]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
patches for 4.9
authorSasha Levin <sashal@kernel.org>
Thu, 13 Dec 2018 15:21:13 +0000 (10:21 -0500)
committerSasha Levin <sashal@kernel.org>
Thu, 13 Dec 2018 15:21:13 +0000 (10:21 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
41 files changed:
queue-4.9/arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch [new file with mode: 0644]
queue-4.9/arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch [new file with mode: 0644]
queue-4.9/arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch [new file with mode: 0644]
queue-4.9/asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch [new file with mode: 0644]
queue-4.9/asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch [new file with mode: 0644]
queue-4.9/asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch [new file with mode: 0644]
queue-4.9/asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch [new file with mode: 0644]
queue-4.9/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch [new file with mode: 0644]
queue-4.9/btrfs-send-fix-infinite-loop-due-to-directory-rename.patch [new file with mode: 0644]
queue-4.9/cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch [new file with mode: 0644]
queue-4.9/debugobjects-avoid-recursive-calls-with-kmemleak.patch [new file with mode: 0644]
queue-4.9/drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch [new file with mode: 0644]
queue-4.9/exportfs-do-not-read-dentry-after-free.patch [new file with mode: 0644]
queue-4.9/fscache-cachefiles-remove-redundant-variable-cache.patch [new file with mode: 0644]
queue-4.9/fscache-fix-race-between-enablement-and-dropping-of-.patch [new file with mode: 0644]
queue-4.9/hfs-do-not-free-node-before-using.patch [new file with mode: 0644]
queue-4.9/hfsplus-do-not-free-node-before-using.patch [new file with mode: 0644]
queue-4.9/hwmon-ina2xx-fix-current-value-calculation.patch [new file with mode: 0644]
queue-4.9/hwmon-w83795-temp4_type-has-writable-permission.patch [new file with mode: 0644]
queue-4.9/igb-fix-uninitialized-variables.patch [new file with mode: 0644]
queue-4.9/ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch [new file with mode: 0644]
queue-4.9/ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch [new file with mode: 0644]
queue-4.9/kvm-x86-fix-empty-body-warnings.patch [new file with mode: 0644]
queue-4.9/net-hisilicon-remove-unexpected-free_netdev.patch [new file with mode: 0644]
queue-4.9/net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch [new file with mode: 0644]
queue-4.9/objtool-fix-double-free-in-.cold-detection-error-pat.patch [new file with mode: 0644]
queue-4.9/objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch [new file with mode: 0644]
queue-4.9/ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch [new file with mode: 0644]
queue-4.9/ocfs2-fix-potential-use-after-free.patch [new file with mode: 0644]
queue-4.9/pstore-convert-console-write-to-use-write_buf.patch [new file with mode: 0644]
queue-4.9/rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch [new file with mode: 0644]
queue-4.9/s390-cpum_cf-reject-request-for-sampling-in-event-in.patch [new file with mode: 0644]
queue-4.9/selftests-add-script-to-stress-test-nft-packet-path-.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/sysv-return-err-instead-of-0-in-__sysv_write_inode.patch [new file with mode: 0644]
queue-4.9/usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch [new file with mode: 0644]
queue-4.9/usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch [new file with mode: 0644]
queue-4.9/usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch [new file with mode: 0644]
queue-4.9/usb-omap_udc-use-devm_request_irq.patch [new file with mode: 0644]
queue-4.9/x86-kvm-vmx-fix-old-style-function-declaration.patch [new file with mode: 0644]
queue-4.9/xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch [new file with mode: 0644]

diff --git a/queue-4.9/arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch b/queue-4.9/arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch
new file mode 100644 (file)
index 0000000..34fe7ed
--- /dev/null
@@ -0,0 +1,36 @@
+From ff07c06245cf5f1bb52297083cfbde649ff64485 Mon Sep 17 00:00:00 2001
+From: Adam Ford <aford173@gmail.com>
+Date: Sun, 28 Oct 2018 15:29:27 -0500
+Subject: ARM: dts: logicpd-somlv: Fix interrupt on mmc3_dat1
+
+[ Upstream commit 3d8b804bc528d3720ec0c39c212af92dafaf6e84 ]
+
+The interrupt on mmc3_dat1 is wrong which prevents this from
+appearing in /proc/interrupts.
+
+Fixes: ab8dd3aed011 ("ARM: DTS: Add minimal Support for Logic PD
+DM3730 SOM-LV") #Kernel 4.9+
+
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/logicpd-som-lv.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/logicpd-som-lv.dtsi b/arch/arm/boot/dts/logicpd-som-lv.dtsi
+index e262fa9ef334..876ed5f2922c 100644
+--- a/arch/arm/boot/dts/logicpd-som-lv.dtsi
++++ b/arch/arm/boot/dts/logicpd-som-lv.dtsi
+@@ -122,7 +122,7 @@
+ };
+ &mmc3 {
+-      interrupts-extended = <&intc 94 &omap3_pmx_core2 0x46>;
++      interrupts-extended = <&intc 94 &omap3_pmx_core 0x136>;
+       pinctrl-0 = <&mmc3_pins &wl127x_gpio>;
+       pinctrl-names = "default";
+       vmmc-supply = <&wl12xx_vmmc>;
+-- 
+2.19.1
+
diff --git a/queue-4.9/arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch b/queue-4.9/arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch
new file mode 100644 (file)
index 0000000..ef90b19
--- /dev/null
@@ -0,0 +1,40 @@
+From 4e8073cb4b28db7146b4f88f877aae0ec67991d0 Mon Sep 17 00:00:00 2001
+From: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Date: Wed, 7 Nov 2018 22:30:31 +0100
+Subject: ARM: OMAP1: ams-delta: Fix possible use of uninitialized field
+
+[ Upstream commit cec83ff1241ec98113a19385ea9e9cfa9aa4125b ]
+
+While playing with initialization order of modem device, it has been
+discovered that under some circumstances (early console init, I
+believe) its .pm() callback may be called before the
+uart_port->private_data pointer is initialized from
+plat_serial8250_port->private_data, resulting in NULL pointer
+dereference.  Fix it by checking for uninitialized pointer before using
+it in modem_pm().
+
+Fixes: aabf31737a6a ("ARM: OMAP1: ams-delta: update the modem to use regulator API")
+Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap1/board-ams-delta.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/mach-omap1/board-ams-delta.c b/arch/arm/mach-omap1/board-ams-delta.c
+index 6613a6ff5dbc..c4b634c54fbd 100644
+--- a/arch/arm/mach-omap1/board-ams-delta.c
++++ b/arch/arm/mach-omap1/board-ams-delta.c
+@@ -511,6 +511,9 @@ static void modem_pm(struct uart_port *port, unsigned int state, unsigned old)
+ {
+       struct modem_private_data *priv = port->private_data;
++      if (!priv)
++              return;
++
+       if (IS_ERR(priv->regulator))
+               return;
+-- 
+2.19.1
+
diff --git a/queue-4.9/arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch b/queue-4.9/arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch
new file mode 100644 (file)
index 0000000..3b04b83
--- /dev/null
@@ -0,0 +1,45 @@
+From 7610bf4fa9c1d0c1a2f6ef993b1550abc80aab09 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Wed, 17 Oct 2018 17:54:00 -0700
+Subject: ARM: OMAP2+: prm44xx: Fix section annotation on
+ omap44xx_prm_enable_io_wakeup
+
+[ Upstream commit eef3dc34a1e0b01d53328b88c25237bcc7323777 ]
+
+When building the kernel with Clang, the following section mismatch
+warning appears:
+
+WARNING: vmlinux.o(.text+0x38b3c): Section mismatch in reference from
+the function omap44xx_prm_late_init() to the function
+.init.text:omap44xx_prm_enable_io_wakeup()
+The function omap44xx_prm_late_init() references
+the function __init omap44xx_prm_enable_io_wakeup().
+This is often because omap44xx_prm_late_init lacks a __init
+annotation or the annotation of omap44xx_prm_enable_io_wakeup is wrong.
+
+Remove the __init annotation from omap44xx_prm_enable_io_wakeup so there
+is no more mismatch.
+
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap2/prm44xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-omap2/prm44xx.c b/arch/arm/mach-omap2/prm44xx.c
+index 30768003f854..8c505284bc0c 100644
+--- a/arch/arm/mach-omap2/prm44xx.c
++++ b/arch/arm/mach-omap2/prm44xx.c
+@@ -344,7 +344,7 @@ static void omap44xx_prm_reconfigure_io_chain(void)
+  * to occur, WAKEUPENABLE bits must be set in the pad mux registers, and
+  * omap44xx_prm_reconfigure_io_chain() must be called.  No return value.
+  */
+-static void __init omap44xx_prm_enable_io_wakeup(void)
++static void omap44xx_prm_enable_io_wakeup(void)
+ {
+       s32 inst = omap4_prmst_get_prm_dev_inst();
+-- 
+2.19.1
+
diff --git a/queue-4.9/asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch b/queue-4.9/asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch
new file mode 100644 (file)
index 0000000..3203ea5
--- /dev/null
@@ -0,0 +1,57 @@
+From c65fb8dc94c146e95d8f2fa63edc1a4f9d01fd4e Mon Sep 17 00:00:00 2001
+From: Tzung-Bi Shih <tzungbi@google.com>
+Date: Wed, 14 Nov 2018 17:06:13 +0800
+Subject: ASoC: dapm: Recalculate audio map forcely when card instantiated
+
+[ Upstream commit 882eab6c28d23a970ae73b7eb831b169a672d456 ]
+
+Audio map are possible in wrong state before card->instantiated has
+been set to true.  Imaging the following examples:
+
+time 1: at the beginning
+
+  in:-1    in:-1    in:-1    in:-1
+ out:-1   out:-1   out:-1   out:-1
+ SIGGEN        A        B      Spk
+
+time 2: after someone called snd_soc_dapm_new_widgets()
+(e.g. create_fill_widget_route_map() in sound/soc/codecs/hdac_hdmi.c)
+
+   in:1     in:0     in:0     in:0
+  out:0    out:0    out:0    out:1
+ SIGGEN        A        B      Spk
+
+time 3: routes added
+
+   in:1     in:0     in:0     in:0
+  out:0    out:0    out:0    out:1
+ SIGGEN -----> A -----> B ---> Spk
+
+In the end, the path should be powered on but it did not.  At time 3,
+"in" of SIGGEN and "out" of Spk did not propagate to their neighbors
+because snd_soc_dapm_add_path() will not invalidate the paths if
+the card has not instantiated (i.e. card->instantiated is false).
+To correct the state of audio map, recalculate the whole map forcely.
+
+Signed-off-by: Tzung-Bi Shih <tzungbi@google.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index 4e3de566809c..168559b5e9f3 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -2018,6 +2018,7 @@ static int snd_soc_instantiate_card(struct snd_soc_card *card)
+       }
+       card->instantiated = 1;
++      dapm_mark_endpoints_dirty(card);
+       snd_soc_dapm_sync(&card->dapm);
+       mutex_unlock(&card->mutex);
+       mutex_unlock(&client_mutex);
+-- 
+2.19.1
+
diff --git a/queue-4.9/asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch b/queue-4.9/asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch
new file mode 100644 (file)
index 0000000..c43cbf8
--- /dev/null
@@ -0,0 +1,159 @@
+From d24a41764912ea9a45a4d49667d24486e694d753 Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Wed, 14 Nov 2018 14:58:20 +0200
+Subject: ASoC: omap-abe-twl6040: Fix missing audio card caused by deferred
+ probing
+
+[ Upstream commit 76836fd354922ebe4798a64fda01f8dc6a8b0984 ]
+
+The machine driver fails to probe in next-20181113 with:
+
+[    2.539093] omap-abe-twl6040 sound: ASoC: CODEC DAI twl6040-legacy not registered
+[    2.546630] omap-abe-twl6040 sound: devm_snd_soc_register_card() failed: -517
+...
+[    3.693206] omap-abe-twl6040 sound: ASoC: Both platform name/of_node are set for TWL6040
+[    3.701446] omap-abe-twl6040 sound: ASoC: failed to init link TWL6040
+[    3.708007] omap-abe-twl6040 sound: devm_snd_soc_register_card() failed: -22
+[    3.715148] omap-abe-twl6040: probe of sound failed with error -22
+
+Bisect pointed to a merge commit:
+first bad commit: [0f688ab20a540aafa984c5dbd68a71debebf4d7f] Merge remote-tracking branch 'net-next/master'
+
+and a diff between a working kernel does not reveal anything which would
+explain the change in behavior.
+
+Further investigation showed that on the second try of loading fails
+because the dai_link->platform is no longer NULL and it might be pointing
+to uninitialized memory.
+
+The fix is to move the snd_soc_dai_link and snd_soc_card inside of the
+abe_twl6040 struct, which is dynamically allocated every time the driver
+probes.
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/omap/omap-abe-twl6040.c | 67 +++++++++++++------------------
+ 1 file changed, 29 insertions(+), 38 deletions(-)
+
+diff --git a/sound/soc/omap/omap-abe-twl6040.c b/sound/soc/omap/omap-abe-twl6040.c
+index 89fe95e877db..07af30017b48 100644
+--- a/sound/soc/omap/omap-abe-twl6040.c
++++ b/sound/soc/omap/omap-abe-twl6040.c
+@@ -36,6 +36,8 @@
+ #include "../codecs/twl6040.h"
+ struct abe_twl6040 {
++      struct snd_soc_card card;
++      struct snd_soc_dai_link dai_links[2];
+       int     jack_detection; /* board can detect jack events */
+       int     mclk_freq;      /* MCLK frequency speed for twl6040 */
+ };
+@@ -208,40 +210,10 @@ static int omap_abe_dmic_init(struct snd_soc_pcm_runtime *rtd)
+                               ARRAY_SIZE(dmic_audio_map));
+ }
+-/* Digital audio interface glue - connects codec <--> CPU */
+-static struct snd_soc_dai_link abe_twl6040_dai_links[] = {
+-      {
+-              .name = "TWL6040",
+-              .stream_name = "TWL6040",
+-              .codec_dai_name = "twl6040-legacy",
+-              .codec_name = "twl6040-codec",
+-              .init = omap_abe_twl6040_init,
+-              .ops = &omap_abe_ops,
+-      },
+-      {
+-              .name = "DMIC",
+-              .stream_name = "DMIC Capture",
+-              .codec_dai_name = "dmic-hifi",
+-              .codec_name = "dmic-codec",
+-              .init = omap_abe_dmic_init,
+-              .ops = &omap_abe_dmic_ops,
+-      },
+-};
+-
+-/* Audio machine driver */
+-static struct snd_soc_card omap_abe_card = {
+-      .owner = THIS_MODULE,
+-
+-      .dapm_widgets = twl6040_dapm_widgets,
+-      .num_dapm_widgets = ARRAY_SIZE(twl6040_dapm_widgets),
+-      .dapm_routes = audio_map,
+-      .num_dapm_routes = ARRAY_SIZE(audio_map),
+-};
+-
+ static int omap_abe_probe(struct platform_device *pdev)
+ {
+       struct device_node *node = pdev->dev.of_node;
+-      struct snd_soc_card *card = &omap_abe_card;
++      struct snd_soc_card *card;
+       struct device_node *dai_node;
+       struct abe_twl6040 *priv;
+       int num_links = 0;
+@@ -252,12 +224,18 @@ static int omap_abe_probe(struct platform_device *pdev)
+               return -ENODEV;
+       }
+-      card->dev = &pdev->dev;
+-
+       priv = devm_kzalloc(&pdev->dev, sizeof(struct abe_twl6040), GFP_KERNEL);
+       if (priv == NULL)
+               return -ENOMEM;
++      card = &priv->card;
++      card->dev = &pdev->dev;
++      card->owner = THIS_MODULE;
++      card->dapm_widgets = twl6040_dapm_widgets;
++      card->num_dapm_widgets = ARRAY_SIZE(twl6040_dapm_widgets);
++      card->dapm_routes = audio_map;
++      card->num_dapm_routes = ARRAY_SIZE(audio_map);
++
+       if (snd_soc_of_parse_card_name(card, "ti,model")) {
+               dev_err(&pdev->dev, "Card name is not provided\n");
+               return -ENODEV;
+@@ -274,14 +252,27 @@ static int omap_abe_probe(struct platform_device *pdev)
+               dev_err(&pdev->dev, "McPDM node is not provided\n");
+               return -EINVAL;
+       }
+-      abe_twl6040_dai_links[0].cpu_of_node = dai_node;
+-      abe_twl6040_dai_links[0].platform_of_node = dai_node;
++
++      priv->dai_links[0].name = "DMIC";
++      priv->dai_links[0].stream_name = "TWL6040";
++      priv->dai_links[0].cpu_of_node = dai_node;
++      priv->dai_links[0].platform_of_node = dai_node;
++      priv->dai_links[0].codec_dai_name = "twl6040-legacy";
++      priv->dai_links[0].codec_name = "twl6040-codec";
++      priv->dai_links[0].init = omap_abe_twl6040_init;
++      priv->dai_links[0].ops = &omap_abe_ops;
+       dai_node = of_parse_phandle(node, "ti,dmic", 0);
+       if (dai_node) {
+               num_links = 2;
+-              abe_twl6040_dai_links[1].cpu_of_node = dai_node;
+-              abe_twl6040_dai_links[1].platform_of_node = dai_node;
++              priv->dai_links[1].name = "TWL6040";
++              priv->dai_links[1].stream_name = "DMIC Capture";
++              priv->dai_links[1].cpu_of_node = dai_node;
++              priv->dai_links[1].platform_of_node = dai_node;
++              priv->dai_links[1].codec_dai_name = "dmic-hifi";
++              priv->dai_links[1].codec_name = "dmic-codec";
++              priv->dai_links[1].init = omap_abe_dmic_init;
++              priv->dai_links[1].ops = &omap_abe_dmic_ops;
+       } else {
+               num_links = 1;
+       }
+@@ -300,7 +291,7 @@ static int omap_abe_probe(struct platform_device *pdev)
+               return -ENODEV;
+       }
+-      card->dai_link = abe_twl6040_dai_links;
++      card->dai_link = priv->dai_links;
+       card->num_links = num_links;
+       snd_soc_card_set_drvdata(card, priv);
+-- 
+2.19.1
+
diff --git a/queue-4.9/asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch b/queue-4.9/asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch
new file mode 100644 (file)
index 0000000..0e35201
--- /dev/null
@@ -0,0 +1,63 @@
+From ee26808b1fae2a1bebe2f2d78e272f25df3ad38a Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Wed, 14 Nov 2018 13:06:23 +0200
+Subject: ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE
+
+[ Upstream commit ffdcc3638c58d55a6fa68b6e5dfd4fb4109652eb ]
+
+We need to block sleep states which would require longer time to leave than
+the time the DMA must react to the DMA request in order to keep the FIFO
+serviced without overrun.
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Acked-by: Jarkko Nikula <jarkko.nikula@bitmer.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/omap/omap-dmic.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/sound/soc/omap/omap-dmic.c b/sound/soc/omap/omap-dmic.c
+index 09db2aec12a3..776e809a8aab 100644
+--- a/sound/soc/omap/omap-dmic.c
++++ b/sound/soc/omap/omap-dmic.c
+@@ -48,6 +48,8 @@ struct omap_dmic {
+       struct device *dev;
+       void __iomem *io_base;
+       struct clk *fclk;
++      struct pm_qos_request pm_qos_req;
++      int latency;
+       int fclk_freq;
+       int out_freq;
+       int clk_div;
+@@ -124,6 +126,8 @@ static void omap_dmic_dai_shutdown(struct snd_pcm_substream *substream,
+       mutex_lock(&dmic->mutex);
++      pm_qos_remove_request(&dmic->pm_qos_req);
++
+       if (!dai->active)
+               dmic->active = 0;
+@@ -226,6 +230,8 @@ static int omap_dmic_dai_hw_params(struct snd_pcm_substream *substream,
+       /* packet size is threshold * channels */
+       dma_data = snd_soc_dai_get_dma_data(dai, substream);
+       dma_data->maxburst = dmic->threshold * channels;
++      dmic->latency = (OMAP_DMIC_THRES_MAX - dmic->threshold) * USEC_PER_SEC /
++                      params_rate(params);
+       return 0;
+ }
+@@ -236,6 +242,9 @@ static int omap_dmic_dai_prepare(struct snd_pcm_substream *substream,
+       struct omap_dmic *dmic = snd_soc_dai_get_drvdata(dai);
+       u32 ctrl;
++      if (pm_qos_request_active(&dmic->pm_qos_req))
++              pm_qos_update_request(&dmic->pm_qos_req, dmic->latency);
++
+       /* Configure uplink threshold */
+       omap_dmic_write(dmic, OMAP_DMIC_FIFO_CTRL_REG, dmic->threshold);
+-- 
+2.19.1
+
diff --git a/queue-4.9/asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch b/queue-4.9/asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch
new file mode 100644 (file)
index 0000000..613fe13
--- /dev/null
@@ -0,0 +1,127 @@
+From 9b897f00c1c5cb88bde1c4cca82aeec060517bc1 Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Wed, 14 Nov 2018 13:06:22 +0200
+Subject: ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with
+ CPU_IDLE
+
+[ Upstream commit 373a500e34aea97971c9d71e45edad458d3da98f ]
+
+We need to block sleep states which would require longer time to leave than
+the time the DMA must react to the DMA request in order to keep the FIFO
+serviced without under of overrun.
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Acked-by: Jarkko Nikula <jarkko.nikula@bitmer.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/omap/omap-mcpdm.c | 43 ++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 42 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/omap/omap-mcpdm.c b/sound/soc/omap/omap-mcpdm.c
+index 64609c77a79d..44ffeb71cd1d 100644
+--- a/sound/soc/omap/omap-mcpdm.c
++++ b/sound/soc/omap/omap-mcpdm.c
+@@ -54,6 +54,8 @@ struct omap_mcpdm {
+       unsigned long phys_base;
+       void __iomem *io_base;
+       int irq;
++      struct pm_qos_request pm_qos_req;
++      int latency[2];
+       struct mutex mutex;
+@@ -277,6 +279,9 @@ static void omap_mcpdm_dai_shutdown(struct snd_pcm_substream *substream,
+                                 struct snd_soc_dai *dai)
+ {
+       struct omap_mcpdm *mcpdm = snd_soc_dai_get_drvdata(dai);
++      int tx = (substream->stream == SNDRV_PCM_STREAM_PLAYBACK);
++      int stream1 = tx ? SNDRV_PCM_STREAM_PLAYBACK : SNDRV_PCM_STREAM_CAPTURE;
++      int stream2 = tx ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
+       mutex_lock(&mcpdm->mutex);
+@@ -289,6 +294,14 @@ static void omap_mcpdm_dai_shutdown(struct snd_pcm_substream *substream,
+               }
+       }
++      if (mcpdm->latency[stream2])
++              pm_qos_update_request(&mcpdm->pm_qos_req,
++                                    mcpdm->latency[stream2]);
++      else if (mcpdm->latency[stream1])
++              pm_qos_remove_request(&mcpdm->pm_qos_req);
++
++      mcpdm->latency[stream1] = 0;
++
+       mutex_unlock(&mcpdm->mutex);
+ }
+@@ -300,7 +313,7 @@ static int omap_mcpdm_dai_hw_params(struct snd_pcm_substream *substream,
+       int stream = substream->stream;
+       struct snd_dmaengine_dai_dma_data *dma_data;
+       u32 threshold;
+-      int channels;
++      int channels, latency;
+       int link_mask = 0;
+       channels = params_channels(params);
+@@ -340,14 +353,25 @@ static int omap_mcpdm_dai_hw_params(struct snd_pcm_substream *substream,
+               dma_data->maxburst =
+                               (MCPDM_DN_THRES_MAX - threshold) * channels;
++              latency = threshold;
+       } else {
+               /* If playback is not running assume a stereo stream to come */
+               if (!mcpdm->config[!stream].link_mask)
+                       mcpdm->config[!stream].link_mask = (0x3 << 3);
+               dma_data->maxburst = threshold * channels;
++              latency = (MCPDM_DN_THRES_MAX - threshold);
+       }
++      /*
++       * The DMA must act to a DMA request within latency time (usec) to avoid
++       * under/overflow
++       */
++      mcpdm->latency[stream] = latency * USEC_PER_SEC / params_rate(params);
++
++      if (!mcpdm->latency[stream])
++              mcpdm->latency[stream] = 10;
++
+       /* Check if we need to restart McPDM with this stream */
+       if (mcpdm->config[stream].link_mask &&
+           mcpdm->config[stream].link_mask != link_mask)
+@@ -362,6 +386,20 @@ static int omap_mcpdm_prepare(struct snd_pcm_substream *substream,
+                                 struct snd_soc_dai *dai)
+ {
+       struct omap_mcpdm *mcpdm = snd_soc_dai_get_drvdata(dai);
++      struct pm_qos_request *pm_qos_req = &mcpdm->pm_qos_req;
++      int tx = (substream->stream == SNDRV_PCM_STREAM_PLAYBACK);
++      int stream1 = tx ? SNDRV_PCM_STREAM_PLAYBACK : SNDRV_PCM_STREAM_CAPTURE;
++      int stream2 = tx ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
++      int latency = mcpdm->latency[stream2];
++
++      /* Prevent omap hardware from hitting off between FIFO fills */
++      if (!latency || mcpdm->latency[stream1] < latency)
++              latency = mcpdm->latency[stream1];
++
++      if (pm_qos_request_active(pm_qos_req))
++              pm_qos_update_request(pm_qos_req, latency);
++      else if (latency)
++              pm_qos_add_request(pm_qos_req, PM_QOS_CPU_DMA_LATENCY, latency);
+       if (!omap_mcpdm_active(mcpdm)) {
+               omap_mcpdm_start(mcpdm);
+@@ -423,6 +461,9 @@ static int omap_mcpdm_remove(struct snd_soc_dai *dai)
+       free_irq(mcpdm->irq, (void *)mcpdm);
+       pm_runtime_disable(mcpdm->dev);
++      if (pm_qos_request_active(&mcpdm->pm_qos_req))
++              pm_qos_remove_request(&mcpdm->pm_qos_req);
++
+       return 0;
+ }
+-- 
+2.19.1
+
diff --git a/queue-4.9/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch b/queue-4.9/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch
new file mode 100644 (file)
index 0000000..374365f
--- /dev/null
@@ -0,0 +1,44 @@
+From 97f2d10ac553c0653190711ff64348308c55fb10 Mon Sep 17 00:00:00 2001
+From: Martynas Pumputis <m@lambda.lt>
+Date: Fri, 23 Nov 2018 17:43:26 +0100
+Subject: bpf: fix check of allowed specifiers in bpf_trace_printk
+
+[ Upstream commit 1efb6ee3edea57f57f9fb05dba8dcb3f7333f61f ]
+
+A format string consisting of "%p" or "%s" followed by an invalid
+specifier (e.g. "%p%\n" or "%s%") could pass the check which
+would make format_decode (lib/vsprintf.c) to warn.
+
+Fixes: 9c959c863f82 ("tracing: Allow BPF programs to call bpf_trace_printk()")
+Reported-by: syzbot+1ec5c5ec949c4adaa0c4@syzkaller.appspotmail.com
+Signed-off-by: Martynas Pumputis <m@lambda.lt>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/bpf_trace.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
+index 41805fb3c661..7cc06f267be5 100644
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -161,11 +161,13 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1,
+                       i++;
+               } else if (fmt[i] == 'p' || fmt[i] == 's') {
+                       mod[fmt_cnt]++;
+-                      i++;
+-                      if (!isspace(fmt[i]) && !ispunct(fmt[i]) && fmt[i] != 0)
++                      /* disallow any further format extensions */
++                      if (fmt[i + 1] != 0 &&
++                          !isspace(fmt[i + 1]) &&
++                          !ispunct(fmt[i + 1]))
+                               return -EINVAL;
+                       fmt_cnt++;
+-                      if (fmt[i - 1] == 's') {
++                      if (fmt[i] == 's') {
+                               if (str_seen)
+                                       /* allow only one '%s' per fmt string */
+                                       return -EINVAL;
+-- 
+2.19.1
+
diff --git a/queue-4.9/btrfs-send-fix-infinite-loop-due-to-directory-rename.patch b/queue-4.9/btrfs-send-fix-infinite-loop-due-to-directory-rename.patch
new file mode 100644 (file)
index 0000000..31e1683
--- /dev/null
@@ -0,0 +1,200 @@
+From 85ff69fb231aef87cacda61e9f7beb8c123f25f9 Mon Sep 17 00:00:00 2001
+From: Robbie Ko <robbieko@synology.com>
+Date: Wed, 14 Nov 2018 18:32:37 +0000
+Subject: Btrfs: send, fix infinite loop due to directory rename dependencies
+
+[ Upstream commit a4390aee72713d9e73f1132bcdeb17d72fbbf974 ]
+
+When doing an incremental send, due to the need of delaying directory move
+(rename) operations we can end up in infinite loop at
+apply_children_dir_moves().
+
+An example scenario that triggers this problem is described below, where
+directory names correspond to the numbers of their respective inodes.
+
+Parent snapshot:
+
+ .
+ |--- 261/
+       |--- 271/
+             |--- 266/
+                   |--- 259/
+                   |--- 260/
+                   |     |--- 267
+                   |
+                   |--- 264/
+                   |     |--- 258/
+                   |           |--- 257/
+                   |
+                   |--- 265/
+                   |--- 268/
+                   |--- 269/
+                   |     |--- 262/
+                   |
+                   |--- 270/
+                   |--- 272/
+                   |     |--- 263/
+                   |     |--- 275/
+                   |
+                   |--- 274/
+                         |--- 273/
+
+Send snapshot:
+
+ .
+ |-- 275/
+      |-- 274/
+           |-- 273/
+                |-- 262/
+                     |-- 269/
+                          |-- 258/
+                               |-- 271/
+                                    |-- 268/
+                                         |-- 267/
+                                              |-- 270/
+                                                   |-- 259/
+                                                   |    |-- 265/
+                                                   |
+                                                   |-- 272/
+                                                        |-- 257/
+                                                             |-- 260/
+                                                             |-- 264/
+                                                                  |-- 263/
+                                                                       |-- 261/
+                                                                            |-- 266/
+
+When processing inode 257 we delay its move (rename) operation because its
+new parent in the send snapshot, inode 272, was not yet processed. Then
+when processing inode 272, we delay the move operation for that inode
+because inode 274 is its ancestor in the send snapshot. Finally we delay
+the move operation for inode 274 when processing it because inode 275 is
+its new parent in the send snapshot and was not yet moved.
+
+When finishing processing inode 275, we start to do the move operations
+that were previously delayed (at apply_children_dir_moves()), resulting in
+the following iterations:
+
+1) We issue the move operation for inode 274;
+
+2) Because inode 262 depended on the move operation of inode 274 (it was
+   delayed because 274 is its ancestor in the send snapshot), we issue the
+   move operation for inode 262;
+
+3) We issue the move operation for inode 272, because it was delayed by
+   inode 274 too (ancestor of 272 in the send snapshot);
+
+4) We issue the move operation for inode 269 (it was delayed by 262);
+
+5) We issue the move operation for inode 257 (it was delayed by 272);
+
+6) We issue the move operation for inode 260 (it was delayed by 272);
+
+7) We issue the move operation for inode 258 (it was delayed by 269);
+
+8) We issue the move operation for inode 264 (it was delayed by 257);
+
+9) We issue the move operation for inode 271 (it was delayed by 258);
+
+10) We issue the move operation for inode 263 (it was delayed by 264);
+
+11) We issue the move operation for inode 268 (it was delayed by 271);
+
+12) We verify if we can issue the move operation for inode 270 (it was
+    delayed by 271). We detect a path loop in the current state, because
+    inode 267 needs to be moved first before we can issue the move
+    operation for inode 270. So we delay again the move operation for
+    inode 270, this time we will attempt to do it after inode 267 is
+    moved;
+
+13) We issue the move operation for inode 261 (it was delayed by 263);
+
+14) We verify if we can issue the move operation for inode 266 (it was
+    delayed by 263). We detect a path loop in the current state, because
+    inode 270 needs to be moved first before we can issue the move
+    operation for inode 266. So we delay again the move operation for
+    inode 266, this time we will attempt to do it after inode 270 is
+    moved (its move operation was delayed in step 12);
+
+15) We issue the move operation for inode 267 (it was delayed by 268);
+
+16) We verify if we can issue the move operation for inode 266 (it was
+    delayed by 270). We detect a path loop in the current state, because
+    inode 270 needs to be moved first before we can issue the move
+    operation for inode 266. So we delay again the move operation for
+    inode 266, this time we will attempt to do it after inode 270 is
+    moved (its move operation was delayed in step 12). So here we added
+    again the same delayed move operation that we added in step 14;
+
+17) We attempt again to see if we can issue the move operation for inode
+    266, and as in step 16, we realize we can not due to a path loop in
+    the current state due to a dependency on inode 270. Again we delay
+    inode's 266 rename to happen after inode's 270 move operation, adding
+    the same dependency to the empty stack that we did in steps 14 and 16.
+    The next iteration will pick the same move dependency on the stack
+    (the only entry) and realize again there is still a path loop and then
+    again the same dependency to the stack, over and over, resulting in
+    an infinite loop.
+
+So fix this by preventing adding the same move dependency entries to the
+stack by removing each pending move record from the red black tree of
+pending moves. This way the next call to get_pending_dir_moves() will
+not return anything for the current parent inode.
+
+A test case for fstests, with this reproducer, follows soon.
+
+Signed-off-by: Robbie Ko <robbieko@synology.com>
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+[Wrote changelog with example and more clear explanation]
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/send.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index 79dc3ee1de58..a45f26ac5da7 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -3349,7 +3349,8 @@ static void free_pending_move(struct send_ctx *sctx, struct pending_dir_move *m)
+       kfree(m);
+ }
+-static void tail_append_pending_moves(struct pending_dir_move *moves,
++static void tail_append_pending_moves(struct send_ctx *sctx,
++                                    struct pending_dir_move *moves,
+                                     struct list_head *stack)
+ {
+       if (list_empty(&moves->list)) {
+@@ -3360,6 +3361,10 @@ static void tail_append_pending_moves(struct pending_dir_move *moves,
+               list_add_tail(&moves->list, stack);
+               list_splice_tail(&list, stack);
+       }
++      if (!RB_EMPTY_NODE(&moves->node)) {
++              rb_erase(&moves->node, &sctx->pending_dir_moves);
++              RB_CLEAR_NODE(&moves->node);
++      }
+ }
+ static int apply_children_dir_moves(struct send_ctx *sctx)
+@@ -3374,7 +3379,7 @@ static int apply_children_dir_moves(struct send_ctx *sctx)
+               return 0;
+       INIT_LIST_HEAD(&stack);
+-      tail_append_pending_moves(pm, &stack);
++      tail_append_pending_moves(sctx, pm, &stack);
+       while (!list_empty(&stack)) {
+               pm = list_first_entry(&stack, struct pending_dir_move, list);
+@@ -3385,7 +3390,7 @@ static int apply_children_dir_moves(struct send_ctx *sctx)
+                       goto out;
+               pm = get_pending_dir_moves(sctx, parent_ino);
+               if (pm)
+-                      tail_append_pending_moves(pm, &stack);
++                      tail_append_pending_moves(sctx, pm, &stack);
+       }
+       return 0;
+-- 
+2.19.1
+
diff --git a/queue-4.9/cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch b/queue-4.9/cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch
new file mode 100644 (file)
index 0000000..31b35ff
--- /dev/null
@@ -0,0 +1,87 @@
+From 14849ad2414c5ae90db1a06d7b15892811c31c01 Mon Sep 17 00:00:00 2001
+From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+Date: Mon, 24 Sep 2018 12:02:39 +1000
+Subject: cachefiles: Fix page leak in cachefiles_read_backing_file while
+ vmscan is active
+
+[ Upstream commit 9a24ce5b66f9c8190d63b15f4473600db4935f1f ]
+
+[Description]
+
+In a heavily loaded system where the system pagecache is nearing memory
+limits and fscache is enabled, pages can be leaked by fscache while trying
+read pages from cachefiles backend.  This can happen because two
+applications can be reading same page from a single mount, two threads can
+be trying to read the backing page at same time.  This results in one of
+the threads finding that a page for the backing file or netfs file is
+already in the radix tree.  During the error handling cachefiles does not
+clean up the reference on backing page, leading to page leak.
+
+[Fix]
+The fix is straightforward, to decrement the reference when error is
+encountered.
+
+  [dhowells: Note that I've removed the clearance and put of newpage as
+   they aren't attested in the commit message and don't appear to actually
+   achieve anything since a new page is only allocated is newpage!=NULL and
+   any residual new page is cleared before returning.]
+
+[Testing]
+I have tested the fix using following method for 12+ hrs.
+
+1) mkdir -p /mnt/nfs ; mount -o vers=3,fsc <server_ip>:/export /mnt/nfs
+2) create 10000 files of 2.8MB in a NFS mount.
+3) start a thread to simulate heavy VM presssure
+   (while true ; do echo 3 > /proc/sys/vm/drop_caches ; sleep 1 ; done)&
+4) start multiple parallel reader for data set at same time
+   find /mnt/nfs -type f | xargs -P 80 cat > /dev/null &
+   find /mnt/nfs -type f | xargs -P 80 cat > /dev/null &
+   find /mnt/nfs -type f | xargs -P 80 cat > /dev/null &
+   ..
+   ..
+   find /mnt/nfs -type f | xargs -P 80 cat > /dev/null &
+   find /mnt/nfs -type f | xargs -P 80 cat > /dev/null &
+5) finally check using cat /proc/fs/fscache/stats | grep -i pages ;
+   free -h , cat /proc/meminfo and page-types -r -b lru
+   to ensure all pages are freed.
+
+Reviewed-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Shantanu Goel <sgoel01@yahoo.com>
+Signed-off-by: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+[dja: forward ported to current upstream]
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cachefiles/rdwr.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/cachefiles/rdwr.c b/fs/cachefiles/rdwr.c
+index 5e3bc9de7a16..8d43306c038b 100644
+--- a/fs/cachefiles/rdwr.c
++++ b/fs/cachefiles/rdwr.c
+@@ -537,7 +537,10 @@ static int cachefiles_read_backing_file(struct cachefiles_object *object,
+                                           netpage->index, cachefiles_gfp);
+               if (ret < 0) {
+                       if (ret == -EEXIST) {
++                              put_page(backpage);
++                              backpage = NULL;
+                               put_page(netpage);
++                              netpage = NULL;
+                               fscache_retrieval_complete(op, 1);
+                               continue;
+                       }
+@@ -610,7 +613,10 @@ static int cachefiles_read_backing_file(struct cachefiles_object *object,
+                                           netpage->index, cachefiles_gfp);
+               if (ret < 0) {
+                       if (ret == -EEXIST) {
++                              put_page(backpage);
++                              backpage = NULL;
+                               put_page(netpage);
++                              netpage = NULL;
+                               fscache_retrieval_complete(op, 1);
+                               continue;
+                       }
+-- 
+2.19.1
+
diff --git a/queue-4.9/debugobjects-avoid-recursive-calls-with-kmemleak.patch b/queue-4.9/debugobjects-avoid-recursive-calls-with-kmemleak.patch
new file mode 100644 (file)
index 0000000..ec0271f
--- /dev/null
@@ -0,0 +1,58 @@
+From 8669323839ae5501dcad5363851e70960c21adc0 Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@gmx.us>
+Date: Fri, 30 Nov 2018 14:09:48 -0800
+Subject: debugobjects: avoid recursive calls with kmemleak
+
+[ Upstream commit 8de456cf87ba863e028c4dd01bae44255ce3d835 ]
+
+CONFIG_DEBUG_OBJECTS_RCU_HEAD does not play well with kmemleak due to
+recursive calls.
+
+fill_pool
+  kmemleak_ignore
+    make_black_object
+      put_object
+        __call_rcu (kernel/rcu/tree.c)
+          debug_rcu_head_queue
+            debug_object_activate
+              debug_object_init
+                fill_pool
+                  kmemleak_ignore
+                    make_black_object
+                      ...
+
+So add SLAB_NOLEAKTRACE to kmem_cache_create() to not register newly
+allocated debug objects at all.
+
+Link: http://lkml.kernel.org/r/20181126165343.2339-1-cai@gmx.us
+Signed-off-by: Qian Cai <cai@gmx.us>
+Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
+Acked-by: Waiman Long <longman@redhat.com>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Yang Shi <yang.shi@linux.alibaba.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/debugobjects.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/debugobjects.c b/lib/debugobjects.c
+index 88580e8ee39e..1c43d4c5d2ab 100644
+--- a/lib/debugobjects.c
++++ b/lib/debugobjects.c
+@@ -1110,7 +1110,8 @@ void __init debug_objects_mem_init(void)
+       obj_cache = kmem_cache_create("debug_objects_cache",
+                                     sizeof (struct debug_obj), 0,
+-                                    SLAB_DEBUG_OBJECTS, NULL);
++                                    SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE,
++                                    NULL);
+       if (!obj_cache || debug_objects_replace_static_objects()) {
+               debug_objects_enabled = 0;
+-- 
+2.19.1
+
diff --git a/queue-4.9/drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch b/queue-4.9/drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch
new file mode 100644 (file)
index 0000000..f29c3b8
--- /dev/null
@@ -0,0 +1,94 @@
+From 924770877b5ec2917e3e3bcce1d3a8a1c20238b3 Mon Sep 17 00:00:00 2001
+From: "Y.C. Chen" <yc_chen@aspeedtech.com>
+Date: Thu, 22 Nov 2018 11:56:28 +0800
+Subject: drm/ast: fixed reading monitor EDID not stable issue
+
+[ Upstream commit 300625620314194d9e6d4f6dda71f2dc9cf62d9f ]
+
+v1: over-sample data to increase the stability with some specific monitors
+v2: refine to avoid infinite loop
+v3: remove un-necessary "volatile" declaration
+
+[airlied: fix two checkpatch warnings]
+
+Signed-off-by: Y.C. Chen <yc_chen@aspeedtech.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1542858988-1127-1-git-send-email-yc_chen@aspeedtech.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/ast/ast_mode.c | 36 ++++++++++++++++++++++++++++------
+ 1 file changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/ast/ast_mode.c b/drivers/gpu/drm/ast/ast_mode.c
+index 57205016b04a..201874b96dd6 100644
+--- a/drivers/gpu/drm/ast/ast_mode.c
++++ b/drivers/gpu/drm/ast/ast_mode.c
+@@ -954,9 +954,21 @@ static int get_clock(void *i2c_priv)
+ {
+       struct ast_i2c_chan *i2c = i2c_priv;
+       struct ast_private *ast = i2c->dev->dev_private;
+-      uint32_t val;
++      uint32_t val, val2, count, pass;
++
++      count = 0;
++      pass = 0;
++      val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4) & 0x01;
++      do {
++              val2 = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4) & 0x01;
++              if (val == val2) {
++                      pass++;
++              } else {
++                      pass = 0;
++                      val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4) & 0x01;
++              }
++      } while ((pass < 5) && (count++ < 0x10000));
+-      val = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4;
+       return val & 1 ? 1 : 0;
+ }
+@@ -964,9 +976,21 @@ static int get_data(void *i2c_priv)
+ {
+       struct ast_i2c_chan *i2c = i2c_priv;
+       struct ast_private *ast = i2c->dev->dev_private;
+-      uint32_t val;
++      uint32_t val, val2, count, pass;
++
++      count = 0;
++      pass = 0;
++      val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5) & 0x01;
++      do {
++              val2 = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5) & 0x01;
++              if (val == val2) {
++                      pass++;
++              } else {
++                      pass = 0;
++                      val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5) & 0x01;
++              }
++      } while ((pass < 5) && (count++ < 0x10000));
+-      val = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5;
+       return val & 1 ? 1 : 0;
+ }
+@@ -979,7 +1003,7 @@ static void set_clock(void *i2c_priv, int clock)
+       for (i = 0; i < 0x10000; i++) {
+               ujcrb7 = ((clock & 0x01) ? 0 : 1);
+-              ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xfe, ujcrb7);
++              ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xf4, ujcrb7);
+               jtemp = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x01);
+               if (ujcrb7 == jtemp)
+                       break;
+@@ -995,7 +1019,7 @@ static void set_data(void *i2c_priv, int data)
+       for (i = 0; i < 0x10000; i++) {
+               ujcrb7 = ((data & 0x01) ? 0 : 1) << 2;
+-              ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xfb, ujcrb7);
++              ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xf1, ujcrb7);
+               jtemp = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x04);
+               if (ujcrb7 == jtemp)
+                       break;
+-- 
+2.19.1
+
diff --git a/queue-4.9/exportfs-do-not-read-dentry-after-free.patch b/queue-4.9/exportfs-do-not-read-dentry-after-free.patch
new file mode 100644 (file)
index 0000000..b8fda8b
--- /dev/null
@@ -0,0 +1,40 @@
+From 950e51a9e1b7422e5d1567f3424dd547d81f4a3e Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Fri, 23 Nov 2018 15:56:33 +0800
+Subject: exportfs: do not read dentry after free
+
+[ Upstream commit 2084ac6c505a58f7efdec13eba633c6aaa085ca5 ]
+
+The function dentry_connected calls dput(dentry) to drop the previously
+acquired reference to dentry. In this case, dentry can be released.
+After that, IS_ROOT(dentry) checks the condition
+(dentry == dentry->d_parent), which may result in a use-after-free bug.
+This patch directly compares dentry with its parent obtained before
+dropping the reference.
+
+Fixes: a056cc8934c("exportfs: stop retrying once we race with
+rename/remove")
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/exportfs/expfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/exportfs/expfs.c b/fs/exportfs/expfs.c
+index a4b531be9168..7a7bba7c2328 100644
+--- a/fs/exportfs/expfs.c
++++ b/fs/exportfs/expfs.c
+@@ -76,7 +76,7 @@ static bool dentry_connected(struct dentry *dentry)
+               struct dentry *parent = dget_parent(dentry);
+               dput(dentry);
+-              if (IS_ROOT(dentry)) {
++              if (dentry == parent) {
+                       dput(parent);
+                       return false;
+               }
+-- 
+2.19.1
+
diff --git a/queue-4.9/fscache-cachefiles-remove-redundant-variable-cache.patch b/queue-4.9/fscache-cachefiles-remove-redundant-variable-cache.patch
new file mode 100644 (file)
index 0000000..4fd48dd
--- /dev/null
@@ -0,0 +1,39 @@
+From 5e010d140f9dd87d399a995b2100aecb033b45f3 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Tue, 17 Jul 2018 09:53:42 +0100
+Subject: fscache, cachefiles: remove redundant variable 'cache'
+
+[ Upstream commit 31ffa563833576bd49a8bf53120568312755e6e2 ]
+
+Variable 'cache' is being assigned but is never used hence it is
+redundant and can be removed.
+
+Cleans up clang warning:
+warning: variable 'cache' set but not used [-Wunused-but-set-variable]
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cachefiles/rdwr.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/fs/cachefiles/rdwr.c b/fs/cachefiles/rdwr.c
+index 8d43306c038b..799b59d96fe2 100644
+--- a/fs/cachefiles/rdwr.c
++++ b/fs/cachefiles/rdwr.c
+@@ -969,11 +969,8 @@ int cachefiles_write_page(struct fscache_storage *op, struct page *page)
+ void cachefiles_uncache_page(struct fscache_object *_object, struct page *page)
+ {
+       struct cachefiles_object *object;
+-      struct cachefiles_cache *cache;
+       object = container_of(_object, struct cachefiles_object, fscache);
+-      cache = container_of(object->fscache.cache,
+-                           struct cachefiles_cache, cache);
+       _enter("%p,{%lu}", object, page->index);
+-- 
+2.19.1
+
diff --git a/queue-4.9/fscache-fix-race-between-enablement-and-dropping-of-.patch b/queue-4.9/fscache-fix-race-between-enablement-and-dropping-of-.patch
new file mode 100644 (file)
index 0000000..cdf24d4
--- /dev/null
@@ -0,0 +1,74 @@
+From a13e0b8a52e6eeff44a24ac089fba662fb210d24 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Fri, 26 Oct 2018 17:16:29 +1100
+Subject: fscache: fix race between enablement and dropping of object
+
+[ Upstream commit c5a94f434c82529afda290df3235e4d85873c5b4 ]
+
+It was observed that a process blocked indefintely in
+__fscache_read_or_alloc_page(), waiting for FSCACHE_COOKIE_LOOKING_UP
+to be cleared via fscache_wait_for_deferred_lookup().
+
+At this time, ->backing_objects was empty, which would normaly prevent
+__fscache_read_or_alloc_page() from getting to the point of waiting.
+This implies that ->backing_objects was cleared *after*
+__fscache_read_or_alloc_page was was entered.
+
+When an object is "killed" and then "dropped",
+FSCACHE_COOKIE_LOOKING_UP is cleared in fscache_lookup_failure(), then
+KILL_OBJECT and DROP_OBJECT are "called" and only in DROP_OBJECT is
+->backing_objects cleared.  This leaves a window where
+something else can set FSCACHE_COOKIE_LOOKING_UP and
+__fscache_read_or_alloc_page() can start waiting, before
+->backing_objects is cleared
+
+There is some uncertainty in this analysis, but it seems to be fit the
+observations.  Adding the wake in this patch will be handled correctly
+by __fscache_read_or_alloc_page(), as it checks if ->backing_objects
+is empty again, after waiting.
+
+Customer which reported the hang, also report that the hang cannot be
+reproduced with this fix.
+
+The backtrace for the blocked process looked like:
+
+PID: 29360  TASK: ffff881ff2ac0f80  CPU: 3   COMMAND: "zsh"
+ #0 [ffff881ff43efbf8] schedule at ffffffff815e56f1
+ #1 [ffff881ff43efc58] bit_wait at ffffffff815e64ed
+ #2 [ffff881ff43efc68] __wait_on_bit at ffffffff815e61b8
+ #3 [ffff881ff43efca0] out_of_line_wait_on_bit at ffffffff815e625e
+ #4 [ffff881ff43efd08] fscache_wait_for_deferred_lookup at ffffffffa04f2e8f [fscache]
+ #5 [ffff881ff43efd18] __fscache_read_or_alloc_page at ffffffffa04f2ffe [fscache]
+ #6 [ffff881ff43efd58] __nfs_readpage_from_fscache at ffffffffa0679668 [nfs]
+ #7 [ffff881ff43efd78] nfs_readpage at ffffffffa067092b [nfs]
+ #8 [ffff881ff43efda0] generic_file_read_iter at ffffffff81187a73
+ #9 [ffff881ff43efe50] nfs_file_read at ffffffffa066544b [nfs]
+#10 [ffff881ff43efe70] __vfs_read at ffffffff811fc756
+#11 [ffff881ff43efee8] vfs_read at ffffffff811fccfa
+#12 [ffff881ff43eff18] sys_read at ffffffff811fda62
+#13 [ffff881ff43eff50] entry_SYSCALL_64_fastpath at ffffffff815e986e
+
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fscache/object.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/fscache/object.c b/fs/fscache/object.c
+index 7a182c87f378..ab1d7f35f6c2 100644
+--- a/fs/fscache/object.c
++++ b/fs/fscache/object.c
+@@ -715,6 +715,9 @@ static const struct fscache_state *fscache_drop_object(struct fscache_object *ob
+       if (awaken)
+               wake_up_bit(&cookie->flags, FSCACHE_COOKIE_INVALIDATING);
++      if (test_and_clear_bit(FSCACHE_COOKIE_LOOKING_UP, &cookie->flags))
++              wake_up_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP);
++
+       /* Prevent a race with our last child, which has to signal EV_CLEARED
+        * before dropping our spinlock.
+-- 
+2.19.1
+
diff --git a/queue-4.9/hfs-do-not-free-node-before-using.patch b/queue-4.9/hfs-do-not-free-node-before-using.patch
new file mode 100644 (file)
index 0000000..80d8eb3
--- /dev/null
@@ -0,0 +1,49 @@
+From 9e20841da546bad1d1b976ea5f15fa5987ed3982 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Fri, 30 Nov 2018 14:09:14 -0800
+Subject: hfs: do not free node before using
+
+[ Upstream commit ce96a407adef126870b3f4a1b73529dd8aa80f49 ]
+
+hfs_bmap_free() frees the node via hfs_bnode_put(node).  However, it
+then reads node->this when dumping error message on an error path, which
+may result in a use-after-free bug.  This patch frees the node only when
+it is never again used.
+
+Link: http://lkml.kernel.org/r/1542963889-128825-1-git-send-email-bianpan2016@163.com
+Fixes: a1185ffa2fc ("HFS rewrite")
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Joe Perches <joe@perches.com>
+Cc: Ernesto A. Fernandez <ernesto.mnd.fernandez@gmail.com>
+Cc: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/btree.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c
+index 37cdd955eceb..320f4372f172 100644
+--- a/fs/hfs/btree.c
++++ b/fs/hfs/btree.c
+@@ -328,13 +328,14 @@ void hfs_bmap_free(struct hfs_bnode *node)
+               nidx -= len * 8;
+               i = node->next;
+-              hfs_bnode_put(node);
+               if (!i) {
+                       /* panic */;
+                       pr_crit("unable to free bnode %u. bmap not found!\n",
+                               node->this);
++                      hfs_bnode_put(node);
+                       return;
+               }
++              hfs_bnode_put(node);
+               node = hfs_bnode_find(tree, i);
+               if (IS_ERR(node))
+                       return;
+-- 
+2.19.1
+
diff --git a/queue-4.9/hfsplus-do-not-free-node-before-using.patch b/queue-4.9/hfsplus-do-not-free-node-before-using.patch
new file mode 100644 (file)
index 0000000..1c9368f
--- /dev/null
@@ -0,0 +1,49 @@
+From 35598283f79dab8e3c73f78676f2c240d566d589 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Fri, 30 Nov 2018 14:09:18 -0800
+Subject: hfsplus: do not free node before using
+
+[ Upstream commit c7d7d620dcbd2a1c595092280ca943f2fced7bbd ]
+
+hfs_bmap_free() frees node via hfs_bnode_put(node).  However it then
+reads node->this when dumping error message on an error path, which may
+result in a use-after-free bug.  This patch frees node only when it is
+never used.
+
+Link: http://lkml.kernel.org/r/1543053441-66942-1-git-send-email-bianpan2016@163.com
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Ernesto A. Fernandez <ernesto.mnd.fernandez@gmail.com>
+Cc: Joe Perches <joe@perches.com>
+Cc: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/btree.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
+index d9d1a36ba826..8d2256454efe 100644
+--- a/fs/hfsplus/btree.c
++++ b/fs/hfsplus/btree.c
+@@ -453,14 +453,15 @@ void hfs_bmap_free(struct hfs_bnode *node)
+               nidx -= len * 8;
+               i = node->next;
+-              hfs_bnode_put(node);
+               if (!i) {
+                       /* panic */;
+                       pr_crit("unable to free bnode %u. "
+                                       "bmap not found!\n",
+                               node->this);
++                      hfs_bnode_put(node);
+                       return;
+               }
++              hfs_bnode_put(node);
+               node = hfs_bnode_find(tree, i);
+               if (IS_ERR(node))
+                       return;
+-- 
+2.19.1
+
diff --git a/queue-4.9/hwmon-ina2xx-fix-current-value-calculation.patch b/queue-4.9/hwmon-ina2xx-fix-current-value-calculation.patch
new file mode 100644 (file)
index 0000000..0b38816
--- /dev/null
@@ -0,0 +1,39 @@
+From 3b870aae4955cd740f398b078f018edb05d8c8f7 Mon Sep 17 00:00:00 2001
+From: Nicolin Chen <nicoleotsuka@gmail.com>
+Date: Tue, 13 Nov 2018 19:48:54 -0800
+Subject: hwmon: (ina2xx) Fix current value calculation
+
+[ Upstream commit 38cd989ee38c16388cde89db5b734f9d55b905f9 ]
+
+The current register (04h) has a sign bit at MSB. The comments
+for this calculation also mention that it's a signed register.
+
+However, the regval is unsigned type so result of calculation
+turns out to be an incorrect value when current is negative.
+
+This patch simply fixes this by adding a casting to s16.
+
+Fixes: 5d389b125186c ("hwmon: (ina2xx) Make calibration register value fixed")
+Signed-off-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/ina2xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/ina2xx.c b/drivers/hwmon/ina2xx.c
+index 9ac6e1673375..1f291b344178 100644
+--- a/drivers/hwmon/ina2xx.c
++++ b/drivers/hwmon/ina2xx.c
+@@ -273,7 +273,7 @@ static int ina2xx_get_value(struct ina2xx_data *data, u8 reg,
+               break;
+       case INA2XX_CURRENT:
+               /* signed register, result in mA */
+-              val = regval * data->current_lsb_uA;
++              val = (s16)regval * data->current_lsb_uA;
+               val = DIV_ROUND_CLOSEST(val, 1000);
+               break;
+       case INA2XX_CALIBRATION:
+-- 
+2.19.1
+
diff --git a/queue-4.9/hwmon-w83795-temp4_type-has-writable-permission.patch b/queue-4.9/hwmon-w83795-temp4_type-has-writable-permission.patch
new file mode 100644 (file)
index 0000000..2908d13
--- /dev/null
@@ -0,0 +1,35 @@
+From 3b6c2be027fb75a13a0da40703cf00ac5083fafe Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Thu, 15 Nov 2018 10:44:57 +0800
+Subject: hwmon: (w83795) temp4_type has writable permission
+
+[ Upstream commit 09aaf6813cfca4c18034fda7a43e68763f34abb1 ]
+
+Both datasheet and comments of store_temp_mode() tell us that temp1~4_type
+is writable, so fix it.
+
+Signed-off-by: Yao Wang <wangyao@lemote.com>
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Fixes: 39deb6993e7c (" hwmon: (w83795) Simplify temperature sensor type handling")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/w83795.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/w83795.c b/drivers/hwmon/w83795.c
+index 49276bbdac3d..1bb80f992aa8 100644
+--- a/drivers/hwmon/w83795.c
++++ b/drivers/hwmon/w83795.c
+@@ -1691,7 +1691,7 @@ store_sf_setup(struct device *dev, struct device_attribute *attr,
+  * somewhere else in the code
+  */
+ #define SENSOR_ATTR_TEMP(index) {                                     \
+-      SENSOR_ATTR_2(temp##index##_type, S_IRUGO | (index < 4 ? S_IWUSR : 0), \
++      SENSOR_ATTR_2(temp##index##_type, S_IRUGO | (index < 5 ? S_IWUSR : 0), \
+               show_temp_mode, store_temp_mode, NOT_USED, index - 1),  \
+       SENSOR_ATTR_2(temp##index##_input, S_IRUGO, show_temp,          \
+               NULL, TEMP_READ, index - 1),                            \
+-- 
+2.19.1
+
diff --git a/queue-4.9/igb-fix-uninitialized-variables.patch b/queue-4.9/igb-fix-uninitialized-variables.patch
new file mode 100644 (file)
index 0000000..3809306
--- /dev/null
@@ -0,0 +1,32 @@
+From e8f9283a4b171219473fb503aad91519f2b766d8 Mon Sep 17 00:00:00 2001
+From: Yunjian Wang <wangyunjian@huawei.com>
+Date: Tue, 6 Nov 2018 16:27:12 +0800
+Subject: igb: fix uninitialized variables
+
+[ Upstream commit e4c39f7926b4de355f7df75651d75003806aae09 ]
+
+This patch fixes the variable 'phy_word' may be used uninitialized.
+
+Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/e1000_i210.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/e1000_i210.c b/drivers/net/ethernet/intel/igb/e1000_i210.c
+index 07d48f2e3369..6766081f5ab9 100644
+--- a/drivers/net/ethernet/intel/igb/e1000_i210.c
++++ b/drivers/net/ethernet/intel/igb/e1000_i210.c
+@@ -862,6 +862,7 @@ s32 igb_pll_workaround_i210(struct e1000_hw *hw)
+               nvm_word = E1000_INVM_DEFAULT_AL;
+       tmp_nvm = nvm_word | E1000_INVM_PLL_WO_VAL;
+       igb_write_phy_reg_82580(hw, I347AT4_PAGE_SELECT, E1000_PHY_PLL_FREQ_PAGE);
++      phy_word = E1000_PHY_PLL_UNCONF;
+       for (i = 0; i < E1000_MAX_PLL_TRIES; i++) {
+               /* check current state directly from internal PHY */
+               igb_read_phy_reg_82580(hw, E1000_PHY_PLL_FREQ_REG, &phy_word);
+-- 
+2.19.1
+
diff --git a/queue-4.9/ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch b/queue-4.9/ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch
new file mode 100644 (file)
index 0000000..04782cb
--- /dev/null
@@ -0,0 +1,57 @@
+From 41ba66694ca775a147a8475b2e58bba0bd917956 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Thu, 15 Nov 2018 15:14:30 +0800
+Subject: ipvs: call ip_vs_dst_notifier earlier than ipv6_dev_notf
+
+[ Upstream commit 2a31e4bd9ad255ee40809b5c798c4b1c2b09703b ]
+
+ip_vs_dst_event is supposed to clean up all dst used in ipvs'
+destinations when a net dev is going down. But it works only
+when the dst's dev is the same as the dev from the event.
+
+Now with the same priority but late registration,
+ip_vs_dst_notifier is always called later than ipv6_dev_notf
+where the dst's dev is set to lo for NETDEV_DOWN event.
+
+As the dst's dev lo is not the same as the dev from the event
+in ip_vs_dst_event, ip_vs_dst_notifier doesn't actually work.
+Also as these dst have to wait for dest_trash_timer to clean
+them up. It would cause some non-permanent kernel warnings:
+
+  unregister_netdevice: waiting for br0 to become free. Usage count = 3
+
+To fix it, call ip_vs_dst_notifier earlier than ipv6_dev_notf
+by increasing its priority to ADDRCONF_NOTIFY_PRIORITY + 5.
+
+Note that for ipv4 route fib_netdev_notifier doesn't set dst's
+dev to lo in NETDEV_DOWN event, so this fix is only needed when
+IP_VS_IPV6 is defined.
+
+Fixes: 7a4f0761fce3 ("IPVS: init and cleanup restructuring")
+Reported-by: Li Shuang <shuali@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 079b3c426720..8382b7880b24 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -4013,6 +4013,9 @@ static void __net_exit ip_vs_control_net_cleanup_sysctl(struct netns_ipvs *ipvs)
+ static struct notifier_block ip_vs_dst_notifier = {
+       .notifier_call = ip_vs_dst_event,
++#ifdef CONFIG_IP_VS_IPV6
++      .priority = ADDRCONF_NOTIFY_PRIORITY + 5,
++#endif
+ };
+ int __net_init ip_vs_control_net_init(struct netns_ipvs *ipvs)
+-- 
+2.19.1
+
diff --git a/queue-4.9/ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch b/queue-4.9/ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch
new file mode 100644 (file)
index 0000000..864244c
--- /dev/null
@@ -0,0 +1,43 @@
+From 2edbd15d68fd35690f5c589e38b07400629ab172 Mon Sep 17 00:00:00 2001
+From: Josh Elsasser <jelsasser@appneta.com>
+Date: Sat, 24 Nov 2018 12:57:33 -0800
+Subject: ixgbe: recognize 1000BaseLX SFP modules as 1Gbps
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit a8bf879af7b1999eba36303ce9cc60e0e7dd816c ]
+
+Add the two 1000BaseLX enum values to the X550's check for 1Gbps modules,
+allowing the core driver code to establish a link over this SFP type.
+
+This is done by the out-of-tree driver but the fix wasn't in mainline.
+
+Fixes: e23f33367882 ("ixgbe: Fix 1G and 10G link stability for X550EM_x SFP+”)
+Fixes: 6a14ee0cfb19 ("ixgbe: Add X550 support function pointers")
+Signed-off-by: Josh Elsasser <jelsasser@appneta.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
+index 77a60aa5dc7e..8466f3874a28 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
+@@ -1702,7 +1702,9 @@ static s32 ixgbe_get_link_capabilities_X550em(struct ixgbe_hw *hw,
+               *autoneg = false;
+               if (hw->phy.sfp_type == ixgbe_sfp_type_1g_sx_core0 ||
+-                  hw->phy.sfp_type == ixgbe_sfp_type_1g_sx_core1) {
++                  hw->phy.sfp_type == ixgbe_sfp_type_1g_sx_core1 ||
++                  hw->phy.sfp_type == ixgbe_sfp_type_1g_lx_core0 ||
++                  hw->phy.sfp_type == ixgbe_sfp_type_1g_lx_core1) {
+                       *speed = IXGBE_LINK_SPEED_1GB_FULL;
+                       return 0;
+               }
+-- 
+2.19.1
+
diff --git a/queue-4.9/kvm-x86-fix-empty-body-warnings.patch b/queue-4.9/kvm-x86-fix-empty-body-warnings.patch
new file mode 100644 (file)
index 0000000..9a8c1d4
--- /dev/null
@@ -0,0 +1,43 @@
+From 0b1b5ef4244e3ddfb03a84ac418f5c28bb7023cc Mon Sep 17 00:00:00 2001
+From: Yi Wang <wang.yi59@zte.com.cn>
+Date: Thu, 8 Nov 2018 16:48:36 +0800
+Subject: KVM: x86: fix empty-body warnings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 354cb410d87314e2eda344feea84809e4261570a ]
+
+We get the following warnings about empty statements when building
+with 'W=1':
+
+arch/x86/kvm/lapic.c:632:53: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+arch/x86/kvm/lapic.c:1907:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+arch/x86/kvm/lapic.c:1936:65: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+arch/x86/kvm/lapic.c:1975:44: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+
+Rework the debug helper macro to get rid of these warnings.
+
+Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/lapic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
+index 69a81a7daa24..c8630569e392 100644
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -57,7 +57,7 @@
+ #define APIC_BUS_CYCLE_NS 1
+ /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
+-#define apic_debug(fmt, arg...)
++#define apic_debug(fmt, arg...) do {} while (0)
+ /* 14 is the version for Xeon and Pentium 8.4.8*/
+ #define APIC_VERSION                  (0x14UL | ((KVM_APIC_LVT_NUM - 1) << 16))
+-- 
+2.19.1
+
diff --git a/queue-4.9/net-hisilicon-remove-unexpected-free_netdev.patch b/queue-4.9/net-hisilicon-remove-unexpected-free_netdev.patch
new file mode 100644 (file)
index 0000000..3fb9aed
--- /dev/null
@@ -0,0 +1,37 @@
+From ca1b7aac9eb0bcc2a9bd7a3c4af771202a5767ae Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Wed, 28 Nov 2018 15:30:24 +0800
+Subject: net: hisilicon: remove unexpected free_netdev
+
+[ Upstream commit c758940158bf29fe14e9d0f89d5848f227b48134 ]
+
+The net device ndev is freed via free_netdev when failing to register
+the device. The control flow then jumps to the error handling code
+block. ndev is used and freed again. Resulting in a use-after-free bug.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hip04_eth.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c
+index 39778892b3b3..b5d18d95d7b9 100644
+--- a/drivers/net/ethernet/hisilicon/hip04_eth.c
++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c
+@@ -922,10 +922,8 @@ static int hip04_mac_probe(struct platform_device *pdev)
+       }
+       ret = register_netdev(ndev);
+-      if (ret) {
+-              free_netdev(ndev);
++      if (ret)
+               goto alloc_fail;
+-      }
+       return 0;
+-- 
+2.19.1
+
diff --git a/queue-4.9/net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch b/queue-4.9/net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch
new file mode 100644 (file)
index 0000000..ef4a936
--- /dev/null
@@ -0,0 +1,82 @@
+From f6416d12ab1df085dfd6b93eb36cc999c84febff Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Mon, 26 Nov 2018 15:07:16 +0100
+Subject: net: thunderx: fix NULL pointer dereference in nic_remove
+
+[ Upstream commit 24a6d2dd263bc910de018c78d1148b3e33b94512 ]
+
+Fix a possible NULL pointer dereference in nic_remove routine
+removing the nicpf module if nic_probe fails.
+The issue can be triggered with the following reproducer:
+
+$rmmod nicvf
+$rmmod nicpf
+
+[  521.412008] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000014
+[  521.422777] Mem abort info:
+[  521.425561]   ESR = 0x96000004
+[  521.428624]   Exception class = DABT (current EL), IL = 32 bits
+[  521.434535]   SET = 0, FnV = 0
+[  521.437579]   EA = 0, S1PTW = 0
+[  521.440730] Data abort info:
+[  521.443603]   ISV = 0, ISS = 0x00000004
+[  521.447431]   CM = 0, WnR = 0
+[  521.450417] user pgtable: 4k pages, 48-bit VAs, pgdp = 0000000072a3da42
+[  521.457022] [0000000000000014] pgd=0000000000000000
+[  521.461916] Internal error: Oops: 96000004 [#1] SMP
+[  521.511801] Hardware name: GIGABYTE H270-T70/MT70-HD0, BIOS T49 02/02/2018
+[  521.518664] pstate: 80400005 (Nzcv daif +PAN -UAO)
+[  521.523451] pc : nic_remove+0x24/0x88 [nicpf]
+[  521.527808] lr : pci_device_remove+0x48/0xd8
+[  521.532066] sp : ffff000013433cc0
+[  521.535370] x29: ffff000013433cc0 x28: ffff810f6ac50000
+[  521.540672] x27: 0000000000000000 x26: 0000000000000000
+[  521.545974] x25: 0000000056000000 x24: 0000000000000015
+[  521.551274] x23: ffff8007ff89a110 x22: ffff000001667070
+[  521.556576] x21: ffff8007ffb170b0 x20: ffff8007ffb17000
+[  521.561877] x19: 0000000000000000 x18: 0000000000000025
+[  521.567178] x17: 0000000000000000 x16: 000000000000010ffc33ff98 x8 : 0000000000000000
+[  521.593683] x7 : 0000000000000000 x6 : 0000000000000001
+[  521.598983] x5 : 0000000000000002 x4 : 0000000000000003
+[  521.604284] x3 : ffff8007ffb17184 x2 : ffff8007ffb17184
+[  521.609585] x1 : ffff000001662118 x0 : ffff000008557be0
+[  521.614887] Process rmmod (pid: 1897, stack limit = 0x00000000859535c3)
+[  521.621490] Call trace:
+[  521.623928]  nic_remove+0x24/0x88 [nicpf]
+[  521.627927]  pci_device_remove+0x48/0xd8
+[  521.631847]  device_release_driver_internal+0x1b0/0x248
+[  521.637062]  driver_detach+0x50/0xc0
+[  521.640628]  bus_remove_driver+0x60/0x100
+[  521.644627]  driver_unregister+0x34/0x60
+[  521.648538]  pci_unregister_driver+0x24/0xd8
+[  521.652798]  nic_cleanup_module+0x14/0x111c [nicpf]
+[  521.657672]  __arm64_sys_delete_module+0x150/0x218
+[  521.662460]  el0_svc_handler+0x94/0x110
+[  521.666287]  el0_svc+0x8/0xc
+[  521.669160] Code: aa1e03e0 9102c295 d503201f f9404eb3 (b9401660)
+
+Fixes: 4863dea3fab0 ("net: Adding support for Cavium ThunderX network controller")
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/thunder/nic_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/nic_main.c b/drivers/net/ethernet/cavium/thunder/nic_main.c
+index 6677b96e1f3f..da142f6bd0c3 100644
+--- a/drivers/net/ethernet/cavium/thunder/nic_main.c
++++ b/drivers/net/ethernet/cavium/thunder/nic_main.c
+@@ -1371,6 +1371,9 @@ static void nic_remove(struct pci_dev *pdev)
+ {
+       struct nicpf *nic = pci_get_drvdata(pdev);
++      if (!nic)
++              return;
++
+       if (nic->flags & NIC_SRIOV_ENABLED)
+               pci_disable_sriov(pdev);
+-- 
+2.19.1
+
diff --git a/queue-4.9/objtool-fix-double-free-in-.cold-detection-error-pat.patch b/queue-4.9/objtool-fix-double-free-in-.cold-detection-error-pat.patch
new file mode 100644 (file)
index 0000000..4783306
--- /dev/null
@@ -0,0 +1,42 @@
+From 63163084ec60bfde6a0942039b6b2ff43c41ae3d Mon Sep 17 00:00:00 2001
+From: Artem Savkov <asavkov@redhat.com>
+Date: Tue, 20 Nov 2018 11:52:15 -0600
+Subject: objtool: Fix double-free in .cold detection error path
+
+[ Upstream commit 0b9301fb632f7111a3293a30cc5b20f1b82ed08d ]
+
+If read_symbols() fails during second list traversal (the one dealing
+with ".cold" subfunctions) it frees the symbol, but never deletes it
+from the list/hash_table resulting in symbol being freed again in
+elf_close(). Fix it by just returning an error, leaving cleanup to
+elf_close().
+
+Signed-off-by: Artem Savkov <asavkov@redhat.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 13810435b9a7 ("objtool: Support GCC 8's cold subfunctions")
+Link: http://lkml.kernel.org/r/beac5a9b7da9e8be90223459dcbe07766ae437dd.1542736240.git.jpoimboe@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/objtool/elf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c
+index 0d1acb704f64..3616d626991e 100644
+--- a/tools/objtool/elf.c
++++ b/tools/objtool/elf.c
+@@ -312,7 +312,7 @@ static int read_symbols(struct elf *elf)
+                       if (!pfunc) {
+                               WARN("%s(): can't find parent function",
+                                    sym->name);
+-                              goto err;
++                              return -1;
+                       }
+                       sym->pfunc = pfunc;
+-- 
+2.19.1
+
diff --git a/queue-4.9/objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch b/queue-4.9/objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch
new file mode 100644 (file)
index 0000000..642d97e
--- /dev/null
@@ -0,0 +1,76 @@
+From 458892705d029b1a90a3d1fea9c89a1e041cfabc Mon Sep 17 00:00:00 2001
+From: Artem Savkov <asavkov@redhat.com>
+Date: Tue, 20 Nov 2018 11:52:16 -0600
+Subject: objtool: Fix segfault in .cold detection with -ffunction-sections
+
+[ Upstream commit 22566c1603030f0a036ad564634b064ad1a55db2 ]
+
+Because find_symbol_by_name() traverses the same lists as
+read_symbols(), changing sym->name in place without copying it affects
+the result of find_symbol_by_name().  In the case where a ".cold"
+function precedes its parent in sec->symbol_list, it can result in a
+function being considered a parent of itself. This leads to function
+length being set to 0 and other consequent side-effects including a
+segfault in add_switch_table().  The effects of this bug are only
+visible when building with -ffunction-sections in KCFLAGS.
+
+Fix by copying the search string instead of modifying it in place.
+
+Signed-off-by: Artem Savkov <asavkov@redhat.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 13810435b9a7 ("objtool: Support GCC 8's cold subfunctions")
+Link: http://lkml.kernel.org/r/910abd6b5a4945130fd44f787c24e07b9e07c8da.1542736240.git.jpoimboe@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/objtool/elf.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c
+index 3616d626991e..dd4ed7c3c062 100644
+--- a/tools/objtool/elf.c
++++ b/tools/objtool/elf.c
+@@ -31,6 +31,8 @@
+ #include "elf.h"
+ #include "warn.h"
++#define MAX_NAME_LEN 128
++
+ struct section *find_section_by_name(struct elf *elf, const char *name)
+ {
+       struct section *sec;
+@@ -298,6 +300,8 @@ static int read_symbols(struct elf *elf)
+       /* Create parent/child links for any cold subfunctions */
+       list_for_each_entry(sec, &elf->sections, list) {
+               list_for_each_entry(sym, &sec->symbol_list, list) {
++                      char pname[MAX_NAME_LEN + 1];
++                      size_t pnamelen;
+                       if (sym->type != STT_FUNC)
+                               continue;
+                       sym->pfunc = sym->cfunc = sym;
+@@ -305,9 +309,16 @@ static int read_symbols(struct elf *elf)
+                       if (!coldstr)
+                               continue;
+-                      coldstr[0] = '\0';
+-                      pfunc = find_symbol_by_name(elf, sym->name);
+-                      coldstr[0] = '.';
++                      pnamelen = coldstr - sym->name;
++                      if (pnamelen > MAX_NAME_LEN) {
++                              WARN("%s(): parent function name exceeds maximum length of %d characters",
++                                   sym->name, MAX_NAME_LEN);
++                              return -1;
++                      }
++
++                      strncpy(pname, sym->name, pnamelen);
++                      pname[pnamelen] = '\0';
++                      pfunc = find_symbol_by_name(elf, pname);
+                       if (!pfunc) {
+                               WARN("%s(): can't find parent function",
+-- 
+2.19.1
+
diff --git a/queue-4.9/ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch b/queue-4.9/ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch
new file mode 100644 (file)
index 0000000..4507373
--- /dev/null
@@ -0,0 +1,147 @@
+From fea3cae39d7071c977be805f05c36feef17a788b Mon Sep 17 00:00:00 2001
+From: Larry Chen <lchen@suse.com>
+Date: Fri, 30 Nov 2018 14:08:56 -0800
+Subject: ocfs2: fix deadlock caused by ocfs2_defrag_extent()
+
+[ Upstream commit e21e57445a64598b29a6f629688f9b9a39e7242a ]
+
+ocfs2_defrag_extent may fall into deadlock.
+
+ocfs2_ioctl_move_extents
+    ocfs2_ioctl_move_extents
+      ocfs2_move_extents
+        ocfs2_defrag_extent
+          ocfs2_lock_allocators_move_extents
+
+            ocfs2_reserve_clusters
+              inode_lock GLOBAL_BITMAP_SYSTEM_INODE
+
+         __ocfs2_flush_truncate_log
+              inode_lock GLOBAL_BITMAP_SYSTEM_INODE
+
+As backtrace shows above, ocfs2_reserve_clusters() will call inode_lock
+against the global bitmap if local allocator has not sufficient cluters.
+Once global bitmap could meet the demand, ocfs2_reserve_cluster will
+return success with global bitmap locked.
+
+After ocfs2_reserve_cluster(), if truncate log is full,
+__ocfs2_flush_truncate_log() will definitely fall into deadlock because
+it needs to inode_lock global bitmap, which has already been locked.
+
+To fix this bug, we could remove from
+ocfs2_lock_allocators_move_extents() the code which intends to lock
+global allocator, and put the removed code after
+__ocfs2_flush_truncate_log().
+
+ocfs2_lock_allocators_move_extents() is referred by 2 places, one is
+here, the other does not need the data allocator context, which means
+this patch does not affect the caller so far.
+
+Link: http://lkml.kernel.org/r/20181101071422.14470-1-lchen@suse.com
+Signed-off-by: Larry Chen <lchen@suse.com>
+Reviewed-by: Changwei Ge <ge.changwei@h3c.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/move_extents.c | 47 +++++++++++++++++++++++------------------
+ 1 file changed, 26 insertions(+), 21 deletions(-)
+
+diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
+index 4e8f32eb0bdb..c179afd0051a 100644
+--- a/fs/ocfs2/move_extents.c
++++ b/fs/ocfs2/move_extents.c
+@@ -156,18 +156,14 @@ static int __ocfs2_move_extent(handle_t *handle,
+ }
+ /*
+- * lock allocators, and reserving appropriate number of bits for
+- * meta blocks and data clusters.
+- *
+- * in some cases, we don't need to reserve clusters, just let data_ac
+- * be NULL.
++ * lock allocator, and reserve appropriate number of bits for
++ * meta blocks.
+  */
+-static int ocfs2_lock_allocators_move_extents(struct inode *inode,
++static int ocfs2_lock_meta_allocator_move_extents(struct inode *inode,
+                                       struct ocfs2_extent_tree *et,
+                                       u32 clusters_to_move,
+                                       u32 extents_to_split,
+                                       struct ocfs2_alloc_context **meta_ac,
+-                                      struct ocfs2_alloc_context **data_ac,
+                                       int extra_blocks,
+                                       int *credits)
+ {
+@@ -192,13 +188,6 @@ static int ocfs2_lock_allocators_move_extents(struct inode *inode,
+               goto out;
+       }
+-      if (data_ac) {
+-              ret = ocfs2_reserve_clusters(osb, clusters_to_move, data_ac);
+-              if (ret) {
+-                      mlog_errno(ret);
+-                      goto out;
+-              }
+-      }
+       *credits += ocfs2_calc_extend_credits(osb->sb, et->et_root_el);
+@@ -260,10 +249,10 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context,
+               }
+       }
+-      ret = ocfs2_lock_allocators_move_extents(inode, &context->et, *len, 1,
+-                                               &context->meta_ac,
+-                                               &context->data_ac,
+-                                               extra_blocks, &credits);
++      ret = ocfs2_lock_meta_allocator_move_extents(inode, &context->et,
++                                              *len, 1,
++                                              &context->meta_ac,
++                                              extra_blocks, &credits);
+       if (ret) {
+               mlog_errno(ret);
+               goto out;
+@@ -286,6 +275,21 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context,
+               }
+       }
++      /*
++       * Make sure ocfs2_reserve_cluster is called after
++       * __ocfs2_flush_truncate_log, otherwise, dead lock may happen.
++       *
++       * If ocfs2_reserve_cluster is called
++       * before __ocfs2_flush_truncate_log, dead lock on global bitmap
++       * may happen.
++       *
++       */
++      ret = ocfs2_reserve_clusters(osb, *len, &context->data_ac);
++      if (ret) {
++              mlog_errno(ret);
++              goto out_unlock_mutex;
++      }
++
+       handle = ocfs2_start_trans(osb, credits);
+       if (IS_ERR(handle)) {
+               ret = PTR_ERR(handle);
+@@ -606,9 +610,10 @@ static int ocfs2_move_extent(struct ocfs2_move_extents_context *context,
+               }
+       }
+-      ret = ocfs2_lock_allocators_move_extents(inode, &context->et, len, 1,
+-                                               &context->meta_ac,
+-                                               NULL, extra_blocks, &credits);
++      ret = ocfs2_lock_meta_allocator_move_extents(inode, &context->et,
++                                              len, 1,
++                                              &context->meta_ac,
++                                              extra_blocks, &credits);
+       if (ret) {
+               mlog_errno(ret);
+               goto out;
+-- 
+2.19.1
+
diff --git a/queue-4.9/ocfs2-fix-potential-use-after-free.patch b/queue-4.9/ocfs2-fix-potential-use-after-free.patch
new file mode 100644 (file)
index 0000000..00c7039
--- /dev/null
@@ -0,0 +1,47 @@
+From a5ccdc9d1f0f9605b3f4ec8516494cf025edfbbf Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Fri, 30 Nov 2018 14:10:54 -0800
+Subject: ocfs2: fix potential use after free
+
+[ Upstream commit 164f7e586739d07eb56af6f6d66acebb11f315c8 ]
+
+ocfs2_get_dentry() calls iput(inode) to drop the reference count of
+inode, and if the reference count hits 0, inode is freed.  However, in
+this function, it then reads inode->i_generation, which may result in a
+use after free bug.  Move the put operation later.
+
+Link: http://lkml.kernel.org/r/1543109237-110227-1-git-send-email-bianpan2016@163.com
+Fixes: 781f200cb7a("ocfs2: Remove masklog ML_EXPORT.")
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Changwei Ge <ge.changwei@h3c.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/export.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ocfs2/export.c b/fs/ocfs2/export.c
+index 827fc9809bc2..3494e220b510 100644
+--- a/fs/ocfs2/export.c
++++ b/fs/ocfs2/export.c
+@@ -125,10 +125,10 @@ static struct dentry *ocfs2_get_dentry(struct super_block *sb,
+ check_gen:
+       if (handle->ih_generation != inode->i_generation) {
+-              iput(inode);
+               trace_ocfs2_get_dentry_generation((unsigned long long)blkno,
+                                                 handle->ih_generation,
+                                                 inode->i_generation);
++              iput(inode);
+               result = ERR_PTR(-ESTALE);
+               goto bail;
+       }
+-- 
+2.19.1
+
diff --git a/queue-4.9/pstore-convert-console-write-to-use-write_buf.patch b/queue-4.9/pstore-convert-console-write-to-use-write_buf.patch
new file mode 100644 (file)
index 0000000..ad81e8a
--- /dev/null
@@ -0,0 +1,42 @@
+From 0c04812aeb1a2ea1248ed5c822099c80dd47a847 Mon Sep 17 00:00:00 2001
+From: Namhyung Kim <namhyung@kernel.org>
+Date: Wed, 19 Oct 2016 10:23:41 +0900
+Subject: pstore: Convert console write to use ->write_buf
+
+[ Upstream commit 70ad35db3321a6d129245979de4ac9d06eed897c ]
+
+Maybe I'm missing something, but I don't know why it needs to copy the
+input buffer to psinfo->buf and then write.  Instead we can write the
+input buffer directly.  The only implementation that supports console
+message (i.e. ramoops) already does it for ftrace messages.
+
+For the upcoming virtio backend driver, it needs to protect psinfo->buf
+overwritten from console messages.  If it could use ->write_buf method
+instead of ->write, the problem will be solved easily.
+
+Cc: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/pstore/platform.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/pstore/platform.c b/fs/pstore/platform.c
+index 43033a3d66d5..2434bffbc6dd 100644
+--- a/fs/pstore/platform.c
++++ b/fs/pstore/platform.c
+@@ -584,8 +584,8 @@ static void pstore_console_write(struct console *con, const char *s, unsigned c)
+               } else {
+                       spin_lock_irqsave(&psinfo->buf_lock, flags);
+               }
+-              memcpy(psinfo->buf, s, c);
+-              psinfo->write(PSTORE_TYPE_CONSOLE, 0, &id, 0, 0, 0, c, psinfo);
++              psinfo->write_buf(PSTORE_TYPE_CONSOLE, 0, &id, 0,
++                                s, 0, c, psinfo);
+               spin_unlock_irqrestore(&psinfo->buf_lock, flags);
+               s += c;
+               c = e - s;
+-- 
+2.19.1
+
diff --git a/queue-4.9/rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch b/queue-4.9/rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch
new file mode 100644 (file)
index 0000000..d592a9d
--- /dev/null
@@ -0,0 +1,67 @@
+From c0e56ea253ea3107c5fa581900789262d06f02a2 Mon Sep 17 00:00:00 2001
+From: Majd Dibbiny <majd@mellanox.com>
+Date: Mon, 5 Nov 2018 08:07:37 +0200
+Subject: RDMA/mlx5: Fix fence type for IB_WR_LOCAL_INV WR
+
+[ Upstream commit 074fca3a18e7e1e0d4d7dcc9d7badc43b90232f4 ]
+
+Currently, for IB_WR_LOCAL_INV WR, when the next fence is None, the
+current fence will be SMALL instead of Normal Fence.
+
+Without this patch krping doesn't work on CX-5 devices and throws
+following error:
+
+The error messages are from CX5 driver are: (from server side)
+[ 710.434014] mlx5_0:dump_cqe:278:(pid 2712): dump error cqe
+[ 710.434016] 00000000 00000000 00000000 00000000
+[ 710.434016] 00000000 00000000 00000000 00000000
+[ 710.434017] 00000000 00000000 00000000 00000000
+[ 710.434018] 00000000 93003204 100000b8 000524d2
+[ 710.434019] krping: cq completion failed with wr_id 0 status 4 opcode 128 vender_err 32
+
+Fixed the logic to set the correct fence type.
+
+Fixes: 6e8484c5cf07 ("RDMA/mlx5: set UMR wqe fence according to HCA cap")
+Signed-off-by: Majd Dibbiny <majd@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/qp.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
+index f8f7a2191b98..f89489b28575 100644
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -3888,17 +3888,18 @@ int mlx5_ib_post_send(struct ib_qp *ibqp, struct ib_send_wr *wr,
+                       goto out;
+               }
+-              if (wr->opcode == IB_WR_LOCAL_INV ||
+-                  wr->opcode == IB_WR_REG_MR) {
++              if (wr->opcode == IB_WR_REG_MR) {
+                       fence = dev->umr_fence;
+                       next_fence = MLX5_FENCE_MODE_INITIATOR_SMALL;
+-              } else if (wr->send_flags & IB_SEND_FENCE) {
+-                      if (qp->next_fence)
+-                              fence = MLX5_FENCE_MODE_SMALL_AND_FENCE;
+-                      else
+-                              fence = MLX5_FENCE_MODE_FENCE;
+-              } else {
+-                      fence = qp->next_fence;
++              } else  {
++                      if (wr->send_flags & IB_SEND_FENCE) {
++                              if (qp->next_fence)
++                                      fence = MLX5_FENCE_MODE_SMALL_AND_FENCE;
++                              else
++                                      fence = MLX5_FENCE_MODE_FENCE;
++                      } else {
++                              fence = qp->next_fence;
++                      }
+               }
+               switch (ibqp->qp_type) {
+-- 
+2.19.1
+
diff --git a/queue-4.9/s390-cpum_cf-reject-request-for-sampling-in-event-in.patch b/queue-4.9/s390-cpum_cf-reject-request-for-sampling-in-event-in.patch
new file mode 100644 (file)
index 0000000..402b64f
--- /dev/null
@@ -0,0 +1,113 @@
+From b6f5dd1bba553ee08e8e46afa0299e9648e921e6 Mon Sep 17 00:00:00 2001
+From: Thomas Richter <tmricht@linux.ibm.com>
+Date: Tue, 13 Nov 2018 15:38:22 +0000
+Subject: s390/cpum_cf: Reject request for sampling in event initialization
+
+[ Upstream commit 613a41b0d16e617f46776a93b975a1eeea96417c ]
+
+On s390 command perf top fails
+[root@s35lp76 perf] # ./perf top -F100000  --stdio
+   Error:
+   cycles: PMU Hardware doesn't support sampling/overflow-interrupts.
+       Try 'perf stat'
+[root@s35lp76 perf] #
+
+Using event -e rb0000 works as designed.  Event rb0000 is the event
+number of the sampling facility for basic sampling.
+
+During system start up the following PMUs are installed in the kernel's
+PMU list (from head to tail):
+   cpum_cf --> s390 PMU counter facility device driver
+   cpum_sf --> s390 PMU sampling facility device driver
+   uprobe
+   kprobe
+   tracepoint
+   task_clock
+   cpu_clock
+
+Perf top executes following functions and calls perf_event_open(2) system
+call with different parameters many times:
+
+cmd_top
+--> __cmd_top
+    --> perf_evlist__add_default
+        --> __perf_evlist__add_default
+            --> perf_evlist__new_cycles (creates event type:0 (HW)
+                                       config 0 (CPU_CYCLES)
+               --> perf_event_attr__set_max_precise_ip
+                   Uses perf_event_open(2) to detect correct
+                   precise_ip level. Fails 3 times on s390 which is ok.
+
+Then functions cmd_top
+--> __cmd_top
+    --> perf_top__start_counters
+        -->perf_evlist__config
+          --> perf_can_comm_exec
+               --> perf_probe_api
+                  This functions test support for the following events:
+                  "cycles:u", "instructions:u", "cpu-clock:u" using
+                  --> perf_do_probe_api
+                      --> perf_event_open_cloexec
+                          Test the close on exec flag support with
+                          perf_event_open(2).
+                      perf_do_probe_api returns true if the event is
+                      supported.
+                      The function returns true because event cpu-clock is
+                      supported by the PMU cpu_clock.
+                      This is achieved by many calls to perf_event_open(2).
+
+Function perf_top__start_counters now calls perf_evsel__open() for every
+event, which is the default event cpu_cycles (config:0) and type HARDWARE
+(type:0) which a predfined frequence of 4000.
+
+Given the above order of the PMU list, the PMU cpum_cf gets called first
+and returns 0, which indicates support for this sampling. The event is
+fully allocated in the function perf_event_open (file kernel/event/core.c
+near line 10521 and the following check fails:
+
+        event = perf_event_alloc(&attr, cpu, task, group_leader, NULL,
+                                NULL, NULL, cgroup_fd);
+       if (IS_ERR(event)) {
+               err = PTR_ERR(event);
+               goto err_cred;
+       }
+
+        if (is_sampling_event(event)) {
+               if (event->pmu->capabilities & PERF_PMU_CAP_NO_INTERRUPT) {
+                       err = -EOPNOTSUPP;
+                       goto err_alloc;
+               }
+       }
+
+The check for the interrupt capabilities fails and the system call
+perf_event_open() returns -EOPNOTSUPP (-95).
+
+Add a check to return -ENODEV when sampling is requested in PMU cpum_cf.
+This allows common kernel code in the perf_event_open() system call to
+test the next PMU in above list.
+
+Fixes: 97b1198fece0 (" "s390, perf: Use common PMU interrupt disabled code")
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/perf_cpum_cf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/s390/kernel/perf_cpum_cf.c b/arch/s390/kernel/perf_cpum_cf.c
+index 037c2a253ae4..1238e7ef1170 100644
+--- a/arch/s390/kernel/perf_cpum_cf.c
++++ b/arch/s390/kernel/perf_cpum_cf.c
+@@ -344,6 +344,8 @@ static int __hw_perf_event_init(struct perf_event *event)
+               break;
+       case PERF_TYPE_HARDWARE:
++              if (is_sampling_event(event))   /* No sampling support */
++                      return -ENOENT;
+               ev = attr->config;
+               /* Count user space (problem-state) only */
+               if (!attr->exclude_user && attr->exclude_kernel) {
+-- 
+2.19.1
+
diff --git a/queue-4.9/selftests-add-script-to-stress-test-nft-packet-path-.patch b/queue-4.9/selftests-add-script-to-stress-test-nft-packet-path-.patch
new file mode 100644 (file)
index 0000000..df48137
--- /dev/null
@@ -0,0 +1,150 @@
+From 3b2962f4a5da424e08916f9d2f81f313bae28a88 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 31 Oct 2018 18:26:21 +0100
+Subject: selftests: add script to stress-test nft packet path vs. control
+ plane
+
+[ Upstream commit 25d8bcedbf4329895dbaf9dd67baa6f18dad918c ]
+
+Start flood ping for each cpu while loading/flushing rulesets to make
+sure we do not access already-free'd rules from nf_tables evaluation loop.
+
+Also add this to TARGETS so 'make run_tests' in selftest dir runs it
+automatically.
+
+This would have caught the bug fixed in previous change
+("netfilter: nf_tables: do not skip inactive chains during generation update")
+sooner.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/Makefile              |  1 +
+ tools/testing/selftests/netfilter/Makefile    |  6 ++
+ tools/testing/selftests/netfilter/config      |  2 +
+ .../selftests/netfilter/nft_trans_stress.sh   | 78 +++++++++++++++++++
+ 4 files changed, 87 insertions(+)
+ create mode 100644 tools/testing/selftests/netfilter/Makefile
+ create mode 100644 tools/testing/selftests/netfilter/config
+ create mode 100755 tools/testing/selftests/netfilter/nft_trans_stress.sh
+
+diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile
+index 76faf5bf0b32..d37dfc6608c6 100644
+--- a/tools/testing/selftests/Makefile
++++ b/tools/testing/selftests/Makefile
+@@ -15,6 +15,7 @@ TARGETS += memory-hotplug
+ TARGETS += mount
+ TARGETS += mqueue
+ TARGETS += net
++TARGETS += netfilter
+ TARGETS += nsfs
+ TARGETS += powerpc
+ TARGETS += pstore
+diff --git a/tools/testing/selftests/netfilter/Makefile b/tools/testing/selftests/netfilter/Makefile
+new file mode 100644
+index 000000000000..47ed6cef93fb
+--- /dev/null
++++ b/tools/testing/selftests/netfilter/Makefile
+@@ -0,0 +1,6 @@
++# SPDX-License-Identifier: GPL-2.0
++# Makefile for netfilter selftests
++
++TEST_PROGS := nft_trans_stress.sh
++
++include ../lib.mk
+diff --git a/tools/testing/selftests/netfilter/config b/tools/testing/selftests/netfilter/config
+new file mode 100644
+index 000000000000..1017313e41a8
+--- /dev/null
++++ b/tools/testing/selftests/netfilter/config
+@@ -0,0 +1,2 @@
++CONFIG_NET_NS=y
++NF_TABLES_INET=y
+diff --git a/tools/testing/selftests/netfilter/nft_trans_stress.sh b/tools/testing/selftests/netfilter/nft_trans_stress.sh
+new file mode 100755
+index 000000000000..f1affd12c4b1
+--- /dev/null
++++ b/tools/testing/selftests/netfilter/nft_trans_stress.sh
+@@ -0,0 +1,78 @@
++#!/bin/bash
++#
++# This test is for stress-testing the nf_tables config plane path vs.
++# packet path processing: Make sure we never release rules that are
++# still visible to other cpus.
++#
++# set -e
++
++# Kselftest framework requirement - SKIP code is 4.
++ksft_skip=4
++
++testns=testns1
++tables="foo bar baz quux"
++
++nft --version > /dev/null 2>&1
++if [ $? -ne 0 ];then
++      echo "SKIP: Could not run test without nft tool"
++      exit $ksft_skip
++fi
++
++ip -Version > /dev/null 2>&1
++if [ $? -ne 0 ];then
++      echo "SKIP: Could not run test without ip tool"
++      exit $ksft_skip
++fi
++
++tmp=$(mktemp)
++
++for table in $tables; do
++      echo add table inet "$table" >> "$tmp"
++      echo flush table inet "$table" >> "$tmp"
++
++      echo "add chain inet $table INPUT { type filter hook input priority 0; }" >> "$tmp"
++      echo "add chain inet $table OUTPUT { type filter hook output priority 0; }" >> "$tmp"
++      for c in $(seq 1 400); do
++              chain=$(printf "chain%03u" "$c")
++              echo "add chain inet $table $chain" >> "$tmp"
++      done
++
++      for c in $(seq 1 400); do
++              chain=$(printf "chain%03u" "$c")
++              for BASE in INPUT OUTPUT; do
++                      echo "add rule inet $table $BASE counter jump $chain" >> "$tmp"
++              done
++              echo "add rule inet $table $chain counter return" >> "$tmp"
++      done
++done
++
++ip netns add "$testns"
++ip -netns "$testns" link set lo up
++
++lscpu | grep ^CPU\(s\): | ( read cpu cpunum ;
++cpunum=$((cpunum-1))
++for i in $(seq 0 $cpunum);do
++      mask=$(printf 0x%x $((1<<$i)))
++        ip netns exec "$testns" taskset $mask ping -4 127.0.0.1 -fq > /dev/null &
++        ip netns exec "$testns" taskset $mask ping -6 ::1 -fq > /dev/null &
++done)
++
++sleep 1
++
++for i in $(seq 1 10) ; do ip netns exec "$testns" nft -f "$tmp" & done
++
++for table in $tables;do
++      randsleep=$((RANDOM%10))
++      sleep $randsleep
++      ip netns exec "$testns" nft delete table inet $table 2>/dev/null
++done
++
++randsleep=$((RANDOM%10))
++sleep $randsleep
++
++pkill -9 ping
++
++wait
++
++rm -f "$tmp"
++ip netns del "$testns"
+-- 
+2.19.1
+
index b98b8101d4e21b174c3d3a2ab0b22a660f257330..ba3287be2b9a5cc536dee636786c449778c35922 100644 (file)
@@ -8,3 +8,43 @@ rtnetlink-ndo_dflt_fdb_dump-only-work-for-arphrd_ether-devices.patch
 tcp-fix-null-ref-in-tail-loss-probe.patch
 tun-forbid-iface-creation-with-rtnl-ops.patch
 neighbour-avoid-writing-before-skb-head-in-neigh_hh_output.patch
+arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch
+arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch
+arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch
+sysv-return-err-instead-of-0-in-__sysv_write_inode.patch
+selftests-add-script-to-stress-test-nft-packet-path-.patch
+s390-cpum_cf-reject-request-for-sampling-in-event-in.patch
+hwmon-ina2xx-fix-current-value-calculation.patch
+asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch
+asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch
+hwmon-w83795-temp4_type-has-writable-permission.patch
+objtool-fix-double-free-in-.cold-detection-error-pat.patch
+objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch
+btrfs-send-fix-infinite-loop-due-to-directory-rename.patch
+rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch
+asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch
+asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch
+exportfs-do-not-read-dentry-after-free.patch
+bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch
+ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch
+usb-omap_udc-use-devm_request_irq.patch
+usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch
+usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch
+usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch
+kvm-x86-fix-empty-body-warnings.patch
+x86-kvm-vmx-fix-old-style-function-declaration.patch
+net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch
+cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch
+igb-fix-uninitialized-variables.patch
+ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch
+net-hisilicon-remove-unexpected-free_netdev.patch
+drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch
+xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch
+fscache-fix-race-between-enablement-and-dropping-of-.patch
+fscache-cachefiles-remove-redundant-variable-cache.patch
+ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch
+hfs-do-not-free-node-before-using.patch
+hfsplus-do-not-free-node-before-using.patch
+debugobjects-avoid-recursive-calls-with-kmemleak.patch
+ocfs2-fix-potential-use-after-free.patch
+pstore-convert-console-write-to-use-write_buf.patch
diff --git a/queue-4.9/sysv-return-err-instead-of-0-in-__sysv_write_inode.patch b/queue-4.9/sysv-return-err-instead-of-0-in-__sysv_write_inode.patch
new file mode 100644 (file)
index 0000000..79dc84e
--- /dev/null
@@ -0,0 +1,39 @@
+From c4d7bb9d94ff971c8f9a7b170aaa01d745cd8528 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Sat, 10 Nov 2018 04:13:24 +0000
+Subject: sysv: return 'err' instead of 0 in __sysv_write_inode
+
+[ Upstream commit c4b7d1ba7d263b74bb72e9325262a67139605cde ]
+
+Fixes gcc '-Wunused-but-set-variable' warning:
+
+fs/sysv/inode.c: In function '__sysv_write_inode':
+fs/sysv/inode.c:239:6: warning:
+ variable 'err' set but not used [-Wunused-but-set-variable]
+
+__sysv_write_inode should return 'err' instead of 0
+
+Fixes: 05459ca81ac3 ("repair sysv_write_inode(), switch sysv to simple_fsync()")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/sysv/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/sysv/inode.c b/fs/sysv/inode.c
+index d62c423a5a2d..7b391b43bcf5 100644
+--- a/fs/sysv/inode.c
++++ b/fs/sysv/inode.c
+@@ -275,7 +275,7 @@ static int __sysv_write_inode(struct inode *inode, int wait)
+                 }
+         }
+       brelse(bh);
+-      return 0;
++      return err;
+ }
+ int sysv_write_inode(struct inode *inode, struct writeback_control *wbc)
+-- 
+2.19.1
+
diff --git a/queue-4.9/usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch b/queue-4.9/usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch
new file mode 100644 (file)
index 0000000..233be0b
--- /dev/null
@@ -0,0 +1,114 @@
+From ecc78d588b88f5617e40d42271198742c0592916 Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Sun, 25 Nov 2018 00:17:05 +0200
+Subject: USB: omap_udc: fix crashes on probe error and module removal
+
+[ Upstream commit 99f700366fcea1aa2fa3c49c99f371670c3c62f8 ]
+
+We currently crash if usb_add_gadget_udc_release() fails, since the
+udc->done is not initialized until in the remove function.
+Furthermore, on module removal the udc data is accessed although
+the release function is already triggered by usb_del_gadget_udc()
+early in the function.
+
+Fix by rewriting the release and remove functions, basically moving
+all the cleanup into the release function, and doing the completion
+only in the module removal case.
+
+The patch fixes omap_udc module probe with a failing gadged, and also
+allows the removal of omap_udc. Tested by running "modprobe omap_udc;
+modprobe -r omap_udc" in a loop.
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/omap_udc.c | 50 ++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c
+index 2945408f0eec..2a23b21fe153 100644
+--- a/drivers/usb/gadget/udc/omap_udc.c
++++ b/drivers/usb/gadget/udc/omap_udc.c
+@@ -2612,9 +2612,22 @@ omap_ep_setup(char *name, u8 addr, u8 type,
+ static void omap_udc_release(struct device *dev)
+ {
+-      complete(udc->done);
++      pullup_disable(udc);
++      if (!IS_ERR_OR_NULL(udc->transceiver)) {
++              usb_put_phy(udc->transceiver);
++              udc->transceiver = NULL;
++      }
++      omap_writew(0, UDC_SYSCON1);
++      remove_proc_file();
++      if (udc->dc_clk) {
++              if (udc->clk_requested)
++                      omap_udc_enable_clock(0);
++              clk_put(udc->hhc_clk);
++              clk_put(udc->dc_clk);
++      }
++      if (udc->done)
++              complete(udc->done);
+       kfree(udc);
+-      udc = NULL;
+ }
+ static int
+@@ -2919,12 +2932,8 @@ static int omap_udc_probe(struct platform_device *pdev)
+       }
+       create_proc_file();
+-      status = usb_add_gadget_udc_release(&pdev->dev, &udc->gadget,
+-                      omap_udc_release);
+-      if (!status)
+-              return 0;
+-
+-      remove_proc_file();
++      return usb_add_gadget_udc_release(&pdev->dev, &udc->gadget,
++                                        omap_udc_release);
+ cleanup1:
+       kfree(udc);
+@@ -2951,36 +2960,15 @@ static int omap_udc_remove(struct platform_device *pdev)
+ {
+       DECLARE_COMPLETION_ONSTACK(done);
+-      if (!udc)
+-              return -ENODEV;
+-
+-      usb_del_gadget_udc(&udc->gadget);
+-      if (udc->driver)
+-              return -EBUSY;
+-
+       udc->done = &done;
+-      pullup_disable(udc);
+-      if (!IS_ERR_OR_NULL(udc->transceiver)) {
+-              usb_put_phy(udc->transceiver);
+-              udc->transceiver = NULL;
+-      }
+-      omap_writew(0, UDC_SYSCON1);
+-
+-      remove_proc_file();
++      usb_del_gadget_udc(&udc->gadget);
+-      if (udc->dc_clk) {
+-              if (udc->clk_requested)
+-                      omap_udc_enable_clock(0);
+-              clk_put(udc->hhc_clk);
+-              clk_put(udc->dc_clk);
+-      }
++      wait_for_completion(&done);
+       release_mem_region(pdev->resource[0].start,
+                       pdev->resource[0].end - pdev->resource[0].start + 1);
+-      wait_for_completion(&done);
+-
+       return 0;
+ }
+-- 
+2.19.1
+
diff --git a/queue-4.9/usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch b/queue-4.9/usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch
new file mode 100644 (file)
index 0000000..54147f3
--- /dev/null
@@ -0,0 +1,41 @@
+From cccf734ea58984e0b1e59f0bf17cd57f7edcc8e8 Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Sun, 25 Nov 2018 00:17:06 +0200
+Subject: USB: omap_udc: fix omap_udc_start() on 15xx machines
+
+[ Upstream commit 6ca6695f576b8453fe68865e84d25946d63b10ad ]
+
+On OMAP 15xx machines there are no transceivers, and omap_udc_start()
+always fails as it forgot to adjust the default return value.
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/omap_udc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c
+index 2a23b21fe153..8f044caa8ad4 100644
+--- a/drivers/usb/gadget/udc/omap_udc.c
++++ b/drivers/usb/gadget/udc/omap_udc.c
+@@ -2045,7 +2045,7 @@ static inline int machine_without_vbus_sense(void)
+ static int omap_udc_start(struct usb_gadget *g,
+               struct usb_gadget_driver *driver)
+ {
+-      int             status = -ENODEV;
++      int             status;
+       struct omap_ep  *ep;
+       unsigned long   flags;
+@@ -2083,6 +2083,7 @@ static int omap_udc_start(struct usb_gadget *g,
+                       goto done;
+               }
+       } else {
++              status = 0;
+               if (can_pullup(udc))
+                       pullup_enable(udc);
+               else
+-- 
+2.19.1
+
diff --git a/queue-4.9/usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch b/queue-4.9/usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch
new file mode 100644 (file)
index 0000000..1c9a81b
--- /dev/null
@@ -0,0 +1,32 @@
+From 641555751792449957b493fca3d4b1db5b419e9b Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Sun, 25 Nov 2018 00:17:07 +0200
+Subject: USB: omap_udc: fix USB gadget functionality on Palm Tungsten E
+
+[ Upstream commit 2c2322fbcab8102b8cadc09d66714700a2da42c2 ]
+
+On Palm TE nothing happens when you try to use gadget drivers and plug
+the USB cable. Fix by adding the board to the vbus sense quirk list.
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/omap_udc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c
+index 8f044caa8ad4..9eed4947aad8 100644
+--- a/drivers/usb/gadget/udc/omap_udc.c
++++ b/drivers/usb/gadget/udc/omap_udc.c
+@@ -2037,6 +2037,7 @@ static inline int machine_without_vbus_sense(void)
+ {
+       return machine_is_omap_innovator()
+               || machine_is_omap_osk()
++              || machine_is_omap_palmte()
+               || machine_is_sx1()
+               /* No known omap7xx boards with vbus sense */
+               || cpu_is_omap7xx();
+-- 
+2.19.1
+
diff --git a/queue-4.9/usb-omap_udc-use-devm_request_irq.patch b/queue-4.9/usb-omap_udc-use-devm_request_irq.patch
new file mode 100644 (file)
index 0000000..68bddb9
--- /dev/null
@@ -0,0 +1,102 @@
+From 4194600a6d04cfa6eb9984f245bb6770625e196d Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Sun, 25 Nov 2018 00:17:04 +0200
+Subject: USB: omap_udc: use devm_request_irq()
+
+[ Upstream commit 286afdde1640d8ea8916a0f05e811441fbbf4b9d ]
+
+The current code fails to release the third irq on the error path
+(observed by reading the code), and we get also multiple WARNs with
+failing gadget drivers due to duplicate IRQ releases. Fix by using
+devm_request_irq().
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/omap_udc.c | 37 +++++++++----------------------
+ 1 file changed, 10 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c
+index a8709f9e5648..2945408f0eec 100644
+--- a/drivers/usb/gadget/udc/omap_udc.c
++++ b/drivers/usb/gadget/udc/omap_udc.c
+@@ -2886,8 +2886,8 @@ static int omap_udc_probe(struct platform_device *pdev)
+               udc->clr_halt = UDC_RESET_EP;
+       /* USB general purpose IRQ:  ep0, state changes, dma, etc */
+-      status = request_irq(pdev->resource[1].start, omap_udc_irq,
+-                      0, driver_name, udc);
++      status = devm_request_irq(&pdev->dev, pdev->resource[1].start,
++                                omap_udc_irq, 0, driver_name, udc);
+       if (status != 0) {
+               ERR("can't get irq %d, err %d\n",
+                       (int) pdev->resource[1].start, status);
+@@ -2895,20 +2895,20 @@ static int omap_udc_probe(struct platform_device *pdev)
+       }
+       /* USB "non-iso" IRQ (PIO for all but ep0) */
+-      status = request_irq(pdev->resource[2].start, omap_udc_pio_irq,
+-                      0, "omap_udc pio", udc);
++      status = devm_request_irq(&pdev->dev, pdev->resource[2].start,
++                                omap_udc_pio_irq, 0, "omap_udc pio", udc);
+       if (status != 0) {
+               ERR("can't get irq %d, err %d\n",
+                       (int) pdev->resource[2].start, status);
+-              goto cleanup2;
++              goto cleanup1;
+       }
+ #ifdef        USE_ISO
+-      status = request_irq(pdev->resource[3].start, omap_udc_iso_irq,
+-                      0, "omap_udc iso", udc);
++      status = devm_request_irq(&pdev->dev, pdev->resource[3].start,
++                                omap_udc_iso_irq, 0, "omap_udc iso", udc);
+       if (status != 0) {
+               ERR("can't get irq %d, err %d\n",
+                       (int) pdev->resource[3].start, status);
+-              goto cleanup3;
++              goto cleanup1;
+       }
+ #endif
+       if (cpu_is_omap16xx() || cpu_is_omap7xx()) {
+@@ -2921,22 +2921,11 @@ static int omap_udc_probe(struct platform_device *pdev)
+       create_proc_file();
+       status = usb_add_gadget_udc_release(&pdev->dev, &udc->gadget,
+                       omap_udc_release);
+-      if (status)
+-              goto cleanup4;
+-
+-      return 0;
++      if (!status)
++              return 0;
+-cleanup4:
+       remove_proc_file();
+-#ifdef        USE_ISO
+-cleanup3:
+-      free_irq(pdev->resource[2].start, udc);
+-#endif
+-
+-cleanup2:
+-      free_irq(pdev->resource[1].start, udc);
+-
+ cleanup1:
+       kfree(udc);
+       udc = NULL;
+@@ -2980,12 +2969,6 @@ static int omap_udc_remove(struct platform_device *pdev)
+       remove_proc_file();
+-#ifdef        USE_ISO
+-      free_irq(pdev->resource[3].start, udc);
+-#endif
+-      free_irq(pdev->resource[2].start, udc);
+-      free_irq(pdev->resource[1].start, udc);
+-
+       if (udc->dc_clk) {
+               if (udc->clk_requested)
+                       omap_udc_enable_clock(0);
+-- 
+2.19.1
+
diff --git a/queue-4.9/x86-kvm-vmx-fix-old-style-function-declaration.patch b/queue-4.9/x86-kvm-vmx-fix-old-style-function-declaration.patch
new file mode 100644 (file)
index 0000000..f34ba64
--- /dev/null
@@ -0,0 +1,68 @@
+From 31989e869b781c45eee91d4577562fa69e6f0a7c Mon Sep 17 00:00:00 2001
+From: Yi Wang <wang.yi59@zte.com.cn>
+Date: Thu, 8 Nov 2018 11:22:21 +0800
+Subject: x86/kvm/vmx: fix old-style function declaration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 1e4329ee2c52692ea42cc677fb2133519718b34a ]
+
+The inline keyword which is not at the beginning of the function
+declaration may trigger the following build warnings, so let's fix it:
+
+arch/x86/kvm/vmx.c:1309:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
+arch/x86/kvm/vmx.c:5947:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
+arch/x86/kvm/vmx.c:5985:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
+arch/x86/kvm/vmx.c:6023:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
+
+Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 8888d894bf39..011050820608 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -1077,7 +1077,7 @@ static void copy_vmcs12_to_shadow(struct vcpu_vmx *vmx);
+ static void copy_shadow_to_vmcs12(struct vcpu_vmx *vmx);
+ static int alloc_identity_pagetable(struct kvm *kvm);
+ static void vmx_update_msr_bitmap(struct kvm_vcpu *vcpu);
+-static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bitmap,
++static __always_inline void vmx_disable_intercept_for_msr(unsigned long *msr_bitmap,
+                                                         u32 msr, int type);
+ static DEFINE_PER_CPU(struct vmcs *, vmxarea);
+@@ -4872,7 +4872,7 @@ static void free_vpid(int vpid)
+       spin_unlock(&vmx_vpid_lock);
+ }
+-static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bitmap,
++static __always_inline void vmx_disable_intercept_for_msr(unsigned long *msr_bitmap,
+                                                         u32 msr, int type)
+ {
+       int f = sizeof(unsigned long);
+@@ -4907,7 +4907,7 @@ static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bit
+       }
+ }
+-static void __always_inline vmx_enable_intercept_for_msr(unsigned long *msr_bitmap,
++static __always_inline void vmx_enable_intercept_for_msr(unsigned long *msr_bitmap,
+                                                        u32 msr, int type)
+ {
+       int f = sizeof(unsigned long);
+@@ -4942,7 +4942,7 @@ static void __always_inline vmx_enable_intercept_for_msr(unsigned long *msr_bitm
+       }
+ }
+-static void __always_inline vmx_set_intercept_for_msr(unsigned long *msr_bitmap,
++static __always_inline void vmx_set_intercept_for_msr(unsigned long *msr_bitmap,
+                                                     u32 msr, int type, bool value)
+ {
+       if (value)
+-- 
+2.19.1
+
diff --git a/queue-4.9/xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch b/queue-4.9/xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch
new file mode 100644 (file)
index 0000000..3243bec
--- /dev/null
@@ -0,0 +1,37 @@
+From 98f6f0f4042d5613b4b3ea4c2b756ffba8d88cee Mon Sep 17 00:00:00 2001
+From: Srikanth Boddepalli <boddepalli.srikanth@gmail.com>
+Date: Tue, 27 Nov 2018 19:53:27 +0530
+Subject: xen: xlate_mmu: add missing header to fix 'W=1' warning
+
+[ Upstream commit 72791ac854fea36034fa7976b748fde585008e78 ]
+
+Add a missing header otherwise compiler warns about missed prototype:
+
+drivers/xen/xlate_mmu.c:183:5: warning: no previous prototype for 'xen_xlate_unmap_gfn_range?' [-Wmissing-prototypes]
+  int xen_xlate_unmap_gfn_range(struct vm_area_struct *vma,
+      ^~~~~~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Srikanth Boddepalli <boddepalli.srikanth@gmail.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Reviewed-by: Joey Pabalinas <joeypabalinas@gmail.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/xlate_mmu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/xen/xlate_mmu.c b/drivers/xen/xlate_mmu.c
+index 23f1387b3ef7..e7df65d32c91 100644
+--- a/drivers/xen/xlate_mmu.c
++++ b/drivers/xen/xlate_mmu.c
+@@ -36,6 +36,7 @@
+ #include <asm/xen/hypervisor.h>
+ #include <xen/xen.h>
++#include <xen/xen-ops.h>
+ #include <xen/page.h>
+ #include <xen/interface/xen.h>
+ #include <xen/interface/memory.h>
+-- 
+2.19.1
+