--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sun, 15 Oct 2017 21:24:49 +0200
+Subject: ACPI / bus: Leave modalias empty for devices which are not present
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+
+[ Upstream commit 10809bb976648ac58194a629e3d7af99e7400297 ]
+
+Most Bay and Cherry Trail devices use a generic DSDT with all possible
+peripheral devices present in the DSDT, with their _STA returning 0x00 or
+0x0f based on AML variables which describe what is actually present on
+the board.
+
+Since ACPI device objects with a 0x00 status (not present) still get an
+entry under /sys/bus/acpi/devices, and those entry had an acpi:PNPID
+modalias, userspace would end up loading modules for non present hardware.
+
+This commit fixes this by leaving the modalias empty for non present
+devices. This results in 10 modules less being loaded with a generic
+distro kernel config on my Cherry Trail test-device (a GPD pocket).
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/device_sysfs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/acpi/device_sysfs.c
++++ b/drivers/acpi/device_sysfs.c
+@@ -146,6 +146,10 @@ static int create_pnp_modalias(struct ac
+ int count;
+ struct acpi_hardware_id *id;
+
++ /* Avoid unnecessarily loading modules for non present devices. */
++ if (!acpi_device_is_present(acpi_dev))
++ return 0;
++
+ /*
+ * Since we skip ACPI_DT_NAMESPACE_HID from the modalias below, 0 should
+ * be returned if ACPI_DT_NAMESPACE_HID is the only ACPI/PNP ID in the
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Michael Lyle <mlyle@lyle.org>
+Date: Fri, 24 Nov 2017 15:14:27 -0800
+Subject: bcache: check return value of register_shrinker
+
+From: Michael Lyle <mlyle@lyle.org>
+
+
+[ Upstream commit 6c4ca1e36cdc1a0a7a84797804b87920ccbebf51 ]
+
+register_shrinker is now __must_check, so check it to kill a warning.
+Caller of bch_btree_cache_alloc in super.c appropriately checks return
+value so this is fully plumbed through.
+
+This V2 fixes checkpatch warnings and improves the commit description,
+as I was too hasty getting the previous version out.
+
+Signed-off-by: Michael Lyle <mlyle@lyle.org>
+Reviewed-by: Vojtech Pavlik <vojtech@suse.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/btree.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/btree.c
++++ b/drivers/md/bcache/btree.c
+@@ -808,7 +808,10 @@ int bch_btree_cache_alloc(struct cache_s
+ c->shrink.scan_objects = bch_mca_scan;
+ c->shrink.seeks = 4;
+ c->shrink.batch = c->btree_pages * 2;
+- register_shrinker(&c->shrink);
++
++ if (register_shrinker(&c->shrink))
++ pr_warn("bcache: %s: could not register shrinker",
++ __func__);
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Josef Bacik <jbacik@fb.com>
+Date: Wed, 15 Nov 2017 16:20:52 -0500
+Subject: btrfs: fix deadlock when writing out space cache
+
+From: Josef Bacik <jbacik@fb.com>
+
+
+[ Upstream commit b77000ed558daa3bef0899d29bf171b8c9b5e6a8 ]
+
+If we fail to prepare our pages for whatever reason (out of memory in
+our case) we need to make sure to drop the block_group->data_rwsem,
+otherwise hilarity ensues.
+
+Signed-off-by: Josef Bacik <jbacik@fb.com>
+Reviewed-by: Omar Sandoval <osandov@fb.com>
+Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+[ add label and use existing unlocking code ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/free-space-cache.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/free-space-cache.c
++++ b/fs/btrfs/free-space-cache.c
+@@ -1258,7 +1258,7 @@ static int __btrfs_write_out_cache(struc
+ /* Lock all pages first so we can lock the extent safely. */
+ ret = io_ctl_prepare_pages(io_ctl, inode, 0);
+ if (ret)
+- goto out;
++ goto out_unlock;
+
+ lock_extent_bits(&BTRFS_I(inode)->io_tree, 0, i_size_read(inode) - 1,
+ 0, &cached_state);
+@@ -1351,6 +1351,7 @@ out_nospc_locked:
+ out_nospc:
+ cleanup_write_cache_enospc(inode, io_ctl, &cached_state, &bitmap_list);
+
++out_unlock:
+ if (block_group && (block_group->flags & BTRFS_BLOCK_GROUP_DATA))
+ up_write(&block_group->data_rwsem);
+
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: James Hogan <jhogan@kernel.org>
+Date: Wed, 15 Nov 2017 21:17:55 +0000
+Subject: cpufreq: Add Loongson machine dependencies
+
+From: James Hogan <jhogan@kernel.org>
+
+
+[ Upstream commit 0d307935fefa6389eb726c6362351c162c949101 ]
+
+The MIPS loongson cpufreq drivers don't build unless configured for the
+correct machine type, due to dependency on machine specific architecture
+headers and symbols in machine specific platform code.
+
+More specifically loongson1-cpufreq.c uses RST_CPU_EN and RST_CPU,
+neither of which is defined in asm/mach-loongson32/regs-clk.h unless
+CONFIG_LOONGSON1_LS1B=y, and loongson2_cpufreq.c references
+loongson2_clockmod_table[], which is only defined in
+arch/mips/loongson64/lemote-2f/clock.c, i.e. when
+CONFIG_LEMOTE_MACH2F=y.
+
+Add these dependencies to Kconfig to avoid randconfig / allyesconfig
+build failures (e.g. when based on BMIPS which also has a cpufreq
+driver).
+
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/cpufreq/Kconfig
++++ b/drivers/cpufreq/Kconfig
+@@ -236,6 +236,7 @@ endif
+ if MIPS
+ config LOONGSON2_CPUFREQ
+ tristate "Loongson2 CPUFreq Driver"
++ depends on LEMOTE_MACH2F
+ help
+ This option adds a CPUFreq driver for loongson processors which
+ support software configurable cpu frequency.
+@@ -248,6 +249,7 @@ config LOONGSON2_CPUFREQ
+
+ config LOONGSON1_CPUFREQ
+ tristate "Loongson1 CPUFreq Driver"
++ depends on LOONGSON1_LS1B
+ help
+ This option adds a CPUFreq driver for loongson1 processors which
+ support software configurable cpu frequency.
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Felix Kuehling <Felix.Kuehling@amd.com>
+Date: Wed, 1 Nov 2017 19:21:55 -0400
+Subject: drm/amdgpu: Fix SDMA load/unload sequence on HWS disabled mode
+
+From: Felix Kuehling <Felix.Kuehling@amd.com>
+
+
+[ Upstream commit cf21654b40968609779751b34e7923180968fe5b ]
+
+Fix the SDMA load and unload sequence as suggested by HW document.
+
+Signed-off-by: shaoyun liu <shaoyun.liu@amd.com>
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Acked-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c | 47 +++++++++++++++-------
+ 1 file changed, 34 insertions(+), 13 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c
+@@ -367,29 +367,50 @@ static int kgd_hqd_sdma_load(struct kgd_
+ {
+ struct amdgpu_device *adev = get_amdgpu_device(kgd);
+ struct cik_sdma_rlc_registers *m;
++ unsigned long end_jiffies;
+ uint32_t sdma_base_addr;
++ uint32_t data;
+
+ m = get_sdma_mqd(mqd);
+ sdma_base_addr = get_sdma_base_addr(m);
+
+- WREG32(sdma_base_addr + mmSDMA0_RLC0_VIRTUAL_ADDR,
+- m->sdma_rlc_virtual_addr);
++ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_CNTL,
++ m->sdma_rlc_rb_cntl & (~SDMA0_RLC0_RB_CNTL__RB_ENABLE_MASK));
+
+- WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_BASE,
+- m->sdma_rlc_rb_base);
++ end_jiffies = msecs_to_jiffies(2000) + jiffies;
++ while (true) {
++ data = RREG32(sdma_base_addr + mmSDMA0_RLC0_CONTEXT_STATUS);
++ if (data & SDMA0_RLC0_CONTEXT_STATUS__IDLE_MASK)
++ break;
++ if (time_after(jiffies, end_jiffies))
++ return -ETIME;
++ usleep_range(500, 1000);
++ }
++ if (m->sdma_engine_id) {
++ data = RREG32(mmSDMA1_GFX_CONTEXT_CNTL);
++ data = REG_SET_FIELD(data, SDMA1_GFX_CONTEXT_CNTL,
++ RESUME_CTX, 0);
++ WREG32(mmSDMA1_GFX_CONTEXT_CNTL, data);
++ } else {
++ data = RREG32(mmSDMA0_GFX_CONTEXT_CNTL);
++ data = REG_SET_FIELD(data, SDMA0_GFX_CONTEXT_CNTL,
++ RESUME_CTX, 0);
++ WREG32(mmSDMA0_GFX_CONTEXT_CNTL, data);
++ }
+
++ WREG32(sdma_base_addr + mmSDMA0_RLC0_DOORBELL,
++ m->sdma_rlc_doorbell);
++ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_RPTR, 0);
++ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_WPTR, 0);
++ WREG32(sdma_base_addr + mmSDMA0_RLC0_VIRTUAL_ADDR,
++ m->sdma_rlc_virtual_addr);
++ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_BASE, m->sdma_rlc_rb_base);
+ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_BASE_HI,
+ m->sdma_rlc_rb_base_hi);
+-
+ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_RPTR_ADDR_LO,
+ m->sdma_rlc_rb_rptr_addr_lo);
+-
+ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_RPTR_ADDR_HI,
+ m->sdma_rlc_rb_rptr_addr_hi);
+-
+- WREG32(sdma_base_addr + mmSDMA0_RLC0_DOORBELL,
+- m->sdma_rlc_doorbell);
+-
+ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_CNTL,
+ m->sdma_rlc_rb_cntl);
+
+@@ -492,9 +513,9 @@ static int kgd_hqd_sdma_destroy(struct k
+ }
+
+ WREG32(sdma_base_addr + mmSDMA0_RLC0_DOORBELL, 0);
+- WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_RPTR, 0);
+- WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_WPTR, 0);
+- WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_BASE, 0);
++ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_CNTL,
++ RREG32(sdma_base_addr + mmSDMA0_RLC0_RB_CNTL) |
++ SDMA0_RLC0_RB_CNTL__RB_ENABLE_MASK);
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Felix Kuehling <Felix.Kuehling@amd.com>
+Date: Wed, 1 Nov 2017 19:21:57 -0400
+Subject: drm/amdkfd: Fix SDMA oversubsription handling
+
+From: Felix Kuehling <Felix.Kuehling@amd.com>
+
+
+[ Upstream commit 8c946b8988acec785bcf67088b6bd0747f36d2d3 ]
+
+SDMA only supports a fixed number of queues. HWS cannot handle
+oversubscription.
+
+Signed-off-by: shaoyun liu <shaoyun.liu@amd.com>
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Reviewed-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 18 +++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
+@@ -205,6 +205,24 @@ int pqm_create_queue(struct process_queu
+
+ switch (type) {
+ case KFD_QUEUE_TYPE_SDMA:
++ if (dev->dqm->queue_count >=
++ CIK_SDMA_QUEUES_PER_ENGINE * CIK_SDMA_ENGINE_NUM) {
++ pr_err("Over-subscription is not allowed for SDMA.\n");
++ retval = -EPERM;
++ goto err_create_queue;
++ }
++
++ retval = create_cp_queue(pqm, dev, &q, properties, f, *qid);
++ if (retval != 0)
++ goto err_create_queue;
++ pqn->q = q;
++ pqn->kq = NULL;
++ retval = dev->dqm->ops.create_queue(dev->dqm, q, &pdd->qpd,
++ &q->properties.vmid);
++ pr_debug("DQM returned %d for create_queue\n", retval);
++ print_queue(q);
++ break;
++
+ case KFD_QUEUE_TYPE_COMPUTE:
+ /* check if there is over subscription */
+ if ((sched_policy == KFD_SCHED_POLICY_HWS_NO_OVERSUBSCRIPTION) &&
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: shaoyunl <Shaoyun.Liu@amd.com>
+Date: Wed, 1 Nov 2017 19:21:56 -0400
+Subject: drm/amdkfd: Fix SDMA ring buffer size calculation
+
+From: shaoyunl <Shaoyun.Liu@amd.com>
+
+
+[ Upstream commit d12fb13f23199faa7e536acec1db49068e5a067d ]
+
+ffs function return the position of the first bit set on 1 based.
+(bit zero returns 1).
+
+Signed-off-by: shaoyun liu <shaoyun.liu@amd.com>
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Reviewed-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c
+@@ -215,8 +215,8 @@ static int update_mqd_sdma(struct mqd_ma
+ BUG_ON(!mm || !mqd || !q);
+
+ m = get_sdma_mqd(mqd);
+- m->sdma_rlc_rb_cntl = ffs(q->queue_size / sizeof(unsigned int)) <<
+- SDMA0_RLC0_RB_CNTL__RB_SIZE__SHIFT |
++ m->sdma_rlc_rb_cntl = (ffs(q->queue_size / sizeof(unsigned int)) - 1)
++ << SDMA0_RLC0_RB_CNTL__RB_SIZE__SHIFT |
+ q->vmid << SDMA0_RLC0_RB_CNTL__RB_VMID__SHIFT |
+ 1 << SDMA0_RLC0_RB_CNTL__RPTR_WRITEBACK_ENABLE__SHIFT |
+ 6 << SDMA0_RLC0_RB_CNTL__RPTR_WRITEBACK_TIMER__SHIFT;
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 24 Sep 2017 08:01:03 +0200
+Subject: drm/omap: Fix error handling path in 'omap_dmm_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit 8677b1ac2db021ab30bb1fa34f1e56ebe0051ec3 ]
+
+If we don't find a matching device node, we must free the memory allocated
+in 'omap_dmm' a few lines above.
+
+Fixes: 7cb0d6c17b96 ("drm/omap: fix TILER on OMAP5")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/omapdrm/omap_dmm_tiler.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
++++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
+@@ -611,7 +611,8 @@ static int omap_dmm_probe(struct platfor
+ match = of_match_node(dmm_of_match, dev->dev.of_node);
+ if (!match) {
+ dev_err(&dev->dev, "failed to find matching device node\n");
+- return -ENODEV;
++ ret = -ENODEV;
++ goto fail;
+ }
+
+ omap_dmm->plat_data = match->data;
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Mon, 6 Nov 2017 16:22:48 +0300
+Subject: grace: replace BUG_ON by WARN_ONCE in exit_net hook
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+
+[ Upstream commit b872285751c1af010e12d02bce7069e2061a58ca ]
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs_common/grace.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs_common/grace.c
++++ b/fs/nfs_common/grace.c
+@@ -104,7 +104,9 @@ grace_exit_net(struct net *net)
+ {
+ struct list_head *grace_list = net_generic(net, grace_net_id);
+
+- BUG_ON(!list_empty(grace_list));
++ WARN_ONCE(!list_empty(grace_list),
++ "net %x %s: grace_list is not empty\n",
++ net->ns.inum, __func__);
+ }
+
+ static struct pernet_operations grace_net_ops = {
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Robert Lippert <roblip@gmail.com>
+Date: Mon, 27 Nov 2017 15:51:55 -0800
+Subject: hwmon: (pmbus) Use 64bit math for DIRECT format values
+
+From: Robert Lippert <roblip@gmail.com>
+
+
+[ Upstream commit bd467e4eababe4c04272c1e646f066db02734c79 ]
+
+Power values in the 100s of watt range can easily blow past
+32bit math limits when processing everything in microwatts.
+
+Use 64bit math instead to avoid these issues on common 32bit ARM
+BMC platforms.
+
+Fixes: 442aba78728e ("hwmon: PMBus device driver")
+Signed-off-by: Robert Lippert <rlippert@google.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/pmbus/pmbus_core.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/drivers/hwmon/pmbus/pmbus_core.c
++++ b/drivers/hwmon/pmbus/pmbus_core.c
+@@ -20,6 +20,7 @@
+ */
+
+ #include <linux/kernel.h>
++#include <linux/math64.h>
+ #include <linux/module.h>
+ #include <linux/init.h>
+ #include <linux/err.h>
+@@ -476,8 +477,8 @@ static long pmbus_reg2data_linear(struct
+ static long pmbus_reg2data_direct(struct pmbus_data *data,
+ struct pmbus_sensor *sensor)
+ {
+- long val = (s16) sensor->data;
+- long m, b, R;
++ s64 b, val = (s16)sensor->data;
++ s32 m, R;
+
+ m = data->info->m[sensor->class];
+ b = data->info->b[sensor->class];
+@@ -505,11 +506,12 @@ static long pmbus_reg2data_direct(struct
+ R--;
+ }
+ while (R < 0) {
+- val = DIV_ROUND_CLOSEST(val, 10);
++ val = div_s64(val + 5LL, 10L); /* round closest */
+ R++;
+ }
+
+- return (val - b) / m;
++ val = div_s64(val - b, m);
++ return clamp_val(val, LONG_MIN, LONG_MAX);
+ }
+
+ /*
+@@ -629,7 +631,8 @@ static u16 pmbus_data2reg_linear(struct
+ static u16 pmbus_data2reg_direct(struct pmbus_data *data,
+ struct pmbus_sensor *sensor, long val)
+ {
+- long m, b, R;
++ s64 b, val64 = val;
++ s32 m, R;
+
+ m = data->info->m[sensor->class];
+ b = data->info->b[sensor->class];
+@@ -646,18 +649,18 @@ static u16 pmbus_data2reg_direct(struct
+ R -= 3; /* Adjust R and b for data in milli-units */
+ b *= 1000;
+ }
+- val = val * m + b;
++ val64 = val64 * m + b;
+
+ while (R > 0) {
+- val *= 10;
++ val64 *= 10;
+ R--;
+ }
+ while (R < 0) {
+- val = DIV_ROUND_CLOSEST(val, 10);
++ val64 = div_s64(val64 + 5LL, 10L); /* round closest */
+ R++;
+ }
+
+- return val;
++ return (u16)clamp_val(val64, S16_MIN, S16_MAX);
+ }
+
+ static u16 pmbus_data2reg_vid(struct pmbus_data *data,
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Yisheng Xie <xieyisheng1@huawei.com>
+Date: Wed, 29 Nov 2017 16:11:08 -0800
+Subject: kmemleak: add scheduling point to kmemleak_scan()
+
+From: Yisheng Xie <xieyisheng1@huawei.com>
+
+
+[ Upstream commit bde5f6bc68db51128f875a756e9082a6c6ff7b4c ]
+
+kmemleak_scan() will scan struct page for each node and it can be really
+large and resulting in a soft lockup. We have seen a soft lockup when
+do scan while compile kernel:
+
+ watchdog: BUG: soft lockup - CPU#53 stuck for 22s! [bash:10287]
+ [...]
+ Call Trace:
+ kmemleak_scan+0x21a/0x4c0
+ kmemleak_write+0x312/0x350
+ full_proxy_write+0x5a/0xa0
+ __vfs_write+0x33/0x150
+ vfs_write+0xad/0x1a0
+ SyS_write+0x52/0xc0
+ do_syscall_64+0x61/0x1a0
+ entry_SYSCALL64_slow_path+0x25/0x25
+
+Fix this by adding cond_resched every MAX_SCAN_SIZE.
+
+Link: http://lkml.kernel.org/r/1511439788-20099-1-git-send-email-xieyisheng1@huawei.com
+Signed-off-by: Yisheng Xie <xieyisheng1@huawei.com>
+Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Michal Hocko <mhocko@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/kmemleak.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/kmemleak.c
++++ b/mm/kmemleak.c
+@@ -1394,6 +1394,8 @@ static void kmemleak_scan(void)
+ if (page_count(page) == 0)
+ continue;
+ scan_block(page, page + 1, NULL);
++ if (!(pfn % (MAX_SCAN_SIZE / sizeof(*page))))
++ cond_resched();
+ }
+ }
+ put_online_mems();
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Mon, 20 Nov 2017 14:52:21 -0800
+Subject: KVM: VMX: Fix rflags cache during vCPU reset
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+
+[ Upstream commit c37c28730bb031cc8a44a130c2555c0f3efbe2d0 ]
+
+Reported by syzkaller:
+
+ *** Guest State ***
+ CR0: actual=0x0000000080010031, shadow=0x0000000060000010, gh_mask=fffffffffffffff7
+ CR4: actual=0x0000000000002061, shadow=0x0000000000000000, gh_mask=ffffffffffffe8f1
+ CR3 = 0x000000002081e000
+ RSP = 0x000000000000fffa RIP = 0x0000000000000000
+ RFLAGS=0x00023000 DR7 = 0x00000000000000
+ ^^^^^^^^^^
+ ------------[ cut here ]------------
+ WARNING: CPU: 6 PID: 24431 at /home/kernel/linux/arch/x86/kvm//x86.c:7302 kvm_arch_vcpu_ioctl_run+0x651/0x2ea0 [kvm]
+ CPU: 6 PID: 24431 Comm: reprotest Tainted: G W OE 4.14.0+ #26
+ RIP: 0010:kvm_arch_vcpu_ioctl_run+0x651/0x2ea0 [kvm]
+ RSP: 0018:ffff880291d179e0 EFLAGS: 00010202
+ Call Trace:
+ kvm_vcpu_ioctl+0x479/0x880 [kvm]
+ do_vfs_ioctl+0x142/0x9a0
+ SyS_ioctl+0x74/0x80
+ entry_SYSCALL_64_fastpath+0x23/0x9a
+
+The failed vmentry is triggered by the following beautified testcase:
+
+ #include <unistd.h>
+ #include <sys/syscall.h>
+ #include <string.h>
+ #include <stdint.h>
+ #include <linux/kvm.h>
+ #include <fcntl.h>
+ #include <sys/ioctl.h>
+
+ long r[5];
+ int main()
+ {
+ struct kvm_debugregs dr = { 0 };
+
+ r[2] = open("/dev/kvm", O_RDONLY);
+ r[3] = ioctl(r[2], KVM_CREATE_VM, 0);
+ r[4] = ioctl(r[3], KVM_CREATE_VCPU, 7);
+ struct kvm_guest_debug debug = {
+ .control = 0xf0403,
+ .arch = {
+ .debugreg[6] = 0x2,
+ .debugreg[7] = 0x2
+ }
+ };
+ ioctl(r[4], KVM_SET_GUEST_DEBUG, &debug);
+ ioctl(r[4], KVM_RUN, 0);
+ }
+
+which testcase tries to setup the processor specific debug
+registers and configure vCPU for handling guest debug events through
+KVM_SET_GUEST_DEBUG. The KVM_SET_GUEST_DEBUG ioctl will get and set
+rflags in order to set TF bit if single step is needed. All regs' caches
+are reset to avail and GUEST_RFLAGS vmcs field is reset to 0x2 during vCPU
+reset. However, the cache of rflags is not reset during vCPU reset. The
+function vmx_get_rflags() returns an unreset rflags cache value since
+the cache is marked avail, it is 0 after boot. Vmentry fails if the
+rflags reserved bit 1 is 0.
+
+This patch fixes it by resetting both the GUEST_RFLAGS vmcs field and
+its cache to 0x2 during vCPU reset.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Tested-by: Dmitry Vyukov <dvyukov@google.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Nadav Amit <nadav.amit@gmail.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -4954,7 +4954,7 @@ static void vmx_vcpu_reset(struct kvm_vc
+ vmcs_write64(GUEST_IA32_DEBUGCTL, 0);
+ }
+
+- vmcs_writel(GUEST_RFLAGS, 0x02);
++ kvm_set_rflags(vcpu, X86_EFLAGS_FIXED);
+ kvm_rip_write(vcpu, 0xfff0);
+
+ vmcs_writel(GUEST_GDTR_BASE, 0);
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Liran Alon <liran.alon@oracle.com>
+Date: Sun, 5 Nov 2017 16:56:34 +0200
+Subject: KVM: x86: Don't re-execute instruction when not passing CR2 value
+
+From: Liran Alon <liran.alon@oracle.com>
+
+
+[ Upstream commit 9b8ae63798cb97e785a667ff27e43fa6220cb734 ]
+
+In case of instruction-decode failure or emulation failure,
+x86_emulate_instruction() will call reexecute_instruction() which will
+attempt to use the cr2 value passed to x86_emulate_instruction().
+However, when x86_emulate_instruction() is called from
+emulate_instruction(), cr2 is not passed (passed as 0) and therefore
+it doesn't make sense to execute reexecute_instruction() logic at all.
+
+Fixes: 51d8b66199e9 ("KVM: cleanup emulate_instruction")
+
+Signed-off-by: Liran Alon <liran.alon@oracle.com>
+Reviewed-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/kvm_host.h | 3 ++-
+ arch/x86/kvm/vmx.c | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -998,7 +998,8 @@ int x86_emulate_instruction(struct kvm_v
+ static inline int emulate_instruction(struct kvm_vcpu *vcpu,
+ int emulation_type)
+ {
+- return x86_emulate_instruction(vcpu, 0, emulation_type, NULL, 0);
++ return x86_emulate_instruction(vcpu, 0,
++ emulation_type | EMULTYPE_NO_REEXECUTE, NULL, 0);
+ }
+
+ void kvm_enable_efer_bits(u64);
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6023,7 +6023,7 @@ static int handle_invalid_guest_state(st
+ if (test_bit(KVM_REQ_EVENT, &vcpu->requests))
+ return 1;
+
+- err = emulate_instruction(vcpu, EMULTYPE_NO_REEXECUTE);
++ err = emulate_instruction(vcpu, 0);
+
+ if (err == EMULATE_USER_EXIT) {
+ ++vcpu->stat.mmio_exits;
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Liran Alon <liran.alon@oracle.com>
+Date: Sun, 5 Nov 2017 16:56:33 +0200
+Subject: KVM: x86: emulator: Return to user-mode on L1 CPL=0 emulation failure
+
+From: Liran Alon <liran.alon@oracle.com>
+
+
+[ Upstream commit 1f4dcb3b213235e642088709a1c54964d23365e9 ]
+
+On this case, handle_emulation_failure() fills kvm_run with
+internal-error information which it expects to be delivered
+to user-mode for further processing.
+However, the code reports a wrong return-value which makes KVM to never
+return to user-mode on this scenario.
+
+Fixes: 6d77dbfc88e3 ("KVM: inject #UD if instruction emulation fails and exit to
+userspace")
+
+Signed-off-by: Liran Alon <liran.alon@oracle.com>
+Reviewed-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5153,7 +5153,7 @@ static int handle_emulation_failure(stru
+ vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
+ vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
+ vcpu->run->internal.ndata = 0;
+- r = EMULATE_FAIL;
++ r = EMULATE_USER_EXIT;
+ }
+ kvm_queue_exception(vcpu, UD_VECTOR);
+
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Sun, 5 Nov 2017 16:54:47 -0800
+Subject: KVM: X86: Fix operand/address-size during instruction decoding
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+
+[ Upstream commit 3853be2603191829b442b64dac6ae8ba0c027bf9 ]
+
+Pedro reported:
+ During tests that we conducted on KVM, we noticed that executing a "PUSH %ES"
+ instruction under KVM produces different results on both memory and the SP
+ register depending on whether EPT support is enabled. With EPT the SP is
+ reduced by 4 bytes (and the written value is 0-padded) but without EPT support
+ it is only reduced by 2 bytes. The difference can be observed when the CS.DB
+ field is 1 (32-bit) but not when it's 0 (16-bit).
+
+The internal segment descriptor cache exist even in real/vm8096 mode. The CS.D
+also should be respected instead of just default operand/address-size/66H
+prefix/67H prefix during instruction decoding. This patch fixes it by also
+adjusting operand/address-size according to CS.D.
+
+Reported-by: Pedro Fonseca <pfonseca@cs.washington.edu>
+Tested-by: Pedro Fonseca <pfonseca@cs.washington.edu>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Nadav Amit <nadav.amit@gmail.com>
+Cc: Pedro Fonseca <pfonseca@cs.washington.edu>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/emulate.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -4978,6 +4978,8 @@ int x86_decode_insn(struct x86_emulate_c
+ bool op_prefix = false;
+ bool has_seg_override = false;
+ struct opcode opcode;
++ u16 dummy;
++ struct desc_struct desc;
+
+ ctxt->memop.type = OP_NONE;
+ ctxt->memopp = NULL;
+@@ -4996,6 +4998,11 @@ int x86_decode_insn(struct x86_emulate_c
+ switch (mode) {
+ case X86EMUL_MODE_REAL:
+ case X86EMUL_MODE_VM86:
++ def_op_bytes = def_ad_bytes = 2;
++ ctxt->ops->get_segment(ctxt, &dummy, &desc, NULL, VCPU_SREG_CS);
++ if (desc.d)
++ def_op_bytes = def_ad_bytes = 4;
++ break;
+ case X86EMUL_MODE_PROT16:
+ def_op_bytes = def_ad_bytes = 2;
+ break;
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Nikita Leshenko <nikita.leshchenko@oracle.com>
+Date: Sun, 5 Nov 2017 15:52:32 +0200
+Subject: KVM: x86: ioapic: Clear Remote IRR when entry is switched to edge-triggered
+
+From: Nikita Leshenko <nikita.leshchenko@oracle.com>
+
+
+[ Upstream commit a8bfec2930525808c01f038825d1df3904638631 ]
+
+Some OSes (Linux, Xen) use this behavior to clear the Remote IRR bit for
+IOAPICs without an EOI register. They simulate the EOI message manually
+by changing the trigger mode to edge and then back to level, with the
+entry being masked during this.
+
+QEMU implements this feature in commit ed1263c363c9
+("ioapic: clear remote irr bit for edge-triggered interrupts")
+
+As a side effect, this commit removes an incorrect behavior where Remote
+IRR was cleared when the redirection table entry was rewritten. This is not
+consistent with the manual and also opens an opportunity for a strange
+behavior when a redirection table entry is modified from an interrupt
+handler that handles the same entry: The modification will clear the
+Remote IRR bit even though the interrupt handler is still running.
+
+Signed-off-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
+Reviewed-by: Liran Alon <liran.alon@oracle.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Reviewed-by: Steve Rutherford <srutherford@google.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/ioapic.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/ioapic.c
++++ b/arch/x86/kvm/ioapic.c
+@@ -296,8 +296,17 @@ static void ioapic_write_indirect(struct
+ } else {
+ e->bits &= ~0xffffffffULL;
+ e->bits |= (u32) val;
+- e->fields.remote_irr = 0;
+ }
++
++ /*
++ * Some OSes (Linux, Xen) assume that Remote IRR bit will
++ * be cleared by IOAPIC hardware when the entry is configured
++ * as edge-triggered. This behavior is used to simulate an
++ * explicit EOI on IOAPICs that don't have the EOI register.
++ */
++ if (e->fields.trig_mode == IOAPIC_EDGE_TRIG)
++ e->fields.remote_irr = 0;
++
+ mask_after = e->fields.mask;
+ if (mask_before != mask_after)
+ kvm_fire_mask_notifiers(ioapic->kvm, KVM_IRQCHIP_IOAPIC, index, mask_after);
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Nikita Leshenko <nikita.leshchenko@oracle.com>
+Date: Sun, 5 Nov 2017 15:52:29 +0200
+Subject: KVM: x86: ioapic: Fix level-triggered EOI and IOAPIC reconfigure race
+
+From: Nikita Leshenko <nikita.leshchenko@oracle.com>
+
+
+[ Upstream commit 0fc5a36dd6b345eb0d251a65c236e53bead3eef7 ]
+
+KVM uses ioapic_handled_vectors to track vectors that need to notify the
+IOAPIC on EOI. The problem is that IOAPIC can be reconfigured while an
+interrupt with old configuration is pending or running and
+ioapic_handled_vectors only remembers the newest configuration;
+thus EOI from the old interrupt is not delievered to the IOAPIC.
+
+A previous commit db2bdcbbbd32
+("KVM: x86: fix edge EOI and IOAPIC reconfig race")
+addressed this issue by adding pending edge-triggered interrupts to
+ioapic_handled_vectors, fixing this race for edge-triggered interrupts.
+The commit explicitly ignored level-triggered interrupts,
+but this race applies to them as well:
+
+1) IOAPIC sends a level triggered interrupt vector to VCPU0
+2) VCPU0's handler deasserts the irq line and reconfigures the IOAPIC
+ to route the vector to VCPU1. The reconfiguration rewrites only the
+ upper 32 bits of the IOREDTBLn register. (Causes KVM to update
+ ioapic_handled_vectors for VCPU0 and it no longer includes the vector.)
+3) VCPU0 sends EOI for the vector, but it's not delievered to the
+ IOAPIC because the ioapic_handled_vectors doesn't include the vector.
+4) New interrupts are not delievered to VCPU1 because remote_irr bit
+ is set forever.
+
+Therefore, the correct behavior is to add all pending and running
+interrupts to ioapic_handled_vectors.
+
+This commit introduces a slight performance hit similar to
+commit db2bdcbbbd32 ("KVM: x86: fix edge EOI and IOAPIC reconfig race")
+for the rare case that the vector is reused by a non-IOAPIC source on
+VCPU0. We prefer to keep solution simple and not handle this case just
+as the original commit does.
+
+Fixes: db2bdcbbbd32 ("KVM: x86: fix edge EOI and IOAPIC reconfig race")
+
+Signed-off-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
+Reviewed-by: Liran Alon <liran.alon@oracle.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/ioapic.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/ioapic.c
++++ b/arch/x86/kvm/ioapic.c
+@@ -247,8 +247,7 @@ void kvm_ioapic_scan_entry(struct kvm_vc
+ index == RTC_GSI) {
+ if (kvm_apic_match_dest(vcpu, NULL, 0,
+ e->fields.dest_id, e->fields.dest_mode) ||
+- (e->fields.trig_mode == IOAPIC_EDGE_TRIG &&
+- kvm_apic_pending_eoi(vcpu, e->fields.vector)))
++ kvm_apic_pending_eoi(vcpu, e->fields.vector))
+ __set_bit(e->fields.vector,
+ (unsigned long *)eoi_exit_bitmap);
+ }
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Nikita Leshenko <nikita.leshchenko@oracle.com>
+Date: Sun, 5 Nov 2017 15:52:33 +0200
+Subject: KVM: x86: ioapic: Preserve read-only values in the redirection table
+
+From: Nikita Leshenko <nikita.leshchenko@oracle.com>
+
+
+[ Upstream commit b200dded0a6974a3b69599832b2203483920ab25 ]
+
+According to 82093AA (IOAPIC) manual, Remote IRR and Delivery Status are
+read-only. QEMU implements the bits as RO in commit 479c2a1cb7fb
+("ioapic: keep RO bits for IOAPIC entry").
+
+Signed-off-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
+Reviewed-by: Liran Alon <liran.alon@oracle.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Reviewed-by: Steve Rutherford <srutherford@google.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/ioapic.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/x86/kvm/ioapic.c
++++ b/arch/x86/kvm/ioapic.c
+@@ -268,6 +268,7 @@ static void ioapic_write_indirect(struct
+ {
+ unsigned index;
+ bool mask_before, mask_after;
++ int old_remote_irr, old_delivery_status;
+ union kvm_ioapic_redirect_entry *e;
+
+ switch (ioapic->ioregsel) {
+@@ -290,6 +291,9 @@ static void ioapic_write_indirect(struct
+ return;
+ e = &ioapic->redirtbl[index];
+ mask_before = e->fields.mask;
++ /* Preserve read-only fields */
++ old_remote_irr = e->fields.remote_irr;
++ old_delivery_status = e->fields.delivery_status;
+ if (ioapic->ioregsel & 1) {
+ e->bits &= 0xffffffff;
+ e->bits |= (u64) val << 32;
+@@ -297,6 +301,8 @@ static void ioapic_write_indirect(struct
+ e->bits &= ~0xffffffffULL;
+ e->bits |= (u32) val;
+ }
++ e->fields.remote_irr = old_remote_irr;
++ e->fields.delivery_status = old_delivery_status;
+
+ /*
+ * Some OSes (Linux, Xen) assume that Remote IRR bit will
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Mon, 13 Nov 2017 07:25:40 +0300
+Subject: lockd: fix "list_add double add" caused by legacy signal interface
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+
+[ Upstream commit 81833de1a46edce9ca20cfe079872ac1c20ef359 ]
+
+restart_grace() uses hardcoded init_net.
+It can cause to "list_add double add" in following scenario:
+
+1) nfsd and lockd was started in several net namespaces
+2) nfsd in init_net was stopped (lockd was not stopped because
+ it have users from another net namespaces)
+3) lockd got signal, called restart_grace() -> set_grace_period()
+ and enabled lock_manager in hardcoded init_net.
+4) nfsd in init_net is started again,
+ its lockd_up() calls set_grace_period() and tries to add
+ lock_manager into init_net 2nd time.
+
+Jeff Layton suggest:
+"Make it safe to call locks_start_grace multiple times on the same
+lock_manager. If it's already on the global grace_list, then don't try
+to add it again. (But we don't intentionally add twice, so for now we
+WARN about that case.)
+
+With this change, we also need to ensure that the nfsd4 lock manager
+initializes the list before we call locks_start_grace. While we're at
+it, move the rest of the nfsd_net initialization into
+nfs4_state_create_net. I see no reason to have it spread over two
+functions like it is today."
+
+Suggested patch was updated to generate warning in described situation.
+
+Suggested-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs_common/grace.c | 6 +++++-
+ fs/nfsd/nfs4state.c | 7 ++++---
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs_common/grace.c
++++ b/fs/nfs_common/grace.c
+@@ -30,7 +30,11 @@ locks_start_grace(struct net *net, struc
+ struct list_head *grace_list = net_generic(net, grace_net_id);
+
+ spin_lock(&grace_lock);
+- list_add(&lm->list, grace_list);
++ if (list_empty(&lm->list))
++ list_add(&lm->list, grace_list);
++ else
++ WARN(1, "double list_add attempt detected in net %x %s\n",
++ net->ns.inum, (net == &init_net) ? "(init_net)" : "");
+ spin_unlock(&grace_lock);
+ }
+ EXPORT_SYMBOL_GPL(locks_start_grace);
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -6792,6 +6792,10 @@ static int nfs4_state_create_net(struct
+ INIT_LIST_HEAD(&nn->sessionid_hashtbl[i]);
+ nn->conf_name_tree = RB_ROOT;
+ nn->unconf_name_tree = RB_ROOT;
++ nn->boot_time = get_seconds();
++ nn->grace_ended = false;
++ nn->nfsd4_manager.block_opens = true;
++ INIT_LIST_HEAD(&nn->nfsd4_manager.list);
+ INIT_LIST_HEAD(&nn->client_lru);
+ INIT_LIST_HEAD(&nn->close_lru);
+ INIT_LIST_HEAD(&nn->del_recall_lru);
+@@ -6846,9 +6850,6 @@ nfs4_state_start_net(struct net *net)
+ ret = nfs4_state_create_net(net);
+ if (ret)
+ return ret;
+- nn->boot_time = get_seconds();
+- nn->grace_ended = false;
+- nn->nfsd4_manager.block_opens = true;
+ locks_start_grace(net, &nn->nfsd4_manager);
+ nfsd4_client_tracking_init(net);
+ printk(KERN_INFO "NFSD: starting %ld-second grace period (net %p)\n",
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Chun-Yeow Yeoh <yeohchunyeow@gmail.com>
+Date: Tue, 14 Nov 2017 23:20:05 +0800
+Subject: mac80211: fix the update of path metric for RANN frame
+
+From: Chun-Yeow Yeoh <yeohchunyeow@gmail.com>
+
+
+[ Upstream commit fbbdad5edf0bb59786a51b94a9d006bc8c2da9a2 ]
+
+The previous path metric update from RANN frame has not considered
+the own link metric toward the transmitting mesh STA. Fix this.
+
+Reported-by: Michael65535
+Signed-off-by: Chun-Yeow Yeoh <yeohchunyeow@gmail.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/mesh_hwmp.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/net/mac80211/mesh_hwmp.c
++++ b/net/mac80211/mesh_hwmp.c
+@@ -776,7 +776,7 @@ static void hwmp_rann_frame_process(stru
+ struct mesh_path *mpath;
+ u8 ttl, flags, hopcount;
+ const u8 *orig_addr;
+- u32 orig_sn, metric, metric_txsta, interval;
++ u32 orig_sn, new_metric, orig_metric, last_hop_metric, interval;
+ bool root_is_gate;
+
+ ttl = rann->rann_ttl;
+@@ -787,7 +787,7 @@ static void hwmp_rann_frame_process(stru
+ interval = le32_to_cpu(rann->rann_interval);
+ hopcount = rann->rann_hopcount;
+ hopcount++;
+- metric = le32_to_cpu(rann->rann_metric);
++ orig_metric = le32_to_cpu(rann->rann_metric);
+
+ /* Ignore our own RANNs */
+ if (ether_addr_equal(orig_addr, sdata->vif.addr))
+@@ -804,7 +804,10 @@ static void hwmp_rann_frame_process(stru
+ return;
+ }
+
+- metric_txsta = airtime_link_metric_get(local, sta);
++ last_hop_metric = airtime_link_metric_get(local, sta);
++ new_metric = orig_metric + last_hop_metric;
++ if (new_metric < orig_metric)
++ new_metric = MAX_METRIC;
+
+ mpath = mesh_path_lookup(sdata, orig_addr);
+ if (!mpath) {
+@@ -817,7 +820,7 @@ static void hwmp_rann_frame_process(stru
+ }
+
+ if (!(SN_LT(mpath->sn, orig_sn)) &&
+- !(mpath->sn == orig_sn && metric < mpath->rann_metric)) {
++ !(mpath->sn == orig_sn && new_metric < mpath->rann_metric)) {
+ rcu_read_unlock();
+ return;
+ }
+@@ -835,7 +838,7 @@ static void hwmp_rann_frame_process(stru
+ }
+
+ mpath->sn = orig_sn;
+- mpath->rann_metric = metric + metric_txsta;
++ mpath->rann_metric = new_metric;
+ mpath->is_root = true;
+ /* Recording RANNs sender address to send individually
+ * addressed PREQs destined for root mesh STA */
+@@ -855,7 +858,7 @@ static void hwmp_rann_frame_process(stru
+ mesh_path_sel_frame_tx(MPATH_RANN, flags, orig_addr,
+ orig_sn, 0, NULL, 0, broadcast_addr,
+ hopcount, ttl, interval,
+- metric + metric_txsta, 0, sdata);
++ new_metric, 0, sdata);
+ }
+
+ rcu_read_unlock();
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Icenowy Zheng <icenowy@aosc.io>
+Date: Sun, 16 Apr 2017 02:51:16 -0400
+Subject: media: usbtv: add a new usbid
+
+From: Icenowy Zheng <icenowy@aosc.io>
+
+
+[ Upstream commit 04226916d2360f56d57ad00bc48d2d1854d1e0b0 ]
+
+A new usbid of UTV007 is found in a newly bought device.
+
+The usbid is 1f71:3301.
+
+The ID on the chip is:
+UTV007
+A89029.1
+1520L18K1
+
+Both video and audio is tested with the modified usbtv driver.
+
+Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
+Acked-by: Lubomir Rintel <lkundrak@v3.sk>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/usbtv/usbtv-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/usb/usbtv/usbtv-core.c
++++ b/drivers/media/usb/usbtv/usbtv-core.c
+@@ -127,6 +127,7 @@ static void usbtv_disconnect(struct usb_
+
+ static struct usb_device_id usbtv_id_table[] = {
+ { USB_DEVICE(0x1b71, 0x3002) },
++ { USB_DEVICE(0x1f71, 0x3301) },
+ {}
+ };
+ MODULE_DEVICE_TABLE(usb, usbtv_id_table);
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Wed, 29 Nov 2017 11:01:09 +0100
+Subject: net: ethernet: xilinx: Mark XILINX_LL_TEMAC broken on 64-bit
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+
+[ Upstream commit 15bfe05c8d6386f1a90e9340d15336e85e32aad6 ]
+
+On 64-bit (e.g. powerpc64/allmodconfig):
+
+ drivers/net/ethernet/xilinx/ll_temac_main.c: In function 'temac_start_xmit_done':
+ drivers/net/ethernet/xilinx/ll_temac_main.c:633:22: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
+ dev_kfree_skb_irq((struct sk_buff *)cur_p->app4);
+ ^
+
+cdmac_bd.app4 is u32, so it is too small to hold a kernel pointer.
+
+Note that several other fields in struct cdmac_bd are also too small to
+hold physical addresses on 64-bit platforms.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/xilinx/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/xilinx/Kconfig
++++ b/drivers/net/ethernet/xilinx/Kconfig
+@@ -34,6 +34,7 @@ config XILINX_AXI_EMAC
+ config XILINX_LL_TEMAC
+ tristate "Xilinx LL TEMAC (LocalLink Tri-mode Ethernet MAC) driver"
+ depends on (PPC || MICROBLAZE)
++ depends on !64BIT || BROKEN
+ select PHYLIB
+ ---help---
+ This driver supports the Xilinx 10/100/1000 LocalLink TEMAC
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Andrew Elble <aweits@rit.edu>
+Date: Thu, 9 Nov 2017 13:41:10 -0500
+Subject: nfsd: check for use of the closed special stateid
+
+From: Andrew Elble <aweits@rit.edu>
+
+
+[ Upstream commit ae254dac721d44c0bfebe2795df87459e2e88219 ]
+
+Prevent the use of the closed (invalid) special stateid by clients.
+
+Signed-off-by: Andrew Elble <aweits@rit.edu>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4state.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -72,6 +72,7 @@ static u64 current_sessionid = 1;
+ #define ZERO_STATEID(stateid) (!memcmp((stateid), &zero_stateid, sizeof(stateid_t)))
+ #define ONE_STATEID(stateid) (!memcmp((stateid), &one_stateid, sizeof(stateid_t)))
+ #define CURRENT_STATEID(stateid) (!memcmp((stateid), ¤tstateid, sizeof(stateid_t)))
++#define CLOSE_STATEID(stateid) (!memcmp((stateid), &close_stateid, sizeof(stateid_t)))
+
+ /* forward declarations */
+ static bool check_for_locks(struct nfs4_file *fp, struct nfs4_lockowner *lowner);
+@@ -4704,7 +4705,8 @@ static __be32 nfsd4_validate_stateid(str
+ struct nfs4_stid *s;
+ __be32 status = nfserr_bad_stateid;
+
+- if (ZERO_STATEID(stateid) || ONE_STATEID(stateid))
++ if (ZERO_STATEID(stateid) || ONE_STATEID(stateid) ||
++ CLOSE_STATEID(stateid))
+ return status;
+ /* Client debugging aid. */
+ if (!same_clid(&stateid->si_opaque.so_clid, &cl->cl_clientid)) {
+@@ -4762,7 +4764,8 @@ nfsd4_lookup_stateid(struct nfsd4_compou
+ else if (typemask & NFS4_DELEG_STID)
+ typemask |= NFS4_REVOKED_DELEG_STID;
+
+- if (ZERO_STATEID(stateid) || ONE_STATEID(stateid))
++ if (ZERO_STATEID(stateid) || ONE_STATEID(stateid) ||
++ CLOSE_STATEID(stateid))
+ return nfserr_bad_stateid;
+ status = lookup_clientid(&stateid->si_opaque.so_clid, cstate, nn);
+ if (status == nfserr_stale_clientid) {
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Fri, 3 Nov 2017 08:00:12 -0400
+Subject: nfsd: CLOSE SHOULD return the invalid special stateid for NFSv4.x (x>0)
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+
+[ Upstream commit fb500a7cfee7f2f447d2bbf30cb59629feab6ac1 ]
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4state.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -63,6 +63,9 @@ static const stateid_t zero_stateid = {
+ static const stateid_t currentstateid = {
+ .si_generation = 1,
+ };
++static const stateid_t close_stateid = {
++ .si_generation = 0xffffffffU,
++};
+
+ static u64 current_sessionid = 1;
+
+@@ -5243,6 +5246,11 @@ nfsd4_close(struct svc_rqst *rqstp, stru
+ nfsd4_close_open_stateid(stp);
+ mutex_unlock(&stp->st_mutex);
+
++ /* See RFC5661 sectionm 18.2.4 */
++ if (stp->st_stid.sc_client->cl_minorversion)
++ memcpy(&close->cl_stateid, &close_stateid,
++ sizeof(close->cl_stateid));
++
+ /* put reference from nfs4_preprocess_seqid_op */
+ nfs4_put_stid(&stp->st_stid);
+ out:
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Fri, 3 Nov 2017 08:00:15 -0400
+Subject: nfsd: Ensure we check stateid validity in the seqid operation checks
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+
+[ Upstream commit 9271d7e509c1bfc0b9a418caec29ec8d1ac38270 ]
+
+After taking the stateid st_mutex, we want to know that the stateid
+still represents valid state before performing any non-idempotent
+actions.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4state.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -5014,15 +5014,9 @@ static __be32 nfs4_seqid_op_checks(struc
+ status = nfsd4_check_seqid(cstate, sop, seqid);
+ if (status)
+ return status;
+- if (stp->st_stid.sc_type == NFS4_CLOSED_STID
+- || stp->st_stid.sc_type == NFS4_REVOKED_DELEG_STID)
+- /*
+- * "Closed" stateid's exist *only* to return
+- * nfserr_replay_me from the previous step, and
+- * revoked delegations are kept only for free_stateid.
+- */
+- return nfserr_bad_stateid;
+- mutex_lock(&stp->st_mutex);
++ status = nfsd4_lock_ol_stateid(stp);
++ if (status != nfs_ok)
++ return status;
+ status = check_stateid_generation(stateid, &stp->st_stid.sc_stateid, nfsd4_has_session(cstate));
+ if (status == nfs_ok)
+ status = nfs4_check_fh(current_fh, &stp->st_stid);
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: zhangliping <zhangliping02@baidu.com>
+Date: Sat, 25 Nov 2017 22:02:12 +0800
+Subject: openvswitch: fix the incorrect flow action alloc size
+
+From: zhangliping <zhangliping02@baidu.com>
+
+
+[ Upstream commit 67c8d22a73128ff910e2287567132530abcf5b71 ]
+
+If we want to add a datapath flow, which has more than 500 vxlan outputs'
+action, we will get the following error reports:
+ openvswitch: netlink: Flow action size 32832 bytes exceeds max
+ openvswitch: netlink: Flow action size 32832 bytes exceeds max
+ openvswitch: netlink: Actions may not be safe on all matching packets
+ ... ...
+
+It seems that we can simply enlarge the MAX_ACTIONS_BUFSIZE to fix it, but
+this is not the root cause. For example, for a vxlan output action, we need
+about 60 bytes for the nlattr, but after it is converted to the flow
+action, it only occupies 24 bytes. This means that we can still support
+more than 1000 vxlan output actions for a single datapath flow under the
+the current 32k max limitation.
+
+So even if the nla_len(attr) is larger than MAX_ACTIONS_BUFSIZE, we
+shouldn't report EINVAL and keep it move on, as the judgement can be
+done by the reserve_sfa_size.
+
+Signed-off-by: zhangliping <zhangliping02@baidu.com>
+Acked-by: Pravin B Shelar <pshelar@ovn.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/flow_netlink.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/net/openvswitch/flow_netlink.c
++++ b/net/openvswitch/flow_netlink.c
+@@ -1672,14 +1672,11 @@ int ovs_nla_put_mask(const struct sw_flo
+
+ #define MAX_ACTIONS_BUFSIZE (32 * 1024)
+
+-static struct sw_flow_actions *nla_alloc_flow_actions(int size, bool log)
++static struct sw_flow_actions *nla_alloc_flow_actions(int size)
+ {
+ struct sw_flow_actions *sfa;
+
+- if (size > MAX_ACTIONS_BUFSIZE) {
+- OVS_NLERR(log, "Flow action size %u bytes exceeds max", size);
+- return ERR_PTR(-EINVAL);
+- }
++ WARN_ON_ONCE(size > MAX_ACTIONS_BUFSIZE);
+
+ sfa = kmalloc(sizeof(*sfa) + size, GFP_KERNEL);
+ if (!sfa)
+@@ -1752,12 +1749,15 @@ static struct nlattr *reserve_sfa_size(s
+ new_acts_size = ksize(*sfa) * 2;
+
+ if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
+- if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size)
++ if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
++ OVS_NLERR(log, "Flow action size exceeds max %u",
++ MAX_ACTIONS_BUFSIZE);
+ return ERR_PTR(-EMSGSIZE);
++ }
+ new_acts_size = MAX_ACTIONS_BUFSIZE;
+ }
+
+- acts = nla_alloc_flow_actions(new_acts_size, log);
++ acts = nla_alloc_flow_actions(new_acts_size);
+ if (IS_ERR(acts))
+ return (void *)acts;
+
+@@ -2369,7 +2369,7 @@ int ovs_nla_copy_actions(struct net *net
+ {
+ int err;
+
+- *sfa = nla_alloc_flow_actions(nla_len(attr), log);
++ *sfa = nla_alloc_flow_actions(min(nla_len(attr), MAX_ACTIONS_BUFSIZE));
+ if (IS_ERR(*sfa))
+ return PTR_ERR(*sfa);
+
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Wed, 29 Nov 2017 22:34:50 +0900
+Subject: quota: Check for register_shrinker() failure.
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+
+[ Upstream commit 88bc0ede8d35edc969350852894dc864a2dc1859 ]
+
+register_shrinker() might return -ENOMEM error since Linux 3.12.
+Call panic() as with other failure checks in this function if
+register_shrinker() failed.
+
+Fixes: 1d3d4437eae1 ("vmscan: per-node deferred work")
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Cc: Jan Kara <jack@suse.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/quota/dquot.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -2919,7 +2919,8 @@ static int __init dquot_init(void)
+ pr_info("VFS: Dquot-cache hash table entries: %ld (order %ld,"
+ " %ld bytes)\n", nr_hash, order, (PAGE_SIZE << order));
+
+- register_shrinker(&dqcache_shrinker);
++ if (register_shrinker(&dqcache_shrinker))
++ panic("Cannot register dquot shrinker");
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: "Guilherme G. Piccoli" <gpiccoli@linux.vnet.ibm.com>
+Date: Fri, 17 Nov 2017 19:14:55 -0200
+Subject: scsi: aacraid: Prevent crash in case of free interrupt during scsi EH path
+
+From: "Guilherme G. Piccoli" <gpiccoli@linux.vnet.ibm.com>
+
+
+[ Upstream commit e4717292ddebcfe231651b5aff9fa19ca158d178 ]
+
+As part of the scsi EH path, aacraid performs a reinitialization of the
+adapter, which encompass freeing resources and IRQs, NULLifying lots of
+pointers, and then initialize it all over again. We've identified a
+problem during the free IRQ portion of this path if CONFIG_DEBUG_SHIRQ
+is enabled on kernel config file.
+
+Happens that, in case this flag was set, right after free_irq()
+effectively clears the interrupt, it checks if it was requested as
+IRQF_SHARED. In positive case, it performs another call to the IRQ
+handler on driver. Problem is: since aacraid currently free some
+resources *before* freeing the IRQ, once free_irq() path calls the
+handler again (due to CONFIG_DEBUG_SHIRQ), aacraid crashes due to NULL
+pointer dereference with the following trace:
+
+ aac_src_intr_message+0xf8/0x740 [aacraid]
+ __free_irq+0x33c/0x4a0
+ free_irq+0x78/0xb0
+ aac_free_irq+0x13c/0x150 [aacraid]
+ aac_reset_adapter+0x2e8/0x970 [aacraid]
+ aac_eh_reset+0x3a8/0x5d0 [aacraid]
+ scsi_try_host_reset+0x74/0x180
+ scsi_eh_ready_devs+0xc70/0x1510
+ scsi_error_handler+0x624/0xa20
+
+This patch prevents the crash by changing the order of the
+deinitialization in this path of aacraid: first we clear the IRQ, then
+we free other resources. No functional change intended.
+
+Signed-off-by: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
+Reviewed-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/aacraid/commsup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/aacraid/commsup.c
++++ b/drivers/scsi/aacraid/commsup.c
+@@ -1363,13 +1363,13 @@ static int _aac_reset_adapter(struct aac
+ * will ensure that i/o is queisced and the card is flushed in that
+ * case.
+ */
++ aac_free_irq(aac);
+ aac_fib_map_free(aac);
+ pci_free_consistent(aac->pdev, aac->comm_size, aac->comm_addr, aac->comm_phys);
+ aac->comm_addr = NULL;
+ aac->comm_phys = 0;
+ kfree(aac->queues);
+ aac->queues = NULL;
+- aac_free_irq(aac);
+ kfree(aac->fsa_dev);
+ aac->fsa_dev = NULL;
+ quirks = aac_get_driver_ident(index)->quirks;
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+Date: Mon, 20 Nov 2017 08:12:29 -0600
+Subject: scsi: ufs: ufshcd: fix potential NULL pointer dereference in ufshcd_config_vreg
+
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+
+
+[ Upstream commit 727535903bea924c4f73abb202c4b3e85fff0ca4 ]
+
+_vreg_ is being dereferenced before it is null checked, hence there is a
+potential null pointer dereference.
+
+Fix this by moving the pointer dereference after _vreg_ has been null
+checked.
+
+This issue was detected with the help of Coccinelle.
+
+Fixes: aa4976130934 ("ufs: Add regulator enable support")
+Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
+Reviewed-by: Subhash Jadavani <subhashj@codeaurora.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -4392,12 +4392,15 @@ static int ufshcd_config_vreg(struct dev
+ struct ufs_vreg *vreg, bool on)
+ {
+ int ret = 0;
+- struct regulator *reg = vreg->reg;
+- const char *name = vreg->name;
++ struct regulator *reg;
++ const char *name;
+ int min_uV, uA_load;
+
+ BUG_ON(!vreg);
+
++ reg = vreg->reg;
++ name = vreg->name;
++
+ if (regulator_count_voltages(reg) > 0) {
+ min_uV = on ? vreg->min_uV : 0;
+ ret = regulator_set_voltage(reg, min_uV, vreg->max_uV);
gpio-ath79-add-missing-module_description-license.patch
mtd-nand-denali_pci-add-missing-module_description-author-license.patch
igb-free-irqs-when-device-is-hotplugged.patch
+kvm-x86-emulator-return-to-user-mode-on-l1-cpl-0-emulation-failure.patch
+kvm-x86-don-t-re-execute-instruction-when-not-passing-cr2-value.patch
+kvm-x86-fix-operand-address-size-during-instruction-decoding.patch
+kvm-x86-ioapic-fix-level-triggered-eoi-and-ioapic-reconfigure-race.patch
+kvm-x86-ioapic-clear-remote-irr-when-entry-is-switched-to-edge-triggered.patch
+kvm-x86-ioapic-preserve-read-only-values-in-the-redirection-table.patch
+acpi-bus-leave-modalias-empty-for-devices-which-are-not-present.patch
+cpufreq-add-loongson-machine-dependencies.patch
+bcache-check-return-value-of-register_shrinker.patch
+drm-amdgpu-fix-sdma-load-unload-sequence-on-hws-disabled-mode.patch
+drm-amdkfd-fix-sdma-ring-buffer-size-calculation.patch
+drm-amdkfd-fix-sdma-oversubsription-handling.patch
+openvswitch-fix-the-incorrect-flow-action-alloc-size.patch
+mac80211-fix-the-update-of-path-metric-for-rann-frame.patch
+btrfs-fix-deadlock-when-writing-out-space-cache.patch
+kvm-vmx-fix-rflags-cache-during-vcpu-reset.patch
+xen-netfront-remove-warning-when-unloading-module.patch
+nfsd-close-should-return-the-invalid-special-stateid-for-nfsv4.x-x-0.patch
+nfsd-ensure-we-check-stateid-validity-in-the-seqid-operation-checks.patch
+grace-replace-bug_on-by-warn_once-in-exit_net-hook.patch
+nfsd-check-for-use-of-the-closed-special-stateid.patch
+lockd-fix-list_add-double-add-caused-by-legacy-signal-interface.patch
+hwmon-pmbus-use-64bit-math-for-direct-format-values.patch
+net-ethernet-xilinx-mark-xilinx_ll_temac-broken-on-64-bit.patch
+quota-check-for-register_shrinker-failure.patch
+sunrpc-allow-connect-to-return-ehostunreach.patch
+kmemleak-add-scheduling-point-to-kmemleak_scan.patch
+drm-omap-fix-error-handling-path-in-omap_dmm_probe.patch
+xfs-ubsan-fixes.patch
+scsi-aacraid-prevent-crash-in-case-of-free-interrupt-during-scsi-eh-path.patch
+scsi-ufs-ufshcd-fix-potential-null-pointer-dereference-in-ufshcd_config_vreg.patch
+media-usbtv-add-a-new-usbid.patch
+usb-gadget-don-t-dereference-g-until-after-it-has-been-null-checked.patch
+staging-rtl8188eu-fix-incorrect-response-to-siocgiwessid.patch
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Sat, 25 Nov 2017 13:32:38 -0600
+Subject: staging: rtl8188eu: Fix incorrect response to SIOCGIWESSID
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+
+[ Upstream commit b77992d2df9e47144354d1b25328b180afa33442 ]
+
+When not associated with an AP, wifi device drivers should respond to the
+SIOCGIWESSID ioctl with a zero-length string for the SSID, which is the
+behavior expected by dhcpcd.
+
+Currently, this driver returns an error code (-1) from the ioctl call,
+which causes dhcpcd to assume that the device is not a wireless interface
+and therefore it fails to work correctly with it thereafter.
+
+This problem was reported and tested at
+https://github.com/lwfinger/rtl8188eu/issues/234.
+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 14 ++++----------
+ 1 file changed, 4 insertions(+), 10 deletions(-)
+
+--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
++++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+@@ -1399,19 +1399,13 @@ static int rtw_wx_get_essid(struct net_d
+ if ((check_fwstate(pmlmepriv, _FW_LINKED)) ||
+ (check_fwstate(pmlmepriv, WIFI_ADHOC_MASTER_STATE))) {
+ len = pcur_bss->Ssid.SsidLength;
+-
+- wrqu->essid.length = len;
+-
+ memcpy(extra, pcur_bss->Ssid.Ssid, len);
+-
+- wrqu->essid.flags = 1;
+ } else {
+- ret = -1;
+- goto exit;
++ len = 0;
++ *extra = 0;
+ }
+-
+-exit:
+-
++ wrqu->essid.length = len;
++ wrqu->essid.flags = 1;
+
+ return ret;
+ }
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Fri, 24 Nov 2017 12:00:24 -0500
+Subject: SUNRPC: Allow connect to return EHOSTUNREACH
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+
+[ Upstream commit 4ba161a793d5f43757c35feff258d9f20a082940 ]
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Tested-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/xprtsock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -2360,6 +2360,7 @@ static void xs_tcp_setup_socket(struct w
+ case -ECONNREFUSED:
+ case -ECONNRESET:
+ case -ENETUNREACH:
++ case -EHOSTUNREACH:
+ case -EADDRINUSE:
+ case -ENOBUFS:
+ /* retry with existing socket, after a delay */
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Tue, 14 Nov 2017 16:18:28 +0000
+Subject: usb: gadget: don't dereference g until after it has been null checked
+
+From: Colin Ian King <colin.king@canonical.com>
+
+
+[ Upstream commit b2fc059fa549fe6881d4c1f8d698b0f50bcd16ec ]
+
+Avoid dereferencing pointer g until after g has been sanity null checked;
+move the assignment of cdev much later when it is required into a more
+local scope.
+
+Detected by CoverityScan, CID#1222135 ("Dereference before null check")
+
+Fixes: b785ea7ce662 ("usb: gadget: composite: fix ep->maxburst initialization")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/composite.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -104,7 +104,6 @@ int config_ep_by_speed(struct usb_gadget
+ struct usb_function *f,
+ struct usb_ep *_ep)
+ {
+- struct usb_composite_dev *cdev = get_gadget_data(g);
+ struct usb_endpoint_descriptor *chosen_desc = NULL;
+ struct usb_descriptor_header **speed_desc = NULL;
+
+@@ -176,8 +175,12 @@ ep_found:
+ _ep->maxburst = comp_desc->bMaxBurst + 1;
+ break;
+ default:
+- if (comp_desc->bMaxBurst != 0)
++ if (comp_desc->bMaxBurst != 0) {
++ struct usb_composite_dev *cdev;
++
++ cdev = get_gadget_data(g);
+ ERROR(cdev, "ep0 bMaxBurst must be 0\n");
++ }
+ _ep->maxburst = 1;
+ break;
+ }
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Eduardo Otubo <otubo@redhat.com>
+Date: Thu, 23 Nov 2017 15:18:35 +0100
+Subject: xen-netfront: remove warning when unloading module
+
+From: Eduardo Otubo <otubo@redhat.com>
+
+
+[ Upstream commit 5b5971df3bc2775107ddad164018a8a8db633b81 ]
+
+v2:
+ * Replace busy wait with wait_event()/wake_up_all()
+ * Cannot garantee that at the time xennet_remove is called, the
+ xen_netback state will not be XenbusStateClosed, so added a
+ condition for that
+ * There's a small chance for the xen_netback state is
+ XenbusStateUnknown by the time the xen_netfront switches to Closed,
+ so added a condition for that.
+
+When unloading module xen_netfront from guest, dmesg would output
+warning messages like below:
+
+ [ 105.236836] xen:grant_table: WARNING: g.e. 0x903 still in use!
+ [ 105.236839] deferring g.e. 0x903 (pfn 0x35805)
+
+This problem relies on netfront and netback being out of sync. By the time
+netfront revokes the g.e.'s netback didn't have enough time to free all of
+them, hence displaying the warnings on dmesg.
+
+The trick here is to make netfront to wait until netback frees all the g.e.'s
+and only then continue to cleanup for the module removal, and this is done by
+manipulating both device states.
+
+Signed-off-by: Eduardo Otubo <otubo@redhat.com>
+Acked-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netfront.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -86,6 +86,8 @@ struct netfront_cb {
+ /* IRQ name is queue name with "-tx" or "-rx" appended */
+ #define IRQ_NAME_SIZE (QUEUE_NAME_SIZE + 3)
+
++static DECLARE_WAIT_QUEUE_HEAD(module_unload_q);
++
+ struct netfront_stats {
+ u64 packets;
+ u64 bytes;
+@@ -2037,10 +2039,12 @@ static void netback_changed(struct xenbu
+ break;
+
+ case XenbusStateClosed:
++ wake_up_all(&module_unload_q);
+ if (dev->state == XenbusStateClosed)
+ break;
+ /* Missed the backend's CLOSING state -- fallthrough */
+ case XenbusStateClosing:
++ wake_up_all(&module_unload_q);
+ xenbus_frontend_closed(dev);
+ break;
+ }
+@@ -2146,6 +2150,20 @@ static int xennet_remove(struct xenbus_d
+
+ dev_dbg(&dev->dev, "%s\n", dev->nodename);
+
++ if (xenbus_read_driver_state(dev->otherend) != XenbusStateClosed) {
++ xenbus_switch_state(dev, XenbusStateClosing);
++ wait_event(module_unload_q,
++ xenbus_read_driver_state(dev->otherend) ==
++ XenbusStateClosing);
++
++ xenbus_switch_state(dev, XenbusStateClosed);
++ wait_event(module_unload_q,
++ xenbus_read_driver_state(dev->otherend) ==
++ XenbusStateClosed ||
++ xenbus_read_driver_state(dev->otherend) ==
++ XenbusStateUnknown);
++ }
++
+ xennet_disconnect_backend(info);
+
+ unregister_netdev(info->netdev);
--- /dev/null
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Mon, 27 Nov 2017 09:50:17 -0800
+Subject: xfs: ubsan fixes
+
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+
+
+[ Upstream commit 22a6c83777ac7c17d6c63891beeeac24cf5da450 ]
+
+Fix some complaints from the UBSAN about signed integer addition overflows.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_aops.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -310,7 +310,7 @@ xfs_map_blocks(
+ (ip->i_df.if_flags & XFS_IFEXTENTS));
+ ASSERT(offset <= mp->m_super->s_maxbytes);
+
+- if (offset + count > mp->m_super->s_maxbytes)
++ if ((xfs_ufsize_t)offset + count > mp->m_super->s_maxbytes)
+ count = mp->m_super->s_maxbytes - offset;
+ end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + count);
+ offset_fsb = XFS_B_TO_FSBT(mp, offset);
+@@ -1360,7 +1360,7 @@ xfs_map_trim_size(
+ if (mapping_size > size)
+ mapping_size = size;
+ if (offset < i_size_read(inode) &&
+- offset + mapping_size >= i_size_read(inode)) {
++ (xfs_ufsize_t)offset + mapping_size >= i_size_read(inode)) {
+ /* limit mapping to block that spans EOF */
+ mapping_size = roundup_64(i_size_read(inode) - offset,
+ i_blocksize(inode));
+@@ -1416,7 +1416,7 @@ __xfs_get_blocks(
+ }
+
+ ASSERT(offset <= mp->m_super->s_maxbytes);
+- if (offset + size > mp->m_super->s_maxbytes)
++ if ((xfs_ufsize_t)offset + size > mp->m_super->s_maxbytes)
+ size = mp->m_super->s_maxbytes - offset;
+ end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + size);
+ offset_fsb = XFS_B_TO_FSBT(mp, offset);
projects / thirdparty / kernel / stable-queue.git / commitdiff
