4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 27 Nov 2017 16:03:34 +0000 (17:03 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 27 Nov 2017 16:03:34 +0000 (17:03 +0100)
added patches:
9p-fix-missing-commas-in-mount-options.patch
alsa-hda-fix-too-short-hdmi-dp-chmap-reporting.patch
alsa-hda-fix-yet-remaining-issue-with-vmaster-0db-initialization.patch
alsa-hda-realtek-fix-alc275-no-sound-issue.patch
alsa-hda-realtek-fix-alc700-family-no-sound-issue.patch
alsa-pcm-update-tstamp-only-if-audio_tstamp-changed.patch
alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch
alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch
alsa-usb-audio-add-sanity-checks-to-fe-parser.patch
alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch
alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch
asoc-sun8i-codec-fix-left-and-right-channels-inversion.patch
asoc-sun8i-codec-invert-master-slave-condition.patch
asoc-sun8i-codec-set-the-bclk-divider.patch
ata-fixes-kernel-crash-while-tracing-ata_eh_link_autopsy-event.patch
autofs-don-t-fail-mount-for-transient-error.patch
bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch
bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch
block-fix-a-race-between-blk_cleanup_queue-and-timeout-handling.patch
bluetooth-btqcomsmd-add-support-for-bd-address-setup.patch
btrfs-change-how-we-decide-to-commit-transactions-during-flushing.patch
dm-discard-support-requires-all-targets-in-a-table-support-discards.patch
dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch
ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch
ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch
ext4-prevent-data-corruption-with-inline-data-dax.patch
ext4-prevent-data-corruption-with-journaling-dax.patch
f2fs-expose-some-sectors-to-user-in-inline-data-or-dentry-case.patch
fanotify-fix-fsnotify_prepare_user_wait-failure.patch
fix-a-page-leak-in-vhost_scsi_iov_to_sgl-error-recovery.patch
fs-9p-compare-qid.path-in-v9fs_test_inode.patch
fs-guard_bio_eod-needs-to-consider-partitions.patch
fscrypt-lock-mutex-before-checking-for-bounce-page-pool.patch
fsnotify-clean-up-fsnotify_prepare-finish_user_wait.patch
fsnotify-fix-pinning-group-in-fsnotify_prepare_user_wait.patch
fsnotify-pin-both-inode-and-vfsmount-mark.patch
genirq-track-whether-the-trigger-type-has-been-set.patch
irqchip-gic-v3-fix-ppi-partitions-lookup.patch
iscsi-target-fix-non-immediate-tmr-reference-leak.patch
iscsi-target-make-task_reassign-use-proper-se_cmd-cmd_kref.patch
isofs-fix-timestamps-beyond-2027.patch
iwlwifi-fix-firmware-names-for-9000-and-a000-series-hw.patch
libceph-don-t-warn-if-user-tries-to-add-invalid-key.patch
lockd-double-unregister-of-inetaddr-notifiers.patch
mailbox-bcm-flexrm-mailbox-fix-flexrm-ring-flush-sequence.patch
md-bitmap-revert-a-patch.patch
md-don-t-check-md_sb_change_clean-in-md_allow_write.patch
md-fix-deadlock-error-in-recent-patch.patch
mfd-lpc_ich-avoton-rangeley-uses-spi_byt-method.patch
mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch
mips-dts-remove-bogus-bcm96358nb4ser.dtb-from-dtb-y-entry.patch
mips-fix-an-n32-core-file-generation-regset-support-regression.patch
mips-fix-mips64-fp-save-restore-on-32-bit-kernels.patch
mips-fix-odd-fp-register-warnings-with-mips64r2.patch
mips-math-emu-fix-final-emulation-phase-for-certain-instructions.patch
mips-pci-remove-kern_warn-instance-inside-the-mt7620-driver.patch
mm-z3fold.c-use-kref-to-prevent-page-free-compact-race.patch
mtd-avoid-probe-failures-when-mtd-dbg.dfs_dir-is-invalid.patch
mtd-nand-atmel-actually-use-the-pm-ops.patch
mtd-nand-export-nand_reset-symbol.patch
mtd-nand-fix-writing-mtdoops-to-nand-flash.patch
mtd-nand-mtk-fix-infinite-ecc-decode-irq-issue.patch
mtd-nand-omap2-fix-subpage-write.patch
net-9p-switch-to-wait_event_killable.patch
nfs-avoid-rcu-usage-in-tracepoints.patch
nfs-fix-typo-in-nomigration-mount-option.patch
nfs-fix-ugly-referral-attributes.patch
nfs-revalidate-.-etc-correctly-on-open.patch
nfs-revert-nfs-move-the-flock-open-mode-check-into-nfs_flock.patch
nfsd-deal-with-revoked-delegations-appropriately.patch
nilfs2-fix-race-condition-that-causes-file-system-corruption.patch
p54-don-t-unregister-leds-when-they-are-not-initialized.patch
raid1-prevent-freeze_array-wait_all_barriers-deadlock.patch
rt2x00usb-mark-device-removed-when-get-enoent-usb-error.patch
rtlwifi-fix-uninitialized-rtlhal-last_suspend_sec-time.patch
rtlwifi-rtl8192ee-fix-memory-leak-when-loading-firmware.patch
scsi-lpfc-fix-crash-receiving-els-while-detaching-driver.patch
scsi-lpfc-fix-fcp-hba_wqidx-assignment.patch
scsi-lpfc-fix-oops-if-nvmet_fc_register_targetport-fails.patch
scsi-lpfc-fix-pci-hot-plug-crash-in-list_add-call.patch
scsi-lpfc-fix-pci-hot-plug-crash-in-timer-management-routines.patch
scsi-qla2xxx-suppress-a-kernel-complaint-in-qla_init_base_qpair.patch
scsi-sd_zbc-fix-sd_zbc_read_zoned_characteristics.patch
target-avoid-early-cmd_t_pre_execute-failures-during-abort_task.patch
target-fix-buffer-offset-in-core_scsi3_pri_read_full_status.patch
target-fix-caw_sem-leak-in-transport_generic_request_failure.patch
target-fix-null-pointer-regression-in-core_tmr_drain_tmr_list.patch
target-fix-queue_full-scsi-task-attribute-handling.patch
target-fix-quiese-during-transport_write_pending_qf-endless-loop.patch

90 files changed:
queue-4.14/9p-fix-missing-commas-in-mount-options.patch [new file with mode: 0644]
queue-4.14/alsa-hda-fix-too-short-hdmi-dp-chmap-reporting.patch [new file with mode: 0644]
queue-4.14/alsa-hda-fix-yet-remaining-issue-with-vmaster-0db-initialization.patch [new file with mode: 0644]
queue-4.14/alsa-hda-realtek-fix-alc275-no-sound-issue.patch [new file with mode: 0644]
queue-4.14/alsa-hda-realtek-fix-alc700-family-no-sound-issue.patch [new file with mode: 0644]
queue-4.14/alsa-pcm-update-tstamp-only-if-audio_tstamp-changed.patch [new file with mode: 0644]
queue-4.14/alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch [new file with mode: 0644]
queue-4.14/alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch [new file with mode: 0644]
queue-4.14/alsa-usb-audio-add-sanity-checks-to-fe-parser.patch [new file with mode: 0644]
queue-4.14/alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch [new file with mode: 0644]
queue-4.14/alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch [new file with mode: 0644]
queue-4.14/asoc-sun8i-codec-fix-left-and-right-channels-inversion.patch [new file with mode: 0644]
queue-4.14/asoc-sun8i-codec-invert-master-slave-condition.patch [new file with mode: 0644]
queue-4.14/asoc-sun8i-codec-set-the-bclk-divider.patch [new file with mode: 0644]
queue-4.14/ata-fixes-kernel-crash-while-tracing-ata_eh_link_autopsy-event.patch [new file with mode: 0644]
queue-4.14/autofs-don-t-fail-mount-for-transient-error.patch [new file with mode: 0644]
queue-4.14/bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch [new file with mode: 0644]
queue-4.14/bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch [new file with mode: 0644]
queue-4.14/block-fix-a-race-between-blk_cleanup_queue-and-timeout-handling.patch [new file with mode: 0644]
queue-4.14/bluetooth-btqcomsmd-add-support-for-bd-address-setup.patch [new file with mode: 0644]
queue-4.14/btrfs-change-how-we-decide-to-commit-transactions-during-flushing.patch [new file with mode: 0644]
queue-4.14/dm-discard-support-requires-all-targets-in-a-table-support-discards.patch [new file with mode: 0644]
queue-4.14/dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch [new file with mode: 0644]
queue-4.14/ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch [new file with mode: 0644]
queue-4.14/ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch [new file with mode: 0644]
queue-4.14/ext4-prevent-data-corruption-with-inline-data-dax.patch [new file with mode: 0644]
queue-4.14/ext4-prevent-data-corruption-with-journaling-dax.patch [new file with mode: 0644]
queue-4.14/f2fs-expose-some-sectors-to-user-in-inline-data-or-dentry-case.patch [new file with mode: 0644]
queue-4.14/fanotify-fix-fsnotify_prepare_user_wait-failure.patch [new file with mode: 0644]
queue-4.14/fix-a-page-leak-in-vhost_scsi_iov_to_sgl-error-recovery.patch [new file with mode: 0644]
queue-4.14/fs-9p-compare-qid.path-in-v9fs_test_inode.patch [new file with mode: 0644]
queue-4.14/fs-guard_bio_eod-needs-to-consider-partitions.patch [new file with mode: 0644]
queue-4.14/fscrypt-lock-mutex-before-checking-for-bounce-page-pool.patch [new file with mode: 0644]
queue-4.14/fsnotify-clean-up-fsnotify_prepare-finish_user_wait.patch [new file with mode: 0644]
queue-4.14/fsnotify-fix-pinning-group-in-fsnotify_prepare_user_wait.patch [new file with mode: 0644]
queue-4.14/fsnotify-pin-both-inode-and-vfsmount-mark.patch [new file with mode: 0644]
queue-4.14/genirq-track-whether-the-trigger-type-has-been-set.patch [new file with mode: 0644]
queue-4.14/irqchip-gic-v3-fix-ppi-partitions-lookup.patch [new file with mode: 0644]
queue-4.14/iscsi-target-fix-non-immediate-tmr-reference-leak.patch [new file with mode: 0644]
queue-4.14/iscsi-target-make-task_reassign-use-proper-se_cmd-cmd_kref.patch [new file with mode: 0644]
queue-4.14/isofs-fix-timestamps-beyond-2027.patch [new file with mode: 0644]
queue-4.14/iwlwifi-fix-firmware-names-for-9000-and-a000-series-hw.patch [new file with mode: 0644]
queue-4.14/libceph-don-t-warn-if-user-tries-to-add-invalid-key.patch [new file with mode: 0644]
queue-4.14/lockd-double-unregister-of-inetaddr-notifiers.patch [new file with mode: 0644]
queue-4.14/mailbox-bcm-flexrm-mailbox-fix-flexrm-ring-flush-sequence.patch [new file with mode: 0644]
queue-4.14/md-bitmap-revert-a-patch.patch [new file with mode: 0644]
queue-4.14/md-don-t-check-md_sb_change_clean-in-md_allow_write.patch [new file with mode: 0644]
queue-4.14/md-fix-deadlock-error-in-recent-patch.patch [new file with mode: 0644]
queue-4.14/mfd-lpc_ich-avoton-rangeley-uses-spi_byt-method.patch [new file with mode: 0644]
queue-4.14/mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch [new file with mode: 0644]
queue-4.14/mips-dts-remove-bogus-bcm96358nb4ser.dtb-from-dtb-y-entry.patch [new file with mode: 0644]
queue-4.14/mips-fix-an-n32-core-file-generation-regset-support-regression.patch [new file with mode: 0644]
queue-4.14/mips-fix-mips64-fp-save-restore-on-32-bit-kernels.patch [new file with mode: 0644]
queue-4.14/mips-fix-odd-fp-register-warnings-with-mips64r2.patch [new file with mode: 0644]
queue-4.14/mips-math-emu-fix-final-emulation-phase-for-certain-instructions.patch [new file with mode: 0644]
queue-4.14/mips-pci-remove-kern_warn-instance-inside-the-mt7620-driver.patch [new file with mode: 0644]
queue-4.14/mm-z3fold.c-use-kref-to-prevent-page-free-compact-race.patch [new file with mode: 0644]
queue-4.14/mtd-avoid-probe-failures-when-mtd-dbg.dfs_dir-is-invalid.patch [new file with mode: 0644]
queue-4.14/mtd-nand-atmel-actually-use-the-pm-ops.patch [new file with mode: 0644]
queue-4.14/mtd-nand-export-nand_reset-symbol.patch [new file with mode: 0644]
queue-4.14/mtd-nand-fix-writing-mtdoops-to-nand-flash.patch [new file with mode: 0644]
queue-4.14/mtd-nand-mtk-fix-infinite-ecc-decode-irq-issue.patch [new file with mode: 0644]
queue-4.14/mtd-nand-omap2-fix-subpage-write.patch [new file with mode: 0644]
queue-4.14/net-9p-switch-to-wait_event_killable.patch [new file with mode: 0644]
queue-4.14/nfs-avoid-rcu-usage-in-tracepoints.patch [new file with mode: 0644]
queue-4.14/nfs-fix-typo-in-nomigration-mount-option.patch [new file with mode: 0644]
queue-4.14/nfs-fix-ugly-referral-attributes.patch [new file with mode: 0644]
queue-4.14/nfs-revalidate-.-etc-correctly-on-open.patch [new file with mode: 0644]
queue-4.14/nfs-revert-nfs-move-the-flock-open-mode-check-into-nfs_flock.patch [new file with mode: 0644]
queue-4.14/nfsd-deal-with-revoked-delegations-appropriately.patch [new file with mode: 0644]
queue-4.14/nilfs2-fix-race-condition-that-causes-file-system-corruption.patch [new file with mode: 0644]
queue-4.14/p54-don-t-unregister-leds-when-they-are-not-initialized.patch [new file with mode: 0644]
queue-4.14/raid1-prevent-freeze_array-wait_all_barriers-deadlock.patch [new file with mode: 0644]
queue-4.14/rt2x00usb-mark-device-removed-when-get-enoent-usb-error.patch [new file with mode: 0644]
queue-4.14/rtlwifi-fix-uninitialized-rtlhal-last_suspend_sec-time.patch [new file with mode: 0644]
queue-4.14/rtlwifi-rtl8192ee-fix-memory-leak-when-loading-firmware.patch [new file with mode: 0644]
queue-4.14/scsi-lpfc-fix-crash-receiving-els-while-detaching-driver.patch [new file with mode: 0644]
queue-4.14/scsi-lpfc-fix-fcp-hba_wqidx-assignment.patch [new file with mode: 0644]
queue-4.14/scsi-lpfc-fix-oops-if-nvmet_fc_register_targetport-fails.patch [new file with mode: 0644]
queue-4.14/scsi-lpfc-fix-pci-hot-plug-crash-in-list_add-call.patch [new file with mode: 0644]
queue-4.14/scsi-lpfc-fix-pci-hot-plug-crash-in-timer-management-routines.patch [new file with mode: 0644]
queue-4.14/scsi-qla2xxx-suppress-a-kernel-complaint-in-qla_init_base_qpair.patch [new file with mode: 0644]
queue-4.14/scsi-sd_zbc-fix-sd_zbc_read_zoned_characteristics.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/target-avoid-early-cmd_t_pre_execute-failures-during-abort_task.patch [new file with mode: 0644]
queue-4.14/target-fix-buffer-offset-in-core_scsi3_pri_read_full_status.patch [new file with mode: 0644]
queue-4.14/target-fix-caw_sem-leak-in-transport_generic_request_failure.patch [new file with mode: 0644]
queue-4.14/target-fix-null-pointer-regression-in-core_tmr_drain_tmr_list.patch [new file with mode: 0644]
queue-4.14/target-fix-queue_full-scsi-task-attribute-handling.patch [new file with mode: 0644]
queue-4.14/target-fix-quiese-during-transport_write_pending_qf-endless-loop.patch [new file with mode: 0644]

diff --git a/queue-4.14/9p-fix-missing-commas-in-mount-options.patch b/queue-4.14/9p-fix-missing-commas-in-mount-options.patch
new file mode 100644 (file)
index 0000000..d4eca39
--- /dev/null
@@ -0,0 +1,56 @@
+From 61b272c3aa170b3e461b8df636407b29f35f98eb Mon Sep 17 00:00:00 2001
+From: Tuomas Tynkkynen <tuomas@tuxera.com>
+Date: Sun, 19 Nov 2017 11:28:43 +0200
+Subject: 9p: Fix missing commas in mount options
+
+From: Tuomas Tynkkynen <tuomas@tuxera.com>
+
+commit 61b272c3aa170b3e461b8df636407b29f35f98eb upstream.
+
+Since commit c4fac9100456 ("9p: Implement show_options"), the mount
+options of 9p filesystems are printed out with some missing commas
+between the individual options:
+
+p9-scratch on /mnt/scratch type 9p (rw,dirsync,loose,access=clienttrans=virtio)
+
+Add them back.
+
+Fixes: c4fac9100456 ("9p: Implement show_options")
+Signed-off-by: Tuomas Tynkkynen <tuomas@tuxera.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/9p/client.c   |    2 +-
+ net/9p/trans_fd.c |    6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -82,7 +82,7 @@ int p9_show_client_options(struct seq_fi
+ {
+       if (clnt->msize != 8192)
+               seq_printf(m, ",msize=%u", clnt->msize);
+-      seq_printf(m, "trans=%s", clnt->trans_mod->name);
++      seq_printf(m, ",trans=%s", clnt->trans_mod->name);
+       switch (clnt->proto_version) {
+       case p9_proto_legacy:
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -724,12 +724,12 @@ static int p9_fd_show_options(struct seq
+ {
+       if (clnt->trans_mod == &p9_tcp_trans) {
+               if (clnt->trans_opts.tcp.port != P9_PORT)
+-                      seq_printf(m, "port=%u", clnt->trans_opts.tcp.port);
++                      seq_printf(m, ",port=%u", clnt->trans_opts.tcp.port);
+       } else if (clnt->trans_mod == &p9_fd_trans) {
+               if (clnt->trans_opts.fd.rfd != ~0)
+-                      seq_printf(m, "rfd=%u", clnt->trans_opts.fd.rfd);
++                      seq_printf(m, ",rfd=%u", clnt->trans_opts.fd.rfd);
+               if (clnt->trans_opts.fd.wfd != ~0)
+-                      seq_printf(m, "wfd=%u", clnt->trans_opts.fd.wfd);
++                      seq_printf(m, ",wfd=%u", clnt->trans_opts.fd.wfd);
+       }
+       return 0;
+ }
diff --git a/queue-4.14/alsa-hda-fix-too-short-hdmi-dp-chmap-reporting.patch b/queue-4.14/alsa-hda-fix-too-short-hdmi-dp-chmap-reporting.patch
new file mode 100644 (file)
index 0000000..4068516
--- /dev/null
@@ -0,0 +1,47 @@
+From c2432466f583cb719b35a41e757da587d9ab1d00 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 17 Nov 2017 12:08:40 +0100
+Subject: ALSA: hda: Fix too short HDMI/DP chmap reporting
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit c2432466f583cb719b35a41e757da587d9ab1d00 upstream.
+
+We got a regression report about the HD-audio HDMI chmap, where some
+surround channels are reported as UNKNOWN.  The git bisection pointed
+the culprit at the commit 9b3dc8aa3fb1 ("ALSA: hda - Register chmap
+obj as priv data instead of codec").  The story behind scene is like
+this:
+
+- While moving the code out of the legacy HDA to the HDA common place,
+  the patch modifies the code to obtain the chmap array indirectly in
+  a byte array, and it expands it to kctl value array.
+- At the latter operation, the size of the array is wrongly passed by
+  sizeof() to the pointer.
+- It can be 4 on 32bit arch, thus too short for 6+ channels.
+  (And that's the reason why it didn't hit other persons; it's 8 on
+  64bit arch, thus it's usually enough.)
+
+The code was further changed meanwhile, but the problem persisted.
+Let's fix it by correctly evaluating the array size.
+
+Fixes: 9b3dc8aa3fb1 ("ALSA: hda - Register chmap obj as priv data instead of codec")
+Reported-by: VDR User <user.vdr@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/hda/hdmi_chmap.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/hda/hdmi_chmap.c
++++ b/sound/hda/hdmi_chmap.c
+@@ -746,7 +746,7 @@ static int hdmi_chmap_ctl_get(struct snd
+       memset(pcm_chmap, 0, sizeof(pcm_chmap));
+       chmap->ops.get_chmap(chmap->hdac, pcm_idx, pcm_chmap);
+-      for (i = 0; i < sizeof(chmap); i++)
++      for (i = 0; i < ARRAY_SIZE(pcm_chmap); i++)
+               ucontrol->value.integer.value[i] = pcm_chmap[i];
+       return 0;
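Review bot: The loop in hdmi_chmap_ctl_get() now copies `ARRAY_SIZE(pcm_chmap)` entries into `ucontrol->value.integer.value[]`, but nothing in the hunk shows that the destination holds at least that many elements. The declaration of `pcm_chmap` is also outside the hunk, although the `memset(pcm_chmap, 0, sizeof(pcm_chmap))` context line suggests it is a local array. The kernel's ARRAY_SIZE() refuses to build on a pointer, so the sizeof-on-pointer mistake cannot come back silently. A short comment on the loop would record the intent, e.g. `/* copy every slot; unused ones were zeroed by the memset above */`.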
diff --git a/queue-4.14/alsa-hda-fix-yet-remaining-issue-with-vmaster-0db-initialization.patch b/queue-4.14/alsa-hda-fix-yet-remaining-issue-with-vmaster-0db-initialization.patch
new file mode 100644 (file)
index 0000000..e5b789f
--- /dev/null
@@ -0,0 +1,101 @@
+From d6c0615f510bc1ee26cfb2b9a3343ac99b9c46fb Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 22 Nov 2017 12:34:56 +0100
+Subject: ALSA: hda - Fix yet remaining issue with vmaster 0dB initialization
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit d6c0615f510bc1ee26cfb2b9a3343ac99b9c46fb upstream.
+
+The previous fix for addressing the breakage in vmaster slave
+initialization, commit a91d66129fb9 ("ALSA: hda - Fix incorrect TLV
+callback check introduced during set_fs() removal"), introduced a new
+helper to process over each slave kctl.  However, this helper passes
+only the original kctl, not the virtual slave kctl.  As a result,
+HD-audio driver (which is the only user so far) couldn't initialize
+the slave correctly because it's trying to update the value directly
+with the original kctl, not with the mapped kctl.
+
+This patch fixes the situation again by passing both the mapped slaved
+and original slave kctls to the function.  Luckily there is a single
+caller as of now, so changing the call signature is no big matter.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=197959
+Fixes: a91d66129fb9 ("ALSA: hda - Fix incorrect TLV callback check introduced during set_fs() removal")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/sound/control.h   |    4 +++-
+ sound/core/vmaster.c      |    6 ++++--
+ sound/pci/hda/hda_codec.c |   10 +++++++---
+ 3 files changed, 14 insertions(+), 6 deletions(-)
+
+--- a/include/sound/control.h
++++ b/include/sound/control.h
+@@ -249,7 +249,9 @@ int snd_ctl_add_vmaster_hook(struct snd_
+ void snd_ctl_sync_vmaster(struct snd_kcontrol *kctl, bool hook_only);
+ #define snd_ctl_sync_vmaster_hook(kctl)       snd_ctl_sync_vmaster(kctl, true)
+ int snd_ctl_apply_vmaster_slaves(struct snd_kcontrol *kctl,
+-                               int (*func)(struct snd_kcontrol *, void *),
++                               int (*func)(struct snd_kcontrol *vslave,
++                                           struct snd_kcontrol *slave,
++                                           void *arg),
+                                void *arg);
+ /*
+--- a/sound/core/vmaster.c
++++ b/sound/core/vmaster.c
+@@ -495,7 +495,9 @@ EXPORT_SYMBOL_GPL(snd_ctl_sync_vmaster);
+  * Returns 0 if successful, or a negative error code.
+  */
+ int snd_ctl_apply_vmaster_slaves(struct snd_kcontrol *kctl,
+-                               int (*func)(struct snd_kcontrol *, void *),
++                               int (*func)(struct snd_kcontrol *vslave,
++                                           struct snd_kcontrol *slave,
++                                           void *arg),
+                                void *arg)
+ {
+       struct link_master *master;
+@@ -507,7 +509,7 @@ int snd_ctl_apply_vmaster_slaves(struct
+       if (err < 0)
+               return err;
+       list_for_each_entry(slave, &master->slaves, list) {
+-              err = func(&slave->slave, arg);
++              err = func(slave->kctl, &slave->slave, arg);
+               if (err < 0)
+                       return err;
+       }
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -1823,7 +1823,9 @@ struct slave_init_arg {
+ };
+ /* initialize the slave volume with 0dB via snd_ctl_apply_vmaster_slaves() */
+-static int init_slave_0dB(struct snd_kcontrol *kctl, void *_arg)
++static int init_slave_0dB(struct snd_kcontrol *slave,
++                        struct snd_kcontrol *kctl,
++                        void *_arg)
+ {
+       struct slave_init_arg *arg = _arg;
+       int _tlv[4];
+@@ -1860,7 +1862,7 @@ static int init_slave_0dB(struct snd_kco
+       arg->step = step;
+       val = -tlv[2] / step;
+       if (val > 0) {
+-              put_kctl_with_value(kctl, val);
++              put_kctl_with_value(slave, val);
+               return val;
+       }
+@@ -1868,7 +1870,9 @@ static int init_slave_0dB(struct snd_kco
+ }
+ /* unmute the slave via snd_ctl_apply_vmaster_slaves() */
+-static int init_slave_unmute(struct snd_kcontrol *slave, void *_arg)
++static int init_slave_unmute(struct snd_kcontrol *slave,
++                           struct snd_kcontrol *kctl,
++                           void *_arg)
+ {
+       return put_kctl_with_value(slave, 1);
+ }
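Review bot: The callback parameter names disagree between the prototype and its implementations. `snd_ctl_apply_vmaster_slaves()` declares `func(vslave, slave, arg)` in control.h and vmaster.c, while `init_slave_0dB()` and `init_slave_unmute()` in hda_codec.c call the same two arguments `slave, kctl`, so `slave` is the first argument in one file and the second in the others. The bug being fixed was operating on the wrong one of these two kctls, so I would align the names, e.g. `static int init_slave_0dB(struct snd_kcontrol *vslave, struct snd_kcontrol *slave, void *_arg)`. I would also extend the kernel-doc above snd_ctl_apply_vmaster_slaves() to state which control each argument is. The bodies of the hda_codec.c callbacks are only partly visible in these hunks.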
diff --git a/queue-4.14/alsa-hda-realtek-fix-alc275-no-sound-issue.patch b/queue-4.14/alsa-hda-realtek-fix-alc275-no-sound-issue.patch
new file mode 100644 (file)
index 0000000..30140ed
--- /dev/null
@@ -0,0 +1,36 @@
+From 3aabf94c2d95fe465d5fa8590113d1c1f7d8333d Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Wed, 8 Nov 2017 15:28:33 +0800
+Subject: ALSA: hda/realtek - Fix ALC275 no sound issue
+
+From: Kailang Yang <kailang@realtek.com>
+
+commit 3aabf94c2d95fe465d5fa8590113d1c1f7d8333d upstream.
+
+Sound works after a cold boot but not after a reboot from windows.
+This patch will solve this issue. This is relation with Class-D power control.
+
+[ The bug was reported in Bugzilla below for Sony VAIO SVS13A1C5E
+  -- tiwai]
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=197737
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -341,6 +341,9 @@ static void alc_fill_eapd_coef(struct hd
+       case 0x10ec0299:
+               alc_update_coef_idx(codec, 0x10, 1<<9, 0);
+               break;
++      case 0x10ec0275:
++              alc_update_coef_idx(codec, 0xe, 0, 1<<0);
++              break;
+       case 0x10ec0293:
+               alc_update_coef_idx(codec, 0xa, 1<<13, 0);
+               break;
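Review bot: The new `case 0x10ec0275:` writes coefficient index `0xe` with bare literals and no comment, so the only record of why is the commit message (Class-D power control, no sound after a reboot from Windows). A trailing comment would keep that next to the code, e.g. `alc_update_coef_idx(codec, 0xe, 0, 1<<0); /* Class-D power control: no sound after warm reboot */`. alc_fill_eapd_coef() starts and ends outside the hunk.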
diff --git a/queue-4.14/alsa-hda-realtek-fix-alc700-family-no-sound-issue.patch b/queue-4.14/alsa-hda-realtek-fix-alc700-family-no-sound-issue.patch
new file mode 100644 (file)
index 0000000..a16f02d
--- /dev/null
@@ -0,0 +1,32 @@
+From 2d7fe6185722b0817bb345f62ab06b76a7b26542 Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Wed, 22 Nov 2017 15:21:32 +0800
+Subject: ALSA: hda/realtek - Fix ALC700 family no sound issue
+
+From: Kailang Yang <kailang@realtek.com>
+
+commit 2d7fe6185722b0817bb345f62ab06b76a7b26542 upstream.
+
+It maybe the typo for ALC700 support patch.
+To fix the bit value on this patch.
+
+Fixes: 6fbae35a3170 ("ALSA: hda/realtek - Add support for new codecs ALC700/ALC701/ALC703")
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6866,7 +6866,7 @@ static int patch_alc269(struct hda_codec
+       case 0x10ec0703:
+               spec->codec_variant = ALC269_TYPE_ALC700;
+               spec->gen.mixer_nid = 0; /* ALC700 does not have any loopback mixer path */
+-              alc_update_coef_idx(codec, 0x4a, 0, 1 << 15); /* Combo jack auto trigger control */
++              alc_update_coef_idx(codec, 0x4a, 1 << 15, 0); /* Combo jack auto trigger control */
+               break;
+       }
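Review bot: The comment on the corrected call still does not say whether bit 15 of coefficient `0x4a` is set or cleared, which is exactly what the original line got wrong by swapping the last two arguments. Presumably the third argument is the mask and the fourth the bits to set, so the new call clears the bit; please confirm that against alc_update_coef_idx() and then spell it out, e.g. `/* Combo jack auto trigger control: clear bit 15 */`. patch_alc269() extends beyond the hunk.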
diff --git a/queue-4.14/alsa-pcm-update-tstamp-only-if-audio_tstamp-changed.patch b/queue-4.14/alsa-pcm-update-tstamp-only-if-audio_tstamp-changed.patch
new file mode 100644 (file)
index 0000000..f47a924
--- /dev/null
@@ -0,0 +1,58 @@
+From 20e3f985bb875fea4f86b04eba4b6cc29bfd6b71 Mon Sep 17 00:00:00 2001
+From: Henrik Eriksson <henrik.eriksson@axis.com>
+Date: Tue, 21 Nov 2017 09:29:28 +0100
+Subject: ALSA: pcm: update tstamp only if audio_tstamp changed
+
+From: Henrik Eriksson <henrik.eriksson@axis.com>
+
+commit 20e3f985bb875fea4f86b04eba4b6cc29bfd6b71 upstream.
+
+commit 3179f6200188 ("ALSA: core: add .get_time_info") had a side effect
+of changing the behaviour of the PCM runtime tstamp.  Prior to this
+change tstamp was not updated by snd_pcm_update_hw_ptr0() unless the
+hw_ptr had moved, after this change tstamp was always updated.
+
+For an application using alsa-lib, doing snd_pcm_readi() followed by
+snd_pcm_status() to estimate the age of the read samples by subtracting
+status->avail * [sample rate] from status->tstamp this change degraded
+the accuracy of the estimate on devices where the pcm hw does not
+provide a granular hw_ptr, e.g., devices using
+soc-generic-dmaengine-pcm.c and a dma-engine with residue_granularity
+DMA_RESIDUE_GRANULARITY_DESCRIPTOR.  The accuracy of the estimate
+depended on the latency between the PCM hw completing a period and the
+driver called snd_pcm_period_elapsed() to notify ALSA core, typically
+determined by interrupt handling latency.  After the change the accuracy
+of the estimate depended on the latency between the PCM hw completing a
+period and the application calling snd_pcm_status(), determined by the
+scheduling of the application process.  The maximum error of the
+estimate is one period length in both cases, but the error average and
+variance is smaller when it depends on interrupt latency.
+
+Instead of always updating tstamp, update it only if audio_tstamp
+changed.
+
+Fixes: 3179f6200188 ("ALSA: core: add .get_time_info")
+Suggested-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Henrik Eriksson <henrik.eriksson@axis.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm_lib.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/sound/core/pcm_lib.c
++++ b/sound/core/pcm_lib.c
+@@ -248,8 +248,10 @@ static void update_audio_tstamp(struct s
+                               runtime->rate);
+               *audio_tstamp = ns_to_timespec(audio_nsecs);
+       }
+-      runtime->status->audio_tstamp = *audio_tstamp;
+-      runtime->status->tstamp = *curr_tstamp;
++      if (!timespec_equal(&runtime->status->audio_tstamp, audio_tstamp)) {
++              runtime->status->audio_tstamp = *audio_tstamp;
++              runtime->status->tstamp = *curr_tstamp;
++      }
+       /*
+        * re-take a driver timestamp to let apps detect if the reference tstamp
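Review bot: The new `if (!timespec_equal(&runtime->status->audio_tstamp, audio_tstamp))` guard in update_audio_tstamp() has no comment, and the reason for it is recorded only in the commit message. I would add one above the condition, e.g. `/* keep tstamp paired with audio_tstamp: update both only when audio_tstamp changed */`. One case to confirm: if the first computed `audio_tstamp` equals the value already stored in `runtime->status`, `tstamp` is not written on that call, which may or may not be intended at stream start. The function begins outside the hunk.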
diff --git a/queue-4.14/alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch b/queue-4.14/alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch
new file mode 100644 (file)
index 0000000..fd93946
--- /dev/null
@@ -0,0 +1,54 @@
+From 3d4e8303f2c747c8540a0a0126d0151514f6468b Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 21 Nov 2017 16:36:11 +0100
+Subject: ALSA: timer: Remove kernel warning at compat ioctl error paths
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 3d4e8303f2c747c8540a0a0126d0151514f6468b upstream.
+
+Some timer compat ioctls have NULL checks of timer instance with
+snd_BUG_ON() that bring up WARN_ON() when the debug option is set.
+Actually the condition can be met in the normal situation and it's
+confusing and bad to spew kernel warnings with stack trace there.
+Let's remove snd_BUG_ON() invocation and replace with the simple
+checks.  Also, correct the error code to EBADFD to follow the native
+ioctl error handling.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer_compat.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/sound/core/timer_compat.c
++++ b/sound/core/timer_compat.c
+@@ -66,11 +66,11 @@ static int snd_timer_user_info_compat(st
+       struct snd_timer *t;
+       tu = file->private_data;
+-      if (snd_BUG_ON(!tu->timeri))
+-              return -ENXIO;
++      if (!tu->timeri)
++              return -EBADFD;
+       t = tu->timeri->timer;
+-      if (snd_BUG_ON(!t))
+-              return -ENXIO;
++      if (!t)
++              return -EBADFD;
+       memset(&info, 0, sizeof(info));
+       info.card = t->card ? t->card->number : -1;
+       if (t->hw.flags & SNDRV_TIMER_HW_SLAVE)
+@@ -99,8 +99,8 @@ static int snd_timer_user_status_compat(
+       struct snd_timer_status32 status;
+       
+       tu = file->private_data;
+-      if (snd_BUG_ON(!tu->timeri))
+-              return -ENXIO;
++      if (!tu->timeri)
++              return -EBADFD;
+       memset(&status, 0, sizeof(status));
+       status.tstamp.tv_sec = tu->tstamp.tv_sec;
+       status.tstamp.tv_nsec = tu->tstamp.tv_nsec;
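Review bot: Both handlers test `tu->timeri` and then use it (`t = tu->timeri->timer` in snd_timer_user_info_compat()) with no lock visible in the hunk. The commit message acknowledges that a NULL `timeri` is reachable in normal operation, so the check is only sound if the caller serialises these compat ioctls against the code that sets or clears `tu->timeri`. Please confirm the compat ioctl entry point takes the same lock as the native ioctl path, so the pointer cannot change between the NULL check and the dereference. The change from -ENXIO to -EBADFD is visible to userspace, so a short comment that it mirrors the native ioctl would help, e.g. `/* same error as the native ioctl */`. Both function bodies continue outside the hunk.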
diff --git a/queue-4.14/alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch b/queue-4.14/alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch
new file mode 100644 (file)
index 0000000..52b8897
--- /dev/null
@@ -0,0 +1,57 @@
+From 0a62d6c966956d77397c32836a5bbfe3af786fc1 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 21 Nov 2017 17:28:06 +0100
+Subject: ALSA: usb-audio: Add sanity checks in v2 clock parsers
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 0a62d6c966956d77397c32836a5bbfe3af786fc1 upstream.
+
+The helper functions to parse and look for the clock source, selector
+and multiplier unit may return the descriptor with a too short length
+than required, while there is no sanity check in the caller side.
+Add some sanity checks in the parsers, at least, to guarantee the
+given descriptor size, for avoiding the potential crashes.
+
+Fixes: 79f920fbff56 ("ALSA: usb-audio: parse clock topology of UAC2 devices")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/clock.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/clock.c
++++ b/sound/usb/clock.c
+@@ -43,7 +43,7 @@ static struct uac_clock_source_descripto
+       while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra,
+                                            ctrl_iface->extralen,
+                                            cs, UAC2_CLOCK_SOURCE))) {
+-              if (cs->bClockID == clock_id)
++              if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id)
+                       return cs;
+       }
+@@ -59,8 +59,11 @@ static struct uac_clock_selector_descrip
+       while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra,
+                                            ctrl_iface->extralen,
+                                            cs, UAC2_CLOCK_SELECTOR))) {
+-              if (cs->bClockID == clock_id)
++              if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) {
++                      if (cs->bLength < 5 + cs->bNrInPins)
++                              return NULL;
+                       return cs;
++              }
+       }
+       return NULL;
+@@ -75,7 +78,7 @@ static struct uac_clock_multiplier_descr
+       while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra,
+                                            ctrl_iface->extralen,
+                                            cs, UAC2_CLOCK_MULTIPLIER))) {
+-              if (cs->bClockID == clock_id)
++              if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id)
+                       return cs;
+       }
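Review bot: In the clock-selector parser the added bound `cs->bLength < 5 + cs->bNrInPins` covers only the baCSourceID array, but a UAC2 clock selector descriptor carries two more bytes after it (bmControls and iClockSelector). If any caller reads those trailing fields, the minimum should be `7 + cs->bNrInPins`; the callers are outside these hunks, so that needs confirming. The selector parser also returns NULL on the first short match, whereas the source and multiplier parsers skip a short descriptor and keep iterating. Folding the bound into the loop condition would make the three behave alike. All three functions start outside their hunks.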
diff --git a/queue-4.14/alsa-usb-audio-add-sanity-checks-to-fe-parser.patch b/queue-4.14/alsa-usb-audio-add-sanity-checks-to-fe-parser.patch
new file mode 100644 (file)
index 0000000..4eb4ae2
--- /dev/null
@@ -0,0 +1,51 @@
+From d937cd6790a2bef2d07b500487646bd794c039bb Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 21 Nov 2017 16:55:51 +0100
+Subject: ALSA: usb-audio: Add sanity checks to FE parser
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit d937cd6790a2bef2d07b500487646bd794c039bb upstream.
+
+When the usb-audio descriptor contains the malformed feature unit
+description with a too short length, the driver may access
+out-of-bounds.  Add a sanity check of the header size at the beginning
+of parse_audio_feature_unit().
+
+Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1469,6 +1469,12 @@ static int parse_audio_feature_unit(stru
+       __u8 *bmaControls;
+       if (state->mixer->protocol == UAC_VERSION_1) {
++              if (hdr->bLength < 7) {
++                      usb_audio_err(state->chip,
++                                    "unit %u: invalid UAC_FEATURE_UNIT descriptor\n",
++                                    unitid);
++                      return -EINVAL;
++              }
+               csize = hdr->bControlSize;
+               if (!csize) {
+                       usb_audio_dbg(state->chip,
+@@ -1486,6 +1492,12 @@ static int parse_audio_feature_unit(stru
+               }
+       } else {
+               struct uac2_feature_unit_descriptor *ftr = _ftr;
++              if (hdr->bLength < 6) {
++                      usb_audio_err(state->chip,
++                                    "unit %u: invalid UAC_FEATURE_UNIT descriptor\n",
++                                    unitid);
++                      return -EINVAL;
++              }
+               csize = 4;
+               channels = (hdr->bLength - 6) / 4 - 1;
+               bmaControls = ftr->bmaControls;
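Review bot: In the UAC2 branch the new `hdr->bLength < 6` guard still admits lengths 6 through 9, for which `channels = (hdr->bLength - 6) / 4 - 1` evaluates to -1 while `bmaControls` points at a bitmap the descriptor does not contain. Whether a later check rejects that case cannot be seen here, because parse_audio_feature_unit() continues beyond the hunk. If none does, the guard should require the master-channel bitmap as well, `if (hdr->bLength < 6 + 4) {`. The bare literals 7 and 6 would also benefit from a one-line comment naming the fixed header they stand for.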
diff --git a/queue-4.14/alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch b/queue-4.14/alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch
new file mode 100644 (file)
index 0000000..d0c771e
--- /dev/null
@@ -0,0 +1,34 @@
+From f658f17b5e0e339935dca23e77e0f3cad591926b Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 21 Nov 2017 17:00:32 +0100
+Subject: ALSA: usb-audio: Fix potential out-of-bound access at parsing SU
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit f658f17b5e0e339935dca23e77e0f3cad591926b upstream.
+
+The usb-audio driver may trigger an out-of-bound access at parsing a
+malformed selector unit, as it checks the header length only after
+evaluating bNrInPins field, which can be already above the given
+length.  Fix it by adding the length check beforehand.
+
+Fixes: 99fc86450c43 ("ALSA: usb-mixer: parse descriptors with structs")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -2098,7 +2098,8 @@ static int parse_audio_selector_unit(str
+       const struct usbmix_name_map *map;
+       char **namelist;
+-      if (!desc->bNrInPins || desc->bLength < 5 + desc->bNrInPins) {
++      if (desc->bLength < 5 || !desc->bNrInPins ||
++          desc->bLength < 5 + desc->bNrInPins) {
+               usb_audio_err(state->chip,
+                       "invalid SELECTOR UNIT descriptor %d\n", unitid);
+               return -EINVAL;
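Review bot: The new first term `desc->bLength < 5` looks redundant next to `desc->bLength < 5 + desc->bNrInPins`, and nothing in the code says it exists to make the read of `bNrInPins` itself safe, so a later clean-up could drop it. A one-line comment above the condition, e.g. `/* bLength must cover the fixed header before bNrInPins is read */`, would protect the ordering. parse_audio_selector_unit() starts and ends outside the hunk.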
diff --git a/queue-4.14/alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch b/queue-4.14/alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch
new file mode 100644 (file)
index 0000000..94b23ca
--- /dev/null
@@ -0,0 +1,39 @@
+From 8428a8ebde2db1e988e41a58497a28beb7ce1705 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 21 Nov 2017 17:07:43 +0100
+Subject: ALSA: usb-audio: Fix potential zero-division at parsing FU
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 8428a8ebde2db1e988e41a58497a28beb7ce1705 upstream.
+
+parse_audio_feature_unit() contains a code dividing potentially with
+zero when a malformed FU descriptor is passed.  Although there is
+already a sanity check, it checks only the value zero, hence it can
+still lead to a zero-division when a value 1 is passed there.
+
+Fix it by correcting the sanity check (and the error message
+thereof).
+
+Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1476,9 +1476,9 @@ static int parse_audio_feature_unit(stru
+                       return -EINVAL;
+               }
+               csize = hdr->bControlSize;
+-              if (!csize) {
++              if (csize <= 1) {
+                       usb_audio_dbg(state->chip,
+-                                    "unit %u: invalid bControlSize == 0\n",
++                                    "unit %u: invalid bControlSize <= 1\n",
+                                     unitid);
+                       return -EINVAL;
+               }
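Review bot: The tightened test `csize <= 1` now rejects feature units whose bControlSize is 1, which is an ordinary value for UAC1 devices (one byte of control bits per channel), and no line in this hunk divides by anything that becomes zero for that value. If the division the commit message refers to is by `csize` itself, the original `if (!csize) {` was already sufficient and this change would drop mixer controls for such devices. The arithmetic is outside the hunk, so that should be confirmed before the patch is queued. The rejection is also logged with usb_audio_dbg(), unlike the usb_audio_err() used by the neighbouring length check, so it stays invisible unless debugging is enabled.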
diff --git a/queue-4.14/asoc-sun8i-codec-fix-left-and-right-channels-inversion.patch b/queue-4.14/asoc-sun8i-codec-fix-left-and-right-channels-inversion.patch
new file mode 100644 (file)
index 0000000..e2e0519
--- /dev/null
@@ -0,0 +1,36 @@
+From 18c1bf35c1c09bca05cf70bc984a4764e0b0372b Mon Sep 17 00:00:00 2001
+From: Maxime Ripard <maxime.ripard@free-electrons.com>
+Date: Wed, 8 Nov 2017 16:47:10 +0100
+Subject: ASoC: sun8i-codec: Fix left and right channels inversion
+
+From: Maxime Ripard <maxime.ripard@free-electrons.com>
+
+commit 18c1bf35c1c09bca05cf70bc984a4764e0b0372b upstream.
+
+Since its introduction, the codec had an inversion of the left and right
+channels. It turned out to be pretty simple as it appears that the codec
+doesn't have the same polarity on the LRCK signal than the I2S block.
+
+Fix this by inverting our bit value for the LRCK inversion.
+
+Fixes: 36c684936fae ("ASoC: Add sun8i digital audio codec")
+Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Reviewed-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/sunxi/sun8i-codec.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/sunxi/sun8i-codec.c
++++ b/sound/soc/sunxi/sun8i-codec.c
+@@ -199,7 +199,7 @@ static int sun8i_set_fmt(struct snd_soc_
+                          value << SUN8I_AIF1CLK_CTRL_AIF1_BCLK_INV);
+       regmap_update_bits(scodec->regmap, SUN8I_AIF1CLK_CTRL,
+                          BIT(SUN8I_AIF1CLK_CTRL_AIF1_LRCK_INV),
+-                         value << SUN8I_AIF1CLK_CTRL_AIF1_LRCK_INV);
++                         !value << SUN8I_AIF1CLK_CTRL_AIF1_LRCK_INV);
+       /* DAI format */
+       switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) {
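Review bot: `!value << SUN8I_AIF1CLK_CTRL_AIF1_LRCK_INV` depends on `!` binding tighter than `<<` and reads at first glance as the negation of the shifted value; `(!value) << SUN8I_AIF1CLK_CTRL_AIF1_LRCK_INV` makes the intent explicit. The asymmetry with the BCLK line just above could also be taken for a typo, so a comment such as `/* LRCK polarity is inverted relative to the I2S block */` would record the reason given in the commit message. sun8i_set_fmt() extends beyond the hunk.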
diff --git a/queue-4.14/asoc-sun8i-codec-invert-master-slave-condition.patch b/queue-4.14/asoc-sun8i-codec-invert-master-slave-condition.patch
new file mode 100644 (file)
index 0000000..98dd08e
--- /dev/null
@@ -0,0 +1,42 @@
+From 560bfe774f058e97596f30ff71cffdac52b72914 Mon Sep 17 00:00:00 2001
+From: Maxime Ripard <maxime.ripard@free-electrons.com>
+Date: Wed, 8 Nov 2017 16:47:08 +0100
+Subject: ASoC: sun8i-codec: Invert Master / Slave condition
+
+From: Maxime Ripard <maxime.ripard@free-electrons.com>
+
+commit 560bfe774f058e97596f30ff71cffdac52b72914 upstream.
+
+The current code had the condition backward when checking if the codec
+should be running in slave or master mode.
+
+Fix it, and make the comment a bit more readable.
+
+Fixes: 36c684936fae ("ASoC: Add sun8i digital audio codec")
+Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Reviewed-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/sunxi/sun8i-codec.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/sound/soc/sunxi/sun8i-codec.c
++++ b/sound/soc/sunxi/sun8i-codec.c
+@@ -170,11 +170,11 @@ static int sun8i_set_fmt(struct snd_soc_
+       /* clock masters */
+       switch (fmt & SND_SOC_DAIFMT_MASTER_MASK) {
+-      case SND_SOC_DAIFMT_CBS_CFS: /* DAI Slave */
+-              value = 0x0; /* Codec Master */
++      case SND_SOC_DAIFMT_CBS_CFS: /* Codec slave, DAI master */
++              value = 0x1;
+               break;
+-      case SND_SOC_DAIFMT_CBM_CFM: /* DAI Master */
+-              value = 0x1; /* Codec Slave */
++      case SND_SOC_DAIFMT_CBM_CFM: /* Codec Master, DAI slave */
++              value = 0x0;
+               break;
+       default:
+               return -EINVAL;
diff --git a/queue-4.14/asoc-sun8i-codec-set-the-bclk-divider.patch b/queue-4.14/asoc-sun8i-codec-set-the-bclk-divider.patch
new file mode 100644 (file)
index 0000000..bf785a6
--- /dev/null
@@ -0,0 +1,109 @@
+From 316b7758c998fb13371d14bb6c9e45ab129c19a7 Mon Sep 17 00:00:00 2001
+From: Maxime Ripard <maxime.ripard@free-electrons.com>
+Date: Thu, 9 Nov 2017 10:39:24 +0100
+Subject: ASoC: sun8i-codec: Set the BCLK divider
+
+From: Maxime Ripard <maxime.ripard@free-electrons.com>
+
+commit 316b7758c998fb13371d14bb6c9e45ab129c19a7 upstream.
+
+While the current code was reporting to be able to work in master mode, it
+failed to do so because the BCLK divider wasn't programmed, meaning that
+the BCLK would run at the PLL's frequency no matter the sample rate.
+
+It was obviously a bit too fast.
+
+Add support to retrieve the divider to use, and set it. Since our PLL is
+not always able to generate a perfect multiple of the sample rate, we'll
+have to choose the closest divider that matches our setup.
+
+Fixes: 36c684936fae ("ASoC: Add sun8i digital audio codec")
+Reviewed-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/sunxi/sun8i-codec.c |   51 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 51 insertions(+)
+
+--- a/sound/soc/sunxi/sun8i-codec.c
++++ b/sound/soc/sunxi/sun8i-codec.c
+@@ -73,6 +73,7 @@
+ #define SUN8I_SYS_SR_CTRL_AIF2_FS_MASK                GENMASK(11, 8)
+ #define SUN8I_AIF1CLK_CTRL_AIF1_WORD_SIZ_MASK GENMASK(5, 4)
+ #define SUN8I_AIF1CLK_CTRL_AIF1_LRCK_DIV_MASK GENMASK(8, 6)
++#define SUN8I_AIF1CLK_CTRL_AIF1_BCLK_DIV_MASK GENMASK(12, 9)
+ struct sun8i_codec {
+       struct device   *dev;
+@@ -226,12 +227,57 @@ static int sun8i_set_fmt(struct snd_soc_
+       return 0;
+ }
++struct sun8i_codec_clk_div {
++      u8      div;
++      u8      val;
++};
++
++static const struct sun8i_codec_clk_div sun8i_codec_bclk_div[] = {
++      { .div = 1,     .val = 0 },
++      { .div = 2,     .val = 1 },
++      { .div = 4,     .val = 2 },
++      { .div = 6,     .val = 3 },
++      { .div = 8,     .val = 4 },
++      { .div = 12,    .val = 5 },
++      { .div = 16,    .val = 6 },
++      { .div = 24,    .val = 7 },
++      { .div = 32,    .val = 8 },
++      { .div = 48,    .val = 9 },
++      { .div = 64,    .val = 10 },
++      { .div = 96,    .val = 11 },
++      { .div = 128,   .val = 12 },
++      { .div = 192,   .val = 13 },
++};
++
++static u8 sun8i_codec_get_bclk_div(struct sun8i_codec *scodec,
++                                 unsigned int rate,
++                                 unsigned int word_size)
++{
++      unsigned long clk_rate = clk_get_rate(scodec->clk_module);
++      unsigned int div = clk_rate / rate / word_size / 2;
++      unsigned int best_val = 0, best_diff = ~0;
++      int i;
++
++      for (i = 0; i < ARRAY_SIZE(sun8i_codec_bclk_div); i++) {
++              const struct sun8i_codec_clk_div *bdiv = &sun8i_codec_bclk_div[i];
++              unsigned int diff = abs(bdiv->div - div);
++
++              if (diff < best_diff) {
++                      best_diff = diff;
++                      best_val = bdiv->val;
++              }
++      }
++
++      return best_val;
++}
++
+ static int sun8i_codec_hw_params(struct snd_pcm_substream *substream,
+                                struct snd_pcm_hw_params *params,
+                                struct snd_soc_dai *dai)
+ {
+       struct sun8i_codec *scodec = snd_soc_codec_get_drvdata(dai->codec);
+       int sample_rate;
++      u8 bclk_div;
+       /*
+        * The CPU DAI handles only a sample of 16 bits. Configure the
+@@ -241,6 +287,11 @@ static int sun8i_codec_hw_params(struct
+                          SUN8I_AIF1CLK_CTRL_AIF1_WORD_SIZ_MASK,
+                          SUN8I_AIF1CLK_CTRL_AIF1_WORD_SIZ_16);
++      bclk_div = sun8i_codec_get_bclk_div(scodec, params_rate(params), 16);
++      regmap_update_bits(scodec->regmap, SUN8I_AIF1CLK_CTRL,
++                         SUN8I_AIF1CLK_CTRL_AIF1_BCLK_DIV_MASK,
++                         bclk_div << SUN8I_AIF1CLK_CTRL_AIF1_BCLK_DIV);
++
+       regmap_update_bits(scodec->regmap, SUN8I_AIF1CLK_CTRL,
+                          SUN8I_AIF1CLK_CTRL_AIF1_LRCK_DIV_MASK,
+                          SUN8I_AIF1CLK_CTRL_AIF1_LRCK_DIV_16);
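Review bot: In sun8i_codec_get_bclk_div() the expression `abs(bdiv->div - div)` subtracts an `unsigned int` from a promoted `u8`, so the difference wraps whenever the wanted divider exceeds the table entry, and the result is only right if abs() reinterprets it as signed. Declaring `div` and `diff` as `int`, with `best_diff` starting at `INT_MAX`, removes that dependence. The computation also divides by `rate` with no zero check and does not handle clk_get_rate() returning 0, in which case the smallest divider is picked silently. The helper has no comment; one line saying it returns the register value of the table divider closest to the computed one would help.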
diff --git a/queue-4.14/ata-fixes-kernel-crash-while-tracing-ata_eh_link_autopsy-event.patch b/queue-4.14/ata-fixes-kernel-crash-while-tracing-ata_eh_link_autopsy-event.patch
new file mode 100644 (file)
index 0000000..605e852
--- /dev/null
@@ -0,0 +1,39 @@
+From f1601113ddc0339a745e702f4fb1ca37d4875e65 Mon Sep 17 00:00:00 2001
+From: Rameshwar Prasad Sahu <rsahu@apm.com>
+Date: Thu, 2 Nov 2017 16:31:07 +0530
+Subject: ata: fixes kernel crash while tracing ata_eh_link_autopsy event
+
+From: Rameshwar Prasad Sahu <rsahu@apm.com>
+
+commit f1601113ddc0339a745e702f4fb1ca37d4875e65 upstream.
+
+When tracing ata link error event, the kernel crashes when the disk is
+removed due to NULL pointer access by trace_ata_eh_link_autopsy API.
+This occurs as the dev is NULL when the disk disappeared. This patch
+fixes this crash by calling trace_ata_eh_link_autopsy only if "dev"
+is not NULL.
+
+v2 changes:
+ Removed direct passing "link" pointer instead of "dev" in trace API.
+
+Signed-off-by: Rameshwar Prasad Sahu <rsahu@apm.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Fixes: 255c03d15a29 ("libata: Add tracepoints")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libata-eh.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -2264,8 +2264,8 @@ static void ata_eh_link_autopsy(struct a
+               if (dev->flags & ATA_DFLAG_DUBIOUS_XFER)
+                       eflags |= ATA_EFLAG_DUBIOUS_XFER;
+               ehc->i.action |= ata_eh_speed_down(dev, eflags, all_err_mask);
++              trace_ata_eh_link_autopsy(dev, ehc->i.action, all_err_mask);
+       }
+-      trace_ata_eh_link_autopsy(dev, ehc->i.action, all_err_mask);
+       DPRINTK("EXIT\n");
+ }
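Review bot: With trace_ata_eh_link_autopsy() moved inside the block, no autopsy event is emitted at all on the path where that block is skipped, although `ehc->i.action` and `all_err_mask` are still available there. If those link-level results matter to whoever consumes the trace, an alternative is to keep the call unconditional and have the tracepoint tolerate a NULL `dev`. The condition guarding the block is outside the hunk, so this assumes it is the `dev` check the commit message describes.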
diff --git a/queue-4.14/autofs-don-t-fail-mount-for-transient-error.patch b/queue-4.14/autofs-don-t-fail-mount-for-transient-error.patch
new file mode 100644 (file)
index 0000000..610b6f4
--- /dev/null
@@ -0,0 +1,81 @@
+From ecc0c469f27765ed1e2b967be0aa17cee1a60b76 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Fri, 17 Nov 2017 15:29:13 -0800
+Subject: autofs: don't fail mount for transient error
+
+From: NeilBrown <neilb@suse.com>
+
+commit ecc0c469f27765ed1e2b967be0aa17cee1a60b76 upstream.
+
+Currently if the autofs kernel module gets an error when writing to the
+pipe which links to the daemon, then it marks the whole moutpoint as
+catatonic, and it will stop working.
+
+It is possible that the error is transient.  This can happen if the
+daemon is slow and more than 16 requests queue up.  If a subsequent
+process tries to queue a request, and is then signalled, the write to
+the pipe will return -ERESTARTSYS and autofs will take that as total
+failure.
+
+So change the code to assess -ERESTARTSYS and -ENOMEM as transient
+failures which only abort the current request, not the whole mountpoint.
+
+It isn't a crash or a data corruption, but having autofs mountpoints
+suddenly stop working is rather inconvenient.
+
+Ian said:
+
+: And given the problems with a half dozen (or so) user space applications
+: consuming large amounts of CPU under heavy mount and umount activity this
+: could happen more easily than we expect.
+
+Link: http://lkml.kernel.org/r/87y3norvgp.fsf@notabene.neil.brown.name
+Signed-off-by: NeilBrown <neilb@suse.com>
+Acked-by: Ian Kent <raven@themaw.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/autofs4/waitq.c |   15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/fs/autofs4/waitq.c
++++ b/fs/autofs4/waitq.c
+@@ -81,7 +81,8 @@ static int autofs4_write(struct autofs_s
+               spin_unlock_irqrestore(&current->sighand->siglock, flags);
+       }
+-      return (bytes > 0);
++      /* if 'wr' returned 0 (impossible) we assume -EIO (safe) */
++      return bytes == 0 ? 0 : wr < 0 ? wr : -EIO;
+ }
+ static void autofs4_notify_daemon(struct autofs_sb_info *sbi,
+@@ -95,6 +96,7 @@ static void autofs4_notify_daemon(struct
+       } pkt;
+       struct file *pipe = NULL;
+       size_t pktsz;
++      int ret;
+       pr_debug("wait id = 0x%08lx, name = %.*s, type=%d\n",
+                (unsigned long) wq->wait_queue_token,
+@@ -169,7 +171,18 @@ static void autofs4_notify_daemon(struct
+       mutex_unlock(&sbi->wq_mutex);
+       if (autofs4_write(sbi, pipe, &pkt, pktsz))
++      switch (ret = autofs4_write(sbi, pipe, &pkt, pktsz)) {
++      case 0:
++              break;
++      case -ENOMEM:
++      case -ERESTARTSYS:
++              /* Just fail this one */
++              autofs4_wait_release(sbi, wq->wait_queue_token, ret);
++              break;
++      default:
+               autofs4_catatonic_mode(sbi);
++              break;
++      }
+       fput(pipe);
+ }
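Review bot: The hunk at `@@ -169,7 +171,18 @@` keeps the old `if (autofs4_write(sbi, pipe, &pkt, pktsz))` as a context line and adds the `switch` directly beneath it, so the whole switch becomes the body of that `if`. Because autofs4_write() now returns 0 on success, the switch is entered only after a first write has already failed, and it then writes the packet a second time and acts on the result of that retry. The old `if` line should be removed so that `switch (ret = autofs4_write(sbi, pipe, &pkt, pktsz)) {` is the only call. The nested conditional in autofs4_write() would also read more easily with parentheses, `return bytes == 0 ? 0 : (wr < 0 ? wr : -EIO);`.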
diff --git a/queue-4.14/bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch b/queue-4.14/bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch
new file mode 100644 (file)
index 0000000..c9878b8
--- /dev/null
@@ -0,0 +1,46 @@
+From 91af8300d9c1d7c6b6a2fd754109e08d4798b8d8 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Fri, 13 Oct 2017 16:35:29 -0700
+Subject: bcache: check ca->alloc_thread initialized before wake up it
+
+From: Coly Li <colyli@suse.de>
+
+commit 91af8300d9c1d7c6b6a2fd754109e08d4798b8d8 upstream.
+
+In bcache code, sysfs entries are created before all resources get
+allocated, e.g. allocation thread of a cache set.
+
+There is posibility for NULL pointer deference if a resource is accessed
+but which is not initialized yet. Indeed Jorg Bornschein catches one on
+cache set allocation thread and gets a kernel oops.
+
+The reason for this bug is, when bch_bucket_alloc() is called during
+cache set registration and attaching, ca->alloc_thread is not properly
+allocated and initialized yet, call wake_up_process() on ca->alloc_thread
+triggers NULL pointer deference failure. A simple and fast fix is, before
+waking up ca->alloc_thread, checking whether it is allocated, and only
+wake up ca->alloc_thread when it is not NULL.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Reported-by: Jorg Bornschein <jb@capsec.org>
+Cc: Kent Overstreet <kent.overstreet@gmail.com>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/alloc.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/alloc.c
++++ b/drivers/md/bcache/alloc.c
+@@ -407,7 +407,8 @@ long bch_bucket_alloc(struct cache *ca,
+       finish_wait(&ca->set->bucket_wait, &w);
+ out:
+-      wake_up_process(ca->alloc_thread);
++      if (ca->alloc_thread)
++              wake_up_process(ca->alloc_thread);
+       trace_bcache_alloc(ca, reserve);
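Review bot: `ca->alloc_thread` is read twice, once for the test and once for the call, with no lock or READ_ONCE() visible in the hunk, while the commit message says it may not be assigned yet during registration. Reading it once into a local, `struct task_struct *t = READ_ONCE(ca->alloc_thread);` followed by `if (t) wake_up_process(t);`, keeps test and use on the same value. Whether a lock held at the `out:` label already serialises this cannot be told from here, since bch_bucket_alloc() starts and ends outside the hunk. A comment at the check saying that this path can run before the allocator thread exists would explain why NULL is legitimate.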
diff --git a/queue-4.14/bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch b/queue-4.14/bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch
new file mode 100644 (file)
index 0000000..112bf74
--- /dev/null
@@ -0,0 +1,76 @@
+From d59b23795933678c9638fd20c942d2b4f3cd6185 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Mon, 30 Oct 2017 14:46:31 -0700
+Subject: bcache: only permit to recovery read error when cache device is clean
+
+From: Coly Li <colyli@suse.de>
+
+commit d59b23795933678c9638fd20c942d2b4f3cd6185 upstream.
+
+When bcache does read I/Os, for example in writeback or writethrough mode,
+if a read request on cache device is failed, bcache will try to recovery
+the request by reading from cached device. If the data on cached device is
+not synced with cache device, then requester will get a stale data.
+
+For critical storage system like database, providing stale data from
+recovery may result an application level data corruption, which is
+unacceptible.
+
+With this patch, for a failed read request in writeback or writethrough
+mode, recovery a recoverable read request only happens when cache device
+is clean. That is to say, all data on cached device is up to update.
+
+For other cache modes in bcache, read request will never hit
+cached_dev_read_error(), they don't need this patch.
+
+Please note, because cache mode can be switched arbitrarily in run time, a
+writethrough mode might be switched from a writeback mode. Therefore
+checking dc->has_data in writethrough mode still makes sense.
+
+Changelog:
+V4: Fix parens error pointed by Michael Lyle.
+v3: By response from Kent Oversteet, he thinks recovering stale data is a
+    bug to fix, and option to permit it is unnecessary. So this version
+    the sysfs file is removed.
+v2: rename sysfs entry from allow_stale_data_on_failure  to
+    allow_stale_data_on_failure, and fix the confusing commit log.
+v1: initial patch posted.
+
+[small change to patch comment spelling by mlyle]
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Michael Lyle <mlyle@lyle.org>
+Reported-by: Arne Wolf <awolf@lenovo.com>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Cc: Kent Overstreet <kent.overstreet@gmail.com>
+Cc: Nix <nix@esperi.org.uk>
+Cc: Kai Krakow <hurikhan77@gmail.com>
+Cc: Eric Wheeler <bcache@lists.ewheeler.net>
+Cc: Junhui Tang <tang.junhui@zte.com.cn>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/request.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/request.c
++++ b/drivers/md/bcache/request.c
+@@ -698,8 +698,16 @@ static void cached_dev_read_error(struct
+ {
+       struct search *s = container_of(cl, struct search, cl);
+       struct bio *bio = &s->bio.bio;
++      struct cached_dev *dc = container_of(s->d, struct cached_dev, disk);
+-      if (s->recoverable) {
++      /*
++       * If cache device is dirty (dc->has_dirty is non-zero), then
++       * recovery a failed read request from cached device may get a
++       * stale data back. So read failure recovery is only permitted
++       * when cache device is clean.
++       */
++      if (s->recoverable &&
++          (dc && !atomic_read(&dc->has_dirty))) {
+               /* Retry from the backing device: */
+               trace_bcache_read_retry(s->orig_bio);
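Review bot: The `dc &&` term in the new condition cannot do what it suggests: `dc` comes from container_of(), which is pointer arithmetic on `s->d` and does not yield NULL for a valid `s->d`. The test therefore filters nothing and hides the real assumption, that `s->d` is embedded in a cached_dev on this path. Either drop it, `if (s->recoverable && !atomic_read(&dc->has_dirty)) {`, or state in the comment why `s->d` is always a cached device here. The added comment's wording could also be tightened to "recovering a failed read from the cached device may return stale data". cached_dev_read_error() continues past the hunk.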
diff --git a/queue-4.14/block-fix-a-race-between-blk_cleanup_queue-and-timeout-handling.patch b/queue-4.14/block-fix-a-race-between-blk_cleanup_queue-and-timeout-handling.patch
new file mode 100644 (file)
index 0000000..5aa8230
--- /dev/null
@@ -0,0 +1,66 @@
+From 4e9b6f20828ac880dbc1fa2fdbafae779473d1af Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Thu, 19 Oct 2017 10:00:48 -0700
+Subject: block: Fix a race between blk_cleanup_queue() and timeout handling
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+commit 4e9b6f20828ac880dbc1fa2fdbafae779473d1af upstream.
+
+Make sure that if the timeout timer fires after a queue has been
+marked "dying" that the affected requests are finished.
+
+Reported-by: chenxiang (M) <chenxiang66@hisilicon.com>
+Fixes: commit 287922eb0b18 ("block: defer timeouts to a workqueue")
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Tested-by: chenxiang (M) <chenxiang66@hisilicon.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Keith Busch <keith.busch@intel.com>
+Cc: Hannes Reinecke <hare@suse.com>
+Cc: Ming Lei <ming.lei@redhat.com>
+Cc: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-core.c    |    2 ++
+ block/blk-timeout.c |    3 ---
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -333,6 +333,7 @@ EXPORT_SYMBOL(blk_stop_queue);
+ void blk_sync_queue(struct request_queue *q)
+ {
+       del_timer_sync(&q->timeout);
++      cancel_work_sync(&q->timeout_work);
+       if (q->mq_ops) {
+               struct blk_mq_hw_ctx *hctx;
+@@ -844,6 +845,7 @@ struct request_queue *blk_alloc_queue_no
+       setup_timer(&q->backing_dev_info->laptop_mode_wb_timer,
+                   laptop_mode_timer_fn, (unsigned long) q);
+       setup_timer(&q->timeout, blk_rq_timed_out_timer, (unsigned long) q);
++      INIT_WORK(&q->timeout_work, NULL);
+       INIT_LIST_HEAD(&q->queue_head);
+       INIT_LIST_HEAD(&q->timeout_list);
+       INIT_LIST_HEAD(&q->icq_list);
+--- a/block/blk-timeout.c
++++ b/block/blk-timeout.c
+@@ -134,8 +134,6 @@ void blk_timeout_work(struct work_struct
+       struct request *rq, *tmp;
+       int next_set = 0;
+-      if (blk_queue_enter(q, true))
+-              return;
+       spin_lock_irqsave(q->queue_lock, flags);
+       list_for_each_entry_safe(rq, tmp, &q->timeout_list, timeout_list)
+@@ -145,7 +143,6 @@ void blk_timeout_work(struct work_struct
+               mod_timer(&q->timeout, round_jiffies_up(next));
+       spin_unlock_irqrestore(q->queue_lock, flags);
+-      blk_queue_exit(q);
+ }
+ /**
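Review bot: `INIT_WORK(&q->timeout_work, NULL)` in blk_alloc_queue_node() leaves the work item with a NULL function, which is safe for the new cancel_work_sync() in blk_sync_queue() but would be a NULL call if the work were ever queued before a real handler is installed. No visible hunk installs the handler, so presumably that happens elsewhere in queue setup. A comment on the line would record the intent, e.g. `/* handler set later; initialised here so blk_sync_queue() can always cancel it */`. With blk_queue_enter() and blk_queue_exit() removed from blk_timeout_work(), a note there that the work now runs on a dying queue by design would also help.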
diff --git a/queue-4.14/bluetooth-btqcomsmd-add-support-for-bd-address-setup.patch b/queue-4.14/bluetooth-btqcomsmd-add-support-for-bd-address-setup.patch
new file mode 100644 (file)
index 0000000..eb44db3
--- /dev/null
@@ -0,0 +1,78 @@
+From 6e518111060c2290427d79c43d4add9600ad852b Mon Sep 17 00:00:00 2001
+From: Loic Poulain <loic.poulain@linaro.org>
+Date: Tue, 5 Sep 2017 12:26:03 +0200
+Subject: Bluetooth: btqcomsmd: Add support for BD address setup
+
+From: Loic Poulain <loic.poulain@linaro.org>
+
+commit 6e518111060c2290427d79c43d4add9600ad852b upstream.
+
+This patch implements the hdev setup function since wcnss-bt does not have
+persistent memory to store an allocated BD address. The device is therefore
+marked as unconfigured if no BD address has been previously retrieved.
+
+Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/btqcomsmd.c |   34 ++++++++++++++++++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+
+--- a/drivers/bluetooth/btqcomsmd.c
++++ b/drivers/bluetooth/btqcomsmd.c
+@@ -26,6 +26,7 @@
+ struct btqcomsmd {
+       struct hci_dev *hdev;
++      bdaddr_t bdaddr;
+       struct rpmsg_endpoint *acl_channel;
+       struct rpmsg_endpoint *cmd_channel;
+ };
+@@ -100,6 +101,38 @@ static int btqcomsmd_close(struct hci_de
+       return 0;
+ }
++static int btqcomsmd_setup(struct hci_dev *hdev)
++{
++      struct btqcomsmd *btq = hci_get_drvdata(hdev);
++      struct sk_buff *skb;
++      int err;
++
++      skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
++      if (IS_ERR(skb))
++              return PTR_ERR(skb);
++      kfree_skb(skb);
++
++      /* Devices do not have persistent storage for BD address. If no
++       * BD address has been retrieved during probe, mark the device
++       * as having an invalid BD address.
++       */
++      if (!bacmp(&btq->bdaddr, BDADDR_ANY)) {
++              set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
++              return 0;
++      }
++
++      /* When setting a configured BD address fails, mark the device
++       * as having an invalid BD address.
++       */
++      err = qca_set_bdaddr_rome(hdev, &btq->bdaddr);
++      if (err) {
++              set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
++              return 0;
++      }
++
++      return 0;
++}
++
+ static int btqcomsmd_probe(struct platform_device *pdev)
+ {
+       struct btqcomsmd *btq;
+@@ -135,6 +168,7 @@ static int btqcomsmd_probe(struct platfo
+       hdev->open = btqcomsmd_open;
+       hdev->close = btqcomsmd_close;
+       hdev->send = btqcomsmd_send;
++      hdev->setup = btqcomsmd_setup;
+       hdev->set_bdaddr = qca_set_bdaddr_rome;
+       ret = hci_register_dev(hdev);
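Review bot: btqcomsmd_setup() discards the error from qca_set_bdaddr_rome(): `err` is tested, the quirk is set, and both the failure branch and the fall-through return 0, so a failed address write leaves nothing in the log. Logging it before setting the quirk, `bt_dev_err(hdev, "failed to set BD address (%d)", err);`, and dropping the redundant `return 0;` inside the branch would make that path diagnosable. None of the visible hunks writes `btq->bdaddr`, so unless probe fills it outside these hunks the BDADDR_ANY branch is always taken.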
diff --git a/queue-4.14/btrfs-change-how-we-decide-to-commit-transactions-during-flushing.patch b/queue-4.14/btrfs-change-how-we-decide-to-commit-transactions-during-flushing.patch
new file mode 100644 (file)
index 0000000..6c1fba3
--- /dev/null
@@ -0,0 +1,129 @@
+From 996478ca9c460886ac147eb0d00e99841b71d31b Mon Sep 17 00:00:00 2001
+From: Josef Bacik <jbacik@fb.com>
+Date: Tue, 22 Aug 2017 16:00:39 -0400
+Subject: btrfs: change how we decide to commit transactions during flushing
+
+From: Josef Bacik <jbacik@fb.com>
+
+commit 996478ca9c460886ac147eb0d00e99841b71d31b upstream.
+
+Nikolay reported that generic/273 was failing currently with ENOSPC.
+Turns out this is because we get to the point where the outstanding
+reservations are greater than the pinned space on the fs.  This is a
+mistake, previously we used the current reservation amount in
+may_commit_transaction, not the entire outstanding reservation amount.
+Fix this to find the minimum byte size needed to make progress in
+flushing, and pass that into may_commit_transaction.  From there we can
+make a smarter decision on whether to commit the transaction or not.
+This fixes the failure in generic/273.
+
+From Nikolai, IOW: when we go to the final stage of deciding whether to
+do trans commit, instead of passing all the reservations from all
+tickets we just pass the reservation for the current ticket. Otherwise,
+in case all reservations exceed pinned space, then we don't commit
+transaction and fail prematurely. Before we passed num_bytes from
+flush_space, where num_bytes was the sum of all pending reserverations,
+but now all we do is take the first ticket and commit the trans if we
+can satisfy that.
+
+Fixes: 957780eb2788 ("Btrfs: introduce ticketed enospc infrastructure")
+Reported-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Josef Bacik <jbacik@fb.com>
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Tested-by: Nikolay Borisov <nborisov@suse.com>
+[ added Nikolai's comment ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/extent-tree.c |   42 ++++++++++++++++++++++++++++--------------
+ 1 file changed, 28 insertions(+), 14 deletions(-)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -4919,6 +4919,13 @@ skip_async:
+       }
+ }
++struct reserve_ticket {
++      u64 bytes;
++      int error;
++      struct list_head list;
++      wait_queue_head_t wait;
++};
++
+ /**
+  * maybe_commit_transaction - possibly commit the transaction if its ok to
+  * @root - the root we're allocating for
+@@ -4930,18 +4937,29 @@ skip_async:
+  * will return -ENOSPC.
+  */
+ static int may_commit_transaction(struct btrfs_fs_info *fs_info,
+-                                struct btrfs_space_info *space_info,
+-                                u64 bytes, int force)
++                                struct btrfs_space_info *space_info)
+ {
++      struct reserve_ticket *ticket = NULL;
+       struct btrfs_block_rsv *delayed_rsv = &fs_info->delayed_block_rsv;
+       struct btrfs_trans_handle *trans;
++      u64 bytes;
+       trans = (struct btrfs_trans_handle *)current->journal_info;
+       if (trans)
+               return -EAGAIN;
+-      if (force)
+-              goto commit;
++      spin_lock(&space_info->lock);
++      if (!list_empty(&space_info->priority_tickets))
++              ticket = list_first_entry(&space_info->priority_tickets,
++                                        struct reserve_ticket, list);
++      else if (!list_empty(&space_info->tickets))
++              ticket = list_first_entry(&space_info->tickets,
++                                        struct reserve_ticket, list);
++      bytes = (ticket) ? ticket->bytes : 0;
++      spin_unlock(&space_info->lock);
++
++      if (!bytes)
++              return 0;
+       /* See if there is enough pinned space to make this reservation */
+       if (percpu_counter_compare(&space_info->total_bytes_pinned,
+@@ -4956,8 +4974,12 @@ static int may_commit_transaction(struct
+               return -ENOSPC;
+       spin_lock(&delayed_rsv->lock);
++      if (delayed_rsv->size > bytes)
++              bytes = 0;
++      else
++              bytes -= delayed_rsv->size;
+       if (percpu_counter_compare(&space_info->total_bytes_pinned,
+-                                 bytes - delayed_rsv->size) < 0) {
++                                 bytes) < 0) {
+               spin_unlock(&delayed_rsv->lock);
+               return -ENOSPC;
+       }
+@@ -4971,13 +4993,6 @@ commit:
+       return btrfs_commit_transaction(trans);
+ }
+-struct reserve_ticket {
+-      u64 bytes;
+-      int error;
+-      struct list_head list;
+-      wait_queue_head_t wait;
+-};
+-
+ /*
+  * Try to flush some data based on policy set by @state. This is only advisory
+  * and may fail for various reasons. The caller is supposed to examine the
+@@ -5027,8 +5042,7 @@ static void flush_space(struct btrfs_fs_
+                       ret = 0;
+               break;
+       case COMMIT_TRANS:
+-              ret = may_commit_transaction(fs_info, space_info,
+-                                           num_bytes, 0);
++              ret = may_commit_transaction(fs_info, space_info);
+               break;
+       default:
+               ret = -ENOSPC;
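Review bot: The kernel-doc block above may_commit_transaction() in fs/btrfs/extent-tree.c no longer matches the function: the visible lines still name it `maybe_commit_transaction` and document `@root`, while the new signature takes only `fs_info` and `space_info`. The part of the comment between the two hunks is not shown, so any `@bytes` or `@force` entries there should be dropped as well. I would also add a comment on the ticket lookup, for example `/* size the check by the first waiting ticket; priority tickets are looked at first */`, and one on `if (!bytes) return 0;` saying that no pending ticket means there is nothing to commit for.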
diff --git a/queue-4.14/dm-discard-support-requires-all-targets-in-a-table-support-discards.patch b/queue-4.14/dm-discard-support-requires-all-targets-in-a-table-support-discards.patch
new file mode 100644 (file)
index 0000000..b9ff0bb
--- /dev/null
@@ -0,0 +1,94 @@
+From 8a74d29d541cd86569139c6f3f44b2d210458071 Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Tue, 14 Nov 2017 15:40:52 -0500
+Subject: dm: discard support requires all targets in a table support discards
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit 8a74d29d541cd86569139c6f3f44b2d210458071 upstream.
+
+A DM device with a mix of discard capabilities (due to some underlying
+devices not having discard support) _should_ just return -EOPNOTSUPP for
+the region of the device that doesn't support discards (even if only by
+way of the underlying driver formally not supporting discards).  BUT,
+that does ask the underlying driver to handle something that it never
+advertised support for.  In doing so we're exposing users to the
+potential for a underlying disk driver hanging if/when a discard is
+issued a the device that is incapable and never claimed to support
+discards.
+
+Fix this by requiring that each DM target in a DM table provide discard
+support as a prereq for a DM device to advertise support for discards.
+
+This may cause some configurations that were happily supporting discards
+(even in the face of a mix of discard support) to stop supporting
+discards -- but the risk of users hitting driver hangs, and forced
+reboots, outweighs supporting those fringe mixed discard
+configurations.
+
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-table.c |   33 ++++++++++++++-------------------
+ 1 file changed, 14 insertions(+), 19 deletions(-)
+
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -1758,13 +1758,12 @@ static bool dm_table_supports_write_zero
+       return true;
+ }
+-
+-static int device_discard_capable(struct dm_target *ti, struct dm_dev *dev,
+-                                sector_t start, sector_t len, void *data)
++static int device_not_discard_capable(struct dm_target *ti, struct dm_dev *dev,
++                                    sector_t start, sector_t len, void *data)
+ {
+       struct request_queue *q = bdev_get_queue(dev->bdev);
+-      return q && blk_queue_discard(q);
++      return q && !blk_queue_discard(q);
+ }
+ static bool dm_table_supports_discards(struct dm_table *t)
+@@ -1772,28 +1771,24 @@ static bool dm_table_supports_discards(s
+       struct dm_target *ti;
+       unsigned i;
+-      /*
+-       * Unless any target used by the table set discards_supported,
+-       * require at least one underlying device to support discards.
+-       * t->devices includes internal dm devices such as mirror logs
+-       * so we need to use iterate_devices here, which targets
+-       * supporting discard selectively must provide.
+-       */
+       for (i = 0; i < dm_table_get_num_targets(t); i++) {
+               ti = dm_table_get_target(t, i);
+               if (!ti->num_discard_bios)
+-                      continue;
+-
+-              if (ti->discards_supported)
+-                      return true;
++                      return false;
+-              if (ti->type->iterate_devices &&
+-                  ti->type->iterate_devices(ti, device_discard_capable, NULL))
+-                      return true;
++              /*
++               * Either the target provides discard support (as implied by setting
++               * 'discards_supported') or it relies on _all_ data devices having
++               * discard support.
++               */
++              if (!ti->discards_supported &&
++                  (!ti->type->iterate_devices ||
++                   ti->type->iterate_devices(ti, device_not_discard_capable, NULL)))
++                      return false;
+       }
+-      return false;
++      return true;
+ }
+ void dm_table_set_restrictions(struct dm_table *t, struct request_queue *q,
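Review bot: In device_not_discard_capable() the `q &&` guard now fails open: when bdev_get_queue() returns NULL the callback returns 0, so dm_table_supports_discards() counts that device as discard-capable, whereas the old device_discard_capable() counted it as not capable. If a NULL queue is possible here, `return !q || !blk_queue_discard(q);` keeps the stricter reading this change is after. The comment removed from dm_table_supports_discards() also explained why iterate_devices is used rather than t->devices; that sentence still applies to the new loop and is worth keeping.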
diff --git a/queue-4.14/dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch b/queue-4.14/dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch
new file mode 100644 (file)
index 0000000..b8f27e1
--- /dev/null
@@ -0,0 +1,72 @@
+From b9a41d21dceadf8104812626ef85dc56ee8a60ed Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Wed, 1 Nov 2017 15:42:36 +0800
+Subject: dm: fix race between dm_get_from_kobject() and __dm_destroy()
+
+From: Hou Tao <houtao1@huawei.com>
+
+commit b9a41d21dceadf8104812626ef85dc56ee8a60ed upstream.
+
+The following BUG_ON was hit when testing repeat creation and removal of
+DM devices:
+
+    kernel BUG at drivers/md/dm.c:2919!
+    CPU: 7 PID: 750 Comm: systemd-udevd Not tainted 4.1.44
+    Call Trace:
+     [<ffffffff81649e8b>] dm_get_from_kobject+0x34/0x3a
+     [<ffffffff81650ef1>] dm_attr_show+0x2b/0x5e
+     [<ffffffff817b46d1>] ? mutex_lock+0x26/0x44
+     [<ffffffff811df7f5>] sysfs_kf_seq_show+0x83/0xcf
+     [<ffffffff811de257>] kernfs_seq_show+0x23/0x25
+     [<ffffffff81199118>] seq_read+0x16f/0x325
+     [<ffffffff811de994>] kernfs_fop_read+0x3a/0x13f
+     [<ffffffff8117b625>] __vfs_read+0x26/0x9d
+     [<ffffffff8130eb59>] ? security_file_permission+0x3c/0x44
+     [<ffffffff8117bdb8>] ? rw_verify_area+0x83/0xd9
+     [<ffffffff8117be9d>] vfs_read+0x8f/0xcf
+     [<ffffffff81193e34>] ? __fdget_pos+0x12/0x41
+     [<ffffffff8117c686>] SyS_read+0x4b/0x76
+     [<ffffffff817b606e>] system_call_fastpath+0x12/0x71
+
+The bug can be easily triggered, if an extra delay (e.g. 10ms) is added
+between the test of DMF_FREEING & DMF_DELETING and dm_get() in
+dm_get_from_kobject().
+
+To fix it, we need to ensure the test of DMF_FREEING & DMF_DELETING and
+dm_get() are done in an atomic way, so _minor_lock is used.
+
+The other callers of dm_get() have also been checked to be OK: some
+callers invoke dm_get() under _minor_lock, some callers invoke it under
+_hash_lock, and dm_start_request() invoke it after increasing
+md->open_count.
+
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -2709,11 +2709,15 @@ struct mapped_device *dm_get_from_kobjec
+       md = container_of(kobj, struct mapped_device, kobj_holder.kobj);
+-      if (test_bit(DMF_FREEING, &md->flags) ||
+-          dm_deleting_md(md))
+-              return NULL;
+-
++      spin_lock(&_minor_lock);
++      if (test_bit(DMF_FREEING, &md->flags) || dm_deleting_md(md)) {
++              md = NULL;
++              goto out;
++      }
+       dm_get(md);
++out:
++      spin_unlock(&_minor_lock);
++
+       return md;
+ }
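Review bot: The new `spin_lock(&_minor_lock)` in dm_get_from_kobject() carries no comment, and the reason for it is only in the commit message. A line such as `/* _minor_lock makes the DMF_FREEING/DMF_DELETING test and dm_get() atomic with respect to __dm_destroy() */` above the lock would keep a later cleanup from narrowing the critical section again. The function begins before the hunk, so the declaration of `md` is not shown.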
diff --git a/queue-4.14/ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch b/queue-4.14/ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch
new file mode 100644 (file)
index 0000000..a3caa67
--- /dev/null
@@ -0,0 +1,43 @@
+From db86be3a12d0b6e5c5b51c2ab2a48f06329cb590 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 22 Aug 2017 23:41:28 +0300
+Subject: eCryptfs: use after free in ecryptfs_release_messaging()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit db86be3a12d0b6e5c5b51c2ab2a48f06329cb590 upstream.
+
+We're freeing the list iterator so we should be using the _safe()
+version of hlist_for_each_entry().
+
+Fixes: 88b4a07e6610 ("[PATCH] eCryptfs: Public key transport mechanism")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ecryptfs/messaging.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/ecryptfs/messaging.c
++++ b/fs/ecryptfs/messaging.c
+@@ -442,15 +442,16 @@ void ecryptfs_release_messaging(void)
+       }
+       if (ecryptfs_daemon_hash) {
+               struct ecryptfs_daemon *daemon;
++              struct hlist_node *n;
+               int i;
+               mutex_lock(&ecryptfs_daemon_hash_mux);
+               for (i = 0; i < (1 << ecryptfs_hash_bits); i++) {
+                       int rc;
+-                      hlist_for_each_entry(daemon,
+-                                           &ecryptfs_daemon_hash[i],
+-                                           euid_chain) {
++                      hlist_for_each_entry_safe(daemon, n,
++                                                &ecryptfs_daemon_hash[i],
++                                                euid_chain) {
+                               rc = ecryptfs_exorcise_daemon(daemon);
+                               if (rc)
+                                       printk(KERN_ERR "%s: Error whilst "
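Review bot: The switch to hlist_for_each_entry_safe() in ecryptfs_release_messaging() would benefit from a short comment, since nothing in the loop itself shows that the entry goes away. Something like `/* _safe: ecryptfs_exorcise_daemon() may free daemon, so the next node is saved in n first */` is enough; that the callee frees the entry is taken from the commit message, as its body is not in the hunk. The hunk ends inside the printk() call, so the rest of the loop is not visible.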
diff --git a/queue-4.14/ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch b/queue-4.14/ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch
new file mode 100644 (file)
index 0000000..18ff941
--- /dev/null
@@ -0,0 +1,64 @@
+From 51e3ae81ec58e95f10a98ef3dd6d7bce5d8e35a2 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Fri, 6 Oct 2017 23:09:55 -0400
+Subject: ext4: fix interaction between i_size, fallocate, and delalloc after a crash
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 51e3ae81ec58e95f10a98ef3dd6d7bce5d8e35a2 upstream.
+
+If there are pending writes subject to delayed allocation, then i_size
+will show size after the writes have completed, while i_disksize
+contains the value of i_size on the disk (since the writes have not
+been persisted to disk).
+
+If fallocate(2) is called with the FALLOC_FL_KEEP_SIZE flag, either
+with or without the FALLOC_FL_ZERO_RANGE flag set, and the new size
+after the fallocate(2) is between i_size and i_disksize, then after a
+crash, if a journal commit has resulted in the changes made by the
+fallocate() call to be persisted after a crash, but the delayed
+allocation write has not resolved itself, i_size would not be updated,
+and this would cause the following e2fsck complaint:
+
+Inode 12, end of extent exceeds allowed value
+       (logical block 33, physical block 33441, len 7)
+
+This can only take place on a sparse file, where the fallocate(2) call
+is allocating blocks in a range which is before a pending delayed
+allocation write which is extending i_size.  Since this situation is
+quite rare, and the window in which the crash must take place is
+typically < 30 seconds, in practice this condition will rarely happen.
+
+Nevertheless, it can be triggered in testing, and in particular by
+xfstests generic/456.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reported-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/extents.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -4794,7 +4794,8 @@ static long ext4_zero_range(struct file
+       }
+       if (!(mode & FALLOC_FL_KEEP_SIZE) &&
+-           offset + len > i_size_read(inode)) {
++          (offset + len > i_size_read(inode) ||
++           offset + len > EXT4_I(inode)->i_disksize)) {
+               new_size = offset + len;
+               ret = inode_newsize_ok(inode, new_size);
+               if (ret)
+@@ -4965,7 +4966,8 @@ long ext4_fallocate(struct file *file, i
+       }
+       if (!(mode & FALLOC_FL_KEEP_SIZE) &&
+-           offset + len > i_size_read(inode)) {
++          (offset + len > i_size_read(inode) ||
++           offset + len > EXT4_I(inode)->i_disksize)) {
+               new_size = offset + len;
+               ret = inode_newsize_ok(inode, new_size);
+               if (ret)
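Review bot: The same three-line condition is now duplicated in ext4_zero_range() and ext4_fallocate(), and `offset + len` is spelled out three times in each. Computing the end once, `loff_t end = offset + len;`, and testing `end > i_size_read(inode) || end > EXT4_I(inode)->i_disksize` would make the two copies easier to compare. A comment such as `/* i_disksize can lag behind i_size while delayed-allocation writes are pending */` would explain why both sizes are checked. Both functions start and end outside the hunks, so whether `offset + len` has been range-checked earlier is not visible here.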
diff --git a/queue-4.14/ext4-prevent-data-corruption-with-inline-data-dax.patch b/queue-4.14/ext4-prevent-data-corruption-with-inline-data-dax.patch
new file mode 100644 (file)
index 0000000..69b16f9
--- /dev/null
@@ -0,0 +1,80 @@
+From 559db4c6d784ceedc2a5418ced4d357cb843e221 Mon Sep 17 00:00:00 2001
+From: Ross Zwisler <ross.zwisler@linux.intel.com>
+Date: Thu, 12 Oct 2017 11:52:34 -0400
+Subject: ext4: prevent data corruption with inline data + DAX
+
+From: Ross Zwisler <ross.zwisler@linux.intel.com>
+
+commit 559db4c6d784ceedc2a5418ced4d357cb843e221 upstream.
+
+If an inode has inline data it is currently prevented from using DAX by a
+check in ext4_set_inode_flags().  When the inode grows inline data via
+ext4_create_inline_data() or removes its inline data via
+ext4_destroy_inline_data_nolock(), the value of S_DAX can change.
+
+Currently these changes are unsafe because we don't hold off page faults
+and I/O, write back dirty radix tree entries and invalidate all mappings.
+There are also issues with mm-level races when changing the value of S_DAX,
+as well as issues with the VM_MIXEDMAP flag:
+
+https://www.spinics.net/lists/linux-xfs/msg09859.html
+
+The unsafe transition of S_DAX can reliably cause data corruption, as shown
+by the following fstest:
+
+https://patchwork.kernel.org/patch/9948381/
+
+Fix this issue by preventing the DAX mount option from being used on
+filesystems that were created to support inline data.  Inline data is an
+option given to mkfs.ext4.
+
+Signed-off-by: Ross Zwisler <ross.zwisler@linux.intel.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inline.c |   10 ----------
+ fs/ext4/super.c  |    5 +++++
+ 2 files changed, 5 insertions(+), 10 deletions(-)
+
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -302,11 +302,6 @@ static int ext4_create_inline_data(handl
+       EXT4_I(inode)->i_inline_size = len + EXT4_MIN_INLINE_DATA_SIZE;
+       ext4_clear_inode_flag(inode, EXT4_INODE_EXTENTS);
+       ext4_set_inode_flag(inode, EXT4_INODE_INLINE_DATA);
+-      /*
+-       * Propagate changes to inode->i_flags as well - e.g. S_DAX may
+-       * get cleared
+-       */
+-      ext4_set_inode_flags(inode);
+       get_bh(is.iloc.bh);
+       error = ext4_mark_iloc_dirty(handle, inode, &is.iloc);
+@@ -451,11 +446,6 @@ static int ext4_destroy_inline_data_nolo
+               }
+       }
+       ext4_clear_inode_flag(inode, EXT4_INODE_INLINE_DATA);
+-      /*
+-       * Propagate changes to inode->i_flags as well - e.g. S_DAX may
+-       * get set.
+-       */
+-      ext4_set_inode_flags(inode);
+       get_bh(is.iloc.bh);
+       error = ext4_mark_iloc_dirty(handle, inode, &is.iloc);
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3708,6 +3708,11 @@ static int ext4_fill_super(struct super_
+       }
+       if (sbi->s_mount_opt & EXT4_MOUNT_DAX) {
++              if (ext4_has_feature_inline_data(sb)) {
++                      ext4_msg(sb, KERN_ERR, "Cannot use DAX on a filesystem"
++                                      " that may contain inline data");
++                      goto failed_mount;
++              }
+               err = bdev_dax_supported(sb, blocksize);
+               if (err)
+                       goto failed_mount;
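Review bot: The new branch in ext4_fill_super() jumps to `failed_mount` without assigning `err`, unlike the `bdev_dax_supported()` check right after it, so the value returned to the mount caller depends on state set outside this hunk. It is worth confirming that this path ends in a negative errno, or setting one explicitly before the `goto` (for example `err = -EINVAL;`, if that fits the function's convention). As a style point, the message is split across two string literals; keeping `"Cannot use DAX on a filesystem that may contain inline data"` in one literal lets it be found with grep.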
diff --git a/queue-4.14/ext4-prevent-data-corruption-with-journaling-dax.patch b/queue-4.14/ext4-prevent-data-corruption-with-journaling-dax.patch
new file mode 100644 (file)
index 0000000..59442cb
--- /dev/null
@@ -0,0 +1,73 @@
+From e9072d859df3e0f2c3ba450f0d1739595c2d5d13 Mon Sep 17 00:00:00 2001
+From: Ross Zwisler <ross.zwisler@linux.intel.com>
+Date: Thu, 12 Oct 2017 11:54:08 -0400
+Subject: ext4: prevent data corruption with journaling + DAX
+
+From: Ross Zwisler <ross.zwisler@linux.intel.com>
+
+commit e9072d859df3e0f2c3ba450f0d1739595c2d5d13 upstream.
+
+The current code has the potential for data corruption when changing an
+inode's journaling mode, as that can result in a subsequent unsafe change
+in S_DAX.
+
+I've captured an instance of this data corruption in the following fstest:
+
+https://patchwork.kernel.org/patch/9948377/
+
+Prevent this data corruption from happening by disallowing changes to the
+journaling mode if the '-o dax' mount option was used.  This means that for
+a given filesystem we could have a mix of inodes using either DAX or
+data journaling, but whatever state the inodes are in will be held for the
+duration of the mount.
+
+Signed-off-by: Ross Zwisler <ross.zwisler@linux.intel.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c |    5 -----
+ fs/ext4/ioctl.c |   16 +++++++++++++---
+ 2 files changed, 13 insertions(+), 8 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -5967,11 +5967,6 @@ int ext4_change_inode_journal_flag(struc
+               ext4_clear_inode_flag(inode, EXT4_INODE_JOURNAL_DATA);
+       }
+       ext4_set_aops(inode);
+-      /*
+-       * Update inode->i_flags after EXT4_INODE_JOURNAL_DATA was updated.
+-       * E.g. S_DAX may get cleared / set.
+-       */
+-      ext4_set_inode_flags(inode);
+       jbd2_journal_unlock_updates(journal);
+       percpu_up_write(&sbi->s_journal_flag_rwsem);
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -291,10 +291,20 @@ flags_err:
+       if (err)
+               goto flags_out;
+-      if ((jflag ^ oldflags) & (EXT4_JOURNAL_DATA_FL))
++      if ((jflag ^ oldflags) & (EXT4_JOURNAL_DATA_FL)) {
++              /*
++               * Changes to the journaling mode can cause unsafe changes to
++               * S_DAX if we are using the DAX mount option.
++               */
++              if (test_opt(inode->i_sb, DAX)) {
++                      err = -EBUSY;
++                      goto flags_out;
++              }
++
+               err = ext4_change_inode_journal_flag(inode, jflag);
+-      if (err)
+-              goto flags_out;
++              if (err)
++                      goto flags_out;
++      }
+       if (migrate) {
+               if (flags & EXT4_EXTENTS_FL)
+                       err = ext4_ext_migrate(inode);
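Review bot: The `test_opt(inode->i_sb, DAX)` rejection in fs/ext4/ioctl.c sits after the `flags_err:` label, so by the time `-EBUSY` is returned the earlier part of the function has already run. That part is not in the hunk; if it applies the other requested flags, a caller sees an error for a request that was partly carried out, and doing the DAX test before any flag is changed would avoid that. The new comment could also say that `-EBUSY` here means "not while mounted with -o dax" rather than a transient condition.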
diff --git a/queue-4.14/f2fs-expose-some-sectors-to-user-in-inline-data-or-dentry-case.patch b/queue-4.14/f2fs-expose-some-sectors-to-user-in-inline-data-or-dentry-case.patch
new file mode 100644 (file)
index 0000000..d49a3da
--- /dev/null
@@ -0,0 +1,37 @@
+From 5b4267d195dd887c4412e34b5a7365baa741b679 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Fri, 13 Oct 2017 10:27:45 -0700
+Subject: f2fs: expose some sectors to user in inline data or dentry case
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+commit 5b4267d195dd887c4412e34b5a7365baa741b679 upstream.
+
+If there's some data written through inline data or dentry, we need to shouw
+st_blocks. This fixes reporting zero blocks even though there is small written
+data.
+
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+[Jaegeuk Kim: avoid link file for quotacheck]
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/file.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -683,6 +683,12 @@ int f2fs_getattr(const struct path *path
+                                 STATX_ATTR_NODUMP);
+       generic_fillattr(inode, stat);
++
++      /* we need to show initial sectors used for inline_data/dentries */
++      if ((S_ISREG(inode->i_mode) && f2fs_has_inline_data(inode)) ||
++                                      f2fs_has_inline_dentry(inode))
++              stat->blocks += (stat->size + 511) >> 9;
++
+       return 0;
+ }
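Review bot: The `511` and `9` in `stat->blocks += (stat->size + 511) >> 9;` in f2fs_getattr() are unexplained, and the comment above them does not say what is being computed. I would write `/* inline data/dentries would otherwise report 0 blocks; add i_size rounded up to 512-byte sectors */`. The continuation line of the condition is also indented as if `f2fs_has_inline_dentry(inode)` belonged inside the first parenthesis; aligning it under `(S_ISREG` shows that it is the second operand of `||`. The function begins before the hunk.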
diff --git a/queue-4.14/fanotify-fix-fsnotify_prepare_user_wait-failure.patch b/queue-4.14/fanotify-fix-fsnotify_prepare_user_wait-failure.patch
new file mode 100644 (file)
index 0000000..1fe62e1
--- /dev/null
@@ -0,0 +1,96 @@
+From f37650f1c7c71cf5180b43229d13b421d81e7170 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Mon, 30 Oct 2017 21:14:56 +0100
+Subject: fanotify: fix fsnotify_prepare_user_wait() failure
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit f37650f1c7c71cf5180b43229d13b421d81e7170 upstream.
+
+If fsnotify_prepare_user_wait() fails, we leave the event on the
+notification list.  Which will result in a warning in
+fsnotify_destroy_event() and later use-after-free.
+
+Instead of adding a new helper to remove the event from the list in this
+case, I opted to move the prepare/finish up into fanotify_handle_event().
+
+This will allow these to be moved further out into the generic code later,
+and perhaps let us move to non-sleeping RCU.
+
+Reviewed-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 05f0e38724e8 ("fanotify: Release SRCU lock when waiting for userspace response")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/notify/fanotify/fanotify.c |   33 ++++++++++++++++++++-------------
+ 1 file changed, 20 insertions(+), 13 deletions(-)
+
+--- a/fs/notify/fanotify/fanotify.c
++++ b/fs/notify/fanotify/fanotify.c
+@@ -65,19 +65,8 @@ static int fanotify_get_response(struct
+       pr_debug("%s: group=%p event=%p\n", __func__, group, event);
+-      /*
+-       * fsnotify_prepare_user_wait() fails if we race with mark deletion.
+-       * Just let the operation pass in that case.
+-       */
+-      if (!fsnotify_prepare_user_wait(iter_info)) {
+-              event->response = FAN_ALLOW;
+-              goto out;
+-      }
+-
+       wait_event(group->fanotify_data.access_waitq, event->response);
+-      fsnotify_finish_user_wait(iter_info);
+-out:
+       /* userspace responded, convert to something usable */
+       switch (event->response) {
+       case FAN_ALLOW:
+@@ -212,9 +201,21 @@ static int fanotify_handle_event(struct
+       pr_debug("%s: group=%p inode=%p mask=%x\n", __func__, group, inode,
+                mask);
++#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
++      if (mask & FAN_ALL_PERM_EVENTS) {
++              /*
++               * fsnotify_prepare_user_wait() fails if we race with mark
++               * deletion.  Just let the operation pass in that case.
++               */
++              if (!fsnotify_prepare_user_wait(iter_info))
++                      return 0;
++      }
++#endif
++
+       event = fanotify_alloc_event(inode, mask, data);
++      ret = -ENOMEM;
+       if (unlikely(!event))
+-              return -ENOMEM;
++              goto finish;
+       fsn_event = &event->fse;
+       ret = fsnotify_add_event(group, fsn_event, fanotify_merge);
+@@ -224,7 +225,8 @@ static int fanotify_handle_event(struct
+               /* Our event wasn't used in the end. Free it. */
+               fsnotify_destroy_event(group, fsn_event);
+-              return 0;
++              ret = 0;
++              goto finish;
+       }
+ #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
+@@ -233,6 +235,11 @@ static int fanotify_handle_event(struct
+                                           iter_info);
+               fsnotify_destroy_event(group, fsn_event);
+       }
++finish:
++      if (mask & FAN_ALL_PERM_EVENTS)
++              fsnotify_finish_user_wait(iter_info);
++#else
++finish:
+ #endif
+       return ret;
+ }
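Review bot: The `finish:` label at the end of fanotify_handle_event() is defined twice, once in each branch of `#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS` / `#else`, which makes the exit path hard to follow. Closing the existing conditional block before the label and giving the fsnotify_finish_user_wait() call its own small conditional block leaves one label and the same behaviour in both configurations. A one-line comment at the label saying it pairs with the fsnotify_prepare_user_wait() call near the top of the function would help as well. The function starts before the hunk.

```c
	/* … unchanged: permission-event response handling inside its #ifdef … */
#endif
finish:
#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
	/* pairs with fsnotify_prepare_user_wait() above */
	if (mask & FAN_ALL_PERM_EVENTS)
		fsnotify_finish_user_wait(iter_info);
#endif
	return ret;
```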
diff --git a/queue-4.14/fix-a-page-leak-in-vhost_scsi_iov_to_sgl-error-recovery.patch b/queue-4.14/fix-a-page-leak-in-vhost_scsi_iov_to_sgl-error-recovery.patch
new file mode 100644 (file)
index 0000000..0d96e64
--- /dev/null
@@ -0,0 +1,40 @@
+From 11d49e9d089ccec81be87c2386dfdd010d7f7f6e Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 24 Sep 2017 18:36:44 -0400
+Subject: fix a page leak in vhost_scsi_iov_to_sgl() error recovery
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 11d49e9d089ccec81be87c2386dfdd010d7f7f6e upstream.
+
+we are advancing sg as we go, so the pages we need to drop in
+case of error are *before* the current sg.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vhost/scsi.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/vhost/scsi.c
++++ b/drivers/vhost/scsi.c
+@@ -688,6 +688,7 @@ vhost_scsi_iov_to_sgl(struct vhost_scsi_
+                     struct scatterlist *sg, int sg_count)
+ {
+       size_t off = iter->iov_offset;
++      struct scatterlist *p = sg;
+       int i, ret;
+       for (i = 0; i < iter->nr_segs; i++) {
+@@ -696,8 +697,8 @@ vhost_scsi_iov_to_sgl(struct vhost_scsi_
+               ret = vhost_scsi_map_to_sgl(cmd, base, len, sg, write);
+               if (ret < 0) {
+-                      for (i = 0; i < sg_count; i++) {
+-                              struct page *page = sg_page(&sg[i]);
++                      while (p < sg) {
++                              struct page *page = sg_page(p++);
+                               if (page)
+                                       put_page(page);
+                       }
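Review bot: The new cleanup loop in vhost_scsi_iov_to_sgl() has no comment, and its correctness depends on `sg` being advanced past each mapped entry, which happens outside the visible lines. I would add `/* p is the first entry; on failure release the pages of [p, sg), the entries mapped so far */` above `while (p < sg)`. With the `for (i = 0; i < sg_count; i++)` loop gone, `sg_count` is no longer read in the lines shown, so it is worth checking whether the parameter is still used anywhere in the function.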
diff --git a/queue-4.14/fs-9p-compare-qid.path-in-v9fs_test_inode.patch b/queue-4.14/fs-9p-compare-qid.path-in-v9fs_test_inode.patch
new file mode 100644 (file)
index 0000000..6fa8fdf
--- /dev/null
@@ -0,0 +1,51 @@
+From 8ee031631546cf2f7859cc69593bd60bbdd70b46 Mon Sep 17 00:00:00 2001
+From: Tuomas Tynkkynen <tuomas@tuxera.com>
+Date: Wed, 6 Sep 2017 17:59:07 +0300
+Subject: fs/9p: Compare qid.path in v9fs_test_inode
+
+From: Tuomas Tynkkynen <tuomas@tuxera.com>
+
+commit 8ee031631546cf2f7859cc69593bd60bbdd70b46 upstream.
+
+Commit fd2421f54423 ("fs/9p: When doing inode lookup compare qid details
+and inode mode bits.") transformed v9fs_qid_iget() to use iget5_locked()
+instead of iget_locked(). However, the test() callback is not checking
+fid.path at all, which means that a lookup in the inode cache can now
+accidentally locate a completely wrong inode from the same inode hash
+bucket if the other fields (qid.type and qid.version) match.
+
+Fixes: fd2421f54423 ("fs/9p: When doing inode lookup compare qid details and inode mode bits.")
+Reviewed-by: Latchesar Ionkov <lucho@ionkov.net>
+Signed-off-by: Tuomas Tynkkynen <tuomas@tuxera.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/9p/vfs_inode.c      |    3 +++
+ fs/9p/vfs_inode_dotl.c |    3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/fs/9p/vfs_inode.c
++++ b/fs/9p/vfs_inode.c
+@@ -483,6 +483,9 @@ static int v9fs_test_inode(struct inode
+       if (v9inode->qid.type != st->qid.type)
+               return 0;
++
++      if (v9inode->qid.path != st->qid.path)
++              return 0;
+       return 1;
+ }
+--- a/fs/9p/vfs_inode_dotl.c
++++ b/fs/9p/vfs_inode_dotl.c
+@@ -87,6 +87,9 @@ static int v9fs_test_inode_dotl(struct i
+       if (v9inode->qid.type != st->qid.type)
+               return 0;
++
++      if (v9inode->qid.path != st->qid.path)
++              return 0;
+       return 1;
+ }
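Review bot: The added `qid.path` comparison in v9fs_test_inode() and v9fs_test_inode_dotl() has no comment saying why it matters. A line such as `/* qid.path identifies the file; type and version alone can match another inode in the same hash bucket */` records the reasoning from the commit message next to the check. Both functions start before their hunks, and the new check is followed directly by `return 1;` without the blank line that the preceding check has.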
diff --git a/queue-4.14/fs-guard_bio_eod-needs-to-consider-partitions.patch b/queue-4.14/fs-guard_bio_eod-needs-to-consider-partitions.patch
new file mode 100644 (file)
index 0000000..4df491a
--- /dev/null
@@ -0,0 +1,59 @@
+From 67f2519fe2903c4041c0e94394d14d372fe51399 Mon Sep 17 00:00:00 2001
+From: Greg Edwards <gedwards@ddn.com>
+Date: Tue, 24 Oct 2017 11:21:48 -0600
+Subject: fs: guard_bio_eod() needs to consider partitions
+
+From: Greg Edwards <gedwards@ddn.com>
+
+commit 67f2519fe2903c4041c0e94394d14d372fe51399 upstream.
+
+guard_bio_eod() needs to look at the partition capacity, not just the
+capacity of the whole device, when determining if truncation is
+necessary.
+
+[   60.268688] attempt to access beyond end of device
+[   60.268690] unknown-block(9,1): rw=0, want=67103509, limit=67103506
+[   60.268693] buffer_io_error: 2 callbacks suppressed
+[   60.268696] Buffer I/O error on dev md1p7, logical block 4524305, async page read
+
+Fixes: 74d46992e0d9 ("block: replace bi_bdev with a gendisk pointer and partitions index")
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Edwards <gedwards@ddn.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/buffer.c           |   10 +++++++++-
+ include/linux/genhd.h |    1 +
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/fs/buffer.c
++++ b/fs/buffer.c
+@@ -3055,8 +3055,16 @@ void guard_bio_eod(int op, struct bio *b
+       sector_t maxsector;
+       struct bio_vec *bvec = &bio->bi_io_vec[bio->bi_vcnt - 1];
+       unsigned truncated_bytes;
++      struct hd_struct *part;
++
++      rcu_read_lock();
++      part = __disk_get_part(bio->bi_disk, bio->bi_partno);
++      if (part)
++              maxsector = part_nr_sects_read(part);
++      else
++              maxsector = get_capacity(bio->bi_disk);
++      rcu_read_unlock();
+-      maxsector = get_capacity(bio->bi_disk);
+       if (!maxsector)
+               return;
+--- a/include/linux/genhd.h
++++ b/include/linux/genhd.h
+@@ -243,6 +243,7 @@ static inline dev_t part_devt(struct hd_
+       return part_to_dev(part)->devt;
+ }
++extern struct hd_struct *__disk_get_part(struct gendisk *disk, int partno);
+ extern struct hd_struct *disk_get_part(struct gendisk *disk, int partno);
+ static inline void disk_put_part(struct hd_struct *part)
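Review bot: In guard_bio_eod(), a NULL result from `__disk_get_part()` makes the limit fall back to `get_capacity(bio->bi_disk)`, the whole-device size, which is the looser bound for a bio that targets a partition. If NULL is reachable with a non-zero `bi_partno` (for example a partition removed concurrently, which this hunk does not show), the guard would again let through the beyond-end access that the patch is meant to truncate. I would document the expectation on the else branch, e.g. `/* no partition entry: bound by whole-disk capacity */`, and state whether a non-zero `bi_partno` can reach it. The truncation logic that consumes `maxsector` is below the hunk and was not reviewed.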
diff --git a/queue-4.14/fscrypt-lock-mutex-before-checking-for-bounce-page-pool.patch b/queue-4.14/fscrypt-lock-mutex-before-checking-for-bounce-page-pool.patch
new file mode 100644 (file)
index 0000000..71b5f99
--- /dev/null
@@ -0,0 +1,55 @@
+From a0b3bc855374c50b5ea85273553485af48caf2f7 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Sun, 29 Oct 2017 06:30:19 -0400
+Subject: fscrypt: lock mutex before checking for bounce page pool
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit a0b3bc855374c50b5ea85273553485af48caf2f7 upstream.
+
+fscrypt_initialize(), which allocates the global bounce page pool when
+an encrypted file is first accessed, uses "double-checked locking" to
+try to avoid locking fscrypt_init_mutex.  However, it doesn't use any
+memory barriers, so it's theoretically possible for a thread to observe
+a bounce page pool which has not been fully initialized.  This is a
+classic bug with "double-checked locking".
+
+While "only a theoretical issue" in the latest kernel, in pre-4.8
+kernels the pointer that was checked was not even the last to be
+initialized, so it was easily possible for a crash (NULL pointer
+dereference) to happen.  This was changed only incidentally by the large
+refactor to use fs/crypto/.
+
+Solve both problems in a trivial way that can easily be backported: just
+always take the mutex.  It's theoretically less efficient, but it
+shouldn't be noticeable in practice as the mutex is only acquired very
+briefly once per encrypted file.
+
+Later I'd like to make this use a helper macro like DO_ONCE().  However,
+DO_ONCE() runs in atomic context, so we'd need to add a new macro that
+allows blocking.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/crypto/crypto.c |    7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/fs/crypto/crypto.c
++++ b/fs/crypto/crypto.c
+@@ -410,11 +410,8 @@ int fscrypt_initialize(unsigned int cop_
+ {
+       int i, res = -ENOMEM;
+-      /*
+-       * No need to allocate a bounce page pool if there already is one or
+-       * this FS won't use it.
+-       */
+-      if (cop_flags & FS_CFLG_OWN_PAGES || fscrypt_bounce_page_pool)
++      /* No need to allocate a bounce page pool if this FS won't use it. */
++      if (cop_flags & FS_CFLG_OWN_PAGES)
+               return 0;
+       mutex_lock(&fscrypt_init_mutex);
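Review bot: With the unlocked `fscrypt_bounce_page_pool` test removed, fscrypt_initialize() is only correct if the pool pointer is tested again after `mutex_lock(&fscrypt_init_mutex)`; that test lies below the last line of this hunk and cannot be confirmed here. The rewritten comment now covers only FS_CFLG_OWN_PAGES, so nothing in the code records why the cheap early exit went away. I would add `/* fscrypt_bounce_page_pool may only be tested with fscrypt_init_mutex held */` at the lock, so a later optimisation does not reintroduce the unordered read.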
diff --git a/queue-4.14/fsnotify-clean-up-fsnotify_prepare-finish_user_wait.patch b/queue-4.14/fsnotify-clean-up-fsnotify_prepare-finish_user_wait.patch
new file mode 100644 (file)
index 0000000..58b9f9f
--- /dev/null
@@ -0,0 +1,157 @@
+From 24c20305c7fc8959836211cb8c50aab93ae0e54f Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Mon, 30 Oct 2017 21:14:55 +0100
+Subject: fsnotify: clean up fsnotify_prepare/finish_user_wait()
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 24c20305c7fc8959836211cb8c50aab93ae0e54f upstream.
+
+This patch doesn't actually fix any bug, just paves the way for fixing mark
+and group pinning.
+
+Reviewed-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/notify/mark.c |   98 +++++++++++++++++++++++++++----------------------------
+ 1 file changed, 49 insertions(+), 49 deletions(-)
+
+--- a/fs/notify/mark.c
++++ b/fs/notify/mark.c
+@@ -109,16 +109,6 @@ void fsnotify_get_mark(struct fsnotify_m
+       atomic_inc(&mark->refcnt);
+ }
+-/*
+- * Get mark reference when we found the mark via lockless traversal of object
+- * list. Mark can be already removed from the list by now and on its way to be
+- * destroyed once SRCU period ends.
+- */
+-static bool fsnotify_get_mark_safe(struct fsnotify_mark *mark)
+-{
+-      return atomic_inc_not_zero(&mark->refcnt);
+-}
+-
+ static void __fsnotify_recalc_mask(struct fsnotify_mark_connector *conn)
+ {
+       u32 new_mask = 0;
+@@ -256,32 +246,63 @@ void fsnotify_put_mark(struct fsnotify_m
+                          FSNOTIFY_REAPER_DELAY);
+ }
+-bool fsnotify_prepare_user_wait(struct fsnotify_iter_info *iter_info)
++/*
++ * Get mark reference when we found the mark via lockless traversal of object
++ * list. Mark can be already removed from the list by now and on its way to be
++ * destroyed once SRCU period ends.
++ *
++ * Also pin the group so it doesn't disappear under us.
++ */
++static bool fsnotify_get_mark_safe(struct fsnotify_mark *mark)
+ {
+       struct fsnotify_group *group;
+-      if (WARN_ON_ONCE(!iter_info->inode_mark && !iter_info->vfsmount_mark))
+-              return false;
+-
+-      if (iter_info->inode_mark)
+-              group = iter_info->inode_mark->group;
+-      else
+-              group = iter_info->vfsmount_mark->group;
++      if (!mark)
++              return true;
++      group = mark->group;
+       /*
+        * Since acquisition of mark reference is an atomic op as well, we can
+        * be sure this inc is seen before any effect of refcount increment.
+        */
+       atomic_inc(&group->user_waits);
++      if (atomic_inc_not_zero(&mark->refcnt))
++              return true;
++
++      if (atomic_dec_and_test(&group->user_waits) && group->shutdown)
++              wake_up(&group->notification_waitq);
++
++      return false;
++}
++
++/*
++ * Puts marks and wakes up group destruction if necessary.
++ *
++ * Pairs with fsnotify_get_mark_safe()
++ */
++static void fsnotify_put_mark_wake(struct fsnotify_mark *mark)
++{
++      if (mark) {
++              struct fsnotify_group *group = mark->group;
+-      if (iter_info->inode_mark) {
+-              /* This can fail if mark is being removed */
+-              if (!fsnotify_get_mark_safe(iter_info->inode_mark))
+-                      goto out_wait;
+-      }
+-      if (iter_info->vfsmount_mark) {
+-              if (!fsnotify_get_mark_safe(iter_info->vfsmount_mark))
+-                      goto out_inode;
++              fsnotify_put_mark(mark);
++              /*
++               * We abuse notification_waitq on group shutdown for waiting for
++               * all marks pinned when waiting for userspace.
++               */
++              if (atomic_dec_and_test(&group->user_waits) && group->shutdown)
++                      wake_up(&group->notification_waitq);
++      }
++}
++
++bool fsnotify_prepare_user_wait(struct fsnotify_iter_info *iter_info)
++{
++      /* This can fail if mark is being removed */
++      if (!fsnotify_get_mark_safe(iter_info->inode_mark))
++              return false;
++      if (!fsnotify_get_mark_safe(iter_info->vfsmount_mark)) {
++              fsnotify_put_mark_wake(iter_info->inode_mark);
++              return false;
+       }
+       /*
+@@ -292,34 +313,13 @@ bool fsnotify_prepare_user_wait(struct f
+       srcu_read_unlock(&fsnotify_mark_srcu, iter_info->srcu_idx);
+       return true;
+-out_inode:
+-      if (iter_info->inode_mark)
+-              fsnotify_put_mark(iter_info->inode_mark);
+-out_wait:
+-      if (atomic_dec_and_test(&group->user_waits) && group->shutdown)
+-              wake_up(&group->notification_waitq);
+-      return false;
+ }
+ void fsnotify_finish_user_wait(struct fsnotify_iter_info *iter_info)
+ {
+-      struct fsnotify_group *group = NULL;
+-
+       iter_info->srcu_idx = srcu_read_lock(&fsnotify_mark_srcu);
+-      if (iter_info->inode_mark) {
+-              group = iter_info->inode_mark->group;
+-              fsnotify_put_mark(iter_info->inode_mark);
+-      }
+-      if (iter_info->vfsmount_mark) {
+-              group = iter_info->vfsmount_mark->group;
+-              fsnotify_put_mark(iter_info->vfsmount_mark);
+-      }
+-      /*
+-       * We abuse notification_waitq on group shutdown for waiting for all
+-       * marks pinned when waiting for userspace.
+-       */
+-      if (atomic_dec_and_test(&group->user_waits) && group->shutdown)
+-              wake_up(&group->notification_waitq);
++      fsnotify_put_mark_wake(iter_info->inode_mark);
++      fsnotify_put_mark_wake(iter_info->vfsmount_mark);
+ }
+ /*
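Review bot: In fsnotify_put_mark_wake(), `group = mark->group` is read before `fsnotify_put_mark(mark)` and the group is used after it, but nothing says the order is deliberate. If the put can drop the last reference (its body is outside this hunk), reading `mark->group` afterwards would be a use after free, so I would add `/* read group first: the put below may free the mark */`. Separately, the moved fsnotify_get_mark_safe() still dereferences `mark->group` and increments `user_waits` before it holds a mark reference. fsnotify-fix-pinning-group-in-fsnotify_prepare_user_wait.patch in this queue changes that, so the two patches should be applied together.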
diff --git a/queue-4.14/fsnotify-fix-pinning-group-in-fsnotify_prepare_user_wait.patch b/queue-4.14/fsnotify-fix-pinning-group-in-fsnotify_prepare_user_wait.patch
new file mode 100644 (file)
index 0000000..4f82889
--- /dev/null
@@ -0,0 +1,64 @@
+From 9a31d7ad997f55768c687974ce36b759065b49e5 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Mon, 30 Oct 2017 21:14:56 +0100
+Subject: fsnotify: fix pinning group in fsnotify_prepare_user_wait()
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 9a31d7ad997f55768c687974ce36b759065b49e5 upstream.
+
+Blind increment of group's user_waits is not enough, we could be far enough
+in the group's destruction that it isn't taken into account (i.e. grabbing
+the mark ref afterwards doesn't guarantee that it was the ref coming from
+the _group_ that was grabbed).
+
+Instead we need to check (under lock) that the mark is still attached to
+the group after having obtained a ref to the mark.  If not, skip it.
+
+Reviewed-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 9385a84d7e1f ("fsnotify: Pass fsnotify_iter_info into handle_event handler")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/notify/mark.c |   25 +++++++++++--------------
+ 1 file changed, 11 insertions(+), 14 deletions(-)
+
+--- a/fs/notify/mark.c
++++ b/fs/notify/mark.c
+@@ -255,23 +255,20 @@ void fsnotify_put_mark(struct fsnotify_m
+  */
+ static bool fsnotify_get_mark_safe(struct fsnotify_mark *mark)
+ {
+-      struct fsnotify_group *group;
+-
+       if (!mark)
+               return true;
+-      group = mark->group;
+-      /*
+-       * Since acquisition of mark reference is an atomic op as well, we can
+-       * be sure this inc is seen before any effect of refcount increment.
+-       */
+-      atomic_inc(&group->user_waits);
+-      if (atomic_inc_not_zero(&mark->refcnt))
+-              return true;
+-
+-      if (atomic_dec_and_test(&group->user_waits) && group->shutdown)
+-              wake_up(&group->notification_waitq);
+-
++      if (atomic_inc_not_zero(&mark->refcnt)) {
++              spin_lock(&mark->lock);
++              if (mark->flags & FSNOTIFY_MARK_FLAG_ATTACHED) {
++                      /* mark is attached, group is still alive then */
++                      atomic_inc(&mark->group->user_waits);
++                      spin_unlock(&mark->lock);
++                      return true;
++              }
++              spin_unlock(&mark->lock);
++              fsnotify_put_mark(mark);
++      }
+       return false;
+ }
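Review bot: The comment `/* mark is attached, group is still alive then */` in fsnotify_get_mark_safe() states the conclusion but not what makes it hold. Presumably the detach path clears FSNOTIFY_MARK_FLAG_ATTACHED under `mark->lock` before group shutdown waits for `user_waits` to reach zero; that code is not in this hunk and should be confirmed. I would extend the comment to `/* ATTACHED is cleared under mark->lock before the group can go away, so the group is still alive here */`. The function's header comment starts above the hunk.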
diff --git a/queue-4.14/fsnotify-pin-both-inode-and-vfsmount-mark.patch b/queue-4.14/fsnotify-pin-both-inode-and-vfsmount-mark.patch
new file mode 100644 (file)
index 0000000..5f1fb3d
--- /dev/null
@@ -0,0 +1,52 @@
+From 0d6ec079d6aaa098b978d6395973bb027c752a03 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Mon, 30 Oct 2017 21:14:55 +0100
+Subject: fsnotify: pin both inode and vfsmount mark
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 0d6ec079d6aaa098b978d6395973bb027c752a03 upstream.
+
+We may fail to pin one of the marks in fsnotify_prepare_user_wait() when
+dropping the srcu read lock, resulting in use after free at the next
+iteration.
+
+Solution is to store both marks in iter_info instead of just the one we'll
+be sending the event for.
+
+Reviewed-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 9385a84d7e1f ("fsnotify: Pass fsnotify_iter_info into handle_event handler")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/notify/fsnotify.c |   10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/fs/notify/fsnotify.c
++++ b/fs/notify/fsnotify.c
+@@ -335,6 +335,13 @@ int fsnotify(struct inode *to_tell, __u3
+                                                   struct fsnotify_mark, obj_list);
+                       vfsmount_group = vfsmount_mark->group;
+               }
++              /*
++               * Need to protect both marks against freeing so that we can
++               * continue iteration from this place, regardless of which mark
++               * we actually happen to send an event for.
++               */
++              iter_info.inode_mark = inode_mark;
++              iter_info.vfsmount_mark = vfsmount_mark;
+               if (inode_group && vfsmount_group) {
+                       int cmp = fsnotify_compare_groups(inode_group,
+@@ -348,9 +355,6 @@ int fsnotify(struct inode *to_tell, __u3
+                       }
+               }
+-              iter_info.inode_mark = inode_mark;
+-              iter_info.vfsmount_mark = vfsmount_mark;
+-
+               ret = send_to_group(to_tell, inode_mark, vfsmount_mark, mask,
+                                   data, data_is, cookie, file_name,
+                                   &iter_info);
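Review bot: After this move `iter_info` always carries both marks, while the `inode_mark` / `vfsmount_mark` arguments passed to send_to_group() can still be NULLed by the group comparison that follows the new assignment (only partly visible between the two hunks). Any handler that reads a mark from `iter_info` instead of from its arguments would then see a mark belonging to a different group than the one being notified. The added comment should say so, e.g. by appending `iter_info marks are for pinning only; handlers must use the mark arguments`. fsnotify() begins and ends outside these hunks.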
diff --git a/queue-4.14/genirq-track-whether-the-trigger-type-has-been-set.patch b/queue-4.14/genirq-track-whether-the-trigger-type-has-been-set.patch
new file mode 100644 (file)
index 0000000..0e2504d
--- /dev/null
@@ -0,0 +1,103 @@
+From 4f8413a3a799c958f7a10a6310a451e6b8aef5ad Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Thu, 9 Nov 2017 14:17:59 +0000
+Subject: genirq: Track whether the trigger type has been set
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 4f8413a3a799c958f7a10a6310a451e6b8aef5ad upstream.
+
+When requesting a shared interrupt, we assume that the firmware
+support code (DT or ACPI) has called irqd_set_trigger_type
+already, so that we can retrieve it and check that the requester
+is being reasonnable.
+
+Unfortunately, we still have non-DT, non-ACPI systems around,
+and these guys won't call irqd_set_trigger_type before requesting
+the interrupt. The consequence is that we fail the request that
+would have worked before.
+
+We can either chase all these use cases (boring), or address it
+in core code (easier). Let's have a per-irq_desc flag that
+indicates whether irqd_set_trigger_type has been called, and
+let's just check it when checking for a shared interrupt.
+If it hasn't been set, just take whatever the interrupt
+requester asks.
+
+Fixes: 382bd4de6182 ("genirq: Use irqd_get_trigger_type to compare the trigger type for shared IRQs")
+Reported-and-tested-by: Petr Cvek <petrcvekcz@gmail.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/irq.h |   11 ++++++++++-
+ kernel/irq/manage.c |   13 ++++++++++++-
+ 2 files changed, 22 insertions(+), 2 deletions(-)
+
+--- a/include/linux/irq.h
++++ b/include/linux/irq.h
+@@ -211,6 +211,7 @@ struct irq_data {
+  * IRQD_MANAGED_SHUTDOWN      - Interrupt was shutdown due to empty affinity
+  *                              mask. Applies only to affinity managed irqs.
+  * IRQD_SINGLE_TARGET         - IRQ allows only a single affinity target
++ * IRQD_DEFAULT_TRIGGER_SET   - Expected trigger already been set
+  */
+ enum {
+       IRQD_TRIGGER_MASK               = 0xf,
+@@ -231,6 +232,7 @@ enum {
+       IRQD_IRQ_STARTED                = (1 << 22),
+       IRQD_MANAGED_SHUTDOWN           = (1 << 23),
+       IRQD_SINGLE_TARGET              = (1 << 24),
++      IRQD_DEFAULT_TRIGGER_SET        = (1 << 25),
+ };
+ #define __irqd_to_state(d) ACCESS_PRIVATE((d)->common, state_use_accessors)
+@@ -260,18 +262,25 @@ static inline void irqd_mark_affinity_wa
+       __irqd_to_state(d) |= IRQD_AFFINITY_SET;
+ }
++static inline bool irqd_trigger_type_was_set(struct irq_data *d)
++{
++      return __irqd_to_state(d) & IRQD_DEFAULT_TRIGGER_SET;
++}
++
+ static inline u32 irqd_get_trigger_type(struct irq_data *d)
+ {
+       return __irqd_to_state(d) & IRQD_TRIGGER_MASK;
+ }
+ /*
+- * Must only be called inside irq_chip.irq_set_type() functions.
++ * Must only be called inside irq_chip.irq_set_type() functions or
++ * from the DT/ACPI setup code.
+  */
+ static inline void irqd_set_trigger_type(struct irq_data *d, u32 type)
+ {
+       __irqd_to_state(d) &= ~IRQD_TRIGGER_MASK;
+       __irqd_to_state(d) |= type & IRQD_TRIGGER_MASK;
++      __irqd_to_state(d) |= IRQD_DEFAULT_TRIGGER_SET;
+ }
+ static inline bool irqd_is_level_type(struct irq_data *d)
+--- a/kernel/irq/manage.c
++++ b/kernel/irq/manage.c
+@@ -1245,7 +1245,18 @@ __setup_irq(unsigned int irq, struct irq
+                * set the trigger type must match. Also all must
+                * agree on ONESHOT.
+                */
+-              unsigned int oldtype = irqd_get_trigger_type(&desc->irq_data);
++              unsigned int oldtype;
++
++              /*
++               * If nobody did set the configuration before, inherit
++               * the one provided by the requester.
++               */
++              if (irqd_trigger_type_was_set(&desc->irq_data)) {
++                      oldtype = irqd_get_trigger_type(&desc->irq_data);
++              } else {
++                      oldtype = new->flags & IRQF_TRIGGER_MASK;
++                      irqd_set_trigger_type(&desc->irq_data, oldtype);
++              }
+               if (!((old->flags & new->flags) & IRQF_SHARED) ||
+                   (oldtype != (new->flags & IRQF_TRIGGER_MASK)) ||
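Review bot: In __setup_irq(), the new else branch calls `irqd_set_trigger_type()` before the IRQF_SHARED / trigger / ONESHOT test that follows it. If that test rejects the request, the descriptor keeps the rejected requester's trigger type with IRQD_DEFAULT_TRIGGER_SET now set; the mismatch path is outside the hunk, so this is inferred from the visible order. Setting `oldtype` in the else branch and deferring the `irqd_set_trigger_type()` call until the checks have passed would avoid that. The updated comment in irq.h also still limits callers to `irq_chip.irq_set_type()` and DT/ACPI setup code; it should add `or __setup_irq() when no trigger type has been recorded yet`.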
diff --git a/queue-4.14/irqchip-gic-v3-fix-ppi-partitions-lookup.patch b/queue-4.14/irqchip-gic-v3-fix-ppi-partitions-lookup.patch
new file mode 100644 (file)
index 0000000..cdfd737
--- /dev/null
@@ -0,0 +1,59 @@
+From 00ee9a1ca5080202bc37b44e998c3b2c74d45817 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Sat, 11 Nov 2017 17:51:25 +0100
+Subject: irqchip/gic-v3: Fix ppi-partitions lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 00ee9a1ca5080202bc37b44e998c3b2c74d45817 upstream.
+
+Fix child-node lookup during initialisation, which ended up searching
+the whole device tree depth-first starting at the parent rather than
+just matching on its children.
+
+To make things worse, the parent gic node was prematurely freed, while
+the ppi-partitions node was leaked.
+
+Fixes: e3825ba1af3a ("irqchip/gic-v3: Add support for partitioned PPIs")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-gic-v3.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/irqchip/irq-gic-v3.c
++++ b/drivers/irqchip/irq-gic-v3.c
+@@ -1071,18 +1071,18 @@ static void __init gic_populate_ppi_part
+       int nr_parts;
+       struct partition_affinity *parts;
+-      parts_node = of_find_node_by_name(gic_node, "ppi-partitions");
++      parts_node = of_get_child_by_name(gic_node, "ppi-partitions");
+       if (!parts_node)
+               return;
+       nr_parts = of_get_child_count(parts_node);
+       if (!nr_parts)
+-              return;
++              goto out_put_node;
+       parts = kzalloc(sizeof(*parts) * nr_parts, GFP_KERNEL);
+       if (WARN_ON(!parts))
+-              return;
++              goto out_put_node;
+       for_each_child_of_node(parts_node, child_part) {
+               struct partition_affinity *part;
+@@ -1149,6 +1149,9 @@ static void __init gic_populate_ppi_part
+               gic_data.ppi_descs[i] = desc;
+       }
++
++out_put_node:
++      of_node_put(parts_node);
+ }
+ static void __init gic_of_setup_kvm_info(struct device_node *node)
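Review bot: `kzalloc(sizeof(*parts) * nr_parts, GFP_KERNEL)` in gic_populate_ppi_partitions() multiplies an element size by a count read from the device tree with no overflow check; `parts = kcalloc(nr_parts, sizeof(*parts), GFP_KERNEL);` performs the same allocation with the check built in. That line is context in this patch, so the change belongs in a follow-up rather than the backport. Only the two early returns visible in the first hunk were converted to `goto out_put_node`. The loop body between the two hunks is not shown, and any exit there that bypasses the label would still leak `parts_node`.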
diff --git a/queue-4.14/iscsi-target-fix-non-immediate-tmr-reference-leak.patch b/queue-4.14/iscsi-target-fix-non-immediate-tmr-reference-leak.patch
new file mode 100644 (file)
index 0000000..05250f6
--- /dev/null
@@ -0,0 +1,47 @@
+From 3fc9fb13a4b2576aeab86c62fd64eb29ab68659c Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Fri, 27 Oct 2017 20:52:56 -0700
+Subject: iscsi-target: Fix non-immediate TMR reference leak
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 3fc9fb13a4b2576aeab86c62fd64eb29ab68659c upstream.
+
+This patch fixes a se_cmd->cmd_kref reference leak that can
+occur when a non immediate TMR is proceeded our of command
+sequence number order, and CMDSN_LOWER_THAN_EXP is returned
+by iscsit_sequence_cmd().
+
+To address this bug, call target_put_sess_cmd() during this
+special case following what iscsit_process_scsi_cmd() does
+upon CMDSN_LOWER_THAN_EXP.
+
+Cc: Mike Christie <mchristi@redhat.com>
+Cc: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -2099,12 +2099,14 @@ attach:
+       if (!(hdr->opcode & ISCSI_OP_IMMEDIATE)) {
+               int cmdsn_ret = iscsit_sequence_cmd(conn, cmd, buf, hdr->cmdsn);
+-              if (cmdsn_ret == CMDSN_HIGHER_THAN_EXP)
++              if (cmdsn_ret == CMDSN_HIGHER_THAN_EXP) {
+                       out_of_order_cmdsn = 1;
+-              else if (cmdsn_ret == CMDSN_LOWER_THAN_EXP)
++              } else if (cmdsn_ret == CMDSN_LOWER_THAN_EXP) {
++                      target_put_sess_cmd(&cmd->se_cmd);
+                       return 0;
+-              else if (cmdsn_ret == CMDSN_ERROR_CANNOT_RECOVER)
++              } else if (cmdsn_ret == CMDSN_ERROR_CANNOT_RECOVER) {
+                       return -1;
++              }
+       }
+       iscsit_ack_from_expstatsn(conn, be32_to_cpu(hdr->exp_statsn));
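Review bot: The added `target_put_sess_cmd(&cmd->se_cmd)` on CMDSN_LOWER_THAN_EXP is unconditional, so it is balanced only if every TMR reaching this point has taken a reference with `target_get_sess_cmd()`. For ISCSI_TM_FUNC_TASK_REASSIGN that is true only once iscsi-target-make-task_reassign-use-proper-se_cmd-cmd_kref.patch from this queue is applied; without it the get is guarded by `function != ISCSI_TM_FUNC_TASK_REASSIGN` and this put would underflow `cmd_kref`. The series order should place that patch first, and a comment here such as `/* pairs with target_get_sess_cmd() taken for every TMR above */` would record the dependency. The function starts and ends outside the hunk.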
diff --git a/queue-4.14/iscsi-target-make-task_reassign-use-proper-se_cmd-cmd_kref.patch b/queue-4.14/iscsi-target-make-task_reassign-use-proper-se_cmd-cmd_kref.patch
new file mode 100644 (file)
index 0000000..d71fe86
--- /dev/null
@@ -0,0 +1,89 @@
+From ae072726f6109bb1c94841d6fb3a82dde298ea85 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Fri, 27 Oct 2017 12:32:59 -0700
+Subject: iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit ae072726f6109bb1c94841d6fb3a82dde298ea85 upstream.
+
+Since commit 59b6986dbf fixed a potential NULL pointer dereference
+by allocating a se_tmr_req for ISCSI_TM_FUNC_TASK_REASSIGN, the
+se_tmr_req is currently leaked by iscsit_free_cmd() because no
+iscsi_cmd->se_cmd.se_tfo was associated.
+
+To address this, treat ISCSI_TM_FUNC_TASK_REASSIGN like any other
+TMR and call transport_init_se_cmd() + target_get_sess_cmd() to
+setup iscsi_cmd->se_cmd.se_tfo with se_cmd->cmd_kref of 2.
+
+This will ensure normal release operation once se_cmd->cmd_kref
+reaches zero and target_release_cmd_kref() is invoked, se_tmr_req
+will be released via existing target_free_cmd_mem() and
+core_tmr_release_req() code.
+
+Reported-by: Donald White <dew@datera.io>
+Cc: Donald White <dew@datera.io>
+Cc: Mike Christie <mchristi@redhat.com>
+Cc: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target.c |   22 +++++++++-------------
+ 1 file changed, 9 insertions(+), 13 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -1960,7 +1960,6 @@ iscsit_handle_task_mgt_cmd(struct iscsi_
+       struct iscsi_tmr_req *tmr_req;
+       struct iscsi_tm *hdr;
+       int out_of_order_cmdsn = 0, ret;
+-      bool sess_ref = false;
+       u8 function, tcm_function = TMR_UNKNOWN;
+       hdr                     = (struct iscsi_tm *) buf;
+@@ -1993,22 +1992,23 @@ iscsit_handle_task_mgt_cmd(struct iscsi_
+       cmd->data_direction = DMA_NONE;
+       cmd->tmr_req = kzalloc(sizeof(*cmd->tmr_req), GFP_KERNEL);
+-      if (!cmd->tmr_req)
++      if (!cmd->tmr_req) {
+               return iscsit_add_reject_cmd(cmd,
+                                            ISCSI_REASON_BOOKMARK_NO_RESOURCES,
+                                            buf);
++      }
++
++      transport_init_se_cmd(&cmd->se_cmd, &iscsi_ops,
++                            conn->sess->se_sess, 0, DMA_NONE,
++                            TCM_SIMPLE_TAG, cmd->sense_buffer + 2);
++
++      target_get_sess_cmd(&cmd->se_cmd, true);
+       /*
+        * TASK_REASSIGN for ERL=2 / connection stays inside of
+        * LIO-Target $FABRIC_MOD
+        */
+       if (function != ISCSI_TM_FUNC_TASK_REASSIGN) {
+-              transport_init_se_cmd(&cmd->se_cmd, &iscsi_ops,
+-                                    conn->sess->se_sess, 0, DMA_NONE,
+-                                    TCM_SIMPLE_TAG, cmd->sense_buffer + 2);
+-
+-              target_get_sess_cmd(&cmd->se_cmd, true);
+-              sess_ref = true;
+               tcm_function = iscsit_convert_tmf(function);
+               if (tcm_function == TMR_UNKNOWN) {
+                       pr_err("Unknown iSCSI TMR Function:"
+@@ -2124,12 +2124,8 @@ attach:
+        * For connection recovery, this is also the default action for
+        * TMR TASK_REASSIGN.
+        */
+-      if (sess_ref) {
+-              pr_debug("Handle TMR, using sess_ref=true check\n");
+-              target_put_sess_cmd(&cmd->se_cmd);
+-      }
+-
+       iscsit_add_cmd_to_response_queue(cmd, conn, cmd->i_state);
++      target_put_sess_cmd(&cmd->se_cmd);
+       return 0;
+ }
+ EXPORT_SYMBOL(iscsit_handle_task_mgt_cmd);
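Review bot: `transport_init_se_cmd()` and `target_get_sess_cmd()` now run for every TMR in iscsit_handle_task_mgt_cmd(), so every exit between that point and the final put also holds a session reference for TASK_REASSIGN. The exits between the second and third hunks are not shown and should each be checked for a matching `target_put_sess_cmd()`. The return value of `target_get_sess_cmd()` is still ignored, as it was before the move. The final put also moved from before to after `iscsit_add_cmd_to_response_queue()`, which the description does not mention; a comment such as `/* drop the reference taken by target_get_sess_cmd() above */` would record what it pairs with.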
diff --git a/queue-4.14/isofs-fix-timestamps-beyond-2027.patch b/queue-4.14/isofs-fix-timestamps-beyond-2027.patch
new file mode 100644 (file)
index 0000000..ecf914e
--- /dev/null
@@ -0,0 +1,64 @@
+From 34be4dbf87fc3e474a842305394534216d428f5d Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 19 Oct 2017 16:47:48 +0200
+Subject: isofs: fix timestamps beyond 2027
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 34be4dbf87fc3e474a842305394534216d428f5d upstream.
+
+isofs uses a 'char' variable to load the number of years since
+1900 for an inode timestamp. On architectures that use a signed
+char type by default, this results in an invalid date for
+anything beyond 2027.
+
+This changes the function argument to a 'u8' array, which
+is defined the same way on all architectures, and unambiguously
+lets us use years until 2155.
+
+This should be backported to all kernels that might still be
+in use by that date.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/isofs/isofs.h |    2 +-
+ fs/isofs/rock.h  |    2 +-
+ fs/isofs/util.c  |    2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/isofs/isofs.h
++++ b/fs/isofs/isofs.h
+@@ -107,7 +107,7 @@ static inline unsigned int isonum_733(ch
+       /* Ignore bigendian datum due to broken mastering programs */
+       return get_unaligned_le32(p);
+ }
+-extern int iso_date(char *, int);
++extern int iso_date(u8 *, int);
+ struct inode;         /* To make gcc happy */
+--- a/fs/isofs/rock.h
++++ b/fs/isofs/rock.h
+@@ -66,7 +66,7 @@ struct RR_PL_s {
+ };
+ struct stamp {
+-      char time[7];
++      __u8 time[7];           /* actually 6 unsigned, 1 signed */
+ } __attribute__ ((packed));
+ struct RR_TF_s {
+--- a/fs/isofs/util.c
++++ b/fs/isofs/util.c
+@@ -16,7 +16,7 @@
+  * to GMT.  Thus  we should always be correct.
+  */
+-int iso_date(char * p, int flag)
++int iso_date(u8 *p, int flag)
+ {
+       int year, month, day, hour, minute, second, tz;
+       int crtime;
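Review bot: The new comment in rock.h says the seventh byte of `time[7]` is signed, yet after this change iso_date() receives all seven bytes as `u8`. The part of iso_date() that reads the timezone byte is below the hunk, so it should be confirmed that it sign-extends `p[6]` explicitly and does not rely on the old `char` type. If it does, a comment at that read such as `/* p[6] is a signed 15-minute offset stored in a u8 */` would keep the conversion from being removed as dead code. On-disk timestamps come from the mounted image, so both the year and the offset are untrusted values.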
diff --git a/queue-4.14/iwlwifi-fix-firmware-names-for-9000-and-a000-series-hw.patch b/queue-4.14/iwlwifi-fix-firmware-names-for-9000-and-a000-series-hw.patch
new file mode 100644 (file)
index 0000000..9d466f7
--- /dev/null
@@ -0,0 +1,73 @@
+From c2c48ddfc8b03b9ecb51d2832b586497b37531bc Mon Sep 17 00:00:00 2001
+From: Thomas Backlund <tmb@mageia.org>
+Date: Tue, 14 Nov 2017 12:37:51 +0200
+Subject: iwlwifi: fix firmware names for 9000 and A000 series hw
+
+From: Thomas Backlund <tmb@mageia.org>
+
+commit c2c48ddfc8b03b9ecb51d2832b586497b37531bc upstream.
+
+iwlwifi 9000 and a0000 series hw contains an extra dash in firmware
+file name as seeen in modinfo output for kernel 4.14:
+
+firmware:       iwlwifi-9260-th-b0-jf-b0--34.ucode
+firmware:       iwlwifi-9260-th-a0-jf-a0--34.ucode
+firmware:       iwlwifi-9000-pu-a0-jf-b0--34.ucode
+firmware:       iwlwifi-9000-pu-a0-jf-a0--34.ucode
+firmware:       iwlwifi-QuQnj-a0-hr-a0--34.ucode
+firmware:       iwlwifi-QuQnj-a0-jf-b0--34.ucode
+firmware:       iwlwifi-QuQnj-f0-hr-a0--34.ucode
+firmware:       iwlwifi-Qu-a0-jf-b0--34.ucode
+firmware:       iwlwifi-Qu-a0-hr-a0--34.ucode
+
+Fix that by dropping the extra adding of '"-"'.
+
+Signed-off-by: Thomas Backlund <tmb@mageia.org>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/cfg/9000.c |    6 +++---
+ drivers/net/wireless/intel/iwlwifi/cfg/a000.c |   10 +++++-----
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/cfg/9000.c
++++ b/drivers/net/wireless/intel/iwlwifi/cfg/9000.c
+@@ -79,11 +79,11 @@
+ #define IWL9000_MODULE_FIRMWARE(api) \
+       IWL9000_FW_PRE "-" __stringify(api) ".ucode"
+ #define IWL9000RFB_MODULE_FIRMWARE(api) \
+-      IWL9000RFB_FW_PRE "-" __stringify(api) ".ucode"
++      IWL9000RFB_FW_PRE __stringify(api) ".ucode"
+ #define IWL9260A_MODULE_FIRMWARE(api) \
+-      IWL9260A_FW_PRE "-" __stringify(api) ".ucode"
++      IWL9260A_FW_PRE __stringify(api) ".ucode"
+ #define IWL9260B_MODULE_FIRMWARE(api) \
+-      IWL9260B_FW_PRE "-" __stringify(api) ".ucode"
++      IWL9260B_FW_PRE __stringify(api) ".ucode"
+ #define NVM_HW_SECTION_NUM_FAMILY_9000                10
+--- a/drivers/net/wireless/intel/iwlwifi/cfg/a000.c
++++ b/drivers/net/wireless/intel/iwlwifi/cfg/a000.c
+@@ -80,15 +80,15 @@
+ #define IWL_A000_HR_A0_FW_PRE "iwlwifi-QuQnj-a0-hr-a0-"
+ #define IWL_A000_HR_MODULE_FIRMWARE(api) \
+-      IWL_A000_HR_FW_PRE "-" __stringify(api) ".ucode"
++      IWL_A000_HR_FW_PRE __stringify(api) ".ucode"
+ #define IWL_A000_JF_MODULE_FIRMWARE(api) \
+-      IWL_A000_JF_FW_PRE "-" __stringify(api) ".ucode"
++      IWL_A000_JF_FW_PRE __stringify(api) ".ucode"
+ #define IWL_A000_HR_F0_QNJ_MODULE_FIRMWARE(api) \
+-      IWL_A000_HR_F0_FW_PRE "-" __stringify(api) ".ucode"
++      IWL_A000_HR_F0_FW_PRE __stringify(api) ".ucode"
+ #define IWL_A000_JF_B0_QNJ_MODULE_FIRMWARE(api) \
+-      IWL_A000_JF_B0_FW_PRE "-" __stringify(api) ".ucode"
++      IWL_A000_JF_B0_FW_PRE __stringify(api) ".ucode"
+ #define IWL_A000_HR_A0_QNJ_MODULE_FIRMWARE(api) \
+-      IWL_A000_HR_A0_FW_PRE "-" __stringify(api) ".ucode"
++      IWL_A000_HR_A0_FW_PRE __stringify(api) ".ucode"
+ #define NVM_HW_SECTION_NUM_FAMILY_A000                10
diff --git a/queue-4.14/libceph-don-t-warn-if-user-tries-to-add-invalid-key.patch b/queue-4.14/libceph-don-t-warn-if-user-tries-to-add-invalid-key.patch
new file mode 100644 (file)
index 0000000..52101b0
--- /dev/null
@@ -0,0 +1,42 @@
+From b11270853fa3654f08d4a6a03b23ddb220512d8d Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 6 Nov 2017 21:57:26 -0800
+Subject: libceph: don't WARN() if user tries to add invalid key
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit b11270853fa3654f08d4a6a03b23ddb220512d8d upstream.
+
+The WARN_ON(!key->len) in set_secret() in net/ceph/crypto.c is hit if a
+user tries to add a key of type "ceph" with an invalid payload as
+follows (assuming CONFIG_CEPH_LIB=y):
+
+    echo -e -n '\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' \
+       | keyctl padd ceph desc @s
+
+This can be hit by fuzzers.  As this is merely bad input and not a
+kernel bug, replace the WARN_ON() with return -EINVAL.
+
+Fixes: 7af3ea189a9a ("libceph: stop allocating a new cipher on every crypto request")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/crypto.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ceph/crypto.c
++++ b/net/ceph/crypto.c
+@@ -37,7 +37,9 @@ static int set_secret(struct ceph_crypto
+               return -ENOTSUPP;
+       }
+-      WARN_ON(!key->len);
++      if (!key->len)
++              return -EINVAL;
++
+       key->key = kmemdup(buf, key->len, GFP_NOIO);
+       if (!key->key) {
+               ret = -ENOMEM;
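Review bot: The new `if (!key->len) return -EINVAL;` guard in set_secret() has no comment saying that the length comes from a user-supplied key payload, which is the reason the description gives for rejecting it rather than warning. Without that, a later cleanup could turn the check back into an assertion that userspace input can trigger. I would add `/* key->len comes from the user-supplied payload: bad input, not a kernel bug */` above the check. set_secret() starts and ends outside the hunk, so whether an upper bound on key->len is enforced before the kmemdup() cannot be seen from here.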
diff --git a/queue-4.14/lockd-double-unregister-of-inetaddr-notifiers.patch b/queue-4.14/lockd-double-unregister-of-inetaddr-notifiers.patch
new file mode 100644 (file)
index 0000000..676f0f4
--- /dev/null
@@ -0,0 +1,71 @@
+From dc3033e16c59a2c4e62b31341258a5786cbcee56 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Fri, 20 Oct 2017 17:33:18 +0300
+Subject: lockd: double unregister of inetaddr notifiers
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit dc3033e16c59a2c4e62b31341258a5786cbcee56 upstream.
+
+lockd_up() can call lockd_unregister_notifiers twice:
+inside lockd_start_svc() when it calls lockd_svc_exit_thread()
+and then in error path of lockd_up()
+
+Patch forces lockd_start_svc() to unregister notifiers in all error cases
+and removes extra unregister in error path of lockd_up().
+
+Fixes: cb7d224f82e4 "lockd: unregister notifier blocks if the service ..."
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/lockd/svc.c |   20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+--- a/fs/lockd/svc.c
++++ b/fs/lockd/svc.c
+@@ -369,6 +369,7 @@ static int lockd_start_svc(struct svc_se
+               printk(KERN_WARNING
+                       "lockd_up: svc_rqst allocation failed, error=%d\n",
+                       error);
++              lockd_unregister_notifiers();
+               goto out_rqst;
+       }
+@@ -459,13 +460,16 @@ int lockd_up(struct net *net)
+       }
+       error = lockd_up_net(serv, net);
+-      if (error < 0)
+-              goto err_net;
++      if (error < 0) {
++              lockd_unregister_notifiers();
++              goto err_put;
++      }
+       error = lockd_start_svc(serv);
+-      if (error < 0)
+-              goto err_start;
+-
++      if (error < 0) {
++              lockd_down_net(serv, net);
++              goto err_put;
++      }
+       nlmsvc_users++;
+       /*
+        * Note: svc_serv structures have an initial use count of 1,
+@@ -476,12 +480,6 @@ err_put:
+ err_create:
+       mutex_unlock(&nlmsvc_mutex);
+       return error;
+-
+-err_start:
+-      lockd_down_net(serv, net);
+-err_net:
+-      lockd_unregister_notifiers();
+-      goto err_put;
+ }
+ EXPORT_SYMBOL_GPL(lockd_up);
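Review bot: In lockd_up() the failure branch after `lockd_start_svc(serv)` now calls only `lockd_down_net(serv, net)`, so it depends on lockd_start_svc() unregistering the inetaddr notifiers on every one of its own error paths, and nothing in the code states that contract. Only the svc_rqst allocation failure path is visible in the first hunk; the description says the other path goes through lockd_svc_exit_thread(). A comment at the call, for example `/* lockd_start_svc() unregisters the notifiers itself on failure */`, would keep a future error path from leaking the registration and a future caller from unregistering twice. Both functions extend beyond the hunks shown.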
diff --git a/queue-4.14/mailbox-bcm-flexrm-mailbox-fix-flexrm-ring-flush-sequence.patch b/queue-4.14/mailbox-bcm-flexrm-mailbox-fix-flexrm-ring-flush-sequence.patch
new file mode 100644 (file)
index 0000000..b4a1efa
--- /dev/null
@@ -0,0 +1,70 @@
+From a371c10ea4b38a5f120e86d906d404d50a0f4660 Mon Sep 17 00:00:00 2001
+From: Anup Patel <anup.patel@broadcom.com>
+Date: Tue, 3 Oct 2017 10:51:48 +0530
+Subject: mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush sequence
+
+From: Anup Patel <anup.patel@broadcom.com>
+
+commit a371c10ea4b38a5f120e86d906d404d50a0f4660 upstream.
+
+As-per suggestion from FlexRM HW folks, we have to first set
+FlexRM ring flush state and then clear it for FlexRM ring flush
+to work properly.
+
+Currently, the FlexRM driver has incomplete FlexRM ring flush
+sequence which causes repeated insmod+rmmod of mailbox client
+drivers to fail.
+
+This patch fixes FlexRM ring flush sequence in flexrm_shutdown()
+as described above.
+
+Fixes: dbc049eee730 ("mailbox: Add driver for Broadcom FlexRM
+ring manager")
+
+Signed-off-by: Anup Patel <anup.patel@broadcom.com>
+Reviewed-by: Scott Branden <scott.branden@broadcom.com>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mailbox/bcm-flexrm-mailbox.c |   22 +++++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+--- a/drivers/mailbox/bcm-flexrm-mailbox.c
++++ b/drivers/mailbox/bcm-flexrm-mailbox.c
+@@ -1365,8 +1365,8 @@ static void flexrm_shutdown(struct mbox_
+       /* Disable/inactivate ring */
+       writel_relaxed(0x0, ring->regs + RING_CONTROL);
+-      /* Flush ring with timeout of 1s */
+-      timeout = 1000;
++      /* Set ring flush state */
++      timeout = 1000; /* timeout of 1s */
+       writel_relaxed(BIT(CONTROL_FLUSH_SHIFT),
+                       ring->regs + RING_CONTROL);
+       do {
+@@ -1374,7 +1374,23 @@ static void flexrm_shutdown(struct mbox_
+                   FLUSH_DONE_MASK)
+                       break;
+               mdelay(1);
+-      } while (timeout--);
++      } while (--timeout);
++      if (!timeout)
++              dev_err(ring->mbox->dev,
++                      "setting ring%d flush state timedout\n", ring->num);
++
++      /* Clear ring flush state */
++      timeout = 1000; /* timeout of 1s */
++      writel_relaxed(0x0, ring + RING_CONTROL);
++      do {
++              if (!(readl_relaxed(ring + RING_FLUSH_DONE) &
++                    FLUSH_DONE_MASK))
++                      break;
++              mdelay(1);
++      } while (--timeout);
++      if (!timeout)
++              dev_err(ring->mbox->dev,
++                      "clearing ring%d flush state timedout\n", ring->num);
+       /* Abort all in-flight requests */
+       for (reqid = 0; reqid < RING_MAX_REQ_COUNT; reqid++) {
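Review bot: The added "Clear ring flush state" block in flexrm_shutdown() passes `ring + RING_CONTROL` and `ring + RING_FLUSH_DONE` to writel_relaxed() and readl_relaxed(), whereas the set-flush code just above it uses `ring->regs + RING_CONTROL`. As written, the register offset is applied to the ring structure pointer rather than to the register base, so the zero write goes to an address derived from the struct pointer and the poll does not read the ring's flush-done register. The two lines should read `writel_relaxed(0x0, ring->regs + RING_CONTROL);` and `if (!(readl_relaxed(ring->regs + RING_FLUSH_DONE) &`. flexrm_shutdown() starts and ends outside the hunks.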
diff --git a/queue-4.14/md-bitmap-revert-a-patch.patch b/queue-4.14/md-bitmap-revert-a-patch.patch
new file mode 100644 (file)
index 0000000..529b6d1
--- /dev/null
@@ -0,0 +1,42 @@
+From 938b533d479e7428b7fa1b8179283646d2e2c53d Mon Sep 17 00:00:00 2001
+From: Shaohua Li <shli@fb.com>
+Date: Mon, 16 Oct 2017 19:03:44 -0700
+Subject: md/bitmap: revert a patch
+
+From: Shaohua Li <shli@fb.com>
+
+commit 938b533d479e7428b7fa1b8179283646d2e2c53d upstream.
+
+This reverts commit 8031c3ddc70a. That patches doesn't work well if PAGE_SIZE >
+4k. We will fix the original problem with a different approach.
+
+Fix: 8031c3ddc70a(md/bitmap: copy correct data for bitmap super)
+Reported-by: Joshua Kinard <kumba@gentoo.org>
+Suggested-by: Neil Brown <neilb@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bitmap.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/bitmap.c
++++ b/drivers/md/bitmap.c
+@@ -625,7 +625,7 @@ re_read:
+               err = read_sb_page(bitmap->mddev,
+                                  offset,
+                                  sb_page,
+-                                 0, PAGE_SIZE);
++                                 0, sizeof(bitmap_super_t));
+       }
+       if (err)
+               return err;
+@@ -2123,7 +2123,7 @@ int bitmap_resize(struct bitmap *bitmap,
+       if (store.sb_page && bitmap->storage.sb_page)
+               memcpy(page_address(store.sb_page),
+                      page_address(bitmap->storage.sb_page),
+-                     PAGE_SIZE);
++                     sizeof(bitmap_super_t));
+       bitmap_file_unmap(&bitmap->storage);
+       bitmap->storage = store;
diff --git a/queue-4.14/md-don-t-check-md_sb_change_clean-in-md_allow_write.patch b/queue-4.14/md-don-t-check-md_sb_change_clean-in-md_allow_write.patch
new file mode 100644 (file)
index 0000000..7af6301
--- /dev/null
@@ -0,0 +1,57 @@
+From b90f6ff080c52e2f05364210733df120e3c4e597 Mon Sep 17 00:00:00 2001
+From: Artur Paszkiewicz <artur.paszkiewicz@intel.com>
+Date: Thu, 26 Oct 2017 15:56:54 +0200
+Subject: md: don't check MD_SB_CHANGE_CLEAN in md_allow_write
+
+From: Artur Paszkiewicz <artur.paszkiewicz@intel.com>
+
+commit b90f6ff080c52e2f05364210733df120e3c4e597 upstream.
+
+Only MD_SB_CHANGE_PENDING should be used to wait for transition from
+clean to dirty. Checking also MD_SB_CHANGE_CLEAN is unnecessary and can
+race with e.g. md_do_sync(). This sporadically causes a hang when
+changing consistency policy during resync:
+
+INFO: task mdadm:6183 blocked for more than 30 seconds.
+      Not tainted 4.14.0-rc3+ #391
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+mdadm           D12752  6183   6022 0x00000000
+Call Trace:
+ __schedule+0x93f/0x990
+ schedule+0x6b/0x90
+ md_allow_write+0x100/0x130 [md_mod]
+ ? do_wait_intr_irq+0x90/0x90
+ resize_stripes+0x3a/0x5b0 [raid456]
+ ? kernfs_fop_write+0xbe/0x180
+ raid5_change_consistency_policy+0xa6/0x200 [raid456]
+ consistency_policy_store+0x2e/0x70 [md_mod]
+ md_attr_store+0x90/0xc0 [md_mod]
+ sysfs_kf_write+0x42/0x50
+ kernfs_fop_write+0x119/0x180
+ __vfs_write+0x28/0x110
+ ? rcu_sync_lockdep_assert+0x12/0x60
+ ? __sb_start_write+0x15a/0x1c0
+ ? vfs_write+0xa3/0x1a0
+ vfs_write+0xb4/0x1a0
+ SyS_write+0x49/0xa0
+ entry_SYSCALL_64_fastpath+0x18/0xad
+
+Fixes: 2214c260c72b ("md: don't return -EAGAIN in md_allow_write for external metadata arrays")
+Signed-off-by: Artur Paszkiewicz <artur.paszkiewicz@intel.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/md.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -8111,7 +8111,6 @@ void md_allow_write(struct mddev *mddev)
+               sysfs_notify_dirent_safe(mddev->sysfs_state);
+               /* wait for the dirty state to be recorded in the metadata */
+               wait_event(mddev->sb_wait,
+-                         !test_bit(MD_SB_CHANGE_CLEAN, &mddev->sb_flags) &&
+                          !test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags));
+       } else
+               spin_unlock(&mddev->lock);
diff --git a/queue-4.14/md-fix-deadlock-error-in-recent-patch.patch b/queue-4.14/md-fix-deadlock-error-in-recent-patch.patch
new file mode 100644 (file)
index 0000000..ce40d47
--- /dev/null
@@ -0,0 +1,39 @@
+From d47c8ad261f787af22a220ffcc2d07afba809223 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Thu, 5 Oct 2017 16:23:16 +1100
+Subject: md: fix deadlock error in recent patch.
+
+From: NeilBrown <neilb@suse.com>
+
+commit d47c8ad261f787af22a220ffcc2d07afba809223 upstream.
+
+A recent patch aimed to cause md_write_start() to fail (rather than
+block) when the mddev was suspending, so as to avoid deadlocks.
+Unfortunately the test in wait_event() was wrong, and it didn't change
+behaviour at all.
+
+We wait_event() must wait until the metadata is written OR the array is
+suspending.
+
+Fixes: cc27b0c78c79 ("md: fix deadlock between mddev_suspend() and md_write_start()")
+Reported-by: Xiao Ni <xni@redhat.com>
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/md.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -8039,7 +8039,8 @@ bool md_write_start(struct mddev *mddev,
+       if (did_change)
+               sysfs_notify_dirent_safe(mddev->sysfs_state);
+       wait_event(mddev->sb_wait,
+-                 !test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags) && !mddev->suspended);
++                 !test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags) ||
++                 mddev->suspended);
+       if (test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags)) {
+               percpu_ref_put(&mddev->writes_pending);
+               return false;
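Review bot: The corrected wait_event() condition in md_write_start() has two separate wake reasons, and nothing says that the `test_bit(MD_SB_CHANGE_PENDING, ...)` re-check right after it is what tells them apart. The description says the previous condition was wrong in exactly this respect, so a comment above the wait would help: `/* wait until the metadata is written or the array is suspending; the PENDING re-check below fails the write in the latter case */`. The function body continues outside the hunk.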
diff --git a/queue-4.14/mfd-lpc_ich-avoton-rangeley-uses-spi_byt-method.patch b/queue-4.14/mfd-lpc_ich-avoton-rangeley-uses-spi_byt-method.patch
new file mode 100644 (file)
index 0000000..09a0755
--- /dev/null
@@ -0,0 +1,31 @@
+From 07d70913dce59f3c8e5d0ca76250861158a9ca6c Mon Sep 17 00:00:00 2001
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Date: Wed, 11 Oct 2017 12:40:55 +0200
+Subject: mfd: lpc_ich: Avoton/Rangeley uses SPI_BYT method
+
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+
+commit 07d70913dce59f3c8e5d0ca76250861158a9ca6c upstream.
+
+Avoton/Rangeley are based on Silvermount micro-architecture, like
+Bay Trail, and uses the INTEL_SPI_BYT method to drive SPI.
+
+Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/lpc_ich.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mfd/lpc_ich.c
++++ b/drivers/mfd/lpc_ich.c
+@@ -522,6 +522,7 @@ static struct lpc_ich_info lpc_chipset_i
+               .name = "Avoton SoC",
+               .iTCO_version = 3,
+               .gpio_version = AVOTON_GPIO,
++              .spi_type = INTEL_SPI_BYT,
+       },
+       [LPC_BAYTRAIL] = {
+               .name = "Bay Trail SoC",
diff --git a/queue-4.14/mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch b/queue-4.14/mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch
new file mode 100644 (file)
index 0000000..8999c7b
--- /dev/null
@@ -0,0 +1,39 @@
+From 56a46acf62af5ba44fca2f3f1c7c25a2d5385b19 Mon Sep 17 00:00:00 2001
+From: Mirko Parthey <mirko.parthey@web.de>
+Date: Thu, 18 May 2017 21:30:03 +0200
+Subject: MIPS: BCM47XX: Fix LED inversion for WRT54GSv1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mirko Parthey <mirko.parthey@web.de>
+
+commit 56a46acf62af5ba44fca2f3f1c7c25a2d5385b19 upstream.
+
+The WLAN LED on the Linksys WRT54GSv1 is active low, but the software
+treats it as active high. Fix the inverted logic.
+
+Fixes: 7bb26b169116 ("MIPS: BCM47xx: Fix LEDs on WRT54GS V1.0")
+Signed-off-by: Mirko Parthey <mirko.parthey@web.de>
+Looks-ok-by: RafaÅ‚ MiÅ‚ecki <zajec5@gmail.com>
+Cc: Hauke Mehrtens <hauke@hauke-m.de>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16071/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/bcm47xx/leds.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/bcm47xx/leds.c
++++ b/arch/mips/bcm47xx/leds.c
+@@ -331,7 +331,7 @@ bcm47xx_leds_linksys_wrt54g3gv2[] __init
+ /* Verified on: WRT54GS V1.0 */
+ static const struct gpio_led
+ bcm47xx_leds_linksys_wrt54g_type_0101[] __initconst = {
+-      BCM47XX_GPIO_LED(0, "green", "wlan", 0, LEDS_GPIO_DEFSTATE_OFF),
++      BCM47XX_GPIO_LED(0, "green", "wlan", 1, LEDS_GPIO_DEFSTATE_OFF),
+       BCM47XX_GPIO_LED(1, "green", "power", 0, LEDS_GPIO_DEFSTATE_ON),
+       BCM47XX_GPIO_LED(7, "green", "dmz", 1, LEDS_GPIO_DEFSTATE_OFF),
+ };
diff --git a/queue-4.14/mips-dts-remove-bogus-bcm96358nb4ser.dtb-from-dtb-y-entry.patch b/queue-4.14/mips-dts-remove-bogus-bcm96358nb4ser.dtb-from-dtb-y-entry.patch
new file mode 100644 (file)
index 0000000..cfccc4b
--- /dev/null
@@ -0,0 +1,32 @@
+From 3cad14d56adbf7d621fc5a35db42f3acc0a2d6e8 Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Sun, 5 Nov 2017 14:30:52 +0900
+Subject: MIPS: dts: remove bogus bcm96358nb4ser.dtb from dtb-y entry
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+commit 3cad14d56adbf7d621fc5a35db42f3acc0a2d6e8 upstream.
+
+arch/mips/boot/dts/brcm/bcm96358nb4ser.dts does not exist, so
+we cannot build bcm96358nb4ser.dtb .
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Fixes: 695835511f96 ("MIPS: BMIPS: rename bcm96358nb4ser to bcm6358-neufbox4-sercom")
+Acked-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/boot/dts/brcm/Makefile |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/mips/boot/dts/brcm/Makefile
++++ b/arch/mips/boot/dts/brcm/Makefile
+@@ -23,7 +23,6 @@ dtb-$(CONFIG_DT_NONE) += \
+       bcm63268-comtrend-vr-3032u.dtb \
+       bcm93384wvg.dtb \
+       bcm93384wvg_viper.dtb \
+-      bcm96358nb4ser.dtb \
+       bcm96368mvwg.dtb \
+       bcm9ejtagprb.dtb \
+       bcm97125cbmb.dtb \
diff --git a/queue-4.14/mips-fix-an-n32-core-file-generation-regset-support-regression.patch b/queue-4.14/mips-fix-an-n32-core-file-generation-regset-support-regression.patch
new file mode 100644 (file)
index 0000000..373d7bb
--- /dev/null
@@ -0,0 +1,83 @@
+From 547da673173de51f73887377eb275304775064ad Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@mips.com>
+Date: Tue, 7 Nov 2017 19:09:20 +0000
+Subject: MIPS: Fix an n32 core file generation regset support regression
+
+From: Maciej W. Rozycki <macro@mips.com>
+
+commit 547da673173de51f73887377eb275304775064ad upstream.
+
+Fix a commit 7aeb753b5353 ("MIPS: Implement task_user_regset_view.")
+regression, then activated by commit 6a9c001b7ec3 ("MIPS: Switch ELF
+core dumper to use regsets.)", that caused n32 processes to dump o32
+core files by failing to set the EF_MIPS_ABI2 flag in the ELF core file
+header's `e_flags' member:
+
+$ file tls-core
+tls-core: ELF 32-bit MSB executable, MIPS, N32 MIPS64 rel2 version 1 (SYSV), [...]
+$ ./tls-core
+Aborted (core dumped)
+$ file core
+core: ELF 32-bit MSB core file MIPS, MIPS-I version 1 (SYSV), SVR4-style
+$
+
+Previously the flag was set as the result of a:
+
+statement placed in arch/mips/kernel/binfmt_elfn32.c, however in the
+regset case, i.e. when CORE_DUMP_USE_REGSET is set, ELF_CORE_EFLAGS is
+no longer used by `fill_note_info' in fs/binfmt_elf.c, and instead the
+`->e_flags' member of the regset view chosen is.  We have the views
+defined in arch/mips/kernel/ptrace.c, however only an o32 and an n64
+one, and the latter is used for n32 as well.  Consequently an o32 core
+file is incorrectly dumped from n32 processes (the ELF32 vs ELF64 class
+is chosen elsewhere, and the 32-bit one is correctly selected for n32).
+
+Correct the issue then by defining an n32 regset view and using it as
+appropriate.  Issue discovered in GDB testing.
+
+Fixes: 7aeb753b5353 ("MIPS: Implement task_user_regset_view.")
+Signed-off-by: Maciej W. Rozycki <macro@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Djordje Todorovic <djordje.todorovic@rt-rk.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/17617/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/ptrace.c |   17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -618,6 +618,19 @@ static const struct user_regset_view use
+       .n              = ARRAY_SIZE(mips64_regsets),
+ };
++#ifdef CONFIG_MIPS32_N32
++
++static const struct user_regset_view user_mipsn32_view = {
++      .name           = "mipsn32",
++      .e_flags        = EF_MIPS_ABI2,
++      .e_machine      = ELF_ARCH,
++      .ei_osabi       = ELF_OSABI,
++      .regsets        = mips64_regsets,
++      .n              = ARRAY_SIZE(mips64_regsets),
++};
++
++#endif /* CONFIG_MIPS32_N32 */
++
+ #endif /* CONFIG_64BIT */
+ const struct user_regset_view *task_user_regset_view(struct task_struct *task)
+@@ -629,6 +642,10 @@ const struct user_regset_view *task_user
+       if (test_tsk_thread_flag(task, TIF_32BIT_REGS))
+               return &user_mips_view;
+ #endif
++#ifdef CONFIG_MIPS32_N32
++      if (test_tsk_thread_flag(task, TIF_32BIT_ADDR))
++              return &user_mipsn32_view;
++#endif
+       return &user_mips64_view;
+ #endif
+ }
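Review bot: The new `TIF_32BIT_ADDR` test in task_user_regset_view() only gives the right view if it stays after the `TIF_32BIT_REGS` test, assuming o32 tasks also carry TIF_32BIT_ADDR; the hunk does not show that, but it seems likely. A comment would pin the ordering: `/* keep after the TIF_32BIT_REGS test; o32 tasks presumably set TIF_32BIT_ADDR too */`. The `#ifdef` lines that open the function body and the o32 test are outside the hunk.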
diff --git a/queue-4.14/mips-fix-mips64-fp-save-restore-on-32-bit-kernels.patch b/queue-4.14/mips-fix-mips64-fp-save-restore-on-32-bit-kernels.patch
new file mode 100644 (file)
index 0000000..004ac30
--- /dev/null
@@ -0,0 +1,123 @@
+From 22b8ba765a726d90e9830ff6134c32b04f12c10f Mon Sep 17 00:00:00 2001
+From: James Hogan <jhogan@kernel.org>
+Date: Mon, 3 Jul 2017 23:41:47 +0100
+Subject: MIPS: Fix MIPS64 FP save/restore on 32-bit kernels
+
+From: James Hogan <jhogan@kernel.org>
+
+commit 22b8ba765a726d90e9830ff6134c32b04f12c10f upstream.
+
+32-bit kernels can be configured to support MIPS64, in which case
+neither CONFIG_64BIT or CONFIG_CPU_MIPS32_R* will be set. This causes
+the CP0_Status.FR checks at the point of floating point register save
+and restore to be compiled out, which results in odd FP registers not
+being saved or restored to the task or signal context even when
+CP0_Status.FR is set.
+
+Fix the ifdefs to use CONFIG_CPU_MIPSR2 and CONFIG_CPU_MIPSR6, which are
+enabled for the relevant revisions of either MIPS32 or MIPS64, along
+with some other CPUs such as Octeon (r2), Loongson1 (r2), XLP (r2),
+Loongson 3A R2.
+
+The suspect code originates from commit 597ce1723e0f ("MIPS: Support for
+64-bit FP with O32 binaries") in v3.14, however the code in
+__enable_fpu() was consistent and refused to set FR=1, falling back to
+software FPU emulation. This was suboptimal but should be functionally
+correct.
+
+Commit fcc53b5f6c38 ("MIPS: fpu.h: Allow 64-bit FPU on a 64-bit MIPS R6
+CPU") in v4.2 (and stable tagged back to 4.0) later introduced the bug
+by updating __enable_fpu() to set FR=1 but failing to update the other
+similar ifdefs to enable FR=1 state handling.
+
+Fixes: fcc53b5f6c38 ("MIPS: fpu.h: Allow 64-bit FPU on a 64-bit MIPS R6 CPU")
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Paul Burton <paul.burton@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16739/
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/asmmacro.h |    8 ++++----
+ arch/mips/kernel/r4k_fpu.S       |   20 ++++++++++----------
+ 2 files changed, 14 insertions(+), 14 deletions(-)
+
+--- a/arch/mips/include/asm/asmmacro.h
++++ b/arch/mips/include/asm/asmmacro.h
+@@ -130,8 +130,8 @@
+       .endm
+       .macro  fpu_save_double thread status tmp
+-#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPS32_R2) || \
+-              defined(CONFIG_CPU_MIPS32_R6)
++#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPSR2) || \
++              defined(CONFIG_CPU_MIPSR6)
+       sll     \tmp, \status, 5
+       bgez    \tmp, 10f
+       fpu_save_16odd \thread
+@@ -189,8 +189,8 @@
+       .endm
+       .macro  fpu_restore_double thread status tmp
+-#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPS32_R2) || \
+-              defined(CONFIG_CPU_MIPS32_R6)
++#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPSR2) || \
++              defined(CONFIG_CPU_MIPSR6)
+       sll     \tmp, \status, 5
+       bgez    \tmp, 10f                               # 16 register mode?
+--- a/arch/mips/kernel/r4k_fpu.S
++++ b/arch/mips/kernel/r4k_fpu.S
+@@ -40,8 +40,8 @@
+  */
+ LEAF(_save_fp)
+ EXPORT_SYMBOL(_save_fp)
+-#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPS32_R2) || \
+-              defined(CONFIG_CPU_MIPS32_R6)
++#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPSR2) || \
++              defined(CONFIG_CPU_MIPSR6)
+       mfc0    t0, CP0_STATUS
+ #endif
+       fpu_save_double a0 t0 t1                # clobbers t1
+@@ -52,8 +52,8 @@ EXPORT_SYMBOL(_save_fp)
+  * Restore a thread's fp context.
+  */
+ LEAF(_restore_fp)
+-#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPS32_R2) || \
+-              defined(CONFIG_CPU_MIPS32_R6)
++#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPSR2) || \
++              defined(CONFIG_CPU_MIPSR6)
+       mfc0    t0, CP0_STATUS
+ #endif
+       fpu_restore_double a0 t0 t1             # clobbers t1
+@@ -246,11 +246,11 @@ LEAF(_save_fp_context)
+       cfc1    t1, fcr31
+       .set    pop
+-#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPS32_R2) || \
+-              defined(CONFIG_CPU_MIPS32_R6)
++#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPSR2) || \
++              defined(CONFIG_CPU_MIPSR6)
+       .set    push
+       SET_HARDFLOAT
+-#ifdef CONFIG_CPU_MIPS32_R2
++#ifdef CONFIG_CPU_MIPSR2
+       .set    mips32r2
+       .set    fp=64
+       mfc0    t0, CP0_STATUS
+@@ -314,11 +314,11 @@ LEAF(_save_fp_context)
+ LEAF(_restore_fp_context)
+       EX      lw t1, 0(a1)
+-#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPS32_R2)  || \
+-              defined(CONFIG_CPU_MIPS32_R6)
++#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPSR2)  || \
++              defined(CONFIG_CPU_MIPSR6)
+       .set    push
+       SET_HARDFLOAT
+-#ifdef CONFIG_CPU_MIPS32_R2
++#ifdef CONFIG_CPU_MIPSR2
+       .set    mips32r2
+       .set    fp=64
+       mfc0    t0, CP0_STATUS
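Review bot: The condition `defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPSR2) || defined(CONFIG_CPU_MIPSR6)` is now spelled out six times across asmmacro.h and r4k_fpu.S. The description attributes the original bug to these copies not being updated together with __enable_fpu(). Evaluating the condition once in asmmacro.h under a single name (the name is a suggestion, e.g. `MIPS_FPU_FR_AWARE`) and testing that name at each site would keep them from drifting apart again. The bodies of _save_fp_context and _restore_fp_context continue outside the hunks.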
diff --git a/queue-4.14/mips-fix-odd-fp-register-warnings-with-mips64r2.patch b/queue-4.14/mips-fix-odd-fp-register-warnings-with-mips64r2.patch
new file mode 100644 (file)
index 0000000..f4b47c4
--- /dev/null
@@ -0,0 +1,79 @@
+From c7fd89a6407ea3a44a2a2fa12d290162c42499c4 Mon Sep 17 00:00:00 2001
+From: James Hogan <jhogan@kernel.org>
+Date: Fri, 10 Nov 2017 11:46:54 +0000
+Subject: MIPS: Fix odd fp register warnings with MIPS64r2
+
+From: James Hogan <jhogan@kernel.org>
+
+commit c7fd89a6407ea3a44a2a2fa12d290162c42499c4 upstream.
+
+Building 32-bit MIPS64r2 kernels produces warnings like the following
+on certain toolchains (such as GNU assembler 2.24.90, but not GNU
+assembler 2.28.51) since commit 22b8ba765a72 ("MIPS: Fix MIPS64 FP
+save/restore on 32-bit kernels"), due to the exposure of fpu_save_16odd
+from fpu_save_double and fpu_restore_16odd from fpu_restore_double:
+
+arch/mips/kernel/r4k_fpu.S:47: Warning: float register should be even, was 1
+...
+arch/mips/kernel/r4k_fpu.S:59: Warning: float register should be even, was 1
+...
+
+This appears to be because .set mips64r2 does not change the FPU ABI to
+64-bit when -march=mips64r2 (or e.g. -march=xlp) is provided on the
+command line on that toolchain, from the default FPU ABI of 32-bit due
+to the -mabi=32. This makes access to the odd FPU registers invalid.
+
+Fix by explicitly changing the FPU ABI with .set fp=64 directives in
+fpu_save_16odd and fpu_restore_16odd, and moving the undefine of fp up
+in asmmacro.h so fp doesn't turn into $30.
+
+Fixes: 22b8ba765a72 ("MIPS: Fix MIPS64 FP save/restore on 32-bit kernels")
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Paul Burton <paul.burton@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/17656/
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/asmmacro.h |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/arch/mips/include/asm/asmmacro.h
++++ b/arch/mips/include/asm/asmmacro.h
+@@ -19,6 +19,9 @@
+ #include <asm/asmmacro-64.h>
+ #endif
++/* preprocessor replaces the fp in ".set fp=64" with $30 otherwise */
++#undef fp
++
+ /*
+  * Helper macros for generating raw instruction encodings.
+  */
+@@ -105,6 +108,7 @@
+       .macro  fpu_save_16odd thread
+       .set    push
+       .set    mips64r2
++      .set    fp=64
+       SET_HARDFLOAT
+       sdc1    $f1,  THREAD_FPR1(\thread)
+       sdc1    $f3,  THREAD_FPR3(\thread)
+@@ -163,6 +167,7 @@
+       .macro  fpu_restore_16odd thread
+       .set    push
+       .set    mips64r2
++      .set    fp=64
+       SET_HARDFLOAT
+       ldc1    $f1,  THREAD_FPR1(\thread)
+       ldc1    $f3,  THREAD_FPR3(\thread)
+@@ -234,9 +239,6 @@
+       .endm
+ #ifdef TOOLCHAIN_SUPPORTS_MSA
+-/* preprocessor replaces the fp in ".set fp=64" with $30 otherwise */
+-#undef fp
+-
+       .macro  _cfcmsa rd, cs
+       .set    push
+       .set    mips32r2
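Review bot: Moving `#undef fp` to the top of asmmacro.h makes it unconditional, whereas before it applied only under `TOOLCHAIN_SUPPORTS_MSA`. Every file that includes this header now loses the preprocessor `fp` alias from that point on. The existing comment only explains why `.set fp=64` needs the undefine. I would extend it to `/* preprocessor replaces the fp in ".set fp=64" with $30 otherwise; this drops the fp alias for all includers */` and confirm that no includer uses `fp` as a register name afterwards.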
diff --git a/queue-4.14/mips-math-emu-fix-final-emulation-phase-for-certain-instructions.patch b/queue-4.14/mips-math-emu-fix-final-emulation-phase-for-certain-instructions.patch
new file mode 100644 (file)
index 0000000..07b07da
--- /dev/null
@@ -0,0 +1,179 @@
+From 409fcace9963c1e8d2cb0f7ac62e8b34d47ef979 Mon Sep 17 00:00:00 2001
+From: Aleksandar Markovic <aleksandar.markovic@mips.com>
+Date: Thu, 2 Nov 2017 12:13:58 +0100
+Subject: MIPS: math-emu: Fix final emulation phase for certain instructions
+
+From: Aleksandar Markovic <aleksandar.markovic@mips.com>
+
+commit 409fcace9963c1e8d2cb0f7ac62e8b34d47ef979 upstream.
+
+Fix final phase of <CLASS|MADDF|MSUBF|MAX|MIN|MAXA|MINA>.<D|S>
+emulation. Provide proper generation of SIGFPE signal and updating
+debugfs FP exception stats in cases of any exception flags set in
+preceding phases of emulation.
+
+CLASS.<D|S> instruction may generate "Unimplemented Operation" FP
+exception. <MADDF|MSUBF>.<D|S> instructions may generate "Inexact",
+"Unimplemented Operation", "Invalid Operation", "Overflow", and
+"Underflow" FP exceptions. <MAX|MIN|MAXA|MINA>.<D|S> instructions
+can generate "Unimplemented Operation" and "Invalid Operation" FP
+exceptions.
+
+The proper final processing of the cases when any FP exception
+flag is set is achieved by replacing "break" statement with "goto
+copcsr" statement. With such solution, this patch brings the final
+phase of emulation of the above instructions consistent with the
+one corresponding to the previously implemented emulation of other
+related FPU instructions (ADD, SUB, etc.).
+
+Fixes: 38db37ba069f ("MIPS: math-emu: Add support for the MIPS R6 CLASS FPU instruction")
+Fixes: e24c3bec3e8e ("MIPS: math-emu: Add support for the MIPS R6 MADDF FPU instruction")
+Fixes: 83d43305a1df ("MIPS: math-emu: Add support for the MIPS R6 MSUBF FPU instruction")
+Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU instruction")
+Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU instruction")
+Signed-off-by: Aleksandar Markovic <aleksandar.markovic@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Douglas Leung <douglas.leung@mips.com>
+Cc: Goran Ferenc <goran.ferenc@mips.com>
+Cc: "Maciej W. Rozycki" <macro@imgtec.com>
+Cc: Miodrag Dinic <miodrag.dinic@mips.com>
+Cc: Paul Burton <paul.burton@mips.com>
+Cc: Petar Jovanovic <petar.jovanovic@mips.com>
+Cc: Raghu Gandham <raghu.gandham@mips.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/17581/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/math-emu/cp1emu.c |   28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+--- a/arch/mips/math-emu/cp1emu.c
++++ b/arch/mips/math-emu/cp1emu.c
+@@ -1795,7 +1795,7 @@ static int fpu_emu(struct pt_regs *xcp,
+                       SPFROMREG(fs, MIPSInst_FS(ir));
+                       SPFROMREG(fd, MIPSInst_FD(ir));
+                       rv.s = ieee754sp_maddf(fd, fs, ft);
+-                      break;
++                      goto copcsr;
+               }
+               case fmsubf_op: {
+@@ -1809,7 +1809,7 @@ static int fpu_emu(struct pt_regs *xcp,
+                       SPFROMREG(fs, MIPSInst_FS(ir));
+                       SPFROMREG(fd, MIPSInst_FD(ir));
+                       rv.s = ieee754sp_msubf(fd, fs, ft);
+-                      break;
++                      goto copcsr;
+               }
+               case frint_op: {
+@@ -1834,7 +1834,7 @@ static int fpu_emu(struct pt_regs *xcp,
+                       SPFROMREG(fs, MIPSInst_FS(ir));
+                       rv.w = ieee754sp_2008class(fs);
+                       rfmt = w_fmt;
+-                      break;
++                      goto copcsr;
+               }
+               case fmin_op: {
+@@ -1847,7 +1847,7 @@ static int fpu_emu(struct pt_regs *xcp,
+                       SPFROMREG(ft, MIPSInst_FT(ir));
+                       SPFROMREG(fs, MIPSInst_FS(ir));
+                       rv.s = ieee754sp_fmin(fs, ft);
+-                      break;
++                      goto copcsr;
+               }
+               case fmina_op: {
+@@ -1860,7 +1860,7 @@ static int fpu_emu(struct pt_regs *xcp,
+                       SPFROMREG(ft, MIPSInst_FT(ir));
+                       SPFROMREG(fs, MIPSInst_FS(ir));
+                       rv.s = ieee754sp_fmina(fs, ft);
+-                      break;
++                      goto copcsr;
+               }
+               case fmax_op: {
+@@ -1873,7 +1873,7 @@ static int fpu_emu(struct pt_regs *xcp,
+                       SPFROMREG(ft, MIPSInst_FT(ir));
+                       SPFROMREG(fs, MIPSInst_FS(ir));
+                       rv.s = ieee754sp_fmax(fs, ft);
+-                      break;
++                      goto copcsr;
+               }
+               case fmaxa_op: {
+@@ -1886,7 +1886,7 @@ static int fpu_emu(struct pt_regs *xcp,
+                       SPFROMREG(ft, MIPSInst_FT(ir));
+                       SPFROMREG(fs, MIPSInst_FS(ir));
+                       rv.s = ieee754sp_fmaxa(fs, ft);
+-                      break;
++                      goto copcsr;
+               }
+               case fabs_op:
+@@ -2165,7 +2165,7 @@ copcsr:
+                       DPFROMREG(fs, MIPSInst_FS(ir));
+                       DPFROMREG(fd, MIPSInst_FD(ir));
+                       rv.d = ieee754dp_maddf(fd, fs, ft);
+-                      break;
++                      goto copcsr;
+               }
+               case fmsubf_op: {
+@@ -2179,7 +2179,7 @@ copcsr:
+                       DPFROMREG(fs, MIPSInst_FS(ir));
+                       DPFROMREG(fd, MIPSInst_FD(ir));
+                       rv.d = ieee754dp_msubf(fd, fs, ft);
+-                      break;
++                      goto copcsr;
+               }
+               case frint_op: {
+@@ -2204,7 +2204,7 @@ copcsr:
+                       DPFROMREG(fs, MIPSInst_FS(ir));
+                       rv.l = ieee754dp_2008class(fs);
+                       rfmt = l_fmt;
+-                      break;
++                      goto copcsr;
+               }
+               case fmin_op: {
+@@ -2217,7 +2217,7 @@ copcsr:
+                       DPFROMREG(ft, MIPSInst_FT(ir));
+                       DPFROMREG(fs, MIPSInst_FS(ir));
+                       rv.d = ieee754dp_fmin(fs, ft);
+-                      break;
++                      goto copcsr;
+               }
+               case fmina_op: {
+@@ -2230,7 +2230,7 @@ copcsr:
+                       DPFROMREG(ft, MIPSInst_FT(ir));
+                       DPFROMREG(fs, MIPSInst_FS(ir));
+                       rv.d = ieee754dp_fmina(fs, ft);
+-                      break;
++                      goto copcsr;
+               }
+               case fmax_op: {
+@@ -2243,7 +2243,7 @@ copcsr:
+                       DPFROMREG(ft, MIPSInst_FT(ir));
+                       DPFROMREG(fs, MIPSInst_FS(ir));
+                       rv.d = ieee754dp_fmax(fs, ft);
+-                      break;
++                      goto copcsr;
+               }
+               case fmaxa_op: {
+@@ -2256,7 +2256,7 @@ copcsr:
+                       DPFROMREG(ft, MIPSInst_FT(ir));
+                       DPFROMREG(fs, MIPSInst_FS(ir));
+                       rv.d = ieee754dp_fmaxa(fs, ft);
+-                      break;
++                      goto copcsr;
+               }
+               case fabs_op:
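Review bot: None of the fourteen `goto copcsr` exits says why these cases must not leave through `break`, so a case added later beside them could repeat the original mistake. A one-line comment at the first of them would record the rule, for example `/* goto copcsr: signal SIGFPE and update FP exception stats if any flag was set */`. The `frint_op` cases appear only as context in both the single- and double-precision halves, so their exit is not visible here; it is worth confirming that they also end at `copcsr`. The body of `fpu_emu` starts and ends outside every hunk shown.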
diff --git a/queue-4.14/mips-pci-remove-kern_warn-instance-inside-the-mt7620-driver.patch b/queue-4.14/mips-pci-remove-kern_warn-instance-inside-the-mt7620-driver.patch
new file mode 100644 (file)
index 0000000..b23e598
--- /dev/null
@@ -0,0 +1,34 @@
+From 8593b18ad348733b5d5ddfa0c79dcabf51dff308 Mon Sep 17 00:00:00 2001
+From: John Crispin <john@phrozen.org>
+Date: Mon, 20 Feb 2017 10:29:43 +0100
+Subject: MIPS: pci: Remove KERN_WARN instance inside the mt7620 driver
+
+From: John Crispin <john@phrozen.org>
+
+commit 8593b18ad348733b5d5ddfa0c79dcabf51dff308 upstream.
+
+Switch the printk() call to the prefered pr_warn() api.
+
+Fixes: 7e5873d3755c ("MIPS: pci: Add MT7620a PCIE driver")
+Signed-off-by: John Crispin <john@phrozen.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/15321/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/pci/pci-mt7620.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/pci/pci-mt7620.c
++++ b/arch/mips/pci/pci-mt7620.c
+@@ -121,7 +121,7 @@ static int wait_pciephy_busy(void)
+               else
+                       break;
+               if (retry++ > WAITRETRY_MAX) {
+-                      printk(KERN_WARN "PCIE-PHY retry failed.\n");
++                      pr_warn("PCIE-PHY retry failed.\n");
+                       return -1;
+               }
+       }
diff --git a/queue-4.14/mm-z3fold.c-use-kref-to-prevent-page-free-compact-race.patch b/queue-4.14/mm-z3fold.c-use-kref-to-prevent-page-free-compact-race.patch
new file mode 100644 (file)
index 0000000..5f4ff56
--- /dev/null
@@ -0,0 +1,72 @@
+From 5d03a6613957785e94af7a4a6212ad4af66aa5c2 Mon Sep 17 00:00:00 2001
+From: Vitaly Wool <vitalywool@gmail.com>
+Date: Fri, 17 Nov 2017 15:26:16 -0800
+Subject: mm/z3fold.c: use kref to prevent page free/compact race
+
+From: Vitaly Wool <vitalywool@gmail.com>
+
+commit 5d03a6613957785e94af7a4a6212ad4af66aa5c2 upstream.
+
+There is a race in the current z3fold implementation between
+do_compact() called in a work queue context and the page release
+procedure when page's kref goes to 0.
+
+do_compact() may be waiting for page lock, which is released by
+release_z3fold_page_locked right before putting the page onto the
+"stale" list, and then the page may be freed as do_compact() modifies
+its contents.
+
+The mechanism currently implemented to handle that (checking the
+PAGE_STALE flag) is not reliable enough.  Instead, we'll use page's kref
+counter to guarantee that the page is not released if its compaction is
+scheduled.  It then becomes compaction function's responsibility to
+decrease the counter and quit immediately if the page was actually
+freed.
+
+Link: http://lkml.kernel.org/r/20171117092032.00ea56f42affbed19f4fcc6c@gmail.com
+Signed-off-by: Vitaly Wool <vitaly.wool@sonymobile.com>
+Cc: <Oleksiy.Avramchenko@sony.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/z3fold.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/mm/z3fold.c
++++ b/mm/z3fold.c
+@@ -404,8 +404,7 @@ static void do_compact_page(struct z3fol
+               WARN_ON(z3fold_page_trylock(zhdr));
+       else
+               z3fold_page_lock(zhdr);
+-      if (test_bit(PAGE_STALE, &page->private) ||
+-          !test_and_clear_bit(NEEDS_COMPACTING, &page->private)) {
++      if (WARN_ON(!test_and_clear_bit(NEEDS_COMPACTING, &page->private))) {
+               z3fold_page_unlock(zhdr);
+               return;
+       }
+@@ -413,6 +412,11 @@ static void do_compact_page(struct z3fol
+       list_del_init(&zhdr->buddy);
+       spin_unlock(&pool->lock);
++      if (kref_put(&zhdr->refcount, release_z3fold_page_locked)) {
++              atomic64_dec(&pool->pages_nr);
++              return;
++      }
++
+       z3fold_compact_page(zhdr);
+       unbuddied = get_cpu_ptr(pool->unbuddied);
+       fchunks = num_free_chunks(zhdr);
+@@ -753,9 +757,11 @@ static void z3fold_free(struct z3fold_po
+               list_del_init(&zhdr->buddy);
+               spin_unlock(&pool->lock);
+               zhdr->cpu = -1;
++              kref_get(&zhdr->refcount);
+               do_compact_page(zhdr, true);
+               return;
+       }
++      kref_get(&zhdr->refcount);
+       queue_work_on(zhdr->cpu, pool->compact_wq, &zhdr->work);
+       z3fold_page_unlock(zhdr);
+ }
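Review bot: The early return under `WARN_ON(!test_and_clear_bit(NEEDS_COMPACTING, &page->private))` in `do_compact_page` leaves without the `kref_put()` that the normal path now performs. If that warning ever fires, the reference taken by `kref_get()` in `z3fold_free` would stay held and the page could never be released. This presumably cannot happen while every `kref_get()` is paired with setting NEEDS_COMPACTING, but that pairing lies outside the hunks. A comment at the put would make the invariant explicit, for example `/* drops the reference z3fold_free() took when it scheduled compaction */`. Both functions begin and end outside the hunks shown.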
diff --git a/queue-4.14/mtd-avoid-probe-failures-when-mtd-dbg.dfs_dir-is-invalid.patch b/queue-4.14/mtd-avoid-probe-failures-when-mtd-dbg.dfs_dir-is-invalid.patch
new file mode 100644 (file)
index 0000000..b55c0c4
--- /dev/null
@@ -0,0 +1,81 @@
+From 1530578abdac4edce9244c7a1962ded3ffdb58ce Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+Date: Sat, 11 Nov 2017 16:08:34 +0100
+Subject: mtd: Avoid probe failures when mtd->dbg.dfs_dir is invalid
+
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+
+commit 1530578abdac4edce9244c7a1962ded3ffdb58ce upstream.
+
+Commit e8e3edb95ce6 ("mtd: create per-device and module-scope debugfs
+entries") tried to make MTD related debugfs stuff consistent across the
+MTD framework by creating a root <debugfs>/mtd/ directory containing
+one directory per MTD device.
+
+The problem is that, by default, the MTD layer only registers the
+master device if no partitions are defined for this master. This
+behavior breaks all drivers that expect mtd->dbg.dfs_dir to be filled
+correctly after calling mtd_device_register() in order to add their own
+debugfs entries.
+
+The only way we can force all MTD masters to be registered no matter if
+they expose partitions or not is by enabling the
+CONFIG_MTD_PARTITIONED_MASTER option.
+
+In such situations, there's no other solution but to accept skipping
+debugfs initialization when dbg.dfs_dir is invalid, and when this
+happens, inform the user that he should consider enabling
+CONFIG_MTD_PARTITIONED_MASTER.
+
+Fixes: e8e3edb95ce6 ("mtd: create per-device and module-scope debugfs entries")
+Cc: Mario J. Rugiero <mrugiero@gmail.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Reported-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/devices/docg3.c |    7 ++++++-
+ drivers/mtd/nand/nandsim.c  |   13 +++++++++----
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+--- a/drivers/mtd/devices/docg3.c
++++ b/drivers/mtd/devices/docg3.c
+@@ -1814,8 +1814,13 @@ static void __init doc_dbg_register(stru
+       struct dentry *root = floor->dbg.dfs_dir;
+       struct docg3 *docg3 = floor->priv;
+-      if (IS_ERR_OR_NULL(root))
++      if (IS_ERR_OR_NULL(root)) {
++              if (IS_ENABLED(CONFIG_DEBUG_FS) &&
++                  !IS_ENABLED(CONFIG_MTD_PARTITIONED_MASTER))
++                      dev_warn(floor->dev.parent,
++                               "CONFIG_MTD_PARTITIONED_MASTER must be enabled to expose debugfs stuff\n");
+               return;
++      }
+       debugfs_create_file("docg3_flashcontrol", S_IRUSR, root, docg3,
+                           &flashcontrol_fops);
+--- a/drivers/mtd/nand/nandsim.c
++++ b/drivers/mtd/nand/nandsim.c
+@@ -520,11 +520,16 @@ static int nandsim_debugfs_create(struct
+       struct dentry *root = nsmtd->dbg.dfs_dir;
+       struct dentry *dent;
+-      if (!IS_ENABLED(CONFIG_DEBUG_FS))
++      /*
++       * Just skip debugfs initialization when the debugfs directory is
++       * missing.
++       */
++      if (IS_ERR_OR_NULL(root)) {
++              if (IS_ENABLED(CONFIG_DEBUG_FS) &&
++                  !IS_ENABLED(CONFIG_MTD_PARTITIONED_MASTER))
++                      NS_WARN("CONFIG_MTD_PARTITIONED_MASTER must be enabled to expose debugfs stuff\n");
+               return 0;
+-
+-      if (IS_ERR_OR_NULL(root))
+-              return -1;
++      }
+       dent = debugfs_create_file("nandsim_wear_report", S_IRUSR,
+                                  root, dev, &dfs_fops);
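Review bot: `nandsim_debugfs_create` now returns 0 for every invalid `root`, where it used to return -1 when debugfs was enabled and the directory was missing. A caller can therefore no longer tell that the wear-report file was not created. The new comment should say this is deliberate, for example `/* Not an error: debugfs entries are optional, so probing must continue. */`. The warning string is also duplicated verbatim in docg3.c and nandsim.c, and "debugfs stuff" is vague; a single shared message naming the missing entries would keep the two drivers in step. Both functions continue outside the hunks.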
diff --git a/queue-4.14/mtd-nand-atmel-actually-use-the-pm-ops.patch b/queue-4.14/mtd-nand-atmel-actually-use-the-pm-ops.patch
new file mode 100644 (file)
index 0000000..7a05a08
--- /dev/null
@@ -0,0 +1,33 @@
+From 1533bfa6f6b6bcca1ea1f172ef4a1c5ce5e7b335 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+Date: Thu, 5 Oct 2017 18:57:24 +0200
+Subject: mtd: nand: atmel: Actually use the PM ops
+
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+
+commit 1533bfa6f6b6bcca1ea1f172ef4a1c5ce5e7b335 upstream.
+
+commit 6e532afaca8e ("mtd: nand: atmel: Add PM ops") was defining PM
+ops but nothing was using/referencing those PM ops.
+
+Fixes: 6e532afaca8e ("mtd: nand: atmel: Add PM ops")
+Cc: Romain Izard <romain.izard.pro@gmail.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Acked-by: Wenyou Yang <wenyou.yang@microchip.com>
+Tested-by: Romain Izard <romain.izard.pro@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/atmel/nand-controller.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mtd/nand/atmel/nand-controller.c
++++ b/drivers/mtd/nand/atmel/nand-controller.c
+@@ -2547,6 +2547,7 @@ static struct platform_driver atmel_nand
+       .driver = {
+               .name = "atmel-nand-controller",
+               .of_match_table = of_match_ptr(atmel_nand_controller_of_ids),
++              .pm = &atmel_nand_controller_pm_ops,
+       },
+       .probe = atmel_nand_controller_probe,
+       .remove = atmel_nand_controller_remove,
diff --git a/queue-4.14/mtd-nand-export-nand_reset-symbol.patch b/queue-4.14/mtd-nand-export-nand_reset-symbol.patch
new file mode 100644 (file)
index 0000000..625b673
--- /dev/null
@@ -0,0 +1,32 @@
+From b9bb98424c51437973b854691aa1e9b2bfd348f5 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+Date: Thu, 5 Oct 2017 18:53:19 +0200
+Subject: mtd: nand: Export nand_reset() symbol
+
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+
+commit b9bb98424c51437973b854691aa1e9b2bfd348f5 upstream.
+
+Commit 6e532afaca8e ("mtd: nand: atmel: Add PM ops") started to use the
+nand_reset() function which was not yet exported by the NAND framework
+(because it was only used internally before that). Export this symbol
+to avoid build errors when the driver is enabled as a module.
+
+Fixes: 6e532afaca8e ("mtd: nand: atmel: Add PM ops")
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/nand_base.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mtd/nand/nand_base.c
++++ b/drivers/mtd/nand/nand_base.c
+@@ -1246,6 +1246,7 @@ int nand_reset(struct nand_chip *chip, i
+       return 0;
+ }
++EXPORT_SYMBOL_GPL(nand_reset);
+ /**
+  * nand_check_erased_buf - check if a buffer contains (almost) only 0xff data
diff --git a/queue-4.14/mtd-nand-fix-writing-mtdoops-to-nand-flash.patch b/queue-4.14/mtd-nand-fix-writing-mtdoops-to-nand-flash.patch
new file mode 100644 (file)
index 0000000..a8b41b8
--- /dev/null
@@ -0,0 +1,50 @@
+From 30863e38ebeb500a31cecee8096fb5002677dd9b Mon Sep 17 00:00:00 2001
+From: Brent Taylor <motobud@gmail.com>
+Date: Mon, 30 Oct 2017 22:32:45 -0500
+Subject: mtd: nand: Fix writing mtdoops to nand flash.
+
+From: Brent Taylor <motobud@gmail.com>
+
+commit 30863e38ebeb500a31cecee8096fb5002677dd9b upstream.
+
+When mtdoops calls mtd_panic_write(), it eventually calls
+panic_nand_write() in nand_base.c. In order to properly wait for the
+nand chip to be ready in panic_nand_wait(), the chip must first be
+selected.
+
+When using the atmel nand flash controller, a panic would occur due to
+a NULL pointer exception.
+
+Fixes: 2af7c6539931 ("mtd: Add panic_write for NAND flashes")
+Signed-off-by: Brent Taylor <motobud@gmail.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/nand_base.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/nand/nand_base.c
++++ b/drivers/mtd/nand/nand_base.c
+@@ -2800,15 +2800,18 @@ static int panic_nand_write(struct mtd_i
+                           size_t *retlen, const uint8_t *buf)
+ {
+       struct nand_chip *chip = mtd_to_nand(mtd);
++      int chipnr = (int)(to >> chip->chip_shift);
+       struct mtd_oob_ops ops;
+       int ret;
+-      /* Wait for the device to get ready */
+-      panic_nand_wait(mtd, chip, 400);
+-
+       /* Grab the device */
+       panic_nand_get_device(chip, mtd, FL_WRITING);
++      chip->select_chip(mtd, chipnr);
++
++      /* Wait for the device to get ready */
++      panic_nand_wait(mtd, chip, 400);
++
+       memset(&ops, 0, sizeof(ops));
+       ops.len = len;
+       ops.datbuf = (uint8_t *)buf;
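Review bot: `chipnr` is computed as `(int)(to >> chip->chip_shift)` and passed straight to `chip->select_chip()` without being compared against the number of chips. If the range check on `to` is done by a caller, which is not visible here, a comment should say so; otherwise the value should be bounded before the select. The reordering also deserves a why-comment, because the old order looked just as plausible: `/* Select the target chip first: panic_nand_wait() polls the currently selected chip. */`. No matching deselect is visible; the body of `panic_nand_write` continues past the hunk.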
diff --git a/queue-4.14/mtd-nand-mtk-fix-infinite-ecc-decode-irq-issue.patch b/queue-4.14/mtd-nand-mtk-fix-infinite-ecc-decode-irq-issue.patch
new file mode 100644 (file)
index 0000000..d971938
--- /dev/null
@@ -0,0 +1,95 @@
+From 1d2fcdcf33339c7c8016243de0f7f31cf6845e8d Mon Sep 17 00:00:00 2001
+From: Xiaolei Li <xiaolei.li@mediatek.com>
+Date: Mon, 30 Oct 2017 10:39:56 +0800
+Subject: mtd: nand: mtk: fix infinite ECC decode IRQ issue
+
+From: Xiaolei Li <xiaolei.li@mediatek.com>
+
+commit 1d2fcdcf33339c7c8016243de0f7f31cf6845e8d upstream.
+
+For MT2701 NAND Controller, there may generate infinite ECC decode IRQ
+during long time burn test on some platforms. Once this issue occurred,
+the ECC decode IRQ status cannot be cleared in the IRQ handler function,
+and threads cannot be scheduled.
+
+ECC HW generates decode IRQ each sector, so there will have more than one
+decode IRQ if read one page of large page NAND.
+
+Currently, ECC IRQ handle flow is that we will check whether it is decode
+IRQ at first by reading the register ECC_DECIRQ_STA. This is a read-clear
+type register. If this IRQ is decode IRQ, then the ECC IRQ signal will be
+cleared at the same time.
+Secondly, we will check whether all sectors are decoded by reading the
+register ECC_DECDONE. This is because the current IRQ may be not dealed
+in time, and the next sectors have been decoded before reading the
+register ECC_DECIRQ_STA. Then, the next sectors's decode IRQs will not
+be generated.
+Thirdly, if all sectors are decoded by comparing with ecc->sectors, then we
+will complete ecc->done, set ecc->sectors as 0, and disable ECC IRQ by
+programming the register ECC_IRQ_REG(op) as 0. Otherwise, wait for the
+next ECC IRQ.
+
+But, there is a timing issue between step one and two. When we read the
+reigster ECC_DECIRQ_STA, all sectors are decoded except the last sector,
+and the ECC IRQ signal is cleared. But the last sector is decoded before
+reading ECC_DECDONE, so the ECC IRQ signal is enabled again by ECC HW, and
+it means we will receive one extra ECC IRQ later. In step three, we will
+find that all sectors were decoded, then disable ECC IRQ and return.
+When deal with the extra ECC IRQ, the ECC IRQ status cannot be cleared
+anymore. That is because the register ECC_DECIRQ_STA can only be cleared
+when the register ECC_IRQ_REG(op) is enabled. But actually we have
+disabled ECC IRQ in the previous ECC IRQ handle. So, there will
+keep receiving ECC decode IRQ.
+
+Now, we read the register ECC_DECIRQ_STA once again before completing the
+ecc done event. This ensures that there will be no extra ECC decode IRQ.
+
+Also, remove writel(0, ecc->regs + ECC_IRQ_REG(op)) from irq handler,
+because ECC IRQ is disabled in mtk_ecc_disable(). And clear ECC_DECIRQ_STA
+in mtk_ecc_disable() in case there is a timeout to wait decode IRQ.
+
+Fixes: 1d6b1e464950 ("mtd: mediatek: driver for MTK Smart Device")
+Signed-off-by: Xiaolei Li <xiaolei.li@mediatek.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/mtk_ecc.c |   13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/nand/mtk_ecc.c
++++ b/drivers/mtd/nand/mtk_ecc.c
+@@ -115,6 +115,11 @@ static irqreturn_t mtk_ecc_irq(int irq,
+               op = ECC_DECODE;
+               dec = readw(ecc->regs + ECC_DECDONE);
+               if (dec & ecc->sectors) {
++                      /*
++                       * Clear decode IRQ status once again to ensure that
++                       * there will be no extra IRQ.
++                       */
++                      readw(ecc->regs + ECC_DECIRQ_STA);
+                       ecc->sectors = 0;
+                       complete(&ecc->done);
+               } else {
+@@ -130,8 +135,6 @@ static irqreturn_t mtk_ecc_irq(int irq,
+               }
+       }
+-      writel(0, ecc->regs + ECC_IRQ_REG(op));
+-
+       return IRQ_HANDLED;
+ }
+@@ -307,6 +310,12 @@ void mtk_ecc_disable(struct mtk_ecc *ecc
+       /* disable it */
+       mtk_ecc_wait_idle(ecc, op);
++      if (op == ECC_DECODE)
++              /*
++               * Clear decode IRQ status in case there is a timeout to wait
++               * decode IRQ.
++               */
++              readw(ecc->regs + ECC_DECIRQ_STA);
+       writew(0, ecc->regs + ECC_IRQ_REG(op));
+       writew(ECC_OP_DISABLE, ecc->regs + ECC_CTL_REG(op));
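Review bot: In `mtk_ecc_disable` the new `if (op == ECC_DECODE)` has an unbraced body made of a four-line comment plus the `readw()`, so at a glance the following `writew(0, ...)` looks as if it might belong to the condition. Kernel style braces a body that spans more than one line: `if (op == ECC_DECODE) {` … `readw(ecc->regs + ECC_DECIRQ_STA);` `}`. Both added `readw()` calls discard their result on purpose, since the commit message describes ECC_DECIRQ_STA as a read-clear register. The comments could say that directly, e.g. `/* read-to-clear: the value is intentionally ignored */`, so that nobody later removes the apparently dead read.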
diff --git a/queue-4.14/mtd-nand-omap2-fix-subpage-write.patch b/queue-4.14/mtd-nand-omap2-fix-subpage-write.patch
new file mode 100644 (file)
index 0000000..3c59d3f
--- /dev/null
@@ -0,0 +1,460 @@
+From 739c64414f01748a36e7d82c8e0611dea94412bd Mon Sep 17 00:00:00 2001
+From: Roger Quadros <rogerq@ti.com>
+Date: Fri, 20 Oct 2017 15:16:21 +0300
+Subject: mtd: nand: omap2: Fix subpage write
+
+From: Roger Quadros <rogerq@ti.com>
+
+commit 739c64414f01748a36e7d82c8e0611dea94412bd upstream.
+
+Since v4.12, NAND subpage writes were causing a NULL pointer
+dereference on OMAP platforms (omap2-nand) using OMAP_ECC_BCH4_CODE_HW,
+OMAP_ECC_BCH8_CODE_HW and OMAP_ECC_BCH16_CODE_HW.
+
+This is because for those ECC modes, omap_calculate_ecc_bch()
+generates ECC bytes for the entire (multi-sector) page and this can
+overflow the ECC buffer provided by nand_write_subpage_hwecc()
+as it expects ecc.calculate() to return ECC bytes for just one sector.
+
+However, the root cause of the problem is present since v3.9
+but was not seen then as NAND buffers were being allocated
+as one big chunk prior to commit 3deb9979c731 ("mtd: nand: allocate
+aligned buffers if NAND_OWN_BUFFERS is unset").
+
+Fix the issue by providing a OMAP optimized write_subpage()
+implementation.
+
+Fixes: 62116e5171e0 ("mtd: nand: omap2: Support for hardware BCH error correction.")
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/omap2.c |  339 +++++++++++++++++++++++++++++++----------------
+ 1 file changed, 224 insertions(+), 115 deletions(-)
+
+--- a/drivers/mtd/nand/omap2.c
++++ b/drivers/mtd/nand/omap2.c
+@@ -1133,129 +1133,172 @@ static u8  bch8_polynomial[] = {0xef, 0x
+                               0x97, 0x79, 0xe5, 0x24, 0xb5};
+ /**
+- * omap_calculate_ecc_bch - Generate bytes of ECC bytes
++ * _omap_calculate_ecc_bch - Generate ECC bytes for one sector
+  * @mtd:      MTD device structure
+  * @dat:      The pointer to data on which ecc is computed
+  * @ecc_code: The ecc_code buffer
++ * @i:                The sector number (for a multi sector page)
+  *
+- * Support calculating of BCH4/8 ecc vectors for the page
++ * Support calculating of BCH4/8/16 ECC vectors for one sector
++ * within a page. Sector number is in @i.
+  */
+-static int __maybe_unused omap_calculate_ecc_bch(struct mtd_info *mtd,
+-                                      const u_char *dat, u_char *ecc_calc)
++static int _omap_calculate_ecc_bch(struct mtd_info *mtd,
++                                 const u_char *dat, u_char *ecc_calc, int i)
+ {
+       struct omap_nand_info *info = mtd_to_omap(mtd);
+       int eccbytes    = info->nand.ecc.bytes;
+       struct gpmc_nand_regs   *gpmc_regs = &info->reg;
+       u8 *ecc_code;
+-      unsigned long nsectors, bch_val1, bch_val2, bch_val3, bch_val4;
++      unsigned long bch_val1, bch_val2, bch_val3, bch_val4;
+       u32 val;
+-      int i, j;
++      int j;
++
++      ecc_code = ecc_calc;
++      switch (info->ecc_opt) {
++      case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW:
++      case OMAP_ECC_BCH8_CODE_HW:
++              bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]);
++              bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]);
++              bch_val3 = readl(gpmc_regs->gpmc_bch_result2[i]);
++              bch_val4 = readl(gpmc_regs->gpmc_bch_result3[i]);
++              *ecc_code++ = (bch_val4 & 0xFF);
++              *ecc_code++ = ((bch_val3 >> 24) & 0xFF);
++              *ecc_code++ = ((bch_val3 >> 16) & 0xFF);
++              *ecc_code++ = ((bch_val3 >> 8) & 0xFF);
++              *ecc_code++ = (bch_val3 & 0xFF);
++              *ecc_code++ = ((bch_val2 >> 24) & 0xFF);
++              *ecc_code++ = ((bch_val2 >> 16) & 0xFF);
++              *ecc_code++ = ((bch_val2 >> 8) & 0xFF);
++              *ecc_code++ = (bch_val2 & 0xFF);
++              *ecc_code++ = ((bch_val1 >> 24) & 0xFF);
++              *ecc_code++ = ((bch_val1 >> 16) & 0xFF);
++              *ecc_code++ = ((bch_val1 >> 8) & 0xFF);
++              *ecc_code++ = (bch_val1 & 0xFF);
++              break;
++      case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW:
++      case OMAP_ECC_BCH4_CODE_HW:
++              bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]);
++              bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]);
++              *ecc_code++ = ((bch_val2 >> 12) & 0xFF);
++              *ecc_code++ = ((bch_val2 >> 4) & 0xFF);
++              *ecc_code++ = ((bch_val2 & 0xF) << 4) |
++                      ((bch_val1 >> 28) & 0xF);
++              *ecc_code++ = ((bch_val1 >> 20) & 0xFF);
++              *ecc_code++ = ((bch_val1 >> 12) & 0xFF);
++              *ecc_code++ = ((bch_val1 >> 4) & 0xFF);
++              *ecc_code++ = ((bch_val1 & 0xF) << 4);
++              break;
++      case OMAP_ECC_BCH16_CODE_HW:
++              val = readl(gpmc_regs->gpmc_bch_result6[i]);
++              ecc_code[0]  = ((val >>  8) & 0xFF);
++              ecc_code[1]  = ((val >>  0) & 0xFF);
++              val = readl(gpmc_regs->gpmc_bch_result5[i]);
++              ecc_code[2]  = ((val >> 24) & 0xFF);
++              ecc_code[3]  = ((val >> 16) & 0xFF);
++              ecc_code[4]  = ((val >>  8) & 0xFF);
++              ecc_code[5]  = ((val >>  0) & 0xFF);
++              val = readl(gpmc_regs->gpmc_bch_result4[i]);
++              ecc_code[6]  = ((val >> 24) & 0xFF);
++              ecc_code[7]  = ((val >> 16) & 0xFF);
++              ecc_code[8]  = ((val >>  8) & 0xFF);
++              ecc_code[9]  = ((val >>  0) & 0xFF);
++              val = readl(gpmc_regs->gpmc_bch_result3[i]);
++              ecc_code[10] = ((val >> 24) & 0xFF);
++              ecc_code[11] = ((val >> 16) & 0xFF);
++              ecc_code[12] = ((val >>  8) & 0xFF);
++              ecc_code[13] = ((val >>  0) & 0xFF);
++              val = readl(gpmc_regs->gpmc_bch_result2[i]);
++              ecc_code[14] = ((val >> 24) & 0xFF);
++              ecc_code[15] = ((val >> 16) & 0xFF);
++              ecc_code[16] = ((val >>  8) & 0xFF);
++              ecc_code[17] = ((val >>  0) & 0xFF);
++              val = readl(gpmc_regs->gpmc_bch_result1[i]);
++              ecc_code[18] = ((val >> 24) & 0xFF);
++              ecc_code[19] = ((val >> 16) & 0xFF);
++              ecc_code[20] = ((val >>  8) & 0xFF);
++              ecc_code[21] = ((val >>  0) & 0xFF);
++              val = readl(gpmc_regs->gpmc_bch_result0[i]);
++              ecc_code[22] = ((val >> 24) & 0xFF);
++              ecc_code[23] = ((val >> 16) & 0xFF);
++              ecc_code[24] = ((val >>  8) & 0xFF);
++              ecc_code[25] = ((val >>  0) & 0xFF);
++              break;
++      default:
++              return -EINVAL;
++      }
++
++      /* ECC scheme specific syndrome customizations */
++      switch (info->ecc_opt) {
++      case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW:
++              /* Add constant polynomial to remainder, so that
++               * ECC of blank pages results in 0x0 on reading back
++               */
++              for (j = 0; j < eccbytes; j++)
++                      ecc_calc[j] ^= bch4_polynomial[j];
++              break;
++      case OMAP_ECC_BCH4_CODE_HW:
++              /* Set  8th ECC byte as 0x0 for ROM compatibility */
++              ecc_calc[eccbytes - 1] = 0x0;
++              break;
++      case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW:
++              /* Add constant polynomial to remainder, so that
++               * ECC of blank pages results in 0x0 on reading back
++               */
++              for (j = 0; j < eccbytes; j++)
++                      ecc_calc[j] ^= bch8_polynomial[j];
++              break;
++      case OMAP_ECC_BCH8_CODE_HW:
++              /* Set 14th ECC byte as 0x0 for ROM compatibility */
++              ecc_calc[eccbytes - 1] = 0x0;
++              break;
++      case OMAP_ECC_BCH16_CODE_HW:
++              break;
++      default:
++              return -EINVAL;
++      }
++
++      return 0;
++}
++
++/**
++ * omap_calculate_ecc_bch_sw - ECC generator for sector for SW based correction
++ * @mtd:      MTD device structure
++ * @dat:      The pointer to data on which ecc is computed
++ * @ecc_code: The ecc_code buffer
++ *
++ * Support calculating of BCH4/8/16 ECC vectors for one sector. This is used
++ * when SW based correction is required as ECC is required for one sector
++ * at a time.
++ */
++static int omap_calculate_ecc_bch_sw(struct mtd_info *mtd,
++                                   const u_char *dat, u_char *ecc_calc)
++{
++      return _omap_calculate_ecc_bch(mtd, dat, ecc_calc, 0);
++}
++
++/**
++ * omap_calculate_ecc_bch_multi - Generate ECC for multiple sectors
++ * @mtd:      MTD device structure
++ * @dat:      The pointer to data on which ecc is computed
++ * @ecc_code: The ecc_code buffer
++ *
++ * Support calculating of BCH4/8/16 ecc vectors for the entire page in one go.
++ */
++static int omap_calculate_ecc_bch_multi(struct mtd_info *mtd,
++                                      const u_char *dat, u_char *ecc_calc)
++{
++      struct omap_nand_info *info = mtd_to_omap(mtd);
++      int eccbytes = info->nand.ecc.bytes;
++      unsigned long nsectors;
++      int i, ret;
+       nsectors = ((readl(info->reg.gpmc_ecc_config) >> 4) & 0x7) + 1;
+       for (i = 0; i < nsectors; i++) {
+-              ecc_code = ecc_calc;
+-              switch (info->ecc_opt) {
+-              case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW:
+-              case OMAP_ECC_BCH8_CODE_HW:
+-                      bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]);
+-                      bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]);
+-                      bch_val3 = readl(gpmc_regs->gpmc_bch_result2[i]);
+-                      bch_val4 = readl(gpmc_regs->gpmc_bch_result3[i]);
+-                      *ecc_code++ = (bch_val4 & 0xFF);
+-                      *ecc_code++ = ((bch_val3 >> 24) & 0xFF);
+-                      *ecc_code++ = ((bch_val3 >> 16) & 0xFF);
+-                      *ecc_code++ = ((bch_val3 >> 8) & 0xFF);
+-                      *ecc_code++ = (bch_val3 & 0xFF);
+-                      *ecc_code++ = ((bch_val2 >> 24) & 0xFF);
+-                      *ecc_code++ = ((bch_val2 >> 16) & 0xFF);
+-                      *ecc_code++ = ((bch_val2 >> 8) & 0xFF);
+-                      *ecc_code++ = (bch_val2 & 0xFF);
+-                      *ecc_code++ = ((bch_val1 >> 24) & 0xFF);
+-                      *ecc_code++ = ((bch_val1 >> 16) & 0xFF);
+-                      *ecc_code++ = ((bch_val1 >> 8) & 0xFF);
+-                      *ecc_code++ = (bch_val1 & 0xFF);
+-                      break;
+-              case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW:
+-              case OMAP_ECC_BCH4_CODE_HW:
+-                      bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]);
+-                      bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]);
+-                      *ecc_code++ = ((bch_val2 >> 12) & 0xFF);
+-                      *ecc_code++ = ((bch_val2 >> 4) & 0xFF);
+-                      *ecc_code++ = ((bch_val2 & 0xF) << 4) |
+-                              ((bch_val1 >> 28) & 0xF);
+-                      *ecc_code++ = ((bch_val1 >> 20) & 0xFF);
+-                      *ecc_code++ = ((bch_val1 >> 12) & 0xFF);
+-                      *ecc_code++ = ((bch_val1 >> 4) & 0xFF);
+-                      *ecc_code++ = ((bch_val1 & 0xF) << 4);
+-                      break;
+-              case OMAP_ECC_BCH16_CODE_HW:
+-                      val = readl(gpmc_regs->gpmc_bch_result6[i]);
+-                      ecc_code[0]  = ((val >>  8) & 0xFF);
+-                      ecc_code[1]  = ((val >>  0) & 0xFF);
+-                      val = readl(gpmc_regs->gpmc_bch_result5[i]);
+-                      ecc_code[2]  = ((val >> 24) & 0xFF);
+-                      ecc_code[3]  = ((val >> 16) & 0xFF);
+-                      ecc_code[4]  = ((val >>  8) & 0xFF);
+-                      ecc_code[5]  = ((val >>  0) & 0xFF);
+-                      val = readl(gpmc_regs->gpmc_bch_result4[i]);
+-                      ecc_code[6]  = ((val >> 24) & 0xFF);
+-                      ecc_code[7]  = ((val >> 16) & 0xFF);
+-                      ecc_code[8]  = ((val >>  8) & 0xFF);
+-                      ecc_code[9]  = ((val >>  0) & 0xFF);
+-                      val = readl(gpmc_regs->gpmc_bch_result3[i]);
+-                      ecc_code[10] = ((val >> 24) & 0xFF);
+-                      ecc_code[11] = ((val >> 16) & 0xFF);
+-                      ecc_code[12] = ((val >>  8) & 0xFF);
+-                      ecc_code[13] = ((val >>  0) & 0xFF);
+-                      val = readl(gpmc_regs->gpmc_bch_result2[i]);
+-                      ecc_code[14] = ((val >> 24) & 0xFF);
+-                      ecc_code[15] = ((val >> 16) & 0xFF);
+-                      ecc_code[16] = ((val >>  8) & 0xFF);
+-                      ecc_code[17] = ((val >>  0) & 0xFF);
+-                      val = readl(gpmc_regs->gpmc_bch_result1[i]);
+-                      ecc_code[18] = ((val >> 24) & 0xFF);
+-                      ecc_code[19] = ((val >> 16) & 0xFF);
+-                      ecc_code[20] = ((val >>  8) & 0xFF);
+-                      ecc_code[21] = ((val >>  0) & 0xFF);
+-                      val = readl(gpmc_regs->gpmc_bch_result0[i]);
+-                      ecc_code[22] = ((val >> 24) & 0xFF);
+-                      ecc_code[23] = ((val >> 16) & 0xFF);
+-                      ecc_code[24] = ((val >>  8) & 0xFF);
+-                      ecc_code[25] = ((val >>  0) & 0xFF);
+-                      break;
+-              default:
+-                      return -EINVAL;
+-              }
+-
+-              /* ECC scheme specific syndrome customizations */
+-              switch (info->ecc_opt) {
+-              case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW:
+-                      /* Add constant polynomial to remainder, so that
+-                       * ECC of blank pages results in 0x0 on reading back */
+-                      for (j = 0; j < eccbytes; j++)
+-                              ecc_calc[j] ^= bch4_polynomial[j];
+-                      break;
+-              case OMAP_ECC_BCH4_CODE_HW:
+-                      /* Set  8th ECC byte as 0x0 for ROM compatibility */
+-                      ecc_calc[eccbytes - 1] = 0x0;
+-                      break;
+-              case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW:
+-                      /* Add constant polynomial to remainder, so that
+-                       * ECC of blank pages results in 0x0 on reading back */
+-                      for (j = 0; j < eccbytes; j++)
+-                              ecc_calc[j] ^= bch8_polynomial[j];
+-                      break;
+-              case OMAP_ECC_BCH8_CODE_HW:
+-                      /* Set 14th ECC byte as 0x0 for ROM compatibility */
+-                      ecc_calc[eccbytes - 1] = 0x0;
+-                      break;
+-              case OMAP_ECC_BCH16_CODE_HW:
+-                      break;
+-              default:
+-                      return -EINVAL;
+-              }
++              ret = _omap_calculate_ecc_bch(mtd, dat, ecc_calc, i);
++              if (ret)
++                      return ret;
+-      ecc_calc += eccbytes;
++              ecc_calc += eccbytes;
+       }
+       return 0;
+@@ -1496,7 +1539,7 @@ static int omap_write_page_bch(struct mt
+       chip->write_buf(mtd, buf, mtd->writesize);
+       /* Update ecc vector from GPMC result registers */
+-      chip->ecc.calculate(mtd, buf, &ecc_calc[0]);
++      omap_calculate_ecc_bch_multi(mtd, buf, &ecc_calc[0]);
+       ret = mtd_ooblayout_set_eccbytes(mtd, ecc_calc, chip->oob_poi, 0,
+                                        chip->ecc.total);
+@@ -1509,6 +1552,72 @@ static int omap_write_page_bch(struct mt
+ }
+ /**
++ * omap_write_subpage_bch - BCH hardware ECC based subpage write
++ * @mtd:      mtd info structure
++ * @chip:     nand chip info structure
++ * @offset:   column address of subpage within the page
++ * @data_len: data length
++ * @buf:      data buffer
++ * @oob_required: must write chip->oob_poi to OOB
++ * @page: page number to write
++ *
++ * OMAP optimized subpage write method.
++ */
++static int omap_write_subpage_bch(struct mtd_info *mtd,
++                                struct nand_chip *chip, u32 offset,
++                                u32 data_len, const u8 *buf,
++                                int oob_required, int page)
++{
++      u8 *ecc_calc = chip->buffers->ecccalc;
++      int ecc_size      = chip->ecc.size;
++      int ecc_bytes     = chip->ecc.bytes;
++      int ecc_steps     = chip->ecc.steps;
++      u32 start_step = offset / ecc_size;
++      u32 end_step   = (offset + data_len - 1) / ecc_size;
++      int step, ret = 0;
++
++      /*
++       * Write entire page at one go as it would be optimal
++       * as ECC is calculated by hardware.
++       * ECC is calculated for all subpages but we choose
++       * only what we want.
++       */
++
++      /* Enable GPMC ECC engine */
++      chip->ecc.hwctl(mtd, NAND_ECC_WRITE);
++
++      /* Write data */
++      chip->write_buf(mtd, buf, mtd->writesize);
++
++      for (step = 0; step < ecc_steps; step++) {
++              /* mask ECC of un-touched subpages by padding 0xFF */
++              if (step < start_step || step > end_step)
++                      memset(ecc_calc, 0xff, ecc_bytes);
++              else
++                      ret = _omap_calculate_ecc_bch(mtd, buf, ecc_calc, step);
++
++              if (ret)
++                      return ret;
++
++              buf += ecc_size;
++              ecc_calc += ecc_bytes;
++      }
++
++      /* copy calculated ECC for whole page to chip->buffer->oob */
++      /* this include masked-value(0xFF) for unwritten subpages */
++      ecc_calc = chip->buffers->ecccalc;
++      ret = mtd_ooblayout_set_eccbytes(mtd, ecc_calc, chip->oob_poi, 0,
++                                       chip->ecc.total);
++      if (ret)
++              return ret;
++
++      /* write OOB buffer to NAND device */
++      chip->write_buf(mtd, chip->oob_poi, mtd->oobsize);
++
++      return 0;
++}
++
++/**
+  * omap_read_page_bch - BCH ecc based page read function for entire page
+  * @mtd:              mtd info structure
+  * @chip:             nand chip info structure
+@@ -1544,7 +1653,7 @@ static int omap_read_page_bch(struct mtd
+                      chip->ecc.total);
+       /* Calculate ecc bytes */
+-      chip->ecc.calculate(mtd, buf, ecc_calc);
++      omap_calculate_ecc_bch_multi(mtd, buf, ecc_calc);
+       ret = mtd_ooblayout_get_eccbytes(mtd, ecc_code, chip->oob_poi, 0,
+                                        chip->ecc.total);
+@@ -2044,7 +2153,7 @@ static int omap_nand_probe(struct platfo
+               nand_chip->ecc.strength         = 4;
+               nand_chip->ecc.hwctl            = omap_enable_hwecc_bch;
+               nand_chip->ecc.correct          = nand_bch_correct_data;
+-              nand_chip->ecc.calculate        = omap_calculate_ecc_bch;
++              nand_chip->ecc.calculate        = omap_calculate_ecc_bch_sw;
+               mtd_set_ooblayout(mtd, &omap_sw_ooblayout_ops);
+               /* Reserve one byte for the OMAP marker */
+               oobbytes_per_step               = nand_chip->ecc.bytes + 1;
+@@ -2066,9 +2175,9 @@ static int omap_nand_probe(struct platfo
+               nand_chip->ecc.strength         = 4;
+               nand_chip->ecc.hwctl            = omap_enable_hwecc_bch;
+               nand_chip->ecc.correct          = omap_elm_correct_data;
+-              nand_chip->ecc.calculate        = omap_calculate_ecc_bch;
+               nand_chip->ecc.read_page        = omap_read_page_bch;
+               nand_chip->ecc.write_page       = omap_write_page_bch;
++              nand_chip->ecc.write_subpage    = omap_write_subpage_bch;
+               mtd_set_ooblayout(mtd, &omap_ooblayout_ops);
+               oobbytes_per_step               = nand_chip->ecc.bytes;
+@@ -2087,7 +2196,7 @@ static int omap_nand_probe(struct platfo
+               nand_chip->ecc.strength         = 8;
+               nand_chip->ecc.hwctl            = omap_enable_hwecc_bch;
+               nand_chip->ecc.correct          = nand_bch_correct_data;
+-              nand_chip->ecc.calculate        = omap_calculate_ecc_bch;
++              nand_chip->ecc.calculate        = omap_calculate_ecc_bch_sw;
+               mtd_set_ooblayout(mtd, &omap_sw_ooblayout_ops);
+               /* Reserve one byte for the OMAP marker */
+               oobbytes_per_step               = nand_chip->ecc.bytes + 1;
+@@ -2109,9 +2218,9 @@ static int omap_nand_probe(struct platfo
+               nand_chip->ecc.strength         = 8;
+               nand_chip->ecc.hwctl            = omap_enable_hwecc_bch;
+               nand_chip->ecc.correct          = omap_elm_correct_data;
+-              nand_chip->ecc.calculate        = omap_calculate_ecc_bch;
+               nand_chip->ecc.read_page        = omap_read_page_bch;
+               nand_chip->ecc.write_page       = omap_write_page_bch;
++              nand_chip->ecc.write_subpage    = omap_write_subpage_bch;
+               mtd_set_ooblayout(mtd, &omap_ooblayout_ops);
+               oobbytes_per_step               = nand_chip->ecc.bytes;
+@@ -2131,9 +2240,9 @@ static int omap_nand_probe(struct platfo
+               nand_chip->ecc.strength         = 16;
+               nand_chip->ecc.hwctl            = omap_enable_hwecc_bch;
+               nand_chip->ecc.correct          = omap_elm_correct_data;
+-              nand_chip->ecc.calculate        = omap_calculate_ecc_bch;
+               nand_chip->ecc.read_page        = omap_read_page_bch;
+               nand_chip->ecc.write_page       = omap_write_page_bch;
++              nand_chip->ecc.write_subpage    = omap_write_subpage_bch;
+               mtd_set_ooblayout(mtd, &omap_ooblayout_ops);
+               oobbytes_per_step               = nand_chip->ecc.bytes;
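Review bot: The kernel-doc blocks on `_omap_calculate_ecc_bch`, `omap_calculate_ecc_bch_sw` and `omap_calculate_ecc_bch_multi` document `@ecc_code`, but the parameter is named `ecc_calc`, and none of them says how much space the caller must supply. The per-sector helper stores a fixed 13, 7 or 26 bytes depending on `info->ecc_opt` and, in the ROM-compatible modes, also writes `ecc_calc[eccbytes - 1]`; the commit message attributes the original crash to this kind of size mismatch between the caller's buffer and what the calculate routine produces. I would rename the tag and state the contract, e.g. `* @ecc_calc: output buffer, at least ecc.bytes bytes for the sector`, and for the `_multi` variant `* @ecc_calc: output buffer, at least nsectors * ecc.bytes bytes`. It is also worth saying that `@dat` is unused, since the new body only reads the GPMC result registers.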
diff --git a/queue-4.14/net-9p-switch-to-wait_event_killable.patch b/queue-4.14/net-9p-switch-to-wait_event_killable.patch
new file mode 100644 (file)
index 0000000..1a5261a
--- /dev/null
@@ -0,0 +1,96 @@
+From 9523feac272ccad2ad8186ba4fcc89103754de52 Mon Sep 17 00:00:00 2001
+From: Tuomas Tynkkynen <tuomas@tuxera.com>
+Date: Wed, 6 Sep 2017 17:59:08 +0300
+Subject: net/9p: Switch to wait_event_killable()
+
+From: Tuomas Tynkkynen <tuomas@tuxera.com>
+
+commit 9523feac272ccad2ad8186ba4fcc89103754de52 upstream.
+
+Because userspace gets Very Unhappy when calls like stat() and execve()
+return -EINTR on 9p filesystem mounts. For instance, when bash is
+looking in PATH for things to execute and some SIGCHLD interrupts
+stat(), bash can throw a spurious 'command not found' since it doesn't
+retry the stat().
+
+In practice, hitting the problem is rare and needs a really
+slow/bogged down 9p server.
+
+Signed-off-by: Tuomas Tynkkynen <tuomas@tuxera.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/9p/client.c       |    3 +--
+ net/9p/trans_virtio.c |   13 ++++++-------
+ net/9p/trans_xen.c    |    4 ++--
+ 3 files changed, 9 insertions(+), 11 deletions(-)
+
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -773,8 +773,7 @@ p9_client_rpc(struct p9_client *c, int8_
+       }
+ again:
+       /* Wait for the response */
+-      err = wait_event_interruptible(*req->wq,
+-                                     req->status >= REQ_STATUS_RCVD);
++      err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD);
+       /*
+        * Make sure our req is coherent with regard to updates in other
+--- a/net/9p/trans_virtio.c
++++ b/net/9p/trans_virtio.c
+@@ -286,8 +286,8 @@ req_retry:
+               if (err == -ENOSPC) {
+                       chan->ring_bufs_avail = 0;
+                       spin_unlock_irqrestore(&chan->lock, flags);
+-                      err = wait_event_interruptible(*chan->vc_wq,
+-                                                      chan->ring_bufs_avail);
++                      err = wait_event_killable(*chan->vc_wq,
++                                                chan->ring_bufs_avail);
+                       if (err  == -ERESTARTSYS)
+                               return err;
+@@ -327,7 +327,7 @@ static int p9_get_mapped_pages(struct vi
+                * Other zc request to finish here
+                */
+               if (atomic_read(&vp_pinned) >= chan->p9_max_pages) {
+-                      err = wait_event_interruptible(vp_wq,
++                      err = wait_event_killable(vp_wq,
+                             (atomic_read(&vp_pinned) < chan->p9_max_pages));
+                       if (err == -ERESTARTSYS)
+                               return err;
+@@ -471,8 +471,8 @@ req_retry_pinned:
+               if (err == -ENOSPC) {
+                       chan->ring_bufs_avail = 0;
+                       spin_unlock_irqrestore(&chan->lock, flags);
+-                      err = wait_event_interruptible(*chan->vc_wq,
+-                                                     chan->ring_bufs_avail);
++                      err = wait_event_killable(*chan->vc_wq,
++                                                chan->ring_bufs_avail);
+                       if (err  == -ERESTARTSYS)
+                               goto err_out;
+@@ -489,8 +489,7 @@ req_retry_pinned:
+       virtqueue_kick(chan->vq);
+       spin_unlock_irqrestore(&chan->lock, flags);
+       p9_debug(P9_DEBUG_TRANS, "virtio request kicked\n");
+-      err = wait_event_interruptible(*req->wq,
+-                                     req->status >= REQ_STATUS_RCVD);
++      err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD);
+       /*
+        * Non kernel buffers are pinned, unpin them
+        */
+--- a/net/9p/trans_xen.c
++++ b/net/9p/trans_xen.c
+@@ -156,8 +156,8 @@ static int p9_xen_request(struct p9_clie
+       ring = &priv->rings[num];
+ again:
+-      while (wait_event_interruptible(ring->wq,
+-                                      p9_xen_write_todo(ring, size)) != 0)
++      while (wait_event_killable(ring->wq,
++                                 p9_xen_write_todo(ring, size)) != 0)
+               ;
+       spin_lock_irqsave(&ring->lock, flags);
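Review bot: In the trans_xen.c hunk the loop `while (wait_event_killable(...) != 0) ;` discards the error and retries. Once a fatal signal is pending, the wait presumably returns -ERESTARTSYS immediately on every pass, so the task would spin in the kernel instead of exiting. The virtio hunks in this same patch return or `goto err_out` on -ERESTARTSYS, and the Xen path should propagate the error as well, for example `if (wait_event_killable(ring->wq, p9_xen_write_todo(ring, size))) return -ERESTARTSYS;`. p9_xen_request begins and continues outside the hunk, so whether a plain return is safe here needs checking against the full function; the visible lines only show that the ring lock is taken after the loop.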
diff --git a/queue-4.14/nfs-avoid-rcu-usage-in-tracepoints.patch b/queue-4.14/nfs-avoid-rcu-usage-in-tracepoints.patch
new file mode 100644 (file)
index 0000000..a491ea0
--- /dev/null
@@ -0,0 +1,88 @@
+From 3944369db701f075092357b511fd9f5755771585 Mon Sep 17 00:00:00 2001
+From: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Date: Wed, 1 Nov 2017 15:48:43 -0400
+Subject: NFS: Avoid RCU usage in tracepoints
+
+From: Anna Schumaker <Anna.Schumaker@Netapp.com>
+
+commit 3944369db701f075092357b511fd9f5755771585 upstream.
+
+There isn't an obvious way to acquire and release the RCU lock during a
+tracepoint, so we can't use the rpc_peeraddr2str() function here.
+Instead, rely on the client's cl_hostname, which should have similar
+enough information without needing an rcu_dereference().
+
+Reported-by: Dave Jones <davej@codemonkey.org.uk>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4trace.h |   24 ++++++------------------
+ 1 file changed, 6 insertions(+), 18 deletions(-)
+
+--- a/fs/nfs/nfs4trace.h
++++ b/fs/nfs/nfs4trace.h
+@@ -202,17 +202,13 @@ DECLARE_EVENT_CLASS(nfs4_clientid_event,
+               TP_ARGS(clp, error),
+               TP_STRUCT__entry(
+-                      __string(dstaddr,
+-                              rpc_peeraddr2str(clp->cl_rpcclient,
+-                                      RPC_DISPLAY_ADDR))
++                      __string(dstaddr, clp->cl_hostname)
+                       __field(int, error)
+               ),
+               TP_fast_assign(
+                       __entry->error = error;
+-                      __assign_str(dstaddr,
+-                              rpc_peeraddr2str(clp->cl_rpcclient,
+-                                              RPC_DISPLAY_ADDR));
++                      __assign_str(dstaddr, clp->cl_hostname);
+               ),
+               TP_printk(
+@@ -1133,9 +1129,7 @@ DECLARE_EVENT_CLASS(nfs4_inode_callback_
+                       __field(dev_t, dev)
+                       __field(u32, fhandle)
+                       __field(u64, fileid)
+-                      __string(dstaddr, clp ?
+-                              rpc_peeraddr2str(clp->cl_rpcclient,
+-                                      RPC_DISPLAY_ADDR) : "unknown")
++                      __string(dstaddr, clp ? clp->cl_hostname : "unknown")
+               ),
+               TP_fast_assign(
+@@ -1148,9 +1142,7 @@ DECLARE_EVENT_CLASS(nfs4_inode_callback_
+                               __entry->fileid = 0;
+                               __entry->dev = 0;
+                       }
+-                      __assign_str(dstaddr, clp ?
+-                              rpc_peeraddr2str(clp->cl_rpcclient,
+-                                      RPC_DISPLAY_ADDR) : "unknown")
++                      __assign_str(dstaddr, clp ? clp->cl_hostname : "unknown")
+               ),
+               TP_printk(
+@@ -1192,9 +1184,7 @@ DECLARE_EVENT_CLASS(nfs4_inode_stateid_c
+                       __field(dev_t, dev)
+                       __field(u32, fhandle)
+                       __field(u64, fileid)
+-                      __string(dstaddr, clp ?
+-                              rpc_peeraddr2str(clp->cl_rpcclient,
+-                                      RPC_DISPLAY_ADDR) : "unknown")
++                      __string(dstaddr, clp ? clp->cl_hostname : "unknown")
+                       __field(int, stateid_seq)
+                       __field(u32, stateid_hash)
+               ),
+@@ -1209,9 +1199,7 @@ DECLARE_EVENT_CLASS(nfs4_inode_stateid_c
+                               __entry->fileid = 0;
+                               __entry->dev = 0;
+                       }
+-                      __assign_str(dstaddr, clp ?
+-                              rpc_peeraddr2str(clp->cl_rpcclient,
+-                                      RPC_DISPLAY_ADDR) : "unknown")
++                      __assign_str(dstaddr, clp ? clp->cl_hostname : "unknown")
+                       __entry->stateid_seq =
+                               be32_to_cpu(stateid->seqid);
+                       __entry->stateid_hash =
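Review bot: The trace field is still named `dstaddr` in all three event classes, but it now records `clp->cl_hostname` instead of the peer address formatted by rpc_peeraddr2str(). Anything that parses these events expecting an address, such as log pipelines or incident timelines, would now receive a hostname string. The TP_printk format lies outside the hunks, so its label cannot be checked from here. A comment beside each `__string()` would make the change explicit, e.g. `/* holds cl_hostname, not the RPC peer address */`. Separately, the two `__assign_str(dstaddr, clp ? clp->cl_hostname : "unknown")` lines in the callback classes have no trailing semicolon while the clientid one does; adding it would keep the three consistent.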
diff --git a/queue-4.14/nfs-fix-typo-in-nomigration-mount-option.patch b/queue-4.14/nfs-fix-typo-in-nomigration-mount-option.patch
new file mode 100644 (file)
index 0000000..eacf682
--- /dev/null
@@ -0,0 +1,30 @@
+From f02fee227e5f21981152850744a6084ff3fa94ee Mon Sep 17 00:00:00 2001
+From: Joshua Watt <jpewhacker@gmail.com>
+Date: Tue, 7 Nov 2017 16:25:47 -0600
+Subject: NFS: Fix typo in nomigration mount option
+
+From: Joshua Watt <jpewhacker@gmail.com>
+
+commit f02fee227e5f21981152850744a6084ff3fa94ee upstream.
+
+The option was incorrectly masking off all other options.
+
+Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/super.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1332,7 +1332,7 @@ static int nfs_parse_mount_options(char
+                       mnt->options |= NFS_OPTION_MIGRATION;
+                       break;
+               case Opt_nomigration:
+-                      mnt->options &= NFS_OPTION_MIGRATION;
++                      mnt->options &= ~NFS_OPTION_MIGRATION;
+                       break;
+               /*
diff --git a/queue-4.14/nfs-fix-ugly-referral-attributes.patch b/queue-4.14/nfs-fix-ugly-referral-attributes.patch
new file mode 100644 (file)
index 0000000..22ad2fa
--- /dev/null
@@ -0,0 +1,85 @@
+From c05cefcc72416a37eba5a2b35f0704ed758a9145 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Sun, 5 Nov 2017 15:45:22 -0500
+Subject: nfs: Fix ugly referral attributes
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit c05cefcc72416a37eba5a2b35f0704ed758a9145 upstream.
+
+Before traversing a referral and performing a mount, the mounted-on
+directory looks strange:
+
+dr-xr-xr-x. 2 4294967294 4294967294 0 Dec 31  1969 dir.0
+
+nfs4_get_referral is wiping out any cached attributes with what was
+returned via GETATTR(fs_locations), but the bit mask for that
+operation does not request any file attributes.
+
+Retrieve owner and timestamp information so that the memcpy in
+nfs4_get_referral fills in more attributes.
+
+Changes since v1:
+- Don't request attributes that the client unconditionally replaces
+- Request only MOUNTED_ON_FILEID or FILEID attribute, not both
+- encode_fs_locations() doesn't use the third bitmask word
+
+Fixes: 6b97fd3da1ea ("NFSv4: Follow a referral")
+Suggested-by: Pradeep Thomas <pradeepthomas@gmail.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c |   18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -254,15 +254,12 @@ const u32 nfs4_fsinfo_bitmap[3] = { FATT
+ };
+ const u32 nfs4_fs_locations_bitmap[3] = {
+-      FATTR4_WORD0_TYPE
+-      | FATTR4_WORD0_CHANGE
++      FATTR4_WORD0_CHANGE
+       | FATTR4_WORD0_SIZE
+       | FATTR4_WORD0_FSID
+       | FATTR4_WORD0_FILEID
+       | FATTR4_WORD0_FS_LOCATIONS,
+-      FATTR4_WORD1_MODE
+-      | FATTR4_WORD1_NUMLINKS
+-      | FATTR4_WORD1_OWNER
++      FATTR4_WORD1_OWNER
+       | FATTR4_WORD1_OWNER_GROUP
+       | FATTR4_WORD1_RAWDEV
+       | FATTR4_WORD1_SPACE_USED
+@@ -6777,9 +6774,7 @@ static int _nfs4_proc_fs_locations(struc
+                                  struct page *page)
+ {
+       struct nfs_server *server = NFS_SERVER(dir);
+-      u32 bitmask[3] = {
+-              [0] = FATTR4_WORD0_FSID | FATTR4_WORD0_FS_LOCATIONS,
+-      };
++      u32 bitmask[3];
+       struct nfs4_fs_locations_arg args = {
+               .dir_fh = NFS_FH(dir),
+               .name = name,
+@@ -6798,12 +6793,15 @@ static int _nfs4_proc_fs_locations(struc
+       dprintk("%s: start\n", __func__);
++      bitmask[0] = nfs4_fattr_bitmap[0] | FATTR4_WORD0_FS_LOCATIONS;
++      bitmask[1] = nfs4_fattr_bitmap[1];
++
+       /* Ask for the fileid of the absent filesystem if mounted_on_fileid
+        * is not supported */
+       if (NFS_SERVER(dir)->attr_bitmask[1] & FATTR4_WORD1_MOUNTED_ON_FILEID)
+-              bitmask[1] |= FATTR4_WORD1_MOUNTED_ON_FILEID;
++              bitmask[0] &= ~FATTR4_WORD0_FILEID;
+       else
+-              bitmask[0] |= FATTR4_WORD0_FILEID;
++              bitmask[1] &= ~FATTR4_WORD1_MOUNTED_ON_FILEID;
+       nfs_fattr_init(&fs_locations->fattr);
+       fs_locations->server = server;
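Review bot: In `_nfs4_proc_fs_locations` the local `u32 bitmask[3]` loses its initializer and only words 0 and 1 are assigned afterwards, so `bitmask[2]` is left holding stack contents. The commit message says encode_fs_locations() does not use the third word, but the array is presumably still passed on through `args` (the initializer is cut off by the hunk), and any consumer that reads all three words would put uninitialised kernel stack into an on-the-wire attribute mask. Keeping a zero initializer, `u32 bitmask[3] = { 0 };`, or adding `bitmask[2] = 0;` beside the two assignments removes the dependency on that encoder detail. The function body starts and ends outside the hunks shown.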
diff --git a/queue-4.14/nfs-revalidate-.-etc-correctly-on-open.patch b/queue-4.14/nfs-revalidate-.-etc-correctly-on-open.patch
new file mode 100644 (file)
index 0000000..b294ce8
--- /dev/null
@@ -0,0 +1,60 @@
+From b688741cb06695312f18b730653d6611e1bad28d Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Fri, 25 Aug 2017 17:34:41 +1000
+Subject: NFS: revalidate "." etc correctly on "open".
+
+From: NeilBrown <neilb@suse.com>
+
+commit b688741cb06695312f18b730653d6611e1bad28d upstream.
+
+For correct close-to-open semantics, NFS must validate
+the change attribute of a directory (or file) on open.
+
+Since commit ecf3d1f1aa74 ("vfs: kill FS_REVAL_DOT by adding a
+d_weak_revalidate dentry op"), open() of "." or a path ending ".." is
+not revalidated reliably (except when that direct is a mount point).
+
+Prior to that commit, "." was revalidated using nfs_lookup_revalidate()
+which checks the LOOKUP_OPEN flag and forces revalidation if the flag is
+set.
+Since that commit, nfs_weak_revalidate() is used for NFSv3 (which
+ignores the flags) and nothing is used for NFSv4.
+
+This is fixed by using nfs_lookup_verify_inode() in
+nfs_weak_revalidate().  This does the revalidation exactly when needed.
+Also, add a definition of .d_weak_revalidate for NFSv4.
+
+The incorrect behavior is easily demonstrated by running "echo *" in
+some non-mountpoint NFS directory while watching network traffic.
+Without this patch, "echo *" sometimes doesn't produce any traffic.
+With the patch it always does.
+
+Fixes: ecf3d1f1aa74 ("vfs: kill FS_REVAL_DOT by adding a d_weak_revalidate dentry op")
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/dir.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1241,8 +1241,7 @@ static int nfs_weak_revalidate(struct de
+               return 0;
+       }
+-      if (nfs_mapping_need_revalidate_inode(inode))
+-              error = __nfs_revalidate_inode(NFS_SERVER(inode), inode);
++      error = nfs_lookup_verify_inode(inode, flags);
+       dfprintk(LOOKUPCACHE, "NFS: %s: inode %lu is %s\n",
+                       __func__, inode->i_ino, error ? "invalid" : "valid");
+       return !error;
+@@ -1393,6 +1392,7 @@ static int nfs4_lookup_revalidate(struct
+ const struct dentry_operations nfs4_dentry_operations = {
+       .d_revalidate   = nfs4_lookup_revalidate,
++      .d_weak_revalidate      = nfs_weak_revalidate,
+       .d_delete       = nfs_dentry_delete,
+       .d_iput         = nfs_dentry_iput,
+       .d_automount    = nfs_d_automount,
diff --git a/queue-4.14/nfs-revert-nfs-move-the-flock-open-mode-check-into-nfs_flock.patch b/queue-4.14/nfs-revert-nfs-move-the-flock-open-mode-check-into-nfs_flock.patch
new file mode 100644 (file)
index 0000000..e14fb1b
--- /dev/null
@@ -0,0 +1,73 @@
+From fcfa447062b2061e11f68b846d61cbfe60d0d604 Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Fri, 10 Nov 2017 06:27:49 -0500
+Subject: NFS: Revert "NFS: Move the flock open mode check into nfs_flock()"
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+commit fcfa447062b2061e11f68b846d61cbfe60d0d604 upstream.
+
+Commit e12937279c8b "NFS: Move the flock open mode check into nfs_flock()"
+changed NFSv3 behavior for flock() such that the open mode must match the
+lock type, however that requirement shouldn't be enforced for flock().
+
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/file.c     |   18 ++----------------
+ fs/nfs/nfs4proc.c |   14 ++++++++++++++
+ 2 files changed, 16 insertions(+), 16 deletions(-)
+
+--- a/fs/nfs/file.c
++++ b/fs/nfs/file.c
+@@ -829,23 +829,9 @@ int nfs_flock(struct file *filp, int cmd
+       if (NFS_SERVER(inode)->flags & NFS_MOUNT_LOCAL_FLOCK)
+               is_local = 1;
+-      /*
+-       * VFS doesn't require the open mode to match a flock() lock's type.
+-       * NFS, however, may simulate flock() locking with posix locking which
+-       * requires the open mode to match the lock type.
+-       */
+-      switch (fl->fl_type) {
+-      case F_UNLCK:
++      /* We're simulating flock() locks using posix locks on the server */
++      if (fl->fl_type == F_UNLCK)
+               return do_unlk(filp, cmd, fl, is_local);
+-      case F_RDLCK:
+-              if (!(filp->f_mode & FMODE_READ))
+-                      return -EBADF;
+-              break;
+-      case F_WRLCK:
+-              if (!(filp->f_mode & FMODE_WRITE))
+-                      return -EBADF;
+-      }
+-
+       return do_setlk(filp, cmd, fl, is_local);
+ }
+ EXPORT_SYMBOL_GPL(nfs_flock);
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -6568,6 +6568,20 @@ nfs4_proc_lock(struct file *filp, int cm
+           !test_bit(NFS_STATE_POSIX_LOCKS, &state->flags))
+               return -ENOLCK;
++      /*
++       * Don't rely on the VFS having checked the file open mode,
++       * since it won't do this for flock() locks.
++       */
++      switch (request->fl_type) {
++      case F_RDLCK:
++              if (!(filp->f_mode & FMODE_READ))
++                      return -EBADF;
++              break;
++      case F_WRLCK:
++              if (!(filp->f_mode & FMODE_WRITE))
++                      return -EBADF;
++      }
++
+       status = nfs4_set_lock_state(state, request);
+       if (status != 0)
+               return status;
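Review bot: The `switch (request->fl_type)` added to `nfs4_proc_lock` ends its `F_WRLCK` arm without a `break` and has no `default`, so the fact that `F_UNLCK` and any other lock type pass without an open-mode check is only implicit. The added comment says the VFS does not perform this check for flock() locks, so this switch is what enforces it on this path and should state its full behaviour. Add `break;` after the `F_WRLCK` test and a `default: break;` arm with a comment such as `/* F_UNLCK needs no open-mode check */`. The enclosing function continues outside the hunk.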
diff --git a/queue-4.14/nfsd-deal-with-revoked-delegations-appropriately.patch b/queue-4.14/nfsd-deal-with-revoked-delegations-appropriately.patch
new file mode 100644 (file)
index 0000000..6e8abb1
--- /dev/null
@@ -0,0 +1,84 @@
+From 95da1b3a5aded124dd1bda1e3cdb876184813140 Mon Sep 17 00:00:00 2001
+From: Andrew Elble <aweits@rit.edu>
+Date: Fri, 3 Nov 2017 14:06:31 -0400
+Subject: nfsd: deal with revoked delegations appropriately
+
+From: Andrew Elble <aweits@rit.edu>
+
+commit 95da1b3a5aded124dd1bda1e3cdb876184813140 upstream.
+
+If a delegation has been revoked by the server, operations using that
+delegation should error out with NFS4ERR_DELEG_REVOKED in the >4.1
+case, and NFS4ERR_BAD_STATEID otherwise.
+
+The server needs NFSv4.1 clients to explicitly free revoked delegations.
+If the server returns NFS4ERR_DELEG_REVOKED, the client will do that;
+otherwise it may just forget about the delegation and be unable to
+recover when it later sees SEQ4_STATUS_RECALLABLE_STATE_REVOKED set on a
+SEQUENCE reply.  That can cause the Linux 4.1 client to loop in its
+stage manager.
+
+Signed-off-by: Andrew Elble <aweits@rit.edu>
+Reviewed-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4state.c |   25 ++++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -3966,7 +3966,8 @@ static struct nfs4_delegation *find_dele
+ {
+       struct nfs4_stid *ret;
+-      ret = find_stateid_by_type(cl, s, NFS4_DELEG_STID);
++      ret = find_stateid_by_type(cl, s,
++                              NFS4_DELEG_STID|NFS4_REVOKED_DELEG_STID);
+       if (!ret)
+               return NULL;
+       return delegstateid(ret);
+@@ -3989,6 +3990,12 @@ nfs4_check_deleg(struct nfs4_client *cl,
+       deleg = find_deleg_stateid(cl, &open->op_delegate_stateid);
+       if (deleg == NULL)
+               goto out;
++      if (deleg->dl_stid.sc_type == NFS4_REVOKED_DELEG_STID) {
++              nfs4_put_stid(&deleg->dl_stid);
++              if (cl->cl_minorversion)
++                      status = nfserr_deleg_revoked;
++              goto out;
++      }
+       flags = share_access_to_flags(open->op_share_access);
+       status = nfs4_check_delegmode(deleg, flags);
+       if (status) {
+@@ -4858,6 +4865,16 @@ nfsd4_lookup_stateid(struct nfsd4_compou
+                    struct nfs4_stid **s, struct nfsd_net *nn)
+ {
+       __be32 status;
++      bool return_revoked = false;
++
++      /*
++       *  only return revoked delegations if explicitly asked.
++       *  otherwise we report revoked or bad_stateid status.
++       */
++      if (typemask & NFS4_REVOKED_DELEG_STID)
++              return_revoked = true;
++      else if (typemask & NFS4_DELEG_STID)
++              typemask |= NFS4_REVOKED_DELEG_STID;
+       if (ZERO_STATEID(stateid) || ONE_STATEID(stateid))
+               return nfserr_bad_stateid;
+@@ -4872,6 +4889,12 @@ nfsd4_lookup_stateid(struct nfsd4_compou
+       *s = find_stateid_by_type(cstate->clp, stateid, typemask);
+       if (!*s)
+               return nfserr_bad_stateid;
++      if (((*s)->sc_type == NFS4_REVOKED_DELEG_STID) && !return_revoked) {
++              nfs4_put_stid(*s);
++              if (cstate->minorversion)
++                      return nfserr_deleg_revoked;
++              return nfserr_bad_stateid;
++      }
+       return nfs_ok;
+ }
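Review bot: In `nfs4_check_deleg` the revoked-delegation branch assigns `status` only when `cl->cl_minorversion` is non-zero, so the NFSv4.0 result depends on whatever `status` was initialised to above the hunk (presumably `nfserr_bad_stateid`; not visible here). `nfsd4_lookup_stateid` in the same patch returns both codes explicitly. Doing the same here, `status = cl->cl_minorversion ? nfserr_deleg_revoked : nfserr_bad_stateid;`, keeps a later change to the initial value from letting a revoked stateid fall through with the wrong status. Both functions extend beyond the hunks shown.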
diff --git a/queue-4.14/nilfs2-fix-race-condition-that-causes-file-system-corruption.patch b/queue-4.14/nilfs2-fix-race-condition-that-causes-file-system-corruption.patch
new file mode 100644 (file)
index 0000000..7bfa1f5
--- /dev/null
@@ -0,0 +1,84 @@
+From 31ccb1f7ba3cfe29631587d451cf5bb8ab593550 Mon Sep 17 00:00:00 2001
+From: Andreas Rohner <andreas.rohner@gmx.net>
+Date: Fri, 17 Nov 2017 15:29:35 -0800
+Subject: nilfs2: fix race condition that causes file system corruption
+
+From: Andreas Rohner <andreas.rohner@gmx.net>
+
+commit 31ccb1f7ba3cfe29631587d451cf5bb8ab593550 upstream.
+
+There is a race condition between nilfs_dirty_inode() and
+nilfs_set_file_dirty().
+
+When a file is opened, nilfs_dirty_inode() is called to update the
+access timestamp in the inode.  It calls __nilfs_mark_inode_dirty() in a
+separate transaction.  __nilfs_mark_inode_dirty() caches the ifile
+buffer_head in the i_bh field of the inode info structure and marks it
+as dirty.
+
+After some data was written to the file in another transaction, the
+function nilfs_set_file_dirty() is called, which adds the inode to the
+ns_dirty_files list.
+
+Then the segment construction calls nilfs_segctor_collect_dirty_files(),
+which goes through the ns_dirty_files list and checks the i_bh field.
+If there is a cached buffer_head in i_bh it is not marked as dirty
+again.
+
+Since nilfs_dirty_inode() and nilfs_set_file_dirty() use separate
+transactions, it is possible that a segment construction that writes out
+the ifile occurs in-between the two.  If this happens the inode is not
+on the ns_dirty_files list, but its ifile block is still marked as dirty
+and written out.
+
+In the next segment construction, the data for the file is written out
+and nilfs_bmap_propagate() updates the b-tree.  Eventually the bmap root
+is written into the i_bh block, which is not dirty, because it was
+written out in another segment construction.
+
+As a result the bmap update can be lost, which leads to file system
+corruption.  Either the virtual block address points to an unallocated
+DAT block, or the DAT entry will be reused for something different.
+
+The error can remain undetected for a long time.  A typical error
+message would be one of the "bad btree" errors or a warning that a DAT
+entry could not be found.
+
+This bug can be reproduced reliably by a simple benchmark that creates
+and overwrites millions of 4k files.
+
+Link: http://lkml.kernel.org/r/1509367935-3086-2-git-send-email-konishi.ryusuke@lab.ntt.co.jp
+Signed-off-by: Andreas Rohner <andreas.rohner@gmx.net>
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Tested-by: Andreas Rohner <andreas.rohner@gmx.net>
+Tested-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nilfs2/segment.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/nilfs2/segment.c
++++ b/fs/nilfs2/segment.c
+@@ -1958,8 +1958,6 @@ static int nilfs_segctor_collect_dirty_f
+                                         err, ii->vfs_inode.i_ino);
+                               return err;
+                       }
+-                      mark_buffer_dirty(ibh);
+-                      nilfs_mdt_mark_dirty(ifile);
+                       spin_lock(&nilfs->ns_inode_lock);
+                       if (likely(!ii->i_bh))
+                               ii->i_bh = ibh;
+@@ -1968,6 +1966,10 @@ static int nilfs_segctor_collect_dirty_f
+                       goto retry;
+               }
++              // Always redirty the buffer to avoid race condition
++              mark_buffer_dirty(ii->i_bh);
++              nilfs_mdt_mark_dirty(ifile);
++
+               clear_bit(NILFS_I_QUEUED, &ii->i_state);
+               set_bit(NILFS_I_BUSY, &ii->i_state);
+               list_move_tail(&ii->i_dirty, &sci->sc_dirty_files);
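Review bot: The comment added before `mark_buffer_dirty(ii->i_bh)` uses `//` where the surrounding kernel code uses `/* */`, and "avoid race condition" does not say which race is meant. Suggest `/* Redirty unconditionally: a segment construction between nilfs_dirty_inode() and nilfs_set_file_dirty() may already have written out the cached i_bh. */`, wrapped to the line limit. It is also not visible from these hunks whether `ns_inode_lock` is still held where `ii->i_bh` is now read, so a short statement of what keeps that pointer stable at this point would help the next reader. The function starts and ends outside the hunks.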
diff --git a/queue-4.14/p54-don-t-unregister-leds-when-they-are-not-initialized.patch b/queue-4.14/p54-don-t-unregister-leds-when-they-are-not-initialized.patch
new file mode 100644 (file)
index 0000000..ea07637
--- /dev/null
@@ -0,0 +1,80 @@
+From fc09785de0a364427a5df63d703bae9a306ed116 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Tue, 26 Sep 2017 17:11:33 +0200
+Subject: p54: don't unregister leds when they are not initialized
+
+From: Andrey Konovalov <andreyknvl@google.com>
+
+commit fc09785de0a364427a5df63d703bae9a306ed116 upstream.
+
+ieee80211_register_hw() in p54_register_common() may fail and leds won't
+get initialized. Currently p54_unregister_common() doesn't check that and
+always calls p54_unregister_leds(). The fix is to check priv->registered
+flag before calling p54_unregister_leds().
+
+Found by syzkaller.
+
+INFO: trying to register non-static key.
+the code is fine but needs lockdep annotation.
+turning off the locking correctness validator.
+CPU: 1 PID: 1404 Comm: kworker/1:1 Not tainted
+4.14.0-rc1-42251-gebb2c2437d80-dirty #205
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Workqueue: usb_hub_wq hub_event
+Call Trace:
+ __dump_stack lib/dump_stack.c:16
+ dump_stack+0x292/0x395 lib/dump_stack.c:52
+ register_lock_class+0x6c4/0x1a00 kernel/locking/lockdep.c:769
+ __lock_acquire+0x27e/0x4550 kernel/locking/lockdep.c:3385
+ lock_acquire+0x259/0x620 kernel/locking/lockdep.c:4002
+ flush_work+0xf0/0x8c0 kernel/workqueue.c:2886
+ __cancel_work_timer+0x51d/0x870 kernel/workqueue.c:2961
+ cancel_delayed_work_sync+0x1f/0x30 kernel/workqueue.c:3081
+ p54_unregister_leds+0x6c/0xc0 drivers/net/wireless/intersil/p54/led.c:160
+ p54_unregister_common+0x3d/0xb0 drivers/net/wireless/intersil/p54/main.c:856
+ p54u_disconnect+0x86/0x120 drivers/net/wireless/intersil/p54/p54usb.c:1073
+ usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423
+ __device_release_driver drivers/base/dd.c:861
+ device_release_driver_internal+0x4f4/0x5c0 drivers/base/dd.c:893
+ device_release_driver+0x1e/0x30 drivers/base/dd.c:918
+ bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565
+ device_del+0x5c4/0xab0 drivers/base/core.c:1985
+ usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170
+ usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124
+ hub_port_connect drivers/usb/core/hub.c:4754
+ hub_port_connect_change drivers/usb/core/hub.c:5009
+ port_event drivers/usb/core/hub.c:5115
+ hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195
+ process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
+ process_scheduled_works kernel/workqueue.c:2179
+ worker_thread+0xb2b/0x1850 kernel/workqueue.c:2255
+ kthread+0x3a1/0x470 kernel/kthread.c:231
+ ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
+
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Acked-by: Christian Lamparter <chunkeey@googlemail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intersil/p54/main.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/intersil/p54/main.c
++++ b/drivers/net/wireless/intersil/p54/main.c
+@@ -852,12 +852,11 @@ void p54_unregister_common(struct ieee80
+ {
+       struct p54_common *priv = dev->priv;
+-#ifdef CONFIG_P54_LEDS
+-      p54_unregister_leds(priv);
+-#endif /* CONFIG_P54_LEDS */
+-
+       if (priv->registered) {
+               priv->registered = false;
++#ifdef CONFIG_P54_LEDS
++              p54_unregister_leds(priv);
++#endif /* CONFIG_P54_LEDS */
+               ieee80211_unregister_hw(dev);
+       }
diff --git a/queue-4.14/raid1-prevent-freeze_array-wait_all_barriers-deadlock.patch b/queue-4.14/raid1-prevent-freeze_array-wait_all_barriers-deadlock.patch
new file mode 100644 (file)
index 0000000..861fdb8
--- /dev/null
@@ -0,0 +1,81 @@
+From f6eca2d43ed694ab8124dd24c88277f7eca93b7d Mon Sep 17 00:00:00 2001
+From: Nate Dailey <nate.dailey@stratus.com>
+Date: Tue, 17 Oct 2017 08:17:03 -0400
+Subject: raid1: prevent freeze_array/wait_all_barriers deadlock
+
+From: Nate Dailey <nate.dailey@stratus.com>
+
+commit f6eca2d43ed694ab8124dd24c88277f7eca93b7d upstream.
+
+If freeze_array is attempted in the middle of close_sync/
+wait_all_barriers, deadlock can occur.
+
+freeze_array will wait for nr_pending and nr_queued to line up.
+wait_all_barriers increments nr_pending for each barrier bucket, one
+at a time, but doesn't actually issue IO that could be counted in
+nr_queued. So freeze_array is blocked until wait_all_barriers
+completes and allow_all_barriers runs. At the same time, when
+_wait_barrier sees array_frozen == 1, it stops and waits for
+freeze_array to complete.
+
+Prevent the deadlock by making close_sync call _wait_barrier and
+_allow_barrier for one bucket at a time, instead of deferring the
+_allow_barrier calls until after all _wait_barriers are complete.
+
+Signed-off-by: Nate Dailey <nate.dailey@stratus.com>
+Fix: fd76863e37fe(RAID1: a new I/O barrier implementation to remove resync window)
+Reviewed-by: Coly Li <colyli@suse.de>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid1.c |   24 ++++++------------------
+ 1 file changed, 6 insertions(+), 18 deletions(-)
+
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -990,14 +990,6 @@ static void wait_barrier(struct r1conf *
+       _wait_barrier(conf, idx);
+ }
+-static void wait_all_barriers(struct r1conf *conf)
+-{
+-      int idx;
+-
+-      for (idx = 0; idx < BARRIER_BUCKETS_NR; idx++)
+-              _wait_barrier(conf, idx);
+-}
+-
+ static void _allow_barrier(struct r1conf *conf, int idx)
+ {
+       atomic_dec(&conf->nr_pending[idx]);
+@@ -1011,14 +1003,6 @@ static void allow_barrier(struct r1conf
+       _allow_barrier(conf, idx);
+ }
+-static void allow_all_barriers(struct r1conf *conf)
+-{
+-      int idx;
+-
+-      for (idx = 0; idx < BARRIER_BUCKETS_NR; idx++)
+-              _allow_barrier(conf, idx);
+-}
+-
+ /* conf->resync_lock should be held */
+ static int get_unqueued_pending(struct r1conf *conf)
+ {
+@@ -1654,8 +1638,12 @@ static void print_conf(struct r1conf *co
+ static void close_sync(struct r1conf *conf)
+ {
+-      wait_all_barriers(conf);
+-      allow_all_barriers(conf);
++      int idx;
++
++      for (idx = 0; idx < BARRIER_BUCKETS_NR; idx++) {
++              _wait_barrier(conf, idx);
++              _allow_barrier(conf, idx);
++      }
+       mempool_destroy(conf->r1buf_pool);
+       conf->r1buf_pool = NULL;
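Review bot: The new loop in `close_sync` has no comment explaining why `_wait_barrier` and `_allow_barrier` must be paired per bucket, although that ordering is the entire fix. A comment above the loop would keep a later cleanup from batching the calls again, for example `/* Release each bucket before waiting on the next: holding nr_pending on all buckets at once deadlocks against freeze_array(). */`. `close_sync` continues past the end of the hunk.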
diff --git a/queue-4.14/rt2x00usb-mark-device-removed-when-get-enoent-usb-error.patch b/queue-4.14/rt2x00usb-mark-device-removed-when-get-enoent-usb-error.patch
new file mode 100644 (file)
index 0000000..ac24c24
--- /dev/null
@@ -0,0 +1,65 @@
+From bfa62a52cad93686bb8d8171ea5288813248a7c6 Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Thu, 9 Nov 2017 11:59:24 +0100
+Subject: rt2x00usb: mark device removed when get ENOENT usb error
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit bfa62a52cad93686bb8d8171ea5288813248a7c6 upstream.
+
+ENOENT usb error mean "specified interface or endpoint does not exist or
+is not enabled". Mark device not present when we encounter this error
+similar like we do with ENODEV error.
+
+Otherwise we can have infinite loop in rt2x00usb_work_rxdone(), because
+we remove and put again RX entries to the queue infinitely.
+
+We can have similar situation when submit urb will fail all the time
+with other error, so we need consider to limit number of entries
+processed by rxdone work. But for now, since the patch fixes
+reproducible soft lockup issue on single processor systems
+and taken ENOENT error meaning, let apply this fix.
+
+Patch adds additional ENOENT check not only in rx kick routine, but
+also on other places where we check for ENODEV error.
+
+Reported-by: Richard Genoud <richard.genoud@gmail.com>
+Debugged-by: Richard Genoud <richard.genoud@gmail.com>
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Tested-by: Richard Genoud <richard.genoud@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ralink/rt2x00/rt2x00usb.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c
+@@ -57,7 +57,7 @@ int rt2x00usb_vendor_request(struct rt2x
+               if (status >= 0)
+                       return 0;
+-              if (status == -ENODEV) {
++              if (status == -ENODEV || status == -ENOENT) {
+                       /* Device has disappeared. */
+                       clear_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags);
+                       break;
+@@ -321,7 +321,7 @@ static bool rt2x00usb_kick_tx_entry(stru
+       status = usb_submit_urb(entry_priv->urb, GFP_ATOMIC);
+       if (status) {
+-              if (status == -ENODEV)
++              if (status == -ENODEV || status == -ENOENT)
+                       clear_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags);
+               set_bit(ENTRY_DATA_IO_FAILED, &entry->flags);
+               rt2x00lib_dmadone(entry);
+@@ -410,7 +410,7 @@ static bool rt2x00usb_kick_rx_entry(stru
+       status = usb_submit_urb(entry_priv->urb, GFP_ATOMIC);
+       if (status) {
+-              if (status == -ENODEV)
++              if (status == -ENODEV || status == -ENOENT)
+                       clear_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags);
+               set_bit(ENTRY_DATA_IO_FAILED, &entry->flags);
+               rt2x00lib_dmadone(entry);
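Review bot: The test `status == -ENODEV || status == -ENOENT` is now written out three times, in `rt2x00usb_vendor_request`, `rt2x00usb_kick_tx_entry` and `rt2x00usb_kick_rx_entry`, and the commit message itself notes that other persistent submit errors can cause the same endless requeue in the rxdone work. A small static predicate would keep the list of "device is gone" errors in one place, so a future addition cannot miss one call site and bring the soft lockup back on that path only. The helper name below is a suggestion, and all three functions extend beyond their hunks.

```c
/* True when a USB error code means the device is no longer there. */
static bool rt2x00usb_status_gone(int status)
{
	return status == -ENODEV || status == -ENOENT;
}

/* … unchanged: usb_submit_urb() call in rt2x00usb_kick_rx_entry … */
	if (status) {
		if (rt2x00usb_status_gone(status))
			clear_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags);
```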
diff --git a/queue-4.14/rtlwifi-fix-uninitialized-rtlhal-last_suspend_sec-time.patch b/queue-4.14/rtlwifi-fix-uninitialized-rtlhal-last_suspend_sec-time.patch
new file mode 100644 (file)
index 0000000..0cd09a3
--- /dev/null
@@ -0,0 +1,37 @@
+From 3f2a162fab15aee243178b5308bb5d1206fc4043 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 6 Nov 2017 14:55:35 +0100
+Subject: rtlwifi: fix uninitialized rtlhal->last_suspend_sec time
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 3f2a162fab15aee243178b5308bb5d1206fc4043 upstream.
+
+We set rtlhal->last_suspend_sec to an uninitialized stack variable,
+but unfortunately gcc never warned about this, I only found it
+while working on another patch. I opened a gcc bug for this.
+
+Presumably the value of rtlhal->last_suspend_sec is not all that
+important, but it does get used, so we probably want the
+patch backported to stable kernels.
+
+Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82839
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c
+@@ -1372,6 +1372,7 @@ static void _rtl8821ae_get_wakeup_reason
+       ppsc->wakeup_reason = 0;
++      do_gettimeofday(&ts);
+       rtlhal->last_suspend_sec = ts.tv_sec;
+       switch (fw_reason) {
diff --git a/queue-4.14/rtlwifi-rtl8192ee-fix-memory-leak-when-loading-firmware.patch b/queue-4.14/rtlwifi-rtl8192ee-fix-memory-leak-when-loading-firmware.patch
new file mode 100644 (file)
index 0000000..9f5b58d
--- /dev/null
@@ -0,0 +1,47 @@
+From 519ce2f933fa14acf69d5c8cabcc18711943d629 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Thu, 14 Sep 2017 13:17:44 -0500
+Subject: rtlwifi: rtl8192ee: Fix memory leak when loading firmware
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 519ce2f933fa14acf69d5c8cabcc18711943d629 upstream.
+
+In routine rtl92ee_set_fw_rsvdpagepkt(), the driver allocates an skb, but
+never calls rtl_cmd_send_packet(), which will free the buffer. All other
+rtlwifi drivers perform this operation correctly.
+
+This problem has been in the driver since it was included in the kernel.
+Fortunately, each firmware load only leaks 4 buffers, which likely
+explains why it has not previously been detected.
+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c
+@@ -682,7 +682,7 @@ void rtl92ee_set_fw_rsvdpagepkt(struct i
+       struct rtl_priv *rtlpriv = rtl_priv(hw);
+       struct rtl_mac *mac = rtl_mac(rtl_priv(hw));
+       struct sk_buff *skb = NULL;
+-
++      bool rtstatus;
+       u32 totalpacketlen;
+       u8 u1rsvdpageloc[5] = { 0 };
+       bool b_dlok = false;
+@@ -768,7 +768,9 @@ void rtl92ee_set_fw_rsvdpagepkt(struct i
+       skb = dev_alloc_skb(totalpacketlen);
+       skb_put_data(skb, &reserved_page_packet, totalpacketlen);
+-      b_dlok = true;
++      rtstatus = rtl_cmd_send_packet(hw, skb);
++      if (rtstatus)
++              b_dlok = true;
+       if (b_dlok) {
+               RT_TRACE(rtlpriv, COMP_POWER, DBG_LOUD ,
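Review bot: The result of `dev_alloc_skb(totalpacketlen)` goes straight into `skb_put_data()` and now into `rtl_cmd_send_packet()` without a NULL check, so an allocation failure during firmware load is dereferenced instead of handled. Because `rtl92ee_set_fw_rsvdpagepkt` returns void, `if (!skb) return;` directly after the allocation is enough, assuming nothing acquired earlier in the function (outside the hunk) needs releasing. The new `rtstatus` local only relays the return value; `b_dlok = rtl_cmd_send_packet(hw, skb);` would express the same thing without the extra variable.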
diff --git a/queue-4.14/scsi-lpfc-fix-crash-receiving-els-while-detaching-driver.patch b/queue-4.14/scsi-lpfc-fix-crash-receiving-els-while-detaching-driver.patch
new file mode 100644 (file)
index 0000000..5bef428
--- /dev/null
@@ -0,0 +1,205 @@
+From 1234a6d54fed8a00091968c4eb2fb52e1cbb8e2e Mon Sep 17 00:00:00 2001
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+Date: Fri, 29 Sep 2017 17:34:29 -0700
+Subject: scsi: lpfc: Fix crash receiving ELS while detaching driver
+
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+
+commit 1234a6d54fed8a00091968c4eb2fb52e1cbb8e2e upstream.
+
+The driver crashes when attempting to use a freed ndpl pointer.
+
+The pci_remove_one handler runs on a separate kernel thread. The order
+of the removal is starting by freeing all of the ndlps and then
+disabling interrupts. In between these two events the driver can still
+receive an ELS and process it. When it tries to use the ndlp pointer
+will be NULL
+
+Change the order of the pci_remove_one vs disable interrupts so that
+interrupts are disabled before the ndlp's are freed.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/lpfc/lpfc_attr.c      |    6 ++++--
+ drivers/scsi/lpfc/lpfc_bsg.c       |    4 +++-
+ drivers/scsi/lpfc/lpfc_els.c       |    7 ++++++-
+ drivers/scsi/lpfc/lpfc_hbadisc.c   |    5 ++++-
+ drivers/scsi/lpfc/lpfc_init.c      |   14 +++++++-------
+ drivers/scsi/lpfc/lpfc_nportdisc.c |    2 +-
+ drivers/scsi/lpfc/lpfc_sli.c       |   12 ++++++++++++
+ 7 files changed, 37 insertions(+), 13 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_attr.c
++++ b/drivers/scsi/lpfc/lpfc_attr.c
+@@ -3134,7 +3134,8 @@ lpfc_txq_hw_show(struct device *dev, str
+       struct lpfc_hba   *phba = ((struct lpfc_vport *) shost->hostdata)->phba;
+       struct lpfc_sli_ring *pring = lpfc_phba_elsring(phba);
+-      return snprintf(buf, PAGE_SIZE, "%d\n", pring->txq_max);
++      return snprintf(buf, PAGE_SIZE, "%d\n",
++                      pring ? pring->txq_max : 0);
+ }
+ static DEVICE_ATTR(txq_hw, S_IRUGO,
+@@ -3147,7 +3148,8 @@ lpfc_txcmplq_hw_show(struct device *dev,
+       struct lpfc_hba   *phba = ((struct lpfc_vport *) shost->hostdata)->phba;
+       struct lpfc_sli_ring *pring = lpfc_phba_elsring(phba);
+-      return snprintf(buf, PAGE_SIZE, "%d\n", pring->txcmplq_max);
++      return snprintf(buf, PAGE_SIZE, "%d\n",
++                      pring ? pring->txcmplq_max : 0);
+ }
+ static DEVICE_ATTR(txcmplq_hw, S_IRUGO,
+--- a/drivers/scsi/lpfc/lpfc_bsg.c
++++ b/drivers/scsi/lpfc/lpfc_bsg.c
+@@ -2911,7 +2911,7 @@ static int lpfcdiag_loop_post_rxbufs(str
+               }
+       }
+-      if (!cmdiocbq || !rxbmp || !rxbpl || !rxbuffer) {
++      if (!cmdiocbq || !rxbmp || !rxbpl || !rxbuffer || !pring) {
+               ret_val = -ENOMEM;
+               goto err_post_rxbufs_exit;
+       }
+@@ -5421,6 +5421,8 @@ lpfc_bsg_timeout(struct bsg_job *job)
+       struct lpfc_iocbq *check_iocb, *next_iocb;
+       pring = lpfc_phba_elsring(phba);
++      if (unlikely(!pring))
++              return -EIO;
+       /* if job's driver data is NULL, the command completed or is in the
+        * the process of completing.  In this case, return status to request
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -7430,6 +7430,8 @@ lpfc_els_timeout_handler(struct lpfc_vpo
+       timeout = (uint32_t)(phba->fc_ratov << 1);
+       pring = lpfc_phba_elsring(phba);
++      if (unlikely(!pring))
++              return;
+       if ((phba->pport->load_flag & FC_UNLOADING))
+               return;
+@@ -9310,6 +9312,9 @@ void lpfc_fabric_abort_nport(struct lpfc
+       pring = lpfc_phba_elsring(phba);
++      if (unlikely(!pring))
++              return;
++
+       spin_lock_irq(&phba->hbalock);
+       list_for_each_entry_safe(piocb, tmp_iocb, &phba->fabric_iocb_list,
+                                list) {
+@@ -9416,7 +9421,7 @@ lpfc_sli4_els_xri_aborted(struct lpfc_hb
+                               rxid, 1);
+                       /* Check if TXQ queue needs to be serviced */
+-                      if (!(list_empty(&pring->txq)))
++                      if (pring && !list_empty(&pring->txq))
+                               lpfc_worker_wake_up(phba);
+                       return;
+               }
+--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
+@@ -3324,7 +3324,8 @@ lpfc_mbx_cmpl_read_topology(struct lpfc_
+       /* Unblock ELS traffic */
+       pring = lpfc_phba_elsring(phba);
+-      pring->flag &= ~LPFC_STOP_IOCB_EVENT;
++      if (pring)
++              pring->flag &= ~LPFC_STOP_IOCB_EVENT;
+       /* Check for error */
+       if (mb->mbxStatus) {
+@@ -5430,6 +5431,8 @@ lpfc_free_tx(struct lpfc_hba *phba, stru
+       psli = &phba->sli;
+       pring = lpfc_phba_elsring(phba);
++      if (unlikely(!pring))
++              return;
+       /* Error matching iocb on txq or txcmplq
+        * First check the txq.
+--- a/drivers/scsi/lpfc/lpfc_init.c
++++ b/drivers/scsi/lpfc/lpfc_init.c
+@@ -11404,6 +11404,13 @@ lpfc_pci_remove_one_s4(struct pci_dev *p
+       /* Remove FC host and then SCSI host with the physical port */
+       fc_remove_host(shost);
+       scsi_remove_host(shost);
++      /*
++       * Bring down the SLI Layer. This step disables all interrupts,
++       * clears the rings, discards all mailbox commands, and resets
++       * the HBA FCoE function.
++       */
++      lpfc_debugfs_terminate(vport);
++      lpfc_sli4_hba_unset(phba);
+       /* Perform ndlp cleanup on the physical port.  The nvme and nvmet
+        * localports are destroyed after to cleanup all transport memory.
+@@ -11412,13 +11419,6 @@ lpfc_pci_remove_one_s4(struct pci_dev *p
+       lpfc_nvmet_destroy_targetport(phba);
+       lpfc_nvme_destroy_localport(vport);
+-      /*
+-       * Bring down the SLI Layer. This step disables all interrupts,
+-       * clears the rings, discards all mailbox commands, and resets
+-       * the HBA FCoE function.
+-       */
+-      lpfc_debugfs_terminate(vport);
+-      lpfc_sli4_hba_unset(phba);
+       lpfc_stop_hba_timers(phba);
+       spin_lock_irq(&phba->hbalock);
+--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
+@@ -216,7 +216,7 @@ lpfc_els_abort(struct lpfc_hba *phba, st
+       pring = lpfc_phba_elsring(phba);
+       /* In case of error recovery path, we might have a NULL pring here */
+-      if (!pring)
++      if (unlikely(!pring))
+               return;
+       /* Abort outstanding I/O on NPort <nlp_DID> */
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -10632,6 +10632,14 @@ lpfc_sli_issue_abort_iotag(struct lpfc_h
+           (cmdiocb->iocb_flag & LPFC_DRIVER_ABORTED) != 0)
+               return 0;
++      if (!pring) {
++              if (cmdiocb->iocb_flag & LPFC_IO_FABRIC)
++                      cmdiocb->fabric_iocb_cmpl = lpfc_ignore_els_cmpl;
++              else
++                      cmdiocb->iocb_cmpl = lpfc_ignore_els_cmpl;
++              goto abort_iotag_exit;
++      }
++
+       /*
+        * If we're unloading, don't abort iocb on the ELS ring, but change
+        * the callback so that nothing happens when it finishes.
+@@ -12500,6 +12508,8 @@ lpfc_sli4_els_wcqe_to_rspiocbq(struct lp
+       unsigned long iflags;
+       pring = lpfc_phba_elsring(phba);
++      if (unlikely(!pring))
++              return NULL;
+       wcqe = &irspiocbq->cq_event.cqe.wcqe_cmpl;
+       spin_lock_irqsave(&pring->ring_lock, iflags);
+@@ -18694,6 +18704,8 @@ lpfc_drain_txq(struct lpfc_hba *phba)
+       uint32_t txq_cnt = 0;
+       pring = lpfc_phba_elsring(phba);
++      if (unlikely(!pring))
++              return 0;
+       spin_lock_irqsave(&pring->ring_lock, iflags);
+       list_for_each_entry(piocbq, &pring->txq, list) {
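Review bot: In the lpfc_sli.c section, the new `if (unlikely(!pring)) return NULL;` in lpfc_sli4_els_wcqe_to_rspiocbq() returns without releasing irspiocbq. The function's other NULL return, the "0386 ELS complete with no corresponding cmdiocb" path visible in the list_add patch later on this page, calls lpfc_sli_release_iocbq(phba, irspiocbq) first. If the caller hands ownership of irspiocbq to this function, as that path suggests, every ELS completion arriving during teardown would leak one iocbq. The early exit should mirror it: `if (unlikely(!pring)) { lpfc_sli_release_iocbq(phba, irspiocbq); return NULL; }`. The function body continues outside the hunk, so the ownership rule should be confirmed against the caller.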
diff --git a/queue-4.14/scsi-lpfc-fix-fcp-hba_wqidx-assignment.patch b/queue-4.14/scsi-lpfc-fix-fcp-hba_wqidx-assignment.patch
new file mode 100644 (file)
index 0000000..55b6aa1
--- /dev/null
@@ -0,0 +1,40 @@
+From 8e036a9497c5d565baafda4c648f2f372999a547 Mon Sep 17 00:00:00 2001
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+Date: Fri, 29 Sep 2017 17:34:35 -0700
+Subject: scsi: lpfc: Fix FCP hba_wqidx assignment
+
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+
+commit 8e036a9497c5d565baafda4c648f2f372999a547 upstream.
+
+The driver is encountering  oops in lpfc_sli_calc_ring.
+
+The driver is setting hba_wqidx for FCP based on the policy in use for
+NVME. The two may not be the same.  Change to set the wqidx based on the
+FCP policy.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index 2893d4fb9654..8c37885f4851 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -9396,10 +9396,13 @@ lpfc_sli4_calc_ring(struct lpfc_hba *phba, struct lpfc_iocbq *piocb)
+                        * for abort iocb hba_wqidx should already
+                        * be setup based on what work queue we used.
+                        */
+-                      if (!(piocb->iocb_flag & LPFC_USE_FCPWQIDX))
++                      if (!(piocb->iocb_flag & LPFC_USE_FCPWQIDX)) {
+                               piocb->hba_wqidx =
+                                       lpfc_sli4_scmd_to_wqidx_distr(phba,
+                                                             piocb->context1);
++                              piocb->hba_wqidx = piocb->hba_wqidx %
++                                      phba->cfg_fcp_io_channel;
++                      }
+                       return phba->sli4_hba.fcp_wq[piocb->hba_wqidx]->pring;
+               } else {
+                       if (unlikely(!phba->sli4_hba.oas_wq))
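Review bot: The added `piocb->hba_wqidx % phba->cfg_fcp_io_channel` divides by a configuration value with no visible guarantee that it is non-zero. A zero would fault on the modulo itself, before the fcp_wq[] lookup the change is meant to keep in range. Whether cfg_fcp_io_channel can be zero on this path cannot be told from the hunk, since lpfc_sli4_calc_ring() starts above it, so either a guard or a comment stating the invariant is worth adding. The two assignments can also be folded into one: `piocb->hba_wqidx = lpfc_sli4_scmd_to_wqidx_distr(phba, piocb->context1) % phba->cfg_fcp_io_channel;`.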
diff --git a/queue-4.14/scsi-lpfc-fix-oops-if-nvmet_fc_register_targetport-fails.patch b/queue-4.14/scsi-lpfc-fix-oops-if-nvmet_fc_register_targetport-fails.patch
new file mode 100644 (file)
index 0000000..c3895dc
--- /dev/null
@@ -0,0 +1,60 @@
+From e7981a2c725f8e237f749fa1358997707d57e32c Mon Sep 17 00:00:00 2001
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+Date: Fri, 29 Sep 2017 17:34:39 -0700
+Subject: scsi: lpfc: Fix oops if nvmet_fc_register_targetport fails
+
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+
+commit e7981a2c725f8e237f749fa1358997707d57e32c upstream.
+
+if nvmet targetport registration fails, the driver encounters a NULL
+pointer oops in lpfc_hb_timeout_handler.
+
+To fix: if registration fails, ensure nvmet_support is cleared on the
+port structure.
+
+Also enhanced the log message on failure.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/lpfc/lpfc_nvmet.c |   15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_nvmet.c
++++ b/drivers/scsi/lpfc/lpfc_nvmet.c
+@@ -1138,9 +1138,14 @@ lpfc_nvmet_create_targetport(struct lpfc
+ #endif
+       if (error) {
+               lpfc_printf_log(phba, KERN_ERR, LOG_NVME_DISC,
+-                              "6025 Cannot register NVME targetport "
+-                              "x%x\n", error);
++                              "6025 Cannot register NVME targetport x%x: "
++                              "portnm %llx nodenm %llx segs %d qs %d\n",
++                              error,
++                              pinfo.port_name, pinfo.node_name,
++                              lpfc_tgttemplate.max_sgl_segments,
++                              lpfc_tgttemplate.max_hw_queues);
+               phba->targetport = NULL;
++              phba->nvmet_support = 0;
+               lpfc_nvmet_cleanup_io_context(phba);
+@@ -1152,9 +1157,11 @@ lpfc_nvmet_create_targetport(struct lpfc
+               lpfc_printf_log(phba, KERN_INFO, LOG_NVME_DISC,
+                               "6026 Registered NVME "
+                               "targetport: %p, private %p "
+-                              "portnm %llx nodenm %llx\n",
++                              "portnm %llx nodenm %llx segs %d qs %d\n",
+                               phba->targetport, tgtp,
+-                              pinfo.port_name, pinfo.node_name);
++                              pinfo.port_name, pinfo.node_name,
++                              lpfc_tgttemplate.max_sgl_segments,
++                              lpfc_tgttemplate.max_hw_queues);
+               atomic_set(&tgtp->rcv_ls_req_in, 0);
+               atomic_set(&tgtp->rcv_ls_req_out, 0);
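Review bot: The "6026 Registered NVME targetport" message extended by this hunk still formats phba->targetport and tgtp with `%p` at KERN_INFO, which writes kernel addresses to the log on kernels that do not hash `%p`. Since the format string is being rewritten anyway, dropping the two pointers or printing them with `%pK` would avoid that. The new `segs %d qs %d` specifiers should also be checked against the declared types of max_sgl_segments and max_hw_queues, which are not visible here; `%u` is the match if they are unsigned.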
diff --git a/queue-4.14/scsi-lpfc-fix-pci-hot-plug-crash-in-list_add-call.patch b/queue-4.14/scsi-lpfc-fix-pci-hot-plug-crash-in-list_add-call.patch
new file mode 100644 (file)
index 0000000..4a15a4c
--- /dev/null
@@ -0,0 +1,66 @@
+From 401bb4169da655f3e5d28d0b208182e1ab60bf2a Mon Sep 17 00:00:00 2001
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+Date: Fri, 29 Sep 2017 17:34:28 -0700
+Subject: scsi: lpfc: fix pci hot plug crash in list_add call
+
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+
+commit 401bb4169da655f3e5d28d0b208182e1ab60bf2a upstream.
+
+During pci hot plug, the kernel crashes in a list_add_call
+
+The lookup by tag function will return null if the IOCB is out of range
+or does not have the on txcmplq flag set.
+
+Fix: Check for null return from lookup by tag.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/lpfc/lpfc_sli.c |   17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -12507,19 +12507,21 @@ lpfc_sli4_els_wcqe_to_rspiocbq(struct lp
+       /* Look up the ELS command IOCB and create pseudo response IOCB */
+       cmdiocbq = lpfc_sli_iocbq_lookup_by_tag(phba, pring,
+                               bf_get(lpfc_wcqe_c_request_tag, wcqe));
+-      /* Put the iocb back on the txcmplq */
+-      lpfc_sli_ringtxcmpl_put(phba, pring, cmdiocbq);
+-      spin_unlock_irqrestore(&pring->ring_lock, iflags);
+-
+       if (unlikely(!cmdiocbq)) {
++              spin_unlock_irqrestore(&pring->ring_lock, iflags);
+               lpfc_printf_log(phba, KERN_WARNING, LOG_SLI,
+                               "0386 ELS complete with no corresponding "
+-                              "cmdiocb: iotag (%d)\n",
+-                              bf_get(lpfc_wcqe_c_request_tag, wcqe));
++                              "cmdiocb: 0x%x 0x%x 0x%x 0x%x\n",
++                              wcqe->word0, wcqe->total_data_placed,
++                              wcqe->parameter, wcqe->word3);
+               lpfc_sli_release_iocbq(phba, irspiocbq);
+               return NULL;
+       }
++      /* Put the iocb back on the txcmplq */
++      lpfc_sli_ringtxcmpl_put(phba, pring, cmdiocbq);
++      spin_unlock_irqrestore(&pring->ring_lock, iflags);
++
+       /* Fake the irspiocbq and copy necessary response information */
+       lpfc_sli4_iocb_param_transfer(phba, irspiocbq, cmdiocbq, wcqe);
+@@ -17137,7 +17139,8 @@ exit:
+       if (pcmd && pcmd->virt)
+               dma_pool_free(phba->lpfc_drb_pool, pcmd->virt, pcmd->phys);
+       kfree(pcmd);
+-      lpfc_sli_release_iocbq(phba, iocbq);
++      if (iocbq)
++              lpfc_sli_release_iocbq(phba, iocbq);
+       lpfc_in_buf_free(phba, &dmabuf->dbuf);
+ }
diff --git a/queue-4.14/scsi-lpfc-fix-pci-hot-plug-crash-in-timer-management-routines.patch b/queue-4.14/scsi-lpfc-fix-pci-hot-plug-crash-in-timer-management-routines.patch
new file mode 100644 (file)
index 0000000..d2120db
--- /dev/null
@@ -0,0 +1,38 @@
+From 1901762f2ca2747ed269239ca5332a8023ce4e3d Mon Sep 17 00:00:00 2001
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+Date: Fri, 29 Sep 2017 17:34:27 -0700
+Subject: scsi: lpfc: fix pci hot plug crash in timer management routines
+
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+
+commit 1901762f2ca2747ed269239ca5332a8023ce4e3d upstream.
+
+During pci hot plug, the kernel crashes in timer management code.
+
+The sli4 remove_one handler is not stoping the timers as it starts to
+remove the port so that it can be swapped.
+
+Fix: Stop the timers early in the handler routine.
+
+Note: Fix in SLI-4 only. SLI-3 already stopped the timers properly.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/lpfc/lpfc_init.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/lpfc/lpfc_init.c
++++ b/drivers/scsi/lpfc/lpfc_init.c
+@@ -11420,6 +11420,7 @@ lpfc_pci_remove_one_s4(struct pci_dev *p
+       lpfc_debugfs_terminate(vport);
+       lpfc_sli4_hba_unset(phba);
++      lpfc_stop_hba_timers(phba);
+       spin_lock_irq(&phba->hbalock);
+       list_del_init(&vport->listentry);
+       spin_unlock_irq(&phba->hbalock);
diff --git a/queue-4.14/scsi-qla2xxx-suppress-a-kernel-complaint-in-qla_init_base_qpair.patch b/queue-4.14/scsi-qla2xxx-suppress-a-kernel-complaint-in-qla_init_base_qpair.patch
new file mode 100644 (file)
index 0000000..a2622bb
--- /dev/null
@@ -0,0 +1,60 @@
+From 8653188763b56e0bcbdcab30cc7b059672c900ac Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Mon, 6 Nov 2017 11:59:05 -0800
+Subject: scsi: qla2xxx: Suppress a kernel complaint in qla_init_base_qpair()
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+commit 8653188763b56e0bcbdcab30cc7b059672c900ac upstream.
+
+Avoid that the following is reported while loading the qla2xxx
+kernel module:
+
+BUG: using smp_processor_id() in preemptible [00000000] code: modprobe/783
+caller is debug_smp_processor_id+0x17/0x20
+CPU: 7 PID: 783 Comm: modprobe Not tainted 4.14.0-rc8-dbg+ #2
+Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+Call Trace:
+ dump_stack+0x8e/0xce
+ check_preemption_disabled+0xe3/0xf0
+ debug_smp_processor_id+0x17/0x20
+ qla2x00_probe_one+0xf43/0x26c0 [qla2xxx]
+ pci_device_probe+0xca/0x140
+ driver_probe_device+0x2e2/0x440
+ __driver_attach+0xa3/0xe0
+ bus_for_each_dev+0x5f/0x90
+ driver_attach+0x19/0x20
+ bus_add_driver+0x1c0/0x260
+ driver_register+0x5b/0xd0
+ __pci_register_driver+0x63/0x70
+ qla2x00_module_init+0x1d6/0x222 [qla2xxx]
+ do_one_initcall+0x3c/0x163
+ do_init_module+0x55/0x1eb
+ load_module+0x20a2/0x2890
+ SYSC_finit_module+0xd7/0xf0
+ SyS_finit_module+0x9/0x10
+ entry_SYSCALL_64_fastpath+0x23/0xc2
+
+Fixes: commit 8abfa9e22683 ("scsi: qla2xxx: Add function call to qpair for door bell")
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: Quinn Tran <quinn.tran@cavium.com>
+Cc: Himanshu Madhani <himanshu.madhani@cavium.com>
+Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_os.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -388,7 +388,7 @@ static void qla_init_base_qpair(struct s
+       INIT_LIST_HEAD(&ha->base_qpair->nvme_done_list);
+       ha->base_qpair->enable_class_2 = ql2xenableclass2;
+       /* init qpair to this cpu. Will adjust at run time. */
+-      qla_cpu_update(rsp->qpair, smp_processor_id());
++      qla_cpu_update(rsp->qpair, raw_smp_processor_id());
+       ha->base_qpair->pdev = ha->pdev;
+       if (IS_QLA27XX(ha) || IS_QLA83XX(ha))
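Review bot: The switch to raw_smp_processor_id() silences the preemption check but leaves the reason undocumented in the code, so a later reader may change it back. The existing comment could carry it, for example `/* init qpair to this cpu; preemptible here, so the id is only a hint. Will adjust at run time. */`. qla_init_base_qpair() begins and ends outside the hunk, so whether anything consumes the initial value before the run-time adjustment cannot be confirmed from here.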
diff --git a/queue-4.14/scsi-sd_zbc-fix-sd_zbc_read_zoned_characteristics.patch b/queue-4.14/scsi-sd_zbc-fix-sd_zbc_read_zoned_characteristics.patch
new file mode 100644 (file)
index 0000000..1aca784
--- /dev/null
@@ -0,0 +1,46 @@
+From 4a109032e3941413d8a029f619543fc5aec1d26d Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <damien.lemoal@wdc.com>
+Date: Wed, 11 Oct 2017 05:54:25 +0900
+Subject: scsi: sd_zbc: Fix sd_zbc_read_zoned_characteristics()
+
+From: Damien Le Moal <damien.lemoal@wdc.com>
+
+commit 4a109032e3941413d8a029f619543fc5aec1d26d upstream.
+
+The three values starting at byte 8 of the Zoned Block Device
+Characteristics VPD page B6h are 32 bits values, not 64bits. So use
+get_unaligned_be32() to retrieve the values and not get_unaligned_be64()
+
+Fixes: 89d947561077 ("sd: Implement support for ZBC devices")
+Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
+Reviewed-by: Bart Van Assche <Bart.VanAssche@wdc.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sd_zbc.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/sd_zbc.c
++++ b/drivers/scsi/sd_zbc.c
+@@ -375,15 +375,15 @@ static int sd_zbc_read_zoned_characteris
+       if (sdkp->device->type != TYPE_ZBC) {
+               /* Host-aware */
+               sdkp->urswrz = 1;
+-              sdkp->zones_optimal_open = get_unaligned_be64(&buf[8]);
+-              sdkp->zones_optimal_nonseq = get_unaligned_be64(&buf[12]);
++              sdkp->zones_optimal_open = get_unaligned_be32(&buf[8]);
++              sdkp->zones_optimal_nonseq = get_unaligned_be32(&buf[12]);
+               sdkp->zones_max_open = 0;
+       } else {
+               /* Host-managed */
+               sdkp->urswrz = buf[4] & 1;
+               sdkp->zones_optimal_open = 0;
+               sdkp->zones_optimal_nonseq = 0;
+-              sdkp->zones_max_open = get_unaligned_be64(&buf[16]);
++              sdkp->zones_max_open = get_unaligned_be32(&buf[16]);
+       }
+       return 0;
index 6163eea37866d06eac1238228660d697e1f814e1..9fb800ab3d0c1ce9f6ca8d63a3233108267043c3 100644 (file)
@@ -42,3 +42,92 @@ dm-bufio-fix-integer-overflow-when-limiting-maximum-cache-size.patch
 ovl-put-upperdentry-if-ovl_check_origin-fails.patch
 dm-allocate-struct-mapped_device-with-kvzalloc.patch
 sched-rt-simplify-the-ipi-based-rt-balancing-logic.patch
+mips-pci-remove-kern_warn-instance-inside-the-mt7620-driver.patch
+dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch
+dm-discard-support-requires-all-targets-in-a-table-support-discards.patch
+mips-fix-odd-fp-register-warnings-with-mips64r2.patch
+mips-fix-mips64-fp-save-restore-on-32-bit-kernels.patch
+mips-dts-remove-bogus-bcm96358nb4ser.dtb-from-dtb-y-entry.patch
+mips-fix-an-n32-core-file-generation-regset-support-regression.patch
+mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch
+mips-math-emu-fix-final-emulation-phase-for-certain-instructions.patch
+rt2x00usb-mark-device-removed-when-get-enoent-usb-error.patch
+mm-z3fold.c-use-kref-to-prevent-page-free-compact-race.patch
+autofs-don-t-fail-mount-for-transient-error.patch
+nilfs2-fix-race-condition-that-causes-file-system-corruption.patch
+fscrypt-lock-mutex-before-checking-for-bounce-page-pool.patch
+ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch
+libceph-don-t-warn-if-user-tries-to-add-invalid-key.patch
+bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch
+bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch
+fs-guard_bio_eod-needs-to-consider-partitions.patch
+fanotify-fix-fsnotify_prepare_user_wait-failure.patch
+isofs-fix-timestamps-beyond-2027.patch
+btrfs-change-how-we-decide-to-commit-transactions-during-flushing.patch
+f2fs-expose-some-sectors-to-user-in-inline-data-or-dentry-case.patch
+nfs-fix-typo-in-nomigration-mount-option.patch
+nfs-revert-nfs-move-the-flock-open-mode-check-into-nfs_flock.patch
+nfs-fix-ugly-referral-attributes.patch
+nfs-avoid-rcu-usage-in-tracepoints.patch
+nfs-revalidate-.-etc-correctly-on-open.patch
+nfsd-deal-with-revoked-delegations-appropriately.patch
+rtlwifi-rtl8192ee-fix-memory-leak-when-loading-firmware.patch
+rtlwifi-fix-uninitialized-rtlhal-last_suspend_sec-time.patch
+iwlwifi-fix-firmware-names-for-9000-and-a000-series-hw.patch
+md-fix-deadlock-error-in-recent-patch.patch
+md-don-t-check-md_sb_change_clean-in-md_allow_write.patch
+bluetooth-btqcomsmd-add-support-for-bd-address-setup.patch
+md-bitmap-revert-a-patch.patch
+fsnotify-clean-up-fsnotify_prepare-finish_user_wait.patch
+fsnotify-pin-both-inode-and-vfsmount-mark.patch
+fsnotify-fix-pinning-group-in-fsnotify_prepare_user_wait.patch
+ata-fixes-kernel-crash-while-tracing-ata_eh_link_autopsy-event.patch
+ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch
+ext4-prevent-data-corruption-with-inline-data-dax.patch
+ext4-prevent-data-corruption-with-journaling-dax.patch
+alsa-pcm-update-tstamp-only-if-audio_tstamp-changed.patch
+alsa-usb-audio-add-sanity-checks-to-fe-parser.patch
+alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch
+alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch
+alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch
+alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch
+alsa-hda-realtek-fix-alc275-no-sound-issue.patch
+alsa-hda-fix-too-short-hdmi-dp-chmap-reporting.patch
+alsa-hda-fix-yet-remaining-issue-with-vmaster-0db-initialization.patch
+alsa-hda-realtek-fix-alc700-family-no-sound-issue.patch
+asoc-sun8i-codec-invert-master-slave-condition.patch
+asoc-sun8i-codec-fix-left-and-right-channels-inversion.patch
+asoc-sun8i-codec-set-the-bclk-divider.patch
+mfd-lpc_ich-avoton-rangeley-uses-spi_byt-method.patch
+fix-a-page-leak-in-vhost_scsi_iov_to_sgl-error-recovery.patch
+9p-fix-missing-commas-in-mount-options.patch
+fs-9p-compare-qid.path-in-v9fs_test_inode.patch
+net-9p-switch-to-wait_event_killable.patch
+scsi-qla2xxx-suppress-a-kernel-complaint-in-qla_init_base_qpair.patch
+scsi-sd_zbc-fix-sd_zbc_read_zoned_characteristics.patch
+scsi-lpfc-fix-pci-hot-plug-crash-in-timer-management-routines.patch
+scsi-lpfc-fix-pci-hot-plug-crash-in-list_add-call.patch
+scsi-lpfc-fix-crash-receiving-els-while-detaching-driver.patch
+scsi-lpfc-fix-fcp-hba_wqidx-assignment.patch
+scsi-lpfc-fix-oops-if-nvmet_fc_register_targetport-fails.patch
+iscsi-target-make-task_reassign-use-proper-se_cmd-cmd_kref.patch
+iscsi-target-fix-non-immediate-tmr-reference-leak.patch
+target-fix-null-pointer-regression-in-core_tmr_drain_tmr_list.patch
+target-fix-buffer-offset-in-core_scsi3_pri_read_full_status.patch
+target-fix-queue_full-scsi-task-attribute-handling.patch
+target-fix-caw_sem-leak-in-transport_generic_request_failure.patch
+target-fix-quiese-during-transport_write_pending_qf-endless-loop.patch
+target-avoid-early-cmd_t_pre_execute-failures-during-abort_task.patch
+mtd-avoid-probe-failures-when-mtd-dbg.dfs_dir-is-invalid.patch
+mtd-nand-export-nand_reset-symbol.patch
+mtd-nand-atmel-actually-use-the-pm-ops.patch
+mtd-nand-omap2-fix-subpage-write.patch
+mtd-nand-fix-writing-mtdoops-to-nand-flash.patch
+mtd-nand-mtk-fix-infinite-ecc-decode-irq-issue.patch
+mailbox-bcm-flexrm-mailbox-fix-flexrm-ring-flush-sequence.patch
+p54-don-t-unregister-leds-when-they-are-not-initialized.patch
+block-fix-a-race-between-blk_cleanup_queue-and-timeout-handling.patch
+raid1-prevent-freeze_array-wait_all_barriers-deadlock.patch
+genirq-track-whether-the-trigger-type-has-been-set.patch
+irqchip-gic-v3-fix-ppi-partitions-lookup.patch
+lockd-double-unregister-of-inetaddr-notifiers.patch
diff --git a/queue-4.14/target-avoid-early-cmd_t_pre_execute-failures-during-abort_task.patch b/queue-4.14/target-avoid-early-cmd_t_pre_execute-failures-during-abort_task.patch
new file mode 100644 (file)
index 0000000..cb508f1
--- /dev/null
@@ -0,0 +1,93 @@
+From 1c21a48055a67ceb693e9c2587824a8de60a217c Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Fri, 27 Oct 2017 22:19:26 -0800
+Subject: target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 1c21a48055a67ceb693e9c2587824a8de60a217c upstream.
+
+This patch fixes bug where early se_cmd exceptions that occur
+before backend execution can result in use-after-free if/when
+a subsequent ABORT_TASK occurs for the same tag.
+
+Since an early se_cmd exception will have had se_cmd added to
+se_session->sess_cmd_list via target_get_sess_cmd(), it will
+not have CMD_T_COMPLETE set by the usual target_complete_cmd()
+backend completion path.
+
+This causes a subsequent ABORT_TASK + __target_check_io_state()
+to signal ABORT_TASK should proceed.  As core_tmr_abort_task()
+executes, it will bring the outstanding se_cmd->cmd_kref count
+down to zero releasing se_cmd, after se_cmd has already been
+queued with error status into fabric driver response path code.
+
+To address this bug, introduce a CMD_T_PRE_EXECUTE bit that is
+set at target_get_sess_cmd() time, and cleared immediately before
+backend driver dispatch in target_execute_cmd() once CMD_T_ACTIVE
+is set.
+
+Then, check CMD_T_PRE_EXECUTE within __target_check_io_state() to
+determine when an early exception has occured, and avoid aborting
+this se_cmd since it will have already been queued into fabric
+driver response path code.
+
+Reported-by: Donald White <dew@datera.io>
+Cc: Donald White <dew@datera.io>
+Cc: Mike Christie <mchristi@redhat.com>
+Cc: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_tmr.c       |    9 +++++++++
+ drivers/target/target_core_transport.c |    2 ++
+ include/target/target_core_base.h      |    1 +
+ 3 files changed, 12 insertions(+)
+
+--- a/drivers/target/target_core_tmr.c
++++ b/drivers/target/target_core_tmr.c
+@@ -133,6 +133,15 @@ static bool __target_check_io_state(stru
+               spin_unlock(&se_cmd->t_state_lock);
+               return false;
+       }
++      if (se_cmd->transport_state & CMD_T_PRE_EXECUTE) {
++              if (se_cmd->scsi_status) {
++                      pr_debug("Attempted to abort io tag: %llu early failure"
++                               " status: 0x%02x\n", se_cmd->tag,
++                               se_cmd->scsi_status);
++                      spin_unlock(&se_cmd->t_state_lock);
++                      return false;
++              }
++      }
+       if (sess->sess_tearing_down || se_cmd->cmd_wait_set) {
+               pr_debug("Attempted to abort io tag: %llu already shutdown,"
+                       " skipping\n", se_cmd->tag);
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -1974,6 +1974,7 @@ void target_execute_cmd(struct se_cmd *c
+       }
+       cmd->t_state = TRANSPORT_PROCESSING;
++      cmd->transport_state &= ~CMD_T_PRE_EXECUTE;
+       cmd->transport_state |= CMD_T_ACTIVE | CMD_T_SENT;
+       spin_unlock_irq(&cmd->t_state_lock);
+@@ -2682,6 +2683,7 @@ int target_get_sess_cmd(struct se_cmd *s
+               ret = -ESHUTDOWN;
+               goto out;
+       }
++      se_cmd->transport_state |= CMD_T_PRE_EXECUTE;
+       list_add_tail(&se_cmd->se_cmd_list, &se_sess->sess_cmd_list);
+ out:
+       spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags);
+--- a/include/target/target_core_base.h
++++ b/include/target/target_core_base.h
+@@ -490,6 +490,7 @@ struct se_cmd {
+ #define CMD_T_STOP            (1 << 5)
+ #define CMD_T_TAS             (1 << 10)
+ #define CMD_T_FABRIC_STOP     (1 << 11)
++#define CMD_T_PRE_EXECUTE     (1 << 12)
+       spinlock_t              t_state_lock;
+       struct kref             cmd_kref;
+       struct completion       t_transport_stop_comp;
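Review bot: In __target_check_io_state() the new CMD_T_PRE_EXECUTE branch refuses the abort only when se_cmd->scsi_status is non-zero. The fix therefore depends on every early-exception path setting scsi_status before the command is queued to the fabric response path. That ordering is not visible in these hunks; if any early failure leaves scsi_status at zero, the abort would still proceed and drop cmd_kref, which is the use-after-free the commit message describes. A comment on the branch stating this assumption would help, and the nested ifs can be a single condition: `if ((se_cmd->transport_state & CMD_T_PRE_EXECUTE) && se_cmd->scsi_status) {`.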
diff --git a/queue-4.14/target-fix-buffer-offset-in-core_scsi3_pri_read_full_status.patch b/queue-4.14/target-fix-buffer-offset-in-core_scsi3_pri_read_full_status.patch
new file mode 100644 (file)
index 0000000..87b4a00
--- /dev/null
@@ -0,0 +1,40 @@
+From c58a252beb04cf0e02d6a746b2ed7ea89b6deb71 Mon Sep 17 00:00:00 2001
+From: tangwenji <tang.wenji@zte.com.cn>
+Date: Thu, 17 Aug 2017 19:51:54 +0800
+Subject: target: fix buffer offset in core_scsi3_pri_read_full_status
+
+From: tangwenji <tang.wenji@zte.com.cn>
+
+commit c58a252beb04cf0e02d6a746b2ed7ea89b6deb71 upstream.
+
+When at least two initiators register pr on the same LUN,
+the target returns the exception data due to buffer offset
+error, therefore the initiator executes command 'sg_persist -s'
+may cause the initiator to appear segfault error.
+
+This fixes a regression originally introduced by:
+
+  commit a85d667e58bddf73be84d1981b41eaac985ed216
+  Author: Bart Van Assche <bart.vanassche@sandisk.com>
+  Date:   Tue May 23 16:48:27 2017 -0700
+
+      target: Use {get,put}_unaligned_be*() instead of open coding these functions
+
+Signed-off-by: tangwenji <tang.wenji@zte.com.cn>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_pr.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -4011,6 +4011,7 @@ core_scsi3_pri_read_full_status(struct s
+                * Set the ADDITIONAL DESCRIPTOR LENGTH
+                */
+               put_unaligned_be32(desc_len, &buf[off]);
++              off += 4;
+               /*
+                * Size of full desctipor header minus TransportID
+                * containing $FABRIC_MOD specific) initiator device/port
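Review bot: In the inner hunk for core_scsi3_pri_read_full_status(), the store `put_unaligned_be32(desc_len, &buf[off]);` and the new `off += 4;` appear with no bound on `off` in view, so confirm that the length check earlier in the loop (outside this hunk) counts the 4-byte ADDITIONAL DESCRIPTOR LENGTH field. The commit message attributes the regression to the conversion to {get,put}_unaligned_be*(), which presumably replaced open-coded stores that advanced `off` themselves. The other converted sites in this file deserve the same check, since a stale offset puts wrong bytes into a response that is returned to the initiator. A short comment on the new line, for example `/* put_unaligned_be32() does not advance off */`, would keep a later refactor from dropping it.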
diff --git a/queue-4.14/target-fix-caw_sem-leak-in-transport_generic_request_failure.patch b/queue-4.14/target-fix-caw_sem-leak-in-transport_generic_request_failure.patch
new file mode 100644 (file)
index 0000000..b7b0742
--- /dev/null
@@ -0,0 +1,72 @@
+From fd2f928b0ddd2fe8876d4f1344df2ace2b715a4d Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Fri, 29 Sep 2017 16:03:24 -0700
+Subject: target: Fix caw_sem leak in transport_generic_request_failure
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit fd2f928b0ddd2fe8876d4f1344df2ace2b715a4d upstream.
+
+With the recent addition of transport_check_aborted_status() within
+transport_generic_request_failure() to avoid sending a SCSI status
+exception after CMD_T_ABORTED w/ TAS=1 has occured, it introduced
+a COMPARE_AND_WRITE early failure regression.
+
+Namely when COMPARE_AND_WRITE fails and se_device->caw_sem has
+been taken by sbc_compare_and_write(), if the new check for
+transport_check_aborted_status() returns true and exits,
+cmd->transport_complete_callback() -> compare_and_write_post()
+is skipped never releasing se_device->caw_sem.
+
+This regression was originally introduced by:
+
+  commit e3b88ee95b4e4bf3e9729a4695d695b9c7c296c8
+  Author: Bart Van Assche <bart.vanassche@sandisk.com>
+  Date:   Tue Feb 14 16:25:45 2017 -0800
+
+      target: Fix handling of aborted failed commands
+
+To address this bug, move the transport_check_aborted_status()
+call after transport_complete_task_attr() and
+cmd->transport_complete_callback().
+
+Cc: Mike Christie <mchristi@redhat.com>
+Cc: Hannes Reinecke <hare@suse.com>
+Cc: Bart Van Assche <bart.vanassche@sandisk.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_transport.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -1730,9 +1730,6 @@ void transport_generic_request_failure(s
+ {
+       int ret = 0, post_ret = 0;
+-      if (transport_check_aborted_status(cmd, 1))
+-              return;
+-
+       pr_debug("-----[ Storage Engine Exception; sense_reason %d\n",
+                sense_reason);
+       target_show_cmd("-----[ ", cmd);
+@@ -1741,6 +1738,7 @@ void transport_generic_request_failure(s
+        * For SAM Task Attribute emulation for failed struct se_cmd
+        */
+       transport_complete_task_attr(cmd);
++
+       /*
+        * Handle special case for COMPARE_AND_WRITE failure, where the
+        * callback is expected to drop the per device ->caw_sem.
+@@ -1749,6 +1747,9 @@ void transport_generic_request_failure(s
+            cmd->transport_complete_callback)
+               cmd->transport_complete_callback(cmd, false, &post_ret);
++      if (transport_check_aborted_status(cmd, 1))
++              return;
++
+       switch (sense_reason) {
+       case TCM_NON_EXISTENT_LUN:
+       case TCM_UNSUPPORTED_SCSI_OPCODE:
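Review bot: The moved `transport_check_aborted_status(cmd, 1)` check in transport_generic_request_failure() is now correct only because it sits after the COMPARE_AND_WRITE callback, and nothing in the code records that ordering requirement. A comment above it, such as `/* Must stay after transport_complete_callback() so an aborted COMPARE_AND_WRITE still drops ->caw_sem */`, would stop a later cleanup from hoisting the early return back to the top and reintroducing the semaphore leak the commit message describes. The `post_ret` value filled in by the callback is not examined in the visible lines; the function body continues outside the hunk.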
diff --git a/queue-4.14/target-fix-null-pointer-regression-in-core_tmr_drain_tmr_list.patch b/queue-4.14/target-fix-null-pointer-regression-in-core_tmr_drain_tmr_list.patch
new file mode 100644 (file)
index 0000000..4f51cc3
--- /dev/null
@@ -0,0 +1,42 @@
+From 88fb2fa7db7510bf1078226ab48d162d9854f3d4 Mon Sep 17 00:00:00 2001
+From: tangwenji <tang.wenji@zte.com.cn>
+Date: Wed, 16 Aug 2017 16:39:00 +0800
+Subject: target: fix null pointer regression in core_tmr_drain_tmr_list
+
+From: tangwenji <tang.wenji@zte.com.cn>
+
+commit 88fb2fa7db7510bf1078226ab48d162d9854f3d4 upstream.
+
+The target system kernel crash when the initiator executes
+the sg_persist -A command,because of the second argument to
+be set to NULL when core_tmr_lun_reset is called in
+core_scsi3_pro_preempt function.
+
+This fixes a regression originally introduced by:
+
+  commit 51ec502a32665fed66c7f03799ede4023b212536
+  Author: Bart Van Assche <bart.vanassche@sandisk.com>
+  Date:   Tue Feb 14 16:25:54 2017 -0800
+
+      target: Delete tmr from list before processing
+
+Signed-off-by: tangwenji <tang.wenji@zte.com.cn>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_tmr.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_tmr.c
++++ b/drivers/target/target_core_tmr.c
+@@ -217,7 +217,8 @@ static void core_tmr_drain_tmr_list(
+        * LUN_RESET tmr..
+        */
+       spin_lock_irqsave(&dev->se_tmr_lock, flags);
+-      list_del_init(&tmr->tmr_list);
++      if (tmr)
++              list_del_init(&tmr->tmr_list);
+       list_for_each_entry_safe(tmr_p, tmr_pp, &dev->dev_tmr_list, tmr_list) {
+               cmd = tmr_p->task_cmd;
+               if (!cmd) {
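Review bot: The new `if (tmr)` guard in core_tmr_drain_tmr_list() covers only the `list_del_init()` call; the function continues outside the hunk, so any later use of `tmr` there has to tolerate NULL as well. Per the commit message the NULL comes from core_scsi3_pro_preempt() calling core_tmr_lun_reset() with a NULL second argument, and the crash is triggered by a command sent from the initiator, so the parameter contract is worth stating next to the guard: `/* tmr may be NULL, e.g. when called via core_scsi3_pro_preempt() */`. Documenting it at the function header too would make the next change to this list handling check the NULL case.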
diff --git a/queue-4.14/target-fix-queue_full-scsi-task-attribute-handling.patch b/queue-4.14/target-fix-queue_full-scsi-task-attribute-handling.patch
new file mode 100644 (file)
index 0000000..bd649e4
--- /dev/null
@@ -0,0 +1,57 @@
+From 1c79df1f349fb6050016cea4ef1dfbc3853a5685 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Fri, 22 Sep 2017 16:48:28 -0700
+Subject: target: Fix QUEUE_FULL + SCSI task attribute handling
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 1c79df1f349fb6050016cea4ef1dfbc3853a5685 upstream.
+
+This patch fixes a bug during QUEUE_FULL where transport_complete_qf()
+calls transport_complete_task_attr() after it's already been invoked
+by target_complete_ok_work() or transport_generic_request_failure()
+during initial completion, preceeding QUEUE_FULL.
+
+This will result in se_device->simple_cmds, se_device->dev_cur_ordered_id
+and/or se_device->dev_ordered_sync being updated multiple times for
+a single se_cmd.
+
+To address this bug, clear SCF_TASK_ATTR_SET after the first call
+to transport_complete_task_attr(), and avoid updating SCSI task
+attribute related counters for any subsequent calls.
+
+Also, when a se_cmd is deferred due to ordered tags and executed
+via target_restart_delayed_cmds(), set CMD_T_SENT before execution
+matching what target_execute_cmd() does.
+
+Cc: Michael Cyr <mikecyr@linux.vnet.ibm.com>
+Cc: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
+Cc: Mike Christie <mchristi@redhat.com>
+Cc: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_transport.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -2010,6 +2010,8 @@ static void target_restart_delayed_cmds(
+               list_del(&cmd->se_delayed_node);
+               spin_unlock(&dev->delayed_cmd_lock);
++              cmd->transport_state |= CMD_T_SENT;
++
+               __target_execute_cmd(cmd, true);
+               if (cmd->sam_task_attr == TCM_ORDERED_TAG)
+@@ -2045,6 +2047,8 @@ static void transport_complete_task_attr
+               pr_debug("Incremented dev_cur_ordered_id: %u for ORDERED\n",
+                        dev->dev_cur_ordered_id);
+       }
++      cmd->se_cmd_flags &= ~SCF_TASK_ATTR_SET;
++
+ restart:
+       target_restart_delayed_cmds(dev);
+ }
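Review bot: The added `cmd->transport_state |= CMD_T_SENT;` in target_restart_delayed_cmds() is a read-modify-write of `transport_state` with no lock held in the visible lines. Elsewhere on this page target_execute_cmd() sets the same bits before `spin_unlock_irq(&cmd->t_state_lock)`, and transport_write_pending_qf() reads the field under that lock. Whether another context can modify the field at this point is not decidable from the hunk, but if one can, a concurrent flag update could be lost. Unless the calling context rules that out, take the lock around the store (with the irq variant that fits the caller), `spin_lock_irq(&cmd->t_state_lock); cmd->transport_state |= CMD_T_SENT; spin_unlock_irq(&cmd->t_state_lock);`, or add a comment saying why it is not needed.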
diff --git a/queue-4.14/target-fix-quiese-during-transport_write_pending_qf-endless-loop.patch b/queue-4.14/target-fix-quiese-during-transport_write_pending_qf-endless-loop.patch
new file mode 100644 (file)
index 0000000..0adf090
--- /dev/null
@@ -0,0 +1,55 @@
+From 9574a497df2bbc0a676b609ce0dd24d237cee3a6 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Fri, 29 Sep 2017 16:43:11 -0700
+Subject: target: Fix quiese during transport_write_pending_qf endless loop
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 9574a497df2bbc0a676b609ce0dd24d237cee3a6 upstream.
+
+This patch fixes a potential end-less loop during QUEUE_FULL,
+where cmd->se_tfo->write_pending() callback fails repeatedly
+but __transport_wait_for_tasks() has already been invoked to
+quiese the outstanding se_cmd descriptor.
+
+To address this bug, this patch adds a CMD_T_STOP|CMD_T_ABORTED
+check within transport_write_pending_qf() and invokes the
+existing se_cmd->t_transport_stop_comp to signal quiese
+completion back to __transport_wait_for_tasks().
+
+Cc: Mike Christie <mchristi@redhat.com>
+Cc: Hannes Reinecke <hare@suse.com>
+Cc: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
+Cc: Michael Cyr <mikecyr@linux.vnet.ibm.com>
+Cc: Potnuri Bharat Teja <bharat@chelsio.com>
+Cc: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_transport.c |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -2575,7 +2575,20 @@ EXPORT_SYMBOL(transport_generic_new_cmd)
+ static void transport_write_pending_qf(struct se_cmd *cmd)
+ {
++      unsigned long flags;
+       int ret;
++      bool stop;
++
++      spin_lock_irqsave(&cmd->t_state_lock, flags);
++      stop = (cmd->transport_state & (CMD_T_STOP | CMD_T_ABORTED));
++      spin_unlock_irqrestore(&cmd->t_state_lock, flags);
++
++      if (stop) {
++              pr_debug("%s:%d CMD_T_STOP|CMD_T_ABORTED for ITT: 0x%08llx\n",
++                      __func__, __LINE__, cmd->tag);
++              complete_all(&cmd->t_transport_stop_comp);
++              return;
++      }
+       ret = cmd->se_tfo->write_pending(cmd);
+       if (ret) {