4.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 18 Oct 2018 09:50:48 +0000 (11:50 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 18 Oct 2018 09:50:48 +0000 (11:50 +0200)
added patches:
batman-adv-avoid-probe-elp-information-leak.patch
batman-adv-fix-backbone_gw-refcount-on-queue_work-failure.patch
batman-adv-fix-hardif_neigh-refcount-on-queue_work-failure.patch
batman-adv-fix-segfault-when-writing-to-sysfs-elp_interval.patch
batman-adv-fix-segfault-when-writing-to-throughput_override.patch
batman-adv-prevent-duplicated-gateway_node-entry.patch
batman-adv-prevent-duplicated-global-tt-entry.patch
batman-adv-prevent-duplicated-nc_node-entry.patch
batman-adv-prevent-duplicated-softif_vlan-entry.patch
batman-adv-prevent-duplicated-tvlv-handler.patch
bpf-sockmap-fix-transition-through-disconnect-without-close.patch
bpf-sockmap-only-allow-established-sock-state.patch
bpf-test_maps-only-support-established-socks.patch
clocksource-drivers-fttmr010-fix-set_next_event-handler.patch
clocksource-drivers-ti-32k-add-clock_source_suspend_nonstop-flag-for-non-am43-socs.patch
cxgb4-fix-abort_req_rss6-struct.patch
drm-mali-dp-call-drm_crtc_vblank_reset-on-device-init.patch
input-atakbd-fix-atari-capslock-behaviour.patch
input-atakbd-fix-atari-keymap.patch
intel_th-pci-add-ice-lake-pch-support.patch
iommu-amd-return-devid-as-alias-for-acpi-hid-devices.patch
iommu-rockchip-free-irqs-in-shutdown-handler.patch
media-af9035-prevent-buffer-overflow-on-write.patch
net-emac-fix-fixed-link-setup-for-the-rtl8363sb-switch.patch
net-mlx4-use-cpumask_available-for-eq-affinity_mask.patch
net-smc-fix-non-blocking-connect-problem.patch
net-smc-fix-sizeof-to-int-comparison.patch
pci-dwc-fix-scheduling-while-atomic-issues.patch
pinctrl-amd-poll-interruptenable-bits-in-amd_gpio_irq_set_type.patch
powerpc-numa-use-associativity-if-vphn-hcall-is-successful.patch
powerpc-tm-avoid-possible-userspace-r1-corruption-on-reclaim.patch
powerpc-tm-fix-userspace-r13-corruption.patch
qed-do-not-add-vlan-0-tag-to-untagged-frames-in-multi-function-mode.patch
qed-fix-populating-the-invalid-stag-value-in-multi-function-mode.patch
ravb-do-not-write-1-to-reserved-bits.patch
rdma-bnxt_re-fix-system-crash-during-rdma-resource-initialization.patch
rdma-uverbs-fix-validity-check-for-modify-qp.patch
risc-v-include-linux-ftrace.h-in-asm-prototypes.h.patch
scsi-ibmvscsis-ensure-partition-name-is-properly-nul-terminated.patch
scsi-ibmvscsis-fix-a-stringop-overflow-warning.patch
scsi-ipr-system-hung-while-dlpar-adding-primary-ipr-adapter-back.patch
scsi-lpfc-synchronize-access-to-remoteport-via-rport.patch
scsi-sd-don-t-crash-the-host-on-invalid-commands.patch
selftests-pmtu-properly-redirect-stderr-to-dev-null.patch
soundwire-fix-acquiring-bus-lock-twice-during-master-release.patch
soundwire-fix-duplicate-stream-state-assignment.patch
soundwire-fix-incorrect-exit-after-configuring-stream.patch
spi-gpio-fix-copy-and-paste-error.patch
x86-boot-fix-kexec-booting-failure-in-the-sev-bit-detection-code.patch

49 files changed:
queue-4.18/batman-adv-avoid-probe-elp-information-leak.patch [new file with mode: 0644]
queue-4.18/batman-adv-fix-backbone_gw-refcount-on-queue_work-failure.patch [new file with mode: 0644]
queue-4.18/batman-adv-fix-hardif_neigh-refcount-on-queue_work-failure.patch [new file with mode: 0644]
queue-4.18/batman-adv-fix-segfault-when-writing-to-sysfs-elp_interval.patch [new file with mode: 0644]
queue-4.18/batman-adv-fix-segfault-when-writing-to-throughput_override.patch [new file with mode: 0644]
queue-4.18/batman-adv-prevent-duplicated-gateway_node-entry.patch [new file with mode: 0644]
queue-4.18/batman-adv-prevent-duplicated-global-tt-entry.patch [new file with mode: 0644]
queue-4.18/batman-adv-prevent-duplicated-nc_node-entry.patch [new file with mode: 0644]
queue-4.18/batman-adv-prevent-duplicated-softif_vlan-entry.patch [new file with mode: 0644]
queue-4.18/batman-adv-prevent-duplicated-tvlv-handler.patch [new file with mode: 0644]
queue-4.18/bpf-sockmap-fix-transition-through-disconnect-without-close.patch [new file with mode: 0644]
queue-4.18/bpf-sockmap-only-allow-established-sock-state.patch [new file with mode: 0644]
queue-4.18/bpf-test_maps-only-support-established-socks.patch [new file with mode: 0644]
queue-4.18/clocksource-drivers-fttmr010-fix-set_next_event-handler.patch [new file with mode: 0644]
queue-4.18/clocksource-drivers-ti-32k-add-clock_source_suspend_nonstop-flag-for-non-am43-socs.patch [new file with mode: 0644]
queue-4.18/cxgb4-fix-abort_req_rss6-struct.patch [new file with mode: 0644]
queue-4.18/drm-mali-dp-call-drm_crtc_vblank_reset-on-device-init.patch [new file with mode: 0644]
queue-4.18/input-atakbd-fix-atari-capslock-behaviour.patch [new file with mode: 0644]
queue-4.18/input-atakbd-fix-atari-keymap.patch [new file with mode: 0644]
queue-4.18/intel_th-pci-add-ice-lake-pch-support.patch [new file with mode: 0644]
queue-4.18/iommu-amd-return-devid-as-alias-for-acpi-hid-devices.patch [new file with mode: 0644]
queue-4.18/iommu-rockchip-free-irqs-in-shutdown-handler.patch [new file with mode: 0644]
queue-4.18/media-af9035-prevent-buffer-overflow-on-write.patch [new file with mode: 0644]
queue-4.18/net-emac-fix-fixed-link-setup-for-the-rtl8363sb-switch.patch [new file with mode: 0644]
queue-4.18/net-mlx4-use-cpumask_available-for-eq-affinity_mask.patch [new file with mode: 0644]
queue-4.18/net-smc-fix-non-blocking-connect-problem.patch [new file with mode: 0644]
queue-4.18/net-smc-fix-sizeof-to-int-comparison.patch [new file with mode: 0644]
queue-4.18/pci-dwc-fix-scheduling-while-atomic-issues.patch [new file with mode: 0644]
queue-4.18/pinctrl-amd-poll-interruptenable-bits-in-amd_gpio_irq_set_type.patch [new file with mode: 0644]
queue-4.18/powerpc-numa-use-associativity-if-vphn-hcall-is-successful.patch [new file with mode: 0644]
queue-4.18/powerpc-tm-avoid-possible-userspace-r1-corruption-on-reclaim.patch [new file with mode: 0644]
queue-4.18/powerpc-tm-fix-userspace-r13-corruption.patch [new file with mode: 0644]
queue-4.18/qed-do-not-add-vlan-0-tag-to-untagged-frames-in-multi-function-mode.patch [new file with mode: 0644]
queue-4.18/qed-fix-populating-the-invalid-stag-value-in-multi-function-mode.patch [new file with mode: 0644]
queue-4.18/ravb-do-not-write-1-to-reserved-bits.patch [new file with mode: 0644]
queue-4.18/rdma-bnxt_re-fix-system-crash-during-rdma-resource-initialization.patch [new file with mode: 0644]
queue-4.18/rdma-uverbs-fix-validity-check-for-modify-qp.patch [new file with mode: 0644]
queue-4.18/risc-v-include-linux-ftrace.h-in-asm-prototypes.h.patch [new file with mode: 0644]
queue-4.18/scsi-ibmvscsis-ensure-partition-name-is-properly-nul-terminated.patch [new file with mode: 0644]
queue-4.18/scsi-ibmvscsis-fix-a-stringop-overflow-warning.patch [new file with mode: 0644]
queue-4.18/scsi-ipr-system-hung-while-dlpar-adding-primary-ipr-adapter-back.patch [new file with mode: 0644]
queue-4.18/scsi-lpfc-synchronize-access-to-remoteport-via-rport.patch [new file with mode: 0644]
queue-4.18/scsi-sd-don-t-crash-the-host-on-invalid-commands.patch [new file with mode: 0644]
queue-4.18/selftests-pmtu-properly-redirect-stderr-to-dev-null.patch [new file with mode: 0644]
queue-4.18/soundwire-fix-acquiring-bus-lock-twice-during-master-release.patch [new file with mode: 0644]
queue-4.18/soundwire-fix-duplicate-stream-state-assignment.patch [new file with mode: 0644]
queue-4.18/soundwire-fix-incorrect-exit-after-configuring-stream.patch [new file with mode: 0644]
queue-4.18/spi-gpio-fix-copy-and-paste-error.patch [new file with mode: 0644]
queue-4.18/x86-boot-fix-kexec-booting-failure-in-the-sev-bit-detection-code.patch [new file with mode: 0644]

diff --git a/queue-4.18/batman-adv-avoid-probe-elp-information-leak.patch b/queue-4.18/batman-adv-avoid-probe-elp-information-leak.patch
new file mode 100644 (file)
index 0000000..be4c719
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Thu Oct 18 11:08:34 CEST 2018
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 31 Aug 2018 15:08:44 +0200
+Subject: batman-adv: Avoid probe ELP information leak
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit 88d0895d0ea9d4431507d576c963f2ff9918144d ]
+
+The probe ELPs for WiFi interfaces are expanded to contain at least
+BATADV_ELP_MIN_PROBE_SIZE bytes. This is usually a lot more than the
+number of bytes which the template ELP packet requires.
+
+These extra padding bytes were not initialized and thus could contain data
+which were previously stored at the same location. It is therefore required
+to set it to some predefined or random values to avoid leaking private
+information from the system transmitting these kind of packets.
+
+Fixes: e4623c913508 ("batman-adv: Avoid probe ELP information leak")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Antonio Quartulli <a@unstable.cc>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bat_v_elp.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -241,7 +241,7 @@ batadv_v_elp_wifi_neigh_probe(struct bat
+                * the packet to be exactly of that size to make the link
+                * throughput estimation effective.
+                */
+-              skb_put(skb, probe_len - hard_iface->bat_v.elp_skb->len);
++              skb_put_zero(skb, probe_len - hard_iface->bat_v.elp_skb->len);
+               batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
+                          "Sending unicast (probe) ELP packet on interface %s to %pM\n",
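Review bot: The `Fixes:` trailer in this queued patch cites a commit whose subject is identical to the patch's own subject, so it does not tell a backporter which earlier change introduced the uninitialised padding in `batadv_v_elp_wifi_neigh_probe`. It is worth checking that hash against mainline history before using it to decide which stable trees need the fix. On the code side, the comment above the `skb_put_zero()` call could say why zeroing matters, e.g. `/* zero the padding so no stale memory contents are transmitted */`. The function body starts and ends outside the hunk.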
diff --git a/queue-4.18/batman-adv-fix-backbone_gw-refcount-on-queue_work-failure.patch b/queue-4.18/batman-adv-fix-backbone_gw-refcount-on-queue_work-failure.patch
new file mode 100644 (file)
index 0000000..d4fcc47
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Marek Lindner <mareklindner@neomailbox.ch>
+Date: Fri, 7 Sep 2018 05:45:54 +0800
+Subject: batman-adv: fix backbone_gw refcount on queue_work() failure
+
+From: Marek Lindner <mareklindner@neomailbox.ch>
+
+[ Upstream commit 5af96b9c59c72fb2af2d19c5cc2f3cdcee391dff ]
+
+The backbone_gw refcounter is to be decreased by the queued work and
+currently is never decreased if the queue_work() call fails.
+Fix by checking the queue_work() return value and decrease refcount
+if necessary.
+
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bridge_loop_avoidance.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -1772,6 +1772,7 @@ batadv_bla_loopdetect_check(struct batad
+ {
+       struct batadv_bla_backbone_gw *backbone_gw;
+       struct ethhdr *ethhdr;
++      bool ret;
+       ethhdr = eth_hdr(skb);
+@@ -1795,8 +1796,13 @@ batadv_bla_loopdetect_check(struct batad
+       if (unlikely(!backbone_gw))
+               return true;
+-      queue_work(batadv_event_workqueue, &backbone_gw->report_work);
+-      /* backbone_gw is unreferenced in the report work function function */
++      ret = queue_work(batadv_event_workqueue, &backbone_gw->report_work);
++
++      /* backbone_gw is unreferenced in the report work function function
++       * if queue_work() call was successful
++       */
++      if (!ret)
++              batadv_backbone_gw_put(backbone_gw);
+       return true;
+ }
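Review bot: The rewritten comment before `if (!ret)` still carries the doubled word "function function" from the line it replaces, and it describes only the success case while the code beneath it handles the failure case. Something like `/* the report work drops the backbone_gw reference; drop it here when queue_work() did not queue it */` would match the branch. The `ret` local is used once, so `if (!queue_work(batadv_event_workqueue, &backbone_gw->report_work))` would also avoid the extra declaration. Where the reference is taken is outside the hunk.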
diff --git a/queue-4.18/batman-adv-fix-hardif_neigh-refcount-on-queue_work-failure.patch b/queue-4.18/batman-adv-fix-hardif_neigh-refcount-on-queue_work-failure.patch
new file mode 100644 (file)
index 0000000..223fb85
--- /dev/null
@@ -0,0 +1,47 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Marek Lindner <mareklindner@neomailbox.ch>
+Date: Fri, 7 Sep 2018 05:45:55 +0800
+Subject: batman-adv: fix hardif_neigh refcount on queue_work() failure
+
+From: Marek Lindner <mareklindner@neomailbox.ch>
+
+[ Upstream commit 4c4af6900844ab04c9434c972021d7b48610e06a ]
+
+The hardif_neigh refcounter is to be decreased by the queued work and
+currently is never decreased if the queue_work() call fails.
+Fix by checking the queue_work() return value and decrease refcount
+if necessary.
+
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bat_v_elp.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -268,6 +268,7 @@ static void batadv_v_elp_periodic_work(s
+       struct batadv_priv *bat_priv;
+       struct sk_buff *skb;
+       u32 elp_interval;
++      bool ret;
+       bat_v = container_of(work, struct batadv_hard_iface_bat_v, elp_wq.work);
+       hard_iface = container_of(bat_v, struct batadv_hard_iface, bat_v);
+@@ -329,8 +330,11 @@ static void batadv_v_elp_periodic_work(s
+                * may sleep and that is not allowed in an rcu protected
+                * context. Therefore schedule a task for that.
+                */
+-              queue_work(batadv_event_workqueue,
+-                         &hardif_neigh->bat_v.metric_work);
++              ret = queue_work(batadv_event_workqueue,
++                               &hardif_neigh->bat_v.metric_work);
++
++              if (!ret)
++                      batadv_hardif_neigh_put(hardif_neigh);
+       }
+       rcu_read_unlock();
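Review bot: The new `if (!ret)` branch has no comment saying that `metric_work` is what normally releases the `hardif_neigh` reference, which the sibling fix in bridge_loop_avoidance.c does spell out. A line such as `/* metric_work puts hardif_neigh; put it here if the work was not queued */` above the check would keep the ownership rule visible. `ret` is declared at function scope but only used in the block that closes just before `rcu_read_unlock()`, so it could be declared there or folded into the condition. The point where the reference is acquired lies outside the hunk.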
diff --git a/queue-4.18/batman-adv-fix-segfault-when-writing-to-sysfs-elp_interval.patch b/queue-4.18/batman-adv-fix-segfault-when-writing-to-sysfs-elp_interval.patch
new file mode 100644 (file)
index 0000000..6d524e4
--- /dev/null
@@ -0,0 +1,112 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 31 Aug 2018 16:56:29 +0200
+Subject: batman-adv: Fix segfault when writing to sysfs elp_interval
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit a25bab9d723a08bd0bdafb1529faf9094c690b70 ]
+
+The per hardif sysfs file "batman_adv/elp_interval" is using the generic
+functions to store/show uint values. The helper __batadv_store_uint_attr
+requires the softif net_device as parameter to print the resulting change
+as info text when the users writes to this file. It uses the helper
+function batadv_info to add it at the same time to the kernel ring buffer
+and to the batman-adv debug log (when CONFIG_BATMAN_ADV_DEBUG is enabled).
+
+The function batadv_info requires as first parameter the batman-adv softif
+net_device. This parameter is then used to find the private buffer which
+contains the debug log for this batman-adv interface. But
+batadv_store_throughput_override used as first argument the slave
+net_device. This slave device doesn't have the batadv_priv private data
+which is access by batadv_info.
+
+Writing to this file with CONFIG_BATMAN_ADV_DEBUG enabled can either lead
+to a segfault or to memory corruption.
+
+Fixes: 0744ff8fa8fa ("batman-adv: Add hard_iface specific sysfs wrapper macros for UINT")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/sysfs.c |   25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+--- a/net/batman-adv/sysfs.c
++++ b/net/batman-adv/sysfs.c
+@@ -188,7 +188,8 @@ ssize_t batadv_store_##_name(struct kobj
+                                                                       \
+       return __batadv_store_uint_attr(buff, count, _min, _max,        \
+                                       _post_func, attr,               \
+-                                      &bat_priv->_var, net_dev);      \
++                                      &bat_priv->_var, net_dev,       \
++                                      NULL);  \
+ }
+ #define BATADV_ATTR_SIF_SHOW_UINT(_name, _var)                                \
+@@ -262,7 +263,9 @@ ssize_t batadv_store_##_name(struct kobj
+                                                                       \
+       length = __batadv_store_uint_attr(buff, count, _min, _max,      \
+                                         _post_func, attr,             \
+-                                        &hard_iface->_var, net_dev);  \
++                                        &hard_iface->_var,            \
++                                        hard_iface->soft_iface,       \
++                                        net_dev);                     \
+                                                                       \
+       batadv_hardif_put(hard_iface);                          \
+       return length;                                                  \
+@@ -356,10 +359,12 @@ __batadv_store_bool_attr(char *buff, siz
+ static int batadv_store_uint_attr(const char *buff, size_t count,
+                                 struct net_device *net_dev,
++                                struct net_device *slave_dev,
+                                 const char *attr_name,
+                                 unsigned int min, unsigned int max,
+                                 atomic_t *attr)
+ {
++      char ifname[IFNAMSIZ + 3] = "";
+       unsigned long uint_val;
+       int ret;
+@@ -385,8 +390,11 @@ static int batadv_store_uint_attr(const
+       if (atomic_read(attr) == uint_val)
+               return count;
+-      batadv_info(net_dev, "%s: Changing from: %i to: %lu\n",
+-                  attr_name, atomic_read(attr), uint_val);
++      if (slave_dev)
++              snprintf(ifname, sizeof(ifname), "%s: ", slave_dev->name);
++
++      batadv_info(net_dev, "%s: %sChanging from: %i to: %lu\n",
++                  attr_name, ifname, atomic_read(attr), uint_val);
+       atomic_set(attr, uint_val);
+       return count;
+@@ -397,12 +405,13 @@ static ssize_t __batadv_store_uint_attr(
+                                       void (*post_func)(struct net_device *),
+                                       const struct attribute *attr,
+                                       atomic_t *attr_store,
+-                                      struct net_device *net_dev)
++                                      struct net_device *net_dev,
++                                      struct net_device *slave_dev)
+ {
+       int ret;
+-      ret = batadv_store_uint_attr(buff, count, net_dev, attr->name, min, max,
+-                                   attr_store);
++      ret = batadv_store_uint_attr(buff, count, net_dev, slave_dev,
++                                   attr->name, min, max, attr_store);
+       if (post_func && ret)
+               post_func(net_dev);
+@@ -571,7 +580,7 @@ static ssize_t batadv_store_gw_sel_class
+       return __batadv_store_uint_attr(buff, count, 1, BATADV_TQ_MAX_VALUE,
+                                       batadv_post_gw_reselect, attr,
+                                       &bat_priv->gw.sel_class,
+-                                      bat_priv->soft_iface);
++                                      bat_priv->soft_iface, NULL);
+ }
+ static ssize_t batadv_show_gw_bwidth(struct kobject *kobj,
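Review bot: The hard-interface store macro now hands `hard_iface->soft_iface` to `__batadv_store_uint_attr()` with no visible check that it is non-NULL, and `batadv_store_uint_attr()` passes that pointer straight to `batadv_info()`. If this sysfs file can be written while the hard interface is not attached to a soft interface (not determinable from the hunks), the write would hit the same class of invalid access the patch is fixing. The same question applies to `batadv_info(hard_iface->soft_iface, ...)` in batman-adv-fix-segfault-when-writing-to-throughput_override.patch. A guard before the call, for example `if (!hard_iface->soft_iface) { batadv_hardif_put(hard_iface); return -EINVAL; }`, would close it, with the error code left to the maintainers. The macro bodies start outside the hunks.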
diff --git a/queue-4.18/batman-adv-fix-segfault-when-writing-to-throughput_override.patch b/queue-4.18/batman-adv-fix-segfault-when-writing-to-throughput_override.patch
new file mode 100644 (file)
index 0000000..8f6bc82
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Thu Oct 18 11:08:34 CEST 2018
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 31 Aug 2018 16:46:47 +0200
+Subject: batman-adv: Fix segfault when writing to throughput_override
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit b9fd14c20871e6189f635e49b32d7789e430b3c8 ]
+
+The per hardif sysfs file "batman_adv/throughput_override" prints the
+resulting change as info text when the users writes to this file. It uses
+the helper function batadv_info to add it at the same time to the kernel
+ring buffer and to the batman-adv debug log (when CONFIG_BATMAN_ADV_DEBUG
+is enabled).
+
+The function batadv_info requires as first parameter the batman-adv softif
+net_device. This parameter is then used to find the private buffer which
+contains the debug log for this batman-adv interface. But
+batadv_store_throughput_override used as first argument the slave
+net_device. This slave device doesn't have the batadv_priv private data
+which is access by batadv_info.
+
+Writing to this file with CONFIG_BATMAN_ADV_DEBUG enabled can either lead
+to a segfault or to memory corruption.
+
+Fixes: 0b5ecc6811bd ("batman-adv: add throughput override attribute to hard_ifaces")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/sysfs.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/sysfs.c
++++ b/net/batman-adv/sysfs.c
+@@ -1090,8 +1090,9 @@ static ssize_t batadv_store_throughput_o
+       if (old_tp_override == tp_override)
+               goto out;
+-      batadv_info(net_dev, "%s: Changing from: %u.%u MBit to: %u.%u MBit\n",
+-                  "throughput_override",
++      batadv_info(hard_iface->soft_iface,
++                  "%s: %s: Changing from: %u.%u MBit to: %u.%u MBit\n",
++                  "throughput_override", net_dev->name,
+                   old_tp_override / 10, old_tp_override % 10,
+                   tp_override / 10, tp_override % 10);
diff --git a/queue-4.18/batman-adv-prevent-duplicated-gateway_node-entry.patch b/queue-4.18/batman-adv-prevent-duplicated-gateway_node-entry.patch
new file mode 100644 (file)
index 0000000..479ba6c
--- /dev/null
@@ -0,0 +1,85 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 12 Aug 2018 21:04:41 +0200
+Subject: batman-adv: Prevent duplicated gateway_node entry
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit dff9bc42ab0b2d38c5e90ddd79b238fed5b4c7ad ]
+
+The function batadv_gw_node_add is responsible for adding new gw_node to
+the gateway_list. It is expecting that the caller already checked that
+there is not already an entry with the same key or not.
+
+But the lock for the list is only held when the list is really modified.
+This could lead to duplicated entries because another context could create
+an entry with the same key between the check and the list manipulation.
+
+The check and the manipulation of the list must therefore be in the same
+locked code section.
+
+Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/gateway_client.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/gateway_client.c
++++ b/net/batman-adv/gateway_client.c
+@@ -32,6 +32,7 @@
+ #include <linux/kernel.h>
+ #include <linux/kref.h>
+ #include <linux/list.h>
++#include <linux/lockdep.h>
+ #include <linux/netdevice.h>
+ #include <linux/netlink.h>
+ #include <linux/rculist.h>
+@@ -348,6 +349,9 @@ out:
+  * @bat_priv: the bat priv with all the soft interface information
+  * @orig_node: originator announcing gateway capabilities
+  * @gateway: announced bandwidth information
++ *
++ * Has to be called with the appropriate locks being acquired
++ * (gw.list_lock).
+  */
+ static void batadv_gw_node_add(struct batadv_priv *bat_priv,
+                              struct batadv_orig_node *orig_node,
+@@ -355,6 +359,8 @@ static void batadv_gw_node_add(struct ba
+ {
+       struct batadv_gw_node *gw_node;
++      lockdep_assert_held(&bat_priv->gw.list_lock);
++
+       if (gateway->bandwidth_down == 0)
+               return;
+@@ -369,10 +375,8 @@ static void batadv_gw_node_add(struct ba
+       gw_node->bandwidth_down = ntohl(gateway->bandwidth_down);
+       gw_node->bandwidth_up = ntohl(gateway->bandwidth_up);
+-      spin_lock_bh(&bat_priv->gw.list_lock);
+       kref_get(&gw_node->refcount);
+       hlist_add_head_rcu(&gw_node->list, &bat_priv->gw.gateway_list);
+-      spin_unlock_bh(&bat_priv->gw.list_lock);
+       batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
+                  "Found new gateway %pM -> gw bandwidth: %u.%u/%u.%u MBit\n",
+@@ -428,11 +432,14 @@ void batadv_gw_node_update(struct batadv
+ {
+       struct batadv_gw_node *gw_node, *curr_gw = NULL;
++      spin_lock_bh(&bat_priv->gw.list_lock);
+       gw_node = batadv_gw_node_get(bat_priv, orig_node);
+       if (!gw_node) {
+               batadv_gw_node_add(bat_priv, orig_node, gateway);
++              spin_unlock_bh(&bat_priv->gw.list_lock);
+               goto out;
+       }
++      spin_unlock_bh(&bat_priv->gw.list_lock);
+       if (gw_node->bandwidth_down == ntohl(gateway->bandwidth_down) &&
+           gw_node->bandwidth_up == ntohl(gateway->bandwidth_up))
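Review bot: `batadv_gw_node_add()` now runs entirely under `gw.list_lock` with bottom halves disabled, but the added kernel-doc only says the lock must be held and not that the function therefore must not sleep. The allocation between the inner hunks is not visible here, so it should be confirmed to be an atomic one. The same check applies to the allocation in `batadv_tt_global_orig_entry_add()` in batman-adv-prevent-duplicated-global-tt-entry.patch, which is also moved under its list lock. I would extend the kernel-doc with ` * Called in atomic context; must not sleep.`, and add `/* lookup and add must share the lock to avoid a duplicate gw_node */` at the `spin_lock_bh()` in `batadv_gw_node_update()`.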
diff --git a/queue-4.18/batman-adv-prevent-duplicated-global-tt-entry.patch b/queue-4.18/batman-adv-prevent-duplicated-global-tt-entry.patch
new file mode 100644 (file)
index 0000000..032470f
--- /dev/null
@@ -0,0 +1,62 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 12 Aug 2018 21:04:44 +0200
+Subject: batman-adv: Prevent duplicated global TT entry
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit e7136e48ffdfb9f37b0820f619380485eb407361 ]
+
+The function batadv_tt_global_orig_entry_add is responsible for adding new
+tt_orig_list_entry to the orig_list. It first checks whether the entry
+already is in the list or not. If it is, then the creation of a new entry
+is aborted.
+
+But the lock for the list is only held when the list is really modified.
+This could lead to duplicated entries because another context could create
+an entry with the same key between the check and the list manipulation.
+
+The check and the manipulation of the list must therefore be in the same
+locked code section.
+
+Fixes: d657e621a0f5 ("batman-adv: add reference counting for type batadv_tt_orig_list_entry")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/translation-table.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -1613,6 +1613,8 @@ batadv_tt_global_orig_entry_add(struct b
+ {
+       struct batadv_tt_orig_list_entry *orig_entry;
++      spin_lock_bh(&tt_global->list_lock);
++
+       orig_entry = batadv_tt_global_orig_entry_find(tt_global, orig_node);
+       if (orig_entry) {
+               /* refresh the ttvn: the current value could be a bogus one that
+@@ -1635,11 +1637,9 @@ batadv_tt_global_orig_entry_add(struct b
+       orig_entry->flags = flags;
+       kref_init(&orig_entry->refcount);
+-      spin_lock_bh(&tt_global->list_lock);
+       kref_get(&orig_entry->refcount);
+       hlist_add_head_rcu(&orig_entry->list,
+                          &tt_global->orig_list);
+-      spin_unlock_bh(&tt_global->list_lock);
+       atomic_inc(&tt_global->orig_list_count);
+ sync_flags:
+@@ -1647,6 +1647,8 @@ sync_flags:
+ out:
+       if (orig_entry)
+               batadv_tt_orig_list_entry_put(orig_entry);
++
++      spin_unlock_bh(&tt_global->list_lock);
+ }
+ /**
diff --git a/queue-4.18/batman-adv-prevent-duplicated-nc_node-entry.patch b/queue-4.18/batman-adv-prevent-duplicated-nc_node-entry.patch
new file mode 100644 (file)
index 0000000..02975d6
--- /dev/null
@@ -0,0 +1,88 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 12 Aug 2018 21:04:42 +0200
+Subject: batman-adv: Prevent duplicated nc_node entry
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit fa122fec8640eb7186ce5a41b83a4c1744ceef8f ]
+
+The function batadv_nc_get_nc_node is responsible for adding new nc_nodes
+to the in_coding_list and out_coding_list. It first checks whether the
+entry already is in the list or not. If it is, then the creation of a new
+entry is aborted.
+
+But the lock for the list is only held when the list is really modified.
+This could lead to duplicated entries because another context could create
+an entry with the same key between the check and the list manipulation.
+
+The check and the manipulation of the list must therefore be in the same
+locked code section.
+
+Fixes: d56b1705e28c ("batman-adv: network coding - detect coding nodes and remove these after timeout")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/network-coding.c |   27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+--- a/net/batman-adv/network-coding.c
++++ b/net/batman-adv/network-coding.c
+@@ -854,16 +854,27 @@ batadv_nc_get_nc_node(struct batadv_priv
+       spinlock_t *lock; /* Used to lock list selected by "int in_coding" */
+       struct list_head *list;
++      /* Select ingoing or outgoing coding node */
++      if (in_coding) {
++              lock = &orig_neigh_node->in_coding_list_lock;
++              list = &orig_neigh_node->in_coding_list;
++      } else {
++              lock = &orig_neigh_node->out_coding_list_lock;
++              list = &orig_neigh_node->out_coding_list;
++      }
++
++      spin_lock_bh(lock);
++
+       /* Check if nc_node is already added */
+       nc_node = batadv_nc_find_nc_node(orig_node, orig_neigh_node, in_coding);
+       /* Node found */
+       if (nc_node)
+-              return nc_node;
++              goto unlock;
+       nc_node = kzalloc(sizeof(*nc_node), GFP_ATOMIC);
+       if (!nc_node)
+-              return NULL;
++              goto unlock;
+       /* Initialize nc_node */
+       INIT_LIST_HEAD(&nc_node->list);
+@@ -872,22 +883,14 @@ batadv_nc_get_nc_node(struct batadv_priv
+       kref_get(&orig_neigh_node->refcount);
+       nc_node->orig_node = orig_neigh_node;
+-      /* Select ingoing or outgoing coding node */
+-      if (in_coding) {
+-              lock = &orig_neigh_node->in_coding_list_lock;
+-              list = &orig_neigh_node->in_coding_list;
+-      } else {
+-              lock = &orig_neigh_node->out_coding_list_lock;
+-              list = &orig_neigh_node->out_coding_list;
+-      }
+-
+       batadv_dbg(BATADV_DBG_NC, bat_priv, "Adding nc_node %pM -> %pM\n",
+                  nc_node->addr, nc_node->orig_node->orig);
+       /* Add nc_node to orig_node */
+-      spin_lock_bh(lock);
+       kref_get(&nc_node->refcount);
+       list_add_tail_rcu(&nc_node->list, list);
++
++unlock:
+       spin_unlock_bh(lock);
+       return nc_node;
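Review bot: Nothing at the new `spin_lock_bh(lock)` in `batadv_nc_get_nc_node()` records that the lookup has to stay inside the critical section, so a later cleanup could move it back out and reintroduce the duplicate-entry race. A comment such as `/* hold the list lock across lookup and insert so a concurrent caller cannot add the same nc_node */` would pin that down. The `batadv_dbg()` call also now runs with the lock held and bottom halves disabled, which is harmless only if the debug path never sleeps, and that is not visible from this hunk. The function's opening and its kernel-doc lie outside the hunk.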
diff --git a/queue-4.18/batman-adv-prevent-duplicated-softif_vlan-entry.patch b/queue-4.18/batman-adv-prevent-duplicated-softif_vlan-entry.patch
new file mode 100644 (file)
index 0000000..58b34ad
--- /dev/null
@@ -0,0 +1,84 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 12 Aug 2018 21:04:43 +0200
+Subject: batman-adv: Prevent duplicated softif_vlan entry
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit 94cb82f594ed86be303398d6dfc7640a6f1d45d4 ]
+
+The function batadv_softif_vlan_get is responsible for adding new
+softif_vlan to the softif_vlan_list. It first checks whether the entry
+already is in the list or not. If it is, then the creation of a new entry
+is aborted.
+
+But the lock for the list is only held when the list is really modified.
+This could lead to duplicated entries because another context could create
+an entry with the same key between the check and the list manipulation.
+
+The check and the manipulation of the list must therefore be in the same
+locked code section.
+
+Fixes: 5d2c05b21337 ("batman-adv: add per VLAN interface attribute framework")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/soft-interface.c |   25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -574,15 +574,20 @@ int batadv_softif_create_vlan(struct bat
+       struct batadv_softif_vlan *vlan;
+       int err;
++      spin_lock_bh(&bat_priv->softif_vlan_list_lock);
++
+       vlan = batadv_softif_vlan_get(bat_priv, vid);
+       if (vlan) {
+               batadv_softif_vlan_put(vlan);
++              spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
+               return -EEXIST;
+       }
+       vlan = kzalloc(sizeof(*vlan), GFP_ATOMIC);
+-      if (!vlan)
++      if (!vlan) {
++              spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
+               return -ENOMEM;
++      }
+       vlan->bat_priv = bat_priv;
+       vlan->vid = vid;
+@@ -590,17 +595,23 @@ int batadv_softif_create_vlan(struct bat
+       atomic_set(&vlan->ap_isolation, 0);
++      kref_get(&vlan->refcount);
++      hlist_add_head_rcu(&vlan->list, &bat_priv->softif_vlan_list);
++      spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
++
++      /* batadv_sysfs_add_vlan cannot be in the spinlock section due to the
++       * sleeping behavior of the sysfs functions and the fs_reclaim lock
++       */
+       err = batadv_sysfs_add_vlan(bat_priv->soft_iface, vlan);
+       if (err) {
+-              kfree(vlan);
++              /* ref for the function */
++              batadv_softif_vlan_put(vlan);
++
++              /* ref for the list */
++              batadv_softif_vlan_put(vlan);
+               return err;
+       }
+-      spin_lock_bh(&bat_priv->softif_vlan_list_lock);
+-      kref_get(&vlan->refcount);
+-      hlist_add_head_rcu(&vlan->list, &bat_priv->softif_vlan_list);
+-      spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
+-
+       /* add a new TT local entry. This one will be marked with the NOPURGE
+        * flag
+        */
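Review bot: In the `-EEXIST` branch of batadv_softif_create_vlan the reference is dropped with `batadv_softif_vlan_put(vlan);` while `softif_vlan_list_lock` is still held, whereas the tvlv patch in this same queue unlocks before its put. If the release callback behind that put takes the same list lock (it is not visible in this hunk, so this needs confirming), a put that drops the last reference would self-deadlock. Swapping the two lines to `spin_unlock_bh(&bat_priv->softif_vlan_list_lock);` followed by `batadv_softif_vlan_put(vlan);` removes that dependency. The function body continues outside the hunk.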
diff --git a/queue-4.18/batman-adv-prevent-duplicated-tvlv-handler.patch b/queue-4.18/batman-adv-prevent-duplicated-tvlv-handler.patch
new file mode 100644 (file)
index 0000000..a338d30
--- /dev/null
@@ -0,0 +1,62 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 12 Aug 2018 21:04:45 +0200
+Subject: batman-adv: Prevent duplicated tvlv handler
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit ae3cdc97dc10c7a3b31f297dab429bfb774c9ccb ]
+
+The function batadv_tvlv_handler_register is responsible for adding new
+tvlv_handler to the handler_list. It first checks whether the entry
+already is in the list or not. If it is, then the creation of a new entry
+is aborted.
+
+But the lock for the list is only held when the list is really modified.
+This could lead to duplicated entries because another context could create
+an entry with the same key between the check and the list manipulation.
+
+The check and the manipulation of the list must therefore be in the same
+locked code section.
+
+Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/tvlv.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/tvlv.c
++++ b/net/batman-adv/tvlv.c
+@@ -529,15 +529,20 @@ void batadv_tvlv_handler_register(struct
+ {
+       struct batadv_tvlv_handler *tvlv_handler;
++      spin_lock_bh(&bat_priv->tvlv.handler_list_lock);
++
+       tvlv_handler = batadv_tvlv_handler_get(bat_priv, type, version);
+       if (tvlv_handler) {
++              spin_unlock_bh(&bat_priv->tvlv.handler_list_lock);
+               batadv_tvlv_handler_put(tvlv_handler);
+               return;
+       }
+       tvlv_handler = kzalloc(sizeof(*tvlv_handler), GFP_ATOMIC);
+-      if (!tvlv_handler)
++      if (!tvlv_handler) {
++              spin_unlock_bh(&bat_priv->tvlv.handler_list_lock);
+               return;
++      }
+       tvlv_handler->ogm_handler = optr;
+       tvlv_handler->unicast_handler = uptr;
+@@ -547,7 +552,6 @@ void batadv_tvlv_handler_register(struct
+       kref_init(&tvlv_handler->refcount);
+       INIT_HLIST_NODE(&tvlv_handler->list);
+-      spin_lock_bh(&bat_priv->tvlv.handler_list_lock);
+       kref_get(&tvlv_handler->refcount);
+       hlist_add_head_rcu(&tvlv_handler->list, &bat_priv->tvlv.handler_list);
+       spin_unlock_bh(&bat_priv->tvlv.handler_list_lock);
diff --git a/queue-4.18/bpf-sockmap-fix-transition-through-disconnect-without-close.patch b/queue-4.18/bpf-sockmap-fix-transition-through-disconnect-without-close.patch
new file mode 100644 (file)
index 0000000..865bc2c
--- /dev/null
@@ -0,0 +1,138 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: John Fastabend <john.fastabend@gmail.com>
+Date: Tue, 18 Sep 2018 09:01:49 -0700
+Subject: bpf: sockmap, fix transition through disconnect without close
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit b05545e15e1ff1d6a6a8593971275f9cc3e6b92b ]
+
+It is possible (via shutdown()) for TCP socks to go trough TCP_CLOSE
+state via tcp_disconnect() without actually calling tcp_close which
+would then call our bpf_tcp_close() callback. Because of this a user
+could disconnect a socket then put it in a LISTEN state which would
+break our assumptions about sockets always being ESTABLISHED state.
+
+To resolve this rely on the unhash hook, which is called in the
+disconnect case, to remove the sock from the sockmap.
+
+Reported-by: Eric Dumazet <edumazet@google.com>
+Fixes: 1aa12bdf1bfb ("bpf: sockmap, add sock close() hook to remove socks")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/sockmap.c |   60 ++++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 41 insertions(+), 19 deletions(-)
+
+--- a/kernel/bpf/sockmap.c
++++ b/kernel/bpf/sockmap.c
+@@ -132,6 +132,7 @@ struct smap_psock {
+       struct work_struct gc_work;
+       struct proto *sk_proto;
++      void (*save_unhash)(struct sock *sk);
+       void (*save_close)(struct sock *sk, long timeout);
+       void (*save_data_ready)(struct sock *sk);
+       void (*save_write_space)(struct sock *sk);
+@@ -143,6 +144,7 @@ static int bpf_tcp_recvmsg(struct sock *
+ static int bpf_tcp_sendmsg(struct sock *sk, struct msghdr *msg, size_t size);
+ static int bpf_tcp_sendpage(struct sock *sk, struct page *page,
+                           int offset, size_t size, int flags);
++static void bpf_tcp_unhash(struct sock *sk);
+ static void bpf_tcp_close(struct sock *sk, long timeout);
+ static inline struct smap_psock *smap_psock_sk(const struct sock *sk)
+@@ -184,6 +186,7 @@ static void build_protos(struct proto pr
+                        struct proto *base)
+ {
+       prot[SOCKMAP_BASE]                      = *base;
++      prot[SOCKMAP_BASE].unhash               = bpf_tcp_unhash;
+       prot[SOCKMAP_BASE].close                = bpf_tcp_close;
+       prot[SOCKMAP_BASE].recvmsg              = bpf_tcp_recvmsg;
+       prot[SOCKMAP_BASE].stream_memory_read   = bpf_tcp_stream_read;
+@@ -217,6 +220,7 @@ static int bpf_tcp_init(struct sock *sk)
+               return -EBUSY;
+       }
++      psock->save_unhash = sk->sk_prot->unhash;
+       psock->save_close = sk->sk_prot->close;
+       psock->sk_proto = sk->sk_prot;
+@@ -305,30 +309,12 @@ static struct smap_psock_map_entry *psoc
+       return e;
+ }
+-static void bpf_tcp_close(struct sock *sk, long timeout)
++static void bpf_tcp_remove(struct sock *sk, struct smap_psock *psock)
+ {
+-      void (*close_fun)(struct sock *sk, long timeout);
+       struct smap_psock_map_entry *e;
+       struct sk_msg_buff *md, *mtmp;
+-      struct smap_psock *psock;
+       struct sock *osk;
+-      lock_sock(sk);
+-      rcu_read_lock();
+-      psock = smap_psock_sk(sk);
+-      if (unlikely(!psock)) {
+-              rcu_read_unlock();
+-              release_sock(sk);
+-              return sk->sk_prot->close(sk, timeout);
+-      }
+-
+-      /* The psock may be destroyed anytime after exiting the RCU critial
+-       * section so by the time we use close_fun the psock may no longer
+-       * be valid. However, bpf_tcp_close is called with the sock lock
+-       * held so the close hook and sk are still valid.
+-       */
+-      close_fun = psock->save_close;
+-
+       if (psock->cork) {
+               free_start_sg(psock->sock, psock->cork, true);
+               kfree(psock->cork);
+@@ -379,6 +365,42 @@ static void bpf_tcp_close(struct sock *s
+               kfree(e);
+               e = psock_map_pop(sk, psock);
+       }
++}
++
++static void bpf_tcp_unhash(struct sock *sk)
++{
++      void (*unhash_fun)(struct sock *sk);
++      struct smap_psock *psock;
++
++      rcu_read_lock();
++      psock = smap_psock_sk(sk);
++      if (unlikely(!psock)) {
++              rcu_read_unlock();
++              if (sk->sk_prot->unhash)
++                      sk->sk_prot->unhash(sk);
++              return;
++      }
++      unhash_fun = psock->save_unhash;
++      bpf_tcp_remove(sk, psock);
++      rcu_read_unlock();
++      unhash_fun(sk);
++}
++
++static void bpf_tcp_close(struct sock *sk, long timeout)
++{
++      void (*close_fun)(struct sock *sk, long timeout);
++      struct smap_psock *psock;
++
++      lock_sock(sk);
++      rcu_read_lock();
++      psock = smap_psock_sk(sk);
++      if (unlikely(!psock)) {
++              rcu_read_unlock();
++              release_sock(sk);
++              return sk->sk_prot->close(sk, timeout);
++      }
++      close_fun = psock->save_close;
++      bpf_tcp_remove(sk, psock);
+       rcu_read_unlock();
+       release_sock(sk);
+       close_fun(sk, timeout);
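Review bot: bpf_tcp_unhash ends with an unconditional `unhash_fun(sk);`, although its fallback branch guards the same hook with `if (sk->sk_prot->unhash)` and bpf_tcp_init copies `sk->sk_prot->unhash` into `save_unhash` without any check. A protocol with no unhash hook would make this a NULL function-pointer call in the kernel; for TCP the hook is presumably always set, but the two paths should agree: `if (unhash_fun) unhash_fun(sk);`. The refactoring also drops the comment explaining that `close_fun` is read inside the RCU section because the psock may be destroyed afterwards. A one-line comment to that effect above both `close_fun = psock->save_close;` and `unhash_fun = psock->save_unhash;` would keep the lifetime rule visible.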
diff --git a/queue-4.18/bpf-sockmap-only-allow-established-sock-state.patch b/queue-4.18/bpf-sockmap-only-allow-established-sock-state.patch
new file mode 100644 (file)
index 0000000..c34e54f
--- /dev/null
@@ -0,0 +1,95 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: John Fastabend <john.fastabend@gmail.com>
+Date: Tue, 18 Sep 2018 09:01:44 -0700
+Subject: bpf: sockmap only allow ESTABLISHED sock state
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit 5607fff303636d48b88414c6be353d9fed700af2 ]
+
+After this patch we only allow socks that are in ESTABLISHED state or
+are being added via a sock_ops event that is transitioning into an
+ESTABLISHED state. By allowing sock_ops events we allow users to
+manage sockmaps directly from sock ops programs. The two supported
+sock_ops ops are BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB and
+BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB.
+
+Similar to TLS ULP this ensures sk_user_data is correct.
+
+Reported-by: Eric Dumazet <edumazet@google.com>
+Fixes: 1aa12bdf1bfb ("bpf: sockmap, add sock close() hook to remove socks")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/sockmap.c |   31 ++++++++++++++++++++++++++++++-
+ 1 file changed, 30 insertions(+), 1 deletion(-)
+
+--- a/kernel/bpf/sockmap.c
++++ b/kernel/bpf/sockmap.c
+@@ -2100,8 +2100,12 @@ static int sock_map_update_elem(struct b
+               return -EINVAL;
+       }
++      /* ULPs are currently supported only for TCP sockets in ESTABLISHED
++       * state.
++       */
+       if (skops.sk->sk_type != SOCK_STREAM ||
+-          skops.sk->sk_protocol != IPPROTO_TCP) {
++          skops.sk->sk_protocol != IPPROTO_TCP ||
++          skops.sk->sk_state != TCP_ESTABLISHED) {
+               fput(socket->file);
+               return -EOPNOTSUPP;
+       }
+@@ -2456,6 +2460,16 @@ static int sock_hash_update_elem(struct
+               return -EINVAL;
+       }
++      /* ULPs are currently supported only for TCP sockets in ESTABLISHED
++       * state.
++       */
++      if (skops.sk->sk_type != SOCK_STREAM ||
++          skops.sk->sk_protocol != IPPROTO_TCP ||
++          skops.sk->sk_state != TCP_ESTABLISHED) {
++              fput(socket->file);
++              return -EOPNOTSUPP;
++      }
++
+       lock_sock(skops.sk);
+       preempt_disable();
+       rcu_read_lock();
+@@ -2544,10 +2558,22 @@ const struct bpf_map_ops sock_hash_ops =
+       .map_release_uref = sock_map_release,
+ };
++static bool bpf_is_valid_sock_op(struct bpf_sock_ops_kern *ops)
++{
++      return ops->op == BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB ||
++             ops->op == BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB;
++}
+ BPF_CALL_4(bpf_sock_map_update, struct bpf_sock_ops_kern *, bpf_sock,
+          struct bpf_map *, map, void *, key, u64, flags)
+ {
+       WARN_ON_ONCE(!rcu_read_lock_held());
++
++      /* ULPs are currently supported only for TCP sockets in ESTABLISHED
++       * state. This checks that the sock ops triggering the update is
++       * one indicating we are (or will be soon) in an ESTABLISHED state.
++       */
++      if (!bpf_is_valid_sock_op(bpf_sock))
++              return -EOPNOTSUPP;
+       return sock_map_ctx_update_elem(bpf_sock, map, key, flags);
+ }
+@@ -2566,6 +2592,9 @@ BPF_CALL_4(bpf_sock_hash_update, struct
+          struct bpf_map *, map, void *, key, u64, flags)
+ {
+       WARN_ON_ONCE(!rcu_read_lock_held());
++
++      if (!bpf_is_valid_sock_op(bpf_sock))
++              return -EOPNOTSUPP;
+       return sock_hash_ctx_update_elem(bpf_sock, map, key, flags);
+ }
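Review bot: The new `skops.sk->sk_state != TCP_ESTABLISHED` test in sock_hash_update_elem runs before `lock_sock(skops.sk);`, and nothing visible prevents the socket from leaving ESTABLISHED between the check and the insertion. The same test in sock_map_update_elem may be equally unlocked, though its locking is outside the hunk. Since the aim is that only ESTABLISHED sockets enter the map, the state should be re-validated once the sock lock is held, with the failure path releasing whatever has been taken by then. The three-line condition is also duplicated verbatim in both functions; a small helper next to `bpf_is_valid_sock_op` would keep them in step. Both function bodies continue outside the hunks.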
diff --git a/queue-4.18/bpf-test_maps-only-support-established-socks.patch b/queue-4.18/bpf-test_maps-only-support-established-socks.patch
new file mode 100644 (file)
index 0000000..d537560
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: John Fastabend <john.fastabend@gmail.com>
+Date: Tue, 18 Sep 2018 09:01:54 -0700
+Subject: bpf: test_maps, only support ESTABLISHED socks
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit 5028027844cfc6168e39650abecd817ba64c9d98 ]
+
+Ensure that sockets added to a sock{map|hash} that is not in the
+ESTABLISHED state is rejected.
+
+Fixes: 1aa12bdf1bfb ("bpf: sockmap, add sock close() hook to remove socks")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/bpf/test_maps.c |   10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/tools/testing/selftests/bpf/test_maps.c
++++ b/tools/testing/selftests/bpf/test_maps.c
+@@ -566,7 +566,11 @@ static void test_sockmap(int tasks, void
+       /* Test update without programs */
+       for (i = 0; i < 6; i++) {
+               err = bpf_map_update_elem(fd, &i, &sfd[i], BPF_ANY);
+-              if (err) {
++              if (i < 2 && !err) {
++                      printf("Allowed update sockmap '%i:%i' not in ESTABLISHED\n",
++                             i, sfd[i]);
++                      goto out_sockmap;
++              } else if (i >= 2 && err) {
+                       printf("Failed noprog update sockmap '%i:%i'\n",
+                              i, sfd[i]);
+                       goto out_sockmap;
+@@ -727,7 +731,7 @@ static void test_sockmap(int tasks, void
+       }
+       /* Test map update elem afterwards fd lives in fd and map_fd */
+-      for (i = 0; i < 6; i++) {
++      for (i = 2; i < 6; i++) {
+               err = bpf_map_update_elem(map_fd_rx, &i, &sfd[i], BPF_ANY);
+               if (err) {
+                       printf("Failed map_fd_rx update sockmap %i '%i:%i'\n",
+@@ -831,7 +835,7 @@ static void test_sockmap(int tasks, void
+       }
+       /* Delete the elems without programs */
+-      for (i = 0; i < 6; i++) {
++      for (i = 2; i < 6; i++) {
+               err = bpf_map_delete_elem(fd, &i);
+               if (err) {
+                       printf("Failed delete sockmap %i '%i:%i'\n",
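Review bot: The literal `2` now separates sockets that must be rejected from those that must be accepted in three places (`i < 2` and the two loops starting at `i = 2`), with no explanation of why. Presumably sfd[0] and sfd[1] are the sockets that never reach ESTABLISHED, but their setup is outside the hunks. A named constant, or a comment such as `/* sfd[0..1] are not ESTABLISHED and must be refused */` at the first loop, would keep the test readable and stop the three sites drifting apart.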
diff --git a/queue-4.18/clocksource-drivers-fttmr010-fix-set_next_event-handler.patch b/queue-4.18/clocksource-drivers-fttmr010-fix-set_next_event-handler.patch
new file mode 100644 (file)
index 0000000..437ad4a
--- /dev/null
@@ -0,0 +1,65 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Tao Ren <taoren@fb.com>
+Date: Wed, 19 Sep 2018 15:13:31 -0700
+Subject: clocksource/drivers/fttmr010: Fix set_next_event handler
+
+From: Tao Ren <taoren@fb.com>
+
+[ Upstream commit 4451d3f59f2a6f95e5d205c2d04ea072955d080d ]
+
+Currently, the aspeed MATCH1 register is updated to <current_count -
+cycles> in set_next_event handler, with the assumption that COUNT
+register value is preserved when the timer is disabled and it continues
+decrementing after the timer is enabled. But the assumption is wrong:
+RELOAD register is loaded into COUNT register when the aspeed timer is
+enabled, which means the next event may be delayed because timer
+interrupt won't be generated until <0xFFFFFFFF - current_count +
+cycles>.
+
+The problem can be fixed by updating RELOAD register to <cycles>, and
+COUNT register will be re-loaded when the timer is enabled and interrupt
+is generated when COUNT register overflows.
+
+The test result on Facebook Backpack-CMM BMC hardware (AST2500) shows
+the issue is fixed: without the patch, usleep(100) suspends the process
+for several milliseconds (and sometimes even over 40 milliseconds);
+after applying the fix, usleep(100) takes averagely 240 microseconds to
+return under the same workload level.
+
+Signed-off-by: Tao Ren <taoren@fb.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Tested-by: Lei YU <mine260309@gmail.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clocksource/timer-fttmr010.c |   18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+--- a/drivers/clocksource/timer-fttmr010.c
++++ b/drivers/clocksource/timer-fttmr010.c
+@@ -130,13 +130,17 @@ static int fttmr010_timer_set_next_event
+       cr &= ~fttmr010->t1_enable_val;
+       writel(cr, fttmr010->base + TIMER_CR);
+-      /* Setup the match register forward/backward in time */
+-      cr = readl(fttmr010->base + TIMER1_COUNT);
+-      if (fttmr010->count_down)
+-              cr -= cycles;
+-      else
+-              cr += cycles;
+-      writel(cr, fttmr010->base + TIMER1_MATCH1);
++      if (fttmr010->count_down) {
++              /*
++               * ASPEED Timer Controller will load TIMER1_LOAD register
++               * into TIMER1_COUNT register when the timer is re-enabled.
++               */
++              writel(cycles, fttmr010->base + TIMER1_LOAD);
++      } else {
++              /* Setup the match register forward in time */
++              cr = readl(fttmr010->base + TIMER1_COUNT);
++              writel(cr + cycles, fttmr010->base + TIMER1_MATCH1);
++      }
+       /* Start */
+       cr = readl(fttmr010->base + TIMER_CR);
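Review bot: The count-down branch now programs only `TIMER1_LOAD` and leaves `TIMER1_MATCH1` at whatever was written earlier, and its comment justifies this with ASPEED behaviour although the condition tested is `fttmr010->count_down`. Whether a stale match value can still raise an interrupt, and whether count_down is set only on ASPEED parts, depends on init code outside the hunk and should be confirmed. The comment should state both assumptions, e.g. `/* count_down implies ASPEED here; the event fires when COUNT runs out, MATCH1 is not used */`, adjusted to what the init code really guarantees. The function body continues outside the hunk.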
diff --git a/queue-4.18/clocksource-drivers-ti-32k-add-clock_source_suspend_nonstop-flag-for-non-am43-socs.patch b/queue-4.18/clocksource-drivers-ti-32k-add-clock_source_suspend_nonstop-flag-for-non-am43-socs.patch
new file mode 100644 (file)
index 0000000..345bd13
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Keerthy <j-keerthy@ti.com>
+Date: Wed, 8 Aug 2018 18:44:59 +0530
+Subject: clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for non-am43 SoCs
+
+From: Keerthy <j-keerthy@ti.com>
+
+[ Upstream commit 3b7d96a0dbb6b630878597a1838fc39f808b761b ]
+
+The 32k clocksource is NONSTOP for non-am43 SoCs. Hence
+add the flag for all the other SoCs.
+
+Reported-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Keerthy <j-keerthy@ti.com>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clocksource/timer-ti-32k.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/clocksource/timer-ti-32k.c
++++ b/drivers/clocksource/timer-ti-32k.c
+@@ -98,6 +98,9 @@ static int __init ti_32k_timer_init(stru
+               return -ENXIO;
+       }
++      if (!of_machine_is_compatible("ti,am43"))
++              ti_32k_timer.cs.flags |= CLOCK_SOURCE_SUSPEND_NONSTOP;
++
+       ti_32k_timer.counter = ti_32k_timer.base;
+       /*
diff --git a/queue-4.18/cxgb4-fix-abort_req_rss6-struct.patch b/queue-4.18/cxgb4-fix-abort_req_rss6-struct.patch
new file mode 100644 (file)
index 0000000..c943e00
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Steve Wise <swise@opengridcomputing.com>
+Date: Fri, 31 Aug 2018 11:52:00 -0700
+Subject: cxgb4: fix abort_req_rss6 struct
+
+From: Steve Wise <swise@opengridcomputing.com>
+
+[ Upstream commit 9f34519a82356f6cf0ccb8480ee0ed99b3d0af75 ]
+
+Remove the incorrect WR_HDR field which can cause a misinterpretation
+of ABORT CPL by ULDs, such as iw_cxgb4.
+
+Fixes: a3cdaa69e4ae ("cxgb4: Adds CPL support for Shared Receive Queues")
+Signed-off-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/t4_msg.h |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/t4_msg.h
++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_msg.h
+@@ -753,7 +753,6 @@ struct cpl_abort_req_rss {
+ };
+ struct cpl_abort_req_rss6 {
+-      WR_HDR;
+       union opcode_tid ot;
+       __u32 srqidx_status;
+ };
diff --git a/queue-4.18/drm-mali-dp-call-drm_crtc_vblank_reset-on-device-init.patch b/queue-4.18/drm-mali-dp-call-drm_crtc_vblank_reset-on-device-init.patch
new file mode 100644 (file)
index 0000000..91a052d
--- /dev/null
@@ -0,0 +1,36 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Alexandru Gheorghe <alexandru-cosmin.gheorghe@arm.com>
+Date: Mon, 16 Jul 2018 11:07:07 +0100
+Subject: drm: mali-dp: Call drm_crtc_vblank_reset on device init
+
+From: Alexandru Gheorghe <alexandru-cosmin.gheorghe@arm.com>
+
+[ Upstream commit 69be1984ded00a11b1ed0888c6d8e4f35370372f ]
+
+Currently, if userspace calls drm_wait_vblank before the crtc is
+activated the crtc vblank_enable hook is called, which in case of
+malidp driver triggers some warninngs. This happens because on
+device init we don't inform the drm core about the vblank state
+by calling drm_crtc_vblank_on/off/reset which together with
+drm_vblank_get have some magic that prevents calling drm_vblank_enable
+when crtc is off.
+
+Signed-off-by: Alexandru Gheorghe <alexandru-cosmin.gheorghe@arm.com>
+Acked-by: Liviu Dudau <liviu.dudau@arm.com>
+Signed-off-by: Liviu Dudau <liviu.dudau@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/arm/malidp_drv.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/arm/malidp_drv.c
++++ b/drivers/gpu/drm/arm/malidp_drv.c
+@@ -615,6 +615,7 @@ static int malidp_bind(struct device *de
+       drm->irq_enabled = true;
+       ret = drm_vblank_init(drm, drm->mode_config.num_crtc);
++      drm_crtc_vblank_reset(&malidp->crtc);
+       if (ret < 0) {
+               DRM_ERROR("failed to initialise vblank\n");
+               goto vblank_fail;
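Review bot: `drm_crtc_vblank_reset(&malidp->crtc);` sits between `ret = drm_vblank_init(...)` and the `if (ret < 0)` check, so it also runs when vblank initialisation has failed. Depending on what drm_vblank_init leaves behind on failure (not visible here), the reset may then operate on vblank state that was never set up. Moving the call below the error check keeps the failure path from touching it. malidp_bind continues outside the hunk.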
diff --git a/queue-4.18/input-atakbd-fix-atari-capslock-behaviour.patch b/queue-4.18/input-atakbd-fix-atari-capslock-behaviour.patch
new file mode 100644 (file)
index 0000000..124063b
--- /dev/null
@@ -0,0 +1,44 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Michael Schmitz <schmitzmic@gmail.com>
+Date: Mon, 17 Sep 2018 15:27:49 -0700
+Subject: Input: atakbd - fix Atari CapsLock behaviour
+
+From: Michael Schmitz <schmitzmic@gmail.com>
+
+[ Upstream commit 52d2c7bf7c90217fbe875d2d76f310979c48eb83 ]
+
+The CapsLock key on Atari keyboards is not a toggle, it does send the
+normal make and break scancodes.
+
+Drop the CapsLock toggle handling code, which did cause the CapsLock
+key to merely act as a Shift key.
+
+Tested-by: Michael Schmitz <schmitzmic@gmail.com>
+Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
+Signed-off-by: Andreas Schwab <schwab@linux-m68k.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/keyboard/atakbd.c |   10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+--- a/drivers/input/keyboard/atakbd.c
++++ b/drivers/input/keyboard/atakbd.c
+@@ -189,14 +189,8 @@ static void atakbd_interrupt(unsigned ch
+               scancode = atakbd_keycode[scancode];
+-              if (scancode == KEY_CAPSLOCK) { /* CapsLock is a toggle switch key on Amiga */
+-                      input_report_key(atakbd_dev, scancode, 1);
+-                      input_report_key(atakbd_dev, scancode, 0);
+-                      input_sync(atakbd_dev);
+-              } else {
+-                      input_report_key(atakbd_dev, scancode, down);
+-                      input_sync(atakbd_dev);
+-              }
++              input_report_key(atakbd_dev, scancode, down);
++              input_sync(atakbd_dev);
+       } else                          /* scancodes >= 0xf3 are mouse data, most likely */
+               printk(KERN_INFO "atakbd: unhandled scancode %x\n", scancode);
diff --git a/queue-4.18/input-atakbd-fix-atari-keymap.patch b/queue-4.18/input-atakbd-fix-atari-keymap.patch
new file mode 100644 (file)
index 0000000..1698922
--- /dev/null
@@ -0,0 +1,133 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Andreas Schwab <schwab@linux-m68k.org>
+Date: Mon, 17 Sep 2018 12:43:34 -0700
+Subject: Input: atakbd - fix Atari keymap
+
+From: Andreas Schwab <schwab@linux-m68k.org>
+
+[ Upstream commit 9e62df51be993035c577371ffee5477697a56aad ]
+
+Fix errors in Atari keymap (mostly in keypad, help and undo keys).
+
+Patch provided on debian-68k ML by Andreas Schwab <schwab@linux-m68k.org>,
+keymap array size and unhandled scancode limit adjusted to 0x73 by me.
+
+Tested-by: Michael Schmitz <schmitzmic@gmail.com>
+Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
+Signed-off-by: Andreas Schwab <schwab@linux-m68k.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/keyboard/atakbd.c |   64 ++++++++++++++++------------------------
+ 1 file changed, 26 insertions(+), 38 deletions(-)
+
+--- a/drivers/input/keyboard/atakbd.c
++++ b/drivers/input/keyboard/atakbd.c
+@@ -79,8 +79,7 @@ MODULE_LICENSE("GPL");
+  */
+-static unsigned char atakbd_keycode[0x72] = { /* American layout */
+-      [0]      = KEY_GRAVE,
++static unsigned char atakbd_keycode[0x73] = { /* American layout */
+       [1]      = KEY_ESC,
+       [2]      = KEY_1,
+       [3]      = KEY_2,
+@@ -121,9 +120,9 @@ static unsigned char atakbd_keycode[0x72
+       [38]     = KEY_L,
+       [39]     = KEY_SEMICOLON,
+       [40]     = KEY_APOSTROPHE,
+-      [41]     = KEY_BACKSLASH,       /* FIXME, '#' */
++      [41]     = KEY_GRAVE,
+       [42]     = KEY_LEFTSHIFT,
+-      [43]     = KEY_GRAVE,           /* FIXME: '~' */
++      [43]     = KEY_BACKSLASH,
+       [44]     = KEY_Z,
+       [45]     = KEY_X,
+       [46]     = KEY_C,
+@@ -149,45 +148,34 @@ static unsigned char atakbd_keycode[0x72
+       [66]     = KEY_F8,
+       [67]     = KEY_F9,
+       [68]     = KEY_F10,
+-      [69]     = KEY_ESC,
+-      [70]     = KEY_DELETE,
+-      [71]     = KEY_KP7,
+-      [72]     = KEY_KP8,
+-      [73]     = KEY_KP9,
++      [71]     = KEY_HOME,
++      [72]     = KEY_UP,
+       [74]     = KEY_KPMINUS,
+-      [75]     = KEY_KP4,
+-      [76]     = KEY_KP5,
+-      [77]     = KEY_KP6,
++      [75]     = KEY_LEFT,
++      [77]     = KEY_RIGHT,
+       [78]     = KEY_KPPLUS,
+-      [79]     = KEY_KP1,
+-      [80]     = KEY_KP2,
+-      [81]     = KEY_KP3,
+-      [82]     = KEY_KP0,
+-      [83]     = KEY_KPDOT,
+-      [90]     = KEY_KPLEFTPAREN,
+-      [91]     = KEY_KPRIGHTPAREN,
+-      [92]     = KEY_KPASTERISK,      /* FIXME */
+-      [93]     = KEY_KPASTERISK,
+-      [94]     = KEY_KPPLUS,
+-      [95]     = KEY_HELP,
++      [80]     = KEY_DOWN,
++      [82]     = KEY_INSERT,
++      [83]     = KEY_DELETE,
+       [96]     = KEY_102ND,
+-      [97]     = KEY_KPASTERISK,      /* FIXME */
+-      [98]     = KEY_KPSLASH,
++      [97]     = KEY_UNDO,
++      [98]     = KEY_HELP,
+       [99]     = KEY_KPLEFTPAREN,
+       [100]    = KEY_KPRIGHTPAREN,
+       [101]    = KEY_KPSLASH,
+       [102]    = KEY_KPASTERISK,
+-      [103]    = KEY_UP,
+-      [104]    = KEY_KPASTERISK,      /* FIXME */
+-      [105]    = KEY_LEFT,
+-      [106]    = KEY_RIGHT,
+-      [107]    = KEY_KPASTERISK,      /* FIXME */
+-      [108]    = KEY_DOWN,
+-      [109]    = KEY_KPASTERISK,      /* FIXME */
+-      [110]    = KEY_KPASTERISK,      /* FIXME */
+-      [111]    = KEY_KPASTERISK,      /* FIXME */
+-      [112]    = KEY_KPASTERISK,      /* FIXME */
+-      [113]    = KEY_KPASTERISK       /* FIXME */
++      [103]    = KEY_KP7,
++      [104]    = KEY_KP8,
++      [105]    = KEY_KP9,
++      [106]    = KEY_KP4,
++      [107]    = KEY_KP5,
++      [108]    = KEY_KP6,
++      [109]    = KEY_KP1,
++      [110]    = KEY_KP2,
++      [111]    = KEY_KP3,
++      [112]    = KEY_KP0,
++      [113]    = KEY_KPDOT,
++      [114]    = KEY_KPENTER,
+ };
+ static struct input_dev *atakbd_dev;
+@@ -195,7 +183,7 @@ static struct input_dev *atakbd_dev;
+ static void atakbd_interrupt(unsigned char scancode, char down)
+ {
+-      if (scancode < 0x72) {          /* scancodes < 0xf2 are keys */
++      if (scancode < 0x73) {          /* scancodes < 0xf3 are keys */
+               // report raw events here?
+@@ -209,7 +197,7 @@ static void atakbd_interrupt(unsigned ch
+                       input_report_key(atakbd_dev, scancode, down);
+                       input_sync(atakbd_dev);
+               }
+-      } else                          /* scancodes >= 0xf2 are mouse data, most likely */
++      } else                          /* scancodes >= 0xf3 are mouse data, most likely */
+               printk(KERN_INFO "atakbd: unhandled scancode %x\n", scancode);
+       return;
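Review bot: The bound `scancode < 0x73` in atakbd_interrupt has to be kept in step by hand with the size in `atakbd_keycode[0x73]`, which is why this patch changes the same constant in two places. The CapsLock patch in this queue shows the scancode indexing the table (`atakbd_keycode[scancode]`), so deriving the limit from the table prevents an out-of-bounds read the next time the map grows: `if (scancode < ARRAY_SIZE(atakbd_keycode)) {`. The adjacent comments speak of 0xf3 while the code compares against 0x73; they should either explain the 0x80 difference or be corrected. The function body continues outside the hunk.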
diff --git a/queue-4.18/intel_th-pci-add-ice-lake-pch-support.patch b/queue-4.18/intel_th-pci-add-ice-lake-pch-support.patch
new file mode 100644 (file)
index 0000000..3157ff1
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Tue, 18 Sep 2018 16:10:49 +0300
+Subject: intel_th: pci: Add Ice Lake PCH support
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+[ Upstream commit 59d08d00d43c644ee2011d7ff1807bdd69f31fe0 ]
+
+This adds Intel(R) Trace Hub PCI ID for Ice Lake PCH.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/intel_th/pci.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/pci.c
++++ b/drivers/hwtracing/intel_th/pci.c
+@@ -160,6 +160,11 @@ static const struct pci_device_id intel_
+               PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x18e1),
+               .driver_data = (kernel_ulong_t)&intel_th_2x,
+       },
++      {
++              /* Ice Lake PCH */
++              PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x34a6),
++              .driver_data = (kernel_ulong_t)&intel_th_2x,
++      },
+       { 0 },
+ };
diff --git a/queue-4.18/iommu-amd-return-devid-as-alias-for-acpi-hid-devices.patch b/queue-4.18/iommu-amd-return-devid-as-alias-for-acpi-hid-devices.patch
new file mode 100644 (file)
index 0000000..f07c606
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Arindam Nath <arindam.nath@amd.com>
+Date: Tue, 18 Sep 2018 15:40:58 +0530
+Subject: iommu/amd: Return devid as alias for ACPI HID devices
+
+From: Arindam Nath <arindam.nath@amd.com>
+
+[ Upstream commit 5ebb1bc2d63d90dd204169e21fd7a0b4bb8c776e ]
+
+ACPI HID devices do not actually have an alias for
+them in the IVRS. But dev_data->alias is still used
+for indexing into the IOMMU device table for devices
+being handled by the IOMMU. So for ACPI HID devices,
+we simply return the corresponding devid as an alias,
+as parsed from IVRS table.
+
+Signed-off-by: Arindam Nath <arindam.nath@amd.com>
+Fixes: 2bf9a0a12749 ('iommu/amd: Add iommu support for ACPI HID devices')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/amd_iommu.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -246,7 +246,13 @@ static u16 get_alias(struct device *dev)
+       /* The callers make sure that get_device_id() does not fail here */
+       devid = get_device_id(dev);
++
++      /* For ACPI HID devices, we simply return the devid as such */
++      if (!dev_is_pci(dev))
++              return devid;
++
+       ivrs_alias = amd_iommu_alias_table[devid];
++
+       pci_for_each_dma_alias(pdev, __last_alias, &pci_alias);
+       if (ivrs_alias == pci_alias)
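Review bot: The new comment at the `!dev_is_pci(dev)` check says what is returned but not why the return has to sit at this exact place. `pdev` is passed to pci_for_each_dma_alias() a few lines below, and for an ACPI HID device that pointer would not refer to a real struct pci_dev, so the early return is what keeps the PCI-only path from running on a non-PCI device. I would word the comment as `/* ACPI HID devices are not PCI and have no IVRS alias: return devid before pdev is used */`. The declaration of pdev and the rest of get_alias() are outside the hunk, so the exact origin of pdev should be confirmed there.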
diff --git a/queue-4.18/iommu-rockchip-free-irqs-in-shutdown-handler.patch b/queue-4.18/iommu-rockchip-free-irqs-in-shutdown-handler.patch
new file mode 100644 (file)
index 0000000..ad624b1
--- /dev/null
@@ -0,0 +1,44 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Heiko Stuebner <heiko@sntech.de>
+Date: Mon, 27 Aug 2018 12:56:24 +0200
+Subject: iommu/rockchip: Free irqs in shutdown handler
+
+From: Heiko Stuebner <heiko@sntech.de>
+
+[ Upstream commit 74bc2abca7603c956d1e331e8b9bee7b874c1eec ]
+
+In the iommu's shutdown handler we disable runtime-pm which could
+result in the irq-handler running unclocked and since commit
+    3fc7c5c0cff3 ("iommu/rockchip: Handle errors returned from PM framework")
+we warn about that fact.
+
+This can cause warnings on shutdown on some Rockchip machines, so
+free the irqs in the shutdown handler before we disable runtime-pm.
+
+Reported-by: Enric Balletbo i Serra <enric.balletbo@collabora.com>
+Fixes: 3fc7c5c0cff3 ("iommu/rockchip: Handle errors returned from PM framework")
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Tested-by: Enric Balletbo i Serra <enric.balletbo@collabora.com>
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/rockchip-iommu.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/iommu/rockchip-iommu.c
++++ b/drivers/iommu/rockchip-iommu.c
+@@ -1242,6 +1242,12 @@ err_unprepare_clocks:
+ static void rk_iommu_shutdown(struct platform_device *pdev)
+ {
++      struct rk_iommu *iommu = platform_get_drvdata(pdev);
++      int i = 0, irq;
++
++      while ((irq = platform_get_irq(pdev, i++)) != -ENXIO)
++              devm_free_irq(iommu->dev, irq, iommu);
++
+       pm_runtime_force_suspend(&pdev->dev);
+ }
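Review bot: The loop in rk_iommu_shutdown() stops only when platform_get_irq() returns exactly -ENXIO, so any other negative return would be handed to devm_free_irq() as if it were an interrupt number and the loop would carry on to the next index. Which other error codes platform_get_irq() can produce for this device is not visible on this page, but terminating on every failure costs nothing: `while ((irq = platform_get_irq(pdev, i++)) >= 0)`. It would also help to add a one-line comment that the irqs are released before pm_runtime_force_suspend() so the handler cannot run with the clocks off.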
diff --git a/queue-4.18/media-af9035-prevent-buffer-overflow-on-write.patch b/queue-4.18/media-af9035-prevent-buffer-overflow-on-write.patch
new file mode 100644 (file)
index 0000000..065ae5c
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Thu Oct 18 11:08:34 CEST 2018
+From: Jozef Balga <jozef.balga@gmail.com>
+Date: Tue, 21 Aug 2018 05:01:04 -0400
+Subject: media: af9035: prevent buffer overflow on write
+
+From: Jozef Balga <jozef.balga@gmail.com>
+
+[ Upstream commit 312f73b648626a0526a3aceebb0a3192aaba05ce ]
+
+When less than 3 bytes are written to the device, memcpy is called with
+negative array size which leads to buffer overflow and kernel panic. This
+patch adds a condition and returns -EOPNOTSUPP instead.
+Fixes bugzilla issue 64871
+
+[mchehab+samsung@kernel.org: fix a merge conflict and changed the
+ condition to match the patch's comment, e. g. len == 3 could
+ also be valid]
+Signed-off-by: Jozef Balga <jozef.balga@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/dvb-usb-v2/af9035.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb-v2/af9035.c
++++ b/drivers/media/usb/dvb-usb-v2/af9035.c
+@@ -402,8 +402,10 @@ static int af9035_i2c_master_xfer(struct
+                       if (msg[0].addr == state->af9033_i2c_addr[1])
+                               reg |= 0x100000;
+-                      ret = af9035_wr_regs(d, reg, &msg[0].buf[3],
+-                                      msg[0].len - 3);
++                      ret = (msg[0].len >= 3) ? af9035_wr_regs(d, reg,
++                                                               &msg[0].buf[3],
++                                                               msg[0].len - 3)
++                                              : -EOPNOTSUPP;
+               } else {
+                       /* I2C write */
+                       u8 buf[MAX_XFER_SIZE];
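Review bot: The length test guards only the af9035_wr_regs() call, yet `reg` is already in use on the line above (`reg |= 0x100000`), so it was built before the check runs. If `reg` is assembled from msg[0].buf[0..2], as the buf[3] offset suggests, a message shorter than three bytes is still read past its end before -EOPNOTSUPP is returned; the assignment is outside the hunk and should be confirmed there. Testing `msg[0].len < 3` ahead of any access to msg[0].buf would close that, and a plain statement reads better than the four-line conditional expression: `if (msg[0].len < 3) ret = -EOPNOTSUPP; else ret = af9035_wr_regs(d, reg, &msg[0].buf[3], msg[0].len - 3);`.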
diff --git a/queue-4.18/net-emac-fix-fixed-link-setup-for-the-rtl8363sb-switch.patch b/queue-4.18/net-emac-fix-fixed-link-setup-for-the-rtl8363sb-switch.patch
new file mode 100644 (file)
index 0000000..e228451
--- /dev/null
@@ -0,0 +1,54 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Christian Lamparter <chunkeey@gmail.com>
+Date: Mon, 17 Sep 2018 17:22:40 +0200
+Subject: net: emac: fix fixed-link setup for the RTL8363SB switch
+
+From: Christian Lamparter <chunkeey@gmail.com>
+
+[ Upstream commit 08e39982ef64f800fd1f9b9b92968d14d5fafa82 ]
+
+On the Netgear WNDAP620, the emac ethernet isn't receiving nor
+xmitting any frames from/to the RTL8363SB (identifies itself
+as a RTL8367RB).
+
+This is caused by the emac hardware not knowing the forced link
+parameters for speed, duplex, pause, etc.
+
+This begs the question, how this was working on the original
+driver code, when it was necessary to set the phy_address and
+phy_map to 0xffffffff. But I guess without access to the old
+PPC405/440/460 hardware, it's not possible to know.
+
+Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/emac/core.c |   15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/ibm/emac/core.c
++++ b/drivers/net/ethernet/ibm/emac/core.c
+@@ -2677,12 +2677,17 @@ static int emac_init_phy(struct emac_ins
+               if (of_phy_is_fixed_link(np)) {
+                       int res = emac_dt_mdio_probe(dev);
+-                      if (!res) {
+-                              res = of_phy_register_fixed_link(np);
+-                              if (res)
+-                                      mdiobus_unregister(dev->mii_bus);
++                      if (res)
++                              return res;
++
++                      res = of_phy_register_fixed_link(np);
++                      dev->phy_dev = of_phy_find_device(np);
++                      if (res || !dev->phy_dev) {
++                              mdiobus_unregister(dev->mii_bus);
++                              return res ? res : -EINVAL;
+                       }
+-                      return res;
++                      emac_adjust_link(dev->ndev);
++                      put_device(&dev->phy_dev->mdio.dev);
+               }
+               return 0;
+       }
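Review bot: The combined `res || !dev->phy_dev` failure branch in emac_init_phy() leaves two things behind: when of_phy_register_fixed_link() succeeded but the lookup failed, the fixed link stays registered, and when the registration failed but the lookup succeeded, the reference taken by of_phy_find_device() is never dropped. Splitting the two checks makes each cleanup explicit. Separately, dev->phy_dev stays set after the put_device() call, so the driver keeps a pointer it no longer holds a reference for; whether later code dereferences it is not visible in this hunk, but either holding the reference for as long as the pointer is stored or documenting why the device cannot go away would make the lifetime clear. The enclosing function begins and ends outside the hunk.
```c
			res = of_phy_register_fixed_link(np);
			if (res) {
				mdiobus_unregister(dev->mii_bus);
				return res;
			}

			dev->phy_dev = of_phy_find_device(np);
			if (!dev->phy_dev) {
				/* undo the registration done just above */
				of_phy_deregister_fixed_link(np);
				mdiobus_unregister(dev->mii_bus);
				return -EINVAL;
			}
			/* … unchanged: emac_adjust_link() and put_device() … */
```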
diff --git a/queue-4.18/net-mlx4-use-cpumask_available-for-eq-affinity_mask.patch b/queue-4.18/net-mlx4-use-cpumask_available-for-eq-affinity_mask.patch
new file mode 100644 (file)
index 0000000..e6f15c5
--- /dev/null
@@ -0,0 +1,44 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Fri, 21 Sep 2018 02:44:12 -0700
+Subject: net/mlx4: Use cpumask_available for eq->affinity_mask
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit 8ac1ee6f4d62e781e3b3fd8b9c42b70371427669 ]
+
+Clang warns that the address of a pointer will always evaluated as true
+in a boolean context:
+
+drivers/net/ethernet/mellanox/mlx4/eq.c:243:11: warning: address of
+array 'eq->affinity_mask' will always evaluate to 'true'
+[-Wpointer-bool-conversion]
+        if (!eq->affinity_mask || cpumask_empty(eq->affinity_mask))
+            ~~~~~^~~~~~~~~~~~~
+1 warning generated.
+
+Use cpumask_available, introduced in commit f7e30f01a9e2 ("cpumask: Add
+helper cpumask_available()"), which does the proper checking and avoids
+this warning.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/86
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/eq.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/eq.c
++++ b/drivers/net/ethernet/mellanox/mlx4/eq.c
+@@ -240,7 +240,8 @@ static void mlx4_set_eq_affinity_hint(st
+       struct mlx4_dev *dev = &priv->dev;
+       struct mlx4_eq *eq = &priv->eq_table.eq[vec];
+-      if (!eq->affinity_mask || cpumask_empty(eq->affinity_mask))
++      if (!cpumask_available(eq->affinity_mask) ||
++          cpumask_empty(eq->affinity_mask))
+               return;
+       hint_err = irq_set_affinity_hint(eq->irq, eq->affinity_mask);
diff --git a/queue-4.18/net-smc-fix-non-blocking-connect-problem.patch b/queue-4.18/net-smc-fix-non-blocking-connect-problem.patch
new file mode 100644 (file)
index 0000000..ac599d4
--- /dev/null
@@ -0,0 +1,48 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Ursula Braun <ubraun@linux.ibm.com>
+Date: Tue, 18 Sep 2018 15:46:34 +0200
+Subject: net/smc: fix non-blocking connect problem
+
+From: Ursula Braun <ubraun@linux.ibm.com>
+
+[ Upstream commit 648a5a7aed346c3b8fe7c32a835edfb0dfbf4451 ]
+
+In state SMC_INIT smc_poll() delegates polling to the internal
+CLC socket. This means, once the connect worker has finished
+its kernel_connect() step, the poll wake-up may occur. This is not
+intended. The wake-up should occur from the wake up call in
+smc_connect_work() after __smc_connect() has finished.
+Thus in state SMC_INIT this patch now calls sock_poll_wait() on the
+main SMC socket.
+
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/smc/af_smc.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -612,7 +612,10 @@ static void smc_connect_work(struct work
+               smc->sk.sk_err = -rc;
+ out:
+-      smc->sk.sk_state_change(&smc->sk);
++      if (smc->sk.sk_err)
++              smc->sk.sk_state_change(&smc->sk);
++      else
++              smc->sk.sk_write_space(&smc->sk);
+       kfree(smc->connect_info);
+       smc->connect_info = NULL;
+       release_sock(&smc->sk);
+@@ -1345,7 +1348,7 @@ static __poll_t smc_poll(struct file *fi
+               return EPOLLNVAL;
+       smc = smc_sk(sock->sk);
+-      if ((sk->sk_state == SMC_INIT) || smc->use_fallback) {
++      if (smc->use_fallback) {
+               /* delegate to CLC child sock */
+               mask = smc->clcsock->ops->poll(file, smc->clcsock, wait);
+               sk->sk_err = smc->clcsock->sk->sk_err;
diff --git a/queue-4.18/net-smc-fix-sizeof-to-int-comparison.patch b/queue-4.18/net-smc-fix-sizeof-to-int-comparison.patch
new file mode 100644 (file)
index 0000000..82e3388
--- /dev/null
@@ -0,0 +1,45 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 18 Sep 2018 15:46:38 +0200
+Subject: net/smc: fix sizeof to int comparison
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 381897798a94065ffcad0772eecdc6b04a7ff23d ]
+
+Comparing an int to a size, which is unsigned, causes the int to become
+unsigned, giving the wrong result. kernel_sendmsg can return a negative
+error code.
+
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/smc/smc_clc.c |   14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+--- a/net/smc/smc_clc.c
++++ b/net/smc/smc_clc.c
+@@ -405,14 +405,12 @@ int smc_clc_send_proposal(struct smc_soc
+       vec[i++].iov_len = sizeof(trl);
+       /* due to the few bytes needed for clc-handshake this cannot block */
+       len = kernel_sendmsg(smc->clcsock, &msg, vec, i, plen);
+-      if (len < sizeof(pclc)) {
+-              if (len >= 0) {
+-                      reason_code = -ENETUNREACH;
+-                      smc->sk.sk_err = -reason_code;
+-              } else {
+-                      smc->sk.sk_err = smc->clcsock->sk->sk_err;
+-                      reason_code = -smc->sk.sk_err;
+-              }
++      if (len < 0) {
++              smc->sk.sk_err = smc->clcsock->sk->sk_err;
++              reason_code = -smc->sk.sk_err;
++      } else if (len < (int)sizeof(pclc)) {
++              reason_code = -ENETUNREACH;
++              smc->sk.sk_err = -reason_code;
+       }
+       return reason_code;
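Review bot: On the `len < 0` branch the error is still taken from `smc->clcsock->sk->sk_err` rather than from `len`, so if the failed kernel_sendmsg() left sk_err at 0, reason_code becomes 0 and the caller sees a successful proposal. Whether sk_err is always set on that path cannot be told from this hunk; using the returned value removes the dependency: `smc->sk.sk_err = -len;` followed by `reason_code = len;`. The short-send test also compares against sizeof(pclc) while plen bytes were handed to kernel_sendmsg(), so a send that covers the header but not the full plen would pass; if that is intended, a comment saying so would help. smc_clc_send_proposal() starts outside the hunk.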
diff --git a/queue-4.18/pci-dwc-fix-scheduling-while-atomic-issues.patch b/queue-4.18/pci-dwc-fix-scheduling-while-atomic-issues.patch
new file mode 100644 (file)
index 0000000..7ba6e88
--- /dev/null
@@ -0,0 +1,89 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
+Date: Thu, 20 Sep 2018 16:32:52 -0500
+Subject: PCI: dwc: Fix scheduling while atomic issues
+
+From: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
+
+[ Upstream commit 9024143e700f89d74b8cdaf316a3499d74fc56fe ]
+
+When programming the inbound/outbound ATUs, we call usleep_range() after
+each checking PCIE_ATU_ENABLE bit. Unfortunately, the ATU programming
+can be executed in atomic context:
+
+inbound ATU programming could be called through
+pci_epc_write_header()
+  =>dw_pcie_ep_write_header()
+    =>dw_pcie_prog_inbound_atu()
+
+outbound ATU programming could be called through
+pci_bus_read_config_dword()
+  =>dw_pcie_rd_conf()
+    =>dw_pcie_prog_outbound_atu()
+
+Fix this issue by calling mdelay() instead.
+
+Fixes: f8aed6ec624f ("PCI: dwc: designware: Add EP mode support")
+Fixes: d8bbeb39fbf3 ("PCI: designware: Wait for iATU enable")
+Signed-off-by: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
+[lorenzo.pieralisi@arm.com: commit log update]
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-by: Gustavo Pimentel <gustavo.pimentel@synopsys.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/dwc/pcie-designware.c |    8 ++++----
+ drivers/pci/controller/dwc/pcie-designware.h |    3 +--
+ 2 files changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/pci/controller/dwc/pcie-designware.c
++++ b/drivers/pci/controller/dwc/pcie-designware.c
+@@ -135,7 +135,7 @@ static void dw_pcie_prog_outbound_atu_un
+               if (val & PCIE_ATU_ENABLE)
+                       return;
+-              usleep_range(LINK_WAIT_IATU_MIN, LINK_WAIT_IATU_MAX);
++              mdelay(LINK_WAIT_IATU);
+       }
+       dev_err(pci->dev, "Outbound iATU is not being enabled\n");
+ }
+@@ -178,7 +178,7 @@ void dw_pcie_prog_outbound_atu(struct dw
+               if (val & PCIE_ATU_ENABLE)
+                       return;
+-              usleep_range(LINK_WAIT_IATU_MIN, LINK_WAIT_IATU_MAX);
++              mdelay(LINK_WAIT_IATU);
+       }
+       dev_err(pci->dev, "Outbound iATU is not being enabled\n");
+ }
+@@ -236,7 +236,7 @@ static int dw_pcie_prog_inbound_atu_unro
+               if (val & PCIE_ATU_ENABLE)
+                       return 0;
+-              usleep_range(LINK_WAIT_IATU_MIN, LINK_WAIT_IATU_MAX);
++              mdelay(LINK_WAIT_IATU);
+       }
+       dev_err(pci->dev, "Inbound iATU is not being enabled\n");
+@@ -282,7 +282,7 @@ int dw_pcie_prog_inbound_atu(struct dw_p
+               if (val & PCIE_ATU_ENABLE)
+                       return 0;
+-              usleep_range(LINK_WAIT_IATU_MIN, LINK_WAIT_IATU_MAX);
++              mdelay(LINK_WAIT_IATU);
+       }
+       dev_err(pci->dev, "Inbound iATU is not being enabled\n");
+--- a/drivers/pci/controller/dwc/pcie-designware.h
++++ b/drivers/pci/controller/dwc/pcie-designware.h
+@@ -26,8 +26,7 @@
+ /* Parameters for the waiting for iATU enabled routine */
+ #define LINK_WAIT_MAX_IATU_RETRIES    5
+-#define LINK_WAIT_IATU_MIN            9000
+-#define LINK_WAIT_IATU_MAX            10000
++#define LINK_WAIT_IATU                        9
+ /* Synopsys-specific PCIe configuration registers */
+ #define PCIE_PORT_LINK_CONTROL                0x710
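Review bot: The new `LINK_WAIT_IATU` define silently changes unit, from the microsecond pair it replaces to a millisecond value passed to mdelay(), and nothing at the definition says so. I would add the unit and the reason for the busy-wait there: `#define LINK_WAIT_IATU 9 /* ms; busy-waited with mdelay(), callers may be atomic */`. If each polling loop runs LINK_WAIT_MAX_IATU_RETRIES times (the loop heads are outside the hunks), a stuck iATU costs about 45 ms of spinning per call in all four functions touched in pcie-designware.c, which is worth stating in the comment above the defines.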
diff --git a/queue-4.18/pinctrl-amd-poll-interruptenable-bits-in-amd_gpio_irq_set_type.patch b/queue-4.18/pinctrl-amd-poll-interruptenable-bits-in-amd_gpio_irq_set_type.patch
new file mode 100644 (file)
index 0000000..fbc16cf
--- /dev/null
@@ -0,0 +1,98 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Daniel Kurtz <djkurtz@chromium.org>
+Date: Sat, 22 Sep 2018 13:58:26 -0600
+Subject: pinctrl/amd: poll InterruptEnable bits in amd_gpio_irq_set_type
+
+From: Daniel Kurtz <djkurtz@chromium.org>
+
+[ Upstream commit b85bfa246efd24ea3fdb5ee949c28e3110c6d299 ]
+
+>From the AMD BKDG, if WAKE_INT_MASTER_REG.MaskStsEn is set, a software
+write to the debounce registers of *any* gpio will block wake/interrupt
+status generation for *all* gpios for a length of time that depends on
+WAKE_INT_MASTER_REG.MaskStsLength[11:0].  During this period the Interrupt
+Delivery bit (INTERRUPT_ENABLE) will read as 0.
+
+In commit 4c1de0414a1340 ("pinctrl/amd: poll InterruptEnable bits in
+enable_irq") we tried to fix this same "gpio Interrupts are blocked
+immediately after writing debounce registers" problem, but incorrectly
+assumed it only affected the gpio whose debounce was being configured
+and not ALL gpios.
+
+To solve this for all gpios, we move the polling loop from
+amd_gpio_irq_enable() to amd_gpio_irq_set_type(), while holding the gpio
+spinlock.  This ensures that another gpio operation (e.g.
+amd_gpio_irq_unmask()) can read a temporarily disabled IRQ and
+incorrectly disable it while trying to modify some other register bits.
+
+Fixes: 4c1de0414a1340 pinctrl/amd: poll InterruptEnable bits in enable_irq
+Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinctrl-amd.c |   33 +++++++++++++++++++++++----------
+ 1 file changed, 23 insertions(+), 10 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-amd.c
++++ b/drivers/pinctrl/pinctrl-amd.c
+@@ -348,21 +348,12 @@ static void amd_gpio_irq_enable(struct i
+       unsigned long flags;
+       struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
+       struct amd_gpio *gpio_dev = gpiochip_get_data(gc);
+-      u32 mask = BIT(INTERRUPT_ENABLE_OFF) | BIT(INTERRUPT_MASK_OFF);
+       raw_spin_lock_irqsave(&gpio_dev->lock, flags);
+       pin_reg = readl(gpio_dev->base + (d->hwirq)*4);
+       pin_reg |= BIT(INTERRUPT_ENABLE_OFF);
+       pin_reg |= BIT(INTERRUPT_MASK_OFF);
+       writel(pin_reg, gpio_dev->base + (d->hwirq)*4);
+-      /*
+-       * When debounce logic is enabled it takes ~900 us before interrupts
+-       * can be enabled.  During this "debounce warm up" period the
+-       * "INTERRUPT_ENABLE" bit will read as 0. Poll the bit here until it
+-       * reads back as 1, signaling that interrupts are now enabled.
+-       */
+-      while ((readl(gpio_dev->base + (d->hwirq)*4) & mask) != mask)
+-              continue;
+       raw_spin_unlock_irqrestore(&gpio_dev->lock, flags);
+ }
+@@ -426,7 +417,7 @@ static void amd_gpio_irq_eoi(struct irq_
+ static int amd_gpio_irq_set_type(struct irq_data *d, unsigned int type)
+ {
+       int ret = 0;
+-      u32 pin_reg;
++      u32 pin_reg, pin_reg_irq_en, mask;
+       unsigned long flags, irq_flags;
+       struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
+       struct amd_gpio *gpio_dev = gpiochip_get_data(gc);
+@@ -495,6 +486,28 @@ static int amd_gpio_irq_set_type(struct
+       }
+       pin_reg |= CLR_INTR_STAT << INTERRUPT_STS_OFF;
++      /*
++       * If WAKE_INT_MASTER_REG.MaskStsEn is set, a software write to the
++       * debounce registers of any GPIO will block wake/interrupt status
++       * generation for *all* GPIOs for a lenght of time that depends on
++       * WAKE_INT_MASTER_REG.MaskStsLength[11:0].  During this period the
++       * INTERRUPT_ENABLE bit will read as 0.
++       *
++       * We temporarily enable irq for the GPIO whose configuration is
++       * changing, and then wait for it to read back as 1 to know when
++       * debounce has settled and then disable the irq again.
++       * We do this polling with the spinlock held to ensure other GPIO
++       * access routines do not read an incorrect value for the irq enable
++       * bit of other GPIOs.  We keep the GPIO masked while polling to avoid
++       * spurious irqs, and disable the irq again after polling.
++       */
++      mask = BIT(INTERRUPT_ENABLE_OFF);
++      pin_reg_irq_en = pin_reg;
++      pin_reg_irq_en |= mask;
++      pin_reg_irq_en &= ~BIT(INTERRUPT_MASK_OFF);
++      writel(pin_reg_irq_en, gpio_dev->base + (d->hwirq)*4);
++      while ((readl(gpio_dev->base + (d->hwirq)*4) & mask) != mask)
++              continue;
+       writel(pin_reg, gpio_dev->base + (d->hwirq)*4);
+       raw_spin_unlock_irqrestore(&gpio_dev->lock, flags);
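Review bot: The polling loop added to amd_gpio_irq_set_type() has no exit other than the INTERRUPT_ENABLE bit reading back as 1, and it runs with gpio_dev->lock held and interrupts disabled, so hardware that never sets the bit would hang the CPU with the lock taken. A retry limit with a short delay between reads, followed by restoring `pin_reg` and reporting the failure through `ret`, would turn that into a recoverable error; the limit should be derived from the largest MaskStsLength period, which this page does not give. The new comment block also has a typo, `lenght` for `length`. The function's opening and its return are outside the hunk.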
diff --git a/queue-4.18/powerpc-numa-use-associativity-if-vphn-hcall-is-successful.patch b/queue-4.18/powerpc-numa-use-associativity-if-vphn-hcall-is-successful.patch
new file mode 100644 (file)
index 0000000..4496f29
--- /dev/null
@@ -0,0 +1,88 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Date: Tue, 25 Sep 2018 17:55:15 +0530
+Subject: powerpc/numa: Use associativity if VPHN hcall is successful
+
+From: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+
+[ Upstream commit 2483ef056f6e42f61cd266452e2841165dfe1b5c ]
+
+Currently associativity is used to lookup node-id even if the
+preceding VPHN hcall failed. However this can cause CPU to be made
+part of the wrong node, (most likely to be node 0). This is because
+VPHN is not enabled on KVM guests.
+
+With 2ea6263 ("powerpc/topology: Get topology for shared processors at
+boot"), associativity is used to set to the wrong node. Hence KVM
+guest topology is broken.
+
+For example : A 4 node KVM guest before would have reported.
+
+  [root@localhost ~]#  numactl -H
+  available: 4 nodes (0-3)
+  node 0 cpus: 0 1 2 3
+  node 0 size: 1746 MB
+  node 0 free: 1604 MB
+  node 1 cpus: 4 5 6 7
+  node 1 size: 2044 MB
+  node 1 free: 1765 MB
+  node 2 cpus: 8 9 10 11
+  node 2 size: 2044 MB
+  node 2 free: 1837 MB
+  node 3 cpus: 12 13 14 15
+  node 3 size: 2044 MB
+  node 3 free: 1903 MB
+  node distances:
+  node   0   1   2   3
+    0:  10  40  40  40
+    1:  40  10  40  40
+    2:  40  40  10  40
+    3:  40  40  40  10
+
+Would now report:
+
+  [root@localhost ~]# numactl -H
+  available: 4 nodes (0-3)
+  node 0 cpus: 0 2 3 4 5 6 7 8 9 10 11 12 13 14 15
+  node 0 size: 1746 MB
+  node 0 free: 1244 MB
+  node 1 cpus:
+  node 1 size: 2044 MB
+  node 1 free: 2032 MB
+  node 2 cpus: 1
+  node 2 size: 2044 MB
+  node 2 free: 2028 MB
+  node 3 cpus:
+  node 3 size: 2044 MB
+  node 3 free: 2032 MB
+  node distances:
+  node   0   1   2   3
+    0:  10  40  40  40
+    1:  40  10  40  40
+    2:  40  40  10  40
+    3:  40  40  40  10
+
+Fix this by skipping associativity lookup if the VPHN hcall failed.
+
+Fixes: 2ea626306810 ("powerpc/topology: Get topology for shared processors at boot")
+Signed-off-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/mm/numa.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/mm/numa.c
++++ b/arch/powerpc/mm/numa.c
+@@ -1204,7 +1204,9 @@ int find_and_online_cpu_nid(int cpu)
+       int new_nid;
+       /* Use associativity from first thread for all siblings */
+-      vphn_get_associativity(cpu, associativity);
++      if (vphn_get_associativity(cpu, associativity))
++              return cpu_to_node(cpu);
++
+       new_nid = associativity_to_nid(associativity);
+       if (new_nid < 0 || !node_possible(new_nid))
+               new_nid = first_online_node;
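Review bot: The early return in find_and_online_cpu_nid() hands back cpu_to_node(cpu) without the validation that new_nid gets two lines later, where a negative or non-possible node falls back to first_online_node. If cpu_to_node() can still yield an unset or non-possible node when the hcall fails, that value now reaches callers unchecked, and whatever the rest of the function does for the chosen node is skipped as well; the remainder is outside the hunk. Either apply the same fallback before returning or document why the cached value is trusted, for example `/* hcall failed: keep the node already assigned to this cpu, known valid because ... */`.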
diff --git a/queue-4.18/powerpc-tm-avoid-possible-userspace-r1-corruption-on-reclaim.patch b/queue-4.18/powerpc-tm-avoid-possible-userspace-r1-corruption-on-reclaim.patch
new file mode 100644 (file)
index 0000000..6a5034d
--- /dev/null
@@ -0,0 +1,59 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Michael Neuling <mikey@neuling.org>
+Date: Tue, 25 Sep 2018 19:36:47 +1000
+Subject: powerpc/tm: Avoid possible userspace r1 corruption on reclaim
+
+From: Michael Neuling <mikey@neuling.org>
+
+[ Upstream commit 96dc89d526ef77604376f06220e3d2931a0bfd58 ]
+
+Current we store the userspace r1 to PACATMSCRATCH before finally
+saving it to the thread struct.
+
+In theory an exception could be taken here (like a machine check or
+SLB miss) that could write PACATMSCRATCH and hence corrupt the
+userspace r1. The SLB fault currently doesn't touch PACATMSCRATCH, but
+others do.
+
+We've never actually seen this happen but it's theoretically
+possible. Either way, the code is fragile as it is.
+
+This patch saves r1 to the kernel stack (which can't fault) before we
+turn MSR[RI] back on. PACATMSCRATCH is still used but only with
+MSR[RI] off. We then copy r1 from the kernel stack to the thread
+struct once we have MSR[RI] back on.
+
+Suggested-by: Breno Leitao <leitao@debian.org>
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/tm.S |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/tm.S
++++ b/arch/powerpc/kernel/tm.S
+@@ -178,6 +178,13 @@ _GLOBAL(tm_reclaim)
+       std     r11, GPR11(r1)                  /* Temporary stash */
+       /*
++       * Move the saved user r1 to the kernel stack in case PACATMSCRATCH is
++       * clobbered by an exception once we turn on MSR_RI below.
++       */
++      ld      r11, PACATMSCRATCH(r13)
++      std     r11, GPR1(r1)
++
++      /*
+        * Store r13 away so we can free up the scratch SPR for the SLB fault
+        * handler (needed once we start accessing the thread_struct).
+        */
+@@ -213,7 +220,7 @@ _GLOBAL(tm_reclaim)
+       SAVE_GPR(8, r7)                         /* user r8 */
+       SAVE_GPR(9, r7)                         /* user r9 */
+       SAVE_GPR(10, r7)                        /* user r10 */
+-      ld      r3, PACATMSCRATCH(r13)          /* user r1 */
++      ld      r3, GPR1(r1)                    /* user r1 */
+       ld      r4, GPR7(r1)                    /* user r7 */
+       ld      r5, GPR11(r1)                   /* user r11 */
+       ld      r6, GPR12(r1)                   /* user r12 */
diff --git a/queue-4.18/powerpc-tm-fix-userspace-r13-corruption.patch b/queue-4.18/powerpc-tm-fix-userspace-r13-corruption.patch
new file mode 100644 (file)
index 0000000..49e4b9d
--- /dev/null
@@ -0,0 +1,64 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Michael Neuling <mikey@neuling.org>
+Date: Mon, 24 Sep 2018 17:27:04 +1000
+Subject: powerpc/tm: Fix userspace r13 corruption
+
+From: Michael Neuling <mikey@neuling.org>
+
+[ Upstream commit cf13435b730a502e814c63c84d93db131e563f5f ]
+
+When we treclaim we store the userspace checkpointed r13 to a scratch
+SPR and then later save the scratch SPR to the user thread struct.
+
+Unfortunately, this doesn't work as accessing the user thread struct
+can take an SLB fault and the SLB fault handler will write the same
+scratch SPRG that now contains the userspace r13.
+
+To fix this, we store r13 to the kernel stack (which can't fault)
+before we access the user thread struct.
+
+Found by running P8 guest + powervm + disable_1tb_segments + TM. Seen
+as a random userspace segfault with r13 looking like a kernel address.
+
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Reviewed-by: Breno Leitao <leitao@debian.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/tm.S |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/tm.S
++++ b/arch/powerpc/kernel/tm.S
+@@ -175,13 +175,20 @@ _GLOBAL(tm_reclaim)
+       std     r1, PACATMSCRATCH(r13)
+       ld      r1, PACAR1(r13)
+-      /* Store the PPR in r11 and reset to decent value */
+       std     r11, GPR11(r1)                  /* Temporary stash */
++      /*
++       * Store r13 away so we can free up the scratch SPR for the SLB fault
++       * handler (needed once we start accessing the thread_struct).
++       */
++      GET_SCRATCH0(r11)
++      std     r11, GPR13(r1)
++
+       /* Reset MSR RI so we can take SLB faults again */
+       li      r11, MSR_RI
+       mtmsrd  r11, 1
++      /* Store the PPR in r11 and reset to decent value */
+       mfspr   r11, SPRN_PPR
+       HMT_MEDIUM
+@@ -210,7 +217,7 @@ _GLOBAL(tm_reclaim)
+       ld      r4, GPR7(r1)                    /* user r7 */
+       ld      r5, GPR11(r1)                   /* user r11 */
+       ld      r6, GPR12(r1)                   /* user r12 */
+-      GET_SCRATCH0(8)                         /* user r13 */
++      ld      r8, GPR13(r1)                   /* user r13 */
+       std     r3, GPR1(r7)
+       std     r4, GPR7(r7)
+       std     r5, GPR11(r7)
diff --git a/queue-4.18/qed-do-not-add-vlan-0-tag-to-untagged-frames-in-multi-function-mode.patch b/queue-4.18/qed-do-not-add-vlan-0-tag-to-untagged-frames-in-multi-function-mode.patch
new file mode 100644 (file)
index 0000000..79ff437
--- /dev/null
@@ -0,0 +1,74 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Sudarsana Reddy Kalluru <sudarsana.kalluru@cavium.com>
+Date: Wed, 19 Sep 2018 21:59:11 -0700
+Subject: qed: Do not add VLAN 0 tag to untagged frames in multi-function mode.
+
+From: Sudarsana Reddy Kalluru <sudarsana.kalluru@cavium.com>
+
+[ Upstream commit 0216da9413afa546627a1b0d319dfd17fef34050 ]
+
+In certain multi-function switch dependent modes, firmware adds vlan tag 0
+to the untagged frames. This leads to double tagging for the traffic
+if the dcbx is enabled, which is not the desired behavior. To avoid this,
+driver needs to set "dcb_dont_add_vlan0" flag.
+
+Fixes: cac6f691 ("qed: Add support for Unified Fabric Port")
+Signed-off-by: Sudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
+Signed-off-by: Tomer Tayar <Tomer.Tayar@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_dcbx.c |    9 ++++++++-
+ drivers/net/ethernet/qlogic/qed/qed_dcbx.h |    1 +
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c
+@@ -190,6 +190,7 @@ qed_dcbx_dp_protocol(struct qed_hwfn *p_
+ static void
+ qed_dcbx_set_params(struct qed_dcbx_results *p_data,
++                  struct qed_hwfn *p_hwfn,
+                   struct qed_hw_info *p_info,
+                   bool enable,
+                   u8 prio,
+@@ -206,6 +207,11 @@ qed_dcbx_set_params(struct qed_dcbx_resu
+       else
+               p_data->arr[type].update = DONT_UPDATE_DCB_DSCP;
++      /* Do not add vlan tag 0 when DCB is enabled and port in UFP/OV mode */
++      if ((test_bit(QED_MF_8021Q_TAGGING, &p_hwfn->cdev->mf_bits) ||
++           test_bit(QED_MF_8021AD_TAGGING, &p_hwfn->cdev->mf_bits)))
++              p_data->arr[type].dont_add_vlan0 = true;
++
+       /* QM reconf data */
+       if (p_info->personality == personality)
+               p_info->offload_tc = tc;
+@@ -233,7 +239,7 @@ qed_dcbx_update_app_info(struct qed_dcbx
+               personality = qed_dcbx_app_update[i].personality;
+               name = qed_dcbx_app_update[i].name;
+-              qed_dcbx_set_params(p_data, p_info, enable,
++              qed_dcbx_set_params(p_data, p_hwfn, p_info, enable,
+                                   prio, tc, type, personality);
+       }
+ }
+@@ -956,6 +962,7 @@ static void qed_dcbx_update_protocol_dat
+       p_data->dcb_enable_flag = p_src->arr[type].enable;
+       p_data->dcb_priority = p_src->arr[type].priority;
+       p_data->dcb_tc = p_src->arr[type].tc;
++      p_data->dcb_dont_add_vlan0 = p_src->arr[type].dont_add_vlan0;
+ }
+ /* Set pf update ramrod command params */
+--- a/drivers/net/ethernet/qlogic/qed/qed_dcbx.h
++++ b/drivers/net/ethernet/qlogic/qed/qed_dcbx.h
+@@ -55,6 +55,7 @@ struct qed_dcbx_app_data {
+       u8 update;              /* Update indication */
+       u8 priority;            /* Priority */
+       u8 tc;                  /* Traffic Class */
++      bool dont_add_vlan0;    /* Do not insert a vlan tag with id 0 */
+ };
+ #define QED_DCBX_VERSION_DISABLED       0
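Review bot: In qed_dcbx_set_params the added comment says the tag is suppressed "when DCB is enabled", but the condition tests only the QED_MF_8021Q_TAGGING and QED_MF_8021AD_TAGGING bits and never reads the `enable` argument, so `dont_add_vlan0` is also set when `enable` is false. Either the comment or the condition should change; if the comment is the intent, the test becomes `if (enable && (test_bit(QED_MF_8021Q_TAGGING, ...) || test_bit(QED_MF_8021AD_TAGGING, ...)))`. The flag is only ever written as `true` here, so it depends on `p_data` having been zeroed by a caller that is outside the hunk. The doubled outer parentheses around the condition can be dropped.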
diff --git a/queue-4.18/qed-fix-populating-the-invalid-stag-value-in-multi-function-mode.patch b/queue-4.18/qed-fix-populating-the-invalid-stag-value-in-multi-function-mode.patch
new file mode 100644 (file)
index 0000000..64815b1
--- /dev/null
@@ -0,0 +1,77 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Sudarsana Reddy Kalluru <sudarsana.kalluru@cavium.com>
+Date: Wed, 19 Sep 2018 21:59:10 -0700
+Subject: qed: Fix populating the invalid stag value in multi function mode.
+
+From: Sudarsana Reddy Kalluru <sudarsana.kalluru@cavium.com>
+
+[ Upstream commit 50fdf60181b01b7383b85d4b9acbb842263d96a2 ]
+
+In multi-function mode, driver receives the stag value (outer vlan)
+for a PF from management FW (MFW). If the stag value is negotiated prior to
+the driver load, then the stag is not notified to the driver and hence
+driver will have the invalid stag value.
+The fix is to request the MFW for STAG value during the driver load time.
+
+Fixes: cac6f691 ("qed: Add support for Unified Fabric Port")
+Signed-off-by: Sudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
+Signed-off-by: Tomer Tayar <Tomer.Tayar@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_dev.c |   15 ++++++++++++++-
+ drivers/net/ethernet/qlogic/qed/qed_hsi.h |    4 ++++
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+@@ -1636,7 +1636,7 @@ static int qed_vf_start(struct qed_hwfn
+ int qed_hw_init(struct qed_dev *cdev, struct qed_hw_init_params *p_params)
+ {
+       struct qed_load_req_params load_req_params;
+-      u32 load_code, param, drv_mb_param;
++      u32 load_code, resp, param, drv_mb_param;
+       bool b_default_mtu = true;
+       struct qed_hwfn *p_hwfn;
+       int rc = 0, mfw_rc, i;
+@@ -1782,6 +1782,19 @@ int qed_hw_init(struct qed_dev *cdev, st
+       if (IS_PF(cdev)) {
+               p_hwfn = QED_LEADING_HWFN(cdev);
++
++              /* Get pre-negotiated values for stag, bandwidth etc. */
++              DP_VERBOSE(p_hwfn,
++                         QED_MSG_SPQ,
++                         "Sending GET_OEM_UPDATES command to trigger stag/bandwidth attention handling\n");
++              drv_mb_param = 1 << DRV_MB_PARAM_DUMMY_OEM_UPDATES_OFFSET;
++              rc = qed_mcp_cmd(p_hwfn, p_hwfn->p_main_ptt,
++                               DRV_MSG_CODE_GET_OEM_UPDATES,
++                               drv_mb_param, &resp, &param);
++              if (rc)
++                      DP_NOTICE(p_hwfn,
++                                "Failed to send GET_OEM_UPDATES attention request\n");
++
+               drv_mb_param = STORM_FW_VERSION;
+               rc = qed_mcp_cmd(p_hwfn, p_hwfn->p_main_ptt,
+                                DRV_MSG_CODE_OV_UPDATE_STORM_FW_VER,
+--- a/drivers/net/ethernet/qlogic/qed/qed_hsi.h
++++ b/drivers/net/ethernet/qlogic/qed/qed_hsi.h
+@@ -12415,6 +12415,7 @@ struct public_drv_mb {
+ #define DRV_MSG_SET_RESOURCE_VALUE_MSG                0x35000000
+ #define DRV_MSG_CODE_OV_UPDATE_WOL              0x38000000
+ #define DRV_MSG_CODE_OV_UPDATE_ESWITCH_MODE     0x39000000
++#define DRV_MSG_CODE_GET_OEM_UPDATES            0x41000000
+ #define DRV_MSG_CODE_BW_UPDATE_ACK            0x32000000
+ #define DRV_MSG_CODE_NIG_DRAIN                        0x30000000
+@@ -12540,6 +12541,9 @@ struct public_drv_mb {
+ #define DRV_MB_PARAM_ESWITCH_MODE_VEB 0x1
+ #define DRV_MB_PARAM_ESWITCH_MODE_VEPA        0x2
++#define DRV_MB_PARAM_DUMMY_OEM_UPDATES_MASK   0x1
++#define DRV_MB_PARAM_DUMMY_OEM_UPDATES_OFFSET 0
++
+ #define DRV_MB_PARAM_SET_LED_MODE_OPER                0x0
+ #define DRV_MB_PARAM_SET_LED_MODE_ON          0x1
+ #define DRV_MB_PARAM_SET_LED_MODE_OFF         0x2
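Review bot: The return code of the new GET_OEM_UPDATES request in qed_hw_init is only logged and then overwritten by the `rc = qed_mcp_cmd(...)` for DRV_MSG_CODE_OV_UPDATE_STORM_FW_VER that follows, so a failed request leaves the driver with the stale stag value this commit is meant to refresh, and the caller never learns of it. If best effort is intended, state it at the call site, e.g. `/* Best effort: failure is not fatal, rc is reused by the next command */`. `resp` is filled in by the call but never read, and DRV_MB_PARAM_DUMMY_OEM_UPDATES_MASK has no user in the visible hunks. qed_hw_init starts and ends outside the hunk.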
diff --git a/queue-4.18/ravb-do-not-write-1-to-reserved-bits.patch b/queue-4.18/ravb-do-not-write-1-to-reserved-bits.patch
new file mode 100644 (file)
index 0000000..7535157
--- /dev/null
@@ -0,0 +1,128 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
+Date: Tue, 18 Sep 2018 12:22:26 +0200
+Subject: ravb: do not write 1 to reserved bits
+
+From: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
+
+[ Upstream commit 2fe397a3959de8a472f165e6d152f64cb77fa2cc ]
+
+EtherAVB hardware requires 0 to be written to status register bits in
+order to clear them, however, care must be taken not to:
+
+1. Clear other bits, by writing zero to them
+2. Write one to reserved bits
+
+This patch corrects the ravb driver with respect to the second point above.
+This is done by defining reserved bit masks for the affected registers and,
+after auditing the code, ensure all sites that may write a one to a
+reserved bit use are suitably masked.
+
+Signed-off-by: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
+Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
+Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/renesas/ravb.h      |    5 +++++
+ drivers/net/ethernet/renesas/ravb_main.c |   11 ++++++-----
+ drivers/net/ethernet/renesas/ravb_ptp.c  |    2 +-
+ 3 files changed, 12 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/renesas/ravb.h
++++ b/drivers/net/ethernet/renesas/ravb.h
+@@ -431,6 +431,7 @@ enum EIS_BIT {
+       EIS_CULF1       = 0x00000080,
+       EIS_TFFF        = 0x00000100,
+       EIS_QFS         = 0x00010000,
++      EIS_RESERVED    = (GENMASK(31, 17) | GENMASK(15, 11)),
+ };
+ /* RIC0 */
+@@ -475,6 +476,7 @@ enum RIS0_BIT {
+       RIS0_FRF15      = 0x00008000,
+       RIS0_FRF16      = 0x00010000,
+       RIS0_FRF17      = 0x00020000,
++      RIS0_RESERVED   = GENMASK(31, 18),
+ };
+ /* RIC1 */
+@@ -531,6 +533,7 @@ enum RIS2_BIT {
+       RIS2_QFF16      = 0x00010000,
+       RIS2_QFF17      = 0x00020000,
+       RIS2_RFFF       = 0x80000000,
++      RIS2_RESERVED   = GENMASK(30, 18),
+ };
+ /* TIC */
+@@ -547,6 +550,7 @@ enum TIS_BIT {
+       TIS_FTF1        = 0x00000002,   /* Undocumented? */
+       TIS_TFUF        = 0x00000100,
+       TIS_TFWF        = 0x00000200,
++      TIS_RESERVED    = (GENMASK(31, 20) | GENMASK(15, 12) | GENMASK(7, 4))
+ };
+ /* ISS */
+@@ -620,6 +624,7 @@ enum GIC_BIT {
+ enum GIS_BIT {
+       GIS_PTCF        = 0x00000001,   /* Undocumented? */
+       GIS_PTMF        = 0x00000004,
++      GIS_RESERVED    = GENMASK(15, 10),
+ };
+ /* GIE (R-Car Gen3 only) */
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -742,10 +742,11 @@ static void ravb_error_interrupt(struct
+       u32 eis, ris2;
+       eis = ravb_read(ndev, EIS);
+-      ravb_write(ndev, ~EIS_QFS, EIS);
++      ravb_write(ndev, ~(EIS_QFS | EIS_RESERVED), EIS);
+       if (eis & EIS_QFS) {
+               ris2 = ravb_read(ndev, RIS2);
+-              ravb_write(ndev, ~(RIS2_QFF0 | RIS2_RFFF), RIS2);
++              ravb_write(ndev, ~(RIS2_QFF0 | RIS2_RFFF | RIS2_RESERVED),
++                         RIS2);
+               /* Receive Descriptor Empty int */
+               if (ris2 & RIS2_QFF0)
+@@ -798,7 +799,7 @@ static bool ravb_timestamp_interrupt(str
+       u32 tis = ravb_read(ndev, TIS);
+       if (tis & TIS_TFUF) {
+-              ravb_write(ndev, ~TIS_TFUF, TIS);
++              ravb_write(ndev, ~(TIS_TFUF | TIS_RESERVED), TIS);
+               ravb_get_tx_tstamp(ndev);
+               return true;
+       }
+@@ -933,7 +934,7 @@ static int ravb_poll(struct napi_struct
+               /* Processing RX Descriptor Ring */
+               if (ris0 & mask) {
+                       /* Clear RX interrupt */
+-                      ravb_write(ndev, ~mask, RIS0);
++                      ravb_write(ndev, ~(mask | RIS0_RESERVED), RIS0);
+                       if (ravb_rx(ndev, &quota, q))
+                               goto out;
+               }
+@@ -941,7 +942,7 @@ static int ravb_poll(struct napi_struct
+               if (tis & mask) {
+                       spin_lock_irqsave(&priv->lock, flags);
+                       /* Clear TX interrupt */
+-                      ravb_write(ndev, ~mask, TIS);
++                      ravb_write(ndev, ~(mask | TIS_RESERVED), TIS);
+                       ravb_tx_free(ndev, q, true);
+                       netif_wake_subqueue(ndev, q);
+                       mmiowb();
+--- a/drivers/net/ethernet/renesas/ravb_ptp.c
++++ b/drivers/net/ethernet/renesas/ravb_ptp.c
+@@ -319,7 +319,7 @@ void ravb_ptp_interrupt(struct net_devic
+               }
+       }
+-      ravb_write(ndev, ~gis, GIS);
++      ravb_write(ndev, ~(gis | GIS_RESERVED), GIS);
+ }
+ void ravb_ptp_init(struct net_device *ndev, struct platform_device *pdev)
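Review bot: The new `*_RESERVED` enumerators in ravb.h carry no comment, and the reason they are ORed into the mask before inversion is explained only in the commit message. A short comment above the first of them would keep the rule next to the code, e.g. `/* Status bits clear on writing 0; reserved bits must be written as 0 too, so OR *_RESERVED into any mask that is inverted for ravb_write() */`. `TIS_RESERVED` is the only added enumerator without a trailing comma. `GIS_RESERVED` covers bits 15:10 only while the other masks extend to bit 31; whether the upper half of GIS needs the same treatment is not visible here and is worth checking against the hardware manual.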
diff --git a/queue-4.18/rdma-bnxt_re-fix-system-crash-during-rdma-resource-initialization.patch b/queue-4.18/rdma-bnxt_re-fix-system-crash-during-rdma-resource-initialization.patch
new file mode 100644 (file)
index 0000000..bd8e854
--- /dev/null
@@ -0,0 +1,415 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+Date: Thu, 20 Sep 2018 22:33:00 -0700
+Subject: RDMA/bnxt_re: Fix system crash during RDMA resource initialization
+
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+
+[ Upstream commit de5c95d0f518537f59ee5aef762abc46f868c377 ]
+
+bnxt_re_ib_reg acquires and releases the rtnl lock whenever it accesses
+the L2 driver.
+
+The following sequence can trigger a crash
+
+Acquires the rtnl_lock ->
+       Registers roce driver callback with L2 driver ->
+               release the rtnl lock
+bnxt_re acquires the rtnl_lock ->
+       Request for MSIx vectors ->
+               release the rtnl_lock
+
+Issue happens when bnxt_re proceeds with remaining part of initialization
+and L2 driver invokes bnxt_ulp_irq_stop as a part of bnxt_open_nic.
+
+The crash is in bnxt_qplib_nq_stop_irq as the NQ structures are
+not initialized yet,
+
+<snip>
+[ 3551.726647] BUG: unable to handle kernel NULL pointer dereference at (null)
+[ 3551.726656] IP: [<ffffffffc0840ee9>] bnxt_qplib_nq_stop_irq+0x59/0xb0 [bnxt_re]
+[ 3551.726674] PGD 0
+[ 3551.726679] Oops: 0002 1 SMP
+...
+[ 3551.726822] Hardware name: Dell Inc. PowerEdge R720/08RW36, BIOS 2.4.3 07/09/2014
+[ 3551.726826] task: ffff97e30eec5ee0 ti: ffff97e3173bc000 task.ti: ffff97e3173bc000
+[ 3551.726829] RIP: 0010:[<ffffffffc0840ee9>] [<ffffffffc0840ee9>]
+bnxt_qplib_nq_stop_irq+0x59/0xb0 [bnxt_re]
+...
+[ 3551.726872] Call Trace:
+[ 3551.726886] [<ffffffffc082cb9e>] bnxt_re_stop_irq+0x4e/0x70 [bnxt_re]
+[ 3551.726899] [<ffffffffc07d6a53>] bnxt_ulp_irq_stop+0x43/0x70 [bnxt_en]
+[ 3551.726908] [<ffffffffc07c82f4>] bnxt_reserve_rings+0x174/0x1e0 [bnxt_en]
+[ 3551.726917] [<ffffffffc07cafd8>] __bnxt_open_nic+0x368/0x9a0 [bnxt_en]
+[ 3551.726925] [<ffffffffc07cb62b>] bnxt_open_nic+0x1b/0x50 [bnxt_en]
+[ 3551.726934] [<ffffffffc07cc62f>] bnxt_setup_mq_tc+0x11f/0x260 [bnxt_en]
+[ 3551.726943] [<ffffffffc07d5f58>] bnxt_dcbnl_ieee_setets+0xb8/0x1f0 [bnxt_en]
+[ 3551.726954] [<ffffffff890f983a>] dcbnl_ieee_set+0x9a/0x250
+[ 3551.726966] [<ffffffff88fd6d21>] ? __alloc_skb+0xa1/0x2d0
+[ 3551.726972] [<ffffffff890f72fa>] dcb_doit+0x13a/0x210
+[ 3551.726981] [<ffffffff89003ff7>] rtnetlink_rcv_msg+0xa7/0x260
+[ 3551.726989] [<ffffffff88ffdb00>] ? rtnl_unicast+0x20/0x30
+[ 3551.726996] [<ffffffff88bf9dc8>] ? __kmalloc_node_track_caller+0x58/0x290
+[ 3551.727002] [<ffffffff890f7326>] ? dcb_doit+0x166/0x210
+[ 3551.727007] [<ffffffff88fd6d0d>] ? __alloc_skb+0x8d/0x2d0
+[ 3551.727012] [<ffffffff89003f50>] ? rtnl_newlink+0x880/0x880
+...
+[ 3551.727104] [<ffffffff8911f7d5>] system_call_fastpath+0x1c/0x21
+...
+[ 3551.727164] RIP [<ffffffffc0840ee9>] bnxt_qplib_nq_stop_irq+0x59/0xb0 [bnxt_re]
+[ 3551.727175] RSP <ffff97e3173bf788>
+[ 3551.727177] CR2: 0000000000000000
+
+Avoid this inconsistent state and  system crash by acquiring
+the rtnl lock for the entire duration of device initialization.
+Re-factor the code to remove the rtnl lock from the individual function
+and acquire and release it from the caller.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Fixes: 6e04b1035689 ("RDMA/bnxt_re: Fix broken RoCE driver due to recent L2 driver changes")
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/bnxt_re/main.c |   93 ++++++++++++++---------------------
+ 1 file changed, 38 insertions(+), 55 deletions(-)
+
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -78,7 +78,7 @@ static struct list_head bnxt_re_dev_list
+ /* Mutex to protect the list of bnxt_re devices added */
+ static DEFINE_MUTEX(bnxt_re_dev_lock);
+ static struct workqueue_struct *bnxt_re_wq;
+-static void bnxt_re_ib_unreg(struct bnxt_re_dev *rdev, bool lock_wait);
++static void bnxt_re_ib_unreg(struct bnxt_re_dev *rdev);
+ /* SR-IOV helper functions */
+@@ -182,7 +182,7 @@ static void bnxt_re_shutdown(void *p)
+       if (!rdev)
+               return;
+-      bnxt_re_ib_unreg(rdev, false);
++      bnxt_re_ib_unreg(rdev);
+ }
+ static void bnxt_re_stop_irq(void *handle)
+@@ -251,7 +251,7 @@ static struct bnxt_ulp_ops bnxt_re_ulp_o
+ /* Driver registration routines used to let the networking driver (bnxt_en)
+  * to know that the RoCE driver is now installed
+  */
+-static int bnxt_re_unregister_netdev(struct bnxt_re_dev *rdev, bool lock_wait)
++static int bnxt_re_unregister_netdev(struct bnxt_re_dev *rdev)
+ {
+       struct bnxt_en_dev *en_dev;
+       int rc;
+@@ -260,14 +260,9 @@ static int bnxt_re_unregister_netdev(str
+               return -EINVAL;
+       en_dev = rdev->en_dev;
+-      /* Acquire rtnl lock if it is not invokded from netdev event */
+-      if (lock_wait)
+-              rtnl_lock();
+       rc = en_dev->en_ops->bnxt_unregister_device(rdev->en_dev,
+                                                   BNXT_ROCE_ULP);
+-      if (lock_wait)
+-              rtnl_unlock();
+       return rc;
+ }
+@@ -281,14 +276,12 @@ static int bnxt_re_register_netdev(struc
+       en_dev = rdev->en_dev;
+-      rtnl_lock();
+       rc = en_dev->en_ops->bnxt_register_device(en_dev, BNXT_ROCE_ULP,
+                                                 &bnxt_re_ulp_ops, rdev);
+-      rtnl_unlock();
+       return rc;
+ }
+-static int bnxt_re_free_msix(struct bnxt_re_dev *rdev, bool lock_wait)
++static int bnxt_re_free_msix(struct bnxt_re_dev *rdev)
+ {
+       struct bnxt_en_dev *en_dev;
+       int rc;
+@@ -298,13 +291,9 @@ static int bnxt_re_free_msix(struct bnxt
+       en_dev = rdev->en_dev;
+-      if (lock_wait)
+-              rtnl_lock();
+       rc = en_dev->en_ops->bnxt_free_msix(rdev->en_dev, BNXT_ROCE_ULP);
+-      if (lock_wait)
+-              rtnl_unlock();
+       return rc;
+ }
+@@ -320,7 +309,6 @@ static int bnxt_re_request_msix(struct b
+       num_msix_want = min_t(u32, BNXT_RE_MAX_MSIX, num_online_cpus());
+-      rtnl_lock();
+       num_msix_got = en_dev->en_ops->bnxt_request_msix(en_dev, BNXT_ROCE_ULP,
+                                                        rdev->msix_entries,
+                                                        num_msix_want);
+@@ -335,7 +323,6 @@ static int bnxt_re_request_msix(struct b
+       }
+       rdev->num_msix = num_msix_got;
+ done:
+-      rtnl_unlock();
+       return rc;
+ }
+@@ -358,24 +345,18 @@ static void bnxt_re_fill_fw_msg(struct b
+       fw_msg->timeout = timeout;
+ }
+-static int bnxt_re_net_ring_free(struct bnxt_re_dev *rdev, u16 fw_ring_id,
+-                               bool lock_wait)
++static int bnxt_re_net_ring_free(struct bnxt_re_dev *rdev, u16 fw_ring_id)
+ {
+       struct bnxt_en_dev *en_dev = rdev->en_dev;
+       struct hwrm_ring_free_input req = {0};
+       struct hwrm_ring_free_output resp;
+       struct bnxt_fw_msg fw_msg;
+-      bool do_unlock = false;
+       int rc = -EINVAL;
+       if (!en_dev)
+               return rc;
+       memset(&fw_msg, 0, sizeof(fw_msg));
+-      if (lock_wait) {
+-              rtnl_lock();
+-              do_unlock = true;
+-      }
+       bnxt_re_init_hwrm_hdr(rdev, (void *)&req, HWRM_RING_FREE, -1, -1);
+       req.ring_type = RING_ALLOC_REQ_RING_TYPE_L2_CMPL;
+@@ -386,8 +367,6 @@ static int bnxt_re_net_ring_free(struct
+       if (rc)
+               dev_err(rdev_to_dev(rdev),
+                       "Failed to free HW ring:%d :%#x", req.ring_id, rc);
+-      if (do_unlock)
+-              rtnl_unlock();
+       return rc;
+ }
+@@ -405,7 +384,6 @@ static int bnxt_re_net_ring_alloc(struct
+               return rc;
+       memset(&fw_msg, 0, sizeof(fw_msg));
+-      rtnl_lock();
+       bnxt_re_init_hwrm_hdr(rdev, (void *)&req, HWRM_RING_ALLOC, -1, -1);
+       req.enables = 0;
+       req.page_tbl_addr =  cpu_to_le64(dma_arr[0]);
+@@ -426,27 +404,21 @@ static int bnxt_re_net_ring_alloc(struct
+       if (!rc)
+               *fw_ring_id = le16_to_cpu(resp.ring_id);
+-      rtnl_unlock();
+       return rc;
+ }
+ static int bnxt_re_net_stats_ctx_free(struct bnxt_re_dev *rdev,
+-                                    u32 fw_stats_ctx_id, bool lock_wait)
++                                    u32 fw_stats_ctx_id)
+ {
+       struct bnxt_en_dev *en_dev = rdev->en_dev;
+       struct hwrm_stat_ctx_free_input req = {0};
+       struct bnxt_fw_msg fw_msg;
+-      bool do_unlock = false;
+       int rc = -EINVAL;
+       if (!en_dev)
+               return rc;
+       memset(&fw_msg, 0, sizeof(fw_msg));
+-      if (lock_wait) {
+-              rtnl_lock();
+-              do_unlock = true;
+-      }
+       bnxt_re_init_hwrm_hdr(rdev, (void *)&req, HWRM_STAT_CTX_FREE, -1, -1);
+       req.stat_ctx_id = cpu_to_le32(fw_stats_ctx_id);
+@@ -457,8 +429,6 @@ static int bnxt_re_net_stats_ctx_free(st
+               dev_err(rdev_to_dev(rdev),
+                       "Failed to free HW stats context %#x", rc);
+-      if (do_unlock)
+-              rtnl_unlock();
+       return rc;
+ }
+@@ -478,7 +448,6 @@ static int bnxt_re_net_stats_ctx_alloc(s
+               return rc;
+       memset(&fw_msg, 0, sizeof(fw_msg));
+-      rtnl_lock();
+       bnxt_re_init_hwrm_hdr(rdev, (void *)&req, HWRM_STAT_CTX_ALLOC, -1, -1);
+       req.update_period_ms = cpu_to_le32(1000);
+@@ -490,7 +459,6 @@ static int bnxt_re_net_stats_ctx_alloc(s
+       if (!rc)
+               *fw_stats_ctx_id = le32_to_cpu(resp.stat_ctx_id);
+-      rtnl_unlock();
+       return rc;
+ }
+@@ -929,19 +897,19 @@ fail:
+       return rc;
+ }
+-static void bnxt_re_free_nq_res(struct bnxt_re_dev *rdev, bool lock_wait)
++static void bnxt_re_free_nq_res(struct bnxt_re_dev *rdev)
+ {
+       int i;
+       for (i = 0; i < rdev->num_msix - 1; i++) {
+-              bnxt_re_net_ring_free(rdev, rdev->nq[i].ring_id, lock_wait);
++              bnxt_re_net_ring_free(rdev, rdev->nq[i].ring_id);
+               bnxt_qplib_free_nq(&rdev->nq[i]);
+       }
+ }
+-static void bnxt_re_free_res(struct bnxt_re_dev *rdev, bool lock_wait)
++static void bnxt_re_free_res(struct bnxt_re_dev *rdev)
+ {
+-      bnxt_re_free_nq_res(rdev, lock_wait);
++      bnxt_re_free_nq_res(rdev);
+       if (rdev->qplib_res.dpi_tbl.max) {
+               bnxt_qplib_dealloc_dpi(&rdev->qplib_res,
+@@ -1219,7 +1187,7 @@ static int bnxt_re_setup_qos(struct bnxt
+       return 0;
+ }
+-static void bnxt_re_ib_unreg(struct bnxt_re_dev *rdev, bool lock_wait)
++static void bnxt_re_ib_unreg(struct bnxt_re_dev *rdev)
+ {
+       int i, rc;
+@@ -1234,28 +1202,27 @@ static void bnxt_re_ib_unreg(struct bnxt
+               cancel_delayed_work(&rdev->worker);
+       bnxt_re_cleanup_res(rdev);
+-      bnxt_re_free_res(rdev, lock_wait);
++      bnxt_re_free_res(rdev);
+       if (test_and_clear_bit(BNXT_RE_FLAG_RCFW_CHANNEL_EN, &rdev->flags)) {
+               rc = bnxt_qplib_deinit_rcfw(&rdev->rcfw);
+               if (rc)
+                       dev_warn(rdev_to_dev(rdev),
+                                "Failed to deinitialize RCFW: %#x", rc);
+-              bnxt_re_net_stats_ctx_free(rdev, rdev->qplib_ctx.stats.fw_id,
+-                                         lock_wait);
++              bnxt_re_net_stats_ctx_free(rdev, rdev->qplib_ctx.stats.fw_id);
+               bnxt_qplib_free_ctx(rdev->en_dev->pdev, &rdev->qplib_ctx);
+               bnxt_qplib_disable_rcfw_channel(&rdev->rcfw);
+-              bnxt_re_net_ring_free(rdev, rdev->rcfw.creq_ring_id, lock_wait);
++              bnxt_re_net_ring_free(rdev, rdev->rcfw.creq_ring_id);
+               bnxt_qplib_free_rcfw_channel(&rdev->rcfw);
+       }
+       if (test_and_clear_bit(BNXT_RE_FLAG_GOT_MSIX, &rdev->flags)) {
+-              rc = bnxt_re_free_msix(rdev, lock_wait);
++              rc = bnxt_re_free_msix(rdev);
+               if (rc)
+                       dev_warn(rdev_to_dev(rdev),
+                                "Failed to free MSI-X vectors: %#x", rc);
+       }
+       if (test_and_clear_bit(BNXT_RE_FLAG_NETDEV_REGISTERED, &rdev->flags)) {
+-              rc = bnxt_re_unregister_netdev(rdev, lock_wait);
++              rc = bnxt_re_unregister_netdev(rdev);
+               if (rc)
+                       dev_warn(rdev_to_dev(rdev),
+                                "Failed to unregister with netdev: %#x", rc);
+@@ -1276,6 +1243,12 @@ static int bnxt_re_ib_reg(struct bnxt_re
+ {
+       int i, j, rc;
++      bool locked;
++
++      /* Acquire rtnl lock through out this function */
++      rtnl_lock();
++      locked = true;
++
+       /* Registered a new RoCE device instance to netdev */
+       rc = bnxt_re_register_netdev(rdev);
+       if (rc) {
+@@ -1374,12 +1347,16 @@ static int bnxt_re_ib_reg(struct bnxt_re
+               schedule_delayed_work(&rdev->worker, msecs_to_jiffies(30000));
+       }
++      rtnl_unlock();
++      locked = false;
++
+       /* Register ib dev */
+       rc = bnxt_re_register_ib(rdev);
+       if (rc) {
+               pr_err("Failed to register with IB: %#x\n", rc);
+               goto fail;
+       }
++      set_bit(BNXT_RE_FLAG_IBDEV_REGISTERED, &rdev->flags);
+       dev_info(rdev_to_dev(rdev), "Device registered successfully");
+       for (i = 0; i < ARRAY_SIZE(bnxt_re_attributes); i++) {
+               rc = device_create_file(&rdev->ibdev.dev,
+@@ -1395,7 +1372,6 @@ static int bnxt_re_ib_reg(struct bnxt_re
+                       goto fail;
+               }
+       }
+-      set_bit(BNXT_RE_FLAG_IBDEV_REGISTERED, &rdev->flags);
+       ib_get_eth_speed(&rdev->ibdev, 1, &rdev->active_speed,
+                        &rdev->active_width);
+       set_bit(BNXT_RE_FLAG_ISSUE_ROCE_STATS, &rdev->flags);
+@@ -1404,17 +1380,21 @@ static int bnxt_re_ib_reg(struct bnxt_re
+       return 0;
+ free_sctx:
+-      bnxt_re_net_stats_ctx_free(rdev, rdev->qplib_ctx.stats.fw_id, true);
++      bnxt_re_net_stats_ctx_free(rdev, rdev->qplib_ctx.stats.fw_id);
+ free_ctx:
+       bnxt_qplib_free_ctx(rdev->en_dev->pdev, &rdev->qplib_ctx);
+ disable_rcfw:
+       bnxt_qplib_disable_rcfw_channel(&rdev->rcfw);
+ free_ring:
+-      bnxt_re_net_ring_free(rdev, rdev->rcfw.creq_ring_id, true);
++      bnxt_re_net_ring_free(rdev, rdev->rcfw.creq_ring_id);
+ free_rcfw:
+       bnxt_qplib_free_rcfw_channel(&rdev->rcfw);
+ fail:
+-      bnxt_re_ib_unreg(rdev, true);
++      if (!locked)
++              rtnl_lock();
++      bnxt_re_ib_unreg(rdev);
++      rtnl_unlock();
++
+       return rc;
+ }
+@@ -1567,7 +1547,7 @@ static int bnxt_re_netdev_event(struct n
+                */
+               if (atomic_read(&rdev->sched_count) > 0)
+                       goto exit;
+-              bnxt_re_ib_unreg(rdev, false);
++              bnxt_re_ib_unreg(rdev);
+               bnxt_re_remove_one(rdev);
+               bnxt_re_dev_unreg(rdev);
+               break;
+@@ -1646,7 +1626,10 @@ static void __exit bnxt_re_mod_exit(void
+                */
+               flush_workqueue(bnxt_re_wq);
+               bnxt_re_dev_stop(rdev);
+-              bnxt_re_ib_unreg(rdev, true);
++              /* Acquire the rtnl_lock as the L2 resources are freed here */
++              rtnl_lock();
++              bnxt_re_ib_unreg(rdev);
++              rtnl_unlock();
+               bnxt_re_remove_one(rdev);
+               bnxt_re_dev_unreg(rdev);
+       }
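Review bot: After this change bnxt_re_ib_unreg and the helpers it calls (bnxt_re_free_msix, bnxt_re_net_ring_free, bnxt_re_net_stats_ctx_free, bnxt_re_unregister_netdev) require the caller to hold the rtnl lock, but nothing in the code states or checks that. bnxt_re_shutdown and bnxt_re_netdev_event call bnxt_re_ib_unreg without taking the lock, presumably because the L2 driver already holds it on those paths. Put the contract in the code with `ASSERT_RTNL();` at the top of bnxt_re_ib_unreg, or at least `/* Caller must hold rtnl_lock */`, so a future caller that forgets the lock is reported instead of racing with bnxt_ulp_irq_stop as in the quoted oops. The comment added in bnxt_re_ib_reg is also inaccurate, since the lock is dropped before bnxt_re_register_ib; `/* Hold rtnl lock until the L2 resources are set up */` would match the code.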
diff --git a/queue-4.18/rdma-uverbs-fix-validity-check-for-modify-qp.patch b/queue-4.18/rdma-uverbs-fix-validity-check-for-modify-qp.patch
new file mode 100644 (file)
index 0000000..2ca082c
--- /dev/null
@@ -0,0 +1,108 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Majd Dibbiny <majd@mellanox.com>
+Date: Tue, 18 Sep 2018 10:51:37 +0300
+Subject: RDMA/uverbs: Fix validity check for modify QP
+
+From: Majd Dibbiny <majd@mellanox.com>
+
+[ Upstream commit 4eeed3686981ff887bbdd7254139e2eca276534c ]
+
+Uverbs shouldn't enforce QP state in the command unless the user set the QP
+state bit in the attribute mask.
+
+In addition, only copy qp attr fields which have the corresponding bit set
+in the attribute mask over to the internal attr structure.
+
+Fixes: 88de869bbe4f ("RDMA/uverbs: Ensure validity of current QP state value")
+Fixes: bc38a6abdd5a ("[PATCH] IB uverbs: core implementation")
+Signed-off-by: Majd Dibbiny <majd@mellanox.com>
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/uverbs_cmd.c |   68 +++++++++++++++++++++++------------
+ 1 file changed, 45 insertions(+), 23 deletions(-)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -2048,33 +2048,55 @@ static int modify_qp(struct ib_uverbs_fi
+       if ((cmd->base.attr_mask & IB_QP_CUR_STATE &&
+           cmd->base.cur_qp_state > IB_QPS_ERR) ||
+-          cmd->base.qp_state > IB_QPS_ERR) {
++          (cmd->base.attr_mask & IB_QP_STATE &&
++          cmd->base.qp_state > IB_QPS_ERR)) {
+               ret = -EINVAL;
+               goto release_qp;
+       }
+-      attr->qp_state            = cmd->base.qp_state;
+-      attr->cur_qp_state        = cmd->base.cur_qp_state;
+-      attr->path_mtu            = cmd->base.path_mtu;
+-      attr->path_mig_state      = cmd->base.path_mig_state;
+-      attr->qkey                = cmd->base.qkey;
+-      attr->rq_psn              = cmd->base.rq_psn;
+-      attr->sq_psn              = cmd->base.sq_psn;
+-      attr->dest_qp_num         = cmd->base.dest_qp_num;
+-      attr->qp_access_flags     = cmd->base.qp_access_flags;
+-      attr->pkey_index          = cmd->base.pkey_index;
+-      attr->alt_pkey_index      = cmd->base.alt_pkey_index;
+-      attr->en_sqd_async_notify = cmd->base.en_sqd_async_notify;
+-      attr->max_rd_atomic       = cmd->base.max_rd_atomic;
+-      attr->max_dest_rd_atomic  = cmd->base.max_dest_rd_atomic;
+-      attr->min_rnr_timer       = cmd->base.min_rnr_timer;
+-      attr->port_num            = cmd->base.port_num;
+-      attr->timeout             = cmd->base.timeout;
+-      attr->retry_cnt           = cmd->base.retry_cnt;
+-      attr->rnr_retry           = cmd->base.rnr_retry;
+-      attr->alt_port_num        = cmd->base.alt_port_num;
+-      attr->alt_timeout         = cmd->base.alt_timeout;
+-      attr->rate_limit          = cmd->rate_limit;
++      if (cmd->base.attr_mask & IB_QP_STATE)
++              attr->qp_state = cmd->base.qp_state;
++      if (cmd->base.attr_mask & IB_QP_CUR_STATE)
++              attr->cur_qp_state = cmd->base.cur_qp_state;
++      if (cmd->base.attr_mask & IB_QP_PATH_MTU)
++              attr->path_mtu = cmd->base.path_mtu;
++      if (cmd->base.attr_mask & IB_QP_PATH_MIG_STATE)
++              attr->path_mig_state = cmd->base.path_mig_state;
++      if (cmd->base.attr_mask & IB_QP_QKEY)
++              attr->qkey = cmd->base.qkey;
++      if (cmd->base.attr_mask & IB_QP_RQ_PSN)
++              attr->rq_psn = cmd->base.rq_psn;
++      if (cmd->base.attr_mask & IB_QP_SQ_PSN)
++              attr->sq_psn = cmd->base.sq_psn;
++      if (cmd->base.attr_mask & IB_QP_DEST_QPN)
++              attr->dest_qp_num = cmd->base.dest_qp_num;
++      if (cmd->base.attr_mask & IB_QP_ACCESS_FLAGS)
++              attr->qp_access_flags = cmd->base.qp_access_flags;
++      if (cmd->base.attr_mask & IB_QP_PKEY_INDEX)
++              attr->pkey_index = cmd->base.pkey_index;
++      if (cmd->base.attr_mask & IB_QP_EN_SQD_ASYNC_NOTIFY)
++              attr->en_sqd_async_notify = cmd->base.en_sqd_async_notify;
++      if (cmd->base.attr_mask & IB_QP_MAX_QP_RD_ATOMIC)
++              attr->max_rd_atomic = cmd->base.max_rd_atomic;
++      if (cmd->base.attr_mask & IB_QP_MAX_DEST_RD_ATOMIC)
++              attr->max_dest_rd_atomic = cmd->base.max_dest_rd_atomic;
++      if (cmd->base.attr_mask & IB_QP_MIN_RNR_TIMER)
++              attr->min_rnr_timer = cmd->base.min_rnr_timer;
++      if (cmd->base.attr_mask & IB_QP_PORT)
++              attr->port_num = cmd->base.port_num;
++      if (cmd->base.attr_mask & IB_QP_TIMEOUT)
++              attr->timeout = cmd->base.timeout;
++      if (cmd->base.attr_mask & IB_QP_RETRY_CNT)
++              attr->retry_cnt = cmd->base.retry_cnt;
++      if (cmd->base.attr_mask & IB_QP_RNR_RETRY)
++              attr->rnr_retry = cmd->base.rnr_retry;
++      if (cmd->base.attr_mask & IB_QP_ALT_PATH) {
++              attr->alt_port_num = cmd->base.alt_port_num;
++              attr->alt_timeout = cmd->base.alt_timeout;
++              attr->alt_pkey_index = cmd->base.alt_pkey_index;
++      }
++      if (cmd->base.attr_mask & IB_QP_RATE_LIMIT)
++              attr->rate_limit = cmd->rate_limit;
+       if (cmd->base.attr_mask & IB_QP_AV)
+               copy_ah_attr_from_uverbs(qp->device, &attr->ah_attr,
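Review bot: With the copies in modify_qp now conditional on `attr_mask`, every field of `attr` whose bit is clear keeps whatever the allocation left in it, where it used to be overwritten from the user command. The allocation of `attr` is outside this hunk; if it does not zero the structure (kzalloc or an explicit memset), the unmasked fields reach the driver's modify path as uninitialised kernel heap. That should be confirmed, and the allocation switched to a zeroing one if needed. In the visible lines only `qp_state` and `cur_qp_state` are range-checked before use; the remaining user-supplied fields are passed on as given. The function body continues outside the hunk.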
diff --git a/queue-4.18/risc-v-include-linux-ftrace.h-in-asm-prototypes.h.patch b/queue-4.18/risc-v-include-linux-ftrace.h-in-asm-prototypes.h.patch
new file mode 100644 (file)
index 0000000..a7c33bd
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: James Cowgill <jcowgill@debian.org>
+Date: Thu, 6 Sep 2018 22:57:56 +0100
+Subject: RISC-V: include linux/ftrace.h in asm-prototypes.h
+
+From: James Cowgill <jcowgill@debian.org>
+
+[ Upstream commit 57a489786de9ec37d6e25ef1305dc337047f0236 ]
+
+Building a riscv kernel with CONFIG_FUNCTION_TRACER and
+CONFIG_MODVERSIONS enabled results in these two warnings:
+
+  MODPOST vmlinux.o
+WARNING: EXPORT symbol "return_to_handler" [vmlinux] version generation failed, symbol will not be versioned.
+WARNING: EXPORT symbol "_mcount" [vmlinux] version generation failed, symbol will not be versioned.
+
+When exporting symbols from an assembly file, the MODVERSIONS code
+requires their prototypes to be defined in asm-prototypes.h (see
+scripts/Makefile.build). Since both of these symbols have prototypes
+defined in linux/ftrace.h, include this header from RISC-V's
+asm-prototypes.h.
+
+Reported-by: Karsten Merker <merker@debian.org>
+Signed-off-by: James Cowgill <jcowgill@debian.org>
+Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/include/asm/asm-prototypes.h |    7 +++++++
+ 1 file changed, 7 insertions(+)
+ create mode 100644 arch/riscv/include/asm/asm-prototypes.h
+
+--- /dev/null
++++ b/arch/riscv/include/asm/asm-prototypes.h
+@@ -0,0 +1,7 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++#ifndef _ASM_RISCV_PROTOTYPES_H
++
++#include <linux/ftrace.h>
++#include <asm-generic/asm-prototypes.h>
++
++#endif /* _ASM_RISCV_PROTOTYPES_H */
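Review bot: The include guard in the new arch/riscv/include/asm/asm-prototypes.h is incomplete: `#ifndef _ASM_RISCV_PROTOTYPES_H` is followed by a blank line and the includes, with no `#define`. The macro is therefore never defined, so the guard has no effect and the body is processed on every inclusion. Add `#define _ASM_RISCV_PROTOTYPES_H` on the line directly after the `#ifndef`.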
diff --git a/queue-4.18/scsi-ibmvscsis-ensure-partition-name-is-properly-nul-terminated.patch b/queue-4.18/scsi-ibmvscsis-ensure-partition-name-is-properly-nul-terminated.patch
new file mode 100644 (file)
index 0000000..f928f89
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Laura Abbott <labbott@redhat.com>
+Date: Tue, 11 Sep 2018 12:22:26 -0700
+Subject: scsi: ibmvscsis: Ensure partition name is properly NUL terminated
+
+From: Laura Abbott <labbott@redhat.com>
+
+[ Upstream commit adad633af7b970bfa5dd1b624a4afc83cac9b235 ]
+
+While reviewing another part of the code, Kees noticed that the strncpy of the
+partition name might not always be NUL terminated. Switch to using strscpy
+which does this safely.
+
+Reported-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Laura Abbott <labbott@redhat.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
++++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
+@@ -3478,7 +3478,7 @@ static int ibmvscsis_probe(struct vio_de
+       snprintf(vscsi->eye, sizeof(vscsi->eye), "VSCSI %s", vdev->name);
+       vscsi->dds.unit_id = vdev->unit_address;
+-      strncpy(vscsi->dds.partition_name, partition_name,
++      strscpy(vscsi->dds.partition_name, partition_name,
+               sizeof(vscsi->dds.partition_name));
+       vscsi->dds.partition_num = partition_number;
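Review bot: The result of `strscpy()` in ibmvscsis_probe is discarded, so a partition name longer than `dds.partition_name` is now cut short with no trace. Checking for the negative return would make that visible, for example `if (strscpy(vscsi->dds.partition_name, partition_name, sizeof(vscsi->dds.partition_name)) < 0) dev_warn(&vdev->dev, "partition name truncated\n");`. Unlike strncpy, strscpy also does not zero-fill the rest of the destination. If `vscsi` is not zero-allocated (the allocation is outside this hunk), the bytes after the terminator keep their earlier content, which matters if the dds block is ever handed to the partner side. The body of ibmvscsis_probe starts and ends outside the hunk.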
diff --git a/queue-4.18/scsi-ibmvscsis-fix-a-stringop-overflow-warning.patch b/queue-4.18/scsi-ibmvscsis-fix-a-stringop-overflow-warning.patch
new file mode 100644 (file)
index 0000000..2163453
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Laura Abbott <labbott@redhat.com>
+Date: Tue, 11 Sep 2018 12:22:25 -0700
+Subject: scsi: ibmvscsis: Fix a stringop-overflow warning
+
+From: Laura Abbott <labbott@redhat.com>
+
+[ Upstream commit d792d4c4fc866ae224b0b0ca2aabd87d23b4d6cc ]
+
+There's currently a warning about string overflow with strncat:
+
+drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c: In function 'ibmvscsis_probe':
+drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c:3479:2: error: 'strncat' specified
+bound 64 equals destination size [-Werror=stringop-overflow=]
+  strncat(vscsi->eye, vdev->name, MAX_EYE);
+  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Switch to a single snprintf instead of a strcpy + strcat to handle this
+cleanly.
+
+Signed-off-by: Laura Abbott <labbott@redhat.com>
+Suggested-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
++++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
+@@ -3475,8 +3475,7 @@ static int ibmvscsis_probe(struct vio_de
+               vscsi->dds.window[LOCAL].liobn,
+               vscsi->dds.window[REMOTE].liobn);
+-      strcpy(vscsi->eye, "VSCSI ");
+-      strncat(vscsi->eye, vdev->name, MAX_EYE);
++      snprintf(vscsi->eye, sizeof(vscsi->eye), "VSCSI %s", vdev->name);
+       vscsi->dds.unit_id = vdev->unit_address;
+       strncpy(vscsi->dds.partition_name, partition_name,
diff --git a/queue-4.18/scsi-ipr-system-hung-while-dlpar-adding-primary-ipr-adapter-back.patch b/queue-4.18/scsi-ipr-system-hung-while-dlpar-adding-primary-ipr-adapter-back.patch
new file mode 100644 (file)
index 0000000..26e2c95
--- /dev/null
@@ -0,0 +1,181 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Wen Xiong <wenxiong@linux.vnet.ibm.com>
+Date: Thu, 20 Sep 2018 19:32:12 -0500
+Subject: scsi: ipr: System hung while dlpar adding primary ipr adapter back
+
+From: Wen Xiong <wenxiong@linux.vnet.ibm.com>
+
+[ Upstream commit 318ddb34b2052f838aa243d07173e2badf3e630e ]
+
+While dlpar adding primary ipr adapter back, driver goes through adapter
+initialization then schedule ipr_worker_thread to start te disk scan by
+dropping the host lock, calling scsi_add_device.  Then get the adapter reset
+request again, so driver does scsi_block_requests, this will cause the
+scsi_add_device get hung until we unblock. But we can't run ipr_worker_thread
+to do the unblock because its stuck in scsi_add_device.
+
+This patch fixes the issue.
+
+[mkp: typo and whitespace fixes]
+
+Signed-off-by: Wen Xiong <wenxiong@linux.vnet.ibm.com>
+Acked-by: Brian King <brking@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ipr.c |  106 ++++++++++++++++++++++++++++++-----------------------
+ drivers/scsi/ipr.h |    1 
+ 2 files changed, 62 insertions(+), 45 deletions(-)
+
+--- a/drivers/scsi/ipr.c
++++ b/drivers/scsi/ipr.c
+@@ -3310,6 +3310,65 @@ static void ipr_release_dump(struct kref
+       LEAVE;
+ }
++static void ipr_add_remove_thread(struct work_struct *work)
++{
++      unsigned long lock_flags;
++      struct ipr_resource_entry *res;
++      struct scsi_device *sdev;
++      struct ipr_ioa_cfg *ioa_cfg =
++              container_of(work, struct ipr_ioa_cfg, scsi_add_work_q);
++      u8 bus, target, lun;
++      int did_work;
++
++      ENTER;
++      spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags);
++
++restart:
++      do {
++              did_work = 0;
++              if (!ioa_cfg->hrrq[IPR_INIT_HRRQ].allow_cmds) {
++                      spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags);
++                      return;
++              }
++
++              list_for_each_entry(res, &ioa_cfg->used_res_q, queue) {
++                      if (res->del_from_ml && res->sdev) {
++                              did_work = 1;
++                              sdev = res->sdev;
++                              if (!scsi_device_get(sdev)) {
++                                      if (!res->add_to_ml)
++                                              list_move_tail(&res->queue, &ioa_cfg->free_res_q);
++                                      else
++                                              res->del_from_ml = 0;
++                                      spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags);
++                                      scsi_remove_device(sdev);
++                                      scsi_device_put(sdev);
++                                      spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags);
++                              }
++                              break;
++                      }
++              }
++      } while (did_work);
++
++      list_for_each_entry(res, &ioa_cfg->used_res_q, queue) {
++              if (res->add_to_ml) {
++                      bus = res->bus;
++                      target = res->target;
++                      lun = res->lun;
++                      res->add_to_ml = 0;
++                      spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags);
++                      scsi_add_device(ioa_cfg->host, bus, target, lun);
++                      spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags);
++                      goto restart;
++              }
++      }
++
++      ioa_cfg->scan_done = 1;
++      spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags);
++      kobject_uevent(&ioa_cfg->host->shost_dev.kobj, KOBJ_CHANGE);
++      LEAVE;
++}
++
+ /**
+  * ipr_worker_thread - Worker thread
+  * @work:             ioa config struct
+@@ -3324,13 +3383,9 @@ static void ipr_release_dump(struct kref
+ static void ipr_worker_thread(struct work_struct *work)
+ {
+       unsigned long lock_flags;
+-      struct ipr_resource_entry *res;
+-      struct scsi_device *sdev;
+       struct ipr_dump *dump;
+       struct ipr_ioa_cfg *ioa_cfg =
+               container_of(work, struct ipr_ioa_cfg, work_q);
+-      u8 bus, target, lun;
+-      int did_work;
+       ENTER;
+       spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags);
+@@ -3368,49 +3423,9 @@ static void ipr_worker_thread(struct wor
+               return;
+       }
+-restart:
+-      do {
+-              did_work = 0;
+-              if (!ioa_cfg->hrrq[IPR_INIT_HRRQ].allow_cmds) {
+-                      spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags);
+-                      return;
+-              }
++      schedule_work(&ioa_cfg->scsi_add_work_q);
+-              list_for_each_entry(res, &ioa_cfg->used_res_q, queue) {
+-                      if (res->del_from_ml && res->sdev) {
+-                              did_work = 1;
+-                              sdev = res->sdev;
+-                              if (!scsi_device_get(sdev)) {
+-                                      if (!res->add_to_ml)
+-                                              list_move_tail(&res->queue, &ioa_cfg->free_res_q);
+-                                      else
+-                                              res->del_from_ml = 0;
+-                                      spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags);
+-                                      scsi_remove_device(sdev);
+-                                      scsi_device_put(sdev);
+-                                      spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags);
+-                              }
+-                              break;
+-                      }
+-              }
+-      } while (did_work);
+-
+-      list_for_each_entry(res, &ioa_cfg->used_res_q, queue) {
+-              if (res->add_to_ml) {
+-                      bus = res->bus;
+-                      target = res->target;
+-                      lun = res->lun;
+-                      res->add_to_ml = 0;
+-                      spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags);
+-                      scsi_add_device(ioa_cfg->host, bus, target, lun);
+-                      spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags);
+-                      goto restart;
+-              }
+-      }
+-
+-      ioa_cfg->scan_done = 1;
+       spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags);
+-      kobject_uevent(&ioa_cfg->host->shost_dev.kobj, KOBJ_CHANGE);
+       LEAVE;
+ }
+@@ -9908,6 +9923,7 @@ static void ipr_init_ioa_cfg(struct ipr_
+       INIT_LIST_HEAD(&ioa_cfg->free_res_q);
+       INIT_LIST_HEAD(&ioa_cfg->used_res_q);
+       INIT_WORK(&ioa_cfg->work_q, ipr_worker_thread);
++      INIT_WORK(&ioa_cfg->scsi_add_work_q, ipr_add_remove_thread);
+       init_waitqueue_head(&ioa_cfg->reset_wait_q);
+       init_waitqueue_head(&ioa_cfg->msi_wait_q);
+       init_waitqueue_head(&ioa_cfg->eeh_wait_q);
+--- a/drivers/scsi/ipr.h
++++ b/drivers/scsi/ipr.h
+@@ -1568,6 +1568,7 @@ struct ipr_ioa_cfg {
+       u8 saved_mode_page_len;
+       struct work_struct work_q;
++      struct work_struct scsi_add_work_q;
+       struct workqueue_struct *reset_work_q;
+       wait_queue_head_t reset_wait_q;
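Review bot: The new work item `scsi_add_work_q` is initialised in ipr_init_ioa_cfg and scheduled from ipr_worker_thread, but no hunk adds a matching flush or cancel on the adapter removal path. If teardown waits only for `work_q` (the remove code is not part of this patch), `ipr_add_remove_thread` can still be queued or running when `ioa_cfg` and the host are released, which would be a use-after-free. A `flush_work(&ioa_cfg->scsi_add_work_q);` next to the existing wait for `work_q` would close that window. Separately, the new function has no kernel-doc header although its neighbour `ipr_worker_thread` does, and its early return on `!allow_cmds` leaves without the `LEAVE` trace that the normal exit emits.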
diff --git a/queue-4.18/scsi-lpfc-synchronize-access-to-remoteport-via-rport.patch b/queue-4.18/scsi-lpfc-synchronize-access-to-remoteport-via-rport.patch
new file mode 100644 (file)
index 0000000..ccf654c
--- /dev/null
@@ -0,0 +1,133 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: James Smart <jsmart2021@gmail.com>
+Date: Thu, 13 Sep 2018 15:41:10 -0700
+Subject: scsi: lpfc: Synchronize access to remoteport via rport
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 9e210178267b80c4eeb832fade7e146a18c84915 ]
+
+The driver currently uses the ndlp to get the local rport which is then used
+to get the nvme transport remoteport pointer. There can be cases where a stale
+remoteport pointer is obtained as synchronization isn't done through the
+different dereferences.
+
+Correct by using locks to synchronize the dereferences.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_attr.c    |   15 ++++++++++-----
+ drivers/scsi/lpfc/lpfc_debugfs.c |   10 +++++-----
+ drivers/scsi/lpfc/lpfc_nvme.c    |   11 ++++++++---
+ 3 files changed, 23 insertions(+), 13 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_attr.c
++++ b/drivers/scsi/lpfc/lpfc_attr.c
+@@ -320,12 +320,12 @@ lpfc_nvme_info_show(struct device *dev,
+                       localport->port_id, statep);
+       list_for_each_entry(ndlp, &vport->fc_nodes, nlp_listp) {
++              nrport = NULL;
++              spin_lock(&vport->phba->hbalock);
+               rport = lpfc_ndlp_get_nrport(ndlp);
+-              if (!rport)
+-                      continue;
+-
+-              /* local short-hand pointer. */
+-              nrport = rport->remoteport;
++              if (rport)
++                      nrport = rport->remoteport;
++              spin_unlock(&vport->phba->hbalock);
+               if (!nrport)
+                       continue;
+@@ -3304,6 +3304,7 @@ lpfc_update_rport_devloss_tmo(struct lpf
+       struct lpfc_nodelist  *ndlp;
+ #if (IS_ENABLED(CONFIG_NVME_FC))
+       struct lpfc_nvme_rport *rport;
++      struct nvme_fc_remote_port *remoteport = NULL;
+ #endif
+       shost = lpfc_shost_from_vport(vport);
+@@ -3314,8 +3315,12 @@ lpfc_update_rport_devloss_tmo(struct lpf
+               if (ndlp->rport)
+                       ndlp->rport->dev_loss_tmo = vport->cfg_devloss_tmo;
+ #if (IS_ENABLED(CONFIG_NVME_FC))
++              spin_lock(&vport->phba->hbalock);
+               rport = lpfc_ndlp_get_nrport(ndlp);
+               if (rport)
++                      remoteport = rport->remoteport;
++              spin_unlock(&vport->phba->hbalock);
++              if (remoteport)
+                       nvme_fc_set_remoteport_devloss(rport->remoteport,
+                                                      vport->cfg_devloss_tmo);
+ #endif
+--- a/drivers/scsi/lpfc/lpfc_debugfs.c
++++ b/drivers/scsi/lpfc/lpfc_debugfs.c
+@@ -551,7 +551,7 @@ lpfc_debugfs_nodelist_data(struct lpfc_v
+       unsigned char *statep;
+       struct nvme_fc_local_port *localport;
+       struct lpfc_nvmet_tgtport *tgtp;
+-      struct nvme_fc_remote_port *nrport;
++      struct nvme_fc_remote_port *nrport = NULL;
+       struct lpfc_nvme_rport *rport;
+       cnt = (LPFC_NODELIST_SIZE / LPFC_NODELIST_ENTRY_SIZE);
+@@ -696,11 +696,11 @@ lpfc_debugfs_nodelist_data(struct lpfc_v
+       len += snprintf(buf + len, size - len, "\tRport List:\n");
+       list_for_each_entry(ndlp, &vport->fc_nodes, nlp_listp) {
+               /* local short-hand pointer. */
++              spin_lock(&phba->hbalock);
+               rport = lpfc_ndlp_get_nrport(ndlp);
+-              if (!rport)
+-                      continue;
+-
+-              nrport = rport->remoteport;
++              if (rport)
++                      nrport = rport->remoteport;
++              spin_unlock(&phba->hbalock);
+               if (!nrport)
+                       continue;
+--- a/drivers/scsi/lpfc/lpfc_nvme.c
++++ b/drivers/scsi/lpfc/lpfc_nvme.c
+@@ -2718,7 +2718,9 @@ lpfc_nvme_register_port(struct lpfc_vpor
+       rpinfo.port_name = wwn_to_u64(ndlp->nlp_portname.u.wwn);
+       rpinfo.node_name = wwn_to_u64(ndlp->nlp_nodename.u.wwn);
++      spin_lock_irq(&vport->phba->hbalock);
+       oldrport = lpfc_ndlp_get_nrport(ndlp);
++      spin_unlock_irq(&vport->phba->hbalock);
+       if (!oldrport)
+               lpfc_nlp_get(ndlp);
+@@ -2833,7 +2835,7 @@ lpfc_nvme_unregister_port(struct lpfc_vp
+       struct nvme_fc_local_port *localport;
+       struct lpfc_nvme_lport *lport;
+       struct lpfc_nvme_rport *rport;
+-      struct nvme_fc_remote_port *remoteport;
++      struct nvme_fc_remote_port *remoteport = NULL;
+       localport = vport->localport;
+@@ -2847,11 +2849,14 @@ lpfc_nvme_unregister_port(struct lpfc_vp
+       if (!lport)
+               goto input_err;
++      spin_lock_irq(&vport->phba->hbalock);
+       rport = lpfc_ndlp_get_nrport(ndlp);
+-      if (!rport)
++      if (rport)
++              remoteport = rport->remoteport;
++      spin_unlock_irq(&vport->phba->hbalock);
++      if (!remoteport)
+               goto input_err;
+-      remoteport = rport->remoteport;
+       lpfc_printf_vlog(vport, KERN_INFO, LOG_NVME_DISC,
+                        "6033 Unreg nvme remoteport %p, portname x%llx, "
+                        "port_id x%06x, portstate x%x port type x%x\n",
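Review bot: In lpfc_update_rport_devloss_tmo the call still passes `rport->remoteport`, re-read after `hbalock` has been dropped, instead of the `remoteport` value captured under the lock, so the stale-pointer window this patch targets stays open there; it should read `nvme_fc_set_remoteport_devloss(remoteport,`. That `remoteport`, and `nrport` in lpfc_debugfs_nodelist_data, are set to NULL only at declaration, so a value from an earlier node survives an iteration in which `rport` is NULL. In the devloss case `rport` is then dereferenced while NULL, assuming the code sits in the per-node loop, whose header is outside the hunk. Resetting `remoteport = NULL;` / `nrport = NULL;` at the top of each iteration, as the lpfc_attr.c hunk already does for `nrport`, avoids this. The lpfc_attr.c and lpfc_debugfs.c hunks also take `hbalock` with plain `spin_lock()` while lpfc_nvme.c uses `spin_lock_irq()`; if the lock is also taken from interrupt context the plain form can deadlock, so the variants should be made consistent.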
diff --git a/queue-4.18/scsi-sd-don-t-crash-the-host-on-invalid-commands.patch b/queue-4.18/scsi-sd-don-t-crash-the-host-on-invalid-commands.patch
new file mode 100644 (file)
index 0000000..741f540
--- /dev/null
@@ -0,0 +1,44 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Johannes Thumshirn <jthumshirn@suse.de>
+Date: Fri, 21 Sep 2018 09:01:01 +0200
+Subject: scsi: sd: don't crash the host on invalid commands
+
+From: Johannes Thumshirn <jthumshirn@suse.de>
+
+[ Upstream commit f1f1fadacaf08b7cf11714c0c29f8fa4d4ef68a9 ]
+
+When sd_init_command() get's a command with a unknown req_op() it crashes the
+system via BUG().
+
+This makes debugging the actual reason for the broken request cmd_flags pretty
+hard as the system is down before it's able to write out debugging data on the
+serial console or the trace buffer.
+
+Change the BUG() to a WARN_ON() and return BLKPREP_KILL to fail gracefully and
+return an I/O error to the producer of the request.
+
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+Cc: Hannes Reinecke <hare@suse.de>
+Cc: Bart Van Assche <bvanassche@acm.org>
+Cc: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sd.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -1277,7 +1277,8 @@ static int sd_init_command(struct scsi_c
+       case REQ_OP_ZONE_RESET:
+               return sd_zbc_setup_reset_cmnd(cmd);
+       default:
+-              BUG();
++              WARN_ON_ONCE(1);
++              return BLKPREP_KILL;
+       }
+ }
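Review bot: `WARN_ON_ONCE(1)` in the `default:` arm reports only the first unknown operation and does not say which one it was. Every later invalid request is failed with `BLKPREP_KILL` and leaves no trace, which works against the debugging goal given in the commit message. Including the opcode would help, e.g. `WARN_ONCE(1, "sd: unknown request op %u\n", req_op(rq));`, where the request variable name is assumed because sd_init_command begins outside the hunk. Hosts running with panic_on_warn will still go down on this path.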
diff --git a/queue-4.18/selftests-pmtu-properly-redirect-stderr-to-dev-null.patch b/queue-4.18/selftests-pmtu-properly-redirect-stderr-to-dev-null.patch
new file mode 100644 (file)
index 0000000..abc2ba2
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Mon, 17 Sep 2018 15:30:06 +0200
+Subject: selftests: pmtu: properly redirect stderr to /dev/null
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 0a286afee5a1e8dca86d824209dbd3200294f86f ]
+
+The cleanup function uses "$CMD 2 > /dev/null", which doesn't actually
+send stderr to /dev/null, so when the netns doesn't exist, the error
+message is shown. Use "2> /dev/null" instead, so that those messages
+disappear, as was intended.
+
+Fixes: d1f1b9cbf34c ("selftests: net: Introduce first PMTU test")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Acked-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/pmtu.sh |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/net/pmtu.sh
++++ b/tools/testing/selftests/net/pmtu.sh
+@@ -178,8 +178,8 @@ setup() {
+ cleanup() {
+       [ ${cleanup_done} -eq 1 ] && return
+-      ip netns del ${NS_A} 2 > /dev/null
+-      ip netns del ${NS_B} 2 > /dev/null
++      ip netns del ${NS_A} 2> /dev/null
++      ip netns del ${NS_B} 2> /dev/null
+       cleanup_done=1
+ }
diff --git a/queue-4.18/soundwire-fix-acquiring-bus-lock-twice-during-master-release.patch b/queue-4.18/soundwire-fix-acquiring-bus-lock-twice-during-master-release.patch
new file mode 100644 (file)
index 0000000..5e6b6a8
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Thu Oct 18 11:08:34 CEST 2018
+From: Sanyog Kale <sanyog.r.kale@intel.com>
+Date: Fri, 27 Jul 2018 14:44:10 +0530
+Subject: soundwire: Fix acquiring bus lock twice during master release
+
+From: Sanyog Kale <sanyog.r.kale@intel.com>
+
+[ Upstream commit 8d6ccf5cebbc7ed1dee9986e36853a78dfb64084 ]
+
+As part of sdw_stream_remove_master(), sdw_stream_remove_slave() is called
+which results in bus lock being acquired twice.
+
+So, fix it by performing specific Slave remove operations in
+sdw_release_master_stream() instead of calling sdw_stream_remove_slave().
+
+Signed-off-by: Sanyog Kale <sanyog.r.kale@intel.com>
+Signed-off-by: Shreyas NC <shreyas.nc@intel.com>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soundwire/stream.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/soundwire/stream.c
++++ b/drivers/soundwire/stream.c
+@@ -899,9 +899,10 @@ static void sdw_release_master_stream(st
+       struct sdw_master_runtime *m_rt = stream->m_rt;
+       struct sdw_slave_runtime *s_rt, *_s_rt;
+-      list_for_each_entry_safe(s_rt, _s_rt,
+-                      &m_rt->slave_rt_list, m_rt_node)
+-              sdw_stream_remove_slave(s_rt->slave, stream);
++      list_for_each_entry_safe(s_rt, _s_rt, &m_rt->slave_rt_list, m_rt_node) {
++              sdw_slave_port_release(s_rt->slave->bus, s_rt->slave, stream);
++              sdw_release_slave_stream(s_rt->slave, stream);
++      }
+       list_del(&m_rt->bus_node);
+ }
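Review bot: sdw_release_master_stream now open-codes the Slave teardown because its caller already holds the bus lock, but nothing in the function records that requirement. A short comment above the loop, such as `/* called with bus_lock held: must not call sdw_stream_remove_slave() */`, would keep the double acquisition from being reintroduced. A `lockdep_assert_held()` on the bus lock would enforce it, if the bus pointer is reachable at this point (not visible in the hunk). The function begins outside the hunk.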
diff --git a/queue-4.18/soundwire-fix-duplicate-stream-state-assignment.patch b/queue-4.18/soundwire-fix-duplicate-stream-state-assignment.patch
new file mode 100644 (file)
index 0000000..0f068e9
--- /dev/null
@@ -0,0 +1,60 @@
+From foo@baz Thu Oct 18 11:08:34 CEST 2018
+From: Shreyas NC <shreyas.nc@intel.com>
+Date: Fri, 27 Jul 2018 14:44:08 +0530
+Subject: soundwire: Fix duplicate stream state assignment
+
+From: Shreyas NC <shreyas.nc@intel.com>
+
+[ Upstream commit 0aebe40bae6cf5652fdc3d05ecee15fbf5748194 ]
+
+For a SoundWire stream it is expected that a Slave is added to the
+stream before Master is added.
+
+So, move the stream state to CONFIGURED after the first Slave is
+added and remove the stream state assignment for Master add.
+Along with these changes, add additional comments to explain the same.
+
+Signed-off-by: Shreyas NC <shreyas.nc@intel.com>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soundwire/stream.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/soundwire/stream.c
++++ b/drivers/soundwire/stream.c
+@@ -1123,8 +1123,6 @@ int sdw_stream_add_master(struct sdw_bus
+       if (ret)
+               goto stream_error;
+-      stream->state = SDW_STREAM_CONFIGURED;
+-
+ stream_error:
+       sdw_release_master_stream(stream);
+ error:
+@@ -1141,6 +1139,10 @@ EXPORT_SYMBOL(sdw_stream_add_master);
+  * @stream: SoundWire stream
+  * @port_config: Port configuration for audio stream
+  * @num_ports: Number of ports
++ *
++ * It is expected that Slave is added before adding Master
++ * to the Stream.
++ *
+  */
+ int sdw_stream_add_slave(struct sdw_slave *slave,
+               struct sdw_stream_config *stream_config,
+@@ -1186,6 +1188,12 @@ int sdw_stream_add_slave(struct sdw_slav
+       if (ret)
+               goto stream_error;
++      /*
++       * Change stream state to CONFIGURED on first Slave add.
++       * Bus is not aware of number of Slave(s) in a stream at this
++       * point so cannot depend on all Slave(s) to be added in order to
++       * change stream state to CONFIGURED.
++       */
+       stream->state = SDW_STREAM_CONFIGURED;
+       goto error;
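Review bot: The added comment in sdw_stream_add_slave says the state changes "on first Slave add", but `stream->state = SDW_STREAM_CONFIGURED;` runs on every successful add and nothing in the hunk checks the current state. If a Slave can be added to a stream that has already moved past CONFIGURED, this assignment would move the state backwards. Either guard it, e.g. `if (stream->state == SDW_STREAM_ALLOCATED) stream->state = SDW_STREAM_CONFIGURED;`, or reword the comment to say that the assignment is repeated on each add. The success path also leaves through `goto error;`; a neutral label name would read better, though the label itself is outside the hunk.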
diff --git a/queue-4.18/soundwire-fix-incorrect-exit-after-configuring-stream.patch b/queue-4.18/soundwire-fix-incorrect-exit-after-configuring-stream.patch
new file mode 100644 (file)
index 0000000..7bdbabe
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Thu Oct 18 11:08:34 CEST 2018
+From: Shreyas NC <shreyas.nc@intel.com>
+Date: Fri, 27 Jul 2018 14:44:09 +0530
+Subject: soundwire: Fix incorrect exit after configuring stream
+
+From: Shreyas NC <shreyas.nc@intel.com>
+
+[ Upstream commit 3fef1a2259c556cce34df2791688cb3001f81c92 ]
+
+In sdw_stream_add_master() after the Master ports are configured,
+the stream is released incorrectly.
+
+So, fix it by avoiding stream release after configuring the Master
+for the stream.
+While at it, rename the label appropriately.
+
+Signed-off-by: Shreyas NC <shreyas.nc@intel.com>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soundwire/stream.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/soundwire/stream.c
++++ b/drivers/soundwire/stream.c
+@@ -1112,7 +1112,7 @@ int sdw_stream_add_master(struct sdw_bus
+                               "Master runtime config failed for stream:%s",
+                               stream->name);
+               ret = -ENOMEM;
+-              goto error;
++              goto unlock;
+       }
+       ret = sdw_config_stream(bus->dev, stream, stream_config, false);
+@@ -1123,9 +1123,11 @@ int sdw_stream_add_master(struct sdw_bus
+       if (ret)
+               goto stream_error;
++      goto unlock;
++
+ stream_error:
+       sdw_release_master_stream(stream);
+-error:
++unlock:
+       mutex_unlock(&bus->bus_lock);
+       return ret;
+ }
diff --git a/queue-4.18/spi-gpio-fix-copy-and-paste-error.patch b/queue-4.18/spi-gpio-fix-copy-and-paste-error.patch
new file mode 100644 (file)
index 0000000..70c3af0
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Thu Oct 18 11:08:34 CEST 2018
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Tue, 4 Sep 2018 15:39:30 +0200
+Subject: spi: gpio: Fix copy-and-paste error
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 1723c3155f117ee6e00f28fadf6e9eda4fc85806 ]
+
+This fixes an embarrassing copy-and-paste error in the
+errorpath of spi_gpio_request(): we were checking the wrong
+struct member for error code right after retrieveing the
+sck GPIO.
+
+Fixes: 9b00bc7b901ff672 ("spi: spi-gpio: Rewrite to use GPIO descriptors")
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-gpio.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-gpio.c
++++ b/drivers/spi/spi-gpio.c
+@@ -287,8 +287,8 @@ static int spi_gpio_request(struct devic
+               *mflags |= SPI_MASTER_NO_RX;
+       spi_gpio->sck = devm_gpiod_get(dev, "sck", GPIOD_OUT_LOW);
+-      if (IS_ERR(spi_gpio->mosi))
+-              return PTR_ERR(spi_gpio->mosi);
++      if (IS_ERR(spi_gpio->sck))
++              return PTR_ERR(spi_gpio->sck);
+       for (i = 0; i < num_chipselects; i++) {
+               spi_gpio->cs_gpios[i] = devm_gpiod_get_index(dev, "cs",
diff --git a/queue-4.18/x86-boot-fix-kexec-booting-failure-in-the-sev-bit-detection-code.patch b/queue-4.18/x86-boot-fix-kexec-booting-failure-in-the-sev-bit-detection-code.patch
new file mode 100644 (file)
index 0000000..b3da0fb
--- /dev/null
@@ -0,0 +1,100 @@
+From foo@baz Thu Oct 18 11:08:35 CEST 2018
+From: Kairui Song <kasong@redhat.com>
+Date: Thu, 27 Sep 2018 20:38:45 +0800
+Subject: x86/boot: Fix kexec booting failure in the SEV bit detection code
+
+From: Kairui Song <kasong@redhat.com>
+
+[ Upstream commit bdec8d7fa55e6f5314ed72e5a0b435d90ff90548 ]
+
+Commit
+
+  1958b5fc4010 ("x86/boot: Add early boot support when running with SEV active")
+
+can occasionally cause system resets when kexec-ing a second kernel even
+if SEV is not active.
+
+That's because get_sev_encryption_bit() uses 32-bit rIP-relative
+addressing to read the value of enc_bit - a variable which caches a
+previously detected encryption bit position - but kexec may allocate
+the early boot code to a higher location, beyond the 32-bit addressing
+limit.
+
+In this case, garbage will be read and get_sev_encryption_bit() will
+return the wrong value, leading to accessing memory with the wrong
+encryption setting.
+
+Therefore, remove enc_bit, and thus get rid of the need to do 32-bit
+rIP-relative addressing in the first place.
+
+ [ bp: massage commit message heavily. ]
+
+Fixes: 1958b5fc4010 ("x86/boot: Add early boot support when running with SEV active")
+Suggested-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Kairui Song <kasong@redhat.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: linux-kernel@vger.kernel.org
+Cc: tglx@linutronix.de
+Cc: mingo@redhat.com
+Cc: hpa@zytor.com
+Cc: brijesh.singh@amd.com
+Cc: kexec@lists.infradead.org
+Cc: dyoung@redhat.com
+Cc: bhe@redhat.com
+Cc: ghook@redhat.com
+Link: https://lkml.kernel.org/r/20180927123845.32052-1-kasong@redhat.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/boot/compressed/mem_encrypt.S |   19 -------------------
+ 1 file changed, 19 deletions(-)
+
+--- a/arch/x86/boot/compressed/mem_encrypt.S
++++ b/arch/x86/boot/compressed/mem_encrypt.S
+@@ -25,20 +25,6 @@ ENTRY(get_sev_encryption_bit)
+       push    %ebx
+       push    %ecx
+       push    %edx
+-      push    %edi
+-
+-      /*
+-       * RIP-relative addressing is needed to access the encryption bit
+-       * variable. Since we are running in 32-bit mode we need this call/pop
+-       * sequence to get the proper relative addressing.
+-       */
+-      call    1f
+-1:    popl    %edi
+-      subl    $1b, %edi
+-
+-      movl    enc_bit(%edi), %eax
+-      cmpl    $0, %eax
+-      jge     .Lsev_exit
+       /* Check if running under a hypervisor */
+       movl    $1, %eax
+@@ -69,15 +55,12 @@ ENTRY(get_sev_encryption_bit)
+       movl    %ebx, %eax
+       andl    $0x3f, %eax             /* Return the encryption bit location */
+-      movl    %eax, enc_bit(%edi)
+       jmp     .Lsev_exit
+ .Lno_sev:
+       xor     %eax, %eax
+-      movl    %eax, enc_bit(%edi)
+ .Lsev_exit:
+-      pop     %edi
+       pop     %edx
+       pop     %ecx
+       pop     %ebx
+@@ -113,8 +96,6 @@ ENTRY(set_sev_encryption_mask)
+ ENDPROC(set_sev_encryption_mask)
+       .data
+-enc_bit:
+-      .int    0xffffffff
+ #ifdef CONFIG_AMD_MEM_ENCRYPT
+       .balign 8
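Review bot: After the removal, nothing in get_sev_encryption_bit says why the detected bit position is not cached, which invites a later reintroduction of a data reference like `enc_bit(%edi)` in this 32-bit path. A short comment above `/* Check if running under a hypervisor */` would record the reason, for example `/* Result is deliberately not cached: this runs in 32-bit mode and, after kexec, the boot code may sit where a data reference is not reachable. */`. With the cache gone, every call repeats the detection sequence; that looks acceptable for early boot code, but it is a behaviour change the description does not mention. The routine's body is only partly visible in the three inner hunks.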