--- /dev/null
+From 90995ef1e7d34edc68c76d9db7b91f68ea272b6b Mon Sep 17 00:00:00 2001
+From: Prarit Bhargava <prarit@redhat.com>
+Date: Thu, 30 Nov 2017 15:05:59 -0500
+Subject: ACPI: sysfs: Make ACPI GPE mask kernel parameter cover all GPEs
+
+[ Upstream commit 0f27cff8597d86f881ea8274b49b63b678c14a3c ]
+
+The acpi_mask_gpe= kernel parameter documentation states that the range
+of mask is 128 GPEs (0x00 to 0x7F). The acpi_masked_gpes mask is a u64 so
+only 64 GPEs (0x00 to 0x3F) can really be masked.
+
+Use a bitmap of size 0xFF instead of a u64 for the GPE mask so 256
+GPEs can be masked.
+
+Fixes: 9c4aa1eecb48 (ACPI / sysfs: Provide quirk mechanism to prevent GPE flooding)
+Signed-off-by: Prarit Bharava <prarit@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/kernel-parameters.txt | 1 -
+ drivers/acpi/sysfs.c | 26 ++++++++------------------
+ 2 files changed, 8 insertions(+), 19 deletions(-)
+
+diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
+index f9f67be8d3c3..c708a50b060e 100644
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -313,7 +313,6 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+ This facility can be used to prevent such uncontrolled
+ GPE floodings.
+ Format: <int>
+- Support masking of GPEs numbered from 0x00 to 0x7f.
+
+ acpi_no_auto_serialize [HW,ACPI]
+ Disable auto-serialization of AML methods
+diff --git a/drivers/acpi/sysfs.c b/drivers/acpi/sysfs.c
+index cf05ae973381..a36d0739dbfe 100644
+--- a/drivers/acpi/sysfs.c
++++ b/drivers/acpi/sysfs.c
+@@ -724,14 +724,8 @@ end:
+ * interface:
+ * echo unmask > /sys/firmware/acpi/interrupts/gpe00
+ */
+-
+-/*
+- * Currently, the GPE flooding prevention only supports to mask the GPEs
+- * numbered from 00 to 7f.
+- */
+-#define ACPI_MASKABLE_GPE_MAX 0x80
+-
+-static u64 __initdata acpi_masked_gpes;
++#define ACPI_MASKABLE_GPE_MAX 0xFF
++static DECLARE_BITMAP(acpi_masked_gpes_map, ACPI_MASKABLE_GPE_MAX) __initdata;
+
+ static int __init acpi_gpe_set_masked_gpes(char *val)
+ {
+@@ -739,7 +733,7 @@ static int __init acpi_gpe_set_masked_gpes(char *val)
+
+ if (kstrtou8(val, 0, &gpe) || gpe > ACPI_MASKABLE_GPE_MAX)
+ return -EINVAL;
+- acpi_masked_gpes |= ((u64)1<<gpe);
++ set_bit(gpe, acpi_masked_gpes_map);
+
+ return 1;
+ }
+@@ -751,15 +745,11 @@ void __init acpi_gpe_apply_masked_gpes(void)
+ acpi_status status;
+ u8 gpe;
+
+- for (gpe = 0;
+- gpe < min_t(u8, ACPI_MASKABLE_GPE_MAX, acpi_current_gpe_count);
+- gpe++) {
+- if (acpi_masked_gpes & ((u64)1<<gpe)) {
+- status = acpi_get_gpe_device(gpe, &handle);
+- if (ACPI_SUCCESS(status)) {
+- pr_info("Masking GPE 0x%x.\n", gpe);
+- (void)acpi_mask_gpe(handle, gpe, TRUE);
+- }
++ for_each_set_bit(gpe, acpi_masked_gpes_map, ACPI_MASKABLE_GPE_MAX) {
++ status = acpi_get_gpe_device(gpe, &handle);
++ if (ACPI_SUCCESS(status)) {
++ pr_info("Masking GPE 0x%x.\n", gpe);
++ (void)acpi_mask_gpe(handle, gpe, TRUE);
+ }
+ }
+ }
+--
+2.17.1
+
--- /dev/null
+From d29df43b8bc9859c8276bed8b55cfafb45758e2a Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 27 Apr 2018 17:17:35 +0200
+Subject: ALSA: hda - Fix incorrect usage of IS_REACHABLE()
+
+[ Upstream commit 6a30abaa40b62aed46ef12ea4c16c48565bdb376 ]
+
+The commit c469652bb5e8 ("ALSA: hda - Use IS_REACHABLE() for
+dependency on input") simplified the dependencies with IS_REACHABLE()
+macro, but it broke due to its incorrect usage: it should have been
+IS_REACHABLE(CONFIG_INPUT) instead of IS_REACHABLE(INPUT).
+
+Fixes: c469652bb5e8 ("ALSA: hda - Use IS_REACHABLE() for dependency on input")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 0eee308365c4..cc48800f95e0 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -3499,7 +3499,7 @@ static void alc280_fixup_hp_gpio4(struct hda_codec *codec,
+ }
+ }
+
+-#if IS_REACHABLE(INPUT)
++#if IS_REACHABLE(CONFIG_INPUT)
+ static void gpio2_mic_hotkey_event(struct hda_codec *codec,
+ struct hda_jack_callback *event)
+ {
+--
+2.17.1
+
--- /dev/null
+From d5d47d49156d31ebcf21b3521cd595f04eced5d0 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 16 May 2017 09:11:33 +0200
+Subject: ALSA: hda - No loopback on ALC299 codec
+
+[ Upstream commit fa16b69f1299004b60b625f181143500a246e5cb ]
+
+ALC299 has no loopback mixer, but the driver still tries to add a beep
+control over the mixer NID which leads to the error at accessing it.
+This patch fixes it by properly declaring mixer_nid=0 for this codec.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195775
+Fixes: 28f1f9b26cee ("ALSA: hda/realtek - Add new codec ID ALC299")
+Cc: stable@vger.kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index ca2945711dbe..0eee308365c4 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6392,8 +6392,11 @@ static int patch_alc269(struct hda_codec *codec)
+ break;
+ case 0x10ec0225:
+ case 0x10ec0295:
++ spec->codec_variant = ALC269_TYPE_ALC225;
++ break;
+ case 0x10ec0299:
+ spec->codec_variant = ALC269_TYPE_ALC225;
++ spec->gen.mixer_nid = 0; /* no loopback on ALC299 */
+ break;
+ case 0x10ec0234:
+ case 0x10ec0274:
+--
+2.17.1
+
--- /dev/null
+From dd121e00d6890eb359ce0e865b331accf3cfd75c Mon Sep 17 00:00:00 2001
+From: Jane Chu <jane.chu@oracle.com>
+Date: Thu, 25 May 2017 13:51:20 -0600
+Subject: arch/sparc: increase CONFIG_NODES_SHIFT on SPARC64 to 5
+
+[ Upstream commit 7485af89a6fd48f7e6fab2505d2364d1817723e6 ]
+
+SPARC M6-32 platform has (2^5) NUMA nodes, so need to bump up the
+CONFIG_NODES_SHIFT to 5.
+
+Orabug: 25577754
+
+Signed-off-by: Jane Chu <jane.chu@oracle.com>
+Reviewed-by: Bob Picco <bob.picco@oracle.com>
+Reviewed-by: Atish Patra <atish.patra@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sparc/Kconfig | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig
+index 8b4152f3a764..cef42d4be292 100644
+--- a/arch/sparc/Kconfig
++++ b/arch/sparc/Kconfig
+@@ -290,9 +290,13 @@ config NUMA
+ depends on SPARC64 && SMP
+
+ config NODES_SHIFT
+- int
+- default "4"
++ int "Maximum NUMA Nodes (as a power of 2)"
++ range 4 5 if SPARC64
++ default "5"
+ depends on NEED_MULTIPLE_NODES
++ help
++ Specify the maximum number of NUMA Nodes available on the target
++ system. Increases memory reserved to accommodate various tables.
+
+ # Some NUMA nodes have memory ranges that span
+ # other nodes. Even though a pfn is valid and
+--
+2.17.1
+
--- /dev/null
+From 755d00cf687af9b34167e6a65987b250bcbfd818 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Wed, 24 May 2017 15:31:57 +0100
+Subject: ARM: 8677/1: boot/compressed: fix decompressor header layout for v7-M
+
+[ Upstream commit 06a4b6d009a1b74a6ec46c5418b46cc53a79fcb8 ]
+
+As reported by Patrice, the header layout of the decompressor is
+incorrect when building for v7-M. In this case, the __nop macro
+resolves to 'mov r0, r0', which is emitted as a narrow encoding,
+resulting in the header data fields to end up at lower offsets than
+required.
+
+Given the variety of targets we need to support with the same code,
+the startup sequence is a bit of a jumble, and uses instructions
+and macros whose encoding widths cannot be specified (badr), or only
+exist in a narrow encoding (bx)
+
+So force the use of a wide encoding in __nop, and replace the start
+sequence with a simple jump to the label marking the start of code,
+preceded by a Thumb2 mode switch if required (using explicit wide
+encodings where appropriate). The label itself can be moved to the
+start of code [where it belongs] due to the larger range of branch
+instructions as compared to adr instructions.
+
+Reported-by: Patrice CHOTARD <patrice.chotard@st.com>
+Acked-by: Nicolas Pitre <nico@linaro.org>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/compressed/efi-header.S | 4 +---
+ arch/arm/boot/compressed/head.S | 17 ++++++++++-------
+ 2 files changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/arch/arm/boot/compressed/efi-header.S b/arch/arm/boot/compressed/efi-header.S
+index 9d5dc4fda3c1..3f7d1b74c5e0 100644
+--- a/arch/arm/boot/compressed/efi-header.S
++++ b/arch/arm/boot/compressed/efi-header.S
+@@ -17,14 +17,12 @@
+ @ there.
+ .inst 'M' | ('Z' << 8) | (0x1310 << 16) @ tstne r0, #0x4d000
+ #else
+- mov r0, r0
++ W(mov) r0, r0
+ #endif
+ .endm
+
+ .macro __EFI_HEADER
+ #ifdef CONFIG_EFI_STUB
+- b __efi_start
+-
+ .set start_offset, __efi_start - start
+ .org start + 0x3c
+ @
+diff --git a/arch/arm/boot/compressed/head.S b/arch/arm/boot/compressed/head.S
+index fc6d541549a2..2d7f2bb0d66a 100644
+--- a/arch/arm/boot/compressed/head.S
++++ b/arch/arm/boot/compressed/head.S
+@@ -130,19 +130,22 @@ start:
+ .rept 7
+ __nop
+ .endr
+- ARM( mov r0, r0 )
+- ARM( b 1f )
+- THUMB( badr r12, 1f )
+- THUMB( bx r12 )
++#ifndef CONFIG_THUMB2_KERNEL
++ mov r0, r0
++#else
++ AR_CLASS( sub pc, pc, #3 ) @ A/R: switch to Thumb2 mode
++ M_CLASS( nop.w ) @ M: already in Thumb2 mode
++ .thumb
++#endif
++ W(b) 1f
+
+ .word _magic_sig @ Magic numbers to help the loader
+ .word _magic_start @ absolute load/run zImage address
+ .word _magic_end @ zImage end address
+ .word 0x04030201 @ endianness flag
+
+- THUMB( .thumb )
+-1: __EFI_HEADER
+-
++ __EFI_HEADER
++1:
+ ARM_BE8( setend be ) @ go BE8 if compiled for BE8
+ AR_CLASS( mrs r9, cpsr )
+ #ifdef CONFIG_ARM_VIRT_EXT
+--
+2.17.1
+
--- /dev/null
+From b64083661b598e4165df9615069198b9d5e9d75c Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Date: Thu, 13 Sep 2018 16:48:08 +0100
+Subject: ARM: 8799/1: mm: fix pci_ioremap_io() offset check
+
+[ Upstream commit 3a58ac65e2d7969bcdf1b6acb70fa4d12a88e53e ]
+
+IO_SPACE_LIMIT is the ending address of the PCI IO space, i.e
+something like 0xfffff (and not 0x100000).
+
+Therefore, when offset = 0xf0000 is passed as argument, this function
+fails even though the offset + SZ_64K fits below the
+IO_SPACE_LIMIT. This makes the last chunk of 64 KB of the I/O space
+not usable as it cannot be mapped.
+
+This patch fixes that by substracing 1 to offset + SZ_64K, so that we
+compare the addrss of the last byte of the I/O space against
+IO_SPACE_LIMIT instead of the address of the first byte of what is
+after the I/O space.
+
+Fixes: c2794437091a4 ("ARM: Add fixed PCI i/o mapping")
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Acked-by: Nicolas Pitre <nico@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/ioremap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mm/ioremap.c b/arch/arm/mm/ioremap.c
+index ff0eed23ddf1..66e5d8765601 100644
+--- a/arch/arm/mm/ioremap.c
++++ b/arch/arm/mm/ioremap.c
+@@ -473,7 +473,7 @@ void pci_ioremap_set_mem_type(int mem_type)
+
+ int pci_ioremap_io(unsigned int offset, phys_addr_t phys_addr)
+ {
+- BUG_ON(offset + SZ_64K > IO_SPACE_LIMIT);
++ BUG_ON(offset + SZ_64K - 1 > IO_SPACE_LIMIT);
+
+ return ioremap_page_range(PCI_IO_VIRT_BASE + offset,
+ PCI_IO_VIRT_BASE + offset + SZ_64K,
+--
+2.17.1
+
--- /dev/null
+From 8b58c06a27bdc37edb7c0c927e573a6c7039b3f0 Mon Sep 17 00:00:00 2001
+From: Phil Elwell <phil@raspberrypi.org>
+Date: Tue, 9 May 2017 10:04:30 +0100
+Subject: ARM: dts: bcm283x: Reserve first page for firmware
+
+[ Upstream commit b0804ed0cadd7e38d94d2f15cdcc0d9695818856 ]
+
+The Raspberry Pi startup stub files for multi-core BCM283X processors
+make the secondary CPUs spin until the corresponding mailbox is
+written. These stubs are loaded at physical address 0x00000xxx (as seen
+by the ARMs), but this page will be reused by the kernel unless it is
+explicitly reserved, causing the waiting cores to execute random code.
+
+Use the /memreserve/ Device Tree directive to mark the first page as
+off-limits to the kernel.
+
+See: https://github.com/raspberrypi/linux/issues/1989
+Signed-off-by: Phil Elwell <phil@raspberrypi.org>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/bcm283x.dtsi | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/arm/boot/dts/bcm283x.dtsi b/arch/arm/boot/dts/bcm283x.dtsi
+index c51b88ee3cec..31563007772c 100644
+--- a/arch/arm/boot/dts/bcm283x.dtsi
++++ b/arch/arm/boot/dts/bcm283x.dtsi
+@@ -3,6 +3,11 @@
+ #include <dt-bindings/clock/bcm2835-aux.h>
+ #include <dt-bindings/gpio/gpio.h>
+
++/* firmware-provided startup stubs live here, where the secondary CPUs are
++ * spinning.
++ */
++/memreserve/ 0x00000000 0x00001000;
++
+ /* This include file covers the common peripherals and configuration between
+ * bcm2835 and bcm2836 implementations, leaving the CPU configuration to
+ * bcm2835.dtsi and bcm2836.dtsi.
+--
+2.17.1
+
--- /dev/null
+From 554fad7e15c743391d845357d52561c8eb53b654 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Wed, 19 Sep 2018 17:14:01 -0700
+Subject: ARM: dts: BCM63xx: Fix incorrect interrupt specifiers
+
+[ Upstream commit 3ab97942d0213b6583a5408630a8cbbfbf54730f ]
+
+A number of our interrupts were incorrectly specified, fix both the PPI
+and SPI interrupts to be correct.
+
+Fixes: b5762cacc411 ("ARM: bcm63138: add NAND DT support")
+Fixes: 46d4bca0445a ("ARM: BCM63XX: add BCM63138 minimal Device Tree")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/bcm63138.dtsi | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm/boot/dts/bcm63138.dtsi b/arch/arm/boot/dts/bcm63138.dtsi
+index d0560e8cd6de..547369c69e96 100644
+--- a/arch/arm/boot/dts/bcm63138.dtsi
++++ b/arch/arm/boot/dts/bcm63138.dtsi
+@@ -105,21 +105,23 @@
+ global_timer: timer@1e200 {
+ compatible = "arm,cortex-a9-global-timer";
+ reg = <0x1e200 0x20>;
+- interrupts = <GIC_PPI 11 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_PPI 11 IRQ_TYPE_EDGE_RISING>;
+ clocks = <&axi_clk>;
+ };
+
+ local_timer: local-timer@1e600 {
+ compatible = "arm,cortex-a9-twd-timer";
+ reg = <0x1e600 0x20>;
+- interrupts = <GIC_PPI 13 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_PPI 13 (GIC_CPU_MASK_SIMPLE(2) |
++ IRQ_TYPE_EDGE_RISING)>;
+ clocks = <&axi_clk>;
+ };
+
+ twd_watchdog: watchdog@1e620 {
+ compatible = "arm,cortex-a9-twd-wdt";
+ reg = <0x1e620 0x20>;
+- interrupts = <GIC_PPI 14 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_PPI 14 (GIC_CPU_MASK_SIMPLE(2) |
++ IRQ_TYPE_LEVEL_HIGH)>;
+ };
+
+ armpll: armpll {
+@@ -157,7 +159,7 @@
+ serial0: serial@600 {
+ compatible = "brcm,bcm6345-uart";
+ reg = <0x600 0x1b>;
+- interrupts = <GIC_SPI 32 0>;
++ interrupts = <GIC_SPI 32 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&periph_clk>;
+ clock-names = "periph";
+ status = "disabled";
+@@ -166,7 +168,7 @@
+ serial1: serial@620 {
+ compatible = "brcm,bcm6345-uart";
+ reg = <0x620 0x1b>;
+- interrupts = <GIC_SPI 33 0>;
++ interrupts = <GIC_SPI 33 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&periph_clk>;
+ clock-names = "periph";
+ status = "disabled";
+@@ -179,7 +181,7 @@
+ reg = <0x2000 0x600>, <0xf0 0x10>;
+ reg-names = "nand", "nand-int-base";
+ status = "disabled";
+- interrupts = <GIC_SPI 38 0>;
++ interrupts = <GIC_SPI 38 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "nand";
+ };
+
+--
+2.17.1
+
--- /dev/null
+From b8febbd6d0a92500ecd7e360ae1fb08aaf5f459b Mon Sep 17 00:00:00 2001
+From: Sascha Hauer <s.hauer@pengutronix.de>
+Date: Wed, 12 Sep 2018 08:23:01 +0200
+Subject: ARM: dts: imx53-qsb: disable 1.2GHz OPP
+
+[ Upstream commit eea96566c189c77e5272585984eb2729881a2f1d ]
+
+The maximum CPU frequency for the i.MX53 QSB is 1GHz, so disable the
+1.2GHz OPP. This makes the board work again with configs that have
+cpufreq enabled like imx_v6_v7_defconfig on which the board stopped
+working with the addition of cpufreq-dt support.
+
+Fixes: 791f416608 ("ARM: dts: imx53: add cpufreq-dt support")
+
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx53-qsb-common.dtsi | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx53-qsb-common.dtsi b/arch/arm/boot/dts/imx53-qsb-common.dtsi
+index c05e7cfd0cbc..c8a6a6868c46 100644
+--- a/arch/arm/boot/dts/imx53-qsb-common.dtsi
++++ b/arch/arm/boot/dts/imx53-qsb-common.dtsi
+@@ -130,6 +130,17 @@
+ };
+ };
+
++&cpu0 {
++ /* CPU rated to 1GHz, not 1.2GHz as per the default settings */
++ operating-points = <
++ /* kHz uV */
++ 166666 850000
++ 400000 900000
++ 800000 1050000
++ 1000000 1200000
++ >;
++};
++
+ &esdhc1 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_esdhc1>;
+--
+2.17.1
+
--- /dev/null
+From 0bc3a6d4f0e519111965325703f4889555413d28 Mon Sep 17 00:00:00 2001
+From: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Date: Thu, 22 Feb 2018 15:38:25 +0100
+Subject: ARM: tegra: Fix ULPI regression on Tegra20
+
+[ Upstream commit 4c9a27a6c66d4427f3cba4019d4ba738fe99fa87 ]
+
+Since commit f8f8f1d04494 ("clk: Don't touch hardware when reparenting
+during registration") ULPI has been broken on Tegra20 leading to the
+following error message during boot:
+
+[ 1.974698] ulpi_phy_power_on: ulpi write failed
+[ 1.979384] tegra-ehci c5004000.usb: Failed to power on the phy
+[ 1.985434] tegra-ehci: probe of c5004000.usb failed with error -110
+
+Debugging through the changes and finally also consulting the TRM
+revealed that rather than the CDEV2 clock off OSC requiring such pin
+muxing actually the PLL_P_OUT4 clock is in use. It looks like so far it
+just worked by chance of that one having been enabled which Stephen's
+commit now changed when reparenting sclk away from pll_p_out4 leaving
+that one disabled. Fix this by properly assigning the PLL_P_OUT4 clock
+as the ULPI PHY clock.
+
+Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Reviewed-by: Dmitry Osipenko <digetx@gmail.com>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/tegra20.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/tegra20.dtsi b/arch/arm/boot/dts/tegra20.dtsi
+index 2207c08e3fa3..d771f24f6a26 100644
+--- a/arch/arm/boot/dts/tegra20.dtsi
++++ b/arch/arm/boot/dts/tegra20.dtsi
+@@ -690,7 +690,7 @@
+ phy_type = "ulpi";
+ clocks = <&tegra_car TEGRA20_CLK_USB2>,
+ <&tegra_car TEGRA20_CLK_PLL_U>,
+- <&tegra_car TEGRA20_CLK_CDEV2>;
++ <&tegra_car TEGRA20_CLK_PLL_P_OUT4>;
+ clock-names = "reg", "pll_u", "ulpi-link";
+ resets = <&tegra_car 58>, <&tegra_car 22>;
+ reset-names = "usb", "utmi-pads";
+--
+2.17.1
+
--- /dev/null
+From 34ade51e53278ce2916010bdab5acd5477cbcad1 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:50 -0700
+Subject: asix: Check for supported Wake-on-LAN modes
+
+[ Upstream commit c4ce446e33d7a0e978256ac6fea4c80e59d9de5f ]
+
+The driver currently silently accepts unsupported Wake-on-LAN modes
+(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user,
+which is confusing.
+
+Fixes: 2e55cc7210fe ("[PATCH] USB: usbnet (3/9) module for ASIX Ethernet adapters")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/asix_common.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
+index 125cff57c759..3dbb0646b024 100644
+--- a/drivers/net/usb/asix_common.c
++++ b/drivers/net/usb/asix_common.c
+@@ -575,6 +575,9 @@ int asix_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo)
+ struct usbnet *dev = netdev_priv(net);
+ u8 opt = 0;
+
++ if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC))
++ return -EINVAL;
++
+ if (wolinfo->wolopts & WAKE_PHY)
+ opt |= AX_MONITOR_LINK;
+ if (wolinfo->wolopts & WAKE_MAGIC)
+--
+2.17.1
+
--- /dev/null
+From d12ccb5e1b808a6fbf12a7e15e80579399086497 Mon Sep 17 00:00:00 2001
+From: Shreyas NC <shreyas.nc@intel.com>
+Date: Mon, 15 May 2017 19:44:30 +0530
+Subject: ASoC: Intel: Skylake: Fix to parse consecutive string tkns in
+ manifest
+
+[ Upstream commit 0a716776914ed9d7ca90b48041e6767693bfb672 ]
+
+Element size in the manifest should be updated for each token, so that the
+loop can parse all the string elements in the manifest. This was not
+happening when more than two string elements appear consecutively, as it is
+not updated with correct string element size. Fixed with this patch.
+
+Signed-off-by: Shreyas NC <shreyas.nc@intel.com>
+Signed-off-by: Subhransu S. Prusty <subhransu.s.prusty@intel.com>
+Acked-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/skylake/skl-topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/intel/skylake/skl-topology.c b/sound/soc/intel/skylake/skl-topology.c
+index bef8a4546c12..b0c154d5924b 100644
+--- a/sound/soc/intel/skylake/skl-topology.c
++++ b/sound/soc/intel/skylake/skl-topology.c
+@@ -2325,7 +2325,7 @@ static int skl_tplg_get_manifest_tkn(struct device *dev,
+
+ if (ret < 0)
+ return ret;
+- tkn_count += ret;
++ tkn_count = ret;
+
+ tuple_size += tkn_count *
+ sizeof(struct snd_soc_tplg_vendor_string_elem);
+--
+2.17.1
+
--- /dev/null
+From f5e65131075d80be7b0aa6dedf6d7f16b0a935c6 Mon Sep 17 00:00:00 2001
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Date: Tue, 9 May 2017 16:00:28 +0530
+Subject: ata: sata_rcar: Handle return value of clk_prepare_enable
+
+[ Upstream commit 5dc63fdcc09f47fb226b8bc7d83a61feb787d817 ]
+
+Here, Clock enable can failed. So adding an error check for
+clk_prepare_enable.
+
+tj: minor style updates
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/sata_rcar.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/ata/sata_rcar.c b/drivers/ata/sata_rcar.c
+index f72d601e300a..e83a3d3421b9 100644
+--- a/drivers/ata/sata_rcar.c
++++ b/drivers/ata/sata_rcar.c
+@@ -890,7 +890,10 @@ static int sata_rcar_probe(struct platform_device *pdev)
+ dev_err(&pdev->dev, "failed to get access to sata clock\n");
+ return PTR_ERR(priv->clk);
+ }
+- clk_prepare_enable(priv->clk);
++
++ ret = clk_prepare_enable(priv->clk);
++ if (ret)
++ return ret;
+
+ host = ata_host_alloc(&pdev->dev, 1);
+ if (!host) {
+@@ -970,8 +973,11 @@ static int sata_rcar_resume(struct device *dev)
+ struct ata_host *host = dev_get_drvdata(dev);
+ struct sata_rcar_priv *priv = host->private_data;
+ void __iomem *base = priv->base;
++ int ret;
+
+- clk_prepare_enable(priv->clk);
++ ret = clk_prepare_enable(priv->clk);
++ if (ret)
++ return ret;
+
+ /* ack and mask */
+ iowrite32(0, base + SATAINTSTAT_REG);
+@@ -988,8 +994,11 @@ static int sata_rcar_restore(struct device *dev)
+ {
+ struct ata_host *host = dev_get_drvdata(dev);
+ struct sata_rcar_priv *priv = host->private_data;
++ int ret;
+
+- clk_prepare_enable(priv->clk);
++ ret = clk_prepare_enable(priv->clk);
++ if (ret)
++ return ret;
+
+ sata_rcar_setup_port(host);
+
+--
+2.17.1
+
--- /dev/null
+From 91d3c35edc8c72d1294904f2352400cbc348d7fb Mon Sep 17 00:00:00 2001
+From: Kalle Valo <kvalo@qca.qualcomm.com>
+Date: Mon, 13 Feb 2017 12:38:43 +0200
+Subject: ath10k: convert warning about non-existent OTP board id to debug
+ message
+
+[ Upstream commit 7be52c03bbf7c8f53211ed13810d64dcb2bc7168 ]
+
+Currently ath10k unncessarily warns about board id not available from OTP:
+
+ath10k_pci 0000:02:00.0: pci irq msi oper_irq_mode 2 irq_mode 0 reset_mode 0
+ath10k_pci 0000:02:00.0: qca988x hw2.0 target 0x4100016c chip_id 0x043202ff sub 0000:0000
+ath10k_pci 0000:02:00.0: kconfig debug 1 debugfs 1 tracing 1 dfs 1 testmode 1
+ath10k_pci 0000:02:00.0: firmware ver 10.2.4.70.9-2 api 5 features no-p2p,raw-mode crc32 b8d50af5
+ath10k_pci 0000:02:00.0: board id is not exist in otp, ignore it
+ath10k_pci 0000:02:00.0: board_file api 1 bmi_id N/A crc32 bebc7c08
+ath10k_pci 0000:02:00.0: htt-ver 2.1 wmi-op 5 htt-op 2 cal otp max-sta 128 raw 0 hwcrypto 1
+
+But not all boards have the board id in OTP so this is not a problem and no
+need to confuse the user with that info. So this can be safely changed to a
+debug message.
+
+Also fix grammar in the debug message.
+
+Fixes: d2e202c06ca4 ("ath10k: ignore configuring the incorrect board_id")
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c
+index 65ad7a130ca1..1e41d6c6de36 100644
+--- a/drivers/net/wireless/ath/ath10k/core.c
++++ b/drivers/net/wireless/ath/ath10k/core.c
+@@ -698,7 +698,8 @@ static int ath10k_core_get_board_id_from_otp(struct ath10k *ar)
+
+ if ((result & ATH10K_BMI_BOARD_ID_STATUS_MASK) != 0 ||
+ (board_id == 0)) {
+- ath10k_warn(ar, "board id is not exist in otp, ignore it\n");
++ ath10k_dbg(ar, ATH10K_DBG_BOOT,
++ "board id does not exist in otp, ignore it\n");
+ return -EOPNOTSUPP;
+ }
+
+--
+2.17.1
+
--- /dev/null
+From 38668c67ce8675f823e8d3203ed43c9e16574a07 Mon Sep 17 00:00:00 2001
+From: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
+Date: Mon, 20 Mar 2017 20:52:46 +0530
+Subject: ath10k: fix NAPI enable/disable symmetry for AHB interface
+
+[ Upstream commit a7595a820b07db9ac0d8f479ff62002bdd32a05a ]
+
+Move NAPI enable to 'ath10k_ahb_hif_start' from
+'ath10k_ahb_hif_power_up'. This is to maintain the symmetry
+of calling napi_enable() from ath10k_ahb_hif_start() so that it
+matches with napi_disable() being called from ath10k_pci_hif_stop().
+
+This change is based on the crash fix from Kalle for PCI interface in
+commit 1427228d5869 ("ath10k: fix napi crash during rmmod when probe
+firmware fails").
+
+Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/ahb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/ahb.c b/drivers/net/wireless/ath/ath10k/ahb.c
+index 45226dbee5ce..da770af83036 100644
+--- a/drivers/net/wireless/ath/ath10k/ahb.c
++++ b/drivers/net/wireless/ath/ath10k/ahb.c
+@@ -640,6 +640,7 @@ static int ath10k_ahb_hif_start(struct ath10k *ar)
+ {
+ ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot ahb hif start\n");
+
++ napi_enable(&ar->napi);
+ ath10k_ce_enable_interrupts(ar);
+ ath10k_pci_enable_legacy_irq(ar);
+
+@@ -692,7 +693,6 @@ static int ath10k_ahb_hif_power_up(struct ath10k *ar)
+ ath10k_err(ar, "could not wake up target CPU: %d\n", ret);
+ goto err_ce_deinit;
+ }
+- napi_enable(&ar->napi);
+
+ return 0;
+
+--
+2.17.1
+
--- /dev/null
+From d90f1f21e63bffb8c77fa9c4cf6d2b1a233e9231 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:51 -0700
+Subject: ax88179_178a: Check for supported Wake-on-LAN modes
+
+[ Upstream commit 5ba6b4aa9a410c5e2c6417df52b5e2118ea9b467 ]
+
+The driver currently silently accepts unsupported Wake-on-LAN modes
+(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user,
+which is confusing.
+
+Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/ax88179_178a.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c
+index 8a6675d92b98..559af8e6ad90 100644
+--- a/drivers/net/usb/ax88179_178a.c
++++ b/drivers/net/usb/ax88179_178a.c
+@@ -566,6 +566,9 @@ ax88179_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo)
+ struct usbnet *dev = netdev_priv(net);
+ u8 opt = 0;
+
++ if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC))
++ return -EINVAL;
++
+ if (wolinfo->wolopts & WAKE_PHY)
+ opt |= AX_MONITOR_MODE_RWLC;
+ if (wolinfo->wolopts & WAKE_MAGIC)
+--
+2.17.1
+
--- /dev/null
+From d804261f9f31ef6ebd26b5a77cabe92c0d00750f Mon Sep 17 00:00:00 2001
+From: Matias Karhumaa <matias.karhumaa@gmail.com>
+Date: Wed, 26 Sep 2018 09:13:46 +0300
+Subject: Bluetooth: SMP: fix crash in unpairing
+
+[ Upstream commit cb28c306b93b71f2741ce1a5a66289db26715f4d ]
+
+In case unpair_device() was called through mgmt interface at the same time
+when pairing was in progress, Bluetooth kernel module crash was seen.
+
+[ 600.351225] general protection fault: 0000 [#1] SMP PTI
+[ 600.351235] CPU: 1 PID: 11096 Comm: btmgmt Tainted: G OE 4.19.0-rc1+ #1
+[ 600.351238] Hardware name: Dell Inc. Latitude E5440/08RCYC, BIOS A18 05/14/2017
+[ 600.351272] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth]
+[ 600.351276] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 <48> 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01
+[ 600.351279] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246
+[ 600.351282] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60
+[ 600.351285] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500
+[ 600.351287] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00
+[ 600.351290] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800
+[ 600.351292] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00
+[ 600.351295] FS: 00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000
+[ 600.351298] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 600.351300] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0
+[ 600.351302] Call Trace:
+[ 600.351325] smp_failure+0x4f/0x70 [bluetooth]
+[ 600.351345] smp_cancel_pairing+0x74/0x80 [bluetooth]
+[ 600.351370] unpair_device+0x1c1/0x330 [bluetooth]
+[ 600.351399] hci_sock_sendmsg+0x960/0x9f0 [bluetooth]
+[ 600.351409] ? apparmor_socket_sendmsg+0x1e/0x20
+[ 600.351417] sock_sendmsg+0x3e/0x50
+[ 600.351422] sock_write_iter+0x85/0xf0
+[ 600.351429] do_iter_readv_writev+0x12b/0x1b0
+[ 600.351434] do_iter_write+0x87/0x1a0
+[ 600.351439] vfs_writev+0x98/0x110
+[ 600.351443] ? ep_poll+0x16d/0x3d0
+[ 600.351447] ? ep_modify+0x73/0x170
+[ 600.351451] do_writev+0x61/0xf0
+[ 600.351455] ? do_writev+0x61/0xf0
+[ 600.351460] __x64_sys_writev+0x1c/0x20
+[ 600.351465] do_syscall_64+0x5a/0x110
+[ 600.351471] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 600.351474] RIP: 0033:0x7fb2bdb62fe0
+[ 600.351477] Code: 73 01 c3 48 8b 0d b8 6e 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 69 c7 2c 00 00 75 10 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 de 80 01 00 48 89 04 24
+[ 600.351479] RSP: 002b:00007ffe062cb8f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
+[ 600.351484] RAX: ffffffffffffffda RBX: 000000000255b3d0 RCX: 00007fb2bdb62fe0
+[ 600.351487] RDX: 0000000000000001 RSI: 00007ffe062cb920 RDI: 0000000000000004
+[ 600.351490] RBP: 00007ffe062cb920 R08: 000000000255bd80 R09: 0000000000000000
+[ 600.351494] R10: 0000000000000353 R11: 0000000000000246 R12: 0000000000000001
+[ 600.351497] R13: 00007ffe062cbbe0 R14: 0000000000000000 R15: 0000000000000000
+[ 600.351501] Modules linked in: algif_hash algif_skcipher af_alg cmac ipt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_nat_ipv4 xt_addrtype iptable_filter ip_tables xt_conntrack x_tables nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c br_netfilter bridge stp llc overlay arc4 nls_iso8859_1 dm_crypt intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp dell_laptop kvm_intel crct10dif_pclmul dell_smm_hwmon crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper intel_cstate intel_rapl_perf uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev media hid_multitouch input_leds joydev serio_raw dell_wmi snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic dell_smbios dcdbas sparse_keymap
+[ 600.351569] snd_hda_intel btusb snd_hda_codec btrtl btbcm btintel snd_hda_core bluetooth(OE) snd_hwdep snd_pcm iwlmvm ecdh_generic wmi_bmof dell_wmi_descriptor snd_seq_midi mac80211 snd_seq_midi_event lpc_ich iwlwifi snd_rawmidi snd_seq snd_seq_device snd_timer cfg80211 snd soundcore mei_me mei dell_rbtn dell_smo8800 mac_hid parport_pc ppdev lp parport autofs4 hid_generic usbhid hid i915 nouveau kvmgt vfio_mdev mdev vfio_iommu_type1 vfio kvm irqbypass i2c_algo_bit ttm drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi psmouse ahci sdhci_pci cqhci libahci fb_sys_fops sdhci drm e1000e video wmi
+[ 600.351637] ---[ end trace e49e9f1df09c94fb ]---
+[ 600.351664] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth]
+[ 600.351666] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 <48> 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01
+[ 600.351669] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246
+[ 600.351672] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60
+[ 600.351674] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500
+[ 600.351676] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00
+[ 600.351679] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800
+[ 600.351681] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00
+[ 600.351684] FS: 00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000
+[ 600.351686] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 600.351689] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0
+
+Crash happened because list_del_rcu() was called twice for smp->ltk. This
+was possible if unpair_device was called right after ltk was generated
+but before keys were distributed.
+
+In this commit smp_cancel_pairing was refactored to cancel pairing if it
+is in progress and otherwise just removes keys. Once keys are removed from
+rcu list, pointers to smp context's keys are set to NULL to make sure
+removed list items are not accessed later.
+
+This commit also adjusts the functionality of mgmt unpair_device() little
+bit. Previously pairing was canceled only if pairing was in state that
+keys were already generated. With this commit unpair_device() cancels
+pairing already in earlier states.
+
+Bug was found by fuzzing kernel SMP implementation using Synopsys
+Defensics.
+
+Reported-by: Pekka Oikarainen <pekka.oikarainen@synopsys.com>
+Signed-off-by: Matias Karhumaa <matias.karhumaa@gmail.com>
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c | 7 ++-----
+ net/bluetooth/smp.c | 29 +++++++++++++++++++++++++----
+ net/bluetooth/smp.h | 3 ++-
+ 3 files changed, 29 insertions(+), 10 deletions(-)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index 1fba2a03f8ae..ba24f613c0fc 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -2298,9 +2298,8 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
+ /* LE address type */
+ addr_type = le_addr_type(cp->addr.type);
+
+- hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type);
+-
+- err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type);
++ /* Abort any ongoing SMP pairing. Removes ltk and irk if they exist. */
++ err = smp_cancel_and_remove_pairing(hdev, &cp->addr.bdaddr, addr_type);
+ if (err < 0) {
+ err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
+ MGMT_STATUS_NOT_PAIRED, &rp,
+@@ -2314,8 +2313,6 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
+ goto done;
+ }
+
+- /* Abort any ongoing SMP pairing */
+- smp_cancel_pairing(conn);
+
+ /* Defer clearing up the connection parameters until closing to
+ * give a chance of keeping them if a repairing happens.
+diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
+index ead4d1baeaa6..1abfbcd8090a 100644
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2353,30 +2353,51 @@ unlock:
+ return ret;
+ }
+
+-void smp_cancel_pairing(struct hci_conn *hcon)
++int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
++ u8 addr_type)
+ {
+- struct l2cap_conn *conn = hcon->l2cap_data;
++ struct hci_conn *hcon;
++ struct l2cap_conn *conn;
+ struct l2cap_chan *chan;
+ struct smp_chan *smp;
++ int err;
++
++ err = hci_remove_ltk(hdev, bdaddr, addr_type);
++ hci_remove_irk(hdev, bdaddr, addr_type);
++
++ hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
++ if (!hcon)
++ goto done;
+
++ conn = hcon->l2cap_data;
+ if (!conn)
+- return;
++ goto done;
+
+ chan = conn->smp;
+ if (!chan)
+- return;
++ goto done;
+
+ l2cap_chan_lock(chan);
+
+ smp = chan->data;
+ if (smp) {
++ /* Set keys to NULL to make sure smp_failure() does not try to
++ * remove and free already invalidated rcu list entries. */
++ smp->ltk = NULL;
++ smp->slave_ltk = NULL;
++ smp->remote_irk = NULL;
++
+ if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
+ smp_failure(conn, 0);
+ else
+ smp_failure(conn, SMP_UNSPECIFIED);
++ err = 0;
+ }
+
+ l2cap_chan_unlock(chan);
++
++done:
++ return err;
+ }
+
+ static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
+diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h
+index ffcc70b6b199..993cbd7bcfe7 100644
+--- a/net/bluetooth/smp.h
++++ b/net/bluetooth/smp.h
+@@ -180,7 +180,8 @@ enum smp_key_pref {
+ };
+
+ /* SMP Commands */
+-void smp_cancel_pairing(struct hci_conn *hcon);
++int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
++ u8 addr_type);
+ bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
+ enum smp_key_pref key_pref);
+ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level);
+--
+2.17.1
+
--- /dev/null
+From 8c27e1e8372aad078b6c09e243a71e541896df38 Mon Sep 17 00:00:00 2001
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Fri, 13 Oct 2017 21:09:30 -0400
+Subject: bnxt_en: Don't use rtnl lock to protect link change logic in
+ workqueue.
+
+[ Upstream commit e2dc9b6e38fa3919e63d6d7905da70ca41cbf908 ]
+
+As a further improvement to the PF/VF link change logic, use a private
+mutex instead of the rtnl lock to protect link change logic. With the
+new mutex, we don't have to take the rtnl lock in the workqueue when
+we have to handle link related functions. If the VF and PF drivers
+are running on the same host and both take the rtnl lock and one is
+waiting for the other, it will cause timeout. This patch fixes these
+timeouts.
+
+Fixes: 90c694bb7181 ("bnxt_en: Fix RTNL lock usage on bnxt_update_link().")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 25 ++++++++++---------
+ drivers/net/ethernet/broadcom/bnxt/bnxt.h | 4 +++
+ .../net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 4 +++
+ 3 files changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 208e9dacfd34..a036f7039d76 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -5580,7 +5580,9 @@ static int __bnxt_open_nic(struct bnxt *bp, bool irq_re_init, bool link_re_init)
+ }
+
+ if (link_re_init) {
++ mutex_lock(&bp->link_lock);
+ rc = bnxt_update_phy_setting(bp);
++ mutex_unlock(&bp->link_lock);
+ if (rc)
+ netdev_warn(bp->dev, "failed to update phy settings\n");
+ }
+@@ -6230,30 +6232,28 @@ static void bnxt_sp_task(struct work_struct *work)
+ if (test_and_clear_bit(BNXT_PERIODIC_STATS_SP_EVENT, &bp->sp_event))
+ bnxt_hwrm_port_qstats(bp);
+
+- /* These functions below will clear BNXT_STATE_IN_SP_TASK. They
+- * must be the last functions to be called before exiting.
+- */
+ if (test_and_clear_bit(BNXT_LINK_CHNG_SP_EVENT, &bp->sp_event)) {
+- int rc = 0;
++ int rc;
+
++ mutex_lock(&bp->link_lock);
+ if (test_and_clear_bit(BNXT_LINK_SPEED_CHNG_SP_EVENT,
+ &bp->sp_event))
+ bnxt_hwrm_phy_qcaps(bp);
+
+- bnxt_rtnl_lock_sp(bp);
+- if (test_bit(BNXT_STATE_OPEN, &bp->state))
+- rc = bnxt_update_link(bp, true);
+- bnxt_rtnl_unlock_sp(bp);
++ rc = bnxt_update_link(bp, true);
++ mutex_unlock(&bp->link_lock);
+ if (rc)
+ netdev_err(bp->dev, "SP task can't update link (rc: %x)\n",
+ rc);
+ }
+ if (test_and_clear_bit(BNXT_HWRM_PORT_MODULE_SP_EVENT, &bp->sp_event)) {
+- bnxt_rtnl_lock_sp(bp);
+- if (test_bit(BNXT_STATE_OPEN, &bp->state))
+- bnxt_get_port_module_status(bp);
+- bnxt_rtnl_unlock_sp(bp);
++ mutex_lock(&bp->link_lock);
++ bnxt_get_port_module_status(bp);
++ mutex_unlock(&bp->link_lock);
+ }
++ /* These functions below will clear BNXT_STATE_IN_SP_TASK. They
++ * must be the last functions to be called before exiting.
++ */
+ if (test_and_clear_bit(BNXT_RESET_TASK_SP_EVENT, &bp->sp_event))
+ bnxt_reset(bp, false);
+
+@@ -6788,6 +6788,7 @@ static int bnxt_probe_phy(struct bnxt *bp)
+ rc);
+ return rc;
+ }
++ mutex_init(&bp->link_lock);
+
+ rc = bnxt_update_link(bp, false);
+ if (rc) {
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+index 666bc0608ed7..017c10c53715 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+@@ -1109,6 +1109,10 @@ struct bnxt {
+ unsigned long *ntp_fltr_bmap;
+ int ntp_fltr_count;
+
++ /* To protect link related settings during link changes and
++ * ethtool settings changes.
++ */
++ struct mutex link_lock;
+ struct bnxt_link_info link_info;
+ struct ethtool_eee eee;
+ u32 lpi_tmr_lo;
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+index cde4b96f3153..3a352f76e633 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+@@ -793,6 +793,7 @@ static int bnxt_get_link_ksettings(struct net_device *dev,
+ u32 ethtool_speed;
+
+ ethtool_link_ksettings_zero_link_mode(lk_ksettings, supported);
++ mutex_lock(&bp->link_lock);
+ bnxt_fw_to_ethtool_support_spds(link_info, lk_ksettings);
+
+ ethtool_link_ksettings_zero_link_mode(lk_ksettings, advertising);
+@@ -840,6 +841,7 @@ static int bnxt_get_link_ksettings(struct net_device *dev,
+ base->port = PORT_FIBRE;
+ }
+ base->phy_address = link_info->phy_addr;
++ mutex_unlock(&bp->link_lock);
+
+ return 0;
+ }
+@@ -926,6 +928,7 @@ static int bnxt_set_link_ksettings(struct net_device *dev,
+ if (!BNXT_SINGLE_PF(bp))
+ return -EOPNOTSUPP;
+
++ mutex_lock(&bp->link_lock);
+ if (base->autoneg == AUTONEG_ENABLE) {
+ BNXT_ETHTOOL_TO_FW_SPDS(fw_advertising, lk_ksettings,
+ advertising);
+@@ -970,6 +973,7 @@ static int bnxt_set_link_ksettings(struct net_device *dev,
+ rc = bnxt_hwrm_set_link_setting(bp, set_pause, false);
+
+ set_setting_exit:
++ mutex_unlock(&bp->link_lock);
+ return rc;
+ }
+
+--
+2.17.1
+
--- /dev/null
+From 294d1947f79e885e666879d997f5b30803997c94 Mon Sep 17 00:00:00 2001
+From: Andreas Born <futur.andy@googlemail.com>
+Date: Sat, 12 Aug 2017 00:36:55 +0200
+Subject: bonding: ratelimit failed speed/duplex update warning
+
+[ Upstream commit 11e9d7829dd08dbafb24517fe922f11c3a8a9dc2 ]
+
+bond_miimon_commit() handles the UP transition for each slave of a bond
+in the case of MII. It is triggered 10 times per second for the default
+MII Polling interval of 100ms. For device drivers that do not implement
+__ethtool_get_link_ksettings() the call to bond_update_speed_duplex()
+fails persistently while the MII status could remain UP. That is, in
+this and other cases where the speed/duplex update keeps failing over a
+longer period of time while the MII state is UP, a warning is printed
+every MII polling interval.
+
+To address these excessive warnings net_ratelimit() should be used.
+Printing a warning once would not be sufficient since the call to
+bond_update_speed_duplex() could recover to succeed and fail again
+later. In that case there would be no new indication what went wrong.
+
+Fixes: b5bf0f5b16b9c (bonding: correctly update link status during mii-commit phase)
+Signed-off-by: Andreas Born <futur.andy@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index b1ea29d8ad1a..389d1db69a32 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2132,9 +2132,10 @@ static void bond_miimon_commit(struct bonding *bond)
+ if (bond_update_speed_duplex(slave) &&
+ bond_needs_speed_duplex(bond)) {
+ slave->link = BOND_LINK_DOWN;
+- netdev_warn(bond->dev,
+- "failed to get link speed/duplex for %s\n",
+- slave->dev->name);
++ if (net_ratelimit())
++ netdev_warn(bond->dev,
++ "failed to get link speed/duplex for %s\n",
++ slave->dev->name);
+ continue;
+ }
+ bond_set_slave_link_state(slave, BOND_LINK_UP,
+--
+2.17.1
+
--- /dev/null
+From 3d8ef16ce0e1fb9aaec31aef403950302a854532 Mon Sep 17 00:00:00 2001
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 26 May 2017 17:44:23 -0600
+Subject: Btrfs: clear EXTENT_DEFRAG bits in finish_ordered_io
+
+[ Upstream commit 452e62b71fbbefe2646fad3a968371a026936c6d ]
+
+Before this, we use 'filled' mode here, ie. if all range has been
+filled with EXTENT_DEFRAG bits, get to clear it, but if the defrag
+range joins the adjacent delalloc range, then we'll have EXTENT_DEFRAG
+bits in extent_state until releasing this inode's pages, and that
+prevents extent_data from being freed.
+
+This clears the bit if any was found within the ordered extent.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index bd036557c6bc..5ebdb58079e1 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -2966,7 +2966,7 @@ static int btrfs_finish_ordered_io(struct btrfs_ordered_extent *ordered_extent)
+
+ ret = test_range_bit(io_tree, ordered_extent->file_offset,
+ ordered_extent->file_offset + ordered_extent->len - 1,
+- EXTENT_DEFRAG, 1, cached_state);
++ EXTENT_DEFRAG, 0, cached_state);
+ if (ret) {
+ u64 last_snapshot = btrfs_root_last_snapshot(&root->root_item);
+ if (0 && last_snapshot >= BTRFS_I(inode)->generation)
+--
+2.17.1
+
--- /dev/null
+From 513ff014a8c73f860539d9f9cbee5c027a06cbc9 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <quwenruo@cn.fujitsu.com>
+Date: Fri, 7 Apr 2017 10:43:15 +0800
+Subject: btrfs: fiemap: Cache and merge fiemap extent before submit it to user
+
+[ Upstream commit 4751832da990a927c37526ae67b9226ea01eb99e ]
+
+[BUG]
+Cycle mount btrfs can cause fiemap to return different result.
+Like:
+ # mount /dev/vdb5 /mnt/btrfs
+ # dd if=/dev/zero bs=16K count=4 oflag=dsync of=/mnt/btrfs/file
+ # xfs_io -c "fiemap -v" /mnt/btrfs/file
+ /mnt/test/file:
+ EXT: FILE-OFFSET BLOCK-RANGE TOTAL FLAGS
+ 0: [0..127]: 25088..25215 128 0x1
+ # umount /mnt/btrfs
+ # mount /dev/vdb5 /mnt/btrfs
+ # xfs_io -c "fiemap -v" /mnt/btrfs/file
+ /mnt/test/file:
+ EXT: FILE-OFFSET BLOCK-RANGE TOTAL FLAGS
+ 0: [0..31]: 25088..25119 32 0x0
+ 1: [32..63]: 25120..25151 32 0x0
+ 2: [64..95]: 25152..25183 32 0x0
+ 3: [96..127]: 25184..25215 32 0x1
+But after above fiemap, we get correct merged result if we call fiemap
+again.
+ # xfs_io -c "fiemap -v" /mnt/btrfs/file
+ /mnt/test/file:
+ EXT: FILE-OFFSET BLOCK-RANGE TOTAL FLAGS
+ 0: [0..127]: 25088..25215 128 0x1
+
+[REASON]
+Btrfs will try to merge extent map when inserting new extent map.
+
+btrfs_fiemap(start=0 len=(u64)-1)
+|- extent_fiemap(start=0 len=(u64)-1)
+ |- get_extent_skip_holes(start=0 len=64k)
+ | |- btrfs_get_extent_fiemap(start=0 len=64k)
+ | |- btrfs_get_extent(start=0 len=64k)
+ | | Found on-disk (ino, EXTENT_DATA, 0)
+ | |- add_extent_mapping()
+ | |- Return (em->start=0, len=16k)
+ |
+ |- fiemap_fill_next_extent(logic=0 phys=X len=16k)
+ |
+ |- get_extent_skip_holes(start=0 len=64k)
+ | |- btrfs_get_extent_fiemap(start=0 len=64k)
+ | |- btrfs_get_extent(start=16k len=48k)
+ | | Found on-disk (ino, EXTENT_DATA, 16k)
+ | |- add_extent_mapping()
+ | | |- try_merge_map()
+ | | Merge with previous em start=0 len=16k
+ | | resulting em start=0 len=32k
+ | |- Return (em->start=0, len=32K) << Merged result
+ |- Stripe off the unrelated range (0~16K) of return em
+ |- fiemap_fill_next_extent(logic=16K phys=X+16K len=16K)
+ ^^^ Causing split fiemap extent.
+
+And since in add_extent_mapping(), em is already merged, in next
+fiemap() call, we will get merged result.
+
+[FIX]
+Here we introduce a new structure, fiemap_cache, which records previous
+fiemap extent.
+
+And will always try to merge current fiemap_cache result before calling
+fiemap_fill_next_extent().
+Only when we failed to merge current fiemap extent with cached one, we
+will call fiemap_fill_next_extent() to submit cached one.
+
+So by this method, we can merge all fiemap extents.
+
+It can also be done in fs/ioctl.c, however the problem is if
+fieinfo->fi_extents_max == 0, we have no space to cache previous fiemap
+extent.
+So I choose to merge it in btrfs.
+
+Signed-off-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
+Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/extent_io.c | 124 ++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 122 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
+index 2b96ca68dc10..5feaef9bcbda 100644
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -4377,6 +4377,123 @@ static struct extent_map *get_extent_skip_holes(struct inode *inode,
+ return NULL;
+ }
+
++/*
++ * To cache previous fiemap extent
++ *
++ * Will be used for merging fiemap extent
++ */
++struct fiemap_cache {
++ u64 offset;
++ u64 phys;
++ u64 len;
++ u32 flags;
++ bool cached;
++};
++
++/*
++ * Helper to submit fiemap extent.
++ *
++ * Will try to merge current fiemap extent specified by @offset, @phys,
++ * @len and @flags with cached one.
++ * And only when we fails to merge, cached one will be submitted as
++ * fiemap extent.
++ *
++ * Return value is the same as fiemap_fill_next_extent().
++ */
++static int emit_fiemap_extent(struct fiemap_extent_info *fieinfo,
++ struct fiemap_cache *cache,
++ u64 offset, u64 phys, u64 len, u32 flags)
++{
++ int ret = 0;
++
++ if (!cache->cached)
++ goto assign;
++
++ /*
++ * Sanity check, extent_fiemap() should have ensured that new
++ * fiemap extent won't overlap with cahced one.
++ * Not recoverable.
++ *
++ * NOTE: Physical address can overlap, due to compression
++ */
++ if (cache->offset + cache->len > offset) {
++ WARN_ON(1);
++ return -EINVAL;
++ }
++
++ /*
++ * Only merges fiemap extents if
++ * 1) Their logical addresses are continuous
++ *
++ * 2) Their physical addresses are continuous
++ * So truly compressed (physical size smaller than logical size)
++ * extents won't get merged with each other
++ *
++ * 3) Share same flags except FIEMAP_EXTENT_LAST
++ * So regular extent won't get merged with prealloc extent
++ */
++ if (cache->offset + cache->len == offset &&
++ cache->phys + cache->len == phys &&
++ (cache->flags & ~FIEMAP_EXTENT_LAST) ==
++ (flags & ~FIEMAP_EXTENT_LAST)) {
++ cache->len += len;
++ cache->flags |= flags;
++ goto try_submit_last;
++ }
++
++ /* Not mergeable, need to submit cached one */
++ ret = fiemap_fill_next_extent(fieinfo, cache->offset, cache->phys,
++ cache->len, cache->flags);
++ cache->cached = false;
++ if (ret)
++ return ret;
++assign:
++ cache->cached = true;
++ cache->offset = offset;
++ cache->phys = phys;
++ cache->len = len;
++ cache->flags = flags;
++try_submit_last:
++ if (cache->flags & FIEMAP_EXTENT_LAST) {
++ ret = fiemap_fill_next_extent(fieinfo, cache->offset,
++ cache->phys, cache->len, cache->flags);
++ cache->cached = false;
++ }
++ return ret;
++}
++
++/*
++ * Sanity check for fiemap cache
++ *
++ * All fiemap cache should be submitted by emit_fiemap_extent()
++ * Iteration should be terminated either by last fiemap extent or
++ * fieinfo->fi_extents_max.
++ * So no cached fiemap should exist.
++ */
++static int check_fiemap_cache(struct btrfs_fs_info *fs_info,
++ struct fiemap_extent_info *fieinfo,
++ struct fiemap_cache *cache)
++{
++ int ret;
++
++ if (!cache->cached)
++ return 0;
++
++ /* Small and recoverbale problem, only to info developer */
++#ifdef CONFIG_BTRFS_DEBUG
++ WARN_ON(1);
++#endif
++ btrfs_warn(fs_info,
++ "unhandled fiemap cache detected: offset=%llu phys=%llu len=%llu flags=0x%x",
++ cache->offset, cache->phys, cache->len, cache->flags);
++ ret = fiemap_fill_next_extent(fieinfo, cache->offset, cache->phys,
++ cache->len, cache->flags);
++ cache->cached = false;
++ if (ret > 0)
++ ret = 0;
++ return ret;
++}
++
+ int extent_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo,
+ __u64 start, __u64 len, get_extent_t *get_extent)
+ {
+@@ -4394,6 +4511,7 @@ int extent_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo,
+ struct extent_state *cached_state = NULL;
+ struct btrfs_path *path;
+ struct btrfs_root *root = BTRFS_I(inode)->root;
++ struct fiemap_cache cache = { 0 };
+ int end = 0;
+ u64 em_start = 0;
+ u64 em_len = 0;
+@@ -4573,8 +4691,8 @@ int extent_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo,
+ flags |= FIEMAP_EXTENT_LAST;
+ end = 1;
+ }
+- ret = fiemap_fill_next_extent(fieinfo, em_start, disko,
+- em_len, flags);
++ ret = emit_fiemap_extent(fieinfo, &cache, em_start, disko,
++ em_len, flags);
+ if (ret) {
+ if (ret == 1)
+ ret = 0;
+@@ -4582,6 +4700,8 @@ int extent_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo,
+ }
+ }
+ out_free:
++ if (!ret)
++ ret = check_fiemap_cache(root->fs_info, fieinfo, &cache);
+ free_extent_map(em);
+ out:
+ btrfs_free_path(path);
+--
+2.17.1
+
--- /dev/null
+From 9cd0b90dd3c91e15cb5df841f12cfbfb70364b53 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Thu, 6 Jul 2017 15:31:46 +0100
+Subject: Btrfs: incremental send, fix invalid memory access
+
+[ Upstream commit 24e52b11e0ca788513b945a87b57cc0522a92933 ]
+
+When doing an incremental send, while processing an extent that changed
+between the parent and send snapshots and that extent was an inline extent
+in the parent snapshot, it's possible to access a memory region beyond
+the end of leaf if the inline extent is very small and it is the first
+item in a leaf.
+
+An example scenario is described below.
+
+The send snapshot has the following leaf:
+
+ leaf 33865728 items 33 free space 773 generation 46 owner 5
+ fs uuid ab7090d8-dafd-4fb9-9246-723b6d2e2fb7
+ chunk uuid 2d16478c-c704-4ab9-b574-68bff2281b1f
+ (...)
+ item 14 key (335 EXTENT_DATA 0) itemoff 3052 itemsize 53
+ generation 36 type 1 (regular)
+ extent data disk byte 12791808 nr 4096
+ extent data offset 0 nr 4096 ram 4096
+ extent compression 0 (none)
+ item 15 key (335 EXTENT_DATA 8192) itemoff 2999 itemsize 53
+ generation 36 type 1 (regular)
+ extent data disk byte 138170368 nr 225280
+ extent data offset 0 nr 225280 ram 225280
+ extent compression 0 (none)
+ (...)
+
+And the parent snapshot has the following leaf:
+
+ leaf 31272960 items 17 free space 17 generation 31 owner 5
+ fs uuid ab7090d8-dafd-4fb9-9246-723b6d2e2fb7
+ chunk uuid 2d16478c-c704-4ab9-b574-68bff2281b1f
+ item 0 key (335 EXTENT_DATA 0) itemoff 3951 itemsize 44
+ generation 31 type 0 (inline)
+ inline extent data size 23 ram_bytes 613 compression 1 (zlib)
+ (...)
+
+When computing the send stream, it is detected that the extent of inode
+335, at file offset 0, and at fs/btrfs/send.c:is_extent_unchanged() we
+grab the leaf from the parent snapshot and access the inline extent item.
+However, before jumping to the 'out' label, we access the 'offset' and
+'disk_bytenr' fields of the extent item, which should not be done for
+inline extents since the inlined data starts at the offset of the
+'disk_bytenr' field and can be very small. For example accessing the
+'offset' field of the file extent item results in the following trace:
+
+[ 599.705368] general protection fault: 0000 [#1] PREEMPT SMP
+[ 599.706296] Modules linked in: btrfs psmouse i2c_piix4 ppdev acpi_cpufreq serio_raw parport_pc i2c_core evdev tpm_tis tpm_tis_core sg pcspkr parport tpm button su$
+[ 599.709340] CPU: 7 PID: 5283 Comm: btrfs Not tainted 4.10.0-rc8-btrfs-next-46+ #1
+[ 599.709340] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.1-0-gb3ef39f-prebuilt.qemu-project.org 04/01/2014
+[ 599.709340] task: ffff88023eedd040 task.stack: ffffc90006658000
+[ 599.709340] RIP: 0010:read_extent_buffer+0xdb/0xf4 [btrfs]
+[ 599.709340] RSP: 0018:ffffc9000665ba00 EFLAGS: 00010286
+[ 599.709340] RAX: db73880000000000 RBX: 0000000000000000 RCX: 0000000000000001
+[ 599.709340] RDX: ffffc9000665ba60 RSI: db73880000000000 RDI: ffffc9000665ba5f
+[ 599.709340] RBP: ffffc9000665ba30 R08: 0000000000000001 R09: ffff88020dc5e098
+[ 599.709340] R10: 0000000000001000 R11: 0000160000000000 R12: 6db6db6db6db6db7
+[ 599.709340] R13: ffff880000000000 R14: 0000000000000000 R15: ffff88020dc5e088
+[ 599.709340] FS: 00007f519555a8c0(0000) GS:ffff88023f3c0000(0000) knlGS:0000000000000000
+[ 599.709340] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 599.709340] CR2: 00007f1411afd000 CR3: 0000000235f8e000 CR4: 00000000000006e0
+[ 599.709340] Call Trace:
+[ 599.709340] btrfs_get_token_64+0x93/0xce [btrfs]
+[ 599.709340] ? printk+0x48/0x50
+[ 599.709340] btrfs_get_64+0xb/0xd [btrfs]
+[ 599.709340] process_extent+0x3a1/0x1106 [btrfs]
+[ 599.709340] ? btree_read_extent_buffer_pages+0x5/0xef [btrfs]
+[ 599.709340] changed_cb+0xb03/0xb3d [btrfs]
+[ 599.709340] ? btrfs_get_token_32+0x7a/0xcc [btrfs]
+[ 599.709340] btrfs_compare_trees+0x432/0x53d [btrfs]
+[ 599.709340] ? process_extent+0x1106/0x1106 [btrfs]
+[ 599.709340] btrfs_ioctl_send+0x960/0xe26 [btrfs]
+[ 599.709340] btrfs_ioctl+0x181b/0x1fed [btrfs]
+[ 599.709340] ? trace_hardirqs_on_caller+0x150/0x1ac
+[ 599.709340] vfs_ioctl+0x21/0x38
+[ 599.709340] ? vfs_ioctl+0x21/0x38
+[ 599.709340] do_vfs_ioctl+0x611/0x645
+[ 599.709340] ? rcu_read_unlock+0x5b/0x5d
+[ 599.709340] ? __fget+0x6d/0x79
+[ 599.709340] SyS_ioctl+0x57/0x7b
+[ 599.709340] entry_SYSCALL_64_fastpath+0x18/0xad
+[ 599.709340] RIP: 0033:0x7f51945eec47
+[ 599.709340] RSP: 002b:00007ffc21c13e98 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
+[ 599.709340] RAX: ffffffffffffffda RBX: ffffffff81096459 RCX: 00007f51945eec47
+[ 599.709340] RDX: 00007ffc21c13f20 RSI: 0000000040489426 RDI: 0000000000000004
+[ 599.709340] RBP: ffffc9000665bf98 R08: 00007f519450d700 R09: 00007f519450d700
+[ 599.709340] R10: 00007f519450d9d0 R11: 0000000000000202 R12: 0000000000000046
+[ 599.709340] R13: ffffc9000665bf78 R14: 0000000000000000 R15: 00007f5195574040
+[ 599.709340] ? trace_hardirqs_off_caller+0x43/0xb1
+[ 599.709340] Code: 29 f0 49 39 d8 4c 0f 47 c3 49 03 81 58 01 00 00 44 89 c1 4c 01 c2 4c 29 c3 48 c1 f8 03 49 0f af c4 48 c1 e0 0c 4c 01 e8 48 01 c6 <f3> a4 31 f6 4$
+[ 599.709340] RIP: read_extent_buffer+0xdb/0xf4 [btrfs] RSP: ffffc9000665ba00
+[ 599.762057] ---[ end trace fe00d7af61b9f49e ]---
+
+This is because the 'offset' field starts at an offset of 37 bytes
+(offsetof(struct btrfs_file_extent_item, offset)), has a length of 8
+bytes and therefore attemping to read it causes a 1 byte access beyond
+the end of the leaf, as the first item's content in a leaf is located
+at the tail of the leaf, the item size is 44 bytes and the offset of
+that field plus its length (37 + 8 = 45) goes beyond the item's size
+by 1 byte.
+
+So fix this by accessing the 'offset' and 'disk_bytenr' fields after
+jumping to the 'out' label if we are processing an inline extent. We
+move the reading operation of the 'disk_bytenr' field too because we
+have the same problem as for the 'offset' field explained above when
+the inline data is less then 8 bytes. The access to the 'generation'
+field is also moved but just for the sake of grouping access to all
+the fields.
+
+Fixes: e1cbfd7bf6da ("Btrfs: send, fix file hole not being preserved due to inline extent")
+Cc: <stable@vger.kernel.org> # v4.12+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/send.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index c8d2eec6596b..79dc3ee1de58 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -5165,15 +5165,12 @@ static int is_extent_unchanged(struct send_ctx *sctx,
+ goto out;
+ }
+
+- right_disknr = btrfs_file_extent_disk_bytenr(eb, ei);
+ if (right_type == BTRFS_FILE_EXTENT_INLINE) {
+ right_len = btrfs_file_extent_inline_len(eb, slot, ei);
+ right_len = PAGE_ALIGN(right_len);
+ } else {
+ right_len = btrfs_file_extent_num_bytes(eb, ei);
+ }
+- right_offset = btrfs_file_extent_offset(eb, ei);
+- right_gen = btrfs_file_extent_generation(eb, ei);
+
+ /*
+ * Are we at extent 8? If yes, we know the extent is changed.
+@@ -5198,6 +5195,10 @@ static int is_extent_unchanged(struct send_ctx *sctx,
+ goto out;
+ }
+
++ right_disknr = btrfs_file_extent_disk_bytenr(eb, ei);
++ right_offset = btrfs_file_extent_offset(eb, ei);
++ right_gen = btrfs_file_extent_generation(eb, ei);
++
+ left_offset_fixed = left_offset;
+ if (key.offset < ekey->offset) {
+ /* Fix the right offset for 2a and 7. */
+--
+2.17.1
+
--- /dev/null
+From 5461693523ace092f6f91944e303ec1e988bfce5 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 5 Sep 2018 18:52:22 +0300
+Subject: cfg80211: Address some corner cases in scan result channel updating
+
+[ Upstream commit 119f94a6fefcc76d47075b83d2b73d04c895df78 ]
+
+cfg80211_get_bss_channel() is used to update the RX channel based on the
+available frame payload information (channel number from DSSS Parameter
+Set element or HT Operation element). This is needed on 2.4 GHz channels
+where frames may be received on neighboring channels due to overlapping
+frequency range.
+
+This might of some use on the 5 GHz band in some corner cases, but
+things are more complex there since there is no n:1 or 1:n mapping
+between channel numbers and frequencies due to multiple different
+starting frequencies in different operating classes. This could result
+in ieee80211_channel_to_frequency() returning incorrect frequency and
+ieee80211_get_channel() returning incorrect channel information (or
+indication of no match). In the previous implementation, this could
+result in some scan results being dropped completely, e.g., for the 4.9
+GHz channels. That prevented connection to such BSSs.
+
+Fix this by using the driver-provided channel pointer if
+ieee80211_get_channel() does not find matching channel data for the
+channel number in the frame payload and if the scan is done with 5 MHz
+or 10 MHz channel bandwidth. While doing this, also add comments
+describing what the function is trying to achieve to make it easier to
+understand what happens here and why.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 58 ++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 49 insertions(+), 9 deletions(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 35ad69fd0838..435f904c1be5 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -978,13 +978,23 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev,
+ return NULL;
+ }
+
++/*
++ * Update RX channel information based on the available frame payload
++ * information. This is mainly for the 2.4 GHz band where frames can be received
++ * from neighboring channels and the Beacon frames use the DSSS Parameter Set
++ * element to indicate the current (transmitting) channel, but this might also
++ * be needed on other bands if RX frequency does not match with the actual
++ * operating channel of a BSS.
++ */
+ static struct ieee80211_channel *
+ cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen,
+- struct ieee80211_channel *channel)
++ struct ieee80211_channel *channel,
++ enum nl80211_bss_scan_width scan_width)
+ {
+ const u8 *tmp;
+ u32 freq;
+ int channel_number = -1;
++ struct ieee80211_channel *alt_channel;
+
+ tmp = cfg80211_find_ie(WLAN_EID_DS_PARAMS, ie, ielen);
+ if (tmp && tmp[1] == 1) {
+@@ -998,16 +1008,45 @@ cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen,
+ }
+ }
+
+- if (channel_number < 0)
++ if (channel_number < 0) {
++ /* No channel information in frame payload */
+ return channel;
++ }
+
+ freq = ieee80211_channel_to_frequency(channel_number, channel->band);
+- channel = ieee80211_get_channel(wiphy, freq);
+- if (!channel)
+- return NULL;
+- if (channel->flags & IEEE80211_CHAN_DISABLED)
++ alt_channel = ieee80211_get_channel(wiphy, freq);
++ if (!alt_channel) {
++ if (channel->band == NL80211_BAND_2GHZ) {
++ /*
++ * Better not allow unexpected channels when that could
++ * be going beyond the 1-11 range (e.g., discovering
++ * BSS on channel 12 when radio is configured for
++ * channel 11.
++ */
++ return NULL;
++ }
++
++ /* No match for the payload channel number - ignore it */
++ return channel;
++ }
++
++ if (scan_width == NL80211_BSS_CHAN_WIDTH_10 ||
++ scan_width == NL80211_BSS_CHAN_WIDTH_5) {
++ /*
++ * Ignore channel number in 5 and 10 MHz channels where there
++ * may not be an n:1 or 1:n mapping between frequencies and
++ * channel numbers.
++ */
++ return channel;
++ }
++
++ /*
++ * Use the channel determined through the payload channel number
++ * instead of the RX channel reported by the driver.
++ */
++ if (alt_channel->flags & IEEE80211_CHAN_DISABLED)
+ return NULL;
+- return channel;
++ return alt_channel;
+ }
+
+ /* Returned bss is reference counted and must be cleaned up appropriately. */
+@@ -1032,7 +1071,8 @@ cfg80211_inform_bss_data(struct wiphy *wiphy,
+ (data->signal < 0 || data->signal > 100)))
+ return NULL;
+
+- channel = cfg80211_get_bss_channel(wiphy, ie, ielen, data->chan);
++ channel = cfg80211_get_bss_channel(wiphy, ie, ielen, data->chan,
++ data->scan_width);
+ if (!channel)
+ return NULL;
+
+@@ -1130,7 +1170,7 @@ cfg80211_inform_bss_frame_data(struct wiphy *wiphy,
+ return NULL;
+
+ channel = cfg80211_get_bss_channel(wiphy, mgmt->u.beacon.variable,
+- ielen, data->chan);
++ ielen, data->chan, data->scan_width);
+ if (!channel)
+ return NULL;
+
+--
+2.17.1
+
--- /dev/null
+From 8cbb8b51b6ed792f66ed835e80b1de0f64b89202 Mon Sep 17 00:00:00 2001
+From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Date: Wed, 5 Sep 2018 08:06:12 +0300
+Subject: cfg80211: reg: Init wiphy_idx in regulatory_hint_core()
+
+[ Upstream commit 24f33e64fcd0d50a4b1a8e5b41bd0257aa66b0e8 ]
+
+Core regulatory hints didn't set wiphy_idx to WIPHY_IDX_INVALID. Since
+the regulatory request is zeroed, wiphy_idx was always implicitly set to
+0. This resulted in updating only phy #0.
+Fix that.
+
+Fixes: 806a9e39670b ("cfg80211: make regulatory_request use wiphy_idx instead of wiphy")
+Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+[add fixes tag]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/reg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/wireless/reg.c b/net/wireless/reg.c
+index 5dbac3749738..36d1d25082e3 100644
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -2298,6 +2298,7 @@ static int regulatory_hint_core(const char *alpha2)
+ request->alpha2[0] = alpha2[0];
+ request->alpha2[1] = alpha2[1];
+ request->initiator = NL80211_REGDOM_SET_BY_CORE;
++ request->wiphy_idx = WIPHY_IDX_INVALID;
+
+ queue_regulatory_request(request);
+
+--
+2.17.1
+
--- /dev/null
+From 8d2b2e686f182656e4eddf254a05831365a8436e Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Thu, 5 Apr 2018 14:57:11 +0200
+Subject: cifs: Use ULL suffix for 64-bit constant
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 3995bbf53bd2047f2720c6fdd4bf38f6d942a0c0 ]
+
+On 32-bit (e.g. with m68k-linux-gnu-gcc-4.1):
+
+ fs/cifs/inode.c: In function ‘simple_hashstr’:
+ fs/cifs/inode.c:713: warning: integer constant is too large for ‘long’ type
+
+Fixes: 7ea884c77e5c97f1 ("smb3: Fix root directory when server returns inode number of zero")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
+index a012f70bba5c..77a18fe10805 100644
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -704,7 +704,7 @@ cgfi_exit:
+ /* Simple function to return a 64 bit hash of string. Rarely called */
+ static __u64 simple_hashstr(const char *str)
+ {
+- const __u64 hash_mult = 1125899906842597L; /* a big enough prime */
++ const __u64 hash_mult = 1125899906842597ULL; /* a big enough prime */
+ __u64 hash = 0;
+
+ while (*str)
+--
+2.17.1
+
--- /dev/null
+From 4c5c240d9003591261525828172905ed9939434a Mon Sep 17 00:00:00 2001
+From: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
+Date: Fri, 29 Sep 2017 09:32:53 +0200
+Subject: clk: samsung: Fix m2m scaler clock on Exynos542x
+
+[ Upstream commit c07c1a0f68d0f2f7ca9aff924e2772526027b019 ]
+
+The TOP "aclk400_mscl" clock should be kept enabled all the time
+to allow proper access to power management control for MSC power
+domain and devices that are a part of it. This change is required
+for the scaler to work properly after domain power on/off sequence.
+
+Fixes: 318fa46cc60d ("clk/samsung: exynos542x: mark some clocks as critical")
+Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/samsung/clk-exynos5420.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/samsung/clk-exynos5420.c b/drivers/clk/samsung/clk-exynos5420.c
+index cdc092a1d9ef..07fb667e258f 100644
+--- a/drivers/clk/samsung/clk-exynos5420.c
++++ b/drivers/clk/samsung/clk-exynos5420.c
+@@ -987,7 +987,7 @@ static const struct samsung_gate_clock exynos5x_gate_clks[] __initconst = {
+ GATE(0, "aclk400_isp", "mout_user_aclk400_isp",
+ GATE_BUS_TOP, 16, 0, 0),
+ GATE(0, "aclk400_mscl", "mout_user_aclk400_mscl",
+- GATE_BUS_TOP, 17, 0, 0),
++ GATE_BUS_TOP, 17, CLK_IS_CRITICAL, 0),
+ GATE(0, "aclk200_disp1", "mout_user_aclk200_disp1",
+ GATE_BUS_TOP, 18, CLK_IS_CRITICAL, 0),
+ GATE(CLK_SCLK_MPHY_IXTAL24, "sclk_mphy_ixtal24", "mphy_refclk_ixtal24",
+--
+2.17.1
+
--- /dev/null
+From 42d7caa697c8efe9df22abc4bed1a875498042bd Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@linux-mips.org>
+Date: Tue, 2 Oct 2018 14:23:45 +0100
+Subject: declance: Fix continuation with the adapter identification message
+
+[ Upstream commit fe3a83af6a50199bf250fa331e94216912f79395 ]
+
+Fix a commit 4bcc595ccd80 ("printk: reinstate KERN_CONT for printing
+continuation lines") regression with the `declance' driver, which caused
+the adapter identification message to be split between two lines, e.g.:
+
+declance.c: v0.011 by Linux MIPS DECstation task force
+tc6: PMAD-AA
+, addr = 08:00:2b:1b:2a:6a, irq = 14
+tc6: registered as eth0.
+
+Address that properly, by printing identification with a single call,
+making the messages now look like:
+
+declance.c: v0.011 by Linux MIPS DECstation task force
+tc6: PMAD-AA, addr = 08:00:2b:1b:2a:6a, irq = 14
+tc6: registered as eth0.
+
+Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
+Fixes: 4bcc595ccd80 ("printk: reinstate KERN_CONT for printing continuation lines")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/declance.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/declance.c b/drivers/net/ethernet/amd/declance.c
+index b799c7ac899b..9e80a76c3dfe 100644
+--- a/drivers/net/ethernet/amd/declance.c
++++ b/drivers/net/ethernet/amd/declance.c
+@@ -1030,6 +1030,7 @@ static int dec_lance_probe(struct device *bdev, const int type)
+ int i, ret;
+ unsigned long esar_base;
+ unsigned char *esar;
++ const char *desc;
+
+ if (dec_lance_debug && version_printed++ == 0)
+ printk(version);
+@@ -1215,19 +1216,20 @@ static int dec_lance_probe(struct device *bdev, const int type)
+ */
+ switch (type) {
+ case ASIC_LANCE:
+- printk("%s: IOASIC onboard LANCE", name);
++ desc = "IOASIC onboard LANCE";
+ break;
+ case PMAD_LANCE:
+- printk("%s: PMAD-AA", name);
++ desc = "PMAD-AA";
+ break;
+ case PMAX_LANCE:
+- printk("%s: PMAX onboard LANCE", name);
++ desc = "PMAX onboard LANCE";
+ break;
+ }
+ for (i = 0; i < 6; i++)
+ dev->dev_addr[i] = esar[i * 4];
+
+- printk(", addr = %pM, irq = %d\n", dev->dev_addr, dev->irq);
++ printk("%s: %s, addr = %pM, irq = %d\n",
++ name, desc, dev->dev_addr, dev->irq);
+
+ dev->netdev_ops = &lance_netdev_ops;
+ dev->watchdog_timeo = 5*HZ;
+--
+2.17.1
+
--- /dev/null
+From 5618572826552e6f81befc6e723c840046373fe9 Mon Sep 17 00:00:00 2001
+From: Gabriel Krisman Bertazi <krisman@collabora.co.uk>
+Date: Fri, 17 Mar 2017 15:14:09 -0300
+Subject: drm: bochs: Don't remove uninitialized fbdev framebuffer
+
+[ Upstream commit 4fa13dbe8c86382a846584e65c47bce09297f75b ]
+
+In the same spirit of the fix for QXL in commit 861078381ba5 ("drm: qxl:
+Don't alloc fbdev if emulation is not supported"), prevent the Oops in
+the unbind path of Bochs if fbdev emulation is disabled.
+
+[ 112.176009] Oops: 0002 [#1] SMP
+[ 112.176009] Modules linked in: bochs_drm
+[ 112.176009] CPU: 0 PID: 3002 Comm: bash Not tainted 4.11.0-rc1+ #111
+[ 112.176009] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-20161025_171302-gandalf 04/01/2014
+[ 112.176009] task: ffff8800743bbac0 task.stack: ffffc90000b5c000
+[ 112.176009] RIP: 0010:mutex_lock+0x18/0x30
+[ 112.176009] RSP: 0018:ffffc90000b5fc78 EFLAGS: 00010246
+[ 112.176009] RAX: 0000000000000000 RBX: 0000000000000260 RCX: 0000000000000000
+[ 112.176009] RDX: ffff8800743bbac0 RSI: ffff8800787176e0 RDI: 0000000000000260
+[ 112.176009] RBP: ffffc90000b5fc80 R08: ffffffff00000000 R09: 00000000ffffffff
+[ 112.176009] R10: ffff88007b463650 R11: 0000000000000000 R12: 0000000000000260
+[ 112.176009] R13: ffff8800787176e0 R14: ffffffffa0003068 R15: 0000000000000060
+[ 112.176009] FS: 00007f20564c7b40(0000) GS:ffff88007ce00000(0000) knlGS:0000000000000000
+[ 112.176009] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 112.176009] CR2: 0000000000000260 CR3: 000000006b89c000 CR4: 00000000000006f0
+[ 112.176009] Call Trace:
+[ 112.176009] drm_mode_object_unregister+0x1e/0x50
+[ 112.176009] drm_framebuffer_unregister_private+0x15/0x20
+[ 112.176009] bochs_fbdev_fini+0x57/0x70 [bochs_drm]
+[ 112.176009] bochs_unload+0x16/0x50 [bochs_drm]
+[ 112.176009] drm_dev_unregister+0x37/0xd0
+[ 112.176009] drm_put_dev+0x31/0x60
+[ 112.176009] bochs_pci_remove+0x10/0x20 [bochs_drm]
+[ 112.176009] pci_device_remove+0x34/0xb0
+[ 112.176009] device_release_driver_internal+0x150/0x200
+[ 112.176009] device_release_driver+0xd/0x10
+[ 112.176009] unbind_store+0x108/0x150
+[ 112.176009] drv_attr_store+0x20/0x30
+[ 112.176009] sysfs_kf_write+0x32/0x40
+[ 112.176009] kernfs_fop_write+0x10b/0x190
+[ 112.176009] __vfs_write+0x23/0x120
+[ 112.176009] ? security_file_permission+0x36/0xb0
+[ 112.176009] ? rw_verify_area+0x49/0xb0
+[ 112.176009] vfs_write+0xb0/0x190
+[ 112.176009] SyS_write+0x41/0xa0
+[ 112.176009] entry_SYSCALL_64_fastpath+0x1a/0xa9
+[ 112.176009] RIP: 0033:0x7f2055bd5620
+[ 112.176009] RSP: 002b:00007ffed2f487d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+[ 112.176009] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2055bd5620
+[ 112.176009] RDX: 000000000000000d RSI: 0000000000ee0008 RDI: 0000000000000001
+[ 112.176009] RBP: 0000000000000001 R08: 00007f2055e94760 R09: 00007f20564c7b40
+[ 112.176009] R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000000
+[ 112.176009] R13: 00007ffed2f48d70 R14: 0000000000000000 R15: 0000000000000000
+[ 112.176009] Code: 00 00 00 55 be 02 00 00 00 48 89 e5 e8 62 fb ff ff 5d c3 55 48 89 e5 53 48 89 fb e8 53 e9 ff ff 65 48 8b 14 25 40 c4 00 00 31 c0 <f0> 48 0f b1 13 48 85 c0 74 08 48 89 df e8c6 ff ff ff 5b 5d c3
+[ 112.176009] RIP: mutex_lock+0x18/0x30 RSP: ffffc90000b5fc78
+[ 112.176009] CR2: 0000000000000260
+[ 112.205622] ---[ end trace 76189cd7a9bdd155 ]---
+
+Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.co.uk>
+Link: http://patchwork.freedesktop.org/patch/msgid/20170317181409.4183-1-krisman@collabora.co.uk
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bochs/bochs_fbdev.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/bochs/bochs_fbdev.c b/drivers/gpu/drm/bochs/bochs_fbdev.c
+index e1ec498a6b6e..35f40255644d 100644
+--- a/drivers/gpu/drm/bochs/bochs_fbdev.c
++++ b/drivers/gpu/drm/bochs/bochs_fbdev.c
+@@ -138,6 +138,7 @@ static int bochsfb_create(struct drm_fb_helper *helper,
+ info->fix.smem_start = 0;
+ info->fix.smem_len = size;
+
++ bochs->fb.initialized = true;
+ return 0;
+ }
+
+@@ -155,7 +156,6 @@ static int bochs_fbdev_destroy(struct bochs_device *bochs)
+ gfb->obj = NULL;
+ }
+
+- drm_fb_helper_fini(&bochs->fb.helper);
+ drm_framebuffer_unregister_private(&gfb->base);
+ drm_framebuffer_cleanup(&gfb->base);
+
+@@ -188,7 +188,6 @@ int bochs_fbdev_init(struct bochs_device *bochs)
+ if (ret)
+ goto fini;
+
+- bochs->fb.initialized = true;
+ return 0;
+
+ fini:
+@@ -198,9 +197,9 @@ fini:
+
+ void bochs_fbdev_fini(struct bochs_device *bochs)
+ {
+- if (!bochs->fb.initialized)
+- return;
++ if (bochs->fb.initialized)
++ bochs_fbdev_destroy(bochs);
+
+- bochs_fbdev_destroy(bochs);
++ drm_fb_helper_fini(&bochs->fb.helper);
+ bochs->fb.initialized = false;
+ }
+--
+2.17.1
+
--- /dev/null
+From 278060dee20205d52ac72ebbddb3456520c24840 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Tue, 3 Apr 2018 23:38:45 +0100
+Subject: drm/msm: Fix possible null dereference on failure of get_pages()
+
+[ Upstream commit 3976626ea3d2011f8fd3f3a47070a8b792018253 ]
+
+Commit 62e3a3e342af changed get_pages() to initialise
+msm_gem_object::pages before trying to initialise msm_gem_object::sgt,
+so that put_pages() would properly clean up pages in the failure
+case.
+
+However, this means that put_pages() now needs to check that
+msm_gem_object::sgt is not null before trying to clean it up, and
+this check was only applied to part of the cleanup code. Move
+it all into the conditional block. (Strictly speaking we don't
+need to make the kfree() conditional, but since we can't avoid
+checking for null ourselves we may as well do so.)
+
+Fixes: 62e3a3e342af ("drm/msm: fix leak in failed get_pages")
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Reviewed-by: Jordan Crouse <jcrouse@codeaurora.org>
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gem.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
+index 7145127513c4..795660e29b2c 100644
+--- a/drivers/gpu/drm/msm/msm_gem.c
++++ b/drivers/gpu/drm/msm/msm_gem.c
+@@ -118,17 +118,19 @@ static void put_pages(struct drm_gem_object *obj)
+ struct msm_gem_object *msm_obj = to_msm_bo(obj);
+
+ if (msm_obj->pages) {
+- /* For non-cached buffers, ensure the new pages are clean
+- * because display controller, GPU, etc. are not coherent:
+- */
+- if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED))
+- dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl,
+- msm_obj->sgt->nents, DMA_BIDIRECTIONAL);
++ if (msm_obj->sgt) {
++ /* For non-cached buffers, ensure the new
++ * pages are clean because display controller,
++ * GPU, etc. are not coherent:
++ */
++ if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED))
++ dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl,
++ msm_obj->sgt->nents,
++ DMA_BIDIRECTIONAL);
+
+- if (msm_obj->sgt)
+ sg_free_table(msm_obj->sgt);
+-
+- kfree(msm_obj->sgt);
++ kfree(msm_obj->sgt);
++ }
+
+ if (use_pages(obj))
+ drm_gem_put_pages(obj, msm_obj->pages, true, false);
+--
+2.17.1
+
--- /dev/null
+From aa288c63f74327a14ab0188c4def1a44b82faf36 Mon Sep 17 00:00:00 2001
+From: Bjorn Helgaas <bhelgaas@google.com>
+Date: Fri, 19 May 2017 14:37:53 -0500
+Subject: efi/fb: Correct PCI_STD_RESOURCE_END usage
+
+[ Upstream commit 92a16c86299c64f58f320e491977408ba31b8c3c ]
+
+PCI_STD_RESOURCE_END is (confusingly) the index of the last valid BAR, not
+the *number* of BARs. To iterate through all possible BARs, we need to
+include PCI_STD_RESOURCE_END.
+
+Fixes: 55d728a40d36 ("efi/fb: Avoid reconfiguration of BAR that covers the framebuffer")
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/efifb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c
+index 6f2e729a308f..f4b6d063a4b7 100644
+--- a/drivers/video/fbdev/efifb.c
++++ b/drivers/video/fbdev/efifb.c
+@@ -375,7 +375,7 @@ static void efifb_fixup_resources(struct pci_dev *dev)
+ if (!base)
+ return;
+
+- for (i = 0; i < PCI_STD_RESOURCE_END; i++) {
++ for (i = 0; i <= PCI_STD_RESOURCE_END; i++) {
+ struct resource *res = &dev->resource[i];
+
+ if (!(res->flags & IORESOURCE_MEM))
+--
+2.17.1
+
--- /dev/null
+From 132910e094a2bd544b6d36a09078df8081479c7d Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 2 Jun 2017 20:35:51 -0700
+Subject: elevator: fix truncation of icq_cache_name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 9bd2bbc01d17ddd567cc0f81f77fe1163e497462 ]
+
+gcc 7.1 reports the following warning:
+
+ block/elevator.c: In function ‘elv_register’:
+ block/elevator.c:898:5: warning: ‘snprintf’ output may be truncated before the last format character [-Wformat-truncation=]
+ "%s_io_cq", e->elevator_name);
+ ^~~~~~~~~~
+ block/elevator.c:897:3: note: ‘snprintf’ output between 7 and 22 bytes into a destination of size 21
+ snprintf(e->icq_cache_name, sizeof(e->icq_cache_name),
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ "%s_io_cq", e->elevator_name);
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The bug is that the name of the icq_cache is 6 characters longer than
+the elevator name, but only ELV_NAME_MAX + 5 characters were reserved
+for it --- so in the case of a maximum-length elevator name, the 'q'
+character in "_io_cq" would be truncated by snprintf(). Fix it by
+reserving ELV_NAME_MAX + 6 characters instead.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Bart Van Assche <Bart.VanAssche@sandisk.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/elevator.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/elevator.h b/include/linux/elevator.h
+index e7f358d2e5fc..eaa58c0f894b 100644
+--- a/include/linux/elevator.h
++++ b/include/linux/elevator.h
+@@ -102,7 +102,7 @@ struct elevator_type
+ struct module *elevator_owner;
+
+ /* managed by elevator core */
+- char icq_cache_name[ELV_NAME_MAX + 5]; /* elvname + "_io_cq" */
++ char icq_cache_name[ELV_NAME_MAX + 6]; /* elvname + "_io_cq" */
+ struct list_head list;
+ };
+
+--
+2.17.1
+
--- /dev/null
+From 0939accd696eb0743b507c33c5e96263f936f9f1 Mon Sep 17 00:00:00 2001
+From: Govindarajulu Varadarajan <gvaradar@cisco.com>
+Date: Mon, 18 Jun 2018 10:01:05 -0700
+Subject: enic: do not overwrite error code
+
+[ Upstream commit 56f772279a762984f6e9ebbf24a7c829faba5712 ]
+
+In failure path, we overwrite err to what vnic_rq_disable() returns. In
+case it returns 0, enic_open() returns success in case of error.
+
+Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Fixes: e8588e268509 ("enic: enable rq before updating rq descriptors")
+Signed-off-by: Govindarajulu Varadarajan <gvaradar@cisco.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cisco/enic/enic_main.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c
+index f314be07ec58..07282eb76867 100644
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -1708,7 +1708,7 @@ static int enic_open(struct net_device *netdev)
+ {
+ struct enic *enic = netdev_priv(netdev);
+ unsigned int i;
+- int err;
++ int err, ret;
+
+ err = enic_request_intr(enic);
+ if (err) {
+@@ -1766,10 +1766,9 @@ static int enic_open(struct net_device *netdev)
+
+ err_out_free_rq:
+ for (i = 0; i < enic->rq_count; i++) {
+- err = vnic_rq_disable(&enic->rq[i]);
+- if (err)
+- return err;
+- vnic_rq_clean(&enic->rq[i], enic_free_rq_buf);
++ ret = vnic_rq_disable(&enic->rq[i]);
++ if (!ret)
++ vnic_rq_clean(&enic->rq[i], enic_free_rq_buf);
+ }
+ enic_dev_notify_unset(enic);
+ err_out_free_intr:
+--
+2.17.1
+
--- /dev/null
+From 7b8e94c5df7a107d742f8267c2d2510e534af7a0 Mon Sep 17 00:00:00 2001
+From: Sheng Yong <shengyong1@huawei.com>
+Date: Sat, 22 Apr 2017 10:39:20 +0800
+Subject: f2fs: fix multiple f2fs_add_link() having same name for inline dentry
+
+[ Upstream commit d3bb910c15d75ee3340311c64a1c05985bb663a3 ]
+
+Commit 88c5c13a5027 (f2fs: fix multiple f2fs_add_link() calls having
+same name) does not cover the scenario where inline dentry is enabled.
+In that case, F2FS_I(dir)->task will be NULL, and __f2fs_add_link will
+lookup dentries one more time.
+
+This patch fixes it by moving the assigment of current task to a upper
+level to cover both normal and inline dentry.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 88c5c13a5027 (f2fs: fix multiple f2fs_add_link() calls having same name)
+Signed-off-by: Sheng Yong <shengyong1@huawei.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/dir.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
+index 8add4e8bab99..af719d93507e 100644
+--- a/fs/f2fs/dir.c
++++ b/fs/f2fs/dir.c
+@@ -212,13 +212,9 @@ static struct f2fs_dir_entry *find_in_level(struct inode *dir,
+ f2fs_put_page(dentry_page, 0);
+ }
+
+- /* This is to increase the speed of f2fs_create */
+- if (!de && room) {
+- F2FS_I(dir)->task = current;
+- if (F2FS_I(dir)->chash != namehash) {
+- F2FS_I(dir)->chash = namehash;
+- F2FS_I(dir)->clevel = level;
+- }
++ if (!de && room && F2FS_I(dir)->chash != namehash) {
++ F2FS_I(dir)->chash = namehash;
++ F2FS_I(dir)->clevel = level;
+ }
+
+ return de;
+@@ -259,6 +255,9 @@ struct f2fs_dir_entry *__f2fs_find_entry(struct inode *dir,
+ break;
+ }
+ out:
++ /* This is to increase the speed of f2fs_create */
++ if (!de)
++ F2FS_I(dir)->task = current;
+ return de;
+ }
+
+--
+2.17.1
+
--- /dev/null
+From 7e617e9fb4cfbee429602df20c86c862e41eed32 Mon Sep 17 00:00:00 2001
+From: Khazhismel Kumykov <khazhy@google.com>
+Date: Fri, 12 Oct 2018 21:34:40 -0700
+Subject: fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters()
+
+[ Upstream commit ac081c3be3fae6d0cc3e1862507fca3862d30b67 ]
+
+On non-preempt kernels this loop can take a long time (more than 50 ticks)
+processing through entries.
+
+Link: http://lkml.kernel.org/r/20181010172623.57033-1-khazhy@google.com
+Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
+Acked-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fat/fatent.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/fat/fatent.c b/fs/fat/fatent.c
+index 3b7644e43796..a9cad9b60790 100644
+--- a/fs/fat/fatent.c
++++ b/fs/fat/fatent.c
+@@ -681,6 +681,7 @@ int fat_count_free_clusters(struct super_block *sb)
+ if (ops->ent_get(&fatent) == FAT_ENT_FREE)
+ free++;
+ } while (fat_ent_next(sbi, &fatent));
++ cond_resched();
+ }
+ sbi->free_clusters = free;
+ sbi->free_clus_valid = 1;
+--
+2.17.1
+
--- /dev/null
+From 8112703f5ecc572a5632333fc3640a88eaff144b Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Mon, 23 Oct 2017 13:41:51 +0200
+Subject: futex: futex_wake_op, do not fail on invalid op
+
+[ Upstream commit e78c38f6bdd900b2ad9ac9df8eff58b745dc5b3c ]
+
+In commit 30d6e0a4190d ("futex: Remove duplicated code and fix undefined
+behaviour"), I let FUTEX_WAKE_OP to fail on invalid op. Namely when op
+should be considered as shift and the shift is out of range (< 0 or > 31).
+
+But strace's test suite does this madness:
+
+ futex(0x7fabd78bcffc, 0x5, 0xfacefeed, 0xb, 0x7fabd78bcffc, 0xa0caffee);
+ futex(0x7fabd78bcffc, 0x5, 0xfacefeed, 0xb, 0x7fabd78bcffc, 0xbadfaced);
+ futex(0x7fabd78bcffc, 0x5, 0xfacefeed, 0xb, 0x7fabd78bcffc, 0xffffffff);
+
+When I pick the first 0xa0caffee, it decodes as:
+
+ 0x80000000 & 0xa0caffee: oparg is shift
+ 0x70000000 & 0xa0caffee: op is FUTEX_OP_OR
+ 0x0f000000 & 0xa0caffee: cmp is FUTEX_OP_CMP_EQ
+ 0x00fff000 & 0xa0caffee: oparg is sign-extended 0xcaf = -849
+ 0x00000fff & 0xa0caffee: cmparg is sign-extended 0xfee = -18
+
+That means the op tries to do this:
+
+ (futex |= (1 << (-849))) == -18
+
+which is completely bogus. The new check of op in the code is:
+
+ if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) {
+ if (oparg < 0 || oparg > 31)
+ return -EINVAL;
+ oparg = 1 << oparg;
+ }
+
+which results obviously in the "Invalid argument" errno:
+
+ FAIL: futex
+ ===========
+
+ futex(0x7fabd78bcffc, 0x5, 0xfacefeed, 0xb, 0x7fabd78bcffc, 0xa0caffee) = -1: Invalid argument
+ futex.test: failed test: ../futex failed with code 1
+
+So let us soften the failure to print only a (ratelimited) message, crop
+the value and continue as if it were right. When userspace keeps up, we
+can switch this to return -EINVAL again.
+
+[v2] Do not return 0 immediatelly, proceed with the cropped value.
+
+Fixes: 30d6e0a4190d ("futex: Remove duplicated code and fix undefined behaviour")
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Darren Hart <dvhart@infradead.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/futex.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/futex.c b/kernel/futex.c
+index c3ea6f2a6997..053d7be08be5 100644
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -1467,8 +1467,16 @@ static int futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr)
+ int oldval, ret;
+
+ if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) {
+- if (oparg < 0 || oparg > 31)
+- return -EINVAL;
++ if (oparg < 0 || oparg > 31) {
++ char comm[sizeof(current->comm)];
++ /*
++ * kill this print and return -EINVAL when userspace
++ * is sane again
++ */
++ pr_info_ratelimited("futex_wake_op: %s tries to shift op by %d; fix this program\n",
++ get_task_comm(comm, current), oparg);
++ oparg &= 31;
++ }
+ oparg = 1 << oparg;
+ }
+
+--
+2.17.1
+
--- /dev/null
+From eda51c701e42f2395914c9494ef3bdb0aac21460 Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@denx.de>
+Date: Sat, 3 Jun 2017 11:57:21 -0700
+Subject: gpu: ipu-v3: Fix CSI selection for VDIC
+
+[ Upstream commit b7dfee2433576f1f030cb84cdb04b70f36554992 ]
+
+The description of the CSI_SEL bit in the i.MX6 reference manual is
+incorrect. It states "This bit defines which CSI is the input to the
+IC. This bit is effective only if IC_INPUT is bit cleared".
+
+From experiment it was found this is in fact not correct. The CSI_SEL
+bit selects which CSI is input to _both_ the VDIC _and_ the IC. If the
+IC_INPUT bit is set so that the IC is receiving from the VDIC, the IC
+ignores the CSI_SEL bit, but CSI_SEL still selects which CSI the VDIC
+receives from in that case.
+
+Signed-off-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Steve Longerbeam <steve_longerbeam@mentor.com>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/ipu-v3/ipu-common.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c
+index b9539f7c5e9a..99c813a4ec1f 100644
+--- a/drivers/gpu/ipu-v3/ipu-common.c
++++ b/drivers/gpu/ipu-v3/ipu-common.c
+@@ -715,15 +715,16 @@ void ipu_set_ic_src_mux(struct ipu_soc *ipu, int csi_id, bool vdi)
+ spin_lock_irqsave(&ipu->lock, flags);
+
+ val = ipu_cm_read(ipu, IPU_CONF);
+- if (vdi) {
++ if (vdi)
+ val |= IPU_CONF_IC_INPUT;
+- } else {
++ else
+ val &= ~IPU_CONF_IC_INPUT;
+- if (csi_id == 1)
+- val |= IPU_CONF_CSI_SEL;
+- else
+- val &= ~IPU_CONF_CSI_SEL;
+- }
++
++ if (csi_id == 1)
++ val |= IPU_CONF_CSI_SEL;
++ else
++ val &= ~IPU_CONF_CSI_SEL;
++
+ ipu_cm_write(ipu, val, IPU_CONF);
+
+ spin_unlock_irqrestore(&ipu->lock, flags);
+--
+2.17.1
+
--- /dev/null
+From 7263cf2f55935fb90e6cc5fe6c4dc3868c3cc8ae Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Thu, 16 Feb 2017 21:20:45 +0000
+Subject: i2c: bcm2835: Avoid possible NULL ptr dereference
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit ababb08938df7ac245d30a58b95b94ecf8dc04fc ]
+
+Since commit e2474541032d ("bcm2835: Fix hang for writing messages
+larger than 16 bytes") the interrupt handler is prone to a possible
+NULL pointer dereference. This could happen if an interrupt fires
+before curr_msg is set by bcm2835_i2c_xfer_msg() and randomly occurs
+on the RPi 3. Even this is an unexpected behavior the driver must
+handle that with an error instead of a crash.
+
+Reported-by: Peter Robinson <pbrobinson@gmail.com>
+Fixes: e2474541032d ("bcm2835: Fix hang for writing messages larger than 16 bytes")
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Acked-by: Noralf Trønnes <noralf@tronnes.org>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-bcm2835.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-bcm2835.c b/drivers/i2c/busses/i2c-bcm2835.c
+index f283b714aa79..7ed09865cb4b 100644
+--- a/drivers/i2c/busses/i2c-bcm2835.c
++++ b/drivers/i2c/busses/i2c-bcm2835.c
+@@ -128,7 +128,9 @@ static irqreturn_t bcm2835_i2c_isr(int this_irq, void *data)
+ }
+
+ if (val & BCM2835_I2C_S_DONE) {
+- if (i2c_dev->curr_msg->flags & I2C_M_RD) {
++ if (!i2c_dev->curr_msg) {
++ dev_err(i2c_dev->dev, "Got unexpected interrupt (from firmware?)\n");
++ } else if (i2c_dev->curr_msg->flags & I2C_M_RD) {
+ bcm2835_drain_rxfifo(i2c_dev);
+ val = bcm2835_i2c_readl(i2c_dev, BCM2835_I2C_S);
+ }
+--
+2.17.1
+
--- /dev/null
+From 4b49f448567d42ab59c970883b1e59bc8d4b4b00 Mon Sep 17 00:00:00 2001
+From: Anjali Singhai Jain <anjali.singhai@intel.com>
+Date: Fri, 1 Sep 2017 13:42:49 -0700
+Subject: i40e: avoid NVM acquire deadlock during NVM update
+
+[ Upstream commit 09f79fd49d94cda5837e9bfd0cb222232b3b6d9f ]
+
+X722 devices use the AdminQ to access the NVM, and this requires taking
+the AdminQ lock. Because of this, we lock the AdminQ during
+i40e_read_nvm(), which is also called in places where the lock is
+already held, such as the firmware update path which wants to lock once
+and then unlock when finished after performing several tasks.
+
+Although this should have only affected X722 devices, commit
+96a39aed25e6 ("i40e: Acquire NVM lock before reads on all devices",
+2016-12-02) added locking for all NVM reads, regardless of device
+family.
+
+This resulted in us accidentally causing NVM acquire timeouts on all
+devices, causing failed firmware updates which left the eeprom in
+a corrupt state.
+
+Create unsafe non-locked variants of i40e_read_nvm_word and
+i40e_read_nvm_buffer, __i40e_read_nvm_word and __i40e_read_nvm_buffer
+respectively. These variants will not take the NVM lock and are expected
+to only be called in places where the NVM lock is already held if
+needed.
+
+Since the only caller of i40e_read_nvm_buffer() was in such a path,
+remove it entirely in favor of the unsafe version. If necessary we can
+always add it back in the future.
+
+Additionally, we now need to hold the NVM lock in i40e_validate_checksum
+because the call to i40e_calc_nvm_checksum now assumes that the NVM lock
+is held. We can further move the call to read I40E_SR_SW_CHECKSUM_WORD
+up a bit so that we do not need to acquire the NVM lock twice.
+
+This should resolve firmware updates and also fix potential raise that
+could have caused the driver to report an invalid NVM checksum upon
+driver load.
+
+Reported-by: Stefan Assmann <sassmann@kpanic.de>
+Fixes: 96a39aed25e6 ("i40e: Acquire NVM lock before reads on all devices", 2016-12-02)
+Signed-off-by: Anjali Singhai Jain <anjali.singhai@intel.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_nvm.c | 98 ++++++++++++-------
+ .../net/ethernet/intel/i40e/i40e_prototype.h | 2 -
+ 2 files changed, 60 insertions(+), 40 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_nvm.c b/drivers/net/ethernet/intel/i40e/i40e_nvm.c
+index abe290bfc638..8408682efd86 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_nvm.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_nvm.c
+@@ -266,7 +266,7 @@ static i40e_status i40e_read_nvm_aq(struct i40e_hw *hw, u8 module_pointer,
+ * @offset: offset of the Shadow RAM word to read (0x000000 - 0x001FFF)
+ * @data: word read from the Shadow RAM
+ *
+- * Reads one 16 bit word from the Shadow RAM using the GLNVM_SRCTL register.
++ * Reads one 16 bit word from the Shadow RAM using the AdminQ
+ **/
+ static i40e_status i40e_read_nvm_word_aq(struct i40e_hw *hw, u16 offset,
+ u16 *data)
+@@ -280,27 +280,49 @@ static i40e_status i40e_read_nvm_word_aq(struct i40e_hw *hw, u16 offset,
+ }
+
+ /**
+- * i40e_read_nvm_word - Reads Shadow RAM
++ * __i40e_read_nvm_word - Reads nvm word, assumes called does the locking
+ * @hw: pointer to the HW structure
+ * @offset: offset of the Shadow RAM word to read (0x000000 - 0x001FFF)
+ * @data: word read from the Shadow RAM
+ *
+- * Reads one 16 bit word from the Shadow RAM using the GLNVM_SRCTL register.
++ * Reads one 16 bit word from the Shadow RAM.
++ *
++ * Do not use this function except in cases where the nvm lock is already
++ * taken via i40e_acquire_nvm().
++ **/
++static i40e_status __i40e_read_nvm_word(struct i40e_hw *hw,
++ u16 offset, u16 *data)
++{
++ i40e_status ret_code = 0;
++
++ if (hw->flags & I40E_HW_FLAG_AQ_SRCTL_ACCESS_ENABLE)
++ ret_code = i40e_read_nvm_word_aq(hw, offset, data);
++ else
++ ret_code = i40e_read_nvm_word_srctl(hw, offset, data);
++ return ret_code;
++}
++
++/**
++ * i40e_read_nvm_word - Reads nvm word and acquire lock if necessary
++ * @hw: pointer to the HW structure
++ * @offset: offset of the Shadow RAM word to read (0x000000 - 0x001FFF)
++ * @data: word read from the Shadow RAM
++ *
++ * Reads one 16 bit word from the Shadow RAM.
+ **/
+ i40e_status i40e_read_nvm_word(struct i40e_hw *hw, u16 offset,
+ u16 *data)
+ {
+- enum i40e_status_code ret_code = 0;
++ i40e_status ret_code = 0;
+
+ ret_code = i40e_acquire_nvm(hw, I40E_RESOURCE_READ);
+- if (!ret_code) {
+- if (hw->flags & I40E_HW_FLAG_AQ_SRCTL_ACCESS_ENABLE) {
+- ret_code = i40e_read_nvm_word_aq(hw, offset, data);
+- } else {
+- ret_code = i40e_read_nvm_word_srctl(hw, offset, data);
+- }
+- i40e_release_nvm(hw);
+- }
++ if (ret_code)
++ return ret_code;
++
++ ret_code = __i40e_read_nvm_word(hw, offset, data);
++
++ i40e_release_nvm(hw);
++
+ return ret_code;
+ }
+
+@@ -393,31 +415,25 @@ read_nvm_buffer_aq_exit:
+ }
+
+ /**
+- * i40e_read_nvm_buffer - Reads Shadow RAM buffer
++ * __i40e_read_nvm_buffer - Reads nvm buffer, caller must acquire lock
+ * @hw: pointer to the HW structure
+ * @offset: offset of the Shadow RAM word to read (0x000000 - 0x001FFF).
+ * @words: (in) number of words to read; (out) number of words actually read
+ * @data: words read from the Shadow RAM
+ *
+ * Reads 16 bit words (data buffer) from the SR using the i40e_read_nvm_srrd()
+- * method. The buffer read is preceded by the NVM ownership take
+- * and followed by the release.
++ * method.
+ **/
+-i40e_status i40e_read_nvm_buffer(struct i40e_hw *hw, u16 offset,
+- u16 *words, u16 *data)
++static i40e_status __i40e_read_nvm_buffer(struct i40e_hw *hw,
++ u16 offset, u16 *words,
++ u16 *data)
+ {
+- enum i40e_status_code ret_code = 0;
++ i40e_status ret_code = 0;
+
+- if (hw->flags & I40E_HW_FLAG_AQ_SRCTL_ACCESS_ENABLE) {
+- ret_code = i40e_acquire_nvm(hw, I40E_RESOURCE_READ);
+- if (!ret_code) {
+- ret_code = i40e_read_nvm_buffer_aq(hw, offset, words,
+- data);
+- i40e_release_nvm(hw);
+- }
+- } else {
++ if (hw->flags & I40E_HW_FLAG_AQ_SRCTL_ACCESS_ENABLE)
++ ret_code = i40e_read_nvm_buffer_aq(hw, offset, words, data);
++ else
+ ret_code = i40e_read_nvm_buffer_srctl(hw, offset, words, data);
+- }
+ return ret_code;
+ }
+
+@@ -499,15 +515,15 @@ static i40e_status i40e_calc_nvm_checksum(struct i40e_hw *hw,
+ data = (u16 *)vmem.va;
+
+ /* read pointer to VPD area */
+- ret_code = i40e_read_nvm_word(hw, I40E_SR_VPD_PTR, &vpd_module);
++ ret_code = __i40e_read_nvm_word(hw, I40E_SR_VPD_PTR, &vpd_module);
+ if (ret_code) {
+ ret_code = I40E_ERR_NVM_CHECKSUM;
+ goto i40e_calc_nvm_checksum_exit;
+ }
+
+ /* read pointer to PCIe Alt Auto-load module */
+- ret_code = i40e_read_nvm_word(hw, I40E_SR_PCIE_ALT_AUTO_LOAD_PTR,
+- &pcie_alt_module);
++ ret_code = __i40e_read_nvm_word(hw, I40E_SR_PCIE_ALT_AUTO_LOAD_PTR,
++ &pcie_alt_module);
+ if (ret_code) {
+ ret_code = I40E_ERR_NVM_CHECKSUM;
+ goto i40e_calc_nvm_checksum_exit;
+@@ -521,7 +537,7 @@ static i40e_status i40e_calc_nvm_checksum(struct i40e_hw *hw,
+ if ((i % I40E_SR_SECTOR_SIZE_IN_WORDS) == 0) {
+ u16 words = I40E_SR_SECTOR_SIZE_IN_WORDS;
+
+- ret_code = i40e_read_nvm_buffer(hw, i, &words, data);
++ ret_code = __i40e_read_nvm_buffer(hw, i, &words, data);
+ if (ret_code) {
+ ret_code = I40E_ERR_NVM_CHECKSUM;
+ goto i40e_calc_nvm_checksum_exit;
+@@ -593,14 +609,19 @@ i40e_status i40e_validate_nvm_checksum(struct i40e_hw *hw,
+ u16 checksum_sr = 0;
+ u16 checksum_local = 0;
+
++ /* We must acquire the NVM lock in order to correctly synchronize the
++ * NVM accesses across multiple PFs. Without doing so it is possible
++ * for one of the PFs to read invalid data potentially indicating that
++ * the checksum is invalid.
++ */
++ ret_code = i40e_acquire_nvm(hw, I40E_RESOURCE_READ);
++ if (ret_code)
++ return ret_code;
+ ret_code = i40e_calc_nvm_checksum(hw, &checksum_local);
++ __i40e_read_nvm_word(hw, I40E_SR_SW_CHECKSUM_WORD, &checksum_sr);
++ i40e_release_nvm(hw);
+ if (ret_code)
+- goto i40e_validate_nvm_checksum_exit;
+-
+- /* Do not use i40e_read_nvm_word() because we do not want to take
+- * the synchronization semaphores twice here.
+- */
+- i40e_read_nvm_word(hw, I40E_SR_SW_CHECKSUM_WORD, &checksum_sr);
++ return ret_code;
+
+ /* Verify read checksum from EEPROM is the same as
+ * calculated checksum
+@@ -612,7 +633,6 @@ i40e_status i40e_validate_nvm_checksum(struct i40e_hw *hw,
+ if (checksum)
+ *checksum = checksum_local;
+
+-i40e_validate_nvm_checksum_exit:
+ return ret_code;
+ }
+
+@@ -986,6 +1006,7 @@ retry:
+ break;
+
+ case I40E_NVMUPD_CSUM_CON:
++ /* Assumes the caller has acquired the nvm */
+ status = i40e_update_nvm_checksum(hw);
+ if (status) {
+ *perrno = hw->aq.asq_last_status ?
+@@ -1000,6 +1021,7 @@ retry:
+ break;
+
+ case I40E_NVMUPD_CSUM_LCB:
++ /* Assumes the caller has acquired the nvm */
+ status = i40e_update_nvm_checksum(hw);
+ if (status) {
+ *perrno = hw->aq.asq_last_status ?
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_prototype.h b/drivers/net/ethernet/intel/i40e/i40e_prototype.h
+index 4660c5abc855..6b364118badd 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_prototype.h
++++ b/drivers/net/ethernet/intel/i40e/i40e_prototype.h
+@@ -311,8 +311,6 @@ i40e_status i40e_acquire_nvm(struct i40e_hw *hw,
+ void i40e_release_nvm(struct i40e_hw *hw);
+ i40e_status i40e_read_nvm_word(struct i40e_hw *hw, u16 offset,
+ u16 *data);
+-i40e_status i40e_read_nvm_buffer(struct i40e_hw *hw, u16 offset,
+- u16 *words, u16 *data);
+ i40e_status i40e_update_nvm_checksum(struct i40e_hw *hw);
+ i40e_status i40e_validate_nvm_checksum(struct i40e_hw *hw,
+ u16 *checksum);
+--
+2.17.1
+
--- /dev/null
+From 1160b186c7b541636ef75e26b80a8abf7fde1dfb Mon Sep 17 00:00:00 2001
+From: Noa Osherovich <noaos@mellanox.com>
+Date: Mon, 12 Jun 2017 11:14:02 +0300
+Subject: IB/core: Fix the validations of a multicast LID in attach or detach
+ operations
+
+[ Upstream commit 5236333592244557a19694a51337df6ac018f0a7 ]
+
+RoCE Annex (A16.9.10/11) declares that during attach (detach) QP to a
+multicast group, if the QP is associated with a RoCE port, the
+multicast group MLID is unused and is ignored.
+
+During attach or detach multicast, when the QP is associated with a
+port, it is enough to check the port's link layer and validate the
+LID only if it is Infiniband. Otherwise, avoid validating the
+multicast LID.
+
+Fixes: 8561eae60ff9 ("IB/core: For multicast functions, verify that LIDs are multicast LIDs")
+Signed-off-by: Noa Osherovich <noaos@mellanox.com>
+Reviewed-by: Moni Shoua <monis@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/verbs.c | 44 ++++++++++++++++++++++++++++++---
+ 1 file changed, 40 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
+index 0e64b52af5b2..d28c4cf7c1ee 100644
+--- a/drivers/infiniband/core/verbs.c
++++ b/drivers/infiniband/core/verbs.c
+@@ -1510,6 +1510,44 @@ EXPORT_SYMBOL(ib_dealloc_fmr);
+
+ /* Multicast groups */
+
++static bool is_valid_mcast_lid(struct ib_qp *qp, u16 lid)
++{
++ struct ib_qp_init_attr init_attr = {};
++ struct ib_qp_attr attr = {};
++ int num_eth_ports = 0;
++ int port;
++
++ /* If QP state >= init, it is assigned to a port and we can check this
++ * port only.
++ */
++ if (!ib_query_qp(qp, &attr, IB_QP_STATE | IB_QP_PORT, &init_attr)) {
++ if (attr.qp_state >= IB_QPS_INIT) {
++ if (qp->device->get_link_layer(qp->device, attr.port_num) !=
++ IB_LINK_LAYER_INFINIBAND)
++ return true;
++ goto lid_check;
++ }
++ }
++
++ /* Can't get a quick answer, iterate over all ports */
++ for (port = 0; port < qp->device->phys_port_cnt; port++)
++ if (qp->device->get_link_layer(qp->device, port) !=
++ IB_LINK_LAYER_INFINIBAND)
++ num_eth_ports++;
++
++ /* If we have at lease one Ethernet port, RoCE annex declares that
++ * multicast LID should be ignored. We can't tell at this step if the
++ * QP belongs to an IB or Ethernet port.
++ */
++ if (num_eth_ports)
++ return true;
++
++ /* If all the ports are IB, we can check according to IB spec. */
++lid_check:
++ return !(lid < be16_to_cpu(IB_MULTICAST_LID_BASE) ||
++ lid == be16_to_cpu(IB_LID_PERMISSIVE));
++}
++
+ int ib_attach_mcast(struct ib_qp *qp, union ib_gid *gid, u16 lid)
+ {
+ int ret;
+@@ -1517,8 +1555,7 @@ int ib_attach_mcast(struct ib_qp *qp, union ib_gid *gid, u16 lid)
+ if (!qp->device->attach_mcast)
+ return -ENOSYS;
+ if (gid->raw[0] != 0xff || qp->qp_type != IB_QPT_UD ||
+- lid < be16_to_cpu(IB_MULTICAST_LID_BASE) ||
+- lid == be16_to_cpu(IB_LID_PERMISSIVE))
++ !is_valid_mcast_lid(qp, lid))
+ return -EINVAL;
+
+ ret = qp->device->attach_mcast(qp, gid, lid);
+@@ -1535,8 +1572,7 @@ int ib_detach_mcast(struct ib_qp *qp, union ib_gid *gid, u16 lid)
+ if (!qp->device->detach_mcast)
+ return -ENOSYS;
+ if (gid->raw[0] != 0xff || qp->qp_type != IB_QPT_UD ||
+- lid < be16_to_cpu(IB_MULTICAST_LID_BASE) ||
+- lid == be16_to_cpu(IB_LID_PERMISSIVE))
++ !is_valid_mcast_lid(qp, lid))
+ return -EINVAL;
+
+ ret = qp->device->detach_mcast(qp, gid, lid);
+--
+2.17.1
+
--- /dev/null
+From 9236edc16bee49b0dfea6270e5464104c516d144 Mon Sep 17 00:00:00 2001
+From: Alaa Hleihel <alaa@mellanox.com>
+Date: Tue, 13 Feb 2018 12:18:27 +0200
+Subject: IB/ipoib: Do not warn if IPoIB debugfs doesn't exist
+
+[ Upstream commit 14fa91e0fef8e4d6feb8b1fa2a807828e0abe815 ]
+
+netdev_wait_allrefs() could rebroadcast NETDEV_UNREGISTER event
+multiple times until all refs are gone, which will result in calling
+ipoib_delete_debug_files multiple times and printing a warning.
+
+Remove the WARN_ONCE since checks of NULL pointers before calling
+debugfs_remove are not needed.
+
+Fixes: 771a52584096 ("IB/IPoIB: ibX: failed to create mcg debug file")
+Signed-off-by: Alaa Hleihel <alaa@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_fs.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_fs.c b/drivers/infiniband/ulp/ipoib/ipoib_fs.c
+index 09396bd7b02d..63be3bcdc0e3 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_fs.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_fs.c
+@@ -281,8 +281,6 @@ void ipoib_delete_debug_files(struct net_device *dev)
+ {
+ struct ipoib_dev_priv *priv = netdev_priv(dev);
+
+- WARN_ONCE(!priv->mcg_dentry, "null mcg debug file\n");
+- WARN_ONCE(!priv->path_dentry, "null path debug file\n");
+ debugfs_remove(priv->mcg_dentry);
+ debugfs_remove(priv->path_dentry);
+ priv->mcg_dentry = priv->path_dentry = NULL;
+--
+2.17.1
+
--- /dev/null
+From 8201a4ca437e67c641cca727e9fe750c91787da0 Mon Sep 17 00:00:00 2001
+From: Alex Vesker <valex@mellanox.com>
+Date: Thu, 21 Dec 2017 17:38:27 +0200
+Subject: IB/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush
+
+[ Upstream commit 1f80bd6a6cc8358b81194e1f5fc16449947396ec ]
+
+The locking order of vlan_rwsem (LOCK A) and then rtnl (LOCK B),
+contradicts other flows such as ipoib_open possibly causing a deadlock.
+To prevent this deadlock heavy flush is called with RTNL locked and
+only then tries to acquire vlan_rwsem.
+This deadlock is possible only when there are child interfaces.
+
+[ 140.941758] ======================================================
+[ 140.946276] WARNING: possible circular locking dependency detected
+[ 140.950950] 4.15.0-rc1+ #9 Tainted: G O
+[ 140.954797] ------------------------------------------------------
+[ 140.959424] kworker/u32:1/146 is trying to acquire lock:
+[ 140.963450] (rtnl_mutex){+.+.}, at: [<ffffffffc083516a>] __ipoib_ib_dev_flush+0x2da/0x4e0 [ib_ipoib]
+[ 140.970006]
+but task is already holding lock:
+[ 140.975141] (&priv->vlan_rwsem){++++}, at: [<ffffffffc0834ee1>] __ipoib_ib_dev_flush+0x51/0x4e0 [ib_ipoib]
+[ 140.982105]
+which lock already depends on the new lock.
+[ 140.990023]
+the existing dependency chain (in reverse order) is:
+[ 140.998650]
+-> #1 (&priv->vlan_rwsem){++++}:
+[ 141.005276] down_read+0x4d/0xb0
+[ 141.009560] ipoib_open+0xad/0x120 [ib_ipoib]
+[ 141.014400] __dev_open+0xcb/0x140
+[ 141.017919] __dev_change_flags+0x1a4/0x1e0
+[ 141.022133] dev_change_flags+0x23/0x60
+[ 141.025695] devinet_ioctl+0x704/0x7d0
+[ 141.029156] sock_do_ioctl+0x20/0x50
+[ 141.032526] sock_ioctl+0x221/0x300
+[ 141.036079] do_vfs_ioctl+0xa6/0x6d0
+[ 141.039656] SyS_ioctl+0x74/0x80
+[ 141.042811] entry_SYSCALL_64_fastpath+0x1f/0x96
+[ 141.046891]
+-> #0 (rtnl_mutex){+.+.}:
+[ 141.051701] lock_acquire+0xd4/0x220
+[ 141.055212] __mutex_lock+0x88/0x970
+[ 141.058631] __ipoib_ib_dev_flush+0x2da/0x4e0 [ib_ipoib]
+[ 141.063160] __ipoib_ib_dev_flush+0x71/0x4e0 [ib_ipoib]
+[ 141.067648] process_one_work+0x1f5/0x610
+[ 141.071429] worker_thread+0x4a/0x3f0
+[ 141.074890] kthread+0x141/0x180
+[ 141.078085] ret_from_fork+0x24/0x30
+[ 141.081559]
+
+other info that might help us debug this:
+[ 141.088967] Possible unsafe locking scenario:
+[ 141.094280] CPU0 CPU1
+[ 141.097953] ---- ----
+[ 141.101640] lock(&priv->vlan_rwsem);
+[ 141.104771] lock(rtnl_mutex);
+[ 141.109207] lock(&priv->vlan_rwsem);
+[ 141.114032] lock(rtnl_mutex);
+[ 141.116800]
+ *** DEADLOCK ***
+
+Fixes: b4b678b06f6e ("IB/ipoib: Grab rtnl lock on heavy flush when calling ndo_open/stop")
+Signed-off-by: Alex Vesker <valex@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_ib.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_ib.c b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+index 34122c96522b..3dd5bf6c6c7a 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+@@ -1190,13 +1190,10 @@ static void __ipoib_ib_dev_flush(struct ipoib_dev_priv *priv,
+ ipoib_ib_dev_down(dev);
+
+ if (level == IPOIB_FLUSH_HEAVY) {
+- rtnl_lock();
+ if (test_bit(IPOIB_FLAG_INITIALIZED, &priv->flags))
+ ipoib_ib_dev_stop(dev);
+
+- result = ipoib_ib_dev_open(dev);
+- rtnl_unlock();
+- if (result)
++ if (ipoib_ib_dev_open(dev))
+ return;
+
+ if (netif_queue_stopped(dev))
+@@ -1236,7 +1233,9 @@ void ipoib_ib_dev_flush_heavy(struct work_struct *work)
+ struct ipoib_dev_priv *priv =
+ container_of(work, struct ipoib_dev_priv, flush_heavy);
+
++ rtnl_lock();
+ __ipoib_ib_dev_flush(priv, IPOIB_FLUSH_HEAVY, 0);
++ rtnl_unlock();
+ }
+
+ void ipoib_ib_dev_cleanup(struct net_device *dev)
+--
+2.17.1
+
--- /dev/null
+From caedcc8038e8c5ffd2685d5a15beacafb5652b73 Mon Sep 17 00:00:00 2001
+From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+Date: Mon, 11 Jun 2018 20:15:11 +0200
+Subject: IB/mlx4: Fix an error handling path in 'mlx4_ib_rereg_user_mr()'
+
+[ Upstream commit 3dc7c7badb7502ec3e3aa817a8bdd9e53aa54c52 ]
+
+Before returning -EPERM we should release some resources, as already done
+in the other error handling path of the function.
+
+Fixes: d8f9cc328c88 ("IB/mlx4: Mark user MR as writable if actual virtual memory is writable")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx4/mr.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx4/mr.c b/drivers/infiniband/hw/mlx4/mr.c
+index 0d4878efd643..ddd3182138ac 100644
+--- a/drivers/infiniband/hw/mlx4/mr.c
++++ b/drivers/infiniband/hw/mlx4/mr.c
+@@ -247,8 +247,11 @@ int mlx4_ib_rereg_user_mr(struct ib_mr *mr, int flags,
+ }
+
+ if (flags & IB_MR_REREG_ACCESS) {
+- if (ib_access_writable(mr_access_flags) && !mmr->umem->writable)
+- return -EPERM;
++ if (ib_access_writable(mr_access_flags) &&
++ !mmr->umem->writable) {
++ err = -EPERM;
++ goto release_mpt_entry;
++ }
+
+ err = mlx4_mr_hw_change_access(dev->dev, *pmpt_entry,
+ convert_access(mr_access_flags));
+--
+2.17.1
+
--- /dev/null
+From c47b9eb6973dc055abec524095dbee90a0873657 Mon Sep 17 00:00:00 2001
+From: Noa Osherovich <noaos@mellanox.com>
+Date: Sun, 25 Feb 2018 13:39:51 +0200
+Subject: IB/mlx5: Avoid passing an invalid QP type to firmware
+
+[ Upstream commit e7b169f34403becd3c9fd3b6e46614ab788f2187 ]
+
+During QP creation, the mlx5 driver translates the QP type to an
+internal value which is passed on to FW. There was no check to make
+sure that the translated value is valid, and -EINVAL was coerced into
+the mailbox command.
+
+Current firmware refuses this as an invalid QP type, but future/past
+firmware may do something else.
+
+Fixes: 09a7d9eca1a6c ('{net,IB}/mlx5: QP/XRCD commands via mlx5 ifc')
+Reviewed-by: Ilya Lesokhin <ilyal@mellanox.com>
+Signed-off-by: Noa Osherovich <noaos@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/qp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
+index abb47e780070..f8f7a2191b98 100644
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -1523,6 +1523,7 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd,
+ u32 uidx = MLX5_IB_DEFAULT_UIDX;
+ struct mlx5_ib_create_qp ucmd;
+ struct mlx5_ib_qp_base *base;
++ int mlx5_st;
+ void *qpc;
+ u32 *in;
+ int err;
+@@ -1538,6 +1539,10 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd,
+ spin_lock_init(&qp->sq.lock);
+ spin_lock_init(&qp->rq.lock);
+
++ mlx5_st = to_mlx5_st(init_attr->qp_type);
++ if (mlx5_st < 0)
++ return -EINVAL;
++
+ if (init_attr->rwq_ind_tbl) {
+ if (!udata)
+ return -ENOSYS;
+@@ -1665,7 +1670,7 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd,
+
+ qpc = MLX5_ADDR_OF(create_qp_in, in, qpc);
+
+- MLX5_SET(qpc, qpc, st, to_mlx5_st(init_attr->qp_type));
++ MLX5_SET(qpc, qpc, st, mlx5_st);
+ MLX5_SET(qpc, qpc, pm_state, MLX5_QP_PM_MIGRATED);
+
+ if (init_attr->qp_type != MLX5_IB_QPT_REG_UMR)
+--
+2.17.1
+
--- /dev/null
+From 027918605e719867a162666a40c529d85d7e7c78 Mon Sep 17 00:00:00 2001
+From: Doug Ledford <dledford@redhat.com>
+Date: Mon, 9 Oct 2017 09:11:32 -0400
+Subject: IB/rxe: put the pool on allocation failure
+
+[ Upstream commit 6b9f8970cd30929cb6b372fa44fa66da9e59c650 ]
+
+If the allocation of elem fails, it is not sufficient to simply check
+for NULL and return. We need to also put our reference on the pool or
+else we will leave the pool with a permanent ref count and we will never
+be able to free it.
+
+Fixes: 4831ca9e4a8e ("IB/rxe: check for allocation failure on elem")
+Suggested-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_pool.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_pool.c b/drivers/infiniband/sw/rxe/rxe_pool.c
+index 1c4e5b2e6835..527ca662da69 100644
+--- a/drivers/infiniband/sw/rxe/rxe_pool.c
++++ b/drivers/infiniband/sw/rxe/rxe_pool.c
+@@ -402,23 +402,25 @@ void *rxe_alloc(struct rxe_pool *pool)
+
+ kref_get(&pool->rxe->ref_cnt);
+
+- if (atomic_inc_return(&pool->num_elem) > pool->max_elem) {
+- atomic_dec(&pool->num_elem);
+- rxe_dev_put(pool->rxe);
+- rxe_pool_put(pool);
+- return NULL;
+- }
++ if (atomic_inc_return(&pool->num_elem) > pool->max_elem)
++ goto out_put_pool;
+
+ elem = kmem_cache_zalloc(pool_cache(pool),
+ (pool->flags & RXE_POOL_ATOMIC) ?
+ GFP_ATOMIC : GFP_KERNEL);
+ if (!elem)
+- return NULL;
++ goto out_put_pool;
+
+ elem->pool = pool;
+ kref_init(&elem->ref_cnt);
+
+ return elem;
++
++out_put_pool:
++ atomic_dec(&pool->num_elem);
++ rxe_dev_put(pool->rxe);
++ rxe_pool_put(pool);
++ return NULL;
+ }
+
+ void rxe_elem_release(struct kref *kref)
+--
+2.17.1
+
--- /dev/null
+From cbd4db989af0a1d4b85c047efd5bdb4b133da291 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20Gr=C3=B6nke?= <c.groenke@infodas.de>
+Date: Tue, 26 Jun 2018 10:12:18 +0000
+Subject: igb: Remove superfluous reset to PHY and page 0 selection
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 2a83fba6cae89dd9c0625e68ff8ffff791c67ac0 ]
+
+This patch reverts two previous applied patches to fix an issue
+that appeared when using SGMII based SFP modules. In the current
+state the driver will try to reset the PHY before obtaining the
+phy_addr of the SGMII attached PHY. That leads to an error in
+e1000_write_phy_reg_sgmii_82575. Causing the initialization to
+fail:
+
+ igb: Intel(R) Gigabit Ethernet Network Driver - version 5.4.0-k
+ igb: Copyright (c) 2007-2014 Intel Corporation.
+ igb: probe of ????:??:??.? failed with error -3
+
+The patches being reverted are:
+
+ commit 182785335447957409282ca745aa5bc3968facee
+ Author: Aaron Sierra <asierra@xes-inc.com>
+ Date: Tue Nov 29 10:03:56 2016 -0600
+
+ igb: reset the PHY before reading the PHY ID
+
+ commit 440aeca4b9858248d8f16d724d9fa87a4f65fa33
+ Author: Matwey V Kornilov <matwey@sai.msu.ru>
+ Date: Thu Nov 24 13:32:48 2016 +0300
+
+ igb: Explicitly select page 0 at initialization
+
+The first reverted patch directly causes the problem mentioned above.
+In case of SGMII the phy_addr is not known at this point and will
+only be obtained by 'igb_get_phy_id_82575' further down in the code.
+The second removed patch selects forces selection of page 0 in the
+PHY. Something that the reset tries to address as well.
+
+As pointed out by Alexander Duzck, the patch below fixes the same
+issue but in the proper location:
+
+ commit 4e684f59d760a2c7c716bb60190783546e2d08a1
+ Author: Chris J Arges <christopherarges@gmail.com>
+ Date: Wed Nov 2 09:13:42 2016 -0500
+
+ igb: Workaround for igb i210 firmware issue
+
+Reverts: 440aeca4b9858248d8f16d724d9fa87a4f65fa33.
+Reverts: 182785335447957409282ca745aa5bc3968facee.
+
+Signed-off-by: Christian Grönke <c.groenke@infodas.de>
+Reviewed-by: Alexander Duyck <alexander.h.duyck@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/e1000_82575.c | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/e1000_82575.c b/drivers/net/ethernet/intel/igb/e1000_82575.c
+index 4a50870e0fa7..a61447fd778e 100644
+--- a/drivers/net/ethernet/intel/igb/e1000_82575.c
++++ b/drivers/net/ethernet/intel/igb/e1000_82575.c
+@@ -245,19 +245,7 @@ static s32 igb_init_phy_params_82575(struct e1000_hw *hw)
+ hw->bus.func = (rd32(E1000_STATUS) & E1000_STATUS_FUNC_MASK) >>
+ E1000_STATUS_FUNC_SHIFT;
+
+- /* Make sure the PHY is in a good state. Several people have reported
+- * firmware leaving the PHY's page select register set to something
+- * other than the default of zero, which causes the PHY ID read to
+- * access something other than the intended register.
+- */
+- ret_val = hw->phy.ops.reset(hw);
+- if (ret_val) {
+- hw_dbg("Error resetting the PHY.\n");
+- goto out;
+- }
+-
+ /* Set phy->phy_addr and phy->id. */
+- igb_write_phy_reg_82580(hw, I347AT4_PAGE_SELECT, 0);
+ ret_val = igb_get_phy_id_82575(hw);
+ if (ret_val)
+ return ret_val;
+--
+2.17.1
+
--- /dev/null
+From 0d82809fed23b7466c96c8460247c7f6b41805f7 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 30 Jun 2017 19:42:54 +0200
+Subject: iio: adc: Revert "axp288: Drop bogus AXP288_ADC_TS_PIN_CTRL register
+ modifications"
+
+[ Upstream commit 631b010abc5b57009c6a8328f51492665f6ef310 ]
+
+Inheriting the ADC BIAS current settings from the BIOS instead of
+hardcoding then causes the AXP288 to disable charging (I think it
+mis-detects an overheated battery) on at least one model tablet.
+
+So lets go back to hard coding the values, this reverts
+commit fa2849e9649b ("iio: adc: axp288: Drop bogus
+AXP288_ADC_TS_PIN_CTRL register modifications"), fixing charging not
+working on the model tablet in question.
+
+The exact cause is not fully understood, hence the revert to a known working
+state.
+
+Cc: stable@vger.kernel.org
+Reported-by: Umberto Ixxo <sfumato1977@gmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/axp288_adc.c | 32 +++++++++++++++++++++++++++++++-
+ 1 file changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iio/adc/axp288_adc.c b/drivers/iio/adc/axp288_adc.c
+index 64799ad7ebad..7fd24949c0c1 100644
+--- a/drivers/iio/adc/axp288_adc.c
++++ b/drivers/iio/adc/axp288_adc.c
+@@ -28,6 +28,8 @@
+ #include <linux/iio/driver.h>
+
+ #define AXP288_ADC_EN_MASK 0xF1
++#define AXP288_ADC_TS_PIN_GPADC 0xF2
++#define AXP288_ADC_TS_PIN_ON 0xF3
+
+ enum axp288_adc_id {
+ AXP288_ADC_TS,
+@@ -121,6 +123,16 @@ static int axp288_adc_read_channel(int *val, unsigned long address,
+ return IIO_VAL_INT;
+ }
+
++static int axp288_adc_set_ts(struct regmap *regmap, unsigned int mode,
++ unsigned long address)
++{
++ /* channels other than GPADC do not need to switch TS pin */
++ if (address != AXP288_GP_ADC_H)
++ return 0;
++
++ return regmap_write(regmap, AXP288_ADC_TS_PIN_CTRL, mode);
++}
++
+ static int axp288_adc_read_raw(struct iio_dev *indio_dev,
+ struct iio_chan_spec const *chan,
+ int *val, int *val2, long mask)
+@@ -131,7 +143,16 @@ static int axp288_adc_read_raw(struct iio_dev *indio_dev,
+ mutex_lock(&indio_dev->mlock);
+ switch (mask) {
+ case IIO_CHAN_INFO_RAW:
++ if (axp288_adc_set_ts(info->regmap, AXP288_ADC_TS_PIN_GPADC,
++ chan->address)) {
++ dev_err(&indio_dev->dev, "GPADC mode\n");
++ ret = -EINVAL;
++ break;
++ }
+ ret = axp288_adc_read_channel(val, chan->address, info->regmap);
++ if (axp288_adc_set_ts(info->regmap, AXP288_ADC_TS_PIN_ON,
++ chan->address))
++ dev_err(&indio_dev->dev, "TS pin restore\n");
+ break;
+ default:
+ ret = -EINVAL;
+@@ -141,6 +162,15 @@ static int axp288_adc_read_raw(struct iio_dev *indio_dev,
+ return ret;
+ }
+
++static int axp288_adc_set_state(struct regmap *regmap)
++{
++ /* ADC should be always enabled for internal FG to function */
++ if (regmap_write(regmap, AXP288_ADC_TS_PIN_CTRL, AXP288_ADC_TS_PIN_ON))
++ return -EIO;
++
++ return regmap_write(regmap, AXP20X_ADC_EN1, AXP288_ADC_EN_MASK);
++}
++
+ static const struct iio_info axp288_adc_iio_info = {
+ .read_raw = &axp288_adc_read_raw,
+ .driver_module = THIS_MODULE,
+@@ -169,7 +199,7 @@ static int axp288_adc_probe(struct platform_device *pdev)
+ * Set ADC to enabled state at all time, including system suspend.
+ * otherwise internal fuel gauge functionality may be affected.
+ */
+- ret = regmap_write(info->regmap, AXP20X_ADC_EN1, AXP288_ADC_EN_MASK);
++ ret = axp288_adc_set_state(axp20x->regmap);
+ if (ret) {
+ dev_err(&pdev->dev, "unable to enable ADC device\n");
+ return ret;
+--
+2.17.1
+
--- /dev/null
+From 73a550b0ed5f4ef59ad3d58482fcf94f0614236a Mon Sep 17 00:00:00 2001
+From: Phil Reid <preid@electromag.com.au>
+Date: Tue, 5 Jun 2018 14:15:10 +0800
+Subject: iio: buffer: fix the function signature to match implementation
+
+[ Upstream commit 92397a6c38d139d50fabbe9e2dc09b61d53b2377 ]
+
+linux/iio/buffer-dma.h was not updated to when length was changed to
+unsigned int.
+
+Fixes: c043ec1ca5ba ("iio:buffer: make length types match kfifo types")
+Signed-off-by: Phil Reid <preid@electromag.com.au>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/iio/buffer-dma.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/iio/buffer-dma.h b/include/linux/iio/buffer-dma.h
+index 767467d886de..67c75372b691 100644
+--- a/include/linux/iio/buffer-dma.h
++++ b/include/linux/iio/buffer-dma.h
+@@ -141,7 +141,7 @@ int iio_dma_buffer_read(struct iio_buffer *buffer, size_t n,
+ char __user *user_buffer);
+ size_t iio_dma_buffer_data_available(struct iio_buffer *buffer);
+ int iio_dma_buffer_set_bytes_per_datum(struct iio_buffer *buffer, size_t bpd);
+-int iio_dma_buffer_set_length(struct iio_buffer *buffer, int length);
++int iio_dma_buffer_set_length(struct iio_buffer *buffer, unsigned int length);
+ int iio_dma_buffer_request_update(struct iio_buffer *buffer);
+
+ int iio_dma_buffer_init(struct iio_dma_buffer_queue *queue,
+--
+2.17.1
+
--- /dev/null
+From 0d08d761e17b5aa39f57c6dcc205ef9c46081e4d Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Wed, 5 Jul 2017 10:14:59 +0200
+Subject: iio: pressure: zpa2326: Remove always-true check which confuses gcc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit f61dfff2f5b9fcb087bf5c444bc44b444709588f ]
+
+With gcc 4.1.2:
+
+ drivers/iio/pressure/zpa2326.c: In function ‘zpa2326_wait_oneshot_completion’:
+ drivers/iio/pressure/zpa2326.c:868: warning: ‘ret’ may be used uninitialized in this function
+
+When testing for "timeout < 0", timeout is already guaranteed to be
+strict negative, so the branch is always taken, and ret is thus always
+initialized. But (some version of) gcc is not smart enough to notice.
+
+Remove the check to fix this.
+As there is no other code in between assigning the error codes and
+returning them, the error codes can be returned immediately, and the
+intermediate variable can be dropped.
+Drop the "else" to please checkpatch.
+
+Fixes: e7215fe4d51e69c9 ("iio: pressure: zpa2326: report interrupted case as failure")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/pressure/zpa2326.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/iio/pressure/zpa2326.c b/drivers/iio/pressure/zpa2326.c
+index 2a4a62ebfd8d..cc002b958f7e 100644
+--- a/drivers/iio/pressure/zpa2326.c
++++ b/drivers/iio/pressure/zpa2326.c
+@@ -869,7 +869,6 @@ complete:
+ static int zpa2326_wait_oneshot_completion(const struct iio_dev *indio_dev,
+ struct zpa2326_private *private)
+ {
+- int ret;
+ unsigned int val;
+ long timeout;
+
+@@ -891,14 +890,11 @@ static int zpa2326_wait_oneshot_completion(const struct iio_dev *indio_dev,
+ /* Timed out. */
+ zpa2326_warn(indio_dev, "no one shot interrupt occurred (%ld)",
+ timeout);
+- ret = -ETIME;
+- } else if (timeout < 0) {
+- zpa2326_warn(indio_dev,
+- "wait for one shot interrupt cancelled");
+- ret = -ERESTARTSYS;
++ return -ETIME;
+ }
+
+- return ret;
++ zpa2326_warn(indio_dev, "wait for one shot interrupt cancelled");
++ return -ERESTARTSYS;
+ }
+
+ static int zpa2326_init_managed_irq(struct device *parent,
+--
+2.17.1
+
--- /dev/null
+From 382f656e11584252dcd8aff2a2f723e29f0eafe7 Mon Sep 17 00:00:00 2001
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Date: Sat, 17 Jun 2017 11:38:05 +0800
+Subject: ip6_tunnel: Correct tos value in collect_md mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 46f8cd9d2fc1e4e8b82b53a0007f6c92e80c930b ]
+
+Same as ip_gre, geneve and vxlan, use key->tos as traffic class value.
+
+CC: Peter Dawson <petedaws@gmail.com>
+Fixes: 0e9a709560db ("ip6_tunnel, ip6_gre: fix setting of DSCP on
+encapsulated packets”)
+Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Acked-by: Peter Dawson <peter.a.dawson@boeing.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_tunnel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
+index fd081a14064e..a499e585d018 100644
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1258,7 +1258,7 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
+ fl6.flowi6_proto = IPPROTO_IPIP;
+ fl6.daddr = key->u.ipv6.dst;
+ fl6.flowlabel = key->label;
+- dsfield = ip6_tclass(key->label);
++ dsfield = key->tos;
+ } else {
+ if (!(t->parms.flags & IP6_TNL_F_IGN_ENCAP_LIMIT))
+ encap_limit = t->parms.encap_limit;
+@@ -1329,7 +1329,7 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
+ fl6.flowi6_proto = IPPROTO_IPV6;
+ fl6.daddr = key->u.ipv6.dst;
+ fl6.flowlabel = key->label;
+- dsfield = ip6_tclass(key->label);
++ dsfield = key->tos;
+ } else {
+ offset = ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb));
+ /* ip6_tnl_parse_tlv_enc_lim() might have reallocated skb->head */
+--
+2.17.1
+
--- /dev/null
+From bfbbd2e27cb41185142edad97e4c058e75136a37 Mon Sep 17 00:00:00 2001
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Tue, 28 Aug 2018 13:40:51 +0200
+Subject: ipv6: fix cleanup ordering for ip6_mr failure
+
+[ Upstream commit afe49de44c27a89e8e9631c44b5ffadf6ace65e2 ]
+
+Commit 15e668070a64 ("ipv6: reorder icmpv6_init() and ip6_mr_init()")
+moved the cleanup label for ipmr_fail, but should have changed the
+contents of the cleanup labels as well. Now we can end up cleaning up
+icmpv6 even though it hasn't been initialized (jump to icmp_fail or
+ipmr_fail).
+
+Simply undo things in the reverse order of their initialization.
+
+Example of panic (triggered by faking a failure of icmpv6_init):
+
+ kasan: GPF could be caused by NULL-ptr deref or user memory access
+ general protection fault: 0000 [#1] PREEMPT SMP KASAN PTI
+ [...]
+ RIP: 0010:__list_del_entry_valid+0x79/0x160
+ [...]
+ Call Trace:
+ ? lock_release+0x8a0/0x8a0
+ unregister_pernet_operations+0xd4/0x560
+ ? ops_free_list+0x480/0x480
+ ? down_write+0x91/0x130
+ ? unregister_pernet_subsys+0x15/0x30
+ ? down_read+0x1b0/0x1b0
+ ? up_read+0x110/0x110
+ ? kmem_cache_create_usercopy+0x1b4/0x240
+ unregister_pernet_subsys+0x1d/0x30
+ icmpv6_cleanup+0x1d/0x30
+ inet6_init+0x1b5/0x23f
+
+Fixes: 15e668070a64 ("ipv6: reorder icmpv6_init() and ip6_mr_init()")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/af_inet6.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
+index 421379014995..f7b425615c12 100644
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -1045,11 +1045,11 @@ netfilter_fail:
+ igmp_fail:
+ ndisc_cleanup();
+ ndisc_fail:
+- ip6_mr_cleanup();
++ icmpv6_cleanup();
+ icmp_fail:
+- unregister_pernet_subsys(&inet6_net_ops);
++ ip6_mr_cleanup();
+ ipmr_fail:
+- icmpv6_cleanup();
++ unregister_pernet_subsys(&inet6_net_ops);
+ register_pernet_fail:
+ sock_unregister(PF_INET6);
+ rtnl_unregister_all(PF_INET6);
+--
+2.17.1
+
--- /dev/null
+From 31138a59535a20e005623b4e4096632159dfbe5a Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Thu, 3 Aug 2017 14:13:46 +0800
+Subject: ipv6: set rt6i_protocol properly in the route when it is installed
+
+[ Upstream commit b91d532928dff2141ea9c107c3e73104d9843767 ]
+
+After commit c2ed1880fd61 ("net: ipv6: check route protocol when
+deleting routes"), ipv6 route checks rt protocol when trying to
+remove a rt entry.
+
+It introduced a side effect causing 'ip -6 route flush cache' not
+to work well. When flushing caches with iproute, all route caches
+get dumped from kernel then removed one by one by sending DELROUTE
+requests to kernel for each cache.
+
+The thing is iproute sends the request with the cache whose proto
+is set with RTPROT_REDIRECT by rt6_fill_node() when kernel dumps
+it. But in kernel the rt_cache protocol is still 0, which causes
+the cache not to be matched and removed.
+
+So the real reason is rt6i_protocol in the route is not set when
+it is allocated. As David Ahern's suggestion, this patch is to
+set rt6i_protocol properly in the route when it is installed and
+remove the codes setting rtm_protocol according to rt6i_flags in
+rt6_fill_node.
+
+This is also an improvement to keep rt6i_protocol consistent with
+rtm_protocol.
+
+Fixes: c2ed1880fd61 ("net: ipv6: check route protocol when deleting routes")
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Suggested-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/route.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 70fa31e37360..4cc12eeca7ab 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -2289,6 +2289,7 @@ static void rt6_do_redirect(struct dst_entry *dst, struct sock *sk, struct sk_bu
+ if (on_link)
+ nrt->rt6i_flags &= ~RTF_GATEWAY;
+
++ nrt->rt6i_protocol = RTPROT_REDIRECT;
+ nrt->rt6i_gateway = *(struct in6_addr *)neigh->primary_key;
+
+ if (ip6_ins_rt(nrt))
+@@ -2393,6 +2394,7 @@ static struct rt6_info *rt6_add_route_info(struct net *net,
+ .fc_dst_len = prefixlen,
+ .fc_flags = RTF_GATEWAY | RTF_ADDRCONF | RTF_ROUTEINFO |
+ RTF_UP | RTF_PREF(pref),
++ .fc_protocol = RTPROT_RA,
+ .fc_nlinfo.portid = 0,
+ .fc_nlinfo.nlh = NULL,
+ .fc_nlinfo.nl_net = net,
+@@ -2445,6 +2447,7 @@ struct rt6_info *rt6_add_dflt_router(const struct in6_addr *gwaddr,
+ .fc_ifindex = dev->ifindex,
+ .fc_flags = RTF_GATEWAY | RTF_ADDRCONF | RTF_DEFAULT |
+ RTF_UP | RTF_EXPIRES | RTF_PREF(pref),
++ .fc_protocol = RTPROT_RA,
+ .fc_nlinfo.portid = 0,
+ .fc_nlinfo.nlh = NULL,
+ .fc_nlinfo.nl_net = dev_net(dev),
+@@ -3241,14 +3244,6 @@ static int rt6_fill_node(struct net *net,
+ }
+ rtm->rtm_scope = RT_SCOPE_UNIVERSE;
+ rtm->rtm_protocol = rt->rt6i_protocol;
+- if (rt->rt6i_flags & RTF_DYNAMIC)
+- rtm->rtm_protocol = RTPROT_REDIRECT;
+- else if (rt->rt6i_flags & RTF_ADDRCONF) {
+- if (rt->rt6i_flags & (RTF_DEFAULT | RTF_ROUTEINFO))
+- rtm->rtm_protocol = RTPROT_RA;
+- else
+- rtm->rtm_protocol = RTPROT_KERNEL;
+- }
+
+ if (rt->rt6i_flags & RTF_CACHE)
+ rtm->rtm_flags |= RTM_F_CLONED;
+--
+2.17.1
+
--- /dev/null
+From 4834d0e413ac39e9f8702eed50a893d0fdc031de Mon Sep 17 00:00:00 2001
+From: James Chapman <jchapman@katalix.com>
+Date: Wed, 3 Jan 2018 22:48:06 +0000
+Subject: l2tp: remove configurable payload offset
+
+[ Upstream commit 900631ee6a2651dc4fbaecb8ef9fa5f1e3378853 ]
+
+If L2TP_ATTR_OFFSET is set to a non-zero value in L2TPv3 tunnels, it
+results in L2TPv3 packets being transmitted which might not be
+compliant with the L2TPv3 RFC. This patch has l2tp ignore the offset
+setting and send all packets with no offset.
+
+In more detail:
+
+L2TPv2 supports a variable offset from the L2TPv2 header to the
+payload. The offset value is indicated by an optional field in the
+L2TP header. Our L2TP implementation already detects the presence of
+the optional offset and skips that many bytes when handling data
+received packets. All transmitted packets are always transmitted with
+no offset.
+
+L2TPv3 has no optional offset field in the L2TPv3 packet
+header. Instead, L2TPv3 defines optional fields in a "Layer-2 Specific
+Sublayer". At the time when the original L2TP code was written, there
+was talk at IETF of offset being implemented in a new Layer-2 Specific
+Sublayer. A L2TP_ATTR_OFFSET netlink attribute was added so that this
+offset could be configured and the intention was to allow it to be
+also used to set the tx offset for L2TPv2. However, no L2TPv3 offset
+was ever specified and the L2TP_ATTR_OFFSET parameter was forgotten
+about.
+
+Setting L2TP_ATTR_OFFSET results in L2TPv3 packets being transmitted
+with the specified number of bytes padding between L2TPv3 header and
+payload. This is not compliant with L2TPv3 RFC3931. This change
+removes the configurable offset altogether while retaining
+L2TP_ATTR_OFFSET for backwards compatibility. Any L2TP_ATTR_OFFSET
+value is ignored.
+
+Signed-off-by: James Chapman <jchapman@katalix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_core.c | 14 ++++----------
+ net/l2tp/l2tp_core.h | 3 ---
+ net/l2tp/l2tp_debugfs.c | 4 ++--
+ net/l2tp/l2tp_netlink.c | 3 ---
+ 4 files changed, 6 insertions(+), 18 deletions(-)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index a5333f6cb65a..b96dbe38ecad 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -845,10 +845,8 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
+ }
+ }
+
+- /* Session data offset is handled differently for L2TPv2 and
+- * L2TPv3. For L2TPv2, there is an optional 16-bit value in
+- * the header. For L2TPv3, the offset is negotiated using AVPs
+- * in the session setup control protocol.
++ /* Session data offset is defined only for L2TPv2 and is
++ * indicated by an optional 16-bit value in the header.
+ */
+ if (tunnel->version == L2TP_HDR_VER_2) {
+ /* If offset bit set, skip it. */
+@@ -856,8 +854,7 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
+ offset = ntohs(*(__be16 *)ptr);
+ ptr += 2 + offset;
+ }
+- } else
+- ptr += session->offset;
++ }
+
+ offset = ptr - optr;
+ if (!pskb_may_pull(skb, offset))
+@@ -1141,8 +1138,6 @@ static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
+ }
+ bufp += session->l2specific_len;
+ }
+- if (session->offset)
+- bufp += session->offset;
+
+ return bufp - optr;
+ }
+@@ -1827,7 +1822,7 @@ void l2tp_session_set_header_len(struct l2tp_session *session, int version)
+ if (session->send_seq)
+ session->hdr_len += 4;
+ } else {
+- session->hdr_len = 4 + session->cookie_len + session->l2specific_len + session->offset;
++ session->hdr_len = 4 + session->cookie_len + session->l2specific_len;
+ if (session->tunnel->encap == L2TP_ENCAPTYPE_UDP)
+ session->hdr_len += 4;
+ }
+@@ -1878,7 +1873,6 @@ struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunn
+ session->recv_seq = cfg->recv_seq;
+ session->lns_mode = cfg->lns_mode;
+ session->reorder_timeout = cfg->reorder_timeout;
+- session->offset = cfg->offset;
+ session->l2specific_type = cfg->l2specific_type;
+ session->l2specific_len = cfg->l2specific_len;
+ session->cookie_len = cfg->cookie_len;
+diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
+index 42419f1c24cf..86356a23a0a7 100644
+--- a/net/l2tp/l2tp_core.h
++++ b/net/l2tp/l2tp_core.h
+@@ -68,7 +68,6 @@ struct l2tp_session_cfg {
+ int debug; /* bitmask of debug message
+ * categories */
+ u16 vlan_id; /* VLAN pseudowire only */
+- u16 offset; /* offset to payload */
+ u16 l2specific_len; /* Layer 2 specific length */
+ u16 l2specific_type; /* Layer 2 specific type */
+ u8 cookie[8]; /* optional cookie */
+@@ -94,8 +93,6 @@ struct l2tp_session {
+ int cookie_len;
+ u8 peer_cookie[8];
+ int peer_cookie_len;
+- u16 offset; /* offset from end of L2TP header
+- to beginning of data */
+ u16 l2specific_len;
+ u16 l2specific_type;
+ u16 hdr_len;
+diff --git a/net/l2tp/l2tp_debugfs.c b/net/l2tp/l2tp_debugfs.c
+index d100aed3d06f..2d2a73280ec2 100644
+--- a/net/l2tp/l2tp_debugfs.c
++++ b/net/l2tp/l2tp_debugfs.c
+@@ -181,8 +181,8 @@ static void l2tp_dfs_seq_session_show(struct seq_file *m, void *v)
+ session->lns_mode ? "LNS" : "LAC",
+ session->debug,
+ jiffies_to_msecs(session->reorder_timeout));
+- seq_printf(m, " offset %hu l2specific %hu/%hu\n",
+- session->offset, session->l2specific_type, session->l2specific_len);
++ seq_printf(m, " offset 0 l2specific %hu/%hu\n",
++ session->l2specific_type, session->l2specific_len);
+ if (session->cookie_len) {
+ seq_printf(m, " cookie %02x%02x%02x%02x",
+ session->cookie[0], session->cookie[1],
+diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
+index ee03bc866d1b..d6fccfdca201 100644
+--- a/net/l2tp/l2tp_netlink.c
++++ b/net/l2tp/l2tp_netlink.c
+@@ -536,9 +536,6 @@ static int l2tp_nl_cmd_session_create(struct sk_buff *skb, struct genl_info *inf
+ }
+
+ if (tunnel->version > 2) {
+- if (info->attrs[L2TP_ATTR_OFFSET])
+- cfg.offset = nla_get_u16(info->attrs[L2TP_ATTR_OFFSET]);
+-
+ if (info->attrs[L2TP_ATTR_DATA_SEQ])
+ cfg.data_seq = nla_get_u8(info->attrs[L2TP_ATTR_DATA_SEQ]);
+
+--
+2.17.1
+
--- /dev/null
+From 013128f1786db34e2c513def1e3b12b35dde24da Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:52 -0700
+Subject: lan78xx: Check for supported Wake-on-LAN modes
+
+[ Upstream commit eb9ad088f96653a26b340f7c447c44cf023d5cdc ]
+
+The driver supports a fair amount of Wake-on-LAN modes, but is not
+checking that the user specified one that is supported.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Woojung Huh <Woojung.Huh@Microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/lan78xx.c | 17 ++++-------------
+ 1 file changed, 4 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index c5e04d1ad73a..0cbcd3f77341 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -1311,19 +1311,10 @@ static int lan78xx_set_wol(struct net_device *netdev,
+ if (ret < 0)
+ return ret;
+
+- pdata->wol = 0;
+- if (wol->wolopts & WAKE_UCAST)
+- pdata->wol |= WAKE_UCAST;
+- if (wol->wolopts & WAKE_MCAST)
+- pdata->wol |= WAKE_MCAST;
+- if (wol->wolopts & WAKE_BCAST)
+- pdata->wol |= WAKE_BCAST;
+- if (wol->wolopts & WAKE_MAGIC)
+- pdata->wol |= WAKE_MAGIC;
+- if (wol->wolopts & WAKE_PHY)
+- pdata->wol |= WAKE_PHY;
+- if (wol->wolopts & WAKE_ARP)
+- pdata->wol |= WAKE_ARP;
++ if (wol->wolopts & ~WAKE_ALL)
++ return -EINVAL;
++
++ pdata->wol = wol->wolopts;
+
+ device_set_wakeup_enable(&dev->udev->dev, (bool)wol->wolopts);
+
+--
+2.17.1
+
--- /dev/null
+From e5d6aeefe900898e774fcf20cce7f370f9b0821a Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Wed, 31 May 2017 14:26:26 -0400
+Subject: libata: fix error checking in in ata_parse_force_one()
+
+[ Upstream commit f7cf69ae171592d133c69b9adaa5de7cfb6038ea ]
+
+ata_parse_force_one() was incorrectly comparing @p to @endp when it
+should have been comparing @id. The only consequence is that it may
+end up using an invalid port number in "libata.force" module param
+instead of rejecting it.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Petru-Florin Mihancea <petrum@gmail.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=195785
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index 73d636d35961..a166359ad5d4 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -6781,7 +6781,7 @@ static int __init ata_parse_force_one(char **cur,
+ }
+
+ force_ent->port = simple_strtoul(id, &endp, 10);
+- if (p == endp || *endp != '\0') {
++ if (id == endp || *endp != '\0') {
+ *reason = "invalid port/link";
+ return -EINVAL;
+ }
+--
+2.17.1
+
--- /dev/null
+From 145d0f02b5d4b9611545d80897fdc8ddc6d2a609 Mon Sep 17 00:00:00 2001
+From: Daniel Mack <daniel@zonque.org>
+Date: Mon, 8 Oct 2018 22:03:57 +0200
+Subject: libertas: call into generic suspend code before turning off power
+
+[ Upstream commit 4f666675cdff0b986195413215eb062b7da6586f ]
+
+When powering down a SDIO connected card during suspend, make sure to call
+into the generic lbs_suspend() function before pulling the plug. This will
+make sure the card is successfully deregistered from the system to avoid
+communication to the card starving out.
+
+Fixes: 7444a8092906 ("libertas: fix suspend and resume for SDIO connected cards")
+Signed-off-by: Daniel Mack <daniel@zonque.org>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Acked-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/libertas/if_sdio.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/libertas/if_sdio.c b/drivers/net/wireless/marvell/libertas/if_sdio.c
+index a0ae8d8763bb..06a57c708992 100644
+--- a/drivers/net/wireless/marvell/libertas/if_sdio.c
++++ b/drivers/net/wireless/marvell/libertas/if_sdio.c
+@@ -1368,6 +1368,10 @@ static int if_sdio_suspend(struct device *dev)
+ if (priv->wol_criteria == EHS_REMOVE_WAKEUP) {
+ dev_info(dev, "Suspend without wake params -- powering down card\n");
+ if (priv->fw_ready) {
++ ret = lbs_suspend(priv);
++ if (ret)
++ return ret;
++
+ priv->power_up_on_resume = true;
+ if_sdio_power_off(card);
+ }
+--
+2.17.1
+
--- /dev/null
+From 9012841fbe50f464a65b0108fdff19f77028dabf Mon Sep 17 00:00:00 2001
+From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Date: Wed, 5 Sep 2018 08:06:13 +0300
+Subject: mac80211: Always report TX status
+
+[ Upstream commit 8682250b3c1b75a45feb7452bc413d004cfe3778 ]
+
+If a frame is dropped for any reason, mac80211 wouldn't report the TX
+status back to user space.
+
+As the user space may rely on the TX_STATUS to kick its state
+machines, resends etc, it's better to just report this frame as not
+acked instead.
+
+Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/status.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/net/mac80211/status.c b/net/mac80211/status.c
+index 72fe9bc7a1f9..7892bac21eac 100644
+--- a/net/mac80211/status.c
++++ b/net/mac80211/status.c
+@@ -472,11 +472,6 @@ static void ieee80211_report_ack_skb(struct ieee80211_local *local,
+ if (!skb)
+ return;
+
+- if (dropped) {
+- dev_kfree_skb_any(skb);
+- return;
+- }
+-
+ if (info->flags & IEEE80211_TX_INTFL_NL80211_FRAME_TX) {
+ u64 cookie = IEEE80211_SKB_CB(skb)->ack.cookie;
+ struct ieee80211_sub_if_data *sdata;
+@@ -497,6 +492,8 @@ static void ieee80211_report_ack_skb(struct ieee80211_local *local,
+ }
+ rcu_read_unlock();
+
++ dev_kfree_skb_any(skb);
++ } else if (dropped) {
+ dev_kfree_skb_any(skb);
+ } else {
+ /* consumes skb */
+--
+2.17.1
+
--- /dev/null
+From 5aeddcd6b2c0cab577b5c38d46e4be6f0032a025 Mon Sep 17 00:00:00 2001
+From: Bob Copeland <me@bobcopeland.com>
+Date: Wed, 5 Sep 2018 06:22:59 -0400
+Subject: mac80211: fix pending queue hang due to TX_DROP
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 6eae4a6c2be387fec41b0d2782c4fffb57159498 ]
+
+In our environment running lots of mesh nodes, we are seeing the
+pending queue hang periodically, with the debugfs queues file showing
+lines such as:
+
+ 00: 0x00000000/348
+
+i.e. there are a large number of frames but no stop reason set.
+
+One way this could happen is if queue processing from the pending
+tasklet exited early without processing all frames, and without having
+some future event (incoming frame, stop reason flag, ...) to reschedule
+it.
+
+Exactly this can occur today if ieee80211_tx() returns false due to
+packet drops or power-save buffering in the tx handlers. In the
+past, this function would return true in such cases, and the change
+to false doesn't seem to be intentional. Fix this case by reverting
+to the previous behavior.
+
+Fixes: bb42f2d13ffc ("mac80211: Move reorder-sensitive TX handlers to after TXQ dequeue")
+Signed-off-by: Bob Copeland <bobcopeland@fb.com>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 84582998f65f..58fba4e569e6 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -1833,7 +1833,7 @@ static bool ieee80211_tx(struct ieee80211_sub_if_data *sdata,
+ sdata->vif.hw_queue[skb_get_queue_mapping(skb)];
+
+ if (invoke_tx_handlers_early(&tx))
+- return false;
++ return true;
+
+ if (ieee80211_queue_skb(local, sdata, tx.sta, tx.skb))
+ return true;
+--
+2.17.1
+
--- /dev/null
+From 2dea1d8f98a2d0d3e98020c34b14134c8df481e2 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Sat, 27 May 2017 00:27:25 +0200
+Subject: mac80211: fix TX aggregation start/stop callback race
+
+[ Upstream commit 7a7c0a6438b8e7636d5a22e572892cc234f68297 ]
+
+When starting or stopping an aggregation session, one of the steps
+is that the driver calls back to mac80211 that the start/stop can
+proceed. This is handled by queueing up a fake SKB and processing
+it from the normal iface/sdata work. Since this isn't flushed when
+disassociating, the following race is possible:
+
+ * associate
+ * start aggregation session
+ * driver callback
+ * disassociate
+ * associate again to the same AP
+ * callback processing runs, leading to a WARN_ON() that
+ the TID hadn't requested aggregation
+
+If the second association isn't to the same AP, there would only
+be a message printed ("Could not find station: <addr>"), but the
+same race could happen.
+
+Fix this by not going the whole detour with a fake SKB etc. but
+simply looking up the aggregation session in the driver callback,
+marking it with a START_CB/STOP_CB bit and then scheduling the
+regular aggregation work that will now process these bits as well.
+This also simplifies the code and gets rid of the whole problem
+with allocation failures of said skb, which could have left the
+session in limbo.
+
+Reported-by: Jouni Malinen <j@w1.fi>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/agg-tx.c | 128 +++++++++++++++----------------------
+ net/mac80211/ht.c | 16 +++--
+ net/mac80211/ieee80211_i.h | 14 ++--
+ net/mac80211/iface.c | 11 +---
+ net/mac80211/sta_info.h | 2 +
+ 5 files changed, 71 insertions(+), 100 deletions(-)
+
+diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
+index 45319cc01121..80c45567ee3a 100644
+--- a/net/mac80211/agg-tx.c
++++ b/net/mac80211/agg-tx.c
+@@ -7,7 +7,7 @@
+ * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz>
+ * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
+ * Copyright 2007-2010, Intel Corporation
+- * Copyright(c) 2015 Intel Deutschland GmbH
++ * Copyright(c) 2015-2017 Intel Deutschland GmbH
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+@@ -741,46 +741,43 @@ static void ieee80211_agg_tx_operational(struct ieee80211_local *local,
+ ieee80211_agg_start_txq(sta, tid, true);
+ }
+
+-void ieee80211_start_tx_ba_cb(struct ieee80211_vif *vif, u8 *ra, u16 tid)
++void ieee80211_start_tx_ba_cb(struct sta_info *sta, int tid,
++ struct tid_ampdu_tx *tid_tx)
+ {
+- struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
++ struct ieee80211_sub_if_data *sdata = sta->sdata;
+ struct ieee80211_local *local = sdata->local;
+- struct sta_info *sta;
+- struct tid_ampdu_tx *tid_tx;
+
+- trace_api_start_tx_ba_cb(sdata, ra, tid);
++ if (WARN_ON(test_and_set_bit(HT_AGG_STATE_DRV_READY, &tid_tx->state)))
++ return;
++
++ if (test_bit(HT_AGG_STATE_RESPONSE_RECEIVED, &tid_tx->state))
++ ieee80211_agg_tx_operational(local, sta, tid);
++}
++
++static struct tid_ampdu_tx *
++ieee80211_lookup_tid_tx(struct ieee80211_sub_if_data *sdata,
++ const u8 *ra, u16 tid, struct sta_info **sta)
++{
++ struct tid_ampdu_tx *tid_tx;
+
+ if (tid >= IEEE80211_NUM_TIDS) {
+ ht_dbg(sdata, "Bad TID value: tid = %d (>= %d)\n",
+ tid, IEEE80211_NUM_TIDS);
+- return;
++ return NULL;
+ }
+
+- mutex_lock(&local->sta_mtx);
+- sta = sta_info_get_bss(sdata, ra);
+- if (!sta) {
+- mutex_unlock(&local->sta_mtx);
++ *sta = sta_info_get_bss(sdata, ra);
++ if (!*sta) {
+ ht_dbg(sdata, "Could not find station: %pM\n", ra);
+- return;
++ return NULL;
+ }
+
+- mutex_lock(&sta->ampdu_mlme.mtx);
+- tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
++ tid_tx = rcu_dereference((*sta)->ampdu_mlme.tid_tx[tid]);
+
+- if (WARN_ON(!tid_tx)) {
++ if (WARN_ON(!tid_tx))
+ ht_dbg(sdata, "addBA was not requested!\n");
+- goto unlock;
+- }
+
+- if (WARN_ON(test_and_set_bit(HT_AGG_STATE_DRV_READY, &tid_tx->state)))
+- goto unlock;
+-
+- if (test_bit(HT_AGG_STATE_RESPONSE_RECEIVED, &tid_tx->state))
+- ieee80211_agg_tx_operational(local, sta, tid);
+-
+- unlock:
+- mutex_unlock(&sta->ampdu_mlme.mtx);
+- mutex_unlock(&local->sta_mtx);
++ return tid_tx;
+ }
+
+ void ieee80211_start_tx_ba_cb_irqsafe(struct ieee80211_vif *vif,
+@@ -788,19 +785,20 @@ void ieee80211_start_tx_ba_cb_irqsafe(struct ieee80211_vif *vif,
+ {
+ struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
+ struct ieee80211_local *local = sdata->local;
+- struct ieee80211_ra_tid *ra_tid;
+- struct sk_buff *skb = dev_alloc_skb(0);
++ struct sta_info *sta;
++ struct tid_ampdu_tx *tid_tx;
+
+- if (unlikely(!skb))
+- return;
++ trace_api_start_tx_ba_cb(sdata, ra, tid);
+
+- ra_tid = (struct ieee80211_ra_tid *) &skb->cb;
+- memcpy(&ra_tid->ra, ra, ETH_ALEN);
+- ra_tid->tid = tid;
++ rcu_read_lock();
++ tid_tx = ieee80211_lookup_tid_tx(sdata, ra, tid, &sta);
++ if (!tid_tx)
++ goto out;
+
+- skb->pkt_type = IEEE80211_SDATA_QUEUE_AGG_START;
+- skb_queue_tail(&sdata->skb_queue, skb);
+- ieee80211_queue_work(&local->hw, &sdata->work);
++ set_bit(HT_AGG_STATE_START_CB, &tid_tx->state);
++ ieee80211_queue_work(&local->hw, &sta->ampdu_mlme.work);
++ out:
++ rcu_read_unlock();
+ }
+ EXPORT_SYMBOL(ieee80211_start_tx_ba_cb_irqsafe);
+
+@@ -860,37 +858,18 @@ int ieee80211_stop_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid)
+ }
+ EXPORT_SYMBOL(ieee80211_stop_tx_ba_session);
+
+-void ieee80211_stop_tx_ba_cb(struct ieee80211_vif *vif, u8 *ra, u8 tid)
++void ieee80211_stop_tx_ba_cb(struct sta_info *sta, int tid,
++ struct tid_ampdu_tx *tid_tx)
+ {
+- struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
+- struct ieee80211_local *local = sdata->local;
+- struct sta_info *sta;
+- struct tid_ampdu_tx *tid_tx;
++ struct ieee80211_sub_if_data *sdata = sta->sdata;
+ bool send_delba = false;
+
+- trace_api_stop_tx_ba_cb(sdata, ra, tid);
+-
+- if (tid >= IEEE80211_NUM_TIDS) {
+- ht_dbg(sdata, "Bad TID value: tid = %d (>= %d)\n",
+- tid, IEEE80211_NUM_TIDS);
+- return;
+- }
+-
+- ht_dbg(sdata, "Stopping Tx BA session for %pM tid %d\n", ra, tid);
+-
+- mutex_lock(&local->sta_mtx);
+-
+- sta = sta_info_get_bss(sdata, ra);
+- if (!sta) {
+- ht_dbg(sdata, "Could not find station: %pM\n", ra);
+- goto unlock;
+- }
++ ht_dbg(sdata, "Stopping Tx BA session for %pM tid %d\n",
++ sta->sta.addr, tid);
+
+- mutex_lock(&sta->ampdu_mlme.mtx);
+ spin_lock_bh(&sta->lock);
+- tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
+
+- if (!tid_tx || !test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) {
++ if (!test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) {
+ ht_dbg(sdata,
+ "unexpected callback to A-MPDU stop for %pM tid %d\n",
+ sta->sta.addr, tid);
+@@ -906,12 +885,8 @@ void ieee80211_stop_tx_ba_cb(struct ieee80211_vif *vif, u8 *ra, u8 tid)
+ spin_unlock_bh(&sta->lock);
+
+ if (send_delba)
+- ieee80211_send_delba(sdata, ra, tid,
++ ieee80211_send_delba(sdata, sta->sta.addr, tid,
+ WLAN_BACK_INITIATOR, WLAN_REASON_QSTA_NOT_USE);
+-
+- mutex_unlock(&sta->ampdu_mlme.mtx);
+- unlock:
+- mutex_unlock(&local->sta_mtx);
+ }
+
+ void ieee80211_stop_tx_ba_cb_irqsafe(struct ieee80211_vif *vif,
+@@ -919,19 +894,20 @@ void ieee80211_stop_tx_ba_cb_irqsafe(struct ieee80211_vif *vif,
+ {
+ struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
+ struct ieee80211_local *local = sdata->local;
+- struct ieee80211_ra_tid *ra_tid;
+- struct sk_buff *skb = dev_alloc_skb(0);
++ struct sta_info *sta;
++ struct tid_ampdu_tx *tid_tx;
+
+- if (unlikely(!skb))
+- return;
++ trace_api_stop_tx_ba_cb(sdata, ra, tid);
+
+- ra_tid = (struct ieee80211_ra_tid *) &skb->cb;
+- memcpy(&ra_tid->ra, ra, ETH_ALEN);
+- ra_tid->tid = tid;
++ rcu_read_lock();
++ tid_tx = ieee80211_lookup_tid_tx(sdata, ra, tid, &sta);
++ if (!tid_tx)
++ goto out;
+
+- skb->pkt_type = IEEE80211_SDATA_QUEUE_AGG_STOP;
+- skb_queue_tail(&sdata->skb_queue, skb);
+- ieee80211_queue_work(&local->hw, &sdata->work);
++ set_bit(HT_AGG_STATE_STOP_CB, &tid_tx->state);
++ ieee80211_queue_work(&local->hw, &sta->ampdu_mlme.work);
++ out:
++ rcu_read_unlock();
+ }
+ EXPORT_SYMBOL(ieee80211_stop_tx_ba_cb_irqsafe);
+
+diff --git a/net/mac80211/ht.c b/net/mac80211/ht.c
+index f4a528773563..6ca5442b1e03 100644
+--- a/net/mac80211/ht.c
++++ b/net/mac80211/ht.c
+@@ -7,6 +7,7 @@
+ * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz>
+ * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
+ * Copyright 2007-2010, Intel Corporation
++ * Copyright 2017 Intel Deutschland GmbH
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+@@ -289,8 +290,6 @@ void ieee80211_sta_tear_down_BA_sessions(struct sta_info *sta,
+ {
+ int i;
+
+- cancel_work_sync(&sta->ampdu_mlme.work);
+-
+ for (i = 0; i < IEEE80211_NUM_TIDS; i++) {
+ __ieee80211_stop_tx_ba_session(sta, i, reason);
+ __ieee80211_stop_rx_ba_session(sta, i, WLAN_BACK_RECIPIENT,
+@@ -298,6 +297,9 @@ void ieee80211_sta_tear_down_BA_sessions(struct sta_info *sta,
+ reason != AGG_STOP_DESTROY_STA &&
+ reason != AGG_STOP_PEER_REQUEST);
+ }
++
++ /* stopping might queue the work again - so cancel only afterwards */
++ cancel_work_sync(&sta->ampdu_mlme.work);
+ }
+
+ void ieee80211_ba_session_work(struct work_struct *work)
+@@ -352,10 +354,16 @@ void ieee80211_ba_session_work(struct work_struct *work)
+ spin_unlock_bh(&sta->lock);
+
+ tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
+- if (tid_tx && test_and_clear_bit(HT_AGG_STATE_WANT_STOP,
+- &tid_tx->state))
++ if (!tid_tx)
++ continue;
++
++ if (test_and_clear_bit(HT_AGG_STATE_START_CB, &tid_tx->state))
++ ieee80211_start_tx_ba_cb(sta, tid, tid_tx);
++ if (test_and_clear_bit(HT_AGG_STATE_WANT_STOP, &tid_tx->state))
+ ___ieee80211_stop_tx_ba_session(sta, tid,
+ AGG_STOP_LOCAL_REQUEST);
++ if (test_and_clear_bit(HT_AGG_STATE_STOP_CB, &tid_tx->state))
++ ieee80211_stop_tx_ba_cb(sta, tid, tid_tx);
+ }
+ mutex_unlock(&sta->ampdu_mlme.mtx);
+ }
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index 7fd544d970d9..8a690ebd7374 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1026,8 +1026,6 @@ struct ieee80211_rx_agg {
+
+ enum sdata_queue_type {
+ IEEE80211_SDATA_QUEUE_TYPE_FRAME = 0,
+- IEEE80211_SDATA_QUEUE_AGG_START = 1,
+- IEEE80211_SDATA_QUEUE_AGG_STOP = 2,
+ IEEE80211_SDATA_QUEUE_RX_AGG_START = 3,
+ IEEE80211_SDATA_QUEUE_RX_AGG_STOP = 4,
+ };
+@@ -1416,12 +1414,6 @@ ieee80211_get_sband(struct ieee80211_sub_if_data *sdata)
+ return local->hw.wiphy->bands[band];
+ }
+
+-/* this struct represents 802.11n's RA/TID combination */
+-struct ieee80211_ra_tid {
+- u8 ra[ETH_ALEN];
+- u16 tid;
+-};
+-
+ /* this struct holds the value parsing from channel switch IE */
+ struct ieee80211_csa_ie {
+ struct cfg80211_chan_def chandef;
+@@ -1765,8 +1757,10 @@ int __ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
+ enum ieee80211_agg_stop_reason reason);
+ int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
+ enum ieee80211_agg_stop_reason reason);
+-void ieee80211_start_tx_ba_cb(struct ieee80211_vif *vif, u8 *ra, u16 tid);
+-void ieee80211_stop_tx_ba_cb(struct ieee80211_vif *vif, u8 *ra, u8 tid);
++void ieee80211_start_tx_ba_cb(struct sta_info *sta, int tid,
++ struct tid_ampdu_tx *tid_tx);
++void ieee80211_stop_tx_ba_cb(struct sta_info *sta, int tid,
++ struct tid_ampdu_tx *tid_tx);
+ void ieee80211_ba_session_work(struct work_struct *work);
+ void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid);
+ void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid);
+diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
+index fa7d757fef95..760ba8ec2944 100644
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -1248,7 +1248,6 @@ static void ieee80211_iface_work(struct work_struct *work)
+ struct ieee80211_local *local = sdata->local;
+ struct sk_buff *skb;
+ struct sta_info *sta;
+- struct ieee80211_ra_tid *ra_tid;
+ struct ieee80211_rx_agg *rx_agg;
+
+ if (!ieee80211_sdata_running(sdata))
+@@ -1264,15 +1263,7 @@ static void ieee80211_iface_work(struct work_struct *work)
+ while ((skb = skb_dequeue(&sdata->skb_queue))) {
+ struct ieee80211_mgmt *mgmt = (void *)skb->data;
+
+- if (skb->pkt_type == IEEE80211_SDATA_QUEUE_AGG_START) {
+- ra_tid = (void *)&skb->cb;
+- ieee80211_start_tx_ba_cb(&sdata->vif, ra_tid->ra,
+- ra_tid->tid);
+- } else if (skb->pkt_type == IEEE80211_SDATA_QUEUE_AGG_STOP) {
+- ra_tid = (void *)&skb->cb;
+- ieee80211_stop_tx_ba_cb(&sdata->vif, ra_tid->ra,
+- ra_tid->tid);
+- } else if (skb->pkt_type == IEEE80211_SDATA_QUEUE_RX_AGG_START) {
++ if (skb->pkt_type == IEEE80211_SDATA_QUEUE_RX_AGG_START) {
+ rx_agg = (void *)&skb->cb;
+ mutex_lock(&local->sta_mtx);
+ sta = sta_info_get_bss(sdata, rx_agg->addr);
+diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h
+index 15599c70a38f..cc808ac783e5 100644
+--- a/net/mac80211/sta_info.h
++++ b/net/mac80211/sta_info.h
+@@ -115,6 +115,8 @@ enum ieee80211_sta_info_flags {
+ #define HT_AGG_STATE_STOPPING 3
+ #define HT_AGG_STATE_WANT_START 4
+ #define HT_AGG_STATE_WANT_STOP 5
++#define HT_AGG_STATE_START_CB 6
++#define HT_AGG_STATE_STOP_CB 7
+
+ enum ieee80211_agg_stop_reason {
+ AGG_STOP_DECLINED,
+--
+2.17.1
+
--- /dev/null
+From 487e8e42b5bb2a39617a7a2b92c957f7ecef5b79 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 5 Sep 2018 13:34:02 +0200
+Subject: mac80211: TDLS: fix skb queue/priority assignment
+
+[ Upstream commit cb59bc14e830028d2244861216df038165d7625d ]
+
+If the TDLS setup happens over a connection to an AP that
+doesn't have QoS, we nevertheless assign a non-zero TID
+(skb->priority) and queue mapping, which may confuse us or
+drivers later.
+
+Fix it by just assigning the special skb->priority and then
+using ieee80211_select_queue() just like other data frames
+would go through.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tdls.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
+index f20dcf1b1830..c64ae68ae4f8 100644
+--- a/net/mac80211/tdls.c
++++ b/net/mac80211/tdls.c
+@@ -16,6 +16,7 @@
+ #include "ieee80211_i.h"
+ #include "driver-ops.h"
+ #include "rate.h"
++#include "wme.h"
+
+ /* give usermode some time for retries in setting up the TDLS session */
+ #define TDLS_PEER_SETUP_TIMEOUT (15 * HZ)
+@@ -1019,14 +1020,13 @@ ieee80211_tdls_prep_mgmt_packet(struct wiphy *wiphy, struct net_device *dev,
+ switch (action_code) {
+ case WLAN_TDLS_SETUP_REQUEST:
+ case WLAN_TDLS_SETUP_RESPONSE:
+- skb_set_queue_mapping(skb, IEEE80211_AC_BK);
+- skb->priority = 2;
++ skb->priority = 256 + 2;
+ break;
+ default:
+- skb_set_queue_mapping(skb, IEEE80211_AC_VI);
+- skb->priority = 5;
++ skb->priority = 256 + 5;
+ break;
+ }
++ skb_set_queue_mapping(skb, ieee80211_select_queue(sdata, skb));
+
+ /*
+ * Set the WLAN_TDLS_TEARDOWN flag to indicate a teardown in progress.
+--
+2.17.1
+
--- /dev/null
+From 3a26e0dfbc25ed8ac001afc781aa155d07cd42eb Mon Sep 17 00:00:00 2001
+From: Martin Willi <martin@strongswan.org>
+Date: Tue, 25 Sep 2018 09:51:02 +0200
+Subject: mac80211_hwsim: do not omit multicast announce of first added radio
+
+[ Upstream commit 28ef8b49a338dc1844e86b7954cfffc7dfa2660a ]
+
+The allocation of hwsim radio identifiers uses a post-increment from 0,
+so the first radio has idx 0. This idx is explicitly excluded from
+multicast announcements ever since, but it is unclear why.
+
+Drop that idx check and announce the first radio as well. This makes
+userspace happy if it relies on these events.
+
+Signed-off-by: Martin Willi <martin@strongswan.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
+index 4bb36dc73433..cbb3e902e347 100644
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -2665,8 +2665,7 @@ static int mac80211_hwsim_new_radio(struct genl_info *info,
+ list_add_tail(&data->list, &hwsim_radios);
+ spin_unlock_bh(&hwsim_radio_lock);
+
+- if (idx > 0)
+- hwsim_mcast_new_radio(idx, info, param);
++ hwsim_mcast_new_radio(idx, info, param);
+
+ return idx;
+
+--
+2.17.1
+
--- /dev/null
+From 02673f18ad1d162eec032c9543d74d0ec73fc683 Mon Sep 17 00:00:00 2001
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Tue, 10 Oct 2017 17:07:12 +0200
+Subject: macsec: fix memory leaks when skb_to_sgvec fails
+
+[ Upstream commit 5aba2ba5030b66a6f8c93049b718556f9aacd7c6 ]
+
+Fixes: cda7ea690350 ("macsec: check return value of skb_to_sgvec always")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macsec.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index 365a48cfcbbf..653f0b185a68 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -744,6 +744,7 @@ static struct sk_buff *macsec_encrypt(struct sk_buff *skb,
+ sg_init_table(sg, ret);
+ ret = skb_to_sgvec(skb, sg, 0, skb->len);
+ if (unlikely(ret < 0)) {
++ aead_request_free(req);
+ macsec_txsa_put(tx_sa);
+ kfree_skb(skb);
+ return ERR_PTR(ret);
+@@ -956,6 +957,7 @@ static struct sk_buff *macsec_decrypt(struct sk_buff *skb,
+ sg_init_table(sg, ret);
+ ret = skb_to_sgvec(skb, sg, 0, skb->len);
+ if (unlikely(ret < 0)) {
++ aead_request_free(req);
+ kfree_skb(skb);
+ return ERR_PTR(ret);
+ }
+--
+2.17.1
+
--- /dev/null
+From 477b55e9136344ec5dd8c7cf2ab64fc089fbfe6b Mon Sep 17 00:00:00 2001
+From: Matt Redfearn <matt.redfearn@imgtec.com>
+Date: Tue, 8 Aug 2017 13:22:30 +0100
+Subject: MIPS: Handle non word sized instructions when examining frame
+
+[ Upstream commit 11887ed172a6960673f130dad8f8fb42778f64d7 ]
+
+Commit 34c2f668d0f6b ("MIPS: microMIPS: Add unaligned access support.")
+added fairly broken support for handling 16bit microMIPS instructions in
+get_frame_info(). It adjusts the instruction pointer by 16bits in the
+case of a 16bit sp move instruction, but not any other 16bit
+instruction.
+
+Commit b6c7a324df37 ("MIPS: Fix get_frame_info() handling of microMIPS
+function size") goes some way to fixing get_frame_info() to iterate over
+microMIPS instuctions, but the instruction pointer is still manipulated
+using a postincrement, and is of union mips_instruction type. Since the
+union is sized to the largest member (a word), but microMIPS
+instructions are a mix of halfword and word sizes, the function does not
+always iterate correctly, ending up misaligned with the instruction
+stream and interpreting it incorrectly.
+
+Since the instruction modifying the stack pointer is usually the first
+in the function, that one is usually handled correctly. But the
+instruction which saves the return address to the sp is some variable
+number of instructions into the frame and is frequently missed due to
+not being on a word boundary, leading to incomplete walking of the
+stack.
+
+Fix this by incrementing the instruction pointer based on the size of
+the previously decoded instruction (& remove the hack introduced by
+commit 34c2f668d0f6b ("MIPS: microMIPS: Add unaligned access support.")
+which adjusts the instruction pointer in the case of a 16bit sp move
+instruction, but not any other).
+
+Fixes: 34c2f668d0f6b ("MIPS: microMIPS: Add unaligned access support.")
+Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
+Cc: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Paul Burton <paul.burton@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/16953/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/process.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
+index 0211dc737a21..1cc133e7026f 100644
+--- a/arch/mips/kernel/process.c
++++ b/arch/mips/kernel/process.c
+@@ -346,6 +346,7 @@ static int get_frame_info(struct mips_frame_info *info)
+ bool is_mmips = IS_ENABLED(CONFIG_CPU_MICROMIPS);
+ union mips_instruction insn, *ip, *ip_end;
+ const unsigned int max_insns = 128;
++ unsigned int last_insn_size = 0;
+ unsigned int i;
+
+ info->pc_offset = -1;
+@@ -357,15 +358,19 @@ static int get_frame_info(struct mips_frame_info *info)
+
+ ip_end = (void *)ip + info->func_size;
+
+- for (i = 0; i < max_insns && ip < ip_end; i++, ip++) {
++ for (i = 0; i < max_insns && ip < ip_end; i++) {
++ ip = (void *)ip + last_insn_size;
+ if (is_mmips && mm_insn_16bit(ip->halfword[0])) {
+ insn.halfword[0] = 0;
+ insn.halfword[1] = ip->halfword[0];
++ last_insn_size = 2;
+ } else if (is_mmips) {
+ insn.halfword[0] = ip->halfword[1];
+ insn.halfword[1] = ip->halfword[0];
++ last_insn_size = 4;
+ } else {
+ insn.word = ip->word;
++ last_insn_size = 4;
+ }
+
+ if (is_jump_ins(&insn))
+@@ -387,8 +392,6 @@ static int get_frame_info(struct mips_frame_info *info)
+ tmp = (ip->halfword[0] >> 1);
+ info->frame_size = -(signed short)(tmp & 0xf);
+ }
+- ip = (void *) &ip->halfword[1];
+- ip--;
+ } else
+ #endif
+ info->frame_size = - ip->i_format.simmediate;
+--
+2.17.1
+
--- /dev/null
+From 928990c84f3dade70d7e8067d7cb38cb7e0e5bc0 Mon Sep 17 00:00:00 2001
+From: Matt Redfearn <matt.redfearn@imgtec.com>
+Date: Tue, 8 Aug 2017 13:22:33 +0100
+Subject: MIPS: microMIPS: Fix decoding of swsp16 instruction
+
+[ Upstream commit cea8cd498f4f1c30ea27e3664b3c671e495c4fce ]
+
+When the immediate encoded in the instruction is accessed, it is sign
+extended due to being a signed value being assigned to a signed integer.
+The ISA specifies that this operation is an unsigned operation.
+The sign extension leads us to incorrectly decode:
+
+801e9c8e: cbf1 sw ra,68(sp)
+
+As having an immediate of 1073741809.
+
+Since the instruction format does not specify signed/unsigned, and this
+is currently the only location to use this instuction format, change it
+to an unsigned immediate.
+
+Fixes: bb9bc4689b9c ("MIPS: Calculate microMIPS ra properly when unwinding the stack")
+Suggested-by: Paul Burton <paul.burton@imgtec.com>
+Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
+Reviewed-by: James Hogan <james.hogan@imgtec.com>
+Cc: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+Cc: Miodrag Dinic <miodrag.dinic@imgtec.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: David Daney <david.daney@cavium.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/16957/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/uapi/asm/inst.h | 2 +-
+ arch/mips/kernel/process.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/include/uapi/asm/inst.h b/arch/mips/include/uapi/asm/inst.h
+index 77429d1622b3..711d9b8465b8 100644
+--- a/arch/mips/include/uapi/asm/inst.h
++++ b/arch/mips/include/uapi/asm/inst.h
+@@ -964,7 +964,7 @@ struct mm16_r3_format { /* Load from global pointer format */
+ struct mm16_r5_format { /* Load/store from stack pointer format */
+ __BITFIELD_FIELD(unsigned int opcode : 6,
+ __BITFIELD_FIELD(unsigned int rt : 5,
+- __BITFIELD_FIELD(signed int simmediate : 5,
++ __BITFIELD_FIELD(unsigned int imm : 5,
+ __BITFIELD_FIELD(unsigned int : 16, /* Ignored */
+ ;))))
+ };
+diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
+index ba315e523b33..0211dc737a21 100644
+--- a/arch/mips/kernel/process.c
++++ b/arch/mips/kernel/process.c
+@@ -212,7 +212,7 @@ static inline int is_ra_save_ins(union mips_instruction *ip, int *poff)
+ if (ip->mm16_r5_format.rt != 31)
+ return 0;
+
+- *poff = ip->mm16_r5_format.simmediate;
++ *poff = ip->mm16_r5_format.imm;
+ *poff = (*poff << 2) / sizeof(ulong);
+ return 1;
+
+--
+2.17.1
+
--- /dev/null
+From cea217a565dce92591af7df35041d016cc76bb78 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Thu, 14 Dec 2017 15:33:08 -0800
+Subject: mm/frame_vector.c: release a semaphore in 'get_vaddr_frames()'
+
+[ Upstream commit 1f704fd0d14043e76e80f6b8b2251b9b2cedcca6 ]
+
+A semaphore is acquired before this check, so we must release it before
+leaving.
+
+Link: http://lkml.kernel.org/r/20171211211009.4971-1-christophe.jaillet@wanadoo.fr
+Fixes: b7f0554a56f2 ("mm: fail get_vaddr_frames() for filesystem-dax mappings")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Christian Borntraeger <borntraeger@de.ibm.com>
+Cc: David Sterba <dsterba@suse.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/frame_vector.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/mm/frame_vector.c b/mm/frame_vector.c
+index 375a103d7a56..d73eed0443f6 100644
+--- a/mm/frame_vector.c
++++ b/mm/frame_vector.c
+@@ -61,8 +61,10 @@ int get_vaddr_frames(unsigned long start, unsigned int nr_frames,
+ * get_user_pages_longterm() and disallow it for filesystem-dax
+ * mappings.
+ */
+- if (vma_is_fsdax(vma))
+- return -EOPNOTSUPP;
++ if (vma_is_fsdax(vma)) {
++ ret = -EOPNOTSUPP;
++ goto out;
++ }
+
+ if (!(vma->vm_flags & (VM_IO | VM_PFNMAP))) {
+ vec->got_ref = true;
+--
+2.17.1
+
--- /dev/null
+From fd74c86ceb73d8c100796c25a2ce0a6ce8a00bf4 Mon Sep 17 00:00:00 2001
+From: zhong jiang <zhongjiang@huawei.com>
+Date: Fri, 24 Feb 2017 14:59:30 -0800
+Subject: mm/memory_hotplug.c: fix overflow in test_pages_in_a_zone()
+
+[ Upstream commit d6d8c8a48291b929b2e039f220f0b62958cccfea ]
+
+When mainline introduced commit a96dfddbcc04 ("base/memory, hotplug: fix
+a kernel oops in show_valid_zones()"), it obtained the valid start and
+end pfn from the given pfn range. The valid start pfn can fix the
+actual issue, but it introduced another issue. The valid end pfn will
+may exceed the given end_pfn.
+
+Although the incorrect overflow will not result in actual problem at
+present, but I think it need to be fixed.
+
+[toshi.kani@hpe.com: remove assumption that end_pfn is aligned by MAX_ORDER_NR_PAGES]
+Fixes: a96dfddbcc04 ("base/memory, hotplug: fix a kernel oops in show_valid_zones()")
+Link: http://lkml.kernel.org/r/1486467299-22648-1-git-send-email-zhongjiang@huawei.com
+Signed-off-by: zhong jiang <zhongjiang@huawei.com>
+Signed-off-by: Toshi Kani <toshi.kani@hpe.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/memory_hotplug.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
+index c9f715b2917f..0f962cc3f1bf 100644
+--- a/mm/memory_hotplug.c
++++ b/mm/memory_hotplug.c
+@@ -1508,7 +1508,7 @@ int test_pages_in_a_zone(unsigned long start_pfn, unsigned long end_pfn,
+ while ((i < MAX_ORDER_NR_PAGES) &&
+ !pfn_valid_within(pfn + i))
+ i++;
+- if (i == MAX_ORDER_NR_PAGES)
++ if (i == MAX_ORDER_NR_PAGES || pfn + i >= end_pfn)
+ continue;
+ page = pfn_to_page(pfn + i);
+ if (zone && page_zone(page) != zone)
+@@ -1522,7 +1522,7 @@ int test_pages_in_a_zone(unsigned long start_pfn, unsigned long end_pfn,
+
+ if (zone) {
+ *valid_start = start;
+- *valid_end = end;
++ *valid_end = min(end, end_pfn);
+ return 1;
+ } else {
+ return 0;
+--
+2.17.1
+
--- /dev/null
+From d5ba8a4ed5c30be4acf1b568a69108fc55debcad Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 28 Nov 2016 15:59:13 +0100
+Subject: module: fix DEBUG_SET_MODULE_RONX typo
+
+[ Upstream commit 4d217a5adccf5e806790c37c61cc374a08bd7381 ]
+
+The newly added 'rodata_enabled' global variable is protected by
+the wrong #ifdef, leading to a link error when CONFIG_DEBUG_SET_MODULE_RONX
+is turned on:
+
+kernel/module.o: In function `disable_ro_nx':
+module.c:(.text.unlikely.disable_ro_nx+0x88): undefined reference to `rodata_enabled'
+kernel/module.o: In function `module_disable_ro':
+module.c:(.text.module_disable_ro+0x8c): undefined reference to `rodata_enabled'
+kernel/module.o: In function `module_enable_ro':
+module.c:(.text.module_enable_ro+0xb0): undefined reference to `rodata_enabled'
+
+CONFIG_SET_MODULE_RONX does not exist, so use the correct one instead.
+
+Fixes: 39290b389ea2 ("module: extend 'rodata=off' boot cmdline parameter to module mappings")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Jessica Yu <jeyu@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ init/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/main.c b/init/main.c
+index 4313772d634a..3c7f71d8e704 100644
+--- a/init/main.c
++++ b/init/main.c
+@@ -915,7 +915,7 @@ static int try_to_run_init_process(const char *init_filename)
+
+ static noinline void __init kernel_init_freeable(void);
+
+-#if defined(CONFIG_DEBUG_RODATA) || defined(CONFIG_SET_MODULE_RONX)
++#if defined(CONFIG_DEBUG_RODATA) || defined(CONFIG_DEBUG_SET_MODULE_RONX)
+ bool rodata_enabled __ro_after_init = true;
+ static int __init set_debug_rodata(char *str)
+ {
+--
+2.17.1
+
--- /dev/null
+From d5039b9b4833a5e7d8cabb87ba6c54f9ade9b022 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <jbacik@fb.com>
+Date: Thu, 19 Jan 2017 16:08:49 -0500
+Subject: nbd: only set MSG_MORE when we have more to send
+
+[ Upstream commit d61b7f972dab2a7d187c38254845546dfc8eed85 ]
+
+A user noticed that write performance was horrible over loopback and we
+traced it to an inversion of when we need to set MSG_MORE. It should be
+set when we have more bvec's to send, not when we are on the last bvec.
+This patch made the test go from 20 iops to 78k iops.
+
+Signed-off-by: Josef Bacik <jbacik@fb.com>
+Fixes: 429a787be679 ("nbd: fix use-after-free of rq/bio in the xmit path")
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 4d30da269060..42a53956aefe 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -269,7 +269,7 @@ static inline int sock_send_bvec(struct nbd_device *nbd, struct bio_vec *bvec,
+ static int nbd_send_cmd(struct nbd_device *nbd, struct nbd_cmd *cmd)
+ {
+ struct request *req = blk_mq_rq_from_pdu(cmd);
+- int result, flags;
++ int result;
+ struct nbd_request request;
+ unsigned long size = blk_rq_bytes(req);
+ struct bio *bio;
+@@ -309,7 +309,6 @@ static int nbd_send_cmd(struct nbd_device *nbd, struct nbd_cmd *cmd)
+ if (type != NBD_CMD_WRITE)
+ return 0;
+
+- flags = 0;
+ bio = req->bio;
+ while (bio) {
+ struct bio *next = bio->bi_next;
+@@ -318,9 +317,8 @@ static int nbd_send_cmd(struct nbd_device *nbd, struct nbd_cmd *cmd)
+
+ bio_for_each_segment(bvec, bio, iter) {
+ bool is_last = !next && bio_iter_last(bvec, iter);
++ int flags = is_last ? 0 : MSG_MORE;
+
+- if (is_last)
+- flags = MSG_MORE;
+ dev_dbg(nbd_to_dev(nbd), "request %p: sending %d bytes data\n",
+ cmd, bvec.bv_len);
+ result = sock_send_bvec(nbd, &bvec, flags);
+--
+2.17.1
+
--- /dev/null
+From 56314bef3a6756dbcfa44078b37a214d3b1eedd9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Wed, 15 Nov 2017 09:35:02 +0100
+Subject: net: cdc_ncm: GetNtbFormat endian fix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 6314dab4b8fb8493d810e175cb340376052c69b6 ]
+
+The GetNtbFormat and SetNtbFormat requests operate on 16 bit little
+endian values. We get away with ignoring this most of the time, because
+we only care about USB_CDC_NCM_NTB16_FORMAT which is 0x0000. This
+fails for USB_CDC_NCM_NTB32_FORMAT.
+
+Fix comparison between LE value from device and constant by converting
+the constant to LE.
+
+Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Fixes: 2b02c20ce0c2 ("cdc_ncm: Set NTB format again after altsetting switch for Huawei devices")
+Cc: Enrico Mioso <mrkiko.rs@gmail.com>
+Cc: Christian Panton <christian@panton.org>
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Acked-By: Enrico Mioso <mrkiko.rs@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/cdc_ncm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index 3086cae62fdc..7b158674ceed 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -772,7 +772,7 @@ int cdc_ncm_bind_common(struct usbnet *dev, struct usb_interface *intf, u8 data_
+ int err;
+ u8 iface_no;
+ struct usb_cdc_parsed_header hdr;
+- u16 curr_ntb_format;
++ __le16 curr_ntb_format;
+
+ ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
+ if (!ctx)
+@@ -890,7 +890,7 @@ int cdc_ncm_bind_common(struct usbnet *dev, struct usb_interface *intf, u8 data_
+ goto error2;
+ }
+
+- if (curr_ntb_format == USB_CDC_NCM_NTB32_FORMAT) {
++ if (curr_ntb_format == cpu_to_le16(USB_CDC_NCM_NTB32_FORMAT)) {
+ dev_info(&intf->dev, "resetting NTB format to 16-bit");
+ err = usbnet_write_cmd(dev, USB_CDC_SET_NTB_FORMAT,
+ USB_TYPE_CLASS | USB_DIR_OUT
+--
+2.17.1
+
--- /dev/null
+From adb99f7e0d4ff306713c969a8c6d062a9680b2ce Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wang6495@umn.edu>
+Date: Fri, 5 Oct 2018 08:48:27 -0500
+Subject: net: cxgb3_main: fix a missing-check bug
+
+[ Upstream commit 2c05d88818ab6571816b93edce4d53703870d7ae ]
+
+In cxgb_extension_ioctl(), the command of the ioctl is firstly copied from
+the user-space buffer 'useraddr' to 'cmd' and checked through the
+switch statement. If the command is not as expected, an error code
+EOPNOTSUPP is returned. In the following execution, i.e., the cases of the
+switch statement, the whole buffer of 'useraddr' is copied again to a
+specific data structure, according to what kind of command is requested.
+However, after the second copy, there is no re-check on the newly-copied
+command. Given that the buffer 'useraddr' is in the user space, a malicious
+user can race to change the command between the two copies. By doing so,
+the attacker can supply malicious data to the kernel and cause undefined
+behavior.
+
+This patch adds a re-check in each case of the switch statement if there is
+a second copy in that case, to re-check whether the command obtained in the
+second copy is the same as the one in the first copy. If not, an error code
+EINVAL is returned.
+
+Signed-off-by: Wenwen Wang <wang6495@umn.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+index dc0efbd91c32..ddd1ec8f7bd0 100644
+--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+@@ -2150,6 +2150,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ return -EPERM;
+ if (copy_from_user(&t, useraddr, sizeof(t)))
+ return -EFAULT;
++ if (t.cmd != CHELSIO_SET_QSET_PARAMS)
++ return -EINVAL;
+ if (t.qset_idx >= SGE_QSETS)
+ return -EINVAL;
+ if (!in_range(t.intr_lat, 0, M_NEWTIMER) ||
+@@ -2249,6 +2251,9 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ if (copy_from_user(&t, useraddr, sizeof(t)))
+ return -EFAULT;
+
++ if (t.cmd != CHELSIO_GET_QSET_PARAMS)
++ return -EINVAL;
++
+ /* Display qsets for all ports when offload enabled */
+ if (test_bit(OFFLOAD_DEVMAP_BIT, &adapter->open_device_map)) {
+ q1 = 0;
+@@ -2294,6 +2299,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ return -EBUSY;
+ if (copy_from_user(&edata, useraddr, sizeof(edata)))
+ return -EFAULT;
++ if (edata.cmd != CHELSIO_SET_QSET_NUM)
++ return -EINVAL;
+ if (edata.val < 1 ||
+ (edata.val > 1 && !(adapter->flags & USING_MSIX)))
+ return -EINVAL;
+@@ -2334,6 +2341,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ return -EPERM;
+ if (copy_from_user(&t, useraddr, sizeof(t)))
+ return -EFAULT;
++ if (t.cmd != CHELSIO_LOAD_FW)
++ return -EINVAL;
+ /* Check t.len sanity ? */
+ fw_data = memdup_user(useraddr + sizeof(t), t.len);
+ if (IS_ERR(fw_data))
+@@ -2357,6 +2366,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ return -EBUSY;
+ if (copy_from_user(&m, useraddr, sizeof(m)))
+ return -EFAULT;
++ if (m.cmd != CHELSIO_SETMTUTAB)
++ return -EINVAL;
+ if (m.nmtus != NMTUS)
+ return -EINVAL;
+ if (m.mtus[0] < 81) /* accommodate SACK */
+@@ -2398,6 +2409,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ return -EBUSY;
+ if (copy_from_user(&m, useraddr, sizeof(m)))
+ return -EFAULT;
++ if (m.cmd != CHELSIO_SET_PM)
++ return -EINVAL;
+ if (!is_power_of_2(m.rx_pg_sz) ||
+ !is_power_of_2(m.tx_pg_sz))
+ return -EINVAL; /* not power of 2 */
+@@ -2431,6 +2444,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ return -EIO; /* need the memory controllers */
+ if (copy_from_user(&t, useraddr, sizeof(t)))
+ return -EFAULT;
++ if (t.cmd != CHELSIO_GET_MEM)
++ return -EINVAL;
+ if ((t.addr & 7) || (t.len & 7))
+ return -EINVAL;
+ if (t.mem_id == MEM_CM)
+@@ -2483,6 +2498,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ return -EAGAIN;
+ if (copy_from_user(&t, useraddr, sizeof(t)))
+ return -EFAULT;
++ if (t.cmd != CHELSIO_SET_TRACE_FILTER)
++ return -EINVAL;
+
+ tp = (const struct trace_params *)&t.sip;
+ if (t.config_tx)
+--
+2.17.1
+
--- /dev/null
+From 19abf6728e9618986b7f8efd6595330cb77b575d Mon Sep 17 00:00:00 2001
+From: Arthur Kiyanovski <akiyano@amazon.com>
+Date: Tue, 9 Oct 2018 11:21:29 +0300
+Subject: net: ena: fix NULL dereference due to untimely napi initialization
+
+[ Upstream commit 78a55d05def95144ca5fa9a64c49b2a0636a9866 ]
+
+napi poll functions should be initialized before running request_irq(),
+to handle a rare condition where there is a pending interrupt, causing
+the ISR to fire immediately while the poll function wasn't set yet,
+causing a NULL dereference.
+
+Fixes: 1738cd3ed342 ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)")
+Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+index 1d92e034febc..0c298878bf46 100644
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -1482,8 +1482,6 @@ static int ena_up_complete(struct ena_adapter *adapter)
+ if (rc)
+ return rc;
+
+- ena_init_napi(adapter);
+-
+ ena_change_mtu(adapter->netdev, adapter->netdev->mtu);
+
+ ena_refill_all_rx_bufs(adapter);
+@@ -1643,6 +1641,13 @@ static int ena_up(struct ena_adapter *adapter)
+
+ ena_setup_io_intr(adapter);
+
++ /* napi poll functions should be initialized before running
++ * request_irq(), to handle a rare condition where there is a pending
++ * interrupt, causing the ISR to fire immediately while the poll
++ * function wasn't set yet, causing a null dereference
++ */
++ ena_init_napi(adapter);
++
+ rc = ena_request_io_irq(adapter);
+ if (rc)
+ goto err_req_irq;
+--
+2.17.1
+
--- /dev/null
+From bc905d73e734588d2e8108d23c664fc5fe56dfe4 Mon Sep 17 00:00:00 2001
+From: Thor Thayer <thor.thayer@linux.intel.com>
+Date: Wed, 31 May 2017 14:28:47 -0500
+Subject: net: ethernet: stmmac: Fix altr_tse_pcs SGMII Initialization
+
+[ Upstream commit 77032732d0e89b83c3bca75b857a1f63e9efb44b ]
+
+Fix NETDEV WATCHDOG timeout on startup by adding missing register
+writes that properly setup SGMII.
+
+Signed-off-by: Thor Thayer <thor.thayer@linux.intel.com>
+Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.c b/drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.c
+index 489ef146201e..6a9c954492f2 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.c
++++ b/drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.c
+@@ -37,6 +37,7 @@
+ #define TSE_PCS_CONTROL_AN_EN_MASK BIT(12)
+ #define TSE_PCS_CONTROL_REG 0x00
+ #define TSE_PCS_CONTROL_RESTART_AN_MASK BIT(9)
++#define TSE_PCS_CTRL_AUTONEG_SGMII 0x1140
+ #define TSE_PCS_IF_MODE_REG 0x28
+ #define TSE_PCS_LINK_TIMER_0_REG 0x24
+ #define TSE_PCS_LINK_TIMER_1_REG 0x26
+@@ -65,6 +66,7 @@
+ #define TSE_PCS_SW_RESET_TIMEOUT 100
+ #define TSE_PCS_USE_SGMII_AN_MASK BIT(1)
+ #define TSE_PCS_USE_SGMII_ENA BIT(0)
++#define TSE_PCS_IF_USE_SGMII 0x03
+
+ #define SGMII_ADAPTER_CTRL_REG 0x00
+ #define SGMII_ADAPTER_DISABLE 0x0001
+@@ -101,7 +103,9 @@ int tse_pcs_init(void __iomem *base, struct tse_pcs *pcs)
+ {
+ int ret = 0;
+
+- writew(TSE_PCS_USE_SGMII_ENA, base + TSE_PCS_IF_MODE_REG);
++ writew(TSE_PCS_IF_USE_SGMII, base + TSE_PCS_IF_MODE_REG);
++
++ writew(TSE_PCS_CTRL_AUTONEG_SGMII, base + TSE_PCS_CONTROL_REG);
+
+ writew(TSE_PCS_SGMII_LINK_TIMER_0, base + TSE_PCS_LINK_TIMER_0_REG);
+ writew(TSE_PCS_SGMII_LINK_TIMER_1, base + TSE_PCS_LINK_TIMER_1_REG);
+--
+2.17.1
+
--- /dev/null
+From 01a066921f495d77c6a3d3f27d8db2a648a893bd Mon Sep 17 00:00:00 2001
+From: Rickard x Andersson <rickaran@axis.com>
+Date: Tue, 2 Oct 2018 14:49:32 +0200
+Subject: net: fec: fix rare tx timeout
+
+[ Upstream commit 657ade07df72847f591ccdb36bd9b91ed0edbac3 ]
+
+During certain heavy network loads TX could time out
+with TX ring dump.
+TX is sometimes never restarted after reaching
+"tx_stop_threshold" because function "fec_enet_tx_queue"
+only tests the first queue.
+
+In addition the TX timeout callback function failed to
+recover because it also operated only on the first queue.
+
+Signed-off-by: Rickard x Andersson <rickaran@axis.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index fe00f71bc6b4..051ecc76a7ef 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -1152,7 +1152,7 @@ static void fec_enet_timeout_work(struct work_struct *work)
+ napi_disable(&fep->napi);
+ netif_tx_lock_bh(ndev);
+ fec_restart(ndev);
+- netif_wake_queue(ndev);
++ netif_tx_wake_all_queues(ndev);
+ netif_tx_unlock_bh(ndev);
+ napi_enable(&fep->napi);
+ }
+@@ -1267,7 +1267,7 @@ skb_done:
+
+ /* Since we have freed up a buffer, the ring is no longer full
+ */
+- if (netif_queue_stopped(ndev)) {
++ if (netif_tx_queue_stopped(nq)) {
+ entries_free = fec_enet_get_free_txdesc_num(txq);
+ if (entries_free >= txq->tx_wake_threshold)
+ netif_tx_wake_queue(nq);
+@@ -1744,7 +1744,7 @@ static void fec_enet_adjust_link(struct net_device *ndev)
+ napi_disable(&fep->napi);
+ netif_tx_lock_bh(ndev);
+ fec_restart(ndev);
+- netif_wake_queue(ndev);
++ netif_tx_wake_all_queues(ndev);
+ netif_tx_unlock_bh(ndev);
+ napi_enable(&fep->napi);
+ }
+@@ -2247,7 +2247,7 @@ static int fec_enet_set_pauseparam(struct net_device *ndev,
+ napi_disable(&fep->napi);
+ netif_tx_lock_bh(ndev);
+ fec_restart(ndev);
+- netif_wake_queue(ndev);
++ netif_tx_wake_all_queues(ndev);
+ netif_tx_unlock_bh(ndev);
+ napi_enable(&fep->napi);
+ }
+--
+2.17.1
+
--- /dev/null
+From 15114ba0d155d4e84d176aad4b6d76c866bce289 Mon Sep 17 00:00:00 2001
+From: Michal Simek <michal.simek@xilinx.com>
+Date: Tue, 25 Sep 2018 08:32:50 +0200
+Subject: net: macb: Clean 64b dma addresses if they are not detected
+
+[ Upstream commit e1e5d8a9fe737d94ccc0ccbaf0c97f69a8f3e000 ]
+
+Clear ADDR64 dma bit in DMACFG register in case that HW_DMA_CAP_64B is
+not detected on 64bit system.
+The issue was observed when bootloader(u-boot) does not check macb
+feature at DCFG6 register (DAW64_OFFSET) and enabling 64bit dma support
+by default. Then macb driver is reading DMACFG register back and only
+adding 64bit dma configuration but not cleaning it out.
+
+Signed-off-by: Michal Simek <michal.simek@xilinx.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/cadence/macb.c b/drivers/net/ethernet/cadence/macb.c
+index 8f55c23e9821..a0d640243df2 100644
+--- a/drivers/net/ethernet/cadence/macb.c
++++ b/drivers/net/ethernet/cadence/macb.c
+@@ -1737,6 +1737,7 @@ static void macb_configure_dma(struct macb *bp)
+ else
+ dmacfg &= ~GEM_BIT(TXCOEN);
+
++ dmacfg &= ~GEM_BIT(ADDR64);
+ #ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT
+ dmacfg |= GEM_BIT(ADDR64);
+ #endif
+--
+2.17.1
+
--- /dev/null
+From 9568c3b802edd008b90bff80e097b4883b0b79c8 Mon Sep 17 00:00:00 2001
+From: Moshe Shemesh <moshe@mellanox.com>
+Date: Thu, 6 Jul 2017 15:48:40 +0300
+Subject: net/mlx5: Fix command completion after timeout access invalid
+ structure
+
+[ Upstream commit 061870800efb4e3d1ad4082a2569363629bdfcfc ]
+
+Completion on timeout should not free the driver command entry structure
+as it will need to access it again once real completion event from FW
+will occur.
+
+Fixes: 73dd3a4839c1 ('net/mlx5: Avoid using pending command interface slots')
+Signed-off-by: Moshe Shemesh <moshe@mellanox.com>
+Cc: kernel-team@fb.com
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index 9680c8805178..1d5263c46eee 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -965,7 +965,7 @@ static int mlx5_cmd_invoke(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *in,
+
+ err = wait_func(dev, ent);
+ if (err == -ETIMEDOUT)
+- goto out_free;
++ goto out;
+
+ ds = ent->ts2 - ent->ts1;
+ op = MLX5_GET(mbox_in, in->first.data, opcode);
+@@ -1428,6 +1428,7 @@ void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool forced)
+ mlx5_core_err(dev, "Command completion arrived after timeout (entry idx = %d).\n",
+ ent->idx);
+ free_ent(cmd, ent->idx);
++ free_cmd(ent);
+ }
+ continue;
+ }
+@@ -1486,7 +1487,8 @@ void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool forced)
+ free_msg(dev, ent->in);
+
+ err = err ? err : ent->status;
+- free_cmd(ent);
++ if (!forced)
++ free_cmd(ent);
+ callback(err, context);
+ } else {
+ complete(&ent->done);
+--
+2.17.1
+
--- /dev/null
+From c378e6f55b462eea331bceae5e996e5e386babc4 Mon Sep 17 00:00:00 2001
+From: Gal Pressman <galp@mellanox.com>
+Date: Mon, 19 Jun 2017 18:25:59 +0300
+Subject: net/mlx5: Fix driver load error flow when firmware is stuck
+
+[ Upstream commit 8ce59b16b4b6eacedaec1f7b652b4781cdbfe15f ]
+
+When wait for firmware init fails, previous code would mistakenly
+return success and cause inconsistency in the driver state.
+
+Fixes: 6c780a0267b8 ("net/mlx5: Wait for FW readiness before initializing command interface")
+Signed-off-by: Gal Pressman <galp@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+index 6698a3a07406..d676088512cf 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -957,7 +957,7 @@ static int mlx5_load_one(struct mlx5_core_dev *dev, struct mlx5_priv *priv,
+ if (err) {
+ dev_err(&dev->pdev->dev, "Firmware over %d MS in pre-initializing state, aborting\n",
+ FW_PRE_INIT_TIMEOUT_MILI);
+- goto out;
++ goto out_err;
+ }
+
+ err = mlx5_cmd_init(dev);
+--
+2.17.1
+
--- /dev/null
+From 770fed98b3be8bd97cceff3ccc08464dbcd21e7b Mon Sep 17 00:00:00 2001
+From: Moshe Shemesh <moshe@mellanox.com>
+Date: Thu, 19 Oct 2017 14:14:29 +0300
+Subject: net/mlx5: Fix health work queue spin lock to IRQ safe
+
+[ Upstream commit 6377ed0bbae6fa28853e1679d068a9106c8a8908 ]
+
+spin_lock/unlock of health->wq_lock should be IRQ safe.
+It was changed to spin_lock_irqsave since adding commit 0179720d6be2
+("net/mlx5: Introduce trigger_health_work function") which uses
+spin_lock from asynchronous event (IRQ) context.
+Thus, all spin_lock/unlock of health->wq_lock should have been moved
+to IRQ safe mode.
+However, one occurrence on new code using this lock missed that
+change, resulting in possible deadlock:
+ kernel: Possible unsafe locking scenario:
+ kernel: CPU0
+ kernel: ----
+ kernel: lock(&(&health->wq_lock)->rlock);
+ kernel: <Interrupt>
+ kernel: lock(&(&health->wq_lock)->rlock);
+ kernel: #012 *** DEADLOCK ***
+
+Fixes: 2a0165a034ac ("net/mlx5: Cancel delayed recovery work when unloading the driver")
+Signed-off-by: Moshe Shemesh <moshe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/health.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/health.c b/drivers/net/ethernet/mellanox/mlx5/core/health.c
+index 448e71e07668..264f51b3409d 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/health.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/health.c
+@@ -369,10 +369,11 @@ void mlx5_drain_health_wq(struct mlx5_core_dev *dev)
+ void mlx5_drain_health_recovery(struct mlx5_core_dev *dev)
+ {
+ struct mlx5_core_health *health = &dev->priv.health;
++ unsigned long flags;
+
+- spin_lock(&health->wq_lock);
++ spin_lock_irqsave(&health->wq_lock, flags);
+ set_bit(MLX5_DROP_NEW_RECOVERY_WORK, &health->flags);
+- spin_unlock(&health->wq_lock);
++ spin_unlock_irqrestore(&health->wq_lock, flags);
+ cancel_delayed_work_sync(&dev->priv.health.recover_work);
+ }
+
+--
+2.17.1
+
--- /dev/null
+From 7701389304957cf25e1fcb2adf10bc6eb49de690 Mon Sep 17 00:00:00 2001
+From: Talat Batheesh <talatb@mellanox.com>
+Date: Sun, 21 Jan 2018 05:30:42 +0200
+Subject: net/mlx5e: Fix fixpoint divide exception in mlx5e_am_stats_compare
+
+[ Upstream commit e58edaa4863583b54409444f11b4f80dff0af1cd ]
+
+Helmut reported a bug about division by zero while
+running traffic and doing physical cable pull test.
+
+When the cable unplugged the ppms become zero, so when
+dividing the current ppms by the previous ppms in the
+next dim iteration there is division by zero.
+
+This patch prevent this division for both ppms and epms.
+
+Fixes: c3164d2fc48f ("net/mlx5e: Added BW check for DIM decision mechanism")
+Reported-by: Helmut Grauer <helmut.grauer@de.ibm.com>
+Signed-off-by: Talat Batheesh <talatb@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_rx_am.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx_am.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx_am.c
+index 23ccec4cb7f5..a1f3556307c7 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx_am.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx_am.c
+@@ -197,9 +197,15 @@ static int mlx5e_am_stats_compare(struct mlx5e_rx_am_stats *curr,
+ return (curr->bpms > prev->bpms) ? MLX5E_AM_STATS_BETTER :
+ MLX5E_AM_STATS_WORSE;
+
++ if (!prev->ppms)
++ return curr->ppms ? MLX5E_AM_STATS_BETTER :
++ MLX5E_AM_STATS_SAME;
++
+ if (IS_SIGNIFICANT_DIFF(curr->ppms, prev->ppms))
+ return (curr->ppms > prev->ppms) ? MLX5E_AM_STATS_BETTER :
+ MLX5E_AM_STATS_WORSE;
++ if (!prev->epms)
++ return MLX5E_AM_STATS_SAME;
+
+ if (IS_SIGNIFICANT_DIFF(curr->epms, prev->epms))
+ return (curr->epms < prev->epms) ? MLX5E_AM_STATS_BETTER :
+--
+2.17.1
+
--- /dev/null
+From 4385b787af4bdeb253fed5d7f59e6b91eb7b66ba Mon Sep 17 00:00:00 2001
+From: Zhao Qiang <qiang.zhao@nxp.com>
+Date: Mon, 18 Dec 2017 10:26:43 +0800
+Subject: net: phy: marvell: Limit 88m1101 autoneg errata to 88E1145 as well.
+
+[ Upstream commit c505873eaece2b4aefd07d339dc7e1400e0235ac ]
+
+88E1145 also need this autoneg errata.
+
+Fixes: f2899788353c ("net: phy: marvell: Limit errata to 88m1101")
+Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/marvell.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/marvell.c b/drivers/net/phy/marvell.c
+index c60c147708c4..520352327104 100644
+--- a/drivers/net/phy/marvell.c
++++ b/drivers/net/phy/marvell.c
+@@ -1610,7 +1610,7 @@ static struct phy_driver marvell_drivers[] = {
+ .flags = PHY_HAS_INTERRUPT,
+ .probe = marvell_probe,
+ .config_init = &m88e1145_config_init,
+- .config_aneg = &marvell_config_aneg,
++ .config_aneg = &m88e1101_config_aneg,
+ .read_status = &genphy_read_status,
+ .ack_interrupt = &marvell_ack_interrupt,
+ .config_intr = &marvell_config_intr,
+--
+2.17.1
+
--- /dev/null
+From 60f95b86dc5ea8a30f8a5738bfdef9d22456f5e1 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Mon, 5 Jun 2017 10:04:52 +0100
+Subject: net: stmmac: ensure jumbo_frm error return is correctly checked for
+ -ve value
+
+[ Upstream commit 594238158bf748c285f0a73222cd9b7ccf3c525d ]
+
+The current comparison of entry < 0 will never be true since entry is an
+unsigned integer. Make entry an int to ensure -ve error return values
+from the call to jumbo_frm are correctly being caught.
+
+Detected by CoverityScan, CID#1238760 ("Macro compares unsigned to 0")
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 0df71865fab1..65ed02bc3ea3 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -2199,7 +2199,8 @@ static netdev_tx_t stmmac_xmit(struct sk_buff *skb, struct net_device *dev)
+ unsigned int nopaged_len = skb_headlen(skb);
+ int i, csum_insertion = 0, is_jumbo = 0;
+ int nfrags = skb_shinfo(skb)->nr_frags;
+- unsigned int entry, first_entry;
++ int entry;
++ unsigned int first_entry;
+ struct dma_desc *desc, *first;
+ unsigned int enh_desc;
+ unsigned int des;
+--
+2.17.1
+
--- /dev/null
+From 0e13cd3fcc708c464bb514d2c5cfd50d85bea9ad Mon Sep 17 00:00:00 2001
+From: Masashi Honma <masashi.honma@gmail.com>
+Date: Tue, 25 Sep 2018 11:15:00 +0900
+Subject: nl80211: Fix possible Spectre-v1 for NL80211_TXRATE_HT
+
+[ Upstream commit 30fe6d50eb088783c8729c7d930f65296b2b3fa7 ]
+
+Use array_index_nospec() to sanitize ridx with respect to speculation.
+
+Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 0e91ec49d3da..549d0a4083b3 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -3422,6 +3422,7 @@ static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
+ return false;
+
+ /* check availability */
++ ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
+ if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
+ mcs[ridx] |= rbit;
+ else
+--
+2.17.1
+
--- /dev/null
+From c214cd976c1c55011a712567e41486ba210b07c3 Mon Sep 17 00:00:00 2001
+From: Max Gurtovoy <maxg@mellanox.com>
+Date: Sun, 30 Jul 2017 01:45:08 +0300
+Subject: nvme-pci: fix CMB sysfs file removal in reset path
+
+[ Upstream commit 1c78f7735b2bdd0afbe5d14c5c8b6d8d381b6f13 ]
+
+Currently we create the sysfs entry even if we fail mapping
+it. In that case, the unmapping will not remove the sysfs created
+file. There is no good reason to create a sysfs entry for a non
+working CMB and show his characteristics.
+
+Fixes: f63572dff ("nvme: unmap CMB and remove sysfs file in reset path")
+Signed-off-by: Max Gurtovoy <maxg@mellanox.com>
+Reviewed-by: Stephen Bates <sbates@raithlin.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 18 +++++++-----------
+ 1 file changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index fadf151ce830..1ac4cec5f4f7 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -1393,11 +1393,9 @@ static inline void nvme_release_cmb(struct nvme_dev *dev)
+ if (dev->cmb) {
+ iounmap(dev->cmb);
+ dev->cmb = NULL;
+- if (dev->cmbsz) {
+- sysfs_remove_file_from_group(&dev->ctrl.device->kobj,
+- &dev_attr_cmb.attr, NULL);
+- dev->cmbsz = 0;
+- }
++ sysfs_remove_file_from_group(&dev->ctrl.device->kobj,
++ &dev_attr_cmb.attr, NULL);
++ dev->cmbsz = 0;
+ }
+ }
+
+@@ -1632,16 +1630,14 @@ static int nvme_pci_enable(struct nvme_dev *dev)
+
+ /*
+ * CMBs can currently only exist on >=1.2 PCIe devices. We only
+- * populate sysfs if a CMB is implemented. Note that we add the
+- * CMB attribute to the nvme_ctrl kobj which removes the need to remove
+- * it on exit. Since nvme_dev_attrs_group has no name we can pass
+- * NULL as final argument to sysfs_add_file_to_group.
++ * populate sysfs if a CMB is implemented. Since nvme_dev_attrs_group
++ * has no name we can pass NULL as final argument to
++ * sysfs_add_file_to_group.
+ */
+
+ if (readl(dev->bar + NVME_REG_VS) >= NVME_VS(1, 2, 0)) {
+ dev->cmb = nvme_map_cmb(dev);
+-
+- if (dev->cmbsz) {
++ if (dev->cmb) {
+ if (sysfs_add_file_to_group(&dev->ctrl.device->kobj,
+ &dev_attr_cmb.attr, NULL))
+ dev_warn(dev->dev,
+--
+2.17.1
+
--- /dev/null
+From 4eb12277cfae0de4b6c436f58bbebb264803b19e Mon Sep 17 00:00:00 2001
+From: Daniel Verkamp <daniel.verkamp@intel.com>
+Date: Thu, 12 Apr 2018 09:16:13 -0600
+Subject: nvmet: fix space padding in serial number
+
+[ Upstream commit c73996984902516745bc587d5e8a0b2e034aea05 ]
+
+Commit 42de82a8b544 previously attempted to fix this, and it did
+correctly pad the MN and FR fields with spaces, but the SN field still
+contains 0 bytes. The current code fills out the first 16 bytes with
+hex2bin, leaving the last 4 bytes zeroed. Rather than adding a lot of
+error-prone math to avoid overwriting SN twice, just set the whole thing
+to spaces up front (it's only 20 bytes).
+
+Fixes: 42de82a8b544 ("nvmet: don't report 0-bytes in serial number")
+Signed-off-by: Daniel Verkamp <daniel.verkamp@intel.com>
+Reviewed-by: Martin Wilck <mwilck@suse.com>
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/admin-cmd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/nvme/target/admin-cmd.c b/drivers/nvme/target/admin-cmd.c
+index 2caed285fd7b..cdb7752dcbb7 100644
+--- a/drivers/nvme/target/admin-cmd.c
++++ b/drivers/nvme/target/admin-cmd.c
+@@ -192,6 +192,7 @@ static void nvmet_execute_identify_ctrl(struct nvmet_req *req)
+ id->vid = 0;
+ id->ssvid = 0;
+
++ memset(id->sn, ' ', sizeof(id->sn));
+ bin2hex(id->sn, &ctrl->subsys->serial,
+ min(sizeof(ctrl->subsys->serial), sizeof(id->sn) / 2));
+ copy_and_pad(id->mn, sizeof(id->mn), model, sizeof(model) - 1);
+--
+2.17.1
+
--- /dev/null
+From 5acb141b262f64a5538597fd4af51b91ee52530a Mon Sep 17 00:00:00 2001
+From: Eric Ren <zren@suse.com>
+Date: Fri, 23 Jun 2017 15:08:55 -0700
+Subject: ocfs2: fix deadlock caused by recursive locking in xattr
+
+[ Upstream commit 8818efaaacb78c60a9d90c5705b6c99b75d7d442 ]
+
+Another deadlock path caused by recursive locking is reported. This
+kind of issue was introduced since commit 743b5f1434f5 ("ocfs2: take
+inode lock in ocfs2_iop_set/get_acl()"). Two deadlock paths have been
+fixed by commit b891fa5024a9 ("ocfs2: fix deadlock issue when taking
+inode lock at vfs entry points"). Yes, we intend to fix this kind of
+case in incremental way, because it's hard to find out all possible
+paths at once.
+
+This one can be reproduced like this. On node1, cp a large file from
+home directory to ocfs2 mountpoint. While on node2, run
+setfacl/getfacl. Both nodes will hang up there. The backtraces:
+
+On node1:
+ __ocfs2_cluster_lock.isra.39+0x357/0x740 [ocfs2]
+ ocfs2_inode_lock_full_nested+0x17d/0x840 [ocfs2]
+ ocfs2_write_begin+0x43/0x1a0 [ocfs2]
+ generic_perform_write+0xa9/0x180
+ __generic_file_write_iter+0x1aa/0x1d0
+ ocfs2_file_write_iter+0x4f4/0xb40 [ocfs2]
+ __vfs_write+0xc3/0x130
+ vfs_write+0xb1/0x1a0
+ SyS_write+0x46/0xa0
+
+On node2:
+ __ocfs2_cluster_lock.isra.39+0x357/0x740 [ocfs2]
+ ocfs2_inode_lock_full_nested+0x17d/0x840 [ocfs2]
+ ocfs2_xattr_set+0x12e/0xe80 [ocfs2]
+ ocfs2_set_acl+0x22d/0x260 [ocfs2]
+ ocfs2_iop_set_acl+0x65/0xb0 [ocfs2]
+ set_posix_acl+0x75/0xb0
+ posix_acl_xattr_set+0x49/0xa0
+ __vfs_setxattr+0x69/0x80
+ __vfs_setxattr_noperm+0x72/0x1a0
+ vfs_setxattr+0xa7/0xb0
+ setxattr+0x12d/0x190
+ path_setxattr+0x9f/0xb0
+ SyS_setxattr+0x14/0x20
+
+Fix this one by using ocfs2_inode_{lock|unlock}_tracker, which is
+exported by commit 439a36b8ef38 ("ocfs2/dlmglue: prepare tracking logic
+to avoid recursive cluster lock").
+
+Link: http://lkml.kernel.org/r/20170622014746.5815-1-zren@suse.com
+Fixes: 743b5f1434f5 ("ocfs2: take inode lock in ocfs2_iop_set/get_acl()")
+Signed-off-by: Eric Ren <zren@suse.com>
+Reported-by: Thomas Voegtle <tv@lio96.de>
+Tested-by: Thomas Voegtle <tv@lio96.de>
+Reviewed-by: Joseph Qi <jiangqi903@gmail.com>
+Cc: Mark Fasheh <mfasheh@versity.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/dlmglue.c | 4 ++++
+ fs/ocfs2/xattr.c | 23 +++++++++++++----------
+ 2 files changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/fs/ocfs2/dlmglue.c b/fs/ocfs2/dlmglue.c
+index 785fcc29d85d..5729d55da67d 100644
+--- a/fs/ocfs2/dlmglue.c
++++ b/fs/ocfs2/dlmglue.c
+@@ -2599,6 +2599,10 @@ void ocfs2_inode_unlock_tracker(struct inode *inode,
+ struct ocfs2_lock_res *lockres;
+
+ lockres = &OCFS2_I(inode)->ip_inode_lockres;
++ /* had_lock means that the currect process already takes the cluster
++ * lock previously. If had_lock is 1, we have nothing to do here, and
++ * it will get unlocked where we got the lock.
++ */
+ if (!had_lock) {
+ ocfs2_remove_holder(lockres, oh);
+ ocfs2_inode_unlock(inode, ex);
+diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
+index 03f6ff249edb..01932763b4d1 100644
+--- a/fs/ocfs2/xattr.c
++++ b/fs/ocfs2/xattr.c
+@@ -1330,20 +1330,21 @@ static int ocfs2_xattr_get(struct inode *inode,
+ void *buffer,
+ size_t buffer_size)
+ {
+- int ret;
++ int ret, had_lock;
+ struct buffer_head *di_bh = NULL;
++ struct ocfs2_lock_holder oh;
+
+- ret = ocfs2_inode_lock(inode, &di_bh, 0);
+- if (ret < 0) {
+- mlog_errno(ret);
+- return ret;
++ had_lock = ocfs2_inode_lock_tracker(inode, &di_bh, 0, &oh);
++ if (had_lock < 0) {
++ mlog_errno(had_lock);
++ return had_lock;
+ }
+ down_read(&OCFS2_I(inode)->ip_xattr_sem);
+ ret = ocfs2_xattr_get_nolock(inode, di_bh, name_index,
+ name, buffer, buffer_size);
+ up_read(&OCFS2_I(inode)->ip_xattr_sem);
+
+- ocfs2_inode_unlock(inode, 0);
++ ocfs2_inode_unlock_tracker(inode, 0, &oh, had_lock);
+
+ brelse(di_bh);
+
+@@ -3539,11 +3540,12 @@ int ocfs2_xattr_set(struct inode *inode,
+ {
+ struct buffer_head *di_bh = NULL;
+ struct ocfs2_dinode *di;
+- int ret, credits, ref_meta = 0, ref_credits = 0;
++ int ret, credits, had_lock, ref_meta = 0, ref_credits = 0;
+ struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);
+ struct inode *tl_inode = osb->osb_tl_inode;
+ struct ocfs2_xattr_set_ctxt ctxt = { NULL, NULL, NULL, };
+ struct ocfs2_refcount_tree *ref_tree = NULL;
++ struct ocfs2_lock_holder oh;
+
+ struct ocfs2_xattr_info xi = {
+ .xi_name_index = name_index,
+@@ -3574,8 +3576,9 @@ int ocfs2_xattr_set(struct inode *inode,
+ return -ENOMEM;
+ }
+
+- ret = ocfs2_inode_lock(inode, &di_bh, 1);
+- if (ret < 0) {
++ had_lock = ocfs2_inode_lock_tracker(inode, &di_bh, 1, &oh);
++ if (had_lock < 0) {
++ ret = had_lock;
+ mlog_errno(ret);
+ goto cleanup_nolock;
+ }
+@@ -3672,7 +3675,7 @@ cleanup:
+ if (ret)
+ mlog_errno(ret);
+ }
+- ocfs2_inode_unlock(inode, 1);
++ ocfs2_inode_unlock_tracker(inode, 1, &oh, had_lock);
+ cleanup_nolock:
+ brelse(di_bh);
+ brelse(xbs.xattr_bh);
+--
+2.17.1
+
--- /dev/null
+From 431f5b6339904bbdee2be52cc8a2c8c6f84decdf Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 22 May 2017 15:08:31 +0300
+Subject: orangefs: off by ones in xattr size checks
+
+[ Upstream commit 5f13e58767a53ebb54265e03c0c4a67650286263 ]
+
+A previous patch which claimed to remove off by ones actually introduced
+them.
+
+strlen() returns the length of the string not including the NUL
+character. We are using strcpy() to copy "name" into a buffer which is
+ORANGEFS_MAX_XATTR_NAMELEN characters long. We should make sure to
+leave space for the NUL, otherwise we're writing one character beyond
+the end of the buffer.
+
+Fixes: e675c5ec51fe ("orangefs: clean up oversize xattr validation")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Mike Marshall <hubcap@omnibond.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/orangefs/xattr.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/orangefs/xattr.c b/fs/orangefs/xattr.c
+index 237c9c04dc3b..a34b25be39c5 100644
+--- a/fs/orangefs/xattr.c
++++ b/fs/orangefs/xattr.c
+@@ -76,7 +76,7 @@ ssize_t orangefs_inode_getxattr(struct inode *inode, const char *name,
+ if (S_ISLNK(inode->i_mode))
+ return -EOPNOTSUPP;
+
+- if (strlen(name) > ORANGEFS_MAX_XATTR_NAMELEN)
++ if (strlen(name) >= ORANGEFS_MAX_XATTR_NAMELEN)
+ return -EINVAL;
+
+ fsuid = from_kuid(&init_user_ns, current_fsuid());
+@@ -169,7 +169,7 @@ static int orangefs_inode_removexattr(struct inode *inode, const char *name,
+ struct orangefs_kernel_op_s *new_op = NULL;
+ int ret = -ENOMEM;
+
+- if (strlen(name) > ORANGEFS_MAX_XATTR_NAMELEN)
++ if (strlen(name) >= ORANGEFS_MAX_XATTR_NAMELEN)
+ return -EINVAL;
+
+ down_write(&orangefs_inode->xattr_sem);
+@@ -233,7 +233,7 @@ int orangefs_inode_setxattr(struct inode *inode, const char *name,
+
+ if (size > ORANGEFS_MAX_XATTR_VALUELEN)
+ return -EINVAL;
+- if (strlen(name) > ORANGEFS_MAX_XATTR_NAMELEN)
++ if (strlen(name) >= ORANGEFS_MAX_XATTR_NAMELEN)
+ return -EINVAL;
+
+ internal_flag = convert_to_internal_xattr_flags(flags);
+--
+2.17.1
+
--- /dev/null
+From d668f35bb8d2f2c9aaaacf2f87e45d5726957a1f Mon Sep 17 00:00:00 2001
+From: Dongdong Liu <liudongdong3@huawei.com>
+Date: Thu, 28 Dec 2017 17:53:32 +0800
+Subject: PCI: Disable MSI for HiSilicon Hip06/Hip07 only in Root Port mode
+
+[ Upstream commit deb86999323661c019ef2740eb9d479d1e526b5c ]
+
+HiSilicon Hip06/Hip07 can operate as either a Root Port or an Endpoint. It
+always advertises an MSI capability, but it can only generate MSIs when in
+Endpoint mode.
+
+The device has the same Vendor and Device IDs in both modes, so check the
+Class Code and disable MSI only when operating as a Root Port.
+
+[bhelgaas: changelog]
+Fixes: 72f2ff0deb87 ("PCI: Disable MSI for HiSilicon Hip06/Hip07 Root Ports")
+Signed-off-by: Dongdong Liu <liudongdong3@huawei.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Zhou Wang <wangzhou1@hisilicon.com>
+Cc: stable@vger.kernel.org # v4.11+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/quirks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index c7a695c2303a..2250f0d33481 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -1634,8 +1634,8 @@ static void quirk_pcie_mch(struct pci_dev *pdev)
+ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_E7520_MCH, quirk_pcie_mch);
+ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_E7320_MCH, quirk_pcie_mch);
+ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_E7525_MCH, quirk_pcie_mch);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_HUAWEI, 0x1610, quirk_pcie_mch);
+
++DECLARE_PCI_FIXUP_CLASS_FINAL(PCI_VENDOR_ID_HUAWEI, 0x1610, PCI_CLASS_BRIDGE_PCI, 8, quirk_pcie_mch);
+
+ /*
+ * It's possible for the MSI to get corrupted if shpc and acpi
+--
+2.17.1
+
--- /dev/null
+From 2746521fd5e39800ea2081e2e34e568f1442aeee Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Thu, 20 Jul 2017 16:14:55 +0200
+Subject: perf/core: Fix locking for children siblings group read
+
+[ Upstream commit 2aeb1883547626d82c597cce2c99f0b9c62e2425 ]
+
+We're missing ctx lock when iterating children siblings
+within the perf_read path for group reading. Following
+race and crash can happen:
+
+User space doing read syscall on event group leader:
+
+T1:
+ perf_read
+ lock event->ctx->mutex
+ perf_read_group
+ lock leader->child_mutex
+ __perf_read_group_add(child)
+ list_for_each_entry(sub, &leader->sibling_list, group_entry)
+
+----> sub might be invalid at this point, because it could
+ get removed via perf_event_exit_task_context in T2
+
+Child exiting and cleaning up its events:
+
+T2:
+ perf_event_exit_task_context
+ lock ctx->mutex
+ list_for_each_entry_safe(child_event, next, &child_ctx->event_list,...
+ perf_event_exit_event(child)
+ lock ctx->lock
+ perf_group_detach(child)
+ unlock ctx->lock
+
+----> child is removed from sibling_list without any sync
+ with T1 path above
+
+ ...
+ free_event(child)
+
+Before the child is removed from the leader's child_list,
+(and thus is omitted from perf_read_group processing), we
+need to ensure that perf_read_group touches child's
+siblings under its ctx->lock.
+
+Peter further notes:
+
+| One additional note; this bug got exposed by commit:
+|
+| ba5213ae6b88 ("perf/core: Correct event creation with PERF_FORMAT_GROUP")
+|
+| which made it possible to actually trigger this code-path.
+
+Tested-by: Andi Kleen <ak@linux.intel.com>
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: ba5213ae6b88 ("perf/core: Correct event creation with PERF_FORMAT_GROUP")
+Link: http://lkml.kernel.org/r/20170720141455.2106-1-jolsa@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 95bd00d9f2c3..06b359af4322 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -4331,7 +4331,9 @@ EXPORT_SYMBOL_GPL(perf_event_read_value);
+ static int __perf_read_group_add(struct perf_event *leader,
+ u64 read_format, u64 *values)
+ {
++ struct perf_event_context *ctx = leader->ctx;
+ struct perf_event *sub;
++ unsigned long flags;
+ int n = 1; /* skip @nr */
+ int ret;
+
+@@ -4361,12 +4363,15 @@ static int __perf_read_group_add(struct perf_event *leader,
+ if (read_format & PERF_FORMAT_ID)
+ values[n++] = primary_event_id(leader);
+
++ raw_spin_lock_irqsave(&ctx->lock, flags);
++
+ list_for_each_entry(sub, &leader->sibling_list, group_entry) {
+ values[n++] += perf_event_count(sub);
+ if (read_format & PERF_FORMAT_ID)
+ values[n++] = primary_event_id(sub);
+ }
+
++ raw_spin_unlock_irqrestore(&ctx->lock, flags);
+ return 0;
+ }
+
+--
+2.17.1
+
--- /dev/null
+From c1659e6f2609c44b241f0ba373bc2e066c45711a Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Fri, 9 Jun 2017 16:54:28 -0300
+Subject: perf evsel: Fix probing of precise_ip level for default cycles event
+
+[ Upstream commit 7a1ac110c22eb726684c837544a2d42c33e07be7 ]
+
+Since commit 18e7a45af91a ("perf/x86: Reject non sampling events with
+precise_ip") returns -EINVAL for sys_perf_event_open() with an attribute
+with (attr.precise_ip > 0 && attr.sample_period == 0), just like is done
+in the routine used to probe the max precise level when no events were
+passed to 'perf record' or 'perf top', i.e.:
+
+ perf_evsel__new_cycles()
+ perf_event_attr__set_max_precise_ip()
+
+The x86 code, in x86_pmu_hw_config(), which is called all the way from
+sys_perf_event_open() did, starting with the aforementioned commit:
+
+ /* There's no sense in having PEBS for non sampling events: */
+ if (!is_sampling_event(event))
+ return -EINVAL;
+
+Which makes it fail for cycles:ppp, cycles:pp and cycles:p, always using
+just the non precise cycles variant.
+
+To make sure that this is the case, I tested it, before this patch,
+with:
+
+ # perf probe -L x86_pmu_hw_config
+ <x86_pmu_hw_config@/home/acme/git/linux/arch/x86/events/core.c:0>
+ 0 int x86_pmu_hw_config(struct perf_event *event)
+ 1 {
+ 2 if (event->attr.precise_ip) {
+<SNIP>
+ 17 if (event->attr.precise_ip > precise)
+ 18 return -EOPNOTSUPP;
+
+ /* There's no sense in having PEBS for non sampling events: */
+ 21 if (!is_sampling_event(event))
+ 22 return -EINVAL;
+ }
+<SNIP>
+ # perf probe x86_pmu_hw_config:22
+ Added new events:
+ probe:x86_pmu_hw_config (on x86_pmu_hw_config:22)
+ probe:x86_pmu_hw_config_1 (on x86_pmu_hw_config:22)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe:x86_pmu_hw_config_1 -aR sleep 1
+
+ # perf trace -e perf_event_open,probe:x86_pmu_hwconfig*/max-stack=16/ perf record usleep 1
+ 0.000 ( 0.015 ms): perf/4150 perf_event_open(attr_uptr: 0x7ffebc8ba110, cpu: -1, group_fd: -1 ) ...
+ 0.015 ( ): probe:x86_pmu_hw_config:(ffffffff9c0065e1))
+ x86_pmu_hw_config ([kernel.kallsyms])
+ hsw_hw_config ([kernel.kallsyms])
+ x86_pmu_event_init ([kernel.kallsyms])
+ perf_try_init_event ([kernel.kallsyms])
+ perf_event_alloc ([kernel.kallsyms])
+ SYSC_perf_event_open ([kernel.kallsyms])
+ sys_perf_event_open ([kernel.kallsyms])
+ do_syscall_64 ([kernel.kallsyms])
+ return_from_SYSCALL_64 ([kernel.kallsyms])
+ syscall (/usr/lib64/libc-2.24.so)
+ perf_event_attr__set_max_precise_ip (/home/acme/bin/perf)
+ perf_evsel__new_cycles (/home/acme/bin/perf)
+ perf_evlist__add_default (/home/acme/bin/perf)
+ cmd_record (/home/acme/bin/perf)
+ run_builtin (/home/acme/bin/perf)
+ handle_internal_command (/home/acme/bin/perf)
+ 0.000 ( 0.021 ms): perf/4150 ... [continued]: perf_event_open()) = -1 EINVAL Invalid argument
+ 0.023 ( 0.002 ms): perf/4150 perf_event_open(attr_uptr: 0x7ffebc8ba110, cpu: -1, group_fd: -1 ) ...
+ 0.025 ( ): probe:x86_pmu_hw_config:(ffffffff9c0065e1))
+ x86_pmu_hw_config ([kernel.kallsyms])
+ hsw_hw_config ([kernel.kallsyms])
+ x86_pmu_event_init ([kernel.kallsyms])
+ perf_try_init_event ([kernel.kallsyms])
+ perf_event_alloc ([kernel.kallsyms])
+ SYSC_perf_event_open ([kernel.kallsyms])
+ sys_perf_event_open ([kernel.kallsyms])
+ do_syscall_64 ([kernel.kallsyms])
+ return_from_SYSCALL_64 ([kernel.kallsyms])
+ syscall (/usr/lib64/libc-2.24.so)
+ perf_event_attr__set_max_precise_ip (/home/acme/bin/perf)
+ perf_evsel__new_cycles (/home/acme/bin/perf)
+ perf_evlist__add_default (/home/acme/bin/perf)
+ cmd_record (/home/acme/bin/perf)
+ run_builtin (/home/acme/bin/perf)
+ handle_internal_command (/home/acme/bin/perf)
+ 0.023 ( 0.004 ms): perf/4150 ... [continued]: perf_event_open()) = -1 EINVAL Invalid argument
+ 0.028 ( 0.002 ms): perf/4150 perf_event_open(attr_uptr: 0x7ffebc8ba110, cpu: -1, group_fd: -1 ) ...
+ 0.030 ( ): probe:x86_pmu_hw_config:(ffffffff9c0065e1))
+ x86_pmu_hw_config ([kernel.kallsyms])
+ hsw_hw_config ([kernel.kallsyms])
+ x86_pmu_event_init ([kernel.kallsyms])
+ perf_try_init_event ([kernel.kallsyms])
+ perf_event_alloc ([kernel.kallsyms])
+ SYSC_perf_event_open ([kernel.kallsyms])
+ sys_perf_event_open ([kernel.kallsyms])
+ do_syscall_64 ([kernel.kallsyms])
+ return_from_SYSCALL_64 ([kernel.kallsyms])
+ syscall (/usr/lib64/libc-2.24.so)
+ perf_event_attr__set_max_precise_ip (/home/acme/bin/perf)
+ perf_evsel__new_cycles (/home/acme/bin/perf)
+ perf_evlist__add_default (/home/acme/bin/perf)
+ cmd_record (/home/acme/bin/perf)
+ run_builtin (/home/acme/bin/perf)
+ handle_internal_command (/home/acme/bin/perf)
+ 0.028 ( 0.004 ms): perf/4150 ... [continued]: perf_event_open()) = -1 EINVAL Invalid argument
+ 41.018 ( 0.012 ms): perf/4150 perf_event_open(attr_uptr: 0x7ffebc8b5dd0, pid: -1, group_fd: -1, flags: FD_CLOEXEC) = 4
+ 41.065 ( 0.011 ms): perf/4150 perf_event_open(attr_uptr: 0x3c7db78, pid: -1, group_fd: -1, flags: FD_CLOEXEC) = 4
+ 41.080 ( 0.006 ms): perf/4150 perf_event_open(attr_uptr: 0x3c7db78, pid: -1, group_fd: -1, flags: FD_CLOEXEC) = 4
+ 41.103 ( 0.010 ms): perf/4150 perf_event_open(attr_uptr: 0x3c4e748, pid: 4151 (perf), group_fd: -1, flags: FD_CLOEXEC) = 4
+ 41.115 ( 0.006 ms): perf/4150 perf_event_open(attr_uptr: 0x3c4e748, pid: 4151 (perf), cpu: 1, group_fd: -1, flags: FD_CLOEXEC) = 5
+ 41.122 ( 0.004 ms): perf/4150 perf_event_open(attr_uptr: 0x3c4e748, pid: 4151 (perf), cpu: 2, group_fd: -1, flags: FD_CLOEXEC) = 6
+ 41.128 ( 0.008 ms): perf/4150 perf_event_open(attr_uptr: 0x3c4e748, pid: 4151 (perf), cpu: 3, group_fd: -1, flags: FD_CLOEXEC) = 8
+ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 0.017 MB perf.data (2 samples) ]
+ #
+
+I.e. that return -EINVAL in x86_pmu_hw_config() is hit three times.
+
+So fix it by just setting attr.sample_period
+
+Now, after this patch:
+
+ # perf trace --max-stack=2 -e perf_event_open,probe:x86_pmu_hw_config* perf record usleep 1
+ [ perf record: Woken up 1 times to write data ]
+ 0.000 ( 0.017 ms): perf/8469 perf_event_open(attr_uptr: 0x7ffe36c27d10, pid: -1, cpu: 3, group_fd: -1, flags: FD_CLOEXEC) = 4
+ syscall (/usr/lib64/libc-2.24.so)
+ perf_event_open_cloexec_flag (/home/acme/bin/perf)
+ 0.050 ( 0.031 ms): perf/8469 perf_event_open(attr_uptr: 0x24ebb78, pid: -1, group_fd: -1, flags: FD_CLOEXEC) = 4
+ syscall (/usr/lib64/libc-2.24.so)
+ perf_evlist__config (/home/acme/bin/perf)
+ 0.092 ( 0.040 ms): perf/8469 perf_event_open(attr_uptr: 0x24ebb78, pid: -1, group_fd: -1, flags: FD_CLOEXEC) = 4
+ syscall (/usr/lib64/libc-2.24.so)
+ perf_evlist__config (/home/acme/bin/perf)
+ 0.143 ( 0.007 ms): perf/8469 perf_event_open(attr_uptr: 0x24bc748, cpu: -1, group_fd: -1 ) = 4
+ syscall (/usr/lib64/libc-2.24.so)
+ perf_event_attr__set_max_precise_ip (/home/acme/bin/perf)
+ 0.161 ( 0.007 ms): perf/8469 perf_event_open(attr_uptr: 0x24bc748, pid: 8470 (perf), group_fd: -1, flags: FD_CLOEXEC) = 4
+ syscall (/usr/lib64/libc-2.24.so)
+ perf_evsel__open (/home/acme/bin/perf)
+ 0.171 ( 0.005 ms): perf/8469 perf_event_open(attr_uptr: 0x24bc748, pid: 8470 (perf), cpu: 1, group_fd: -1, flags: FD_CLOEXEC) = 5
+ syscall (/usr/lib64/libc-2.24.so)
+ perf_evsel__open (/home/acme/bin/perf)
+ 0.180 ( 0.007 ms): perf/8469 perf_event_open(attr_uptr: 0x24bc748, pid: 8470 (perf), cpu: 2, group_fd: -1, flags: FD_CLOEXEC) = 6
+ syscall (/usr/lib64/libc-2.24.so)
+ perf_evsel__open (/home/acme/bin/perf)
+ 0.190 ( 0.005 ms): perf/8469 perf_event_open(attr_uptr: 0x24bc748, pid: 8470 (perf), cpu: 3, group_fd: -1, flags: FD_CLOEXEC) = 8
+ syscall (/usr/lib64/libc-2.24.so)
+ perf_evsel__open (/home/acme/bin/perf)
+ [ perf record: Captured and wrote 0.017 MB perf.data (7 samples) ]
+ #
+
+The probe one called from perf_event_attr__set_max_precise_ip() works
+the first time, with attr.precise_ip = 3, wit hthe next ones being the
+per cpu ones for the cycles:ppp event.
+
+And here is the text from a report and alternative proposed patch by
+Thomas-Mich Richter:
+
+ ---
+
+On s390 the counter and sampling facility do not support a precise IP
+skid level and sometimes returns EOPNOTSUPP when structure member
+precise_ip in struct perf_event_attr is not set to zero.
+
+On s390 commnd 'perf record -- true' fails with error EOPNOTSUPP. This
+happens only when no events are specified on command line.
+
+The functions called are
+...
+ --> perf_evlist__add_default
+ --> perf_evsel__new_cycles
+ --> perf_event_attr__set_max_precise_ip
+
+The last function determines the value of structure member precise_ip by
+invoking the perf_event_open() system call and checking the return code.
+The first successful open is the value for precise_ip.
+
+However the value is determined without setting member sample_period and
+indicates no sampling.
+
+On s390 the counter facility and sampling facility are different. The
+above procedure determines a precise_ip value of 3 using the counter
+facility. Later it uses the sampling facility with a value of 3 and
+fails with EOPNOTSUPP.
+
+ ---
+
+v2: Older compilers (e.g. gcc 4.4.7) don't support referencing members
+ of unnamed union members in the container struct initialization, so
+ move from:
+
+ struct perf_event_attr attr = {
+ ...
+ .sample_period = 1,
+ };
+
+to right after it as:
+
+ struct perf_event_attr attr = {
+ ...
+ };
+
+ attr.sample_period = 1;
+
+v3: We need to reset .sample_period to 0 to let the users of
+perf_evsel__new_cycles() to properly setup attr.sample_period or
+attr.sample_freq. Reported by Ingo Molnar.
+
+Reported-and-Acked-by: Thomas-Mich Richter <tmricht@linux.vnet.ibm.com>
+Acked-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+Acked-by: Jiri Olsa <jolsa@redhat.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Wang Nan <wangnan0@huawei.com>
+Fixes: 18e7a45af91a ("perf/x86: Reject non sampling events with precise_ip")
+Link: http://lkml.kernel.org/n/tip-yv6nnkl7tzqocrm0hl3x7vf1@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/task-exit.c | 2 +-
+ tools/perf/util/evsel.c | 12 ++++++++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/tests/task-exit.c b/tools/perf/tests/task-exit.c
+index 01a5ba2788c6..b0d005d295a9 100644
+--- a/tools/perf/tests/task-exit.c
++++ b/tools/perf/tests/task-exit.c
+@@ -82,7 +82,7 @@ int test__task_exit(int subtest __maybe_unused)
+
+ evsel = perf_evlist__first(evlist);
+ evsel->attr.task = 1;
+- evsel->attr.sample_freq = 0;
++ evsel->attr.sample_freq = 1;
+ evsel->attr.inherit = 0;
+ evsel->attr.watermark = 0;
+ evsel->attr.wakeup_events = 1;
+diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
+index 3be8c489884e..f7128c2a6386 100644
+--- a/tools/perf/util/evsel.c
++++ b/tools/perf/util/evsel.c
+@@ -263,8 +263,20 @@ struct perf_evsel *perf_evsel__new_cycles(void)
+ struct perf_evsel *evsel;
+
+ event_attr_init(&attr);
++ /*
++ * Unnamed union member, not supported as struct member named
++ * initializer in older compilers such as gcc 4.4.7
++ *
++ * Just for probing the precise_ip:
++ */
++ attr.sample_period = 1;
+
+ perf_event_attr__set_max_precise_ip(&attr);
++ /*
++ * Now let the usual logic to set up the perf_event_attr defaults
++ * to kick in when we return and before perf_evsel__open() is called.
++ */
++ attr.sample_period = 0;
+
+ evsel = perf_evsel__new(&attr);
+ if (evsel == NULL)
+--
+2.17.1
+
--- /dev/null
+From fbba66b4548a9c943d57d802394077d7a327d9b2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20T=C3=B6pel?= <bjorn.topel@intel.com>
+Date: Wed, 21 Jun 2017 18:41:34 +0200
+Subject: perf probe: Fix probe definition for inlined functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 7598f8bc1383ffd77686cb4e92e749bef3c75937 ]
+
+In commit 613f050d68a8 ("perf probe: Fix to probe on gcc generated
+functions in modules"), the offset from symbol is, incorrectly, added
+to the trace point address. This leads to incorrect probe trace points
+for inlined functions and when using relative line number on symbols.
+
+Prior this patch:
+ $ perf probe -m nf_nat -D in_range
+ p:probe/in_range nf_nat:in_range.isra.9+0
+ $ perf probe -m i40e -D i40e_clean_rx_irq
+ p:probe/i40e_clean_rx_irq i40e:i40e_napi_poll+2212
+ $ perf probe -m i40e -D i40e_clean_rx_irq:16
+ p:probe/i40e_clean_rx_irq i40e:i40e_lan_xmit_frame+626
+
+After:
+ $ perf probe -m nf_nat -D in_range
+ p:probe/in_range nf_nat:in_range.isra.9+0
+ $ perf probe -m i40e -D i40e_clean_rx_irq
+ p:probe/i40e_clean_rx_irq i40e:i40e_napi_poll+1106
+ $ perf probe -m i40e -D i40e_clean_rx_irq:16
+ p:probe/i40e_clean_rx_irq i40e:i40e_napi_poll+2665
+
+Committer testing:
+
+Using 'pfunct', a tool found in the 'dwarves' package [1], one can ask what are
+the functions that while not being explicitely marked as inline, were inlined
+by the compiler:
+
+ # pfunct --cc_inlined /lib/modules/4.12.0-rc4+/kernel/drivers/net/ethernet/intel/e1000e/e1000e.ko | head
+ __ew32
+ e1000_regdump
+ e1000e_dump_ps_pages
+ e1000_desc_unused
+ e1000e_systim_to_hwtstamp
+ e1000e_rx_hwtstamp
+ e1000e_update_rdt_wa
+ e1000e_update_tdt_wa
+ e1000_put_txbuf
+ e1000_consume_page
+
+Then ask 'perf probe' to produce the kprobe_tracer probe definitions for two of
+them:
+
+ # perf probe -m e1000e -D e1000e_rx_hwtstamp
+ p:probe/e1000e_rx_hwtstamp e1000e:e1000_receive_skb+74
+
+ # perf probe -m e1000e -D e1000_consume_page
+ p:probe/e1000_consume_page e1000e:e1000_clean_jumbo_rx_irq+876
+ p:probe/e1000_consume_page_1 e1000e:e1000_clean_jumbo_rx_irq+1506
+ p:probe/e1000_consume_page_2 e1000e:e1000_clean_rx_irq_ps+1074
+
+Now lets concentrate on the 'e1000_consume_page' one, that was inlined twice in
+e1000_clean_jumbo_rx_irq(), lets see what readelf says about the DWARF tags for
+that function:
+
+ $ readelf -wi /lib/modules/4.12.0-rc4+/kernel/drivers/net/ethernet/intel/e1000e/e1000e.ko
+ <SNIP>
+ <1><13e27b>: Abbrev Number: 121 (DW_TAG_subprogram)
+ <13e27c> DW_AT_name : (indirect string, offset: 0xa8945): e1000_clean_jumbo_rx_irq
+ <13e287> DW_AT_low_pc : 0x17a30
+ <3><13e6ef>: Abbrev Number: 119 (DW_TAG_inlined_subroutine)
+ <13e6f0> DW_AT_abstract_origin: <0x13ed2c>
+ <13e6f4> DW_AT_low_pc : 0x17be6
+ <SNIP>
+ <1><13ed2c>: Abbrev Number: 142 (DW_TAG_subprogram)
+ <13ed2e> DW_AT_name : (indirect string, offset: 0xa54c3): e1000_consume_page
+
+So, the first time in e1000_clean_jumbo_rx_irq() where e1000_consume_page() is
+inlined is at PC 0x17be6, which subtracted from e1000_clean_jumbo_rx_irq()'s
+address, gives us the offset we should use in the probe definition:
+
+ 0x17be6 - 0x17a30 = 438
+
+but above we have 876, which is twice as much.
+
+Lets see the second inline expansion of e1000_consume_page() in
+e1000_clean_jumbo_rx_irq():
+
+ <3><13e86e>: Abbrev Number: 119 (DW_TAG_inlined_subroutine)
+ <13e86f> DW_AT_abstract_origin: <0x13ed2c>
+ <13e873> DW_AT_low_pc : 0x17d21
+
+ 0x17d21 - 0x17a30 = 753
+
+So we where adding it at twice the offset from the containing function as we
+should.
+
+And then after this patch:
+
+ # perf probe -m e1000e -D e1000e_rx_hwtstamp
+ p:probe/e1000e_rx_hwtstamp e1000e:e1000_receive_skb+37
+
+ # perf probe -m e1000e -D e1000_consume_page
+ p:probe/e1000_consume_page e1000e:e1000_clean_jumbo_rx_irq+438
+ p:probe/e1000_consume_page_1 e1000e:e1000_clean_jumbo_rx_irq+753
+ p:probe/e1000_consume_page_2 e1000e:e1000_clean_jumbo_rx_irq+1353
+ #
+
+Which matches the two first expansions and shows that because we were
+doubling the offset it would spill over the next function:
+
+ readelf -sw /lib/modules/4.12.0-rc4+/kernel/drivers/net/ethernet/intel/e1000e/e1000e.ko
+ 673: 0000000000017a30 1626 FUNC LOCAL DEFAULT 2 e1000_clean_jumbo_rx_irq
+ 674: 0000000000018090 2013 FUNC LOCAL DEFAULT 2 e1000_clean_rx_irq_ps
+
+This is the 3rd inline expansion of e1000_consume_page() in
+e1000_clean_jumbo_rx_irq():
+
+ <3><13ec77>: Abbrev Number: 119 (DW_TAG_inlined_subroutine)
+ <13ec78> DW_AT_abstract_origin: <0x13ed2c>
+ <13ec7c> DW_AT_low_pc : 0x17f79
+
+ 0x17f79 - 0x17a30 = 1353
+
+ So:
+
+ 0x17a30 + 2 * 1353 = 0x184c2
+
+ And:
+
+ 0x184c2 - 0x18090 = 1074
+
+Which explains the bogus third expansion for e1000_consume_page() to end up at:
+
+ p:probe/e1000_consume_page_2 e1000e:e1000_clean_rx_irq_ps+1074
+
+All fixed now :-)
+
+[1] https://git.kernel.org/pub/scm/devel/pahole/pahole.git/
+
+Signed-off-by: Björn Töpel <bjorn.topel@intel.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: stable@vger.kernel.org
+Fixes: 613f050d68a8 ("perf probe: Fix to probe on gcc generated functions in modules")
+Link: http://lkml.kernel.org/r/20170621164134.5701-1-bjorn.topel@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/probe-event.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/probe-event.c b/tools/perf/util/probe-event.c
+index c93daccec755..a7452fd3b6ee 100644
+--- a/tools/perf/util/probe-event.c
++++ b/tools/perf/util/probe-event.c
+@@ -615,7 +615,7 @@ static int post_process_probe_trace_point(struct probe_trace_point *tp,
+ struct map *map, unsigned long offs)
+ {
+ struct symbol *sym;
+- u64 addr = tp->address + tp->offset - offs;
++ u64 addr = tp->address - offs;
+
+ sym = map__find_symbol(map, addr);
+ if (!sym)
+--
+2.17.1
+
--- /dev/null
+From 6c16f5a7abd6dc840351abc8d5d48b9c04eeb80c Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@redhat.com>
+Date: Sun, 23 Sep 2018 18:13:43 +0200
+Subject: perf/ring_buffer: Prevent concurent ring buffer access
+
+[ Upstream commit cd6fb677ce7e460c25bdd66f689734102ec7d642 ]
+
+Some of the scheduling tracepoints allow the perf_tp_event
+code to write to ring buffer under different cpu than the
+code is running on.
+
+This results in corrupted ring buffer data demonstrated in
+following perf commands:
+
+ # perf record -e 'sched:sched_switch,sched:sched_wakeup' perf bench sched messaging
+ # Running 'sched/messaging' benchmark:
+ # 20 sender and receiver processes per group
+ # 10 groups == 400 processes run
+
+ Total time: 0.383 [sec]
+ [ perf record: Woken up 8 times to write data ]
+ 0x42b890 [0]: failed to process type: -1765585640
+ [ perf record: Captured and wrote 4.825 MB perf.data (29669 samples) ]
+
+ # perf report --stdio
+ 0x42b890 [0]: failed to process type: -1765585640
+
+The reason for the corruption are some of the scheduling tracepoints,
+that have __perf_task dfined and thus allow to store data to another
+cpu ring buffer:
+
+ sched_waking
+ sched_wakeup
+ sched_wakeup_new
+ sched_stat_wait
+ sched_stat_sleep
+ sched_stat_iowait
+ sched_stat_blocked
+
+The perf_tp_event function first store samples for current cpu
+related events defined for tracepoint:
+
+ hlist_for_each_entry_rcu(event, head, hlist_entry)
+ perf_swevent_event(event, count, &data, regs);
+
+And then iterates events of the 'task' and store the sample
+for any task's event that passes tracepoint checks:
+
+ ctx = rcu_dereference(task->perf_event_ctxp[perf_sw_context]);
+
+ list_for_each_entry_rcu(event, &ctx->event_list, event_entry) {
+ if (event->attr.type != PERF_TYPE_TRACEPOINT)
+ continue;
+ if (event->attr.config != entry->type)
+ continue;
+
+ perf_swevent_event(event, count, &data, regs);
+ }
+
+Above code can race with same code running on another cpu,
+ending up with 2 cpus trying to store under the same ring
+buffer, which is specifically not allowed.
+
+This patch prevents the problem, by allowing only events with the same
+current cpu to receive the event.
+
+NOTE: this requires the use of (per-task-)per-cpu buffers for this
+feature to work; perf-record does this.
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+[peterz: small edits to Changelog]
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andrew Vagin <avagin@openvz.org>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Fixes: e6dab5ffab59 ("perf/trace: Add ability to set a target task for events")
+Link: http://lkml.kernel.org/r/20180923161343.GB15054@krava
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 95bd00d9f2c3..3caf1a863a0b 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -7737,6 +7737,8 @@ void perf_tp_event(u16 event_type, u64 count, void *record, int entry_size,
+ goto unlock;
+
+ list_for_each_entry_rcu(event, &ctx->event_list, event_entry) {
++ if (event->cpu != smp_processor_id())
++ continue;
+ if (event->attr.type != PERF_TYPE_TRACEPOINT)
+ continue;
+ if (event->attr.config != entry->type)
+--
+2.17.1
+
--- /dev/null
+From 572193552d718ea007cda05e3ad08e506524d191 Mon Sep 17 00:00:00 2001
+From: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
+Date: Tue, 24 Oct 2017 19:50:06 +0530
+Subject: perf symbols: Fix memory corruption because of zero length symbols
+
+[ Upstream commit 331c7cb307971eac38e9470340e10c87855bf4bc ]
+
+Perf top is often crashing at very random locations on powerpc. After
+investigating, I found the crash only happens when sample is of zero
+length symbol. Powerpc kernel has many such symbols which does not
+contain length details in vmlinux binary and thus start and end
+addresses of such symbols are same.
+
+Structure
+
+ struct sym_hist {
+ u64 nr_samples;
+ u64 period;
+ struct sym_hist_entry addr[0];
+ };
+
+has last member 'addr[]' of size zero. 'addr[]' is an array of addresses
+that belongs to one symbol (function). If function consist of 100
+instructions, 'addr' points to an array of 100 'struct sym_hist_entry'
+elements. For zero length symbol, it points to the *empty* array, i.e.
+no members in the array and thus offset 0 is also invalid for such
+array.
+
+ static int __symbol__inc_addr_samples(...)
+ {
+ ...
+ offset = addr - sym->start;
+ h = annotation__histogram(notes, evidx);
+ h->nr_samples++;
+ h->addr[offset].nr_samples++;
+ h->period += sample->period;
+ h->addr[offset].period += sample->period;
+ ...
+ }
+
+Here, when 'addr' is same as 'sym->start', 'offset' becomes 0, which is
+valid for normal symbols but *invalid* for zero length symbols and thus
+updating h->addr[offset] causes memory corruption.
+
+Fix this by adding one dummy element for zero length symbols.
+
+Link: https://lkml.org/lkml/2016/10/10/148
+Fixes: edee44be5919 ("perf annotate: Don't throw error for zero length symbols")
+Signed-off-by: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jin Yao <yao.jin@linux.intel.com>
+Cc: Kim Phillips <kim.phillips@arm.com>
+Cc: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Taeung Song <treeze.taeung@gmail.com>
+Link: http://lkml.kernel.org/r/1508854806-10542-1-git-send-email-ravi.bangoria@linux.vnet.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/annotate.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
+index a38227eb5450..3336cbc6ec48 100644
+--- a/tools/perf/util/annotate.c
++++ b/tools/perf/util/annotate.c
+@@ -495,9 +495,19 @@ static struct ins *ins__find(const char *name)
+ int symbol__alloc_hist(struct symbol *sym)
+ {
+ struct annotation *notes = symbol__annotation(sym);
+- const size_t size = symbol__size(sym);
++ size_t size = symbol__size(sym);
+ size_t sizeof_sym_hist;
+
++ /*
++ * Add buffer of one element for zero length symbol.
++ * When sample is taken from first instruction of
++ * zero length symbol, perf still resolves it and
++ * shows symbol name in perf report and allows to
++ * annotate it.
++ */
++ if (size == 0)
++ size = 1;
++
+ /* Check for overflow when calculating sizeof_sym_hist */
+ if (size > (SIZE_MAX - sizeof(struct sym_hist)) / sizeof(u64))
+ return -1;
+--
+2.17.1
+
--- /dev/null
+From a4a4385ab34314d8dd667f4a65190d83e51a5f6a Mon Sep 17 00:00:00 2001
+From: Sandipan Das <sandipan@linux.ibm.com>
+Date: Thu, 26 Jul 2018 22:47:33 +0530
+Subject: perf tests: Fix indexing when invoking subtests
+
+[ Upstream commit aa90f9f9554616d5738f7bedb4a8f0e5e14d1bc6 ]
+
+Recently, the subtest numbering was changed to start from 1. While it
+is fine for displaying results, this should not be the case when the
+subtests are actually invoked.
+
+Typically, the subtests are stored in zero-indexed arrays and invoked
+based on the index passed to the main test function. Since the index
+now starts from 1, the second subtest in the array (index 1) gets
+invoked instead of the first (index 0). This applies to all of the
+following subtests but for the last one, the subtest always fails
+because it does not meet the boundary condition of the subtest index
+being lesser than the number of subtests.
+
+This can be observed on powerpc64 and x86_64 systems running Fedora 28
+as shown below.
+
+Before:
+
+ # perf test "builtin clang support"
+ 55: builtin clang support :
+ 55.1: builtin clang compile C source to IR : Ok
+ 55.2: builtin clang compile C source to ELF object : FAILED!
+
+ # perf test "LLVM search and compile"
+ 38: LLVM search and compile :
+ 38.1: Basic BPF llvm compile : Ok
+ 38.2: kbuild searching : Ok
+ 38.3: Compile source for BPF prologue generation : Ok
+ 38.4: Compile source for BPF relocation : FAILED!
+
+ # perf test "BPF filter"
+ 40: BPF filter :
+ 40.1: Basic BPF filtering : Ok
+ 40.2: BPF pinning : Ok
+ 40.3: BPF prologue generation : Ok
+ 40.4: BPF relocation checker : FAILED!
+
+After:
+
+ # perf test "builtin clang support"
+ 55: builtin clang support :
+ 55.1: builtin clang compile C source to IR : Ok
+ 55.2: builtin clang compile C source to ELF object : Ok
+
+ # perf test "LLVM search and compile"
+ 38: LLVM search and compile :
+ 38.1: Basic BPF llvm compile : Ok
+ 38.2: kbuild searching : Ok
+ 38.3: Compile source for BPF prologue generation : Ok
+ 38.4: Compile source for BPF relocation : Ok
+
+ # perf test "BPF filter"
+ 40: BPF filter :
+ 40.1: Basic BPF filtering : Ok
+ 40.2: BPF pinning : Ok
+ 40.3: BPF prologue generation : Ok
+ 40.4: BPF relocation checker : Ok
+
+Signed-off-by: Sandipan Das <sandipan@linux.ibm.com>
+Reported-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Hendrik Brueckner <brueckner@linux.ibm.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Cc: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Cc: Thomas Richter <tmricht@linux.ibm.com>
+Fixes: 9ef0112442bd ("perf test: Fix subtest number when showing results")
+Link: http://lkml.kernel.org/r/20180726171733.33208-1-sandipan@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/builtin-test.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/tests/builtin-test.c b/tools/perf/tests/builtin-test.c
+index ade7213943ad..03239956987f 100644
+--- a/tools/perf/tests/builtin-test.c
++++ b/tools/perf/tests/builtin-test.c
+@@ -335,7 +335,7 @@ static int test_and_print(struct test *t, bool force_skip, int subtest)
+ if (!t->subtest.get_nr)
+ pr_debug("%s:", t->desc);
+ else
+- pr_debug("%s subtest %d:", t->desc, subtest);
++ pr_debug("%s subtest %d:", t->desc, subtest + 1);
+
+ switch (err) {
+ case TEST_OK:
+@@ -413,7 +413,7 @@ static int __cmd_test(int argc, const char *argv[], struct intlist *skiplist)
+ for (subi = 0; subi < subn; subi++) {
+ pr_info("%2d.%1d: %-*s:", i, subi + 1, subw,
+ t->subtest.get_desc(subi));
+- err = test_and_print(t, skip, subi + 1);
++ err = test_and_print(t, skip, subi);
+ if (err != TEST_OK && t->subtest.skip_if_fail)
+ skip = true;
+ }
+--
+2.17.1
+
--- /dev/null
+From 901b233c9a99656755141a5a2de5ad9a7de69970 Mon Sep 17 00:00:00 2001
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Fri, 21 Sep 2018 07:07:06 -0700
+Subject: perf/x86/intel/uncore: Fix PCI BDF address of M3UPI on SKX
+
+[ Upstream commit 9d92cfeaf5215158d26d2991be7f7ff865cb98f3 ]
+
+The counters on M3UPI Link 0 and Link 3 don't count properly, and writing
+0 to these counters may causes system crash on some machines.
+
+The PCI BDF addresses of the M3UPI in the current code are incorrect.
+
+The correct addresses should be:
+
+ D18:F1 0x204D
+ D18:F2 0x204E
+ D18:F5 0x204D
+
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Fixes: cd34cd97b7b4 ("perf/x86/intel/uncore: Add Skylake server uncore support")
+Link: http://lkml.kernel.org/r/1537538826-55489-1-git-send-email-kan.liang@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/uncore_snbep.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
+index 6bc36944a8c1..8c2a9fa0caf3 100644
+--- a/arch/x86/events/intel/uncore_snbep.c
++++ b/arch/x86/events/intel/uncore_snbep.c
+@@ -3767,16 +3767,16 @@ static const struct pci_device_id skx_uncore_pci_ids[] = {
+ .driver_data = UNCORE_PCI_DEV_FULL_DATA(21, 5, SKX_PCI_UNCORE_M2PCIE, 3),
+ },
+ { /* M3UPI0 Link 0 */
+- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204C),
+- .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 0, SKX_PCI_UNCORE_M3UPI, 0),
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204D),
++ .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 1, SKX_PCI_UNCORE_M3UPI, 0),
+ },
+ { /* M3UPI0 Link 1 */
+- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204D),
+- .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 1, SKX_PCI_UNCORE_M3UPI, 1),
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204E),
++ .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 2, SKX_PCI_UNCORE_M3UPI, 1),
+ },
+ { /* M3UPI1 Link 2 */
+- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204C),
+- .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 4, SKX_PCI_UNCORE_M3UPI, 2),
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204D),
++ .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 5, SKX_PCI_UNCORE_M3UPI, 2),
+ },
+ { /* end: all zeroes */ }
+ };
+--
+2.17.1
+
--- /dev/null
+From fd30a5819b96e3efba0b6c93c80e3abd7e372a67 Mon Sep 17 00:00:00 2001
+From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
+Date: Fri, 28 Apr 2017 16:23:59 +0800
+Subject: platform/x86: acer-wmi: setup accelerometer when ACPI device was
+ found
+
+[ Upstream commit f9ac89f5ad613b462339e845aeb8494646fd9be2 ]
+
+The 98d610c3739a patch was introduced since v4.11-rc1 that it causes
+that the accelerometer input device will not be created on workable
+machines because the HID string comparing logic is wrong.
+
+And, the patch doesn't prevent that the accelerometer input device
+be created on the machines that have no BST0001. That's because
+the acpi_get_devices() returns success even it didn't find any
+match device.
+
+This patch fixed the HID string comparing logic of BST0001 device.
+And, it also makes sure that the acpi_get_devices() returns
+acpi_handle for BST0001.
+
+Fixes: 98d610c3739a ("acer-wmi: setup accelerometer when machine has appropriate notify event")
+Reference: https://bugzilla.kernel.org/show_bug.cgi?id=193761
+Reported-by: Samuel Sieb <samuel-kbugs@sieb.net>
+Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/acer-wmi.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/platform/x86/acer-wmi.c b/drivers/platform/x86/acer-wmi.c
+index c29b9b611ab2..1515c9480f89 100644
+--- a/drivers/platform/x86/acer-wmi.c
++++ b/drivers/platform/x86/acer-wmi.c
+@@ -1856,7 +1856,7 @@ static acpi_status __init acer_wmi_get_handle_cb(acpi_handle ah, u32 level,
+ if (!strcmp(ctx, "SENR")) {
+ if (acpi_bus_get_device(ah, &dev))
+ return AE_OK;
+- if (!strcmp(ACER_WMID_ACCEL_HID, acpi_device_hid(dev)))
++ if (strcmp(ACER_WMID_ACCEL_HID, acpi_device_hid(dev)))
+ return AE_OK;
+ } else
+ return AE_OK;
+@@ -1877,8 +1877,7 @@ static int __init acer_wmi_get_handle(const char *name, const char *prop,
+ handle = NULL;
+ status = acpi_get_devices(prop, acer_wmi_get_handle_cb,
+ (void *)name, &handle);
+-
+- if (ACPI_SUCCESS(status)) {
++ if (ACPI_SUCCESS(status) && handle) {
+ *ah = handle;
+ return 0;
+ } else {
+@@ -2247,8 +2246,8 @@ static int __init acer_wmi_init(void)
+ if (err)
+ return err;
+ err = acer_wmi_accel_setup();
+- if (err)
+- return err;
++ if (err && err != -ENODEV)
++ pr_warn("Cannot enable accelerometer\n");
+ }
+
+ err = platform_driver_register(&acer_platform_driver);
+--
+2.17.1
+
--- /dev/null
+From 819097fd57e6821b65617e7d8d0258e0e1fd93ec Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Fri, 8 Dec 2017 17:31:37 +0200
+Subject: ptr_ring: fix up after recent ptr_ring changes
+
+[ Upstream commit 5790eabc6e7c3ce2d6ca2e3bbf4de467ce2b64b3 ]
+
+Add more stubs to make it build.
+
+Fixes: 81fbfe8a ("ptr_ring: use kmalloc_array()")
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/virtio/ringtest/ptr_ring.c | 29 +++++++++++++++++++++++------
+ 1 file changed, 23 insertions(+), 6 deletions(-)
+
+diff --git a/tools/virtio/ringtest/ptr_ring.c b/tools/virtio/ringtest/ptr_ring.c
+index 635b07b4fdd3..b4a2e6af515f 100644
+--- a/tools/virtio/ringtest/ptr_ring.c
++++ b/tools/virtio/ringtest/ptr_ring.c
+@@ -15,24 +15,41 @@
+ #define unlikely(x) (__builtin_expect(!!(x), 0))
+ #define likely(x) (__builtin_expect(!!(x), 1))
+ #define ALIGN(x, a) (((x) + (a) - 1) / (a) * (a))
++#define SIZE_MAX (~(size_t)0)
++
+ typedef pthread_spinlock_t spinlock_t;
+
+ typedef int gfp_t;
+-static void *kmalloc(unsigned size, gfp_t gfp)
+-{
+- return memalign(64, size);
+-}
++#define __GFP_ZERO 0x1
+
+-static void *kzalloc(unsigned size, gfp_t gfp)
++static void *kmalloc(unsigned size, gfp_t gfp)
+ {
+ void *p = memalign(64, size);
+ if (!p)
+ return p;
+- memset(p, 0, size);
+
++ if (gfp & __GFP_ZERO)
++ memset(p, 0, size);
+ return p;
+ }
+
++static inline void *kzalloc(unsigned size, gfp_t flags)
++{
++ return kmalloc(size, flags | __GFP_ZERO);
++}
++
++static inline void *kmalloc_array(size_t n, size_t size, gfp_t flags)
++{
++ if (size != 0 && n > SIZE_MAX / size)
++ return NULL;
++ return kmalloc(n * size, flags);
++}
++
++static inline void *kcalloc(size_t n, size_t size, gfp_t flags)
++{
++ return kmalloc_array(n, size, flags | __GFP_ZERO);
++}
++
+ static void kfree(void *p)
+ {
+ if (p)
+--
+2.17.1
+
--- /dev/null
+From 552752caa05920eb234a866dbe4532311dd2fdf1 Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Wed, 26 Sep 2018 18:11:22 +0200
+Subject: pxa168fb: prepare the clock
+
+[ Upstream commit d85536cde91fcfed6fb8d983783bd2b92c843939 ]
+
+Add missing prepare/unprepare operations for fbi->clk,
+this fixes following kernel warning:
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 0 PID: 1 at drivers/clk/clk.c:874 clk_core_enable+0x2c/0x1b0
+ Enabling unprepared disp0_clk
+ Modules linked in:
+ CPU: 0 PID: 1 Comm: swapper Not tainted 4.18.0-rc8-00032-g02b43ddd4f21-dirty #25
+ Hardware name: Marvell MMP2 (Device Tree Support)
+ [<c010f7cc>] (unwind_backtrace) from [<c010cc6c>] (show_stack+0x10/0x14)
+ [<c010cc6c>] (show_stack) from [<c011dab4>] (__warn+0xd8/0xf0)
+ [<c011dab4>] (__warn) from [<c011db10>] (warn_slowpath_fmt+0x44/0x6c)
+ [<c011db10>] (warn_slowpath_fmt) from [<c043898c>] (clk_core_enable+0x2c/0x1b0)
+ [<c043898c>] (clk_core_enable) from [<c0439ec8>] (clk_core_enable_lock+0x18/0x2c)
+ [<c0439ec8>] (clk_core_enable_lock) from [<c0436698>] (pxa168fb_probe+0x464/0x6ac)
+ [<c0436698>] (pxa168fb_probe) from [<c04779a0>] (platform_drv_probe+0x48/0x94)
+ [<c04779a0>] (platform_drv_probe) from [<c0475bec>] (driver_probe_device+0x328/0x470)
+ [<c0475bec>] (driver_probe_device) from [<c0475de4>] (__driver_attach+0xb0/0x124)
+ [<c0475de4>] (__driver_attach) from [<c0473c38>] (bus_for_each_dev+0x64/0xa0)
+ [<c0473c38>] (bus_for_each_dev) from [<c0474ee0>] (bus_add_driver+0x1b8/0x230)
+ [<c0474ee0>] (bus_add_driver) from [<c0476a20>] (driver_register+0xac/0xf0)
+ [<c0476a20>] (driver_register) from [<c0102dd4>] (do_one_initcall+0xb8/0x1f0)
+ [<c0102dd4>] (do_one_initcall) from [<c0b010a0>] (kernel_init_freeable+0x294/0x2e0)
+ [<c0b010a0>] (kernel_init_freeable) from [<c07e9eb8>] (kernel_init+0x8/0x10c)
+ [<c07e9eb8>] (kernel_init) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
+ Exception stack(0xd008bfb0 to 0xd008bff8)
+ bfa0: 00000000 00000000 00000000 00000000
+ bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+ bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
+ ---[ end trace c0af40f9e2ed7cb4 ]---
+
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+[b.zolnierkie: enhance patch description a bit]
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/pxa168fb.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/video/fbdev/pxa168fb.c b/drivers/video/fbdev/pxa168fb.c
+index def3a501acd6..d059d04c63ac 100644
+--- a/drivers/video/fbdev/pxa168fb.c
++++ b/drivers/video/fbdev/pxa168fb.c
+@@ -712,7 +712,7 @@ static int pxa168fb_probe(struct platform_device *pdev)
+ /*
+ * enable controller clock
+ */
+- clk_enable(fbi->clk);
++ clk_prepare_enable(fbi->clk);
+
+ pxa168fb_set_par(info);
+
+@@ -767,7 +767,7 @@ static int pxa168fb_probe(struct platform_device *pdev)
+ failed_free_cmap:
+ fb_dealloc_cmap(&info->cmap);
+ failed_free_clk:
+- clk_disable(fbi->clk);
++ clk_disable_unprepare(fbi->clk);
+ failed_free_fbmem:
+ dma_free_coherent(fbi->dev, info->fix.smem_len,
+ info->screen_base, fbi->fb_start_dma);
+@@ -807,7 +807,7 @@ static int pxa168fb_remove(struct platform_device *pdev)
+ dma_free_wc(fbi->dev, PAGE_ALIGN(info->fix.smem_len),
+ info->screen_base, info->fix.smem_start);
+
+- clk_disable(fbi->clk);
++ clk_disable_unprepare(fbi->clk);
+
+ framebuffer_release(info);
+
+--
+2.17.1
+
--- /dev/null
+From b663ba9588c3c98ed81a119687b7aabc4515a710 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Mon, 24 Sep 2018 15:17:03 -0700
+Subject: qed: Avoid constant logical operation warning in qed_vf_pf_acquire
+
+[ Upstream commit 1c492a9d55ba99079210ed901dd8a5423f980487 ]
+
+Clang warns when a constant is used in a boolean context as it thinks a
+bitwise operation may have been intended.
+
+drivers/net/ethernet/qlogic/qed/qed_vf.c:415:27: warning: use of logical
+'&&' with constant operand [-Wconstant-logical-operand]
+ if (!p_iov->b_pre_fp_hsi &&
+ ^
+drivers/net/ethernet/qlogic/qed/qed_vf.c:415:27: note: use '&' for a
+bitwise operation
+ if (!p_iov->b_pre_fp_hsi &&
+ ^~
+ &
+drivers/net/ethernet/qlogic/qed/qed_vf.c:415:27: note: remove constant
+to silence this warning
+ if (!p_iov->b_pre_fp_hsi &&
+ ~^~
+1 warning generated.
+
+This has been here since commit 1fe614d10f45 ("qed: Relax VF firmware
+requirements") and I am not entirely sure why since 0 isn't a special
+case. Just remove the statement causing Clang to warn since it isn't
+required.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/126
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_vf.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_vf.c b/drivers/net/ethernet/qlogic/qed/qed_vf.c
+index faf8215872de..9cc02b94328a 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_vf.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_vf.c
+@@ -295,7 +295,6 @@ static int qed_vf_pf_acquire(struct qed_hwfn *p_hwfn)
+ }
+
+ if (!p_iov->b_pre_fp_hsi &&
+- ETH_HSI_VER_MINOR &&
+ (resp->pfdev_info.minor_fp_hsi < ETH_HSI_VER_MINOR)) {
+ DP_INFO(p_hwfn,
+ "PF is using older fastpath HSI; %02x.%02x is configured\n",
+--
+2.17.1
+
--- /dev/null
+From 9248cf95df2d96816ca1ae3cd4c94fdf1f38bcae Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Mon, 24 Sep 2018 14:34:53 -0700
+Subject: qed: Avoid implicit enum conversion in qed_roce_mode_to_flavor
+
+[ Upstream commit d3a315795b4ce8b105a64a90699103121bde04a8 ]
+
+Clang warns when one enumerated type is implicitly converted to another.
+
+drivers/net/ethernet/qlogic/qed/qed_roce.c:153:12: warning: implicit
+conversion from enumeration type 'enum roce_mode' to different
+enumeration type 'enum roce_flavor' [-Wenum-conversion]
+ flavor = ROCE_V2_IPV6;
+ ~ ^~~~~~~~~~~~
+drivers/net/ethernet/qlogic/qed/qed_roce.c:156:12: warning: implicit
+conversion from enumeration type 'enum roce_mode' to different
+enumeration type 'enum roce_flavor' [-Wenum-conversion]
+ flavor = MAX_ROCE_MODE;
+ ~ ^~~~~~~~~~~~~
+2 warnings generated.
+
+Use the appropriate values from the expected type, roce_flavor:
+
+ROCE_V2_IPV6 = RROCE_IPV6 = 2
+MAX_ROCE_MODE = MAX_ROCE_FLAVOR = 3
+
+While we're add it, ditch the local variable flavor, we can just return
+the value directly from the switch statement.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/125
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_roce.c | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_roce.c b/drivers/net/ethernet/qlogic/qed/qed_roce.c
+index d9dcb0d1714c..07783d13df71 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_roce.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_roce.c
+@@ -1059,23 +1059,16 @@ static void qed_rdma_copy_gids(struct qed_rdma_qp *qp, __le32 *src_gid,
+
+ static enum roce_flavor qed_roce_mode_to_flavor(enum roce_mode roce_mode)
+ {
+- enum roce_flavor flavor;
+-
+ switch (roce_mode) {
+ case ROCE_V1:
+- flavor = PLAIN_ROCE;
+- break;
++ return PLAIN_ROCE;
+ case ROCE_V2_IPV4:
+- flavor = RROCE_IPV4;
+- break;
++ return RROCE_IPV4;
+ case ROCE_V2_IPV6:
+- flavor = ROCE_V2_IPV6;
+- break;
++ return RROCE_IPV6;
+ default:
+- flavor = MAX_ROCE_MODE;
+- break;
++ return MAX_ROCE_FLAVOR;
+ }
+- return flavor;
+ }
+
+ static int qed_roce_alloc_cid(struct qed_hwfn *p_hwfn, u16 *cid)
+--
+2.17.1
+
--- /dev/null
+From 35289d532f32f3f479ee268a27f7fd778742a438 Mon Sep 17 00:00:00 2001
+From: "Mintz, Yuval" <Yuval.Mintz@cavium.com>
+Date: Thu, 6 Apr 2017 15:58:28 +0300
+Subject: qed: Warn PTT usage by wrong hw-function
+
+[ Upstream commit 3a50d3518dcba44f8a0f9356b7140fe1499984ea ]
+
+PTT entries are per-hwfn; If some errneous flow is trying
+to use a PTT belonging to a differnet hwfn warn user, as this
+can break every register accessing flow later and is very hard
+to root-cause.
+
+Signed-off-by: Yuval Mintz <Yuval.Mintz@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_hw.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_hw.c b/drivers/net/ethernet/qlogic/qed/qed_hw.c
+index 6e4fae9b1430..944749cfe092 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_hw.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_hw.c
+@@ -34,6 +34,7 @@ struct qed_ptt {
+ struct list_head list_entry;
+ unsigned int idx;
+ struct pxp_ptt_entry pxp;
++ u8 hwfn_id;
+ };
+
+ struct qed_ptt_pool {
+@@ -55,6 +56,7 @@ int qed_ptt_pool_alloc(struct qed_hwfn *p_hwfn)
+ p_pool->ptts[i].idx = i;
+ p_pool->ptts[i].pxp.offset = QED_BAR_INVALID_OFFSET;
+ p_pool->ptts[i].pxp.pretend.control = 0;
++ p_pool->ptts[i].hwfn_id = p_hwfn->my_id;
+ if (i >= RESERVED_PTT_MAX)
+ list_add(&p_pool->ptts[i].list_entry,
+ &p_pool->free_list);
+@@ -169,6 +171,11 @@ static u32 qed_set_ptt(struct qed_hwfn *p_hwfn,
+
+ offset = hw_addr - win_hw_addr;
+
++ if (p_ptt->hwfn_id != p_hwfn->my_id)
++ DP_NOTICE(p_hwfn,
++ "ptt[%d] of hwfn[%02x] is used by hwfn[%02x]!\n",
++ p_ptt->idx, p_ptt->hwfn_id, p_hwfn->my_id);
++
+ /* Verify the address is within the window */
+ if (hw_addr < win_hw_addr ||
+ offset >= PXP_EXTERNAL_BAR_PF_WINDOW_SINGLE_SIZE) {
+--
+2.17.1
+
--- /dev/null
+From 5b9aedcd0afc7c0d94875c9708a77b9deac5cea4 Mon Sep 17 00:00:00 2001
+From: "Chopra, Manish" <Manish.Chopra@cavium.com>
+Date: Fri, 2 Jun 2017 06:52:54 -0700
+Subject: qlcnic: Fix tunnel offload for 82xx adapters
+
+[ Upstream commit 4bd7ef0b033721b659b9357057e76d1ced95c1da ]
+
+Qlogic's 82xx series adapter doesn't support
+tunnel offloads, driver incorrectly assumes that it is
+supported and causes firmware hang while running tunnel IO.
+
+This patch fixes this by not advertising tunnel offloads
+for 82xx adapters.
+
+Signed-off-by: Manish Chopra <manish.chopra@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic.h | 26 +++++++++++++++++--
+ .../ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 2 ++
+ .../net/ethernet/qlogic/qlcnic/qlcnic_main.c | 2 ++
+ .../qlogic/qlcnic/qlcnic_sriov_common.c | 2 ++
+ 4 files changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h b/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h
+index 5ddadcd0c8db..f1242ab32ca6 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h
+@@ -1825,22 +1825,44 @@ struct qlcnic_hardware_ops {
+ u32 (*get_cap_size)(void *, int);
+ void (*set_sys_info)(void *, int, u32);
+ void (*store_cap_mask)(void *, u32);
++ bool (*encap_rx_offload) (struct qlcnic_adapter *adapter);
++ bool (*encap_tx_offload) (struct qlcnic_adapter *adapter);
+ };
+
+ extern struct qlcnic_nic_template qlcnic_vf_ops;
+
+-static inline bool qlcnic_encap_tx_offload(struct qlcnic_adapter *adapter)
++static inline bool qlcnic_83xx_encap_tx_offload(struct qlcnic_adapter *adapter)
+ {
+ return adapter->ahw->extra_capability[0] &
+ QLCNIC_83XX_FW_CAPAB_ENCAP_TX_OFFLOAD;
+ }
+
+-static inline bool qlcnic_encap_rx_offload(struct qlcnic_adapter *adapter)
++static inline bool qlcnic_83xx_encap_rx_offload(struct qlcnic_adapter *adapter)
+ {
+ return adapter->ahw->extra_capability[0] &
+ QLCNIC_83XX_FW_CAPAB_ENCAP_RX_OFFLOAD;
+ }
+
++static inline bool qlcnic_82xx_encap_tx_offload(struct qlcnic_adapter *adapter)
++{
++ return false;
++}
++
++static inline bool qlcnic_82xx_encap_rx_offload(struct qlcnic_adapter *adapter)
++{
++ return false;
++}
++
++static inline bool qlcnic_encap_rx_offload(struct qlcnic_adapter *adapter)
++{
++ return adapter->ahw->hw_ops->encap_rx_offload(adapter);
++}
++
++static inline bool qlcnic_encap_tx_offload(struct qlcnic_adapter *adapter)
++{
++ return adapter->ahw->hw_ops->encap_tx_offload(adapter);
++}
++
+ static inline int qlcnic_start_firmware(struct qlcnic_adapter *adapter)
+ {
+ return adapter->nic_ops->start_firmware(adapter);
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+index 05d32e86bcf7..35c5ac41c0a1 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+@@ -242,6 +242,8 @@ static struct qlcnic_hardware_ops qlcnic_83xx_hw_ops = {
+ .get_cap_size = qlcnic_83xx_get_cap_size,
+ .set_sys_info = qlcnic_83xx_set_sys_info,
+ .store_cap_mask = qlcnic_83xx_store_cap_mask,
++ .encap_rx_offload = qlcnic_83xx_encap_rx_offload,
++ .encap_tx_offload = qlcnic_83xx_encap_tx_offload,
+ };
+
+ static struct qlcnic_nic_template qlcnic_83xx_ops = {
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
+index 3ae3968b0edf..ebf5ead16939 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
+@@ -632,6 +632,8 @@ static struct qlcnic_hardware_ops qlcnic_hw_ops = {
+ .get_cap_size = qlcnic_82xx_get_cap_size,
+ .set_sys_info = qlcnic_82xx_set_sys_info,
+ .store_cap_mask = qlcnic_82xx_store_cap_mask,
++ .encap_rx_offload = qlcnic_82xx_encap_rx_offload,
++ .encap_tx_offload = qlcnic_82xx_encap_tx_offload,
+ };
+
+ static int qlcnic_check_multi_tx_capability(struct qlcnic_adapter *adapter)
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
+index 2f656f395f39..c58180f40844 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
+@@ -77,6 +77,8 @@ static struct qlcnic_hardware_ops qlcnic_sriov_vf_hw_ops = {
+ .free_mac_list = qlcnic_sriov_vf_free_mac_list,
+ .enable_sds_intr = qlcnic_83xx_enable_sds_intr,
+ .disable_sds_intr = qlcnic_83xx_disable_sds_intr,
++ .encap_rx_offload = qlcnic_83xx_encap_rx_offload,
++ .encap_tx_offload = qlcnic_83xx_encap_tx_offload,
+ };
+
+ static struct qlcnic_nic_template qlcnic_sriov_vf_ops = {
+--
+2.17.1
+
--- /dev/null
+From dfe366f3283a63b5ce66bb7efaa00a692372518c Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:54 -0700
+Subject: r8152: Check for supported Wake-on-LAN Modes
+
+[ Upstream commit f2750df1548bd8a2b060eb609fc43ca82811af4c ]
+
+The driver does not check for Wake-on-LAN modes specified by an user,
+but will conditionally set the device as wake-up enabled or not based on
+that, which could be a very confusing user experience.
+
+Fixes: 21ff2e8976b1 ("r8152: support WOL")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index 5988674818ed..02e29562d254 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -3776,6 +3776,9 @@ static int rtl8152_set_wol(struct net_device *dev, struct ethtool_wolinfo *wol)
+ if (!rtl_can_wakeup(tp))
+ return -EOPNOTSUPP;
+
++ if (wol->wolopts & ~WAKE_ANY)
++ return -EINVAL;
++
+ ret = usb_autopm_get_interface(tp->intf);
+ if (ret < 0)
+ goto out_set_wol;
+--
+2.17.1
+
--- /dev/null
+From 9cd00dcdc4cc54cb6b3eb1b2bb8636ecc6cd5f71 Mon Sep 17 00:00:00 2001
+From: Dag Moxnes <dag.moxnes@oracle.com>
+Date: Wed, 25 Apr 2018 13:22:01 +0200
+Subject: rds: ib: Fix missing call to rds_ib_dev_put in rds_ib_setup_qp
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 91a825290ca4eae88603bc811bf74a45f94a3f46 ]
+
+The function rds_ib_setup_qp is calling rds_ib_get_client_data and
+should correspondingly call rds_ib_dev_put. This call was lost in
+the non-error path with the introduction of error handling done in
+commit 3b12f73a5c29 ("rds: ib: add error handle")
+
+Signed-off-by: Dag Moxnes <dag.moxnes@oracle.com>
+Reviewed-by: Håkon Bugge <haakon.bugge@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rds/ib_cm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/rds/ib_cm.c b/net/rds/ib_cm.c
+index 169156cfd4c8..96e61eab19bc 100644
+--- a/net/rds/ib_cm.c
++++ b/net/rds/ib_cm.c
+@@ -505,7 +505,7 @@ static int rds_ib_setup_qp(struct rds_connection *conn)
+ rdsdebug("conn %p pd %p cq %p %p\n", conn, ic->i_pd,
+ ic->i_send_cq, ic->i_recv_cq);
+
+- return ret;
++ goto out;
+
+ sends_out:
+ vfree(ic->i_sends);
+@@ -530,6 +530,7 @@ send_cq_out:
+ ic->i_send_cq = NULL;
+ rds_ibdev_out:
+ rds_ib_remove_conn(rds_ibdev, conn);
++out:
+ rds_ib_dev_put(rds_ibdev);
+
+ return ret;
+--
+2.17.1
+
--- /dev/null
+From 650f9c207a40d6e64629fdbc441623613987cc12 Mon Sep 17 00:00:00 2001
+From: Jeremy Linton <lintonrjeremy@gmail.com>
+Date: Sat, 8 Apr 2017 02:18:40 -0500
+Subject: reset: hi6220: Set module license so that it can be loaded
+
+[ Upstream commit 4497a224f759cd8350e07382307b55f870ef0df2 ]
+
+The hi6220_reset driver can be built as a standalone module
+yet it cannot be loaded because it depends on GPL exported symbols.
+
+Lets set the module license so that the module loads, and things like
+the on-board kirin drm starts working.
+
+Signed-off-by: Jeremy Linton <lintonrjeremy@gmail.com>
+Reviewed-by: Xinliang Liu <xinliang.liu@linaro.org>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/reset/hisilicon/hi6220_reset.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/reset/hisilicon/hi6220_reset.c b/drivers/reset/hisilicon/hi6220_reset.c
+index 35ce53edabf9..d5e5229308f2 100644
+--- a/drivers/reset/hisilicon/hi6220_reset.c
++++ b/drivers/reset/hisilicon/hi6220_reset.c
+@@ -155,3 +155,5 @@ static int __init hi6220_reset_init(void)
+ }
+
+ postcore_initcall(hi6220_reset_init);
++
++MODULE_LICENSE("GPL v2");
+--
+2.17.1
+
--- /dev/null
+From 238345c78c64846c24daa9aca738cc618f64ea72 Mon Sep 17 00:00:00 2001
+From: Alex Estrin <alex.estrin@intel.com>
+Date: Tue, 26 Sep 2017 06:06:22 -0700
+Subject: Revert "IB/ipoib: Update broadcast object if PKey value was changed
+ in index 0"
+
+[ Upstream commit 612601d0013f03de9dc134809f242ba6da9ca252 ]
+
+commit 9a9b8112699d will cause core to fail UD QP from being destroyed
+on ipoib unload, therefore cause resources leakage.
+On pkey change event above patch modifies mgid before calling underlying
+driver to detach it from QP. Drivers' detach_mcast() will fail to find
+modified mgid it was never given to attach in a first place.
+Core qp->usecnt will never go down, so ib_destroy_qp() will fail.
+
+IPoIB driver actually does take care of new broadcast mgid based on new
+pkey by destroying an old mcast object in ipoib_mcast_dev_flush())
+....
+ if (priv->broadcast) {
+ rb_erase(&priv->broadcast->rb_node, &priv->multicast_tree);
+ list_add_tail(&priv->broadcast->list, &remove_list);
+ priv->broadcast = NULL;
+ }
+...
+
+then in restarted ipoib_macst_join_task() creating a new broadcast mcast
+object, sending join request and on completion tells the driver to attach
+to reinitialized QP:
+...
+if (!priv->broadcast) {
+...
+ broadcast = ipoib_mcast_alloc(dev, 0);
+...
+ memcpy(broadcast->mcmember.mgid.raw, priv->dev->broadcast + 4,
+ sizeof (union ib_gid));
+ priv->broadcast = broadcast;
+...
+
+Fixes: 9a9b8112699d ("IB/ipoib: Update broadcast object if PKey value was changed in index 0")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Alex Estrin <alex.estrin@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Reviewed-by: Feras Daoud <ferasda@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_ib.c | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_ib.c b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+index 3dd5bf6c6c7a..ad3089c23e18 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+@@ -974,19 +974,6 @@ static inline int update_parent_pkey(struct ipoib_dev_priv *priv)
+ */
+ priv->dev->broadcast[8] = priv->pkey >> 8;
+ priv->dev->broadcast[9] = priv->pkey & 0xff;
+-
+- /*
+- * Update the broadcast address in the priv->broadcast object,
+- * in case it already exists, otherwise no one will do that.
+- */
+- if (priv->broadcast) {
+- spin_lock_irq(&priv->lock);
+- memcpy(priv->broadcast->mcmember.mgid.raw,
+- priv->dev->broadcast + 4,
+- sizeof(union ib_gid));
+- spin_unlock_irq(&priv->lock);
+- }
+-
+ return 0;
+ }
+
+--
+2.17.1
+
--- /dev/null
+From f090ca3367a7f98550990b912d4d7f6d59f51d0d Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai <baijiaju1990@163.com>
+Date: Mon, 5 Jun 2017 20:23:40 +0800
+Subject: rxe: Fix a sleep-in-atomic bug in post_one_send
+
+[ Upstream commit 07d432bb97f19dd5e784175152f9fce3b2646133 ]
+
+The driver may sleep under a spin lock, and the function call path is:
+post_one_send (acquire the lock by spin_lock_irqsave)
+ init_send_wqe
+ copy_from_user --> may sleep
+
+There is no flow that makes "qp->is_user" true, and copy_from_user may
+cause bug when a non-user pointer is used. So the lines of copy_from_user
+and check of "qp->is_user" are removed.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Acked-by: Moni Shoua <monis@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_verbs.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.c b/drivers/infiniband/sw/rxe/rxe_verbs.c
+index ced416f5dffb..ef13082d6ca1 100644
+--- a/drivers/infiniband/sw/rxe/rxe_verbs.c
++++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
+@@ -729,13 +729,8 @@ static int init_send_wqe(struct rxe_qp *qp, struct ib_send_wr *ibwr,
+
+ sge = ibwr->sg_list;
+ for (i = 0; i < num_sge; i++, sge++) {
+- if (qp->is_user && copy_from_user(p, (__user void *)
+- (uintptr_t)sge->addr, sge->length))
+- return -EFAULT;
+-
+- else if (!qp->is_user)
+- memcpy(p, (void *)(uintptr_t)sge->addr,
+- sge->length);
++ memcpy(p, (void *)(uintptr_t)sge->addr,
++ sge->length);
+
+ p += sge->length;
+ }
+--
+2.17.1
+
--- /dev/null
+From 3dd24de51ce4acd13355a59d3feb0e76cb436bdf Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Mon, 8 Oct 2018 15:46:01 +0100
+Subject: rxrpc: Don't check RXRPC_CALL_TX_LAST after calling
+ rxrpc_rotate_tx_window()
+
+[ Upstream commit c479d5f2c2e1ce609da08c075054440d97ddff52 ]
+
+We should only call the function to end a call's Tx phase if we rotated the
+marked-last packet out of the transmission buffer.
+
+Make rxrpc_rotate_tx_window() return an indication of whether it just
+rotated the packet marked as the last out of the transmit buffer, carrying
+the information out of the locked section in that function.
+
+We can then check the return value instead of examining RXRPC_CALL_TX_LAST.
+
+Fixes: 70790dbe3f66 ("rxrpc: Pass the last Tx packet marker in the annotation buffer")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/input.c | 35 +++++++++++++++++++----------------
+ 1 file changed, 19 insertions(+), 16 deletions(-)
+
+diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
+index f3ac85a285a2..7bfde4737cb3 100644
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -216,10 +216,11 @@ static void rxrpc_send_ping(struct rxrpc_call *call, struct sk_buff *skb,
+ /*
+ * Apply a hard ACK by advancing the Tx window.
+ */
+-static void rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,
++static bool rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,
+ struct rxrpc_ack_summary *summary)
+ {
+ struct sk_buff *skb, *list = NULL;
++ bool rot_last = false;
+ int ix;
+ u8 annotation;
+
+@@ -243,15 +244,17 @@ static void rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,
+ skb->next = list;
+ list = skb;
+
+- if (annotation & RXRPC_TX_ANNO_LAST)
++ if (annotation & RXRPC_TX_ANNO_LAST) {
+ set_bit(RXRPC_CALL_TX_LAST, &call->flags);
++ rot_last = true;
++ }
+ if ((annotation & RXRPC_TX_ANNO_MASK) != RXRPC_TX_ANNO_ACK)
+ summary->nr_rot_new_acks++;
+ }
+
+ spin_unlock(&call->lock);
+
+- trace_rxrpc_transmit(call, (test_bit(RXRPC_CALL_TX_LAST, &call->flags) ?
++ trace_rxrpc_transmit(call, (rot_last ?
+ rxrpc_transmit_rotate_last :
+ rxrpc_transmit_rotate));
+ wake_up(&call->waitq);
+@@ -262,6 +265,8 @@ static void rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,
+ skb->next = NULL;
+ rxrpc_free_skb(skb, rxrpc_skb_tx_freed);
+ }
++
++ return rot_last;
+ }
+
+ /*
+@@ -332,11 +337,11 @@ static bool rxrpc_receiving_reply(struct rxrpc_call *call)
+ ktime_get_real());
+ }
+
+- if (!test_bit(RXRPC_CALL_TX_LAST, &call->flags))
+- rxrpc_rotate_tx_window(call, top, &summary);
+ if (!test_bit(RXRPC_CALL_TX_LAST, &call->flags)) {
+- rxrpc_proto_abort("TXL", call, top);
+- return false;
++ if (!rxrpc_rotate_tx_window(call, top, &summary)) {
++ rxrpc_proto_abort("TXL", call, top);
++ return false;
++ }
+ }
+ if (!rxrpc_end_tx_phase(call, true, "ETD"))
+ return false;
+@@ -839,8 +844,12 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb,
+ if (nr_acks > call->tx_top - hard_ack)
+ return rxrpc_proto_abort("AKN", call, 0);
+
+- if (after(hard_ack, call->tx_hard_ack))
+- rxrpc_rotate_tx_window(call, hard_ack, &summary);
++ if (after(hard_ack, call->tx_hard_ack)) {
++ if (rxrpc_rotate_tx_window(call, hard_ack, &summary)) {
++ rxrpc_end_tx_phase(call, false, "ETA");
++ return;
++ }
++ }
+
+ if (nr_acks > 0) {
+ if (skb_copy_bits(skb, offset, buf.acks, nr_acks) < 0)
+@@ -849,11 +858,6 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb,
+ &summary);
+ }
+
+- if (test_bit(RXRPC_CALL_TX_LAST, &call->flags)) {
+- rxrpc_end_tx_phase(call, false, "ETA");
+- return;
+- }
+-
+ if (call->rxtx_annotations[call->tx_top & RXRPC_RXTX_BUFF_MASK] &
+ RXRPC_TX_ANNO_LAST &&
+ summary.nr_acks == call->tx_top - hard_ack &&
+@@ -875,8 +879,7 @@ static void rxrpc_input_ackall(struct rxrpc_call *call, struct sk_buff *skb)
+
+ _proto("Rx ACKALL %%%u", sp->hdr.serial);
+
+- rxrpc_rotate_tx_window(call, call->tx_top, &summary);
+- if (test_bit(RXRPC_CALL_TX_LAST, &call->flags))
++ if (rxrpc_rotate_tx_window(call, call->tx_top, &summary))
+ rxrpc_end_tx_phase(call, false, "ETL");
+ }
+
+--
+2.17.1
+
--- /dev/null
+From f8c62cf32961acca7553bca98548fde02248721b Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Mon, 8 Oct 2018 15:46:11 +0100
+Subject: rxrpc: Only take the rwind and mtu values from latest ACK
+
+[ Upstream commit 298bc15b2079c324e82d0a6fda39c3d762af7282 ]
+
+Move the out-of-order and duplicate ACK packet check to before the call to
+rxrpc_input_ackinfo() so that the receive window size and MTU size are only
+checked in the latest ACK packet and don't regress.
+
+Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/input.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
+index 7bfde4737cb3..a4380e182e6c 100644
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -808,6 +808,16 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb,
+ rxrpc_propose_ack_respond_to_ack);
+ }
+
++ /* Discard any out-of-order or duplicate ACKs. */
++ if (before_eq(sp->hdr.serial, call->acks_latest)) {
++ _debug("discard ACK %d <= %d",
++ sp->hdr.serial, call->acks_latest);
++ return;
++ }
++ call->acks_latest_ts = skb->tstamp;
++ call->acks_latest = sp->hdr.serial;
++
++ /* Parse rwind and mtu sizes if provided. */
+ ioffset = offset + nr_acks + 3;
+ if (skb->len >= ioffset + sizeof(buf.info)) {
+ if (skb_copy_bits(skb, ioffset, &buf.info, sizeof(buf.info)) < 0)
+@@ -829,15 +839,6 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb,
+ return;
+ }
+
+- /* Discard any out-of-order or duplicate ACKs. */
+- if (before_eq(sp->hdr.serial, call->acks_latest)) {
+- _debug("discard ACK %d <= %d",
+- sp->hdr.serial, call->acks_latest);
+- return;
+- }
+- call->acks_latest_ts = skb->tstamp;
+- call->acks_latest = sp->hdr.serial;
+-
+ if (before(hard_ack, call->tx_hard_ack) ||
+ after(hard_ack, call->tx_top))
+ return rxrpc_proto_abort("AKW", call, 0);
+--
+2.17.1
+
--- /dev/null
+From 301c415a23d87f1f50cc8733820d37bf8c7a1e4b Mon Sep 17 00:00:00 2001
+From: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
+Date: Thu, 2 Mar 2017 09:21:33 -0800
+Subject: scsi: aacraid: Fix typo in blink status
+
+[ Upstream commit 934767c56b0d9dbb95a40e9e6e4d9dcdc3a165ad ]
+
+The return status of the adapter check on KERNEL_PANIC is supposed to be
+the upper 16 bits of the OMR status register.
+
+Fixes: c421530bf848604e (scsi: aacraid: Reorder Adpater status check)
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
+Reviewed-by: Dave Carroll <david.carroll@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/aacraid/src.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/aacraid/src.c b/drivers/scsi/aacraid/src.c
+index 7b178d765726..c0592fda409e 100644
+--- a/drivers/scsi/aacraid/src.c
++++ b/drivers/scsi/aacraid/src.c
+@@ -445,7 +445,7 @@ err_out:
+ return -1;
+
+ err_blink:
+- return (status > 16) & 0xFF;
++ return (status >> 16) & 0xFF;
+ }
+
+ /**
+--
+2.17.1
+
--- /dev/null
+From 90c0a48c5ad7f229cb87bf1c9942e55f1e230163 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Tue, 20 Mar 2018 21:05:48 +0000
+Subject: scsi: qla2xxx: Avoid double completion of abort command
+
+[ Upstream commit 3a9910d7b686546dcc9986e790af17e148f1c888 ]
+
+qla2x00_tmf_sp_done() now deletes the timer that will run
+qla2x00_tmf_iocb_timeout(), but doesn't check whether the timer already
+expired. Check the return value from del_timer() to avoid calling
+complete() a second time.
+
+Fixes: 4440e46d5db7 ("[SCSI] qla2xxx: Add IOCB Abort command asynchronous ...")
+Fixes: 1514839b3664 ("scsi: qla2xxx: Fix NULL pointer crash due to active ...")
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_init.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index 5f66b6da65f2..b6d9e3104b89 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -368,8 +368,8 @@ qla24xx_abort_sp_done(void *data, void *ptr, int res)
+ srb_t *sp = (srb_t *)ptr;
+ struct srb_iocb *abt = &sp->u.iocb_cmd;
+
+- del_timer(&sp->u.iocb_cmd.timer);
+- complete(&abt->u.abt.comp);
++ if (del_timer(&sp->u.iocb_cmd.timer))
++ complete(&abt->u.abt.comp);
+ }
+
+ static int
+--
+2.17.1
+
--- /dev/null
+From d3defbed265453adbedb11d0b801d94114ca109a Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 26 Nov 2017 20:56:07 +0800
+Subject: sctp: use right member as the param of list_for_each_entry
+
+[ Upstream commit a8dd397903a6e57157f6265911f7d35681364427 ]
+
+Commit d04adf1b3551 ("sctp: reset owner sk for data chunks on out queues
+when migrating a sock") made a mistake that using 'list' as the param of
+list_for_each_entry to traverse the retransmit, sacked and abandoned
+queues, while chunks are using 'transmitted_list' to link into these
+queues.
+
+It could cause NULL dereference panic if there are chunks in any of these
+queues when peeling off one asoc.
+
+So use the chunk member 'transmitted_list' instead in this patch.
+
+Fixes: d04adf1b3551 ("sctp: reset owner sk for data chunks on out queues when migrating a sock")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/socket.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 64d2d9ea2f8c..16aa8673f918 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -185,13 +185,13 @@ static void sctp_for_each_tx_datachunk(struct sctp_association *asoc,
+ list_for_each_entry(chunk, &t->transmitted, transmitted_list)
+ cb(chunk);
+
+- list_for_each_entry(chunk, &q->retransmit, list)
++ list_for_each_entry(chunk, &q->retransmit, transmitted_list)
+ cb(chunk);
+
+- list_for_each_entry(chunk, &q->sacked, list)
++ list_for_each_entry(chunk, &q->sacked, transmitted_list)
+ cb(chunk);
+
+- list_for_each_entry(chunk, &q->abandoned, list)
++ list_for_each_entry(chunk, &q->abandoned, transmitted_list)
+ cb(chunk);
+
+ list_for_each_entry(chunk, &q->out_chunk_list, list)
+--
+2.17.1
+
--- /dev/null
+xfrm-validate-address-prefix-lengths-in-the-xfrm-sel.patch
+xfrm6-call-kfree_skb-when-skb-is-toobig.patch
+mac80211-always-report-tx-status.patch
+cfg80211-reg-init-wiphy_idx-in-regulatory_hint_core.patch
+mac80211-fix-pending-queue-hang-due-to-tx_drop.patch
+cfg80211-address-some-corner-cases-in-scan-result-ch.patch
+mac80211-tdls-fix-skb-queue-priority-assignment.patch
+arm-8799-1-mm-fix-pci_ioremap_io-offset-check.patch
+xfrm-validate-template-mode.patch
+arm-dts-bcm63xx-fix-incorrect-interrupt-specifiers.patch
+net-macb-clean-64b-dma-addresses-if-they-are-not-det.patch
+soc-fsl-qbman-qman-avoid-allocating-from-non-existin.patch
+soc-fsl-qe-fix-copy-paste-bug-in-ucc_get_tdm_sync_sh.patch
+nl80211-fix-possible-spectre-v1-for-nl80211_txrate_h.patch
+mac80211_hwsim-do-not-omit-multicast-announce-of-fir.patch
+bluetooth-smp-fix-crash-in-unpairing.patch
+pxa168fb-prepare-the-clock.patch
+qed-avoid-implicit-enum-conversion-in-qed_roce_mode_.patch
+qed-avoid-constant-logical-operation-warning-in-qed_.patch
+asix-check-for-supported-wake-on-lan-modes.patch
+ax88179_178a-check-for-supported-wake-on-lan-modes.patch
+lan78xx-check-for-supported-wake-on-lan-modes.patch
+sr9800-check-for-supported-wake-on-lan-modes.patch
+r8152-check-for-supported-wake-on-lan-modes.patch
+smsc75xx-check-for-wake-on-lan-modes.patch
+smsc95xx-check-for-wake-on-lan-modes.patch
+perf-ring_buffer-prevent-concurent-ring-buffer-acces.patch
+perf-x86-intel-uncore-fix-pci-bdf-address-of-m3upi-o.patch
+net-fec-fix-rare-tx-timeout.patch
+declance-fix-continuation-with-the-adapter-identific.patch
+net-cxgb3_main-fix-a-missing-check-bug.patch
+perf-symbols-fix-memory-corruption-because-of-zero-l.patch
+mm-memory_hotplug.c-fix-overflow-in-test_pages_in_a_.patch
+mips-micromips-fix-decoding-of-swsp16-instruction.patch
+mips-handle-non-word-sized-instructions-when-examini.patch
+scsi-aacraid-fix-typo-in-blink-status.patch
+f2fs-fix-multiple-f2fs_add_link-having-same-name-for.patch
+igb-remove-superfluous-reset-to-phy-and-page-0-selec.patch
+acpi-sysfs-make-acpi-gpe-mask-kernel-parameter-cover.patch
+pci-disable-msi-for-hisilicon-hip06-hip07-only-in-ro.patch
+i2c-bcm2835-avoid-possible-null-ptr-dereference.patch
+efi-fb-correct-pci_std_resource_end-usage.patch
+ipv6-set-rt6i_protocol-properly-in-the-route-when-it.patch
+platform-x86-acer-wmi-setup-accelerometer-when-acpi-.patch
+ib-ipoib-do-not-warn-if-ipoib-debugfs-doesn-t-exist.patch
+ib-core-fix-the-validations-of-a-multicast-lid-in-at.patch
+orangefs-off-by-ones-in-xattr-size-checks.patch
+rxe-fix-a-sleep-in-atomic-bug-in-post_one_send.patch
+nvme-pci-fix-cmb-sysfs-file-removal-in-reset-path.patch
+net-phy-marvell-limit-88m1101-autoneg-errata-to-88e1.patch
+net-mlx5-fix-command-completion-after-timeout-access.patch
+tipc-fix-tipc_sk_reinit-handling-of-eagain.patch
+tipc-fix-a-race-condition-of-releasing-subscriber-ob.patch
+bnxt_en-don-t-use-rtnl-lock-to-protect-link-change-l.patch
+ath10k-fix-napi-enable-disable-symmetry-for-ahb-inte.patch
+arm-dts-bcm283x-reserve-first-page-for-firmware.patch
+btrfs-fiemap-cache-and-merge-fiemap-extent-before-su.patch
+ata-sata_rcar-handle-return-value-of-clk_prepare_ena.patch
+reset-hi6220-set-module-license-so-that-it-can-be-lo.patch
+asoc-intel-skylake-fix-to-parse-consecutive-string-t.patch
+arch-sparc-increase-config_nodes_shift-on-sparc64-to.patch
+mac80211-fix-tx-aggregation-start-stop-callback-race.patch
+libata-fix-error-checking-in-in-ata_parse_force_one.patch
+net-ethernet-stmmac-fix-altr_tse_pcs-sgmii-initializ.patch
+qlcnic-fix-tunnel-offload-for-82xx-adapters.patch
+x86-cpu-cyrix-add-alternative-device-id-of-geode-gx1.patch
+arm-8677-1-boot-compressed-fix-decompressor-header-l.patch
+gpu-ipu-v3-fix-csi-selection-for-vdic.patch
+elevator-fix-truncation-of-icq_cache_name.patch
+net-stmmac-ensure-jumbo_frm-error-return-is-correctl.patch
+btrfs-clear-extent_defrag-bits-in-finish_ordered_io.patch
+ufs-we-need-to-sync-inode-before-freeing-it.patch
+net-mlx5e-fix-fixpoint-divide-exception-in-mlx5e_am_.patch
+ip6_tunnel-correct-tos-value-in-collect_md-mode.patch
+net-mlx5-fix-driver-load-error-flow-when-firmware-is.patch
+perf-evsel-fix-probing-of-precise_ip-level-for-defau.patch
+perf-probe-fix-probe-definition-for-inlined-function.patch
+net-mlx5-fix-health-work-queue-spin-lock-to-irq-safe.patch
+usb-renesas_usbhs-gadget-fix-spin_lock_init-for-uep-.patch
+usb-renesas_usbhs-gadget-fix-unused-but-set-variable.patch
+usb-dwc3-omap-remove-irq_noautoen-used-with-shared-i.patch
+clk-samsung-fix-m2m-scaler-clock-on-exynos542x.patch
+ptr_ring-fix-up-after-recent-ptr_ring-changes.patch
+staging-wilc1000-fix-problem-with-wrong-vif-index.patch
+rds-ib-fix-missing-call-to-rds_ib_dev_put-in-rds_ib_.patch
+iio-adc-revert-axp288-drop-bogus-axp288_adc_ts_pin_c.patch
+qed-warn-ptt-usage-by-wrong-hw-function.patch
+ocfs2-fix-deadlock-caused-by-recursive-locking-in-xa.patch
+net-cdc_ncm-getntbformat-endian-fix.patch
+sctp-use-right-member-as-the-param-of-list_for_each_.patch
+alsa-hda-no-loopback-on-alc299-codec.patch
+x86-power-fix-some-ordering-bugs-in-__restore_proces.patch
+ath10k-convert-warning-about-non-existent-otp-board-.patch
+ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch
+ib-ipoib-fix-lockdep-issue-found-on-ipoib_ib_dev_hea.patch
+ib-rxe-put-the-pool-on-allocation-failure.patch
+nbd-only-set-msg_more-when-we-have-more-to-send.patch
+mm-frame_vector.c-release-a-semaphore-in-get_vaddr_f.patch
+ib-mlx5-avoid-passing-an-invalid-qp-type-to-firmware.patch
+scsi-qla2xxx-avoid-double-completion-of-abort-comman.patch
+drm-bochs-don-t-remove-uninitialized-fbdev-framebuff.patch
+i40e-avoid-nvm-acquire-deadlock-during-nvm-update.patch
+revert-ib-ipoib-update-broadcast-object-if-pkey-valu.patch
+btrfs-incremental-send-fix-invalid-memory-access.patch
+drm-msm-fix-possible-null-dereference-on-failure-of-.patch
+arm-tegra-fix-ulpi-regression-on-tegra20.patch
+module-fix-debug_set_module_ronx-typo.patch
+iio-pressure-zpa2326-remove-always-true-check-which-.patch
+l2tp-remove-configurable-payload-offset.patch
+macsec-fix-memory-leaks-when-skb_to_sgvec-fails.patch
+perf-core-fix-locking-for-children-siblings-group-re.patch
+cifs-use-ull-suffix-for-64-bit-constant.patch
+futex-futex_wake_op-do-not-fail-on-invalid-op.patch
+alsa-hda-fix-incorrect-usage-of-is_reachable.patch
+test_bpf-fix-testing-with-config_bpf_jit_always_on-y.patch
+xen-netfront-update-features-after-registering-netde.patch
+sparc64-fix-regression-in-pmdp_invalidate.patch
+xen-netfront-fix-mismatched-rtnl_unlock.patch
+enic-do-not-overwrite-error-code.patch
+bonding-ratelimit-failed-speed-duplex-update-warning.patch
+nvmet-fix-space-padding-in-serial-number.patch
+iio-buffer-fix-the-function-signature-to-match-imple.patch
+x86-paravirt-fix-some-warning-messages.patch
+ib-mlx4-fix-an-error-handling-path-in-mlx4_ib_rereg_.patch
+libertas-call-into-generic-suspend-code-before-turni.patch
+xhci-fix-usb3-null-pointer-dereference-at-logical-di.patch
+perf-tests-fix-indexing-when-invoking-subtests.patch
+arm-dts-imx53-qsb-disable-1.2ghz-opp.patch
+rxrpc-don-t-check-rxrpc_call_tx_last-after-calling-r.patch
+rxrpc-only-take-the-rwind-and-mtu-values-from-latest.patch
+net-ena-fix-null-dereference-due-to-untimely-napi-in.patch
+fs-fat-fatent.c-add-cond_resched-to-fat_count_free_c.patch
--- /dev/null
+From 470b7eb7fdfaf7d4a3b7639aeb4a44f8a3dbc092 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:55 -0700
+Subject: smsc75xx: Check for Wake-on-LAN modes
+
+[ Upstream commit 9c734b2769a73eea2e9e9767c0e0bf839ff23679 ]
+
+The driver does not check for Wake-on-LAN modes specified by an user,
+but will conditionally set the device as wake-up enabled or not based on
+that, which could be a very confusing user experience.
+
+Fixes: 6c636503260d ("smsc75xx: add wol magic packet support")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc75xx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
+index 8d3f938c6a51..977d9c772554 100644
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -731,6 +731,9 @@ static int smsc75xx_ethtool_set_wol(struct net_device *net,
+ struct smsc75xx_priv *pdata = (struct smsc75xx_priv *)(dev->data[0]);
+ int ret;
+
++ if (wolinfo->wolopts & ~SUPPORTED_WAKE)
++ return -EINVAL;
++
+ pdata->wolopts = wolinfo->wolopts & SUPPORTED_WAKE;
+
+ ret = device_set_wakeup_enable(&dev->udev->dev, pdata->wolopts);
+--
+2.17.1
+
--- /dev/null
+From a8845cfa6f488f4b8346795e5647b781806fcdba Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:56 -0700
+Subject: smsc95xx: Check for Wake-on-LAN modes
+
+[ Upstream commit c530c471ba37bdd9fe1c7185b01455c00ae606fb ]
+
+The driver does not check for Wake-on-LAN modes specified by an user,
+but will conditionally set the device as wake-up enabled or not based on
+that, which could be a very confusing user experience.
+
+Fixes: e0e474a83c18 ("smsc95xx: add wol magic packet support")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc95xx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
+index 831aa33d078a..a167116ceeee 100644
+--- a/drivers/net/usb/smsc95xx.c
++++ b/drivers/net/usb/smsc95xx.c
+@@ -775,6 +775,9 @@ static int smsc95xx_ethtool_set_wol(struct net_device *net,
+ struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]);
+ int ret;
+
++ if (wolinfo->wolopts & ~SUPPORTED_WAKE)
++ return -EINVAL;
++
+ pdata->wolopts = wolinfo->wolopts & SUPPORTED_WAKE;
+
+ ret = device_set_wakeup_enable(&dev->udev->dev, pdata->wolopts);
+--
+2.17.1
+
--- /dev/null
+From e7b53b5630d7bfbbd3becb928e4df7f5d1d14594 Mon Sep 17 00:00:00 2001
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Thu, 23 Aug 2018 23:36:00 +0200
+Subject: soc: fsl: qbman: qman: avoid allocating from non existing gen_pool
+
+[ Upstream commit 64e9e22e68512da8df3c9a7430f07621e48db3c2 ]
+
+If the qman driver didn't probe, calling qman_alloc_fqid_range,
+qman_alloc_pool_range or qman_alloc_cgrid_range (as done in dpaa_eth) will
+pass a NULL pointer to gen_pool_alloc, leading to a NULL pointer
+dereference.
+
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Reviewed-by: Roy Pledge <roy.pledge@nxp.com>
+Signed-off-by: Li Yang <leoyang.li@nxp.com>
+(cherry picked from commit f72487a2788aa70c3aee1d0ebd5470de9bac953a)
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/fsl/qbman/qman.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c
+index 2caacd9d2526..2cc82ed6433a 100644
+--- a/drivers/soc/fsl/qbman/qman.c
++++ b/drivers/soc/fsl/qbman/qman.c
+@@ -2713,6 +2713,9 @@ static int qman_alloc_range(struct gen_pool *p, u32 *result, u32 cnt)
+ {
+ unsigned long addr;
+
++ if (!p)
++ return -ENODEV;
++
+ addr = gen_pool_alloc(p, cnt);
+ if (!addr)
+ return -ENOMEM;
+--
+2.17.1
+
--- /dev/null
+From 05b7e9871237ade8980acfbecf24f07b6a5aabd1 Mon Sep 17 00:00:00 2001
+From: Zhao Qiang <qiang.zhao@nxp.com>
+Date: Thu, 1 Feb 2018 14:54:32 +0800
+Subject: soc: fsl: qe: Fix copy/paste bug in ucc_get_tdm_sync_shift()
+
+[ Upstream commit 96fc74333f84cfdf8d434c6c07254e215e2aad00 ]
+
+There is a copy and paste bug so we accidentally use the RX_ shift when
+we're in TX_ mode.
+
+Fixes: bb8b2062aff3 ("fsl/qe: setup clock source for TDM mode")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
+Signed-off-by: Li Yang <leoyang.li@nxp.com>
+(cherry picked from commit 3cb31b634052ed458922e0c8e2b4b093d7fb60b9)
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/fsl/qe/ucc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/fsl/qe/ucc.c b/drivers/soc/fsl/qe/ucc.c
+index c646d8713861..681f7d4b7724 100644
+--- a/drivers/soc/fsl/qe/ucc.c
++++ b/drivers/soc/fsl/qe/ucc.c
+@@ -626,7 +626,7 @@ static u32 ucc_get_tdm_sync_shift(enum comm_dir mode, u32 tdm_num)
+ {
+ u32 shift;
+
+- shift = (mode == COMM_DIR_RX) ? RX_SYNC_SHIFT_BASE : RX_SYNC_SHIFT_BASE;
++ shift = (mode == COMM_DIR_RX) ? RX_SYNC_SHIFT_BASE : TX_SYNC_SHIFT_BASE;
+ shift -= tdm_num * 2;
+
+ return shift;
+--
+2.17.1
+
--- /dev/null
+From 8e5600fb392b50affc0c5e8a9450374070fc2996 Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Thu, 15 Mar 2018 14:18:00 -0700
+Subject: sparc64: Fix regression in pmdp_invalidate().
+
+[ Upstream commit cfb61b5e3e09f8b49bc4d685429df75f45127adc ]
+
+pmdp_invalidate() was changed to update the pmd atomically
+(to not lose dirty/access bits) and return the original pmd
+value.
+
+However, in doing so, we lost a lot of the essential work that
+set_pmd_at() does, namely to update hugepage mapping counts and
+queuing up the batched TLB flush entry.
+
+Thus we were not flushing entries out of the TLB when making
+such PMD changes.
+
+Fix this by abstracting the accounting work of set_pmd_at() out into a
+separate function, and call it from pmdp_establish().
+
+Fixes: a8e654f01cb7 ("sparc64: update pmdp_invalidate() to return old pmd value")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sparc/mm/tlb.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/arch/sparc/mm/tlb.c b/arch/sparc/mm/tlb.c
+index b2722ed31053..349cb83f7b5f 100644
+--- a/arch/sparc/mm/tlb.c
++++ b/arch/sparc/mm/tlb.c
+@@ -163,13 +163,10 @@ static void tlb_batch_pmd_scan(struct mm_struct *mm, unsigned long vaddr,
+ pte_unmap(pte);
+ }
+
+-void set_pmd_at(struct mm_struct *mm, unsigned long addr,
+- pmd_t *pmdp, pmd_t pmd)
+-{
+- pmd_t orig = *pmdp;
+-
+- *pmdp = pmd;
+
++static void __set_pmd_acct(struct mm_struct *mm, unsigned long addr,
++ pmd_t orig, pmd_t pmd)
++{
+ if (mm == &init_mm)
+ return;
+
+@@ -219,6 +216,15 @@ void set_pmd_at(struct mm_struct *mm, unsigned long addr,
+ }
+ }
+
++void set_pmd_at(struct mm_struct *mm, unsigned long addr,
++ pmd_t *pmdp, pmd_t pmd)
++{
++ pmd_t orig = *pmdp;
++
++ *pmdp = pmd;
++ __set_pmd_acct(mm, addr, orig, pmd);
++}
++
+ static inline pmd_t pmdp_establish(struct vm_area_struct *vma,
+ unsigned long address, pmd_t *pmdp, pmd_t pmd)
+ {
+@@ -227,6 +233,7 @@ static inline pmd_t pmdp_establish(struct vm_area_struct *vma,
+ do {
+ old = *pmdp;
+ } while (cmpxchg64(&pmdp->pmd, old.pmd, pmd.pmd) != old.pmd);
++ __set_pmd_acct(vma->vm_mm, address, old, pmd);
+
+ return old;
+ }
+--
+2.17.1
+
--- /dev/null
+From 2726931738369b05354178fca21aedf378cc8554 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:53 -0700
+Subject: sr9800: Check for supported Wake-on-LAN modes
+
+[ Upstream commit c5cb93e994ffb43b7b3b1ff10b9f928f54574a36 ]
+
+The driver currently silently accepts unsupported Wake-on-LAN modes
+(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user,
+which is confusing.
+
+Fixes: 19a38d8e0aa3 ("USB2NET : SR9800 : One chip USB2.0 USB2NET SR9800 Device Driver Support")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/sr9800.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/sr9800.c b/drivers/net/usb/sr9800.c
+index a50df0d8fb9a..004c955c1fd1 100644
+--- a/drivers/net/usb/sr9800.c
++++ b/drivers/net/usb/sr9800.c
+@@ -421,6 +421,9 @@ sr_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo)
+ struct usbnet *dev = netdev_priv(net);
+ u8 opt = 0;
+
++ if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC))
++ return -EINVAL;
++
+ if (wolinfo->wolopts & WAKE_PHY)
+ opt |= SR_MONITOR_LINK;
+ if (wolinfo->wolopts & WAKE_MAGIC)
+--
+2.17.1
+
--- /dev/null
+From 66b41b94504973225fbcfdd35c040d090512af94 Mon Sep 17 00:00:00 2001
+From: Aditya Shankar <aditya.shankar@microchip.com>
+Date: Fri, 7 Apr 2017 17:24:58 +0530
+Subject: staging: wilc1000: Fix problem with wrong vif index
+
+[ Upstream commit 0e490657c7214cce33fbca3d88227298c5c968ae ]
+
+The vif->idx value is always 0 for two interfaces.
+
+wl->vif_num = 0;
+
+loop {
+ ...
+
+ vif->idx = wl->vif_num;
+ ...
+ wl->vif_num = i;
+ ....
+ i++;
+ ...
+}
+
+At present, vif->idx is assigned the value of wl->vif_num
+at the beginning of this block and device is initialized
+based on this index value.
+In the next iteration, wl->vif_num is still 0 as it is only updated
+later but gets assigned to vif->idx in the beginning. This causes problems
+later when we try to reference a particular interface and also while
+configuring the firmware.
+
+This patch moves the assignment to vif->idx from the beginning
+of the block to after wl->vif_num is updated with latest value of i.
+
+Fixes: commit 735bb39ca3be ("staging: wilc1000: simplify vif[i]->ndev accesses")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Aditya Shankar <aditya.shankar@microchip.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/wilc1000/linux_wlan.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/wilc1000/linux_wlan.c b/drivers/staging/wilc1000/linux_wlan.c
+index 07d6e4824a9d..2e5e3b368532 100644
+--- a/drivers/staging/wilc1000/linux_wlan.c
++++ b/drivers/staging/wilc1000/linux_wlan.c
+@@ -1260,11 +1260,12 @@ int wilc_netdev_init(struct wilc **wilc, struct device *dev, int io_type,
+ else
+ strcpy(ndev->name, "p2p%d");
+
+- vif->idx = wl->vif_num;
+ vif->wilc = *wilc;
+ vif->ndev = ndev;
+ wl->vif[i] = vif;
+ wl->vif_num = i;
++ vif->idx = wl->vif_num;
++
+ ndev->netdev_ops = &wilc_netdev_ops;
+
+ {
+--
+2.17.1
+
--- /dev/null
+From 9a51ff5096ba5138d7e6bb9f8e6f98fc45ee4040 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Tue, 20 Mar 2018 09:58:51 -0300
+Subject: test_bpf: Fix testing with CONFIG_BPF_JIT_ALWAYS_ON=y on other arches
+
+[ Upstream commit 52fda36d63bfc8c8e8ae5eda8eb5ac6f52cd67ed ]
+
+Function bpf_fill_maxinsns11 is designed to not be able to be JITed on
+x86_64. So, it fails when CONFIG_BPF_JIT_ALWAYS_ON=y, and
+commit 09584b406742 ("bpf: fix selftests/bpf test_kmod.sh failure when
+CONFIG_BPF_JIT_ALWAYS_ON=y") makes sure that failure is detected on that
+case.
+
+However, it does not fail on other architectures, which have a different
+JIT compiler design. So, test_bpf has started to fail to load on those.
+
+After this fix, test_bpf loads fine on both x86_64 and ppc64el.
+
+Fixes: 09584b406742 ("bpf: fix selftests/bpf test_kmod.sh failure when CONFIG_BPF_JIT_ALWAYS_ON=y")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Reviewed-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/test_bpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/test_bpf.c b/lib/test_bpf.c
+index 1586dfdea809..960d4d627361 100644
+--- a/lib/test_bpf.c
++++ b/lib/test_bpf.c
+@@ -4874,7 +4874,7 @@ static struct bpf_test tests[] = {
+ {
+ "BPF_MAXINSNS: Jump, gap, jump, ...",
+ { },
+-#ifdef CONFIG_BPF_JIT_ALWAYS_ON
++#if defined(CONFIG_BPF_JIT_ALWAYS_ON) && defined(CONFIG_X86)
+ CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL,
+ #else
+ CLASSIC | FLAG_NO_DATA,
+--
+2.17.1
+
--- /dev/null
+From 87a5780982aa1974965a64f45ed7aadc71f9d45f Mon Sep 17 00:00:00 2001
+From: Ying Xue <ying.xue@windriver.com>
+Date: Tue, 22 Aug 2017 12:28:41 +0200
+Subject: tipc: fix a race condition of releasing subscriber object
+
+[ Upstream commit fd849b7c41f0fabfe783d0691a63c5518e8ebc99 ]
+
+No matter whether a request is inserted into workqueue as a work item
+to cancel a subscription or to delete a subscription's subscriber
+asynchronously, the work items may be executed in different workers.
+As a result, it doesn't mean that one request which is raised prior to
+another request is definitely handled before the latter. By contrast,
+if the latter request is executed before the former request, below
+error may happen:
+
+[ 656.183644] BUG: spinlock bad magic on CPU#0, kworker/u8:0/12117
+[ 656.184487] general protection fault: 0000 [#1] SMP
+[ 656.185160] Modules linked in: tipc ip6_udp_tunnel udp_tunnel 9pnet_virtio 9p 9pnet virtio_net virtio_pci virtio_ring virtio [last unloaded: ip6_udp_tunnel]
+[ 656.187003] CPU: 0 PID: 12117 Comm: kworker/u8:0 Not tainted 4.11.0-rc7+ #6
+[ 656.187920] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+[ 656.188690] Workqueue: tipc_rcv tipc_recv_work [tipc]
+[ 656.189371] task: ffff88003f5cec40 task.stack: ffffc90004448000
+[ 656.190157] RIP: 0010:spin_bug+0xdd/0xf0
+[ 656.190678] RSP: 0018:ffffc9000444bcb8 EFLAGS: 00010202
+[ 656.191375] RAX: 0000000000000034 RBX: ffff88003f8d1388 RCX: 0000000000000000
+[ 656.192321] RDX: ffff88003ba13708 RSI: ffff88003ba0cd08 RDI: ffff88003ba0cd08
+[ 656.193265] RBP: ffffc9000444bcd0 R08: 0000000000000030 R09: 000000006b6b6b6b
+[ 656.194208] R10: ffff8800bde3e000 R11: 00000000000001b4 R12: 6b6b6b6b6b6b6b6b
+[ 656.195157] R13: ffffffff81a3ca64 R14: ffff88003f8d1388 R15: ffff88003f8d13a0
+[ 656.196101] FS: 0000000000000000(0000) GS:ffff88003ba00000(0000) knlGS:0000000000000000
+[ 656.197172] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 656.197935] CR2: 00007f0b3d2e6000 CR3: 000000003ef9e000 CR4: 00000000000006f0
+[ 656.198873] Call Trace:
+[ 656.199210] do_raw_spin_lock+0x66/0xa0
+[ 656.199735] _raw_spin_lock_bh+0x19/0x20
+[ 656.200258] tipc_subscrb_subscrp_delete+0x28/0xf0 [tipc]
+[ 656.200990] tipc_subscrb_rcv_cb+0x45/0x260 [tipc]
+[ 656.201632] tipc_receive_from_sock+0xaf/0x100 [tipc]
+[ 656.202299] tipc_recv_work+0x2b/0x60 [tipc]
+[ 656.202872] process_one_work+0x157/0x420
+[ 656.203404] worker_thread+0x69/0x4c0
+[ 656.203898] kthread+0x138/0x170
+[ 656.204328] ? process_one_work+0x420/0x420
+[ 656.204889] ? kthread_create_on_node+0x40/0x40
+[ 656.205527] ret_from_fork+0x29/0x40
+[ 656.206012] Code: 48 8b 0c 25 00 c5 00 00 48 c7 c7 f0 24 a3 81 48 81 c1 f0 05 00 00 65 8b 15 61 ef f5 7e e8 9a 4c 09 00 4d 85 e4 44 8b 4b 08 74 92 <45> 8b 84 24 40 04 00 00 49 8d 8c 24 f0 05 00 00 eb 8d 90 0f 1f
+[ 656.208504] RIP: spin_bug+0xdd/0xf0 RSP: ffffc9000444bcb8
+[ 656.209798] ---[ end trace e2a800e6eb0770be ]---
+
+In above scenario, the request of deleting subscriber was performed
+earlier than the request of canceling a subscription although the
+latter was issued before the former, which means tipc_subscrb_delete()
+was called before tipc_subscrp_cancel(). As a result, when
+tipc_subscrb_subscrp_delete() called by tipc_subscrp_cancel() was
+executed to cancel a subscription, the subscription's subscriber
+refcnt had been decreased to 1. After tipc_subscrp_delete() where
+the subscriber was freed because its refcnt was decremented to zero,
+but the subscriber's lock had to be released, as a consequence, panic
+happened.
+
+By contrast, if we increase subscriber's refcnt before
+tipc_subscrb_subscrp_delete() is called in tipc_subscrp_cancel(),
+the panic issue can be avoided.
+
+Fixes: d094c4d5f5c7 ("tipc: add subscription refcount to avoid invalid delete")
+Reported-by: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>
+Signed-off-by: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/subscr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/tipc/subscr.c b/net/tipc/subscr.c
+index 271cd66e4b3b..c2646446e157 100644
+--- a/net/tipc/subscr.c
++++ b/net/tipc/subscr.c
+@@ -256,7 +256,9 @@ static void tipc_subscrp_delete(struct tipc_subscription *sub)
+ static void tipc_subscrp_cancel(struct tipc_subscr *s,
+ struct tipc_subscriber *subscriber)
+ {
++ tipc_subscrb_get(subscriber);
+ tipc_subscrb_subscrp_delete(subscriber, s);
++ tipc_subscrb_put(subscriber);
+ }
+
+ static struct tipc_subscription *tipc_subscrp_create(struct net *net,
+--
+2.17.1
+
--- /dev/null
+From a59f2d5ea964bf68b8942379cb0a04dfb5e4d66a Mon Sep 17 00:00:00 2001
+From: Bob Peterson <rpeterso@redhat.com>
+Date: Wed, 23 Aug 2017 10:43:02 -0400
+Subject: tipc: Fix tipc_sk_reinit handling of -EAGAIN
+
+[ Upstream commit 6c7e983b220f89e03286dc70a41c7ef3a8b409df ]
+
+In 9dbbfb0ab6680c6a85609041011484e6658e7d3c function tipc_sk_reinit
+had additional logic added to loop in the event that function
+rhashtable_walk_next() returned -EAGAIN. No worries.
+
+However, if rhashtable_walk_start returns -EAGAIN, it does "continue",
+and therefore skips the call to rhashtable_walk_stop(). That has
+the effect of calling rcu_read_lock() without its paired call to
+rcu_read_unlock(). Since rcu_read_lock() may be nested, the problem
+may not be apparent for a while, especially since resize events may
+be rare. But the comments to rhashtable_walk_start() state:
+
+ * ...Note that we take the RCU lock in all
+ * cases including when we return an error. So you must always call
+ * rhashtable_walk_stop to clean up.
+
+This patch replaces the continue with a goto and label to ensure a
+matching call to rhashtable_walk_stop().
+
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/socket.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index 25bc5c30d7fb..9d3f047305ce 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -2277,8 +2277,8 @@ void tipc_sk_reinit(struct net *net)
+
+ do {
+ tsk = ERR_PTR(rhashtable_walk_start(&iter));
+- if (tsk)
+- continue;
++ if (IS_ERR(tsk))
++ goto walk_stop;
+
+ while ((tsk = rhashtable_walk_next(&iter)) && !IS_ERR(tsk)) {
+ spin_lock_bh(&tsk->sk.sk_lock.slock);
+@@ -2287,7 +2287,7 @@ void tipc_sk_reinit(struct net *net)
+ msg_set_orignode(msg, tn->own_addr);
+ spin_unlock_bh(&tsk->sk.sk_lock.slock);
+ }
+-
++walk_stop:
+ rhashtable_walk_stop(&iter);
+ } while (tsk == ERR_PTR(-EAGAIN));
+ }
+--
+2.17.1
+
--- /dev/null
+From a0578b054ef6a9db7e26464599a728e75b73fd96 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 10 Jun 2017 12:01:50 -0400
+Subject: ufs: we need to sync inode before freeing it
+
+[ Upstream commit 67a70017fa0a152657bc7e337e69bb9c9f5549bf ]
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ufs/inode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/ufs/inode.c b/fs/ufs/inode.c
+index a2760a2869f4..0f22c036699a 100644
+--- a/fs/ufs/inode.c
++++ b/fs/ufs/inode.c
+@@ -846,6 +846,7 @@ void ufs_evict_inode(struct inode * inode)
+ inode->i_size = 0;
+ if (inode->i_blocks)
+ ufs_truncate_blocks(inode);
++ ufs_update_inode(inode, inode_needs_sync(inode));
+ }
+
+ invalidate_inode_buffers(inode);
+--
+2.17.1
+
--- /dev/null
+From 23a2bb27a354ac0f8b9d716a4d0f1e50211e1ebc Mon Sep 17 00:00:00 2001
+From: Vignesh R <vigneshr@ti.com>
+Date: Fri, 7 Jul 2017 11:52:52 +0530
+Subject: usb: dwc3: omap: remove IRQ_NOAUTOEN used with shared irq
+
+[ Upstream commit ee249b4554947de3be77be4e9e6077b20c0fe055 ]
+
+IRQ_NOAUTOEN cannot be used with shared IRQs, since commit 04c848d39879
+("genirq: Warn when IRQ_NOAUTOEN is used with shared interrupts") and
+kernel now throws a warn dump. But OMAP DWC3 driver uses this flag. As
+per commit 12a7f17fac5b ("usb: dwc3: omap: fix race of pm runtime with
+irq handler in probe") that introduced this flag, PM runtime can race
+with IRQ handler when deferred probing happens due to extcon,
+therefore IRQ_NOAUTOEN needs to be set so that irq is not enabled until
+extcon is registered.
+
+Remove setting of IRQ_NOAUTOEN and move the registration of
+shared irq to a point after dwc3_omap_extcon_register() and
+of_platform_populate(). This avoids possibility of probe deferring and
+above said race condition.
+
+Reviewed-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/dwc3-omap.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/usb/dwc3/dwc3-omap.c b/drivers/usb/dwc3/dwc3-omap.c
+index f221cb479e14..8e69150776f5 100644
+--- a/drivers/usb/dwc3/dwc3-omap.c
++++ b/drivers/usb/dwc3/dwc3-omap.c
+@@ -512,15 +512,6 @@ static int dwc3_omap_probe(struct platform_device *pdev)
+
+ /* check the DMA Status */
+ reg = dwc3_omap_readl(omap->base, USBOTGSS_SYSCONFIG);
+- irq_set_status_flags(omap->irq, IRQ_NOAUTOEN);
+- ret = devm_request_threaded_irq(dev, omap->irq, dwc3_omap_interrupt,
+- dwc3_omap_interrupt_thread, IRQF_SHARED,
+- "dwc3-omap", omap);
+- if (ret) {
+- dev_err(dev, "failed to request IRQ #%d --> %d\n",
+- omap->irq, ret);
+- goto err1;
+- }
+
+ ret = dwc3_omap_extcon_register(omap);
+ if (ret < 0)
+@@ -532,8 +523,15 @@ static int dwc3_omap_probe(struct platform_device *pdev)
+ goto err2;
+ }
+
++ ret = devm_request_threaded_irq(dev, omap->irq, dwc3_omap_interrupt,
++ dwc3_omap_interrupt_thread, IRQF_SHARED,
++ "dwc3-omap", omap);
++ if (ret) {
++ dev_err(dev, "failed to request IRQ #%d --> %d\n",
++ omap->irq, ret);
++ goto err1;
++ }
+ dwc3_omap_enable_irqs(omap);
+- enable_irq(omap->irq);
+ return 0;
+
+ err2:
+--
+2.17.1
+
--- /dev/null
+From 5c668dd496376a1331c9d4c5396a3921c09568c1 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Wed, 9 Aug 2017 19:55:24 +0900
+Subject: usb: renesas_usbhs: gadget: fix spin_lock_init() for &uep->lock
+
+[ Upstream commit 14a8d4bfc2102f85ce097563d151370c91c1898a ]
+
+This patch fixes an issue that the spin_lock_init() is not called
+for almost all pipes. Otherwise, the lockdep output the following
+message when we connect a usb cable using g_ncm:
+
+ INFO: trying to register non-static key.
+ the code is fine but needs lockdep annotation.
+ turning off the locking correctness validator.
+
+Reported-by: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
+Fixes: b8b9c974afee ("usb: renesas_usbhs: gadget: disable all eps when the driver stops")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Tested-by: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/renesas_usbhs/mod_gadget.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c b/drivers/usb/renesas_usbhs/mod_gadget.c
+index 93fba9033b00..54a3237aac08 100644
+--- a/drivers/usb/renesas_usbhs/mod_gadget.c
++++ b/drivers/usb/renesas_usbhs/mod_gadget.c
+@@ -1085,7 +1085,6 @@ int usbhs_mod_gadget_probe(struct usbhs_priv *priv)
+ ret = -ENOMEM;
+ goto usbhs_mod_gadget_probe_err_gpriv;
+ }
+- spin_lock_init(&uep->lock);
+
+ gpriv->transceiver = usb_get_phy(USB_PHY_TYPE_UNDEFINED);
+ dev_info(dev, "%stransceiver found\n",
+@@ -1135,6 +1134,7 @@ int usbhs_mod_gadget_probe(struct usbhs_priv *priv)
+ uep->ep.name = uep->ep_name;
+ uep->ep.ops = &usbhsg_ep_ops;
+ INIT_LIST_HEAD(&uep->ep.ep_list);
++ spin_lock_init(&uep->lock);
+
+ /* init DCP */
+ if (usbhsg_is_dcp(uep)) {
+--
+2.17.1
+
--- /dev/null
+From 74cc8300e77d05433c7a7fb3d0e70532ac90fc5c Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Fri, 28 Jul 2017 19:28:57 +0900
+Subject: usb: renesas_usbhs: gadget: fix unused-but-set-variable warning
+
+[ Upstream commit b7d44c36a6f6d956e1539e0dd42f98b26e5a4684 ]
+
+The commit b8b9c974afee ("usb: renesas_usbhs: gadget: disable all eps
+when the driver stops") causes the unused-but-set-variable warning.
+But, if the usbhsg_ep_disable() will return non-zero value, udc/core.c
+doesn't clear the ep->enabled flag. So, this driver should not return
+non-zero value, if the pipe is zero because this means the pipe is
+already disabled. Otherwise, the ep->enabled flag is never cleared
+when the usbhsg_ep_disable() is called by the renesas_usbhs driver first.
+
+Fixes: b8b9c974afee ("usb: renesas_usbhs: gadget: disable all eps when the driver stops")
+Fixes: 11432050f070 ("usb: renesas_usbhs: gadget: fix NULL pointer dereference in ep_disable()")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/renesas_usbhs/mod_gadget.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c b/drivers/usb/renesas_usbhs/mod_gadget.c
+index 54a3237aac08..5984fb134cf4 100644
+--- a/drivers/usb/renesas_usbhs/mod_gadget.c
++++ b/drivers/usb/renesas_usbhs/mod_gadget.c
+@@ -639,14 +639,11 @@ static int usbhsg_ep_disable(struct usb_ep *ep)
+ struct usbhsg_uep *uep = usbhsg_ep_to_uep(ep);
+ struct usbhs_pipe *pipe;
+ unsigned long flags;
+- int ret = 0;
+
+ spin_lock_irqsave(&uep->lock, flags);
+ pipe = usbhsg_uep_to_pipe(uep);
+- if (!pipe) {
+- ret = -EINVAL;
++ if (!pipe)
+ goto out;
+- }
+
+ usbhsg_pipe_disable(uep);
+ usbhs_pipe_free(pipe);
+--
+2.17.1
+
--- /dev/null
+From a6bfe1f8ed4e76699f9b18ebf04e4c6eb13388a9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20S=C3=BCnkenberg?=
+ <christian.suenkenberg@student.kit.edu>
+Date: Sun, 4 Jun 2017 19:18:39 +0200
+Subject: x86/cpu/cyrix: Add alternative Device ID of Geode GX1 SoC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit ae1d557d8f30cb097b4d1f2ab04fa294588ee1cf ]
+
+A SoC variant of Geode GX1, notably NSC branded SC1100, seems to
+report an inverted Device ID in its DIR0 configuration register,
+specifically 0xb instead of the expected 0x4.
+
+Catch this presumably quirky version so it's properly recognized
+as GX1 and has its cache switched to write-back mode, which provides
+a significant performance boost in most workloads.
+
+SC1100's datasheet "Geode™ SC1100 Information Appliance On a Chip",
+states in section 1.1.7.1 "Device ID" that device identification
+values are specified in SC1100's device errata. These, however,
+seem to not have been publicly released.
+
+Wading through a number of boot logs and /proc/cpuinfo dumps found on
+pastebin and blogs, this patch should mostly be relevant for a number
+of now admittedly aging Soekris NET4801 and PC Engines WRAP devices,
+the latter being the platform this issue was discovered on.
+Performance impact was verified using "openssl speed", with
+write-back caching scaling throughput between -3% and +41%.
+
+Signed-off-by: Christian Sünkenberg <christian.suenkenberg@student.kit.edu>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/1496596719.26725.14.camel@student.kit.edu
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/cyrix.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/kernel/cpu/cyrix.c b/arch/x86/kernel/cpu/cyrix.c
+index 455d8ada9b9a..d39cfb2c6b63 100644
+--- a/arch/x86/kernel/cpu/cyrix.c
++++ b/arch/x86/kernel/cpu/cyrix.c
+@@ -253,6 +253,7 @@ static void init_cyrix(struct cpuinfo_x86 *c)
+ break;
+
+ case 4: /* MediaGX/GXm or Geode GXM/GXLV/GX1 */
++ case 11: /* GX1 with inverted Device ID */
+ #ifdef CONFIG_PCI
+ {
+ u32 vendor, device;
+--
+2.17.1
+
--- /dev/null
+From 0e6c5e84213222cce65d6983af36132dce0f84a3 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 19 Sep 2018 13:35:53 +0300
+Subject: x86/paravirt: Fix some warning messages
+
+[ Upstream commit 571d0563c8881595f4ab027aef9ed1c55e3e7b7c ]
+
+The first argument to WARN_ONCE() is a condition.
+
+Fixes: 5800dc5c19f3 ("x86/paravirt: Fix spectre-v2 mitigations for paravirt guests")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Alok Kataria <akataria@vmware.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: virtualization@lists.linux-foundation.org
+Cc: kernel-janitors@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180919103553.GD9238@mwanda
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/paravirt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/paravirt.c b/arch/x86/kernel/paravirt.c
+index 29d465627919..bf9552bebb3c 100644
+--- a/arch/x86/kernel/paravirt.c
++++ b/arch/x86/kernel/paravirt.c
+@@ -90,7 +90,7 @@ unsigned paravirt_patch_call(void *insnbuf,
+
+ if (len < 5) {
+ #ifdef CONFIG_RETPOLINE
+- WARN_ONCE("Failing to patch indirect CALL in %ps\n", (void *)addr);
++ WARN_ONCE(1, "Failing to patch indirect CALL in %ps\n", (void *)addr);
+ #endif
+ return len; /* call too long for patch site */
+ }
+@@ -110,7 +110,7 @@ unsigned paravirt_patch_jmp(void *insnbuf, const void *target,
+
+ if (len < 5) {
+ #ifdef CONFIG_RETPOLINE
+- WARN_ONCE("Failing to patch indirect JMP in %ps\n", (void *)addr);
++ WARN_ONCE(1, "Failing to patch indirect JMP in %ps\n", (void *)addr);
+ #endif
+ return len; /* call too long for patch site */
+ }
+--
+2.17.1
+
--- /dev/null
+From 160052e7ad155125fa8a3993db49c5286957b11e Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Thu, 30 Nov 2017 07:57:57 -0800
+Subject: x86/power: Fix some ordering bugs in __restore_processor_context()
+
+[ Upstream commit 5b06bbcfc2c621da3009da8decb7511500c293ed ]
+
+__restore_processor_context() had a couple of ordering bugs. It
+restored GSBASE after calling load_gs_index(), and the latter can
+call into tracing code. It also tried to restore segment registers
+before restoring the LDT, which is straight-up wrong.
+
+Reorder the code so that we restore GSBASE, then the descriptor
+tables, then the segments.
+
+This fixes two bugs. First, it fixes a regression that broke resume
+under certain configurations due to irqflag tracing in
+native_load_gs_index(). Second, it fixes resume when the userspace
+process that initiated suspect had funny segments. The latter can be
+reproduced by compiling this:
+
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * ldt_echo.c - Echo argv[1] while using an LDT segment
+ */
+
+int main(int argc, char **argv)
+{
+ int ret;
+ size_t len;
+ char *buf;
+
+ const struct user_desc desc = {
+ .entry_number = 0,
+ .base_addr = 0,
+ .limit = 0xfffff,
+ .seg_32bit = 1,
+ .contents = 0, /* Data, grow-up */
+ .read_exec_only = 0,
+ .limit_in_pages = 1,
+ .seg_not_present = 0,
+ .useable = 0
+ };
+
+ if (argc != 2)
+ errx(1, "Usage: %s STRING", argv[0]);
+
+ len = asprintf(&buf, "%s\n", argv[1]);
+ if (len < 0)
+ errx(1, "Out of memory");
+
+ ret = syscall(SYS_modify_ldt, 1, &desc, sizeof(desc));
+ if (ret < -1)
+ errno = -ret;
+ if (ret)
+ err(1, "modify_ldt");
+
+ asm volatile ("movw %0, %%es" :: "rm" ((unsigned short)7));
+ write(1, buf, len);
+ return 0;
+}
+
+and running ldt_echo >/sys/power/mem
+
+Without the fix, the latter causes a triple fault on resume.
+
+Fixes: ca37e57bbe0c ("x86/entry/64: Add missing irqflags tracing to native_load_gs_index()")
+Reported-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lkml.kernel.org/r/6b31721ea92f51ea839e79bd97ade4a75b1eeea2.1512057304.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/power/cpu.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c
+index 53cace2ec0e2..73063dfed476 100644
+--- a/arch/x86/power/cpu.c
++++ b/arch/x86/power/cpu.c
+@@ -222,8 +222,20 @@ static void notrace __restore_processor_state(struct saved_context *ctxt)
+ load_idt((const struct desc_ptr *)&ctxt->idt_limit);
+ #endif
+
++#ifdef CONFIG_X86_64
+ /*
+- * segment registers
++ * We need GSBASE restored before percpu access can work.
++ * percpu access can happen in exception handlers or in complicated
++ * helpers like load_gs_index().
++ */
++ wrmsrl(MSR_GS_BASE, ctxt->gs_base);
++#endif
++
++ fix_processor_context();
++
++ /*
++ * Restore segment registers. This happens after restoring the GDT
++ * and LDT, which happen in fix_processor_context().
+ */
+ #ifdef CONFIG_X86_32
+ loadsegment(es, ctxt->es);
+@@ -244,13 +256,14 @@ static void notrace __restore_processor_state(struct saved_context *ctxt)
+ load_gs_index(ctxt->gs);
+ asm volatile ("movw %0, %%ss" :: "r" (ctxt->ss));
+
++ /*
++ * Restore FSBASE and user GSBASE after reloading the respective
++ * segment selectors.
++ */
+ wrmsrl(MSR_FS_BASE, ctxt->fs_base);
+- wrmsrl(MSR_GS_BASE, ctxt->gs_base);
+ wrmsrl(MSR_KERNEL_GS_BASE, ctxt->gs_kernel_base);
+ #endif
+
+- fix_processor_context();
+-
+ do_fpu_end();
+ x86_platform.restore_sched_clock_state();
+ mtrr_bp_restore();
+--
+2.17.1
+
--- /dev/null
+From dde2de20820ca0f2074f59b03c560259f3bd4437 Mon Sep 17 00:00:00 2001
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+Date: Thu, 21 Jun 2018 14:00:20 +0100
+Subject: xen-netfront: Fix mismatched rtnl_unlock
+
+[ Upstream commit cb257783c2927b73614b20f915a91ff78aa6f3e8 ]
+
+Fixes: f599c64fdf7d ("xen-netfront: Fix race between device setup and open")
+Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/xen-netfront.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
+index c85edd161a6c..aceae791baf3 100644
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -1848,7 +1848,7 @@ static int talk_to_netback(struct xenbus_device *dev,
+ err = xen_net_read_mac(dev, info->netdev->dev_addr);
+ if (err) {
+ xenbus_dev_fatal(dev, err, "parsing %s/mac", dev->nodename);
+- goto out;
++ goto out_unlocked;
+ }
+
+ rtnl_lock();
+@@ -1963,6 +1963,7 @@ abort_transaction_no_dev_fatal:
+ xennet_destroy_queues(info);
+ out:
+ rtnl_unlock();
++out_unlocked:
+ device_unregister(&dev->dev);
+ return err;
+ }
+--
+2.17.1
+
--- /dev/null
+From d112f28f573e2d543cd1d52bdc8120f502a0d759 Mon Sep 17 00:00:00 2001
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+Date: Thu, 21 Jun 2018 14:00:21 +0100
+Subject: xen-netfront: Update features after registering netdev
+
+[ Upstream commit 45c8184c1bed1ca8a7f02918552063a00b909bf5 ]
+
+Update the features after calling register_netdev() otherwise the
+device features are not set up correctly and it not possible to change
+the MTU of the device. After this change, the features reported by
+ethtool match the device's features before the commit which introduced
+the issue and it is possible to change the device's MTU.
+
+Fixes: f599c64fdf7d ("xen-netfront: Fix race between device setup and open")
+Reported-by: Liam Shepherd <liam@dancer.es>
+Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/xen-netfront.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
+index 3c1adb38412b..c85edd161a6c 100644
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -1994,10 +1994,6 @@ static int xennet_connect(struct net_device *dev)
+ /* talk_to_netback() sets the correct number of queues */
+ num_queues = dev->real_num_tx_queues;
+
+- rtnl_lock();
+- netdev_update_features(dev);
+- rtnl_unlock();
+-
+ if (dev->reg_state == NETREG_UNINITIALIZED) {
+ err = register_netdev(dev);
+ if (err) {
+@@ -2007,6 +2003,10 @@ static int xennet_connect(struct net_device *dev)
+ }
+ }
+
++ rtnl_lock();
++ netdev_update_features(dev);
++ rtnl_unlock();
++
+ /*
+ * All public and private state should now be sane. Get
+ * ready to start sending and receiving packets and give the driver
+--
+2.17.1
+
--- /dev/null
+From ca3c37e1f304a3a40f0b409608088d3683d30eb0 Mon Sep 17 00:00:00 2001
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Wed, 1 Aug 2018 13:45:11 +0200
+Subject: xfrm: Validate address prefix lengths in the xfrm selector.
+
+[ Upstream commit 07bf7908950a8b14e81aa1807e3c667eab39287a ]
+
+We don't validate the address prefix lengths in the xfrm
+selector we got from userspace. This can lead to undefined
+behaviour in the address matching functions if the prefix
+is too big for the given address family. Fix this by checking
+the prefixes and refuse SA/policy insertation when a prefix
+is invalid.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Air Icy <icytxw@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 6e768093d7c8..b7ac834a6091 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -151,10 +151,16 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
+ err = -EINVAL;
+ switch (p->family) {
+ case AF_INET:
++ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
++ goto out;
++
+ break;
+
+ case AF_INET6:
+ #if IS_ENABLED(CONFIG_IPV6)
++ if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128)
++ goto out;
++
+ break;
+ #else
+ err = -EAFNOSUPPORT;
+@@ -1316,10 +1322,16 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p)
+
+ switch (p->sel.family) {
+ case AF_INET:
++ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
++ return -EINVAL;
++
+ break;
+
+ case AF_INET6:
+ #if IS_ENABLED(CONFIG_IPV6)
++ if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128)
++ return -EINVAL;
++
+ break;
+ #else
+ return -EAFNOSUPPORT;
+--
+2.17.1
+
--- /dev/null
+From 88629fdeab9704e2a0278ae639261aa6eba450dc Mon Sep 17 00:00:00 2001
+From: Sean Tranchetti <stranche@codeaurora.org>
+Date: Wed, 19 Sep 2018 13:54:56 -0600
+Subject: xfrm: validate template mode
+
+[ Upstream commit 32bf94fb5c2ec4ec842152d0e5937cd4bb6738fa ]
+
+XFRM mode parameters passed as part of the user templates
+in the IP_XFRM_POLICY are never properly validated. Passing
+values other than valid XFRM modes can cause stack-out-of-bounds
+reads to occur later in the XFRM processing:
+
+[ 140.535608] ================================================================
+[ 140.543058] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x17e4/0x1cc4
+[ 140.550306] Read of size 4 at addr ffffffc0238a7a58 by task repro/5148
+[ 140.557369]
+[ 140.558927] Call trace:
+[ 140.558936] dump_backtrace+0x0/0x388
+[ 140.558940] show_stack+0x24/0x30
+[ 140.558946] __dump_stack+0x24/0x2c
+[ 140.558949] dump_stack+0x8c/0xd0
+[ 140.558956] print_address_description+0x74/0x234
+[ 140.558960] kasan_report+0x240/0x264
+[ 140.558963] __asan_report_load4_noabort+0x2c/0x38
+[ 140.558967] xfrm_state_find+0x17e4/0x1cc4
+[ 140.558971] xfrm_resolve_and_create_bundle+0x40c/0x1fb8
+[ 140.558975] xfrm_lookup+0x238/0x1444
+[ 140.558977] xfrm_lookup_route+0x48/0x11c
+[ 140.558984] ip_route_output_flow+0x88/0xc4
+[ 140.558991] raw_sendmsg+0xa74/0x266c
+[ 140.558996] inet_sendmsg+0x258/0x3b0
+[ 140.559002] sock_sendmsg+0xbc/0xec
+[ 140.559005] SyS_sendto+0x3a8/0x5a8
+[ 140.559008] el0_svc_naked+0x34/0x38
+[ 140.559009]
+[ 140.592245] page dumped because: kasan: bad access detected
+[ 140.597981] page_owner info is not active (free page?)
+[ 140.603267]
+[ 140.653503] ================================================================
+
+Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index b7ac834a6091..026770884d46 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1412,6 +1412,9 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family)
+ (ut[i].family != prev_family))
+ return -EINVAL;
+
++ if (ut[i].mode >= XFRM_MODE_MAX)
++ return -EINVAL;
++
+ prev_family = ut[i].family;
+
+ switch (ut[i].family) {
+--
+2.17.1
+
--- /dev/null
+From c7033052d4a9752366664650bdce1959a54bc58a Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Fri, 31 Aug 2018 08:38:49 -0300
+Subject: xfrm6: call kfree_skb when skb is toobig
+
+[ Upstream commit 215ab0f021c9fea3c18b75e7d522400ee6a49990 ]
+
+After commit d6990976af7c5d8f55903bfb4289b6fb030bf754 ("vti6: fix PMTU caching
+and reporting on xmit"), some too big skbs might be potentially passed down to
+__xfrm6_output, causing it to fail to transmit but not free the skb, causing a
+leak of skb, and consequentially a leak of dst references.
+
+After running pmtu.sh, that shows as failure to unregister devices in a namespace:
+
+[ 311.397671] unregister_netdevice: waiting for veth_b to become free. Usage count = 1
+
+The fix is to call kfree_skb in case of transmit failures.
+
+Fixes: dd767856a36e ("xfrm6: Don't call icmpv6_send on local error")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/xfrm6_output.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
+index 4d09ce6fa90e..64862c5084ee 100644
+--- a/net/ipv6/xfrm6_output.c
++++ b/net/ipv6/xfrm6_output.c
+@@ -165,9 +165,11 @@ static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
+
+ if (toobig && xfrm6_local_dontfrag(skb)) {
+ xfrm6_local_rxpmtu(skb, mtu);
++ kfree_skb(skb);
+ return -EMSGSIZE;
+ } else if (!skb->ignore_df && toobig && skb->sk) {
+ xfrm_local_error(skb, mtu);
++ kfree_skb(skb);
+ return -EMSGSIZE;
+ }
+
+--
+2.17.1
+
--- /dev/null
+From 75b041b95528e5093f0645b6d117426a9b069cc4 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Mon, 14 May 2018 11:57:23 +0300
+Subject: xhci: Fix USB3 NULL pointer dereference at logical disconnect.
+
+[ Upstream commit 2278446e2b7cd33ad894b32e7eb63afc7db6c86e ]
+
+Hub driver will try to disable a USB3 device twice at logical disconnect,
+racing with xhci_free_dev() callback from the first port disable.
+
+This can be triggered with "udisksctl power-off --block-device <disk>"
+or by writing "1" to the "remove" sysfs file for a USB3 device
+in 4.17-rc4.
+
+USB3 devices don't have a similar disabled link state as USB2 devices,
+and use a U3 suspended link state instead. In this state the port
+is still enabled and connected.
+
+hub_port_connect() first disconnects the device, then later it notices
+that device is still enabled (due to U3 states) it will try to disable
+the port again (set to U3).
+
+The xhci_free_dev() called during device disable is async, so checking
+for existing xhci->devs[i] when setting link state to U3 the second time
+was successful, even if device was being freed.
+
+The regression was caused by, and whole thing revealed by,
+Commit 44a182b9d177 ("xhci: Fix use-after-free in xhci_free_virt_device")
+which sets xhci->devs[i]->udev to NULL before xhci_virt_dev() returned.
+and causes a NULL pointer dereference the second time we try to set U3.
+
+Fix this by checking xhci->devs[i]->udev exists before setting link state.
+
+The original patch went to stable so this fix needs to be applied there as
+well.
+
+Fixes: 44a182b9d177 ("xhci: Fix use-after-free in xhci_free_virt_device")
+Cc: <stable@vger.kernel.org>
+Reported-by: Jordan Glover <Golden_Miller83@protonmail.ch>
+Tested-by: Jordan Glover <Golden_Miller83@protonmail.ch>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-hub.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
+index 45a03eff4db1..0f09ab5399f4 100644
+--- a/drivers/usb/host/xhci-hub.c
++++ b/drivers/usb/host/xhci-hub.c
+@@ -366,7 +366,7 @@ int xhci_find_slot_id_by_port(struct usb_hcd *hcd, struct xhci_hcd *xhci,
+
+ slot_id = 0;
+ for (i = 0; i < MAX_HC_SLOTS; i++) {
+- if (!xhci->devs[i])
++ if (!xhci->devs[i] || !xhci->devs[i]->udev)
+ continue;
+ speed = xhci->devs[i]->udev->speed;
+ if (((speed >= USB_SPEED_SUPER) == (hcd->speed >= HCD_USB3))
+--
+2.17.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
