--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Michael Scott <michael@opensourcefoundries.com>
+Date: Tue, 19 Jun 2018 16:44:06 -0700
+Subject: 6lowpan: iphc: reset mac_header after decompress to fix panic
+
+From: Michael Scott <michael@opensourcefoundries.com>
+
+[ Upstream commit 03bc05e1a4972f73b4eb8907aa373369e825c252 ]
+
+After decompression of 6lowpan socket data, an IPv6 header is inserted
+before the existing socket payload. After this, we reset the
+network_header value of the skb to account for the difference in payload
+size from prior to decompression + the addition of the IPv6 header.
+
+However, we fail to reset the mac_header value.
+
+Leaving the mac_header value untouched here, can cause a calculation
+error in net/packet/af_packet.c packet_rcv() function when an
+AF_PACKET socket is opened in SOCK_RAW mode for use on a 6lowpan
+interface.
+
+On line 2088, the data pointer is moved backward by the value returned
+from skb_mac_header(). If skb->data is adjusted so that it is before
+the skb->head pointer (which can happen when an old value of mac_header
+is left in place) the kernel generates a panic in net/core/skbuff.c
+line 1717.
+
+This panic can be generated by BLE 6lowpan interfaces (such as bt0) and
+802.15.4 interfaces (such as lowpan0) as they both use the same 6lowpan
+sources for compression and decompression.
+
+Signed-off-by: Michael Scott <michael@opensourcefoundries.com>
+Acked-by: Alexander Aring <aring@mojatatu.com>
+Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/6lowpan/iphc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/6lowpan/iphc.c
++++ b/net/6lowpan/iphc.c
+@@ -569,6 +569,7 @@ int lowpan_header_decompress(struct sk_b
+ hdr.hop_limit, &hdr.daddr);
+
+ skb_push(skb, sizeof(hdr));
++ skb_reset_mac_header(skb);
+ skb_reset_network_header(skb);
+ skb_copy_to_linear_data(skb, &hdr, sizeof(hdr));
+
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Mon, 2 Jul 2018 09:34:29 +0200
+Subject: alarmtimer: Prevent overflow for relative nanosleep
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit 5f936e19cc0ef97dbe3a56e9498922ad5ba1edef ]
+
+Air Icy reported:
+
+ UBSAN: Undefined behaviour in kernel/time/alarmtimer.c:811:7
+ signed integer overflow:
+ 1529859276030040771 + 9223372036854775807 cannot be represented in type 'long long int'
+ Call Trace:
+ alarm_timer_nsleep+0x44c/0x510 kernel/time/alarmtimer.c:811
+ __do_sys_clock_nanosleep kernel/time/posix-timers.c:1235 [inline]
+ __se_sys_clock_nanosleep kernel/time/posix-timers.c:1213 [inline]
+ __x64_sys_clock_nanosleep+0x326/0x4e0 kernel/time/posix-timers.c:1213
+ do_syscall_64+0xb8/0x3a0 arch/x86/entry/common.c:290
+
+alarm_timer_nsleep() uses ktime_add() to add the current time and the
+relative expiry value. ktime_add() has no sanity checks so the addition
+can overflow when the relative timeout is large enough.
+
+Use ktime_add_safe() which has the necessary sanity checks in place and
+limits the result to the valid range.
+
+Fixes: 9a7adcf5c6de ("timers: Posix interface for alarm-timers")
+Reported-by: Team OWL337 <icytxw@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: John Stultz <john.stultz@linaro.org>
+Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1807020926360.1595@nanos.tec.linutronix.de
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/time/alarmtimer.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/time/alarmtimer.c
++++ b/kernel/time/alarmtimer.c
+@@ -773,7 +773,8 @@ static int alarm_timer_nsleep(const cloc
+ /* Convert (if necessary) to absolute time */
+ if (flags != TIMER_ABSTIME) {
+ ktime_t now = alarm_bases[type].gettime();
+- exp = ktime_add(now, exp);
++
++ exp = ktime_add_safe(now, exp);
+ }
+
+ if (alarmtimer_do_nsleep(&alarm, exp))
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Thu, 28 Jun 2018 15:28:24 +0800
+Subject: ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 1adca4b0cd65c14cb8b8c9c257720385869c3d5f ]
+
+This patch can make audio controller in AMD Raven Ridge gets runtime
+suspended to D3, to save ~1W power when it's not in use.
+
+Cc: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/hda_intel.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2360,7 +2360,8 @@ static const struct pci_device_id azx_id
+ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB },
+ /* AMD Raven */
+ { PCI_DEVICE(0x1022, 0x15e3),
+- .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB },
++ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB |
++ AZX_DCAPS_PM_RUNTIME },
+ /* ATI HDMI */
+ { PCI_DEVICE(0x1002, 0x0002),
+ .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS },
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Nicholas Mc Guire <hofrat@osadl.org>
+Date: Fri, 29 Jun 2018 19:07:42 +0200
+Subject: ALSA: snd-aoa: add of_node_put() in error path
+
+From: Nicholas Mc Guire <hofrat@osadl.org>
+
+[ Upstream commit 222bce5eb88d1af656419db04bcd84b2419fb900 ]
+
+ Both calls to of_find_node_by_name() and of_get_next_child() return a
+node pointer with refcount incremented thus it must be explicidly
+decremented here after the last usage. As we are assured to have a
+refcounted np either from the initial
+of_find_node_by_name(NULL, name); or from the of_get_next_child(gpio, np)
+in the while loop if we reached the error code path below, an
+x of_node_put(np) is needed.
+
+Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
+Fixes: commit f3d9478b2ce4 ("[ALSA] snd-aoa: add snd-aoa")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/aoa/core/gpio-feature.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/aoa/core/gpio-feature.c
++++ b/sound/aoa/core/gpio-feature.c
+@@ -88,8 +88,10 @@ static struct device_node *get_gpio(char
+ }
+
+ reg = of_get_property(np, "reg", NULL);
+- if (!reg)
++ if (!reg) {
++ of_node_put(np);
+ return NULL;
++ }
+
+ *gpioptr = *reg;
+
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Kevin Hilman <khilman@baylibre.com>
+Date: Mon, 21 May 2018 13:08:32 -0700
+Subject: ARM: dts: dra7: fix DCAN node addresses
+
+From: Kevin Hilman <khilman@baylibre.com>
+
+[ Upstream commit 949bdcc8a97c6078f21c8d4966436b117f2e4cd3 ]
+
+Fix the DT node addresses to match the reg property addresses,
+which were verified to match the TRM:
+http://www.ti.com/lit/pdf/sprui30
+
+Cc: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Acked-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/dra7.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/dra7.dtsi
++++ b/arch/arm/boot/dts/dra7.dtsi
+@@ -1549,7 +1549,7 @@
+ };
+ };
+
+- dcan1: can@481cc000 {
++ dcan1: can@4ae3c000 {
+ compatible = "ti,dra7-d_can";
+ ti,hwmods = "dcan1";
+ reg = <0x4ae3c000 0x2000>;
+@@ -1559,7 +1559,7 @@
+ status = "disabled";
+ };
+
+- dcan2: can@481d0000 {
++ dcan2: can@48480000 {
+ compatible = "ti,dra7-d_can";
+ ti,hwmods = "dcan2";
+ reg = <0x48480000 0x2000>;
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Ethan Tuttle <ethan@ethantuttle.com>
+Date: Tue, 19 Jun 2018 21:31:08 -0700
+Subject: ARM: mvebu: declare asm symbols as character arrays in pmsu.c
+
+From: Ethan Tuttle <ethan@ethantuttle.com>
+
+[ Upstream commit d0d378ff451a66e486488eec842e507d28145813 ]
+
+With CONFIG_FORTIFY_SOURCE, memcpy uses the declared size of operands to
+detect buffer overflows. If src or dest is declared as a char, attempts to
+copy more than byte will result in a fortify_panic().
+
+Address this problem in mvebu_setup_boot_addr_wa() by declaring
+mvebu_boot_wa_start and mvebu_boot_wa_end as character arrays. Also remove
+a couple addressof operators to avoid "arithmetic on pointer to an
+incomplete type" compiler error.
+
+See commit 54a7d50b9205 ("x86: mark kprobe templates as character arrays,
+not single characters") for a similar fix.
+
+Fixes "detected buffer overflow in memcpy" error during init on some mvebu
+systems (armada-370-xp, armada-375):
+
+(fortify_panic) from (mvebu_setup_boot_addr_wa+0xb0/0xb4)
+(mvebu_setup_boot_addr_wa) from (mvebu_v7_cpu_pm_init+0x154/0x204)
+(mvebu_v7_cpu_pm_init) from (do_one_initcall+0x7c/0x1a8)
+(do_one_initcall) from (kernel_init_freeable+0x1bc/0x254)
+(kernel_init_freeable) from (kernel_init+0x8/0x114)
+(kernel_init) from (ret_from_fork+0x14/0x2c)
+
+Signed-off-by: Ethan Tuttle <ethan@ethantuttle.com>
+Tested-by: Ethan Tuttle <ethan@ethantuttle.com>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-mvebu/pmsu.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/arm/mach-mvebu/pmsu.c
++++ b/arch/arm/mach-mvebu/pmsu.c
+@@ -117,8 +117,8 @@ void mvebu_pmsu_set_cpu_boot_addr(int hw
+ PMSU_BOOT_ADDR_REDIRECT_OFFSET(hw_cpu));
+ }
+
+-extern unsigned char mvebu_boot_wa_start;
+-extern unsigned char mvebu_boot_wa_end;
++extern unsigned char mvebu_boot_wa_start[];
++extern unsigned char mvebu_boot_wa_end[];
+
+ /*
+ * This function sets up the boot address workaround needed for SMP
+@@ -131,7 +131,7 @@ int mvebu_setup_boot_addr_wa(unsigned in
+ phys_addr_t resume_addr_reg)
+ {
+ void __iomem *sram_virt_base;
+- u32 code_len = &mvebu_boot_wa_end - &mvebu_boot_wa_start;
++ u32 code_len = mvebu_boot_wa_end - mvebu_boot_wa_start;
+
+ mvebu_mbus_del_window(BOOTROM_BASE, BOOTROM_SIZE);
+ mvebu_mbus_add_window_by_id(crypto_eng_target, crypto_eng_attribute,
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Liam Girdwood <liam.r.girdwood@linux.intel.com>
+Date: Thu, 14 Jun 2018 20:26:42 +0100
+Subject: ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs
+
+From: Liam Girdwood <liam.r.girdwood@linux.intel.com>
+
+[ Upstream commit e01b4f624278d5efe5fb5da585ca371947b16680 ]
+
+Sometime a component or topology may configure a DAI widget with no
+private data leading to a dev_dbg() dereferencne of this data.
+
+Fix this to check for non NULL private data and let users know if widget
+is missing DAI.
+
+Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/soc-dapm.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -3864,6 +3864,13 @@ int snd_soc_dapm_link_dai_widgets(struct
+ continue;
+ }
+
++ /* let users know there is no DAI to link */
++ if (!dai_w->priv) {
++ dev_dbg(card->dev, "dai widget %s has no DAI\n",
++ dai_w->name);
++ continue;
++ }
++
+ dai = dai_w->priv;
+
+ /* ...find all widgets with the same stream and link them */
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Ben Greear <greearb@candelatech.com>
+Date: Mon, 18 Jun 2018 17:00:56 +0300
+Subject: ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock
+
+From: Ben Greear <greearb@candelatech.com>
+
+[ Upstream commit 168f75f11fe68455e0d058a818ebccfc329d8685 ]
+
+While debugging driver crashes related to a buggy firmware
+crashing under load, I noticed that ath10k_htt_rx_ring_free
+could be called without being under lock. I'm not sure if this
+is the root cause of the crash or not, but it seems prudent to
+protect it.
+
+Originally tested on 4.16+ kernel with ath10k-ct 10.4 firmware
+running on 9984 NIC.
+
+Signed-off-by: Ben Greear <greearb@candelatech.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/htt_rx.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
+@@ -212,11 +212,12 @@ int ath10k_htt_rx_ring_refill(struct ath
+ spin_lock_bh(&htt->rx_ring.lock);
+ ret = ath10k_htt_rx_ring_fill_n(htt, (htt->rx_ring.fill_level -
+ htt->rx_ring.fill_cnt));
+- spin_unlock_bh(&htt->rx_ring.lock);
+
+ if (ret)
+ ath10k_htt_rx_ring_free(htt);
+
++ spin_unlock_bh(&htt->rx_ring.lock);
++
+ return ret;
+ }
+
+@@ -230,7 +231,9 @@ void ath10k_htt_rx_free(struct ath10k_ht
+ skb_queue_purge(&htt->rx_compl_q);
+ skb_queue_purge(&htt->rx_in_ord_compl_q);
+
++ spin_lock_bh(&htt->rx_ring.lock);
+ ath10k_htt_rx_ring_free(htt);
++ spin_unlock_bh(&htt->rx_ring.lock);
+
+ dma_free_coherent(htt->ar->dev,
+ (htt->rx_ring.size *
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: "Ondrej Mosnáček" <omosnace@redhat.com>
+Date: Tue, 5 Jun 2018 11:00:10 +0200
+Subject: audit: Fix extended comparison of GID/EGID
+
+From: "Ondrej Mosnáček" <omosnace@redhat.com>
+
+[ Upstream commit af85d1772e31fed34165a1b3decef340cf4080c0 ]
+
+The audit_filter_rules() function in auditsc.c used the in_[e]group_p()
+functions to check GID/EGID match, but these functions use the current
+task's credentials, while the comparison should use the credentials of
+the task given to audit_filter_rules() as a parameter (tsk).
+
+Note that we can use group_search(cred->group_info, ...) as a
+replacement for both in_group_p and in_egroup_p as these functions only
+compare the parameter to cred->fsgid/egid and then call group_search.
+
+In fact, the usage of in_group_p was even more incorrect: it compares to
+cred->fsgid (which is usually equal to cred->egid) and not cred->gid.
+
+GitHub issue:
+https://github.com/linux-audit/audit-kernel/issues/82
+
+Fixes: 37eebe39c973 ("audit: improve GID/EGID comparation logic")
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/auditsc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -489,20 +489,20 @@ static int audit_filter_rules(struct tas
+ result = audit_gid_comparator(cred->gid, f->op, f->gid);
+ if (f->op == Audit_equal) {
+ if (!result)
+- result = in_group_p(f->gid);
++ result = groups_search(cred->group_info, f->gid);
+ } else if (f->op == Audit_not_equal) {
+ if (result)
+- result = !in_group_p(f->gid);
++ result = !groups_search(cred->group_info, f->gid);
+ }
+ break;
+ case AUDIT_EGID:
+ result = audit_gid_comparator(cred->egid, f->op, f->gid);
+ if (f->op == Audit_equal) {
+ if (!result)
+- result = in_egroup_p(f->gid);
++ result = groups_search(cred->group_info, f->gid);
+ } else if (f->op == Audit_not_equal) {
+ if (result)
+- result = !in_egroup_p(f->gid);
++ result = !groups_search(cred->group_info, f->gid);
+ }
+ break;
+ case AUDIT_SGID:
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Jian-Hong Pan <jian-hong@endlessm.com>
+Date: Fri, 25 May 2018 17:54:52 +0800
+Subject: Bluetooth: Add a new Realtek 8723DE ID 0bda:b009
+
+From: Jian-Hong Pan <jian-hong@endlessm.com>
+
+[ Upstream commit 45ae68b8cfc25bdbffc11248001c47ab1b76ff6e ]
+
+Without this patch we cannot turn on the Bluethooth adapter on HP
+14-bs007la.
+
+T: Bus=01 Lev=02 Prnt=03 Port=00 Cnt=01 Dev#= 4 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=0bda ProdID=b009 Rev= 2.00
+S: Manufacturer=Realtek
+S: Product=802.11n WLAN Adapter
+S: SerialNumber=00e04c000001
+C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+
+Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -340,6 +340,7 @@ static const struct usb_device_id blackl
+ { USB_DEVICE(0x7392, 0xa611), .driver_info = BTUSB_REALTEK },
+
+ /* Additional Realtek 8723DE Bluetooth devices */
++ { USB_DEVICE(0x0bda, 0xb009), .driver_info = BTUSB_REALTEK },
+ { USB_DEVICE(0x2ff8, 0xb011), .driver_info = BTUSB_REALTEK },
+
+ /* Additional Realtek 8821AE Bluetooth devices */
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Stafford Horne <shorne@gmail.com>
+Date: Mon, 25 Jun 2018 21:45:37 +0900
+Subject: crypto: skcipher - Fix -Wstringop-truncation warnings
+
+From: Stafford Horne <shorne@gmail.com>
+
+[ Upstream commit cefd769fd0192c84d638f66da202459ed8ad63ba ]
+
+As of GCC 9.0.0 the build is reporting warnings like:
+
+ crypto/ablkcipher.c: In function ‘crypto_ablkcipher_report’:
+ crypto/ablkcipher.c:374:2: warning: ‘strncpy’ specified bound 64 equals destination size [-Wstringop-truncation]
+ strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<default>",
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ sizeof(rblkcipher.geniv));
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This means the strnycpy might create a non null terminated string. Fix this by
+explicitly performing '\0' termination.
+
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Max Filippov <jcmvbkbc@gmail.com>
+Cc: Eric Biggers <ebiggers3@gmail.com>
+Cc: Nick Desaulniers <nick.desaulniers@gmail.com>
+Signed-off-by: Stafford Horne <shorne@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/ablkcipher.c | 2 ++
+ crypto/blkcipher.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/crypto/ablkcipher.c
++++ b/crypto/ablkcipher.c
+@@ -384,6 +384,7 @@ static int crypto_ablkcipher_report(stru
+ strncpy(rblkcipher.type, "ablkcipher", sizeof(rblkcipher.type));
+ strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<default>",
+ sizeof(rblkcipher.geniv));
++ rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0';
+
+ rblkcipher.blocksize = alg->cra_blocksize;
+ rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize;
+@@ -465,6 +466,7 @@ static int crypto_givcipher_report(struc
+ strncpy(rblkcipher.type, "givcipher", sizeof(rblkcipher.type));
+ strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<built-in>",
+ sizeof(rblkcipher.geniv));
++ rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0';
+
+ rblkcipher.blocksize = alg->cra_blocksize;
+ rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize;
+--- a/crypto/blkcipher.c
++++ b/crypto/blkcipher.c
+@@ -515,6 +515,7 @@ static int crypto_blkcipher_report(struc
+ strncpy(rblkcipher.type, "blkcipher", sizeof(rblkcipher.type));
+ strncpy(rblkcipher.geniv, alg->cra_blkcipher.geniv ?: "<default>",
+ sizeof(rblkcipher.geniv));
++ rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0';
+
+ rblkcipher.blocksize = alg->cra_blocksize;
+ rblkcipher.min_keysize = alg->cra_blkcipher.min_keysize;
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+Date: Tue, 12 Jun 2018 12:36:25 +0800
+Subject: drivers/tty: add error handling for pcmcia_loop_config
+
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+
+[ Upstream commit 85c634e919bd6ef17427f26a52920aeba12e16ee ]
+
+When pcmcia_loop_config fails, the lack of error-handling code may
+cause unexpected results.
+
+This patch adds error-handling code after calling pcmcia_loop_config.
+
+Signed-off-by: Zhouyang Jia <jiazhouyang09@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/serial_cs.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/8250/serial_cs.c
++++ b/drivers/tty/serial/8250/serial_cs.c
+@@ -629,8 +629,10 @@ static int serial_config(struct pcmcia_d
+ (link->has_func_id) &&
+ (link->socket->pcmcia_pfc == 0) &&
+ ((link->func_id == CISTPL_FUNCID_MULTI) ||
+- (link->func_id == CISTPL_FUNCID_SERIAL)))
+- pcmcia_loop_config(link, serial_check_for_multi, info);
++ (link->func_id == CISTPL_FUNCID_SERIAL))) {
++ if (pcmcia_loop_config(link, serial_check_for_multi, info))
++ goto failed;
++ }
+
+ /*
+ * Apply any multi-port quirk.
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 12 Jun 2018 14:43:35 +0200
+Subject: EDAC, i7core: Fix memleaks and use-after-free on probe and remove
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 6c974d4dfafe5e9ee754f2a6fba0eb1864f1649e ]
+
+Make sure to free and deregister the addrmatch and chancounts devices
+allocated during probe in all error paths. Also fix use-after-free in a
+probe error path and in the remove success path where the devices were
+being put before before deregistration.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Fixes: 356f0a30860d ("i7core_edac: change the mem allocation scheme to make Documentation/kobject.txt happy")
+Link: http://lkml.kernel.org/r/20180612124335.6420-2-johan@kernel.org
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/i7core_edac.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+--- a/drivers/edac/i7core_edac.c
++++ b/drivers/edac/i7core_edac.c
+@@ -1187,15 +1187,14 @@ static int i7core_create_sysfs_devices(s
+
+ rc = device_add(pvt->addrmatch_dev);
+ if (rc < 0)
+- return rc;
++ goto err_put_addrmatch;
+
+ if (!pvt->is_registered) {
+ pvt->chancounts_dev = kzalloc(sizeof(*pvt->chancounts_dev),
+ GFP_KERNEL);
+ if (!pvt->chancounts_dev) {
+- put_device(pvt->addrmatch_dev);
+- device_del(pvt->addrmatch_dev);
+- return -ENOMEM;
++ rc = -ENOMEM;
++ goto err_del_addrmatch;
+ }
+
+ pvt->chancounts_dev->type = &all_channel_counts_type;
+@@ -1209,9 +1208,18 @@ static int i7core_create_sysfs_devices(s
+
+ rc = device_add(pvt->chancounts_dev);
+ if (rc < 0)
+- return rc;
++ goto err_put_chancounts;
+ }
+ return 0;
++
++err_put_chancounts:
++ put_device(pvt->chancounts_dev);
++err_del_addrmatch:
++ device_del(pvt->addrmatch_dev);
++err_put_addrmatch:
++ put_device(pvt->addrmatch_dev);
++
++ return rc;
+ }
+
+ static void i7core_delete_sysfs_devices(struct mem_ctl_info *mci)
+@@ -1221,11 +1229,11 @@ static void i7core_delete_sysfs_devices(
+ edac_dbg(1, "\n");
+
+ if (!pvt->is_registered) {
+- put_device(pvt->chancounts_dev);
+ device_del(pvt->chancounts_dev);
++ put_device(pvt->chancounts_dev);
+ }
+- put_device(pvt->addrmatch_dev);
+ device_del(pvt->addrmatch_dev);
++ put_device(pvt->addrmatch_dev);
+ }
+
+ /****************************************************************************
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+Date: Thu, 14 Jun 2018 21:37:17 +0800
+Subject: HID: hid-ntrig: add error handling for sysfs_create_group
+
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+
+[ Upstream commit 44d4d51de9a3534a2b63d69efda02a10e66541e4 ]
+
+When sysfs_create_group fails, the lack of error-handling code may
+cause unexpected results.
+
+This patch adds error-handling code after calling sysfs_create_group.
+
+Signed-off-by: Zhouyang Jia <jiazhouyang09@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-ntrig.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/hid/hid-ntrig.c
++++ b/drivers/hid/hid-ntrig.c
+@@ -955,6 +955,8 @@ static int ntrig_probe(struct hid_device
+
+ ret = sysfs_create_group(&hdev->dev.kobj,
+ &ntrig_attribute_group);
++ if (ret)
++ hid_err(hdev, "cannot create sysfs group\n");
+
+ return 0;
+ err_free:
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Guoqing Jiang <gqjiang@suse.com>
+Date: Mon, 2 Jul 2018 16:26:24 +0800
+Subject: md-cluster: clear another node's suspend_area after the copy is finished
+
+From: Guoqing Jiang <gqjiang@suse.com>
+
+[ Upstream commit 010228e4a932ca1e8365e3b58c8e1e44c16ff793 ]
+
+When one node leaves cluster or stops the resyncing
+(resync or recovery) array, then other nodes need to
+call recover_bitmaps to continue the unfinished task.
+
+But we need to clear suspend_area later after other
+nodes copy the resync information to their bitmap
+(by call bitmap_copy_from_slot). Otherwise, all nodes
+could write to the suspend_area even the suspend_area
+is not handled by any node, because area_resyncing
+returns 0 at the beginning of raid1_write_request.
+Which means one node could write suspend_area while
+another node is resyncing the same area, then data
+could be inconsistent.
+
+So let's clear suspend_area later to avoid above issue
+with the protection of bm lock. Also it is straightforward
+to clear suspend_area after nodes have copied the resync
+info to bitmap.
+
+Signed-off-by: Guoqing Jiang <gqjiang@suse.com>
+Reviewed-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/md-cluster.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+--- a/drivers/md/md-cluster.c
++++ b/drivers/md/md-cluster.c
+@@ -239,15 +239,6 @@ static void recover_bitmaps(struct md_th
+ while (cinfo->recovery_map) {
+ slot = fls64((u64)cinfo->recovery_map) - 1;
+
+- /* Clear suspend_area associated with the bitmap */
+- spin_lock_irq(&cinfo->suspend_lock);
+- list_for_each_entry_safe(s, tmp, &cinfo->suspend_list, list)
+- if (slot == s->slot) {
+- list_del(&s->list);
+- kfree(s);
+- }
+- spin_unlock_irq(&cinfo->suspend_lock);
+-
+ snprintf(str, 64, "bitmap%04d", slot);
+ bm_lockres = lockres_init(mddev, str, NULL, 1);
+ if (!bm_lockres) {
+@@ -266,6 +257,16 @@ static void recover_bitmaps(struct md_th
+ pr_err("md-cluster: Could not copy data from bitmap %d\n", slot);
+ goto dlm_unlock;
+ }
++
++ /* Clear suspend_area associated with the bitmap */
++ spin_lock_irq(&cinfo->suspend_lock);
++ list_for_each_entry_safe(s, tmp, &cinfo->suspend_list, list)
++ if (slot == s->slot) {
++ list_del(&s->list);
++ kfree(s);
++ }
++ spin_unlock_irq(&cinfo->suspend_lock);
++
+ if (hi > 0) {
+ /* TODO:Wait for current resync to get over */
+ set_bit(MD_RECOVERY_NEEDED, &mddev->recovery);
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Date: Tue, 15 May 2018 05:21:45 -0400
+Subject: media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt()
+
+From: Sylwester Nawrocki <s.nawrocki@samsung.com>
+
+[ Upstream commit 7c1b9a5aeed91bef98988ac0fcf38c8c1f4f9a3a ]
+
+This patch fixes potential NULL pointer dereference as indicated
+by the following static checker warning:
+
+drivers/media/platform/exynos4-is/fimc-isp-video.c:408 isp_video_try_fmt_mplane()
+error: NULL dereference inside function '__isp_video_try_fmt(isp, &f->fmt.pix_mp, (0))()'.
+
+Fixes: 34947b8aebe3: ("[media] exynos4-is: Add the FIMC-IS ISP capture DMA driver")
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/exynos4-is/fimc-isp-video.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/platform/exynos4-is/fimc-isp-video.c
++++ b/drivers/media/platform/exynos4-is/fimc-isp-video.c
+@@ -391,12 +391,17 @@ static void __isp_video_try_fmt(struct f
+ struct v4l2_pix_format_mplane *pixm,
+ const struct fimc_fmt **fmt)
+ {
+- *fmt = fimc_isp_find_format(&pixm->pixelformat, NULL, 2);
++ const struct fimc_fmt *__fmt;
++
++ __fmt = fimc_isp_find_format(&pixm->pixelformat, NULL, 2);
++
++ if (fmt)
++ *fmt = __fmt;
+
+ pixm->colorspace = V4L2_COLORSPACE_SRGB;
+ pixm->field = V4L2_FIELD_NONE;
+- pixm->num_planes = (*fmt)->memplanes;
+- pixm->pixelformat = (*fmt)->fourcc;
++ pixm->num_planes = __fmt->memplanes;
++ pixm->pixelformat = __fmt->fourcc;
+ /*
+ * TODO: double check with the docmentation these width/height
+ * constraints are correct.
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Fri, 29 Jun 2018 17:49:22 -0400
+Subject: media: fsl-viu: fix error handling in viu_of_probe()
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+[ Upstream commit 662a99e145661c2b35155cf375044deae9b79896 ]
+
+viu_of_probe() ignores fails in i2c_get_adapter(),
+tries to unlock uninitialized mutex on error path.
+
+The patch streamlining the error handling in viu_of_probe().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/fsl-viu.c | 38 +++++++++++++++++++++++---------------
+ 1 file changed, 23 insertions(+), 15 deletions(-)
+
+--- a/drivers/media/platform/fsl-viu.c
++++ b/drivers/media/platform/fsl-viu.c
+@@ -1417,7 +1417,7 @@ static int viu_of_probe(struct platform_
+ sizeof(struct viu_reg), DRV_NAME)) {
+ dev_err(&op->dev, "Error while requesting mem region\n");
+ ret = -EBUSY;
+- goto err;
++ goto err_irq;
+ }
+
+ /* remap registers */
+@@ -1425,7 +1425,7 @@ static int viu_of_probe(struct platform_
+ if (!viu_regs) {
+ dev_err(&op->dev, "Can't map register set\n");
+ ret = -ENOMEM;
+- goto err;
++ goto err_irq;
+ }
+
+ /* Prepare our private structure */
+@@ -1433,7 +1433,7 @@ static int viu_of_probe(struct platform_
+ if (!viu_dev) {
+ dev_err(&op->dev, "Can't allocate private structure\n");
+ ret = -ENOMEM;
+- goto err;
++ goto err_irq;
+ }
+
+ viu_dev->vr = viu_regs;
+@@ -1449,16 +1449,21 @@ static int viu_of_probe(struct platform_
+ ret = v4l2_device_register(viu_dev->dev, &viu_dev->v4l2_dev);
+ if (ret < 0) {
+ dev_err(&op->dev, "v4l2_device_register() failed: %d\n", ret);
+- goto err;
++ goto err_irq;
+ }
+
+ ad = i2c_get_adapter(0);
++ if (!ad) {
++ ret = -EFAULT;
++ dev_err(&op->dev, "couldn't get i2c adapter\n");
++ goto err_v4l2;
++ }
+
+ v4l2_ctrl_handler_init(&viu_dev->hdl, 5);
+ if (viu_dev->hdl.error) {
+ ret = viu_dev->hdl.error;
+ dev_err(&op->dev, "couldn't register control\n");
+- goto err_vdev;
++ goto err_i2c;
+ }
+ /* This control handler will inherit the control(s) from the
+ sub-device(s). */
+@@ -1476,7 +1481,7 @@ static int viu_of_probe(struct platform_
+ vdev = video_device_alloc();
+ if (vdev == NULL) {
+ ret = -ENOMEM;
+- goto err_vdev;
++ goto err_hdl;
+ }
+
+ *vdev = viu_template;
+@@ -1497,7 +1502,7 @@ static int viu_of_probe(struct platform_
+ ret = video_register_device(viu_dev->vdev, VFL_TYPE_GRABBER, -1);
+ if (ret < 0) {
+ video_device_release(viu_dev->vdev);
+- goto err_vdev;
++ goto err_unlock;
+ }
+
+ /* enable VIU clock */
+@@ -1505,12 +1510,12 @@ static int viu_of_probe(struct platform_
+ if (IS_ERR(clk)) {
+ dev_err(&op->dev, "failed to lookup the clock!\n");
+ ret = PTR_ERR(clk);
+- goto err_clk;
++ goto err_vdev;
+ }
+ ret = clk_prepare_enable(clk);
+ if (ret) {
+ dev_err(&op->dev, "failed to enable the clock!\n");
+- goto err_clk;
++ goto err_vdev;
+ }
+ viu_dev->clk = clk;
+
+@@ -1521,7 +1526,7 @@ static int viu_of_probe(struct platform_
+ if (request_irq(viu_dev->irq, viu_intr, 0, "viu", (void *)viu_dev)) {
+ dev_err(&op->dev, "Request VIU IRQ failed.\n");
+ ret = -ENODEV;
+- goto err_irq;
++ goto err_clk;
+ }
+
+ mutex_unlock(&viu_dev->lock);
+@@ -1529,16 +1534,19 @@ static int viu_of_probe(struct platform_
+ dev_info(&op->dev, "Freescale VIU Video Capture Board\n");
+ return ret;
+
+-err_irq:
+- clk_disable_unprepare(viu_dev->clk);
+ err_clk:
+- video_unregister_device(viu_dev->vdev);
++ clk_disable_unprepare(viu_dev->clk);
+ err_vdev:
+- v4l2_ctrl_handler_free(&viu_dev->hdl);
++ video_unregister_device(viu_dev->vdev);
++err_unlock:
+ mutex_unlock(&viu_dev->lock);
++err_hdl:
++ v4l2_ctrl_handler_free(&viu_dev->hdl);
++err_i2c:
+ i2c_put_adapter(ad);
++err_v4l2:
+ v4l2_device_unregister(&viu_dev->v4l2_dev);
+-err:
++err_irq:
+ irq_dispose_mapping(viu_irq);
+ return ret;
+ }
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Sat, 9 Jun 2018 08:22:45 -0400
+Subject: media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data
+
+From: Javier Martinez Canillas <javierm@redhat.com>
+
+[ Upstream commit 2ec7debd44b49927a6e2861521994cc075a389ed ]
+
+The struct clk_init_data init variable is declared in the isp_xclk_init()
+function so is an automatic variable allocated in the stack. But it's not
+explicitly zero-initialized, so some init fields are left uninitialized.
+
+This causes the data structure to have undefined values that may confuse
+the common clock framework when the clock is registered.
+
+For example, the uninitialized .flags field could have the CLK_IS_CRITICAL
+bit set, causing the framework to wrongly prepare the clk on registration.
+This leads to the isp_xclk_prepare() callback being called, which in turn
+calls to the omap3isp_get() function that increments the isp dev refcount.
+
+Since this omap3isp_get() call is unexpected, this leads to an unbalanced
+omap3isp_get() call that prevents the requested IRQ to be later enabled,
+due the refcount not being 0 when the correct omap3isp_get() call happens.
+
+Fixes: 9b28ee3c9122 ("[media] omap3isp: Use the common clock framework")
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/omap3isp/isp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/platform/omap3isp/isp.c
++++ b/drivers/media/platform/omap3isp/isp.c
+@@ -303,7 +303,7 @@ static struct clk *isp_xclk_src_get(stru
+ static int isp_xclk_init(struct isp_device *isp)
+ {
+ struct device_node *np = isp->dev->of_node;
+- struct clk_init_data init;
++ struct clk_init_data init = { 0 };
+ unsigned int i;
+
+ for (i = 0; i < ARRAY_SIZE(isp->xclks); ++i)
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Sun, 10 Jun 2018 11:42:01 -0400
+Subject: media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+[ Upstream commit 30ed2b83343bd1e07884ca7355dac70d25ffc158 ]
+
+When the subdevice doesn't provide s_power core ops callback, the
+v4l2_subdev_call for s_power returns -ENOIOCTLCMD. If the subdevice
+doesn't have the special handling for its power saving mode, the s_power
+isn't required. So -ENOIOCTLCMD from the v4l2_subdev_call should be
+ignored.
+
+Cc: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Acked-by: Sylwester Nawrocki <sylvester.nawrocki@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/s3c-camif/camif-capture.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/platform/s3c-camif/camif-capture.c
++++ b/drivers/media/platform/s3c-camif/camif-capture.c
+@@ -117,6 +117,8 @@ static int sensor_set_power(struct camif
+
+ if (camif->sensor.power_count == !on)
+ err = v4l2_subdev_call(sensor->sd, core, s_power, on);
++ if (err == -ENOIOCTLCMD)
++ err = 0;
+ if (!err)
+ sensor->power_count += on ? 1 : -1;
+
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Sun, 10 Jun 2018 11:42:26 -0400
+Subject: media: soc_camera: ov772x: correct setting of banding filter
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+[ Upstream commit 22216ec41e919682c15345e95928f266e8ba6f9e ]
+
+The banding filter ON/OFF is controlled via bit 5 of COM8 register. It
+is attempted to be enabled in ov772x_set_params() by the following line.
+
+ ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, 1);
+
+But this unexpectedly results disabling the banding filter, because the
+mask and set bits are exclusive.
+
+On the other hand, ov772x_s_ctrl() correctly sets the bit by:
+
+ ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, BNDF_ON_OFF);
+
+The same fix was already applied to non-soc_camera version of ov772x
+driver in the commit commit a024ee14cd36 ("media: ov772x: correct setting
+of banding filter")
+
+Cc: Jacopo Mondi <jacopo+renesas@jmondi.org>
+Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Cc: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/soc_camera/ov772x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/soc_camera/ov772x.c
++++ b/drivers/media/i2c/soc_camera/ov772x.c
+@@ -834,7 +834,7 @@ static int ov772x_set_params(struct ov77
+ * set COM8
+ */
+ if (priv->band_filter) {
+- ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, 1);
++ ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, BNDF_ON_OFF);
+ if (!ret)
+ ret = ov772x_mask_set(client, BDBASE,
+ 0xff, 256 - priv->band_filter);
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+Date: Mon, 11 Jun 2018 00:39:20 -0400
+Subject: media: tm6000: add error handling for dvb_register_adapter
+
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+
+[ Upstream commit e95d7c6eb94c634852eaa5ff4caf3db05b5d2e86 ]
+
+When dvb_register_adapter fails, the lack of error-handling code may
+cause unexpected results.
+
+This patch adds error-handling code after calling dvb_register_adapter.
+
+Signed-off-by: Zhouyang Jia <jiazhouyang09@gmail.com>
+[hans.verkuil@cisco.com: use pr_err and fix typo: adater -> adapter]
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/tm6000/tm6000-dvb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/media/usb/tm6000/tm6000-dvb.c
++++ b/drivers/media/usb/tm6000/tm6000-dvb.c
+@@ -275,6 +275,11 @@ static int register_dvb(struct tm6000_co
+
+ ret = dvb_register_adapter(&dvb->adapter, "Trident TVMaster 6000 DVB-T",
+ THIS_MODULE, &dev->udev->dev, adapter_nr);
++ if (ret < 0) {
++ pr_err("tm6000: couldn't register the adapter!\n");
++ goto err;
++ }
++
+ dvb->adapter.priv = dev;
+
+ if (dvb->frontend) {
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Jessica Yu <jeyu@kernel.org>
+Date: Tue, 5 Jun 2018 10:22:52 +0200
+Subject: module: exclude SHN_UNDEF symbols from kallsyms api
+
+From: Jessica Yu <jeyu@kernel.org>
+
+[ Upstream commit 9f2d1e68cf4d641def734adaccfc3823d3575e6c ]
+
+Livepatch modules are special in that we preserve their entire symbol
+tables in order to be able to apply relocations after module load. The
+unwanted side effect of this is that undefined (SHN_UNDEF) symbols of
+livepatch modules are accessible via the kallsyms api and this can
+confuse symbol resolution in livepatch (klp_find_object_symbol()) and
+cause subtle bugs in livepatch.
+
+Have the module kallsyms api skip over SHN_UNDEF symbols. These symbols
+are usually not available for normal modules anyway as we cut down their
+symbol tables to just the core (non-undefined) symbols, so this should
+really just affect livepatch modules. Note that this patch doesn't
+affect the display of undefined symbols in /proc/kallsyms.
+
+Reported-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Tested-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Jessica Yu <jeyu@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/module.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -3860,7 +3860,7 @@ static unsigned long mod_find_symname(st
+
+ for (i = 0; i < kallsyms->num_symtab; i++)
+ if (strcmp(name, symname(kallsyms, i)) == 0 &&
+- kallsyms->symtab[i].st_info != 'U')
++ kallsyms->symtab[i].st_shndx != SHN_UNDEF)
+ return kallsyms->symtab[i].st_value;
+ return 0;
+ }
+@@ -3906,6 +3906,10 @@ int module_kallsyms_on_each_symbol(int (
+ if (mod->state == MODULE_STATE_UNFORMED)
+ continue;
+ for (i = 0; i < kallsyms->num_symtab; i++) {
++
++ if (kallsyms->symtab[i].st_shndx == SHN_UNDEF)
++ continue;
++
+ ret = fn(data, symname(kallsyms, i),
+ mod, kallsyms->symtab[i].st_value);
+ if (ret != 0)
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Wed, 13 Jun 2018 15:21:35 -0400
+Subject: nfsd: fix corrupted reply to badly ordered compound
+
+From: "J. Bruce Fields" <bfields@redhat.com>
+
+[ Upstream commit 5b7b15aee641904ae269be9846610a3950cbd64c ]
+
+We're encoding a single op in the reply but leaving the number of ops
+zero, so the reply makes no sense.
+
+Somewhat academic as this isn't a case any real client will hit, though
+in theory perhaps that could change in a future protocol extension.
+
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4proc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1632,6 +1632,7 @@ nfsd4_proc_compound(struct svc_rqst *rqs
+ if (status) {
+ op = &args->ops[0];
+ op->status = status;
++ resp->opcnt = 1;
+ goto encode_op;
+ }
+
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Sudeep Holla <sudeep.holla@arm.com>
+Date: Mon, 18 Jun 2018 16:54:32 +0100
+Subject: power: vexpress: fix corruption in notifier registration
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+[ Upstream commit 09bebb1adb21ecd04adf7ccb3b06f73e3a851e93 ]
+
+Vexpress platforms provide two different restart handlers: SYS_REBOOT
+that restart the entire system, while DB_RESET only restarts the
+daughter board containing the CPU. DB_RESET is overridden by SYS_REBOOT
+if it exists.
+
+notifier_chain_register used in register_restart_handler by design
+relies on notifiers to be registered once only, however vexpress restart
+notifier can get registered twice. When this happen it corrupts list
+of notifiers, as result some notifiers can be not called on proper
+event, traverse on list can be cycled forever, and second unregister
+can access already freed memory.
+
+So far, since this was the only restart handler in the system, no issue
+was observed even if the same notifier was registered twice. However
+commit 6c5c0d48b686 ("watchdog: sp805: add restart handler") added
+support for SP805 restart handlers and since the system under test
+contains two vexpress restart and two SP805 watchdog instances, it was
+observed that during the boot traversing the restart handler list looped
+forever as there's a cycle in that list resulting in boot hang.
+
+This patch fixes the issues by ensuring that the notifier is installed
+only once.
+
+Cc: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Fixes: 46c99ac66222 ("power/reset: vexpress: Register with kernel restart handler")
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/reset/vexpress-poweroff.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/power/reset/vexpress-poweroff.c
++++ b/drivers/power/reset/vexpress-poweroff.c
+@@ -35,6 +35,7 @@ static void vexpress_reset_do(struct dev
+ }
+
+ static struct device *vexpress_power_off_device;
++static atomic_t vexpress_restart_nb_refcnt = ATOMIC_INIT(0);
+
+ static void vexpress_power_off(void)
+ {
+@@ -99,10 +100,13 @@ static int _vexpress_register_restart_ha
+ int err;
+
+ vexpress_restart_device = dev;
+- err = register_restart_handler(&vexpress_restart_nb);
+- if (err) {
+- dev_err(dev, "cannot register restart handler (err=%d)\n", err);
+- return err;
++ if (atomic_inc_return(&vexpress_restart_nb_refcnt) == 1) {
++ err = register_restart_handler(&vexpress_restart_nb);
++ if (err) {
++ dev_err(dev, "cannot register restart handler (err=%d)\n", err);
++ atomic_dec(&vexpress_restart_nb_refcnt);
++ return err;
++ }
+ }
+ device_create_file(dev, &dev_attr_active);
+
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Hari Bathini <hbathini@linux.ibm.com>
+Date: Thu, 28 Jun 2018 10:49:56 +0530
+Subject: powerpc/kdump: Handle crashkernel memory reservation failure
+
+From: Hari Bathini <hbathini@linux.ibm.com>
+
+[ Upstream commit 8950329c4a64c6d3ca0bc34711a1afbd9ce05657 ]
+
+Memory reservation for crashkernel could fail if there are holes around
+kdump kernel offset (128M). Fail gracefully in such cases and print an
+error message.
+
+Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
+Tested-by: David Gibson <dgibson@redhat.com>
+Reviewed-by: Dave Young <dyoung@redhat.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/machine_kexec.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/machine_kexec.c
++++ b/arch/powerpc/kernel/machine_kexec.c
+@@ -186,7 +186,12 @@ void __init reserve_crashkernel(void)
+ (unsigned long)(crashk_res.start >> 20),
+ (unsigned long)(memblock_phys_mem_size() >> 20));
+
+- memblock_reserve(crashk_res.start, crash_size);
++ if (!memblock_is_region_memory(crashk_res.start, crash_size) ||
++ memblock_reserve(crashk_res.start, crash_size)) {
++ pr_err("Failed to reserve memory for crashkernel!\n");
++ crashk_res.start = crashk_res.end = 0;
++ return;
++ }
+ }
+
+ int overlaps_crashkernel(unsigned long start, unsigned long size)
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+Date: Fri, 1 Jun 2018 18:06:16 +1000
+Subject: powerpc/powernv/ioda2: Reduce upper limit for DMA window size
+
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+
+[ Upstream commit d3d4ffaae439981e1e441ebb125aa3588627c5d8 ]
+
+We use PHB in mode1 which uses bit 59 to select a correct DMA window.
+However there is mode2 which uses bits 59:55 and allows up to 32 DMA
+windows per a PE.
+
+Even though documentation does not clearly specify that, it seems that
+the actual hardware does not support bits 59:55 even in mode1, in other
+words we can create a window as big as 1<<58 but DMA simply won't work.
+
+This reduces the upper limit from 59 to 55 bits to let the userspace know
+about the hardware limits.
+
+Fixes: 7aafac11e3 "powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested"
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/powernv/pci-ioda.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/powernv/pci-ioda.c
++++ b/arch/powerpc/platforms/powernv/pci-ioda.c
+@@ -2270,7 +2270,7 @@ static long pnv_pci_ioda2_table_alloc_pa
+ level_shift = entries_shift + 3;
+ level_shift = max_t(unsigned, level_shift, PAGE_SHIFT);
+
+- if ((level_shift - 3) * levels + page_shift >= 60)
++ if ((level_shift - 3) * levels + page_shift >= 55)
+ return -EINVAL;
+
+ /* Allocate TCE table */
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 5 Jun 2018 14:31:39 +0300
+Subject: rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit ae636fb1554833ee5133ca47bf4b2791b6739c52 ]
+
+This is a static checker fix, not something I have tested. The issue
+is that on the second iteration through the loop, we jump forward by
+le32_to_cpu(auth_req->length) bytes. The problem is that if the length
+is more than "buflen" then we end up with a negative "buflen". A
+negative buflen is type promoted to a high positive value and the loop
+continues but it's accessing beyond the end of the buffer.
+
+I believe the "auth_req->length" comes from the firmware and if the
+firmware is malicious or buggy, you're already toasted so the impact of
+this bug is probably not very severe.
+
+Fixes: 030645aceb3d ("rndis_wlan: handle 802.11 indications from device")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/rndis_wlan.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/rndis_wlan.c
++++ b/drivers/net/wireless/rndis_wlan.c
+@@ -2919,6 +2919,8 @@ static void rndis_wlan_auth_indication(s
+
+ while (buflen >= sizeof(*auth_req)) {
+ auth_req = (void *)buf;
++ if (buflen < le32_to_cpu(auth_req->length))
++ return;
+ type = "unknown";
+ flags = le32_to_cpu(auth_req->flags);
+ pairwise_error = false;
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Sun, 17 Jun 2018 00:30:43 +0200
+Subject: s390/extmem: fix gcc 8 stringop-overflow warning
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+[ Upstream commit 6b2ddf33baec23dace85bd647e3fc4ac070963e8 ]
+
+arch/s390/mm/extmem.c: In function '__segment_load':
+arch/s390/mm/extmem.c:436:2: warning: 'strncat' specified bound 7 equals
+source length [-Wstringop-overflow=]
+ strncat(seg->res_name, " (DCSS)", 7);
+
+What gcc complains about here is the misuse of strncat function, which
+in this case does not limit a number of bytes taken from "src", so it is
+in the end the same as strcat(seg->res_name, " (DCSS)");
+
+Keeping in mind that a res_name is 15 bytes, strncat in this case
+would overflow the buffer and write 0 into alignment byte between the
+fields in the struct. To avoid that increasing res_name size to 16,
+and reusing strlcat.
+
+Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/mm/extmem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/mm/extmem.c
++++ b/arch/s390/mm/extmem.c
+@@ -79,7 +79,7 @@ struct qin64 {
+ struct dcss_segment {
+ struct list_head list;
+ char dcss_name[8];
+- char res_name[15];
++ char res_name[16];
+ unsigned long start_addr;
+ unsigned long end;
+ atomic_t ref_count;
+@@ -434,7 +434,7 @@ __segment_load (char *name, int do_nonsh
+ memcpy(&seg->res_name, seg->dcss_name, 8);
+ EBCASC(seg->res_name, 8);
+ seg->res_name[8] = '\0';
+- strncat(seg->res_name, " (DCSS)", 7);
++ strlcat(seg->res_name, " (DCSS)", sizeof(seg->res_name));
+ seg->res->name = seg->res_name;
+ rc = seg->vm_segtype;
+ if (rc == SEG_TYPE_SC ||
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+Date: Tue, 12 Jun 2018 11:13:00 +0800
+Subject: scsi: bnx2i: add error handling for ioremap_nocache
+
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+
+[ Upstream commit aa154ea885eb0c2407457ce9c1538d78c95456fa ]
+
+When ioremap_nocache fails, the lack of error-handling code may cause
+unexpected results.
+
+This patch adds error-handling code after calling ioremap_nocache.
+
+Signed-off-by: Zhouyang Jia <jiazhouyang09@gmail.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Acked-by: Manish Rangankar <Manish.Rangankar@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/bnx2i/bnx2i_hwi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/bnx2i/bnx2i_hwi.c
++++ b/drivers/scsi/bnx2i/bnx2i_hwi.c
+@@ -2742,6 +2742,8 @@ int bnx2i_map_ep_dbell_regs(struct bnx2i
+ BNX2X_DOORBELL_PCI_BAR);
+ reg_off = (1 << BNX2X_DB_SHIFT) * (cid_num & 0x1FFFF);
+ ep->qp.ctx_base = ioremap_nocache(reg_base + reg_off, 4);
++ if (!ep->qp.ctx_base)
++ return -ENOMEM;
+ goto arm_cq;
+ }
+
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Breno Leitao <leitao@debian.org>
+Date: Tue, 26 Jun 2018 17:35:16 -0300
+Subject: scsi: ibmvscsi: Improve strings handling
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit 1262dc09dc9ae7bf4ad00b6a2c5ed6a6936bcd10 ]
+
+Currently an open firmware property is copied into partition_name variable
+without keeping a room for \0.
+
+Later one, this variable (partition_name), which is 97 bytes long, is
+strncpyed into ibmvcsci_host_data->madapter_info->partition_name, which is
+96 bytes long, possibly truncating it 'again' and removing the \0.
+
+This patch simply decreases the partition name to 96 and just copy using
+strlcpy() which guarantees that the string is \0 terminated. I think there
+is no issue if this there is a truncation in this very first copy, i.e,
+when the open firmware property is read and copied into the driver for the
+very first time;
+
+This issue also causes the following warning on GCC 8:
+
+ drivers/scsi/ibmvscsi/ibmvscsi.c:281:2: warning: strncpy output may be truncated copying 96 bytes from a string of length 96 [-Wstringop-truncation]
+ ...
+ inlined from ibmvscsi_probe at drivers/scsi/ibmvscsi/ibmvscsi.c:2221:7:
+ drivers/scsi/ibmvscsi/ibmvscsi.c:265:3: warning: strncpy specified bound 97 equals destination size [-Wstringop-truncation]
+
+CC: Bart Van Assche <bart.vanassche@wdc.com>
+CC: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Acked-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ibmvscsi/ibmvscsi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ibmvscsi/ibmvscsi.c
++++ b/drivers/scsi/ibmvscsi/ibmvscsi.c
+@@ -93,7 +93,7 @@ static int max_requests = IBMVSCSI_MAX_R
+ static int max_events = IBMVSCSI_MAX_REQUESTS_DEFAULT + 2;
+ static int fast_fail = 1;
+ static int client_reserve = 1;
+-static char partition_name[97] = "UNKNOWN";
++static char partition_name[96] = "UNKNOWN";
+ static unsigned int partition_number = -1;
+
+ static struct scsi_transport_template *ibmvscsi_transport_template;
+@@ -261,7 +261,7 @@ static void gather_partition_info(void)
+
+ ppartition_name = of_get_property(rootdn, "ibm,partition-name", NULL);
+ if (ppartition_name)
+- strncpy(partition_name, ppartition_name,
++ strlcpy(partition_name, ppartition_name,
+ sizeof(partition_name));
+ p_number_ptr = of_get_property(rootdn, "ibm,partition-no", NULL);
+ if (p_number_ptr)
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Fri, 22 Jun 2018 14:54:49 -0700
+Subject: scsi: klist: Make it safe to use klists in atomic context
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+[ Upstream commit 624fa7790f80575a4ec28fbdb2034097dc18d051 ]
+
+In the scsi_transport_srp implementation it cannot be avoided to
+iterate over a klist from atomic context when using the legacy block
+layer instead of blk-mq. Hence this patch that makes it safe to use
+klists in atomic context. This patch avoids that lockdep reports the
+following:
+
+WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
+ Possible interrupt unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&(&k->k_lock)->rlock);
+ local_irq_disable();
+ lock(&(&q->__queue_lock)->rlock);
+ lock(&(&k->k_lock)->rlock);
+ <Interrupt>
+ lock(&(&q->__queue_lock)->rlock);
+
+stack backtrace:
+Workqueue: kblockd blk_timeout_work
+Call Trace:
+ dump_stack+0xa4/0xf5
+ check_usage+0x6e6/0x700
+ __lock_acquire+0x185d/0x1b50
+ lock_acquire+0xd2/0x260
+ _raw_spin_lock+0x32/0x50
+ klist_next+0x47/0x190
+ device_for_each_child+0x8e/0x100
+ srp_timed_out+0xaf/0x1d0 [scsi_transport_srp]
+ scsi_times_out+0xd4/0x410 [scsi_mod]
+ blk_rq_timed_out+0x36/0x70
+ blk_timeout_work+0x1b5/0x220
+ process_one_work+0x4fe/0xad0
+ worker_thread+0x63/0x5a0
+ kthread+0x1c1/0x1e0
+ ret_from_fork+0x24/0x30
+
+See also commit c9ddf73476ff ("scsi: scsi_transport_srp: Fix shost to
+rport translation").
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: Martin K. Petersen <martin.petersen@oracle.com>
+Cc: James Bottomley <jejb@linux.vnet.ibm.com>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/klist.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/lib/klist.c
++++ b/lib/klist.c
+@@ -336,8 +336,9 @@ struct klist_node *klist_prev(struct kli
+ void (*put)(struct klist_node *) = i->i_klist->put;
+ struct klist_node *last = i->i_cur;
+ struct klist_node *prev;
++ unsigned long flags;
+
+- spin_lock(&i->i_klist->k_lock);
++ spin_lock_irqsave(&i->i_klist->k_lock, flags);
+
+ if (last) {
+ prev = to_klist_node(last->n_node.prev);
+@@ -356,7 +357,7 @@ struct klist_node *klist_prev(struct kli
+ prev = to_klist_node(prev->n_node.prev);
+ }
+
+- spin_unlock(&i->i_klist->k_lock);
++ spin_unlock_irqrestore(&i->i_klist->k_lock, flags);
+
+ if (put && last)
+ put(last);
+@@ -377,8 +378,9 @@ struct klist_node *klist_next(struct kli
+ void (*put)(struct klist_node *) = i->i_klist->put;
+ struct klist_node *last = i->i_cur;
+ struct klist_node *next;
++ unsigned long flags;
+
+- spin_lock(&i->i_klist->k_lock);
++ spin_lock_irqsave(&i->i_klist->k_lock, flags);
+
+ if (last) {
+ next = to_klist_node(last->n_node.next);
+@@ -397,7 +399,7 @@ struct klist_node *klist_next(struct kli
+ next = to_klist_node(next->n_node.next);
+ }
+
+- spin_unlock(&i->i_klist->k_lock);
++ spin_unlock_irqrestore(&i->i_klist->k_lock, flags);
+
+ if (put && last)
+ put(last);
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Fri, 22 Jun 2018 14:53:01 -0700
+Subject: scsi: target/iscsi: Make iscsit_ta_authentication() respect the output buffer size
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+[ Upstream commit 35bea5c84fd13c643cce63f0b5cd4b148f8c901d ]
+
+Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Reviewed-by: Mike Christie <mchristi@redhat.com>
+Cc: Mike Christie <mchristi@redhat.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/iscsi/iscsi_target_tpg.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_tpg.c
++++ b/drivers/target/iscsi/iscsi_target_tpg.c
+@@ -637,8 +637,7 @@ int iscsit_ta_authentication(struct iscs
+ none = strstr(buf1, NONE);
+ if (none)
+ goto out;
+- strncat(buf1, ",", strlen(","));
+- strncat(buf1, NONE, strlen(NONE));
++ strlcat(buf1, "," NONE, sizeof(buf1));
+ if (iscsi_update_param_value(param, buf1) < 0)
+ return -EINVAL;
+ }
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Alistair Strachan <astrachan@google.com>
+Date: Tue, 19 Jun 2018 17:57:35 -0700
+Subject: staging: android: ashmem: Fix mmap size validation
+
+From: Alistair Strachan <astrachan@google.com>
+
+[ Upstream commit 8632c614565d0c5fdde527889601c018e97b6384 ]
+
+The ashmem driver did not check that the size/offset of the vma passed
+to its .mmap() function was not larger than the ashmem object being
+mapped. This could cause mmap() to succeed, even though accessing parts
+of the mapping would later fail with a segmentation fault.
+
+Ensure an error is returned by the ashmem_mmap() function if the vma
+size is larger than the ashmem object size. This enables safer handling
+of the problem in userspace.
+
+Cc: Todd Kjos <tkjos@android.com>
+Cc: devel@driverdev.osuosl.org
+Cc: linux-kernel@vger.kernel.org
+Cc: kernel-team@android.com
+Cc: Joel Fernandes <joel@joelfernandes.org>
+Signed-off-by: Alistair Strachan <astrachan@google.com>
+Acked-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Reviewed-by: Martijn Coenen <maco@android.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/android/ashmem.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -370,6 +370,12 @@ static int ashmem_mmap(struct file *file
+ goto out;
+ }
+
++ /* requested mapping size larger than object size */
++ if (vma->vm_end - vma->vm_start > PAGE_ALIGN(asma->size)) {
++ ret = -EINVAL;
++ goto out;
++ }
++
+ /* requested protection bits must match our allowed protection mask */
+ if (unlikely((vma->vm_flags & ~calc_vm_prot_bits(asma->prot_mask)) &
+ calc_vm_prot_bits(PROT_MASK))) {
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Mon, 2 Jul 2018 14:27:35 +0100
+Subject: staging: rts5208: fix missing error check on call to rtsx_write_register
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit c5fae4f4fd28189b1062fb8ef7b21fec37cb8b17 ]
+
+Currently the check on error return from the call to rtsx_write_register
+is checking the error status from the previous call. Fix this by adding
+in the missing assignment of retval.
+
+Detected by CoverityScan, CID#709877
+
+Fixes: fa590c222fba ("staging: rts5208: add support for rts5208 and rts5288")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rts5208/sd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rts5208/sd.c
++++ b/drivers/staging/rts5208/sd.c
+@@ -5031,7 +5031,7 @@ int sd_execute_write_data(struct scsi_cm
+ goto SD_Execute_Write_Cmd_Failed;
+ }
+
+- rtsx_write_register(chip, SD_BYTE_CNT_L, 0xFF, 0x00);
++ retval = rtsx_write_register(chip, SD_BYTE_CNT_L, 0xFF, 0x00);
+ if (retval != STATUS_SUCCESS) {
+ rtsx_trace(chip);
+ goto SD_Execute_Write_Cmd_Failed;
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Matt Ranostay <matt.ranostay@konsulko.com>
+Date: Fri, 8 Jun 2018 23:58:15 -0700
+Subject: tsl2550: fix lux1_input error in low light
+
+From: Matt Ranostay <matt.ranostay@konsulko.com>
+
+[ Upstream commit ce054546cc2c26891cefa2f284d90d93b52205de ]
+
+ADC channel 0 photodiode detects both infrared + visible light,
+but ADC channel 1 just detects infrared. However, the latter is a bit
+more sensitive in that range so complete darkness or low light causes
+a error condition in which the chan0 - chan1 is negative that
+results in a -EAGAIN.
+
+This patch changes the resulting lux1_input sysfs attribute message from
+"Resource temporarily unavailable" to a user-grokable lux value of 0.
+
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Matt Ranostay <matt.ranostay@konsulko.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/tsl2550.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/tsl2550.c
++++ b/drivers/misc/tsl2550.c
+@@ -177,7 +177,7 @@ static int tsl2550_calculate_lux(u8 ch0,
+ } else
+ lux = 0;
+ else
+- return -EAGAIN;
++ return 0;
+
+ /* LUX range check */
+ return lux > TSL2550_MAX_LUX ? TSL2550_MAX_LUX : lux;
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 4 Jul 2018 17:02:18 +0200
+Subject: USB: serial: kobil_sct: fix modem-status error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit a420b5d939ee58f1d950f0ea782834056520aeaa ]
+
+Make sure to return -EIO in case of a short modem-status read request.
+
+While at it, split the debug message to not include the (zeroed)
+transfer-buffer content in case of errors.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/kobil_sct.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/kobil_sct.c
++++ b/drivers/usb/serial/kobil_sct.c
+@@ -408,12 +408,20 @@ static int kobil_tiocmget(struct tty_str
+ transfer_buffer_length,
+ KOBIL_TIMEOUT);
+
+- dev_dbg(&port->dev, "%s - Send get_status_line_state URB returns: %i. Statusline: %02x\n",
+- __func__, result, transfer_buffer[0]);
++ dev_dbg(&port->dev, "Send get_status_line_state URB returns: %i\n",
++ result);
++ if (result < 1) {
++ if (result >= 0)
++ result = -EIO;
++ goto out_free;
++ }
++
++ dev_dbg(&port->dev, "Statusline: %02x\n", transfer_buffer[0]);
+
+ result = 0;
+ if ((transfer_buffer[0] & SUSBCR_GSL_DSR) != 0)
+ result = TIOCM_DSR;
++out_free:
+ kfree(transfer_buffer);
+ return result;
+ }
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+Date: Sun, 1 Jul 2018 19:32:04 +0200
+Subject: usb: wusbcore: security: cast sizeof to int for comparison
+
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+
+[ Upstream commit d3ac5598c5010a8999978ebbcca3b1c6188ca36b ]
+
+Comparing an int to a size, which is unsigned, causes the int to become
+unsigned, giving the wrong result. usb_get_descriptor can return a
+negative error code.
+
+A simplified version of the semantic match that finds this problem is as
+follows: (http://coccinelle.lip6.fr/)
+
+// <smpl>
+@@
+int x;
+expression e,e1;
+identifier f;
+@@
+
+*x = f(...);
+... when != x = e1
+ when != if (x < 0 || ...) { ... return ...; }
+*x < sizeof(e)
+// </smpl>
+
+Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/wusbcore/security.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/wusbcore/security.c
++++ b/drivers/usb/wusbcore/security.c
+@@ -230,7 +230,7 @@ int wusb_dev_sec_add(struct wusbhc *wusb
+
+ result = usb_get_descriptor(usb_dev, USB_DT_SECURITY,
+ 0, secd, sizeof(*secd));
+- if (result < sizeof(*secd)) {
++ if (result < (int)sizeof(*secd)) {
+ dev_err(dev, "Can't read security descriptor or "
+ "not enough data: %d\n", result);
+ goto out;
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Anton Vasilyev <vasilyev@ispras.ru>
+Date: Fri, 6 Jul 2018 15:32:53 +0300
+Subject: uwb: hwa-rc: fix memory leak at probe
+
+From: Anton Vasilyev <vasilyev@ispras.ru>
+
+[ Upstream commit 11b71782c1d10d9bccc31825cf84291cd7588a1e ]
+
+hwarc_probe() allocates memory for hwarc, but does not free it
+if uwb_rc_add() or hwarc_get_version() fail.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/uwb/hwa-rc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/uwb/hwa-rc.c
++++ b/drivers/uwb/hwa-rc.c
+@@ -875,6 +875,7 @@ error_get_version:
+ error_rc_add:
+ usb_put_intf(iface);
+ usb_put_dev(hwarc->usb_dev);
++ kfree(hwarc);
+ error_alloc:
+ uwb_rc_put(uwb_rc);
+ error_rc_alloc:
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Jul 2018 12:33:34 +0300
+Subject: vmci: type promotion bug in qp_host_get_user_memory()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 7fb2fd4e25fc1fb10dcb30b5519de257cfeae84c ]
+
+The problem is that if get_user_pages_fast() fails and returns a
+negative error code, it gets type promoted to a high positive value and
+treated as a success.
+
+Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/vmw_vmci/vmci_queue_pair.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c
++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c
+@@ -755,7 +755,7 @@ static int qp_host_get_user_memory(u64 p
+ retval = get_user_pages_fast((uintptr_t) produce_uva,
+ produce_q->kernel_if->num_pages, 1,
+ produce_q->kernel_if->u.h.header_page);
+- if (retval < produce_q->kernel_if->num_pages) {
++ if (retval < (int)produce_q->kernel_if->num_pages) {
+ pr_debug("get_user_pages_fast(produce) failed (retval=%d)",
+ retval);
+ qp_release_pages(produce_q->kernel_if->u.h.header_page,
+@@ -767,7 +767,7 @@ static int qp_host_get_user_memory(u64 p
+ retval = get_user_pages_fast((uintptr_t) consume_uva,
+ consume_q->kernel_if->num_pages, 1,
+ consume_q->kernel_if->u.h.header_page);
+- if (retval < consume_q->kernel_if->num_pages) {
++ if (retval < (int)consume_q->kernel_if->num_pages) {
+ pr_debug("get_user_pages_fast(consume) failed (retval=%d)",
+ retval);
+ qp_release_pages(consume_q->kernel_if->u.h.header_page,
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Tony Lindgren <tony@atomide.com>
+Date: Tue, 19 Jun 2018 02:43:35 -0700
+Subject: wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 4ec7cece87b3ed21ffcd407c62fb2f151a366bc1 ]
+
+Otherwise we can get:
+
+WARNING: CPU: 0 PID: 55 at drivers/net/wireless/ti/wlcore/io.h:84
+
+I've only seen this few times with the runtime PM patches enabled
+so this one is probably not needed before that. This seems to
+work currently based on the current PM implementation timer. Let's
+apply this separately though in case others are hitting this issue.
+
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ti/wlcore/cmd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/wireless/ti/wlcore/cmd.c
++++ b/drivers/net/wireless/ti/wlcore/cmd.c
+@@ -35,6 +35,7 @@
+ #include "wl12xx_80211.h"
+ #include "cmd.h"
+ #include "event.h"
++#include "ps.h"
+ #include "tx.h"
+ #include "hw_ops.h"
+
+@@ -191,6 +192,10 @@ int wlcore_cmd_wait_for_event_or_timeout
+
+ timeout_time = jiffies + msecs_to_jiffies(WL1271_EVENT_TIMEOUT);
+
++ ret = wl1271_ps_elp_wakeup(wl);
++ if (ret < 0)
++ return ret;
++
+ do {
+ if (time_after(jiffies, timeout_time)) {
+ wl1271_debug(DEBUG_CMD, "timeout waiting for event %d",
+@@ -222,6 +227,7 @@ int wlcore_cmd_wait_for_event_or_timeout
+ } while (!event);
+
+ out:
++ wl1271_ps_elp_sleep(wl);
+ kfree(events_vector);
+ return ret;
+ }
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Jan Beulich <JBeulich@suse.com>
+Date: Mon, 2 Jul 2018 04:47:57 -0600
+Subject: x86/entry/64: Add two more instruction suffixes
+
+From: Jan Beulich <JBeulich@suse.com>
+
+[ Upstream commit 6709812f094d96543b443645c68daaa32d3d3e77 ]
+
+Sadly, other than claimed in:
+
+ a368d7fd2a ("x86/entry/64: Add instruction suffix")
+
+... there are two more instances which want to be adjusted.
+
+As said there, omitting suffixes from instructions in AT&T mode is bad
+practice when operand size cannot be determined by the assembler from
+register operands, and is likely going to be warned about by upstream
+gas in the future (mine does already).
+
+Add the other missing suffixes here as well.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/5B3A02DD02000078001CFB78@prv1-mh.provo.novell.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/entry/entry_64.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -90,7 +90,7 @@ ENDPROC(native_usergs_sysret64)
+ .endm
+
+ .macro TRACE_IRQS_IRETQ_DEBUG
+- bt $9, EFLAGS(%rsp) /* interrupts off? */
++ btl $9, EFLAGS(%rsp) /* interrupts off? */
+ jnc 1f
+ TRACE_IRQS_ON_DEBUG
+ 1:
+@@ -620,7 +620,7 @@ retint_kernel:
+ #ifdef CONFIG_PREEMPT
+ /* Interrupts are off */
+ /* Check if we need preemption */
+- bt $9, EFLAGS(%rsp) /* were interrupts off? */
++ btl $9, EFLAGS(%rsp) /* were interrupts off? */
+ jnc 1f
+ 0: cmpl $0, PER_CPU_VAR(__preempt_count)
+ jnz 1f
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Fri, 6 Jul 2018 09:08:01 -0700
+Subject: x86/numa_emulation: Fix emulated-to-physical node mapping
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+[ Upstream commit 3b6c62f363a19ce82bf378187ab97c9dc01e3927 ]
+
+Without this change the distance table calculation for emulated nodes
+may use the wrong numa node and report an incorrect distance.
+
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Wei Yang <richard.weiyang@gmail.com>
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/153089328103.27680.14778434392225818887.stgit@dwillia2-desk3.amr.corp.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/mm/numa_emulation.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/mm/numa_emulation.c
++++ b/arch/x86/mm/numa_emulation.c
+@@ -60,7 +60,7 @@ static int __init emu_setup_memblk(struc
+ eb->nid = nid;
+
+ if (emu_nid_to_phys[nid] == NUMA_NO_NODE)
+- emu_nid_to_phys[nid] = nid;
++ emu_nid_to_phys[nid] = pb->nid;
+
+ pb->start += size;
+ if (pb->start >= pb->end) {
--- /dev/null
+From foo@baz Sat Sep 29 04:30:43 PDT 2018
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Fri, 29 Jun 2018 22:31:10 +0300
+Subject: x86/tsc: Add missing header to tsc_msr.c
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit dbd0fbc76c77daac08ddd245afdcbade0d506e19 ]
+
+Add a missing header otherwise compiler warns about missed prototype:
+
+CC arch/x86/kernel/tsc_msr.o
+arch/x86/kernel/tsc_msr.c:73:15: warning: no previous prototype for ‘cpu_khz_from_msr’ [-Wmissing-prototypes]
+ unsigned long cpu_khz_from_msr(void)
+ ^~~~~~~~~~~~~~~~
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Pavel Tatashin <pasha.tatashin@oracle.com>
+Link: https://lkml.kernel.org/r/20180629193113.84425-4-andriy.shevchenko@linux.intel.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/tsc_msr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kernel/tsc_msr.c
++++ b/arch/x86/kernel/tsc_msr.c
+@@ -21,6 +21,7 @@
+ #include <asm/setup.h>
+ #include <asm/apic.h>
+ #include <asm/param.h>
++#include <asm/tsc.h>
+
+ /* CPU reference clock frequency: in KHz */
+ #define FREQ_83 83200
projects / thirdparty / kernel / stable-queue.git / commitdiff
