--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Sat, 3 Dec 2016 00:52:46 +0300
+Subject: adm80211: add checks for dma mapping errors
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+
+[ Upstream commit d15697de60db5570532fdedb8e13b2251d65b8e3 ]
+
+The driver does not check if mapping dma memory succeed.
+The patch adds the checks and failure handling.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/admtek/adm8211.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/admtek/adm8211.c
++++ b/drivers/net/wireless/admtek/adm8211.c
+@@ -413,6 +413,13 @@ static void adm8211_interrupt_rci(struct
+ skb_tail_pointer(newskb),
+ RX_PKT_SIZE,
+ PCI_DMA_FROMDEVICE);
++ if (pci_dma_mapping_error(priv->pdev,
++ priv->rx_buffers[entry].mapping)) {
++ priv->rx_buffers[entry].skb = NULL;
++ dev_kfree_skb(newskb);
++ skb = NULL;
++ /* TODO: update rx dropped stats */
++ }
+ } else {
+ skb = NULL;
+ /* TODO: update rx dropped stats */
+@@ -1450,6 +1457,12 @@ static int adm8211_init_rings(struct iee
+ skb_tail_pointer(rx_info->skb),
+ RX_PKT_SIZE,
+ PCI_DMA_FROMDEVICE);
++ if (pci_dma_mapping_error(priv->pdev, rx_info->mapping)) {
++ dev_kfree_skb(rx_info->skb);
++ rx_info->skb = NULL;
++ break;
++ }
++
+ desc->buffer1 = cpu_to_le32(rx_info->mapping);
+ desc->status = cpu_to_le32(RDES0_STATUS_OWN | RDES0_STATUS_SQL);
+ }
+@@ -1613,7 +1626,7 @@ static void adm8211_calc_durations(int *
+ }
+
+ /* Transmit skb w/adm8211_tx_hdr (802.11 header created by hardware) */
+-static void adm8211_tx_raw(struct ieee80211_hw *dev, struct sk_buff *skb,
++static int adm8211_tx_raw(struct ieee80211_hw *dev, struct sk_buff *skb,
+ u16 plcp_signal,
+ size_t hdrlen)
+ {
+@@ -1625,6 +1638,8 @@ static void adm8211_tx_raw(struct ieee80
+
+ mapping = pci_map_single(priv->pdev, skb->data, skb->len,
+ PCI_DMA_TODEVICE);
++ if (pci_dma_mapping_error(priv->pdev, mapping))
++ return -ENOMEM;
+
+ spin_lock_irqsave(&priv->lock, flags);
+
+@@ -1657,6 +1672,8 @@ static void adm8211_tx_raw(struct ieee80
+
+ /* Trigger transmit poll */
+ ADM8211_CSR_WRITE(TDR, 0);
++
++ return 0;
+ }
+
+ /* Put adm8211_tx_hdr on skb and transmit */
+@@ -1710,7 +1727,10 @@ static void adm8211_tx(struct ieee80211_
+
+ txhdr->retry_limit = info->control.rates[0].count;
+
+- adm8211_tx_raw(dev, skb, plcp_signal, hdrlen);
++ if (adm8211_tx_raw(dev, skb, plcp_signal, hdrlen)) {
++ /* Drop packet */
++ ieee80211_free_txskb(dev, skb);
++ }
+ }
+
+ static int adm8211_alloc_rings(struct ieee80211_hw *dev)
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 7 Dec 2016 14:21:22 +0300
+Subject: adm80211: return an error if adm8211_alloc_rings() fails
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit c705a6b3aa7804d7bc6660183f51e510c61dc807 ]
+
+We accidentally return success when adm8211_alloc_rings() fails but we
+should preserve the error code.
+
+Fixes: cc0b88cf5ecf ("[PATCH] Add adm8211 802.11b wireless driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/admtek/adm8211.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/admtek/adm8211.c
++++ b/drivers/net/wireless/admtek/adm8211.c
+@@ -1843,7 +1843,8 @@ static int adm8211_probe(struct pci_dev
+ priv->rx_ring_size = rx_ring_size;
+ priv->tx_ring_size = tx_ring_size;
+
+- if (adm8211_alloc_rings(dev)) {
++ err = adm8211_alloc_rings(dev);
++ if (err) {
+ printk(KERN_ERR "%s (adm8211): Cannot allocate TX/RX ring\n",
+ pci_name(pdev));
+ goto err_iounmap;
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Gabriele Mazzotta <gabriele.mzt@gmail.com>
+Date: Sat, 24 Dec 2016 19:50:00 +0100
+Subject: ALSA: hda - Apply ALC269_FIXUP_NO_SHUTUP on HDA_FIXUP_ACT_PROBE
+
+From: Gabriele Mazzotta <gabriele.mzt@gmail.com>
+
+
+[ Upstream commit 972aa2c708703c21f14eb958b37e82aae2530e44 ]
+
+Setting shutup when the action is HDA_FIXUP_ACT_PRE_PROBE might
+not have the desired effect since it could be overridden by
+another more generic shutup function. Prevent this by setting
+the more specific shutup function on HDA_FIXUP_ACT_PROBE.
+
+Signed-off-by: Gabriele Mazzotta <gabriele.mzt@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4419,7 +4419,7 @@ static void alc_no_shutup(struct hda_cod
+ static void alc_fixup_no_shutup(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+ {
+- if (action == HDA_FIXUP_ACT_PRE_PROBE) {
++ if (action == HDA_FIXUP_ACT_PROBE) {
+ struct alc_spec *spec = codec->spec;
+ spec->shutup = alc_no_shutup;
+ }
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 8 Dec 2016 13:05:43 +0000
+Subject: ASoC: rsnd: don't double free kctrl
+
+From: Colin Ian King <colin.king@canonical.com>
+
+
+[ Upstream commit 0ea617a298dcdc2251b4e10f83ac3f3e627b66e3 ]
+
+On an error, snd_ctl_add already free's kctrl, so calling snd_ctl_free_one
+to free it again leads to a double free error. Fix this by removing
+the extraneous snd_ctl_free_one call.
+
+Issue found using static analysis with CoverityScan, CID 1372908
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/sh/rcar/core.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/sound/soc/sh/rcar/core.c
++++ b/sound/soc/sh/rcar/core.c
+@@ -978,10 +978,8 @@ static int __rsnd_kctrl_new(struct rsnd_
+ return -ENOMEM;
+
+ ret = snd_ctl_add(card, kctrl);
+- if (ret < 0) {
+- snd_ctl_free_one(kctrl);
++ if (ret < 0)
+ return ret;
+- }
+
+ cfg->update = update;
+ cfg->card = card;
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Richard Fitzgerald <rf@opensource.wolfsonmicro.com>
+Date: Tue, 20 Dec 2016 10:29:12 +0000
+Subject: ASoC: wm_adsp: Don't overrun firmware file buffer when reading region data
+
+From: Richard Fitzgerald <rf@opensource.wolfsonmicro.com>
+
+
+[ Upstream commit 1cab2a84f470e15ecc8e5143bfe9398c6e888032 ]
+
+Protect against corrupt firmware files by ensuring that the length we
+get for the data in a region actually lies within the available firmware
+file data buffer.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.wolfsonmicro.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/wm_adsp.c | 25 ++++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+--- a/sound/soc/codecs/wm_adsp.c
++++ b/sound/soc/codecs/wm_adsp.c
+@@ -1365,7 +1365,7 @@ static int wm_adsp_load(struct wm_adsp *
+ const struct wmfw_region *region;
+ const struct wm_adsp_region *mem;
+ const char *region_name;
+- char *file, *text;
++ char *file, *text = NULL;
+ struct wm_adsp_buf *buf;
+ unsigned int reg;
+ int regions = 0;
+@@ -1526,10 +1526,21 @@ static int wm_adsp_load(struct wm_adsp *
+ regions, le32_to_cpu(region->len), offset,
+ region_name);
+
++ if ((pos + le32_to_cpu(region->len) + sizeof(*region)) >
++ firmware->size) {
++ adsp_err(dsp,
++ "%s.%d: %s region len %d bytes exceeds file length %zu\n",
++ file, regions, region_name,
++ le32_to_cpu(region->len), firmware->size);
++ ret = -EINVAL;
++ goto out_fw;
++ }
++
+ if (text) {
+ memcpy(text, region->data, le32_to_cpu(region->len));
+ adsp_info(dsp, "%s: %s\n", file, text);
+ kfree(text);
++ text = NULL;
+ }
+
+ if (reg) {
+@@ -1574,6 +1585,7 @@ out_fw:
+ regmap_async_complete(regmap);
+ wm_adsp_buf_free(&buf_list);
+ release_firmware(firmware);
++ kfree(text);
+ out:
+ kfree(file);
+
+@@ -2054,6 +2066,17 @@ static int wm_adsp_load_coeff(struct wm_
+ }
+
+ if (reg) {
++ if ((pos + le32_to_cpu(blk->len) + sizeof(*blk)) >
++ firmware->size) {
++ adsp_err(dsp,
++ "%s.%d: %s region len %d bytes exceeds file length %zu\n",
++ file, blocks, region_name,
++ le32_to_cpu(blk->len),
++ firmware->size);
++ ret = -EINVAL;
++ goto out_fw;
++ }
++
+ buf = wm_adsp_buf_alloc(blk->data,
+ le32_to_cpu(blk->len),
+ &buf_list);
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Ryan Hsu <ryanhsu@qca.qualcomm.com>
+Date: Tue, 13 Dec 2016 14:55:19 -0800
+Subject: ath10k: fix incorrect txpower set by P2P_DEVICE interface
+
+From: Ryan Hsu <ryanhsu@qca.qualcomm.com>
+
+
+[ Upstream commit 88407beb1b1462f706a1950a355fd086e1c450b6 ]
+
+Ath10k reports the phy capability that supports P2P_DEVICE interface.
+
+When we use the P2P supported wpa_supplicant to start connection, it'll
+create two interfaces, one is wlan0 (vdev_id=0) and one is P2P_DEVICE
+p2p-dev-wlan0 which is for p2p control channel (vdev_id=1).
+
+ ath10k_pci mac vdev create 0 (add interface) type 2 subtype 0
+ ath10k_add_interface: vdev_id: 0, txpower: 0, bss_power: 0
+ ...
+ ath10k_pci mac vdev create 1 (add interface) type 2 subtype 1
+ ath10k_add_interface: vdev_id: 1, txpower: 0, bss_power: 0
+
+And the txpower in per vif bss_conf will only be set to valid tx power when
+the interface is assigned with channel_ctx.
+
+But this P2P_DEVICE interface will never be used for any connection, so
+that the uninitialized bss_conf.txpower=0 is assinged to the
+arvif->txpower when interface created.
+
+Since the txpower configuration is firmware per physical interface.
+So the smallest txpower of all vifs will be the one limit the tx power
+of the physical device, that causing the low txpower issue on other
+active interfaces.
+
+ wlan0: Limiting TX power to 21 (24 - 3) dBm
+ ath10k_pci mac vdev_id 0 txpower 21
+ ath10k_mac_txpower_recalc: vdev_id: 1, txpower: 0
+ ath10k_mac_txpower_recalc: vdev_id: 0, txpower: 21
+ ath10k_pci mac txpower 0
+
+This issue only happens when we use the wpa_supplicant that supports
+P2P or if we use the iw tool to create the control P2P_DEVICE interface.
+
+Signed-off-by: Ryan Hsu <ryanhsu@qca.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -4668,7 +4668,8 @@ static int ath10k_mac_txpower_recalc(str
+ lockdep_assert_held(&ar->conf_mutex);
+
+ list_for_each_entry(arvif, &ar->arvifs, list) {
+- WARN_ON(arvif->txpower < 0);
++ if (arvif->txpower <= 0)
++ continue;
+
+ if (txpower == -1)
+ txpower = arvif->txpower;
+@@ -4676,8 +4677,8 @@ static int ath10k_mac_txpower_recalc(str
+ txpower = min(txpower, arvif->txpower);
+ }
+
+- if (WARN_ON(txpower == -1))
+- return -EINVAL;
++ if (txpower == -1)
++ return 0;
+
+ ret = ath10k_mac_txpower_setup(ar, txpower);
+ if (ret) {
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Christian Lamparter <chunkeey@googlemail.com>
+Date: Thu, 29 Dec 2016 16:12:09 +0200
+Subject: ath10k: fix potential memory leak in ath10k_wmi_tlv_op_pull_fw_stats()
+
+From: Christian Lamparter <chunkeey@googlemail.com>
+
+
+[ Upstream commit 097e46d2ae90265d1afe141ba6208ba598b79e01 ]
+
+ath10k_wmi_tlv_op_pull_fw_stats() uses tb = ath10k_wmi_tlv_parse_alloc(...)
+function, which allocates memory. If any of the three error-paths are
+taken, this tb needs to be freed.
+
+Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/wmi-tlv.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+@@ -1105,8 +1105,10 @@ static int ath10k_wmi_tlv_op_pull_fw_sta
+ struct ath10k_fw_stats_pdev *dst;
+
+ src = data;
+- if (data_len < sizeof(*src))
++ if (data_len < sizeof(*src)) {
++ kfree(tb);
+ return -EPROTO;
++ }
+
+ data += sizeof(*src);
+ data_len -= sizeof(*src);
+@@ -1126,8 +1128,10 @@ static int ath10k_wmi_tlv_op_pull_fw_sta
+ struct ath10k_fw_stats_vdev *dst;
+
+ src = data;
+- if (data_len < sizeof(*src))
++ if (data_len < sizeof(*src)) {
++ kfree(tb);
+ return -EPROTO;
++ }
+
+ data += sizeof(*src);
+ data_len -= sizeof(*src);
+@@ -1145,8 +1149,10 @@ static int ath10k_wmi_tlv_op_pull_fw_sta
+ struct ath10k_fw_stats_peer *dst;
+
+ src = data;
+- if (data_len < sizeof(*src))
++ if (data_len < sizeof(*src)) {
++ kfree(tb);
+ return -EPROTO;
++ }
+
+ data += sizeof(*src);
+ data_len -= sizeof(*src);
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Ryan Hsu <ryanhsu@qca.qualcomm.com>
+Date: Thu, 22 Dec 2016 15:02:37 -0800
+Subject: ath10k: ignore configuring the incorrect board_id
+
+From: Ryan Hsu <ryanhsu@qca.qualcomm.com>
+
+
+[ Upstream commit d2e202c06ca42d353d95df12437740921a6d05b5 ]
+
+With command to get board_id from otp, in the case of following
+
+ boot get otp board id result 0x00000000 board_id 0 chip_id 0
+ boot using board name 'bus=pci,bmi-chip-id=0,bmi-board-id=0"
+ ...
+ failed to fetch board data for bus=pci,bmi-chip-id=0,bmi-board-id=0 from
+ ath10k/QCA6174/hw3.0/board-2.bin
+
+The invalid board_id=0 will be used as index to search in the board-2.bin.
+
+Ignore the case with board_id=0, as it means the otp is not carrying
+the board id information.
+
+Signed-off-by: Ryan Hsu <ryanhsu@qca.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/core.c
++++ b/drivers/net/wireless/ath/ath10k/core.c
+@@ -691,8 +691,11 @@ static int ath10k_core_get_board_id_from
+ "boot get otp board id result 0x%08x board_id %d chip_id %d\n",
+ result, board_id, chip_id);
+
+- if ((result & ATH10K_BMI_BOARD_ID_STATUS_MASK) != 0)
++ if ((result & ATH10K_BMI_BOARD_ID_STATUS_MASK) != 0 ||
++ (board_id == 0)) {
++ ath10k_warn(ar, "board id is not exist in otp, ignore it\n");
+ return -EOPNOTSUPP;
++ }
+
+ ar->id.bmi_ids_valid = true;
+ ar->id.bmi_board_id = board_id;
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Bartosz Markowski <bartosz.markowski@tieto.com>
+Date: Thu, 15 Dec 2016 11:23:24 +0200
+Subject: ath10k: set CTS protection VDEV param only if VDEV is up
+
+From: Bartosz Markowski <bartosz.markowski@tieto.com>
+
+
+[ Upstream commit 7cfe0455ee1218add152e986b89b4bb8dbeafcdd ]
+
+The cts protection vdev parameter, in new QCA9377 TF2.0 firmware,
+requires bss peer to be created for the STATION vdev type.
+bss peer is being allocated by the firmware after vdev_start/_up commands.
+mac80211 may call the cts protection setup at any time, so the
+we needs to track the situation and defer the cts configuration
+to prevent firmware asserts, like below:
+
+[00]: 0x05020001 0x000015B3 0x0099ACE2 0x00955B31
+[04]: 0x0099ACE2 0x00060730 0x00000004 0x00000000
+[08]: 0x0044C754 0x00412C10 0x00000000 0x00409C54
+[12]: 0x00000009 0x00000000 0x00952F6C 0x00952F77
+[16]: 0x00952CC4 0x00910712 0x00000000 0x00000000
+[20]: 0x4099ACE2 0x0040E858 0x00421254 0x004127F4
+[24]: 0x8099B9B2 0x0040E8B8 0x00000000 0xC099ACE2
+[28]: 0x800B75CB 0x0040E8F8 0x00000007 0x00005008
+[32]: 0x809B048A 0x0040E958 0x00000010 0x00433B10
+[36]: 0x809AFBBC 0x0040E9A8 0x0042BB74 0x0042BBBC
+[40]: 0x8091D252 0x0040E9C8 0x0042BBBC 0x00000001
+[44]: 0x809FFA45 0x0040EA78 0x0043D3E4 0x0042C2C8
+[48]: 0x809FCEF4 0x0040EA98 0x0043D3E4 0x00000001
+[52]: 0x80911210 0x0040EAE8 0x00000010 0x004041D0
+[56]: 0x80911154 0x0040EB28 0x00400000 0x00000000
+
+Signed-off-by: Bartosz Markowski <bartosz.markowski@tieto.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 51 ++++++++++++++++++++++++++++------
+ 1 file changed, 43 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -1224,6 +1224,36 @@ static int ath10k_monitor_recalc(struct
+ return ath10k_monitor_stop(ar);
+ }
+
++static bool ath10k_mac_can_set_cts_prot(struct ath10k_vif *arvif)
++{
++ struct ath10k *ar = arvif->ar;
++
++ lockdep_assert_held(&ar->conf_mutex);
++
++ if (!arvif->is_started) {
++ ath10k_dbg(ar, ATH10K_DBG_MAC, "defer cts setup, vdev is not ready yet\n");
++ return false;
++ }
++
++ return true;
++}
++
++static int ath10k_mac_set_cts_prot(struct ath10k_vif *arvif)
++{
++ struct ath10k *ar = arvif->ar;
++ u32 vdev_param;
++
++ lockdep_assert_held(&ar->conf_mutex);
++
++ vdev_param = ar->wmi.vdev_param->protection_mode;
++
++ ath10k_dbg(ar, ATH10K_DBG_MAC, "mac vdev %d cts_protection %d\n",
++ arvif->vdev_id, arvif->use_cts_prot);
++
++ return ath10k_wmi_vdev_set_param(ar, arvif->vdev_id, vdev_param,
++ arvif->use_cts_prot ? 1 : 0);
++}
++
+ static int ath10k_recalc_rtscts_prot(struct ath10k_vif *arvif)
+ {
+ struct ath10k *ar = arvif->ar;
+@@ -5322,20 +5352,18 @@ static void ath10k_bss_info_changed(stru
+
+ if (changed & BSS_CHANGED_ERP_CTS_PROT) {
+ arvif->use_cts_prot = info->use_cts_prot;
+- ath10k_dbg(ar, ATH10K_DBG_MAC, "mac vdev %d cts_prot %d\n",
+- arvif->vdev_id, info->use_cts_prot);
+
+ ret = ath10k_recalc_rtscts_prot(arvif);
+ if (ret)
+ ath10k_warn(ar, "failed to recalculate rts/cts prot for vdev %d: %d\n",
+ arvif->vdev_id, ret);
+
+- vdev_param = ar->wmi.vdev_param->protection_mode;
+- ret = ath10k_wmi_vdev_set_param(ar, arvif->vdev_id, vdev_param,
+- info->use_cts_prot ? 1 : 0);
+- if (ret)
+- ath10k_warn(ar, "failed to set protection mode %d on vdev %i: %d\n",
+- info->use_cts_prot, arvif->vdev_id, ret);
++ if (ath10k_mac_can_set_cts_prot(arvif)) {
++ ret = ath10k_mac_set_cts_prot(arvif);
++ if (ret)
++ ath10k_warn(ar, "failed to set cts protection for vdev %d: %d\n",
++ arvif->vdev_id, ret);
++ }
+ }
+
+ if (changed & BSS_CHANGED_ERP_SLOT) {
+@@ -7356,6 +7384,13 @@ ath10k_mac_op_assign_vif_chanctx(struct
+ arvif->is_up = true;
+ }
+
++ if (ath10k_mac_can_set_cts_prot(arvif)) {
++ ret = ath10k_mac_set_cts_prot(arvif);
++ if (ret)
++ ath10k_warn(ar, "failed to set cts protection for vdev %d: %d\n",
++ arvif->vdev_id, ret);
++ }
++
+ mutex_unlock(&ar->conf_mutex);
+ return 0;
+
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Thu, 29 Dec 2016 12:13:42 -0500
+Subject: bnxt_en: Set default completion ring for async events.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+
+[ Upstream commit 486b5c22ea1d35e00e90dd79a32a9ee530b18915 ]
+
+With the added support for the bnxt_re RDMA driver, both drivers can be
+allocating completion rings in any order. The firmware does not know
+which completion ring should be receiving async events. Add an
+extra step to tell firmware the completion ring number for receiving
+async events after bnxt_en allocates the completion rings.
+
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -3800,6 +3800,30 @@ static int hwrm_ring_alloc_send_msg(stru
+ return rc;
+ }
+
++static int bnxt_hwrm_set_async_event_cr(struct bnxt *bp, int idx)
++{
++ int rc;
++
++ if (BNXT_PF(bp)) {
++ struct hwrm_func_cfg_input req = {0};
++
++ bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FUNC_CFG, -1, -1);
++ req.fid = cpu_to_le16(0xffff);
++ req.enables = cpu_to_le32(FUNC_CFG_REQ_ENABLES_ASYNC_EVENT_CR);
++ req.async_event_cr = cpu_to_le16(idx);
++ rc = hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT);
++ } else {
++ struct hwrm_func_vf_cfg_input req = {0};
++
++ bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FUNC_VF_CFG, -1, -1);
++ req.enables =
++ cpu_to_le32(FUNC_VF_CFG_REQ_ENABLES_ASYNC_EVENT_CR);
++ req.async_event_cr = cpu_to_le16(idx);
++ rc = hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT);
++ }
++ return rc;
++}
++
+ static int bnxt_hwrm_ring_alloc(struct bnxt *bp)
+ {
+ int i, rc = 0;
+@@ -3816,6 +3840,12 @@ static int bnxt_hwrm_ring_alloc(struct b
+ goto err_out;
+ BNXT_CP_DB(cpr->cp_doorbell, cpr->cp_raw_cons);
+ bp->grp_info[i].cp_fw_ring_id = ring->fw_ring_id;
++
++ if (!i) {
++ rc = bnxt_hwrm_set_async_event_cr(bp, ring->fw_ring_id);
++ if (rc)
++ netdev_warn(bp->dev, "Failed to set async event completion ring.\n");
++ }
+ }
+
+ for (i = 0; i < bp->tx_nr_rings; i++) {
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Pan Bian <bianpan2016@163.com>
+Date: Sun, 4 Dec 2016 12:51:53 +0800
+Subject: btrfs: return the actual error value from from btrfs_uuid_tree_iterate
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit 73ba39ab9307340dc98ec3622891314bbc09cc2e ]
+
+In function btrfs_uuid_tree_iterate(), errno is assigned to variable ret
+on errors. However, it directly returns 0. It may be better to return
+ret. This patch also removes the warning, because the caller already
+prints a warning.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188731
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Reviewed-by: Omar Sandoval <osandov@fb.com>
+[ edited subject ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/uuid-tree.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/fs/btrfs/uuid-tree.c
++++ b/fs/btrfs/uuid-tree.c
+@@ -351,7 +351,5 @@ skip:
+
+ out:
+ btrfs_free_path(path);
+- if (ret)
+- btrfs_warn(fs_info, "btrfs_uuid_tree_iterate failed %d", ret);
+- return 0;
++ return ret;
+ }
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Hans Verkuil <hansverk@cisco.com>
+Date: Fri, 9 Dec 2016 11:28:19 -0200
+Subject: [media] cec: CEC_MSG_GIVE_FEATURES should abort for CEC version < 2
+
+From: Hans Verkuil <hansverk@cisco.com>
+
+
+[ Upstream commit a24f56d47930492c94ef6875bf45adf7607ca1a4 ]
+
+This is a 2.0 only message, so it should return Feature Abort if the
+adapter is configured for CEC version 1.4.
+
+Right now it does nothing, which means that the sender will time out.
+
+Signed-off-by: Hans Verkuil <hansverk@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/media/cec/cec-adap.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/media/cec/cec-adap.c
++++ b/drivers/staging/media/cec/cec-adap.c
+@@ -1557,9 +1557,9 @@ static int cec_receive_notify(struct cec
+ }
+
+ case CEC_MSG_GIVE_FEATURES:
+- if (adap->log_addrs.cec_version >= CEC_OP_CEC_VERSION_2_0)
+- return cec_report_features(adap, la_idx);
+- return 0;
++ if (adap->log_addrs.cec_version < CEC_OP_CEC_VERSION_2_0)
++ return cec_feature_abort(adap, msg);
++ return cec_report_features(adap, la_idx);
+
+ default:
+ /*
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Hans Verkuil <hansverk@cisco.com>
+Date: Fri, 9 Dec 2016 11:54:06 -0200
+Subject: [media] cec: update log_addr[] before finishing configuration
+
+From: Hans Verkuil <hansverk@cisco.com>
+
+
+[ Upstream commit 7af26f889eb67db272021a939f7d4a57e96dd961 ]
+
+The loop that sets the unused logical addresses to INVALID should be
+done before 'configured' is set to true. This ensures that cec_log_addrs
+is consistent before it will be used.
+
+Signed-off-by: Hans Verkuil <hansverk@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/media/cec/cec-adap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/media/cec/cec-adap.c
++++ b/drivers/staging/media/cec/cec-adap.c
+@@ -1062,6 +1062,8 @@ configured:
+ for (i = 1; i < las->num_log_addrs; i++)
+ las->log_addr[i] = CEC_LOG_ADDR_INVALID;
+ }
++ for (i = las->num_log_addrs; i < CEC_MAX_LOG_ADDRS; i++)
++ las->log_addr[i] = CEC_LOG_ADDR_INVALID;
+ adap->is_configured = true;
+ adap->is_configuring = false;
+ cec_post_state_event(adap);
+@@ -1079,8 +1081,6 @@ configured:
+ cec_report_features(adap, i);
+ cec_report_phys_addr(adap, i);
+ }
+- for (i = las->num_log_addrs; i < CEC_MAX_LOG_ADDRS; i++)
+- las->log_addr[i] = CEC_LOG_ADDR_INVALID;
+ mutex_lock(&adap->lock);
+ adap->kthread_config = NULL;
+ mutex_unlock(&adap->lock);
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Hans Verkuil <hansverk@cisco.com>
+Date: Fri, 9 Dec 2016 11:14:32 -0200
+Subject: [media] cec: when canceling a message, don't overwrite old status info
+
+From: Hans Verkuil <hansverk@cisco.com>
+
+
+[ Upstream commit 120476123646ba3619c90db7bcbc6f8eea53c990 ]
+
+When a pending message was canceled (e.g. due to a timeout), then the
+old tx_status info was overwritten instead of ORed. The same happened
+with the tx_error_cnt field. So just modify them instead of overwriting
+them.
+
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/media/cec/cec-adap.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/media/cec/cec-adap.c
++++ b/drivers/staging/media/cec/cec-adap.c
+@@ -288,10 +288,10 @@ static void cec_data_cancel(struct cec_d
+
+ /* Mark it as an error */
+ data->msg.tx_ts = ktime_get_ns();
+- data->msg.tx_status = CEC_TX_STATUS_ERROR |
+- CEC_TX_STATUS_MAX_RETRIES;
++ data->msg.tx_status |= CEC_TX_STATUS_ERROR |
++ CEC_TX_STATUS_MAX_RETRIES;
++ data->msg.tx_error_cnt++;
+ data->attempts = 0;
+- data->msg.tx_error_cnt = 1;
+ /* Queue transmitted message for monitoring purposes */
+ cec_queue_msg_monitor(data->adap, &data->msg, 1);
+
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Abhishek Sahu <absahu@codeaurora.org>
+Date: Fri, 25 Nov 2016 21:11:32 +0530
+Subject: clk: qcom: ipq4019: Add all the frequencies for apss cpu
+
+From: Abhishek Sahu <absahu@codeaurora.org>
+
+
+[ Upstream commit 86c654d41a52e3d17e9bc2c2ba37f3c963e66a4a ]
+
+The APSS CPU clock does not contain all the frequencies in its
+frequency table so this patch adds the same.
+
+Signed-off-by: Abhishek Sahu <absahu@codeaurora.org>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/qcom/gcc-ipq4019.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/qcom/gcc-ipq4019.c
++++ b/drivers/clk/qcom/gcc-ipq4019.c
+@@ -525,10 +525,20 @@ static struct clk_rcg2 sdcc1_apps_clk_s
+ };
+
+ static const struct freq_tbl ftbl_gcc_apps_clk[] = {
+- F(48000000, P_XO, 1, 0, 0),
++ F(48000000, P_XO, 1, 0, 0),
+ F(200000000, P_FEPLL200, 1, 0, 0),
++ F(384000000, P_DDRPLLAPSS, 1, 0, 0),
++ F(413000000, P_DDRPLLAPSS, 1, 0, 0),
++ F(448000000, P_DDRPLLAPSS, 1, 0, 0),
++ F(488000000, P_DDRPLLAPSS, 1, 0, 0),
+ F(500000000, P_FEPLL500, 1, 0, 0),
+- F(626000000, P_DDRPLLAPSS, 1, 0, 0),
++ F(512000000, P_DDRPLLAPSS, 1, 0, 0),
++ F(537000000, P_DDRPLLAPSS, 1, 0, 0),
++ F(565000000, P_DDRPLLAPSS, 1, 0, 0),
++ F(597000000, P_DDRPLLAPSS, 1, 0, 0),
++ F(632000000, P_DDRPLLAPSS, 1, 0, 0),
++ F(672000000, P_DDRPLLAPSS, 1, 0, 0),
++ F(716000000, P_DDRPLLAPSS, 1, 0, 0),
+ { }
+ };
+
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Marcus Cooper <codekipper@gmail.com>
+Date: Tue, 20 Dec 2016 11:44:46 +0100
+Subject: clk: sunxi-ng: A31: Fix spdif clock register
+
+From: Marcus Cooper <codekipper@gmail.com>
+
+
+[ Upstream commit 70421257c068b91476e70cade15fca68045d0693 ]
+
+As the SPDIF was rarely documented on the earlier Allwinner SoCs
+it was assumed that it had a similar clock register to the one
+described in the H3 User Manual.
+
+However this is not the case and it looks to shares the same setup
+as the I2S clock registers.
+
+Signed-off-by: Marcus Cooper <codekipper@gmail.com>
+Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/sunxi-ng/ccu-sun6i-a31.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/sunxi-ng/ccu-sun6i-a31.c
++++ b/drivers/clk/sunxi-ng/ccu-sun6i-a31.c
+@@ -468,8 +468,8 @@ static SUNXI_CCU_MUX_WITH_GATE(daudio0_c
+ static SUNXI_CCU_MUX_WITH_GATE(daudio1_clk, "daudio1", daudio_parents,
+ 0x0b4, 16, 2, BIT(31), CLK_SET_RATE_PARENT);
+
+-static SUNXI_CCU_M_WITH_GATE(spdif_clk, "spdif", "pll-audio",
+- 0x0c0, 0, 4, BIT(31), CLK_SET_RATE_PARENT);
++static SUNXI_CCU_MUX_WITH_GATE(spdif_clk, "spdif", daudio_parents,
++ 0x0c0, 16, 2, BIT(31), CLK_SET_RATE_PARENT);
+
+ static SUNXI_CCU_GATE(usb_phy0_clk, "usb-phy0", "osc24M",
+ 0x0cc, BIT(8), 0);
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Icenowy Zheng <icenowy@aosc.xyz>
+Date: Tue, 13 Dec 2016 23:22:47 +0800
+Subject: clk: sunxi-ng: fix PLL_CPUX adjusting on A33
+
+From: Icenowy Zheng <icenowy@aosc.xyz>
+
+
+[ Upstream commit 790d929b540661945d1c70652ffb602c5c06ad85 ]
+
+When adjusting PLL_CPUX on A33, the PLL is temporarily driven too high,
+and the system hangs.
+
+Add a notifier to avoid this situation by temporarily switching to a
+known stable 24 MHz oscillator.
+
+Signed-off-by: Icenowy Zheng <icenowy@aosc.xyz>
+Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/sunxi-ng/ccu-sun8i-a33.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/clk/sunxi-ng/ccu-sun8i-a33.c
++++ b/drivers/clk/sunxi-ng/ccu-sun8i-a33.c
+@@ -752,6 +752,13 @@ static const struct sunxi_ccu_desc sun8i
+ .num_resets = ARRAY_SIZE(sun8i_a33_ccu_resets),
+ };
+
++static struct ccu_mux_nb sun8i_a33_cpu_nb = {
++ .common = &cpux_clk.common,
++ .cm = &cpux_clk.mux,
++ .delay_us = 1, /* > 8 clock cycles at 24 MHz */
++ .bypass_index = 1, /* index of 24 MHz oscillator */
++};
++
+ static void __init sun8i_a33_ccu_setup(struct device_node *node)
+ {
+ void __iomem *reg;
+@@ -775,6 +782,9 @@ static void __init sun8i_a33_ccu_setup(s
+ writel(val, reg + SUN8I_A33_PLL_MIPI_REG);
+
+ sunxi_ccu_probe(node, reg, &sun8i_a33_ccu_desc);
++
++ ccu_mux_notifier_register(pll_cpux_clk.common.hw.clk,
++ &sun8i_a33_cpu_nb);
+ }
+ CLK_OF_DECLARE(sun8i_a33_ccu, "allwinner,sun8i-a33-ccu",
+ sun8i_a33_ccu_setup);
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Romain Perier <romain.perier@free-electrons.com>
+Date: Wed, 14 Dec 2016 15:15:07 +0100
+Subject: crypto: marvell - Copy IVDIG before launching partial DMA ahash requests
+
+From: Romain Perier <romain.perier@free-electrons.com>
+
+
+[ Upstream commit 8759fec4af222f338d08f8f1a7ad6a77ca6cb301 ]
+
+Currently, inner IV/DIGEST data are only copied once into the hash
+engines and not set explicitly before launching a request that is not a
+first frag. This is an issue especially when multiple ahash reqs are
+computed in parallel or chained with cipher request, as the state of the
+request being computed is not updated into the hash engine. It leads to
+non-deterministic corrupted digest results.
+
+Fixes: commit 2786cee8e50b ("crypto: marvell - Move SRAM I/O operations to step functions")
+Signed-off-by: Romain Perier <romain.perier@free-electrons.com>
+Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/marvell/cesa.h | 3 ++-
+ drivers/crypto/marvell/hash.c | 34 +++++++++++++++++++++++++++++++++-
+ drivers/crypto/marvell/tdma.c | 9 ++++++++-
+ 3 files changed, 43 insertions(+), 3 deletions(-)
+
+--- a/drivers/crypto/marvell/cesa.h
++++ b/drivers/crypto/marvell/cesa.h
+@@ -273,7 +273,8 @@ struct mv_cesa_op_ctx {
+ #define CESA_TDMA_SRC_IN_SRAM BIT(30)
+ #define CESA_TDMA_END_OF_REQ BIT(29)
+ #define CESA_TDMA_BREAK_CHAIN BIT(28)
+-#define CESA_TDMA_TYPE_MSK GENMASK(27, 0)
++#define CESA_TDMA_SET_STATE BIT(27)
++#define CESA_TDMA_TYPE_MSK GENMASK(26, 0)
+ #define CESA_TDMA_DUMMY 0
+ #define CESA_TDMA_DATA 1
+ #define CESA_TDMA_OP 2
+--- a/drivers/crypto/marvell/hash.c
++++ b/drivers/crypto/marvell/hash.c
+@@ -280,13 +280,32 @@ static void mv_cesa_ahash_std_prepare(st
+ sreq->offset = 0;
+ }
+
++static void mv_cesa_ahash_dma_step(struct ahash_request *req)
++{
++ struct mv_cesa_ahash_req *creq = ahash_request_ctx(req);
++ struct mv_cesa_req *base = &creq->base;
++
++ /* We must explicitly set the digest state. */
++ if (base->chain.first->flags & CESA_TDMA_SET_STATE) {
++ struct mv_cesa_engine *engine = base->engine;
++ int i;
++
++ /* Set the hash state in the IVDIG regs. */
++ for (i = 0; i < ARRAY_SIZE(creq->state); i++)
++ writel_relaxed(creq->state[i], engine->regs +
++ CESA_IVDIG(i));
++ }
++
++ mv_cesa_dma_step(base);
++}
++
+ static void mv_cesa_ahash_step(struct crypto_async_request *req)
+ {
+ struct ahash_request *ahashreq = ahash_request_cast(req);
+ struct mv_cesa_ahash_req *creq = ahash_request_ctx(ahashreq);
+
+ if (mv_cesa_req_get_type(&creq->base) == CESA_DMA_REQ)
+- mv_cesa_dma_step(&creq->base);
++ mv_cesa_ahash_dma_step(ahashreq);
+ else
+ mv_cesa_ahash_std_step(ahashreq);
+ }
+@@ -562,11 +581,15 @@ static int mv_cesa_ahash_dma_req_init(st
+ struct mv_cesa_ahash_dma_iter iter;
+ struct mv_cesa_op_ctx *op = NULL;
+ unsigned int frag_len;
++ bool set_state = false;
+ int ret;
+
+ basereq->chain.first = NULL;
+ basereq->chain.last = NULL;
+
++ if (!mv_cesa_mac_op_is_first_frag(&creq->op_tmpl))
++ set_state = true;
++
+ if (creq->src_nents) {
+ ret = dma_map_sg(cesa_dev->dev, req->src, creq->src_nents,
+ DMA_TO_DEVICE);
+@@ -650,6 +673,15 @@ static int mv_cesa_ahash_dma_req_init(st
+ basereq->chain.last->flags |= (CESA_TDMA_END_OF_REQ |
+ CESA_TDMA_BREAK_CHAIN);
+
++ if (set_state) {
++ /*
++ * Put the CESA_TDMA_SET_STATE flag on the first tdma desc to
++ * let the step logic know that the IVDIG registers should be
++ * explicitly set before launching a TDMA chain.
++ */
++ basereq->chain.first->flags |= CESA_TDMA_SET_STATE;
++ }
++
+ return 0;
+
+ err_free_tdma:
+--- a/drivers/crypto/marvell/tdma.c
++++ b/drivers/crypto/marvell/tdma.c
+@@ -112,7 +112,14 @@ void mv_cesa_tdma_chain(struct mv_cesa_e
+ last->next = dreq->chain.first;
+ engine->chain.last = dreq->chain.last;
+
+- if (!(last->flags & CESA_TDMA_BREAK_CHAIN))
++ /*
++ * Break the DMA chain if the CESA_TDMA_BREAK_CHAIN is set on
++ * the last element of the current chain, or if the request
++ * being queued needs the IV regs to be set before lauching
++ * the request.
++ */
++ if (!(last->flags & CESA_TDMA_BREAK_CHAIN) &&
++ !(dreq->chain.first->flags & CESA_TDMA_SET_STATE))
+ last->next_dma = dreq->chain.first->cur_dma;
+ }
+ }
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Shawn Guo <shawn.guo@linaro.org>
+Date: Thu, 15 Dec 2016 22:03:36 +0800
+Subject: dmaengine: zx: set DMA_CYCLIC cap_mask bit
+
+From: Shawn Guo <shawn.guo@linaro.org>
+
+
+[ Upstream commit fc318d64f3d91e15babac00e08354b1beb650b57 ]
+
+The zx_dma driver supports cyclic transfer mode. Let's set DMA_CYCLIC
+cap_mask bit to make that clear, and avoid unnecessary failure when
+clients request channel via dma_request_chan_by_mask() with DMA_CYCLIC
+bit set in mask.
+
+Signed-off-by: Shawn Guo <shawn.guo@linaro.org>
+Reviewed-by: Jun Nie <jun.nie@linaro.org>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/zx296702_dma.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/dma/zx296702_dma.c
++++ b/drivers/dma/zx296702_dma.c
+@@ -813,6 +813,7 @@ static int zx_dma_probe(struct platform_
+ INIT_LIST_HEAD(&d->slave.channels);
+ dma_cap_set(DMA_SLAVE, d->slave.cap_mask);
+ dma_cap_set(DMA_MEMCPY, d->slave.cap_mask);
++ dma_cap_set(DMA_CYCLIC, d->slave.cap_mask);
+ dma_cap_set(DMA_PRIVATE, d->slave.cap_mask);
+ d->slave.dev = &op->dev;
+ d->slave.device_free_chan_resources = zx_dma_free_chan_resources;
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Thu, 22 Dec 2016 08:36:38 +0000
+Subject: drm: Apply range restriction after color adjustment when allocation
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+
+[ Upstream commit 3db93756b501e5f0a3951c79cfa9ed43c26d3455 ]
+
+mm->color_adjust() compares the hole with its neighbouring nodes. They
+only abutt before we restrict the hole, so we have to apply color_adjust
+before we apply the range restriction.
+
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: http://patchwork.freedesktop.org/patch/msgid/20161222083641.2691-36-chris@chris-wilson.co.uk
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_mm.c | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+--- a/drivers/gpu/drm/drm_mm.c
++++ b/drivers/gpu/drm/drm_mm.c
+@@ -348,14 +348,12 @@ static void drm_mm_insert_helper_range(s
+
+ BUG_ON(!hole_node->hole_follows || node->allocated);
+
+- if (adj_start < start)
+- adj_start = start;
+- if (adj_end > end)
+- adj_end = end;
+-
+ if (mm->color_adjust)
+ mm->color_adjust(hole_node, color, &adj_start, &adj_end);
+
++ adj_start = max(adj_start, start);
++ adj_end = min(adj_end, end);
++
+ if (flags & DRM_MM_CREATE_TOP)
+ adj_start = adj_end - size;
+
+@@ -566,17 +564,15 @@ static struct drm_mm_node *drm_mm_search
+ flags & DRM_MM_SEARCH_BELOW) {
+ u64 hole_size = adj_end - adj_start;
+
+- if (adj_start < start)
+- adj_start = start;
+- if (adj_end > end)
+- adj_end = end;
+-
+ if (mm->color_adjust) {
+ mm->color_adjust(entry, color, &adj_start, &adj_end);
+ if (adj_end <= adj_start)
+ continue;
+ }
+
++ adj_start = max(adj_start, start);
++ adj_end = min(adj_end, end);
++
+ if (!check_free_hole(adj_start, adj_end, size, alignment))
+ continue;
+
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Fri, 30 Dec 2016 17:38:52 +0100
+Subject: drm/armada: Fix compile fail
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+
+[ Upstream commit 7357f89954b6d005df6ab8929759e78d7d9a80f9 ]
+
+I reported the include issue for tracepoints a while ago, but nothing
+seems to have happened. Now it bit us, since the drm_mm_print
+conversion was broken for armada. Fix it, so I can re-enable armada
+in the drm-misc build configs.
+
+v2: Rebase just the compile fix on top of Chris' build fix.
+
+Cc: Russell King <rmk+kernel@armlinux.org.uk>
+Cc: Chris Wilson <chris@chris-wilson.co.uk>
+Acked: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/1483115932-19584-1-git-send-email-daniel.vetter@ffwll.ch
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/armada/Makefile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/armada/Makefile
++++ b/drivers/gpu/drm/armada/Makefile
+@@ -4,3 +4,5 @@ armada-y += armada_510.o
+ armada-$(CONFIG_DEBUG_FS) += armada_debugfs.o
+
+ obj-$(CONFIG_DRM_ARMADA) := armada.o
++
++CFLAGS_armada_trace.o := -I$(src)
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Thu, 8 Dec 2016 12:07:38 +0100
+Subject: drm/mediatek: don't use drm_put_dev
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+
+[ Upstream commit ae9d2daecf086958a41ad216152ec208d70ba325 ]
+
+fsl is already fully demidlayered in the probe function, but for
+convenience stuck with drm_put_dev. Call the unregister/unref parts
+separately, to make sure this driver works correct.
+
+Cc: Philipp Zabel <p.zabel@pengutronix.de>
+Cc: CK Hu <ck.hu@mediatek.com>
+Reviewed-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20161208110739.24417-3-daniel.vetter@ffwll.ch
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/mediatek/mtk_drm_drv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
++++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+@@ -321,7 +321,8 @@ static void mtk_drm_unbind(struct device
+ {
+ struct mtk_drm_private *private = dev_get_drvdata(dev);
+
+- drm_put_dev(private->drm);
++ drm_dev_unregister(private->drm);
++ drm_dev_unref(private->drm);
+ private->drm = NULL;
+ }
+
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Fri, 18 Nov 2016 19:18:47 +0100
+Subject: drm/sun4i: Fix a return value in case of error
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit 0f0861e31e3c59ca4bc1ec59d99260cfca79740e ]
+
+If 'sun4i_backend_drm_format_to_layer()' does not return 0, then 'val' is
+left unmodified.
+As it is not initialized either, the return value can be anything.
+
+It is likely that returning the error code was expected here.
+
+As the only caller of 'sun4i_backend_update_layer_formats()' does not check
+the return value, this fix is purely theorical.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/sun4i/sun4i_backend.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/sun4i/sun4i_backend.c
++++ b/drivers/gpu/drm/sun4i/sun4i_backend.c
+@@ -172,7 +172,7 @@ int sun4i_backend_update_layer_formats(s
+ ret = sun4i_backend_drm_format_to_layer(plane, fb->pixel_format, &val);
+ if (ret) {
+ DRM_DEBUG_DRIVER("Invalid format\n");
+- return val;
++ return ret;
+ }
+
+ regmap_update_bits(backend->regs, SUN4I_BACKEND_ATTCTL_REG1(layer),
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 5 Dec 2016 11:12:44 -0800
+Subject: fscrypt: use ENOKEY when file cannot be created w/o key
+
+From: Eric Biggers <ebiggers@google.com>
+
+
+[ Upstream commit 54475f531bb8d7078f63c159e5e0615d486c498c ]
+
+As part of an effort to clean up fscrypt-related error codes, make
+attempting to create a file in an encrypted directory that hasn't been
+"unlocked" fail with ENOKEY. Previously, several error codes were used
+for this case, including ENOENT, EACCES, and EPERM, and they were not
+consistent between and within filesystems. ENOKEY is a better choice
+because it expresses that the failure is due to lacking the encryption
+key. It also matches the error code returned when trying to open an
+encrypted regular file without the key.
+
+I am not aware of any users who might be relying on the previous
+inconsistent error codes, which were never documented anywhere.
+
+This failure case will be exercised by an xfstest.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/crypto/fname.c | 4 ++--
+ fs/ext4/ialloc.c | 2 +-
+ fs/ext4/namei.c | 4 +++-
+ fs/f2fs/dir.c | 5 ++++-
+ fs/f2fs/namei.c | 4 ++--
+ 5 files changed, 12 insertions(+), 7 deletions(-)
+
+--- a/fs/crypto/fname.c
++++ b/fs/crypto/fname.c
+@@ -332,7 +332,7 @@ int fscrypt_fname_usr_to_disk(struct ino
+ * in a directory. Consequently, a user space name cannot be mapped to
+ * a disk-space name
+ */
+- return -EACCES;
++ return -ENOKEY;
+ }
+ EXPORT_SYMBOL(fscrypt_fname_usr_to_disk);
+
+@@ -367,7 +367,7 @@ int fscrypt_setup_filename(struct inode
+ return 0;
+ }
+ if (!lookup)
+- return -EACCES;
++ return -ENOKEY;
+
+ /*
+ * We don't have the key and we are doing a lookup; decode the
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -771,7 +771,7 @@ struct inode *__ext4_new_inode(handle_t
+ if (err)
+ return ERR_PTR(err);
+ if (!fscrypt_has_encryption_key(dir))
+- return ERR_PTR(-EPERM);
++ return ERR_PTR(-ENOKEY);
+ if (!handle)
+ nblocks += EXT4_DATA_TRANS_BLOCKS(dir->i_sb);
+ encrypt = 1;
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -1378,6 +1378,8 @@ static struct buffer_head * ext4_find_en
+ return NULL;
+
+ retval = ext4_fname_setup_filename(dir, d_name, 1, &fname);
++ if (retval == -ENOENT)
++ return NULL;
+ if (retval)
+ return ERR_PTR(retval);
+
+@@ -3090,7 +3092,7 @@ static int ext4_symlink(struct inode *di
+ if (err)
+ return err;
+ if (!fscrypt_has_encryption_key(dir))
+- return -EPERM;
++ return -ENOKEY;
+ disk_link.len = (fscrypt_fname_encrypted_size(dir, len) +
+ sizeof(struct fscrypt_symlink_data));
+ sd = kzalloc(disk_link.len, GFP_KERNEL);
+--- a/fs/f2fs/dir.c
++++ b/fs/f2fs/dir.c
+@@ -277,7 +277,10 @@ struct f2fs_dir_entry *f2fs_find_entry(s
+
+ err = fscrypt_setup_filename(dir, child, 1, &fname);
+ if (err) {
+- *res_page = ERR_PTR(err);
++ if (err == -ENOENT)
++ *res_page = NULL;
++ else
++ *res_page = ERR_PTR(err);
+ return NULL;
+ }
+
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -403,7 +403,7 @@ static int f2fs_symlink(struct inode *di
+ return err;
+
+ if (!fscrypt_has_encryption_key(dir))
+- return -EPERM;
++ return -ENOKEY;
+
+ disk_link.len = (fscrypt_fname_encrypted_size(dir, len) +
+ sizeof(struct fscrypt_symlink_data));
+@@ -447,7 +447,7 @@ static int f2fs_symlink(struct inode *di
+ goto err_out;
+
+ if (!fscrypt_has_encryption_key(inode)) {
+- err = -EPERM;
++ err = -ENOKEY;
+ goto err_out;
+ }
+
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 5 Dec 2016 11:12:45 -0800
+Subject: fscrypt: use ENOTDIR when setting encryption policy on nondirectory
+
+From: Eric Biggers <ebiggers@google.com>
+
+
+[ Upstream commit dffd0cfa06d4ed83bb3ae8eb067989ceec5d18e1 ]
+
+As part of an effort to clean up fscrypt-related error codes, make
+FS_IOC_SET_ENCRYPTION_POLICY fail with ENOTDIR when the file descriptor
+does not refer to a directory. This is more descriptive than EINVAL,
+which was ambiguous with some of the other error cases.
+
+I am not aware of any users who might be relying on the previous error
+code of EINVAL, which was never documented anywhere, and in some buggy
+kernels did not exist at all as the S_ISDIR() check was missing.
+
+This failure case will be exercised by an xfstest.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/crypto/policy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/crypto/policy.c
++++ b/fs/crypto/policy.c
+@@ -113,7 +113,7 @@ int fscrypt_process_policy(struct file *
+
+ if (!inode_has_encryption_context(inode)) {
+ if (!S_ISDIR(inode->i_mode))
+- ret = -EINVAL;
++ ret = -ENOTDIR;
+ else if (!inode->i_sb->s_cop->empty_dir)
+ ret = -EOPNOTSUPP;
+ else if (!inode->i_sb->s_cop->empty_dir(inode))
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Date: Tue, 20 Dec 2016 12:28:19 +0100
+Subject: gpio: mockup: dynamically allocate memory for chip name
+
+From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+
+
+[ Upstream commit ad6d8004fa29a8958381b60215e32d1e903b0492 ]
+
+Currently the chip name buffer is allocated on the stack and the
+address of the buffer is passed to the gpio framework. It's invalid
+after probe() returns, so the sysfs label attribute displays garbage.
+
+Use devm_kasprintf() for each string instead.
+
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-mockup.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpio/gpio-mockup.c
++++ b/drivers/gpio/gpio-mockup.c
+@@ -126,7 +126,7 @@ static int mockup_gpio_probe(struct plat
+ int i;
+ int base;
+ int ngpio;
+- char chip_name[sizeof(GPIO_NAME) + 3];
++ char *chip_name;
+
+ if (gpio_mockup_params_nr < 2)
+ return -EINVAL;
+@@ -146,8 +146,12 @@ static int mockup_gpio_probe(struct plat
+ ngpio = gpio_mockup_ranges[i * 2 + 1] - base;
+
+ if (ngpio >= 0) {
+- sprintf(chip_name, "%s-%c", GPIO_NAME,
+- pins_name_start + i);
++ chip_name = devm_kasprintf(dev, GFP_KERNEL,
++ "%s-%c", GPIO_NAME,
++ pins_name_start + i);
++ if (!chip_name)
++ return -ENOMEM;
++
+ ret = mockup_gpio_add(dev, &cntr[i],
+ chip_name, base, ngpio);
+ } else {
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Pan Bian <bianpan2016@163.com>
+Date: Sat, 3 Dec 2016 17:24:17 +0800
+Subject: iio: light: fix improper return value
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit db4e5376d058af8924fafd0520a0942d92538d0e ]
+
+In function cm3232_reg_init(), it returns 0 even if the last call to
+i2c_smbus_write_byte_data() returns a negative value (indicates error).
+As a result, the return value may be inconsistent with the execution
+status, and the caller of cm3232_reg_init() will not be able to detect
+the error. This patch fixes the bug.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188641
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/cm3232.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/light/cm3232.c
++++ b/drivers/iio/light/cm3232.c
+@@ -119,7 +119,7 @@ static int cm3232_reg_init(struct cm3232
+ if (ret < 0)
+ dev_err(&chip->client->dev, "Error writing reg_cmd\n");
+
+- return 0;
++ return ret;
+ }
+
+ /**
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Masashi Honma <masashi.honma@gmail.com>
+Date: Thu, 8 Dec 2016 10:15:50 +0900
+Subject: mac80211: Remove invalid flag operations in mesh TSF synchronization
+
+From: Masashi Honma <masashi.honma@gmail.com>
+
+
+[ Upstream commit 76f43b4c0a9337af22827d78de4f2b8fd5328489 ]
+
+mesh_sync_offset_adjust_tbtt() implements Extensible synchronization
+framework ([1] 13.13.2 Extensible synchronization framework). It shall
+not operate the flag "TBTT Adjusting subfield" ([1] 8.4.2.100.8 Mesh
+Capability), since it is used only for MBCA ([1] 13.13.4 Mesh beacon
+collision avoidance, see 13.13.4.4.3 TBTT scanning and adjustment
+procedures for detail). So this patch remove the flag operations.
+
+[1] IEEE Std 802.11 2012
+
+Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
+[remove adjusting_tbtt entirely, since it's now unused]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/ieee80211_i.h | 1 -
+ net/mac80211/mesh.c | 3 ---
+ net/mac80211/mesh_sync.c | 11 -----------
+ 3 files changed, 15 deletions(-)
+
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -681,7 +681,6 @@ struct ieee80211_if_mesh {
+ const struct ieee80211_mesh_sync_ops *sync_ops;
+ s64 sync_offset_clockdrift_max;
+ spinlock_t sync_offset_lock;
+- bool adjusting_tbtt;
+ /* mesh power save */
+ enum nl80211_mesh_power_mode nonpeer_pm;
+ int ps_peers_light_sleep;
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -279,8 +279,6 @@ int mesh_add_meshconf_ie(struct ieee8021
+ /* Mesh PS mode. See IEEE802.11-2012 8.4.2.100.8 */
+ *pos |= ifmsh->ps_peers_deep_sleep ?
+ IEEE80211_MESHCONF_CAPAB_POWER_SAVE_LEVEL : 0x00;
+- *pos++ |= ifmsh->adjusting_tbtt ?
+- IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING : 0x00;
+ *pos++ = 0x00;
+
+ return 0;
+@@ -850,7 +848,6 @@ int ieee80211_start_mesh(struct ieee8021
+ ifmsh->mesh_cc_id = 0; /* Disabled */
+ /* register sync ops from extensible synchronization framework */
+ ifmsh->sync_ops = ieee80211_mesh_sync_ops_get(ifmsh->mesh_sp_id);
+- ifmsh->adjusting_tbtt = false;
+ ifmsh->sync_offset_clockdrift_max = 0;
+ set_bit(MESH_WORK_HOUSEKEEPING, &ifmsh->wrkq_flags);
+ ieee80211_mesh_root_setup(ifmsh);
+--- a/net/mac80211/mesh_sync.c
++++ b/net/mac80211/mesh_sync.c
+@@ -123,7 +123,6 @@ static void mesh_sync_offset_rx_bcn_pres
+ */
+
+ if (elems->mesh_config && mesh_peer_tbtt_adjusting(elems)) {
+- clear_sta_flag(sta, WLAN_STA_TOFFSET_KNOWN);
+ msync_dbg(sdata, "STA %pM : is adjusting TBTT\n",
+ sta->sta.addr);
+ goto no_sync;
+@@ -172,11 +171,9 @@ static void mesh_sync_offset_adjust_tbtt
+ struct beacon_data *beacon)
+ {
+ struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
+- u8 cap;
+
+ WARN_ON(ifmsh->mesh_sp_id != IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET);
+ WARN_ON(!rcu_read_lock_held());
+- cap = beacon->meshconf->meshconf_cap;
+
+ spin_lock_bh(&ifmsh->sync_offset_lock);
+
+@@ -190,21 +187,13 @@ static void mesh_sync_offset_adjust_tbtt
+ "TBTT : kicking off TBTT adjustment with clockdrift_max=%lld\n",
+ ifmsh->sync_offset_clockdrift_max);
+ set_bit(MESH_WORK_DRIFT_ADJUST, &ifmsh->wrkq_flags);
+-
+- ifmsh->adjusting_tbtt = true;
+ } else {
+ msync_dbg(sdata,
+ "TBTT : max clockdrift=%lld; too small to adjust\n",
+ (long long)ifmsh->sync_offset_clockdrift_max);
+ ifmsh->sync_offset_clockdrift_max = 0;
+-
+- ifmsh->adjusting_tbtt = false;
+ }
+ spin_unlock_bh(&ifmsh->sync_offset_lock);
+-
+- beacon->meshconf->meshconf_cap = ifmsh->adjusting_tbtt ?
+- IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING | cap :
+- ~IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING & cap;
+ }
+
+ static const struct sync_method sync_methods[] = {
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Masashi Honma <masashi.honma@gmail.com>
+Date: Wed, 30 Nov 2016 09:06:04 +0900
+Subject: mac80211: Suppress NEW_PEER_CANDIDATE event if no room
+
+From: Masashi Honma <masashi.honma@gmail.com>
+
+
+[ Upstream commit 11197d006bcfabf0173a7820a163fcaac420d10e ]
+
+Previously, kernel sends NEW_PEER_CANDIDATE event to user land even if
+the found peer does not have any room to accept other peer. This causes
+continuous connection trials.
+
+Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/mesh_plink.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/net/mac80211/mesh_plink.c
++++ b/net/mac80211/mesh_plink.c
+@@ -505,12 +505,14 @@ mesh_sta_info_alloc(struct ieee80211_sub
+
+ /* Userspace handles station allocation */
+ if (sdata->u.mesh.user_mpm ||
+- sdata->u.mesh.security & IEEE80211_MESH_SEC_AUTHED)
+- cfg80211_notify_new_peer_candidate(sdata->dev, addr,
+- elems->ie_start,
+- elems->total_len,
+- GFP_KERNEL);
+- else
++ sdata->u.mesh.security & IEEE80211_MESH_SEC_AUTHED) {
++ if (mesh_peer_accepts_plinks(elems) &&
++ mesh_plink_availables(sdata))
++ cfg80211_notify_new_peer_candidate(sdata->dev, addr,
++ elems->ie_start,
++ elems->total_len,
++ GFP_KERNEL);
++ } else
+ sta = __mesh_sta_info_alloc(sdata, addr);
+
+ return sta;
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Amitkumar Karwar <akarwar@marvell.com>
+Date: Thu, 1 Dec 2016 19:23:31 +0530
+Subject: mwifiex: sdio: fix use after free issue for save_adapter
+
+From: Amitkumar Karwar <akarwar@marvell.com>
+
+
+[ Upstream commit 74c8719b8ee0922593a5cbec0bd6127d86d8a2f4 ]
+
+If we have sdio work requests received when sdio card reset is
+happening, we may end up accessing older save_adapter pointer
+later which is already freed during card reset.
+This patch solves the problem by cancelling those pending requests.
+
+Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/marvell/mwifiex/sdio.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/wireless/marvell/mwifiex/sdio.c
++++ b/drivers/net/wireless/marvell/mwifiex/sdio.c
+@@ -2296,6 +2296,12 @@ static void mwifiex_recreate_adapter(str
+ mmc_hw_reset(func->card->host);
+ sdio_release_host(func);
+
++ /* Previous save_adapter won't be valid after this. We will cancel
++ * pending work requests.
++ */
++ clear_bit(MWIFIEX_IFACE_WORK_DEVICE_DUMP, &iface_work_flags);
++ clear_bit(MWIFIEX_IFACE_WORK_CARD_RESET, &iface_work_flags);
++
+ mwifiex_sdio_probe(func, device_id);
+ }
+
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Thomas Preisner <thomas.preisner+linux@fau.de>
+Date: Fri, 30 Dec 2016 03:37:53 +0100
+Subject: net: 3com: typhoon: typhoon_init_one: fix incorrect return values
+
+From: Thomas Preisner <thomas.preisner+linux@fau.de>
+
+
+[ Upstream commit 107fded7bf616ad6f46823d98b8ed6405d7adf2d ]
+
+In a few cases the err-variable is not set to a negative error code if a
+function call in typhoon_init_one() fails and thus 0 is returned
+instead.
+It may be better to set err to the appropriate negative error
+code before returning.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188841
+
+Reported-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Thomas Preisner <thomas.preisner+linux@fau.de>
+Signed-off-by: Milan Stephan <milan.stephan+linux@fau.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/3com/typhoon.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/3com/typhoon.c
++++ b/drivers/net/ethernet/3com/typhoon.c
+@@ -2398,8 +2398,9 @@ typhoon_init_one(struct pci_dev *pdev, c
+ *(__be16 *)&dev->dev_addr[0] = htons(le16_to_cpu(xp_resp[0].parm1));
+ *(__be32 *)&dev->dev_addr[2] = htonl(le32_to_cpu(xp_resp[0].parm2));
+
+- if(!is_valid_ether_addr(dev->dev_addr)) {
++ if (!is_valid_ether_addr(dev->dev_addr)) {
+ err_msg = "Could not obtain valid ethernet address, aborting";
++ err = -EIO;
+ goto error_out_reset;
+ }
+
+@@ -2407,7 +2408,8 @@ typhoon_init_one(struct pci_dev *pdev, c
+ * later when we print out the version reported.
+ */
+ INIT_COMMAND_WITH_RESPONSE(&xp_cmd, TYPHOON_CMD_READ_VERSIONS);
+- if(typhoon_issue_command(tp, 1, &xp_cmd, 3, xp_resp) < 0) {
++ err = typhoon_issue_command(tp, 1, &xp_cmd, 3, xp_resp);
++ if (err < 0) {
+ err_msg = "Could not get Sleep Image version";
+ goto error_out_reset;
+ }
+@@ -2449,7 +2451,8 @@ typhoon_init_one(struct pci_dev *pdev, c
+ dev->features = dev->hw_features |
+ NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_RXCSUM;
+
+- if(register_netdev(dev) < 0) {
++ err = register_netdev(dev);
++ if (err < 0) {
+ err_msg = "unable to register netdev";
+ goto error_out_reset;
+ }
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Thomas Preisner <thomas.preisner+linux@fau.de>
+Date: Fri, 30 Dec 2016 03:37:54 +0100
+Subject: net: 3com: typhoon: typhoon_init_one: make return values more specific
+
+From: Thomas Preisner <thomas.preisner+linux@fau.de>
+
+
+[ Upstream commit 6b6bbb5922a4b1d4b58125a572da91010295fba3 ]
+
+In some cases the return value of a failing function is not being used
+and the function typhoon_init_one() returns another negative error code
+instead.
+
+Signed-off-by: Thomas Preisner <thomas.preisner+linux@fau.de>
+Signed-off-by: Milan Stephan <milan.stephan+linux@fau.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/3com/typhoon.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ethernet/3com/typhoon.c
++++ b/drivers/net/ethernet/3com/typhoon.c
+@@ -2366,9 +2366,9 @@ typhoon_init_one(struct pci_dev *pdev, c
+ * 4) Get the hardware address.
+ * 5) Put the card to sleep.
+ */
+- if (typhoon_reset(ioaddr, WaitSleep) < 0) {
++ err = typhoon_reset(ioaddr, WaitSleep);
++ if (err < 0) {
+ err_msg = "could not reset 3XP";
+- err = -EIO;
+ goto error_out_dma;
+ }
+
+@@ -2382,16 +2382,16 @@ typhoon_init_one(struct pci_dev *pdev, c
+ typhoon_init_interface(tp);
+ typhoon_init_rings(tp);
+
+- if(typhoon_boot_3XP(tp, TYPHOON_STATUS_WAITING_FOR_HOST) < 0) {
++ err = typhoon_boot_3XP(tp, TYPHOON_STATUS_WAITING_FOR_HOST);
++ if (err < 0) {
+ err_msg = "cannot boot 3XP sleep image";
+- err = -EIO;
+ goto error_out_reset;
+ }
+
+ INIT_COMMAND_WITH_RESPONSE(&xp_cmd, TYPHOON_CMD_READ_MAC_ADDRESS);
+- if(typhoon_issue_command(tp, 1, &xp_cmd, 1, xp_resp) < 0) {
++ err = typhoon_issue_command(tp, 1, &xp_cmd, 1, xp_resp);
++ if (err < 0) {
+ err_msg = "cannot read MAC address";
+- err = -EIO;
+ goto error_out_reset;
+ }
+
+@@ -2424,9 +2424,9 @@ typhoon_init_one(struct pci_dev *pdev, c
+ if(xp_resp[0].numDesc != 0)
+ tp->capabilities |= TYPHOON_WAKEUP_NEEDS_RESET;
+
+- if(typhoon_sleep(tp, PCI_D3hot, 0) < 0) {
++ err = typhoon_sleep(tp, PCI_D3hot, 0);
++ if (err < 0) {
+ err_msg = "cannot put adapter to sleep";
+- err = -EIO;
+ goto error_out_reset;
+ }
+
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: David Ahern <dsa@cumulusnetworks.com>
+Date: Thu, 29 Dec 2016 15:39:37 -0800
+Subject: net: Allow IP_MULTICAST_IF to set index to L3 slave
+
+From: David Ahern <dsa@cumulusnetworks.com>
+
+
+[ Upstream commit 7bb387c5ab12aeac3d5eea28686489ff46b53ca9 ]
+
+IP_MULTICAST_IF fails if sk_bound_dev_if is already set and the new index
+does not match it. e.g.,
+
+ ntpd[15381]: setsockopt IP_MULTICAST_IF 192.168.1.23 fails: Invalid argument
+
+Relax the check in setsockopt to allow setting mc_index to an L3 slave if
+sk_bound_dev_if points to an L3 master.
+
+Make a similar change for IPv6. In this case change the device lookup to
+take the rcu_read_lock avoiding a refcnt. The rcu lock is also needed for
+the lookup of a potential L3 master device.
+
+This really only silences a setsockopt failure since uses of mc_index are
+secondary to sk_bound_dev_if if it is set. In both cases, if either index
+is an L3 slave or master, lookups are directed to the same FIB table so
+relaxing the check at setsockopt time causes no harm.
+
+Patch is based on a suggested change by Darwin for a problem noted in
+their code base.
+
+Suggested-by: Darwin Dingel <darwin.dingel@alliedtelesis.co.nz>
+Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_sockglue.c | 7 ++++++-
+ net/ipv6/ipv6_sockglue.c | 16 ++++++++++++----
+ 2 files changed, 18 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -819,6 +819,7 @@ static int do_ip_setsockopt(struct sock
+ {
+ struct ip_mreqn mreq;
+ struct net_device *dev = NULL;
++ int midx;
+
+ if (sk->sk_type == SOCK_STREAM)
+ goto e_inval;
+@@ -863,11 +864,15 @@ static int do_ip_setsockopt(struct sock
+ err = -EADDRNOTAVAIL;
+ if (!dev)
+ break;
++
++ midx = l3mdev_master_ifindex(dev);
++
+ dev_put(dev);
+
+ err = -EINVAL;
+ if (sk->sk_bound_dev_if &&
+- mreq.imr_ifindex != sk->sk_bound_dev_if)
++ mreq.imr_ifindex != sk->sk_bound_dev_if &&
++ (!midx || midx != sk->sk_bound_dev_if))
+ break;
+
+ inet->mc_index = mreq.imr_ifindex;
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -585,16 +585,24 @@ done:
+
+ if (val) {
+ struct net_device *dev;
++ int midx;
+
+- if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != val)
+- goto e_inval;
++ rcu_read_lock();
+
+- dev = dev_get_by_index(net, val);
++ dev = dev_get_by_index_rcu(net, val);
+ if (!dev) {
++ rcu_read_unlock();
+ retv = -ENODEV;
+ break;
+ }
+- dev_put(dev);
++ midx = l3mdev_master_ifindex_rcu(dev);
++
++ rcu_read_unlock();
++
++ if (sk->sk_bound_dev_if &&
++ sk->sk_bound_dev_if != val &&
++ (!midx || midx != sk->sk_bound_dev_if))
++ goto e_inval;
+ }
+ np->mcast_oif = val;
+ retv = 0;
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 13 Dec 2016 13:59:33 +0100
+Subject: netfilter: nf_tables: fix oob access
+
+From: Florian Westphal <fw@strlen.de>
+
+
+[ Upstream commit 3e38df136e453aa69eb4472108ebce2fb00b1ba6 ]
+
+BUG: KASAN: slab-out-of-bounds in nf_tables_rule_destroy+0xf1/0x130 at addr ffff88006a4c35c8
+Read of size 8 by task nft/1607
+
+When we've destroyed last valid expr, nft_expr_next() returns an invalid expr.
+We must not dereference it unless it passes != nft_expr_last() check.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2068,7 +2068,7 @@ static void nf_tables_rule_destroy(const
+ * is called on error from nf_tables_newrule().
+ */
+ expr = nft_expr_first(rule);
+- while (expr->ops && expr != nft_expr_last(rule)) {
++ while (expr != nft_expr_last(rule) && expr->ops) {
+ nf_tables_expr_destroy(ctx, expr);
+ expr = nft_expr_next(expr);
+ }
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sun, 11 Dec 2016 20:46:51 +0100
+Subject: netfilter: nft_queue: use raw_smp_processor_id()
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+
+[ Upstream commit c2e756ff9e699865d294cdc112acfc36419cf5cc ]
+
+Using smp_processor_id() causes splats with PREEMPT_RCU:
+
+[19379.552780] BUG: using smp_processor_id() in preemptible [00000000] code: ping/32389
+[19379.552793] caller is debug_smp_processor_id+0x17/0x19
+[...]
+[19379.552823] Call Trace:
+[19379.552832] [<ffffffff81274e9e>] dump_stack+0x67/0x90
+[19379.552837] [<ffffffff8129a4d4>] check_preemption_disabled+0xe5/0xf5
+[19379.552842] [<ffffffff8129a4fb>] debug_smp_processor_id+0x17/0x19
+[19379.552849] [<ffffffffa07c42dd>] nft_queue_eval+0x35/0x20c [nft_queue]
+
+No need to disable preemption since we only fetch the numeric value, so
+let's use raw_smp_processor_id() instead.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_queue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_queue.c
++++ b/net/netfilter/nft_queue.c
+@@ -38,7 +38,7 @@ static void nft_queue_eval(const struct
+
+ if (priv->queues_total > 1) {
+ if (priv->flags & NFT_QUEUE_FLAG_CPU_FANOUT) {
+- int cpu = smp_processor_id();
++ int cpu = raw_smp_processor_id();
+
+ queue = priv->queuenum + cpu % priv->queues_total;
+ } else {
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Daniel Verkamp <daniel.verkamp@intel.com>
+Date: Fri, 9 Dec 2016 12:59:46 -0700
+Subject: nvmet: fix KATO offset in Set Features
+
+From: Daniel Verkamp <daniel.verkamp@intel.com>
+
+
+[ Upstream commit 6c73f949300f17851f53fa80c9d1611ccd6909d3 ]
+
+The Set Features implementation for Keep Alive Timer was using the wrong
+structure when retrieving the KATO value; it was treating the Set
+Features command as a Property Set command.
+
+The NVMe spec defines the Keep Alive Timer feature as having one input
+in CDW11 (4 bytes at offset 44 in the command) whereas the code was
+reading 8 bytes at offset 48.
+
+Since the Linux NVMe over Fabrics host never sets this feature, this
+code has presumably never been tested.
+
+Signed-off-by: Daniel Verkamp <daniel.verkamp@intel.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/target/admin-cmd.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/nvme/target/admin-cmd.c
++++ b/drivers/nvme/target/admin-cmd.c
+@@ -381,7 +381,6 @@ static void nvmet_execute_set_features(s
+ {
+ struct nvmet_subsys *subsys = req->sq->ctrl->subsys;
+ u32 cdw10 = le32_to_cpu(req->cmd->common.cdw10[0]);
+- u64 val;
+ u32 val32;
+ u16 status = 0;
+
+@@ -391,8 +390,7 @@ static void nvmet_execute_set_features(s
+ (subsys->max_qid - 1) | ((subsys->max_qid - 1) << 16));
+ break;
+ case NVME_FEAT_KATO:
+- val = le64_to_cpu(req->cmd->prop_set.value);
+- val32 = val & 0xffff;
++ val32 = le32_to_cpu(req->cmd->common.cdw10[1]);
+ req->sq->ctrl->kato = DIV_ROUND_UP(val32, 1000);
+ nvmet_set_result(req, req->sq->ctrl->kato);
+ break;
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Bjorn Helgaas <bhelgaas@google.com>
+Date: Mon, 2 Jan 2017 14:04:24 -0600
+Subject: PCI: Apply _HPX settings only to relevant devices
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+
+[ Upstream commit 977509f7c5c6fb992ffcdf4291051af343b91645 ]
+
+Previously we didn't check the type of device before trying to apply Type 1
+(PCI-X) or Type 2 (PCIe) Setting Records from _HPX.
+
+We don't support PCI-X Setting Records, so this was harmless, but the
+warning was useless.
+
+We do support PCIe Setting Records, and we didn't check whether a device
+was PCIe before applying settings. I don't think anything bad happened on
+non-PCIe devices because pcie_capability_clear_and_set_word(),
+pcie_cap_has_lnkctl(), etc., would fail before doing any harm. But it's
+ugly to depend on those internals.
+
+Check the device type before attempting to apply Type 1 and Type 2 Setting
+Records (Type 0 records are applicable to PCI, PCI-X, and PCIe devices).
+
+A side benefit is that this prevents useless "not supported" warnings when
+a BIOS supplies a Type 1 (PCI-X) Setting Record and we try to apply it to
+every single device:
+
+ pci 0000:00:00.0: PCI-X settings not supported
+
+After this patch, we'll get the warning only when a BIOS supplies a Type 1
+record and we have a PCI-X device to which it should be applied.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=187731
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/probe.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1438,8 +1438,16 @@ static void program_hpp_type0(struct pci
+
+ static void program_hpp_type1(struct pci_dev *dev, struct hpp_type1 *hpp)
+ {
+- if (hpp)
+- dev_warn(&dev->dev, "PCI-X settings not supported\n");
++ int pos;
++
++ if (!hpp)
++ return;
++
++ pos = pci_find_capability(dev, PCI_CAP_ID_PCIX);
++ if (!pos)
++ return;
++
++ dev_warn(&dev->dev, "PCI-X settings not supported\n");
+ }
+
+ static bool pcie_root_rcb_set(struct pci_dev *dev)
+@@ -1465,6 +1473,9 @@ static void program_hpp_type2(struct pci
+ if (!hpp)
+ return;
+
++ if (!pci_is_pcie(dev))
++ return;
++
+ if (hpp->revision > 1) {
+ dev_warn(&dev->dev, "PCIe settings rev %d not supported\n",
+ hpp->revision);
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Tue, 20 Dec 2016 06:40:43 +0100
+Subject: pinctrl: sirf: atlas7: Add missing 'of_node_put()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit 7af355e6715b325d8af29822f4c3dbecd7eeebec ]
+
+Reference to 'sys2pci_np' should be dropped in all cases here, not only in
+error handling path.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/sirf/pinctrl-atlas7.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/pinctrl/sirf/pinctrl-atlas7.c
++++ b/drivers/pinctrl/sirf/pinctrl-atlas7.c
+@@ -5420,14 +5420,15 @@ static int atlas7_pinmux_probe(struct pl
+ sys2pci_np = of_find_node_by_name(NULL, "sys2pci");
+ if (!sys2pci_np)
+ return -EINVAL;
++
+ ret = of_address_to_resource(sys2pci_np, 0, &res);
++ of_node_put(sys2pci_np);
+ if (ret)
+ return ret;
++
+ pmx->sys2pci_base = devm_ioremap_resource(&pdev->dev, &res);
+- if (IS_ERR(pmx->sys2pci_base)) {
+- of_node_put(sys2pci_np);
++ if (IS_ERR(pmx->sys2pci_base))
+ return -ENOMEM;
+- }
+
+ pmx->dev = &pdev->dev;
+
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Avinash Repaka <avinash.repaka@oracle.com>
+Date: Mon, 29 Feb 2016 15:30:57 -0800
+Subject: RDS: make message size limit compliant with spec
+
+From: Avinash Repaka <avinash.repaka@oracle.com>
+
+
+[ Upstream commit f9fb69adb6c7acca60977a4db5a5f95b8e66c041 ]
+
+RDS support max message size as 1M but the code doesn't check this
+in all cases. Patch fixes it for RDMA & non-RDMA and RDS MR size
+and its enforced irrespective of underlying transport.
+
+Signed-off-by: Avinash Repaka <avinash.repaka@oracle.com>
+Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/rdma.c | 9 ++++++++-
+ net/rds/rds.h | 3 +++
+ net/rds/send.c | 31 +++++++++++++++++++++++++++++++
+ 3 files changed, 42 insertions(+), 1 deletion(-)
+
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -40,7 +40,6 @@
+ /*
+ * XXX
+ * - build with sparse
+- * - should we limit the size of a mr region? let transport return failure?
+ * - should we detect duplicate keys on a socket? hmm.
+ * - an rdma is an mlock, apply rlimit?
+ */
+@@ -200,6 +199,14 @@ static int __rds_rdma_map(struct rds_soc
+ goto out;
+ }
+
++ /* Restrict the size of mr irrespective of underlying transport
++ * To account for unaligned mr regions, subtract one from nr_pages
++ */
++ if ((nr_pages - 1) > (RDS_MAX_MSG_SIZE >> PAGE_SHIFT)) {
++ ret = -EMSGSIZE;
++ goto out;
++ }
++
+ rdsdebug("RDS: get_mr addr %llx len %llu nr_pages %u\n",
+ args->vec.addr, args->vec.bytes, nr_pages);
+
+--- a/net/rds/rds.h
++++ b/net/rds/rds.h
+@@ -50,6 +50,9 @@ void rdsdebug(char *fmt, ...)
+ #define RDS_FRAG_SHIFT 12
+ #define RDS_FRAG_SIZE ((unsigned int)(1 << RDS_FRAG_SHIFT))
+
++/* Used to limit both RDMA and non-RDMA RDS message to 1MB */
++#define RDS_MAX_MSG_SIZE ((unsigned int)(1 << 20))
++
+ #define RDS_CONG_MAP_BYTES (65536 / 8)
+ #define RDS_CONG_MAP_PAGES (PAGE_ALIGN(RDS_CONG_MAP_BYTES) / PAGE_SIZE)
+ #define RDS_CONG_MAP_PAGE_BITS (PAGE_SIZE * 8)
+--- a/net/rds/send.c
++++ b/net/rds/send.c
+@@ -988,6 +988,26 @@ static int rds_send_mprds_hash(struct rd
+ return hash;
+ }
+
++static int rds_rdma_bytes(struct msghdr *msg, size_t *rdma_bytes)
++{
++ struct rds_rdma_args *args;
++ struct cmsghdr *cmsg;
++
++ for_each_cmsghdr(cmsg, msg) {
++ if (!CMSG_OK(msg, cmsg))
++ return -EINVAL;
++
++ if (cmsg->cmsg_level != SOL_RDS)
++ continue;
++
++ if (cmsg->cmsg_type == RDS_CMSG_RDMA_ARGS) {
++ args = CMSG_DATA(cmsg);
++ *rdma_bytes += args->remote_vec.bytes;
++ }
++ }
++ return 0;
++}
++
+ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
+ {
+ struct sock *sk = sock->sk;
+@@ -1002,6 +1022,7 @@ int rds_sendmsg(struct socket *sock, str
+ int nonblock = msg->msg_flags & MSG_DONTWAIT;
+ long timeo = sock_sndtimeo(sk, nonblock);
+ struct rds_conn_path *cpath;
++ size_t total_payload_len = payload_len, rdma_payload_len = 0;
+
+ /* Mirror Linux UDP mirror of BSD error message compatibility */
+ /* XXX: Perhaps MSG_MORE someday */
+@@ -1034,6 +1055,16 @@ int rds_sendmsg(struct socket *sock, str
+ }
+ release_sock(sk);
+
++ ret = rds_rdma_bytes(msg, &rdma_payload_len);
++ if (ret)
++ goto out;
++
++ total_payload_len += rdma_payload_len;
++ if (max_t(size_t, payload_len, rdma_payload_len) > RDS_MAX_MSG_SIZE) {
++ ret = -EMSGSIZE;
++ goto out;
++ }
++
+ if (payload_len > rds_sk_sndbuf(rs)) {
+ ret = -EMSGSIZE;
+ goto out;
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Date: Sun, 4 Dec 2016 16:25:43 -0800
+Subject: RDS: RDMA: fix the ib_map_mr_sg_zbva() argument
+
+From: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+
+
+[ Upstream commit 3e56c2f856d7aba6a03feea834d68f9c05f7d0b6 ]
+
+Fixes warning: Using plain integer as NULL pointer
+
+Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/ib_frmr.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/rds/ib_frmr.c
++++ b/net/rds/ib_frmr.c
+@@ -104,14 +104,15 @@ static int rds_ib_post_reg_frmr(struct r
+ struct rds_ib_frmr *frmr = &ibmr->u.frmr;
+ struct ib_send_wr *failed_wr;
+ struct ib_reg_wr reg_wr;
+- int ret;
++ int ret, off = 0;
+
+ while (atomic_dec_return(&ibmr->ic->i_fastreg_wrs) <= 0) {
+ atomic_inc(&ibmr->ic->i_fastreg_wrs);
+ cpu_relax();
+ }
+
+- ret = ib_map_mr_sg_zbva(frmr->mr, ibmr->sg, ibmr->sg_len, 0, PAGE_SIZE);
++ ret = ib_map_mr_sg_zbva(frmr->mr, ibmr->sg, ibmr->sg_len,
++ &off, PAGE_SIZE);
+ if (unlikely(ret != ibmr->sg_len))
+ return ret < 0 ? ret : -EINVAL;
+
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Date: Mon, 4 Jul 2016 17:04:37 -0700
+Subject: RDS: RDMA: return appropriate error on rdma map failures
+
+From: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+
+
+[ Upstream commit 584a8279a44a800dea5a5c1e9d53a002e03016b4 ]
+
+The first message to a remote node should prompt a new
+connection even if it is RDMA operation. For RDMA operation
+the MR mapping can fail because connections is not yet up.
+
+Since the connection establishment is asynchronous,
+we make sure the map failure because of unavailable
+connection reach to the user by appropriate error code.
+Before returning to the user, lets trigger the connection
+so that its ready for the next retry.
+
+Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/send.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/net/rds/send.c
++++ b/net/rds/send.c
+@@ -946,6 +946,11 @@ static int rds_cmsg_send(struct rds_sock
+ ret = rds_cmsg_rdma_map(rs, rm, cmsg);
+ if (!ret)
+ *allocated_mr = 1;
++ else if (ret == -ENODEV)
++ /* Accommodate the get_mr() case which can fail
++ * if connection isn't established yet.
++ */
++ ret = -EAGAIN;
+ break;
+ case RDS_CMSG_ATOMIC_CSWP:
+ case RDS_CMSG_ATOMIC_FADD:
+@@ -1114,8 +1119,12 @@ int rds_sendmsg(struct socket *sock, str
+
+ /* Parse any control messages the user may have included. */
+ ret = rds_cmsg_send(rs, rm, msg, &allocated_mr);
+- if (ret)
++ if (ret) {
++ /* Trigger connection so that its ready for the next retry */
++ if (ret == -EAGAIN)
++ rds_conn_connect_if_down(conn);
+ goto out;
++ }
+
+ if (rm->rdma.op_active && !conn->c_trans->xmit_rdma) {
+ printk_ratelimited(KERN_NOTICE "rdma_op %p conn xmit_rdma %p\n",
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Mon, 19 Dec 2016 11:52:49 +0100
+Subject: rt2800: set minimum MPDU and PSDU lengths to sane values
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+
+[ Upstream commit a51b89698ccc93c7e274eb71377fae49c4593ab2 ]
+
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+@@ -4707,8 +4707,8 @@ static int rt2800_init_registers(struct
+ rt2x00_set_field32(®, MAX_LEN_CFG_MAX_PSDU, 2);
+ else
+ rt2x00_set_field32(®, MAX_LEN_CFG_MAX_PSDU, 1);
+- rt2x00_set_field32(®, MAX_LEN_CFG_MIN_PSDU, 0);
+- rt2x00_set_field32(®, MAX_LEN_CFG_MIN_MPDU, 0);
++ rt2x00_set_field32(®, MAX_LEN_CFG_MIN_PSDU, 10);
++ rt2x00_set_field32(®, MAX_LEN_CFG_MIN_MPDU, 10);
+ rt2800_register_write(rt2x00dev, MAX_LEN_CFG, reg);
+
+ rt2800_register_read(rt2x00dev, LED_CFG, ®);
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Tue, 20 Dec 2016 12:58:10 +0100
+Subject: s390/kbuild: enable modversions for symbols exported from asm
+
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+
+[ Upstream commit cabab3f9f5ca077535080b3252e6168935b914af ]
+
+s390 version of commit 334bb7738764 ("x86/kbuild: enable modversions
+for symbols exported from asm") so we get also rid of all these
+warnings:
+
+WARNING: EXPORT symbol "_mcount" [vmlinux] version generation failed, symbol will not be versioned.
+WARNING: EXPORT symbol "memcpy" [vmlinux] version generation failed, symbol will not be versioned.
+WARNING: EXPORT symbol "memmove" [vmlinux] version generation failed, symbol will not be versioned.
+WARNING: EXPORT symbol "memset" [vmlinux] version generation failed, symbol will not be versioned.
+WARNING: EXPORT symbol "save_fpu_regs" [vmlinux] version generation failed, symbol will not be versioned.
+WARNING: EXPORT symbol "sie64a" [vmlinux] version generation failed, symbol will not be versioned.
+WARNING: EXPORT symbol "sie_exit" [vmlinux] version generation failed, symbol will not be versioned.
+
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/asm-prototypes.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+ create mode 100644 arch/s390/include/asm/asm-prototypes.h
+
+--- /dev/null
++++ b/arch/s390/include/asm/asm-prototypes.h
+@@ -0,0 +1,8 @@
++#ifndef _ASM_S390_PROTOTYPES_H
++
++#include <linux/kvm_host.h>
++#include <linux/ftrace.h>
++#include <asm/fpu/api.h>
++#include <asm-generic/asm-prototypes.h>
++
++#endif /* _ASM_S390_PROTOTYPES_H */
e1000e-fix-return-value-test.patch
e1000e-separate-signaling-for-link-check-link-up.patch
e1000e-avoid-receiver-overrun-interrupt-bursts.patch
+rds-make-message-size-limit-compliant-with-spec.patch
+rds-rdma-return-appropriate-error-on-rdma-map-failures.patch
+rds-rdma-fix-the-ib_map_mr_sg_zbva-argument.patch
+pci-apply-_hpx-settings-only-to-relevant-devices.patch
+drm-sun4i-fix-a-return-value-in-case-of-error.patch
+clk-sunxi-ng-a31-fix-spdif-clock-register.patch
+clk-sunxi-ng-fix-pll_cpux-adjusting-on-a33.patch
+dmaengine-zx-set-dma_cyclic-cap_mask-bit.patch
+fscrypt-use-enokey-when-file-cannot-be-created-w-o-key.patch
+fscrypt-use-enotdir-when-setting-encryption-policy-on-nondirectory.patch
+net-allow-ip_multicast_if-to-set-index-to-l3-slave.patch
+net-3com-typhoon-typhoon_init_one-make-return-values-more-specific.patch
+net-3com-typhoon-typhoon_init_one-fix-incorrect-return-values.patch
+drm-armada-fix-compile-fail.patch
+rt2800-set-minimum-mpdu-and-psdu-lengths-to-sane-values.patch
+adm80211-return-an-error-if-adm8211_alloc_rings-fails.patch
+mwifiex-sdio-fix-use-after-free-issue-for-save_adapter.patch
+ath10k-fix-incorrect-txpower-set-by-p2p_device-interface.patch
+ath10k-ignore-configuring-the-incorrect-board_id.patch
+ath10k-fix-potential-memory-leak-in-ath10k_wmi_tlv_op_pull_fw_stats.patch
+pinctrl-sirf-atlas7-add-missing-of_node_put.patch
+bnxt_en-set-default-completion-ring-for-async-events.patch
+ath10k-set-cts-protection-vdev-param-only-if-vdev-is-up.patch
+alsa-hda-apply-alc269_fixup_no_shutup-on-hda_fixup_act_probe.patch
+gpio-mockup-dynamically-allocate-memory-for-chip-name.patch
+drm-apply-range-restriction-after-color-adjustment-when-allocation.patch
+clk-qcom-ipq4019-add-all-the-frequencies-for-apss-cpu.patch
+drm-mediatek-don-t-use-drm_put_dev.patch
+mac80211-remove-invalid-flag-operations-in-mesh-tsf-synchronization.patch
+mac80211-suppress-new_peer_candidate-event-if-no-room.patch
+adm80211-add-checks-for-dma-mapping-errors.patch
+iio-light-fix-improper-return-value.patch
+staging-iio-cdc-fix-improper-return-value.patch
+spi-spi_fsl_dspi-should-depend-on-has_dma.patch
+netfilter-nft_queue-use-raw_smp_processor_id.patch
+netfilter-nf_tables-fix-oob-access.patch
+asoc-rsnd-don-t-double-free-kctrl.patch
+crypto-marvell-copy-ivdig-before-launching-partial-dma-ahash-requests.patch
+btrfs-return-the-actual-error-value-from-from-btrfs_uuid_tree_iterate.patch
+asoc-wm_adsp-don-t-overrun-firmware-file-buffer-when-reading-region-data.patch
+s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch
+cec-when-canceling-a-message-don-t-overwrite-old-status-info.patch
+cec-cec_msg_give_features-should-abort-for-cec-version-2.patch
+cec-update-log_addr-before-finishing-configuration.patch
+nvmet-fix-kato-offset-in-set-features.patch
+xen-xenbus-driver-must-not-accept-invalid-transaction-ids.patch
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Wed, 14 Dec 2016 13:28:05 +0100
+Subject: spi: SPI_FSL_DSPI should depend on HAS_DMA
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+
+[ Upstream commit dadab2d4e3cf708ceba22ecddd94aedfecb39199 ]
+
+If NO_DMA=y:
+
+ ERROR: "bad_dma_ops" [drivers/spi/spi-fsl-dspi.ko] undefined!
+
+Add a dependency on HAS_DMA to fix this.
+
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/spi/Kconfig
++++ b/drivers/spi/Kconfig
+@@ -365,6 +365,7 @@ config SPI_FSL_SPI
+ config SPI_FSL_DSPI
+ tristate "Freescale DSPI controller"
+ select REGMAP_MMIO
++ depends on HAS_DMA
+ depends on SOC_VF610 || SOC_LS1021A || ARCH_LAYERSCAPE || COMPILE_TEST
+ help
+ This enables support for the Freescale DSPI controller in master
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Pan Bian <bianpan2016@163.com>
+Date: Sat, 3 Dec 2016 21:44:30 +0800
+Subject: staging: iio: cdc: fix improper return value
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit 91ca1a8c584f55857b1f6ab20a1d3a1ce7a559bb ]
+
+At the end of function ad7150_write_event_config(), directly returns 0.
+As a result, the errors will be ignored by the callers. It may be better
+to return variable "ret".
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/iio/cdc/ad7150.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/iio/cdc/ad7150.c
++++ b/drivers/staging/iio/cdc/ad7150.c
+@@ -274,7 +274,7 @@ static int ad7150_write_event_config(str
+ error_ret:
+ mutex_unlock(&chip->state_lock);
+
+- return 0;
++ return ret;
+ }
+
+ static int ad7150_read_event_value(struct iio_dev *indio_dev,
--- /dev/null
+From foo@baz Tue Nov 28 10:49:28 CET 2017
+From: Juergen Gross <jgross@suse.com>
+Date: Thu, 22 Dec 2016 08:19:46 +0100
+Subject: xen: xenbus driver must not accept invalid transaction ids
+
+From: Juergen Gross <jgross@suse.com>
+
+
+[ Upstream commit 639b08810d6ad74ded2c5f6e233c4fcb9d147168 ]
+
+When accessing Xenstore in a transaction the user is specifying a
+transaction id which he normally obtained from Xenstore when starting
+the transaction. Xenstore is validating a transaction id against all
+known transaction ids of the connection the request came in. As all
+requests of a domain not being the one where Xenstore lives share
+one connection, validation of transaction ids of different users of
+Xenstore in that domain should be done by the kernel of that domain
+being the multiplexer between the Xenstore users in that domain and
+Xenstore.
+
+In order to prohibit one Xenstore user "hijacking" a transaction from
+another user the xenbus driver has to verify a given transaction id
+against all known transaction ids of the user before forwarding it to
+Xenstore.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
++++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
+@@ -316,7 +316,7 @@ static int xenbus_write_transaction(unsi
+ rc = -ENOMEM;
+ goto out;
+ }
+- } else if (msg_type == XS_TRANSACTION_END) {
++ } else if (u->u.msg.tx_id != 0) {
+ list_for_each_entry(trans, &u->transactions, list)
+ if (trans->handle.id == u->u.msg.tx_id)
+ break;
projects / thirdparty / kernel / stable-queue.git / commitdiff
