending pages before calling wcp again, and so avoid locking or
+waiting on pages in the wrong order. I'm not convinced we need to do
+this given that we get the same thing from #2 on the next writeback
+call from the writeback infrastructure.
+
+#3 is really just a band-aid - it doesn't fix the access/wait
+inversion problem, just prevents it from becoming a deadlock
+situation. I'd prefer we fix the inversion, not sweep it under the
+carpet like this.
+
+#3a is really an optimisation that just so happens to include the
+band-aid fix of #3.
+
+So it seems that the simplest way to fix this issue is to implement
+solution #2
+
+Link: http://lkml.kernel.org/r/20181005054526.21507-1-david@fromorbit.com
+Signed-off-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Jan Kara <jack@suse.de>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/page-writeback.c | 33 +++++++++++++++------------------
+ 1 file changed, 15 insertions(+), 18 deletions(-)
+
+diff --git a/mm/page-writeback.c b/mm/page-writeback.c
+index 281a46aeae61d..f6a376a510995 100644
+--- a/mm/page-writeback.c
++++ b/mm/page-writeback.c
+@@ -2141,6 +2141,13 @@ EXPORT_SYMBOL(tag_pages_for_writeback);
+ * not miss some pages (e.g., because some other process has cleared TOWRITE
+ * tag we set). The rule we follow is that TOWRITE tag can be cleared only
+ * by the process clearing the DIRTY tag (and submitting the page for IO).
++ *
++ * To avoid deadlocks between range_cyclic writeback and callers that hold
++ * pages in PageWriteback to aggregate IO until write_cache_pages() returns,
++ * we do not loop back to the start of the file. Doing so causes a page
++ * lock/page writeback access order inversion - we should only ever lock
++ * multiple pages in ascending page->index order, and looping back to the start
++ * of the file violates that rule and causes deadlocks.
+ */
+ int write_cache_pages(struct address_space *mapping,
+ struct writeback_control *wbc, writepage_t writepage,
+@@ -2155,7 +2162,6 @@ int write_cache_pages(struct address_space *mapping,
+ pgoff_t index;
+ pgoff_t end; /* Inclusive */
+ pgoff_t done_index;
+- int cycled;
+ int range_whole = 0;
+ int tag;
+
+@@ -2163,23 +2169,17 @@ int write_cache_pages(struct address_space *mapping,
+ if (wbc->range_cyclic) {
+ writeback_index = mapping->writeback_index; /* prev offset */
+ index = writeback_index;
+- if (index == 0)
+- cycled = 1;
+- else
+- cycled = 0;
+ end = -1;
+ } else {
+ index = wbc->range_start >> PAGE_SHIFT;
+ end = wbc->range_end >> PAGE_SHIFT;
+ if (wbc->range_start == 0 && wbc->range_end == LLONG_MAX)
+ range_whole = 1;
+- cycled = 1; /* ignore range_cyclic tests */
+ }
+ if (wbc->sync_mode == WB_SYNC_ALL || wbc->tagged_writepages)
+ tag = PAGECACHE_TAG_TOWRITE;
+ else
+ tag = PAGECACHE_TAG_DIRTY;
+-retry:
+ if (wbc->sync_mode == WB_SYNC_ALL || wbc->tagged_writepages)
+ tag_pages_for_writeback(mapping, index, end);
+ done_index = index;
+@@ -2287,17 +2287,14 @@ int write_cache_pages(struct address_space *mapping,
+ pagevec_release(&pvec);
+ cond_resched();
+ }
+- if (!cycled && !done) {
+- /*
+- * range_cyclic:
+- * We hit the last page and there is more work to be done: wrap
+- * back to the start of the file
+- */
+- cycled = 1;
+- index = 0;
+- end = writeback_index - 1;
+- goto retry;
+- }
++
++ /*
++ * If we hit the last page and there is more work to be done: wrap
++ * back the index back to the start of the file for the next
++ * time we are called.
++ */
++ if (wbc->range_cyclic && !done)
++ done_index = 0;
+ if (wbc->range_cyclic || (range_whole && wbc->nr_to_write > 0))
+ mapping->writeback_index = done_index;
+
+--
+2.20.1
+
--- /dev/null
+From 328078f72e1f9cd36365e970c37f1de7145cf7a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Oct 2018 15:20:47 +0800
+Subject: mmc: mediatek: fix cannot receive new request when msdc_cmd_is_ready
+ fail
+
+From: Chaotian Jing <chaotian.jing@mediatek.com>
+
+[ Upstream commit f38a9774ddde9d79b3487dd888edd8b8623552af ]
+
+when msdc_cmd_is_ready return fail, the req_timeout work has not been
+inited and cancel_delayed_work() will return false, then, the request
+return directly and never call mmc_request_done().
+
+so need call mod_delayed_work() before msdc_cmd_is_ready()
+
+Signed-off-by: Chaotian Jing <chaotian.jing@mediatek.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/mtk-sd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c
+index 6f9535e5e584b..7fc6ce3811421 100644
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -870,6 +870,7 @@ static void msdc_start_command(struct msdc_host *host,
+ WARN_ON(host->cmd);
+ host->cmd = cmd;
+
++ mod_delayed_work(system_wq, &host->req_timeout, DAT_TIMEOUT);
+ if (!msdc_cmd_is_ready(host, mrq, cmd))
+ return;
+
+@@ -881,7 +882,6 @@ static void msdc_start_command(struct msdc_host *host,
+
+ cmd->error = 0;
+ rawcmd = msdc_cmd_prepare_raw_cmd(host, mrq, cmd);
+- mod_delayed_work(system_wq, &host->req_timeout, DAT_TIMEOUT);
+
+ sdr_set_bits(host->base + MSDC_INTEN, cmd_ints_mask);
+ writel(cmd->arg, host->base + SDC_ARG);
+--
+2.20.1
+
--- /dev/null
+From 52d8eab10243e3c2e54db6f8aabe15cbab23192d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Feb 2019 15:59:38 +0200
+Subject: mwifiex: Fix NL80211_TX_POWER_LIMITED
+
+From: Adrian Bunk <bunk@kernel.org>
+
+[ Upstream commit 65a576e27309120e0621f54d5c81eb9128bd56be ]
+
+NL80211_TX_POWER_LIMITED was treated as NL80211_TX_POWER_AUTOMATIC,
+which is the opposite of what should happen and can cause nasty
+regulatory problems.
+
+if/else converted to a switch without default to make gcc warn
+on unhandled enum values.
+
+Signed-off-by: Adrian Bunk <bunk@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/cfg80211.c | 13 +++++++++++--
+ drivers/net/wireless/marvell/mwifiex/ioctl.h | 1 +
+ drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 11 +++++++----
+ 3 files changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+index 46d0099fd6e82..94901b0041cec 100644
+--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+@@ -364,11 +364,20 @@ mwifiex_cfg80211_set_tx_power(struct wiphy *wiphy,
+ struct mwifiex_power_cfg power_cfg;
+ int dbm = MBM_TO_DBM(mbm);
+
+- if (type == NL80211_TX_POWER_FIXED) {
++ switch (type) {
++ case NL80211_TX_POWER_FIXED:
+ power_cfg.is_power_auto = 0;
++ power_cfg.is_power_fixed = 1;
+ power_cfg.power_level = dbm;
+- } else {
++ break;
++ case NL80211_TX_POWER_LIMITED:
++ power_cfg.is_power_auto = 0;
++ power_cfg.is_power_fixed = 0;
++ power_cfg.power_level = dbm;
++ break;
++ case NL80211_TX_POWER_AUTOMATIC:
+ power_cfg.is_power_auto = 1;
++ break;
+ }
+
+ priv = mwifiex_get_priv(adapter, MWIFIEX_BSS_ROLE_ANY);
+diff --git a/drivers/net/wireless/marvell/mwifiex/ioctl.h b/drivers/net/wireless/marvell/mwifiex/ioctl.h
+index 536ab834b1262..729a69f88a481 100644
+--- a/drivers/net/wireless/marvell/mwifiex/ioctl.h
++++ b/drivers/net/wireless/marvell/mwifiex/ioctl.h
+@@ -265,6 +265,7 @@ struct mwifiex_ds_encrypt_key {
+
+ struct mwifiex_power_cfg {
+ u32 is_power_auto;
++ u32 is_power_fixed;
+ u32 power_level;
+ };
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+index 7f9645703d968..478885afb6c6b 100644
+--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
++++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+@@ -728,6 +728,9 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv,
+ txp_cfg = (struct host_cmd_ds_txpwr_cfg *) buf;
+ txp_cfg->action = cpu_to_le16(HostCmd_ACT_GEN_SET);
+ if (!power_cfg->is_power_auto) {
++ u16 dbm_min = power_cfg->is_power_fixed ?
++ dbm : priv->min_tx_power_level;
++
+ txp_cfg->mode = cpu_to_le32(1);
+ pg_tlv = (struct mwifiex_types_power_group *)
+ (buf + sizeof(struct host_cmd_ds_txpwr_cfg));
+@@ -742,7 +745,7 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv,
+ pg->last_rate_code = 0x03;
+ pg->modulation_class = MOD_CLASS_HR_DSSS;
+ pg->power_step = 0;
+- pg->power_min = (s8) dbm;
++ pg->power_min = (s8) dbm_min;
+ pg->power_max = (s8) dbm;
+ pg++;
+ /* Power group for modulation class OFDM */
+@@ -750,7 +753,7 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv,
+ pg->last_rate_code = 0x07;
+ pg->modulation_class = MOD_CLASS_OFDM;
+ pg->power_step = 0;
+- pg->power_min = (s8) dbm;
++ pg->power_min = (s8) dbm_min;
+ pg->power_max = (s8) dbm;
+ pg++;
+ /* Power group for modulation class HTBW20 */
+@@ -758,7 +761,7 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv,
+ pg->last_rate_code = 0x20;
+ pg->modulation_class = MOD_CLASS_HT;
+ pg->power_step = 0;
+- pg->power_min = (s8) dbm;
++ pg->power_min = (s8) dbm_min;
+ pg->power_max = (s8) dbm;
+ pg->ht_bandwidth = HT_BW_20;
+ pg++;
+@@ -767,7 +770,7 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv,
+ pg->last_rate_code = 0x20;
+ pg->modulation_class = MOD_CLASS_HT;
+ pg->power_step = 0;
+- pg->power_min = (s8) dbm;
++ pg->power_min = (s8) dbm_min;
+ pg->power_max = (s8) dbm;
+ pg->ht_bandwidth = HT_BW_40;
+ }
+--
+2.20.1
+
--- /dev/null
+From ad3b995fba69b720a646a76d24a1261cb6923373 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Nov 2018 02:08:43 +0000
+Subject: net: bcmgenet: return correct value 'ret' from bcmgenet_power_down
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 0db55093b56618088b9a1d445eb6e43b311bea33 ]
+
+Fixes gcc '-Wunused-but-set-variable' warning:
+
+drivers/net/ethernet/broadcom/genet/bcmgenet.c: In function 'bcmgenet_power_down':
+drivers/net/ethernet/broadcom/genet/bcmgenet.c:1136:6: warning:
+ variable 'ret' set but not used [-Wunused-but-set-variable]
+
+bcmgenet_power_down should return 'ret' instead of 0.
+
+Fixes: ca8cf341903f ("net: bcmgenet: propagate errors from bcmgenet_power_down")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+index 4a4782b3cc1b1..a234044805977 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -1078,7 +1078,7 @@ static int bcmgenet_power_down(struct bcmgenet_priv *priv,
+ break;
+ }
+
+- return 0;
++ return ret;
+ }
+
+ static void bcmgenet_power_up(struct bcmgenet_priv *priv,
+--
+2.20.1
+
--- /dev/null
+From 99eed3c5aba0f22a9a71be0d60862bbd5e95d3f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Oct 2018 08:39:13 -0700
+Subject: net: do not abort bulk send on BQL status
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit fe60faa5063822f2d555f4f326c7dd72a60929bf ]
+
+Before calling dev_hard_start_xmit(), upper layers tried
+to cook optimal skb list based on BQL budget.
+
+Problem is that GSO packets can end up comsuming more than
+the BQL budget.
+
+Breaking the loop is not useful, since requeued packets
+are ahead of any packets still in the qdisc.
+
+It is also more expensive, since next TX completion will
+push these packets later, while skbs are not in cpu caches.
+
+It is also a behavior difference with TSO packets, that can
+break the BQL limit by a large amount.
+
+Note that drivers should use __netdev_tx_sent_queue()
+in order to have optimal xmit_more support, and avoid
+useless atomic operations as shown in the following patch.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 547b4daae5cad..c6fb7e61cb405 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2997,7 +2997,7 @@ struct sk_buff *dev_hard_start_xmit(struct sk_buff *first, struct net_device *de
+ }
+
+ skb = next;
+- if (netif_xmit_stopped(txq) && skb) {
++ if (netif_tx_queue_stopped(txq) && skb) {
+ rc = NETDEV_TX_BUSY;
+ break;
+ }
+--
+2.20.1
+
--- /dev/null
+From b28c51d3164cd6305767ce56177e7f1f0f9fae40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Oct 2018 10:04:21 +0000
+Subject: net: ena: Fix Kconfig dependency on X86
+
+From: Netanel Belgazal <netanel@amazon.com>
+
+[ Upstream commit 8c590f9776386b8f697fd0b7ed6142ae6e3de79e ]
+
+The Kconfig limitation of X86 is to too wide.
+The ENA driver only requires a little endian dependency.
+
+Change the dependency to be on little endian CPU.
+
+Signed-off-by: Netanel Belgazal <netanel@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amazon/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/amazon/Kconfig b/drivers/net/ethernet/amazon/Kconfig
+index 99b30353541ab..9e87d7b8360f5 100644
+--- a/drivers/net/ethernet/amazon/Kconfig
++++ b/drivers/net/ethernet/amazon/Kconfig
+@@ -17,7 +17,7 @@ if NET_VENDOR_AMAZON
+
+ config ENA_ETHERNET
+ tristate "Elastic Network Adapter (ENA) support"
+- depends on (PCI_MSI && X86)
++ depends on PCI_MSI && !CPU_BIG_ENDIAN
+ ---help---
+ This driver supports Elastic Network Adapter (ENA)"
+
+--
+2.20.1
+
--- /dev/null
+From a352005dd0d3ae7488f846f4db1c9ddc5130ea72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Oct 2018 21:51:36 +0300
+Subject: net: ethernet: ti: cpsw: unsync mcast entries while switch promisc
+ mode
+
+From: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
+
+[ Upstream commit 9737cc99dd14b5b8b9d267618a6061feade8ea68 ]
+
+After flushing all mcast entries from the table, the ones contained in
+mc list of ndev are not restored when promisc mode is toggled off,
+because they are considered as synched with ALE, thus, in order to
+restore them after promisc mode - reset syncing info. This fix
+touches only switch mode devices, including single port boards
+like Beagle Bone.
+
+Fixes: commit 5da1948969bc
+("net: ethernet: ti: cpsw: fix lost of mcast packets while rx_mode update")
+
+Signed-off-by: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
+Reviewed-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/cpsw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/ti/cpsw.c b/drivers/net/ethernet/ti/cpsw.c
+index d7cb205fe7e26..892b06852e150 100644
+--- a/drivers/net/ethernet/ti/cpsw.c
++++ b/drivers/net/ethernet/ti/cpsw.c
+@@ -590,6 +590,7 @@ static void cpsw_set_promiscious(struct net_device *ndev, bool enable)
+
+ /* Clear all mcast from ALE */
+ cpsw_ale_flush_multicast(ale, ALE_ALL_PORTS, -1);
++ __dev_mc_unsync(ndev, NULL);
+
+ /* Flood All Unicast Packets to Host port */
+ cpsw_ale_control_set(ale, 0, ALE_P0_UNI_FLOOD, 1);
+--
+2.20.1
+
--- /dev/null
+From c90cd3c7ef7d69fe04d38c263e8adf3163961e8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 14:57:26 +0900
+Subject: net: fix warning in af_unix
+
+From: Kyeongdon Kim <kyeongdon.kim@lge.com>
+
+[ Upstream commit 33c4368ee2589c165aebd8d388cbd91e9adb9688 ]
+
+This fixes the "'hash' may be used uninitialized in this function"
+
+net/unix/af_unix.c:1041:20: warning: 'hash' may be used uninitialized in this function [-Wmaybe-uninitialized]
+ addr->hash = hash ^ sk->sk_type;
+
+Signed-off-by: Kyeongdon Kim <kyeongdon.kim@lge.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index cecf51a5aec4f..32ae82a5596d9 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -224,6 +224,8 @@ static inline void unix_release_addr(struct unix_address *addr)
+
+ static int unix_mkname(struct sockaddr_un *sunaddr, int len, unsigned int *hashp)
+ {
++ *hashp = 0;
++
+ if (len <= sizeof(short) || len > sizeof(*sunaddr))
+ return -EINVAL;
+ if (!sunaddr || sunaddr->sun_family != AF_UNIX)
+--
+2.20.1
+
--- /dev/null
+From 371b94ae3eafef4ff4361718e2d39ac9b5e3f163 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Aug 2018 17:13:59 -0700
+Subject: ntb: intel: fix return value for ndev_vec_mask()
+
+From: Dave Jiang <dave.jiang@intel.com>
+
+[ Upstream commit 7756e2b5d68c36e170a111dceea22f7365f83256 ]
+
+ndev_vec_mask() should be returning u64 mask value instead of int.
+Otherwise the mask value returned can be incorrect for larger
+vectors.
+
+Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers")
+
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Tested-by: Lucas Van <lucas.van@intel.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/hw/intel/ntb_hw_intel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ntb/hw/intel/ntb_hw_intel.c b/drivers/ntb/hw/intel/ntb_hw_intel.c
+index 7310a261c858b..e175cbeba266f 100644
+--- a/drivers/ntb/hw/intel/ntb_hw_intel.c
++++ b/drivers/ntb/hw/intel/ntb_hw_intel.c
+@@ -330,7 +330,7 @@ static inline int ndev_db_clear_mask(struct intel_ntb_dev *ndev, u64 db_bits,
+ return 0;
+ }
+
+-static inline int ndev_vec_mask(struct intel_ntb_dev *ndev, int db_vector)
++static inline u64 ndev_vec_mask(struct intel_ntb_dev *ndev, int db_vector)
+ {
+ u64 shift, mask;
+
+--
+2.20.1
+
--- /dev/null
+From c30b4abdf56e3476c4a53a64d46aca69aecc5f64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Jun 2018 16:13:12 -0400
+Subject: ntb_netdev: fix sleep time mismatch
+
+From: Jon Mason <jdmason@kudzu.us>
+
+[ Upstream commit a861594b1b7ffd630f335b351c4e9f938feadb8e ]
+
+The tx_time should be in usecs (according to the comment above the
+variable), but the setting of the timer during the rearming is done in
+msecs. Change it to match the expected units.
+
+Fixes: e74bfeedad08 ("NTB: Add flow control to the ntb_netdev")
+Suggested-by: Gerd W. Haeussler <gerd.haeussler@cesys-it.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Acked-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ntb_netdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ntb_netdev.c b/drivers/net/ntb_netdev.c
+index a9acf71568555..03009f1becddc 100644
+--- a/drivers/net/ntb_netdev.c
++++ b/drivers/net/ntb_netdev.c
+@@ -236,7 +236,7 @@ static void ntb_netdev_tx_timer(unsigned long data)
+ struct ntb_netdev *dev = netdev_priv(ndev);
+
+ if (ntb_transport_tx_free_entry(dev->qp) < tx_stop) {
+- mod_timer(&dev->tx_timer, jiffies + msecs_to_jiffies(tx_time));
++ mod_timer(&dev->tx_timer, jiffies + usecs_to_jiffies(tx_time));
+ } else {
+ /* Make sure anybody stopping the queue after this sees the new
+ * value of ntb_transport_tx_free_entry()
+--
+2.20.1
+
--- /dev/null
+From a4a4e4a1e02dc02383268b8254d057d2563a12cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Nov 2018 15:48:19 -0700
+Subject: ocfs2: don't put and assigning null to bh allocated outside
+
+From: Changwei Ge <ge.changwei@h3c.com>
+
+[ Upstream commit cf76c78595ca87548ca5e45c862ac9e0949c4687 ]
+
+ocfs2_read_blocks() and ocfs2_read_blocks_sync() are both used to read
+several blocks from disk. Currently, the input argument *bhs* can be
+NULL or NOT. It depends on the caller's behavior. If the function
+fails in reading blocks from disk, the corresponding bh will be assigned
+to NULL and put.
+
+Obviously, above process for non-NULL input bh is not appropriate.
+Because the caller doesn't even know its bhs are put and re-assigned.
+
+If buffer head is managed by caller, ocfs2_read_blocks and
+ocfs2_read_blocks_sync() should not evaluate it to NULL. It will cause
+caller accessing illegal memory, thus crash.
+
+Link: http://lkml.kernel.org/r/HK2PR06MB045285E0F4FBB561F9F2F9B3D5680@HK2PR06MB0452.apcprd06.prod.outlook.com
+Signed-off-by: Changwei Ge <ge.changwei@h3c.com>
+Reviewed-by: Guozhonghua <guozhonghua@h3c.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Changwei Ge <ge.changwei@h3c.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/buffer_head_io.c | 77 ++++++++++++++++++++++++++++++---------
+ 1 file changed, 59 insertions(+), 18 deletions(-)
+
+diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c
+index 935bac253991b..1403c88f2b053 100644
+--- a/fs/ocfs2/buffer_head_io.c
++++ b/fs/ocfs2/buffer_head_io.c
+@@ -98,25 +98,34 @@ int ocfs2_write_block(struct ocfs2_super *osb, struct buffer_head *bh,
+ return ret;
+ }
+
++/* Caller must provide a bhs[] with all NULL or non-NULL entries, so it
++ * will be easier to handle read failure.
++ */
+ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
+ unsigned int nr, struct buffer_head *bhs[])
+ {
+ int status = 0;
+ unsigned int i;
+ struct buffer_head *bh;
++ int new_bh = 0;
+
+ trace_ocfs2_read_blocks_sync((unsigned long long)block, nr);
+
+ if (!nr)
+ goto bail;
+
++ /* Don't put buffer head and re-assign it to NULL if it is allocated
++ * outside since the caller can't be aware of this alternation!
++ */
++ new_bh = (bhs[0] == NULL);
++
+ for (i = 0 ; i < nr ; i++) {
+ if (bhs[i] == NULL) {
+ bhs[i] = sb_getblk(osb->sb, block++);
+ if (bhs[i] == NULL) {
+ status = -ENOMEM;
+ mlog_errno(status);
+- goto bail;
++ break;
+ }
+ }
+ bh = bhs[i];
+@@ -156,9 +165,26 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
+ submit_bh(REQ_OP_READ, 0, bh);
+ }
+
++read_failure:
+ for (i = nr; i > 0; i--) {
+ bh = bhs[i - 1];
+
++ if (unlikely(status)) {
++ if (new_bh && bh) {
++ /* If middle bh fails, let previous bh
++ * finish its read and then put it to
++ * aovoid bh leak
++ */
++ if (!buffer_jbd(bh))
++ wait_on_buffer(bh);
++ put_bh(bh);
++ bhs[i - 1] = NULL;
++ } else if (bh && buffer_uptodate(bh)) {
++ clear_buffer_uptodate(bh);
++ }
++ continue;
++ }
++
+ /* No need to wait on the buffer if it's managed by JBD. */
+ if (!buffer_jbd(bh))
+ wait_on_buffer(bh);
+@@ -168,8 +194,7 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
+ * so we can safely record this and loop back
+ * to cleanup the other buffers. */
+ status = -EIO;
+- put_bh(bh);
+- bhs[i - 1] = NULL;
++ goto read_failure;
+ }
+ }
+
+@@ -177,6 +202,9 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
+ return status;
+ }
+
++/* Caller must provide a bhs[] with all NULL or non-NULL entries, so it
++ * will be easier to handle read failure.
++ */
+ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
+ struct buffer_head *bhs[], int flags,
+ int (*validate)(struct super_block *sb,
+@@ -186,6 +214,7 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
+ int i, ignore_cache = 0;
+ struct buffer_head *bh;
+ struct super_block *sb = ocfs2_metadata_cache_get_super(ci);
++ int new_bh = 0;
+
+ trace_ocfs2_read_blocks_begin(ci, (unsigned long long)block, nr, flags);
+
+@@ -211,6 +240,11 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
+ goto bail;
+ }
+
++ /* Don't put buffer head and re-assign it to NULL if it is allocated
++ * outside since the caller can't be aware of this alternation!
++ */
++ new_bh = (bhs[0] == NULL);
++
+ ocfs2_metadata_cache_io_lock(ci);
+ for (i = 0 ; i < nr ; i++) {
+ if (bhs[i] == NULL) {
+@@ -219,7 +253,8 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
+ ocfs2_metadata_cache_io_unlock(ci);
+ status = -ENOMEM;
+ mlog_errno(status);
+- goto bail;
++ /* Don't forget to put previous bh! */
++ break;
+ }
+ }
+ bh = bhs[i];
+@@ -313,16 +348,27 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
+ }
+ }
+
+- status = 0;
+-
++read_failure:
+ for (i = (nr - 1); i >= 0; i--) {
+ bh = bhs[i];
+
+ if (!(flags & OCFS2_BH_READAHEAD)) {
+- if (status) {
+- /* Clear the rest of the buffers on error */
+- put_bh(bh);
+- bhs[i] = NULL;
++ if (unlikely(status)) {
++ /* Clear the buffers on error including those
++ * ever succeeded in reading
++ */
++ if (new_bh && bh) {
++ /* If middle bh fails, let previous bh
++ * finish its read and then put it to
++ * aovoid bh leak
++ */
++ if (!buffer_jbd(bh))
++ wait_on_buffer(bh);
++ put_bh(bh);
++ bhs[i] = NULL;
++ } else if (bh && buffer_uptodate(bh)) {
++ clear_buffer_uptodate(bh);
++ }
+ continue;
+ }
+ /* We know this can't have changed as we hold the
+@@ -340,9 +386,7 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
+ * uptodate. */
+ status = -EIO;
+ clear_buffer_needs_validate(bh);
+- put_bh(bh);
+- bhs[i] = NULL;
+- continue;
++ goto read_failure;
+ }
+
+ if (buffer_needs_validate(bh)) {
+@@ -352,11 +396,8 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
+ BUG_ON(buffer_jbd(bh));
+ clear_buffer_needs_validate(bh);
+ status = validate(sb, bh);
+- if (status) {
+- put_bh(bh);
+- bhs[i] = NULL;
+- continue;
+- }
++ if (status)
++ goto read_failure;
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 401b6345c34bb7bd83a391213e072f9a4cdbce2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Nov 2018 15:48:27 -0700
+Subject: ocfs2: fix clusters leak in ocfs2_defrag_extent()
+
+From: Larry Chen <lchen@suse.com>
+
+[ Upstream commit 6194ae4242dec0c9d604bc05df83aa9260a899e4 ]
+
+ocfs2_defrag_extent() might leak allocated clusters. When the file
+system has insufficient space, the number of claimed clusters might be
+less than the caller wants. If that happens, the original code might
+directly commit the transaction without returning clusters.
+
+This patch is based on code in ocfs2_add_clusters_in_btree().
+
+[akpm@linux-foundation.org: include localalloc.h, reduce scope of data_ac]
+Link: http://lkml.kernel.org/r/20180904041621.16874-3-lchen@suse.com
+Signed-off-by: Larry Chen <lchen@suse.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Changwei Ge <ge.changwei@h3c.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/move_extents.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
+index c179afd0051a0..afaa044f5f6bd 100644
+--- a/fs/ocfs2/move_extents.c
++++ b/fs/ocfs2/move_extents.c
+@@ -25,6 +25,7 @@
+ #include "ocfs2_ioctl.h"
+
+ #include "alloc.h"
++#include "localalloc.h"
+ #include "aops.h"
+ #include "dlmglue.h"
+ #include "extent_map.h"
+@@ -222,6 +223,7 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context,
+ struct ocfs2_refcount_tree *ref_tree = NULL;
+ u32 new_phys_cpos, new_len;
+ u64 phys_blkno = ocfs2_clusters_to_blocks(inode->i_sb, phys_cpos);
++ int need_free = 0;
+
+ if ((ext_flags & OCFS2_EXT_REFCOUNTED) && *len) {
+
+@@ -315,6 +317,7 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context,
+ if (!partial) {
+ context->range->me_flags &= ~OCFS2_MOVE_EXT_FL_COMPLETE;
+ ret = -ENOSPC;
++ need_free = 1;
+ goto out_commit;
+ }
+ }
+@@ -339,6 +342,20 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context,
+ mlog_errno(ret);
+
+ out_commit:
++ if (need_free && context->data_ac) {
++ struct ocfs2_alloc_context *data_ac = context->data_ac;
++
++ if (context->data_ac->ac_which == OCFS2_AC_USE_LOCAL)
++ ocfs2_free_local_alloc_bits(osb, handle, data_ac,
++ new_phys_cpos, new_len);
++ else
++ ocfs2_free_clusters(handle,
++ data_ac->ac_inode,
++ data_ac->ac_bh,
++ ocfs2_clusters_to_blocks(osb->sb, new_phys_cpos),
++ new_len);
++ }
++
+ ocfs2_commit_trans(osb, handle);
+
+ out_unlock_mutex:
+--
+2.20.1
+
--- /dev/null
+From 675fd729032126be1c25af2ca1e8ac11e7db8ff2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Oct 2018 13:10:54 +0530
+Subject: PCI: keystone: Use quirk to limit MRRS for K2G
+
+From: Kishon Vijay Abraham I <kishon@ti.com>
+
+[ Upstream commit 148e340c0696369fadbbddc8f4bef801ed247d71 ]
+
+PCI controller in K2G also has a limitation that memory read request
+size (MRRS) must not exceed 256 bytes. Use the quirk to limit MRRS
+(added for K2HK, K2L and K2E) for K2G as well.
+
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/host/pci-keystone.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/pci/host/pci-keystone.c b/drivers/pci/host/pci-keystone.c
+index eac0a1238e9d0..c690299d5c4a8 100644
+--- a/drivers/pci/host/pci-keystone.c
++++ b/drivers/pci/host/pci-keystone.c
+@@ -43,6 +43,7 @@
+ #define PCIE_RC_K2HK 0xb008
+ #define PCIE_RC_K2E 0xb009
+ #define PCIE_RC_K2L 0xb00a
++#define PCIE_RC_K2G 0xb00b
+
+ #define to_keystone_pcie(x) container_of(x, struct keystone_pcie, pp)
+
+@@ -57,6 +58,8 @@ static void quirk_limit_mrrs(struct pci_dev *dev)
+ .class = PCI_CLASS_BRIDGE_PCI << 8, .class_mask = ~0, },
+ { PCI_DEVICE(PCI_VENDOR_ID_TI, PCIE_RC_K2L),
+ .class = PCI_CLASS_BRIDGE_PCI << 8, .class_mask = ~0, },
++ { PCI_DEVICE(PCI_VENDOR_ID_TI, PCIE_RC_K2G),
++ .class = PCI_CLASS_BRIDGE_PCI << 8, .class_mask = ~0, },
+ { 0, },
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 60734f17bf0f62070752eb3c611ac501aa7e85a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Nov 2018 08:00:08 -0700
+Subject: pinctrl: lpc18xx: Use define directive for PIN_CONFIG_GPIO_PIN_INT
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit f24bfb39975c241374cadebbd037c17960cf1412 ]
+
+Clang warns when one enumerated type is implicitly converted to another:
+
+drivers/pinctrl/pinctrl-lpc18xx.c:643:29: warning: implicit conversion
+from enumeration type 'enum lpc18xx_pin_config_param' to different
+enumeration type 'enum pin_config_param' [-Wenum-conversion]
+ {"nxp,gpio-pin-interrupt", PIN_CONFIG_GPIO_PIN_INT, 0},
+ ~ ^~~~~~~~~~~~~~~~~~~~~~~
+drivers/pinctrl/pinctrl-lpc18xx.c:648:12: warning: implicit conversion
+from enumeration type 'enum lpc18xx_pin_config_param' to different
+enumeration type 'enum pin_config_param' [-Wenum-conversion]
+ PCONFDUMP(PIN_CONFIG_GPIO_PIN_INT, "gpio pin int", NULL, true),
+ ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+./include/linux/pinctrl/pinconf-generic.h:163:11: note: expanded from
+macro 'PCONFDUMP'
+ .param = a, .display = b, .format = c, .has_arg = d \
+ ^
+2 warnings generated.
+
+It is expected that pinctrl drivers can extend pin_config_param because
+of the gap between PIN_CONFIG_END and PIN_CONFIG_MAX so this conversion
+isn't an issue. Most drivers that take advantage of this define the
+PIN_CONFIG variables as constants, rather than enumerated values. Do the
+same thing here so that Clang no longer warns.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/140
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-lpc18xx.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/pinctrl/pinctrl-lpc18xx.c b/drivers/pinctrl/pinctrl-lpc18xx.c
+index e053f1fa55120..ab2a451f31562 100644
+--- a/drivers/pinctrl/pinctrl-lpc18xx.c
++++ b/drivers/pinctrl/pinctrl-lpc18xx.c
+@@ -630,14 +630,8 @@ static const struct pinctrl_pin_desc lpc18xx_pins[] = {
+ LPC18XX_PIN(i2c0_sda, PIN_I2C0_SDA),
+ };
+
+-/**
+- * enum lpc18xx_pin_config_param - possible pin configuration parameters
+- * @PIN_CONFIG_GPIO_PIN_INT: route gpio to the gpio pin interrupt
+- * controller.
+- */
+-enum lpc18xx_pin_config_param {
+- PIN_CONFIG_GPIO_PIN_INT = PIN_CONFIG_END + 1,
+-};
++/* PIN_CONFIG_GPIO_PIN_INT: route gpio to the gpio pin interrupt controller */
++#define PIN_CONFIG_GPIO_PIN_INT (PIN_CONFIG_END + 1)
+
+ static const struct pinconf_generic_params lpc18xx_params[] = {
+ {"nxp,gpio-pin-interrupt", PIN_CONFIG_GPIO_PIN_INT, 0},
+--
+2.20.1
+
--- /dev/null
+From 351e5b47342121facb3a716b30bdde84a3cf9be6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Oct 2018 20:11:47 -0400
+Subject: pinctrl: qcom: spmi-gpio: fix gpio-hog related boot issues
+
+From: Brian Masney <masneyb@onstation.org>
+
+[ Upstream commit 149a96047237574b756d872007c006acd0cc6687 ]
+
+When attempting to setup up a gpio hog, device probing would repeatedly
+fail with -EPROBE_DEFERED errors. It was caused by a circular dependency
+between the gpio and pinctrl frameworks. If the gpio-ranges property is
+present in device tree, then the gpio framework will handle the gpio pin
+registration and eliminate the circular dependency.
+
+See Christian Lamparter's commit a86caa9ba5d7 ("pinctrl: msm: fix
+gpio-hog related boot issues") for a detailed commit message that
+explains the issue in much more detail. The code comment in this commit
+came from Christian's commit.
+
+Signed-off-by: Brian Masney <masneyb@onstation.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/qcom/pinctrl-spmi-gpio.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c b/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c
+index 8093afd17aa4f..69641c9e7d179 100644
+--- a/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c
++++ b/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c
+@@ -790,10 +790,23 @@ static int pmic_gpio_probe(struct platform_device *pdev)
+ return ret;
+ }
+
+- ret = gpiochip_add_pin_range(&state->chip, dev_name(dev), 0, 0, npins);
+- if (ret) {
+- dev_err(dev, "failed to add pin range\n");
+- goto err_range;
++ /*
++ * For DeviceTree-supported systems, the gpio core checks the
++ * pinctrl's device node for the "gpio-ranges" property.
++ * If it is present, it takes care of adding the pin ranges
++ * for the driver. In this case the driver can skip ahead.
++ *
++ * In order to remain compatible with older, existing DeviceTree
++ * files which don't set the "gpio-ranges" property or systems that
++ * utilize ACPI the driver has to call gpiochip_add_pin_range().
++ */
++ if (!of_property_read_bool(dev->of_node, "gpio-ranges")) {
++ ret = gpiochip_add_pin_range(&state->chip, dev_name(dev), 0, 0,
++ npins);
++ if (ret) {
++ dev_err(dev, "failed to add pin range\n");
++ goto err_range;
++ }
+ }
+
+ return 0;
+--
+2.20.1
+
--- /dev/null
+From 7d8b92c20e3828efbd6a3ce926b1363cfd8a510f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Nov 2018 01:56:40 -0700
+Subject: pinctrl: zynq: Use define directive for PIN_CONFIG_IO_STANDARD
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit cd8a145a066a1a3beb0ae615c7cb2ee4217418d7 ]
+
+Clang warns when one enumerated type is implicitly converted to another:
+
+drivers/pinctrl/pinctrl-zynq.c:985:18: warning: implicit conversion from
+enumeration type 'enum zynq_pin_config_param' to different enumeration
+type 'enum pin_config_param' [-Wenum-conversion]
+ {"io-standard", PIN_CONFIG_IOSTANDARD, zynq_iostd_lvcmos18},
+ ~ ^~~~~~~~~~~~~~~~~~~~~
+drivers/pinctrl/pinctrl-zynq.c:990:16: warning: implicit conversion from
+enumeration type 'enum zynq_pin_config_param' to different enumeration
+type 'enum pin_config_param' [-Wenum-conversion]
+ = { PCONFDUMP(PIN_CONFIG_IOSTANDARD, "IO-standard", NULL, true),
+ ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+./include/linux/pinctrl/pinconf-generic.h:163:11: note: expanded from
+macro 'PCONFDUMP'
+ .param = a, .display = b, .format = c, .has_arg = d \
+ ^
+2 warnings generated.
+
+It is expected that pinctrl drivers can extend pin_config_param because
+of the gap between PIN_CONFIG_END and PIN_CONFIG_MAX so this conversion
+isn't an issue. Most drivers that take advantage of this define the
+PIN_CONFIG variables as constants, rather than enumerated values. Do the
+same thing here so that Clang no longer warns.
+
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Acked-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-zynq.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/pinctrl/pinctrl-zynq.c b/drivers/pinctrl/pinctrl-zynq.c
+index e0ecffcbe11f6..f8b54cfc90c7d 100644
+--- a/drivers/pinctrl/pinctrl-zynq.c
++++ b/drivers/pinctrl/pinctrl-zynq.c
+@@ -967,15 +967,12 @@ enum zynq_io_standards {
+ zynq_iostd_max
+ };
+
+-/**
+- * enum zynq_pin_config_param - possible pin configuration parameters
+- * @PIN_CONFIG_IOSTANDARD: if the pin can select an IO standard, the argument to
++/*
++ * PIN_CONFIG_IOSTANDARD: if the pin can select an IO standard, the argument to
+ * this parameter (on a custom format) tells the driver which alternative
+ * IO standard to use.
+ */
+-enum zynq_pin_config_param {
+- PIN_CONFIG_IOSTANDARD = PIN_CONFIG_END + 1,
+-};
++#define PIN_CONFIG_IOSTANDARD (PIN_CONFIG_END + 1)
+
+ static const struct pinconf_generic_params zynq_dt_params[] = {
+ {"io-standard", PIN_CONFIG_IOSTANDARD, zynq_iostd_lvcmos18},
+--
+2.20.1
+
--- /dev/null
+From 6446a82022f948e2bf3398aee3d0ae58cb1ac7e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Nov 2017 14:18:44 -0700
+Subject: platform/x86: asus-nb-wmi: Support ALS on the Zenbook UX430UQ
+
+From: Kiernan Hager <kah.listaddress@gmail.com>
+
+[ Upstream commit db2582afa7444a0ce6bb1ebf1431715969a10b06 ]
+
+This patch adds support for ALS on the Zenbook UX430UQ to the asus_nb_wmi
+driver. It also renames "quirk_asus_ux330uak" to "quirk_asus_forceals"
+because it is now used for more than one model of computer, and should
+thus have a more general name.
+
+Signed-off-by: Kiernan Hager <kah.listaddress@gmail.com>
+[andy: massaged commit message, fixed indentation and commas in the code]
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/asus-nb-wmi.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c
+index 69ffbd7b76f74..4c35419608f7c 100644
+--- a/drivers/platform/x86/asus-nb-wmi.c
++++ b/drivers/platform/x86/asus-nb-wmi.c
+@@ -120,7 +120,7 @@ static struct quirk_entry quirk_asus_x550lb = {
+ .xusb2pr = 0x01D9,
+ };
+
+-static struct quirk_entry quirk_asus_ux330uak = {
++static struct quirk_entry quirk_asus_forceals = {
+ .wmi_force_als_set = true,
+ };
+
+@@ -431,7 +431,7 @@ static const struct dmi_system_id asus_quirks[] = {
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "UX330UAK"),
+ },
+- .driver_data = &quirk_asus_ux330uak,
++ .driver_data = &quirk_asus_forceals,
+ },
+ {
+ .callback = dmi_matched,
+@@ -442,6 +442,15 @@ static const struct dmi_system_id asus_quirks[] = {
+ },
+ .driver_data = &quirk_asus_x550lb,
+ },
++ {
++ .callback = dmi_matched,
++ .ident = "ASUSTeK COMPUTER INC. UX430UQ",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "UX430UQ"),
++ },
++ .driver_data = &quirk_asus_forceals,
++ },
+ {},
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 60aa7f3187a22d0957e751eb3ad6e10d212b2e33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Jun 2019 09:02:02 +0200
+Subject: platform/x86: asus-wmi: Only Tell EC the OS will handle display
+ hotkeys from asus_nb_wmi
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 401fee8195d401b2b94dee57383f627050724d5b ]
+
+Commit 78f3ac76d9e5 ("platform/x86: asus-wmi: Tell the EC the OS will
+handle the display off hotkey") causes the backlight to be permanently off
+on various EeePC laptop models using the eeepc-wmi driver (Asus EeePC
+1015BX, Asus EeePC 1025C).
+
+The asus_wmi_set_devstate(ASUS_WMI_DEVID_BACKLIGHT, 2, NULL) call added
+by that commit is made conditional in this commit and only enabled in
+the quirk_entry structs in the asus-nb-wmi driver fixing the broken
+display / backlight on various EeePC laptop models.
+
+Cc: João Paulo Rechi Vita <jprvita@endlessm.com>
+Fixes: 78f3ac76d9e5 ("platform/x86: asus-wmi: Tell the EC the OS will handle the display off hotkey")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/asus-nb-wmi.c | 8 ++++++++
+ drivers/platform/x86/asus-wmi.c | 2 +-
+ drivers/platform/x86/asus-wmi.h | 1 +
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c
+index 4c35419608f7c..0fd7e40b86a0d 100644
+--- a/drivers/platform/x86/asus-nb-wmi.c
++++ b/drivers/platform/x86/asus-nb-wmi.c
+@@ -78,10 +78,12 @@ static bool asus_q500a_i8042_filter(unsigned char data, unsigned char str,
+
+ static struct quirk_entry quirk_asus_unknown = {
+ .wapf = 0,
++ .wmi_backlight_set_devstate = true,
+ };
+
+ static struct quirk_entry quirk_asus_q500a = {
+ .i8042_filter = asus_q500a_i8042_filter,
++ .wmi_backlight_set_devstate = true,
+ };
+
+ /*
+@@ -92,15 +94,18 @@ static struct quirk_entry quirk_asus_q500a = {
+ static struct quirk_entry quirk_asus_x55u = {
+ .wapf = 4,
+ .wmi_backlight_power = true,
++ .wmi_backlight_set_devstate = true,
+ .no_display_toggle = true,
+ };
+
+ static struct quirk_entry quirk_asus_wapf4 = {
+ .wapf = 4,
++ .wmi_backlight_set_devstate = true,
+ };
+
+ static struct quirk_entry quirk_asus_x200ca = {
+ .wapf = 2,
++ .wmi_backlight_set_devstate = true,
+ };
+
+ static struct quirk_entry quirk_no_rfkill = {
+@@ -114,13 +119,16 @@ static struct quirk_entry quirk_no_rfkill_wapf4 = {
+
+ static struct quirk_entry quirk_asus_ux303ub = {
+ .wmi_backlight_native = true,
++ .wmi_backlight_set_devstate = true,
+ };
+
+ static struct quirk_entry quirk_asus_x550lb = {
++ .wmi_backlight_set_devstate = true,
+ .xusb2pr = 0x01D9,
+ };
+
+ static struct quirk_entry quirk_asus_forceals = {
++ .wmi_backlight_set_devstate = true,
+ .wmi_force_als_set = true,
+ };
+
+diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
+index 10bd13b301784..aede41a92cacb 100644
+--- a/drivers/platform/x86/asus-wmi.c
++++ b/drivers/platform/x86/asus-wmi.c
+@@ -2154,7 +2154,7 @@ static int asus_wmi_add(struct platform_device *pdev)
+ err = asus_wmi_backlight_init(asus);
+ if (err && err != -ENODEV)
+ goto fail_backlight;
+- } else
++ } else if (asus->driver->quirks->wmi_backlight_set_devstate)
+ err = asus_wmi_set_devstate(ASUS_WMI_DEVID_BACKLIGHT, 2, NULL);
+
+ status = wmi_install_notify_handler(asus->driver->event_guid,
+diff --git a/drivers/platform/x86/asus-wmi.h b/drivers/platform/x86/asus-wmi.h
+index 5db052d1de1e1..53bab79780e22 100644
+--- a/drivers/platform/x86/asus-wmi.h
++++ b/drivers/platform/x86/asus-wmi.h
+@@ -45,6 +45,7 @@ struct quirk_entry {
+ bool store_backlight_power;
+ bool wmi_backlight_power;
+ bool wmi_backlight_native;
++ bool wmi_backlight_set_devstate;
+ bool wmi_force_als_set;
+ int wapf;
+ /*
+--
+2.20.1
+
--- /dev/null
+From 8cc48beef8d8129e0f518b57a5a7d241c87f68f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Sep 2018 11:23:22 +1000
+Subject: powerpc/eeh: Fix use of EEH_PE_KEEP on wrong field
+
+From: Sam Bobroff <sbobroff@linux.ibm.com>
+
+[ Upstream commit 473af09b56dc4be68e4af33220ceca6be67aa60d ]
+
+eeh_add_to_parent_pe() sometimes removes the EEH_PE_KEEP flag, but it
+incorrectly removes it from pe->type, instead of pe->state.
+
+However, rather than clearing it from the correct field, remove it.
+Inspection of the code shows that it can't ever have had any effect
+(even if it had been cleared from the correct field), because the
+field is never tested after it is cleared by the statement in
+question.
+
+The clear statement was added by commit 807a827d4e74 ("powerpc/eeh:
+Keep PE during hotplug"), but it didn't explain why it was necessary.
+
+Signed-off-by: Sam Bobroff <sbobroff@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/eeh_pe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/eeh_pe.c b/arch/powerpc/kernel/eeh_pe.c
+index 1abd8dd77ec13..eee2131a97e61 100644
+--- a/arch/powerpc/kernel/eeh_pe.c
++++ b/arch/powerpc/kernel/eeh_pe.c
+@@ -370,7 +370,7 @@ int eeh_add_to_parent_pe(struct eeh_dev *edev)
+ while (parent) {
+ if (!(parent->type & EEH_PE_INVALID))
+ break;
+- parent->type &= ~(EEH_PE_INVALID | EEH_PE_KEEP);
++ parent->type &= ~EEH_PE_INVALID;
+ parent = parent->parent;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From a8cade1738cdf5f6b8d855fd68c6e9d30eff62be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Oct 2018 19:44:58 +0300
+Subject: powerpc: Fix signedness bug in update_flash_db()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 014704e6f54189a203cc14c7c0bb411b940241bc ]
+
+The "count < sizeof(struct os_area_db)" comparison is type promoted to
+size_t so negative values of "count" are treated as very high values
+and we accidentally return success instead of a negative error code.
+
+This doesn't really change runtime much but it fixes a static checker
+warning.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Geoff Levand <geoff@infradead.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/ps3/os-area.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/ps3/os-area.c b/arch/powerpc/platforms/ps3/os-area.c
+index 3db53e8aff927..9b2ef76578f06 100644
+--- a/arch/powerpc/platforms/ps3/os-area.c
++++ b/arch/powerpc/platforms/ps3/os-area.c
+@@ -664,7 +664,7 @@ static int update_flash_db(void)
+ db_set_64(db, &os_area_db_id_rtc_diff, saved_params.rtc_diff);
+
+ count = os_area_flash_write(db, sizeof(struct os_area_db), pos);
+- if (count < sizeof(struct os_area_db)) {
++ if (count < 0 || count < sizeof(struct os_area_db)) {
+ pr_debug("%s: os_area_flash_write failed %zd\n", __func__,
+ count);
+ error = count < 0 ? count : -EIO;
+--
+2.20.1
+
--- /dev/null
+From bb41489629d9c385e95b5e533aa58677fd393539 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Oct 2018 10:57:22 -0300
+Subject: powerpc/process: Fix flush_all_to_thread for SPE
+
+From: Felipe Rechia <felipe.rechia@datacom.com.br>
+
+[ Upstream commit e901378578c62202594cba0f6c076f3df365ec91 ]
+
+Fix a bug introduced by the creation of flush_all_to_thread() for
+processors that have SPE (Signal Processing Engine) and use it to
+compute floating-point operations.
+
+>From userspace perspective, the problem was seen in attempts of
+computing floating-point operations which should generate exceptions.
+For example:
+
+ fork();
+ float x = 0.0 / 0.0;
+ isnan(x); // forked process returns False (should be True)
+
+The operation above also should always cause the SPEFSCR FINV bit to
+be set. However, the SPE floating-point exceptions were turned off
+after a fork().
+
+Kernel versions prior to the bug used flush_spe_to_thread(), which
+first saves SPEFSCR register values in tsk->thread and then calls
+giveup_spe(tsk).
+
+After commit 579e633e764e, the save_all() function was called first
+to giveup_spe(), and then the SPEFSCR register values were saved in
+tsk->thread. This would save the SPEFSCR register values after
+disabling SPE for that thread, causing the bug described above.
+
+Fixes 579e633e764e ("powerpc: create flush_all_to_thread()")
+Signed-off-by: Felipe Rechia <felipe.rechia@datacom.com.br>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/process.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
+index 47c6c0401b3a2..54c95e7c74cce 100644
+--- a/arch/powerpc/kernel/process.c
++++ b/arch/powerpc/kernel/process.c
+@@ -576,12 +576,11 @@ void flush_all_to_thread(struct task_struct *tsk)
+ if (tsk->thread.regs) {
+ preempt_disable();
+ BUG_ON(tsk != current);
+- save_all(tsk);
+-
+ #ifdef CONFIG_SPE
+ if (tsk->thread.regs->msr & MSR_SPE)
+ tsk->thread.spefscr = mfspr(SPRN_SPEFSCR);
+ #endif
++ save_all(tsk);
+
+ preempt_enable();
+ }
+--
+2.20.1
+
--- /dev/null
+From f56649903c9d6f2d1ef9fe6f2281ff3f0f2900f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Oct 2018 20:33:08 +0900
+Subject: printk: fix integer overflow in setup_log_buf()
+
+From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+
+[ Upstream commit d2130e82e9454304e9b91ba9da551b5989af8c27 ]
+
+The way we calculate logbuf free space percentage overflows signed
+integer:
+
+ int free;
+
+ free = __LOG_BUF_LEN - log_next_idx;
+ pr_info("early log buf free: %u(%u%%)\n",
+ free, (free * 100) / __LOG_BUF_LEN);
+
+We support LOG_BUF_LEN of up to 1<<25 bytes. Since setup_log_buf() is
+called during early init, logbuf is mostly empty, so
+
+ __LOG_BUF_LEN - log_next_idx
+
+is close to 1<<25. Thus when we multiply it by 100, we overflow signed
+integer value range: 100 is 2^6 + 2^5 + 2^2.
+
+Example, booting with LOG_BUF_LEN 1<<25 and log_buf_len=2G
+boot param:
+
+[ 0.075317] log_buf_len: -2147483648 bytes
+[ 0.075319] early log buf free: 33549896(-28%)
+
+Make "free" unsigned integer and use appropriate printk() specifier.
+
+Link: http://lkml.kernel.org/r/20181010113308.9337-1-sergey.senozhatsky@gmail.com
+To: Steven Rostedt <rostedt@goodmis.org>
+Cc: linux-kernel@vger.kernel.org
+Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
+Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/printk/printk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
+index a0339c458c140..c1873d325ebda 100644
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -1050,7 +1050,7 @@ void __init setup_log_buf(int early)
+ {
+ unsigned long flags;
+ char *new_log_buf;
+- int free;
++ unsigned int free;
+
+ if (log_buf != __log_buf)
+ return;
+--
+2.20.1
+
--- /dev/null
+From 8a8d865f33d95f8acfefc0dd7e2f7bc712236663 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Oct 2018 23:11:11 +0300
+Subject: qlcnic: fix a return in qlcnic_dcb_get_capability()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit c94f026fb742b2d3199422751dbc4f6fc0e753d8 ]
+
+These functions are supposed to return one on failure and zero on
+success. Returning a zero here could cause uninitialized variable
+bugs in several of the callers. For example:
+
+ drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:1660 get_iscsi_dcb_priority()
+ error: uninitialized symbol 'caps'.
+
+Fixes: 48365e485275 ("qlcnic: dcb: Add support for CEE Netlink interface.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c
+index 4b76c69fe86d2..834208e55f7b8 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c
+@@ -883,7 +883,7 @@ static u8 qlcnic_dcb_get_capability(struct net_device *netdev, int capid,
+ struct qlcnic_adapter *adapter = netdev_priv(netdev);
+
+ if (!test_bit(QLCNIC_DCB_STATE, &adapter->dcb->state))
+- return 0;
++ return 1;
+
+ switch (capid) {
+ case DCB_CAP_ATTR_PG:
+--
+2.20.1
+
--- /dev/null
+From 719b58ae688f3f53e1e7a5acb4fe380507e75a41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Oct 2018 13:43:45 -0700
+Subject: rtc: s35390a: Change buf's type to u8 in s35390a_init
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit ef0f02fd69a02b50e468a4ddbe33e3d81671e248 ]
+
+Clang warns:
+
+drivers/rtc/rtc-s35390a.c:124:27: warning: implicit conversion from
+'int' to 'char' changes value from 192 to -64 [-Wconstant-conversion]
+ buf = S35390A_FLAG_RESET | S35390A_FLAG_24H;
+ ~ ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~
+1 warning generated.
+
+Update buf to be an unsigned 8-bit integer, which matches the buf member
+in struct i2c_msg.
+
+https://github.com/ClangBuiltLinux/linux/issues/145
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-s35390a.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-s35390a.c b/drivers/rtc/rtc-s35390a.c
+index 5dab4665ca3bd..3e0eea3aa876d 100644
+--- a/drivers/rtc/rtc-s35390a.c
++++ b/drivers/rtc/rtc-s35390a.c
+@@ -106,7 +106,7 @@ static int s35390a_get_reg(struct s35390a *s35390a, int reg, char *buf, int len)
+ */
+ static int s35390a_reset(struct s35390a *s35390a, char *status1)
+ {
+- char buf;
++ u8 buf;
+ int ret;
+ unsigned initcount = 0;
+
+--
+2.20.1
+
--- /dev/null
+From 1336102cb802af2a05688edff327b28cef7a42b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Oct 2018 13:51:03 +0200
+Subject: rtl8xxxu: Fix missing break in switch
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+[ Upstream commit 307b00c5e695857ca92fc6a4b8ab6c48f988a1b1 ]
+
+Add missing break statement in order to prevent the code from falling
+through to the default case.
+
+Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)")
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index 4e725d165aa60..e78545d4add3c 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -5660,6 +5660,7 @@ static int rtl8xxxu_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+ break;
+ case WLAN_CIPHER_SUITE_TKIP:
+ key->flags |= IEEE80211_KEY_FLAG_GENERATE_MMIC;
++ break;
+ default:
+ return -EOPNOTSUPP;
+ }
+--
+2.20.1
+
--- /dev/null
+From e914c1a9114e3b43785cf733b0ef9860945d70e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Nov 2018 19:25:30 +0800
+Subject: rtlwifi: rtl8192de: Fix misleading REG_MCUFWDL information
+
+From: Shaokun Zhang <zhangshaokun@hisilicon.com>
+
+[ Upstream commit 7d129adff3afbd3a449bc3593f2064ac546d58d3 ]
+
+RT_TRACE shows REG_MCUFWDL value as a decimal value with a '0x'
+prefix, which is somewhat misleading.
+
+Fix it to print hexadecimal, as was intended.
+
+Cc: Ping-Ke Shih <pkshih@realtek.com>
+Cc: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Shaokun Zhang <zhangshaokun@hisilicon.com>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8192de/fw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/fw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/fw.c
+index 8de29cc3ced07..a24644f34e650 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/fw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/fw.c
+@@ -234,7 +234,7 @@ static int _rtl92d_fw_init(struct ieee80211_hw *hw)
+ rtl_read_byte(rtlpriv, FW_MAC1_READY));
+ }
+ RT_TRACE(rtlpriv, COMP_FW, DBG_DMESG,
+- "Polling FW ready fail!! REG_MCUFWDL:0x%08ul\n",
++ "Polling FW ready fail!! REG_MCUFWDL:0x%08x\n",
+ rtl_read_dword(rtlpriv, REG_MCUFWDL));
+ return -1;
+ }
+--
+2.20.1
+
--- /dev/null
+From ba8a71b8a1cc6cda565f24dc94421c3ecd30c6a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Oct 2018 14:39:29 +0100
+Subject: s390/perf: Return error when debug_register fails
+
+From: Thomas Richter <tmricht@linux.ibm.com>
+
+[ Upstream commit ec0c0bb489727de0d4dca6a00be6970ab8a3b30a ]
+
+Return an error when the function debug_register() fails allocating
+the debug handle.
+Also remove the registered debug handle when the initialization fails
+later on.
+
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/perf_cpum_sf.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c
+index 96e4fcad57bf7..f46e5c0cb6d95 100644
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -1611,14 +1611,17 @@ static int __init init_cpum_sampling_pmu(void)
+ }
+
+ sfdbg = debug_register(KMSG_COMPONENT, 2, 1, 80);
+- if (!sfdbg)
++ if (!sfdbg) {
+ pr_err("Registering for s390dbf failed\n");
++ return -ENOMEM;
++ }
+ debug_register_view(sfdbg, &debug_sprintf_view);
+
+ err = register_external_irq(EXT_IRQ_MEASURE_ALERT,
+ cpumf_measurement_alert);
+ if (err) {
+ pr_cpumsf_err(RS_INIT_FAILURE_ALRT);
++ debug_unregister(sfdbg);
+ goto out;
+ }
+
+@@ -1627,6 +1630,7 @@ static int __init init_cpum_sampling_pmu(void)
+ pr_cpumsf_err(RS_INIT_FAILURE_PERF);
+ unregister_external_irq(EXT_IRQ_MEASURE_ALERT,
+ cpumf_measurement_alert);
++ debug_unregister(sfdbg);
+ goto out;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 3ed7f097460ef146b38f1404341fa5fc47c14e9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Sep 2018 16:12:07 +0100
+Subject: sched/fair: Don't increase sd->balance_interval on newidle balance
+
+From: Valentin Schneider <valentin.schneider@arm.com>
+
+[ Upstream commit 3f130a37c442d5c4d66531b240ebe9abfef426b5 ]
+
+When load_balance() fails to move some load because of task affinity,
+we end up increasing sd->balance_interval to delay the next periodic
+balance in the hopes that next time we look, that annoying pinned
+task(s) will be gone.
+
+However, idle_balance() pays no attention to sd->balance_interval, yet
+it will still lead to an increase in balance_interval in case of
+pinned tasks.
+
+If we're going through several newidle balances (e.g. we have a
+periodic task), this can lead to a huge increase of the
+balance_interval in a very small amount of time.
+
+To prevent that, don't increase the balance interval when going
+through a newidle balance.
+
+This is a similar approach to what is done in commit 58b26c4c0257
+("sched: Increment cache_nice_tries only on periodic lb"), where we
+disregard newidle balance and rely on periodic balance for more stable
+results.
+
+Signed-off-by: Valentin Schneider <valentin.schneider@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Dietmar.Eggemann@arm.com
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: patrick.bellasi@arm.com
+Cc: vincent.guittot@linaro.org
+Link: http://lkml.kernel.org/r/1537974727-30788-2-git-send-email-valentin.schneider@arm.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index d8afae1bd5c5e..b765a58cf20f1 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -7950,13 +7950,22 @@ static int load_balance(int this_cpu, struct rq *this_rq,
+ sd->nr_balance_failed = 0;
+
+ out_one_pinned:
++ ld_moved = 0;
++
++ /*
++ * idle_balance() disregards balance intervals, so we could repeatedly
++ * reach this code, which would lead to balance_interval skyrocketting
++ * in a short amount of time. Skip the balance_interval increase logic
++ * to avoid that.
++ */
++ if (env.idle == CPU_NEWLY_IDLE)
++ goto out;
++
+ /* tune up the balancing interval */
+ if (((env.flags & LBF_ALL_PINNED) &&
+ sd->balance_interval < MAX_PINNED_INTERVAL) ||
+ (sd->balance_interval < sd->max_interval))
+ sd->balance_interval *= 2;
+-
+- ld_moved = 0;
+ out:
+ return ld_moved;
+ }
+--
+2.20.1
+
--- /dev/null
+From 2c1d7b361dbdce1438858bb6741327baa59438da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Oct 2018 16:17:15 +0200
+Subject: scsi: dc395x: fix DMA API usage in sg_update_list
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 6c404a68bf83b4135a8a9aa1c388ebdf98e8ba7f ]
+
+We need to transfer device ownership to the CPU before we can manipulate
+the mapped data.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/dc395x.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c
+index 9da0ac360848f..830b2d2dcf206 100644
+--- a/drivers/scsi/dc395x.c
++++ b/drivers/scsi/dc395x.c
+@@ -1972,6 +1972,11 @@ static void sg_update_list(struct ScsiReqBlk *srb, u32 left)
+ xferred -= psge->length;
+ } else {
+ /* Partial SG entry done */
++ pci_dma_sync_single_for_cpu(srb->dcb->
++ acb->dev,
++ srb->sg_bus_addr,
++ SEGMENTX_LEN,
++ PCI_DMA_TODEVICE);
+ psge->length -= xferred;
+ psge->address += xferred;
+ srb->sg_index = idx;
+--
+2.20.1
+
--- /dev/null
+From 11465a06f519df297430f6128c5ba068b7d34b92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Oct 2018 16:17:14 +0200
+Subject: scsi: dc395x: fix dma API usage in srb_done
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 3a5bd7021184dec2946f2a4d7a8943f8a5713e52 ]
+
+We can't just transfer ownership to the CPU and then unmap, as this will
+break with swiotlb.
+
+Instead unmap the command and sense buffer a little earlier in the I/O
+completion handler and get rid of the pci_dma_sync_sg_for_cpu call
+entirely.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/dc395x.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c
+index 5ee7f44cf869b..9da0ac360848f 100644
+--- a/drivers/scsi/dc395x.c
++++ b/drivers/scsi/dc395x.c
+@@ -3450,14 +3450,12 @@ static void srb_done(struct AdapterCtlBlk *acb, struct DeviceCtlBlk *dcb,
+ }
+ }
+
+- if (dir != PCI_DMA_NONE && scsi_sg_count(cmd))
+- pci_dma_sync_sg_for_cpu(acb->dev, scsi_sglist(cmd),
+- scsi_sg_count(cmd), dir);
+-
+ ckc_only = 0;
+ /* Check Error Conditions */
+ ckc_e:
+
++ pci_unmap_srb(acb, srb);
++
+ if (cmd->cmnd[0] == INQUIRY) {
+ unsigned char *base = NULL;
+ struct ScsiInqData *ptr;
+@@ -3511,7 +3509,6 @@ static void srb_done(struct AdapterCtlBlk *acb, struct DeviceCtlBlk *dcb,
+ cmd, cmd->result);
+ srb_free_insert(acb, srb);
+ }
+- pci_unmap_srb(acb, srb);
+
+ cmd->scsi_done(cmd);
+ waiting_process_next(acb);
+--
+2.20.1
+
--- /dev/null
+From ed1e0da33f437a04a25a44d94c38ed7f550ddbf4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 11:12:23 +0200
+Subject: scsi: ips: fix missing break in switch
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+[ Upstream commit 5d25ff7a544889bc4b749fda31778d6a18dddbcb ]
+
+Add missing break statement in order to prevent the code from falling
+through to case TEST_UNIT_READY.
+
+Addresses-Coverity-ID: 1357338 ("Missing break in switch")
+Suggested-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ips.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/ips.c b/drivers/scsi/ips.c
+index 02cb76fd44208..6bbf2945a3e00 100644
+--- a/drivers/scsi/ips.c
++++ b/drivers/scsi/ips.c
+@@ -3500,6 +3500,7 @@ ips_send_cmd(ips_ha_t * ha, ips_scb_t * scb)
+
+ case START_STOP:
+ scb->scsi_cmd->result = DID_OK << 16;
++ break;
+
+ case TEST_UNIT_READY:
+ case INQUIRY:
+--
+2.20.1
+
--- /dev/null
+From e633318fd0122332c177282883df3e717443bce3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Sep 2018 17:12:00 -0700
+Subject: scsi: isci: Change sci_controller_start_task's return type to
+ sci_status
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit 362b5da3dfceada6e74ecdd7af3991bbe42c0c0f ]
+
+Clang warns when an enumerated type is implicitly converted to another.
+
+drivers/scsi/isci/request.c:3476:13: warning: implicit conversion from
+enumeration type 'enum sci_task_status' to different enumeration type
+'enum sci_status' [-Wenum-conversion]
+ status = sci_controller_start_task(ihost,
+ ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/scsi/isci/host.c:2744:10: warning: implicit conversion from
+enumeration type 'enum sci_status' to different enumeration type 'enum
+sci_task_status' [-Wenum-conversion]
+ return SCI_SUCCESS;
+ ~~~~~~ ^~~~~~~~~~~
+drivers/scsi/isci/host.c:2753:9: warning: implicit conversion from
+enumeration type 'enum sci_status' to different enumeration type 'enum
+sci_task_status' [-Wenum-conversion]
+ return status;
+ ~~~~~~ ^~~~~~
+
+Avoid all of these implicit conversion by just making
+sci_controller_start_task use sci_status. This silences
+Clang and has no functional change since sci_task_status
+has all of its values mapped to something in sci_status.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/153
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/isci/host.c | 8 ++++----
+ drivers/scsi/isci/host.h | 2 +-
+ drivers/scsi/isci/task.c | 4 ++--
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/scsi/isci/host.c b/drivers/scsi/isci/host.c
+index 609dafd661d14..da4583a2fa23e 100644
+--- a/drivers/scsi/isci/host.c
++++ b/drivers/scsi/isci/host.c
+@@ -2717,9 +2717,9 @@ enum sci_status sci_controller_continue_io(struct isci_request *ireq)
+ * the task management request.
+ * @task_request: the handle to the task request object to start.
+ */
+-enum sci_task_status sci_controller_start_task(struct isci_host *ihost,
+- struct isci_remote_device *idev,
+- struct isci_request *ireq)
++enum sci_status sci_controller_start_task(struct isci_host *ihost,
++ struct isci_remote_device *idev,
++ struct isci_request *ireq)
+ {
+ enum sci_status status;
+
+@@ -2728,7 +2728,7 @@ enum sci_task_status sci_controller_start_task(struct isci_host *ihost,
+ "%s: SCIC Controller starting task from invalid "
+ "state\n",
+ __func__);
+- return SCI_TASK_FAILURE_INVALID_STATE;
++ return SCI_FAILURE_INVALID_STATE;
+ }
+
+ status = sci_remote_device_start_task(ihost, idev, ireq);
+diff --git a/drivers/scsi/isci/host.h b/drivers/scsi/isci/host.h
+index 22a9bb1abae14..15dc6e0d8deb0 100644
+--- a/drivers/scsi/isci/host.h
++++ b/drivers/scsi/isci/host.h
+@@ -490,7 +490,7 @@ enum sci_status sci_controller_start_io(
+ struct isci_remote_device *idev,
+ struct isci_request *ireq);
+
+-enum sci_task_status sci_controller_start_task(
++enum sci_status sci_controller_start_task(
+ struct isci_host *ihost,
+ struct isci_remote_device *idev,
+ struct isci_request *ireq);
+diff --git a/drivers/scsi/isci/task.c b/drivers/scsi/isci/task.c
+index 6dcaed0c1fc8c..fb6eba331ac6e 100644
+--- a/drivers/scsi/isci/task.c
++++ b/drivers/scsi/isci/task.c
+@@ -258,7 +258,7 @@ static int isci_task_execute_tmf(struct isci_host *ihost,
+ struct isci_tmf *tmf, unsigned long timeout_ms)
+ {
+ DECLARE_COMPLETION_ONSTACK(completion);
+- enum sci_task_status status = SCI_TASK_FAILURE;
++ enum sci_status status = SCI_FAILURE;
+ struct isci_request *ireq;
+ int ret = TMF_RESP_FUNC_FAILED;
+ unsigned long flags;
+@@ -301,7 +301,7 @@ static int isci_task_execute_tmf(struct isci_host *ihost,
+ /* start the TMF io. */
+ status = sci_controller_start_task(ihost, idev, ireq);
+
+- if (status != SCI_TASK_SUCCESS) {
++ if (status != SCI_SUCCESS) {
+ dev_dbg(&ihost->pdev->dev,
+ "%s: start_io failed - status = 0x%x, request = %p\n",
+ __func__,
+--
+2.20.1
+
--- /dev/null
+From b0ba4d407dd601295c5022e93856cff4cf61c43d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Sep 2018 17:11:50 -0700
+Subject: scsi: isci: Use proper enumerated type in atapi_d2h_reg_frame_handler
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit e9e9a103528c7e199ead6e5374c9c52cf16b5802 ]
+
+Clang warns when one enumerated type is implicitly converted to another.
+
+drivers/scsi/isci/request.c:1629:13: warning: implicit conversion from
+enumeration type 'enum sci_io_status' to different enumeration type
+'enum sci_status' [-Wenum-conversion]
+ status = SCI_IO_FAILURE_RESPONSE_VALID;
+ ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/scsi/isci/request.c:1631:12: warning: implicit conversion from
+enumeration type 'enum sci_io_status' to different enumeration type
+'enum sci_status' [-Wenum-conversion]
+ status = SCI_IO_FAILURE_RESPONSE_VALID;
+ ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+status is of type sci_status but SCI_IO_FAILURE_RESPONSE_VALID is of
+type sci_io_status. Use SCI_FAILURE_IO_RESPONSE_VALID, which is from
+sci_status and has SCI_IO_FAILURE_RESPONSE_VALID's exact value since
+that is what SCI_IO_FAILURE_RESPONSE_VALID is mapped to in the isci.h
+file.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/153
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/isci/request.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/isci/request.c b/drivers/scsi/isci/request.c
+index b709d2b208809..7d71ca421751d 100644
+--- a/drivers/scsi/isci/request.c
++++ b/drivers/scsi/isci/request.c
+@@ -1626,9 +1626,9 @@ static enum sci_status atapi_d2h_reg_frame_handler(struct isci_request *ireq,
+
+ if (status == SCI_SUCCESS) {
+ if (ireq->stp.rsp.status & ATA_ERR)
+- status = SCI_IO_FAILURE_RESPONSE_VALID;
++ status = SCI_FAILURE_IO_RESPONSE_VALID;
+ } else {
+- status = SCI_IO_FAILURE_RESPONSE_VALID;
++ status = SCI_FAILURE_IO_RESPONSE_VALID;
+ }
+
+ if (status != SCI_SUCCESS) {
+--
+2.20.1
+
--- /dev/null
+From 2107c6452e6d2ca1d962aa0ec3cc8c4474ea8542 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Oct 2018 18:06:15 -0700
+Subject: scsi: iscsi_tcp: Explicitly cast param in iscsi_sw_tcp_host_get_param
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit 20054597f169090109fc3f0dfa1a48583f4178a4 ]
+
+Clang warns when one enumerated type is implicitly converted to another.
+
+drivers/scsi/iscsi_tcp.c:803:15: warning: implicit conversion from
+enumeration type 'enum iscsi_host_param' to different enumeration type
+'enum iscsi_param' [-Wenum-conversion]
+ &addr, param, buf);
+ ^~~~~
+1 warning generated.
+
+iscsi_conn_get_addr_param handles ISCSI_HOST_PARAM_IPADDRESS just fine
+so add an explicit cast to iscsi_param to make it clear to Clang that
+this is expected behavior.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/153
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/iscsi_tcp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
+index ace4f1f41b8e0..d60564397be54 100644
+--- a/drivers/scsi/iscsi_tcp.c
++++ b/drivers/scsi/iscsi_tcp.c
+@@ -798,7 +798,8 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
+ return rc;
+
+ return iscsi_conn_get_addr_param((struct sockaddr_storage *)
+- &addr, param, buf);
++ &addr,
++ (enum iscsi_param)param, buf);
+ default:
+ return iscsi_host_get_param(shost, param, buf);
+ }
+--
+2.20.1
+
--- /dev/null
+From 1a670a58a8786a35e6c6b4cf5923a552b39b824d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Oct 2018 13:41:06 -0700
+Subject: scsi: lpfc: fcoe: Fix link down issue after 1000+ link bounces
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 036cad1f1ac9ce03e2db94b8460f98eaf1e1ee4c ]
+
+On FCoE adapters, when running link bounce test in a loop, initiator
+failed to login with switch switch and required driver reload to
+recover. Switch reached a point where all subsequent FLOGIs would be
+LS_RJT'd. Further testing showed the condition to be related to not
+performing FCF discovery between FLOGI's.
+
+Fix by monitoring FLOGI failures and once a repeated error is seen
+repeat FCF discovery.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_els.c | 2 ++
+ drivers/scsi/lpfc/lpfc_hbadisc.c | 20 ++++++++++++++++++++
+ drivers/scsi/lpfc/lpfc_init.c | 2 +-
+ drivers/scsi/lpfc/lpfc_sli.c | 11 ++---------
+ drivers/scsi/lpfc/lpfc_sli4.h | 1 +
+ 5 files changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
+index b5be4df05733f..3702497b5b169 100644
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -1141,6 +1141,7 @@ lpfc_cmpl_els_flogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
+ phba->fcf.fcf_flag &= ~FCF_DISCOVERY;
+ phba->hba_flag &= ~(FCF_RR_INPROG | HBA_DEVLOSS_TMO);
+ spin_unlock_irq(&phba->hbalock);
++ phba->fcf.fcf_redisc_attempted = 0; /* reset */
+ goto out;
+ }
+ if (!rc) {
+@@ -1155,6 +1156,7 @@ lpfc_cmpl_els_flogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
+ phba->fcf.fcf_flag &= ~FCF_DISCOVERY;
+ phba->hba_flag &= ~(FCF_RR_INPROG | HBA_DEVLOSS_TMO);
+ spin_unlock_irq(&phba->hbalock);
++ phba->fcf.fcf_redisc_attempted = 0; /* reset */
+ goto out;
+ }
+ }
+diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
+index 9cca5ddbc50cc..6eaba16768461 100644
+--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
+@@ -1969,6 +1969,26 @@ int lpfc_sli4_fcf_rr_next_proc(struct lpfc_vport *vport, uint16_t fcf_index)
+ "failover and change port state:x%x/x%x\n",
+ phba->pport->port_state, LPFC_VPORT_UNKNOWN);
+ phba->pport->port_state = LPFC_VPORT_UNKNOWN;
++
++ if (!phba->fcf.fcf_redisc_attempted) {
++ lpfc_unregister_fcf(phba);
++
++ rc = lpfc_sli4_redisc_fcf_table(phba);
++ if (!rc) {
++ lpfc_printf_log(phba, KERN_INFO, LOG_FIP,
++ "3195 Rediscover FCF table\n");
++ phba->fcf.fcf_redisc_attempted = 1;
++ lpfc_sli4_clear_fcf_rr_bmask(phba);
++ } else {
++ lpfc_printf_log(phba, KERN_WARNING, LOG_FIP,
++ "3196 Rediscover FCF table "
++ "failed. Status:x%x\n", rc);
++ }
++ } else {
++ lpfc_printf_log(phba, KERN_WARNING, LOG_FIP,
++ "3197 Already rediscover FCF table "
++ "attempted. No more retry\n");
++ }
+ goto stop_flogi_current_fcf;
+ } else {
+ lpfc_printf_log(phba, KERN_INFO, LOG_FIP | LOG_ELS,
+diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
+index e9ea8f4ea2c92..2f80b2c0409e0 100644
+--- a/drivers/scsi/lpfc/lpfc_init.c
++++ b/drivers/scsi/lpfc/lpfc_init.c
+@@ -4444,7 +4444,7 @@ lpfc_sli4_async_fip_evt(struct lpfc_hba *phba,
+ break;
+ }
+ /* If fast FCF failover rescan event is pending, do nothing */
+- if (phba->fcf.fcf_flag & FCF_REDISC_EVT) {
++ if (phba->fcf.fcf_flag & (FCF_REDISC_EVT | FCF_REDISC_PEND)) {
+ spin_unlock_irq(&phba->hbalock);
+ break;
+ }
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index c05fc61a383b2..e1e0feb250031 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -16553,15 +16553,8 @@ lpfc_sli4_fcf_rr_next_index_get(struct lpfc_hba *phba)
+ goto initial_priority;
+ lpfc_printf_log(phba, KERN_WARNING, LOG_FIP,
+ "2844 No roundrobin failover FCF available\n");
+- if (next_fcf_index >= LPFC_SLI4_FCF_TBL_INDX_MAX)
+- return LPFC_FCOE_FCF_NEXT_NONE;
+- else {
+- lpfc_printf_log(phba, KERN_WARNING, LOG_FIP,
+- "3063 Only FCF available idx %d, flag %x\n",
+- next_fcf_index,
+- phba->fcf.fcf_pri[next_fcf_index].fcf_rec.flag);
+- return next_fcf_index;
+- }
++
++ return LPFC_FCOE_FCF_NEXT_NONE;
+ }
+
+ if (next_fcf_index < LPFC_SLI4_FCF_TBL_INDX_MAX &&
+diff --git a/drivers/scsi/lpfc/lpfc_sli4.h b/drivers/scsi/lpfc/lpfc_sli4.h
+index 0b88b5703e0f1..9c69c4215de30 100644
+--- a/drivers/scsi/lpfc/lpfc_sli4.h
++++ b/drivers/scsi/lpfc/lpfc_sli4.h
+@@ -237,6 +237,7 @@ struct lpfc_fcf {
+ #define FCF_REDISC_EVT 0x100 /* FCF rediscovery event to worker thread */
+ #define FCF_REDISC_FOV 0x200 /* Post FCF rediscovery fast failover */
+ #define FCF_REDISC_PROG (FCF_REDISC_PEND | FCF_REDISC_EVT)
++ uint16_t fcf_redisc_attempted;
+ uint32_t addr_mode;
+ uint32_t eligible_fcf_cnt;
+ struct lpfc_fcf_rec current_rec;
+--
+2.20.1
+
--- /dev/null
+From bb10bdced2bf450dc6b2ba7b278978b5bbdcc60e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 23:37:41 -0700
+Subject: scsi: megaraid_sas: Fix msleep granularity
+
+From: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
+
+[ Upstream commit 9155cf30a3c4ef97e225d6daddf9bd4b173267e8 ]
+
+In megasas_transition_to_ready() driver waits 180seconds for controller to
+change FW state. Here we are calling msleep(1) in a loop for this. As
+explained in timers-howto.txt, msleep(1) will actually sleep longer than
+1ms. If a faulty controller is connected, we will end up waiting for much
+more than 180 seconds causing unnecessary delays during load.
+
+Change the granularity of msleep() call from 1ms to 1000ms.
+
+Signed-off-by: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/megaraid/megaraid_sas_base.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
+index d90693b2767fd..c5cc002dfdd5c 100644
+--- a/drivers/scsi/megaraid/megaraid_sas_base.c
++++ b/drivers/scsi/megaraid/megaraid_sas_base.c
+@@ -3694,12 +3694,12 @@ megasas_transition_to_ready(struct megasas_instance *instance, int ocr)
+ /*
+ * The cur_state should not last for more than max_wait secs
+ */
+- for (i = 0; i < (max_wait * 1000); i++) {
++ for (i = 0; i < max_wait; i++) {
+ curr_abs_state = instance->instancet->
+ read_fw_status_reg(instance->reg_set);
+
+ if (abs_state == curr_abs_state) {
+- msleep(1);
++ msleep(1000);
+ } else
+ break;
+ }
+--
+2.20.1
+
--- /dev/null
+From ec3f45b1b5aef95f2947f7778d81495a490e18b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Oct 2018 18:53:38 +0530
+Subject: scsi: mpt3sas: Fix driver modifying persistent data in Manufacturing
+ page11
+
+From: Suganath Prabu <suganath-prabu.subramani@broadcom.com>
+
+[ Upstream commit 97f35194093362a63b33caba2485521ddabe2c95 ]
+
+Currently driver is modifying both current & NVRAM/persistent data in
+Manufacturing page11. Driver should change only current copy of
+Manufacturing page11. It should not modify the persistent data.
+
+So removed the section of code where driver is modifying the persistent
+data of Manufacturing page11.
+
+Signed-off-by: Suganath Prabu <suganath-prabu.subramani@broadcom.com>
+Reviewed-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_config.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_config.c b/drivers/scsi/mpt3sas/mpt3sas_config.c
+index cebfd734fd769..a9fef0cd382bd 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_config.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_config.c
+@@ -674,10 +674,6 @@ mpt3sas_config_set_manufacturing_pg11(struct MPT3SAS_ADAPTER *ioc,
+ r = _config_request(ioc, &mpi_request, mpi_reply,
+ MPT3_CONFIG_PAGE_DEFAULT_TIMEOUT, config_page,
+ sizeof(*config_page));
+- mpi_request.Action = MPI2_CONFIG_ACTION_PAGE_WRITE_NVRAM;
+- r = _config_request(ioc, &mpi_request, mpi_reply,
+- MPT3_CONFIG_PAGE_DEFAULT_TIMEOUT, config_page,
+- sizeof(*config_page));
+ out:
+ return r;
+ }
+--
+2.20.1
+
--- /dev/null
+From 45eb16fecc63c166d44e7de47835bfc7354cfc34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Oct 2018 18:53:36 +0530
+Subject: scsi: mpt3sas: Fix Sync cache command failure during driver unload
+
+From: Suganath Prabu <suganath-prabu.subramani@broadcom.com>
+
+[ Upstream commit 9029a72500b95578a35877a43473b82cb0386c53 ]
+
+This is to fix SYNC CACHE and START STOP command failures with
+DID_NO_CONNECT during driver unload.
+
+In driver's IO submission patch (i.e. in driver's .queuecommand()) driver
+won't allow any SCSI commands to the IOC when ioc->remove_host flag is set
+and hence SYNC CACHE commands which are issued to the target drives (where
+write cache is enabled) during driver unload time is failed with
+DID_NO_CONNECT status.
+
+Now modified the driver to allow SYNC CACHE and START STOP commands to IOC,
+even when remove_host flag is set.
+
+Signed-off-by: Suganath Prabu <suganath-prabu.subramani@broadcom.com>
+Reviewed-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 36 +++++++++++++++++++++++++++-
+ 1 file changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+index ec48c010a3bab..aa2078d7e23e2 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -3297,6 +3297,40 @@ _scsih_tm_tr_complete(struct MPT3SAS_ADAPTER *ioc, u16 smid, u8 msix_index,
+ return _scsih_check_for_pending_tm(ioc, smid);
+ }
+
++/** _scsih_allow_scmd_to_device - check whether scmd needs to
++ * issue to IOC or not.
++ * @ioc: per adapter object
++ * @scmd: pointer to scsi command object
++ *
++ * Returns true if scmd can be issued to IOC otherwise returns false.
++ */
++inline bool _scsih_allow_scmd_to_device(struct MPT3SAS_ADAPTER *ioc,
++ struct scsi_cmnd *scmd)
++{
++
++ if (ioc->pci_error_recovery)
++ return false;
++
++ if (ioc->hba_mpi_version_belonged == MPI2_VERSION) {
++ if (ioc->remove_host)
++ return false;
++
++ return true;
++ }
++
++ if (ioc->remove_host) {
++
++ switch (scmd->cmnd[0]) {
++ case SYNCHRONIZE_CACHE:
++ case START_STOP:
++ return true;
++ default:
++ return false;
++ }
++ }
++
++ return true;
++}
+
+ /**
+ * _scsih_sas_control_complete - completion routine
+@@ -4059,7 +4093,7 @@ scsih_qcmd(struct Scsi_Host *shost, struct scsi_cmnd *scmd)
+ return 0;
+ }
+
+- if (ioc->pci_error_recovery || ioc->remove_host) {
++ if (!(_scsih_allow_scmd_to_device(ioc, scmd))) {
+ scmd->result = DID_NO_CONNECT << 16;
+ scmd->scsi_done(scmd);
+ return 0;
+--
+2.20.1
+
--- /dev/null
+From 6ac56213280539ee30108a087a65ec5a68bd6ac7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Aug 2018 23:16:13 +0900
+Subject: selftests/ftrace: Fix to test kprobe $comm arg only if available
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit 2452c96e617a0ff6fb2692e55217a3fa57a7322c ]
+
+Test $comm in kprobe-event argument syntax testcase
+only if it is supported on the kernel because
+$comm has been introduced 4.8 kernel.
+So on older stable kernel, it should be skipped.
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc
+index 231bcd2c4eb59..1e7ac6f3362ff 100644
+--- a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc
++++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc
+@@ -71,8 +71,11 @@ test_badarg "\$stackp" "\$stack0+10" "\$stack1-10"
+ echo "r ${PROBEFUNC} \$retval" > kprobe_events
+ ! echo "p ${PROBEFUNC} \$retval" > kprobe_events
+
++# $comm was introduced in 4.8, older kernels reject it.
++if grep -A1 "fetcharg:" README | grep -q '\$comm' ; then
+ : "Comm access"
+ test_goodarg "\$comm"
++fi
+
+ : "Indirect memory access"
+ test_goodarg "+0(${GOODREG})" "-0(${GOODREG})" "+10(\$stack)" \
+--
+2.20.1
+
tools-gpio-correctly-add-make-dependencies-for-gpio_utils.patch
revert-fs-ocfs2-fix-possible-null-pointer-dereferences-in-ocfs2_xa_prepare_entry.patch
mm-ksm.c-don-t-warn-if-page-is-still-mapped-in-remove_stable_node.patch
+platform-x86-asus-nb-wmi-support-als-on-the-zenbook-.patch
+platform-x86-asus-wmi-only-tell-ec-the-os-will-handl.patch
+mwifiex-fix-nl80211_tx_power_limited.patch
+alsa-isight-fix-leak-of-reference-to-firewire-unit-i.patch
+printk-fix-integer-overflow-in-setup_log_buf.patch
+gfs2-fix-marking-bitmaps-non-full.patch
+synclink_gt-fix-compat_ioctl.patch
+powerpc-fix-signedness-bug-in-update_flash_db.patch
+powerpc-eeh-fix-use-of-eeh_pe_keep-on-wrong-field.patch
+brcmsmac-ap-mode-update-beacon-when-tim-changes.patch
+ath10k-allocate-small-size-dma-memory-in-ath10k_pci_.patch
+spi-sh-msiof-fix-deferred-probing.patch
+mmc-mediatek-fix-cannot-receive-new-request-when-msd.patch
+btrfs-handle-error-of-get_old_root.patch
+gsmi-fix-bug-in-append_to_eventlog-sysfs-handler.patch
+misc-mic-fix-a-dma-pool-free-failure.patch
+m68k-fix-command-line-parsing-when-passed-from-u-boo.patch
+amiflop-clean-up-on-errors-during-setup.patch
+scsi-ips-fix-missing-break-in-switch.patch
+kvm-x86-fix-invvpid-and-invept-register-operand-size.patch
+scsi-isci-use-proper-enumerated-type-in-atapi_d2h_re.patch
+scsi-isci-change-sci_controller_start_task-s-return-.patch
+scsi-iscsi_tcp-explicitly-cast-param-in-iscsi_sw_tcp.patch
+clk-mmp2-fix-the-clock-id-for-sdh2_clk-and-sdh3_clk.patch
+asoc-tegra_sgtl5000-fix-device_node-refcounting.patch
+scsi-dc395x-fix-dma-api-usage-in-srb_done.patch
+scsi-dc395x-fix-dma-api-usage-in-sg_update_list.patch
+net-fix-warning-in-af_unix.patch
+net-ena-fix-kconfig-dependency-on-x86.patch
+xfs-fix-use-after-free-race-in-xfs_buf_rele.patch
+kprobes-x86-ptrace.h-make-regs_get_kernel_stack_nth-.patch
+alsa-i2c-cs8427-fix-int-to-char-conversion.patch
+macintosh-windfarm_smu_sat-fix-debug-output.patch
+usb-misc-appledisplay-fix-backlight-update_status-re.patch
+usbip-tools-fix-atoi-on-non-null-terminated-string.patch
+sunrpc-fix-a-compile-warning-for-cmpxchg64.patch
+sunrpc-safely-reallow-resvport-min-max-inversion.patch
+atm-zatm-fix-empty-body-clang-warnings.patch
+s390-perf-return-error-when-debug_register-fails.patch
+spi-omap2-mcspi-set-fifo-dma-trigger-level-to-word-l.patch
+sparc-fix-parport-build-warnings.patch
+ceph-fix-dentry-leak-in-ceph_readdir_prepopulate.patch
+rtc-s35390a-change-buf-s-type-to-u8-in-s35390a_init.patch
+f2fs-fix-to-spread-clear_cold_data.patch
+misdn-fix-type-of-switch-control-variable-in-ctrl_te.patch
+qlcnic-fix-a-return-in-qlcnic_dcb_get_capability.patch
+net-ethernet-ti-cpsw-unsync-mcast-entries-while-swit.patch
+mfd-arizona-correct-calling-of-runtime_put_sync.patch
+mfd-mc13xxx-core-fix-pmic-shutdown-when-reading-adc-.patch
+mfd-max8997-enale-irq-wakeup-unconditionally.patch
+selftests-ftrace-fix-to-test-kprobe-comm-arg-only-if.patch
+thermal-rcar_thermal-prevent-hardware-access-during-.patch
+powerpc-process-fix-flush_all_to_thread-for-spe.patch
+sparc64-rework-xchg-definition-to-avoid-warnings.patch
+fs-ocfs2-dlm-dlmdebug.c-fix-a-sleep-in-atomic-contex.patch
+mm-page-writeback.c-fix-range_cyclic-writeback-vs-wr.patch
+macsec-update-operstate-when-lower-device-changes.patch
+macsec-let-the-administrator-set-up-state-even-if-lo.patch
+um-make-line-tty-semantics-use-true-write-irq.patch
+linux-bitmap.h-handle-constant-zero-size-bitmaps-cor.patch
+linux-bitmap.h-fix-type-of-nbits-in-bitmap_shift_rig.patch
+hfsplus-fix-bug-on-bnode-parent-update.patch
+hfs-fix-bug-on-bnode-parent-update.patch
+hfsplus-prevent-btree-data-loss-on-enospc.patch
+hfs-prevent-btree-data-loss-on-enospc.patch
+hfsplus-fix-return-value-of-hfsplus_get_block.patch
+hfs-fix-return-value-of-hfs_get_block.patch
+hfsplus-update-timestamps-on-truncate.patch
+hfs-update-timestamp-on-truncate.patch
+fs-hfs-extent.c-fix-array-out-of-bounds-read-of-arra.patch
+mm-memory_hotplug-make-add_memory-take-the-device_ho.patch
+igb-shorten-maximum-phc-timecounter-update-interval.patch
+ntb_netdev-fix-sleep-time-mismatch.patch
+ntb-intel-fix-return-value-for-ndev_vec_mask.patch
+arm64-makefile-fix-build-of-.i-file-in-external-modu.patch
+ocfs2-don-t-put-and-assigning-null-to-bh-allocated-o.patch
+ocfs2-fix-clusters-leak-in-ocfs2_defrag_extent.patch
+net-do-not-abort-bulk-send-on-bql-status.patch
+sched-fair-don-t-increase-sd-balance_interval-on-new.patch
+audit-print-empty-execve-args.patch
+wlcore-fix-the-return-value-in-case-of-error-in-wlco.patch
+rtl8xxxu-fix-missing-break-in-switch.patch
+brcmsmac-never-log-tid-x-is-not-agg-able-by-default.patch
+wireless-airo-potential-buffer-overflow-in-sprintf.patch
+rtlwifi-rtl8192de-fix-misleading-reg_mcufwdl-informa.patch
+scsi-mpt3sas-fix-sync-cache-command-failure-during-d.patch
+scsi-mpt3sas-fix-driver-modifying-persistent-data-in.patch
+scsi-megaraid_sas-fix-msleep-granularity.patch
+scsi-lpfc-fcoe-fix-link-down-issue-after-1000-link-b.patch
+dlm-fix-invalid-free.patch
+dlm-don-t-leak-kernel-pointer-to-userspace.patch
+acpica-use-d-for-signed-int-print-formatting-instead.patch
+net-bcmgenet-return-correct-value-ret-from-bcmgenet_.patch
+sock-reset-dst-when-changing-sk_mark-via-setsockopt.patch
+pinctrl-qcom-spmi-gpio-fix-gpio-hog-related-boot-iss.patch
+pinctrl-lpc18xx-use-define-directive-for-pin_config_.patch
+pinctrl-zynq-use-define-directive-for-pin_config_io_.patch
+pci-keystone-use-quirk-to-limit-mrrs-for-k2g.patch
+spi-omap2-mcspi-fix-dma-and-fifo-event-trigger-size-.patch
+mm-memory_hotplug-do-not-unlock-when-fails-to-take-t.patch
--- /dev/null
+From 94b9ee1b9fac02ce9920644686f28830a177e9b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Nov 2018 08:13:35 -0600
+Subject: sock: Reset dst when changing sk_mark via setsockopt
+
+From: David Barmann <david.barmann@stackpath.com>
+
+[ Upstream commit 50254256f382c56bde87d970f3d0d02fdb76ec70 ]
+
+When setting the SO_MARK socket option, if the mark changes, the dst
+needs to be reset so that a new route lookup is performed.
+
+This fixes the case where an application wants to change routing by
+setting a new sk_mark. If this is done after some packets have already
+been sent, the dst is cached and has no effect.
+
+Signed-off-by: David Barmann <david.barmann@stackpath.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index d224933514074..9178c16543758 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -945,10 +945,12 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
+ clear_bit(SOCK_PASSSEC, &sock->flags);
+ break;
+ case SO_MARK:
+- if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
++ if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
+ ret = -EPERM;
+- else
++ } else if (val != sk->sk_mark) {
+ sk->sk_mark = val;
++ sk_dst_reset(sk);
++ }
+ break;
+
+ case SO_RXQ_OVFL:
+--
+2.20.1
+
--- /dev/null
+From 4ce88b409b277387707dfefc235513f07497fd6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Oct 2018 10:52:52 -0700
+Subject: sparc: Fix parport build warnings.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David S. Miller <davem@davemloft.net>
+
+[ Upstream commit 46b8306480fb424abd525acc1763da1c63a27d8a ]
+
+If PARPORT_PC_FIFO is not enabled, do not provide the dma lock
+macros and lock definition. Otherwise:
+
+./arch/sparc/include/asm/parport.h:24:24: warning: ‘dma_spin_lock’ defined but not used [-Wunused-variable]
+ static DEFINE_SPINLOCK(dma_spin_lock);
+ ^~~~~~~~~~~~~
+./include/linux/spinlock_types.h:81:39: note: in definition of macro ‘DEFINE_SPINLOCK’
+ #define DEFINE_SPINLOCK(x) spinlock_t x = __SPIN_LOCK_UNLOCKED(x)
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sparc/include/asm/parport.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/sparc/include/asm/parport.h b/arch/sparc/include/asm/parport.h
+index f005ccac91cc9..e87c0f81b700e 100644
+--- a/arch/sparc/include/asm/parport.h
++++ b/arch/sparc/include/asm/parport.h
+@@ -20,6 +20,7 @@
+ */
+ #define HAS_DMA
+
++#ifdef CONFIG_PARPORT_PC_FIFO
+ static DEFINE_SPINLOCK(dma_spin_lock);
+
+ #define claim_dma_lock() \
+@@ -30,6 +31,7 @@ static DEFINE_SPINLOCK(dma_spin_lock);
+
+ #define release_dma_lock(__flags) \
+ spin_unlock_irqrestore(&dma_spin_lock, __flags);
++#endif
+
+ static struct sparc_ebus_info {
+ struct ebus_dma_info info;
+--
+2.20.1
+
--- /dev/null
+From c51d2e8298f7d498593ac83158bfbe77762e3a23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Oct 2018 15:39:49 -0700
+Subject: sparc64: Rework xchg() definition to avoid warnings.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David S. Miller <davem@davemloft.net>
+
+[ Upstream commit 6c2fc9cddc1ffdef8ada1dc8404e5affae849953 ]
+
+Such as:
+
+fs/ocfs2/file.c: In function ‘ocfs2_file_write_iter’:
+./arch/sparc/include/asm/cmpxchg_64.h:55:22: warning: value computed is not used [-Wunused-value]
+ #define xchg(ptr,x) ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr))))
+
+and
+
+drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c: In function ‘ixgbevf_xdp_setup’:
+./arch/sparc/include/asm/cmpxchg_64.h:55:22: warning: value computed is not used [-Wunused-value]
+ #define xchg(ptr,x) ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr))))
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sparc/include/asm/cmpxchg_64.h | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/sparc/include/asm/cmpxchg_64.h b/arch/sparc/include/asm/cmpxchg_64.h
+index faa2f61058c27..92f0a46ace78e 100644
+--- a/arch/sparc/include/asm/cmpxchg_64.h
++++ b/arch/sparc/include/asm/cmpxchg_64.h
+@@ -40,7 +40,12 @@ static inline unsigned long xchg64(__volatile__ unsigned long *m, unsigned long
+ return val;
+ }
+
+-#define xchg(ptr,x) ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr))))
++#define xchg(ptr,x) \
++({ __typeof__(*(ptr)) __ret; \
++ __ret = (__typeof__(*(ptr))) \
++ __xchg((unsigned long)(x), (ptr), sizeof(*(ptr))); \
++ __ret; \
++})
+
+ void __xchg_called_with_bad_pointer(void);
+
+--
+2.20.1
+
--- /dev/null
+From 44a4d7a0e3edd60e2ee5264b6fced58a6e8198c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jan 2019 12:28:32 +0530
+Subject: spi: omap2-mcspi: Fix DMA and FIFO event trigger size mismatch
+
+From: Vignesh R <vigneshr@ti.com>
+
+[ Upstream commit baf8b9f8d260c55a86405f70a384c29cda888476 ]
+
+Commit b682cffa3ac6 ("spi: omap2-mcspi: Set FIFO DMA trigger level to word length")
+broke SPI transfers where bits_per_word != 8. This is because of
+mimsatch between McSPI FIFO level event trigger size (SPI word length) and
+DMA request size(word length * maxburst). This leads to data
+corruption, lockup and errors like:
+
+ spi1.0: EOW timed out
+
+Fix this by setting DMA maxburst size to 1 so that
+McSPI FIFO level event trigger size matches DMA request size.
+
+Fixes: b682cffa3ac6 ("spi: omap2-mcspi: Set FIFO DMA trigger level to word length")
+Cc: stable@vger.kernel.org
+Reported-by: David Lechner <david@lechnology.com>
+Tested-by: David Lechner <david@lechnology.com>
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-omap2-mcspi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-omap2-mcspi.c b/drivers/spi/spi-omap2-mcspi.c
+index bc136fe3a2829..ccb6f98550da4 100644
+--- a/drivers/spi/spi-omap2-mcspi.c
++++ b/drivers/spi/spi-omap2-mcspi.c
+@@ -625,8 +625,8 @@ omap2_mcspi_txrx_dma(struct spi_device *spi, struct spi_transfer *xfer)
+ cfg.dst_addr = cs->phys + OMAP2_MCSPI_TX0;
+ cfg.src_addr_width = width;
+ cfg.dst_addr_width = width;
+- cfg.src_maxburst = es;
+- cfg.dst_maxburst = es;
++ cfg.src_maxburst = 1;
++ cfg.dst_maxburst = 1;
+
+ rx = xfer->rx_buf;
+ tx = xfer->tx_buf;
+--
+2.20.1
+
--- /dev/null
+From 238ccabf43d2c13a5c373aa07773b980c7b61e88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Oct 2018 12:08:28 +0530
+Subject: spi: omap2-mcspi: Set FIFO DMA trigger level to word length
+
+From: Vignesh R <vigneshr@ti.com>
+
+[ Upstream commit b682cffa3ac6d9d9e16e9b413c45caee3b391fab ]
+
+McSPI has 32 byte FIFO in Transmit-Receive mode. Current code tries to
+configuration FIFO watermark level for DMA trigger to be GCD of transfer
+length and max FIFO size which would mean trigger level may be set to 32
+for transmit-receive mode if length is aligned. This does not work in
+case of SPI slave mode where FIFO always needs to have data ready
+whenever master starts the clock. With DMA trigger size of 32 there will
+be a small window during slave TX where DMA is still putting data into
+FIFO but master would have started clock for next byte, resulting in
+shifting out of stale data. Similarly, on Slave RX side there may be RX
+FIFO overflow
+Fix this by setting FIFO watermark for DMA trigger to word
+length. This means DMA is triggered as soon as FIFO has space for word
+length bytes and DMA would make sure FIFO is almost always full
+therefore improving FIFO occupancy in both master and slave mode.
+
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-omap2-mcspi.c | 26 +++++++-------------------
+ 1 file changed, 7 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/spi/spi-omap2-mcspi.c b/drivers/spi/spi-omap2-mcspi.c
+index a47cf638460a6..bc136fe3a2829 100644
+--- a/drivers/spi/spi-omap2-mcspi.c
++++ b/drivers/spi/spi-omap2-mcspi.c
+@@ -298,7 +298,7 @@ static void omap2_mcspi_set_fifo(const struct spi_device *spi,
+ struct omap2_mcspi_cs *cs = spi->controller_state;
+ struct omap2_mcspi *mcspi;
+ unsigned int wcnt;
+- int max_fifo_depth, fifo_depth, bytes_per_word;
++ int max_fifo_depth, bytes_per_word;
+ u32 chconf, xferlevel;
+
+ mcspi = spi_master_get_devdata(master);
+@@ -314,10 +314,6 @@ static void omap2_mcspi_set_fifo(const struct spi_device *spi,
+ else
+ max_fifo_depth = OMAP2_MCSPI_MAX_FIFODEPTH;
+
+- fifo_depth = gcd(t->len, max_fifo_depth);
+- if (fifo_depth < 2 || fifo_depth % bytes_per_word != 0)
+- goto disable_fifo;
+-
+ wcnt = t->len / bytes_per_word;
+ if (wcnt > OMAP2_MCSPI_MAX_FIFOWCNT)
+ goto disable_fifo;
+@@ -325,16 +321,17 @@ static void omap2_mcspi_set_fifo(const struct spi_device *spi,
+ xferlevel = wcnt << 16;
+ if (t->rx_buf != NULL) {
+ chconf |= OMAP2_MCSPI_CHCONF_FFER;
+- xferlevel |= (fifo_depth - 1) << 8;
++ xferlevel |= (bytes_per_word - 1) << 8;
+ }
++
+ if (t->tx_buf != NULL) {
+ chconf |= OMAP2_MCSPI_CHCONF_FFET;
+- xferlevel |= fifo_depth - 1;
++ xferlevel |= bytes_per_word - 1;
+ }
+
+ mcspi_write_reg(master, OMAP2_MCSPI_XFERLEVEL, xferlevel);
+ mcspi_write_chconf0(spi, chconf);
+- mcspi->fifo_depth = fifo_depth;
++ mcspi->fifo_depth = max_fifo_depth;
+
+ return;
+ }
+@@ -601,7 +598,6 @@ omap2_mcspi_txrx_dma(struct spi_device *spi, struct spi_transfer *xfer)
+ struct dma_slave_config cfg;
+ enum dma_slave_buswidth width;
+ unsigned es;
+- u32 burst;
+ void __iomem *chstat_reg;
+ void __iomem *irqstat_reg;
+ int wait_res;
+@@ -623,22 +619,14 @@ omap2_mcspi_txrx_dma(struct spi_device *spi, struct spi_transfer *xfer)
+ }
+
+ count = xfer->len;
+- burst = 1;
+-
+- if (mcspi->fifo_depth > 0) {
+- if (count > mcspi->fifo_depth)
+- burst = mcspi->fifo_depth / es;
+- else
+- burst = count / es;
+- }
+
+ memset(&cfg, 0, sizeof(cfg));
+ cfg.src_addr = cs->phys + OMAP2_MCSPI_RX0;
+ cfg.dst_addr = cs->phys + OMAP2_MCSPI_TX0;
+ cfg.src_addr_width = width;
+ cfg.dst_addr_width = width;
+- cfg.src_maxburst = burst;
+- cfg.dst_maxburst = burst;
++ cfg.src_maxburst = es;
++ cfg.dst_maxburst = es;
+
+ rx = xfer->rx_buf;
+ tx = xfer->tx_buf;
+--
+2.20.1
+
--- /dev/null
+From fa0cfee1080bd4b1885a2c4c97df505fb43523aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Oct 2018 22:48:22 +0300
+Subject: spi: sh-msiof: fix deferred probing
+
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+
+[ Upstream commit f34c6e6257aa477cdfe7e9bbbecd3c5648ecda69 ]
+
+Since commit 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
+platform_get_irq() can return -EPROBE_DEFER. However, the driver overrides
+an error returned by that function with -ENOENT which breaks the deferred
+probing. Propagate upstream an error code returned by platform_get_irq()
+and remove the bogus "platform" from the error message, while at it...
+
+Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-sh-msiof.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-sh-msiof.c b/drivers/spi/spi-sh-msiof.c
+index 711ea523b3251..8a69148a962a8 100644
+--- a/drivers/spi/spi-sh-msiof.c
++++ b/drivers/spi/spi-sh-msiof.c
+@@ -1198,8 +1198,8 @@ static int sh_msiof_spi_probe(struct platform_device *pdev)
+
+ i = platform_get_irq(pdev, 0);
+ if (i < 0) {
+- dev_err(&pdev->dev, "cannot get platform IRQ\n");
+- ret = -ENOENT;
++ dev_err(&pdev->dev, "cannot get IRQ\n");
++ ret = i;
+ goto err1;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 9d44217f88f37016090552b4f1f56c9ee1bb0b60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Oct 2018 17:03:56 -0400
+Subject: SUNRPC: Fix a compile warning for cmpxchg64()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit e732f4485a150492b286f3efc06f9b34dd6b9995 ]
+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/auth_gss/gss_krb5_seal.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/auth_gss/gss_krb5_seal.c
+index 1d74d653e6c05..ad0dcb69395d7 100644
+--- a/net/sunrpc/auth_gss/gss_krb5_seal.c
++++ b/net/sunrpc/auth_gss/gss_krb5_seal.c
+@@ -63,6 +63,7 @@
+ #include <linux/sunrpc/gss_krb5.h>
+ #include <linux/random.h>
+ #include <linux/crypto.h>
++#include <linux/atomic.h>
+
+ #if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
+ # define RPCDBG_FACILITY RPCDBG_AUTH
+--
+2.20.1
+
--- /dev/null
+From c93872757b46befffe8d673d6dc36eb99b2e180e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Oct 2018 15:27:02 -0400
+Subject: sunrpc: safely reallow resvport min/max inversion
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+[ Upstream commit 826799e66e8683e5698e140bb9ef69afc8c0014e ]
+
+Commits ffb6ca33b04b and e08ea3a96fc7 prevent setting xprt_min_resvport
+greater than xprt_max_resvport, but may also break simple code that sets
+one parameter then the other, if the new range does not overlap the old.
+
+Also it looks racy to me, unless there's some serialization I'm not
+seeing. Granted it would probably require malicious privileged processes
+(unless there's a chance these might eventually be settable in unprivileged
+containers), but still it seems better not to let userspace panic the
+kernel.
+
+Simpler seems to be to allow setting the parameters to whatever you want
+but interpret xprt_min_resvport > xprt_max_resvport as the empty range.
+
+Fixes: ffb6ca33b04b "sunrpc: Prevent resvport min/max inversion..."
+Fixes: e08ea3a96fc7 "sunrpc: Prevent rexvport min/max inversion..."
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/xprtsock.c | 34 ++++++++++++++++++----------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
+index 280fb31787084..f3f05148922a1 100644
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -124,7 +124,7 @@ static struct ctl_table xs_tunables_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = &xprt_min_resvport_limit,
+- .extra2 = &xprt_max_resvport
++ .extra2 = &xprt_max_resvport_limit
+ },
+ {
+ .procname = "max_resvport",
+@@ -132,7 +132,7 @@ static struct ctl_table xs_tunables_table[] = {
+ .maxlen = sizeof(unsigned int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+- .extra1 = &xprt_min_resvport,
++ .extra1 = &xprt_min_resvport_limit,
+ .extra2 = &xprt_max_resvport_limit
+ },
+ {
+@@ -1737,11 +1737,17 @@ static void xs_udp_timer(struct rpc_xprt *xprt, struct rpc_task *task)
+ xprt_adjust_cwnd(xprt, task, -ETIMEDOUT);
+ }
+
+-static unsigned short xs_get_random_port(void)
++static int xs_get_random_port(void)
+ {
+- unsigned short range = xprt_max_resvport - xprt_min_resvport + 1;
+- unsigned short rand = (unsigned short) prandom_u32() % range;
+- return rand + xprt_min_resvport;
++ unsigned short min = xprt_min_resvport, max = xprt_max_resvport;
++ unsigned short range;
++ unsigned short rand;
++
++ if (max < min)
++ return -EADDRINUSE;
++ range = max - min + 1;
++ rand = (unsigned short) prandom_u32() % range;
++ return rand + min;
+ }
+
+ /**
+@@ -1798,9 +1804,9 @@ static void xs_set_srcport(struct sock_xprt *transport, struct socket *sock)
+ transport->srcport = xs_sock_getport(sock);
+ }
+
+-static unsigned short xs_get_srcport(struct sock_xprt *transport)
++static int xs_get_srcport(struct sock_xprt *transport)
+ {
+- unsigned short port = transport->srcport;
++ int port = transport->srcport;
+
+ if (port == 0 && transport->xprt.resvport)
+ port = xs_get_random_port();
+@@ -1821,7 +1827,7 @@ static int xs_bind(struct sock_xprt *transport, struct socket *sock)
+ {
+ struct sockaddr_storage myaddr;
+ int err, nloop = 0;
+- unsigned short port = xs_get_srcport(transport);
++ int port = xs_get_srcport(transport);
+ unsigned short last;
+
+ /*
+@@ -1839,8 +1845,8 @@ static int xs_bind(struct sock_xprt *transport, struct socket *sock)
+ * transport->xprt.resvport == 1) xs_get_srcport above will
+ * ensure that port is non-zero and we will bind as needed.
+ */
+- if (port == 0)
+- return 0;
++ if (port <= 0)
++ return port;
+
+ memcpy(&myaddr, &transport->srcaddr, transport->xprt.addrlen);
+ do {
+@@ -3223,12 +3229,8 @@ static int param_set_uint_minmax(const char *val,
+
+ static int param_set_portnr(const char *val, const struct kernel_param *kp)
+ {
+- if (kp->arg == &xprt_min_resvport)
+- return param_set_uint_minmax(val, kp,
+- RPC_MIN_RESVPORT,
+- xprt_max_resvport);
+ return param_set_uint_minmax(val, kp,
+- xprt_min_resvport,
++ RPC_MIN_RESVPORT,
+ RPC_MAX_RESVPORT);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 5c4857d3cb127f036a2ce4d7852d20407f3edba5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Sep 2018 20:57:18 -0400
+Subject: synclink_gt(): fix compat_ioctl()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 27230e51349fde075598c1b59d15e1ff802f3f6e ]
+
+compat_ptr() for pointer-taking ones...
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/synclink_gt.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c
+index 7aca2d4670e4a..e645ee1cfd989 100644
+--- a/drivers/tty/synclink_gt.c
++++ b/drivers/tty/synclink_gt.c
+@@ -1187,14 +1187,13 @@ static long slgt_compat_ioctl(struct tty_struct *tty,
+ unsigned int cmd, unsigned long arg)
+ {
+ struct slgt_info *info = tty->driver_data;
+- int rc = -ENOIOCTLCMD;
++ int rc;
+
+ if (sanity_check(info, tty->name, "compat_ioctl"))
+ return -ENODEV;
+ DBGINFO(("%s compat_ioctl() cmd=%08X\n", info->device_name, cmd));
+
+ switch (cmd) {
+-
+ case MGSL_IOCSPARAMS32:
+ rc = set_params32(info, compat_ptr(arg));
+ break;
+@@ -1214,18 +1213,11 @@ static long slgt_compat_ioctl(struct tty_struct *tty,
+ case MGSL_IOCWAITGPIO:
+ case MGSL_IOCGXSYNC:
+ case MGSL_IOCGXCTRL:
+- case MGSL_IOCSTXIDLE:
+- case MGSL_IOCTXENABLE:
+- case MGSL_IOCRXENABLE:
+- case MGSL_IOCTXABORT:
+- case TIOCMIWAIT:
+- case MGSL_IOCSIF:
+- case MGSL_IOCSXSYNC:
+- case MGSL_IOCSXCTRL:
+- rc = ioctl(tty, cmd, arg);
++ rc = ioctl(tty, cmd, (unsigned long)compat_ptr(arg));
+ break;
++ default:
++ rc = ioctl(tty, cmd, arg);
+ }
+-
+ DBGINFO(("%s compat_ioctl() cmd=%08X rc=%d\n", info->device_name, cmd, rc));
+ return rc;
+ }
+--
+2.20.1
+
--- /dev/null
+From 31f331cbbd981dac15f1084cde4a8db218c571bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Oct 2018 09:20:15 +0200
+Subject: thermal: rcar_thermal: Prevent hardware access during system suspend
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 3a31386217628ffe2491695be2db933c25dde785 ]
+
+On r8a7791/koelsch, sometimes the following message is printed during
+system suspend:
+
+ rcar_thermal e61f0000.thermal: thermal sensor was broken
+
+This happens if the workqueue runs while the device is already
+suspended. Fix this by using the freezable system workqueue instead,
+cfr. commit 51e20d0e3a60cf46 ("thermal: Prevent polling from happening
+during system suspend").
+
+Fixes: e0a5172e9eec7f0d ("thermal: rcar: add interrupt support")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/rcar_thermal.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/thermal/rcar_thermal.c b/drivers/thermal/rcar_thermal.c
+index 73e5fee6cf1d5..83126e2dce36d 100644
+--- a/drivers/thermal/rcar_thermal.c
++++ b/drivers/thermal/rcar_thermal.c
+@@ -401,8 +401,8 @@ static irqreturn_t rcar_thermal_irq(int irq, void *data)
+ rcar_thermal_for_each_priv(priv, common) {
+ if (rcar_thermal_had_changed(priv, status)) {
+ rcar_thermal_irq_disable(priv);
+- schedule_delayed_work(&priv->work,
+- msecs_to_jiffies(300));
++ queue_delayed_work(system_freezable_wq, &priv->work,
++ msecs_to_jiffies(300));
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 0b463edf28f52af6cb1409275fa3155d3b8ee1e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Sep 2018 08:47:13 +0100
+Subject: um: Make line/tty semantics use true write IRQ
+
+From: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+
+[ Upstream commit 917e2fd2c53eb3c4162f5397555cbd394390d4bc ]
+
+This fixes a long standing bug where large amounts of output
+could freeze the tty (most commonly seen on stdio console).
+While the bug has always been there it became more pronounced
+after moving to the new interrupt controller.
+
+The line semantics are now changed to have true IRQ write
+semantics which should further improve the tty/line subsystem
+stability and performance
+
+Signed-off-by: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/drivers/line.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/um/drivers/line.c b/arch/um/drivers/line.c
+index 62087028a9ce1..d2ad45c101137 100644
+--- a/arch/um/drivers/line.c
++++ b/arch/um/drivers/line.c
+@@ -260,7 +260,7 @@ static irqreturn_t line_write_interrupt(int irq, void *data)
+ if (err == 0) {
+ spin_unlock(&line->lock);
+ return IRQ_NONE;
+- } else if (err < 0) {
++ } else if ((err < 0) && (err != -EAGAIN)) {
+ line->head = line->buffer;
+ line->tail = line->buffer;
+ }
+--
+2.20.1
+
--- /dev/null
+From 3eb6dcfa8887c82cabafb0142ac38a0e7ff32f3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 14:20:08 +0200
+Subject: USB: misc: appledisplay: fix backlight update_status return code
+
+From: Mattias Jacobsson <2pi@mok.nu>
+
+[ Upstream commit 090158555ff8d194a98616034100b16697dd80d0 ]
+
+Upon success the update_status handler returns a positive number
+corresponding to the number of bytes transferred by usb_control_msg.
+However the return code of the update_status handler should indicate if
+an error occurred(negative) or how many bytes of the user's input to sysfs
+that was consumed. Return code zero indicates all bytes were consumed.
+
+The bug can for example result in the update_status handler being called
+twice, the second time with only the "unconsumed" part of the user's input
+to sysfs. Effectively setting an incorrect brightness.
+
+Change the update_status handler to return zero for all successful
+transactions and forward usb_control_msg's error code upon failure.
+
+Signed-off-by: Mattias Jacobsson <2pi@mok.nu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/misc/appledisplay.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c
+index b8092bcf89a29..140af7754c1e6 100644
+--- a/drivers/usb/misc/appledisplay.c
++++ b/drivers/usb/misc/appledisplay.c
+@@ -160,8 +160,11 @@ static int appledisplay_bl_update_status(struct backlight_device *bd)
+ pdata->msgdata, 2,
+ ACD_USB_TIMEOUT);
+ mutex_unlock(&pdata->sysfslock);
+-
+- return retval;
++
++ if (retval < 0)
++ return retval;
++ else
++ return 0;
+ }
+
+ static int appledisplay_bl_get_brightness(struct backlight_device *bd)
+--
+2.20.1
+
--- /dev/null
+From faf287416ee584650a2e4556828560872ee1e581 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 19:03:43 +0100
+Subject: usbip: tools: fix atoi() on non-null terminated string
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit e325808c0051b16729ffd472ff887c6cae5c6317 ]
+
+Currently the call to atoi is being passed a single char string
+that is not null terminated, so there is a potential read overrun
+along the stack when parsing for an integer value. Fix this by
+instead using a 2 char string that is initialized to all zeros
+to ensure that a 1 char read into the string is always terminated
+with a \0.
+
+Detected by cppcheck:
+"Invalid atoi() argument nr 1. A nul-terminated string is required."
+
+Fixes: 3391ba0e2792 ("usbip: tools: Extract generic code to be shared with vudc backend")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/usb/usbip/libsrc/usbip_host_common.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tools/usb/usbip/libsrc/usbip_host_common.c b/tools/usb/usbip/libsrc/usbip_host_common.c
+index 6ff7b601f8545..f5ad219a324e8 100644
+--- a/tools/usb/usbip/libsrc/usbip_host_common.c
++++ b/tools/usb/usbip/libsrc/usbip_host_common.c
+@@ -43,7 +43,7 @@ static int32_t read_attr_usbip_status(struct usbip_usb_device *udev)
+ int size;
+ int fd;
+ int length;
+- char status;
++ char status[2] = { 0 };
+ int value = 0;
+
+ size = snprintf(status_attr_path, sizeof(status_attr_path),
+@@ -61,14 +61,14 @@ static int32_t read_attr_usbip_status(struct usbip_usb_device *udev)
+ return -1;
+ }
+
+- length = read(fd, &status, 1);
++ length = read(fd, status, 1);
+ if (length < 0) {
+ err("error reading attribute %s", status_attr_path);
+ close(fd);
+ return -1;
+ }
+
+- value = atoi(&status);
++ value = atoi(status);
+
+ return value;
+ }
+--
+2.20.1
+
--- /dev/null
+From dbb6e66cc1dd6daa8b94999cccf516876dbfa50d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Oct 2018 11:33:34 +0300
+Subject: wireless: airo: potential buffer overflow in sprintf()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 3d39e1bb1c88f32820c5f9271f2c8c2fb9a52bac ]
+
+It looks like we wanted to print a maximum of BSSList_rid.ssidLen bytes
+of the ssid, but we accidentally use "%*s" (width) instead of "%.*s"
+(precision) so if the ssid doesn't have a NUL terminator this could lead
+to an overflow.
+
+Static analysis. Not tested.
+
+Fixes: e174961ca1a0 ("net: convert print_mac to %pM")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/cisco/airo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c
+index 69b826d229c5b..04939e576ee02 100644
+--- a/drivers/net/wireless/cisco/airo.c
++++ b/drivers/net/wireless/cisco/airo.c
+@@ -5472,7 +5472,7 @@ static int proc_BSSList_open( struct inode *inode, struct file *file ) {
+ we have to add a spin lock... */
+ rc = readBSSListRid(ai, doLoseSync, &BSSList_rid);
+ while(rc == 0 && BSSList_rid.index != cpu_to_le16(0xffff)) {
+- ptr += sprintf(ptr, "%pM %*s rssi = %d",
++ ptr += sprintf(ptr, "%pM %.*s rssi = %d",
+ BSSList_rid.bssid,
+ (int)BSSList_rid.ssidLen,
+ BSSList_rid.ssid,
+--
+2.20.1
+
--- /dev/null
+From 3e1a3979e34657fedfa19644c7b3dcd52b574751 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 09:39:40 +0200
+Subject: wlcore: Fix the return value in case of error in
+ 'wlcore_vendor_cmd_smart_config_start()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 3419348a97bcc256238101129d69b600ceb5cc70 ]
+
+We return 0 unconditionally at the end of
+'wlcore_vendor_cmd_smart_config_start()'.
+However, 'ret' is set to some error codes in several error handling paths
+and we already return some error codes at the beginning of the function.
+
+Return 'ret' instead to propagate the error code.
+
+Fixes: 80ff8063e87c ("wlcore: handle smart config vendor commands")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wlcore/vendor_cmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ti/wlcore/vendor_cmd.c b/drivers/net/wireless/ti/wlcore/vendor_cmd.c
+index fd4e9ba176c9b..332a3a5c1c900 100644
+--- a/drivers/net/wireless/ti/wlcore/vendor_cmd.c
++++ b/drivers/net/wireless/ti/wlcore/vendor_cmd.c
+@@ -66,7 +66,7 @@ wlcore_vendor_cmd_smart_config_start(struct wiphy *wiphy,
+ out:
+ mutex_unlock(&wl->mutex);
+
+- return 0;
++ return ret;
+ }
+
+ static int
+--
+2.20.1
+
--- /dev/null
+From 5627b1716e4cd9658bd61e306607ff7fc33126ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Oct 2018 17:21:29 +1100
+Subject: xfs: fix use-after-free race in xfs_buf_rele
+
+From: Dave Chinner <dchinner@redhat.com>
+
+[ Upstream commit 37fd1678245f7a5898c1b05128bc481fb403c290 ]
+
+When looking at a 4.18 based KASAN use after free report, I noticed
+that racing xfs_buf_rele() may race on dropping the last reference
+to the buffer and taking the buffer lock. This was the symptom
+displayed by the KASAN report, but the actual issue that was
+reported had already been fixed in 4.19-rc1 by commit e339dd8d8b04
+("xfs: use sync buffer I/O for sync delwri queue submission").
+
+Despite this, I think there is still an issue with xfs_buf_rele()
+in this code:
+
+ release = atomic_dec_and_lock(&bp->b_hold, &pag->pag_buf_lock);
+ spin_lock(&bp->b_lock);
+ if (!release) {
+.....
+
+If two threads race on the b_lock after both dropping a reference
+and one getting dropping the last reference so release = true, we
+end up with:
+
+CPU 0 CPU 1
+atomic_dec_and_lock()
+ atomic_dec_and_lock()
+ spin_lock(&bp->b_lock)
+spin_lock(&bp->b_lock)
+<spins>
+ <release = true bp->b_lru_ref = 0>
+ <remove from lists>
+ freebuf = true
+ spin_unlock(&bp->b_lock)
+ xfs_buf_free(bp)
+<gets lock, reading and writing freed memory>
+<accesses freed memory>
+spin_unlock(&bp->b_lock) <reads/writes freed memory>
+
+IOWs, we can't safely take bp->b_lock after dropping the hold
+reference because the buffer may go away at any time after we
+drop that reference. However, this can be fixed simply by taking the
+bp->b_lock before we drop the reference.
+
+It is safe to nest the pag_buf_lock inside bp->b_lock as the
+pag_buf_lock is only used to serialise against lookup in
+xfs_buf_find() and no other locks are held over or under the
+pag_buf_lock there. Make this clear by documenting the buffer lock
+orders at the top of the file.
+
+Signed-off-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com
+Signed-off-by: Dave Chinner <david@fromorbit.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_buf.c | 38 +++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 37 insertions(+), 1 deletion(-)
+
+diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
+index 651755353374d..0b58b9d419e84 100644
+--- a/fs/xfs/xfs_buf.c
++++ b/fs/xfs/xfs_buf.c
+@@ -57,6 +57,32 @@ static kmem_zone_t *xfs_buf_zone;
+ #define xb_to_gfp(flags) \
+ ((((flags) & XBF_READ_AHEAD) ? __GFP_NORETRY : GFP_NOFS) | __GFP_NOWARN)
+
++/*
++ * Locking orders
++ *
++ * xfs_buf_ioacct_inc:
++ * xfs_buf_ioacct_dec:
++ * b_sema (caller holds)
++ * b_lock
++ *
++ * xfs_buf_stale:
++ * b_sema (caller holds)
++ * b_lock
++ * lru_lock
++ *
++ * xfs_buf_rele:
++ * b_lock
++ * pag_buf_lock
++ * lru_lock
++ *
++ * xfs_buftarg_wait_rele
++ * lru_lock
++ * b_lock (trylock due to inversion)
++ *
++ * xfs_buftarg_isolate
++ * lru_lock
++ * b_lock (trylock due to inversion)
++ */
+
+ static inline int
+ xfs_buf_is_vmapped(
+@@ -957,8 +983,18 @@ xfs_buf_rele(
+
+ ASSERT(atomic_read(&bp->b_hold) > 0);
+
+- release = atomic_dec_and_lock(&bp->b_hold, &pag->pag_buf_lock);
++ /*
++ * We grab the b_lock here first to serialise racing xfs_buf_rele()
++ * calls. The pag_buf_lock being taken on the last reference only
++ * serialises against racing lookups in xfs_buf_find(). IOWs, the second
++ * to last reference we drop here is not serialised against the last
++ * reference until we take bp->b_lock. Hence if we don't grab b_lock
++ * first, the last "release" reference can win the race to the lock and
++ * free the buffer before the second-to-last reference is processed,
++ * leading to a use-after-free scenario.
++ */
+ spin_lock(&bp->b_lock);
++ release = atomic_dec_and_lock(&bp->b_hold, &pag->pag_buf_lock);
+ if (!release) {
+ /*
+ * Drop the in-flight state if the buffer is already on the LRU
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
