--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Marc Dionne <marc.dionne@auristor.com>
+Date: Thu, 16 Mar 2017 16:27:44 +0000
+Subject: afs: Adjust mode bits processing
+
+From: Marc Dionne <marc.dionne@auristor.com>
+
+
+[ Upstream commit 627f46943ff90bcc32ddeb675d881c043c6fa2ae ]
+
+Mode bits for an afs file should not be enforced in the usual
+way.
+
+For files, the absence of user bits can restrict file access
+with respect to what is granted by the server.
+
+These bits apply regardless of the owner or the current uid; the
+rest of the mode bits (group, other) are ignored.
+
+Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/security.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/afs/security.c
++++ b/fs/afs/security.c
+@@ -340,17 +340,22 @@ int afs_permission(struct inode *inode,
+ } else {
+ if (!(access & AFS_ACE_LOOKUP))
+ goto permission_denied;
++ if ((mask & MAY_EXEC) && !(inode->i_mode & S_IXUSR))
++ goto permission_denied;
+ if (mask & (MAY_EXEC | MAY_READ)) {
+ if (!(access & AFS_ACE_READ))
+ goto permission_denied;
++ if (!(inode->i_mode & S_IRUSR))
++ goto permission_denied;
+ } else if (mask & MAY_WRITE) {
+ if (!(access & AFS_ACE_WRITE))
+ goto permission_denied;
++ if (!(inode->i_mode & S_IWUSR))
++ goto permission_denied;
+ }
+ }
+
+ key_put(key);
+- ret = generic_permission(inode, mask);
+ _leave(" = %d", ret);
+ return ret;
+
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 16 Mar 2017 16:27:48 +0000
+Subject: afs: Fix afs_kill_pages()
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit 7286a35e893176169b09715096a4aca557e2ccd2 ]
+
+Fix afs_kill_pages() in two ways:
+
+ (1) If a writeback has been partially flushed, then if we try and kill the
+ pages it contains, some of them may no longer be undergoing writeback
+ and end_page_writeback() will assert.
+
+ Fix this by checking to see whether the page in question is actually
+ undergoing writeback before ending that writeback.
+
+ (2) The loop that scans for pages to kill doesn't increase the first page
+ index, and so the loop may not terminate, but it will try to process
+ the same pages over and over again.
+
+ Fix this by increasing the first page index to one after the last page
+ we processed.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/write.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/fs/afs/write.c
++++ b/fs/afs/write.c
+@@ -300,10 +300,14 @@ static void afs_kill_pages(struct afs_vn
+ ASSERTCMP(pv.nr, ==, count);
+
+ for (loop = 0; loop < count; loop++) {
+- ClearPageUptodate(pv.pages[loop]);
++ struct page *page = pv.pages[loop];
++ ClearPageUptodate(page);
+ if (error)
+- SetPageError(pv.pages[loop]);
+- end_page_writeback(pv.pages[loop]);
++ SetPageError(page);
++ if (PageWriteback(page))
++ end_page_writeback(page);
++ if (page->index >= first)
++ first = page->index + 1;
+ }
+
+ __pagevec_release(&pv);
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 16 Mar 2017 16:27:43 +0000
+Subject: afs: Fix missing put_page()
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit 29c8bbbd6e21daa0997d1c3ee886b897ee7ad652 ]
+
+In afs_writepages_region(), inside the loop where we find dirty pages to
+deal with, one of the if-statements is missing a put_page().
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/write.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/afs/write.c
++++ b/fs/afs/write.c
+@@ -504,6 +504,7 @@ static int afs_writepages_region(struct
+
+ if (PageWriteback(page) || !PageDirty(page)) {
+ unlock_page(page);
++ put_page(page);
+ continue;
+ }
+
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 16 Mar 2017 16:27:48 +0000
+Subject: afs: Fix page leak in afs_write_begin()
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit 6d06b0d25209c80e99c1e89700f1e09694a3766b ]
+
+afs_write_begin() leaks a ref and a lock on a page if afs_fill_page()
+fails. Fix the leak by unlocking and releasing the page in the error path.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/write.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/afs/write.c
++++ b/fs/afs/write.c
+@@ -149,12 +149,12 @@ int afs_write_begin(struct file *file, s
+ kfree(candidate);
+ return -ENOMEM;
+ }
+- *pagep = page;
+- /* page won't leak in error case: it eventually gets cleaned off LRU */
+
+ if (!PageUptodate(page) && len != PAGE_CACHE_SIZE) {
+ ret = afs_fill_page(vnode, key, index << PAGE_CACHE_SHIFT, page);
+ if (ret < 0) {
++ unlock_page(page);
++ put_page(page);
+ kfree(candidate);
+ _leave(" = %d [prep]", ret);
+ return ret;
+@@ -162,6 +162,9 @@ int afs_write_begin(struct file *file, s
+ SetPageUptodate(page);
+ }
+
++ /* page won't leak in error case: it eventually gets cleaned off LRU */
++ *pagep = page;
++
+ try_again:
+ spin_lock(&vnode->writeback_lock);
+
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 16 Mar 2017 16:27:47 +0000
+Subject: afs: Fix the maths in afs_fs_store_data()
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit 146a1192783697810b63a1e41c4d59fc93387340 ]
+
+afs_fs_store_data() works out of the size of the write it's going to make,
+but it uses 32-bit unsigned subtraction in one place that gets
+automatically cast to loff_t.
+
+However, if to < offset, then the number goes negative, but as the result
+isn't signed, this doesn't get sign-extended to 64-bits when placed in a
+loff_t.
+
+Fix by casting the operands to loff_t.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/fsclient.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/afs/fsclient.c
++++ b/fs/afs/fsclient.c
+@@ -1225,7 +1225,7 @@ int afs_fs_store_data(struct afs_server
+ _enter(",%x,{%x:%u},,",
+ key_serial(wb->key), vnode->fid.vid, vnode->fid.vnode);
+
+- size = to - offset;
++ size = (loff_t)to - (loff_t)offset;
+ if (first != last)
+ size += (loff_t)(last - first) << PAGE_SHIFT;
+ pos = (loff_t)first << PAGE_SHIFT;
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 16 Mar 2017 16:27:45 +0000
+Subject: afs: Flush outstanding writes when an fd is closed
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit 58fed94dfb17e89556b5705f20f90e5b2971b6a1 ]
+
+Flush outstanding writes in afs when an fd is closed. This is what NFS and
+CIFS do.
+
+Reported-by: Marc Dionne <marc.c.dionne@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/file.c | 1 +
+ fs/afs/internal.h | 1 +
+ fs/afs/write.c | 14 ++++++++++++++
+ 3 files changed, 16 insertions(+)
+
+--- a/fs/afs/file.c
++++ b/fs/afs/file.c
+@@ -29,6 +29,7 @@ static int afs_readpages(struct file *fi
+
+ const struct file_operations afs_file_operations = {
+ .open = afs_open,
++ .flush = afs_flush,
+ .release = afs_release,
+ .llseek = generic_file_llseek,
+ .read = new_sync_read,
+--- a/fs/afs/internal.h
++++ b/fs/afs/internal.h
+@@ -749,6 +749,7 @@ extern int afs_writepages(struct address
+ extern void afs_pages_written_back(struct afs_vnode *, struct afs_call *);
+ extern ssize_t afs_file_write(struct kiocb *, struct iov_iter *);
+ extern int afs_writeback_all(struct afs_vnode *);
++extern int afs_flush(struct file *, fl_owner_t);
+ extern int afs_fsync(struct file *, loff_t, loff_t, int);
+
+
+--- a/fs/afs/write.c
++++ b/fs/afs/write.c
+@@ -743,6 +743,20 @@ out:
+ }
+
+ /*
++ * Flush out all outstanding writes on a file opened for writing when it is
++ * closed.
++ */
++int afs_flush(struct file *file, fl_owner_t id)
++{
++ _enter("");
++
++ if ((file->f_mode & FMODE_WRITE) == 0)
++ return 0;
++
++ return vfs_fsync(file, 0);
++}
++
++/*
+ * notification that a previously read-only page is about to become writable
+ * - if it returns an error, the caller will deliver a bus error signal
+ */
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Marc Dionne <marc.dionne@auristor.com>
+Date: Thu, 16 Mar 2017 16:27:47 +0000
+Subject: afs: Populate and use client modification time
+
+From: Marc Dionne <marc.dionne@auristor.com>
+
+
+[ Upstream commit ab94f5d0dd6fd82e7eeca5e7c8096eaea0a0261f ]
+
+The inode timestamps should be set from the client time
+in the status received from the server, rather than the
+server time which is meant for internal server use.
+
+Set AFS_SET_MTIME and populate the mtime for operations
+that take an input status, such as file/dir creation
+and StoreData. If an input time is not provided the
+server will set the vnode times based on the current server
+time.
+
+In a situation where the server has some skew with the
+client, this could lead to the client seeing a timestamp
+in the future for a file that it just created or wrote.
+
+Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/fsclient.c | 18 +++++++++---------
+ fs/afs/inode.c | 2 +-
+ 2 files changed, 10 insertions(+), 10 deletions(-)
+
+--- a/fs/afs/fsclient.c
++++ b/fs/afs/fsclient.c
+@@ -105,7 +105,7 @@ static void xdr_decode_AFSFetchStatus(co
+ vnode->vfs_inode.i_mode = mode;
+ }
+
+- vnode->vfs_inode.i_ctime.tv_sec = status->mtime_server;
++ vnode->vfs_inode.i_ctime.tv_sec = status->mtime_client;
+ vnode->vfs_inode.i_mtime = vnode->vfs_inode.i_ctime;
+ vnode->vfs_inode.i_atime = vnode->vfs_inode.i_ctime;
+ vnode->vfs_inode.i_version = data_version;
+@@ -703,8 +703,8 @@ int afs_fs_create(struct afs_server *ser
+ memset(bp, 0, padsz);
+ bp = (void *) bp + padsz;
+ }
+- *bp++ = htonl(AFS_SET_MODE);
+- *bp++ = 0; /* mtime */
++ *bp++ = htonl(AFS_SET_MODE | AFS_SET_MTIME);
++ *bp++ = htonl(vnode->vfs_inode.i_mtime.tv_sec); /* mtime */
+ *bp++ = 0; /* owner */
+ *bp++ = 0; /* group */
+ *bp++ = htonl(mode & S_IALLUGO); /* unix mode */
+@@ -981,8 +981,8 @@ int afs_fs_symlink(struct afs_server *se
+ memset(bp, 0, c_padsz);
+ bp = (void *) bp + c_padsz;
+ }
+- *bp++ = htonl(AFS_SET_MODE);
+- *bp++ = 0; /* mtime */
++ *bp++ = htonl(AFS_SET_MODE | AFS_SET_MTIME);
++ *bp++ = htonl(vnode->vfs_inode.i_mtime.tv_sec); /* mtime */
+ *bp++ = 0; /* owner */
+ *bp++ = 0; /* group */
+ *bp++ = htonl(S_IRWXUGO); /* unix mode */
+@@ -1192,8 +1192,8 @@ static int afs_fs_store_data64(struct af
+ *bp++ = htonl(vnode->fid.vnode);
+ *bp++ = htonl(vnode->fid.unique);
+
+- *bp++ = 0; /* mask */
+- *bp++ = 0; /* mtime */
++ *bp++ = htonl(AFS_SET_MTIME); /* mask */
++ *bp++ = htonl(vnode->vfs_inode.i_mtime.tv_sec); /* mtime */
+ *bp++ = 0; /* owner */
+ *bp++ = 0; /* group */
+ *bp++ = 0; /* unix mode */
+@@ -1269,8 +1269,8 @@ int afs_fs_store_data(struct afs_server
+ *bp++ = htonl(vnode->fid.vnode);
+ *bp++ = htonl(vnode->fid.unique);
+
+- *bp++ = 0; /* mask */
+- *bp++ = 0; /* mtime */
++ *bp++ = htonl(AFS_SET_MTIME); /* mask */
++ *bp++ = htonl(vnode->vfs_inode.i_mtime.tv_sec); /* mtime */
+ *bp++ = 0; /* owner */
+ *bp++ = 0; /* group */
+ *bp++ = 0; /* unix mode */
+--- a/fs/afs/inode.c
++++ b/fs/afs/inode.c
+@@ -71,7 +71,7 @@ static int afs_inode_map_status(struct a
+ inode->i_uid = vnode->status.owner;
+ inode->i_gid = vnode->status.group;
+ inode->i_size = vnode->status.size;
+- inode->i_ctime.tv_sec = vnode->status.mtime_server;
++ inode->i_ctime.tv_sec = vnode->status.mtime_client;
+ inode->i_ctime.tv_nsec = 0;
+ inode->i_atime = inode->i_mtime = inode->i_ctime;
+ inode->i_blocks = 0;
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Marc Dionne <marc.dionne@auristor.com>
+Date: Thu, 16 Mar 2017 16:27:43 +0000
+Subject: afs: Populate group ID from vnode status
+
+From: Marc Dionne <marc.dionne@auristor.com>
+
+
+[ Upstream commit 6186f0788b31f44affceeedc7b48eb10faea120d ]
+
+The group was hard coded to GLOBAL_ROOT_GID; use the group
+ID that was received from the server.
+
+Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/afs/inode.c
++++ b/fs/afs/inode.c
+@@ -69,7 +69,7 @@ static int afs_inode_map_status(struct a
+
+ set_nlink(inode, vnode->status.nlink);
+ inode->i_uid = vnode->status.owner;
+- inode->i_gid = GLOBAL_ROOT_GID;
++ inode->i_gid = vnode->status.group;
+ inode->i_size = vnode->status.size;
+ inode->i_ctime.tv_sec = vnode->status.mtime_server;
+ inode->i_ctime.tv_nsec = 0;
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Fri, 3 Nov 2017 11:45:18 +0000
+Subject: arm-ccn: perf: Prevent module unload while PMU is in use
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+
+[ Upstream commit c7f5828bf77dcbd61d51f4736c1d5aa35663fbb4 ]
+
+When the PMU driver is built as a module, the perf expects the
+pmu->module to be valid, so that the driver is prevented from
+being unloaded while it is in use. Fix the CCN pmu driver to
+fill in this field.
+
+Fixes: a33b0daab73a0 ("bus: ARM CCN PMU driver")
+Cc: Pawel Moll <pawel.moll@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/arm-ccn.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/bus/arm-ccn.c
++++ b/drivers/bus/arm-ccn.c
+@@ -1157,6 +1157,7 @@ static int arm_ccn_pmu_init(struct arm_c
+
+ /* Perf driver registration */
+ ccn->dt.pmu = (struct pmu) {
++ .module = THIS_MODULE,
+ .attr_groups = arm_ccn_pmu_attr_groups,
+ .task_ctx_nr = perf_invalid_context,
+ .event_init = arm_ccn_pmu_event_init,
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Miaoqing Pan <miaoqing@codeaurora.org>
+Date: Wed, 27 Sep 2017 09:13:34 +0800
+Subject: ath9k: fix tx99 potential info leak
+
+From: Miaoqing Pan <miaoqing@codeaurora.org>
+
+
+[ Upstream commit ee0a47186e2fa9aa1c56cadcea470ca0ba8c8692 ]
+
+When the user sets count to zero the string buffer would remain
+completely uninitialized which causes the kernel to parse its
+own stack data, potentially leading to an info leak. In addition
+to that, the string might be not terminated properly when the
+user data does not contain a 0-terminator.
+
+Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
+Reviewed-by: Christoph Böhmwalder <christoph@boehmwalder.at>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath9k/tx99.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath9k/tx99.c
++++ b/drivers/net/wireless/ath/ath9k/tx99.c
+@@ -180,6 +180,9 @@ static ssize_t write_file_tx99(struct fi
+ ssize_t len;
+ int r;
+
++ if (count < 1)
++ return -EINVAL;
++
+ if (sc->cur_chan->nvifs > 1)
+ return -EOPNOTSUPP;
+
+@@ -187,6 +190,8 @@ static ssize_t write_file_tx99(struct fi
+ if (copy_from_user(buf, user_buf, len))
+ return -EFAULT;
+
++ buf[len] = '\0';
++
+ if (strtobool(buf, &start))
+ return -EINVAL;
+
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Liang Chen <liangchen.linux@gmail.com>
+Date: Mon, 30 Oct 2017 14:46:35 -0700
+Subject: bcache: explicitly destroy mutex while exiting
+
+From: Liang Chen <liangchen.linux@gmail.com>
+
+
+[ Upstream commit 330a4db89d39a6b43f36da16824eaa7a7509d34d ]
+
+mutex_destroy does nothing most of time, but it's better to call
+it to make the code future proof and it also has some meaning
+for like mutex debug.
+
+As Coly pointed out in a previous review, bcache_exit() may not be
+able to handle all the references properly if userspace registers
+cache and backing devices right before bch_debug_init runs and
+bch_debug_init failes later. So not exposing userspace interface
+until everything is ready to avoid that issue.
+
+Signed-off-by: Liang Chen <liangchen.linux@gmail.com>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Reviewed-by: Coly Li <colyli@suse.de>
+Reviewed-by: Eric Wheeler <bcache@linux.ewheeler.net>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/super.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -2120,6 +2120,7 @@ static void bcache_exit(void)
+ if (bcache_major)
+ unregister_blkdev(bcache_major, "bcache");
+ unregister_reboot_notifier(&reboot);
++ mutex_destroy(&bch_register_lock);
+ }
+
+ static int __init bcache_init(void)
+@@ -2138,14 +2139,15 @@ static int __init bcache_init(void)
+ bcache_major = register_blkdev(0, "bcache");
+ if (bcache_major < 0) {
+ unregister_reboot_notifier(&reboot);
++ mutex_destroy(&bch_register_lock);
+ return bcache_major;
+ }
+
+ if (!(bcache_wq = create_workqueue("bcache")) ||
+ !(bcache_kobj = kobject_create_and_add("bcache", fs_kobj)) ||
+- sysfs_create_files(bcache_kobj, files) ||
+ bch_request_init() ||
+- bch_debug_init(bcache_kobj))
++ bch_debug_init(bcache_kobj) ||
++ sysfs_create_files(bcache_kobj, files))
+ goto err;
+
+ return 0;
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: "tang.junhui" <tang.junhui@zte.com.cn>
+Date: Mon, 30 Oct 2017 14:46:34 -0700
+Subject: bcache: fix wrong cache_misses statistics
+
+From: "tang.junhui" <tang.junhui@zte.com.cn>
+
+
+[ Upstream commit c157313791a999646901b3e3c6888514ebc36d62 ]
+
+Currently, Cache missed IOs are identified by s->cache_miss, but actually,
+there are many situations that missed IOs are not assigned a value for
+s->cache_miss in cached_dev_cache_miss(), for example, a bypassed IO
+(s->iop.bypass = 1), or the cache_bio allocate failed. In these situations,
+it will go to out_put or out_submit, and s->cache_miss is null, which leads
+bch_mark_cache_accounting() to treat this IO as a hit IO.
+
+[ML: applied by 3-way merge]
+
+Signed-off-by: tang.junhui <tang.junhui@zte.com.cn>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Reviewed-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/request.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/request.c
++++ b/drivers/md/bcache/request.c
+@@ -464,6 +464,7 @@ struct search {
+ unsigned recoverable:1;
+ unsigned write:1;
+ unsigned read_dirty_data:1;
++ unsigned cache_missed:1;
+
+ unsigned long start_time;
+
+@@ -651,6 +652,7 @@ static inline struct search *search_allo
+
+ s->orig_bio = bio;
+ s->cache_miss = NULL;
++ s->cache_missed = 0;
+ s->d = d;
+ s->recoverable = 1;
+ s->write = (bio->bi_rw & REQ_WRITE) != 0;
+@@ -774,7 +776,7 @@ static void cached_dev_read_done_bh(stru
+ struct cached_dev *dc = container_of(s->d, struct cached_dev, disk);
+
+ bch_mark_cache_accounting(s->iop.c, s->d,
+- !s->cache_miss, s->iop.bypass);
++ !s->cache_missed, s->iop.bypass);
+ trace_bcache_read(s->orig_bio, !s->cache_miss, s->iop.bypass);
+
+ if (s->iop.error)
+@@ -793,6 +795,8 @@ static int cached_dev_cache_miss(struct
+ struct cached_dev *dc = container_of(s->d, struct cached_dev, disk);
+ struct bio *miss, *cache_bio;
+
++ s->cache_missed = 1;
++
+ if (s->cache_miss || s->iop.bypass) {
+ miss = bio_next_split(bio, sectors, GFP_NOIO, s->d->bio_split);
+ ret = miss == bio ? MAP_DONE : MAP_CONTINUE;
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
+Date: Fri, 10 Mar 2017 16:45:44 -0500
+Subject: btrfs: add missing memset while reading compressed inline extents
+
+From: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
+
+
+[ Upstream commit e1699d2d7bf6e6cce3e1baff19f9dd4595a58664 ]
+
+This is a story about 4 distinct (and very old) btrfs bugs.
+
+Commit c8b978188c ("Btrfs: Add zlib compression support") added
+three data corruption bugs for inline extents (bugs #1-3).
+
+Commit 93c82d5750 ("Btrfs: zero page past end of inline file items")
+fixed bug #1: uncompressed inline extents followed by a hole and more
+extents could get non-zero data in the hole as they were read. The fix
+was to add a memset in btrfs_get_extent to zero out the hole.
+
+Commit 166ae5a418 ("btrfs: fix inline compressed read err corruption")
+fixed bug #2: compressed inline extents which contained non-zero bytes
+might be replaced with zero bytes in some cases. This patch removed an
+unhelpful memset from uncompress_inline, but the case where memset is
+required was missed.
+
+There is also a memset in the decompression code, but this only covers
+decompressed data that is shorter than the ram_bytes from the extent
+ref record. This memset doesn't cover the region between the end of the
+decompressed data and the end of the page. It has also moved around a
+few times over the years, so there's no single patch to refer to.
+
+This patch fixes bug #3: compressed inline extents followed by a hole
+and more extents could get non-zero data in the hole as they were read
+(i.e. bug #3 is the same as bug #1, but s/uncompressed/compressed/).
+The fix is the same: zero out the hole in the compressed case too,
+by putting a memset back in uncompress_inline, but this time with
+correct parameters.
+
+The last and oldest bug, bug #0, is the cause of the offending inline
+extent/hole/extent pattern. Bug #0 is a subtle and mostly-harmless quirk
+of behavior somewhere in the btrfs write code. In a few special cases,
+an inline extent and hole are allowed to persist where they normally
+would be combined with later extents in the file.
+
+A fast reproducer for bug #0 is presented below. A few offending extents
+are also created in the wild during large rsync transfers with the -S
+flag. A Linux kernel build (git checkout; make allyesconfig; make -j8)
+will produce a handful of offending files as well. Once an offending
+file is created, it can present different content to userspace each
+time it is read.
+
+Bug #0 is at least 4 and possibly 8 years old. I verified every vX.Y
+kernel back to v3.5 has this behavior. There are fossil records of this
+bug's effects in commits all the way back to v2.6.32. I have no reason
+to believe bug #0 wasn't present at the beginning of btrfs compression
+support in v2.6.29, but I can't easily test kernels that old to be sure.
+
+It is not clear whether bug #0 is worth fixing. A fix would likely
+require injecting extra reads into currently write-only paths, and most
+of the exceptional cases caused by bug #0 are already handled now.
+
+Whether we like them or not, bug #0's inline extents followed by holes
+are part of the btrfs de-facto disk format now, and we need to be able
+to read them without data corruption or an infoleak. So enough about
+bug #0, let's get back to bug #3 (this patch).
+
+An example of on-disk structure leading to data corruption found in
+the wild:
+
+ item 61 key (606890 INODE_ITEM 0) itemoff 9662 itemsize 160
+ inode generation 50 transid 50 size 47424 nbytes 49141
+ block group 0 mode 100644 links 1 uid 0 gid 0
+ rdev 0 flags 0x0(none)
+ item 62 key (606890 INODE_REF 603050) itemoff 9642 itemsize 20
+ inode ref index 3 namelen 10 name: DB_File.so
+ item 63 key (606890 EXTENT_DATA 0) itemoff 8280 itemsize 1362
+ inline extent data size 1341 ram 4085 compress(zlib)
+ item 64 key (606890 EXTENT_DATA 4096) itemoff 8227 itemsize 53
+ extent data disk byte 5367308288 nr 20480
+ extent data offset 0 nr 45056 ram 45056
+ extent compression(zlib)
+
+Different data appears in userspace during each read of the 11 bytes
+between 4085 and 4096. The extent in item 63 is not long enough to
+fill the first page of the file, so a memset is required to fill the
+space between item 63 (ending at 4085) and item 64 (beginning at 4096)
+with zero.
+
+Here is a reproducer from Liu Bo, which demonstrates another method
+of creating the same inline extent and hole pattern:
+
+Using 'page_poison=on' kernel command line (or enable
+CONFIG_PAGE_POISONING) run the following:
+
+ # touch foo
+ # chattr +c foo
+ # xfs_io -f -c "pwrite -W 0 1000" foo
+ # xfs_io -f -c "falloc 4 8188" foo
+ # od -x foo
+ # echo 3 >/proc/sys/vm/drop_caches
+ # od -x foo
+
+This produce the following on my box:
+
+Correct output: file contains 1000 data bytes followed
+by zeros:
+
+ 0000000 cdcd cdcd cdcd cdcd cdcd cdcd cdcd cdcd
+ *
+ 0001740 cdcd cdcd cdcd cdcd 0000 0000 0000 0000
+ 0001760 0000 0000 0000 0000 0000 0000 0000 0000
+ *
+ 0020000
+
+Actual output: the data after the first 1000 bytes
+will be different each run:
+
+ 0000000 cdcd cdcd cdcd cdcd cdcd cdcd cdcd cdcd
+ *
+ 0001740 cdcd cdcd cdcd cdcd 6c63 7400 635f 006d
+ 0001760 5f74 6f43 7400 435f 0053 5f74 7363 7400
+ 0002000 435f 0056 5f74 6164 7400 645f 0062 5f74
+ (...)
+
+Signed-off-by: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
+Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: Chris Mason <clm@fb.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/inode.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -6325,6 +6325,20 @@ static noinline int uncompress_inline(st
+ max_size = min_t(unsigned long, PAGE_CACHE_SIZE, max_size);
+ ret = btrfs_decompress(compress_type, tmp, page,
+ extent_offset, inline_size, max_size);
++
++ /*
++ * decompression code contains a memset to fill in any space between the end
++ * of the uncompressed data and the end of max_size in case the decompressed
++ * data ends up shorter than ram_bytes. That doesn't cover the hole between
++ * the end of an inline extent and the beginning of the next block, so we
++ * cover that region here.
++ */
++
++ if (max_size + pg_offset < PAGE_SIZE) {
++ char *map = kmap(page);
++ memset(map + pg_offset + max_size, 0, PAGE_SIZE - max_size - pg_offset);
++ kunmap(page);
++ }
+ kfree(tmp);
+ return ret;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Date: Tue, 19 Sep 2017 04:48:10 +0200
+Subject: clk: tegra: Fix cclk_lp divisor register
+
+From: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+
+
+[ Upstream commit 54eff2264d3e9fd7e3987de1d7eba1d3581c631e ]
+
+According to comments in code and common sense, cclk_lp uses its
+own divisor, not cclk_g's.
+
+Fixes: b08e8c0ecc42 ("clk: tegra: add clock support for Tegra30")
+Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Acked-By: Peter De Schrijver <pdeschrijver@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/tegra/clk-tegra30.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/tegra/clk-tegra30.c
++++ b/drivers/clk/tegra/clk-tegra30.c
+@@ -1063,7 +1063,7 @@ static void __init tegra30_super_clk_ini
+ * U71 divider of cclk_lp.
+ */
+ clk = tegra_clk_register_divider("pll_p_out3_cclklp", "pll_p_out3",
+- clk_base + SUPER_CCLKG_DIVIDER, 0,
++ clk_base + SUPER_CCLKLP_DIVIDER, 0,
+ TEGRA_DIVIDER_INT, 16, 8, 1, NULL);
+ clk_register_clkdev(clk, "pll_p_out3_cclklp", NULL);
+
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Matthias Kaehlcke <mka@chromium.org>
+Date: Mon, 13 Mar 2017 14:30:29 -0700
+Subject: dmaengine: Fix array index out of bounds warning in __get_unmap_pool()
+
+From: Matthias Kaehlcke <mka@chromium.org>
+
+
+[ Upstream commit 23f963e91fd81f44f6b316b1c24db563354c6be8 ]
+
+This fixes the following warning when building with clang and
+CONFIG_DMA_ENGINE_RAID=n :
+
+drivers/dma/dmaengine.c:1102:11: error: array index 2 is past the end of the array (which contains 1 element) [-Werror,-Warray-bounds]
+ return &unmap_pool[2];
+ ^ ~
+drivers/dma/dmaengine.c:1083:1: note: array 'unmap_pool' declared here
+static struct dmaengine_unmap_pool unmap_pool[] = {
+^
+drivers/dma/dmaengine.c:1104:11: error: array index 3 is past the end of the array (which contains 1 element) [-Werror,-Warray-bounds]
+ return &unmap_pool[3];
+ ^ ~
+drivers/dma/dmaengine.c:1083:1: note: array 'unmap_pool' declared here
+static struct dmaengine_unmap_pool unmap_pool[] = {
+
+Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/dmaengine.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/dma/dmaengine.c
++++ b/drivers/dma/dmaengine.c
+@@ -976,12 +976,14 @@ static struct dmaengine_unmap_pool *__ge
+ switch (order) {
+ case 0 ... 1:
+ return &unmap_pool[0];
++#if IS_ENABLED(CONFIG_DMA_ENGINE_RAID)
+ case 2 ... 4:
+ return &unmap_pool[1];
+ case 5 ... 7:
+ return &unmap_pool[2];
+ case 8:
+ return &unmap_pool[3];
++#endif
+ default:
+ BUG();
+ return NULL;
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 15 Mar 2017 21:11:46 -0400
+Subject: drm/radeon: reinstate oland workaround for sclk
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+
+[ Upstream commit 66822d815ae61ecb2d9dba9031517e8a8476969d ]
+
+Higher sclks seem to be unstable on some boards.
+
+bug: https://bugs.freedesktop.org/show_bug.cgi?id=100222
+
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/radeon/si_dpm.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/si_dpm.c
++++ b/drivers/gpu/drm/radeon/si_dpm.c
+@@ -2989,9 +2989,13 @@ static void si_apply_state_adjust_rules(
+ max_mclk = 80000;
+ }
+ } else if (rdev->family == CHIP_OLAND) {
+- if ((rdev->pdev->device == 0x6604) &&
+- (rdev->pdev->subsystem_vendor == 0x1028) &&
+- (rdev->pdev->subsystem_device == 0x066F)) {
++ if ((rdev->pdev->revision == 0xC7) ||
++ (rdev->pdev->revision == 0x80) ||
++ (rdev->pdev->revision == 0x81) ||
++ (rdev->pdev->revision == 0x83) ||
++ (rdev->pdev->revision == 0x87) ||
++ (rdev->pdev->device == 0x6604) ||
++ (rdev->pdev->device == 0x6605)) {
+ max_sclk = 75000;
+ }
+ }
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Tue, 14 Mar 2017 14:42:03 -0400
+Subject: drm/radeon/si: add dpm quirk for Oland
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+
+[ Upstream commit 0f424de1fd9bc4ab24bd1fe5430ab5618e803e31 ]
+
+OLAND 0x1002:0x6604 0x1028:0x066F 0x00 seems to have problems
+with higher sclks.
+
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/radeon/si_dpm.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/si_dpm.c
++++ b/drivers/gpu/drm/radeon/si_dpm.c
+@@ -2988,6 +2988,12 @@ static void si_apply_state_adjust_rules(
+ max_sclk = 75000;
+ max_mclk = 80000;
+ }
++ } else if (rdev->family == CHIP_OLAND) {
++ if ((rdev->pdev->device == 0x6604) &&
++ (rdev->pdev->subsystem_vendor == 0x1028) &&
++ (rdev->pdev->subsystem_device == 0x066F)) {
++ max_sclk = 75000;
++ }
+ }
+ /* Apply dpm quirks */
+ while (p && p->chip_device != 0) {
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Thu, 9 Nov 2017 18:09:33 +0100
+Subject: fbdev: controlfb: Add missing modes to fix out of bounds access
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+
+[ Upstream commit ac831a379d34109451b3c41a44a20ee10ecb615f ]
+
+Dan's static analysis says:
+
+ drivers/video/fbdev/controlfb.c:560 control_setup()
+ error: buffer overflow 'control_mac_modes' 20 <= 21
+
+Indeed, control_mac_modes[] has only 20 elements, while VMODE_MAX is 22,
+which may lead to an out of bounds read when parsing vmode commandline
+options.
+
+The bug was introduced in v2.4.5.6, when 2 new modes were added to
+macmodes.h, but control_mac_modes[] wasn't updated:
+
+https://kernel.opensuse.org/cgit/kernel/diff/include/video/macmodes.h?h=v2.5.2&id=29f279c764808560eaceb88fef36cbc35c529aad
+
+Augment control_mac_modes[] with the two new video modes to fix this.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/controlfb.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/video/fbdev/controlfb.h
++++ b/drivers/video/fbdev/controlfb.h
+@@ -141,5 +141,7 @@ static struct max_cmodes control_mac_mod
+ {{ 1, 2}}, /* 1152x870, 75Hz */
+ {{ 0, 1}}, /* 1280x960, 75Hz */
+ {{ 0, 1}}, /* 1280x1024, 75Hz */
++ {{ 1, 2}}, /* 1152x768, 60Hz */
++ {{ 0, 1}}, /* 1600x1024, 60Hz */
+ };
+
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Bob Peterson <rpeterso@redhat.com>
+Date: Wed, 20 Sep 2017 08:30:04 -0500
+Subject: GFS2: Take inode off order_write list when setting jdata flag
+
+From: Bob Peterson <rpeterso@redhat.com>
+
+
+[ Upstream commit cc555b09d8c3817aeebda43a14ab67049a5653f7 ]
+
+This patch fixes a deadlock caused when the jdata flag is set for
+inodes that are already on the ordered write list. Since it is
+on the ordered write list, log_flush calls gfs2_ordered_write which
+calls filemap_fdatawrite. But since the inode had the jdata flag
+set, that calls gfs2_jdata_writepages, which tries to start a new
+transaction. A new transaction cannot be started because it tries
+to acquire the log_flush rwsem which is already locked by the log
+flush operation.
+
+The bottom line is: We cannot switch an inode from ordered to jdata
+until we eliminate any ordered data pages (via log flush) or any
+log_flush operation afterward will create the circular dependency
+above. So we need to flush the log before setting the diskflags to
+switch the file mode, then we need to remove the inode from the
+ordered writes list.
+
+Before this patch, the log flush was done for jdata->ordered, but
+that's wrong. If we're going from jdata to ordered, we don't need
+to call gfs2_log_flush because the call to filemap_fdatawrite will
+do it for us:
+
+ filemap_fdatawrite() -> __filemap_fdatawrite_range()
+ __filemap_fdatawrite_range() -> do_writepages()
+ do_writepages() -> gfs2_jdata_writepages()
+ gfs2_jdata_writepages() -> gfs2_log_flush()
+
+This patch modifies function do_gfs2_set_flags so that if a file
+has its jdata flag set, and it's already on the ordered write list,
+the log will be flushed and it will be removed from the list
+before setting the flag.
+
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Acked-by: Abhijith Das <adas@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/gfs2/file.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/gfs2/file.c
++++ b/fs/gfs2/file.c
+@@ -256,7 +256,7 @@ static int do_gfs2_set_flags(struct file
+ goto out;
+ }
+ if ((flags ^ new_flags) & GFS2_DIF_JDATA) {
+- if (flags & GFS2_DIF_JDATA)
++ if (new_flags & GFS2_DIF_JDATA)
+ gfs2_log_flush(sdp, ip->i_gl, NORMAL_FLUSH);
+ error = filemap_fdatawrite(inode->i_mapping);
+ if (error)
+@@ -264,6 +264,8 @@ static int do_gfs2_set_flags(struct file
+ error = filemap_fdatawait(inode->i_mapping);
+ if (error)
+ goto out;
++ if (new_flags & GFS2_DIF_JDATA)
++ gfs2_ordered_del_inode(ip);
+ }
+ error = gfs2_trans_begin(sdp, RES_DINODE, 0);
+ if (error)
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Tue, 28 Feb 2017 17:14:41 -0800
+Subject: Input: i8042 - add TUXEDO BU1406 (N24_25BU) to the nomux list
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+
+[ Upstream commit a4c2a13129f7c5bcf81704c06851601593303fd5 ]
+
+TUXEDO BU1406 does not implement active multiplexing mode properly,
+and takes around 550 ms in i8042_set_mux_mode(). Given that the
+device does not have external AUX port, there is no downside in
+disabling the MUX mode.
+
+Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Suggested-by: Vojtech Pavlik <vojtech@suse.cz>
+Reviewed-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/serio/i8042-x86ia64io.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -514,6 +514,13 @@ static const struct dmi_system_id __init
+ DMI_MATCH(DMI_PRODUCT_NAME, "IC4I"),
+ },
+ },
++ {
++ /* TUXEDO BU1406 */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Notebook"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "N24_25BU"),
++ },
++ },
+ { }
+ };
+
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: tangwenji <tang.wenji@zte.com.cn>
+Date: Fri, 15 Sep 2017 16:03:13 +0800
+Subject: iscsi-target: fix memory leak in lio_target_tiqn_addtpg()
+
+From: tangwenji <tang.wenji@zte.com.cn>
+
+
+[ Upstream commit 12d5a43b2dffb6cd28062b4e19024f7982393288 ]
+
+tpg must free when call core_tpg_register() return fail
+
+Signed-off-by: tangwenji <tang.wenji@zte.com.cn>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/iscsi/iscsi_target_configfs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target_configfs.c
++++ b/drivers/target/iscsi/iscsi_target_configfs.c
+@@ -1458,7 +1458,7 @@ static struct se_portal_group *lio_targe
+ wwn, &tpg->tpg_se_tpg, tpg,
+ TRANSPORT_TPG_TYPE_NORMAL);
+ if (ret < 0)
+- return NULL;
++ goto free_out;
+
+ ret = iscsit_tpg_add_portal_group(tiqn, tpg);
+ if (ret != 0)
+@@ -1470,6 +1470,7 @@ static struct se_portal_group *lio_targe
+ return &tpg->tpg_se_tpg;
+ out:
+ core_tpg_deregister(&tpg->tpg_se_tpg);
++free_out:
+ kfree(tpg);
+ return NULL;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Alexander Duyck <alexander.h.duyck@intel.com>
+Date: Fri, 13 Oct 2017 13:40:24 -0700
+Subject: macvlan: Only deliver one copy of the frame to the macvlan interface
+
+From: Alexander Duyck <alexander.h.duyck@intel.com>
+
+
+[ Upstream commit dd6b9c2c332b40f142740d1b11fb77c653ff98ea ]
+
+This patch intoduces a slight adjustment for macvlan to address the fact
+that in source mode I was seeing two copies of any packet addressed to the
+macvlan interface being delivered where there should have been only one.
+
+The issue appears to be that one copy was delivered based on the source MAC
+address and then the second copy was being delivered based on the
+destination MAC address. To fix it I am just treating a unicast address
+match as though it is not a match since source based macvlan isn't supposed
+to be matching based on the destination MAC anyway.
+
+Fixes: 79cf79abce71 ("macvlan: add source mode")
+Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macvlan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -440,7 +440,7 @@ static rx_handler_result_t macvlan_handl
+ struct macvlan_dev, list);
+ else
+ vlan = macvlan_hash_lookup(port, eth->h_dest);
+- if (vlan == NULL)
++ if (!vlan || vlan->mode == MACVLAN_MODE_SOURCE)
+ return RX_HANDLER_PASS;
+
+ dev = vlan->dev;
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Jan Kara <jack@suse.cz>
+Date: Fri, 3 Nov 2017 12:21:21 +0100
+Subject: mm: Handle 0 flags in _calc_vm_trans() macro
+
+From: Jan Kara <jack@suse.cz>
+
+
+[ Upstream commit 592e254502041f953e84d091eae2c68cba04c10b ]
+
+_calc_vm_trans() does not handle the situation when some of the passed
+flags are 0 (which can happen if these VM flags do not make sense for
+the architecture). Improve the _calc_vm_trans() macro to return 0 in
+such situation. Since all passed flags are constant, this does not add
+any runtime overhead.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/mman.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/linux/mman.h
++++ b/include/linux/mman.h
+@@ -63,8 +63,9 @@ static inline int arch_validate_prot(uns
+ * ("bit1" and "bit2" must be single bits)
+ */
+ #define _calc_vm_trans(x, bit1, bit2) \
++ ((!(bit1) || !(bit2)) ? 0 : \
+ ((bit1) <= (bit2) ? ((x) & (bit1)) * ((bit2) / (bit1)) \
+- : ((x) & (bit1)) / ((bit1) / (bit2)))
++ : ((x) & (bit1)) / ((bit1) / (bit2))))
+
+ /*
+ * Combine the mmap "prot" argument into "vm_flags" used internally.
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Doug Berger <opendmb@gmail.com>
+Date: Thu, 9 Mar 2017 16:58:44 -0800
+Subject: net: bcmgenet: correct MIB access of UniMAC RUNT counters
+
+From: Doug Berger <opendmb@gmail.com>
+
+
+[ Upstream commit 1ad3d225e5a40ca6c586989b4baaca710544c15a ]
+
+The gap between the Tx status counters and the Rx RUNT counters is now
+being added to allow correct reporting of the registers.
+
+Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -705,13 +705,16 @@ static void bcmgenet_update_mib_counters
+ switch (s->type) {
+ case BCMGENET_STAT_NETDEV:
+ continue;
+- case BCMGENET_STAT_MIB_RX:
+- case BCMGENET_STAT_MIB_TX:
+ case BCMGENET_STAT_RUNT:
+- if (s->type != BCMGENET_STAT_MIB_RX)
+- offset = BCMGENET_STAT_OFFSET;
++ offset += BCMGENET_STAT_OFFSET;
++ /* fall through */
++ case BCMGENET_STAT_MIB_TX:
++ offset += BCMGENET_STAT_OFFSET;
++ /* fall through */
++ case BCMGENET_STAT_MIB_RX:
+ val = bcmgenet_umac_readl(priv,
+ UMAC_MIB_START + j + offset);
++ offset = 0; /* Reset Offset */
+ break;
+ case BCMGENET_STAT_MISC:
+ if (GENET_IS_V1(priv)) {
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Doug Berger <opendmb@gmail.com>
+Date: Thu, 9 Mar 2017 16:58:43 -0800
+Subject: net: bcmgenet: correct the RBUF_OVFL_CNT and RBUF_ERR_CNT MIB values
+
+From: Doug Berger <opendmb@gmail.com>
+
+
+[ Upstream commit ffff71328a3c321f7c14cc1edd33577717037744 ]
+
+The location of the RBUF overflow and error counters has moved between
+different version of the GENET MAC. This commit corrects the driver to
+read from the correct locations depending on the version of the GENET
+MAC.
+
+Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 60 ++++++++++++++++++++++---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.h | 10 ++--
+ 2 files changed, 60 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -1,7 +1,7 @@
+ /*
+ * Broadcom GENET (Gigabit Ethernet) controller driver
+ *
+- * Copyright (c) 2014 Broadcom Corporation
++ * Copyright (c) 2014-2017 Broadcom
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+@@ -610,8 +610,9 @@ static const struct bcmgenet_stats bcmge
+ STAT_GENET_RUNT("rx_runt_bytes", mib.rx_runt_bytes),
+ /* Misc UniMAC counters */
+ STAT_GENET_MISC("rbuf_ovflow_cnt", mib.rbuf_ovflow_cnt,
+- UMAC_RBUF_OVFL_CNT),
+- STAT_GENET_MISC("rbuf_err_cnt", mib.rbuf_err_cnt, UMAC_RBUF_ERR_CNT),
++ UMAC_RBUF_OVFL_CNT_V1),
++ STAT_GENET_MISC("rbuf_err_cnt", mib.rbuf_err_cnt,
++ UMAC_RBUF_ERR_CNT_V1),
+ STAT_GENET_MISC("mdf_err_cnt", mib.mdf_err_cnt, UMAC_MDF_ERR_CNT),
+ };
+
+@@ -651,6 +652,45 @@ static void bcmgenet_get_strings(struct
+ }
+ }
+
++static u32 bcmgenet_update_stat_misc(struct bcmgenet_priv *priv, u16 offset)
++{
++ u16 new_offset;
++ u32 val;
++
++ switch (offset) {
++ case UMAC_RBUF_OVFL_CNT_V1:
++ if (GENET_IS_V2(priv))
++ new_offset = RBUF_OVFL_CNT_V2;
++ else
++ new_offset = RBUF_OVFL_CNT_V3PLUS;
++
++ val = bcmgenet_rbuf_readl(priv, new_offset);
++ /* clear if overflowed */
++ if (val == ~0)
++ bcmgenet_rbuf_writel(priv, 0, new_offset);
++ break;
++ case UMAC_RBUF_ERR_CNT_V1:
++ if (GENET_IS_V2(priv))
++ new_offset = RBUF_ERR_CNT_V2;
++ else
++ new_offset = RBUF_ERR_CNT_V3PLUS;
++
++ val = bcmgenet_rbuf_readl(priv, new_offset);
++ /* clear if overflowed */
++ if (val == ~0)
++ bcmgenet_rbuf_writel(priv, 0, new_offset);
++ break;
++ default:
++ val = bcmgenet_umac_readl(priv, offset);
++ /* clear if overflowed */
++ if (val == ~0)
++ bcmgenet_umac_writel(priv, 0, offset);
++ break;
++ }
++
++ return val;
++}
++
+ static void bcmgenet_update_mib_counters(struct bcmgenet_priv *priv)
+ {
+ int i, j = 0;
+@@ -674,10 +714,16 @@ static void bcmgenet_update_mib_counters
+ UMAC_MIB_START + j + offset);
+ break;
+ case BCMGENET_STAT_MISC:
+- val = bcmgenet_umac_readl(priv, s->reg_offset);
+- /* clear if overflowed */
+- if (val == ~0)
+- bcmgenet_umac_writel(priv, 0, s->reg_offset);
++ if (GENET_IS_V1(priv)) {
++ val = bcmgenet_umac_readl(priv, s->reg_offset);
++ /* clear if overflowed */
++ if (val == ~0)
++ bcmgenet_umac_writel(priv, 0,
++ s->reg_offset);
++ } else {
++ val = bcmgenet_update_stat_misc(priv,
++ s->reg_offset);
++ }
+ break;
+ }
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2014 Broadcom Corporation
++ * Copyright (c) 2014-2017 Broadcom
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+@@ -196,7 +196,9 @@ struct bcmgenet_mib_counters {
+ #define MDIO_REG_SHIFT 16
+ #define MDIO_REG_MASK 0x1F
+
+-#define UMAC_RBUF_OVFL_CNT 0x61C
++#define UMAC_RBUF_OVFL_CNT_V1 0x61C
++#define RBUF_OVFL_CNT_V2 0x80
++#define RBUF_OVFL_CNT_V3PLUS 0x94
+
+ #define UMAC_MPD_CTRL 0x620
+ #define MPD_EN (1 << 0)
+@@ -206,7 +208,9 @@ struct bcmgenet_mib_counters {
+
+ #define UMAC_MPD_PW_MS 0x624
+ #define UMAC_MPD_PW_LS 0x628
+-#define UMAC_RBUF_ERR_CNT 0x634
++#define UMAC_RBUF_ERR_CNT_V1 0x634
++#define RBUF_ERR_CNT_V2 0x84
++#define RBUF_ERR_CNT_V3PLUS 0x98
+ #define UMAC_MDF_ERR_CNT 0x638
+ #define UMAC_MDF_CTRL 0x650
+ #define UMAC_MDF_ADDR 0x654
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Doug Berger <opendmb@gmail.com>
+Date: Thu, 9 Mar 2017 16:58:48 -0800
+Subject: net: bcmgenet: Power up the internal PHY before probing the MII
+
+From: Doug Berger <opendmb@gmail.com>
+
+
+[ Upstream commit 6be371b053dc86f11465cc1abce2e99bda0a0574 ]
+
+When using the internal PHY it must be powered up when the MII is probed
+or the PHY will not be detected. Since the PHY is powered up at reset
+this has not been a problem. However, when the kernel is restarted with
+kexec the PHY will likely be powered down when the kernel starts so it
+will not be detected and the Ethernet link will not be established.
+
+This commit explicitly powers up the internal PHY when the GENET driver
+is probed to correct this behavior.
+
+Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -2598,6 +2598,7 @@ static int bcmgenet_probe(struct platfor
+ const void *macaddr;
+ struct resource *r;
+ int err = -EIO;
++ const char *phy_mode_str;
+
+ /* Up to GENET_MAX_MQ_CNT + 1 TX queues and a single RX queue */
+ dev = alloc_etherdev_mqs(sizeof(*priv), GENET_MAX_MQ_CNT + 1, 1);
+@@ -2685,6 +2686,13 @@ static int bcmgenet_probe(struct platfor
+ if (IS_ERR(priv->clk_wol))
+ dev_warn(&priv->pdev->dev, "failed to get enet-wol clock\n");
+
++ /* If this is an internal GPHY, power it on now, before UniMAC is
++ * brought out of reset as absolutely no UniMAC activity is allowed
++ */
++ if (dn && !of_property_read_string(dn, "phy-mode", &phy_mode_str) &&
++ !strcasecmp(phy_mode_str, "internal"))
++ bcmgenet_power_up(priv, GENET_POWER_PASSIVE);
++
+ err = reset_umac(priv);
+ if (err)
+ goto err_clk_disable;
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Vlad Yasevich <vyasevich@gmail.com>
+Date: Tue, 14 Mar 2017 08:58:08 -0400
+Subject: net: Resend IGMP memberships upon peer notification.
+
+From: Vlad Yasevich <vyasevich@gmail.com>
+
+
+[ Upstream commit 37c343b4f4e70e9dc328ab04903c0ec8d154c1a4 ]
+
+When we notify peers of potential changes, it's also good to update
+IGMP memberships. For example, during VM migration, updating IGMP
+memberships will redirect existing multicast streams to the VM at the
+new location.
+
+Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1248,6 +1248,7 @@ void netdev_notify_peers(struct net_devi
+ {
+ rtnl_lock();
+ call_netdevice_notifiers(NETDEV_NOTIFY_PEERS, dev);
++ call_netdevice_notifiers(NETDEV_RESEND_IGMP, dev);
+ rtnl_unlock();
+ }
+ EXPORT_SYMBOL(netdev_notify_peers);
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:42:03 +0100
+Subject: net: wimax/i2400m: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+
+[ Upstream commit 6e526fdff7be4f13b24f929a04c0e9ae6761291e ]
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory beyond the endpoint array should a
+malicious device lack the expected endpoints.
+
+The endpoints are specifically dereferenced in the i2400m_bootrom_init
+path during probe (e.g. in i2400mu_tx_bulk_out).
+
+Fixes: f398e4240fce ("i2400m/USB: probe/disconnect, dev init/shutdown
+and reset backends")
+Cc: Inaky Perez-Gonzalez <inaky@linux.intel.com>
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wimax/i2400m/usb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wimax/i2400m/usb.c
++++ b/drivers/net/wimax/i2400m/usb.c
+@@ -467,6 +467,9 @@ int i2400mu_probe(struct usb_interface *
+ struct i2400mu *i2400mu;
+ struct usb_device *usb_dev = interface_to_usbdev(iface);
+
++ if (iface->cur_altsetting->desc.bNumEndpoints < 4)
++ return -ENODEV;
++
+ if (usb_dev->speed != USB_SPEED_HIGH)
+ dev_err(dev, "device not connected as high speed\n");
+
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: NeilBrown <neilb@suse.com>
+Date: Fri, 10 Mar 2017 11:36:39 +1100
+Subject: NFSD: fix nfsd_minorversion(.., NFSD_AVAIL)
+
+From: NeilBrown <neilb@suse.com>
+
+
+[ Upstream commit 928c6fb3a9bfd6c5b287aa3465226add551c13c0 ]
+
+Current code will return 1 if the version is supported,
+and -1 if it isn't.
+This is confusing and inconsistent with the one place where this
+is used.
+So change to return 1 if it is supported, and zero if not.
+i.e. an error is never returned.
+
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfssvc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfssvc.c
++++ b/fs/nfsd/nfssvc.c
+@@ -150,7 +150,8 @@ int nfsd_vers(int vers, enum vers_op cha
+
+ int nfsd_minorversion(u32 minorversion, enum vers_op change)
+ {
+- if (minorversion > NFSD_SUPPORTED_MINOR_VERSION)
++ if (minorversion > NFSD_SUPPORTED_MINOR_VERSION &&
++ change != NFSD_AVAIL)
+ return -1;
+ switch(change) {
+ case NFSD_SET:
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: NeilBrown <neilb@suse.com>
+Date: Fri, 10 Mar 2017 11:36:39 +1100
+Subject: NFSD: fix nfsd_reset_versions for NFSv4.
+
+From: NeilBrown <neilb@suse.com>
+
+
+[ Upstream commit 800a938f0bf9130c8256116649c0cc5806bfb2fd ]
+
+If you write "-2 -3 -4" to the "versions" file, it will
+notice that no versions are enabled, and nfsd_reset_versions()
+is called.
+This enables all major versions, not no minor versions.
+So we lose the invariant that NFSv4 is only advertised when
+at least one minor is enabled.
+
+Fix the code to explicitly enable minor versions for v4,
+change it to use nfsd_vers() to test and set, and simplify
+the code.
+
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfssvc.c | 25 +++++++++++--------------
+ 1 file changed, 11 insertions(+), 14 deletions(-)
+
+--- a/fs/nfsd/nfssvc.c
++++ b/fs/nfsd/nfssvc.c
+@@ -329,23 +329,20 @@ static void nfsd_last_thread(struct svc_
+
+ void nfsd_reset_versions(void)
+ {
+- int found_one = 0;
+ int i;
+
+- for (i = NFSD_MINVERS; i < NFSD_NRVERS; i++) {
+- if (nfsd_program.pg_vers[i])
+- found_one = 1;
+- }
++ for (i = 0; i < NFSD_NRVERS; i++)
++ if (nfsd_vers(i, NFSD_TEST))
++ return;
+
+- if (!found_one) {
+- for (i = NFSD_MINVERS; i < NFSD_NRVERS; i++)
+- nfsd_program.pg_vers[i] = nfsd_version[i];
+-#if defined(CONFIG_NFSD_V2_ACL) || defined(CONFIG_NFSD_V3_ACL)
+- for (i = NFSD_ACL_MINVERS; i < NFSD_ACL_NRVERS; i++)
+- nfsd_acl_program.pg_vers[i] =
+- nfsd_acl_version[i];
+-#endif
+- }
++ for (i = 0; i < NFSD_NRVERS; i++)
++ if (i != 4)
++ nfsd_vers(i, NFSD_SET);
++ else {
++ int minor = 0;
++ while (nfsd_minorversion(minor, NFSD_SET) >= 0)
++ minor++;
++ }
+ }
+
+ /*
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Olga Kornievskaia <kolga@netapp.com>
+Date: Wed, 8 Mar 2017 14:39:15 -0500
+Subject: NFSv4.1 respect server's max size in CREATE_SESSION
+
+From: Olga Kornievskaia <kolga@netapp.com>
+
+
+[ Upstream commit 033853325fe3bdc70819a8b97915bd3bca41d3af ]
+
+Currently client doesn't respect max sizes server returns in CREATE_SESSION.
+nfs4_session_set_rwsize() gets called and server->rsize, server->wsize are 0
+so they never get set to the sizes returned by the server.
+
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4client.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/nfs4client.c
++++ b/fs/nfs/nfs4client.c
+@@ -894,9 +894,9 @@ static void nfs4_session_set_rwsize(stru
+ server_resp_sz = sess->fc_attrs.max_resp_sz - nfs41_maxread_overhead;
+ server_rqst_sz = sess->fc_attrs.max_rqst_sz - nfs41_maxwrite_overhead;
+
+- if (server->rsize > server_resp_sz)
++ if (!server->rsize || server->rsize > server_resp_sz)
+ server->rsize = server_resp_sz;
+- if (server->wsize > server_rqst_sz)
++ if (!server->wsize || server->wsize > server_rqst_sz)
+ server->wsize = server_rqst_sz;
+ #endif /* CONFIG_NFS_V4_1 */
+ }
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Stafford Horne <shorne@gmail.com>
+Date: Mon, 13 Mar 2017 07:44:45 +0900
+Subject: openrisc: fix issue handling 8 byte get_user calls
+
+From: Stafford Horne <shorne@gmail.com>
+
+
+[ Upstream commit 154e67cd8e8f964809d0e75e44bb121b169c75b3 ]
+
+Was getting the following error with allmodconfig:
+
+ ERROR: "__get_user_bad" [lib/test_user_copy.ko] undefined!
+
+This was simply a missing break statement, causing an unwanted fall
+through.
+
+Signed-off-by: Stafford Horne <shorne@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/openrisc/include/asm/uaccess.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/openrisc/include/asm/uaccess.h
++++ b/arch/openrisc/include/asm/uaccess.h
+@@ -215,7 +215,7 @@ do { \
+ case 1: __get_user_asm(x, ptr, retval, "l.lbz"); break; \
+ case 2: __get_user_asm(x, ptr, retval, "l.lhz"); break; \
+ case 4: __get_user_asm(x, ptr, retval, "l.lwz"); break; \
+- case 8: __get_user_asm2(x, ptr, retval); \
++ case 8: __get_user_asm2(x, ptr, retval); break; \
+ default: (x) = __get_user_bad(); \
+ } \
+ } while (0)
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Wed, 11 Oct 2017 15:35:56 -0600
+Subject: PCI: Detach driver before procfs & sysfs teardown on device remove
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+
+[ Upstream commit 16b6c8bb687cc3bec914de09061fcb8411951fda ]
+
+When removing a device, for example a VF being removed due to SR-IOV
+teardown, a "soft" hot-unplug via 'echo 1 > remove' in sysfs, or an actual
+hot-unplug, we first remove the procfs and sysfs attributes for the device
+before attempting to release the device from any driver bound to it.
+Unbinding the driver from the device can take time. The device might need
+to write out data or it might be actively in use. If it's in use by
+userspace through a vfio driver, the unbind might block until the user
+releases the device. This leads to a potentially non-trivial amount of
+time where the device exists, but we've torn down the interfaces that
+userspace uses to examine devices, for instance lspci might generate this
+sort of error:
+
+ pcilib: Cannot open /sys/bus/pci/devices/0000:01:0a.3/config
+ lspci: Unable to read the standard configuration space header of device 0000:01:0a.3
+
+We don't seem to have any dependence on this teardown ordering in the
+kernel, so let's unbind the driver first, which is also more symmetric with
+the instantiation of the device in pci_bus_add_device().
+
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/remove.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/remove.c
++++ b/drivers/pci/remove.c
+@@ -20,9 +20,9 @@ static void pci_stop_dev(struct pci_dev
+ pci_pme_active(dev, false);
+
+ if (dev->is_added) {
++ device_release_driver(&dev->dev);
+ pci_proc_detach_device(dev);
+ pci_remove_sysfs_dev_files(dev);
+- device_release_driver(&dev->dev);
+ dev->is_added = 0;
+ }
+
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Qiang <zhengqiang10@huawei.com>
+Date: Thu, 28 Sep 2017 11:54:34 +0800
+Subject: PCI/PME: Handle invalid data when reading Root Status
+
+From: Qiang <zhengqiang10@huawei.com>
+
+
+[ Upstream commit 3ad3f8ce50914288731a3018b27ee44ab803e170 ]
+
+PCIe PME and native hotplug share the same interrupt number, so hotplug
+interrupts are also processed by PME. In some cases, e.g., a Link Down
+interrupt, a device may be present but unreachable, so when we try to
+read its Root Status register, the read fails and we get all ones data
+(0xffffffff).
+
+Previously, we interpreted that data as PCI_EXP_RTSTA_PME being set, i.e.,
+"some device has asserted PME," so we scheduled pcie_pme_work_fn(). This
+caused an infinite loop because pcie_pme_work_fn() tried to handle PME
+requests until PCI_EXP_RTSTA_PME is cleared, but with the link down,
+PCI_EXP_RTSTA_PME can't be cleared.
+
+Check for the invalid 0xffffffff data everywhere we read the Root Status
+register.
+
+1469d17dd341 ("PCI: pciehp: Handle invalid data when reading from
+non-existent devices") added similar checks in the hotplug driver.
+
+Signed-off-by: Qiang Zheng <zhengqiang10@huawei.com>
+[bhelgaas: changelog, also check in pcie_pme_work_fn(), use "~0" to follow
+other similar checks]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pcie/pme.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/pcie/pme.c
++++ b/drivers/pci/pcie/pme.c
+@@ -233,6 +233,9 @@ static void pcie_pme_work_fn(struct work
+ break;
+
+ pcie_capability_read_dword(port, PCI_EXP_RTSTA, &rtsta);
++ if (rtsta == (u32) ~0)
++ break;
++
+ if (rtsta & PCI_EXP_RTSTA_PME) {
+ /*
+ * Clear PME status of the port. If there are other
+@@ -280,7 +283,7 @@ static irqreturn_t pcie_pme_irq(int irq,
+ spin_lock_irqsave(&data->lock, flags);
+ pcie_capability_read_dword(port, PCI_EXP_RTSTA, &rtsta);
+
+- if (!(rtsta & PCI_EXP_RTSTA_PME)) {
++ if (rtsta == (u32) ~0 || !(rtsta & PCI_EXP_RTSTA_PME)) {
+ spin_unlock_irqrestore(&data->lock, flags);
+ return IRQ_NONE;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Wed, 15 Mar 2017 22:53:37 +0100
+Subject: perf symbols: Fix symbols__fixup_end heuristic for corner cases
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+
+[ Upstream commit e7ede72a6d40cb3a30c087142d79381ca8a31dab ]
+
+The current symbols__fixup_end() heuristic for the last entry in the rb
+tree is suboptimal as it leads to not being able to recognize the symbol
+in the call graph in a couple of corner cases, for example:
+
+ i) If the symbol has a start address (f.e. exposed via kallsyms)
+ that is at a page boundary, then the roundup(curr->start, 4096)
+ for the last entry will result in curr->start == curr->end with
+ a symbol length of zero.
+
+ii) If the symbol has a start address that is shortly before a page
+ boundary, then also here, curr->end - curr->start will just be
+ very few bytes, where it's unrealistic that we could perform a
+ match against.
+
+Instead, change the heuristic to roundup(curr->start, 4096) + 4096, so
+that we can catch such corner cases and have a better chance to find
+that specific symbol. It's still just best effort as the real end of the
+symbol is unknown to us (and could even be at a larger offset than the
+current range), but better than the current situation.
+
+Alexei reported that he recently run into case i) with a JITed eBPF
+program (these are all page aligned) as the last symbol which wasn't
+properly shown in the call graph (while other eBPF program symbols in
+the rb tree were displayed correctly). Since this is a generic issue,
+lets try to improve the heuristic a bit.
+
+Reported-and-Tested-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Fixes: 2e538c4a1847 ("perf tools: Improve kernel/modules symbol lookup")
+Link: http://lkml.kernel.org/r/bb5c80d27743be6f12afc68405f1956a330e1bc9.1489614365.git.daniel@iogearbox.net
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/symbol.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/symbol.c
++++ b/tools/perf/util/symbol.c
+@@ -191,7 +191,7 @@ void symbols__fixup_end(struct rb_root *
+
+ /* Last entry */
+ if (curr->end == curr->start)
+- curr->end = roundup(curr->start, 4096);
++ curr->end = roundup(curr->start, 4096) + 4096;
+ }
+
+ void __map_groups__fixup_end(struct map_groups *mg, enum map_type type)
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Wed, 11 Oct 2017 11:57:15 +0200
+Subject: pinctrl: adi2: Fix Kconfig build problem
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+
+[ Upstream commit 1c363531dd814dc4fe10865722bf6b0f72ce4673 ]
+
+The build robot is complaining on Blackfin:
+
+drivers/pinctrl/pinctrl-adi2.c: In function 'port_setup':
+>> drivers/pinctrl/pinctrl-adi2.c:221:21: error: dereferencing
+ pointer to incomplete type 'struct gpio_port_t'
+ writew(readw(®s->port_fer) & ~BIT(offset),
+ ^~
+drivers/pinctrl/pinctrl-adi2.c: In function 'adi_gpio_ack_irq':
+>> drivers/pinctrl/pinctrl-adi2.c:266:18: error: dereferencing
+pointer to incomplete type 'struct bfin_pint_regs'
+ if (readl(®s->invert_set) & pintbit)
+ ^~
+It seems the driver need to include <asm/gpio.h> and <asm/irq.h>
+to compile.
+
+The Blackfin architecture was re-defining the Kconfig
+PINCTRL symbol which is not OK, so replaced this with
+PINCTRL_BLACKFIN_ADI2 which selects PINCTRL and PINCTRL_ADI2
+just like most arches do.
+
+Further, the old GPIO driver symbol GPIO_ADI was possible to
+select at the same time as selecting PINCTRL. This was not
+working because the arch-local <asm/gpio.h> header contains
+an explicit #ifndef PINCTRL clause making compilation break
+if you combine them. The same is true for DEBUG_MMRS.
+
+Make sure the ADI2 pinctrl driver is not selected at the same
+time as the old GPIO implementation. (This should be converted
+to use gpiolib or pincontrol and move to drivers/...) Also make
+sure the old GPIO_ADI driver or DEBUG_MMRS is not selected at
+the same time as the new PINCTRL implementation, and only make
+PINCTRL_ADI2 selectable for the Blackfin families that actually
+have it.
+
+This way it is still possible to add e.g. I2C-based pin
+control expanders on the Blackfin.
+
+Cc: Steven Miao <realmz6@gmail.com>
+Cc: Huanhuan Feng <huanhuan.feng@analog.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/blackfin/Kconfig | 7 +++++--
+ arch/blackfin/Kconfig.debug | 1 +
+ drivers/pinctrl/Kconfig | 3 ++-
+ 3 files changed, 8 insertions(+), 3 deletions(-)
+
+--- a/arch/blackfin/Kconfig
++++ b/arch/blackfin/Kconfig
+@@ -318,11 +318,14 @@ config BF53x
+
+ config GPIO_ADI
+ def_bool y
++ depends on !PINCTRL
+ depends on (BF51x || BF52x || BF53x || BF538 || BF539 || BF561)
+
+-config PINCTRL
++config PINCTRL_BLACKFIN_ADI2
+ def_bool y
+- depends on BF54x || BF60x
++ depends on (BF54x || BF60x)
++ select PINCTRL
++ select PINCTRL_ADI2
+
+ config MEM_MT48LC64M4A2FB_7E
+ bool
+--- a/arch/blackfin/Kconfig.debug
++++ b/arch/blackfin/Kconfig.debug
+@@ -17,6 +17,7 @@ config DEBUG_VERBOSE
+
+ config DEBUG_MMRS
+ tristate "Generate Blackfin MMR tree"
++ depends on !PINCTRL
+ select DEBUG_FS
+ help
+ Create a tree of Blackfin MMRs via the debugfs tree. If
+--- a/drivers/pinctrl/Kconfig
++++ b/drivers/pinctrl/Kconfig
+@@ -28,7 +28,8 @@ config DEBUG_PINCTRL
+
+ config PINCTRL_ADI2
+ bool "ADI pin controller driver"
+- depends on BLACKFIN
++ depends on (BF54x || BF60x)
++ depends on !GPIO_ADI
+ select PINMUX
+ select IRQ_DOMAIN
+ help
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Markus Elfring <elfring@users.sourceforge.net>
+Date: Wed, 1 Nov 2017 18:42:45 +0100
+Subject: platform/x86: sony-laptop: Fix error handling in sony_nc_setup_rfkill()
+
+From: Markus Elfring <elfring@users.sourceforge.net>
+
+
+[ Upstream commit f6c8a317ab208aee223776327c06f23342492d54 ]
+
+Source code review for a specific software refactoring showed the need
+for another correction because the error code "-1" was returned so far
+if a call of the function "sony_call_snc_handle" failed here.
+Thus assign the return value from these two function calls also to
+the variable "err" and provide it in case of a failure.
+
+Fixes: d6f15ed876b83a1a0eba1d0473eef58acc95444a ("sony-laptop: use soft rfkill status stored in hw")
+Suggested-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lkml.org/lkml/2017/10/31/463
+Link: https://lkml.kernel.org/r/<CAHp75VcMkXCioCzmLE0+BTmkqc5RSOx9yPO0ectVHMrMvewgwg@mail.gmail.com>
+Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/sony-laptop.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/platform/x86/sony-laptop.c
++++ b/drivers/platform/x86/sony-laptop.c
+@@ -1654,17 +1654,19 @@ static int sony_nc_setup_rfkill(struct a
+ if (!rfk)
+ return -ENOMEM;
+
+- if (sony_call_snc_handle(sony_rfkill_handle, 0x200, &result) < 0) {
++ err = sony_call_snc_handle(sony_rfkill_handle, 0x200, &result);
++ if (err < 0) {
+ rfkill_destroy(rfk);
+- return -1;
++ return err;
+ }
+ hwblock = !(result & 0x1);
+
+- if (sony_call_snc_handle(sony_rfkill_handle,
+- sony_rfkill_address[nc_type],
+- &result) < 0) {
++ err = sony_call_snc_handle(sony_rfkill_handle,
++ sony_rfkill_address[nc_type],
++ &result);
++ if (err < 0) {
+ rfkill_destroy(rfk);
+- return -1;
++ return err;
+ }
+ swblock = !(result & 0x2);
+
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Wed, 18 Oct 2017 11:16:47 +0200
+Subject: powerpc/ipic: Fix status get and status clear
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+
+[ Upstream commit 6b148a7ce72a7f87c81cbcde48af014abc0516a9 ]
+
+IPIC Status is provided by register IPIC_SERSR and not by IPIC_SERMR
+which is the mask register.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/sysdev/ipic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/sysdev/ipic.c
++++ b/arch/powerpc/sysdev/ipic.c
+@@ -844,12 +844,12 @@ void ipic_disable_mcp(enum ipic_mcp_irq
+
+ u32 ipic_get_mcp_status(void)
+ {
+- return ipic_read(primary_ipic->regs, IPIC_SERMR);
++ return ipic_read(primary_ipic->regs, IPIC_SERSR);
+ }
+
+ void ipic_clear_mcp_status(u32 mask)
+ {
+- ipic_write(primary_ipic->regs, IPIC_SERMR, mask);
++ ipic_write(primary_ipic->regs, IPIC_SERSR, mask);
+ }
+
+ /* Return an interrupt vector or NO_IRQ if no interrupt is pending. */
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: "William A. Kennington III" <wak@google.com>
+Date: Fri, 22 Sep 2017 16:58:00 -0700
+Subject: powerpc/opal: Fix EBUSY bug in acquiring tokens
+
+From: "William A. Kennington III" <wak@google.com>
+
+
+[ Upstream commit 71e24d7731a2903b1ae2bba2b2971c654d9c2aa6 ]
+
+The current code checks the completion map to look for the first token
+that is complete. In some cases, a completion can come in but the
+token can still be on lease to the caller processing the completion.
+If this completed but unreleased token is the first token found in the
+bitmap by another tasks trying to acquire a token, then the
+__test_and_set_bit call will fail since the token will still be on
+lease. The acquisition will then fail with an EBUSY.
+
+This patch reorganizes the acquisition code to look at the
+opal_async_token_map for an unleased token. If the token has no lease
+it must have no outstanding completions so we should never see an
+EBUSY, unless we have leased out too many tokens. Since
+opal_async_get_token_inrerruptible is protected by a semaphore, we
+will practically never see EBUSY anymore.
+
+Fixes: 8d7248232208 ("powerpc/powernv: Infrastructure to support OPAL async completion")
+Signed-off-by: William A. Kennington III <wak@google.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/powernv/opal-async.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/platforms/powernv/opal-async.c
++++ b/arch/powerpc/platforms/powernv/opal-async.c
+@@ -39,18 +39,18 @@ int __opal_async_get_token(void)
+ int token;
+
+ spin_lock_irqsave(&opal_async_comp_lock, flags);
+- token = find_first_bit(opal_async_complete_map, opal_max_async_tokens);
++ token = find_first_zero_bit(opal_async_token_map, opal_max_async_tokens);
+ if (token >= opal_max_async_tokens) {
+ token = -EBUSY;
+ goto out;
+ }
+
+- if (__test_and_set_bit(token, opal_async_token_map)) {
++ if (!__test_and_clear_bit(token, opal_async_complete_map)) {
+ token = -EBUSY;
+ goto out;
+ }
+
+- __clear_bit(token, opal_async_complete_map);
++ __set_bit(token, opal_async_token_map);
+
+ out:
+ spin_unlock_irqrestore(&opal_async_comp_lock, flags);
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Shriya <shriyak@linux.vnet.ibm.com>
+Date: Fri, 13 Oct 2017 10:06:41 +0530
+Subject: powerpc/powernv/cpufreq: Fix the frequency read by /proc/cpuinfo
+
+From: Shriya <shriyak@linux.vnet.ibm.com>
+
+
+[ Upstream commit cd77b5ce208c153260ed7882d8910f2395bfaabd ]
+
+The call to /proc/cpuinfo in turn calls cpufreq_quick_get() which
+returns the last frequency requested by the kernel, but may not
+reflect the actual frequency the processor is running at. This patch
+makes a call to cpufreq_get() instead which returns the current
+frequency reported by the hardware.
+
+Fixes: fb5153d05a7d ("powerpc: powernv: Implement ppc_md.get_proc_freq()")
+Signed-off-by: Shriya <shriyak@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/powernv/setup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/powernv/setup.c
++++ b/arch/powerpc/platforms/powernv/setup.c
+@@ -319,7 +319,7 @@ static unsigned long pnv_get_proc_freq(u
+ {
+ unsigned long ret_freq;
+
+- ret_freq = cpufreq_quick_get(cpu) * 1000ul;
++ ret_freq = cpufreq_get(cpu) * 1000ul;
+
+ /*
+ * If the backend cpufreq driver does not exist,
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Gao Feng <gfree.wind@vip.163.com>
+Date: Tue, 31 Oct 2017 18:25:37 +0800
+Subject: ppp: Destroy the mutex when cleanup
+
+From: Gao Feng <gfree.wind@vip.163.com>
+
+
+[ Upstream commit f02b2320b27c16b644691267ee3b5c110846f49e ]
+
+The mutex_destroy only makes sense when enable DEBUG_MUTEX. For the
+good readbility, it's better to invoke it in exit func when the init
+func invokes mutex_init.
+
+Signed-off-by: Gao Feng <gfree.wind@vip.163.com>
+Acked-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/ppp_generic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -916,6 +916,7 @@ static __net_exit void ppp_exit_net(stru
+ {
+ struct ppp_net *pn = net_generic(net, ppp_net_id);
+
++ mutex_destroy(&pn->all_ppp_mutex);
+ idr_destroy(&pn->units_idr);
+ }
+
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: NeilBrown <neilb@suse.com>
+Date: Tue, 17 Oct 2017 16:18:36 +1100
+Subject: raid5: Set R5_Expanded on parity devices as well as data.
+
+From: NeilBrown <neilb@suse.com>
+
+
+[ Upstream commit 235b6003fb28f0dd8e7ed8fbdb088bb548291766 ]
+
+When reshaping a fully degraded raid5/raid6 to a larger
+nubmer of devices, the new device(s) are not in-sync
+and so that can make the newly grown stripe appear to be
+"failed".
+To avoid this, we set the R5_Expanded flag to say "Even though
+this device is not fully in-sync, this block is safe so
+don't treat the device as failed for this stripe".
+This flag is set for data devices, not not for parity devices.
+
+Consequently, if you have a RAID6 with two devices that are partly
+recovered and a spare, and start a reshape to include the spare,
+then when the reshape gets past the point where the recovery was
+up to, it will think the stripes are failed and will get into
+an infinite loop, failing to make progress.
+
+So when contructing parity on an EXPAND_READY stripe,
+set R5_Expanded.
+
+Reported-by: Curt <lightspd@gmail.com>
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid5.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -1454,8 +1454,11 @@ static void ops_complete_reconstruct(voi
+ struct r5dev *dev = &sh->dev[i];
+
+ if (dev->written || i == pd_idx || i == qd_idx) {
+- if (!discard && !test_bit(R5_SkipCopy, &dev->flags))
++ if (!discard && !test_bit(R5_SkipCopy, &dev->flags)) {
+ set_bit(R5_UPTODATE, &dev->flags);
++ if (test_bit(STRIPE_EXPAND_READY, &sh->state))
++ set_bit(R5_Expanded, &dev->flags);
++ }
+ if (fua)
+ set_bit(R5_WantFUA, &dev->flags);
+ if (sync)
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Thu, 2 Mar 2017 15:10:59 +0100
+Subject: sched/deadline: Use deadline instead of period when calculating overflow
+
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+
+
+[ Upstream commit 2317d5f1c34913bac5971d93d69fb6c31bb74670 ]
+
+I was testing Daniel's changes with his test case, and tweaked it a
+little. Instead of having the runtime equal to the deadline, I
+increased the deadline ten fold.
+
+Daniel's test case had:
+
+ attr.sched_runtime = 2 * 1000 * 1000; /* 2 ms */
+ attr.sched_deadline = 2 * 1000 * 1000; /* 2 ms */
+ attr.sched_period = 2 * 1000 * 1000 * 1000; /* 2 s */
+
+To make it more interesting, I changed it to:
+
+ attr.sched_runtime = 2 * 1000 * 1000; /* 2 ms */
+ attr.sched_deadline = 20 * 1000 * 1000; /* 20 ms */
+ attr.sched_period = 2 * 1000 * 1000 * 1000; /* 2 s */
+
+The results were rather surprising. The behavior that Daniel's patch
+was fixing came back. The task started using much more than .1% of the
+CPU. More like 20%.
+
+Looking into this I found that it was due to the dl_entity_overflow()
+constantly returning true. That's because it uses the relative period
+against relative runtime vs the absolute deadline against absolute
+runtime.
+
+ runtime / (deadline - t) > dl_runtime / dl_period
+
+There's even a comment mentioning this, and saying that when relative
+deadline equals relative period, that the equation is the same as using
+deadline instead of period. That comment is backwards! What we really
+want is:
+
+ runtime / (deadline - t) > dl_runtime / dl_deadline
+
+We care about if the runtime can make its deadline, not its period. And
+then we can say "when the deadline equals the period, the equation is
+the same as using dl_period instead of dl_deadline".
+
+After correcting this, now when the task gets enqueued, it can throttle
+correctly, and Daniel's fix to the throttling of sleeping deadline
+tasks works even when the runtime and deadline are not the same.
+
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Daniel Bristot de Oliveira <bristot@redhat.com>
+Cc: Juri Lelli <juri.lelli@arm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Luca Abeni <luca.abeni@santannapisa.it>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Romulo Silva de Oliveira <romulo.deoliveira@ufsc.br>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tommaso Cucinotta <tommaso.cucinotta@sssup.it>
+Link: http://lkml.kernel.org/r/02135a27f1ae3fe5fd032568a5a2f370e190e8d7.1488392936.git.bristot@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/deadline.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -368,13 +368,13 @@ static void replenish_dl_entity(struct s
+ *
+ * This function returns true if:
+ *
+- * runtime / (deadline - t) > dl_runtime / dl_period ,
++ * runtime / (deadline - t) > dl_runtime / dl_deadline ,
+ *
+ * IOW we can't recycle current parameters.
+ *
+- * Notice that the bandwidth check is done against the period. For
++ * Notice that the bandwidth check is done against the deadline. For
+ * task with deadline equal to period this is the same of using
+- * dl_deadline instead of dl_period in the equation above.
++ * dl_period instead of dl_deadline in the equation above.
+ */
+ static bool dl_entity_overflow(struct sched_dl_entity *dl_se,
+ struct sched_dl_entity *pi_se, u64 t)
+@@ -399,7 +399,7 @@ static bool dl_entity_overflow(struct sc
+ * of anything below microseconds resolution is actually fiction
+ * (but still we want to give the user that illusion >;).
+ */
+- left = (pi_se->dl_period >> DL_SCALE) * (dl_se->runtime >> DL_SCALE);
++ left = (pi_se->dl_deadline >> DL_SCALE) * (dl_se->runtime >> DL_SCALE);
+ right = ((dl_se->deadline - t) >> DL_SCALE) *
+ (pi_se->dl_runtime >> DL_SCALE);
+
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Oct 2017 10:50:37 +0300
+Subject: scsi: bfa: integer overflow in debugfs
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit 3e351275655d3c84dc28abf170def9786db5176d ]
+
+We could allocate less memory than intended because we do:
+
+ bfad->regdata = kzalloc(len << 2, GFP_KERNEL);
+
+The shift can overflow leading to a crash. This is debugfs code so the
+impact is very small. I fixed the network version of this in March with
+commit 13e2d5187f6b ("bna: integer overflow bug in debugfs").
+
+Fixes: ab2a9ba189e8 ("[SCSI] bfa: add debugfs support")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/bfa/bfad_debugfs.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/bfa/bfad_debugfs.c
++++ b/drivers/scsi/bfa/bfad_debugfs.c
+@@ -254,7 +254,8 @@ bfad_debugfs_write_regrd(struct file *fi
+ struct bfad_s *bfad = port->bfad;
+ struct bfa_s *bfa = &bfad->bfa;
+ struct bfa_ioc_s *ioc = &bfa->ioc;
+- int addr, len, rc, i;
++ int addr, rc, i;
++ u32 len;
+ u32 *regbuf;
+ void __iomem *rb, *reg_addr;
+ unsigned long flags;
+@@ -274,7 +275,7 @@ bfad_debugfs_write_regrd(struct file *fi
+ }
+
+ rc = sscanf(kern_buf, "%x:%x", &addr, &len);
+- if (rc < 2) {
++ if (rc < 2 || len > (UINT_MAX >> 2)) {
+ printk(KERN_INFO
+ "bfad[%d]: %s failed to read user buf\n",
+ bfad->inst_no, __func__);
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Kurt Garloff <garloff@suse.de>
+Date: Tue, 17 Oct 2017 09:10:45 +0200
+Subject: scsi: scsi_devinfo: Add REPORTLUN2 to EMC SYMMETRIX blacklist entry
+
+From: Kurt Garloff <garloff@suse.de>
+
+
+[ Upstream commit 909cf3e16a5274fe2127cf3cea5c8dba77b2c412 ]
+
+All EMC SYMMETRIX support REPORT_LUNS, even if configured to report
+SCSI-2 for whatever reason.
+
+Signed-off-by: Kurt Garloff <garloff@suse.de>
+Signed-off-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/scsi_devinfo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/scsi_devinfo.c
++++ b/drivers/scsi/scsi_devinfo.c
+@@ -160,7 +160,7 @@ static struct {
+ {"DGC", "RAID", NULL, BLIST_SPARSELUN}, /* Dell PV 650F, storage on LUN 0 */
+ {"DGC", "DISK", NULL, BLIST_SPARSELUN}, /* Dell PV 650F, no storage on LUN 0 */
+ {"EMC", "Invista", "*", BLIST_SPARSELUN | BLIST_LARGELUN},
+- {"EMC", "SYMMETRIX", NULL, BLIST_SPARSELUN | BLIST_LARGELUN | BLIST_FORCELUN},
++ {"EMC", "SYMMETRIX", NULL, BLIST_SPARSELUN | BLIST_LARGELUN | BLIST_REPORTLUN2},
+ {"EMULEX", "MD21/S2 ESDI", NULL, BLIST_SINGLELUN},
+ {"easyRAID", "16P", NULL, BLIST_NOREPORTLUN},
+ {"easyRAID", "X6P", NULL, BLIST_NOREPORTLUN},
don-t-leak-a-key-reference-if-request_key-tries-to-use-a-revoked-keyring.patch
keys-don-t-permit-request_key-to-construct-a-new-keyring.patch
mac80211-fix-addition-of-mesh-configuration-element.patch
+usb-phy-isp1301-add-of-device-id-table.patch
+net-bcmgenet-correct-the-rbuf_ovfl_cnt-and-rbuf_err_cnt-mib-values.patch
+net-bcmgenet-correct-mib-access-of-unimac-runt-counters.patch
+net-bcmgenet-power-up-the-internal-phy-before-probing-the-mii.patch
+nfsd-fix-nfsd_minorversion-..-nfsd_avail.patch
+nfsd-fix-nfsd_reset_versions-for-nfsv4.patch
+input-i8042-add-tuxedo-bu1406-n24_25bu-to-the-nomux-list.patch
+net-wimax-i2400m-fix-null-deref-at-probe.patch
+dmaengine-fix-array-index-out-of-bounds-warning-in-__get_unmap_pool.patch
+net-resend-igmp-memberships-upon-peer-notification.patch
+openrisc-fix-issue-handling-8-byte-get_user-calls.patch
+drm-radeon-si-add-dpm-quirk-for-oland.patch
+sched-deadline-use-deadline-instead-of-period-when-calculating-overflow.patch
+drm-radeon-reinstate-oland-workaround-for-sclk.patch
+afs-fix-missing-put_page.patch
+afs-populate-group-id-from-vnode-status.patch
+afs-adjust-mode-bits-processing.patch
+afs-flush-outstanding-writes-when-an-fd-is-closed.patch
+afs-fix-the-maths-in-afs_fs_store_data.patch
+afs-populate-and-use-client-modification-time.patch
+afs-fix-page-leak-in-afs_write_begin.patch
+afs-fix-afs_kill_pages.patch
+perf-symbols-fix-symbols__fixup_end-heuristic-for-corner-cases.patch
+nfsv4.1-respect-server-s-max-size-in-create_session.patch
+btrfs-add-missing-memset-while-reading-compressed-inline-extents.patch
+target-use-system-workqueue-for-alua-transitions.patch
+fbdev-controlfb-add-missing-modes-to-fix-out-of-bounds-access.patch
+video-udlfb-fix-read-edid-timeout.patch
+video-fbdev-au1200fb-release-some-resources-if-a-memory-allocation-fails.patch
+video-fbdev-au1200fb-return-an-error-code-if-a-memory-allocation-fails.patch
+pci-pme-handle-invalid-data-when-reading-root-status.patch
+powerpc-powernv-cpufreq-fix-the-frequency-read-by-proc-cpuinfo.patch
+powerpc-opal-fix-ebusy-bug-in-acquiring-tokens.patch
+powerpc-ipic-fix-status-get-and-status-clear.patch
+platform-x86-sony-laptop-fix-error-handling-in-sony_nc_setup_rfkill.patch
+target-iscsi-fix-a-race-condition-in-iscsit_add_reject_from_cmd.patch
+iscsi-target-fix-memory-leak-in-lio_target_tiqn_addtpg.patch
+target-fix-condition-return-in-core_pr_dump_initiator_port.patch
+target-file-do-not-return-error-for-unmap-if-length-is-zero.patch
+arm-ccn-perf-prevent-module-unload-while-pmu-is-in-use.patch
+mm-handle-0-flags-in-_calc_vm_trans-macro.patch
+clk-tegra-fix-cclk_lp-divisor-register.patch
+ppp-destroy-the-mutex-when-cleanup.patch
+thermal-drivers-step_wise-fix-temperature-regulation-misbehavior.patch
+gfs2-take-inode-off-order_write-list-when-setting-jdata-flag.patch
+bcache-explicitly-destroy-mutex-while-exiting.patch
+bcache-fix-wrong-cache_misses-statistics.patch
+xfs-fix-log-block-underflow-during-recovery-cycle-verification.patch
+pci-detach-driver-before-procfs-sysfs-teardown-on-device-remove.patch
+tty-fix-oops-when-rmmod-8250.patch
+pinctrl-adi2-fix-kconfig-build-problem.patch
+raid5-set-r5_expanded-on-parity-devices-as-well-as-data.patch
+scsi-scsi_devinfo-add-reportlun2-to-emc-symmetrix-blacklist-entry.patch
+scsi-bfa-integer-overflow-in-debugfs.patch
+udf-avoid-overflow-when-session-starts-at-large-offset.patch
+macvlan-only-deliver-one-copy-of-the-frame-to-the-macvlan-interface.patch
+ath9k-fix-tx99-potential-info-leak.patch
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Jiang Yi <jiangyilism@gmail.com>
+Date: Fri, 11 Aug 2017 11:29:44 +0800
+Subject: target/file: Do not return error for UNMAP if length is zero
+
+From: Jiang Yi <jiangyilism@gmail.com>
+
+
+[ Upstream commit 594e25e73440863981032d76c9b1e33409ceff6e ]
+
+The function fd_execute_unmap() in target_core_file.c calles
+
+ret = file->f_op->fallocate(file, mode, pos, len);
+
+Some filesystems implement fallocate() to return error if
+length is zero (e.g. btrfs) but according to SCSI Block
+Commands spec UNMAP should return success for zero length.
+
+Signed-off-by: Jiang Yi <jiangyilism@gmail.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_file.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/target/target_core_file.c
++++ b/drivers/target/target_core_file.c
+@@ -592,6 +592,10 @@ fd_do_unmap(struct se_cmd *cmd, void *pr
+ struct inode *inode = file->f_mapping->host;
+ int ret;
+
++ if (!nolb) {
++ return 0;
++ }
++
+ if (cmd->se_dev->dev_attrib.pi_prot_type) {
+ ret = fd_do_prot_unmap(cmd, lba, nolb);
+ if (ret)
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: tangwenji <tang.wenji@zte.com.cn>
+Date: Thu, 24 Aug 2017 19:59:37 +0800
+Subject: target:fix condition return in core_pr_dump_initiator_port()
+
+From: tangwenji <tang.wenji@zte.com.cn>
+
+
+[ Upstream commit 24528f089d0a444070aa4f715ace537e8d6bf168 ]
+
+When is pr_reg->isid_present_at_reg is false,this function should return.
+
+This fixes a regression originally introduced by:
+
+ commit d2843c173ee53cf4c12e7dfedc069a5bc76f0ac5
+ Author: Andy Grover <agrover@redhat.com>
+ Date: Thu May 16 10:40:55 2013 -0700
+
+ target: Alter core_pr_dump_initiator_port for ease of use
+
+Signed-off-by: tangwenji <tang.wenji@zte.com.cn>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_pr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -58,8 +58,10 @@ void core_pr_dump_initiator_port(
+ char *buf,
+ u32 size)
+ {
+- if (!pr_reg->isid_present_at_reg)
++ if (!pr_reg->isid_present_at_reg) {
+ buf[0] = '\0';
++ return;
++ }
+
+ snprintf(buf, size, ",i,0x%s", pr_reg->pr_reg_isid);
+ }
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Tue, 31 Oct 2017 11:03:17 -0700
+Subject: target/iscsi: Fix a race condition in iscsit_add_reject_from_cmd()
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+
+[ Upstream commit cfe2b621bb18d86e93271febf8c6e37622da2d14 ]
+
+Avoid that cmd->se_cmd.se_tfo is read after a command has already been
+freed.
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Mike Christie <mchristi@redhat.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/iscsi/iscsi_target.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -674,6 +674,7 @@ static int iscsit_add_reject_from_cmd(
+ unsigned char *buf)
+ {
+ struct iscsi_conn *conn;
++ const bool do_put = cmd->se_cmd.se_tfo != NULL;
+
+ if (!cmd->conn) {
+ pr_err("cmd->conn is NULL for ITT: 0x%08x\n",
+@@ -704,7 +705,7 @@ static int iscsit_add_reject_from_cmd(
+ * Perform the kref_put now if se_cmd has already been setup by
+ * scsit_setup_scsi_cmd()
+ */
+- if (cmd->se_cmd.se_tfo != NULL) {
++ if (do_put) {
+ pr_debug("iscsi reject: calling target_put_sess_cmd >>>>>>\n");
+ target_put_sess_cmd(&cmd->se_cmd);
+ }
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Mike Christie <mchristi@redhat.com>
+Date: Wed, 1 Mar 2017 23:13:26 -0600
+Subject: target: Use system workqueue for ALUA transitions
+
+From: Mike Christie <mchristi@redhat.com>
+
+
+[ Upstream commit 207ee84133c00a8a2a5bdec94df4a5b37d78881c ]
+
+If tcmu-runner is processing a STPG and needs to change the kernel's
+ALUA state then we cannot use the same work queue for task management
+requests and ALUA transitions, because we could deadlock. The problem
+occurs when a STPG times out before tcmu-runner is able to
+call into target_tg_pt_gp_alua_access_state_store->
+core_alua_do_port_transition -> core_alua_do_transition_tg_pt ->
+queue_work. In this case, the tmr is on the work queue waiting for
+the STPG to complete, but the STPG transition is now queued behind
+the waiting tmr.
+
+Note:
+This bug will also be fixed by this patch:
+http://www.spinics.net/lists/target-devel/msg14560.html
+which switches the tmr code to use the system workqueues.
+
+For both, I am not sure if we need a dedicated workqueue since
+it is not a performance path and I do not think we need WQ_MEM_RECLAIM
+to make forward progress to free up memory like the block layer does.
+
+Signed-off-by: Mike Christie <mchristi@redhat.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_alua.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/target/target_core_alua.c
++++ b/drivers/target/target_core_alua.c
+@@ -1126,13 +1126,11 @@ static int core_alua_do_transition_tg_pt
+ unsigned long transition_tmo;
+
+ transition_tmo = tg_pt_gp->tg_pt_gp_implicit_trans_secs * HZ;
+- queue_delayed_work(tg_pt_gp->tg_pt_gp_dev->tmr_wq,
+- &tg_pt_gp->tg_pt_gp_transition_work,
+- transition_tmo);
++ schedule_delayed_work(&tg_pt_gp->tg_pt_gp_transition_work,
++ transition_tmo);
+ } else {
+ tg_pt_gp->tg_pt_gp_transition_complete = &wait;
+- queue_delayed_work(tg_pt_gp->tg_pt_gp_dev->tmr_wq,
+- &tg_pt_gp->tg_pt_gp_transition_work, 0);
++ schedule_delayed_work(&tg_pt_gp->tg_pt_gp_transition_work, 0);
+ wait_for_completion(&wait);
+ tg_pt_gp->tg_pt_gp_transition_complete = NULL;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Daniel Lezcano <daniel.lezcano@linaro.org>
+Date: Thu, 19 Oct 2017 19:05:58 +0200
+Subject: thermal/drivers/step_wise: Fix temperature regulation misbehavior
+
+From: Daniel Lezcano <daniel.lezcano@linaro.org>
+
+
+[ Upstream commit 07209fcf33542c1ff1e29df2dbdf8f29cdaacb10 ]
+
+There is a particular situation when the cooling device is cpufreq and the heat
+dissipation is not efficient enough where the temperature increases little by
+little until reaching the critical threshold and leading to a SoC reset.
+
+The behavior is reproducible on a hikey6220 with bad heat dissipation (eg.
+stacked with other boards).
+
+Running a simple C program doing while(1); for each CPU of the SoC makes the
+temperature to reach the passive regulation trip point and ends up to the
+maximum allowed temperature followed by a reset.
+
+This issue has been also reported by running the libhugetlbfs test suite.
+
+What is observed is a ping pong between two cpu frequencies, 1.2GHz and 900MHz
+while the temperature continues to grow.
+
+It appears the step wise governor calls get_target_state() the first time with
+the throttle set to true and the trend to 'raising'. The code selects logically
+the next state, so the cpu frequency decreases from 1.2GHz to 900MHz, so far so
+good. The temperature decreases immediately but still stays greater than the
+trip point, then get_target_state() is called again, this time with the
+throttle set to true *and* the trend to 'dropping'. From there the algorithm
+assumes we have to step down the state and the cpu frequency jumps back to
+1.2GHz. But the temperature is still higher than the trip point, so
+get_target_state() is called with throttle=1 and trend='raising' again, we jump
+to 900MHz, then get_target_state() is called with throttle=1 and
+trend='dropping', we jump to 1.2GHz, etc ... but the temperature does not
+stabilizes and continues to increase.
+
+[ 237.922654] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1
+[ 237.922678] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1
+[ 237.922690] thermal cooling_device0: cur_state=0
+[ 237.922701] thermal cooling_device0: old_target=0, target=1
+[ 238.026656] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1
+[ 238.026680] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=1
+[ 238.026694] thermal cooling_device0: cur_state=1
+[ 238.026707] thermal cooling_device0: old_target=1, target=0
+[ 238.134647] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1
+[ 238.134667] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1
+[ 238.134679] thermal cooling_device0: cur_state=0
+[ 238.134690] thermal cooling_device0: old_target=0, target=1
+
+In this situation the temperature continues to increase while the trend is
+oscillating between 'dropping' and 'raising'. We need to keep the current state
+untouched if the throttle is set, so the temperature can decrease or a higher
+state could be selected, thus preventing this oscillation.
+
+Keeping the next_target untouched when 'throttle' is true at 'dropping' time
+fixes the issue.
+
+The following traces show the governor does not change the next state if
+trend==2 (dropping) and throttle==1.
+
+[ 2306.127987] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1
+[ 2306.128009] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1
+[ 2306.128021] thermal cooling_device0: cur_state=0
+[ 2306.128031] thermal cooling_device0: old_target=0, target=1
+[ 2306.231991] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1
+[ 2306.232016] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=1
+[ 2306.232030] thermal cooling_device0: cur_state=1
+[ 2306.232042] thermal cooling_device0: old_target=1, target=1
+[ 2306.335982] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=0,throttle=1
+[ 2306.336006] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=0,throttle=1
+[ 2306.336021] thermal cooling_device0: cur_state=1
+[ 2306.336034] thermal cooling_device0: old_target=1, target=1
+[ 2306.439984] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1
+[ 2306.440008] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=0
+[ 2306.440022] thermal cooling_device0: cur_state=1
+[ 2306.440034] thermal cooling_device0: old_target=1, target=0
+
+[ ... ]
+
+After a while, if the temperature continues to increase, the next state becomes
+2 which is 720MHz on the hikey. That results in the temperature stabilizing
+around the trip point.
+
+[ 2455.831982] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1
+[ 2455.832006] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=0
+[ 2455.832019] thermal cooling_device0: cur_state=1
+[ 2455.832032] thermal cooling_device0: old_target=1, target=1
+[ 2455.935985] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=0,throttle=1
+[ 2455.936013] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=0,throttle=0
+[ 2455.936027] thermal cooling_device0: cur_state=1
+[ 2455.936040] thermal cooling_device0: old_target=1, target=1
+[ 2456.043984] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=0,throttle=1
+[ 2456.044009] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=0,throttle=0
+[ 2456.044023] thermal cooling_device0: cur_state=1
+[ 2456.044036] thermal cooling_device0: old_target=1, target=1
+[ 2456.148001] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1
+[ 2456.148028] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1
+[ 2456.148042] thermal cooling_device0: cur_state=1
+[ 2456.148055] thermal cooling_device0: old_target=1, target=2
+[ 2456.252009] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1
+[ 2456.252041] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=0
+[ 2456.252058] thermal cooling_device0: cur_state=2
+[ 2456.252075] thermal cooling_device0: old_target=2, target=1
+
+IOW, this change is needed to keep the state for a cooling device if the
+temperature trend is oscillating while the temperature increases slightly.
+
+Without this change, the situation above leads to a catastrophic crash by a
+hardware reset on hikey. This issue has been reported to happen on an OMAP
+dra7xx also.
+
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Cc: Keerthy <j-keerthy@ti.com>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Leo Yan <leo.yan@linaro.org>
+Tested-by: Keerthy <j-keerthy@ti.com>
+Reviewed-by: Keerthy <j-keerthy@ti.com>
+Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/step_wise.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/thermal/step_wise.c
++++ b/drivers/thermal/step_wise.c
+@@ -31,8 +31,7 @@
+ * If the temperature is higher than a trip point,
+ * a. if the trend is THERMAL_TREND_RAISING, use higher cooling
+ * state for this trip point
+- * b. if the trend is THERMAL_TREND_DROPPING, use lower cooling
+- * state for this trip point
++ * b. if the trend is THERMAL_TREND_DROPPING, do nothing
+ * c. if the trend is THERMAL_TREND_RAISE_FULL, use upper limit
+ * for this trip point
+ * d. if the trend is THERMAL_TREND_DROP_FULL, use lower limit
+@@ -94,9 +93,11 @@ static unsigned long get_target_state(st
+ if (!throttle)
+ next_target = THERMAL_NO_TARGET;
+ } else {
+- next_target = cur_state - 1;
+- if (next_target > instance->upper)
+- next_target = instance->upper;
++ if (!throttle) {
++ next_target = cur_state - 1;
++ if (next_target > instance->upper)
++ next_target = instance->upper;
++ }
+ }
+ break;
+ case THERMAL_TREND_DROP_FULL:
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: nixiaoming <nixiaoming@huawei.com>
+Date: Fri, 15 Sep 2017 17:45:56 +0800
+Subject: tty fix oops when rmmod 8250
+
+From: nixiaoming <nixiaoming@huawei.com>
+
+
+[ Upstream commit c79dde629d2027ca80329c62854a7635e623d527 ]
+
+After rmmod 8250.ko
+tty_kref_put starts kwork (release_one_tty) to release proc interface
+oops when accessing driver->driver_name in proc_tty_unregister_driver
+
+Use jprobe, found driver->driver_name point to 8250.ko
+static static struct uart_driver serial8250_reg
+.driver_name= serial,
+
+Use name in proc_dir_entry instead of driver->driver_name to fix oops
+
+test on linux 4.1.12:
+
+BUG: unable to handle kernel paging request at ffffffffa01979de
+IP: [<ffffffff81310f40>] strchr+0x0/0x30
+PGD 1a0d067 PUD 1a0e063 PMD 851c1f067 PTE 0
+Oops: 0000 [#1] PREEMPT SMP
+Modules linked in: ... ... [last unloaded: 8250]
+CPU: 7 PID: 116 Comm: kworker/7:1 Tainted: G O 4.1.12 #1
+Hardware name: Insyde RiverForest/Type2 - Board Product Name1, BIOS NE5KV904 12/21/2015
+Workqueue: events release_one_tty
+task: ffff88085b684960 ti: ffff880852884000 task.ti: ffff880852884000
+RIP: 0010:[<ffffffff81310f40>] [<ffffffff81310f40>] strchr+0x0/0x30
+RSP: 0018:ffff880852887c90 EFLAGS: 00010282
+RAX: ffffffff81a5eca0 RBX: ffffffffa01979de RCX: 0000000000000004
+RDX: ffff880852887d10 RSI: 000000000000002f RDI: ffffffffa01979de
+RBP: ffff880852887cd8 R08: 0000000000000000 R09: ffff88085f5d94d0
+R10: 0000000000000195 R11: 0000000000000000 R12: ffffffffa01979de
+R13: ffff880852887d00 R14: ffffffffa01979de R15: ffff88085f02e840
+FS: 0000000000000000(0000) GS:ffff88085f5c0000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffa01979de CR3: 0000000001a0c000 CR4: 00000000001406e0
+Stack:
+ ffffffff812349b1 ffff880852887cb8 ffff880852887d10 ffff88085f5cd6c2
+ ffff880852800a80 ffffffffa01979de ffff880852800a84 0000000000000010
+ ffff88085bb28bd8 ffff880852887d38 ffffffff812354f0 ffff880852887d08
+Call Trace:
+ [<ffffffff812349b1>] ? __xlate_proc_name+0x71/0xd0
+ [<ffffffff812354f0>] remove_proc_entry+0x40/0x180
+ [<ffffffff815f6811>] ? _raw_spin_lock_irqsave+0x41/0x60
+ [<ffffffff813be520>] ? destruct_tty_driver+0x60/0xe0
+ [<ffffffff81237c68>] proc_tty_unregister_driver+0x28/0x40
+ [<ffffffff813be548>] destruct_tty_driver+0x88/0xe0
+ [<ffffffff813be5bd>] tty_driver_kref_put+0x1d/0x20
+ [<ffffffff813becca>] release_one_tty+0x5a/0xd0
+ [<ffffffff81074159>] process_one_work+0x139/0x420
+ [<ffffffff810745a1>] worker_thread+0x121/0x450
+ [<ffffffff81074480>] ? process_scheduled_works+0x40/0x40
+ [<ffffffff8107a16c>] kthread+0xec/0x110
+ [<ffffffff81080000>] ? tg_rt_schedulable+0x210/0x220
+ [<ffffffff8107a080>] ? kthread_freezable_should_stop+0x80/0x80
+ [<ffffffff815f7292>] ret_from_fork+0x42/0x70
+ [<ffffffff8107a080>] ? kthread_freezable_should_stop+0x80/0x80
+
+Signed-off-by: nixiaoming <nixiaoming@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/proc_tty.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/proc/proc_tty.c
++++ b/fs/proc/proc_tty.c
+@@ -14,6 +14,7 @@
+ #include <linux/tty.h>
+ #include <linux/seq_file.h>
+ #include <linux/bitops.h>
++#include "internal.h"
+
+ /*
+ * The /proc/tty directory inodes...
+@@ -164,7 +165,7 @@ void proc_tty_unregister_driver(struct t
+ if (!ent)
+ return;
+
+- remove_proc_entry(driver->driver_name, proc_tty_driver);
++ remove_proc_entry(ent->name, proc_tty_driver);
+
+ driver->proc_entry = NULL;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 16 Oct 2017 11:38:11 +0200
+Subject: udf: Avoid overflow when session starts at large offset
+
+From: Jan Kara <jack@suse.cz>
+
+
+[ Upstream commit abdc0eb06964fe1d2fea6dd1391b734d0590365d ]
+
+When session starts beyond offset 2^31 the arithmetics in
+udf_check_vsd() would overflow. Make sure the computation is done in
+large enough type.
+
+Reported-by: Cezary Sliwa <sliwa@ifpan.edu.pl>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/udf/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -706,7 +706,7 @@ static loff_t udf_check_vsd(struct super
+ else
+ sectorsize = sb->s_blocksize;
+
+- sector += (sbi->s_session << sb->s_blocksize_bits);
++ sector += (((loff_t)sbi->s_session) << sb->s_blocksize_bits);
+
+ udf_debug("Starting at sector %u (%ld byte sectors)\n",
+ (unsigned int)(sector >> sb->s_blocksize_bits),
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Javier Martinez Canillas <javier@osg.samsung.com>
+Date: Wed, 22 Feb 2017 15:23:22 -0300
+Subject: usb: phy: isp1301: Add OF device ID table
+
+From: Javier Martinez Canillas <javier@osg.samsung.com>
+
+
+[ Upstream commit fd567653bdb908009b650f079bfd4b63169e2ac4 ]
+
+The driver doesn't have a struct of_device_id table but supported devices
+are registered via Device Trees. This is working on the assumption that a
+I2C device registered via OF will always match a legacy I2C device ID and
+that the MODALIAS reported will always be of the form i2c:<device>.
+
+But this could change in the future so the correct approach is to have an
+OF device ID table if the devices are registered via OF.
+
+Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/phy/phy-isp1301.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/phy/phy-isp1301.c
++++ b/drivers/usb/phy/phy-isp1301.c
+@@ -32,6 +32,12 @@ static const struct i2c_device_id isp130
+ { }
+ };
+
++static const struct of_device_id isp1301_of_match[] = {
++ {.compatible = "nxp,isp1301" },
++ { },
++};
++MODULE_DEVICE_TABLE(of, isp1301_of_match);
++
+ static struct i2c_client *isp1301_i2c_client;
+
+ static int __isp1301_write(struct isp1301 *isp, u8 reg, u8 value, u8 clear)
+@@ -129,6 +135,7 @@ static int isp1301_remove(struct i2c_cli
+ static struct i2c_driver isp1301_driver = {
+ .driver = {
+ .name = DRV_NAME,
++ .of_match_table = of_match_ptr(isp1301_of_match),
+ },
+ .probe = isp1301_probe,
+ .remove = isp1301_remove,
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Thu, 9 Nov 2017 18:09:28 +0100
+Subject: video: fbdev: au1200fb: Release some resources if a memory allocation fails
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit 451f130602619a17c8883dd0b71b11624faffd51 ]
+
+We should go through the error handling code instead of returning -ENOMEM
+directly.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Cc: Tejun Heo <tj@kernel.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/au1200fb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/au1200fb.c
++++ b/drivers/video/fbdev/au1200fb.c
+@@ -1699,7 +1699,8 @@ static int au1200fb_drv_probe(struct pla
+ if (!fbdev->fb_mem) {
+ print_err("fail to allocate frambuffer (size: %dK))",
+ fbdev->fb_len / 1024);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto failed;
+ }
+
+ /*
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Thu, 9 Nov 2017 18:09:28 +0100
+Subject: video: fbdev: au1200fb: Return an error code if a memory allocation fails
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit 8cae353e6b01ac3f18097f631cdbceb5ff28c7f3 ]
+
+'ret' is known to be 0 at this point.
+In case of memory allocation error in 'framebuffer_alloc()', return
+-ENOMEM instead.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Cc: Tejun Heo <tj@kernel.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/au1200fb.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/au1200fb.c
++++ b/drivers/video/fbdev/au1200fb.c
+@@ -1680,8 +1680,10 @@ static int au1200fb_drv_probe(struct pla
+
+ fbi = framebuffer_alloc(sizeof(struct au1200fb_device),
+ &dev->dev);
+- if (!fbi)
++ if (!fbi) {
++ ret = -ENOMEM;
+ goto failed;
++ }
+
+ _au1200fb_infos[plane] = fbi;
+ fbdev = fbi->par;
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Ladislav Michl <ladis@linux-mips.org>
+Date: Thu, 9 Nov 2017 18:09:30 +0100
+Subject: video: udlfb: Fix read EDID timeout
+
+From: Ladislav Michl <ladis@linux-mips.org>
+
+
+[ Upstream commit c98769475575c8a585f5b3952f4b5f90266f699b ]
+
+While usb_control_msg function expects timeout in miliseconds, a value
+of HZ is used. Replace it with USB_CTRL_GET_TIMEOUT and also fix error
+message which looks like:
+udlfb: Read EDID byte 78 failed err ffffff92
+as error is either negative errno or number of bytes transferred use %d
+format specifier.
+
+Returned EDID is in second byte, so return error when less than two bytes
+are received.
+
+Fixes: 18dffdf8913a ("staging: udlfb: enhance EDID and mode handling support")
+Signed-off-by: Ladislav Michl <ladis@linux-mips.org>
+Cc: Bernie Thompson <bernie@plugable.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/udlfb.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/video/fbdev/udlfb.c
++++ b/drivers/video/fbdev/udlfb.c
+@@ -769,11 +769,11 @@ static int dlfb_get_edid(struct dlfb_dat
+
+ for (i = 0; i < len; i++) {
+ ret = usb_control_msg(dev->udev,
+- usb_rcvctrlpipe(dev->udev, 0), (0x02),
+- (0x80 | (0x02 << 5)), i << 8, 0xA1, rbuf, 2,
+- HZ);
+- if (ret < 1) {
+- pr_err("Read EDID byte %d failed err %x\n", i, ret);
++ usb_rcvctrlpipe(dev->udev, 0), 0x02,
++ (0x80 | (0x02 << 5)), i << 8, 0xA1,
++ rbuf, 2, USB_CTRL_GET_TIMEOUT);
++ if (ret < 2) {
++ pr_err("Read EDID byte %d failed: %d\n", i, ret);
+ i--;
+ break;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 15:03:25 CET 2017
+From: Brian Foster <bfoster@redhat.com>
+Date: Thu, 26 Oct 2017 09:31:16 -0700
+Subject: xfs: fix log block underflow during recovery cycle verification
+
+From: Brian Foster <bfoster@redhat.com>
+
+
+[ Upstream commit 9f2a4505800607e537e9dd9dea4f55c4b0c30c7a ]
+
+It is possible for mkfs to format very small filesystems with too
+small of an internal log with respect to the various minimum size
+and block count requirements. If this occurs when the log happens to
+be smaller than the scan window used for cycle verification and the
+scan wraps the end of the log, the start_blk calculation in
+xlog_find_head() underflows and leads to an attempt to scan an
+invalid range of log blocks. This results in log recovery failure
+and a failed mount.
+
+Since there may be filesystems out in the wild with this kind of
+geometry, we cannot simply refuse to mount. Instead, cap the scan
+window for cycle verification to the size of the physical log. This
+ensures that the cycle verification proceeds as expected when the
+scan wraps the end of the log.
+
+Reported-by: Zorro Lang <zlang@redhat.com>
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_log_recover.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_log_recover.c
++++ b/fs/xfs/xfs_log_recover.c
+@@ -740,7 +740,7 @@ xlog_find_head(
+ * in the in-core log. The following number can be made tighter if
+ * we actually look at the block size of the filesystem.
+ */
+- num_scan_bblks = XLOG_TOTAL_REC_SHIFT(log);
++ num_scan_bblks = min_t(int, log_bbnum, XLOG_TOTAL_REC_SHIFT(log));
+ if (head_blk >= num_scan_bblks) {
+ /*
+ * We are guaranteed that the entire check can be performed
projects / thirdparty / kernel / stable-queue.git / commitdiff
