--- /dev/null
+From 6e1811900b6fe6f2b4665dba6bd6ed32c6b98575 Mon Sep 17 00:00:00 2001
+From: Jon Hunter <jonathanh@nvidia.com>
+Date: Tue, 3 Jul 2018 09:59:47 +0100
+Subject: ARM: tegra: Fix Tegra30 Cardhu PCA954x reset
+
+From: Jon Hunter <jonathanh@nvidia.com>
+
+commit 6e1811900b6fe6f2b4665dba6bd6ed32c6b98575 upstream.
+
+On all versions of Tegra30 Cardhu, the reset signal to the NXP PCA9546
+I2C mux is connected to the Tegra GPIO BB0. Currently, this pin on the
+Tegra is not configured as a GPIO but as a special-function IO (SFIO)
+that is multiplexing the pin to an I2S controller. On exiting system
+suspend, I2C commands sent to the PCA9546 are failing because there is
+no ACK. Although it is not possible to see exactly what is happening
+to the reset during suspend, by ensuring it is configured as a GPIO
+and driven high, to de-assert the reset, the failures are no longer
+seen.
+
+Please note that this GPIO is also used to drive the reset signal
+going to the camera connector on the board. However, given that there
+is no camera support currently for Cardhu, this should not have any
+impact.
+
+Fixes: 40431d16ff11 ("ARM: tegra: enable PCA9546 on Cardhu")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/tegra30-cardhu.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/boot/dts/tegra30-cardhu.dtsi
++++ b/arch/arm/boot/dts/tegra30-cardhu.dtsi
+@@ -206,6 +206,7 @@
+ #address-cells = <1>;
+ #size-cells = <0>;
+ reg = <0x70>;
++ reset-gpio = <&gpio TEGRA_GPIO(BB, 0) GPIO_ACTIVE_LOW>;
+ };
+ };
+
--- /dev/null
+From fc8ebd01deeb12728c83381f6ec923e4a192ffd3 Mon Sep 17 00:00:00 2001
+From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>
+Date: Wed, 15 Aug 2018 23:56:45 +0200
+Subject: block, bfq: return nbytes and not zero from struct cftype .write() method
+
+From: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+
+commit fc8ebd01deeb12728c83381f6ec923e4a192ffd3 upstream.
+
+The value that struct cftype .write() method returns is then directly
+returned to userspace as the value returned by write() syscall, so it
+should be the number of bytes actually written (or consumed) and not zero.
+
+Returning zero from write() syscall makes programs like /bin/echo or bash
+spin.
+
+Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+Fixes: e21b7a0b9887 ("block, bfq: add full hierarchical scheduling and cgroups support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/bfq-cgroup.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/block/bfq-cgroup.c
++++ b/block/bfq-cgroup.c
+@@ -887,7 +887,8 @@ static ssize_t bfq_io_set_weight(struct
+ if (ret)
+ return ret;
+
+- return bfq_io_set_weight_legacy(of_css(of), NULL, weight);
++ ret = bfq_io_set_weight_legacy(of_css(of), NULL, weight);
++ return ret ?: nbytes;
+ }
+
+ static int bfqg_print_stat(struct seq_file *sf, void *v)
--- /dev/null
+From 2a3eb51e30b9ac66fe1b75877627a7e4aaeca24a Mon Sep 17 00:00:00 2001
+From: Henry Willard <henry.willard@oracle.com>
+Date: Tue, 14 Aug 2018 17:01:02 -0700
+Subject: cpufreq: governor: Avoid accessing invalid governor_data
+
+From: Henry Willard <henry.willard@oracle.com>
+
+commit 2a3eb51e30b9ac66fe1b75877627a7e4aaeca24a upstream.
+
+If cppc_cpufreq.ko is deleted at the same time that tuned-adm is
+changing profiles, there is a small chance that a race can occur
+between cpufreq_dbs_governor_exit() and cpufreq_dbs_governor_limits()
+resulting in a system failure when the latter tries to use
+policy->governor_data that has been freed by the former.
+
+This patch uses gov_dbs_data_mutex to synchronize access.
+
+Fixes: e788892ba3cc (cpufreq: governor: Get rid of governor events)
+Signed-off-by: Henry Willard <henry.willard@oracle.com>
+[ rjw: Subject, minor white space adjustment ]
+Cc: 4.8+ <stable@vger.kernel.org> # 4.8+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/cpufreq_governor.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/cpufreq/cpufreq_governor.c
++++ b/drivers/cpufreq/cpufreq_governor.c
+@@ -555,12 +555,20 @@ EXPORT_SYMBOL_GPL(cpufreq_dbs_governor_s
+
+ void cpufreq_dbs_governor_limits(struct cpufreq_policy *policy)
+ {
+- struct policy_dbs_info *policy_dbs = policy->governor_data;
++ struct policy_dbs_info *policy_dbs;
++
++ /* Protect gov->gdbs_data against cpufreq_dbs_governor_exit() */
++ mutex_lock(&gov_dbs_data_mutex);
++ policy_dbs = policy->governor_data;
++ if (!policy_dbs)
++ goto out;
+
+ mutex_lock(&policy_dbs->update_mutex);
+ cpufreq_policy_apply_limits(policy);
+ gov_update_sample_delay(policy_dbs, 0);
+-
+ mutex_unlock(&policy_dbs->update_mutex);
++
++out:
++ mutex_unlock(&gov_dbs_data_mutex);
+ }
+ EXPORT_SYMBOL_GPL(cpufreq_dbs_governor_limits);
--- /dev/null
+From c8bd134a4bddafe5917d163eea73873932c15e83 Mon Sep 17 00:00:00 2001
+From: Peter Kalauskas <peskal@google.com>
+Date: Tue, 21 Aug 2018 21:54:02 -0700
+Subject: drivers/block/zram/zram_drv.c: fix bug storing backing_dev
+
+From: Peter Kalauskas <peskal@google.com>
+
+commit c8bd134a4bddafe5917d163eea73873932c15e83 upstream.
+
+The call to strlcpy in backing_dev_store is incorrect. It should take
+the size of the destination buffer instead of the size of the source
+buffer. Additionally, ignore the newline character (\n) when reading
+the new file_name buffer. This makes it possible to set the backing_dev
+as follows:
+
+ echo /dev/sdX > /sys/block/zram0/backing_dev
+
+The reason it worked before was the fact that strlcpy() copies 'len - 1'
+bytes, which is strlen(buf) - 1 in our case, so it accidentally didn't
+copy the trailing new line symbol. Which also means that "echo -n
+/dev/sdX" most likely was broken.
+
+Signed-off-by: Peter Kalauskas <peskal@google.com>
+Link: http://lkml.kernel.org/r/20180813061623.GC64836@rodete-desktop-imager.corp.google.com
+Acked-by: Minchan Kim <minchan@kernel.org>
+Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Cc: <stable@vger.kernel.org> [4.14+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/zram/zram_drv.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/zram/zram_drv.c
++++ b/drivers/block/zram/zram_drv.c
+@@ -321,6 +321,7 @@ static ssize_t backing_dev_store(struct
+ struct device_attribute *attr, const char *buf, size_t len)
+ {
+ char *file_name;
++ size_t sz;
+ struct file *backing_dev = NULL;
+ struct inode *inode;
+ struct address_space *mapping;
+@@ -341,7 +342,11 @@ static ssize_t backing_dev_store(struct
+ goto out;
+ }
+
+- strlcpy(file_name, buf, len);
++ strlcpy(file_name, buf, PATH_MAX);
++ /* ignore trailing newline */
++ sz = strlen(file_name);
++ if (sz > 0 && file_name[sz - 1] == '\n')
++ file_name[sz - 1] = 0x00;
+
+ backing_dev = filp_open(file_name, O_RDWR|O_LARGEFILE, 0);
+ if (IS_ERR(backing_dev)) {
--- /dev/null
+From 8cfbdbdc24815417a3ab35101ccf706b9a23ff17 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Thu, 23 Aug 2018 10:08:58 +1000
+Subject: KVM: PPC: Book3S: Fix guest DMA when guest partially backed by THP pages
+
+From: Paul Mackerras <paulus@ozlabs.org>
+
+commit 8cfbdbdc24815417a3ab35101ccf706b9a23ff17 upstream.
+
+Commit 76fa4975f3ed ("KVM: PPC: Check if IOMMU page is contained in
+the pinned physical page", 2018-07-17) added some checks to ensure
+that guest DMA mappings don't attempt to map more than the guest is
+entitled to access. However, errors in the logic mean that legitimate
+guest requests to map pages for DMA are being denied in some
+situations. Specifically, if the first page of the range passed to
+mm_iommu_get() is mapped with a normal page, and subsequent pages are
+mapped with transparent huge pages, we end up with mem->pageshift ==
+0. That means that the page size checks in mm_iommu_ua_to_hpa() and
+mm_iommu_up_to_hpa_rm() will always fail for every page in that
+region, and thus the guest can never map any memory in that region for
+DMA, typically leading to a flood of error messages like this:
+
+ qemu-system-ppc64: VFIO_MAP_DMA: -22
+ qemu-system-ppc64: vfio_dma_map(0x10005f47780, 0x800000000000000, 0x10000, 0x7fff63ff0000) = -22 (Invalid argument)
+
+The logic errors in mm_iommu_get() are:
+
+ (a) use of 'ua' not 'ua + (i << PAGE_SHIFT)' in the find_linux_pte()
+ call (meaning that find_linux_pte() returns the pte for the
+ first address in the range, not the address we are currently up
+ to);
+ (b) use of 'pageshift' as the variable to receive the hugepage shift
+ returned by find_linux_pte() - for a normal page this gets set
+ to 0, leading to us setting mem->pageshift to 0 when we conclude
+ that the pte returned by find_linux_pte() didn't match the page
+ we were looking at;
+ (c) comparing 'compshift', which is a page order, i.e. log base 2 of
+ the number of pages, with 'pageshift', which is a log base 2 of
+ the number of bytes.
+
+To fix these problems, this patch introduces 'cur_ua' to hold the
+current user address and uses that in the find_linux_pte() call;
+introduces 'pteshift' to hold the hugepage shift found by
+find_linux_pte(); and compares 'pteshift' with 'compshift +
+PAGE_SHIFT' rather than 'compshift'.
+
+The patch also moves the local_irq_restore to the point after the PTE
+pointer returned by find_linux_pte() has been dereferenced because
+otherwise the PTE could change underneath us, and adds a check to
+avoid doing the find_linux_pte() call once mem->pageshift has been
+reduced to PAGE_SHIFT, as an optimization.
+
+Fixes: 76fa4975f3ed ("KVM: PPC: Check if IOMMU page is contained in the pinned physical page")
+Cc: stable@vger.kernel.org # v4.12+
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/mmu_context_iommu.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/arch/powerpc/mm/mmu_context_iommu.c
++++ b/arch/powerpc/mm/mmu_context_iommu.c
+@@ -130,6 +130,7 @@ long mm_iommu_get(struct mm_struct *mm,
+ long i, j, ret = 0, locked_entries = 0;
+ unsigned int pageshift;
+ unsigned long flags;
++ unsigned long cur_ua;
+ struct page *page = NULL;
+
+ mutex_lock(&mem_list_mutex);
+@@ -178,7 +179,8 @@ long mm_iommu_get(struct mm_struct *mm,
+ }
+
+ for (i = 0; i < entries; ++i) {
+- if (1 != get_user_pages_fast(ua + (i << PAGE_SHIFT),
++ cur_ua = ua + (i << PAGE_SHIFT);
++ if (1 != get_user_pages_fast(cur_ua,
+ 1/* pages */, 1/* iswrite */, &page)) {
+ ret = -EFAULT;
+ for (j = 0; j < i; ++j)
+@@ -197,7 +199,7 @@ long mm_iommu_get(struct mm_struct *mm,
+ if (is_migrate_cma_page(page)) {
+ if (mm_iommu_move_page_from_cma(page))
+ goto populate;
+- if (1 != get_user_pages_fast(ua + (i << PAGE_SHIFT),
++ if (1 != get_user_pages_fast(cur_ua,
+ 1/* pages */, 1/* iswrite */,
+ &page)) {
+ ret = -EFAULT;
+@@ -211,20 +213,21 @@ long mm_iommu_get(struct mm_struct *mm,
+ }
+ populate:
+ pageshift = PAGE_SHIFT;
+- if (PageCompound(page)) {
++ if (mem->pageshift > PAGE_SHIFT && PageCompound(page)) {
+ pte_t *pte;
+ struct page *head = compound_head(page);
+ unsigned int compshift = compound_order(head);
++ unsigned int pteshift;
+
+ local_irq_save(flags); /* disables as well */
+- pte = find_linux_pte(mm->pgd, ua, NULL, &pageshift);
+- local_irq_restore(flags);
++ pte = find_linux_pte(mm->pgd, cur_ua, NULL, &pteshift);
+
+ /* Double check it is still the same pinned page */
+ if (pte && pte_page(*pte) == head &&
+- pageshift == compshift)
+- pageshift = max_t(unsigned int, pageshift,
++ pteshift == compshift + PAGE_SHIFT)
++ pageshift = max_t(unsigned int, pteshift,
+ PAGE_SHIFT);
++ local_irq_restore(flags);
+ }
+ mem->pageshift = min(mem->pageshift, pageshift);
+ mem->hpas[i] = page_to_pfn(page) << PAGE_SHIFT;
--- /dev/null
+From 0027ff2a75f9dcf0537ac0a65c5840b0e21a4950 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 22 Aug 2018 16:43:39 +0200
+Subject: KVM: VMX: fixes for vmentry_l1d_flush module parameter
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 0027ff2a75f9dcf0537ac0a65c5840b0e21a4950 upstream.
+
+Two bug fixes:
+
+1) missing entries in the l1d_param array; this can cause a host crash
+if an access attempts to reach the missing entry. Future-proof the get
+function against any overflows as well. However, the two entries
+VMENTER_L1D_FLUSH_EPT_DISABLED and VMENTER_L1D_FLUSH_NOT_REQUIRED must
+not be accepted by the parse function, so disable them there.
+
+2) invalid values must be rejected even if the CPU does not have the
+bug, so test for them before checking boot_cpu_has(X86_BUG_L1TF)
+
+... and a small refactoring, since the .cmd field is redundant with
+the index in the array.
+
+Reported-by: Bandan Das <bsd@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: a7b9020b06ec6d7c3f3b0d4ef1a9eba12654f4f7
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -200,12 +200,14 @@ static enum vmx_l1d_flush_state __read_m
+
+ static const struct {
+ const char *option;
+- enum vmx_l1d_flush_state cmd;
++ bool for_parse;
+ } vmentry_l1d_param[] = {
+- {"auto", VMENTER_L1D_FLUSH_AUTO},
+- {"never", VMENTER_L1D_FLUSH_NEVER},
+- {"cond", VMENTER_L1D_FLUSH_COND},
+- {"always", VMENTER_L1D_FLUSH_ALWAYS},
++ [VMENTER_L1D_FLUSH_AUTO] = {"auto", true},
++ [VMENTER_L1D_FLUSH_NEVER] = {"never", true},
++ [VMENTER_L1D_FLUSH_COND] = {"cond", true},
++ [VMENTER_L1D_FLUSH_ALWAYS] = {"always", true},
++ [VMENTER_L1D_FLUSH_EPT_DISABLED] = {"EPT disabled", false},
++ [VMENTER_L1D_FLUSH_NOT_REQUIRED] = {"not required", false},
+ };
+
+ #define L1D_CACHE_ORDER 4
+@@ -289,8 +291,9 @@ static int vmentry_l1d_flush_parse(const
+
+ if (s) {
+ for (i = 0; i < ARRAY_SIZE(vmentry_l1d_param); i++) {
+- if (sysfs_streq(s, vmentry_l1d_param[i].option))
+- return vmentry_l1d_param[i].cmd;
++ if (vmentry_l1d_param[i].for_parse &&
++ sysfs_streq(s, vmentry_l1d_param[i].option))
++ return i;
+ }
+ }
+ return -EINVAL;
+@@ -300,13 +303,13 @@ static int vmentry_l1d_flush_set(const c
+ {
+ int l1tf, ret;
+
+- if (!boot_cpu_has(X86_BUG_L1TF))
+- return 0;
+-
+ l1tf = vmentry_l1d_flush_parse(s);
+ if (l1tf < 0)
+ return l1tf;
+
++ if (!boot_cpu_has(X86_BUG_L1TF))
++ return 0;
++
+ /*
+ * Has vmx_init() run already? If not then this is the pre init
+ * parameter parsing. In that case just store the value and let
+@@ -326,6 +329,9 @@ static int vmentry_l1d_flush_set(const c
+
+ static int vmentry_l1d_flush_get(char *s, const struct kernel_param *kp)
+ {
++ if (WARN_ON_ONCE(l1tf_vmx_mitigation >= ARRAY_SIZE(vmentry_l1d_param)))
++ return sprintf(s, "???\n");
++
+ return sprintf(s, "%s\n", vmentry_l1d_param[l1tf_vmx_mitigation].option);
+ }
+
--- /dev/null
+From 0f90be132cbf1537d87a6a8b9e80867adac892f6 Mon Sep 17 00:00:00 2001
+From: Bill Baker <Bill.Baker@Oracle.com>
+Date: Tue, 19 Jun 2018 16:24:58 -0500
+Subject: NFSv4 client live hangs after live data migration recovery
+
+From: Bill Baker <Bill.Baker@Oracle.com>
+
+commit 0f90be132cbf1537d87a6a8b9e80867adac892f6 upstream.
+
+After a live data migration event at the NFS server, the client may send
+I/O requests to the wrong server, causing a live hang due to repeated
+recovery events. On the wire, this will appear as an I/O request failing
+with NFS4ERR_BADSESSION, followed by successful CREATE_SESSION, repeatedly.
+NFS4ERR_BADSSESSION is returned because the session ID being used was
+issued by the other server and is not valid at the old server.
+
+The failure is caused by async worker threads having cached the transport
+(xprt) in the rpc_task structure. After the migration recovery completes,
+the task is redispatched and the task resends the request to the wrong
+server based on the old value still present in tk_xprt.
+
+The solution is to recompute the tk_xprt field of the rpc_task structure
+so that the request goes to the correct server.
+
+Signed-off-by: Bill Baker <bill.baker@oracle.com>
+Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
+Tested-by: Helen Chao <helen.chao@oracle.com>
+Fixes: fb43d17210ba ("SUNRPC: Use the multipath iterator to assign a ...")
+Cc: stable@vger.kernel.org # v4.9+
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c | 9 ++++++++-
+ include/linux/sunrpc/clnt.h | 1 +
+ net/sunrpc/clnt.c | 28 ++++++++++++++++++++--------
+ 3 files changed, 29 insertions(+), 9 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -547,8 +547,15 @@ nfs4_async_handle_exception(struct rpc_t
+ ret = -EIO;
+ return ret;
+ out_retry:
+- if (ret == 0)
++ if (ret == 0) {
+ exception->retry = 1;
++ /*
++ * For NFS4ERR_MOVED, the client transport will need to
++ * be recomputed after migration recovery has completed.
++ */
++ if (errorcode == -NFS4ERR_MOVED)
++ rpc_task_release_transport(task);
++ }
+ return ret;
+ }
+
+--- a/include/linux/sunrpc/clnt.h
++++ b/include/linux/sunrpc/clnt.h
+@@ -156,6 +156,7 @@ int rpc_switch_client_transport(struct
+
+ void rpc_shutdown_client(struct rpc_clnt *);
+ void rpc_release_client(struct rpc_clnt *);
++void rpc_task_release_transport(struct rpc_task *);
+ void rpc_task_release_client(struct rpc_task *);
+
+ int rpcb_create_local(struct net *);
+--- a/net/sunrpc/clnt.c
++++ b/net/sunrpc/clnt.c
+@@ -965,10 +965,20 @@ out:
+ }
+ EXPORT_SYMBOL_GPL(rpc_bind_new_program);
+
++void rpc_task_release_transport(struct rpc_task *task)
++{
++ struct rpc_xprt *xprt = task->tk_xprt;
++
++ if (xprt) {
++ task->tk_xprt = NULL;
++ xprt_put(xprt);
++ }
++}
++EXPORT_SYMBOL_GPL(rpc_task_release_transport);
++
+ void rpc_task_release_client(struct rpc_task *task)
+ {
+ struct rpc_clnt *clnt = task->tk_client;
+- struct rpc_xprt *xprt = task->tk_xprt;
+
+ if (clnt != NULL) {
+ /* Remove from client task list */
+@@ -979,12 +989,14 @@ void rpc_task_release_client(struct rpc_
+
+ rpc_release_client(clnt);
+ }
++ rpc_task_release_transport(task);
++}
+
+- if (xprt != NULL) {
+- task->tk_xprt = NULL;
+-
+- xprt_put(xprt);
+- }
++static
++void rpc_task_set_transport(struct rpc_task *task, struct rpc_clnt *clnt)
++{
++ if (!task->tk_xprt)
++ task->tk_xprt = xprt_iter_get_next(&clnt->cl_xpi);
+ }
+
+ static
+@@ -992,8 +1004,7 @@ void rpc_task_set_client(struct rpc_task
+ {
+
+ if (clnt != NULL) {
+- if (task->tk_xprt == NULL)
+- task->tk_xprt = xprt_iter_get_next(&clnt->cl_xpi);
++ rpc_task_set_transport(task, clnt);
+ task->tk_client = clnt;
+ atomic_inc(&clnt->cl_count);
+ if (clnt->cl_softrtry)
+@@ -1529,6 +1540,7 @@ call_start(struct rpc_task *task)
+ clnt->cl_program->version[clnt->cl_vers]->counts[idx]++;
+ clnt->cl_stats->rpccnt++;
+ task->tk_action = call_reserve;
++ rpc_task_set_transport(task, clnt);
+ }
+
+ /*
--- /dev/null
+From 8618289c46556fd4dd259a1af02ccc448032f48d Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trondmy@gmail.com>
+Date: Tue, 14 Aug 2018 17:55:56 -0400
+Subject: NFSv4: Fix a sleep in atomic context in nfs4_callback_sequence()
+
+From: Trond Myklebust <trondmy@gmail.com>
+
+commit 8618289c46556fd4dd259a1af02ccc448032f48d upstream.
+
+We must drop the lock before we can sleep in referring_call_exists().
+
+Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Fixes: 045d2a6d076a ("NFSv4.1: Delay callback processing...")
+Cc: stable@vger.kernel.org # v4.9+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/callback_proc.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/callback_proc.c
++++ b/fs/nfs/callback_proc.c
+@@ -433,11 +433,14 @@ validate_seqid(const struct nfs4_slot_ta
+ * a match. If the slot is in use and the sequence numbers match, the
+ * client is still waiting for a response to the original request.
+ */
+-static bool referring_call_exists(struct nfs_client *clp,
++static int referring_call_exists(struct nfs_client *clp,
+ uint32_t nrclists,
+- struct referring_call_list *rclists)
++ struct referring_call_list *rclists,
++ spinlock_t *lock)
++ __releases(lock)
++ __acquires(lock)
+ {
+- bool status = 0;
++ int status = 0;
+ int i, j;
+ struct nfs4_session *session;
+ struct nfs4_slot_table *tbl;
+@@ -460,8 +463,10 @@ static bool referring_call_exists(struct
+
+ for (j = 0; j < rclist->rcl_nrefcalls; j++) {
+ ref = &rclist->rcl_refcalls[j];
++ spin_unlock(lock);
+ status = nfs4_slot_wait_on_seqid(tbl, ref->rc_slotid,
+ ref->rc_sequenceid, HZ >> 1) < 0;
++ spin_lock(lock);
+ if (status)
+ goto out;
+ }
+@@ -538,7 +543,8 @@ __be32 nfs4_callback_sequence(void *argp
+ * related callback was received before the response to the original
+ * call.
+ */
+- if (referring_call_exists(clp, args->csa_nrclists, args->csa_rclists)) {
++ if (referring_call_exists(clp, args->csa_nrclists, args->csa_rclists,
++ &tbl->slot_tbl_lock) < 0) {
+ status = htonl(NFS4ERR_DELAY);
+ goto out_unlock;
+ }
--- /dev/null
+From d0fbb1d8a194c0ec0180c1d073ad709e45503a43 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trondmy@gmail.com>
+Date: Tue, 14 Aug 2018 17:25:37 -0400
+Subject: NFSv4: Fix locking in pnfs_generic_recover_commit_reqs
+
+From: Trond Myklebust <trondmy@gmail.com>
+
+commit d0fbb1d8a194c0ec0180c1d073ad709e45503a43 upstream.
+
+The use of the inode->i_lock was converted to a mutex, but we forgot
+to remove the old inode unlock/lock() pair that allowed the layout
+segment to be put inside the loop.
+
+Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Fixes: e824f99adaaf1 ("NFSv4: Use a mutex to protect the per-inode commit...")
+Cc: stable@vger.kernel.org # v4.14+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pnfs_nfs.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/fs/nfs/pnfs_nfs.c
++++ b/fs/nfs/pnfs_nfs.c
+@@ -61,7 +61,7 @@ EXPORT_SYMBOL_GPL(pnfs_generic_commit_re
+
+ /* The generic layer is about to remove the req from the commit list.
+ * If this will make the bucket empty, it will need to put the lseg reference.
+- * Note this must be called holding i_lock
++ * Note this must be called holding nfsi->commit_mutex
+ */
+ void
+ pnfs_generic_clear_request_commit(struct nfs_page *req,
+@@ -149,9 +149,7 @@ restart:
+ if (list_empty(&b->written)) {
+ freeme = b->wlseg;
+ b->wlseg = NULL;
+- spin_unlock(&cinfo->inode->i_lock);
+ pnfs_put_lseg(freeme);
+- spin_lock(&cinfo->inode->i_lock);
+ goto restart;
+ }
+ }
+@@ -167,7 +165,7 @@ static void pnfs_generic_retry_commit(st
+ LIST_HEAD(pages);
+ int i;
+
+- spin_lock(&cinfo->inode->i_lock);
++ mutex_lock(&NFS_I(cinfo->inode)->commit_mutex);
+ for (i = idx; i < fl_cinfo->nbuckets; i++) {
+ bucket = &fl_cinfo->buckets[i];
+ if (list_empty(&bucket->committing))
+@@ -177,12 +175,12 @@ static void pnfs_generic_retry_commit(st
+ list_for_each(pos, &bucket->committing)
+ cinfo->ds->ncommitting--;
+ list_splice_init(&bucket->committing, &pages);
+- spin_unlock(&cinfo->inode->i_lock);
++ mutex_unlock(&NFS_I(cinfo->inode)->commit_mutex);
+ nfs_retry_commit(&pages, freeme, cinfo, i);
+ pnfs_put_lseg(freeme);
+- spin_lock(&cinfo->inode->i_lock);
++ mutex_lock(&NFS_I(cinfo->inode)->commit_mutex);
+ }
+- spin_unlock(&cinfo->inode->i_lock);
++ mutex_unlock(&NFS_I(cinfo->inode)->commit_mutex);
+ }
+
+ static unsigned int
+@@ -222,13 +220,13 @@ void pnfs_fetch_commit_bucket_list(struc
+ struct list_head *pos;
+
+ bucket = &cinfo->ds->buckets[data->ds_commit_index];
+- spin_lock(&cinfo->inode->i_lock);
++ mutex_lock(&NFS_I(cinfo->inode)->commit_mutex);
+ list_for_each(pos, &bucket->committing)
+ cinfo->ds->ncommitting--;
+ list_splice_init(&bucket->committing, pages);
+ data->lseg = bucket->clseg;
+ bucket->clseg = NULL;
+- spin_unlock(&cinfo->inode->i_lock);
++ mutex_unlock(&NFS_I(cinfo->inode)->commit_mutex);
+
+ }
+
--- /dev/null
+From 3df6f61fff49632492490fb6e42646b803a9958a Mon Sep 17 00:00:00 2001
+From: "zhangyi (F)" <yi.zhang@huawei.com>
+Date: Tue, 14 Aug 2018 10:34:42 +0800
+Subject: PM / sleep: wakeup: Fix build error caused by missing SRCU support
+
+From: zhangyi (F) <yi.zhang@huawei.com>
+
+commit 3df6f61fff49632492490fb6e42646b803a9958a upstream.
+
+Commit ea0212f40c6 (power: auto select CONFIG_SRCU) made the code in
+drivers/base/power/wakeup.c use SRCU instead of RCU, but it forgot to
+select CONFIG_SRCU in Kconfig, which leads to the following build
+error if CONFIG_SRCU is not selected somewhere else:
+
+drivers/built-in.o: In function `wakeup_source_remove':
+(.text+0x3c6fc): undefined reference to `synchronize_srcu'
+drivers/built-in.o: In function `pm_print_active_wakeup_sources':
+(.text+0x3c7a8): undefined reference to `__srcu_read_lock'
+drivers/built-in.o: In function `pm_print_active_wakeup_sources':
+(.text+0x3c84c): undefined reference to `__srcu_read_unlock'
+drivers/built-in.o: In function `device_wakeup_arm_wake_irqs':
+(.text+0x3d1d8): undefined reference to `__srcu_read_lock'
+drivers/built-in.o: In function `device_wakeup_arm_wake_irqs':
+(.text+0x3d228): undefined reference to `__srcu_read_unlock'
+drivers/built-in.o: In function `device_wakeup_disarm_wake_irqs':
+(.text+0x3d24c): undefined reference to `__srcu_read_lock'
+drivers/built-in.o: In function `device_wakeup_disarm_wake_irqs':
+(.text+0x3d29c): undefined reference to `__srcu_read_unlock'
+drivers/built-in.o:(.data+0x4158): undefined reference to `process_srcu'
+
+Fix this error by selecting CONFIG_SRCU when PM_SLEEP is enabled.
+
+Fixes: ea0212f40c6 (power: auto select CONFIG_SRCU)
+Cc: 4.2+ <stable@vger.kernel.org> # 4.2+
+Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
+[ rjw: Minor subject/changelog fixups ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/power/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/power/Kconfig
++++ b/kernel/power/Kconfig
+@@ -105,6 +105,7 @@ config PM_SLEEP
+ def_bool y
+ depends on SUSPEND || HIBERNATE_CALLBACKS
+ select PM
++ select SRCU
+
+ config PM_SLEEP_SMP
+ def_bool y
--- /dev/null
+From 0914bb965e38a055e9245637aed117efbe976e91 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Jul 2018 12:59:58 +0300
+Subject: pnfs/blocklayout: off by one in bl_map_stripe()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 0914bb965e38a055e9245637aed117efbe976e91 upstream.
+
+"dev->nr_children" is the number of children which were parsed
+successfully in bl_parse_stripe(). It could be all of them and then, in
+that case, it is equal to v->stripe.volumes_count. Either way, the >
+should be >= so that we don't go beyond the end of what we're supposed
+to.
+
+Fixes: 5c83746a0cf2 ("pnfs/blocklayout: in-kernel GETDEVICEINFO XDR parsing")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Cc: stable@vger.kernel.org # 3.17+
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/blocklayout/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/blocklayout/dev.c
++++ b/fs/nfs/blocklayout/dev.c
+@@ -204,7 +204,7 @@ static bool bl_map_stripe(struct pnfs_bl
+ chunk = div_u64(offset, dev->chunk_size);
+ div_u64_rem(chunk, dev->nr_children, &chunk_idx);
+
+- if (chunk_idx > dev->nr_children) {
++ if (chunk_idx >= dev->nr_children) {
+ dprintk("%s: invalid chunk idx %d (%lld/%lld)\n",
+ __func__, chunk_idx, offset, dev->chunk_size);
+ /* error, should not happen */
uprobes-use-synchronize_rcu-not-synchronize_sched.patch
mfd-hi655x-fix-regmap-area-declared-size-for-hi655x.patch
ovl-fix-wrong-use-of-impure-dir-cache-in-ovl_iterate.patch
+drivers-block-zram-zram_drv.c-fix-bug-storing-backing_dev.patch
+cpufreq-governor-avoid-accessing-invalid-governor_data.patch
+pm-sleep-wakeup-fix-build-error-caused-by-missing-srcu-support.patch
+kvm-vmx-fixes-for-vmentry_l1d_flush-module-parameter.patch
+kvm-ppc-book3s-fix-guest-dma-when-guest-partially-backed-by-thp-pages.patch
+xtensa-limit-offsets-in-__loop_cache_-all-page.patch
+xtensa-increase-ranges-in-___invalidate_-i-d-cache_all.patch
+block-bfq-return-nbytes-and-not-zero-from-struct-cftype-.write-method.patch
+pnfs-blocklayout-off-by-one-in-bl_map_stripe.patch
+nfsv4-client-live-hangs-after-live-data-migration-recovery.patch
+nfsv4-fix-locking-in-pnfs_generic_recover_commit_reqs.patch
+nfsv4-fix-a-sleep-in-atomic-context-in-nfs4_callback_sequence.patch
+arm-tegra-fix-tegra30-cardhu-pca954x-reset.patch
--- /dev/null
+From fec3259c9f747c039f90e99570540114c8d81a14 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Fri, 10 Aug 2018 22:21:22 -0700
+Subject: xtensa: increase ranges in ___invalidate_{i,d}cache_all
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+commit fec3259c9f747c039f90e99570540114c8d81a14 upstream.
+
+Cache invalidation macros use cache line size to iterate over
+invalidated cache lines, assuming that all cache ways are invalidated by
+single instruction, but xtensa ISA recommends to not assume that for
+future compatibility:
+ In some implementations all ways at index Addry-1..z are invalidated
+ regardless of the specified way, but for future compatibility this
+ behavior should not be assumed.
+
+Iterate over all cache ways in ___invalidate_icache_all and
+___invalidate_dcache_all.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/xtensa/include/asm/cacheasm.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/xtensa/include/asm/cacheasm.h
++++ b/arch/xtensa/include/asm/cacheasm.h
+@@ -123,7 +123,7 @@
+ .macro ___invalidate_dcache_all ar at
+
+ #if XCHAL_DCACHE_SIZE
+- __loop_cache_all \ar \at dii __stringify(DCACHE_WAY_SIZE) \
++ __loop_cache_all \ar \at dii XCHAL_DCACHE_SIZE \
+ XCHAL_DCACHE_LINEWIDTH 1020
+ #endif
+
+@@ -133,7 +133,7 @@
+ .macro ___invalidate_icache_all ar at
+
+ #if XCHAL_ICACHE_SIZE
+- __loop_cache_all \ar \at iii __stringify(ICACHE_WAY_SIZE) \
++ __loop_cache_all \ar \at iii XCHAL_ICACHE_SIZE \
+ XCHAL_ICACHE_LINEWIDTH 1020
+ #endif
+
--- /dev/null
+From be75de25251f7cf3e399ca1f584716a95510d24a Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Fri, 10 Aug 2018 20:43:48 -0700
+Subject: xtensa: limit offsets in __loop_cache_{all,page}
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+commit be75de25251f7cf3e399ca1f584716a95510d24a upstream.
+
+When building kernel for xtensa cores with big cache lines (e.g. 128
+bytes or more) __loop_cache_all and __loop_cache_page may generate
+assembly instructions with immediate fields that are too big. This
+results in the following build errors:
+
+ arch/xtensa/mm/misc.S: Assembler messages:
+ arch/xtensa/mm/misc.S:464: Error: operand 2 of 'diwbi' has invalid value '256'
+ arch/xtensa/mm/misc.S:464: Error: operand 2 of 'diwbi' has invalid value '384'
+ arch/xtensa/kernel/head.S: Assembler messages:
+ arch/xtensa/kernel/head.S:172: Error: operand 2 of 'diu' has invalid value '256'
+ arch/xtensa/kernel/head.S:172: Error: operand 2 of 'diu' has invalid value '384'
+ arch/xtensa/kernel/head.S:176: Error: operand 2 of 'iiu' has invalid value '256'
+ arch/xtensa/kernel/head.S:176: Error: operand 2 of 'iiu' has invalid value '384'
+ arch/xtensa/kernel/head.S:255: Error: operand 2 of 'diwb' has invalid value '256'
+ arch/xtensa/kernel/head.S:255: Error: operand 2 of 'diwb' has invalid value '384'
+
+Add parameter max_immed to these macros and use it to limit values of
+immediate operands. Extract common code of these macros into the new
+macro __loop_cache_unroll.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/xtensa/include/asm/cacheasm.h | 65 ++++++++++++++++++++++---------------
+ 1 file changed, 40 insertions(+), 25 deletions(-)
+
+--- a/arch/xtensa/include/asm/cacheasm.h
++++ b/arch/xtensa/include/asm/cacheasm.h
+@@ -31,16 +31,32 @@
+ *
+ */
+
+- .macro __loop_cache_all ar at insn size line_width
+
+- movi \ar, 0
++ .macro __loop_cache_unroll ar at insn size line_width max_immed
++
++ .if (1 << (\line_width)) > (\max_immed)
++ .set _reps, 1
++ .elseif (2 << (\line_width)) > (\max_immed)
++ .set _reps, 2
++ .else
++ .set _reps, 4
++ .endif
++
++ __loopi \ar, \at, \size, (_reps << (\line_width))
++ .set _index, 0
++ .rep _reps
++ \insn \ar, _index << (\line_width)
++ .set _index, _index + 1
++ .endr
++ __endla \ar, \at, _reps << (\line_width)
++
++ .endm
++
+
+- __loopi \ar, \at, \size, (4 << (\line_width))
+- \insn \ar, 0 << (\line_width)
+- \insn \ar, 1 << (\line_width)
+- \insn \ar, 2 << (\line_width)
+- \insn \ar, 3 << (\line_width)
+- __endla \ar, \at, 4 << (\line_width)
++ .macro __loop_cache_all ar at insn size line_width max_immed
++
++ movi \ar, 0
++ __loop_cache_unroll \ar, \at, \insn, \size, \line_width, \max_immed
+
+ .endm
+
+@@ -57,14 +73,9 @@
+ .endm
+
+
+- .macro __loop_cache_page ar at insn line_width
++ .macro __loop_cache_page ar at insn line_width max_immed
+
+- __loopi \ar, \at, PAGE_SIZE, 4 << (\line_width)
+- \insn \ar, 0 << (\line_width)
+- \insn \ar, 1 << (\line_width)
+- \insn \ar, 2 << (\line_width)
+- \insn \ar, 3 << (\line_width)
+- __endla \ar, \at, 4 << (\line_width)
++ __loop_cache_unroll \ar, \at, \insn, PAGE_SIZE, \line_width, \max_immed
+
+ .endm
+
+@@ -72,7 +83,8 @@
+ .macro ___unlock_dcache_all ar at
+
+ #if XCHAL_DCACHE_LINE_LOCKABLE && XCHAL_DCACHE_SIZE
+- __loop_cache_all \ar \at diu XCHAL_DCACHE_SIZE XCHAL_DCACHE_LINEWIDTH
++ __loop_cache_all \ar \at diu XCHAL_DCACHE_SIZE \
++ XCHAL_DCACHE_LINEWIDTH 240
+ #endif
+
+ .endm
+@@ -81,7 +93,8 @@
+ .macro ___unlock_icache_all ar at
+
+ #if XCHAL_ICACHE_LINE_LOCKABLE && XCHAL_ICACHE_SIZE
+- __loop_cache_all \ar \at iiu XCHAL_ICACHE_SIZE XCHAL_ICACHE_LINEWIDTH
++ __loop_cache_all \ar \at iiu XCHAL_ICACHE_SIZE \
++ XCHAL_ICACHE_LINEWIDTH 240
+ #endif
+
+ .endm
+@@ -90,7 +103,8 @@
+ .macro ___flush_invalidate_dcache_all ar at
+
+ #if XCHAL_DCACHE_SIZE
+- __loop_cache_all \ar \at diwbi XCHAL_DCACHE_SIZE XCHAL_DCACHE_LINEWIDTH
++ __loop_cache_all \ar \at diwbi XCHAL_DCACHE_SIZE \
++ XCHAL_DCACHE_LINEWIDTH 240
+ #endif
+
+ .endm
+@@ -99,7 +113,8 @@
+ .macro ___flush_dcache_all ar at
+
+ #if XCHAL_DCACHE_SIZE
+- __loop_cache_all \ar \at diwb XCHAL_DCACHE_SIZE XCHAL_DCACHE_LINEWIDTH
++ __loop_cache_all \ar \at diwb XCHAL_DCACHE_SIZE \
++ XCHAL_DCACHE_LINEWIDTH 240
+ #endif
+
+ .endm
+@@ -109,7 +124,7 @@
+
+ #if XCHAL_DCACHE_SIZE
+ __loop_cache_all \ar \at dii __stringify(DCACHE_WAY_SIZE) \
+- XCHAL_DCACHE_LINEWIDTH
++ XCHAL_DCACHE_LINEWIDTH 1020
+ #endif
+
+ .endm
+@@ -119,7 +134,7 @@
+
+ #if XCHAL_ICACHE_SIZE
+ __loop_cache_all \ar \at iii __stringify(ICACHE_WAY_SIZE) \
+- XCHAL_ICACHE_LINEWIDTH
++ XCHAL_ICACHE_LINEWIDTH 1020
+ #endif
+
+ .endm
+@@ -166,7 +181,7 @@
+ .macro ___flush_invalidate_dcache_page ar as
+
+ #if XCHAL_DCACHE_SIZE
+- __loop_cache_page \ar \as dhwbi XCHAL_DCACHE_LINEWIDTH
++ __loop_cache_page \ar \as dhwbi XCHAL_DCACHE_LINEWIDTH 1020
+ #endif
+
+ .endm
+@@ -175,7 +190,7 @@
+ .macro ___flush_dcache_page ar as
+
+ #if XCHAL_DCACHE_SIZE
+- __loop_cache_page \ar \as dhwb XCHAL_DCACHE_LINEWIDTH
++ __loop_cache_page \ar \as dhwb XCHAL_DCACHE_LINEWIDTH 1020
+ #endif
+
+ .endm
+@@ -184,7 +199,7 @@
+ .macro ___invalidate_dcache_page ar as
+
+ #if XCHAL_DCACHE_SIZE
+- __loop_cache_page \ar \as dhi XCHAL_DCACHE_LINEWIDTH
++ __loop_cache_page \ar \as dhi XCHAL_DCACHE_LINEWIDTH 1020
+ #endif
+
+ .endm
+@@ -193,7 +208,7 @@
+ .macro ___invalidate_icache_page ar as
+
+ #if XCHAL_ICACHE_SIZE
+- __loop_cache_page \ar \as ihi XCHAL_ICACHE_LINEWIDTH
++ __loop_cache_page \ar \as ihi XCHAL_ICACHE_LINEWIDTH 1020
+ #endif
+
+ .endm
projects / thirdparty / kernel / stable-queue.git / commitdiff
