]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 21 Sep 2018 07:45:36 +0000 (09:45 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 21 Sep 2018 07:45:36 +0000 (09:45 +0200)
added patches:
alsa-msnd-fix-the-default-sample-sizes.patch
alsa-usb-audio-fix-multiple-definitions-in-au0828_device-macro.patch
arm-dts-qcom-msm8974-hammerhead-increase-load-on-l20-for-sdhci.patch
arm-exynos-clear-global-variable-on-init-error-path.patch
arm64-dts-qcom-db410c-fix-bluetooth-led-trigger.patch
clk-clk-fixed-factor-clear-of_populated-flag-in-case-of-failure.patch
clk-imx6ul-fix-missing-of_node_put.patch
crypto-sharah-unregister-correct-algorithms-for-sahara-3.patch
dmaengine-mv_xor_v2-kill-the-tasklets-upon-exit.patch
dmaengine-pl330-fix-irq-race-with-terminate_all.patch
drivers-base-stop-new-probing-during-shutdown.patch
efi-arm-preserve-early-mapping-of-uefi-memory-map-longer-for-bgrt.patch
fbdev-distinguish-between-interlaced-and-progressive-modes.patch
fbdev-omapfb-off-by-one-in-omapfb_register_client.patch
fbdev-via-fix-defined-but-not-used-warning.patch
gfs2-don-t-reject-a-supposedly-full-bitmap-if-we-have-blocks-reserved.patch
gfs2-special-case-rindex-for-gfs2_grow.patch
ib-rxe-drop-qp0-silently.patch
iommu-arm-smmu-v3-sync-the-ovackflg-to-priq-consumer-register.patch
kbuild-add-.delete_on_error-special-target.patch
kvm-arm-arm64-fix-vgic-init-race.patch
mac80211-restrict-delayed-tailroom-needed-decrement.patch
media-tw686x-fix-oops-on-buffer-alloc-failure.patch
media-videobuf2-core-check-for-q-error-in-vb2_core_qbuf.patch
mips-ath79-fix-system-restart.patch
mips-jz4740-bump-zload-address.patch
mtd-maps-fix-solutionengine.c-printk-format-warnings.patch
nfp-avoid-buffer-leak-when-fw-communication-fails.patch
perf-powerpc-fix-callchain-ip-filtering-when-return-address-is-in-a-register.patch
perf-powerpc-fix-callchain-ip-filtering.patch
perf-test-fix-subtest-number-when-showing-results.patch
platform-x86-toshiba_acpi-fix-defined-but-not-used-build-warnings.patch
powerpc-powernv-opal_put_chars-partial-write-fix.patch
s390-qeth-fix-race-in-used-buffer-accounting.patch
s390-qeth-reset-layer2-attribute-on-layer-switch.patch
smack-fix-handling-of-ipv4-traffic-received-by-pf_inet6-sockets.patch
video-fbdev-pxafb-clear-allocated-memory-for-video-modes.patch
video-goldfishfb-fix-memory-leak-on-driver-remove.patch
wan-fsl_ucc_hdlc-use-is_err_value-to-check-return-value-of-qe_muram_alloc.patch
xen-netfront-fix-queue-name-setting.patch
xen-netfront-fix-warn-message-as-irq-device-name-has.patch
xfrm-fix-passing-zero-to-err_ptr-warning.patch

43 files changed:
queue-4.9/alsa-msnd-fix-the-default-sample-sizes.patch [new file with mode: 0644]
queue-4.9/alsa-usb-audio-fix-multiple-definitions-in-au0828_device-macro.patch [new file with mode: 0644]
queue-4.9/arm-dts-qcom-msm8974-hammerhead-increase-load-on-l20-for-sdhci.patch [new file with mode: 0644]
queue-4.9/arm-exynos-clear-global-variable-on-init-error-path.patch [new file with mode: 0644]
queue-4.9/arm64-dts-qcom-db410c-fix-bluetooth-led-trigger.patch [new file with mode: 0644]
queue-4.9/clk-clk-fixed-factor-clear-of_populated-flag-in-case-of-failure.patch [new file with mode: 0644]
queue-4.9/clk-imx6ul-fix-missing-of_node_put.patch [new file with mode: 0644]
queue-4.9/crypto-sharah-unregister-correct-algorithms-for-sahara-3.patch [new file with mode: 0644]
queue-4.9/dmaengine-mv_xor_v2-kill-the-tasklets-upon-exit.patch [new file with mode: 0644]
queue-4.9/dmaengine-pl330-fix-irq-race-with-terminate_all.patch [new file with mode: 0644]
queue-4.9/drivers-base-stop-new-probing-during-shutdown.patch [new file with mode: 0644]
queue-4.9/efi-arm-preserve-early-mapping-of-uefi-memory-map-longer-for-bgrt.patch [new file with mode: 0644]
queue-4.9/fbdev-distinguish-between-interlaced-and-progressive-modes.patch [new file with mode: 0644]
queue-4.9/fbdev-omapfb-off-by-one-in-omapfb_register_client.patch [new file with mode: 0644]
queue-4.9/fbdev-via-fix-defined-but-not-used-warning.patch [new file with mode: 0644]
queue-4.9/gfs2-don-t-reject-a-supposedly-full-bitmap-if-we-have-blocks-reserved.patch [new file with mode: 0644]
queue-4.9/gfs2-special-case-rindex-for-gfs2_grow.patch [new file with mode: 0644]
queue-4.9/ib-rxe-drop-qp0-silently.patch [new file with mode: 0644]
queue-4.9/iommu-arm-smmu-v3-sync-the-ovackflg-to-priq-consumer-register.patch [new file with mode: 0644]
queue-4.9/kbuild-add-.delete_on_error-special-target.patch [new file with mode: 0644]
queue-4.9/kvm-arm-arm64-fix-vgic-init-race.patch [new file with mode: 0644]
queue-4.9/mac80211-restrict-delayed-tailroom-needed-decrement.patch [new file with mode: 0644]
queue-4.9/media-tw686x-fix-oops-on-buffer-alloc-failure.patch [new file with mode: 0644]
queue-4.9/media-videobuf2-core-check-for-q-error-in-vb2_core_qbuf.patch [new file with mode: 0644]
queue-4.9/mips-ath79-fix-system-restart.patch [new file with mode: 0644]
queue-4.9/mips-jz4740-bump-zload-address.patch [new file with mode: 0644]
queue-4.9/mtd-maps-fix-solutionengine.c-printk-format-warnings.patch [new file with mode: 0644]
queue-4.9/nfp-avoid-buffer-leak-when-fw-communication-fails.patch [new file with mode: 0644]
queue-4.9/perf-powerpc-fix-callchain-ip-filtering-when-return-address-is-in-a-register.patch [new file with mode: 0644]
queue-4.9/perf-powerpc-fix-callchain-ip-filtering.patch [new file with mode: 0644]
queue-4.9/perf-test-fix-subtest-number-when-showing-results.patch [new file with mode: 0644]
queue-4.9/platform-x86-toshiba_acpi-fix-defined-but-not-used-build-warnings.patch [new file with mode: 0644]
queue-4.9/powerpc-powernv-opal_put_chars-partial-write-fix.patch [new file with mode: 0644]
queue-4.9/s390-qeth-fix-race-in-used-buffer-accounting.patch [new file with mode: 0644]
queue-4.9/s390-qeth-reset-layer2-attribute-on-layer-switch.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/smack-fix-handling-of-ipv4-traffic-received-by-pf_inet6-sockets.patch [new file with mode: 0644]
queue-4.9/video-fbdev-pxafb-clear-allocated-memory-for-video-modes.patch [new file with mode: 0644]
queue-4.9/video-goldfishfb-fix-memory-leak-on-driver-remove.patch [new file with mode: 0644]
queue-4.9/wan-fsl_ucc_hdlc-use-is_err_value-to-check-return-value-of-qe_muram_alloc.patch [new file with mode: 0644]
queue-4.9/xen-netfront-fix-queue-name-setting.patch [new file with mode: 0644]
queue-4.9/xen-netfront-fix-warn-message-as-irq-device-name-has.patch [new file with mode: 0644]
queue-4.9/xfrm-fix-passing-zero-to-err_ptr-warning.patch [new file with mode: 0644]

diff --git a/queue-4.9/alsa-msnd-fix-the-default-sample-sizes.patch b/queue-4.9/alsa-msnd-fix-the-default-sample-sizes.patch
new file mode 100644 (file)
index 0000000..d27bc75
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 25 Jul 2018 23:00:48 +0200
+Subject: ALSA: msnd: Fix the default sample sizes
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 7c500f9ea139d0c9b80fdea5a9c911db3166ea54 ]
+
+The default sample sizes set by msnd driver are bogus; it sets ALSA
+PCM format, not the actual bit width.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/isa/msnd/msnd_pinnacle.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/isa/msnd/msnd_pinnacle.c
++++ b/sound/isa/msnd/msnd_pinnacle.c
+@@ -82,10 +82,10 @@
+ static void set_default_audio_parameters(struct snd_msnd *chip)
+ {
+-      chip->play_sample_size = DEFSAMPLESIZE;
++      chip->play_sample_size = snd_pcm_format_width(DEFSAMPLESIZE);
+       chip->play_sample_rate = DEFSAMPLERATE;
+       chip->play_channels = DEFCHANNELS;
+-      chip->capture_sample_size = DEFSAMPLESIZE;
++      chip->capture_sample_size = snd_pcm_format_width(DEFSAMPLESIZE);
+       chip->capture_sample_rate = DEFSAMPLERATE;
+       chip->capture_channels = DEFCHANNELS;
+ }
diff --git a/queue-4.9/alsa-usb-audio-fix-multiple-definitions-in-au0828_device-macro.patch b/queue-4.9/alsa-usb-audio-fix-multiple-definitions-in-au0828_device-macro.patch
new file mode 100644 (file)
index 0000000..4842fb3
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 25 Jul 2018 23:00:46 +0200
+Subject: ALSA: usb-audio: Fix multiple definitions in AU0828_DEVICE() macro
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit bd1cd0eb2ce9141100628d476ead4de485501b29 ]
+
+AU0828_DEVICE() macro in quirks-table.h uses USB_DEVICE_VENDOR_SPEC()
+for expanding idVendor and idProduct fields.  However, the latter
+macro adds also match_flags and bInterfaceClass, which are different
+from the values AU0828_DEVICE() macro sets after that.
+
+For fixing them, just expand idVendor and idProduct fields manually in
+AU0828_DEVICE().
+
+This fixes sparse warnings like:
+  sound/usb/quirks-table.h:2892:1: warning: Initializer entry defined twice
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/quirks-table.h |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -2875,7 +2875,8 @@ YAMAHA_DEVICE(0x7010, "UB99"),
+  */
+ #define AU0828_DEVICE(vid, pid, vname, pname) { \
+-      USB_DEVICE_VENDOR_SPEC(vid, pid), \
++      .idVendor = vid, \
++      .idProduct = pid, \
+       .match_flags = USB_DEVICE_ID_MATCH_DEVICE | \
+                      USB_DEVICE_ID_MATCH_INT_CLASS | \
+                      USB_DEVICE_ID_MATCH_INT_SUBCLASS, \
diff --git a/queue-4.9/arm-dts-qcom-msm8974-hammerhead-increase-load-on-l20-for-sdhci.patch b/queue-4.9/arm-dts-qcom-msm8974-hammerhead-increase-load-on-l20-for-sdhci.patch
new file mode 100644 (file)
index 0000000..ee84887
--- /dev/null
@@ -0,0 +1,59 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Bhushan Shah <bshah@kde.org>
+Date: Mon, 9 Jul 2018 14:46:28 +0530
+Subject: ARM: dts: qcom: msm8974-hammerhead: increase load on l20 for sdhci
+
+From: Bhushan Shah <bshah@kde.org>
+
+[ Upstream commit 03864e57770a9541e7ff3990bacf2d9a2fffcd5d ]
+
+The kernel would not boot on the hammerhead hardware due to the
+following error:
+
+mmc0: Timeout waiting for hardware interrupt.
+mmc0: sdhci: ============ SDHCI REGISTER DUMP ===========
+mmc0: sdhci: Sys addr:  0x00000200 | Version:  0x00003802
+mmc0: sdhci: Blk size:  0x00000200 | Blk cnt:  0x00000200
+mmc0: sdhci: Argument:  0x00000000 | Trn mode: 0x00000023
+mmc0: sdhci: Present:   0x03e80000 | Host ctl: 0x00000034
+mmc0: sdhci: Power:     0x00000001 | Blk gap:  0x00000000
+mmc0: sdhci: Wake-up:   0x00000000 | Clock:    0x00000007
+mmc0: sdhci: Timeout:   0x0000000e | Int stat: 0x00000000
+mmc0: sdhci: Int enab:  0x02ff900b | Sig enab: 0x02ff100b
+mmc0: sdhci: AC12 err:  0x00000000 | Slot int: 0x00000000
+mmc0: sdhci: Caps:      0x642dc8b2 | Caps_1:   0x00008007
+mmc0: sdhci: Cmd:       0x00000c1b | Max curr: 0x00000000
+mmc0: sdhci: Resp[0]:   0x00000c00 | Resp[1]:  0x00000000
+mmc0: sdhci: Resp[2]:   0x00000000 | Resp[3]:  0x00000000
+mmc0: sdhci: Host ctl2: 0x00000008
+mmc0: sdhci: ADMA Err:  0x00000000 | ADMA Ptr: 0x70040220
+mmc0: sdhci: ============================================
+mmc0: Card stuck in wrong state! mmcblk0 card_busy_detect status: 0xe00
+mmc0: cache flush error -110
+mmc0: Reset 0x1 never completed.
+
+This patch increases the load on l20 to 0.2 amps for the sdhci
+and allows the device to boot normally.
+
+Signed-off-by: Bhushan Shah <bshah@kde.org>
+Signed-off-by: Brian Masney <masneyb@onstation.org>
+Suggested-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Tested-by: Brian Masney <masneyb@onstation.org>
+Signed-off-by: Andy Gross <andy.gross@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/qcom-msm8974-lge-nexus5-hammerhead.dts |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm/boot/dts/qcom-msm8974-lge-nexus5-hammerhead.dts
++++ b/arch/arm/boot/dts/qcom-msm8974-lge-nexus5-hammerhead.dts
+@@ -188,6 +188,8 @@
+                                               regulator-max-microvolt = <2950000>;
+                                               regulator-boot-on;
++                                              regulator-system-load = <200000>;
++                                              regulator-allow-set-load;
+                                       };
+                                       l21 {
diff --git a/queue-4.9/arm-exynos-clear-global-variable-on-init-error-path.patch b/queue-4.9/arm-exynos-clear-global-variable-on-init-error-path.patch
new file mode 100644 (file)
index 0000000..8ee0672
--- /dev/null
@@ -0,0 +1,36 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Tue, 24 Jul 2018 18:48:14 +0200
+Subject: ARM: exynos: Clear global variable on init error path
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit cd4806911cee3901bc2b5eb95603cf1958720b57 ]
+
+For most of Exynos SoCs, Power Management Unit (PMU) address space is
+mapped into global variable 'pmu_base_addr' very early when initializing
+PMU interrupt controller.  A lot of other machine code depends on it so
+when doing iounmap() on this address, clear the global as well to avoid
+usage of invalid value (pointing to unmapped memory region).
+
+Properly mapped PMU address space is a requirement for all other machine
+code so this fix is purely theoretical.  Boot will fail immediately in
+many other places after following this error path.
+
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-exynos/suspend.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/mach-exynos/suspend.c
++++ b/arch/arm/mach-exynos/suspend.c
+@@ -252,6 +252,7 @@ static int __init exynos_pmu_irq_init(st
+                                         NULL);
+       if (!domain) {
+               iounmap(pmu_base_addr);
++              pmu_base_addr = NULL;
+               return -ENOMEM;
+       }
diff --git a/queue-4.9/arm64-dts-qcom-db410c-fix-bluetooth-led-trigger.patch b/queue-4.9/arm64-dts-qcom-db410c-fix-bluetooth-led-trigger.patch
new file mode 100644 (file)
index 0000000..c6bf0cb
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Loic Poulain <loic.poulain@linaro.org>
+Date: Wed, 11 Jul 2018 14:18:23 +0200
+Subject: arm64: dts: qcom: db410c: Fix Bluetooth LED trigger
+
+From: Loic Poulain <loic.poulain@linaro.org>
+
+[ Upstream commit e53db018315b7660bb7000a29e79faff2496c2c2 ]
+
+Current LED trigger, 'bt', is not known/used by any existing driver.
+Fix this by renaming it to 'bluetooth-power' trigger which is
+controlled by the Bluetooth subsystem.
+
+Fixes: 9943230c8860 ("arm64: dts: qcom: Add apq8016-sbc board LED's related device nodes")
+Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
+Signed-off-by: Andy Gross <andy.gross@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/qcom/apq8016-sbc.dtsi |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/qcom/apq8016-sbc.dtsi
++++ b/arch/arm64/boot/dts/qcom/apq8016-sbc.dtsi
+@@ -170,7 +170,7 @@
+                       led@6 {
+                               label = "apq8016-sbc:blue:bt";
+                               gpios = <&pm8916_mpps 3 GPIO_ACTIVE_HIGH>;
+-                              linux,default-trigger = "bt";
++                              linux,default-trigger = "bluetooth-power";
+                               default-state = "off";
+                       };
+               };
diff --git a/queue-4.9/clk-clk-fixed-factor-clear-of_populated-flag-in-case-of-failure.patch b/queue-4.9/clk-clk-fixed-factor-clear-of_populated-flag-in-case-of-failure.patch
new file mode 100644 (file)
index 0000000..e4c9a20
--- /dev/null
@@ -0,0 +1,46 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Rajan Vaja <rajan.vaja@xilinx.com>
+Date: Tue, 17 Jul 2018 06:17:00 -0700
+Subject: clk: clk-fixed-factor: Clear OF_POPULATED flag in case of failure
+
+From: Rajan Vaja <rajan.vaja@xilinx.com>
+
+[ Upstream commit f6dab4233d6b64d719109040503b567f71fbfa01 ]
+
+Fixed factor clock has two initializations at of_clk_init() time
+and during platform driver probe. Before of_clk_init() call,
+node is marked as populated and so its probe never gets called.
+
+During of_clk_init() fixed factor clock registration may fail if
+any of its parent clock is not registered. In this case, it doesn't
+get chance to retry registration from probe. Clear OF_POPULATED
+flag if fixed factor clock registration fails so that clock
+registration is attempted again from probe.
+
+Signed-off-by: Rajan Vaja <rajan.vaja@xilinx.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/clk-fixed-factor.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/clk/clk-fixed-factor.c
++++ b/drivers/clk/clk-fixed-factor.c
+@@ -177,8 +177,15 @@ static struct clk *_of_fixed_factor_clk_
+       clk = clk_register_fixed_factor(NULL, clk_name, parent_name, flags,
+                                       mult, div);
+-      if (IS_ERR(clk))
++      if (IS_ERR(clk)) {
++              /*
++               * If parent clock is not registered, registration would fail.
++               * Clear OF_POPULATED flag so that clock registration can be
++               * attempted again from probe function.
++               */
++              of_node_clear_flag(node, OF_POPULATED);
+               return clk;
++      }
+       ret = of_clk_add_provider(node, of_clk_src_simple_get, clk);
+       if (ret) {
diff --git a/queue-4.9/clk-imx6ul-fix-missing-of_node_put.patch b/queue-4.9/clk-imx6ul-fix-missing-of_node_put.patch
new file mode 100644 (file)
index 0000000..0719a4e
--- /dev/null
@@ -0,0 +1,32 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Nicholas Mc Guire <hofrat@osadl.org>
+Date: Fri, 13 Jul 2018 13:13:20 +0200
+Subject: clk: imx6ul: fix missing of_node_put()
+
+From: Nicholas Mc Guire <hofrat@osadl.org>
+
+[ Upstream commit 11177e7a7aaef95935592072985526ebf0a3df43 ]
+
+of_find_compatible_node() is returning a device node with refcount
+incremented and must be explicitly decremented after the last use
+which is right after the us in of_iomap() here.
+
+Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
+Fixes: 787b4271a6a0 ("clk: imx: add imx6ul clk tree support")
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/imx/clk-imx6ul.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/clk/imx/clk-imx6ul.c
++++ b/drivers/clk/imx/clk-imx6ul.c
+@@ -120,6 +120,7 @@ static void __init imx6ul_clocks_init(st
+       np = of_find_compatible_node(NULL, NULL, "fsl,imx6ul-anatop");
+       base = of_iomap(np, 0);
++      of_node_put(np);
+       WARN_ON(!base);
+       clks[IMX6UL_PLL1_BYPASS_SRC] = imx_clk_mux("pll1_bypass_src", base + 0x00, 14, 1, pll_bypass_src_sels, ARRAY_SIZE(pll_bypass_src_sels));
diff --git a/queue-4.9/crypto-sharah-unregister-correct-algorithms-for-sahara-3.patch b/queue-4.9/crypto-sharah-unregister-correct-algorithms-for-sahara-3.patch
new file mode 100644 (file)
index 0000000..39cde24
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: "Michael Müller" <michael@fds-team.de>
+Date: Sun, 15 Jul 2018 00:27:06 +0200
+Subject: crypto: sharah - Unregister correct algorithms for SAHARA 3
+
+From: "Michael Müller" <michael@fds-team.de>
+
+[ Upstream commit 0e7d4d932ffc23f75efb31a8c2ac2396c1b81c55 ]
+
+This patch fixes two typos related to unregistering algorithms supported by
+SAHARAH 3. In sahara_register_algs the wrong algorithms are unregistered
+in case of an error. In sahara_unregister_algs the wrong array is used to
+determine the iteration count.
+
+Signed-off-by: Michael Müller <michael@fds-team.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/sahara.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/sahara.c
++++ b/drivers/crypto/sahara.c
+@@ -1352,7 +1352,7 @@ err_sha_v4_algs:
+ err_sha_v3_algs:
+       for (j = 0; j < k; j++)
+-              crypto_unregister_ahash(&sha_v4_algs[j]);
++              crypto_unregister_ahash(&sha_v3_algs[j]);
+ err_aes_algs:
+       for (j = 0; j < i; j++)
+@@ -1368,7 +1368,7 @@ static void sahara_unregister_algs(struc
+       for (i = 0; i < ARRAY_SIZE(aes_algs); i++)
+               crypto_unregister_alg(&aes_algs[i]);
+-      for (i = 0; i < ARRAY_SIZE(sha_v4_algs); i++)
++      for (i = 0; i < ARRAY_SIZE(sha_v3_algs); i++)
+               crypto_unregister_ahash(&sha_v3_algs[i]);
+       if (dev->version > SAHARA_VERSION_3)
diff --git a/queue-4.9/dmaengine-mv_xor_v2-kill-the-tasklets-upon-exit.patch b/queue-4.9/dmaengine-mv_xor_v2-kill-the-tasklets-upon-exit.patch
new file mode 100644 (file)
index 0000000..fcddfba
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Hanna Hawa <hannah@marvell.com>
+Date: Tue, 17 Jul 2018 13:30:00 +0300
+Subject: dmaengine: mv_xor_v2: kill the tasklets upon exit
+
+From: Hanna Hawa <hannah@marvell.com>
+
+[ Upstream commit 8bbafed8dd5cfa81071b50ead5cb60367fdef3a9 ]
+
+The mv_xor_v2 driver uses a tasklet, initialized during the probe()
+routine. However, it forgets to cleanup the tasklet using
+tasklet_kill() function during the remove() routine, which this patch
+fixes. This prevents the tasklet from potentially running after the
+module has been removed.
+
+Fixes: 19a340b1a820 ("dmaengine: mv_xor_v2: new driver")
+
+Signed-off-by: Hanna Hawa <hannah@marvell.com>
+Reviewed-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/mv_xor_v2.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/dma/mv_xor_v2.c
++++ b/drivers/dma/mv_xor_v2.c
+@@ -844,6 +844,8 @@ static int mv_xor_v2_remove(struct platf
+       platform_msi_domain_free_irqs(&pdev->dev);
++      tasklet_kill(&xor_dev->irq_tasklet);
++
+       clk_disable_unprepare(xor_dev->clk);
+       return 0;
diff --git a/queue-4.9/dmaengine-pl330-fix-irq-race-with-terminate_all.patch b/queue-4.9/dmaengine-pl330-fix-irq-race-with-terminate_all.patch
new file mode 100644 (file)
index 0000000..71af6b8
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: John Keeping <john@metanate.com>
+Date: Tue, 17 Jul 2018 11:48:16 +0100
+Subject: dmaengine: pl330: fix irq race with terminate_all
+
+From: John Keeping <john@metanate.com>
+
+[ Upstream commit e49756544a21f5625b379b3871d27d8500764670 ]
+
+In pl330_update() when checking if a channel has been aborted, the
+channel's lock is not taken, only the overall pl330_dmac lock.  But in
+pl330_terminate_all() the aborted flag (req_running==-1) is set under
+the channel lock and not the pl330_dmac lock.
+
+With threaded interrupts, this leads to a potential race:
+
+    pl330_terminate_all                pl330_update
+    -------------------         ------------
+    lock channel
+                                entry
+    lock pl330
+    _stop channel
+    unlock pl330
+                                lock pl330
+                                check req_running != -1
+    req_running = -1
+                                _start channel
+
+Signed-off-by: John Keeping <john@metanate.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/pl330.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/dma/pl330.c
++++ b/drivers/dma/pl330.c
+@@ -2167,13 +2167,14 @@ static int pl330_terminate_all(struct dm
+       pm_runtime_get_sync(pl330->ddma.dev);
+       spin_lock_irqsave(&pch->lock, flags);
++
+       spin_lock(&pl330->lock);
+       _stop(pch->thread);
+-      spin_unlock(&pl330->lock);
+-
+       pch->thread->req[0].desc = NULL;
+       pch->thread->req[1].desc = NULL;
+       pch->thread->req_running = -1;
++      spin_unlock(&pl330->lock);
++
+       power_down = pch->active;
+       pch->active = false;
diff --git a/queue-4.9/drivers-base-stop-new-probing-during-shutdown.patch b/queue-4.9/drivers-base-stop-new-probing-during-shutdown.patch
new file mode 100644 (file)
index 0000000..101bf0e
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Pingfan Liu <kernelfans@gmail.com>
+Date: Thu, 19 Jul 2018 13:14:58 +0800
+Subject: drivers/base: stop new probing during shutdown
+
+From: Pingfan Liu <kernelfans@gmail.com>
+
+[ Upstream commit 3297c8fc65af5d40501ea7cddff1b195cae57e4e ]
+
+There is a race window in device_shutdown(), which may cause
+-1. parent device shut down before child or
+-2. no shutdown on a new probing device.
+
+For 1st, taking the following scenario:
+         device_shutdown                        new plugin device
+  list_del_init(parent_dev);
+  spin_unlock(list_lock);
+                                                  device_add(child)
+                                                  probe child
+  shutdown parent_dev
+       --> now child is on the tail of devices_kset
+
+For 2nd, taking the following scenario:
+         device_shutdown                        new plugin device
+                                                  device_add(dev)
+  device_lock(dev);
+  ...
+  device_unlock(dev);
+                                                  probe dev
+       --> now, the new occurred dev has no opportunity to shutdown
+
+To fix this race issue, just prevent the new probing request. With this
+logic, device_shutdown() is more similar to dpm_prepare().
+
+Signed-off-by: Pingfan Liu <kernelfans@gmail.com>
+Reviewed-by: Rafael J. Wysocki <rafael@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/core.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -2072,6 +2072,9 @@ void device_shutdown(void)
+ {
+       struct device *dev, *parent;
++      wait_for_device_probe();
++      device_block_probing();
++
+       spin_lock(&devices_kset->list_lock);
+       /*
+        * Walk the devices list backward, shutting down each in turn.
diff --git a/queue-4.9/efi-arm-preserve-early-mapping-of-uefi-memory-map-longer-for-bgrt.patch b/queue-4.9/efi-arm-preserve-early-mapping-of-uefi-memory-map-longer-for-bgrt.patch
new file mode 100644 (file)
index 0000000..0eff1a8
--- /dev/null
@@ -0,0 +1,58 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Mon, 23 Jul 2018 10:57:30 +0900
+Subject: efi/arm: preserve early mapping of UEFI memory map longer for BGRT
+
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+
+[ Upstream commit 3ea86495aef2f6de26b7cb1599ba350dd6a0c521 ]
+
+The BGRT code validates the contents of the table against the UEFI
+memory map, and so it expects it to be mapped when the code runs.
+
+On ARM, this is currently not the case, since we tear down the early
+mapping after efi_init() completes, and only create the permanent
+mapping in arm_enable_runtime_services(), which executes as an early
+initcall, but still leaves a window where the UEFI memory map is not
+mapped.
+
+So move the call to efi_memmap_unmap() from efi_init() to
+arm_enable_runtime_services().
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+[will: fold in EFI_MEMMAP attribute check from Ard]
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/efi/arm-init.c    |    1 -
+ drivers/firmware/efi/arm-runtime.c |    4 +++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/firmware/efi/arm-init.c
++++ b/drivers/firmware/efi/arm-init.c
+@@ -250,7 +250,6 @@ void __init efi_init(void)
+       reserve_regions();
+       efi_memattr_init();
+       efi_esrt_init();
+-      efi_memmap_unmap();
+       memblock_reserve(params.mmap & PAGE_MASK,
+                        PAGE_ALIGN(params.mmap_size +
+--- a/drivers/firmware/efi/arm-runtime.c
++++ b/drivers/firmware/efi/arm-runtime.c
+@@ -118,11 +118,13 @@ static int __init arm_enable_runtime_ser
+ {
+       u64 mapsize;
+-      if (!efi_enabled(EFI_BOOT)) {
++      if (!efi_enabled(EFI_BOOT) || !efi_enabled(EFI_MEMMAP)) {
+               pr_info("EFI services will not be available.\n");
+               return 0;
+       }
++      efi_memmap_unmap();
++
+       if (efi_runtime_disabled()) {
+               pr_info("EFI runtime services will be disabled.\n");
+               return 0;
diff --git a/queue-4.9/fbdev-distinguish-between-interlaced-and-progressive-modes.patch b/queue-4.9/fbdev-distinguish-between-interlaced-and-progressive-modes.patch
new file mode 100644 (file)
index 0000000..e39af18
--- /dev/null
@@ -0,0 +1,123 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Fredrik Noring <noring@nocrew.org>
+Date: Tue, 24 Jul 2018 19:11:24 +0200
+Subject: fbdev: Distinguish between interlaced and progressive modes
+
+From: Fredrik Noring <noring@nocrew.org>
+
+[ Upstream commit 1ba0a59cea41ea05fda92daaf2a2958a2246b9cf ]
+
+I discovered the problem when developing a frame buffer driver for the
+PlayStation 2 (not yet merged), using the following video modes for the
+PlayStation 3 in drivers/video/fbdev/ps3fb.c:
+
+    }, {
+        /* 1080if */
+        "1080if", 50, 1920, 1080, 13468, 148, 484, 36, 4, 88, 5,
+        FB_SYNC_BROADCAST, FB_VMODE_INTERLACED
+    }, {
+        /* 1080pf */
+        "1080pf", 50, 1920, 1080, 6734, 148, 484, 36, 4, 88, 5,
+        FB_SYNC_BROADCAST, FB_VMODE_NONINTERLACED
+    },
+
+In ps3fb_probe, the mode_option module parameter is used with fb_find_mode
+but it can only select the interlaced variant of 1920x1080 since the loop
+matching the modes does not take the difference between interlaced and
+progressive modes into account.
+
+In short, without the patch, progressive 1920x1080 cannot be chosen as a
+mode_option parameter since fb_find_mode (falsely) thinks interlace is a
+perfect match.
+
+Signed-off-by: Fredrik Noring <noring@nocrew.org>
+Cc: "Maciej W. Rozycki" <macro@linux-mips.org>
+[b.zolnierkie: updated patch description]
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/core/modedb.c |   41 +++++++++++++++++++++++++++-----------
+ 1 file changed, 30 insertions(+), 11 deletions(-)
+
+--- a/drivers/video/fbdev/core/modedb.c
++++ b/drivers/video/fbdev/core/modedb.c
+@@ -644,7 +644,7 @@ static int fb_try_mode(struct fb_var_scr
+  *
+  *     Valid mode specifiers for @mode_option:
+  *
+- *     <xres>x<yres>[M][R][-<bpp>][@<refresh>][i][m] or
++ *     <xres>x<yres>[M][R][-<bpp>][@<refresh>][i][p][m] or
+  *     <name>[-<bpp>][@<refresh>]
+  *
+  *     with <xres>, <yres>, <bpp> and <refresh> decimal numbers and
+@@ -653,10 +653,10 @@ static int fb_try_mode(struct fb_var_scr
+  *      If 'M' is present after yres (and before refresh/bpp if present),
+  *      the function will compute the timings using VESA(tm) Coordinated
+  *      Video Timings (CVT).  If 'R' is present after 'M', will compute with
+- *      reduced blanking (for flatpanels).  If 'i' is present, compute
+- *      interlaced mode.  If 'm' is present, add margins equal to 1.8%
+- *      of xres rounded down to 8 pixels, and 1.8% of yres. The char
+- *      'i' and 'm' must be after 'M' and 'R'. Example:
++ *      reduced blanking (for flatpanels).  If 'i' or 'p' are present, compute
++ *      interlaced or progressive mode.  If 'm' is present, add margins equal
++ *      to 1.8% of xres rounded down to 8 pixels, and 1.8% of yres. The chars
++ *      'i', 'p' and 'm' must be after 'M' and 'R'. Example:
+  *
+  *      1024x768MR-8@60m - Reduced blank with margins at 60Hz.
+  *
+@@ -697,7 +697,8 @@ int fb_find_mode(struct fb_var_screeninf
+               unsigned int namelen = strlen(name);
+               int res_specified = 0, bpp_specified = 0, refresh_specified = 0;
+               unsigned int xres = 0, yres = 0, bpp = default_bpp, refresh = 0;
+-              int yres_specified = 0, cvt = 0, rb = 0, interlace = 0;
++              int yres_specified = 0, cvt = 0, rb = 0;
++              int interlace_specified = 0, interlace = 0;
+               int margins = 0;
+               u32 best, diff, tdiff;
+@@ -748,9 +749,17 @@ int fb_find_mode(struct fb_var_screeninf
+                               if (!cvt)
+                                       margins = 1;
+                               break;
++                      case 'p':
++                              if (!cvt) {
++                                      interlace = 0;
++                                      interlace_specified = 1;
++                              }
++                              break;
+                       case 'i':
+-                              if (!cvt)
++                              if (!cvt) {
+                                       interlace = 1;
++                                      interlace_specified = 1;
++                              }
+                               break;
+                       default:
+                               goto done;
+@@ -819,11 +828,21 @@ done:
+                       if ((name_matches(db[i], name, namelen) ||
+                            (res_specified && res_matches(db[i], xres, yres))) &&
+                           !fb_try_mode(var, info, &db[i], bpp)) {
+-                              if (refresh_specified && db[i].refresh == refresh)
+-                                      return 1;
++                              const int db_interlace = (db[i].vmode &
++                                      FB_VMODE_INTERLACED ? 1 : 0);
++                              int score = abs(db[i].refresh - refresh);
++
++                              if (interlace_specified)
++                                      score += abs(db_interlace - interlace);
++
++                              if (!interlace_specified ||
++                                  db_interlace == interlace)
++                                      if (refresh_specified &&
++                                          db[i].refresh == refresh)
++                                              return 1;
+-                              if (abs(db[i].refresh - refresh) < diff) {
+-                                      diff = abs(db[i].refresh - refresh);
++                              if (score < diff) {
++                                      diff = score;
+                                       best = i;
+                               }
+                       }
diff --git a/queue-4.9/fbdev-omapfb-off-by-one-in-omapfb_register_client.patch b/queue-4.9/fbdev-omapfb-off-by-one-in-omapfb_register_client.patch
new file mode 100644 (file)
index 0000000..af8dd6f
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 24 Jul 2018 19:11:28 +0200
+Subject: fbdev: omapfb: off by one in omapfb_register_client()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 5ec1ec35b2979b59d0b33381e7c9aac17e159d16 ]
+
+The omapfb_register_client[] array has OMAPFB_PLANE_NUM elements so the
+> should be >= or we are one element beyond the end of the array.
+
+Fixes: 8b08cf2b64f5 ("OMAP: add TI OMAP framebuffer driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Imre Deak <imre.deak@solidboot.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/omap/omapfb_main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/omap/omapfb_main.c
++++ b/drivers/video/fbdev/omap/omapfb_main.c
+@@ -956,7 +956,7 @@ int omapfb_register_client(struct omapfb
+ {
+       int r;
+-      if ((unsigned)omapfb_nb->plane_idx > OMAPFB_PLANE_NUM)
++      if ((unsigned)omapfb_nb->plane_idx >= OMAPFB_PLANE_NUM)
+               return -EINVAL;
+       if (!notifier_inited) {
diff --git a/queue-4.9/fbdev-via-fix-defined-but-not-used-warning.patch b/queue-4.9/fbdev-via-fix-defined-but-not-used-warning.patch
new file mode 100644 (file)
index 0000000..d908298
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Tue, 24 Jul 2018 19:11:27 +0200
+Subject: fbdev/via: fix defined but not used warning
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit b6566b47a67e07fdca44cf51abb14e2fbe17d3eb ]
+
+Fix a build warning in viafbdev.c when CONFIG_PROC_FS is not enabled
+by marking the unused function as __maybe_unused.
+
+../drivers/video/fbdev/via/viafbdev.c:1471:12: warning: 'viafb_sup_odev_proc_show' defined but not used [-Wunused-function]
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/via/viafbdev.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/via/viafbdev.c
++++ b/drivers/video/fbdev/via/viafbdev.c
+@@ -19,6 +19,7 @@
+  * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+  */
++#include <linux/compiler.h>
+ #include <linux/module.h>
+ #include <linux/seq_file.h>
+ #include <linux/slab.h>
+@@ -1468,7 +1469,7 @@ static const struct file_operations viaf
+ #endif /* CONFIG_FB_VIA_DIRECT_PROCFS */
+-static int viafb_sup_odev_proc_show(struct seq_file *m, void *v)
++static int __maybe_unused viafb_sup_odev_proc_show(struct seq_file *m, void *v)
+ {
+       via_odev_to_seq(m, supported_odev_map[
+               viaparinfo->shared->chip_info.gfx_chip_name]);
diff --git a/queue-4.9/gfs2-don-t-reject-a-supposedly-full-bitmap-if-we-have-blocks-reserved.patch b/queue-4.9/gfs2-don-t-reject-a-supposedly-full-bitmap-if-we-have-blocks-reserved.patch
new file mode 100644 (file)
index 0000000..389c632
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Bob Peterson <rpeterso@redhat.com>
+Date: Mon, 18 Jun 2018 13:24:13 -0500
+Subject: gfs2: Don't reject a supposedly full bitmap if we have blocks reserved
+
+From: Bob Peterson <rpeterso@redhat.com>
+
+[ Upstream commit e79e0e1428188b24c3b57309ffa54a33c4ae40c4 ]
+
+Before this patch, you could get into situations like this:
+
+1. Process 1 searches for X free blocks, finds them, makes a reservation
+2. Process 2 searches for free blocks in the same rgrp, but now the
+   bitmap is full because process 1's reservation is skipped over.
+   So it marks the bitmap as GBF_FULL.
+3. Process 1 tries to allocate blocks from its own reservation, but
+   since the GBF_FULL bit is set, it skips over the rgrp and searches
+   elsewhere, thus not using its own reservation.
+
+This patch adds an additional check to allow processes to use their
+own reservations.
+
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/gfs2/rgrp.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/gfs2/rgrp.c
++++ b/fs/gfs2/rgrp.c
+@@ -1675,7 +1675,8 @@ static int gfs2_rbm_find(struct gfs2_rbm
+       while(1) {
+               bi = rbm_bi(rbm);
+-              if (test_bit(GBF_FULL, &bi->bi_flags) &&
++              if ((ip == NULL || !gfs2_rs_active(&ip->i_res)) &&
++                  test_bit(GBF_FULL, &bi->bi_flags) &&
+                   (state == GFS2_BLKST_FREE))
+                       goto next_bitmap;
diff --git a/queue-4.9/gfs2-special-case-rindex-for-gfs2_grow.patch b/queue-4.9/gfs2-special-case-rindex-for-gfs2_grow.patch
new file mode 100644 (file)
index 0000000..85283ea
--- /dev/null
@@ -0,0 +1,48 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Wed, 25 Jul 2018 18:45:08 +0100
+Subject: gfs2: Special-case rindex for gfs2_grow
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit 776125785a87ff05d49938bd5b9f336f2a05bff6 ]
+
+To speed up the common case of appending to a file,
+gfs2_write_alloc_required presumes that writing beyond the end of a file
+will always require additional blocks to be allocated.  This assumption
+is incorrect for preallocates files, but there are no negative
+consequences as long as *some* space is still left on the filesystem.
+
+One special file that always has some space preallocated beyond the end
+of the file is the rindex: when growing a filesystem, gfs2_grow adds one
+or more new resource groups and appends records describing those
+resource groups to the rindex; the preallocated space ensures that this
+is always possible.
+
+However, when a filesystem is completely full, gfs2_write_alloc_required
+will indicate that an additional allocation is required, and appending
+the next record to the rindex will fail even though space for that
+record has already been preallocated.  To fix that, skip the incorrect
+optimization in gfs2_write_alloc_required, but for the rindex only.
+Other writes to preallocated space beyond the end of the file are still
+allowed to fail on completely full filesystems.
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Reviewed-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/gfs2/bmap.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/gfs2/bmap.c
++++ b/fs/gfs2/bmap.c
+@@ -1472,7 +1472,7 @@ int gfs2_write_alloc_required(struct gfs
+       end_of_file = (i_size_read(&ip->i_inode) + sdp->sd_sb.sb_bsize - 1) >> shift;
+       lblock = offset >> shift;
+       lblock_stop = (offset + len + sdp->sd_sb.sb_bsize - 1) >> shift;
+-      if (lblock_stop > end_of_file)
++      if (lblock_stop > end_of_file && ip != GFS2_I(sdp->sd_rindex))
+               return 1;
+       size = (lblock_stop - lblock) << shift;
diff --git a/queue-4.9/ib-rxe-drop-qp0-silently.patch b/queue-4.9/ib-rxe-drop-qp0-silently.patch
new file mode 100644 (file)
index 0000000..34edc0a
--- /dev/null
@@ -0,0 +1,53 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Zhu Yanjun <yanjun.zhu@oracle.com>
+Date: Fri, 13 Jul 2018 03:10:20 -0400
+Subject: IB/rxe: Drop QP0 silently
+
+From: Zhu Yanjun <yanjun.zhu@oracle.com>
+
+[ Upstream commit 536ca245c512aedfd84cde072d7b3ca14b6e1792 ]
+
+According to "Annex A16: RDMA over Converged Ethernet (RoCE)":
+
+A16.4.3 MANAGEMENT INTERFACES
+
+As defined in the base specification, a special Queue Pair, QP0 is defined
+solely for communication between subnet manager(s) and subnet management
+agents. Since such an IB-defined subnet management architecture is outside
+the scope of this annex, it follows that there is also no requirement that
+a port which conforms to this annex be associated with a QP0. Thus, for
+end nodes designed to conform to this annex, the concept of QP0 is
+undefined and unused for any port connected to an Ethernet network.
+
+CA16-8: A packet arriving at a RoCE port containing a BTH with the
+destination QP field set to QP0 shall be silently dropped.
+
+Signed-off-by: Zhu Yanjun <yanjun.zhu@oracle.com>
+Acked-by: Moni Shoua <monis@mellanox.com>
+Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/sw/rxe/rxe_recv.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/sw/rxe/rxe_recv.c
++++ b/drivers/infiniband/sw/rxe/rxe_recv.c
+@@ -225,9 +225,14 @@ static int hdr_check(struct rxe_pkt_info
+               goto err1;
+       }
++      if (unlikely(qpn == 0)) {
++              pr_warn_once("QP 0 not supported");
++              goto err1;
++      }
++
+       if (qpn != IB_MULTICAST_QPN) {
+-              index = (qpn == 0) ? port->qp_smi_index :
+-                      ((qpn == 1) ? port->qp_gsi_index : qpn);
++              index = (qpn == 1) ? port->qp_gsi_index : qpn;
++
+               qp = rxe_pool_get_index(&rxe->qp_pool, index);
+               if (unlikely(!qp)) {
+                       pr_warn_ratelimited("no qp matches qpn 0x%x\n", qpn);
diff --git a/queue-4.9/iommu-arm-smmu-v3-sync-the-ovackflg-to-priq-consumer-register.patch b/queue-4.9/iommu-arm-smmu-v3-sync-the-ovackflg-to-priq-consumer-register.patch
new file mode 100644 (file)
index 0000000..83d953c
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Miao Zhong <zhongmiao@hisilicon.com>
+Date: Mon, 23 Jul 2018 20:56:58 +0800
+Subject: iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register
+
+From: Miao Zhong <zhongmiao@hisilicon.com>
+
+[ Upstream commit 0d535967ac658966c6ade8f82b5799092f7d5441 ]
+
+When PRI queue occurs overflow, driver should update the OVACKFLG to
+the PRIQ consumer register, otherwise subsequent PRI requests will not
+be processed.
+
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Miao Zhong <zhongmiao@hisilicon.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/arm-smmu-v3.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iommu/arm-smmu-v3.c
++++ b/drivers/iommu/arm-smmu-v3.c
+@@ -1233,6 +1233,7 @@ static irqreturn_t arm_smmu_priq_thread(
+       /* Sync our overflow flag, as we believe we're up to speed */
+       q->cons = Q_OVF(q, q->prod) | Q_WRP(q, q->cons) | Q_IDX(q, q->cons);
++      writel(q->cons, q->cons_reg);
+       return IRQ_HANDLED;
+ }
diff --git a/queue-4.9/kbuild-add-.delete_on_error-special-target.patch b/queue-4.9/kbuild-add-.delete_on_error-special-target.patch
new file mode 100644 (file)
index 0000000..aef0561
--- /dev/null
@@ -0,0 +1,64 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Fri, 20 Jul 2018 16:46:33 +0900
+Subject: kbuild: add .DELETE_ON_ERROR special target
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+[ Upstream commit 9c2af1c7377a8a6ef86e5cabf80978f3dbbb25c0 ]
+
+If Make gets a fatal signal while a shell is executing, it may delete
+the target file that the recipe was supposed to update.  This is needed
+to make sure that it is remade from scratch when Make is next run; if
+Make is interrupted after the recipe has begun to write the target file,
+it results in an incomplete file whose time stamp is newer than that
+of the prerequisites files.  Make automatically deletes the incomplete
+file on interrupt unless the target is marked .PRECIOUS.
+
+The situation is just the same as when the shell fails for some reasons.
+Usually when a recipe line fails, if it has changed the target file at
+all, the file is corrupted, or at least it is not completely updated.
+Yet the file’s time stamp says that it is now up to date, so the next
+time Make runs, it will not try to update that file.
+
+However, Make does not cater to delete the incomplete target file in
+this case.  We need to add .DELETE_ON_ERROR somewhere in the Makefile
+to request it.
+
+scripts/Kbuild.include seems a suitable place to add it because it is
+included from almost all sub-makes.
+
+Please note .DELETE_ON_ERROR is not effective for phony targets.
+
+The external module building should never ever touch the kernel tree.
+The following recipe fails if include/generated/autoconf.h is missing.
+However, include/config/auto.conf is not deleted since it is a phony
+target.
+
+ PHONY += include/config/auto.conf
+
+ include/config/auto.conf:
+         $(Q)test -e include/generated/autoconf.h -a -e $@ || (          \
+         echo >&2;                                                       \
+         echo >&2 "  ERROR: Kernel configuration is invalid.";           \
+         echo >&2 "         include/generated/autoconf.h or $@ are missing.";\
+         echo >&2 "         Run 'make oldconfig && make prepare' on kernel src to fix it."; \
+         echo >&2 ;                                                      \
+         /bin/false)
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/Kbuild.include |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/scripts/Kbuild.include
++++ b/scripts/Kbuild.include
+@@ -394,3 +394,6 @@ endif
+ endef
+ #
+ ###############################################################################
++
++# delete partially updated (i.e. corrupted) files on error
++.DELETE_ON_ERROR:
diff --git a/queue-4.9/kvm-arm-arm64-fix-vgic-init-race.patch b/queue-4.9/kvm-arm-arm64-fix-vgic-init-race.patch
new file mode 100644 (file)
index 0000000..d561c7b
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Christoffer Dall <christoffer.dall@arm.com>
+Date: Tue, 3 Jul 2018 22:54:14 +0200
+Subject: KVM: arm/arm64: Fix vgic init race
+
+From: Christoffer Dall <christoffer.dall@arm.com>
+
+[ Upstream commit 1d47191de7e15900f8fbfe7cccd7c6e1c2d7c31a ]
+
+The vgic_init function can race with kvm_arch_vcpu_create() which does
+not hold kvm_lock() and we therefore have no synchronization primitives
+to ensure we're doing the right thing.
+
+As the user is trying to initialize or run the VM while at the same time
+creating more VCPUs, we just have to refuse to initialize the VGIC in
+this case rather than silently failing with a broken VCPU.
+
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/arm/vgic/vgic-init.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/virt/kvm/arm/vgic/vgic-init.c
++++ b/virt/kvm/arm/vgic/vgic-init.c
+@@ -241,6 +241,10 @@ int vgic_init(struct kvm *kvm)
+       if (vgic_initialized(kvm))
+               return 0;
++      /* Are we also in the middle of creating a VCPU? */
++      if (kvm->created_vcpus != atomic_read(&kvm->online_vcpus))
++              return -EBUSY;
++
+       /* freeze the number of spis */
+       if (!dist->nr_spis)
+               dist->nr_spis = VGIC_NR_IRQS_LEGACY - VGIC_NR_PRIVATE_IRQS;
diff --git a/queue-4.9/mac80211-restrict-delayed-tailroom-needed-decrement.patch b/queue-4.9/mac80211-restrict-delayed-tailroom-needed-decrement.patch
new file mode 100644 (file)
index 0000000..239bac5
--- /dev/null
@@ -0,0 +1,138 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Manikanta Pubbisetty <mpubbise@codeaurora.org>
+Date: Tue, 10 Jul 2018 16:48:27 +0530
+Subject: mac80211: restrict delayed tailroom needed decrement
+
+From: Manikanta Pubbisetty <mpubbise@codeaurora.org>
+
+[ Upstream commit 133bf90dbb8b873286f8ec2e81ba26e863114b8c ]
+
+As explained in ieee80211_delayed_tailroom_dec(), during roam,
+keys of the old AP will be destroyed and new keys will be
+installed. Deletion of the old key causes
+crypto_tx_tailroom_needed_cnt to go from 1 to 0 and the new key
+installation causes a transition from 0 to 1.
+
+Whenever crypto_tx_tailroom_needed_cnt transitions from 0 to 1,
+we invoke synchronize_net(); the reason for doing this is to avoid
+a race in the TX path as explained in increment_tailroom_need_count().
+This synchronize_net() operation can be slow and can affect the station
+roam time. To avoid this, decrementing the crypto_tx_tailroom_needed_cnt
+is delayed for a while so that upon installation of new key the
+transition would be from 1 to 2 instead of 0 to 1 and thereby
+improving the roam time.
+
+This is all correct for a STA iftype, but deferring the tailroom_needed
+decrement for other iftypes may be unnecessary.
+
+For example, let's consider the case of a 4-addr client connecting to
+an AP for which AP_VLAN interface is also created, let the initial
+value for tailroom_needed on the AP be 1.
+
+* 4-addr client connects to the AP (AP: tailroom_needed = 1)
+* AP will clear old keys, delay decrement of tailroom_needed count
+* AP_VLAN is created, it takes the tailroom count from master
+  (AP_VLAN: tailroom_needed = 1, AP: tailroom_needed = 1)
+* Install new key for the station, assume key is plumbed in the HW,
+  there won't be any change in tailroom_needed count on AP iface
+* Delayed decrement of tailroom_needed count on AP
+  (AP: tailroom_needed = 0, AP_VLAN: tailroom_needed = 1)
+
+Because of the delayed decrement on AP iface, tailroom_needed count goes
+out of sync between AP(master iface) and AP_VLAN(slave iface) and
+there would be unnecessary tailroom created for the packets going
+through AP_VLAN iface.
+
+Also, WARN_ONs were observed while trying to bring down the AP_VLAN
+interface:
+(warn_slowpath_common) (warn_slowpath_null+0x18/0x20)
+(warn_slowpath_null) (ieee80211_free_keys+0x114/0x1e4)
+(ieee80211_free_keys) (ieee80211_del_virtual_monitor+0x51c/0x850)
+(ieee80211_del_virtual_monitor) (ieee80211_stop+0x30/0x3c)
+(ieee80211_stop) (__dev_close_many+0x94/0xb8)
+(__dev_close_many) (dev_close_many+0x5c/0xc8)
+
+Restricting delayed decrement to station interface alone fixes the problem
+and it makes sense to do so because delayed decrement is done to improve
+roam time which is applicable only for client devices.
+
+Signed-off-by: Manikanta Pubbisetty <mpubbise@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/cfg.c |    2 +-
+ net/mac80211/key.c |   24 +++++++++++++++---------
+ 2 files changed, 16 insertions(+), 10 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -454,7 +454,7 @@ static int ieee80211_del_key(struct wiph
+               goto out_unlock;
+       }
+-      ieee80211_key_free(key, true);
++      ieee80211_key_free(key, sdata->vif.type == NL80211_IFTYPE_STATION);
+       ret = 0;
+  out_unlock:
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -648,11 +648,15 @@ int ieee80211_key_link(struct ieee80211_
+ {
+       struct ieee80211_local *local = sdata->local;
+       struct ieee80211_key *old_key;
+-      int idx, ret;
+-      bool pairwise;
+-
+-      pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE;
+-      idx = key->conf.keyidx;
++      int idx = key->conf.keyidx;
++      bool pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE;
++      /*
++       * We want to delay tailroom updates only for station - in that
++       * case it helps roaming speed, but in other cases it hurts and
++       * can cause warnings to appear.
++       */
++      bool delay_tailroom = sdata->vif.type == NL80211_IFTYPE_STATION;
++      int ret;
+       mutex_lock(&sdata->local->key_mtx);
+@@ -680,14 +684,14 @@ int ieee80211_key_link(struct ieee80211_
+       increment_tailroom_need_count(sdata);
+       ieee80211_key_replace(sdata, sta, pairwise, old_key, key);
+-      ieee80211_key_destroy(old_key, true);
++      ieee80211_key_destroy(old_key, delay_tailroom);
+       ieee80211_debugfs_key_add(key);
+       if (!local->wowlan) {
+               ret = ieee80211_key_enable_hw_accel(key);
+               if (ret)
+-                      ieee80211_key_free(key, true);
++                      ieee80211_key_free(key, delay_tailroom);
+       } else {
+               ret = 0;
+       }
+@@ -922,7 +926,8 @@ void ieee80211_free_sta_keys(struct ieee
+               ieee80211_key_replace(key->sdata, key->sta,
+                               key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE,
+                               key, NULL);
+-              __ieee80211_key_destroy(key, true);
++              __ieee80211_key_destroy(key, key->sdata->vif.type ==
++                                      NL80211_IFTYPE_STATION);
+       }
+       for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
+@@ -932,7 +937,8 @@ void ieee80211_free_sta_keys(struct ieee
+               ieee80211_key_replace(key->sdata, key->sta,
+                               key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE,
+                               key, NULL);
+-              __ieee80211_key_destroy(key, true);
++              __ieee80211_key_destroy(key, key->sdata->vif.type ==
++                                      NL80211_IFTYPE_STATION);
+       }
+       mutex_unlock(&local->key_mtx);
diff --git a/queue-4.9/media-tw686x-fix-oops-on-buffer-alloc-failure.patch b/queue-4.9/media-tw686x-fix-oops-on-buffer-alloc-failure.patch
new file mode 100644 (file)
index 0000000..f1e9898
--- /dev/null
@@ -0,0 +1,53 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Krzysztof Ha?asa <khalasa@piap.pl>
+Date: Thu, 28 Jun 2018 17:45:07 -0400
+Subject: media: tw686x: Fix oops on buffer alloc failure
+
+From: Krzysztof Ha?asa <khalasa@piap.pl>
+
+[ Upstream commit 5a1a2f63d840dc2631505b607e11ff65ac1b7d3c ]
+
+The error path currently calls tw686x_video_free() which requires
+vc->dev to be initialized, causing a NULL dereference on uninitizalized
+channels.
+
+Fix this by setting the vc->dev fields for all the channels first.
+
+Fixes: f8afaa8dbc0d ("[media] tw686x: Introduce an interface to support multiple DMA modes")
+
+Signed-off-by: Krzysztof Ha?asa <khalasa@piap.pl>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/pci/tw686x/tw686x-video.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/pci/tw686x/tw686x-video.c
++++ b/drivers/media/pci/tw686x/tw686x-video.c
+@@ -1190,6 +1190,14 @@ int tw686x_video_init(struct tw686x_dev
+                       return err;
+       }
++      /* Initialize vc->dev and vc->ch for the error path */
++      for (ch = 0; ch < max_channels(dev); ch++) {
++              struct tw686x_video_channel *vc = &dev->video_channels[ch];
++
++              vc->dev = dev;
++              vc->ch = ch;
++      }
++
+       for (ch = 0; ch < max_channels(dev); ch++) {
+               struct tw686x_video_channel *vc = &dev->video_channels[ch];
+               struct video_device *vdev;
+@@ -1198,9 +1206,6 @@ int tw686x_video_init(struct tw686x_dev
+               spin_lock_init(&vc->qlock);
+               INIT_LIST_HEAD(&vc->vidq_queued);
+-              vc->dev = dev;
+-              vc->ch = ch;
+-
+               /* default settings */
+               err = tw686x_set_standard(vc, V4L2_STD_NTSC);
+               if (err)
diff --git a/queue-4.9/media-videobuf2-core-check-for-q-error-in-vb2_core_qbuf.patch b/queue-4.9/media-videobuf2-core-check-for-q-error-in-vb2_core_qbuf.patch
new file mode 100644 (file)
index 0000000..b0561d6
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Thu, 5 Jul 2018 04:25:19 -0400
+Subject: media: videobuf2-core: check for q->error in vb2_core_qbuf()
+
+From: Hans Verkuil <hverkuil@xs4all.nl>
+
+[ Upstream commit b509d733d337417bcb7fa4a35be3b9a49332b724 ]
+
+The vb2_core_qbuf() function didn't check if q->error was set. It is
+checked in __buf_prepare(), but that function isn't called if the buffer
+was already prepared before with VIDIOC_PREPARE_BUF.
+
+So check it at the start of vb2_core_qbuf() as well.
+
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/v4l2-core/videobuf2-core.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/media/v4l2-core/videobuf2-core.c
++++ b/drivers/media/v4l2-core/videobuf2-core.c
+@@ -1375,6 +1375,11 @@ int vb2_core_qbuf(struct vb2_queue *q, u
+       struct vb2_buffer *vb;
+       int ret;
++      if (q->error) {
++              dprintk(1, "fatal error occurred on queue\n");
++              return -EIO;
++      }
++
+       vb = q->bufs[index];
+       switch (vb->state) {
diff --git a/queue-4.9/mips-ath79-fix-system-restart.patch b/queue-4.9/mips-ath79-fix-system-restart.patch
new file mode 100644 (file)
index 0000000..6b6c0d5
--- /dev/null
@@ -0,0 +1,46 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Felix Fietkau <nbd@nbd.name>
+Date: Fri, 20 Jul 2018 13:58:22 +0200
+Subject: MIPS: ath79: fix system restart
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit f8a7bfe1cb2c1ebfa07775c9c8ac0ad3ba8e5ff5 ]
+
+This patch disables irq on reboot to fix hang issues that were observed
+due to pending interrupts.
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: John Crispin <john@phrozen.org>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/19913/
+Cc: James Hogan <jhogan@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/ath79/setup.c                  |    1 +
+ arch/mips/include/asm/mach-ath79/ath79.h |    1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/arch/mips/ath79/setup.c
++++ b/arch/mips/ath79/setup.c
+@@ -40,6 +40,7 @@ static char ath79_sys_type[ATH79_SYS_TYP
+ static void ath79_restart(char *command)
+ {
++      local_irq_disable();
+       ath79_device_reset_set(AR71XX_RESET_FULL_CHIP);
+       for (;;)
+               if (cpu_wait)
+--- a/arch/mips/include/asm/mach-ath79/ath79.h
++++ b/arch/mips/include/asm/mach-ath79/ath79.h
+@@ -134,6 +134,7 @@ static inline u32 ath79_pll_rr(unsigned
+ static inline void ath79_reset_wr(unsigned reg, u32 val)
+ {
+       __raw_writel(val, ath79_reset_base + reg);
++      (void) __raw_readl(ath79_reset_base + reg); /* flush */
+ }
+ static inline u32 ath79_reset_rr(unsigned reg)
diff --git a/queue-4.9/mips-jz4740-bump-zload-address.patch b/queue-4.9/mips-jz4740-bump-zload-address.patch
new file mode 100644 (file)
index 0000000..497fc82
--- /dev/null
@@ -0,0 +1,44 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Paul Cercueil <paul@crapouillou.net>
+Date: Sun, 8 Jul 2018 17:07:12 +0200
+Subject: MIPS: jz4740: Bump zload address
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+[ Upstream commit c6ea7e9747318e5a6774995f4f8e3e0f7c0fa8ba ]
+
+Having the zload address at 0x8060.0000 means the size of the
+uncompressed kernel cannot be bigger than around 6 MiB, as it is
+deflated at address 0x8001.0000.
+
+This limit is too small; a kernel with some built-in drivers and things
+like debugfs enabled will already be over 6 MiB in size, and so will
+fail to extract properly.
+
+To fix this, we bump the zload address from 0x8060.0000 to 0x8100.0000.
+
+This is fine, as all the boards featuring Ingenic JZ SoCs have at least
+32 MiB of RAM, and use u-boot or compatible bootloaders which won't
+hardcode the load address but read it from the uImage's header.
+
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/19787/
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/jz4740/Platform |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/jz4740/Platform
++++ b/arch/mips/jz4740/Platform
+@@ -1,4 +1,4 @@
+ platform-$(CONFIG_MACH_INGENIC)       += jz4740/
+ cflags-$(CONFIG_MACH_INGENIC) += -I$(srctree)/arch/mips/include/asm/mach-jz4740
+ load-$(CONFIG_MACH_INGENIC)   += 0xffffffff80010000
+-zload-$(CONFIG_MACH_INGENIC)  += 0xffffffff80600000
++zload-$(CONFIG_MACH_INGENIC)  += 0xffffffff81000000
diff --git a/queue-4.9/mtd-maps-fix-solutionengine.c-printk-format-warnings.patch b/queue-4.9/mtd-maps-fix-solutionengine.c-printk-format-warnings.patch
new file mode 100644 (file)
index 0000000..5aaffe8
--- /dev/null
@@ -0,0 +1,60 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Tue, 24 Jul 2018 11:29:01 -0700
+Subject: mtd/maps: fix solutionengine.c printk format warnings
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 1d25e3eeed1d987404e2d2e451eebac8c15cecc1 ]
+
+Fix 2 printk format warnings (this driver is currently only used by
+arch/sh/) by using "%pap" instead of "%lx".
+
+Fixes these build warnings:
+
+../drivers/mtd/maps/solutionengine.c: In function 'init_soleng_maps':
+../include/linux/kern_levels.h:5:18: warning: format '%lx' expects argument of type 'long unsigned int', but argument 2 has type 'resource_size_t' {aka 'unsigned int'} [-Wformat=]
+../drivers/mtd/maps/solutionengine.c:62:54: note: format string is defined here
+  printk(KERN_NOTICE "Solution Engine: Flash at 0x%08lx, EPROM at 0x%08lx\n",
+                                                  ~~~~^
+                                                  %08x
+../include/linux/kern_levels.h:5:18: warning: format '%lx' expects argument of type 'long unsigned int', but argument 3 has type 'resource_size_t' {aka 'unsigned int'} [-Wformat=]
+../drivers/mtd/maps/solutionengine.c:62:72: note: format string is defined here
+  printk(KERN_NOTICE "Solution Engine: Flash at 0x%08lx, EPROM at 0x%08lx\n",
+                                                                    ~~~~^
+                                                                    %08x
+
+Cc: David Woodhouse <dwmw2@infradead.org>
+Cc: Brian Norris <computersforpeace@gmail.com>
+Cc: Boris Brezillon <boris.brezillon@bootlin.com>
+Cc: Marek Vasut <marek.vasut@gmail.com>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: linux-mtd@lists.infradead.org
+Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
+Cc: Rich Felker <dalias@libc.org>
+Cc: linux-sh@vger.kernel.org
+Cc: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/maps/solutionengine.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/maps/solutionengine.c
++++ b/drivers/mtd/maps/solutionengine.c
+@@ -59,9 +59,9 @@ static int __init init_soleng_maps(void)
+                       return -ENXIO;
+               }
+       }
+-      printk(KERN_NOTICE "Solution Engine: Flash at 0x%08lx, EPROM at 0x%08lx\n",
+-             soleng_flash_map.phys & 0x1fffffff,
+-             soleng_eprom_map.phys & 0x1fffffff);
++      printk(KERN_NOTICE "Solution Engine: Flash at 0x%pap, EPROM at 0x%pap\n",
++             &soleng_flash_map.phys,
++             &soleng_eprom_map.phys);
+       flash_mtd->owner = THIS_MODULE;
+       eprom_mtd = do_map_probe("map_rom", &soleng_eprom_map);
diff --git a/queue-4.9/nfp-avoid-buffer-leak-when-fw-communication-fails.patch b/queue-4.9/nfp-avoid-buffer-leak-when-fw-communication-fails.patch
new file mode 100644 (file)
index 0000000..76d7133
--- /dev/null
@@ -0,0 +1,79 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+Date: Fri, 20 Jul 2018 21:14:39 -0700
+Subject: nfp: avoid buffer leak when FW communication fails
+
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+
+[ Upstream commit 07300f774fec9519663a597987a4083225588be4 ]
+
+After device is stopped we reset the rings by moving all free buffers
+to positions [0, cnt - 2], and clear the position cnt - 1 in the ring.
+We then proceed to clear the read/write pointers.  This means that if
+we try to reset the ring again the code will assume that the next to
+fill buffer is at position 0 and swap it with cnt - 1.  Since we
+previously cleared position cnt - 1 it will lead to leaking the first
+buffer and leaving ring in a bad state.
+
+This scenario can only happen if FW communication fails, in which case
+the ring will never be used again, so the fact it's in a bad state will
+not be noticed.  Buffer leak is the only problem.  Don't try to move
+buffers in the ring if the read/write pointers indicate the ring was
+never used or have already been reset.
+
+nfp_net_clear_config_and_disable() is now fully idempotent.
+
+Found by code inspection, FW communication failures are very rare,
+and reconfiguring a live device is not common either, so it's unlikely
+anyone has ever noticed the leak.
+
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/nfp_net_common.c |   13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c
++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c
+@@ -990,7 +990,7 @@ static void nfp_net_tx_complete(struct n
+  * @nn:               NFP Net device
+  * @tx_ring:  TX ring structure
+  *
+- * Assumes that the device is stopped
++ * Assumes that the device is stopped, must be idempotent.
+  */
+ static void
+ nfp_net_tx_ring_reset(struct nfp_net *nn, struct nfp_net_tx_ring *tx_ring)
+@@ -1144,13 +1144,18 @@ static void nfp_net_rx_give_one(struct n
+  * nfp_net_rx_ring_reset() - Reflect in SW state of freelist after disable
+  * @rx_ring:  RX ring structure
+  *
+- * Warning: Do *not* call if ring buffers were never put on the FW freelist
+- *        (i.e. device was not enabled)!
++ * Assumes that the device is stopped, must be idempotent.
+  */
+ static void nfp_net_rx_ring_reset(struct nfp_net_rx_ring *rx_ring)
+ {
+       unsigned int wr_idx, last_idx;
++      /* wr_p == rd_p means ring was never fed FL bufs.  RX rings are always
++       * kept at cnt - 1 FL bufs.
++       */
++      if (rx_ring->wr_p == 0 && rx_ring->rd_p == 0)
++              return;
++
+       /* Move the empty entry to the end of the list */
+       wr_idx = rx_ring->wr_p % rx_ring->cnt;
+       last_idx = rx_ring->cnt - 1;
+@@ -1919,6 +1924,8 @@ static void nfp_net_vec_clear_ring_data(
+ /**
+  * nfp_net_clear_config_and_disable() - Clear control BAR and disable NFP
+  * @nn:      NFP Net device to reconfigure
++ *
++ * Warning: must be fully idempotent.
+  */
+ static void nfp_net_clear_config_and_disable(struct nfp_net *nn)
+ {
diff --git a/queue-4.9/perf-powerpc-fix-callchain-ip-filtering-when-return-address-is-in-a-register.patch b/queue-4.9/perf-powerpc-fix-callchain-ip-filtering-when-return-address-is-in-a-register.patch
new file mode 100644 (file)
index 0000000..54eea68
--- /dev/null
@@ -0,0 +1,113 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Sandipan Das <sandipan@linux.ibm.com>
+Date: Tue, 10 Jul 2018 19:28:14 +0530
+Subject: perf powerpc: Fix callchain ip filtering when return address is in a register
+
+From: Sandipan Das <sandipan@linux.ibm.com>
+
+[ Upstream commit 9068533e4f470daf2b0f29c71d865990acd8826e ]
+
+For powerpc64, perf will filter out the second entry in the callchain,
+i.e. the LR value, if the return address of the function corresponding
+to the probed location has already been saved on its caller's stack.
+
+The state of the return address is determined using debug information.
+At any point within a function, if the return address is already saved
+somewhere, a DWARF expression can tell us about its location. If the
+return address in still in LR only, no DWARF expression would exist.
+
+Typically, the instructions in a function's prologue first copy the LR
+value to R0 and then pushes R0 on to the stack. If LR has already been
+copied to R0 but R0 is yet to be pushed to the stack, we can still get a
+DWARF expression that says that the return address is in R0. This is
+indicating that getting a DWARF expression for the return address does
+not guarantee the fact that it has already been saved on the stack.
+
+This can be observed on a powerpc64le system running Fedora 27 as shown
+below.
+
+  # objdump -d /usr/lib64/libc-2.26.so | less
+  ...
+  000000000015af20 <inet_pton>:
+    15af20:       0b 00 4c 3c     addis   r2,r12,11
+    15af24:       e0 c1 42 38     addi    r2,r2,-15904
+    15af28:       a6 02 08 7c     mflr    r0
+    15af2c:       f0 ff c1 fb     std     r30,-16(r1)
+    15af30:       f8 ff e1 fb     std     r31,-8(r1)
+    15af34:       78 1b 7f 7c     mr      r31,r3
+    15af38:       78 23 83 7c     mr      r3,r4
+    15af3c:       78 2b be 7c     mr      r30,r5
+    15af40:       10 00 01 f8     std     r0,16(r1)
+    15af44:       c1 ff 21 f8     stdu    r1,-64(r1)
+    15af48:       28 00 81 f8     std     r4,40(r1)
+  ...
+
+  # readelf --debug-dump=frames-interp /usr/lib64/libc-2.26.so | less
+  ...
+  00027024 0000000000000024 00027028 FDE cie=00000000 pc=000000000015af20..000000000015af88
+     LOC           CFA      r30   r31   ra
+  000000000015af20 r1+0     u     u     u
+  000000000015af34 r1+0     c-16  c-8   r0
+  000000000015af48 r1+64    c-16  c-8   c+16
+  000000000015af5c r1+0     c-16  c-8   c+16
+  000000000015af78 r1+0     u     u
+  ...
+
+  # perf probe -x /usr/lib64/libc-2.26.so -a inet_pton+0x18
+  # perf record -e probe_libc:inet_pton -g ping -6 -c 1 ::1
+  # perf script
+
+Before:
+
+  ping  2829 [005] 512917.460174: probe_libc:inet_pton: (7fff7e2baf38)
+              7fff7e2baf38 __GI___inet_pton+0x18 (/usr/lib64/libc-2.26.so)
+              7fff7e2705b4 getaddrinfo+0x164 (/usr/lib64/libc-2.26.so)
+                 12f152d70 _init+0xbfc (/usr/bin/ping)
+              7fff7e1836a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so)
+              7fff7e183898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so)
+                         0 [unknown] ([unknown])
+
+After:
+
+  ping  2829 [005] 512917.460174: probe_libc:inet_pton: (7fff7e2baf38)
+              7fff7e2baf38 __GI___inet_pton+0x18 (/usr/lib64/libc-2.26.so)
+              7fff7e26fa54 gaih_inet.constprop.7+0xf44 (/usr/lib64/libc-2.26.so)
+              7fff7e2705b4 getaddrinfo+0x164 (/usr/lib64/libc-2.26.so)
+                 12f152d70 _init+0xbfc (/usr/bin/ping)
+              7fff7e1836a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so)
+              7fff7e183898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so)
+                         0 [unknown] ([unknown])
+
+Reported-by: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Signed-off-by: Sandipan Das <sandipan@linux.ibm.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Maynard Johnson <maynard@us.ibm.com>
+Cc: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Cc: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
+Cc: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
+Link: http://lkml.kernel.org/r/66e848a7bdf2d43b39210a705ff6d828a0865661.1530724939.git.sandipan@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/arch/powerpc/util/skip-callchain-idx.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/tools/perf/arch/powerpc/util/skip-callchain-idx.c
++++ b/tools/perf/arch/powerpc/util/skip-callchain-idx.c
+@@ -58,9 +58,13 @@ static int check_return_reg(int ra_regno
+       }
+       /*
+-       * Check if return address is on the stack.
++       * Check if return address is on the stack. If return address
++       * is in a register (typically R0), it is yet to be saved on
++       * the stack.
+        */
+-      if (nops != 0 || ops != NULL)
++      if ((nops != 0 || ops != NULL) &&
++              !(nops == 1 && ops[0].atom == DW_OP_regx &&
++                      ops[0].number2 == 0 && ops[0].offset == 0))
+               return 0;
+       /*
diff --git a/queue-4.9/perf-powerpc-fix-callchain-ip-filtering.patch b/queue-4.9/perf-powerpc-fix-callchain-ip-filtering.patch
new file mode 100644 (file)
index 0000000..4d40253
--- /dev/null
@@ -0,0 +1,180 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Sandipan Das <sandipan@linux.ibm.com>
+Date: Tue, 10 Jul 2018 19:28:13 +0530
+Subject: perf powerpc: Fix callchain ip filtering
+
+From: Sandipan Das <sandipan@linux.ibm.com>
+
+[ Upstream commit c715fcfda5a08edabaa15508742be926b7ee51db ]
+
+For powerpc64, redundant entries in the callchain are filtered out by
+determining the state of the return address and the stack frame using
+DWARF debug information.
+
+For making these filtering decisions we must analyze the debug
+information for the location corresponding to the program counter value,
+i.e. the first entry in the callchain, and not the LR value; otherwise,
+perf may filter out either the second or the third entry in the
+callchain incorrectly.
+
+This can be observed on a powerpc64le system running Fedora 27 as shown
+below.
+
+Case 1 - Attaching a probe at inet_pton+0x8 (binary offset 0x15af28).
+         Return address is still in LR and a new stack frame is not yet
+         allocated. The LR value, i.e. the second entry, should not be
+        filtered out.
+
+  # objdump -d /usr/lib64/libc-2.26.so | less
+  ...
+  000000000010eb10 <gaih_inet.constprop.7>:
+  ...
+    10fa48:       78 bb e4 7e     mr      r4,r23
+    10fa4c:       0a 00 60 38     li      r3,10
+    10fa50:       d9 b4 04 48     bl      15af28 <inet_pton+0x8>
+    10fa54:       00 00 00 60     nop
+    10fa58:       ac f4 ff 4b     b       10ef04 <gaih_inet.constprop.7+0x3f4>
+  ...
+  0000000000110450 <getaddrinfo>:
+  ...
+    1105a8:       54 00 ff 38     addi    r7,r31,84
+    1105ac:       58 00 df 38     addi    r6,r31,88
+    1105b0:       69 e5 ff 4b     bl      10eb18 <gaih_inet.constprop.7+0x8>
+    1105b4:       78 1b 71 7c     mr      r17,r3
+    1105b8:       50 01 7f e8     ld      r3,336(r31)
+  ...
+  000000000015af20 <inet_pton>:
+    15af20:       0b 00 4c 3c     addis   r2,r12,11
+    15af24:       e0 c1 42 38     addi    r2,r2,-15904
+    15af28:       a6 02 08 7c     mflr    r0
+    15af2c:       f0 ff c1 fb     std     r30,-16(r1)
+    15af30:       f8 ff e1 fb     std     r31,-8(r1)
+  ...
+
+  # perf probe -x /usr/lib64/libc-2.26.so -a inet_pton+0x8
+  # perf record -e probe_libc:inet_pton -g ping -6 -c 1 ::1
+  # perf script
+
+Before:
+
+  ping  4507 [002] 514985.546540: probe_libc:inet_pton: (7fffa7dbaf28)
+              7fffa7dbaf28 __GI___inet_pton+0x8 (/usr/lib64/libc-2.26.so)
+              7fffa7d705b4 getaddrinfo+0x164 (/usr/lib64/libc-2.26.so)
+                 13fb52d70 _init+0xbfc (/usr/bin/ping)
+              7fffa7c836a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so)
+              7fffa7c83898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so)
+                         0 [unknown] ([unknown])
+
+After:
+
+  ping  4507 [002] 514985.546540: probe_libc:inet_pton: (7fffa7dbaf28)
+              7fffa7dbaf28 __GI___inet_pton+0x8 (/usr/lib64/libc-2.26.so)
+              7fffa7d6fa54 gaih_inet.constprop.7+0xf44 (/usr/lib64/libc-2.26.so)
+              7fffa7d705b4 getaddrinfo+0x164 (/usr/lib64/libc-2.26.so)
+                 13fb52d70 _init+0xbfc (/usr/bin/ping)
+              7fffa7c836a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so)
+              7fffa7c83898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so)
+                         0 [unknown] ([unknown])
+
+Case 2 - Attaching a probe at _int_malloc+0x180 (binary offset 0x9cf10).
+         Return address in still in LR and a new stack frame has already
+         been allocated but not used. The caller's caller, i.e. the third
+        entry, is invalid and should be filtered out and not the second
+        one.
+
+  # objdump -d /usr/lib64/libc-2.26.so | less
+  ...
+  000000000009cd90 <_int_malloc>:
+     9cd90:       17 00 4c 3c     addis   r2,r12,23
+     9cd94:       70 a3 42 38     addi    r2,r2,-23696
+     9cd98:       26 00 80 7d     mfcr    r12
+     9cd9c:       f8 ff e1 fb     std     r31,-8(r1)
+     9cda0:       17 00 e4 3b     addi    r31,r4,23
+     9cda4:       d8 ff 61 fb     std     r27,-40(r1)
+     9cda8:       78 23 9b 7c     mr      r27,r4
+     9cdac:       1f 00 bf 2b     cmpldi  cr7,r31,31
+     9cdb0:       f0 ff c1 fb     std     r30,-16(r1)
+     9cdb4:       b0 ff c1 fa     std     r22,-80(r1)
+     9cdb8:       78 1b 7e 7c     mr      r30,r3
+     9cdbc:       08 00 81 91     stw     r12,8(r1)
+     9cdc0:       11 ff 21 f8     stdu    r1,-240(r1)
+     9cdc4:       4c 01 9d 41     bgt     cr7,9cf10 <_int_malloc+0x180>
+     9cdc8:       20 00 a4 2b     cmpldi  cr7,r4,32
+  ...
+     9cf08:       00 00 00 60     nop
+     9cf0c:       00 00 42 60     ori     r2,r2,0
+     9cf10:       e4 06 ff 7b     rldicr  r31,r31,0,59
+     9cf14:       40 f8 a4 7f     cmpld   cr7,r4,r31
+     9cf18:       68 05 9d 41     bgt     cr7,9d480 <_int_malloc+0x6f0>
+  ...
+  000000000009e3c0 <tcache_init.part.4>:
+  ...
+     9e420:       40 02 80 38     li      r4,576
+     9e424:       78 fb e3 7f     mr      r3,r31
+     9e428:       71 e9 ff 4b     bl      9cd98 <_int_malloc+0x8>
+     9e42c:       00 00 a3 2f     cmpdi   cr7,r3,0
+     9e430:       78 1b 7e 7c     mr      r30,r3
+  ...
+  000000000009f7a0 <__libc_malloc>:
+  ...
+     9f8f8:       00 00 89 2f     cmpwi   cr7,r9,0
+     9f8fc:       1c ff 9e 40     bne     cr7,9f818 <__libc_malloc+0x78>
+     9f900:       c9 ea ff 4b     bl      9e3c8 <tcache_init.part.4+0x8>
+     9f904:       00 00 00 60     nop
+     9f908:       e8 90 22 e9     ld      r9,-28440(r2)
+  ...
+
+  # perf probe -x /usr/lib64/libc-2.26.so -a _int_malloc+0x180
+  # perf record -e probe_libc:_int_malloc -g ./test-malloc
+  # perf script
+
+Before:
+
+  test-malloc  6554 [009] 515975.797403: probe_libc:_int_malloc: (7fffa6e6cf10)
+              7fffa6e6cf10 _int_malloc+0x180 (/usr/lib64/libc-2.26.so)
+              7fffa6dd0000 [unknown] (/usr/lib64/libc-2.26.so)
+              7fffa6e6f904 malloc+0x164 (/usr/lib64/libc-2.26.so)
+              7fffa6e6f9fc malloc+0x25c (/usr/lib64/libc-2.26.so)
+                  100006b4 main+0x38 (/home/testuser/test-malloc)
+              7fffa6df36a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so)
+              7fffa6df3898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so)
+                         0 [unknown] ([unknown])
+
+After:
+
+  test-malloc  6554 [009] 515975.797403: probe_libc:_int_malloc: (7fffa6e6cf10)
+              7fffa6e6cf10 _int_malloc+0x180 (/usr/lib64/libc-2.26.so)
+              7fffa6e6e42c tcache_init.part.4+0x6c (/usr/lib64/libc-2.26.so)
+              7fffa6e6f904 malloc+0x164 (/usr/lib64/libc-2.26.so)
+              7fffa6e6f9fc malloc+0x25c (/usr/lib64/libc-2.26.so)
+                  100006b4 main+0x38 (/home/sandipan/test-malloc)
+              7fffa6df36a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so)
+              7fffa6df3898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so)
+                         0 [unknown] ([unknown])
+
+Signed-off-by: Sandipan Das <sandipan@linux.ibm.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Maynard Johnson <maynard@us.ibm.com>
+Cc: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Cc: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
+Cc: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
+Fixes: a60335ba3298 ("perf tools powerpc: Adjust callchain based on DWARF debug info")
+Link: http://lkml.kernel.org/r/24bb726d91ed173aebc972ec3f41a2ef2249434e.1530724939.git.sandipan@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/arch/powerpc/util/skip-callchain-idx.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/arch/powerpc/util/skip-callchain-idx.c
++++ b/tools/perf/arch/powerpc/util/skip-callchain-idx.c
+@@ -250,7 +250,7 @@ int arch_skip_callchain_idx(struct threa
+       if (!chain || chain->nr < 3)
+               return skip_slot;
+-      ip = chain->ips[2];
++      ip = chain->ips[1];
+       thread__find_addr_location(thread, PERF_RECORD_MISC_USER,
+                       MAP__FUNCTION, ip, &al);
diff --git a/queue-4.9/perf-test-fix-subtest-number-when-showing-results.patch b/queue-4.9/perf-test-fix-subtest-number-when-showing-results.patch
new file mode 100644 (file)
index 0000000..fd67549
--- /dev/null
@@ -0,0 +1,69 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Thomas Richter <tmricht@linux.ibm.com>
+Date: Tue, 24 Jul 2018 15:48:58 +0200
+Subject: perf test: Fix subtest number when showing results
+
+From: Thomas Richter <tmricht@linux.ibm.com>
+
+[ Upstream commit 9ef0112442bdddef5fb55adf20b3a5464b33de75 ]
+
+Perf test 40 for example has several subtests numbered 1-4 when
+displaying the start of the subtest. When the subtest results
+are displayed the subtests are numbered 0-3.
+
+Use this command to generate trace output:
+
+  [root@s35lp76 perf]# ./perf test -Fv 40 2>/tmp/bpf1
+
+Fix this by adjusting the subtest number when show the
+subtest result.
+
+Output before:
+
+  [root@s35lp76 perf]# egrep '(^40\.[0-4]| subtest [0-4]:)' /tmp/bpf1
+  40.1: Basic BPF filtering                                 :
+  BPF filter subtest 0: Ok
+  40.2: BPF pinning                                         :
+  BPF filter subtest 1: Ok
+  40.3: BPF prologue generation                             :
+  BPF filter subtest 2: Ok
+  40.4: BPF relocation checker                              :
+  BPF filter subtest 3: Ok
+  [root@s35lp76 perf]#
+
+Output after:
+
+  root@s35lp76 ~]# egrep '(^40\.[0-4]| subtest [0-4]:)' /tmp/bpf1
+  40.1: Basic BPF filtering                                 :
+  BPF filter subtest 1: Ok
+  40.2: BPF pinning                                         :
+  BPF filter subtest 2: Ok
+  40.3: BPF prologue generation                             :
+  BPF filter subtest 3: Ok
+  40.4: BPF relocation checker                              :
+  BPF filter subtest 4: Ok
+  [root@s35lp76 ~]#
+
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Link: http://lkml.kernel.org/r/20180724134858.100644-1-tmricht@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/tests/builtin-test.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/tests/builtin-test.c
++++ b/tools/perf/tests/builtin-test.c
+@@ -413,7 +413,7 @@ static int __cmd_test(int argc, const ch
+                       for (subi = 0; subi < subn; subi++) {
+                               pr_info("%2d.%1d: %-*s:", i, subi + 1, subw,
+                                       t->subtest.get_desc(subi));
+-                              err = test_and_print(t, skip, subi);
++                              err = test_and_print(t, skip, subi + 1);
+                               if (err != TEST_OK && t->subtest.skip_if_fail)
+                                       skip = true;
+                       }
diff --git a/queue-4.9/platform-x86-toshiba_acpi-fix-defined-but-not-used-build-warnings.patch b/queue-4.9/platform-x86-toshiba_acpi-fix-defined-but-not-used-build-warnings.patch
new file mode 100644 (file)
index 0000000..8d2a37a
--- /dev/null
@@ -0,0 +1,44 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Fri, 6 Jul 2018 20:53:09 -0700
+Subject: platform/x86: toshiba_acpi: Fix defined but not used build warnings
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit c2e2a618eb7104e18fdcf739d4d911563812a81c ]
+
+Fix a build warning in toshiba_acpi.c when CONFIG_PROC_FS is not enabled
+by marking the unused function as __maybe_unused.
+
+../drivers/platform/x86/toshiba_acpi.c:1685:12: warning: 'version_proc_show' defined but not used [-Wunused-function]
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Azael Avalos <coproscefalo@gmail.com>
+Cc: platform-driver-x86@vger.kernel.org
+Cc: Andy Shevchenko <andy@infradead.org>
+Signed-off-by: Darren Hart (VMware) <dvhart@infradead.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/toshiba_acpi.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/toshiba_acpi.c
++++ b/drivers/platform/x86/toshiba_acpi.c
+@@ -34,6 +34,7 @@
+ #define TOSHIBA_ACPI_VERSION  "0.24"
+ #define PROC_INTERFACE_VERSION        1
++#include <linux/compiler.h>
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+ #include <linux/moduleparam.h>
+@@ -1687,7 +1688,7 @@ static const struct file_operations keys
+       .write          = keys_proc_write,
+ };
+-static int version_proc_show(struct seq_file *m, void *v)
++static int __maybe_unused version_proc_show(struct seq_file *m, void *v)
+ {
+       seq_printf(m, "driver:                  %s\n", TOSHIBA_ACPI_VERSION);
+       seq_printf(m, "proc_interface:          %d\n", PROC_INTERFACE_VERSION);
diff --git a/queue-4.9/powerpc-powernv-opal_put_chars-partial-write-fix.patch b/queue-4.9/powerpc-powernv-opal_put_chars-partial-write-fix.patch
new file mode 100644 (file)
index 0000000..3923519
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Tue, 1 May 2018 00:55:44 +1000
+Subject: powerpc/powernv: opal_put_chars partial write fix
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit bd90284cc6c1c9e8e48c8eadd0c79574fcce0b81 ]
+
+The intention here is to consume and discard the remaining buffer
+upon error. This works if there has not been a previous partial write.
+If there has been, then total_len is no longer total number of bytes
+to copy. total_len is always "bytes left to copy", so it should be
+added to written bytes.
+
+This code may not be exercised any more if partial writes will not be
+hit, but this is a small bugfix before a larger change.
+
+Reviewed-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/powernv/opal.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/powernv/opal.c
++++ b/arch/powerpc/platforms/powernv/opal.c
+@@ -369,7 +369,7 @@ int opal_put_chars(uint32_t vtermno, con
+               /* Closed or other error drop */
+               if (rc != OPAL_SUCCESS && rc != OPAL_BUSY &&
+                   rc != OPAL_BUSY_EVENT) {
+-                      written = total_len;
++                      written += total_len;
+                       break;
+               }
+               if (rc == OPAL_SUCCESS) {
diff --git a/queue-4.9/s390-qeth-fix-race-in-used-buffer-accounting.patch b/queue-4.9/s390-qeth-fix-race-in-used-buffer-accounting.patch
new file mode 100644 (file)
index 0000000..3aaf876
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Julian Wiedmann <jwi@linux.ibm.com>
+Date: Thu, 19 Jul 2018 12:43:48 +0200
+Subject: s390/qeth: fix race in used-buffer accounting
+
+From: Julian Wiedmann <jwi@linux.ibm.com>
+
+[ Upstream commit a702349a4099cd5a7bab0904689d8e0bf8dcd622 ]
+
+By updating q->used_buffers only _after_ do_QDIO() has completed, there
+is a potential race against the buffer's TX completion. In the unlikely
+case that the TX completion path wins, qeth_qdio_output_handler() would
+decrement the counter before qeth_flush_buffers() even incremented it.
+
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_core_main.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -3499,13 +3499,14 @@ static void qeth_flush_buffers(struct qe
+       qdio_flags = QDIO_FLAG_SYNC_OUTPUT;
+       if (atomic_read(&queue->set_pci_flags_count))
+               qdio_flags |= QDIO_FLAG_PCI_OUT;
++      atomic_add(count, &queue->used_buffers);
++
+       rc = do_QDIO(CARD_DDEV(queue->card), qdio_flags,
+                    queue->queue_no, index, count);
+       if (queue->card->options.performance_stats)
+               queue->card->perf_stats.outbound_do_qdio_time +=
+                       qeth_get_micros() -
+                       queue->card->perf_stats.outbound_do_qdio_start_time;
+-      atomic_add(count, &queue->used_buffers);
+       if (rc) {
+               queue->card->stats.tx_errors += count;
+               /* ignore temporary SIGA errors without busy condition */
diff --git a/queue-4.9/s390-qeth-reset-layer2-attribute-on-layer-switch.patch b/queue-4.9/s390-qeth-reset-layer2-attribute-on-layer-switch.patch
new file mode 100644 (file)
index 0000000..9d85f3b
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Julian Wiedmann <jwi@linux.ibm.com>
+Date: Thu, 19 Jul 2018 12:43:49 +0200
+Subject: s390/qeth: reset layer2 attribute on layer switch
+
+From: Julian Wiedmann <jwi@linux.ibm.com>
+
+[ Upstream commit 70551dc46ffa3555a0b5f3545b0cd87ab67fd002 ]
+
+After the subdriver's remove() routine has completed, the card's layer
+mode is undetermined again. Reflect this in the layer2 field.
+
+If qeth_dev_layer2_store() hits an error after remove() was called, the
+card _always_ requires a setup(), even if the previous layer mode is
+requested again.
+But qeth_dev_layer2_store() bails out early if the requested layer mode
+still matches the current one. So unless we reset the layer2 field,
+re-probing the card back to its previous mode is currently not possible.
+
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_core_sys.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/s390/net/qeth_core_sys.c
++++ b/drivers/s390/net/qeth_core_sys.c
+@@ -423,6 +423,7 @@ static ssize_t qeth_dev_layer2_store(str
+       if (card->discipline) {
+               card->discipline->remove(card->gdev);
+               qeth_core_free_discipline(card);
++              card->options.layer2 = -1;
+       }
+       rc = qeth_core_load_discipline(card, newdis);
index b5d7000690f82c0a7d559f1cbf9252ce95d003be..dac542ba3cb2766cbe131138e23e63bfb8a97ca8 100644 (file)
@@ -2,3 +2,45 @@ be2net-fix-memory-leak-in-be_cmd_get_profile_config.patch
 rds-fix-two-rcu-related-problems.patch
 net-mlx5-fix-use-after-free-in-self-healing-flow.patch
 net-mlx5-fix-debugfs-cleanup-in-the-device-init-remove-flow.patch
+iommu-arm-smmu-v3-sync-the-ovackflg-to-priq-consumer-register.patch
+alsa-msnd-fix-the-default-sample-sizes.patch
+alsa-usb-audio-fix-multiple-definitions-in-au0828_device-macro.patch
+xfrm-fix-passing-zero-to-err_ptr-warning.patch
+gfs2-special-case-rindex-for-gfs2_grow.patch
+clk-imx6ul-fix-missing-of_node_put.patch
+clk-clk-fixed-factor-clear-of_populated-flag-in-case-of-failure.patch
+kbuild-add-.delete_on_error-special-target.patch
+media-tw686x-fix-oops-on-buffer-alloc-failure.patch
+dmaengine-pl330-fix-irq-race-with-terminate_all.patch
+mips-ath79-fix-system-restart.patch
+media-videobuf2-core-check-for-q-error-in-vb2_core_qbuf.patch
+ib-rxe-drop-qp0-silently.patch
+mtd-maps-fix-solutionengine.c-printk-format-warnings.patch
+perf-test-fix-subtest-number-when-showing-results.patch
+gfs2-don-t-reject-a-supposedly-full-bitmap-if-we-have-blocks-reserved.patch
+fbdev-omapfb-off-by-one-in-omapfb_register_client.patch
+video-goldfishfb-fix-memory-leak-on-driver-remove.patch
+fbdev-via-fix-defined-but-not-used-warning.patch
+perf-powerpc-fix-callchain-ip-filtering-when-return-address-is-in-a-register.patch
+video-fbdev-pxafb-clear-allocated-memory-for-video-modes.patch
+fbdev-distinguish-between-interlaced-and-progressive-modes.patch
+arm-exynos-clear-global-variable-on-init-error-path.patch
+perf-powerpc-fix-callchain-ip-filtering.patch
+powerpc-powernv-opal_put_chars-partial-write-fix.patch
+mips-jz4740-bump-zload-address.patch
+mac80211-restrict-delayed-tailroom-needed-decrement.patch
+smack-fix-handling-of-ipv4-traffic-received-by-pf_inet6-sockets.patch
+wan-fsl_ucc_hdlc-use-is_err_value-to-check-return-value-of-qe_muram_alloc.patch
+efi-arm-preserve-early-mapping-of-uefi-memory-map-longer-for-bgrt.patch
+nfp-avoid-buffer-leak-when-fw-communication-fails.patch
+xen-netfront-fix-queue-name-setting.patch
+arm64-dts-qcom-db410c-fix-bluetooth-led-trigger.patch
+arm-dts-qcom-msm8974-hammerhead-increase-load-on-l20-for-sdhci.patch
+s390-qeth-fix-race-in-used-buffer-accounting.patch
+s390-qeth-reset-layer2-attribute-on-layer-switch.patch
+platform-x86-toshiba_acpi-fix-defined-but-not-used-build-warnings.patch
+kvm-arm-arm64-fix-vgic-init-race.patch
+drivers-base-stop-new-probing-during-shutdown.patch
+dmaengine-mv_xor_v2-kill-the-tasklets-upon-exit.patch
+crypto-sharah-unregister-correct-algorithms-for-sahara-3.patch
+xen-netfront-fix-warn-message-as-irq-device-name-has.patch
diff --git a/queue-4.9/smack-fix-handling-of-ipv4-traffic-received-by-pf_inet6-sockets.patch b/queue-4.9/smack-fix-handling-of-ipv4-traffic-received-by-pf_inet6-sockets.patch
new file mode 100644 (file)
index 0000000..2134def
--- /dev/null
@@ -0,0 +1,83 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Piotr Sawicki <p.sawicki2@partner.samsung.com>
+Date: Thu, 19 Jul 2018 11:42:58 +0200
+Subject: Smack: Fix handling of IPv4 traffic received by PF_INET6 sockets
+
+From: Piotr Sawicki <p.sawicki2@partner.samsung.com>
+
+[ Upstream commit 129a99890936766f4b69b9da7ed88366313a9210 ]
+
+A socket which has sk_family set to PF_INET6 is able to receive not
+only IPv6 but also IPv4 traffic (IPv4-mapped IPv6 addresses).
+
+Prior to this patch, the smk_skb_to_addr_ipv6() could have been
+called for socket buffers containing IPv4 packets, in result such
+traffic was allowed.
+
+Signed-off-by: Piotr Sawicki <p.sawicki2@partner.samsung.com>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/smack/smack_lsm.c |   14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -3966,15 +3966,19 @@ static int smack_socket_sock_rcv_skb(str
+       struct smack_known *skp = NULL;
+       int rc = 0;
+       struct smk_audit_info ad;
++      u16 family = sk->sk_family;
+ #ifdef CONFIG_AUDIT
+       struct lsm_network_audit net;
+ #endif
+ #if IS_ENABLED(CONFIG_IPV6)
+       struct sockaddr_in6 sadd;
+       int proto;
++
++      if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
++              family = PF_INET;
+ #endif /* CONFIG_IPV6 */
+-      switch (sk->sk_family) {
++      switch (family) {
+       case PF_INET:
+ #ifdef CONFIG_SECURITY_SMACK_NETFILTER
+               /*
+@@ -3992,7 +3996,7 @@ static int smack_socket_sock_rcv_skb(str
+                */
+               netlbl_secattr_init(&secattr);
+-              rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr);
++              rc = netlbl_skbuff_getattr(skb, family, &secattr);
+               if (rc == 0)
+                       skp = smack_from_secattr(&secattr, ssp);
+               else
+@@ -4005,7 +4009,7 @@ access_check:
+ #endif
+ #ifdef CONFIG_AUDIT
+               smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
+-              ad.a.u.net->family = sk->sk_family;
++              ad.a.u.net->family = family;
+               ad.a.u.net->netif = skb->skb_iif;
+               ipv4_skb_to_auditdata(skb, &ad.a, NULL);
+ #endif
+@@ -4019,7 +4023,7 @@ access_check:
+               rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in,
+                                       MAY_WRITE, rc);
+               if (rc != 0)
+-                      netlbl_skbuff_err(skb, sk->sk_family, rc, 0);
++                      netlbl_skbuff_err(skb, family, rc, 0);
+               break;
+ #if IS_ENABLED(CONFIG_IPV6)
+       case PF_INET6:
+@@ -4035,7 +4039,7 @@ access_check:
+                       skp = smack_net_ambient;
+ #ifdef CONFIG_AUDIT
+               smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
+-              ad.a.u.net->family = sk->sk_family;
++              ad.a.u.net->family = family;
+               ad.a.u.net->netif = skb->skb_iif;
+               ipv6_skb_to_auditdata(skb, &ad.a, NULL);
+ #endif /* CONFIG_AUDIT */
diff --git a/queue-4.9/video-fbdev-pxafb-clear-allocated-memory-for-video-modes.patch b/queue-4.9/video-fbdev-pxafb-clear-allocated-memory-for-video-modes.patch
new file mode 100644 (file)
index 0000000..8573d3e
--- /dev/null
@@ -0,0 +1,36 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Daniel Mack <daniel@zonque.org>
+Date: Tue, 24 Jul 2018 19:11:25 +0200
+Subject: video: fbdev: pxafb: clear allocated memory for video modes
+
+From: Daniel Mack <daniel@zonque.org>
+
+[ Upstream commit b951d80aaf224b1f774e10def672f5e37488e4ee ]
+
+When parsing the video modes from DT properties, make sure to zero out
+memory before using it. This is important because not all fields in the mode
+struct are explicitly initialized, even though they are used later on.
+
+Fixes: 420a488278e86 ("video: fbdev: pxafb: initial devicetree conversion")
+Reviewed-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Daniel Mack <daniel@zonque.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/pxafb.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/fbdev/pxafb.c
++++ b/drivers/video/fbdev/pxafb.c
+@@ -2128,8 +2128,8 @@ static int of_get_pxafb_display(struct d
+               return -EINVAL;
+       ret = -ENOMEM;
+-      info->modes = kmalloc_array(timings->num_timings,
+-                                  sizeof(info->modes[0]), GFP_KERNEL);
++      info->modes = kcalloc(timings->num_timings, sizeof(info->modes[0]),
++                            GFP_KERNEL);
+       if (!info->modes)
+               goto out;
+       info->num_modes = timings->num_timings;
diff --git a/queue-4.9/video-goldfishfb-fix-memory-leak-on-driver-remove.patch b/queue-4.9/video-goldfishfb-fix-memory-leak-on-driver-remove.patch
new file mode 100644 (file)
index 0000000..3633b52
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Anton Vasilyev <vasilyev@ispras.ru>
+Date: Tue, 24 Jul 2018 19:11:27 +0200
+Subject: video: goldfishfb: fix memory leak on driver remove
+
+From: Anton Vasilyev <vasilyev@ispras.ru>
+
+[ Upstream commit 5958fde72d04e7b8c6de3669d1f794a90997e3eb ]
+
+goldfish_fb_probe() allocates memory for fb, but goldfish_fb_remove() does
+not have deallocation of fb, which leads to memory leak on probe/remove.
+
+The patch adds deallocation into goldfish_fb_remove().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
+Cc: Aleksandar Markovic <aleksandar.markovic@mips.com>
+Cc: Miodrag Dinic <miodrag.dinic@mips.com>
+Cc: Goran Ferenc <goran.ferenc@mips.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/goldfishfb.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/video/fbdev/goldfishfb.c
++++ b/drivers/video/fbdev/goldfishfb.c
+@@ -301,6 +301,7 @@ static int goldfish_fb_remove(struct pla
+       dma_free_coherent(&pdev->dev, framesize, (void *)fb->fb.screen_base,
+                                               fb->fb.fix.smem_start);
+       iounmap(fb->reg_base);
++      kfree(fb);
+       return 0;
+ }
diff --git a/queue-4.9/wan-fsl_ucc_hdlc-use-is_err_value-to-check-return-value-of-qe_muram_alloc.patch b/queue-4.9/wan-fsl_ucc_hdlc-use-is_err_value-to-check-return-value-of-qe_muram_alloc.patch
new file mode 100644 (file)
index 0000000..a87ac13
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Mon, 23 Jul 2018 22:12:33 +0800
+Subject: wan/fsl_ucc_hdlc: use IS_ERR_VALUE() to check return value of qe_muram_alloc
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit fd800f646402c0f85547166b59ca065175928b7b ]
+
+qe_muram_alloc return a unsigned long integer,which should not
+compared with zero. check it using IS_ERR_VALUE() to fix this.
+
+Fixes: c19b6d246a35 ("drivers/net: support hdlc function for QE-UCC")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wan/fsl_ucc_hdlc.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wan/fsl_ucc_hdlc.c
++++ b/drivers/net/wan/fsl_ucc_hdlc.c
+@@ -161,7 +161,7 @@ static int uhdlc_init(struct ucc_hdlc_pr
+       priv->ucc_pram_offset = qe_muram_alloc(sizeof(struct ucc_hdlc_param),
+                               ALIGNMENT_OF_UCC_HDLC_PRAM);
+-      if (priv->ucc_pram_offset < 0) {
++      if (IS_ERR_VALUE(priv->ucc_pram_offset)) {
+               dev_err(priv->dev, "Can not allocate MURAM for hdlc parameter.\n");
+               ret = -ENOMEM;
+               goto free_tx_bd;
+@@ -197,14 +197,14 @@ static int uhdlc_init(struct ucc_hdlc_pr
+       /* Alloc riptr, tiptr */
+       riptr = qe_muram_alloc(32, 32);
+-      if (riptr < 0) {
++      if (IS_ERR_VALUE(riptr)) {
+               dev_err(priv->dev, "Cannot allocate MURAM mem for Receive internal temp data pointer\n");
+               ret = -ENOMEM;
+               goto free_tx_skbuff;
+       }
+       tiptr = qe_muram_alloc(32, 32);
+-      if (tiptr < 0) {
++      if (IS_ERR_VALUE(tiptr)) {
+               dev_err(priv->dev, "Cannot allocate MURAM mem for Transmit internal temp data pointer\n");
+               ret = -ENOMEM;
+               goto free_riptr;
diff --git a/queue-4.9/xen-netfront-fix-queue-name-setting.patch b/queue-4.9/xen-netfront-fix-queue-name-setting.patch
new file mode 100644 (file)
index 0000000..0e0fee2
--- /dev/null
@@ -0,0 +1,53 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date: Fri, 20 Jul 2018 18:33:59 +0200
+Subject: xen-netfront: fix queue name setting
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+[ Upstream commit 2d408c0d4574b01b9ed45e02516888bf925e11a9 ]
+
+Commit f599c64fdf7d ("xen-netfront: Fix race between device setup and
+open") changed the initialization order: xennet_create_queues() now
+happens before we do register_netdev() so using netdev->name in
+xennet_init_queue() is incorrect, we end up with the following in
+/proc/interrupts:
+
+ 60:        139          0   xen-dyn    -event     eth%d-q0-tx
+ 61:        265          0   xen-dyn    -event     eth%d-q0-rx
+ 62:        234          0   xen-dyn    -event     eth%d-q1-tx
+ 63:          1          0   xen-dyn    -event     eth%d-q1-rx
+
+and this looks ugly. Actually, using early netdev name (even when it's
+already set) is also not ideal: nowadays we tend to rename eth devices
+and queue name may end up not corresponding to the netdev name.
+
+Use nodename from xenbus device for queue naming: this can't change in VM's
+lifetime. Now /proc/interrupts looks like
+
+ 62:        202          0   xen-dyn    -event     device/vif/0-q0-tx
+ 63:        317          0   xen-dyn    -event     device/vif/0-q0-rx
+ 64:        262          0   xen-dyn    -event     device/vif/0-q1-tx
+ 65:         17          0   xen-dyn    -event     device/vif/0-q1-rx
+
+Fixes: f599c64fdf7d ("xen-netfront: Fix race between device setup and open")
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netfront.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -1630,7 +1630,7 @@ static int xennet_init_queue(struct netf
+                   (unsigned long)queue);
+       snprintf(queue->name, sizeof(queue->name), "%s-q%u",
+-               queue->info->netdev->name, queue->id);
++               queue->info->xbdev->nodename, queue->id);
+       /* Initialise tx_skbs as a free chain containing every entry. */
+       queue->tx_skb_freelist = 0;
diff --git a/queue-4.9/xen-netfront-fix-warn-message-as-irq-device-name-has.patch b/queue-4.9/xen-netfront-fix-warn-message-as-irq-device-name-has.patch
new file mode 100644 (file)
index 0000000..848373a
--- /dev/null
@@ -0,0 +1,95 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: Xiao Liang <xiliang@redhat.com>
+Date: Tue, 14 Aug 2018 23:21:28 +0800
+Subject: xen-netfront: fix warn message as irq device name has '/'
+
+From: Xiao Liang <xiliang@redhat.com>
+
+[ Upstream commit 21f2706b20100bb3db378461ab9b8e2035309b5b ]
+
+There is a call trace generated after commit 2d408c0d4574b01b9ed45e02516888bf925e11a9(
+xen-netfront: fix queue name setting). There is no 'device/vif/xx-q0-tx' file found
+under /proc/irq/xx/.
+
+This patch only picks up device type and id as its name.
+
+With the patch, now /proc/interrupts looks like below and the warning message gone:
+ 70:         21          0          0          0   xen-dyn    -event     vif0-q0-tx
+ 71:         15          0          0          0   xen-dyn    -event     vif0-q0-rx
+ 72:         14          0          0          0   xen-dyn    -event     vif0-q1-tx
+ 73:         33          0          0          0   xen-dyn    -event     vif0-q1-rx
+ 74:         12          0          0          0   xen-dyn    -event     vif0-q2-tx
+ 75:         24          0          0          0   xen-dyn    -event     vif0-q2-rx
+ 76:         19          0          0          0   xen-dyn    -event     vif0-q3-tx
+ 77:         21          0          0          0   xen-dyn    -event     vif0-q3-rx
+
+Below is call trace information without this patch:
+
+name 'device/vif/0-q0-tx'
+WARNING: CPU: 2 PID: 37 at fs/proc/generic.c:174 __xlate_proc_name+0x85/0xa0
+RIP: 0010:__xlate_proc_name+0x85/0xa0
+RSP: 0018:ffffb85c40473c18 EFLAGS: 00010286
+RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000000006
+RDX: 0000000000000007 RSI: 0000000000000096 RDI: ffff984c7f516930
+RBP: ffffb85c40473cb8 R08: 000000000000002c R09: 0000000000000229
+R10: 0000000000000000 R11: 0000000000000001 R12: ffffb85c40473c98
+R13: ffffb85c40473cb8 R14: ffffb85c40473c50 R15: 0000000000000000
+FS:  0000000000000000(0000) GS:ffff984c7f500000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f69b6899038 CR3: 000000001c20a006 CR4: 00000000001606e0
+Call Trace:
+__proc_create+0x45/0x230
+? snprintf+0x49/0x60
+proc_mkdir_data+0x35/0x90
+register_handler_proc+0xef/0x110
+? proc_register+0xfc/0x110
+? proc_create_data+0x70/0xb0
+__setup_irq+0x39b/0x660
+? request_threaded_irq+0xad/0x160
+request_threaded_irq+0xf5/0x160
+? xennet_tx_buf_gc+0x1d0/0x1d0 [xen_netfront]
+bind_evtchn_to_irqhandler+0x3d/0x70
+? xenbus_alloc_evtchn+0x41/0xa0
+netback_changed+0xa46/0xcda [xen_netfront]
+? find_watch+0x40/0x40
+xenwatch_thread+0xc5/0x160
+? finish_wait+0x80/0x80
+kthread+0x112/0x130
+? kthread_create_worker_on_cpu+0x70/0x70
+ret_from_fork+0x35/0x40
+Code: 81 5c 00 48 85 c0 75 cc 5b 49 89 2e 31 c0 5d 4d 89 3c 24 41 5c 41 5d 41 5e 41 5f c3 4c 89 ee 48 c7 c7 40 4f 0e b4 e8 65 ea d8 ff <0f> 0b b8 fe ff ff ff 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 0f 1f
+---[ end trace 650e5561b0caab3a ]---
+
+Signed-off-by: Xiao Liang <xiliang@redhat.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netfront.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -1622,6 +1622,7 @@ static int xennet_init_queue(struct netf
+ {
+       unsigned short i;
+       int err = 0;
++      char *devid;
+       spin_lock_init(&queue->tx_lock);
+       spin_lock_init(&queue->rx_lock);
+@@ -1629,8 +1630,9 @@ static int xennet_init_queue(struct netf
+       setup_timer(&queue->rx_refill_timer, rx_refill_timeout,
+                   (unsigned long)queue);
+-      snprintf(queue->name, sizeof(queue->name), "%s-q%u",
+-               queue->info->xbdev->nodename, queue->id);
++      devid = strrchr(queue->info->xbdev->nodename, '/') + 1;
++      snprintf(queue->name, sizeof(queue->name), "vif%s-q%u",
++               devid, queue->id);
+       /* Initialise tx_skbs as a free chain containing every entry. */
+       queue->tx_skb_freelist = 0;
diff --git a/queue-4.9/xfrm-fix-passing-zero-to-err_ptr-warning.patch b/queue-4.9/xfrm-fix-passing-zero-to-err_ptr-warning.patch
new file mode 100644 (file)
index 0000000..6b740d0
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Fri Sep 21 09:36:02 CEST 2018
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Wed, 25 Jul 2018 16:54:33 +0800
+Subject: xfrm: fix 'passing zero to ERR_PTR()' warning
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 934ffce1343f22ed5e2d0bd6da4440f4848074de ]
+
+Fix a static code checker warning:
+
+  net/xfrm/xfrm_policy.c:1836 xfrm_resolve_and_create_bundle() warn: passing zero to 'ERR_PTR'
+
+xfrm_tmpl_resolve return 0 just means no xdst found, return NULL
+instead of passing zero to ERR_PTR.
+
+Fixes: d809ec895505 ("xfrm: do not assume that template resolving always returns xfrms")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_policy.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1873,7 +1873,10 @@ xfrm_resolve_and_create_bundle(struct xf
+       /* Try to instantiate a bundle */
+       err = xfrm_tmpl_resolve(pols, num_pols, fl, xfrm, family);
+       if (err <= 0) {
+-              if (err != 0 && err != -EAGAIN)
++              if (err == 0)
++                      return NULL;
++
++              if (err != -EAGAIN)
+                       XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
+               return ERR_PTR(err);
+       }