--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Marc Dionne <marc.dionne@auristor.com>
+Date: Thu, 16 Mar 2017 16:27:44 +0000
+Subject: afs: Adjust mode bits processing
+
+From: Marc Dionne <marc.dionne@auristor.com>
+
+
+[ Upstream commit 627f46943ff90bcc32ddeb675d881c043c6fa2ae ]
+
+Mode bits for an afs file should not be enforced in the usual
+way.
+
+For files, the absence of user bits can restrict file access
+with respect to what is granted by the server.
+
+These bits apply regardless of the owner or the current uid; the
+rest of the mode bits (group, other) are ignored.
+
+Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/security.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/afs/security.c
++++ b/fs/afs/security.c
+@@ -340,17 +340,22 @@ int afs_permission(struct inode *inode,
+ } else {
+ if (!(access & AFS_ACE_LOOKUP))
+ goto permission_denied;
++ if ((mask & MAY_EXEC) && !(inode->i_mode & S_IXUSR))
++ goto permission_denied;
+ if (mask & (MAY_EXEC | MAY_READ)) {
+ if (!(access & AFS_ACE_READ))
+ goto permission_denied;
++ if (!(inode->i_mode & S_IRUSR))
++ goto permission_denied;
+ } else if (mask & MAY_WRITE) {
+ if (!(access & AFS_ACE_WRITE))
+ goto permission_denied;
++ if (!(inode->i_mode & S_IWUSR))
++ goto permission_denied;
+ }
+ }
+
+ key_put(key);
+- ret = generic_permission(inode, mask);
+ _leave(" = %d", ret);
+ return ret;
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 16 Mar 2017 16:27:47 +0000
+Subject: afs: Better abort and net error handling
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit 70af0e3bd65142f9e674961c975451638a7ce1d5 ]
+
+If we receive a network error, a remote abort or a protocol error whilst
+we're still transmitting data, make sure we return an appropriate error to
+the caller rather than ESHUTDOWN or ECONNABORTED.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/rxrpc.c | 35 +++++++++++++++++++++++++++--------
+ 1 file changed, 27 insertions(+), 8 deletions(-)
+
+--- a/fs/afs/rxrpc.c
++++ b/fs/afs/rxrpc.c
+@@ -321,6 +321,8 @@ int afs_make_call(struct in_addr *addr,
+ struct rxrpc_call *rxcall;
+ struct msghdr msg;
+ struct kvec iov[1];
++ size_t offset;
++ u32 abort_code;
+ int ret;
+
+ _enter("%x,{%d},", addr->s_addr, ntohs(call->port));
+@@ -368,9 +370,11 @@ int afs_make_call(struct in_addr *addr,
+ msg.msg_controllen = 0;
+ msg.msg_flags = (call->send_pages ? MSG_MORE : 0);
+
+- /* have to change the state *before* sending the last packet as RxRPC
+- * might give us the reply before it returns from sending the
+- * request */
++ /* We have to change the state *before* sending the last packet as
++ * rxrpc might give us the reply before it returns from sending the
++ * request. Further, if the send fails, we may already have been given
++ * a notification and may have collected it.
++ */
+ if (!call->send_pages)
+ call->state = AFS_CALL_AWAIT_REPLY;
+ ret = rxrpc_kernel_send_data(afs_socket, rxcall,
+@@ -389,7 +393,17 @@ int afs_make_call(struct in_addr *addr,
+ return wait_mode->wait(call);
+
+ error_do_abort:
+- rxrpc_kernel_abort_call(afs_socket, rxcall, RX_USER_ABORT, -ret, "KSD");
++ call->state = AFS_CALL_COMPLETE;
++ if (ret != -ECONNABORTED) {
++ rxrpc_kernel_abort_call(afs_socket, rxcall, RX_USER_ABORT,
++ -ret, "KSD");
++ } else {
++ abort_code = 0;
++ offset = 0;
++ rxrpc_kernel_recv_data(afs_socket, rxcall, NULL, 0, &offset,
++ false, &abort_code);
++ ret = call->type->abort_to_error(abort_code);
++ }
+ error_kill_call:
+ afs_end_call(call);
+ _leave(" = %d", ret);
+@@ -434,16 +448,18 @@ static void afs_deliver_to_call(struct a
+ case -EINPROGRESS:
+ case -EAGAIN:
+ goto out;
++ case -ECONNABORTED:
++ goto call_complete;
+ case -ENOTCONN:
+ abort_code = RX_CALL_DEAD;
+ rxrpc_kernel_abort_call(afs_socket, call->rxcall,
+ abort_code, -ret, "KNC");
+- goto do_abort;
++ goto save_error;
+ case -ENOTSUPP:
+ abort_code = RXGEN_OPCODE;
+ rxrpc_kernel_abort_call(afs_socket, call->rxcall,
+ abort_code, -ret, "KIV");
+- goto do_abort;
++ goto save_error;
+ case -ENODATA:
+ case -EBADMSG:
+ case -EMSGSIZE:
+@@ -453,7 +469,7 @@ static void afs_deliver_to_call(struct a
+ abort_code = RXGEN_SS_UNMARSHAL;
+ rxrpc_kernel_abort_call(afs_socket, call->rxcall,
+ abort_code, EBADMSG, "KUM");
+- goto do_abort;
++ goto save_error;
+ }
+ }
+
+@@ -464,8 +480,9 @@ out:
+ _leave("");
+ return;
+
+-do_abort:
++save_error:
+ call->error = ret;
++call_complete:
+ call->state = AFS_CALL_COMPLETE;
+ goto done;
+ }
+@@ -513,6 +530,8 @@ static int afs_wait_for_call_to_complete
+ _debug("call incomplete");
+ rxrpc_kernel_abort_call(afs_socket, call->rxcall,
+ RX_CALL_DEAD, -ret, abort_why);
++ } else if (call->error < 0) {
++ ret = call->error;
+ }
+
+ _debug("call complete");
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Marc Dionne <marc.dionne@auristor.com>
+Date: Thu, 16 Mar 2017 16:27:44 +0000
+Subject: afs: Deal with an empty callback array
+
+From: Marc Dionne <marc.dionne@auristor.com>
+
+
+[ Upstream commit bcd89270d93b7edebb5de5e5e7dca1a77a33496e ]
+
+Servers may send a callback array that is the same size as
+the FID array, or an empty array. If the callback count is
+0, the code would attempt to read (fid_count * 12) bytes of
+data, which would fail and result in an unmarshalling error.
+This would lead to stale data for remotely modified files
+or directories.
+
+Store the callback array size in the internal afs_call
+structure and use that to determine the amount of data to
+read.
+
+Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/cmservice.c | 11 +++++------
+ fs/afs/internal.h | 5 ++++-
+ 2 files changed, 9 insertions(+), 7 deletions(-)
+
+--- a/fs/afs/cmservice.c
++++ b/fs/afs/cmservice.c
+@@ -168,7 +168,6 @@ static int afs_deliver_cb_callback(struc
+ struct afs_callback *cb;
+ struct afs_server *server;
+ __be32 *bp;
+- u32 tmp;
+ int ret, loop;
+
+ _enter("{%u}", call->unmarshall);
+@@ -230,9 +229,9 @@ static int afs_deliver_cb_callback(struc
+ if (ret < 0)
+ return ret;
+
+- tmp = ntohl(call->tmp);
+- _debug("CB count: %u", tmp);
+- if (tmp != call->count && tmp != 0)
++ call->count2 = ntohl(call->tmp);
++ _debug("CB count: %u", call->count2);
++ if (call->count2 != call->count && call->count2 != 0)
+ return -EBADMSG;
+ call->offset = 0;
+ call->unmarshall++;
+@@ -240,14 +239,14 @@ static int afs_deliver_cb_callback(struc
+ case 4:
+ _debug("extract CB array");
+ ret = afs_extract_data(call, call->buffer,
+- call->count * 3 * 4, false);
++ call->count2 * 3 * 4, false);
+ if (ret < 0)
+ return ret;
+
+ _debug("unmarshall CB array");
+ cb = call->request;
+ bp = call->buffer;
+- for (loop = call->count; loop > 0; loop--, cb++) {
++ for (loop = call->count2; loop > 0; loop--, cb++) {
+ cb->version = ntohl(*bp++);
+ cb->expiry = ntohl(*bp++);
+ cb->type = ntohl(*bp++);
+--- a/fs/afs/internal.h
++++ b/fs/afs/internal.h
+@@ -105,7 +105,10 @@ struct afs_call {
+ unsigned request_size; /* size of request data */
+ unsigned reply_max; /* maximum size of reply */
+ unsigned first_offset; /* offset into mapping[first] */
+- unsigned last_to; /* amount of mapping[last] */
++ union {
++ unsigned last_to; /* amount of mapping[last] */
++ unsigned count2; /* count used in unmarshalling */
++ };
+ unsigned char unmarshall; /* unmarshalling phase */
+ bool incoming; /* T if incoming call */
+ bool send_pages; /* T if data from mapping should be sent */
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 16 Mar 2017 16:27:49 +0000
+Subject: afs: Fix abort on signal while waiting for call completion
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit 954cd6dc02a65065aecb7150962c0870c5b0e322 ]
+
+Fix the way in which a call that's in progress and being waited for is
+aborted in the case that EINTR is detected. We should be sending
+RX_USER_ABORT rather than RX_CALL_DEAD as the abort code.
+
+Note that since the only two ways out of the loop are if the call completes
+or if a signal happens, the kill-the-call clause after the loop has
+finished can only happen in the case of EINTR. This means that we only
+have one abort case to deal with, not two, and the "KWC" case can never
+happen and so can be deleted.
+
+Note further that simply aborting the call isn't necessarily the best thing
+here since at this point: the request has been entirely sent and it's
+likely the server will do the operation anyway - whether we abort it or
+not. In future, we should punt the handling of the remainder of the call
+off to a background thread.
+
+Reported-by: Marc Dionne <marc.c.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/rxrpc.c | 19 ++++++-------------
+ 1 file changed, 6 insertions(+), 13 deletions(-)
+
+--- a/fs/afs/rxrpc.c
++++ b/fs/afs/rxrpc.c
+@@ -492,7 +492,6 @@ call_complete:
+ */
+ static int afs_wait_for_call_to_complete(struct afs_call *call)
+ {
+- const char *abort_why;
+ int ret;
+
+ DECLARE_WAITQUEUE(myself, current);
+@@ -511,13 +510,8 @@ static int afs_wait_for_call_to_complete
+ continue;
+ }
+
+- abort_why = "KWC";
+- ret = call->error;
+- if (call->state == AFS_CALL_COMPLETE)
+- break;
+- abort_why = "KWI";
+- ret = -EINTR;
+- if (signal_pending(current))
++ if (call->state == AFS_CALL_COMPLETE ||
++ signal_pending(current))
+ break;
+ schedule();
+ }
+@@ -525,15 +519,14 @@ static int afs_wait_for_call_to_complete
+ remove_wait_queue(&call->waitq, &myself);
+ __set_current_state(TASK_RUNNING);
+
+- /* kill the call */
++ /* Kill off the call if it's still live. */
+ if (call->state < AFS_CALL_COMPLETE) {
+- _debug("call incomplete");
++ _debug("call interrupted");
+ rxrpc_kernel_abort_call(afs_socket, call->rxcall,
+- RX_CALL_DEAD, -ret, abort_why);
+- } else if (call->error < 0) {
+- ret = call->error;
++ RX_USER_ABORT, -EINTR, "KWI");
+ }
+
++ ret = call->error;
+ _debug("call complete");
+ afs_end_call(call);
+ _leave(" = %d", ret);
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 16 Mar 2017 16:27:48 +0000
+Subject: afs: Fix afs_kill_pages()
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit 7286a35e893176169b09715096a4aca557e2ccd2 ]
+
+Fix afs_kill_pages() in two ways:
+
+ (1) If a writeback has been partially flushed, then if we try and kill the
+ pages it contains, some of them may no longer be undergoing writeback
+ and end_page_writeback() will assert.
+
+ Fix this by checking to see whether the page in question is actually
+ undergoing writeback before ending that writeback.
+
+ (2) The loop that scans for pages to kill doesn't increase the first page
+ index, and so the loop may not terminate, but it will try to process
+ the same pages over and over again.
+
+ Fix this by increasing the first page index to one after the last page
+ we processed.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/write.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/fs/afs/write.c
++++ b/fs/afs/write.c
+@@ -299,10 +299,14 @@ static void afs_kill_pages(struct afs_vn
+ ASSERTCMP(pv.nr, ==, count);
+
+ for (loop = 0; loop < count; loop++) {
+- ClearPageUptodate(pv.pages[loop]);
++ struct page *page = pv.pages[loop];
++ ClearPageUptodate(page);
+ if (error)
+- SetPageError(pv.pages[loop]);
+- end_page_writeback(pv.pages[loop]);
++ SetPageError(page);
++ if (PageWriteback(page))
++ end_page_writeback(page);
++ if (page->index >= first)
++ first = page->index + 1;
+ }
+
+ __pagevec_release(&pv);
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 16 Mar 2017 16:27:43 +0000
+Subject: afs: Fix missing put_page()
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit 29c8bbbd6e21daa0997d1c3ee886b897ee7ad652 ]
+
+In afs_writepages_region(), inside the loop where we find dirty pages to
+deal with, one of the if-statements is missing a put_page().
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/write.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/afs/write.c
++++ b/fs/afs/write.c
+@@ -502,6 +502,7 @@ static int afs_writepages_region(struct
+
+ if (PageWriteback(page) || !PageDirty(page)) {
+ unlock_page(page);
++ put_page(page);
+ continue;
+ }
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 16 Mar 2017 16:27:48 +0000
+Subject: afs: Fix page leak in afs_write_begin()
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit 6d06b0d25209c80e99c1e89700f1e09694a3766b ]
+
+afs_write_begin() leaks a ref and a lock on a page if afs_fill_page()
+fails. Fix the leak by unlocking and releasing the page in the error path.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/write.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/afs/write.c
++++ b/fs/afs/write.c
+@@ -148,12 +148,12 @@ int afs_write_begin(struct file *file, s
+ kfree(candidate);
+ return -ENOMEM;
+ }
+- *pagep = page;
+- /* page won't leak in error case: it eventually gets cleaned off LRU */
+
+ if (!PageUptodate(page) && len != PAGE_SIZE) {
+ ret = afs_fill_page(vnode, key, index << PAGE_SHIFT, page);
+ if (ret < 0) {
++ unlock_page(page);
++ put_page(page);
+ kfree(candidate);
+ _leave(" = %d [prep]", ret);
+ return ret;
+@@ -161,6 +161,9 @@ int afs_write_begin(struct file *file, s
+ SetPageUptodate(page);
+ }
+
++ /* page won't leak in error case: it eventually gets cleaned off LRU */
++ *pagep = page;
++
+ try_again:
+ spin_lock(&vnode->writeback_lock);
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 16 Mar 2017 16:27:47 +0000
+Subject: afs: Fix the maths in afs_fs_store_data()
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit 146a1192783697810b63a1e41c4d59fc93387340 ]
+
+afs_fs_store_data() works out of the size of the write it's going to make,
+but it uses 32-bit unsigned subtraction in one place that gets
+automatically cast to loff_t.
+
+However, if to < offset, then the number goes negative, but as the result
+isn't signed, this doesn't get sign-extended to 64-bits when placed in a
+loff_t.
+
+Fix by casting the operands to loff_t.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/fsclient.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/afs/fsclient.c
++++ b/fs/afs/fsclient.c
+@@ -1178,7 +1178,7 @@ int afs_fs_store_data(struct afs_server
+ _enter(",%x,{%x:%u},,",
+ key_serial(wb->key), vnode->fid.vid, vnode->fid.vnode);
+
+- size = to - offset;
++ size = (loff_t)to - (loff_t)offset;
+ if (first != last)
+ size += (loff_t)(last - first) << PAGE_SHIFT;
+ pos = (loff_t)first << PAGE_SHIFT;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 16 Mar 2017 16:27:45 +0000
+Subject: afs: Flush outstanding writes when an fd is closed
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit 58fed94dfb17e89556b5705f20f90e5b2971b6a1 ]
+
+Flush outstanding writes in afs when an fd is closed. This is what NFS and
+CIFS do.
+
+Reported-by: Marc Dionne <marc.c.dionne@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/file.c | 1 +
+ fs/afs/internal.h | 1 +
+ fs/afs/write.c | 14 ++++++++++++++
+ 3 files changed, 16 insertions(+)
+
+--- a/fs/afs/file.c
++++ b/fs/afs/file.c
+@@ -29,6 +29,7 @@ static int afs_readpages(struct file *fi
+
+ const struct file_operations afs_file_operations = {
+ .open = afs_open,
++ .flush = afs_flush,
+ .release = afs_release,
+ .llseek = generic_file_llseek,
+ .read_iter = generic_file_read_iter,
+--- a/fs/afs/internal.h
++++ b/fs/afs/internal.h
+@@ -752,6 +752,7 @@ extern int afs_writepages(struct address
+ extern void afs_pages_written_back(struct afs_vnode *, struct afs_call *);
+ extern ssize_t afs_file_write(struct kiocb *, struct iov_iter *);
+ extern int afs_writeback_all(struct afs_vnode *);
++extern int afs_flush(struct file *, fl_owner_t);
+ extern int afs_fsync(struct file *, loff_t, loff_t, int);
+
+
+--- a/fs/afs/write.c
++++ b/fs/afs/write.c
+@@ -736,6 +736,20 @@ out:
+ }
+
+ /*
++ * Flush out all outstanding writes on a file opened for writing when it is
++ * closed.
++ */
++int afs_flush(struct file *file, fl_owner_t id)
++{
++ _enter("");
++
++ if ((file->f_mode & FMODE_WRITE) == 0)
++ return 0;
++
++ return vfs_fsync(file, 0);
++}
++
++/*
+ * notification that a previously read-only page is about to become writable
+ * - if it returns an error, the caller will deliver a bus error signal
+ */
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 16 Mar 2017 16:27:47 +0000
+Subject: afs: Invalid op ID should abort with RXGEN_OPCODE
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit 1157f153f37a8586765034470e4f00a4a6c4ce6f ]
+
+When we are given an invalid operation ID, we should abort that with
+RXGEN_OPCODE rather than RX_INVALID_OPERATION.
+
+Also map RXGEN_OPCODE to -ENOTSUPP.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/misc.c | 2 ++
+ fs/afs/rxrpc.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/afs/misc.c
++++ b/fs/afs/misc.c
+@@ -84,6 +84,8 @@ int afs_abort_to_error(u32 abort_code)
+ case RXKADDATALEN: return -EKEYREJECTED;
+ case RXKADILLEGALLEVEL: return -EKEYREJECTED;
+
++ case RXGEN_OPCODE: return -ENOTSUPP;
++
+ default: return -EREMOTEIO;
+ }
+ }
+--- a/fs/afs/rxrpc.c
++++ b/fs/afs/rxrpc.c
+@@ -440,7 +440,7 @@ static void afs_deliver_to_call(struct a
+ abort_code, -ret, "KNC");
+ goto do_abort;
+ case -ENOTSUPP:
+- abort_code = RX_INVALID_OPERATION;
++ abort_code = RXGEN_OPCODE;
+ rxrpc_kernel_abort_call(afs_socket, call->rxcall,
+ abort_code, -ret, "KIV");
+ goto do_abort;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Tina Ruchandani <ruchandani.tina@gmail.com>
+Date: Thu, 16 Mar 2017 16:27:46 +0000
+Subject: afs: Migrate vlocation fields to 64-bit
+
+From: Tina Ruchandani <ruchandani.tina@gmail.com>
+
+
+[ Upstream commit 8a79790bf0b7da216627ffb85f52cfb4adbf1e4e ]
+
+get_seconds() returns real wall-clock seconds. On 32-bit systems
+this value will overflow in year 2038 and beyond. This patch changes
+afs's vlocation record to use ktime_get_real_seconds() instead, for the
+fields time_of_death and update_at.
+
+Signed-off-by: Tina Ruchandani <ruchandani.tina@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/callback.c | 7 ++++---
+ fs/afs/internal.h | 7 ++++---
+ fs/afs/server.c | 6 +++---
+ fs/afs/vlocation.c | 16 +++++++++-------
+ 4 files changed, 20 insertions(+), 16 deletions(-)
+
+--- a/fs/afs/callback.c
++++ b/fs/afs/callback.c
+@@ -362,7 +362,7 @@ static void afs_callback_updater(struct
+ {
+ struct afs_server *server;
+ struct afs_vnode *vnode, *xvnode;
+- time_t now;
++ time64_t now;
+ long timeout;
+ int ret;
+
+@@ -370,7 +370,7 @@ static void afs_callback_updater(struct
+
+ _enter("");
+
+- now = get_seconds();
++ now = ktime_get_real_seconds();
+
+ /* find the first vnode to update */
+ spin_lock(&server->cb_lock);
+@@ -424,7 +424,8 @@ static void afs_callback_updater(struct
+
+ /* and then reschedule */
+ _debug("reschedule");
+- vnode->update_at = get_seconds() + afs_vnode_update_timeout;
++ vnode->update_at = ktime_get_real_seconds() +
++ afs_vnode_update_timeout;
+
+ spin_lock(&server->cb_lock);
+
+--- a/fs/afs/internal.h
++++ b/fs/afs/internal.h
+@@ -11,6 +11,7 @@
+
+ #include <linux/compiler.h>
+ #include <linux/kernel.h>
++#include <linux/ktime.h>
+ #include <linux/fs.h>
+ #include <linux/pagemap.h>
+ #include <linux/rxrpc.h>
+@@ -245,7 +246,7 @@ struct afs_cache_vhash {
+ */
+ struct afs_vlocation {
+ atomic_t usage;
+- time_t time_of_death; /* time at which put reduced usage to 0 */
++ time64_t time_of_death; /* time at which put reduced usage to 0 */
+ struct list_head link; /* link in cell volume location list */
+ struct list_head grave; /* link in master graveyard list */
+ struct list_head update; /* link in master update list */
+@@ -256,7 +257,7 @@ struct afs_vlocation {
+ struct afs_cache_vlocation vldb; /* volume information DB record */
+ struct afs_volume *vols[3]; /* volume access record pointer (index by type) */
+ wait_queue_head_t waitq; /* status change waitqueue */
+- time_t update_at; /* time at which record should be updated */
++ time64_t update_at; /* time at which record should be updated */
+ spinlock_t lock; /* access lock */
+ afs_vlocation_state_t state; /* volume location state */
+ unsigned short upd_rej_cnt; /* ENOMEDIUM count during update */
+@@ -269,7 +270,7 @@ struct afs_vlocation {
+ */
+ struct afs_server {
+ atomic_t usage;
+- time_t time_of_death; /* time at which put reduced usage to 0 */
++ time64_t time_of_death; /* time at which put reduced usage to 0 */
+ struct in_addr addr; /* server address */
+ struct afs_cell *cell; /* cell in which server resides */
+ struct list_head link; /* link in cell's server list */
+--- a/fs/afs/server.c
++++ b/fs/afs/server.c
+@@ -242,7 +242,7 @@ void afs_put_server(struct afs_server *s
+ spin_lock(&afs_server_graveyard_lock);
+ if (atomic_read(&server->usage) == 0) {
+ list_move_tail(&server->grave, &afs_server_graveyard);
+- server->time_of_death = get_seconds();
++ server->time_of_death = ktime_get_real_seconds();
+ queue_delayed_work(afs_wq, &afs_server_reaper,
+ afs_server_timeout * HZ);
+ }
+@@ -277,9 +277,9 @@ static void afs_reap_server(struct work_
+ LIST_HEAD(corpses);
+ struct afs_server *server;
+ unsigned long delay, expiry;
+- time_t now;
++ time64_t now;
+
+- now = get_seconds();
++ now = ktime_get_real_seconds();
+ spin_lock(&afs_server_graveyard_lock);
+
+ while (!list_empty(&afs_server_graveyard)) {
+--- a/fs/afs/vlocation.c
++++ b/fs/afs/vlocation.c
+@@ -340,7 +340,8 @@ static void afs_vlocation_queue_for_upda
+ struct afs_vlocation *xvl;
+
+ /* wait at least 10 minutes before updating... */
+- vl->update_at = get_seconds() + afs_vlocation_update_timeout;
++ vl->update_at = ktime_get_real_seconds() +
++ afs_vlocation_update_timeout;
+
+ spin_lock(&afs_vlocation_updates_lock);
+
+@@ -506,7 +507,7 @@ void afs_put_vlocation(struct afs_vlocat
+ if (atomic_read(&vl->usage) == 0) {
+ _debug("buried");
+ list_move_tail(&vl->grave, &afs_vlocation_graveyard);
+- vl->time_of_death = get_seconds();
++ vl->time_of_death = ktime_get_real_seconds();
+ queue_delayed_work(afs_wq, &afs_vlocation_reap,
+ afs_vlocation_timeout * HZ);
+
+@@ -543,11 +544,11 @@ static void afs_vlocation_reaper(struct
+ LIST_HEAD(corpses);
+ struct afs_vlocation *vl;
+ unsigned long delay, expiry;
+- time_t now;
++ time64_t now;
+
+ _enter("");
+
+- now = get_seconds();
++ now = ktime_get_real_seconds();
+ spin_lock(&afs_vlocation_graveyard_lock);
+
+ while (!list_empty(&afs_vlocation_graveyard)) {
+@@ -622,13 +623,13 @@ static void afs_vlocation_updater(struct
+ {
+ struct afs_cache_vlocation vldb;
+ struct afs_vlocation *vl, *xvl;
+- time_t now;
++ time64_t now;
+ long timeout;
+ int ret;
+
+ _enter("");
+
+- now = get_seconds();
++ now = ktime_get_real_seconds();
+
+ /* find a record to update */
+ spin_lock(&afs_vlocation_updates_lock);
+@@ -684,7 +685,8 @@ static void afs_vlocation_updater(struct
+
+ /* and then reschedule */
+ _debug("reschedule");
+- vl->update_at = get_seconds() + afs_vlocation_update_timeout;
++ vl->update_at = ktime_get_real_seconds() +
++ afs_vlocation_update_timeout;
+
+ spin_lock(&afs_vlocation_updates_lock);
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Marc Dionne <marc.dionne@auristor.com>
+Date: Thu, 16 Mar 2017 16:27:47 +0000
+Subject: afs: Populate and use client modification time
+
+From: Marc Dionne <marc.dionne@auristor.com>
+
+
+[ Upstream commit ab94f5d0dd6fd82e7eeca5e7c8096eaea0a0261f ]
+
+The inode timestamps should be set from the client time
+in the status received from the server, rather than the
+server time which is meant for internal server use.
+
+Set AFS_SET_MTIME and populate the mtime for operations
+that take an input status, such as file/dir creation
+and StoreData. If an input time is not provided the
+server will set the vnode times based on the current server
+time.
+
+In a situation where the server has some skew with the
+client, this could lead to the client seeing a timestamp
+in the future for a file that it just created or wrote.
+
+Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/fsclient.c | 18 +++++++++---------
+ fs/afs/inode.c | 2 +-
+ 2 files changed, 10 insertions(+), 10 deletions(-)
+
+--- a/fs/afs/fsclient.c
++++ b/fs/afs/fsclient.c
+@@ -105,7 +105,7 @@ static void xdr_decode_AFSFetchStatus(co
+ vnode->vfs_inode.i_mode = mode;
+ }
+
+- vnode->vfs_inode.i_ctime.tv_sec = status->mtime_server;
++ vnode->vfs_inode.i_ctime.tv_sec = status->mtime_client;
+ vnode->vfs_inode.i_mtime = vnode->vfs_inode.i_ctime;
+ vnode->vfs_inode.i_atime = vnode->vfs_inode.i_ctime;
+ vnode->vfs_inode.i_version = data_version;
+@@ -676,8 +676,8 @@ int afs_fs_create(struct afs_server *ser
+ memset(bp, 0, padsz);
+ bp = (void *) bp + padsz;
+ }
+- *bp++ = htonl(AFS_SET_MODE);
+- *bp++ = 0; /* mtime */
++ *bp++ = htonl(AFS_SET_MODE | AFS_SET_MTIME);
++ *bp++ = htonl(vnode->vfs_inode.i_mtime.tv_sec); /* mtime */
+ *bp++ = 0; /* owner */
+ *bp++ = 0; /* group */
+ *bp++ = htonl(mode & S_IALLUGO); /* unix mode */
+@@ -945,8 +945,8 @@ int afs_fs_symlink(struct afs_server *se
+ memset(bp, 0, c_padsz);
+ bp = (void *) bp + c_padsz;
+ }
+- *bp++ = htonl(AFS_SET_MODE);
+- *bp++ = 0; /* mtime */
++ *bp++ = htonl(AFS_SET_MODE | AFS_SET_MTIME);
++ *bp++ = htonl(vnode->vfs_inode.i_mtime.tv_sec); /* mtime */
+ *bp++ = 0; /* owner */
+ *bp++ = 0; /* group */
+ *bp++ = htonl(S_IRWXUGO); /* unix mode */
+@@ -1145,8 +1145,8 @@ static int afs_fs_store_data64(struct af
+ *bp++ = htonl(vnode->fid.vnode);
+ *bp++ = htonl(vnode->fid.unique);
+
+- *bp++ = 0; /* mask */
+- *bp++ = 0; /* mtime */
++ *bp++ = htonl(AFS_SET_MTIME); /* mask */
++ *bp++ = htonl(vnode->vfs_inode.i_mtime.tv_sec); /* mtime */
+ *bp++ = 0; /* owner */
+ *bp++ = 0; /* group */
+ *bp++ = 0; /* unix mode */
+@@ -1222,8 +1222,8 @@ int afs_fs_store_data(struct afs_server
+ *bp++ = htonl(vnode->fid.vnode);
+ *bp++ = htonl(vnode->fid.unique);
+
+- *bp++ = 0; /* mask */
+- *bp++ = 0; /* mtime */
++ *bp++ = htonl(AFS_SET_MTIME); /* mask */
++ *bp++ = htonl(vnode->vfs_inode.i_mtime.tv_sec); /* mtime */
+ *bp++ = 0; /* owner */
+ *bp++ = 0; /* group */
+ *bp++ = 0; /* unix mode */
+--- a/fs/afs/inode.c
++++ b/fs/afs/inode.c
+@@ -72,7 +72,7 @@ static int afs_inode_map_status(struct a
+ inode->i_uid = vnode->status.owner;
+ inode->i_gid = vnode->status.group;
+ inode->i_size = vnode->status.size;
+- inode->i_ctime.tv_sec = vnode->status.mtime_server;
++ inode->i_ctime.tv_sec = vnode->status.mtime_client;
+ inode->i_ctime.tv_nsec = 0;
+ inode->i_atime = inode->i_mtime = inode->i_ctime;
+ inode->i_blocks = 0;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Marc Dionne <marc.dionne@auristor.com>
+Date: Thu, 16 Mar 2017 16:27:43 +0000
+Subject: afs: Populate group ID from vnode status
+
+From: Marc Dionne <marc.dionne@auristor.com>
+
+
+[ Upstream commit 6186f0788b31f44affceeedc7b48eb10faea120d ]
+
+The group was hard coded to GLOBAL_ROOT_GID; use the group
+ID that was received from the server.
+
+Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/afs/inode.c
++++ b/fs/afs/inode.c
+@@ -70,7 +70,7 @@ static int afs_inode_map_status(struct a
+
+ set_nlink(inode, vnode->status.nlink);
+ inode->i_uid = vnode->status.owner;
+- inode->i_gid = GLOBAL_ROOT_GID;
++ inode->i_gid = vnode->status.group;
+ inode->i_size = vnode->status.size;
+ inode->i_ctime.tv_sec = vnode->status.mtime_server;
+ inode->i_ctime.tv_nsec = 0;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Tina Ruchandani <ruchandani.tina@gmail.com>
+Date: Thu, 16 Mar 2017 16:27:46 +0000
+Subject: afs: Prevent callback expiry timer overflow
+
+From: Tina Ruchandani <ruchandani.tina@gmail.com>
+
+
+[ Upstream commit 56e714312e7dbd6bb83b2f78d3ec19a404c7649f ]
+
+get_seconds() returns real wall-clock seconds. On 32-bit systems
+this value will overflow in year 2038 and beyond. This patch changes
+afs_vnode record to use ktime_get_real_seconds() instead, for the
+fields cb_expires and cb_expires_at.
+
+Signed-off-by: Tina Ruchandani <ruchandani.tina@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/fsclient.c | 2 +-
+ fs/afs/inode.c | 7 ++++---
+ fs/afs/internal.h | 4 ++--
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+
+--- a/fs/afs/fsclient.c
++++ b/fs/afs/fsclient.c
+@@ -139,7 +139,7 @@ static void xdr_decode_AFSCallBack(const
+ vnode->cb_version = ntohl(*bp++);
+ vnode->cb_expiry = ntohl(*bp++);
+ vnode->cb_type = ntohl(*bp++);
+- vnode->cb_expires = vnode->cb_expiry + get_seconds();
++ vnode->cb_expires = vnode->cb_expiry + ktime_get_real_seconds();
+ *_bp = bp;
+ }
+
+--- a/fs/afs/inode.c
++++ b/fs/afs/inode.c
+@@ -245,12 +245,13 @@ struct inode *afs_iget(struct super_bloc
+ vnode->cb_version = 0;
+ vnode->cb_expiry = 0;
+ vnode->cb_type = 0;
+- vnode->cb_expires = get_seconds();
++ vnode->cb_expires = ktime_get_real_seconds();
+ } else {
+ vnode->cb_version = cb->version;
+ vnode->cb_expiry = cb->expiry;
+ vnode->cb_type = cb->type;
+- vnode->cb_expires = vnode->cb_expiry + get_seconds();
++ vnode->cb_expires = vnode->cb_expiry +
++ ktime_get_real_seconds();
+ }
+ }
+
+@@ -323,7 +324,7 @@ int afs_validate(struct afs_vnode *vnode
+ !test_bit(AFS_VNODE_CB_BROKEN, &vnode->flags) &&
+ !test_bit(AFS_VNODE_MODIFIED, &vnode->flags) &&
+ !test_bit(AFS_VNODE_ZAP_DATA, &vnode->flags)) {
+- if (vnode->cb_expires < get_seconds() + 10) {
++ if (vnode->cb_expires < ktime_get_real_seconds() + 10) {
+ _debug("callback expired");
+ set_bit(AFS_VNODE_CB_BROKEN, &vnode->flags);
+ } else {
+--- a/fs/afs/internal.h
++++ b/fs/afs/internal.h
+@@ -373,8 +373,8 @@ struct afs_vnode {
+ struct rb_node server_rb; /* link in server->fs_vnodes */
+ struct rb_node cb_promise; /* link in server->cb_promises */
+ struct work_struct cb_broken_work; /* work to be done on callback break */
+- time_t cb_expires; /* time at which callback expires */
+- time_t cb_expires_at; /* time used to order cb_promise */
++ time64_t cb_expires; /* time at which callback expires */
++ time64_t cb_expires_at; /* time used to order cb_promise */
+ unsigned cb_version; /* callback version */
+ unsigned cb_expiry; /* callback expiry time */
+ afs_callback_type_t cb_type; /* type of callback */
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Fri, 3 Nov 2017 11:45:18 +0000
+Subject: arm-ccn: perf: Prevent module unload while PMU is in use
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+
+[ Upstream commit c7f5828bf77dcbd61d51f4736c1d5aa35663fbb4 ]
+
+When the PMU driver is built as a module, the perf expects the
+pmu->module to be valid, so that the driver is prevented from
+being unloaded while it is in use. Fix the CCN pmu driver to
+fill in this field.
+
+Fixes: a33b0daab73a0 ("bus: ARM CCN PMU driver")
+Cc: Pawel Moll <pawel.moll@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/arm-ccn.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/bus/arm-ccn.c
++++ b/drivers/bus/arm-ccn.c
+@@ -1280,6 +1280,7 @@ static int arm_ccn_pmu_init(struct arm_c
+
+ /* Perf driver registration */
+ ccn->dt.pmu = (struct pmu) {
++ .module = THIS_MODULE,
+ .attr_groups = arm_ccn_pmu_attr_groups,
+ .task_ctx_nr = perf_invalid_context,
+ .event_init = arm_ccn_pmu_event_init,
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Nick Desaulniers <ndesaulniers@google.com>
+Date: Fri, 27 Oct 2017 09:33:41 -0700
+Subject: arm64: prevent regressions in compressed kernel image size when upgrading to binutils 2.27
+
+From: Nick Desaulniers <ndesaulniers@google.com>
+
+
+[ Upstream commit fd9dde6abcb9bfe6c6bee48834e157999f113971 ]
+
+Upon upgrading to binutils 2.27, we found that our lz4 and gzip
+compressed kernel images were significantly larger, resulting is 10ms
+boot time regressions.
+
+As noted by Rahul:
+"aarch64 binaries uses RELA relocations, where each relocation entry
+includes an addend value. This is similar to x86_64. On x86_64, the
+addend values are also stored at the relocation offset for relative
+relocations. This is an optimization: in the case where code does not
+need to be relocated, the loader can simply skip processing relative
+relocations. In binutils-2.25, both bfd and gold linkers did this for
+x86_64, but only the gold linker did this for aarch64. The kernel build
+here is using the bfd linker, which stored zeroes at the relocation
+offsets for relative relocations. Since a set of zeroes compresses
+better than a set of non-zero addend values, this behavior was resulting
+in much better lz4 compression.
+
+The bfd linker in binutils-2.27 is now storing the actual addend values
+at the relocation offsets. The behavior is now consistent with what it
+does for x86_64 and what gold linker does for both architectures. The
+change happened in this upstream commit:
+https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=1f56df9d0d5ad89806c24e71f296576d82344613
+Since a bunch of zeroes got replaced by non-zero addend values, we see
+the side effect of lz4 compressed image being a bit bigger.
+
+To get the old behavior from the bfd linker, "--no-apply-dynamic-relocs"
+flag can be used:
+$ LDFLAGS="--no-apply-dynamic-relocs" make
+With this flag, the compressed image size is back to what it was with
+binutils-2.25.
+
+If the kernel is using ASLR, there aren't additional runtime costs to
+--no-apply-dynamic-relocs, as the relocations will need to be applied
+again anyway after the kernel is relocated to a random address.
+
+If the kernel is not using ASLR, then presumably the current default
+behavior of the linker is better. Since the static linker performed the
+dynamic relocs, and the kernel is not moved to a different address at
+load time, it can skip applying the relocations all over again."
+
+Some measurements:
+
+$ ld -v
+GNU ld (binutils-2.25-f3d35cf6) 2.25.51.20141117
+ ^
+$ ls -l vmlinux
+-rwxr-x--- 1 ndesaulniers eng 300652760 Oct 26 11:57 vmlinux
+$ ls -l Image.lz4-dtb
+-rw-r----- 1 ndesaulniers eng 16932627 Oct 26 11:57 Image.lz4-dtb
+
+$ ld -v
+GNU ld (binutils-2.27-53dd00a1) 2.27.0.20170315
+ ^
+pre patch:
+$ ls -l vmlinux
+-rwxr-x--- 1 ndesaulniers eng 300376208 Oct 26 11:43 vmlinux
+$ ls -l Image.lz4-dtb
+-rw-r----- 1 ndesaulniers eng 18159474 Oct 26 11:43 Image.lz4-dtb
+
+post patch:
+$ ls -l vmlinux
+-rwxr-x--- 1 ndesaulniers eng 300376208 Oct 26 12:06 vmlinux
+$ ls -l Image.lz4-dtb
+-rw-r----- 1 ndesaulniers eng 16932466 Oct 26 12:06 Image.lz4-dtb
+
+By Siqi's measurement w/ gzip:
+binutils 2.27 with this patch (with --no-apply-dynamic-relocs):
+Image 41535488
+Image.gz 13404067
+
+binutils 2.27 without this patch (without --no-apply-dynamic-relocs):
+Image 41535488
+Image.gz 14125516
+
+Any compression scheme should be able to get better results from the
+longer runs of zeros, not just GZIP and LZ4.
+
+10ms boot time savings isn't anything to get excited about, but users of
+arm64+compression+bfd-2.27 should not have to pay a penalty for no
+runtime improvement.
+
+Reported-by: Gopinath Elanchezhian <gelanchezhian@google.com>
+Reported-by: Sindhuri Pentyala <spentyala@google.com>
+Reported-by: Wei Wang <wvw@google.com>
+Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Suggested-by: Rahul Chaudhry <rahulchaudhry@google.com>
+Suggested-by: Siqi Lin <siqilin@google.com>
+Suggested-by: Stephen Hines <srhines@google.com>
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+[will: added comment to Makefile]
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/Makefile | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/Makefile
++++ b/arch/arm64/Makefile
+@@ -14,8 +14,12 @@ LDFLAGS_vmlinux :=-p --no-undefined -X
+ CPPFLAGS_vmlinux.lds = -DTEXT_OFFSET=$(TEXT_OFFSET)
+ GZFLAGS :=-9
+
+-ifneq ($(CONFIG_RELOCATABLE),)
+-LDFLAGS_vmlinux += -pie -shared -Bsymbolic
++ifeq ($(CONFIG_RELOCATABLE), y)
++# Pass --no-apply-dynamic-relocs to restore pre-binutils-2.27 behaviour
++# for relative relocs, since this leads to better Image compression
++# with the relocation offsets always being zero.
++LDFLAGS_vmlinux += -pie -shared -Bsymbolic \
++ $(call ld-option, --no-apply-dynamic-relocs)
+ endif
+
+ ifeq ($(CONFIG_ARM64_ERRATUM_843419),y)
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Pankaj Bharadiya <pankaj.laxminarayan.bharadiya@intel.com>
+Date: Tue, 7 Nov 2017 16:16:19 +0530
+Subject: ASoC: Intel: Skylake: Fix uuid_module memory leak in failure case
+
+From: Pankaj Bharadiya <pankaj.laxminarayan.bharadiya@intel.com>
+
+
+[ Upstream commit f8e066521192c7debe59127d90abbe2773577e25 ]
+
+In the loop that adds the uuid_module to the uuid_list list, allocated
+memory is not properly freed in the error path free uuid_list whenever
+any of the memory allocation in the loop fails to avoid memory leak.
+
+Signed-off-by: Pankaj Bharadiya <pankaj.laxminarayan.bharadiya@intel.com>
+Signed-off-by: Guneshwor Singh <guneshwor.o.singh@intel.com>
+Acked-By: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/intel/skylake/skl-sst-utils.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/sound/soc/intel/skylake/skl-sst-utils.c
++++ b/sound/soc/intel/skylake/skl-sst-utils.c
+@@ -295,6 +295,7 @@ int snd_skl_parse_uuids(struct sst_dsp *
+ struct uuid_module *module;
+ struct firmware stripped_fw;
+ unsigned int safe_file;
++ int ret = 0;
+
+ /* Get the FW pointer to derive ADSP header */
+ stripped_fw.data = fw->data;
+@@ -343,8 +344,10 @@ int snd_skl_parse_uuids(struct sst_dsp *
+
+ for (i = 0; i < num_entry; i++, mod_entry++) {
+ module = kzalloc(sizeof(*module), GFP_KERNEL);
+- if (!module)
+- return -ENOMEM;
++ if (!module) {
++ ret = -ENOMEM;
++ goto free_uuid_list;
++ }
+
+ uuid_bin = (uuid_le *)mod_entry->uuid.id;
+ memcpy(&module->uuid, uuid_bin, sizeof(module->uuid));
+@@ -355,8 +358,8 @@ int snd_skl_parse_uuids(struct sst_dsp *
+ size = sizeof(int) * mod_entry->instance_max_count;
+ module->instance_id = devm_kzalloc(ctx->dev, size, GFP_KERNEL);
+ if (!module->instance_id) {
+- kfree(module);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto free_uuid_list;
+ }
+
+ list_add_tail(&module->list, &skl->uuid_list);
+@@ -367,6 +370,10 @@ int snd_skl_parse_uuids(struct sst_dsp *
+ }
+
+ return 0;
++
++free_uuid_list:
++ skl_freeup_uuid_list(skl);
++ return ret;
+ }
+
+ void skl_freeup_uuid_list(struct skl_sst *ctx)
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Date: Tue, 14 Mar 2017 09:34:49 +0900
+Subject: ASoC: rcar: clear DE bit only in PDMACHCR when it stops
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+
+[ Upstream commit 62a10498afb27370ec6018e9d802b74850fd8d9a ]
+
+R-Car datasheet indicates "Clear DE in PDMACHCR" for transfer stop,
+but current code clears all bits in PDMACHCR.
+Because of this, DE bit might never been cleared,
+and it causes CMD overflow. This patch fixes this issue.
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Tested-by: Hiroyuki Yokoyama <hiroyuki.yokoyama.vx@renesas.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/sh/rcar/dma.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/sh/rcar/dma.c
++++ b/sound/soc/sh/rcar/dma.c
+@@ -361,6 +361,20 @@ static u32 rsnd_dmapp_read(struct rsnd_d
+ return ioread32(rsnd_dmapp_addr(dmac, dma, reg));
+ }
+
++static void rsnd_dmapp_bset(struct rsnd_dma *dma, u32 data, u32 mask, u32 reg)
++{
++ struct rsnd_mod *mod = rsnd_mod_get(dma);
++ struct rsnd_priv *priv = rsnd_mod_to_priv(mod);
++ struct rsnd_dma_ctrl *dmac = rsnd_priv_to_dmac(priv);
++ volatile void __iomem *addr = rsnd_dmapp_addr(dmac, dma, reg);
++ u32 val = ioread32(addr);
++
++ val &= ~mask;
++ val |= (data & mask);
++
++ iowrite32(val, addr);
++}
++
+ static int rsnd_dmapp_stop(struct rsnd_mod *mod,
+ struct rsnd_dai_stream *io,
+ struct rsnd_priv *priv)
+@@ -368,10 +382,10 @@ static int rsnd_dmapp_stop(struct rsnd_m
+ struct rsnd_dma *dma = rsnd_mod_to_dma(mod);
+ int i;
+
+- rsnd_dmapp_write(dma, 0, PDMACHCR);
++ rsnd_dmapp_bset(dma, 0, PDMACHCR_DE, PDMACHCR);
+
+ for (i = 0; i < 1024; i++) {
+- if (0 == rsnd_dmapp_read(dma, PDMACHCR))
++ if (0 == (rsnd_dmapp_read(dma, PDMACHCR) & PDMACHCR_DE))
+ return 0;
+ udelay(1);
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Hiroyuki Yokoyama <hiroyuki.yokoyama.vx@renesas.com>
+Date: Wed, 1 Mar 2017 03:51:00 +0000
+Subject: ASoC: rsnd: fix sound route path when using SRC6/SRC9
+
+From: Hiroyuki Yokoyama <hiroyuki.yokoyama.vx@renesas.com>
+
+
+[ Upstream commit a1c2ff53726907aff5feb37e4cfd45c1ff626431 ]
+
+This patch fixes the problem that the missing value of the route path
+setting table and incorrect values are set in the CMD_ROUTE_SELECT
+register.
+
+Signed-off-by: Hiroyuki Yokoyama <hiroyuki.yokoyama.vx@renesas.com>
+[Kuninori: shared data on MIX and non-MIX case]
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/sh/rcar/cmd.c | 36 ++++++++++++++++++++----------------
+ 1 file changed, 20 insertions(+), 16 deletions(-)
+
+--- a/sound/soc/sh/rcar/cmd.c
++++ b/sound/soc/sh/rcar/cmd.c
+@@ -31,23 +31,24 @@ static int rsnd_cmd_init(struct rsnd_mod
+ struct rsnd_mod *mix = rsnd_io_to_mod_mix(io);
+ struct device *dev = rsnd_priv_to_dev(priv);
+ u32 data;
++ u32 path[] = {
++ [1] = 1 << 0,
++ [5] = 1 << 8,
++ [6] = 1 << 12,
++ [9] = 1 << 15,
++ };
+
+ if (!mix && !dvc)
+ return 0;
+
++ if (ARRAY_SIZE(path) < rsnd_mod_id(mod) + 1)
++ return -ENXIO;
++
+ if (mix) {
+ struct rsnd_dai *rdai;
+ struct rsnd_mod *src;
+ struct rsnd_dai_stream *tio;
+ int i;
+- u32 path[] = {
+- [0] = 0,
+- [1] = 1 << 0,
+- [2] = 0,
+- [3] = 0,
+- [4] = 0,
+- [5] = 1 << 8
+- };
+
+ /*
+ * it is assuming that integrater is well understanding about
+@@ -70,16 +71,19 @@ static int rsnd_cmd_init(struct rsnd_mod
+ } else {
+ struct rsnd_mod *src = rsnd_io_to_mod_src(io);
+
+- u32 path[] = {
+- [0] = 0x30000,
+- [1] = 0x30001,
+- [2] = 0x40000,
+- [3] = 0x10000,
+- [4] = 0x20000,
+- [5] = 0x40100
++ u8 cmd_case[] = {
++ [0] = 0x3,
++ [1] = 0x3,
++ [2] = 0x4,
++ [3] = 0x1,
++ [4] = 0x2,
++ [5] = 0x4,
++ [6] = 0x1,
++ [9] = 0x2,
+ };
+
+- data = path[rsnd_mod_id(src)];
++ data = path[rsnd_mod_id(src)] |
++ cmd_case[rsnd_mod_id(src)] << 16;
+ }
+
+ dev_dbg(dev, "ctu/mix path = 0x%08x", data);
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Date: Wed, 1 Nov 2017 07:16:58 +0000
+Subject: ASoC: rsnd: rsnd_ssi_run_mods() needs to care ssi_parent_mod
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+
+[ Upstream commit 21781e87881f9c420871b1d1f3f29d4cd7bffb10 ]
+
+SSI parent mod might be NULL. ssi_parent_mod() needs to care
+about it. Otherwise, it uses negative shift.
+This patch fixes it.
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/sh/rcar/ssi.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/sound/soc/sh/rcar/ssi.c
++++ b/sound/soc/sh/rcar/ssi.c
+@@ -172,10 +172,15 @@ static u32 rsnd_ssi_run_mods(struct rsnd
+ {
+ struct rsnd_mod *ssi_mod = rsnd_io_to_mod_ssi(io);
+ struct rsnd_mod *ssi_parent_mod = rsnd_io_to_mod_ssip(io);
++ u32 mods;
+
+- return rsnd_ssi_multi_slaves_runtime(io) |
+- 1 << rsnd_mod_id(ssi_mod) |
+- 1 << rsnd_mod_id(ssi_parent_mod);
++ mods = rsnd_ssi_multi_slaves_runtime(io) |
++ 1 << rsnd_mod_id(ssi_mod);
++
++ if (ssi_parent_mod)
++ mods |= 1 << rsnd_mod_id(ssi_parent_mod);
++
++ return mods;
+ }
+
+ u32 rsnd_ssi_multi_slaves_runtime(struct rsnd_dai_stream *io)
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Miaoqing Pan <miaoqing@codeaurora.org>
+Date: Wed, 27 Sep 2017 09:13:34 +0800
+Subject: ath9k: fix tx99 potential info leak
+
+From: Miaoqing Pan <miaoqing@codeaurora.org>
+
+
+[ Upstream commit ee0a47186e2fa9aa1c56cadcea470ca0ba8c8692 ]
+
+When the user sets count to zero the string buffer would remain
+completely uninitialized which causes the kernel to parse its
+own stack data, potentially leading to an info leak. In addition
+to that, the string might be not terminated properly when the
+user data does not contain a 0-terminator.
+
+Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
+Reviewed-by: Christoph Böhmwalder <christoph@boehmwalder.at>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath9k/tx99.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath9k/tx99.c
++++ b/drivers/net/wireless/ath/ath9k/tx99.c
+@@ -179,6 +179,9 @@ static ssize_t write_file_tx99(struct fi
+ ssize_t len;
+ int r;
+
++ if (count < 1)
++ return -EINVAL;
++
+ if (sc->cur_chan->nvifs > 1)
+ return -EOPNOTSUPP;
+
+@@ -186,6 +189,8 @@ static ssize_t write_file_tx99(struct fi
+ if (copy_from_user(buf, user_buf, len))
+ return -EFAULT;
+
++ buf[len] = '\0';
++
+ if (strtobool(buf, &start))
+ return -EINVAL;
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 3 Nov 2017 11:24:44 -0600
+Subject: badblocks: fix wrong return value in badblocks_set if badblocks are disabled
+
+From: Liu Bo <bo.li.liu@oracle.com>
+
+
+[ Upstream commit 39b4954c0a1556f8f7f1fdcf59a227117fcd8a0b ]
+
+MD's rdev_set_badblocks() expects that badblocks_set() returns 1 if
+badblocks are disabled, otherwise, rdev_set_badblocks() will record
+superblock changes and return success in that case and md will fail to
+report an IO error which it should.
+
+This bug has existed since badblocks were introduced in commit
+9e0e252a048b ("badblocks: Add core badblock management code").
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Acked-by: Guoqing Jiang <gqjiang@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/badblocks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/block/badblocks.c
++++ b/block/badblocks.c
+@@ -178,7 +178,7 @@ int badblocks_set(struct badblocks *bb,
+
+ if (bb->shift < 0)
+ /* badblocks are disabled */
+- return 0;
++ return 1;
+
+ if (bb->shift) {
+ /* round the start down, and the end up */
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Liang Chen <liangchen.linux@gmail.com>
+Date: Mon, 30 Oct 2017 14:46:35 -0700
+Subject: bcache: explicitly destroy mutex while exiting
+
+From: Liang Chen <liangchen.linux@gmail.com>
+
+
+[ Upstream commit 330a4db89d39a6b43f36da16824eaa7a7509d34d ]
+
+mutex_destroy does nothing most of time, but it's better to call
+it to make the code future proof and it also has some meaning
+for like mutex debug.
+
+As Coly pointed out in a previous review, bcache_exit() may not be
+able to handle all the references properly if userspace registers
+cache and backing devices right before bch_debug_init runs and
+bch_debug_init failes later. So not exposing userspace interface
+until everything is ready to avoid that issue.
+
+Signed-off-by: Liang Chen <liangchen.linux@gmail.com>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Reviewed-by: Coly Li <colyli@suse.de>
+Reviewed-by: Eric Wheeler <bcache@linux.ewheeler.net>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/super.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -2091,6 +2091,7 @@ static void bcache_exit(void)
+ if (bcache_major)
+ unregister_blkdev(bcache_major, "bcache");
+ unregister_reboot_notifier(&reboot);
++ mutex_destroy(&bch_register_lock);
+ }
+
+ static int __init bcache_init(void)
+@@ -2109,14 +2110,15 @@ static int __init bcache_init(void)
+ bcache_major = register_blkdev(0, "bcache");
+ if (bcache_major < 0) {
+ unregister_reboot_notifier(&reboot);
++ mutex_destroy(&bch_register_lock);
+ return bcache_major;
+ }
+
+ if (!(bcache_wq = alloc_workqueue("bcache", WQ_MEM_RECLAIM, 0)) ||
+ !(bcache_kobj = kobject_create_and_add("bcache", fs_kobj)) ||
+- sysfs_create_files(bcache_kobj, files) ||
+ bch_request_init() ||
+- bch_debug_init(bcache_kobj))
++ bch_debug_init(bcache_kobj) ||
++ sysfs_create_files(bcache_kobj, files))
+ goto err;
+
+ return 0;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: "tang.junhui" <tang.junhui@zte.com.cn>
+Date: Mon, 30 Oct 2017 14:46:34 -0700
+Subject: bcache: fix wrong cache_misses statistics
+
+From: "tang.junhui" <tang.junhui@zte.com.cn>
+
+
+[ Upstream commit c157313791a999646901b3e3c6888514ebc36d62 ]
+
+Currently, Cache missed IOs are identified by s->cache_miss, but actually,
+there are many situations that missed IOs are not assigned a value for
+s->cache_miss in cached_dev_cache_miss(), for example, a bypassed IO
+(s->iop.bypass = 1), or the cache_bio allocate failed. In these situations,
+it will go to out_put or out_submit, and s->cache_miss is null, which leads
+bch_mark_cache_accounting() to treat this IO as a hit IO.
+
+[ML: applied by 3-way merge]
+
+Signed-off-by: tang.junhui <tang.junhui@zte.com.cn>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Reviewed-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/request.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/request.c
++++ b/drivers/md/bcache/request.c
+@@ -468,6 +468,7 @@ struct search {
+ unsigned recoverable:1;
+ unsigned write:1;
+ unsigned read_dirty_data:1;
++ unsigned cache_missed:1;
+
+ unsigned long start_time;
+
+@@ -653,6 +654,7 @@ static inline struct search *search_allo
+
+ s->orig_bio = bio;
+ s->cache_miss = NULL;
++ s->cache_missed = 0;
+ s->d = d;
+ s->recoverable = 1;
+ s->write = op_is_write(bio_op(bio));
+@@ -771,7 +773,7 @@ static void cached_dev_read_done_bh(stru
+ struct cached_dev *dc = container_of(s->d, struct cached_dev, disk);
+
+ bch_mark_cache_accounting(s->iop.c, s->d,
+- !s->cache_miss, s->iop.bypass);
++ !s->cache_missed, s->iop.bypass);
+ trace_bcache_read(s->orig_bio, !s->cache_miss, s->iop.bypass);
+
+ if (s->iop.error)
+@@ -790,6 +792,8 @@ static int cached_dev_cache_miss(struct
+ struct cached_dev *dc = container_of(s->d, struct cached_dev, disk);
+ struct bio *miss, *cache_bio;
+
++ s->cache_missed = 1;
++
+ if (s->cache_miss || s->iop.bypass) {
+ miss = bio_next_split(bio, sectors, GFP_NOIO, s->d->bio_split);
+ ret = miss == bio ? MAP_DONE : MAP_CONTINUE;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Mon, 13 Mar 2017 16:10:11 +0200
+Subject: blk-mq: Fix tagset reinit in the presence of cpu hot-unplug
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+
+[ Upstream commit 0067d4b020ea07a58540acb2c5fcd3364bf326e0 ]
+
+In case cpu was unplugged, we need to make sure not to assume
+that the tags for that cpu are still allocated. so check
+for null tags when reinitializing a tagset.
+
+Reported-by: Yi Zhang <yizhan@redhat.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-mq-tag.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/block/blk-mq-tag.c
++++ b/block/blk-mq-tag.c
+@@ -311,6 +311,9 @@ int blk_mq_reinit_tagset(struct blk_mq_t
+ for (i = 0; i < set->nr_hw_queues; i++) {
+ struct blk_mq_tags *tags = set->tags[i];
+
++ if (!tags)
++ continue;
++
+ for (j = 0; j < tags->nr_tags; j++) {
+ if (!tags->rqs[j])
+ continue;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Wed, 8 Mar 2017 18:44:35 -0500
+Subject: bnxt_en: Ignore 0 value in autoneg supported speed from firmware.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+
+[ Upstream commit 520ad89a54edea84496695d528f73ddcf4a52ea4 ]
+
+In some situations, the firmware will return 0 for autoneg supported
+speed. This may happen if the firmware detects no SFP module, for
+example. The driver should ignore this so that we don't end up with
+an invalid autoneg setting with nothing advertised. When SFP module
+is inserted, we'll get the updated settings from firmware at that time.
+
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -5132,8 +5132,9 @@ static int bnxt_hwrm_phy_qcaps(struct bn
+ bp->lpi_tmr_hi = le32_to_cpu(resp->valid_tx_lpi_timer_high) &
+ PORT_PHY_QCAPS_RESP_TX_LPI_TIMER_HIGH_MASK;
+ }
+- link_info->support_auto_speeds =
+- le16_to_cpu(resp->supported_speeds_auto_mode);
++ if (resp->supported_speeds_auto_mode)
++ link_info->support_auto_speeds =
++ le16_to_cpu(resp->supported_speeds_auto_mode);
+
+ hwrm_phy_qcaps_exit:
+ mutex_unlock(&bp->hwrm_cmd_lock);
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
+Date: Fri, 10 Mar 2017 16:45:44 -0500
+Subject: btrfs: add missing memset while reading compressed inline extents
+
+From: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
+
+
+[ Upstream commit e1699d2d7bf6e6cce3e1baff19f9dd4595a58664 ]
+
+This is a story about 4 distinct (and very old) btrfs bugs.
+
+Commit c8b978188c ("Btrfs: Add zlib compression support") added
+three data corruption bugs for inline extents (bugs #1-3).
+
+Commit 93c82d5750 ("Btrfs: zero page past end of inline file items")
+fixed bug #1: uncompressed inline extents followed by a hole and more
+extents could get non-zero data in the hole as they were read. The fix
+was to add a memset in btrfs_get_extent to zero out the hole.
+
+Commit 166ae5a418 ("btrfs: fix inline compressed read err corruption")
+fixed bug #2: compressed inline extents which contained non-zero bytes
+might be replaced with zero bytes in some cases. This patch removed an
+unhelpful memset from uncompress_inline, but the case where memset is
+required was missed.
+
+There is also a memset in the decompression code, but this only covers
+decompressed data that is shorter than the ram_bytes from the extent
+ref record. This memset doesn't cover the region between the end of the
+decompressed data and the end of the page. It has also moved around a
+few times over the years, so there's no single patch to refer to.
+
+This patch fixes bug #3: compressed inline extents followed by a hole
+and more extents could get non-zero data in the hole as they were read
+(i.e. bug #3 is the same as bug #1, but s/uncompressed/compressed/).
+The fix is the same: zero out the hole in the compressed case too,
+by putting a memset back in uncompress_inline, but this time with
+correct parameters.
+
+The last and oldest bug, bug #0, is the cause of the offending inline
+extent/hole/extent pattern. Bug #0 is a subtle and mostly-harmless quirk
+of behavior somewhere in the btrfs write code. In a few special cases,
+an inline extent and hole are allowed to persist where they normally
+would be combined with later extents in the file.
+
+A fast reproducer for bug #0 is presented below. A few offending extents
+are also created in the wild during large rsync transfers with the -S
+flag. A Linux kernel build (git checkout; make allyesconfig; make -j8)
+will produce a handful of offending files as well. Once an offending
+file is created, it can present different content to userspace each
+time it is read.
+
+Bug #0 is at least 4 and possibly 8 years old. I verified every vX.Y
+kernel back to v3.5 has this behavior. There are fossil records of this
+bug's effects in commits all the way back to v2.6.32. I have no reason
+to believe bug #0 wasn't present at the beginning of btrfs compression
+support in v2.6.29, but I can't easily test kernels that old to be sure.
+
+It is not clear whether bug #0 is worth fixing. A fix would likely
+require injecting extra reads into currently write-only paths, and most
+of the exceptional cases caused by bug #0 are already handled now.
+
+Whether we like them or not, bug #0's inline extents followed by holes
+are part of the btrfs de-facto disk format now, and we need to be able
+to read them without data corruption or an infoleak. So enough about
+bug #0, let's get back to bug #3 (this patch).
+
+An example of on-disk structure leading to data corruption found in
+the wild:
+
+ item 61 key (606890 INODE_ITEM 0) itemoff 9662 itemsize 160
+ inode generation 50 transid 50 size 47424 nbytes 49141
+ block group 0 mode 100644 links 1 uid 0 gid 0
+ rdev 0 flags 0x0(none)
+ item 62 key (606890 INODE_REF 603050) itemoff 9642 itemsize 20
+ inode ref index 3 namelen 10 name: DB_File.so
+ item 63 key (606890 EXTENT_DATA 0) itemoff 8280 itemsize 1362
+ inline extent data size 1341 ram 4085 compress(zlib)
+ item 64 key (606890 EXTENT_DATA 4096) itemoff 8227 itemsize 53
+ extent data disk byte 5367308288 nr 20480
+ extent data offset 0 nr 45056 ram 45056
+ extent compression(zlib)
+
+Different data appears in userspace during each read of the 11 bytes
+between 4085 and 4096. The extent in item 63 is not long enough to
+fill the first page of the file, so a memset is required to fill the
+space between item 63 (ending at 4085) and item 64 (beginning at 4096)
+with zero.
+
+Here is a reproducer from Liu Bo, which demonstrates another method
+of creating the same inline extent and hole pattern:
+
+Using 'page_poison=on' kernel command line (or enable
+CONFIG_PAGE_POISONING) run the following:
+
+ # touch foo
+ # chattr +c foo
+ # xfs_io -f -c "pwrite -W 0 1000" foo
+ # xfs_io -f -c "falloc 4 8188" foo
+ # od -x foo
+ # echo 3 >/proc/sys/vm/drop_caches
+ # od -x foo
+
+This produce the following on my box:
+
+Correct output: file contains 1000 data bytes followed
+by zeros:
+
+ 0000000 cdcd cdcd cdcd cdcd cdcd cdcd cdcd cdcd
+ *
+ 0001740 cdcd cdcd cdcd cdcd 0000 0000 0000 0000
+ 0001760 0000 0000 0000 0000 0000 0000 0000 0000
+ *
+ 0020000
+
+Actual output: the data after the first 1000 bytes
+will be different each run:
+
+ 0000000 cdcd cdcd cdcd cdcd cdcd cdcd cdcd cdcd
+ *
+ 0001740 cdcd cdcd cdcd cdcd 6c63 7400 635f 006d
+ 0001760 5f74 6f43 7400 435f 0053 5f74 7363 7400
+ 0002000 435f 0056 5f74 6164 7400 645f 0062 5f74
+ (...)
+
+Signed-off-by: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
+Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: Chris Mason <clm@fb.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/inode.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -6812,6 +6812,20 @@ static noinline int uncompress_inline(st
+ max_size = min_t(unsigned long, PAGE_SIZE, max_size);
+ ret = btrfs_decompress(compress_type, tmp, page,
+ extent_offset, inline_size, max_size);
++
++ /*
++ * decompression code contains a memset to fill in any space between the end
++ * of the uncompressed data and the end of max_size in case the decompressed
++ * data ends up shorter than ram_bytes. That doesn't cover the hole between
++ * the end of an inline extent and the beginning of the next block, so we
++ * cover that region here.
++ */
++
++ if (max_size + pg_offset < PAGE_SIZE) {
++ char *map = kmap(page);
++ memset(map + pg_offset + max_size, 0, PAGE_SIZE - max_size - pg_offset);
++ kunmap(page);
++ }
+ kfree(tmp);
+ return ret;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 10 Sep 2017 13:19:38 +0200
+Subject: btrfs: tests: Fix a memory leak in error handling path in 'run_test()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit 9ca2e97fa3c3216200afe35a3b111ec51cc796d2 ]
+
+If 'btrfs_alloc_path()' fails, we must free the resources already
+allocated, as done in the other error handling paths in this function.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Qu Wenruo <quwenruo.btrfs@gmx.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tests/free-space-tree-tests.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/tests/free-space-tree-tests.c
++++ b/fs/btrfs/tests/free-space-tree-tests.c
+@@ -501,7 +501,8 @@ static int run_test(test_func_t test_fun
+ path = btrfs_alloc_path();
+ if (!path) {
+ test_msg("Couldn't allocate path\n");
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto out;
+ }
+
+ ret = add_block_group_free_space(&trans, root->fs_info, cache);
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Leo Yan <leo.yan@linaro.org>
+Date: Fri, 1 Sep 2017 08:47:14 +0800
+Subject: clk: hi6220: mark clock cs_atb_syspll as critical
+
+From: Leo Yan <leo.yan@linaro.org>
+
+
+[ Upstream commit d2a3671ebe6479483a12f94fcca63c058d95ad64 ]
+
+Clock cs_atb_syspll is pll used for coresight trace bus; when clock
+cs_atb_syspll is disabled and operates its child clock node cs_atb
+results in system hang. So mark clock cs_atb_syspll as critical to
+keep it enabled.
+
+Cc: Guodong Xu <guodong.xu@linaro.org>
+Cc: Zhangfei Gao <zhangfei.gao@linaro.org>
+Cc: Haojian Zhuang <haojian.zhuang@linaro.org>
+Signed-off-by: Leo Yan <leo.yan@linaro.org>
+Signed-off-by: Michael Turquette <mturquette@baylibre.com>
+Link: lkml.kernel.org/r/1504226835-2115-2-git-send-email-leo.yan@linaro.org
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/hisilicon/clk-hi6220.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/hisilicon/clk-hi6220.c
++++ b/drivers/clk/hisilicon/clk-hi6220.c
+@@ -144,7 +144,7 @@ static struct hisi_gate_clock hi6220_sep
+ { HI6220_BBPPLL_SEL, "bbppll_sel", "pll0_bbp_gate", CLK_SET_RATE_PARENT|CLK_IGNORE_UNUSED, 0x270, 9, 0, },
+ { HI6220_MEDIA_PLL_SRC, "media_pll_src", "pll_media_gate", CLK_SET_RATE_PARENT|CLK_IGNORE_UNUSED, 0x270, 10, 0, },
+ { HI6220_MMC2_SEL, "mmc2_sel", "mmc2_mux1", CLK_SET_RATE_PARENT|CLK_IGNORE_UNUSED, 0x270, 11, 0, },
+- { HI6220_CS_ATB_SYSPLL, "cs_atb_syspll", "syspll", CLK_SET_RATE_PARENT|CLK_IGNORE_UNUSED, 0x270, 12, 0, },
++ { HI6220_CS_ATB_SYSPLL, "cs_atb_syspll", "syspll", CLK_SET_RATE_PARENT|CLK_IS_CRITICAL, 0x270, 12, 0, },
+ };
+
+ static struct hisi_mux_clock hi6220_mux_clks_sys[] __initdata = {
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
+Date: Tue, 1 Aug 2017 12:40:07 +0200
+Subject: clk: imx6: refine hdmi_isfr's parent to make HDMI work on i.MX6 SoCs w/o VPU
+
+From: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
+
+
+[ Upstream commit c68ee58d9ee7b856ac722f18f4f26579c8fbd2b4 ]
+
+On i.MX6 SoCs without VPU (in my case MCIMX6D4AVT10AC), the hdmi driver
+fails to probe:
+
+[ 2.540030] dwhdmi-imx 120000.hdmi: Unsupported HDMI controller
+(0000:00:00)
+[ 2.548199] imx-drm display-subsystem: failed to bind 120000.hdmi
+(ops dw_hdmi_imx_ops): -19
+[ 2.557403] imx-drm display-subsystem: master bind failed: -19
+
+That's because hdmi_isfr's parent, video_27m, is not correctly ungated.
+As explained in commit 5ccc248cc537 ("ARM: imx6q: clk: Add support for
+mipi_core_cfg clock as a shared clock gate"), video_27m is gated by
+CCM_CCGR3[CG8].
+
+On i.MX6 SoCs with VPU, the hdmi is working thanks to the
+CCM_CMEOR[mod_en_ov_vpu] bit which makes the video_27m ungated whatever
+is in CCM_CCGR3[CG8]. The issue can be reproduced by setting
+CCMEOR[mod_en_ov_vpu] to 0.
+
+Make the HDMI work in every case by setting hdmi_isfr's parent to
+mipi_core_cfg.
+
+Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
+Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/imx/clk-imx6q.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/imx/clk-imx6q.c
++++ b/drivers/clk/imx/clk-imx6q.c
+@@ -487,7 +487,7 @@ static void __init imx6q_clocks_init(str
+ clk[IMX6QDL_CLK_GPU2D_CORE] = imx_clk_gate2("gpu2d_core", "gpu2d_core_podf", base + 0x6c, 24);
+ clk[IMX6QDL_CLK_GPU3D_CORE] = imx_clk_gate2("gpu3d_core", "gpu3d_core_podf", base + 0x6c, 26);
+ clk[IMX6QDL_CLK_HDMI_IAHB] = imx_clk_gate2("hdmi_iahb", "ahb", base + 0x70, 0);
+- clk[IMX6QDL_CLK_HDMI_ISFR] = imx_clk_gate2("hdmi_isfr", "video_27m", base + 0x70, 4);
++ clk[IMX6QDL_CLK_HDMI_ISFR] = imx_clk_gate2("hdmi_isfr", "mipi_core_cfg", base + 0x70, 4);
+ clk[IMX6QDL_CLK_I2C1] = imx_clk_gate2("i2c1", "ipg_per", base + 0x70, 6);
+ clk[IMX6QDL_CLK_I2C2] = imx_clk_gate2("i2c2", "ipg_per", base + 0x70, 8);
+ clk[IMX6QDL_CLK_I2C3] = imx_clk_gate2("i2c3", "ipg_per", base + 0x70, 10);
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Chen Zhong <chen.zhong@mediatek.com>
+Date: Thu, 5 Oct 2017 11:50:23 +0800
+Subject: clk: mediatek: add the option for determining PLL source clock
+
+From: Chen Zhong <chen.zhong@mediatek.com>
+
+
+[ Upstream commit c955bf3998efa3355790a4d8c82874582f1bc727 ]
+
+Since the previous setup always sets the PLL using crystal 26MHz, this
+doesn't always happen in every MediaTek platform. So the patch added
+flexibility for assigning extra member for determining the PLL source
+clock.
+
+Signed-off-by: Chen Zhong <chen.zhong@mediatek.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/mediatek/clk-mtk.h | 1 +
+ drivers/clk/mediatek/clk-pll.c | 5 ++++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/clk/mediatek/clk-mtk.h
++++ b/drivers/clk/mediatek/clk-mtk.h
+@@ -185,6 +185,7 @@ struct mtk_pll_data {
+ uint32_t pcw_reg;
+ int pcw_shift;
+ const struct mtk_pll_div_table *div_table;
++ const char *parent_name;
+ };
+
+ void mtk_clk_register_plls(struct device_node *node,
+--- a/drivers/clk/mediatek/clk-pll.c
++++ b/drivers/clk/mediatek/clk-pll.c
+@@ -302,7 +302,10 @@ static struct clk *mtk_clk_register_pll(
+
+ init.name = data->name;
+ init.ops = &mtk_pll_ops;
+- init.parent_names = &parent_name;
++ if (data->parent_name)
++ init.parent_names = &data->parent_name;
++ else
++ init.parent_names = &parent_name;
+ init.num_parents = 1;
+
+ clk = clk_register(NULL, &pll->hw);
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Date: Tue, 19 Sep 2017 04:48:10 +0200
+Subject: clk: tegra: Fix cclk_lp divisor register
+
+From: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+
+
+[ Upstream commit 54eff2264d3e9fd7e3987de1d7eba1d3581c631e ]
+
+According to comments in code and common sense, cclk_lp uses its
+own divisor, not cclk_g's.
+
+Fixes: b08e8c0ecc42 ("clk: tegra: add clock support for Tegra30")
+Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Acked-By: Peter De Schrijver <pdeschrijver@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/tegra/clk-tegra30.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/tegra/clk-tegra30.c
++++ b/drivers/clk/tegra/clk-tegra30.c
+@@ -963,7 +963,7 @@ static void __init tegra30_super_clk_ini
+ * U71 divider of cclk_lp.
+ */
+ clk = tegra_clk_register_divider("pll_p_out3_cclklp", "pll_p_out3",
+- clk_base + SUPER_CCLKG_DIVIDER, 0,
++ clk_base + SUPER_CCLKLP_DIVIDER, 0,
+ TEGRA_DIVIDER_INT, 16, 8, 1, NULL);
+ clk_register_clkdev(clk, "pll_p_out3_cclklp", NULL);
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Robert Baronescu <robert.baronescu@nxp.com>
+Date: Tue, 10 Oct 2017 13:22:00 +0300
+Subject: crypto: tcrypt - fix buffer lengths in test_aead_speed()
+
+From: Robert Baronescu <robert.baronescu@nxp.com>
+
+
+[ Upstream commit 7aacbfcb331ceff3ac43096d563a1f93ed46e35e ]
+
+Fix the way the length of the buffers used for
+encryption / decryption are computed.
+For e.g. in case of encryption, input buffer does not contain
+an authentication tag.
+
+Signed-off-by: Robert Baronescu <robert.baronescu@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/tcrypt.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/crypto/tcrypt.c
++++ b/crypto/tcrypt.c
+@@ -342,7 +342,7 @@ static void test_aead_speed(const char *
+ }
+
+ sg_init_aead(sg, xbuf,
+- *b_size + (enc ? authsize : 0));
++ *b_size + (enc ? 0 : authsize));
+
+ sg_init_aead(sgout, xoutbuf,
+ *b_size + (enc ? authsize : 0));
+@@ -350,7 +350,9 @@ static void test_aead_speed(const char *
+ sg_set_buf(&sg[0], assoc, aad_size);
+ sg_set_buf(&sgout[0], assoc, aad_size);
+
+- aead_request_set_crypt(req, sg, sgout, *b_size, iv);
++ aead_request_set_crypt(req, sg, sgout,
++ *b_size + (enc ? 0 : authsize),
++ iv);
+ aead_request_set_ad(req, aad_size);
+
+ if (secs)
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Matthias Kaehlcke <mka@chromium.org>
+Date: Mon, 13 Mar 2017 14:30:29 -0700
+Subject: dmaengine: Fix array index out of bounds warning in __get_unmap_pool()
+
+From: Matthias Kaehlcke <mka@chromium.org>
+
+
+[ Upstream commit 23f963e91fd81f44f6b316b1c24db563354c6be8 ]
+
+This fixes the following warning when building with clang and
+CONFIG_DMA_ENGINE_RAID=n :
+
+drivers/dma/dmaengine.c:1102:11: error: array index 2 is past the end of the array (which contains 1 element) [-Werror,-Warray-bounds]
+ return &unmap_pool[2];
+ ^ ~
+drivers/dma/dmaengine.c:1083:1: note: array 'unmap_pool' declared here
+static struct dmaengine_unmap_pool unmap_pool[] = {
+^
+drivers/dma/dmaengine.c:1104:11: error: array index 3 is past the end of the array (which contains 1 element) [-Werror,-Warray-bounds]
+ return &unmap_pool[3];
+ ^ ~
+drivers/dma/dmaengine.c:1083:1: note: array 'unmap_pool' declared here
+static struct dmaengine_unmap_pool unmap_pool[] = {
+
+Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/dmaengine.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/dma/dmaengine.c
++++ b/drivers/dma/dmaengine.c
+@@ -1107,12 +1107,14 @@ static struct dmaengine_unmap_pool *__ge
+ switch (order) {
+ case 0 ... 1:
+ return &unmap_pool[0];
++#if IS_ENABLED(CONFIG_DMA_ENGINE_RAID)
+ case 2 ... 4:
+ return &unmap_pool[1];
+ case 5 ... 7:
+ return &unmap_pool[2];
+ case 8:
+ return &unmap_pool[3];
++#endif
+ default:
+ BUG();
+ return NULL;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Hiroyuki Yokoyama <hiroyuki.yokoyama.vx@renesas.com>
+Date: Thu, 19 Oct 2017 01:15:13 +0000
+Subject: dmaengine: rcar-dmac: use TCRB instead of TCR for residue
+
+From: Hiroyuki Yokoyama <hiroyuki.yokoyama.vx@renesas.com>
+
+
+[ Upstream commit 847449f23dcbff68234525f90dd53c7c7db18cad ]
+
+SYS/RT/Audio DMAC includes independent data buffers for reading
+and writing. Therefore, the read transfer counter and write transfer
+counter have different values.
+TCR indicates read counter, and TCRB indicates write counter.
+The relationship is like below.
+
+ TCR TCRB
+[SOURCE] -> [DMAC] -> [SINK]
+
+In the MEM_TO_DEV direction, what really matters is how much data has
+been written to the device. If the DMA is interrupted between read and
+write, then, the data doesn't end up in the destination, so shouldn't
+be counted. TCRB is thus the register we should use in this cases.
+
+In the DEV_TO_MEM direction, the situation is more complex. Both the
+read and write side are important. What matters from a data consumer
+point of view is how much data has been written to memory.
+On the other hand, if the transfer is interrupted between read and
+write, we'll end up losing data. It can also be important to report.
+
+In the MEM_TO_MEM direction, what matters is of course how much data
+has been written to memory from data consumer point of view.
+Here, because read and write have independent data buffers, it will
+take a while for TCR and TCRB to become equal. Thus we should check
+TCRB in this case, too.
+
+Thus, all cases we should check TCRB instead of TCR.
+
+Without this patch, Sound Capture has noise after PluseAudio support
+(= 07b7acb51d2 ("ASoC: rsnd: update pointer more accurate")), because
+the recorder will use wrong residue counter which indicates transferred
+from sound device, but in reality the data was not yet put to memory
+and recorder will record it.
+
+Signed-off-by: Hiroyuki Yokoyama <hiroyuki.yokoyama.vx@renesas.com>
+[Kuninori: added detail information in log]
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/sh/rcar-dmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/sh/rcar-dmac.c
++++ b/drivers/dma/sh/rcar-dmac.c
+@@ -1289,7 +1289,7 @@ static unsigned int rcar_dmac_chan_get_r
+ }
+
+ /* Add the residue for the current chunk. */
+- residue += rcar_dmac_chan_read(chan, RCAR_DMATCR) << desc->xfer_shift;
++ residue += rcar_dmac_chan_read(chan, RCAR_DMATCRB) << desc->xfer_shift;
+
+ return residue;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Wed, 8 Nov 2017 12:02:25 +0200
+Subject: dmaengine: ti-dma-crossbar: Correct am335x/am43xx mux value type
+
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+
+
+[ Upstream commit 288e7560e4d3e259aa28f8f58a8dfe63627a1bf6 ]
+
+The used 0x1f mask is only valid for am335x family of SoC, different family
+using this type of crossbar might have different number of electable
+events. In case of am43xx family 0x3f mask should have been used for
+example.
+Instead of trying to handle each family's mask, just use u8 type to store
+the mux value since the event offsets are aligned to byte offset.
+
+Fixes: 42dbdcc6bf965 ("dmaengine: ti-dma-crossbar: Add support for crossbar on AM33xx/AM43xx")
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/ti-dma-crossbar.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/dma/ti-dma-crossbar.c
++++ b/drivers/dma/ti-dma-crossbar.c
+@@ -49,12 +49,12 @@ struct ti_am335x_xbar_data {
+
+ struct ti_am335x_xbar_map {
+ u16 dma_line;
+- u16 mux_val;
++ u8 mux_val;
+ };
+
+-static inline void ti_am335x_xbar_write(void __iomem *iomem, int event, u16 val)
++static inline void ti_am335x_xbar_write(void __iomem *iomem, int event, u8 val)
+ {
+- writeb_relaxed(val & 0x1f, iomem + event);
++ writeb_relaxed(val, iomem + event);
+ }
+
+ static void ti_am335x_xbar_free(struct device *dev, void *route_data)
+@@ -105,7 +105,7 @@ static void *ti_am335x_xbar_route_alloca
+ }
+
+ map->dma_line = (u16)dma_spec->args[0];
+- map->mux_val = (u16)dma_spec->args[2];
++ map->mux_val = (u8)dma_spec->args[2];
+
+ dma_spec->args[2] = 0;
+ dma_spec->args_count = 2;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date: Sat, 4 Mar 2017 18:13:59 -0700
+Subject: Drivers: hv: util: move waiting for release to hv_utils_transport itself
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+
+[ Upstream commit e9c18ae6eb2b312f16c63e34b43ea23926daa398 ]
+
+Waiting for release_event in all three drivers introduced issues on release
+as on_reset() hook is not always called. E.g. if the device was never
+opened we will never get the completion.
+
+Move the waiting code to hvutil_transport_destroy() and make sure it is
+only called when the device is open. hvt->lock serialization should
+guarantee the absence of races.
+
+Fixes: 5a66fecbf6aa ("Drivers: hv: util: kvp: Fix a rescind processing issue")
+Fixes: 20951c7535b5 ("Drivers: hv: util: Fcopy: Fix a rescind processing issue")
+Fixes: d77044d142e9 ("Drivers: hv: util: Backup: Fix a rescind processing issue")
+
+Reported-by: Dexuan Cui <decui@microsoft.com>
+Tested-by: Dexuan Cui <decui@microsoft.com>
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hv/hv_fcopy.c | 4 ----
+ drivers/hv/hv_kvp.c | 4 ----
+ drivers/hv/hv_snapshot.c | 4 ----
+ drivers/hv/hv_utils_transport.c | 12 ++++++++----
+ drivers/hv/hv_utils_transport.h | 1 +
+ 5 files changed, 9 insertions(+), 16 deletions(-)
+
+--- a/drivers/hv/hv_fcopy.c
++++ b/drivers/hv/hv_fcopy.c
+@@ -61,7 +61,6 @@ static DECLARE_WORK(fcopy_send_work, fco
+ static const char fcopy_devname[] = "vmbus/hv_fcopy";
+ static u8 *recv_buffer;
+ static struct hvutil_transport *hvt;
+-static struct completion release_event;
+ /*
+ * This state maintains the version number registered by the daemon.
+ */
+@@ -322,7 +321,6 @@ static void fcopy_on_reset(void)
+
+ if (cancel_delayed_work_sync(&fcopy_timeout_work))
+ fcopy_respond_to_host(HV_E_FAIL);
+- complete(&release_event);
+ }
+
+ int hv_fcopy_init(struct hv_util_service *srv)
+@@ -330,7 +328,6 @@ int hv_fcopy_init(struct hv_util_service
+ recv_buffer = srv->recv_buffer;
+ fcopy_transaction.recv_channel = srv->channel;
+
+- init_completion(&release_event);
+ /*
+ * When this driver loads, the user level daemon that
+ * processes the host requests may not yet be running.
+@@ -352,5 +349,4 @@ void hv_fcopy_deinit(void)
+ fcopy_transaction.state = HVUTIL_DEVICE_DYING;
+ cancel_delayed_work_sync(&fcopy_timeout_work);
+ hvutil_transport_destroy(hvt);
+- wait_for_completion(&release_event);
+ }
+--- a/drivers/hv/hv_kvp.c
++++ b/drivers/hv/hv_kvp.c
+@@ -88,7 +88,6 @@ static DECLARE_WORK(kvp_sendkey_work, kv
+ static const char kvp_devname[] = "vmbus/hv_kvp";
+ static u8 *recv_buffer;
+ static struct hvutil_transport *hvt;
+-static struct completion release_event;
+ /*
+ * Register the kernel component with the user-level daemon.
+ * As part of this registration, pass the LIC version number.
+@@ -717,7 +716,6 @@ static void kvp_on_reset(void)
+ if (cancel_delayed_work_sync(&kvp_timeout_work))
+ kvp_respond_to_host(NULL, HV_E_FAIL);
+ kvp_transaction.state = HVUTIL_DEVICE_INIT;
+- complete(&release_event);
+ }
+
+ int
+@@ -726,7 +724,6 @@ hv_kvp_init(struct hv_util_service *srv)
+ recv_buffer = srv->recv_buffer;
+ kvp_transaction.recv_channel = srv->channel;
+
+- init_completion(&release_event);
+ /*
+ * When this driver loads, the user level daemon that
+ * processes the host requests may not yet be running.
+@@ -750,5 +747,4 @@ void hv_kvp_deinit(void)
+ cancel_delayed_work_sync(&kvp_timeout_work);
+ cancel_work_sync(&kvp_sendkey_work);
+ hvutil_transport_destroy(hvt);
+- wait_for_completion(&release_event);
+ }
+--- a/drivers/hv/hv_snapshot.c
++++ b/drivers/hv/hv_snapshot.c
+@@ -66,7 +66,6 @@ static int dm_reg_value;
+ static const char vss_devname[] = "vmbus/hv_vss";
+ static __u8 *recv_buffer;
+ static struct hvutil_transport *hvt;
+-static struct completion release_event;
+
+ static void vss_timeout_func(struct work_struct *dummy);
+ static void vss_handle_request(struct work_struct *dummy);
+@@ -331,13 +330,11 @@ static void vss_on_reset(void)
+ if (cancel_delayed_work_sync(&vss_timeout_work))
+ vss_respond_to_host(HV_E_FAIL);
+ vss_transaction.state = HVUTIL_DEVICE_INIT;
+- complete(&release_event);
+ }
+
+ int
+ hv_vss_init(struct hv_util_service *srv)
+ {
+- init_completion(&release_event);
+ if (vmbus_proto_version < VERSION_WIN8_1) {
+ pr_warn("Integration service 'Backup (volume snapshot)'"
+ " not supported on this host version.\n");
+@@ -368,5 +365,4 @@ void hv_vss_deinit(void)
+ cancel_delayed_work_sync(&vss_timeout_work);
+ cancel_work_sync(&vss_handle_request_work);
+ hvutil_transport_destroy(hvt);
+- wait_for_completion(&release_event);
+ }
+--- a/drivers/hv/hv_utils_transport.c
++++ b/drivers/hv/hv_utils_transport.c
+@@ -182,10 +182,11 @@ static int hvt_op_release(struct inode *
+ * connects back.
+ */
+ hvt_reset(hvt);
+- mutex_unlock(&hvt->lock);
+
+ if (mode_old == HVUTIL_TRANSPORT_DESTROY)
+- hvt_transport_free(hvt);
++ complete(&hvt->release);
++
++ mutex_unlock(&hvt->lock);
+
+ return 0;
+ }
+@@ -304,6 +305,7 @@ struct hvutil_transport *hvutil_transpor
+
+ init_waitqueue_head(&hvt->outmsg_q);
+ mutex_init(&hvt->lock);
++ init_completion(&hvt->release);
+
+ spin_lock(&hvt_list_lock);
+ list_add(&hvt->list, &hvt_list);
+@@ -351,6 +353,8 @@ void hvutil_transport_destroy(struct hvu
+ if (hvt->cn_id.idx > 0 && hvt->cn_id.val > 0)
+ cn_del_callback(&hvt->cn_id);
+
+- if (mode_old != HVUTIL_TRANSPORT_CHARDEV)
+- hvt_transport_free(hvt);
++ if (mode_old == HVUTIL_TRANSPORT_CHARDEV)
++ wait_for_completion(&hvt->release);
++
++ hvt_transport_free(hvt);
+ }
+--- a/drivers/hv/hv_utils_transport.h
++++ b/drivers/hv/hv_utils_transport.h
+@@ -41,6 +41,7 @@ struct hvutil_transport {
+ int outmsg_len; /* its length */
+ wait_queue_head_t outmsg_q; /* poll/read wait queue */
+ struct mutex lock; /* protects struct members */
++ struct completion release; /* synchronize with fd release */
+ };
+
+ struct hvutil_transport *hvutil_transport_init(const char *name,
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 14 Mar 2017 22:27:11 +0100
+Subject: drm: amd: remove broken include path
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+
+[ Upstream commit 655d9ca9ac075da1ef2a45012ba48a39f6eb1f58 ]
+
+The AMD ACP driver adds "-I../acp -I../acp/include" to the gcc command
+line, which makes no sense, since these are evaluated relative to the
+build directory. When we build with "make W=1", they instead cause
+a warning:
+
+cc1: error: ../acp/: No such file or directory [-Werror=missing-include-dirs]
+cc1: error: ../acp/include: No such file or directory [-Werror=missing-include-dirs]
+cc1: all warnings being treated as errors
+../scripts/Makefile.build:289: recipe for target 'drivers/gpu/drm/amd/amdgpu/amdgpu_drv.o' failed
+../scripts/Makefile.build:289: recipe for target 'drivers/gpu/drm/amd/amdgpu/amdgpu_device.o' failed
+../scripts/Makefile.build:289: recipe for target 'drivers/gpu/drm/amd/amdgpu/amdgpu_kms.o' failed
+
+This removes the subdir-ccflags variable that evidently did not
+serve any purpose here.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/acp/Makefile | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/acp/Makefile
++++ b/drivers/gpu/drm/amd/acp/Makefile
+@@ -3,6 +3,4 @@
+ # of AMDSOC/AMDGPU drm driver.
+ # It provides the HW control for ACP related functionalities.
+
+-subdir-ccflags-y += -I$(AMDACPPATH)/ -I$(AMDACPPATH)/include
+-
+ AMD_ACP_FILES := $(AMDACPPATH)/acp_hw.o
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Dave Airlie <airlied@redhat.com>
+Date: Fri, 10 Mar 2017 12:13:04 +1000
+Subject: drm/amdgpu: fix parser init error path to avoid crash in parser fini
+
+From: Dave Airlie <airlied@redhat.com>
+
+
+[ Upstream commit 607523d19c9d67ba4cf7bdaced644f11ed04992c ]
+
+If we don't reset the chunk info in the error path, the subsequent
+fini path will double free.
+
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+@@ -240,6 +240,8 @@ free_partial_kdata:
+ for (; i >= 0; i--)
+ drm_free_large(p->chunks[i].kdata);
+ kfree(p->chunks);
++ p->chunks = NULL;
++ p->nchunks = 0;
+ put_ctx:
+ amdgpu_ctx_put(p->ctx);
+ free_chunk:
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Date: Tue, 28 Feb 2017 10:11:45 +0200
+Subject: drm/omap: fix dmabuf mmap for dma_alloc'ed buffers
+
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+
+
+[ Upstream commit 9fa1d7537242bd580ffa99c4725a0407096aad26 ]
+
+omap_gem_dmabuf_mmap() returns an error (with a WARN) when called for a
+buffer which is allocated with dma_alloc_*(). This prevents dmabuf mmap
+from working on SoCs without DMM, e.g. AM4 and OMAP3.
+
+I could not find any reason for omap_gem_dmabuf_mmap() rejecting such
+buffers, and just removing the if() fixes the limitation.
+
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/omapdrm/omap_gem_dmabuf.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/gpu/drm/omapdrm/omap_gem_dmabuf.c
++++ b/drivers/gpu/drm/omapdrm/omap_gem_dmabuf.c
+@@ -147,9 +147,6 @@ static int omap_gem_dmabuf_mmap(struct d
+ struct drm_gem_object *obj = buffer->priv;
+ int ret = 0;
+
+- if (WARN_ON(!obj->filp))
+- return -EINVAL;
+-
+ ret = drm_gem_mmap_obj(obj, omap_gem_mmap_size(obj), vma);
+ if (ret < 0)
+ return ret;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 15 Mar 2017 21:11:46 -0400
+Subject: drm/radeon: reinstate oland workaround for sclk
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+
+[ Upstream commit 66822d815ae61ecb2d9dba9031517e8a8476969d ]
+
+Higher sclks seem to be unstable on some boards.
+
+bug: https://bugs.freedesktop.org/show_bug.cgi?id=100222
+
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/radeon/si_dpm.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/si_dpm.c
++++ b/drivers/gpu/drm/radeon/si_dpm.c
+@@ -3030,9 +3030,13 @@ static void si_apply_state_adjust_rules(
+ max_mclk = 80000;
+ }
+ } else if (rdev->family == CHIP_OLAND) {
+- if ((rdev->pdev->device == 0x6604) &&
+- (rdev->pdev->subsystem_vendor == 0x1028) &&
+- (rdev->pdev->subsystem_device == 0x066F)) {
++ if ((rdev->pdev->revision == 0xC7) ||
++ (rdev->pdev->revision == 0x80) ||
++ (rdev->pdev->revision == 0x81) ||
++ (rdev->pdev->revision == 0x83) ||
++ (rdev->pdev->revision == 0x87) ||
++ (rdev->pdev->device == 0x6604) ||
++ (rdev->pdev->device == 0x6605)) {
+ max_sclk = 75000;
+ }
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Tue, 14 Mar 2017 14:42:03 -0400
+Subject: drm/radeon/si: add dpm quirk for Oland
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+
+[ Upstream commit 0f424de1fd9bc4ab24bd1fe5430ab5618e803e31 ]
+
+OLAND 0x1002:0x6604 0x1028:0x066F 0x00 seems to have problems
+with higher sclks.
+
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/radeon/si_dpm.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/si_dpm.c
++++ b/drivers/gpu/drm/radeon/si_dpm.c
+@@ -3029,6 +3029,12 @@ static void si_apply_state_adjust_rules(
+ max_sclk = 75000;
+ max_mclk = 80000;
+ }
++ } else if (rdev->family == CHIP_OLAND) {
++ if ((rdev->pdev->device == 0x6604) &&
++ (rdev->pdev->subsystem_vendor == 0x1028) &&
++ (rdev->pdev->subsystem_device == 0x066F)) {
++ max_sclk = 75000;
++ }
+ }
+ /* Apply dpm quirks */
+ while (p && p->chip_device != 0) {
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Daniel Drake <drake@endlessm.com>
+Date: Tue, 7 Feb 2017 13:08:23 -0600
+Subject: efi/esrt: Cleanup bad memory map log messages
+
+From: Daniel Drake <drake@endlessm.com>
+
+
+[ Upstream commit 822f5845f710e57d7e2df1fd1ee00d6e19d334fe ]
+
+The Intel Compute Stick STCK1A8LFC and Weibu F3C platforms both
+log 2 error messages during boot:
+
+ efi: requested map not found.
+ esrt: ESRT header is not in the memory map.
+
+Searching the web, this seems to affect many other platforms too.
+Since these messages are logged as errors, they appear on-screen during
+the boot process even when using the "quiet" boot parameter used by
+distros.
+
+Demote the ESRT error to a warning so that it does not appear on-screen,
+and delete the error logging from efi_mem_desc_lookup; both callsites
+of that function log more specific messages upon failure.
+
+Out of curiosity I looked closer at the Weibu F3C. There is no entry in
+the UEFI-provided memory map which corresponds to the ESRT pointer, but
+hacking the code to map it anyway, the ESRT does appear to be valid with
+2 entries.
+
+Signed-off-by: Daniel Drake <drake@endlessm.com>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Acked-by: Peter Jones <pjones@redhat.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/efi/efi.c | 1 -
+ drivers/firmware/efi/esrt.c | 2 +-
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -384,7 +384,6 @@ int __init efi_mem_desc_lookup(u64 phys_
+ return 0;
+ }
+ }
+- pr_err_once("requested map not found.\n");
+ return -ENOENT;
+ }
+
+--- a/drivers/firmware/efi/esrt.c
++++ b/drivers/firmware/efi/esrt.c
+@@ -251,7 +251,7 @@ void __init efi_esrt_init(void)
+
+ rc = efi_mem_desc_lookup(efi.esrt, &md);
+ if (rc < 0) {
+- pr_err("ESRT header is not in the memory map.\n");
++ pr_warn("ESRT header is not in the memory map.\n");
+ return;
+ }
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Thu, 9 Nov 2017 18:09:33 +0100
+Subject: fbdev: controlfb: Add missing modes to fix out of bounds access
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+
+[ Upstream commit ac831a379d34109451b3c41a44a20ee10ecb615f ]
+
+Dan's static analysis says:
+
+ drivers/video/fbdev/controlfb.c:560 control_setup()
+ error: buffer overflow 'control_mac_modes' 20 <= 21
+
+Indeed, control_mac_modes[] has only 20 elements, while VMODE_MAX is 22,
+which may lead to an out of bounds read when parsing vmode commandline
+options.
+
+The bug was introduced in v2.4.5.6, when 2 new modes were added to
+macmodes.h, but control_mac_modes[] wasn't updated:
+
+https://kernel.opensuse.org/cgit/kernel/diff/include/video/macmodes.h?h=v2.5.2&id=29f279c764808560eaceb88fef36cbc35c529aad
+
+Augment control_mac_modes[] with the two new video modes to fix this.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/controlfb.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/video/fbdev/controlfb.h
++++ b/drivers/video/fbdev/controlfb.h
+@@ -141,5 +141,7 @@ static struct max_cmodes control_mac_mod
+ {{ 1, 2}}, /* 1152x870, 75Hz */
+ {{ 0, 1}}, /* 1280x960, 75Hz */
+ {{ 0, 1}}, /* 1280x1024, 75Hz */
++ {{ 1, 2}}, /* 1152x768, 60Hz */
++ {{ 0, 1}}, /* 1600x1024, 60Hz */
+ };
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Taku Izumi <izumi.taku@jp.fujitsu.com>
+Date: Wed, 15 Mar 2017 13:47:50 +0900
+Subject: fjes: Fix wrong netdevice feature flags
+
+From: Taku Izumi <izumi.taku@jp.fujitsu.com>
+
+
+[ Upstream commit fe8daf5fa715f7214952f06a387e4b7de818c5be ]
+
+This patch fixes netdev->features for Extended Socket network device.
+
+Currently Extended Socket network device's netdev->feature claims
+NETIF_F_HW_CSUM, however this is completely wrong. There's no feature
+of checksum offloading.
+That causes invalid TCP/UDP checksum and packet rejection when IP
+forwarding from Extended Socket network device to other network device.
+
+NETIF_F_HW_CSUM should be omitted.
+
+Signed-off-by: Taku Izumi <izumi.taku@jp.fujitsu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/fjes/fjes_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/fjes/fjes_main.c
++++ b/drivers/net/fjes/fjes_main.c
+@@ -1277,7 +1277,7 @@ static void fjes_netdev_setup(struct net
+ fjes_set_ethtool_ops(netdev);
+ netdev->mtu = fjes_support_mtu[3];
+ netdev->flags |= IFF_BROADCAST;
+- netdev->features |= NETIF_F_HW_CSUM | NETIF_F_HW_VLAN_CTAG_FILTER;
++ netdev->features |= NETIF_F_HW_VLAN_CTAG_FILTER;
+ }
+
+ static void fjes_irq_watch_task(struct work_struct *work)
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Bob Peterson <rpeterso@redhat.com>
+Date: Wed, 20 Sep 2017 08:30:04 -0500
+Subject: GFS2: Take inode off order_write list when setting jdata flag
+
+From: Bob Peterson <rpeterso@redhat.com>
+
+
+[ Upstream commit cc555b09d8c3817aeebda43a14ab67049a5653f7 ]
+
+This patch fixes a deadlock caused when the jdata flag is set for
+inodes that are already on the ordered write list. Since it is
+on the ordered write list, log_flush calls gfs2_ordered_write which
+calls filemap_fdatawrite. But since the inode had the jdata flag
+set, that calls gfs2_jdata_writepages, which tries to start a new
+transaction. A new transaction cannot be started because it tries
+to acquire the log_flush rwsem which is already locked by the log
+flush operation.
+
+The bottom line is: We cannot switch an inode from ordered to jdata
+until we eliminate any ordered data pages (via log flush) or any
+log_flush operation afterward will create the circular dependency
+above. So we need to flush the log before setting the diskflags to
+switch the file mode, then we need to remove the inode from the
+ordered writes list.
+
+Before this patch, the log flush was done for jdata->ordered, but
+that's wrong. If we're going from jdata to ordered, we don't need
+to call gfs2_log_flush because the call to filemap_fdatawrite will
+do it for us:
+
+ filemap_fdatawrite() -> __filemap_fdatawrite_range()
+ __filemap_fdatawrite_range() -> do_writepages()
+ do_writepages() -> gfs2_jdata_writepages()
+ gfs2_jdata_writepages() -> gfs2_log_flush()
+
+This patch modifies function do_gfs2_set_flags so that if a file
+has its jdata flag set, and it's already on the ordered write list,
+the log will be flushed and it will be removed from the list
+before setting the flag.
+
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Acked-by: Abhijith Das <adas@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/gfs2/file.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/gfs2/file.c
++++ b/fs/gfs2/file.c
+@@ -256,7 +256,7 @@ static int do_gfs2_set_flags(struct file
+ goto out;
+ }
+ if ((flags ^ new_flags) & GFS2_DIF_JDATA) {
+- if (flags & GFS2_DIF_JDATA)
++ if (new_flags & GFS2_DIF_JDATA)
+ gfs2_log_flush(sdp, ip->i_gl, NORMAL_FLUSH);
+ error = filemap_fdatawrite(inode->i_mapping);
+ if (error)
+@@ -264,6 +264,8 @@ static int do_gfs2_set_flags(struct file
+ error = filemap_fdatawait(inode->i_mapping);
+ if (error)
+ goto out;
++ if (new_flags & GFS2_DIF_JDATA)
++ gfs2_ordered_del_inode(ip);
+ }
+ error = gfs2_trans_begin(sdp, RES_DINODE, 0);
+ if (error)
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
+Date: Fri, 10 Nov 2017 10:01:43 +0100
+Subject: HID: cp2112: fix broken gpio_direction_input callback
+
+From: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
+
+
+[ Upstream commit 7da85fbf1c87d4f73621e0e7666a3387497075a9 ]
+
+When everything goes smoothly, ret is set to 0 which makes the function
+to return EIO error.
+
+Fixes: 8e9faa15469e ("HID: cp2112: fix gpio-callback error handling")
+Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-cp2112.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/hid-cp2112.c
++++ b/drivers/hid/hid-cp2112.c
+@@ -188,6 +188,8 @@ static int cp2112_gpio_direction_input(s
+ HID_REQ_GET_REPORT);
+ if (ret != CP2112_GPIO_CONFIG_LENGTH) {
+ hid_err(hdev, "error requesting GPIO config: %d\n", ret);
++ if (ret >= 0)
++ ret = -EIO;
+ goto exit;
+ }
+
+@@ -197,8 +199,10 @@ static int cp2112_gpio_direction_input(s
+ ret = hid_hw_raw_request(hdev, CP2112_GPIO_CONFIG, buf,
+ CP2112_GPIO_CONFIG_LENGTH, HID_FEATURE_REPORT,
+ HID_REQ_SET_REPORT);
+- if (ret < 0) {
++ if (ret != CP2112_GPIO_CONFIG_LENGTH) {
+ hid_err(hdev, "error setting GPIO config: %d\n", ret);
++ if (ret >= 0)
++ ret = -EIO;
+ goto exit;
+ }
+
+@@ -206,7 +210,7 @@ static int cp2112_gpio_direction_input(s
+
+ exit:
+ mutex_unlock(&dev->lock);
+- return ret < 0 ? ret : -EIO;
++ return ret;
+ }
+
+ static void cp2112_gpio_set(struct gpio_chip *chip, unsigned offset, int value)
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Parav Pandit <parav@mellanox.com>
+Date: Mon, 16 Oct 2017 08:45:16 +0300
+Subject: IB/core: Fix calculation of maximum RoCE MTU
+
+From: Parav Pandit <parav@mellanox.com>
+
+
+[ Upstream commit 99260132fde7bddc6e0132ce53da94d1c9ccabcb ]
+
+The original code only took into consideration the largest header
+possible after the IB_BTH_BYTES. This was incorrect, as the largest
+possible header size is the largest possible combination of headers we
+might run into. The new code accounts for all possible headers in the
+largest possible combination and subtracts that from the MTU to make
+sure that all packets will fit on the wire.
+
+Link: https://www.spinics.net/lists/linux-rdma/msg54558.html
+Fixes: 3c86aa70bf67 ("RDMA/cm: Add RDMA CM support for IBoE devices")
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
+Reported-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/rdma/ib_addr.h | 7 ++++---
+ include/rdma/ib_pack.h | 19 +++++++++++--------
+ 2 files changed, 15 insertions(+), 11 deletions(-)
+
+--- a/include/rdma/ib_addr.h
++++ b/include/rdma/ib_addr.h
+@@ -243,10 +243,11 @@ static inline void rdma_addr_set_dgid(st
+ static inline enum ib_mtu iboe_get_mtu(int mtu)
+ {
+ /*
+- * reduce IB headers from effective IBoE MTU. 28 stands for
+- * atomic header which is the biggest possible header after BTH
++ * Reduce IB headers from effective IBoE MTU.
+ */
+- mtu = mtu - IB_GRH_BYTES - IB_BTH_BYTES - 28;
++ mtu = mtu - (IB_GRH_BYTES + IB_UDP_BYTES + IB_BTH_BYTES +
++ IB_EXT_XRC_BYTES + IB_EXT_ATOMICETH_BYTES +
++ IB_ICRC_BYTES);
+
+ if (mtu >= ib_mtu_enum_to_int(IB_MTU_4096))
+ return IB_MTU_4096;
+--- a/include/rdma/ib_pack.h
++++ b/include/rdma/ib_pack.h
+@@ -37,14 +37,17 @@
+ #include <uapi/linux/if_ether.h>
+
+ enum {
+- IB_LRH_BYTES = 8,
+- IB_ETH_BYTES = 14,
+- IB_VLAN_BYTES = 4,
+- IB_GRH_BYTES = 40,
+- IB_IP4_BYTES = 20,
+- IB_UDP_BYTES = 8,
+- IB_BTH_BYTES = 12,
+- IB_DETH_BYTES = 8
++ IB_LRH_BYTES = 8,
++ IB_ETH_BYTES = 14,
++ IB_VLAN_BYTES = 4,
++ IB_GRH_BYTES = 40,
++ IB_IP4_BYTES = 20,
++ IB_UDP_BYTES = 8,
++ IB_BTH_BYTES = 12,
++ IB_DETH_BYTES = 8,
++ IB_EXT_ATOMICETH_BYTES = 28,
++ IB_EXT_XRC_BYTES = 4,
++ IB_ICRC_BYTES = 4
+ };
+
+ struct ib_field {
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Patel Jay P <jay.p.patel@intel.com>
+Date: Mon, 23 Oct 2017 06:05:53 -0700
+Subject: Ib/hfi1: Return actual operational VLs in port info query
+
+From: Patel Jay P <jay.p.patel@intel.com>
+
+
+[ Upstream commit 00f9203119dd2774564407c7a67b17d81916298b ]
+
+__subn_get_opa_portinfo stores value returned by hfi1_get_ib_cfg() as
+operational vls. hfi1_get_ib_cfg() returns vls_operational field in
+hfi1_pportdata. The problem with this is that the value is always equal
+to vls_supported field in hfi1_pportdata.
+
+The logic to calculate operational_vls is to set value passed by FM
+(in __subn_set_opa_portinfo routine). If no value is passed then
+default value is stored in operational_vls.
+
+Field actual_vls_operational is calculated on the basis of buffer
+control table. Hence, modifying hfi1_get_ib_cfg() to return
+actual_operational_vls when used with HFI1_IB_CFG_OP_VLS parameter
+
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Patel Jay P <jay.p.patel@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/hfi1/chip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/hfi1/chip.c
++++ b/drivers/infiniband/hw/hfi1/chip.c
+@@ -9769,7 +9769,7 @@ int hfi1_get_ib_cfg(struct hfi1_pportdat
+ goto unimplemented;
+
+ case HFI1_IB_CFG_OP_VLS:
+- val = ppd->vls_operational;
++ val = ppd->actual_vls_operational;
+ break;
+ case HFI1_IB_CFG_VL_HIGH_CAP: /* VL arb high priority table size */
+ val = VL_ARB_HIGH_PRIO_TABLE_SIZE;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Alex Vesker <valex@mellanox.com>
+Date: Tue, 10 Oct 2017 10:36:41 +0300
+Subject: IB/ipoib: Grab rtnl lock on heavy flush when calling ndo_open/stop
+
+From: Alex Vesker <valex@mellanox.com>
+
+
+[ Upstream commit b4b678b06f6eef18bff44a338c01870234db0bc9 ]
+
+When ndo_open and ndo_stop are called RTNL lock should be held.
+In this specific case ipoib_ib_dev_open calls the offloaded ndo_open
+which re-sets the number of TX queue assuming RTNL lock is held.
+Since RTNL lock is not held, RTNL assert will fail.
+
+Signed-off-by: Alex Vesker <valex@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_ib.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+@@ -1177,10 +1177,15 @@ static void __ipoib_ib_dev_flush(struct
+ ipoib_ib_dev_down(dev);
+
+ if (level == IPOIB_FLUSH_HEAVY) {
++ rtnl_lock();
+ if (test_bit(IPOIB_FLAG_INITIALIZED, &priv->flags))
+ ipoib_ib_dev_stop(dev);
+- if (ipoib_ib_dev_open(dev) != 0)
++
++ result = ipoib_ib_dev_open(dev);
++ rtnl_unlock();
++ if (result)
+ return;
++
+ if (netif_queue_stopped(dev))
+ netif_start_queue(dev);
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Matteo Croce <mcroce@redhat.com>
+Date: Thu, 12 Oct 2017 16:12:37 +0200
+Subject: icmp: don't fail on fragment reassembly time exceeded
+
+From: Matteo Croce <mcroce@redhat.com>
+
+
+[ Upstream commit 258bbb1b0e594ad5f5652cb526b3c63e6a7fad3d ]
+
+The ICMP implementation currently replies to an ICMP time exceeded message
+(type 11) with an ICMP host unreachable message (type 3, code 1).
+
+However, time exceeded messages can either represent "time to live exceeded
+in transit" (code 0) or "fragment reassembly time exceeded" (code 1).
+
+Unconditionally replying to "fragment reassembly time exceeded" with
+host unreachable messages might cause unjustified connection resets
+which are now easily triggered as UFO has been removed, because, in turn,
+sending large buffers triggers IP fragmentation.
+
+The issue can be easily reproduced by running a lot of UDP streams
+which is likely to trigger IP fragmentation:
+
+ # start netserver in the test namespace
+ ip netns add test
+ ip netns exec test netserver
+
+ # create a VETH pair
+ ip link add name veth0 type veth peer name veth0 netns test
+ ip link set veth0 up
+ ip -n test link set veth0 up
+
+ for i in $(seq 20 29); do
+ # assign addresses to both ends
+ ip addr add dev veth0 192.168.$i.1/24
+ ip -n test addr add dev veth0 192.168.$i.2/24
+
+ # start the traffic
+ netperf -L 192.168.$i.1 -H 192.168.$i.2 -t UDP_STREAM -l 0 &
+ done
+
+ # wait
+ send_data: data send error: No route to host (errno 113)
+ netperf: send_omni: send_data failed: No route to host
+
+We need to differentiate instead: if fragment reassembly time exceeded
+is reported, we need to silently drop the packet,
+if time to live exceeded is reported, maintain the current behaviour.
+In both cases increment the related error count "icmpInTimeExcds".
+
+While at it, fix a typo in a comment, and convert the if statement
+into a switch to mate it more readable.
+
+Signed-off-by: Matteo Croce <mcroce@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/icmp.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -766,7 +766,7 @@ static bool icmp_tag_validation(int prot
+ }
+
+ /*
+- * Handle ICMP_DEST_UNREACH, ICMP_TIME_EXCEED, ICMP_QUENCH, and
++ * Handle ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED, ICMP_QUENCH, and
+ * ICMP_PARAMETERPROB.
+ */
+
+@@ -794,7 +794,8 @@ static bool icmp_unreach(struct sk_buff
+ if (iph->ihl < 5) /* Mangled header, drop. */
+ goto out_err;
+
+- if (icmph->type == ICMP_DEST_UNREACH) {
++ switch (icmph->type) {
++ case ICMP_DEST_UNREACH:
+ switch (icmph->code & 15) {
+ case ICMP_NET_UNREACH:
+ case ICMP_HOST_UNREACH:
+@@ -830,8 +831,16 @@ static bool icmp_unreach(struct sk_buff
+ }
+ if (icmph->code > NR_ICMP_UNREACH)
+ goto out;
+- } else if (icmph->type == ICMP_PARAMETERPROB)
++ break;
++ case ICMP_PARAMETERPROB:
+ info = ntohl(icmph->un.gateway) >> 24;
++ break;
++ case ICMP_TIME_EXCEEDED:
++ __ICMP_INC_STATS(net, ICMP_MIB_INTIMEEXCDS);
++ if (icmph->code == ICMP_EXC_FRAGTIME)
++ goto out;
++ break;
++ }
+
+ /*
+ * Throw it at our lower layers
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Tue, 28 Feb 2017 17:14:41 -0800
+Subject: Input: i8042 - add TUXEDO BU1406 (N24_25BU) to the nomux list
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+
+[ Upstream commit a4c2a13129f7c5bcf81704c06851601593303fd5 ]
+
+TUXEDO BU1406 does not implement active multiplexing mode properly,
+and takes around 550 ms in i8042_set_mux_mode(). Given that the
+device does not have external AUX port, there is no downside in
+disabling the MUX mode.
+
+Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Suggested-by: Vojtech Pavlik <vojtech@suse.cz>
+Reviewed-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/serio/i8042-x86ia64io.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -520,6 +520,13 @@ static const struct dmi_system_id __init
+ DMI_MATCH(DMI_PRODUCT_NAME, "IC4I"),
+ },
+ },
++ {
++ /* TUXEDO BU1406 */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Notebook"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "N24_25BU"),
++ },
++ },
+ { }
+ };
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Thu, 30 Jun 2016 16:10:51 +0300
+Subject: intel_th: pci: Add Gemini Lake support
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+
+[ Upstream commit 340837f985c2cb87ca0868d4aa9ce42b0fab3a21 ]
+
+This adds Intel(R) Trace Hub PCI ID for Gemini Lake SOC.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/pci.c
++++ b/drivers/hwtracing/intel_th/pci.c
+@@ -95,6 +95,11 @@ static const struct pci_device_id intel_
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x9da6),
+ .driver_data = (kernel_ulong_t)0,
+ },
++ {
++ /* Gemini Lake */
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x318e),
++ .driver_data = (kernel_ulong_t)0,
++ },
+ { 0 },
+ };
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Gary R Hook <gary.hook@amd.com>
+Date: Fri, 3 Nov 2017 10:50:34 -0600
+Subject: iommu/amd: Limit the IOVA page range to the specified addresses
+
+From: Gary R Hook <gary.hook@amd.com>
+
+
+[ Upstream commit b92b4fb5c14257c0e7eae291ecc1f7b1962e1699 ]
+
+The extent of pages specified when applying a reserved region should
+include up to the last page of the range, but not the page following
+the range.
+
+Signed-off-by: Gary R Hook <gary.hook@amd.com>
+Fixes: 8d54d6c8b8f3 ('iommu/amd: Implement apply_dm_region call-back')
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/amd_iommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -3211,7 +3211,7 @@ static void amd_iommu_apply_dm_region(st
+ unsigned long start, end;
+
+ start = IOVA_PFN(region->start);
+- end = IOVA_PFN(region->start + region->length);
++ end = IOVA_PFN(region->start + region->length - 1);
+
+ WARN_ON_ONCE(reserve_iova(&dma_dom->iovad, start, end) == NULL);
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
+Date: Mon, 27 Feb 2017 14:30:26 +0200
+Subject: iommu/io-pgtable-arm-v7s: Check for leaf entry before dereferencing it
+
+From: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
+
+
+[ Upstream commit a03849e7210277fa212779b7cd9c30e1ab6194b2 ]
+
+Do a check for already installed leaf entry at the current level before
+dereferencing it in order to avoid walking the page table down with
+wrong pointer to the next level.
+
+Signed-off-by: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
+CC: Will Deacon <will.deacon@arm.com>
+CC: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/io-pgtable-arm-v7s.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/io-pgtable-arm-v7s.c
++++ b/drivers/iommu/io-pgtable-arm-v7s.c
+@@ -418,8 +418,12 @@ static int __arm_v7s_map(struct arm_v7s_
+ pte |= ARM_V7S_ATTR_NS_TABLE;
+
+ __arm_v7s_set_pte(ptep, pte, 1, cfg);
+- } else {
++ } else if (ARM_V7S_PTE_IS_TABLE(pte, lvl)) {
+ cptep = iopte_deref(pte, lvl);
++ } else {
++ /* We require an unmap first */
++ WARN_ON(!selftest_running);
++ return -EEXIST;
+ }
+
+ /* Rinse, repeat */
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Matthias Brugger <matthias.bgg@gmail.com>
+Date: Mon, 30 Oct 2017 12:37:55 +0100
+Subject: iommu/mediatek: Fix driver name
+
+From: Matthias Brugger <matthias.bgg@gmail.com>
+
+
+[ Upstream commit 395df08d2e1de238a9c8c33fdcd0e2160efd63a9 ]
+
+There exist two Mediatek iommu drivers for the two different
+generations of the device. But both drivers have the same name
+"mtk-iommu". This breaks the registration of the second driver:
+
+Error: Driver 'mtk-iommu' is already registered, aborting...
+
+Fix this by changing the name for first generation to
+"mtk-iommu-v1".
+
+Fixes: b17336c55d89 ("iommu/mediatek: add support for mtk iommu generation one HW")
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/mtk_iommu_v1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/mtk_iommu_v1.c
++++ b/drivers/iommu/mtk_iommu_v1.c
+@@ -703,7 +703,7 @@ static struct platform_driver mtk_iommu_
+ .probe = mtk_iommu_probe,
+ .remove = mtk_iommu_remove,
+ .driver = {
+- .name = "mtk-iommu",
++ .name = "mtk-iommu-v1",
+ .of_match_table = mtk_iommu_of_ids,
+ .pm = &mtk_iommu_pm_ops,
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 14 Mar 2017 13:54:12 +0100
+Subject: irqchip/mvebu-odmi: Select GENERIC_MSI_IRQ_DOMAIN
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+
+[ Upstream commit fa23b9d1b89fdc34f296f02e496a20aeff5736be ]
+
+This driver uses the MSI domain but has no strict dependency on PCI_MSI, so we
+may run into a build failure when CONFIG_GENERIC_MSI_IRQ_DOMAIN is disabled:
+
+drivers/irqchip/irq-mvebu-odmi.c:152:15: error: variable 'odmi_msi_ops' has initializer but incomplete type
+ static struct msi_domain_ops odmi_msi_ops = {
+ ^~~~~~~~~~~~~~
+drivers/irqchip/irq-mvebu-odmi.c:155:15: error: variable 'odmi_msi_domain_info' has initializer but incomplete type
+ static struct msi_domain_info odmi_msi_domain_info = {
+ ^~~~~~~~~~~~~~~
+drivers/irqchip/irq-mvebu-odmi.c:156:3: error: 'struct msi_domain_info' has no member named 'flags'
+ .flags = (MSI_FLAG_USE_DEF_DOM_OPS | MSI_FLAG_USE_DEF_CHIP_OPS),
+ ^~~~~
+drivers/irqchip/irq-mvebu-odmi.c:156:12: error: 'MSI_FLAG_USE_DEF_DOM_OPS' undeclared here (not in a function)
+ .flags = (MSI_FLAG_USE_DEF_DOM_OPS | MSI_FLAG_USE_DEF_CHIP_OPS),
+ ^~~~~~~~~~~~~~~~~~~~~~~~
+drivers/irqchip/irq-mvebu-odmi.c:156:39: error: 'MSI_FLAG_USE_DEF_CHIP_OPS' undeclared here (not in a function); did you mean 'MSI_FLAG_USE_DEF_DOM_OPS'?
+
+Selecting the option from this driver seems to solve this nicely, though I could
+not find any other instance of this in irqchip drivers.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/irqchip/Kconfig
++++ b/drivers/irqchip/Kconfig
+@@ -258,6 +258,7 @@ config IRQ_MXS
+
+ config MVEBU_ODMI
+ bool
++ select GENERIC_MSI_IRQ_DOMAIN
+
+ config MVEBU_PIC
+ bool
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: tangwenji <tang.wenji@zte.com.cn>
+Date: Fri, 15 Sep 2017 16:03:13 +0800
+Subject: iscsi-target: fix memory leak in lio_target_tiqn_addtpg()
+
+From: tangwenji <tang.wenji@zte.com.cn>
+
+
+[ Upstream commit 12d5a43b2dffb6cd28062b4e19024f7982393288 ]
+
+tpg must free when call core_tpg_register() return fail
+
+Signed-off-by: tangwenji <tang.wenji@zte.com.cn>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/iscsi/iscsi_target_configfs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target_configfs.c
++++ b/drivers/target/iscsi/iscsi_target_configfs.c
+@@ -1144,7 +1144,7 @@ static struct se_portal_group *lio_targe
+
+ ret = core_tpg_register(wwn, &tpg->tpg_se_tpg, SCSI_PROTOCOL_ISCSI);
+ if (ret < 0)
+- return NULL;
++ goto free_out;
+
+ ret = iscsit_tpg_add_portal_group(tiqn, tpg);
+ if (ret != 0)
+@@ -1156,6 +1156,7 @@ static struct se_portal_group *lio_targe
+ return &tpg->tpg_se_tpg;
+ out:
+ core_tpg_deregister(&tpg->tpg_se_tpg);
++free_out:
+ kfree(tpg);
+ return NULL;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Sara Sharon <sara.sharon@intel.com>
+Date: Tue, 14 Mar 2017 09:50:35 +0200
+Subject: iwlwifi: mvm: cleanup pending frames in DQA mode
+
+From: Sara Sharon <sara.sharon@intel.com>
+
+
+[ Upstream commit 9a3fcf912ef7f5c6e18f9af6875dd13f7311f7aa ]
+
+When a station is asleep, the fw will set it as "asleep".
+All queues that are used only by one station will be stopped by
+the fw.
+
+In pre-DQA mode this was relevant for aggregation queues. However,
+in DQA mode a queue is owned by one station only, so all queues
+will be stopped.
+As a result, we don't expect to get filtered frames back to
+mac80211 and don't have to maintain the entire pending_frames
+state logic, the same way as we do in aggregations.
+
+The correct behavior is to align DQA behavior with the aggregation
+queue behaviour pre-DQA:
+- Don't count pending frames.
+- Let mac80211 know we have frames in these queues so that it can
+properly handle trigger frames.
+
+When a trigger frame is received, mac80211 tells the driver to send
+frames from the queues using release_buffered_frames.
+The driver will tell the fw to let frames out even if the station
+is asleep. This is done by iwl_mvm_sta_modify_sleep_tx_count.
+
+Reported-and-tested-by: Jens Axboe <axboe@kernel.dk>
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sara Sharon <sara.sharon@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 5 +-
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 11 +++--
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.h | 2 -
+ drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 41 +++++++++-------------
+ 4 files changed, 28 insertions(+), 31 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -2320,7 +2320,7 @@ iwl_mvm_mac_release_buffered_frames(stru
+ {
+ struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw);
+
+- /* Called when we need to transmit (a) frame(s) from agg queue */
++ /* Called when we need to transmit (a) frame(s) from agg or dqa queue */
+
+ iwl_mvm_sta_modify_sleep_tx_count(mvm, sta, reason, num_frames,
+ tids, more_data, true);
+@@ -2340,7 +2340,8 @@ static void iwl_mvm_mac_sta_notify(struc
+ for (tid = 0; tid < IWL_MAX_TID_COUNT; tid++) {
+ struct iwl_mvm_tid_data *tid_data = &mvmsta->tid_data[tid];
+
+- if (tid_data->state != IWL_AGG_ON &&
++ if (!iwl_mvm_is_dqa_supported(mvm) &&
++ tid_data->state != IWL_AGG_ON &&
+ tid_data->state != IWL_EMPTYING_HW_QUEUE_DELBA)
+ continue;
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -3032,7 +3032,7 @@ void iwl_mvm_sta_modify_sleep_tx_count(s
+ struct ieee80211_sta *sta,
+ enum ieee80211_frame_release_type reason,
+ u16 cnt, u16 tids, bool more_data,
+- bool agg)
++ bool single_sta_queue)
+ {
+ struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
+ struct iwl_mvm_add_sta_cmd cmd = {
+@@ -3052,14 +3052,14 @@ void iwl_mvm_sta_modify_sleep_tx_count(s
+ for_each_set_bit(tid, &_tids, IWL_MAX_TID_COUNT)
+ cmd.awake_acs |= BIT(tid_to_ucode_ac[tid]);
+
+- /* If we're releasing frames from aggregation queues then check if the
+- * all queues combined that we're releasing frames from have
++ /* If we're releasing frames from aggregation or dqa queues then check
++ * if all the queues that we're releasing frames from, combined, have:
+ * - more frames than the service period, in which case more_data
+ * needs to be set
+ * - fewer than 'cnt' frames, in which case we need to adjust the
+ * firmware command (but do that unconditionally)
+ */
+- if (agg) {
++ if (single_sta_queue) {
+ int remaining = cnt;
+ int sleep_tx_count;
+
+@@ -3069,7 +3069,8 @@ void iwl_mvm_sta_modify_sleep_tx_count(s
+ u16 n_queued;
+
+ tid_data = &mvmsta->tid_data[tid];
+- if (WARN(tid_data->state != IWL_AGG_ON &&
++ if (WARN(!iwl_mvm_is_dqa_supported(mvm) &&
++ tid_data->state != IWL_AGG_ON &&
+ tid_data->state != IWL_EMPTYING_HW_QUEUE_DELBA,
+ "TID %d state is %d\n",
+ tid, tid_data->state)) {
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.h
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.h
+@@ -545,7 +545,7 @@ void iwl_mvm_sta_modify_sleep_tx_count(s
+ struct ieee80211_sta *sta,
+ enum ieee80211_frame_release_type reason,
+ u16 cnt, u16 tids, bool more_data,
+- bool agg);
++ bool single_sta_queue);
+ int iwl_mvm_drain_sta(struct iwl_mvm *mvm, struct iwl_mvm_sta *mvmsta,
+ bool drain);
+ void iwl_mvm_sta_modify_disable_tx(struct iwl_mvm *mvm,
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+@@ -7,7 +7,7 @@
+ *
+ * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+- * Copyright(c) 2016 Intel Deutschland GmbH
++ * Copyright(c) 2016 - 2017 Intel Deutschland GmbH
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+@@ -34,6 +34,7 @@
+ *
+ * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
++ * Copyright(c) 2016 - 2017 Intel Deutschland GmbH
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+@@ -621,8 +622,10 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mv
+ * values.
+ * Note that we don't need to make sure it isn't agg'd, since we're
+ * TXing non-sta
++ * For DQA mode - we shouldn't increase it though
+ */
+- atomic_inc(&mvm->pending_frames[sta_id]);
++ if (!iwl_mvm_is_dqa_supported(mvm))
++ atomic_inc(&mvm->pending_frames[sta_id]);
+
+ return 0;
+ }
+@@ -1009,11 +1012,8 @@ static int iwl_mvm_tx_mpdu(struct iwl_mv
+
+ spin_unlock(&mvmsta->lock);
+
+- /* Increase pending frames count if this isn't AMPDU */
+- if ((iwl_mvm_is_dqa_supported(mvm) &&
+- mvmsta->tid_data[tx_cmd->tid_tspec].state != IWL_AGG_ON &&
+- mvmsta->tid_data[tx_cmd->tid_tspec].state != IWL_AGG_STARTING) ||
+- (!iwl_mvm_is_dqa_supported(mvm) && !is_ampdu))
++ /* Increase pending frames count if this isn't AMPDU or DQA queue */
++ if (!iwl_mvm_is_dqa_supported(mvm) && !is_ampdu)
+ atomic_inc(&mvm->pending_frames[mvmsta->sta_id]);
+
+ return 0;
+@@ -1083,12 +1083,13 @@ static void iwl_mvm_check_ratid_empty(st
+ lockdep_assert_held(&mvmsta->lock);
+
+ if ((tid_data->state == IWL_AGG_ON ||
+- tid_data->state == IWL_EMPTYING_HW_QUEUE_DELBA) &&
++ tid_data->state == IWL_EMPTYING_HW_QUEUE_DELBA ||
++ iwl_mvm_is_dqa_supported(mvm)) &&
+ iwl_mvm_tid_queued(tid_data) == 0) {
+ /*
+- * Now that this aggregation queue is empty tell mac80211 so it
+- * knows we no longer have frames buffered for the station on
+- * this TID (for the TIM bitmap calculation.)
++ * Now that this aggregation or DQA queue is empty tell
++ * mac80211 so it knows we no longer have frames buffered for
++ * the station on this TID (for the TIM bitmap calculation.)
+ */
+ ieee80211_sta_set_buffered(sta, tid, false);
+ }
+@@ -1261,7 +1262,6 @@ static void iwl_mvm_rx_tx_cmd_single(str
+ u8 skb_freed = 0;
+ u16 next_reclaimed, seq_ctl;
+ bool is_ndp = false;
+- bool txq_agg = false; /* Is this TXQ aggregated */
+
+ __skb_queue_head_init(&skbs);
+
+@@ -1287,6 +1287,10 @@ static void iwl_mvm_rx_tx_cmd_single(str
+ info->flags |= IEEE80211_TX_STAT_ACK;
+ break;
+ case TX_STATUS_FAIL_DEST_PS:
++ /* In DQA, the FW should have stopped the queue and not
++ * return this status
++ */
++ WARN_ON(iwl_mvm_is_dqa_supported(mvm));
+ info->flags |= IEEE80211_TX_STAT_TX_FILTERED;
+ break;
+ default:
+@@ -1391,15 +1395,6 @@ static void iwl_mvm_rx_tx_cmd_single(str
+ bool send_eosp_ndp = false;
+
+ spin_lock_bh(&mvmsta->lock);
+- if (iwl_mvm_is_dqa_supported(mvm)) {
+- enum iwl_mvm_agg_state state;
+-
+- state = mvmsta->tid_data[tid].state;
+- txq_agg = (state == IWL_AGG_ON ||
+- state == IWL_EMPTYING_HW_QUEUE_DELBA);
+- } else {
+- txq_agg = txq_id >= mvm->first_agg_queue;
+- }
+
+ if (!is_ndp) {
+ tid_data->next_reclaimed = next_reclaimed;
+@@ -1456,11 +1451,11 @@ static void iwl_mvm_rx_tx_cmd_single(str
+ * If the txq is not an AMPDU queue, there is no chance we freed
+ * several skbs. Check that out...
+ */
+- if (txq_agg)
++ if (iwl_mvm_is_dqa_supported(mvm) || txq_id >= mvm->first_agg_queue)
+ goto out;
+
+ /* We can't free more than one frame at once on a shared queue */
+- WARN_ON(!iwl_mvm_is_dqa_supported(mvm) && (skb_freed > 1));
++ WARN_ON(skb_freed > 1);
+
+ /* If we have still frames for this STA nothing to do here */
+ if (!atomic_sub_and_test(skb_freed, &mvm->pending_frames[sta_id]))
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Radim Krčmář <rkrcmar@redhat.com>
+Date: Tue, 7 Mar 2017 17:51:49 +0100
+Subject: KVM: nVMX: do not warn when MSR bitmap address is not backed
+
+From: Radim Krčmář <rkrcmar@redhat.com>
+
+
+[ Upstream commit 05d8d34611139f8435af90ac54b65eb31e82e388 ]
+
+Before trying to do nested_get_page() in nested_vmx_merge_msr_bitmap(),
+we have already checked that the MSR bitmap address is valid (4k aligned
+and within physical limits). SDM doesn't specify what happens if the
+there is no memory mapped at the valid address, but Intel CPUs treat the
+situation as if the bitmap was configured to trap all MSRs.
+
+KVM already does that by returning false and a correct handling doesn't
+need the guest-trigerrable warning that was reported by syzkaller:
+(The warning was originally there to catch some possible bugs in nVMX.)
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 0 PID: 7832 at arch/x86/kvm/vmx.c:9709
+ nested_vmx_merge_msr_bitmap arch/x86/kvm/vmx.c:9709 [inline]
+ WARNING: CPU: 0 PID: 7832 at arch/x86/kvm/vmx.c:9709
+ nested_get_vmcs12_pages+0xfb6/0x15c0 arch/x86/kvm/vmx.c:9640
+ Kernel panic - not syncing: panic_on_warn set ...
+ CPU: 0 PID: 7832 Comm: syz-executor1 Not tainted 4.10.0+ #229
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ Call Trace:
+ __dump_stack lib/dump_stack.c:15 [inline]
+ dump_stack+0x2ee/0x3ef lib/dump_stack.c:51
+ panic+0x1fb/0x412 kernel/panic.c:179
+ __warn+0x1c4/0x1e0 kernel/panic.c:540
+ warn_slowpath_null+0x2c/0x40 kernel/panic.c:583
+ nested_vmx_merge_msr_bitmap arch/x86/kvm/vmx.c:9709 [inline]
+ nested_get_vmcs12_pages+0xfb6/0x15c0 arch/x86/kvm/vmx.c:9640
+ enter_vmx_non_root_mode arch/x86/kvm/vmx.c:10471 [inline]
+ nested_vmx_run+0x6186/0xaab0 arch/x86/kvm/vmx.c:10561
+ handle_vmlaunch+0x1a/0x20 arch/x86/kvm/vmx.c:7312
+ vmx_handle_exit+0xfc0/0x3f00 arch/x86/kvm/vmx.c:8526
+ vcpu_enter_guest arch/x86/kvm/x86.c:6982 [inline]
+ vcpu_run arch/x86/kvm/x86.c:7044 [inline]
+ kvm_arch_vcpu_ioctl_run+0x1418/0x4840 arch/x86/kvm/x86.c:7205
+ kvm_vcpu_ioctl+0x673/0x1120 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2570
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+[Jim Mattson explained the bare metal behavior: "I believe this behavior
+ would be documented in the chipset data sheet rather than the SDM,
+ since the chipset returns all 1s for an unclaimed read."]
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -9543,10 +9543,8 @@ static inline bool nested_vmx_merge_msr_
+ return false;
+
+ page = nested_get_page(vcpu, vmcs12->msr_bitmap);
+- if (!page) {
+- WARN_ON(1);
++ if (!page)
+ return false;
+- }
+ msr_bitmap_l1 = (unsigned long *)kmap(page);
+ if (!msr_bitmap_l1) {
+ nested_release_page_clean(page);
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Wed, 25 Oct 2017 15:57:55 +0200
+Subject: l2tp: cleanup l2tp_tunnel_delete calls
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+
+[ Upstream commit 4dc12ffeaeac939097a3f55c881d3dc3523dff0c ]
+
+l2tp_tunnel_delete does not return anything since commit 62b982eeb458
+("l2tp: fix race condition in l2tp_tunnel_delete"). But call sites of
+l2tp_tunnel_delete still do casts to void to avoid unused return value
+warnings.
+
+Kill these now useless casts.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Cc: Sabrina Dubroca <sd@queasysnail.net>
+Cc: Guillaume Nault <g.nault@alphalink.fr>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: netdev@vger.kernel.org
+Acked-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_core.c | 2 +-
+ net/l2tp/l2tp_netlink.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1944,7 +1944,7 @@ static __net_exit void l2tp_exit_net(str
+
+ rcu_read_lock_bh();
+ list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
+- (void)l2tp_tunnel_delete(tunnel);
++ l2tp_tunnel_delete(tunnel);
+ }
+ rcu_read_unlock_bh();
+
+--- a/net/l2tp/l2tp_netlink.c
++++ b/net/l2tp/l2tp_netlink.c
+@@ -287,7 +287,7 @@ static int l2tp_nl_cmd_tunnel_delete(str
+ l2tp_tunnel_notify(&l2tp_nl_family, info,
+ tunnel, L2TP_CMD_TUNNEL_DELETE);
+
+- (void) l2tp_tunnel_delete(tunnel);
++ l2tp_tunnel_delete(tunnel);
+
+ out:
+ return ret;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Alexander Duyck <alexander.h.duyck@intel.com>
+Date: Fri, 13 Oct 2017 13:40:24 -0700
+Subject: macvlan: Only deliver one copy of the frame to the macvlan interface
+
+From: Alexander Duyck <alexander.h.duyck@intel.com>
+
+
+[ Upstream commit dd6b9c2c332b40f142740d1b11fb77c653ff98ea ]
+
+This patch intoduces a slight adjustment for macvlan to address the fact
+that in source mode I was seeing two copies of any packet addressed to the
+macvlan interface being delivered where there should have been only one.
+
+The issue appears to be that one copy was delivered based on the source MAC
+address and then the second copy was being delivered based on the
+destination MAC address. To fix it I am just treating a unicast address
+match as though it is not a match since source based macvlan isn't supposed
+to be matching based on the destination MAC anyway.
+
+Fixes: 79cf79abce71 ("macvlan: add source mode")
+Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macvlan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -452,7 +452,7 @@ static rx_handler_result_t macvlan_handl
+ struct macvlan_dev, list);
+ else
+ vlan = macvlan_hash_lookup(port, eth->h_dest);
+- if (vlan == NULL)
++ if (!vlan || vlan->mode == MACVLAN_MODE_SOURCE)
+ return RX_HANDLER_PASS;
+
+ dev = vlan->dev;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Guoqing Jiang <gqjiang@suse.com>
+Date: Fri, 24 Feb 2017 11:15:12 +0800
+Subject: md-cluster: free md_cluster_info if node leave cluster
+
+From: Guoqing Jiang <gqjiang@suse.com>
+
+
+[ Upstream commit 9c8043f337f14d1743006dfc59c03e80a42e3884 ]
+
+To avoid memory leak, we need to free the cinfo which
+is allocated when node join cluster.
+
+Reviewed-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Guoqing Jiang <gqjiang@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/md-cluster.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/md/md-cluster.c
++++ b/drivers/md/md-cluster.c
+@@ -974,6 +974,7 @@ static int leave(struct mddev *mddev)
+ lockres_free(cinfo->bitmap_lockres);
+ unlock_all_bitmaps(mddev);
+ dlm_release_lockspace(cinfo->lockspace, 2);
++ kfree(cinfo);
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Jiri Pirko <jiri@mellanox.com>
+Date: Tue, 14 Mar 2017 14:00:00 +0100
+Subject: mlxsw: reg: Fix SPVM max record count
+
+From: Jiri Pirko <jiri@mellanox.com>
+
+
+[ Upstream commit f004ec065b4879d6bc9ba0211af2169b3ce3097f ]
+
+The num_rec field is 8 bit, so the maximal count number is 255. This
+fixes vlans not being enabled for wider ranges than 255.
+
+Fixes: b2e345f9a454 ("mlxsw: reg: Add Switch Port VID and Switch Port VLAN Membership registers definitions")
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Reviewed-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/reg.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/reg.h
++++ b/drivers/net/ethernet/mellanox/mlxsw/reg.h
+@@ -788,7 +788,7 @@ static inline void mlxsw_reg_spvid_pack(
+ #define MLXSW_REG_SPVM_ID 0x200F
+ #define MLXSW_REG_SPVM_BASE_LEN 0x04 /* base length, without records */
+ #define MLXSW_REG_SPVM_REC_LEN 0x04 /* record length */
+-#define MLXSW_REG_SPVM_REC_MAX_COUNT 256
++#define MLXSW_REG_SPVM_REC_MAX_COUNT 255
+ #define MLXSW_REG_SPVM_LEN (MLXSW_REG_SPVM_BASE_LEN + \
+ MLXSW_REG_SPVM_REC_LEN * MLXSW_REG_SPVM_REC_MAX_COUNT)
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Jiri Pirko <jiri@mellanox.com>
+Date: Tue, 14 Mar 2017 14:00:01 +0100
+Subject: mlxsw: reg: Fix SPVMLR max record count
+
+From: Jiri Pirko <jiri@mellanox.com>
+
+
+[ Upstream commit e9093b1183bbac462d2caef3eac165778c0b1bf1 ]
+
+The num_rec field is 8 bit, so the maximal count number is 255.
+This fixes vlans learning not being enabled for wider ranges than 255.
+
+Fixes: a4feea74cd7a ("mlxsw: reg: Add Switch Port VLAN MAC Learning register definition")
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Reviewed-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/reg.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/reg.h
++++ b/drivers/net/ethernet/mellanox/mlxsw/reg.h
+@@ -1757,7 +1757,7 @@ static inline void mlxsw_reg_sfmr_pack(c
+ #define MLXSW_REG_SPVMLR_ID 0x2020
+ #define MLXSW_REG_SPVMLR_BASE_LEN 0x04 /* base length, without records */
+ #define MLXSW_REG_SPVMLR_REC_LEN 0x04 /* record length */
+-#define MLXSW_REG_SPVMLR_REC_MAX_COUNT 256
++#define MLXSW_REG_SPVMLR_REC_MAX_COUNT 255
+ #define MLXSW_REG_SPVMLR_LEN (MLXSW_REG_SPVMLR_BASE_LEN + \
+ MLXSW_REG_SPVMLR_REC_LEN * \
+ MLXSW_REG_SPVMLR_REC_MAX_COUNT)
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Jan Kara <jack@suse.cz>
+Date: Fri, 3 Nov 2017 12:21:21 +0100
+Subject: mm: Handle 0 flags in _calc_vm_trans() macro
+
+From: Jan Kara <jack@suse.cz>
+
+
+[ Upstream commit 592e254502041f953e84d091eae2c68cba04c10b ]
+
+_calc_vm_trans() does not handle the situation when some of the passed
+flags are 0 (which can happen if these VM flags do not make sense for
+the architecture). Improve the _calc_vm_trans() macro to return 0 in
+such situation. Since all passed flags are constant, this does not add
+any runtime overhead.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/mman.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/linux/mman.h
++++ b/include/linux/mman.h
+@@ -63,8 +63,9 @@ static inline bool arch_validate_prot(un
+ * ("bit1" and "bit2" must be single bits)
+ */
+ #define _calc_vm_trans(x, bit1, bit2) \
++ ((!(bit1) || !(bit2)) ? 0 : \
+ ((bit1) <= (bit2) ? ((x) & (bit1)) * ((bit2) / (bit1)) \
+- : ((x) & (bit1)) / ((bit1) / (bit2)))
++ : ((x) & (bit1)) / ((bit1) / (bit2))))
+
+ /*
+ * Combine the mmap "prot" argument into "vm_flags" used internally.
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: yong mao <yong.mao@mediatek.com>
+Date: Sat, 4 Mar 2017 15:10:03 +0800
+Subject: mmc: mediatek: Fixed bug where clock frequency could be set wrong
+
+From: yong mao <yong.mao@mediatek.com>
+
+
+[ Upstream commit 40ceda09c8c84694c2ca6b00bcc6dc71e8e62d96 ]
+
+This patch can fix two issues:
+
+Issue 1:
+In previous code, div may be overflow when setting clock frequency
+as f_min. We can use DIV_ROUND_UP to fix this boundary related
+issue.
+
+Issue 2:
+In previous code, we can not set the correct clock frequency when
+div equals 0xff.
+
+Signed-off-by: Yong Mao <yong.mao@mediatek.com>
+Signed-off-by: Chaotian Jing <chaotian.jing@mediatek.com>
+Reviewed-by: Daniel Kurtz <djkurtz@chromium.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/mtk-sd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -579,7 +579,7 @@ static void msdc_set_mclk(struct msdc_ho
+ }
+ }
+ sdr_set_field(host->base + MSDC_CFG, MSDC_CFG_CKMOD | MSDC_CFG_CKDIV,
+- (mode << 8) | (div % 0xff));
++ (mode << 8) | div);
+ sdr_set_bits(host->base + MSDC_CFG, MSDC_CFG_CKPDN);
+ while (!(readl(host->base + MSDC_CFG) & MSDC_CFG_CKSTB))
+ cpu_relax();
+@@ -1562,7 +1562,7 @@ static int msdc_drv_probe(struct platfor
+ host->src_clk_freq = clk_get_rate(host->src_clk);
+ /* Set host parameters to mmc */
+ mmc->ops = &mt_msdc_ops;
+- mmc->f_min = host->src_clk_freq / (4 * 255);
++ mmc->f_min = DIV_ROUND_UP(host->src_clk_freq, 4 * 255);
+
+ mmc->caps |= MMC_CAP_ERASE | MMC_CAP_CMD23;
+ /* MMC core transfer sizes tunable parameters */
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Doug Berger <opendmb@gmail.com>
+Date: Thu, 9 Mar 2017 16:58:44 -0800
+Subject: net: bcmgenet: correct MIB access of UniMAC RUNT counters
+
+From: Doug Berger <opendmb@gmail.com>
+
+
+[ Upstream commit 1ad3d225e5a40ca6c586989b4baaca710544c15a ]
+
+The gap between the Tx status counters and the Rx RUNT counters is now
+being added to allow correct reporting of the registers.
+
+Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -876,13 +876,16 @@ static void bcmgenet_update_mib_counters
+ case BCMGENET_STAT_NETDEV:
+ case BCMGENET_STAT_SOFT:
+ continue;
+- case BCMGENET_STAT_MIB_RX:
+- case BCMGENET_STAT_MIB_TX:
+ case BCMGENET_STAT_RUNT:
+- if (s->type != BCMGENET_STAT_MIB_RX)
+- offset = BCMGENET_STAT_OFFSET;
++ offset += BCMGENET_STAT_OFFSET;
++ /* fall through */
++ case BCMGENET_STAT_MIB_TX:
++ offset += BCMGENET_STAT_OFFSET;
++ /* fall through */
++ case BCMGENET_STAT_MIB_RX:
+ val = bcmgenet_umac_readl(priv,
+ UMAC_MIB_START + j + offset);
++ offset = 0; /* Reset Offset */
+ break;
+ case BCMGENET_STAT_MISC:
+ if (GENET_IS_V1(priv)) {
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Doug Berger <opendmb@gmail.com>
+Date: Thu, 9 Mar 2017 16:58:43 -0800
+Subject: net: bcmgenet: correct the RBUF_OVFL_CNT and RBUF_ERR_CNT MIB values
+
+From: Doug Berger <opendmb@gmail.com>
+
+
+[ Upstream commit ffff71328a3c321f7c14cc1edd33577717037744 ]
+
+The location of the RBUF overflow and error counters has moved between
+different version of the GENET MAC. This commit corrects the driver to
+read from the correct locations depending on the version of the GENET
+MAC.
+
+Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 60 ++++++++++++++++++++++---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.h | 10 ++--
+ 2 files changed, 60 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -1,7 +1,7 @@
+ /*
+ * Broadcom GENET (Gigabit Ethernet) controller driver
+ *
+- * Copyright (c) 2014 Broadcom Corporation
++ * Copyright (c) 2014-2017 Broadcom
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+@@ -778,8 +778,9 @@ static const struct bcmgenet_stats bcmge
+ STAT_GENET_RUNT("rx_runt_bytes", mib.rx_runt_bytes),
+ /* Misc UniMAC counters */
+ STAT_GENET_MISC("rbuf_ovflow_cnt", mib.rbuf_ovflow_cnt,
+- UMAC_RBUF_OVFL_CNT),
+- STAT_GENET_MISC("rbuf_err_cnt", mib.rbuf_err_cnt, UMAC_RBUF_ERR_CNT),
++ UMAC_RBUF_OVFL_CNT_V1),
++ STAT_GENET_MISC("rbuf_err_cnt", mib.rbuf_err_cnt,
++ UMAC_RBUF_ERR_CNT_V1),
+ STAT_GENET_MISC("mdf_err_cnt", mib.mdf_err_cnt, UMAC_MDF_ERR_CNT),
+ STAT_GENET_SOFT_MIB("alloc_rx_buff_failed", mib.alloc_rx_buff_failed),
+ STAT_GENET_SOFT_MIB("rx_dma_failed", mib.rx_dma_failed),
+@@ -821,6 +822,45 @@ static void bcmgenet_get_strings(struct
+ }
+ }
+
++static u32 bcmgenet_update_stat_misc(struct bcmgenet_priv *priv, u16 offset)
++{
++ u16 new_offset;
++ u32 val;
++
++ switch (offset) {
++ case UMAC_RBUF_OVFL_CNT_V1:
++ if (GENET_IS_V2(priv))
++ new_offset = RBUF_OVFL_CNT_V2;
++ else
++ new_offset = RBUF_OVFL_CNT_V3PLUS;
++
++ val = bcmgenet_rbuf_readl(priv, new_offset);
++ /* clear if overflowed */
++ if (val == ~0)
++ bcmgenet_rbuf_writel(priv, 0, new_offset);
++ break;
++ case UMAC_RBUF_ERR_CNT_V1:
++ if (GENET_IS_V2(priv))
++ new_offset = RBUF_ERR_CNT_V2;
++ else
++ new_offset = RBUF_ERR_CNT_V3PLUS;
++
++ val = bcmgenet_rbuf_readl(priv, new_offset);
++ /* clear if overflowed */
++ if (val == ~0)
++ bcmgenet_rbuf_writel(priv, 0, new_offset);
++ break;
++ default:
++ val = bcmgenet_umac_readl(priv, offset);
++ /* clear if overflowed */
++ if (val == ~0)
++ bcmgenet_umac_writel(priv, 0, offset);
++ break;
++ }
++
++ return val;
++}
++
+ static void bcmgenet_update_mib_counters(struct bcmgenet_priv *priv)
+ {
+ int i, j = 0;
+@@ -845,10 +885,16 @@ static void bcmgenet_update_mib_counters
+ UMAC_MIB_START + j + offset);
+ break;
+ case BCMGENET_STAT_MISC:
+- val = bcmgenet_umac_readl(priv, s->reg_offset);
+- /* clear if overflowed */
+- if (val == ~0)
+- bcmgenet_umac_writel(priv, 0, s->reg_offset);
++ if (GENET_IS_V1(priv)) {
++ val = bcmgenet_umac_readl(priv, s->reg_offset);
++ /* clear if overflowed */
++ if (val == ~0)
++ bcmgenet_umac_writel(priv, 0,
++ s->reg_offset);
++ } else {
++ val = bcmgenet_update_stat_misc(priv,
++ s->reg_offset);
++ }
+ break;
+ }
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2014 Broadcom Corporation
++ * Copyright (c) 2014-2017 Broadcom
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+@@ -214,7 +214,9 @@ struct bcmgenet_mib_counters {
+ #define MDIO_REG_SHIFT 16
+ #define MDIO_REG_MASK 0x1F
+
+-#define UMAC_RBUF_OVFL_CNT 0x61C
++#define UMAC_RBUF_OVFL_CNT_V1 0x61C
++#define RBUF_OVFL_CNT_V2 0x80
++#define RBUF_OVFL_CNT_V3PLUS 0x94
+
+ #define UMAC_MPD_CTRL 0x620
+ #define MPD_EN (1 << 0)
+@@ -224,7 +226,9 @@ struct bcmgenet_mib_counters {
+
+ #define UMAC_MPD_PW_MS 0x624
+ #define UMAC_MPD_PW_LS 0x628
+-#define UMAC_RBUF_ERR_CNT 0x634
++#define UMAC_RBUF_ERR_CNT_V1 0x634
++#define RBUF_ERR_CNT_V2 0x84
++#define RBUF_ERR_CNT_V3PLUS 0x98
+ #define UMAC_MDF_ERR_CNT 0x638
+ #define UMAC_MDF_CTRL 0x650
+ #define UMAC_MDF_ADDR 0x654
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Doug Berger <opendmb@gmail.com>
+Date: Thu, 9 Mar 2017 16:58:46 -0800
+Subject: net: bcmgenet: power down internal phy if open or resume fails
+
+From: Doug Berger <opendmb@gmail.com>
+
+
+[ Upstream commit 7627409cc4970e8c8b9de6945ad86a575290a94e ]
+
+Since the internal PHY is powered up during the open and resume
+functions it should be powered back down if the functions fail.
+
+Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -2857,6 +2857,8 @@ err_irq0:
+ err_fini_dma:
+ bcmgenet_fini_dma(priv);
+ err_clk_disable:
++ if (priv->internal_phy)
++ bcmgenet_power_down(priv, GENET_POWER_PASSIVE);
+ clk_disable_unprepare(priv->clk);
+ return ret;
+ }
+@@ -3560,6 +3562,8 @@ static int bcmgenet_resume(struct device
+ return 0;
+
+ out_clk_disable:
++ if (priv->internal_phy)
++ bcmgenet_power_down(priv, GENET_POWER_PASSIVE);
+ clk_disable_unprepare(priv->clk);
+ return ret;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Doug Berger <opendmb@gmail.com>
+Date: Thu, 9 Mar 2017 16:58:48 -0800
+Subject: net: bcmgenet: Power up the internal PHY before probing the MII
+
+From: Doug Berger <opendmb@gmail.com>
+
+
+[ Upstream commit 6be371b053dc86f11465cc1abce2e99bda0a0574 ]
+
+When using the internal PHY it must be powered up when the MII is probed
+or the PHY will not be detected. Since the PHY is powered up at reset
+this has not been a problem. However, when the kernel is restarted with
+kexec the PHY will likely be powered down when the kernel starts so it
+will not be detected and the Ethernet link will not be established.
+
+This commit explicitly powers up the internal PHY when the GENET driver
+is probed to correct this behavior.
+
+Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -3296,6 +3296,7 @@ static int bcmgenet_probe(struct platfor
+ const void *macaddr;
+ struct resource *r;
+ int err = -EIO;
++ const char *phy_mode_str;
+
+ /* Up to GENET_MAX_MQ_CNT + 1 TX queues and RX queues */
+ dev = alloc_etherdev_mqs(sizeof(*priv), GENET_MAX_MQ_CNT + 1,
+@@ -3403,6 +3404,13 @@ static int bcmgenet_probe(struct platfor
+ priv->clk_eee = NULL;
+ }
+
++ /* If this is an internal GPHY, power it on now, before UniMAC is
++ * brought out of reset as absolutely no UniMAC activity is allowed
++ */
++ if (dn && !of_property_read_string(dn, "phy-mode", &phy_mode_str) &&
++ !strcasecmp(phy_mode_str, "internal"))
++ bcmgenet_power_up(priv, GENET_POWER_PASSIVE);
++
+ err = reset_umac(priv);
+ if (err)
+ goto err_clk_disable;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Doug Berger <opendmb@gmail.com>
+Date: Thu, 9 Mar 2017 16:58:45 -0800
+Subject: net: bcmgenet: reserved phy revisions must be checked first
+
+From: Doug Berger <opendmb@gmail.com>
+
+
+[ Upstream commit eca4bad73409aedc6ff22f823c18b67a4f08c851 ]
+
+The reserved gphy_rev value of 0x01ff must be tested before the old
+or new scheme for GPHY major versioning are tested, otherwise it will
+be treated as 0xff00 according to the old scheme.
+
+Fixes: b04a2f5b9ff5 ("net: bcmgenet: add support for new GENET PHY revision scheme")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -3233,6 +3233,12 @@ static void bcmgenet_set_hw_params(struc
+ */
+ gphy_rev = reg & 0xffff;
+
++ /* This is reserved so should require special treatment */
++ if (gphy_rev == 0 || gphy_rev == 0x01ff) {
++ pr_warn("Invalid GPHY revision detected: 0x%04x\n", gphy_rev);
++ return;
++ }
++
+ /* This is the good old scheme, just GPHY major, no minor nor patch */
+ if ((gphy_rev & 0xf0) != 0)
+ priv->gphy_rev = gphy_rev << 8;
+@@ -3241,12 +3247,6 @@ static void bcmgenet_set_hw_params(struc
+ else if ((gphy_rev & 0xff00) != 0)
+ priv->gphy_rev = gphy_rev;
+
+- /* This is reserved so should require special treatment */
+- else if (gphy_rev == 0 || gphy_rev == 0x01ff) {
+- pr_warn("Invalid GPHY revision detected: 0x%04x\n", gphy_rev);
+- return;
+- }
+-
+ #ifdef CONFIG_PHYS_ADDR_T_64BIT
+ if (!(params->flags & GENET_HAS_40BITS))
+ pr_warn("GENET does not support 40-bits PA\n");
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Doug Berger <opendmb@gmail.com>
+Date: Thu, 9 Mar 2017 16:58:47 -0800
+Subject: net: bcmgenet: synchronize irq0 status between the isr and task
+
+From: Doug Berger <opendmb@gmail.com>
+
+
+[ Upstream commit 07c52d6a0b955a8a28834f9354793cfc4b81d0e9 ]
+
+Add a spinlock to ensure that irq0_stat is not unintentionally altered
+as the result of preemption. Also removed unserviced irq0 interrupts
+and removed irq1_stat since there is no bottom half service for those
+interrupts.
+
+Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 73 +++++++++++++------------
+ drivers/net/ethernet/broadcom/genet/bcmgenet.h | 6 +-
+ 2 files changed, 44 insertions(+), 35 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -2513,24 +2513,28 @@ static int bcmgenet_init_dma(struct bcmg
+ /* Interrupt bottom half */
+ static void bcmgenet_irq_task(struct work_struct *work)
+ {
++ unsigned long flags;
++ unsigned int status;
+ struct bcmgenet_priv *priv = container_of(
+ work, struct bcmgenet_priv, bcmgenet_irq_work);
+
+ netif_dbg(priv, intr, priv->dev, "%s\n", __func__);
+
+- if (priv->irq0_stat & UMAC_IRQ_MPD_R) {
+- priv->irq0_stat &= ~UMAC_IRQ_MPD_R;
++ spin_lock_irqsave(&priv->lock, flags);
++ status = priv->irq0_stat;
++ priv->irq0_stat = 0;
++ spin_unlock_irqrestore(&priv->lock, flags);
++
++ if (status & UMAC_IRQ_MPD_R) {
+ netif_dbg(priv, wol, priv->dev,
+ "magic packet detected, waking up\n");
+ bcmgenet_power_up(priv, GENET_POWER_WOL_MAGIC);
+ }
+
+ /* Link UP/DOWN event */
+- if (priv->irq0_stat & UMAC_IRQ_LINK_EVENT) {
++ if (status & UMAC_IRQ_LINK_EVENT)
+ phy_mac_interrupt(priv->phydev,
+- !!(priv->irq0_stat & UMAC_IRQ_LINK_UP));
+- priv->irq0_stat &= ~UMAC_IRQ_LINK_EVENT;
+- }
++ !!(status & UMAC_IRQ_LINK_UP));
+ }
+
+ /* bcmgenet_isr1: handle Rx and Tx priority queues */
+@@ -2539,22 +2543,21 @@ static irqreturn_t bcmgenet_isr1(int irq
+ struct bcmgenet_priv *priv = dev_id;
+ struct bcmgenet_rx_ring *rx_ring;
+ struct bcmgenet_tx_ring *tx_ring;
+- unsigned int index;
++ unsigned int index, status;
+
+- /* Save irq status for bottom-half processing. */
+- priv->irq1_stat =
+- bcmgenet_intrl2_1_readl(priv, INTRL2_CPU_STAT) &
++ /* Read irq status */
++ status = bcmgenet_intrl2_1_readl(priv, INTRL2_CPU_STAT) &
+ ~bcmgenet_intrl2_1_readl(priv, INTRL2_CPU_MASK_STATUS);
+
+ /* clear interrupts */
+- bcmgenet_intrl2_1_writel(priv, priv->irq1_stat, INTRL2_CPU_CLEAR);
++ bcmgenet_intrl2_1_writel(priv, status, INTRL2_CPU_CLEAR);
+
+ netif_dbg(priv, intr, priv->dev,
+- "%s: IRQ=0x%x\n", __func__, priv->irq1_stat);
++ "%s: IRQ=0x%x\n", __func__, status);
+
+ /* Check Rx priority queue interrupts */
+ for (index = 0; index < priv->hw_params->rx_queues; index++) {
+- if (!(priv->irq1_stat & BIT(UMAC_IRQ1_RX_INTR_SHIFT + index)))
++ if (!(status & BIT(UMAC_IRQ1_RX_INTR_SHIFT + index)))
+ continue;
+
+ rx_ring = &priv->rx_rings[index];
+@@ -2567,7 +2570,7 @@ static irqreturn_t bcmgenet_isr1(int irq
+
+ /* Check Tx priority queue interrupts */
+ for (index = 0; index < priv->hw_params->tx_queues; index++) {
+- if (!(priv->irq1_stat & BIT(index)))
++ if (!(status & BIT(index)))
+ continue;
+
+ tx_ring = &priv->tx_rings[index];
+@@ -2587,19 +2590,20 @@ static irqreturn_t bcmgenet_isr0(int irq
+ struct bcmgenet_priv *priv = dev_id;
+ struct bcmgenet_rx_ring *rx_ring;
+ struct bcmgenet_tx_ring *tx_ring;
++ unsigned int status;
++ unsigned long flags;
+
+- /* Save irq status for bottom-half processing. */
+- priv->irq0_stat =
+- bcmgenet_intrl2_0_readl(priv, INTRL2_CPU_STAT) &
++ /* Read irq status */
++ status = bcmgenet_intrl2_0_readl(priv, INTRL2_CPU_STAT) &
+ ~bcmgenet_intrl2_0_readl(priv, INTRL2_CPU_MASK_STATUS);
+
+ /* clear interrupts */
+- bcmgenet_intrl2_0_writel(priv, priv->irq0_stat, INTRL2_CPU_CLEAR);
++ bcmgenet_intrl2_0_writel(priv, status, INTRL2_CPU_CLEAR);
+
+ netif_dbg(priv, intr, priv->dev,
+- "IRQ=0x%x\n", priv->irq0_stat);
++ "IRQ=0x%x\n", status);
+
+- if (priv->irq0_stat & UMAC_IRQ_RXDMA_DONE) {
++ if (status & UMAC_IRQ_RXDMA_DONE) {
+ rx_ring = &priv->rx_rings[DESC_INDEX];
+
+ if (likely(napi_schedule_prep(&rx_ring->napi))) {
+@@ -2608,7 +2612,7 @@ static irqreturn_t bcmgenet_isr0(int irq
+ }
+ }
+
+- if (priv->irq0_stat & UMAC_IRQ_TXDMA_DONE) {
++ if (status & UMAC_IRQ_TXDMA_DONE) {
+ tx_ring = &priv->tx_rings[DESC_INDEX];
+
+ if (likely(napi_schedule_prep(&tx_ring->napi))) {
+@@ -2617,22 +2621,23 @@ static irqreturn_t bcmgenet_isr0(int irq
+ }
+ }
+
+- if (priv->irq0_stat & (UMAC_IRQ_PHY_DET_R |
+- UMAC_IRQ_PHY_DET_F |
+- UMAC_IRQ_LINK_EVENT |
+- UMAC_IRQ_HFB_SM |
+- UMAC_IRQ_HFB_MM |
+- UMAC_IRQ_MPD_R)) {
+- /* all other interested interrupts handled in bottom half */
+- schedule_work(&priv->bcmgenet_irq_work);
+- }
+-
+ if ((priv->hw_params->flags & GENET_HAS_MDIO_INTR) &&
+- priv->irq0_stat & (UMAC_IRQ_MDIO_DONE | UMAC_IRQ_MDIO_ERROR)) {
+- priv->irq0_stat &= ~(UMAC_IRQ_MDIO_DONE | UMAC_IRQ_MDIO_ERROR);
++ status & (UMAC_IRQ_MDIO_DONE | UMAC_IRQ_MDIO_ERROR)) {
+ wake_up(&priv->wq);
+ }
+
++ /* all other interested interrupts handled in bottom half */
++ status &= (UMAC_IRQ_LINK_EVENT |
++ UMAC_IRQ_MPD_R);
++ if (status) {
++ /* Save irq status for bottom-half processing. */
++ spin_lock_irqsave(&priv->lock, flags);
++ priv->irq0_stat |= status;
++ spin_unlock_irqrestore(&priv->lock, flags);
++
++ schedule_work(&priv->bcmgenet_irq_work);
++ }
++
+ return IRQ_HANDLED;
+ }
+
+@@ -3334,6 +3339,8 @@ static int bcmgenet_probe(struct platfor
+ goto err;
+ }
+
++ spin_lock_init(&priv->lock);
++
+ SET_NETDEV_DEV(dev, &pdev->dev);
+ dev_set_drvdata(&pdev->dev, dev);
+ ether_addr_copy(dev->dev_addr, macaddr);
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+@@ -623,11 +623,13 @@ struct bcmgenet_priv {
+ struct work_struct bcmgenet_irq_work;
+ int irq0;
+ int irq1;
+- unsigned int irq0_stat;
+- unsigned int irq1_stat;
+ int wol_irq;
+ bool wol_irq_disabled;
+
++ /* shared status */
++ spinlock_t lock;
++ unsigned int irq0_stat;
++
+ /* HW descriptors/checksum variables */
+ bool desc_64b_en;
+ bool desc_rxchk_en;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Alexander Potapenko <glider@google.com>
+Date: Wed, 8 Mar 2017 18:08:16 +0100
+Subject: net: initialize msg.msg_flags in recvfrom
+
+From: Alexander Potapenko <glider@google.com>
+
+
+[ Upstream commit 9f138fa609c47403374a862a08a41394be53d461 ]
+
+KMSAN reports a use of uninitialized memory in put_cmsg() because
+msg.msg_flags in recvfrom haven't been initialized properly.
+The flag values don't affect the result on this path, but it's still a
+good idea to initialize them explicitly.
+
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/socket.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1702,6 +1702,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void
+ /* We assume all kernel code knows the size of sockaddr_storage */
+ msg.msg_namelen = 0;
+ msg.msg_iocb = NULL;
++ msg.msg_flags = 0;
+ if (sock->file->f_flags & O_NONBLOCK)
+ flags |= MSG_DONTWAIT;
+ err = sock_recvmsg(sock, &msg, flags);
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Mon, 13 Mar 2017 19:29:08 +0200
+Subject: net/mlx4_core: Avoid delays during VF driver device shutdown
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+
+[ Upstream commit 4cbe4dac82e423ecc9a0ba46af24a860853259f4 ]
+
+Some Hypervisors detach VFs from VMs by instantly causing an FLR event
+to be generated for a VF.
+
+In the mlx4 case, this will cause that VF's comm channel to be disabled
+before the VM has an opportunity to invoke the VF device's "shutdown"
+method.
+
+For such Hypervisors, there is a race condition between the VF's
+shutdown method and its internal-error detection/reset thread.
+
+The internal-error detection/reset thread (which runs every 5 seconds) also
+detects a disabled comm channel. If the internal-error detection/reset
+flow wins the race, we still get delays (while that flow tries repeatedly
+to detect comm-channel recovery).
+
+The cited commit fixed the command timeout problem when the
+internal-error detection/reset flow loses the race.
+
+This commit avoids the unneeded delays when the internal-error
+detection/reset flow wins.
+
+Fixes: d585df1c5ccf ("net/mlx4_core: Avoid command timeouts during VF driver device shutdown")
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Reported-by: Simon Xiao <sixiao@microsoft.com>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/cmd.c | 11 +++++++++++
+ drivers/net/ethernet/mellanox/mlx4/main.c | 11 +++++++++++
+ include/linux/mlx4/device.h | 1 +
+ 3 files changed, 23 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx4/cmd.c
+@@ -2304,6 +2304,17 @@ static int sync_toggles(struct mlx4_dev
+ rd_toggle = swab32(readl(&priv->mfunc.comm->slave_read));
+ if (wr_toggle == 0xffffffff || rd_toggle == 0xffffffff) {
+ /* PCI might be offline */
++
++ /* If device removal has been requested,
++ * do not continue retrying.
++ */
++ if (dev->persist->interface_state &
++ MLX4_INTERFACE_STATE_NOWAIT) {
++ mlx4_warn(dev,
++ "communication channel is offline\n");
++ return -EIO;
++ }
++
+ msleep(100);
+ wr_toggle = swab32(readl(&priv->mfunc.comm->
+ slave_write));
+--- a/drivers/net/ethernet/mellanox/mlx4/main.c
++++ b/drivers/net/ethernet/mellanox/mlx4/main.c
+@@ -1940,6 +1940,14 @@ static int mlx4_comm_check_offline(struc
+ (u32)(1 << COMM_CHAN_OFFLINE_OFFSET));
+ if (!offline_bit)
+ return 0;
++
++ /* If device removal has been requested,
++ * do not continue retrying.
++ */
++ if (dev->persist->interface_state &
++ MLX4_INTERFACE_STATE_NOWAIT)
++ break;
++
+ /* There are cases as part of AER/Reset flow that PF needs
+ * around 100 msec to load. We therefore sleep for 100 msec
+ * to allow other tasks to make use of that CPU during this
+@@ -3954,6 +3962,9 @@ static void mlx4_remove_one(struct pci_d
+ struct devlink *devlink = priv_to_devlink(priv);
+ int active_vfs = 0;
+
++ if (mlx4_is_slave(dev))
++ persist->interface_state |= MLX4_INTERFACE_STATE_NOWAIT;
++
+ mutex_lock(&persist->interface_state_mutex);
+ persist->interface_state |= MLX4_INTERFACE_STATE_DELETION;
+ mutex_unlock(&persist->interface_state_mutex);
+--- a/include/linux/mlx4/device.h
++++ b/include/linux/mlx4/device.h
+@@ -476,6 +476,7 @@ enum {
+ enum {
+ MLX4_INTERFACE_STATE_UP = 1 << 0,
+ MLX4_INTERFACE_STATE_DELETION = 1 << 1,
++ MLX4_INTERFACE_STATE_NOWAIT = 1 << 2,
+ };
+
+ #define MSTR_SM_CHANGE_MASK (MLX4_EQ_PORT_INFO_MSTR_SM_SL_CHANGE_MASK | \
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Daniel Jurgens <danielj@mellanox.com>
+Date: Fri, 10 Mar 2017 14:33:02 +0200
+Subject: net/mlx5: Don't save PCI state when PCI error is detected
+
+From: Daniel Jurgens <danielj@mellanox.com>
+
+
+[ Upstream commit 5d47f6c89d568ab61712d8c40676fbb020b68752 ]
+
+When a PCI error is detected the PCI state could be corrupt, don't save
+it in that flow. Save the state after initialization. After restoring the
+PCI state during slot reset save it again, restoring the state destroys
+the previously saved state info.
+
+Fixes: 05ac2c0b7438 ('net/mlx5: Fix race between PCI error handlers and
+health work')
+Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
+
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -1283,6 +1283,7 @@ static int init_one(struct pci_dev *pdev
+ if (err)
+ goto clean_load;
+
++ pci_save_state(pdev);
+ return 0;
+
+ clean_load:
+@@ -1331,9 +1332,8 @@ static pci_ers_result_t mlx5_pci_err_det
+
+ mlx5_enter_error_state(dev);
+ mlx5_unload_one(dev, priv, false);
+- /* In case of kernel call save the pci state and drain the health wq */
++ /* In case of kernel call drain the health wq */
+ if (state) {
+- pci_save_state(pdev);
+ mlx5_drain_health_wq(dev);
+ mlx5_pci_disable_device(dev);
+ }
+@@ -1385,6 +1385,7 @@ static pci_ers_result_t mlx5_pci_slot_re
+
+ pci_set_master(pdev);
+ pci_restore_state(pdev);
++ pci_save_state(pdev);
+
+ if (wait_vital(pdev)) {
+ dev_err(&pdev->dev, "%s: wait_vital timed out\n", __func__);
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Paul Blakey <paulb@mellanox.com>
+Date: Fri, 10 Mar 2017 14:33:01 +0200
+Subject: net/mlx5: Fix create autogroup prev initializer
+
+From: Paul Blakey <paulb@mellanox.com>
+
+
+[ Upstream commit af36370569eb37420e1e78a2e60c277b781fcd00 ]
+
+The autogroups list is a list of non overlapping group boundaries
+sorted by their start index. If the autogroups list wasn't empty
+and an empty group slot was found at the start of the list,
+the new group was added to the end of the list instead of the
+beginning, as the prev initializer was incorrect.
+When this was repeated, it caused multiple groups to have
+overlapping boundaries.
+
+Fixed that by correctly initializing the prev pointer to the
+start of the list.
+
+Fixes: eccec8da3b4e ('net/mlx5: Keep autogroups list ordered')
+Signed-off-by: Paul Blakey <paulb@mellanox.com>
+Reviewed-by: Mark Bloch <markb@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+@@ -1015,7 +1015,7 @@ static struct mlx5_flow_group *create_au
+ u32 *match_criteria)
+ {
+ int inlen = MLX5_ST_SZ_BYTES(create_flow_group_in);
+- struct list_head *prev = ft->node.children.prev;
++ struct list_head *prev = &ft->node.children;
+ unsigned int candidate_index = 0;
+ struct mlx5_flow_group *fg;
+ void *match_criteria_addr;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: David Ahern <dsa@cumulusnetworks.com>
+Date: Mon, 13 Mar 2017 16:49:10 -0700
+Subject: net: mpls: Fix nexthop alive tracking on down events
+
+From: David Ahern <dsa@cumulusnetworks.com>
+
+
+[ Upstream commit 61733c91c454a61be0ffc93fe46a5d5f2f048c1c ]
+
+Alive tracking of nexthops can account for a link twice if the carrier
+goes down followed by an admin down of the same link rendering multipath
+routes useless. This is similar to 79099aab38c8 for UNREGISTER events and
+DOWN events.
+
+Fix by tracking number of alive nexthops in mpls_ifdown similar to the
+logic in mpls_ifup. Checking the flags per nexthop once after all events
+have been processed is simpler than trying to maintian a running count
+through all event combinations.
+
+Also, WRITE_ONCE is used instead of ACCESS_ONCE to set rt_nhn_alive
+per a comment from checkpatch:
+ WARNING: Prefer WRITE_ONCE(<FOO>, <BAR>) over ACCESS_ONCE(<FOO>) = <BAR>
+
+Fixes: c89359a42e2a4 ("mpls: support for dead routes")
+Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
+Acked-by: Robert Shearman <rshearma@brocade.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mpls/af_mpls.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/net/mpls/af_mpls.c
++++ b/net/mpls/af_mpls.c
+@@ -937,6 +937,8 @@ static void mpls_ifdown(struct net_devic
+ {
+ struct mpls_route __rcu **platform_label;
+ struct net *net = dev_net(dev);
++ unsigned int nh_flags = RTNH_F_DEAD | RTNH_F_LINKDOWN;
++ unsigned int alive;
+ unsigned index;
+
+ platform_label = rtnl_dereference(net->mpls.platform_label);
+@@ -946,9 +948,11 @@ static void mpls_ifdown(struct net_devic
+ if (!rt)
+ continue;
+
++ alive = 0;
+ change_nexthops(rt) {
+ if (rtnl_dereference(nh->nh_dev) != dev)
+- continue;
++ goto next;
++
+ switch (event) {
+ case NETDEV_DOWN:
+ case NETDEV_UNREGISTER:
+@@ -956,13 +960,16 @@ static void mpls_ifdown(struct net_devic
+ /* fall through */
+ case NETDEV_CHANGE:
+ nh->nh_flags |= RTNH_F_LINKDOWN;
+- if (event != NETDEV_UNREGISTER)
+- ACCESS_ONCE(rt->rt_nhn_alive) = rt->rt_nhn_alive - 1;
+ break;
+ }
+ if (event == NETDEV_UNREGISTER)
+ RCU_INIT_POINTER(nh->nh_dev, NULL);
++next:
++ if (!(nh->nh_flags & nh_flags))
++ alive++;
+ } endfor_nexthops(rt);
++
++ WRITE_ONCE(rt->rt_nhn_alive, alive);
+ }
+ }
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Vlad Yasevich <vyasevich@gmail.com>
+Date: Tue, 14 Mar 2017 08:58:08 -0400
+Subject: net: Resend IGMP memberships upon peer notification.
+
+From: Vlad Yasevich <vyasevich@gmail.com>
+
+
+[ Upstream commit 37c343b4f4e70e9dc328ab04903c0ec8d154c1a4 ]
+
+When we notify peers of potential changes, it's also good to update
+IGMP memberships. For example, during VM migration, updating IGMP
+memberships will redirect existing multicast streams to the VM at the
+new location.
+
+Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1304,6 +1304,7 @@ void netdev_notify_peers(struct net_devi
+ {
+ rtnl_lock();
+ call_netdevice_notifiers(NETDEV_NOTIFY_PEERS, dev);
++ call_netdevice_notifiers(NETDEV_RESEND_IGMP, dev);
+ rtnl_unlock();
+ }
+ EXPORT_SYMBOL(netdev_notify_peers);
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:42:03 +0100
+Subject: net: wimax/i2400m: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+
+[ Upstream commit 6e526fdff7be4f13b24f929a04c0e9ae6761291e ]
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory beyond the endpoint array should a
+malicious device lack the expected endpoints.
+
+The endpoints are specifically dereferenced in the i2400m_bootrom_init
+path during probe (e.g. in i2400mu_tx_bulk_out).
+
+Fixes: f398e4240fce ("i2400m/USB: probe/disconnect, dev init/shutdown
+and reset backends")
+Cc: Inaky Perez-Gonzalez <inaky@linux.intel.com>
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wimax/i2400m/usb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wimax/i2400m/usb.c
++++ b/drivers/net/wimax/i2400m/usb.c
+@@ -467,6 +467,9 @@ int i2400mu_probe(struct usb_interface *
+ struct i2400mu *i2400mu;
+ struct usb_device *usb_dev = interface_to_usbdev(iface);
+
++ if (iface->cur_altsetting->desc.bNumEndpoints < 4)
++ return -ENODEV;
++
+ if (usb_dev->speed != USB_SPEED_HIGH)
+ dev_err(dev, "device not connected as high speed\n");
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 9 Mar 2017 23:22:30 +0100
+Subject: netfilter: bridge: honor frag_max_size when refragmenting
+
+From: Florian Westphal <fw@strlen.de>
+
+
+[ Upstream commit 4ca60d08cbe65f501baad64af50fceba79c19fbb ]
+
+consider a bridge with mtu 9000, but end host sending smaller
+packets to another host with mtu < 9000.
+
+In this case, after reassembly, bridge+defrag would refragment,
+and then attempt to send the reassembled packet as long as it
+was below 9k.
+
+Instead we have to cap by the largest fragment size seen.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_netfilter_hooks.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -706,18 +706,20 @@ static unsigned int nf_bridge_mtu_reduct
+
+ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff *skb)
+ {
+- struct nf_bridge_info *nf_bridge;
+- unsigned int mtu_reserved;
++ struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
++ unsigned int mtu, mtu_reserved;
+
+ mtu_reserved = nf_bridge_mtu_reduction(skb);
++ mtu = skb->dev->mtu;
+
+- if (skb_is_gso(skb) || skb->len + mtu_reserved <= skb->dev->mtu) {
++ if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu)
++ mtu = nf_bridge->frag_max_size;
++
++ if (skb_is_gso(skb) || skb->len + mtu_reserved <= mtu) {
+ nf_bridge_info_free(skb);
+ return br_dev_queue_push_xmit(net, sk, skb);
+ }
+
+- nf_bridge = nf_bridge_info_get(skb);
+-
+ /* This is wrong! We should preserve the original fragment
+ * boundaries by preserving frag_list rather than refragmenting.
+ */
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: KUWAZAWA Takuya <albatross0@gmail.com>
+Date: Sun, 15 Oct 2017 20:54:10 +0900
+Subject: netfilter: ipvs: Fix inappropriate output of procfs
+
+From: KUWAZAWA Takuya <albatross0@gmail.com>
+
+
+[ Upstream commit c5504f724c86ee925e7ffb80aa342cfd57959b13 ]
+
+Information about ipvs in different network namespace can be seen via procfs.
+
+How to reproduce:
+
+ # ip netns add ns01
+ # ip netns add ns02
+ # ip netns exec ns01 ip a add dev lo 127.0.0.1/8
+ # ip netns exec ns02 ip a add dev lo 127.0.0.1/8
+ # ip netns exec ns01 ipvsadm -A -t 10.1.1.1:80
+ # ip netns exec ns02 ipvsadm -A -t 10.1.1.2:80
+
+The ipvsadm displays information about its own network namespace only.
+
+ # ip netns exec ns01 ipvsadm -Ln
+ IP Virtual Server version 1.2.1 (size=4096)
+ Prot LocalAddress:Port Scheduler Flags
+ -> RemoteAddress:Port Forward Weight ActiveConn InActConn
+ TCP 10.1.1.1:80 wlc
+
+ # ip netns exec ns02 ipvsadm -Ln
+ IP Virtual Server version 1.2.1 (size=4096)
+ Prot LocalAddress:Port Scheduler Flags
+ -> RemoteAddress:Port Forward Weight ActiveConn InActConn
+ TCP 10.1.1.2:80 wlc
+
+But I can see information about other network namespace via procfs.
+
+ # ip netns exec ns01 cat /proc/net/ip_vs
+ IP Virtual Server version 1.2.1 (size=4096)
+ Prot LocalAddress:Port Scheduler Flags
+ -> RemoteAddress:Port Forward Weight ActiveConn InActConn
+ TCP 0A010101:0050 wlc
+ TCP 0A010102:0050 wlc
+
+ # ip netns exec ns02 cat /proc/net/ip_vs
+ IP Virtual Server version 1.2.1 (size=4096)
+ Prot LocalAddress:Port Scheduler Flags
+ -> RemoteAddress:Port Forward Weight ActiveConn InActConn
+ TCP 0A010102:0050 wlc
+
+Signed-off-by: KUWAZAWA Takuya <albatross0@gmail.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2040,12 +2040,16 @@ static int ip_vs_info_seq_show(struct se
+ seq_puts(seq,
+ " -> RemoteAddress:Port Forward Weight ActiveConn InActConn\n");
+ } else {
++ struct net *net = seq_file_net(seq);
++ struct netns_ipvs *ipvs = net_ipvs(net);
+ const struct ip_vs_service *svc = v;
+ const struct ip_vs_iter *iter = seq->private;
+ const struct ip_vs_dest *dest;
+ struct ip_vs_scheduler *sched = rcu_dereference(svc->scheduler);
+ char *sched_name = sched ? sched->name : "none";
+
++ if (svc->ipvs != ipvs)
++ return 0;
+ if (iter->table == ip_vs_svc_table) {
+ #ifdef CONFIG_IP_VS_IPV6
+ if (svc->af == AF_INET6)
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: NeilBrown <neilb@suse.com>
+Date: Fri, 10 Mar 2017 11:36:39 +1100
+Subject: NFSD: fix nfsd_minorversion(.., NFSD_AVAIL)
+
+From: NeilBrown <neilb@suse.com>
+
+
+[ Upstream commit 928c6fb3a9bfd6c5b287aa3465226add551c13c0 ]
+
+Current code will return 1 if the version is supported,
+and -1 if it isn't.
+This is confusing and inconsistent with the one place where this
+is used.
+So change to return 1 if it is supported, and zero if not.
+i.e. an error is never returned.
+
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfssvc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfssvc.c
++++ b/fs/nfsd/nfssvc.c
+@@ -155,7 +155,8 @@ int nfsd_vers(int vers, enum vers_op cha
+
+ int nfsd_minorversion(u32 minorversion, enum vers_op change)
+ {
+- if (minorversion > NFSD_SUPPORTED_MINOR_VERSION)
++ if (minorversion > NFSD_SUPPORTED_MINOR_VERSION &&
++ change != NFSD_AVAIL)
+ return -1;
+ switch(change) {
+ case NFSD_SET:
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: NeilBrown <neilb@suse.com>
+Date: Fri, 10 Mar 2017 11:36:39 +1100
+Subject: NFSD: fix nfsd_reset_versions for NFSv4.
+
+From: NeilBrown <neilb@suse.com>
+
+
+[ Upstream commit 800a938f0bf9130c8256116649c0cc5806bfb2fd ]
+
+If you write "-2 -3 -4" to the "versions" file, it will
+notice that no versions are enabled, and nfsd_reset_versions()
+is called.
+This enables all major versions, not no minor versions.
+So we lose the invariant that NFSv4 is only advertised when
+at least one minor is enabled.
+
+Fix the code to explicitly enable minor versions for v4,
+change it to use nfsd_vers() to test and set, and simplify
+the code.
+
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfssvc.c | 25 +++++++++++--------------
+ 1 file changed, 11 insertions(+), 14 deletions(-)
+
+--- a/fs/nfsd/nfssvc.c
++++ b/fs/nfsd/nfssvc.c
+@@ -400,23 +400,20 @@ static void nfsd_last_thread(struct svc_
+
+ void nfsd_reset_versions(void)
+ {
+- int found_one = 0;
+ int i;
+
+- for (i = NFSD_MINVERS; i < NFSD_NRVERS; i++) {
+- if (nfsd_program.pg_vers[i])
+- found_one = 1;
+- }
++ for (i = 0; i < NFSD_NRVERS; i++)
++ if (nfsd_vers(i, NFSD_TEST))
++ return;
+
+- if (!found_one) {
+- for (i = NFSD_MINVERS; i < NFSD_NRVERS; i++)
+- nfsd_program.pg_vers[i] = nfsd_version[i];
+-#if defined(CONFIG_NFSD_V2_ACL) || defined(CONFIG_NFSD_V3_ACL)
+- for (i = NFSD_ACL_MINVERS; i < NFSD_ACL_NRVERS; i++)
+- nfsd_acl_program.pg_vers[i] =
+- nfsd_acl_version[i];
+-#endif
+- }
++ for (i = 0; i < NFSD_NRVERS; i++)
++ if (i != 4)
++ nfsd_vers(i, NFSD_SET);
++ else {
++ int minor = 0;
++ while (nfsd_minorversion(minor, NFSD_SET) >= 0)
++ minor++;
++ }
+ }
+
+ /*
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Olga Kornievskaia <kolga@netapp.com>
+Date: Wed, 8 Mar 2017 14:39:15 -0500
+Subject: NFSv4.1 respect server's max size in CREATE_SESSION
+
+From: Olga Kornievskaia <kolga@netapp.com>
+
+
+[ Upstream commit 033853325fe3bdc70819a8b97915bd3bca41d3af ]
+
+Currently client doesn't respect max sizes server returns in CREATE_SESSION.
+nfs4_session_set_rwsize() gets called and server->rsize, server->wsize are 0
+so they never get set to the sizes returned by the server.
+
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4client.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/nfs4client.c
++++ b/fs/nfs/nfs4client.c
+@@ -1004,9 +1004,9 @@ static void nfs4_session_set_rwsize(stru
+ server_resp_sz = sess->fc_attrs.max_resp_sz - nfs41_maxread_overhead;
+ server_rqst_sz = sess->fc_attrs.max_rqst_sz - nfs41_maxwrite_overhead;
+
+- if (server->rsize > server_resp_sz)
++ if (!server->rsize || server->rsize > server_resp_sz)
+ server->rsize = server_resp_sz;
+- if (server->wsize > server_rqst_sz)
++ if (!server->wsize || server->wsize > server_rqst_sz)
+ server->wsize = server_rqst_sz;
+ #endif /* CONFIG_NFS_V4_1 */
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Mon, 27 Feb 2017 18:44:45 +0200
+Subject: nvme-loop: fix a possible use-after-free when destroying the admin queue
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+
+[ Upstream commit e4c5d3762e2d6d274bd1cc948c47063becfa2103 ]
+
+we need to destroy the nvmet sq and let it finish gracefully
+before continue to cleanup the queue.
+
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/target/loop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/target/loop.c
++++ b/drivers/nvme/target/loop.c
+@@ -288,9 +288,9 @@ static struct blk_mq_ops nvme_loop_admin
+
+ static void nvme_loop_destroy_admin_queue(struct nvme_loop_ctrl *ctrl)
+ {
++ nvmet_sq_destroy(&ctrl->queues[0].nvme_sq);
+ blk_cleanup_queue(ctrl->ctrl.admin_q);
+ blk_mq_free_tag_set(&ctrl->admin_tag_set);
+- nvmet_sq_destroy(&ctrl->queues[0].nvme_sq);
+ }
+
+ static void nvme_loop_free_ctrl(struct nvme_ctrl *nctrl)
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Christoph Hellwig <hch@lst.de>
+Date: Wed, 18 Oct 2017 13:20:01 +0200
+Subject: nvme: use kref_get_unless_zero in nvme_find_get_ns
+
+From: Christoph Hellwig <hch@lst.de>
+
+
+[ Upstream commit 2dd4122854f697afc777582d18548dded03ce5dd ]
+
+For kref_get_unless_zero to protect against lookup vs free races we need
+to use it in all places where we aren't guaranteed to already hold a
+reference. There is no such guarantee in nvme_find_get_ns, so switch to
+kref_get_unless_zero in this function.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1619,7 +1619,8 @@ static struct nvme_ns *nvme_find_get_ns(
+ mutex_lock(&ctrl->namespaces_mutex);
+ list_for_each_entry(ns, &ctrl->namespaces, list) {
+ if (ns->ns_id == nsid) {
+- kref_get(&ns->kref);
++ if (!kref_get_unless_zero(&ns->kref))
++ continue;
+ ret = ns;
+ break;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Mon, 6 Mar 2017 18:46:20 +0200
+Subject: nvmet: confirm sq percpu has scheduled and switched to atomic
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+
+[ Upstream commit d11ea004a458b982e19b188c386e25a9b66ec446 ]
+
+percpu_ref_kill is not enough to prevent subsequent
+percpu_ref_tryget_live from failing. Hence call
+perfcpu_ref_kill_confirm to make it safe.
+
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/target/core.c | 11 ++++++++++-
+ drivers/nvme/target/nvmet.h | 1 +
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvme/target/core.c
++++ b/drivers/nvme/target/core.c
+@@ -422,6 +422,13 @@ void nvmet_sq_setup(struct nvmet_ctrl *c
+ ctrl->sqs[qid] = sq;
+ }
+
++static void nvmet_confirm_sq(struct percpu_ref *ref)
++{
++ struct nvmet_sq *sq = container_of(ref, struct nvmet_sq, ref);
++
++ complete(&sq->confirm_done);
++}
++
+ void nvmet_sq_destroy(struct nvmet_sq *sq)
+ {
+ /*
+@@ -430,7 +437,8 @@ void nvmet_sq_destroy(struct nvmet_sq *s
+ */
+ if (sq->ctrl && sq->ctrl->sqs && sq->ctrl->sqs[0] == sq)
+ nvmet_async_events_free(sq->ctrl);
+- percpu_ref_kill(&sq->ref);
++ percpu_ref_kill_and_confirm(&sq->ref, nvmet_confirm_sq);
++ wait_for_completion(&sq->confirm_done);
+ wait_for_completion(&sq->free_done);
+ percpu_ref_exit(&sq->ref);
+
+@@ -458,6 +466,7 @@ int nvmet_sq_init(struct nvmet_sq *sq)
+ return ret;
+ }
+ init_completion(&sq->free_done);
++ init_completion(&sq->confirm_done);
+
+ return 0;
+ }
+--- a/drivers/nvme/target/nvmet.h
++++ b/drivers/nvme/target/nvmet.h
+@@ -73,6 +73,7 @@ struct nvmet_sq {
+ u16 qid;
+ u16 size;
+ struct completion free_done;
++ struct completion confirm_done;
+ };
+
+ /**
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Thu, 9 Mar 2017 13:45:52 +0200
+Subject: nvmet-rdma: Fix a possible uninitialized variable dereference
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+
+[ Upstream commit b25634e2a051bef4b2524b11adddfbfa6448f6cd ]
+
+When handling a new recv command, we grab a new rsp resource and
+check for the queue state being live. In case the queue is not in
+live state, we simply restore the rsp back to the free list. However
+in this flow we didn't set rsp->queue yet, so we cannot dereference it.
+
+Instead, make sure to initialize rsp->queue (and other rsp members)
+as soon as possible so we won't reference uninitialized variables.
+
+Reported-by: Yi Zhang <yizhan@redhat.com>
+Reported-by: Raju Rangoju <rajur@chelsio.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Tested-by: Raju Rangoju <rajur@chelsio.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/target/rdma.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/nvme/target/rdma.c
++++ b/drivers/nvme/target/rdma.c
+@@ -703,11 +703,6 @@ static void nvmet_rdma_handle_command(st
+ {
+ u16 status;
+
+- cmd->queue = queue;
+- cmd->n_rdma = 0;
+- cmd->req.port = queue->port;
+-
+-
+ ib_dma_sync_single_for_cpu(queue->dev->device,
+ cmd->cmd->sge[0].addr, cmd->cmd->sge[0].length,
+ DMA_FROM_DEVICE);
+@@ -760,9 +755,12 @@ static void nvmet_rdma_recv_done(struct
+
+ cmd->queue = queue;
+ rsp = nvmet_rdma_get_rsp(queue);
++ rsp->queue = queue;
+ rsp->cmd = cmd;
+ rsp->flags = 0;
+ rsp->req.cmd = cmd->nvme_cmd;
++ rsp->req.port = queue->port;
++ rsp->n_rdma = 0;
+
+ if (unlikely(queue->state != NVMET_RDMA_Q_LIVE)) {
+ unsigned long flags;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Stafford Horne <shorne@gmail.com>
+Date: Mon, 13 Mar 2017 07:44:45 +0900
+Subject: openrisc: fix issue handling 8 byte get_user calls
+
+From: Stafford Horne <shorne@gmail.com>
+
+
+[ Upstream commit 154e67cd8e8f964809d0e75e44bb121b169c75b3 ]
+
+Was getting the following error with allmodconfig:
+
+ ERROR: "__get_user_bad" [lib/test_user_copy.ko] undefined!
+
+This was simply a missing break statement, causing an unwanted fall
+through.
+
+Signed-off-by: Stafford Horne <shorne@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/openrisc/include/asm/uaccess.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/openrisc/include/asm/uaccess.h
++++ b/arch/openrisc/include/asm/uaccess.h
+@@ -211,7 +211,7 @@ do { \
+ case 1: __get_user_asm(x, ptr, retval, "l.lbz"); break; \
+ case 2: __get_user_asm(x, ptr, retval, "l.lhz"); break; \
+ case 4: __get_user_asm(x, ptr, retval, "l.lwz"); break; \
+- case 8: __get_user_asm2(x, ptr, retval); \
++ case 8: __get_user_asm2(x, ptr, retval); break; \
+ default: (x) = __get_user_bad(); \
+ } \
+ } while (0)
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Wed, 11 Oct 2017 15:35:56 -0600
+Subject: PCI: Detach driver before procfs & sysfs teardown on device remove
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+
+[ Upstream commit 16b6c8bb687cc3bec914de09061fcb8411951fda ]
+
+When removing a device, for example a VF being removed due to SR-IOV
+teardown, a "soft" hot-unplug via 'echo 1 > remove' in sysfs, or an actual
+hot-unplug, we first remove the procfs and sysfs attributes for the device
+before attempting to release the device from any driver bound to it.
+Unbinding the driver from the device can take time. The device might need
+to write out data or it might be actively in use. If it's in use by
+userspace through a vfio driver, the unbind might block until the user
+releases the device. This leads to a potentially non-trivial amount of
+time where the device exists, but we've torn down the interfaces that
+userspace uses to examine devices, for instance lspci might generate this
+sort of error:
+
+ pcilib: Cannot open /sys/bus/pci/devices/0000:01:0a.3/config
+ lspci: Unable to read the standard configuration space header of device 0000:01:0a.3
+
+We don't seem to have any dependence on this teardown ordering in the
+kernel, so let's unbind the driver first, which is also more symmetric with
+the instantiation of the device in pci_bus_add_device().
+
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/remove.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/remove.c
++++ b/drivers/pci/remove.c
+@@ -19,9 +19,9 @@ static void pci_stop_dev(struct pci_dev
+ pci_pme_active(dev, false);
+
+ if (dev->is_added) {
++ device_release_driver(&dev->dev);
+ pci_proc_detach_device(dev);
+ pci_remove_sysfs_dev_files(dev);
+- device_release_driver(&dev->dev);
+ dev->is_added = 0;
+ }
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Fri, 13 Oct 2017 21:35:43 +0300
+Subject: PCI: Do not allocate more buses than available in parent
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+
+[ Upstream commit a20c7f36bd3d20d245616ae223bb9d05dfb6f050 ]
+
+One can ask more buses to be reserved for hotplug bridges by passing
+pci=hpbussize=N in the kernel command line. If the parent bus does not
+have enough bus space available we incorrectly create child bus with the
+requested number of subordinate buses.
+
+In the example below hpbussize is set to one more than we have available
+buses in the root port:
+
+ pci 0000:07:00.0: [8086:1578] type 01 class 0x060400
+ pci 0000:07:00.0: scanning [bus 00-00] behind bridge, pass 0
+ pci 0000:07:00.0: bridge configuration invalid ([bus 00-00]), reconfiguring
+ pci 0000:07:00.0: scanning [bus 00-00] behind bridge, pass 1
+ pci_bus 0000:08: busn_res: can not insert [bus 08-ff] under [bus 07-3f] (conflicts with (null) [bus 07-3f])
+ pci_bus 0000:08: scanning bus
+ ...
+ pci_bus 0000:0a: bus scan returning with max=40
+ pci_bus 0000:0a: busn_res: [bus 0a-ff] end is updated to 40
+ pci_bus 0000:0a: [bus 0a-40] partially hidden behind bridge 0000:07 [bus 07-3f]
+ pci_bus 0000:08: bus scan returning with max=40
+ pci_bus 0000:08: busn_res: [bus 08-ff] end is updated to 40
+
+Instead of allowing this, limit the subordinate number to be less than or
+equal the maximum subordinate number allocated for the parent bus (if it
+has any).
+
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+[bhelgaas: remove irrelevant dmesg messages]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/probe.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -932,7 +932,8 @@ int pci_scan_bridge(struct pci_bus *bus,
+ child = pci_add_new_bus(bus, dev, max+1);
+ if (!child)
+ goto out;
+- pci_bus_insert_busn_res(child, max+1, 0xff);
++ pci_bus_insert_busn_res(child, max+1,
++ bus->busn_res.end);
+ }
+ max++;
+ buses = (buses & 0xff000000)
+@@ -2136,6 +2137,10 @@ unsigned int pci_scan_child_bus(struct p
+ if (bus->self && bus->self->is_hotplug_bridge && pci_hotplug_bus_size) {
+ if (max - bus->busn_res.start < pci_hotplug_bus_size - 1)
+ max = bus->busn_res.start + pci_hotplug_bus_size - 1;
++
++ /* Do not allocate more buses than we have room left */
++ if (max > bus->busn_res.end)
++ max = bus->busn_res.end;
+ }
+
+ /*
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Qiang <zhengqiang10@huawei.com>
+Date: Thu, 28 Sep 2017 11:54:34 +0800
+Subject: PCI/PME: Handle invalid data when reading Root Status
+
+From: Qiang <zhengqiang10@huawei.com>
+
+
+[ Upstream commit 3ad3f8ce50914288731a3018b27ee44ab803e170 ]
+
+PCIe PME and native hotplug share the same interrupt number, so hotplug
+interrupts are also processed by PME. In some cases, e.g., a Link Down
+interrupt, a device may be present but unreachable, so when we try to
+read its Root Status register, the read fails and we get all ones data
+(0xffffffff).
+
+Previously, we interpreted that data as PCI_EXP_RTSTA_PME being set, i.e.,
+"some device has asserted PME," so we scheduled pcie_pme_work_fn(). This
+caused an infinite loop because pcie_pme_work_fn() tried to handle PME
+requests until PCI_EXP_RTSTA_PME is cleared, but with the link down,
+PCI_EXP_RTSTA_PME can't be cleared.
+
+Check for the invalid 0xffffffff data everywhere we read the Root Status
+register.
+
+1469d17dd341 ("PCI: pciehp: Handle invalid data when reading from
+non-existent devices") added similar checks in the hotplug driver.
+
+Signed-off-by: Qiang Zheng <zhengqiang10@huawei.com>
+[bhelgaas: changelog, also check in pcie_pme_work_fn(), use "~0" to follow
+other similar checks]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pcie/pme.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/pcie/pme.c
++++ b/drivers/pci/pcie/pme.c
+@@ -232,6 +232,9 @@ static void pcie_pme_work_fn(struct work
+ break;
+
+ pcie_capability_read_dword(port, PCI_EXP_RTSTA, &rtsta);
++ if (rtsta == (u32) ~0)
++ break;
++
+ if (rtsta & PCI_EXP_RTSTA_PME) {
+ /*
+ * Clear PME status of the port. If there are other
+@@ -279,7 +282,7 @@ static irqreturn_t pcie_pme_irq(int irq,
+ spin_lock_irqsave(&data->lock, flags);
+ pcie_capability_read_dword(port, PCI_EXP_RTSTA, &rtsta);
+
+- if (!(rtsta & PCI_EXP_RTSTA_PME)) {
++ if (rtsta == (u32) ~0 || !(rtsta & PCI_EXP_RTSTA_PME)) {
+ spin_unlock_irqrestore(&data->lock, flags);
+ return IRQ_NONE;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Wed, 15 Mar 2017 22:53:37 +0100
+Subject: perf symbols: Fix symbols__fixup_end heuristic for corner cases
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+
+[ Upstream commit e7ede72a6d40cb3a30c087142d79381ca8a31dab ]
+
+The current symbols__fixup_end() heuristic for the last entry in the rb
+tree is suboptimal as it leads to not being able to recognize the symbol
+in the call graph in a couple of corner cases, for example:
+
+ i) If the symbol has a start address (f.e. exposed via kallsyms)
+ that is at a page boundary, then the roundup(curr->start, 4096)
+ for the last entry will result in curr->start == curr->end with
+ a symbol length of zero.
+
+ii) If the symbol has a start address that is shortly before a page
+ boundary, then also here, curr->end - curr->start will just be
+ very few bytes, where it's unrealistic that we could perform a
+ match against.
+
+Instead, change the heuristic to roundup(curr->start, 4096) + 4096, so
+that we can catch such corner cases and have a better chance to find
+that specific symbol. It's still just best effort as the real end of the
+symbol is unknown to us (and could even be at a larger offset than the
+current range), but better than the current situation.
+
+Alexei reported that he recently run into case i) with a JITed eBPF
+program (these are all page aligned) as the last symbol which wasn't
+properly shown in the call graph (while other eBPF program symbols in
+the rb tree were displayed correctly). Since this is a generic issue,
+lets try to improve the heuristic a bit.
+
+Reported-and-Tested-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Fixes: 2e538c4a1847 ("perf tools: Improve kernel/modules symbol lookup")
+Link: http://lkml.kernel.org/r/bb5c80d27743be6f12afc68405f1956a330e1bc9.1489614365.git.daniel@iogearbox.net
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/symbol.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/symbol.c
++++ b/tools/perf/util/symbol.c
+@@ -202,7 +202,7 @@ void symbols__fixup_end(struct rb_root *
+
+ /* Last entry */
+ if (curr->end == curr->start)
+- curr->end = roundup(curr->start, 4096);
++ curr->end = roundup(curr->start, 4096) + 4096;
+ }
+
+ void __map_groups__fixup_end(struct map_groups *mg, enum map_type type)
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Wed, 11 Oct 2017 11:57:15 +0200
+Subject: pinctrl: adi2: Fix Kconfig build problem
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+
+[ Upstream commit 1c363531dd814dc4fe10865722bf6b0f72ce4673 ]
+
+The build robot is complaining on Blackfin:
+
+drivers/pinctrl/pinctrl-adi2.c: In function 'port_setup':
+>> drivers/pinctrl/pinctrl-adi2.c:221:21: error: dereferencing
+ pointer to incomplete type 'struct gpio_port_t'
+ writew(readw(®s->port_fer) & ~BIT(offset),
+ ^~
+drivers/pinctrl/pinctrl-adi2.c: In function 'adi_gpio_ack_irq':
+>> drivers/pinctrl/pinctrl-adi2.c:266:18: error: dereferencing
+pointer to incomplete type 'struct bfin_pint_regs'
+ if (readl(®s->invert_set) & pintbit)
+ ^~
+It seems the driver need to include <asm/gpio.h> and <asm/irq.h>
+to compile.
+
+The Blackfin architecture was re-defining the Kconfig
+PINCTRL symbol which is not OK, so replaced this with
+PINCTRL_BLACKFIN_ADI2 which selects PINCTRL and PINCTRL_ADI2
+just like most arches do.
+
+Further, the old GPIO driver symbol GPIO_ADI was possible to
+select at the same time as selecting PINCTRL. This was not
+working because the arch-local <asm/gpio.h> header contains
+an explicit #ifndef PINCTRL clause making compilation break
+if you combine them. The same is true for DEBUG_MMRS.
+
+Make sure the ADI2 pinctrl driver is not selected at the same
+time as the old GPIO implementation. (This should be converted
+to use gpiolib or pincontrol and move to drivers/...) Also make
+sure the old GPIO_ADI driver or DEBUG_MMRS is not selected at
+the same time as the new PINCTRL implementation, and only make
+PINCTRL_ADI2 selectable for the Blackfin families that actually
+have it.
+
+This way it is still possible to add e.g. I2C-based pin
+control expanders on the Blackfin.
+
+Cc: Steven Miao <realmz6@gmail.com>
+Cc: Huanhuan Feng <huanhuan.feng@analog.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/blackfin/Kconfig | 7 +++++--
+ arch/blackfin/Kconfig.debug | 1 +
+ drivers/pinctrl/Kconfig | 3 ++-
+ 3 files changed, 8 insertions(+), 3 deletions(-)
+
+--- a/arch/blackfin/Kconfig
++++ b/arch/blackfin/Kconfig
+@@ -319,11 +319,14 @@ config BF53x
+
+ config GPIO_ADI
+ def_bool y
++ depends on !PINCTRL
+ depends on (BF51x || BF52x || BF53x || BF538 || BF539 || BF561)
+
+-config PINCTRL
++config PINCTRL_BLACKFIN_ADI2
+ def_bool y
+- depends on BF54x || BF60x
++ depends on (BF54x || BF60x)
++ select PINCTRL
++ select PINCTRL_ADI2
+
+ config MEM_MT48LC64M4A2FB_7E
+ bool
+--- a/arch/blackfin/Kconfig.debug
++++ b/arch/blackfin/Kconfig.debug
+@@ -17,6 +17,7 @@ config DEBUG_VERBOSE
+
+ config DEBUG_MMRS
+ tristate "Generate Blackfin MMR tree"
++ depends on !PINCTRL
+ select DEBUG_FS
+ help
+ Create a tree of Blackfin MMRs via the debugfs tree. If
+--- a/drivers/pinctrl/Kconfig
++++ b/drivers/pinctrl/Kconfig
+@@ -26,7 +26,8 @@ config DEBUG_PINCTRL
+
+ config PINCTRL_ADI2
+ bool "ADI pin controller driver"
+- depends on BLACKFIN
++ depends on (BF54x || BF60x)
++ depends on !GPIO_ADI
+ select PINMUX
+ select IRQ_DOMAIN
+ help
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Osama Khan <osama.khan@ericsson.com>
+Date: Sat, 21 Oct 2017 10:42:21 +0000
+Subject: platform/x86: hp_accel: Add quirk for HP ProBook 440 G4
+
+From: Osama Khan <osama.khan@ericsson.com>
+
+
+[ Upstream commit 163ca80013aafb6dc9cb295de3db7aeab9ab43f8 ]
+
+Added support for HP ProBook 440 G4 laptops by including the accelerometer
+orientation quirk for that device. Testing was performed based on the
+axis orientation guidelines here:
+https://www.kernel.org/doc/Documentation/misc-devices/lis3lv02d
+which states "If the left side is elevated, X increases (becomes positive)".
+
+When tested, on lifting the left edge, x values became increasingly negative
+thus indicating an inverted x-axis on the installed lis3lv02d chip.
+This was compensated by adding an entry for this device in hp_accel.c
+specifying the quirk as x_inverted. The patch was tested on a
+ProBook 440 G4 device and x-axis as well as y and z-axis values are now
+generated as per spec.
+
+Signed-off-by: Osama Khan <osama.khan@ericsson.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/hp_accel.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/platform/x86/hp_accel.c
++++ b/drivers/platform/x86/hp_accel.c
+@@ -240,6 +240,7 @@ static const struct dmi_system_id lis3lv
+ AXIS_DMI_MATCH("HDX18", "HP HDX 18", x_inverted),
+ AXIS_DMI_MATCH("HPB432x", "HP ProBook 432", xy_rotated_left),
+ AXIS_DMI_MATCH("HPB440G3", "HP ProBook 440 G3", x_inverted_usd),
++ AXIS_DMI_MATCH("HPB440G4", "HP ProBook 440 G4", x_inverted),
+ AXIS_DMI_MATCH("HPB442x", "HP ProBook 442", xy_rotated_left),
+ AXIS_DMI_MATCH("HPB452x", "HP ProBook 452", y_inverted),
+ AXIS_DMI_MATCH("HPB522x", "HP ProBook 522", xy_swap),
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Date: Sun, 29 Oct 2017 02:49:54 -0700
+Subject: platform/x86: intel_punit_ipc: Fix resource ioremap warning
+
+From: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+
+
+[ Upstream commit 6cc8cbbc8868033f279b63e98b26b75eaa0006ab ]
+
+For PUNIT device, ISPDRIVER_IPC and GTDDRIVER_IPC resources are not
+mandatory. So when PMC IPC driver creates a PUNIT device, if these
+resources are not available then it creates dummy resource entries for
+these missing resources. But during PUNIT device probe, doing ioremap on
+these dummy resources generates following warning messages.
+
+intel_punit_ipc: can't request region for resource [mem 0x00000000]
+intel_punit_ipc: can't request region for resource [mem 0x00000000]
+intel_punit_ipc: can't request region for resource [mem 0x00000000]
+intel_punit_ipc: can't request region for resource [mem 0x00000000]
+
+This patch fixes this issue by adding extra check for resource size
+before performing ioremap operation.
+
+Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/intel_punit_ipc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/platform/x86/intel_punit_ipc.c
++++ b/drivers/platform/x86/intel_punit_ipc.c
+@@ -252,28 +252,28 @@ static int intel_punit_get_bars(struct p
+ * - GTDRIVER_IPC BASE_IFACE
+ */
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 2);
+- if (res) {
++ if (res && resource_size(res) > 1) {
+ addr = devm_ioremap_resource(&pdev->dev, res);
+ if (!IS_ERR(addr))
+ punit_ipcdev->base[ISPDRIVER_IPC][BASE_DATA] = addr;
+ }
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 3);
+- if (res) {
++ if (res && resource_size(res) > 1) {
+ addr = devm_ioremap_resource(&pdev->dev, res);
+ if (!IS_ERR(addr))
+ punit_ipcdev->base[ISPDRIVER_IPC][BASE_IFACE] = addr;
+ }
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 4);
+- if (res) {
++ if (res && resource_size(res) > 1) {
+ addr = devm_ioremap_resource(&pdev->dev, res);
+ if (!IS_ERR(addr))
+ punit_ipcdev->base[GTDRIVER_IPC][BASE_DATA] = addr;
+ }
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 5);
+- if (res) {
++ if (res && resource_size(res) > 1) {
+ addr = devm_ioremap_resource(&pdev->dev, res);
+ if (!IS_ERR(addr))
+ punit_ipcdev->base[GTDRIVER_IPC][BASE_IFACE] = addr;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Markus Elfring <elfring@users.sourceforge.net>
+Date: Wed, 1 Nov 2017 18:42:45 +0100
+Subject: platform/x86: sony-laptop: Fix error handling in sony_nc_setup_rfkill()
+
+From: Markus Elfring <elfring@users.sourceforge.net>
+
+
+[ Upstream commit f6c8a317ab208aee223776327c06f23342492d54 ]
+
+Source code review for a specific software refactoring showed the need
+for another correction because the error code "-1" was returned so far
+if a call of the function "sony_call_snc_handle" failed here.
+Thus assign the return value from these two function calls also to
+the variable "err" and provide it in case of a failure.
+
+Fixes: d6f15ed876b83a1a0eba1d0473eef58acc95444a ("sony-laptop: use soft rfkill status stored in hw")
+Suggested-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lkml.org/lkml/2017/10/31/463
+Link: https://lkml.kernel.org/r/<CAHp75VcMkXCioCzmLE0+BTmkqc5RSOx9yPO0ectVHMrMvewgwg@mail.gmail.com>
+Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/sony-laptop.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/platform/x86/sony-laptop.c
++++ b/drivers/platform/x86/sony-laptop.c
+@@ -1660,17 +1660,19 @@ static int sony_nc_setup_rfkill(struct a
+ if (!rfk)
+ return -ENOMEM;
+
+- if (sony_call_snc_handle(sony_rfkill_handle, 0x200, &result) < 0) {
++ err = sony_call_snc_handle(sony_rfkill_handle, 0x200, &result);
++ if (err < 0) {
+ rfkill_destroy(rfk);
+- return -1;
++ return err;
+ }
+ hwblock = !(result & 0x1);
+
+- if (sony_call_snc_handle(sony_rfkill_handle,
+- sony_rfkill_address[nc_type],
+- &result) < 0) {
++ err = sony_call_snc_handle(sony_rfkill_handle,
++ sony_rfkill_address[nc_type],
++ &result);
++ if (err < 0) {
+ rfkill_destroy(rfk);
+- return -1;
++ return err;
+ }
+ swblock = !(result & 0x2);
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Wed, 18 Oct 2017 11:16:47 +0200
+Subject: powerpc/ipic: Fix status get and status clear
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+
+[ Upstream commit 6b148a7ce72a7f87c81cbcde48af014abc0516a9 ]
+
+IPIC Status is provided by register IPIC_SERSR and not by IPIC_SERMR
+which is the mask register.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/sysdev/ipic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/sysdev/ipic.c
++++ b/arch/powerpc/sysdev/ipic.c
+@@ -845,12 +845,12 @@ void ipic_disable_mcp(enum ipic_mcp_irq
+
+ u32 ipic_get_mcp_status(void)
+ {
+- return ipic_read(primary_ipic->regs, IPIC_SERMR);
++ return ipic_read(primary_ipic->regs, IPIC_SERSR);
+ }
+
+ void ipic_clear_mcp_status(u32 mask)
+ {
+- ipic_write(primary_ipic->regs, IPIC_SERMR, mask);
++ ipic_write(primary_ipic->regs, IPIC_SERSR, mask);
+ }
+
+ /* Return an interrupt vector or 0 if no interrupt is pending. */
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: "William A. Kennington III" <wak@google.com>
+Date: Fri, 22 Sep 2017 16:58:00 -0700
+Subject: powerpc/opal: Fix EBUSY bug in acquiring tokens
+
+From: "William A. Kennington III" <wak@google.com>
+
+
+[ Upstream commit 71e24d7731a2903b1ae2bba2b2971c654d9c2aa6 ]
+
+The current code checks the completion map to look for the first token
+that is complete. In some cases, a completion can come in but the
+token can still be on lease to the caller processing the completion.
+If this completed but unreleased token is the first token found in the
+bitmap by another tasks trying to acquire a token, then the
+__test_and_set_bit call will fail since the token will still be on
+lease. The acquisition will then fail with an EBUSY.
+
+This patch reorganizes the acquisition code to look at the
+opal_async_token_map for an unleased token. If the token has no lease
+it must have no outstanding completions so we should never see an
+EBUSY, unless we have leased out too many tokens. Since
+opal_async_get_token_inrerruptible is protected by a semaphore, we
+will practically never see EBUSY anymore.
+
+Fixes: 8d7248232208 ("powerpc/powernv: Infrastructure to support OPAL async completion")
+Signed-off-by: William A. Kennington III <wak@google.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/powernv/opal-async.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/platforms/powernv/opal-async.c
++++ b/arch/powerpc/platforms/powernv/opal-async.c
+@@ -39,18 +39,18 @@ int __opal_async_get_token(void)
+ int token;
+
+ spin_lock_irqsave(&opal_async_comp_lock, flags);
+- token = find_first_bit(opal_async_complete_map, opal_max_async_tokens);
++ token = find_first_zero_bit(opal_async_token_map, opal_max_async_tokens);
+ if (token >= opal_max_async_tokens) {
+ token = -EBUSY;
+ goto out;
+ }
+
+- if (__test_and_set_bit(token, opal_async_token_map)) {
++ if (!__test_and_clear_bit(token, opal_async_complete_map)) {
+ token = -EBUSY;
+ goto out;
+ }
+
+- __clear_bit(token, opal_async_complete_map);
++ __set_bit(token, opal_async_token_map);
+
+ out:
+ spin_unlock_irqrestore(&opal_async_comp_lock, flags);
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Mon, 9 Oct 2017 21:52:44 +1100
+Subject: powerpc/perf/hv-24x7: Fix incorrect comparison in memord
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+
+[ Upstream commit 05c14c03138532a3cb2aa29c2960445c8753343b ]
+
+In the hv-24x7 code there is a function memord() which tries to
+implement a sort function return -1, 0, 1. However one of the
+conditions is incorrect, such that it can never be true, because we
+will have already returned.
+
+I don't believe there is a bug in practice though, because the
+comparisons are an optimisation prior to calling memcmp().
+
+Fix it by swapping the second comparision, so it can be true.
+
+Reported-by: David Binderman <dcb314@hotmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/perf/hv-24x7.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/perf/hv-24x7.c
++++ b/arch/powerpc/perf/hv-24x7.c
+@@ -516,7 +516,7 @@ static int memord(const void *d1, size_t
+ {
+ if (s1 < s2)
+ return 1;
+- if (s2 > s1)
++ if (s1 > s2)
+ return -1;
+
+ return memcmp(d1, d2, s1);
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Shriya <shriyak@linux.vnet.ibm.com>
+Date: Fri, 13 Oct 2017 10:06:41 +0530
+Subject: powerpc/powernv/cpufreq: Fix the frequency read by /proc/cpuinfo
+
+From: Shriya <shriyak@linux.vnet.ibm.com>
+
+
+[ Upstream commit cd77b5ce208c153260ed7882d8910f2395bfaabd ]
+
+The call to /proc/cpuinfo in turn calls cpufreq_quick_get() which
+returns the last frequency requested by the kernel, but may not
+reflect the actual frequency the processor is running at. This patch
+makes a call to cpufreq_get() instead which returns the current
+frequency reported by the hardware.
+
+Fixes: fb5153d05a7d ("powerpc: powernv: Implement ppc_md.get_proc_freq()")
+Signed-off-by: Shriya <shriyak@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/powernv/setup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/powernv/setup.c
++++ b/arch/powerpc/platforms/powernv/setup.c
+@@ -289,7 +289,7 @@ static unsigned long pnv_get_proc_freq(u
+ {
+ unsigned long ret_freq;
+
+- ret_freq = cpufreq_quick_get(cpu) * 1000ul;
++ ret_freq = cpufreq_get(cpu) * 1000ul;
+
+ /*
+ * If the backend cpufreq driver does not exist,
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Gao Feng <gfree.wind@vip.163.com>
+Date: Tue, 31 Oct 2017 18:25:37 +0800
+Subject: ppp: Destroy the mutex when cleanup
+
+From: Gao Feng <gfree.wind@vip.163.com>
+
+
+[ Upstream commit f02b2320b27c16b644691267ee3b5c110846f49e ]
+
+The mutex_destroy only makes sense when enable DEBUG_MUTEX. For the
+good readbility, it's better to invoke it in exit func when the init
+func invokes mutex_init.
+
+Signed-off-by: Gao Feng <gfree.wind@vip.163.com>
+Acked-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/ppp_generic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -958,6 +958,7 @@ static __net_exit void ppp_exit_net(stru
+ unregister_netdevice_many(&list);
+ rtnl_unlock();
+
++ mutex_destroy(&pn->all_ppp_mutex);
+ idr_destroy(&pn->units_idr);
+ }
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Ram Amrani <Ram.Amrani@cavium.com>
+Date: Tue, 14 Mar 2017 15:25:58 +0200
+Subject: qed: Align CIDs according to DORQ requirement
+
+From: Ram Amrani <Ram.Amrani@cavium.com>
+
+
+[ Upstream commit f3e48119b97f56fb09310c95d49da122a27003d7 ]
+
+The Doorbell HW block can be configured at a granularity
+of 16 x CIDs, so we need to make sure that the actual number
+of CIDs configured would be a multiplication of 16.
+
+Today, when RoCE is enabled - given that the number is unaligned,
+doorbelling the higher CIDs would fail to reach the firmware and
+would eventually timeout.
+
+Fixes: dbb799c39717 ("qed: Initialize hardware for new protocols")
+Signed-off-by: Ram Amrani <Ram.Amrani@cavium.com>
+Signed-off-by: Yuval Mintz <Yuval.Mintz@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_cxt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
+@@ -373,8 +373,9 @@ static void qed_cxt_set_proto_cid_count(
+ u32 page_sz = p_mgr->clients[ILT_CLI_CDUC].p_size.val;
+ u32 cxt_size = CONN_CXT_SIZE(p_hwfn);
+ u32 elems_per_page = ILT_PAGE_IN_BYTES(page_sz) / cxt_size;
++ u32 align = elems_per_page * DQ_RANGE_ALIGN;
+
+- p_conn->cid_count = roundup(p_conn->cid_count, elems_per_page);
++ p_conn->cid_count = roundup(p_conn->cid_count, align);
+ }
+ }
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Ram Amrani <Ram.Amrani@cavium.com>
+Date: Tue, 14 Mar 2017 15:26:02 +0200
+Subject: qed: Fix interrupt flags on Rx LL2
+
+From: Ram Amrani <Ram.Amrani@cavium.com>
+
+
+[ Upstream commit 1df2adedcce17ad4a39fba74f0e2b611f797fe10 ]
+
+Before iterating over the the LL2 Rx ring, the ring's
+spinlock is taken via spin_lock_irqsave().
+The actual processing of the packet [including handling
+by the protocol driver] is done without said lock,
+so qed releases the spinlock and re-claims it afterwards.
+
+Problem is that the final spin_lock_irqrestore() at the end
+of the iteration uses the original flags saved from the
+initial irqsave() instead of the flags from the most recent
+irqsave(). So it's possible that the interrupt status would
+be incorrect at the end of the processing.
+
+Fixes: 0a7fb11c23c0 ("qed: Add Light L2 support");
+CC: Ram Amrani <Ram.Amrani@cavium.com>
+Signed-off-by: Yuval Mintz <Yuval.Mintz@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_ll2.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_ll2.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_ll2.c
+@@ -443,7 +443,7 @@ qed_ll2_rxq_completion_gsi(struct qed_hw
+ static int qed_ll2_rxq_completion_reg(struct qed_hwfn *p_hwfn,
+ struct qed_ll2_info *p_ll2_conn,
+ union core_rx_cqe_union *p_cqe,
+- unsigned long lock_flags,
++ unsigned long *p_lock_flags,
+ bool b_last_cqe)
+ {
+ struct qed_ll2_rx_queue *p_rx = &p_ll2_conn->rx_queue;
+@@ -464,10 +464,10 @@ static int qed_ll2_rxq_completion_reg(st
+ "Mismatch between active_descq and the LL2 Rx chain\n");
+ list_add_tail(&p_pkt->list_entry, &p_rx->free_descq);
+
+- spin_unlock_irqrestore(&p_rx->lock, lock_flags);
++ spin_unlock_irqrestore(&p_rx->lock, *p_lock_flags);
+ qed_ll2b_complete_rx_packet(p_hwfn, p_ll2_conn->my_id,
+ p_pkt, &p_cqe->rx_cqe_fp, b_last_cqe);
+- spin_lock_irqsave(&p_rx->lock, lock_flags);
++ spin_lock_irqsave(&p_rx->lock, *p_lock_flags);
+
+ return 0;
+ }
+@@ -507,7 +507,8 @@ static int qed_ll2_rxq_completion(struct
+ break;
+ case CORE_RX_CQE_TYPE_REGULAR:
+ rc = qed_ll2_rxq_completion_reg(p_hwfn, p_ll2_conn,
+- cqe, flags, b_last_cqe);
++ cqe, &flags,
++ b_last_cqe);
+ break;
+ default:
+ rc = -EIO;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: "Mintz, Yuval" <Yuval.Mintz@cavium.com>
+Date: Tue, 14 Mar 2017 15:26:00 +0200
+Subject: qed: Fix mapping leak on LL2 rx flow
+
+From: "Mintz, Yuval" <Yuval.Mintz@cavium.com>
+
+
+[ Upstream commit 752ecb2da11124a948567076b60767dc8034cfa5 ]
+
+When receiving an Rx LL2 packet, qed fails to unmap the previous buffer.
+
+Fixes: 0a7fb11c23c0 ("qed: Add Light L2 support");
+Signed-off-by: Yuval Mintz <Yuval.Mintz@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_ll2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_ll2.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_ll2.c
+@@ -187,6 +187,8 @@ static void qed_ll2b_complete_rx_packet(
+ /* If need to reuse or there's no replacement buffer, repost this */
+ if (rc)
+ goto out_post;
++ dma_unmap_single(&cdev->pdev->dev, buffer->phys_addr,
++ cdev->ll2->rx_size, DMA_FROM_DEVICE);
+
+ skb = build_skb(buffer->data, 0);
+ if (!skb) {
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: NeilBrown <neilb@suse.com>
+Date: Tue, 17 Oct 2017 16:18:36 +1100
+Subject: raid5: Set R5_Expanded on parity devices as well as data.
+
+From: NeilBrown <neilb@suse.com>
+
+
+[ Upstream commit 235b6003fb28f0dd8e7ed8fbdb088bb548291766 ]
+
+When reshaping a fully degraded raid5/raid6 to a larger
+nubmer of devices, the new device(s) are not in-sync
+and so that can make the newly grown stripe appear to be
+"failed".
+To avoid this, we set the R5_Expanded flag to say "Even though
+this device is not fully in-sync, this block is safe so
+don't treat the device as failed for this stripe".
+This flag is set for data devices, not not for parity devices.
+
+Consequently, if you have a RAID6 with two devices that are partly
+recovered and a spare, and start a reshape to include the spare,
+then when the reshape gets past the point where the recovery was
+up to, it will think the stripes are failed and will get into
+an infinite loop, failing to make progress.
+
+So when contructing parity on an EXPAND_READY stripe,
+set R5_Expanded.
+
+Reported-by: Curt <lightspd@gmail.com>
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid5.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -1689,8 +1689,11 @@ static void ops_complete_reconstruct(voi
+ struct r5dev *dev = &sh->dev[i];
+
+ if (dev->written || i == pd_idx || i == qd_idx) {
+- if (!discard && !test_bit(R5_SkipCopy, &dev->flags))
++ if (!discard && !test_bit(R5_SkipCopy, &dev->flags)) {
+ set_bit(R5_UPTODATE, &dev->flags);
++ if (test_bit(STRIPE_EXPAND_READY, &sh->state))
++ set_bit(R5_Expanded, &dev->flags);
++ }
+ if (fua)
+ set_bit(R5_WantFUA, &dev->flags);
+ if (sync)
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Wed, 11 Oct 2017 10:48:45 -0700
+Subject: RDMA/cma: Avoid triggering undefined behavior
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+
+[ Upstream commit c0b64f58e8d49570aa9ee55d880f92c20ff0166b ]
+
+According to the C standard the behavior of computations with
+integer operands is as follows:
+* A computation involving unsigned operands can never overflow,
+ because a result that cannot be represented by the resulting
+ unsigned integer type is reduced modulo the number that is one
+ greater than the largest value that can be represented by the
+ resulting type.
+* The behavior for signed integer underflow and overflow is
+ undefined.
+
+Hence only use unsigned integers when checking for integer
+overflow.
+
+This patch is what I came up with after having analyzed the
+following smatch warnings:
+
+drivers/infiniband/core/cma.c:3448: cma_resolve_ib_udp() warn: signed overflow undefined. 'offset + conn_param->private_data_len < conn_param->private_data_len'
+drivers/infiniband/core/cma.c:3505: cma_connect_ib() warn: signed overflow undefined. 'offset + conn_param->private_data_len < conn_param->private_data_len'
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Acked-by: Sean Hefty <sean.hefty@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/cma.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -1482,7 +1482,7 @@ static struct rdma_id_private *cma_id_fr
+ return id_priv;
+ }
+
+-static inline int cma_user_data_offset(struct rdma_id_private *id_priv)
++static inline u8 cma_user_data_offset(struct rdma_id_private *id_priv)
+ {
+ return cma_family(id_priv) == AF_IB ? 0 : sizeof(struct cma_hdr);
+ }
+@@ -1877,7 +1877,8 @@ static int cma_req_handler(struct ib_cm_
+ struct rdma_id_private *listen_id, *conn_id = NULL;
+ struct rdma_cm_event event;
+ struct net_device *net_dev;
+- int offset, ret;
++ u8 offset;
++ int ret;
+
+ listen_id = cma_id_from_event(cm_id, ib_event, &net_dev);
+ if (IS_ERR(listen_id))
+@@ -3309,7 +3310,8 @@ static int cma_resolve_ib_udp(struct rdm
+ struct ib_cm_sidr_req_param req;
+ struct ib_cm_id *id;
+ void *private_data;
+- int offset, ret;
++ u8 offset;
++ int ret;
+
+ memset(&req, 0, sizeof req);
+ offset = cma_user_data_offset(id_priv);
+@@ -3366,7 +3368,8 @@ static int cma_connect_ib(struct rdma_id
+ struct rdma_route *route;
+ void *private_data;
+ struct ib_cm_id *id;
+- int offset, ret;
++ u8 offset;
++ int ret;
+
+ memset(&req, 0, sizeof req);
+ offset = cma_user_data_offset(id_priv);
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Leon Romanovsky <leon@kernel.org>
+Date: Wed, 25 Oct 2017 07:41:11 +0300
+Subject: RDMA/cxgb4: Declare stag as __be32
+
+From: Leon Romanovsky <leon@kernel.org>
+
+
+[ Upstream commit 35fb2a88ed4b77356fa679a8525c869a3594e287 ]
+
+The scqe.stag is actually __b32, fix it.
+
+ drivers/infiniband/hw/cxgb4/cq.c:754:52: warning: cast to restricted __be32
+
+Cc: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Reviewed-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/cxgb4/t4.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/cxgb4/t4.h
++++ b/drivers/infiniband/hw/cxgb4/t4.h
+@@ -171,7 +171,7 @@ struct t4_cqe {
+ __be32 msn;
+ } rcqe;
+ struct {
+- u32 stag;
++ __be32 stag;
+ u16 nada2;
+ u16 cidx;
+ } scqe;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Dou Liyang <douly.fnst@cn.fujitsu.com>
+Date: Fri, 3 Mar 2017 16:02:23 +0800
+Subject: Revert "x86/acpi: Set persistent cpuid <-> nodeid mapping when booting"
+
+From: Dou Liyang <douly.fnst@cn.fujitsu.com>
+
+
+[ Upstream commit c962cff17dfa11f4a8227ac16de2b28aea3312e4 ]
+
+Revert: dc6db24d2476 ("x86/acpi: Set persistent cpuid <-> nodeid mapping when booting")
+
+The mapping of "cpuid <-> nodeid" is established at boot time via ACPI
+tables to keep associations of workqueues and other node related items
+consistent across cpu hotplug.
+
+But, ACPI tables are unreliable and failures with that boot time mapping
+have been reported on machines where the ACPI table and the physical
+information which is retrieved at actual hotplug is inconsistent.
+
+Revert the mapping implementation so it can be replaced with a less error
+prone approach.
+
+Signed-off-by: Dou Liyang <douly.fnst@cn.fujitsu.com>
+Tested-by: Xiaolong Ye <xiaolong.ye@intel.com>
+Cc: rjw@rjwysocki.net
+Cc: linux-acpi@vger.kernel.org
+Cc: guzheng1@huawei.com
+Cc: izumi.taku@jp.fujitsu.com
+Cc: lenb@kernel.org
+Link: http://lkml.kernel.org/r/1488528147-2279-2-git-send-email-douly.fnst@cn.fujitsu.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/acpi/boot.c | 2 -
+ drivers/acpi/acpi_processor.c | 5 --
+ drivers/acpi/bus.c | 1
+ drivers/acpi/processor_core.c | 73 ------------------------------------------
+ include/linux/acpi.h | 3 -
+ 5 files changed, 1 insertion(+), 83 deletions(-)
+
+--- a/arch/x86/kernel/acpi/boot.c
++++ b/arch/x86/kernel/acpi/boot.c
+@@ -720,7 +720,7 @@ static void __init acpi_set_irq_model_io
+ #ifdef CONFIG_ACPI_HOTPLUG_CPU
+ #include <acpi/processor.h>
+
+-int acpi_map_cpu2node(acpi_handle handle, int cpu, int physid)
++static int acpi_map_cpu2node(acpi_handle handle, int cpu, int physid)
+ {
+ #ifdef CONFIG_ACPI_NUMA
+ int nid;
+--- a/drivers/acpi/acpi_processor.c
++++ b/drivers/acpi/acpi_processor.c
+@@ -182,11 +182,6 @@ int __weak arch_register_cpu(int cpu)
+
+ void __weak arch_unregister_cpu(int cpu) {}
+
+-int __weak acpi_map_cpu2node(acpi_handle handle, int cpu, int physid)
+-{
+- return -ENODEV;
+-}
+-
+ static int acpi_processor_hotadd_init(struct acpi_processor *pr)
+ {
+ unsigned long long sta;
+--- a/drivers/acpi/bus.c
++++ b/drivers/acpi/bus.c
+@@ -1197,7 +1197,6 @@ static int __init acpi_init(void)
+ acpi_wakeup_device_init();
+ acpi_debugger_init();
+ acpi_setup_sb_notify_handler();
+- acpi_set_processor_mapping();
+ return 0;
+ }
+
+--- a/drivers/acpi/processor_core.c
++++ b/drivers/acpi/processor_core.c
+@@ -280,79 +280,6 @@ int acpi_get_cpuid(acpi_handle handle, i
+ }
+ EXPORT_SYMBOL_GPL(acpi_get_cpuid);
+
+-#ifdef CONFIG_ACPI_HOTPLUG_CPU
+-static bool __init
+-map_processor(acpi_handle handle, phys_cpuid_t *phys_id, int *cpuid)
+-{
+- int type, id;
+- u32 acpi_id;
+- acpi_status status;
+- acpi_object_type acpi_type;
+- unsigned long long tmp;
+- union acpi_object object = { 0 };
+- struct acpi_buffer buffer = { sizeof(union acpi_object), &object };
+-
+- status = acpi_get_type(handle, &acpi_type);
+- if (ACPI_FAILURE(status))
+- return false;
+-
+- switch (acpi_type) {
+- case ACPI_TYPE_PROCESSOR:
+- status = acpi_evaluate_object(handle, NULL, NULL, &buffer);
+- if (ACPI_FAILURE(status))
+- return false;
+- acpi_id = object.processor.proc_id;
+-
+- /* validate the acpi_id */
+- if(acpi_processor_validate_proc_id(acpi_id))
+- return false;
+- break;
+- case ACPI_TYPE_DEVICE:
+- status = acpi_evaluate_integer(handle, "_UID", NULL, &tmp);
+- if (ACPI_FAILURE(status))
+- return false;
+- acpi_id = tmp;
+- break;
+- default:
+- return false;
+- }
+-
+- type = (acpi_type == ACPI_TYPE_DEVICE) ? 1 : 0;
+-
+- *phys_id = __acpi_get_phys_id(handle, type, acpi_id, false);
+- id = acpi_map_cpuid(*phys_id, acpi_id);
+-
+- if (id < 0)
+- return false;
+- *cpuid = id;
+- return true;
+-}
+-
+-static acpi_status __init
+-set_processor_node_mapping(acpi_handle handle, u32 lvl, void *context,
+- void **rv)
+-{
+- phys_cpuid_t phys_id;
+- int cpu_id;
+-
+- if (!map_processor(handle, &phys_id, &cpu_id))
+- return AE_ERROR;
+-
+- acpi_map_cpu2node(handle, cpu_id, phys_id);
+- return AE_OK;
+-}
+-
+-void __init acpi_set_processor_mapping(void)
+-{
+- /* Set persistent cpu <-> node mapping for all processors. */
+- acpi_walk_namespace(ACPI_TYPE_PROCESSOR, ACPI_ROOT_OBJECT,
+- ACPI_UINT32_MAX, set_processor_node_mapping,
+- NULL, NULL, NULL);
+-}
+-#else
+-void __init acpi_set_processor_mapping(void) {}
+-#endif /* CONFIG_ACPI_HOTPLUG_CPU */
+-
+ #ifdef CONFIG_ACPI_HOTPLUG_IOAPIC
+ static int get_ioapic_id(struct acpi_subtable_header *entry, u32 gsi_base,
+ u64 *phys_addr, int *ioapic_id)
+--- a/include/linux/acpi.h
++++ b/include/linux/acpi.h
+@@ -276,11 +276,8 @@ bool acpi_processor_validate_proc_id(int
+ /* Arch dependent functions for cpu hotplug support */
+ int acpi_map_cpu(acpi_handle handle, phys_cpuid_t physid, int *pcpu);
+ int acpi_unmap_cpu(int cpu);
+-int acpi_map_cpu2node(acpi_handle handle, int cpu, int physid);
+ #endif /* CONFIG_ACPI_HOTPLUG_CPU */
+
+-void acpi_set_processor_mapping(void);
+-
+ #ifdef CONFIG_ACPI_HOTPLUG_IOAPIC
+ int acpi_get_ioapic_id(acpi_handle handle, u32 gsi_base, u64 *phys_addr);
+ #endif
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Philipp Zabel <p.zabel@pengutronix.de>
+Date: Tue, 7 Nov 2017 13:12:17 +0100
+Subject: rtc: pcf8563: fix output clock rate
+
+From: Philipp Zabel <p.zabel@pengutronix.de>
+
+
+[ Upstream commit a3350f9c57ffad569c40f7320b89da1f3061c5bb ]
+
+The pcf8563_clkout_recalc_rate function erroneously ignores the
+frequency index read from the CLKO register and always returns
+32768 Hz.
+
+Fixes: a39a6405d5f9 ("rtc: pcf8563: add CLKOUT to common clock framework")
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-pcf8563.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/rtc/rtc-pcf8563.c
++++ b/drivers/rtc/rtc-pcf8563.c
+@@ -422,7 +422,7 @@ static unsigned long pcf8563_clkout_reca
+ return 0;
+
+ buf &= PCF8563_REG_CLKO_F_MASK;
+- return clkout_rates[ret];
++ return clkout_rates[buf];
+ }
+
+ static long pcf8563_clkout_round_rate(struct clk_hw *hw, unsigned long rate,
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Jia-Ju Bai <baijiaju1990@163.com>
+Date: Sun, 8 Oct 2017 19:54:45 +0800
+Subject: rtl8188eu: Fix a possible sleep-in-atomic bug in rtw_createbss_cmd
+
+From: Jia-Ju Bai <baijiaju1990@163.com>
+
+
+[ Upstream commit 2bf9806d4228f7a6195f8e03eda0479d2a93b411 ]
+
+The driver may sleep under a spinlock, and the function call path is:
+rtw_surveydone_event_callback(acquire the spinlock)
+ rtw_createbss_cmd
+ kzalloc(GFP_KERNEL) --> may sleep
+
+To fix it, GFP_KERNEL is replaced with GFP_ATOMIC.
+This bug is found by my static analysis tool and my code review.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8188eu/core/rtw_cmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8188eu/core/rtw_cmd.c
++++ b/drivers/staging/rtl8188eu/core/rtw_cmd.c
+@@ -342,7 +342,7 @@ u8 rtw_createbss_cmd(struct adapter *pa
+ else
+ RT_TRACE(_module_rtl871x_cmd_c_, _drv_info_, (" createbss for SSid:%s\n", pmlmepriv->assoc_ssid.Ssid));
+
+- pcmd = kzalloc(sizeof(struct cmd_obj), GFP_KERNEL);
++ pcmd = kzalloc(sizeof(struct cmd_obj), GFP_ATOMIC);
+ if (!pcmd) {
+ res = _FAIL;
+ goto exit;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Jia-Ju Bai <baijiaju1990@163.com>
+Date: Sun, 8 Oct 2017 19:54:07 +0800
+Subject: rtl8188eu: Fix a possible sleep-in-atomic bug in rtw_disassoc_cmd
+
+From: Jia-Ju Bai <baijiaju1990@163.com>
+
+
+[ Upstream commit 08880f8e08cbd814e870e9d3ab9530abc1bce226 ]
+
+The driver may sleep under a spinlock, and the function call path is:
+rtw_set_802_11_bssid(acquire the spinlock)
+ rtw_disassoc_cmd
+ kzalloc(GFP_KERNEL) --> may sleep
+
+To fix it, GFP_KERNEL is replaced with GFP_ATOMIC.
+This bug is found by my static analysis tool and my code review.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8188eu/core/rtw_cmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8188eu/core/rtw_cmd.c
++++ b/drivers/staging/rtl8188eu/core/rtw_cmd.c
+@@ -522,7 +522,7 @@ u8 rtw_disassoc_cmd(struct adapter *pada
+
+ if (enqueue) {
+ /* need enqueue, prepare cmd_obj and enqueue */
+- cmdobj = kzalloc(sizeof(*cmdobj), GFP_KERNEL);
++ cmdobj = kzalloc(sizeof(*cmdobj), GFP_ATOMIC);
+ if (!cmdobj) {
+ res = _FAIL;
+ kfree(param);
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 16 Mar 2017 16:27:10 +0000
+Subject: rxrpc: Ignore BUSY packets on old calls
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit 4d4a6ac73e7466c2085c307fac41f74ce4568a45 ]
+
+If we receive a BUSY packet for a call we think we've just completed, the
+packet is handed off to the connection processor to deal with - but the
+connection processor doesn't expect a BUSY packet and so flags a protocol
+error.
+
+Fix this by simply ignoring the BUSY packet for the moment.
+
+The symptom of this may appear as a system call failing with EPROTO. This
+may be triggered by pressing ctrl-C under some circumstances.
+
+This comes about we abort calls due to interruption by a signal (which we
+shouldn't do, but that's going to be a large fix and mostly in fs/afs/).
+What happens is that we abort the call and may also abort follow up calls
+too (this needs offloading somehoe). So we see a transmission of something
+like the following sequence of packets:
+
+ DATA for call N
+ ABORT call N
+ DATA for call N+1
+ ABORT call N+1
+
+in very quick succession on the same channel. However, the peer may have
+deferred the processing of the ABORT from the call N to a background thread
+and thus sees the DATA message from the call N+1 coming in before it has
+cleared the channel. Thus it sends a BUSY packet[*].
+
+[*] Note that some implementations (OpenAFS, for example) mark the BUSY
+ packet with one plus the callNumber of the call prior to call N.
+ Ordinarily, this would be call N, but there's no requirement for the
+ calls on a channel to be numbered strictly sequentially (the number is
+ required to increase).
+
+ This is wrong and means that the callNumber in the BUSY packet should
+ be ignored (it really ought to be N+1 since that's what it's in
+ response to).
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/conn_event.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/rxrpc/conn_event.c
++++ b/net/rxrpc/conn_event.c
+@@ -275,6 +275,10 @@ static int rxrpc_process_event(struct rx
+ rxrpc_conn_retransmit_call(conn, skb);
+ return 0;
+
++ case RXRPC_PACKET_TYPE_BUSY:
++ /* Just ignore BUSY packets for now. */
++ return 0;
++
+ case RXRPC_PACKET_TYPE_ABORT:
+ if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
+ &wtmp, sizeof(wtmp)) < 0)
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Fri, 10 Mar 2017 07:48:49 +0000
+Subject: rxrpc: Wake up the transmitter if Rx window size increases on the peer
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit 702f2ac87a9a8da23bf8506466bc70175fc970b2 ]
+
+The RxRPC ACK packet may contain an extension that includes the peer's
+current Rx window size for this call. We adjust the local Tx window size
+to match. However, the transmitter can stall if the receive window is
+reduced to 0 by the peer and then reopened.
+
+This is because the normal way that the transmitter is re-energised is by
+dropping something out of our Tx queue and thus making space. When a
+single gap is made, the transmitter is woken up. However, because there's
+nothing in the Tx queue at this point, this doesn't happen.
+
+To fix this, perform a wake_up() any time we see the peer's Rx window size
+increasing.
+
+The observable symptom is that calls start failing on ETIMEDOUT and the
+following:
+
+ kAFS: SERVER DEAD state=-62
+
+appears in dmesg.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/input.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -649,6 +649,7 @@ static void rxrpc_input_ackinfo(struct r
+ struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
+ struct rxrpc_peer *peer;
+ unsigned int mtu;
++ bool wake = false;
+ u32 rwind = ntohl(ackinfo->rwind);
+
+ _proto("Rx ACK %%%u Info { rx=%u max=%u rwin=%u jm=%u }",
+@@ -656,9 +657,14 @@ static void rxrpc_input_ackinfo(struct r
+ ntohl(ackinfo->rxMTU), ntohl(ackinfo->maxMTU),
+ rwind, ntohl(ackinfo->jumbo_max));
+
+- if (rwind > RXRPC_RXTX_BUFF_SIZE - 1)
+- rwind = RXRPC_RXTX_BUFF_SIZE - 1;
+- call->tx_winsize = rwind;
++ if (call->tx_winsize != rwind) {
++ if (rwind > RXRPC_RXTX_BUFF_SIZE - 1)
++ rwind = RXRPC_RXTX_BUFF_SIZE - 1;
++ if (rwind > call->tx_winsize)
++ wake = true;
++ call->tx_winsize = rwind;
++ }
++
+ if (call->cong_ssthresh > rwind)
+ call->cong_ssthresh = rwind;
+
+@@ -672,6 +678,9 @@ static void rxrpc_input_ackinfo(struct r
+ spin_unlock_bh(&peer->lock);
+ _net("Net MTU %u (maxdata %u)", peer->mtu, peer->maxdata);
+ }
++
++ if (wake)
++ wake_up(&call->waitq);
+ }
+
+ /*
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Mon, 6 Mar 2017 21:51:28 -0800
+Subject: sched/deadline: Add missing update_rq_clock() in dl_task_timer()
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+
+[ Upstream commit dcc3b5ffe1b32771c9a22e2c916fb94c4fcf5b79 ]
+
+The following warning can be triggered by hot-unplugging the CPU
+on which an active SCHED_DEADLINE task is running on:
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 7 PID: 0 at kernel/sched/sched.h:833 replenish_dl_entity+0x71e/0xc40
+ rq->clock_update_flags < RQCF_ACT_SKIP
+ CPU: 7 PID: 0 Comm: swapper/7 Tainted: G B 4.11.0-rc1+ #24
+ Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS 02/16/2016
+ Call Trace:
+ <IRQ>
+ dump_stack+0x85/0xc4
+ __warn+0x172/0x1b0
+ warn_slowpath_fmt+0xb4/0xf0
+ ? __warn+0x1b0/0x1b0
+ ? debug_check_no_locks_freed+0x2c0/0x2c0
+ ? cpudl_set+0x3d/0x2b0
+ replenish_dl_entity+0x71e/0xc40
+ enqueue_task_dl+0x2ea/0x12e0
+ ? dl_task_timer+0x777/0x990
+ ? __hrtimer_run_queues+0x270/0xa50
+ dl_task_timer+0x316/0x990
+ ? enqueue_task_dl+0x12e0/0x12e0
+ ? enqueue_task_dl+0x12e0/0x12e0
+ __hrtimer_run_queues+0x270/0xa50
+ ? hrtimer_cancel+0x20/0x20
+ ? hrtimer_interrupt+0x119/0x600
+ hrtimer_interrupt+0x19c/0x600
+ ? trace_hardirqs_off+0xd/0x10
+ local_apic_timer_interrupt+0x74/0xe0
+ smp_apic_timer_interrupt+0x76/0xa0
+ apic_timer_interrupt+0x93/0xa0
+
+The DL task will be migrated to a suitable later deadline rq once the DL
+timer fires and currnet rq is offline. The rq clock of the new rq should
+be updated. This patch fixes it by updating the rq clock after holding
+the new rq's rq lock.
+
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Juri Lelli <juri.lelli@arm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/1488865888-15894-1-git-send-email-wanpeng.li@hotmail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/deadline.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -638,6 +638,7 @@ static enum hrtimer_restart dl_task_time
+ lockdep_unpin_lock(&rq->lock, rf.cookie);
+ rq = dl_task_offline_migration(rq, p);
+ rf.cookie = lockdep_pin_lock(&rq->lock);
++ update_rq_clock(rq);
+
+ /*
+ * Now that the task has been migrated to the new RQ and we
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Daniel Bristot de Oliveira <bristot@redhat.com>
+Date: Thu, 2 Mar 2017 15:10:57 +0100
+Subject: sched/deadline: Make sure the replenishment timer fires in the next period
+
+From: Daniel Bristot de Oliveira <bristot@redhat.com>
+
+
+[ Upstream commit 5ac69d37784b237707a7b15d199cdb6c6fdb6780 ]
+
+Currently, the replenishment timer is set to fire at the deadline
+of a task. Although that works for implicit deadline tasks because the
+deadline is equals to the begin of the next period, that is not correct
+for constrained deadline tasks (deadline < period).
+
+For instance:
+
+f.c:
+ --------------- %< ---------------
+int main (void)
+{
+ for(;;);
+}
+ --------------- >% ---------------
+
+ # gcc -o f f.c
+
+ # trace-cmd record -e sched:sched_switch \
+ -e syscalls:sys_exit_sched_setattr \
+ chrt -d --sched-runtime 490000000 \
+ --sched-deadline 500000000 \
+ --sched-period 1000000000 0 ./f
+
+ # trace-cmd report | grep "{pid of ./f}"
+
+After setting parameters, the task is replenished and continue running
+until being throttled:
+
+ f-11295 [003] 13322.113776: sys_exit_sched_setattr: 0x0
+
+The task is throttled after running 492318 ms, as expected:
+
+ f-11295 [003] 13322.606094: sched_switch: f:11295 [-1] R ==> watchdog/3:32 [0]
+
+But then, the task is replenished 500719 ms after the first
+replenishment:
+
+ <idle>-0 [003] 13322.614495: sched_switch: swapper/3:0 [120] R ==> f:11295 [-1]
+
+Running for 490277 ms:
+
+ f-11295 [003] 13323.104772: sched_switch: f:11295 [-1] R ==> swapper/3:0 [120]
+
+Hence, in the first period, the task runs 2 * runtime, and that is a bug.
+
+During the first replenishment, the next deadline is set one period away.
+So the runtime / period starts to be respected. However, as the second
+replenishment took place in the wrong instant, the next replenishment
+will also be held in a wrong instant of time. Rather than occurring in
+the nth period away from the first activation, it is taking place
+in the (nth period - relative deadline).
+
+Signed-off-by: Daniel Bristot de Oliveira <bristot@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Luca Abeni <luca.abeni@santannapisa.it>
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Reviewed-by: Juri Lelli <juri.lelli@arm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Romulo Silva de Oliveira <romulo.deoliveira@ufsc.br>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tommaso Cucinotta <tommaso.cucinotta@sssup.it>
+Link: http://lkml.kernel.org/r/ac50d89887c25285b47465638354b63362f8adff.1488392936.git.bristot@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/deadline.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -505,10 +505,15 @@ static void update_dl_entity(struct sche
+ }
+ }
+
++static inline u64 dl_next_period(struct sched_dl_entity *dl_se)
++{
++ return dl_se->deadline - dl_se->dl_deadline + dl_se->dl_period;
++}
++
+ /*
+ * If the entity depleted all its runtime, and if we want it to sleep
+ * while waiting for some new execution time to become available, we
+- * set the bandwidth enforcement timer to the replenishment instant
++ * set the bandwidth replenishment timer to the replenishment instant
+ * and try to activate it.
+ *
+ * Notice that it is important for the caller to know if the timer
+@@ -530,7 +535,7 @@ static int start_dl_timer(struct task_st
+ * that it is actually coming from rq->clock and not from
+ * hrtimer's time base reading.
+ */
+- act = ns_to_ktime(dl_se->deadline);
++ act = ns_to_ktime(dl_next_period(dl_se));
+ now = hrtimer_cb_get_time(timer);
+ delta = ktime_to_ns(now) - rq_clock(rq);
+ act = ktime_add_ns(act, delta);
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Daniel Bristot de Oliveira <bristot@redhat.com>
+Date: Thu, 2 Mar 2017 15:10:58 +0100
+Subject: sched/deadline: Throttle a constrained deadline task activated after the deadline
+
+From: Daniel Bristot de Oliveira <bristot@redhat.com>
+
+
+[ Upstream commit df8eac8cafce7d086be3bd5cf5a838fa37594dfb ]
+
+During the activation, CBS checks if it can reuse the current task's
+runtime and period. If the deadline of the task is in the past, CBS
+cannot use the runtime, and so it replenishes the task. This rule
+works fine for implicit deadline tasks (deadline == period), and the
+CBS was designed for implicit deadline tasks. However, a task with
+constrained deadline (deadine < period) might be awakened after the
+deadline, but before the next period. In this case, replenishing the
+task would allow it to run for runtime / deadline. As in this case
+deadline < period, CBS enables a task to run for more than the
+runtime / period. In a very loaded system, this can cause a domino
+effect, making other tasks miss their deadlines.
+
+To avoid this problem, in the activation of a constrained deadline
+task after the deadline but before the next period, throttle the
+task and set the replenishing timer to the begin of the next period,
+unless it is boosted.
+
+Reproducer:
+
+ --------------- %< ---------------
+ int main (int argc, char **argv)
+ {
+ int ret;
+ int flags = 0;
+ unsigned long l = 0;
+ struct timespec ts;
+ struct sched_attr attr;
+
+ memset(&attr, 0, sizeof(attr));
+ attr.size = sizeof(attr);
+
+ attr.sched_policy = SCHED_DEADLINE;
+ attr.sched_runtime = 2 * 1000 * 1000; /* 2 ms */
+ attr.sched_deadline = 2 * 1000 * 1000; /* 2 ms */
+ attr.sched_period = 2 * 1000 * 1000 * 1000; /* 2 s */
+
+ ts.tv_sec = 0;
+ ts.tv_nsec = 2000 * 1000; /* 2 ms */
+
+ ret = sched_setattr(0, &attr, flags);
+
+ if (ret < 0) {
+ perror("sched_setattr");
+ exit(-1);
+ }
+
+ for(;;) {
+ /* XXX: you may need to adjust the loop */
+ for (l = 0; l < 150000; l++);
+ /*
+ * The ideia is to go to sleep right before the deadline
+ * and then wake up before the next period to receive
+ * a new replenishment.
+ */
+ nanosleep(&ts, NULL);
+ }
+
+ exit(0);
+ }
+ --------------- >% ---------------
+
+On my box, this reproducer uses almost 50% of the CPU time, which is
+obviously wrong for a task with 2/2000 reservation.
+
+Signed-off-by: Daniel Bristot de Oliveira <bristot@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Juri Lelli <juri.lelli@arm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Luca Abeni <luca.abeni@santannapisa.it>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Romulo Silva de Oliveira <romulo.deoliveira@ufsc.br>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tommaso Cucinotta <tommaso.cucinotta@sssup.it>
+Link: http://lkml.kernel.org/r/edf58354e01db46bf42df8d2dd32418833f68c89.1488392936.git.bristot@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/deadline.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 45 insertions(+)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -695,6 +695,37 @@ void init_dl_task_timer(struct sched_dl_
+ timer->function = dl_task_timer;
+ }
+
++/*
++ * During the activation, CBS checks if it can reuse the current task's
++ * runtime and period. If the deadline of the task is in the past, CBS
++ * cannot use the runtime, and so it replenishes the task. This rule
++ * works fine for implicit deadline tasks (deadline == period), and the
++ * CBS was designed for implicit deadline tasks. However, a task with
++ * constrained deadline (deadine < period) might be awakened after the
++ * deadline, but before the next period. In this case, replenishing the
++ * task would allow it to run for runtime / deadline. As in this case
++ * deadline < period, CBS enables a task to run for more than the
++ * runtime / period. In a very loaded system, this can cause a domino
++ * effect, making other tasks miss their deadlines.
++ *
++ * To avoid this problem, in the activation of a constrained deadline
++ * task after the deadline but before the next period, throttle the
++ * task and set the replenishing timer to the begin of the next period,
++ * unless it is boosted.
++ */
++static inline void dl_check_constrained_dl(struct sched_dl_entity *dl_se)
++{
++ struct task_struct *p = dl_task_of(dl_se);
++ struct rq *rq = rq_of_dl_rq(dl_rq_of_se(dl_se));
++
++ if (dl_time_before(dl_se->deadline, rq_clock(rq)) &&
++ dl_time_before(rq_clock(rq), dl_next_period(dl_se))) {
++ if (unlikely(dl_se->dl_boosted || !start_dl_timer(p)))
++ return;
++ dl_se->dl_throttled = 1;
++ }
++}
++
+ static
+ int dl_runtime_exceeded(struct sched_dl_entity *dl_se)
+ {
+@@ -928,6 +959,11 @@ static void dequeue_dl_entity(struct sch
+ __dequeue_dl_entity(dl_se);
+ }
+
++static inline bool dl_is_constrained(struct sched_dl_entity *dl_se)
++{
++ return dl_se->dl_deadline < dl_se->dl_period;
++}
++
+ static void enqueue_task_dl(struct rq *rq, struct task_struct *p, int flags)
+ {
+ struct task_struct *pi_task = rt_mutex_get_top_task(p);
+@@ -954,6 +990,15 @@ static void enqueue_task_dl(struct rq *r
+ }
+
+ /*
++ * Check if a constrained deadline task was activated
++ * after the deadline but before the next period.
++ * If that is the case, the task will be throttled and
++ * the replenishment timer will be set to the next period.
++ */
++ if (!p->dl.dl_throttled && dl_is_constrained(&p->dl))
++ dl_check_constrained_dl(&p->dl);
++
++ /*
+ * If p is throttled, we do nothing. In fact, if it exhausted
+ * its budget it needs a replenishment and, since it now is on
+ * its rq, the bandwidth timer callback (which clearly has not
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Thu, 2 Mar 2017 15:10:59 +0100
+Subject: sched/deadline: Use deadline instead of period when calculating overflow
+
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+
+
+[ Upstream commit 2317d5f1c34913bac5971d93d69fb6c31bb74670 ]
+
+I was testing Daniel's changes with his test case, and tweaked it a
+little. Instead of having the runtime equal to the deadline, I
+increased the deadline ten fold.
+
+Daniel's test case had:
+
+ attr.sched_runtime = 2 * 1000 * 1000; /* 2 ms */
+ attr.sched_deadline = 2 * 1000 * 1000; /* 2 ms */
+ attr.sched_period = 2 * 1000 * 1000 * 1000; /* 2 s */
+
+To make it more interesting, I changed it to:
+
+ attr.sched_runtime = 2 * 1000 * 1000; /* 2 ms */
+ attr.sched_deadline = 20 * 1000 * 1000; /* 20 ms */
+ attr.sched_period = 2 * 1000 * 1000 * 1000; /* 2 s */
+
+The results were rather surprising. The behavior that Daniel's patch
+was fixing came back. The task started using much more than .1% of the
+CPU. More like 20%.
+
+Looking into this I found that it was due to the dl_entity_overflow()
+constantly returning true. That's because it uses the relative period
+against relative runtime vs the absolute deadline against absolute
+runtime.
+
+ runtime / (deadline - t) > dl_runtime / dl_period
+
+There's even a comment mentioning this, and saying that when relative
+deadline equals relative period, that the equation is the same as using
+deadline instead of period. That comment is backwards! What we really
+want is:
+
+ runtime / (deadline - t) > dl_runtime / dl_deadline
+
+We care about if the runtime can make its deadline, not its period. And
+then we can say "when the deadline equals the period, the equation is
+the same as using dl_period instead of dl_deadline".
+
+After correcting this, now when the task gets enqueued, it can throttle
+correctly, and Daniel's fix to the throttling of sleeping deadline
+tasks works even when the runtime and deadline are not the same.
+
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Daniel Bristot de Oliveira <bristot@redhat.com>
+Cc: Juri Lelli <juri.lelli@arm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Luca Abeni <luca.abeni@santannapisa.it>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Romulo Silva de Oliveira <romulo.deoliveira@ufsc.br>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tommaso Cucinotta <tommaso.cucinotta@sssup.it>
+Link: http://lkml.kernel.org/r/02135a27f1ae3fe5fd032568a5a2f370e190e8d7.1488392936.git.bristot@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/deadline.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -445,13 +445,13 @@ static void replenish_dl_entity(struct s
+ *
+ * This function returns true if:
+ *
+- * runtime / (deadline - t) > dl_runtime / dl_period ,
++ * runtime / (deadline - t) > dl_runtime / dl_deadline ,
+ *
+ * IOW we can't recycle current parameters.
+ *
+- * Notice that the bandwidth check is done against the period. For
++ * Notice that the bandwidth check is done against the deadline. For
+ * task with deadline equal to period this is the same of using
+- * dl_deadline instead of dl_period in the equation above.
++ * dl_period instead of dl_deadline in the equation above.
+ */
+ static bool dl_entity_overflow(struct sched_dl_entity *dl_se,
+ struct sched_dl_entity *pi_se, u64 t)
+@@ -476,7 +476,7 @@ static bool dl_entity_overflow(struct sc
+ * of anything below microseconds resolution is actually fiction
+ * (but still we want to give the user that illusion >;).
+ */
+- left = (pi_se->dl_period >> DL_SCALE) * (dl_se->runtime >> DL_SCALE);
++ left = (pi_se->dl_deadline >> DL_SCALE) * (dl_se->runtime >> DL_SCALE);
+ right = ((dl_se->deadline - t) >> DL_SCALE) *
+ (pi_se->dl_runtime >> DL_SCALE);
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Oct 2017 10:50:37 +0300
+Subject: scsi: bfa: integer overflow in debugfs
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit 3e351275655d3c84dc28abf170def9786db5176d ]
+
+We could allocate less memory than intended because we do:
+
+ bfad->regdata = kzalloc(len << 2, GFP_KERNEL);
+
+The shift can overflow leading to a crash. This is debugfs code so the
+impact is very small. I fixed the network version of this in March with
+commit 13e2d5187f6b ("bna: integer overflow bug in debugfs").
+
+Fixes: ab2a9ba189e8 ("[SCSI] bfa: add debugfs support")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/bfa/bfad_debugfs.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/bfa/bfad_debugfs.c
++++ b/drivers/scsi/bfa/bfad_debugfs.c
+@@ -255,7 +255,8 @@ bfad_debugfs_write_regrd(struct file *fi
+ struct bfad_s *bfad = port->bfad;
+ struct bfa_s *bfa = &bfad->bfa;
+ struct bfa_ioc_s *ioc = &bfa->ioc;
+- int addr, len, rc, i;
++ int addr, rc, i;
++ u32 len;
+ u32 *regbuf;
+ void __iomem *rb, *reg_addr;
+ unsigned long flags;
+@@ -266,7 +267,7 @@ bfad_debugfs_write_regrd(struct file *fi
+ return PTR_ERR(kern_buf);
+
+ rc = sscanf(kern_buf, "%x:%x", &addr, &len);
+- if (rc < 2) {
++ if (rc < 2 || len > (UINT_MAX >> 2)) {
+ printk(KERN_INFO
+ "bfad[%d]: %s failed to read user buf\n",
+ bfad->inst_no, __func__);
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Martin Wilck <mwilck@suse.de>
+Date: Fri, 20 Oct 2017 16:51:14 -0500
+Subject: scsi: hpsa: cleanup sas_phy structures in sysfs when unloading
+
+From: Martin Wilck <mwilck@suse.de>
+
+
+[ Upstream commit 55ca38b4255bb336c2d35990bdb2b368e19b435a ]
+
+I am resubmitting this patch on behalf of Martin Wilck with his
+permission.
+
+The original patch can be found here:
+https://www.spinics.net/lists/linux-scsi/msg102083.html
+
+This patch did not help until Hannes's
+commit 9441284fbc39 ("scsi-fixup-kernel-warning-during-rmmod")
+was applied to the kernel.
+
+--------------------------------------
+Original patch description from Martin:
+--------------------------------------
+
+When the hpsa module is unloaded using rmmod, dangling
+symlinks remain under /sys/class/sas_phy. Fix this by
+calling sas_phy_delete() rather than sas_phy_free (which,
+according to comments, should not be called for PHYs that
+have been set up successfully, anyway).
+
+Tested-by: Don Brace <don.brace@microsemi.com>
+Reviewed-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin Wilck <mwilck@suse.de>
+Signed-off-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/hpsa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -9632,9 +9632,9 @@ static void hpsa_free_sas_phy(struct hps
+ struct sas_phy *phy = hpsa_sas_phy->phy;
+
+ sas_port_delete_phy(hpsa_sas_phy->parent_port->port, phy);
+- sas_phy_free(phy);
+ if (hpsa_sas_phy->added_to_port)
+ list_del(&hpsa_sas_phy->phy_list_entry);
++ sas_phy_delete(phy);
+ kfree(hpsa_sas_phy);
+ }
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Martin Wilck <mwilck@suse.de>
+Date: Fri, 20 Oct 2017 16:51:08 -0500
+Subject: scsi: hpsa: destroy sas transport properties before scsi_host
+
+From: Martin Wilck <mwilck@suse.de>
+
+
+[ Upstream commit dfb2e6f46b3074eb85203d8f0888b71ec1c2e37a ]
+
+This patch cleans up a lot of warnings when unloading the driver.
+
+A current example of the stack trace starts with:
+ [ 142.570715] sysfs group 'power' not found for kobject 'port-5:0'
+There can be hundreds of these messages during a driver unload.
+
+I am resubmitting this patch on behalf of Martin Wilck with his
+permission.
+
+His original patch can be found here:
+https://www.spinics.net/lists/linux-scsi/msg102085.html
+
+This patch did not help until Hannes's
+commit 9441284fbc39 ("scsi-fixup-kernel-warning-during-rmmod")
+was applied to the kernel.
+
+---------------------------
+Original patch description:
+---------------------------
+
+Unloading the hpsa driver causes warnings
+
+[ 1063.793652] WARNING: CPU: 1 PID: 4850 at ../fs/sysfs/group.c:237 device_del+0x54/0x240()
+[ 1063.793659] sysfs group ffffffff81cf21a0 not found for kobject 'port-2:0'
+
+with two different stacks:
+1)
+[ 1063.793774] [<ffffffff81448af4>] device_del+0x54/0x240
+[ 1063.793780] [<ffffffff8145178a>] transport_remove_classdev+0x4a/0x60
+[ 1063.793784] [<ffffffff81451216>] attribute_container_device_trigger+0xa6/0xb0
+[ 1063.793802] [<ffffffffa0105d46>] sas_port_delete+0x126/0x160 [scsi_transport_sas]
+[ 1063.793819] [<ffffffffa036ebcc>] hpsa_free_sas_port+0x3c/0x70 [hpsa]
+
+2)
+[ 1063.797103] [<ffffffff81448af4>] device_del+0x54/0x240
+[ 1063.797118] [<ffffffffa0105d4e>] sas_port_delete+0x12e/0x160 [scsi_transport_sas]
+[ 1063.797134] [<ffffffffa036ebcc>] hpsa_free_sas_port+0x3c/0x70 [hpsa]
+
+This is caused by the fact that host device hostX is deleted before the
+SAS transport devices hostX/port-a:b.
+
+This patch fixes this by reverting the order of device deletions.
+
+Tested-by: Don Brace <don.brace@microsemi.com>
+Reviewed-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin Wilck <mwilck@suse.de>
+Signed-off-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/hpsa.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -9105,6 +9105,8 @@ static void hpsa_remove_one(struct pci_d
+ destroy_workqueue(h->rescan_ctlr_wq);
+ destroy_workqueue(h->resubmit_wq);
+
++ hpsa_delete_sas_host(h);
++
+ /*
+ * Call before disabling interrupts.
+ * scsi_remove_host can trigger I/O operations especially
+@@ -9139,8 +9141,6 @@ static void hpsa_remove_one(struct pci_d
+ h->lockup_detected = NULL; /* init_one 2 */
+ /* (void) pci_disable_pcie_error_reporting(pdev); */ /* init_one 1 */
+
+- hpsa_delete_sas_host(h);
+-
+ kfree(h); /* init_one 1 */
+ }
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Don Brace <don.brace@microsemi.com>
+Date: Fri, 10 Mar 2017 14:35:23 -0600
+Subject: scsi: hpsa: do not timeout reset operations
+
+From: Don Brace <don.brace@microsemi.com>
+
+
+[ Upstream commit 2ef2884980873081a4edae92f9d88dd580c85f6e ]
+
+Resets can take longer than DEFAULT_TIMEOUT.
+
+Reviewed-by: Scott Benesh <scott.benesh@microsemi.com>
+Reviewed-by: Scott Teel <scott.teel@microsemi.com>
+Reviewed-by: Tomas Henzl <thenzl@redhat.com>
+Signed-off-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/hpsa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -2951,7 +2951,7 @@ static int hpsa_send_reset(struct ctlr_i
+ /* fill_cmd can't fail here, no data buffer to map. */
+ (void) fill_cmd(c, reset_type, h, NULL, 0, 0,
+ scsi3addr, TYPE_MSG);
+- rc = hpsa_scsi_do_simple_cmd(h, c, reply_queue, DEFAULT_TIMEOUT);
++ rc = hpsa_scsi_do_simple_cmd(h, c, reply_queue, NO_TIMEOUT);
+ if (rc) {
+ dev_warn(&h->pdev->dev, "Failed to send reset command\n");
+ goto out;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Don Brace <don.brace@microsemi.com>
+Date: Fri, 10 Mar 2017 14:35:17 -0600
+Subject: scsi: hpsa: limit outstanding rescans
+
+From: Don Brace <don.brace@microsemi.com>
+
+
+[ Upstream commit 87b9e6aa87d9411f1059aa245c0c79976bc557ac ]
+
+Avoid rescan storms. No need to queue another if one is pending.
+
+Reviewed-by: Scott Benesh <scott.benesh@microsemi.com>
+Reviewed-by: Scott Teel <scott.teel@microsemi.com>
+Reviewed-by: Tomas Henzl <thenzl@redhat.com>
+Signed-off-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/hpsa.c | 16 +++++++++++++++-
+ drivers/scsi/hpsa.h | 1 +
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -5529,7 +5529,7 @@ static void hpsa_scan_complete(struct ct
+
+ spin_lock_irqsave(&h->scan_lock, flags);
+ h->scan_finished = 1;
+- wake_up_all(&h->scan_wait_queue);
++ wake_up(&h->scan_wait_queue);
+ spin_unlock_irqrestore(&h->scan_lock, flags);
+ }
+
+@@ -5547,11 +5547,23 @@ static void hpsa_scan_start(struct Scsi_
+ if (unlikely(lockup_detected(h)))
+ return hpsa_scan_complete(h);
+
++ /*
++ * If a scan is already waiting to run, no need to add another
++ */
++ spin_lock_irqsave(&h->scan_lock, flags);
++ if (h->scan_waiting) {
++ spin_unlock_irqrestore(&h->scan_lock, flags);
++ return;
++ }
++
++ spin_unlock_irqrestore(&h->scan_lock, flags);
++
+ /* wait until any scan already in progress is finished. */
+ while (1) {
+ spin_lock_irqsave(&h->scan_lock, flags);
+ if (h->scan_finished)
+ break;
++ h->scan_waiting = 1;
+ spin_unlock_irqrestore(&h->scan_lock, flags);
+ wait_event(h->scan_wait_queue, h->scan_finished);
+ /* Note: We don't need to worry about a race between this
+@@ -5561,6 +5573,7 @@ static void hpsa_scan_start(struct Scsi_
+ */
+ }
+ h->scan_finished = 0; /* mark scan as in progress */
++ h->scan_waiting = 0;
+ spin_unlock_irqrestore(&h->scan_lock, flags);
+
+ if (unlikely(lockup_detected(h)))
+@@ -8799,6 +8812,7 @@ reinit_after_soft_reset:
+ init_waitqueue_head(&h->event_sync_wait_queue);
+ mutex_init(&h->reset_mutex);
+ h->scan_finished = 1; /* no scan currently in progress */
++ h->scan_waiting = 0;
+
+ pci_set_drvdata(pdev, h);
+ h->ndevices = 0;
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -203,6 +203,7 @@ struct ctlr_info {
+ dma_addr_t errinfo_pool_dhandle;
+ unsigned long *cmd_pool_bits;
+ int scan_finished;
++ u8 scan_waiting : 1;
+ spinlock_t scan_lock;
+ wait_queue_head_t scan_wait_queue;
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Don Brace <don.brace@microsemi.com>
+Date: Fri, 10 Mar 2017 14:35:11 -0600
+Subject: scsi: hpsa: update check for logical volume status
+
+From: Don Brace <don.brace@microsemi.com>
+
+
+[ Upstream commit 85b29008d8af6d94a0723aaa8d93cfb6e041158b ]
+
+ - Add in a new case for volume offline. Resolves internal testing bug
+ for multilun array management.
+ - Return correct status for failed TURs.
+
+Reviewed-by: Scott Benesh <scott.benesh@microsemi.com>
+Reviewed-by: Scott Teel <scott.teel@microsemi.com>
+Signed-off-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/hpsa.c | 35 ++++++++++++++++-------------------
+ drivers/scsi/hpsa_cmd.h | 2 ++
+ 2 files changed, 18 insertions(+), 19 deletions(-)
+
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3686,7 +3686,7 @@ exit_failed:
+ * # (integer code indicating one of several NOT READY states
+ * describing why a volume is to be kept offline)
+ */
+-static int hpsa_volume_offline(struct ctlr_info *h,
++static unsigned char hpsa_volume_offline(struct ctlr_info *h,
+ unsigned char scsi3addr[])
+ {
+ struct CommandList *c;
+@@ -3707,7 +3707,7 @@ static int hpsa_volume_offline(struct ct
+ DEFAULT_TIMEOUT);
+ if (rc) {
+ cmd_free(h, c);
+- return 0;
++ return HPSA_VPD_LV_STATUS_UNSUPPORTED;
+ }
+ sense = c->err_info->SenseInfo;
+ if (c->err_info->SenseLen > sizeof(c->err_info->SenseInfo))
+@@ -3718,19 +3718,13 @@ static int hpsa_volume_offline(struct ct
+ cmd_status = c->err_info->CommandStatus;
+ scsi_status = c->err_info->ScsiStatus;
+ cmd_free(h, c);
+- /* Is the volume 'not ready'? */
+- if (cmd_status != CMD_TARGET_STATUS ||
+- scsi_status != SAM_STAT_CHECK_CONDITION ||
+- sense_key != NOT_READY ||
+- asc != ASC_LUN_NOT_READY) {
+- return 0;
+- }
+
+ /* Determine the reason for not ready state */
+ ldstat = hpsa_get_volume_status(h, scsi3addr);
+
+ /* Keep volume offline in certain cases: */
+ switch (ldstat) {
++ case HPSA_LV_FAILED:
+ case HPSA_LV_UNDERGOING_ERASE:
+ case HPSA_LV_NOT_AVAILABLE:
+ case HPSA_LV_UNDERGOING_RPI:
+@@ -3752,7 +3746,7 @@ static int hpsa_volume_offline(struct ct
+ default:
+ break;
+ }
+- return 0;
++ return HPSA_LV_OK;
+ }
+
+ /*
+@@ -3825,10 +3819,10 @@ static int hpsa_update_device_info(struc
+ /* Do an inquiry to the device to see what it is. */
+ if (hpsa_scsi_do_inquiry(h, scsi3addr, 0, inq_buff,
+ (unsigned char) OBDR_TAPE_INQ_SIZE) != 0) {
+- /* Inquiry failed (msg printed already) */
+ dev_err(&h->pdev->dev,
+- "hpsa_update_device_info: inquiry failed\n");
+- rc = -EIO;
++ "%s: inquiry failed, device will be skipped.\n",
++ __func__);
++ rc = HPSA_INQUIRY_FAILED;
+ goto bail_out;
+ }
+
+@@ -3857,15 +3851,19 @@ static int hpsa_update_device_info(struc
+ if ((this_device->devtype == TYPE_DISK ||
+ this_device->devtype == TYPE_ZBC) &&
+ is_logical_dev_addr_mode(scsi3addr)) {
+- int volume_offline;
++ unsigned char volume_offline;
+
+ hpsa_get_raid_level(h, scsi3addr, &this_device->raid_level);
+ if (h->fw_support & MISC_FW_RAID_OFFLOAD_BASIC)
+ hpsa_get_ioaccel_status(h, scsi3addr, this_device);
+ volume_offline = hpsa_volume_offline(h, scsi3addr);
+- if (volume_offline < 0 || volume_offline > 0xff)
+- volume_offline = HPSA_VPD_LV_STATUS_UNSUPPORTED;
+- this_device->volume_offline = volume_offline & 0xff;
++ if (volume_offline == HPSA_LV_FAILED) {
++ rc = HPSA_LV_FAILED;
++ dev_err(&h->pdev->dev,
++ "%s: LV failed, device will be skipped.\n",
++ __func__);
++ goto bail_out;
++ }
+ } else {
+ this_device->raid_level = RAID_UNKNOWN;
+ this_device->offload_config = 0;
+@@ -4353,8 +4351,7 @@ static void hpsa_update_scsi_devices(str
+ goto out;
+ }
+ if (rc) {
+- dev_warn(&h->pdev->dev,
+- "Inquiry failed, skipping device.\n");
++ h->drv_req_rescan = 1;
+ continue;
+ }
+
+--- a/drivers/scsi/hpsa_cmd.h
++++ b/drivers/scsi/hpsa_cmd.h
+@@ -156,6 +156,7 @@
+ #define CFGTBL_BusType_Fibre2G 0x00000200l
+
+ /* VPD Inquiry types */
++#define HPSA_INQUIRY_FAILED 0x02
+ #define HPSA_VPD_SUPPORTED_PAGES 0x00
+ #define HPSA_VPD_LV_DEVICE_ID 0x83
+ #define HPSA_VPD_LV_DEVICE_GEOMETRY 0xC1
+@@ -166,6 +167,7 @@
+ /* Logical volume states */
+ #define HPSA_VPD_LV_STATUS_UNSUPPORTED 0xff
+ #define HPSA_LV_OK 0x0
++#define HPSA_LV_FAILED 0x01
+ #define HPSA_LV_NOT_AVAILABLE 0x0b
+ #define HPSA_LV_UNDERGOING_ERASE 0x0F
+ #define HPSA_LV_UNDERGOING_RPI 0x12
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Douglas Gilbert <dgilbert@interlog.com>
+Date: Sun, 29 Oct 2017 10:47:19 -0400
+Subject: scsi: scsi_debug: write_same: fix error report
+
+From: Douglas Gilbert <dgilbert@interlog.com>
+
+
+[ Upstream commit e33d7c56450b0a5c7290cbf9e1581fab5174f552 ]
+
+The scsi_debug driver incorrectly suggests there is an error with the
+SCSI WRITE SAME command when the number_of_logical_blocks is greater
+than 1. It will also suggest there is an error when NDOB
+(no data-out buffer) is set and the number_of_logical_blocks is
+greater than 0. Both are valid, fix.
+
+Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/scsi_debug.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/scsi_debug.c
++++ b/drivers/scsi/scsi_debug.c
+@@ -2996,11 +2996,11 @@ static int resp_write_same(struct scsi_c
+ if (-1 == ret) {
+ write_unlock_irqrestore(&atomic_rw, iflags);
+ return DID_ERROR << 16;
+- } else if (sdebug_verbose && (ret < (num * sdebug_sector_size)))
++ } else if (sdebug_verbose && !ndob && (ret < sdebug_sector_size))
+ sdev_printk(KERN_INFO, scp->device,
+- "%s: %s: cdb indicated=%u, IO sent=%d bytes\n",
++ "%s: %s: lb size=%u, IO sent=%d bytes\n",
+ my_name, "write same",
+- num * sdebug_sector_size, ret);
++ sdebug_sector_size, ret);
+
+ /* Copy first sector to remaining blocks */
+ for (i = 1 ; i < num ; i++)
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Kurt Garloff <garloff@suse.de>
+Date: Tue, 17 Oct 2017 09:10:45 +0200
+Subject: scsi: scsi_devinfo: Add REPORTLUN2 to EMC SYMMETRIX blacklist entry
+
+From: Kurt Garloff <garloff@suse.de>
+
+
+[ Upstream commit 909cf3e16a5274fe2127cf3cea5c8dba77b2c412 ]
+
+All EMC SYMMETRIX support REPORT_LUNS, even if configured to report
+SCSI-2 for whatever reason.
+
+Signed-off-by: Kurt Garloff <garloff@suse.de>
+Signed-off-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/scsi_devinfo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/scsi_devinfo.c
++++ b/drivers/scsi/scsi_devinfo.c
+@@ -160,7 +160,7 @@ static struct {
+ {"DGC", "RAID", NULL, BLIST_SPARSELUN}, /* Dell PV 650F, storage on LUN 0 */
+ {"DGC", "DISK", NULL, BLIST_SPARSELUN}, /* Dell PV 650F, no storage on LUN 0 */
+ {"EMC", "Invista", "*", BLIST_SPARSELUN | BLIST_LARGELUN},
+- {"EMC", "SYMMETRIX", NULL, BLIST_SPARSELUN | BLIST_LARGELUN | BLIST_FORCELUN},
++ {"EMC", "SYMMETRIX", NULL, BLIST_SPARSELUN | BLIST_LARGELUN | BLIST_REPORTLUN2},
+ {"EMULEX", "MD21/S2 ESDI", NULL, BLIST_SINGLELUN},
+ {"easyRAID", "16P", NULL, BLIST_NOREPORTLUN},
+ {"easyRAID", "X6P", NULL, BLIST_NOREPORTLUN},
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: weiping zhang <zhangweiping@didichuxing.com>
+Date: Thu, 12 Oct 2017 14:56:44 +0800
+Subject: scsi: sd: change allow_restart to bool in sysfs interface
+
+From: weiping zhang <zhangweiping@didichuxing.com>
+
+
+[ Upstream commit 658e9a6dc1126f21fa417cd213e1cdbff8be0ba2 ]
+
+/sys/class/scsi_disk/0:2:0:0/allow_restart can be changed to 0
+unexpectedly by writing an invalid string such as the following:
+
+echo asdf > /sys/class/scsi_disk/0:2:0:0/allow_restart
+
+Signed-off-by: weiping zhang <zhangweiping@didichuxing.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sd.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -260,6 +260,7 @@ static ssize_t
+ allow_restart_store(struct device *dev, struct device_attribute *attr,
+ const char *buf, size_t count)
+ {
++ bool v;
+ struct scsi_disk *sdkp = to_scsi_disk(dev);
+ struct scsi_device *sdp = sdkp->device;
+
+@@ -269,7 +270,10 @@ allow_restart_store(struct device *dev,
+ if (sdp->type != TYPE_DISK)
+ return -EINVAL;
+
+- sdp->allow_restart = simple_strtoul(buf, NULL, 10);
++ if (kstrtobool(buf, &v))
++ return -EINVAL;
++
++ sdp->allow_restart = v;
+
+ return count;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: weiping zhang <zhangweiping@didichuxing.com>
+Date: Thu, 12 Oct 2017 14:57:06 +0800
+Subject: scsi: sd: change manage_start_stop to bool in sysfs interface
+
+From: weiping zhang <zhangweiping@didichuxing.com>
+
+
+[ Upstream commit 623401ee33e42cee64d333877892be8db02951eb ]
+
+/sys/class/scsi_disk/0:2:0:0/manage_start_stop can be changed to 0
+unexpectly by writing an invalid string.
+
+Signed-off-by: weiping zhang <zhangweiping@didichuxing.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sd.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -234,11 +234,15 @@ manage_start_stop_store(struct device *d
+ {
+ struct scsi_disk *sdkp = to_scsi_disk(dev);
+ struct scsi_device *sdp = sdkp->device;
++ bool v;
+
+ if (!capable(CAP_SYS_ADMIN))
+ return -EACCES;
+
+- sdp->manage_start_stop = simple_strtoul(buf, NULL, 10);
++ if (kstrtobool(buf, &v))
++ return -EINVAL;
++
++ sdp->manage_start_stop = v;
+
+ return count;
+ }
ext4-fix-fdatasync-2-after-fallocate-2-operation.patch
ext4-fix-crash-when-a-directory-s-i_size-is-too-small.patch
mac80211-fix-addition-of-mesh-configuration-element.patch
+usb-phy-isp1301-add-of-device-id-table.patch
+kvm-nvmx-do-not-warn-when-msr-bitmap-address-is-not-backed.patch
+usb-xhci-mtk-check-hcc_params-after-adding-primary-hcd.patch
+md-cluster-free-md_cluster_info-if-node-leave-cluster.patch
+userfaultfd-shmem-__do_fault-requires-vm_fault_nopage.patch
+userfaultfd-selftest-vm-allow-to-build-in-vm-directory.patch
+net-initialize-msg.msg_flags-in-recvfrom.patch
+bnxt_en-ignore-0-value-in-autoneg-supported-speed-from-firmware.patch
+net-bcmgenet-correct-the-rbuf_ovfl_cnt-and-rbuf_err_cnt-mib-values.patch
+net-bcmgenet-correct-mib-access-of-unimac-runt-counters.patch
+net-bcmgenet-reserved-phy-revisions-must-be-checked-first.patch
+net-bcmgenet-power-down-internal-phy-if-open-or-resume-fails.patch
+net-bcmgenet-synchronize-irq0-status-between-the-isr-and-task.patch
+net-bcmgenet-power-up-the-internal-phy-before-probing-the-mii.patch
+rxrpc-wake-up-the-transmitter-if-rx-window-size-increases-on-the-peer.patch
+net-mlx5-fix-create-autogroup-prev-initializer.patch
+net-mlx5-don-t-save-pci-state-when-pci-error-is-detected.patch
+iommu-io-pgtable-arm-v7s-check-for-leaf-entry-before-dereferencing-it.patch
+drm-amdgpu-fix-parser-init-error-path-to-avoid-crash-in-parser-fini.patch
+nfsd-fix-nfsd_minorversion-..-nfsd_avail.patch
+nfsd-fix-nfsd_reset_versions-for-nfsv4.patch
+input-i8042-add-tuxedo-bu1406-n24_25bu-to-the-nomux-list.patch
+drm-omap-fix-dmabuf-mmap-for-dma_alloc-ed-buffers.patch
+netfilter-bridge-honor-frag_max_size-when-refragmenting.patch
+asoc-rsnd-fix-sound-route-path-when-using-src6-src9.patch
+blk-mq-fix-tagset-reinit-in-the-presence-of-cpu-hot-unplug.patch
+writeback-fix-memory-leak-in-wb_queue_work.patch
+net-wimax-i2400m-fix-null-deref-at-probe.patch
+dmaengine-fix-array-index-out-of-bounds-warning-in-__get_unmap_pool.patch
+irqchip-mvebu-odmi-select-generic_msi_irq_domain.patch
+net-resend-igmp-memberships-upon-peer-notification.patch
+mlxsw-reg-fix-spvm-max-record-count.patch
+mlxsw-reg-fix-spvmlr-max-record-count.patch
+qed-align-cids-according-to-dorq-requirement.patch
+qed-fix-mapping-leak-on-ll2-rx-flow.patch
+qed-fix-interrupt-flags-on-rx-ll2.patch
+drm-amd-remove-broken-include-path.patch
+intel_th-pci-add-gemini-lake-support.patch
+openrisc-fix-issue-handling-8-byte-get_user-calls.patch
+asoc-rcar-clear-de-bit-only-in-pdmachcr-when-it-stops.patch
+scsi-hpsa-update-check-for-logical-volume-status.patch
+scsi-hpsa-limit-outstanding-rescans.patch
+scsi-hpsa-do-not-timeout-reset-operations.patch
+fjes-fix-wrong-netdevice-feature-flags.patch
+drm-radeon-si-add-dpm-quirk-for-oland.patch
+drivers-hv-util-move-waiting-for-release-to-hv_utils_transport-itself.patch
+iwlwifi-mvm-cleanup-pending-frames-in-dqa-mode.patch
+sched-deadline-add-missing-update_rq_clock-in-dl_task_timer.patch
+sched-deadline-make-sure-the-replenishment-timer-fires-in-the-next-period.patch
+sched-deadline-throttle-a-constrained-deadline-task-activated-after-the-deadline.patch
+sched-deadline-use-deadline-instead-of-period-when-calculating-overflow.patch
+mmc-mediatek-fixed-bug-where-clock-frequency-could-be-set-wrong.patch
+drm-radeon-reinstate-oland-workaround-for-sclk.patch
+afs-fix-missing-put_page.patch
+afs-populate-group-id-from-vnode-status.patch
+afs-adjust-mode-bits-processing.patch
+afs-deal-with-an-empty-callback-array.patch
+afs-flush-outstanding-writes-when-an-fd-is-closed.patch
+afs-migrate-vlocation-fields-to-64-bit.patch
+afs-prevent-callback-expiry-timer-overflow.patch
+afs-fix-the-maths-in-afs_fs_store_data.patch
+afs-invalid-op-id-should-abort-with-rxgen_opcode.patch
+afs-better-abort-and-net-error-handling.patch
+afs-populate-and-use-client-modification-time.patch
+afs-fix-page-leak-in-afs_write_begin.patch
+afs-fix-afs_kill_pages.patch
+afs-fix-abort-on-signal-while-waiting-for-call-completion.patch
+nvme-loop-fix-a-possible-use-after-free-when-destroying-the-admin-queue.patch
+nvmet-confirm-sq-percpu-has-scheduled-and-switched-to-atomic.patch
+nvmet-rdma-fix-a-possible-uninitialized-variable-dereference.patch
+net-mlx4_core-avoid-delays-during-vf-driver-device-shutdown.patch
+net-mpls-fix-nexthop-alive-tracking-on-down-events.patch
+rxrpc-ignore-busy-packets-on-old-calls.patch
+tty-don-t-panic-on-oom-in-tty_set_ldisc.patch
+tty-fix-data-race-in-tty_ldisc_ref_wait.patch
+perf-symbols-fix-symbols__fixup_end-heuristic-for-corner-cases.patch
+efi-esrt-cleanup-bad-memory-map-log-messages.patch
+nfsv4.1-respect-server-s-max-size-in-create_session.patch
+btrfs-add-missing-memset-while-reading-compressed-inline-extents.patch
+target-use-system-workqueue-for-alua-transitions.patch
+target-fix-alua-transition-timeout-handling.patch
+target-fix-race-during-implicit-transition-work-flushes.patch
+revert-x86-acpi-set-persistent-cpuid-nodeid-mapping-when-booting.patch
+hid-cp2112-fix-broken-gpio_direction_input-callback.patch
+sfc-don-t-warn-on-successful-change-of-mac.patch
+fbdev-controlfb-add-missing-modes-to-fix-out-of-bounds-access.patch
+video-udlfb-fix-read-edid-timeout.patch
+video-fbdev-au1200fb-release-some-resources-if-a-memory-allocation-fails.patch
+video-fbdev-au1200fb-return-an-error-code-if-a-memory-allocation-fails.patch
+rtc-pcf8563-fix-output-clock-rate.patch
+asoc-intel-skylake-fix-uuid_module-memory-leak-in-failure-case.patch
+dmaengine-ti-dma-crossbar-correct-am335x-am43xx-mux-value-type.patch
+pci-pme-handle-invalid-data-when-reading-root-status.patch
+powerpc-powernv-cpufreq-fix-the-frequency-read-by-proc-cpuinfo.patch
+pci-do-not-allocate-more-buses-than-available-in-parent.patch
+iommu-mediatek-fix-driver-name.patch
+netfilter-ipvs-fix-inappropriate-output-of-procfs.patch
+powerpc-opal-fix-ebusy-bug-in-acquiring-tokens.patch
+powerpc-ipic-fix-status-get-and-status-clear.patch
+platform-x86-intel_punit_ipc-fix-resource-ioremap-warning.patch
+platform-x86-sony-laptop-fix-error-handling-in-sony_nc_setup_rfkill.patch
+target-iscsi-fix-a-race-condition-in-iscsit_add_reject_from_cmd.patch
+iscsi-target-fix-memory-leak-in-lio_target_tiqn_addtpg.patch
+target-fix-condition-return-in-core_pr_dump_initiator_port.patch
+target-file-do-not-return-error-for-unmap-if-length-is-zero.patch
+badblocks-fix-wrong-return-value-in-badblocks_set-if-badblocks-are-disabled.patch
+iommu-amd-limit-the-iova-page-range-to-the-specified-addresses.patch
+xfs-truncate-pagecache-before-writeback-in-xfs_setattr_size.patch
+arm-ccn-perf-prevent-module-unload-while-pmu-is-in-use.patch
+crypto-tcrypt-fix-buffer-lengths-in-test_aead_speed.patch
+mm-handle-0-flags-in-_calc_vm_trans-macro.patch
+clk-mediatek-add-the-option-for-determining-pll-source-clock.patch
+clk-imx6-refine-hdmi_isfr-s-parent-to-make-hdmi-work-on-i.mx6-socs-w-o-vpu.patch
+clk-hi6220-mark-clock-cs_atb_syspll-as-critical.patch
+clk-tegra-fix-cclk_lp-divisor-register.patch
+ppp-destroy-the-mutex-when-cleanup.patch
+asoc-rsnd-rsnd_ssi_run_mods-needs-to-care-ssi_parent_mod.patch
+thermal-drivers-step_wise-fix-temperature-regulation-misbehavior.patch
+scsi-scsi_debug-write_same-fix-error-report.patch
+gfs2-take-inode-off-order_write-list-when-setting-jdata-flag.patch
+bcache-explicitly-destroy-mutex-while-exiting.patch
+bcache-fix-wrong-cache_misses-statistics.patch
+ib-hfi1-return-actual-operational-vls-in-port-info-query.patch
+arm64-prevent-regressions-in-compressed-kernel-image-size-when-upgrading-to-binutils-2.27.patch
+btrfs-tests-fix-a-memory-leak-in-error-handling-path-in-run_test.patch
+platform-x86-hp_accel-add-quirk-for-hp-probook-440-g4.patch
+nvme-use-kref_get_unless_zero-in-nvme_find_get_ns.patch
+l2tp-cleanup-l2tp_tunnel_delete-calls.patch
+xfs-fix-log-block-underflow-during-recovery-cycle-verification.patch
+xfs-fix-incorrect-extent-state-in-xfs_bmap_add_extent_unwritten_real.patch
+rdma-cxgb4-declare-stag-as-__be32.patch
+pci-detach-driver-before-procfs-sysfs-teardown-on-device-remove.patch
+scsi-hpsa-cleanup-sas_phy-structures-in-sysfs-when-unloading.patch
+scsi-hpsa-destroy-sas-transport-properties-before-scsi_host.patch
+powerpc-perf-hv-24x7-fix-incorrect-comparison-in-memord.patch
+soc-mediatek-pwrap-fix-compiler-errors.patch
+tty-fix-oops-when-rmmod-8250.patch
+dmaengine-rcar-dmac-use-tcrb-instead-of-tcr-for-residue.patch
+pinctrl-adi2-fix-kconfig-build-problem.patch
+raid5-set-r5_expanded-on-parity-devices-as-well-as-data.patch
+scsi-scsi_devinfo-add-reportlun2-to-emc-symmetrix-blacklist-entry.patch
+ib-core-fix-calculation-of-maximum-roce-mtu.patch
+vt6655-fix-a-possible-sleep-in-atomic-bug-in-vt6655_suspend.patch
+rtl8188eu-fix-a-possible-sleep-in-atomic-bug-in-rtw_createbss_cmd.patch
+rtl8188eu-fix-a-possible-sleep-in-atomic-bug-in-rtw_disassoc_cmd.patch
+scsi-sd-change-manage_start_stop-to-bool-in-sysfs-interface.patch
+scsi-sd-change-allow_restart-to-bool-in-sysfs-interface.patch
+scsi-bfa-integer-overflow-in-debugfs.patch
+udf-avoid-overflow-when-session-starts-at-large-offset.patch
+macvlan-only-deliver-one-copy-of-the-frame-to-the-macvlan-interface.patch
+rdma-cma-avoid-triggering-undefined-behavior.patch
+ib-ipoib-grab-rtnl-lock-on-heavy-flush-when-calling-ndo_open-stop.patch
+icmp-don-t-fail-on-fragment-reassembly-time-exceeded.patch
+ath9k-fix-tx99-potential-info-leak.patch
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Robert Stonehouse <rstonehouse@solarflare.com>
+Date: Tue, 7 Nov 2017 17:30:30 +0000
+Subject: sfc: don't warn on successful change of MAC
+
+From: Robert Stonehouse <rstonehouse@solarflare.com>
+
+
+[ Upstream commit cbad52e92ad7f01f0be4ca58bde59462dc1afe3a ]
+
+Fixes: 535a61777f44e ("sfc: suppress handled MCDI failures when changing the MAC address")
+Signed-off-by: Bert Kenward <bkenward@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/sfc/ef10.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/sfc/ef10.c
++++ b/drivers/net/ethernet/sfc/ef10.c
+@@ -4967,7 +4967,7 @@ static int efx_ef10_set_mac_address(stru
+ * MCFW do not support VFs.
+ */
+ rc = efx_ef10_vport_set_mac_address(efx);
+- } else {
++ } else if (rc) {
+ efx_mcdi_display_error(efx, MC_CMD_VADAPTOR_SET_MAC,
+ sizeof(inbuf), NULL, 0, rc);
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Matthias Brugger <matthias.bgg@gmail.com>
+Date: Sat, 21 Oct 2017 10:17:47 +0200
+Subject: soc: mediatek: pwrap: fix compiler errors
+
+From: Matthias Brugger <matthias.bgg@gmail.com>
+
+
+[ Upstream commit fb2c1934f30577756e55e24e8870b45c78da3bc2 ]
+
+When compiling using sparse, we got the following error:
+drivers/soc/mediatek/mtk-pmic-wrap.c:686:25: error: dubious one-bit signed bitfield
+
+Changing the data type to unsigned fixes this.
+
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/mediatek/mtk-pmic-wrap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/soc/mediatek/mtk-pmic-wrap.c
++++ b/drivers/soc/mediatek/mtk-pmic-wrap.c
+@@ -522,7 +522,7 @@ struct pmic_wrapper_type {
+ u32 int_en_all;
+ u32 spi_w;
+ u32 wdt_src;
+- int has_bridge:1;
++ unsigned int has_bridge:1;
+ int (*init_reg_clock)(struct pmic_wrapper *wrp);
+ int (*init_soc_specific)(struct pmic_wrapper *wrp);
+ };
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Jiang Yi <jiangyilism@gmail.com>
+Date: Fri, 11 Aug 2017 11:29:44 +0800
+Subject: target/file: Do not return error for UNMAP if length is zero
+
+From: Jiang Yi <jiangyilism@gmail.com>
+
+
+[ Upstream commit 594e25e73440863981032d76c9b1e33409ceff6e ]
+
+The function fd_execute_unmap() in target_core_file.c calles
+
+ret = file->f_op->fallocate(file, mode, pos, len);
+
+Some filesystems implement fallocate() to return error if
+length is zero (e.g. btrfs) but according to SCSI Block
+Commands spec UNMAP should return success for zero length.
+
+Signed-off-by: Jiang Yi <jiangyilism@gmail.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_file.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/target/target_core_file.c
++++ b/drivers/target/target_core_file.c
+@@ -466,6 +466,10 @@ fd_execute_unmap(struct se_cmd *cmd, sec
+ struct inode *inode = file->f_mapping->host;
+ int ret;
+
++ if (!nolb) {
++ return 0;
++ }
++
+ if (cmd->se_dev->dev_attrib.pi_prot_type) {
+ ret = fd_do_prot_unmap(cmd, lba, nolb);
+ if (ret)
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Mike Christie <mchristi@redhat.com>
+Date: Thu, 2 Mar 2017 04:59:48 -0600
+Subject: target: fix ALUA transition timeout handling
+
+From: Mike Christie <mchristi@redhat.com>
+
+
+[ Upstream commit d7175373f2745ed4abe5b388d5aabd06304f801e ]
+
+The implicit transition time tells initiators the min time
+to wait before timing out a transition. We currently schedule
+the transition to occur in tg_pt_gp_implicit_trans_secs
+seconds so there is no room for delays. If
+core_alua_do_transition_tg_pt_work->core_alua_update_tpg_primary_metadata
+needs to write out info to a remote file, then the initiator can
+easily time out the operation.
+
+Signed-off-by: Mike Christie <mchristi@redhat.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_alua.c | 23 ++++++++---------------
+ include/target/target_core_base.h | 2 +-
+ 2 files changed, 9 insertions(+), 16 deletions(-)
+
+--- a/drivers/target/target_core_alua.c
++++ b/drivers/target/target_core_alua.c
+@@ -1010,7 +1010,7 @@ static void core_alua_queue_state_change
+ static void core_alua_do_transition_tg_pt_work(struct work_struct *work)
+ {
+ struct t10_alua_tg_pt_gp *tg_pt_gp = container_of(work,
+- struct t10_alua_tg_pt_gp, tg_pt_gp_transition_work.work);
++ struct t10_alua_tg_pt_gp, tg_pt_gp_transition_work);
+ struct se_device *dev = tg_pt_gp->tg_pt_gp_dev;
+ bool explicit = (tg_pt_gp->tg_pt_gp_alua_access_status ==
+ ALUA_STATUS_ALTERED_BY_EXPLICIT_STPG);
+@@ -1073,13 +1073,12 @@ static int core_alua_do_transition_tg_pt
+ /*
+ * Flush any pending transitions
+ */
+- if (!explicit && tg_pt_gp->tg_pt_gp_implicit_trans_secs &&
+- atomic_read(&tg_pt_gp->tg_pt_gp_alua_access_state) ==
++ if (!explicit && atomic_read(&tg_pt_gp->tg_pt_gp_alua_access_state) ==
+ ALUA_ACCESS_STATE_TRANSITION) {
+ /* Just in case */
+ tg_pt_gp->tg_pt_gp_alua_pending_state = new_state;
+ tg_pt_gp->tg_pt_gp_transition_complete = &wait;
+- flush_delayed_work(&tg_pt_gp->tg_pt_gp_transition_work);
++ flush_work(&tg_pt_gp->tg_pt_gp_transition_work);
+ wait_for_completion(&wait);
+ tg_pt_gp->tg_pt_gp_transition_complete = NULL;
+ return 0;
+@@ -1114,15 +1113,9 @@ static int core_alua_do_transition_tg_pt
+ atomic_inc(&tg_pt_gp->tg_pt_gp_ref_cnt);
+ spin_unlock(&dev->t10_alua.tg_pt_gps_lock);
+
+- if (!explicit && tg_pt_gp->tg_pt_gp_implicit_trans_secs) {
+- unsigned long transition_tmo;
+-
+- transition_tmo = tg_pt_gp->tg_pt_gp_implicit_trans_secs * HZ;
+- schedule_delayed_work(&tg_pt_gp->tg_pt_gp_transition_work,
+- transition_tmo);
+- } else {
++ schedule_work(&tg_pt_gp->tg_pt_gp_transition_work);
++ if (explicit) {
+ tg_pt_gp->tg_pt_gp_transition_complete = &wait;
+- schedule_delayed_work(&tg_pt_gp->tg_pt_gp_transition_work, 0);
+ wait_for_completion(&wait);
+ tg_pt_gp->tg_pt_gp_transition_complete = NULL;
+ }
+@@ -1690,8 +1683,8 @@ struct t10_alua_tg_pt_gp *core_alua_allo
+ mutex_init(&tg_pt_gp->tg_pt_gp_md_mutex);
+ spin_lock_init(&tg_pt_gp->tg_pt_gp_lock);
+ atomic_set(&tg_pt_gp->tg_pt_gp_ref_cnt, 0);
+- INIT_DELAYED_WORK(&tg_pt_gp->tg_pt_gp_transition_work,
+- core_alua_do_transition_tg_pt_work);
++ INIT_WORK(&tg_pt_gp->tg_pt_gp_transition_work,
++ core_alua_do_transition_tg_pt_work);
+ tg_pt_gp->tg_pt_gp_dev = dev;
+ atomic_set(&tg_pt_gp->tg_pt_gp_alua_access_state,
+ ALUA_ACCESS_STATE_ACTIVE_OPTIMIZED);
+@@ -1799,7 +1792,7 @@ void core_alua_free_tg_pt_gp(
+ dev->t10_alua.alua_tg_pt_gps_counter--;
+ spin_unlock(&dev->t10_alua.tg_pt_gps_lock);
+
+- flush_delayed_work(&tg_pt_gp->tg_pt_gp_transition_work);
++ flush_work(&tg_pt_gp->tg_pt_gp_transition_work);
+
+ /*
+ * Allow a struct t10_alua_tg_pt_gp_member * referenced by
+--- a/include/target/target_core_base.h
++++ b/include/target/target_core_base.h
+@@ -297,7 +297,7 @@ struct t10_alua_tg_pt_gp {
+ struct list_head tg_pt_gp_lun_list;
+ struct se_lun *tg_pt_gp_alua_lun;
+ struct se_node_acl *tg_pt_gp_alua_nacl;
+- struct delayed_work tg_pt_gp_transition_work;
++ struct work_struct tg_pt_gp_transition_work;
+ struct completion *tg_pt_gp_transition_complete;
+ };
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: tangwenji <tang.wenji@zte.com.cn>
+Date: Thu, 24 Aug 2017 19:59:37 +0800
+Subject: target:fix condition return in core_pr_dump_initiator_port()
+
+From: tangwenji <tang.wenji@zte.com.cn>
+
+
+[ Upstream commit 24528f089d0a444070aa4f715ace537e8d6bf168 ]
+
+When is pr_reg->isid_present_at_reg is false,this function should return.
+
+This fixes a regression originally introduced by:
+
+ commit d2843c173ee53cf4c12e7dfedc069a5bc76f0ac5
+ Author: Andy Grover <agrover@redhat.com>
+ Date: Thu May 16 10:40:55 2013 -0700
+
+ target: Alter core_pr_dump_initiator_port for ease of use
+
+Signed-off-by: tangwenji <tang.wenji@zte.com.cn>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_pr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -56,8 +56,10 @@ void core_pr_dump_initiator_port(
+ char *buf,
+ u32 size)
+ {
+- if (!pr_reg->isid_present_at_reg)
++ if (!pr_reg->isid_present_at_reg) {
+ buf[0] = '\0';
++ return;
++ }
+
+ snprintf(buf, size, ",i,0x%s", pr_reg->pr_reg_isid);
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Mike Christie <mchristi@redhat.com>
+Date: Thu, 2 Mar 2017 04:59:50 -0600
+Subject: target: fix race during implicit transition work flushes
+
+From: Mike Christie <mchristi@redhat.com>
+
+
+[ Upstream commit 760bf578edf8122f2503a3a6a3f4b0de3b6ce0bb ]
+
+This fixes the following races:
+
+1. core_alua_do_transition_tg_pt could have read
+tg_pt_gp_alua_access_state and gone into this if chunk:
+
+if (!explicit &&
+ atomic_read(&tg_pt_gp->tg_pt_gp_alua_access_state) ==
+ ALUA_ACCESS_STATE_TRANSITION) {
+
+and then core_alua_do_transition_tg_pt_work could update the
+state. core_alua_do_transition_tg_pt would then only set
+tg_pt_gp_alua_pending_state and the tg_pt_gp_alua_access_state would
+not get updated with the second calls state.
+
+2. core_alua_do_transition_tg_pt could be setting
+tg_pt_gp_transition_complete while the tg_pt_gp_transition_work
+is already completing. core_alua_do_transition_tg_pt then waits on the
+completion that will never be called.
+
+To handle these issues, we just call flush_work which will return when
+core_alua_do_transition_tg_pt_work has completed so there is no need
+to do the complete/wait. And, if core_alua_do_transition_tg_pt_work
+was running, instead of trying to sneak in the state change, we just
+schedule up another core_alua_do_transition_tg_pt_work call.
+
+Note that this does not handle a possible race where there are multiple
+threads call core_alua_do_transition_tg_pt at the same time. I think
+we need a mutex in target_tg_pt_gp_alua_access_state_store.
+
+Signed-off-by: Mike Christie <mchristi@redhat.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_alua.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+--- a/drivers/target/target_core_alua.c
++++ b/drivers/target/target_core_alua.c
+@@ -1073,16 +1073,8 @@ static int core_alua_do_transition_tg_pt
+ /*
+ * Flush any pending transitions
+ */
+- if (!explicit && atomic_read(&tg_pt_gp->tg_pt_gp_alua_access_state) ==
+- ALUA_ACCESS_STATE_TRANSITION) {
+- /* Just in case */
+- tg_pt_gp->tg_pt_gp_alua_pending_state = new_state;
+- tg_pt_gp->tg_pt_gp_transition_complete = &wait;
++ if (!explicit)
+ flush_work(&tg_pt_gp->tg_pt_gp_transition_work);
+- wait_for_completion(&wait);
+- tg_pt_gp->tg_pt_gp_transition_complete = NULL;
+- return 0;
+- }
+
+ /*
+ * Save the old primary ALUA access state, and set the current state
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Tue, 31 Oct 2017 11:03:17 -0700
+Subject: target/iscsi: Fix a race condition in iscsit_add_reject_from_cmd()
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+
+[ Upstream commit cfe2b621bb18d86e93271febf8c6e37622da2d14 ]
+
+Avoid that cmd->se_cmd.se_tfo is read after a command has already been
+freed.
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Mike Christie <mchristi@redhat.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/iscsi/iscsi_target.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -841,6 +841,7 @@ static int iscsit_add_reject_from_cmd(
+ unsigned char *buf)
+ {
+ struct iscsi_conn *conn;
++ const bool do_put = cmd->se_cmd.se_tfo != NULL;
+
+ if (!cmd->conn) {
+ pr_err("cmd->conn is NULL for ITT: 0x%08x\n",
+@@ -871,7 +872,7 @@ static int iscsit_add_reject_from_cmd(
+ * Perform the kref_put now if se_cmd has already been setup by
+ * scsit_setup_scsi_cmd()
+ */
+- if (cmd->se_cmd.se_tfo != NULL) {
++ if (do_put) {
+ pr_debug("iscsi reject: calling target_put_sess_cmd >>>>>>\n");
+ target_put_sess_cmd(&cmd->se_cmd);
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Mike Christie <mchristi@redhat.com>
+Date: Wed, 1 Mar 2017 23:13:26 -0600
+Subject: target: Use system workqueue for ALUA transitions
+
+From: Mike Christie <mchristi@redhat.com>
+
+
+[ Upstream commit 207ee84133c00a8a2a5bdec94df4a5b37d78881c ]
+
+If tcmu-runner is processing a STPG and needs to change the kernel's
+ALUA state then we cannot use the same work queue for task management
+requests and ALUA transitions, because we could deadlock. The problem
+occurs when a STPG times out before tcmu-runner is able to
+call into target_tg_pt_gp_alua_access_state_store->
+core_alua_do_port_transition -> core_alua_do_transition_tg_pt ->
+queue_work. In this case, the tmr is on the work queue waiting for
+the STPG to complete, but the STPG transition is now queued behind
+the waiting tmr.
+
+Note:
+This bug will also be fixed by this patch:
+http://www.spinics.net/lists/target-devel/msg14560.html
+which switches the tmr code to use the system workqueues.
+
+For both, I am not sure if we need a dedicated workqueue since
+it is not a performance path and I do not think we need WQ_MEM_RECLAIM
+to make forward progress to free up memory like the block layer does.
+
+Signed-off-by: Mike Christie <mchristi@redhat.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_alua.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/target/target_core_alua.c
++++ b/drivers/target/target_core_alua.c
+@@ -1118,13 +1118,11 @@ static int core_alua_do_transition_tg_pt
+ unsigned long transition_tmo;
+
+ transition_tmo = tg_pt_gp->tg_pt_gp_implicit_trans_secs * HZ;
+- queue_delayed_work(tg_pt_gp->tg_pt_gp_dev->tmr_wq,
+- &tg_pt_gp->tg_pt_gp_transition_work,
+- transition_tmo);
++ schedule_delayed_work(&tg_pt_gp->tg_pt_gp_transition_work,
++ transition_tmo);
+ } else {
+ tg_pt_gp->tg_pt_gp_transition_complete = &wait;
+- queue_delayed_work(tg_pt_gp->tg_pt_gp_dev->tmr_wq,
+- &tg_pt_gp->tg_pt_gp_transition_work, 0);
++ schedule_delayed_work(&tg_pt_gp->tg_pt_gp_transition_work, 0);
+ wait_for_completion(&wait);
+ tg_pt_gp->tg_pt_gp_transition_complete = NULL;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Daniel Lezcano <daniel.lezcano@linaro.org>
+Date: Thu, 19 Oct 2017 19:05:58 +0200
+Subject: thermal/drivers/step_wise: Fix temperature regulation misbehavior
+
+From: Daniel Lezcano <daniel.lezcano@linaro.org>
+
+
+[ Upstream commit 07209fcf33542c1ff1e29df2dbdf8f29cdaacb10 ]
+
+There is a particular situation when the cooling device is cpufreq and the heat
+dissipation is not efficient enough where the temperature increases little by
+little until reaching the critical threshold and leading to a SoC reset.
+
+The behavior is reproducible on a hikey6220 with bad heat dissipation (eg.
+stacked with other boards).
+
+Running a simple C program doing while(1); for each CPU of the SoC makes the
+temperature to reach the passive regulation trip point and ends up to the
+maximum allowed temperature followed by a reset.
+
+This issue has been also reported by running the libhugetlbfs test suite.
+
+What is observed is a ping pong between two cpu frequencies, 1.2GHz and 900MHz
+while the temperature continues to grow.
+
+It appears the step wise governor calls get_target_state() the first time with
+the throttle set to true and the trend to 'raising'. The code selects logically
+the next state, so the cpu frequency decreases from 1.2GHz to 900MHz, so far so
+good. The temperature decreases immediately but still stays greater than the
+trip point, then get_target_state() is called again, this time with the
+throttle set to true *and* the trend to 'dropping'. From there the algorithm
+assumes we have to step down the state and the cpu frequency jumps back to
+1.2GHz. But the temperature is still higher than the trip point, so
+get_target_state() is called with throttle=1 and trend='raising' again, we jump
+to 900MHz, then get_target_state() is called with throttle=1 and
+trend='dropping', we jump to 1.2GHz, etc ... but the temperature does not
+stabilizes and continues to increase.
+
+[ 237.922654] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1
+[ 237.922678] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1
+[ 237.922690] thermal cooling_device0: cur_state=0
+[ 237.922701] thermal cooling_device0: old_target=0, target=1
+[ 238.026656] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1
+[ 238.026680] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=1
+[ 238.026694] thermal cooling_device0: cur_state=1
+[ 238.026707] thermal cooling_device0: old_target=1, target=0
+[ 238.134647] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1
+[ 238.134667] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1
+[ 238.134679] thermal cooling_device0: cur_state=0
+[ 238.134690] thermal cooling_device0: old_target=0, target=1
+
+In this situation the temperature continues to increase while the trend is
+oscillating between 'dropping' and 'raising'. We need to keep the current state
+untouched if the throttle is set, so the temperature can decrease or a higher
+state could be selected, thus preventing this oscillation.
+
+Keeping the next_target untouched when 'throttle' is true at 'dropping' time
+fixes the issue.
+
+The following traces show the governor does not change the next state if
+trend==2 (dropping) and throttle==1.
+
+[ 2306.127987] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1
+[ 2306.128009] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1
+[ 2306.128021] thermal cooling_device0: cur_state=0
+[ 2306.128031] thermal cooling_device0: old_target=0, target=1
+[ 2306.231991] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1
+[ 2306.232016] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=1
+[ 2306.232030] thermal cooling_device0: cur_state=1
+[ 2306.232042] thermal cooling_device0: old_target=1, target=1
+[ 2306.335982] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=0,throttle=1
+[ 2306.336006] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=0,throttle=1
+[ 2306.336021] thermal cooling_device0: cur_state=1
+[ 2306.336034] thermal cooling_device0: old_target=1, target=1
+[ 2306.439984] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1
+[ 2306.440008] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=0
+[ 2306.440022] thermal cooling_device0: cur_state=1
+[ 2306.440034] thermal cooling_device0: old_target=1, target=0
+
+[ ... ]
+
+After a while, if the temperature continues to increase, the next state becomes
+2 which is 720MHz on the hikey. That results in the temperature stabilizing
+around the trip point.
+
+[ 2455.831982] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1
+[ 2455.832006] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=0
+[ 2455.832019] thermal cooling_device0: cur_state=1
+[ 2455.832032] thermal cooling_device0: old_target=1, target=1
+[ 2455.935985] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=0,throttle=1
+[ 2455.936013] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=0,throttle=0
+[ 2455.936027] thermal cooling_device0: cur_state=1
+[ 2455.936040] thermal cooling_device0: old_target=1, target=1
+[ 2456.043984] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=0,throttle=1
+[ 2456.044009] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=0,throttle=0
+[ 2456.044023] thermal cooling_device0: cur_state=1
+[ 2456.044036] thermal cooling_device0: old_target=1, target=1
+[ 2456.148001] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1
+[ 2456.148028] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1
+[ 2456.148042] thermal cooling_device0: cur_state=1
+[ 2456.148055] thermal cooling_device0: old_target=1, target=2
+[ 2456.252009] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1
+[ 2456.252041] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=0
+[ 2456.252058] thermal cooling_device0: cur_state=2
+[ 2456.252075] thermal cooling_device0: old_target=2, target=1
+
+IOW, this change is needed to keep the state for a cooling device if the
+temperature trend is oscillating while the temperature increases slightly.
+
+Without this change, the situation above leads to a catastrophic crash by a
+hardware reset on hikey. This issue has been reported to happen on an OMAP
+dra7xx also.
+
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Cc: Keerthy <j-keerthy@ti.com>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Leo Yan <leo.yan@linaro.org>
+Tested-by: Keerthy <j-keerthy@ti.com>
+Reviewed-by: Keerthy <j-keerthy@ti.com>
+Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/step_wise.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/thermal/step_wise.c
++++ b/drivers/thermal/step_wise.c
+@@ -31,8 +31,7 @@
+ * If the temperature is higher than a trip point,
+ * a. if the trend is THERMAL_TREND_RAISING, use higher cooling
+ * state for this trip point
+- * b. if the trend is THERMAL_TREND_DROPPING, use lower cooling
+- * state for this trip point
++ * b. if the trend is THERMAL_TREND_DROPPING, do nothing
+ * c. if the trend is THERMAL_TREND_RAISE_FULL, use upper limit
+ * for this trip point
+ * d. if the trend is THERMAL_TREND_DROP_FULL, use lower limit
+@@ -94,9 +93,11 @@ static unsigned long get_target_state(st
+ if (!throttle)
+ next_target = THERMAL_NO_TARGET;
+ } else {
+- next_target = cur_state - 1;
+- if (next_target > instance->upper)
+- next_target = instance->upper;
++ if (!throttle) {
++ next_target = cur_state - 1;
++ if (next_target > instance->upper)
++ next_target = instance->upper;
++ }
+ }
+ break;
+ case THERMAL_TREND_DROP_FULL:
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Dmitry Vyukov <dvyukov@google.com>
+Date: Sat, 4 Mar 2017 14:55:19 +0100
+Subject: tty: don't panic on OOM in tty_set_ldisc()
+
+From: Dmitry Vyukov <dvyukov@google.com>
+
+
+[ Upstream commit 5362544bebe85071188dd9e479b5a5040841c895 ]
+
+If tty_ldisc_open() fails in tty_set_ldisc(), it tries to go back
+to the old discipline or N_TTY. But that can fail as well, in such
+case it panics. This is not a graceful way to handle OOM.
+
+Leave ldisc==NULL if all attempts fail instead.
+Also use existing tty_ldisc_reinit() helper function instead of
+tty_ldisc_restore(). Also don't WARN/BUG in tty_ldisc_reinit()
+if N_TTY fails, which would have the same net effect of bringing
+kernel down on OOM. Instead print a single line message about
+what has happened.
+
+Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: syzkaller@googlegroups.com
+Cc: linux-kernel@vger.kernel.org
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jiri Slaby <jslaby@suse.com>
+Cc: Peter Hurley <peter@hurleysoftware.com>
+Cc: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/tty_ldisc.c | 85 +++++++++---------------------------------------
+ 1 file changed, 16 insertions(+), 69 deletions(-)
+
+--- a/drivers/tty/tty_ldisc.c
++++ b/drivers/tty/tty_ldisc.c
+@@ -489,41 +489,6 @@ static void tty_ldisc_close(struct tty_s
+ }
+
+ /**
+- * tty_ldisc_restore - helper for tty ldisc change
+- * @tty: tty to recover
+- * @old: previous ldisc
+- *
+- * Restore the previous line discipline or N_TTY when a line discipline
+- * change fails due to an open error
+- */
+-
+-static void tty_ldisc_restore(struct tty_struct *tty, struct tty_ldisc *old)
+-{
+- struct tty_ldisc *new_ldisc;
+- int r;
+-
+- /* There is an outstanding reference here so this is safe */
+- old = tty_ldisc_get(tty, old->ops->num);
+- WARN_ON(IS_ERR(old));
+- tty->ldisc = old;
+- tty_set_termios_ldisc(tty, old->ops->num);
+- if (tty_ldisc_open(tty, old) < 0) {
+- tty_ldisc_put(old);
+- /* This driver is always present */
+- new_ldisc = tty_ldisc_get(tty, N_TTY);
+- if (IS_ERR(new_ldisc))
+- panic("n_tty: get");
+- tty->ldisc = new_ldisc;
+- tty_set_termios_ldisc(tty, N_TTY);
+- r = tty_ldisc_open(tty, new_ldisc);
+- if (r < 0)
+- panic("Couldn't open N_TTY ldisc for "
+- "%s --- error %d.",
+- tty_name(tty), r);
+- }
+-}
+-
+-/**
+ * tty_set_ldisc - set line discipline
+ * @tty: the terminal to set
+ * @ldisc: the line discipline
+@@ -536,12 +501,7 @@ static void tty_ldisc_restore(struct tty
+
+ int tty_set_ldisc(struct tty_struct *tty, int disc)
+ {
+- int retval;
+- struct tty_ldisc *old_ldisc, *new_ldisc;
+-
+- new_ldisc = tty_ldisc_get(tty, disc);
+- if (IS_ERR(new_ldisc))
+- return PTR_ERR(new_ldisc);
++ int retval, old_disc;
+
+ tty_lock(tty);
+ retval = tty_ldisc_lock(tty, 5 * HZ);
+@@ -554,7 +514,8 @@ int tty_set_ldisc(struct tty_struct *tty
+ }
+
+ /* Check the no-op case */
+- if (tty->ldisc->ops->num == disc)
++ old_disc = tty->ldisc->ops->num;
++ if (old_disc == disc)
+ goto out;
+
+ if (test_bit(TTY_HUPPED, &tty->flags)) {
+@@ -563,34 +524,25 @@ int tty_set_ldisc(struct tty_struct *tty
+ goto out;
+ }
+
+- old_ldisc = tty->ldisc;
+-
+- /* Shutdown the old discipline. */
+- tty_ldisc_close(tty, old_ldisc);
+-
+- /* Now set up the new line discipline. */
+- tty->ldisc = new_ldisc;
+- tty_set_termios_ldisc(tty, disc);
+-
+- retval = tty_ldisc_open(tty, new_ldisc);
++ retval = tty_ldisc_reinit(tty, disc);
+ if (retval < 0) {
+ /* Back to the old one or N_TTY if we can't */
+- tty_ldisc_put(new_ldisc);
+- tty_ldisc_restore(tty, old_ldisc);
++ if (tty_ldisc_reinit(tty, old_disc) < 0) {
++ pr_err("tty: TIOCSETD failed, reinitializing N_TTY\n");
++ if (tty_ldisc_reinit(tty, N_TTY) < 0) {
++ /* At this point we have tty->ldisc == NULL. */
++ pr_err("tty: reinitializing N_TTY failed\n");
++ }
++ }
+ }
+
+- if (tty->ldisc->ops->num != old_ldisc->ops->num && tty->ops->set_ldisc) {
++ if (tty->ldisc && tty->ldisc->ops->num != old_disc &&
++ tty->ops->set_ldisc) {
+ down_read(&tty->termios_rwsem);
+ tty->ops->set_ldisc(tty);
+ up_read(&tty->termios_rwsem);
+ }
+
+- /* At this point we hold a reference to the new ldisc and a
+- reference to the old ldisc, or we hold two references to
+- the old ldisc (if it was restored as part of error cleanup
+- above). In either case, releasing a single reference from
+- the old ldisc is correct. */
+- new_ldisc = old_ldisc;
+ out:
+ tty_ldisc_unlock(tty);
+
+@@ -598,7 +550,6 @@ out:
+ already running */
+ tty_buffer_restart_work(tty->port);
+ err:
+- tty_ldisc_put(new_ldisc); /* drop the extra reference */
+ tty_unlock(tty);
+ return retval;
+ }
+@@ -659,10 +610,8 @@ int tty_ldisc_reinit(struct tty_struct *
+ int retval;
+
+ ld = tty_ldisc_get(tty, disc);
+- if (IS_ERR(ld)) {
+- BUG_ON(disc == N_TTY);
++ if (IS_ERR(ld))
+ return PTR_ERR(ld);
+- }
+
+ if (tty->ldisc) {
+ tty_ldisc_close(tty, tty->ldisc);
+@@ -674,10 +623,8 @@ int tty_ldisc_reinit(struct tty_struct *
+ tty_set_termios_ldisc(tty, disc);
+ retval = tty_ldisc_open(tty, tty->ldisc);
+ if (retval) {
+- if (!WARN_ON(disc == N_TTY)) {
+- tty_ldisc_put(tty->ldisc);
+- tty->ldisc = NULL;
+- }
++ tty_ldisc_put(tty->ldisc);
++ tty->ldisc = NULL;
+ }
+ return retval;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Dmitry Vyukov <dvyukov@google.com>
+Date: Sat, 4 Mar 2017 13:46:12 +0100
+Subject: tty: fix data race in tty_ldisc_ref_wait()
+
+From: Dmitry Vyukov <dvyukov@google.com>
+
+
+[ Upstream commit a4a3e061149f09c075f108b6f1cf04d9739a6bc2 ]
+
+tty_ldisc_ref_wait() checks tty->ldisc under tty->ldisc_sem.
+But if ldisc==NULL it releases them sem and reloads
+tty->ldisc without holding the sem. This is wrong and
+can lead to returning non-NULL ldisc without protection.
+
+Don't reload tty->ldisc second time.
+
+Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: syzkaller@googlegroups.com
+Cc: linux-kernel@vger.kernel.org
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jiri Slaby <jslaby@suse.com>
+Cc: Peter Hurley <peter@hurleysoftware.com>
+Cc: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/tty_ldisc.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/tty_ldisc.c
++++ b/drivers/tty/tty_ldisc.c
+@@ -271,10 +271,13 @@ const struct file_operations tty_ldiscs_
+
+ struct tty_ldisc *tty_ldisc_ref_wait(struct tty_struct *tty)
+ {
++ struct tty_ldisc *ld;
++
+ ldsem_down_read(&tty->ldisc_sem, MAX_SCHEDULE_TIMEOUT);
+- if (!tty->ldisc)
++ ld = tty->ldisc;
++ if (!ld)
+ ldsem_up_read(&tty->ldisc_sem);
+- return tty->ldisc;
++ return ld;
+ }
+ EXPORT_SYMBOL_GPL(tty_ldisc_ref_wait);
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: nixiaoming <nixiaoming@huawei.com>
+Date: Fri, 15 Sep 2017 17:45:56 +0800
+Subject: tty fix oops when rmmod 8250
+
+From: nixiaoming <nixiaoming@huawei.com>
+
+
+[ Upstream commit c79dde629d2027ca80329c62854a7635e623d527 ]
+
+After rmmod 8250.ko
+tty_kref_put starts kwork (release_one_tty) to release proc interface
+oops when accessing driver->driver_name in proc_tty_unregister_driver
+
+Use jprobe, found driver->driver_name point to 8250.ko
+static static struct uart_driver serial8250_reg
+.driver_name= serial,
+
+Use name in proc_dir_entry instead of driver->driver_name to fix oops
+
+test on linux 4.1.12:
+
+BUG: unable to handle kernel paging request at ffffffffa01979de
+IP: [<ffffffff81310f40>] strchr+0x0/0x30
+PGD 1a0d067 PUD 1a0e063 PMD 851c1f067 PTE 0
+Oops: 0000 [#1] PREEMPT SMP
+Modules linked in: ... ... [last unloaded: 8250]
+CPU: 7 PID: 116 Comm: kworker/7:1 Tainted: G O 4.1.12 #1
+Hardware name: Insyde RiverForest/Type2 - Board Product Name1, BIOS NE5KV904 12/21/2015
+Workqueue: events release_one_tty
+task: ffff88085b684960 ti: ffff880852884000 task.ti: ffff880852884000
+RIP: 0010:[<ffffffff81310f40>] [<ffffffff81310f40>] strchr+0x0/0x30
+RSP: 0018:ffff880852887c90 EFLAGS: 00010282
+RAX: ffffffff81a5eca0 RBX: ffffffffa01979de RCX: 0000000000000004
+RDX: ffff880852887d10 RSI: 000000000000002f RDI: ffffffffa01979de
+RBP: ffff880852887cd8 R08: 0000000000000000 R09: ffff88085f5d94d0
+R10: 0000000000000195 R11: 0000000000000000 R12: ffffffffa01979de
+R13: ffff880852887d00 R14: ffffffffa01979de R15: ffff88085f02e840
+FS: 0000000000000000(0000) GS:ffff88085f5c0000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffa01979de CR3: 0000000001a0c000 CR4: 00000000001406e0
+Stack:
+ ffffffff812349b1 ffff880852887cb8 ffff880852887d10 ffff88085f5cd6c2
+ ffff880852800a80 ffffffffa01979de ffff880852800a84 0000000000000010
+ ffff88085bb28bd8 ffff880852887d38 ffffffff812354f0 ffff880852887d08
+Call Trace:
+ [<ffffffff812349b1>] ? __xlate_proc_name+0x71/0xd0
+ [<ffffffff812354f0>] remove_proc_entry+0x40/0x180
+ [<ffffffff815f6811>] ? _raw_spin_lock_irqsave+0x41/0x60
+ [<ffffffff813be520>] ? destruct_tty_driver+0x60/0xe0
+ [<ffffffff81237c68>] proc_tty_unregister_driver+0x28/0x40
+ [<ffffffff813be548>] destruct_tty_driver+0x88/0xe0
+ [<ffffffff813be5bd>] tty_driver_kref_put+0x1d/0x20
+ [<ffffffff813becca>] release_one_tty+0x5a/0xd0
+ [<ffffffff81074159>] process_one_work+0x139/0x420
+ [<ffffffff810745a1>] worker_thread+0x121/0x450
+ [<ffffffff81074480>] ? process_scheduled_works+0x40/0x40
+ [<ffffffff8107a16c>] kthread+0xec/0x110
+ [<ffffffff81080000>] ? tg_rt_schedulable+0x210/0x220
+ [<ffffffff8107a080>] ? kthread_freezable_should_stop+0x80/0x80
+ [<ffffffff815f7292>] ret_from_fork+0x42/0x70
+ [<ffffffff8107a080>] ? kthread_freezable_should_stop+0x80/0x80
+
+Signed-off-by: nixiaoming <nixiaoming@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/proc_tty.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/proc/proc_tty.c
++++ b/fs/proc/proc_tty.c
+@@ -14,6 +14,7 @@
+ #include <linux/tty.h>
+ #include <linux/seq_file.h>
+ #include <linux/bitops.h>
++#include "internal.h"
+
+ /*
+ * The /proc/tty directory inodes...
+@@ -164,7 +165,7 @@ void proc_tty_unregister_driver(struct t
+ if (!ent)
+ return;
+
+- remove_proc_entry(driver->driver_name, proc_tty_driver);
++ remove_proc_entry(ent->name, proc_tty_driver);
+
+ driver->proc_entry = NULL;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 16 Oct 2017 11:38:11 +0200
+Subject: udf: Avoid overflow when session starts at large offset
+
+From: Jan Kara <jack@suse.cz>
+
+
+[ Upstream commit abdc0eb06964fe1d2fea6dd1391b734d0590365d ]
+
+When session starts beyond offset 2^31 the arithmetics in
+udf_check_vsd() would overflow. Make sure the computation is done in
+large enough type.
+
+Reported-by: Cezary Sliwa <sliwa@ifpan.edu.pl>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/udf/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -710,7 +710,7 @@ static loff_t udf_check_vsd(struct super
+ else
+ sectorsize = sb->s_blocksize;
+
+- sector += (sbi->s_session << sb->s_blocksize_bits);
++ sector += (((loff_t)sbi->s_session) << sb->s_blocksize_bits);
+
+ udf_debug("Starting at sector %u (%ld byte sectors)\n",
+ (unsigned int)(sector >> sb->s_blocksize_bits),
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Javier Martinez Canillas <javier@osg.samsung.com>
+Date: Wed, 22 Feb 2017 15:23:22 -0300
+Subject: usb: phy: isp1301: Add OF device ID table
+
+From: Javier Martinez Canillas <javier@osg.samsung.com>
+
+
+[ Upstream commit fd567653bdb908009b650f079bfd4b63169e2ac4 ]
+
+The driver doesn't have a struct of_device_id table but supported devices
+are registered via Device Trees. This is working on the assumption that a
+I2C device registered via OF will always match a legacy I2C device ID and
+that the MODALIAS reported will always be of the form i2c:<device>.
+
+But this could change in the future so the correct approach is to have an
+OF device ID table if the devices are registered via OF.
+
+Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/phy/phy-isp1301.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/phy/phy-isp1301.c
++++ b/drivers/usb/phy/phy-isp1301.c
+@@ -33,6 +33,12 @@ static const struct i2c_device_id isp130
+ };
+ MODULE_DEVICE_TABLE(i2c, isp1301_id);
+
++static const struct of_device_id isp1301_of_match[] = {
++ {.compatible = "nxp,isp1301" },
++ { },
++};
++MODULE_DEVICE_TABLE(of, isp1301_of_match);
++
+ static struct i2c_client *isp1301_i2c_client;
+
+ static int __isp1301_write(struct isp1301 *isp, u8 reg, u8 value, u8 clear)
+@@ -130,6 +136,7 @@ static int isp1301_remove(struct i2c_cli
+ static struct i2c_driver isp1301_driver = {
+ .driver = {
+ .name = DRV_NAME,
++ .of_match_table = of_match_ptr(isp1301_of_match),
+ },
+ .probe = isp1301_probe,
+ .remove = isp1301_remove,
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Date: Thu, 9 Mar 2017 15:39:34 +0200
+Subject: usb: xhci-mtk: check hcc_params after adding primary hcd
+
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+
+
+[ Upstream commit 94a631d91ad341b3b4bdac72d1104d9f090e0ca9 ]
+
+hcc_params is set in xhci_gen_setup() called from usb_add_hcd(),
+so checks the Maximum Primary Stream Array Size in the hcc_params
+register after adding primary hcd.
+
+Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-mtk.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/xhci-mtk.c
++++ b/drivers/usb/host/xhci-mtk.c
+@@ -632,13 +632,13 @@ static int xhci_mtk_probe(struct platfor
+ goto power_off_phys;
+ }
+
+- if (HCC_MAX_PSA(xhci->hcc_params) >= 4)
+- xhci->shared_hcd->can_do_streams = 1;
+-
+ ret = usb_add_hcd(hcd, irq, IRQF_SHARED);
+ if (ret)
+ goto put_usb3_hcd;
+
++ if (HCC_MAX_PSA(xhci->hcc_params) >= 4)
++ xhci->shared_hcd->can_do_streams = 1;
++
+ ret = usb_add_hcd(xhci->shared_hcd, irq, IRQF_SHARED);
+ if (ret)
+ goto dealloc_usb2_hcd;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Andrea Arcangeli <aarcange@redhat.com>
+Date: Thu, 9 Mar 2017 16:17:14 -0800
+Subject: userfaultfd: selftest: vm: allow to build in vm/ directory
+
+From: Andrea Arcangeli <aarcange@redhat.com>
+
+
+[ Upstream commit 46aa6a302b53f543f8e8b8e1714dc5e449ad36a6 ]
+
+linux/tools/testing/selftests/vm $ make
+
+ gcc -Wall -I ../../../../usr/include compaction_test.c -lrt -o /compaction_test
+ /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.4/../../../../x86_64-pc-linux-gnu/bin/ld: cannot open output file /compaction_test: Permission denied
+ collect2: error: ld returned 1 exit status
+ make: *** [../lib.mk:54: /compaction_test] Error 1
+
+Since commit a8ba798bc8ec ("selftests: enable O and KBUILD_OUTPUT")
+selftests/vm build fails if run from the "selftests/vm" directory, but
+it works in the selftests/ directory. It's quicker to be able to do a
+local vm-only build after a tree wipe and this patch allows for it
+again.
+
+Link: http://lkml.kernel.org/r/20170302173738.18994-4-aarcange@redhat.com
+Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
+Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Pavel Emelyanov <xemul@parallels.com>
+Cc: Hillf Danton <hillf.zj@alibaba-inc.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/vm/Makefile | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/tools/testing/selftests/vm/Makefile
++++ b/tools/testing/selftests/vm/Makefile
+@@ -1,5 +1,9 @@
+ # Makefile for vm selftests
+
++ifndef OUTPUT
++ OUTPUT := $(shell pwd)
++endif
++
+ CFLAGS = -Wall -I ../../../../usr/include $(EXTRA_CFLAGS)
+ BINARIES = compaction_test
+ BINARIES += hugepage-mmap
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Andrea Arcangeli <aarcange@redhat.com>
+Date: Thu, 9 Mar 2017 16:16:28 -0800
+Subject: userfaultfd: shmem: __do_fault requires VM_FAULT_NOPAGE
+
+From: Andrea Arcangeli <aarcange@redhat.com>
+
+
+[ Upstream commit 6bbc4a4144b1a69743022ac68dfaf6e7d993abb9 ]
+
+__do_fault assumes vmf->page has been initialized and is valid if
+VM_FAULT_NOPAGE is not returned by vma->vm_ops->fault(vma, vmf).
+
+handle_userfault() in turn should return VM_FAULT_NOPAGE if it doesn't
+return VM_FAULT_SIGBUS or VM_FAULT_RETRY (the other two possibilities).
+
+This VM_FAULT_NOPAGE case is only invoked when signal are pending and it
+didn't matter for anonymous memory before. It only started to matter
+since shmem was introduced. hugetlbfs also takes a different path and
+doesn't exercise __do_fault.
+
+Link: http://lkml.kernel.org/r/20170228154201.GH5816@redhat.com
+Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: "Kirill A. Shutemov" <kirill@shutemov.name>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/userfaultfd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -419,7 +419,7 @@ int handle_userfault(struct fault_env *f
+ * in such case.
+ */
+ down_read(&mm->mmap_sem);
+- ret = 0;
++ ret = VM_FAULT_NOPAGE;
+ }
+ }
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Thu, 9 Nov 2017 18:09:28 +0100
+Subject: video: fbdev: au1200fb: Release some resources if a memory allocation fails
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit 451f130602619a17c8883dd0b71b11624faffd51 ]
+
+We should go through the error handling code instead of returning -ENOMEM
+directly.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Cc: Tejun Heo <tj@kernel.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/au1200fb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/au1200fb.c
++++ b/drivers/video/fbdev/au1200fb.c
+@@ -1700,7 +1700,8 @@ static int au1200fb_drv_probe(struct pla
+ if (!fbdev->fb_mem) {
+ print_err("fail to allocate frambuffer (size: %dK))",
+ fbdev->fb_len / 1024);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto failed;
+ }
+
+ /*
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Thu, 9 Nov 2017 18:09:28 +0100
+Subject: video: fbdev: au1200fb: Return an error code if a memory allocation fails
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit 8cae353e6b01ac3f18097f631cdbceb5ff28c7f3 ]
+
+'ret' is known to be 0 at this point.
+In case of memory allocation error in 'framebuffer_alloc()', return
+-ENOMEM instead.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Cc: Tejun Heo <tj@kernel.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/au1200fb.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/au1200fb.c
++++ b/drivers/video/fbdev/au1200fb.c
+@@ -1681,8 +1681,10 @@ static int au1200fb_drv_probe(struct pla
+
+ fbi = framebuffer_alloc(sizeof(struct au1200fb_device),
+ &dev->dev);
+- if (!fbi)
++ if (!fbi) {
++ ret = -ENOMEM;
+ goto failed;
++ }
+
+ _au1200fb_infos[plane] = fbi;
+ fbdev = fbi->par;
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Ladislav Michl <ladis@linux-mips.org>
+Date: Thu, 9 Nov 2017 18:09:30 +0100
+Subject: video: udlfb: Fix read EDID timeout
+
+From: Ladislav Michl <ladis@linux-mips.org>
+
+
+[ Upstream commit c98769475575c8a585f5b3952f4b5f90266f699b ]
+
+While usb_control_msg function expects timeout in miliseconds, a value
+of HZ is used. Replace it with USB_CTRL_GET_TIMEOUT and also fix error
+message which looks like:
+udlfb: Read EDID byte 78 failed err ffffff92
+as error is either negative errno or number of bytes transferred use %d
+format specifier.
+
+Returned EDID is in second byte, so return error when less than two bytes
+are received.
+
+Fixes: 18dffdf8913a ("staging: udlfb: enhance EDID and mode handling support")
+Signed-off-by: Ladislav Michl <ladis@linux-mips.org>
+Cc: Bernie Thompson <bernie@plugable.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/udlfb.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/video/fbdev/udlfb.c
++++ b/drivers/video/fbdev/udlfb.c
+@@ -769,11 +769,11 @@ static int dlfb_get_edid(struct dlfb_dat
+
+ for (i = 0; i < len; i++) {
+ ret = usb_control_msg(dev->udev,
+- usb_rcvctrlpipe(dev->udev, 0), (0x02),
+- (0x80 | (0x02 << 5)), i << 8, 0xA1, rbuf, 2,
+- HZ);
+- if (ret < 1) {
+- pr_err("Read EDID byte %d failed err %x\n", i, ret);
++ usb_rcvctrlpipe(dev->udev, 0), 0x02,
++ (0x80 | (0x02 << 5)), i << 8, 0xA1,
++ rbuf, 2, USB_CTRL_GET_TIMEOUT);
++ if (ret < 2) {
++ pr_err("Read EDID byte %d failed: %d\n", i, ret);
+ i--;
+ break;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Jia-Ju Bai <baijiaju1990@163.com>
+Date: Mon, 9 Oct 2017 16:45:55 +0800
+Subject: vt6655: Fix a possible sleep-in-atomic bug in vt6655_suspend
+
+From: Jia-Ju Bai <baijiaju1990@163.com>
+
+
+[ Upstream commit 42c8eb3f6e15367981b274cb79ee4657e2c6949d ]
+
+The driver may sleep under a spinlock, and the function call path is:
+vt6655_suspend (acquire the spinlock)
+ pci_set_power_state
+ __pci_start_power_transition (drivers/pci/pci.c)
+ msleep --> may sleep
+
+To fix it, pci_set_power_state is called without having a spinlock.
+
+This bug is found by my static analysis tool and my code review.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/vt6655/device_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/vt6655/device_main.c
++++ b/drivers/staging/vt6655/device_main.c
+@@ -1698,10 +1698,11 @@ static int vt6655_suspend(struct pci_dev
+ MACbShutdown(priv);
+
+ pci_disable_device(pcid);
+- pci_set_power_state(pcid, pci_choose_state(pcid, state));
+
+ spin_unlock_irqrestore(&priv->lock, flags);
+
++ pci_set_power_state(pcid, pci_choose_state(pcid, state));
++
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Tahsin Erdogan <tahsin@google.com>
+Date: Fri, 10 Mar 2017 12:09:49 -0800
+Subject: writeback: fix memory leak in wb_queue_work()
+
+From: Tahsin Erdogan <tahsin@google.com>
+
+
+[ Upstream commit 4a3a485b1ed0e109718cc8c9d094fa0f552de9b2 ]
+
+When WB_registered flag is not set, wb_queue_work() skips queuing the
+work, but does not perform the necessary clean up. In particular, if
+work->auto_free is true, it should free the memory.
+
+The leak condition can be reprouced by following these steps:
+
+ mount /dev/sdb /mnt/sdb
+ /* In qemu console: device_del sdb */
+ umount /dev/sdb
+
+Above will result in a wb_queue_work() call on an unregistered wb and
+thus leak memory.
+
+Reported-by: John Sperbeck <jsperbeck@google.com>
+Signed-off-by: Tahsin Erdogan <tahsin@google.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fs-writeback.c | 35 +++++++++++++++++++++--------------
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -173,19 +173,33 @@ static void wb_wakeup(struct bdi_writeba
+ spin_unlock_bh(&wb->work_lock);
+ }
+
++static void finish_writeback_work(struct bdi_writeback *wb,
++ struct wb_writeback_work *work)
++{
++ struct wb_completion *done = work->done;
++
++ if (work->auto_free)
++ kfree(work);
++ if (done && atomic_dec_and_test(&done->cnt))
++ wake_up_all(&wb->bdi->wb_waitq);
++}
++
+ static void wb_queue_work(struct bdi_writeback *wb,
+ struct wb_writeback_work *work)
+ {
+ trace_writeback_queue(wb, work);
+
+- spin_lock_bh(&wb->work_lock);
+- if (!test_bit(WB_registered, &wb->state))
+- goto out_unlock;
+ if (work->done)
+ atomic_inc(&work->done->cnt);
+- list_add_tail(&work->list, &wb->work_list);
+- mod_delayed_work(bdi_wq, &wb->dwork, 0);
+-out_unlock:
++
++ spin_lock_bh(&wb->work_lock);
++
++ if (test_bit(WB_registered, &wb->state)) {
++ list_add_tail(&work->list, &wb->work_list);
++ mod_delayed_work(bdi_wq, &wb->dwork, 0);
++ } else
++ finish_writeback_work(wb, work);
++
+ spin_unlock_bh(&wb->work_lock);
+ }
+
+@@ -1875,16 +1889,9 @@ static long wb_do_writeback(struct bdi_w
+
+ set_bit(WB_writeback_running, &wb->state);
+ while ((work = get_next_work_item(wb)) != NULL) {
+- struct wb_completion *done = work->done;
+-
+ trace_writeback_exec(wb, work);
+-
+ wrote += wb_writeback(wb, work);
+-
+- if (work->auto_free)
+- kfree(work);
+- if (done && atomic_dec_and_test(&done->cnt))
+- wake_up_all(&wb->bdi->wb_waitq);
++ finish_writeback_work(wb, work);
+ }
+
+ /*
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Christoph Hellwig <hch@lst.de>
+Date: Tue, 17 Oct 2017 14:16:19 -0700
+Subject: xfs: fix incorrect extent state in xfs_bmap_add_extent_unwritten_real
+
+From: Christoph Hellwig <hch@lst.de>
+
+
+[ Upstream commit 5e422f5e4fd71d18bc6b851eeb3864477b3d842e ]
+
+There was one spot in xfs_bmap_add_extent_unwritten_real that didn't use the
+passed in new extent state but always converted to normal, leading to wrong
+behavior when converting from normal to unwritten.
+
+Only found by code inspection, it seems like this code path to move partial
+extent from written to unwritten while merging it with the next extent is
+rarely exercised.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/libxfs/xfs_bmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xfs/libxfs/xfs_bmap.c
++++ b/fs/xfs/libxfs/xfs_bmap.c
+@@ -2713,7 +2713,7 @@ xfs_bmap_add_extent_unwritten_real(
+ &i)))
+ goto done;
+ XFS_WANT_CORRUPTED_GOTO(mp, i == 0, done);
+- cur->bc_rec.b.br_state = XFS_EXT_NORM;
++ cur->bc_rec.b.br_state = new->br_state;
+ if ((error = xfs_btree_insert(cur, &i)))
+ goto done;
+ XFS_WANT_CORRUPTED_GOTO(mp, i == 1, done);
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Brian Foster <bfoster@redhat.com>
+Date: Thu, 26 Oct 2017 09:31:16 -0700
+Subject: xfs: fix log block underflow during recovery cycle verification
+
+From: Brian Foster <bfoster@redhat.com>
+
+
+[ Upstream commit 9f2a4505800607e537e9dd9dea4f55c4b0c30c7a ]
+
+It is possible for mkfs to format very small filesystems with too
+small of an internal log with respect to the various minimum size
+and block count requirements. If this occurs when the log happens to
+be smaller than the scan window used for cycle verification and the
+scan wraps the end of the log, the start_blk calculation in
+xlog_find_head() underflows and leads to an attempt to scan an
+invalid range of log blocks. This results in log recovery failure
+and a failed mount.
+
+Since there may be filesystems out in the wild with this kind of
+geometry, we cannot simply refuse to mount. Instead, cap the scan
+window for cycle verification to the size of the physical log. This
+ensures that the cycle verification proceeds as expected when the
+scan wraps the end of the log.
+
+Reported-by: Zorro Lang <zlang@redhat.com>
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_log_recover.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_log_recover.c
++++ b/fs/xfs/xfs_log_recover.c
+@@ -753,7 +753,7 @@ xlog_find_head(
+ * in the in-core log. The following number can be made tighter if
+ * we actually look at the block size of the filesystem.
+ */
+- num_scan_bblks = XLOG_TOTAL_REC_SHIFT(log);
++ num_scan_bblks = min_t(int, log_bbnum, XLOG_TOTAL_REC_SHIFT(log));
+ if (head_blk >= num_scan_bblks) {
+ /*
+ * We are guaranteed that the entire check can be performed
--- /dev/null
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Eryu Guan <eguan@redhat.com>
+Date: Wed, 1 Nov 2017 21:43:50 -0700
+Subject: xfs: truncate pagecache before writeback in xfs_setattr_size()
+
+From: Eryu Guan <eguan@redhat.com>
+
+
+[ Upstream commit 350976ae21873b0d36584ea005076356431b8f79 ]
+
+On truncate down, if new size is not block size aligned, we zero the
+rest of block to avoid exposing stale data to user, and
+iomap_truncate_page() skips zeroing if the range is already in
+unwritten state or a hole. Then we writeback from on-disk i_size to
+the new size if this range hasn't been written to disk yet, and
+truncate page cache beyond new EOF and set in-core i_size.
+
+The problem is that we could write data between di_size and newsize
+before removing the page cache beyond newsize, as the extents may
+still be in unwritten state right after a buffer write. As such, the
+page of data that newsize lies in has not been zeroed by page cache
+invalidation before it is written, and xfs_do_writepage() hasn't
+triggered it's "zero data beyond EOF" case because we haven't
+updated in-core i_size yet. Then a subsequent mmap read could see
+non-zeros past EOF.
+
+I occasionally see this in fsx runs in fstests generic/112, a
+simplified fsx operation sequence is like (assuming 4k block size
+xfs):
+
+ fallocate 0x0 0x1000 0x0 keep_size
+ write 0x0 0x1000 0x0
+ truncate 0x0 0x800 0x1000
+ punch_hole 0x0 0x800 0x800
+ mapread 0x0 0x800 0x800
+
+where fallocate allocates unwritten extent but doesn't update
+i_size, buffer write populates the page cache and extent is still
+unwritten, truncate skips zeroing page past new EOF and writes the
+page to disk, punch_hole invalidates the page cache, at last mapread
+reads the block back and sees non-zero beyond EOF.
+
+Fix it by moving truncate_setsize() to before writeback so the page
+cache invalidation zeros the partial page at the new EOF. This also
+triggers "zero data beyond EOF" in xfs_do_writepage() at writeback
+time, because newsize has been set and page straddles the newsize.
+
+Also fixed the wrong 'end' param of filemap_write_and_wait_range()
+call while we're at it, the 'end' is inclusive and should be
+'newsize - 1'.
+
+Suggested-by: Dave Chinner <dchinner@redhat.com>
+Signed-off-by: Eryu Guan <eguan@redhat.com>
+Acked-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_iops.c | 36 ++++++++++++++++++++----------------
+ 1 file changed, 20 insertions(+), 16 deletions(-)
+
+--- a/fs/xfs/xfs_iops.c
++++ b/fs/xfs/xfs_iops.c
+@@ -871,22 +871,6 @@ xfs_setattr_size(
+ return error;
+
+ /*
+- * We are going to log the inode size change in this transaction so
+- * any previous writes that are beyond the on disk EOF and the new
+- * EOF that have not been written out need to be written here. If we
+- * do not write the data out, we expose ourselves to the null files
+- * problem. Note that this includes any block zeroing we did above;
+- * otherwise those blocks may not be zeroed after a crash.
+- */
+- if (did_zeroing ||
+- (newsize > ip->i_d.di_size && oldsize != ip->i_d.di_size)) {
+- error = filemap_write_and_wait_range(VFS_I(ip)->i_mapping,
+- ip->i_d.di_size, newsize);
+- if (error)
+- return error;
+- }
+-
+- /*
+ * We've already locked out new page faults, so now we can safely remove
+ * pages from the page cache knowing they won't get refaulted until we
+ * drop the XFS_MMAP_EXCL lock after the extent manipulations are
+@@ -902,9 +886,29 @@ xfs_setattr_size(
+ * user visible changes). There's not much we can do about this, except
+ * to hope that the caller sees ENOMEM and retries the truncate
+ * operation.
++ *
++ * And we update in-core i_size and truncate page cache beyond newsize
++ * before writeback the [di_size, newsize] range, so we're guaranteed
++ * not to write stale data past the new EOF on truncate down.
+ */
+ truncate_setsize(inode, newsize);
+
++ /*
++ * We are going to log the inode size change in this transaction so
++ * any previous writes that are beyond the on disk EOF and the new
++ * EOF that have not been written out need to be written here. If we
++ * do not write the data out, we expose ourselves to the null files
++ * problem. Note that this includes any block zeroing we did above;
++ * otherwise those blocks may not be zeroed after a crash.
++ */
++ if (did_zeroing ||
++ (newsize > ip->i_d.di_size && oldsize != ip->i_d.di_size)) {
++ error = filemap_write_and_wait_range(VFS_I(ip)->i_mapping,
++ ip->i_d.di_size, newsize - 1);
++ if (error)
++ return error;
++ }
++
+ error = xfs_trans_alloc(mp, &M_RES(mp)->tr_itruncate, 0, 0, 0, &tp);
+ if (error)
+ return error;
projects / thirdparty / kernel / stable-queue.git / commitdiff
